1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
27 static LIST_HEAD(nf_tables_flowtables);
28 static LIST_HEAD(nf_tables_destroy_list);
29 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
30 static u64 table_handle;
33 NFT_VALIDATE_SKIP = 0,
38 static struct rhltable nft_objname_ht;
40 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
41 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
42 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
44 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static const struct rhashtable_params nft_chain_ht_params = {
49 .head_offset = offsetof(struct nft_chain, rhlhead),
50 .key_offset = offsetof(struct nft_chain, name),
51 .hashfn = nft_chain_hash,
52 .obj_hashfn = nft_chain_hash_obj,
53 .obj_cmpfn = nft_chain_hash_cmp,
54 .automatic_shrinking = true,
57 static const struct rhashtable_params nft_objname_ht_params = {
58 .head_offset = offsetof(struct nft_object, rhlhead),
59 .key_offset = offsetof(struct nft_object, key),
60 .hashfn = nft_objname_hash,
61 .obj_hashfn = nft_objname_hash_obj,
62 .obj_cmpfn = nft_objname_hash_cmp,
63 .automatic_shrinking = true,
66 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
68 switch (net->nft.validate_state) {
69 case NFT_VALIDATE_SKIP:
70 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
72 case NFT_VALIDATE_NEED:
75 if (new_validate_state == NFT_VALIDATE_NEED)
79 net->nft.validate_state = new_validate_state;
81 static void nf_tables_trans_destroy_work(struct work_struct *w);
82 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
84 static void nft_ctx_init(struct nft_ctx *ctx,
86 const struct sk_buff *skb,
87 const struct nlmsghdr *nlh,
89 struct nft_table *table,
90 struct nft_chain *chain,
91 const struct nlattr * const *nla)
99 ctx->portid = NETLINK_CB(skb).portid;
100 ctx->report = nlmsg_report(nlh);
101 ctx->flags = nlh->nlmsg_flags;
102 ctx->seq = nlh->nlmsg_seq;
105 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
106 int msg_type, u32 size, gfp_t gfp)
108 struct nft_trans *trans;
110 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 trans->msg_type = msg_type;
120 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
121 int msg_type, u32 size)
123 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
126 static void nft_trans_destroy(struct nft_trans *trans)
128 list_del(&trans->list);
132 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
134 struct net *net = ctx->net;
135 struct nft_trans *trans;
137 if (!nft_set_is_anonymous(set))
140 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
141 switch (trans->msg_type) {
143 if (nft_trans_set(trans) == set)
144 nft_trans_set_bound(trans) = true;
146 case NFT_MSG_NEWSETELEM:
147 if (nft_trans_elem_set(trans) == set)
148 nft_trans_elem_set_bound(trans) = true;
154 static int nft_netdev_register_hooks(struct net *net,
155 struct list_head *hook_list)
157 struct nft_hook *hook;
161 list_for_each_entry(hook, hook_list, list) {
162 err = nf_register_net_hook(net, &hook->ops);
171 list_for_each_entry(hook, hook_list, list) {
175 nf_unregister_net_hook(net, &hook->ops);
180 static void nft_netdev_unregister_hooks(struct net *net,
181 struct list_head *hook_list)
183 struct nft_hook *hook;
185 list_for_each_entry(hook, hook_list, list)
186 nf_unregister_net_hook(net, &hook->ops);
189 static int nft_register_basechain_hooks(struct net *net, int family,
190 struct nft_base_chain *basechain)
192 if (family == NFPROTO_NETDEV)
193 return nft_netdev_register_hooks(net, &basechain->hook_list);
195 return nf_register_net_hook(net, &basechain->ops);
198 static void nft_unregister_basechain_hooks(struct net *net, int family,
199 struct nft_base_chain *basechain)
201 if (family == NFPROTO_NETDEV)
202 nft_netdev_unregister_hooks(net, &basechain->hook_list);
204 nf_unregister_net_hook(net, &basechain->ops);
207 static int nf_tables_register_hook(struct net *net,
208 const struct nft_table *table,
209 struct nft_chain *chain)
211 struct nft_base_chain *basechain;
212 const struct nf_hook_ops *ops;
214 if (table->flags & NFT_TABLE_F_DORMANT ||
215 !nft_is_base_chain(chain))
218 basechain = nft_base_chain(chain);
219 ops = &basechain->ops;
221 if (basechain->type->ops_register)
222 return basechain->type->ops_register(net, ops);
224 return nft_register_basechain_hooks(net, table->family, basechain);
227 static void nf_tables_unregister_hook(struct net *net,
228 const struct nft_table *table,
229 struct nft_chain *chain)
231 struct nft_base_chain *basechain;
232 const struct nf_hook_ops *ops;
234 if (table->flags & NFT_TABLE_F_DORMANT ||
235 !nft_is_base_chain(chain))
237 basechain = nft_base_chain(chain);
238 ops = &basechain->ops;
240 if (basechain->type->ops_unregister)
241 return basechain->type->ops_unregister(net, ops);
243 nft_unregister_basechain_hooks(net, table->family, basechain);
246 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
248 struct nft_trans *trans;
250 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
254 if (msg_type == NFT_MSG_NEWTABLE)
255 nft_activate_next(ctx->net, ctx->table);
257 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
261 static int nft_deltable(struct nft_ctx *ctx)
265 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
269 nft_deactivate_next(ctx->net, ctx->table);
273 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
275 struct nft_trans *trans;
277 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
279 return ERR_PTR(-ENOMEM);
281 if (msg_type == NFT_MSG_NEWCHAIN)
282 nft_activate_next(ctx->net, ctx->chain);
284 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
288 static int nft_delchain(struct nft_ctx *ctx)
290 struct nft_trans *trans;
292 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
294 return PTR_ERR(trans);
297 nft_deactivate_next(ctx->net, ctx->chain);
302 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
303 struct nft_rule *rule)
305 struct nft_expr *expr;
307 expr = nft_expr_first(rule);
308 while (expr != nft_expr_last(rule) && expr->ops) {
309 if (expr->ops->activate)
310 expr->ops->activate(ctx, expr);
312 expr = nft_expr_next(expr);
316 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
317 struct nft_rule *rule,
318 enum nft_trans_phase phase)
320 struct nft_expr *expr;
322 expr = nft_expr_first(rule);
323 while (expr != nft_expr_last(rule) && expr->ops) {
324 if (expr->ops->deactivate)
325 expr->ops->deactivate(ctx, expr, phase);
327 expr = nft_expr_next(expr);
332 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
334 /* You cannot delete the same rule twice */
335 if (nft_is_active_next(ctx->net, rule)) {
336 nft_deactivate_next(ctx->net, rule);
343 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
344 struct nft_rule *rule)
346 struct nft_trans *trans;
348 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
352 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
353 nft_trans_rule_id(trans) =
354 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
356 nft_trans_rule(trans) = rule;
357 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
362 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
364 struct nft_trans *trans;
367 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
371 err = nf_tables_delrule_deactivate(ctx, rule);
373 nft_trans_destroy(trans);
376 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
381 static int nft_delrule_by_chain(struct nft_ctx *ctx)
383 struct nft_rule *rule;
386 list_for_each_entry(rule, &ctx->chain->rules, list) {
387 if (!nft_is_active_next(ctx->net, rule))
390 err = nft_delrule(ctx, rule);
397 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
400 struct nft_trans *trans;
402 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
406 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
407 nft_trans_set_id(trans) =
408 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
409 nft_activate_next(ctx->net, set);
411 nft_trans_set(trans) = set;
412 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
417 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
421 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
425 nft_deactivate_next(ctx->net, set);
431 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
432 struct nft_object *obj)
434 struct nft_trans *trans;
436 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
440 if (msg_type == NFT_MSG_NEWOBJ)
441 nft_activate_next(ctx->net, obj);
443 nft_trans_obj(trans) = obj;
444 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
449 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
453 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
457 nft_deactivate_next(ctx->net, obj);
463 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
464 struct nft_flowtable *flowtable)
466 struct nft_trans *trans;
468 trans = nft_trans_alloc(ctx, msg_type,
469 sizeof(struct nft_trans_flowtable));
473 if (msg_type == NFT_MSG_NEWFLOWTABLE)
474 nft_activate_next(ctx->net, flowtable);
476 nft_trans_flowtable(trans) = flowtable;
477 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
482 static int nft_delflowtable(struct nft_ctx *ctx,
483 struct nft_flowtable *flowtable)
487 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
491 nft_deactivate_next(ctx->net, flowtable);
501 static struct nft_table *nft_table_lookup(const struct net *net,
502 const struct nlattr *nla,
503 u8 family, u8 genmask)
505 struct nft_table *table;
508 return ERR_PTR(-EINVAL);
510 list_for_each_entry_rcu(table, &net->nft.tables, list) {
511 if (!nla_strcmp(nla, table->name) &&
512 table->family == family &&
513 nft_active_genmask(table, genmask))
517 return ERR_PTR(-ENOENT);
520 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
521 const struct nlattr *nla,
524 struct nft_table *table;
526 list_for_each_entry(table, &net->nft.tables, list) {
527 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
528 nft_active_genmask(table, genmask))
532 return ERR_PTR(-ENOENT);
535 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
537 return ++table->hgenerator;
540 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
542 static const struct nft_chain_type *
543 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
547 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
548 if (chain_type[family][i] != NULL &&
549 !nla_strcmp(nla, chain_type[family][i]->name))
550 return chain_type[family][i];
556 * Loading a module requires dropping mutex that guards the
558 * We first need to abort any pending transactions as once
559 * mutex is unlocked a different client could start a new
560 * transaction. It must not see any 'future generation'
561 * changes * as these changes will never happen.
563 #ifdef CONFIG_MODULES
564 static int __nf_tables_abort(struct net *net);
566 static void nft_request_module(struct net *net, const char *fmt, ...)
568 char module_name[MODULE_NAME_LEN];
572 __nf_tables_abort(net);
575 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
577 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
580 mutex_unlock(&net->nft.commit_mutex);
581 request_module("%s", module_name);
582 mutex_lock(&net->nft.commit_mutex);
586 static void lockdep_nfnl_nft_mutex_not_held(void)
588 #ifdef CONFIG_PROVE_LOCKING
589 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
593 static const struct nft_chain_type *
594 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
595 u8 family, bool autoload)
597 const struct nft_chain_type *type;
599 type = __nf_tables_chain_type_lookup(nla, family);
603 lockdep_nfnl_nft_mutex_not_held();
604 #ifdef CONFIG_MODULES
606 nft_request_module(net, "nft-chain-%u-%.*s", family,
607 nla_len(nla), (const char *)nla_data(nla));
608 type = __nf_tables_chain_type_lookup(nla, family);
610 return ERR_PTR(-EAGAIN);
613 return ERR_PTR(-ENOENT);
616 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
617 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
618 .len = NFT_TABLE_MAXNAMELEN - 1 },
619 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
620 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
623 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
624 u32 portid, u32 seq, int event, u32 flags,
625 int family, const struct nft_table *table)
627 struct nlmsghdr *nlh;
628 struct nfgenmsg *nfmsg;
630 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
631 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
633 goto nla_put_failure;
635 nfmsg = nlmsg_data(nlh);
636 nfmsg->nfgen_family = family;
637 nfmsg->version = NFNETLINK_V0;
638 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
640 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
641 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
642 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
643 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
645 goto nla_put_failure;
651 nlmsg_trim(skb, nlh);
655 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
661 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
664 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
668 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
669 event, 0, ctx->family, ctx->table);
675 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
676 ctx->report, GFP_KERNEL);
679 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
682 static int nf_tables_dump_tables(struct sk_buff *skb,
683 struct netlink_callback *cb)
685 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
686 const struct nft_table *table;
687 unsigned int idx = 0, s_idx = cb->args[0];
688 struct net *net = sock_net(skb->sk);
689 int family = nfmsg->nfgen_family;
692 cb->seq = net->nft.base_seq;
694 list_for_each_entry_rcu(table, &net->nft.tables, list) {
695 if (family != NFPROTO_UNSPEC && family != table->family)
701 memset(&cb->args[1], 0,
702 sizeof(cb->args) - sizeof(cb->args[0]));
703 if (!nft_is_active(net, table))
705 if (nf_tables_fill_table_info(skb, net,
706 NETLINK_CB(cb->skb).portid,
708 NFT_MSG_NEWTABLE, NLM_F_MULTI,
709 table->family, table) < 0)
712 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
722 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
723 const struct nlmsghdr *nlh,
724 struct netlink_dump_control *c)
728 if (!try_module_get(THIS_MODULE))
732 err = netlink_dump_start(nlsk, skb, nlh, c);
734 module_put(THIS_MODULE);
739 /* called with rcu_read_lock held */
740 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
741 struct sk_buff *skb, const struct nlmsghdr *nlh,
742 const struct nlattr * const nla[],
743 struct netlink_ext_ack *extack)
745 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
746 u8 genmask = nft_genmask_cur(net);
747 const struct nft_table *table;
748 struct sk_buff *skb2;
749 int family = nfmsg->nfgen_family;
752 if (nlh->nlmsg_flags & NLM_F_DUMP) {
753 struct netlink_dump_control c = {
754 .dump = nf_tables_dump_tables,
755 .module = THIS_MODULE,
758 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
761 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
763 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
764 return PTR_ERR(table);
767 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
771 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
772 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
777 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
784 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
786 struct nft_chain *chain;
789 list_for_each_entry(chain, &table->chains, list) {
790 if (!nft_is_active_next(net, chain))
792 if (!nft_is_base_chain(chain))
795 if (cnt && i++ == cnt)
798 nft_unregister_basechain_hooks(net, table->family,
799 nft_base_chain(chain));
803 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
805 struct nft_chain *chain;
808 list_for_each_entry(chain, &table->chains, list) {
809 if (!nft_is_active_next(net, chain))
811 if (!nft_is_base_chain(chain))
814 err = nft_register_basechain_hooks(net, table->family,
815 nft_base_chain(chain));
817 goto err_register_hooks;
825 nft_table_disable(net, table, i);
829 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
831 nft_table_disable(net, table, 0);
834 static int nf_tables_updtable(struct nft_ctx *ctx)
836 struct nft_trans *trans;
840 if (!ctx->nla[NFTA_TABLE_FLAGS])
843 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
844 if (flags & ~NFT_TABLE_F_DORMANT)
847 if (flags == ctx->table->flags)
850 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
851 sizeof(struct nft_trans_table));
855 if ((flags & NFT_TABLE_F_DORMANT) &&
856 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
857 nft_trans_table_enable(trans) = false;
858 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
859 ctx->table->flags & NFT_TABLE_F_DORMANT) {
860 ret = nf_tables_table_enable(ctx->net, ctx->table);
862 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
863 nft_trans_table_enable(trans) = true;
869 nft_trans_table_update(trans) = true;
870 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
873 nft_trans_destroy(trans);
877 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
879 const char *name = data;
881 return jhash(name, strlen(name), seed);
884 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
886 const struct nft_chain *chain = data;
888 return nft_chain_hash(chain->name, 0, seed);
891 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
894 const struct nft_chain *chain = ptr;
895 const char *name = arg->key;
897 return strcmp(chain->name, name);
900 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
902 const struct nft_object_hash_key *k = data;
904 seed ^= hash_ptr(k->table, 32);
906 return jhash(k->name, strlen(k->name), seed);
909 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
911 const struct nft_object *obj = data;
913 return nft_objname_hash(&obj->key, 0, seed);
916 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
919 const struct nft_object_hash_key *k = arg->key;
920 const struct nft_object *obj = ptr;
922 if (obj->key.table != k->table)
925 return strcmp(obj->key.name, k->name);
928 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
929 struct sk_buff *skb, const struct nlmsghdr *nlh,
930 const struct nlattr * const nla[],
931 struct netlink_ext_ack *extack)
933 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
934 u8 genmask = nft_genmask_next(net);
935 int family = nfmsg->nfgen_family;
936 const struct nlattr *attr;
937 struct nft_table *table;
942 lockdep_assert_held(&net->nft.commit_mutex);
943 attr = nla[NFTA_TABLE_NAME];
944 table = nft_table_lookup(net, attr, family, genmask);
946 if (PTR_ERR(table) != -ENOENT)
947 return PTR_ERR(table);
949 if (nlh->nlmsg_flags & NLM_F_EXCL) {
950 NL_SET_BAD_ATTR(extack, attr);
953 if (nlh->nlmsg_flags & NLM_F_REPLACE)
956 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
957 return nf_tables_updtable(&ctx);
960 if (nla[NFTA_TABLE_FLAGS]) {
961 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
962 if (flags & ~NFT_TABLE_F_DORMANT)
967 table = kzalloc(sizeof(*table), GFP_KERNEL);
971 table->name = nla_strdup(attr, GFP_KERNEL);
972 if (table->name == NULL)
975 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
979 INIT_LIST_HEAD(&table->chains);
980 INIT_LIST_HEAD(&table->sets);
981 INIT_LIST_HEAD(&table->objects);
982 INIT_LIST_HEAD(&table->flowtables);
983 table->family = family;
984 table->flags = flags;
985 table->handle = ++table_handle;
987 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
988 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
992 list_add_tail_rcu(&table->list, &net->nft.tables);
995 rhltable_destroy(&table->chains_ht);
1004 static int nft_flush_table(struct nft_ctx *ctx)
1006 struct nft_flowtable *flowtable, *nft;
1007 struct nft_chain *chain, *nc;
1008 struct nft_object *obj, *ne;
1009 struct nft_set *set, *ns;
1012 list_for_each_entry(chain, &ctx->table->chains, list) {
1013 if (!nft_is_active_next(ctx->net, chain))
1018 err = nft_delrule_by_chain(ctx);
1023 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1024 if (!nft_is_active_next(ctx->net, set))
1027 if (nft_set_is_anonymous(set) &&
1028 !list_empty(&set->bindings))
1031 err = nft_delset(ctx, set);
1036 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1037 err = nft_delflowtable(ctx, flowtable);
1042 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1043 err = nft_delobj(ctx, obj);
1048 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1049 if (!nft_is_active_next(ctx->net, chain))
1054 err = nft_delchain(ctx);
1059 err = nft_deltable(ctx);
1064 static int nft_flush(struct nft_ctx *ctx, int family)
1066 struct nft_table *table, *nt;
1067 const struct nlattr * const *nla = ctx->nla;
1070 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1071 if (family != AF_UNSPEC && table->family != family)
1074 ctx->family = table->family;
1076 if (!nft_is_active_next(ctx->net, table))
1079 if (nla[NFTA_TABLE_NAME] &&
1080 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1085 err = nft_flush_table(ctx);
1093 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1094 struct sk_buff *skb, const struct nlmsghdr *nlh,
1095 const struct nlattr * const nla[],
1096 struct netlink_ext_ack *extack)
1098 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1099 u8 genmask = nft_genmask_next(net);
1100 int family = nfmsg->nfgen_family;
1101 const struct nlattr *attr;
1102 struct nft_table *table;
1105 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1106 if (family == AF_UNSPEC ||
1107 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1108 return nft_flush(&ctx, family);
1110 if (nla[NFTA_TABLE_HANDLE]) {
1111 attr = nla[NFTA_TABLE_HANDLE];
1112 table = nft_table_lookup_byhandle(net, attr, genmask);
1114 attr = nla[NFTA_TABLE_NAME];
1115 table = nft_table_lookup(net, attr, family, genmask);
1118 if (IS_ERR(table)) {
1119 NL_SET_BAD_ATTR(extack, attr);
1120 return PTR_ERR(table);
1123 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1127 ctx.family = family;
1130 return nft_flush_table(&ctx);
1133 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1135 if (WARN_ON(ctx->table->use > 0))
1138 rhltable_destroy(&ctx->table->chains_ht);
1139 kfree(ctx->table->name);
1143 void nft_register_chain_type(const struct nft_chain_type *ctype)
1145 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1148 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1149 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1150 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1153 chain_type[ctype->family][ctype->type] = ctype;
1154 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1156 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1158 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1160 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1161 chain_type[ctype->family][ctype->type] = NULL;
