2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
31 * nft_register_afinfo - register nf_tables address family info
33 * @afi: address family info to register
35 * Register the address family for use with nf_tables. Returns zero on
36 * success or a negative errno code otherwise.
38 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
40 INIT_LIST_HEAD(&afi->tables);
41 nfnl_lock(NFNL_SUBSYS_NFTABLES);
42 list_add_tail_rcu(&afi->list, &net->nft.af_info);
43 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
46 EXPORT_SYMBOL_GPL(nft_register_afinfo);
48 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
51 * nft_unregister_afinfo - unregister nf_tables address family info
53 * @afi: address family info to unregister
55 * Unregister the address family for use with nf_tables.
57 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
59 nfnl_lock(NFNL_SUBSYS_NFTABLES);
60 __nft_release_afinfo(net, afi);
61 list_del_rcu(&afi->list);
62 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
64 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
66 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
68 struct nft_af_info *afi;
70 list_for_each_entry(afi, &net->nft.af_info, list) {
71 if (afi->family == family)
77 static struct nft_af_info *
78 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
80 struct nft_af_info *afi;
82 afi = nft_afinfo_lookup(net, family);
87 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
88 request_module("nft-afinfo-%u", family);
89 nfnl_lock(NFNL_SUBSYS_NFTABLES);
90 afi = nft_afinfo_lookup(net, family);
92 return ERR_PTR(-EAGAIN);
95 return ERR_PTR(-EAFNOSUPPORT);
98 static void nft_ctx_init(struct nft_ctx *ctx,
100 const struct sk_buff *skb,
101 const struct nlmsghdr *nlh,
102 struct nft_af_info *afi,
103 struct nft_table *table,
104 struct nft_chain *chain,
105 const struct nlattr * const *nla)
112 ctx->portid = NETLINK_CB(skb).portid;
113 ctx->report = nlmsg_report(nlh);
114 ctx->seq = nlh->nlmsg_seq;
117 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
118 int msg_type, u32 size, gfp_t gfp)
120 struct nft_trans *trans;
122 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
126 trans->msg_type = msg_type;
132 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
133 int msg_type, u32 size)
135 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
138 static void nft_trans_destroy(struct nft_trans *trans)
140 list_del(&trans->list);
144 static int nf_tables_register_hook(struct net *net,
145 const struct nft_table *table,
146 struct nft_chain *chain)
148 if (table->flags & NFT_TABLE_F_DORMANT ||
149 !nft_is_base_chain(chain))
152 return nf_register_net_hook(net, &nft_base_chain(chain)->ops);
155 static void nf_tables_unregister_hook(struct net *net,
156 const struct nft_table *table,
157 struct nft_chain *chain)
159 if (table->flags & NFT_TABLE_F_DORMANT ||
160 !nft_is_base_chain(chain))
163 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
166 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
168 struct nft_trans *trans;
170 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
174 if (msg_type == NFT_MSG_NEWTABLE)
175 nft_activate_next(ctx->net, ctx->table);
177 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
181 static int nft_deltable(struct nft_ctx *ctx)
185 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
189 nft_deactivate_next(ctx->net, ctx->table);
193 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
195 struct nft_trans *trans;
197 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
201 if (msg_type == NFT_MSG_NEWCHAIN)
202 nft_activate_next(ctx->net, ctx->chain);
204 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
208 static int nft_delchain(struct nft_ctx *ctx)
212 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
217 nft_deactivate_next(ctx->net, ctx->chain);
223 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
225 /* You cannot delete the same rule twice */
226 if (nft_is_active_next(ctx->net, rule)) {
227 nft_deactivate_next(ctx->net, rule);
234 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
235 struct nft_rule *rule)
237 struct nft_trans *trans;
239 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
243 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
244 nft_trans_rule_id(trans) =
245 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
247 nft_trans_rule(trans) = rule;
248 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
253 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
255 struct nft_trans *trans;
258 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
262 err = nf_tables_delrule_deactivate(ctx, rule);
264 nft_trans_destroy(trans);
271 static int nft_delrule_by_chain(struct nft_ctx *ctx)
273 struct nft_rule *rule;
276 list_for_each_entry(rule, &ctx->chain->rules, list) {
277 err = nft_delrule(ctx, rule);
284 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
287 struct nft_trans *trans;
289 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
293 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
294 nft_trans_set_id(trans) =
295 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
296 nft_activate_next(ctx->net, set);
298 nft_trans_set(trans) = set;
299 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
304 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
308 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
312 nft_deactivate_next(ctx->net, set);
318 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
319 struct nft_object *obj)
321 struct nft_trans *trans;
323 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
327 if (msg_type == NFT_MSG_NEWOBJ)
328 nft_activate_next(ctx->net, obj);
330 nft_trans_obj(trans) = obj;
331 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
336 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
340 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
344 nft_deactivate_next(ctx->net, obj);
350 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
351 struct nft_flowtable *flowtable)
353 struct nft_trans *trans;
355 trans = nft_trans_alloc(ctx, msg_type,
356 sizeof(struct nft_trans_flowtable));
360 if (msg_type == NFT_MSG_NEWFLOWTABLE)
361 nft_activate_next(ctx->net, flowtable);
363 nft_trans_flowtable(trans) = flowtable;
364 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
369 static int nft_delflowtable(struct nft_ctx *ctx,
370 struct nft_flowtable *flowtable)
374 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
378 nft_deactivate_next(ctx->net, flowtable);
388 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
389 const struct nlattr *nla,
392 struct nft_table *table;
394 list_for_each_entry(table, &afi->tables, list) {
395 if (!nla_strcmp(nla, table->name) &&
396 nft_active_genmask(table, genmask))
402 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
403 const struct nlattr *nla,
406 struct nft_table *table;
409 return ERR_PTR(-EINVAL);
411 table = nft_table_lookup(afi, nla, genmask);
415 return ERR_PTR(-ENOENT);
418 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
420 return ++table->hgenerator;
423 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
425 static const struct nf_chain_type *
426 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
430 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
431 if (chain_type[family][i] != NULL &&
432 !nla_strcmp(nla, chain_type[family][i]->name))
433 return chain_type[family][i];
438 static const struct nf_chain_type *
439 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
441 const struct nf_chain_type *type;
443 type = __nf_tables_chain_type_lookup(nla, family);
446 #ifdef CONFIG_MODULES
448 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
449 request_module("nft-chain-%u-%.*s", family,
450 nla_len(nla), (const char *)nla_data(nla));
451 nfnl_lock(NFNL_SUBSYS_NFTABLES);
452 type = __nf_tables_chain_type_lookup(nla, family);
454 return ERR_PTR(-EAGAIN);
457 return ERR_PTR(-ENOENT);
460 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
461 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
462 .len = NFT_TABLE_MAXNAMELEN - 1 },
463 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
466 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
467 u32 portid, u32 seq, int event, u32 flags,
468 int family, const struct nft_table *table)
470 struct nlmsghdr *nlh;
471 struct nfgenmsg *nfmsg;
473 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
474 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
476 goto nla_put_failure;
478 nfmsg = nlmsg_data(nlh);
479 nfmsg->nfgen_family = family;
480 nfmsg->version = NFNETLINK_V0;
481 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
483 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
484 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
485 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
486 goto nla_put_failure;
492 nlmsg_trim(skb, nlh);
496 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
502 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
505 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
509 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
510 event, 0, ctx->afi->family, ctx->table);
516 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
517 ctx->report, GFP_KERNEL);
520 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
523 static int nf_tables_dump_tables(struct sk_buff *skb,
524 struct netlink_callback *cb)
526 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
527 const struct nft_af_info *afi;
528 const struct nft_table *table;
529 unsigned int idx = 0, s_idx = cb->args[0];
530 struct net *net = sock_net(skb->sk);
531 int family = nfmsg->nfgen_family;
534 cb->seq = net->nft.base_seq;
536 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
537 if (family != NFPROTO_UNSPEC && family != afi->family)
540 list_for_each_entry_rcu(table, &afi->tables, list) {
544 memset(&cb->args[1], 0,
545 sizeof(cb->args) - sizeof(cb->args[0]));
546 if (!nft_is_active(net, table))
548 if (nf_tables_fill_table_info(skb, net,
549 NETLINK_CB(cb->skb).portid,
553 afi->family, table) < 0)
556 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
567 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
568 struct sk_buff *skb, const struct nlmsghdr *nlh,
569 const struct nlattr * const nla[],
570 struct netlink_ext_ack *extack)
572 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
573 u8 genmask = nft_genmask_cur(net);
574 const struct nft_af_info *afi;
575 const struct nft_table *table;
576 struct sk_buff *skb2;
577 int family = nfmsg->nfgen_family;
580 if (nlh->nlmsg_flags & NLM_F_DUMP) {
581 struct netlink_dump_control c = {
582 .dump = nf_tables_dump_tables,
584 return netlink_dump_start(nlsk, skb, nlh, &c);
587 afi = nf_tables_afinfo_lookup(net, family, false);
591 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
593 return PTR_ERR(table);
595 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
599 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
600 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
605 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
612 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
614 struct nft_chain *chain;
617 list_for_each_entry(chain, &table->chains, list) {
618 if (!nft_is_active_next(net, chain))
620 if (!nft_is_base_chain(chain))
623 if (cnt && i++ == cnt)
626 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
630 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
632 struct nft_chain *chain;
635 list_for_each_entry(chain, &table->chains, list) {
636 if (!nft_is_active_next(net, chain))
638 if (!nft_is_base_chain(chain))
641 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
650 nft_table_disable(net, table, i);
654 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
656 nft_table_disable(net, table, 0);
659 static int nf_tables_updtable(struct nft_ctx *ctx)
661 struct nft_trans *trans;
665 if (!ctx->nla[NFTA_TABLE_FLAGS])
668 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
669 if (flags & ~NFT_TABLE_F_DORMANT)
672 if (flags == ctx->table->flags)
675 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
676 sizeof(struct nft_trans_table));
680 if ((flags & NFT_TABLE_F_DORMANT) &&
681 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
682 nft_trans_table_enable(trans) = false;
683 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
684 ctx->table->flags & NFT_TABLE_F_DORMANT) {
685 ret = nf_tables_table_enable(ctx->net, ctx->table);
687 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
688 nft_trans_table_enable(trans) = true;
694 nft_trans_table_update(trans) = true;
695 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
698 nft_trans_destroy(trans);
702 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
703 struct sk_buff *skb, const struct nlmsghdr *nlh,
704 const struct nlattr * const nla[],
705 struct netlink_ext_ack *extack)
707 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
708 u8 genmask = nft_genmask_next(net);
709 const struct nlattr *name;
710 struct nft_af_info *afi;
711 struct nft_table *table;
712 int family = nfmsg->nfgen_family;
717 afi = nf_tables_afinfo_lookup(net, family, true);
721 name = nla[NFTA_TABLE_NAME];
722 table = nf_tables_table_lookup(afi, name, genmask);
724 if (PTR_ERR(table) != -ENOENT)
725 return PTR_ERR(table);
727 if (nlh->nlmsg_flags & NLM_F_EXCL)
729 if (nlh->nlmsg_flags & NLM_F_REPLACE)
732 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
733 return nf_tables_updtable(&ctx);
736 if (nla[NFTA_TABLE_FLAGS]) {
737 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
738 if (flags & ~NFT_TABLE_F_DORMANT)
743 if (!try_module_get(afi->owner))
747 table = kzalloc(sizeof(*table), GFP_KERNEL);
751 table->name = nla_strdup(name, GFP_KERNEL);
752 if (table->name == NULL)
755 INIT_LIST_HEAD(&table->chains);
756 INIT_LIST_HEAD(&table->sets);
757 INIT_LIST_HEAD(&table->objects);
758 INIT_LIST_HEAD(&table->flowtables);
759 table->flags = flags;
761 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
762 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
766 list_add_tail_rcu(&table->list, &afi->tables);
773 module_put(afi->owner);
778 static int nft_flush_table(struct nft_ctx *ctx)
780 struct nft_flowtable *flowtable, *nft;
781 struct nft_chain *chain, *nc;
782 struct nft_object *obj, *ne;
783 struct nft_set *set, *ns;
786 list_for_each_entry(chain, &ctx->table->chains, list) {
787 if (!nft_is_active_next(ctx->net, chain))
792 err = nft_delrule_by_chain(ctx);
797 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
798 if (!nft_is_active_next(ctx->net, set))
801 if (nft_set_is_anonymous(set) &&
802 !list_empty(&set->bindings))
805 err = nft_delset(ctx, set);
810 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
811 err = nft_delflowtable(ctx, flowtable);
816 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
817 err = nft_delobj(ctx, obj);
822 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
823 if (!nft_is_active_next(ctx->net, chain))
828 err = nft_delchain(ctx);
833 err = nft_deltable(ctx);
838 static int nft_flush(struct nft_ctx *ctx, int family)
840 struct nft_af_info *afi;
841 struct nft_table *table, *nt;
842 const struct nlattr * const *nla = ctx->nla;
845 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
846 if (family != AF_UNSPEC && afi->family != family)
850 list_for_each_entry_safe(table, nt, &afi->tables, list) {
851 if (!nft_is_active_next(ctx->net, table))
854 if (nla[NFTA_TABLE_NAME] &&
855 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
860 err = nft_flush_table(ctx);
869 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
870 struct sk_buff *skb, const struct nlmsghdr *nlh,
871 const struct nlattr * const nla[],
872 struct netlink_ext_ack *extack)
874 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
875 u8 genmask = nft_genmask_next(net);
876 struct nft_af_info *afi;
877 struct nft_table *table;
878 int family = nfmsg->nfgen_family;
881 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
882 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
883 return nft_flush(&ctx, family);
885 afi = nf_tables_afinfo_lookup(net, family, false);
889 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
891 return PTR_ERR(table);
893 if (nlh->nlmsg_flags & NLM_F_NONREC &&
900 return nft_flush_table(&ctx);
903 static void nf_tables_table_destroy(struct nft_ctx *ctx)
905 BUG_ON(ctx->table->use > 0);
907 kfree(ctx->table->name);
909 module_put(ctx->afi->owner);
912 int nft_register_chain_type(const struct nf_chain_type *ctype)
916 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
919 nfnl_lock(NFNL_SUBSYS_NFTABLES);
920 if (chain_type[ctype->family][ctype->type] != NULL) {
924 chain_type[ctype->family][ctype->type] = ctype;
926 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
929 EXPORT_SYMBOL_GPL(nft_register_chain_type);
931 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
933 nfnl_lock(NFNL_SUBSYS_NFTABLES);
934 chain_type[ctype->family][ctype->type] = NULL;
935 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
937 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
943 static struct nft_chain *
944 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
947 struct nft_chain *chain;
949 list_for_each_entry(chain, &table->chains, list) {
950 if (chain->handle == handle &&
951 nft_active_genmask(chain, genmask))
955 return ERR_PTR(-ENOENT);
958 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
959 const struct nlattr *nla,
962 struct nft_chain *chain;
965 return ERR_PTR(-EINVAL);
967 list_for_each_entry(chain, &table->chains, list) {
968 if (!nla_strcmp(nla, chain->name) &&
969 nft_active_genmask(chain, genmask))
973 return ERR_PTR(-ENOENT);
976 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
977 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
978 .len = NFT_TABLE_MAXNAMELEN - 1 },
979 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
980 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
981 .len = NFT_CHAIN_MAXNAMELEN - 1 },
982 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
983 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
984 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
985 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
988 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
989 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
990 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
991 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
992 .len = IFNAMSIZ - 1 },
995 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
997 struct nft_stats *cpu_stats, total;
1003 memset(&total, 0, sizeof(total));
1004 for_each_possible_cpu(cpu) {
1005 cpu_stats = per_cpu_ptr(stats, cpu);
1007 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1008 pkts = cpu_stats->pkts;
1009 bytes = cpu_stats->bytes;
1010 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1012 total.bytes += bytes;
1014 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1016 goto nla_put_failure;
1018 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1019 NFTA_COUNTER_PAD) ||
1020 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1022 goto nla_put_failure;
1024 nla_nest_end(skb, nest);
1031 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1032 u32 portid, u32 seq, int event, u32 flags,
1033 int family, const struct nft_table *table,
1034 const struct nft_chain *chain)
1036 struct nlmsghdr *nlh;
1037 struct nfgenmsg *nfmsg;
1039 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1040 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1042 goto nla_put_failure;
1044 nfmsg = nlmsg_data(nlh);
1045 nfmsg->nfgen_family = family;
1046 nfmsg->version = NFNETLINK_V0;
1047 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1049 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1050 goto nla_put_failure;
1051 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1053 goto nla_put_failure;
1054 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1055 goto nla_put_failure;
1057 if (nft_is_base_chain(chain)) {
1058 const struct nft_base_chain *basechain = nft_base_chain(chain);
1059 const struct nf_hook_ops *ops = &basechain->ops;
1060 struct nlattr *nest;
1062 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1064 goto nla_put_failure;
1065 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1066 goto nla_put_failure;
1067 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1068 goto nla_put_failure;
1069 if (basechain->dev_name[0] &&
1070 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1071 goto nla_put_failure;
1072 nla_nest_end(skb, nest);
1074 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1075 htonl(basechain->policy)))
1076 goto nla_put_failure;
1078 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1079 goto nla_put_failure;
1081 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1082 goto nla_put_failure;
1085 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1086 goto nla_put_failure;
1088 nlmsg_end(skb, nlh);
1092 nlmsg_trim(skb, nlh);
1096 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1098 struct sk_buff *skb;
1102 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1105 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1109 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1110 event, 0, ctx->afi->family, ctx->table,
1117 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1118 ctx->report, GFP_KERNEL);
1121 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1124 static int nf_tables_dump_chains(struct sk_buff *skb,
1125 struct netlink_callback *cb)
1127 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1128 const struct nft_af_info *afi;
1129 const struct nft_table *table;
1130 const struct nft_chain *chain;
1131 unsigned int idx = 0, s_idx = cb->args[0];
1132 struct net *net = sock_net(skb->sk);
1133 int family = nfmsg->nfgen_family;
1136 cb->seq = net->nft.base_seq;
1138 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1139 if (family != NFPROTO_UNSPEC && family != afi->family)
1142 list_for_each_entry_rcu(table, &afi->tables, list) {
1143 list_for_each_entry_rcu(chain, &table->chains, list) {
1147 memset(&cb->args[1], 0,
1148 sizeof(cb->args) - sizeof(cb->args[0]));
1149 if (!nft_is_active(net, chain))
1151 if (nf_tables_fill_chain_info(skb, net,
1152 NETLINK_CB(cb->skb).portid,
1156 afi->family, table, chain) < 0)
1159 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1171 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1172 struct sk_buff *skb, const struct nlmsghdr *nlh,
1173 const struct nlattr * const nla[],
1174 struct netlink_ext_ack *extack)
1176 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1177 u8 genmask = nft_genmask_cur(net);
1178 const struct nft_af_info *afi;
1179 const struct nft_table *table;
1180 const struct nft_chain *chain;
1181 struct sk_buff *skb2;
1182 int family = nfmsg->nfgen_family;
1185 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1186 struct netlink_dump_control c = {
1187 .dump = nf_tables_dump_chains,
1189 return netlink_dump_start(nlsk, skb, nlh, &c);
1192 afi = nf_tables_afinfo_lookup(net, family, false);
1194 return PTR_ERR(afi);
1196 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1198 return PTR_ERR(table);
1200 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1202 return PTR_ERR(chain);
1204 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1208 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1209 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1210 family, table, chain);
1214 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1221 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1222 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1223 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1226 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1228 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1229 struct nft_stats __percpu *newstats;
1230 struct nft_stats *stats;
1233 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1236 return ERR_PTR(err);
1238 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1239 return ERR_PTR(-EINVAL);
1241 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1242 if (newstats == NULL)
1243 return ERR_PTR(-ENOMEM);
1245 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1246 * are not exposed to userspace.
1249 stats = this_cpu_ptr(newstats);
1250 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1251 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1257 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1258 struct nft_stats __percpu *newstats)
1260 struct nft_stats __percpu *oldstats;
1262 if (newstats == NULL)
1266 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1267 rcu_assign_pointer(chain->stats, newstats);
1269 free_percpu(oldstats);
1271 rcu_assign_pointer(chain->stats, newstats);
1274 static void nf_tables_chain_destroy(struct nft_chain *chain)
1276 BUG_ON(chain->use > 0);
1278 if (nft_is_base_chain(chain)) {
1279 struct nft_base_chain *basechain = nft_base_chain(chain);
1281 module_put(basechain->type->owner);
1282 free_percpu(basechain->stats);
1283 if (basechain->stats)
1284 static_branch_dec(&nft_counters_enabled);
1285 if (basechain->ops.dev != NULL)
1286 dev_put(basechain->ops.dev);
1295 struct nft_chain_hook {
1298 const struct nf_chain_type *type;
1299 struct net_device *dev;
1302 static int nft_chain_parse_hook(struct net *net,
1303 const struct nlattr * const nla[],
1304 struct nft_af_info *afi,
1305 struct nft_chain_hook *hook, bool create)
1307 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1308 const struct nf_chain_type *type;
1309 struct net_device *dev;
1312 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1313 nft_hook_policy, NULL);
1317 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1318 ha[NFTA_HOOK_PRIORITY] == NULL)
1321 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1322 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1324 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1325 if (nla[NFTA_CHAIN_TYPE]) {
1326 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1327 afi->family, create);
1329 return PTR_ERR(type);
1331 if (!(type->hook_mask & (1 << hook->num)))
1334 if (type->type == NFT_CHAIN_T_NAT &&
1335 hook->priority <= NF_IP_PRI_CONNTRACK)
1338 if (!try_module_get(type->owner))
1344 if (afi->family == NFPROTO_NETDEV) {
1345 char ifname[IFNAMSIZ];
1347 if (!ha[NFTA_HOOK_DEV]) {
1348 module_put(type->owner);
1352 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1353 dev = dev_get_by_name(net, ifname);
1355 module_put(type->owner);
1359 } else if (ha[NFTA_HOOK_DEV]) {
1360 module_put(type->owner);
1367 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1369 module_put(hook->type->owner);
1370 if (hook->dev != NULL)
1374 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1375 u8 policy, bool create)
1377 const struct nlattr * const *nla = ctx->nla;
1378 struct nft_table *table = ctx->table;
1379 struct nft_af_info *afi = ctx->afi;
1380 struct nft_base_chain *basechain;
1381 struct nft_stats __percpu *stats;
1382 struct net *net = ctx->net;
1383 struct nft_chain *chain;
1386 if (table->use == UINT_MAX)
1389 if (nla[NFTA_CHAIN_HOOK]) {
1390 struct nft_chain_hook hook;
1391 struct nf_hook_ops *ops;
1393 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1397 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1398 if (basechain == NULL) {
1399 nft_chain_release_hook(&hook);
1403 if (hook.dev != NULL)
1404 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1406 if (nla[NFTA_CHAIN_COUNTERS]) {
1407 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1408 if (IS_ERR(stats)) {
1409 nft_chain_release_hook(&hook);
1411 return PTR_ERR(stats);
1413 basechain->stats = stats;
1414 static_branch_inc(&nft_counters_enabled);
1417 basechain->type = hook.type;
1418 chain = &basechain->chain;
1420 ops = &basechain->ops;
1422 ops->hooknum = hook.num;
1423 ops->priority = hook.priority;
1425 ops->hook = hook.type->hooks[ops->hooknum];
1426 ops->dev = hook.dev;
1428 if (basechain->type->type == NFT_CHAIN_T_NAT)
1429 ops->nat_hook = true;
1431 chain->flags |= NFT_BASE_CHAIN;
1432 basechain->policy = policy;
1434 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1438 INIT_LIST_HEAD(&chain->rules);
1439 chain->handle = nf_tables_alloc_handle(table);
1440 chain->table = table;
1441 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1447 err = nf_tables_register_hook(net, table, chain);
1452 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1457 list_add_tail_rcu(&chain->list, &table->chains);
1461 nf_tables_unregister_hook(net, table, chain);
1463 nf_tables_chain_destroy(chain);
1468 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1471 const struct nlattr * const *nla = ctx->nla;
1472 struct nft_table *table = ctx->table;
1473 struct nft_chain *chain = ctx->chain;
1474 struct nft_base_chain *basechain;
1475 struct nft_stats *stats = NULL;
1476 struct nft_chain_hook hook;
1477 const struct nlattr *name;
1478 struct nf_hook_ops *ops;
1479 struct nft_trans *trans;
1482 if (nla[NFTA_CHAIN_HOOK]) {
1483 if (!nft_is_base_chain(chain))
1486 err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
1491 basechain = nft_base_chain(chain);
1492 if (basechain->type != hook.type) {
1493 nft_chain_release_hook(&hook);
1497 ops = &basechain->ops;
1498 if (ops->hooknum != hook.num ||
1499 ops->priority != hook.priority ||
1500 ops->dev != hook.dev) {
1501 nft_chain_release_hook(&hook);
1504 nft_chain_release_hook(&hook);
1507 if (nla[NFTA_CHAIN_HANDLE] &&
1508 nla[NFTA_CHAIN_NAME]) {
1509 struct nft_chain *chain2;
1511 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1513 if (!IS_ERR(chain2))
1517 if (nla[NFTA_CHAIN_COUNTERS]) {
1518 if (!nft_is_base_chain(chain))
1521 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1523 return PTR_ERR(stats);
1526 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1527 sizeof(struct nft_trans_chain));
1528 if (trans == NULL) {
1533 nft_trans_chain_stats(trans) = stats;
1534 nft_trans_chain_update(trans) = true;
1536 if (nla[NFTA_CHAIN_POLICY])
1537 nft_trans_chain_policy(trans) = policy;
1539 nft_trans_chain_policy(trans) = -1;
1541 name = nla[NFTA_CHAIN_NAME];
1542 if (nla[NFTA_CHAIN_HANDLE] && name) {
1543 nft_trans_chain_name(trans) =
1544 nla_strdup(name, GFP_KERNEL);
1545 if (!nft_trans_chain_name(trans)) {
1551 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1556 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1557 struct sk_buff *skb, const struct nlmsghdr *nlh,
1558 const struct nlattr * const nla[],
1559 struct netlink_ext_ack *extack)
1561 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1562 const struct nlattr * uninitialized_var(name);
1563 u8 genmask = nft_genmask_next(net);
1564 int family = nfmsg->nfgen_family;
1565 struct nft_af_info *afi;
1566 struct nft_table *table;
1567 struct nft_chain *chain;
1568 u8 policy = NF_ACCEPT;
1573 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1575 afi = nf_tables_afinfo_lookup(net, family, true);
1577 return PTR_ERR(afi);
1579 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1581 return PTR_ERR(table);
1584 name = nla[NFTA_CHAIN_NAME];
1586 if (nla[NFTA_CHAIN_HANDLE]) {
1587 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1588 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1590 return PTR_ERR(chain);
1592 chain = nf_tables_chain_lookup(table, name, genmask);
1593 if (IS_ERR(chain)) {
1594 if (PTR_ERR(chain) != -ENOENT)
1595 return PTR_ERR(chain);
1600 if (nla[NFTA_CHAIN_POLICY]) {
1601 if (chain != NULL &&
1602 !nft_is_base_chain(chain))
1605 if (chain == NULL &&
1606 nla[NFTA_CHAIN_HOOK] == NULL)
1609 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1619 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1621 if (chain != NULL) {
1622 if (nlh->nlmsg_flags & NLM_F_EXCL)
1624 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1627 return nf_tables_updchain(&ctx, genmask, policy, create);
1630 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1633 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1634 struct sk_buff *skb, const struct nlmsghdr *nlh,
1635 const struct nlattr * const nla[],
1636 struct netlink_ext_ack *extack)
1638 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1639 u8 genmask = nft_genmask_next(net);
1640 struct nft_af_info *afi;
1641 struct nft_table *table;
1642 struct nft_chain *chain;
1643 struct nft_rule *rule;
1644 int family = nfmsg->nfgen_family;
1649 afi = nf_tables_afinfo_lookup(net, family, false);
1651 return PTR_ERR(afi);
1653 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1655 return PTR_ERR(table);
1657 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1659 return PTR_ERR(chain);
1661 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1665 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1668 list_for_each_entry(rule, &chain->rules, list) {
1669 if (!nft_is_active_next(net, rule))
1673 err = nft_delrule(&ctx, rule);
1678 /* There are rules and elements that are still holding references to us,
1679 * we cannot do a recursive removal in this case.
1684 return nft_delchain(&ctx);
1692 * nft_register_expr - register nf_tables expr type
1695 * Registers the expr type for use with nf_tables. Returns zero on
1696 * success or a negative errno code otherwise.
1698 int nft_register_expr(struct nft_expr_type *type)
1700 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1701 if (type->family == NFPROTO_UNSPEC)
1702 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1704 list_add_rcu(&type->list, &nf_tables_expressions);
1705 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1708 EXPORT_SYMBOL_GPL(nft_register_expr);
1711 * nft_unregister_expr - unregister nf_tables expr type
1714 * Unregisters the expr typefor use with nf_tables.
1716 void nft_unregister_expr(struct nft_expr_type *type)
1718 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1719 list_del_rcu(&type->list);
1720 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1722 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1724 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1727 const struct nft_expr_type *type;
1729 list_for_each_entry(type, &nf_tables_expressions, list) {
1730 if (!nla_strcmp(nla, type->name) &&
1731 (!type->family || type->family == family))
1737 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1740 const struct nft_expr_type *type;
1743 return ERR_PTR(-EINVAL);
1745 type = __nft_expr_type_get(family, nla);
1746 if (type != NULL && try_module_get(type->owner))
1749 #ifdef CONFIG_MODULES
1751 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1752 request_module("nft-expr-%u-%.*s", family,
1753 nla_len(nla), (char *)nla_data(nla));
1754 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1755 if (__nft_expr_type_get(family, nla))
1756 return ERR_PTR(-EAGAIN);
1758 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1759 request_module("nft-expr-%.*s",
1760 nla_len(nla), (char *)nla_data(nla));
1761 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1762 if (__nft_expr_type_get(family, nla))
1763 return ERR_PTR(-EAGAIN);
1766 return ERR_PTR(-ENOENT);
1769 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1770 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1771 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1774 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1775 const struct nft_expr *expr)
1777 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1778 goto nla_put_failure;
1780 if (expr->ops->dump) {
1781 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1783 goto nla_put_failure;
1784 if (expr->ops->dump(skb, expr) < 0)
1785 goto nla_put_failure;
1786 nla_nest_end(skb, data);
1795 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1796 const struct nft_expr *expr)
1798 struct nlattr *nest;
1800 nest = nla_nest_start(skb, attr);
1802 goto nla_put_failure;
1803 if (nf_tables_fill_expr_info(skb, expr) < 0)
1804 goto nla_put_failure;
1805 nla_nest_end(skb, nest);
1812 struct nft_expr_info {
1813 const struct nft_expr_ops *ops;
1814 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1817 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1818 const struct nlattr *nla,
1819 struct nft_expr_info *info)
1821 const struct nft_expr_type *type;
1822 const struct nft_expr_ops *ops;
1823 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1826 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1830 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1832 return PTR_ERR(type);
1834 if (tb[NFTA_EXPR_DATA]) {
1835 err = nla_parse_nested(info->tb, type->maxattr,
1836 tb[NFTA_EXPR_DATA], type->policy, NULL);
1840 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1842 if (type->select_ops != NULL) {
1843 ops = type->select_ops(ctx,
1844 (const struct nlattr * const *)info->tb);
1856 module_put(type->owner);
1860 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1861 const struct nft_expr_info *info,
1862 struct nft_expr *expr)
1864 const struct nft_expr_ops *ops = info->ops;
1869 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1874 if (ops->validate) {
1875 const struct nft_data *data = NULL;
1877 err = ops->validate(ctx, expr, &data);
1886 ops->destroy(ctx, expr);
1892 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1893 struct nft_expr *expr)
1895 if (expr->ops->destroy)
1896 expr->ops->destroy(ctx, expr);
1897 module_put(expr->ops->type->owner);
1900 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1901 const struct nlattr *nla)
1903 struct nft_expr_info info;
1904 struct nft_expr *expr;
1907 err = nf_tables_expr_parse(ctx, nla, &info);
1912 expr = kzalloc(info.ops->size, GFP_KERNEL);
1916 err = nf_tables_newexpr(ctx, &info, expr);
1924 module_put(info.ops->type->owner);
1926 return ERR_PTR(err);
1929 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1931 nf_tables_expr_destroy(ctx, expr);
1939 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1942 struct nft_rule *rule;
1944 // FIXME: this sucks
1945 list_for_each_entry(rule, &chain->rules, list) {
1946 if (handle == rule->handle)
1950 return ERR_PTR(-ENOENT);
1953 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1954 const struct nlattr *nla)
1957 return ERR_PTR(-EINVAL);
1959 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1962 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1963 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1964 .len = NFT_TABLE_MAXNAMELEN - 1 },
1965 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1966 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1967 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1968 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1969 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1970 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1971 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1972 .len = NFT_USERDATA_MAXLEN },
1975 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1976 u32 portid, u32 seq, int event,
1977 u32 flags, int family,
1978 const struct nft_table *table,
1979 const struct nft_chain *chain,
1980 const struct nft_rule *rule)
1982 struct nlmsghdr *nlh;
1983 struct nfgenmsg *nfmsg;
1984 const struct nft_expr *expr, *next;
1985 struct nlattr *list;
1986 const struct nft_rule *prule;
1987 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1989 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1991 goto nla_put_failure;
1993 nfmsg = nlmsg_data(nlh);
1994 nfmsg->nfgen_family = family;
1995 nfmsg->version = NFNETLINK_V0;
1996 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1998 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1999 goto nla_put_failure;
2000 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2001 goto nla_put_failure;
2002 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2004 goto nla_put_failure;
2006 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2007 prule = list_prev_entry(rule, list);
2008 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2009 cpu_to_be64(prule->handle),
2011 goto nla_put_failure;
2014 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2016 goto nla_put_failure;
2017 nft_rule_for_each_expr(expr, next, rule) {
2018 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2019 goto nla_put_failure;
2021 nla_nest_end(skb, list);
2024 struct nft_userdata *udata = nft_userdata(rule);
2025 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2027 goto nla_put_failure;
2030 nlmsg_end(skb, nlh);
2034 nlmsg_trim(skb, nlh);
2038 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2039 const struct nft_rule *rule, int event)
2041 struct sk_buff *skb;
2045 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2048 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2052 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2053 event, 0, ctx->afi->family, ctx->table,
2060 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2061 ctx->report, GFP_KERNEL);
2064 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2067 struct nft_rule_dump_ctx {
2072 static int nf_tables_dump_rules(struct sk_buff *skb,
2073 struct netlink_callback *cb)
2075 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2076 const struct nft_rule_dump_ctx *ctx = cb->data;
2077 const struct nft_af_info *afi;
2078 const struct nft_table *table;
2079 const struct nft_chain *chain;
2080 const struct nft_rule *rule;
2081 unsigned int idx = 0, s_idx = cb->args[0];
2082 struct net *net = sock_net(skb->sk);
2083 int family = nfmsg->nfgen_family;
2086 cb->seq = net->nft.base_seq;
2088 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2089 if (family != NFPROTO_UNSPEC && family != afi->family)
2092 list_for_each_entry_rcu(table, &afi->tables, list) {
2093 if (ctx && ctx->table &&
2094 strcmp(ctx->table, table->name) != 0)
2097 list_for_each_entry_rcu(chain, &table->chains, list) {
2098 if (ctx && ctx->chain &&
2099 strcmp(ctx->chain, chain->name) != 0)
2102 list_for_each_entry_rcu(rule, &chain->rules, list) {
2103 if (!nft_is_active(net, rule))
2108 memset(&cb->args[1], 0,
2109 sizeof(cb->args) - sizeof(cb->args[0]));
2110 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2113 NLM_F_MULTI | NLM_F_APPEND,
2114 afi->family, table, chain, rule) < 0)
2117 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2131 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2133 struct nft_rule_dump_ctx *ctx = cb->data;
2143 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2144 struct sk_buff *skb, const struct nlmsghdr *nlh,
2145 const struct nlattr * const nla[],
2146 struct netlink_ext_ack *extack)
2148 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2149 u8 genmask = nft_genmask_cur(net);
2150 const struct nft_af_info *afi;
2151 const struct nft_table *table;
2152 const struct nft_chain *chain;
2153 const struct nft_rule *rule;
2154 struct sk_buff *skb2;
2155 int family = nfmsg->nfgen_family;
2158 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2159 struct netlink_dump_control c = {
2160 .dump = nf_tables_dump_rules,
2161 .done = nf_tables_dump_rules_done,
2164 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2165 struct nft_rule_dump_ctx *ctx;
2167 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2171 if (nla[NFTA_RULE_TABLE]) {
2172 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2179 if (nla[NFTA_RULE_CHAIN]) {
2180 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2191 return netlink_dump_start(nlsk, skb, nlh, &c);
2194 afi = nf_tables_afinfo_lookup(net, family, false);
2196 return PTR_ERR(afi);
2198 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2200 return PTR_ERR(table);
2202 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2204 return PTR_ERR(chain);
2206 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2208 return PTR_ERR(rule);
2210 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2214 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2215 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2216 family, table, chain, rule);
2220 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2227 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2228 struct nft_rule *rule)
2230 struct nft_expr *expr;
2233 * Careful: some expressions might not be initialized in case this
2234 * is called on error from nf_tables_newrule().
2236 expr = nft_expr_first(rule);
2237 while (expr != nft_expr_last(rule) && expr->ops) {
2238 nf_tables_expr_destroy(ctx, expr);
2239 expr = nft_expr_next(expr);
2244 #define NFT_RULE_MAXEXPRS 128
2246 static struct nft_expr_info *info;
2248 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2249 struct sk_buff *skb, const struct nlmsghdr *nlh,
2250 const struct nlattr * const nla[],
2251 struct netlink_ext_ack *extack)
2253 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2254 u8 genmask = nft_genmask_next(net);
2255 struct nft_af_info *afi;
2256 struct nft_table *table;
2257 struct nft_chain *chain;
2258 struct nft_rule *rule, *old_rule = NULL;
2259 struct nft_userdata *udata;
2260 struct nft_trans *trans = NULL;
2261 struct nft_expr *expr;
2264 unsigned int size, i, n, ulen = 0, usize = 0;
2267 u64 handle, pos_handle;
2269 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2271 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2273 return PTR_ERR(afi);
2275 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2277 return PTR_ERR(table);
2279 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2281 return PTR_ERR(chain);
2283 if (nla[NFTA_RULE_HANDLE]) {
2284 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2285 rule = __nf_tables_rule_lookup(chain, handle);
2287 return PTR_ERR(rule);
2289 if (nlh->nlmsg_flags & NLM_F_EXCL)
2291 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2296 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2298 handle = nf_tables_alloc_handle(table);
2300 if (chain->use == UINT_MAX)
2304 if (nla[NFTA_RULE_POSITION]) {
2305 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2308 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2309 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2310 if (IS_ERR(old_rule))
2311 return PTR_ERR(old_rule);
2314 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2318 if (nla[NFTA_RULE_EXPRESSIONS]) {
2319 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2321 if (nla_type(tmp) != NFTA_LIST_ELEM)
2323 if (n == NFT_RULE_MAXEXPRS)
2325 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2328 size += info[n].ops->size;
2332 /* Check for overflow of dlen field */
2334 if (size >= 1 << 12)
2337 if (nla[NFTA_RULE_USERDATA]) {
2338 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2340 usize = sizeof(struct nft_userdata) + ulen;
2344 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2348 nft_activate_next(net, rule);
2350 rule->handle = handle;
2352 rule->udata = ulen ? 1 : 0;
2355 udata = nft_userdata(rule);
2356 udata->len = ulen - 1;
2357 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2360 expr = nft_expr_first(rule);
2361 for (i = 0; i < n; i++) {
2362 err = nf_tables_newexpr(&ctx, &info[i], expr);
2366 expr = nft_expr_next(expr);
2369 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2370 if (nft_is_active_next(net, old_rule)) {
2371 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2373 if (trans == NULL) {
2377 nft_deactivate_next(net, old_rule);
2379 list_add_tail_rcu(&rule->list, &old_rule->list);
2384 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2386 list_add_rcu(&rule->list, &old_rule->list);
2388 list_add_tail_rcu(&rule->list, &chain->rules);
2391 list_add_tail_rcu(&rule->list, &old_rule->list);
2393 list_add_rcu(&rule->list, &chain->rules);
2396 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2404 list_del_rcu(&rule->list);
2406 nf_tables_rule_destroy(&ctx, rule);
2408 for (i = 0; i < n; i++) {
2409 if (info[i].ops != NULL)
2410 module_put(info[i].ops->type->owner);
2415 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2416 const struct nlattr *nla)
2418 u32 id = ntohl(nla_get_be32(nla));
2419 struct nft_trans *trans;
2421 list_for_each_entry(trans, &net->nft.commit_list, list) {
2422 struct nft_rule *rule = nft_trans_rule(trans);
2424 if (trans->msg_type == NFT_MSG_NEWRULE &&
2425 id == nft_trans_rule_id(trans))
2428 return ERR_PTR(-ENOENT);
2431 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2432 struct sk_buff *skb, const struct nlmsghdr *nlh,
2433 const struct nlattr * const nla[],
2434 struct netlink_ext_ack *extack)
2436 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2437 u8 genmask = nft_genmask_next(net);
2438 struct nft_af_info *afi;
2439 struct nft_table *table;
2440 struct nft_chain *chain = NULL;
2441 struct nft_rule *rule;
2442 int family = nfmsg->nfgen_family, err = 0;
2445 afi = nf_tables_afinfo_lookup(net, family, false);
2447 return PTR_ERR(afi);
2449 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2451 return PTR_ERR(table);
2453 if (nla[NFTA_RULE_CHAIN]) {
2454 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2457 return PTR_ERR(chain);
2460 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2463 if (nla[NFTA_RULE_HANDLE]) {
2464 rule = nf_tables_rule_lookup(chain,
2465 nla[NFTA_RULE_HANDLE]);
2467 return PTR_ERR(rule);
2469 err = nft_delrule(&ctx, rule);
2470 } else if (nla[NFTA_RULE_ID]) {
2471 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2473 return PTR_ERR(rule);
2475 err = nft_delrule(&ctx, rule);
2477 err = nft_delrule_by_chain(&ctx);
2480 list_for_each_entry(chain, &table->chains, list) {
2481 if (!nft_is_active_next(net, chain))
2485 err = nft_delrule_by_chain(&ctx);
2498 static LIST_HEAD(nf_tables_set_types);
2500 int nft_register_set(struct nft_set_type *type)
2502 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2503 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2504 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2507 EXPORT_SYMBOL_GPL(nft_register_set);
2509 void nft_unregister_set(struct nft_set_type *type)
2511 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2512 list_del_rcu(&type->list);
2513 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2515 EXPORT_SYMBOL_GPL(nft_unregister_set);
2517 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2518 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2520 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2522 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2526 * Select a set implementation based on the data characteristics and the
2527 * given policy. The total memory use might not be known if no size is
2528 * given, in that case the amount of memory per element is used.
2530 static const struct nft_set_ops *
2531 nft_select_set_ops(const struct nft_ctx *ctx,
2532 const struct nlattr * const nla[],
2533 const struct nft_set_desc *desc,
2534 enum nft_set_policies policy)
2536 const struct nft_set_ops *ops, *bops;
2537 struct nft_set_estimate est, best;
2538 const struct nft_set_type *type;
2541 #ifdef CONFIG_MODULES
2542 if (list_empty(&nf_tables_set_types)) {
2543 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2544 request_module("nft-set");
2545 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2546 if (!list_empty(&nf_tables_set_types))
2547 return ERR_PTR(-EAGAIN);
2550 if (nla[NFTA_SET_FLAGS] != NULL)
2551 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2558 list_for_each_entry(type, &nf_tables_set_types, list) {
2559 if (!type->select_ops)
2562 ops = type->select_ops(ctx, desc, flags);
2566 if (!nft_set_ops_candidate(ops, flags))
2568 if (!ops->estimate(desc, flags, &est))
2572 case NFT_SET_POL_PERFORMANCE:
2573 if (est.lookup < best.lookup)
2575 if (est.lookup == best.lookup &&
2576 est.space < best.space)
2579 case NFT_SET_POL_MEMORY:
2581 if (est.space < best.space)
2583 if (est.space == best.space &&
2584 est.lookup < best.lookup)
2586 } else if (est.size < best.size) {
2594 if (!try_module_get(type->owner))
2597 module_put(bops->type->owner);
2606 return ERR_PTR(-EOPNOTSUPP);
2609 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2610 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2611 .len = NFT_TABLE_MAXNAMELEN - 1 },
2612 [NFTA_SET_NAME] = { .type = NLA_STRING,
2613 .len = NFT_SET_MAXNAMELEN - 1 },
2614 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2615 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2616 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2617 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2618 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2619 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2620 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2621 [NFTA_SET_ID] = { .type = NLA_U32 },
2622 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2623 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2624 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2625 .len = NFT_USERDATA_MAXLEN },
2626 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2629 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2630 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2633 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2634 const struct sk_buff *skb,
2635 const struct nlmsghdr *nlh,
2636 const struct nlattr * const nla[],
2639 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2640 struct nft_af_info *afi = NULL;
2641 struct nft_table *table = NULL;
2643 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2644 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2646 return PTR_ERR(afi);
2649 if (nla[NFTA_SET_TABLE] != NULL) {
2651 return -EAFNOSUPPORT;
2653 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2656 return PTR_ERR(table);
2659 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2663 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2664 const struct nlattr *nla, u8 genmask)
2666 struct nft_set *set;
2669 return ERR_PTR(-EINVAL);
2671 list_for_each_entry(set, &table->sets, list) {
2672 if (!nla_strcmp(nla, set->name) &&
2673 nft_active_genmask(set, genmask))
2676 return ERR_PTR(-ENOENT);
2679 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2680 const struct nlattr *nla,
2683 struct nft_trans *trans;
2684 u32 id = ntohl(nla_get_be32(nla));
2686 list_for_each_entry(trans, &net->nft.commit_list, list) {
2687 struct nft_set *set = nft_trans_set(trans);
2689 if (trans->msg_type == NFT_MSG_NEWSET &&
2690 id == nft_trans_set_id(trans) &&
2691 nft_active_genmask(set, genmask))
2694 return ERR_PTR(-ENOENT);
2697 struct nft_set *nft_set_lookup(const struct net *net,
2698 const struct nft_table *table,
2699 const struct nlattr *nla_set_name,
2700 const struct nlattr *nla_set_id,
2703 struct nft_set *set;
2705 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2710 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2714 EXPORT_SYMBOL_GPL(nft_set_lookup);
2716 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2719 const struct nft_set *i;
2721 unsigned long *inuse;
2722 unsigned int n = 0, min = 0;
2724 p = strchr(name, '%');
2726 if (p[1] != 'd' || strchr(p + 2, '%'))
2729 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2733 list_for_each_entry(i, &ctx->table->sets, list) {
2736 if (!nft_is_active_next(ctx->net, set))
2738 if (!sscanf(i->name, name, &tmp))
2740 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2743 set_bit(tmp - min, inuse);
2746 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2747 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2748 min += BITS_PER_BYTE * PAGE_SIZE;
2749 memset(inuse, 0, PAGE_SIZE);
2752 free_page((unsigned long)inuse);
2755 set->name = kasprintf(GFP_KERNEL, name, min + n);
2759 list_for_each_entry(i, &ctx->table->sets, list) {
2760 if (!nft_is_active_next(ctx->net, i))
2762 if (!strcmp(set->name, i->name)) {
2770 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2771 const struct nft_set *set, u16 event, u16 flags)
2773 struct nfgenmsg *nfmsg;
2774 struct nlmsghdr *nlh;
2775 struct nlattr *desc;
2776 u32 portid = ctx->portid;
2779 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2780 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2783 goto nla_put_failure;
2785 nfmsg = nlmsg_data(nlh);
2786 nfmsg->nfgen_family = ctx->afi->family;
2787 nfmsg->version = NFNETLINK_V0;
2788 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2790 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2791 goto nla_put_failure;
2792 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2793 goto nla_put_failure;
2794 if (set->flags != 0)
2795 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2796 goto nla_put_failure;
2798 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2799 goto nla_put_failure;
2800 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2801 goto nla_put_failure;
2802 if (set->flags & NFT_SET_MAP) {
2803 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2804 goto nla_put_failure;
2805 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2806 goto nla_put_failure;
2808 if (set->flags & NFT_SET_OBJECT &&
2809 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2810 goto nla_put_failure;
2813 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2814 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2816 goto nla_put_failure;
2818 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2819 goto nla_put_failure;
2821 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2822 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2823 goto nla_put_failure;
2826 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2827 goto nla_put_failure;
2829 desc = nla_nest_start(skb, NFTA_SET_DESC);
2831 goto nla_put_failure;
2833 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2834 goto nla_put_failure;
2835 nla_nest_end(skb, desc);
2837 nlmsg_end(skb, nlh);
2841 nlmsg_trim(skb, nlh);
2845 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2846 const struct nft_set *set, int event,
2849 struct sk_buff *skb;
2850 u32 portid = ctx->portid;
2854 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2857 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2861 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2867 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2871 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2874 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2876 const struct nft_set *set;
2877 unsigned int idx, s_idx = cb->args[0];
2878 struct nft_af_info *afi;
2879 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2880 struct net *net = sock_net(skb->sk);
2881 int cur_family = cb->args[3];
2882 struct nft_ctx *ctx = cb->data, ctx_set;
2888 cb->seq = net->nft.base_seq;
2890 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2891 if (ctx->afi && ctx->afi != afi)
2895 if (afi->family != cur_family)
2900 list_for_each_entry_rcu(table, &afi->tables, list) {
2901 if (ctx->table && ctx->table != table)
2905 if (cur_table != table)
2911 list_for_each_entry_rcu(set, &table->sets, list) {
2914 if (!nft_is_active(net, set))
2918 ctx_set.table = table;
2920 if (nf_tables_fill_set(skb, &ctx_set, set,
2924 cb->args[2] = (unsigned long) table;
2925 cb->args[3] = afi->family;
2928 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2942 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2948 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2949 struct sk_buff *skb, const struct nlmsghdr *nlh,
2950 const struct nlattr * const nla[],
2951 struct netlink_ext_ack *extack)
2953 u8 genmask = nft_genmask_cur(net);
2954 const struct nft_set *set;
2956 struct sk_buff *skb2;
2957 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2960 /* Verify existence before starting dump */
2961 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2965 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2966 struct netlink_dump_control c = {
2967 .dump = nf_tables_dump_sets,
2968 .done = nf_tables_dump_sets_done,
2970 struct nft_ctx *ctx_dump;
2972 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2973 if (ctx_dump == NULL)
2979 return netlink_dump_start(nlsk, skb, nlh, &c);
2982 /* Only accept unspec with dump */
2983 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2984 return -EAFNOSUPPORT;
2985 if (!nla[NFTA_SET_TABLE])
2988 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2990 return PTR_ERR(set);
2992 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2996 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3000 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3007 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3008 struct nft_set_desc *desc,
3009 const struct nlattr *nla)
3011 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3014 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3015 nft_set_desc_policy, NULL);
3019 if (da[NFTA_SET_DESC_SIZE] != NULL)
3020 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3025 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3026 struct sk_buff *skb, const struct nlmsghdr *nlh,
3027 const struct nlattr * const nla[],
3028 struct netlink_ext_ack *extack)
3030 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3031 u8 genmask = nft_genmask_next(net);
3032 const struct nft_set_ops *ops;
3033 struct nft_af_info *afi;
3034 struct nft_table *table;
3035 struct nft_set *set;
3041 u32 ktype, dtype, flags, policy, gc_int, objtype;
3042 struct nft_set_desc desc;
3043 unsigned char *udata;
3047 if (nla[NFTA_SET_TABLE] == NULL ||
3048 nla[NFTA_SET_NAME] == NULL ||
3049 nla[NFTA_SET_KEY_LEN] == NULL ||
3050 nla[NFTA_SET_ID] == NULL)
3053 memset(&desc, 0, sizeof(desc));
3055 ktype = NFT_DATA_VALUE;
3056 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3057 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3058 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3062 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3063 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3067 if (nla[NFTA_SET_FLAGS] != NULL) {
3068 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3069 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3070 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3071 NFT_SET_MAP | NFT_SET_EVAL |
3074 /* Only one of these operations is supported */
3075 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3076 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3081 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3082 if (!(flags & NFT_SET_MAP))
3085 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3086 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3087 dtype != NFT_DATA_VERDICT)
3090 if (dtype != NFT_DATA_VERDICT) {
3091 if (nla[NFTA_SET_DATA_LEN] == NULL)
3093 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3094 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3097 desc.dlen = sizeof(struct nft_verdict);
3098 } else if (flags & NFT_SET_MAP)
3101 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3102 if (!(flags & NFT_SET_OBJECT))
3105 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3106 if (objtype == NFT_OBJECT_UNSPEC ||
3107 objtype > NFT_OBJECT_MAX)
3109 } else if (flags & NFT_SET_OBJECT)
3112 objtype = NFT_OBJECT_UNSPEC;
3115 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3116 if (!(flags & NFT_SET_TIMEOUT))
3118 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3119 nla[NFTA_SET_TIMEOUT])));
3122 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3123 if (!(flags & NFT_SET_TIMEOUT))
3125 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3128 policy = NFT_SET_POL_PERFORMANCE;
3129 if (nla[NFTA_SET_POLICY] != NULL)
3130 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3132 if (nla[NFTA_SET_DESC] != NULL) {
3133 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3138 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3140 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3142 return PTR_ERR(afi);
3144 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
3146 return PTR_ERR(table);
3148 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
3150 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3152 if (PTR_ERR(set) != -ENOENT)
3153 return PTR_ERR(set);
3155 if (nlh->nlmsg_flags & NLM_F_EXCL)
3157 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3162 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3165 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3167 return PTR_ERR(ops);
3170 if (nla[NFTA_SET_USERDATA])
3171 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3174 if (ops->privsize != NULL)
3175 size = ops->privsize(nla, &desc);
3177 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3183 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3189 err = nf_tables_set_alloc_name(&ctx, set, name);
3196 udata = set->data + size;
3197 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3200 INIT_LIST_HEAD(&set->bindings);
3203 set->klen = desc.klen;
3205 set->objtype = objtype;
3206 set->dlen = desc.dlen;
3208 set->size = desc.size;
3209 set->policy = policy;
3212 set->timeout = timeout;
3213 set->gc_int = gc_int;
3215 err = ops->init(set, &desc, nla);
3219 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3223 list_add_tail_rcu(&set->list, &table->sets);
3232 module_put(ops->type->owner);
3236 static void nft_set_destroy(struct nft_set *set)
3238 set->ops->destroy(set);
3239 module_put(set->ops->type->owner);
3244 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3246 list_del_rcu(&set->list);
3247 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3248 nft_set_destroy(set);
3251 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3252 struct sk_buff *skb, const struct nlmsghdr *nlh,
3253 const struct nlattr * const nla[],
3254 struct netlink_ext_ack *extack)
3256 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3257 u8 genmask = nft_genmask_next(net);
3258 struct nft_set *set;
3262 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3263 return -EAFNOSUPPORT;
3264 if (nla[NFTA_SET_TABLE] == NULL)
3267 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3271 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3273 return PTR_ERR(set);
3275 if (!list_empty(&set->bindings) ||
3276 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3279 return nft_delset(&ctx, set);
3282 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3283 struct nft_set *set,
3284 const struct nft_set_iter *iter,
3285 struct nft_set_elem *elem)
3287 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3288 enum nft_registers dreg;
3290 dreg = nft_type_to_reg(set->dtype);
3291 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3292 set->dtype == NFT_DATA_VERDICT ?
3293 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3297 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3298 struct nft_set_binding *binding)
3300 struct nft_set_binding *i;
3301 struct nft_set_iter iter;
3303 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3306 if (binding->flags & NFT_SET_MAP) {
3307 /* If the set is already bound to the same chain all
3308 * jumps are already validated for that chain.
3310 list_for_each_entry(i, &set->bindings, list) {
3311 if (i->flags & NFT_SET_MAP &&
3312 i->chain == binding->chain)
3316 iter.genmask = nft_genmask_next(ctx->net);
3320 iter.fn = nf_tables_bind_check_setelem;
3322 set->ops->walk(ctx, set, &iter);
3327 binding->chain = ctx->chain;
3328 list_add_tail_rcu(&binding->list, &set->bindings);
3331 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3333 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3334 struct nft_set_binding *binding)
3336 list_del_rcu(&binding->list);
3338 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3339 nft_is_active(ctx->net, set))
3340 nf_tables_set_destroy(ctx, set);
3342 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3344 const struct nft_set_ext_type nft_set_ext_types[] = {
3345 [NFT_SET_EXT_KEY] = {
3346 .align = __alignof__(u32),
3348 [NFT_SET_EXT_DATA] = {
3349 .align = __alignof__(u32),
3351 [NFT_SET_EXT_EXPR] = {
3352 .align = __alignof__(struct nft_expr),
3354 [NFT_SET_EXT_OBJREF] = {
3355 .len = sizeof(struct nft_object *),
3356 .align = __alignof__(struct nft_object *),
3358 [NFT_SET_EXT_FLAGS] = {
3360 .align = __alignof__(u8),
3362 [NFT_SET_EXT_TIMEOUT] = {
3364 .align = __alignof__(u64),
3366 [NFT_SET_EXT_EXPIRATION] = {
3367 .len = sizeof(unsigned long),
3368 .align = __alignof__(unsigned long),
3370 [NFT_SET_EXT_USERDATA] = {
3371 .len = sizeof(struct nft_userdata),
3372 .align = __alignof__(struct nft_userdata),
3375 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3381 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3382 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3383 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3384 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3385 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3386 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3387 .len = NFT_USERDATA_MAXLEN },
3390 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3391 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3392 .len = NFT_TABLE_MAXNAMELEN - 1 },
3393 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3394 .len = NFT_SET_MAXNAMELEN - 1 },
3395 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3396 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3399 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3400 const struct sk_buff *skb,
3401 const struct nlmsghdr *nlh,
3402 const struct nlattr * const nla[],
3405 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3406 struct nft_af_info *afi;
3407 struct nft_table *table;
3409 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3411 return PTR_ERR(afi);
3413 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3416 return PTR_ERR(table);
3418 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3422 static int nf_tables_fill_setelem(struct sk_buff *skb,
3423 const struct nft_set *set,
3424 const struct nft_set_elem *elem)
3426 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3427 unsigned char *b = skb_tail_pointer(skb);
3428 struct nlattr *nest;
3430 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3432 goto nla_put_failure;
3434 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3435 NFT_DATA_VALUE, set->klen) < 0)
3436 goto nla_put_failure;
3438 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3439 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3440 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3442 goto nla_put_failure;
3444 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3445 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3446 goto nla_put_failure;
3448 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3449 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3450 (*nft_set_ext_obj(ext))->name) < 0)
3451 goto nla_put_failure;
3453 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3454 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3455 htonl(*nft_set_ext_flags(ext))))
3456 goto nla_put_failure;
3458 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3459 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3460 cpu_to_be64(jiffies_to_msecs(
3461 *nft_set_ext_timeout(ext))),
3463 goto nla_put_failure;
3465 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3466 unsigned long expires, now = jiffies;
3468 expires = *nft_set_ext_expiration(ext);
3469 if (time_before(now, expires))
3474 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3475 cpu_to_be64(jiffies_to_msecs(expires)),
3477 goto nla_put_failure;
3480 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3481 struct nft_userdata *udata;
3483 udata = nft_set_ext_userdata(ext);
3484 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3485 udata->len + 1, udata->data))
3486 goto nla_put_failure;
3489 nla_nest_end(skb, nest);
3497 struct nft_set_dump_args {
3498 const struct netlink_callback *cb;
3499 struct nft_set_iter iter;
3500 struct sk_buff *skb;
3503 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3504 struct nft_set *set,
3505 const struct nft_set_iter *iter,
3506 struct nft_set_elem *elem)
3508 struct nft_set_dump_args *args;
3510 args = container_of(iter, struct nft_set_dump_args, iter);
3511 return nf_tables_fill_setelem(args->skb, set, elem);
3514 struct nft_set_dump_ctx {
3515 const struct nft_set *set;
3519 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3521 struct nft_set_dump_ctx *dump_ctx = cb->data;
3522 struct net *net = sock_net(skb->sk);
3523 struct nft_af_info *afi;
3524 struct nft_table *table;
3525 struct nft_set *set;
3526 struct nft_set_dump_args args;
3527 bool set_found = false;
3528 struct nfgenmsg *nfmsg;
3529 struct nlmsghdr *nlh;
3530 struct nlattr *nest;
3535 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
3536 if (afi != dump_ctx->ctx.afi)
3539 list_for_each_entry_rcu(table, &afi->tables, list) {
3540 if (table != dump_ctx->ctx.table)
3543 list_for_each_entry_rcu(set, &table->sets, list) {
3544 if (set == dump_ctx->set) {
3559 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3560 portid = NETLINK_CB(cb->skb).portid;
3561 seq = cb->nlh->nlmsg_seq;
3563 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3566 goto nla_put_failure;
3568 nfmsg = nlmsg_data(nlh);
3569 nfmsg->nfgen_family = afi->family;
3570 nfmsg->version = NFNETLINK_V0;
3571 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3573 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3574 goto nla_put_failure;
3575 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3576 goto nla_put_failure;
3578 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3580 goto nla_put_failure;
3584 args.iter.genmask = nft_genmask_cur(net);
3585 args.iter.skip = cb->args[0];
3586 args.iter.count = 0;
3588 args.iter.fn = nf_tables_dump_setelem;
3589 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3592 nla_nest_end(skb, nest);
3593 nlmsg_end(skb, nlh);
3595 if (args.iter.err && args.iter.err != -EMSGSIZE)
3596 return args.iter.err;
3597 if (args.iter.count == cb->args[0])
3600 cb->args[0] = args.iter.count;
3608 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3614 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3615 const struct nft_ctx *ctx, u32 seq,
3616 u32 portid, int event, u16 flags,
3617 const struct nft_set *set,
3618 const struct nft_set_elem *elem)
3620 struct nfgenmsg *nfmsg;
3621 struct nlmsghdr *nlh;
3622 struct nlattr *nest;
3625 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3626 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3629 goto nla_put_failure;
3631 nfmsg = nlmsg_data(nlh);
3632 nfmsg->nfgen_family = ctx->afi->family;
3633 nfmsg->version = NFNETLINK_V0;
3634 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3636 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3637 goto nla_put_failure;
3638 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3639 goto nla_put_failure;
3641 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3643 goto nla_put_failure;
3645 err = nf_tables_fill_setelem(skb, set, elem);
3647 goto nla_put_failure;
3649 nla_nest_end(skb, nest);
3651 nlmsg_end(skb, nlh);
3655 nlmsg_trim(skb, nlh);
3659 static int nft_setelem_parse_flags(const struct nft_set *set,
3660 const struct nlattr *attr, u32 *flags)
3665 *flags = ntohl(nla_get_be32(attr));
3666 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3668 if (!(set->flags & NFT_SET_INTERVAL) &&
3669 *flags & NFT_SET_ELEM_INTERVAL_END)
3675 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3676 const struct nlattr *attr)
3678 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3679 const struct nft_set_ext *ext;
3680 struct nft_data_desc desc;
3681 struct nft_set_elem elem;
3682 struct sk_buff *skb;
3687 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3688 nft_set_elem_policy, NULL);
3692 if (!nla[NFTA_SET_ELEM_KEY])
3695 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3699 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3700 nla[NFTA_SET_ELEM_KEY]);
3705 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3708 priv = set->ops->get(ctx->net, set, &elem, flags);
3710 return PTR_ERR(priv);
3713 ext = nft_set_elem_ext(set, &elem);
3716 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3720 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3721 NFT_MSG_NEWSETELEM, 0, set, &elem);
3725 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3726 /* This avoids a loop in nfnetlink. */
3734 /* this avoids a loop in nfnetlink. */
3735 return err == -EAGAIN ? -ENOBUFS : err;
3738 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3739 struct sk_buff *skb, const struct nlmsghdr *nlh,
3740 const struct nlattr * const nla[],
3741 struct netlink_ext_ack *extack)
3743 u8 genmask = nft_genmask_cur(net);
3744 struct nft_set *set;
3745 struct nlattr *attr;
3749 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3753 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3756 return PTR_ERR(set);
3758 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3759 struct netlink_dump_control c = {
3760 .dump = nf_tables_dump_set,
3761 .done = nf_tables_dump_set_done,
3763 struct nft_set_dump_ctx *dump_ctx;
3765 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3769 dump_ctx->set = set;
3770 dump_ctx->ctx = ctx;
3773 return netlink_dump_start(nlsk, skb, nlh, &c);
3776 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3779 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3780 err = nft_get_set_elem(&ctx, set, attr);
3788 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3789 const struct nft_set *set,
3790 const struct nft_set_elem *elem,
3791 int event, u16 flags)
3793 struct net *net = ctx->net;
3794 u32 portid = ctx->portid;
3795 struct sk_buff *skb;
3798 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3801 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3805 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3812 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3816 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3819 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3821 struct nft_set *set)
3823 struct nft_trans *trans;
3825 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3829 nft_trans_elem_set(trans) = set;
3833 void *nft_set_elem_init(const struct nft_set *set,
3834 const struct nft_set_ext_tmpl *tmpl,
3835 const u32 *key, const u32 *data,
3836 u64 timeout, gfp_t gfp)
3838 struct nft_set_ext *ext;
3841 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3845 ext = nft_set_elem_ext(set, elem);
3846 nft_set_ext_init(ext, tmpl);
3848 memcpy(nft_set_ext_key(ext), key, set->klen);
3849 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3850 memcpy(nft_set_ext_data(ext), data, set->dlen);
3851 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3852 *nft_set_ext_expiration(ext) =
3854 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3855 *nft_set_ext_timeout(ext) = timeout;
3860 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3863 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3865 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3866 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3867 nft_data_release(nft_set_ext_data(ext), set->dtype);
3868 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3869 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3870 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3871 (*nft_set_ext_obj(ext))->use--;
3874 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3876 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3877 * the refcounting from the preparation phase.
3879 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3881 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3883 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3884 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3888 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3889 const struct nlattr *attr, u32 nlmsg_flags)
3891 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3892 u8 genmask = nft_genmask_next(ctx->net);
3893 struct nft_data_desc d1, d2;
3894 struct nft_set_ext_tmpl tmpl;
3895 struct nft_set_ext *ext, *ext2;
3896 struct nft_set_elem elem;
3897 struct nft_set_binding *binding;
3898 struct nft_object *obj = NULL;
3899 struct nft_userdata *udata;
3900 struct nft_data data;
3901 enum nft_registers dreg;
3902 struct nft_trans *trans;
3908 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3909 nft_set_elem_policy, NULL);
3913 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3916 nft_set_ext_prepare(&tmpl);
3918 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3922 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3924 if (set->flags & NFT_SET_MAP) {
3925 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3926 !(flags & NFT_SET_ELEM_INTERVAL_END))
3928 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3929 flags & NFT_SET_ELEM_INTERVAL_END)
3932 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3937 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3938 if (!(set->flags & NFT_SET_TIMEOUT))
3940 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3941 nla[NFTA_SET_ELEM_TIMEOUT])));
3942 } else if (set->flags & NFT_SET_TIMEOUT) {
3943 timeout = set->timeout;
3946 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3947 nla[NFTA_SET_ELEM_KEY]);
3951 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3954 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3956 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3957 if (timeout != set->timeout)
3958 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3961 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3962 if (!(set->flags & NFT_SET_OBJECT)) {
3966 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3967 set->objtype, genmask);
3972 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3975 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3976 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3977 nla[NFTA_SET_ELEM_DATA]);
3982 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3985 dreg = nft_type_to_reg(set->dtype);
3986 list_for_each_entry(binding, &set->bindings, list) {
3987 struct nft_ctx bind_ctx = {
3990 .table = ctx->table,
3991 .chain = (struct nft_chain *)binding->chain,
3994 if (!(binding->flags & NFT_SET_MAP))
3997 err = nft_validate_register_store(&bind_ctx, dreg,
4004 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4007 /* The full maximum length of userdata can exceed the maximum
4008 * offset value (U8_MAX) for following extensions, therefor it
4009 * must be the last extension added.
4012 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4013 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4015 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4020 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4021 timeout, GFP_KERNEL);
4022 if (elem.priv == NULL)
4025 ext = nft_set_elem_ext(set, elem.priv);
4027 *nft_set_ext_flags(ext) = flags;
4029 udata = nft_set_ext_userdata(ext);
4030 udata->len = ulen - 1;
4031 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4034 *nft_set_ext_obj(ext) = obj;
4038 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4042 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4043 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4045 if (err == -EEXIST) {
4046 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4047 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4048 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4049 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
4051 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4052 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4053 memcmp(nft_set_ext_data(ext),
4054 nft_set_ext_data(ext2), set->dlen) != 0) ||
4055 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4056 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4057 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4059 else if (!(nlmsg_flags & NLM_F_EXCL))
4066 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4071 nft_trans_elem(trans) = elem;
4072 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4076 set->ops->remove(ctx->net, set, &elem);
4082 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4083 nft_data_release(&data, d2.type);
4085 nft_data_release(&elem.key.val, d1.type);
4090 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4091 struct sk_buff *skb, const struct nlmsghdr *nlh,
4092 const struct nlattr * const nla[],
4093 struct netlink_ext_ack *extack)
4095 u8 genmask = nft_genmask_next(net);
4096 const struct nlattr *attr;
4097 struct nft_set *set;
4101 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4104 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4108 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4111 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4112 set = nf_tables_set_lookup_byid(net,
4113 nla[NFTA_SET_ELEM_LIST_SET_ID],
4117 return PTR_ERR(set);
4120 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4123 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4124 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4132 * nft_data_hold - hold a nft_data item
4134 * @data: struct nft_data to release
4135 * @type: type of data
4137 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4138 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4139 * NFT_GOTO verdicts. This function must be called on active data objects
4140 * from the second phase of the commit protocol.
4142 static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4144 if (type == NFT_DATA_VERDICT) {
4145 switch (data->verdict.code) {
4148 data->verdict.chain->use++;
4154 static void nft_set_elem_activate(const struct net *net,
4155 const struct nft_set *set,
4156 struct nft_set_elem *elem)
4158 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4160 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4161 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4162 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4163 (*nft_set_ext_obj(ext))->use++;
4166 static void nft_set_elem_deactivate(const struct net *net,
4167 const struct nft_set *set,
4168 struct nft_set_elem *elem)
4170 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4172 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4173 nft_data_release(nft_set_ext_data(ext), set->dtype);
4174 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4175 (*nft_set_ext_obj(ext))->use--;
4178 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4179 const struct nlattr *attr)
4181 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4182 struct nft_set_ext_tmpl tmpl;
4183 struct nft_data_desc desc;
4184 struct nft_set_elem elem;
4185 struct nft_set_ext *ext;
4186 struct nft_trans *trans;
4191 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4192 nft_set_elem_policy, NULL);
4197 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4200 nft_set_ext_prepare(&tmpl);
4202 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4206 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4208 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4209 nla[NFTA_SET_ELEM_KEY]);
4214 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4217 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4220 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4222 if (elem.priv == NULL)
4225 ext = nft_set_elem_ext(set, elem.priv);
4227 *nft_set_ext_flags(ext) = flags;
4229 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4230 if (trans == NULL) {
4235 priv = set->ops->deactivate(ctx->net, set, &elem);
4243 nft_set_elem_deactivate(ctx->net, set, &elem);
4245 nft_trans_elem(trans) = elem;
4246 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4254 nft_data_release(&elem.key.val, desc.type);
4259 static int nft_flush_set(const struct nft_ctx *ctx,
4260 struct nft_set *set,
4261 const struct nft_set_iter *iter,
4262 struct nft_set_elem *elem)
4264 struct nft_trans *trans;
4267 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4268 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4272 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4278 nft_trans_elem_set(trans) = set;
4279 nft_trans_elem(trans) = *elem;
4280 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4288 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4289 struct sk_buff *skb, const struct nlmsghdr *nlh,
4290 const struct nlattr * const nla[],
4291 struct netlink_ext_ack *extack)
4293 u8 genmask = nft_genmask_next(net);
4294 const struct nlattr *attr;
4295 struct nft_set *set;
4299 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4303 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4306 return PTR_ERR(set);
4307 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4310 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4311 struct nft_set_iter iter = {
4313 .fn = nft_flush_set,
4315 set->ops->walk(&ctx, set, &iter);
4320 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4321 err = nft_del_setelem(&ctx, set, attr);
4330 void nft_set_gc_batch_release(struct rcu_head *rcu)
4332 struct nft_set_gc_batch *gcb;
4335 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4336 for (i = 0; i < gcb->head.cnt; i++)
4337 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4340 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4342 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4345 struct nft_set_gc_batch *gcb;
4347 gcb = kzalloc(sizeof(*gcb), gfp);
4350 gcb->head.set = set;
4353 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4360 * nft_register_obj- register nf_tables stateful object type
4363 * Registers the object type for use with nf_tables. Returns zero on
4364 * success or a negative errno code otherwise.
4366 int nft_register_obj(struct nft_object_type *obj_type)
4368 if (obj_type->type == NFT_OBJECT_UNSPEC)
4371 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4372 list_add_rcu(&obj_type->list, &nf_tables_objects);
4373 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4376 EXPORT_SYMBOL_GPL(nft_register_obj);
4379 * nft_unregister_obj - unregister nf_tables object type
4382 * Unregisters the object type for use with nf_tables.
4384 void nft_unregister_obj(struct nft_object_type *obj_type)
4386 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4387 list_del_rcu(&obj_type->list);
4388 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4390 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4392 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4393 const struct nlattr *nla,
4394 u32 objtype, u8 genmask)
4396 struct nft_object *obj;
4398 list_for_each_entry(obj, &table->objects, list) {
4399 if (!nla_strcmp(nla, obj->name) &&
4400 objtype == obj->ops->type->type &&
4401 nft_active_genmask(obj, genmask))
4404 return ERR_PTR(-ENOENT);
4406 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4408 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4409 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4410 .len = NFT_TABLE_MAXNAMELEN - 1 },
4411 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4412 .len = NFT_OBJ_MAXNAMELEN - 1 },
4413 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4414 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4417 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4418 const struct nft_object_type *type,
4419 const struct nlattr *attr)
4421 struct nlattr *tb[type->maxattr + 1];
4422 const struct nft_object_ops *ops;
4423 struct nft_object *obj;
4427 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4432 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4435 if (type->select_ops) {
4436 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4446 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4450 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4460 return ERR_PTR(err);
4463 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4464 struct nft_object *obj, bool reset)
4466 struct nlattr *nest;
4468 nest = nla_nest_start(skb, attr);
4470 goto nla_put_failure;
4471 if (obj->ops->dump(skb, obj, reset) < 0)
4472 goto nla_put_failure;
4473 nla_nest_end(skb, nest);
4480 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4482 const struct nft_object_type *type;
4484 list_for_each_entry(type, &nf_tables_objects, list) {
4485 if (objtype == type->type)
4491 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4493 const struct nft_object_type *type;
4495 type = __nft_obj_type_get(objtype);
4496 if (type != NULL && try_module_get(type->owner))
4499 #ifdef CONFIG_MODULES
4501 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4502 request_module("nft-obj-%u", objtype);
4503 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4504 if (__nft_obj_type_get(objtype))
4505 return ERR_PTR(-EAGAIN);
4508 return ERR_PTR(-ENOENT);
4511 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4512 struct sk_buff *skb, const struct nlmsghdr *nlh,
4513 const struct nlattr * const nla[],
4514 struct netlink_ext_ack *extack)
4516 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4517 const struct nft_object_type *type;
4518 u8 genmask = nft_genmask_next(net);
4519 int family = nfmsg->nfgen_family;
4520 struct nft_af_info *afi;
4521 struct nft_table *table;
4522 struct nft_object *obj;
4527 if (!nla[NFTA_OBJ_TYPE] ||
4528 !nla[NFTA_OBJ_NAME] ||
4529 !nla[NFTA_OBJ_DATA])
4532 afi = nf_tables_afinfo_lookup(net, family, true);
4534 return PTR_ERR(afi);
4536 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4538 return PTR_ERR(table);
4540 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4541 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4548 if (nlh->nlmsg_flags & NLM_F_EXCL)
4554 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4556 type = nft_obj_type_get(objtype);
4558 return PTR_ERR(type);
4560 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4566 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4572 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4576 list_add_tail_rcu(&obj->list, &table->objects);
4582 if (obj->ops->destroy)
4583 obj->ops->destroy(obj);
4586 module_put(type->owner);
4590 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4591 u32 portid, u32 seq, int event, u32 flags,
4592 int family, const struct nft_table *table,
4593 struct nft_object *obj, bool reset)
4595 struct nfgenmsg *nfmsg;
4596 struct nlmsghdr *nlh;
4598 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4599 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4601 goto nla_put_failure;
4603 nfmsg = nlmsg_data(nlh);
4604 nfmsg->nfgen_family = family;
4605 nfmsg->version = NFNETLINK_V0;
4606 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4608 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4609 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4610 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4611 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4612 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4613 goto nla_put_failure;
4615 nlmsg_end(skb, nlh);
4619 nlmsg_trim(skb, nlh);
4623 struct nft_obj_filter {
4628 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4630 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4631 const struct nft_af_info *afi;
4632 const struct nft_table *table;
4633 unsigned int idx = 0, s_idx = cb->args[0];
4634 struct nft_obj_filter *filter = cb->data;
4635 struct net *net = sock_net(skb->sk);
4636 int family = nfmsg->nfgen_family;
4637 struct nft_object *obj;
4640 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4644 cb->seq = net->nft.base_seq;
4646 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4647 if (family != NFPROTO_UNSPEC && family != afi->family)
4650 list_for_each_entry_rcu(table, &afi->tables, list) {
4651 list_for_each_entry_rcu(obj, &table->objects, list) {
4652 if (!nft_is_active(net, obj))
4657 memset(&cb->args[1], 0,
4658 sizeof(cb->args) - sizeof(cb->args[0]));
4659 if (filter && filter->table[0] &&
4660 strcmp(filter->table, table->name))
4663 filter->type != NFT_OBJECT_UNSPEC &&
4664 obj->ops->type->type != filter->type)
4667 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4670 NLM_F_MULTI | NLM_F_APPEND,
4671 afi->family, table, obj, reset) < 0)
4674 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4687 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4689 struct nft_obj_filter *filter = cb->data;
4692 kfree(filter->table);
4699 static struct nft_obj_filter *
4700 nft_obj_filter_alloc(const struct nlattr * const nla[])
4702 struct nft_obj_filter *filter;
4704 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4706 return ERR_PTR(-ENOMEM);
4708 if (nla[NFTA_OBJ_TABLE]) {
4709 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4710 if (!filter->table) {
4712 return ERR_PTR(-ENOMEM);
4715 if (nla[NFTA_OBJ_TYPE])
4716 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4721 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4722 struct sk_buff *skb, const struct nlmsghdr *nlh,
4723 const struct nlattr * const nla[],
4724 struct netlink_ext_ack *extack)
4726 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4727 u8 genmask = nft_genmask_cur(net);
4728 int family = nfmsg->nfgen_family;
4729 const struct nft_af_info *afi;
4730 const struct nft_table *table;
4731 struct nft_object *obj;
4732 struct sk_buff *skb2;
4737 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4738 struct netlink_dump_control c = {
4739 .dump = nf_tables_dump_obj,
4740 .done = nf_tables_dump_obj_done,
4743 if (nla[NFTA_OBJ_TABLE] ||
4744 nla[NFTA_OBJ_TYPE]) {
4745 struct nft_obj_filter *filter;
4747 filter = nft_obj_filter_alloc(nla);
4753 return netlink_dump_start(nlsk, skb, nlh, &c);
4756 if (!nla[NFTA_OBJ_NAME] ||
4757 !nla[NFTA_OBJ_TYPE])
4760 afi = nf_tables_afinfo_lookup(net, family, false);
4762 return PTR_ERR(afi);
4764 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4766 return PTR_ERR(table);
4768 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4769 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4771 return PTR_ERR(obj);
4773 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4777 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4780 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4781 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4782 family, table, obj, reset);
4786 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4792 static void nft_obj_destroy(struct nft_object *obj)
4794 if (obj->ops->destroy)
4795 obj->ops->destroy(obj);
4797 module_put(obj->ops->type->owner);
4802 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4803 struct sk_buff *skb, const struct nlmsghdr *nlh,
4804 const struct nlattr * const nla[],
4805 struct netlink_ext_ack *extack)
4807 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4808 u8 genmask = nft_genmask_next(net);
4809 int family = nfmsg->nfgen_family;
4810 struct nft_af_info *afi;
4811 struct nft_table *table;
4812 struct nft_object *obj;
4816 if (!nla[NFTA_OBJ_TYPE] ||
4817 !nla[NFTA_OBJ_NAME])
4820 afi = nf_tables_afinfo_lookup(net, family, true);
4822 return PTR_ERR(afi);
4824 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4826 return PTR_ERR(table);
4828 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4829 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4831 return PTR_ERR(obj);
4835 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4837 return nft_delobj(&ctx, obj);
4840 void nft_obj_notify(struct net *net, struct nft_table *table,
4841 struct nft_object *obj, u32 portid, u32 seq, int event,
4842 int family, int report, gfp_t gfp)
4844 struct sk_buff *skb;
4848 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4851 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4855 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4862 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4865 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4867 EXPORT_SYMBOL_GPL(nft_obj_notify);
4869 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4870 struct nft_object *obj, int event)
4872 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4873 ctx->afi->family, ctx->report, GFP_KERNEL);
4879 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4881 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4882 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4883 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4885 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4887 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4889 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4890 list_del_rcu(&type->list);
4891 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4893 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4895 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4896 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4897 .len = NFT_NAME_MAXLEN - 1 },
4898 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4899 .len = NFT_NAME_MAXLEN - 1 },
4900 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4903 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
4904 const struct nlattr *nla,
4907 struct nft_flowtable *flowtable;
4909 list_for_each_entry(flowtable, &table->flowtables, list) {
4910 if (!nla_strcmp(nla, flowtable->name) &&
4911 nft_active_genmask(flowtable, genmask))
4914 return ERR_PTR(-ENOENT);
4916 EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
4918 #define NFT_FLOWTABLE_DEVICE_MAX 8
4920 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4921 const struct nlattr *attr,
4922 struct net_device *dev_array[], int *len)
4924 const struct nlattr *tmp;
4925 struct net_device *dev;
4926 char ifname[IFNAMSIZ];
4927 int rem, n = 0, err;
4929 nla_for_each_nested(tmp, attr, rem) {
4930 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
4935 nla_strlcpy(ifname, tmp, IFNAMSIZ);
4936 dev = dev_get_by_name(ctx->net, ifname);
4942 dev_array[n++] = dev;
4943 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
4957 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
4958 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
4959 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
4960 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
4963 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
4964 const struct nlattr *attr,
4965 struct nft_flowtable *flowtable)
4967 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
4968 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
4969 struct nf_hook_ops *ops;
4970 int hooknum, priority;
4973 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
4974 nft_flowtable_hook_policy, NULL);
4978 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
4979 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
4980 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
4983 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
4984 if (hooknum != NF_NETDEV_INGRESS)
4987 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
4989 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
4994 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
5000 flowtable->ops = ops;
5001 flowtable->ops_len = n;
5003 for (i = 0; i < n; i++) {
5004 flowtable->ops[i].pf = NFPROTO_NETDEV;
5005 flowtable->ops[i].hooknum = hooknum;
5006 flowtable->ops[i].priority = priority;
5007 flowtable->ops[i].priv = &flowtable->data.rhashtable;
5008 flowtable->ops[i].hook = flowtable->data.type->hook;
5009 flowtable->ops[i].dev = dev_array[i];
5014 for (i = 0; i < n; i++)
5015 dev_put(dev_array[i]);
5020 static const struct nf_flowtable_type *
5021 __nft_flowtable_type_get(const struct nft_af_info *afi)
5023 const struct nf_flowtable_type *type;
5025 list_for_each_entry(type, &nf_tables_flowtables, list) {
5026 if (afi->family == type->family)
5032 static const struct nf_flowtable_type *
5033 nft_flowtable_type_get(const struct nft_af_info *afi)
5035 const struct nf_flowtable_type *type;
5037 type = __nft_flowtable_type_get(afi);
5038 if (type != NULL && try_module_get(type->owner))
5041 #ifdef CONFIG_MODULES
5043 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5044 request_module("nf-flowtable-%u", afi->family);
5045 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5046 if (__nft_flowtable_type_get(afi))
5047 return ERR_PTR(-EAGAIN);
5050 return ERR_PTR(-ENOENT);
5053 void nft_flow_table_iterate(struct net *net,
5054 void (*iter)(struct nf_flowtable *flowtable, void *data),
5057 struct nft_flowtable *flowtable;
5058 const struct nft_af_info *afi;
5059 const struct nft_table *table;
5062 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
5063 list_for_each_entry_rcu(table, &afi->tables, list) {
5064 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5065 iter(&flowtable->data, data);
5071 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
5073 static void nft_unregister_flowtable_net_hooks(struct net *net,
5074 struct nft_flowtable *flowtable)
5078 for (i = 0; i < flowtable->ops_len; i++) {
5079 if (!flowtable->ops[i].dev)
5082 nf_unregister_net_hook(net, &flowtable->ops[i]);
5086 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5087 struct sk_buff *skb,
5088 const struct nlmsghdr *nlh,
5089 const struct nlattr * const nla[],
5090 struct netlink_ext_ack *extack)
5092 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5093 const struct nf_flowtable_type *type;
5094 u8 genmask = nft_genmask_next(net);
5095 int family = nfmsg->nfgen_family;
5096 struct nft_flowtable *flowtable;
5097 struct nft_af_info *afi;
5098 struct nft_table *table;
5102 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5103 !nla[NFTA_FLOWTABLE_NAME] ||
5104 !nla[NFTA_FLOWTABLE_HOOK])
5107 afi = nf_tables_afinfo_lookup(net, family, true);
5109 return PTR_ERR(afi);
5111 table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
5113 return PTR_ERR(table);
5115 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5117 if (IS_ERR(flowtable)) {
5118 err = PTR_ERR(flowtable);
5122 if (nlh->nlmsg_flags & NLM_F_EXCL)
5128 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
5130 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5134 flowtable->table = table;
5135 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5136 if (!flowtable->name) {
5141 type = nft_flowtable_type_get(afi);
5143 err = PTR_ERR(type);
5147 flowtable->data.type = type;
5148 err = rhashtable_init(&flowtable->data.rhashtable, type->params);
5152 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5157 for (i = 0; i < flowtable->ops_len; i++) {
5158 err = nf_register_net_hook(net, &flowtable->ops[i]);
5163 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5167 INIT_DEFERRABLE_WORK(&flowtable->data.gc_work, type->gc);
5168 queue_delayed_work(system_power_efficient_wq,
5169 &flowtable->data.gc_work, HZ);
5171 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5176 i = flowtable->ops_len;
5178 for (k = i - 1; k >= 0; k--)
5179 nf_unregister_net_hook(net, &flowtable->ops[i]);
5181 kfree(flowtable->ops);
5183 module_put(type->owner);
5185 kfree(flowtable->name);
5191 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5192 struct sk_buff *skb,
5193 const struct nlmsghdr *nlh,
5194 const struct nlattr * const nla[],
5195 struct netlink_ext_ack *extack)
5197 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5198 u8 genmask = nft_genmask_next(net);
5199 int family = nfmsg->nfgen_family;
5200 struct nft_flowtable *flowtable;
5201 struct nft_af_info *afi;
5202 struct nft_table *table;
5205 afi = nf_tables_afinfo_lookup(net, family, true);
5207 return PTR_ERR(afi);
5209 table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
5211 return PTR_ERR(table);
5213 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5215 if (IS_ERR(flowtable))
5216 return PTR_ERR(flowtable);
5217 if (flowtable->use > 0)
5220 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
5222 return nft_delflowtable(&ctx, flowtable);
5225 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5226 u32 portid, u32 seq, int event,
5227 u32 flags, int family,
5228 struct nft_flowtable *flowtable)
5230 struct nlattr *nest, *nest_devs;
5231 struct nfgenmsg *nfmsg;
5232 struct nlmsghdr *nlh;
5235 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5236 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5238 goto nla_put_failure;
5240 nfmsg = nlmsg_data(nlh);
5241 nfmsg->nfgen_family = family;
5242 nfmsg->version = NFNETLINK_V0;
5243 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5245 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5246 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5247 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)))
5248 goto nla_put_failure;
5250 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5251 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5252 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5253 goto nla_put_failure;
5255 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5257 goto nla_put_failure;
5259 for (i = 0; i < flowtable->ops_len; i++) {
5260 if (flowtable->ops[i].dev &&
5261 nla_put_string(skb, NFTA_DEVICE_NAME,
5262 flowtable->ops[i].dev->name))
5263 goto nla_put_failure;
5265 nla_nest_end(skb, nest_devs);
5266 nla_nest_end(skb, nest);
5268 nlmsg_end(skb, nlh);
5272 nlmsg_trim(skb, nlh);
5276 struct nft_flowtable_filter {
5280 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5281 struct netlink_callback *cb)
5283 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5284 struct nft_flowtable_filter *filter = cb->data;
5285 unsigned int idx = 0, s_idx = cb->args[0];
5286 struct net *net = sock_net(skb->sk);
5287 int family = nfmsg->nfgen_family;
5288 struct nft_flowtable *flowtable;
5289 const struct nft_af_info *afi;
5290 const struct nft_table *table;
5293 cb->seq = net->nft.base_seq;
5295 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
5296 if (family != NFPROTO_UNSPEC && family != afi->family)
5299 list_for_each_entry_rcu(table, &afi->tables, list) {
5300 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5301 if (!nft_is_active(net, flowtable))
5306 memset(&cb->args[1], 0,
5307 sizeof(cb->args) - sizeof(cb->args[0]));
5308 if (filter && filter->table[0] &&
5309 strcmp(filter->table, table->name))
5312 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5314 NFT_MSG_NEWFLOWTABLE,
5315 NLM_F_MULTI | NLM_F_APPEND,
5316 afi->family, flowtable) < 0)
5319 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5332 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5334 struct nft_flowtable_filter *filter = cb->data;
5339 kfree(filter->table);
5345 static struct nft_flowtable_filter *
5346 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5348 struct nft_flowtable_filter *filter;
5350 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5352 return ERR_PTR(-ENOMEM);
5354 if (nla[NFTA_FLOWTABLE_TABLE]) {
5355 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5357 if (!filter->table) {
5359 return ERR_PTR(-ENOMEM);
5365 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5366 struct sk_buff *skb,
5367 const struct nlmsghdr *nlh,
5368 const struct nlattr * const nla[],
5369 struct netlink_ext_ack *extack)
5371 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5372 u8 genmask = nft_genmask_cur(net);
5373 int family = nfmsg->nfgen_family;
5374 struct nft_flowtable *flowtable;
5375 const struct nft_af_info *afi;
5376 const struct nft_table *table;
5377 struct sk_buff *skb2;
5380 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5381 struct netlink_dump_control c = {
5382 .dump = nf_tables_dump_flowtable,
5383 .done = nf_tables_dump_flowtable_done,
5386 if (nla[NFTA_FLOWTABLE_TABLE]) {
5387 struct nft_flowtable_filter *filter;
5389 filter = nft_flowtable_filter_alloc(nla);
5395 return netlink_dump_start(nlsk, skb, nlh, &c);
5398 if (!nla[NFTA_FLOWTABLE_NAME])
5401 afi = nf_tables_afinfo_lookup(net, family, false);
5403 return PTR_ERR(afi);
5405 table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
5407 return PTR_ERR(table);
5409 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5412 return PTR_ERR(flowtable);
5414 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5418 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5420 NFT_MSG_NEWFLOWTABLE, 0, family,
5425 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5431 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5432 struct nft_flowtable *flowtable,
5435 struct sk_buff *skb;
5439 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5442 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5446 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5448 ctx->afi->family, flowtable);
5454 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5455 ctx->report, GFP_KERNEL);
5458 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5461 static void nft_flowtable_destroy(void *ptr, void *arg)
5466 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5468 cancel_delayed_work_sync(&flowtable->data.gc_work);
5469 kfree(flowtable->name);
5470 rhashtable_free_and_destroy(&flowtable->data.rhashtable,
5471 nft_flowtable_destroy, NULL);
5472 module_put(flowtable->data.type->owner);
5475 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5476 u32 portid, u32 seq)
5478 struct nlmsghdr *nlh;
5479 struct nfgenmsg *nfmsg;
5480 char buf[TASK_COMM_LEN];
5481 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5483 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5485 goto nla_put_failure;
5487 nfmsg = nlmsg_data(nlh);
5488 nfmsg->nfgen_family = AF_UNSPEC;
5489 nfmsg->version = NFNETLINK_V0;
5490 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5492 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5493 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5494 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5495 goto nla_put_failure;
5497 nlmsg_end(skb, nlh);
5501 nlmsg_trim(skb, nlh);
5505 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5506 struct nft_flowtable *flowtable)
5510 for (i = 0; i < flowtable->ops_len; i++) {
5511 if (flowtable->ops[i].dev != dev)
5514 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5515 flowtable->ops[i].dev = NULL;
5520 static int nf_tables_flowtable_event(struct notifier_block *this,
5521 unsigned long event, void *ptr)
5523 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5524 struct nft_flowtable *flowtable;
5525 struct nft_table *table;
5526 struct nft_af_info *afi;
5528 if (event != NETDEV_UNREGISTER)
5531 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5532 list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
5533 list_for_each_entry(table, &afi->tables, list) {
5534 list_for_each_entry(flowtable, &table->flowtables, list) {
5535 nft_flowtable_event(event, dev, flowtable);
5539 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5544 static struct notifier_block nf_tables_flowtable_notifier = {
5545 .notifier_call = nf_tables_flowtable_event,
5548 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5551 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5552 struct sk_buff *skb2;
5555 if (nlmsg_report(nlh) &&
5556 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5559 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5563 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5570 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5571 nlmsg_report(nlh), GFP_KERNEL);
5574 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5578 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5579 struct sk_buff *skb, const struct nlmsghdr *nlh,
5580 const struct nlattr * const nla[],
5581 struct netlink_ext_ack *extack)
5583 struct sk_buff *skb2;
5586 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5590 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5595 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5601 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5602 [NFT_MSG_NEWTABLE] = {
5603 .call_batch = nf_tables_newtable,
5604 .attr_count = NFTA_TABLE_MAX,
5605 .policy = nft_table_policy,
5607 [NFT_MSG_GETTABLE] = {
5608 .call = nf_tables_gettable,
5609 .attr_count = NFTA_TABLE_MAX,
5610 .policy = nft_table_policy,
5612 [NFT_MSG_DELTABLE] = {
5613 .call_batch = nf_tables_deltable,
5614 .attr_count = NFTA_TABLE_MAX,
5615 .policy = nft_table_policy,
5617 [NFT_MSG_NEWCHAIN] = {
5618 .call_batch = nf_tables_newchain,
5619 .attr_count = NFTA_CHAIN_MAX,
5620 .policy = nft_chain_policy,
5622 [NFT_MSG_GETCHAIN] = {
5623 .call = nf_tables_getchain,
5624 .attr_count = NFTA_CHAIN_MAX,
5625 .policy = nft_chain_policy,
5627 [NFT_MSG_DELCHAIN] = {
5628 .call_batch = nf_tables_delchain,
5629 .attr_count = NFTA_CHAIN_MAX,
5630 .policy = nft_chain_policy,
5632 [NFT_MSG_NEWRULE] = {
5633 .call_batch = nf_tables_newrule,
5634 .attr_count = NFTA_RULE_MAX,
5635 .policy = nft_rule_policy,
5637 [NFT_MSG_GETRULE] = {
5638 .call = nf_tables_getrule,
5639 .attr_count = NFTA_RULE_MAX,
5640 .policy = nft_rule_policy,
5642 [NFT_MSG_DELRULE] = {
5643 .call_batch = nf_tables_delrule,
5644 .attr_count = NFTA_RULE_MAX,
5645 .policy = nft_rule_policy,
5647 [NFT_MSG_NEWSET] = {
5648 .call_batch = nf_tables_newset,
5649 .attr_count = NFTA_SET_MAX,
5650 .policy = nft_set_policy,
5652 [NFT_MSG_GETSET] = {
5653 .call = nf_tables_getset,
5654 .attr_count = NFTA_SET_MAX,
5655 .policy = nft_set_policy,
5657 [NFT_MSG_DELSET] = {
5658 .call_batch = nf_tables_delset,
5659 .attr_count = NFTA_SET_MAX,
5660 .policy = nft_set_policy,
5662 [NFT_MSG_NEWSETELEM] = {
5663 .call_batch = nf_tables_newsetelem,
5664 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5665 .policy = nft_set_elem_list_policy,
5667 [NFT_MSG_GETSETELEM] = {
5668 .call = nf_tables_getsetelem,
5669 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5670 .policy = nft_set_elem_list_policy,
5672 [NFT_MSG_DELSETELEM] = {
5673 .call_batch = nf_tables_delsetelem,
5674 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5675 .policy = nft_set_elem_list_policy,
5677 [NFT_MSG_GETGEN] = {
5678 .call = nf_tables_getgen,
5680 [NFT_MSG_NEWOBJ] = {
5681 .call_batch = nf_tables_newobj,
5682 .attr_count = NFTA_OBJ_MAX,
5683 .policy = nft_obj_policy,
5685 [NFT_MSG_GETOBJ] = {
5686 .call = nf_tables_getobj,
5687 .attr_count = NFTA_OBJ_MAX,
5688 .policy = nft_obj_policy,
5690 [NFT_MSG_DELOBJ] = {
5691 .call_batch = nf_tables_delobj,
5692 .attr_count = NFTA_OBJ_MAX,
5693 .policy = nft_obj_policy,
5695 [NFT_MSG_GETOBJ_RESET] = {
5696 .call = nf_tables_getobj,
5697 .attr_count = NFTA_OBJ_MAX,
5698 .policy = nft_obj_policy,
5700 [NFT_MSG_NEWFLOWTABLE] = {
5701 .call_batch = nf_tables_newflowtable,
5702 .attr_count = NFTA_FLOWTABLE_MAX,
5703 .policy = nft_flowtable_policy,
5705 [NFT_MSG_GETFLOWTABLE] = {
5706 .call = nf_tables_getflowtable,
5707 .attr_count = NFTA_FLOWTABLE_MAX,
5708 .policy = nft_flowtable_policy,
5710 [NFT_MSG_DELFLOWTABLE] = {
5711 .call_batch = nf_tables_delflowtable,
5712 .attr_count = NFTA_FLOWTABLE_MAX,
5713 .policy = nft_flowtable_policy,
5717 static void nft_chain_commit_update(struct nft_trans *trans)
5719 struct nft_base_chain *basechain;
5721 if (nft_trans_chain_name(trans))
5722 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
5724 if (!nft_is_base_chain(trans->ctx.chain))
5727 basechain = nft_base_chain(trans->ctx.chain);
5728 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5730 switch (nft_trans_chain_policy(trans)) {
5733 basechain->policy = nft_trans_chain_policy(trans);
5738 static void nf_tables_commit_release(struct nft_trans *trans)
5740 switch (trans->msg_type) {
5741 case NFT_MSG_DELTABLE:
5742 nf_tables_table_destroy(&trans->ctx);
5744 case NFT_MSG_DELCHAIN:
5745 nf_tables_chain_destroy(trans->ctx.chain);
5747 case NFT_MSG_DELRULE:
5748 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5750 case NFT_MSG_DELSET:
5751 nft_set_destroy(nft_trans_set(trans));
5753 case NFT_MSG_DELSETELEM:
5754 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5755 nft_trans_elem(trans).priv);
5757 case NFT_MSG_DELOBJ:
5758 nft_obj_destroy(nft_trans_obj(trans));
5760 case NFT_MSG_DELFLOWTABLE:
5761 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5767 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5769 struct nft_trans *trans, *next;
5770 struct nft_trans_elem *te;
5772 /* Bump generation counter, invalidate any dump in progress */
5773 while (++net->nft.base_seq == 0);
5775 /* A new generation has just started */
5776 net->nft.gencursor = nft_gencursor_next(net);
5778 /* Make sure all packets have left the previous generation before
5779 * purging old rules.
5783 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5784 switch (trans->msg_type) {
5785 case NFT_MSG_NEWTABLE:
5786 if (nft_trans_table_update(trans)) {
5787 if (!nft_trans_table_enable(trans)) {
5788 nf_tables_table_disable(net,
5790 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5793 nft_clear(net, trans->ctx.table);
5795 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5796 nft_trans_destroy(trans);
5798 case NFT_MSG_DELTABLE:
5799 list_del_rcu(&trans->ctx.table->list);
5800 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5802 case NFT_MSG_NEWCHAIN:
5803 if (nft_trans_chain_update(trans))
5804 nft_chain_commit_update(trans);
5806 nft_clear(net, trans->ctx.chain);
5808 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5809 nft_trans_destroy(trans);
5811 case NFT_MSG_DELCHAIN:
5812 list_del_rcu(&trans->ctx.chain->list);
5813 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5814 nf_tables_unregister_hook(trans->ctx.net,
5818 case NFT_MSG_NEWRULE:
5819 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5820 nf_tables_rule_notify(&trans->ctx,
5821 nft_trans_rule(trans),
5823 nft_trans_destroy(trans);
5825 case NFT_MSG_DELRULE:
5826 list_del_rcu(&nft_trans_rule(trans)->list);
5827 nf_tables_rule_notify(&trans->ctx,
5828 nft_trans_rule(trans),
5831 case NFT_MSG_NEWSET:
5832 nft_clear(net, nft_trans_set(trans));
5833 /* This avoids hitting -EBUSY when deleting the table
5834 * from the transaction.
5836 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5837 !list_empty(&nft_trans_set(trans)->bindings))
5838 trans->ctx.table->use--;
5840 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5841 NFT_MSG_NEWSET, GFP_KERNEL);
5842 nft_trans_destroy(trans);
5844 case NFT_MSG_DELSET:
5845 list_del_rcu(&nft_trans_set(trans)->list);
5846 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5847 NFT_MSG_DELSET, GFP_KERNEL);
5849 case NFT_MSG_NEWSETELEM:
5850 te = (struct nft_trans_elem *)trans->data;
5852 te->set->ops->activate(net, te->set, &te->elem);
5853 nf_tables_setelem_notify(&trans->ctx, te->set,
5855 NFT_MSG_NEWSETELEM, 0);
5856 nft_trans_destroy(trans);
5858 case NFT_MSG_DELSETELEM:
5859 te = (struct nft_trans_elem *)trans->data;
5861 nf_tables_setelem_notify(&trans->ctx, te->set,
5863 NFT_MSG_DELSETELEM, 0);
5864 te->set->ops->remove(net, te->set, &te->elem);
5865 atomic_dec(&te->set->nelems);
5868 case NFT_MSG_NEWOBJ:
5869 nft_clear(net, nft_trans_obj(trans));
5870 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5872 nft_trans_destroy(trans);
5874 case NFT_MSG_DELOBJ:
5875 list_del_rcu(&nft_trans_obj(trans)->list);
5876 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5879 case NFT_MSG_NEWFLOWTABLE:
5880 nft_clear(net, nft_trans_flowtable(trans));
5881 nf_tables_flowtable_notify(&trans->ctx,
5882 nft_trans_flowtable(trans),
5883 NFT_MSG_NEWFLOWTABLE);
5884 nft_trans_destroy(trans);
5886 case NFT_MSG_DELFLOWTABLE:
5887 list_del_rcu(&nft_trans_flowtable(trans)->list);
5888 nf_tables_flowtable_notify(&trans->ctx,
5889 nft_trans_flowtable(trans),
5890 NFT_MSG_DELFLOWTABLE);
5891 nft_unregister_flowtable_net_hooks(net,
5892 nft_trans_flowtable(trans));
5899 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5900 list_del(&trans->list);
5901 nf_tables_commit_release(trans);
5904 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5909 static void nf_tables_abort_release(struct nft_trans *trans)
5911 switch (trans->msg_type) {
5912 case NFT_MSG_NEWTABLE:
5913 nf_tables_table_destroy(&trans->ctx);
5915 case NFT_MSG_NEWCHAIN:
5916 nf_tables_chain_destroy(trans->ctx.chain);
5918 case NFT_MSG_NEWRULE:
5919 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5921 case NFT_MSG_NEWSET:
5922 nft_set_destroy(nft_trans_set(trans));
5924 case NFT_MSG_NEWSETELEM:
5925 nft_set_elem_destroy(nft_trans_elem_set(trans),
5926 nft_trans_elem(trans).priv, true);
5928 case NFT_MSG_NEWOBJ:
5929 nft_obj_destroy(nft_trans_obj(trans));
5931 case NFT_MSG_NEWFLOWTABLE:
5932 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5938 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5940 struct nft_trans *trans, *next;
5941 struct nft_trans_elem *te;
5943 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5945 switch (trans->msg_type) {
5946 case NFT_MSG_NEWTABLE:
5947 if (nft_trans_table_update(trans)) {
5948 if (nft_trans_table_enable(trans)) {
5949 nf_tables_table_disable(net,
5951 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5953 nft_trans_destroy(trans);
5955 list_del_rcu(&trans->ctx.table->list);
5958 case NFT_MSG_DELTABLE:
5959 nft_clear(trans->ctx.net, trans->ctx.table);
5960 nft_trans_destroy(trans);
5962 case NFT_MSG_NEWCHAIN:
5963 if (nft_trans_chain_update(trans)) {
5964 free_percpu(nft_trans_chain_stats(trans));
5966 nft_trans_destroy(trans);
5968 trans->ctx.table->use--;
5969 list_del_rcu(&trans->ctx.chain->list);
5970 nf_tables_unregister_hook(trans->ctx.net,
5975 case NFT_MSG_DELCHAIN:
5976 trans->ctx.table->use++;
5977 nft_clear(trans->ctx.net, trans->ctx.chain);
5978 nft_trans_destroy(trans);
5980 case NFT_MSG_NEWRULE:
5981 trans->ctx.chain->use--;
5982 list_del_rcu(&nft_trans_rule(trans)->list);
5984 case NFT_MSG_DELRULE:
5985 trans->ctx.chain->use++;
5986 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5987 nft_trans_destroy(trans);
5989 case NFT_MSG_NEWSET:
5990 trans->ctx.table->use--;
5991 list_del_rcu(&nft_trans_set(trans)->list);
5993 case NFT_MSG_DELSET:
5994 trans->ctx.table->use++;
5995 nft_clear(trans->ctx.net, nft_trans_set(trans));
5996 nft_trans_destroy(trans);
5998 case NFT_MSG_NEWSETELEM:
5999 te = (struct nft_trans_elem *)trans->data;
6001 te->set->ops->remove(net, te->set, &te->elem);
6002 atomic_dec(&te->set->nelems);
6004 case NFT_MSG_DELSETELEM:
6005 te = (struct nft_trans_elem *)trans->data;
6007 nft_set_elem_activate(net, te->set, &te->elem);
6008 te->set->ops->activate(net, te->set, &te->elem);
6011 nft_trans_destroy(trans);
6013 case NFT_MSG_NEWOBJ:
6014 trans->ctx.table->use--;
6015 list_del_rcu(&nft_trans_obj(trans)->list);
6017 case NFT_MSG_DELOBJ:
6018 trans->ctx.table->use++;
6019 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6020 nft_trans_destroy(trans);
6022 case NFT_MSG_NEWFLOWTABLE:
6023 trans->ctx.table->use--;
6024 list_del_rcu(&nft_trans_flowtable(trans)->list);
6025 nft_unregister_flowtable_net_hooks(net,
6026 nft_trans_flowtable(trans));
6028 case NFT_MSG_DELFLOWTABLE:
6029 trans->ctx.table->use++;
6030 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6031 nft_trans_destroy(trans);
6038 list_for_each_entry_safe_reverse(trans, next,
6039 &net->nft.commit_list, list) {
6040 list_del(&trans->list);
6041 nf_tables_abort_release(trans);
6047 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6049 return net->nft.base_seq == genid;
6052 static const struct nfnetlink_subsystem nf_tables_subsys = {
6053 .name = "nf_tables",
6054 .subsys_id = NFNL_SUBSYS_NFTABLES,
6055 .cb_count = NFT_MSG_MAX,
6057 .commit = nf_tables_commit,
6058 .abort = nf_tables_abort,
6059 .valid_genid = nf_tables_valid_genid,
6062 int nft_chain_validate_dependency(const struct nft_chain *chain,
6063 enum nft_chain_type type)
6065 const struct nft_base_chain *basechain;
6067 if (nft_is_base_chain(chain)) {
6068 basechain = nft_base_chain(chain);
6069 if (basechain->type->type != type)
6074 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6076 int nft_chain_validate_hooks(const struct nft_chain *chain,
6077 unsigned int hook_flags)
6079 struct nft_base_chain *basechain;
6081 if (nft_is_base_chain(chain)) {
6082 basechain = nft_base_chain(chain);
6084 if ((1 << basechain->ops.hooknum) & hook_flags)
6092 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6095 * Loop detection - walk through the ruleset beginning at the destination chain
6096 * of a new jump until either the source chain is reached (loop) or all
6097 * reachable chains have been traversed.
6099 * The loop check is performed whenever a new jump verdict is added to an
6100 * expression or verdict map or a verdict map is bound to a new chain.
6103 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6104 const struct nft_chain *chain);
6106 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6107 struct nft_set *set,
6108 const struct nft_set_iter *iter,
6109 struct nft_set_elem *elem)
6111 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6112 const struct nft_data *data;
6114 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6115 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6118 data = nft_set_ext_data(ext);
6119 switch (data->verdict.code) {
6122 return nf_tables_check_loops(ctx, data->verdict.chain);
6128 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6129 const struct nft_chain *chain)
6131 const struct nft_rule *rule;
6132 const struct nft_expr *expr, *last;
6133 struct nft_set *set;
6134 struct nft_set_binding *binding;
6135 struct nft_set_iter iter;
6137 if (ctx->chain == chain)
6140 list_for_each_entry(rule, &chain->rules, list) {
6141 nft_rule_for_each_expr(expr, last, rule) {
6142 const struct nft_data *data = NULL;
6145 if (!expr->ops->validate)
6148 err = expr->ops->validate(ctx, expr, &data);
6155 switch (data->verdict.code) {
6158 err = nf_tables_check_loops(ctx,
6159 data->verdict.chain);
6168 list_for_each_entry(set, &ctx->table->sets, list) {
6169 if (!nft_is_active_next(ctx->net, set))
6171 if (!(set->flags & NFT_SET_MAP) ||
6172 set->dtype != NFT_DATA_VERDICT)
6175 list_for_each_entry(binding, &set->bindings, list) {
6176 if (!(binding->flags & NFT_SET_MAP) ||
6177 binding->chain != chain)
6180 iter.genmask = nft_genmask_next(ctx->net);
6184 iter.fn = nf_tables_loop_check_setelem;
6186 set->ops->walk(ctx, set, &iter);
6196 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6198 * @attr: netlink attribute to fetch value from
6199 * @max: maximum value to be stored in dest
6200 * @dest: pointer to the variable
6202 * Parse, check and store a given u32 netlink attribute into variable.
6203 * This function returns -ERANGE if the value goes over maximum value.
6204 * Otherwise a 0 is returned and the attribute value is stored in the
6205 * destination variable.
6207 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6211 val = ntohl(nla_get_be32(attr));
6218 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6221 * nft_parse_register - parse a register value from a netlink attribute
6223 * @attr: netlink attribute
6225 * Parse and translate a register value from a netlink attribute.
6226 * Registers used to be 128 bit wide, these register numbers will be
6227 * mapped to the corresponding 32 bit register numbers.
6229 unsigned int nft_parse_register(const struct nlattr *attr)
6233 reg = ntohl(nla_get_be32(attr));
6235 case NFT_REG_VERDICT...NFT_REG_4:
6236 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6238 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6241 EXPORT_SYMBOL_GPL(nft_parse_register);
6244 * nft_dump_register - dump a register value to a netlink attribute
6246 * @skb: socket buffer
6247 * @attr: attribute number
6248 * @reg: register number
6250 * Construct a netlink attribute containing the register number. For
6251 * compatibility reasons, register numbers being a multiple of 4 are
6252 * translated to the corresponding 128 bit register numbers.
6254 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6256 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6257 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6259 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6261 return nla_put_be32(skb, attr, htonl(reg));
6263 EXPORT_SYMBOL_GPL(nft_dump_register);
6266 * nft_validate_register_load - validate a load from a register
6268 * @reg: the register number
6269 * @len: the length of the data
6271 * Validate that the input register is one of the general purpose
6272 * registers and that the length of the load is within the bounds.
6274 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6276 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6280 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6285 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6288 * nft_validate_register_store - validate an expressions' register store
6290 * @ctx: context of the expression performing the load
6291 * @reg: the destination register number
6292 * @data: the data to load
6293 * @type: the data type
6294 * @len: the length of the data
6296 * Validate that a data load uses the appropriate data type for
6297 * the destination register and the length is within the bounds.
6298 * A value of NULL for the data means that its runtime gathered
6301 int nft_validate_register_store(const struct nft_ctx *ctx,
6302 enum nft_registers reg,
6303 const struct nft_data *data,
6304 enum nft_data_types type, unsigned int len)
6309 case NFT_REG_VERDICT:
6310 if (type != NFT_DATA_VERDICT)
6314 (data->verdict.code == NFT_GOTO ||
6315 data->verdict.code == NFT_JUMP)) {
6316 err = nf_tables_check_loops(ctx, data->verdict.chain);
6320 if (ctx->chain->level + 1 >
6321 data->verdict.chain->level) {
6322 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6324 data->verdict.chain->level = ctx->chain->level + 1;
6330 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6334 if (reg * NFT_REG32_SIZE + len >
6335 FIELD_SIZEOF(struct nft_regs, data))
6338 if (data != NULL && type != NFT_DATA_VALUE)
6343 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6345 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6346 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6347 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6348 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6351 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6352 struct nft_data_desc *desc, const struct nlattr *nla)
6354 u8 genmask = nft_genmask_next(ctx->net);
6355 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6356 struct nft_chain *chain;
6359 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6364 if (!tb[NFTA_VERDICT_CODE])
6366 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6368 switch (data->verdict.code) {
6370 switch (data->verdict.code & NF_VERDICT_MASK) {
6385 if (!tb[NFTA_VERDICT_CHAIN])
6387 chain = nf_tables_chain_lookup(ctx->table,
6388 tb[NFTA_VERDICT_CHAIN], genmask);
6390 return PTR_ERR(chain);
6391 if (nft_is_base_chain(chain))
6395 data->verdict.chain = chain;
6399 desc->len = sizeof(data->verdict);
6400 desc->type = NFT_DATA_VERDICT;
6404 static void nft_verdict_uninit(const struct nft_data *data)
6406 switch (data->verdict.code) {
6409 data->verdict.chain->use--;
6414 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6416 struct nlattr *nest;
6418 nest = nla_nest_start(skb, type);
6420 goto nla_put_failure;
6422 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6423 goto nla_put_failure;
6428 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6430 goto nla_put_failure;
6432 nla_nest_end(skb, nest);
6439 static int nft_value_init(const struct nft_ctx *ctx,
6440 struct nft_data *data, unsigned int size,
6441 struct nft_data_desc *desc, const struct nlattr *nla)
6451 nla_memcpy(data->data, nla, len);
6452 desc->type = NFT_DATA_VALUE;
6457 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6460 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6463 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6464 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6465 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6469 * nft_data_init - parse nf_tables data netlink attributes
6471 * @ctx: context of the expression using the data
6472 * @data: destination struct nft_data
6473 * @size: maximum data length
6474 * @desc: data description
6475 * @nla: netlink attribute containing data
6477 * Parse the netlink data attributes and initialize a struct nft_data.
6478 * The type and length of data are returned in the data description.
6480 * The caller can indicate that it only wants to accept data of type
6481 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6483 int nft_data_init(const struct nft_ctx *ctx,
6484 struct nft_data *data, unsigned int size,
6485 struct nft_data_desc *desc, const struct nlattr *nla)
6487 struct nlattr *tb[NFTA_DATA_MAX + 1];
6490 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6494 if (tb[NFTA_DATA_VALUE])
6495 return nft_value_init(ctx, data, size, desc,
6496 tb[NFTA_DATA_VALUE]);
6497 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6498 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6501 EXPORT_SYMBOL_GPL(nft_data_init);
6504 * nft_data_release - release a nft_data item
6506 * @data: struct nft_data to release
6507 * @type: type of data
6509 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6510 * all others need to be released by calling this function.
6512 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6514 if (type < NFT_DATA_VERDICT)
6517 case NFT_DATA_VERDICT:
6518 return nft_verdict_uninit(data);
6523 EXPORT_SYMBOL_GPL(nft_data_release);
6525 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6526 enum nft_data_types type, unsigned int len)
6528 struct nlattr *nest;
6531 nest = nla_nest_start(skb, attr);
6536 case NFT_DATA_VALUE:
6537 err = nft_value_dump(skb, data, len);
6539 case NFT_DATA_VERDICT:
6540 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6547 nla_nest_end(skb, nest);
6550 EXPORT_SYMBOL_GPL(nft_data_dump);
6552 static int __net_init nf_tables_init_net(struct net *net)
6554 INIT_LIST_HEAD(&net->nft.af_info);
6555 INIT_LIST_HEAD(&net->nft.commit_list);
6556 net->nft.base_seq = 1;
6560 static void __net_exit nf_tables_exit_net(struct net *net)
6562 WARN_ON_ONCE(!list_empty(&net->nft.af_info));
6563 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6566 int __nft_release_basechain(struct nft_ctx *ctx)
6568 struct nft_rule *rule, *nr;
6570 BUG_ON(!nft_is_base_chain(ctx->chain));
6572 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6573 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6574 list_del(&rule->list);
6576 nf_tables_rule_destroy(ctx, rule);
6578 list_del(&ctx->chain->list);
6580 nf_tables_chain_destroy(ctx->chain);
6584 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6586 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
6587 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
6589 struct nft_flowtable *flowtable, *nf;
6590 struct nft_table *table, *nt;
6591 struct nft_chain *chain, *nc;
6592 struct nft_object *obj, *ne;
6593 struct nft_rule *rule, *nr;
6594 struct nft_set *set, *ns;
6595 struct nft_ctx ctx = {
6600 list_for_each_entry_safe(table, nt, &afi->tables, list) {
6601 list_for_each_entry(chain, &table->chains, list)
6602 nf_tables_unregister_hook(net, table, chain);
6603 list_for_each_entry(flowtable, &table->flowtables, list)
6604 nf_unregister_net_hooks(net, flowtable->ops,
6605 flowtable->ops_len);
6606 /* No packets are walking on these chains anymore. */
6608 list_for_each_entry(chain, &table->chains, list) {
6610 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6611 list_del(&rule->list);
6613 nf_tables_rule_destroy(&ctx, rule);
6616 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6617 list_del(&flowtable->list);
6619 nf_tables_flowtable_destroy(flowtable);
6621 list_for_each_entry_safe(set, ns, &table->sets, list) {
6622 list_del(&set->list);
6624 nft_set_destroy(set);
6626 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6627 list_del(&obj->list);
6629 nft_obj_destroy(obj);
6631 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6632 list_del(&chain->list);
6634 nf_tables_chain_destroy(chain);
6636 list_del(&table->list);
6637 nf_tables_table_destroy(&ctx);
6641 static struct pernet_operations nf_tables_net_ops = {
6642 .init = nf_tables_init_net,
6643 .exit = nf_tables_exit_net,
6646 static int __init nf_tables_module_init(void)
6650 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6657 err = nf_tables_core_module_init();
6661 err = nfnetlink_subsys_register(&nf_tables_subsys);
6665 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6667 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
6668 return register_pernet_subsys(&nf_tables_net_ops);
6670 nf_tables_core_module_exit();
6677 static void __exit nf_tables_module_exit(void)
6679 unregister_pernet_subsys(&nf_tables_net_ops);
6680 nfnetlink_subsys_unregister(&nf_tables_subsys);
6681 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6683 nf_tables_core_module_exit();
6687 module_init(nf_tables_module_init);
6688 module_exit(nf_tables_module_exit);
6690 MODULE_LICENSE("GPL");
6691 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6692 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / platform / kernel / linux-rpi.git / blob