2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 static int nf_tables_register_hook(struct net *net,
78 const struct nft_table *table,
79 struct nft_chain *chain)
81 if (table->flags & NFT_TABLE_F_DORMANT ||
82 !nft_is_base_chain(chain))
85 return nf_register_net_hook(net, &nft_base_chain(chain)->ops);
88 static void nf_tables_unregister_hook(struct net *net,
89 const struct nft_table *table,
90 struct nft_chain *chain)
92 if (table->flags & NFT_TABLE_F_DORMANT ||
93 !nft_is_base_chain(chain))
96 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
99 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
101 struct nft_trans *trans;
103 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
107 if (msg_type == NFT_MSG_NEWTABLE)
108 nft_activate_next(ctx->net, ctx->table);
110 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
114 static int nft_deltable(struct nft_ctx *ctx)
118 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
122 nft_deactivate_next(ctx->net, ctx->table);
126 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
128 struct nft_trans *trans;
130 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
134 if (msg_type == NFT_MSG_NEWCHAIN)
135 nft_activate_next(ctx->net, ctx->chain);
137 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
141 static int nft_delchain(struct nft_ctx *ctx)
145 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
150 nft_deactivate_next(ctx->net, ctx->chain);
156 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
158 /* You cannot delete the same rule twice */
159 if (nft_is_active_next(ctx->net, rule)) {
160 nft_deactivate_next(ctx->net, rule);
167 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
168 struct nft_rule *rule)
170 struct nft_trans *trans;
172 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
176 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
177 nft_trans_rule_id(trans) =
178 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
180 nft_trans_rule(trans) = rule;
181 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
186 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
188 struct nft_trans *trans;
191 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
195 err = nf_tables_delrule_deactivate(ctx, rule);
197 nft_trans_destroy(trans);
204 static int nft_delrule_by_chain(struct nft_ctx *ctx)
206 struct nft_rule *rule;
209 list_for_each_entry(rule, &ctx->chain->rules, list) {
210 err = nft_delrule(ctx, rule);
217 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
220 struct nft_trans *trans;
222 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
226 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
227 nft_trans_set_id(trans) =
228 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
229 nft_activate_next(ctx->net, set);
231 nft_trans_set(trans) = set;
232 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
237 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
241 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
245 nft_deactivate_next(ctx->net, set);
251 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
252 struct nft_object *obj)
254 struct nft_trans *trans;
256 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
260 if (msg_type == NFT_MSG_NEWOBJ)
261 nft_activate_next(ctx->net, obj);
263 nft_trans_obj(trans) = obj;
264 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
269 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
273 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
277 nft_deactivate_next(ctx->net, obj);
283 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
284 struct nft_flowtable *flowtable)
286 struct nft_trans *trans;
288 trans = nft_trans_alloc(ctx, msg_type,
289 sizeof(struct nft_trans_flowtable));
293 if (msg_type == NFT_MSG_NEWFLOWTABLE)
294 nft_activate_next(ctx->net, flowtable);
296 nft_trans_flowtable(trans) = flowtable;
297 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
302 static int nft_delflowtable(struct nft_ctx *ctx,
303 struct nft_flowtable *flowtable)
307 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
311 nft_deactivate_next(ctx->net, flowtable);
321 static struct nft_table *nft_table_lookup(const struct net *net,
322 const struct nlattr *nla,
323 u8 family, u8 genmask)
325 struct nft_table *table;
327 list_for_each_entry(table, &net->nft.tables, list) {
328 if (!nla_strcmp(nla, table->name) &&
329 table->family == family &&
330 nft_active_genmask(table, genmask))
336 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
337 const struct nlattr *nla,
340 struct nft_table *table;
342 list_for_each_entry(table, &net->nft.tables, list) {
343 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
344 nft_active_genmask(table, genmask))
350 static struct nft_table *nf_tables_table_lookup(const struct net *net,
351 const struct nlattr *nla,
352 u8 family, u8 genmask)
354 struct nft_table *table;
357 return ERR_PTR(-EINVAL);
359 table = nft_table_lookup(net, nla, family, genmask);
363 return ERR_PTR(-ENOENT);
366 static struct nft_table *nf_tables_table_lookup_byhandle(const struct net *net,
367 const struct nlattr *nla,
370 struct nft_table *table;
373 return ERR_PTR(-EINVAL);
375 table = nft_table_lookup_byhandle(net, nla, genmask);
379 return ERR_PTR(-ENOENT);
382 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
384 return ++table->hgenerator;
387 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
389 static const struct nft_chain_type *
390 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
394 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
395 if (chain_type[family][i] != NULL &&
396 !nla_strcmp(nla, chain_type[family][i]->name))
397 return chain_type[family][i];
402 static const struct nft_chain_type *
403 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
405 const struct nft_chain_type *type;
407 type = __nf_tables_chain_type_lookup(nla, family);
410 #ifdef CONFIG_MODULES
412 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
413 request_module("nft-chain-%u-%.*s", family,
414 nla_len(nla), (const char *)nla_data(nla));
415 nfnl_lock(NFNL_SUBSYS_NFTABLES);
416 type = __nf_tables_chain_type_lookup(nla, family);
418 return ERR_PTR(-EAGAIN);
421 return ERR_PTR(-ENOENT);
424 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
425 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
426 .len = NFT_TABLE_MAXNAMELEN - 1 },
427 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
428 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
431 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
432 u32 portid, u32 seq, int event, u32 flags,
433 int family, const struct nft_table *table)
435 struct nlmsghdr *nlh;
436 struct nfgenmsg *nfmsg;
438 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
439 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
441 goto nla_put_failure;
443 nfmsg = nlmsg_data(nlh);
444 nfmsg->nfgen_family = family;
445 nfmsg->version = NFNETLINK_V0;
446 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
448 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
449 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
450 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
451 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
453 goto nla_put_failure;
459 nlmsg_trim(skb, nlh);
463 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
469 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
472 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
476 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
477 event, 0, ctx->family, ctx->table);
483 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
484 ctx->report, GFP_KERNEL);
487 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
490 static int nf_tables_dump_tables(struct sk_buff *skb,
491 struct netlink_callback *cb)
493 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
494 const struct nft_table *table;
495 unsigned int idx = 0, s_idx = cb->args[0];
496 struct net *net = sock_net(skb->sk);
497 int family = nfmsg->nfgen_family;
500 cb->seq = net->nft.base_seq;
502 list_for_each_entry_rcu(table, &net->nft.tables, list) {
503 if (family != NFPROTO_UNSPEC && family != table->family)
509 memset(&cb->args[1], 0,
510 sizeof(cb->args) - sizeof(cb->args[0]));
511 if (!nft_is_active(net, table))
513 if (nf_tables_fill_table_info(skb, net,
514 NETLINK_CB(cb->skb).portid,
516 NFT_MSG_NEWTABLE, NLM_F_MULTI,
517 table->family, table) < 0)
520 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
530 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
531 struct sk_buff *skb, const struct nlmsghdr *nlh,
532 const struct nlattr * const nla[],
533 struct netlink_ext_ack *extack)
535 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
536 u8 genmask = nft_genmask_cur(net);
537 const struct nft_table *table;
538 struct sk_buff *skb2;
539 int family = nfmsg->nfgen_family;
542 if (nlh->nlmsg_flags & NLM_F_DUMP) {
543 struct netlink_dump_control c = {
544 .dump = nf_tables_dump_tables,
546 return netlink_dump_start(nlsk, skb, nlh, &c);
549 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family,
552 return PTR_ERR(table);
554 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
558 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
559 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
564 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
571 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
573 struct nft_chain *chain;
576 list_for_each_entry(chain, &table->chains, list) {
577 if (!nft_is_active_next(net, chain))
579 if (!nft_is_base_chain(chain))
582 if (cnt && i++ == cnt)
585 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
589 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
591 struct nft_chain *chain;
594 list_for_each_entry(chain, &table->chains, list) {
595 if (!nft_is_active_next(net, chain))
597 if (!nft_is_base_chain(chain))
600 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
609 nft_table_disable(net, table, i);
613 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
615 nft_table_disable(net, table, 0);
618 static int nf_tables_updtable(struct nft_ctx *ctx)
620 struct nft_trans *trans;
624 if (!ctx->nla[NFTA_TABLE_FLAGS])
627 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
628 if (flags & ~NFT_TABLE_F_DORMANT)
631 if (flags == ctx->table->flags)
634 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
635 sizeof(struct nft_trans_table));
639 if ((flags & NFT_TABLE_F_DORMANT) &&
640 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
641 nft_trans_table_enable(trans) = false;
642 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
643 ctx->table->flags & NFT_TABLE_F_DORMANT) {
644 ret = nf_tables_table_enable(ctx->net, ctx->table);
646 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
647 nft_trans_table_enable(trans) = true;
653 nft_trans_table_update(trans) = true;
654 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
657 nft_trans_destroy(trans);
661 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
662 struct sk_buff *skb, const struct nlmsghdr *nlh,
663 const struct nlattr * const nla[],
664 struct netlink_ext_ack *extack)
666 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
667 u8 genmask = nft_genmask_next(net);
668 const struct nlattr *name;
669 struct nft_table *table;
670 int family = nfmsg->nfgen_family;
675 name = nla[NFTA_TABLE_NAME];
676 table = nf_tables_table_lookup(net, name, family, genmask);
678 if (PTR_ERR(table) != -ENOENT)
679 return PTR_ERR(table);
681 if (nlh->nlmsg_flags & NLM_F_EXCL)
683 if (nlh->nlmsg_flags & NLM_F_REPLACE)
686 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
687 return nf_tables_updtable(&ctx);
690 if (nla[NFTA_TABLE_FLAGS]) {
691 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
692 if (flags & ~NFT_TABLE_F_DORMANT)
697 table = kzalloc(sizeof(*table), GFP_KERNEL);
701 table->name = nla_strdup(name, GFP_KERNEL);
702 if (table->name == NULL)
705 INIT_LIST_HEAD(&table->chains);
706 INIT_LIST_HEAD(&table->sets);
707 INIT_LIST_HEAD(&table->objects);
708 INIT_LIST_HEAD(&table->flowtables);
709 table->family = family;
710 table->flags = flags;
711 table->handle = ++table_handle;
713 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
714 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
718 list_add_tail_rcu(&table->list, &net->nft.tables);
728 static int nft_flush_table(struct nft_ctx *ctx)
730 struct nft_flowtable *flowtable, *nft;
731 struct nft_chain *chain, *nc;
732 struct nft_object *obj, *ne;
733 struct nft_set *set, *ns;
736 list_for_each_entry(chain, &ctx->table->chains, list) {
737 if (!nft_is_active_next(ctx->net, chain))
742 err = nft_delrule_by_chain(ctx);
747 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
748 if (!nft_is_active_next(ctx->net, set))
751 if (nft_set_is_anonymous(set) &&
752 !list_empty(&set->bindings))
755 err = nft_delset(ctx, set);
760 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
761 err = nft_delflowtable(ctx, flowtable);
766 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
767 err = nft_delobj(ctx, obj);
772 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
773 if (!nft_is_active_next(ctx->net, chain))
778 err = nft_delchain(ctx);
783 err = nft_deltable(ctx);
788 static int nft_flush(struct nft_ctx *ctx, int family)
790 struct nft_table *table, *nt;
791 const struct nlattr * const *nla = ctx->nla;
794 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
795 if (family != AF_UNSPEC && table->family != family)
798 ctx->family = table->family;
800 if (!nft_is_active_next(ctx->net, table))
803 if (nla[NFTA_TABLE_NAME] &&
804 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
809 err = nft_flush_table(ctx);
817 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
818 struct sk_buff *skb, const struct nlmsghdr *nlh,
819 const struct nlattr * const nla[],
820 struct netlink_ext_ack *extack)
822 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
823 u8 genmask = nft_genmask_next(net);
824 struct nft_table *table;
825 int family = nfmsg->nfgen_family;
828 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
829 if (family == AF_UNSPEC ||
830 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
831 return nft_flush(&ctx, family);
833 if (nla[NFTA_TABLE_HANDLE])
834 table = nf_tables_table_lookup_byhandle(net,
835 nla[NFTA_TABLE_HANDLE],
838 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME],
842 return PTR_ERR(table);
844 if (nlh->nlmsg_flags & NLM_F_NONREC &&
851 return nft_flush_table(&ctx);
854 static void nf_tables_table_destroy(struct nft_ctx *ctx)
856 BUG_ON(ctx->table->use > 0);
858 kfree(ctx->table->name);
862 void nft_register_chain_type(const struct nft_chain_type *ctype)
864 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
867 nfnl_lock(NFNL_SUBSYS_NFTABLES);
868 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
869 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
872 chain_type[ctype->family][ctype->type] = ctype;
873 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
875 EXPORT_SYMBOL_GPL(nft_register_chain_type);
877 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
879 nfnl_lock(NFNL_SUBSYS_NFTABLES);
880 chain_type[ctype->family][ctype->type] = NULL;
881 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
883 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
889 static struct nft_chain *
890 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
893 struct nft_chain *chain;
895 list_for_each_entry(chain, &table->chains, list) {
896 if (chain->handle == handle &&
897 nft_active_genmask(chain, genmask))
901 return ERR_PTR(-ENOENT);
904 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
905 const struct nlattr *nla,
908 struct nft_chain *chain;
911 return ERR_PTR(-EINVAL);
913 list_for_each_entry(chain, &table->chains, list) {
914 if (!nla_strcmp(nla, chain->name) &&
915 nft_active_genmask(chain, genmask))
919 return ERR_PTR(-ENOENT);
922 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
923 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
924 .len = NFT_TABLE_MAXNAMELEN - 1 },
925 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
926 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
927 .len = NFT_CHAIN_MAXNAMELEN - 1 },
928 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
929 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
930 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
931 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
934 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
935 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
936 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
937 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
938 .len = IFNAMSIZ - 1 },
941 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
943 struct nft_stats *cpu_stats, total;
949 memset(&total, 0, sizeof(total));
950 for_each_possible_cpu(cpu) {
951 cpu_stats = per_cpu_ptr(stats, cpu);
953 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
954 pkts = cpu_stats->pkts;
955 bytes = cpu_stats->bytes;
956 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
958 total.bytes += bytes;
960 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
962 goto nla_put_failure;
964 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
966 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
968 goto nla_put_failure;
970 nla_nest_end(skb, nest);
977 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
978 u32 portid, u32 seq, int event, u32 flags,
979 int family, const struct nft_table *table,
980 const struct nft_chain *chain)
982 struct nlmsghdr *nlh;
983 struct nfgenmsg *nfmsg;
985 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
986 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
988 goto nla_put_failure;
990 nfmsg = nlmsg_data(nlh);
991 nfmsg->nfgen_family = family;
992 nfmsg->version = NFNETLINK_V0;
993 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
995 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
996 goto nla_put_failure;
997 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
999 goto nla_put_failure;
1000 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1001 goto nla_put_failure;
1003 if (nft_is_base_chain(chain)) {
1004 const struct nft_base_chain *basechain = nft_base_chain(chain);
1005 const struct nf_hook_ops *ops = &basechain->ops;
1006 struct nlattr *nest;
1008 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1010 goto nla_put_failure;
1011 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1012 goto nla_put_failure;
1013 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1014 goto nla_put_failure;
1015 if (basechain->dev_name[0] &&
1016 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1017 goto nla_put_failure;
1018 nla_nest_end(skb, nest);
1020 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1021 htonl(basechain->policy)))
1022 goto nla_put_failure;
1024 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1025 goto nla_put_failure;
1027 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1028 goto nla_put_failure;
1031 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1032 goto nla_put_failure;
1034 nlmsg_end(skb, nlh);
1038 nlmsg_trim(skb, nlh);
1042 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1044 struct sk_buff *skb;
1048 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1051 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1055 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1056 event, 0, ctx->family, ctx->table,
1063 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1064 ctx->report, GFP_KERNEL);
1067 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1070 static int nf_tables_dump_chains(struct sk_buff *skb,
1071 struct netlink_callback *cb)
1073 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1074 const struct nft_table *table;
1075 const struct nft_chain *chain;
1076 unsigned int idx = 0, s_idx = cb->args[0];
1077 struct net *net = sock_net(skb->sk);
1078 int family = nfmsg->nfgen_family;
1081 cb->seq = net->nft.base_seq;
1083 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1084 if (family != NFPROTO_UNSPEC && family != table->family)
1087 list_for_each_entry_rcu(chain, &table->chains, list) {
1091 memset(&cb->args[1], 0,
1092 sizeof(cb->args) - sizeof(cb->args[0]));
1093 if (!nft_is_active(net, chain))
1095 if (nf_tables_fill_chain_info(skb, net,
1096 NETLINK_CB(cb->skb).portid,
1100 table->family, table,
1104 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1115 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1116 struct sk_buff *skb, const struct nlmsghdr *nlh,
1117 const struct nlattr * const nla[],
1118 struct netlink_ext_ack *extack)
1120 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1121 u8 genmask = nft_genmask_cur(net);
1122 const struct nft_table *table;
1123 const struct nft_chain *chain;
1124 struct sk_buff *skb2;
1125 int family = nfmsg->nfgen_family;
1128 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1129 struct netlink_dump_control c = {
1130 .dump = nf_tables_dump_chains,
1132 return netlink_dump_start(nlsk, skb, nlh, &c);
1135 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1138 return PTR_ERR(table);
1140 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1142 return PTR_ERR(chain);
1144 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1148 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1149 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1150 family, table, chain);
1154 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1161 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1162 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1163 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1166 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1168 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1169 struct nft_stats __percpu *newstats;
1170 struct nft_stats *stats;
1173 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1176 return ERR_PTR(err);
1178 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1179 return ERR_PTR(-EINVAL);
1181 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1182 if (newstats == NULL)
1183 return ERR_PTR(-ENOMEM);
1185 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1186 * are not exposed to userspace.
1189 stats = this_cpu_ptr(newstats);
1190 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1191 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1197 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1198 struct nft_stats __percpu *newstats)
1200 struct nft_stats __percpu *oldstats;
1202 if (newstats == NULL)
1206 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1207 rcu_assign_pointer(chain->stats, newstats);
1209 free_percpu(oldstats);
1211 rcu_assign_pointer(chain->stats, newstats);
1214 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1216 struct nft_chain *chain = ctx->chain;
1218 BUG_ON(chain->use > 0);
1220 if (nft_is_base_chain(chain)) {
1221 struct nft_base_chain *basechain = nft_base_chain(chain);
1223 if (basechain->type->free)
1224 basechain->type->free(ctx);
1225 module_put(basechain->type->owner);
1226 free_percpu(basechain->stats);
1227 if (basechain->stats)
1228 static_branch_dec(&nft_counters_enabled);
1229 if (basechain->ops.dev != NULL)
1230 dev_put(basechain->ops.dev);
1239 struct nft_chain_hook {
1242 const struct nft_chain_type *type;
1243 struct net_device *dev;
1246 static int nft_chain_parse_hook(struct net *net,
1247 const struct nlattr * const nla[],
1248 struct nft_chain_hook *hook, u8 family,
1251 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1252 const struct nft_chain_type *type;
1253 struct net_device *dev;
1256 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1257 nft_hook_policy, NULL);
1261 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1262 ha[NFTA_HOOK_PRIORITY] == NULL)
1265 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1266 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1268 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1269 if (nla[NFTA_CHAIN_TYPE]) {
1270 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1273 return PTR_ERR(type);
1275 if (!(type->hook_mask & (1 << hook->num)))
1278 if (type->type == NFT_CHAIN_T_NAT &&
1279 hook->priority <= NF_IP_PRI_CONNTRACK)
1282 if (!try_module_get(type->owner))
1288 if (family == NFPROTO_NETDEV) {
1289 char ifname[IFNAMSIZ];
1291 if (!ha[NFTA_HOOK_DEV]) {
1292 module_put(type->owner);
1296 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1297 dev = dev_get_by_name(net, ifname);
1299 module_put(type->owner);
1303 } else if (ha[NFTA_HOOK_DEV]) {
1304 module_put(type->owner);
1311 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1313 module_put(hook->type->owner);
1314 if (hook->dev != NULL)
1318 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1319 u8 policy, bool create)
1321 const struct nlattr * const *nla = ctx->nla;
1322 struct nft_table *table = ctx->table;
1323 struct nft_base_chain *basechain;
1324 struct nft_stats __percpu *stats;
1325 struct net *net = ctx->net;
1326 struct nft_chain *chain;
1329 if (table->use == UINT_MAX)
1332 if (nla[NFTA_CHAIN_HOOK]) {
1333 struct nft_chain_hook hook;
1334 struct nf_hook_ops *ops;
1336 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1340 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1341 if (basechain == NULL) {
1342 nft_chain_release_hook(&hook);
1346 if (hook.dev != NULL)
1347 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1349 if (nla[NFTA_CHAIN_COUNTERS]) {
1350 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1351 if (IS_ERR(stats)) {
1352 nft_chain_release_hook(&hook);
1354 return PTR_ERR(stats);
1356 basechain->stats = stats;
1357 static_branch_inc(&nft_counters_enabled);
1360 basechain->type = hook.type;
1361 if (basechain->type->init)
1362 basechain->type->init(ctx);
1364 chain = &basechain->chain;
1366 ops = &basechain->ops;
1368 ops->hooknum = hook.num;
1369 ops->priority = hook.priority;
1371 ops->hook = hook.type->hooks[ops->hooknum];
1372 ops->dev = hook.dev;
1374 if (basechain->type->type == NFT_CHAIN_T_NAT)
1375 ops->nat_hook = true;
1377 chain->flags |= NFT_BASE_CHAIN;
1378 basechain->policy = policy;
1380 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1386 INIT_LIST_HEAD(&chain->rules);
1387 chain->handle = nf_tables_alloc_handle(table);
1388 chain->table = table;
1389 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1395 err = nf_tables_register_hook(net, table, chain);
1399 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1404 list_add_tail_rcu(&chain->list, &table->chains);
1408 nf_tables_unregister_hook(net, table, chain);
1410 nf_tables_chain_destroy(ctx);
1415 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1418 const struct nlattr * const *nla = ctx->nla;
1419 struct nft_table *table = ctx->table;
1420 struct nft_chain *chain = ctx->chain;
1421 struct nft_base_chain *basechain;
1422 struct nft_stats *stats = NULL;
1423 struct nft_chain_hook hook;
1424 const struct nlattr *name;
1425 struct nf_hook_ops *ops;
1426 struct nft_trans *trans;
1429 if (nla[NFTA_CHAIN_HOOK]) {
1430 if (!nft_is_base_chain(chain))
1433 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1438 basechain = nft_base_chain(chain);
1439 if (basechain->type != hook.type) {
1440 nft_chain_release_hook(&hook);
1444 ops = &basechain->ops;
1445 if (ops->hooknum != hook.num ||
1446 ops->priority != hook.priority ||
1447 ops->dev != hook.dev) {
1448 nft_chain_release_hook(&hook);
1451 nft_chain_release_hook(&hook);
1454 if (nla[NFTA_CHAIN_HANDLE] &&
1455 nla[NFTA_CHAIN_NAME]) {
1456 struct nft_chain *chain2;
1458 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1460 if (!IS_ERR(chain2))
1464 if (nla[NFTA_CHAIN_COUNTERS]) {
1465 if (!nft_is_base_chain(chain))
1468 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1470 return PTR_ERR(stats);
1473 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1474 sizeof(struct nft_trans_chain));
1475 if (trans == NULL) {
1480 nft_trans_chain_stats(trans) = stats;
1481 nft_trans_chain_update(trans) = true;
1483 if (nla[NFTA_CHAIN_POLICY])
1484 nft_trans_chain_policy(trans) = policy;
1486 nft_trans_chain_policy(trans) = -1;
1488 name = nla[NFTA_CHAIN_NAME];
1489 if (nla[NFTA_CHAIN_HANDLE] && name) {
1490 nft_trans_chain_name(trans) =
1491 nla_strdup(name, GFP_KERNEL);
1492 if (!nft_trans_chain_name(trans)) {
1498 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1503 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1504 struct sk_buff *skb, const struct nlmsghdr *nlh,
1505 const struct nlattr * const nla[],
1506 struct netlink_ext_ack *extack)
1508 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1509 const struct nlattr * uninitialized_var(name);
1510 u8 genmask = nft_genmask_next(net);
1511 int family = nfmsg->nfgen_family;
1512 struct nft_table *table;
1513 struct nft_chain *chain;
1514 u8 policy = NF_ACCEPT;
1519 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1521 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1524 return PTR_ERR(table);
1527 name = nla[NFTA_CHAIN_NAME];
1529 if (nla[NFTA_CHAIN_HANDLE]) {
1530 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1531 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1533 return PTR_ERR(chain);
1535 chain = nf_tables_chain_lookup(table, name, genmask);
1536 if (IS_ERR(chain)) {
1537 if (PTR_ERR(chain) != -ENOENT)
1538 return PTR_ERR(chain);
1543 if (nla[NFTA_CHAIN_POLICY]) {
1544 if (chain != NULL &&
1545 !nft_is_base_chain(chain))
1548 if (chain == NULL &&
1549 nla[NFTA_CHAIN_HOOK] == NULL)
1552 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1562 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1564 if (chain != NULL) {
1565 if (nlh->nlmsg_flags & NLM_F_EXCL)
1567 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1570 return nf_tables_updchain(&ctx, genmask, policy, create);
1573 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1576 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1577 struct sk_buff *skb, const struct nlmsghdr *nlh,
1578 const struct nlattr * const nla[],
1579 struct netlink_ext_ack *extack)
1581 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1582 u8 genmask = nft_genmask_next(net);
1583 struct nft_table *table;
1584 struct nft_chain *chain;
1585 struct nft_rule *rule;
1586 int family = nfmsg->nfgen_family;
1592 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1595 return PTR_ERR(table);
1597 if (nla[NFTA_CHAIN_HANDLE]) {
1598 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1599 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1601 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1604 return PTR_ERR(chain);
1606 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1610 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1613 list_for_each_entry(rule, &chain->rules, list) {
1614 if (!nft_is_active_next(net, rule))
1618 err = nft_delrule(&ctx, rule);
1623 /* There are rules and elements that are still holding references to us,
1624 * we cannot do a recursive removal in this case.
1629 return nft_delchain(&ctx);
1637 * nft_register_expr - register nf_tables expr type
1640 * Registers the expr type for use with nf_tables. Returns zero on
1641 * success or a negative errno code otherwise.
1643 int nft_register_expr(struct nft_expr_type *type)
1645 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1646 if (type->family == NFPROTO_UNSPEC)
1647 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1649 list_add_rcu(&type->list, &nf_tables_expressions);
1650 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1653 EXPORT_SYMBOL_GPL(nft_register_expr);
1656 * nft_unregister_expr - unregister nf_tables expr type
1659 * Unregisters the expr typefor use with nf_tables.
1661 void nft_unregister_expr(struct nft_expr_type *type)
1663 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1664 list_del_rcu(&type->list);
1665 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1667 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1669 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1672 const struct nft_expr_type *type;
1674 list_for_each_entry(type, &nf_tables_expressions, list) {
1675 if (!nla_strcmp(nla, type->name) &&
1676 (!type->family || type->family == family))
1682 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1685 const struct nft_expr_type *type;
1688 return ERR_PTR(-EINVAL);
1690 type = __nft_expr_type_get(family, nla);
1691 if (type != NULL && try_module_get(type->owner))
1694 #ifdef CONFIG_MODULES
1696 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1697 request_module("nft-expr-%u-%.*s", family,
1698 nla_len(nla), (char *)nla_data(nla));
1699 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1700 if (__nft_expr_type_get(family, nla))
1701 return ERR_PTR(-EAGAIN);
1703 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1704 request_module("nft-expr-%.*s",
1705 nla_len(nla), (char *)nla_data(nla));
1706 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1707 if (__nft_expr_type_get(family, nla))
1708 return ERR_PTR(-EAGAIN);
1711 return ERR_PTR(-ENOENT);
1714 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1715 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1716 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1719 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1720 const struct nft_expr *expr)
1722 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1723 goto nla_put_failure;
1725 if (expr->ops->dump) {
1726 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1728 goto nla_put_failure;
1729 if (expr->ops->dump(skb, expr) < 0)
1730 goto nla_put_failure;
1731 nla_nest_end(skb, data);
1740 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1741 const struct nft_expr *expr)
1743 struct nlattr *nest;
1745 nest = nla_nest_start(skb, attr);
1747 goto nla_put_failure;
1748 if (nf_tables_fill_expr_info(skb, expr) < 0)
1749 goto nla_put_failure;
1750 nla_nest_end(skb, nest);
1757 struct nft_expr_info {
1758 const struct nft_expr_ops *ops;
1759 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1762 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1763 const struct nlattr *nla,
1764 struct nft_expr_info *info)
1766 const struct nft_expr_type *type;
1767 const struct nft_expr_ops *ops;
1768 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1771 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1775 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1777 return PTR_ERR(type);
1779 if (tb[NFTA_EXPR_DATA]) {
1780 err = nla_parse_nested(info->tb, type->maxattr,
1781 tb[NFTA_EXPR_DATA], type->policy, NULL);
1785 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1787 if (type->select_ops != NULL) {
1788 ops = type->select_ops(ctx,
1789 (const struct nlattr * const *)info->tb);
1801 module_put(type->owner);
1805 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1806 const struct nft_expr_info *info,
1807 struct nft_expr *expr)
1809 const struct nft_expr_ops *ops = info->ops;
1814 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1819 if (ops->validate) {
1820 const struct nft_data *data = NULL;
1822 err = ops->validate(ctx, expr, &data);
1831 ops->destroy(ctx, expr);
1837 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1838 struct nft_expr *expr)
1840 if (expr->ops->destroy)
1841 expr->ops->destroy(ctx, expr);
1842 module_put(expr->ops->type->owner);
1845 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1846 const struct nlattr *nla)
1848 struct nft_expr_info info;
1849 struct nft_expr *expr;
1852 err = nf_tables_expr_parse(ctx, nla, &info);
1857 expr = kzalloc(info.ops->size, GFP_KERNEL);
1861 err = nf_tables_newexpr(ctx, &info, expr);
1869 module_put(info.ops->type->owner);
1871 return ERR_PTR(err);
1874 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1876 nf_tables_expr_destroy(ctx, expr);
1884 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1887 struct nft_rule *rule;
1889 // FIXME: this sucks
1890 list_for_each_entry(rule, &chain->rules, list) {
1891 if (handle == rule->handle)
1895 return ERR_PTR(-ENOENT);
1898 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1899 const struct nlattr *nla)
1902 return ERR_PTR(-EINVAL);
1904 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1907 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1908 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1909 .len = NFT_TABLE_MAXNAMELEN - 1 },
1910 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1911 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1912 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1913 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1914 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1915 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1916 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1917 .len = NFT_USERDATA_MAXLEN },
1920 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1921 u32 portid, u32 seq, int event,
1922 u32 flags, int family,
1923 const struct nft_table *table,
1924 const struct nft_chain *chain,
1925 const struct nft_rule *rule)
1927 struct nlmsghdr *nlh;
1928 struct nfgenmsg *nfmsg;
1929 const struct nft_expr *expr, *next;
1930 struct nlattr *list;
1931 const struct nft_rule *prule;
1932 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1934 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1936 goto nla_put_failure;
1938 nfmsg = nlmsg_data(nlh);
1939 nfmsg->nfgen_family = family;
1940 nfmsg->version = NFNETLINK_V0;
1941 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1943 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1944 goto nla_put_failure;
1945 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1946 goto nla_put_failure;
1947 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1949 goto nla_put_failure;
1951 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1952 prule = list_prev_entry(rule, list);
1953 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1954 cpu_to_be64(prule->handle),
1956 goto nla_put_failure;
1959 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1961 goto nla_put_failure;
1962 nft_rule_for_each_expr(expr, next, rule) {
1963 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1964 goto nla_put_failure;
1966 nla_nest_end(skb, list);
1969 struct nft_userdata *udata = nft_userdata(rule);
1970 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1972 goto nla_put_failure;
1975 nlmsg_end(skb, nlh);
1979 nlmsg_trim(skb, nlh);
1983 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
1984 const struct nft_rule *rule, int event)
1986 struct sk_buff *skb;
1990 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1993 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1997 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1998 event, 0, ctx->family, ctx->table,
2005 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2006 ctx->report, GFP_KERNEL);
2009 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2012 struct nft_rule_dump_ctx {
2017 static int nf_tables_dump_rules(struct sk_buff *skb,
2018 struct netlink_callback *cb)
2020 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2021 const struct nft_rule_dump_ctx *ctx = cb->data;
2022 const struct nft_table *table;
2023 const struct nft_chain *chain;
2024 const struct nft_rule *rule;
2025 unsigned int idx = 0, s_idx = cb->args[0];
2026 struct net *net = sock_net(skb->sk);
2027 int family = nfmsg->nfgen_family;
2030 cb->seq = net->nft.base_seq;
2032 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2033 if (family != NFPROTO_UNSPEC && family != table->family)
2036 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2039 list_for_each_entry_rcu(chain, &table->chains, list) {
2040 if (ctx && ctx->chain &&
2041 strcmp(ctx->chain, chain->name) != 0)
2044 list_for_each_entry_rcu(rule, &chain->rules, list) {
2045 if (!nft_is_active(net, rule))
2050 memset(&cb->args[1], 0,
2051 sizeof(cb->args) - sizeof(cb->args[0]));
2052 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2055 NLM_F_MULTI | NLM_F_APPEND,
2057 table, chain, rule) < 0)
2060 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2073 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2075 struct nft_rule_dump_ctx *ctx = cb->data;
2085 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2086 struct sk_buff *skb, const struct nlmsghdr *nlh,
2087 const struct nlattr * const nla[],
2088 struct netlink_ext_ack *extack)
2090 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2091 u8 genmask = nft_genmask_cur(net);
2092 const struct nft_table *table;
2093 const struct nft_chain *chain;
2094 const struct nft_rule *rule;
2095 struct sk_buff *skb2;
2096 int family = nfmsg->nfgen_family;
2099 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2100 struct netlink_dump_control c = {
2101 .dump = nf_tables_dump_rules,
2102 .done = nf_tables_dump_rules_done,
2105 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2106 struct nft_rule_dump_ctx *ctx;
2108 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2112 if (nla[NFTA_RULE_TABLE]) {
2113 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2120 if (nla[NFTA_RULE_CHAIN]) {
2121 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2132 return netlink_dump_start(nlsk, skb, nlh, &c);
2135 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2138 return PTR_ERR(table);
2140 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2142 return PTR_ERR(chain);
2144 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2146 return PTR_ERR(rule);
2148 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2152 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2153 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2154 family, table, chain, rule);
2158 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2165 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2166 struct nft_rule *rule)
2168 struct nft_expr *expr;
2171 * Careful: some expressions might not be initialized in case this
2172 * is called on error from nf_tables_newrule().
2174 expr = nft_expr_first(rule);
2175 while (expr != nft_expr_last(rule) && expr->ops) {
2176 nf_tables_expr_destroy(ctx, expr);
2177 expr = nft_expr_next(expr);
2182 #define NFT_RULE_MAXEXPRS 128
2184 static struct nft_expr_info *info;
2186 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2187 struct sk_buff *skb, const struct nlmsghdr *nlh,
2188 const struct nlattr * const nla[],
2189 struct netlink_ext_ack *extack)
2191 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2192 u8 genmask = nft_genmask_next(net);
2193 int family = nfmsg->nfgen_family;
2194 struct nft_table *table;
2195 struct nft_chain *chain;
2196 struct nft_rule *rule, *old_rule = NULL;
2197 struct nft_userdata *udata;
2198 struct nft_trans *trans = NULL;
2199 struct nft_expr *expr;
2202 unsigned int size, i, n, ulen = 0, usize = 0;
2205 u64 handle, pos_handle;
2207 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2209 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2212 return PTR_ERR(table);
2214 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2216 return PTR_ERR(chain);
2218 if (nla[NFTA_RULE_HANDLE]) {
2219 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2220 rule = __nf_tables_rule_lookup(chain, handle);
2222 return PTR_ERR(rule);
2224 if (nlh->nlmsg_flags & NLM_F_EXCL)
2226 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2231 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2233 handle = nf_tables_alloc_handle(table);
2235 if (chain->use == UINT_MAX)
2239 if (nla[NFTA_RULE_POSITION]) {
2240 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2243 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2244 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2245 if (IS_ERR(old_rule))
2246 return PTR_ERR(old_rule);
2249 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2253 if (nla[NFTA_RULE_EXPRESSIONS]) {
2254 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2256 if (nla_type(tmp) != NFTA_LIST_ELEM)
2258 if (n == NFT_RULE_MAXEXPRS)
2260 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2263 size += info[n].ops->size;
2267 /* Check for overflow of dlen field */
2269 if (size >= 1 << 12)
2272 if (nla[NFTA_RULE_USERDATA]) {
2273 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2275 usize = sizeof(struct nft_userdata) + ulen;
2279 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2283 nft_activate_next(net, rule);
2285 rule->handle = handle;
2287 rule->udata = ulen ? 1 : 0;
2290 udata = nft_userdata(rule);
2291 udata->len = ulen - 1;
2292 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2295 expr = nft_expr_first(rule);
2296 for (i = 0; i < n; i++) {
2297 err = nf_tables_newexpr(&ctx, &info[i], expr);
2301 expr = nft_expr_next(expr);
2304 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2305 if (nft_is_active_next(net, old_rule)) {
2306 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2308 if (trans == NULL) {
2312 nft_deactivate_next(net, old_rule);
2314 list_add_tail_rcu(&rule->list, &old_rule->list);
2319 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2321 list_add_rcu(&rule->list, &old_rule->list);
2323 list_add_tail_rcu(&rule->list, &chain->rules);
2326 list_add_tail_rcu(&rule->list, &old_rule->list);
2328 list_add_rcu(&rule->list, &chain->rules);
2331 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2339 list_del_rcu(&rule->list);
2341 nf_tables_rule_destroy(&ctx, rule);
2343 for (i = 0; i < n; i++) {
2344 if (info[i].ops != NULL)
2345 module_put(info[i].ops->type->owner);
2350 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2351 const struct nlattr *nla)
2353 u32 id = ntohl(nla_get_be32(nla));
2354 struct nft_trans *trans;
2356 list_for_each_entry(trans, &net->nft.commit_list, list) {
2357 struct nft_rule *rule = nft_trans_rule(trans);
2359 if (trans->msg_type == NFT_MSG_NEWRULE &&
2360 id == nft_trans_rule_id(trans))
2363 return ERR_PTR(-ENOENT);
2366 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2367 struct sk_buff *skb, const struct nlmsghdr *nlh,
2368 const struct nlattr * const nla[],
2369 struct netlink_ext_ack *extack)
2371 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2372 u8 genmask = nft_genmask_next(net);
2373 struct nft_table *table;
2374 struct nft_chain *chain = NULL;
2375 struct nft_rule *rule;
2376 int family = nfmsg->nfgen_family, err = 0;
2379 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2382 return PTR_ERR(table);
2384 if (nla[NFTA_RULE_CHAIN]) {
2385 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2388 return PTR_ERR(chain);
2391 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2394 if (nla[NFTA_RULE_HANDLE]) {
2395 rule = nf_tables_rule_lookup(chain,
2396 nla[NFTA_RULE_HANDLE]);
2398 return PTR_ERR(rule);
2400 err = nft_delrule(&ctx, rule);
2401 } else if (nla[NFTA_RULE_ID]) {
2402 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2404 return PTR_ERR(rule);
2406 err = nft_delrule(&ctx, rule);
2408 err = nft_delrule_by_chain(&ctx);
2411 list_for_each_entry(chain, &table->chains, list) {
2412 if (!nft_is_active_next(net, chain))
2416 err = nft_delrule_by_chain(&ctx);
2429 static LIST_HEAD(nf_tables_set_types);
2431 int nft_register_set(struct nft_set_type *type)
2433 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2434 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2435 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2438 EXPORT_SYMBOL_GPL(nft_register_set);
2440 void nft_unregister_set(struct nft_set_type *type)
2442 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2443 list_del_rcu(&type->list);
2444 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2446 EXPORT_SYMBOL_GPL(nft_unregister_set);
2448 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2449 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2451 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2453 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2457 * Select a set implementation based on the data characteristics and the
2458 * given policy. The total memory use might not be known if no size is
2459 * given, in that case the amount of memory per element is used.
2461 static const struct nft_set_ops *
2462 nft_select_set_ops(const struct nft_ctx *ctx,
2463 const struct nlattr * const nla[],
2464 const struct nft_set_desc *desc,
2465 enum nft_set_policies policy)
2467 const struct nft_set_ops *ops, *bops;
2468 struct nft_set_estimate est, best;
2469 const struct nft_set_type *type;
2472 #ifdef CONFIG_MODULES
2473 if (list_empty(&nf_tables_set_types)) {
2474 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2475 request_module("nft-set");
2476 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2477 if (!list_empty(&nf_tables_set_types))
2478 return ERR_PTR(-EAGAIN);
2481 if (nla[NFTA_SET_FLAGS] != NULL)
2482 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2489 list_for_each_entry(type, &nf_tables_set_types, list) {
2490 if (!type->select_ops)
2493 ops = type->select_ops(ctx, desc, flags);
2497 if (!nft_set_ops_candidate(ops, flags))
2499 if (!ops->estimate(desc, flags, &est))
2503 case NFT_SET_POL_PERFORMANCE:
2504 if (est.lookup < best.lookup)
2506 if (est.lookup == best.lookup &&
2507 est.space < best.space)
2510 case NFT_SET_POL_MEMORY:
2512 if (est.space < best.space)
2514 if (est.space == best.space &&
2515 est.lookup < best.lookup)
2517 } else if (est.size < best.size) {
2525 if (!try_module_get(type->owner))
2528 module_put(bops->type->owner);
2537 return ERR_PTR(-EOPNOTSUPP);
2540 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2541 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2542 .len = NFT_TABLE_MAXNAMELEN - 1 },
2543 [NFTA_SET_NAME] = { .type = NLA_STRING,
2544 .len = NFT_SET_MAXNAMELEN - 1 },
2545 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2546 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2547 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2548 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2549 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2550 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2551 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2552 [NFTA_SET_ID] = { .type = NLA_U32 },
2553 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2554 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2555 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2556 .len = NFT_USERDATA_MAXLEN },
2557 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2558 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2561 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2562 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2565 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2566 const struct sk_buff *skb,
2567 const struct nlmsghdr *nlh,
2568 const struct nlattr * const nla[],
2571 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2572 int family = nfmsg->nfgen_family;
2573 struct nft_table *table = NULL;
2575 if (nla[NFTA_SET_TABLE] != NULL) {
2576 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
2579 return PTR_ERR(table);
2582 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2586 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2587 const struct nlattr *nla, u8 genmask)
2589 struct nft_set *set;
2592 return ERR_PTR(-EINVAL);
2594 list_for_each_entry(set, &table->sets, list) {
2595 if (!nla_strcmp(nla, set->name) &&
2596 nft_active_genmask(set, genmask))
2599 return ERR_PTR(-ENOENT);
2602 static struct nft_set *nf_tables_set_lookup_byhandle(const struct nft_table *table,
2603 const struct nlattr *nla, u8 genmask)
2605 struct nft_set *set;
2608 return ERR_PTR(-EINVAL);
2610 list_for_each_entry(set, &table->sets, list) {
2611 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2612 nft_active_genmask(set, genmask))
2615 return ERR_PTR(-ENOENT);
2618 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2619 const struct nlattr *nla,
2622 struct nft_trans *trans;
2623 u32 id = ntohl(nla_get_be32(nla));
2625 list_for_each_entry(trans, &net->nft.commit_list, list) {
2626 struct nft_set *set = nft_trans_set(trans);
2628 if (trans->msg_type == NFT_MSG_NEWSET &&
2629 id == nft_trans_set_id(trans) &&
2630 nft_active_genmask(set, genmask))
2633 return ERR_PTR(-ENOENT);
2636 struct nft_set *nft_set_lookup(const struct net *net,
2637 const struct nft_table *table,
2638 const struct nlattr *nla_set_name,
2639 const struct nlattr *nla_set_id,
2642 struct nft_set *set;
2644 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2649 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2653 EXPORT_SYMBOL_GPL(nft_set_lookup);
2655 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2658 const struct nft_set *i;
2660 unsigned long *inuse;
2661 unsigned int n = 0, min = 0;
2663 p = strchr(name, '%');
2665 if (p[1] != 'd' || strchr(p + 2, '%'))
2668 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2672 list_for_each_entry(i, &ctx->table->sets, list) {
2675 if (!nft_is_active_next(ctx->net, set))
2677 if (!sscanf(i->name, name, &tmp))
2679 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2682 set_bit(tmp - min, inuse);
2685 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2686 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2687 min += BITS_PER_BYTE * PAGE_SIZE;
2688 memset(inuse, 0, PAGE_SIZE);
2691 free_page((unsigned long)inuse);
2694 set->name = kasprintf(GFP_KERNEL, name, min + n);
2698 list_for_each_entry(i, &ctx->table->sets, list) {
2699 if (!nft_is_active_next(ctx->net, i))
2701 if (!strcmp(set->name, i->name)) {
2709 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2710 const struct nft_set *set, u16 event, u16 flags)
2712 struct nfgenmsg *nfmsg;
2713 struct nlmsghdr *nlh;
2714 struct nlattr *desc;
2715 u32 portid = ctx->portid;
2718 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2719 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2722 goto nla_put_failure;
2724 nfmsg = nlmsg_data(nlh);
2725 nfmsg->nfgen_family = ctx->family;
2726 nfmsg->version = NFNETLINK_V0;
2727 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2729 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2730 goto nla_put_failure;
2731 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2732 goto nla_put_failure;
2733 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2735 goto nla_put_failure;
2736 if (set->flags != 0)
2737 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2738 goto nla_put_failure;
2740 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2741 goto nla_put_failure;
2742 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2743 goto nla_put_failure;
2744 if (set->flags & NFT_SET_MAP) {
2745 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2746 goto nla_put_failure;
2747 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2748 goto nla_put_failure;
2750 if (set->flags & NFT_SET_OBJECT &&
2751 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2752 goto nla_put_failure;
2755 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2756 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2758 goto nla_put_failure;
2760 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2761 goto nla_put_failure;
2763 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2764 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2765 goto nla_put_failure;
2768 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2769 goto nla_put_failure;
2771 desc = nla_nest_start(skb, NFTA_SET_DESC);
2773 goto nla_put_failure;
2775 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2776 goto nla_put_failure;
2777 nla_nest_end(skb, desc);
2779 nlmsg_end(skb, nlh);
2783 nlmsg_trim(skb, nlh);
2787 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2788 const struct nft_set *set, int event,
2791 struct sk_buff *skb;
2792 u32 portid = ctx->portid;
2796 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2799 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2803 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2809 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2813 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2816 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2818 const struct nft_set *set;
2819 unsigned int idx, s_idx = cb->args[0];
2820 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2821 struct net *net = sock_net(skb->sk);
2822 struct nft_ctx *ctx = cb->data, ctx_set;
2828 cb->seq = net->nft.base_seq;
2830 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2831 if (ctx->family != NFPROTO_UNSPEC &&
2832 ctx->family != table->family)
2835 if (ctx->table && ctx->table != table)
2839 if (cur_table != table)
2845 list_for_each_entry_rcu(set, &table->sets, list) {
2848 if (!nft_is_active(net, set))
2852 ctx_set.table = table;
2853 ctx_set.family = table->family;
2855 if (nf_tables_fill_set(skb, &ctx_set, set,
2859 cb->args[2] = (unsigned long) table;
2862 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2875 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2881 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2882 struct sk_buff *skb, const struct nlmsghdr *nlh,
2883 const struct nlattr * const nla[],
2884 struct netlink_ext_ack *extack)
2886 u8 genmask = nft_genmask_cur(net);
2887 const struct nft_set *set;
2889 struct sk_buff *skb2;
2890 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2893 /* Verify existence before starting dump */
2894 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2898 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2899 struct netlink_dump_control c = {
2900 .dump = nf_tables_dump_sets,
2901 .done = nf_tables_dump_sets_done,
2903 struct nft_ctx *ctx_dump;
2905 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2906 if (ctx_dump == NULL)
2912 return netlink_dump_start(nlsk, skb, nlh, &c);
2915 /* Only accept unspec with dump */
2916 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2917 return -EAFNOSUPPORT;
2918 if (!nla[NFTA_SET_TABLE])
2921 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2923 return PTR_ERR(set);
2925 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2929 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2933 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2940 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2941 struct nft_set_desc *desc,
2942 const struct nlattr *nla)
2944 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2947 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
2948 nft_set_desc_policy, NULL);
2952 if (da[NFTA_SET_DESC_SIZE] != NULL)
2953 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2958 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2959 struct sk_buff *skb, const struct nlmsghdr *nlh,
2960 const struct nlattr * const nla[],
2961 struct netlink_ext_ack *extack)
2963 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2964 u8 genmask = nft_genmask_next(net);
2965 int family = nfmsg->nfgen_family;
2966 const struct nft_set_ops *ops;
2967 struct nft_table *table;
2968 struct nft_set *set;
2974 u32 ktype, dtype, flags, policy, gc_int, objtype;
2975 struct nft_set_desc desc;
2976 unsigned char *udata;
2980 if (nla[NFTA_SET_TABLE] == NULL ||
2981 nla[NFTA_SET_NAME] == NULL ||
2982 nla[NFTA_SET_KEY_LEN] == NULL ||
2983 nla[NFTA_SET_ID] == NULL)
2986 memset(&desc, 0, sizeof(desc));
2988 ktype = NFT_DATA_VALUE;
2989 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2990 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2991 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2995 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2996 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3000 if (nla[NFTA_SET_FLAGS] != NULL) {
3001 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3002 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3003 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3004 NFT_SET_MAP | NFT_SET_EVAL |
3007 /* Only one of these operations is supported */
3008 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3009 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3014 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3015 if (!(flags & NFT_SET_MAP))
3018 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3019 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3020 dtype != NFT_DATA_VERDICT)
3023 if (dtype != NFT_DATA_VERDICT) {
3024 if (nla[NFTA_SET_DATA_LEN] == NULL)
3026 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3027 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3030 desc.dlen = sizeof(struct nft_verdict);
3031 } else if (flags & NFT_SET_MAP)
3034 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3035 if (!(flags & NFT_SET_OBJECT))
3038 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3039 if (objtype == NFT_OBJECT_UNSPEC ||
3040 objtype > NFT_OBJECT_MAX)
3042 } else if (flags & NFT_SET_OBJECT)
3045 objtype = NFT_OBJECT_UNSPEC;
3048 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3049 if (!(flags & NFT_SET_TIMEOUT))
3051 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3052 nla[NFTA_SET_TIMEOUT])));
3055 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3056 if (!(flags & NFT_SET_TIMEOUT))
3058 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3061 policy = NFT_SET_POL_PERFORMANCE;
3062 if (nla[NFTA_SET_POLICY] != NULL)
3063 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3065 if (nla[NFTA_SET_DESC] != NULL) {
3066 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3071 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3073 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], family,
3076 return PTR_ERR(table);
3078 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3080 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3082 if (PTR_ERR(set) != -ENOENT)
3083 return PTR_ERR(set);
3085 if (nlh->nlmsg_flags & NLM_F_EXCL)
3087 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3092 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3095 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3097 return PTR_ERR(ops);
3100 if (nla[NFTA_SET_USERDATA])
3101 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3104 if (ops->privsize != NULL)
3105 size = ops->privsize(nla, &desc);
3107 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3113 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3119 err = nf_tables_set_alloc_name(&ctx, set, name);
3126 udata = set->data + size;
3127 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3130 INIT_LIST_HEAD(&set->bindings);
3133 set->klen = desc.klen;
3135 set->objtype = objtype;
3136 set->dlen = desc.dlen;
3138 set->size = desc.size;
3139 set->policy = policy;
3142 set->timeout = timeout;
3143 set->gc_int = gc_int;
3144 set->handle = nf_tables_alloc_handle(table);
3146 err = ops->init(set, &desc, nla);
3150 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3154 list_add_tail_rcu(&set->list, &table->sets);
3163 module_put(ops->type->owner);
3167 static void nft_set_destroy(struct nft_set *set)
3169 set->ops->destroy(set);
3170 module_put(set->ops->type->owner);
3175 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3177 list_del_rcu(&set->list);
3178 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3179 nft_set_destroy(set);
3182 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3183 struct sk_buff *skb, const struct nlmsghdr *nlh,
3184 const struct nlattr * const nla[],
3185 struct netlink_ext_ack *extack)
3187 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3188 u8 genmask = nft_genmask_next(net);
3189 struct nft_set *set;
3193 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3194 return -EAFNOSUPPORT;
3195 if (nla[NFTA_SET_TABLE] == NULL)
3198 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3202 if (nla[NFTA_SET_HANDLE])
3203 set = nf_tables_set_lookup_byhandle(ctx.table, nla[NFTA_SET_HANDLE], genmask);
3205 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3207 return PTR_ERR(set);
3209 if (!list_empty(&set->bindings) ||
3210 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3213 return nft_delset(&ctx, set);
3216 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3217 struct nft_set *set,
3218 const struct nft_set_iter *iter,
3219 struct nft_set_elem *elem)
3221 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3222 enum nft_registers dreg;
3224 dreg = nft_type_to_reg(set->dtype);
3225 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3226 set->dtype == NFT_DATA_VERDICT ?
3227 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3231 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3232 struct nft_set_binding *binding)
3234 struct nft_set_binding *i;
3235 struct nft_set_iter iter;
3237 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3240 if (binding->flags & NFT_SET_MAP) {
3241 /* If the set is already bound to the same chain all
3242 * jumps are already validated for that chain.
3244 list_for_each_entry(i, &set->bindings, list) {
3245 if (i->flags & NFT_SET_MAP &&
3246 i->chain == binding->chain)
3250 iter.genmask = nft_genmask_next(ctx->net);
3254 iter.fn = nf_tables_bind_check_setelem;
3256 set->ops->walk(ctx, set, &iter);
3261 binding->chain = ctx->chain;
3262 list_add_tail_rcu(&binding->list, &set->bindings);
3265 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3267 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3268 struct nft_set_binding *binding)
3270 list_del_rcu(&binding->list);
3272 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3273 nft_is_active(ctx->net, set))
3274 nf_tables_set_destroy(ctx, set);
3276 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3278 const struct nft_set_ext_type nft_set_ext_types[] = {
3279 [NFT_SET_EXT_KEY] = {
3280 .align = __alignof__(u32),
3282 [NFT_SET_EXT_DATA] = {
3283 .align = __alignof__(u32),
3285 [NFT_SET_EXT_EXPR] = {
3286 .align = __alignof__(struct nft_expr),
3288 [NFT_SET_EXT_OBJREF] = {
3289 .len = sizeof(struct nft_object *),
3290 .align = __alignof__(struct nft_object *),
3292 [NFT_SET_EXT_FLAGS] = {
3294 .align = __alignof__(u8),
3296 [NFT_SET_EXT_TIMEOUT] = {
3298 .align = __alignof__(u64),
3300 [NFT_SET_EXT_EXPIRATION] = {
3301 .len = sizeof(unsigned long),
3302 .align = __alignof__(unsigned long),
3304 [NFT_SET_EXT_USERDATA] = {
3305 .len = sizeof(struct nft_userdata),
3306 .align = __alignof__(struct nft_userdata),
3309 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3315 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3316 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3317 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3318 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3319 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3320 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3321 .len = NFT_USERDATA_MAXLEN },
3324 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3325 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3326 .len = NFT_TABLE_MAXNAMELEN - 1 },
3327 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3328 .len = NFT_SET_MAXNAMELEN - 1 },
3329 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3330 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3333 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3334 const struct sk_buff *skb,
3335 const struct nlmsghdr *nlh,
3336 const struct nlattr * const nla[],
3339 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3340 int family = nfmsg->nfgen_family;
3341 struct nft_table *table;
3343 table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
3346 return PTR_ERR(table);
3348 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3352 static int nf_tables_fill_setelem(struct sk_buff *skb,
3353 const struct nft_set *set,
3354 const struct nft_set_elem *elem)
3356 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3357 unsigned char *b = skb_tail_pointer(skb);
3358 struct nlattr *nest;
3360 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3362 goto nla_put_failure;
3364 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3365 NFT_DATA_VALUE, set->klen) < 0)
3366 goto nla_put_failure;
3368 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3369 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3370 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3372 goto nla_put_failure;
3374 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3375 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3376 goto nla_put_failure;
3378 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3379 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3380 (*nft_set_ext_obj(ext))->name) < 0)
3381 goto nla_put_failure;
3383 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3384 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3385 htonl(*nft_set_ext_flags(ext))))
3386 goto nla_put_failure;
3388 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3389 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3390 cpu_to_be64(jiffies_to_msecs(
3391 *nft_set_ext_timeout(ext))),
3393 goto nla_put_failure;
3395 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3396 unsigned long expires, now = jiffies;
3398 expires = *nft_set_ext_expiration(ext);
3399 if (time_before(now, expires))
3404 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3405 cpu_to_be64(jiffies_to_msecs(expires)),
3407 goto nla_put_failure;
3410 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3411 struct nft_userdata *udata;
3413 udata = nft_set_ext_userdata(ext);
3414 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3415 udata->len + 1, udata->data))
3416 goto nla_put_failure;
3419 nla_nest_end(skb, nest);
3427 struct nft_set_dump_args {
3428 const struct netlink_callback *cb;
3429 struct nft_set_iter iter;
3430 struct sk_buff *skb;
3433 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3434 struct nft_set *set,
3435 const struct nft_set_iter *iter,
3436 struct nft_set_elem *elem)
3438 struct nft_set_dump_args *args;
3440 args = container_of(iter, struct nft_set_dump_args, iter);
3441 return nf_tables_fill_setelem(args->skb, set, elem);
3444 struct nft_set_dump_ctx {
3445 const struct nft_set *set;
3449 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3451 struct nft_set_dump_ctx *dump_ctx = cb->data;
3452 struct net *net = sock_net(skb->sk);
3453 struct nft_table *table;
3454 struct nft_set *set;
3455 struct nft_set_dump_args args;
3456 bool set_found = false;
3457 struct nfgenmsg *nfmsg;
3458 struct nlmsghdr *nlh;
3459 struct nlattr *nest;
3464 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3465 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3466 dump_ctx->ctx.family != table->family)
3469 if (table != dump_ctx->ctx.table)
3472 list_for_each_entry_rcu(set, &table->sets, list) {
3473 if (set == dump_ctx->set) {
3486 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3487 portid = NETLINK_CB(cb->skb).portid;
3488 seq = cb->nlh->nlmsg_seq;
3490 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3493 goto nla_put_failure;
3495 nfmsg = nlmsg_data(nlh);
3496 nfmsg->nfgen_family = table->family;
3497 nfmsg->version = NFNETLINK_V0;
3498 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3500 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3501 goto nla_put_failure;
3502 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3503 goto nla_put_failure;
3505 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3507 goto nla_put_failure;
3511 args.iter.genmask = nft_genmask_cur(net);
3512 args.iter.skip = cb->args[0];
3513 args.iter.count = 0;
3515 args.iter.fn = nf_tables_dump_setelem;
3516 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3519 nla_nest_end(skb, nest);
3520 nlmsg_end(skb, nlh);
3522 if (args.iter.err && args.iter.err != -EMSGSIZE)
3523 return args.iter.err;
3524 if (args.iter.count == cb->args[0])
3527 cb->args[0] = args.iter.count;
3535 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3541 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3542 const struct nft_ctx *ctx, u32 seq,
3543 u32 portid, int event, u16 flags,
3544 const struct nft_set *set,
3545 const struct nft_set_elem *elem)
3547 struct nfgenmsg *nfmsg;
3548 struct nlmsghdr *nlh;
3549 struct nlattr *nest;
3552 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3553 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3556 goto nla_put_failure;
3558 nfmsg = nlmsg_data(nlh);
3559 nfmsg->nfgen_family = ctx->family;
3560 nfmsg->version = NFNETLINK_V0;
3561 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3563 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3564 goto nla_put_failure;
3565 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3566 goto nla_put_failure;
3568 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3570 goto nla_put_failure;
3572 err = nf_tables_fill_setelem(skb, set, elem);
3574 goto nla_put_failure;
3576 nla_nest_end(skb, nest);
3578 nlmsg_end(skb, nlh);
3582 nlmsg_trim(skb, nlh);
3586 static int nft_setelem_parse_flags(const struct nft_set *set,
3587 const struct nlattr *attr, u32 *flags)
3592 *flags = ntohl(nla_get_be32(attr));
3593 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3595 if (!(set->flags & NFT_SET_INTERVAL) &&
3596 *flags & NFT_SET_ELEM_INTERVAL_END)
3602 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3603 const struct nlattr *attr)
3605 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3606 const struct nft_set_ext *ext;
3607 struct nft_data_desc desc;
3608 struct nft_set_elem elem;
3609 struct sk_buff *skb;
3614 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3615 nft_set_elem_policy, NULL);
3619 if (!nla[NFTA_SET_ELEM_KEY])
3622 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3626 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3627 nla[NFTA_SET_ELEM_KEY]);
3632 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3635 priv = set->ops->get(ctx->net, set, &elem, flags);
3637 return PTR_ERR(priv);
3640 ext = nft_set_elem_ext(set, &elem);
3643 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3647 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3648 NFT_MSG_NEWSETELEM, 0, set, &elem);
3652 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3653 /* This avoids a loop in nfnetlink. */
3661 /* this avoids a loop in nfnetlink. */
3662 return err == -EAGAIN ? -ENOBUFS : err;
3665 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3666 struct sk_buff *skb, const struct nlmsghdr *nlh,
3667 const struct nlattr * const nla[],
3668 struct netlink_ext_ack *extack)
3670 u8 genmask = nft_genmask_cur(net);
3671 struct nft_set *set;
3672 struct nlattr *attr;
3676 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3680 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3683 return PTR_ERR(set);
3685 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3686 struct netlink_dump_control c = {
3687 .dump = nf_tables_dump_set,
3688 .done = nf_tables_dump_set_done,
3690 struct nft_set_dump_ctx *dump_ctx;
3692 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3696 dump_ctx->set = set;
3697 dump_ctx->ctx = ctx;
3700 return netlink_dump_start(nlsk, skb, nlh, &c);
3703 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3706 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3707 err = nft_get_set_elem(&ctx, set, attr);
3715 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3716 const struct nft_set *set,
3717 const struct nft_set_elem *elem,
3718 int event, u16 flags)
3720 struct net *net = ctx->net;
3721 u32 portid = ctx->portid;
3722 struct sk_buff *skb;
3725 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3728 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3732 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3739 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3743 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3746 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3748 struct nft_set *set)
3750 struct nft_trans *trans;
3752 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3756 nft_trans_elem_set(trans) = set;
3760 void *nft_set_elem_init(const struct nft_set *set,
3761 const struct nft_set_ext_tmpl *tmpl,
3762 const u32 *key, const u32 *data,
3763 u64 timeout, gfp_t gfp)
3765 struct nft_set_ext *ext;
3768 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3772 ext = nft_set_elem_ext(set, elem);
3773 nft_set_ext_init(ext, tmpl);
3775 memcpy(nft_set_ext_key(ext), key, set->klen);
3776 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3777 memcpy(nft_set_ext_data(ext), data, set->dlen);
3778 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3779 *nft_set_ext_expiration(ext) =
3781 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3782 *nft_set_ext_timeout(ext) = timeout;
3787 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3790 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3792 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3793 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3794 nft_data_release(nft_set_ext_data(ext), set->dtype);
3795 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3796 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3797 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3798 (*nft_set_ext_obj(ext))->use--;
3801 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3803 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3804 * the refcounting from the preparation phase.
3806 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3808 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3810 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3811 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3815 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3816 const struct nlattr *attr, u32 nlmsg_flags)
3818 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3819 u8 genmask = nft_genmask_next(ctx->net);
3820 struct nft_data_desc d1, d2;
3821 struct nft_set_ext_tmpl tmpl;
3822 struct nft_set_ext *ext, *ext2;
3823 struct nft_set_elem elem;
3824 struct nft_set_binding *binding;
3825 struct nft_object *obj = NULL;
3826 struct nft_userdata *udata;
3827 struct nft_data data;
3828 enum nft_registers dreg;
3829 struct nft_trans *trans;
3835 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3836 nft_set_elem_policy, NULL);
3840 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3843 nft_set_ext_prepare(&tmpl);
3845 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3849 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3851 if (set->flags & NFT_SET_MAP) {
3852 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3853 !(flags & NFT_SET_ELEM_INTERVAL_END))
3855 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3856 flags & NFT_SET_ELEM_INTERVAL_END)
3859 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3864 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3865 if (!(set->flags & NFT_SET_TIMEOUT))
3867 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3868 nla[NFTA_SET_ELEM_TIMEOUT])));
3869 } else if (set->flags & NFT_SET_TIMEOUT) {
3870 timeout = set->timeout;
3873 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3874 nla[NFTA_SET_ELEM_KEY]);
3878 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3881 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3883 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3884 if (timeout != set->timeout)
3885 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3888 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3889 if (!(set->flags & NFT_SET_OBJECT)) {
3893 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3894 set->objtype, genmask);
3899 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3902 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3903 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3904 nla[NFTA_SET_ELEM_DATA]);
3909 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3912 dreg = nft_type_to_reg(set->dtype);
3913 list_for_each_entry(binding, &set->bindings, list) {
3914 struct nft_ctx bind_ctx = {
3916 .family = ctx->family,
3917 .table = ctx->table,
3918 .chain = (struct nft_chain *)binding->chain,
3921 if (!(binding->flags & NFT_SET_MAP))
3924 err = nft_validate_register_store(&bind_ctx, dreg,
3931 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3934 /* The full maximum length of userdata can exceed the maximum
3935 * offset value (U8_MAX) for following extensions, therefor it
3936 * must be the last extension added.
3939 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3940 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3942 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3947 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3948 timeout, GFP_KERNEL);
3949 if (elem.priv == NULL)
3952 ext = nft_set_elem_ext(set, elem.priv);
3954 *nft_set_ext_flags(ext) = flags;
3956 udata = nft_set_ext_userdata(ext);
3957 udata->len = ulen - 1;
3958 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3961 *nft_set_ext_obj(ext) = obj;
3965 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3969 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3970 err = set->ops->insert(ctx->net, set, &elem, &ext2);
3972 if (err == -EEXIST) {
3973 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
3974 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
3975 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
3976 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
3978 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3979 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
3980 memcmp(nft_set_ext_data(ext),
3981 nft_set_ext_data(ext2), set->dlen) != 0) ||
3982 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3983 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
3984 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
3986 else if (!(nlmsg_flags & NLM_F_EXCL))
3993 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
3998 nft_trans_elem(trans) = elem;
3999 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4003 set->ops->remove(ctx->net, set, &elem);
4009 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4010 nft_data_release(&data, d2.type);
4012 nft_data_release(&elem.key.val, d1.type);
4017 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4018 struct sk_buff *skb, const struct nlmsghdr *nlh,
4019 const struct nlattr * const nla[],
4020 struct netlink_ext_ack *extack)
4022 u8 genmask = nft_genmask_next(net);
4023 const struct nlattr *attr;
4024 struct nft_set *set;
4028 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4031 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4035 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4038 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4039 set = nf_tables_set_lookup_byid(net,
4040 nla[NFTA_SET_ELEM_LIST_SET_ID],
4044 return PTR_ERR(set);
4047 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4050 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4051 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4059 * nft_data_hold - hold a nft_data item
4061 * @data: struct nft_data to release
4062 * @type: type of data
4064 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4065 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4066 * NFT_GOTO verdicts. This function must be called on active data objects
4067 * from the second phase of the commit protocol.
4069 static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4071 if (type == NFT_DATA_VERDICT) {
4072 switch (data->verdict.code) {
4075 data->verdict.chain->use++;
4081 static void nft_set_elem_activate(const struct net *net,
4082 const struct nft_set *set,
4083 struct nft_set_elem *elem)
4085 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4087 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4088 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4089 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4090 (*nft_set_ext_obj(ext))->use++;
4093 static void nft_set_elem_deactivate(const struct net *net,
4094 const struct nft_set *set,
4095 struct nft_set_elem *elem)
4097 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4099 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4100 nft_data_release(nft_set_ext_data(ext), set->dtype);
4101 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4102 (*nft_set_ext_obj(ext))->use--;
4105 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4106 const struct nlattr *attr)
4108 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4109 struct nft_set_ext_tmpl tmpl;
4110 struct nft_data_desc desc;
4111 struct nft_set_elem elem;
4112 struct nft_set_ext *ext;
4113 struct nft_trans *trans;
4118 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4119 nft_set_elem_policy, NULL);
4124 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4127 nft_set_ext_prepare(&tmpl);
4129 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4133 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4135 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4136 nla[NFTA_SET_ELEM_KEY]);
4141 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4144 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4147 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4149 if (elem.priv == NULL)
4152 ext = nft_set_elem_ext(set, elem.priv);
4154 *nft_set_ext_flags(ext) = flags;
4156 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4157 if (trans == NULL) {
4162 priv = set->ops->deactivate(ctx->net, set, &elem);
4170 nft_set_elem_deactivate(ctx->net, set, &elem);
4172 nft_trans_elem(trans) = elem;
4173 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4181 nft_data_release(&elem.key.val, desc.type);
4186 static int nft_flush_set(const struct nft_ctx *ctx,
4187 struct nft_set *set,
4188 const struct nft_set_iter *iter,
4189 struct nft_set_elem *elem)
4191 struct nft_trans *trans;
4194 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4195 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4199 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4205 nft_trans_elem_set(trans) = set;
4206 nft_trans_elem(trans) = *elem;
4207 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4215 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4216 struct sk_buff *skb, const struct nlmsghdr *nlh,
4217 const struct nlattr * const nla[],
4218 struct netlink_ext_ack *extack)
4220 u8 genmask = nft_genmask_next(net);
4221 const struct nlattr *attr;
4222 struct nft_set *set;
4226 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4230 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4233 return PTR_ERR(set);
4234 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4237 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4238 struct nft_set_iter iter = {
4240 .fn = nft_flush_set,
4242 set->ops->walk(&ctx, set, &iter);
4247 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4248 err = nft_del_setelem(&ctx, set, attr);
4257 void nft_set_gc_batch_release(struct rcu_head *rcu)
4259 struct nft_set_gc_batch *gcb;
4262 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4263 for (i = 0; i < gcb->head.cnt; i++)
4264 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4267 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4269 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4272 struct nft_set_gc_batch *gcb;
4274 gcb = kzalloc(sizeof(*gcb), gfp);
4277 gcb->head.set = set;
4280 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4287 * nft_register_obj- register nf_tables stateful object type
4290 * Registers the object type for use with nf_tables. Returns zero on
4291 * success or a negative errno code otherwise.
4293 int nft_register_obj(struct nft_object_type *obj_type)
4295 if (obj_type->type == NFT_OBJECT_UNSPEC)
4298 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4299 list_add_rcu(&obj_type->list, &nf_tables_objects);
4300 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4303 EXPORT_SYMBOL_GPL(nft_register_obj);
4306 * nft_unregister_obj - unregister nf_tables object type
4309 * Unregisters the object type for use with nf_tables.
4311 void nft_unregister_obj(struct nft_object_type *obj_type)
4313 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4314 list_del_rcu(&obj_type->list);
4315 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4317 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4319 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4320 const struct nlattr *nla,
4321 u32 objtype, u8 genmask)
4323 struct nft_object *obj;
4325 list_for_each_entry(obj, &table->objects, list) {
4326 if (!nla_strcmp(nla, obj->name) &&
4327 objtype == obj->ops->type->type &&
4328 nft_active_genmask(obj, genmask))
4331 return ERR_PTR(-ENOENT);
4333 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4335 static struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
4336 const struct nlattr *nla,
4337 u32 objtype, u8 genmask)
4339 struct nft_object *obj;
4341 list_for_each_entry(obj, &table->objects, list) {
4342 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4343 objtype == obj->ops->type->type &&
4344 nft_active_genmask(obj, genmask))
4347 return ERR_PTR(-ENOENT);
4350 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4351 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4352 .len = NFT_TABLE_MAXNAMELEN - 1 },
4353 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4354 .len = NFT_OBJ_MAXNAMELEN - 1 },
4355 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4356 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4357 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4360 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4361 const struct nft_object_type *type,
4362 const struct nlattr *attr)
4365 const struct nft_object_ops *ops;
4366 struct nft_object *obj;
4369 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4374 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4379 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4382 if (type->select_ops) {
4383 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4393 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4397 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4410 return ERR_PTR(err);
4413 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4414 struct nft_object *obj, bool reset)
4416 struct nlattr *nest;
4418 nest = nla_nest_start(skb, attr);
4420 goto nla_put_failure;
4421 if (obj->ops->dump(skb, obj, reset) < 0)
4422 goto nla_put_failure;
4423 nla_nest_end(skb, nest);
4430 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4432 const struct nft_object_type *type;
4434 list_for_each_entry(type, &nf_tables_objects, list) {
4435 if (objtype == type->type)
4441 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4443 const struct nft_object_type *type;
4445 type = __nft_obj_type_get(objtype);
4446 if (type != NULL && try_module_get(type->owner))
4449 #ifdef CONFIG_MODULES
4451 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4452 request_module("nft-obj-%u", objtype);
4453 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4454 if (__nft_obj_type_get(objtype))
4455 return ERR_PTR(-EAGAIN);
4458 return ERR_PTR(-ENOENT);
4461 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4462 struct sk_buff *skb, const struct nlmsghdr *nlh,
4463 const struct nlattr * const nla[],
4464 struct netlink_ext_ack *extack)
4466 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4467 const struct nft_object_type *type;
4468 u8 genmask = nft_genmask_next(net);
4469 int family = nfmsg->nfgen_family;
4470 struct nft_table *table;
4471 struct nft_object *obj;
4476 if (!nla[NFTA_OBJ_TYPE] ||
4477 !nla[NFTA_OBJ_NAME] ||
4478 !nla[NFTA_OBJ_DATA])
4481 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4484 return PTR_ERR(table);
4486 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4487 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4494 if (nlh->nlmsg_flags & NLM_F_EXCL)
4500 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4502 type = nft_obj_type_get(objtype);
4504 return PTR_ERR(type);
4506 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4512 obj->handle = nf_tables_alloc_handle(table);
4514 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4520 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4524 list_add_tail_rcu(&obj->list, &table->objects);
4530 if (obj->ops->destroy)
4531 obj->ops->destroy(obj);
4534 module_put(type->owner);
4538 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4539 u32 portid, u32 seq, int event, u32 flags,
4540 int family, const struct nft_table *table,
4541 struct nft_object *obj, bool reset)
4543 struct nfgenmsg *nfmsg;
4544 struct nlmsghdr *nlh;
4546 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4547 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4549 goto nla_put_failure;
4551 nfmsg = nlmsg_data(nlh);
4552 nfmsg->nfgen_family = family;
4553 nfmsg->version = NFNETLINK_V0;
4554 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4556 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4557 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4558 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4559 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4560 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4561 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4563 goto nla_put_failure;
4565 nlmsg_end(skb, nlh);
4569 nlmsg_trim(skb, nlh);
4573 struct nft_obj_filter {
4578 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4580 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4581 const struct nft_table *table;
4582 unsigned int idx = 0, s_idx = cb->args[0];
4583 struct nft_obj_filter *filter = cb->data;
4584 struct net *net = sock_net(skb->sk);
4585 int family = nfmsg->nfgen_family;
4586 struct nft_object *obj;
4589 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4593 cb->seq = net->nft.base_seq;
4595 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4596 if (family != NFPROTO_UNSPEC && family != table->family)
4599 list_for_each_entry_rcu(obj, &table->objects, list) {
4600 if (!nft_is_active(net, obj))
4605 memset(&cb->args[1], 0,
4606 sizeof(cb->args) - sizeof(cb->args[0]));
4607 if (filter && filter->table[0] &&
4608 strcmp(filter->table, table->name))
4611 filter->type != NFT_OBJECT_UNSPEC &&
4612 obj->ops->type->type != filter->type)
4615 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4618 NLM_F_MULTI | NLM_F_APPEND,
4619 table->family, table,
4623 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4635 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4637 struct nft_obj_filter *filter = cb->data;
4640 kfree(filter->table);
4647 static struct nft_obj_filter *
4648 nft_obj_filter_alloc(const struct nlattr * const nla[])
4650 struct nft_obj_filter *filter;
4652 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4654 return ERR_PTR(-ENOMEM);
4656 if (nla[NFTA_OBJ_TABLE]) {
4657 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4658 if (!filter->table) {
4660 return ERR_PTR(-ENOMEM);
4663 if (nla[NFTA_OBJ_TYPE])
4664 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4669 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4670 struct sk_buff *skb, const struct nlmsghdr *nlh,
4671 const struct nlattr * const nla[],
4672 struct netlink_ext_ack *extack)
4674 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4675 u8 genmask = nft_genmask_cur(net);
4676 int family = nfmsg->nfgen_family;
4677 const struct nft_table *table;
4678 struct nft_object *obj;
4679 struct sk_buff *skb2;
4684 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4685 struct netlink_dump_control c = {
4686 .dump = nf_tables_dump_obj,
4687 .done = nf_tables_dump_obj_done,
4690 if (nla[NFTA_OBJ_TABLE] ||
4691 nla[NFTA_OBJ_TYPE]) {
4692 struct nft_obj_filter *filter;
4694 filter = nft_obj_filter_alloc(nla);
4700 return netlink_dump_start(nlsk, skb, nlh, &c);
4703 if (!nla[NFTA_OBJ_NAME] ||
4704 !nla[NFTA_OBJ_TYPE])
4707 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4710 return PTR_ERR(table);
4712 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4713 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4715 return PTR_ERR(obj);
4717 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4721 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4724 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4725 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4726 family, table, obj, reset);
4730 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4736 static void nft_obj_destroy(struct nft_object *obj)
4738 if (obj->ops->destroy)
4739 obj->ops->destroy(obj);
4741 module_put(obj->ops->type->owner);
4746 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4747 struct sk_buff *skb, const struct nlmsghdr *nlh,
4748 const struct nlattr * const nla[],
4749 struct netlink_ext_ack *extack)
4751 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4752 u8 genmask = nft_genmask_next(net);
4753 int family = nfmsg->nfgen_family;
4754 struct nft_table *table;
4755 struct nft_object *obj;
4759 if (!nla[NFTA_OBJ_TYPE] ||
4760 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4763 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4766 return PTR_ERR(table);
4768 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4769 if (nla[NFTA_OBJ_HANDLE])
4770 obj = nf_tables_obj_lookup_byhandle(table, nla[NFTA_OBJ_HANDLE],
4773 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME],
4776 return PTR_ERR(obj);
4780 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4782 return nft_delobj(&ctx, obj);
4785 void nft_obj_notify(struct net *net, struct nft_table *table,
4786 struct nft_object *obj, u32 portid, u32 seq, int event,
4787 int family, int report, gfp_t gfp)
4789 struct sk_buff *skb;
4793 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4796 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4800 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4807 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4810 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4812 EXPORT_SYMBOL_GPL(nft_obj_notify);
4814 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4815 struct nft_object *obj, int event)
4817 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4818 ctx->family, ctx->report, GFP_KERNEL);
4824 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4826 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4827 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4828 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4830 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4832 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4834 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4835 list_del_rcu(&type->list);
4836 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4838 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4840 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4841 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4842 .len = NFT_NAME_MAXLEN - 1 },
4843 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4844 .len = NFT_NAME_MAXLEN - 1 },
4845 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4846 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
4849 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
4850 const struct nlattr *nla,
4853 struct nft_flowtable *flowtable;
4855 list_for_each_entry(flowtable, &table->flowtables, list) {
4856 if (!nla_strcmp(nla, flowtable->name) &&
4857 nft_active_genmask(flowtable, genmask))
4860 return ERR_PTR(-ENOENT);
4862 EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
4864 static struct nft_flowtable *
4865 nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
4866 const struct nlattr *nla, u8 genmask)
4868 struct nft_flowtable *flowtable;
4870 list_for_each_entry(flowtable, &table->flowtables, list) {
4871 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
4872 nft_active_genmask(flowtable, genmask))
4875 return ERR_PTR(-ENOENT);
4878 #define NFT_FLOWTABLE_DEVICE_MAX 8
4880 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4881 const struct nlattr *attr,
4882 struct net_device *dev_array[], int *len)
4884 const struct nlattr *tmp;
4885 struct net_device *dev;
4886 char ifname[IFNAMSIZ];
4887 int rem, n = 0, err;
4889 nla_for_each_nested(tmp, attr, rem) {
4890 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
4895 nla_strlcpy(ifname, tmp, IFNAMSIZ);
4896 dev = dev_get_by_name(ctx->net, ifname);
4902 dev_array[n++] = dev;
4903 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
4917 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
4918 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
4919 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
4920 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
4923 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
4924 const struct nlattr *attr,
4925 struct nft_flowtable *flowtable)
4927 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
4928 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
4929 struct nf_hook_ops *ops;
4930 int hooknum, priority;
4933 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
4934 nft_flowtable_hook_policy, NULL);
4938 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
4939 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
4940 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
4943 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
4944 if (hooknum != NF_NETDEV_INGRESS)
4947 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
4949 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
4954 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
4960 flowtable->hooknum = hooknum;
4961 flowtable->priority = priority;
4962 flowtable->ops = ops;
4963 flowtable->ops_len = n;
4965 for (i = 0; i < n; i++) {
4966 flowtable->ops[i].pf = NFPROTO_NETDEV;
4967 flowtable->ops[i].hooknum = hooknum;
4968 flowtable->ops[i].priority = priority;
4969 flowtable->ops[i].priv = &flowtable->data.rhashtable;
4970 flowtable->ops[i].hook = flowtable->data.type->hook;
4971 flowtable->ops[i].dev = dev_array[i];
4976 for (i = 0; i < n; i++)
4977 dev_put(dev_array[i]);
4982 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
4984 const struct nf_flowtable_type *type;
4986 list_for_each_entry(type, &nf_tables_flowtables, list) {
4987 if (family == type->family)
4993 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
4995 const struct nf_flowtable_type *type;
4997 type = __nft_flowtable_type_get(family);
4998 if (type != NULL && try_module_get(type->owner))
5001 #ifdef CONFIG_MODULES
5003 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5004 request_module("nf-flowtable-%u", family);
5005 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5006 if (__nft_flowtable_type_get(family))
5007 return ERR_PTR(-EAGAIN);
5010 return ERR_PTR(-ENOENT);
5013 void nft_flow_table_iterate(struct net *net,
5014 void (*iter)(struct nf_flowtable *flowtable, void *data),
5017 struct nft_flowtable *flowtable;
5018 const struct nft_table *table;
5020 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5021 list_for_each_entry(table, &net->nft.tables, list) {
5022 list_for_each_entry(flowtable, &table->flowtables, list) {
5023 iter(&flowtable->data, data);
5026 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5028 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
5030 static void nft_unregister_flowtable_net_hooks(struct net *net,
5031 struct nft_flowtable *flowtable)
5035 for (i = 0; i < flowtable->ops_len; i++) {
5036 if (!flowtable->ops[i].dev)
5039 nf_unregister_net_hook(net, &flowtable->ops[i]);
5043 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5044 struct sk_buff *skb,
5045 const struct nlmsghdr *nlh,
5046 const struct nlattr * const nla[],
5047 struct netlink_ext_ack *extack)
5049 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5050 const struct nf_flowtable_type *type;
5051 u8 genmask = nft_genmask_next(net);
5052 int family = nfmsg->nfgen_family;
5053 struct nft_flowtable *flowtable;
5054 struct nft_table *table;
5058 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5059 !nla[NFTA_FLOWTABLE_NAME] ||
5060 !nla[NFTA_FLOWTABLE_HOOK])
5063 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5066 return PTR_ERR(table);
5068 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5070 if (IS_ERR(flowtable)) {
5071 err = PTR_ERR(flowtable);
5075 if (nlh->nlmsg_flags & NLM_F_EXCL)
5081 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5083 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5087 flowtable->table = table;
5088 flowtable->handle = nf_tables_alloc_handle(table);
5090 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5091 if (!flowtable->name) {
5096 type = nft_flowtable_type_get(family);
5098 err = PTR_ERR(type);
5102 flowtable->data.type = type;
5103 err = rhashtable_init(&flowtable->data.rhashtable, type->params);
5107 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5112 for (i = 0; i < flowtable->ops_len; i++) {
5113 err = nf_register_net_hook(net, &flowtable->ops[i]);
5118 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5122 INIT_DEFERRABLE_WORK(&flowtable->data.gc_work, type->gc);
5123 queue_delayed_work(system_power_efficient_wq,
5124 &flowtable->data.gc_work, HZ);
5126 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5131 i = flowtable->ops_len;
5133 for (k = i - 1; k >= 0; k--)
5134 nf_unregister_net_hook(net, &flowtable->ops[i]);
5136 kfree(flowtable->ops);
5138 module_put(type->owner);
5140 kfree(flowtable->name);
5146 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5147 struct sk_buff *skb,
5148 const struct nlmsghdr *nlh,
5149 const struct nlattr * const nla[],
5150 struct netlink_ext_ack *extack)
5152 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5153 u8 genmask = nft_genmask_next(net);
5154 int family = nfmsg->nfgen_family;
5155 struct nft_flowtable *flowtable;
5156 struct nft_table *table;
5159 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5162 return PTR_ERR(table);
5164 if (nla[NFTA_FLOWTABLE_HANDLE])
5165 flowtable = nf_tables_flowtable_lookup_byhandle(table,
5166 nla[NFTA_FLOWTABLE_HANDLE],
5169 flowtable = nf_tables_flowtable_lookup(table,
5170 nla[NFTA_FLOWTABLE_NAME],
5172 if (IS_ERR(flowtable))
5173 return PTR_ERR(flowtable);
5174 if (flowtable->use > 0)
5177 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5179 return nft_delflowtable(&ctx, flowtable);
5182 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5183 u32 portid, u32 seq, int event,
5184 u32 flags, int family,
5185 struct nft_flowtable *flowtable)
5187 struct nlattr *nest, *nest_devs;
5188 struct nfgenmsg *nfmsg;
5189 struct nlmsghdr *nlh;
5192 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5193 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5195 goto nla_put_failure;
5197 nfmsg = nlmsg_data(nlh);
5198 nfmsg->nfgen_family = family;
5199 nfmsg->version = NFNETLINK_V0;
5200 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5202 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5203 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5204 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5205 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5206 NFTA_FLOWTABLE_PAD))
5207 goto nla_put_failure;
5209 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5210 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5211 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5212 goto nla_put_failure;
5214 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5216 goto nla_put_failure;
5218 for (i = 0; i < flowtable->ops_len; i++) {
5219 if (flowtable->ops[i].dev &&
5220 nla_put_string(skb, NFTA_DEVICE_NAME,
5221 flowtable->ops[i].dev->name))
5222 goto nla_put_failure;
5224 nla_nest_end(skb, nest_devs);
5225 nla_nest_end(skb, nest);
5227 nlmsg_end(skb, nlh);
5231 nlmsg_trim(skb, nlh);
5235 struct nft_flowtable_filter {
5239 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5240 struct netlink_callback *cb)
5242 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5243 struct nft_flowtable_filter *filter = cb->data;
5244 unsigned int idx = 0, s_idx = cb->args[0];
5245 struct net *net = sock_net(skb->sk);
5246 int family = nfmsg->nfgen_family;
5247 struct nft_flowtable *flowtable;
5248 const struct nft_table *table;
5251 cb->seq = net->nft.base_seq;
5253 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5254 if (family != NFPROTO_UNSPEC && family != table->family)
5257 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5258 if (!nft_is_active(net, flowtable))
5263 memset(&cb->args[1], 0,
5264 sizeof(cb->args) - sizeof(cb->args[0]));
5265 if (filter && filter->table[0] &&
5266 strcmp(filter->table, table->name))
5269 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5271 NFT_MSG_NEWFLOWTABLE,
5272 NLM_F_MULTI | NLM_F_APPEND,
5273 table->family, flowtable) < 0)
5276 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5288 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5290 struct nft_flowtable_filter *filter = cb->data;
5295 kfree(filter->table);
5301 static struct nft_flowtable_filter *
5302 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5304 struct nft_flowtable_filter *filter;
5306 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5308 return ERR_PTR(-ENOMEM);
5310 if (nla[NFTA_FLOWTABLE_TABLE]) {
5311 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5313 if (!filter->table) {
5315 return ERR_PTR(-ENOMEM);
5321 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5322 struct sk_buff *skb,
5323 const struct nlmsghdr *nlh,
5324 const struct nlattr * const nla[],
5325 struct netlink_ext_ack *extack)
5327 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5328 u8 genmask = nft_genmask_cur(net);
5329 int family = nfmsg->nfgen_family;
5330 struct nft_flowtable *flowtable;
5331 const struct nft_table *table;
5332 struct sk_buff *skb2;
5335 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5336 struct netlink_dump_control c = {
5337 .dump = nf_tables_dump_flowtable,
5338 .done = nf_tables_dump_flowtable_done,
5341 if (nla[NFTA_FLOWTABLE_TABLE]) {
5342 struct nft_flowtable_filter *filter;
5344 filter = nft_flowtable_filter_alloc(nla);
5350 return netlink_dump_start(nlsk, skb, nlh, &c);
5353 if (!nla[NFTA_FLOWTABLE_NAME])
5356 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5359 return PTR_ERR(table);
5361 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5363 if (IS_ERR(flowtable))
5364 return PTR_ERR(flowtable);
5366 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5370 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5372 NFT_MSG_NEWFLOWTABLE, 0, family,
5377 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5383 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5384 struct nft_flowtable *flowtable,
5387 struct sk_buff *skb;
5391 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5394 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5398 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5400 ctx->family, flowtable);
5406 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5407 ctx->report, GFP_KERNEL);
5410 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5413 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5415 cancel_delayed_work_sync(&flowtable->data.gc_work);
5416 kfree(flowtable->name);
5417 flowtable->data.type->free(&flowtable->data);
5418 rhashtable_destroy(&flowtable->data.rhashtable);
5419 module_put(flowtable->data.type->owner);
5422 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5423 u32 portid, u32 seq)
5425 struct nlmsghdr *nlh;
5426 struct nfgenmsg *nfmsg;
5427 char buf[TASK_COMM_LEN];
5428 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5430 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5432 goto nla_put_failure;
5434 nfmsg = nlmsg_data(nlh);
5435 nfmsg->nfgen_family = AF_UNSPEC;
5436 nfmsg->version = NFNETLINK_V0;
5437 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5439 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5440 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5441 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5442 goto nla_put_failure;
5444 nlmsg_end(skb, nlh);
5448 nlmsg_trim(skb, nlh);
5452 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5453 struct nft_flowtable *flowtable)
5457 for (i = 0; i < flowtable->ops_len; i++) {
5458 if (flowtable->ops[i].dev != dev)
5461 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5462 flowtable->ops[i].dev = NULL;
5467 static int nf_tables_flowtable_event(struct notifier_block *this,
5468 unsigned long event, void *ptr)
5470 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5471 struct nft_flowtable *flowtable;
5472 struct nft_table *table;
5474 if (event != NETDEV_UNREGISTER)
5477 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5478 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5479 list_for_each_entry(flowtable, &table->flowtables, list) {
5480 nft_flowtable_event(event, dev, flowtable);
5483 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5488 static struct notifier_block nf_tables_flowtable_notifier = {
5489 .notifier_call = nf_tables_flowtable_event,
5492 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5495 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5496 struct sk_buff *skb2;
5499 if (nlmsg_report(nlh) &&
5500 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5503 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5507 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5514 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5515 nlmsg_report(nlh), GFP_KERNEL);
5518 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5522 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5523 struct sk_buff *skb, const struct nlmsghdr *nlh,
5524 const struct nlattr * const nla[],
5525 struct netlink_ext_ack *extack)
5527 struct sk_buff *skb2;
5530 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5534 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5539 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5545 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5546 [NFT_MSG_NEWTABLE] = {
5547 .call_batch = nf_tables_newtable,
5548 .attr_count = NFTA_TABLE_MAX,
5549 .policy = nft_table_policy,
5551 [NFT_MSG_GETTABLE] = {
5552 .call = nf_tables_gettable,
5553 .attr_count = NFTA_TABLE_MAX,
5554 .policy = nft_table_policy,
5556 [NFT_MSG_DELTABLE] = {
5557 .call_batch = nf_tables_deltable,
5558 .attr_count = NFTA_TABLE_MAX,
5559 .policy = nft_table_policy,
5561 [NFT_MSG_NEWCHAIN] = {
5562 .call_batch = nf_tables_newchain,
5563 .attr_count = NFTA_CHAIN_MAX,
5564 .policy = nft_chain_policy,
5566 [NFT_MSG_GETCHAIN] = {
5567 .call = nf_tables_getchain,
5568 .attr_count = NFTA_CHAIN_MAX,
5569 .policy = nft_chain_policy,
5571 [NFT_MSG_DELCHAIN] = {
5572 .call_batch = nf_tables_delchain,
5573 .attr_count = NFTA_CHAIN_MAX,
5574 .policy = nft_chain_policy,
5576 [NFT_MSG_NEWRULE] = {
5577 .call_batch = nf_tables_newrule,
5578 .attr_count = NFTA_RULE_MAX,
5579 .policy = nft_rule_policy,
5581 [NFT_MSG_GETRULE] = {
5582 .call = nf_tables_getrule,
5583 .attr_count = NFTA_RULE_MAX,
5584 .policy = nft_rule_policy,
5586 [NFT_MSG_DELRULE] = {
5587 .call_batch = nf_tables_delrule,
5588 .attr_count = NFTA_RULE_MAX,
5589 .policy = nft_rule_policy,
5591 [NFT_MSG_NEWSET] = {
5592 .call_batch = nf_tables_newset,
5593 .attr_count = NFTA_SET_MAX,
5594 .policy = nft_set_policy,
5596 [NFT_MSG_GETSET] = {
5597 .call = nf_tables_getset,
5598 .attr_count = NFTA_SET_MAX,
5599 .policy = nft_set_policy,
5601 [NFT_MSG_DELSET] = {
5602 .call_batch = nf_tables_delset,
5603 .attr_count = NFTA_SET_MAX,
5604 .policy = nft_set_policy,
5606 [NFT_MSG_NEWSETELEM] = {
5607 .call_batch = nf_tables_newsetelem,
5608 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5609 .policy = nft_set_elem_list_policy,
5611 [NFT_MSG_GETSETELEM] = {
5612 .call = nf_tables_getsetelem,
5613 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5614 .policy = nft_set_elem_list_policy,
5616 [NFT_MSG_DELSETELEM] = {
5617 .call_batch = nf_tables_delsetelem,
5618 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5619 .policy = nft_set_elem_list_policy,
5621 [NFT_MSG_GETGEN] = {
5622 .call = nf_tables_getgen,
5624 [NFT_MSG_NEWOBJ] = {
5625 .call_batch = nf_tables_newobj,
5626 .attr_count = NFTA_OBJ_MAX,
5627 .policy = nft_obj_policy,
5629 [NFT_MSG_GETOBJ] = {
5630 .call = nf_tables_getobj,
5631 .attr_count = NFTA_OBJ_MAX,
5632 .policy = nft_obj_policy,
5634 [NFT_MSG_DELOBJ] = {
5635 .call_batch = nf_tables_delobj,
5636 .attr_count = NFTA_OBJ_MAX,
5637 .policy = nft_obj_policy,
5639 [NFT_MSG_GETOBJ_RESET] = {
5640 .call = nf_tables_getobj,
5641 .attr_count = NFTA_OBJ_MAX,
5642 .policy = nft_obj_policy,
5644 [NFT_MSG_NEWFLOWTABLE] = {
5645 .call_batch = nf_tables_newflowtable,
5646 .attr_count = NFTA_FLOWTABLE_MAX,
5647 .policy = nft_flowtable_policy,
5649 [NFT_MSG_GETFLOWTABLE] = {
5650 .call = nf_tables_getflowtable,
5651 .attr_count = NFTA_FLOWTABLE_MAX,
5652 .policy = nft_flowtable_policy,
5654 [NFT_MSG_DELFLOWTABLE] = {
5655 .call_batch = nf_tables_delflowtable,
5656 .attr_count = NFTA_FLOWTABLE_MAX,
5657 .policy = nft_flowtable_policy,
5661 static void nft_chain_commit_update(struct nft_trans *trans)
5663 struct nft_base_chain *basechain;
5665 if (nft_trans_chain_name(trans))
5666 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
5668 if (!nft_is_base_chain(trans->ctx.chain))
5671 basechain = nft_base_chain(trans->ctx.chain);
5672 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5674 switch (nft_trans_chain_policy(trans)) {
5677 basechain->policy = nft_trans_chain_policy(trans);
5682 static void nf_tables_commit_release(struct nft_trans *trans)
5684 switch (trans->msg_type) {
5685 case NFT_MSG_DELTABLE:
5686 nf_tables_table_destroy(&trans->ctx);
5688 case NFT_MSG_DELCHAIN:
5689 nf_tables_chain_destroy(&trans->ctx);
5691 case NFT_MSG_DELRULE:
5692 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5694 case NFT_MSG_DELSET:
5695 nft_set_destroy(nft_trans_set(trans));
5697 case NFT_MSG_DELSETELEM:
5698 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5699 nft_trans_elem(trans).priv);
5701 case NFT_MSG_DELOBJ:
5702 nft_obj_destroy(nft_trans_obj(trans));
5704 case NFT_MSG_DELFLOWTABLE:
5705 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5711 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5713 struct nft_trans *trans, *next;
5714 struct nft_trans_elem *te;
5716 /* Bump generation counter, invalidate any dump in progress */
5717 while (++net->nft.base_seq == 0);
5719 /* A new generation has just started */
5720 net->nft.gencursor = nft_gencursor_next(net);
5722 /* Make sure all packets have left the previous generation before
5723 * purging old rules.
5727 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5728 switch (trans->msg_type) {
5729 case NFT_MSG_NEWTABLE:
5730 if (nft_trans_table_update(trans)) {
5731 if (!nft_trans_table_enable(trans)) {
5732 nf_tables_table_disable(net,
5734 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5737 nft_clear(net, trans->ctx.table);
5739 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5740 nft_trans_destroy(trans);
5742 case NFT_MSG_DELTABLE:
5743 list_del_rcu(&trans->ctx.table->list);
5744 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5746 case NFT_MSG_NEWCHAIN:
5747 if (nft_trans_chain_update(trans))
5748 nft_chain_commit_update(trans);
5750 nft_clear(net, trans->ctx.chain);
5752 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5753 nft_trans_destroy(trans);
5755 case NFT_MSG_DELCHAIN:
5756 list_del_rcu(&trans->ctx.chain->list);
5757 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5758 nf_tables_unregister_hook(trans->ctx.net,
5762 case NFT_MSG_NEWRULE:
5763 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5764 nf_tables_rule_notify(&trans->ctx,
5765 nft_trans_rule(trans),
5767 nft_trans_destroy(trans);
5769 case NFT_MSG_DELRULE:
5770 list_del_rcu(&nft_trans_rule(trans)->list);
5771 nf_tables_rule_notify(&trans->ctx,
5772 nft_trans_rule(trans),
5775 case NFT_MSG_NEWSET:
5776 nft_clear(net, nft_trans_set(trans));
5777 /* This avoids hitting -EBUSY when deleting the table
5778 * from the transaction.
5780 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5781 !list_empty(&nft_trans_set(trans)->bindings))
5782 trans->ctx.table->use--;
5784 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5785 NFT_MSG_NEWSET, GFP_KERNEL);
5786 nft_trans_destroy(trans);
5788 case NFT_MSG_DELSET:
5789 list_del_rcu(&nft_trans_set(trans)->list);
5790 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5791 NFT_MSG_DELSET, GFP_KERNEL);
5793 case NFT_MSG_NEWSETELEM:
5794 te = (struct nft_trans_elem *)trans->data;
5796 te->set->ops->activate(net, te->set, &te->elem);
5797 nf_tables_setelem_notify(&trans->ctx, te->set,
5799 NFT_MSG_NEWSETELEM, 0);
5800 nft_trans_destroy(trans);
5802 case NFT_MSG_DELSETELEM:
5803 te = (struct nft_trans_elem *)trans->data;
5805 nf_tables_setelem_notify(&trans->ctx, te->set,
5807 NFT_MSG_DELSETELEM, 0);
5808 te->set->ops->remove(net, te->set, &te->elem);
5809 atomic_dec(&te->set->nelems);
5812 case NFT_MSG_NEWOBJ:
5813 nft_clear(net, nft_trans_obj(trans));
5814 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5816 nft_trans_destroy(trans);
5818 case NFT_MSG_DELOBJ:
5819 list_del_rcu(&nft_trans_obj(trans)->list);
5820 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5823 case NFT_MSG_NEWFLOWTABLE:
5824 nft_clear(net, nft_trans_flowtable(trans));
5825 nf_tables_flowtable_notify(&trans->ctx,
5826 nft_trans_flowtable(trans),
5827 NFT_MSG_NEWFLOWTABLE);
5828 nft_trans_destroy(trans);
5830 case NFT_MSG_DELFLOWTABLE:
5831 list_del_rcu(&nft_trans_flowtable(trans)->list);
5832 nf_tables_flowtable_notify(&trans->ctx,
5833 nft_trans_flowtable(trans),
5834 NFT_MSG_DELFLOWTABLE);
5835 nft_unregister_flowtable_net_hooks(net,
5836 nft_trans_flowtable(trans));
5843 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5844 list_del(&trans->list);
5845 nf_tables_commit_release(trans);
5848 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5853 static void nf_tables_abort_release(struct nft_trans *trans)
5855 switch (trans->msg_type) {
5856 case NFT_MSG_NEWTABLE:
5857 nf_tables_table_destroy(&trans->ctx);
5859 case NFT_MSG_NEWCHAIN:
5860 nf_tables_chain_destroy(&trans->ctx);
5862 case NFT_MSG_NEWRULE:
5863 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5865 case NFT_MSG_NEWSET:
5866 nft_set_destroy(nft_trans_set(trans));
5868 case NFT_MSG_NEWSETELEM:
5869 nft_set_elem_destroy(nft_trans_elem_set(trans),
5870 nft_trans_elem(trans).priv, true);
5872 case NFT_MSG_NEWOBJ:
5873 nft_obj_destroy(nft_trans_obj(trans));
5875 case NFT_MSG_NEWFLOWTABLE:
5876 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5882 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5884 struct nft_trans *trans, *next;
5885 struct nft_trans_elem *te;
5887 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5889 switch (trans->msg_type) {
5890 case NFT_MSG_NEWTABLE:
5891 if (nft_trans_table_update(trans)) {
5892 if (nft_trans_table_enable(trans)) {
5893 nf_tables_table_disable(net,
5895 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5897 nft_trans_destroy(trans);
5899 list_del_rcu(&trans->ctx.table->list);
5902 case NFT_MSG_DELTABLE:
5903 nft_clear(trans->ctx.net, trans->ctx.table);
5904 nft_trans_destroy(trans);
5906 case NFT_MSG_NEWCHAIN:
5907 if (nft_trans_chain_update(trans)) {
5908 free_percpu(nft_trans_chain_stats(trans));
5910 nft_trans_destroy(trans);
5912 trans->ctx.table->use--;
5913 list_del_rcu(&trans->ctx.chain->list);
5914 nf_tables_unregister_hook(trans->ctx.net,
5919 case NFT_MSG_DELCHAIN:
5920 trans->ctx.table->use++;
5921 nft_clear(trans->ctx.net, trans->ctx.chain);
5922 nft_trans_destroy(trans);
5924 case NFT_MSG_NEWRULE:
5925 trans->ctx.chain->use--;
5926 list_del_rcu(&nft_trans_rule(trans)->list);
5928 case NFT_MSG_DELRULE:
5929 trans->ctx.chain->use++;
5930 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5931 nft_trans_destroy(trans);
5933 case NFT_MSG_NEWSET:
5934 trans->ctx.table->use--;
5935 list_del_rcu(&nft_trans_set(trans)->list);
5937 case NFT_MSG_DELSET:
5938 trans->ctx.table->use++;
5939 nft_clear(trans->ctx.net, nft_trans_set(trans));
5940 nft_trans_destroy(trans);
5942 case NFT_MSG_NEWSETELEM:
5943 te = (struct nft_trans_elem *)trans->data;
5945 te->set->ops->remove(net, te->set, &te->elem);
5946 atomic_dec(&te->set->nelems);
5948 case NFT_MSG_DELSETELEM:
5949 te = (struct nft_trans_elem *)trans->data;
5951 nft_set_elem_activate(net, te->set, &te->elem);
5952 te->set->ops->activate(net, te->set, &te->elem);
5955 nft_trans_destroy(trans);
5957 case NFT_MSG_NEWOBJ:
5958 trans->ctx.table->use--;
5959 list_del_rcu(&nft_trans_obj(trans)->list);
5961 case NFT_MSG_DELOBJ:
5962 trans->ctx.table->use++;
5963 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5964 nft_trans_destroy(trans);
5966 case NFT_MSG_NEWFLOWTABLE:
5967 trans->ctx.table->use--;
5968 list_del_rcu(&nft_trans_flowtable(trans)->list);
5969 nft_unregister_flowtable_net_hooks(net,
5970 nft_trans_flowtable(trans));
5972 case NFT_MSG_DELFLOWTABLE:
5973 trans->ctx.table->use++;
5974 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
5975 nft_trans_destroy(trans);
5982 list_for_each_entry_safe_reverse(trans, next,
5983 &net->nft.commit_list, list) {
5984 list_del(&trans->list);
5985 nf_tables_abort_release(trans);
5991 static bool nf_tables_valid_genid(struct net *net, u32 genid)
5993 return net->nft.base_seq == genid;
5996 static const struct nfnetlink_subsystem nf_tables_subsys = {
5997 .name = "nf_tables",
5998 .subsys_id = NFNL_SUBSYS_NFTABLES,
5999 .cb_count = NFT_MSG_MAX,
6001 .commit = nf_tables_commit,
6002 .abort = nf_tables_abort,
6003 .valid_genid = nf_tables_valid_genid,
6006 int nft_chain_validate_dependency(const struct nft_chain *chain,
6007 enum nft_chain_types type)
6009 const struct nft_base_chain *basechain;
6011 if (nft_is_base_chain(chain)) {
6012 basechain = nft_base_chain(chain);
6013 if (basechain->type->type != type)
6018 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6020 int nft_chain_validate_hooks(const struct nft_chain *chain,
6021 unsigned int hook_flags)
6023 struct nft_base_chain *basechain;
6025 if (nft_is_base_chain(chain)) {
6026 basechain = nft_base_chain(chain);
6028 if ((1 << basechain->ops.hooknum) & hook_flags)
6036 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6039 * Loop detection - walk through the ruleset beginning at the destination chain
6040 * of a new jump until either the source chain is reached (loop) or all
6041 * reachable chains have been traversed.
6043 * The loop check is performed whenever a new jump verdict is added to an
6044 * expression or verdict map or a verdict map is bound to a new chain.
6047 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6048 const struct nft_chain *chain);
6050 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6051 struct nft_set *set,
6052 const struct nft_set_iter *iter,
6053 struct nft_set_elem *elem)
6055 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6056 const struct nft_data *data;
6058 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6059 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6062 data = nft_set_ext_data(ext);
6063 switch (data->verdict.code) {
6066 return nf_tables_check_loops(ctx, data->verdict.chain);
6072 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6073 const struct nft_chain *chain)
6075 const struct nft_rule *rule;
6076 const struct nft_expr *expr, *last;
6077 struct nft_set *set;
6078 struct nft_set_binding *binding;
6079 struct nft_set_iter iter;
6081 if (ctx->chain == chain)
6084 list_for_each_entry(rule, &chain->rules, list) {
6085 nft_rule_for_each_expr(expr, last, rule) {
6086 const struct nft_data *data = NULL;
6089 if (!expr->ops->validate)
6092 err = expr->ops->validate(ctx, expr, &data);
6099 switch (data->verdict.code) {
6102 err = nf_tables_check_loops(ctx,
6103 data->verdict.chain);
6112 list_for_each_entry(set, &ctx->table->sets, list) {
6113 if (!nft_is_active_next(ctx->net, set))
6115 if (!(set->flags & NFT_SET_MAP) ||
6116 set->dtype != NFT_DATA_VERDICT)
6119 list_for_each_entry(binding, &set->bindings, list) {
6120 if (!(binding->flags & NFT_SET_MAP) ||
6121 binding->chain != chain)
6124 iter.genmask = nft_genmask_next(ctx->net);
6128 iter.fn = nf_tables_loop_check_setelem;
6130 set->ops->walk(ctx, set, &iter);
6140 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6142 * @attr: netlink attribute to fetch value from
6143 * @max: maximum value to be stored in dest
6144 * @dest: pointer to the variable
6146 * Parse, check and store a given u32 netlink attribute into variable.
6147 * This function returns -ERANGE if the value goes over maximum value.
6148 * Otherwise a 0 is returned and the attribute value is stored in the
6149 * destination variable.
6151 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6155 val = ntohl(nla_get_be32(attr));
6162 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6165 * nft_parse_register - parse a register value from a netlink attribute
6167 * @attr: netlink attribute
6169 * Parse and translate a register value from a netlink attribute.
6170 * Registers used to be 128 bit wide, these register numbers will be
6171 * mapped to the corresponding 32 bit register numbers.
6173 unsigned int nft_parse_register(const struct nlattr *attr)
6177 reg = ntohl(nla_get_be32(attr));
6179 case NFT_REG_VERDICT...NFT_REG_4:
6180 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6182 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6185 EXPORT_SYMBOL_GPL(nft_parse_register);
6188 * nft_dump_register - dump a register value to a netlink attribute
6190 * @skb: socket buffer
6191 * @attr: attribute number
6192 * @reg: register number
6194 * Construct a netlink attribute containing the register number. For
6195 * compatibility reasons, register numbers being a multiple of 4 are
6196 * translated to the corresponding 128 bit register numbers.
6198 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6200 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6201 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6203 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6205 return nla_put_be32(skb, attr, htonl(reg));
6207 EXPORT_SYMBOL_GPL(nft_dump_register);
6210 * nft_validate_register_load - validate a load from a register
6212 * @reg: the register number
6213 * @len: the length of the data
6215 * Validate that the input register is one of the general purpose
6216 * registers and that the length of the load is within the bounds.
6218 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6220 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6224 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6229 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6232 * nft_validate_register_store - validate an expressions' register store
6234 * @ctx: context of the expression performing the load
6235 * @reg: the destination register number
6236 * @data: the data to load
6237 * @type: the data type
6238 * @len: the length of the data
6240 * Validate that a data load uses the appropriate data type for
6241 * the destination register and the length is within the bounds.
6242 * A value of NULL for the data means that its runtime gathered
6245 int nft_validate_register_store(const struct nft_ctx *ctx,
6246 enum nft_registers reg,
6247 const struct nft_data *data,
6248 enum nft_data_types type, unsigned int len)
6253 case NFT_REG_VERDICT:
6254 if (type != NFT_DATA_VERDICT)
6258 (data->verdict.code == NFT_GOTO ||
6259 data->verdict.code == NFT_JUMP)) {
6260 err = nf_tables_check_loops(ctx, data->verdict.chain);
6264 if (ctx->chain->level + 1 >
6265 data->verdict.chain->level) {
6266 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6268 data->verdict.chain->level = ctx->chain->level + 1;
6274 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6278 if (reg * NFT_REG32_SIZE + len >
6279 FIELD_SIZEOF(struct nft_regs, data))
6282 if (data != NULL && type != NFT_DATA_VALUE)
6287 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6289 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6290 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6291 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6292 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6295 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6296 struct nft_data_desc *desc, const struct nlattr *nla)
6298 u8 genmask = nft_genmask_next(ctx->net);
6299 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6300 struct nft_chain *chain;
6303 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6308 if (!tb[NFTA_VERDICT_CODE])
6310 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6312 switch (data->verdict.code) {
6314 switch (data->verdict.code & NF_VERDICT_MASK) {
6329 if (!tb[NFTA_VERDICT_CHAIN])
6331 chain = nf_tables_chain_lookup(ctx->table,
6332 tb[NFTA_VERDICT_CHAIN], genmask);
6334 return PTR_ERR(chain);
6335 if (nft_is_base_chain(chain))
6339 data->verdict.chain = chain;
6343 desc->len = sizeof(data->verdict);
6344 desc->type = NFT_DATA_VERDICT;
6348 static void nft_verdict_uninit(const struct nft_data *data)
6350 switch (data->verdict.code) {
6353 data->verdict.chain->use--;
6358 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6360 struct nlattr *nest;
6362 nest = nla_nest_start(skb, type);
6364 goto nla_put_failure;
6366 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6367 goto nla_put_failure;
6372 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6374 goto nla_put_failure;
6376 nla_nest_end(skb, nest);
6383 static int nft_value_init(const struct nft_ctx *ctx,
6384 struct nft_data *data, unsigned int size,
6385 struct nft_data_desc *desc, const struct nlattr *nla)
6395 nla_memcpy(data->data, nla, len);
6396 desc->type = NFT_DATA_VALUE;
6401 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6404 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6407 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6408 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6409 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6413 * nft_data_init - parse nf_tables data netlink attributes
6415 * @ctx: context of the expression using the data
6416 * @data: destination struct nft_data
6417 * @size: maximum data length
6418 * @desc: data description
6419 * @nla: netlink attribute containing data
6421 * Parse the netlink data attributes and initialize a struct nft_data.
6422 * The type and length of data are returned in the data description.
6424 * The caller can indicate that it only wants to accept data of type
6425 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6427 int nft_data_init(const struct nft_ctx *ctx,
6428 struct nft_data *data, unsigned int size,
6429 struct nft_data_desc *desc, const struct nlattr *nla)
6431 struct nlattr *tb[NFTA_DATA_MAX + 1];
6434 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6438 if (tb[NFTA_DATA_VALUE])
6439 return nft_value_init(ctx, data, size, desc,
6440 tb[NFTA_DATA_VALUE]);
6441 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6442 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6445 EXPORT_SYMBOL_GPL(nft_data_init);
6448 * nft_data_release - release a nft_data item
6450 * @data: struct nft_data to release
6451 * @type: type of data
6453 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6454 * all others need to be released by calling this function.
6456 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6458 if (type < NFT_DATA_VERDICT)
6461 case NFT_DATA_VERDICT:
6462 return nft_verdict_uninit(data);
6467 EXPORT_SYMBOL_GPL(nft_data_release);
6469 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6470 enum nft_data_types type, unsigned int len)
6472 struct nlattr *nest;
6475 nest = nla_nest_start(skb, attr);
6480 case NFT_DATA_VALUE:
6481 err = nft_value_dump(skb, data, len);
6483 case NFT_DATA_VERDICT:
6484 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6491 nla_nest_end(skb, nest);
6494 EXPORT_SYMBOL_GPL(nft_data_dump);
6496 int __nft_release_basechain(struct nft_ctx *ctx)
6498 struct nft_rule *rule, *nr;
6500 BUG_ON(!nft_is_base_chain(ctx->chain));
6502 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6503 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6504 list_del(&rule->list);
6506 nf_tables_rule_destroy(ctx, rule);
6508 list_del(&ctx->chain->list);
6510 nf_tables_chain_destroy(ctx);
6514 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6516 static void __nft_release_tables(struct net *net)
6518 struct nft_flowtable *flowtable, *nf;
6519 struct nft_table *table, *nt;
6520 struct nft_chain *chain, *nc;
6521 struct nft_object *obj, *ne;
6522 struct nft_rule *rule, *nr;
6523 struct nft_set *set, *ns;
6524 struct nft_ctx ctx = {
6526 .family = NFPROTO_NETDEV,
6529 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6530 ctx.family = table->family;
6532 list_for_each_entry(chain, &table->chains, list)
6533 nf_tables_unregister_hook(net, table, chain);
6534 list_for_each_entry(flowtable, &table->flowtables, list)
6535 nf_unregister_net_hooks(net, flowtable->ops,
6536 flowtable->ops_len);
6537 /* No packets are walking on these chains anymore. */
6539 list_for_each_entry(chain, &table->chains, list) {
6541 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6542 list_del(&rule->list);
6544 nf_tables_rule_destroy(&ctx, rule);
6547 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6548 list_del(&flowtable->list);
6550 nf_tables_flowtable_destroy(flowtable);
6552 list_for_each_entry_safe(set, ns, &table->sets, list) {
6553 list_del(&set->list);
6555 nft_set_destroy(set);
6557 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6558 list_del(&obj->list);
6560 nft_obj_destroy(obj);
6562 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6564 list_del(&chain->list);
6566 nf_tables_chain_destroy(&ctx);
6568 list_del(&table->list);
6569 nf_tables_table_destroy(&ctx);
6573 static int __net_init nf_tables_init_net(struct net *net)
6575 INIT_LIST_HEAD(&net->nft.tables);
6576 INIT_LIST_HEAD(&net->nft.commit_list);
6577 net->nft.base_seq = 1;
6581 static void __net_exit nf_tables_exit_net(struct net *net)
6583 __nft_release_tables(net);
6584 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6585 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6588 static struct pernet_operations nf_tables_net_ops = {
6589 .init = nf_tables_init_net,
6590 .exit = nf_tables_exit_net,
6593 static int __init nf_tables_module_init(void)
6597 nft_chain_filter_init();
6599 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6606 err = nf_tables_core_module_init();
6610 err = nfnetlink_subsys_register(&nf_tables_subsys);
6614 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6616 return register_pernet_subsys(&nf_tables_net_ops);
6618 nf_tables_core_module_exit();
6625 static void __exit nf_tables_module_exit(void)
6627 unregister_pernet_subsys(&nf_tables_net_ops);
6628 nfnetlink_subsys_unregister(&nf_tables_subsys);
6629 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6631 nf_tables_core_module_exit();
6633 nft_chain_filter_fini();
6636 module_init(nf_tables_module_init);
6637 module_exit(nf_tables_module_exit);
6639 MODULE_LICENSE("GPL");
6640 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6641 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / platform / kernel / linux-rpi.git / blob