1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 unsigned int nf_tables_net_id __read_mostly;
30 static LIST_HEAD(nf_tables_expressions);
31 static LIST_HEAD(nf_tables_objects);
32 static LIST_HEAD(nf_tables_flowtables);
33 static LIST_HEAD(nf_tables_destroy_list);
34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 NFT_VALIDATE_SKIP = 0,
42 static struct rhltable nft_objname_ht;
44 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
49 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
50 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
52 static const struct rhashtable_params nft_chain_ht_params = {
53 .head_offset = offsetof(struct nft_chain, rhlhead),
54 .key_offset = offsetof(struct nft_chain, name),
55 .hashfn = nft_chain_hash,
56 .obj_hashfn = nft_chain_hash_obj,
57 .obj_cmpfn = nft_chain_hash_cmp,
58 .automatic_shrinking = true,
61 static const struct rhashtable_params nft_objname_ht_params = {
62 .head_offset = offsetof(struct nft_object, rhlhead),
63 .key_offset = offsetof(struct nft_object, key),
64 .hashfn = nft_objname_hash,
65 .obj_hashfn = nft_objname_hash_obj,
66 .obj_cmpfn = nft_objname_hash_cmp,
67 .automatic_shrinking = true,
70 struct nft_audit_data {
71 struct nft_table *table;
74 struct list_head list;
77 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
78 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
79 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
80 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
81 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
82 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
84 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
85 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
87 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
88 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
90 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
91 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
93 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
94 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
96 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
97 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
99 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
100 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
101 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
102 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
105 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
107 switch (table->validate_state) {
108 case NFT_VALIDATE_SKIP:
109 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
111 case NFT_VALIDATE_NEED:
113 case NFT_VALIDATE_DO:
114 if (new_validate_state == NFT_VALIDATE_NEED)
118 table->validate_state = new_validate_state;
120 static void nf_tables_trans_destroy_work(struct work_struct *w);
121 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
123 static void nft_ctx_init(struct nft_ctx *ctx,
125 const struct sk_buff *skb,
126 const struct nlmsghdr *nlh,
128 struct nft_table *table,
129 struct nft_chain *chain,
130 const struct nlattr * const *nla)
133 ctx->family = family;
138 ctx->portid = NETLINK_CB(skb).portid;
139 ctx->report = nlmsg_report(nlh);
140 ctx->flags = nlh->nlmsg_flags;
141 ctx->seq = nlh->nlmsg_seq;
144 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
145 int msg_type, u32 size, gfp_t gfp)
147 struct nft_trans *trans;
149 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
153 INIT_LIST_HEAD(&trans->list);
154 trans->msg_type = msg_type;
160 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
161 int msg_type, u32 size)
163 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
166 static void nft_trans_destroy(struct nft_trans *trans)
168 list_del(&trans->list);
172 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
174 struct nftables_pernet *nft_net;
175 struct net *net = ctx->net;
176 struct nft_trans *trans;
178 if (!nft_set_is_anonymous(set))
181 nft_net = nft_pernet(net);
182 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
183 switch (trans->msg_type) {
185 if (nft_trans_set(trans) == set)
186 nft_trans_set_bound(trans) = true;
188 case NFT_MSG_NEWSETELEM:
189 if (nft_trans_elem_set(trans) == set)
190 nft_trans_elem_set_bound(trans) = true;
196 static int nft_netdev_register_hooks(struct net *net,
197 struct list_head *hook_list)
199 struct nft_hook *hook;
203 list_for_each_entry(hook, hook_list, list) {
204 err = nf_register_net_hook(net, &hook->ops);
213 list_for_each_entry(hook, hook_list, list) {
217 nf_unregister_net_hook(net, &hook->ops);
222 static void nft_netdev_unregister_hooks(struct net *net,
223 struct list_head *hook_list,
226 struct nft_hook *hook, *next;
228 list_for_each_entry_safe(hook, next, hook_list, list) {
229 nf_unregister_net_hook(net, &hook->ops);
230 if (release_netdev) {
231 list_del(&hook->list);
232 kfree_rcu(hook, rcu);
237 static int nf_tables_register_hook(struct net *net,
238 const struct nft_table *table,
239 struct nft_chain *chain)
241 struct nft_base_chain *basechain;
242 const struct nf_hook_ops *ops;
244 if (table->flags & NFT_TABLE_F_DORMANT ||
245 !nft_is_base_chain(chain))
248 basechain = nft_base_chain(chain);
249 ops = &basechain->ops;
251 if (basechain->type->ops_register)
252 return basechain->type->ops_register(net, ops);
254 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
255 return nft_netdev_register_hooks(net, &basechain->hook_list);
257 return nf_register_net_hook(net, &basechain->ops);
260 static void __nf_tables_unregister_hook(struct net *net,
261 const struct nft_table *table,
262 struct nft_chain *chain,
265 struct nft_base_chain *basechain;
266 const struct nf_hook_ops *ops;
268 if (table->flags & NFT_TABLE_F_DORMANT ||
269 !nft_is_base_chain(chain))
271 basechain = nft_base_chain(chain);
272 ops = &basechain->ops;
274 if (basechain->type->ops_unregister)
275 return basechain->type->ops_unregister(net, ops);
277 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
278 nft_netdev_unregister_hooks(net, &basechain->hook_list,
281 nf_unregister_net_hook(net, &basechain->ops);
284 static void nf_tables_unregister_hook(struct net *net,
285 const struct nft_table *table,
286 struct nft_chain *chain)
288 return __nf_tables_unregister_hook(net, table, chain, false);
291 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
293 struct nftables_pernet *nft_net = nft_pernet(net);
295 list_add_tail(&trans->list, &nft_net->commit_list);
298 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
300 struct nft_trans *trans;
302 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
306 if (msg_type == NFT_MSG_NEWTABLE)
307 nft_activate_next(ctx->net, ctx->table);
309 nft_trans_commit_list_add_tail(ctx->net, trans);
313 static int nft_deltable(struct nft_ctx *ctx)
317 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
321 nft_deactivate_next(ctx->net, ctx->table);
325 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
327 struct nft_trans *trans;
329 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
331 return ERR_PTR(-ENOMEM);
333 if (msg_type == NFT_MSG_NEWCHAIN) {
334 nft_activate_next(ctx->net, ctx->chain);
336 if (ctx->nla[NFTA_CHAIN_ID]) {
337 nft_trans_chain_id(trans) =
338 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
342 nft_trans_commit_list_add_tail(ctx->net, trans);
346 static int nft_delchain(struct nft_ctx *ctx)
348 struct nft_trans *trans;
350 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
352 return PTR_ERR(trans);
355 nft_deactivate_next(ctx->net, ctx->chain);
360 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
361 struct nft_rule *rule)
363 struct nft_expr *expr;
365 expr = nft_expr_first(rule);
366 while (nft_expr_more(rule, expr)) {
367 if (expr->ops->activate)
368 expr->ops->activate(ctx, expr);
370 expr = nft_expr_next(expr);
374 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
375 struct nft_rule *rule,
376 enum nft_trans_phase phase)
378 struct nft_expr *expr;
380 expr = nft_expr_first(rule);
381 while (nft_expr_more(rule, expr)) {
382 if (expr->ops->deactivate)
383 expr->ops->deactivate(ctx, expr, phase);
385 expr = nft_expr_next(expr);
390 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
392 /* You cannot delete the same rule twice */
393 if (nft_is_active_next(ctx->net, rule)) {
394 nft_deactivate_next(ctx->net, rule);
401 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
402 struct nft_rule *rule)
404 struct nft_trans *trans;
406 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
410 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
411 nft_trans_rule_id(trans) =
412 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
414 nft_trans_rule(trans) = rule;
415 nft_trans_commit_list_add_tail(ctx->net, trans);
420 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
422 struct nft_flow_rule *flow;
423 struct nft_trans *trans;
426 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
430 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
431 flow = nft_flow_rule_create(ctx->net, rule);
433 nft_trans_destroy(trans);
434 return PTR_ERR(flow);
437 nft_trans_flow_rule(trans) = flow;
440 err = nf_tables_delrule_deactivate(ctx, rule);
442 nft_trans_destroy(trans);
445 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
450 static int nft_delrule_by_chain(struct nft_ctx *ctx)
452 struct nft_rule *rule;
455 list_for_each_entry(rule, &ctx->chain->rules, list) {
456 if (!nft_is_active_next(ctx->net, rule))
459 err = nft_delrule(ctx, rule);
466 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
468 const struct nft_set_desc *desc)
470 struct nft_trans *trans;
472 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
476 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
477 nft_trans_set_id(trans) =
478 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
479 nft_activate_next(ctx->net, set);
481 nft_trans_set(trans) = set;
483 nft_trans_set_update(trans) = true;
484 nft_trans_set_gc_int(trans) = desc->gc_int;
485 nft_trans_set_timeout(trans) = desc->timeout;
487 nft_trans_commit_list_add_tail(ctx->net, trans);
492 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
495 return __nft_trans_set_add(ctx, msg_type, set, NULL);
498 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
502 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
506 nft_deactivate_next(ctx->net, set);
512 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
513 struct nft_object *obj)
515 struct nft_trans *trans;
517 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
521 if (msg_type == NFT_MSG_NEWOBJ)
522 nft_activate_next(ctx->net, obj);
524 nft_trans_obj(trans) = obj;
525 nft_trans_commit_list_add_tail(ctx->net, trans);
530 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
534 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
538 nft_deactivate_next(ctx->net, obj);
544 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
545 struct nft_flowtable *flowtable)
547 struct nft_trans *trans;
549 trans = nft_trans_alloc(ctx, msg_type,
550 sizeof(struct nft_trans_flowtable));
554 if (msg_type == NFT_MSG_NEWFLOWTABLE)
555 nft_activate_next(ctx->net, flowtable);
557 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
558 nft_trans_flowtable(trans) = flowtable;
559 nft_trans_commit_list_add_tail(ctx->net, trans);
564 static int nft_delflowtable(struct nft_ctx *ctx,
565 struct nft_flowtable *flowtable)
569 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
573 nft_deactivate_next(ctx->net, flowtable);
579 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
583 for (i = track->regs[dreg].num_reg; i > 0; i--)
584 __nft_reg_track_cancel(track, dreg - i);
587 static void __nft_reg_track_update(struct nft_regs_track *track,
588 const struct nft_expr *expr,
591 track->regs[dreg].selector = expr;
592 track->regs[dreg].bitwise = NULL;
593 track->regs[dreg].num_reg = num_reg;
596 void nft_reg_track_update(struct nft_regs_track *track,
597 const struct nft_expr *expr, u8 dreg, u8 len)
599 unsigned int regcount;
602 __nft_reg_track_clobber(track, dreg);
604 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
605 for (i = 0; i < regcount; i++, dreg++)
606 __nft_reg_track_update(track, expr, dreg, i);
608 EXPORT_SYMBOL_GPL(nft_reg_track_update);
610 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
612 unsigned int regcount;
615 __nft_reg_track_clobber(track, dreg);
617 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
618 for (i = 0; i < regcount; i++, dreg++)
619 __nft_reg_track_cancel(track, dreg);
621 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
623 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
625 track->regs[dreg].selector = NULL;
626 track->regs[dreg].bitwise = NULL;
627 track->regs[dreg].num_reg = 0;
629 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
635 static struct nft_table *nft_table_lookup(const struct net *net,
636 const struct nlattr *nla,
637 u8 family, u8 genmask, u32 nlpid)
639 struct nftables_pernet *nft_net;
640 struct nft_table *table;
643 return ERR_PTR(-EINVAL);
645 nft_net = nft_pernet(net);
646 list_for_each_entry_rcu(table, &nft_net->tables, list,
647 lockdep_is_held(&nft_net->commit_mutex)) {
648 if (!nla_strcmp(nla, table->name) &&
649 table->family == family &&
650 nft_active_genmask(table, genmask)) {
651 if (nft_table_has_owner(table) &&
652 nlpid && table->nlpid != nlpid)
653 return ERR_PTR(-EPERM);
659 return ERR_PTR(-ENOENT);
662 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
663 const struct nlattr *nla,
664 u8 genmask, u32 nlpid)
666 struct nftables_pernet *nft_net;
667 struct nft_table *table;
669 nft_net = nft_pernet(net);
670 list_for_each_entry(table, &nft_net->tables, list) {
671 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
672 nft_active_genmask(table, genmask)) {
673 if (nft_table_has_owner(table) &&
674 nlpid && table->nlpid != nlpid)
675 return ERR_PTR(-EPERM);
681 return ERR_PTR(-ENOENT);
684 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
686 return ++table->hgenerator;
689 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
691 static const struct nft_chain_type *
692 __nft_chain_type_get(u8 family, enum nft_chain_types type)
694 if (family >= NFPROTO_NUMPROTO ||
695 type >= NFT_CHAIN_T_MAX)
698 return chain_type[family][type];
701 static const struct nft_chain_type *
702 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
704 const struct nft_chain_type *type;
707 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
708 type = __nft_chain_type_get(family, i);
711 if (!nla_strcmp(nla, type->name))
717 struct nft_module_request {
718 struct list_head list;
719 char module[MODULE_NAME_LEN];
723 #ifdef CONFIG_MODULES
724 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
727 char module_name[MODULE_NAME_LEN];
728 struct nftables_pernet *nft_net;
729 struct nft_module_request *req;
734 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
736 if (ret >= MODULE_NAME_LEN)
739 nft_net = nft_pernet(net);
740 list_for_each_entry(req, &nft_net->module_list, list) {
741 if (!strcmp(req->module, module_name)) {
745 /* A request to load this module already exists. */
750 req = kmalloc(sizeof(*req), GFP_KERNEL);
755 strscpy(req->module, module_name, MODULE_NAME_LEN);
756 list_add_tail(&req->list, &nft_net->module_list);
760 EXPORT_SYMBOL_GPL(nft_request_module);
763 static void lockdep_nfnl_nft_mutex_not_held(void)
765 #ifdef CONFIG_PROVE_LOCKING
767 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
771 static const struct nft_chain_type *
772 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
773 u8 family, bool autoload)
775 const struct nft_chain_type *type;
777 type = __nf_tables_chain_type_lookup(nla, family);
781 lockdep_nfnl_nft_mutex_not_held();
782 #ifdef CONFIG_MODULES
784 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
786 (const char *)nla_data(nla)) == -EAGAIN)
787 return ERR_PTR(-EAGAIN);
790 return ERR_PTR(-ENOENT);
793 static __be16 nft_base_seq(const struct net *net)
795 struct nftables_pernet *nft_net = nft_pernet(net);
797 return htons(nft_net->base_seq & 0xffff);
800 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
801 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
802 .len = NFT_TABLE_MAXNAMELEN - 1 },
803 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
804 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
805 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
806 .len = NFT_USERDATA_MAXLEN }
809 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
810 u32 portid, u32 seq, int event, u32 flags,
811 int family, const struct nft_table *table)
813 struct nlmsghdr *nlh;
815 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
816 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
817 NFNETLINK_V0, nft_base_seq(net));
819 goto nla_put_failure;
821 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
822 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
823 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
825 goto nla_put_failure;
827 if (event == NFT_MSG_DELTABLE) {
832 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
833 htonl(table->flags & NFT_TABLE_F_MASK)))
834 goto nla_put_failure;
836 if (nft_table_has_owner(table) &&
837 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
838 goto nla_put_failure;
841 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
842 goto nla_put_failure;
849 nlmsg_trim(skb, nlh);
853 struct nftnl_skb_parms {
856 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
858 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
859 struct list_head *notify_list)
861 NFT_CB(skb).report = report;
862 list_add_tail(&skb->list, notify_list);
865 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
867 struct nftables_pernet *nft_net;
873 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
876 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
880 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
881 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
883 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
884 event, flags, ctx->family, ctx->table);
890 nft_net = nft_pernet(ctx->net);
891 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
894 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
897 static int nf_tables_dump_tables(struct sk_buff *skb,
898 struct netlink_callback *cb)
900 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
901 struct nftables_pernet *nft_net;
902 const struct nft_table *table;
903 unsigned int idx = 0, s_idx = cb->args[0];
904 struct net *net = sock_net(skb->sk);
905 int family = nfmsg->nfgen_family;
908 nft_net = nft_pernet(net);
909 cb->seq = READ_ONCE(nft_net->base_seq);
911 list_for_each_entry_rcu(table, &nft_net->tables, list) {
912 if (family != NFPROTO_UNSPEC && family != table->family)
918 memset(&cb->args[1], 0,
919 sizeof(cb->args) - sizeof(cb->args[0]));
920 if (!nft_is_active(net, table))
922 if (nf_tables_fill_table_info(skb, net,
923 NETLINK_CB(cb->skb).portid,
925 NFT_MSG_NEWTABLE, NLM_F_MULTI,
926 table->family, table) < 0)
929 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
939 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
940 const struct nlmsghdr *nlh,
941 struct netlink_dump_control *c)
945 if (!try_module_get(THIS_MODULE))
949 err = netlink_dump_start(nlsk, skb, nlh, c);
951 module_put(THIS_MODULE);
956 /* called with rcu_read_lock held */
957 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
958 const struct nlattr * const nla[])
960 struct netlink_ext_ack *extack = info->extack;
961 u8 genmask = nft_genmask_cur(info->net);
962 u8 family = info->nfmsg->nfgen_family;
963 const struct nft_table *table;
964 struct net *net = info->net;
965 struct sk_buff *skb2;
968 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
969 struct netlink_dump_control c = {
970 .dump = nf_tables_dump_tables,
971 .module = THIS_MODULE,
974 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
977 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
979 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
980 return PTR_ERR(table);
983 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
987 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
988 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
991 goto err_fill_table_info;
993 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1000 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1002 struct nft_chain *chain;
1005 list_for_each_entry(chain, &table->chains, list) {
1006 if (!nft_is_active_next(net, chain))
1008 if (!nft_is_base_chain(chain))
1011 if (cnt && i++ == cnt)
1014 nf_tables_unregister_hook(net, table, chain);
1018 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1020 struct nft_chain *chain;
1023 list_for_each_entry(chain, &table->chains, list) {
1024 if (!nft_is_active_next(net, chain))
1026 if (!nft_is_base_chain(chain))
1029 err = nf_tables_register_hook(net, table, chain);
1031 goto err_register_hooks;
1039 nft_table_disable(net, table, i);
1043 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1045 table->flags &= ~NFT_TABLE_F_DORMANT;
1046 nft_table_disable(net, table, 0);
1047 table->flags |= NFT_TABLE_F_DORMANT;
1050 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1051 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1052 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1053 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1054 __NFT_TABLE_F_WAS_AWAKEN)
1056 static int nf_tables_updtable(struct nft_ctx *ctx)
1058 struct nft_trans *trans;
1062 if (!ctx->nla[NFTA_TABLE_FLAGS])
1065 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1066 if (flags & ~NFT_TABLE_F_MASK)
1069 if (flags == ctx->table->flags)
1072 if ((nft_table_has_owner(ctx->table) &&
1073 !(flags & NFT_TABLE_F_OWNER)) ||
1074 (!nft_table_has_owner(ctx->table) &&
1075 flags & NFT_TABLE_F_OWNER))
1078 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1079 sizeof(struct nft_trans_table));
1083 if ((flags & NFT_TABLE_F_DORMANT) &&
1084 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1085 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1086 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1087 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1088 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1089 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1090 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1091 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1092 ret = nf_tables_table_enable(ctx->net, ctx->table);
1094 goto err_register_hooks;
1096 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1100 nft_trans_table_update(trans) = true;
1101 nft_trans_commit_list_add_tail(ctx->net, trans);
1106 nft_trans_destroy(trans);
1110 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1112 const char *name = data;
1114 return jhash(name, strlen(name), seed);
1117 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1119 const struct nft_chain *chain = data;
1121 return nft_chain_hash(chain->name, 0, seed);
1124 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1127 const struct nft_chain *chain = ptr;
1128 const char *name = arg->key;
1130 return strcmp(chain->name, name);
1133 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1135 const struct nft_object_hash_key *k = data;
1137 seed ^= hash_ptr(k->table, 32);
1139 return jhash(k->name, strlen(k->name), seed);
1142 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1144 const struct nft_object *obj = data;
1146 return nft_objname_hash(&obj->key, 0, seed);
1149 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1152 const struct nft_object_hash_key *k = arg->key;
1153 const struct nft_object *obj = ptr;
1155 if (obj->key.table != k->table)
1158 return strcmp(obj->key.name, k->name);
1161 static bool nft_supported_family(u8 family)
1164 #ifdef CONFIG_NF_TABLES_INET
1165 || family == NFPROTO_INET
1167 #ifdef CONFIG_NF_TABLES_IPV4
1168 || family == NFPROTO_IPV4
1170 #ifdef CONFIG_NF_TABLES_ARP
1171 || family == NFPROTO_ARP
1173 #ifdef CONFIG_NF_TABLES_NETDEV
1174 || family == NFPROTO_NETDEV
1176 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1177 || family == NFPROTO_BRIDGE
1179 #ifdef CONFIG_NF_TABLES_IPV6
1180 || family == NFPROTO_IPV6
1185 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1186 const struct nlattr * const nla[])
1188 struct nftables_pernet *nft_net = nft_pernet(info->net);
1189 struct netlink_ext_ack *extack = info->extack;
1190 u8 genmask = nft_genmask_next(info->net);
1191 u8 family = info->nfmsg->nfgen_family;
1192 struct net *net = info->net;
1193 const struct nlattr *attr;
1194 struct nft_table *table;
1199 if (!nft_supported_family(family))
1202 lockdep_assert_held(&nft_net->commit_mutex);
1203 attr = nla[NFTA_TABLE_NAME];
1204 table = nft_table_lookup(net, attr, family, genmask,
1205 NETLINK_CB(skb).portid);
1206 if (IS_ERR(table)) {
1207 if (PTR_ERR(table) != -ENOENT)
1208 return PTR_ERR(table);
1210 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1211 NL_SET_BAD_ATTR(extack, attr);
1214 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1217 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1219 return nf_tables_updtable(&ctx);
1222 if (nla[NFTA_TABLE_FLAGS]) {
1223 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1224 if (flags & ~NFT_TABLE_F_MASK)
1229 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1233 table->validate_state = NFT_VALIDATE_SKIP;
1234 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1235 if (table->name == NULL)
1238 if (nla[NFTA_TABLE_USERDATA]) {
1239 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1240 if (table->udata == NULL)
1241 goto err_table_udata;
1243 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1246 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1250 INIT_LIST_HEAD(&table->chains);
1251 INIT_LIST_HEAD(&table->sets);
1252 INIT_LIST_HEAD(&table->objects);
1253 INIT_LIST_HEAD(&table->flowtables);
1254 table->family = family;
1255 table->flags = flags;
1256 table->handle = ++nft_net->table_handle;
1257 if (table->flags & NFT_TABLE_F_OWNER)
1258 table->nlpid = NETLINK_CB(skb).portid;
1260 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1261 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1265 list_add_tail_rcu(&table->list, &nft_net->tables);
1268 rhltable_destroy(&table->chains_ht);
1270 kfree(table->udata);
1279 static int nft_flush_table(struct nft_ctx *ctx)
1281 struct nft_flowtable *flowtable, *nft;
1282 struct nft_chain *chain, *nc;
1283 struct nft_object *obj, *ne;
1284 struct nft_set *set, *ns;
1287 list_for_each_entry(chain, &ctx->table->chains, list) {
1288 if (!nft_is_active_next(ctx->net, chain))
1291 if (nft_chain_is_bound(chain))
1296 err = nft_delrule_by_chain(ctx);
1301 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1302 if (!nft_is_active_next(ctx->net, set))
1305 if (nft_set_is_anonymous(set) &&
1306 !list_empty(&set->bindings))
1309 err = nft_delset(ctx, set);
1314 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1315 if (!nft_is_active_next(ctx->net, flowtable))
1318 err = nft_delflowtable(ctx, flowtable);
1323 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1324 if (!nft_is_active_next(ctx->net, obj))
1327 err = nft_delobj(ctx, obj);
1332 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1333 if (!nft_is_active_next(ctx->net, chain))
1336 if (nft_chain_is_bound(chain))
1341 err = nft_delchain(ctx);
1346 err = nft_deltable(ctx);
1351 static int nft_flush(struct nft_ctx *ctx, int family)
1353 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1354 const struct nlattr * const *nla = ctx->nla;
1355 struct nft_table *table, *nt;
1358 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1359 if (family != AF_UNSPEC && table->family != family)
1362 ctx->family = table->family;
1364 if (!nft_is_active_next(ctx->net, table))
1367 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1370 if (nla[NFTA_TABLE_NAME] &&
1371 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1376 err = nft_flush_table(ctx);
1384 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1385 const struct nlattr * const nla[])
1387 struct netlink_ext_ack *extack = info->extack;
1388 u8 genmask = nft_genmask_next(info->net);
1389 u8 family = info->nfmsg->nfgen_family;
1390 struct net *net = info->net;
1391 const struct nlattr *attr;
1392 struct nft_table *table;
1395 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1396 if (family == AF_UNSPEC ||
1397 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1398 return nft_flush(&ctx, family);
1400 if (nla[NFTA_TABLE_HANDLE]) {
1401 attr = nla[NFTA_TABLE_HANDLE];
1402 table = nft_table_lookup_byhandle(net, attr, genmask,
1403 NETLINK_CB(skb).portid);
1405 attr = nla[NFTA_TABLE_NAME];
1406 table = nft_table_lookup(net, attr, family, genmask,
1407 NETLINK_CB(skb).portid);
1410 if (IS_ERR(table)) {
1411 if (PTR_ERR(table) == -ENOENT &&
1412 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1415 NL_SET_BAD_ATTR(extack, attr);
1416 return PTR_ERR(table);
1419 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1423 ctx.family = family;
1426 return nft_flush_table(&ctx);
1429 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1431 if (WARN_ON(ctx->table->use > 0))
1434 rhltable_destroy(&ctx->table->chains_ht);
1435 kfree(ctx->table->name);
1436 kfree(ctx->table->udata);
1440 void nft_register_chain_type(const struct nft_chain_type *ctype)
1442 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1443 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1444 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1447 chain_type[ctype->family][ctype->type] = ctype;
1448 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1450 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1452 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1454 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1455 chain_type[ctype->family][ctype->type] = NULL;
1456 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1458 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1464 static struct nft_chain *
1465 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1467 struct nft_chain *chain;
1469 list_for_each_entry(chain, &table->chains, list) {
1470 if (chain->handle == handle &&
1471 nft_active_genmask(chain, genmask))
1475 return ERR_PTR(-ENOENT);
1478 static bool lockdep_commit_lock_is_held(const struct net *net)
1480 #ifdef CONFIG_PROVE_LOCKING
1481 struct nftables_pernet *nft_net = nft_pernet(net);
1483 return lockdep_is_held(&nft_net->commit_mutex);
1489 static struct nft_chain *nft_chain_lookup(struct net *net,
1490 struct nft_table *table,
1491 const struct nlattr *nla, u8 genmask)
1493 char search[NFT_CHAIN_MAXNAMELEN + 1];
1494 struct rhlist_head *tmp, *list;
1495 struct nft_chain *chain;
1498 return ERR_PTR(-EINVAL);
1500 nla_strscpy(search, nla, sizeof(search));
1502 WARN_ON(!rcu_read_lock_held() &&
1503 !lockdep_commit_lock_is_held(net));
1505 chain = ERR_PTR(-ENOENT);
1507 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1511 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1512 if (nft_active_genmask(chain, genmask))
1515 chain = ERR_PTR(-ENOENT);
1521 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1522 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1523 .len = NFT_TABLE_MAXNAMELEN - 1 },
1524 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1525 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1526 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1527 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1528 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1529 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1530 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1531 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1532 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1533 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1534 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1535 .len = NFT_USERDATA_MAXLEN },
1538 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1539 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1540 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1541 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1542 .len = IFNAMSIZ - 1 },
1545 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1547 struct nft_stats *cpu_stats, total;
1548 struct nlattr *nest;
1556 memset(&total, 0, sizeof(total));
1557 for_each_possible_cpu(cpu) {
1558 cpu_stats = per_cpu_ptr(stats, cpu);
1560 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1561 pkts = cpu_stats->pkts;
1562 bytes = cpu_stats->bytes;
1563 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1565 total.bytes += bytes;
1567 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1569 goto nla_put_failure;
1571 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1572 NFTA_COUNTER_PAD) ||
1573 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1575 goto nla_put_failure;
1577 nla_nest_end(skb, nest);
1584 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1585 const struct nft_base_chain *basechain,
1586 const struct list_head *hook_list)
1588 const struct nf_hook_ops *ops = &basechain->ops;
1589 struct nft_hook *hook, *first = NULL;
1590 struct nlattr *nest, *nest_devs;
1593 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1595 goto nla_put_failure;
1596 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1597 goto nla_put_failure;
1598 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1599 goto nla_put_failure;
1601 if (nft_base_chain_netdev(family, ops->hooknum)) {
1602 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1604 goto nla_put_failure;
1607 hook_list = &basechain->hook_list;
1609 list_for_each_entry(hook, hook_list, list) {
1613 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1614 hook->ops.dev->name))
1615 goto nla_put_failure;
1618 nla_nest_end(skb, nest_devs);
1621 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1622 goto nla_put_failure;
1624 nla_nest_end(skb, nest);
1631 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1632 u32 portid, u32 seq, int event, u32 flags,
1633 int family, const struct nft_table *table,
1634 const struct nft_chain *chain,
1635 const struct list_head *hook_list)
1637 struct nlmsghdr *nlh;
1639 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1640 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1641 NFNETLINK_V0, nft_base_seq(net));
1643 goto nla_put_failure;
1645 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1646 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1647 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1649 goto nla_put_failure;
1651 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1652 nlmsg_end(skb, nlh);
1656 if (nft_is_base_chain(chain)) {
1657 const struct nft_base_chain *basechain = nft_base_chain(chain);
1658 struct nft_stats __percpu *stats;
1660 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1661 goto nla_put_failure;
1663 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1664 htonl(basechain->policy)))
1665 goto nla_put_failure;
1667 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1668 goto nla_put_failure;
1670 stats = rcu_dereference_check(basechain->stats,
1671 lockdep_commit_lock_is_held(net));
1672 if (nft_dump_stats(skb, stats))
1673 goto nla_put_failure;
1677 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1678 goto nla_put_failure;
1680 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1681 goto nla_put_failure;
1684 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1685 goto nla_put_failure;
1687 nlmsg_end(skb, nlh);
1691 nlmsg_trim(skb, nlh);
1695 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1696 const struct list_head *hook_list)
1698 struct nftables_pernet *nft_net;
1699 struct sk_buff *skb;
1704 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1707 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1711 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1712 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1714 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1715 event, flags, ctx->family, ctx->table,
1716 ctx->chain, hook_list);
1722 nft_net = nft_pernet(ctx->net);
1723 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1726 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1729 static int nf_tables_dump_chains(struct sk_buff *skb,
1730 struct netlink_callback *cb)
1732 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1733 unsigned int idx = 0, s_idx = cb->args[0];
1734 struct net *net = sock_net(skb->sk);
1735 int family = nfmsg->nfgen_family;
1736 struct nftables_pernet *nft_net;
1737 const struct nft_table *table;
1738 const struct nft_chain *chain;
1741 nft_net = nft_pernet(net);
1742 cb->seq = READ_ONCE(nft_net->base_seq);
1744 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1745 if (family != NFPROTO_UNSPEC && family != table->family)
1748 list_for_each_entry_rcu(chain, &table->chains, list) {
1752 memset(&cb->args[1], 0,
1753 sizeof(cb->args) - sizeof(cb->args[0]));
1754 if (!nft_is_active(net, chain))
1756 if (nf_tables_fill_chain_info(skb, net,
1757 NETLINK_CB(cb->skb).portid,
1761 table->family, table,
1765 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1776 /* called with rcu_read_lock held */
1777 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1778 const struct nlattr * const nla[])
1780 struct netlink_ext_ack *extack = info->extack;
1781 u8 genmask = nft_genmask_cur(info->net);
1782 u8 family = info->nfmsg->nfgen_family;
1783 const struct nft_chain *chain;
1784 struct net *net = info->net;
1785 struct nft_table *table;
1786 struct sk_buff *skb2;
1789 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1790 struct netlink_dump_control c = {
1791 .dump = nf_tables_dump_chains,
1792 .module = THIS_MODULE,
1795 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1798 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1799 if (IS_ERR(table)) {
1800 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1801 return PTR_ERR(table);
1804 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1805 if (IS_ERR(chain)) {
1806 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1807 return PTR_ERR(chain);
1810 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1814 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1815 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1816 0, family, table, chain, NULL);
1818 goto err_fill_chain_info;
1820 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1822 err_fill_chain_info:
1827 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1828 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1829 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1832 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1834 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1835 struct nft_stats __percpu *newstats;
1836 struct nft_stats *stats;
1839 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1840 nft_counter_policy, NULL);
1842 return ERR_PTR(err);
1844 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1845 return ERR_PTR(-EINVAL);
1847 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1848 if (newstats == NULL)
1849 return ERR_PTR(-ENOMEM);
1851 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1852 * are not exposed to userspace.
1855 stats = this_cpu_ptr(newstats);
1856 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1857 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1863 static void nft_chain_stats_replace(struct nft_trans *trans)
1865 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1867 if (!nft_trans_chain_stats(trans))
1870 nft_trans_chain_stats(trans) =
1871 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1872 lockdep_commit_lock_is_held(trans->ctx.net));
1874 if (!nft_trans_chain_stats(trans))
1875 static_branch_inc(&nft_counters_enabled);
1878 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1880 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
1881 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
1887 /* should be NULL either via abort or via successful commit */
1888 WARN_ON_ONCE(chain->blob_next);
1889 kvfree(chain->blob_next);
1892 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1894 struct nft_chain *chain = ctx->chain;
1895 struct nft_hook *hook, *next;
1897 if (WARN_ON(chain->use > 0))
1900 /* no concurrent access possible anymore */
1901 nf_tables_chain_free_chain_rules(chain);
1903 if (nft_is_base_chain(chain)) {
1904 struct nft_base_chain *basechain = nft_base_chain(chain);
1906 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1907 list_for_each_entry_safe(hook, next,
1908 &basechain->hook_list, list) {
1909 list_del_rcu(&hook->list);
1910 kfree_rcu(hook, rcu);
1913 module_put(basechain->type->owner);
1914 if (rcu_access_pointer(basechain->stats)) {
1915 static_branch_dec(&nft_counters_enabled);
1916 free_percpu(rcu_dereference_raw(basechain->stats));
1919 kfree(chain->udata);
1923 kfree(chain->udata);
1928 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1929 const struct nlattr *attr)
1931 struct net_device *dev;
1932 char ifname[IFNAMSIZ];
1933 struct nft_hook *hook;
1936 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
1939 goto err_hook_alloc;
1942 nla_strscpy(ifname, attr, IFNAMSIZ);
1943 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1944 * indirectly serializing all the other holders of the commit_mutex with
1947 dev = __dev_get_by_name(net, ifname);
1952 hook->ops.dev = dev;
1959 return ERR_PTR(err);
1962 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1963 const struct nft_hook *this)
1965 struct nft_hook *hook;
1967 list_for_each_entry(hook, hook_list, list) {
1968 if (this->ops.dev == hook->ops.dev)
1975 static int nf_tables_parse_netdev_hooks(struct net *net,
1976 const struct nlattr *attr,
1977 struct list_head *hook_list,
1978 struct netlink_ext_ack *extack)
1980 struct nft_hook *hook, *next;
1981 const struct nlattr *tmp;
1982 int rem, n = 0, err;
1984 nla_for_each_nested(tmp, attr, rem) {
1985 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1990 hook = nft_netdev_hook_alloc(net, tmp);
1992 NL_SET_BAD_ATTR(extack, tmp);
1993 err = PTR_ERR(hook);
1996 if (nft_hook_list_find(hook_list, hook)) {
1997 NL_SET_BAD_ATTR(extack, tmp);
2002 list_add_tail(&hook->list, hook_list);
2005 if (n == NFT_NETDEVICE_MAX) {
2014 list_for_each_entry_safe(hook, next, hook_list, list) {
2015 list_del(&hook->list);
2021 struct nft_chain_hook {
2024 const struct nft_chain_type *type;
2025 struct list_head list;
2028 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2029 struct list_head *hook_list,
2030 struct netlink_ext_ack *extack, u32 flags)
2032 struct nft_hook *hook;
2035 if (tb[NFTA_HOOK_DEV]) {
2036 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2038 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2039 return PTR_ERR(hook);
2042 list_add_tail(&hook->list, hook_list);
2043 } else if (tb[NFTA_HOOK_DEVS]) {
2044 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2051 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2052 list_empty(hook_list))
2058 static int nft_chain_parse_hook(struct net *net,
2059 struct nft_base_chain *basechain,
2060 const struct nlattr * const nla[],
2061 struct nft_chain_hook *hook, u8 family,
2062 u32 flags, struct netlink_ext_ack *extack)
2064 struct nftables_pernet *nft_net = nft_pernet(net);
2065 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2066 const struct nft_chain_type *type;
2069 lockdep_assert_held(&nft_net->commit_mutex);
2070 lockdep_nfnl_nft_mutex_not_held();
2072 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2073 nla[NFTA_CHAIN_HOOK],
2074 nft_hook_policy, NULL);
2079 if (!ha[NFTA_HOOK_HOOKNUM] ||
2080 !ha[NFTA_HOOK_PRIORITY]) {
2081 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2085 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2086 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2088 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2092 if (nla[NFTA_CHAIN_TYPE]) {
2093 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2096 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2097 return PTR_ERR(type);
2100 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2103 if (type->type == NFT_CHAIN_T_NAT &&
2104 hook->priority <= NF_IP_PRI_CONNTRACK)
2107 if (ha[NFTA_HOOK_HOOKNUM]) {
2108 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2109 if (hook->num != basechain->ops.hooknum)
2112 if (ha[NFTA_HOOK_PRIORITY]) {
2113 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2114 if (hook->priority != basechain->ops.priority)
2118 type = basechain->type;
2121 if (!try_module_get(type->owner)) {
2122 if (nla[NFTA_CHAIN_TYPE])
2123 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2129 INIT_LIST_HEAD(&hook->list);
2130 if (nft_base_chain_netdev(family, hook->num)) {
2131 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2133 module_put(type->owner);
2136 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2137 module_put(type->owner);
2144 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2146 struct nft_hook *h, *next;
2148 list_for_each_entry_safe(h, next, &hook->list, list) {
2152 module_put(hook->type->owner);
2155 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2157 struct nft_rule_dp_last *lrule;
2159 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2161 lrule = (struct nft_rule_dp_last *)ptr;
2162 lrule->end.is_last = 1;
2163 lrule->chain = chain;
2164 /* blob size does not include the trailer rule */
2167 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2170 struct nft_rule_blob *blob;
2175 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2177 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2182 nft_last_rule(chain, blob->data);
2187 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2188 const struct nft_chain_hook *hook,
2189 struct nft_chain *chain)
2192 ops->hooknum = hook->num;
2193 ops->priority = hook->priority;
2195 ops->hook = hook->type->hooks[ops->hooknum];
2196 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2199 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2200 struct nft_chain_hook *hook, u32 flags)
2202 struct nft_chain *chain;
2205 basechain->type = hook->type;
2206 INIT_LIST_HEAD(&basechain->hook_list);
2207 chain = &basechain->chain;
2209 if (nft_base_chain_netdev(family, hook->num)) {
2210 list_splice_init(&hook->list, &basechain->hook_list);
2211 list_for_each_entry(h, &basechain->hook_list, list)
2212 nft_basechain_hook_init(&h->ops, family, hook, chain);
2214 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2216 chain->flags |= NFT_CHAIN_BASE | flags;
2217 basechain->policy = NF_ACCEPT;
2218 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2219 !nft_chain_offload_support(basechain)) {
2220 list_splice_init(&basechain->hook_list, &hook->list);
2224 flow_block_init(&basechain->flow_block);
2229 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2233 err = rhltable_insert_key(&table->chains_ht, chain->name,
2234 &chain->rhlhead, nft_chain_ht_params);
2238 list_add_tail_rcu(&chain->list, &table->chains);
2243 static u64 chain_id;
2245 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2246 u8 policy, u32 flags,
2247 struct netlink_ext_ack *extack)
2249 const struct nlattr * const *nla = ctx->nla;
2250 struct nft_table *table = ctx->table;
2251 struct nft_base_chain *basechain;
2252 struct net *net = ctx->net;
2253 char name[NFT_NAME_MAXLEN];
2254 struct nft_rule_blob *blob;
2255 struct nft_trans *trans;
2256 struct nft_chain *chain;
2259 if (table->use == UINT_MAX)
2262 if (nla[NFTA_CHAIN_HOOK]) {
2263 struct nft_stats __percpu *stats = NULL;
2264 struct nft_chain_hook hook = {};
2266 if (flags & NFT_CHAIN_BINDING)
2269 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2274 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2275 if (basechain == NULL) {
2276 nft_chain_release_hook(&hook);
2279 chain = &basechain->chain;
2281 if (nla[NFTA_CHAIN_COUNTERS]) {
2282 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2283 if (IS_ERR(stats)) {
2284 nft_chain_release_hook(&hook);
2286 return PTR_ERR(stats);
2288 rcu_assign_pointer(basechain->stats, stats);
2291 err = nft_basechain_init(basechain, family, &hook, flags);
2293 nft_chain_release_hook(&hook);
2299 static_branch_inc(&nft_counters_enabled);
2301 if (flags & NFT_CHAIN_BASE)
2303 if (flags & NFT_CHAIN_HW_OFFLOAD)
2306 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2310 chain->flags = flags;
2314 INIT_LIST_HEAD(&chain->rules);
2315 chain->handle = nf_tables_alloc_handle(table);
2316 chain->table = table;
2318 if (nla[NFTA_CHAIN_NAME]) {
2319 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2321 if (!(flags & NFT_CHAIN_BINDING)) {
2323 goto err_destroy_chain;
2326 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2327 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2332 goto err_destroy_chain;
2335 if (nla[NFTA_CHAIN_USERDATA]) {
2336 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2337 if (chain->udata == NULL) {
2339 goto err_destroy_chain;
2341 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2344 blob = nf_tables_chain_alloc_rules(chain, 0);
2347 goto err_destroy_chain;
2350 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2351 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2353 err = nf_tables_register_hook(net, table, chain);
2355 goto err_destroy_chain;
2357 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2358 if (IS_ERR(trans)) {
2359 err = PTR_ERR(trans);
2360 goto err_unregister_hook;
2363 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2364 if (nft_is_base_chain(chain))
2365 nft_trans_chain_policy(trans) = policy;
2367 err = nft_chain_add(table, chain);
2369 nft_trans_destroy(trans);
2370 goto err_unregister_hook;
2376 err_unregister_hook:
2377 nf_tables_unregister_hook(net, table, chain);
2379 nf_tables_chain_destroy(ctx);
2384 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2385 u32 flags, const struct nlattr *attr,
2386 struct netlink_ext_ack *extack)
2388 const struct nlattr * const *nla = ctx->nla;
2389 struct nft_base_chain *basechain = NULL;
2390 struct nft_table *table = ctx->table;
2391 struct nft_chain *chain = ctx->chain;
2392 struct nft_chain_hook hook = {};
2393 struct nft_stats *stats = NULL;
2394 struct nft_hook *h, *next;
2395 struct nf_hook_ops *ops;
2396 struct nft_trans *trans;
2397 bool unregister = false;
2400 if (chain->flags ^ flags)
2403 INIT_LIST_HEAD(&hook.list);
2405 if (nla[NFTA_CHAIN_HOOK]) {
2406 if (!nft_is_base_chain(chain)) {
2407 NL_SET_BAD_ATTR(extack, attr);
2411 basechain = nft_base_chain(chain);
2412 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2413 ctx->family, flags, extack);
2417 if (basechain->type != hook.type) {
2418 nft_chain_release_hook(&hook);
2419 NL_SET_BAD_ATTR(extack, attr);
2423 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2424 list_for_each_entry_safe(h, next, &hook.list, list) {
2425 h->ops.pf = basechain->ops.pf;
2426 h->ops.hooknum = basechain->ops.hooknum;
2427 h->ops.priority = basechain->ops.priority;
2428 h->ops.priv = basechain->ops.priv;
2429 h->ops.hook = basechain->ops.hook;
2431 if (nft_hook_list_find(&basechain->hook_list, h)) {
2437 ops = &basechain->ops;
2438 if (ops->hooknum != hook.num ||
2439 ops->priority != hook.priority) {
2440 nft_chain_release_hook(&hook);
2441 NL_SET_BAD_ATTR(extack, attr);
2447 if (nla[NFTA_CHAIN_HANDLE] &&
2448 nla[NFTA_CHAIN_NAME]) {
2449 struct nft_chain *chain2;
2451 chain2 = nft_chain_lookup(ctx->net, table,
2452 nla[NFTA_CHAIN_NAME], genmask);
2453 if (!IS_ERR(chain2)) {
2454 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2460 if (nla[NFTA_CHAIN_COUNTERS]) {
2461 if (!nft_is_base_chain(chain)) {
2466 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2467 if (IS_ERR(stats)) {
2468 err = PTR_ERR(stats);
2473 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2474 nft_is_base_chain(chain) &&
2475 !list_empty(&hook.list)) {
2476 basechain = nft_base_chain(chain);
2477 ops = &basechain->ops;
2479 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2480 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2488 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2489 sizeof(struct nft_trans_chain));
2493 nft_trans_chain_stats(trans) = stats;
2494 nft_trans_chain_update(trans) = true;
2496 if (nla[NFTA_CHAIN_POLICY])
2497 nft_trans_chain_policy(trans) = policy;
2499 nft_trans_chain_policy(trans) = -1;
2501 if (nla[NFTA_CHAIN_HANDLE] &&
2502 nla[NFTA_CHAIN_NAME]) {
2503 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2504 struct nft_trans *tmp;
2508 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2513 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2514 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2515 tmp->ctx.table == table &&
2516 nft_trans_chain_update(tmp) &&
2517 nft_trans_chain_name(tmp) &&
2518 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2519 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2525 nft_trans_chain_name(trans) = name;
2528 nft_trans_basechain(trans) = basechain;
2529 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2530 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2532 nft_trans_commit_list_add_tail(ctx->net, trans);
2540 if (nla[NFTA_CHAIN_HOOK]) {
2541 list_for_each_entry_safe(h, next, &hook.list, list) {
2543 nf_unregister_net_hook(ctx->net, &h->ops);
2547 module_put(hook.type->owner);
2553 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2554 const struct nft_table *table,
2555 const struct nlattr *nla)
2557 struct nftables_pernet *nft_net = nft_pernet(net);
2558 u32 id = ntohl(nla_get_be32(nla));
2559 struct nft_trans *trans;
2561 list_for_each_entry(trans, &nft_net->commit_list, list) {
2562 struct nft_chain *chain = trans->ctx.chain;
2564 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2565 chain->table == table &&
2566 id == nft_trans_chain_id(trans))
2569 return ERR_PTR(-ENOENT);
2572 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2573 const struct nlattr * const nla[])
2575 struct nftables_pernet *nft_net = nft_pernet(info->net);
2576 struct netlink_ext_ack *extack = info->extack;
2577 u8 genmask = nft_genmask_next(info->net);
2578 u8 family = info->nfmsg->nfgen_family;
2579 struct nft_chain *chain = NULL;
2580 struct net *net = info->net;
2581 const struct nlattr *attr;
2582 struct nft_table *table;
2583 u8 policy = NF_ACCEPT;
2588 lockdep_assert_held(&nft_net->commit_mutex);
2590 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2591 NETLINK_CB(skb).portid);
2592 if (IS_ERR(table)) {
2593 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2594 return PTR_ERR(table);
2598 attr = nla[NFTA_CHAIN_NAME];
2600 if (nla[NFTA_CHAIN_HANDLE]) {
2601 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2602 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2603 if (IS_ERR(chain)) {
2604 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2605 return PTR_ERR(chain);
2607 attr = nla[NFTA_CHAIN_HANDLE];
2608 } else if (nla[NFTA_CHAIN_NAME]) {
2609 chain = nft_chain_lookup(net, table, attr, genmask);
2610 if (IS_ERR(chain)) {
2611 if (PTR_ERR(chain) != -ENOENT) {
2612 NL_SET_BAD_ATTR(extack, attr);
2613 return PTR_ERR(chain);
2617 } else if (!nla[NFTA_CHAIN_ID]) {
2621 if (nla[NFTA_CHAIN_POLICY]) {
2622 if (chain != NULL &&
2623 !nft_is_base_chain(chain)) {
2624 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2628 if (chain == NULL &&
2629 nla[NFTA_CHAIN_HOOK] == NULL) {
2630 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2634 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2644 if (nla[NFTA_CHAIN_FLAGS])
2645 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2647 flags = chain->flags;
2649 if (flags & ~NFT_CHAIN_FLAGS)
2652 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2654 if (chain != NULL) {
2655 if (chain->flags & NFT_CHAIN_BINDING)
2658 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2659 NL_SET_BAD_ATTR(extack, attr);
2662 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2665 flags |= chain->flags & NFT_CHAIN_BASE;
2666 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2670 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2673 static int nft_delchain_hook(struct nft_ctx *ctx, struct nft_chain *chain,
2674 struct netlink_ext_ack *extack)
2676 const struct nlattr * const *nla = ctx->nla;
2677 struct nft_chain_hook chain_hook = {};
2678 struct nft_base_chain *basechain;
2679 struct nft_hook *this, *hook;
2680 LIST_HEAD(chain_del_list);
2681 struct nft_trans *trans;
2684 if (!nft_is_base_chain(chain))
2687 basechain = nft_base_chain(chain);
2688 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2689 ctx->family, chain->flags, extack);
2693 list_for_each_entry(this, &chain_hook.list, list) {
2694 hook = nft_hook_list_find(&basechain->hook_list, this);
2697 goto err_chain_del_hook;
2699 list_move(&hook->list, &chain_del_list);
2702 trans = nft_trans_alloc(ctx, NFT_MSG_DELCHAIN,
2703 sizeof(struct nft_trans_chain));
2706 goto err_chain_del_hook;
2709 nft_trans_basechain(trans) = basechain;
2710 nft_trans_chain_update(trans) = true;
2711 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2712 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2713 nft_chain_release_hook(&chain_hook);
2715 nft_trans_commit_list_add_tail(ctx->net, trans);
2720 list_splice(&chain_del_list, &basechain->hook_list);
2721 nft_chain_release_hook(&chain_hook);
2726 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2727 const struct nlattr * const nla[])
2729 struct netlink_ext_ack *extack = info->extack;
2730 u8 genmask = nft_genmask_next(info->net);
2731 u8 family = info->nfmsg->nfgen_family;
2732 struct net *net = info->net;
2733 const struct nlattr *attr;
2734 struct nft_table *table;
2735 struct nft_chain *chain;
2736 struct nft_rule *rule;
2742 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2743 NETLINK_CB(skb).portid);
2744 if (IS_ERR(table)) {
2745 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2746 return PTR_ERR(table);
2749 if (nla[NFTA_CHAIN_HANDLE]) {
2750 attr = nla[NFTA_CHAIN_HANDLE];
2751 handle = be64_to_cpu(nla_get_be64(attr));
2752 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2754 attr = nla[NFTA_CHAIN_NAME];
2755 chain = nft_chain_lookup(net, table, attr, genmask);
2757 if (IS_ERR(chain)) {
2758 if (PTR_ERR(chain) == -ENOENT &&
2759 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2762 NL_SET_BAD_ATTR(extack, attr);
2763 return PTR_ERR(chain);
2766 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2768 if (nla[NFTA_CHAIN_HOOK]) {
2769 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
2772 return nft_delchain_hook(&ctx, chain, extack);
2775 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2780 list_for_each_entry(rule, &chain->rules, list) {
2781 if (!nft_is_active_next(net, rule))
2785 err = nft_delrule(&ctx, rule);
2790 /* There are rules and elements that are still holding references to us,
2791 * we cannot do a recursive removal in this case.
2794 NL_SET_BAD_ATTR(extack, attr);
2798 return nft_delchain(&ctx);
2806 * nft_register_expr - register nf_tables expr type
2809 * Registers the expr type for use with nf_tables. Returns zero on
2810 * success or a negative errno code otherwise.
2812 int nft_register_expr(struct nft_expr_type *type)
2814 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2815 if (type->family == NFPROTO_UNSPEC)
2816 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2818 list_add_rcu(&type->list, &nf_tables_expressions);
2819 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2822 EXPORT_SYMBOL_GPL(nft_register_expr);
2825 * nft_unregister_expr - unregister nf_tables expr type
2828 * Unregisters the expr typefor use with nf_tables.
2830 void nft_unregister_expr(struct nft_expr_type *type)
2832 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2833 list_del_rcu(&type->list);
2834 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2836 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2838 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2841 const struct nft_expr_type *type, *candidate = NULL;
2843 list_for_each_entry(type, &nf_tables_expressions, list) {
2844 if (!nla_strcmp(nla, type->name)) {
2845 if (!type->family && !candidate)
2847 else if (type->family == family)
2854 #ifdef CONFIG_MODULES
2855 static int nft_expr_type_request_module(struct net *net, u8 family,
2858 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2859 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2866 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2870 const struct nft_expr_type *type;
2873 return ERR_PTR(-EINVAL);
2875 type = __nft_expr_type_get(family, nla);
2876 if (type != NULL && try_module_get(type->owner))
2879 lockdep_nfnl_nft_mutex_not_held();
2880 #ifdef CONFIG_MODULES
2882 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2883 return ERR_PTR(-EAGAIN);
2885 if (nft_request_module(net, "nft-expr-%.*s",
2887 (char *)nla_data(nla)) == -EAGAIN)
2888 return ERR_PTR(-EAGAIN);
2891 return ERR_PTR(-ENOENT);
2894 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2895 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2896 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2897 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2900 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2901 const struct nft_expr *expr, bool reset)
2903 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2904 goto nla_put_failure;
2906 if (expr->ops->dump) {
2907 struct nlattr *data = nla_nest_start_noflag(skb,
2910 goto nla_put_failure;
2911 if (expr->ops->dump(skb, expr, reset) < 0)
2912 goto nla_put_failure;
2913 nla_nest_end(skb, data);
2922 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2923 const struct nft_expr *expr, bool reset)
2925 struct nlattr *nest;
2927 nest = nla_nest_start_noflag(skb, attr);
2929 goto nla_put_failure;
2930 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
2931 goto nla_put_failure;
2932 nla_nest_end(skb, nest);
2939 struct nft_expr_info {
2940 const struct nft_expr_ops *ops;
2941 const struct nlattr *attr;
2942 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2945 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2946 const struct nlattr *nla,
2947 struct nft_expr_info *info)
2949 const struct nft_expr_type *type;
2950 const struct nft_expr_ops *ops;
2951 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2954 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2955 nft_expr_policy, NULL);
2959 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2961 return PTR_ERR(type);
2963 if (tb[NFTA_EXPR_DATA]) {
2964 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2966 type->policy, NULL);
2970 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2972 if (type->select_ops != NULL) {
2973 ops = type->select_ops(ctx,
2974 (const struct nlattr * const *)info->tb);
2977 #ifdef CONFIG_MODULES
2979 if (nft_expr_type_request_module(ctx->net,
2981 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2995 module_put(type->owner);
2999 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3000 struct nft_expr_info *info)
3002 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3003 const struct nft_expr_type *type;
3006 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3007 nft_expr_policy, NULL);
3011 if (!tb[NFTA_EXPR_DATA])
3014 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3018 if (!type->inner_ops)
3021 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3023 type->policy, NULL);
3028 info->ops = type->inner_ops;
3036 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3037 const struct nft_expr_info *expr_info,
3038 struct nft_expr *expr)
3040 const struct nft_expr_ops *ops = expr_info->ops;
3045 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3056 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3057 struct nft_expr *expr)
3059 const struct nft_expr_type *type = expr->ops->type;
3061 if (expr->ops->destroy)
3062 expr->ops->destroy(ctx, expr);
3063 module_put(type->owner);
3066 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3067 const struct nlattr *nla)
3069 struct nft_expr_info expr_info;
3070 struct nft_expr *expr;
3071 struct module *owner;
3074 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3076 goto err_expr_parse;
3079 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3080 goto err_expr_stateful;
3083 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3085 goto err_expr_stateful;
3087 err = nf_tables_newexpr(ctx, &expr_info, expr);
3095 owner = expr_info.ops->type->owner;
3096 if (expr_info.ops->type->release_ops)
3097 expr_info.ops->type->release_ops(expr_info.ops);
3101 return ERR_PTR(err);
3104 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
3108 if (src->ops->clone) {
3109 dst->ops = src->ops;
3110 err = src->ops->clone(dst, src);
3114 memcpy(dst, src, src->ops->size);
3117 __module_get(src->ops->type->owner);
3122 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3124 nf_tables_expr_destroy(ctx, expr);
3132 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3135 struct nft_rule *rule;
3137 // FIXME: this sucks
3138 list_for_each_entry_rcu(rule, &chain->rules, list) {
3139 if (handle == rule->handle)
3143 return ERR_PTR(-ENOENT);
3146 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3147 const struct nlattr *nla)
3150 return ERR_PTR(-EINVAL);
3152 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3155 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3156 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3157 .len = NFT_TABLE_MAXNAMELEN - 1 },
3158 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3159 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3160 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3161 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
3162 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3163 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3164 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3165 .len = NFT_USERDATA_MAXLEN },
3166 [NFTA_RULE_ID] = { .type = NLA_U32 },
3167 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3168 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3171 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3172 u32 portid, u32 seq, int event,
3173 u32 flags, int family,
3174 const struct nft_table *table,
3175 const struct nft_chain *chain,
3176 const struct nft_rule *rule, u64 handle,
3179 struct nlmsghdr *nlh;
3180 const struct nft_expr *expr, *next;
3181 struct nlattr *list;
3182 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3184 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3187 goto nla_put_failure;
3189 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3190 goto nla_put_failure;
3191 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3192 goto nla_put_failure;
3193 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3195 goto nla_put_failure;
3197 if (event != NFT_MSG_DELRULE && handle) {
3198 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3200 goto nla_put_failure;
3203 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3204 nft_flow_rule_stats(chain, rule);
3206 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3208 goto nla_put_failure;
3209 nft_rule_for_each_expr(expr, next, rule) {
3210 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3211 goto nla_put_failure;
3213 nla_nest_end(skb, list);
3216 struct nft_userdata *udata = nft_userdata(rule);
3217 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3219 goto nla_put_failure;
3222 nlmsg_end(skb, nlh);
3226 nlmsg_trim(skb, nlh);
3230 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3231 const struct nft_rule *rule, int event)
3233 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3234 const struct nft_rule *prule;
3235 struct sk_buff *skb;
3241 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3244 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3248 if (event == NFT_MSG_NEWRULE &&
3249 !list_is_first(&rule->list, &ctx->chain->rules) &&
3250 !list_is_last(&rule->list, &ctx->chain->rules)) {
3251 prule = list_prev_entry(rule, list);
3252 handle = prule->handle;
3254 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3255 flags |= NLM_F_APPEND;
3256 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3257 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3259 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3260 event, flags, ctx->family, ctx->table,
3261 ctx->chain, rule, handle, false);
3267 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3270 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3273 struct nft_rule_dump_ctx {
3278 static int __nf_tables_dump_rules(struct sk_buff *skb,
3280 struct netlink_callback *cb,
3281 const struct nft_table *table,
3282 const struct nft_chain *chain,
3285 struct net *net = sock_net(skb->sk);
3286 const struct nft_rule *rule, *prule;
3287 unsigned int s_idx = cb->args[0];
3291 list_for_each_entry_rcu(rule, &chain->rules, list) {
3292 if (!nft_is_active(net, rule))
3297 memset(&cb->args[1], 0,
3298 sizeof(cb->args) - sizeof(cb->args[0]));
3301 handle = prule->handle;
3305 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3308 NLM_F_MULTI | NLM_F_APPEND,
3310 table, chain, rule, handle, reset) < 0)
3313 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3322 static int nf_tables_dump_rules(struct sk_buff *skb,
3323 struct netlink_callback *cb)
3325 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3326 const struct nft_rule_dump_ctx *ctx = cb->data;
3327 struct nft_table *table;
3328 const struct nft_chain *chain;
3329 unsigned int idx = 0;
3330 struct net *net = sock_net(skb->sk);
3331 int family = nfmsg->nfgen_family;
3332 struct nftables_pernet *nft_net;
3335 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3339 nft_net = nft_pernet(net);
3340 cb->seq = READ_ONCE(nft_net->base_seq);
3342 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3343 if (family != NFPROTO_UNSPEC && family != table->family)
3346 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
3349 if (ctx && ctx->table && ctx->chain) {
3350 struct rhlist_head *list, *tmp;
3352 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3353 nft_chain_ht_params);
3357 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3358 if (!nft_is_active(net, chain))
3360 __nf_tables_dump_rules(skb, &idx,
3361 cb, table, chain, reset);
3367 list_for_each_entry_rcu(chain, &table->chains, list) {
3368 if (__nf_tables_dump_rules(skb, &idx,
3369 cb, table, chain, reset))
3373 if (ctx && ctx->table)
3383 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3385 const struct nlattr * const *nla = cb->data;
3386 struct nft_rule_dump_ctx *ctx = NULL;
3388 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3389 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3393 if (nla[NFTA_RULE_TABLE]) {
3394 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3401 if (nla[NFTA_RULE_CHAIN]) {
3402 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3416 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3418 struct nft_rule_dump_ctx *ctx = cb->data;
3428 /* called with rcu_read_lock held */
3429 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3430 const struct nlattr * const nla[])
3432 struct netlink_ext_ack *extack = info->extack;
3433 u8 genmask = nft_genmask_cur(info->net);
3434 u8 family = info->nfmsg->nfgen_family;
3435 const struct nft_chain *chain;
3436 const struct nft_rule *rule;
3437 struct net *net = info->net;
3438 struct nft_table *table;
3439 struct sk_buff *skb2;
3443 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3444 struct netlink_dump_control c = {
3445 .start= nf_tables_dump_rules_start,
3446 .dump = nf_tables_dump_rules,
3447 .done = nf_tables_dump_rules_done,
3448 .module = THIS_MODULE,
3449 .data = (void *)nla,
3452 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3455 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3456 if (IS_ERR(table)) {
3457 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3458 return PTR_ERR(table);
3461 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3462 if (IS_ERR(chain)) {
3463 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3464 return PTR_ERR(chain);
3467 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3469 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3470 return PTR_ERR(rule);
3473 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3477 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3480 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3481 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3482 family, table, chain, rule, 0, reset);
3484 goto err_fill_rule_info;
3486 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3493 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3494 struct nft_rule *rule)
3496 struct nft_expr *expr, *next;
3499 * Careful: some expressions might not be initialized in case this
3500 * is called on error from nf_tables_newrule().
3502 expr = nft_expr_first(rule);
3503 while (nft_expr_more(rule, expr)) {
3504 next = nft_expr_next(expr);
3505 nf_tables_expr_destroy(ctx, expr);
3511 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3513 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3514 nf_tables_rule_destroy(ctx, rule);
3517 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3519 struct nft_expr *expr, *last;
3520 const struct nft_data *data;
3521 struct nft_rule *rule;
3524 if (ctx->level == NFT_JUMP_STACK_SIZE)
3527 list_for_each_entry(rule, &chain->rules, list) {
3528 if (!nft_is_active_next(ctx->net, rule))
3531 nft_rule_for_each_expr(expr, last, rule) {
3532 if (!expr->ops->validate)
3535 err = expr->ops->validate(ctx, expr, &data);
3545 EXPORT_SYMBOL_GPL(nft_chain_validate);
3547 static int nft_table_validate(struct net *net, const struct nft_table *table)
3549 struct nft_chain *chain;
3550 struct nft_ctx ctx = {
3552 .family = table->family,
3556 list_for_each_entry(chain, &table->chains, list) {
3557 if (!nft_is_base_chain(chain))
3561 err = nft_chain_validate(&ctx, chain);
3569 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3570 const struct nft_set_iter *iter,
3571 struct nft_set_elem *elem)
3573 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3574 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3575 const struct nft_data *data;
3578 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3579 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3582 data = nft_set_ext_data(ext);
3583 switch (data->verdict.code) {
3587 err = nft_chain_validate(ctx, data->verdict.chain);
3599 struct nft_set_elem_catchall {
3600 struct list_head list;
3601 struct rcu_head rcu;
3605 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3607 u8 genmask = nft_genmask_next(ctx->net);
3608 struct nft_set_elem_catchall *catchall;
3609 struct nft_set_elem elem;
3610 struct nft_set_ext *ext;
3613 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3614 ext = nft_set_elem_ext(set, catchall->elem);
3615 if (!nft_set_elem_active(ext, genmask))
3618 elem.priv = catchall->elem;
3619 ret = nft_setelem_validate(ctx, set, NULL, &elem);
3627 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3628 const struct nft_chain *chain,
3629 const struct nlattr *nla);
3631 #define NFT_RULE_MAXEXPRS 128
3633 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3634 const struct nlattr * const nla[])
3636 struct nftables_pernet *nft_net = nft_pernet(info->net);
3637 struct netlink_ext_ack *extack = info->extack;
3638 unsigned int size, i, n, ulen = 0, usize = 0;
3639 u8 genmask = nft_genmask_next(info->net);
3640 struct nft_rule *rule, *old_rule = NULL;
3641 struct nft_expr_info *expr_info = NULL;
3642 u8 family = info->nfmsg->nfgen_family;
3643 struct nft_flow_rule *flow = NULL;
3644 struct net *net = info->net;
3645 struct nft_userdata *udata;
3646 struct nft_table *table;
3647 struct nft_chain *chain;
3648 struct nft_trans *trans;
3649 u64 handle, pos_handle;
3650 struct nft_expr *expr;
3655 lockdep_assert_held(&nft_net->commit_mutex);
3657 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3658 NETLINK_CB(skb).portid);
3659 if (IS_ERR(table)) {
3660 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3661 return PTR_ERR(table);
3664 if (nla[NFTA_RULE_CHAIN]) {
3665 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3667 if (IS_ERR(chain)) {
3668 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3669 return PTR_ERR(chain);
3671 if (nft_chain_is_bound(chain))
3674 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3675 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]);
3676 if (IS_ERR(chain)) {
3677 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3678 return PTR_ERR(chain);
3684 if (nla[NFTA_RULE_HANDLE]) {
3685 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3686 rule = __nft_rule_lookup(chain, handle);
3688 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3689 return PTR_ERR(rule);
3692 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3693 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3696 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3701 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3702 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3704 handle = nf_tables_alloc_handle(table);
3706 if (chain->use == UINT_MAX)
3709 if (nla[NFTA_RULE_POSITION]) {
3710 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3711 old_rule = __nft_rule_lookup(chain, pos_handle);
3712 if (IS_ERR(old_rule)) {
3713 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3714 return PTR_ERR(old_rule);
3716 } else if (nla[NFTA_RULE_POSITION_ID]) {
3717 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
3718 if (IS_ERR(old_rule)) {
3719 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3720 return PTR_ERR(old_rule);
3725 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3729 if (nla[NFTA_RULE_EXPRESSIONS]) {
3730 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3731 sizeof(struct nft_expr_info),
3736 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3738 if (nla_type(tmp) != NFTA_LIST_ELEM)
3739 goto err_release_expr;
3740 if (n == NFT_RULE_MAXEXPRS)
3741 goto err_release_expr;
3742 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3744 NL_SET_BAD_ATTR(extack, tmp);
3745 goto err_release_expr;
3747 size += expr_info[n].ops->size;
3751 /* Check for overflow of dlen field */
3753 if (size >= 1 << 12)
3754 goto err_release_expr;
3756 if (nla[NFTA_RULE_USERDATA]) {
3757 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3759 usize = sizeof(struct nft_userdata) + ulen;
3763 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
3765 goto err_release_expr;
3767 nft_activate_next(net, rule);
3769 rule->handle = handle;
3771 rule->udata = ulen ? 1 : 0;
3774 udata = nft_userdata(rule);
3775 udata->len = ulen - 1;
3776 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3779 expr = nft_expr_first(rule);
3780 for (i = 0; i < n; i++) {
3781 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
3783 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
3784 goto err_release_rule;
3787 if (expr_info[i].ops->validate)
3788 nft_validate_state_update(table, NFT_VALIDATE_NEED);
3790 expr_info[i].ops = NULL;
3791 expr = nft_expr_next(expr);
3794 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3795 flow = nft_flow_rule_create(net, rule);
3797 err = PTR_ERR(flow);
3798 goto err_release_rule;
3802 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
3803 err = nft_delrule(&ctx, old_rule);
3805 goto err_destroy_flow_rule;
3807 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3808 if (trans == NULL) {
3810 goto err_destroy_flow_rule;
3812 list_add_tail_rcu(&rule->list, &old_rule->list);
3814 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3817 goto err_destroy_flow_rule;
3820 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
3822 list_add_rcu(&rule->list, &old_rule->list);
3824 list_add_tail_rcu(&rule->list, &chain->rules);
3827 list_add_tail_rcu(&rule->list, &old_rule->list);
3829 list_add_rcu(&rule->list, &chain->rules);
3836 nft_trans_flow_rule(trans) = flow;
3838 if (table->validate_state == NFT_VALIDATE_DO)
3839 return nft_table_validate(net, table);
3843 err_destroy_flow_rule:
3845 nft_flow_rule_destroy(flow);
3847 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);
3848 nf_tables_rule_destroy(&ctx, rule);
3850 for (i = 0; i < n; i++) {
3851 if (expr_info[i].ops) {
3852 module_put(expr_info[i].ops->type->owner);
3853 if (expr_info[i].ops->type->release_ops)
3854 expr_info[i].ops->type->release_ops(expr_info[i].ops);
3862 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3863 const struct nft_chain *chain,
3864 const struct nlattr *nla)
3866 struct nftables_pernet *nft_net = nft_pernet(net);
3867 u32 id = ntohl(nla_get_be32(nla));
3868 struct nft_trans *trans;
3870 list_for_each_entry(trans, &nft_net->commit_list, list) {
3871 if (trans->msg_type == NFT_MSG_NEWRULE &&
3872 trans->ctx.chain == chain &&
3873 id == nft_trans_rule_id(trans))
3874 return nft_trans_rule(trans);
3876 return ERR_PTR(-ENOENT);
3879 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
3880 const struct nlattr * const nla[])
3882 struct netlink_ext_ack *extack = info->extack;
3883 u8 genmask = nft_genmask_next(info->net);
3884 u8 family = info->nfmsg->nfgen_family;
3885 struct nft_chain *chain = NULL;
3886 struct net *net = info->net;
3887 struct nft_table *table;
3888 struct nft_rule *rule;
3892 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3893 NETLINK_CB(skb).portid);
3894 if (IS_ERR(table)) {
3895 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3896 return PTR_ERR(table);
3899 if (nla[NFTA_RULE_CHAIN]) {
3900 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3902 if (IS_ERR(chain)) {
3903 if (PTR_ERR(chain) == -ENOENT &&
3904 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
3907 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3908 return PTR_ERR(chain);
3910 if (nft_chain_is_bound(chain))
3914 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3917 if (nla[NFTA_RULE_HANDLE]) {
3918 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3920 if (PTR_ERR(rule) == -ENOENT &&
3921 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
3924 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3925 return PTR_ERR(rule);
3928 err = nft_delrule(&ctx, rule);
3929 } else if (nla[NFTA_RULE_ID]) {
3930 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
3932 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3933 return PTR_ERR(rule);
3936 err = nft_delrule(&ctx, rule);
3938 err = nft_delrule_by_chain(&ctx);
3941 list_for_each_entry(chain, &table->chains, list) {
3942 if (!nft_is_active_next(net, chain))
3946 err = nft_delrule_by_chain(&ctx);
3958 static const struct nft_set_type *nft_set_types[] = {
3959 &nft_set_hash_fast_type,
3961 &nft_set_rhash_type,
3962 &nft_set_bitmap_type,
3963 &nft_set_rbtree_type,
3964 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3965 &nft_set_pipapo_avx2_type,
3967 &nft_set_pipapo_type,
3970 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3971 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3974 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3976 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3980 * Select a set implementation based on the data characteristics and the
3981 * given policy. The total memory use might not be known if no size is
3982 * given, in that case the amount of memory per element is used.
3984 static const struct nft_set_ops *
3985 nft_select_set_ops(const struct nft_ctx *ctx,
3986 const struct nlattr * const nla[],
3987 const struct nft_set_desc *desc)
3989 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3990 const struct nft_set_ops *ops, *bops;
3991 struct nft_set_estimate est, best;
3992 const struct nft_set_type *type;
3996 lockdep_assert_held(&nft_net->commit_mutex);
3997 lockdep_nfnl_nft_mutex_not_held();
3999 if (nla[NFTA_SET_FLAGS] != NULL)
4000 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4007 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4008 type = nft_set_types[i];
4011 if (!nft_set_ops_candidate(type, flags))
4013 if (!ops->estimate(desc, flags, &est))
4016 switch (desc->policy) {
4017 case NFT_SET_POL_PERFORMANCE:
4018 if (est.lookup < best.lookup)
4020 if (est.lookup == best.lookup &&
4021 est.space < best.space)
4024 case NFT_SET_POL_MEMORY:
4026 if (est.space < best.space)
4028 if (est.space == best.space &&
4029 est.lookup < best.lookup)
4031 } else if (est.size < best.size || !bops) {
4046 return ERR_PTR(-EOPNOTSUPP);
4049 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4050 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4051 .len = NFT_TABLE_MAXNAMELEN - 1 },
4052 [NFTA_SET_NAME] = { .type = NLA_STRING,
4053 .len = NFT_SET_MAXNAMELEN - 1 },
4054 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4055 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4056 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4057 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4058 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4059 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4060 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4061 [NFTA_SET_ID] = { .type = NLA_U32 },
4062 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4063 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4064 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4065 .len = NFT_USERDATA_MAXLEN },
4066 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4067 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4068 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4069 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
4072 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4073 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4074 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
4077 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4078 const struct nlattr *nla, u8 genmask)
4080 struct nft_set *set;
4083 return ERR_PTR(-EINVAL);
4085 list_for_each_entry_rcu(set, &table->sets, list) {
4086 if (!nla_strcmp(nla, set->name) &&
4087 nft_active_genmask(set, genmask))
4090 return ERR_PTR(-ENOENT);
4093 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4094 const struct nlattr *nla,
4097 struct nft_set *set;
4099 list_for_each_entry(set, &table->sets, list) {
4100 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4101 nft_active_genmask(set, genmask))
4104 return ERR_PTR(-ENOENT);
4107 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4108 const struct nft_table *table,
4109 const struct nlattr *nla, u8 genmask)
4111 struct nftables_pernet *nft_net = nft_pernet(net);
4112 u32 id = ntohl(nla_get_be32(nla));
4113 struct nft_trans *trans;
4115 list_for_each_entry(trans, &nft_net->commit_list, list) {
4116 if (trans->msg_type == NFT_MSG_NEWSET) {
4117 struct nft_set *set = nft_trans_set(trans);
4119 if (id == nft_trans_set_id(trans) &&
4120 set->table == table &&
4121 nft_active_genmask(set, genmask))
4125 return ERR_PTR(-ENOENT);
4128 struct nft_set *nft_set_lookup_global(const struct net *net,
4129 const struct nft_table *table,
4130 const struct nlattr *nla_set_name,
4131 const struct nlattr *nla_set_id,
4134 struct nft_set *set;
4136 set = nft_set_lookup(table, nla_set_name, genmask);
4141 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4145 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4147 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4150 const struct nft_set *i;
4152 unsigned long *inuse;
4153 unsigned int n = 0, min = 0;
4155 p = strchr(name, '%');
4157 if (p[1] != 'd' || strchr(p + 2, '%'))
4160 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4164 list_for_each_entry(i, &ctx->table->sets, list) {
4167 if (!nft_is_active_next(ctx->net, i))
4169 if (!sscanf(i->name, name, &tmp))
4171 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4174 set_bit(tmp - min, inuse);
4177 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4178 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4179 min += BITS_PER_BYTE * PAGE_SIZE;
4180 memset(inuse, 0, PAGE_SIZE);
4183 free_page((unsigned long)inuse);
4186 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4190 list_for_each_entry(i, &ctx->table->sets, list) {
4191 if (!nft_is_active_next(ctx->net, i))
4193 if (!strcmp(set->name, i->name)) {
4202 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4204 u64 ms = be64_to_cpu(nla_get_be64(nla));
4205 u64 max = (u64)(~((u64)0));
4207 max = div_u64(max, NSEC_PER_MSEC);
4211 ms *= NSEC_PER_MSEC;
4212 *result = nsecs_to_jiffies64(ms);
4216 __be64 nf_jiffies64_to_msecs(u64 input)
4218 return cpu_to_be64(jiffies64_to_msecs(input));
4221 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4222 const struct nft_set *set)
4224 struct nlattr *concat, *field;
4227 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4231 for (i = 0; i < set->field_count; i++) {
4232 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4236 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4237 htonl(set->field_len[i])))
4240 nla_nest_end(skb, field);
4243 nla_nest_end(skb, concat);
4248 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4249 const struct nft_set *set, u16 event, u16 flags)
4251 u64 timeout = READ_ONCE(set->timeout);
4252 u32 gc_int = READ_ONCE(set->gc_int);
4253 u32 portid = ctx->portid;
4254 struct nlmsghdr *nlh;
4255 struct nlattr *nest;
4259 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4260 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4261 NFNETLINK_V0, nft_base_seq(ctx->net));
4263 goto nla_put_failure;
4265 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4266 goto nla_put_failure;
4267 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4268 goto nla_put_failure;
4269 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4271 goto nla_put_failure;
4273 if (event == NFT_MSG_DELSET) {
4274 nlmsg_end(skb, nlh);
4278 if (set->flags != 0)
4279 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4280 goto nla_put_failure;
4282 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4283 goto nla_put_failure;
4284 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4285 goto nla_put_failure;
4286 if (set->flags & NFT_SET_MAP) {
4287 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4288 goto nla_put_failure;
4289 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4290 goto nla_put_failure;
4292 if (set->flags & NFT_SET_OBJECT &&
4293 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4294 goto nla_put_failure;
4297 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4298 nf_jiffies64_to_msecs(timeout),
4300 goto nla_put_failure;
4302 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4303 goto nla_put_failure;
4305 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4306 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4307 goto nla_put_failure;
4311 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4312 goto nla_put_failure;
4314 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4316 goto nla_put_failure;
4318 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4319 goto nla_put_failure;
4321 if (set->field_count > 1 &&
4322 nf_tables_fill_set_concat(skb, set))
4323 goto nla_put_failure;
4325 nla_nest_end(skb, nest);
4327 if (set->num_exprs == 1) {
4328 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4329 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4330 goto nla_put_failure;
4332 nla_nest_end(skb, nest);
4333 } else if (set->num_exprs > 1) {
4334 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4336 goto nla_put_failure;
4338 for (i = 0; i < set->num_exprs; i++) {
4339 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4340 set->exprs[i], false) < 0)
4341 goto nla_put_failure;
4343 nla_nest_end(skb, nest);
4346 nlmsg_end(skb, nlh);
4350 nlmsg_trim(skb, nlh);
4354 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4355 const struct nft_set *set, int event,
4358 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4359 u32 portid = ctx->portid;
4360 struct sk_buff *skb;
4365 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4368 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4372 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4373 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4375 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4381 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4384 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4387 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4389 const struct nft_set *set;
4390 unsigned int idx, s_idx = cb->args[0];
4391 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4392 struct net *net = sock_net(skb->sk);
4393 struct nft_ctx *ctx = cb->data, ctx_set;
4394 struct nftables_pernet *nft_net;
4400 nft_net = nft_pernet(net);
4401 cb->seq = READ_ONCE(nft_net->base_seq);
4403 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4404 if (ctx->family != NFPROTO_UNSPEC &&
4405 ctx->family != table->family)
4408 if (ctx->table && ctx->table != table)
4412 if (cur_table != table)
4418 list_for_each_entry_rcu(set, &table->sets, list) {
4421 if (!nft_is_active(net, set))
4425 ctx_set.table = table;
4426 ctx_set.family = table->family;
4428 if (nf_tables_fill_set(skb, &ctx_set, set,
4432 cb->args[2] = (unsigned long) table;
4435 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4448 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4450 struct nft_ctx *ctx_dump = NULL;
4452 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4453 if (ctx_dump == NULL)
4456 cb->data = ctx_dump;
4460 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4466 /* called with rcu_read_lock held */
4467 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4468 const struct nlattr * const nla[])
4470 struct netlink_ext_ack *extack = info->extack;
4471 u8 genmask = nft_genmask_cur(info->net);
4472 u8 family = info->nfmsg->nfgen_family;
4473 struct nft_table *table = NULL;
4474 struct net *net = info->net;
4475 const struct nft_set *set;
4476 struct sk_buff *skb2;
4480 if (nla[NFTA_SET_TABLE]) {
4481 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4483 if (IS_ERR(table)) {
4484 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4485 return PTR_ERR(table);
4489 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4491 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4492 struct netlink_dump_control c = {
4493 .start = nf_tables_dump_sets_start,
4494 .dump = nf_tables_dump_sets,
4495 .done = nf_tables_dump_sets_done,
4497 .module = THIS_MODULE,
4500 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4503 /* Only accept unspec with dump */
4504 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4505 return -EAFNOSUPPORT;
4506 if (!nla[NFTA_SET_TABLE])
4509 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4511 return PTR_ERR(set);
4513 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4517 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4519 goto err_fill_set_info;
4521 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4528 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4529 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4532 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4533 struct nft_set_desc *desc)
4535 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4539 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4542 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4543 nft_concat_policy, NULL);
4547 if (!tb[NFTA_SET_FIELD_LEN])
4550 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4551 if (!len || len > U8_MAX)
4554 desc->field_len[desc->field_count++] = len;
4559 static int nft_set_desc_concat(struct nft_set_desc *desc,
4560 const struct nlattr *nla)
4562 struct nlattr *attr;
4566 nla_for_each_nested(attr, nla, rem) {
4567 if (nla_type(attr) != NFTA_LIST_ELEM)
4570 err = nft_set_desc_concat_parse(attr, desc);
4575 for (i = 0; i < desc->field_count; i++)
4576 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4578 if (num_regs > NFT_REG32_COUNT)
4584 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4585 const struct nlattr *nla)
4587 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4590 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4591 nft_set_desc_policy, NULL);
4595 if (da[NFTA_SET_DESC_SIZE] != NULL)
4596 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4597 if (da[NFTA_SET_DESC_CONCAT])
4598 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4603 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4604 const struct nlattr * const *nla,
4605 struct nft_expr **exprs, int *num_exprs,
4608 struct nft_expr *expr;
4611 if (nla[NFTA_SET_EXPR]) {
4612 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4614 err = PTR_ERR(expr);
4615 goto err_set_expr_alloc;
4619 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4623 if (!(flags & NFT_SET_EXPR)) {
4625 goto err_set_expr_alloc;
4628 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4629 if (i == NFT_SET_EXPR_MAX) {
4631 goto err_set_expr_alloc;
4633 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4635 goto err_set_expr_alloc;
4637 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4639 err = PTR_ERR(expr);
4640 goto err_set_expr_alloc;
4650 for (i = 0; i < *num_exprs; i++)
4651 nft_expr_destroy(ctx, exprs[i]);
4656 static bool nft_set_is_same(const struct nft_set *set,
4657 const struct nft_set_desc *desc,
4658 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4662 if (set->ktype != desc->ktype ||
4663 set->dtype != desc->dtype ||
4664 set->flags != flags ||
4665 set->klen != desc->klen ||
4666 set->dlen != desc->dlen ||
4667 set->field_count != desc->field_count ||
4668 set->num_exprs != num_exprs)
4671 for (i = 0; i < desc->field_count; i++) {
4672 if (set->field_len[i] != desc->field_len[i])
4676 for (i = 0; i < num_exprs; i++) {
4677 if (set->exprs[i]->ops != exprs[i]->ops)
4684 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4685 const struct nlattr * const nla[])
4687 struct netlink_ext_ack *extack = info->extack;
4688 u8 genmask = nft_genmask_next(info->net);
4689 u8 family = info->nfmsg->nfgen_family;
4690 const struct nft_set_ops *ops;
4691 struct net *net = info->net;
4692 struct nft_set_desc desc;
4693 struct nft_table *table;
4694 unsigned char *udata;
4695 struct nft_set *set;
4705 if (nla[NFTA_SET_TABLE] == NULL ||
4706 nla[NFTA_SET_NAME] == NULL ||
4707 nla[NFTA_SET_KEY_LEN] == NULL ||
4708 nla[NFTA_SET_ID] == NULL)
4711 memset(&desc, 0, sizeof(desc));
4713 desc.ktype = NFT_DATA_VALUE;
4714 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4715 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4716 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4720 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4721 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4725 if (nla[NFTA_SET_FLAGS] != NULL) {
4726 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4727 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4728 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4729 NFT_SET_MAP | NFT_SET_EVAL |
4730 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4732 /* Only one of these operations is supported */
4733 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4734 (NFT_SET_MAP | NFT_SET_OBJECT))
4736 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4737 (NFT_SET_EVAL | NFT_SET_OBJECT))
4742 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4743 if (!(flags & NFT_SET_MAP))
4746 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4747 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4748 desc.dtype != NFT_DATA_VERDICT)
4751 if (desc.dtype != NFT_DATA_VERDICT) {
4752 if (nla[NFTA_SET_DATA_LEN] == NULL)
4754 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4755 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4758 desc.dlen = sizeof(struct nft_verdict);
4759 } else if (flags & NFT_SET_MAP)
4762 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4763 if (!(flags & NFT_SET_OBJECT))
4766 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4767 if (desc.objtype == NFT_OBJECT_UNSPEC ||
4768 desc.objtype > NFT_OBJECT_MAX)
4770 } else if (flags & NFT_SET_OBJECT)
4773 desc.objtype = NFT_OBJECT_UNSPEC;
4776 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4777 if (!(flags & NFT_SET_TIMEOUT))
4780 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
4785 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4786 if (!(flags & NFT_SET_TIMEOUT))
4788 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4791 desc.policy = NFT_SET_POL_PERFORMANCE;
4792 if (nla[NFTA_SET_POLICY] != NULL)
4793 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4795 if (nla[NFTA_SET_DESC] != NULL) {
4796 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4800 if (desc.field_count > 1 && !(flags & NFT_SET_CONCAT))
4802 } else if (flags & NFT_SET_CONCAT) {
4806 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4809 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4810 NETLINK_CB(skb).portid);
4811 if (IS_ERR(table)) {
4812 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4813 return PTR_ERR(table);
4816 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4818 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4820 if (PTR_ERR(set) != -ENOENT) {
4821 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4822 return PTR_ERR(set);
4825 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
4827 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4828 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4831 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4834 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
4839 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
4840 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4844 for (i = 0; i < num_exprs; i++)
4845 nft_expr_destroy(&ctx, exprs[i]);
4850 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
4853 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
4856 ops = nft_select_set_ops(&ctx, nla, &desc);
4858 return PTR_ERR(ops);
4861 if (nla[NFTA_SET_USERDATA])
4862 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4865 if (ops->privsize != NULL)
4866 size = ops->privsize(nla, &desc);
4867 alloc_size = sizeof(*set) + size + udlen;
4868 if (alloc_size < size || alloc_size > INT_MAX)
4870 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
4874 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
4880 err = nf_tables_set_alloc_name(&ctx, set, name);
4887 udata = set->data + size;
4888 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4891 INIT_LIST_HEAD(&set->bindings);
4892 INIT_LIST_HEAD(&set->catchall_list);
4894 write_pnet(&set->net, net);
4896 set->ktype = desc.ktype;
4897 set->klen = desc.klen;
4898 set->dtype = desc.dtype;
4899 set->objtype = desc.objtype;
4900 set->dlen = desc.dlen;
4902 set->size = desc.size;
4903 set->policy = desc.policy;
4906 set->timeout = desc.timeout;
4907 set->gc_int = desc.gc_int;
4909 set->field_count = desc.field_count;
4910 for (i = 0; i < desc.field_count; i++)
4911 set->field_len[i] = desc.field_len[i];
4913 err = ops->init(set, &desc, nla);
4917 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
4919 goto err_set_destroy;
4921 set->num_exprs = num_exprs;
4922 set->handle = nf_tables_alloc_handle(table);
4923 INIT_LIST_HEAD(&set->pending_update);
4925 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4927 goto err_set_expr_alloc;
4929 list_add_tail_rcu(&set->list, &table->sets);
4934 for (i = 0; i < set->num_exprs; i++)
4935 nft_expr_destroy(&ctx, set->exprs[i]);
4945 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
4946 struct nft_set *set)
4948 struct nft_set_elem_catchall *next, *catchall;
4950 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
4951 list_del_rcu(&catchall->list);
4952 nft_set_elem_destroy(set, catchall->elem, true);
4953 kfree_rcu(catchall, rcu);
4957 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4961 if (WARN_ON(set->use > 0))
4964 for (i = 0; i < set->num_exprs; i++)
4965 nft_expr_destroy(ctx, set->exprs[i]);
4967 set->ops->destroy(set);
4968 nft_set_catchall_destroy(ctx, set);
4973 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
4974 const struct nlattr * const nla[])
4976 struct netlink_ext_ack *extack = info->extack;
4977 u8 genmask = nft_genmask_next(info->net);
4978 u8 family = info->nfmsg->nfgen_family;
4979 struct net *net = info->net;
4980 const struct nlattr *attr;
4981 struct nft_table *table;
4982 struct nft_set *set;
4985 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4986 return -EAFNOSUPPORT;
4988 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4989 genmask, NETLINK_CB(skb).portid);
4990 if (IS_ERR(table)) {
4991 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4992 return PTR_ERR(table);
4995 if (nla[NFTA_SET_HANDLE]) {
4996 attr = nla[NFTA_SET_HANDLE];
4997 set = nft_set_lookup_byhandle(table, attr, genmask);
4999 attr = nla[NFTA_SET_NAME];
5000 set = nft_set_lookup(table, attr, genmask);
5004 if (PTR_ERR(set) == -ENOENT &&
5005 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5008 NL_SET_BAD_ATTR(extack, attr);
5009 return PTR_ERR(set);
5012 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5013 atomic_read(&set->nelems) > 0)) {
5014 NL_SET_BAD_ATTR(extack, attr);
5018 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5020 return nft_delset(&ctx, set);
5023 static int nft_validate_register_store(const struct nft_ctx *ctx,
5024 enum nft_registers reg,
5025 const struct nft_data *data,
5026 enum nft_data_types type,
5029 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5030 struct nft_set *set,
5031 struct nft_set_elem *elem)
5033 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5034 enum nft_registers dreg;
5036 dreg = nft_type_to_reg(set->dtype);
5037 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5038 set->dtype == NFT_DATA_VERDICT ?
5039 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5043 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5044 struct nft_set *set,
5045 const struct nft_set_iter *iter,
5046 struct nft_set_elem *elem)
5048 return nft_setelem_data_validate(ctx, set, elem);
5051 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5052 struct nft_set *set)
5054 u8 genmask = nft_genmask_next(ctx->net);
5055 struct nft_set_elem_catchall *catchall;
5056 struct nft_set_elem elem;
5057 struct nft_set_ext *ext;
5060 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5061 ext = nft_set_elem_ext(set, catchall->elem);
5062 if (!nft_set_elem_active(ext, genmask))
5065 elem.priv = catchall->elem;
5066 ret = nft_setelem_data_validate(ctx, set, &elem);
5074 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5075 struct nft_set_binding *binding)
5077 struct nft_set_binding *i;
5078 struct nft_set_iter iter;
5080 if (set->use == UINT_MAX)
5083 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5086 if (binding->flags & NFT_SET_MAP) {
5087 /* If the set is already bound to the same chain all
5088 * jumps are already validated for that chain.
5090 list_for_each_entry(i, &set->bindings, list) {
5091 if (i->flags & NFT_SET_MAP &&
5092 i->chain == binding->chain)
5096 iter.genmask = nft_genmask_next(ctx->net);
5100 iter.fn = nf_tables_bind_check_setelem;
5102 set->ops->walk(ctx, set, &iter);
5104 iter.err = nft_set_catchall_bind_check(ctx, set);
5110 binding->chain = ctx->chain;
5111 list_add_tail_rcu(&binding->list, &set->bindings);
5112 nft_set_trans_bind(ctx, set);
5117 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5119 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5120 struct nft_set_binding *binding, bool event)
5122 list_del_rcu(&binding->list);
5124 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5125 list_del_rcu(&set->list);
5127 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5132 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5134 if (nft_set_is_anonymous(set))
5135 nft_clear(ctx->net, set);
5139 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5141 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5142 struct nft_set_binding *binding,
5143 enum nft_trans_phase phase)
5146 case NFT_TRANS_PREPARE:
5147 if (nft_set_is_anonymous(set))
5148 nft_deactivate_next(ctx->net, set);
5152 case NFT_TRANS_ABORT:
5153 case NFT_TRANS_RELEASE:
5157 nf_tables_unbind_set(ctx, set, binding,
5158 phase == NFT_TRANS_COMMIT);
5161 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5163 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5165 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5166 nft_set_destroy(ctx, set);
5168 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5170 const struct nft_set_ext_type nft_set_ext_types[] = {
5171 [NFT_SET_EXT_KEY] = {
5172 .align = __alignof__(u32),
5174 [NFT_SET_EXT_DATA] = {
5175 .align = __alignof__(u32),
5177 [NFT_SET_EXT_EXPRESSIONS] = {
5178 .align = __alignof__(struct nft_set_elem_expr),
5180 [NFT_SET_EXT_OBJREF] = {
5181 .len = sizeof(struct nft_object *),
5182 .align = __alignof__(struct nft_object *),
5184 [NFT_SET_EXT_FLAGS] = {
5186 .align = __alignof__(u8),
5188 [NFT_SET_EXT_TIMEOUT] = {
5190 .align = __alignof__(u64),
5192 [NFT_SET_EXT_EXPIRATION] = {
5194 .align = __alignof__(u64),
5196 [NFT_SET_EXT_USERDATA] = {
5197 .len = sizeof(struct nft_userdata),
5198 .align = __alignof__(struct nft_userdata),
5200 [NFT_SET_EXT_KEY_END] = {
5201 .align = __alignof__(u32),
5209 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5210 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5211 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5212 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5213 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5214 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5215 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5216 .len = NFT_USERDATA_MAXLEN },
5217 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5218 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5219 .len = NFT_OBJ_MAXNAMELEN - 1 },
5220 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5221 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
5224 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5225 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5226 .len = NFT_TABLE_MAXNAMELEN - 1 },
5227 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5228 .len = NFT_SET_MAXNAMELEN - 1 },
5229 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
5230 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5233 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5234 const struct nft_set *set,
5235 const struct nft_set_ext *ext)
5237 struct nft_set_elem_expr *elem_expr;
5238 u32 size, num_exprs = 0;
5239 struct nft_expr *expr;
5240 struct nlattr *nest;
5242 elem_expr = nft_set_ext_expr(ext);
5243 nft_setelem_expr_foreach(expr, elem_expr, size)
5246 if (num_exprs == 1) {
5247 expr = nft_setelem_expr_at(elem_expr, 0);
5248 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, false) < 0)
5252 } else if (num_exprs > 1) {
5253 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5255 goto nla_put_failure;
5257 nft_setelem_expr_foreach(expr, elem_expr, size) {
5258 expr = nft_setelem_expr_at(elem_expr, size);
5259 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, false) < 0)
5260 goto nla_put_failure;
5262 nla_nest_end(skb, nest);
5270 static int nf_tables_fill_setelem(struct sk_buff *skb,
5271 const struct nft_set *set,
5272 const struct nft_set_elem *elem)
5274 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5275 unsigned char *b = skb_tail_pointer(skb);
5276 struct nlattr *nest;
5278 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5280 goto nla_put_failure;
5282 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5283 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5284 NFT_DATA_VALUE, set->klen) < 0)
5285 goto nla_put_failure;
5287 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5288 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5289 NFT_DATA_VALUE, set->klen) < 0)
5290 goto nla_put_failure;
5292 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5293 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5294 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5296 goto nla_put_failure;
5298 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5299 nft_set_elem_expr_dump(skb, set, ext))
5300 goto nla_put_failure;
5302 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5303 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5304 (*nft_set_ext_obj(ext))->key.name) < 0)
5305 goto nla_put_failure;
5307 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5308 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5309 htonl(*nft_set_ext_flags(ext))))
5310 goto nla_put_failure;
5312 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5313 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5314 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5316 goto nla_put_failure;
5318 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5319 u64 expires, now = get_jiffies_64();
5321 expires = *nft_set_ext_expiration(ext);
5322 if (time_before64(now, expires))
5327 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5328 nf_jiffies64_to_msecs(expires),
5330 goto nla_put_failure;
5333 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5334 struct nft_userdata *udata;
5336 udata = nft_set_ext_userdata(ext);
5337 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5338 udata->len + 1, udata->data))
5339 goto nla_put_failure;
5342 nla_nest_end(skb, nest);
5350 struct nft_set_dump_args {
5351 const struct netlink_callback *cb;
5352 struct nft_set_iter iter;
5353 struct sk_buff *skb;
5356 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5357 struct nft_set *set,
5358 const struct nft_set_iter *iter,
5359 struct nft_set_elem *elem)
5361 struct nft_set_dump_args *args;
5363 args = container_of(iter, struct nft_set_dump_args, iter);
5364 return nf_tables_fill_setelem(args->skb, set, elem);
5367 struct nft_set_dump_ctx {
5368 const struct nft_set *set;
5372 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5373 const struct nft_set *set)
5375 struct nft_set_elem_catchall *catchall;
5376 u8 genmask = nft_genmask_cur(net);
5377 struct nft_set_elem elem;
5378 struct nft_set_ext *ext;
5381 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5382 ext = nft_set_elem_ext(set, catchall->elem);
5383 if (!nft_set_elem_active(ext, genmask) ||
5384 nft_set_elem_expired(ext))
5387 elem.priv = catchall->elem;
5388 ret = nf_tables_fill_setelem(skb, set, &elem);
5395 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5397 struct nft_set_dump_ctx *dump_ctx = cb->data;
5398 struct net *net = sock_net(skb->sk);
5399 struct nftables_pernet *nft_net;
5400 struct nft_table *table;
5401 struct nft_set *set;
5402 struct nft_set_dump_args args;
5403 bool set_found = false;
5404 struct nlmsghdr *nlh;
5405 struct nlattr *nest;
5410 nft_net = nft_pernet(net);
5411 cb->seq = READ_ONCE(nft_net->base_seq);
5413 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5414 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5415 dump_ctx->ctx.family != table->family)
5418 if (table != dump_ctx->ctx.table)
5421 list_for_each_entry_rcu(set, &table->sets, list) {
5422 if (set == dump_ctx->set) {
5435 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5436 portid = NETLINK_CB(cb->skb).portid;
5437 seq = cb->nlh->nlmsg_seq;
5439 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5440 table->family, NFNETLINK_V0, nft_base_seq(net));
5442 goto nla_put_failure;
5444 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5445 goto nla_put_failure;
5446 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5447 goto nla_put_failure;
5449 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5451 goto nla_put_failure;
5455 args.iter.genmask = nft_genmask_cur(net);
5456 args.iter.skip = cb->args[0];
5457 args.iter.count = 0;
5459 args.iter.fn = nf_tables_dump_setelem;
5460 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5462 if (!args.iter.err && args.iter.count == cb->args[0])
5463 args.iter.err = nft_set_catchall_dump(net, skb, set);
5466 nla_nest_end(skb, nest);
5467 nlmsg_end(skb, nlh);
5469 if (args.iter.err && args.iter.err != -EMSGSIZE)
5470 return args.iter.err;
5471 if (args.iter.count == cb->args[0])
5474 cb->args[0] = args.iter.count;
5482 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5484 struct nft_set_dump_ctx *dump_ctx = cb->data;
5486 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5488 return cb->data ? 0 : -ENOMEM;
5491 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5497 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5498 const struct nft_ctx *ctx, u32 seq,
5499 u32 portid, int event, u16 flags,
5500 const struct nft_set *set,
5501 const struct nft_set_elem *elem)
5503 struct nlmsghdr *nlh;
5504 struct nlattr *nest;
5507 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5508 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5509 NFNETLINK_V0, nft_base_seq(ctx->net));
5511 goto nla_put_failure;
5513 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5514 goto nla_put_failure;
5515 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5516 goto nla_put_failure;
5518 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5520 goto nla_put_failure;
5522 err = nf_tables_fill_setelem(skb, set, elem);
5524 goto nla_put_failure;
5526 nla_nest_end(skb, nest);
5528 nlmsg_end(skb, nlh);
5532 nlmsg_trim(skb, nlh);
5536 static int nft_setelem_parse_flags(const struct nft_set *set,
5537 const struct nlattr *attr, u32 *flags)
5542 *flags = ntohl(nla_get_be32(attr));
5543 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5545 if (!(set->flags & NFT_SET_INTERVAL) &&
5546 *flags & NFT_SET_ELEM_INTERVAL_END)
5548 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
5549 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5555 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
5556 struct nft_data *key, struct nlattr *attr)
5558 struct nft_data_desc desc = {
5559 .type = NFT_DATA_VALUE,
5560 .size = NFT_DATA_VALUE_MAXLEN,
5564 return nft_data_init(ctx, key, &desc, attr);
5567 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5568 struct nft_data_desc *desc,
5569 struct nft_data *data,
5570 struct nlattr *attr)
5574 if (set->dtype == NFT_DATA_VERDICT)
5575 dtype = NFT_DATA_VERDICT;
5577 dtype = NFT_DATA_VALUE;
5580 desc->size = NFT_DATA_VALUE_MAXLEN;
5581 desc->len = set->dlen;
5582 desc->flags = NFT_DATA_DESC_SETELEM;
5584 return nft_data_init(ctx, data, desc, attr);
5587 static void *nft_setelem_catchall_get(const struct net *net,
5588 const struct nft_set *set)
5590 struct nft_set_elem_catchall *catchall;
5591 u8 genmask = nft_genmask_cur(net);
5592 struct nft_set_ext *ext;
5595 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5596 ext = nft_set_elem_ext(set, catchall->elem);
5597 if (!nft_set_elem_active(ext, genmask) ||
5598 nft_set_elem_expired(ext))
5601 priv = catchall->elem;
5608 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
5609 struct nft_set_elem *elem, u32 flags)
5613 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
5614 priv = set->ops->get(ctx->net, set, elem, flags);
5616 return PTR_ERR(priv);
5618 priv = nft_setelem_catchall_get(ctx->net, set);
5627 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5628 const struct nlattr *attr)
5630 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5631 struct nft_set_elem elem;
5632 struct sk_buff *skb;
5636 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5637 nft_set_elem_policy, NULL);
5641 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5645 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5648 if (nla[NFTA_SET_ELEM_KEY]) {
5649 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5650 nla[NFTA_SET_ELEM_KEY]);
5655 if (nla[NFTA_SET_ELEM_KEY_END]) {
5656 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5657 nla[NFTA_SET_ELEM_KEY_END]);
5662 err = nft_setelem_get(ctx, set, &elem, flags);
5667 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5671 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5672 NFT_MSG_NEWSETELEM, 0, set, &elem);
5674 goto err_fill_setelem;
5676 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5683 /* called with rcu_read_lock held */
5684 static int nf_tables_getsetelem(struct sk_buff *skb,
5685 const struct nfnl_info *info,
5686 const struct nlattr * const nla[])
5688 struct netlink_ext_ack *extack = info->extack;
5689 u8 genmask = nft_genmask_cur(info->net);
5690 u8 family = info->nfmsg->nfgen_family;
5691 struct net *net = info->net;
5692 struct nft_table *table;
5693 struct nft_set *set;
5694 struct nlattr *attr;
5698 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
5700 if (IS_ERR(table)) {
5701 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
5702 return PTR_ERR(table);
5705 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5707 return PTR_ERR(set);
5709 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5711 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5712 struct netlink_dump_control c = {
5713 .start = nf_tables_dump_set_start,
5714 .dump = nf_tables_dump_set,
5715 .done = nf_tables_dump_set_done,
5716 .module = THIS_MODULE,
5718 struct nft_set_dump_ctx dump_ctx = {
5724 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5727 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5730 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5731 err = nft_get_set_elem(&ctx, set, attr);
5733 NL_SET_BAD_ATTR(extack, attr);
5741 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5742 const struct nft_set *set,
5743 const struct nft_set_elem *elem,
5746 struct nftables_pernet *nft_net;
5747 struct net *net = ctx->net;
5748 u32 portid = ctx->portid;
5749 struct sk_buff *skb;
5753 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5756 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5760 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
5761 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
5763 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5770 nft_net = nft_pernet(net);
5771 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5774 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5777 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5779 struct nft_set *set)
5781 struct nft_trans *trans;
5783 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5787 nft_trans_elem_set(trans) = set;
5791 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5792 const struct nft_set *set,
5793 const struct nlattr *attr)
5795 struct nft_expr *expr;
5798 expr = nft_expr_init(ctx, attr);
5803 if (expr->ops->type->flags & NFT_EXPR_GC) {
5804 if (set->flags & NFT_SET_TIMEOUT)
5805 goto err_set_elem_expr;
5806 if (!set->ops->gc_init)
5807 goto err_set_elem_expr;
5808 set->ops->gc_init(set);
5814 nft_expr_destroy(ctx, expr);
5815 return ERR_PTR(err);
5818 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
5820 len += nft_set_ext_types[id].len;
5821 if (len > tmpl->ext_len[id] ||
5828 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
5829 void *to, const void *from, u32 len)
5831 if (nft_set_ext_check(tmpl, id, len) < 0)
5834 memcpy(to, from, len);
5839 void *nft_set_elem_init(const struct nft_set *set,
5840 const struct nft_set_ext_tmpl *tmpl,
5841 const u32 *key, const u32 *key_end,
5842 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5844 struct nft_set_ext *ext;
5847 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5849 return ERR_PTR(-ENOMEM);
5851 ext = nft_set_elem_ext(set, elem);
5852 nft_set_ext_init(ext, tmpl);
5854 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5855 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
5856 nft_set_ext_key(ext), key, set->klen) < 0)
5859 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5860 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
5861 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
5864 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5865 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
5866 nft_set_ext_data(ext), data, set->dlen) < 0)
5869 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5870 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5871 if (expiration == 0)
5872 *nft_set_ext_expiration(ext) += timeout;
5874 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5875 *nft_set_ext_timeout(ext) = timeout;
5882 return ERR_PTR(-EINVAL);
5885 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5886 struct nft_expr *expr)
5888 if (expr->ops->destroy_clone) {
5889 expr->ops->destroy_clone(ctx, expr);
5890 module_put(expr->ops->type->owner);
5892 nf_tables_expr_destroy(ctx, expr);
5896 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5897 struct nft_set_elem_expr *elem_expr)
5899 struct nft_expr *expr;
5902 nft_setelem_expr_foreach(expr, elem_expr, size)
5903 __nft_set_elem_expr_destroy(ctx, expr);
5906 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5909 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5910 struct nft_ctx ctx = {
5911 .net = read_pnet(&set->net),
5912 .family = set->table->family,
5915 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5916 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5917 nft_data_release(nft_set_ext_data(ext), set->dtype);
5918 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5919 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5921 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5922 (*nft_set_ext_obj(ext))->use--;
5925 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5927 /* Only called from commit path, nft_setelem_data_deactivate() already deals
5928 * with the refcounting from the preparation phase.
5930 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5931 const struct nft_set *set, void *elem)
5933 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5935 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5936 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5941 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5942 struct nft_expr *expr_array[])
5944 struct nft_expr *expr;
5947 for (i = 0; i < set->num_exprs; i++) {
5948 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
5952 err = nft_expr_clone(expr, set->exprs[i]);
5957 expr_array[i] = expr;
5963 for (k = i - 1; k >= 0; k--)
5964 nft_expr_destroy(ctx, expr_array[k]);
5969 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
5970 const struct nft_set_ext_tmpl *tmpl,
5971 const struct nft_set_ext *ext,
5972 struct nft_expr *expr_array[],
5975 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5976 u32 len = sizeof(struct nft_set_elem_expr);
5977 struct nft_expr *expr;
5983 for (i = 0; i < num_exprs; i++)
5984 len += expr_array[i]->ops->size;
5986 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
5989 for (i = 0; i < num_exprs; i++) {
5990 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5991 err = nft_expr_clone(expr, expr_array[i]);
5993 goto err_elem_expr_setup;
5995 elem_expr->size += expr_array[i]->ops->size;
5996 nft_expr_destroy(ctx, expr_array[i]);
5997 expr_array[i] = NULL;
6002 err_elem_expr_setup:
6003 for (; i < num_exprs; i++) {
6004 nft_expr_destroy(ctx, expr_array[i]);
6005 expr_array[i] = NULL;
6011 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6012 const struct nft_set *set)
6014 struct nft_set_elem_catchall *catchall;
6015 u8 genmask = nft_genmask_cur(net);
6016 struct nft_set_ext *ext;
6018 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6019 ext = nft_set_elem_ext(set, catchall->elem);
6020 if (nft_set_elem_active(ext, genmask) &&
6021 !nft_set_elem_expired(ext))
6027 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6029 void *nft_set_catchall_gc(const struct nft_set *set)
6031 struct nft_set_elem_catchall *catchall, *next;
6032 struct nft_set_ext *ext;
6035 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6036 ext = nft_set_elem_ext(set, catchall->elem);
6038 if (!nft_set_elem_expired(ext) ||
6039 nft_set_elem_mark_busy(ext))
6042 elem = catchall->elem;
6043 list_del_rcu(&catchall->list);
6044 kfree_rcu(catchall, rcu);
6050 EXPORT_SYMBOL_GPL(nft_set_catchall_gc);
6052 static int nft_setelem_catchall_insert(const struct net *net,
6053 struct nft_set *set,
6054 const struct nft_set_elem *elem,
6055 struct nft_set_ext **pext)
6057 struct nft_set_elem_catchall *catchall;
6058 u8 genmask = nft_genmask_next(net);
6059 struct nft_set_ext *ext;
6061 list_for_each_entry(catchall, &set->catchall_list, list) {
6062 ext = nft_set_elem_ext(set, catchall->elem);
6063 if (nft_set_elem_active(ext, genmask)) {
6069 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6073 catchall->elem = elem->priv;
6074 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6079 static int nft_setelem_insert(const struct net *net,
6080 struct nft_set *set,
6081 const struct nft_set_elem *elem,
6082 struct nft_set_ext **ext, unsigned int flags)
6086 if (flags & NFT_SET_ELEM_CATCHALL)
6087 ret = nft_setelem_catchall_insert(net, set, elem, ext);
6089 ret = set->ops->insert(net, set, elem, ext);
6094 static bool nft_setelem_is_catchall(const struct nft_set *set,
6095 const struct nft_set_elem *elem)
6097 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6099 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6100 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6106 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6107 struct nft_set_elem *elem)
6109 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6111 if (nft_setelem_is_catchall(set, elem)) {
6112 nft_set_elem_change_active(net, set, ext);
6113 nft_set_elem_clear_busy(ext);
6115 set->ops->activate(net, set, elem);
6119 static int nft_setelem_catchall_deactivate(const struct net *net,
6120 struct nft_set *set,
6121 struct nft_set_elem *elem)
6123 struct nft_set_elem_catchall *catchall;
6124 struct nft_set_ext *ext;
6126 list_for_each_entry(catchall, &set->catchall_list, list) {
6127 ext = nft_set_elem_ext(set, catchall->elem);
6128 if (!nft_is_active(net, ext) ||
6129 nft_set_elem_mark_busy(ext))
6133 elem->priv = catchall->elem;
6134 nft_set_elem_change_active(net, set, ext);
6141 static int __nft_setelem_deactivate(const struct net *net,
6142 struct nft_set *set,
6143 struct nft_set_elem *elem)
6147 priv = set->ops->deactivate(net, set, elem);
6158 static int nft_setelem_deactivate(const struct net *net,
6159 struct nft_set *set,
6160 struct nft_set_elem *elem, u32 flags)
6164 if (flags & NFT_SET_ELEM_CATCHALL)
6165 ret = nft_setelem_catchall_deactivate(net, set, elem);
6167 ret = __nft_setelem_deactivate(net, set, elem);
6172 static void nft_setelem_catchall_remove(const struct net *net,
6173 const struct nft_set *set,
6174 const struct nft_set_elem *elem)
6176 struct nft_set_elem_catchall *catchall, *next;
6178 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6179 if (catchall->elem == elem->priv) {
6180 list_del_rcu(&catchall->list);
6181 kfree_rcu(catchall, rcu);
6187 static void nft_setelem_remove(const struct net *net,
6188 const struct nft_set *set,
6189 const struct nft_set_elem *elem)
6191 if (nft_setelem_is_catchall(set, elem))
6192 nft_setelem_catchall_remove(net, set, elem);
6194 set->ops->remove(net, set, elem);
6197 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6198 struct nlattr **nla, u32 flags)
6200 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6201 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6202 if (flags & NFT_SET_ELEM_INTERVAL_END)
6205 if (nla[NFTA_SET_ELEM_KEY_END] &&
6206 flags & NFT_SET_ELEM_CATCHALL)
6209 if (nla[NFTA_SET_ELEM_KEY_END])
6216 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6217 const struct nlattr *attr, u32 nlmsg_flags)
6219 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6220 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6221 u8 genmask = nft_genmask_next(ctx->net);
6222 u32 flags = 0, size = 0, num_exprs = 0;
6223 struct nft_set_ext_tmpl tmpl;
6224 struct nft_set_ext *ext, *ext2;
6225 struct nft_set_elem elem;
6226 struct nft_set_binding *binding;
6227 struct nft_object *obj = NULL;
6228 struct nft_userdata *udata;
6229 struct nft_data_desc desc;
6230 enum nft_registers dreg;
6231 struct nft_trans *trans;
6237 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6238 nft_set_elem_policy, NULL);
6242 nft_set_ext_prepare(&tmpl);
6244 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6248 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6249 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6253 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6258 if (set->flags & NFT_SET_MAP) {
6259 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6260 !(flags & NFT_SET_ELEM_INTERVAL_END))
6263 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6267 if (set->flags & NFT_SET_OBJECT) {
6268 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6269 !(flags & NFT_SET_ELEM_INTERVAL_END))
6272 if (nla[NFTA_SET_ELEM_OBJREF])
6276 if (!nft_setelem_valid_key_end(set, nla, flags))
6279 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6280 (nla[NFTA_SET_ELEM_DATA] ||
6281 nla[NFTA_SET_ELEM_OBJREF] ||
6282 nla[NFTA_SET_ELEM_TIMEOUT] ||
6283 nla[NFTA_SET_ELEM_EXPIRATION] ||
6284 nla[NFTA_SET_ELEM_USERDATA] ||
6285 nla[NFTA_SET_ELEM_EXPR] ||
6286 nla[NFTA_SET_ELEM_KEY_END] ||
6287 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6291 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6292 if (!(set->flags & NFT_SET_TIMEOUT))
6294 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6298 } else if (set->flags & NFT_SET_TIMEOUT &&
6299 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6300 timeout = READ_ONCE(set->timeout);
6304 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6305 if (!(set->flags & NFT_SET_TIMEOUT))
6307 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6313 if (nla[NFTA_SET_ELEM_EXPR]) {
6314 struct nft_expr *expr;
6316 if (set->num_exprs && set->num_exprs != 1)
6319 expr = nft_set_elem_expr_alloc(ctx, set,
6320 nla[NFTA_SET_ELEM_EXPR]);
6322 return PTR_ERR(expr);
6324 expr_array[0] = expr;
6327 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6329 goto err_set_elem_expr;
6331 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6332 struct nft_expr *expr;
6337 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6338 if (i == NFT_SET_EXPR_MAX ||
6339 (set->num_exprs && set->num_exprs == i)) {
6341 goto err_set_elem_expr;
6343 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6345 goto err_set_elem_expr;
6347 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6349 err = PTR_ERR(expr);
6350 goto err_set_elem_expr;
6352 expr_array[i] = expr;
6355 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6357 goto err_set_elem_expr;
6361 if (set->num_exprs && set->num_exprs != i) {
6363 goto err_set_elem_expr;
6365 } else if (set->num_exprs > 0 &&
6366 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6367 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6369 goto err_set_elem_expr_clone;
6371 num_exprs = set->num_exprs;
6374 if (nla[NFTA_SET_ELEM_KEY]) {
6375 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6376 nla[NFTA_SET_ELEM_KEY]);
6378 goto err_set_elem_expr;
6380 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6385 if (nla[NFTA_SET_ELEM_KEY_END]) {
6386 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6387 nla[NFTA_SET_ELEM_KEY_END]);
6391 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6393 goto err_parse_key_end;
6397 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6399 goto err_parse_key_end;
6401 if (timeout != READ_ONCE(set->timeout)) {
6402 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6404 goto err_parse_key_end;
6409 for (i = 0; i < num_exprs; i++)
6410 size += expr_array[i]->ops->size;
6412 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6413 sizeof(struct nft_set_elem_expr) + size);
6415 goto err_parse_key_end;
6418 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6419 obj = nft_obj_lookup(ctx->net, ctx->table,
6420 nla[NFTA_SET_ELEM_OBJREF],
6421 set->objtype, genmask);
6424 goto err_parse_key_end;
6426 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6428 goto err_parse_key_end;
6431 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6432 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
6433 nla[NFTA_SET_ELEM_DATA]);
6435 goto err_parse_key_end;
6437 dreg = nft_type_to_reg(set->dtype);
6438 list_for_each_entry(binding, &set->bindings, list) {
6439 struct nft_ctx bind_ctx = {
6441 .family = ctx->family,
6442 .table = ctx->table,
6443 .chain = (struct nft_chain *)binding->chain,
6446 if (!(binding->flags & NFT_SET_MAP))
6449 err = nft_validate_register_store(&bind_ctx, dreg,
6451 desc.type, desc.len);
6453 goto err_parse_data;
6455 if (desc.type == NFT_DATA_VERDICT &&
6456 (elem.data.val.verdict.code == NFT_GOTO ||
6457 elem.data.val.verdict.code == NFT_JUMP))
6458 nft_validate_state_update(ctx->table,
6462 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
6464 goto err_parse_data;
6467 /* The full maximum length of userdata can exceed the maximum
6468 * offset value (U8_MAX) for following extensions, therefor it
6469 * must be the last extension added.
6472 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
6473 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
6475 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
6478 goto err_parse_data;
6482 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6483 elem.key_end.val.data, elem.data.val.data,
6484 timeout, expiration, GFP_KERNEL_ACCOUNT);
6485 if (IS_ERR(elem.priv)) {
6486 err = PTR_ERR(elem.priv);
6487 goto err_parse_data;
6490 ext = nft_set_elem_ext(set, elem.priv);
6492 *nft_set_ext_flags(ext) = flags;
6495 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
6497 goto err_elem_userdata;
6499 udata = nft_set_ext_userdata(ext);
6500 udata->len = ulen - 1;
6501 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
6504 *nft_set_ext_obj(ext) = obj;
6507 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
6511 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
6512 if (trans == NULL) {
6517 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
6519 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags);
6521 if (err == -EEXIST) {
6522 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
6523 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
6524 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
6525 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
6526 goto err_element_clash;
6527 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6528 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
6529 memcmp(nft_set_ext_data(ext),
6530 nft_set_ext_data(ext2), set->dlen) != 0) ||
6531 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
6532 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
6533 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
6534 goto err_element_clash;
6535 else if (!(nlmsg_flags & NLM_F_EXCL))
6537 } else if (err == -ENOTEMPTY) {
6538 /* ENOTEMPTY reports overlapping between this element
6539 * and an existing one.
6543 goto err_element_clash;
6546 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size &&
6547 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
6552 nft_trans_elem(trans) = elem;
6553 nft_trans_commit_list_add_tail(ctx->net, trans);
6557 nft_setelem_remove(ctx->net, set, &elem);
6564 nf_tables_set_elem_destroy(ctx, set, elem.priv);
6566 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6567 nft_data_release(&elem.data.val, desc.type);
6569 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6571 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6573 for (i = 0; i < num_exprs && expr_array[i]; i++)
6574 nft_expr_destroy(ctx, expr_array[i]);
6575 err_set_elem_expr_clone:
6579 static int nf_tables_newsetelem(struct sk_buff *skb,
6580 const struct nfnl_info *info,
6581 const struct nlattr * const nla[])
6583 struct netlink_ext_ack *extack = info->extack;
6584 u8 genmask = nft_genmask_next(info->net);
6585 u8 family = info->nfmsg->nfgen_family;
6586 struct net *net = info->net;
6587 const struct nlattr *attr;
6588 struct nft_table *table;
6589 struct nft_set *set;
6593 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
6596 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6597 genmask, NETLINK_CB(skb).portid);
6598 if (IS_ERR(table)) {
6599 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6600 return PTR_ERR(table);
6603 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
6604 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
6606 return PTR_ERR(set);
6608 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6611 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6613 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6614 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
6616 NL_SET_BAD_ATTR(extack, attr);
6621 if (table->validate_state == NFT_VALIDATE_DO)
6622 return nft_table_validate(net, table);
6628 * nft_data_hold - hold a nft_data item
6630 * @data: struct nft_data to release
6631 * @type: type of data
6633 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6634 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
6635 * NFT_GOTO verdicts. This function must be called on active data objects
6636 * from the second phase of the commit protocol.
6638 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
6640 struct nft_chain *chain;
6641 struct nft_rule *rule;
6643 if (type == NFT_DATA_VERDICT) {
6644 switch (data->verdict.code) {
6647 chain = data->verdict.chain;
6650 if (!nft_chain_is_bound(chain))
6653 chain->table->use++;
6654 list_for_each_entry(rule, &chain->rules, list)
6657 nft_chain_add(chain->table, chain);
6663 static void nft_setelem_data_activate(const struct net *net,
6664 const struct nft_set *set,
6665 struct nft_set_elem *elem)
6667 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6669 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6670 nft_data_hold(nft_set_ext_data(ext), set->dtype);
6671 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6672 (*nft_set_ext_obj(ext))->use++;
6675 static void nft_setelem_data_deactivate(const struct net *net,
6676 const struct nft_set *set,
6677 struct nft_set_elem *elem)
6679 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6681 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6682 nft_data_release(nft_set_ext_data(ext), set->dtype);
6683 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6684 (*nft_set_ext_obj(ext))->use--;
6687 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
6688 const struct nlattr *attr)
6690 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6691 struct nft_set_ext_tmpl tmpl;
6692 struct nft_set_elem elem;
6693 struct nft_set_ext *ext;
6694 struct nft_trans *trans;
6698 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6699 nft_set_elem_policy, NULL);
6703 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6707 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6710 if (!nft_setelem_valid_key_end(set, nla, flags))
6713 nft_set_ext_prepare(&tmpl);
6716 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6721 if (nla[NFTA_SET_ELEM_KEY]) {
6722 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6723 nla[NFTA_SET_ELEM_KEY]);
6727 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6732 if (nla[NFTA_SET_ELEM_KEY_END]) {
6733 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6734 nla[NFTA_SET_ELEM_KEY_END]);
6738 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6740 goto fail_elem_key_end;
6744 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6745 elem.key_end.val.data, NULL, 0, 0,
6746 GFP_KERNEL_ACCOUNT);
6747 if (IS_ERR(elem.priv)) {
6748 err = PTR_ERR(elem.priv);
6749 goto fail_elem_key_end;
6752 ext = nft_set_elem_ext(set, elem.priv);
6754 *nft_set_ext_flags(ext) = flags;
6756 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
6760 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
6764 nft_setelem_data_deactivate(ctx->net, set, &elem);
6766 nft_trans_elem(trans) = elem;
6767 nft_trans_commit_list_add_tail(ctx->net, trans);
6775 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6777 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6781 static int nft_setelem_flush(const struct nft_ctx *ctx,
6782 struct nft_set *set,
6783 const struct nft_set_iter *iter,
6784 struct nft_set_elem *elem)
6786 struct nft_trans *trans;
6789 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6790 sizeof(struct nft_trans_elem), GFP_ATOMIC);
6794 if (!set->ops->flush(ctx->net, set, elem->priv)) {
6800 nft_setelem_data_deactivate(ctx->net, set, elem);
6801 nft_trans_elem_set(trans) = set;
6802 nft_trans_elem(trans) = *elem;
6803 nft_trans_commit_list_add_tail(ctx->net, trans);
6811 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
6812 struct nft_set *set,
6813 struct nft_set_elem *elem)
6815 struct nft_trans *trans;
6817 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6818 sizeof(struct nft_trans_elem), GFP_KERNEL);
6822 nft_setelem_data_deactivate(ctx->net, set, elem);
6823 nft_trans_elem_set(trans) = set;
6824 nft_trans_elem(trans) = *elem;
6825 nft_trans_commit_list_add_tail(ctx->net, trans);
6830 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
6831 struct nft_set *set)
6833 u8 genmask = nft_genmask_next(ctx->net);
6834 struct nft_set_elem_catchall *catchall;
6835 struct nft_set_elem elem;
6836 struct nft_set_ext *ext;
6839 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6840 ext = nft_set_elem_ext(set, catchall->elem);
6841 if (!nft_set_elem_active(ext, genmask) ||
6842 nft_set_elem_mark_busy(ext))
6845 elem.priv = catchall->elem;
6846 ret = __nft_set_catchall_flush(ctx, set, &elem);
6854 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
6856 struct nft_set_iter iter = {
6858 .fn = nft_setelem_flush,
6861 set->ops->walk(ctx, set, &iter);
6863 iter.err = nft_set_catchall_flush(ctx, set);
6868 static int nf_tables_delsetelem(struct sk_buff *skb,
6869 const struct nfnl_info *info,
6870 const struct nlattr * const nla[])
6872 struct netlink_ext_ack *extack = info->extack;
6873 u8 genmask = nft_genmask_next(info->net);
6874 u8 family = info->nfmsg->nfgen_family;
6875 struct net *net = info->net;
6876 const struct nlattr *attr;
6877 struct nft_table *table;
6878 struct nft_set *set;
6882 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6883 genmask, NETLINK_CB(skb).portid);
6884 if (IS_ERR(table)) {
6885 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6886 return PTR_ERR(table);
6889 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6891 return PTR_ERR(set);
6892 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6895 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6897 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6898 return nft_set_flush(&ctx, set, genmask);
6900 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6901 err = nft_del_setelem(&ctx, set, attr);
6902 if (err == -ENOENT &&
6903 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
6907 NL_SET_BAD_ATTR(extack, attr);
6914 void nft_set_gc_batch_release(struct rcu_head *rcu)
6916 struct nft_set_gc_batch *gcb;
6919 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
6920 for (i = 0; i < gcb->head.cnt; i++)
6921 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
6925 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
6928 struct nft_set_gc_batch *gcb;
6930 gcb = kzalloc(sizeof(*gcb), gfp);
6933 gcb->head.set = set;
6942 * nft_register_obj- register nf_tables stateful object type
6943 * @obj_type: object type
6945 * Registers the object type for use with nf_tables. Returns zero on
6946 * success or a negative errno code otherwise.
6948 int nft_register_obj(struct nft_object_type *obj_type)
6950 if (obj_type->type == NFT_OBJECT_UNSPEC)
6953 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6954 list_add_rcu(&obj_type->list, &nf_tables_objects);
6955 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6958 EXPORT_SYMBOL_GPL(nft_register_obj);
6961 * nft_unregister_obj - unregister nf_tables object type
6962 * @obj_type: object type
6964 * Unregisters the object type for use with nf_tables.
6966 void nft_unregister_obj(struct nft_object_type *obj_type)
6968 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6969 list_del_rcu(&obj_type->list);
6970 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6972 EXPORT_SYMBOL_GPL(nft_unregister_obj);
6974 struct nft_object *nft_obj_lookup(const struct net *net,
6975 const struct nft_table *table,
6976 const struct nlattr *nla, u32 objtype,
6979 struct nft_object_hash_key k = { .table = table };
6980 char search[NFT_OBJ_MAXNAMELEN];
6981 struct rhlist_head *tmp, *list;
6982 struct nft_object *obj;
6984 nla_strscpy(search, nla, sizeof(search));
6987 WARN_ON_ONCE(!rcu_read_lock_held() &&
6988 !lockdep_commit_lock_is_held(net));
6991 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
6995 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
6996 if (objtype == obj->ops->type->type &&
6997 nft_active_genmask(obj, genmask)) {
7004 return ERR_PTR(-ENOENT);
7006 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7008 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7009 const struct nlattr *nla,
7010 u32 objtype, u8 genmask)
7012 struct nft_object *obj;
7014 list_for_each_entry(obj, &table->objects, list) {
7015 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7016 objtype == obj->ops->type->type &&
7017 nft_active_genmask(obj, genmask))
7020 return ERR_PTR(-ENOENT);
7023 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7024 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7025 .len = NFT_TABLE_MAXNAMELEN - 1 },
7026 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7027 .len = NFT_OBJ_MAXNAMELEN - 1 },
7028 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7029 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7030 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7031 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7032 .len = NFT_USERDATA_MAXLEN },
7035 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7036 const struct nft_object_type *type,
7037 const struct nlattr *attr)
7040 const struct nft_object_ops *ops;
7041 struct nft_object *obj;
7044 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7049 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7050 type->policy, NULL);
7054 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7057 if (type->select_ops) {
7058 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7068 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7072 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7085 return ERR_PTR(err);
7088 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7089 struct nft_object *obj, bool reset)
7091 struct nlattr *nest;
7093 nest = nla_nest_start_noflag(skb, attr);
7095 goto nla_put_failure;
7096 if (obj->ops->dump(skb, obj, reset) < 0)
7097 goto nla_put_failure;
7098 nla_nest_end(skb, nest);
7105 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
7107 const struct nft_object_type *type;
7109 list_for_each_entry(type, &nf_tables_objects, list) {
7110 if (objtype == type->type)
7116 static const struct nft_object_type *
7117 nft_obj_type_get(struct net *net, u32 objtype)
7119 const struct nft_object_type *type;
7121 type = __nft_obj_type_get(objtype);
7122 if (type != NULL && try_module_get(type->owner))
7125 lockdep_nfnl_nft_mutex_not_held();
7126 #ifdef CONFIG_MODULES
7128 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7129 return ERR_PTR(-EAGAIN);
7132 return ERR_PTR(-ENOENT);
7135 static int nf_tables_updobj(const struct nft_ctx *ctx,
7136 const struct nft_object_type *type,
7137 const struct nlattr *attr,
7138 struct nft_object *obj)
7140 struct nft_object *newobj;
7141 struct nft_trans *trans;
7144 if (!try_module_get(type->owner))
7147 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7148 sizeof(struct nft_trans_obj));
7152 newobj = nft_obj_init(ctx, type, attr);
7153 if (IS_ERR(newobj)) {
7154 err = PTR_ERR(newobj);
7155 goto err_free_trans;
7158 nft_trans_obj(trans) = obj;
7159 nft_trans_obj_update(trans) = true;
7160 nft_trans_obj_newobj(trans) = newobj;
7161 nft_trans_commit_list_add_tail(ctx->net, trans);
7168 module_put(type->owner);
7172 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7173 const struct nlattr * const nla[])
7175 struct netlink_ext_ack *extack = info->extack;
7176 u8 genmask = nft_genmask_next(info->net);
7177 u8 family = info->nfmsg->nfgen_family;
7178 const struct nft_object_type *type;
7179 struct net *net = info->net;
7180 struct nft_table *table;
7181 struct nft_object *obj;
7186 if (!nla[NFTA_OBJ_TYPE] ||
7187 !nla[NFTA_OBJ_NAME] ||
7188 !nla[NFTA_OBJ_DATA])
7191 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7192 NETLINK_CB(skb).portid);
7193 if (IS_ERR(table)) {
7194 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7195 return PTR_ERR(table);
7198 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7199 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7202 if (err != -ENOENT) {
7203 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7207 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7208 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7211 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7214 type = __nft_obj_type_get(objtype);
7215 if (WARN_ON_ONCE(!type))
7218 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7220 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7223 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7225 type = nft_obj_type_get(net, objtype);
7227 return PTR_ERR(type);
7229 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7234 obj->key.table = table;
7235 obj->handle = nf_tables_alloc_handle(table);
7237 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7238 if (!obj->key.name) {
7243 if (nla[NFTA_OBJ_USERDATA]) {
7244 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7245 if (obj->udata == NULL)
7248 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7251 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7255 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7256 nft_objname_ht_params);
7260 list_add_tail_rcu(&obj->list, &table->objects);
7264 /* queued in transaction log */
7265 INIT_LIST_HEAD(&obj->list);
7270 kfree(obj->key.name);
7272 if (obj->ops->destroy)
7273 obj->ops->destroy(&ctx, obj);
7276 module_put(type->owner);
7280 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7281 u32 portid, u32 seq, int event, u32 flags,
7282 int family, const struct nft_table *table,
7283 struct nft_object *obj, bool reset)
7285 struct nlmsghdr *nlh;
7287 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7288 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7289 NFNETLINK_V0, nft_base_seq(net));
7291 goto nla_put_failure;
7293 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7294 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7295 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7297 goto nla_put_failure;
7299 if (event == NFT_MSG_DELOBJ) {
7300 nlmsg_end(skb, nlh);
7304 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7305 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7306 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7307 goto nla_put_failure;
7310 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7311 goto nla_put_failure;
7313 nlmsg_end(skb, nlh);
7317 nlmsg_trim(skb, nlh);
7321 struct nft_obj_filter {
7326 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7328 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7329 const struct nft_table *table;
7330 unsigned int idx = 0, s_idx = cb->args[0];
7331 struct nft_obj_filter *filter = cb->data;
7332 struct net *net = sock_net(skb->sk);
7333 int family = nfmsg->nfgen_family;
7334 struct nftables_pernet *nft_net;
7335 struct nft_object *obj;
7338 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7342 nft_net = nft_pernet(net);
7343 cb->seq = READ_ONCE(nft_net->base_seq);
7345 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7346 if (family != NFPROTO_UNSPEC && family != table->family)
7349 list_for_each_entry_rcu(obj, &table->objects, list) {
7350 if (!nft_is_active(net, obj))
7355 memset(&cb->args[1], 0,
7356 sizeof(cb->args) - sizeof(cb->args[0]));
7357 if (filter && filter->table &&
7358 strcmp(filter->table, table->name))
7361 filter->type != NFT_OBJECT_UNSPEC &&
7362 obj->ops->type->type != filter->type)
7365 char *buf = kasprintf(GFP_ATOMIC,
7370 audit_log_nfcfg(buf,
7373 AUDIT_NFT_OP_OBJ_RESET,
7378 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
7381 NLM_F_MULTI | NLM_F_APPEND,
7382 table->family, table,
7386 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7398 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7400 const struct nlattr * const *nla = cb->data;
7401 struct nft_obj_filter *filter = NULL;
7403 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
7404 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7408 if (nla[NFTA_OBJ_TABLE]) {
7409 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7410 if (!filter->table) {
7416 if (nla[NFTA_OBJ_TYPE])
7417 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7424 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7426 struct nft_obj_filter *filter = cb->data;
7429 kfree(filter->table);
7436 /* called with rcu_read_lock held */
7437 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
7438 const struct nlattr * const nla[])
7440 struct netlink_ext_ack *extack = info->extack;
7441 u8 genmask = nft_genmask_cur(info->net);
7442 u8 family = info->nfmsg->nfgen_family;
7443 const struct nft_table *table;
7444 struct net *net = info->net;
7445 struct nft_object *obj;
7446 struct sk_buff *skb2;
7451 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7452 struct netlink_dump_control c = {
7453 .start = nf_tables_dump_obj_start,
7454 .dump = nf_tables_dump_obj,
7455 .done = nf_tables_dump_obj_done,
7456 .module = THIS_MODULE,
7457 .data = (void *)nla,
7460 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7463 if (!nla[NFTA_OBJ_NAME] ||
7464 !nla[NFTA_OBJ_TYPE])
7467 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
7468 if (IS_ERR(table)) {
7469 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7470 return PTR_ERR(table);
7473 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7474 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7476 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7477 return PTR_ERR(obj);
7480 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7484 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7488 const struct nftables_pernet *nft_net;
7491 nft_net = nft_pernet(net);
7492 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
7494 audit_log_nfcfg(buf,
7497 AUDIT_NFT_OP_OBJ_RESET,
7502 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
7503 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
7504 family, table, obj, reset);
7506 goto err_fill_obj_info;
7508 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7515 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
7517 if (obj->ops->destroy)
7518 obj->ops->destroy(ctx, obj);
7520 module_put(obj->ops->type->owner);
7521 kfree(obj->key.name);
7526 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
7527 const struct nlattr * const nla[])
7529 struct netlink_ext_ack *extack = info->extack;
7530 u8 genmask = nft_genmask_next(info->net);
7531 u8 family = info->nfmsg->nfgen_family;
7532 struct net *net = info->net;
7533 const struct nlattr *attr;
7534 struct nft_table *table;
7535 struct nft_object *obj;
7539 if (!nla[NFTA_OBJ_TYPE] ||
7540 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
7543 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7544 NETLINK_CB(skb).portid);
7545 if (IS_ERR(table)) {
7546 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7547 return PTR_ERR(table);
7550 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7551 if (nla[NFTA_OBJ_HANDLE]) {
7552 attr = nla[NFTA_OBJ_HANDLE];
7553 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
7555 attr = nla[NFTA_OBJ_NAME];
7556 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
7560 if (PTR_ERR(obj) == -ENOENT &&
7561 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
7564 NL_SET_BAD_ATTR(extack, attr);
7565 return PTR_ERR(obj);
7568 NL_SET_BAD_ATTR(extack, attr);
7572 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7574 return nft_delobj(&ctx, obj);
7577 void nft_obj_notify(struct net *net, const struct nft_table *table,
7578 struct nft_object *obj, u32 portid, u32 seq, int event,
7579 u16 flags, int family, int report, gfp_t gfp)
7581 struct nftables_pernet *nft_net = nft_pernet(net);
7582 struct sk_buff *skb;
7584 char *buf = kasprintf(gfp, "%s:%u",
7585 table->name, nft_net->base_seq);
7587 audit_log_nfcfg(buf,
7590 event == NFT_MSG_NEWOBJ ?
7591 AUDIT_NFT_OP_OBJ_REGISTER :
7592 AUDIT_NFT_OP_OBJ_UNREGISTER,
7597 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7600 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
7604 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
7605 flags & (NLM_F_CREATE | NLM_F_EXCL),
7606 family, table, obj, false);
7612 nft_notify_enqueue(skb, report, &nft_net->notify_list);
7615 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
7617 EXPORT_SYMBOL_GPL(nft_obj_notify);
7619 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
7620 struct nft_object *obj, int event)
7622 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
7623 ctx->flags, ctx->family, ctx->report, GFP_KERNEL);
7629 void nft_register_flowtable_type(struct nf_flowtable_type *type)
7631 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7632 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
7633 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7635 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
7637 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
7639 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7640 list_del_rcu(&type->list);
7641 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7643 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
7645 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
7646 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
7647 .len = NFT_NAME_MAXLEN - 1 },
7648 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
7649 .len = NFT_NAME_MAXLEN - 1 },
7650 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
7651 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
7652 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
7655 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
7656 const struct nlattr *nla, u8 genmask)
7658 struct nft_flowtable *flowtable;
7660 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7661 if (!nla_strcmp(nla, flowtable->name) &&
7662 nft_active_genmask(flowtable, genmask))
7665 return ERR_PTR(-ENOENT);
7667 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
7669 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
7670 struct nft_flowtable *flowtable,
7671 enum nft_trans_phase phase)
7674 case NFT_TRANS_PREPARE:
7675 case NFT_TRANS_ABORT:
7676 case NFT_TRANS_RELEASE:
7683 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
7685 static struct nft_flowtable *
7686 nft_flowtable_lookup_byhandle(const struct nft_table *table,
7687 const struct nlattr *nla, u8 genmask)
7689 struct nft_flowtable *flowtable;
7691 list_for_each_entry(flowtable, &table->flowtables, list) {
7692 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
7693 nft_active_genmask(flowtable, genmask))
7696 return ERR_PTR(-ENOENT);
7699 struct nft_flowtable_hook {
7702 struct list_head list;
7705 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
7706 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
7707 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
7708 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
7711 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
7712 const struct nlattr * const nla[],
7713 struct nft_flowtable_hook *flowtable_hook,
7714 struct nft_flowtable *flowtable,
7715 struct netlink_ext_ack *extack, bool add)
7717 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
7718 struct nft_hook *hook;
7719 int hooknum, priority;
7722 INIT_LIST_HEAD(&flowtable_hook->list);
7724 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
7725 nla[NFTA_FLOWTABLE_HOOK],
7726 nft_flowtable_hook_policy, NULL);
7731 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
7732 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7733 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7737 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7738 if (hooknum != NF_NETDEV_INGRESS)
7741 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7743 flowtable_hook->priority = priority;
7744 flowtable_hook->num = hooknum;
7746 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
7747 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7748 if (hooknum != flowtable->hooknum)
7752 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7753 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7754 if (priority != flowtable->data.priority)
7758 flowtable_hook->priority = flowtable->data.priority;
7759 flowtable_hook->num = flowtable->hooknum;
7762 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
7763 err = nf_tables_parse_netdev_hooks(ctx->net,
7764 tb[NFTA_FLOWTABLE_HOOK_DEVS],
7765 &flowtable_hook->list,
7771 list_for_each_entry(hook, &flowtable_hook->list, list) {
7772 hook->ops.pf = NFPROTO_NETDEV;
7773 hook->ops.hooknum = flowtable_hook->num;
7774 hook->ops.priority = flowtable_hook->priority;
7775 hook->ops.priv = &flowtable->data;
7776 hook->ops.hook = flowtable->data.type->hook;
7782 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
7784 const struct nf_flowtable_type *type;
7786 list_for_each_entry(type, &nf_tables_flowtables, list) {
7787 if (family == type->family)
7793 static const struct nf_flowtable_type *
7794 nft_flowtable_type_get(struct net *net, u8 family)
7796 const struct nf_flowtable_type *type;
7798 type = __nft_flowtable_type_get(family);
7799 if (type != NULL && try_module_get(type->owner))
7802 lockdep_nfnl_nft_mutex_not_held();
7803 #ifdef CONFIG_MODULES
7805 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
7806 return ERR_PTR(-EAGAIN);
7809 return ERR_PTR(-ENOENT);
7812 /* Only called from error and netdev event paths. */
7813 static void nft_unregister_flowtable_hook(struct net *net,
7814 struct nft_flowtable *flowtable,
7815 struct nft_hook *hook)
7817 nf_unregister_net_hook(net, &hook->ops);
7818 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7822 static void __nft_unregister_flowtable_net_hooks(struct net *net,
7823 struct list_head *hook_list,
7824 bool release_netdev)
7826 struct nft_hook *hook, *next;
7828 list_for_each_entry_safe(hook, next, hook_list, list) {
7829 nf_unregister_net_hook(net, &hook->ops);
7830 if (release_netdev) {
7831 list_del(&hook->list);
7832 kfree_rcu(hook, rcu);
7837 static void nft_unregister_flowtable_net_hooks(struct net *net,
7838 struct list_head *hook_list)
7840 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
7843 static int nft_register_flowtable_net_hooks(struct net *net,
7844 struct nft_table *table,
7845 struct list_head *hook_list,
7846 struct nft_flowtable *flowtable)
7848 struct nft_hook *hook, *hook2, *next;
7849 struct nft_flowtable *ft;
7852 list_for_each_entry(hook, hook_list, list) {
7853 list_for_each_entry(ft, &table->flowtables, list) {
7854 if (!nft_is_active_next(net, ft))
7857 list_for_each_entry(hook2, &ft->hook_list, list) {
7858 if (hook->ops.dev == hook2->ops.dev &&
7859 hook->ops.pf == hook2->ops.pf) {
7861 goto err_unregister_net_hooks;
7866 err = flowtable->data.type->setup(&flowtable->data,
7870 goto err_unregister_net_hooks;
7872 err = nf_register_net_hook(net, &hook->ops);
7874 flowtable->data.type->setup(&flowtable->data,
7877 goto err_unregister_net_hooks;
7885 err_unregister_net_hooks:
7886 list_for_each_entry_safe(hook, next, hook_list, list) {
7890 nft_unregister_flowtable_hook(net, flowtable, hook);
7891 list_del_rcu(&hook->list);
7892 kfree_rcu(hook, rcu);
7898 static void nft_hooks_destroy(struct list_head *hook_list)
7900 struct nft_hook *hook, *next;
7902 list_for_each_entry_safe(hook, next, hook_list, list) {
7903 list_del_rcu(&hook->list);
7904 kfree_rcu(hook, rcu);
7908 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
7909 struct nft_flowtable *flowtable,
7910 struct netlink_ext_ack *extack)
7912 const struct nlattr * const *nla = ctx->nla;
7913 struct nft_flowtable_hook flowtable_hook;
7914 struct nft_hook *hook, *next;
7915 struct nft_trans *trans;
7916 bool unregister = false;
7920 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
7925 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7926 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
7927 list_del(&hook->list);
7932 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7933 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7934 if (flags & ~NFT_FLOWTABLE_MASK) {
7936 goto err_flowtable_update_hook;
7938 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
7939 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
7941 goto err_flowtable_update_hook;
7944 flags = flowtable->data.flags;
7947 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
7948 &flowtable_hook.list, flowtable);
7950 goto err_flowtable_update_hook;
7952 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
7953 sizeof(struct nft_trans_flowtable));
7957 goto err_flowtable_update_hook;
7960 nft_trans_flowtable_flags(trans) = flags;
7961 nft_trans_flowtable(trans) = flowtable;
7962 nft_trans_flowtable_update(trans) = true;
7963 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7964 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
7966 nft_trans_commit_list_add_tail(ctx->net, trans);
7970 err_flowtable_update_hook:
7971 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7973 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
7974 list_del_rcu(&hook->list);
7975 kfree_rcu(hook, rcu);
7982 static int nf_tables_newflowtable(struct sk_buff *skb,
7983 const struct nfnl_info *info,
7984 const struct nlattr * const nla[])
7986 struct netlink_ext_ack *extack = info->extack;
7987 struct nft_flowtable_hook flowtable_hook;
7988 u8 genmask = nft_genmask_next(info->net);
7989 u8 family = info->nfmsg->nfgen_family;
7990 const struct nf_flowtable_type *type;
7991 struct nft_flowtable *flowtable;
7992 struct nft_hook *hook, *next;
7993 struct net *net = info->net;
7994 struct nft_table *table;
7998 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7999 !nla[NFTA_FLOWTABLE_NAME] ||
8000 !nla[NFTA_FLOWTABLE_HOOK])
8003 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8004 genmask, NETLINK_CB(skb).portid);
8005 if (IS_ERR(table)) {
8006 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8007 return PTR_ERR(table);
8010 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8012 if (IS_ERR(flowtable)) {
8013 err = PTR_ERR(flowtable);
8014 if (err != -ENOENT) {
8015 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8019 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8020 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8024 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8026 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8029 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8031 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8035 flowtable->table = table;
8036 flowtable->handle = nf_tables_alloc_handle(table);
8037 INIT_LIST_HEAD(&flowtable->hook_list);
8039 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8040 if (!flowtable->name) {
8045 type = nft_flowtable_type_get(net, family);
8047 err = PTR_ERR(type);
8051 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8052 flowtable->data.flags =
8053 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8054 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8060 write_pnet(&flowtable->data.net, net);
8061 flowtable->data.type = type;
8062 err = type->init(&flowtable->data);
8066 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8071 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8072 flowtable->data.priority = flowtable_hook.priority;
8073 flowtable->hooknum = flowtable_hook.num;
8075 err = nft_register_flowtable_net_hooks(ctx.net, table,
8076 &flowtable->hook_list,
8079 nft_hooks_destroy(&flowtable->hook_list);
8083 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8087 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8092 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8093 nft_unregister_flowtable_hook(net, flowtable, hook);
8094 list_del_rcu(&hook->list);
8095 kfree_rcu(hook, rcu);
8098 flowtable->data.type->free(&flowtable->data);
8100 module_put(type->owner);
8102 kfree(flowtable->name);
8108 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8110 struct nft_hook *this, *next;
8112 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8113 list_del(&this->list);
8118 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8119 struct nft_flowtable *flowtable,
8120 struct netlink_ext_ack *extack)
8122 const struct nlattr * const *nla = ctx->nla;
8123 struct nft_flowtable_hook flowtable_hook;
8124 LIST_HEAD(flowtable_del_list);
8125 struct nft_hook *this, *hook;
8126 struct nft_trans *trans;
8129 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8134 list_for_each_entry(this, &flowtable_hook.list, list) {
8135 hook = nft_hook_list_find(&flowtable->hook_list, this);
8138 goto err_flowtable_del_hook;
8140 list_move(&hook->list, &flowtable_del_list);
8143 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8144 sizeof(struct nft_trans_flowtable));
8147 goto err_flowtable_del_hook;
8150 nft_trans_flowtable(trans) = flowtable;
8151 nft_trans_flowtable_update(trans) = true;
8152 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8153 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8154 nft_flowtable_hook_release(&flowtable_hook);
8156 nft_trans_commit_list_add_tail(ctx->net, trans);
8160 err_flowtable_del_hook:
8161 list_splice(&flowtable_del_list, &flowtable->hook_list);
8162 nft_flowtable_hook_release(&flowtable_hook);
8167 static int nf_tables_delflowtable(struct sk_buff *skb,
8168 const struct nfnl_info *info,
8169 const struct nlattr * const nla[])
8171 struct netlink_ext_ack *extack = info->extack;
8172 u8 genmask = nft_genmask_next(info->net);
8173 u8 family = info->nfmsg->nfgen_family;
8174 struct nft_flowtable *flowtable;
8175 struct net *net = info->net;
8176 const struct nlattr *attr;
8177 struct nft_table *table;
8180 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8181 (!nla[NFTA_FLOWTABLE_NAME] &&
8182 !nla[NFTA_FLOWTABLE_HANDLE]))
8185 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8186 genmask, NETLINK_CB(skb).portid);
8187 if (IS_ERR(table)) {
8188 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8189 return PTR_ERR(table);
8192 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8193 attr = nla[NFTA_FLOWTABLE_HANDLE];
8194 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8196 attr = nla[NFTA_FLOWTABLE_NAME];
8197 flowtable = nft_flowtable_lookup(table, attr, genmask);
8200 if (IS_ERR(flowtable)) {
8201 if (PTR_ERR(flowtable) == -ENOENT &&
8202 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8205 NL_SET_BAD_ATTR(extack, attr);
8206 return PTR_ERR(flowtable);
8209 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8211 if (nla[NFTA_FLOWTABLE_HOOK])
8212 return nft_delflowtable_hook(&ctx, flowtable, extack);
8214 if (flowtable->use > 0) {
8215 NL_SET_BAD_ATTR(extack, attr);
8219 return nft_delflowtable(&ctx, flowtable);
8222 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8223 u32 portid, u32 seq, int event,
8224 u32 flags, int family,
8225 struct nft_flowtable *flowtable,
8226 struct list_head *hook_list)
8228 struct nlattr *nest, *nest_devs;
8229 struct nft_hook *hook;
8230 struct nlmsghdr *nlh;
8232 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8233 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8234 NFNETLINK_V0, nft_base_seq(net));
8236 goto nla_put_failure;
8238 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8239 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8240 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8241 NFTA_FLOWTABLE_PAD))
8242 goto nla_put_failure;
8244 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8245 nlmsg_end(skb, nlh);
8249 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8250 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8251 goto nla_put_failure;
8253 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8255 goto nla_put_failure;
8256 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8257 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8258 goto nla_put_failure;
8260 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8262 goto nla_put_failure;
8265 hook_list = &flowtable->hook_list;
8267 list_for_each_entry_rcu(hook, hook_list, list) {
8268 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8269 goto nla_put_failure;
8271 nla_nest_end(skb, nest_devs);
8272 nla_nest_end(skb, nest);
8274 nlmsg_end(skb, nlh);
8278 nlmsg_trim(skb, nlh);
8282 struct nft_flowtable_filter {
8286 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8287 struct netlink_callback *cb)
8289 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8290 struct nft_flowtable_filter *filter = cb->data;
8291 unsigned int idx = 0, s_idx = cb->args[0];
8292 struct net *net = sock_net(skb->sk);
8293 int family = nfmsg->nfgen_family;
8294 struct nft_flowtable *flowtable;
8295 struct nftables_pernet *nft_net;
8296 const struct nft_table *table;
8299 nft_net = nft_pernet(net);
8300 cb->seq = READ_ONCE(nft_net->base_seq);
8302 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8303 if (family != NFPROTO_UNSPEC && family != table->family)
8306 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8307 if (!nft_is_active(net, flowtable))
8312 memset(&cb->args[1], 0,
8313 sizeof(cb->args) - sizeof(cb->args[0]));
8314 if (filter && filter->table &&
8315 strcmp(filter->table, table->name))
8318 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8320 NFT_MSG_NEWFLOWTABLE,
8321 NLM_F_MULTI | NLM_F_APPEND,
8323 flowtable, NULL) < 0)
8326 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8338 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8340 const struct nlattr * const *nla = cb->data;
8341 struct nft_flowtable_filter *filter = NULL;
8343 if (nla[NFTA_FLOWTABLE_TABLE]) {
8344 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8348 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8350 if (!filter->table) {
8360 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8362 struct nft_flowtable_filter *filter = cb->data;
8367 kfree(filter->table);
8373 /* called with rcu_read_lock held */
8374 static int nf_tables_getflowtable(struct sk_buff *skb,
8375 const struct nfnl_info *info,
8376 const struct nlattr * const nla[])
8378 u8 genmask = nft_genmask_cur(info->net);
8379 u8 family = info->nfmsg->nfgen_family;
8380 struct nft_flowtable *flowtable;
8381 const struct nft_table *table;
8382 struct net *net = info->net;
8383 struct sk_buff *skb2;
8386 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8387 struct netlink_dump_control c = {
8388 .start = nf_tables_dump_flowtable_start,
8389 .dump = nf_tables_dump_flowtable,
8390 .done = nf_tables_dump_flowtable_done,
8391 .module = THIS_MODULE,
8392 .data = (void *)nla,
8395 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8398 if (!nla[NFTA_FLOWTABLE_NAME])
8401 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8404 return PTR_ERR(table);
8406 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8408 if (IS_ERR(flowtable))
8409 return PTR_ERR(flowtable);
8411 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8415 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
8416 info->nlh->nlmsg_seq,
8417 NFT_MSG_NEWFLOWTABLE, 0, family,
8420 goto err_fill_flowtable_info;
8422 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8424 err_fill_flowtable_info:
8429 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
8430 struct nft_flowtable *flowtable,
8431 struct list_head *hook_list, int event)
8433 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
8434 struct sk_buff *skb;
8439 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
8442 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8446 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
8447 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
8449 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
8450 ctx->seq, event, flags,
8451 ctx->family, flowtable, hook_list);
8457 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
8460 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
8463 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
8465 struct nft_hook *hook, *next;
8467 flowtable->data.type->free(&flowtable->data);
8468 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8469 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8471 list_del_rcu(&hook->list);
8474 kfree(flowtable->name);
8475 module_put(flowtable->data.type->owner);
8479 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
8480 u32 portid, u32 seq)
8482 struct nftables_pernet *nft_net = nft_pernet(net);
8483 struct nlmsghdr *nlh;
8484 char buf[TASK_COMM_LEN];
8485 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
8487 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
8488 NFNETLINK_V0, nft_base_seq(net));
8490 goto nla_put_failure;
8492 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
8493 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
8494 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
8495 goto nla_put_failure;
8497 nlmsg_end(skb, nlh);
8501 nlmsg_trim(skb, nlh);
8505 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
8506 struct nft_flowtable *flowtable)
8508 struct nft_hook *hook;
8510 list_for_each_entry(hook, &flowtable->hook_list, list) {
8511 if (hook->ops.dev != dev)
8514 /* flow_offload_netdev_event() cleans up entries for us. */
8515 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
8516 list_del_rcu(&hook->list);
8517 kfree_rcu(hook, rcu);
8522 static int nf_tables_flowtable_event(struct notifier_block *this,
8523 unsigned long event, void *ptr)
8525 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
8526 struct nft_flowtable *flowtable;
8527 struct nftables_pernet *nft_net;
8528 struct nft_table *table;
8531 if (event != NETDEV_UNREGISTER)
8535 nft_net = nft_pernet(net);
8536 mutex_lock(&nft_net->commit_mutex);
8537 list_for_each_entry(table, &nft_net->tables, list) {
8538 list_for_each_entry(flowtable, &table->flowtables, list) {
8539 nft_flowtable_event(event, dev, flowtable);
8542 mutex_unlock(&nft_net->commit_mutex);
8547 static struct notifier_block nf_tables_flowtable_notifier = {
8548 .notifier_call = nf_tables_flowtable_event,
8551 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
8554 struct nlmsghdr *nlh = nlmsg_hdr(skb);
8555 struct sk_buff *skb2;
8558 if (!nlmsg_report(nlh) &&
8559 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8562 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8566 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
8573 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8574 nlmsg_report(nlh), GFP_KERNEL);
8577 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8581 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
8582 const struct nlattr * const nla[])
8584 struct sk_buff *skb2;
8587 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8591 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
8592 info->nlh->nlmsg_seq);
8594 goto err_fill_gen_info;
8596 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
8603 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
8604 [NFT_MSG_NEWTABLE] = {
8605 .call = nf_tables_newtable,
8606 .type = NFNL_CB_BATCH,
8607 .attr_count = NFTA_TABLE_MAX,
8608 .policy = nft_table_policy,
8610 [NFT_MSG_GETTABLE] = {
8611 .call = nf_tables_gettable,
8612 .type = NFNL_CB_RCU,
8613 .attr_count = NFTA_TABLE_MAX,
8614 .policy = nft_table_policy,
8616 [NFT_MSG_DELTABLE] = {
8617 .call = nf_tables_deltable,
8618 .type = NFNL_CB_BATCH,
8619 .attr_count = NFTA_TABLE_MAX,
8620 .policy = nft_table_policy,
8622 [NFT_MSG_DESTROYTABLE] = {
8623 .call = nf_tables_deltable,
8624 .type = NFNL_CB_BATCH,
8625 .attr_count = NFTA_TABLE_MAX,
8626 .policy = nft_table_policy,
8628 [NFT_MSG_NEWCHAIN] = {
8629 .call = nf_tables_newchain,
8630 .type = NFNL_CB_BATCH,
8631 .attr_count = NFTA_CHAIN_MAX,
8632 .policy = nft_chain_policy,
8634 [NFT_MSG_GETCHAIN] = {
8635 .call = nf_tables_getchain,
8636 .type = NFNL_CB_RCU,
8637 .attr_count = NFTA_CHAIN_MAX,
8638 .policy = nft_chain_policy,
8640 [NFT_MSG_DELCHAIN] = {
8641 .call = nf_tables_delchain,
8642 .type = NFNL_CB_BATCH,
8643 .attr_count = NFTA_CHAIN_MAX,
8644 .policy = nft_chain_policy,
8646 [NFT_MSG_DESTROYCHAIN] = {
8647 .call = nf_tables_delchain,
8648 .type = NFNL_CB_BATCH,
8649 .attr_count = NFTA_CHAIN_MAX,
8650 .policy = nft_chain_policy,
8652 [NFT_MSG_NEWRULE] = {
8653 .call = nf_tables_newrule,
8654 .type = NFNL_CB_BATCH,
8655 .attr_count = NFTA_RULE_MAX,
8656 .policy = nft_rule_policy,
8658 [NFT_MSG_GETRULE] = {
8659 .call = nf_tables_getrule,
8660 .type = NFNL_CB_RCU,
8661 .attr_count = NFTA_RULE_MAX,
8662 .policy = nft_rule_policy,
8664 [NFT_MSG_GETRULE_RESET] = {
8665 .call = nf_tables_getrule,
8666 .type = NFNL_CB_RCU,
8667 .attr_count = NFTA_RULE_MAX,
8668 .policy = nft_rule_policy,
8670 [NFT_MSG_DELRULE] = {
8671 .call = nf_tables_delrule,
8672 .type = NFNL_CB_BATCH,
8673 .attr_count = NFTA_RULE_MAX,
8674 .policy = nft_rule_policy,
8676 [NFT_MSG_DESTROYRULE] = {
8677 .call = nf_tables_delrule,
8678 .type = NFNL_CB_BATCH,
8679 .attr_count = NFTA_RULE_MAX,
8680 .policy = nft_rule_policy,
8682 [NFT_MSG_NEWSET] = {
8683 .call = nf_tables_newset,
8684 .type = NFNL_CB_BATCH,
8685 .attr_count = NFTA_SET_MAX,
8686 .policy = nft_set_policy,
8688 [NFT_MSG_GETSET] = {
8689 .call = nf_tables_getset,
8690 .type = NFNL_CB_RCU,
8691 .attr_count = NFTA_SET_MAX,
8692 .policy = nft_set_policy,
8694 [NFT_MSG_DELSET] = {
8695 .call = nf_tables_delset,
8696 .type = NFNL_CB_BATCH,
8697 .attr_count = NFTA_SET_MAX,
8698 .policy = nft_set_policy,
8700 [NFT_MSG_DESTROYSET] = {
8701 .call = nf_tables_delset,
8702 .type = NFNL_CB_BATCH,
8703 .attr_count = NFTA_SET_MAX,
8704 .policy = nft_set_policy,
8706 [NFT_MSG_NEWSETELEM] = {
8707 .call = nf_tables_newsetelem,
8708 .type = NFNL_CB_BATCH,
8709 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8710 .policy = nft_set_elem_list_policy,
8712 [NFT_MSG_GETSETELEM] = {
8713 .call = nf_tables_getsetelem,
8714 .type = NFNL_CB_RCU,
8715 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8716 .policy = nft_set_elem_list_policy,
8718 [NFT_MSG_DELSETELEM] = {
8719 .call = nf_tables_delsetelem,
8720 .type = NFNL_CB_BATCH,
8721 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8722 .policy = nft_set_elem_list_policy,
8724 [NFT_MSG_DESTROYSETELEM] = {
8725 .call = nf_tables_delsetelem,
8726 .type = NFNL_CB_BATCH,
8727 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8728 .policy = nft_set_elem_list_policy,
8730 [NFT_MSG_GETGEN] = {
8731 .call = nf_tables_getgen,
8732 .type = NFNL_CB_RCU,
8734 [NFT_MSG_NEWOBJ] = {
8735 .call = nf_tables_newobj,
8736 .type = NFNL_CB_BATCH,
8737 .attr_count = NFTA_OBJ_MAX,
8738 .policy = nft_obj_policy,
8740 [NFT_MSG_GETOBJ] = {
8741 .call = nf_tables_getobj,
8742 .type = NFNL_CB_RCU,
8743 .attr_count = NFTA_OBJ_MAX,
8744 .policy = nft_obj_policy,
8746 [NFT_MSG_DELOBJ] = {
8747 .call = nf_tables_delobj,
8748 .type = NFNL_CB_BATCH,
8749 .attr_count = NFTA_OBJ_MAX,
8750 .policy = nft_obj_policy,
8752 [NFT_MSG_DESTROYOBJ] = {
8753 .call = nf_tables_delobj,
8754 .type = NFNL_CB_BATCH,
8755 .attr_count = NFTA_OBJ_MAX,
8756 .policy = nft_obj_policy,
8758 [NFT_MSG_GETOBJ_RESET] = {
8759 .call = nf_tables_getobj,
8760 .type = NFNL_CB_RCU,
8761 .attr_count = NFTA_OBJ_MAX,
8762 .policy = nft_obj_policy,
8764 [NFT_MSG_NEWFLOWTABLE] = {
8765 .call = nf_tables_newflowtable,
8766 .type = NFNL_CB_BATCH,
8767 .attr_count = NFTA_FLOWTABLE_MAX,
8768 .policy = nft_flowtable_policy,
8770 [NFT_MSG_GETFLOWTABLE] = {
8771 .call = nf_tables_getflowtable,
8772 .type = NFNL_CB_RCU,
8773 .attr_count = NFTA_FLOWTABLE_MAX,
8774 .policy = nft_flowtable_policy,
8776 [NFT_MSG_DELFLOWTABLE] = {
8777 .call = nf_tables_delflowtable,
8778 .type = NFNL_CB_BATCH,
8779 .attr_count = NFTA_FLOWTABLE_MAX,
8780 .policy = nft_flowtable_policy,
8782 [NFT_MSG_DESTROYFLOWTABLE] = {
8783 .call = nf_tables_delflowtable,
8784 .type = NFNL_CB_BATCH,
8785 .attr_count = NFTA_FLOWTABLE_MAX,
8786 .policy = nft_flowtable_policy,
8790 static int nf_tables_validate(struct net *net)
8792 struct nftables_pernet *nft_net = nft_pernet(net);
8793 struct nft_table *table;
8795 list_for_each_entry(table, &nft_net->tables, list) {
8796 switch (table->validate_state) {
8797 case NFT_VALIDATE_SKIP:
8799 case NFT_VALIDATE_NEED:
8800 nft_validate_state_update(table, NFT_VALIDATE_DO);
8802 case NFT_VALIDATE_DO:
8803 if (nft_table_validate(net, table) < 0)
8806 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
8815 /* a drop policy has to be deferred until all rules have been activated,
8816 * otherwise a large ruleset that contains a drop-policy base chain will
8817 * cause all packets to get dropped until the full transaction has been
8820 * We defer the drop policy until the transaction has been finalized.
8822 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
8824 struct nft_base_chain *basechain;
8826 if (nft_trans_chain_policy(trans) != NF_DROP)
8829 if (!nft_is_base_chain(trans->ctx.chain))
8832 basechain = nft_base_chain(trans->ctx.chain);
8833 basechain->policy = NF_DROP;
8836 static void nft_chain_commit_update(struct nft_trans *trans)
8838 struct nft_base_chain *basechain;
8840 if (nft_trans_chain_name(trans)) {
8841 rhltable_remove(&trans->ctx.table->chains_ht,
8842 &trans->ctx.chain->rhlhead,
8843 nft_chain_ht_params);
8844 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
8845 rhltable_insert_key(&trans->ctx.table->chains_ht,
8846 trans->ctx.chain->name,
8847 &trans->ctx.chain->rhlhead,
8848 nft_chain_ht_params);
8851 if (!nft_is_base_chain(trans->ctx.chain))
8854 nft_chain_stats_replace(trans);
8856 basechain = nft_base_chain(trans->ctx.chain);
8858 switch (nft_trans_chain_policy(trans)) {
8861 basechain->policy = nft_trans_chain_policy(trans);
8866 static void nft_obj_commit_update(struct nft_trans *trans)
8868 struct nft_object *newobj;
8869 struct nft_object *obj;
8871 obj = nft_trans_obj(trans);
8872 newobj = nft_trans_obj_newobj(trans);
8874 if (obj->ops->update)
8875 obj->ops->update(obj, newobj);
8877 nft_obj_destroy(&trans->ctx, newobj);
8880 static void nft_commit_release(struct nft_trans *trans)
8882 switch (trans->msg_type) {
8883 case NFT_MSG_DELTABLE:
8884 case NFT_MSG_DESTROYTABLE:
8885 nf_tables_table_destroy(&trans->ctx);
8887 case NFT_MSG_NEWCHAIN:
8888 free_percpu(nft_trans_chain_stats(trans));
8889 kfree(nft_trans_chain_name(trans));
8891 case NFT_MSG_DELCHAIN:
8892 case NFT_MSG_DESTROYCHAIN:
8893 if (nft_trans_chain_update(trans))
8894 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
8896 nf_tables_chain_destroy(&trans->ctx);
8898 case NFT_MSG_DELRULE:
8899 case NFT_MSG_DESTROYRULE:
8900 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8902 case NFT_MSG_DELSET:
8903 case NFT_MSG_DESTROYSET:
8904 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8906 case NFT_MSG_DELSETELEM:
8907 case NFT_MSG_DESTROYSETELEM:
8908 nf_tables_set_elem_destroy(&trans->ctx,
8909 nft_trans_elem_set(trans),
8910 nft_trans_elem(trans).priv);
8912 case NFT_MSG_DELOBJ:
8913 case NFT_MSG_DESTROYOBJ:
8914 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8916 case NFT_MSG_DELFLOWTABLE:
8917 case NFT_MSG_DESTROYFLOWTABLE:
8918 if (nft_trans_flowtable_update(trans))
8919 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8921 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8926 put_net(trans->ctx.net);
8931 static void nf_tables_trans_destroy_work(struct work_struct *w)
8933 struct nft_trans *trans, *next;
8936 spin_lock(&nf_tables_destroy_list_lock);
8937 list_splice_init(&nf_tables_destroy_list, &head);
8938 spin_unlock(&nf_tables_destroy_list_lock);
8940 if (list_empty(&head))
8945 list_for_each_entry_safe(trans, next, &head, list) {
8946 list_del(&trans->list);
8947 nft_commit_release(trans);
8951 void nf_tables_trans_destroy_flush_work(void)
8953 flush_work(&trans_destroy_work);
8955 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
8957 static bool nft_expr_reduce(struct nft_regs_track *track,
8958 const struct nft_expr *expr)
8963 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
8965 const struct nft_expr *expr, *last;
8966 struct nft_regs_track track = {};
8967 unsigned int size, data_size;
8968 void *data, *data_boundary;
8969 struct nft_rule_dp *prule;
8970 struct nft_rule *rule;
8972 /* already handled or inactive chain? */
8973 if (chain->blob_next || !nft_is_active_next(net, chain))
8977 list_for_each_entry(rule, &chain->rules, list) {
8978 if (nft_is_active_next(net, rule)) {
8979 data_size += sizeof(*prule) + rule->dlen;
8980 if (data_size > INT_MAX)
8985 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
8986 if (!chain->blob_next)
8989 data = (void *)chain->blob_next->data;
8990 data_boundary = data + data_size;
8993 list_for_each_entry(rule, &chain->rules, list) {
8994 if (!nft_is_active_next(net, rule))
8997 prule = (struct nft_rule_dp *)data;
8998 data += offsetof(struct nft_rule_dp, data);
8999 if (WARN_ON_ONCE(data > data_boundary))
9003 track.last = nft_expr_last(rule);
9004 nft_rule_for_each_expr(expr, last, rule) {
9007 if (nft_expr_reduce(&track, expr)) {
9012 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9015 memcpy(data + size, expr, expr->ops->size);
9016 size += expr->ops->size;
9018 if (WARN_ON_ONCE(size >= 1 << 12))
9021 prule->handle = rule->handle;
9027 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9030 if (WARN_ON_ONCE(data > data_boundary))
9033 prule = (struct nft_rule_dp *)data;
9034 nft_last_rule(chain, prule);
9039 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9041 struct nftables_pernet *nft_net = nft_pernet(net);
9042 struct nft_trans *trans, *next;
9044 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9045 struct nft_chain *chain = trans->ctx.chain;
9047 if (trans->msg_type == NFT_MSG_NEWRULE ||
9048 trans->msg_type == NFT_MSG_DELRULE) {
9049 kvfree(chain->blob_next);
9050 chain->blob_next = NULL;
9055 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9057 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9062 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9064 struct nft_rule_dp_last *last;
9066 /* last rule trailer is after end marker */
9067 last = (void *)blob + sizeof(*blob) + blob->size;
9070 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9073 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9075 struct nft_rule_blob *g0, *g1;
9078 next_genbit = nft_gencursor_next(net);
9080 g0 = rcu_dereference_protected(chain->blob_gen_0,
9081 lockdep_commit_lock_is_held(net));
9082 g1 = rcu_dereference_protected(chain->blob_gen_1,
9083 lockdep_commit_lock_is_held(net));
9085 /* No changes to this chain? */
9086 if (chain->blob_next == NULL) {
9087 /* chain had no change in last or next generation */
9091 * chain had no change in this generation; make sure next
9092 * one uses same rules as current generation.
9095 rcu_assign_pointer(chain->blob_gen_1, g0);
9096 nf_tables_commit_chain_free_rules_old(g1);
9098 rcu_assign_pointer(chain->blob_gen_0, g1);
9099 nf_tables_commit_chain_free_rules_old(g0);
9106 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9108 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9110 chain->blob_next = NULL;
9116 nf_tables_commit_chain_free_rules_old(g1);
9118 nf_tables_commit_chain_free_rules_old(g0);
9121 static void nft_obj_del(struct nft_object *obj)
9123 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9124 list_del_rcu(&obj->list);
9127 void nft_chain_del(struct nft_chain *chain)
9129 struct nft_table *table = chain->table;
9131 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9132 nft_chain_ht_params));
9133 list_del_rcu(&chain->list);
9136 static void nf_tables_module_autoload_cleanup(struct net *net)
9138 struct nftables_pernet *nft_net = nft_pernet(net);
9139 struct nft_module_request *req, *next;
9141 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9142 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
9143 WARN_ON_ONCE(!req->done);
9144 list_del(&req->list);
9149 static void nf_tables_commit_release(struct net *net)
9151 struct nftables_pernet *nft_net = nft_pernet(net);
9152 struct nft_trans *trans;
9154 /* all side effects have to be made visible.
9155 * For example, if a chain named 'foo' has been deleted, a
9156 * new transaction must not find it anymore.
9158 * Memory reclaim happens asynchronously from work queue
9159 * to prevent expensive synchronize_rcu() in commit phase.
9161 if (list_empty(&nft_net->commit_list)) {
9162 nf_tables_module_autoload_cleanup(net);
9163 mutex_unlock(&nft_net->commit_mutex);
9167 trans = list_last_entry(&nft_net->commit_list,
9168 struct nft_trans, list);
9169 get_net(trans->ctx.net);
9170 WARN_ON_ONCE(trans->put_net);
9172 trans->put_net = true;
9173 spin_lock(&nf_tables_destroy_list_lock);
9174 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
9175 spin_unlock(&nf_tables_destroy_list_lock);
9177 nf_tables_module_autoload_cleanup(net);
9178 schedule_work(&trans_destroy_work);
9180 mutex_unlock(&nft_net->commit_mutex);
9183 static void nft_commit_notify(struct net *net, u32 portid)
9185 struct nftables_pernet *nft_net = nft_pernet(net);
9186 struct sk_buff *batch_skb = NULL, *nskb, *skb;
9187 unsigned char *data;
9190 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
9194 len = NLMSG_GOODSIZE - skb->len;
9195 list_del(&skb->list);
9199 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
9200 data = skb_put(batch_skb, skb->len);
9201 memcpy(data, skb->data, skb->len);
9202 list_del(&skb->list);
9206 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9207 NFT_CB(batch_skb).report, GFP_KERNEL);
9212 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9213 NFT_CB(batch_skb).report, GFP_KERNEL);
9216 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9219 static int nf_tables_commit_audit_alloc(struct list_head *adl,
9220 struct nft_table *table)
9222 struct nft_audit_data *adp;
9224 list_for_each_entry(adp, adl, list) {
9225 if (adp->table == table)
9228 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
9232 list_add(&adp->list, adl);
9236 static void nf_tables_commit_audit_free(struct list_head *adl)
9238 struct nft_audit_data *adp, *adn;
9240 list_for_each_entry_safe(adp, adn, adl, list) {
9241 list_del(&adp->list);
9246 static void nf_tables_commit_audit_collect(struct list_head *adl,
9247 struct nft_table *table, u32 op)
9249 struct nft_audit_data *adp;
9251 list_for_each_entry(adp, adl, list) {
9252 if (adp->table == table)
9255 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
9259 if (!adp->op || adp->op > op)
9263 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
9265 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
9267 struct nft_audit_data *adp, *adn;
9268 char aubuf[AUNFTABLENAMELEN];
9270 list_for_each_entry_safe(adp, adn, adl, list) {
9271 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
9273 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
9274 nft2audit_op[adp->op], GFP_KERNEL);
9275 list_del(&adp->list);
9280 static void nft_set_commit_update(struct list_head *set_update_list)
9282 struct nft_set *set, *next;
9284 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
9285 list_del_init(&set->pending_update);
9287 if (!set->ops->commit)
9290 set->ops->commit(set);
9294 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
9296 struct nftables_pernet *nft_net = nft_pernet(net);
9297 struct nft_trans *trans, *next;
9298 LIST_HEAD(set_update_list);
9299 struct nft_trans_elem *te;
9300 struct nft_chain *chain;
9301 struct nft_table *table;
9302 unsigned int base_seq;
9306 if (list_empty(&nft_net->commit_list)) {
9307 mutex_unlock(&nft_net->commit_mutex);
9311 /* 0. Validate ruleset, otherwise roll back for error reporting. */
9312 if (nf_tables_validate(net) < 0)
9315 err = nft_flow_rule_offload_commit(net);
9319 /* 1. Allocate space for next generation rules_gen_X[] */
9320 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9323 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
9325 nf_tables_commit_chain_prepare_cancel(net);
9326 nf_tables_commit_audit_free(&adl);
9329 if (trans->msg_type == NFT_MSG_NEWRULE ||
9330 trans->msg_type == NFT_MSG_DELRULE) {
9331 chain = trans->ctx.chain;
9333 ret = nf_tables_commit_chain_prepare(net, chain);
9335 nf_tables_commit_chain_prepare_cancel(net);
9336 nf_tables_commit_audit_free(&adl);
9342 /* step 2. Make rules_gen_X visible to packet path */
9343 list_for_each_entry(table, &nft_net->tables, list) {
9344 list_for_each_entry(chain, &table->chains, list)
9345 nf_tables_commit_chain(net, chain);
9349 * Bump generation counter, invalidate any dump in progress.
9350 * Cannot fail after this point.
9352 base_seq = READ_ONCE(nft_net->base_seq);
9353 while (++base_seq == 0)
9356 WRITE_ONCE(nft_net->base_seq, base_seq);
9358 /* step 3. Start new generation, rules_gen_X now in use. */
9359 net->nft.gencursor = nft_gencursor_next(net);
9361 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9362 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
9364 switch (trans->msg_type) {
9365 case NFT_MSG_NEWTABLE:
9366 if (nft_trans_table_update(trans)) {
9367 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
9368 nft_trans_destroy(trans);
9371 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
9372 nf_tables_table_disable(net, trans->ctx.table);
9374 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
9376 nft_clear(net, trans->ctx.table);
9378 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
9379 nft_trans_destroy(trans);
9381 case NFT_MSG_DELTABLE:
9382 case NFT_MSG_DESTROYTABLE:
9383 list_del_rcu(&trans->ctx.table->list);
9384 nf_tables_table_notify(&trans->ctx, trans->msg_type);
9386 case NFT_MSG_NEWCHAIN:
9387 if (nft_trans_chain_update(trans)) {
9388 nft_chain_commit_update(trans);
9389 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN,
9390 &nft_trans_chain_hooks(trans));
9391 list_splice(&nft_trans_chain_hooks(trans),
9392 &nft_trans_basechain(trans)->hook_list);
9393 /* trans destroyed after rcu grace period */
9395 nft_chain_commit_drop_policy(trans);
9396 nft_clear(net, trans->ctx.chain);
9397 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
9398 nft_trans_destroy(trans);
9401 case NFT_MSG_DELCHAIN:
9402 case NFT_MSG_DESTROYCHAIN:
9403 if (nft_trans_chain_update(trans)) {
9404 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
9405 &nft_trans_chain_hooks(trans));
9406 nft_netdev_unregister_hooks(net,
9407 &nft_trans_chain_hooks(trans),
9410 nft_chain_del(trans->ctx.chain);
9411 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
9413 nf_tables_unregister_hook(trans->ctx.net,
9418 case NFT_MSG_NEWRULE:
9419 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9420 nf_tables_rule_notify(&trans->ctx,
9421 nft_trans_rule(trans),
9423 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9424 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9426 nft_trans_destroy(trans);
9428 case NFT_MSG_DELRULE:
9429 case NFT_MSG_DESTROYRULE:
9430 list_del_rcu(&nft_trans_rule(trans)->list);
9431 nf_tables_rule_notify(&trans->ctx,
9432 nft_trans_rule(trans),
9434 nft_rule_expr_deactivate(&trans->ctx,
9435 nft_trans_rule(trans),
9438 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9439 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9441 case NFT_MSG_NEWSET:
9442 if (nft_trans_set_update(trans)) {
9443 struct nft_set *set = nft_trans_set(trans);
9445 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
9446 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
9448 nft_clear(net, nft_trans_set(trans));
9449 /* This avoids hitting -EBUSY when deleting the table
9450 * from the transaction.
9452 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
9453 !list_empty(&nft_trans_set(trans)->bindings))
9454 trans->ctx.table->use--;
9456 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
9457 NFT_MSG_NEWSET, GFP_KERNEL);
9458 nft_trans_destroy(trans);
9460 case NFT_MSG_DELSET:
9461 case NFT_MSG_DESTROYSET:
9462 list_del_rcu(&nft_trans_set(trans)->list);
9463 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
9464 trans->msg_type, GFP_KERNEL);
9466 case NFT_MSG_NEWSETELEM:
9467 te = (struct nft_trans_elem *)trans->data;
9469 nft_setelem_activate(net, te->set, &te->elem);
9470 nf_tables_setelem_notify(&trans->ctx, te->set,
9472 NFT_MSG_NEWSETELEM);
9473 if (te->set->ops->commit &&
9474 list_empty(&te->set->pending_update)) {
9475 list_add_tail(&te->set->pending_update,
9478 nft_trans_destroy(trans);
9480 case NFT_MSG_DELSETELEM:
9481 case NFT_MSG_DESTROYSETELEM:
9482 te = (struct nft_trans_elem *)trans->data;
9484 nf_tables_setelem_notify(&trans->ctx, te->set,
9487 nft_setelem_remove(net, te->set, &te->elem);
9488 if (!nft_setelem_is_catchall(te->set, &te->elem)) {
9489 atomic_dec(&te->set->nelems);
9492 if (te->set->ops->commit &&
9493 list_empty(&te->set->pending_update)) {
9494 list_add_tail(&te->set->pending_update,
9498 case NFT_MSG_NEWOBJ:
9499 if (nft_trans_obj_update(trans)) {
9500 nft_obj_commit_update(trans);
9501 nf_tables_obj_notify(&trans->ctx,
9502 nft_trans_obj(trans),
9505 nft_clear(net, nft_trans_obj(trans));
9506 nf_tables_obj_notify(&trans->ctx,
9507 nft_trans_obj(trans),
9509 nft_trans_destroy(trans);
9512 case NFT_MSG_DELOBJ:
9513 case NFT_MSG_DESTROYOBJ:
9514 nft_obj_del(nft_trans_obj(trans));
9515 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
9518 case NFT_MSG_NEWFLOWTABLE:
9519 if (nft_trans_flowtable_update(trans)) {
9520 nft_trans_flowtable(trans)->data.flags =
9521 nft_trans_flowtable_flags(trans);
9522 nf_tables_flowtable_notify(&trans->ctx,
9523 nft_trans_flowtable(trans),
9524 &nft_trans_flowtable_hooks(trans),
9525 NFT_MSG_NEWFLOWTABLE);
9526 list_splice(&nft_trans_flowtable_hooks(trans),
9527 &nft_trans_flowtable(trans)->hook_list);
9529 nft_clear(net, nft_trans_flowtable(trans));
9530 nf_tables_flowtable_notify(&trans->ctx,
9531 nft_trans_flowtable(trans),
9533 NFT_MSG_NEWFLOWTABLE);
9535 nft_trans_destroy(trans);
9537 case NFT_MSG_DELFLOWTABLE:
9538 case NFT_MSG_DESTROYFLOWTABLE:
9539 if (nft_trans_flowtable_update(trans)) {
9540 nf_tables_flowtable_notify(&trans->ctx,
9541 nft_trans_flowtable(trans),
9542 &nft_trans_flowtable_hooks(trans),
9544 nft_unregister_flowtable_net_hooks(net,
9545 &nft_trans_flowtable_hooks(trans));
9547 list_del_rcu(&nft_trans_flowtable(trans)->list);
9548 nf_tables_flowtable_notify(&trans->ctx,
9549 nft_trans_flowtable(trans),
9552 nft_unregister_flowtable_net_hooks(net,
9553 &nft_trans_flowtable(trans)->hook_list);
9559 nft_set_commit_update(&set_update_list);
9561 nft_commit_notify(net, NETLINK_CB(skb).portid);
9562 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
9563 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
9564 nf_tables_commit_release(net);
9569 static void nf_tables_module_autoload(struct net *net)
9571 struct nftables_pernet *nft_net = nft_pernet(net);
9572 struct nft_module_request *req, *next;
9573 LIST_HEAD(module_list);
9575 list_splice_init(&nft_net->module_list, &module_list);
9576 mutex_unlock(&nft_net->commit_mutex);
9577 list_for_each_entry_safe(req, next, &module_list, list) {
9578 request_module("%s", req->module);
9581 mutex_lock(&nft_net->commit_mutex);
9582 list_splice(&module_list, &nft_net->module_list);
9585 static void nf_tables_abort_release(struct nft_trans *trans)
9587 switch (trans->msg_type) {
9588 case NFT_MSG_NEWTABLE:
9589 nf_tables_table_destroy(&trans->ctx);
9591 case NFT_MSG_NEWCHAIN:
9592 if (nft_trans_chain_update(trans))
9593 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9595 nf_tables_chain_destroy(&trans->ctx);
9597 case NFT_MSG_NEWRULE:
9598 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9600 case NFT_MSG_NEWSET:
9601 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9603 case NFT_MSG_NEWSETELEM:
9604 nft_set_elem_destroy(nft_trans_elem_set(trans),
9605 nft_trans_elem(trans).priv, true);
9607 case NFT_MSG_NEWOBJ:
9608 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9610 case NFT_MSG_NEWFLOWTABLE:
9611 if (nft_trans_flowtable_update(trans))
9612 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9614 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9620 static void nft_set_abort_update(struct list_head *set_update_list)
9622 struct nft_set *set, *next;
9624 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
9625 list_del_init(&set->pending_update);
9627 if (!set->ops->abort)
9630 set->ops->abort(set);
9634 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
9636 struct nftables_pernet *nft_net = nft_pernet(net);
9637 struct nft_trans *trans, *next;
9638 LIST_HEAD(set_update_list);
9639 struct nft_trans_elem *te;
9641 if (action == NFNL_ABORT_VALIDATE &&
9642 nf_tables_validate(net) < 0)
9645 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
9647 switch (trans->msg_type) {
9648 case NFT_MSG_NEWTABLE:
9649 if (nft_trans_table_update(trans)) {
9650 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
9651 nft_trans_destroy(trans);
9654 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
9655 nf_tables_table_disable(net, trans->ctx.table);
9656 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
9657 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
9658 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
9660 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
9661 nft_trans_destroy(trans);
9663 list_del_rcu(&trans->ctx.table->list);
9666 case NFT_MSG_DELTABLE:
9667 case NFT_MSG_DESTROYTABLE:
9668 nft_clear(trans->ctx.net, trans->ctx.table);
9669 nft_trans_destroy(trans);
9671 case NFT_MSG_NEWCHAIN:
9672 if (nft_trans_chain_update(trans)) {
9673 nft_netdev_unregister_hooks(net,
9674 &nft_trans_chain_hooks(trans),
9676 free_percpu(nft_trans_chain_stats(trans));
9677 kfree(nft_trans_chain_name(trans));
9678 nft_trans_destroy(trans);
9680 if (nft_chain_is_bound(trans->ctx.chain)) {
9681 nft_trans_destroy(trans);
9684 trans->ctx.table->use--;
9685 nft_chain_del(trans->ctx.chain);
9686 nf_tables_unregister_hook(trans->ctx.net,
9691 case NFT_MSG_DELCHAIN:
9692 case NFT_MSG_DESTROYCHAIN:
9693 if (nft_trans_chain_update(trans)) {
9694 list_splice(&nft_trans_chain_hooks(trans),
9695 &nft_trans_basechain(trans)->hook_list);
9697 trans->ctx.table->use++;
9698 nft_clear(trans->ctx.net, trans->ctx.chain);
9700 nft_trans_destroy(trans);
9702 case NFT_MSG_NEWRULE:
9703 trans->ctx.chain->use--;
9704 list_del_rcu(&nft_trans_rule(trans)->list);
9705 nft_rule_expr_deactivate(&trans->ctx,
9706 nft_trans_rule(trans),
9708 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9709 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9711 case NFT_MSG_DELRULE:
9712 case NFT_MSG_DESTROYRULE:
9713 trans->ctx.chain->use++;
9714 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9715 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
9716 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9717 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9719 nft_trans_destroy(trans);
9721 case NFT_MSG_NEWSET:
9722 if (nft_trans_set_update(trans)) {
9723 nft_trans_destroy(trans);
9726 trans->ctx.table->use--;
9727 if (nft_trans_set_bound(trans)) {
9728 nft_trans_destroy(trans);
9731 list_del_rcu(&nft_trans_set(trans)->list);
9733 case NFT_MSG_DELSET:
9734 case NFT_MSG_DESTROYSET:
9735 trans->ctx.table->use++;
9736 nft_clear(trans->ctx.net, nft_trans_set(trans));
9737 nft_trans_destroy(trans);
9739 case NFT_MSG_NEWSETELEM:
9740 if (nft_trans_elem_set_bound(trans)) {
9741 nft_trans_destroy(trans);
9744 te = (struct nft_trans_elem *)trans->data;
9745 nft_setelem_remove(net, te->set, &te->elem);
9746 if (!nft_setelem_is_catchall(te->set, &te->elem))
9747 atomic_dec(&te->set->nelems);
9749 if (te->set->ops->abort &&
9750 list_empty(&te->set->pending_update)) {
9751 list_add_tail(&te->set->pending_update,
9755 case NFT_MSG_DELSETELEM:
9756 case NFT_MSG_DESTROYSETELEM:
9757 te = (struct nft_trans_elem *)trans->data;
9759 nft_setelem_data_activate(net, te->set, &te->elem);
9760 nft_setelem_activate(net, te->set, &te->elem);
9761 if (!nft_setelem_is_catchall(te->set, &te->elem))
9764 if (te->set->ops->abort &&
9765 list_empty(&te->set->pending_update)) {
9766 list_add_tail(&te->set->pending_update,
9769 nft_trans_destroy(trans);
9771 case NFT_MSG_NEWOBJ:
9772 if (nft_trans_obj_update(trans)) {
9773 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
9774 nft_trans_destroy(trans);
9776 trans->ctx.table->use--;
9777 nft_obj_del(nft_trans_obj(trans));
9780 case NFT_MSG_DELOBJ:
9781 case NFT_MSG_DESTROYOBJ:
9782 trans->ctx.table->use++;
9783 nft_clear(trans->ctx.net, nft_trans_obj(trans));
9784 nft_trans_destroy(trans);
9786 case NFT_MSG_NEWFLOWTABLE:
9787 if (nft_trans_flowtable_update(trans)) {
9788 nft_unregister_flowtable_net_hooks(net,
9789 &nft_trans_flowtable_hooks(trans));
9791 trans->ctx.table->use--;
9792 list_del_rcu(&nft_trans_flowtable(trans)->list);
9793 nft_unregister_flowtable_net_hooks(net,
9794 &nft_trans_flowtable(trans)->hook_list);
9797 case NFT_MSG_DELFLOWTABLE:
9798 case NFT_MSG_DESTROYFLOWTABLE:
9799 if (nft_trans_flowtable_update(trans)) {
9800 list_splice(&nft_trans_flowtable_hooks(trans),
9801 &nft_trans_flowtable(trans)->hook_list);
9803 trans->ctx.table->use++;
9804 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
9806 nft_trans_destroy(trans);
9811 nft_set_abort_update(&set_update_list);
9815 list_for_each_entry_safe_reverse(trans, next,
9816 &nft_net->commit_list, list) {
9817 list_del(&trans->list);
9818 nf_tables_abort_release(trans);
9821 if (action == NFNL_ABORT_AUTOLOAD)
9822 nf_tables_module_autoload(net);
9824 nf_tables_module_autoload_cleanup(net);
9829 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
9830 enum nfnl_abort_action action)
9832 struct nftables_pernet *nft_net = nft_pernet(net);
9833 int ret = __nf_tables_abort(net, action);
9835 mutex_unlock(&nft_net->commit_mutex);
9840 static bool nf_tables_valid_genid(struct net *net, u32 genid)
9842 struct nftables_pernet *nft_net = nft_pernet(net);
9845 mutex_lock(&nft_net->commit_mutex);
9847 genid_ok = genid == 0 || nft_net->base_seq == genid;
9849 mutex_unlock(&nft_net->commit_mutex);
9851 /* else, commit mutex has to be released by commit or abort function */
9855 static const struct nfnetlink_subsystem nf_tables_subsys = {
9856 .name = "nf_tables",
9857 .subsys_id = NFNL_SUBSYS_NFTABLES,
9858 .cb_count = NFT_MSG_MAX,
9860 .commit = nf_tables_commit,
9861 .abort = nf_tables_abort,
9862 .valid_genid = nf_tables_valid_genid,
9863 .owner = THIS_MODULE,
9866 int nft_chain_validate_dependency(const struct nft_chain *chain,
9867 enum nft_chain_types type)
9869 const struct nft_base_chain *basechain;
9871 if (nft_is_base_chain(chain)) {
9872 basechain = nft_base_chain(chain);
9873 if (basechain->type->type != type)
9878 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
9880 int nft_chain_validate_hooks(const struct nft_chain *chain,
9881 unsigned int hook_flags)
9883 struct nft_base_chain *basechain;
9885 if (nft_is_base_chain(chain)) {
9886 basechain = nft_base_chain(chain);
9888 if ((1 << basechain->ops.hooknum) & hook_flags)
9896 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
9899 * Loop detection - walk through the ruleset beginning at the destination chain
9900 * of a new jump until either the source chain is reached (loop) or all
9901 * reachable chains have been traversed.
9903 * The loop check is performed whenever a new jump verdict is added to an
9904 * expression or verdict map or a verdict map is bound to a new chain.
9907 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9908 const struct nft_chain *chain);
9910 static int nft_check_loops(const struct nft_ctx *ctx,
9911 const struct nft_set_ext *ext)
9913 const struct nft_data *data;
9916 data = nft_set_ext_data(ext);
9917 switch (data->verdict.code) {
9920 ret = nf_tables_check_loops(ctx, data->verdict.chain);
9930 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
9931 struct nft_set *set,
9932 const struct nft_set_iter *iter,
9933 struct nft_set_elem *elem)
9935 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
9937 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
9938 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
9941 return nft_check_loops(ctx, ext);
9944 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
9945 struct nft_set *set)
9947 u8 genmask = nft_genmask_next(ctx->net);
9948 struct nft_set_elem_catchall *catchall;
9949 struct nft_set_ext *ext;
9952 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9953 ext = nft_set_elem_ext(set, catchall->elem);
9954 if (!nft_set_elem_active(ext, genmask))
9957 ret = nft_check_loops(ctx, ext);
9965 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9966 const struct nft_chain *chain)
9968 const struct nft_rule *rule;
9969 const struct nft_expr *expr, *last;
9970 struct nft_set *set;
9971 struct nft_set_binding *binding;
9972 struct nft_set_iter iter;
9974 if (ctx->chain == chain)
9977 list_for_each_entry(rule, &chain->rules, list) {
9978 nft_rule_for_each_expr(expr, last, rule) {
9979 struct nft_immediate_expr *priv;
9980 const struct nft_data *data;
9983 if (strcmp(expr->ops->type->name, "immediate"))
9986 priv = nft_expr_priv(expr);
9987 if (priv->dreg != NFT_REG_VERDICT)
9991 switch (data->verdict.code) {
9994 err = nf_tables_check_loops(ctx,
9995 data->verdict.chain);
10005 list_for_each_entry(set, &ctx->table->sets, list) {
10006 if (!nft_is_active_next(ctx->net, set))
10008 if (!(set->flags & NFT_SET_MAP) ||
10009 set->dtype != NFT_DATA_VERDICT)
10012 list_for_each_entry(binding, &set->bindings, list) {
10013 if (!(binding->flags & NFT_SET_MAP) ||
10014 binding->chain != chain)
10017 iter.genmask = nft_genmask_next(ctx->net);
10021 iter.fn = nf_tables_loop_check_setelem;
10023 set->ops->walk(ctx, set, &iter);
10025 iter.err = nft_set_catchall_loops(ctx, set);
10036 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10038 * @attr: netlink attribute to fetch value from
10039 * @max: maximum value to be stored in dest
10040 * @dest: pointer to the variable
10042 * Parse, check and store a given u32 netlink attribute into variable.
10043 * This function returns -ERANGE if the value goes over maximum value.
10044 * Otherwise a 0 is returned and the attribute value is stored in the
10045 * destination variable.
10047 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10051 val = ntohl(nla_get_be32(attr));
10058 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10060 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10064 reg = ntohl(nla_get_be32(attr));
10066 case NFT_REG_VERDICT...NFT_REG_4:
10067 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10069 case NFT_REG32_00...NFT_REG32_15:
10070 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
10080 * nft_dump_register - dump a register value to a netlink attribute
10082 * @skb: socket buffer
10083 * @attr: attribute number
10084 * @reg: register number
10086 * Construct a netlink attribute containing the register number. For
10087 * compatibility reasons, register numbers being a multiple of 4 are
10088 * translated to the corresponding 128 bit register numbers.
10090 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
10092 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
10093 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
10095 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
10097 return nla_put_be32(skb, attr, htonl(reg));
10099 EXPORT_SYMBOL_GPL(nft_dump_register);
10101 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
10103 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10107 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
10113 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
10118 err = nft_parse_register(attr, ®);
10122 err = nft_validate_register_load(reg, len);
10129 EXPORT_SYMBOL_GPL(nft_parse_register_load);
10131 static int nft_validate_register_store(const struct nft_ctx *ctx,
10132 enum nft_registers reg,
10133 const struct nft_data *data,
10134 enum nft_data_types type,
10140 case NFT_REG_VERDICT:
10141 if (type != NFT_DATA_VERDICT)
10144 if (data != NULL &&
10145 (data->verdict.code == NFT_GOTO ||
10146 data->verdict.code == NFT_JUMP)) {
10147 err = nf_tables_check_loops(ctx, data->verdict.chain);
10154 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10158 if (reg * NFT_REG32_SIZE + len >
10159 sizeof_field(struct nft_regs, data))
10162 if (data != NULL && type != NFT_DATA_VALUE)
10168 int nft_parse_register_store(const struct nft_ctx *ctx,
10169 const struct nlattr *attr, u8 *dreg,
10170 const struct nft_data *data,
10171 enum nft_data_types type, unsigned int len)
10176 err = nft_parse_register(attr, ®);
10180 err = nft_validate_register_store(ctx, reg, data, type, len);
10187 EXPORT_SYMBOL_GPL(nft_parse_register_store);
10189 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
10190 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
10191 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
10192 .len = NFT_CHAIN_MAXNAMELEN - 1 },
10193 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
10196 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
10197 struct nft_data_desc *desc, const struct nlattr *nla)
10199 u8 genmask = nft_genmask_next(ctx->net);
10200 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
10201 struct nft_chain *chain;
10204 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
10205 nft_verdict_policy, NULL);
10209 if (!tb[NFTA_VERDICT_CODE])
10211 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
10213 switch (data->verdict.code) {
10215 switch (data->verdict.code & NF_VERDICT_MASK) {
10230 if (tb[NFTA_VERDICT_CHAIN]) {
10231 chain = nft_chain_lookup(ctx->net, ctx->table,
10232 tb[NFTA_VERDICT_CHAIN],
10234 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
10235 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
10236 tb[NFTA_VERDICT_CHAIN_ID]);
10238 return PTR_ERR(chain);
10244 return PTR_ERR(chain);
10245 if (nft_is_base_chain(chain))
10246 return -EOPNOTSUPP;
10247 if (nft_chain_is_bound(chain))
10249 if (desc->flags & NFT_DATA_DESC_SETELEM &&
10250 chain->flags & NFT_CHAIN_BINDING)
10254 data->verdict.chain = chain;
10258 desc->len = sizeof(data->verdict);
10263 static void nft_verdict_uninit(const struct nft_data *data)
10265 struct nft_chain *chain;
10266 struct nft_rule *rule;
10268 switch (data->verdict.code) {
10271 chain = data->verdict.chain;
10274 if (!nft_chain_is_bound(chain))
10277 chain->table->use--;
10278 list_for_each_entry(rule, &chain->rules, list)
10281 nft_chain_del(chain);
10286 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
10288 struct nlattr *nest;
10290 nest = nla_nest_start_noflag(skb, type);
10292 goto nla_put_failure;
10294 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
10295 goto nla_put_failure;
10300 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
10302 goto nla_put_failure;
10304 nla_nest_end(skb, nest);
10311 static int nft_value_init(const struct nft_ctx *ctx,
10312 struct nft_data *data, struct nft_data_desc *desc,
10313 const struct nlattr *nla)
10317 len = nla_len(nla);
10320 if (len > desc->size)
10323 if (len != desc->len)
10329 nla_memcpy(data->data, nla, len);
10334 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
10337 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
10340 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
10341 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
10342 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
10346 * nft_data_init - parse nf_tables data netlink attributes
10348 * @ctx: context of the expression using the data
10349 * @data: destination struct nft_data
10350 * @desc: data description
10351 * @nla: netlink attribute containing data
10353 * Parse the netlink data attributes and initialize a struct nft_data.
10354 * The type and length of data are returned in the data description.
10356 * The caller can indicate that it only wants to accept data of type
10357 * NFT_DATA_VALUE by passing NULL for the ctx argument.
10359 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
10360 struct nft_data_desc *desc, const struct nlattr *nla)
10362 struct nlattr *tb[NFTA_DATA_MAX + 1];
10365 if (WARN_ON_ONCE(!desc->size))
10368 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
10369 nft_data_policy, NULL);
10373 if (tb[NFTA_DATA_VALUE]) {
10374 if (desc->type != NFT_DATA_VALUE)
10377 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
10378 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
10379 if (desc->type != NFT_DATA_VERDICT)
10382 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
10389 EXPORT_SYMBOL_GPL(nft_data_init);
10392 * nft_data_release - release a nft_data item
10394 * @data: struct nft_data to release
10395 * @type: type of data
10397 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
10398 * all others need to be released by calling this function.
10400 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
10402 if (type < NFT_DATA_VERDICT)
10405 case NFT_DATA_VERDICT:
10406 return nft_verdict_uninit(data);
10411 EXPORT_SYMBOL_GPL(nft_data_release);
10413 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
10414 enum nft_data_types type, unsigned int len)
10416 struct nlattr *nest;
10419 nest = nla_nest_start_noflag(skb, attr);
10424 case NFT_DATA_VALUE:
10425 err = nft_value_dump(skb, data, len);
10427 case NFT_DATA_VERDICT:
10428 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
10435 nla_nest_end(skb, nest);
10438 EXPORT_SYMBOL_GPL(nft_data_dump);
10440 int __nft_release_basechain(struct nft_ctx *ctx)
10442 struct nft_rule *rule, *nr;
10444 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
10447 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
10448 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
10449 list_del(&rule->list);
10451 nf_tables_rule_release(ctx, rule);
10453 nft_chain_del(ctx->chain);
10455 nf_tables_chain_destroy(ctx);
10459 EXPORT_SYMBOL_GPL(__nft_release_basechain);
10461 static void __nft_release_hook(struct net *net, struct nft_table *table)
10463 struct nft_flowtable *flowtable;
10464 struct nft_chain *chain;
10466 list_for_each_entry(chain, &table->chains, list)
10467 __nf_tables_unregister_hook(net, table, chain, true);
10468 list_for_each_entry(flowtable, &table->flowtables, list)
10469 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
10473 static void __nft_release_hooks(struct net *net)
10475 struct nftables_pernet *nft_net = nft_pernet(net);
10476 struct nft_table *table;
10478 list_for_each_entry(table, &nft_net->tables, list) {
10479 if (nft_table_has_owner(table))
10482 __nft_release_hook(net, table);
10486 static void __nft_release_table(struct net *net, struct nft_table *table)
10488 struct nft_flowtable *flowtable, *nf;
10489 struct nft_chain *chain, *nc;
10490 struct nft_object *obj, *ne;
10491 struct nft_rule *rule, *nr;
10492 struct nft_set *set, *ns;
10493 struct nft_ctx ctx = {
10495 .family = NFPROTO_NETDEV,
10498 ctx.family = table->family;
10500 list_for_each_entry(chain, &table->chains, list) {
10502 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
10503 list_del(&rule->list);
10505 nf_tables_rule_release(&ctx, rule);
10508 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
10509 list_del(&flowtable->list);
10511 nf_tables_flowtable_destroy(flowtable);
10513 list_for_each_entry_safe(set, ns, &table->sets, list) {
10514 list_del(&set->list);
10516 nft_set_destroy(&ctx, set);
10518 list_for_each_entry_safe(obj, ne, &table->objects, list) {
10521 nft_obj_destroy(&ctx, obj);
10523 list_for_each_entry_safe(chain, nc, &table->chains, list) {
10525 nft_chain_del(chain);
10527 nf_tables_chain_destroy(&ctx);
10529 nf_tables_table_destroy(&ctx);
10532 static void __nft_release_tables(struct net *net)
10534 struct nftables_pernet *nft_net = nft_pernet(net);
10535 struct nft_table *table, *nt;
10537 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
10538 if (nft_table_has_owner(table))
10541 list_del(&table->list);
10543 __nft_release_table(net, table);
10547 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
10550 struct nft_table *table, *to_delete[8];
10551 struct nftables_pernet *nft_net;
10552 struct netlink_notify *n = ptr;
10553 struct net *net = n->net;
10554 unsigned int deleted;
10555 bool restart = false;
10557 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
10558 return NOTIFY_DONE;
10560 nft_net = nft_pernet(net);
10562 mutex_lock(&nft_net->commit_mutex);
10563 if (!list_empty(&nf_tables_destroy_list))
10566 list_for_each_entry(table, &nft_net->tables, list) {
10567 if (nft_table_has_owner(table) &&
10568 n->portid == table->nlpid) {
10569 __nft_release_hook(net, table);
10570 list_del_rcu(&table->list);
10571 to_delete[deleted++] = table;
10572 if (deleted >= ARRAY_SIZE(to_delete))
10577 restart = deleted >= ARRAY_SIZE(to_delete);
10580 __nft_release_table(net, to_delete[--deleted]);
10585 mutex_unlock(&nft_net->commit_mutex);
10587 return NOTIFY_DONE;
10590 static struct notifier_block nft_nl_notifier = {
10591 .notifier_call = nft_rcv_nl_event,
10594 static int __net_init nf_tables_init_net(struct net *net)
10596 struct nftables_pernet *nft_net = nft_pernet(net);
10598 INIT_LIST_HEAD(&nft_net->tables);
10599 INIT_LIST_HEAD(&nft_net->commit_list);
10600 INIT_LIST_HEAD(&nft_net->module_list);
10601 INIT_LIST_HEAD(&nft_net->notify_list);
10602 mutex_init(&nft_net->commit_mutex);
10603 nft_net->base_seq = 1;
10608 static void __net_exit nf_tables_pre_exit_net(struct net *net)
10610 struct nftables_pernet *nft_net = nft_pernet(net);
10612 mutex_lock(&nft_net->commit_mutex);
10613 __nft_release_hooks(net);
10614 mutex_unlock(&nft_net->commit_mutex);
10617 static void __net_exit nf_tables_exit_net(struct net *net)
10619 struct nftables_pernet *nft_net = nft_pernet(net);
10621 mutex_lock(&nft_net->commit_mutex);
10622 if (!list_empty(&nft_net->commit_list) ||
10623 !list_empty(&nft_net->module_list))
10624 __nf_tables_abort(net, NFNL_ABORT_NONE);
10625 __nft_release_tables(net);
10626 mutex_unlock(&nft_net->commit_mutex);
10627 WARN_ON_ONCE(!list_empty(&nft_net->tables));
10628 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
10629 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10632 static struct pernet_operations nf_tables_net_ops = {
10633 .init = nf_tables_init_net,
10634 .pre_exit = nf_tables_pre_exit_net,
10635 .exit = nf_tables_exit_net,
10636 .id = &nf_tables_net_id,
10637 .size = sizeof(struct nftables_pernet),
10640 static int __init nf_tables_module_init(void)
10644 err = register_pernet_subsys(&nf_tables_net_ops);
10648 err = nft_chain_filter_init();
10650 goto err_chain_filter;
10652 err = nf_tables_core_module_init();
10654 goto err_core_module;
10656 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
10658 goto err_netdev_notifier;
10660 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
10662 goto err_rht_objname;
10664 err = nft_offload_init();
10668 err = netlink_register_notifier(&nft_nl_notifier);
10670 goto err_netlink_notifier;
10673 err = nfnetlink_subsys_register(&nf_tables_subsys);
10675 goto err_nfnl_subsys;
10677 nft_chain_route_init();
10682 netlink_unregister_notifier(&nft_nl_notifier);
10683 err_netlink_notifier:
10684 nft_offload_exit();
10686 rhltable_destroy(&nft_objname_ht);
10688 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
10689 err_netdev_notifier:
10690 nf_tables_core_module_exit();
10692 nft_chain_filter_fini();
10694 unregister_pernet_subsys(&nf_tables_net_ops);
10698 static void __exit nf_tables_module_exit(void)
10700 nfnetlink_subsys_unregister(&nf_tables_subsys);
10701 netlink_unregister_notifier(&nft_nl_notifier);
10702 nft_offload_exit();
10703 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
10704 nft_chain_filter_fini();
10705 nft_chain_route_fini();
10706 unregister_pernet_subsys(&nf_tables_net_ops);
10707 cancel_work_sync(&trans_destroy_work);
10709 rhltable_destroy(&nft_objname_ht);
10710 nf_tables_core_module_exit();
10713 module_init(nf_tables_module_init);
10714 module_exit(nf_tables_module_exit);
10716 MODULE_LICENSE("GPL");
10717 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
10718 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / platform / kernel / linux-rpi.git / blob