1162 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1164 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1170 static struct nft_chain *
1171 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1173 struct nft_chain *chain;
1175 list_for_each_entry(chain, &table->chains, list) {
1176 if (chain->handle == handle &&
1177 nft_active_genmask(chain, genmask))
1181 return ERR_PTR(-ENOENT);
1184 static bool lockdep_commit_lock_is_held(const struct net *net)
1186 #ifdef CONFIG_PROVE_LOCKING
1187 return lockdep_is_held(&net->nft.commit_mutex);
1193 static struct nft_chain *nft_chain_lookup(struct net *net,
1194 struct nft_table *table,
1195 const struct nlattr *nla, u8 genmask)
1197 char search[NFT_CHAIN_MAXNAMELEN + 1];
1198 struct rhlist_head *tmp, *list;
1199 struct nft_chain *chain;
1202 return ERR_PTR(-EINVAL);
1204 nla_strlcpy(search, nla, sizeof(search));
1206 WARN_ON(!rcu_read_lock_held() &&
1207 !lockdep_commit_lock_is_held(net));
1209 chain = ERR_PTR(-ENOENT);
1211 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1215 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1216 if (nft_active_genmask(chain, genmask))
1219 chain = ERR_PTR(-ENOENT);
1225 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1226 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1227 .len = NFT_TABLE_MAXNAMELEN - 1 },
1228 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1229 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1230 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1231 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1232 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1233 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1234 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1235 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1238 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1239 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1240 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1241 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1242 .len = IFNAMSIZ - 1 },
1245 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1247 struct nft_stats *cpu_stats, total;
1248 struct nlattr *nest;
1256 memset(&total, 0, sizeof(total));
1257 for_each_possible_cpu(cpu) {
1258 cpu_stats = per_cpu_ptr(stats, cpu);
1260 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1261 pkts = cpu_stats->pkts;
1262 bytes = cpu_stats->bytes;
1263 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1265 total.bytes += bytes;
1267 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1269 goto nla_put_failure;
1271 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1272 NFTA_COUNTER_PAD) ||
1273 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1275 goto nla_put_failure;
1277 nla_nest_end(skb, nest);
1284 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1285 const struct nft_base_chain *basechain)
1287 const struct nf_hook_ops *ops = &basechain->ops;
1288 struct nft_hook *hook, *first = NULL;
1289 struct nlattr *nest, *nest_devs;
1292 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1294 goto nla_put_failure;
1295 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1296 goto nla_put_failure;
1297 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1298 goto nla_put_failure;
1300 if (family == NFPROTO_NETDEV) {
1301 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1302 list_for_each_entry(hook, &basechain->hook_list, list) {
1306 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1307 hook->ops.dev->name))
1308 goto nla_put_failure;
1311 nla_nest_end(skb, nest_devs);
1314 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1315 goto nla_put_failure;
1317 nla_nest_end(skb, nest);
1324 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1325 u32 portid, u32 seq, int event, u32 flags,
1326 int family, const struct nft_table *table,
1327 const struct nft_chain *chain)
1329 struct nlmsghdr *nlh;
1330 struct nfgenmsg *nfmsg;
1332 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1333 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1335 goto nla_put_failure;
1337 nfmsg = nlmsg_data(nlh);
1338 nfmsg->nfgen_family = family;
1339 nfmsg->version = NFNETLINK_V0;
1340 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1342 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1343 goto nla_put_failure;
1344 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1346 goto nla_put_failure;
1347 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1348 goto nla_put_failure;
1350 if (nft_is_base_chain(chain)) {
1351 const struct nft_base_chain *basechain = nft_base_chain(chain);
1352 struct nft_stats __percpu *stats;
1354 if (nft_dump_basechain_hook(skb, family, basechain))
1355 goto nla_put_failure;
1357 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1358 htonl(basechain->policy)))
1359 goto nla_put_failure;
1361 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1362 goto nla_put_failure;
1364 stats = rcu_dereference_check(basechain->stats,
1365 lockdep_commit_lock_is_held(net));
1366 if (nft_dump_stats(skb, stats))
1367 goto nla_put_failure;
1370 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1371 goto nla_put_failure;
1373 nlmsg_end(skb, nlh);
1377 nlmsg_trim(skb, nlh);
1381 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1383 struct sk_buff *skb;
1387 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1390 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1394 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1395 event, 0, ctx->family, ctx->table,
1402 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1403 ctx->report, GFP_KERNEL);
1406 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1409 static int nf_tables_dump_chains(struct sk_buff *skb,
1410 struct netlink_callback *cb)
1412 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1413 const struct nft_table *table;
1414 const struct nft_chain *chain;
1415 unsigned int idx = 0, s_idx = cb->args[0];
1416 struct net *net = sock_net(skb->sk);
1417 int family = nfmsg->nfgen_family;
1420 cb->seq = net->nft.base_seq;
1422 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1423 if (family != NFPROTO_UNSPEC && family != table->family)
1426 list_for_each_entry_rcu(chain, &table->chains, list) {
1430 memset(&cb->args[1], 0,
1431 sizeof(cb->args) - sizeof(cb->args[0]));
1432 if (!nft_is_active(net, chain))
1434 if (nf_tables_fill_chain_info(skb, net,
1435 NETLINK_CB(cb->skb).portid,
1439 table->family, table,
1443 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1454 /* called with rcu_read_lock held */
1455 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1456 struct sk_buff *skb, const struct nlmsghdr *nlh,
1457 const struct nlattr * const nla[],
1458 struct netlink_ext_ack *extack)
1460 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1461 u8 genmask = nft_genmask_cur(net);
1462 const struct nft_chain *chain;
1463 struct nft_table *table;
1464 struct sk_buff *skb2;
1465 int family = nfmsg->nfgen_family;
1468 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1469 struct netlink_dump_control c = {
1470 .dump = nf_tables_dump_chains,
1471 .module = THIS_MODULE,
1474 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1477 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1478 if (IS_ERR(table)) {
1479 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1480 return PTR_ERR(table);
1483 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1484 if (IS_ERR(chain)) {
1485 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1486 return PTR_ERR(chain);
1489 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1493 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1494 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1495 family, table, chain);
1499 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1506 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1507 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1508 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1511 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1513 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1514 struct nft_stats __percpu *newstats;
1515 struct nft_stats *stats;
1518 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1519 nft_counter_policy, NULL);
1521 return ERR_PTR(err);
1523 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1524 return ERR_PTR(-EINVAL);
1526 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1527 if (newstats == NULL)
1528 return ERR_PTR(-ENOMEM);
1530 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1531 * are not exposed to userspace.
1534 stats = this_cpu_ptr(newstats);
1535 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1536 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1542 static void nft_chain_stats_replace(struct nft_trans *trans)
1544 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1546 if (!nft_trans_chain_stats(trans))
1549 rcu_swap_protected(chain->stats, nft_trans_chain_stats(trans),
1550 lockdep_commit_lock_is_held(trans->ctx.net));
1552 if (!nft_trans_chain_stats(trans))
1553 static_branch_inc(&nft_counters_enabled);
1556 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1558 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1559 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1565 /* should be NULL either via abort or via successful commit */
1566 WARN_ON_ONCE(chain->rules_next);
1567 kvfree(chain->rules_next);
1570 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1572 struct nft_chain *chain = ctx->chain;
1573 struct nft_hook *hook, *next;
1575 if (WARN_ON(chain->use > 0))
1578 /* no concurrent access possible anymore */
1579 nf_tables_chain_free_chain_rules(chain);
1581 if (nft_is_base_chain(chain)) {
1582 struct nft_base_chain *basechain = nft_base_chain(chain);
1584 if (ctx->family == NFPROTO_NETDEV) {
1585 list_for_each_entry_safe(hook, next,
1586 &basechain->hook_list, list) {
1587 list_del_rcu(&hook->list);
1588 kfree_rcu(hook, rcu);
1591 module_put(basechain->type->owner);
1592 if (rcu_access_pointer(basechain->stats)) {
1593 static_branch_dec(&nft_counters_enabled);
1594 free_percpu(rcu_dereference_raw(basechain->stats));
1604 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1605 const struct nlattr *attr)
1607 struct net_device *dev;
1608 char ifname[IFNAMSIZ];
1609 struct nft_hook *hook;
1612 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1615 goto err_hook_alloc;
1618 nla_strlcpy(ifname, attr, IFNAMSIZ);
1619 dev = __dev_get_by_name(net, ifname);
1624 hook->ops.dev = dev;
1631 return ERR_PTR(err);
1634 static bool nft_hook_list_find(struct list_head *hook_list,
1635 const struct nft_hook *this)
1637 struct nft_hook *hook;
1639 list_for_each_entry(hook, hook_list, list) {
1640 if (this->ops.dev == hook->ops.dev)
1647 static int nf_tables_parse_netdev_hooks(struct net *net,
1648 const struct nlattr *attr,
1649 struct list_head *hook_list)
1651 struct nft_hook *hook, *next;
1652 const struct nlattr *tmp;
1653 int rem, n = 0, err;
1655 nla_for_each_nested(tmp, attr, rem) {
1656 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1661 hook = nft_netdev_hook_alloc(net, tmp);
1663 err = PTR_ERR(hook);
1666 if (nft_hook_list_find(hook_list, hook)) {
1670 list_add_tail(&hook->list, hook_list);
1673 if (n == NFT_NETDEVICE_MAX) {
1684 list_for_each_entry_safe(hook, next, hook_list, list) {
1685 list_del(&hook->list);
1691 struct nft_chain_hook {
1694 const struct nft_chain_type *type;
1695 struct list_head list;
1698 static int nft_chain_parse_netdev(struct net *net,
1699 struct nlattr *tb[],
1700 struct list_head *hook_list)
1702 struct nft_hook *hook;
1705 if (tb[NFTA_HOOK_DEV]) {
1706 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1708 return PTR_ERR(hook);
1710 list_add_tail(&hook->list, hook_list);
1711 } else if (tb[NFTA_HOOK_DEVS]) {
1712 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1723 static int nft_chain_parse_hook(struct net *net,
1724 const struct nlattr * const nla[],
1725 struct nft_chain_hook *hook, u8 family,
1728 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1729 const struct nft_chain_type *type;
1732 lockdep_assert_held(&net->nft.commit_mutex);
1733 lockdep_nfnl_nft_mutex_not_held();
1735 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1736 nla[NFTA_CHAIN_HOOK],
1737 nft_hook_policy, NULL);
1741 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1742 ha[NFTA_HOOK_PRIORITY] == NULL)
1745 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1746 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1748 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1749 if (nla[NFTA_CHAIN_TYPE]) {
1750 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1753 return PTR_ERR(type);
1755 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1758 if (type->type == NFT_CHAIN_T_NAT &&
1759 hook->priority <= NF_IP_PRI_CONNTRACK)
1762 if (!try_module_get(type->owner))
1767 INIT_LIST_HEAD(&hook->list);
1768 if (family == NFPROTO_NETDEV) {
1769 err = nft_chain_parse_netdev(net, ha, &hook->list);
1771 module_put(type->owner);
1774 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1775 module_put(type->owner);
1782 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1784 struct nft_hook *h, *next;
1786 list_for_each_entry_safe(h, next, &hook->list, list) {
1790 module_put(hook->type->owner);
1793 struct nft_rules_old {
1795 struct nft_rule **start;
1798 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1801 if (alloc > INT_MAX)
1804 alloc += 1; /* NULL, ends rules */
1805 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1808 alloc *= sizeof(struct nft_rule *);
1809 alloc += sizeof(struct nft_rules_old);
1811 return kvmalloc(alloc, GFP_KERNEL);
1814 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1815 const struct nft_chain_hook *hook,
1816 struct nft_chain *chain)
1819 ops->hooknum = hook->num;
1820 ops->priority = hook->priority;
1822 ops->hook = hook->type->hooks[ops->hooknum];
1825 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1826 struct nft_chain_hook *hook, u32 flags)
1828 struct nft_chain *chain;
1831 basechain->type = hook->type;
1832 INIT_LIST_HEAD(&basechain->hook_list);
1833 chain = &basechain->chain;
1835 if (family == NFPROTO_NETDEV) {
1836 list_splice_init(&hook->list, &basechain->hook_list);
1837 list_for_each_entry(h, &basechain->hook_list, list)
1838 nft_basechain_hook_init(&h->ops, family, hook, chain);
1840 basechain->ops.hooknum = hook->num;
1841 basechain->ops.priority = hook->priority;
1843 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1846 chain->flags |= NFT_BASE_CHAIN | flags;
1847 basechain->policy = NF_ACCEPT;
1848 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1849 nft_chain_offload_priority(basechain) < 0)
1852 flow_block_init(&basechain->flow_block);
1857 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1858 u8 policy, u32 flags)
1860 const struct nlattr * const *nla = ctx->nla;
1861 struct nft_table *table = ctx->table;
1862 struct nft_base_chain *basechain;
1863 struct nft_stats __percpu *stats;
1864 struct net *net = ctx->net;
1865 struct nft_trans *trans;
1866 struct nft_chain *chain;
1867 struct nft_rule **rules;
1870 if (table->use == UINT_MAX)
1873 if (nla[NFTA_CHAIN_HOOK]) {
1874 struct nft_chain_hook hook;
1876 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1880 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1881 if (basechain == NULL) {
1882 nft_chain_release_hook(&hook);
1885 chain = &basechain->chain;
1887 if (nla[NFTA_CHAIN_COUNTERS]) {
1888 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1889 if (IS_ERR(stats)) {
1890 nft_chain_release_hook(&hook);
1892 return PTR_ERR(stats);
1894 rcu_assign_pointer(basechain->stats, stats);
1895 static_branch_inc(&nft_counters_enabled);
1898 err = nft_basechain_init(basechain, family, &hook, flags);
1900 nft_chain_release_hook(&hook);
1905 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1911 INIT_LIST_HEAD(&chain->rules);
1912 chain->handle = nf_tables_alloc_handle(table);
1913 chain->table = table;
1914 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1920 rules = nf_tables_chain_alloc_rules(chain, 0);
1927 rcu_assign_pointer(chain->rules_gen_0, rules);
1928 rcu_assign_pointer(chain->rules_gen_1, rules);
1930 err = nf_tables_register_hook(net, table, chain);
1934 err = rhltable_insert_key(&table->chains_ht, chain->name,
1935 &chain->rhlhead, nft_chain_ht_params);
1939 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1940 if (IS_ERR(trans)) {
1941 err = PTR_ERR(trans);
1942 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1943 nft_chain_ht_params);
1947 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1948 if (nft_is_base_chain(chain))
1949 nft_trans_chain_policy(trans) = policy;
1952 list_add_tail_rcu(&chain->list, &table->chains);
1956 nf_tables_unregister_hook(net, table, chain);
1958 nf_tables_chain_destroy(ctx);
1963 static bool nft_hook_list_equal(struct list_head *hook_list1,
1964 struct list_head *hook_list2)
1966 struct nft_hook *hook;
1970 list_for_each_entry(hook, hook_list2, list) {
1971 if (!nft_hook_list_find(hook_list1, hook))
1976 list_for_each_entry(hook, hook_list1, list)
1982 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1985 const struct nlattr * const *nla = ctx->nla;
1986 struct nft_table *table = ctx->table;
1987 struct nft_chain *chain = ctx->chain;
1988 struct nft_base_chain *basechain;
1989 struct nft_stats *stats = NULL;
1990 struct nft_chain_hook hook;
1991 struct nf_hook_ops *ops;
1992 struct nft_trans *trans;
1995 if (chain->flags ^ flags)
1998 if (nla[NFTA_CHAIN_HOOK]) {
1999 if (!nft_is_base_chain(chain))
2002 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2007 basechain = nft_base_chain(chain);
2008 if (basechain->type != hook.type) {
2009 nft_chain_release_hook(&hook);
2013 if (ctx->family == NFPROTO_NETDEV) {
2014 if (!nft_hook_list_equal(&basechain->hook_list,
2016 nft_chain_release_hook(&hook);
2020 ops = &basechain->ops;
2021 if (ops->hooknum != hook.num ||
2022 ops->priority != hook.priority) {
2023 nft_chain_release_hook(&hook);
2027 nft_chain_release_hook(&hook);
2030 if (nla[NFTA_CHAIN_HANDLE] &&
2031 nla[NFTA_CHAIN_NAME]) {
2032 struct nft_chain *chain2;
2034 chain2 = nft_chain_lookup(ctx->net, table,
2035 nla[NFTA_CHAIN_NAME], genmask);
2036 if (!IS_ERR(chain2))
2040 if (nla[NFTA_CHAIN_COUNTERS]) {
2041 if (!nft_is_base_chain(chain))
2044 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2046 return PTR_ERR(stats);
2050 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2051 sizeof(struct nft_trans_chain));
2055 nft_trans_chain_stats(trans) = stats;
2056 nft_trans_chain_update(trans) = true;
2058 if (nla[NFTA_CHAIN_POLICY])
2059 nft_trans_chain_policy(trans) = policy;
2061 nft_trans_chain_policy(trans) = -1;
2063 if (nla[NFTA_CHAIN_HANDLE] &&
2064 nla[NFTA_CHAIN_NAME]) {
2065 struct nft_trans *tmp;
2069 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2074 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2075 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2076 tmp->ctx.table == table &&
2077 nft_trans_chain_update(tmp) &&
2078 nft_trans_chain_name(tmp) &&
2079 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2085 nft_trans_chain_name(trans) = name;
2087 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2096 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2097 struct sk_buff *skb, const struct nlmsghdr *nlh,
2098 const struct nlattr * const nla[],
2099 struct netlink_ext_ack *extack)
2101 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2102 u8 genmask = nft_genmask_next(net);
2103 int family = nfmsg->nfgen_family;
2104 const struct nlattr *attr;
2105 struct nft_table *table;
2106 struct nft_chain *chain;
2107 u8 policy = NF_ACCEPT;
2112 lockdep_assert_held(&net->nft.commit_mutex);
2114 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2115 if (IS_ERR(table)) {
2116 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2117 return PTR_ERR(table);
2121 attr = nla[NFTA_CHAIN_NAME];
2123 if (nla[NFTA_CHAIN_HANDLE]) {
2124 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2125 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2126 if (IS_ERR(chain)) {
2127 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2128 return PTR_ERR(chain);
2130 attr = nla[NFTA_CHAIN_HANDLE];
2132 chain = nft_chain_lookup(net, table, attr, genmask);
2133 if (IS_ERR(chain)) {
2134 if (PTR_ERR(chain) != -ENOENT) {
2135 NL_SET_BAD_ATTR(extack, attr);
2136 return PTR_ERR(chain);
2142 if (nla[NFTA_CHAIN_POLICY]) {
2143 if (chain != NULL &&
2144 !nft_is_base_chain(chain)) {
2145 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2149 if (chain == NULL &&
2150 nla[NFTA_CHAIN_HOOK] == NULL) {
2151 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2155 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2165 if (nla[NFTA_CHAIN_FLAGS])
2166 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2168 flags = chain->flags;
2170 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2172 if (chain != NULL) {
2173 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2174 NL_SET_BAD_ATTR(extack, attr);
2177 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2180 flags |= chain->flags & NFT_BASE_CHAIN;
2181 return nf_tables_updchain(&ctx, genmask, policy, flags);
2184 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2187 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2188 struct sk_buff *skb, const struct nlmsghdr *nlh,
2189 const struct nlattr * const nla[],
2190 struct netlink_ext_ack *extack)
2192 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2193 u8 genmask = nft_genmask_next(net);
2194 int family = nfmsg->nfgen_family;
2195 const struct nlattr *attr;
2196 struct nft_table *table;
2197 struct nft_chain *chain;
2198 struct nft_rule *rule;
2204 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2205 if (IS_ERR(table)) {
2206 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2207 return PTR_ERR(table);
2210 if (nla[NFTA_CHAIN_HANDLE]) {
2211 attr = nla[NFTA_CHAIN_HANDLE];
2212 handle = be64_to_cpu(nla_get_be64(attr));
2213 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2215 attr = nla[NFTA_CHAIN_NAME];
2216 chain = nft_chain_lookup(net, table, attr, genmask);
2218 if (IS_ERR(chain)) {
2219 NL_SET_BAD_ATTR(extack, attr);
2220 return PTR_ERR(chain);
2223 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2227 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2230 list_for_each_entry(rule, &chain->rules, list) {
2231 if (!nft_is_active_next(net, rule))
2235 err = nft_delrule(&ctx, rule);
2240 /* There are rules and elements that are still holding references to us,
2241 * we cannot do a recursive removal in this case.
2244 NL_SET_BAD_ATTR(extack, attr);
2248 return nft_delchain(&ctx);
2256 * nft_register_expr - register nf_tables expr type
2259 * Registers the expr type for use with nf_tables. Returns zero on
2260 * success or a negative errno code otherwise.
2262 int nft_register_expr(struct nft_expr_type *type)
2264 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2265 if (type->family == NFPROTO_UNSPEC)
2266 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2268 list_add_rcu(&type->list, &nf_tables_expressions);
2269 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2272 EXPORT_SYMBOL_GPL(nft_register_expr);
2275 * nft_unregister_expr - unregister nf_tables expr type
2278 * Unregisters the expr typefor use with nf_tables.
2280 void nft_unregister_expr(struct nft_expr_type *type)
2282 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2283 list_del_rcu(&type->list);
2284 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2286 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2288 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2291 const struct nft_expr_type *type, *candidate = NULL;
2293 list_for_each_entry(type, &nf_tables_expressions, list) {
2294 if (!nla_strcmp(nla, type->name)) {
2295 if (!type->family && !candidate)
2297 else if (type->family == family)
2304 #ifdef CONFIG_MODULES
2305 static int nft_expr_type_request_module(struct net *net, u8 family,
2308 nft_request_module(net, "nft-expr-%u-%.*s", family,
2309 nla_len(nla), (char *)nla_data(nla));
2310 if (__nft_expr_type_get(family, nla))
2317 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2321 const struct nft_expr_type *type;
2324 return ERR_PTR(-EINVAL);
2326 type = __nft_expr_type_get(family, nla);
2327 if (type != NULL && try_module_get(type->owner))
2330 lockdep_nfnl_nft_mutex_not_held();
2331 #ifdef CONFIG_MODULES
2333 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2334 return ERR_PTR(-EAGAIN);
2336 nft_request_module(net, "nft-expr-%.*s",
2337 nla_len(nla), (char *)nla_data(nla));
2338 if (__nft_expr_type_get(family, nla))
2339 return ERR_PTR(-EAGAIN);
2342 return ERR_PTR(-ENOENT);
2345 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2346 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2347 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2350 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2351 const struct nft_expr *expr)
2353 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2354 goto nla_put_failure;
2356 if (expr->ops->dump) {
2357 struct nlattr *data = nla_nest_start_noflag(skb,
2360 goto nla_put_failure;
2361 if (expr->ops->dump(skb, expr) < 0)
2362 goto nla_put_failure;
2363 nla_nest_end(skb, data);
2372 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2373 const struct nft_expr *expr)
2375 struct nlattr *nest;
2377 nest = nla_nest_start_noflag(skb, attr);
2379 goto nla_put_failure;
2380 if (nf_tables_fill_expr_info(skb, expr) < 0)
2381 goto nla_put_failure;
2382 nla_nest_end(skb, nest);
2389 struct nft_expr_info {
2390 const struct nft_expr_ops *ops;
2391 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2394 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2395 const struct nlattr *nla,
2396 struct nft_expr_info *info)
2398 const struct nft_expr_type *type;
2399 const struct nft_expr_ops *ops;
2400 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2403 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2404 nft_expr_policy, NULL);
2408 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2410 return PTR_ERR(type);
2412 if (tb[NFTA_EXPR_DATA]) {
2413 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2415 type->policy, NULL);
2419 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2421 if (type->select_ops != NULL) {
2422 ops = type->select_ops(ctx,
2423 (const struct nlattr * const *)info->tb);
2426 #ifdef CONFIG_MODULES
2428 nft_expr_type_request_module(ctx->net,
2430 tb[NFTA_EXPR_NAME]);
2441 module_put(type->owner);
2445 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2446 const struct nft_expr_info *info,
2447 struct nft_expr *expr)
2449 const struct nft_expr_ops *ops = info->ops;
2454 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2465 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2466 struct nft_expr *expr)
2468 const struct nft_expr_type *type = expr->ops->type;
2470 if (expr->ops->destroy)
2471 expr->ops->destroy(ctx, expr);
2472 module_put(type->owner);
2475 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2476 const struct nlattr *nla)
2478 struct nft_expr_info info;
2479 struct nft_expr *expr;
2480 struct module *owner;
2483 err = nf_tables_expr_parse(ctx, nla, &info);
2488 expr = kzalloc(info.ops->size, GFP_KERNEL);
2492 err = nf_tables_newexpr(ctx, &info, expr);
2500 owner = info.ops->type->owner;
2501 if (info.ops->type->release_ops)
2502 info.ops->type->release_ops(info.ops);
2506 return ERR_PTR(err);
2509 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2511 nf_tables_expr_destroy(ctx, expr);
2519 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2522 struct nft_rule *rule;
2524 // FIXME: this sucks
2525 list_for_each_entry_rcu(rule, &chain->rules, list) {
2526 if (handle == rule->handle)
2530 return ERR_PTR(-ENOENT);
2533 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2534 const struct nlattr *nla)
2537 return ERR_PTR(-EINVAL);
2539 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2542 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2543 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2544 .len = NFT_TABLE_MAXNAMELEN - 1 },
2545 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2546 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2547 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2548 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2549 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2550 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2551 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2552 .len = NFT_USERDATA_MAXLEN },
2553 [NFTA_RULE_ID] = { .type = NLA_U32 },
2554 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2557 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2558 u32 portid, u32 seq, int event,
2559 u32 flags, int family,
2560 const struct nft_table *table,
2561 const struct nft_chain *chain,
2562 const struct nft_rule *rule,
2563 const struct nft_rule *prule)
2565 struct nlmsghdr *nlh;
2566 struct nfgenmsg *nfmsg;
2567 const struct nft_expr *expr, *next;
2568 struct nlattr *list;
2569 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2571 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2573 goto nla_put_failure;
2575 nfmsg = nlmsg_data(nlh);
2576 nfmsg->nfgen_family = family;
2577 nfmsg->version = NFNETLINK_V0;
2578 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2580 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2581 goto nla_put_failure;
2582 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2583 goto nla_put_failure;
2584 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2586 goto nla_put_failure;
2588 if (event != NFT_MSG_DELRULE && prule) {
2589 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2590 cpu_to_be64(prule->handle),
2592 goto nla_put_failure;
2595 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2597 goto nla_put_failure;
2598 nft_rule_for_each_expr(expr, next, rule) {
2599 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2600 goto nla_put_failure;
2602 nla_nest_end(skb, list);
2605 struct nft_userdata *udata = nft_userdata(rule);
2606 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2608 goto nla_put_failure;
2611 nlmsg_end(skb, nlh);
2615 nlmsg_trim(skb, nlh);
2619 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2620 const struct nft_rule *rule, int event)
2622 struct sk_buff *skb;
2626 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2629 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2633 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2634 event, 0, ctx->family, ctx->table,
2635 ctx->chain, rule, NULL);
2641 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2642 ctx->report, GFP_KERNEL);
2645 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2648 struct nft_rule_dump_ctx {
2653 static int __nf_tables_dump_rules(struct sk_buff *skb,
2655 struct netlink_callback *cb,
2656 const struct nft_table *table,
2657 const struct nft_chain *chain)
2659 struct net *net = sock_net(skb->sk);
2660 const struct nft_rule *rule, *prule;
2661 unsigned int s_idx = cb->args[0];
2664 list_for_each_entry_rcu(rule, &chain->rules, list) {
2665 if (!nft_is_active(net, rule))
2670 memset(&cb->args[1], 0,
2671 sizeof(cb->args) - sizeof(cb->args[0]));
2673 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2676 NLM_F_MULTI | NLM_F_APPEND,
2678 table, chain, rule, prule) < 0)
2681 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2690 static int nf_tables_dump_rules(struct sk_buff *skb,
2691 struct netlink_callback *cb)
2693 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2694 const struct nft_rule_dump_ctx *ctx = cb->data;
2695 struct nft_table *table;
2696 const struct nft_chain *chain;
2697 unsigned int idx = 0;
2698 struct net *net = sock_net(skb->sk);
2699 int family = nfmsg->nfgen_family;
2702 cb->seq = net->nft.base_seq;
2704 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2705 if (family != NFPROTO_UNSPEC && family != table->family)
2708 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2711 if (ctx && ctx->table && ctx->chain) {
2712 struct rhlist_head *list, *tmp;
2714 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2715 nft_chain_ht_params);
2719 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2720 if (!nft_is_active(net, chain))
2722 __nf_tables_dump_rules(skb, &idx,
2729 list_for_each_entry_rcu(chain, &table->chains, list) {
2730 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2734 if (ctx && ctx->table)
2744 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2746 const struct nlattr * const *nla = cb->data;
2747 struct nft_rule_dump_ctx *ctx = NULL;
2749 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2750 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2754 if (nla[NFTA_RULE_TABLE]) {
2755 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2762 if (nla[NFTA_RULE_CHAIN]) {
2763 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2777 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2779 struct nft_rule_dump_ctx *ctx = cb->data;
2789 /* called with rcu_read_lock held */
2790 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2791 struct sk_buff *skb, const struct nlmsghdr *nlh,
2792 const struct nlattr * const nla[],
2793 struct netlink_ext_ack *extack)
2795 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2796 u8 genmask = nft_genmask_cur(net);
2797 const struct nft_chain *chain;
2798 const struct nft_rule *rule;
2799 struct nft_table *table;
2800 struct sk_buff *skb2;
2801 int family = nfmsg->nfgen_family;
2804 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2805 struct netlink_dump_control c = {
2806 .start= nf_tables_dump_rules_start,
2807 .dump = nf_tables_dump_rules,
2808 .done = nf_tables_dump_rules_done,
2809 .module = THIS_MODULE,
2810 .data = (void *)nla,
2813 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2816 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2817 if (IS_ERR(table)) {
2818 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2819 return PTR_ERR(table);
2822 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2823 if (IS_ERR(chain)) {
2824 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2825 return PTR_ERR(chain);
2828 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2830 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2831 return PTR_ERR(rule);
2834 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2838 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2839 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2840 family, table, chain, rule, NULL);
2844 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2851 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2852 struct nft_rule *rule)
2854 struct nft_expr *expr, *next;
2857 * Careful: some expressions might not be initialized in case this
2858 * is called on error from nf_tables_newrule().
2860 expr = nft_expr_first(rule);
2861 while (expr != nft_expr_last(rule) && expr->ops) {
2862 next = nft_expr_next(expr);
2863 nf_tables_expr_destroy(ctx, expr);
2869 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2870 struct nft_rule *rule)
2872 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2873 nf_tables_rule_destroy(ctx, rule);
2876 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2878 struct nft_expr *expr, *last;
2879 const struct nft_data *data;
2880 struct nft_rule *rule;
2883 if (ctx->level == NFT_JUMP_STACK_SIZE)
2886 list_for_each_entry(rule, &chain->rules, list) {
2887 if (!nft_is_active_next(ctx->net, rule))
2890 nft_rule_for_each_expr(expr, last, rule) {
2891 if (!expr->ops->validate)
2894 err = expr->ops->validate(ctx, expr, &data);
2902 EXPORT_SYMBOL_GPL(nft_chain_validate);
2904 static int nft_table_validate(struct net *net, const struct nft_table *table)
2906 struct nft_chain *chain;
2907 struct nft_ctx ctx = {
2909 .family = table->family,
2913 list_for_each_entry(chain, &table->chains, list) {
2914 if (!nft_is_base_chain(chain))
2918 err = nft_chain_validate(&ctx, chain);
2926 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2927 const struct nlattr *nla);
2929 #define NFT_RULE_MAXEXPRS 128
2931 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2932 struct sk_buff *skb, const struct nlmsghdr *nlh,
2933 const struct nlattr * const nla[],
2934 struct netlink_ext_ack *extack)
2936 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2937 u8 genmask = nft_genmask_next(net);
2938 struct nft_expr_info *info = NULL;
2939 int family = nfmsg->nfgen_family;
2940 struct nft_flow_rule *flow;
2941 struct nft_table *table;
2942 struct nft_chain *chain;
2943 struct nft_rule *rule, *old_rule = NULL;
2944 struct nft_userdata *udata;
2945 struct nft_trans *trans = NULL;
2946 struct nft_expr *expr;
2949 unsigned int size, i, n, ulen = 0, usize = 0;
2951 u64 handle, pos_handle;
2953 lockdep_assert_held(&net->nft.commit_mutex);
2955 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2956 if (IS_ERR(table)) {
2957 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2958 return PTR_ERR(table);
2961 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2962 if (IS_ERR(chain)) {
2963 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2964 return PTR_ERR(chain);
2967 if (nla[NFTA_RULE_HANDLE]) {
2968 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2969 rule = __nft_rule_lookup(chain, handle);
2971 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2972 return PTR_ERR(rule);
2975 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2976 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2979 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2984 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2985 nlh->nlmsg_flags & NLM_F_REPLACE)
2987 handle = nf_tables_alloc_handle(table);
2989 if (chain->use == UINT_MAX)
2992 if (nla[NFTA_RULE_POSITION]) {
2993 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2994 old_rule = __nft_rule_lookup(chain, pos_handle);
2995 if (IS_ERR(old_rule)) {
2996 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2997 return PTR_ERR(old_rule);
2999 } else if (nla[NFTA_RULE_POSITION_ID]) {
3000 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3001 if (IS_ERR(old_rule)) {
3002 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3003 return PTR_ERR(old_rule);
3008 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3012 if (nla[NFTA_RULE_EXPRESSIONS]) {
3013 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3014 sizeof(struct nft_expr_info),
3019 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3021 if (nla_type(tmp) != NFTA_LIST_ELEM)
3023 if (n == NFT_RULE_MAXEXPRS)
3025 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3028 size += info[n].ops->size;
3032 /* Check for overflow of dlen field */
3034 if (size >= 1 << 12)
3037 if (nla[NFTA_RULE_USERDATA]) {
3038 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3040 usize = sizeof(struct nft_userdata) + ulen;
3044 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3048 nft_activate_next(net, rule);
3050 rule->handle = handle;
3052 rule->udata = ulen ? 1 : 0;
3055 udata = nft_userdata(rule);
3056 udata->len = ulen - 1;
3057 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3060 expr = nft_expr_first(rule);
3061 for (i = 0; i < n; i++) {
3062 err = nf_tables_newexpr(&ctx, &info[i], expr);
3066 if (info[i].ops->validate)
3067 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3070 expr = nft_expr_next(expr);
3073 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3074 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3075 if (trans == NULL) {
3079 err = nft_delrule(&ctx, old_rule);
3081 nft_trans_destroy(trans);
3085 list_add_tail_rcu(&rule->list, &old_rule->list);
3087 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3093 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3095 list_add_rcu(&rule->list, &old_rule->list);
3097 list_add_tail_rcu(&rule->list, &chain->rules);
3100 list_add_tail_rcu(&rule->list, &old_rule->list);
3102 list_add_rcu(&rule->list, &chain->rules);
3108 if (net->nft.validate_state == NFT_VALIDATE_DO)
3109 return nft_table_validate(net, table);
3111 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3112 flow = nft_flow_rule_create(net, rule);
3114 return PTR_ERR(flow);
3116 nft_trans_flow_rule(trans) = flow;
3121 nf_tables_rule_release(&ctx, rule);
3123 for (i = 0; i < n; i++) {
3125 module_put(info[i].ops->type->owner);
3126 if (info[i].ops->type->release_ops)
3127 info[i].ops->type->release_ops(info[i].ops);
3134 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3135 const struct nlattr *nla)
3137 u32 id = ntohl(nla_get_be32(nla));
3138 struct nft_trans *trans;
3140 list_for_each_entry(trans, &net->nft.commit_list, list) {
3141 struct nft_rule *rule = nft_trans_rule(trans);
3143 if (trans->msg_type == NFT_MSG_NEWRULE &&
3144 id == nft_trans_rule_id(trans))
3147 return ERR_PTR(-ENOENT);
3150 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3151 struct sk_buff *skb, const struct nlmsghdr *nlh,
3152 const struct nlattr * const nla[],
3153 struct netlink_ext_ack *extack)
3155 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3156 u8 genmask = nft_genmask_next(net);
3157 struct nft_table *table;
3158 struct nft_chain *chain = NULL;
3159 struct nft_rule *rule;
3160 int family = nfmsg->nfgen_family, err = 0;
3163 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3164 if (IS_ERR(table)) {
3165 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3166 return PTR_ERR(table);
3169 if (nla[NFTA_RULE_CHAIN]) {
3170 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3172 if (IS_ERR(chain)) {
3173 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3174 return PTR_ERR(chain);
3178 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3181 if (nla[NFTA_RULE_HANDLE]) {
3182 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3184 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3185 return PTR_ERR(rule);
3188 err = nft_delrule(&ctx, rule);
3189 } else if (nla[NFTA_RULE_ID]) {
3190 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3192 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3193 return PTR_ERR(rule);
3196 err = nft_delrule(&ctx, rule);
3198 err = nft_delrule_by_chain(&ctx);
3201 list_for_each_entry(chain, &table->chains, list) {
3202 if (!nft_is_active_next(net, chain))
3206 err = nft_delrule_by_chain(&ctx);
3219 static LIST_HEAD(nf_tables_set_types);
3221 int nft_register_set(struct nft_set_type *type)
3223 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3224 list_add_tail_rcu(&type->list, &nf_tables_set_types);
3225 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3228 EXPORT_SYMBOL_GPL(nft_register_set);
3230 void nft_unregister_set(struct nft_set_type *type)
3232 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3233 list_del_rcu(&type->list);
3234 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3236 EXPORT_SYMBOL_GPL(nft_unregister_set);
3238 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3239 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3242 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3244 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3248 * Select a set implementation based on the data characteristics and the
3249 * given policy. The total memory use might not be known if no size is
3250 * given, in that case the amount of memory per element is used.
