2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
23 static LIST_HEAD(nf_tables_afinfo);
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &nf_tables_afinfo);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &nf_tables_afinfo, list) {
64 if (afi->family == family)
70 static struct nft_af_info *nf_tables_afinfo_lookup(int family, bool autoload)
72 struct nft_af_info *afi;
74 afi = nft_afinfo_lookup(family);
79 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
80 request_module("nft-afinfo-%u", family);
81 nfnl_lock(NFNL_SUBSYS_NFTABLES);
82 afi = nft_afinfo_lookup(family);
84 return ERR_PTR(-EAGAIN);
87 return ERR_PTR(-EAFNOSUPPORT);
94 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
95 const struct nlattr *nla)
97 struct nft_table *table;
99 list_for_each_entry(table, &afi->tables, list) {
100 if (!nla_strcmp(nla, table->name))
106 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
107 const struct nlattr *nla)
109 struct nft_table *table;
112 return ERR_PTR(-EINVAL);
114 table = nft_table_lookup(afi, nla);
118 return ERR_PTR(-ENOENT);
121 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
123 return ++table->hgenerator;
126 static struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
128 static int __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
132 for (i=0; i<NFT_CHAIN_T_MAX; i++) {
133 if (chain_type[family][i] != NULL &&
134 !nla_strcmp(nla, chain_type[family][i]->name))
140 static int nf_tables_chain_type_lookup(const struct nft_af_info *afi,
141 const struct nlattr *nla,
146 type = __nf_tables_chain_type_lookup(afi->family, nla);
147 #ifdef CONFIG_MODULES
148 if (type < 0 && autoload) {
149 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
150 request_module("nft-chain-%u-%*.s", afi->family,
151 nla_len(nla)-1, (const char *)nla_data(nla));
152 nfnl_lock(NFNL_SUBSYS_NFTABLES);
153 type = __nf_tables_chain_type_lookup(afi->family, nla);
159 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
160 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
161 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
164 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
165 int event, u32 flags, int family,
166 const struct nft_table *table)
168 struct nlmsghdr *nlh;
169 struct nfgenmsg *nfmsg;
171 event |= NFNL_SUBSYS_NFTABLES << 8;
172 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
174 goto nla_put_failure;
176 nfmsg = nlmsg_data(nlh);
177 nfmsg->nfgen_family = family;
178 nfmsg->version = NFNETLINK_V0;
181 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
182 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)))
183 goto nla_put_failure;
185 return nlmsg_end(skb, nlh);
188 nlmsg_trim(skb, nlh);
192 static int nf_tables_table_notify(const struct sk_buff *oskb,
193 const struct nlmsghdr *nlh,
194 const struct nft_table *table,
195 int event, int family)
198 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
199 u32 seq = nlh ? nlh->nlmsg_seq : 0;
200 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
204 report = nlh ? nlmsg_report(nlh) : false;
205 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
209 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
213 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
220 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
224 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
228 static int nf_tables_dump_tables(struct sk_buff *skb,
229 struct netlink_callback *cb)
231 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
232 const struct nft_af_info *afi;
233 const struct nft_table *table;
234 unsigned int idx = 0, s_idx = cb->args[0];
235 int family = nfmsg->nfgen_family;
237 list_for_each_entry(afi, &nf_tables_afinfo, list) {
238 if (family != NFPROTO_UNSPEC && family != afi->family)
241 list_for_each_entry(table, &afi->tables, list) {
245 memset(&cb->args[1], 0,
246 sizeof(cb->args) - sizeof(cb->args[0]));
247 if (nf_tables_fill_table_info(skb,
248 NETLINK_CB(cb->skb).portid,
252 afi->family, table) < 0)
263 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
264 const struct nlmsghdr *nlh,
265 const struct nlattr * const nla[])
267 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
268 const struct nft_af_info *afi;
269 const struct nft_table *table;
270 struct sk_buff *skb2;
271 int family = nfmsg->nfgen_family;
274 if (nlh->nlmsg_flags & NLM_F_DUMP) {
275 struct netlink_dump_control c = {
276 .dump = nf_tables_dump_tables,
278 return netlink_dump_start(nlsk, skb, nlh, &c);
281 afi = nf_tables_afinfo_lookup(family, false);
285 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
287 return PTR_ERR(table);
289 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
293 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
294 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
299 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
306 static int nf_tables_table_enable(struct nft_table *table)
308 struct nft_chain *chain;
311 list_for_each_entry(chain, &table->chains, list) {
312 err = nf_register_hook(&nft_base_chain(chain)->ops);
320 list_for_each_entry(chain, &table->chains, list) {
324 nf_unregister_hook(&nft_base_chain(chain)->ops);
329 static int nf_tables_table_disable(struct nft_table *table)
331 struct nft_chain *chain;
333 list_for_each_entry(chain, &table->chains, list)
334 nf_unregister_hook(&nft_base_chain(chain)->ops);
339 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
340 const struct nlmsghdr *nlh,
341 const struct nlattr * const nla[],
342 struct nft_af_info *afi, struct nft_table *table)
344 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
345 int family = nfmsg->nfgen_family, ret = 0;
347 if (nla[NFTA_TABLE_FLAGS]) {
350 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
351 if (flags & ~NFT_TABLE_F_DORMANT)
354 if ((flags & NFT_TABLE_F_DORMANT) &&
355 !(table->flags & NFT_TABLE_F_DORMANT)) {
356 ret = nf_tables_table_disable(table);
358 table->flags |= NFT_TABLE_F_DORMANT;
359 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
360 table->flags & NFT_TABLE_F_DORMANT) {
361 ret = nf_tables_table_enable(table);
363 table->flags &= ~NFT_TABLE_F_DORMANT;
369 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
374 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
375 const struct nlmsghdr *nlh,
376 const struct nlattr * const nla[])
378 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
379 const struct nlattr *name;
380 struct nft_af_info *afi;
381 struct nft_table *table;
382 int family = nfmsg->nfgen_family;
384 afi = nf_tables_afinfo_lookup(family, true);
388 name = nla[NFTA_TABLE_NAME];
389 table = nf_tables_table_lookup(afi, name);
391 if (PTR_ERR(table) != -ENOENT)
392 return PTR_ERR(table);
397 if (nlh->nlmsg_flags & NLM_F_EXCL)
399 if (nlh->nlmsg_flags & NLM_F_REPLACE)
401 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
404 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
408 nla_strlcpy(table->name, name, nla_len(name));
409 INIT_LIST_HEAD(&table->chains);
410 INIT_LIST_HEAD(&table->sets);
412 if (nla[NFTA_TABLE_FLAGS]) {
415 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
416 if (flags & ~NFT_TABLE_F_DORMANT) {
421 table->flags |= flags;
424 list_add_tail(&table->list, &afi->tables);
425 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
429 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
430 const struct nlmsghdr *nlh,
431 const struct nlattr * const nla[])
433 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
434 struct nft_af_info *afi;
435 struct nft_table *table;
436 int family = nfmsg->nfgen_family;
438 afi = nf_tables_afinfo_lookup(family, false);
442 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
444 return PTR_ERR(table);
449 list_del(&table->list);
450 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
455 int nft_register_chain_type(struct nf_chain_type *ctype)
459 nfnl_lock(NFNL_SUBSYS_NFTABLES);
460 if (chain_type[ctype->family][ctype->type] != NULL) {
465 if (!try_module_get(ctype->me))
468 chain_type[ctype->family][ctype->type] = ctype;
470 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
473 EXPORT_SYMBOL_GPL(nft_register_chain_type);
475 void nft_unregister_chain_type(struct nf_chain_type *ctype)
477 nfnl_lock(NFNL_SUBSYS_NFTABLES);
478 chain_type[ctype->family][ctype->type] = NULL;
479 module_put(ctype->me);
480 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
482 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
488 static struct nft_chain *
489 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
491 struct nft_chain *chain;
493 list_for_each_entry(chain, &table->chains, list) {
494 if (chain->handle == handle)
498 return ERR_PTR(-ENOENT);
501 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
502 const struct nlattr *nla)
504 struct nft_chain *chain;
507 return ERR_PTR(-EINVAL);
509 list_for_each_entry(chain, &table->chains, list) {
510 if (!nla_strcmp(nla, chain->name))
514 return ERR_PTR(-ENOENT);
517 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
518 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
519 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
520 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
521 .len = NFT_CHAIN_MAXNAMELEN - 1 },
522 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
523 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
524 [NFTA_CHAIN_TYPE] = { .type = NLA_NUL_STRING },
525 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
528 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
529 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
530 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
533 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
535 struct nft_stats *cpu_stats, total;
539 memset(&total, 0, sizeof(total));
540 for_each_possible_cpu(cpu) {
541 cpu_stats = per_cpu_ptr(stats, cpu);
542 total.pkts += cpu_stats->pkts;
543 total.bytes += cpu_stats->bytes;
545 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
547 goto nla_put_failure;
549 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
550 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
551 goto nla_put_failure;
553 nla_nest_end(skb, nest);
560 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
561 int event, u32 flags, int family,
562 const struct nft_table *table,
563 const struct nft_chain *chain)
565 struct nlmsghdr *nlh;
566 struct nfgenmsg *nfmsg;
568 event |= NFNL_SUBSYS_NFTABLES << 8;
569 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
571 goto nla_put_failure;
573 nfmsg = nlmsg_data(nlh);
574 nfmsg->nfgen_family = family;
575 nfmsg->version = NFNETLINK_V0;
578 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
579 goto nla_put_failure;
580 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
581 goto nla_put_failure;
582 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
583 goto nla_put_failure;
585 if (chain->flags & NFT_BASE_CHAIN) {
586 const struct nft_base_chain *basechain = nft_base_chain(chain);
587 const struct nf_hook_ops *ops = &basechain->ops;
590 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
592 goto nla_put_failure;
593 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
594 goto nla_put_failure;
595 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
596 goto nla_put_failure;
597 nla_nest_end(skb, nest);
599 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
600 htonl(basechain->policy)))
601 goto nla_put_failure;
603 if (nla_put_string(skb, NFTA_CHAIN_TYPE,
604 chain_type[ops->pf][nft_base_chain(chain)->type]->name))
605 goto nla_put_failure;
607 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
608 goto nla_put_failure;
611 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
612 goto nla_put_failure;
614 return nlmsg_end(skb, nlh);
617 nlmsg_trim(skb, nlh);
621 static int nf_tables_chain_notify(const struct sk_buff *oskb,
622 const struct nlmsghdr *nlh,
623 const struct nft_table *table,
624 const struct nft_chain *chain,
625 int event, int family)
628 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
629 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
630 u32 seq = nlh ? nlh->nlmsg_seq : 0;
634 report = nlh ? nlmsg_report(nlh) : false;
635 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
639 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
643 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
650 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
654 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
658 static int nf_tables_dump_chains(struct sk_buff *skb,
659 struct netlink_callback *cb)
661 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
662 const struct nft_af_info *afi;
663 const struct nft_table *table;
664 const struct nft_chain *chain;
665 unsigned int idx = 0, s_idx = cb->args[0];
666 int family = nfmsg->nfgen_family;
668 list_for_each_entry(afi, &nf_tables_afinfo, list) {
669 if (family != NFPROTO_UNSPEC && family != afi->family)
672 list_for_each_entry(table, &afi->tables, list) {
673 list_for_each_entry(chain, &table->chains, list) {
677 memset(&cb->args[1], 0,
678 sizeof(cb->args) - sizeof(cb->args[0]));
679 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
683 afi->family, table, chain) < 0)
696 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
697 const struct nlmsghdr *nlh,
698 const struct nlattr * const nla[])
700 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
701 const struct nft_af_info *afi;
702 const struct nft_table *table;
703 const struct nft_chain *chain;
704 struct sk_buff *skb2;
705 int family = nfmsg->nfgen_family;
708 if (nlh->nlmsg_flags & NLM_F_DUMP) {
709 struct netlink_dump_control c = {
710 .dump = nf_tables_dump_chains,
712 return netlink_dump_start(nlsk, skb, nlh, &c);
715 afi = nf_tables_afinfo_lookup(family, false);
719 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
721 return PTR_ERR(table);
723 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
725 return PTR_ERR(chain);
727 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
731 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
732 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
733 family, table, chain);
737 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
745 nf_tables_chain_policy(struct nft_base_chain *chain, const struct nlattr *attr)
747 switch (ntohl(nla_get_be32(attr))) {
749 chain->policy = NF_DROP;
752 chain->policy = NF_ACCEPT;
760 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
761 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
762 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
766 nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
768 struct nlattr *tb[NFTA_COUNTER_MAX+1];
769 struct nft_stats __percpu *newstats;
770 struct nft_stats *stats;
773 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
777 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
780 newstats = alloc_percpu(struct nft_stats);
781 if (newstats == NULL)
784 /* Restore old counters on this cpu, no problem. Per-cpu statistics
785 * are not exposed to userspace.
787 stats = this_cpu_ptr(newstats);
788 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
789 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
792 /* nfnl_lock is held, add some nfnl function for this, later */
793 struct nft_stats __percpu *oldstats =
794 rcu_dereference_protected(chain->stats, 1);
796 rcu_assign_pointer(chain->stats, newstats);
798 free_percpu(oldstats);
800 rcu_assign_pointer(chain->stats, newstats);
805 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
806 const struct nlmsghdr *nlh,
807 const struct nlattr * const nla[])
809 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
810 const struct nlattr * uninitialized_var(name);
811 const struct nft_af_info *afi;
812 struct nft_table *table;
813 struct nft_chain *chain;
814 struct nft_base_chain *basechain = NULL;
815 struct nlattr *ha[NFTA_HOOK_MAX + 1];
816 int family = nfmsg->nfgen_family;
821 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
823 afi = nf_tables_afinfo_lookup(family, true);
827 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
829 return PTR_ERR(table);
831 if (table->use == UINT_MAX)
835 name = nla[NFTA_CHAIN_NAME];
837 if (nla[NFTA_CHAIN_HANDLE]) {
838 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
839 chain = nf_tables_chain_lookup_byhandle(table, handle);
841 return PTR_ERR(chain);
843 chain = nf_tables_chain_lookup(table, name);
845 if (PTR_ERR(chain) != -ENOENT)
846 return PTR_ERR(chain);
852 if (nlh->nlmsg_flags & NLM_F_EXCL)
854 if (nlh->nlmsg_flags & NLM_F_REPLACE)
857 if (nla[NFTA_CHAIN_HANDLE] && name &&
858 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
861 if (nla[NFTA_CHAIN_POLICY]) {
862 if (!(chain->flags & NFT_BASE_CHAIN))
865 err = nf_tables_chain_policy(nft_base_chain(chain),
866 nla[NFTA_CHAIN_POLICY]);
871 if (nla[NFTA_CHAIN_COUNTERS]) {
872 if (!(chain->flags & NFT_BASE_CHAIN))
875 err = nf_tables_counters(nft_base_chain(chain),
876 nla[NFTA_CHAIN_COUNTERS]);
881 if (nla[NFTA_CHAIN_HANDLE] && name)
882 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
887 if (nla[NFTA_CHAIN_HOOK]) {
888 struct nf_hook_ops *ops;
891 int type = NFT_CHAIN_T_DEFAULT;
893 if (nla[NFTA_CHAIN_TYPE]) {
894 type = nf_tables_chain_type_lookup(afi,
895 nla[NFTA_CHAIN_TYPE],
901 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
905 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
906 ha[NFTA_HOOK_PRIORITY] == NULL)
909 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
910 if (hooknum >= afi->nhooks)
913 hookfn = chain_type[family][type]->fn[hooknum];
917 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
918 if (basechain == NULL)
921 basechain->type = type;
922 chain = &basechain->chain;
924 ops = &basechain->ops;
926 ops->owner = afi->owner;
927 ops->hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
928 ops->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
931 if (afi->hooks[ops->hooknum])
932 ops->hook = afi->hooks[ops->hooknum];
934 chain->flags |= NFT_BASE_CHAIN;
936 if (nla[NFTA_CHAIN_POLICY]) {
937 err = nf_tables_chain_policy(basechain,
938 nla[NFTA_CHAIN_POLICY]);
940 free_percpu(basechain->stats);
945 basechain->policy = NF_ACCEPT;
947 if (nla[NFTA_CHAIN_COUNTERS]) {
948 err = nf_tables_counters(basechain,
949 nla[NFTA_CHAIN_COUNTERS]);
951 free_percpu(basechain->stats);
956 struct nft_stats __percpu *newstats;
958 newstats = alloc_percpu(struct nft_stats);
959 if (newstats == NULL)
962 rcu_assign_pointer(nft_base_chain(chain)->stats,
966 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
971 INIT_LIST_HEAD(&chain->rules);
972 chain->handle = nf_tables_alloc_handle(table);
973 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
975 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
976 chain->flags & NFT_BASE_CHAIN) {
977 err = nf_register_hook(&nft_base_chain(chain)->ops);
979 free_percpu(basechain->stats);
984 list_add_tail(&chain->list, &table->chains);
987 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
992 static void nf_tables_rcu_chain_destroy(struct rcu_head *head)
994 struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head);
996 BUG_ON(chain->use > 0);
998 if (chain->flags & NFT_BASE_CHAIN) {
999 free_percpu(nft_base_chain(chain)->stats);
1000 kfree(nft_base_chain(chain));
1005 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1006 const struct nlmsghdr *nlh,
1007 const struct nlattr * const nla[])
1009 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1010 const struct nft_af_info *afi;
1011 struct nft_table *table;
1012 struct nft_chain *chain;
1013 int family = nfmsg->nfgen_family;
1015 afi = nf_tables_afinfo_lookup(family, false);
1017 return PTR_ERR(afi);
1019 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1021 return PTR_ERR(table);
1023 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1025 return PTR_ERR(chain);
1027 if (!list_empty(&chain->rules))
1030 list_del(&chain->list);
1033 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1034 chain->flags & NFT_BASE_CHAIN)
1035 nf_unregister_hook(&nft_base_chain(chain)->ops);
1037 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1040 /* Make sure all rule references are gone before this is released */
1041 call_rcu(&chain->rcu_head, nf_tables_rcu_chain_destroy);
1045 static void nft_ctx_init(struct nft_ctx *ctx,
1046 const struct sk_buff *skb,
1047 const struct nlmsghdr *nlh,
1048 const struct nft_af_info *afi,
1049 const struct nft_table *table,
1050 const struct nft_chain *chain,
1051 const struct nlattr * const *nla)
1066 * nft_register_expr - register nf_tables expr type
1069 * Registers the expr type for use with nf_tables. Returns zero on
1070 * success or a negative errno code otherwise.
1072 int nft_register_expr(struct nft_expr_type *type)
1074 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1075 list_add_tail(&type->list, &nf_tables_expressions);
1076 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1079 EXPORT_SYMBOL_GPL(nft_register_expr);
1082 * nft_unregister_expr - unregister nf_tables expr type
1085 * Unregisters the expr typefor use with nf_tables.
1087 void nft_unregister_expr(struct nft_expr_type *type)
1089 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1090 list_del(&type->list);
1091 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1093 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1095 static const struct nft_expr_type *__nft_expr_type_get(struct nlattr *nla)
1097 const struct nft_expr_type *type;
1099 list_for_each_entry(type, &nf_tables_expressions, list) {
1100 if (!nla_strcmp(nla, type->name))
1106 static const struct nft_expr_type *nft_expr_type_get(struct nlattr *nla)
1108 const struct nft_expr_type *type;
1111 return ERR_PTR(-EINVAL);
1113 type = __nft_expr_type_get(nla);
1114 if (type != NULL && try_module_get(type->owner))
1117 #ifdef CONFIG_MODULES
1119 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1120 request_module("nft-expr-%.*s",
1121 nla_len(nla), (char *)nla_data(nla));
1122 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1123 if (__nft_expr_type_get(nla))
1124 return ERR_PTR(-EAGAIN);
1127 return ERR_PTR(-ENOENT);
1130 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1131 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1132 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1135 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1136 const struct nft_expr *expr)
1138 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1139 goto nla_put_failure;
1141 if (expr->ops->dump) {
1142 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1144 goto nla_put_failure;
1145 if (expr->ops->dump(skb, expr) < 0)
1146 goto nla_put_failure;
1147 nla_nest_end(skb, data);
1156 struct nft_expr_info {
1157 const struct nft_expr_ops *ops;
1158 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1161 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1162 const struct nlattr *nla,
1163 struct nft_expr_info *info)
1165 const struct nft_expr_type *type;
1166 const struct nft_expr_ops *ops;
1167 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1170 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1174 type = nft_expr_type_get(tb[NFTA_EXPR_NAME]);
1176 return PTR_ERR(type);
1178 if (tb[NFTA_EXPR_DATA]) {
1179 err = nla_parse_nested(info->tb, type->maxattr,
1180 tb[NFTA_EXPR_DATA], type->policy);
1184 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1186 if (type->select_ops != NULL) {
1187 ops = type->select_ops(ctx,
1188 (const struct nlattr * const *)info->tb);
1200 module_put(type->owner);
1204 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1205 const struct nft_expr_info *info,
1206 struct nft_expr *expr)
1208 const struct nft_expr_ops *ops = info->ops;
1213 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1225 static void nf_tables_expr_destroy(struct nft_expr *expr)
1227 if (expr->ops->destroy)
1228 expr->ops->destroy(expr);
1229 module_put(expr->ops->type->owner);
1236 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1239 struct nft_rule *rule;
1241 // FIXME: this sucks
1242 list_for_each_entry(rule, &chain->rules, list) {
1243 if (handle == rule->handle)
1247 return ERR_PTR(-ENOENT);
1250 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1251 const struct nlattr *nla)
1254 return ERR_PTR(-EINVAL);
1256 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1259 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1260 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1261 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1262 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1263 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1264 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1265 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1268 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1269 int event, u32 flags, int family,
1270 const struct nft_table *table,
1271 const struct nft_chain *chain,
1272 const struct nft_rule *rule)
1274 struct nlmsghdr *nlh;
1275 struct nfgenmsg *nfmsg;
1276 const struct nft_expr *expr, *next;
1277 struct nlattr *list;
1279 event |= NFNL_SUBSYS_NFTABLES << 8;
1280 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
1283 goto nla_put_failure;
1285 nfmsg = nlmsg_data(nlh);
1286 nfmsg->nfgen_family = family;
1287 nfmsg->version = NFNETLINK_V0;
1290 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1291 goto nla_put_failure;
1292 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1293 goto nla_put_failure;
1294 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1295 goto nla_put_failure;
1297 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1299 goto nla_put_failure;
1300 nft_rule_for_each_expr(expr, next, rule) {
1301 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1303 goto nla_put_failure;
1304 if (nf_tables_fill_expr_info(skb, expr) < 0)
1305 goto nla_put_failure;
1306 nla_nest_end(skb, elem);
1308 nla_nest_end(skb, list);
1310 return nlmsg_end(skb, nlh);
1313 nlmsg_trim(skb, nlh);
1317 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1318 const struct nlmsghdr *nlh,
1319 const struct nft_table *table,
1320 const struct nft_chain *chain,
1321 const struct nft_rule *rule,
1322 int event, u32 flags, int family)
1324 struct sk_buff *skb;
1325 u32 portid = NETLINK_CB(oskb).portid;
1326 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1327 u32 seq = nlh->nlmsg_seq;
1331 report = nlmsg_report(nlh);
1332 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1336 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1340 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1341 family, table, chain, rule);
1347 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1351 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1355 static int nf_tables_dump_rules(struct sk_buff *skb,
1356 struct netlink_callback *cb)
1358 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1359 const struct nft_af_info *afi;
1360 const struct nft_table *table;
1361 const struct nft_chain *chain;
1362 const struct nft_rule *rule;
1363 unsigned int idx = 0, s_idx = cb->args[0];
1364 int family = nfmsg->nfgen_family;
1366 list_for_each_entry(afi, &nf_tables_afinfo, list) {
1367 if (family != NFPROTO_UNSPEC && family != afi->family)
1370 list_for_each_entry(table, &afi->tables, list) {
1371 list_for_each_entry(chain, &table->chains, list) {
1372 list_for_each_entry(rule, &chain->rules, list) {
1376 memset(&cb->args[1], 0,
1377 sizeof(cb->args) - sizeof(cb->args[0]));
1378 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1381 NLM_F_MULTI | NLM_F_APPEND,
1382 afi->family, table, chain, rule) < 0)
1395 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1396 const struct nlmsghdr *nlh,
1397 const struct nlattr * const nla[])
1399 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1400 const struct nft_af_info *afi;
1401 const struct nft_table *table;
1402 const struct nft_chain *chain;
1403 const struct nft_rule *rule;
1404 struct sk_buff *skb2;
1405 int family = nfmsg->nfgen_family;
1408 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1409 struct netlink_dump_control c = {
1410 .dump = nf_tables_dump_rules,
1412 return netlink_dump_start(nlsk, skb, nlh, &c);
1415 afi = nf_tables_afinfo_lookup(family, false);
1417 return PTR_ERR(afi);
1419 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1421 return PTR_ERR(table);
1423 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1425 return PTR_ERR(chain);
1427 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1429 return PTR_ERR(rule);
1431 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1435 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1436 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1437 family, table, chain, rule);
1441 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1448 static void nf_tables_rcu_rule_destroy(struct rcu_head *head)
1450 struct nft_rule *rule = container_of(head, struct nft_rule, rcu_head);
1451 struct nft_expr *expr;
1454 * Careful: some expressions might not be initialized in case this
1455 * is called on error from nf_tables_newrule().
1457 expr = nft_expr_first(rule);
1458 while (expr->ops && expr != nft_expr_last(rule)) {
1459 nf_tables_expr_destroy(expr);
1460 expr = nft_expr_next(expr);
1465 static void nf_tables_rule_destroy(struct nft_rule *rule)
1467 call_rcu(&rule->rcu_head, nf_tables_rcu_rule_destroy);
1470 #define NFT_RULE_MAXEXPRS 128
1472 static struct nft_expr_info *info;
1474 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1475 const struct nlmsghdr *nlh,
1476 const struct nlattr * const nla[])
1478 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1479 const struct nft_af_info *afi;
1480 struct nft_table *table;
1481 struct nft_chain *chain;
1482 struct nft_rule *rule, *old_rule = NULL;
1483 struct nft_expr *expr;
1486 unsigned int size, i, n;
1491 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1493 afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, create);
1495 return PTR_ERR(afi);
1497 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1499 return PTR_ERR(table);
1501 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1503 return PTR_ERR(chain);
1505 if (nla[NFTA_RULE_HANDLE]) {
1506 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1507 rule = __nf_tables_rule_lookup(chain, handle);
1509 return PTR_ERR(rule);
1511 if (nlh->nlmsg_flags & NLM_F_EXCL)
1513 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1518 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1520 handle = nf_tables_alloc_handle(table);
1523 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1527 if (nla[NFTA_RULE_EXPRESSIONS]) {
1528 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1530 if (nla_type(tmp) != NFTA_LIST_ELEM)
1532 if (n == NFT_RULE_MAXEXPRS)
1534 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1537 size += info[n].ops->size;
1543 rule = kzalloc(sizeof(*rule) + size, GFP_KERNEL);
1547 rule->handle = handle;
1550 expr = nft_expr_first(rule);
1551 for (i = 0; i < n; i++) {
1552 err = nf_tables_newexpr(&ctx, &info[i], expr);
1556 expr = nft_expr_next(expr);
1559 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1560 list_replace_rcu(&old_rule->list, &rule->list);
1561 nf_tables_rule_destroy(old_rule);
1562 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1563 list_add_tail_rcu(&rule->list, &chain->rules);
1565 list_add_rcu(&rule->list, &chain->rules);
1567 nf_tables_rule_notify(skb, nlh, table, chain, rule, NFT_MSG_NEWRULE,
1568 nlh->nlmsg_flags & (NLM_F_APPEND | NLM_F_REPLACE),
1569 nfmsg->nfgen_family);
1573 nf_tables_rule_destroy(rule);
1575 for (i = 0; i < n; i++) {
1576 if (info[i].ops != NULL)
1577 module_put(info[i].ops->type->owner);
1582 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1583 const struct nlmsghdr *nlh,
1584 const struct nlattr * const nla[])
1586 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1587 const struct nft_af_info *afi;
1588 const struct nft_table *table;
1589 struct nft_chain *chain;
1590 struct nft_rule *rule, *tmp;
1591 int family = nfmsg->nfgen_family;
1593 afi = nf_tables_afinfo_lookup(family, false);
1595 return PTR_ERR(afi);
1597 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1599 return PTR_ERR(table);
1601 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1603 return PTR_ERR(chain);
1605 if (nla[NFTA_RULE_HANDLE]) {
1606 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1608 return PTR_ERR(rule);
1610 /* List removal must be visible before destroying expressions */
1611 list_del_rcu(&rule->list);
1613 nf_tables_rule_notify(skb, nlh, table, chain, rule,
1614 NFT_MSG_DELRULE, 0, family);
1615 nf_tables_rule_destroy(rule);
1617 /* Remove all rules in this chain */
1618 list_for_each_entry_safe(rule, tmp, &chain->rules, list) {
1619 list_del_rcu(&rule->list);
1621 nf_tables_rule_notify(skb, nlh, table, chain, rule,
1622 NFT_MSG_DELRULE, 0, family);
1623 nf_tables_rule_destroy(rule);
1634 static LIST_HEAD(nf_tables_set_ops);
1636 int nft_register_set(struct nft_set_ops *ops)
1638 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1639 list_add_tail(&ops->list, &nf_tables_set_ops);
1640 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1643 EXPORT_SYMBOL_GPL(nft_register_set);
1645 void nft_unregister_set(struct nft_set_ops *ops)
1647 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1648 list_del(&ops->list);
1649 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1651 EXPORT_SYMBOL_GPL(nft_unregister_set);
1653 static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const nla[])
1655 const struct nft_set_ops *ops;
1658 #ifdef CONFIG_MODULES
1659 if (list_empty(&nf_tables_set_ops)) {
1660 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1661 request_module("nft-set");
1662 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1663 if (!list_empty(&nf_tables_set_ops))
1664 return ERR_PTR(-EAGAIN);
1668 if (nla[NFTA_SET_FLAGS] != NULL) {
1669 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1670 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1673 // FIXME: implement selection properly
1674 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1675 if ((ops->features & features) != features)
1677 if (!try_module_get(ops->owner))
1682 return ERR_PTR(-EOPNOTSUPP);
1685 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1686 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1687 [NFTA_SET_NAME] = { .type = NLA_STRING },
1688 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1689 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1690 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1691 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1692 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1695 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1696 const struct sk_buff *skb,
1697 const struct nlmsghdr *nlh,
1698 const struct nlattr * const nla[])
1700 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1701 const struct nft_af_info *afi;
1702 const struct nft_table *table = NULL;
1704 afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, false);
1706 return PTR_ERR(afi);
1708 if (nla[NFTA_SET_TABLE] != NULL) {
1709 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
1711 return PTR_ERR(table);
1714 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
1718 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1719 const struct nlattr *nla)
1721 struct nft_set *set;
1724 return ERR_PTR(-EINVAL);
1726 list_for_each_entry(set, &table->sets, list) {
1727 if (!nla_strcmp(nla, set->name))
1730 return ERR_PTR(-ENOENT);
1733 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
1736 const struct nft_set *i;
1738 unsigned long *inuse;
1741 p = strnchr(name, IFNAMSIZ, '%');
1743 if (p[1] != 'd' || strchr(p + 2, '%'))
1746 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
1750 list_for_each_entry(i, &ctx->table->sets, list) {
1751 if (!sscanf(i->name, name, &n))
1753 if (n < 0 || n > BITS_PER_LONG * PAGE_SIZE)
1758 n = find_first_zero_bit(inuse, BITS_PER_LONG * PAGE_SIZE);
1759 free_page((unsigned long)inuse);
1762 snprintf(set->name, sizeof(set->name), name, n);
1763 list_for_each_entry(i, &ctx->table->sets, list) {
1764 if (!strcmp(set->name, i->name))
1770 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
1771 const struct nft_set *set, u16 event, u16 flags)
1773 struct nfgenmsg *nfmsg;
1774 struct nlmsghdr *nlh;
1775 u32 portid = NETLINK_CB(ctx->skb).portid;
1776 u32 seq = ctx->nlh->nlmsg_seq;
1778 event |= NFNL_SUBSYS_NFTABLES << 8;
1779 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
1782 goto nla_put_failure;
1784 nfmsg = nlmsg_data(nlh);
1785 nfmsg->nfgen_family = ctx->afi->family;
1786 nfmsg->version = NFNETLINK_V0;
1789 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
1790 goto nla_put_failure;
1791 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
1792 goto nla_put_failure;
1793 if (set->flags != 0)
1794 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
1795 goto nla_put_failure;
1797 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
1798 goto nla_put_failure;
1799 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
1800 goto nla_put_failure;
1801 if (set->flags & NFT_SET_MAP) {
1802 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
1803 goto nla_put_failure;
1804 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
1805 goto nla_put_failure;
1808 return nlmsg_end(skb, nlh);
1811 nlmsg_trim(skb, nlh);
1815 static int nf_tables_set_notify(const struct nft_ctx *ctx,
1816 const struct nft_set *set,
1819 struct sk_buff *skb;
1820 u32 portid = NETLINK_CB(ctx->skb).portid;
1821 struct net *net = sock_net(ctx->skb->sk);
1825 report = nlmsg_report(ctx->nlh);
1826 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1830 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1834 err = nf_tables_fill_set(skb, ctx, set, event, 0);
1840 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1844 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1848 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
1849 struct netlink_callback *cb)
1851 const struct nft_set *set;
1852 unsigned int idx = 0, s_idx = cb->args[0];
1857 list_for_each_entry(set, &ctx->table->sets, list) {
1860 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
1873 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
1874 struct netlink_callback *cb)
1876 const struct nft_set *set;
1877 unsigned int idx = 0, s_idx = cb->args[0];
1878 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
1883 list_for_each_entry(table, &ctx->afi->tables, list) {
1884 if (cur_table && cur_table != table)
1888 list_for_each_entry(set, &ctx->table->sets, list) {
1891 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
1894 cb->args[2] = (unsigned long) table;
1906 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
1908 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1909 struct nlattr *nla[NFTA_SET_MAX + 1];
1913 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
1918 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
1922 if (ctx.table == NULL)
1923 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
1925 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
1930 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
1931 const struct nlmsghdr *nlh,
1932 const struct nlattr * const nla[])
1934 const struct nft_set *set;
1936 struct sk_buff *skb2;
1939 /* Verify existance before starting dump */
1940 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
1944 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1945 struct netlink_dump_control c = {
1946 .dump = nf_tables_dump_sets,
1948 return netlink_dump_start(nlsk, skb, nlh, &c);
1951 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
1953 return PTR_ERR(set);
1955 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1959 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
1963 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1970 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
1971 const struct nlmsghdr *nlh,
1972 const struct nlattr * const nla[])
1974 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1975 const struct nft_set_ops *ops;
1976 const struct nft_af_info *afi;
1977 struct nft_table *table;
1978 struct nft_set *set;
1980 char name[IFNAMSIZ];
1983 u32 ktype, klen, dlen, dtype, flags;
1986 if (nla[NFTA_SET_TABLE] == NULL ||
1987 nla[NFTA_SET_NAME] == NULL ||
1988 nla[NFTA_SET_KEY_LEN] == NULL)
1991 ktype = NFT_DATA_VALUE;
1992 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
1993 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
1994 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
1998 klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
1999 if (klen == 0 || klen > FIELD_SIZEOF(struct nft_data, data))
2003 if (nla[NFTA_SET_FLAGS] != NULL) {
2004 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2005 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2006 NFT_SET_INTERVAL | NFT_SET_MAP))
2012 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2013 if (!(flags & NFT_SET_MAP))
2016 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2017 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2018 dtype != NFT_DATA_VERDICT)
2021 if (dtype != NFT_DATA_VERDICT) {
2022 if (nla[NFTA_SET_DATA_LEN] == NULL)
2024 dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2026 dlen > FIELD_SIZEOF(struct nft_data, data))
2029 dlen = sizeof(struct nft_data);
2030 } else if (flags & NFT_SET_MAP)
2033 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2035 afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, create);
2037 return PTR_ERR(afi);
2039 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2041 return PTR_ERR(table);
2043 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2045 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2047 if (PTR_ERR(set) != -ENOENT)
2048 return PTR_ERR(set);
2053 if (nlh->nlmsg_flags & NLM_F_EXCL)
2055 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2060 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2063 ops = nft_select_set_ops(nla);
2065 return PTR_ERR(ops);
2068 if (ops->privsize != NULL)
2069 size = ops->privsize(nla);
2072 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2076 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2077 err = nf_tables_set_alloc_name(&ctx, set, name);
2081 INIT_LIST_HEAD(&set->bindings);
2089 err = ops->init(set, nla);
2093 list_add_tail(&set->list, &table->sets);
2094 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2100 module_put(ops->owner);
2104 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2106 list_del(&set->list);
2107 if (!(set->flags & NFT_SET_ANONYMOUS))
2108 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2110 set->ops->destroy(set);
2111 module_put(set->ops->owner);
2115 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2116 const struct nlmsghdr *nlh,
2117 const struct nlattr * const nla[])
2119 struct nft_set *set;
2123 if (nla[NFTA_SET_TABLE] == NULL)
2126 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2130 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2132 return PTR_ERR(set);
2133 if (!list_empty(&set->bindings))
2136 nf_tables_set_destroy(&ctx, set);
2140 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2141 const struct nft_set *set,
2142 const struct nft_set_iter *iter,
2143 const struct nft_set_elem *elem)
2145 enum nft_registers dreg;
2147 dreg = nft_type_to_reg(set->dtype);
2148 return nft_validate_data_load(ctx, dreg, &elem->data, set->dtype);
2151 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2152 struct nft_set_binding *binding)
2154 struct nft_set_binding *i;
2155 struct nft_set_iter iter;
2157 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2160 if (set->flags & NFT_SET_MAP) {
2161 /* If the set is already bound to the same chain all
2162 * jumps are already validated for that chain.
2164 list_for_each_entry(i, &set->bindings, list) {
2165 if (i->chain == binding->chain)
2172 iter.fn = nf_tables_bind_check_setelem;
2174 set->ops->walk(ctx, set, &iter);
2176 /* Destroy anonymous sets if binding fails */
2177 if (set->flags & NFT_SET_ANONYMOUS)
2178 nf_tables_set_destroy(ctx, set);
2184 binding->chain = ctx->chain;
2185 list_add_tail(&binding->list, &set->bindings);
2189 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2190 struct nft_set_binding *binding)
2192 list_del(&binding->list);
2194 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2195 nf_tables_set_destroy(ctx, set);
2202 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2203 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2204 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2205 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2208 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2209 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2210 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2211 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2214 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2215 const struct sk_buff *skb,
2216 const struct nlmsghdr *nlh,
2217 const struct nlattr * const nla[])
2219 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2220 const struct nft_af_info *afi;
2221 const struct nft_table *table;
2223 afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, false);
2225 return PTR_ERR(afi);
2227 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2229 return PTR_ERR(table);
2231 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2235 static int nf_tables_fill_setelem(struct sk_buff *skb,
2236 const struct nft_set *set,
2237 const struct nft_set_elem *elem)
2239 unsigned char *b = skb_tail_pointer(skb);
2240 struct nlattr *nest;
2242 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2244 goto nla_put_failure;
2246 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2248 goto nla_put_failure;
2250 if (set->flags & NFT_SET_MAP &&
2251 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2252 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2253 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2255 goto nla_put_failure;
2257 if (elem->flags != 0)
2258 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2259 goto nla_put_failure;
2261 nla_nest_end(skb, nest);
2269 struct nft_set_dump_args {
2270 const struct netlink_callback *cb;
2271 struct nft_set_iter iter;
2272 struct sk_buff *skb;
2275 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2276 const struct nft_set *set,
2277 const struct nft_set_iter *iter,
2278 const struct nft_set_elem *elem)
2280 struct nft_set_dump_args *args;
2282 args = container_of(iter, struct nft_set_dump_args, iter);
2283 return nf_tables_fill_setelem(args->skb, set, elem);
2286 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2288 const struct nft_set *set;
2289 struct nft_set_dump_args args;
2291 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2292 struct nfgenmsg *nfmsg;
2293 struct nlmsghdr *nlh;
2294 struct nlattr *nest;
2298 nfmsg = nlmsg_data(cb->nlh);
2299 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_ELEM_LIST_MAX,
2300 nft_set_elem_list_policy);
2304 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2308 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2310 return PTR_ERR(set);
2312 event = NFT_MSG_NEWSETELEM;
2313 event |= NFNL_SUBSYS_NFTABLES << 8;
2314 portid = NETLINK_CB(cb->skb).portid;
2315 seq = cb->nlh->nlmsg_seq;
2317 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2320 goto nla_put_failure;
2322 nfmsg = nlmsg_data(nlh);
2323 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2324 nfmsg->version = NFNETLINK_V0;
2327 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2328 goto nla_put_failure;
2329 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2330 goto nla_put_failure;
2332 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2334 goto nla_put_failure;
2338 args.iter.skip = cb->args[0];
2339 args.iter.count = 0;
2341 args.iter.fn = nf_tables_dump_setelem;
2342 set->ops->walk(&ctx, set, &args.iter);
2344 nla_nest_end(skb, nest);
2345 nlmsg_end(skb, nlh);
2347 if (args.iter.err && args.iter.err != -EMSGSIZE)
2348 return args.iter.err;
2349 if (args.iter.count == cb->args[0])
2352 cb->args[0] = args.iter.count;
2359 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2360 const struct nlmsghdr *nlh,
2361 const struct nlattr * const nla[])
2363 const struct nft_set *set;
2367 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2371 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2373 return PTR_ERR(set);
2375 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2376 struct netlink_dump_control c = {
2377 .dump = nf_tables_dump_set,
2379 return netlink_dump_start(nlsk, skb, nlh, &c);
2384 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2385 const struct nlattr *attr)
2387 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2388 struct nft_data_desc d1, d2;
2389 struct nft_set_elem elem;
2390 struct nft_set_binding *binding;
2391 enum nft_registers dreg;
2394 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2395 nft_set_elem_policy);
2399 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2403 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2404 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2405 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2409 if (set->flags & NFT_SET_MAP) {
2410 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2411 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2414 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2418 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2422 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2426 if (set->ops->get(set, &elem) == 0)
2429 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2430 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2435 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2438 dreg = nft_type_to_reg(set->dtype);
2439 list_for_each_entry(binding, &set->bindings, list) {
2440 struct nft_ctx bind_ctx = {
2442 .table = ctx->table,
2443 .chain = binding->chain,
2446 err = nft_validate_data_load(&bind_ctx, dreg,
2447 &elem.data, d2.type);
2453 err = set->ops->insert(set, &elem);
2460 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2461 nft_data_uninit(&elem.data, d2.type);
2463 nft_data_uninit(&elem.key, d1.type);
2468 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2469 const struct nlmsghdr *nlh,
2470 const struct nlattr * const nla[])
2472 const struct nlattr *attr;
2473 struct nft_set *set;
2477 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2481 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2483 return PTR_ERR(set);
2484 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2487 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2488 err = nft_add_set_elem(&ctx, set, attr);
2495 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2496 const struct nlattr *attr)
2498 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2499 struct nft_data_desc desc;
2500 struct nft_set_elem elem;
2503 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2504 nft_set_elem_policy);
2509 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2512 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2517 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2520 err = set->ops->get(set, &elem);
2524 set->ops->remove(set, &elem);
2526 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2527 if (set->flags & NFT_SET_MAP)
2528 nft_data_uninit(&elem.data, set->dtype);
2531 nft_data_uninit(&elem.key, desc.type);
2536 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2537 const struct nlmsghdr *nlh,
2538 const struct nlattr * const nla[])
2540 const struct nlattr *attr;
2541 struct nft_set *set;
2545 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2549 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2551 return PTR_ERR(set);
2552 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2555 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2556 err = nft_del_setelem(&ctx, set, attr);
2563 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
2564 [NFT_MSG_NEWTABLE] = {
2565 .call = nf_tables_newtable,
2566 .attr_count = NFTA_TABLE_MAX,
2567 .policy = nft_table_policy,
2569 [NFT_MSG_GETTABLE] = {
2570 .call = nf_tables_gettable,
2571 .attr_count = NFTA_TABLE_MAX,
2572 .policy = nft_table_policy,
2574 [NFT_MSG_DELTABLE] = {
2575 .call = nf_tables_deltable,
2576 .attr_count = NFTA_TABLE_MAX,
2577 .policy = nft_table_policy,
2579 [NFT_MSG_NEWCHAIN] = {
2580 .call = nf_tables_newchain,
2581 .attr_count = NFTA_CHAIN_MAX,
2582 .policy = nft_chain_policy,
2584 [NFT_MSG_GETCHAIN] = {
2585 .call = nf_tables_getchain,
2586 .attr_count = NFTA_CHAIN_MAX,
2587 .policy = nft_chain_policy,
2589 [NFT_MSG_DELCHAIN] = {
2590 .call = nf_tables_delchain,
2591 .attr_count = NFTA_CHAIN_MAX,
2592 .policy = nft_chain_policy,
2594 [NFT_MSG_NEWRULE] = {
2595 .call = nf_tables_newrule,
2596 .attr_count = NFTA_RULE_MAX,
2597 .policy = nft_rule_policy,
2599 [NFT_MSG_GETRULE] = {
2600 .call = nf_tables_getrule,
2601 .attr_count = NFTA_RULE_MAX,
2602 .policy = nft_rule_policy,
2604 [NFT_MSG_DELRULE] = {
2605 .call = nf_tables_delrule,
2606 .attr_count = NFTA_RULE_MAX,
2607 .policy = nft_rule_policy,
2609 [NFT_MSG_NEWSET] = {
2610 .call = nf_tables_newset,
2611 .attr_count = NFTA_SET_MAX,
2612 .policy = nft_set_policy,
2614 [NFT_MSG_GETSET] = {
2615 .call = nf_tables_getset,
2616 .attr_count = NFTA_SET_MAX,
2617 .policy = nft_set_policy,
2619 [NFT_MSG_DELSET] = {
2620 .call = nf_tables_delset,
2621 .attr_count = NFTA_SET_MAX,
2622 .policy = nft_set_policy,
2624 [NFT_MSG_NEWSETELEM] = {
2625 .call = nf_tables_newsetelem,
2626 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2627 .policy = nft_set_elem_list_policy,
2629 [NFT_MSG_GETSETELEM] = {
2630 .call = nf_tables_getsetelem,
2631 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2632 .policy = nft_set_elem_list_policy,
2634 [NFT_MSG_DELSETELEM] = {
2635 .call = nf_tables_delsetelem,
2636 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2637 .policy = nft_set_elem_list_policy,
2641 static const struct nfnetlink_subsystem nf_tables_subsys = {
2642 .name = "nf_tables",
2643 .subsys_id = NFNL_SUBSYS_NFTABLES,
2644 .cb_count = NFT_MSG_MAX,
2649 * Loop detection - walk through the ruleset beginning at the destination chain
2650 * of a new jump until either the source chain is reached (loop) or all
2651 * reachable chains have been traversed.
2653 * The loop check is performed whenever a new jump verdict is added to an
2654 * expression or verdict map or a verdict map is bound to a new chain.
2657 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2658 const struct nft_chain *chain);
2660 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
2661 const struct nft_set *set,
2662 const struct nft_set_iter *iter,
2663 const struct nft_set_elem *elem)
2665 switch (elem->data.verdict) {
2668 return nf_tables_check_loops(ctx, elem->data.chain);
2674 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2675 const struct nft_chain *chain)
2677 const struct nft_rule *rule;
2678 const struct nft_expr *expr, *last;
2679 const struct nft_set *set;
2680 struct nft_set_binding *binding;
2681 struct nft_set_iter iter;
2683 if (ctx->chain == chain)
2686 list_for_each_entry(rule, &chain->rules, list) {
2687 nft_rule_for_each_expr(expr, last, rule) {
2688 const struct nft_data *data = NULL;
2691 if (!expr->ops->validate)
2694 err = expr->ops->validate(ctx, expr, &data);
2701 switch (data->verdict) {
2704 err = nf_tables_check_loops(ctx, data->chain);
2713 list_for_each_entry(set, &ctx->table->sets, list) {
2714 if (!(set->flags & NFT_SET_MAP) ||
2715 set->dtype != NFT_DATA_VERDICT)
2718 list_for_each_entry(binding, &set->bindings, list) {
2719 if (binding->chain != chain)
2725 iter.fn = nf_tables_loop_check_setelem;
2727 set->ops->walk(ctx, set, &iter);
2737 * nft_validate_input_register - validate an expressions' input register
2739 * @reg: the register number
2741 * Validate that the input register is one of the general purpose
2744 int nft_validate_input_register(enum nft_registers reg)
2746 if (reg <= NFT_REG_VERDICT)
2748 if (reg > NFT_REG_MAX)
2752 EXPORT_SYMBOL_GPL(nft_validate_input_register);
2755 * nft_validate_output_register - validate an expressions' output register
2757 * @reg: the register number
2759 * Validate that the output register is one of the general purpose
2760 * registers or the verdict register.
2762 int nft_validate_output_register(enum nft_registers reg)
2764 if (reg < NFT_REG_VERDICT)
2766 if (reg > NFT_REG_MAX)
2770 EXPORT_SYMBOL_GPL(nft_validate_output_register);
2773 * nft_validate_data_load - validate an expressions' data load
2775 * @ctx: context of the expression performing the load
2776 * @reg: the destination register number
2777 * @data: the data to load
2778 * @type: the data type
2780 * Validate that a data load uses the appropriate data type for
2781 * the destination register. A value of NULL for the data means
2782 * that its runtime gathered data, which is always of type
2785 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
2786 const struct nft_data *data,
2787 enum nft_data_types type)
2792 case NFT_REG_VERDICT:
2793 if (data == NULL || type != NFT_DATA_VERDICT)
2796 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
2797 err = nf_tables_check_loops(ctx, data->chain);
2801 if (ctx->chain->level + 1 > data->chain->level) {
2802 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
2804 data->chain->level = ctx->chain->level + 1;
2810 if (data != NULL && type != NFT_DATA_VALUE)
2815 EXPORT_SYMBOL_GPL(nft_validate_data_load);
2817 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
2818 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
2819 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
2820 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2823 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
2824 struct nft_data_desc *desc, const struct nlattr *nla)
2826 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
2827 struct nft_chain *chain;
2830 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
2834 if (!tb[NFTA_VERDICT_CODE])
2836 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
2838 switch (data->verdict) {
2845 desc->len = sizeof(data->verdict);
2849 if (!tb[NFTA_VERDICT_CHAIN])
2851 chain = nf_tables_chain_lookup(ctx->table,
2852 tb[NFTA_VERDICT_CHAIN]);
2854 return PTR_ERR(chain);
2855 if (chain->flags & NFT_BASE_CHAIN)
2859 data->chain = chain;
2860 desc->len = sizeof(data);
2866 desc->type = NFT_DATA_VERDICT;
2870 static void nft_verdict_uninit(const struct nft_data *data)
2872 switch (data->verdict) {
2880 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
2882 struct nlattr *nest;
2884 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
2886 goto nla_put_failure;
2888 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
2889 goto nla_put_failure;
2891 switch (data->verdict) {
2894 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
2895 goto nla_put_failure;
2897 nla_nest_end(skb, nest);
2904 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
2905 struct nft_data_desc *desc, const struct nlattr *nla)
2912 if (len > sizeof(data->data))
2915 nla_memcpy(data->data, nla, sizeof(data->data));
2916 desc->type = NFT_DATA_VALUE;
2921 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
2924 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
2927 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
2928 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
2929 .len = FIELD_SIZEOF(struct nft_data, data) },
2930 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
2934 * nft_data_init - parse nf_tables data netlink attributes
2936 * @ctx: context of the expression using the data
2937 * @data: destination struct nft_data
2938 * @desc: data description
2939 * @nla: netlink attribute containing data
2941 * Parse the netlink data attributes and initialize a struct nft_data.
2942 * The type and length of data are returned in the data description.
2944 * The caller can indicate that it only wants to accept data of type
2945 * NFT_DATA_VALUE by passing NULL for the ctx argument.
2947 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
2948 struct nft_data_desc *desc, const struct nlattr *nla)
2950 struct nlattr *tb[NFTA_DATA_MAX + 1];
2953 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
2957 if (tb[NFTA_DATA_VALUE])
2958 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
2959 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
2960 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
2963 EXPORT_SYMBOL_GPL(nft_data_init);
2966 * nft_data_uninit - release a nft_data item
2968 * @data: struct nft_data to release
2969 * @type: type of data
2971 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
2972 * all others need to be released by calling this function.
2974 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
2977 case NFT_DATA_VALUE:
2979 case NFT_DATA_VERDICT:
2980 return nft_verdict_uninit(data);
2985 EXPORT_SYMBOL_GPL(nft_data_uninit);
2987 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
2988 enum nft_data_types type, unsigned int len)
2990 struct nlattr *nest;
2993 nest = nla_nest_start(skb, attr);
2998 case NFT_DATA_VALUE:
2999 err = nft_value_dump(skb, data, len);
3001 case NFT_DATA_VERDICT:
3002 err = nft_verdict_dump(skb, data);
3009 nla_nest_end(skb, nest);
3012 EXPORT_SYMBOL_GPL(nft_data_dump);
3014 static int __init nf_tables_module_init(void)
3018 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3025 err = nf_tables_core_module_init();
3029 err = nfnetlink_subsys_register(&nf_tables_subsys);
3033 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3036 nf_tables_core_module_exit();
3043 static void __exit nf_tables_module_exit(void)
3045 nfnetlink_subsys_unregister(&nf_tables_subsys);
3046 nf_tables_core_module_exit();
3050 module_init(nf_tables_module_init);
3051 module_exit(nf_tables_module_exit);
3053 MODULE_LICENSE("GPL");
3054 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3055 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / platform / adaptation / renesas_rcar / renesas_kernel.git / blob