2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/rhashtable.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter/nfnetlink.h>
20 #include <linux/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_flow_table.h>
22 #include <net/netfilter/nf_tables_core.h>
23 #include <net/netfilter/nf_tables.h>
24 #include <net/net_namespace.h>
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
35 NFT_VALIDATE_SKIP = 0,
40 static struct rhltable nft_objname_ht;
42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
71 switch (net->nft.validate_state) {
72 case NFT_VALIDATE_SKIP:
73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
75 case NFT_VALIDATE_NEED:
78 if (new_validate_state == NFT_VALIDATE_NEED)
82 net->nft.validate_state = new_validate_state;
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
87 static void nft_ctx_init(struct nft_ctx *ctx,
89 const struct sk_buff *skb,
90 const struct nlmsghdr *nlh,
92 struct nft_table *table,
93 struct nft_chain *chain,
94 const struct nlattr * const *nla)
102 ctx->portid = NETLINK_CB(skb).portid;
103 ctx->report = nlmsg_report(nlh);
104 ctx->seq = nlh->nlmsg_seq;
107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
108 int msg_type, u32 size, gfp_t gfp)
110 struct nft_trans *trans;
112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
116 trans->msg_type = msg_type;
122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
123 int msg_type, u32 size)
125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
128 static void nft_trans_destroy(struct nft_trans *trans)
130 list_del(&trans->list);
134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 struct net *net = ctx->net;
137 struct nft_trans *trans;
139 if (!nft_set_is_anonymous(set))
142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
143 if (trans->msg_type == NFT_MSG_NEWSET &&
144 nft_trans_set(trans) == set) {
151 static int nf_tables_register_hook(struct net *net,
152 const struct nft_table *table,
153 struct nft_chain *chain)
155 const struct nft_base_chain *basechain;
156 const struct nf_hook_ops *ops;
158 if (table->flags & NFT_TABLE_F_DORMANT ||
159 !nft_is_base_chain(chain))
162 basechain = nft_base_chain(chain);
163 ops = &basechain->ops;
165 if (basechain->type->ops_register)
166 return basechain->type->ops_register(net, ops);
168 return nf_register_net_hook(net, ops);
171 static void nf_tables_unregister_hook(struct net *net,
172 const struct nft_table *table,
173 struct nft_chain *chain)
175 const struct nft_base_chain *basechain;
176 const struct nf_hook_ops *ops;
178 if (table->flags & NFT_TABLE_F_DORMANT ||
179 !nft_is_base_chain(chain))
181 basechain = nft_base_chain(chain);
182 ops = &basechain->ops;
184 if (basechain->type->ops_unregister)
185 return basechain->type->ops_unregister(net, ops);
187 nf_unregister_net_hook(net, ops);
190 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
192 struct nft_trans *trans;
194 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
198 if (msg_type == NFT_MSG_NEWTABLE)
199 nft_activate_next(ctx->net, ctx->table);
201 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
205 static int nft_deltable(struct nft_ctx *ctx)
209 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
213 nft_deactivate_next(ctx->net, ctx->table);
217 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
219 struct nft_trans *trans;
221 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
225 if (msg_type == NFT_MSG_NEWCHAIN)
226 nft_activate_next(ctx->net, ctx->chain);
228 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
232 static int nft_delchain(struct nft_ctx *ctx)
236 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
241 nft_deactivate_next(ctx->net, ctx->chain);
246 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
247 struct nft_rule *rule)
249 struct nft_expr *expr;
251 expr = nft_expr_first(rule);
252 while (expr != nft_expr_last(rule) && expr->ops) {
253 if (expr->ops->activate)
254 expr->ops->activate(ctx, expr);
256 expr = nft_expr_next(expr);
260 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
261 struct nft_rule *rule,
262 enum nft_trans_phase phase)
264 struct nft_expr *expr;
266 expr = nft_expr_first(rule);
267 while (expr != nft_expr_last(rule) && expr->ops) {
268 if (expr->ops->deactivate)
269 expr->ops->deactivate(ctx, expr, phase);
271 expr = nft_expr_next(expr);
276 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
278 /* You cannot delete the same rule twice */
279 if (nft_is_active_next(ctx->net, rule)) {
280 nft_deactivate_next(ctx->net, rule);
287 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
288 struct nft_rule *rule)
290 struct nft_trans *trans;
292 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
296 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
297 nft_trans_rule_id(trans) =
298 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
300 nft_trans_rule(trans) = rule;
301 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
306 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
308 struct nft_trans *trans;
311 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
315 err = nf_tables_delrule_deactivate(ctx, rule);
317 nft_trans_destroy(trans);
320 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
325 static int nft_delrule_by_chain(struct nft_ctx *ctx)
327 struct nft_rule *rule;
330 list_for_each_entry(rule, &ctx->chain->rules, list) {
331 if (!nft_is_active_next(ctx->net, rule))
334 err = nft_delrule(ctx, rule);
341 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
344 struct nft_trans *trans;
346 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
350 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
351 nft_trans_set_id(trans) =
352 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
353 nft_activate_next(ctx->net, set);
355 nft_trans_set(trans) = set;
356 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
361 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
365 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
369 nft_deactivate_next(ctx->net, set);
375 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
376 struct nft_object *obj)
378 struct nft_trans *trans;
380 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
384 if (msg_type == NFT_MSG_NEWOBJ)
385 nft_activate_next(ctx->net, obj);
387 nft_trans_obj(trans) = obj;
388 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
393 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
397 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
401 nft_deactivate_next(ctx->net, obj);
407 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
408 struct nft_flowtable *flowtable)
410 struct nft_trans *trans;
412 trans = nft_trans_alloc(ctx, msg_type,
413 sizeof(struct nft_trans_flowtable));
417 if (msg_type == NFT_MSG_NEWFLOWTABLE)
418 nft_activate_next(ctx->net, flowtable);
420 nft_trans_flowtable(trans) = flowtable;
421 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
426 static int nft_delflowtable(struct nft_ctx *ctx,
427 struct nft_flowtable *flowtable)
431 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
435 nft_deactivate_next(ctx->net, flowtable);
445 static struct nft_table *nft_table_lookup(const struct net *net,
446 const struct nlattr *nla,
447 u8 family, u8 genmask)
449 struct nft_table *table;
452 return ERR_PTR(-EINVAL);
454 list_for_each_entry_rcu(table, &net->nft.tables, list) {
455 if (!nla_strcmp(nla, table->name) &&
456 table->family == family &&
457 nft_active_genmask(table, genmask))
461 return ERR_PTR(-ENOENT);
464 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
465 const struct nlattr *nla,
468 struct nft_table *table;
470 list_for_each_entry(table, &net->nft.tables, list) {
471 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
472 nft_active_genmask(table, genmask))
476 return ERR_PTR(-ENOENT);
479 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
481 return ++table->hgenerator;
484 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
486 static const struct nft_chain_type *
487 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
491 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
492 if (chain_type[family][i] != NULL &&
493 !nla_strcmp(nla, chain_type[family][i]->name))
494 return chain_type[family][i];
500 * Loading a module requires dropping mutex that guards the
502 * We first need to abort any pending transactions as once
503 * mutex is unlocked a different client could start a new
504 * transaction. It must not see any 'future generation'
505 * changes * as these changes will never happen.
507 #ifdef CONFIG_MODULES
508 static int __nf_tables_abort(struct net *net);
510 static void nft_request_module(struct net *net, const char *fmt, ...)
512 char module_name[MODULE_NAME_LEN];
516 __nf_tables_abort(net);
519 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
521 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
524 mutex_unlock(&net->nft.commit_mutex);
525 request_module("%s", module_name);
526 mutex_lock(&net->nft.commit_mutex);
530 static void lockdep_nfnl_nft_mutex_not_held(void)
532 #ifdef CONFIG_PROVE_LOCKING
533 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
537 static const struct nft_chain_type *
538 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
539 u8 family, bool autoload)
541 const struct nft_chain_type *type;
543 type = __nf_tables_chain_type_lookup(nla, family);
547 lockdep_nfnl_nft_mutex_not_held();
548 #ifdef CONFIG_MODULES
550 nft_request_module(net, "nft-chain-%u-%.*s", family,
551 nla_len(nla), (const char *)nla_data(nla));
552 type = __nf_tables_chain_type_lookup(nla, family);
554 return ERR_PTR(-EAGAIN);
557 return ERR_PTR(-ENOENT);
560 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
561 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
562 .len = NFT_TABLE_MAXNAMELEN - 1 },
563 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
564 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
567 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
568 u32 portid, u32 seq, int event, u32 flags,
569 int family, const struct nft_table *table)
571 struct nlmsghdr *nlh;
572 struct nfgenmsg *nfmsg;
574 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
575 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
577 goto nla_put_failure;
579 nfmsg = nlmsg_data(nlh);
580 nfmsg->nfgen_family = family;
581 nfmsg->version = NFNETLINK_V0;
582 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
584 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
585 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
586 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
587 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
589 goto nla_put_failure;
595 nlmsg_trim(skb, nlh);
599 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
605 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
608 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
612 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
613 event, 0, ctx->family, ctx->table);
619 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
620 ctx->report, GFP_KERNEL);
623 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
626 static int nf_tables_dump_tables(struct sk_buff *skb,
627 struct netlink_callback *cb)
629 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
630 const struct nft_table *table;
631 unsigned int idx = 0, s_idx = cb->args[0];
632 struct net *net = sock_net(skb->sk);
633 int family = nfmsg->nfgen_family;
636 cb->seq = net->nft.base_seq;
638 list_for_each_entry_rcu(table, &net->nft.tables, list) {
639 if (family != NFPROTO_UNSPEC && family != table->family)
645 memset(&cb->args[1], 0,
646 sizeof(cb->args) - sizeof(cb->args[0]));
647 if (!nft_is_active(net, table))
649 if (nf_tables_fill_table_info(skb, net,
650 NETLINK_CB(cb->skb).portid,
652 NFT_MSG_NEWTABLE, NLM_F_MULTI,
653 table->family, table) < 0)
656 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
666 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
667 const struct nlmsghdr *nlh,
668 struct netlink_dump_control *c)
672 if (!try_module_get(THIS_MODULE))
676 err = netlink_dump_start(nlsk, skb, nlh, c);
678 module_put(THIS_MODULE);
683 /* called with rcu_read_lock held */
684 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
685 struct sk_buff *skb, const struct nlmsghdr *nlh,
686 const struct nlattr * const nla[],
687 struct netlink_ext_ack *extack)
689 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
690 u8 genmask = nft_genmask_cur(net);
691 const struct nft_table *table;
692 struct sk_buff *skb2;
693 int family = nfmsg->nfgen_family;
696 if (nlh->nlmsg_flags & NLM_F_DUMP) {
697 struct netlink_dump_control c = {
698 .dump = nf_tables_dump_tables,
699 .module = THIS_MODULE,
702 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
705 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
707 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
708 return PTR_ERR(table);
711 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
715 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
716 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
721 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
728 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
730 struct nft_chain *chain;
733 list_for_each_entry(chain, &table->chains, list) {
734 if (!nft_is_active_next(net, chain))
736 if (!nft_is_base_chain(chain))
739 if (cnt && i++ == cnt)
742 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
746 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
748 struct nft_chain *chain;
751 list_for_each_entry(chain, &table->chains, list) {
752 if (!nft_is_active_next(net, chain))
754 if (!nft_is_base_chain(chain))
757 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
766 nft_table_disable(net, table, i);
770 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
772 nft_table_disable(net, table, 0);
775 static int nf_tables_updtable(struct nft_ctx *ctx)
777 struct nft_trans *trans;
781 if (!ctx->nla[NFTA_TABLE_FLAGS])
784 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
785 if (flags & ~NFT_TABLE_F_DORMANT)
788 if (flags == ctx->table->flags)
791 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
792 sizeof(struct nft_trans_table));
796 if ((flags & NFT_TABLE_F_DORMANT) &&
797 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
798 nft_trans_table_enable(trans) = false;
799 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
800 ctx->table->flags & NFT_TABLE_F_DORMANT) {
801 ret = nf_tables_table_enable(ctx->net, ctx->table);
803 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
804 nft_trans_table_enable(trans) = true;
810 nft_trans_table_update(trans) = true;
811 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
814 nft_trans_destroy(trans);
818 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
820 const char *name = data;
822 return jhash(name, strlen(name), seed);
825 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
827 const struct nft_chain *chain = data;
829 return nft_chain_hash(chain->name, 0, seed);
832 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
835 const struct nft_chain *chain = ptr;
836 const char *name = arg->key;
838 return strcmp(chain->name, name);
841 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
843 const struct nft_object_hash_key *k = data;
845 seed ^= hash_ptr(k->table, 32);
847 return jhash(k->name, strlen(k->name), seed);
850 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
852 const struct nft_object *obj = data;
854 return nft_objname_hash(&obj->key, 0, seed);
857 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
860 const struct nft_object_hash_key *k = arg->key;
861 const struct nft_object *obj = ptr;
863 if (obj->key.table != k->table)
866 return strcmp(obj->key.name, k->name);
869 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
870 struct sk_buff *skb, const struct nlmsghdr *nlh,
871 const struct nlattr * const nla[],
872 struct netlink_ext_ack *extack)
874 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
875 u8 genmask = nft_genmask_next(net);
876 int family = nfmsg->nfgen_family;
877 const struct nlattr *attr;
878 struct nft_table *table;
883 lockdep_assert_held(&net->nft.commit_mutex);
884 attr = nla[NFTA_TABLE_NAME];
885 table = nft_table_lookup(net, attr, family, genmask);
887 if (PTR_ERR(table) != -ENOENT)
888 return PTR_ERR(table);
890 if (nlh->nlmsg_flags & NLM_F_EXCL) {
891 NL_SET_BAD_ATTR(extack, attr);
894 if (nlh->nlmsg_flags & NLM_F_REPLACE)
897 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
898 return nf_tables_updtable(&ctx);
901 if (nla[NFTA_TABLE_FLAGS]) {
902 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
903 if (flags & ~NFT_TABLE_F_DORMANT)
908 table = kzalloc(sizeof(*table), GFP_KERNEL);
912 table->name = nla_strdup(attr, GFP_KERNEL);
913 if (table->name == NULL)
916 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
920 INIT_LIST_HEAD(&table->chains);
921 INIT_LIST_HEAD(&table->sets);
922 INIT_LIST_HEAD(&table->objects);
923 INIT_LIST_HEAD(&table->flowtables);
924 table->family = family;
925 table->flags = flags;
926 table->handle = ++table_handle;
928 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
929 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
933 list_add_tail_rcu(&table->list, &net->nft.tables);
936 rhltable_destroy(&table->chains_ht);
945 static int nft_flush_table(struct nft_ctx *ctx)
947 struct nft_flowtable *flowtable, *nft;
948 struct nft_chain *chain, *nc;
949 struct nft_object *obj, *ne;
950 struct nft_set *set, *ns;
953 list_for_each_entry(chain, &ctx->table->chains, list) {
954 if (!nft_is_active_next(ctx->net, chain))
959 err = nft_delrule_by_chain(ctx);
964 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
965 if (!nft_is_active_next(ctx->net, set))
968 if (nft_set_is_anonymous(set) &&
969 !list_empty(&set->bindings))
972 err = nft_delset(ctx, set);
977 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
978 err = nft_delflowtable(ctx, flowtable);
983 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
984 err = nft_delobj(ctx, obj);
989 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
990 if (!nft_is_active_next(ctx->net, chain))
995 err = nft_delchain(ctx);
1000 err = nft_deltable(ctx);
1005 static int nft_flush(struct nft_ctx *ctx, int family)
1007 struct nft_table *table, *nt;
1008 const struct nlattr * const *nla = ctx->nla;
1011 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1012 if (family != AF_UNSPEC && table->family != family)
1015 ctx->family = table->family;
1017 if (!nft_is_active_next(ctx->net, table))
1020 if (nla[NFTA_TABLE_NAME] &&
1021 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1026 err = nft_flush_table(ctx);
1034 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1035 struct sk_buff *skb, const struct nlmsghdr *nlh,
1036 const struct nlattr * const nla[],
1037 struct netlink_ext_ack *extack)
1039 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1040 u8 genmask = nft_genmask_next(net);
1041 int family = nfmsg->nfgen_family;
1042 const struct nlattr *attr;
1043 struct nft_table *table;
1046 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1047 if (family == AF_UNSPEC ||
1048 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1049 return nft_flush(&ctx, family);
1051 if (nla[NFTA_TABLE_HANDLE]) {
1052 attr = nla[NFTA_TABLE_HANDLE];
1053 table = nft_table_lookup_byhandle(net, attr, genmask);
1055 attr = nla[NFTA_TABLE_NAME];
1056 table = nft_table_lookup(net, attr, family, genmask);
1059 if (IS_ERR(table)) {
1060 NL_SET_BAD_ATTR(extack, attr);
1061 return PTR_ERR(table);
1064 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1068 ctx.family = family;
1071 return nft_flush_table(&ctx);
1074 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1076 if (WARN_ON(ctx->table->use > 0))
1079 rhltable_destroy(&ctx->table->chains_ht);
1080 kfree(ctx->table->name);
1084 void nft_register_chain_type(const struct nft_chain_type *ctype)