3252 static const struct nft_set_ops *
3253 nft_select_set_ops(const struct nft_ctx *ctx,
3254 const struct nlattr * const nla[],
3255 const struct nft_set_desc *desc,
3256 enum nft_set_policies policy)
3258 const struct nft_set_ops *ops, *bops;
3259 struct nft_set_estimate est, best;
3260 const struct nft_set_type *type;
3263 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3264 lockdep_nfnl_nft_mutex_not_held();
3265 #ifdef CONFIG_MODULES
3266 if (list_empty(&nf_tables_set_types)) {
3267 nft_request_module(ctx->net, "nft-set");
3268 if (!list_empty(&nf_tables_set_types))
3269 return ERR_PTR(-EAGAIN);
3272 if (nla[NFTA_SET_FLAGS] != NULL)
3273 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3280 list_for_each_entry(type, &nf_tables_set_types, list) {
3283 if (!nft_set_ops_candidate(type, flags))
3285 if (!ops->estimate(desc, flags, &est))
3289 case NFT_SET_POL_PERFORMANCE:
3290 if (est.lookup < best.lookup)
3292 if (est.lookup == best.lookup &&
3293 est.space < best.space)
3296 case NFT_SET_POL_MEMORY:
3298 if (est.space < best.space)
3300 if (est.space == best.space &&
3301 est.lookup < best.lookup)
3303 } else if (est.size < best.size || !bops) {
3311 if (!try_module_get(type->owner))
3314 module_put(to_set_type(bops)->owner);
3323 return ERR_PTR(-EOPNOTSUPP);
3326 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3327 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3328 .len = NFT_TABLE_MAXNAMELEN - 1 },
3329 [NFTA_SET_NAME] = { .type = NLA_STRING,
3330 .len = NFT_SET_MAXNAMELEN - 1 },
3331 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3332 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3333 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3334 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3335 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3336 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3337 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3338 [NFTA_SET_ID] = { .type = NLA_U32 },
3339 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3340 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3341 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3342 .len = NFT_USERDATA_MAXLEN },
3343 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3344 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3347 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3348 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3351 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3352 const struct sk_buff *skb,
3353 const struct nlmsghdr *nlh,
3354 const struct nlattr * const nla[],
3355 struct netlink_ext_ack *extack,
3358 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3359 int family = nfmsg->nfgen_family;
3360 struct nft_table *table = NULL;
3362 if (nla[NFTA_SET_TABLE] != NULL) {
3363 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3365 if (IS_ERR(table)) {
3366 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3367 return PTR_ERR(table);
3371 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3375 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3376 const struct nlattr *nla, u8 genmask)
3378 struct nft_set *set;
3381 return ERR_PTR(-EINVAL);
3383 list_for_each_entry_rcu(set, &table->sets, list) {
3384 if (!nla_strcmp(nla, set->name) &&
3385 nft_active_genmask(set, genmask))
3388 return ERR_PTR(-ENOENT);
3391 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3392 const struct nlattr *nla,
3395 struct nft_set *set;
3397 list_for_each_entry(set, &table->sets, list) {
3398 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3399 nft_active_genmask(set, genmask))
3402 return ERR_PTR(-ENOENT);
3405 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3406 const struct nlattr *nla, u8 genmask)
3408 struct nft_trans *trans;
3409 u32 id = ntohl(nla_get_be32(nla));
3411 list_for_each_entry(trans, &net->nft.commit_list, list) {
3412 if (trans->msg_type == NFT_MSG_NEWSET) {
3413 struct nft_set *set = nft_trans_set(trans);
3415 if (id == nft_trans_set_id(trans) &&
3416 nft_active_genmask(set, genmask))
3420 return ERR_PTR(-ENOENT);
3423 struct nft_set *nft_set_lookup_global(const struct net *net,
3424 const struct nft_table *table,
3425 const struct nlattr *nla_set_name,
3426 const struct nlattr *nla_set_id,
3429 struct nft_set *set;
3431 set = nft_set_lookup(table, nla_set_name, genmask);
3436 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3440 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3442 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3445 const struct nft_set *i;
3447 unsigned long *inuse;
3448 unsigned int n = 0, min = 0;
3450 p = strchr(name, '%');
3452 if (p[1] != 'd' || strchr(p + 2, '%'))
3455 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3459 list_for_each_entry(i, &ctx->table->sets, list) {
3462 if (!nft_is_active_next(ctx->net, set))
3464 if (!sscanf(i->name, name, &tmp))
3466 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3469 set_bit(tmp - min, inuse);
3472 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3473 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3474 min += BITS_PER_BYTE * PAGE_SIZE;
3475 memset(inuse, 0, PAGE_SIZE);
3478 free_page((unsigned long)inuse);
3481 set->name = kasprintf(GFP_KERNEL, name, min + n);
3485 list_for_each_entry(i, &ctx->table->sets, list) {
3486 if (!nft_is_active_next(ctx->net, i))
3488 if (!strcmp(set->name, i->name)) {
3496 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3498 u64 ms = be64_to_cpu(nla_get_be64(nla));
3499 u64 max = (u64)(~((u64)0));
3501 max = div_u64(max, NSEC_PER_MSEC);
3505 ms *= NSEC_PER_MSEC;
3506 *result = nsecs_to_jiffies64(ms);
3510 static __be64 nf_jiffies64_to_msecs(u64 input)
3512 return cpu_to_be64(jiffies64_to_msecs(input));
3515 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3516 const struct nft_set *set, u16 event, u16 flags)
3518 struct nfgenmsg *nfmsg;
3519 struct nlmsghdr *nlh;
3520 struct nlattr *desc;
3521 u32 portid = ctx->portid;
3524 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3525 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3528 goto nla_put_failure;
3530 nfmsg = nlmsg_data(nlh);
3531 nfmsg->nfgen_family = ctx->family;
3532 nfmsg->version = NFNETLINK_V0;
3533 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3535 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3536 goto nla_put_failure;
3537 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3538 goto nla_put_failure;
3539 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3541 goto nla_put_failure;
3542 if (set->flags != 0)
3543 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3544 goto nla_put_failure;
3546 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3547 goto nla_put_failure;
3548 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3549 goto nla_put_failure;
3550 if (set->flags & NFT_SET_MAP) {
3551 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3552 goto nla_put_failure;
3553 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3554 goto nla_put_failure;
3556 if (set->flags & NFT_SET_OBJECT &&
3557 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3558 goto nla_put_failure;
3561 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3562 nf_jiffies64_to_msecs(set->timeout),
3564 goto nla_put_failure;
3566 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3567 goto nla_put_failure;
3569 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3570 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3571 goto nla_put_failure;
3574 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3575 goto nla_put_failure;
3577 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3579 goto nla_put_failure;
3581 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3582 goto nla_put_failure;
3583 nla_nest_end(skb, desc);
3585 nlmsg_end(skb, nlh);
3589 nlmsg_trim(skb, nlh);
3593 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3594 const struct nft_set *set, int event,
3597 struct sk_buff *skb;
3598 u32 portid = ctx->portid;
3602 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3605 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3609 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3615 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3619 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3622 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3624 const struct nft_set *set;
3625 unsigned int idx, s_idx = cb->args[0];
3626 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3627 struct net *net = sock_net(skb->sk);
3628 struct nft_ctx *ctx = cb->data, ctx_set;
3634 cb->seq = net->nft.base_seq;
3636 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3637 if (ctx->family != NFPROTO_UNSPEC &&
3638 ctx->family != table->family)
3641 if (ctx->table && ctx->table != table)
3645 if (cur_table != table)
3651 list_for_each_entry_rcu(set, &table->sets, list) {
3654 if (!nft_is_active(net, set))
3658 ctx_set.table = table;
3659 ctx_set.family = table->family;
3661 if (nf_tables_fill_set(skb, &ctx_set, set,
3665 cb->args[2] = (unsigned long) table;
3668 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3681 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3683 struct nft_ctx *ctx_dump = NULL;
3685 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3686 if (ctx_dump == NULL)
3689 cb->data = ctx_dump;
3693 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3699 /* called with rcu_read_lock held */
3700 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3701 struct sk_buff *skb, const struct nlmsghdr *nlh,
3702 const struct nlattr * const nla[],
3703 struct netlink_ext_ack *extack)
3705 u8 genmask = nft_genmask_cur(net);
3706 const struct nft_set *set;
3708 struct sk_buff *skb2;
3709 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3712 /* Verify existence before starting dump */
3713 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3718 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3719 struct netlink_dump_control c = {
3720 .start = nf_tables_dump_sets_start,
3721 .dump = nf_tables_dump_sets,
3722 .done = nf_tables_dump_sets_done,
3724 .module = THIS_MODULE,
3727 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3730 /* Only accept unspec with dump */
3731 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3732 return -EAFNOSUPPORT;
3733 if (!nla[NFTA_SET_TABLE])
3736 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3738 return PTR_ERR(set);
3740 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3744 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3748 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3755 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3756 const struct nlattr *nla)
3758 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3761 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3762 nft_set_desc_policy, NULL);
3766 if (da[NFTA_SET_DESC_SIZE] != NULL)
3767 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3772 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3773 struct sk_buff *skb, const struct nlmsghdr *nlh,
3774 const struct nlattr * const nla[],
3775 struct netlink_ext_ack *extack)
3777 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3778 u8 genmask = nft_genmask_next(net);
3779 int family = nfmsg->nfgen_family;
3780 const struct nft_set_ops *ops;
3781 struct nft_table *table;
3782 struct nft_set *set;
3787 u32 ktype, dtype, flags, policy, gc_int, objtype;
3788 struct nft_set_desc desc;
3789 unsigned char *udata;
3793 if (nla[NFTA_SET_TABLE] == NULL ||
3794 nla[NFTA_SET_NAME] == NULL ||
3795 nla[NFTA_SET_KEY_LEN] == NULL ||
3796 nla[NFTA_SET_ID] == NULL)
3799 memset(&desc, 0, sizeof(desc));
3801 ktype = NFT_DATA_VALUE;
3802 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3803 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3804 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3808 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3809 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3813 if (nla[NFTA_SET_FLAGS] != NULL) {
3814 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3815 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3816 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3817 NFT_SET_MAP | NFT_SET_EVAL |
3820 /* Only one of these operations is supported */
3821 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3822 (NFT_SET_MAP | NFT_SET_OBJECT))
3824 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3825 (NFT_SET_EVAL | NFT_SET_OBJECT))
3830 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3831 if (!(flags & NFT_SET_MAP))
3834 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3835 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3836 dtype != NFT_DATA_VERDICT)
3839 if (dtype != NFT_DATA_VERDICT) {
3840 if (nla[NFTA_SET_DATA_LEN] == NULL)
3842 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3843 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3846 desc.dlen = sizeof(struct nft_verdict);
3847 } else if (flags & NFT_SET_MAP)
3850 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3851 if (!(flags & NFT_SET_OBJECT))
3854 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3855 if (objtype == NFT_OBJECT_UNSPEC ||
3856 objtype > NFT_OBJECT_MAX)
3858 } else if (flags & NFT_SET_OBJECT)
3861 objtype = NFT_OBJECT_UNSPEC;
3864 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3865 if (!(flags & NFT_SET_TIMEOUT))
3868 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3873 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3874 if (!(flags & NFT_SET_TIMEOUT))
3876 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3879 policy = NFT_SET_POL_PERFORMANCE;
3880 if (nla[NFTA_SET_POLICY] != NULL)
3881 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3883 if (nla[NFTA_SET_DESC] != NULL) {
3884 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3889 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3890 if (IS_ERR(table)) {
3891 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3892 return PTR_ERR(table);
3895 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3897 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3899 if (PTR_ERR(set) != -ENOENT) {
3900 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3901 return PTR_ERR(set);
3904 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3905 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3908 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3914 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3917 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3919 return PTR_ERR(ops);
3922 if (nla[NFTA_SET_USERDATA])
3923 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3926 if (ops->privsize != NULL)
3927 size = ops->privsize(nla, &desc);
3929 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3935 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3941 err = nf_tables_set_alloc_name(&ctx, set, name);
3948 udata = set->data + size;
3949 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3952 INIT_LIST_HEAD(&set->bindings);
3954 write_pnet(&set->net, net);
3957 set->klen = desc.klen;
3959 set->objtype = objtype;
3960 set->dlen = desc.dlen;
3962 set->size = desc.size;
3963 set->policy = policy;
3966 set->timeout = timeout;
3967 set->gc_int = gc_int;
3968 set->handle = nf_tables_alloc_handle(table);
3970 err = ops->init(set, &desc, nla);
3974 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3978 list_add_tail_rcu(&set->list, &table->sets);
3989 module_put(to_set_type(ops)->owner);
3993 static void nft_set_destroy(struct nft_set *set)
3995 if (WARN_ON(set->use > 0))
3998 set->ops->destroy(set);
3999 module_put(to_set_type(set->ops)->owner);
4004 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4005 struct sk_buff *skb, const struct nlmsghdr *nlh,
4006 const struct nlattr * const nla[],
4007 struct netlink_ext_ack *extack)
4009 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4010 u8 genmask = nft_genmask_next(net);
4011 const struct nlattr *attr;
4012 struct nft_set *set;
4016 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4017 return -EAFNOSUPPORT;
4018 if (nla[NFTA_SET_TABLE] == NULL)
4021 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4026 if (nla[NFTA_SET_HANDLE]) {
4027 attr = nla[NFTA_SET_HANDLE];
4028 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4030 attr = nla[NFTA_SET_NAME];
4031 set = nft_set_lookup(ctx.table, attr, genmask);
4035 NL_SET_BAD_ATTR(extack, attr);
4036 return PTR_ERR(set);
4039 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4040 NL_SET_BAD_ATTR(extack, attr);
4044 return nft_delset(&ctx, set);
4047 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4048 struct nft_set *set,
4049 const struct nft_set_iter *iter,
4050 struct nft_set_elem *elem)
4052 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4053 enum nft_registers dreg;
4055 dreg = nft_type_to_reg(set->dtype);
4056 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4057 set->dtype == NFT_DATA_VERDICT ?
4058 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4062 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4063 struct nft_set_binding *binding)
4065 struct nft_set_binding *i;
4066 struct nft_set_iter iter;
4068 if (set->use == UINT_MAX)
4071 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4074 if (binding->flags & NFT_SET_MAP) {
4075 /* If the set is already bound to the same chain all
4076 * jumps are already validated for that chain.
4078 list_for_each_entry(i, &set->bindings, list) {
4079 if (i->flags & NFT_SET_MAP &&
4080 i->chain == binding->chain)
4084 iter.genmask = nft_genmask_next(ctx->net);
4088 iter.fn = nf_tables_bind_check_setelem;
4090 set->ops->walk(ctx, set, &iter);
4095 binding->chain = ctx->chain;
4096 list_add_tail_rcu(&binding->list, &set->bindings);
4097 nft_set_trans_bind(ctx, set);
4102 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4104 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4105 struct nft_set_binding *binding, bool event)
4107 list_del_rcu(&binding->list);
4109 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4110 list_del_rcu(&set->list);
4112 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4117 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4118 struct nft_set_binding *binding,
4119 enum nft_trans_phase phase)
4122 case NFT_TRANS_PREPARE:
4125 case NFT_TRANS_ABORT:
4126 case NFT_TRANS_RELEASE:
4130 nf_tables_unbind_set(ctx, set, binding,
4131 phase == NFT_TRANS_COMMIT);
4134 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4136 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4138 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4139 nft_set_destroy(set);
4141 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4143 const struct nft_set_ext_type nft_set_ext_types[] = {
4144 [NFT_SET_EXT_KEY] = {
4145 .align = __alignof__(u32),
4147 [NFT_SET_EXT_DATA] = {
4148 .align = __alignof__(u32),
4150 [NFT_SET_EXT_EXPR] = {
4151 .align = __alignof__(struct nft_expr),
4153 [NFT_SET_EXT_OBJREF] = {
4154 .len = sizeof(struct nft_object *),
4155 .align = __alignof__(struct nft_object *),
4157 [NFT_SET_EXT_FLAGS] = {
4159 .align = __alignof__(u8),
4161 [NFT_SET_EXT_TIMEOUT] = {
4163 .align = __alignof__(u64),
4165 [NFT_SET_EXT_EXPIRATION] = {
4167 .align = __alignof__(u64),
4169 [NFT_SET_EXT_USERDATA] = {
4170 .len = sizeof(struct nft_userdata),
4171 .align = __alignof__(struct nft_userdata),
4174 EXPORT_SYMBOL_GPL(nft_set_ext_types);
4180 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4181 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4182 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4183 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4184 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4185 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4186 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4187 .len = NFT_USERDATA_MAXLEN },
4188 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4189 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
4192 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4193 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4194 .len = NFT_TABLE_MAXNAMELEN - 1 },
4195 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4196 .len = NFT_SET_MAXNAMELEN - 1 },
4197 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4198 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4201 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4202 const struct sk_buff *skb,
4203 const struct nlmsghdr *nlh,
4204 const struct nlattr * const nla[],
4205 struct netlink_ext_ack *extack,
4208 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4209 int family = nfmsg->nfgen_family;
4210 struct nft_table *table;
4212 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4214 if (IS_ERR(table)) {
4215 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4216 return PTR_ERR(table);
4219 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4223 static int nf_tables_fill_setelem(struct sk_buff *skb,
4224 const struct nft_set *set,
4225 const struct nft_set_elem *elem)
4227 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4228 unsigned char *b = skb_tail_pointer(skb);
4229 struct nlattr *nest;
4231 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4233 goto nla_put_failure;
4235 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4236 NFT_DATA_VALUE, set->klen) < 0)
4237 goto nla_put_failure;
4239 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4240 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4241 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4243 goto nla_put_failure;
4245 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4246 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4247 goto nla_put_failure;
4249 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4250 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4251 (*nft_set_ext_obj(ext))->key.name) < 0)
4252 goto nla_put_failure;
4254 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4255 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4256 htonl(*nft_set_ext_flags(ext))))
4257 goto nla_put_failure;
4259 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4260 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4261 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4263 goto nla_put_failure;
4265 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4266 u64 expires, now = get_jiffies_64();
4268 expires = *nft_set_ext_expiration(ext);
4269 if (time_before64(now, expires))
4274 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4275 nf_jiffies64_to_msecs(expires),
4277 goto nla_put_failure;
4280 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4281 struct nft_userdata *udata;
4283 udata = nft_set_ext_userdata(ext);
4284 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4285 udata->len + 1, udata->data))
4286 goto nla_put_failure;
4289 nla_nest_end(skb, nest);
4297 struct nft_set_dump_args {
4298 const struct netlink_callback *cb;
4299 struct nft_set_iter iter;
4300 struct sk_buff *skb;
4303 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4304 struct nft_set *set,
4305 const struct nft_set_iter *iter,
4306 struct nft_set_elem *elem)
4308 struct nft_set_dump_args *args;
4310 args = container_of(iter, struct nft_set_dump_args, iter);
4311 return nf_tables_fill_setelem(args->skb, set, elem);
4314 struct nft_set_dump_ctx {
4315 const struct nft_set *set;
4319 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4321 struct nft_set_dump_ctx *dump_ctx = cb->data;
4322 struct net *net = sock_net(skb->sk);
4323 struct nft_table *table;
4324 struct nft_set *set;
4325 struct nft_set_dump_args args;
4326 bool set_found = false;
4327 struct nfgenmsg *nfmsg;
4328 struct nlmsghdr *nlh;
4329 struct nlattr *nest;
4334 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4335 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4336 dump_ctx->ctx.family != table->family)
4339 if (table != dump_ctx->ctx.table)
4342 list_for_each_entry_rcu(set, &table->sets, list) {
4343 if (set == dump_ctx->set) {
4356 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4357 portid = NETLINK_CB(cb->skb).portid;
4358 seq = cb->nlh->nlmsg_seq;
4360 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4363 goto nla_put_failure;
4365 nfmsg = nlmsg_data(nlh);
4366 nfmsg->nfgen_family = table->family;
4367 nfmsg->version = NFNETLINK_V0;
4368 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4370 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4371 goto nla_put_failure;
4372 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4373 goto nla_put_failure;
4375 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4377 goto nla_put_failure;
4381 args.iter.genmask = nft_genmask_cur(net);
4382 args.iter.skip = cb->args[0];
4383 args.iter.count = 0;
4385 args.iter.fn = nf_tables_dump_setelem;
4386 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4389 nla_nest_end(skb, nest);
4390 nlmsg_end(skb, nlh);
4392 if (args.iter.err && args.iter.err != -EMSGSIZE)
4393 return args.iter.err;
4394 if (args.iter.count == cb->args[0])
4397 cb->args[0] = args.iter.count;
4405 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4407 struct nft_set_dump_ctx *dump_ctx = cb->data;
4409 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4411 return cb->data ? 0 : -ENOMEM;
4414 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4420 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4421 const struct nft_ctx *ctx, u32 seq,
4422 u32 portid, int event, u16 flags,
4423 const struct nft_set *set,
4424 const struct nft_set_elem *elem)
4426 struct nfgenmsg *nfmsg;
4427 struct nlmsghdr *nlh;
4428 struct nlattr *nest;
4431 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4432 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4435 goto nla_put_failure;
4437 nfmsg = nlmsg_data(nlh);
4438 nfmsg->nfgen_family = ctx->family;
4439 nfmsg->version = NFNETLINK_V0;
4440 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4442 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4443 goto nla_put_failure;
4444 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4445 goto nla_put_failure;
4447 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4449 goto nla_put_failure;
4451 err = nf_tables_fill_setelem(skb, set, elem);
4453 goto nla_put_failure;
4455 nla_nest_end(skb, nest);
4457 nlmsg_end(skb, nlh);
4461 nlmsg_trim(skb, nlh);
4465 static int nft_setelem_parse_flags(const struct nft_set *set,
4466 const struct nlattr *attr, u32 *flags)
4471 *flags = ntohl(nla_get_be32(attr));
4472 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4474 if (!(set->flags & NFT_SET_INTERVAL) &&
4475 *flags & NFT_SET_ELEM_INTERVAL_END)
4481 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4482 const struct nlattr *attr)
4484 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4485 struct nft_data_desc desc;
4486 struct nft_set_elem elem;
4487 struct sk_buff *skb;
4492 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4493 nft_set_elem_policy, NULL);
4497 if (!nla[NFTA_SET_ELEM_KEY])
4500 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4504 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4505 nla[NFTA_SET_ELEM_KEY]);
4510 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4513 priv = set->ops->get(ctx->net, set, &elem, flags);
4515 return PTR_ERR(priv);
4520 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4524 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4525 NFT_MSG_NEWSETELEM, 0, set, &elem);
4529 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4530 /* This avoids a loop in nfnetlink. */
4538 /* this avoids a loop in nfnetlink. */
4539 return err == -EAGAIN ? -ENOBUFS : err;
4542 /* called with rcu_read_lock held */
4543 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4544 struct sk_buff *skb, const struct nlmsghdr *nlh,
4545 const struct nlattr * const nla[],
4546 struct netlink_ext_ack *extack)
4548 u8 genmask = nft_genmask_cur(net);
4549 struct nft_set *set;
4550 struct nlattr *attr;
4554 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4559 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4561 return PTR_ERR(set);
4563 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4564 struct netlink_dump_control c = {
4565 .start = nf_tables_dump_set_start,
4566 .dump = nf_tables_dump_set,
4567 .done = nf_tables_dump_set_done,
4568 .module = THIS_MODULE,
4570 struct nft_set_dump_ctx dump_ctx = {
4576 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4579 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4582 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4583 err = nft_get_set_elem(&ctx, set, attr);
4591 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4592 const struct nft_set *set,
4593 const struct nft_set_elem *elem,
4594 int event, u16 flags)
4596 struct net *net = ctx->net;
4597 u32 portid = ctx->portid;
4598 struct sk_buff *skb;
4601 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4604 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4608 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4615 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4619 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4622 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4624 struct nft_set *set)
4626 struct nft_trans *trans;
4628 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4632 nft_trans_elem_set(trans) = set;
4636 void *nft_set_elem_init(const struct nft_set *set,
4637 const struct nft_set_ext_tmpl *tmpl,
4638 const u32 *key, const u32 *data,
4639 u64 timeout, u64 expiration, gfp_t gfp)
4641 struct nft_set_ext *ext;
4644 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4648 ext = nft_set_elem_ext(set, elem);
4649 nft_set_ext_init(ext, tmpl);
4651 memcpy(nft_set_ext_key(ext), key, set->klen);
4652 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4653 memcpy(nft_set_ext_data(ext), data, set->dlen);
4654 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4655 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4656 if (expiration == 0)
4657 *nft_set_ext_expiration(ext) += timeout;
4659 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4660 *nft_set_ext_timeout(ext) = timeout;
4665 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4668 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4669 struct nft_ctx ctx = {
4670 .net = read_pnet(&set->net),
4671 .family = set->table->family,
4674 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4675 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4676 nft_data_release(nft_set_ext_data(ext), set->dtype);
4677 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4678 struct nft_expr *expr = nft_set_ext_expr(ext);
4680 if (expr->ops->destroy_clone) {
4681 expr->ops->destroy_clone(&ctx, expr);
4682 module_put(expr->ops->type->owner);
4684 nf_tables_expr_destroy(&ctx, expr);
4687 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4688 (*nft_set_ext_obj(ext))->use--;
4691 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4693 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4694 * the refcounting from the preparation phase.
4696 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4697 const struct nft_set *set, void *elem)
4699 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4701 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4702 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4706 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4707 const struct nlattr *attr, u32 nlmsg_flags)
4709 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4710 u8 genmask = nft_genmask_next(ctx->net);
4711 struct nft_data_desc d1, d2;
4712 struct nft_set_ext_tmpl tmpl;
4713 struct nft_set_ext *ext, *ext2;
4714 struct nft_set_elem elem;
4715 struct nft_set_binding *binding;
4716 struct nft_object *obj = NULL;
4717 struct nft_userdata *udata;
4718 struct nft_data data;
4719 enum nft_registers dreg;
4720 struct nft_trans *trans;
4727 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4728 nft_set_elem_policy, NULL);
4732 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4735 nft_set_ext_prepare(&tmpl);
4737 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4741 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4743 if (set->flags & NFT_SET_MAP) {
4744 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4745 !(flags & NFT_SET_ELEM_INTERVAL_END))
4747 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4748 flags & NFT_SET_ELEM_INTERVAL_END)
4751 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4756 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4757 if (!(set->flags & NFT_SET_TIMEOUT))
4759 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4763 } else if (set->flags & NFT_SET_TIMEOUT) {
4764 timeout = set->timeout;
4768 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
4769 if (!(set->flags & NFT_SET_TIMEOUT))
4771 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
4777 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4778 nla[NFTA_SET_ELEM_KEY]);
4782 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4785 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4787 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4788 if (timeout != set->timeout)
4789 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4792 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4793 if (!(set->flags & NFT_SET_OBJECT)) {
4797 obj = nft_obj_lookup(ctx->net, ctx->table,
4798 nla[NFTA_SET_ELEM_OBJREF],
4799 set->objtype, genmask);
4804 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4807 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4808 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4809 nla[NFTA_SET_ELEM_DATA]);
4814 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4817 dreg = nft_type_to_reg(set->dtype);
4818 list_for_each_entry(binding, &set->bindings, list) {
4819 struct nft_ctx bind_ctx = {
4821 .family = ctx->family,
4822 .table = ctx->table,
4823 .chain = (struct nft_chain *)binding->chain,
4826 if (!(binding->flags & NFT_SET_MAP))
4829 err = nft_validate_register_store(&bind_ctx, dreg,
4835 if (d2.type == NFT_DATA_VERDICT &&
4836 (data.verdict.code == NFT_GOTO ||
4837 data.verdict.code == NFT_JUMP))
4838 nft_validate_state_update(ctx->net,
4842 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4845 /* The full maximum length of userdata can exceed the maximum
4846 * offset value (U8_MAX) for following extensions, therefor it
4847 * must be the last extension added.
4850 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4851 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4853 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4858 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4859 timeout, expiration, GFP_KERNEL);
4860 if (elem.priv == NULL)
4863 ext = nft_set_elem_ext(set, elem.priv);
4865 *nft_set_ext_flags(ext) = flags;
4867 udata = nft_set_ext_userdata(ext);
4868 udata->len = ulen - 1;
4869 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4872 *nft_set_ext_obj(ext) = obj;
4876 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4880 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4881 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4883 if (err == -EEXIST) {
4884 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4885 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4886 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4887 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4891 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4892 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4893 memcmp(nft_set_ext_data(ext),
4894 nft_set_ext_data(ext2), set->dlen) != 0) ||
4895 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4896 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4897 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4899 else if (!(nlmsg_flags & NLM_F_EXCL))
4906 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4911 nft_trans_elem(trans) = elem;
4912 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4916 set->ops->remove(ctx->net, set, &elem);
4924 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4925 nft_data_release(&data, d2.type);
4927 nft_data_release(&elem.key.val, d1.type);
4932 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4933 struct sk_buff *skb, const struct nlmsghdr *nlh,
4934 const struct nlattr * const nla[],
4935 struct netlink_ext_ack *extack)
4937 u8 genmask = nft_genmask_next(net);
4938 const struct nlattr *attr;
4939 struct nft_set *set;
4943 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4946 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4951 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4952 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4954 return PTR_ERR(set);
4956 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4959 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4960 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4965 if (net->nft.validate_state == NFT_VALIDATE_DO)
4966 return nft_table_validate(net, ctx.table);
4972 * nft_data_hold - hold a nft_data item
4974 * @data: struct nft_data to release
4975 * @type: type of data
4977 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4978 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4979 * NFT_GOTO verdicts. This function must be called on active data objects
4980 * from the second phase of the commit protocol.
4982 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4984 if (type == NFT_DATA_VERDICT) {
4985 switch (data->verdict.code) {
4988 data->verdict.chain->use++;
4994 static void nft_set_elem_activate(const struct net *net,
4995 const struct nft_set *set,
4996 struct nft_set_elem *elem)
4998 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5000 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5001 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5002 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5003 (*nft_set_ext_obj(ext))->use++;
5006 static void nft_set_elem_deactivate(const struct net *net,
5007 const struct nft_set *set,
5008 struct nft_set_elem *elem)
5010 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5012 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5013 nft_data_release(nft_set_ext_data(ext), set->dtype);
5014 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5015 (*nft_set_ext_obj(ext))->use--;
5018 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5019 const struct nlattr *attr)
5021 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5022 struct nft_set_ext_tmpl tmpl;
5023 struct nft_data_desc desc;
5024 struct nft_set_elem elem;
5025 struct nft_set_ext *ext;
5026 struct nft_trans *trans;
5031 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5032 nft_set_elem_policy, NULL);
5037 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5040 nft_set_ext_prepare(&tmpl);
5042 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5046 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5048 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
5049 nla[NFTA_SET_ELEM_KEY]);
5054 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
5057 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
5060 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
5062 if (elem.priv == NULL)
5065 ext = nft_set_elem_ext(set, elem.priv);
5067 *nft_set_ext_flags(ext) = flags;
5069 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5070 if (trans == NULL) {
5075 priv = set->ops->deactivate(ctx->net, set, &elem);
5083 nft_set_elem_deactivate(ctx->net, set, &elem);
5085 nft_trans_elem(trans) = elem;
5086 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5094 nft_data_release(&elem.key.val, desc.type);
5099 static int nft_flush_set(const struct nft_ctx *ctx,
5100 struct nft_set *set,
5101 const struct nft_set_iter *iter,
5102 struct nft_set_elem *elem)
5104 struct nft_trans *trans;
5107 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5108 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5112 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5118 nft_set_elem_deactivate(ctx->net, set, elem);
5119 nft_trans_elem_set(trans) = set;
5120 nft_trans_elem(trans) = *elem;
5121 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5129 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5130 struct sk_buff *skb, const struct nlmsghdr *nlh,
5131 const struct nlattr * const nla[],
5132 struct netlink_ext_ack *extack)
5134 u8 genmask = nft_genmask_next(net);
5135 const struct nlattr *attr;
5136 struct nft_set *set;
5140 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5145 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5147 return PTR_ERR(set);
5148 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5151 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5152 struct nft_set_iter iter = {
5154 .fn = nft_flush_set,
5156 set->ops->walk(&ctx, set, &iter);
5161 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5162 err = nft_del_setelem(&ctx, set, attr);
5171 void nft_set_gc_batch_release(struct rcu_head *rcu)
5173 struct nft_set_gc_batch *gcb;
5176 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5177 for (i = 0; i < gcb->head.cnt; i++)
5178 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5181 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
5183 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5186 struct nft_set_gc_batch *gcb;
5188 gcb = kzalloc(sizeof(*gcb), gfp);
5191 gcb->head.set = set;
5194 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
5201 * nft_register_obj- register nf_tables stateful object type
5204 * Registers the object type for use with nf_tables. Returns zero on
5205 * success or a negative errno code otherwise.
5207 int nft_register_obj(struct nft_object_type *obj_type)
5209 if (obj_type->type == NFT_OBJECT_UNSPEC)
5212 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5213 list_add_rcu(&obj_type->list, &nf_tables_objects);
5214 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5217 EXPORT_SYMBOL_GPL(nft_register_obj);
5220 * nft_unregister_obj - unregister nf_tables object type
5223 * Unregisters the object type for use with nf_tables.
5225 void nft_unregister_obj(struct nft_object_type *obj_type)
5227 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5228 list_del_rcu(&obj_type->list);
5229 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5231 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5233 struct nft_object *nft_obj_lookup(const struct net *net,
5234 const struct nft_table *table,
5235 const struct nlattr *nla, u32 objtype,
5238 struct nft_object_hash_key k = { .table = table };
5239 char search[NFT_OBJ_MAXNAMELEN];
5240 struct rhlist_head *tmp, *list;
5241 struct nft_object *obj;
5243 nla_strlcpy(search, nla, sizeof(search));
5246 WARN_ON_ONCE(!rcu_read_lock_held() &&
5247 !lockdep_commit_lock_is_held(net));
5250 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5254 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5255 if (objtype == obj->ops->type->type &&
5256 nft_active_genmask(obj, genmask)) {
5263 return ERR_PTR(-ENOENT);
5265 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5267 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5268 const struct nlattr *nla,
5269 u32 objtype, u8 genmask)
5271 struct nft_object *obj;
5273 list_for_each_entry(obj, &table->objects, list) {
5274 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5275 objtype == obj->ops->type->type &&
5276 nft_active_genmask(obj, genmask))
5279 return ERR_PTR(-ENOENT);
5282 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5283 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5284 .len = NFT_TABLE_MAXNAMELEN - 1 },
5285 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5286 .len = NFT_OBJ_MAXNAMELEN - 1 },
5287 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5288 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5289 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5292 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5293 const struct nft_object_type *type,
5294 const struct nlattr *attr)
5297 const struct nft_object_ops *ops;
5298 struct nft_object *obj;
5301 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5306 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5307 type->policy, NULL);
5311 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5314 if (type->select_ops) {
5315 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5325 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5329 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5342 return ERR_PTR(err);
5345 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5346 struct nft_object *obj, bool reset)
5348 struct nlattr *nest;
5350 nest = nla_nest_start_noflag(skb, attr);
5352 goto nla_put_failure;
5353 if (obj->ops->dump(skb, obj, reset) < 0)
5354 goto nla_put_failure;
5355 nla_nest_end(skb, nest);
5362 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5364 const struct nft_object_type *type;
5366 list_for_each_entry(type, &nf_tables_objects, list) {
5367 if (objtype == type->type)
5373 static const struct nft_object_type *
5374 nft_obj_type_get(struct net *net, u32 objtype)
5376 const struct nft_object_type *type;
5378 type = __nft_obj_type_get(objtype);
5379 if (type != NULL && try_module_get(type->owner))
5382 lockdep_nfnl_nft_mutex_not_held();
5383 #ifdef CONFIG_MODULES
5385 nft_request_module(net, "nft-obj-%u", objtype);
5386 if (__nft_obj_type_get(objtype))
5387 return ERR_PTR(-EAGAIN);
5390 return ERR_PTR(-ENOENT);
5393 static int nf_tables_updobj(const struct nft_ctx *ctx,
5394 const struct nft_object_type *type,
5395 const struct nlattr *attr,
5396 struct nft_object *obj)
5398 struct nft_object *newobj;
5399 struct nft_trans *trans;
5402 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5403 sizeof(struct nft_trans_obj));
5407 newobj = nft_obj_init(ctx, type, attr);
5408 if (IS_ERR(newobj)) {
5409 err = PTR_ERR(newobj);
5410 goto err_free_trans;
5413 nft_trans_obj(trans) = obj;
5414 nft_trans_obj_update(trans) = true;
5415 nft_trans_obj_newobj(trans) = newobj;
5416 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5425 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5426 struct sk_buff *skb, const struct nlmsghdr *nlh,
5427 const struct nlattr * const nla[],
5428 struct netlink_ext_ack *extack)
5430 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5431 const struct nft_object_type *type;
5432 u8 genmask = nft_genmask_next(net);
5433 int family = nfmsg->nfgen_family;
5434 struct nft_table *table;
5435 struct nft_object *obj;
5440 if (!nla[NFTA_OBJ_TYPE] ||
5441 !nla[NFTA_OBJ_NAME] ||
5442 !nla[NFTA_OBJ_DATA])
5445 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5446 if (IS_ERR(table)) {
5447 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5448 return PTR_ERR(table);
5451 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5452 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5455 if (err != -ENOENT) {
5456 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5460 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5461 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5464 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5467 type = nft_obj_type_get(net, objtype);
5468 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5470 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5473 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5475 type = nft_obj_type_get(net, objtype);
5477 return PTR_ERR(type);
5479 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5484 obj->key.table = table;
5485 obj->handle = nf_tables_alloc_handle(table);
5487 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5488 if (!obj->key.name) {
5493 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5497 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5498 nft_objname_ht_params);
5502 list_add_tail_rcu(&obj->list, &table->objects);
5506 /* queued in transaction log */
5507 INIT_LIST_HEAD(&obj->list);
5510 kfree(obj->key.name);
5512 if (obj->ops->destroy)
5513 obj->ops->destroy(&ctx, obj);
5516 module_put(type->owner);
5520 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5521 u32 portid, u32 seq, int event, u32 flags,
5522 int family, const struct nft_table *table,
5523 struct nft_object *obj, bool reset)
5525 struct nfgenmsg *nfmsg;
5526 struct nlmsghdr *nlh;
5528 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5529 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5531 goto nla_put_failure;
5533 nfmsg = nlmsg_data(nlh);
5534 nfmsg->nfgen_family = family;
5535 nfmsg->version = NFNETLINK_V0;
5536 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5538 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5539 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5540 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5541 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5542 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5543 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5545 goto nla_put_failure;
5547 nlmsg_end(skb, nlh);
5551 nlmsg_trim(skb, nlh);
5555 struct nft_obj_filter {
5560 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5562 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5563 const struct nft_table *table;
5564 unsigned int idx = 0, s_idx = cb->args[0];
5565 struct nft_obj_filter *filter = cb->data;
5566 struct net *net = sock_net(skb->sk);
5567 int family = nfmsg->nfgen_family;
5568 struct nft_object *obj;
5571 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5575 cb->seq = net->nft.base_seq;
5577 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5578 if (family != NFPROTO_UNSPEC && family != table->family)
5581 list_for_each_entry_rcu(obj, &table->objects, list) {
5582 if (!nft_is_active(net, obj))
5587 memset(&cb->args[1], 0,
5588 sizeof(cb->args) - sizeof(cb->args[0]));
5589 if (filter && filter->table &&
5590 strcmp(filter->table, table->name))
5593 filter->type != NFT_OBJECT_UNSPEC &&
5594 obj->ops->type->type != filter->type)
5597 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5600 NLM_F_MULTI | NLM_F_APPEND,
5601 table->family, table,
5605 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5617 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5619 const struct nlattr * const *nla = cb->data;
5620 struct nft_obj_filter *filter = NULL;
5622 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5623 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5627 if (nla[NFTA_OBJ_TABLE]) {
5628 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5629 if (!filter->table) {
5635 if (nla[NFTA_OBJ_TYPE])
5636 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5643 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5645 struct nft_obj_filter *filter = cb->data;
5648 kfree(filter->table);
5655 /* called with rcu_read_lock held */
5656 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5657 struct sk_buff *skb, const struct nlmsghdr *nlh,
5658 const struct nlattr * const nla[],
5659 struct netlink_ext_ack *extack)
5661 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5662 u8 genmask = nft_genmask_cur(net);
5663 int family = nfmsg->nfgen_family;
5664 const struct nft_table *table;
5665 struct nft_object *obj;
5666 struct sk_buff *skb2;
5671 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5672 struct netlink_dump_control c = {
5673 .start = nf_tables_dump_obj_start,
5674 .dump = nf_tables_dump_obj,
5675 .done = nf_tables_dump_obj_done,
5676 .module = THIS_MODULE,
5677 .data = (void *)nla,
5680 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5683 if (!nla[NFTA_OBJ_NAME] ||
5684 !nla[NFTA_OBJ_TYPE])
5687 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5688 if (IS_ERR(table)) {
5689 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5690 return PTR_ERR(table);
5693 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5694 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5696 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5697 return PTR_ERR(obj);
5700 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5704 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5707 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5708 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5709 family, table, obj, reset);
5713 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5719 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5721 if (obj->ops->destroy)
5722 obj->ops->destroy(ctx, obj);
5724 module_put(obj->ops->type->owner);
5725 kfree(obj->key.name);
5729 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5730 struct sk_buff *skb, const struct nlmsghdr *nlh,
5731 const struct nlattr * const nla[],
5732 struct netlink_ext_ack *extack)
5734 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5735 u8 genmask = nft_genmask_next(net);
5736 int family = nfmsg->nfgen_family;
5737 const struct nlattr *attr;
5738 struct nft_table *table;
5739 struct nft_object *obj;
5743 if (!nla[NFTA_OBJ_TYPE] ||
5744 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5747 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5748 if (IS_ERR(table)) {
5749 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5750 return PTR_ERR(table);
5753 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5754 if (nla[NFTA_OBJ_HANDLE]) {
5755 attr = nla[NFTA_OBJ_HANDLE];
5756 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5758 attr = nla[NFTA_OBJ_NAME];
5759 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5763 NL_SET_BAD_ATTR(extack, attr);
5764 return PTR_ERR(obj);
5767 NL_SET_BAD_ATTR(extack, attr);
5771 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5773 return nft_delobj(&ctx, obj);
5776 void nft_obj_notify(struct net *net, const struct nft_table *table,
5777 struct nft_object *obj, u32 portid, u32 seq, int event,
5778 int family, int report, gfp_t gfp)
5780 struct sk_buff *skb;
5784 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5787 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5791 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5798 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5801 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5803 EXPORT_SYMBOL_GPL(nft_obj_notify);
5805 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5806 struct nft_object *obj, int event)
5808 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5809 ctx->family, ctx->report, GFP_KERNEL);
5815 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5817 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5818 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5819 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5821 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5823 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5825 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5826 list_del_rcu(&type->list);
5827 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5829 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5831 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5832 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5833 .len = NFT_NAME_MAXLEN - 1 },
5834 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5835 .len = NFT_NAME_MAXLEN - 1 },
5836 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5837 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5840 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5841 const struct nlattr *nla, u8 genmask)
5843 struct nft_flowtable *flowtable;
5845 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5846 if (!nla_strcmp(nla, flowtable->name) &&
5847 nft_active_genmask(flowtable, genmask))
5850 return ERR_PTR(-ENOENT);
5852 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5854 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
5855 struct nft_flowtable *flowtable,
5856 enum nft_trans_phase phase)
5859 case NFT_TRANS_PREPARE:
5860 case NFT_TRANS_ABORT:
5861 case NFT_TRANS_RELEASE:
5868 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
5870 static struct nft_flowtable *
5871 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5872 const struct nlattr *nla, u8 genmask)
5874 struct nft_flowtable *flowtable;
5876 list_for_each_entry(flowtable, &table->flowtables, list) {
5877 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5878 nft_active_genmask(flowtable, genmask))
5881 return ERR_PTR(-ENOENT);
5884 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5885 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5886 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5887 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5890 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5891 const struct nlattr *attr,
5892 struct nft_flowtable *flowtable)
5894 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5895 struct nft_hook *hook;
5896 int hooknum, priority;
5899 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5900 nft_flowtable_hook_policy, NULL);
5904 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5905 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5906 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5909 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5910 if (hooknum != NF_NETDEV_INGRESS)
5913 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5915 err = nf_tables_parse_netdev_hooks(ctx->net,
5916 tb[NFTA_FLOWTABLE_HOOK_DEVS],
5917 &flowtable->hook_list);
5921 flowtable->hooknum = hooknum;
5922 flowtable->data.priority = priority;
5924 list_for_each_entry(hook, &flowtable->hook_list, list) {
5925 hook->ops.pf = NFPROTO_NETDEV;
5926 hook->ops.hooknum = hooknum;
5927 hook->ops.priority = priority;
5928 hook->ops.priv = &flowtable->data;
5929 hook->ops.hook = flowtable->data.type->hook;
5935 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5937 const struct nf_flowtable_type *type;
5939 list_for_each_entry(type, &nf_tables_flowtables, list) {
5940 if (family == type->family)
5946 static const struct nf_flowtable_type *
5947 nft_flowtable_type_get(struct net *net, u8 family)
5949 const struct nf_flowtable_type *type;
5951 type = __nft_flowtable_type_get(family);
5952 if (type != NULL && try_module_get(type->owner))
5955 lockdep_nfnl_nft_mutex_not_held();
5956 #ifdef CONFIG_MODULES
5958 nft_request_module(net, "nf-flowtable-%u", family);
5959 if (__nft_flowtable_type_get(family))
5960 return ERR_PTR(-EAGAIN);
5963 return ERR_PTR(-ENOENT);
5966 static void nft_unregister_flowtable_net_hooks(struct net *net,
5967 struct nft_flowtable *flowtable)
5969 struct nft_hook *hook;
5971 list_for_each_entry(hook, &flowtable->hook_list, list)
5972 nf_unregister_net_hook(net, &hook->ops);
5975 static int nft_register_flowtable_net_hooks(struct net *net,
5976 struct nft_table *table,
5977 struct nft_flowtable *flowtable)
5979 struct nft_hook *hook, *hook2, *next;
5980 struct nft_flowtable *ft;
5983 list_for_each_entry(hook, &flowtable->hook_list, list) {
5984 list_for_each_entry(ft, &table->flowtables, list) {
5985 list_for_each_entry(hook2, &ft->hook_list, list) {
5986 if (hook->ops.dev == hook2->ops.dev &&
5987 hook->ops.pf == hook2->ops.pf) {
5989 goto err_unregister_net_hooks;
5994 err = nf_register_net_hook(net, &hook->ops);
5996 goto err_unregister_net_hooks;
6003 err_unregister_net_hooks:
6004 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6008 nf_unregister_net_hook(net, &hook->ops);
6009 list_del_rcu(&hook->list);
6010 kfree_rcu(hook, rcu);
6016 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6017 struct sk_buff *skb,
6018 const struct nlmsghdr *nlh,
6019 const struct nlattr * const nla[],
6020 struct netlink_ext_ack *extack)
6022 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6023 const struct nf_flowtable_type *type;
6024 u8 genmask = nft_genmask_next(net);
6025 int family = nfmsg->nfgen_family;
6026 struct nft_flowtable *flowtable;
6027 struct nft_hook *hook, *next;
6028 struct nft_table *table;
6032 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6033 !nla[NFTA_FLOWTABLE_NAME] ||
6034 !nla[NFTA_FLOWTABLE_HOOK])
6037 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6039 if (IS_ERR(table)) {
6040 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6041 return PTR_ERR(table);
6044 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6046 if (IS_ERR(flowtable)) {
6047 err = PTR_ERR(flowtable);
6048 if (err != -ENOENT) {
6049 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6053 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6054 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6061 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6063 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6067 flowtable->table = table;
6068 flowtable->handle = nf_tables_alloc_handle(table);
6069 INIT_LIST_HEAD(&flowtable->hook_list);
6071 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6072 if (!flowtable->name) {
6077 type = nft_flowtable_type_get(net, family);
6079 err = PTR_ERR(type);
6083 flowtable->data.type = type;
6084 err = type->init(&flowtable->data);
6088 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6093 err = nft_register_flowtable_net_hooks(ctx.net, table, flowtable);
6097 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6101 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6106 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6107 nf_unregister_net_hook(net, &hook->ops);
6108 list_del_rcu(&hook->list);
6109 kfree_rcu(hook, rcu);
6112 flowtable->data.type->free(&flowtable->data);
6114 module_put(type->owner);
6116 kfree(flowtable->name);
6122 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6123 struct sk_buff *skb,
6124 const struct nlmsghdr *nlh,
6125 const struct nlattr * const nla[],
6126 struct netlink_ext_ack *extack)
6128 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6129 u8 genmask = nft_genmask_next(net);
6130 int family = nfmsg->nfgen_family;
6131 struct nft_flowtable *flowtable;
6132 const struct nlattr *attr;
6133 struct nft_table *table;
6136 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6137 (!nla[NFTA_FLOWTABLE_NAME] &&
6138 !nla[NFTA_FLOWTABLE_HANDLE]))
6141 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6143 if (IS_ERR(table)) {
6144 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6145 return PTR_ERR(table);
6148 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6149 attr = nla[NFTA_FLOWTABLE_HANDLE];
6150 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6152 attr = nla[NFTA_FLOWTABLE_NAME];
6153 flowtable = nft_flowtable_lookup(table, attr, genmask);
6156 if (IS_ERR(flowtable)) {
6157 NL_SET_BAD_ATTR(extack, attr);
6158 return PTR_ERR(flowtable);
6160 if (flowtable->use > 0) {
6161 NL_SET_BAD_ATTR(extack, attr);
6165 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6167 return nft_delflowtable(&ctx, flowtable);
6170 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6171 u32 portid, u32 seq, int event,
6172 u32 flags, int family,
6173 struct nft_flowtable *flowtable)
6175 struct nlattr *nest, *nest_devs;
6176 struct nfgenmsg *nfmsg;
6177 struct nft_hook *hook;
6178 struct nlmsghdr *nlh;
6180 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6181 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6183 goto nla_put_failure;
6185 nfmsg = nlmsg_data(nlh);
6186 nfmsg->nfgen_family = family;
6187 nfmsg->version = NFNETLINK_V0;
6188 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6190 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6191 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6192 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6193 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6194 NFTA_FLOWTABLE_PAD))
6195 goto nla_put_failure;
6197 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6199 goto nla_put_failure;
6200 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6201 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6202 goto nla_put_failure;
6204 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6206 goto nla_put_failure;
6208 list_for_each_entry_rcu(hook, &flowtable->hook_list, list) {
6209 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6210 goto nla_put_failure;
6212 nla_nest_end(skb, nest_devs);
6213 nla_nest_end(skb, nest);
6215 nlmsg_end(skb, nlh);
6219 nlmsg_trim(skb, nlh);
6223 struct nft_flowtable_filter {
6227 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6228 struct netlink_callback *cb)
6230 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6231 struct nft_flowtable_filter *filter = cb->data;
6232 unsigned int idx = 0, s_idx = cb->args[0];
6233 struct net *net = sock_net(skb->sk);
6234 int family = nfmsg->nfgen_family;
6235 struct nft_flowtable *flowtable;
6236 const struct nft_table *table;
6239 cb->seq = net->nft.base_seq;
6241 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6242 if (family != NFPROTO_UNSPEC && family != table->family)
6245 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6246 if (!nft_is_active(net, flowtable))
6251 memset(&cb->args[1], 0,
6252 sizeof(cb->args) - sizeof(cb->args[0]));
6253 if (filter && filter->table &&
6254 strcmp(filter->table, table->name))
6257 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6259 NFT_MSG_NEWFLOWTABLE,
6260 NLM_F_MULTI | NLM_F_APPEND,
6261 table->family, flowtable) < 0)
6264 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6276 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6278 const struct nlattr * const *nla = cb->data;
6279 struct nft_flowtable_filter *filter = NULL;
6281 if (nla[NFTA_FLOWTABLE_TABLE]) {
6282 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6286 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6288 if (!filter->table) {
6298 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6300 struct nft_flowtable_filter *filter = cb->data;
6305 kfree(filter->table);
6311 /* called with rcu_read_lock held */
6312 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6313 struct sk_buff *skb,
6314 const struct nlmsghdr *nlh,
6315 const struct nlattr * const nla[],
6316 struct netlink_ext_ack *extack)
6318 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6319 u8 genmask = nft_genmask_cur(net);
6320 int family = nfmsg->nfgen_family;
6321 struct nft_flowtable *flowtable;
6322 const struct nft_table *table;
6323 struct sk_buff *skb2;
6326 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6327 struct netlink_dump_control c = {
6328 .start = nf_tables_dump_flowtable_start,
6329 .dump = nf_tables_dump_flowtable,
6330 .done = nf_tables_dump_flowtable_done,
6331 .module = THIS_MODULE,
6332 .data = (void *)nla,
6335 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6338 if (!nla[NFTA_FLOWTABLE_NAME])
6341 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6344 return PTR_ERR(table);
6346 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6348 if (IS_ERR(flowtable))
6349 return PTR_ERR(flowtable);
6351 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6355 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6357 NFT_MSG_NEWFLOWTABLE, 0, family,
6362 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6368 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6369 struct nft_flowtable *flowtable,
6372 struct sk_buff *skb;
6376 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6379 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6383 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6385 ctx->family, flowtable);
6391 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6392 ctx->report, GFP_KERNEL);
6395 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6398 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6400 struct nft_hook *hook, *next;
6402 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6403 list_del_rcu(&hook->list);
6406 kfree(flowtable->name);
6407 flowtable->data.type->free(&flowtable->data);
6408 module_put(flowtable->data.type->owner);
6412 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6413 u32 portid, u32 seq)
6415 struct nlmsghdr *nlh;
6416 struct nfgenmsg *nfmsg;
6417 char buf[TASK_COMM_LEN];
6418 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6420 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6422 goto nla_put_failure;
6424 nfmsg = nlmsg_data(nlh);
6425 nfmsg->nfgen_family = AF_UNSPEC;
6426 nfmsg->version = NFNETLINK_V0;
6427 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6429 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6430 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6431 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6432 goto nla_put_failure;
6434 nlmsg_end(skb, nlh);
6438 nlmsg_trim(skb, nlh);
6442 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6443 struct nft_flowtable *flowtable)
6445 struct nft_hook *hook;
6447 list_for_each_entry(hook, &flowtable->hook_list, list) {
6448 if (hook->ops.dev != dev)
6451 nf_unregister_net_hook(dev_net(dev), &hook->ops);
6452 list_del_rcu(&hook->list);
6453 kfree_rcu(hook, rcu);
6458 static int nf_tables_flowtable_event(struct notifier_block *this,
6459 unsigned long event, void *ptr)
6461 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6462 struct nft_flowtable *flowtable;
6463 struct nft_table *table;
6466 if (event != NETDEV_UNREGISTER)
6470 mutex_lock(&net->nft.commit_mutex);
6471 list_for_each_entry(table, &net->nft.tables, list) {
6472 list_for_each_entry(flowtable, &table->flowtables, list) {
6473 nft_flowtable_event(event, dev, flowtable);
6476 mutex_unlock(&net->nft.commit_mutex);
6481 static struct notifier_block nf_tables_flowtable_notifier = {
6482 .notifier_call = nf_tables_flowtable_event,
6485 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6488 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6489 struct sk_buff *skb2;
6492 if (nlmsg_report(nlh) &&
6493 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6496 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6500 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6507 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6508 nlmsg_report(nlh), GFP_KERNEL);
6511 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6515 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6516 struct sk_buff *skb, const struct nlmsghdr *nlh,
6517 const struct nlattr * const nla[],
6518 struct netlink_ext_ack *extack)
6520 struct sk_buff *skb2;
6523 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6527 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6532 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6538 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6539 [NFT_MSG_NEWTABLE] = {
6540 .call_batch = nf_tables_newtable,
6541 .attr_count = NFTA_TABLE_MAX,
6542 .policy = nft_table_policy,
6544 [NFT_MSG_GETTABLE] = {
6545 .call_rcu = nf_tables_gettable,
6546 .attr_count = NFTA_TABLE_MAX,
6547 .policy = nft_table_policy,
6549 [NFT_MSG_DELTABLE] = {
6550 .call_batch = nf_tables_deltable,
6551 .attr_count = NFTA_TABLE_MAX,
6552 .policy = nft_table_policy,
6554 [NFT_MSG_NEWCHAIN] = {
6555 .call_batch = nf_tables_newchain,
6556 .attr_count = NFTA_CHAIN_MAX,
6557 .policy = nft_chain_policy,
6559 [NFT_MSG_GETCHAIN] = {
6560 .call_rcu = nf_tables_getchain,
6561 .attr_count = NFTA_CHAIN_MAX,
6562 .policy = nft_chain_policy,
6564 [NFT_MSG_DELCHAIN] = {
6565 .call_batch = nf_tables_delchain,
6566 .attr_count = NFTA_CHAIN_MAX,
6567 .policy = nft_chain_policy,
6569 [NFT_MSG_NEWRULE] = {
6570 .call_batch = nf_tables_newrule,
6571 .attr_count = NFTA_RULE_MAX,
6572 .policy = nft_rule_policy,
6574 [NFT_MSG_GETRULE] = {
6575 .call_rcu = nf_tables_getrule,
6576 .attr_count = NFTA_RULE_MAX,
6577 .policy = nft_rule_policy,
6579 [NFT_MSG_DELRULE] = {
6580 .call_batch = nf_tables_delrule,
6581 .attr_count = NFTA_RULE_MAX,
6582 .policy = nft_rule_policy,
6584 [NFT_MSG_NEWSET] = {
6585 .call_batch = nf_tables_newset,
6586 .attr_count = NFTA_SET_MAX,
6587 .policy = nft_set_policy,
6589 [NFT_MSG_GETSET] = {
6590 .call_rcu = nf_tables_getset,
6591 .attr_count = NFTA_SET_MAX,
6592 .policy = nft_set_policy,
6594 [NFT_MSG_DELSET] = {
6595 .call_batch = nf_tables_delset,
6596 .attr_count = NFTA_SET_MAX,
6597 .policy = nft_set_policy,
6599 [NFT_MSG_NEWSETELEM] = {
6600 .call_batch = nf_tables_newsetelem,
6601 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6602 .policy = nft_set_elem_list_policy,
6604 [NFT_MSG_GETSETELEM] = {
6605 .call_rcu = nf_tables_getsetelem,
6606 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6607 .policy = nft_set_elem_list_policy,
6609 [NFT_MSG_DELSETELEM] = {
6610 .call_batch = nf_tables_delsetelem,
6611 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6612 .policy = nft_set_elem_list_policy,
6614 [NFT_MSG_GETGEN] = {
6615 .call_rcu = nf_tables_getgen,
6617 [NFT_MSG_NEWOBJ] = {
6618 .call_batch = nf_tables_newobj,
6619 .attr_count = NFTA_OBJ_MAX,
6620 .policy = nft_obj_policy,
6622 [NFT_MSG_GETOBJ] = {
6623 .call_rcu = nf_tables_getobj,
6624 .attr_count = NFTA_OBJ_MAX,
6625 .policy = nft_obj_policy,
6627 [NFT_MSG_DELOBJ] = {
6628 .call_batch = nf_tables_delobj,
6629 .attr_count = NFTA_OBJ_MAX,
6630 .policy = nft_obj_policy,
6632 [NFT_MSG_GETOBJ_RESET] = {
6633 .call_rcu = nf_tables_getobj,
6634 .attr_count = NFTA_OBJ_MAX,
6635 .policy = nft_obj_policy,
6637 [NFT_MSG_NEWFLOWTABLE] = {
6638 .call_batch = nf_tables_newflowtable,
6639 .attr_count = NFTA_FLOWTABLE_MAX,
6640 .policy = nft_flowtable_policy,
6642 [NFT_MSG_GETFLOWTABLE] = {
6643 .call_rcu = nf_tables_getflowtable,
6644 .attr_count = NFTA_FLOWTABLE_MAX,
6645 .policy = nft_flowtable_policy,
6647 [NFT_MSG_DELFLOWTABLE] = {
6648 .call_batch = nf_tables_delflowtable,
6649 .attr_count = NFTA_FLOWTABLE_MAX,
6650 .policy = nft_flowtable_policy,
6654 static int nf_tables_validate(struct net *net)
6656 struct nft_table *table;
6658 switch (net->nft.validate_state) {
6659 case NFT_VALIDATE_SKIP:
6661 case NFT_VALIDATE_NEED:
6662 nft_validate_state_update(net, NFT_VALIDATE_DO);
6664 case NFT_VALIDATE_DO:
6665 list_for_each_entry(table, &net->nft.tables, list) {
6666 if (nft_table_validate(net, table) < 0)
6675 /* a drop policy has to be deferred until all rules have been activated,
6676 * otherwise a large ruleset that contains a drop-policy base chain will
6677 * cause all packets to get dropped until the full transaction has been
6680 * We defer the drop policy until the transaction has been finalized.
6682 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6684 struct nft_base_chain *basechain;
6686 if (nft_trans_chain_policy(trans) != NF_DROP)
6689 if (!nft_is_base_chain(trans->ctx.chain))
6692 basechain = nft_base_chain(trans->ctx.chain);
6693 basechain->policy = NF_DROP;
6696 static void nft_chain_commit_update(struct nft_trans *trans)
6698 struct nft_base_chain *basechain;
6700 if (nft_trans_chain_name(trans)) {
6701 rhltable_remove(&trans->ctx.table->chains_ht,
6702 &trans->ctx.chain->rhlhead,
6703 nft_chain_ht_params);
6704 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6705 rhltable_insert_key(&trans->ctx.table->chains_ht,
6706 trans->ctx.chain->name,
6707 &trans->ctx.chain->rhlhead,
6708 nft_chain_ht_params);
6711 if (!nft_is_base_chain(trans->ctx.chain))
6714 nft_chain_stats_replace(trans);
6716 basechain = nft_base_chain(trans->ctx.chain);
6718 switch (nft_trans_chain_policy(trans)) {
6721 basechain->policy = nft_trans_chain_policy(trans);
6726 static void nft_obj_commit_update(struct nft_trans *trans)
6728 struct nft_object *newobj;
6729 struct nft_object *obj;
6731 obj = nft_trans_obj(trans);
6732 newobj = nft_trans_obj_newobj(trans);
6734 if (obj->ops->update)
6735 obj->ops->update(obj, newobj);
6740 static void nft_commit_release(struct nft_trans *trans)
6742 switch (trans->msg_type) {
6743 case NFT_MSG_DELTABLE:
6744 nf_tables_table_destroy(&trans->ctx);
6746 case NFT_MSG_NEWCHAIN:
6747 free_percpu(nft_trans_chain_stats(trans));
6748 kfree(nft_trans_chain_name(trans));
6750 case NFT_MSG_DELCHAIN:
6751 nf_tables_chain_destroy(&trans->ctx);
6753 case NFT_MSG_DELRULE:
6754 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6756 case NFT_MSG_DELSET:
6757 nft_set_destroy(nft_trans_set(trans));
6759 case NFT_MSG_DELSETELEM:
6760 nf_tables_set_elem_destroy(&trans->ctx,
6761 nft_trans_elem_set(trans),
6762 nft_trans_elem(trans).priv);
6764 case NFT_MSG_DELOBJ:
6765 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6767 case NFT_MSG_DELFLOWTABLE:
6768 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6773 put_net(trans->ctx.net);
6778 static void nf_tables_trans_destroy_work(struct work_struct *w)
6780 struct nft_trans *trans, *next;
6783 spin_lock(&nf_tables_destroy_list_lock);
6784 list_splice_init(&nf_tables_destroy_list, &head);
6785 spin_unlock(&nf_tables_destroy_list_lock);
6787 if (list_empty(&head))
6792 list_for_each_entry_safe(trans, next, &head, list) {
6793 list_del(&trans->list);
6794 nft_commit_release(trans);
6798 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6800 struct nft_rule *rule;
6801 unsigned int alloc = 0;
6804 /* already handled or inactive chain? */
6805 if (chain->rules_next || !nft_is_active_next(net, chain))
6808 rule = list_entry(&chain->rules, struct nft_rule, list);
6811 list_for_each_entry_continue(rule, &chain->rules, list) {
6812 if (nft_is_active_next(net, rule))
6816 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6817 if (!chain->rules_next)
6820 list_for_each_entry_continue(rule, &chain->rules, list) {
6821 if (nft_is_active_next(net, rule))
6822 chain->rules_next[i++] = rule;
6825 chain->rules_next[i] = NULL;
6829 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6831 struct nft_trans *trans, *next;
6833 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6834 struct nft_chain *chain = trans->ctx.chain;
6836 if (trans->msg_type == NFT_MSG_NEWRULE ||
6837 trans->msg_type == NFT_MSG_DELRULE) {
6838 kvfree(chain->rules_next);
6839 chain->rules_next = NULL;
6844 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6846 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6851 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6853 struct nft_rule **r = rules;
6854 struct nft_rules_old *old;
6859 r++; /* rcu_head is after end marker */
6863 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6866 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6868 struct nft_rule **g0, **g1;
6871 next_genbit = nft_gencursor_next(net);
6873 g0 = rcu_dereference_protected(chain->rules_gen_0,
6874 lockdep_commit_lock_is_held(net));
6875 g1 = rcu_dereference_protected(chain->rules_gen_1,
6876 lockdep_commit_lock_is_held(net));
6878 /* No changes to this chain? */
6879 if (chain->rules_next == NULL) {
6880 /* chain had no change in last or next generation */
6884 * chain had no change in this generation; make sure next
6885 * one uses same rules as current generation.
6888 rcu_assign_pointer(chain->rules_gen_1, g0);
6889 nf_tables_commit_chain_free_rules_old(g1);
6891 rcu_assign_pointer(chain->rules_gen_0, g1);
6892 nf_tables_commit_chain_free_rules_old(g0);
6899 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6901 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6903 chain->rules_next = NULL;
6909 nf_tables_commit_chain_free_rules_old(g1);
6911 nf_tables_commit_chain_free_rules_old(g0);
6914 static void nft_obj_del(struct nft_object *obj)
6916 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6917 list_del_rcu(&obj->list);
6920 static void nft_chain_del(struct nft_chain *chain)
6922 struct nft_table *table = chain->table;
6924 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6925 nft_chain_ht_params));
6926 list_del_rcu(&chain->list);
6929 static void nf_tables_commit_release(struct net *net)
6931 struct nft_trans *trans;
6933 /* all side effects have to be made visible.
6934 * For example, if a chain named 'foo' has been deleted, a
6935 * new transaction must not find it anymore.
6937 * Memory reclaim happens asynchronously from work queue
6938 * to prevent expensive synchronize_rcu() in commit phase.
6940 if (list_empty(&net->nft.commit_list)) {
6941 mutex_unlock(&net->nft.commit_mutex);
6945 trans = list_last_entry(&net->nft.commit_list,
6946 struct nft_trans, list);
6947 get_net(trans->ctx.net);
6948 WARN_ON_ONCE(trans->put_net);
6950 trans->put_net = true;
6951 spin_lock(&nf_tables_destroy_list_lock);
6952 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6953 spin_unlock(&nf_tables_destroy_list_lock);
6955 mutex_unlock(&net->nft.commit_mutex);
6957 schedule_work(&trans_destroy_work);
6960 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6962 struct nft_trans *trans, *next;
6963 struct nft_trans_elem *te;
6964 struct nft_chain *chain;
6965 struct nft_table *table;
6968 if (list_empty(&net->nft.commit_list)) {
6969 mutex_unlock(&net->nft.commit_mutex);
6973 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6974 if (nf_tables_validate(net) < 0)
6977 err = nft_flow_rule_offload_commit(net);
6981 /* 1. Allocate space for next generation rules_gen_X[] */
6982 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6985 if (trans->msg_type == NFT_MSG_NEWRULE ||
6986 trans->msg_type == NFT_MSG_DELRULE) {
6987 chain = trans->ctx.chain;
6989 ret = nf_tables_commit_chain_prepare(net, chain);
6991 nf_tables_commit_chain_prepare_cancel(net);
6997 /* step 2. Make rules_gen_X visible to packet path */
6998 list_for_each_entry(table, &net->nft.tables, list) {
6999 list_for_each_entry(chain, &table->chains, list)
7000 nf_tables_commit_chain(net, chain);
7004 * Bump generation counter, invalidate any dump in progress.
7005 * Cannot fail after this point.
7007 while (++net->nft.base_seq == 0);
7009 /* step 3. Start new generation, rules_gen_X now in use. */
7010 net->nft.gencursor = nft_gencursor_next(net);
7012 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7013 switch (trans->msg_type) {
7014 case NFT_MSG_NEWTABLE:
7015 if (nft_trans_table_update(trans)) {
7016 if (!nft_trans_table_enable(trans)) {
7017 nf_tables_table_disable(net,
7019 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7022 nft_clear(net, trans->ctx.table);
7024 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7025 nft_trans_destroy(trans);
7027 case NFT_MSG_DELTABLE:
7028 list_del_rcu(&trans->ctx.table->list);
7029 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7031 case NFT_MSG_NEWCHAIN:
7032 if (nft_trans_chain_update(trans)) {
7033 nft_chain_commit_update(trans);
7034 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7035 /* trans destroyed after rcu grace period */
7037 nft_chain_commit_drop_policy(trans);
7038 nft_clear(net, trans->ctx.chain);
7039 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7040 nft_trans_destroy(trans);
7043 case NFT_MSG_DELCHAIN:
7044 nft_chain_del(trans->ctx.chain);
7045 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7046 nf_tables_unregister_hook(trans->ctx.net,
7050 case NFT_MSG_NEWRULE:
7051 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7052 nf_tables_rule_notify(&trans->ctx,
7053 nft_trans_rule(trans),
7055 nft_trans_destroy(trans);
7057 case NFT_MSG_DELRULE:
7058 list_del_rcu(&nft_trans_rule(trans)->list);
7059 nf_tables_rule_notify(&trans->ctx,
7060 nft_trans_rule(trans),
7062 nft_rule_expr_deactivate(&trans->ctx,
7063 nft_trans_rule(trans),
7066 case NFT_MSG_NEWSET:
7067 nft_clear(net, nft_trans_set(trans));
7068 /* This avoids hitting -EBUSY when deleting the table
7069 * from the transaction.
7071 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7072 !list_empty(&nft_trans_set(trans)->bindings))
7073 trans->ctx.table->use--;
7075 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7076 NFT_MSG_NEWSET, GFP_KERNEL);
7077 nft_trans_destroy(trans);
7079 case NFT_MSG_DELSET:
7080 list_del_rcu(&nft_trans_set(trans)->list);
7081 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7082 NFT_MSG_DELSET, GFP_KERNEL);
7084 case NFT_MSG_NEWSETELEM:
7085 te = (struct nft_trans_elem *)trans->data;
7087 te->set->ops->activate(net, te->set, &te->elem);
7088 nf_tables_setelem_notify(&trans->ctx, te->set,
7090 NFT_MSG_NEWSETELEM, 0);
7091 nft_trans_destroy(trans);
7093 case NFT_MSG_DELSETELEM:
7094 te = (struct nft_trans_elem *)trans->data;
7096 nf_tables_setelem_notify(&trans->ctx, te->set,
7098 NFT_MSG_DELSETELEM, 0);
7099 te->set->ops->remove(net, te->set, &te->elem);
7100 atomic_dec(&te->set->nelems);
7103 case NFT_MSG_NEWOBJ:
7104 if (nft_trans_obj_update(trans)) {
7105 nft_obj_commit_update(trans);
7106 nf_tables_obj_notify(&trans->ctx,
7107 nft_trans_obj(trans),
7110 nft_clear(net, nft_trans_obj(trans));
7111 nf_tables_obj_notify(&trans->ctx,
7112 nft_trans_obj(trans),
7114 nft_trans_destroy(trans);
7117 case NFT_MSG_DELOBJ:
7118 nft_obj_del(nft_trans_obj(trans));
7119 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7122 case NFT_MSG_NEWFLOWTABLE:
7123 nft_clear(net, nft_trans_flowtable(trans));
7124 nf_tables_flowtable_notify(&trans->ctx,
7125 nft_trans_flowtable(trans),
7126 NFT_MSG_NEWFLOWTABLE);
7127 nft_trans_destroy(trans);
7129 case NFT_MSG_DELFLOWTABLE:
7130 list_del_rcu(&nft_trans_flowtable(trans)->list);
7131 nf_tables_flowtable_notify(&trans->ctx,
7132 nft_trans_flowtable(trans),
7133 NFT_MSG_DELFLOWTABLE);
7134 nft_unregister_flowtable_net_hooks(net,
7135 nft_trans_flowtable(trans));
7140 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7141 nf_tables_commit_release(net);
7146 static void nf_tables_abort_release(struct nft_trans *trans)
7148 switch (trans->msg_type) {
7149 case NFT_MSG_NEWTABLE:
7150 nf_tables_table_destroy(&trans->ctx);
7152 case NFT_MSG_NEWCHAIN:
7153 nf_tables_chain_destroy(&trans->ctx);
7155 case NFT_MSG_NEWRULE:
7156 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7158 case NFT_MSG_NEWSET:
7159 nft_set_destroy(nft_trans_set(trans));
7161 case NFT_MSG_NEWSETELEM:
7162 nft_set_elem_destroy(nft_trans_elem_set(trans),
7163 nft_trans_elem(trans).priv, true);
7165 case NFT_MSG_NEWOBJ:
7166 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7168 case NFT_MSG_NEWFLOWTABLE:
7169 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7175 static int __nf_tables_abort(struct net *net)
7177 struct nft_trans *trans, *next;
7178 struct nft_trans_elem *te;
7180 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7182 switch (trans->msg_type) {
7183 case NFT_MSG_NEWTABLE:
7184 if (nft_trans_table_update(trans)) {
7185 if (nft_trans_table_enable(trans)) {
7186 nf_tables_table_disable(net,
7188 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7190 nft_trans_destroy(trans);
7192 list_del_rcu(&trans->ctx.table->list);
7195 case NFT_MSG_DELTABLE:
7196 nft_clear(trans->ctx.net, trans->ctx.table);
7197 nft_trans_destroy(trans);
7199 case NFT_MSG_NEWCHAIN:
7200 if (nft_trans_chain_update(trans)) {
7201 free_percpu(nft_trans_chain_stats(trans));
7202 kfree(nft_trans_chain_name(trans));
7203 nft_trans_destroy(trans);
7205 trans->ctx.table->use--;
7206 nft_chain_del(trans->ctx.chain);
7207 nf_tables_unregister_hook(trans->ctx.net,
7212 case NFT_MSG_DELCHAIN:
7213 trans->ctx.table->use++;
7214 nft_clear(trans->ctx.net, trans->ctx.chain);
7215 nft_trans_destroy(trans);
7217 case NFT_MSG_NEWRULE:
7218 trans->ctx.chain->use--;
7219 list_del_rcu(&nft_trans_rule(trans)->list);
7220 nft_rule_expr_deactivate(&trans->ctx,
7221 nft_trans_rule(trans),
7224 case NFT_MSG_DELRULE:
7225 trans->ctx.chain->use++;
7226 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7227 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7228 nft_trans_destroy(trans);
7230 case NFT_MSG_NEWSET:
7231 trans->ctx.table->use--;
7232 if (nft_trans_set_bound(trans)) {
7233 nft_trans_destroy(trans);
7236 list_del_rcu(&nft_trans_set(trans)->list);
7238 case NFT_MSG_DELSET:
7239 trans->ctx.table->use++;
7240 nft_clear(trans->ctx.net, nft_trans_set(trans));
7241 nft_trans_destroy(trans);
7243 case NFT_MSG_NEWSETELEM:
7244 if (nft_trans_elem_set_bound(trans)) {
7245 nft_trans_destroy(trans);
7248 te = (struct nft_trans_elem *)trans->data;
7249 te->set->ops->remove(net, te->set, &te->elem);
7250 atomic_dec(&te->set->nelems);
7252 case NFT_MSG_DELSETELEM:
7253 te = (struct nft_trans_elem *)trans->data;
7255 nft_set_elem_activate(net, te->set, &te->elem);
7256 te->set->ops->activate(net, te->set, &te->elem);
7259 nft_trans_destroy(trans);
7261 case NFT_MSG_NEWOBJ:
7262 if (nft_trans_obj_update(trans)) {
7263 kfree(nft_trans_obj_newobj(trans));
7264 nft_trans_destroy(trans);
7266 trans->ctx.table->use--;
7267 nft_obj_del(nft_trans_obj(trans));
7270 case NFT_MSG_DELOBJ:
7271 trans->ctx.table->use++;
7272 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7273 nft_trans_destroy(trans);
7275 case NFT_MSG_NEWFLOWTABLE:
7276 trans->ctx.table->use--;
7277 list_del_rcu(&nft_trans_flowtable(trans)->list);
7278 nft_unregister_flowtable_net_hooks(net,
7279 nft_trans_flowtable(trans));
7281 case NFT_MSG_DELFLOWTABLE:
7282 trans->ctx.table->use++;
7283 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7284 nft_trans_destroy(trans);
7291 list_for_each_entry_safe_reverse(trans, next,
7292 &net->nft.commit_list, list) {
7293 list_del(&trans->list);
7294 nf_tables_abort_release(trans);
7300 static void nf_tables_cleanup(struct net *net)
7302 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7305 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
7307 int ret = __nf_tables_abort(net);
7309 mutex_unlock(&net->nft.commit_mutex);
7314 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7318 mutex_lock(&net->nft.commit_mutex);
7320 genid_ok = genid == 0 || net->nft.base_seq == genid;
7322 mutex_unlock(&net->nft.commit_mutex);
7324 /* else, commit mutex has to be released by commit or abort function */
7328 static const struct nfnetlink_subsystem nf_tables_subsys = {
7329 .name = "nf_tables",
7330 .subsys_id = NFNL_SUBSYS_NFTABLES,
7331 .cb_count = NFT_MSG_MAX,
7333 .commit = nf_tables_commit,
7334 .abort = nf_tables_abort,
7335 .cleanup = nf_tables_cleanup,
7336 .valid_genid = nf_tables_valid_genid,
7337 .owner = THIS_MODULE,
7340 int nft_chain_validate_dependency(const struct nft_chain *chain,
7341 enum nft_chain_types type)
7343 const struct nft_base_chain *basechain;
7345 if (nft_is_base_chain(chain)) {
7346 basechain = nft_base_chain(chain);
7347 if (basechain->type->type != type)
7352 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7354 int nft_chain_validate_hooks(const struct nft_chain *chain,
7355 unsigned int hook_flags)
7357 struct nft_base_chain *basechain;
7359 if (nft_is_base_chain(chain)) {
7360 basechain = nft_base_chain(chain);
7362 if ((1 << basechain->ops.hooknum) & hook_flags)
7370 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7373 * Loop detection - walk through the ruleset beginning at the destination chain
7374 * of a new jump until either the source chain is reached (loop) or all
7375 * reachable chains have been traversed.
7377 * The loop check is performed whenever a new jump verdict is added to an
7378 * expression or verdict map or a verdict map is bound to a new chain.
7381 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7382 const struct nft_chain *chain);
7384 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7385 struct nft_set *set,
7386 const struct nft_set_iter *iter,
7387 struct nft_set_elem *elem)
7389 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7390 const struct nft_data *data;
7392 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7393 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7396 data = nft_set_ext_data(ext);
7397 switch (data->verdict.code) {
7400 return nf_tables_check_loops(ctx, data->verdict.chain);
7406 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7407 const struct nft_chain *chain)
7409 const struct nft_rule *rule;
7410 const struct nft_expr *expr, *last;
7411 struct nft_set *set;
7412 struct nft_set_binding *binding;
7413 struct nft_set_iter iter;
7415 if (ctx->chain == chain)
7418 list_for_each_entry(rule, &chain->rules, list) {
7419 nft_rule_for_each_expr(expr, last, rule) {
7420 struct nft_immediate_expr *priv;
7421 const struct nft_data *data;
7424 if (strcmp(expr->ops->type->name, "immediate"))
7427 priv = nft_expr_priv(expr);
7428 if (priv->dreg != NFT_REG_VERDICT)
7432 switch (data->verdict.code) {
7435 err = nf_tables_check_loops(ctx,
7436 data->verdict.chain);
7445 list_for_each_entry(set, &ctx->table->sets, list) {
7446 if (!nft_is_active_next(ctx->net, set))
7448 if (!(set->flags & NFT_SET_MAP) ||
7449 set->dtype != NFT_DATA_VERDICT)
7452 list_for_each_entry(binding, &set->bindings, list) {
7453 if (!(binding->flags & NFT_SET_MAP) ||
7454 binding->chain != chain)
7457 iter.genmask = nft_genmask_next(ctx->net);
7461 iter.fn = nf_tables_loop_check_setelem;
7463 set->ops->walk(ctx, set, &iter);
7473 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7475 * @attr: netlink attribute to fetch value from
7476 * @max: maximum value to be stored in dest
7477 * @dest: pointer to the variable
7479 * Parse, check and store a given u32 netlink attribute into variable.
7480 * This function returns -ERANGE if the value goes over maximum value.
7481 * Otherwise a 0 is returned and the attribute value is stored in the
7482 * destination variable.
7484 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7488 val = ntohl(nla_get_be32(attr));
7495 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7498 * nft_parse_register - parse a register value from a netlink attribute
7500 * @attr: netlink attribute
7502 * Parse and translate a register value from a netlink attribute.
7503 * Registers used to be 128 bit wide, these register numbers will be
7504 * mapped to the corresponding 32 bit register numbers.
7506 unsigned int nft_parse_register(const struct nlattr *attr)
7510 reg = ntohl(nla_get_be32(attr));
7512 case NFT_REG_VERDICT...NFT_REG_4:
7513 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7515 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7518 EXPORT_SYMBOL_GPL(nft_parse_register);
7521 * nft_dump_register - dump a register value to a netlink attribute
7523 * @skb: socket buffer
7524 * @attr: attribute number
7525 * @reg: register number
7527 * Construct a netlink attribute containing the register number. For
7528 * compatibility reasons, register numbers being a multiple of 4 are
7529 * translated to the corresponding 128 bit register numbers.
7531 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7533 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7534 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7536 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7538 return nla_put_be32(skb, attr, htonl(reg));
7540 EXPORT_SYMBOL_GPL(nft_dump_register);
7543 * nft_validate_register_load - validate a load from a register
7545 * @reg: the register number
7546 * @len: the length of the data
7548 * Validate that the input register is one of the general purpose
7549 * registers and that the length of the load is within the bounds.
7551 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7553 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7557 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7562 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7565 * nft_validate_register_store - validate an expressions' register store
7567 * @ctx: context of the expression performing the load
7568 * @reg: the destination register number
7569 * @data: the data to load
7570 * @type: the data type
7571 * @len: the length of the data
7573 * Validate that a data load uses the appropriate data type for
7574 * the destination register and the length is within the bounds.
7575 * A value of NULL for the data means that its runtime gathered
7578 int nft_validate_register_store(const struct nft_ctx *ctx,
7579 enum nft_registers reg,
7580 const struct nft_data *data,
7581 enum nft_data_types type, unsigned int len)
7586 case NFT_REG_VERDICT:
7587 if (type != NFT_DATA_VERDICT)
7591 (data->verdict.code == NFT_GOTO ||
7592 data->verdict.code == NFT_JUMP)) {
7593 err = nf_tables_check_loops(ctx, data->verdict.chain);
7600 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7604 if (reg * NFT_REG32_SIZE + len >
7605 FIELD_SIZEOF(struct nft_regs, data))
7608 if (data != NULL && type != NFT_DATA_VALUE)
7613 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7615 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7616 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7617 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7618 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7621 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7622 struct nft_data_desc *desc, const struct nlattr *nla)
7624 u8 genmask = nft_genmask_next(ctx->net);
7625 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7626 struct nft_chain *chain;
7629 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7630 nft_verdict_policy, NULL);
7634 if (!tb[NFTA_VERDICT_CODE])
7636 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7638 switch (data->verdict.code) {
7640 switch (data->verdict.code & NF_VERDICT_MASK) {
7655 if (!tb[NFTA_VERDICT_CHAIN])
7657 chain = nft_chain_lookup(ctx->net, ctx->table,
7658 tb[NFTA_VERDICT_CHAIN], genmask);
7660 return PTR_ERR(chain);
7661 if (nft_is_base_chain(chain))
7665 data->verdict.chain = chain;
7669 desc->len = sizeof(data->verdict);
7670 desc->type = NFT_DATA_VERDICT;
7674 static void nft_verdict_uninit(const struct nft_data *data)
7676 switch (data->verdict.code) {
7679 data->verdict.chain->use--;
7684 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7686 struct nlattr *nest;
7688 nest = nla_nest_start_noflag(skb, type);
7690 goto nla_put_failure;
7692 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7693 goto nla_put_failure;
7698 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7700 goto nla_put_failure;
7702 nla_nest_end(skb, nest);
7709 static int nft_value_init(const struct nft_ctx *ctx,
7710 struct nft_data *data, unsigned int size,
7711 struct nft_data_desc *desc, const struct nlattr *nla)
7721 nla_memcpy(data->data, nla, len);
7722 desc->type = NFT_DATA_VALUE;
7727 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7730 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7733 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7734 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7735 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7739 * nft_data_init - parse nf_tables data netlink attributes
7741 * @ctx: context of the expression using the data
7742 * @data: destination struct nft_data
7743 * @size: maximum data length
7744 * @desc: data description
7745 * @nla: netlink attribute containing data
7747 * Parse the netlink data attributes and initialize a struct nft_data.
7748 * The type and length of data are returned in the data description.
7750 * The caller can indicate that it only wants to accept data of type
7751 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7753 int nft_data_init(const struct nft_ctx *ctx,
7754 struct nft_data *data, unsigned int size,
7755 struct nft_data_desc *desc, const struct nlattr *nla)
7757 struct nlattr *tb[NFTA_DATA_MAX + 1];
7760 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7761 nft_data_policy, NULL);
7765 if (tb[NFTA_DATA_VALUE])
7766 return nft_value_init(ctx, data, size, desc,
7767 tb[NFTA_DATA_VALUE]);
7768 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7769 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7772 EXPORT_SYMBOL_GPL(nft_data_init);
7775 * nft_data_release - release a nft_data item
7777 * @data: struct nft_data to release
7778 * @type: type of data
7780 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7781 * all others need to be released by calling this function.
7783 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7785 if (type < NFT_DATA_VERDICT)
7788 case NFT_DATA_VERDICT:
7789 return nft_verdict_uninit(data);
7794 EXPORT_SYMBOL_GPL(nft_data_release);
7796 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7797 enum nft_data_types type, unsigned int len)
7799 struct nlattr *nest;
7802 nest = nla_nest_start_noflag(skb, attr);
7807 case NFT_DATA_VALUE:
7808 err = nft_value_dump(skb, data, len);
7810 case NFT_DATA_VERDICT:
7811 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7818 nla_nest_end(skb, nest);
7821 EXPORT_SYMBOL_GPL(nft_data_dump);
7823 int __nft_release_basechain(struct nft_ctx *ctx)
7825 struct nft_rule *rule, *nr;
7827 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7830 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7831 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7832 list_del(&rule->list);
7834 nf_tables_rule_release(ctx, rule);
7836 nft_chain_del(ctx->chain);
7838 nf_tables_chain_destroy(ctx);
7842 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7844 static void __nft_release_tables(struct net *net)
7846 struct nft_flowtable *flowtable, *nf;
7847 struct nft_table *table, *nt;
7848 struct nft_chain *chain, *nc;
7849 struct nft_object *obj, *ne;
7850 struct nft_rule *rule, *nr;
7851 struct nft_set *set, *ns;
7852 struct nft_ctx ctx = {
7854 .family = NFPROTO_NETDEV,
7857 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7858 ctx.family = table->family;
7860 list_for_each_entry(chain, &table->chains, list)
7861 nf_tables_unregister_hook(net, table, chain);
7862 /* No packets are walking on these chains anymore. */
7864 list_for_each_entry(chain, &table->chains, list) {
7866 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7867 list_del(&rule->list);
7869 nf_tables_rule_release(&ctx, rule);
7872 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7873 list_del(&flowtable->list);
7875 nf_tables_flowtable_destroy(flowtable);
7877 list_for_each_entry_safe(set, ns, &table->sets, list) {
7878 list_del(&set->list);
7880 nft_set_destroy(set);
7882 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7885 nft_obj_destroy(&ctx, obj);
7887 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7889 nft_chain_del(chain);
7891 nf_tables_chain_destroy(&ctx);
7893 list_del(&table->list);
7894 nf_tables_table_destroy(&ctx);
7898 static int __net_init nf_tables_init_net(struct net *net)
7900 INIT_LIST_HEAD(&net->nft.tables);
7901 INIT_LIST_HEAD(&net->nft.commit_list);
7902 mutex_init(&net->nft.commit_mutex);
7903 net->nft.base_seq = 1;
7904 net->nft.validate_state = NFT_VALIDATE_SKIP;
7909 static void __net_exit nf_tables_exit_net(struct net *net)
7911 mutex_lock(&net->nft.commit_mutex);
7912 if (!list_empty(&net->nft.commit_list))
7913 __nf_tables_abort(net);
7914 __nft_release_tables(net);
7915 mutex_unlock(&net->nft.commit_mutex);
7916 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7919 static struct pernet_operations nf_tables_net_ops = {
7920 .init = nf_tables_init_net,
7921 .exit = nf_tables_exit_net,
7924 static int __init nf_tables_module_init(void)
7928 spin_lock_init(&nf_tables_destroy_list_lock);
7929 err = register_pernet_subsys(&nf_tables_net_ops);
7933 err = nft_chain_filter_init();
7937 err = nf_tables_core_module_init();
7941 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7945 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7949 err = nft_offload_init();
7954 err = nfnetlink_subsys_register(&nf_tables_subsys);
7958 nft_chain_route_init();
7964 rhltable_destroy(&nft_objname_ht);
7966 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7968 nf_tables_core_module_exit();
7970 nft_chain_filter_fini();
7972 unregister_pernet_subsys(&nf_tables_net_ops);
7976 static void __exit nf_tables_module_exit(void)
7978 nfnetlink_subsys_unregister(&nf_tables_subsys);
7980 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7981 nft_chain_filter_fini();
7982 nft_chain_route_fini();
7983 unregister_pernet_subsys(&nf_tables_net_ops);
7984 cancel_work_sync(&trans_destroy_work);
7986 rhltable_destroy(&nft_objname_ht);
7987 nf_tables_core_module_exit();
7990 module_init(nf_tables_module_init);
7991 module_exit(nf_tables_module_exit);
7993 MODULE_LICENSE("GPL");
7994 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7995 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob