2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 /* removal requests are queued in the commit_list, but not acted upon
78 * until after all new rules are in place.
80 * Therefore, nf_register_net_hook(net, &nat_hook) runs before pending
81 * nf_unregister_net_hook().
83 * nf_register_net_hook thus fails if a nat hook is already in place
84 * even if the conflicting hook is about to be removed.
86 * If collision is detected, search commit_log for DELCHAIN matching
87 * the new nat hooknum; if we find one collision is temporary:
89 * Either transaction is aborted (new/colliding hook is removed), or
90 * transaction is committed (old hook is removed).
92 static bool nf_tables_allow_nat_conflict(const struct net *net,
93 const struct nf_hook_ops *ops)
95 const struct nft_trans *trans;
101 list_for_each_entry(trans, &net->nft.commit_list, list) {
102 const struct nf_hook_ops *pending_ops;
103 const struct nft_chain *pending;
105 if (trans->msg_type != NFT_MSG_NEWCHAIN &&
106 trans->msg_type != NFT_MSG_DELCHAIN)
109 pending = trans->ctx.chain;
110 if (!nft_is_base_chain(pending))
113 pending_ops = &nft_base_chain(pending)->ops;
114 if (pending_ops->nat_hook &&
115 pending_ops->pf == ops->pf &&
116 pending_ops->hooknum == ops->hooknum) {
117 /* other hook registration already pending? */
118 if (trans->msg_type == NFT_MSG_NEWCHAIN)
128 static int nf_tables_register_hook(struct net *net,
129 const struct nft_table *table,
130 struct nft_chain *chain)
132 struct nf_hook_ops *ops;
135 if (table->flags & NFT_TABLE_F_DORMANT ||
136 !nft_is_base_chain(chain))
139 ops = &nft_base_chain(chain)->ops;
140 ret = nf_register_net_hook(net, ops);
141 if (ret == -EBUSY && nf_tables_allow_nat_conflict(net, ops)) {
142 ops->nat_hook = false;
143 ret = nf_register_net_hook(net, ops);
144 ops->nat_hook = true;
150 static void nf_tables_unregister_hook(struct net *net,
151 const struct nft_table *table,
152 struct nft_chain *chain)
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !nft_is_base_chain(chain))
158 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
161 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
163 struct nft_trans *trans;
165 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
169 if (msg_type == NFT_MSG_NEWTABLE)
170 nft_activate_next(ctx->net, ctx->table);
172 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
176 static int nft_deltable(struct nft_ctx *ctx)
180 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
184 nft_deactivate_next(ctx->net, ctx->table);
188 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
190 struct nft_trans *trans;
192 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
196 if (msg_type == NFT_MSG_NEWCHAIN)
197 nft_activate_next(ctx->net, ctx->chain);
199 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
203 static int nft_delchain(struct nft_ctx *ctx)
207 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
212 nft_deactivate_next(ctx->net, ctx->chain);
218 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
220 /* You cannot delete the same rule twice */
221 if (nft_is_active_next(ctx->net, rule)) {
222 nft_deactivate_next(ctx->net, rule);
229 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
230 struct nft_rule *rule)
232 struct nft_trans *trans;
234 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
238 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
239 nft_trans_rule_id(trans) =
240 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
242 nft_trans_rule(trans) = rule;
243 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
248 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
250 struct nft_trans *trans;
253 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
257 err = nf_tables_delrule_deactivate(ctx, rule);
259 nft_trans_destroy(trans);
266 static int nft_delrule_by_chain(struct nft_ctx *ctx)
268 struct nft_rule *rule;
271 list_for_each_entry(rule, &ctx->chain->rules, list) {
272 err = nft_delrule(ctx, rule);
279 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
282 struct nft_trans *trans;
284 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
288 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
289 nft_trans_set_id(trans) =
290 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
291 nft_activate_next(ctx->net, set);
293 nft_trans_set(trans) = set;
294 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
299 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
303 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
307 nft_deactivate_next(ctx->net, set);
313 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
314 struct nft_object *obj)
316 struct nft_trans *trans;
318 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
322 if (msg_type == NFT_MSG_NEWOBJ)
323 nft_activate_next(ctx->net, obj);
325 nft_trans_obj(trans) = obj;
326 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
331 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
335 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
339 nft_deactivate_next(ctx->net, obj);
345 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
346 struct nft_flowtable *flowtable)
348 struct nft_trans *trans;
350 trans = nft_trans_alloc(ctx, msg_type,
351 sizeof(struct nft_trans_flowtable));
355 if (msg_type == NFT_MSG_NEWFLOWTABLE)
356 nft_activate_next(ctx->net, flowtable);
358 nft_trans_flowtable(trans) = flowtable;
359 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
364 static int nft_delflowtable(struct nft_ctx *ctx,
365 struct nft_flowtable *flowtable)
369 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
373 nft_deactivate_next(ctx->net, flowtable);
383 static struct nft_table *nft_table_lookup(const struct net *net,
384 const struct nlattr *nla,
385 u8 family, u8 genmask)
387 struct nft_table *table;
389 list_for_each_entry(table, &net->nft.tables, list) {
390 if (!nla_strcmp(nla, table->name) &&
391 table->family == family &&
392 nft_active_genmask(table, genmask))
398 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
399 const struct nlattr *nla,
402 struct nft_table *table;
404 list_for_each_entry(table, &net->nft.tables, list) {
405 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
406 nft_active_genmask(table, genmask))
412 static struct nft_table *nf_tables_table_lookup(const struct net *net,
413 const struct nlattr *nla,
414 u8 family, u8 genmask)
416 struct nft_table *table;
419 return ERR_PTR(-EINVAL);
421 table = nft_table_lookup(net, nla, family, genmask);
425 return ERR_PTR(-ENOENT);
428 static struct nft_table *nf_tables_table_lookup_byhandle(const struct net *net,
429 const struct nlattr *nla,
432 struct nft_table *table;
435 return ERR_PTR(-EINVAL);
437 table = nft_table_lookup_byhandle(net, nla, genmask);
441 return ERR_PTR(-ENOENT);
444 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
446 return ++table->hgenerator;
449 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
451 static const struct nf_chain_type *
452 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
456 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
457 if (chain_type[family][i] != NULL &&
458 !nla_strcmp(nla, chain_type[family][i]->name))
459 return chain_type[family][i];
464 static const struct nf_chain_type *
465 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
467 const struct nf_chain_type *type;
469 type = __nf_tables_chain_type_lookup(nla, family);
472 #ifdef CONFIG_MODULES
474 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
475 request_module("nft-chain-%u-%.*s", family,
476 nla_len(nla), (const char *)nla_data(nla));
477 nfnl_lock(NFNL_SUBSYS_NFTABLES);
478 type = __nf_tables_chain_type_lookup(nla, family);
480 return ERR_PTR(-EAGAIN);
483 return ERR_PTR(-ENOENT);
486 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
487 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
488 .len = NFT_TABLE_MAXNAMELEN - 1 },
489 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
490 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
493 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
494 u32 portid, u32 seq, int event, u32 flags,
495 int family, const struct nft_table *table)
497 struct nlmsghdr *nlh;
498 struct nfgenmsg *nfmsg;
500 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
501 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
503 goto nla_put_failure;
505 nfmsg = nlmsg_data(nlh);
506 nfmsg->nfgen_family = family;
507 nfmsg->version = NFNETLINK_V0;
508 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
510 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
511 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
512 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
513 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
515 goto nla_put_failure;
521 nlmsg_trim(skb, nlh);
525 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
531 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
534 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
538 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
539 event, 0, ctx->family, ctx->table);
545 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
546 ctx->report, GFP_KERNEL);
549 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
552 static int nf_tables_dump_tables(struct sk_buff *skb,
553 struct netlink_callback *cb)
555 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
556 const struct nft_table *table;
557 unsigned int idx = 0, s_idx = cb->args[0];
558 struct net *net = sock_net(skb->sk);
559 int family = nfmsg->nfgen_family;
562 cb->seq = net->nft.base_seq;
564 list_for_each_entry_rcu(table, &net->nft.tables, list) {
565 if (family != NFPROTO_UNSPEC && family != table->family)
571 memset(&cb->args[1], 0,
572 sizeof(cb->args) - sizeof(cb->args[0]));
573 if (!nft_is_active(net, table))
575 if (nf_tables_fill_table_info(skb, net,
576 NETLINK_CB(cb->skb).portid,
578 NFT_MSG_NEWTABLE, NLM_F_MULTI,
579 table->family, table) < 0)
582 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
592 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
593 struct sk_buff *skb, const struct nlmsghdr *nlh,
594 const struct nlattr * const nla[],
595 struct netlink_ext_ack *extack)
597 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
598 u8 genmask = nft_genmask_cur(net);
599 const struct nft_table *table;
600 struct sk_buff *skb2;
601 int family = nfmsg->nfgen_family;
604 if (nlh->nlmsg_flags & NLM_F_DUMP) {
605 struct netlink_dump_control c = {
606 .dump = nf_tables_dump_tables,
608 return netlink_dump_start(nlsk, skb, nlh, &c);
611 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family,
614 return PTR_ERR(table);
616 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
620 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
621 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
626 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
633 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
635 struct nft_chain *chain;
638 list_for_each_entry(chain, &table->chains, list) {
639 if (!nft_is_active_next(net, chain))
641 if (!nft_is_base_chain(chain))
644 if (cnt && i++ == cnt)
647 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
651 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
653 struct nft_chain *chain;
656 list_for_each_entry(chain, &table->chains, list) {
657 if (!nft_is_active_next(net, chain))
659 if (!nft_is_base_chain(chain))
662 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
671 nft_table_disable(net, table, i);
675 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
677 nft_table_disable(net, table, 0);
680 static int nf_tables_updtable(struct nft_ctx *ctx)
682 struct nft_trans *trans;
686 if (!ctx->nla[NFTA_TABLE_FLAGS])
689 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
690 if (flags & ~NFT_TABLE_F_DORMANT)
693 if (flags == ctx->table->flags)
696 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
697 sizeof(struct nft_trans_table));
701 if ((flags & NFT_TABLE_F_DORMANT) &&
702 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
703 nft_trans_table_enable(trans) = false;
704 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
705 ctx->table->flags & NFT_TABLE_F_DORMANT) {
706 ret = nf_tables_table_enable(ctx->net, ctx->table);
708 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
709 nft_trans_table_enable(trans) = true;
715 nft_trans_table_update(trans) = true;
716 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
719 nft_trans_destroy(trans);
723 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
724 struct sk_buff *skb, const struct nlmsghdr *nlh,
725 const struct nlattr * const nla[],
726 struct netlink_ext_ack *extack)
728 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
729 u8 genmask = nft_genmask_next(net);
730 const struct nlattr *name;
731 struct nft_table *table;
732 int family = nfmsg->nfgen_family;
737 name = nla[NFTA_TABLE_NAME];
738 table = nf_tables_table_lookup(net, name, family, genmask);
740 if (PTR_ERR(table) != -ENOENT)
741 return PTR_ERR(table);
743 if (nlh->nlmsg_flags & NLM_F_EXCL)
745 if (nlh->nlmsg_flags & NLM_F_REPLACE)
748 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
749 return nf_tables_updtable(&ctx);
752 if (nla[NFTA_TABLE_FLAGS]) {
753 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
754 if (flags & ~NFT_TABLE_F_DORMANT)
759 table = kzalloc(sizeof(*table), GFP_KERNEL);
763 table->name = nla_strdup(name, GFP_KERNEL);
764 if (table->name == NULL)
767 INIT_LIST_HEAD(&table->chains);
768 INIT_LIST_HEAD(&table->sets);
769 INIT_LIST_HEAD(&table->objects);
770 INIT_LIST_HEAD(&table->flowtables);
771 table->family = family;
772 table->flags = flags;
773 table->handle = ++table_handle;
775 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
776 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
780 list_add_tail_rcu(&table->list, &net->nft.tables);
790 static int nft_flush_table(struct nft_ctx *ctx)
792 struct nft_flowtable *flowtable, *nft;
793 struct nft_chain *chain, *nc;
794 struct nft_object *obj, *ne;
795 struct nft_set *set, *ns;
798 list_for_each_entry(chain, &ctx->table->chains, list) {
799 if (!nft_is_active_next(ctx->net, chain))
804 err = nft_delrule_by_chain(ctx);
809 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
810 if (!nft_is_active_next(ctx->net, set))
813 if (nft_set_is_anonymous(set) &&
814 !list_empty(&set->bindings))
817 err = nft_delset(ctx, set);
822 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
823 err = nft_delflowtable(ctx, flowtable);
828 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
829 err = nft_delobj(ctx, obj);
834 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
835 if (!nft_is_active_next(ctx->net, chain))
840 err = nft_delchain(ctx);
845 err = nft_deltable(ctx);
850 static int nft_flush(struct nft_ctx *ctx, int family)
852 struct nft_table *table, *nt;
853 const struct nlattr * const *nla = ctx->nla;
856 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
857 if (family != AF_UNSPEC && table->family != family)
860 ctx->family = table->family;
862 if (!nft_is_active_next(ctx->net, table))
865 if (nla[NFTA_TABLE_NAME] &&
866 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
871 err = nft_flush_table(ctx);
879 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
880 struct sk_buff *skb, const struct nlmsghdr *nlh,
881 const struct nlattr * const nla[],
882 struct netlink_ext_ack *extack)
884 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
885 u8 genmask = nft_genmask_next(net);
886 struct nft_table *table;
887 int family = nfmsg->nfgen_family;
890 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
891 if (family == AF_UNSPEC ||
892 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
893 return nft_flush(&ctx, family);
895 if (nla[NFTA_TABLE_HANDLE])
896 table = nf_tables_table_lookup_byhandle(net,
897 nla[NFTA_TABLE_HANDLE],
900 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME],
904 return PTR_ERR(table);
906 if (nlh->nlmsg_flags & NLM_F_NONREC &&
913 return nft_flush_table(&ctx);
916 static void nf_tables_table_destroy(struct nft_ctx *ctx)
918 BUG_ON(ctx->table->use > 0);
920 kfree(ctx->table->name);
924 int nft_register_chain_type(const struct nf_chain_type *ctype)
928 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
931 nfnl_lock(NFNL_SUBSYS_NFTABLES);
932 if (chain_type[ctype->family][ctype->type] != NULL) {
936 chain_type[ctype->family][ctype->type] = ctype;
938 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
941 EXPORT_SYMBOL_GPL(nft_register_chain_type);
943 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
945 nfnl_lock(NFNL_SUBSYS_NFTABLES);
946 chain_type[ctype->family][ctype->type] = NULL;
947 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
949 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
955 static struct nft_chain *
956 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
959 struct nft_chain *chain;
961 list_for_each_entry(chain, &table->chains, list) {
962 if (chain->handle == handle &&
963 nft_active_genmask(chain, genmask))
967 return ERR_PTR(-ENOENT);
970 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
971 const struct nlattr *nla,
974 struct nft_chain *chain;
977 return ERR_PTR(-EINVAL);
979 list_for_each_entry(chain, &table->chains, list) {
980 if (!nla_strcmp(nla, chain->name) &&
981 nft_active_genmask(chain, genmask))
985 return ERR_PTR(-ENOENT);
988 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
989 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
990 .len = NFT_TABLE_MAXNAMELEN - 1 },
991 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
992 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
993 .len = NFT_CHAIN_MAXNAMELEN - 1 },
994 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
995 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
996 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
997 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1000 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1001 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1002 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1003 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1004 .len = IFNAMSIZ - 1 },
1007 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1009 struct nft_stats *cpu_stats, total;
1010 struct nlattr *nest;
1015 memset(&total, 0, sizeof(total));
1016 for_each_possible_cpu(cpu) {
1017 cpu_stats = per_cpu_ptr(stats, cpu);
1019 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1020 pkts = cpu_stats->pkts;
1021 bytes = cpu_stats->bytes;
1022 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1024 total.bytes += bytes;
1026 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1028 goto nla_put_failure;
1030 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1031 NFTA_COUNTER_PAD) ||
1032 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1034 goto nla_put_failure;
1036 nla_nest_end(skb, nest);
1043 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1044 u32 portid, u32 seq, int event, u32 flags,
1045 int family, const struct nft_table *table,
1046 const struct nft_chain *chain)
1048 struct nlmsghdr *nlh;
1049 struct nfgenmsg *nfmsg;
1051 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1052 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1054 goto nla_put_failure;
1056 nfmsg = nlmsg_data(nlh);
1057 nfmsg->nfgen_family = family;
1058 nfmsg->version = NFNETLINK_V0;
1059 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1061 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1062 goto nla_put_failure;
1063 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1065 goto nla_put_failure;
1066 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1067 goto nla_put_failure;
1069 if (nft_is_base_chain(chain)) {
1070 const struct nft_base_chain *basechain = nft_base_chain(chain);
1071 const struct nf_hook_ops *ops = &basechain->ops;
1072 struct nlattr *nest;
1074 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1076 goto nla_put_failure;
1077 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1078 goto nla_put_failure;
1079 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1080 goto nla_put_failure;
1081 if (basechain->dev_name[0] &&
1082 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1083 goto nla_put_failure;
1084 nla_nest_end(skb, nest);
1086 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1087 htonl(basechain->policy)))
1088 goto nla_put_failure;
1090 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1091 goto nla_put_failure;
1093 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1094 goto nla_put_failure;
1097 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1098 goto nla_put_failure;
1100 nlmsg_end(skb, nlh);
1104 nlmsg_trim(skb, nlh);
1108 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1110 struct sk_buff *skb;
1114 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1117 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1121 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1122 event, 0, ctx->family, ctx->table,
1129 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1130 ctx->report, GFP_KERNEL);
1133 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1136 static int nf_tables_dump_chains(struct sk_buff *skb,
1137 struct netlink_callback *cb)
1139 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1140 const struct nft_table *table;
1141 const struct nft_chain *chain;
1142 unsigned int idx = 0, s_idx = cb->args[0];
1143 struct net *net = sock_net(skb->sk);
1144 int family = nfmsg->nfgen_family;
1147 cb->seq = net->nft.base_seq;
1149 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1150 if (family != NFPROTO_UNSPEC && family != table->family)
1153 list_for_each_entry_rcu(chain, &table->chains, list) {
1157 memset(&cb->args[1], 0,
1158 sizeof(cb->args) - sizeof(cb->args[0]));
1159 if (!nft_is_active(net, chain))
1161 if (nf_tables_fill_chain_info(skb, net,
1162 NETLINK_CB(cb->skb).portid,
1166 table->family, table,
1170 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1181 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1182 struct sk_buff *skb, const struct nlmsghdr *nlh,
1183 const struct nlattr * const nla[],
1184 struct netlink_ext_ack *extack)
1186 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1187 u8 genmask = nft_genmask_cur(net);
1188 const struct nft_table *table;
1189 const struct nft_chain *chain;
1190 struct sk_buff *skb2;
1191 int family = nfmsg->nfgen_family;
1194 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1195 struct netlink_dump_control c = {
1196 .dump = nf_tables_dump_chains,
1198 return netlink_dump_start(nlsk, skb, nlh, &c);
1201 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1204 return PTR_ERR(table);
1206 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1208 return PTR_ERR(chain);
1210 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1214 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1215 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1216 family, table, chain);
1220 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1227 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1228 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1229 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1232 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1234 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1235 struct nft_stats __percpu *newstats;
1236 struct nft_stats *stats;
1239 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1242 return ERR_PTR(err);
1244 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1245 return ERR_PTR(-EINVAL);
1247 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1248 if (newstats == NULL)
1249 return ERR_PTR(-ENOMEM);
1251 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1252 * are not exposed to userspace.
1255 stats = this_cpu_ptr(newstats);
1256 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1257 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1263 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1264 struct nft_stats __percpu *newstats)
1266 struct nft_stats __percpu *oldstats;
1268 if (newstats == NULL)
1272 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1273 rcu_assign_pointer(chain->stats, newstats);
1275 free_percpu(oldstats);
1277 rcu_assign_pointer(chain->stats, newstats);
1280 static void nf_tables_chain_destroy(struct nft_chain *chain)
1282 BUG_ON(chain->use > 0);
1284 if (nft_is_base_chain(chain)) {
1285 struct nft_base_chain *basechain = nft_base_chain(chain);
1287 module_put(basechain->type->owner);
1288 free_percpu(basechain->stats);
1289 if (basechain->stats)
1290 static_branch_dec(&nft_counters_enabled);
1299 struct nft_chain_hook {
1302 const struct nf_chain_type *type;
1303 struct net_device *dev;
1306 static int nft_chain_parse_hook(struct net *net,
1307 const struct nlattr * const nla[],
1308 struct nft_chain_hook *hook, u8 family,
1311 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1312 const struct nf_chain_type *type;
1313 struct net_device *dev;
1316 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1317 nft_hook_policy, NULL);
1321 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1322 ha[NFTA_HOOK_PRIORITY] == NULL)
1325 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1326 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1328 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1329 if (nla[NFTA_CHAIN_TYPE]) {
1330 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1333 return PTR_ERR(type);
1335 if (!(type->hook_mask & (1 << hook->num)))
1338 if (type->type == NFT_CHAIN_T_NAT &&
1339 hook->priority <= NF_IP_PRI_CONNTRACK)
1342 if (!try_module_get(type->owner))
1348 if (family == NFPROTO_NETDEV) {
1349 char ifname[IFNAMSIZ];
1351 if (!ha[NFTA_HOOK_DEV]) {
1352 module_put(type->owner);
1356 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1357 dev = __dev_get_by_name(net, ifname);
1359 module_put(type->owner);
1363 } else if (ha[NFTA_HOOK_DEV]) {
1364 module_put(type->owner);
1371 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1373 module_put(hook->type->owner);
1376 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1377 u8 policy, bool create)
1379 const struct nlattr * const *nla = ctx->nla;
1380 struct nft_table *table = ctx->table;
1381 struct nft_base_chain *basechain;
1382 struct nft_stats __percpu *stats;
1383 struct net *net = ctx->net;
1384 struct nft_chain *chain;
1387 if (table->use == UINT_MAX)
1390 if (nla[NFTA_CHAIN_HOOK]) {
1391 struct nft_chain_hook hook;
1392 struct nf_hook_ops *ops;
1394 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1398 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1399 if (basechain == NULL) {
1400 nft_chain_release_hook(&hook);
1404 if (hook.dev != NULL)
1405 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1407 if (nla[NFTA_CHAIN_COUNTERS]) {
1408 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1409 if (IS_ERR(stats)) {
1410 nft_chain_release_hook(&hook);
1412 return PTR_ERR(stats);
1414 basechain->stats = stats;
1415 static_branch_inc(&nft_counters_enabled);
1418 basechain->type = hook.type;
1419 chain = &basechain->chain;
1421 ops = &basechain->ops;
1423 ops->hooknum = hook.num;
1424 ops->priority = hook.priority;
1426 ops->hook = hook.type->hooks[ops->hooknum];
1427 ops->dev = hook.dev;
1429 if (basechain->type->type == NFT_CHAIN_T_NAT)
1430 ops->nat_hook = true;
1432 chain->flags |= NFT_BASE_CHAIN;
1433 basechain->policy = policy;
1435 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1439 INIT_LIST_HEAD(&chain->rules);
1440 chain->handle = nf_tables_alloc_handle(table);
1441 chain->table = table;
1442 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1448 err = nf_tables_register_hook(net, table, chain);
1453 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1458 list_add_tail_rcu(&chain->list, &table->chains);
1462 nf_tables_unregister_hook(net, table, chain);
1464 nf_tables_chain_destroy(chain);
1469 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1472 const struct nlattr * const *nla = ctx->nla;
1473 struct nft_table *table = ctx->table;
1474 struct nft_chain *chain = ctx->chain;
1475 struct nft_base_chain *basechain;
1476 struct nft_stats *stats = NULL;
1477 struct nft_chain_hook hook;
1478 const struct nlattr *name;
1479 struct nf_hook_ops *ops;
1480 struct nft_trans *trans;
1483 if (nla[NFTA_CHAIN_HOOK]) {
1484 if (!nft_is_base_chain(chain))
1487 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1492 basechain = nft_base_chain(chain);
1493 if (basechain->type != hook.type) {
1494 nft_chain_release_hook(&hook);
1498 ops = &basechain->ops;
1499 if (ops->hooknum != hook.num ||
1500 ops->priority != hook.priority ||
1501 ops->dev != hook.dev) {
1502 nft_chain_release_hook(&hook);
1505 nft_chain_release_hook(&hook);
1508 if (nla[NFTA_CHAIN_HANDLE] &&
1509 nla[NFTA_CHAIN_NAME]) {
1510 struct nft_chain *chain2;
1512 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1514 if (!IS_ERR(chain2))
1518 if (nla[NFTA_CHAIN_COUNTERS]) {
1519 if (!nft_is_base_chain(chain))
1522 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1524 return PTR_ERR(stats);
1527 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1528 sizeof(struct nft_trans_chain));
1529 if (trans == NULL) {
1534 nft_trans_chain_stats(trans) = stats;
1535 nft_trans_chain_update(trans) = true;
1537 if (nla[NFTA_CHAIN_POLICY])
1538 nft_trans_chain_policy(trans) = policy;
1540 nft_trans_chain_policy(trans) = -1;
1542 name = nla[NFTA_CHAIN_NAME];
1543 if (nla[NFTA_CHAIN_HANDLE] && name) {
1544 nft_trans_chain_name(trans) =
1545 nla_strdup(name, GFP_KERNEL);
1546 if (!nft_trans_chain_name(trans)) {
1552 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1557 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1558 struct sk_buff *skb, const struct nlmsghdr *nlh,
1559 const struct nlattr * const nla[],
1560 struct netlink_ext_ack *extack)
1562 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1563 const struct nlattr * uninitialized_var(name);
1564 u8 genmask = nft_genmask_next(net);
1565 int family = nfmsg->nfgen_family;
1566 struct nft_table *table;
1567 struct nft_chain *chain;
1568 u8 policy = NF_ACCEPT;
1573 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1575 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1578 return PTR_ERR(table);
1581 name = nla[NFTA_CHAIN_NAME];
1583 if (nla[NFTA_CHAIN_HANDLE]) {
1584 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1585 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1587 return PTR_ERR(chain);
1589 chain = nf_tables_chain_lookup(table, name, genmask);
1590 if (IS_ERR(chain)) {
1591 if (PTR_ERR(chain) != -ENOENT)
1592 return PTR_ERR(chain);
1597 if (nla[NFTA_CHAIN_POLICY]) {
1598 if (chain != NULL &&
1599 !nft_is_base_chain(chain))
1602 if (chain == NULL &&
1603 nla[NFTA_CHAIN_HOOK] == NULL)
1606 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1616 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1618 if (chain != NULL) {
1619 if (nlh->nlmsg_flags & NLM_F_EXCL)
1621 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1624 return nf_tables_updchain(&ctx, genmask, policy, create);
1627 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1630 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1631 struct sk_buff *skb, const struct nlmsghdr *nlh,
1632 const struct nlattr * const nla[],
1633 struct netlink_ext_ack *extack)
1635 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1636 u8 genmask = nft_genmask_next(net);
1637 struct nft_table *table;
1638 struct nft_chain *chain;
1639 struct nft_rule *rule;
1640 int family = nfmsg->nfgen_family;
1646 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1649 return PTR_ERR(table);
1651 if (nla[NFTA_CHAIN_HANDLE]) {
1652 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1653 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1655 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1658 return PTR_ERR(chain);
1660 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1664 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1667 list_for_each_entry(rule, &chain->rules, list) {
1668 if (!nft_is_active_next(net, rule))
1672 err = nft_delrule(&ctx, rule);
1677 /* There are rules and elements that are still holding references to us,
1678 * we cannot do a recursive removal in this case.
1683 return nft_delchain(&ctx);
1691 * nft_register_expr - register nf_tables expr type
1694 * Registers the expr type for use with nf_tables. Returns zero on
1695 * success or a negative errno code otherwise.
1697 int nft_register_expr(struct nft_expr_type *type)
1699 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1700 if (type->family == NFPROTO_UNSPEC)
1701 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1703 list_add_rcu(&type->list, &nf_tables_expressions);
1704 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1707 EXPORT_SYMBOL_GPL(nft_register_expr);
1710 * nft_unregister_expr - unregister nf_tables expr type
1713 * Unregisters the expr typefor use with nf_tables.
1715 void nft_unregister_expr(struct nft_expr_type *type)
1717 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1718 list_del_rcu(&type->list);
1719 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1721 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1723 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1726 const struct nft_expr_type *type;
1728 list_for_each_entry(type, &nf_tables_expressions, list) {
1729 if (!nla_strcmp(nla, type->name) &&
1730 (!type->family || type->family == family))
1736 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1739 const struct nft_expr_type *type;
1742 return ERR_PTR(-EINVAL);
1744 type = __nft_expr_type_get(family, nla);
1745 if (type != NULL && try_module_get(type->owner))
1748 #ifdef CONFIG_MODULES
1750 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1751 request_module("nft-expr-%u-%.*s", family,
1752 nla_len(nla), (char *)nla_data(nla));
1753 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1754 if (__nft_expr_type_get(family, nla))
1755 return ERR_PTR(-EAGAIN);
1757 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1758 request_module("nft-expr-%.*s",
1759 nla_len(nla), (char *)nla_data(nla));
1760 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1761 if (__nft_expr_type_get(family, nla))
1762 return ERR_PTR(-EAGAIN);
1765 return ERR_PTR(-ENOENT);
1768 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1769 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1770 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1773 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1774 const struct nft_expr *expr)
1776 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1777 goto nla_put_failure;
1779 if (expr->ops->dump) {
1780 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1782 goto nla_put_failure;
1783 if (expr->ops->dump(skb, expr) < 0)
1784 goto nla_put_failure;
1785 nla_nest_end(skb, data);
1794 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1795 const struct nft_expr *expr)
1797 struct nlattr *nest;
1799 nest = nla_nest_start(skb, attr);
1801 goto nla_put_failure;
1802 if (nf_tables_fill_expr_info(skb, expr) < 0)
1803 goto nla_put_failure;
1804 nla_nest_end(skb, nest);
1811 struct nft_expr_info {
1812 const struct nft_expr_ops *ops;
1813 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1816 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1817 const struct nlattr *nla,
1818 struct nft_expr_info *info)
1820 const struct nft_expr_type *type;
1821 const struct nft_expr_ops *ops;
1822 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1825 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1829 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1831 return PTR_ERR(type);
1833 if (tb[NFTA_EXPR_DATA]) {
1834 err = nla_parse_nested(info->tb, type->maxattr,
1835 tb[NFTA_EXPR_DATA], type->policy, NULL);
1839 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1841 if (type->select_ops != NULL) {
1842 ops = type->select_ops(ctx,
1843 (const struct nlattr * const *)info->tb);
1855 module_put(type->owner);
1859 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1860 const struct nft_expr_info *info,
1861 struct nft_expr *expr)
1863 const struct nft_expr_ops *ops = info->ops;
1868 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1873 if (ops->validate) {
1874 const struct nft_data *data = NULL;
1876 err = ops->validate(ctx, expr, &data);
1885 ops->destroy(ctx, expr);
1891 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1892 struct nft_expr *expr)
1894 if (expr->ops->destroy)
1895 expr->ops->destroy(ctx, expr);
1896 module_put(expr->ops->type->owner);
1899 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1900 const struct nlattr *nla)
1902 struct nft_expr_info info;
1903 struct nft_expr *expr;
1906 err = nf_tables_expr_parse(ctx, nla, &info);
1911 expr = kzalloc(info.ops->size, GFP_KERNEL);
1915 err = nf_tables_newexpr(ctx, &info, expr);
1923 module_put(info.ops->type->owner);
1925 return ERR_PTR(err);
1928 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1930 nf_tables_expr_destroy(ctx, expr);
1938 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1941 struct nft_rule *rule;
1943 // FIXME: this sucks
1944 list_for_each_entry(rule, &chain->rules, list) {
1945 if (handle == rule->handle)
1949 return ERR_PTR(-ENOENT);
1952 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1953 const struct nlattr *nla)
1956 return ERR_PTR(-EINVAL);
1958 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1961 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1962 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1963 .len = NFT_TABLE_MAXNAMELEN - 1 },
1964 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1965 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1966 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1967 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1968 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1969 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1970 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1971 .len = NFT_USERDATA_MAXLEN },
1972 [NFTA_RULE_ID] = { .type = NLA_U32 },
1975 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1976 u32 portid, u32 seq, int event,
1977 u32 flags, int family,
1978 const struct nft_table *table,
1979 const struct nft_chain *chain,
1980 const struct nft_rule *rule)
1982 struct nlmsghdr *nlh;
1983 struct nfgenmsg *nfmsg;
1984 const struct nft_expr *expr, *next;
1985 struct nlattr *list;
1986 const struct nft_rule *prule;
1987 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1989 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1991 goto nla_put_failure;
1993 nfmsg = nlmsg_data(nlh);
1994 nfmsg->nfgen_family = family;
1995 nfmsg->version = NFNETLINK_V0;
1996 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1998 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1999 goto nla_put_failure;
2000 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2001 goto nla_put_failure;
2002 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2004 goto nla_put_failure;
2006 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2007 prule = list_prev_entry(rule, list);
2008 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2009 cpu_to_be64(prule->handle),
2011 goto nla_put_failure;
2014 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2016 goto nla_put_failure;
2017 nft_rule_for_each_expr(expr, next, rule) {
2018 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2019 goto nla_put_failure;
2021 nla_nest_end(skb, list);
2024 struct nft_userdata *udata = nft_userdata(rule);
2025 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2027 goto nla_put_failure;
2030 nlmsg_end(skb, nlh);
2034 nlmsg_trim(skb, nlh);
2038 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2039 const struct nft_rule *rule, int event)
2041 struct sk_buff *skb;
2045 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2048 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2052 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2053 event, 0, ctx->family, ctx->table,
2060 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2061 ctx->report, GFP_KERNEL);
2064 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2067 struct nft_rule_dump_ctx {
2072 static int nf_tables_dump_rules(struct sk_buff *skb,
2073 struct netlink_callback *cb)
2075 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2076 const struct nft_rule_dump_ctx *ctx = cb->data;
2077 const struct nft_table *table;
2078 const struct nft_chain *chain;
2079 const struct nft_rule *rule;
2080 unsigned int idx = 0, s_idx = cb->args[0];
2081 struct net *net = sock_net(skb->sk);
2082 int family = nfmsg->nfgen_family;
2085 cb->seq = net->nft.base_seq;
2087 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2088 if (family != NFPROTO_UNSPEC && family != table->family)
2091 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2094 list_for_each_entry_rcu(chain, &table->chains, list) {
2095 if (ctx && ctx->chain &&
2096 strcmp(ctx->chain, chain->name) != 0)
2099 list_for_each_entry_rcu(rule, &chain->rules, list) {
2100 if (!nft_is_active(net, rule))
2105 memset(&cb->args[1], 0,
2106 sizeof(cb->args) - sizeof(cb->args[0]));
2107 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2110 NLM_F_MULTI | NLM_F_APPEND,
2112 table, chain, rule) < 0)
2115 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2128 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2130 struct nft_rule_dump_ctx *ctx = cb->data;
2140 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2141 struct sk_buff *skb, const struct nlmsghdr *nlh,
2142 const struct nlattr * const nla[],
2143 struct netlink_ext_ack *extack)
2145 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2146 u8 genmask = nft_genmask_cur(net);
2147 const struct nft_table *table;
2148 const struct nft_chain *chain;
2149 const struct nft_rule *rule;
2150 struct sk_buff *skb2;
2151 int family = nfmsg->nfgen_family;
2154 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2155 struct netlink_dump_control c = {
2156 .dump = nf_tables_dump_rules,
2157 .done = nf_tables_dump_rules_done,
2160 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2161 struct nft_rule_dump_ctx *ctx;
2163 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2167 if (nla[NFTA_RULE_TABLE]) {
2168 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2175 if (nla[NFTA_RULE_CHAIN]) {
2176 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2187 return netlink_dump_start(nlsk, skb, nlh, &c);
2190 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2193 return PTR_ERR(table);
2195 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2197 return PTR_ERR(chain);
2199 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2201 return PTR_ERR(rule);
2203 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2207 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2208 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2209 family, table, chain, rule);
2213 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2220 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2221 struct nft_rule *rule)
2223 struct nft_expr *expr;
2226 * Careful: some expressions might not be initialized in case this
2227 * is called on error from nf_tables_newrule().
2229 expr = nft_expr_first(rule);
2230 while (expr != nft_expr_last(rule) && expr->ops) {
2231 nf_tables_expr_destroy(ctx, expr);
2232 expr = nft_expr_next(expr);
2237 #define NFT_RULE_MAXEXPRS 128
2239 static struct nft_expr_info *info;
2241 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2242 struct sk_buff *skb, const struct nlmsghdr *nlh,
2243 const struct nlattr * const nla[],
2244 struct netlink_ext_ack *extack)
2246 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2247 u8 genmask = nft_genmask_next(net);
2248 int family = nfmsg->nfgen_family;
2249 struct nft_table *table;
2250 struct nft_chain *chain;
2251 struct nft_rule *rule, *old_rule = NULL;
2252 struct nft_userdata *udata;
2253 struct nft_trans *trans = NULL;
2254 struct nft_expr *expr;
2257 unsigned int size, i, n, ulen = 0, usize = 0;
2260 u64 handle, pos_handle;
2262 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2264 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2267 return PTR_ERR(table);
2269 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2271 return PTR_ERR(chain);
2273 if (nla[NFTA_RULE_HANDLE]) {
2274 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2275 rule = __nf_tables_rule_lookup(chain, handle);
2277 return PTR_ERR(rule);
2279 if (nlh->nlmsg_flags & NLM_F_EXCL)
2281 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2286 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2288 handle = nf_tables_alloc_handle(table);
2290 if (chain->use == UINT_MAX)
2294 if (nla[NFTA_RULE_POSITION]) {
2295 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2298 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2299 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2300 if (IS_ERR(old_rule))
2301 return PTR_ERR(old_rule);
2304 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2308 if (nla[NFTA_RULE_EXPRESSIONS]) {
2309 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2311 if (nla_type(tmp) != NFTA_LIST_ELEM)
2313 if (n == NFT_RULE_MAXEXPRS)
2315 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2318 size += info[n].ops->size;
2322 /* Check for overflow of dlen field */
2324 if (size >= 1 << 12)
2327 if (nla[NFTA_RULE_USERDATA]) {
2328 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2330 usize = sizeof(struct nft_userdata) + ulen;
2334 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2338 nft_activate_next(net, rule);
2340 rule->handle = handle;
2342 rule->udata = ulen ? 1 : 0;
2345 udata = nft_userdata(rule);
2346 udata->len = ulen - 1;
2347 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2350 expr = nft_expr_first(rule);
2351 for (i = 0; i < n; i++) {
2352 err = nf_tables_newexpr(&ctx, &info[i], expr);
2356 expr = nft_expr_next(expr);
2359 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2360 if (nft_is_active_next(net, old_rule)) {
2361 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2363 if (trans == NULL) {
2367 nft_deactivate_next(net, old_rule);
2369 list_add_tail_rcu(&rule->list, &old_rule->list);
2374 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2376 list_add_rcu(&rule->list, &old_rule->list);
2378 list_add_tail_rcu(&rule->list, &chain->rules);
2381 list_add_tail_rcu(&rule->list, &old_rule->list);
2383 list_add_rcu(&rule->list, &chain->rules);
2386 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2394 list_del_rcu(&rule->list);
2396 nf_tables_rule_destroy(&ctx, rule);
2398 for (i = 0; i < n; i++) {
2399 if (info[i].ops != NULL)
2400 module_put(info[i].ops->type->owner);
2405 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2406 const struct nlattr *nla)
2408 u32 id = ntohl(nla_get_be32(nla));
2409 struct nft_trans *trans;
2411 list_for_each_entry(trans, &net->nft.commit_list, list) {
2412 struct nft_rule *rule = nft_trans_rule(trans);
2414 if (trans->msg_type == NFT_MSG_NEWRULE &&
2415 id == nft_trans_rule_id(trans))
2418 return ERR_PTR(-ENOENT);
2421 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2422 struct sk_buff *skb, const struct nlmsghdr *nlh,
2423 const struct nlattr * const nla[],
2424 struct netlink_ext_ack *extack)
2426 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2427 u8 genmask = nft_genmask_next(net);
2428 struct nft_table *table;
2429 struct nft_chain *chain = NULL;
2430 struct nft_rule *rule;
2431 int family = nfmsg->nfgen_family, err = 0;
2434 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2437 return PTR_ERR(table);
2439 if (nla[NFTA_RULE_CHAIN]) {
2440 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2443 return PTR_ERR(chain);
2446 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2449 if (nla[NFTA_RULE_HANDLE]) {
2450 rule = nf_tables_rule_lookup(chain,
2451 nla[NFTA_RULE_HANDLE]);
2453 return PTR_ERR(rule);
2455 err = nft_delrule(&ctx, rule);
2456 } else if (nla[NFTA_RULE_ID]) {
2457 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2459 return PTR_ERR(rule);
2461 err = nft_delrule(&ctx, rule);
2463 err = nft_delrule_by_chain(&ctx);
2466 list_for_each_entry(chain, &table->chains, list) {
2467 if (!nft_is_active_next(net, chain))
2471 err = nft_delrule_by_chain(&ctx);
2484 static LIST_HEAD(nf_tables_set_types);
2486 int nft_register_set(struct nft_set_type *type)
2488 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2489 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2490 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2493 EXPORT_SYMBOL_GPL(nft_register_set);
2495 void nft_unregister_set(struct nft_set_type *type)
2497 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2498 list_del_rcu(&type->list);
2499 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2501 EXPORT_SYMBOL_GPL(nft_unregister_set);
2503 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2504 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2506 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2508 if ((flags & NFT_SET_EVAL) && !ops->update)
2511 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2515 * Select a set implementation based on the data characteristics and the
2516 * given policy. The total memory use might not be known if no size is
2517 * given, in that case the amount of memory per element is used.
2519 static const struct nft_set_ops *
2520 nft_select_set_ops(const struct nft_ctx *ctx,
2521 const struct nlattr * const nla[],
2522 const struct nft_set_desc *desc,
2523 enum nft_set_policies policy)
2525 const struct nft_set_ops *ops, *bops;
2526 struct nft_set_estimate est, best;
2527 const struct nft_set_type *type;
2530 #ifdef CONFIG_MODULES
2531 if (list_empty(&nf_tables_set_types)) {
2532 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2533 request_module("nft-set");
2534 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2535 if (!list_empty(&nf_tables_set_types))
2536 return ERR_PTR(-EAGAIN);
2539 if (nla[NFTA_SET_FLAGS] != NULL)
2540 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2547 list_for_each_entry(type, &nf_tables_set_types, list) {
2548 if (!type->select_ops)
2551 ops = type->select_ops(ctx, desc, flags);
2555 if (!nft_set_ops_candidate(ops, flags))
2557 if (!ops->estimate(desc, flags, &est))
2561 case NFT_SET_POL_PERFORMANCE:
2562 if (est.lookup < best.lookup)
2564 if (est.lookup == best.lookup &&
2565 est.space < best.space)
2568 case NFT_SET_POL_MEMORY:
2570 if (est.space < best.space)
2572 if (est.space == best.space &&
2573 est.lookup < best.lookup)
2575 } else if (est.size < best.size || !bops) {
2583 if (!try_module_get(type->owner))
2586 module_put(bops->type->owner);
2595 return ERR_PTR(-EOPNOTSUPP);
2598 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2599 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2600 .len = NFT_TABLE_MAXNAMELEN - 1 },
2601 [NFTA_SET_NAME] = { .type = NLA_STRING,
2602 .len = NFT_SET_MAXNAMELEN - 1 },
2603 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2604 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2605 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2606 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2607 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2608 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2609 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2610 [NFTA_SET_ID] = { .type = NLA_U32 },
2611 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2612 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2613 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2614 .len = NFT_USERDATA_MAXLEN },
2615 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2616 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2619 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2620 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2623 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2624 const struct sk_buff *skb,
2625 const struct nlmsghdr *nlh,
2626 const struct nlattr * const nla[],
2629 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2630 int family = nfmsg->nfgen_family;
2631 struct nft_table *table = NULL;
2633 if (nla[NFTA_SET_TABLE] != NULL) {
2634 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
2637 return PTR_ERR(table);
2640 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2644 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2645 const struct nlattr *nla, u8 genmask)
2647 struct nft_set *set;
2650 return ERR_PTR(-EINVAL);
2652 list_for_each_entry(set, &table->sets, list) {
2653 if (!nla_strcmp(nla, set->name) &&
2654 nft_active_genmask(set, genmask))
2657 return ERR_PTR(-ENOENT);
2660 static struct nft_set *nf_tables_set_lookup_byhandle(const struct nft_table *table,
2661 const struct nlattr *nla, u8 genmask)
2663 struct nft_set *set;
2666 return ERR_PTR(-EINVAL);
2668 list_for_each_entry(set, &table->sets, list) {
2669 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2670 nft_active_genmask(set, genmask))
2673 return ERR_PTR(-ENOENT);
2676 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2677 const struct nlattr *nla,
2680 struct nft_trans *trans;
2681 u32 id = ntohl(nla_get_be32(nla));
2683 list_for_each_entry(trans, &net->nft.commit_list, list) {
2684 struct nft_set *set = nft_trans_set(trans);
2686 if (trans->msg_type == NFT_MSG_NEWSET &&
2687 id == nft_trans_set_id(trans) &&
2688 nft_active_genmask(set, genmask))
2691 return ERR_PTR(-ENOENT);
2694 struct nft_set *nft_set_lookup(const struct net *net,
2695 const struct nft_table *table,
2696 const struct nlattr *nla_set_name,
2697 const struct nlattr *nla_set_id,
2700 struct nft_set *set;
2702 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2707 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2711 EXPORT_SYMBOL_GPL(nft_set_lookup);
2713 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2716 const struct nft_set *i;
2718 unsigned long *inuse;
2719 unsigned int n = 0, min = 0;
2721 p = strchr(name, '%');
2723 if (p[1] != 'd' || strchr(p + 2, '%'))
2726 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2730 list_for_each_entry(i, &ctx->table->sets, list) {
2733 if (!nft_is_active_next(ctx->net, set))
2735 if (!sscanf(i->name, name, &tmp))
2737 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2740 set_bit(tmp - min, inuse);
2743 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2744 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2745 min += BITS_PER_BYTE * PAGE_SIZE;
2746 memset(inuse, 0, PAGE_SIZE);
2749 free_page((unsigned long)inuse);
2752 set->name = kasprintf(GFP_KERNEL, name, min + n);
2756 list_for_each_entry(i, &ctx->table->sets, list) {
2757 if (!nft_is_active_next(ctx->net, i))
2759 if (!strcmp(set->name, i->name)) {
2767 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2768 const struct nft_set *set, u16 event, u16 flags)
2770 struct nfgenmsg *nfmsg;
2771 struct nlmsghdr *nlh;
2772 struct nlattr *desc;
2773 u32 portid = ctx->portid;
2776 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2777 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2780 goto nla_put_failure;
2782 nfmsg = nlmsg_data(nlh);
2783 nfmsg->nfgen_family = ctx->family;
2784 nfmsg->version = NFNETLINK_V0;
2785 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2787 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2788 goto nla_put_failure;
2789 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2790 goto nla_put_failure;
2791 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2793 goto nla_put_failure;
2794 if (set->flags != 0)
2795 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2796 goto nla_put_failure;
2798 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2799 goto nla_put_failure;
2800 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2801 goto nla_put_failure;
2802 if (set->flags & NFT_SET_MAP) {
2803 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2804 goto nla_put_failure;
2805 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2806 goto nla_put_failure;
2808 if (set->flags & NFT_SET_OBJECT &&
2809 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2810 goto nla_put_failure;
2813 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2814 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2816 goto nla_put_failure;
2818 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2819 goto nla_put_failure;
2821 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2822 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2823 goto nla_put_failure;
2826 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2827 goto nla_put_failure;
2829 desc = nla_nest_start(skb, NFTA_SET_DESC);
2831 goto nla_put_failure;
2833 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2834 goto nla_put_failure;
2835 nla_nest_end(skb, desc);
2837 nlmsg_end(skb, nlh);
2841 nlmsg_trim(skb, nlh);
2845 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2846 const struct nft_set *set, int event,
2849 struct sk_buff *skb;
2850 u32 portid = ctx->portid;
2854 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2857 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2861 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2867 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2871 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2874 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2876 const struct nft_set *set;
2877 unsigned int idx, s_idx = cb->args[0];
2878 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2879 struct net *net = sock_net(skb->sk);
2880 struct nft_ctx *ctx = cb->data, ctx_set;
2886 cb->seq = net->nft.base_seq;
2888 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2889 if (ctx->family != NFPROTO_UNSPEC &&
2890 ctx->family != table->family)
2893 if (ctx->table && ctx->table != table)
2897 if (cur_table != table)
2903 list_for_each_entry_rcu(set, &table->sets, list) {
2906 if (!nft_is_active(net, set))
2910 ctx_set.table = table;
2911 ctx_set.family = table->family;
2913 if (nf_tables_fill_set(skb, &ctx_set, set,
2917 cb->args[2] = (unsigned long) table;
2920 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2933 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2939 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2940 struct sk_buff *skb, const struct nlmsghdr *nlh,
2941 const struct nlattr * const nla[],
2942 struct netlink_ext_ack *extack)
2944 u8 genmask = nft_genmask_cur(net);
2945 const struct nft_set *set;
2947 struct sk_buff *skb2;
2948 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2951 /* Verify existence before starting dump */
2952 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2956 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2957 struct netlink_dump_control c = {
2958 .dump = nf_tables_dump_sets,
2959 .done = nf_tables_dump_sets_done,
2961 struct nft_ctx *ctx_dump;
2963 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2964 if (ctx_dump == NULL)
2970 return netlink_dump_start(nlsk, skb, nlh, &c);
2973 /* Only accept unspec with dump */
2974 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2975 return -EAFNOSUPPORT;
2976 if (!nla[NFTA_SET_TABLE])
2979 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2981 return PTR_ERR(set);
2983 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2987 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2991 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2998 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2999 struct nft_set_desc *desc,
3000 const struct nlattr *nla)
3002 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3005 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3006 nft_set_desc_policy, NULL);
3010 if (da[NFTA_SET_DESC_SIZE] != NULL)
3011 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3016 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3017 struct sk_buff *skb, const struct nlmsghdr *nlh,
3018 const struct nlattr * const nla[],
3019 struct netlink_ext_ack *extack)
3021 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3022 u8 genmask = nft_genmask_next(net);
3023 int family = nfmsg->nfgen_family;
3024 const struct nft_set_ops *ops;
3025 struct nft_table *table;
3026 struct nft_set *set;
3032 u32 ktype, dtype, flags, policy, gc_int, objtype;
3033 struct nft_set_desc desc;
3034 unsigned char *udata;
3038 if (nla[NFTA_SET_TABLE] == NULL ||
3039 nla[NFTA_SET_NAME] == NULL ||
3040 nla[NFTA_SET_KEY_LEN] == NULL ||
3041 nla[NFTA_SET_ID] == NULL)
3044 memset(&desc, 0, sizeof(desc));
3046 ktype = NFT_DATA_VALUE;
3047 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3048 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3049 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3053 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3054 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3058 if (nla[NFTA_SET_FLAGS] != NULL) {
3059 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3060 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3061 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3062 NFT_SET_MAP | NFT_SET_EVAL |
3065 /* Only one of these operations is supported */
3066 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3067 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3072 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3073 if (!(flags & NFT_SET_MAP))
3076 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3077 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3078 dtype != NFT_DATA_VERDICT)
3081 if (dtype != NFT_DATA_VERDICT) {
3082 if (nla[NFTA_SET_DATA_LEN] == NULL)
3084 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3085 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3088 desc.dlen = sizeof(struct nft_verdict);
3089 } else if (flags & NFT_SET_MAP)
3092 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3093 if (!(flags & NFT_SET_OBJECT))
3096 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3097 if (objtype == NFT_OBJECT_UNSPEC ||
3098 objtype > NFT_OBJECT_MAX)
3100 } else if (flags & NFT_SET_OBJECT)
3103 objtype = NFT_OBJECT_UNSPEC;
3106 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3107 if (!(flags & NFT_SET_TIMEOUT))
3109 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3110 nla[NFTA_SET_TIMEOUT])));
3113 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3114 if (!(flags & NFT_SET_TIMEOUT))
3116 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3119 policy = NFT_SET_POL_PERFORMANCE;
3120 if (nla[NFTA_SET_POLICY] != NULL)
3121 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3123 if (nla[NFTA_SET_DESC] != NULL) {
3124 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3129 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3131 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], family,
3134 return PTR_ERR(table);
3136 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3138 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3140 if (PTR_ERR(set) != -ENOENT)
3141 return PTR_ERR(set);
3143 if (nlh->nlmsg_flags & NLM_F_EXCL)
3145 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3150 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3153 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3155 return PTR_ERR(ops);
3158 if (nla[NFTA_SET_USERDATA])
3159 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3162 if (ops->privsize != NULL)
3163 size = ops->privsize(nla, &desc);
3165 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3171 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3177 err = nf_tables_set_alloc_name(&ctx, set, name);
3184 udata = set->data + size;
3185 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3188 INIT_LIST_HEAD(&set->bindings);
3191 set->klen = desc.klen;
3193 set->objtype = objtype;
3194 set->dlen = desc.dlen;
3196 set->size = desc.size;
3197 set->policy = policy;
3200 set->timeout = timeout;
3201 set->gc_int = gc_int;
3202 set->handle = nf_tables_alloc_handle(table);
3204 err = ops->init(set, &desc, nla);
3208 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3212 list_add_tail_rcu(&set->list, &table->sets);
3221 module_put(ops->type->owner);
3225 static void nft_set_destroy(struct nft_set *set)
3227 set->ops->destroy(set);
3228 module_put(set->ops->type->owner);
3233 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3235 list_del_rcu(&set->list);
3236 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3237 nft_set_destroy(set);
3240 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3241 struct sk_buff *skb, const struct nlmsghdr *nlh,
3242 const struct nlattr * const nla[],
3243 struct netlink_ext_ack *extack)
3245 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3246 u8 genmask = nft_genmask_next(net);
3247 struct nft_set *set;
3251 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3252 return -EAFNOSUPPORT;
3253 if (nla[NFTA_SET_TABLE] == NULL)
3256 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3260 if (nla[NFTA_SET_HANDLE])
3261 set = nf_tables_set_lookup_byhandle(ctx.table, nla[NFTA_SET_HANDLE], genmask);
3263 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3265 return PTR_ERR(set);
3267 if (!list_empty(&set->bindings) ||
3268 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3271 return nft_delset(&ctx, set);
3274 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3275 struct nft_set *set,
3276 const struct nft_set_iter *iter,
3277 struct nft_set_elem *elem)
3279 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3280 enum nft_registers dreg;
3282 dreg = nft_type_to_reg(set->dtype);
3283 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3284 set->dtype == NFT_DATA_VERDICT ?
3285 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3289 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3290 struct nft_set_binding *binding)
3292 struct nft_set_binding *i;
3293 struct nft_set_iter iter;
3295 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3298 if (binding->flags & NFT_SET_MAP) {
3299 /* If the set is already bound to the same chain all
3300 * jumps are already validated for that chain.
3302 list_for_each_entry(i, &set->bindings, list) {
3303 if (i->flags & NFT_SET_MAP &&
3304 i->chain == binding->chain)
3308 iter.genmask = nft_genmask_next(ctx->net);
3312 iter.fn = nf_tables_bind_check_setelem;
3314 set->ops->walk(ctx, set, &iter);
3319 binding->chain = ctx->chain;
3320 list_add_tail_rcu(&binding->list, &set->bindings);
3323 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3325 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3326 struct nft_set_binding *binding)
3328 list_del_rcu(&binding->list);
3330 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3331 nft_is_active(ctx->net, set))
3332 nf_tables_set_destroy(ctx, set);
3334 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3336 const struct nft_set_ext_type nft_set_ext_types[] = {
3337 [NFT_SET_EXT_KEY] = {
3338 .align = __alignof__(u32),
3340 [NFT_SET_EXT_DATA] = {
3341 .align = __alignof__(u32),
3343 [NFT_SET_EXT_EXPR] = {
3344 .align = __alignof__(struct nft_expr),
3346 [NFT_SET_EXT_OBJREF] = {
3347 .len = sizeof(struct nft_object *),
3348 .align = __alignof__(struct nft_object *),
3350 [NFT_SET_EXT_FLAGS] = {
3352 .align = __alignof__(u8),
3354 [NFT_SET_EXT_TIMEOUT] = {
3356 .align = __alignof__(u64),
3358 [NFT_SET_EXT_EXPIRATION] = {
3359 .len = sizeof(unsigned long),
3360 .align = __alignof__(unsigned long),
3362 [NFT_SET_EXT_USERDATA] = {
3363 .len = sizeof(struct nft_userdata),
3364 .align = __alignof__(struct nft_userdata),
3367 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3373 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3374 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3375 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3376 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3377 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3378 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3379 .len = NFT_USERDATA_MAXLEN },
3380 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3381 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3384 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3385 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3386 .len = NFT_TABLE_MAXNAMELEN - 1 },
3387 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3388 .len = NFT_SET_MAXNAMELEN - 1 },
3389 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3390 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3393 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3394 const struct sk_buff *skb,
3395 const struct nlmsghdr *nlh,
3396 const struct nlattr * const nla[],
3399 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3400 int family = nfmsg->nfgen_family;
3401 struct nft_table *table;
3403 table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
3406 return PTR_ERR(table);
3408 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3412 static int nf_tables_fill_setelem(struct sk_buff *skb,
3413 const struct nft_set *set,
3414 const struct nft_set_elem *elem)
3416 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3417 unsigned char *b = skb_tail_pointer(skb);
3418 struct nlattr *nest;
3420 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3422 goto nla_put_failure;
3424 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3425 NFT_DATA_VALUE, set->klen) < 0)
3426 goto nla_put_failure;
3428 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3429 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3430 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3432 goto nla_put_failure;
3434 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3435 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3436 goto nla_put_failure;
3438 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3439 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3440 (*nft_set_ext_obj(ext))->name) < 0)
3441 goto nla_put_failure;
3443 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3444 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3445 htonl(*nft_set_ext_flags(ext))))
3446 goto nla_put_failure;
3448 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3449 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3450 cpu_to_be64(jiffies_to_msecs(
3451 *nft_set_ext_timeout(ext))),
3453 goto nla_put_failure;
3455 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3456 unsigned long expires, now = jiffies;
3458 expires = *nft_set_ext_expiration(ext);
3459 if (time_before(now, expires))
3464 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3465 cpu_to_be64(jiffies_to_msecs(expires)),
3467 goto nla_put_failure;
3470 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3471 struct nft_userdata *udata;
3473 udata = nft_set_ext_userdata(ext);
3474 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3475 udata->len + 1, udata->data))
3476 goto nla_put_failure;
3479 nla_nest_end(skb, nest);
3487 struct nft_set_dump_args {
3488 const struct netlink_callback *cb;
3489 struct nft_set_iter iter;
3490 struct sk_buff *skb;
3493 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3494 struct nft_set *set,
3495 const struct nft_set_iter *iter,
3496 struct nft_set_elem *elem)
3498 struct nft_set_dump_args *args;
3500 args = container_of(iter, struct nft_set_dump_args, iter);
3501 return nf_tables_fill_setelem(args->skb, set, elem);
3504 struct nft_set_dump_ctx {
3505 const struct nft_set *set;
3509 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3511 struct nft_set_dump_ctx *dump_ctx = cb->data;
3512 struct net *net = sock_net(skb->sk);
3513 struct nft_table *table;
3514 struct nft_set *set;
3515 struct nft_set_dump_args args;
3516 bool set_found = false;
3517 struct nfgenmsg *nfmsg;
3518 struct nlmsghdr *nlh;
3519 struct nlattr *nest;
3524 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3525 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3526 dump_ctx->ctx.family != table->family)
3529 if (table != dump_ctx->ctx.table)
3532 list_for_each_entry_rcu(set, &table->sets, list) {
3533 if (set == dump_ctx->set) {
3546 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3547 portid = NETLINK_CB(cb->skb).portid;
3548 seq = cb->nlh->nlmsg_seq;
3550 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3553 goto nla_put_failure;
3555 nfmsg = nlmsg_data(nlh);
3556 nfmsg->nfgen_family = table->family;
3557 nfmsg->version = NFNETLINK_V0;
3558 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3560 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3561 goto nla_put_failure;
3562 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3563 goto nla_put_failure;
3565 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3567 goto nla_put_failure;
3571 args.iter.genmask = nft_genmask_cur(net);
3572 args.iter.skip = cb->args[0];
3573 args.iter.count = 0;
3575 args.iter.fn = nf_tables_dump_setelem;
3576 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3579 nla_nest_end(skb, nest);
3580 nlmsg_end(skb, nlh);
3582 if (args.iter.err && args.iter.err != -EMSGSIZE)
3583 return args.iter.err;
3584 if (args.iter.count == cb->args[0])
3587 cb->args[0] = args.iter.count;
3595 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3601 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3602 const struct nft_ctx *ctx, u32 seq,
3603 u32 portid, int event, u16 flags,
3604 const struct nft_set *set,
3605 const struct nft_set_elem *elem)
3607 struct nfgenmsg *nfmsg;
3608 struct nlmsghdr *nlh;
3609 struct nlattr *nest;
3612 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3613 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3616 goto nla_put_failure;
3618 nfmsg = nlmsg_data(nlh);
3619 nfmsg->nfgen_family = ctx->family;
3620 nfmsg->version = NFNETLINK_V0;
3621 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3623 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3624 goto nla_put_failure;
3625 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3626 goto nla_put_failure;
3628 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3630 goto nla_put_failure;
3632 err = nf_tables_fill_setelem(skb, set, elem);
3634 goto nla_put_failure;
3636 nla_nest_end(skb, nest);
3638 nlmsg_end(skb, nlh);
3642 nlmsg_trim(skb, nlh);
3646 static int nft_setelem_parse_flags(const struct nft_set *set,
3647 const struct nlattr *attr, u32 *flags)
3652 *flags = ntohl(nla_get_be32(attr));
3653 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3655 if (!(set->flags & NFT_SET_INTERVAL) &&
3656 *flags & NFT_SET_ELEM_INTERVAL_END)
3662 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3663 const struct nlattr *attr)
3665 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3666 const struct nft_set_ext *ext;
3667 struct nft_data_desc desc;
3668 struct nft_set_elem elem;
3669 struct sk_buff *skb;
3674 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3675 nft_set_elem_policy, NULL);
3679 if (!nla[NFTA_SET_ELEM_KEY])
3682 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3686 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3687 nla[NFTA_SET_ELEM_KEY]);
3692 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3695 priv = set->ops->get(ctx->net, set, &elem, flags);
3697 return PTR_ERR(priv);
3700 ext = nft_set_elem_ext(set, &elem);
3703 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3707 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3708 NFT_MSG_NEWSETELEM, 0, set, &elem);
3712 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3713 /* This avoids a loop in nfnetlink. */
3721 /* this avoids a loop in nfnetlink. */
3722 return err == -EAGAIN ? -ENOBUFS : err;
3725 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3726 struct sk_buff *skb, const struct nlmsghdr *nlh,
3727 const struct nlattr * const nla[],
3728 struct netlink_ext_ack *extack)
3730 u8 genmask = nft_genmask_cur(net);
3731 struct nft_set *set;
3732 struct nlattr *attr;
3736 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3740 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3743 return PTR_ERR(set);
3745 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3746 struct netlink_dump_control c = {
3747 .dump = nf_tables_dump_set,
3748 .done = nf_tables_dump_set_done,
3750 struct nft_set_dump_ctx *dump_ctx;
3752 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3756 dump_ctx->set = set;
3757 dump_ctx->ctx = ctx;
3760 return netlink_dump_start(nlsk, skb, nlh, &c);
3763 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3766 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3767 err = nft_get_set_elem(&ctx, set, attr);
3775 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3776 const struct nft_set *set,
3777 const struct nft_set_elem *elem,
3778 int event, u16 flags)
3780 struct net *net = ctx->net;
3781 u32 portid = ctx->portid;
3782 struct sk_buff *skb;
3785 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3788 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3792 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3799 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3803 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3806 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3808 struct nft_set *set)
3810 struct nft_trans *trans;
3812 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3816 nft_trans_elem_set(trans) = set;
3820 void *nft_set_elem_init(const struct nft_set *set,
3821 const struct nft_set_ext_tmpl *tmpl,
3822 const u32 *key, const u32 *data,
3823 u64 timeout, gfp_t gfp)
3825 struct nft_set_ext *ext;
3828 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3832 ext = nft_set_elem_ext(set, elem);
3833 nft_set_ext_init(ext, tmpl);
3835 memcpy(nft_set_ext_key(ext), key, set->klen);
3836 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3837 memcpy(nft_set_ext_data(ext), data, set->dlen);
3838 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3839 *nft_set_ext_expiration(ext) =
3841 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3842 *nft_set_ext_timeout(ext) = timeout;
3847 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3850 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3852 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3853 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3854 nft_data_release(nft_set_ext_data(ext), set->dtype);
3855 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3856 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3857 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3858 (*nft_set_ext_obj(ext))->use--;
3861 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3863 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3864 * the refcounting from the preparation phase.
3866 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3868 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3870 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3871 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3875 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3876 const struct nlattr *attr, u32 nlmsg_flags)
3878 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3879 u8 genmask = nft_genmask_next(ctx->net);
3880 struct nft_data_desc d1, d2;
3881 struct nft_set_ext_tmpl tmpl;
3882 struct nft_set_ext *ext, *ext2;
3883 struct nft_set_elem elem;
3884 struct nft_set_binding *binding;
3885 struct nft_object *obj = NULL;
3886 struct nft_userdata *udata;
3887 struct nft_data data;
3888 enum nft_registers dreg;
3889 struct nft_trans *trans;
3895 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3896 nft_set_elem_policy, NULL);
3900 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3903 nft_set_ext_prepare(&tmpl);
3905 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3909 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3911 if (set->flags & NFT_SET_MAP) {
3912 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3913 !(flags & NFT_SET_ELEM_INTERVAL_END))
3915 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3916 flags & NFT_SET_ELEM_INTERVAL_END)
3919 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3924 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3925 if (!(set->flags & NFT_SET_TIMEOUT))
3927 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3928 nla[NFTA_SET_ELEM_TIMEOUT])));
3929 } else if (set->flags & NFT_SET_TIMEOUT) {
3930 timeout = set->timeout;
3933 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3934 nla[NFTA_SET_ELEM_KEY]);
3938 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3941 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3943 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3944 if (timeout != set->timeout)
3945 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3948 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3949 if (!(set->flags & NFT_SET_OBJECT)) {
3953 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3954 set->objtype, genmask);
3959 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3962 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3963 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3964 nla[NFTA_SET_ELEM_DATA]);
3969 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3972 dreg = nft_type_to_reg(set->dtype);
3973 list_for_each_entry(binding, &set->bindings, list) {
3974 struct nft_ctx bind_ctx = {
3976 .family = ctx->family,
3977 .table = ctx->table,
3978 .chain = (struct nft_chain *)binding->chain,
3981 if (!(binding->flags & NFT_SET_MAP))
3984 err = nft_validate_register_store(&bind_ctx, dreg,
3991 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3994 /* The full maximum length of userdata can exceed the maximum
3995 * offset value (U8_MAX) for following extensions, therefor it
3996 * must be the last extension added.
3999 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4000 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4002 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4007 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4008 timeout, GFP_KERNEL);
4009 if (elem.priv == NULL)
4012 ext = nft_set_elem_ext(set, elem.priv);
4014 *nft_set_ext_flags(ext) = flags;
4016 udata = nft_set_ext_userdata(ext);
4017 udata->len = ulen - 1;
4018 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4021 *nft_set_ext_obj(ext) = obj;
4025 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4029 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4030 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4032 if (err == -EEXIST) {
4033 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4034 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4035 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4036 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
4038 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4039 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4040 memcmp(nft_set_ext_data(ext),
4041 nft_set_ext_data(ext2), set->dlen) != 0) ||
4042 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4043 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4044 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4046 else if (!(nlmsg_flags & NLM_F_EXCL))
4053 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4058 nft_trans_elem(trans) = elem;
4059 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4063 set->ops->remove(ctx->net, set, &elem);
4069 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4070 nft_data_release(&data, d2.type);
4072 nft_data_release(&elem.key.val, d1.type);
4077 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4078 struct sk_buff *skb, const struct nlmsghdr *nlh,
4079 const struct nlattr * const nla[],
4080 struct netlink_ext_ack *extack)
4082 u8 genmask = nft_genmask_next(net);
4083 const struct nlattr *attr;
4084 struct nft_set *set;
4088 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4091 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4095 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4098 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4099 set = nf_tables_set_lookup_byid(net,
4100 nla[NFTA_SET_ELEM_LIST_SET_ID],
4104 return PTR_ERR(set);
4107 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4110 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4111 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4119 * nft_data_hold - hold a nft_data item
4121 * @data: struct nft_data to release
4122 * @type: type of data
4124 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4125 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4126 * NFT_GOTO verdicts. This function must be called on active data objects
4127 * from the second phase of the commit protocol.
4129 static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4131 if (type == NFT_DATA_VERDICT) {
4132 switch (data->verdict.code) {
4135 data->verdict.chain->use++;
4141 static void nft_set_elem_activate(const struct net *net,
4142 const struct nft_set *set,
4143 struct nft_set_elem *elem)
4145 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4147 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4148 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4149 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4150 (*nft_set_ext_obj(ext))->use++;
4153 static void nft_set_elem_deactivate(const struct net *net,
4154 const struct nft_set *set,
4155 struct nft_set_elem *elem)
4157 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4159 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4160 nft_data_release(nft_set_ext_data(ext), set->dtype);
4161 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4162 (*nft_set_ext_obj(ext))->use--;
4165 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4166 const struct nlattr *attr)
4168 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4169 struct nft_set_ext_tmpl tmpl;
4170 struct nft_data_desc desc;
4171 struct nft_set_elem elem;
4172 struct nft_set_ext *ext;
4173 struct nft_trans *trans;
4178 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4179 nft_set_elem_policy, NULL);
4184 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4187 nft_set_ext_prepare(&tmpl);
4189 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4193 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4195 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4196 nla[NFTA_SET_ELEM_KEY]);
4201 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4204 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4207 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4209 if (elem.priv == NULL)
4212 ext = nft_set_elem_ext(set, elem.priv);
4214 *nft_set_ext_flags(ext) = flags;
4216 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4217 if (trans == NULL) {
4222 priv = set->ops->deactivate(ctx->net, set, &elem);
4230 nft_set_elem_deactivate(ctx->net, set, &elem);
4232 nft_trans_elem(trans) = elem;
4233 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4241 nft_data_release(&elem.key.val, desc.type);
4246 static int nft_flush_set(const struct nft_ctx *ctx,
4247 struct nft_set *set,
4248 const struct nft_set_iter *iter,
4249 struct nft_set_elem *elem)
4251 struct nft_trans *trans;
4254 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4255 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4259 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4265 nft_trans_elem_set(trans) = set;
4266 nft_trans_elem(trans) = *elem;
4267 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4275 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4276 struct sk_buff *skb, const struct nlmsghdr *nlh,
4277 const struct nlattr * const nla[],
4278 struct netlink_ext_ack *extack)
4280 u8 genmask = nft_genmask_next(net);
4281 const struct nlattr *attr;
4282 struct nft_set *set;
4286 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4290 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4293 return PTR_ERR(set);
4294 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4297 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4298 struct nft_set_iter iter = {
4300 .fn = nft_flush_set,
4302 set->ops->walk(&ctx, set, &iter);
4307 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4308 err = nft_del_setelem(&ctx, set, attr);
4317 void nft_set_gc_batch_release(struct rcu_head *rcu)
4319 struct nft_set_gc_batch *gcb;
4322 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4323 for (i = 0; i < gcb->head.cnt; i++)
4324 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4327 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4329 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4332 struct nft_set_gc_batch *gcb;
4334 gcb = kzalloc(sizeof(*gcb), gfp);
4337 gcb->head.set = set;
4340 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4347 * nft_register_obj- register nf_tables stateful object type
4350 * Registers the object type for use with nf_tables. Returns zero on
4351 * success or a negative errno code otherwise.
4353 int nft_register_obj(struct nft_object_type *obj_type)
4355 if (obj_type->type == NFT_OBJECT_UNSPEC)
4358 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4359 list_add_rcu(&obj_type->list, &nf_tables_objects);
4360 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4363 EXPORT_SYMBOL_GPL(nft_register_obj);
4366 * nft_unregister_obj - unregister nf_tables object type
4369 * Unregisters the object type for use with nf_tables.
4371 void nft_unregister_obj(struct nft_object_type *obj_type)
4373 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4374 list_del_rcu(&obj_type->list);
4375 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4377 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4379 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4380 const struct nlattr *nla,
4381 u32 objtype, u8 genmask)
4383 struct nft_object *obj;
4385 list_for_each_entry(obj, &table->objects, list) {
4386 if (!nla_strcmp(nla, obj->name) &&
4387 objtype == obj->ops->type->type &&
4388 nft_active_genmask(obj, genmask))
4391 return ERR_PTR(-ENOENT);
4393 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4395 struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
4396 const struct nlattr *nla,
4397 u32 objtype, u8 genmask)
4399 struct nft_object *obj;
4401 list_for_each_entry(obj, &table->objects, list) {
4402 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4403 objtype == obj->ops->type->type &&
4404 nft_active_genmask(obj, genmask))
4407 return ERR_PTR(-ENOENT);
4410 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4411 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4412 .len = NFT_TABLE_MAXNAMELEN - 1 },
4413 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4414 .len = NFT_OBJ_MAXNAMELEN - 1 },
4415 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4416 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4417 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4420 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4421 const struct nft_object_type *type,
4422 const struct nlattr *attr)
4424 struct nlattr *tb[type->maxattr + 1];
4425 const struct nft_object_ops *ops;
4426 struct nft_object *obj;
4430 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4435 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4438 if (type->select_ops) {
4439 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4449 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4453 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4463 return ERR_PTR(err);
4466 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4467 struct nft_object *obj, bool reset)
4469 struct nlattr *nest;
4471 nest = nla_nest_start(skb, attr);
4473 goto nla_put_failure;
4474 if (obj->ops->dump(skb, obj, reset) < 0)
4475 goto nla_put_failure;
4476 nla_nest_end(skb, nest);
4483 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4485 const struct nft_object_type *type;
4487 list_for_each_entry(type, &nf_tables_objects, list) {
4488 if (objtype == type->type)
4494 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4496 const struct nft_object_type *type;
4498 type = __nft_obj_type_get(objtype);
4499 if (type != NULL && try_module_get(type->owner))
4502 #ifdef CONFIG_MODULES
4504 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4505 request_module("nft-obj-%u", objtype);
4506 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4507 if (__nft_obj_type_get(objtype))
4508 return ERR_PTR(-EAGAIN);
4511 return ERR_PTR(-ENOENT);
4514 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4515 struct sk_buff *skb, const struct nlmsghdr *nlh,
4516 const struct nlattr * const nla[],
4517 struct netlink_ext_ack *extack)
4519 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4520 const struct nft_object_type *type;
4521 u8 genmask = nft_genmask_next(net);
4522 int family = nfmsg->nfgen_family;
4523 struct nft_table *table;
4524 struct nft_object *obj;
4529 if (!nla[NFTA_OBJ_TYPE] ||
4530 !nla[NFTA_OBJ_NAME] ||
4531 !nla[NFTA_OBJ_DATA])
4534 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4537 return PTR_ERR(table);
4539 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4540 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4547 if (nlh->nlmsg_flags & NLM_F_EXCL)
4553 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4555 type = nft_obj_type_get(objtype);
4557 return PTR_ERR(type);
4559 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4565 obj->handle = nf_tables_alloc_handle(table);
4567 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4573 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4577 list_add_tail_rcu(&obj->list, &table->objects);
4583 if (obj->ops->destroy)
4584 obj->ops->destroy(obj);
4587 module_put(type->owner);
4591 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4592 u32 portid, u32 seq, int event, u32 flags,
4593 int family, const struct nft_table *table,
4594 struct nft_object *obj, bool reset)
4596 struct nfgenmsg *nfmsg;
4597 struct nlmsghdr *nlh;
4599 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4600 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4602 goto nla_put_failure;
4604 nfmsg = nlmsg_data(nlh);
4605 nfmsg->nfgen_family = family;
4606 nfmsg->version = NFNETLINK_V0;
4607 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4609 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4610 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4611 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4612 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4613 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4614 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4616 goto nla_put_failure;
4618 nlmsg_end(skb, nlh);
4622 nlmsg_trim(skb, nlh);
4626 struct nft_obj_filter {
4631 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4633 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4634 const struct nft_table *table;
4635 unsigned int idx = 0, s_idx = cb->args[0];
4636 struct nft_obj_filter *filter = cb->data;
4637 struct net *net = sock_net(skb->sk);
4638 int family = nfmsg->nfgen_family;
4639 struct nft_object *obj;
4642 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4646 cb->seq = net->nft.base_seq;
4648 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4649 if (family != NFPROTO_UNSPEC && family != table->family)
4652 list_for_each_entry_rcu(obj, &table->objects, list) {
4653 if (!nft_is_active(net, obj))
4658 memset(&cb->args[1], 0,
4659 sizeof(cb->args) - sizeof(cb->args[0]));
4660 if (filter && filter->table[0] &&
4661 strcmp(filter->table, table->name))
4664 filter->type != NFT_OBJECT_UNSPEC &&
4665 obj->ops->type->type != filter->type)
4668 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4671 NLM_F_MULTI | NLM_F_APPEND,
4672 table->family, table,
4676 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4688 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4690 struct nft_obj_filter *filter = cb->data;
4693 kfree(filter->table);
4700 static struct nft_obj_filter *
4701 nft_obj_filter_alloc(const struct nlattr * const nla[])
4703 struct nft_obj_filter *filter;
4705 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4707 return ERR_PTR(-ENOMEM);
4709 if (nla[NFTA_OBJ_TABLE]) {
4710 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4711 if (!filter->table) {
4713 return ERR_PTR(-ENOMEM);
4716 if (nla[NFTA_OBJ_TYPE])
4717 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4722 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4723 struct sk_buff *skb, const struct nlmsghdr *nlh,
4724 const struct nlattr * const nla[],
4725 struct netlink_ext_ack *extack)
4727 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4728 u8 genmask = nft_genmask_cur(net);
4729 int family = nfmsg->nfgen_family;
4730 const struct nft_table *table;
4731 struct nft_object *obj;
4732 struct sk_buff *skb2;
4737 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4738 struct netlink_dump_control c = {
4739 .dump = nf_tables_dump_obj,
4740 .done = nf_tables_dump_obj_done,
4743 if (nla[NFTA_OBJ_TABLE] ||
4744 nla[NFTA_OBJ_TYPE]) {
4745 struct nft_obj_filter *filter;
4747 filter = nft_obj_filter_alloc(nla);
4753 return netlink_dump_start(nlsk, skb, nlh, &c);
4756 if (!nla[NFTA_OBJ_NAME] ||
4757 !nla[NFTA_OBJ_TYPE])
4760 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4763 return PTR_ERR(table);
4765 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4766 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4768 return PTR_ERR(obj);
4770 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4774 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4777 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4778 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4779 family, table, obj, reset);
4783 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4789 static void nft_obj_destroy(struct nft_object *obj)
4791 if (obj->ops->destroy)
4792 obj->ops->destroy(obj);
4794 module_put(obj->ops->type->owner);
4799 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4800 struct sk_buff *skb, const struct nlmsghdr *nlh,
4801 const struct nlattr * const nla[],
4802 struct netlink_ext_ack *extack)
4804 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4805 u8 genmask = nft_genmask_next(net);
4806 int family = nfmsg->nfgen_family;
4807 struct nft_table *table;
4808 struct nft_object *obj;
4812 if (!nla[NFTA_OBJ_TYPE] ||
4813 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4816 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4819 return PTR_ERR(table);
4821 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4822 if (nla[NFTA_OBJ_HANDLE])
4823 obj = nf_tables_obj_lookup_byhandle(table, nla[NFTA_OBJ_HANDLE],
4826 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME],
4829 return PTR_ERR(obj);
4833 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4835 return nft_delobj(&ctx, obj);
4838 void nft_obj_notify(struct net *net, struct nft_table *table,
4839 struct nft_object *obj, u32 portid, u32 seq, int event,
4840 int family, int report, gfp_t gfp)
4842 struct sk_buff *skb;
4846 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4849 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4853 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4860 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4863 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4865 EXPORT_SYMBOL_GPL(nft_obj_notify);
4867 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4868 struct nft_object *obj, int event)
4870 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4871 ctx->family, ctx->report, GFP_KERNEL);
4877 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4879 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4880 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4881 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4883 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4885 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4887 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4888 list_del_rcu(&type->list);
4889 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4891 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4893 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4894 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4895 .len = NFT_NAME_MAXLEN - 1 },
4896 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4897 .len = NFT_NAME_MAXLEN - 1 },
4898 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4899 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
4902 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
4903 const struct nlattr *nla,
4906 struct nft_flowtable *flowtable;
4908 list_for_each_entry(flowtable, &table->flowtables, list) {
4909 if (!nla_strcmp(nla, flowtable->name) &&
4910 nft_active_genmask(flowtable, genmask))
4913 return ERR_PTR(-ENOENT);
4915 EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
4917 struct nft_flowtable *
4918 nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
4919 const struct nlattr *nla, u8 genmask)
4921 struct nft_flowtable *flowtable;
4923 list_for_each_entry(flowtable, &table->flowtables, list) {
4924 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
4925 nft_active_genmask(flowtable, genmask))
4928 return ERR_PTR(-ENOENT);
4931 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4932 const struct nlattr *attr,
4933 struct net_device *dev_array[], int *len)
4935 const struct nlattr *tmp;
4936 struct net_device *dev;
4937 char ifname[IFNAMSIZ];
4938 int rem, n = 0, err;
4940 nla_for_each_nested(tmp, attr, rem) {
4941 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
4946 nla_strlcpy(ifname, tmp, IFNAMSIZ);
4947 dev = __dev_get_by_name(ctx->net, ifname);
4953 dev_array[n++] = dev;
4954 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
4968 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
4969 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
4970 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
4971 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
4974 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
4975 const struct nlattr *attr,
4976 struct nft_flowtable *flowtable)
4978 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
4979 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
4980 struct nf_hook_ops *ops;
4981 int hooknum, priority;
4984 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
4985 nft_flowtable_hook_policy, NULL);
4989 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
4990 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
4991 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
4994 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
4995 if (hooknum != NF_NETDEV_INGRESS)
4998 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5000 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5005 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
5009 flowtable->hooknum = hooknum;
5010 flowtable->priority = priority;
5011 flowtable->ops = ops;
5012 flowtable->ops_len = n;
5014 for (i = 0; i < n; i++) {
5015 flowtable->ops[i].pf = NFPROTO_NETDEV;
5016 flowtable->ops[i].hooknum = hooknum;
5017 flowtable->ops[i].priority = priority;
5018 flowtable->ops[i].priv = &flowtable->data.rhashtable;
5019 flowtable->ops[i].hook = flowtable->data.type->hook;
5020 flowtable->ops[i].dev = dev_array[i];
5021 flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
5028 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5030 const struct nf_flowtable_type *type;
5032 list_for_each_entry(type, &nf_tables_flowtables, list) {
5033 if (family == type->family)
5039 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5041 const struct nf_flowtable_type *type;
5043 type = __nft_flowtable_type_get(family);
5044 if (type != NULL && try_module_get(type->owner))
5047 #ifdef CONFIG_MODULES
5049 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5050 request_module("nf-flowtable-%u", family);
5051 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5052 if (__nft_flowtable_type_get(family))
5053 return ERR_PTR(-EAGAIN);
5056 return ERR_PTR(-ENOENT);
5059 void nft_flow_table_iterate(struct net *net,
5060 void (*iter)(struct nf_flowtable *flowtable, void *data),
5063 struct nft_flowtable *flowtable;
5064 const struct nft_table *table;
5066 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5067 list_for_each_entry(table, &net->nft.tables, list) {
5068 list_for_each_entry(flowtable, &table->flowtables, list) {
5069 iter(&flowtable->data, data);
5072 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5074 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
5076 static void nft_unregister_flowtable_net_hooks(struct net *net,
5077 struct nft_flowtable *flowtable)
5081 for (i = 0; i < flowtable->ops_len; i++) {
5082 if (!flowtable->ops[i].dev)
5085 nf_unregister_net_hook(net, &flowtable->ops[i]);
5089 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5090 struct sk_buff *skb,
5091 const struct nlmsghdr *nlh,
5092 const struct nlattr * const nla[],
5093 struct netlink_ext_ack *extack)
5095 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5096 const struct nf_flowtable_type *type;
5097 struct nft_flowtable *flowtable, *ft;
5098 u8 genmask = nft_genmask_next(net);
5099 int family = nfmsg->nfgen_family;
5100 struct nft_table *table;
5104 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5105 !nla[NFTA_FLOWTABLE_NAME] ||
5106 !nla[NFTA_FLOWTABLE_HOOK])
5109 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5112 return PTR_ERR(table);
5114 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5116 if (IS_ERR(flowtable)) {
5117 err = PTR_ERR(flowtable);
5121 if (nlh->nlmsg_flags & NLM_F_EXCL)
5127 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5129 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5133 flowtable->table = table;
5134 flowtable->handle = nf_tables_alloc_handle(table);
5136 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5137 if (!flowtable->name) {
5142 type = nft_flowtable_type_get(family);
5144 err = PTR_ERR(type);
5148 flowtable->data.type = type;
5149 err = rhashtable_init(&flowtable->data.rhashtable, type->params);
5153 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5158 for (i = 0; i < flowtable->ops_len; i++) {
5159 if (!flowtable->ops[i].dev)
5162 list_for_each_entry(ft, &table->flowtables, list) {
5163 for (k = 0; k < ft->ops_len; k++) {
5164 if (!ft->ops[k].dev)
5167 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5168 flowtable->ops[i].pf == ft->ops[k].pf) {
5175 err = nf_register_net_hook(net, &flowtable->ops[i]);
5180 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5184 INIT_DEFERRABLE_WORK(&flowtable->data.gc_work, type->gc);
5185 queue_delayed_work(system_power_efficient_wq,
5186 &flowtable->data.gc_work, HZ);
5188 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5193 i = flowtable->ops_len;
5195 for (k = i - 1; k >= 0; k--) {
5196 kfree(flowtable->dev_name[k]);
5197 nf_unregister_net_hook(net, &flowtable->ops[k]);
5200 kfree(flowtable->ops);
5202 module_put(type->owner);
5204 kfree(flowtable->name);
5210 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5211 struct sk_buff *skb,
5212 const struct nlmsghdr *nlh,
5213 const struct nlattr * const nla[],
5214 struct netlink_ext_ack *extack)
5216 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5217 u8 genmask = nft_genmask_next(net);
5218 int family = nfmsg->nfgen_family;
5219 struct nft_flowtable *flowtable;
5220 struct nft_table *table;
5223 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5224 (!nla[NFTA_FLOWTABLE_NAME] &&
5225 !nla[NFTA_FLOWTABLE_HANDLE]))
5228 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5231 return PTR_ERR(table);
5233 if (nla[NFTA_FLOWTABLE_HANDLE])
5234 flowtable = nf_tables_flowtable_lookup_byhandle(table,
5235 nla[NFTA_FLOWTABLE_HANDLE],
5238 flowtable = nf_tables_flowtable_lookup(table,
5239 nla[NFTA_FLOWTABLE_NAME],
5241 if (IS_ERR(flowtable))
5242 return PTR_ERR(flowtable);
5243 if (flowtable->use > 0)
5246 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5248 return nft_delflowtable(&ctx, flowtable);
5251 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5252 u32 portid, u32 seq, int event,
5253 u32 flags, int family,
5254 struct nft_flowtable *flowtable)
5256 struct nlattr *nest, *nest_devs;
5257 struct nfgenmsg *nfmsg;
5258 struct nlmsghdr *nlh;
5261 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5262 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5264 goto nla_put_failure;
5266 nfmsg = nlmsg_data(nlh);
5267 nfmsg->nfgen_family = family;
5268 nfmsg->version = NFNETLINK_V0;
5269 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5271 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5272 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5273 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5274 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5275 NFTA_FLOWTABLE_PAD))
5276 goto nla_put_failure;
5278 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5279 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5280 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5281 goto nla_put_failure;
5283 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5285 goto nla_put_failure;
5287 for (i = 0; i < flowtable->ops_len; i++) {
5288 if (flowtable->dev_name[i][0] &&
5289 nla_put_string(skb, NFTA_DEVICE_NAME,
5290 flowtable->dev_name[i]))
5291 goto nla_put_failure;
5293 nla_nest_end(skb, nest_devs);
5294 nla_nest_end(skb, nest);
5296 nlmsg_end(skb, nlh);
5300 nlmsg_trim(skb, nlh);
5304 struct nft_flowtable_filter {
5308 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5309 struct netlink_callback *cb)
5311 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5312 struct nft_flowtable_filter *filter = cb->data;
5313 unsigned int idx = 0, s_idx = cb->args[0];
5314 struct net *net = sock_net(skb->sk);
5315 int family = nfmsg->nfgen_family;
5316 struct nft_flowtable *flowtable;
5317 const struct nft_table *table;
5320 cb->seq = net->nft.base_seq;
5322 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5323 if (family != NFPROTO_UNSPEC && family != table->family)
5326 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5327 if (!nft_is_active(net, flowtable))
5332 memset(&cb->args[1], 0,
5333 sizeof(cb->args) - sizeof(cb->args[0]));
5334 if (filter && filter->table[0] &&
5335 strcmp(filter->table, table->name))
5338 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5340 NFT_MSG_NEWFLOWTABLE,
5341 NLM_F_MULTI | NLM_F_APPEND,
5342 table->family, flowtable) < 0)
5345 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5357 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5359 struct nft_flowtable_filter *filter = cb->data;
5364 kfree(filter->table);
5370 static struct nft_flowtable_filter *
5371 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5373 struct nft_flowtable_filter *filter;
5375 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5377 return ERR_PTR(-ENOMEM);
5379 if (nla[NFTA_FLOWTABLE_TABLE]) {
5380 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5382 if (!filter->table) {
5384 return ERR_PTR(-ENOMEM);
5390 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5391 struct sk_buff *skb,
5392 const struct nlmsghdr *nlh,
5393 const struct nlattr * const nla[],
5394 struct netlink_ext_ack *extack)
5396 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5397 u8 genmask = nft_genmask_cur(net);
5398 int family = nfmsg->nfgen_family;
5399 struct nft_flowtable *flowtable;
5400 const struct nft_table *table;
5401 struct sk_buff *skb2;
5404 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5405 struct netlink_dump_control c = {
5406 .dump = nf_tables_dump_flowtable,
5407 .done = nf_tables_dump_flowtable_done,
5410 if (nla[NFTA_FLOWTABLE_TABLE]) {
5411 struct nft_flowtable_filter *filter;
5413 filter = nft_flowtable_filter_alloc(nla);
5419 return netlink_dump_start(nlsk, skb, nlh, &c);
5422 if (!nla[NFTA_FLOWTABLE_NAME])
5425 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5428 return PTR_ERR(table);
5430 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5432 if (IS_ERR(flowtable))
5433 return PTR_ERR(flowtable);
5435 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5439 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5441 NFT_MSG_NEWFLOWTABLE, 0, family,
5446 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5452 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5453 struct nft_flowtable *flowtable,
5456 struct sk_buff *skb;
5460 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5463 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5467 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5469 ctx->family, flowtable);
5475 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5476 ctx->report, GFP_KERNEL);
5479 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5482 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5484 cancel_delayed_work_sync(&flowtable->data.gc_work);
5485 kfree(flowtable->ops);
5486 kfree(flowtable->name);
5487 flowtable->data.type->free(&flowtable->data);
5488 rhashtable_destroy(&flowtable->data.rhashtable);
5489 module_put(flowtable->data.type->owner);
5492 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5493 u32 portid, u32 seq)
5495 struct nlmsghdr *nlh;
5496 struct nfgenmsg *nfmsg;
5497 char buf[TASK_COMM_LEN];
5498 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5500 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5502 goto nla_put_failure;
5504 nfmsg = nlmsg_data(nlh);
5505 nfmsg->nfgen_family = AF_UNSPEC;
5506 nfmsg->version = NFNETLINK_V0;
5507 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5509 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5510 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5511 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5512 goto nla_put_failure;
5514 nlmsg_end(skb, nlh);
5518 nlmsg_trim(skb, nlh);
5522 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5523 struct nft_flowtable *flowtable)
5527 for (i = 0; i < flowtable->ops_len; i++) {
5528 if (flowtable->ops[i].dev != dev)
5531 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5532 flowtable->dev_name[i][0] = '\0';
5533 flowtable->ops[i].dev = NULL;
5538 static int nf_tables_flowtable_event(struct notifier_block *this,
5539 unsigned long event, void *ptr)
5541 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5542 struct nft_flowtable *flowtable;
5543 struct nft_table *table;
5545 if (event != NETDEV_UNREGISTER)
5548 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5549 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5550 list_for_each_entry(flowtable, &table->flowtables, list) {
5551 nft_flowtable_event(event, dev, flowtable);
5554 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5559 static struct notifier_block nf_tables_flowtable_notifier = {
5560 .notifier_call = nf_tables_flowtable_event,
5563 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5566 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5567 struct sk_buff *skb2;
5570 if (nlmsg_report(nlh) &&
5571 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5574 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5578 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5585 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5586 nlmsg_report(nlh), GFP_KERNEL);
5589 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5593 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5594 struct sk_buff *skb, const struct nlmsghdr *nlh,
5595 const struct nlattr * const nla[],
5596 struct netlink_ext_ack *extack)
5598 struct sk_buff *skb2;
5601 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5605 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5610 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5616 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5617 [NFT_MSG_NEWTABLE] = {
5618 .call_batch = nf_tables_newtable,
5619 .attr_count = NFTA_TABLE_MAX,
5620 .policy = nft_table_policy,
5622 [NFT_MSG_GETTABLE] = {
5623 .call = nf_tables_gettable,
5624 .attr_count = NFTA_TABLE_MAX,
5625 .policy = nft_table_policy,
5627 [NFT_MSG_DELTABLE] = {
5628 .call_batch = nf_tables_deltable,
5629 .attr_count = NFTA_TABLE_MAX,
5630 .policy = nft_table_policy,
5632 [NFT_MSG_NEWCHAIN] = {
5633 .call_batch = nf_tables_newchain,
5634 .attr_count = NFTA_CHAIN_MAX,
5635 .policy = nft_chain_policy,
5637 [NFT_MSG_GETCHAIN] = {
5638 .call = nf_tables_getchain,
5639 .attr_count = NFTA_CHAIN_MAX,
5640 .policy = nft_chain_policy,
5642 [NFT_MSG_DELCHAIN] = {
5643 .call_batch = nf_tables_delchain,
5644 .attr_count = NFTA_CHAIN_MAX,
5645 .policy = nft_chain_policy,
5647 [NFT_MSG_NEWRULE] = {
5648 .call_batch = nf_tables_newrule,
5649 .attr_count = NFTA_RULE_MAX,
5650 .policy = nft_rule_policy,
5652 [NFT_MSG_GETRULE] = {
5653 .call = nf_tables_getrule,
5654 .attr_count = NFTA_RULE_MAX,
5655 .policy = nft_rule_policy,
5657 [NFT_MSG_DELRULE] = {
5658 .call_batch = nf_tables_delrule,
5659 .attr_count = NFTA_RULE_MAX,
5660 .policy = nft_rule_policy,
5662 [NFT_MSG_NEWSET] = {
5663 .call_batch = nf_tables_newset,
5664 .attr_count = NFTA_SET_MAX,
5665 .policy = nft_set_policy,
5667 [NFT_MSG_GETSET] = {
5668 .call = nf_tables_getset,
5669 .attr_count = NFTA_SET_MAX,
5670 .policy = nft_set_policy,
5672 [NFT_MSG_DELSET] = {
5673 .call_batch = nf_tables_delset,
5674 .attr_count = NFTA_SET_MAX,
5675 .policy = nft_set_policy,
5677 [NFT_MSG_NEWSETELEM] = {
5678 .call_batch = nf_tables_newsetelem,
5679 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5680 .policy = nft_set_elem_list_policy,
5682 [NFT_MSG_GETSETELEM] = {
5683 .call = nf_tables_getsetelem,
5684 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5685 .policy = nft_set_elem_list_policy,
5687 [NFT_MSG_DELSETELEM] = {
5688 .call_batch = nf_tables_delsetelem,
5689 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5690 .policy = nft_set_elem_list_policy,
5692 [NFT_MSG_GETGEN] = {
5693 .call = nf_tables_getgen,
5695 [NFT_MSG_NEWOBJ] = {
5696 .call_batch = nf_tables_newobj,
5697 .attr_count = NFTA_OBJ_MAX,
5698 .policy = nft_obj_policy,
5700 [NFT_MSG_GETOBJ] = {
5701 .call = nf_tables_getobj,
5702 .attr_count = NFTA_OBJ_MAX,
5703 .policy = nft_obj_policy,
5705 [NFT_MSG_DELOBJ] = {
5706 .call_batch = nf_tables_delobj,
5707 .attr_count = NFTA_OBJ_MAX,
5708 .policy = nft_obj_policy,
5710 [NFT_MSG_GETOBJ_RESET] = {
5711 .call = nf_tables_getobj,
5712 .attr_count = NFTA_OBJ_MAX,
5713 .policy = nft_obj_policy,
5715 [NFT_MSG_NEWFLOWTABLE] = {
5716 .call_batch = nf_tables_newflowtable,
5717 .attr_count = NFTA_FLOWTABLE_MAX,
5718 .policy = nft_flowtable_policy,
5720 [NFT_MSG_GETFLOWTABLE] = {
5721 .call = nf_tables_getflowtable,
5722 .attr_count = NFTA_FLOWTABLE_MAX,
5723 .policy = nft_flowtable_policy,
5725 [NFT_MSG_DELFLOWTABLE] = {
5726 .call_batch = nf_tables_delflowtable,
5727 .attr_count = NFTA_FLOWTABLE_MAX,
5728 .policy = nft_flowtable_policy,
5732 static void nft_chain_commit_update(struct nft_trans *trans)
5734 struct nft_base_chain *basechain;
5736 if (nft_trans_chain_name(trans))
5737 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
5739 if (!nft_is_base_chain(trans->ctx.chain))
5742 basechain = nft_base_chain(trans->ctx.chain);
5743 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5745 switch (nft_trans_chain_policy(trans)) {
5748 basechain->policy = nft_trans_chain_policy(trans);
5753 static void nf_tables_commit_release(struct nft_trans *trans)
5755 switch (trans->msg_type) {
5756 case NFT_MSG_DELTABLE:
5757 nf_tables_table_destroy(&trans->ctx);
5759 case NFT_MSG_DELCHAIN:
5760 nf_tables_chain_destroy(trans->ctx.chain);
5762 case NFT_MSG_DELRULE:
5763 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5765 case NFT_MSG_DELSET:
5766 nft_set_destroy(nft_trans_set(trans));
5768 case NFT_MSG_DELSETELEM:
5769 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5770 nft_trans_elem(trans).priv);
5772 case NFT_MSG_DELOBJ:
5773 nft_obj_destroy(nft_trans_obj(trans));
5775 case NFT_MSG_DELFLOWTABLE:
5776 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5782 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5784 struct nft_trans *trans, *next;
5785 struct nft_trans_elem *te;
5787 /* Bump generation counter, invalidate any dump in progress */
5788 while (++net->nft.base_seq == 0);
5790 /* A new generation has just started */
5791 net->nft.gencursor = nft_gencursor_next(net);
5793 /* Make sure all packets have left the previous generation before
5794 * purging old rules.
5798 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5799 switch (trans->msg_type) {
5800 case NFT_MSG_NEWTABLE:
5801 if (nft_trans_table_update(trans)) {
5802 if (!nft_trans_table_enable(trans)) {
5803 nf_tables_table_disable(net,
5805 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5808 nft_clear(net, trans->ctx.table);
5810 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5811 nft_trans_destroy(trans);
5813 case NFT_MSG_DELTABLE:
5814 list_del_rcu(&trans->ctx.table->list);
5815 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5817 case NFT_MSG_NEWCHAIN:
5818 if (nft_trans_chain_update(trans))
5819 nft_chain_commit_update(trans);
5821 nft_clear(net, trans->ctx.chain);
5823 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5824 nft_trans_destroy(trans);
5826 case NFT_MSG_DELCHAIN:
5827 list_del_rcu(&trans->ctx.chain->list);
5828 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5829 nf_tables_unregister_hook(trans->ctx.net,
5833 case NFT_MSG_NEWRULE:
5834 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5835 nf_tables_rule_notify(&trans->ctx,
5836 nft_trans_rule(trans),
5838 nft_trans_destroy(trans);
5840 case NFT_MSG_DELRULE:
5841 list_del_rcu(&nft_trans_rule(trans)->list);
5842 nf_tables_rule_notify(&trans->ctx,
5843 nft_trans_rule(trans),
5846 case NFT_MSG_NEWSET:
5847 nft_clear(net, nft_trans_set(trans));
5848 /* This avoids hitting -EBUSY when deleting the table
5849 * from the transaction.
5851 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5852 !list_empty(&nft_trans_set(trans)->bindings))
5853 trans->ctx.table->use--;
5855 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5856 NFT_MSG_NEWSET, GFP_KERNEL);
5857 nft_trans_destroy(trans);
5859 case NFT_MSG_DELSET:
5860 list_del_rcu(&nft_trans_set(trans)->list);
5861 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5862 NFT_MSG_DELSET, GFP_KERNEL);
5864 case NFT_MSG_NEWSETELEM:
5865 te = (struct nft_trans_elem *)trans->data;
5867 te->set->ops->activate(net, te->set, &te->elem);
5868 nf_tables_setelem_notify(&trans->ctx, te->set,
5870 NFT_MSG_NEWSETELEM, 0);
5871 nft_trans_destroy(trans);
5873 case NFT_MSG_DELSETELEM:
5874 te = (struct nft_trans_elem *)trans->data;
5876 nf_tables_setelem_notify(&trans->ctx, te->set,
5878 NFT_MSG_DELSETELEM, 0);
5879 te->set->ops->remove(net, te->set, &te->elem);
5880 atomic_dec(&te->set->nelems);
5883 case NFT_MSG_NEWOBJ:
5884 nft_clear(net, nft_trans_obj(trans));
5885 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5887 nft_trans_destroy(trans);
5889 case NFT_MSG_DELOBJ:
5890 list_del_rcu(&nft_trans_obj(trans)->list);
5891 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5894 case NFT_MSG_NEWFLOWTABLE:
5895 nft_clear(net, nft_trans_flowtable(trans));
5896 nf_tables_flowtable_notify(&trans->ctx,
5897 nft_trans_flowtable(trans),
5898 NFT_MSG_NEWFLOWTABLE);
5899 nft_trans_destroy(trans);
5901 case NFT_MSG_DELFLOWTABLE:
5902 list_del_rcu(&nft_trans_flowtable(trans)->list);
5903 nf_tables_flowtable_notify(&trans->ctx,
5904 nft_trans_flowtable(trans),
5905 NFT_MSG_DELFLOWTABLE);
5906 nft_unregister_flowtable_net_hooks(net,
5907 nft_trans_flowtable(trans));
5914 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5915 list_del(&trans->list);
5916 nf_tables_commit_release(trans);
5919 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5924 static void nf_tables_abort_release(struct nft_trans *trans)
5926 switch (trans->msg_type) {
5927 case NFT_MSG_NEWTABLE:
5928 nf_tables_table_destroy(&trans->ctx);
5930 case NFT_MSG_NEWCHAIN:
5931 nf_tables_chain_destroy(trans->ctx.chain);
5933 case NFT_MSG_NEWRULE:
5934 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5936 case NFT_MSG_NEWSET:
5937 nft_set_destroy(nft_trans_set(trans));
5939 case NFT_MSG_NEWSETELEM:
5940 nft_set_elem_destroy(nft_trans_elem_set(trans),
5941 nft_trans_elem(trans).priv, true);
5943 case NFT_MSG_NEWOBJ:
5944 nft_obj_destroy(nft_trans_obj(trans));
5946 case NFT_MSG_NEWFLOWTABLE:
5947 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5953 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5955 struct nft_trans *trans, *next;
5956 struct nft_trans_elem *te;
5958 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5960 switch (trans->msg_type) {
5961 case NFT_MSG_NEWTABLE:
5962 if (nft_trans_table_update(trans)) {
5963 if (nft_trans_table_enable(trans)) {
5964 nf_tables_table_disable(net,
5966 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5968 nft_trans_destroy(trans);
5970 list_del_rcu(&trans->ctx.table->list);
5973 case NFT_MSG_DELTABLE:
5974 nft_clear(trans->ctx.net, trans->ctx.table);
5975 nft_trans_destroy(trans);
5977 case NFT_MSG_NEWCHAIN:
5978 if (nft_trans_chain_update(trans)) {
5979 free_percpu(nft_trans_chain_stats(trans));
5981 nft_trans_destroy(trans);
5983 trans->ctx.table->use--;
5984 list_del_rcu(&trans->ctx.chain->list);
5985 nf_tables_unregister_hook(trans->ctx.net,
5990 case NFT_MSG_DELCHAIN:
5991 trans->ctx.table->use++;
5992 nft_clear(trans->ctx.net, trans->ctx.chain);
5993 nft_trans_destroy(trans);
5995 case NFT_MSG_NEWRULE:
5996 trans->ctx.chain->use--;
5997 list_del_rcu(&nft_trans_rule(trans)->list);
5999 case NFT_MSG_DELRULE:
6000 trans->ctx.chain->use++;
6001 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6002 nft_trans_destroy(trans);
6004 case NFT_MSG_NEWSET:
6005 trans->ctx.table->use--;
6006 list_del_rcu(&nft_trans_set(trans)->list);
6008 case NFT_MSG_DELSET:
6009 trans->ctx.table->use++;
6010 nft_clear(trans->ctx.net, nft_trans_set(trans));
6011 nft_trans_destroy(trans);
6013 case NFT_MSG_NEWSETELEM:
6014 te = (struct nft_trans_elem *)trans->data;
6016 te->set->ops->remove(net, te->set, &te->elem);
6017 atomic_dec(&te->set->nelems);
6019 case NFT_MSG_DELSETELEM:
6020 te = (struct nft_trans_elem *)trans->data;
6022 nft_set_elem_activate(net, te->set, &te->elem);
6023 te->set->ops->activate(net, te->set, &te->elem);
6026 nft_trans_destroy(trans);
6028 case NFT_MSG_NEWOBJ:
6029 trans->ctx.table->use--;
6030 list_del_rcu(&nft_trans_obj(trans)->list);
6032 case NFT_MSG_DELOBJ:
6033 trans->ctx.table->use++;
6034 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6035 nft_trans_destroy(trans);
6037 case NFT_MSG_NEWFLOWTABLE:
6038 trans->ctx.table->use--;
6039 list_del_rcu(&nft_trans_flowtable(trans)->list);
6040 nft_unregister_flowtable_net_hooks(net,
6041 nft_trans_flowtable(trans));
6043 case NFT_MSG_DELFLOWTABLE:
6044 trans->ctx.table->use++;
6045 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6046 nft_trans_destroy(trans);
6053 list_for_each_entry_safe_reverse(trans, next,
6054 &net->nft.commit_list, list) {
6055 list_del(&trans->list);
6056 nf_tables_abort_release(trans);
6062 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6064 return net->nft.base_seq == genid;
6067 static const struct nfnetlink_subsystem nf_tables_subsys = {
6068 .name = "nf_tables",
6069 .subsys_id = NFNL_SUBSYS_NFTABLES,
6070 .cb_count = NFT_MSG_MAX,
6072 .commit = nf_tables_commit,
6073 .abort = nf_tables_abort,
6074 .valid_genid = nf_tables_valid_genid,
6077 int nft_chain_validate_dependency(const struct nft_chain *chain,
6078 enum nft_chain_type type)
6080 const struct nft_base_chain *basechain;
6082 if (nft_is_base_chain(chain)) {
6083 basechain = nft_base_chain(chain);
6084 if (basechain->type->type != type)
6089 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6091 int nft_chain_validate_hooks(const struct nft_chain *chain,
6092 unsigned int hook_flags)
6094 struct nft_base_chain *basechain;
6096 if (nft_is_base_chain(chain)) {
6097 basechain = nft_base_chain(chain);
6099 if ((1 << basechain->ops.hooknum) & hook_flags)
6107 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6110 * Loop detection - walk through the ruleset beginning at the destination chain
6111 * of a new jump until either the source chain is reached (loop) or all
6112 * reachable chains have been traversed.
6114 * The loop check is performed whenever a new jump verdict is added to an
6115 * expression or verdict map or a verdict map is bound to a new chain.
6118 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6119 const struct nft_chain *chain);
6121 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6122 struct nft_set *set,
6123 const struct nft_set_iter *iter,
6124 struct nft_set_elem *elem)
6126 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6127 const struct nft_data *data;
6129 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6130 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6133 data = nft_set_ext_data(ext);
6134 switch (data->verdict.code) {
6137 return nf_tables_check_loops(ctx, data->verdict.chain);
6143 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6144 const struct nft_chain *chain)
6146 const struct nft_rule *rule;
6147 const struct nft_expr *expr, *last;
6148 struct nft_set *set;
6149 struct nft_set_binding *binding;
6150 struct nft_set_iter iter;
6152 if (ctx->chain == chain)
6155 list_for_each_entry(rule, &chain->rules, list) {
6156 nft_rule_for_each_expr(expr, last, rule) {
6157 const struct nft_data *data = NULL;
6160 if (!expr->ops->validate)
6163 err = expr->ops->validate(ctx, expr, &data);
6170 switch (data->verdict.code) {
6173 err = nf_tables_check_loops(ctx,
6174 data->verdict.chain);
6183 list_for_each_entry(set, &ctx->table->sets, list) {
6184 if (!nft_is_active_next(ctx->net, set))
6186 if (!(set->flags & NFT_SET_MAP) ||
6187 set->dtype != NFT_DATA_VERDICT)
6190 list_for_each_entry(binding, &set->bindings, list) {
6191 if (!(binding->flags & NFT_SET_MAP) ||
6192 binding->chain != chain)
6195 iter.genmask = nft_genmask_next(ctx->net);
6199 iter.fn = nf_tables_loop_check_setelem;
6201 set->ops->walk(ctx, set, &iter);
6211 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6213 * @attr: netlink attribute to fetch value from
6214 * @max: maximum value to be stored in dest
6215 * @dest: pointer to the variable
6217 * Parse, check and store a given u32 netlink attribute into variable.
6218 * This function returns -ERANGE if the value goes over maximum value.
6219 * Otherwise a 0 is returned and the attribute value is stored in the
6220 * destination variable.
6222 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6226 val = ntohl(nla_get_be32(attr));
6233 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6236 * nft_parse_register - parse a register value from a netlink attribute
6238 * @attr: netlink attribute
6240 * Parse and translate a register value from a netlink attribute.
6241 * Registers used to be 128 bit wide, these register numbers will be
6242 * mapped to the corresponding 32 bit register numbers.
6244 unsigned int nft_parse_register(const struct nlattr *attr)
6248 reg = ntohl(nla_get_be32(attr));
6250 case NFT_REG_VERDICT...NFT_REG_4:
6251 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6253 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6256 EXPORT_SYMBOL_GPL(nft_parse_register);
6259 * nft_dump_register - dump a register value to a netlink attribute
6261 * @skb: socket buffer
6262 * @attr: attribute number
6263 * @reg: register number
6265 * Construct a netlink attribute containing the register number. For
6266 * compatibility reasons, register numbers being a multiple of 4 are
6267 * translated to the corresponding 128 bit register numbers.
6269 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6271 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6272 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6274 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6276 return nla_put_be32(skb, attr, htonl(reg));
6278 EXPORT_SYMBOL_GPL(nft_dump_register);
6281 * nft_validate_register_load - validate a load from a register
6283 * @reg: the register number
6284 * @len: the length of the data
6286 * Validate that the input register is one of the general purpose
6287 * registers and that the length of the load is within the bounds.
6289 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6291 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6295 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6300 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6303 * nft_validate_register_store - validate an expressions' register store
6305 * @ctx: context of the expression performing the load
6306 * @reg: the destination register number
6307 * @data: the data to load
6308 * @type: the data type
6309 * @len: the length of the data
6311 * Validate that a data load uses the appropriate data type for
6312 * the destination register and the length is within the bounds.
6313 * A value of NULL for the data means that its runtime gathered
6316 int nft_validate_register_store(const struct nft_ctx *ctx,
6317 enum nft_registers reg,
6318 const struct nft_data *data,
6319 enum nft_data_types type, unsigned int len)
6324 case NFT_REG_VERDICT:
6325 if (type != NFT_DATA_VERDICT)
6329 (data->verdict.code == NFT_GOTO ||
6330 data->verdict.code == NFT_JUMP)) {
6331 err = nf_tables_check_loops(ctx, data->verdict.chain);
6335 if (ctx->chain->level + 1 >
6336 data->verdict.chain->level) {
6337 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6339 data->verdict.chain->level = ctx->chain->level + 1;
6345 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6349 if (reg * NFT_REG32_SIZE + len >
6350 FIELD_SIZEOF(struct nft_regs, data))
6353 if (data != NULL && type != NFT_DATA_VALUE)
6358 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6360 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6361 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6362 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6363 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6366 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6367 struct nft_data_desc *desc, const struct nlattr *nla)
6369 u8 genmask = nft_genmask_next(ctx->net);
6370 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6371 struct nft_chain *chain;
6374 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6379 if (!tb[NFTA_VERDICT_CODE])
6381 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6383 switch (data->verdict.code) {
6385 switch (data->verdict.code & NF_VERDICT_MASK) {
6400 if (!tb[NFTA_VERDICT_CHAIN])
6402 chain = nf_tables_chain_lookup(ctx->table,
6403 tb[NFTA_VERDICT_CHAIN], genmask);
6405 return PTR_ERR(chain);
6406 if (nft_is_base_chain(chain))
6410 data->verdict.chain = chain;
6414 desc->len = sizeof(data->verdict);
6415 desc->type = NFT_DATA_VERDICT;
6419 static void nft_verdict_uninit(const struct nft_data *data)
6421 switch (data->verdict.code) {
6424 data->verdict.chain->use--;
6429 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6431 struct nlattr *nest;
6433 nest = nla_nest_start(skb, type);
6435 goto nla_put_failure;
6437 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6438 goto nla_put_failure;
6443 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6445 goto nla_put_failure;
6447 nla_nest_end(skb, nest);
6454 static int nft_value_init(const struct nft_ctx *ctx,
6455 struct nft_data *data, unsigned int size,
6456 struct nft_data_desc *desc, const struct nlattr *nla)
6466 nla_memcpy(data->data, nla, len);
6467 desc->type = NFT_DATA_VALUE;
6472 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6475 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6478 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6479 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6480 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6484 * nft_data_init - parse nf_tables data netlink attributes
6486 * @ctx: context of the expression using the data
6487 * @data: destination struct nft_data
6488 * @size: maximum data length
6489 * @desc: data description
6490 * @nla: netlink attribute containing data
6492 * Parse the netlink data attributes and initialize a struct nft_data.
6493 * The type and length of data are returned in the data description.
6495 * The caller can indicate that it only wants to accept data of type
6496 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6498 int nft_data_init(const struct nft_ctx *ctx,
6499 struct nft_data *data, unsigned int size,
6500 struct nft_data_desc *desc, const struct nlattr *nla)
6502 struct nlattr *tb[NFTA_DATA_MAX + 1];
6505 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6509 if (tb[NFTA_DATA_VALUE])
6510 return nft_value_init(ctx, data, size, desc,
6511 tb[NFTA_DATA_VALUE]);
6512 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6513 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6516 EXPORT_SYMBOL_GPL(nft_data_init);
6519 * nft_data_release - release a nft_data item
6521 * @data: struct nft_data to release
6522 * @type: type of data
6524 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6525 * all others need to be released by calling this function.
6527 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6529 if (type < NFT_DATA_VERDICT)
6532 case NFT_DATA_VERDICT:
6533 return nft_verdict_uninit(data);
6538 EXPORT_SYMBOL_GPL(nft_data_release);
6540 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6541 enum nft_data_types type, unsigned int len)
6543 struct nlattr *nest;
6546 nest = nla_nest_start(skb, attr);
6551 case NFT_DATA_VALUE:
6552 err = nft_value_dump(skb, data, len);
6554 case NFT_DATA_VERDICT:
6555 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6562 nla_nest_end(skb, nest);
6565 EXPORT_SYMBOL_GPL(nft_data_dump);
6567 int __nft_release_basechain(struct nft_ctx *ctx)
6569 struct nft_rule *rule, *nr;
6571 BUG_ON(!nft_is_base_chain(ctx->chain));
6573 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6574 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6575 list_del(&rule->list);
6577 nf_tables_rule_destroy(ctx, rule);
6579 list_del(&ctx->chain->list);
6581 nf_tables_chain_destroy(ctx->chain);
6585 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6587 static void __nft_release_tables(struct net *net)
6589 struct nft_flowtable *flowtable, *nf;
6590 struct nft_table *table, *nt;
6591 struct nft_chain *chain, *nc;
6592 struct nft_object *obj, *ne;
6593 struct nft_rule *rule, *nr;
6594 struct nft_set *set, *ns;
6595 struct nft_ctx ctx = {
6599 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6600 ctx.family = table->family;
6602 list_for_each_entry(chain, &table->chains, list)
6603 nf_tables_unregister_hook(net, table, chain);
6604 list_for_each_entry(flowtable, &table->flowtables, list)
6605 nf_unregister_net_hooks(net, flowtable->ops,
6606 flowtable->ops_len);
6607 /* No packets are walking on these chains anymore. */
6609 list_for_each_entry(chain, &table->chains, list) {
6611 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6612 list_del(&rule->list);
6614 nf_tables_rule_destroy(&ctx, rule);
6617 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6618 list_del(&flowtable->list);
6620 nf_tables_flowtable_destroy(flowtable);
6622 list_for_each_entry_safe(set, ns, &table->sets, list) {
6623 list_del(&set->list);
6625 nft_set_destroy(set);
6627 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6628 list_del(&obj->list);
6630 nft_obj_destroy(obj);
6632 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6633 list_del(&chain->list);
6635 nf_tables_chain_destroy(chain);
6637 list_del(&table->list);
6638 nf_tables_table_destroy(&ctx);
6642 static int __net_init nf_tables_init_net(struct net *net)
6644 INIT_LIST_HEAD(&net->nft.tables);
6645 INIT_LIST_HEAD(&net->nft.commit_list);
6646 net->nft.base_seq = 1;
6650 static void __net_exit nf_tables_exit_net(struct net *net)
6652 __nft_release_tables(net);
6653 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6654 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6657 static struct pernet_operations nf_tables_net_ops = {
6658 .init = nf_tables_init_net,
6659 .exit = nf_tables_exit_net,
6662 static int __init nf_tables_module_init(void)
6666 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6673 err = nf_tables_core_module_init();
6677 err = nfnetlink_subsys_register(&nf_tables_subsys);
6681 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6683 return register_pernet_subsys(&nf_tables_net_ops);
6685 nf_tables_core_module_exit();
6692 static void __exit nf_tables_module_exit(void)
6694 unregister_pernet_subsys(&nf_tables_net_ops);
6695 nfnetlink_subsys_unregister(&nf_tables_subsys);
6696 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6698 nf_tables_core_module_exit();
6702 module_init(nf_tables_module_init);
6703 module_exit(nf_tables_module_exit);
6705 MODULE_LICENSE("GPL");
6706 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6707 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / platform / kernel / linux-rpi.git / blob