1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
36 NFT_VALIDATE_SKIP = 0,
41 static struct rhltable nft_objname_ht;
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
51 static const struct rhashtable_params nft_chain_ht_params = {
52 .head_offset = offsetof(struct nft_chain, rhlhead),
53 .key_offset = offsetof(struct nft_chain, name),
54 .hashfn = nft_chain_hash,
55 .obj_hashfn = nft_chain_hash_obj,
56 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
71 switch (net->nft.validate_state) {
72 case NFT_VALIDATE_SKIP:
73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
75 case NFT_VALIDATE_NEED:
78 if (new_validate_state == NFT_VALIDATE_NEED)
82 net->nft.validate_state = new_validate_state;
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
87 static void nft_ctx_init(struct nft_ctx *ctx,
89 const struct sk_buff *skb,
90 const struct nlmsghdr *nlh,
92 struct nft_table *table,
93 struct nft_chain *chain,
94 const struct nlattr * const *nla)
102 ctx->portid = NETLINK_CB(skb).portid;
103 ctx->report = nlmsg_report(nlh);
104 ctx->flags = nlh->nlmsg_flags;
105 ctx->seq = nlh->nlmsg_seq;
108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
109 int msg_type, u32 size, gfp_t gfp)
111 struct nft_trans *trans;
113 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
117 trans->msg_type = msg_type;
123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
124 int msg_type, u32 size)
126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
129 static void nft_trans_destroy(struct nft_trans *trans)
131 list_del(&trans->list);
135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
137 struct net *net = ctx->net;
138 struct nft_trans *trans;
140 if (!nft_set_is_anonymous(set))
143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
144 switch (trans->msg_type) {
146 if (nft_trans_set(trans) == set)
147 nft_trans_set_bound(trans) = true;
149 case NFT_MSG_NEWSETELEM:
150 if (nft_trans_elem_set(trans) == set)
151 nft_trans_elem_set_bound(trans) = true;
157 static int nft_netdev_register_hooks(struct net *net,
158 struct list_head *hook_list)
160 struct nft_hook *hook;
164 list_for_each_entry(hook, hook_list, list) {
165 err = nf_register_net_hook(net, &hook->ops);
174 list_for_each_entry(hook, hook_list, list) {
178 nf_unregister_net_hook(net, &hook->ops);
183 static void nft_netdev_unregister_hooks(struct net *net,
184 struct list_head *hook_list)
186 struct nft_hook *hook;
188 list_for_each_entry(hook, hook_list, list)
189 nf_unregister_net_hook(net, &hook->ops);
192 static int nf_tables_register_hook(struct net *net,
193 const struct nft_table *table,
194 struct nft_chain *chain)
196 struct nft_base_chain *basechain;
197 const struct nf_hook_ops *ops;
199 if (table->flags & NFT_TABLE_F_DORMANT ||
200 !nft_is_base_chain(chain))
203 basechain = nft_base_chain(chain);
204 ops = &basechain->ops;
206 if (basechain->type->ops_register)
207 return basechain->type->ops_register(net, ops);
209 if (table->family == NFPROTO_NETDEV)
210 return nft_netdev_register_hooks(net, &basechain->hook_list);
212 return nf_register_net_hook(net, &basechain->ops);
215 static void nf_tables_unregister_hook(struct net *net,
216 const struct nft_table *table,
217 struct nft_chain *chain)
219 struct nft_base_chain *basechain;
220 const struct nf_hook_ops *ops;
222 if (table->flags & NFT_TABLE_F_DORMANT ||
223 !nft_is_base_chain(chain))
225 basechain = nft_base_chain(chain);
226 ops = &basechain->ops;
228 if (basechain->type->ops_unregister)
229 return basechain->type->ops_unregister(net, ops);
231 if (table->family == NFPROTO_NETDEV)
232 nft_netdev_unregister_hooks(net, &basechain->hook_list);
234 nf_unregister_net_hook(net, &basechain->ops);
237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
239 struct nft_trans *trans;
241 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
245 if (msg_type == NFT_MSG_NEWTABLE)
246 nft_activate_next(ctx->net, ctx->table);
248 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
252 static int nft_deltable(struct nft_ctx *ctx)
256 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
260 nft_deactivate_next(ctx->net, ctx->table);
264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
266 struct nft_trans *trans;
268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
270 return ERR_PTR(-ENOMEM);
272 if (msg_type == NFT_MSG_NEWCHAIN) {
273 nft_activate_next(ctx->net, ctx->chain);
275 if (ctx->nla[NFTA_CHAIN_ID]) {
276 nft_trans_chain_id(trans) =
277 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
281 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
285 static int nft_delchain(struct nft_ctx *ctx)
287 struct nft_trans *trans;
289 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
291 return PTR_ERR(trans);
294 nft_deactivate_next(ctx->net, ctx->chain);
299 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
300 struct nft_rule *rule)
302 struct nft_expr *expr;
304 expr = nft_expr_first(rule);
305 while (expr != nft_expr_last(rule) && expr->ops) {
306 if (expr->ops->activate)
307 expr->ops->activate(ctx, expr);
309 expr = nft_expr_next(expr);
313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
314 struct nft_rule *rule,
315 enum nft_trans_phase phase)
317 struct nft_expr *expr;
319 expr = nft_expr_first(rule);
320 while (expr != nft_expr_last(rule) && expr->ops) {
321 if (expr->ops->deactivate)
322 expr->ops->deactivate(ctx, expr, phase);
324 expr = nft_expr_next(expr);
329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
331 /* You cannot delete the same rule twice */
332 if (nft_is_active_next(ctx->net, rule)) {
333 nft_deactivate_next(ctx->net, rule);
340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
341 struct nft_rule *rule)
343 struct nft_trans *trans;
345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
349 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
350 nft_trans_rule_id(trans) =
351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
353 nft_trans_rule(trans) = rule;
354 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
361 struct nft_flow_rule *flow;
362 struct nft_trans *trans;
365 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
369 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
370 flow = nft_flow_rule_create(ctx->net, rule);
372 nft_trans_destroy(trans);
373 return PTR_ERR(flow);
376 nft_trans_flow_rule(trans) = flow;
379 err = nf_tables_delrule_deactivate(ctx, rule);
381 nft_trans_destroy(trans);
384 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
389 static int nft_delrule_by_chain(struct nft_ctx *ctx)
391 struct nft_rule *rule;
394 list_for_each_entry(rule, &ctx->chain->rules, list) {
395 if (!nft_is_active_next(ctx->net, rule))
398 err = nft_delrule(ctx, rule);
405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
408 struct nft_trans *trans;
410 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
414 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
415 nft_trans_set_id(trans) =
416 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
417 nft_activate_next(ctx->net, set);
419 nft_trans_set(trans) = set;
420 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
429 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
433 nft_deactivate_next(ctx->net, set);
439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
440 struct nft_object *obj)
442 struct nft_trans *trans;
444 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
448 if (msg_type == NFT_MSG_NEWOBJ)
449 nft_activate_next(ctx->net, obj);
451 nft_trans_obj(trans) = obj;
452 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
461 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
465 nft_deactivate_next(ctx->net, obj);
471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
472 struct nft_flowtable *flowtable)
474 struct nft_trans *trans;
476 trans = nft_trans_alloc(ctx, msg_type,
477 sizeof(struct nft_trans_flowtable));
481 if (msg_type == NFT_MSG_NEWFLOWTABLE)
482 nft_activate_next(ctx->net, flowtable);
484 nft_trans_flowtable(trans) = flowtable;
485 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
490 static int nft_delflowtable(struct nft_ctx *ctx,
491 struct nft_flowtable *flowtable)
495 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
499 nft_deactivate_next(ctx->net, flowtable);
509 static struct nft_table *nft_table_lookup(const struct net *net,
510 const struct nlattr *nla,
511 u8 family, u8 genmask)
513 struct nft_table *table;
516 return ERR_PTR(-EINVAL);
518 list_for_each_entry_rcu(table, &net->nft.tables, list,
519 lockdep_is_held(&net->nft.commit_mutex)) {
520 if (!nla_strcmp(nla, table->name) &&
521 table->family == family &&
522 nft_active_genmask(table, genmask))
526 return ERR_PTR(-ENOENT);
529 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
530 const struct nlattr *nla,
533 struct nft_table *table;
535 list_for_each_entry(table, &net->nft.tables, list) {
536 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
537 nft_active_genmask(table, genmask))
541 return ERR_PTR(-ENOENT);
544 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
546 return ++table->hgenerator;
549 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
551 static const struct nft_chain_type *
552 __nft_chain_type_get(u8 family, enum nft_chain_types type)
554 if (family >= NFPROTO_NUMPROTO ||
555 type >= NFT_CHAIN_T_MAX)
558 return chain_type[family][type];
561 static const struct nft_chain_type *
562 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
564 const struct nft_chain_type *type;
567 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
568 type = __nft_chain_type_get(family, i);
571 if (!nla_strcmp(nla, type->name))
577 struct nft_module_request {
578 struct list_head list;
579 char module[MODULE_NAME_LEN];
583 #ifdef CONFIG_MODULES
584 static int nft_request_module(struct net *net, const char *fmt, ...)
586 char module_name[MODULE_NAME_LEN];
587 struct nft_module_request *req;
592 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
594 if (ret >= MODULE_NAME_LEN)
597 list_for_each_entry(req, &net->nft.module_list, list) {
598 if (!strcmp(req->module, module_name)) {
602 /* A request to load this module already exists. */
607 req = kmalloc(sizeof(*req), GFP_KERNEL);
612 strlcpy(req->module, module_name, MODULE_NAME_LEN);
613 list_add_tail(&req->list, &net->nft.module_list);
619 static void lockdep_nfnl_nft_mutex_not_held(void)
621 #ifdef CONFIG_PROVE_LOCKING
622 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
626 static const struct nft_chain_type *
627 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
628 u8 family, bool autoload)
630 const struct nft_chain_type *type;
632 type = __nf_tables_chain_type_lookup(nla, family);
636 lockdep_nfnl_nft_mutex_not_held();
637 #ifdef CONFIG_MODULES
639 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
641 (const char *)nla_data(nla)) == -EAGAIN)
642 return ERR_PTR(-EAGAIN);
645 return ERR_PTR(-ENOENT);
648 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
649 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
650 .len = NFT_TABLE_MAXNAMELEN - 1 },
651 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
652 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
655 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
656 u32 portid, u32 seq, int event, u32 flags,
657 int family, const struct nft_table *table)
659 struct nlmsghdr *nlh;
660 struct nfgenmsg *nfmsg;
662 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
663 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
665 goto nla_put_failure;
667 nfmsg = nlmsg_data(nlh);
668 nfmsg->nfgen_family = family;
669 nfmsg->version = NFNETLINK_V0;
670 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
672 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
673 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
674 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
675 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
677 goto nla_put_failure;
683 nlmsg_trim(skb, nlh);
687 struct nftnl_skb_parms {
690 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
692 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
693 struct list_head *notify_list)
695 NFT_CB(skb).report = report;
696 list_add_tail(&skb->list, notify_list);
699 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
703 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
704 ctx->table->name, ctx->table->handle);
709 event == NFT_MSG_NEWTABLE ?
710 AUDIT_NFT_OP_TABLE_REGISTER :
711 AUDIT_NFT_OP_TABLE_UNREGISTER,
716 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
719 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
723 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
724 event, 0, ctx->family, ctx->table);
730 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
733 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
736 static int nf_tables_dump_tables(struct sk_buff *skb,
737 struct netlink_callback *cb)
739 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
740 const struct nft_table *table;
741 unsigned int idx = 0, s_idx = cb->args[0];
742 struct net *net = sock_net(skb->sk);
743 int family = nfmsg->nfgen_family;
746 cb->seq = net->nft.base_seq;
748 list_for_each_entry_rcu(table, &net->nft.tables, list) {
749 if (family != NFPROTO_UNSPEC && family != table->family)
755 memset(&cb->args[1], 0,
756 sizeof(cb->args) - sizeof(cb->args[0]));
757 if (!nft_is_active(net, table))
759 if (nf_tables_fill_table_info(skb, net,
760 NETLINK_CB(cb->skb).portid,
762 NFT_MSG_NEWTABLE, NLM_F_MULTI,
763 table->family, table) < 0)
766 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
776 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
777 const struct nlmsghdr *nlh,
778 struct netlink_dump_control *c)
782 if (!try_module_get(THIS_MODULE))
786 err = netlink_dump_start(nlsk, skb, nlh, c);
788 module_put(THIS_MODULE);
793 /* called with rcu_read_lock held */
794 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
795 struct sk_buff *skb, const struct nlmsghdr *nlh,
796 const struct nlattr * const nla[],
797 struct netlink_ext_ack *extack)
799 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
800 u8 genmask = nft_genmask_cur(net);
801 const struct nft_table *table;
802 struct sk_buff *skb2;
803 int family = nfmsg->nfgen_family;
806 if (nlh->nlmsg_flags & NLM_F_DUMP) {
807 struct netlink_dump_control c = {
808 .dump = nf_tables_dump_tables,
809 .module = THIS_MODULE,
812 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
815 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
817 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
818 return PTR_ERR(table);
821 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
825 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
826 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
829 goto err_fill_table_info;
831 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
838 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
840 struct nft_chain *chain;
843 list_for_each_entry(chain, &table->chains, list) {
844 if (!nft_is_active_next(net, chain))
846 if (!nft_is_base_chain(chain))
849 if (cnt && i++ == cnt)
852 nf_tables_unregister_hook(net, table, chain);
856 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
858 struct nft_chain *chain;
861 list_for_each_entry(chain, &table->chains, list) {
862 if (!nft_is_active_next(net, chain))
864 if (!nft_is_base_chain(chain))
867 err = nf_tables_register_hook(net, table, chain);
869 goto err_register_hooks;
877 nft_table_disable(net, table, i);
881 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
883 nft_table_disable(net, table, 0);
886 static int nf_tables_updtable(struct nft_ctx *ctx)
888 struct nft_trans *trans;
892 if (!ctx->nla[NFTA_TABLE_FLAGS])
895 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
896 if (flags & ~NFT_TABLE_F_DORMANT)
899 if (flags == ctx->table->flags)
902 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
903 sizeof(struct nft_trans_table));
907 if ((flags & NFT_TABLE_F_DORMANT) &&
908 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
909 nft_trans_table_enable(trans) = false;
910 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
911 ctx->table->flags & NFT_TABLE_F_DORMANT) {
912 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
913 ret = nf_tables_table_enable(ctx->net, ctx->table);
915 nft_trans_table_enable(trans) = true;
917 ctx->table->flags |= NFT_TABLE_F_DORMANT;
922 nft_trans_table_update(trans) = true;
923 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
926 nft_trans_destroy(trans);
930 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
932 const char *name = data;
934 return jhash(name, strlen(name), seed);
937 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
939 const struct nft_chain *chain = data;
941 return nft_chain_hash(chain->name, 0, seed);
944 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
947 const struct nft_chain *chain = ptr;
948 const char *name = arg->key;
950 return strcmp(chain->name, name);
953 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
955 const struct nft_object_hash_key *k = data;
957 seed ^= hash_ptr(k->table, 32);
959 return jhash(k->name, strlen(k->name), seed);
962 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
964 const struct nft_object *obj = data;
966 return nft_objname_hash(&obj->key, 0, seed);
969 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
972 const struct nft_object_hash_key *k = arg->key;
973 const struct nft_object *obj = ptr;
975 if (obj->key.table != k->table)
978 return strcmp(obj->key.name, k->name);
981 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
982 struct sk_buff *skb, const struct nlmsghdr *nlh,
983 const struct nlattr * const nla[],
984 struct netlink_ext_ack *extack)
986 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
987 u8 genmask = nft_genmask_next(net);
988 int family = nfmsg->nfgen_family;
989 const struct nlattr *attr;
990 struct nft_table *table;
995 lockdep_assert_held(&net->nft.commit_mutex);
996 attr = nla[NFTA_TABLE_NAME];
997 table = nft_table_lookup(net, attr, family, genmask);
999 if (PTR_ERR(table) != -ENOENT)
1000 return PTR_ERR(table);
1002 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1003 NL_SET_BAD_ATTR(extack, attr);
1006 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1009 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1010 return nf_tables_updtable(&ctx);
1013 if (nla[NFTA_TABLE_FLAGS]) {
1014 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1015 if (flags & ~NFT_TABLE_F_DORMANT)
1020 table = kzalloc(sizeof(*table), GFP_KERNEL);
1024 table->name = nla_strdup(attr, GFP_KERNEL);
1025 if (table->name == NULL)
1028 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1032 INIT_LIST_HEAD(&table->chains);
1033 INIT_LIST_HEAD(&table->sets);
1034 INIT_LIST_HEAD(&table->objects);
1035 INIT_LIST_HEAD(&table->flowtables);
1036 table->family = family;
1037 table->flags = flags;
1038 table->handle = ++table_handle;
1040 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1041 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1045 list_add_tail_rcu(&table->list, &net->nft.tables);
1048 rhltable_destroy(&table->chains_ht);
1057 static int nft_flush_table(struct nft_ctx *ctx)
1059 struct nft_flowtable *flowtable, *nft;
1060 struct nft_chain *chain, *nc;
1061 struct nft_object *obj, *ne;
1062 struct nft_set *set, *ns;
1065 list_for_each_entry(chain, &ctx->table->chains, list) {
1066 if (!nft_is_active_next(ctx->net, chain))
1069 if (nft_chain_is_bound(chain))
1074 err = nft_delrule_by_chain(ctx);
1079 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1080 if (!nft_is_active_next(ctx->net, set))
1083 if (nft_set_is_anonymous(set) &&
1084 !list_empty(&set->bindings))
1087 err = nft_delset(ctx, set);
1092 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1093 if (!nft_is_active_next(ctx->net, flowtable))
1096 err = nft_delflowtable(ctx, flowtable);
1101 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1102 if (!nft_is_active_next(ctx->net, obj))
1105 err = nft_delobj(ctx, obj);
1110 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1111 if (!nft_is_active_next(ctx->net, chain))
1114 if (nft_chain_is_bound(chain))
1119 err = nft_delchain(ctx);
1124 err = nft_deltable(ctx);
1129 static int nft_flush(struct nft_ctx *ctx, int family)
1131 struct nft_table *table, *nt;
1132 const struct nlattr * const *nla = ctx->nla;
1135 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1136 if (family != AF_UNSPEC && table->family != family)
1139 ctx->family = table->family;
1141 if (!nft_is_active_next(ctx->net, table))
1144 if (nla[NFTA_TABLE_NAME] &&
1145 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1150 err = nft_flush_table(ctx);
1158 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1159 struct sk_buff *skb, const struct nlmsghdr *nlh,
1160 const struct nlattr * const nla[],
1161 struct netlink_ext_ack *extack)
1163 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1164 u8 genmask = nft_genmask_next(net);
1165 int family = nfmsg->nfgen_family;
1166 const struct nlattr *attr;
1167 struct nft_table *table;
1170 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1171 if (family == AF_UNSPEC ||
1172 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1173 return nft_flush(&ctx, family);
1175 if (nla[NFTA_TABLE_HANDLE]) {
1176 attr = nla[NFTA_TABLE_HANDLE];
1177 table = nft_table_lookup_byhandle(net, attr, genmask);
1179 attr = nla[NFTA_TABLE_NAME];
1180 table = nft_table_lookup(net, attr, family, genmask);
1183 if (IS_ERR(table)) {
1184 NL_SET_BAD_ATTR(extack, attr);
1185 return PTR_ERR(table);
1188 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1192 ctx.family = family;
1195 return nft_flush_table(&ctx);
1198 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1200 if (WARN_ON(ctx->table->use > 0))
1203 rhltable_destroy(&ctx->table->chains_ht);
1204 kfree(ctx->table->name);
1208 void nft_register_chain_type(const struct nft_chain_type *ctype)
1210 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1211 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1212 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1215 chain_type[ctype->family][ctype->type] = ctype;
1216 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1218 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1220 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1222 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1223 chain_type[ctype->family][ctype->type] = NULL;
1224 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1226 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1232 static struct nft_chain *
1233 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1235 struct nft_chain *chain;
1237 list_for_each_entry(chain, &table->chains, list) {
1238 if (chain->handle == handle &&
1239 nft_active_genmask(chain, genmask))
1243 return ERR_PTR(-ENOENT);
1246 static bool lockdep_commit_lock_is_held(const struct net *net)
1248 #ifdef CONFIG_PROVE_LOCKING
1249 return lockdep_is_held(&net->nft.commit_mutex);
1255 static struct nft_chain *nft_chain_lookup(struct net *net,
1256 struct nft_table *table,
1257 const struct nlattr *nla, u8 genmask)
1259 char search[NFT_CHAIN_MAXNAMELEN + 1];
1260 struct rhlist_head *tmp, *list;
1261 struct nft_chain *chain;
1264 return ERR_PTR(-EINVAL);
1266 nla_strlcpy(search, nla, sizeof(search));
1268 WARN_ON(!rcu_read_lock_held() &&
1269 !lockdep_commit_lock_is_held(net));
1271 chain = ERR_PTR(-ENOENT);
1273 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1277 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1278 if (nft_active_genmask(chain, genmask))
1281 chain = ERR_PTR(-ENOENT);
1287 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1288 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1289 .len = NFT_TABLE_MAXNAMELEN - 1 },
1290 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1291 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1292 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1293 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1294 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1295 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1296 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1297 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1298 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1299 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1302 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1303 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1304 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1305 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1306 .len = IFNAMSIZ - 1 },
1309 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1311 struct nft_stats *cpu_stats, total;
1312 struct nlattr *nest;
1320 memset(&total, 0, sizeof(total));
1321 for_each_possible_cpu(cpu) {
1322 cpu_stats = per_cpu_ptr(stats, cpu);
1324 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1325 pkts = cpu_stats->pkts;
1326 bytes = cpu_stats->bytes;
1327 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1329 total.bytes += bytes;
1331 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1333 goto nla_put_failure;
1335 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1336 NFTA_COUNTER_PAD) ||
1337 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1339 goto nla_put_failure;
1341 nla_nest_end(skb, nest);
1348 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1349 const struct nft_base_chain *basechain)
1351 const struct nf_hook_ops *ops = &basechain->ops;
1352 struct nft_hook *hook, *first = NULL;
1353 struct nlattr *nest, *nest_devs;
1356 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1358 goto nla_put_failure;
1359 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1360 goto nla_put_failure;
1361 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1362 goto nla_put_failure;
1364 if (family == NFPROTO_NETDEV) {
1365 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1366 list_for_each_entry(hook, &basechain->hook_list, list) {
1370 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1371 hook->ops.dev->name))
1372 goto nla_put_failure;
1375 nla_nest_end(skb, nest_devs);
1378 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1379 goto nla_put_failure;
1381 nla_nest_end(skb, nest);
1388 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1389 u32 portid, u32 seq, int event, u32 flags,
1390 int family, const struct nft_table *table,
1391 const struct nft_chain *chain)
1393 struct nlmsghdr *nlh;
1394 struct nfgenmsg *nfmsg;
1396 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1397 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1399 goto nla_put_failure;
1401 nfmsg = nlmsg_data(nlh);
1402 nfmsg->nfgen_family = family;
1403 nfmsg->version = NFNETLINK_V0;
1404 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1406 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1407 goto nla_put_failure;
1408 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1410 goto nla_put_failure;
1411 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1412 goto nla_put_failure;
1414 if (nft_is_base_chain(chain)) {
1415 const struct nft_base_chain *basechain = nft_base_chain(chain);
1416 struct nft_stats __percpu *stats;
1418 if (nft_dump_basechain_hook(skb, family, basechain))
1419 goto nla_put_failure;
1421 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1422 htonl(basechain->policy)))
1423 goto nla_put_failure;
1425 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1426 goto nla_put_failure;
1428 stats = rcu_dereference_check(basechain->stats,
1429 lockdep_commit_lock_is_held(net));
1430 if (nft_dump_stats(skb, stats))
1431 goto nla_put_failure;
1435 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1436 goto nla_put_failure;
1438 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1439 goto nla_put_failure;
1441 nlmsg_end(skb, nlh);
1445 nlmsg_trim(skb, nlh);
1449 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1451 struct sk_buff *skb;
1453 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
1454 ctx->table->name, ctx->table->handle,
1455 ctx->chain->name, ctx->chain->handle);
1457 audit_log_nfcfg(buf,
1460 event == NFT_MSG_NEWCHAIN ?