1086 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1089 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1090 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1091 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1094 chain_type[ctype->family][ctype->type] = ctype;
1095 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1097 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1099 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1101 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1102 chain_type[ctype->family][ctype->type] = NULL;
1103 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1105 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1111 static struct nft_chain *
1112 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1114 struct nft_chain *chain;
1116 list_for_each_entry(chain, &table->chains, list) {
1117 if (chain->handle == handle &&
1118 nft_active_genmask(chain, genmask))
1122 return ERR_PTR(-ENOENT);
1125 static bool lockdep_commit_lock_is_held(const struct net *net)
1127 #ifdef CONFIG_PROVE_LOCKING
1128 return lockdep_is_held(&net->nft.commit_mutex);
1134 static struct nft_chain *nft_chain_lookup(struct net *net,
1135 struct nft_table *table,
1136 const struct nlattr *nla, u8 genmask)
1138 char search[NFT_CHAIN_MAXNAMELEN + 1];
1139 struct rhlist_head *tmp, *list;
1140 struct nft_chain *chain;
1143 return ERR_PTR(-EINVAL);
1145 nla_strlcpy(search, nla, sizeof(search));
1147 WARN_ON(!rcu_read_lock_held() &&
1148 !lockdep_commit_lock_is_held(net));
1150 chain = ERR_PTR(-ENOENT);
1152 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1156 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1157 if (nft_active_genmask(chain, genmask))
1160 chain = ERR_PTR(-ENOENT);
1166 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1167 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1168 .len = NFT_TABLE_MAXNAMELEN - 1 },
1169 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1170 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1171 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1172 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1173 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1174 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1175 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1178 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1179 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1180 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1181 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1182 .len = IFNAMSIZ - 1 },
1185 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1187 struct nft_stats *cpu_stats, total;
1188 struct nlattr *nest;
1193 memset(&total, 0, sizeof(total));
1194 for_each_possible_cpu(cpu) {
1195 cpu_stats = per_cpu_ptr(stats, cpu);
1197 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1198 pkts = cpu_stats->pkts;
1199 bytes = cpu_stats->bytes;
1200 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1202 total.bytes += bytes;
1204 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1206 goto nla_put_failure;
1208 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1209 NFTA_COUNTER_PAD) ||
1210 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1212 goto nla_put_failure;
1214 nla_nest_end(skb, nest);
1221 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1222 u32 portid, u32 seq, int event, u32 flags,
1223 int family, const struct nft_table *table,
1224 const struct nft_chain *chain)
1226 struct nlmsghdr *nlh;
1227 struct nfgenmsg *nfmsg;
1229 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1230 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1232 goto nla_put_failure;
1234 nfmsg = nlmsg_data(nlh);
1235 nfmsg->nfgen_family = family;
1236 nfmsg->version = NFNETLINK_V0;
1237 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1239 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1240 goto nla_put_failure;
1241 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1243 goto nla_put_failure;
1244 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1245 goto nla_put_failure;
1247 if (nft_is_base_chain(chain)) {
1248 const struct nft_base_chain *basechain = nft_base_chain(chain);
1249 const struct nf_hook_ops *ops = &basechain->ops;
1250 struct nlattr *nest;
1252 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1254 goto nla_put_failure;
1255 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1256 goto nla_put_failure;
1257 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1258 goto nla_put_failure;
1259 if (basechain->dev_name[0] &&
1260 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1261 goto nla_put_failure;
1262 nla_nest_end(skb, nest);
1264 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1265 htonl(basechain->policy)))
1266 goto nla_put_failure;
1268 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1269 goto nla_put_failure;
1271 if (rcu_access_pointer(basechain->stats) &&
1272 nft_dump_stats(skb, rcu_dereference(basechain->stats)))
1273 goto nla_put_failure;
1276 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1277 goto nla_put_failure;
1279 nlmsg_end(skb, nlh);
1283 nlmsg_trim(skb, nlh);
1287 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1289 struct sk_buff *skb;
1293 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1296 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1300 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1301 event, 0, ctx->family, ctx->table,
1308 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1309 ctx->report, GFP_KERNEL);
1312 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1315 static int nf_tables_dump_chains(struct sk_buff *skb,
1316 struct netlink_callback *cb)
1318 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1319 const struct nft_table *table;
1320 const struct nft_chain *chain;
1321 unsigned int idx = 0, s_idx = cb->args[0];
1322 struct net *net = sock_net(skb->sk);
1323 int family = nfmsg->nfgen_family;
1326 cb->seq = net->nft.base_seq;
1328 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1329 if (family != NFPROTO_UNSPEC && family != table->family)
1332 list_for_each_entry_rcu(chain, &table->chains, list) {
1336 memset(&cb->args[1], 0,
1337 sizeof(cb->args) - sizeof(cb->args[0]));
1338 if (!nft_is_active(net, chain))
1340 if (nf_tables_fill_chain_info(skb, net,
1341 NETLINK_CB(cb->skb).portid,
1345 table->family, table,
1349 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1360 /* called with rcu_read_lock held */
1361 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1362 struct sk_buff *skb, const struct nlmsghdr *nlh,
1363 const struct nlattr * const nla[],
1364 struct netlink_ext_ack *extack)
1366 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1367 u8 genmask = nft_genmask_cur(net);
1368 const struct nft_chain *chain;
1369 struct nft_table *table;
1370 struct sk_buff *skb2;
1371 int family = nfmsg->nfgen_family;
1374 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1375 struct netlink_dump_control c = {
1376 .dump = nf_tables_dump_chains,
1377 .module = THIS_MODULE,
1380 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1383 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1384 if (IS_ERR(table)) {
1385 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1386 return PTR_ERR(table);
1389 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1390 if (IS_ERR(chain)) {
1391 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1392 return PTR_ERR(chain);
1395 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1399 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1400 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1401 family, table, chain);
1405 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1412 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1413 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1414 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1417 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1419 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1420 struct nft_stats __percpu *newstats;
1421 struct nft_stats *stats;
1424 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1427 return ERR_PTR(err);
1429 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1430 return ERR_PTR(-EINVAL);
1432 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1433 if (newstats == NULL)
1434 return ERR_PTR(-ENOMEM);
1436 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1437 * are not exposed to userspace.
1440 stats = this_cpu_ptr(newstats);
1441 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1442 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1448 static void nft_chain_stats_replace(struct net *net,
1449 struct nft_base_chain *chain,
1450 struct nft_stats __percpu *newstats)
1452 struct nft_stats __percpu *oldstats;
1454 if (newstats == NULL)
1457 if (rcu_access_pointer(chain->stats)) {
1458 oldstats = rcu_dereference_protected(chain->stats,
1459 lockdep_commit_lock_is_held(net));
1460 rcu_assign_pointer(chain->stats, newstats);
1462 free_percpu(oldstats);
1464 rcu_assign_pointer(chain->stats, newstats);
1465 static_branch_inc(&nft_counters_enabled);
1469 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1471 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1472 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1478 /* should be NULL either via abort or via successful commit */
1479 WARN_ON_ONCE(chain->rules_next);
1480 kvfree(chain->rules_next);
1483 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1485 struct nft_chain *chain = ctx->chain;
1487 if (WARN_ON(chain->use > 0))
1490 /* no concurrent access possible anymore */
1491 nf_tables_chain_free_chain_rules(chain);
1493 if (nft_is_base_chain(chain)) {
1494 struct nft_base_chain *basechain = nft_base_chain(chain);
1496 module_put(basechain->type->owner);
1497 if (rcu_access_pointer(basechain->stats)) {
1498 static_branch_dec(&nft_counters_enabled);
1499 free_percpu(rcu_dereference_raw(basechain->stats));
1509 struct nft_chain_hook {
1512 const struct nft_chain_type *type;
1513 struct net_device *dev;
1516 static int nft_chain_parse_hook(struct net *net,
1517 const struct nlattr * const nla[],
1518 struct nft_chain_hook *hook, u8 family,
1521 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1522 const struct nft_chain_type *type;
1523 struct net_device *dev;
1526 lockdep_assert_held(&net->nft.commit_mutex);
1527 lockdep_nfnl_nft_mutex_not_held();
1529 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1530 nft_hook_policy, NULL);
1534 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1535 ha[NFTA_HOOK_PRIORITY] == NULL)
1538 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1539 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1541 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1542 if (nla[NFTA_CHAIN_TYPE]) {
1543 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1546 return PTR_ERR(type);
1548 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1551 if (type->type == NFT_CHAIN_T_NAT &&
1552 hook->priority <= NF_IP_PRI_CONNTRACK)
1555 if (!try_module_get(type->owner))
1561 if (family == NFPROTO_NETDEV) {
1562 char ifname[IFNAMSIZ];
1564 if (!ha[NFTA_HOOK_DEV]) {
1565 module_put(type->owner);
1569 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1570 dev = __dev_get_by_name(net, ifname);
1572 module_put(type->owner);
1576 } else if (ha[NFTA_HOOK_DEV]) {
1577 module_put(type->owner);
1584 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1586 module_put(hook->type->owner);
1589 struct nft_rules_old {
1591 struct nft_rule **start;
1594 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1597 if (alloc > INT_MAX)
1600 alloc += 1; /* NULL, ends rules */
1601 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1604 alloc *= sizeof(struct nft_rule *);
1605 alloc += sizeof(struct nft_rules_old);
1607 return kvmalloc(alloc, GFP_KERNEL);
1610 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1613 const struct nlattr * const *nla = ctx->nla;
1614 struct nft_table *table = ctx->table;
1615 struct nft_base_chain *basechain;
1616 struct nft_stats __percpu *stats;
1617 struct net *net = ctx->net;
1618 struct nft_chain *chain;
1619 struct nft_rule **rules;
1622 if (table->use == UINT_MAX)
1625 if (nla[NFTA_CHAIN_HOOK]) {
1626 struct nft_chain_hook hook;
1627 struct nf_hook_ops *ops;
1629 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1633 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1634 if (basechain == NULL) {
1635 nft_chain_release_hook(&hook);
1639 if (hook.dev != NULL)
1640 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1642 if (nla[NFTA_CHAIN_COUNTERS]) {
1643 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1644 if (IS_ERR(stats)) {
1645 nft_chain_release_hook(&hook);
1647 return PTR_ERR(stats);
1649 rcu_assign_pointer(basechain->stats, stats);
1650 static_branch_inc(&nft_counters_enabled);
1653 basechain->type = hook.type;
1654 chain = &basechain->chain;
1656 ops = &basechain->ops;
1658 ops->hooknum = hook.num;
1659 ops->priority = hook.priority;
1661 ops->hook = hook.type->hooks[ops->hooknum];
1662 ops->dev = hook.dev;
1664 chain->flags |= NFT_BASE_CHAIN;
1665 basechain->policy = policy;
1667 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1673 INIT_LIST_HEAD(&chain->rules);
1674 chain->handle = nf_tables_alloc_handle(table);
1675 chain->table = table;
1676 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1682 rules = nf_tables_chain_alloc_rules(chain, 0);
1689 rcu_assign_pointer(chain->rules_gen_0, rules);
1690 rcu_assign_pointer(chain->rules_gen_1, rules);
1692 err = nf_tables_register_hook(net, table, chain);
1696 err = rhltable_insert_key(&table->chains_ht, chain->name,
1697 &chain->rhlhead, nft_chain_ht_params);
1701 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1703 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1704 nft_chain_ht_params);
1709 list_add_tail_rcu(&chain->list, &table->chains);
1713 nf_tables_unregister_hook(net, table, chain);
1715 nf_tables_chain_destroy(ctx);
1720 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
1722 const struct nlattr * const *nla = ctx->nla;
1723 struct nft_table *table = ctx->table;
1724 struct nft_chain *chain = ctx->chain;
1725 struct nft_base_chain *basechain;
1726 struct nft_stats *stats = NULL;
1727 struct nft_chain_hook hook;
1728 struct nf_hook_ops *ops;
1729 struct nft_trans *trans;
1732 if (nla[NFTA_CHAIN_HOOK]) {
1733 if (!nft_is_base_chain(chain))
1736 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1741 basechain = nft_base_chain(chain);
1742 if (basechain->type != hook.type) {
1743 nft_chain_release_hook(&hook);
1747 ops = &basechain->ops;
1748 if (ops->hooknum != hook.num ||
1749 ops->priority != hook.priority ||
1750 ops->dev != hook.dev) {
1751 nft_chain_release_hook(&hook);
1754 nft_chain_release_hook(&hook);
1757 if (nla[NFTA_CHAIN_HANDLE] &&
1758 nla[NFTA_CHAIN_NAME]) {
1759 struct nft_chain *chain2;
1761 chain2 = nft_chain_lookup(ctx->net, table,
1762 nla[NFTA_CHAIN_NAME], genmask);
1763 if (!IS_ERR(chain2))
1767 if (nla[NFTA_CHAIN_COUNTERS]) {
1768 if (!nft_is_base_chain(chain))
1771 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1773 return PTR_ERR(stats);
1777 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1778 sizeof(struct nft_trans_chain));
1782 nft_trans_chain_stats(trans) = stats;
1783 nft_trans_chain_update(trans) = true;
1785 if (nla[NFTA_CHAIN_POLICY])
1786 nft_trans_chain_policy(trans) = policy;
1788 nft_trans_chain_policy(trans) = -1;
1790 if (nla[NFTA_CHAIN_HANDLE] &&
1791 nla[NFTA_CHAIN_NAME]) {
1792 struct nft_trans *tmp;
1796 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1801 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1802 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1803 tmp->ctx.table == table &&
1804 nft_trans_chain_update(tmp) &&
1805 nft_trans_chain_name(tmp) &&
1806 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1812 nft_trans_chain_name(trans) = name;
1814 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1823 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1824 struct sk_buff *skb, const struct nlmsghdr *nlh,
1825 const struct nlattr * const nla[],
1826 struct netlink_ext_ack *extack)
1828 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1829 u8 genmask = nft_genmask_next(net);
1830 int family = nfmsg->nfgen_family;
1831 const struct nlattr *attr;
1832 struct nft_table *table;
1833 struct nft_chain *chain;
1834 u8 policy = NF_ACCEPT;
1838 lockdep_assert_held(&net->nft.commit_mutex);
1840 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1841 if (IS_ERR(table)) {
1842 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1843 return PTR_ERR(table);
1847 attr = nla[NFTA_CHAIN_NAME];
1849 if (nla[NFTA_CHAIN_HANDLE]) {
1850 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1851 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1852 if (IS_ERR(chain)) {
1853 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1854 return PTR_ERR(chain);
1856 attr = nla[NFTA_CHAIN_HANDLE];
1858 chain = nft_chain_lookup(net, table, attr, genmask);
1859 if (IS_ERR(chain)) {
1860 if (PTR_ERR(chain) != -ENOENT) {
1861 NL_SET_BAD_ATTR(extack, attr);
1862 return PTR_ERR(chain);
1868 if (nla[NFTA_CHAIN_POLICY]) {
1869 if (chain != NULL &&
1870 !nft_is_base_chain(chain)) {
1871 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1875 if (chain == NULL &&
1876 nla[NFTA_CHAIN_HOOK] == NULL) {
1877 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1881 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1891 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1893 if (chain != NULL) {
1894 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1895 NL_SET_BAD_ATTR(extack, attr);
1898 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1901 return nf_tables_updchain(&ctx, genmask, policy);
1904 return nf_tables_addchain(&ctx, family, genmask, policy);
1907 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1908 struct sk_buff *skb, const struct nlmsghdr *nlh,
1909 const struct nlattr * const nla[],
1910 struct netlink_ext_ack *extack)
1912 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1913 u8 genmask = nft_genmask_next(net);
1914 int family = nfmsg->nfgen_family;
1915 const struct nlattr *attr;
1916 struct nft_table *table;
1917 struct nft_chain *chain;
1918 struct nft_rule *rule;
1924 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1925 if (IS_ERR(table)) {
1926 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1927 return PTR_ERR(table);
1930 if (nla[NFTA_CHAIN_HANDLE]) {
1931 attr = nla[NFTA_CHAIN_HANDLE];
1932 handle = be64_to_cpu(nla_get_be64(attr));
1933 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1935 attr = nla[NFTA_CHAIN_NAME];
1936 chain = nft_chain_lookup(net, table, attr, genmask);
1938 if (IS_ERR(chain)) {
1939 NL_SET_BAD_ATTR(extack, attr);
1940 return PTR_ERR(chain);
1943 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1947 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1950 list_for_each_entry(rule, &chain->rules, list) {
1951 if (!nft_is_active_next(net, rule))
1955 err = nft_delrule(&ctx, rule);
1960 /* There are rules and elements that are still holding references to us,
1961 * we cannot do a recursive removal in this case.
1964 NL_SET_BAD_ATTR(extack, attr);
1968 return nft_delchain(&ctx);
1976 * nft_register_expr - register nf_tables expr type
1979 * Registers the expr type for use with nf_tables. Returns zero on
1980 * success or a negative errno code otherwise.
1982 int nft_register_expr(struct nft_expr_type *type)
1984 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1985 if (type->family == NFPROTO_UNSPEC)
1986 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1988 list_add_rcu(&type->list, &nf_tables_expressions);
1989 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1992 EXPORT_SYMBOL_GPL(nft_register_expr);
1995 * nft_unregister_expr - unregister nf_tables expr type
1998 * Unregisters the expr typefor use with nf_tables.
2000 void nft_unregister_expr(struct nft_expr_type *type)
2002 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2003 list_del_rcu(&type->list);
2004 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2006 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2008 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2011 const struct nft_expr_type *type;
2013 list_for_each_entry(type, &nf_tables_expressions, list) {
2014 if (!nla_strcmp(nla, type->name) &&
2015 (!type->family || type->family == family))
2021 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2025 const struct nft_expr_type *type;
2028 return ERR_PTR(-EINVAL);
2030 type = __nft_expr_type_get(family, nla);
2031 if (type != NULL && try_module_get(type->owner))
2034 lockdep_nfnl_nft_mutex_not_held();
2035 #ifdef CONFIG_MODULES
2037 nft_request_module(net, "nft-expr-%u-%.*s", family,
2038 nla_len(nla), (char *)nla_data(nla));
2039 if (__nft_expr_type_get(family, nla))
2040 return ERR_PTR(-EAGAIN);
2042 nft_request_module(net, "nft-expr-%.*s",
2043 nla_len(nla), (char *)nla_data(nla));
2044 if (__nft_expr_type_get(family, nla))
2045 return ERR_PTR(-EAGAIN);
2048 return ERR_PTR(-ENOENT);
2051 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2052 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2053 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2056 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2057 const struct nft_expr *expr)
2059 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2060 goto nla_put_failure;
2062 if (expr->ops->dump) {
2063 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
2065 goto nla_put_failure;
2066 if (expr->ops->dump(skb, expr) < 0)
2067 goto nla_put_failure;
2068 nla_nest_end(skb, data);
2077 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2078 const struct nft_expr *expr)
2080 struct nlattr *nest;
2082 nest = nla_nest_start(skb, attr);
2084 goto nla_put_failure;
2085 if (nf_tables_fill_expr_info(skb, expr) < 0)
2086 goto nla_put_failure;
2087 nla_nest_end(skb, nest);
2094 struct nft_expr_info {
2095 const struct nft_expr_ops *ops;
2096 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2099 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2100 const struct nlattr *nla,
2101 struct nft_expr_info *info)
2103 const struct nft_expr_type *type;
2104 const struct nft_expr_ops *ops;
2105 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2108 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
2112 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2114 return PTR_ERR(type);
2116 if (tb[NFTA_EXPR_DATA]) {
2117 err = nla_parse_nested(info->tb, type->maxattr,
2118 tb[NFTA_EXPR_DATA], type->policy, NULL);
2122 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2124 if (type->select_ops != NULL) {
2125 ops = type->select_ops(ctx,
2126 (const struct nlattr * const *)info->tb);
2138 module_put(type->owner);
2142 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2143 const struct nft_expr_info *info,
2144 struct nft_expr *expr)
2146 const struct nft_expr_ops *ops = info->ops;
2151 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2162 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2163 struct nft_expr *expr)
2165 const struct nft_expr_type *type = expr->ops->type;
2167 if (expr->ops->destroy)
2168 expr->ops->destroy(ctx, expr);
2169 module_put(type->owner);
2172 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2173 const struct nlattr *nla)
2175 struct nft_expr_info info;
2176 struct nft_expr *expr;
2177 struct module *owner;
2180 err = nf_tables_expr_parse(ctx, nla, &info);
2185 expr = kzalloc(info.ops->size, GFP_KERNEL);
2189 err = nf_tables_newexpr(ctx, &info, expr);
2197 owner = info.ops->type->owner;
2198 if (info.ops->type->release_ops)
2199 info.ops->type->release_ops(info.ops);
2203 return ERR_PTR(err);
2206 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2208 nf_tables_expr_destroy(ctx, expr);
2216 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2219 struct nft_rule *rule;
2221 // FIXME: this sucks
2222 list_for_each_entry_rcu(rule, &chain->rules, list) {
2223 if (handle == rule->handle)
2227 return ERR_PTR(-ENOENT);
2230 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2231 const struct nlattr *nla)
2234 return ERR_PTR(-EINVAL);
2236 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2239 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2240 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2241 .len = NFT_TABLE_MAXNAMELEN - 1 },
2242 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2243 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2244 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2245 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2246 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2247 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2248 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2249 .len = NFT_USERDATA_MAXLEN },
2250 [NFTA_RULE_ID] = { .type = NLA_U32 },
2251 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2254 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2255 u32 portid, u32 seq, int event,
2256 u32 flags, int family,
2257 const struct nft_table *table,
2258 const struct nft_chain *chain,
2259 const struct nft_rule *rule)
2261 struct nlmsghdr *nlh;
2262 struct nfgenmsg *nfmsg;
2263 const struct nft_expr *expr, *next;
2264 struct nlattr *list;
2265 const struct nft_rule *prule;
2266 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2268 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2270 goto nla_put_failure;
2272 nfmsg = nlmsg_data(nlh);
2273 nfmsg->nfgen_family = family;
2274 nfmsg->version = NFNETLINK_V0;
2275 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2277 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2278 goto nla_put_failure;
2279 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2280 goto nla_put_failure;
2281 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2283 goto nla_put_failure;
2285 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2286 prule = list_prev_entry(rule, list);
2287 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2288 cpu_to_be64(prule->handle),
2290 goto nla_put_failure;
2293 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2295 goto nla_put_failure;
2296 nft_rule_for_each_expr(expr, next, rule) {
2297 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2298 goto nla_put_failure;
2300 nla_nest_end(skb, list);
2303 struct nft_userdata *udata = nft_userdata(rule);
2304 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2306 goto nla_put_failure;
2309 nlmsg_end(skb, nlh);
2313 nlmsg_trim(skb, nlh);
2317 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2318 const struct nft_rule *rule, int event)
2320 struct sk_buff *skb;
2324 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2327 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2331 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2332 event, 0, ctx->family, ctx->table,
2339 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2340 ctx->report, GFP_KERNEL);
2343 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2346 struct nft_rule_dump_ctx {
2351 static int __nf_tables_dump_rules(struct sk_buff *skb,
2353 struct netlink_callback *cb,
2354 const struct nft_table *table,
2355 const struct nft_chain *chain)
2357 struct net *net = sock_net(skb->sk);
2358 unsigned int s_idx = cb->args[0];
2359 const struct nft_rule *rule;
2361 list_for_each_entry_rcu(rule, &chain->rules, list) {
2362 if (!nft_is_active(net, rule))
2367 memset(&cb->args[1], 0,
2368 sizeof(cb->args) - sizeof(cb->args[0]));
2370 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2373 NLM_F_MULTI | NLM_F_APPEND,
2375 table, chain, rule) < 0)
2378 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2385 static int nf_tables_dump_rules(struct sk_buff *skb,
2386 struct netlink_callback *cb)
2388 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2389 const struct nft_rule_dump_ctx *ctx = cb->data;
2390 struct nft_table *table;
2391 const struct nft_chain *chain;
2392 unsigned int idx = 0;
2393 struct net *net = sock_net(skb->sk);
2394 int family = nfmsg->nfgen_family;
2397 cb->seq = net->nft.base_seq;
2399 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2400 if (family != NFPROTO_UNSPEC && family != table->family)
2403 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2406 if (ctx && ctx->table && ctx->chain) {
2407 struct rhlist_head *list, *tmp;
2409 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2410 nft_chain_ht_params);
2414 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2415 if (!nft_is_active(net, chain))
2417 __nf_tables_dump_rules(skb, &idx,
2424 list_for_each_entry_rcu(chain, &table->chains, list) {
2425 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2429 if (ctx && ctx->table)
2439 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2441 const struct nlattr * const *nla = cb->data;
2442 struct nft_rule_dump_ctx *ctx = NULL;
2444 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2445 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2449 if (nla[NFTA_RULE_TABLE]) {
2450 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2457 if (nla[NFTA_RULE_CHAIN]) {
2458 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2472 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2474 struct nft_rule_dump_ctx *ctx = cb->data;
2484 /* called with rcu_read_lock held */
2485 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2486 struct sk_buff *skb, const struct nlmsghdr *nlh,
2487 const struct nlattr * const nla[],
2488 struct netlink_ext_ack *extack)
2490 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2491 u8 genmask = nft_genmask_cur(net);
2492 const struct nft_chain *chain;
2493 const struct nft_rule *rule;
2494 struct nft_table *table;
2495 struct sk_buff *skb2;
2496 int family = nfmsg->nfgen_family;
2499 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2500 struct netlink_dump_control c = {
2501 .start= nf_tables_dump_rules_start,
2502 .dump = nf_tables_dump_rules,
2503 .done = nf_tables_dump_rules_done,
2504 .module = THIS_MODULE,
2505 .data = (void *)nla,
2508 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2511 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2512 if (IS_ERR(table)) {
2513 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2514 return PTR_ERR(table);
2517 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2518 if (IS_ERR(chain)) {
2519 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2520 return PTR_ERR(chain);
2523 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2525 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2526 return PTR_ERR(rule);
2529 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2533 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2534 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2535 family, table, chain, rule);
2539 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2546 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2547 struct nft_rule *rule)
2549 struct nft_expr *expr, *next;
2552 * Careful: some expressions might not be initialized in case this
2553 * is called on error from nf_tables_newrule().
2555 expr = nft_expr_first(rule);
2556 while (expr != nft_expr_last(rule) && expr->ops) {
2557 next = nft_expr_next(expr);
2558 nf_tables_expr_destroy(ctx, expr);
2564 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2565 struct nft_rule *rule)
2567 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2568 nf_tables_rule_destroy(ctx, rule);
2571 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2573 struct nft_expr *expr, *last;
2574 const struct nft_data *data;
2575 struct nft_rule *rule;
2578 if (ctx->level == NFT_JUMP_STACK_SIZE)
2581 list_for_each_entry(rule, &chain->rules, list) {
2582 if (!nft_is_active_next(ctx->net, rule))
2585 nft_rule_for_each_expr(expr, last, rule) {
2586 if (!expr->ops->validate)
2589 err = expr->ops->validate(ctx, expr, &data);
2597 EXPORT_SYMBOL_GPL(nft_chain_validate);
2599 static int nft_table_validate(struct net *net, const struct nft_table *table)
2601 struct nft_chain *chain;
2602 struct nft_ctx ctx = {
2604 .family = table->family,
2608 list_for_each_entry(chain, &table->chains, list) {
2609 if (!nft_is_base_chain(chain))
2613 err = nft_chain_validate(&ctx, chain);
2621 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2622 const struct nlattr *nla);
2624 #define NFT_RULE_MAXEXPRS 128
2626 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2627 struct sk_buff *skb, const struct nlmsghdr *nlh,
2628 const struct nlattr * const nla[],
2629 struct netlink_ext_ack *extack)
2631 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2632 u8 genmask = nft_genmask_next(net);
2633 struct nft_expr_info *info = NULL;
2634 int family = nfmsg->nfgen_family;
2635 struct nft_table *table;
2636 struct nft_chain *chain;
2637 struct nft_rule *rule, *old_rule = NULL;
2638 struct nft_userdata *udata;
2639 struct nft_trans *trans = NULL;
2640 struct nft_expr *expr;
2643 unsigned int size, i, n, ulen = 0, usize = 0;
2645 u64 handle, pos_handle;
2647 lockdep_assert_held(&net->nft.commit_mutex);
2649 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2650 if (IS_ERR(table)) {
2651 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2652 return PTR_ERR(table);
2655 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2656 if (IS_ERR(chain)) {
2657 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2658 return PTR_ERR(chain);
2661 if (nla[NFTA_RULE_HANDLE]) {
2662 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2663 rule = __nft_rule_lookup(chain, handle);
2665 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2666 return PTR_ERR(rule);
2669 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2670 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2673 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2678 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2679 nlh->nlmsg_flags & NLM_F_REPLACE)
2681 handle = nf_tables_alloc_handle(table);
2683 if (chain->use == UINT_MAX)
2686 if (nla[NFTA_RULE_POSITION]) {
2687 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2688 old_rule = __nft_rule_lookup(chain, pos_handle);
2689 if (IS_ERR(old_rule)) {
2690 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2691 return PTR_ERR(old_rule);
2693 } else if (nla[NFTA_RULE_POSITION_ID]) {
2694 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
2695 if (IS_ERR(old_rule)) {
2696 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2697 return PTR_ERR(old_rule);
2702 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2706 if (nla[NFTA_RULE_EXPRESSIONS]) {
2707 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2708 sizeof(struct nft_expr_info),
2713 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2715 if (nla_type(tmp) != NFTA_LIST_ELEM)
2717 if (n == NFT_RULE_MAXEXPRS)
2719 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2722 size += info[n].ops->size;
2726 /* Check for overflow of dlen field */
2728 if (size >= 1 << 12)
2731 if (nla[NFTA_RULE_USERDATA]) {
2732 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2734 usize = sizeof(struct nft_userdata) + ulen;
2738 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2742 nft_activate_next(net, rule);
2744 rule->handle = handle;
2746 rule->udata = ulen ? 1 : 0;
2749 udata = nft_userdata(rule);
2750 udata->len = ulen - 1;
2751 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2754 expr = nft_expr_first(rule);
2755 for (i = 0; i < n; i++) {
2756 err = nf_tables_newexpr(&ctx, &info[i], expr);
2760 if (info[i].ops->validate)
2761 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2764 expr = nft_expr_next(expr);
2767 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2768 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2769 if (trans == NULL) {
2773 err = nft_delrule(&ctx, old_rule);
2775 nft_trans_destroy(trans);
2779 list_add_tail_rcu(&rule->list, &old_rule->list);
2781 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2786 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2788 list_add_rcu(&rule->list, &old_rule->list);
2790 list_add_tail_rcu(&rule->list, &chain->rules);
2793 list_add_tail_rcu(&rule->list, &old_rule->list);
2795 list_add_rcu(&rule->list, &chain->rules);
2801 if (net->nft.validate_state == NFT_VALIDATE_DO)
2802 return nft_table_validate(net, table);
2806 nf_tables_rule_release(&ctx, rule);
2808 for (i = 0; i < n; i++) {
2810 module_put(info[i].ops->type->owner);
2811 if (info[i].ops->type->release_ops)
2812 info[i].ops->type->release_ops(info[i].ops);
2819 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2820 const struct nlattr *nla)
2822 u32 id = ntohl(nla_get_be32(nla));
2823 struct nft_trans *trans;
2825 list_for_each_entry(trans, &net->nft.commit_list, list) {
2826 struct nft_rule *rule = nft_trans_rule(trans);
2828 if (trans->msg_type == NFT_MSG_NEWRULE &&
2829 id == nft_trans_rule_id(trans))
2832 return ERR_PTR(-ENOENT);
2835 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2836 struct sk_buff *skb, const struct nlmsghdr *nlh,
2837 const struct nlattr * const nla[],
2838 struct netlink_ext_ack *extack)
2840 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2841 u8 genmask = nft_genmask_next(net);
2842 struct nft_table *table;
2843 struct nft_chain *chain = NULL;
2844 struct nft_rule *rule;
2845 int family = nfmsg->nfgen_family, err = 0;
2848 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2849 if (IS_ERR(table)) {
2850 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2851 return PTR_ERR(table);
2854 if (nla[NFTA_RULE_CHAIN]) {
2855 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2857 if (IS_ERR(chain)) {
2858 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2859 return PTR_ERR(chain);
2863 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2866 if (nla[NFTA_RULE_HANDLE]) {
2867 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2869 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2870 return PTR_ERR(rule);
2873 err = nft_delrule(&ctx, rule);
2874 } else if (nla[NFTA_RULE_ID]) {
2875 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2877 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2878 return PTR_ERR(rule);
2881 err = nft_delrule(&ctx, rule);
2883 err = nft_delrule_by_chain(&ctx);
2886 list_for_each_entry(chain, &table->chains, list) {
2887 if (!nft_is_active_next(net, chain))
2891 err = nft_delrule_by_chain(&ctx);
2904 static LIST_HEAD(nf_tables_set_types);
2906 int nft_register_set(struct nft_set_type *type)
2908 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2909 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2910 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2913 EXPORT_SYMBOL_GPL(nft_register_set);
2915 void nft_unregister_set(struct nft_set_type *type)
2917 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2918 list_del_rcu(&type->list);
2919 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2921 EXPORT_SYMBOL_GPL(nft_unregister_set);
2923 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2924 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2927 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2929 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2933 * Select a set implementation based on the data characteristics and the
2934 * given policy. The total memory use might not be known if no size is
2935 * given, in that case the amount of memory per element is used.
2937 static const struct nft_set_ops *
2938 nft_select_set_ops(const struct nft_ctx *ctx,
2939 const struct nlattr * const nla[],
2940 const struct nft_set_desc *desc,
2941 enum nft_set_policies policy)
2943 const struct nft_set_ops *ops, *bops;
2944 struct nft_set_estimate est, best;
2945 const struct nft_set_type *type;
2948 lockdep_assert_held(&ctx->net->nft.commit_mutex);
2949 lockdep_nfnl_nft_mutex_not_held();
2950 #ifdef CONFIG_MODULES
2951 if (list_empty(&nf_tables_set_types)) {
2952 nft_request_module(ctx->net, "nft-set");
2953 if (!list_empty(&nf_tables_set_types))
2954 return ERR_PTR(-EAGAIN);
2957 if (nla[NFTA_SET_FLAGS] != NULL)
2958 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2965 list_for_each_entry(type, &nf_tables_set_types, list) {
2968 if (!nft_set_ops_candidate(type, flags))
2970 if (!ops->estimate(desc, flags, &est))
2974 case NFT_SET_POL_PERFORMANCE:
2975 if (est.lookup < best.lookup)
2977 if (est.lookup == best.lookup &&
2978 est.space < best.space)
2981 case NFT_SET_POL_MEMORY:
2983 if (est.space < best.space)
2985 if (est.space == best.space &&
2986 est.lookup < best.lookup)
2988 } else if (est.size < best.size || !bops) {
2996 if (!try_module_get(type->owner))
2999 module_put(to_set_type(bops)->owner);
3008 return ERR_PTR(-EOPNOTSUPP);
3011 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3012 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3013 .len = NFT_TABLE_MAXNAMELEN - 1 },
3014 [NFTA_SET_NAME] = { .type = NLA_STRING,
3015 .len = NFT_SET_MAXNAMELEN - 1 },
3016 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3017 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3018 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3019 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3020 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3021 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3022 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3023 [NFTA_SET_ID] = { .type = NLA_U32 },
3024 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3025 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3026 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3027 .len = NFT_USERDATA_MAXLEN },
3028 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3029 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3032 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3033 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3036 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3037 const struct sk_buff *skb,
3038 const struct nlmsghdr *nlh,
3039 const struct nlattr * const nla[],
3040 struct netlink_ext_ack *extack,
3043 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3044 int family = nfmsg->nfgen_family;
3045 struct nft_table *table = NULL;
3047 if (nla[NFTA_SET_TABLE] != NULL) {
3048 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3050 if (IS_ERR(table)) {
3051 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3052 return PTR_ERR(table);
3056 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3060 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3061 const struct nlattr *nla, u8 genmask)
3063 struct nft_set *set;
3066 return ERR_PTR(-EINVAL);
3068 list_for_each_entry_rcu(set, &table->sets, list) {
3069 if (!nla_strcmp(nla, set->name) &&
3070 nft_active_genmask(set, genmask))
3073 return ERR_PTR(-ENOENT);
3076 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3077 const struct nlattr *nla,
3080 struct nft_set *set;
3082 list_for_each_entry(set, &table->sets, list) {
3083 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3084 nft_active_genmask(set, genmask))
3087 return ERR_PTR(-ENOENT);
3090 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3091 const struct nlattr *nla, u8 genmask)
3093 struct nft_trans *trans;
3094 u32 id = ntohl(nla_get_be32(nla));
3096 list_for_each_entry(trans, &net->nft.commit_list, list) {
3097 if (trans->msg_type == NFT_MSG_NEWSET) {
3098 struct nft_set *set = nft_trans_set(trans);
3100 if (id == nft_trans_set_id(trans) &&
3101 nft_active_genmask(set, genmask))
3105 return ERR_PTR(-ENOENT);
3108 struct nft_set *nft_set_lookup_global(const struct net *net,
3109 const struct nft_table *table,
3110 const struct nlattr *nla_set_name,
3111 const struct nlattr *nla_set_id,
3114 struct nft_set *set;
3116 set = nft_set_lookup(table, nla_set_name, genmask);
3121 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3125 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3127 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3130 const struct nft_set *i;
3132 unsigned long *inuse;
3133 unsigned int n = 0, min = 0;
3135 p = strchr(name, '%');
3137 if (p[1] != 'd' || strchr(p + 2, '%'))
3140 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3144 list_for_each_entry(i, &ctx->table->sets, list) {
3147 if (!nft_is_active_next(ctx->net, set))
3149 if (!sscanf(i->name, name, &tmp))
3151 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3154 set_bit(tmp - min, inuse);
3157 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3158 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3159 min += BITS_PER_BYTE * PAGE_SIZE;
3160 memset(inuse, 0, PAGE_SIZE);
3163 free_page((unsigned long)inuse);
3166 set->name = kasprintf(GFP_KERNEL, name, min + n);
3170 list_for_each_entry(i, &ctx->table->sets, list) {
3171 if (!nft_is_active_next(ctx->net, i))
3173 if (!strcmp(set->name, i->name)) {
3181 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3183 u64 ms = be64_to_cpu(nla_get_be64(nla));
3184 u64 max = (u64)(~((u64)0));
3186 max = div_u64(max, NSEC_PER_MSEC);
3190 ms *= NSEC_PER_MSEC;
3191 *result = nsecs_to_jiffies64(ms);
3195 static __be64 nf_jiffies64_to_msecs(u64 input)
3197 u64 ms = jiffies64_to_nsecs(input);
3199 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
3202 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3203 const struct nft_set *set, u16 event, u16 flags)
3205 struct nfgenmsg *nfmsg;
3206 struct nlmsghdr *nlh;
3207 struct nlattr *desc;
3208 u32 portid = ctx->portid;
3211 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3212 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3215 goto nla_put_failure;
3217 nfmsg = nlmsg_data(nlh);
3218 nfmsg->nfgen_family = ctx->family;
3219 nfmsg->version = NFNETLINK_V0;
3220 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3222 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3223 goto nla_put_failure;
3224 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3225 goto nla_put_failure;
3226 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3228 goto nla_put_failure;
3229 if (set->flags != 0)
3230 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3231 goto nla_put_failure;
3233 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3234 goto nla_put_failure;
3235 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3236 goto nla_put_failure;
3237 if (set->flags & NFT_SET_MAP) {
3238 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3239 goto nla_put_failure;
3240 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3241 goto nla_put_failure;
3243 if (set->flags & NFT_SET_OBJECT &&
3244 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3245 goto nla_put_failure;
3248 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3249 nf_jiffies64_to_msecs(set->timeout),
3251 goto nla_put_failure;
3253 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3254 goto nla_put_failure;
3256 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3257 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3258 goto nla_put_failure;
3261 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3262 goto nla_put_failure;
3264 desc = nla_nest_start(skb, NFTA_SET_DESC);
3266 goto nla_put_failure;
3268 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3269 goto nla_put_failure;
3270 nla_nest_end(skb, desc);
3272 nlmsg_end(skb, nlh);
3276 nlmsg_trim(skb, nlh);
3280 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3281 const struct nft_set *set, int event,
3284 struct sk_buff *skb;
3285 u32 portid = ctx->portid;
3289 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3292 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3296 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3302 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3306 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3309 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3311 const struct nft_set *set;
3312 unsigned int idx, s_idx = cb->args[0];
3313 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3314 struct net *net = sock_net(skb->sk);
3315 struct nft_ctx *ctx = cb->data, ctx_set;
3321 cb->seq = net->nft.base_seq;
3323 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3324 if (ctx->family != NFPROTO_UNSPEC &&
3325 ctx->family != table->family)
3328 if (ctx->table && ctx->table != table)
3332 if (cur_table != table)
3338 list_for_each_entry_rcu(set, &table->sets, list) {
3341 if (!nft_is_active(net, set))
3345 ctx_set.table = table;
3346 ctx_set.family = table->family;
3348 if (nf_tables_fill_set(skb, &ctx_set, set,
3352 cb->args[2] = (unsigned long) table;
3355 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3368 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3370 struct nft_ctx *ctx_dump = NULL;
3372 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3373 if (ctx_dump == NULL)
3376 cb->data = ctx_dump;
3380 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3386 /* called with rcu_read_lock held */
3387 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3388 struct sk_buff *skb, const struct nlmsghdr *nlh,
3389 const struct nlattr * const nla[],
3390 struct netlink_ext_ack *extack)
3392 u8 genmask = nft_genmask_cur(net);
3393 const struct nft_set *set;
3395 struct sk_buff *skb2;
3396 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3399 /* Verify existence before starting dump */
3400 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3405 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3406 struct netlink_dump_control c = {
3407 .start = nf_tables_dump_sets_start,
3408 .dump = nf_tables_dump_sets,
3409 .done = nf_tables_dump_sets_done,
3411 .module = THIS_MODULE,
3414 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3417 /* Only accept unspec with dump */
3418 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3419 return -EAFNOSUPPORT;
3420 if (!nla[NFTA_SET_TABLE])
3423 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3425 return PTR_ERR(set);
3427 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3431 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3435 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3442 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3443 struct nft_set_desc *desc,
3444 const struct nlattr *nla)
3446 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3449 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3450 nft_set_desc_policy, NULL);
3454 if (da[NFTA_SET_DESC_SIZE] != NULL)
3455 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3460 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3461 struct sk_buff *skb, const struct nlmsghdr *nlh,
3462 const struct nlattr * const nla[],
3463 struct netlink_ext_ack *extack)
3465 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3466 u8 genmask = nft_genmask_next(net);
3467 int family = nfmsg->nfgen_family;
3468 const struct nft_set_ops *ops;
3469 struct nft_table *table;
3470 struct nft_set *set;
3475 u32 ktype, dtype, flags, policy, gc_int, objtype;
3476 struct nft_set_desc desc;
3477 unsigned char *udata;
3481 if (nla[NFTA_SET_TABLE] == NULL ||
3482 nla[NFTA_SET_NAME] == NULL ||
3483 nla[NFTA_SET_KEY_LEN] == NULL ||
3484 nla[NFTA_SET_ID] == NULL)
3487 memset(&desc, 0, sizeof(desc));
3489 ktype = NFT_DATA_VALUE;
3490 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3491 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3492 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3496 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3497 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3501 if (nla[NFTA_SET_FLAGS] != NULL) {
3502 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3503 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3504 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3505 NFT_SET_MAP | NFT_SET_EVAL |
3508 /* Only one of these operations is supported */
3509 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3510 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3515 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3516 if (!(flags & NFT_SET_MAP))
3519 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3520 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3521 dtype != NFT_DATA_VERDICT)
3524 if (dtype != NFT_DATA_VERDICT) {
3525 if (nla[NFTA_SET_DATA_LEN] == NULL)
3527 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3528 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3531 desc.dlen = sizeof(struct nft_verdict);
3532 } else if (flags & NFT_SET_MAP)
3535 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3536 if (!(flags & NFT_SET_OBJECT))
3539 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3540 if (objtype == NFT_OBJECT_UNSPEC ||
3541 objtype > NFT_OBJECT_MAX)
3543 } else if (flags & NFT_SET_OBJECT)
3546 objtype = NFT_OBJECT_UNSPEC;
3549 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3550 if (!(flags & NFT_SET_TIMEOUT))
3553 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3558 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3559 if (!(flags & NFT_SET_TIMEOUT))
3561 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3564 policy = NFT_SET_POL_PERFORMANCE;
3565 if (nla[NFTA_SET_POLICY] != NULL)
3566 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3568 if (nla[NFTA_SET_DESC] != NULL) {
3569 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3574 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3575 if (IS_ERR(table)) {
3576 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3577 return PTR_ERR(table);
3580 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3582 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3584 if (PTR_ERR(set) != -ENOENT) {
3585 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3586 return PTR_ERR(set);
3589 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3590 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3593 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3599 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3602 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3604 return PTR_ERR(ops);
3607 if (nla[NFTA_SET_USERDATA])
3608 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3611 if (ops->privsize != NULL)
3612 size = ops->privsize(nla, &desc);
3614 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3620 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3626 err = nf_tables_set_alloc_name(&ctx, set, name);
3633 udata = set->data + size;
3634 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3637 INIT_LIST_HEAD(&set->bindings);
3639 write_pnet(&set->net, net);
3642 set->klen = desc.klen;
3644 set->objtype = objtype;
3645 set->dlen = desc.dlen;
3647 set->size = desc.size;
3648 set->policy = policy;
3651 set->timeout = timeout;
3652 set->gc_int = gc_int;
3653 set->handle = nf_tables_alloc_handle(table);
3655 err = ops->init(set, &desc, nla);
3659 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3663 list_add_tail_rcu(&set->list, &table->sets);
3674 module_put(to_set_type(ops)->owner);
3678 static void nft_set_destroy(struct nft_set *set)
3680 if (WARN_ON(set->use > 0))
3683 set->ops->destroy(set);
3684 module_put(to_set_type(set->ops)->owner);
3689 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3690 struct sk_buff *skb, const struct nlmsghdr *nlh,
3691 const struct nlattr * const nla[],
3692 struct netlink_ext_ack *extack)
3694 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3695 u8 genmask = nft_genmask_next(net);
3696 const struct nlattr *attr;
3697 struct nft_set *set;
3701 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3702 return -EAFNOSUPPORT;
3703 if (nla[NFTA_SET_TABLE] == NULL)
3706 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3711 if (nla[NFTA_SET_HANDLE]) {
3712 attr = nla[NFTA_SET_HANDLE];
3713 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3715 attr = nla[NFTA_SET_NAME];
3716 set = nft_set_lookup(ctx.table, attr, genmask);
3720 NL_SET_BAD_ATTR(extack, attr);
3721 return PTR_ERR(set);
3724 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3725 NL_SET_BAD_ATTR(extack, attr);
3729 return nft_delset(&ctx, set);
3732 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3733 struct nft_set *set,
3734 const struct nft_set_iter *iter,
3735 struct nft_set_elem *elem)
3737 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3738 enum nft_registers dreg;
3740 dreg = nft_type_to_reg(set->dtype);
3741 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3742 set->dtype == NFT_DATA_VERDICT ?
3743 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3747 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3748 struct nft_set_binding *binding)
3750 struct nft_set_binding *i;
3751 struct nft_set_iter iter;
3753 if (set->use == UINT_MAX)
3756 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3759 if (binding->flags & NFT_SET_MAP) {
3760 /* If the set is already bound to the same chain all
3761 * jumps are already validated for that chain.
3763 list_for_each_entry(i, &set->bindings, list) {
3764 if (i->flags & NFT_SET_MAP &&
3765 i->chain == binding->chain)
3769 iter.genmask = nft_genmask_next(ctx->net);
3773 iter.fn = nf_tables_bind_check_setelem;
3775 set->ops->walk(ctx, set, &iter);
3780 binding->chain = ctx->chain;
3781 list_add_tail_rcu(&binding->list, &set->bindings);
3782 nft_set_trans_bind(ctx, set);
3787 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3789 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3790 struct nft_set_binding *binding, bool event)
3792 list_del_rcu(&binding->list);
3794 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3795 list_del_rcu(&set->list);
3797 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3801 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3803 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3804 struct nft_set_binding *binding,
3805 enum nft_trans_phase phase)
3808 case NFT_TRANS_PREPARE:
3811 case NFT_TRANS_ABORT:
3812 case NFT_TRANS_RELEASE:
3816 nf_tables_unbind_set(ctx, set, binding,
3817 phase == NFT_TRANS_COMMIT);
3820 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3822 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3824 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3825 nft_set_destroy(set);
3827 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3829 const struct nft_set_ext_type nft_set_ext_types[] = {
3830 [NFT_SET_EXT_KEY] = {
3831 .align = __alignof__(u32),
3833 [NFT_SET_EXT_DATA] = {
3834 .align = __alignof__(u32),
3836 [NFT_SET_EXT_EXPR] = {
3837 .align = __alignof__(struct nft_expr),
3839 [NFT_SET_EXT_OBJREF] = {
3840 .len = sizeof(struct nft_object *),
3841 .align = __alignof__(struct nft_object *),
3843 [NFT_SET_EXT_FLAGS] = {
3845 .align = __alignof__(u8),
3847 [NFT_SET_EXT_TIMEOUT] = {
3849 .align = __alignof__(u64),
3851 [NFT_SET_EXT_EXPIRATION] = {
3853 .align = __alignof__(u64),
3855 [NFT_SET_EXT_USERDATA] = {
3856 .len = sizeof(struct nft_userdata),
3857 .align = __alignof__(struct nft_userdata),
3860 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3866 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3867 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3868 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3869 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3870 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3871 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3872 .len = NFT_USERDATA_MAXLEN },
3873 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3874 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3877 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3878 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3879 .len = NFT_TABLE_MAXNAMELEN - 1 },
3880 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3881 .len = NFT_SET_MAXNAMELEN - 1 },
3882 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3883 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3886 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3887 const struct sk_buff *skb,
3888 const struct nlmsghdr *nlh,
3889 const struct nlattr * const nla[],
3890 struct netlink_ext_ack *extack,
3893 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3894 int family = nfmsg->nfgen_family;
3895 struct nft_table *table;
3897 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3899 if (IS_ERR(table)) {
3900 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3901 return PTR_ERR(table);
3904 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3908 static int nf_tables_fill_setelem(struct sk_buff *skb,
3909 const struct nft_set *set,
3910 const struct nft_set_elem *elem)
3912 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3913 unsigned char *b = skb_tail_pointer(skb);
3914 struct nlattr *nest;
3916 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3918 goto nla_put_failure;
3920 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3921 NFT_DATA_VALUE, set->klen) < 0)
3922 goto nla_put_failure;
3924 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3925 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3926 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3928 goto nla_put_failure;
3930 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3931 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3932 goto nla_put_failure;
3934 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3935 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3936 (*nft_set_ext_obj(ext))->key.name) < 0)
3937 goto nla_put_failure;
3939 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3940 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3941 htonl(*nft_set_ext_flags(ext))))
3942 goto nla_put_failure;
3944 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3945 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3946 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3948 goto nla_put_failure;
3950 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3951 u64 expires, now = get_jiffies_64();
3953 expires = *nft_set_ext_expiration(ext);
3954 if (time_before64(now, expires))
3959 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3960 nf_jiffies64_to_msecs(expires),
3962 goto nla_put_failure;
3965 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3966 struct nft_userdata *udata;
3968 udata = nft_set_ext_userdata(ext);
3969 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3970 udata->len + 1, udata->data))
3971 goto nla_put_failure;
3974 nla_nest_end(skb, nest);
3982 struct nft_set_dump_args {
3983 const struct netlink_callback *cb;
3984 struct nft_set_iter iter;
3985 struct sk_buff *skb;
3988 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3989 struct nft_set *set,
3990 const struct nft_set_iter *iter,
3991 struct nft_set_elem *elem)
3993 struct nft_set_dump_args *args;
3995 args = container_of(iter, struct nft_set_dump_args, iter);
3996 return nf_tables_fill_setelem(args->skb, set, elem);
3999 struct nft_set_dump_ctx {
4000 const struct nft_set *set;
4004 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4006 struct nft_set_dump_ctx *dump_ctx = cb->data;
4007 struct net *net = sock_net(skb->sk);
4008 struct nft_table *table;
4009 struct nft_set *set;
4010 struct nft_set_dump_args args;
4011 bool set_found = false;
4012 struct nfgenmsg *nfmsg;
4013 struct nlmsghdr *nlh;
4014 struct nlattr *nest;
4019 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4020 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4021 dump_ctx->ctx.family != table->family)
4024 if (table != dump_ctx->ctx.table)
4027 list_for_each_entry_rcu(set, &table->sets, list) {
4028 if (set == dump_ctx->set) {
4041 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4042 portid = NETLINK_CB(cb->skb).portid;
4043 seq = cb->nlh->nlmsg_seq;
4045 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4048 goto nla_put_failure;
4050 nfmsg = nlmsg_data(nlh);
4051 nfmsg->nfgen_family = table->family;
4052 nfmsg->version = NFNETLINK_V0;
4053 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4055 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4056 goto nla_put_failure;
4057 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4058 goto nla_put_failure;
4060 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4062 goto nla_put_failure;
4066 args.iter.genmask = nft_genmask_cur(net);
4067 args.iter.skip = cb->args[0];
4068 args.iter.count = 0;
4070 args.iter.fn = nf_tables_dump_setelem;
4071 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4074 nla_nest_end(skb, nest);
4075 nlmsg_end(skb, nlh);
4077 if (args.iter.err && args.iter.err != -EMSGSIZE)
4078 return args.iter.err;
4079 if (args.iter.count == cb->args[0])
4082 cb->args[0] = args.iter.count;
4090 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4092 struct nft_set_dump_ctx *dump_ctx = cb->data;
4094 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4096 return cb->data ? 0 : -ENOMEM;
4099 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4105 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4106 const struct nft_ctx *ctx, u32 seq,
4107 u32 portid, int event, u16 flags,
4108 const struct nft_set *set,
4109 const struct nft_set_elem *elem)
4111 struct nfgenmsg *nfmsg;
4112 struct nlmsghdr *nlh;
4113 struct nlattr *nest;
4116 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4117 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4120 goto nla_put_failure;
4122 nfmsg = nlmsg_data(nlh);
4123 nfmsg->nfgen_family = ctx->family;
4124 nfmsg->version = NFNETLINK_V0;
4125 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4127 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4128 goto nla_put_failure;
4129 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4130 goto nla_put_failure;
4132 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4134 goto nla_put_failure;
4136 err = nf_tables_fill_setelem(skb, set, elem);
4138 goto nla_put_failure;
4140 nla_nest_end(skb, nest);
4142 nlmsg_end(skb, nlh);
4146 nlmsg_trim(skb, nlh);
4150 static int nft_setelem_parse_flags(const struct nft_set *set,
4151 const struct nlattr *attr, u32 *flags)
4156 *flags = ntohl(nla_get_be32(attr));
4157 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4159 if (!(set->flags & NFT_SET_INTERVAL) &&
4160 *flags & NFT_SET_ELEM_INTERVAL_END)
4166 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4167 const struct nlattr *attr)
4169 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4170 struct nft_data_desc desc;
4171 struct nft_set_elem elem;
4172 struct sk_buff *skb;
4177 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4178 nft_set_elem_policy, NULL);
4182 if (!nla[NFTA_SET_ELEM_KEY])
4185 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4189 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4190 nla[NFTA_SET_ELEM_KEY]);
4195 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4198 priv = set->ops->get(ctx->net, set, &elem, flags);
4200 return PTR_ERR(priv);
4205 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4209 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4210 NFT_MSG_NEWSETELEM, 0, set, &elem);
4214 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4215 /* This avoids a loop in nfnetlink. */
4223 /* this avoids a loop in nfnetlink. */
4224 return err == -EAGAIN ? -ENOBUFS : err;
4227 /* called with rcu_read_lock held */
4228 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4229 struct sk_buff *skb, const struct nlmsghdr *nlh,
4230 const struct nlattr * const nla[],
4231 struct netlink_ext_ack *extack)
4233 u8 genmask = nft_genmask_cur(net);
4234 struct nft_set *set;
4235 struct nlattr *attr;
4239 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4244 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4246 return PTR_ERR(set);
4248 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4249 struct netlink_dump_control c = {
4250 .start = nf_tables_dump_set_start,
4251 .dump = nf_tables_dump_set,
4252 .done = nf_tables_dump_set_done,
4253 .module = THIS_MODULE,
4255 struct nft_set_dump_ctx dump_ctx = {
4261 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4264 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4267 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4268 err = nft_get_set_elem(&ctx, set, attr);
4276 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4277 const struct nft_set *set,
4278 const struct nft_set_elem *elem,
4279 int event, u16 flags)
4281 struct net *net = ctx->net;
4282 u32 portid = ctx->portid;
4283 struct sk_buff *skb;
4286 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4289 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4293 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4300 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4304 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4307 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4309 struct nft_set *set)
4311 struct nft_trans *trans;
4313 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4317 nft_trans_elem_set(trans) = set;
4321 void *nft_set_elem_init(const struct nft_set *set,
4322 const struct nft_set_ext_tmpl *tmpl,
4323 const u32 *key, const u32 *data,
4324 u64 timeout, gfp_t gfp)
4326 struct nft_set_ext *ext;
4329 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4333 ext = nft_set_elem_ext(set, elem);
4334 nft_set_ext_init(ext, tmpl);
4336 memcpy(nft_set_ext_key(ext), key, set->klen);
4337 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4338 memcpy(nft_set_ext_data(ext), data, set->dlen);
4339 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4340 *nft_set_ext_expiration(ext) =
4341 get_jiffies_64() + timeout;
4342 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4343 *nft_set_ext_timeout(ext) = timeout;
4348 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4351 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4352 struct nft_ctx ctx = {
4353 .net = read_pnet(&set->net),
4354 .family = set->table->family,
4357 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4358 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4359 nft_data_release(nft_set_ext_data(ext), set->dtype);
4360 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4361 struct nft_expr *expr = nft_set_ext_expr(ext);
4363 if (expr->ops->destroy_clone) {
4364 expr->ops->destroy_clone(&ctx, expr);
4365 module_put(expr->ops->type->owner);
4367 nf_tables_expr_destroy(&ctx, expr);
4370 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4371 (*nft_set_ext_obj(ext))->use--;
4374 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4376 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4377 * the refcounting from the preparation phase.
4379 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4380 const struct nft_set *set, void *elem)
4382 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4384 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4385 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4389 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4390 const struct nlattr *attr, u32 nlmsg_flags)
4392 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4393 u8 genmask = nft_genmask_next(ctx->net);
4394 struct nft_data_desc d1, d2;
4395 struct nft_set_ext_tmpl tmpl;
4396 struct nft_set_ext *ext, *ext2;
4397 struct nft_set_elem elem;
4398 struct nft_set_binding *binding;
4399 struct nft_object *obj = NULL;
4400 struct nft_userdata *udata;
4401 struct nft_data data;
4402 enum nft_registers dreg;
4403 struct nft_trans *trans;
4409 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4410 nft_set_elem_policy, NULL);
4414 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4417 nft_set_ext_prepare(&tmpl);
4419 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4423 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4425 if (set->flags & NFT_SET_MAP) {
4426 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4427 !(flags & NFT_SET_ELEM_INTERVAL_END))
4429 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4430 flags & NFT_SET_ELEM_INTERVAL_END)
4433 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4438 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4439 if (!(set->flags & NFT_SET_TIMEOUT))
4441 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4445 } else if (set->flags & NFT_SET_TIMEOUT) {
4446 timeout = set->timeout;
4449 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4450 nla[NFTA_SET_ELEM_KEY]);
4454 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4457 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4459 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4460 if (timeout != set->timeout)
4461 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4464 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4465 if (!(set->flags & NFT_SET_OBJECT)) {
4469 obj = nft_obj_lookup(ctx->net, ctx->table,
4470 nla[NFTA_SET_ELEM_OBJREF],
4471 set->objtype, genmask);
4476 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4479 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4480 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4481 nla[NFTA_SET_ELEM_DATA]);
4486 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4489 dreg = nft_type_to_reg(set->dtype);
4490 list_for_each_entry(binding, &set->bindings, list) {
4491 struct nft_ctx bind_ctx = {
4493 .family = ctx->family,
4494 .table = ctx->table,
4495 .chain = (struct nft_chain *)binding->chain,
4498 if (!(binding->flags & NFT_SET_MAP))
4501 err = nft_validate_register_store(&bind_ctx, dreg,
4507 if (d2.type == NFT_DATA_VERDICT &&
4508 (data.verdict.code == NFT_GOTO ||
4509 data.verdict.code == NFT_JUMP))
4510 nft_validate_state_update(ctx->net,
4514 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4517 /* The full maximum length of userdata can exceed the maximum
4518 * offset value (U8_MAX) for following extensions, therefor it
4519 * must be the last extension added.
4522 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4523 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4525 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4530 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4531 timeout, GFP_KERNEL);
4532 if (elem.priv == NULL)
4535 ext = nft_set_elem_ext(set, elem.priv);
4537 *nft_set_ext_flags(ext) = flags;
4539 udata = nft_set_ext_userdata(ext);
4540 udata->len = ulen - 1;
4541 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4544 *nft_set_ext_obj(ext) = obj;
4548 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4552 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4553 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4555 if (err == -EEXIST) {
4556 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4557 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4558 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4559 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4563 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4564 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4565 memcmp(nft_set_ext_data(ext),
4566 nft_set_ext_data(ext2), set->dlen) != 0) ||
4567 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4568 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4569 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4571 else if (!(nlmsg_flags & NLM_F_EXCL))
4578 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4583 nft_trans_elem(trans) = elem;
4584 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4588 set->ops->remove(ctx->net, set, &elem);
4596 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4597 nft_data_release(&data, d2.type);
4599 nft_data_release(&elem.key.val, d1.type);
4604 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4605 struct sk_buff *skb, const struct nlmsghdr *nlh,
4606 const struct nlattr * const nla[],
4607 struct netlink_ext_ack *extack)
4609 u8 genmask = nft_genmask_next(net);
4610 const struct nlattr *attr;
4611 struct nft_set *set;
4615 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4618 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4623 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4624 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4626 return PTR_ERR(set);
4628 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4631 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4632 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4637 if (net->nft.validate_state == NFT_VALIDATE_DO)
4638 return nft_table_validate(net, ctx.table);
4644 * nft_data_hold - hold a nft_data item
4646 * @data: struct nft_data to release
4647 * @type: type of data
4649 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4650 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4651 * NFT_GOTO verdicts. This function must be called on active data objects
4652 * from the second phase of the commit protocol.
4654 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4656 if (type == NFT_DATA_VERDICT) {
4657 switch (data->verdict.code) {
4660 data->verdict.chain->use++;
4666 static void nft_set_elem_activate(const struct net *net,
4667 const struct nft_set *set,
4668 struct nft_set_elem *elem)
4670 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4672 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4673 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4674 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4675 (*nft_set_ext_obj(ext))->use++;
4678 static void nft_set_elem_deactivate(const struct net *net,
4679 const struct nft_set *set,
4680 struct nft_set_elem *elem)
4682 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4684 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4685 nft_data_release(nft_set_ext_data(ext), set->dtype);
4686 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4687 (*nft_set_ext_obj(ext))->use--;
4690 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4691 const struct nlattr *attr)
4693 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4694 struct nft_set_ext_tmpl tmpl;
4695 struct nft_data_desc desc;
4696 struct nft_set_elem elem;
4697 struct nft_set_ext *ext;
4698 struct nft_trans *trans;
4703 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4704 nft_set_elem_policy, NULL);
4709 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4712 nft_set_ext_prepare(&tmpl);
4714 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4718 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4720 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4721 nla[NFTA_SET_ELEM_KEY]);
4726 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4729 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4732 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4734 if (elem.priv == NULL)
4737 ext = nft_set_elem_ext(set, elem.priv);
4739 *nft_set_ext_flags(ext) = flags;
4741 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4742 if (trans == NULL) {
4747 priv = set->ops->deactivate(ctx->net, set, &elem);
4755 nft_set_elem_deactivate(ctx->net, set, &elem);
4757 nft_trans_elem(trans) = elem;
4758 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4766 nft_data_release(&elem.key.val, desc.type);
4771 static int nft_flush_set(const struct nft_ctx *ctx,
4772 struct nft_set *set,
4773 const struct nft_set_iter *iter,
4774 struct nft_set_elem *elem)
4776 struct nft_trans *trans;
4779 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4780 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4784 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4790 nft_set_elem_deactivate(ctx->net, set, elem);
4791 nft_trans_elem_set(trans) = set;
4792 nft_trans_elem(trans) = *elem;
4793 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4801 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4802 struct sk_buff *skb, const struct nlmsghdr *nlh,
4803 const struct nlattr * const nla[],
4804 struct netlink_ext_ack *extack)
4806 u8 genmask = nft_genmask_next(net);
4807 const struct nlattr *attr;
4808 struct nft_set *set;
4812 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4817 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4819 return PTR_ERR(set);
4820 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4823 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4824 struct nft_set_iter iter = {
4826 .fn = nft_flush_set,
4828 set->ops->walk(&ctx, set, &iter);
4833 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4834 err = nft_del_setelem(&ctx, set, attr);
4843 void nft_set_gc_batch_release(struct rcu_head *rcu)
4845 struct nft_set_gc_batch *gcb;
4848 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4849 for (i = 0; i < gcb->head.cnt; i++)
4850 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4853 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4855 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4858 struct nft_set_gc_batch *gcb;
4860 gcb = kzalloc(sizeof(*gcb), gfp);
4863 gcb->head.set = set;
4866 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4873 * nft_register_obj- register nf_tables stateful object type
4876 * Registers the object type for use with nf_tables. Returns zero on
4877 * success or a negative errno code otherwise.
4879 int nft_register_obj(struct nft_object_type *obj_type)
4881 if (obj_type->type == NFT_OBJECT_UNSPEC)
4884 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4885 list_add_rcu(&obj_type->list, &nf_tables_objects);
4886 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4889 EXPORT_SYMBOL_GPL(nft_register_obj);
4892 * nft_unregister_obj - unregister nf_tables object type
4895 * Unregisters the object type for use with nf_tables.
4897 void nft_unregister_obj(struct nft_object_type *obj_type)
4899 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4900 list_del_rcu(&obj_type->list);
4901 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4903 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4905 struct nft_object *nft_obj_lookup(const struct net *net,
4906 const struct nft_table *table,
4907 const struct nlattr *nla, u32 objtype,
4910 struct nft_object_hash_key k = { .table = table };
4911 char search[NFT_OBJ_MAXNAMELEN];
4912 struct rhlist_head *tmp, *list;
4913 struct nft_object *obj;
4915 nla_strlcpy(search, nla, sizeof(search));
4918 WARN_ON_ONCE(!rcu_read_lock_held() &&
4919 !lockdep_commit_lock_is_held(net));
4922 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
4926 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
4927 if (objtype == obj->ops->type->type &&
4928 nft_active_genmask(obj, genmask)) {
4935 return ERR_PTR(-ENOENT);
4937 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4939 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4940 const struct nlattr *nla,
4941 u32 objtype, u8 genmask)
4943 struct nft_object *obj;
4945 list_for_each_entry(obj, &table->objects, list) {
4946 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4947 objtype == obj->ops->type->type &&
4948 nft_active_genmask(obj, genmask))
4951 return ERR_PTR(-ENOENT);
4954 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4955 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4956 .len = NFT_TABLE_MAXNAMELEN - 1 },
4957 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4958 .len = NFT_OBJ_MAXNAMELEN - 1 },
4959 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4960 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4961 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4964 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4965 const struct nft_object_type *type,
4966 const struct nlattr *attr)
4969 const struct nft_object_ops *ops;
4970 struct nft_object *obj;
4973 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4978 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4983 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4986 if (type->select_ops) {
4987 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4997 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5001 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5014 return ERR_PTR(err);
5017 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5018 struct nft_object *obj, bool reset)
5020 struct nlattr *nest;
5022 nest = nla_nest_start(skb, attr);
5024 goto nla_put_failure;
5025 if (obj->ops->dump(skb, obj, reset) < 0)
5026 goto nla_put_failure;
5027 nla_nest_end(skb, nest);
5034 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5036 const struct nft_object_type *type;
5038 list_for_each_entry(type, &nf_tables_objects, list) {
5039 if (objtype == type->type)
5045 static const struct nft_object_type *
5046 nft_obj_type_get(struct net *net, u32 objtype)
5048 const struct nft_object_type *type;
5050 type = __nft_obj_type_get(objtype);
5051 if (type != NULL && try_module_get(type->owner))
5054 lockdep_nfnl_nft_mutex_not_held();
5055 #ifdef CONFIG_MODULES
5057 nft_request_module(net, "nft-obj-%u", objtype);
5058 if (__nft_obj_type_get(objtype))
5059 return ERR_PTR(-EAGAIN);
5062 return ERR_PTR(-ENOENT);
5065 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5066 struct sk_buff *skb, const struct nlmsghdr *nlh,
5067 const struct nlattr * const nla[],
5068 struct netlink_ext_ack *extack)
5070 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5071 const struct nft_object_type *type;
5072 u8 genmask = nft_genmask_next(net);
5073 int family = nfmsg->nfgen_family;
5074 struct nft_table *table;
5075 struct nft_object *obj;
5080 if (!nla[NFTA_OBJ_TYPE] ||
5081 !nla[NFTA_OBJ_NAME] ||
5082 !nla[NFTA_OBJ_DATA])
5085 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5086 if (IS_ERR(table)) {
5087 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5088 return PTR_ERR(table);
5091 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5092 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5095 if (err != -ENOENT) {
5096 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5100 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5101 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5107 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5109 type = nft_obj_type_get(net, objtype);
5111 return PTR_ERR(type);
5113 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5118 obj->key.table = table;
5119 obj->handle = nf_tables_alloc_handle(table);
5121 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5122 if (!obj->key.name) {
5127 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5131 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5132 nft_objname_ht_params);
5136 list_add_tail_rcu(&obj->list, &table->objects);
5140 /* queued in transaction log */
5141 INIT_LIST_HEAD(&obj->list);
5144 kfree(obj->key.name);
5146 if (obj->ops->destroy)
5147 obj->ops->destroy(&ctx, obj);
5150 module_put(type->owner);
5154 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5155 u32 portid, u32 seq, int event, u32 flags,
5156 int family, const struct nft_table *table,
5157 struct nft_object *obj, bool reset)
5159 struct nfgenmsg *nfmsg;
5160 struct nlmsghdr *nlh;
5162 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5163 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5165 goto nla_put_failure;
5167 nfmsg = nlmsg_data(nlh);
5168 nfmsg->nfgen_family = family;
5169 nfmsg->version = NFNETLINK_V0;
5170 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5172 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5173 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5174 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5175 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5176 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5177 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5179 goto nla_put_failure;
5181 nlmsg_end(skb, nlh);
5185 nlmsg_trim(skb, nlh);
5189 struct nft_obj_filter {
5194 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5196 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5197 const struct nft_table *table;
5198 unsigned int idx = 0, s_idx = cb->args[0];
5199 struct nft_obj_filter *filter = cb->data;
5200 struct net *net = sock_net(skb->sk);
5201 int family = nfmsg->nfgen_family;
5202 struct nft_object *obj;
5205 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5209 cb->seq = net->nft.base_seq;
5211 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5212 if (family != NFPROTO_UNSPEC && family != table->family)
5215 list_for_each_entry_rcu(obj, &table->objects, list) {
5216 if (!nft_is_active(net, obj))
5221 memset(&cb->args[1], 0,
5222 sizeof(cb->args) - sizeof(cb->args[0]));
5223 if (filter && filter->table &&
5224 strcmp(filter->table, table->name))
5227 filter->type != NFT_OBJECT_UNSPEC &&
5228 obj->ops->type->type != filter->type)
5231 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5234 NLM_F_MULTI | NLM_F_APPEND,
5235 table->family, table,
5239 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5251 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5253 const struct nlattr * const *nla = cb->data;
5254 struct nft_obj_filter *filter = NULL;
5256 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5257 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5261 if (nla[NFTA_OBJ_TABLE]) {
5262 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5263 if (!filter->table) {
5269 if (nla[NFTA_OBJ_TYPE])
5270 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5277 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5279 struct nft_obj_filter *filter = cb->data;
5282 kfree(filter->table);
5289 /* called with rcu_read_lock held */
5290 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5291 struct sk_buff *skb, const struct nlmsghdr *nlh,
5292 const struct nlattr * const nla[],
5293 struct netlink_ext_ack *extack)
5295 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5296 u8 genmask = nft_genmask_cur(net);
5297 int family = nfmsg->nfgen_family;
5298 const struct nft_table *table;
5299 struct nft_object *obj;
5300 struct sk_buff *skb2;
5305 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5306 struct netlink_dump_control c = {
5307 .start = nf_tables_dump_obj_start,
5308 .dump = nf_tables_dump_obj,
5309 .done = nf_tables_dump_obj_done,
5310 .module = THIS_MODULE,
5311 .data = (void *)nla,
5314 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5317 if (!nla[NFTA_OBJ_NAME] ||
5318 !nla[NFTA_OBJ_TYPE])
5321 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5322 if (IS_ERR(table)) {
5323 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5324 return PTR_ERR(table);
5327 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5328 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5330 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5331 return PTR_ERR(obj);
5334 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5338 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5341 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5342 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5343 family, table, obj, reset);
5347 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5353 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5355 if (obj->ops->destroy)
5356 obj->ops->destroy(ctx, obj);
5358 module_put(obj->ops->type->owner);
5359 kfree(obj->key.name);
5363 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5364 struct sk_buff *skb, const struct nlmsghdr *nlh,
5365 const struct nlattr * const nla[],
5366 struct netlink_ext_ack *extack)
5368 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5369 u8 genmask = nft_genmask_next(net);
5370 int family = nfmsg->nfgen_family;
5371 const struct nlattr *attr;
5372 struct nft_table *table;
5373 struct nft_object *obj;
5377 if (!nla[NFTA_OBJ_TYPE] ||
5378 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5381 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5382 if (IS_ERR(table)) {
5383 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5384 return PTR_ERR(table);
5387 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5388 if (nla[NFTA_OBJ_HANDLE]) {
5389 attr = nla[NFTA_OBJ_HANDLE];
5390 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5392 attr = nla[NFTA_OBJ_NAME];
5393 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5397 NL_SET_BAD_ATTR(extack, attr);
5398 return PTR_ERR(obj);
5401 NL_SET_BAD_ATTR(extack, attr);
5405 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5407 return nft_delobj(&ctx, obj);
5410 void nft_obj_notify(struct net *net, const struct nft_table *table,
5411 struct nft_object *obj, u32 portid, u32 seq, int event,
5412 int family, int report, gfp_t gfp)
5414 struct sk_buff *skb;
5418 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5421 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5425 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5432 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5435 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5437 EXPORT_SYMBOL_GPL(nft_obj_notify);
5439 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5440 struct nft_object *obj, int event)
5442 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5443 ctx->family, ctx->report, GFP_KERNEL);
5449 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5451 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5452 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5453 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5455 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5457 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5459 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5460 list_del_rcu(&type->list);
5461 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5463 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5465 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5466 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5467 .len = NFT_NAME_MAXLEN - 1 },
5468 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5469 .len = NFT_NAME_MAXLEN - 1 },
5470 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5471 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5474 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5475 const struct nlattr *nla, u8 genmask)
5477 struct nft_flowtable *flowtable;
5479 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5480 if (!nla_strcmp(nla, flowtable->name) &&
5481 nft_active_genmask(flowtable, genmask))
5484 return ERR_PTR(-ENOENT);
5486 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5488 static struct nft_flowtable *
5489 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5490 const struct nlattr *nla, u8 genmask)
5492 struct nft_flowtable *flowtable;
5494 list_for_each_entry(flowtable, &table->flowtables, list) {
5495 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5496 nft_active_genmask(flowtable, genmask))
5499 return ERR_PTR(-ENOENT);
5502 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5503 const struct nlattr *attr,
5504 struct net_device *dev_array[], int *len)
5506 const struct nlattr *tmp;
5507 struct net_device *dev;
5508 char ifname[IFNAMSIZ];
5509 int rem, n = 0, err;
5511 nla_for_each_nested(tmp, attr, rem) {
5512 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5517 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5518 dev = __dev_get_by_name(ctx->net, ifname);
5524 dev_array[n++] = dev;
5525 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5539 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5540 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5541 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5542 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5545 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5546 const struct nlattr *attr,
5547 struct nft_flowtable *flowtable)
5549 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5550 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5551 struct nf_hook_ops *ops;
5552 int hooknum, priority;
5555 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5556 nft_flowtable_hook_policy, NULL);
5560 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5561 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5562 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5565 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5566 if (hooknum != NF_NETDEV_INGRESS)
5569 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5571 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5576 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5580 flowtable->hooknum = hooknum;
5581 flowtable->priority = priority;
5582 flowtable->ops = ops;
5583 flowtable->ops_len = n;
5585 for (i = 0; i < n; i++) {
5586 flowtable->ops[i].pf = NFPROTO_NETDEV;
5587 flowtable->ops[i].hooknum = hooknum;
5588 flowtable->ops[i].priority = priority;
5589 flowtable->ops[i].priv = &flowtable->data;
5590 flowtable->ops[i].hook = flowtable->data.type->hook;
5591 flowtable->ops[i].dev = dev_array[i];
5597 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5599 const struct nf_flowtable_type *type;
5601 list_for_each_entry(type, &nf_tables_flowtables, list) {
5602 if (family == type->family)
5608 static const struct nf_flowtable_type *
5609 nft_flowtable_type_get(struct net *net, u8 family)
5611 const struct nf_flowtable_type *type;
5613 type = __nft_flowtable_type_get(family);
5614 if (type != NULL && try_module_get(type->owner))
5617 lockdep_nfnl_nft_mutex_not_held();
5618 #ifdef CONFIG_MODULES
5620 nft_request_module(net, "nf-flowtable-%u", family);
5621 if (__nft_flowtable_type_get(family))
5622 return ERR_PTR(-EAGAIN);
5625 return ERR_PTR(-ENOENT);
5628 static void nft_unregister_flowtable_net_hooks(struct net *net,
5629 struct nft_flowtable *flowtable)
5633 for (i = 0; i < flowtable->ops_len; i++) {
5634 if (!flowtable->ops[i].dev)
5637 nf_unregister_net_hook(net, &flowtable->ops[i]);
5641 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5642 struct sk_buff *skb,
5643 const struct nlmsghdr *nlh,
5644 const struct nlattr * const nla[],
5645 struct netlink_ext_ack *extack)
5647 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5648 const struct nf_flowtable_type *type;
5649 struct nft_flowtable *flowtable, *ft;
5650 u8 genmask = nft_genmask_next(net);
5651 int family = nfmsg->nfgen_family;
5652 struct nft_table *table;
5656 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5657 !nla[NFTA_FLOWTABLE_NAME] ||
5658 !nla[NFTA_FLOWTABLE_HOOK])
5661 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5663 if (IS_ERR(table)) {
5664 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5665 return PTR_ERR(table);
5668 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5670 if (IS_ERR(flowtable)) {
5671 err = PTR_ERR(flowtable);
5672 if (err != -ENOENT) {
5673 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5677 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5678 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5685 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5687 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5691 flowtable->table = table;
5692 flowtable->handle = nf_tables_alloc_handle(table);
5694 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5695 if (!flowtable->name) {
5700 type = nft_flowtable_type_get(net, family);
5702 err = PTR_ERR(type);
5706 flowtable->data.type = type;
5707 err = type->init(&flowtable->data);
5711 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5716 for (i = 0; i < flowtable->ops_len; i++) {
5717 if (!flowtable->ops[i].dev)
5720 list_for_each_entry(ft, &table->flowtables, list) {
5721 for (k = 0; k < ft->ops_len; k++) {
5722 if (!ft->ops[k].dev)
5725 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5726 flowtable->ops[i].pf == ft->ops[k].pf) {
5733 err = nf_register_net_hook(net, &flowtable->ops[i]);
5738 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5742 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5747 i = flowtable->ops_len;
5749 for (k = i - 1; k >= 0; k--)
5750 nf_unregister_net_hook(net, &flowtable->ops[k]);
5752 kfree(flowtable->ops);
5754 flowtable->data.type->free(&flowtable->data);
5756 module_put(type->owner);
5758 kfree(flowtable->name);
5764 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5765 struct sk_buff *skb,
5766 const struct nlmsghdr *nlh,
5767 const struct nlattr * const nla[],
5768 struct netlink_ext_ack *extack)
5770 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5771 u8 genmask = nft_genmask_next(net);
5772 int family = nfmsg->nfgen_family;
5773 struct nft_flowtable *flowtable;
5774 const struct nlattr *attr;
5775 struct nft_table *table;
5778 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5779 (!nla[NFTA_FLOWTABLE_NAME] &&
5780 !nla[NFTA_FLOWTABLE_HANDLE]))
5783 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5785 if (IS_ERR(table)) {
5786 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5787 return PTR_ERR(table);
5790 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5791 attr = nla[NFTA_FLOWTABLE_HANDLE];
5792 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5794 attr = nla[NFTA_FLOWTABLE_NAME];
5795 flowtable = nft_flowtable_lookup(table, attr, genmask);
5798 if (IS_ERR(flowtable)) {
5799 NL_SET_BAD_ATTR(extack, attr);
5800 return PTR_ERR(flowtable);
5802 if (flowtable->use > 0) {
5803 NL_SET_BAD_ATTR(extack, attr);
5807 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5809 return nft_delflowtable(&ctx, flowtable);
5812 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5813 u32 portid, u32 seq, int event,
5814 u32 flags, int family,
5815 struct nft_flowtable *flowtable)
5817 struct nlattr *nest, *nest_devs;
5818 struct nfgenmsg *nfmsg;
5819 struct nlmsghdr *nlh;
5822 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5823 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5825 goto nla_put_failure;
5827 nfmsg = nlmsg_data(nlh);
5828 nfmsg->nfgen_family = family;
5829 nfmsg->version = NFNETLINK_V0;
5830 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5832 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5833 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5834 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5835 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5836 NFTA_FLOWTABLE_PAD))
5837 goto nla_put_failure;
5839 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5841 goto nla_put_failure;
5842 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5843 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5844 goto nla_put_failure;
5846 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5848 goto nla_put_failure;
5850 for (i = 0; i < flowtable->ops_len; i++) {
5851 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5854 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5855 goto nla_put_failure;
5857 nla_nest_end(skb, nest_devs);
5858 nla_nest_end(skb, nest);
5860 nlmsg_end(skb, nlh);
5864 nlmsg_trim(skb, nlh);
5868 struct nft_flowtable_filter {
5872 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5873 struct netlink_callback *cb)
5875 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5876 struct nft_flowtable_filter *filter = cb->data;
5877 unsigned int idx = 0, s_idx = cb->args[0];
5878 struct net *net = sock_net(skb->sk);
5879 int family = nfmsg->nfgen_family;
5880 struct nft_flowtable *flowtable;
5881 const struct nft_table *table;
5884 cb->seq = net->nft.base_seq;
5886 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5887 if (family != NFPROTO_UNSPEC && family != table->family)
5890 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5891 if (!nft_is_active(net, flowtable))
5896 memset(&cb->args[1], 0,
5897 sizeof(cb->args) - sizeof(cb->args[0]));
5898 if (filter && filter->table &&
5899 strcmp(filter->table, table->name))
5902 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5904 NFT_MSG_NEWFLOWTABLE,
5905 NLM_F_MULTI | NLM_F_APPEND,
5906 table->family, flowtable) < 0)
5909 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5921 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5923 const struct nlattr * const *nla = cb->data;
5924 struct nft_flowtable_filter *filter = NULL;
5926 if (nla[NFTA_FLOWTABLE_TABLE]) {
5927 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5931 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5933 if (!filter->table) {
5943 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5945 struct nft_flowtable_filter *filter = cb->data;
5950 kfree(filter->table);
5956 /* called with rcu_read_lock held */
5957 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5958 struct sk_buff *skb,
5959 const struct nlmsghdr *nlh,
5960 const struct nlattr * const nla[],
5961 struct netlink_ext_ack *extack)
5963 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5964 u8 genmask = nft_genmask_cur(net);
5965 int family = nfmsg->nfgen_family;
5966 struct nft_flowtable *flowtable;
5967 const struct nft_table *table;
5968 struct sk_buff *skb2;
5971 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5972 struct netlink_dump_control c = {
5973 .start = nf_tables_dump_flowtable_start,
5974 .dump = nf_tables_dump_flowtable,
5975 .done = nf_tables_dump_flowtable_done,
5976 .module = THIS_MODULE,
5977 .data = (void *)nla,
5980 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5983 if (!nla[NFTA_FLOWTABLE_NAME])
5986 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5989 return PTR_ERR(table);
5991 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5993 if (IS_ERR(flowtable))
5994 return PTR_ERR(flowtable);
5996 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6000 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6002 NFT_MSG_NEWFLOWTABLE, 0, family,
6007 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6013 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6014 struct nft_flowtable *flowtable,
6017 struct sk_buff *skb;
6021 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6024 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6028 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6030 ctx->family, flowtable);
6036 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6037 ctx->report, GFP_KERNEL);
6040 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6043 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6045 kfree(flowtable->ops);
6046 kfree(flowtable->name);
6047 flowtable->data.type->free(&flowtable->data);
6048 module_put(flowtable->data.type->owner);
6052 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6053 u32 portid, u32 seq)
6055 struct nlmsghdr *nlh;
6056 struct nfgenmsg *nfmsg;
6057 char buf[TASK_COMM_LEN];
6058 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6060 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6062 goto nla_put_failure;
6064 nfmsg = nlmsg_data(nlh);
6065 nfmsg->nfgen_family = AF_UNSPEC;
6066 nfmsg->version = NFNETLINK_V0;
6067 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6069 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6070 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6071 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6072 goto nla_put_failure;
6074 nlmsg_end(skb, nlh);
6078 nlmsg_trim(skb, nlh);
6082 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6083 struct nft_flowtable *flowtable)
6087 for (i = 0; i < flowtable->ops_len; i++) {
6088 if (flowtable->ops[i].dev != dev)
6091 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6092 flowtable->ops[i].dev = NULL;
6097 static int nf_tables_flowtable_event(struct notifier_block *this,
6098 unsigned long event, void *ptr)
6100 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6101 struct nft_flowtable *flowtable;
6102 struct nft_table *table;
6105 if (event != NETDEV_UNREGISTER)
6109 mutex_lock(&net->nft.commit_mutex);
6110 list_for_each_entry(table, &net->nft.tables, list) {
6111 list_for_each_entry(flowtable, &table->flowtables, list) {
6112 nft_flowtable_event(event, dev, flowtable);
6115 mutex_unlock(&net->nft.commit_mutex);
6120 static struct notifier_block nf_tables_flowtable_notifier = {
6121 .notifier_call = nf_tables_flowtable_event,
6124 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6127 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6128 struct sk_buff *skb2;
6131 if (nlmsg_report(nlh) &&
6132 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6135 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6139 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6146 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6147 nlmsg_report(nlh), GFP_KERNEL);
6150 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6154 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6155 struct sk_buff *skb, const struct nlmsghdr *nlh,
6156 const struct nlattr * const nla[],
6157 struct netlink_ext_ack *extack)
6159 struct sk_buff *skb2;
6162 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6166 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6171 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6177 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6178 [NFT_MSG_NEWTABLE] = {
6179 .call_batch = nf_tables_newtable,
6180 .attr_count = NFTA_TABLE_MAX,
6181 .policy = nft_table_policy,
6183 [NFT_MSG_GETTABLE] = {
6184 .call_rcu = nf_tables_gettable,
6185 .attr_count = NFTA_TABLE_MAX,
6186 .policy = nft_table_policy,
6188 [NFT_MSG_DELTABLE] = {
6189 .call_batch = nf_tables_deltable,
6190 .attr_count = NFTA_TABLE_MAX,
6191 .policy = nft_table_policy,
6193 [NFT_MSG_NEWCHAIN] = {
6194 .call_batch = nf_tables_newchain,
6195 .attr_count = NFTA_CHAIN_MAX,
6196 .policy = nft_chain_policy,
6198 [NFT_MSG_GETCHAIN] = {
6199 .call_rcu = nf_tables_getchain,
6200 .attr_count = NFTA_CHAIN_MAX,
6201 .policy = nft_chain_policy,
6203 [NFT_MSG_DELCHAIN] = {
6204 .call_batch = nf_tables_delchain,
6205 .attr_count = NFTA_CHAIN_MAX,
6206 .policy = nft_chain_policy,
6208 [NFT_MSG_NEWRULE] = {
6209 .call_batch = nf_tables_newrule,
6210 .attr_count = NFTA_RULE_MAX,
6211 .policy = nft_rule_policy,
6213 [NFT_MSG_GETRULE] = {
6214 .call_rcu = nf_tables_getrule,
6215 .attr_count = NFTA_RULE_MAX,
6216 .policy = nft_rule_policy,
6218 [NFT_MSG_DELRULE] = {
6219 .call_batch = nf_tables_delrule,
6220 .attr_count = NFTA_RULE_MAX,
6221 .policy = nft_rule_policy,
6223 [NFT_MSG_NEWSET] = {
6224 .call_batch = nf_tables_newset,
6225 .attr_count = NFTA_SET_MAX,
6226 .policy = nft_set_policy,
6228 [NFT_MSG_GETSET] = {
6229 .call_rcu = nf_tables_getset,
6230 .attr_count = NFTA_SET_MAX,
6231 .policy = nft_set_policy,
6233 [NFT_MSG_DELSET] = {
6234 .call_batch = nf_tables_delset,
6235 .attr_count = NFTA_SET_MAX,
6236 .policy = nft_set_policy,
6238 [NFT_MSG_NEWSETELEM] = {
6239 .call_batch = nf_tables_newsetelem,
6240 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6241 .policy = nft_set_elem_list_policy,
6243 [NFT_MSG_GETSETELEM] = {
6244 .call_rcu = nf_tables_getsetelem,
6245 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6246 .policy = nft_set_elem_list_policy,
6248 [NFT_MSG_DELSETELEM] = {
6249 .call_batch = nf_tables_delsetelem,
6250 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6251 .policy = nft_set_elem_list_policy,
6253 [NFT_MSG_GETGEN] = {
6254 .call_rcu = nf_tables_getgen,
6256 [NFT_MSG_NEWOBJ] = {
6257 .call_batch = nf_tables_newobj,
6258 .attr_count = NFTA_OBJ_MAX,
6259 .policy = nft_obj_policy,
6261 [NFT_MSG_GETOBJ] = {
6262 .call_rcu = nf_tables_getobj,
6263 .attr_count = NFTA_OBJ_MAX,
6264 .policy = nft_obj_policy,
6266 [NFT_MSG_DELOBJ] = {
6267 .call_batch = nf_tables_delobj,
6268 .attr_count = NFTA_OBJ_MAX,
6269 .policy = nft_obj_policy,
6271 [NFT_MSG_GETOBJ_RESET] = {
6272 .call_rcu = nf_tables_getobj,
6273 .attr_count = NFTA_OBJ_MAX,
6274 .policy = nft_obj_policy,
6276 [NFT_MSG_NEWFLOWTABLE] = {
6277 .call_batch = nf_tables_newflowtable,
6278 .attr_count = NFTA_FLOWTABLE_MAX,
6279 .policy = nft_flowtable_policy,
6281 [NFT_MSG_GETFLOWTABLE] = {
6282 .call_rcu = nf_tables_getflowtable,
6283 .attr_count = NFTA_FLOWTABLE_MAX,
6284 .policy = nft_flowtable_policy,
6286 [NFT_MSG_DELFLOWTABLE] = {
6287 .call_batch = nf_tables_delflowtable,
6288 .attr_count = NFTA_FLOWTABLE_MAX,
6289 .policy = nft_flowtable_policy,
6293 static int nf_tables_validate(struct net *net)
6295 struct nft_table *table;
6297 switch (net->nft.validate_state) {
6298 case NFT_VALIDATE_SKIP:
6300 case NFT_VALIDATE_NEED:
6301 nft_validate_state_update(net, NFT_VALIDATE_DO);
6303 case NFT_VALIDATE_DO:
6304 list_for_each_entry(table, &net->nft.tables, list) {
6305 if (nft_table_validate(net, table) < 0)
6314 static void nft_chain_commit_update(struct nft_trans *trans)
6316 struct nft_base_chain *basechain;
6318 if (nft_trans_chain_name(trans)) {
6319 rhltable_remove(&trans->ctx.table->chains_ht,
6320 &trans->ctx.chain->rhlhead,
6321 nft_chain_ht_params);
6322 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6323 rhltable_insert_key(&trans->ctx.table->chains_ht,
6324 trans->ctx.chain->name,
6325 &trans->ctx.chain->rhlhead,
6326 nft_chain_ht_params);
6329 if (!nft_is_base_chain(trans->ctx.chain))
6332 basechain = nft_base_chain(trans->ctx.chain);
6333 nft_chain_stats_replace(trans->ctx.net, basechain,
6334 nft_trans_chain_stats(trans));
6336 switch (nft_trans_chain_policy(trans)) {
6339 basechain->policy = nft_trans_chain_policy(trans);
6344 static void nft_commit_release(struct nft_trans *trans)
6346 switch (trans->msg_type) {
6347 case NFT_MSG_DELTABLE:
6348 nf_tables_table_destroy(&trans->ctx);
6350 case NFT_MSG_NEWCHAIN:
6351 kfree(nft_trans_chain_name(trans));
6353 case NFT_MSG_DELCHAIN:
6354 nf_tables_chain_destroy(&trans->ctx);
6356 case NFT_MSG_DELRULE:
6357 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6359 case NFT_MSG_DELSET:
6360 nft_set_destroy(nft_trans_set(trans));
6362 case NFT_MSG_DELSETELEM:
6363 nf_tables_set_elem_destroy(&trans->ctx,
6364 nft_trans_elem_set(trans),
6365 nft_trans_elem(trans).priv);
6367 case NFT_MSG_DELOBJ:
6368 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6370 case NFT_MSG_DELFLOWTABLE:
6371 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6376 put_net(trans->ctx.net);
6381 static void nf_tables_trans_destroy_work(struct work_struct *w)
6383 struct nft_trans *trans, *next;
6386 spin_lock(&nf_tables_destroy_list_lock);
6387 list_splice_init(&nf_tables_destroy_list, &head);
6388 spin_unlock(&nf_tables_destroy_list_lock);
6390 if (list_empty(&head))
6395 list_for_each_entry_safe(trans, next, &head, list) {
6396 list_del(&trans->list);
6397 nft_commit_release(trans);
6401 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6403 struct nft_rule *rule;
6404 unsigned int alloc = 0;
6407 /* already handled or inactive chain? */
6408 if (chain->rules_next || !nft_is_active_next(net, chain))
6411 rule = list_entry(&chain->rules, struct nft_rule, list);
6414 list_for_each_entry_continue(rule, &chain->rules, list) {
6415 if (nft_is_active_next(net, rule))
6419 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6420 if (!chain->rules_next)
6423 list_for_each_entry_continue(rule, &chain->rules, list) {
6424 if (nft_is_active_next(net, rule))
6425 chain->rules_next[i++] = rule;
6428 chain->rules_next[i] = NULL;
6432 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6434 struct nft_trans *trans, *next;
6436 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6437 struct nft_chain *chain = trans->ctx.chain;
6439 if (trans->msg_type == NFT_MSG_NEWRULE ||
6440 trans->msg_type == NFT_MSG_DELRULE) {
6441 kvfree(chain->rules_next);
6442 chain->rules_next = NULL;
6447 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6449 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6454 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6456 struct nft_rule **r = rules;
6457 struct nft_rules_old *old;
6462 r++; /* rcu_head is after end marker */
6466 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6469 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6471 struct nft_rule **g0, **g1;
6474 next_genbit = nft_gencursor_next(net);
6476 g0 = rcu_dereference_protected(chain->rules_gen_0,
6477 lockdep_commit_lock_is_held(net));
6478 g1 = rcu_dereference_protected(chain->rules_gen_1,
6479 lockdep_commit_lock_is_held(net));
6481 /* No changes to this chain? */
6482 if (chain->rules_next == NULL) {
6483 /* chain had no change in last or next generation */
6487 * chain had no change in this generation; make sure next
6488 * one uses same rules as current generation.
6491 rcu_assign_pointer(chain->rules_gen_1, g0);
6492 nf_tables_commit_chain_free_rules_old(g1);
6494 rcu_assign_pointer(chain->rules_gen_0, g1);
6495 nf_tables_commit_chain_free_rules_old(g0);
6502 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6504 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6506 chain->rules_next = NULL;
6512 nf_tables_commit_chain_free_rules_old(g1);
6514 nf_tables_commit_chain_free_rules_old(g0);
6517 static void nft_obj_del(struct nft_object *obj)
6519 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6520 list_del_rcu(&obj->list);
6523 static void nft_chain_del(struct nft_chain *chain)
6525 struct nft_table *table = chain->table;
6527 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6528 nft_chain_ht_params));
6529 list_del_rcu(&chain->list);
6532 static void nf_tables_commit_release(struct net *net)
6534 struct nft_trans *trans;
6536 /* all side effects have to be made visible.
6537 * For example, if a chain named 'foo' has been deleted, a
6538 * new transaction must not find it anymore.
6540 * Memory reclaim happens asynchronously from work queue
6541 * to prevent expensive synchronize_rcu() in commit phase.
6543 if (list_empty(&net->nft.commit_list)) {
6544 mutex_unlock(&net->nft.commit_mutex);
6548 trans = list_last_entry(&net->nft.commit_list,
6549 struct nft_trans, list);
6550 get_net(trans->ctx.net);
6551 WARN_ON_ONCE(trans->put_net);
6553 trans->put_net = true;
6554 spin_lock(&nf_tables_destroy_list_lock);
6555 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6556 spin_unlock(&nf_tables_destroy_list_lock);
6558 mutex_unlock(&net->nft.commit_mutex);
6560 schedule_work(&trans_destroy_work);
6563 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6565 struct nft_trans *trans, *next;
6566 struct nft_trans_elem *te;
6567 struct nft_chain *chain;
6568 struct nft_table *table;
6570 if (list_empty(&net->nft.commit_list)) {
6571 mutex_unlock(&net->nft.commit_mutex);
6575 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6576 if (nf_tables_validate(net) < 0)
6579 /* 1. Allocate space for next generation rules_gen_X[] */
6580 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6583 if (trans->msg_type == NFT_MSG_NEWRULE ||
6584 trans->msg_type == NFT_MSG_DELRULE) {
6585 chain = trans->ctx.chain;
6587 ret = nf_tables_commit_chain_prepare(net, chain);
6589 nf_tables_commit_chain_prepare_cancel(net);
6595 /* step 2. Make rules_gen_X visible to packet path */
6596 list_for_each_entry(table, &net->nft.tables, list) {
6597 list_for_each_entry(chain, &table->chains, list)
6598 nf_tables_commit_chain(net, chain);
6602 * Bump generation counter, invalidate any dump in progress.
6603 * Cannot fail after this point.
6605 while (++net->nft.base_seq == 0);
6607 /* step 3. Start new generation, rules_gen_X now in use. */
6608 net->nft.gencursor = nft_gencursor_next(net);
6610 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6611 switch (trans->msg_type) {
6612 case NFT_MSG_NEWTABLE:
6613 if (nft_trans_table_update(trans)) {
6614 if (!nft_trans_table_enable(trans)) {
6615 nf_tables_table_disable(net,
6617 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6620 nft_clear(net, trans->ctx.table);
6622 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6623 nft_trans_destroy(trans);
6625 case NFT_MSG_DELTABLE:
6626 list_del_rcu(&trans->ctx.table->list);
6627 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6629 case NFT_MSG_NEWCHAIN:
6630 if (nft_trans_chain_update(trans)) {
6631 nft_chain_commit_update(trans);
6632 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6633 /* trans destroyed after rcu grace period */
6635 nft_clear(net, trans->ctx.chain);
6636 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6637 nft_trans_destroy(trans);
6640 case NFT_MSG_DELCHAIN:
6641 nft_chain_del(trans->ctx.chain);
6642 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6643 nf_tables_unregister_hook(trans->ctx.net,
6647 case NFT_MSG_NEWRULE:
6648 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6649 nf_tables_rule_notify(&trans->ctx,
6650 nft_trans_rule(trans),
6652 nft_trans_destroy(trans);
6654 case NFT_MSG_DELRULE:
6655 list_del_rcu(&nft_trans_rule(trans)->list);
6656 nf_tables_rule_notify(&trans->ctx,
6657 nft_trans_rule(trans),
6659 nft_rule_expr_deactivate(&trans->ctx,
6660 nft_trans_rule(trans),
6663 case NFT_MSG_NEWSET:
6664 nft_clear(net, nft_trans_set(trans));
6665 /* This avoids hitting -EBUSY when deleting the table
6666 * from the transaction.
6668 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6669 !list_empty(&nft_trans_set(trans)->bindings))
6670 trans->ctx.table->use--;
6672 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6673 NFT_MSG_NEWSET, GFP_KERNEL);
6674 nft_trans_destroy(trans);
6676 case NFT_MSG_DELSET:
6677 list_del_rcu(&nft_trans_set(trans)->list);
6678 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6679 NFT_MSG_DELSET, GFP_KERNEL);
6681 case NFT_MSG_NEWSETELEM:
6682 te = (struct nft_trans_elem *)trans->data;
6684 te->set->ops->activate(net, te->set, &te->elem);
6685 nf_tables_setelem_notify(&trans->ctx, te->set,
6687 NFT_MSG_NEWSETELEM, 0);
6688 nft_trans_destroy(trans);
6690 case NFT_MSG_DELSETELEM:
6691 te = (struct nft_trans_elem *)trans->data;
6693 nf_tables_setelem_notify(&trans->ctx, te->set,
6695 NFT_MSG_DELSETELEM, 0);
6696 te->set->ops->remove(net, te->set, &te->elem);
6697 atomic_dec(&te->set->nelems);
6700 case NFT_MSG_NEWOBJ:
6701 nft_clear(net, nft_trans_obj(trans));
6702 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6704 nft_trans_destroy(trans);
6706 case NFT_MSG_DELOBJ:
6707 nft_obj_del(nft_trans_obj(trans));
6708 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6711 case NFT_MSG_NEWFLOWTABLE:
6712 nft_clear(net, nft_trans_flowtable(trans));
6713 nf_tables_flowtable_notify(&trans->ctx,
6714 nft_trans_flowtable(trans),
6715 NFT_MSG_NEWFLOWTABLE);
6716 nft_trans_destroy(trans);
6718 case NFT_MSG_DELFLOWTABLE:
6719 list_del_rcu(&nft_trans_flowtable(trans)->list);
6720 nf_tables_flowtable_notify(&trans->ctx,
6721 nft_trans_flowtable(trans),
6722 NFT_MSG_DELFLOWTABLE);
6723 nft_unregister_flowtable_net_hooks(net,
6724 nft_trans_flowtable(trans));
6729 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6730 nf_tables_commit_release(net);
6735 static void nf_tables_abort_release(struct nft_trans *trans)
6737 switch (trans->msg_type) {
6738 case NFT_MSG_NEWTABLE:
6739 nf_tables_table_destroy(&trans->ctx);
6741 case NFT_MSG_NEWCHAIN:
6742 nf_tables_chain_destroy(&trans->ctx);
6744 case NFT_MSG_NEWRULE:
6745 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6747 case NFT_MSG_NEWSET:
6748 nft_set_destroy(nft_trans_set(trans));
6750 case NFT_MSG_NEWSETELEM:
6751 nft_set_elem_destroy(nft_trans_elem_set(trans),
6752 nft_trans_elem(trans).priv, true);
6754 case NFT_MSG_NEWOBJ:
6755 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6757 case NFT_MSG_NEWFLOWTABLE:
6758 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6764 static int __nf_tables_abort(struct net *net)
6766 struct nft_trans *trans, *next;
6767 struct nft_trans_elem *te;
6769 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6771 switch (trans->msg_type) {
6772 case NFT_MSG_NEWTABLE:
6773 if (nft_trans_table_update(trans)) {
6774 if (nft_trans_table_enable(trans)) {
6775 nf_tables_table_disable(net,
6777 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6779 nft_trans_destroy(trans);
6781 list_del_rcu(&trans->ctx.table->list);
6784 case NFT_MSG_DELTABLE:
6785 nft_clear(trans->ctx.net, trans->ctx.table);
6786 nft_trans_destroy(trans);
6788 case NFT_MSG_NEWCHAIN:
6789 if (nft_trans_chain_update(trans)) {
6790 free_percpu(nft_trans_chain_stats(trans));
6791 kfree(nft_trans_chain_name(trans));
6792 nft_trans_destroy(trans);
6794 trans->ctx.table->use--;
6795 nft_chain_del(trans->ctx.chain);
6796 nf_tables_unregister_hook(trans->ctx.net,
6801 case NFT_MSG_DELCHAIN:
6802 trans->ctx.table->use++;
6803 nft_clear(trans->ctx.net, trans->ctx.chain);
6804 nft_trans_destroy(trans);
6806 case NFT_MSG_NEWRULE:
6807 trans->ctx.chain->use--;
6808 list_del_rcu(&nft_trans_rule(trans)->list);
6809 nft_rule_expr_deactivate(&trans->ctx,
6810 nft_trans_rule(trans),
6813 case NFT_MSG_DELRULE:
6814 trans->ctx.chain->use++;
6815 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6816 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6817 nft_trans_destroy(trans);
6819 case NFT_MSG_NEWSET:
6820 trans->ctx.table->use--;
6821 if (nft_trans_set(trans)->bound) {
6822 nft_trans_destroy(trans);
6825 list_del_rcu(&nft_trans_set(trans)->list);
6827 case NFT_MSG_DELSET:
6828 trans->ctx.table->use++;
6829 nft_clear(trans->ctx.net, nft_trans_set(trans));
6830 nft_trans_destroy(trans);
6832 case NFT_MSG_NEWSETELEM:
6833 if (nft_trans_elem_set(trans)->bound) {
6834 nft_trans_destroy(trans);
6837 te = (struct nft_trans_elem *)trans->data;
6838 te->set->ops->remove(net, te->set, &te->elem);
6839 atomic_dec(&te->set->nelems);
6841 case NFT_MSG_DELSETELEM:
6842 te = (struct nft_trans_elem *)trans->data;
6844 nft_set_elem_activate(net, te->set, &te->elem);
6845 te->set->ops->activate(net, te->set, &te->elem);
6848 nft_trans_destroy(trans);
6850 case NFT_MSG_NEWOBJ:
6851 trans->ctx.table->use--;
6852 nft_obj_del(nft_trans_obj(trans));
6854 case NFT_MSG_DELOBJ:
6855 trans->ctx.table->use++;
6856 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6857 nft_trans_destroy(trans);
6859 case NFT_MSG_NEWFLOWTABLE:
6860 trans->ctx.table->use--;
6861 list_del_rcu(&nft_trans_flowtable(trans)->list);
6862 nft_unregister_flowtable_net_hooks(net,
6863 nft_trans_flowtable(trans));
6865 case NFT_MSG_DELFLOWTABLE:
6866 trans->ctx.table->use++;
6867 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6868 nft_trans_destroy(trans);
6875 list_for_each_entry_safe_reverse(trans, next,
6876 &net->nft.commit_list, list) {
6877 list_del(&trans->list);
6878 nf_tables_abort_release(trans);
6884 static void nf_tables_cleanup(struct net *net)
6886 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6889 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6891 int ret = __nf_tables_abort(net);
6893 mutex_unlock(&net->nft.commit_mutex);
6898 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6902 mutex_lock(&net->nft.commit_mutex);
6904 genid_ok = genid == 0 || net->nft.base_seq == genid;
6906 mutex_unlock(&net->nft.commit_mutex);
6908 /* else, commit mutex has to be released by commit or abort function */
6912 static const struct nfnetlink_subsystem nf_tables_subsys = {
6913 .name = "nf_tables",
6914 .subsys_id = NFNL_SUBSYS_NFTABLES,
6915 .cb_count = NFT_MSG_MAX,
6917 .commit = nf_tables_commit,
6918 .abort = nf_tables_abort,
6919 .cleanup = nf_tables_cleanup,
6920 .valid_genid = nf_tables_valid_genid,
6921 .owner = THIS_MODULE,
6924 int nft_chain_validate_dependency(const struct nft_chain *chain,
6925 enum nft_chain_types type)
6927 const struct nft_base_chain *basechain;
6929 if (nft_is_base_chain(chain)) {
6930 basechain = nft_base_chain(chain);
6931 if (basechain->type->type != type)
6936 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6938 int nft_chain_validate_hooks(const struct nft_chain *chain,
6939 unsigned int hook_flags)
6941 struct nft_base_chain *basechain;
6943 if (nft_is_base_chain(chain)) {
6944 basechain = nft_base_chain(chain);
6946 if ((1 << basechain->ops.hooknum) & hook_flags)
6954 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6957 * Loop detection - walk through the ruleset beginning at the destination chain
6958 * of a new jump until either the source chain is reached (loop) or all
6959 * reachable chains have been traversed.
6961 * The loop check is performed whenever a new jump verdict is added to an
6962 * expression or verdict map or a verdict map is bound to a new chain.
6965 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6966 const struct nft_chain *chain);
6968 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6969 struct nft_set *set,
6970 const struct nft_set_iter *iter,
6971 struct nft_set_elem *elem)
6973 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6974 const struct nft_data *data;
6976 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6977 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6980 data = nft_set_ext_data(ext);
6981 switch (data->verdict.code) {
6984 return nf_tables_check_loops(ctx, data->verdict.chain);
6990 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6991 const struct nft_chain *chain)
6993 const struct nft_rule *rule;
6994 const struct nft_expr *expr, *last;
6995 struct nft_set *set;
6996 struct nft_set_binding *binding;
6997 struct nft_set_iter iter;
6999 if (ctx->chain == chain)
7002 list_for_each_entry(rule, &chain->rules, list) {
7003 nft_rule_for_each_expr(expr, last, rule) {
7004 struct nft_immediate_expr *priv;
7005 const struct nft_data *data;
7008 if (strcmp(expr->ops->type->name, "immediate"))
7011 priv = nft_expr_priv(expr);
7012 if (priv->dreg != NFT_REG_VERDICT)
7016 switch (data->verdict.code) {
7019 err = nf_tables_check_loops(ctx,
7020 data->verdict.chain);
7029 list_for_each_entry(set, &ctx->table->sets, list) {
7030 if (!nft_is_active_next(ctx->net, set))
7032 if (!(set->flags & NFT_SET_MAP) ||
7033 set->dtype != NFT_DATA_VERDICT)
7036 list_for_each_entry(binding, &set->bindings, list) {
7037 if (!(binding->flags & NFT_SET_MAP) ||
7038 binding->chain != chain)
7041 iter.genmask = nft_genmask_next(ctx->net);
7045 iter.fn = nf_tables_loop_check_setelem;
7047 set->ops->walk(ctx, set, &iter);
7057 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7059 * @attr: netlink attribute to fetch value from
7060 * @max: maximum value to be stored in dest
7061 * @dest: pointer to the variable
7063 * Parse, check and store a given u32 netlink attribute into variable.
7064 * This function returns -ERANGE if the value goes over maximum value.
7065 * Otherwise a 0 is returned and the attribute value is stored in the
7066 * destination variable.
7068 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7072 val = ntohl(nla_get_be32(attr));
7079 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7082 * nft_parse_register - parse a register value from a netlink attribute
7084 * @attr: netlink attribute
7086 * Parse and translate a register value from a netlink attribute.
7087 * Registers used to be 128 bit wide, these register numbers will be
7088 * mapped to the corresponding 32 bit register numbers.
7090 unsigned int nft_parse_register(const struct nlattr *attr)
7094 reg = ntohl(nla_get_be32(attr));
7096 case NFT_REG_VERDICT...NFT_REG_4:
7097 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7099 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7102 EXPORT_SYMBOL_GPL(nft_parse_register);
7105 * nft_dump_register - dump a register value to a netlink attribute
7107 * @skb: socket buffer
7108 * @attr: attribute number
7109 * @reg: register number
7111 * Construct a netlink attribute containing the register number. For
7112 * compatibility reasons, register numbers being a multiple of 4 are
7113 * translated to the corresponding 128 bit register numbers.
7115 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7117 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7118 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7120 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7122 return nla_put_be32(skb, attr, htonl(reg));
7124 EXPORT_SYMBOL_GPL(nft_dump_register);
7127 * nft_validate_register_load - validate a load from a register
7129 * @reg: the register number
7130 * @len: the length of the data
7132 * Validate that the input register is one of the general purpose
7133 * registers and that the length of the load is within the bounds.
7135 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7137 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7141 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7146 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7149 * nft_validate_register_store - validate an expressions' register store
7151 * @ctx: context of the expression performing the load
7152 * @reg: the destination register number
7153 * @data: the data to load
7154 * @type: the data type
7155 * @len: the length of the data
7157 * Validate that a data load uses the appropriate data type for
7158 * the destination register and the length is within the bounds.
7159 * A value of NULL for the data means that its runtime gathered
7162 int nft_validate_register_store(const struct nft_ctx *ctx,
7163 enum nft_registers reg,
7164 const struct nft_data *data,
7165 enum nft_data_types type, unsigned int len)
7170 case NFT_REG_VERDICT:
7171 if (type != NFT_DATA_VERDICT)
7175 (data->verdict.code == NFT_GOTO ||
7176 data->verdict.code == NFT_JUMP)) {
7177 err = nf_tables_check_loops(ctx, data->verdict.chain);
7184 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7188 if (reg * NFT_REG32_SIZE + len >
7189 FIELD_SIZEOF(struct nft_regs, data))
7192 if (data != NULL && type != NFT_DATA_VALUE)
7197 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7199 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7200 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7201 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7202 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7205 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7206 struct nft_data_desc *desc, const struct nlattr *nla)
7208 u8 genmask = nft_genmask_next(ctx->net);
7209 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7210 struct nft_chain *chain;
7213 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
7218 if (!tb[NFTA_VERDICT_CODE])
7220 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7222 switch (data->verdict.code) {
7224 switch (data->verdict.code & NF_VERDICT_MASK) {
7239 if (!tb[NFTA_VERDICT_CHAIN])
7241 chain = nft_chain_lookup(ctx->net, ctx->table,
7242 tb[NFTA_VERDICT_CHAIN], genmask);
7244 return PTR_ERR(chain);
7245 if (nft_is_base_chain(chain))
7249 data->verdict.chain = chain;
7253 desc->len = sizeof(data->verdict);
7254 desc->type = NFT_DATA_VERDICT;
7258 static void nft_verdict_uninit(const struct nft_data *data)
7260 switch (data->verdict.code) {
7263 data->verdict.chain->use--;
7268 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7270 struct nlattr *nest;
7272 nest = nla_nest_start(skb, type);
7274 goto nla_put_failure;
7276 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7277 goto nla_put_failure;
7282 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7284 goto nla_put_failure;
7286 nla_nest_end(skb, nest);
7293 static int nft_value_init(const struct nft_ctx *ctx,
7294 struct nft_data *data, unsigned int size,
7295 struct nft_data_desc *desc, const struct nlattr *nla)
7305 nla_memcpy(data->data, nla, len);
7306 desc->type = NFT_DATA_VALUE;
7311 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7314 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7317 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7318 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7319 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7323 * nft_data_init - parse nf_tables data netlink attributes
7325 * @ctx: context of the expression using the data
7326 * @data: destination struct nft_data
7327 * @size: maximum data length
7328 * @desc: data description
7329 * @nla: netlink attribute containing data
7331 * Parse the netlink data attributes and initialize a struct nft_data.
7332 * The type and length of data are returned in the data description.
7334 * The caller can indicate that it only wants to accept data of type
7335 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7337 int nft_data_init(const struct nft_ctx *ctx,
7338 struct nft_data *data, unsigned int size,
7339 struct nft_data_desc *desc, const struct nlattr *nla)
7341 struct nlattr *tb[NFTA_DATA_MAX + 1];
7344 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
7348 if (tb[NFTA_DATA_VALUE])
7349 return nft_value_init(ctx, data, size, desc,
7350 tb[NFTA_DATA_VALUE]);
7351 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7352 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7355 EXPORT_SYMBOL_GPL(nft_data_init);
7358 * nft_data_release - release a nft_data item
7360 * @data: struct nft_data to release
7361 * @type: type of data
7363 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7364 * all others need to be released by calling this function.
7366 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7368 if (type < NFT_DATA_VERDICT)
7371 case NFT_DATA_VERDICT:
7372 return nft_verdict_uninit(data);
7377 EXPORT_SYMBOL_GPL(nft_data_release);
7379 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7380 enum nft_data_types type, unsigned int len)
7382 struct nlattr *nest;
7385 nest = nla_nest_start(skb, attr);
7390 case NFT_DATA_VALUE:
7391 err = nft_value_dump(skb, data, len);
7393 case NFT_DATA_VERDICT:
7394 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7401 nla_nest_end(skb, nest);
7404 EXPORT_SYMBOL_GPL(nft_data_dump);
7406 int __nft_release_basechain(struct nft_ctx *ctx)
7408 struct nft_rule *rule, *nr;
7410 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7413 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7414 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7415 list_del(&rule->list);
7417 nf_tables_rule_release(ctx, rule);
7419 nft_chain_del(ctx->chain);
7421 nf_tables_chain_destroy(ctx);
7425 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7427 static void __nft_release_tables(struct net *net)
7429 struct nft_flowtable *flowtable, *nf;
7430 struct nft_table *table, *nt;
7431 struct nft_chain *chain, *nc;
7432 struct nft_object *obj, *ne;
7433 struct nft_rule *rule, *nr;
7434 struct nft_set *set, *ns;
7435 struct nft_ctx ctx = {
7437 .family = NFPROTO_NETDEV,
7440 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7441 ctx.family = table->family;
7443 list_for_each_entry(chain, &table->chains, list)
7444 nf_tables_unregister_hook(net, table, chain);
7445 /* No packets are walking on these chains anymore. */
7447 list_for_each_entry(chain, &table->chains, list) {
7449 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7450 list_del(&rule->list);
7452 nf_tables_rule_release(&ctx, rule);
7455 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7456 list_del(&flowtable->list);
7458 nf_tables_flowtable_destroy(flowtable);
7460 list_for_each_entry_safe(set, ns, &table->sets, list) {
7461 list_del(&set->list);
7463 nft_set_destroy(set);
7465 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7468 nft_obj_destroy(&ctx, obj);
7470 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7472 nft_chain_del(chain);
7474 nf_tables_chain_destroy(&ctx);
7476 list_del(&table->list);
7477 nf_tables_table_destroy(&ctx);
7481 static int __net_init nf_tables_init_net(struct net *net)
7483 INIT_LIST_HEAD(&net->nft.tables);
7484 INIT_LIST_HEAD(&net->nft.commit_list);
7485 mutex_init(&net->nft.commit_mutex);
7486 net->nft.base_seq = 1;
7487 net->nft.validate_state = NFT_VALIDATE_SKIP;
7492 static void __net_exit nf_tables_exit_net(struct net *net)
7494 mutex_lock(&net->nft.commit_mutex);
7495 if (!list_empty(&net->nft.commit_list))
7496 __nf_tables_abort(net);
7497 __nft_release_tables(net);
7498 mutex_unlock(&net->nft.commit_mutex);
7499 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7502 static struct pernet_operations nf_tables_net_ops = {
7503 .init = nf_tables_init_net,
7504 .exit = nf_tables_exit_net,
7507 static int __init nf_tables_module_init(void)
7511 spin_lock_init(&nf_tables_destroy_list_lock);
7512 err = register_pernet_subsys(&nf_tables_net_ops);
7516 err = nft_chain_filter_init();
7520 err = nf_tables_core_module_init();
7524 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7528 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7533 err = nfnetlink_subsys_register(&nf_tables_subsys);
7539 rhltable_destroy(&nft_objname_ht);
7541 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7543 nf_tables_core_module_exit();
7545 nft_chain_filter_fini();
7547 unregister_pernet_subsys(&nf_tables_net_ops);
7551 static void __exit nf_tables_module_exit(void)
7553 nfnetlink_subsys_unregister(&nf_tables_subsys);
7554 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7555 nft_chain_filter_fini();
7556 unregister_pernet_subsys(&nf_tables_net_ops);
7557 cancel_work_sync(&trans_destroy_work);
7559 rhltable_destroy(&nft_objname_ht);
7560 nf_tables_core_module_exit();
7563 module_init(nf_tables_module_init);
7564 module_exit(nf_tables_module_exit);
7566 MODULE_LICENSE("GPL");
7567 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7568 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob