2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
95 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
96 const struct nlattr *nla)
98 struct nft_table *table;
100 list_for_each_entry(table, &afi->tables, list) {
101 if (!nla_strcmp(nla, table->name))
107 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
108 const struct nlattr *nla)
110 struct nft_table *table;
113 return ERR_PTR(-EINVAL);
115 table = nft_table_lookup(afi, nla);
119 return ERR_PTR(-ENOENT);
122 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
124 return ++table->hgenerator;
127 static struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
129 static int __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
133 for (i=0; i<NFT_CHAIN_T_MAX; i++) {
134 if (chain_type[family][i] != NULL &&
135 !nla_strcmp(nla, chain_type[family][i]->name))
141 static int nf_tables_chain_type_lookup(const struct nft_af_info *afi,
142 const struct nlattr *nla,
147 type = __nf_tables_chain_type_lookup(afi->family, nla);
148 #ifdef CONFIG_MODULES
149 if (type < 0 && autoload) {
150 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
151 request_module("nft-chain-%u-%*.s", afi->family,
152 nla_len(nla)-1, (const char *)nla_data(nla));
153 nfnl_lock(NFNL_SUBSYS_NFTABLES);
154 type = __nf_tables_chain_type_lookup(afi->family, nla);
160 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
161 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
162 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
165 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
166 int event, u32 flags, int family,
167 const struct nft_table *table)
169 struct nlmsghdr *nlh;
170 struct nfgenmsg *nfmsg;
172 event |= NFNL_SUBSYS_NFTABLES << 8;
173 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
175 goto nla_put_failure;
177 nfmsg = nlmsg_data(nlh);
178 nfmsg->nfgen_family = family;
179 nfmsg->version = NFNETLINK_V0;
182 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
183 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)))
184 goto nla_put_failure;
186 return nlmsg_end(skb, nlh);
189 nlmsg_trim(skb, nlh);
193 static int nf_tables_table_notify(const struct sk_buff *oskb,
194 const struct nlmsghdr *nlh,
195 const struct nft_table *table,
196 int event, int family)
199 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
200 u32 seq = nlh ? nlh->nlmsg_seq : 0;
201 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
205 report = nlh ? nlmsg_report(nlh) : false;
206 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
210 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
214 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
221 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
225 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
229 static int nf_tables_dump_tables(struct sk_buff *skb,
230 struct netlink_callback *cb)
232 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
233 const struct nft_af_info *afi;
234 const struct nft_table *table;
235 unsigned int idx = 0, s_idx = cb->args[0];
236 struct net *net = sock_net(skb->sk);
237 int family = nfmsg->nfgen_family;
239 list_for_each_entry(afi, &net->nft.af_info, list) {
240 if (family != NFPROTO_UNSPEC && family != afi->family)
243 list_for_each_entry(table, &afi->tables, list) {
247 memset(&cb->args[1], 0,
248 sizeof(cb->args) - sizeof(cb->args[0]));
249 if (nf_tables_fill_table_info(skb,
250 NETLINK_CB(cb->skb).portid,
254 afi->family, table) < 0)
265 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
266 const struct nlmsghdr *nlh,
267 const struct nlattr * const nla[])
269 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
270 const struct nft_af_info *afi;
271 const struct nft_table *table;
272 struct sk_buff *skb2;
273 struct net *net = sock_net(skb->sk);
274 int family = nfmsg->nfgen_family;
277 if (nlh->nlmsg_flags & NLM_F_DUMP) {
278 struct netlink_dump_control c = {
279 .dump = nf_tables_dump_tables,
281 return netlink_dump_start(nlsk, skb, nlh, &c);
284 afi = nf_tables_afinfo_lookup(net, family, false);
288 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
290 return PTR_ERR(table);
292 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
296 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
297 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
302 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
309 static int nf_tables_table_enable(struct nft_table *table)
311 struct nft_chain *chain;
314 list_for_each_entry(chain, &table->chains, list) {
315 if (!(chain->flags & NFT_BASE_CHAIN))
318 err = nf_register_hook(&nft_base_chain(chain)->ops);
326 list_for_each_entry(chain, &table->chains, list) {
327 if (!(chain->flags & NFT_BASE_CHAIN))
333 nf_unregister_hook(&nft_base_chain(chain)->ops);
338 static int nf_tables_table_disable(struct nft_table *table)
340 struct nft_chain *chain;
342 list_for_each_entry(chain, &table->chains, list) {
343 if (chain->flags & NFT_BASE_CHAIN)
344 nf_unregister_hook(&nft_base_chain(chain)->ops);
350 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
351 const struct nlmsghdr *nlh,
352 const struct nlattr * const nla[],
353 struct nft_af_info *afi, struct nft_table *table)
355 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
356 int family = nfmsg->nfgen_family, ret = 0;
358 if (nla[NFTA_TABLE_FLAGS]) {
361 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
362 if (flags & ~NFT_TABLE_F_DORMANT)
365 if ((flags & NFT_TABLE_F_DORMANT) &&
366 !(table->flags & NFT_TABLE_F_DORMANT)) {
367 ret = nf_tables_table_disable(table);
369 table->flags |= NFT_TABLE_F_DORMANT;
370 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
371 table->flags & NFT_TABLE_F_DORMANT) {
372 ret = nf_tables_table_enable(table);
374 table->flags &= ~NFT_TABLE_F_DORMANT;
380 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
385 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
386 const struct nlmsghdr *nlh,
387 const struct nlattr * const nla[])
389 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
390 const struct nlattr *name;
391 struct nft_af_info *afi;
392 struct nft_table *table;
393 struct net *net = sock_net(skb->sk);
394 int family = nfmsg->nfgen_family;
396 afi = nf_tables_afinfo_lookup(net, family, true);
400 name = nla[NFTA_TABLE_NAME];
401 table = nf_tables_table_lookup(afi, name);
403 if (PTR_ERR(table) != -ENOENT)
404 return PTR_ERR(table);
409 if (nlh->nlmsg_flags & NLM_F_EXCL)
411 if (nlh->nlmsg_flags & NLM_F_REPLACE)
413 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
416 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
420 nla_strlcpy(table->name, name, nla_len(name));
421 INIT_LIST_HEAD(&table->chains);
422 INIT_LIST_HEAD(&table->sets);
424 if (nla[NFTA_TABLE_FLAGS]) {
427 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
428 if (flags & ~NFT_TABLE_F_DORMANT) {
433 table->flags |= flags;
436 list_add_tail(&table->list, &afi->tables);
437 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
441 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
442 const struct nlmsghdr *nlh,
443 const struct nlattr * const nla[])
445 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
446 struct nft_af_info *afi;
447 struct nft_table *table;
448 struct net *net = sock_net(skb->sk);
449 int family = nfmsg->nfgen_family;
451 afi = nf_tables_afinfo_lookup(net, family, false);
455 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
457 return PTR_ERR(table);
462 list_del(&table->list);
463 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
468 int nft_register_chain_type(struct nf_chain_type *ctype)
472 nfnl_lock(NFNL_SUBSYS_NFTABLES);
473 if (chain_type[ctype->family][ctype->type] != NULL) {
478 if (!try_module_get(ctype->me))
481 chain_type[ctype->family][ctype->type] = ctype;
483 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
486 EXPORT_SYMBOL_GPL(nft_register_chain_type);
488 void nft_unregister_chain_type(struct nf_chain_type *ctype)
490 nfnl_lock(NFNL_SUBSYS_NFTABLES);
491 chain_type[ctype->family][ctype->type] = NULL;
492 module_put(ctype->me);
493 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
495 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
501 static struct nft_chain *
502 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
504 struct nft_chain *chain;
506 list_for_each_entry(chain, &table->chains, list) {
507 if (chain->handle == handle)
511 return ERR_PTR(-ENOENT);
514 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
515 const struct nlattr *nla)
517 struct nft_chain *chain;
520 return ERR_PTR(-EINVAL);
522 list_for_each_entry(chain, &table->chains, list) {
523 if (!nla_strcmp(nla, chain->name))
527 return ERR_PTR(-ENOENT);
530 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
531 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
532 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
533 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
534 .len = NFT_CHAIN_MAXNAMELEN - 1 },
535 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
536 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
537 [NFTA_CHAIN_TYPE] = { .type = NLA_NUL_STRING },
538 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
541 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
542 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
543 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
546 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
548 struct nft_stats *cpu_stats, total;
552 memset(&total, 0, sizeof(total));
553 for_each_possible_cpu(cpu) {
554 cpu_stats = per_cpu_ptr(stats, cpu);
555 total.pkts += cpu_stats->pkts;
556 total.bytes += cpu_stats->bytes;
558 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
560 goto nla_put_failure;
562 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
563 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
564 goto nla_put_failure;
566 nla_nest_end(skb, nest);
573 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
574 int event, u32 flags, int family,
575 const struct nft_table *table,
576 const struct nft_chain *chain)
578 struct nlmsghdr *nlh;
579 struct nfgenmsg *nfmsg;
581 event |= NFNL_SUBSYS_NFTABLES << 8;
582 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
584 goto nla_put_failure;
586 nfmsg = nlmsg_data(nlh);
587 nfmsg->nfgen_family = family;
588 nfmsg->version = NFNETLINK_V0;
591 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
592 goto nla_put_failure;
593 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
594 goto nla_put_failure;
595 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
596 goto nla_put_failure;
598 if (chain->flags & NFT_BASE_CHAIN) {
599 const struct nft_base_chain *basechain = nft_base_chain(chain);
600 const struct nf_hook_ops *ops = &basechain->ops;
603 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
605 goto nla_put_failure;
606 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
607 goto nla_put_failure;
608 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
609 goto nla_put_failure;
610 nla_nest_end(skb, nest);
612 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
613 htonl(basechain->policy)))
614 goto nla_put_failure;
616 if (nla_put_string(skb, NFTA_CHAIN_TYPE,
617 chain_type[ops->pf][nft_base_chain(chain)->type]->name))
618 goto nla_put_failure;
620 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
621 goto nla_put_failure;
624 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
625 goto nla_put_failure;
627 return nlmsg_end(skb, nlh);
630 nlmsg_trim(skb, nlh);
634 static int nf_tables_chain_notify(const struct sk_buff *oskb,
635 const struct nlmsghdr *nlh,
636 const struct nft_table *table,
637 const struct nft_chain *chain,
638 int event, int family)
641 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
642 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
643 u32 seq = nlh ? nlh->nlmsg_seq : 0;
647 report = nlh ? nlmsg_report(nlh) : false;
648 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
652 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
656 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
663 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
667 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
671 static int nf_tables_dump_chains(struct sk_buff *skb,
672 struct netlink_callback *cb)
674 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
675 const struct nft_af_info *afi;
676 const struct nft_table *table;
677 const struct nft_chain *chain;
678 unsigned int idx = 0, s_idx = cb->args[0];
679 struct net *net = sock_net(skb->sk);
680 int family = nfmsg->nfgen_family;
682 list_for_each_entry(afi, &net->nft.af_info, list) {
683 if (family != NFPROTO_UNSPEC && family != afi->family)
686 list_for_each_entry(table, &afi->tables, list) {
687 list_for_each_entry(chain, &table->chains, list) {
691 memset(&cb->args[1], 0,
692 sizeof(cb->args) - sizeof(cb->args[0]));
693 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
697 afi->family, table, chain) < 0)
710 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
711 const struct nlmsghdr *nlh,
712 const struct nlattr * const nla[])
714 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
715 const struct nft_af_info *afi;
716 const struct nft_table *table;
717 const struct nft_chain *chain;
718 struct sk_buff *skb2;
719 struct net *net = sock_net(skb->sk);
720 int family = nfmsg->nfgen_family;
723 if (nlh->nlmsg_flags & NLM_F_DUMP) {
724 struct netlink_dump_control c = {
725 .dump = nf_tables_dump_chains,
727 return netlink_dump_start(nlsk, skb, nlh, &c);
730 afi = nf_tables_afinfo_lookup(net, family, false);
734 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
736 return PTR_ERR(table);
738 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
740 return PTR_ERR(chain);
742 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
746 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
747 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
748 family, table, chain);
752 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
760 nf_tables_chain_policy(struct nft_base_chain *chain, const struct nlattr *attr)
762 switch (ntohl(nla_get_be32(attr))) {
764 chain->policy = NF_DROP;
767 chain->policy = NF_ACCEPT;
775 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
776 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
777 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
781 nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
783 struct nlattr *tb[NFTA_COUNTER_MAX+1];
784 struct nft_stats __percpu *newstats;
785 struct nft_stats *stats;
788 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
792 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
795 newstats = alloc_percpu(struct nft_stats);
796 if (newstats == NULL)
799 /* Restore old counters on this cpu, no problem. Per-cpu statistics
800 * are not exposed to userspace.
802 stats = this_cpu_ptr(newstats);
803 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
804 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
807 /* nfnl_lock is held, add some nfnl function for this, later */
808 struct nft_stats __percpu *oldstats =
809 rcu_dereference_protected(chain->stats, 1);
811 rcu_assign_pointer(chain->stats, newstats);
813 free_percpu(oldstats);
815 rcu_assign_pointer(chain->stats, newstats);
820 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
821 const struct nlmsghdr *nlh,
822 const struct nlattr * const nla[])
824 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
825 const struct nlattr * uninitialized_var(name);
826 const struct nft_af_info *afi;
827 struct nft_table *table;
828 struct nft_chain *chain;
829 struct nft_base_chain *basechain = NULL;
830 struct nlattr *ha[NFTA_HOOK_MAX + 1];
831 struct net *net = sock_net(skb->sk);
832 int family = nfmsg->nfgen_family;
837 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
839 afi = nf_tables_afinfo_lookup(net, family, true);
843 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
845 return PTR_ERR(table);
847 if (table->use == UINT_MAX)
851 name = nla[NFTA_CHAIN_NAME];
853 if (nla[NFTA_CHAIN_HANDLE]) {
854 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
855 chain = nf_tables_chain_lookup_byhandle(table, handle);
857 return PTR_ERR(chain);
859 chain = nf_tables_chain_lookup(table, name);
861 if (PTR_ERR(chain) != -ENOENT)
862 return PTR_ERR(chain);
868 if (nlh->nlmsg_flags & NLM_F_EXCL)
870 if (nlh->nlmsg_flags & NLM_F_REPLACE)
873 if (nla[NFTA_CHAIN_HANDLE] && name &&
874 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
877 if (nla[NFTA_CHAIN_POLICY]) {
878 if (!(chain->flags & NFT_BASE_CHAIN))
881 err = nf_tables_chain_policy(nft_base_chain(chain),
882 nla[NFTA_CHAIN_POLICY]);
887 if (nla[NFTA_CHAIN_COUNTERS]) {
888 if (!(chain->flags & NFT_BASE_CHAIN))
891 err = nf_tables_counters(nft_base_chain(chain),
892 nla[NFTA_CHAIN_COUNTERS]);
897 if (nla[NFTA_CHAIN_HANDLE] && name)
898 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
903 if (nla[NFTA_CHAIN_HOOK]) {
904 struct nf_hook_ops *ops;
907 int type = NFT_CHAIN_T_DEFAULT;
909 if (nla[NFTA_CHAIN_TYPE]) {
910 type = nf_tables_chain_type_lookup(afi,
911 nla[NFTA_CHAIN_TYPE],
917 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
921 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
922 ha[NFTA_HOOK_PRIORITY] == NULL)
925 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
926 if (hooknum >= afi->nhooks)
929 hookfn = chain_type[family][type]->fn[hooknum];
933 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
934 if (basechain == NULL)
937 basechain->type = type;
938 chain = &basechain->chain;
940 ops = &basechain->ops;
942 ops->owner = afi->owner;
943 ops->hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
944 ops->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
947 if (afi->hooks[ops->hooknum])
948 ops->hook = afi->hooks[ops->hooknum];
950 chain->flags |= NFT_BASE_CHAIN;
952 if (nla[NFTA_CHAIN_POLICY]) {
953 err = nf_tables_chain_policy(basechain,
954 nla[NFTA_CHAIN_POLICY]);
956 free_percpu(basechain->stats);
961 basechain->policy = NF_ACCEPT;
963 if (nla[NFTA_CHAIN_COUNTERS]) {
964 err = nf_tables_counters(basechain,
965 nla[NFTA_CHAIN_COUNTERS]);
967 free_percpu(basechain->stats);
972 struct nft_stats __percpu *newstats;
974 newstats = alloc_percpu(struct nft_stats);
975 if (newstats == NULL)
978 rcu_assign_pointer(nft_base_chain(chain)->stats,
982 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
987 INIT_LIST_HEAD(&chain->rules);
988 chain->handle = nf_tables_alloc_handle(table);
990 chain->table = table;
991 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
993 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
994 chain->flags & NFT_BASE_CHAIN) {
995 err = nf_register_hook(&nft_base_chain(chain)->ops);
997 free_percpu(basechain->stats);
1002 list_add_tail(&chain->list, &table->chains);
1005 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
1010 static void nf_tables_rcu_chain_destroy(struct rcu_head *head)
1012 struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head);
1014 BUG_ON(chain->use > 0);
1016 if (chain->flags & NFT_BASE_CHAIN) {
1017 free_percpu(nft_base_chain(chain)->stats);
1018 kfree(nft_base_chain(chain));
1023 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1024 const struct nlmsghdr *nlh,
1025 const struct nlattr * const nla[])
1027 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1028 const struct nft_af_info *afi;
1029 struct nft_table *table;
1030 struct nft_chain *chain;
1031 struct net *net = sock_net(skb->sk);
1032 int family = nfmsg->nfgen_family;
1034 afi = nf_tables_afinfo_lookup(net, family, false);
1036 return PTR_ERR(afi);
1038 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1040 return PTR_ERR(table);
1042 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1044 return PTR_ERR(chain);
1046 if (!list_empty(&chain->rules))
1049 list_del(&chain->list);
1052 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1053 chain->flags & NFT_BASE_CHAIN)
1054 nf_unregister_hook(&nft_base_chain(chain)->ops);
1056 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1059 /* Make sure all rule references are gone before this is released */
1060 call_rcu(&chain->rcu_head, nf_tables_rcu_chain_destroy);
1064 static void nft_ctx_init(struct nft_ctx *ctx,
1065 const struct sk_buff *skb,
1066 const struct nlmsghdr *nlh,
1067 const struct nft_af_info *afi,
1068 const struct nft_table *table,
1069 const struct nft_chain *chain,
1070 const struct nlattr * const *nla)
1072 ctx->net = sock_net(skb->sk);
1086 * nft_register_expr - register nf_tables expr type
1089 * Registers the expr type for use with nf_tables. Returns zero on
1090 * success or a negative errno code otherwise.
1092 int nft_register_expr(struct nft_expr_type *type)
1094 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1095 list_add_tail(&type->list, &nf_tables_expressions);
1096 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1099 EXPORT_SYMBOL_GPL(nft_register_expr);
1102 * nft_unregister_expr - unregister nf_tables expr type
1105 * Unregisters the expr typefor use with nf_tables.
1107 void nft_unregister_expr(struct nft_expr_type *type)
1109 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1110 list_del(&type->list);
1111 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1113 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1115 static const struct nft_expr_type *__nft_expr_type_get(struct nlattr *nla)
1117 const struct nft_expr_type *type;
1119 list_for_each_entry(type, &nf_tables_expressions, list) {
1120 if (!nla_strcmp(nla, type->name))
1126 static const struct nft_expr_type *nft_expr_type_get(struct nlattr *nla)
1128 const struct nft_expr_type *type;
1131 return ERR_PTR(-EINVAL);
1133 type = __nft_expr_type_get(nla);
1134 if (type != NULL && try_module_get(type->owner))
1137 #ifdef CONFIG_MODULES
1139 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1140 request_module("nft-expr-%.*s",
1141 nla_len(nla), (char *)nla_data(nla));
1142 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1143 if (__nft_expr_type_get(nla))
1144 return ERR_PTR(-EAGAIN);
1147 return ERR_PTR(-ENOENT);
1150 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1151 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1152 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1155 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1156 const struct nft_expr *expr)
1158 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1159 goto nla_put_failure;
1161 if (expr->ops->dump) {
1162 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1164 goto nla_put_failure;
1165 if (expr->ops->dump(skb, expr) < 0)
1166 goto nla_put_failure;
1167 nla_nest_end(skb, data);
1176 struct nft_expr_info {
1177 const struct nft_expr_ops *ops;
1178 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1181 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1182 const struct nlattr *nla,
1183 struct nft_expr_info *info)
1185 const struct nft_expr_type *type;
1186 const struct nft_expr_ops *ops;
1187 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1190 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1194 type = nft_expr_type_get(tb[NFTA_EXPR_NAME]);
1196 return PTR_ERR(type);
1198 if (tb[NFTA_EXPR_DATA]) {
1199 err = nla_parse_nested(info->tb, type->maxattr,
1200 tb[NFTA_EXPR_DATA], type->policy);
1204 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1206 if (type->select_ops != NULL) {
1207 ops = type->select_ops(ctx,
1208 (const struct nlattr * const *)info->tb);
1220 module_put(type->owner);
1224 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1225 const struct nft_expr_info *info,
1226 struct nft_expr *expr)
1228 const struct nft_expr_ops *ops = info->ops;
1233 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1245 static void nf_tables_expr_destroy(struct nft_expr *expr)
1247 if (expr->ops->destroy)
1248 expr->ops->destroy(expr);
1249 module_put(expr->ops->type->owner);
1256 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1259 struct nft_rule *rule;
1261 // FIXME: this sucks
1262 list_for_each_entry(rule, &chain->rules, list) {
1263 if (handle == rule->handle)
1267 return ERR_PTR(-ENOENT);
1270 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1271 const struct nlattr *nla)
1274 return ERR_PTR(-EINVAL);
1276 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1279 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1280 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1281 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1282 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1283 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1284 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1285 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1286 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1289 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1290 int event, u32 flags, int family,
1291 const struct nft_table *table,
1292 const struct nft_chain *chain,
1293 const struct nft_rule *rule)
1295 struct nlmsghdr *nlh;
1296 struct nfgenmsg *nfmsg;
1297 const struct nft_expr *expr, *next;
1298 struct nlattr *list;
1299 const struct nft_rule *prule;
1300 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1302 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1305 goto nla_put_failure;
1307 nfmsg = nlmsg_data(nlh);
1308 nfmsg->nfgen_family = family;
1309 nfmsg->version = NFNETLINK_V0;
1312 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1313 goto nla_put_failure;
1314 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1315 goto nla_put_failure;
1316 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1317 goto nla_put_failure;
1319 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1320 prule = list_entry(rule->list.prev, struct nft_rule, list);
1321 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1322 cpu_to_be64(prule->handle)))
1323 goto nla_put_failure;
1326 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1328 goto nla_put_failure;
1329 nft_rule_for_each_expr(expr, next, rule) {
1330 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1332 goto nla_put_failure;
1333 if (nf_tables_fill_expr_info(skb, expr) < 0)
1334 goto nla_put_failure;
1335 nla_nest_end(skb, elem);
1337 nla_nest_end(skb, list);
1339 return nlmsg_end(skb, nlh);
1342 nlmsg_trim(skb, nlh);
1346 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1347 const struct nlmsghdr *nlh,
1348 const struct nft_table *table,
1349 const struct nft_chain *chain,
1350 const struct nft_rule *rule,
1351 int event, u32 flags, int family)
1353 struct sk_buff *skb;
1354 u32 portid = NETLINK_CB(oskb).portid;
1355 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1356 u32 seq = nlh->nlmsg_seq;
1360 report = nlmsg_report(nlh);
1361 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1365 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1369 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1370 family, table, chain, rule);
1376 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1380 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1385 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1387 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1390 static inline int gencursor_next(struct net *net)
1392 return net->nft.gencursor+1 == 1 ? 1 : 0;
1396 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1398 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1402 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1404 /* Now inactive, will be active in the future */
1405 rule->genmask = (1 << net->nft.gencursor);
1409 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1411 rule->genmask = (1 << gencursor_next(net));
1414 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1419 static int nf_tables_dump_rules(struct sk_buff *skb,
1420 struct netlink_callback *cb)
1422 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1423 const struct nft_af_info *afi;
1424 const struct nft_table *table;
1425 const struct nft_chain *chain;
1426 const struct nft_rule *rule;
1427 unsigned int idx = 0, s_idx = cb->args[0];
1428 struct net *net = sock_net(skb->sk);
1429 int family = nfmsg->nfgen_family;
1430 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1431 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1433 list_for_each_entry(afi, &net->nft.af_info, list) {
1434 if (family != NFPROTO_UNSPEC && family != afi->family)
1437 list_for_each_entry(table, &afi->tables, list) {
1438 list_for_each_entry(chain, &table->chains, list) {
1439 list_for_each_entry(rule, &chain->rules, list) {
1440 if (!nft_rule_is_active(net, rule))
1445 memset(&cb->args[1], 0,
1446 sizeof(cb->args) - sizeof(cb->args[0]));
1447 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1450 NLM_F_MULTI | NLM_F_APPEND,
1451 afi->family, table, chain, rule) < 0)
1460 /* Invalidate this dump, a transition to the new generation happened */
1461 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1468 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1469 const struct nlmsghdr *nlh,
1470 const struct nlattr * const nla[])
1472 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1473 const struct nft_af_info *afi;
1474 const struct nft_table *table;
1475 const struct nft_chain *chain;
1476 const struct nft_rule *rule;
1477 struct sk_buff *skb2;
1478 struct net *net = sock_net(skb->sk);
1479 int family = nfmsg->nfgen_family;
1482 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1483 struct netlink_dump_control c = {
1484 .dump = nf_tables_dump_rules,
1486 return netlink_dump_start(nlsk, skb, nlh, &c);
1489 afi = nf_tables_afinfo_lookup(net, family, false);
1491 return PTR_ERR(afi);
1493 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1495 return PTR_ERR(table);
1497 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1499 return PTR_ERR(chain);
1501 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1503 return PTR_ERR(rule);
1505 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1509 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1510 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1511 family, table, chain, rule);
1515 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1522 static void nf_tables_rcu_rule_destroy(struct rcu_head *head)
1524 struct nft_rule *rule = container_of(head, struct nft_rule, rcu_head);
1525 struct nft_expr *expr;
1528 * Careful: some expressions might not be initialized in case this
1529 * is called on error from nf_tables_newrule().
1531 expr = nft_expr_first(rule);
1532 while (expr->ops && expr != nft_expr_last(rule)) {
1533 nf_tables_expr_destroy(expr);
1534 expr = nft_expr_next(expr);
1539 static void nf_tables_rule_destroy(struct nft_rule *rule)
1541 call_rcu(&rule->rcu_head, nf_tables_rcu_rule_destroy);
1544 #define NFT_RULE_MAXEXPRS 128
1546 static struct nft_expr_info *info;
1548 static struct nft_rule_trans *
1549 nf_tables_trans_add(struct nft_rule *rule, const struct nft_ctx *ctx)
1551 struct nft_rule_trans *rupd;
1553 rupd = kmalloc(sizeof(struct nft_rule_trans), GFP_KERNEL);
1557 rupd->chain = ctx->chain;
1558 rupd->table = ctx->table;
1560 rupd->family = ctx->afi->family;
1561 rupd->nlh = ctx->nlh;
1562 list_add_tail(&rupd->list, &ctx->net->nft.commit_list);
1567 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1568 const struct nlmsghdr *nlh,
1569 const struct nlattr * const nla[])
1571 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1572 const struct nft_af_info *afi;
1573 struct net *net = sock_net(skb->sk);
1574 struct nft_table *table;
1575 struct nft_chain *chain;
1576 struct nft_rule *rule, *old_rule = NULL;
1577 struct nft_rule_trans *repl = NULL;
1578 struct nft_expr *expr;
1581 unsigned int size, i, n;
1584 u64 handle, pos_handle;
1586 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1588 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1590 return PTR_ERR(afi);
1592 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1594 return PTR_ERR(table);
1596 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1598 return PTR_ERR(chain);
1600 if (nla[NFTA_RULE_HANDLE]) {
1601 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1602 rule = __nf_tables_rule_lookup(chain, handle);
1604 return PTR_ERR(rule);
1606 if (nlh->nlmsg_flags & NLM_F_EXCL)
1608 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1613 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1615 handle = nf_tables_alloc_handle(table);
1618 if (nla[NFTA_RULE_POSITION]) {
1619 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1622 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1623 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1624 if (IS_ERR(old_rule))
1625 return PTR_ERR(old_rule);
1628 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1632 if (nla[NFTA_RULE_EXPRESSIONS]) {
1633 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1635 if (nla_type(tmp) != NFTA_LIST_ELEM)
1637 if (n == NFT_RULE_MAXEXPRS)
1639 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1642 size += info[n].ops->size;
1648 rule = kzalloc(sizeof(*rule) + size, GFP_KERNEL);
1652 nft_rule_activate_next(net, rule);
1654 rule->handle = handle;
1657 expr = nft_expr_first(rule);
1658 for (i = 0; i < n; i++) {
1659 err = nf_tables_newexpr(&ctx, &info[i], expr);
1663 expr = nft_expr_next(expr);
1666 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1667 if (nft_rule_is_active_next(net, old_rule)) {
1668 repl = nf_tables_trans_add(old_rule, &ctx);
1673 nft_rule_disactivate_next(net, old_rule);
1674 list_add_tail(&rule->list, &old_rule->list);
1679 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1681 list_add_rcu(&rule->list, &old_rule->list);
1683 list_add_tail_rcu(&rule->list, &chain->rules);
1686 list_add_tail_rcu(&rule->list, &old_rule->list);
1688 list_add_rcu(&rule->list, &chain->rules);
1691 if (nf_tables_trans_add(rule, &ctx) == NULL) {
1698 list_del_rcu(&rule->list);
1700 list_del_rcu(&repl->rule->list);
1701 list_del(&repl->list);
1702 nft_rule_clear(net, repl->rule);
1706 nf_tables_rule_destroy(rule);
1708 for (i = 0; i < n; i++) {
1709 if (info[i].ops != NULL)
1710 module_put(info[i].ops->type->owner);
1716 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1718 /* You cannot delete the same rule twice */
1719 if (nft_rule_is_active_next(ctx->net, rule)) {
1720 if (nf_tables_trans_add(rule, ctx) == NULL)
1722 nft_rule_disactivate_next(ctx->net, rule);
1728 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1730 struct nft_rule *rule;
1733 list_for_each_entry(rule, &ctx->chain->rules, list) {
1734 err = nf_tables_delrule_one(ctx, rule);
1741 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1742 const struct nlmsghdr *nlh,
1743 const struct nlattr * const nla[])
1745 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1746 const struct nft_af_info *afi;
1747 struct net *net = sock_net(skb->sk);
1748 const struct nft_table *table;
1749 struct nft_chain *chain = NULL;
1750 struct nft_rule *rule;
1751 int family = nfmsg->nfgen_family, err = 0;
1754 afi = nf_tables_afinfo_lookup(net, family, false);
1756 return PTR_ERR(afi);
1758 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1760 return PTR_ERR(table);
1762 if (nla[NFTA_RULE_CHAIN]) {
1763 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1765 return PTR_ERR(chain);
1768 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1771 if (nla[NFTA_RULE_HANDLE]) {
1772 rule = nf_tables_rule_lookup(chain,
1773 nla[NFTA_RULE_HANDLE]);
1775 return PTR_ERR(rule);
1777 err = nf_tables_delrule_one(&ctx, rule);
1779 err = nf_table_delrule_by_chain(&ctx);
1782 list_for_each_entry(chain, &table->chains, list) {
1784 err = nf_table_delrule_by_chain(&ctx);
1793 static int nf_tables_commit(struct sk_buff *skb)
1795 struct net *net = sock_net(skb->sk);
1796 struct nft_rule_trans *rupd, *tmp;
1798 /* Bump generation counter, invalidate any dump in progress */
1801 /* A new generation has just started */
1802 net->nft.gencursor = gencursor_next(net);
1804 /* Make sure all packets have left the previous generation before
1805 * purging old rules.
1809 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1810 /* Delete this rule from the dirty list */
1811 list_del(&rupd->list);
1813 /* This rule was inactive in the past and just became active.
1814 * Clear the next bit of the genmask since its meaning has
1815 * changed, now it is the future.
1817 if (nft_rule_is_active(net, rupd->rule)) {
1818 nft_rule_clear(net, rupd->rule);
1819 nf_tables_rule_notify(skb, rupd->nlh, rupd->table,
1820 rupd->chain, rupd->rule,
1827 /* This rule is in the past, get rid of it */
1828 list_del_rcu(&rupd->rule->list);
1829 nf_tables_rule_notify(skb, rupd->nlh, rupd->table, rupd->chain,
1830 rupd->rule, NFT_MSG_DELRULE, 0,
1832 nf_tables_rule_destroy(rupd->rule);
1839 static int nf_tables_abort(struct sk_buff *skb)
1841 struct net *net = sock_net(skb->sk);
1842 struct nft_rule_trans *rupd, *tmp;
1844 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1845 /* Delete all rules from the dirty list */
1846 list_del(&rupd->list);
1848 if (!nft_rule_is_active_next(net, rupd->rule)) {
1849 nft_rule_clear(net, rupd->rule);
1854 /* This rule is inactive, get rid of it */
1855 list_del_rcu(&rupd->rule->list);
1856 nf_tables_rule_destroy(rupd->rule);
1866 static LIST_HEAD(nf_tables_set_ops);
1868 int nft_register_set(struct nft_set_ops *ops)
1870 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1871 list_add_tail(&ops->list, &nf_tables_set_ops);
1872 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1875 EXPORT_SYMBOL_GPL(nft_register_set);
1877 void nft_unregister_set(struct nft_set_ops *ops)
1879 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1880 list_del(&ops->list);
1881 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1883 EXPORT_SYMBOL_GPL(nft_unregister_set);
1885 static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const nla[])
1887 const struct nft_set_ops *ops;
1890 #ifdef CONFIG_MODULES
1891 if (list_empty(&nf_tables_set_ops)) {
1892 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1893 request_module("nft-set");
1894 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1895 if (!list_empty(&nf_tables_set_ops))
1896 return ERR_PTR(-EAGAIN);
1900 if (nla[NFTA_SET_FLAGS] != NULL) {
1901 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1902 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1905 // FIXME: implement selection properly
1906 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1907 if ((ops->features & features) != features)
1909 if (!try_module_get(ops->owner))
1914 return ERR_PTR(-EOPNOTSUPP);
1917 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1918 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1919 [NFTA_SET_NAME] = { .type = NLA_STRING },
1920 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1921 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1922 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1923 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1924 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1927 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1928 const struct sk_buff *skb,
1929 const struct nlmsghdr *nlh,
1930 const struct nlattr * const nla[])
1932 struct net *net = sock_net(skb->sk);
1933 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1934 const struct nft_af_info *afi;
1935 const struct nft_table *table = NULL;
1937 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1939 return PTR_ERR(afi);
1941 if (nla[NFTA_SET_TABLE] != NULL) {
1942 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
1944 return PTR_ERR(table);
1947 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
1951 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1952 const struct nlattr *nla)
1954 struct nft_set *set;
1957 return ERR_PTR(-EINVAL);
1959 list_for_each_entry(set, &table->sets, list) {
1960 if (!nla_strcmp(nla, set->name))
1963 return ERR_PTR(-ENOENT);
1966 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
1969 const struct nft_set *i;
1971 unsigned long *inuse;
1974 p = strnchr(name, IFNAMSIZ, '%');
1976 if (p[1] != 'd' || strchr(p + 2, '%'))
1979 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
1983 list_for_each_entry(i, &ctx->table->sets, list) {
1984 if (!sscanf(i->name, name, &n))
1986 if (n < 0 || n > BITS_PER_LONG * PAGE_SIZE)
1991 n = find_first_zero_bit(inuse, BITS_PER_LONG * PAGE_SIZE);
1992 free_page((unsigned long)inuse);
1995 snprintf(set->name, sizeof(set->name), name, n);
1996 list_for_each_entry(i, &ctx->table->sets, list) {
1997 if (!strcmp(set->name, i->name))
2003 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2004 const struct nft_set *set, u16 event, u16 flags)
2006 struct nfgenmsg *nfmsg;
2007 struct nlmsghdr *nlh;
2008 u32 portid = NETLINK_CB(ctx->skb).portid;
2009 u32 seq = ctx->nlh->nlmsg_seq;
2011 event |= NFNL_SUBSYS_NFTABLES << 8;
2012 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2015 goto nla_put_failure;
2017 nfmsg = nlmsg_data(nlh);
2018 nfmsg->nfgen_family = ctx->afi->family;
2019 nfmsg->version = NFNETLINK_V0;
2022 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2023 goto nla_put_failure;
2024 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2025 goto nla_put_failure;
2026 if (set->flags != 0)
2027 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2028 goto nla_put_failure;
2030 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2031 goto nla_put_failure;
2032 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2033 goto nla_put_failure;
2034 if (set->flags & NFT_SET_MAP) {
2035 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2036 goto nla_put_failure;
2037 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2038 goto nla_put_failure;
2041 return nlmsg_end(skb, nlh);
2044 nlmsg_trim(skb, nlh);
2048 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2049 const struct nft_set *set,
2052 struct sk_buff *skb;
2053 u32 portid = NETLINK_CB(ctx->skb).portid;
2057 report = nlmsg_report(ctx->nlh);
2058 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2062 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2066 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2072 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2076 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2080 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2081 struct netlink_callback *cb)
2083 const struct nft_set *set;
2084 unsigned int idx = 0, s_idx = cb->args[0];
2089 list_for_each_entry(set, &ctx->table->sets, list) {
2092 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2105 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2106 struct netlink_callback *cb)
2108 const struct nft_set *set;
2109 unsigned int idx, s_idx = cb->args[0];
2110 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2115 list_for_each_entry(table, &ctx->afi->tables, list) {
2117 if (cur_table != table)
2124 list_for_each_entry(set, &ctx->table->sets, list) {
2127 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2130 cb->args[2] = (unsigned long) table;
2142 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2144 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2145 struct nlattr *nla[NFTA_SET_MAX + 1];
2149 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2154 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2158 if (ctx.table == NULL)
2159 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2161 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2166 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2167 const struct nlmsghdr *nlh,
2168 const struct nlattr * const nla[])
2170 const struct nft_set *set;
2172 struct sk_buff *skb2;
2175 /* Verify existance before starting dump */
2176 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2180 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2181 struct netlink_dump_control c = {
2182 .dump = nf_tables_dump_sets,
2184 return netlink_dump_start(nlsk, skb, nlh, &c);
2187 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2189 return PTR_ERR(set);
2191 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2195 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2199 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2206 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2207 const struct nlmsghdr *nlh,
2208 const struct nlattr * const nla[])
2210 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2211 const struct nft_set_ops *ops;
2212 const struct nft_af_info *afi;
2213 struct net *net = sock_net(skb->sk);
2214 struct nft_table *table;
2215 struct nft_set *set;
2217 char name[IFNAMSIZ];
2220 u32 ktype, klen, dlen, dtype, flags;
2223 if (nla[NFTA_SET_TABLE] == NULL ||
2224 nla[NFTA_SET_NAME] == NULL ||
2225 nla[NFTA_SET_KEY_LEN] == NULL)
2228 ktype = NFT_DATA_VALUE;
2229 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2230 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2231 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2235 klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2236 if (klen == 0 || klen > FIELD_SIZEOF(struct nft_data, data))
2240 if (nla[NFTA_SET_FLAGS] != NULL) {
2241 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2242 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2243 NFT_SET_INTERVAL | NFT_SET_MAP))
2249 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2250 if (!(flags & NFT_SET_MAP))
2253 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2254 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2255 dtype != NFT_DATA_VERDICT)
2258 if (dtype != NFT_DATA_VERDICT) {
2259 if (nla[NFTA_SET_DATA_LEN] == NULL)
2261 dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2263 dlen > FIELD_SIZEOF(struct nft_data, data))
2266 dlen = sizeof(struct nft_data);
2267 } else if (flags & NFT_SET_MAP)
2270 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2272 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2274 return PTR_ERR(afi);
2276 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2278 return PTR_ERR(table);
2280 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2282 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2284 if (PTR_ERR(set) != -ENOENT)
2285 return PTR_ERR(set);
2290 if (nlh->nlmsg_flags & NLM_F_EXCL)
2292 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2297 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2300 ops = nft_select_set_ops(nla);
2302 return PTR_ERR(ops);
2305 if (ops->privsize != NULL)
2306 size = ops->privsize(nla);
2309 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2313 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2314 err = nf_tables_set_alloc_name(&ctx, set, name);
2318 INIT_LIST_HEAD(&set->bindings);
2326 err = ops->init(set, nla);
2330 list_add_tail(&set->list, &table->sets);
2331 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2337 module_put(ops->owner);
2341 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2343 list_del(&set->list);
2344 if (!(set->flags & NFT_SET_ANONYMOUS))
2345 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2347 set->ops->destroy(set);
2348 module_put(set->ops->owner);
2352 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2353 const struct nlmsghdr *nlh,
2354 const struct nlattr * const nla[])
2356 struct nft_set *set;
2360 if (nla[NFTA_SET_TABLE] == NULL)
2363 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2367 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2369 return PTR_ERR(set);
2370 if (!list_empty(&set->bindings))
2373 nf_tables_set_destroy(&ctx, set);
2377 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2378 const struct nft_set *set,
2379 const struct nft_set_iter *iter,
2380 const struct nft_set_elem *elem)
2382 enum nft_registers dreg;
2384 dreg = nft_type_to_reg(set->dtype);
2385 return nft_validate_data_load(ctx, dreg, &elem->data,
2386 set->dtype == NFT_DATA_VERDICT ?
2387 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2390 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2391 struct nft_set_binding *binding)
2393 struct nft_set_binding *i;
2394 struct nft_set_iter iter;
2396 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2399 if (set->flags & NFT_SET_MAP) {
2400 /* If the set is already bound to the same chain all
2401 * jumps are already validated for that chain.
2403 list_for_each_entry(i, &set->bindings, list) {
2404 if (i->chain == binding->chain)
2411 iter.fn = nf_tables_bind_check_setelem;
2413 set->ops->walk(ctx, set, &iter);
2415 /* Destroy anonymous sets if binding fails */
2416 if (set->flags & NFT_SET_ANONYMOUS)
2417 nf_tables_set_destroy(ctx, set);
2423 binding->chain = ctx->chain;
2424 list_add_tail(&binding->list, &set->bindings);
2428 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2429 struct nft_set_binding *binding)
2431 list_del(&binding->list);
2433 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2434 nf_tables_set_destroy(ctx, set);
2441 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2442 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2443 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2444 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2447 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2448 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2449 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2450 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2453 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2454 const struct sk_buff *skb,
2455 const struct nlmsghdr *nlh,
2456 const struct nlattr * const nla[])
2458 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2459 const struct nft_af_info *afi;
2460 const struct nft_table *table;
2461 struct net *net = sock_net(skb->sk);
2463 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2465 return PTR_ERR(afi);
2467 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2469 return PTR_ERR(table);
2471 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2475 static int nf_tables_fill_setelem(struct sk_buff *skb,
2476 const struct nft_set *set,
2477 const struct nft_set_elem *elem)
2479 unsigned char *b = skb_tail_pointer(skb);
2480 struct nlattr *nest;
2482 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2484 goto nla_put_failure;
2486 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2488 goto nla_put_failure;
2490 if (set->flags & NFT_SET_MAP &&
2491 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2492 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2493 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2495 goto nla_put_failure;
2497 if (elem->flags != 0)
2498 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2499 goto nla_put_failure;
2501 nla_nest_end(skb, nest);
2509 struct nft_set_dump_args {
2510 const struct netlink_callback *cb;
2511 struct nft_set_iter iter;
2512 struct sk_buff *skb;
2515 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2516 const struct nft_set *set,
2517 const struct nft_set_iter *iter,
2518 const struct nft_set_elem *elem)
2520 struct nft_set_dump_args *args;
2522 args = container_of(iter, struct nft_set_dump_args, iter);
2523 return nf_tables_fill_setelem(args->skb, set, elem);
2526 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2528 const struct nft_set *set;
2529 struct nft_set_dump_args args;
2531 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2532 struct nfgenmsg *nfmsg;
2533 struct nlmsghdr *nlh;
2534 struct nlattr *nest;
2538 nfmsg = nlmsg_data(cb->nlh);
2539 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_ELEM_LIST_MAX,
2540 nft_set_elem_list_policy);
2544 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2548 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2550 return PTR_ERR(set);
2552 event = NFT_MSG_NEWSETELEM;
2553 event |= NFNL_SUBSYS_NFTABLES << 8;
2554 portid = NETLINK_CB(cb->skb).portid;
2555 seq = cb->nlh->nlmsg_seq;
2557 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2560 goto nla_put_failure;
2562 nfmsg = nlmsg_data(nlh);
2563 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2564 nfmsg->version = NFNETLINK_V0;
2567 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2568 goto nla_put_failure;
2569 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2570 goto nla_put_failure;
2572 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2574 goto nla_put_failure;
2578 args.iter.skip = cb->args[0];
2579 args.iter.count = 0;
2581 args.iter.fn = nf_tables_dump_setelem;
2582 set->ops->walk(&ctx, set, &args.iter);
2584 nla_nest_end(skb, nest);
2585 nlmsg_end(skb, nlh);
2587 if (args.iter.err && args.iter.err != -EMSGSIZE)
2588 return args.iter.err;
2589 if (args.iter.count == cb->args[0])
2592 cb->args[0] = args.iter.count;
2599 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2600 const struct nlmsghdr *nlh,
2601 const struct nlattr * const nla[])
2603 const struct nft_set *set;
2607 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2611 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2613 return PTR_ERR(set);
2615 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2616 struct netlink_dump_control c = {
2617 .dump = nf_tables_dump_set,
2619 return netlink_dump_start(nlsk, skb, nlh, &c);
2624 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2625 const struct nlattr *attr)
2627 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2628 struct nft_data_desc d1, d2;
2629 struct nft_set_elem elem;
2630 struct nft_set_binding *binding;
2631 enum nft_registers dreg;
2634 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2635 nft_set_elem_policy);
2639 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2643 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2644 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2645 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2649 if (set->flags & NFT_SET_MAP) {
2650 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2651 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2654 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2658 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2662 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2666 if (set->ops->get(set, &elem) == 0)
2669 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2670 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2675 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2678 dreg = nft_type_to_reg(set->dtype);
2679 list_for_each_entry(binding, &set->bindings, list) {
2680 struct nft_ctx bind_ctx = {
2682 .table = ctx->table,
2683 .chain = binding->chain,
2686 err = nft_validate_data_load(&bind_ctx, dreg,
2687 &elem.data, d2.type);
2693 err = set->ops->insert(set, &elem);
2700 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2701 nft_data_uninit(&elem.data, d2.type);
2703 nft_data_uninit(&elem.key, d1.type);
2708 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2709 const struct nlmsghdr *nlh,
2710 const struct nlattr * const nla[])
2712 const struct nlattr *attr;
2713 struct nft_set *set;
2717 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2721 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2723 return PTR_ERR(set);
2724 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2727 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2728 err = nft_add_set_elem(&ctx, set, attr);
2735 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2736 const struct nlattr *attr)
2738 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2739 struct nft_data_desc desc;
2740 struct nft_set_elem elem;
2743 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2744 nft_set_elem_policy);
2749 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2752 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2757 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2760 err = set->ops->get(set, &elem);
2764 set->ops->remove(set, &elem);
2766 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2767 if (set->flags & NFT_SET_MAP)
2768 nft_data_uninit(&elem.data, set->dtype);
2771 nft_data_uninit(&elem.key, desc.type);
2776 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2777 const struct nlmsghdr *nlh,
2778 const struct nlattr * const nla[])
2780 const struct nlattr *attr;
2781 struct nft_set *set;
2785 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2789 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2791 return PTR_ERR(set);
2792 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2795 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2796 err = nft_del_setelem(&ctx, set, attr);
2803 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
2804 [NFT_MSG_NEWTABLE] = {
2805 .call = nf_tables_newtable,
2806 .attr_count = NFTA_TABLE_MAX,
2807 .policy = nft_table_policy,
2809 [NFT_MSG_GETTABLE] = {
2810 .call = nf_tables_gettable,
2811 .attr_count = NFTA_TABLE_MAX,
2812 .policy = nft_table_policy,
2814 [NFT_MSG_DELTABLE] = {
2815 .call = nf_tables_deltable,
2816 .attr_count = NFTA_TABLE_MAX,
2817 .policy = nft_table_policy,
2819 [NFT_MSG_NEWCHAIN] = {
2820 .call = nf_tables_newchain,
2821 .attr_count = NFTA_CHAIN_MAX,
2822 .policy = nft_chain_policy,
2824 [NFT_MSG_GETCHAIN] = {
2825 .call = nf_tables_getchain,
2826 .attr_count = NFTA_CHAIN_MAX,
2827 .policy = nft_chain_policy,
2829 [NFT_MSG_DELCHAIN] = {
2830 .call = nf_tables_delchain,
2831 .attr_count = NFTA_CHAIN_MAX,
2832 .policy = nft_chain_policy,
2834 [NFT_MSG_NEWRULE] = {
2835 .call_batch = nf_tables_newrule,
2836 .attr_count = NFTA_RULE_MAX,
2837 .policy = nft_rule_policy,
2839 [NFT_MSG_GETRULE] = {
2840 .call = nf_tables_getrule,
2841 .attr_count = NFTA_RULE_MAX,
2842 .policy = nft_rule_policy,
2844 [NFT_MSG_DELRULE] = {
2845 .call_batch = nf_tables_delrule,
2846 .attr_count = NFTA_RULE_MAX,
2847 .policy = nft_rule_policy,
2849 [NFT_MSG_NEWSET] = {
2850 .call = nf_tables_newset,
2851 .attr_count = NFTA_SET_MAX,
2852 .policy = nft_set_policy,
2854 [NFT_MSG_GETSET] = {
2855 .call = nf_tables_getset,
2856 .attr_count = NFTA_SET_MAX,
2857 .policy = nft_set_policy,
2859 [NFT_MSG_DELSET] = {
2860 .call = nf_tables_delset,
2861 .attr_count = NFTA_SET_MAX,
2862 .policy = nft_set_policy,
2864 [NFT_MSG_NEWSETELEM] = {
2865 .call = nf_tables_newsetelem,
2866 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2867 .policy = nft_set_elem_list_policy,
2869 [NFT_MSG_GETSETELEM] = {
2870 .call = nf_tables_getsetelem,
2871 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2872 .policy = nft_set_elem_list_policy,
2874 [NFT_MSG_DELSETELEM] = {
2875 .call = nf_tables_delsetelem,
2876 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2877 .policy = nft_set_elem_list_policy,
2881 static const struct nfnetlink_subsystem nf_tables_subsys = {
2882 .name = "nf_tables",
2883 .subsys_id = NFNL_SUBSYS_NFTABLES,
2884 .cb_count = NFT_MSG_MAX,
2886 .commit = nf_tables_commit,
2887 .abort = nf_tables_abort,
2891 * Loop detection - walk through the ruleset beginning at the destination chain
2892 * of a new jump until either the source chain is reached (loop) or all
2893 * reachable chains have been traversed.
2895 * The loop check is performed whenever a new jump verdict is added to an
2896 * expression or verdict map or a verdict map is bound to a new chain.
2899 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2900 const struct nft_chain *chain);
2902 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
2903 const struct nft_set *set,
2904 const struct nft_set_iter *iter,
2905 const struct nft_set_elem *elem)
2907 switch (elem->data.verdict) {
2910 return nf_tables_check_loops(ctx, elem->data.chain);
2916 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2917 const struct nft_chain *chain)
2919 const struct nft_rule *rule;
2920 const struct nft_expr *expr, *last;
2921 const struct nft_set *set;
2922 struct nft_set_binding *binding;
2923 struct nft_set_iter iter;
2925 if (ctx->chain == chain)
2928 list_for_each_entry(rule, &chain->rules, list) {
2929 nft_rule_for_each_expr(expr, last, rule) {
2930 const struct nft_data *data = NULL;
2933 if (!expr->ops->validate)
2936 err = expr->ops->validate(ctx, expr, &data);
2943 switch (data->verdict) {
2946 err = nf_tables_check_loops(ctx, data->chain);
2955 list_for_each_entry(set, &ctx->table->sets, list) {
2956 if (!(set->flags & NFT_SET_MAP) ||
2957 set->dtype != NFT_DATA_VERDICT)
2960 list_for_each_entry(binding, &set->bindings, list) {
2961 if (binding->chain != chain)
2967 iter.fn = nf_tables_loop_check_setelem;
2969 set->ops->walk(ctx, set, &iter);
2979 * nft_validate_input_register - validate an expressions' input register
2981 * @reg: the register number
2983 * Validate that the input register is one of the general purpose
2986 int nft_validate_input_register(enum nft_registers reg)
2988 if (reg <= NFT_REG_VERDICT)
2990 if (reg > NFT_REG_MAX)
2994 EXPORT_SYMBOL_GPL(nft_validate_input_register);
2997 * nft_validate_output_register - validate an expressions' output register
2999 * @reg: the register number
3001 * Validate that the output register is one of the general purpose
3002 * registers or the verdict register.
3004 int nft_validate_output_register(enum nft_registers reg)
3006 if (reg < NFT_REG_VERDICT)
3008 if (reg > NFT_REG_MAX)
3012 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3015 * nft_validate_data_load - validate an expressions' data load
3017 * @ctx: context of the expression performing the load
3018 * @reg: the destination register number
3019 * @data: the data to load
3020 * @type: the data type
3022 * Validate that a data load uses the appropriate data type for
3023 * the destination register. A value of NULL for the data means
3024 * that its runtime gathered data, which is always of type
3027 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3028 const struct nft_data *data,
3029 enum nft_data_types type)
3034 case NFT_REG_VERDICT:
3035 if (data == NULL || type != NFT_DATA_VERDICT)
3038 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3039 err = nf_tables_check_loops(ctx, data->chain);
3043 if (ctx->chain->level + 1 > data->chain->level) {
3044 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3046 data->chain->level = ctx->chain->level + 1;
3052 if (data != NULL && type != NFT_DATA_VALUE)
3057 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3059 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3060 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3061 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3062 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3065 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3066 struct nft_data_desc *desc, const struct nlattr *nla)
3068 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3069 struct nft_chain *chain;
3072 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3076 if (!tb[NFTA_VERDICT_CODE])
3078 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3080 switch (data->verdict) {
3087 desc->len = sizeof(data->verdict);
3091 if (!tb[NFTA_VERDICT_CHAIN])
3093 chain = nf_tables_chain_lookup(ctx->table,
3094 tb[NFTA_VERDICT_CHAIN]);
3096 return PTR_ERR(chain);
3097 if (chain->flags & NFT_BASE_CHAIN)
3101 data->chain = chain;
3102 desc->len = sizeof(data);
3108 desc->type = NFT_DATA_VERDICT;
3112 static void nft_verdict_uninit(const struct nft_data *data)
3114 switch (data->verdict) {
3122 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3124 struct nlattr *nest;
3126 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3128 goto nla_put_failure;
3130 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3131 goto nla_put_failure;
3133 switch (data->verdict) {
3136 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3137 goto nla_put_failure;
3139 nla_nest_end(skb, nest);
3146 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3147 struct nft_data_desc *desc, const struct nlattr *nla)
3154 if (len > sizeof(data->data))
3157 nla_memcpy(data->data, nla, sizeof(data->data));
3158 desc->type = NFT_DATA_VALUE;
3163 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3166 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3169 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3170 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3171 .len = FIELD_SIZEOF(struct nft_data, data) },
3172 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3176 * nft_data_init - parse nf_tables data netlink attributes
3178 * @ctx: context of the expression using the data
3179 * @data: destination struct nft_data
3180 * @desc: data description
3181 * @nla: netlink attribute containing data
3183 * Parse the netlink data attributes and initialize a struct nft_data.
3184 * The type and length of data are returned in the data description.
3186 * The caller can indicate that it only wants to accept data of type
3187 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3189 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3190 struct nft_data_desc *desc, const struct nlattr *nla)
3192 struct nlattr *tb[NFTA_DATA_MAX + 1];
3195 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3199 if (tb[NFTA_DATA_VALUE])
3200 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3201 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3202 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3205 EXPORT_SYMBOL_GPL(nft_data_init);
3208 * nft_data_uninit - release a nft_data item
3210 * @data: struct nft_data to release
3211 * @type: type of data
3213 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3214 * all others need to be released by calling this function.
3216 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3219 case NFT_DATA_VALUE:
3221 case NFT_DATA_VERDICT:
3222 return nft_verdict_uninit(data);
3227 EXPORT_SYMBOL_GPL(nft_data_uninit);
3229 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3230 enum nft_data_types type, unsigned int len)
3232 struct nlattr *nest;
3235 nest = nla_nest_start(skb, attr);
3240 case NFT_DATA_VALUE:
3241 err = nft_value_dump(skb, data, len);
3243 case NFT_DATA_VERDICT:
3244 err = nft_verdict_dump(skb, data);
3251 nla_nest_end(skb, nest);
3254 EXPORT_SYMBOL_GPL(nft_data_dump);
3256 static int nf_tables_init_net(struct net *net)
3258 INIT_LIST_HEAD(&net->nft.af_info);
3259 INIT_LIST_HEAD(&net->nft.commit_list);
3263 static struct pernet_operations nf_tables_net_ops = {
3264 .init = nf_tables_init_net,
3267 static int __init nf_tables_module_init(void)
3271 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3278 err = nf_tables_core_module_init();
3282 err = nfnetlink_subsys_register(&nf_tables_subsys);
3286 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3287 return register_pernet_subsys(&nf_tables_net_ops);
3289 nf_tables_core_module_exit();
3296 static void __exit nf_tables_module_exit(void)
3298 unregister_pernet_subsys(&nf_tables_net_ops);
3299 nfnetlink_subsys_unregister(&nf_tables_subsys);
3300 nf_tables_core_module_exit();
3304 module_init(nf_tables_module_init);
3305 module_exit(nf_tables_module_exit);
3307 MODULE_LICENSE("GPL");
3308 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3309 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / platform / adaptation / renesas_rcar / renesas_kernel.git / blob