1461 AUDIT_NFT_OP_CHAIN_REGISTER :
1462 AUDIT_NFT_OP_CHAIN_UNREGISTER,
1467 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1470 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1474 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1475 event, 0, ctx->family, ctx->table,
1482 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1485 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1488 static int nf_tables_dump_chains(struct sk_buff *skb,
1489 struct netlink_callback *cb)
1491 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1492 const struct nft_table *table;
1493 const struct nft_chain *chain;
1494 unsigned int idx = 0, s_idx = cb->args[0];
1495 struct net *net = sock_net(skb->sk);
1496 int family = nfmsg->nfgen_family;
1499 cb->seq = net->nft.base_seq;
1501 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1502 if (family != NFPROTO_UNSPEC && family != table->family)
1505 list_for_each_entry_rcu(chain, &table->chains, list) {
1509 memset(&cb->args[1], 0,
1510 sizeof(cb->args) - sizeof(cb->args[0]));
1511 if (!nft_is_active(net, chain))
1513 if (nf_tables_fill_chain_info(skb, net,
1514 NETLINK_CB(cb->skb).portid,
1518 table->family, table,
1522 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1533 /* called with rcu_read_lock held */
1534 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1535 struct sk_buff *skb, const struct nlmsghdr *nlh,
1536 const struct nlattr * const nla[],
1537 struct netlink_ext_ack *extack)
1539 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1540 u8 genmask = nft_genmask_cur(net);
1541 const struct nft_chain *chain;
1542 struct nft_table *table;
1543 struct sk_buff *skb2;
1544 int family = nfmsg->nfgen_family;
1547 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1548 struct netlink_dump_control c = {
1549 .dump = nf_tables_dump_chains,
1550 .module = THIS_MODULE,
1553 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1556 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1557 if (IS_ERR(table)) {
1558 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1559 return PTR_ERR(table);
1562 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1563 if (IS_ERR(chain)) {
1564 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1565 return PTR_ERR(chain);
1568 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1572 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1573 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1574 family, table, chain);
1576 goto err_fill_chain_info;
1578 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1580 err_fill_chain_info:
1585 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1586 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1587 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1590 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1592 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1593 struct nft_stats __percpu *newstats;
1594 struct nft_stats *stats;
1597 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1598 nft_counter_policy, NULL);
1600 return ERR_PTR(err);
1602 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1603 return ERR_PTR(-EINVAL);
1605 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1606 if (newstats == NULL)
1607 return ERR_PTR(-ENOMEM);
1609 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1610 * are not exposed to userspace.
1613 stats = this_cpu_ptr(newstats);
1614 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1615 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1621 static void nft_chain_stats_replace(struct nft_trans *trans)
1623 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1625 if (!nft_trans_chain_stats(trans))
1628 nft_trans_chain_stats(trans) =
1629 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1630 lockdep_commit_lock_is_held(trans->ctx.net));
1632 if (!nft_trans_chain_stats(trans))
1633 static_branch_inc(&nft_counters_enabled);
1636 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1638 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1639 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1645 /* should be NULL either via abort or via successful commit */
1646 WARN_ON_ONCE(chain->rules_next);
1647 kvfree(chain->rules_next);
1650 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1652 struct nft_chain *chain = ctx->chain;
1653 struct nft_hook *hook, *next;
1655 if (WARN_ON(chain->use > 0))
1658 /* no concurrent access possible anymore */
1659 nf_tables_chain_free_chain_rules(chain);
1661 if (nft_is_base_chain(chain)) {
1662 struct nft_base_chain *basechain = nft_base_chain(chain);
1664 if (ctx->family == NFPROTO_NETDEV) {
1665 list_for_each_entry_safe(hook, next,
1666 &basechain->hook_list, list) {
1667 list_del_rcu(&hook->list);
1668 kfree_rcu(hook, rcu);
1671 module_put(basechain->type->owner);
1672 if (rcu_access_pointer(basechain->stats)) {
1673 static_branch_dec(&nft_counters_enabled);
1674 free_percpu(rcu_dereference_raw(basechain->stats));
1684 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1685 const struct nlattr *attr)
1687 struct net_device *dev;
1688 char ifname[IFNAMSIZ];
1689 struct nft_hook *hook;
1692 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1695 goto err_hook_alloc;
1698 nla_strlcpy(ifname, attr, IFNAMSIZ);
1699 dev = __dev_get_by_name(net, ifname);
1704 hook->ops.dev = dev;
1705 hook->inactive = false;
1712 return ERR_PTR(err);
1715 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1716 const struct nft_hook *this)
1718 struct nft_hook *hook;
1720 list_for_each_entry(hook, hook_list, list) {
1721 if (this->ops.dev == hook->ops.dev)
1728 static int nf_tables_parse_netdev_hooks(struct net *net,
1729 const struct nlattr *attr,
1730 struct list_head *hook_list)
1732 struct nft_hook *hook, *next;
1733 const struct nlattr *tmp;
1734 int rem, n = 0, err;
1736 nla_for_each_nested(tmp, attr, rem) {
1737 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1742 hook = nft_netdev_hook_alloc(net, tmp);
1744 err = PTR_ERR(hook);
1747 if (nft_hook_list_find(hook_list, hook)) {
1752 list_add_tail(&hook->list, hook_list);
1755 if (n == NFT_NETDEVICE_MAX) {
1764 list_for_each_entry_safe(hook, next, hook_list, list) {
1765 list_del(&hook->list);
1771 struct nft_chain_hook {
1774 const struct nft_chain_type *type;
1775 struct list_head list;
1778 static int nft_chain_parse_netdev(struct net *net,
1779 struct nlattr *tb[],
1780 struct list_head *hook_list)
1782 struct nft_hook *hook;
1785 if (tb[NFTA_HOOK_DEV]) {
1786 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1788 return PTR_ERR(hook);
1790 list_add_tail(&hook->list, hook_list);
1791 } else if (tb[NFTA_HOOK_DEVS]) {
1792 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1797 if (list_empty(hook_list))
1806 static int nft_chain_parse_hook(struct net *net,
1807 const struct nlattr * const nla[],
1808 struct nft_chain_hook *hook, u8 family,
1811 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1812 const struct nft_chain_type *type;
1815 lockdep_assert_held(&net->nft.commit_mutex);
1816 lockdep_nfnl_nft_mutex_not_held();
1818 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1819 nla[NFTA_CHAIN_HOOK],
1820 nft_hook_policy, NULL);
1824 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1825 ha[NFTA_HOOK_PRIORITY] == NULL)
1828 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1829 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1831 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1835 if (nla[NFTA_CHAIN_TYPE]) {
1836 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1839 return PTR_ERR(type);
1841 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1844 if (type->type == NFT_CHAIN_T_NAT &&
1845 hook->priority <= NF_IP_PRI_CONNTRACK)
1848 if (!try_module_get(type->owner))
1853 INIT_LIST_HEAD(&hook->list);
1854 if (family == NFPROTO_NETDEV) {
1855 err = nft_chain_parse_netdev(net, ha, &hook->list);
1857 module_put(type->owner);
1860 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1861 module_put(type->owner);
1868 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1870 struct nft_hook *h, *next;
1872 list_for_each_entry_safe(h, next, &hook->list, list) {
1876 module_put(hook->type->owner);
1879 struct nft_rules_old {
1881 struct nft_rule **start;
1884 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1887 if (alloc > INT_MAX)
1890 alloc += 1; /* NULL, ends rules */
1891 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1894 alloc *= sizeof(struct nft_rule *);
1895 alloc += sizeof(struct nft_rules_old);
1897 return kvmalloc(alloc, GFP_KERNEL);
1900 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1901 const struct nft_chain_hook *hook,
1902 struct nft_chain *chain)
1905 ops->hooknum = hook->num;
1906 ops->priority = hook->priority;
1908 ops->hook = hook->type->hooks[ops->hooknum];
1911 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1912 struct nft_chain_hook *hook, u32 flags)
1914 struct nft_chain *chain;
1917 basechain->type = hook->type;
1918 INIT_LIST_HEAD(&basechain->hook_list);
1919 chain = &basechain->chain;
1921 if (family == NFPROTO_NETDEV) {
1922 list_splice_init(&hook->list, &basechain->hook_list);
1923 list_for_each_entry(h, &basechain->hook_list, list)
1924 nft_basechain_hook_init(&h->ops, family, hook, chain);
1926 basechain->ops.hooknum = hook->num;
1927 basechain->ops.priority = hook->priority;
1929 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1932 chain->flags |= NFT_CHAIN_BASE | flags;
1933 basechain->policy = NF_ACCEPT;
1934 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1935 nft_chain_offload_priority(basechain) < 0)
1938 flow_block_init(&basechain->flow_block);
1943 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
1947 err = rhltable_insert_key(&table->chains_ht, chain->name,
1948 &chain->rhlhead, nft_chain_ht_params);
1952 list_add_tail_rcu(&chain->list, &table->chains);
1957 static u64 chain_id;
1959 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1960 u8 policy, u32 flags)
1962 const struct nlattr * const *nla = ctx->nla;
1963 struct nft_table *table = ctx->table;
1964 struct nft_base_chain *basechain;
1965 struct nft_stats __percpu *stats;
1966 struct net *net = ctx->net;
1967 char name[NFT_NAME_MAXLEN];
1968 struct nft_trans *trans;
1969 struct nft_chain *chain;
1970 struct nft_rule **rules;
1973 if (table->use == UINT_MAX)
1976 if (nla[NFTA_CHAIN_HOOK]) {
1977 struct nft_chain_hook hook;
1979 if (flags & NFT_CHAIN_BINDING)
1982 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1986 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1987 if (basechain == NULL) {
1988 nft_chain_release_hook(&hook);
1991 chain = &basechain->chain;
1993 if (nla[NFTA_CHAIN_COUNTERS]) {
1994 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1995 if (IS_ERR(stats)) {
1996 nft_chain_release_hook(&hook);
1998 return PTR_ERR(stats);
2000 rcu_assign_pointer(basechain->stats, stats);
2001 static_branch_inc(&nft_counters_enabled);
2004 err = nft_basechain_init(basechain, family, &hook, flags);
2006 nft_chain_release_hook(&hook);
2011 if (flags & NFT_CHAIN_BASE)
2013 if (flags & NFT_CHAIN_HW_OFFLOAD)
2016 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2020 chain->flags = flags;
2024 INIT_LIST_HEAD(&chain->rules);
2025 chain->handle = nf_tables_alloc_handle(table);
2026 chain->table = table;
2028 if (nla[NFTA_CHAIN_NAME]) {
2029 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2031 if (!(flags & NFT_CHAIN_BINDING)) {
2036 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2037 chain->name = kstrdup(name, GFP_KERNEL);
2045 rules = nf_tables_chain_alloc_rules(chain, 0);
2052 rcu_assign_pointer(chain->rules_gen_0, rules);
2053 rcu_assign_pointer(chain->rules_gen_1, rules);
2055 err = nf_tables_register_hook(net, table, chain);
2059 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2060 if (IS_ERR(trans)) {
2061 err = PTR_ERR(trans);
2065 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2066 if (nft_is_base_chain(chain))
2067 nft_trans_chain_policy(trans) = policy;
2069 err = nft_chain_add(table, chain);
2071 nft_trans_destroy(trans);
2079 nf_tables_unregister_hook(net, table, chain);
2081 nf_tables_chain_destroy(ctx);
2086 static bool nft_hook_list_equal(struct list_head *hook_list1,
2087 struct list_head *hook_list2)
2089 struct nft_hook *hook;
2093 list_for_each_entry(hook, hook_list2, list) {
2094 if (!nft_hook_list_find(hook_list1, hook))
2099 list_for_each_entry(hook, hook_list1, list)
2105 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2108 const struct nlattr * const *nla = ctx->nla;
2109 struct nft_table *table = ctx->table;
2110 struct nft_chain *chain = ctx->chain;
2111 struct nft_base_chain *basechain;
2112 struct nft_stats *stats = NULL;
2113 struct nft_chain_hook hook;
2114 struct nf_hook_ops *ops;
2115 struct nft_trans *trans;
2118 if (chain->flags ^ flags)
2121 if (nla[NFTA_CHAIN_HOOK]) {
2122 if (!nft_is_base_chain(chain))
2125 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2130 basechain = nft_base_chain(chain);
2131 if (basechain->type != hook.type) {
2132 nft_chain_release_hook(&hook);
2136 if (ctx->family == NFPROTO_NETDEV) {
2137 if (!nft_hook_list_equal(&basechain->hook_list,
2139 nft_chain_release_hook(&hook);
2143 ops = &basechain->ops;
2144 if (ops->hooknum != hook.num ||
2145 ops->priority != hook.priority) {
2146 nft_chain_release_hook(&hook);
2150 nft_chain_release_hook(&hook);
2153 if (nla[NFTA_CHAIN_HANDLE] &&
2154 nla[NFTA_CHAIN_NAME]) {
2155 struct nft_chain *chain2;
2157 chain2 = nft_chain_lookup(ctx->net, table,
2158 nla[NFTA_CHAIN_NAME], genmask);
2159 if (!IS_ERR(chain2))
2163 if (nla[NFTA_CHAIN_COUNTERS]) {
2164 if (!nft_is_base_chain(chain))
2167 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2169 return PTR_ERR(stats);
2173 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2174 sizeof(struct nft_trans_chain));
2178 nft_trans_chain_stats(trans) = stats;
2179 nft_trans_chain_update(trans) = true;
2181 if (nla[NFTA_CHAIN_POLICY])
2182 nft_trans_chain_policy(trans) = policy;
2184 nft_trans_chain_policy(trans) = -1;
2186 if (nla[NFTA_CHAIN_HANDLE] &&
2187 nla[NFTA_CHAIN_NAME]) {
2188 struct nft_trans *tmp;
2192 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2197 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2198 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2199 tmp->ctx.table == table &&
2200 nft_trans_chain_update(tmp) &&
2201 nft_trans_chain_name(tmp) &&
2202 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2208 nft_trans_chain_name(trans) = name;
2210 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2219 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2220 const struct nlattr *nla)
2222 u32 id = ntohl(nla_get_be32(nla));
2223 struct nft_trans *trans;
2225 list_for_each_entry(trans, &net->nft.commit_list, list) {
2226 struct nft_chain *chain = trans->ctx.chain;
2228 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2229 id == nft_trans_chain_id(trans))
2232 return ERR_PTR(-ENOENT);
2235 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2236 struct sk_buff *skb, const struct nlmsghdr *nlh,
2237 const struct nlattr * const nla[],
2238 struct netlink_ext_ack *extack)
2240 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2241 u8 genmask = nft_genmask_next(net);
2242 int family = nfmsg->nfgen_family;
2243 struct nft_chain *chain = NULL;
2244 const struct nlattr *attr;
2245 struct nft_table *table;
2246 u8 policy = NF_ACCEPT;
2251 lockdep_assert_held(&net->nft.commit_mutex);
2253 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2254 if (IS_ERR(table)) {
2255 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2256 return PTR_ERR(table);
2260 attr = nla[NFTA_CHAIN_NAME];
2262 if (nla[NFTA_CHAIN_HANDLE]) {
2263 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2264 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2265 if (IS_ERR(chain)) {
2266 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2267 return PTR_ERR(chain);
2269 attr = nla[NFTA_CHAIN_HANDLE];
2270 } else if (nla[NFTA_CHAIN_NAME]) {
2271 chain = nft_chain_lookup(net, table, attr, genmask);
2272 if (IS_ERR(chain)) {
2273 if (PTR_ERR(chain) != -ENOENT) {
2274 NL_SET_BAD_ATTR(extack, attr);
2275 return PTR_ERR(chain);
2279 } else if (!nla[NFTA_CHAIN_ID]) {
2283 if (nla[NFTA_CHAIN_POLICY]) {
2284 if (chain != NULL &&
2285 !nft_is_base_chain(chain)) {
2286 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2290 if (chain == NULL &&
2291 nla[NFTA_CHAIN_HOOK] == NULL) {
2292 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2296 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2306 if (nla[NFTA_CHAIN_FLAGS])
2307 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2309 flags = chain->flags;
2311 if (flags & ~NFT_CHAIN_FLAGS)
2314 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2316 if (chain != NULL) {
2317 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2318 NL_SET_BAD_ATTR(extack, attr);
2321 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2324 flags |= chain->flags & NFT_CHAIN_BASE;
2325 return nf_tables_updchain(&ctx, genmask, policy, flags);
2328 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2331 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2332 struct sk_buff *skb, const struct nlmsghdr *nlh,
2333 const struct nlattr * const nla[],
2334 struct netlink_ext_ack *extack)
2336 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2337 u8 genmask = nft_genmask_next(net);
2338 int family = nfmsg->nfgen_family;
2339 const struct nlattr *attr;
2340 struct nft_table *table;
2341 struct nft_chain *chain;
2342 struct nft_rule *rule;
2348 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2349 if (IS_ERR(table)) {
2350 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2351 return PTR_ERR(table);
2354 if (nla[NFTA_CHAIN_HANDLE]) {
2355 attr = nla[NFTA_CHAIN_HANDLE];
2356 handle = be64_to_cpu(nla_get_be64(attr));
2357 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2359 attr = nla[NFTA_CHAIN_NAME];
2360 chain = nft_chain_lookup(net, table, attr, genmask);
2362 if (IS_ERR(chain)) {
2363 NL_SET_BAD_ATTR(extack, attr);
2364 return PTR_ERR(chain);
2367 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2371 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2374 list_for_each_entry(rule, &chain->rules, list) {
2375 if (!nft_is_active_next(net, rule))
2379 err = nft_delrule(&ctx, rule);
2384 /* There are rules and elements that are still holding references to us,
2385 * we cannot do a recursive removal in this case.
2388 NL_SET_BAD_ATTR(extack, attr);
2392 return nft_delchain(&ctx);
2400 * nft_register_expr - register nf_tables expr type
2403 * Registers the expr type for use with nf_tables. Returns zero on
2404 * success or a negative errno code otherwise.
2406 int nft_register_expr(struct nft_expr_type *type)
2408 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2409 if (type->family == NFPROTO_UNSPEC)
2410 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2412 list_add_rcu(&type->list, &nf_tables_expressions);
2413 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2416 EXPORT_SYMBOL_GPL(nft_register_expr);
2419 * nft_unregister_expr - unregister nf_tables expr type
2422 * Unregisters the expr typefor use with nf_tables.
2424 void nft_unregister_expr(struct nft_expr_type *type)
2426 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2427 list_del_rcu(&type->list);
2428 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2430 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2432 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2435 const struct nft_expr_type *type, *candidate = NULL;
2437 list_for_each_entry(type, &nf_tables_expressions, list) {
2438 if (!nla_strcmp(nla, type->name)) {
2439 if (!type->family && !candidate)
2441 else if (type->family == family)
2448 #ifdef CONFIG_MODULES
2449 static int nft_expr_type_request_module(struct net *net, u8 family,
2452 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2453 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2460 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2464 const struct nft_expr_type *type;
2467 return ERR_PTR(-EINVAL);
2469 type = __nft_expr_type_get(family, nla);
2470 if (type != NULL && try_module_get(type->owner))
2473 lockdep_nfnl_nft_mutex_not_held();
2474 #ifdef CONFIG_MODULES
2476 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2477 return ERR_PTR(-EAGAIN);
2479 if (nft_request_module(net, "nft-expr-%.*s",
2481 (char *)nla_data(nla)) == -EAGAIN)
2482 return ERR_PTR(-EAGAIN);
2485 return ERR_PTR(-ENOENT);
2488 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2489 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2490 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2491 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2494 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2495 const struct nft_expr *expr)
2497 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2498 goto nla_put_failure;
2500 if (expr->ops->dump) {
2501 struct nlattr *data = nla_nest_start_noflag(skb,
2504 goto nla_put_failure;
2505 if (expr->ops->dump(skb, expr) < 0)
2506 goto nla_put_failure;
2507 nla_nest_end(skb, data);
2516 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2517 const struct nft_expr *expr)
2519 struct nlattr *nest;
2521 nest = nla_nest_start_noflag(skb, attr);
2523 goto nla_put_failure;
2524 if (nf_tables_fill_expr_info(skb, expr) < 0)
2525 goto nla_put_failure;
2526 nla_nest_end(skb, nest);
2533 struct nft_expr_info {
2534 const struct nft_expr_ops *ops;
2535 const struct nlattr *attr;
2536 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2539 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2540 const struct nlattr *nla,
2541 struct nft_expr_info *info)
2543 const struct nft_expr_type *type;
2544 const struct nft_expr_ops *ops;
2545 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2548 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2549 nft_expr_policy, NULL);
2553 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2555 return PTR_ERR(type);
2557 if (tb[NFTA_EXPR_DATA]) {
2558 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2560 type->policy, NULL);
2564 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2566 if (type->select_ops != NULL) {
2567 ops = type->select_ops(ctx,
2568 (const struct nlattr * const *)info->tb);
2571 #ifdef CONFIG_MODULES
2573 if (nft_expr_type_request_module(ctx->net,
2575 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2589 module_put(type->owner);
2593 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2594 const struct nft_expr_info *info,
2595 struct nft_expr *expr)
2597 const struct nft_expr_ops *ops = info->ops;
2602 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2613 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2614 struct nft_expr *expr)
2616 const struct nft_expr_type *type = expr->ops->type;
2618 if (expr->ops->destroy)
2619 expr->ops->destroy(ctx, expr);
2620 module_put(type->owner);
2623 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2624 const struct nlattr *nla)
2626 struct nft_expr_info info;
2627 struct nft_expr *expr;
2628 struct module *owner;
2631 err = nf_tables_expr_parse(ctx, nla, &info);
2636 expr = kzalloc(info.ops->size, GFP_KERNEL);
2640 err = nf_tables_newexpr(ctx, &info, expr);
2648 owner = info.ops->type->owner;
2649 if (info.ops->type->release_ops)
2650 info.ops->type->release_ops(info.ops);
2654 return ERR_PTR(err);
2657 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2661 if (src->ops->clone) {
2662 dst->ops = src->ops;
2663 err = src->ops->clone(dst, src);
2667 memcpy(dst, src, src->ops->size);
2670 __module_get(src->ops->type->owner);
2675 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2677 nf_tables_expr_destroy(ctx, expr);
2685 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2688 struct nft_rule *rule;
2690 // FIXME: this sucks
2691 list_for_each_entry_rcu(rule, &chain->rules, list) {
2692 if (handle == rule->handle)
2696 return ERR_PTR(-ENOENT);
2699 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2700 const struct nlattr *nla)
2703 return ERR_PTR(-EINVAL);
2705 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2708 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2709 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2710 .len = NFT_TABLE_MAXNAMELEN - 1 },
2711 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2712 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2713 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2714 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2715 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2716 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2717 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2718 .len = NFT_USERDATA_MAXLEN },
2719 [NFTA_RULE_ID] = { .type = NLA_U32 },
2720 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2721 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2724 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2725 u32 portid, u32 seq, int event,
2726 u32 flags, int family,
2727 const struct nft_table *table,
2728 const struct nft_chain *chain,
2729 const struct nft_rule *rule,
2730 const struct nft_rule *prule)
2732 struct nlmsghdr *nlh;
2733 struct nfgenmsg *nfmsg;
2734 const struct nft_expr *expr, *next;
2735 struct nlattr *list;
2736 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2738 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2740 goto nla_put_failure;
2742 nfmsg = nlmsg_data(nlh);
2743 nfmsg->nfgen_family = family;
2744 nfmsg->version = NFNETLINK_V0;
2745 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2747 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2748 goto nla_put_failure;
2749 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2750 goto nla_put_failure;
2751 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2753 goto nla_put_failure;
2755 if (event != NFT_MSG_DELRULE && prule) {
2756 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2757 cpu_to_be64(prule->handle),
2759 goto nla_put_failure;
2762 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2764 goto nla_put_failure;
2765 nft_rule_for_each_expr(expr, next, rule) {
2766 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2767 goto nla_put_failure;
2769 nla_nest_end(skb, list);
2772 struct nft_userdata *udata = nft_userdata(rule);
2773 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2775 goto nla_put_failure;
2778 nlmsg_end(skb, nlh);
2782 nlmsg_trim(skb, nlh);
2786 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2787 const struct nft_rule *rule, int event)
2789 struct sk_buff *skb;
2791 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
2792 ctx->table->name, ctx->table->handle,
2793 ctx->chain->name, ctx->chain->handle);
2795 audit_log_nfcfg(buf,
2798 event == NFT_MSG_NEWRULE ?
2799 AUDIT_NFT_OP_RULE_REGISTER :
2800 AUDIT_NFT_OP_RULE_UNREGISTER,
2805 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2808 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2812 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2813 event, 0, ctx->family, ctx->table,
2814 ctx->chain, rule, NULL);
2820 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2823 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2826 struct nft_rule_dump_ctx {
2831 static int __nf_tables_dump_rules(struct sk_buff *skb,
2833 struct netlink_callback *cb,
2834 const struct nft_table *table,
2835 const struct nft_chain *chain)
2837 struct net *net = sock_net(skb->sk);
2838 const struct nft_rule *rule, *prule;
2839 unsigned int s_idx = cb->args[0];
2842 list_for_each_entry_rcu(rule, &chain->rules, list) {
2843 if (!nft_is_active(net, rule))
2848 memset(&cb->args[1], 0,
2849 sizeof(cb->args) - sizeof(cb->args[0]));
2851 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2854 NLM_F_MULTI | NLM_F_APPEND,
2856 table, chain, rule, prule) < 0)
2859 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2868 static int nf_tables_dump_rules(struct sk_buff *skb,
2869 struct netlink_callback *cb)
2871 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2872 const struct nft_rule_dump_ctx *ctx = cb->data;
2873 struct nft_table *table;
2874 const struct nft_chain *chain;
2875 unsigned int idx = 0;
2876 struct net *net = sock_net(skb->sk);
2877 int family = nfmsg->nfgen_family;
2880 cb->seq = net->nft.base_seq;
2882 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2883 if (family != NFPROTO_UNSPEC && family != table->family)
2886 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2889 if (ctx && ctx->table && ctx->chain) {
2890 struct rhlist_head *list, *tmp;
2892 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2893 nft_chain_ht_params);
2897 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2898 if (!nft_is_active(net, chain))
2900 __nf_tables_dump_rules(skb, &idx,
2907 list_for_each_entry_rcu(chain, &table->chains, list) {
2908 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2912 if (ctx && ctx->table)
2922 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2924 const struct nlattr * const *nla = cb->data;
2925 struct nft_rule_dump_ctx *ctx = NULL;
2927 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2928 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2932 if (nla[NFTA_RULE_TABLE]) {
2933 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2940 if (nla[NFTA_RULE_CHAIN]) {
2941 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2955 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2957 struct nft_rule_dump_ctx *ctx = cb->data;
2967 /* called with rcu_read_lock held */
2968 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2969 struct sk_buff *skb, const struct nlmsghdr *nlh,
2970 const struct nlattr * const nla[],
2971 struct netlink_ext_ack *extack)
2973 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2974 u8 genmask = nft_genmask_cur(net);
2975 const struct nft_chain *chain;
2976 const struct nft_rule *rule;
2977 struct nft_table *table;
2978 struct sk_buff *skb2;
2979 int family = nfmsg->nfgen_family;
2982 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2983 struct netlink_dump_control c = {
2984 .start= nf_tables_dump_rules_start,
2985 .dump = nf_tables_dump_rules,
2986 .done = nf_tables_dump_rules_done,
2987 .module = THIS_MODULE,
2988 .data = (void *)nla,
2991 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2994 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2995 if (IS_ERR(table)) {
2996 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2997 return PTR_ERR(table);
3000 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3001 if (IS_ERR(chain)) {
3002 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3003 return PTR_ERR(chain);
3006 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3008 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3009 return PTR_ERR(rule);
3012 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3016 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3017 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3018 family, table, chain, rule, NULL);
3020 goto err_fill_rule_info;
3022 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3029 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3030 struct nft_rule *rule)
3032 struct nft_expr *expr, *next;
3035 * Careful: some expressions might not be initialized in case this
3036 * is called on error from nf_tables_newrule().
3038 expr = nft_expr_first(rule);
3039 while (expr != nft_expr_last(rule) && expr->ops) {
3040 next = nft_expr_next(expr);
3041 nf_tables_expr_destroy(ctx, expr);
3047 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3049 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3050 nf_tables_rule_destroy(ctx, rule);
3053 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3055 struct nft_expr *expr, *last;
3056 const struct nft_data *data;
3057 struct nft_rule *rule;
3060 if (ctx->level == NFT_JUMP_STACK_SIZE)
3063 list_for_each_entry(rule, &chain->rules, list) {
3064 if (!nft_is_active_next(ctx->net, rule))
3067 nft_rule_for_each_expr(expr, last, rule) {
3068 if (!expr->ops->validate)
3071 err = expr->ops->validate(ctx, expr, &data);
3079 EXPORT_SYMBOL_GPL(nft_chain_validate);
3081 static int nft_table_validate(struct net *net, const struct nft_table *table)
3083 struct nft_chain *chain;
3084 struct nft_ctx ctx = {
3086 .family = table->family,
3090 list_for_each_entry(chain, &table->chains, list) {
3091 if (!nft_is_base_chain(chain))
3095 err = nft_chain_validate(&ctx, chain);
3103 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3104 const struct nlattr *nla);
3106 #define NFT_RULE_MAXEXPRS 128
3108 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3109 struct sk_buff *skb, const struct nlmsghdr *nlh,
3110 const struct nlattr * const nla[],
3111 struct netlink_ext_ack *extack)
3113 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3114 u8 genmask = nft_genmask_next(net);
3115 struct nft_expr_info *info = NULL;
3116 int family = nfmsg->nfgen_family;
3117 struct nft_flow_rule *flow;
3118 struct nft_table *table;
3119 struct nft_chain *chain;
3120 struct nft_rule *rule, *old_rule = NULL;
3121 struct nft_userdata *udata;
3122 struct nft_trans *trans = NULL;
3123 struct nft_expr *expr;
3126 unsigned int size, i, n, ulen = 0, usize = 0;
3128 u64 handle, pos_handle;
3130 lockdep_assert_held(&net->nft.commit_mutex);
3132 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3133 if (IS_ERR(table)) {
3134 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3135 return PTR_ERR(table);
3138 if (nla[NFTA_RULE_CHAIN]) {
3139 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3141 if (IS_ERR(chain)) {
3142 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3143 return PTR_ERR(chain);
3145 if (nft_chain_is_bound(chain))
3148 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3149 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3150 if (IS_ERR(chain)) {
3151 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3152 return PTR_ERR(chain);
3158 if (nla[NFTA_RULE_HANDLE]) {
3159 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3160 rule = __nft_rule_lookup(chain, handle);
3162 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3163 return PTR_ERR(rule);
3166 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3167 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3170 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3175 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3176 nlh->nlmsg_flags & NLM_F_REPLACE)
3178 handle = nf_tables_alloc_handle(table);
3180 if (chain->use == UINT_MAX)
3183 if (nla[NFTA_RULE_POSITION]) {
3184 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3185 old_rule = __nft_rule_lookup(chain, pos_handle);
3186 if (IS_ERR(old_rule)) {
3187 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3188 return PTR_ERR(old_rule);
3190 } else if (nla[NFTA_RULE_POSITION_ID]) {
3191 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3192 if (IS_ERR(old_rule)) {
3193 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3194 return PTR_ERR(old_rule);
3199 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3203 if (nla[NFTA_RULE_EXPRESSIONS]) {
3204 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3205 sizeof(struct nft_expr_info),
3210 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3212 if (nla_type(tmp) != NFTA_LIST_ELEM)
3214 if (n == NFT_RULE_MAXEXPRS)
3216 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3219 size += info[n].ops->size;
3223 /* Check for overflow of dlen field */
3225 if (size >= 1 << 12)
3228 if (nla[NFTA_RULE_USERDATA]) {
3229 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3231 usize = sizeof(struct nft_userdata) + ulen;
3235 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3239 nft_activate_next(net, rule);
3241 rule->handle = handle;
3243 rule->udata = ulen ? 1 : 0;
3246 udata = nft_userdata(rule);
3247 udata->len = ulen - 1;
3248 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3251 expr = nft_expr_first(rule);
3252 for (i = 0; i < n; i++) {
3253 err = nf_tables_newexpr(&ctx, &info[i], expr);
3255 NL_SET_BAD_ATTR(extack, info[i].attr);
3259 if (info[i].ops->validate)
3260 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3263 expr = nft_expr_next(expr);
3266 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3267 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3268 if (trans == NULL) {
3272 err = nft_delrule(&ctx, old_rule);
3274 nft_trans_destroy(trans);
3278 list_add_tail_rcu(&rule->list, &old_rule->list);
3280 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3286 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3288 list_add_rcu(&rule->list, &old_rule->list);
3290 list_add_tail_rcu(&rule->list, &chain->rules);
3293 list_add_tail_rcu(&rule->list, &old_rule->list);
3295 list_add_rcu(&rule->list, &chain->rules);
3301 if (net->nft.validate_state == NFT_VALIDATE_DO)
3302 return nft_table_validate(net, table);
3304 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3305 flow = nft_flow_rule_create(net, rule);
3307 return PTR_ERR(flow);
3309 nft_trans_flow_rule(trans) = flow;
3314 nf_tables_rule_release(&ctx, rule);
3316 for (i = 0; i < n; i++) {
3318 module_put(info[i].ops->type->owner);
3319 if (info[i].ops->type->release_ops)
3320 info[i].ops->type->release_ops(info[i].ops);
3327 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3328 const struct nlattr *nla)
3330 u32 id = ntohl(nla_get_be32(nla));
3331 struct nft_trans *trans;
3333 list_for_each_entry(trans, &net->nft.commit_list, list) {
3334 struct nft_rule *rule = nft_trans_rule(trans);
3336 if (trans->msg_type == NFT_MSG_NEWRULE &&
3337 id == nft_trans_rule_id(trans))
3340 return ERR_PTR(-ENOENT);
3343 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3344 struct sk_buff *skb, const struct nlmsghdr *nlh,
3345 const struct nlattr * const nla[],
3346 struct netlink_ext_ack *extack)
3348 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3349 u8 genmask = nft_genmask_next(net);
3350 struct nft_table *table;
3351 struct nft_chain *chain = NULL;
3352 struct nft_rule *rule;
3353 int family = nfmsg->nfgen_family, err = 0;
3356 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3357 if (IS_ERR(table)) {
3358 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3359 return PTR_ERR(table);
3362 if (nla[NFTA_RULE_CHAIN]) {
3363 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3365 if (IS_ERR(chain)) {
3366 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3367 return PTR_ERR(chain);
3369 if (nft_chain_is_bound(chain))
3373 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3376 if (nla[NFTA_RULE_HANDLE]) {
3377 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3379 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3380 return PTR_ERR(rule);
3383 err = nft_delrule(&ctx, rule);
3384 } else if (nla[NFTA_RULE_ID]) {
3385 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3387 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3388 return PTR_ERR(rule);
3391 err = nft_delrule(&ctx, rule);
3393 err = nft_delrule_by_chain(&ctx);
3396 list_for_each_entry(chain, &table->chains, list) {
3397 if (!nft_is_active_next(net, chain))
3401 err = nft_delrule_by_chain(&ctx);
3413 static const struct nft_set_type *nft_set_types[] = {
3414 &nft_set_hash_fast_type,
3416 &nft_set_rhash_type,
3417 &nft_set_bitmap_type,
3418 &nft_set_rbtree_type,
3419 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3420 &nft_set_pipapo_avx2_type,
3422 &nft_set_pipapo_type,
3425 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3426 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3429 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3431 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3435 * Select a set implementation based on the data characteristics and the
3436 * given policy. The total memory use might not be known if no size is
3437 * given, in that case the amount of memory per element is used.
3439 static const struct nft_set_ops *
3440 nft_select_set_ops(const struct nft_ctx *ctx,
3441 const struct nlattr * const nla[],
3442 const struct nft_set_desc *desc,
3443 enum nft_set_policies policy)
3445 const struct nft_set_ops *ops, *bops;
3446 struct nft_set_estimate est, best;
3447 const struct nft_set_type *type;
3451 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3452 lockdep_nfnl_nft_mutex_not_held();
3454 if (nla[NFTA_SET_FLAGS] != NULL)
3455 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3462 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3463 type = nft_set_types[i];
3466 if (!nft_set_ops_candidate(type, flags))
3468 if (!ops->estimate(desc, flags, &est))
3472 case NFT_SET_POL_PERFORMANCE:
3473 if (est.lookup < best.lookup)
3475 if (est.lookup == best.lookup &&
3476 est.space < best.space)
3479 case NFT_SET_POL_MEMORY:
3481 if (est.space < best.space)
3483 if (est.space == best.space &&
3484 est.lookup < best.lookup)
3486 } else if (est.size < best.size || !bops) {
3501 return ERR_PTR(-EOPNOTSUPP);
3504 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3505 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3506 .len = NFT_TABLE_MAXNAMELEN - 1 },
3507 [NFTA_SET_NAME] = { .type = NLA_STRING,
3508 .len = NFT_SET_MAXNAMELEN - 1 },
3509 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3510 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3511 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3512 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3513 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3514 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3515 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3516 [NFTA_SET_ID] = { .type = NLA_U32 },
3517 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3518 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3519 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3520 .len = NFT_USERDATA_MAXLEN },
3521 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3522 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3523 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3526 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3527 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3528 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3531 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3532 const struct sk_buff *skb,
3533 const struct nlmsghdr *nlh,
3534 const struct nlattr * const nla[],
3535 struct netlink_ext_ack *extack,
3538 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3539 int family = nfmsg->nfgen_family;
3540 struct nft_table *table = NULL;
3542 if (nla[NFTA_SET_TABLE] != NULL) {
3543 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3545 if (IS_ERR(table)) {
3546 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3547 return PTR_ERR(table);
3551 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3555 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3556 const struct nlattr *nla, u8 genmask)
3558 struct nft_set *set;
3561 return ERR_PTR(-EINVAL);
3563 list_for_each_entry_rcu(set, &table->sets, list) {
3564 if (!nla_strcmp(nla, set->name) &&
3565 nft_active_genmask(set, genmask))
3568 return ERR_PTR(-ENOENT);
3571 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3572 const struct nlattr *nla,
3575 struct nft_set *set;
3577 list_for_each_entry(set, &table->sets, list) {
3578 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3579 nft_active_genmask(set, genmask))
3582 return ERR_PTR(-ENOENT);
3585 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3586 const struct nlattr *nla, u8 genmask)
3588 struct nft_trans *trans;
3589 u32 id = ntohl(nla_get_be32(nla));
3591 list_for_each_entry(trans, &net->nft.commit_list, list) {
3592 if (trans->msg_type == NFT_MSG_NEWSET) {
3593 struct nft_set *set = nft_trans_set(trans);
3595 if (id == nft_trans_set_id(trans) &&
3596 nft_active_genmask(set, genmask))
3600 return ERR_PTR(-ENOENT);
3603 struct nft_set *nft_set_lookup_global(const struct net *net,
3604 const struct nft_table *table,
3605 const struct nlattr *nla_set_name,
3606 const struct nlattr *nla_set_id,
3609 struct nft_set *set;
3611 set = nft_set_lookup(table, nla_set_name, genmask);
3616 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3620 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3622 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3625 const struct nft_set *i;
3627 unsigned long *inuse;
3628 unsigned int n = 0, min = 0;
3630 p = strchr(name, '%');
3632 if (p[1] != 'd' || strchr(p + 2, '%'))
3635 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3639 list_for_each_entry(i, &ctx->table->sets, list) {
3642 if (!nft_is_active_next(ctx->net, set))
3644 if (!sscanf(i->name, name, &tmp))
3646 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3649 set_bit(tmp - min, inuse);
3652 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3653 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3654 min += BITS_PER_BYTE * PAGE_SIZE;
3655 memset(inuse, 0, PAGE_SIZE);
3658 free_page((unsigned long)inuse);
3661 set->name = kasprintf(GFP_KERNEL, name, min + n);
3665 list_for_each_entry(i, &ctx->table->sets, list) {
3666 if (!nft_is_active_next(ctx->net, i))
3668 if (!strcmp(set->name, i->name)) {
3677 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3679 u64 ms = be64_to_cpu(nla_get_be64(nla));
3680 u64 max = (u64)(~((u64)0));
3682 max = div_u64(max, NSEC_PER_MSEC);
3686 ms *= NSEC_PER_MSEC;
3687 *result = nsecs_to_jiffies64(ms);
3691 static __be64 nf_jiffies64_to_msecs(u64 input)
3693 return cpu_to_be64(jiffies64_to_msecs(input));
3696 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3697 const struct nft_set *set)
3699 struct nlattr *concat, *field;
3702 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3706 for (i = 0; i < set->field_count; i++) {
3707 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3711 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3712 htonl(set->field_len[i])))
3715 nla_nest_end(skb, field);
3718 nla_nest_end(skb, concat);
3723 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3724 const struct nft_set *set, u16 event, u16 flags)
3726 struct nfgenmsg *nfmsg;
3727 struct nlmsghdr *nlh;
3728 u32 portid = ctx->portid;
3729 struct nlattr *nest;
3732 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3733 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3736 goto nla_put_failure;
3738 nfmsg = nlmsg_data(nlh);
3739 nfmsg->nfgen_family = ctx->family;
3740 nfmsg->version = NFNETLINK_V0;
3741 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3743 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3744 goto nla_put_failure;
3745 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3746 goto nla_put_failure;
3747 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3749 goto nla_put_failure;
3750 if (set->flags != 0)
3751 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3752 goto nla_put_failure;
3754 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3755 goto nla_put_failure;
3756 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3757 goto nla_put_failure;
3758 if (set->flags & NFT_SET_MAP) {
3759 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3760 goto nla_put_failure;
3761 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3762 goto nla_put_failure;
3764 if (set->flags & NFT_SET_OBJECT &&
3765 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3766 goto nla_put_failure;
3769 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3770 nf_jiffies64_to_msecs(set->timeout),
3772 goto nla_put_failure;
3774 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3775 goto nla_put_failure;
3777 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3778 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3779 goto nla_put_failure;
3783 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3784 goto nla_put_failure;
3786 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3788 goto nla_put_failure;
3790 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3791 goto nla_put_failure;
3793 if (set->field_count > 1 &&
3794 nf_tables_fill_set_concat(skb, set))
3795 goto nla_put_failure;
3797 nla_nest_end(skb, nest);
3800 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3801 if (nf_tables_fill_expr_info(skb, set->expr) < 0)
3802 goto nla_put_failure;
3804 nla_nest_end(skb, nest);
3807 nlmsg_end(skb, nlh);
3811 nlmsg_trim(skb, nlh);
3815 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3816 const struct nft_set *set, int event,
3819 struct sk_buff *skb;
3820 u32 portid = ctx->portid;
3822 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu",
3823 ctx->table->name, ctx->table->handle,
3824 set->name, set->handle);
3826 audit_log_nfcfg(buf,
3829 event == NFT_MSG_NEWSET ?
3830 AUDIT_NFT_OP_SET_REGISTER :
3831 AUDIT_NFT_OP_SET_UNREGISTER,
3836 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3839 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3843 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3849 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3852 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3855 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3857 const struct nft_set *set;
3858 unsigned int idx, s_idx = cb->args[0];
3859 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3860 struct net *net = sock_net(skb->sk);
3861 struct nft_ctx *ctx = cb->data, ctx_set;
3867 cb->seq = net->nft.base_seq;
3869 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3870 if (ctx->family != NFPROTO_UNSPEC &&
3871 ctx->family != table->family)
3874 if (ctx->table && ctx->table != table)
3878 if (cur_table != table)
3884 list_for_each_entry_rcu(set, &table->sets, list) {
3887 if (!nft_is_active(net, set))
3891 ctx_set.table = table;
3892 ctx_set.family = table->family;
3894 if (nf_tables_fill_set(skb, &ctx_set, set,
3898 cb->args[2] = (unsigned long) table;
3901 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3914 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3916 struct nft_ctx *ctx_dump = NULL;
3918 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3919 if (ctx_dump == NULL)
3922 cb->data = ctx_dump;
3926 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3932 /* called with rcu_read_lock held */
3933 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3934 struct sk_buff *skb, const struct nlmsghdr *nlh,
3935 const struct nlattr * const nla[],
3936 struct netlink_ext_ack *extack)
3938 u8 genmask = nft_genmask_cur(net);
3939 const struct nft_set *set;
3941 struct sk_buff *skb2;
3942 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3945 /* Verify existence before starting dump */
3946 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3951 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3952 struct netlink_dump_control c = {
3953 .start = nf_tables_dump_sets_start,
3954 .dump = nf_tables_dump_sets,
3955 .done = nf_tables_dump_sets_done,
3957 .module = THIS_MODULE,
3960 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3963 /* Only accept unspec with dump */
3964 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3965 return -EAFNOSUPPORT;
3966 if (!nla[NFTA_SET_TABLE])
3969 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3971 return PTR_ERR(set);
3973 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3977 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3979 goto err_fill_set_info;
3981 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3988 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
3989 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
3992 static int nft_set_desc_concat_parse(const struct nlattr *attr,
3993 struct nft_set_desc *desc)
3995 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
3999 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4000 nft_concat_policy, NULL);
4004 if (!tb[NFTA_SET_FIELD_LEN])
4007 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4009 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4012 desc->field_len[desc->field_count++] = len;
4017 static int nft_set_desc_concat(struct nft_set_desc *desc,
4018 const struct nlattr *nla)
4020 struct nlattr *attr;
4023 nla_for_each_nested(attr, nla, rem) {
4024 if (nla_type(attr) != NFTA_LIST_ELEM)
4027 err = nft_set_desc_concat_parse(attr, desc);
4035 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4036 const struct nlattr *nla)
4038 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4041 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4042 nft_set_desc_policy, NULL);
4046 if (da[NFTA_SET_DESC_SIZE] != NULL)
4047 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4048 if (da[NFTA_SET_DESC_CONCAT])
4049 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4054 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4055 struct sk_buff *skb, const struct nlmsghdr *nlh,
4056 const struct nlattr * const nla[],
4057 struct netlink_ext_ack *extack)
4059 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4060 u8 genmask = nft_genmask_next(net);
4061 int family = nfmsg->nfgen_family;
4062 const struct nft_set_ops *ops;
4063 struct nft_expr *expr = NULL;
4064 struct nft_table *table;
4065 struct nft_set *set;
4070 u32 ktype, dtype, flags, policy, gc_int, objtype;
4071 struct nft_set_desc desc;
4072 unsigned char *udata;
4077 if (nla[NFTA_SET_TABLE] == NULL ||
4078 nla[NFTA_SET_NAME] == NULL ||
4079 nla[NFTA_SET_KEY_LEN] == NULL ||
4080 nla[NFTA_SET_ID] == NULL)
4083 memset(&desc, 0, sizeof(desc));
4085 ktype = NFT_DATA_VALUE;
4086 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4087 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4088 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4092 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4093 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4097 if (nla[NFTA_SET_FLAGS] != NULL) {
4098 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4099 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4100 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4101 NFT_SET_MAP | NFT_SET_EVAL |
4102 NFT_SET_OBJECT | NFT_SET_CONCAT))
4104 /* Only one of these operations is supported */
4105 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4106 (NFT_SET_MAP | NFT_SET_OBJECT))
4108 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4109 (NFT_SET_EVAL | NFT_SET_OBJECT))
4114 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4115 if (!(flags & NFT_SET_MAP))
4118 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4119 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4120 dtype != NFT_DATA_VERDICT)
4123 if (dtype != NFT_DATA_VERDICT) {
4124 if (nla[NFTA_SET_DATA_LEN] == NULL)
4126 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4127 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4130 desc.dlen = sizeof(struct nft_verdict);
4131 } else if (flags & NFT_SET_MAP)
4134 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4135 if (!(flags & NFT_SET_OBJECT))
4138 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4139 if (objtype == NFT_OBJECT_UNSPEC ||
4140 objtype > NFT_OBJECT_MAX)
4142 } else if (flags & NFT_SET_OBJECT)
4145 objtype = NFT_OBJECT_UNSPEC;
4148 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4149 if (!(flags & NFT_SET_TIMEOUT))
4152 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4157 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4158 if (!(flags & NFT_SET_TIMEOUT))
4160 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4163 policy = NFT_SET_POL_PERFORMANCE;
4164 if (nla[NFTA_SET_POLICY] != NULL)
4165 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4167 if (nla[NFTA_SET_DESC] != NULL) {
4168 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4173 if (nla[NFTA_SET_EXPR])
4176 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4177 if (IS_ERR(table)) {
4178 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4179 return PTR_ERR(table);
4182 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4184 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4186 if (PTR_ERR(set) != -ENOENT) {
4187 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4188 return PTR_ERR(set);
4191 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4192 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4195 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4201 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4204 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4206 return PTR_ERR(ops);
4209 if (nla[NFTA_SET_USERDATA])
4210 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4213 if (ops->privsize != NULL)
4214 size = ops->privsize(nla, &desc);
4216 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4220 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4226 err = nf_tables_set_alloc_name(&ctx, set, name);
4229 goto err_set_alloc_name;
4231 if (nla[NFTA_SET_EXPR]) {
4232 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4234 err = PTR_ERR(expr);
4235 goto err_set_alloc_name;
4241 udata = set->data + size;
4242 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4245 INIT_LIST_HEAD(&set->bindings);
4247 write_pnet(&set->net, net);
4250 set->klen = desc.klen;
4252 set->objtype = objtype;
4253 set->dlen = desc.dlen;
4256 set->size = desc.size;
4257 set->policy = policy;
4260 set->timeout = timeout;
4261 set->gc_int = gc_int;
4262 set->handle = nf_tables_alloc_handle(table);
4264 set->field_count = desc.field_count;
4265 for (i = 0; i < desc.field_count; i++)
4266 set->field_len[i] = desc.field_len[i];
4268 err = ops->init(set, &desc, nla);
4272 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4276 list_add_tail_rcu(&set->list, &table->sets);
4284 nft_expr_destroy(&ctx, expr);
4292 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4294 if (WARN_ON(set->use > 0))
4298 nft_expr_destroy(ctx, set->expr);
4300 set->ops->destroy(set);
4305 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4306 struct sk_buff *skb, const struct nlmsghdr *nlh,
4307 const struct nlattr * const nla[],
4308 struct netlink_ext_ack *extack)
4310 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4311 u8 genmask = nft_genmask_next(net);
4312 const struct nlattr *attr;
4313 struct nft_set *set;
4317 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4318 return -EAFNOSUPPORT;
4319 if (nla[NFTA_SET_TABLE] == NULL)
4322 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4327 if (nla[NFTA_SET_HANDLE]) {
4328 attr = nla[NFTA_SET_HANDLE];
4329 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4331 attr = nla[NFTA_SET_NAME];
4332 set = nft_set_lookup(ctx.table, attr, genmask);
4336 NL_SET_BAD_ATTR(extack, attr);
4337 return PTR_ERR(set);
4340 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4341 NL_SET_BAD_ATTR(extack, attr);
4345 return nft_delset(&ctx, set);
4348 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4349 struct nft_set *set,
4350 const struct nft_set_iter *iter,
4351 struct nft_set_elem *elem)
4353 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4354 enum nft_registers dreg;
4356 dreg = nft_type_to_reg(set->dtype);
4357 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4358 set->dtype == NFT_DATA_VERDICT ?
4359 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4363 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4364 struct nft_set_binding *binding)
4366 struct nft_set_binding *i;
4367 struct nft_set_iter iter;
4369 if (set->use == UINT_MAX)
4372 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4375 if (binding->flags & NFT_SET_MAP) {
4376 /* If the set is already bound to the same chain all
4377 * jumps are already validated for that chain.
4379 list_for_each_entry(i, &set->bindings, list) {
4380 if (i->flags & NFT_SET_MAP &&
4381 i->chain == binding->chain)
4385 iter.genmask = nft_genmask_next(ctx->net);
4389 iter.fn = nf_tables_bind_check_setelem;
4391 set->ops->walk(ctx, set, &iter);
4396 binding->chain = ctx->chain;
4397 list_add_tail_rcu(&binding->list, &set->bindings);
4398 nft_set_trans_bind(ctx, set);
4403 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4405 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4406 struct nft_set_binding *binding, bool event)
4408 list_del_rcu(&binding->list);
4410 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4411 list_del_rcu(&set->list);
4413 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4418 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4419 struct nft_set_binding *binding,
4420 enum nft_trans_phase phase)
4423 case NFT_TRANS_PREPARE:
4426 case NFT_TRANS_ABORT:
4427 case NFT_TRANS_RELEASE:
4431 nf_tables_unbind_set(ctx, set, binding,
4432 phase == NFT_TRANS_COMMIT);
4435 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4437 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4439 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4440 nft_set_destroy(ctx, set);
4442 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4444 const struct nft_set_ext_type nft_set_ext_types[] = {
4445 [NFT_SET_EXT_KEY] = {
4446 .align = __alignof__(u32),
4448 [NFT_SET_EXT_DATA] = {
4449 .align = __alignof__(u32),
4451 [NFT_SET_EXT_EXPR] = {
4452 .align = __alignof__(struct nft_expr),
4454 [NFT_SET_EXT_OBJREF] = {
4455 .len = sizeof(struct nft_object *),
4456 .align = __alignof__(struct nft_object *),
4458 [NFT_SET_EXT_FLAGS] = {
4460 .align = __alignof__(u8),
4462 [NFT_SET_EXT_TIMEOUT] = {
4464 .align = __alignof__(u64),
4466 [NFT_SET_EXT_EXPIRATION] = {
4468 .align = __alignof__(u64),
4470 [NFT_SET_EXT_USERDATA] = {
4471 .len = sizeof(struct nft_userdata),
4472 .align = __alignof__(struct nft_userdata),
4474 [NFT_SET_EXT_KEY_END] = {
4475 .align = __alignof__(u32),
4483 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4484 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4485 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4486 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4487 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4488 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4489 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4490 .len = NFT_USERDATA_MAXLEN },
4491 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4492 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4493 .len = NFT_OBJ_MAXNAMELEN - 1 },
4494 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4497 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4498 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4499 .len = NFT_TABLE_MAXNAMELEN - 1 },
4500 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4501 .len = NFT_SET_MAXNAMELEN - 1 },
4502 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4503 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4506 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4507 const struct sk_buff *skb,
4508 const struct nlmsghdr *nlh,
4509 const struct nlattr * const nla[],
4510 struct netlink_ext_ack *extack,
4513 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4514 int family = nfmsg->nfgen_family;
4515 struct nft_table *table;
4517 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4519 if (IS_ERR(table)) {
4520 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4521 return PTR_ERR(table);
4524 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4528 static int nf_tables_fill_setelem(struct sk_buff *skb,
4529 const struct nft_set *set,
4530 const struct nft_set_elem *elem)
4532 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4533 unsigned char *b = skb_tail_pointer(skb);
4534 struct nlattr *nest;
4536 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4538 goto nla_put_failure;
4540 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4541 NFT_DATA_VALUE, set->klen) < 0)
4542 goto nla_put_failure;
4544 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4545 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4546 NFT_DATA_VALUE, set->klen) < 0)
4547 goto nla_put_failure;
4549 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4550 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4551 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4553 goto nla_put_failure;
4555 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4556 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4557 goto nla_put_failure;
4559 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4560 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4561 (*nft_set_ext_obj(ext))->key.name) < 0)
4562 goto nla_put_failure;
4564 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4565 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4566 htonl(*nft_set_ext_flags(ext))))
4567 goto nla_put_failure;
4569 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4570 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4571 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4573 goto nla_put_failure;
4575 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4576 u64 expires, now = get_jiffies_64();
4578 expires = *nft_set_ext_expiration(ext);
4579 if (time_before64(now, expires))
4584 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4585 nf_jiffies64_to_msecs(expires),
4587 goto nla_put_failure;
4590 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4591 struct nft_userdata *udata;
4593 udata = nft_set_ext_userdata(ext);
4594 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4595 udata->len + 1, udata->data))
4596 goto nla_put_failure;
4599 nla_nest_end(skb, nest);
4607 struct nft_set_dump_args {
4608 const struct netlink_callback *cb;
4609 struct nft_set_iter iter;
4610 struct sk_buff *skb;
4613 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4614 struct nft_set *set,
4615 const struct nft_set_iter *iter,
4616 struct nft_set_elem *elem)
4618 struct nft_set_dump_args *args;
4620 args = container_of(iter, struct nft_set_dump_args, iter);
4621 return nf_tables_fill_setelem(args->skb, set, elem);
4624 struct nft_set_dump_ctx {
4625 const struct nft_set *set;
4629 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4631 struct nft_set_dump_ctx *dump_ctx = cb->data;
4632 struct net *net = sock_net(skb->sk);
4633 struct nft_table *table;
4634 struct nft_set *set;
4635 struct nft_set_dump_args args;
4636 bool set_found = false;
4637 struct nfgenmsg *nfmsg;
4638 struct nlmsghdr *nlh;
4639 struct nlattr *nest;
4644 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4645 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4646 dump_ctx->ctx.family != table->family)
4649 if (table != dump_ctx->ctx.table)
4652 list_for_each_entry_rcu(set, &table->sets, list) {
4653 if (set == dump_ctx->set) {
4666 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4667 portid = NETLINK_CB(cb->skb).portid;
4668 seq = cb->nlh->nlmsg_seq;
4670 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4673 goto nla_put_failure;
4675 nfmsg = nlmsg_data(nlh);
4676 nfmsg->nfgen_family = table->family;
4677 nfmsg->version = NFNETLINK_V0;
4678 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4680 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4681 goto nla_put_failure;
4682 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4683 goto nla_put_failure;
4685 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4687 goto nla_put_failure;
4691 args.iter.genmask = nft_genmask_cur(net);
4692 args.iter.skip = cb->args[0];
4693 args.iter.count = 0;
4695 args.iter.fn = nf_tables_dump_setelem;
4696 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4699 nla_nest_end(skb, nest);
4700 nlmsg_end(skb, nlh);
4702 if (args.iter.err && args.iter.err != -EMSGSIZE)
4703 return args.iter.err;
4704 if (args.iter.count == cb->args[0])
4707 cb->args[0] = args.iter.count;
4715 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4717 struct nft_set_dump_ctx *dump_ctx = cb->data;
4719 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4721 return cb->data ? 0 : -ENOMEM;
4724 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4730 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4731 const struct nft_ctx *ctx, u32 seq,
4732 u32 portid, int event, u16 flags,
4733 const struct nft_set *set,
4734 const struct nft_set_elem *elem)
4736 struct nfgenmsg *nfmsg;
4737 struct nlmsghdr *nlh;
4738 struct nlattr *nest;
4741 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4742 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4745 goto nla_put_failure;
4747 nfmsg = nlmsg_data(nlh);
4748 nfmsg->nfgen_family = ctx->family;
4749 nfmsg->version = NFNETLINK_V0;
4750 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4752 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4753 goto nla_put_failure;
4754 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4755 goto nla_put_failure;
4757 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4759 goto nla_put_failure;
4761 err = nf_tables_fill_setelem(skb, set, elem);
4763 goto nla_put_failure;
4765 nla_nest_end(skb, nest);
4767 nlmsg_end(skb, nlh);
4771 nlmsg_trim(skb, nlh);
4775 static int nft_setelem_parse_flags(const struct nft_set *set,
4776 const struct nlattr *attr, u32 *flags)
4781 *flags = ntohl(nla_get_be32(attr));
4782 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4784 if (!(set->flags & NFT_SET_INTERVAL) &&
4785 *flags & NFT_SET_ELEM_INTERVAL_END)
4791 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4792 struct nft_data *key, struct nlattr *attr)
4794 struct nft_data_desc desc;
4797 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4801 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4802 nft_data_release(key, desc.type);
4809 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4810 struct nft_data_desc *desc,
4811 struct nft_data *data,
4812 struct nlattr *attr)
4816 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4820 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4821 nft_data_release(data, desc->type);
4828 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4829 const struct nlattr *attr)
4831 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4832 struct nft_set_elem elem;
4833 struct sk_buff *skb;
4838 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4839 nft_set_elem_policy, NULL);
4843 if (!nla[NFTA_SET_ELEM_KEY])
4846 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4850 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4851 nla[NFTA_SET_ELEM_KEY]);
4855 if (nla[NFTA_SET_ELEM_KEY_END]) {
4856 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4857 nla[NFTA_SET_ELEM_KEY_END]);
4862 priv = set->ops->get(ctx->net, set, &elem, flags);
4864 return PTR_ERR(priv);
4869 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4873 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4874 NFT_MSG_NEWSETELEM, 0, set, &elem);
4876 goto err_fill_setelem;
4878 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
4885 /* called with rcu_read_lock held */
4886 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4887 struct sk_buff *skb, const struct nlmsghdr *nlh,
4888 const struct nlattr * const nla[],
4889 struct netlink_ext_ack *extack)
4891 u8 genmask = nft_genmask_cur(net);
4892 struct nft_set *set;
4893 struct nlattr *attr;
4897 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4902 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4904 return PTR_ERR(set);
4906 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4907 struct netlink_dump_control c = {
4908 .start = nf_tables_dump_set_start,
4909 .dump = nf_tables_dump_set,
4910 .done = nf_tables_dump_set_done,
4911 .module = THIS_MODULE,
4913 struct nft_set_dump_ctx dump_ctx = {
4919 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4922 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4925 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4926 err = nft_get_set_elem(&ctx, set, attr);
4934 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4935 const struct nft_set *set,
4936 const struct nft_set_elem *elem,
4937 int event, u16 flags)
4939 struct net *net = ctx->net;
4940 u32 portid = ctx->portid;
4941 struct sk_buff *skb;
4943 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
4944 ctx->table->name, ctx->table->handle,
4945 set->name, set->handle);
4947 audit_log_nfcfg(buf,
4950 event == NFT_MSG_NEWSETELEM ?
4951 AUDIT_NFT_OP_SETELEM_REGISTER :
4952 AUDIT_NFT_OP_SETELEM_UNREGISTER,
4956 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4959 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4963 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4970 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
4973 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4976 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4978 struct nft_set *set)
4980 struct nft_trans *trans;
4982 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4986 nft_trans_elem_set(trans) = set;
4990 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
4991 const struct nft_set *set,
4992 const struct nlattr *attr)
4994 struct nft_expr *expr;
4997 expr = nft_expr_init(ctx, attr);
5002 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5003 goto err_set_elem_expr;
5005 if (expr->ops->type->flags & NFT_EXPR_GC) {
5006 if (set->flags & NFT_SET_TIMEOUT)
5007 goto err_set_elem_expr;
5008 if (!set->ops->gc_init)
5009 goto err_set_elem_expr;
5010 set->ops->gc_init(set);
5016 nft_expr_destroy(ctx, expr);
5017 return ERR_PTR(err);
5020 void *nft_set_elem_init(const struct nft_set *set,
5021 const struct nft_set_ext_tmpl *tmpl,
5022 const u32 *key, const u32 *key_end,
5023 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5025 struct nft_set_ext *ext;
5028 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5032 ext = nft_set_elem_ext(set, elem);
5033 nft_set_ext_init(ext, tmpl);
5035 memcpy(nft_set_ext_key(ext), key, set->klen);
5036 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5037 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5038 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5039 memcpy(nft_set_ext_data(ext), data, set->dlen);
5040 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5041 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5042 if (expiration == 0)
5043 *nft_set_ext_expiration(ext) += timeout;
5045 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5046 *nft_set_ext_timeout(ext) = timeout;
5051 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5052 struct nft_expr *expr)
5054 if (expr->ops->destroy_clone) {
5055 expr->ops->destroy_clone(ctx, expr);
5056 module_put(expr->ops->type->owner);
5058 nf_tables_expr_destroy(ctx, expr);
5062 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5065 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5066 struct nft_ctx ctx = {
5067 .net = read_pnet(&set->net),
5068 .family = set->table->family,
5071 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5072 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5073 nft_data_release(nft_set_ext_data(ext), set->dtype);
5074 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5075 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5077 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5078 (*nft_set_ext_obj(ext))->use--;
5081 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5083 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5084 * the refcounting from the preparation phase.
5086 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5087 const struct nft_set *set, void *elem)
5089 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5091 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5092 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5097 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5098 const struct nlattr *attr, u32 nlmsg_flags)
5100 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5101 u8 genmask = nft_genmask_next(ctx->net);
5102 struct nft_set_ext_tmpl tmpl;
5103 struct nft_set_ext *ext, *ext2;
5104 struct nft_set_elem elem;
5105 struct nft_set_binding *binding;
5106 struct nft_object *obj = NULL;
5107 struct nft_expr *expr = NULL;
5108 struct nft_userdata *udata;
5109 struct nft_data_desc desc;
5110 enum nft_registers dreg;
5111 struct nft_trans *trans;
5118 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5119 nft_set_elem_policy, NULL);
5123 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5126 nft_set_ext_prepare(&tmpl);
5128 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5132 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5134 if (set->flags & NFT_SET_MAP) {
5135 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5136 !(flags & NFT_SET_ELEM_INTERVAL_END))
5139 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5143 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5144 (nla[NFTA_SET_ELEM_DATA] ||
5145 nla[NFTA_SET_ELEM_OBJREF] ||
5146 nla[NFTA_SET_ELEM_TIMEOUT] ||
5147 nla[NFTA_SET_ELEM_EXPIRATION] ||
5148 nla[NFTA_SET_ELEM_USERDATA] ||
5149 nla[NFTA_SET_ELEM_EXPR]))
5153 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5154 if (!(set->flags & NFT_SET_TIMEOUT))
5156 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5160 } else if (set->flags & NFT_SET_TIMEOUT) {
5161 timeout = set->timeout;
5165 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5166 if (!(set->flags & NFT_SET_TIMEOUT))
5168 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5174 if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
5175 expr = nft_set_elem_expr_alloc(ctx, set,
5176 nla[NFTA_SET_ELEM_EXPR]);
5178 return PTR_ERR(expr);
5181 if (set->expr && set->expr->ops != expr->ops)
5182 goto err_set_elem_expr;
5183 } else if (set->expr) {
5184 expr = kzalloc(set->expr->ops->size, GFP_KERNEL);
5188 err = nft_expr_clone(expr, set->expr);
5190 goto err_set_elem_expr;
5193 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5194 nla[NFTA_SET_ELEM_KEY]);
5196 goto err_set_elem_expr;
5198 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5200 if (nla[NFTA_SET_ELEM_KEY_END]) {
5201 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5202 nla[NFTA_SET_ELEM_KEY_END]);
5206 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5210 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5211 if (timeout != set->timeout)
5212 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5216 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
5219 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5220 if (!(set->flags & NFT_SET_OBJECT)) {
5222 goto err_parse_key_end;
5224 obj = nft_obj_lookup(ctx->net, ctx->table,
5225 nla[NFTA_SET_ELEM_OBJREF],
5226 set->objtype, genmask);
5229 goto err_parse_key_end;
5231 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5234 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5235 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5236 nla[NFTA_SET_ELEM_DATA]);
5238 goto err_parse_key_end;
5240 dreg = nft_type_to_reg(set->dtype);
5241 list_for_each_entry(binding, &set->bindings, list) {
5242 struct nft_ctx bind_ctx = {
5244 .family = ctx->family,
5245 .table = ctx->table,
5246 .chain = (struct nft_chain *)binding->chain,
5249 if (!(binding->flags & NFT_SET_MAP))
5252 err = nft_validate_register_store(&bind_ctx, dreg,
5254 desc.type, desc.len);
5256 goto err_parse_data;
5258 if (desc.type == NFT_DATA_VERDICT &&
5259 (elem.data.val.verdict.code == NFT_GOTO ||
5260 elem.data.val.verdict.code == NFT_JUMP))
5261 nft_validate_state_update(ctx->net,
5265 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5268 /* The full maximum length of userdata can exceed the maximum
5269 * offset value (U8_MAX) for following extensions, therefor it
5270 * must be the last extension added.
5273 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5274 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5276 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5281 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5282 elem.key_end.val.data, elem.data.val.data,
5283 timeout, expiration, GFP_KERNEL);
5284 if (elem.priv == NULL)
5285 goto err_parse_data;
5287 ext = nft_set_elem_ext(set, elem.priv);
5289 *nft_set_ext_flags(ext) = flags;
5291 udata = nft_set_ext_userdata(ext);
5292 udata->len = ulen - 1;
5293 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5296 *nft_set_ext_obj(ext) = obj;
5300 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
5305 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5309 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5310 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5312 if (err == -EEXIST) {
5313 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5314 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5315 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5316 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5317 goto err_element_clash;
5318 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5319 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5320 memcmp(nft_set_ext_data(ext),
5321 nft_set_ext_data(ext2), set->dlen) != 0) ||
5322 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5323 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5324 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5325 goto err_element_clash;
5326 else if (!(nlmsg_flags & NLM_F_EXCL))
5328 } else if (err == -ENOTEMPTY) {
5329 /* ENOTEMPTY reports overlapping between this element
5330 * and an existing one.
5334 goto err_element_clash;
5338 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5343 nft_trans_elem(trans) = elem;
5344 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5348 set->ops->remove(ctx->net, set, &elem);
5355 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5357 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5358 nft_data_release(&elem.data.val, desc.type);
5360 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5362 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5365 nft_expr_destroy(ctx, expr);
5370 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5371 struct sk_buff *skb, const struct nlmsghdr *nlh,
5372 const struct nlattr * const nla[],
5373 struct netlink_ext_ack *extack)
5375 u8 genmask = nft_genmask_next(net);
5376 const struct nlattr *attr;
5377 struct nft_set *set;
5381 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5384 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5389 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5390 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5392 return PTR_ERR(set);
5394 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5397 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5398 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5403 if (net->nft.validate_state == NFT_VALIDATE_DO)
5404 return nft_table_validate(net, ctx.table);
5410 * nft_data_hold - hold a nft_data item
5412 * @data: struct nft_data to release
5413 * @type: type of data
5415 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5416 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5417 * NFT_GOTO verdicts. This function must be called on active data objects
5418 * from the second phase of the commit protocol.
5420 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5422 struct nft_chain *chain;
5423 struct nft_rule *rule;
5425 if (type == NFT_DATA_VERDICT) {
5426 switch (data->verdict.code) {
5429 chain = data->verdict.chain;
5432 if (!nft_chain_is_bound(chain))
5435 chain->table->use++;
5436 list_for_each_entry(rule, &chain->rules, list)
5439 nft_chain_add(chain->table, chain);
5445 static void nft_set_elem_activate(const struct net *net,
5446 const struct nft_set *set,
5447 struct nft_set_elem *elem)
5449 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5451 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5452 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5453 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5454 (*nft_set_ext_obj(ext))->use++;
5457 static void nft_set_elem_deactivate(const struct net *net,
5458 const struct nft_set *set,
5459 struct nft_set_elem *elem)
5461 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5463 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5464 nft_data_release(nft_set_ext_data(ext), set->dtype);
5465 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5466 (*nft_set_ext_obj(ext))->use--;
5469 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5470 const struct nlattr *attr)
5472 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5473 struct nft_set_ext_tmpl tmpl;
5474 struct nft_set_elem elem;
5475 struct nft_set_ext *ext;
5476 struct nft_trans *trans;
5481 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5482 nft_set_elem_policy, NULL);
5486 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5489 nft_set_ext_prepare(&tmpl);
5491 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5495 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5497 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5498 nla[NFTA_SET_ELEM_KEY]);
5502 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5504 if (nla[NFTA_SET_ELEM_KEY_END]) {
5505 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5506 nla[NFTA_SET_ELEM_KEY_END]);
5510 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5514 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5515 elem.key_end.val.data, NULL, 0, 0,
5517 if (elem.priv == NULL)
5520 ext = nft_set_elem_ext(set, elem.priv);
5522 *nft_set_ext_flags(ext) = flags;
5524 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5528 priv = set->ops->deactivate(ctx->net, set, &elem);
5536 nft_set_elem_deactivate(ctx->net, set, &elem);
5538 nft_trans_elem(trans) = elem;
5539 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5547 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5551 static int nft_flush_set(const struct nft_ctx *ctx,
5552 struct nft_set *set,
5553 const struct nft_set_iter *iter,
5554 struct nft_set_elem *elem)
5556 struct nft_trans *trans;
5559 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5560 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5564 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5570 nft_set_elem_deactivate(ctx->net, set, elem);
5571 nft_trans_elem_set(trans) = set;
5572 nft_trans_elem(trans) = *elem;
5573 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5581 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5582 struct sk_buff *skb, const struct nlmsghdr *nlh,
5583 const struct nlattr * const nla[],
5584 struct netlink_ext_ack *extack)
5586 u8 genmask = nft_genmask_next(net);
5587 const struct nlattr *attr;
5588 struct nft_set *set;
5592 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5597 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5599 return PTR_ERR(set);
5600 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5603 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5604 struct nft_set_iter iter = {
5606 .fn = nft_flush_set,
5608 set->ops->walk(&ctx, set, &iter);
5613 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5614 err = nft_del_setelem(&ctx, set, attr);
5623 void nft_set_gc_batch_release(struct rcu_head *rcu)
5625 struct nft_set_gc_batch *gcb;
5628 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5629 for (i = 0; i < gcb->head.cnt; i++)
5630 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5634 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5637 struct nft_set_gc_batch *gcb;
5639 gcb = kzalloc(sizeof(*gcb), gfp);
5642 gcb->head.set = set;
5651 * nft_register_obj- register nf_tables stateful object type
5652 * @obj_type: object type
5654 * Registers the object type for use with nf_tables. Returns zero on
5655 * success or a negative errno code otherwise.
5657 int nft_register_obj(struct nft_object_type *obj_type)
5659 if (obj_type->type == NFT_OBJECT_UNSPEC)
5662 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5663 list_add_rcu(&obj_type->list, &nf_tables_objects);
5664 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5667 EXPORT_SYMBOL_GPL(nft_register_obj);
5670 * nft_unregister_obj - unregister nf_tables object type
5671 * @obj_type: object type
5673 * Unregisters the object type for use with nf_tables.
5675 void nft_unregister_obj(struct nft_object_type *obj_type)
5677 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5678 list_del_rcu(&obj_type->list);
5679 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5681 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5683 struct nft_object *nft_obj_lookup(const struct net *net,
5684 const struct nft_table *table,
5685 const struct nlattr *nla, u32 objtype,
5688 struct nft_object_hash_key k = { .table = table };
5689 char search[NFT_OBJ_MAXNAMELEN];
5690 struct rhlist_head *tmp, *list;
5691 struct nft_object *obj;
5693 nla_strlcpy(search, nla, sizeof(search));
5696 WARN_ON_ONCE(!rcu_read_lock_held() &&
5697 !lockdep_commit_lock_is_held(net));
5700 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5704 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5705 if (objtype == obj->ops->type->type &&
5706 nft_active_genmask(obj, genmask)) {
5713 return ERR_PTR(-ENOENT);
5715 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5717 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5718 const struct nlattr *nla,
5719 u32 objtype, u8 genmask)
5721 struct nft_object *obj;
5723 list_for_each_entry(obj, &table->objects, list) {
5724 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5725 objtype == obj->ops->type->type &&
5726 nft_active_genmask(obj, genmask))
5729 return ERR_PTR(-ENOENT);
5732 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5733 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5734 .len = NFT_TABLE_MAXNAMELEN - 1 },
5735 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5736 .len = NFT_OBJ_MAXNAMELEN - 1 },
5737 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5738 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5739 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5742 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5743 const struct nft_object_type *type,
5744 const struct nlattr *attr)
5747 const struct nft_object_ops *ops;
5748 struct nft_object *obj;
5751 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5756 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5757 type->policy, NULL);
5761 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5764 if (type->select_ops) {
5765 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5775 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5779 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5792 return ERR_PTR(err);
5795 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5796 struct nft_object *obj, bool reset)
5798 struct nlattr *nest;
5800 nest = nla_nest_start_noflag(skb, attr);
5802 goto nla_put_failure;
5803 if (obj->ops->dump(skb, obj, reset) < 0)
5804 goto nla_put_failure;
5805 nla_nest_end(skb, nest);
5812 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5814 const struct nft_object_type *type;
5816 list_for_each_entry(type, &nf_tables_objects, list) {
5817 if (objtype == type->type)
5823 static const struct nft_object_type *
5824 nft_obj_type_get(struct net *net, u32 objtype)
5826 const struct nft_object_type *type;
5828 type = __nft_obj_type_get(objtype);
5829 if (type != NULL && try_module_get(type->owner))
5832 lockdep_nfnl_nft_mutex_not_held();
5833 #ifdef CONFIG_MODULES
5835 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5836 return ERR_PTR(-EAGAIN);
5839 return ERR_PTR(-ENOENT);
5842 static int nf_tables_updobj(const struct nft_ctx *ctx,
5843 const struct nft_object_type *type,
5844 const struct nlattr *attr,
5845 struct nft_object *obj)
5847 struct nft_object *newobj;
5848 struct nft_trans *trans;
5851 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5852 sizeof(struct nft_trans_obj));
5856 newobj = nft_obj_init(ctx, type, attr);
5857 if (IS_ERR(newobj)) {
5858 err = PTR_ERR(newobj);
5859 goto err_free_trans;
5862 nft_trans_obj(trans) = obj;
5863 nft_trans_obj_update(trans) = true;
5864 nft_trans_obj_newobj(trans) = newobj;
5865 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5874 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5875 struct sk_buff *skb, const struct nlmsghdr *nlh,
5876 const struct nlattr * const nla[],
5877 struct netlink_ext_ack *extack)
5879 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5880 const struct nft_object_type *type;
5881 u8 genmask = nft_genmask_next(net);
5882 int family = nfmsg->nfgen_family;
5883 struct nft_table *table;
5884 struct nft_object *obj;
5889 if (!nla[NFTA_OBJ_TYPE] ||
5890 !nla[NFTA_OBJ_NAME] ||
5891 !nla[NFTA_OBJ_DATA])
5894 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5895 if (IS_ERR(table)) {
5896 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5897 return PTR_ERR(table);
5900 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5901 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5904 if (err != -ENOENT) {
5905 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5909 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5910 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5913 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5916 type = __nft_obj_type_get(objtype);
5917 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5919 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5922 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5924 type = nft_obj_type_get(net, objtype);
5926 return PTR_ERR(type);
5928 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5933 obj->key.table = table;
5934 obj->handle = nf_tables_alloc_handle(table);
5936 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5937 if (!obj->key.name) {
5942 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5946 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5947 nft_objname_ht_params);
5951 list_add_tail_rcu(&obj->list, &table->objects);
5955 /* queued in transaction log */
5956 INIT_LIST_HEAD(&obj->list);
5959 kfree(obj->key.name);
5961 if (obj->ops->destroy)
5962 obj->ops->destroy(&ctx, obj);
5965 module_put(type->owner);
5969 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5970 u32 portid, u32 seq, int event, u32 flags,
5971 int family, const struct nft_table *table,
5972 struct nft_object *obj, bool reset)
5974 struct nfgenmsg *nfmsg;
5975 struct nlmsghdr *nlh;
5977 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5978 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5980 goto nla_put_failure;
5982 nfmsg = nlmsg_data(nlh);
5983 nfmsg->nfgen_family = family;
5984 nfmsg->version = NFNETLINK_V0;
5985 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5987 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5988 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5989 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5990 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5991 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5992 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5994 goto nla_put_failure;
5996 nlmsg_end(skb, nlh);
6000 nlmsg_trim(skb, nlh);
6004 struct nft_obj_filter {
6009 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6011 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6012 const struct nft_table *table;
6013 unsigned int idx = 0, s_idx = cb->args[0];
6014 struct nft_obj_filter *filter = cb->data;
6015 struct net *net = sock_net(skb->sk);
6016 int family = nfmsg->nfgen_family;
6017 struct nft_object *obj;
6020 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6024 cb->seq = net->nft.base_seq;
6026 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6027 if (family != NFPROTO_UNSPEC && family != table->family)
6030 list_for_each_entry_rcu(obj, &table->objects, list) {
6031 if (!nft_is_active(net, obj))
6036 memset(&cb->args[1], 0,
6037 sizeof(cb->args) - sizeof(cb->args[0]));
6038 if (filter && filter->table &&
6039 strcmp(filter->table, table->name))
6042 filter->type != NFT_OBJECT_UNSPEC &&
6043 obj->ops->type->type != filter->type)
6047 char *buf = kasprintf(GFP_ATOMIC,
6052 audit_log_nfcfg(buf,
6055 AUDIT_NFT_OP_OBJ_RESET,
6060 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6063 NLM_F_MULTI | NLM_F_APPEND,
6064 table->family, table,
6068 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6080 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6082 const struct nlattr * const *nla = cb->data;
6083 struct nft_obj_filter *filter = NULL;
6085 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6086 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6090 if (nla[NFTA_OBJ_TABLE]) {
6091 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6092 if (!filter->table) {
6098 if (nla[NFTA_OBJ_TYPE])
6099 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6106 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6108 struct nft_obj_filter *filter = cb->data;
6111 kfree(filter->table);
6118 /* called with rcu_read_lock held */
6119 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6120 struct sk_buff *skb, const struct nlmsghdr *nlh,
6121 const struct nlattr * const nla[],
6122 struct netlink_ext_ack *extack)
6124 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6125 u8 genmask = nft_genmask_cur(net);
6126 int family = nfmsg->nfgen_family;
6127 const struct nft_table *table;
6128 struct nft_object *obj;
6129 struct sk_buff *skb2;
6134 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6135 struct netlink_dump_control c = {
6136 .start = nf_tables_dump_obj_start,
6137 .dump = nf_tables_dump_obj,
6138 .done = nf_tables_dump_obj_done,
6139 .module = THIS_MODULE,
6140 .data = (void *)nla,
6143 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6146 if (!nla[NFTA_OBJ_NAME] ||
6147 !nla[NFTA_OBJ_TYPE])
6150 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6151 if (IS_ERR(table)) {
6152 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6153 return PTR_ERR(table);
6156 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6157 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6159 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6160 return PTR_ERR(obj);
6163 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6167 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6171 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0",
6172 table->name, table->handle);
6174 audit_log_nfcfg(buf,
6177 AUDIT_NFT_OP_OBJ_RESET,
6182 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6183 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6184 family, table, obj, reset);
6186 goto err_fill_obj_info;
6188 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6195 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6197 if (obj->ops->destroy)
6198 obj->ops->destroy(ctx, obj);
6200 module_put(obj->ops->type->owner);
6201 kfree(obj->key.name);
6205 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6206 struct sk_buff *skb, const struct nlmsghdr *nlh,
6207 const struct nlattr * const nla[],
6208 struct netlink_ext_ack *extack)
6210 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6211 u8 genmask = nft_genmask_next(net);
6212 int family = nfmsg->nfgen_family;
6213 const struct nlattr *attr;
6214 struct nft_table *table;
6215 struct nft_object *obj;
6219 if (!nla[NFTA_OBJ_TYPE] ||
6220 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6223 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6224 if (IS_ERR(table)) {
6225 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6226 return PTR_ERR(table);
6229 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6230 if (nla[NFTA_OBJ_HANDLE]) {
6231 attr = nla[NFTA_OBJ_HANDLE];
6232 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6234 attr = nla[NFTA_OBJ_NAME];
6235 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6239 NL_SET_BAD_ATTR(extack, attr);
6240 return PTR_ERR(obj);
6243 NL_SET_BAD_ATTR(extack, attr);
6247 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6249 return nft_delobj(&ctx, obj);
6252 void nft_obj_notify(struct net *net, const struct nft_table *table,
6253 struct nft_object *obj, u32 portid, u32 seq, int event,
6254 int family, int report, gfp_t gfp)
6256 struct sk_buff *skb;
6258 char *buf = kasprintf(gfp, "%s:%llu;?:0",
6259 table->name, table->handle);
6261 audit_log_nfcfg(buf,
6264 event == NFT_MSG_NEWOBJ ?
6265 AUDIT_NFT_OP_OBJ_REGISTER :
6266 AUDIT_NFT_OP_OBJ_UNREGISTER,
6271 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6274 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6278 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6285 nft_notify_enqueue(skb, report, &net->nft.notify_list);
6288 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6290 EXPORT_SYMBOL_GPL(nft_obj_notify);
6292 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6293 struct nft_object *obj, int event)
6295 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6296 ctx->family, ctx->report, GFP_KERNEL);
6302 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6304 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6305 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6306 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6308 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6310 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6312 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6313 list_del_rcu(&type->list);
6314 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6316 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6318 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6319 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6320 .len = NFT_NAME_MAXLEN - 1 },
6321 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6322 .len = NFT_NAME_MAXLEN - 1 },
6323 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6324 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6325 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6328 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6329 const struct nlattr *nla, u8 genmask)
6331 struct nft_flowtable *flowtable;
6333 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6334 if (!nla_strcmp(nla, flowtable->name) &&
6335 nft_active_genmask(flowtable, genmask))
6338 return ERR_PTR(-ENOENT);
6340 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6342 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6343 struct nft_flowtable *flowtable,
6344 enum nft_trans_phase phase)
6347 case NFT_TRANS_PREPARE:
6348 case NFT_TRANS_ABORT:
6349 case NFT_TRANS_RELEASE:
6356 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6358 static struct nft_flowtable *
6359 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6360 const struct nlattr *nla, u8 genmask)
6362 struct nft_flowtable *flowtable;
6364 list_for_each_entry(flowtable, &table->flowtables, list) {
6365 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6366 nft_active_genmask(flowtable, genmask))
6369 return ERR_PTR(-ENOENT);
6372 struct nft_flowtable_hook {
6375 struct list_head list;
6378 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6379 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6380 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6381 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6384 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6385 const struct nlattr *attr,
6386 struct nft_flowtable_hook *flowtable_hook,
6387 struct nft_flowtable *flowtable, bool add)
6389 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6390 struct nft_hook *hook;
6391 int hooknum, priority;
6394 INIT_LIST_HEAD(&flowtable_hook->list);
6396 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6397 nft_flowtable_hook_policy, NULL);
6402 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6403 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6406 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6407 if (hooknum != NF_NETDEV_INGRESS)
6410 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6412 flowtable_hook->priority = priority;
6413 flowtable_hook->num = hooknum;
6415 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6416 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6417 if (hooknum != flowtable->hooknum)
6421 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6422 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6423 if (priority != flowtable->data.priority)
6427 flowtable_hook->priority = flowtable->data.priority;
6428 flowtable_hook->num = flowtable->hooknum;
6431 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6432 err = nf_tables_parse_netdev_hooks(ctx->net,
6433 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6434 &flowtable_hook->list);
6439 list_for_each_entry(hook, &flowtable_hook->list, list) {
6440 hook->ops.pf = NFPROTO_NETDEV;
6441 hook->ops.hooknum = flowtable_hook->num;
6442 hook->ops.priority = flowtable_hook->priority;
6443 hook->ops.priv = &flowtable->data;
6444 hook->ops.hook = flowtable->data.type->hook;
6450 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6452 const struct nf_flowtable_type *type;
6454 list_for_each_entry(type, &nf_tables_flowtables, list) {
6455 if (family == type->family)
6461 static const struct nf_flowtable_type *
6462 nft_flowtable_type_get(struct net *net, u8 family)
6464 const struct nf_flowtable_type *type;
6466 type = __nft_flowtable_type_get(family);
6467 if (type != NULL && try_module_get(type->owner))
6470 lockdep_nfnl_nft_mutex_not_held();
6471 #ifdef CONFIG_MODULES
6473 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6474 return ERR_PTR(-EAGAIN);
6477 return ERR_PTR(-ENOENT);
6480 /* Only called from error and netdev event paths. */
6481 static void nft_unregister_flowtable_hook(struct net *net,
6482 struct nft_flowtable *flowtable,
6483 struct nft_hook *hook)
6485 nf_unregister_net_hook(net, &hook->ops);
6486 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6490 static void nft_unregister_flowtable_net_hooks(struct net *net,
6491 struct list_head *hook_list)
6493 struct nft_hook *hook;
6495 list_for_each_entry(hook, hook_list, list)
6496 nf_unregister_net_hook(net, &hook->ops);
6499 static int nft_register_flowtable_net_hooks(struct net *net,
6500 struct nft_table *table,
6501 struct list_head *hook_list,
6502 struct nft_flowtable *flowtable)
6504 struct nft_hook *hook, *hook2, *next;
6505 struct nft_flowtable *ft;
6508 list_for_each_entry(hook, hook_list, list) {
6509 list_for_each_entry(ft, &table->flowtables, list) {
6510 list_for_each_entry(hook2, &ft->hook_list, list) {
6511 if (hook->ops.dev == hook2->ops.dev &&
6512 hook->ops.pf == hook2->ops.pf) {
6514 goto err_unregister_net_hooks;
6519 err = flowtable->data.type->setup(&flowtable->data,
6523 goto err_unregister_net_hooks;
6525 err = nf_register_net_hook(net, &hook->ops);
6527 flowtable->data.type->setup(&flowtable->data,
6530 goto err_unregister_net_hooks;
6538 err_unregister_net_hooks:
6539 list_for_each_entry_safe(hook, next, hook_list, list) {
6543 nft_unregister_flowtable_hook(net, flowtable, hook);
6544 list_del_rcu(&hook->list);
6545 kfree_rcu(hook, rcu);
6551 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6553 struct nft_hook *hook, *next;
6555 list_for_each_entry_safe(hook, next, hook_list, list) {
6556 list_del_rcu(&hook->list);
6557 kfree_rcu(hook, rcu);
6561 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6562 struct nft_flowtable *flowtable)
6564 const struct nlattr * const *nla = ctx->nla;
6565 struct nft_flowtable_hook flowtable_hook;
6566 struct nft_hook *hook, *next;
6567 struct nft_trans *trans;
6568 bool unregister = false;
6571 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6572 &flowtable_hook, flowtable, false);
6576 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6577 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6578 list_del(&hook->list);
6583 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6584 &flowtable_hook.list, flowtable);
6586 goto err_flowtable_update_hook;
6588 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6589 sizeof(struct nft_trans_flowtable));
6593 goto err_flowtable_update_hook;
6596 nft_trans_flowtable(trans) = flowtable;
6597 nft_trans_flowtable_update(trans) = true;
6598 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6599 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6601 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6605 err_flowtable_update_hook:
6606 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6608 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6609 list_del_rcu(&hook->list);
6610 kfree_rcu(hook, rcu);
6617 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6618 struct sk_buff *skb,
6619 const struct nlmsghdr *nlh,
6620 const struct nlattr * const nla[],
6621 struct netlink_ext_ack *extack)
6623 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6624 struct nft_flowtable_hook flowtable_hook;
6625 const struct nf_flowtable_type *type;
6626 u8 genmask = nft_genmask_next(net);
6627 int family = nfmsg->nfgen_family;
6628 struct nft_flowtable *flowtable;
6629 struct nft_hook *hook, *next;
6630 struct nft_table *table;
6634 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6635 !nla[NFTA_FLOWTABLE_NAME] ||
6636 !nla[NFTA_FLOWTABLE_HOOK])
6639 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6641 if (IS_ERR(table)) {
6642 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6643 return PTR_ERR(table);
6646 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6648 if (IS_ERR(flowtable)) {
6649 err = PTR_ERR(flowtable);
6650 if (err != -ENOENT) {
6651 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6655 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6656 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6660 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6662 return nft_flowtable_update(&ctx, nlh, flowtable);
6665 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6667 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6671 flowtable->table = table;
6672 flowtable->handle = nf_tables_alloc_handle(table);
6673 INIT_LIST_HEAD(&flowtable->hook_list);
6675 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6676 if (!flowtable->name) {
6681 type = nft_flowtable_type_get(net, family);
6683 err = PTR_ERR(type);
6687 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6688 flowtable->data.flags =
6689 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6690 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6694 write_pnet(&flowtable->data.net, net);
6695 flowtable->data.type = type;
6696 err = type->init(&flowtable->data);
6700 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6701 &flowtable_hook, flowtable, true);
6705 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6706 flowtable->data.priority = flowtable_hook.priority;
6707 flowtable->hooknum = flowtable_hook.num;
6709 err = nft_register_flowtable_net_hooks(ctx.net, table,
6710 &flowtable->hook_list,
6713 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6717 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6721 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6726 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6727 nft_unregister_flowtable_hook(net, flowtable, hook);
6728 list_del_rcu(&hook->list);
6729 kfree_rcu(hook, rcu);
6732 flowtable->data.type->free(&flowtable->data);
6734 module_put(type->owner);
6736 kfree(flowtable->name);
6742 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
6744 struct nft_hook *this, *next;
6746 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
6747 list_del(&this->list);
6752 static int nft_delflowtable_hook(struct nft_ctx *ctx,
6753 struct nft_flowtable *flowtable)
6755 const struct nlattr * const *nla = ctx->nla;
6756 struct nft_flowtable_hook flowtable_hook;
6757 struct nft_hook *this, *hook;
6758 struct nft_trans *trans;
6761 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6762 &flowtable_hook, flowtable, false);
6766 list_for_each_entry(this, &flowtable_hook.list, list) {
6767 hook = nft_hook_list_find(&flowtable->hook_list, this);
6770 goto err_flowtable_del_hook;
6772 hook->inactive = true;
6775 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
6776 sizeof(struct nft_trans_flowtable));
6779 goto err_flowtable_del_hook;
6782 nft_trans_flowtable(trans) = flowtable;
6783 nft_trans_flowtable_update(trans) = true;
6784 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6785 nft_flowtable_hook_release(&flowtable_hook);
6787 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6791 err_flowtable_del_hook:
6792 list_for_each_entry(this, &flowtable_hook.list, list) {
6793 hook = nft_hook_list_find(&flowtable->hook_list, this);
6797 hook->inactive = false;
6799 nft_flowtable_hook_release(&flowtable_hook);
6804 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6805 struct sk_buff *skb,
6806 const struct nlmsghdr *nlh,
6807 const struct nlattr * const nla[],
6808 struct netlink_ext_ack *extack)
6810 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6811 u8 genmask = nft_genmask_next(net);
6812 int family = nfmsg->nfgen_family;
6813 struct nft_flowtable *flowtable;
6814 const struct nlattr *attr;
6815 struct nft_table *table;
6818 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6819 (!nla[NFTA_FLOWTABLE_NAME] &&
6820 !nla[NFTA_FLOWTABLE_HANDLE]))
6823 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6825 if (IS_ERR(table)) {
6826 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6827 return PTR_ERR(table);
6830 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6831 attr = nla[NFTA_FLOWTABLE_HANDLE];
6832 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6834 attr = nla[NFTA_FLOWTABLE_NAME];
6835 flowtable = nft_flowtable_lookup(table, attr, genmask);
6838 if (IS_ERR(flowtable)) {
6839 NL_SET_BAD_ATTR(extack, attr);
6840 return PTR_ERR(flowtable);
6843 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6845 if (nla[NFTA_FLOWTABLE_HOOK])
6846 return nft_delflowtable_hook(&ctx, flowtable);
6848 if (flowtable->use > 0) {
6849 NL_SET_BAD_ATTR(extack, attr);
6853 return nft_delflowtable(&ctx, flowtable);
6856 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6857 u32 portid, u32 seq, int event,
6858 u32 flags, int family,
6859 struct nft_flowtable *flowtable,
6860 struct list_head *hook_list)
6862 struct nlattr *nest, *nest_devs;
6863 struct nfgenmsg *nfmsg;
6864 struct nft_hook *hook;
6865 struct nlmsghdr *nlh;
6867 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6868 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6870 goto nla_put_failure;
6872 nfmsg = nlmsg_data(nlh);
6873 nfmsg->nfgen_family = family;
6874 nfmsg->version = NFNETLINK_V0;
6875 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6877 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6878 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6879 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6880 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6881 NFTA_FLOWTABLE_PAD) ||
6882 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6883 goto nla_put_failure;
6885 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6887 goto nla_put_failure;
6888 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6889 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6890 goto nla_put_failure;
6892 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6894 goto nla_put_failure;
6896 list_for_each_entry_rcu(hook, hook_list, list) {
6897 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6898 goto nla_put_failure;
6900 nla_nest_end(skb, nest_devs);
6901 nla_nest_end(skb, nest);
6903 nlmsg_end(skb, nlh);
6907 nlmsg_trim(skb, nlh);
6911 struct nft_flowtable_filter {
6915 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6916 struct netlink_callback *cb)
6918 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6919 struct nft_flowtable_filter *filter = cb->data;
6920 unsigned int idx = 0, s_idx = cb->args[0];
6921 struct net *net = sock_net(skb->sk);
6922 int family = nfmsg->nfgen_family;
6923 struct nft_flowtable *flowtable;
6924 const struct nft_table *table;
6927 cb->seq = net->nft.base_seq;
6929 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6930 if (family != NFPROTO_UNSPEC && family != table->family)
6933 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6934 if (!nft_is_active(net, flowtable))
6939 memset(&cb->args[1], 0,
6940 sizeof(cb->args) - sizeof(cb->args[0]));
6941 if (filter && filter->table &&
6942 strcmp(filter->table, table->name))
6945 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6947 NFT_MSG_NEWFLOWTABLE,
6948 NLM_F_MULTI | NLM_F_APPEND,
6951 &flowtable->hook_list) < 0)
6954 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6966 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6968 const struct nlattr * const *nla = cb->data;
6969 struct nft_flowtable_filter *filter = NULL;
6971 if (nla[NFTA_FLOWTABLE_TABLE]) {
6972 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6976 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6978 if (!filter->table) {
6988 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6990 struct nft_flowtable_filter *filter = cb->data;
6995 kfree(filter->table);
7001 /* called with rcu_read_lock held */
7002 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7003 struct sk_buff *skb,
7004 const struct nlmsghdr *nlh,
7005 const struct nlattr * const nla[],
7006 struct netlink_ext_ack *extack)
7008 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7009 u8 genmask = nft_genmask_cur(net);
7010 int family = nfmsg->nfgen_family;
7011 struct nft_flowtable *flowtable;
7012 const struct nft_table *table;
7013 struct sk_buff *skb2;
7016 if (nlh->nlmsg_flags & NLM_F_DUMP) {
7017 struct netlink_dump_control c = {
7018 .start = nf_tables_dump_flowtable_start,
7019 .dump = nf_tables_dump_flowtable,
7020 .done = nf_tables_dump_flowtable_done,
7021 .module = THIS_MODULE,
7022 .data = (void *)nla,
7025 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7028 if (!nla[NFTA_FLOWTABLE_NAME])
7031 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7034 return PTR_ERR(table);
7036 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7038 if (IS_ERR(flowtable))
7039 return PTR_ERR(flowtable);
7041 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7045 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7047 NFT_MSG_NEWFLOWTABLE, 0, family,
7048 flowtable, &flowtable->hook_list);
7050 goto err_fill_flowtable_info;
7052 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7054 err_fill_flowtable_info:
7059 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7060 struct nft_flowtable *flowtable,
7061 struct list_head *hook_list,
7064 struct sk_buff *skb;
7066 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
7067 flowtable->table->name, flowtable->table->handle,
7068 flowtable->name, flowtable->handle);
7070 audit_log_nfcfg(buf,
7073 event == NFT_MSG_NEWFLOWTABLE ?
7074 AUDIT_NFT_OP_FLOWTABLE_REGISTER :
7075 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
7080 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7083 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7087 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7089 ctx->family, flowtable, hook_list);
7095 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7098 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7101 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7103 struct nft_hook *hook, *next;
7105 flowtable->data.type->free(&flowtable->data);
7106 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7107 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7109 list_del_rcu(&hook->list);
7112 kfree(flowtable->name);
7113 module_put(flowtable->data.type->owner);
7117 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7118 u32 portid, u32 seq)
7120 struct nlmsghdr *nlh;
7121 struct nfgenmsg *nfmsg;
7122 char buf[TASK_COMM_LEN];
7123 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7125 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7127 goto nla_put_failure;
7129 nfmsg = nlmsg_data(nlh);
7130 nfmsg->nfgen_family = AF_UNSPEC;
7131 nfmsg->version = NFNETLINK_V0;
7132 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7134 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7135 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7136 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7137 goto nla_put_failure;
7139 nlmsg_end(skb, nlh);
7143 nlmsg_trim(skb, nlh);
7147 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7148 struct nft_flowtable *flowtable)
7150 struct nft_hook *hook;
7152 list_for_each_entry(hook, &flowtable->hook_list, list) {
7153 if (hook->ops.dev != dev)
7156 /* flow_offload_netdev_event() cleans up entries for us. */
7157 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7158 list_del_rcu(&hook->list);
7159 kfree_rcu(hook, rcu);
7164 static int nf_tables_flowtable_event(struct notifier_block *this,
7165 unsigned long event, void *ptr)
7167 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7168 struct nft_flowtable *flowtable;
7169 struct nft_table *table;
7172 if (event != NETDEV_UNREGISTER)
7176 mutex_lock(&net->nft.commit_mutex);
7177 list_for_each_entry(table, &net->nft.tables, list) {
7178 list_for_each_entry(flowtable, &table->flowtables, list) {
7179 nft_flowtable_event(event, dev, flowtable);
7182 mutex_unlock(&net->nft.commit_mutex);
7187 static struct notifier_block nf_tables_flowtable_notifier = {
7188 .notifier_call = nf_tables_flowtable_event,
7191 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7194 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7195 struct sk_buff *skb2;
7198 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
7199 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
7201 if (nlmsg_report(nlh) &&
7202 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7205 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7209 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7216 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7217 nlmsg_report(nlh), GFP_KERNEL);
7220 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7224 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7225 struct sk_buff *skb, const struct nlmsghdr *nlh,
7226 const struct nlattr * const nla[],
7227 struct netlink_ext_ack *extack)
7229 struct sk_buff *skb2;
7232 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7236 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7239 goto err_fill_gen_info;
7241 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7248 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7249 [NFT_MSG_NEWTABLE] = {
7250 .call_batch = nf_tables_newtable,
7251 .attr_count = NFTA_TABLE_MAX,
7252 .policy = nft_table_policy,
7254 [NFT_MSG_GETTABLE] = {
7255 .call_rcu = nf_tables_gettable,
7256 .attr_count = NFTA_TABLE_MAX,
7257 .policy = nft_table_policy,
7259 [NFT_MSG_DELTABLE] = {
7260 .call_batch = nf_tables_deltable,
7261 .attr_count = NFTA_TABLE_MAX,
7262 .policy = nft_table_policy,
7264 [NFT_MSG_NEWCHAIN] = {
7265 .call_batch = nf_tables_newchain,
7266 .attr_count = NFTA_CHAIN_MAX,
7267 .policy = nft_chain_policy,
7269 [NFT_MSG_GETCHAIN] = {
7270 .call_rcu = nf_tables_getchain,
7271 .attr_count = NFTA_CHAIN_MAX,
7272 .policy = nft_chain_policy,
7274 [NFT_MSG_DELCHAIN] = {
7275 .call_batch = nf_tables_delchain,
7276 .attr_count = NFTA_CHAIN_MAX,
7277 .policy = nft_chain_policy,
7279 [NFT_MSG_NEWRULE] = {
7280 .call_batch = nf_tables_newrule,
7281 .attr_count = NFTA_RULE_MAX,
7282 .policy = nft_rule_policy,
7284 [NFT_MSG_GETRULE] = {
7285 .call_rcu = nf_tables_getrule,
7286 .attr_count = NFTA_RULE_MAX,
7287 .policy = nft_rule_policy,
7289 [NFT_MSG_DELRULE] = {
7290 .call_batch = nf_tables_delrule,
7291 .attr_count = NFTA_RULE_MAX,
7292 .policy = nft_rule_policy,
7294 [NFT_MSG_NEWSET] = {
7295 .call_batch = nf_tables_newset,
7296 .attr_count = NFTA_SET_MAX,
7297 .policy = nft_set_policy,
7299 [NFT_MSG_GETSET] = {
7300 .call_rcu = nf_tables_getset,
7301 .attr_count = NFTA_SET_MAX,
7302 .policy = nft_set_policy,
7304 [NFT_MSG_DELSET] = {
7305 .call_batch = nf_tables_delset,
7306 .attr_count = NFTA_SET_MAX,
7307 .policy = nft_set_policy,
7309 [NFT_MSG_NEWSETELEM] = {
7310 .call_batch = nf_tables_newsetelem,
7311 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7312 .policy = nft_set_elem_list_policy,
7314 [NFT_MSG_GETSETELEM] = {
7315 .call_rcu = nf_tables_getsetelem,
7316 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7317 .policy = nft_set_elem_list_policy,
7319 [NFT_MSG_DELSETELEM] = {
7320 .call_batch = nf_tables_delsetelem,
7321 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7322 .policy = nft_set_elem_list_policy,
7324 [NFT_MSG_GETGEN] = {
7325 .call_rcu = nf_tables_getgen,
7327 [NFT_MSG_NEWOBJ] = {
7328 .call_batch = nf_tables_newobj,
7329 .attr_count = NFTA_OBJ_MAX,
7330 .policy = nft_obj_policy,
7332 [NFT_MSG_GETOBJ] = {
7333 .call_rcu = nf_tables_getobj,
7334 .attr_count = NFTA_OBJ_MAX,
7335 .policy = nft_obj_policy,
7337 [NFT_MSG_DELOBJ] = {
7338 .call_batch = nf_tables_delobj,
7339 .attr_count = NFTA_OBJ_MAX,
7340 .policy = nft_obj_policy,
7342 [NFT_MSG_GETOBJ_RESET] = {
7343 .call_rcu = nf_tables_getobj,
7344 .attr_count = NFTA_OBJ_MAX,
7345 .policy = nft_obj_policy,
7347 [NFT_MSG_NEWFLOWTABLE] = {
7348 .call_batch = nf_tables_newflowtable,
7349 .attr_count = NFTA_FLOWTABLE_MAX,
7350 .policy = nft_flowtable_policy,
7352 [NFT_MSG_GETFLOWTABLE] = {
7353 .call_rcu = nf_tables_getflowtable,
7354 .attr_count = NFTA_FLOWTABLE_MAX,
7355 .policy = nft_flowtable_policy,
7357 [NFT_MSG_DELFLOWTABLE] = {
7358 .call_batch = nf_tables_delflowtable,
7359 .attr_count = NFTA_FLOWTABLE_MAX,
7360 .policy = nft_flowtable_policy,
7364 static int nf_tables_validate(struct net *net)
7366 struct nft_table *table;
7368 switch (net->nft.validate_state) {
7369 case NFT_VALIDATE_SKIP:
7371 case NFT_VALIDATE_NEED:
7372 nft_validate_state_update(net, NFT_VALIDATE_DO);
7374 case NFT_VALIDATE_DO:
7375 list_for_each_entry(table, &net->nft.tables, list) {
7376 if (nft_table_validate(net, table) < 0)
7385 /* a drop policy has to be deferred until all rules have been activated,
7386 * otherwise a large ruleset that contains a drop-policy base chain will
7387 * cause all packets to get dropped until the full transaction has been
7390 * We defer the drop policy until the transaction has been finalized.
7392 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7394 struct nft_base_chain *basechain;
7396 if (nft_trans_chain_policy(trans) != NF_DROP)
7399 if (!nft_is_base_chain(trans->ctx.chain))
7402 basechain = nft_base_chain(trans->ctx.chain);
7403 basechain->policy = NF_DROP;
7406 static void nft_chain_commit_update(struct nft_trans *trans)
7408 struct nft_base_chain *basechain;
7410 if (nft_trans_chain_name(trans)) {
7411 rhltable_remove(&trans->ctx.table->chains_ht,
7412 &trans->ctx.chain->rhlhead,
7413 nft_chain_ht_params);
7414 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7415 rhltable_insert_key(&trans->ctx.table->chains_ht,
7416 trans->ctx.chain->name,
7417 &trans->ctx.chain->rhlhead,
7418 nft_chain_ht_params);
7421 if (!nft_is_base_chain(trans->ctx.chain))
7424 nft_chain_stats_replace(trans);
7426 basechain = nft_base_chain(trans->ctx.chain);
7428 switch (nft_trans_chain_policy(trans)) {
7431 basechain->policy = nft_trans_chain_policy(trans);
7436 static void nft_obj_commit_update(struct nft_trans *trans)
7438 struct nft_object *newobj;
7439 struct nft_object *obj;
7441 obj = nft_trans_obj(trans);
7442 newobj = nft_trans_obj_newobj(trans);
7444 if (obj->ops->update)
7445 obj->ops->update(obj, newobj);
7450 static void nft_commit_release(struct nft_trans *trans)
7452 switch (trans->msg_type) {
7453 case NFT_MSG_DELTABLE:
7454 nf_tables_table_destroy(&trans->ctx);
7456 case NFT_MSG_NEWCHAIN:
7457 free_percpu(nft_trans_chain_stats(trans));
7458 kfree(nft_trans_chain_name(trans));
7460 case NFT_MSG_DELCHAIN:
7461 nf_tables_chain_destroy(&trans->ctx);
7463 case NFT_MSG_DELRULE:
7464 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7466 case NFT_MSG_DELSET:
7467 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7469 case NFT_MSG_DELSETELEM:
7470 nf_tables_set_elem_destroy(&trans->ctx,
7471 nft_trans_elem_set(trans),
7472 nft_trans_elem(trans).priv);
7474 case NFT_MSG_DELOBJ:
7475 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7477 case NFT_MSG_DELFLOWTABLE:
7478 if (nft_trans_flowtable_update(trans))
7479 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7481 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7486 put_net(trans->ctx.net);
7491 static void nf_tables_trans_destroy_work(struct work_struct *w)
7493 struct nft_trans *trans, *next;
7496 spin_lock(&nf_tables_destroy_list_lock);
7497 list_splice_init(&nf_tables_destroy_list, &head);
7498 spin_unlock(&nf_tables_destroy_list_lock);
7500 if (list_empty(&head))
7505 list_for_each_entry_safe(trans, next, &head, list) {
7506 list_del(&trans->list);
7507 nft_commit_release(trans);
7511 void nf_tables_trans_destroy_flush_work(void)
7513 flush_work(&trans_destroy_work);
7515 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7517 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7519 struct nft_rule *rule;
7520 unsigned int alloc = 0;
7523 /* already handled or inactive chain? */
7524 if (chain->rules_next || !nft_is_active_next(net, chain))
7527 rule = list_entry(&chain->rules, struct nft_rule, list);
7530 list_for_each_entry_continue(rule, &chain->rules, list) {
7531 if (nft_is_active_next(net, rule))
7535 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7536 if (!chain->rules_next)
7539 list_for_each_entry_continue(rule, &chain->rules, list) {
7540 if (nft_is_active_next(net, rule))
7541 chain->rules_next[i++] = rule;
7544 chain->rules_next[i] = NULL;
7548 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7550 struct nft_trans *trans, *next;
7552 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7553 struct nft_chain *chain = trans->ctx.chain;
7555 if (trans->msg_type == NFT_MSG_NEWRULE ||
7556 trans->msg_type == NFT_MSG_DELRULE) {
7557 kvfree(chain->rules_next);
7558 chain->rules_next = NULL;
7563 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7565 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7570 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7572 struct nft_rule **r = rules;
7573 struct nft_rules_old *old;
7578 r++; /* rcu_head is after end marker */
7582 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7585 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7587 struct nft_rule **g0, **g1;
7590 next_genbit = nft_gencursor_next(net);
7592 g0 = rcu_dereference_protected(chain->rules_gen_0,
7593 lockdep_commit_lock_is_held(net));
7594 g1 = rcu_dereference_protected(chain->rules_gen_1,
7595 lockdep_commit_lock_is_held(net));
7597 /* No changes to this chain? */
7598 if (chain->rules_next == NULL) {
7599 /* chain had no change in last or next generation */
7603 * chain had no change in this generation; make sure next
7604 * one uses same rules as current generation.
7607 rcu_assign_pointer(chain->rules_gen_1, g0);
7608 nf_tables_commit_chain_free_rules_old(g1);
7610 rcu_assign_pointer(chain->rules_gen_0, g1);
7611 nf_tables_commit_chain_free_rules_old(g0);
7618 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7620 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7622 chain->rules_next = NULL;
7628 nf_tables_commit_chain_free_rules_old(g1);
7630 nf_tables_commit_chain_free_rules_old(g0);
7633 static void nft_obj_del(struct nft_object *obj)
7635 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7636 list_del_rcu(&obj->list);
7639 void nft_chain_del(struct nft_chain *chain)
7641 struct nft_table *table = chain->table;
7643 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7644 nft_chain_ht_params));
7645 list_del_rcu(&chain->list);
7648 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7649 struct list_head *hook_list)
7651 struct nft_hook *hook, *next;
7653 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7655 list_move(&hook->list, hook_list);
7659 static void nf_tables_module_autoload_cleanup(struct net *net)
7661 struct nft_module_request *req, *next;
7663 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7664 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7665 WARN_ON_ONCE(!req->done);
7666 list_del(&req->list);
7671 static void nf_tables_commit_release(struct net *net)
7673 struct nft_trans *trans;
7675 /* all side effects have to be made visible.
7676 * For example, if a chain named 'foo' has been deleted, a
7677 * new transaction must not find it anymore.
7679 * Memory reclaim happens asynchronously from work queue
7680 * to prevent expensive synchronize_rcu() in commit phase.
7682 if (list_empty(&net->nft.commit_list)) {
7683 nf_tables_module_autoload_cleanup(net);
7684 mutex_unlock(&net->nft.commit_mutex);
7688 trans = list_last_entry(&net->nft.commit_list,
7689 struct nft_trans, list);
7690 get_net(trans->ctx.net);
7691 WARN_ON_ONCE(trans->put_net);
7693 trans->put_net = true;
7694 spin_lock(&nf_tables_destroy_list_lock);
7695 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7696 spin_unlock(&nf_tables_destroy_list_lock);
7698 nf_tables_module_autoload_cleanup(net);
7699 schedule_work(&trans_destroy_work);
7701 mutex_unlock(&net->nft.commit_mutex);
7704 static void nft_commit_notify(struct net *net, u32 portid)
7706 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7707 unsigned char *data;
7710 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
7714 len = NLMSG_GOODSIZE - skb->len;
7715 list_del(&skb->list);
7719 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
7720 data = skb_put(batch_skb, skb->len);
7721 memcpy(data, skb->data, skb->len);
7722 list_del(&skb->list);
7726 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7727 NFT_CB(batch_skb).report, GFP_KERNEL);
7732 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7733 NFT_CB(batch_skb).report, GFP_KERNEL);
7736 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
7739 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7741 struct nft_trans *trans, *next;
7742 struct nft_trans_elem *te;
7743 struct nft_chain *chain;
7744 struct nft_table *table;
7747 if (list_empty(&net->nft.commit_list)) {
7748 mutex_unlock(&net->nft.commit_mutex);
7752 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7753 if (nf_tables_validate(net) < 0)
7756 err = nft_flow_rule_offload_commit(net);
7760 /* 1. Allocate space for next generation rules_gen_X[] */
7761 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7764 if (trans->msg_type == NFT_MSG_NEWRULE ||
7765 trans->msg_type == NFT_MSG_DELRULE) {
7766 chain = trans->ctx.chain;
7768 ret = nf_tables_commit_chain_prepare(net, chain);
7770 nf_tables_commit_chain_prepare_cancel(net);
7776 /* step 2. Make rules_gen_X visible to packet path */
7777 list_for_each_entry(table, &net->nft.tables, list) {
7778 list_for_each_entry(chain, &table->chains, list)
7779 nf_tables_commit_chain(net, chain);
7783 * Bump generation counter, invalidate any dump in progress.
7784 * Cannot fail after this point.
7786 while (++net->nft.base_seq == 0);
7788 /* step 3. Start new generation, rules_gen_X now in use. */
7789 net->nft.gencursor = nft_gencursor_next(net);
7791 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7792 switch (trans->msg_type) {
7793 case NFT_MSG_NEWTABLE:
7794 if (nft_trans_table_update(trans)) {
7795 if (!nft_trans_table_enable(trans)) {
7796 nf_tables_table_disable(net,
7798 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7801 nft_clear(net, trans->ctx.table);
7803 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7804 nft_trans_destroy(trans);
7806 case NFT_MSG_DELTABLE:
7807 list_del_rcu(&trans->ctx.table->list);
7808 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7810 case NFT_MSG_NEWCHAIN:
7811 if (nft_trans_chain_update(trans)) {
7812 nft_chain_commit_update(trans);
7813 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7814 /* trans destroyed after rcu grace period */
7816 nft_chain_commit_drop_policy(trans);
7817 nft_clear(net, trans->ctx.chain);
7818 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7819 nft_trans_destroy(trans);
7822 case NFT_MSG_DELCHAIN:
7823 nft_chain_del(trans->ctx.chain);
7824 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7825 nf_tables_unregister_hook(trans->ctx.net,
7829 case NFT_MSG_NEWRULE:
7830 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7831 nf_tables_rule_notify(&trans->ctx,
7832 nft_trans_rule(trans),
7834 nft_trans_destroy(trans);
7836 case NFT_MSG_DELRULE:
7837 list_del_rcu(&nft_trans_rule(trans)->list);
7838 nf_tables_rule_notify(&trans->ctx,
7839 nft_trans_rule(trans),
7841 nft_rule_expr_deactivate(&trans->ctx,
7842 nft_trans_rule(trans),
7845 case NFT_MSG_NEWSET:
7846 nft_clear(net, nft_trans_set(trans));
7847 /* This avoids hitting -EBUSY when deleting the table
7848 * from the transaction.
7850 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7851 !list_empty(&nft_trans_set(trans)->bindings))
7852 trans->ctx.table->use--;
7854 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7855 NFT_MSG_NEWSET, GFP_KERNEL);
7856 nft_trans_destroy(trans);
7858 case NFT_MSG_DELSET:
7859 list_del_rcu(&nft_trans_set(trans)->list);
7860 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7861 NFT_MSG_DELSET, GFP_KERNEL);
7863 case NFT_MSG_NEWSETELEM:
7864 te = (struct nft_trans_elem *)trans->data;
7866 te->set->ops->activate(net, te->set, &te->elem);
7867 nf_tables_setelem_notify(&trans->ctx, te->set,
7869 NFT_MSG_NEWSETELEM, 0);
7870 nft_trans_destroy(trans);
7872 case NFT_MSG_DELSETELEM:
7873 te = (struct nft_trans_elem *)trans->data;
7875 nf_tables_setelem_notify(&trans->ctx, te->set,
7877 NFT_MSG_DELSETELEM, 0);
7878 te->set->ops->remove(net, te->set, &te->elem);
7879 atomic_dec(&te->set->nelems);
7882 case NFT_MSG_NEWOBJ:
7883 if (nft_trans_obj_update(trans)) {
7884 nft_obj_commit_update(trans);
7885 nf_tables_obj_notify(&trans->ctx,
7886 nft_trans_obj(trans),
7889 nft_clear(net, nft_trans_obj(trans));
7890 nf_tables_obj_notify(&trans->ctx,
7891 nft_trans_obj(trans),
7893 nft_trans_destroy(trans);
7896 case NFT_MSG_DELOBJ:
7897 nft_obj_del(nft_trans_obj(trans));
7898 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7901 case NFT_MSG_NEWFLOWTABLE:
7902 if (nft_trans_flowtable_update(trans)) {
7903 nf_tables_flowtable_notify(&trans->ctx,
7904 nft_trans_flowtable(trans),
7905 &nft_trans_flowtable_hooks(trans),
7906 NFT_MSG_NEWFLOWTABLE);
7907 list_splice(&nft_trans_flowtable_hooks(trans),
7908 &nft_trans_flowtable(trans)->hook_list);
7910 nft_clear(net, nft_trans_flowtable(trans));
7911 nf_tables_flowtable_notify(&trans->ctx,
7912 nft_trans_flowtable(trans),
7913 &nft_trans_flowtable(trans)->hook_list,
7914 NFT_MSG_NEWFLOWTABLE);
7916 nft_trans_destroy(trans);
7918 case NFT_MSG_DELFLOWTABLE:
7919 if (nft_trans_flowtable_update(trans)) {
7920 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
7921 &nft_trans_flowtable_hooks(trans));
7922 nf_tables_flowtable_notify(&trans->ctx,
7923 nft_trans_flowtable(trans),
7924 &nft_trans_flowtable_hooks(trans),
7925 NFT_MSG_DELFLOWTABLE);
7926 nft_unregister_flowtable_net_hooks(net,
7927 &nft_trans_flowtable_hooks(trans));
7929 list_del_rcu(&nft_trans_flowtable(trans)->list);
7930 nf_tables_flowtable_notify(&trans->ctx,
7931 nft_trans_flowtable(trans),
7932 &nft_trans_flowtable(trans)->hook_list,
7933 NFT_MSG_DELFLOWTABLE);
7934 nft_unregister_flowtable_net_hooks(net,
7935 &nft_trans_flowtable(trans)->hook_list);
7941 nft_commit_notify(net, NETLINK_CB(skb).portid);
7942 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7943 nf_tables_commit_release(net);
7948 static void nf_tables_module_autoload(struct net *net)
7950 struct nft_module_request *req, *next;
7951 LIST_HEAD(module_list);
7953 list_splice_init(&net->nft.module_list, &module_list);
7954 mutex_unlock(&net->nft.commit_mutex);
7955 list_for_each_entry_safe(req, next, &module_list, list) {
7956 request_module("%s", req->module);
7959 mutex_lock(&net->nft.commit_mutex);
7960 list_splice(&module_list, &net->nft.module_list);
7963 static void nf_tables_abort_release(struct nft_trans *trans)
7965 switch (trans->msg_type) {
7966 case NFT_MSG_NEWTABLE:
7967 nf_tables_table_destroy(&trans->ctx);
7969 case NFT_MSG_NEWCHAIN:
7970 nf_tables_chain_destroy(&trans->ctx);
7972 case NFT_MSG_NEWRULE:
7973 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7975 case NFT_MSG_NEWSET:
7976 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7978 case NFT_MSG_NEWSETELEM:
7979 nft_set_elem_destroy(nft_trans_elem_set(trans),
7980 nft_trans_elem(trans).priv, true);
7982 case NFT_MSG_NEWOBJ:
7983 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7985 case NFT_MSG_NEWFLOWTABLE:
7986 if (nft_trans_flowtable_update(trans))
7987 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7989 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7995 static int __nf_tables_abort(struct net *net, bool autoload)
7997 struct nft_trans *trans, *next;
7998 struct nft_trans_elem *te;
7999 struct nft_hook *hook;
8001 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8003 switch (trans->msg_type) {
8004 case NFT_MSG_NEWTABLE:
8005 if (nft_trans_table_update(trans)) {
8006 if (nft_trans_table_enable(trans)) {
8007 nf_tables_table_disable(net,
8009 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8011 nft_trans_destroy(trans);
8013 list_del_rcu(&trans->ctx.table->list);
8016 case NFT_MSG_DELTABLE:
8017 nft_clear(trans->ctx.net, trans->ctx.table);
8018 nft_trans_destroy(trans);
8020 case NFT_MSG_NEWCHAIN:
8021 if (nft_trans_chain_update(trans)) {
8022 free_percpu(nft_trans_chain_stats(trans));
8023 kfree(nft_trans_chain_name(trans));
8024 nft_trans_destroy(trans);
8026 if (nft_chain_is_bound(trans->ctx.chain)) {
8027 nft_trans_destroy(trans);
8030 trans->ctx.table->use--;
8031 nft_chain_del(trans->ctx.chain);
8032 nf_tables_unregister_hook(trans->ctx.net,
8037 case NFT_MSG_DELCHAIN:
8038 trans->ctx.table->use++;
8039 nft_clear(trans->ctx.net, trans->ctx.chain);
8040 nft_trans_destroy(trans);
8042 case NFT_MSG_NEWRULE:
8043 trans->ctx.chain->use--;
8044 list_del_rcu(&nft_trans_rule(trans)->list);
8045 nft_rule_expr_deactivate(&trans->ctx,
8046 nft_trans_rule(trans),
8049 case NFT_MSG_DELRULE:
8050 trans->ctx.chain->use++;
8051 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8052 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8053 nft_trans_destroy(trans);
8055 case NFT_MSG_NEWSET:
8056 trans->ctx.table->use--;
8057 if (nft_trans_set_bound(trans)) {
8058 nft_trans_destroy(trans);
8061 list_del_rcu(&nft_trans_set(trans)->list);
8063 case NFT_MSG_DELSET:
8064 trans->ctx.table->use++;
8065 nft_clear(trans->ctx.net, nft_trans_set(trans));
8066 nft_trans_destroy(trans);
8068 case NFT_MSG_NEWSETELEM:
8069 if (nft_trans_elem_set_bound(trans)) {
8070 nft_trans_destroy(trans);
8073 te = (struct nft_trans_elem *)trans->data;
8074 te->set->ops->remove(net, te->set, &te->elem);
8075 atomic_dec(&te->set->nelems);
8077 case NFT_MSG_DELSETELEM:
8078 te = (struct nft_trans_elem *)trans->data;
8080 nft_set_elem_activate(net, te->set, &te->elem);
8081 te->set->ops->activate(net, te->set, &te->elem);
8084 nft_trans_destroy(trans);
8086 case NFT_MSG_NEWOBJ:
8087 if (nft_trans_obj_update(trans)) {
8088 kfree(nft_trans_obj_newobj(trans));
8089 nft_trans_destroy(trans);
8091 trans->ctx.table->use--;
8092 nft_obj_del(nft_trans_obj(trans));
8095 case NFT_MSG_DELOBJ:
8096 trans->ctx.table->use++;
8097 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8098 nft_trans_destroy(trans);
8100 case NFT_MSG_NEWFLOWTABLE:
8101 if (nft_trans_flowtable_update(trans)) {
8102 nft_unregister_flowtable_net_hooks(net,
8103 &nft_trans_flowtable_hooks(trans));
8105 trans->ctx.table->use--;
8106 list_del_rcu(&nft_trans_flowtable(trans)->list);
8107 nft_unregister_flowtable_net_hooks(net,
8108 &nft_trans_flowtable(trans)->hook_list);
8111 case NFT_MSG_DELFLOWTABLE:
8112 if (nft_trans_flowtable_update(trans)) {
8113 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8114 hook->inactive = false;
8116 trans->ctx.table->use++;
8117 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8119 nft_trans_destroy(trans);
8126 list_for_each_entry_safe_reverse(trans, next,
8127 &net->nft.commit_list, list) {
8128 list_del(&trans->list);
8129 nf_tables_abort_release(trans);
8133 nf_tables_module_autoload(net);
8135 nf_tables_module_autoload_cleanup(net);
8140 static void nf_tables_cleanup(struct net *net)
8142 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8145 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
8147 int ret = __nf_tables_abort(net, autoload);
8149 mutex_unlock(&net->nft.commit_mutex);
8154 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8158 mutex_lock(&net->nft.commit_mutex);
8160 genid_ok = genid == 0 || net->nft.base_seq == genid;
8162 mutex_unlock(&net->nft.commit_mutex);
8164 /* else, commit mutex has to be released by commit or abort function */
8168 static const struct nfnetlink_subsystem nf_tables_subsys = {
8169 .name = "nf_tables",
8170 .subsys_id = NFNL_SUBSYS_NFTABLES,
8171 .cb_count = NFT_MSG_MAX,
8173 .commit = nf_tables_commit,
8174 .abort = nf_tables_abort,
8175 .cleanup = nf_tables_cleanup,
8176 .valid_genid = nf_tables_valid_genid,
8177 .owner = THIS_MODULE,
8180 int nft_chain_validate_dependency(const struct nft_chain *chain,
8181 enum nft_chain_types type)
8183 const struct nft_base_chain *basechain;
8185 if (nft_is_base_chain(chain)) {
8186 basechain = nft_base_chain(chain);
8187 if (basechain->type->type != type)
8192 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8194 int nft_chain_validate_hooks(const struct nft_chain *chain,
8195 unsigned int hook_flags)
8197 struct nft_base_chain *basechain;
8199 if (nft_is_base_chain(chain)) {
8200 basechain = nft_base_chain(chain);
8202 if ((1 << basechain->ops.hooknum) & hook_flags)
8210 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8213 * Loop detection - walk through the ruleset beginning at the destination chain
8214 * of a new jump until either the source chain is reached (loop) or all
8215 * reachable chains have been traversed.
8217 * The loop check is performed whenever a new jump verdict is added to an
8218 * expression or verdict map or a verdict map is bound to a new chain.
8221 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8222 const struct nft_chain *chain);
8224 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8225 struct nft_set *set,
8226 const struct nft_set_iter *iter,
8227 struct nft_set_elem *elem)
8229 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8230 const struct nft_data *data;
8232 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8233 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8236 data = nft_set_ext_data(ext);
8237 switch (data->verdict.code) {
8240 return nf_tables_check_loops(ctx, data->verdict.chain);
8246 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8247 const struct nft_chain *chain)
8249 const struct nft_rule *rule;
8250 const struct nft_expr *expr, *last;
8251 struct nft_set *set;
8252 struct nft_set_binding *binding;
8253 struct nft_set_iter iter;
8255 if (ctx->chain == chain)
8258 list_for_each_entry(rule, &chain->rules, list) {
8259 nft_rule_for_each_expr(expr, last, rule) {
8260 struct nft_immediate_expr *priv;
8261 const struct nft_data *data;
8264 if (strcmp(expr->ops->type->name, "immediate"))
8267 priv = nft_expr_priv(expr);
8268 if (priv->dreg != NFT_REG_VERDICT)
8272 switch (data->verdict.code) {
8275 err = nf_tables_check_loops(ctx,
8276 data->verdict.chain);
8285 list_for_each_entry(set, &ctx->table->sets, list) {
8286 if (!nft_is_active_next(ctx->net, set))
8288 if (!(set->flags & NFT_SET_MAP) ||
8289 set->dtype != NFT_DATA_VERDICT)
8292 list_for_each_entry(binding, &set->bindings, list) {
8293 if (!(binding->flags & NFT_SET_MAP) ||
8294 binding->chain != chain)
8297 iter.genmask = nft_genmask_next(ctx->net);
8301 iter.fn = nf_tables_loop_check_setelem;
8303 set->ops->walk(ctx, set, &iter);
8313 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8315 * @attr: netlink attribute to fetch value from
8316 * @max: maximum value to be stored in dest
8317 * @dest: pointer to the variable
8319 * Parse, check and store a given u32 netlink attribute into variable.
8320 * This function returns -ERANGE if the value goes over maximum value.
8321 * Otherwise a 0 is returned and the attribute value is stored in the
8322 * destination variable.
8324 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8328 val = ntohl(nla_get_be32(attr));
8335 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8338 * nft_parse_register - parse a register value from a netlink attribute
8340 * @attr: netlink attribute
8342 * Parse and translate a register value from a netlink attribute.
8343 * Registers used to be 128 bit wide, these register numbers will be
8344 * mapped to the corresponding 32 bit register numbers.
8346 unsigned int nft_parse_register(const struct nlattr *attr)
8350 reg = ntohl(nla_get_be32(attr));
8352 case NFT_REG_VERDICT...NFT_REG_4:
8353 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8355 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8358 EXPORT_SYMBOL_GPL(nft_parse_register);
8361 * nft_dump_register - dump a register value to a netlink attribute
8363 * @skb: socket buffer
8364 * @attr: attribute number
8365 * @reg: register number
8367 * Construct a netlink attribute containing the register number. For
8368 * compatibility reasons, register numbers being a multiple of 4 are
8369 * translated to the corresponding 128 bit register numbers.
8371 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8373 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8374 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8376 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8378 return nla_put_be32(skb, attr, htonl(reg));
8380 EXPORT_SYMBOL_GPL(nft_dump_register);
8383 * nft_validate_register_load - validate a load from a register
8385 * @reg: the register number
8386 * @len: the length of the data
8388 * Validate that the input register is one of the general purpose
8389 * registers and that the length of the load is within the bounds.
8391 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8393 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8397 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8402 EXPORT_SYMBOL_GPL(nft_validate_register_load);
8405 * nft_validate_register_store - validate an expressions' register store
8407 * @ctx: context of the expression performing the load
8408 * @reg: the destination register number
8409 * @data: the data to load
8410 * @type: the data type
8411 * @len: the length of the data
8413 * Validate that a data load uses the appropriate data type for
8414 * the destination register and the length is within the bounds.
8415 * A value of NULL for the data means that its runtime gathered
8418 int nft_validate_register_store(const struct nft_ctx *ctx,
8419 enum nft_registers reg,
8420 const struct nft_data *data,
8421 enum nft_data_types type, unsigned int len)
8426 case NFT_REG_VERDICT:
8427 if (type != NFT_DATA_VERDICT)
8431 (data->verdict.code == NFT_GOTO ||
8432 data->verdict.code == NFT_JUMP)) {
8433 err = nf_tables_check_loops(ctx, data->verdict.chain);
8440 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8444 if (reg * NFT_REG32_SIZE + len >
8445 sizeof_field(struct nft_regs, data))
8448 if (data != NULL && type != NFT_DATA_VALUE)
8453 EXPORT_SYMBOL_GPL(nft_validate_register_store);
8455 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8456 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8457 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8458 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8459 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8462 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8463 struct nft_data_desc *desc, const struct nlattr *nla)
8465 u8 genmask = nft_genmask_next(ctx->net);
8466 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8467 struct nft_chain *chain;
8470 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8471 nft_verdict_policy, NULL);
8475 if (!tb[NFTA_VERDICT_CODE])
8477 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8479 switch (data->verdict.code) {
8481 switch (data->verdict.code & NF_VERDICT_MASK) {
8496 if (tb[NFTA_VERDICT_CHAIN]) {
8497 chain = nft_chain_lookup(ctx->net, ctx->table,
8498 tb[NFTA_VERDICT_CHAIN],
8500 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8501 chain = nft_chain_lookup_byid(ctx->net,
8502 tb[NFTA_VERDICT_CHAIN_ID]);
8504 return PTR_ERR(chain);
8510 return PTR_ERR(chain);
8511 if (nft_is_base_chain(chain))
8515 data->verdict.chain = chain;
8519 desc->len = sizeof(data->verdict);
8520 desc->type = NFT_DATA_VERDICT;
8524 static void nft_verdict_uninit(const struct nft_data *data)
8526 struct nft_chain *chain;
8527 struct nft_rule *rule;
8529 switch (data->verdict.code) {
8532 chain = data->verdict.chain;
8535 if (!nft_chain_is_bound(chain))
8538 chain->table->use--;
8539 list_for_each_entry(rule, &chain->rules, list)
8542 nft_chain_del(chain);
8547 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8549 struct nlattr *nest;
8551 nest = nla_nest_start_noflag(skb, type);
8553 goto nla_put_failure;
8555 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8556 goto nla_put_failure;
8561 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8563 goto nla_put_failure;
8565 nla_nest_end(skb, nest);
8572 static int nft_value_init(const struct nft_ctx *ctx,
8573 struct nft_data *data, unsigned int size,
8574 struct nft_data_desc *desc, const struct nlattr *nla)
8584 nla_memcpy(data->data, nla, len);
8585 desc->type = NFT_DATA_VALUE;
8590 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8593 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8596 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8597 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8598 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8602 * nft_data_init - parse nf_tables data netlink attributes
8604 * @ctx: context of the expression using the data
8605 * @data: destination struct nft_data
8606 * @size: maximum data length
8607 * @desc: data description
8608 * @nla: netlink attribute containing data
8610 * Parse the netlink data attributes and initialize a struct nft_data.
8611 * The type and length of data are returned in the data description.
8613 * The caller can indicate that it only wants to accept data of type
8614 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8616 int nft_data_init(const struct nft_ctx *ctx,
8617 struct nft_data *data, unsigned int size,
8618 struct nft_data_desc *desc, const struct nlattr *nla)
8620 struct nlattr *tb[NFTA_DATA_MAX + 1];
8623 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8624 nft_data_policy, NULL);
8628 if (tb[NFTA_DATA_VALUE])
8629 return nft_value_init(ctx, data, size, desc,
8630 tb[NFTA_DATA_VALUE]);
8631 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8632 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8635 EXPORT_SYMBOL_GPL(nft_data_init);
8638 * nft_data_release - release a nft_data item
8640 * @data: struct nft_data to release
8641 * @type: type of data
8643 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8644 * all others need to be released by calling this function.
8646 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8648 if (type < NFT_DATA_VERDICT)
8651 case NFT_DATA_VERDICT:
8652 return nft_verdict_uninit(data);
8657 EXPORT_SYMBOL_GPL(nft_data_release);
8659 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8660 enum nft_data_types type, unsigned int len)
8662 struct nlattr *nest;
8665 nest = nla_nest_start_noflag(skb, attr);
8670 case NFT_DATA_VALUE:
8671 err = nft_value_dump(skb, data, len);
8673 case NFT_DATA_VERDICT:
8674 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8681 nla_nest_end(skb, nest);
8684 EXPORT_SYMBOL_GPL(nft_data_dump);
8686 int __nft_release_basechain(struct nft_ctx *ctx)
8688 struct nft_rule *rule, *nr;
8690 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8693 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8694 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8695 list_del(&rule->list);
8697 nf_tables_rule_release(ctx, rule);
8699 nft_chain_del(ctx->chain);
8701 nf_tables_chain_destroy(ctx);
8705 EXPORT_SYMBOL_GPL(__nft_release_basechain);
8707 static void __nft_release_tables(struct net *net)
8709 struct nft_flowtable *flowtable, *nf;
8710 struct nft_table *table, *nt;
8711 struct nft_chain *chain, *nc;
8712 struct nft_object *obj, *ne;
8713 struct nft_rule *rule, *nr;
8714 struct nft_set *set, *ns;
8715 struct nft_ctx ctx = {
8717 .family = NFPROTO_NETDEV,
8720 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8721 ctx.family = table->family;
8723 list_for_each_entry(chain, &table->chains, list)
8724 nf_tables_unregister_hook(net, table, chain);
8725 /* No packets are walking on these chains anymore. */
8727 list_for_each_entry(chain, &table->chains, list) {
8729 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8730 list_del(&rule->list);
8732 nf_tables_rule_release(&ctx, rule);
8735 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8736 list_del(&flowtable->list);
8738 nf_tables_flowtable_destroy(flowtable);
8740 list_for_each_entry_safe(set, ns, &table->sets, list) {
8741 list_del(&set->list);
8743 nft_set_destroy(&ctx, set);
8745 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8748 nft_obj_destroy(&ctx, obj);
8750 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8752 nft_chain_del(chain);
8754 nf_tables_chain_destroy(&ctx);
8756 list_del(&table->list);
8757 nf_tables_table_destroy(&ctx);
8761 static int __net_init nf_tables_init_net(struct net *net)
8763 INIT_LIST_HEAD(&net->nft.tables);
8764 INIT_LIST_HEAD(&net->nft.commit_list);
8765 INIT_LIST_HEAD(&net->nft.module_list);
8766 INIT_LIST_HEAD(&net->nft.notify_list);
8767 mutex_init(&net->nft.commit_mutex);
8768 net->nft.base_seq = 1;
8769 net->nft.validate_state = NFT_VALIDATE_SKIP;
8774 static void __net_exit nf_tables_exit_net(struct net *net)
8776 mutex_lock(&net->nft.commit_mutex);
8777 if (!list_empty(&net->nft.commit_list))
8778 __nf_tables_abort(net, false);
8779 __nft_release_tables(net);
8780 mutex_unlock(&net->nft.commit_mutex);
8781 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8782 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
8783 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
8786 static struct pernet_operations nf_tables_net_ops = {
8787 .init = nf_tables_init_net,
8788 .exit = nf_tables_exit_net,
8791 static int __init nf_tables_module_init(void)
8795 spin_lock_init(&nf_tables_destroy_list_lock);
8796 err = register_pernet_subsys(&nf_tables_net_ops);
8800 err = nft_chain_filter_init();
8804 err = nf_tables_core_module_init();
8808 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8812 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8816 err = nft_offload_init();
8821 err = nfnetlink_subsys_register(&nf_tables_subsys);
8825 nft_chain_route_init();
8831 rhltable_destroy(&nft_objname_ht);
8833 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8835 nf_tables_core_module_exit();
8837 nft_chain_filter_fini();
8839 unregister_pernet_subsys(&nf_tables_net_ops);
8843 static void __exit nf_tables_module_exit(void)
8845 nfnetlink_subsys_unregister(&nf_tables_subsys);
8847 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8848 nft_chain_filter_fini();
8849 nft_chain_route_fini();
8850 unregister_pernet_subsys(&nf_tables_net_ops);
8851 cancel_work_sync(&trans_destroy_work);
8853 rhltable_destroy(&nft_objname_ht);
8854 nf_tables_core_module_exit();
8857 module_init(nf_tables_module_init);
8858 module_exit(nf_tables_module_exit);
8860 MODULE_LICENSE("GPL");
8861 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8862 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob