1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
35 NFT_VALIDATE_SKIP = 0,
40 static struct rhltable nft_objname_ht;
42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
56 .automatic_shrinking = true,
59 static const struct rhashtable_params nft_objname_ht_params = {
60 .head_offset = offsetof(struct nft_object, rhlhead),
61 .key_offset = offsetof(struct nft_object, key),
62 .hashfn = nft_objname_hash,
63 .obj_hashfn = nft_objname_hash_obj,
64 .obj_cmpfn = nft_objname_hash_cmp,
65 .automatic_shrinking = true,
68 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 switch (net->nft.validate_state) {
71 case NFT_VALIDATE_SKIP:
72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 case NFT_VALIDATE_NEED:
77 if (new_validate_state == NFT_VALIDATE_NEED)
81 net->nft.validate_state = new_validate_state;
83 static void nf_tables_trans_destroy_work(struct work_struct *w);
84 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86 static void nft_ctx_init(struct nft_ctx *ctx,
88 const struct sk_buff *skb,
89 const struct nlmsghdr *nlh,
91 struct nft_table *table,
92 struct nft_chain *chain,
93 const struct nlattr * const *nla)
101 ctx->portid = NETLINK_CB(skb).portid;
102 ctx->report = nlmsg_report(nlh);
103 ctx->flags = nlh->nlmsg_flags;
104 ctx->seq = nlh->nlmsg_seq;
107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
108 int msg_type, u32 size, gfp_t gfp)
110 struct nft_trans *trans;
112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
116 trans->msg_type = msg_type;
122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
123 int msg_type, u32 size)
125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
128 static void nft_trans_destroy(struct nft_trans *trans)
130 list_del(&trans->list);
134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 struct net *net = ctx->net;
137 struct nft_trans *trans;
139 if (!nft_set_is_anonymous(set))
142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
143 switch (trans->msg_type) {
145 if (nft_trans_set(trans) == set)
146 nft_trans_set_bound(trans) = true;
148 case NFT_MSG_NEWSETELEM:
149 if (nft_trans_elem_set(trans) == set)
150 nft_trans_elem_set_bound(trans) = true;
156 static int nft_netdev_register_hooks(struct net *net,
157 struct list_head *hook_list)
159 struct nft_hook *hook;
163 list_for_each_entry(hook, hook_list, list) {
164 err = nf_register_net_hook(net, &hook->ops);
173 list_for_each_entry(hook, hook_list, list) {
177 nf_unregister_net_hook(net, &hook->ops);
182 static void nft_netdev_unregister_hooks(struct net *net,
183 struct list_head *hook_list)
185 struct nft_hook *hook;
187 list_for_each_entry(hook, hook_list, list)
188 nf_unregister_net_hook(net, &hook->ops);
191 static int nft_register_basechain_hooks(struct net *net, int family,
192 struct nft_base_chain *basechain)
194 if (family == NFPROTO_NETDEV)
195 return nft_netdev_register_hooks(net, &basechain->hook_list);
197 return nf_register_net_hook(net, &basechain->ops);
200 static void nft_unregister_basechain_hooks(struct net *net, int family,
201 struct nft_base_chain *basechain)
203 if (family == NFPROTO_NETDEV)
204 nft_netdev_unregister_hooks(net, &basechain->hook_list);
206 nf_unregister_net_hook(net, &basechain->ops);
209 static int nf_tables_register_hook(struct net *net,
210 const struct nft_table *table,
211 struct nft_chain *chain)
213 struct nft_base_chain *basechain;
214 const struct nf_hook_ops *ops;
216 if (table->flags & NFT_TABLE_F_DORMANT ||
217 !nft_is_base_chain(chain))
220 basechain = nft_base_chain(chain);
221 ops = &basechain->ops;
223 if (basechain->type->ops_register)
224 return basechain->type->ops_register(net, ops);
226 return nft_register_basechain_hooks(net, table->family, basechain);
229 static void nf_tables_unregister_hook(struct net *net,
230 const struct nft_table *table,
231 struct nft_chain *chain)
233 struct nft_base_chain *basechain;
234 const struct nf_hook_ops *ops;
236 if (table->flags & NFT_TABLE_F_DORMANT ||
237 !nft_is_base_chain(chain))
239 basechain = nft_base_chain(chain);
240 ops = &basechain->ops;
242 if (basechain->type->ops_unregister)
243 return basechain->type->ops_unregister(net, ops);
245 nft_unregister_basechain_hooks(net, table->family, basechain);
248 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
250 struct nft_trans *trans;
252 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
256 if (msg_type == NFT_MSG_NEWTABLE)
257 nft_activate_next(ctx->net, ctx->table);
259 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
263 static int nft_deltable(struct nft_ctx *ctx)
267 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
271 nft_deactivate_next(ctx->net, ctx->table);
275 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
277 struct nft_trans *trans;
279 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
281 return ERR_PTR(-ENOMEM);
283 if (msg_type == NFT_MSG_NEWCHAIN)
284 nft_activate_next(ctx->net, ctx->chain);
286 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
290 static int nft_delchain(struct nft_ctx *ctx)
292 struct nft_trans *trans;
294 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
296 return PTR_ERR(trans);
299 nft_deactivate_next(ctx->net, ctx->chain);
304 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
305 struct nft_rule *rule)
307 struct nft_expr *expr;
309 expr = nft_expr_first(rule);
310 while (expr != nft_expr_last(rule) && expr->ops) {
311 if (expr->ops->activate)
312 expr->ops->activate(ctx, expr);
314 expr = nft_expr_next(expr);
318 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
319 struct nft_rule *rule,
320 enum nft_trans_phase phase)
322 struct nft_expr *expr;
324 expr = nft_expr_first(rule);
325 while (expr != nft_expr_last(rule) && expr->ops) {
326 if (expr->ops->deactivate)
327 expr->ops->deactivate(ctx, expr, phase);
329 expr = nft_expr_next(expr);
334 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
336 /* You cannot delete the same rule twice */
337 if (nft_is_active_next(ctx->net, rule)) {
338 nft_deactivate_next(ctx->net, rule);
345 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
346 struct nft_rule *rule)
348 struct nft_trans *trans;
350 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
354 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
355 nft_trans_rule_id(trans) =
356 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
358 nft_trans_rule(trans) = rule;
359 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
364 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
366 struct nft_flow_rule *flow;
367 struct nft_trans *trans;
370 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
374 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
375 flow = nft_flow_rule_create(ctx->net, rule);
377 nft_trans_destroy(trans);
378 return PTR_ERR(flow);
381 nft_trans_flow_rule(trans) = flow;
384 err = nf_tables_delrule_deactivate(ctx, rule);
386 nft_trans_destroy(trans);
389 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
394 static int nft_delrule_by_chain(struct nft_ctx *ctx)
396 struct nft_rule *rule;
399 list_for_each_entry(rule, &ctx->chain->rules, list) {
400 if (!nft_is_active_next(ctx->net, rule))
403 err = nft_delrule(ctx, rule);
410 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
413 struct nft_trans *trans;
415 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
419 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
420 nft_trans_set_id(trans) =
421 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
422 nft_activate_next(ctx->net, set);
424 nft_trans_set(trans) = set;
425 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
430 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
434 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
438 nft_deactivate_next(ctx->net, set);
444 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
445 struct nft_object *obj)
447 struct nft_trans *trans;
449 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
453 if (msg_type == NFT_MSG_NEWOBJ)
454 nft_activate_next(ctx->net, obj);
456 nft_trans_obj(trans) = obj;
457 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
462 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
466 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
470 nft_deactivate_next(ctx->net, obj);
476 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
477 struct nft_flowtable *flowtable)
479 struct nft_trans *trans;
481 trans = nft_trans_alloc(ctx, msg_type,
482 sizeof(struct nft_trans_flowtable));
486 if (msg_type == NFT_MSG_NEWFLOWTABLE)
487 nft_activate_next(ctx->net, flowtable);
489 nft_trans_flowtable(trans) = flowtable;
490 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
495 static int nft_delflowtable(struct nft_ctx *ctx,
496 struct nft_flowtable *flowtable)
500 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
504 nft_deactivate_next(ctx->net, flowtable);
514 static struct nft_table *nft_table_lookup(const struct net *net,
515 const struct nlattr *nla,
516 u8 family, u8 genmask)
518 struct nft_table *table;
521 return ERR_PTR(-EINVAL);
523 list_for_each_entry_rcu(table, &net->nft.tables, list,
524 lockdep_is_held(&net->nft.commit_mutex)) {
525 if (!nla_strcmp(nla, table->name) &&
526 table->family == family &&
527 nft_active_genmask(table, genmask))
531 return ERR_PTR(-ENOENT);
534 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
535 const struct nlattr *nla,
538 struct nft_table *table;
540 list_for_each_entry(table, &net->nft.tables, list) {
541 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
542 nft_active_genmask(table, genmask))
546 return ERR_PTR(-ENOENT);
549 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
551 return ++table->hgenerator;
554 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
556 static const struct nft_chain_type *
557 __nft_chain_type_get(u8 family, enum nft_chain_types type)
559 if (family >= NFPROTO_NUMPROTO ||
560 type >= NFT_CHAIN_T_MAX)
563 return chain_type[family][type];
566 static const struct nft_chain_type *
567 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
569 const struct nft_chain_type *type;
572 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
573 type = __nft_chain_type_get(family, i);
576 if (!nla_strcmp(nla, type->name))
582 struct nft_module_request {
583 struct list_head list;
584 char module[MODULE_NAME_LEN];
588 #ifdef CONFIG_MODULES
589 static int nft_request_module(struct net *net, const char *fmt, ...)
591 char module_name[MODULE_NAME_LEN];
592 struct nft_module_request *req;
597 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
599 if (ret >= MODULE_NAME_LEN)
602 list_for_each_entry(req, &net->nft.module_list, list) {
603 if (!strcmp(req->module, module_name)) {
607 /* A request to load this module already exists. */
612 req = kmalloc(sizeof(*req), GFP_KERNEL);
617 strlcpy(req->module, module_name, MODULE_NAME_LEN);
618 list_add_tail(&req->list, &net->nft.module_list);
624 static void lockdep_nfnl_nft_mutex_not_held(void)
626 #ifdef CONFIG_PROVE_LOCKING
627 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
631 static const struct nft_chain_type *
632 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
633 u8 family, bool autoload)
635 const struct nft_chain_type *type;
637 type = __nf_tables_chain_type_lookup(nla, family);
641 lockdep_nfnl_nft_mutex_not_held();
642 #ifdef CONFIG_MODULES
644 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
646 (const char *)nla_data(nla)) == -EAGAIN)
647 return ERR_PTR(-EAGAIN);
650 return ERR_PTR(-ENOENT);
653 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
654 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
655 .len = NFT_TABLE_MAXNAMELEN - 1 },
656 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
657 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
660 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
661 u32 portid, u32 seq, int event, u32 flags,
662 int family, const struct nft_table *table)
664 struct nlmsghdr *nlh;
665 struct nfgenmsg *nfmsg;
667 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
668 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
670 goto nla_put_failure;
672 nfmsg = nlmsg_data(nlh);
673 nfmsg->nfgen_family = family;
674 nfmsg->version = NFNETLINK_V0;
675 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
677 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
678 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
679 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
680 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
682 goto nla_put_failure;
688 nlmsg_trim(skb, nlh);
692 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
698 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
701 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
705 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
706 event, 0, ctx->family, ctx->table);
712 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
713 ctx->report, GFP_KERNEL);
716 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
719 static int nf_tables_dump_tables(struct sk_buff *skb,
720 struct netlink_callback *cb)
722 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
723 const struct nft_table *table;
724 unsigned int idx = 0, s_idx = cb->args[0];
725 struct net *net = sock_net(skb->sk);
726 int family = nfmsg->nfgen_family;
729 cb->seq = net->nft.base_seq;
731 list_for_each_entry_rcu(table, &net->nft.tables, list) {
732 if (family != NFPROTO_UNSPEC && family != table->family)
738 memset(&cb->args[1], 0,
739 sizeof(cb->args) - sizeof(cb->args[0]));
740 if (!nft_is_active(net, table))
742 if (nf_tables_fill_table_info(skb, net,
743 NETLINK_CB(cb->skb).portid,
745 NFT_MSG_NEWTABLE, NLM_F_MULTI,
746 table->family, table) < 0)
749 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
759 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
760 const struct nlmsghdr *nlh,
761 struct netlink_dump_control *c)
765 if (!try_module_get(THIS_MODULE))
769 err = netlink_dump_start(nlsk, skb, nlh, c);
771 module_put(THIS_MODULE);
776 /* called with rcu_read_lock held */
777 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
778 struct sk_buff *skb, const struct nlmsghdr *nlh,
779 const struct nlattr * const nla[],
780 struct netlink_ext_ack *extack)
782 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
783 u8 genmask = nft_genmask_cur(net);
784 const struct nft_table *table;
785 struct sk_buff *skb2;
786 int family = nfmsg->nfgen_family;
789 if (nlh->nlmsg_flags & NLM_F_DUMP) {
790 struct netlink_dump_control c = {
791 .dump = nf_tables_dump_tables,
792 .module = THIS_MODULE,
795 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
798 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
800 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
801 return PTR_ERR(table);
804 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
808 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
809 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
814 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
821 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
823 struct nft_chain *chain;
826 list_for_each_entry(chain, &table->chains, list) {
827 if (!nft_is_active_next(net, chain))
829 if (!nft_is_base_chain(chain))
832 if (cnt && i++ == cnt)
835 nft_unregister_basechain_hooks(net, table->family,
836 nft_base_chain(chain));
840 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
842 struct nft_chain *chain;
845 list_for_each_entry(chain, &table->chains, list) {
846 if (!nft_is_active_next(net, chain))
848 if (!nft_is_base_chain(chain))
851 err = nft_register_basechain_hooks(net, table->family,
852 nft_base_chain(chain));
854 goto err_register_hooks;
862 nft_table_disable(net, table, i);
866 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
868 nft_table_disable(net, table, 0);
871 static int nf_tables_updtable(struct nft_ctx *ctx)
873 struct nft_trans *trans;
877 if (!ctx->nla[NFTA_TABLE_FLAGS])
880 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
881 if (flags & ~NFT_TABLE_F_DORMANT)
884 if (flags == ctx->table->flags)
887 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
888 sizeof(struct nft_trans_table));
892 if ((flags & NFT_TABLE_F_DORMANT) &&
893 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
894 nft_trans_table_enable(trans) = false;
895 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
896 ctx->table->flags & NFT_TABLE_F_DORMANT) {
897 ret = nf_tables_table_enable(ctx->net, ctx->table);
899 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
900 nft_trans_table_enable(trans) = true;
906 nft_trans_table_update(trans) = true;
907 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
910 nft_trans_destroy(trans);
914 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
916 const char *name = data;
918 return jhash(name, strlen(name), seed);
921 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
923 const struct nft_chain *chain = data;
925 return nft_chain_hash(chain->name, 0, seed);
928 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
931 const struct nft_chain *chain = ptr;
932 const char *name = arg->key;
934 return strcmp(chain->name, name);
937 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
939 const struct nft_object_hash_key *k = data;
941 seed ^= hash_ptr(k->table, 32);
943 return jhash(k->name, strlen(k->name), seed);
946 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
948 const struct nft_object *obj = data;
950 return nft_objname_hash(&obj->key, 0, seed);
953 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
956 const struct nft_object_hash_key *k = arg->key;
957 const struct nft_object *obj = ptr;
959 if (obj->key.table != k->table)
962 return strcmp(obj->key.name, k->name);
965 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
966 struct sk_buff *skb, const struct nlmsghdr *nlh,
967 const struct nlattr * const nla[],
968 struct netlink_ext_ack *extack)
970 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
971 u8 genmask = nft_genmask_next(net);
972 int family = nfmsg->nfgen_family;
973 const struct nlattr *attr;
974 struct nft_table *table;
979 lockdep_assert_held(&net->nft.commit_mutex);
980 attr = nla[NFTA_TABLE_NAME];
981 table = nft_table_lookup(net, attr, family, genmask);
983 if (PTR_ERR(table) != -ENOENT)
984 return PTR_ERR(table);
986 if (nlh->nlmsg_flags & NLM_F_EXCL) {
987 NL_SET_BAD_ATTR(extack, attr);
990 if (nlh->nlmsg_flags & NLM_F_REPLACE)
993 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
994 return nf_tables_updtable(&ctx);
997 if (nla[NFTA_TABLE_FLAGS]) {
998 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
999 if (flags & ~NFT_TABLE_F_DORMANT)
1004 table = kzalloc(sizeof(*table), GFP_KERNEL);
1008 table->name = nla_strdup(attr, GFP_KERNEL);
1009 if (table->name == NULL)
1012 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1016 INIT_LIST_HEAD(&table->chains);
1017 INIT_LIST_HEAD(&table->sets);
1018 INIT_LIST_HEAD(&table->objects);
1019 INIT_LIST_HEAD(&table->flowtables);
1020 table->family = family;
1021 table->flags = flags;
1022 table->handle = ++table_handle;
1024 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1025 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1029 list_add_tail_rcu(&table->list, &net->nft.tables);
1032 rhltable_destroy(&table->chains_ht);
1041 static int nft_flush_table(struct nft_ctx *ctx)
1043 struct nft_flowtable *flowtable, *nft;
1044 struct nft_chain *chain, *nc;
1045 struct nft_object *obj, *ne;
1046 struct nft_set *set, *ns;
1049 list_for_each_entry(chain, &ctx->table->chains, list) {
1050 if (!nft_is_active_next(ctx->net, chain))
1055 err = nft_delrule_by_chain(ctx);
1060 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1061 if (!nft_is_active_next(ctx->net, set))
1064 if (nft_set_is_anonymous(set) &&
1065 !list_empty(&set->bindings))
1068 err = nft_delset(ctx, set);
1073 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1074 if (!nft_is_active_next(ctx->net, flowtable))
1077 err = nft_delflowtable(ctx, flowtable);
1082 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1083 if (!nft_is_active_next(ctx->net, obj))
1086 err = nft_delobj(ctx, obj);
1091 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1092 if (!nft_is_active_next(ctx->net, chain))
1097 err = nft_delchain(ctx);
1102 err = nft_deltable(ctx);
1107 static int nft_flush(struct nft_ctx *ctx, int family)
1109 struct nft_table *table, *nt;
1110 const struct nlattr * const *nla = ctx->nla;
1113 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1114 if (family != AF_UNSPEC && table->family != family)
1117 ctx->family = table->family;
1119 if (!nft_is_active_next(ctx->net, table))
1122 if (nla[NFTA_TABLE_NAME] &&
1123 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1128 err = nft_flush_table(ctx);
1136 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1137 struct sk_buff *skb, const struct nlmsghdr *nlh,
1138 const struct nlattr * const nla[],
1139 struct netlink_ext_ack *extack)
1141 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1142 u8 genmask = nft_genmask_next(net);
1143 int family = nfmsg->nfgen_family;
1144 const struct nlattr *attr;
1145 struct nft_table *table;
1148 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1149 if (family == AF_UNSPEC ||
1150 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1151 return nft_flush(&ctx, family);
1153 if (nla[NFTA_TABLE_HANDLE]) {
1154 attr = nla[NFTA_TABLE_HANDLE];
1155 table = nft_table_lookup_byhandle(net, attr, genmask);
1157 attr = nla[NFTA_TABLE_NAME];
1158 table = nft_table_lookup(net, attr, family, genmask);
1161 if (IS_ERR(table)) {
1162 NL_SET_BAD_ATTR(extack, attr);
1163 return PTR_ERR(table);
1166 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1170 ctx.family = family;
1173 return nft_flush_table(&ctx);
1176 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1178 if (WARN_ON(ctx->table->use > 0))
1181 rhltable_destroy(&ctx->table->chains_ht);
1182 kfree(ctx->table->name);
1186 void nft_register_chain_type(const struct nft_chain_type *ctype)
1188 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1189 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1190 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1193 chain_type[ctype->family][ctype->type] = ctype;
1194 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1196 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1198 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1200 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1201 chain_type[ctype->family][ctype->type] = NULL;
1202 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1204 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1210 static struct nft_chain *
1211 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1213 struct nft_chain *chain;
1215 list_for_each_entry(chain, &table->chains, list) {
1216 if (chain->handle == handle &&
1217 nft_active_genmask(chain, genmask))
1221 return ERR_PTR(-ENOENT);
1224 static bool lockdep_commit_lock_is_held(const struct net *net)
1226 #ifdef CONFIG_PROVE_LOCKING
1227 return lockdep_is_held(&net->nft.commit_mutex);
1233 static struct nft_chain *nft_chain_lookup(struct net *net,
1234 struct nft_table *table,
1235 const struct nlattr *nla, u8 genmask)
1237 char search[NFT_CHAIN_MAXNAMELEN + 1];
1238 struct rhlist_head *tmp, *list;
1239 struct nft_chain *chain;
1242 return ERR_PTR(-EINVAL);
1244 nla_strlcpy(search, nla, sizeof(search));
1246 WARN_ON(!rcu_read_lock_held() &&
1247 !lockdep_commit_lock_is_held(net));
1249 chain = ERR_PTR(-ENOENT);
1251 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1255 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1256 if (nft_active_genmask(chain, genmask))
1259 chain = ERR_PTR(-ENOENT);
1265 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1266 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1267 .len = NFT_TABLE_MAXNAMELEN - 1 },
1268 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1269 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1270 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1271 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1272 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1273 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1274 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1275 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1276 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1279 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1280 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1281 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1282 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1283 .len = IFNAMSIZ - 1 },
1286 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1288 struct nft_stats *cpu_stats, total;
1289 struct nlattr *nest;
1297 memset(&total, 0, sizeof(total));
1298 for_each_possible_cpu(cpu) {
1299 cpu_stats = per_cpu_ptr(stats, cpu);
1301 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1302 pkts = cpu_stats->pkts;
1303 bytes = cpu_stats->bytes;
1304 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1306 total.bytes += bytes;
1308 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1310 goto nla_put_failure;
1312 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1313 NFTA_COUNTER_PAD) ||
1314 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1316 goto nla_put_failure;
1318 nla_nest_end(skb, nest);
1325 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1326 const struct nft_base_chain *basechain)
1328 const struct nf_hook_ops *ops = &basechain->ops;
1329 struct nft_hook *hook, *first = NULL;
1330 struct nlattr *nest, *nest_devs;
1333 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1335 goto nla_put_failure;
1336 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1337 goto nla_put_failure;
1338 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1339 goto nla_put_failure;
1341 if (family == NFPROTO_NETDEV) {
1342 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1343 list_for_each_entry(hook, &basechain->hook_list, list) {
1347 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1348 hook->ops.dev->name))
1349 goto nla_put_failure;
1352 nla_nest_end(skb, nest_devs);
1355 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1356 goto nla_put_failure;
1358 nla_nest_end(skb, nest);
1365 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1366 u32 portid, u32 seq, int event, u32 flags,
1367 int family, const struct nft_table *table,
1368 const struct nft_chain *chain)
1370 struct nlmsghdr *nlh;
1371 struct nfgenmsg *nfmsg;
1373 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1374 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1376 goto nla_put_failure;
1378 nfmsg = nlmsg_data(nlh);
1379 nfmsg->nfgen_family = family;
1380 nfmsg->version = NFNETLINK_V0;
1381 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1383 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1384 goto nla_put_failure;
1385 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1387 goto nla_put_failure;
1388 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1389 goto nla_put_failure;
1391 if (nft_is_base_chain(chain)) {
1392 const struct nft_base_chain *basechain = nft_base_chain(chain);
1393 struct nft_stats __percpu *stats;
1395 if (nft_dump_basechain_hook(skb, family, basechain))
1396 goto nla_put_failure;
1398 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1399 htonl(basechain->policy)))
1400 goto nla_put_failure;
1402 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1403 goto nla_put_failure;
1405 stats = rcu_dereference_check(basechain->stats,
1406 lockdep_commit_lock_is_held(net));
1407 if (nft_dump_stats(skb, stats))
1408 goto nla_put_failure;
1410 if ((chain->flags & NFT_CHAIN_HW_OFFLOAD) &&
1411 nla_put_be32(skb, NFTA_CHAIN_FLAGS,
1412 htonl(NFT_CHAIN_HW_OFFLOAD)))
1413 goto nla_put_failure;
1416 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1417 goto nla_put_failure;
1419 nlmsg_end(skb, nlh);
1423 nlmsg_trim(skb, nlh);
1427 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1429 struct sk_buff *skb;
1433 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1436 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1440 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1441 event, 0, ctx->family, ctx->table,
1448 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1449 ctx->report, GFP_KERNEL);
1452 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1455 static int nf_tables_dump_chains(struct sk_buff *skb,
1456 struct netlink_callback *cb)
1458 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1459 const struct nft_table *table;
1460 const struct nft_chain *chain;
1461 unsigned int idx = 0, s_idx = cb->args[0];
1462 struct net *net = sock_net(skb->sk);
1463 int family = nfmsg->nfgen_family;
1466 cb->seq = net->nft.base_seq;
1468 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1469 if (family != NFPROTO_UNSPEC && family != table->family)
1472 list_for_each_entry_rcu(chain, &table->chains, list) {
1476 memset(&cb->args[1], 0,
1477 sizeof(cb->args) - sizeof(cb->args[0]));
1478 if (!nft_is_active(net, chain))
1480 if (nf_tables_fill_chain_info(skb, net,
1481 NETLINK_CB(cb->skb).portid,
1485 table->family, table,
1489 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1500 /* called with rcu_read_lock held */
1501 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1502 struct sk_buff *skb, const struct nlmsghdr *nlh,
1503 const struct nlattr * const nla[],
1504 struct netlink_ext_ack *extack)
1506 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1507 u8 genmask = nft_genmask_cur(net);
1508 const struct nft_chain *chain;
1509 struct nft_table *table;
1510 struct sk_buff *skb2;
1511 int family = nfmsg->nfgen_family;
1514 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1515 struct netlink_dump_control c = {
1516 .dump = nf_tables_dump_chains,
1517 .module = THIS_MODULE,
1520 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1523 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1524 if (IS_ERR(table)) {
1525 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1526 return PTR_ERR(table);
1529 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1530 if (IS_ERR(chain)) {
1531 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1532 return PTR_ERR(chain);
1535 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1539 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1540 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1541 family, table, chain);
1545 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1552 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1553 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1554 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1557 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1559 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1560 struct nft_stats __percpu *newstats;
1561 struct nft_stats *stats;
1564 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1565 nft_counter_policy, NULL);
1567 return ERR_PTR(err);
1569 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1570 return ERR_PTR(-EINVAL);
1572 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1573 if (newstats == NULL)
1574 return ERR_PTR(-ENOMEM);
1576 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1577 * are not exposed to userspace.
1580 stats = this_cpu_ptr(newstats);
1581 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1582 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1588 static void nft_chain_stats_replace(struct nft_trans *trans)
1590 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1592 if (!nft_trans_chain_stats(trans))
1595 nft_trans_chain_stats(trans) =
1596 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1597 lockdep_commit_lock_is_held(trans->ctx.net));
1599 if (!nft_trans_chain_stats(trans))
1600 static_branch_inc(&nft_counters_enabled);
1603 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1605 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1606 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1612 /* should be NULL either via abort or via successful commit */
1613 WARN_ON_ONCE(chain->rules_next);
1614 kvfree(chain->rules_next);
1617 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1619 struct nft_chain *chain = ctx->chain;
1620 struct nft_hook *hook, *next;
1622 if (WARN_ON(chain->use > 0))
1625 /* no concurrent access possible anymore */
1626 nf_tables_chain_free_chain_rules(chain);
1628 if (nft_is_base_chain(chain)) {
1629 struct nft_base_chain *basechain = nft_base_chain(chain);
1631 if (ctx->family == NFPROTO_NETDEV) {
1632 list_for_each_entry_safe(hook, next,
1633 &basechain->hook_list, list) {
1634 list_del_rcu(&hook->list);
1635 kfree_rcu(hook, rcu);
1638 module_put(basechain->type->owner);
1639 if (rcu_access_pointer(basechain->stats)) {
1640 static_branch_dec(&nft_counters_enabled);
1641 free_percpu(rcu_dereference_raw(basechain->stats));
1651 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1652 const struct nlattr *attr)
1654 struct net_device *dev;
1655 char ifname[IFNAMSIZ];
1656 struct nft_hook *hook;
1659 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1662 goto err_hook_alloc;
1665 nla_strlcpy(ifname, attr, IFNAMSIZ);
1666 dev = __dev_get_by_name(net, ifname);
1671 hook->ops.dev = dev;
1672 hook->inactive = false;
1679 return ERR_PTR(err);
1682 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1683 const struct nft_hook *this)
1685 struct nft_hook *hook;
1687 list_for_each_entry(hook, hook_list, list) {
1688 if (this->ops.dev == hook->ops.dev)
1695 static int nf_tables_parse_netdev_hooks(struct net *net,
1696 const struct nlattr *attr,
1697 struct list_head *hook_list)
1699 struct nft_hook *hook, *next;
1700 const struct nlattr *tmp;
1701 int rem, n = 0, err;
1703 nla_for_each_nested(tmp, attr, rem) {
1704 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1709 hook = nft_netdev_hook_alloc(net, tmp);
1711 err = PTR_ERR(hook);
1714 if (nft_hook_list_find(hook_list, hook)) {
1719 list_add_tail(&hook->list, hook_list);
1722 if (n == NFT_NETDEVICE_MAX) {
1731 list_for_each_entry_safe(hook, next, hook_list, list) {
1732 list_del(&hook->list);
1738 struct nft_chain_hook {
1741 const struct nft_chain_type *type;
1742 struct list_head list;
1745 static int nft_chain_parse_netdev(struct net *net,
1746 struct nlattr *tb[],
1747 struct list_head *hook_list)
1749 struct nft_hook *hook;
1752 if (tb[NFTA_HOOK_DEV]) {
1753 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1755 return PTR_ERR(hook);
1757 list_add_tail(&hook->list, hook_list);
1758 } else if (tb[NFTA_HOOK_DEVS]) {
1759 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1764 if (list_empty(hook_list))
1773 static int nft_chain_parse_hook(struct net *net,
1774 const struct nlattr * const nla[],
1775 struct nft_chain_hook *hook, u8 family,
1778 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1779 const struct nft_chain_type *type;
1782 lockdep_assert_held(&net->nft.commit_mutex);
1783 lockdep_nfnl_nft_mutex_not_held();
1785 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1786 nla[NFTA_CHAIN_HOOK],
1787 nft_hook_policy, NULL);
1791 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1792 ha[NFTA_HOOK_PRIORITY] == NULL)
1795 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1796 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1798 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1802 if (nla[NFTA_CHAIN_TYPE]) {
1803 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1806 return PTR_ERR(type);
1808 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1811 if (type->type == NFT_CHAIN_T_NAT &&
1812 hook->priority <= NF_IP_PRI_CONNTRACK)
1815 if (!try_module_get(type->owner))
1820 INIT_LIST_HEAD(&hook->list);
1821 if (family == NFPROTO_NETDEV) {
1822 err = nft_chain_parse_netdev(net, ha, &hook->list);
1824 module_put(type->owner);
1827 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1828 module_put(type->owner);
1835 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1837 struct nft_hook *h, *next;
1839 list_for_each_entry_safe(h, next, &hook->list, list) {
1843 module_put(hook->type->owner);
1846 struct nft_rules_old {
1848 struct nft_rule **start;
1851 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1854 if (alloc > INT_MAX)
1857 alloc += 1; /* NULL, ends rules */
1858 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1861 alloc *= sizeof(struct nft_rule *);
1862 alloc += sizeof(struct nft_rules_old);
1864 return kvmalloc(alloc, GFP_KERNEL);
1867 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1868 const struct nft_chain_hook *hook,
1869 struct nft_chain *chain)
1872 ops->hooknum = hook->num;
1873 ops->priority = hook->priority;
1875 ops->hook = hook->type->hooks[ops->hooknum];
1878 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1879 struct nft_chain_hook *hook, u32 flags)
1881 struct nft_chain *chain;
1884 basechain->type = hook->type;
1885 INIT_LIST_HEAD(&basechain->hook_list);
1886 chain = &basechain->chain;
1888 if (family == NFPROTO_NETDEV) {
1889 list_splice_init(&hook->list, &basechain->hook_list);
1890 list_for_each_entry(h, &basechain->hook_list, list)
1891 nft_basechain_hook_init(&h->ops, family, hook, chain);
1893 basechain->ops.hooknum = hook->num;
1894 basechain->ops.priority = hook->priority;
1896 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1899 chain->flags |= NFT_BASE_CHAIN | flags;
1900 basechain->policy = NF_ACCEPT;
1901 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1902 nft_chain_offload_priority(basechain) < 0)
1905 flow_block_init(&basechain->flow_block);
1910 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1911 u8 policy, u32 flags)
1913 const struct nlattr * const *nla = ctx->nla;
1914 struct nft_table *table = ctx->table;
1915 struct nft_base_chain *basechain;
1916 struct nft_stats __percpu *stats;
1917 struct net *net = ctx->net;
1918 struct nft_trans *trans;
1919 struct nft_chain *chain;
1920 struct nft_rule **rules;
1923 if (table->use == UINT_MAX)
1926 if (nla[NFTA_CHAIN_HOOK]) {
1927 struct nft_chain_hook hook;
1929 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1933 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1934 if (basechain == NULL) {
1935 nft_chain_release_hook(&hook);
1938 chain = &basechain->chain;
1940 if (nla[NFTA_CHAIN_COUNTERS]) {
1941 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1942 if (IS_ERR(stats)) {
1943 nft_chain_release_hook(&hook);
1945 return PTR_ERR(stats);
1947 rcu_assign_pointer(basechain->stats, stats);
1948 static_branch_inc(&nft_counters_enabled);
1951 err = nft_basechain_init(basechain, family, &hook, flags);
1953 nft_chain_release_hook(&hook);
1958 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1964 INIT_LIST_HEAD(&chain->rules);
1965 chain->handle = nf_tables_alloc_handle(table);
1966 chain->table = table;
1967 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1973 rules = nf_tables_chain_alloc_rules(chain, 0);
1980 rcu_assign_pointer(chain->rules_gen_0, rules);
1981 rcu_assign_pointer(chain->rules_gen_1, rules);
1983 err = nf_tables_register_hook(net, table, chain);
1987 err = rhltable_insert_key(&table->chains_ht, chain->name,
1988 &chain->rhlhead, nft_chain_ht_params);
1992 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1993 if (IS_ERR(trans)) {
1994 err = PTR_ERR(trans);
1995 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1996 nft_chain_ht_params);
2000 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2001 if (nft_is_base_chain(chain))
2002 nft_trans_chain_policy(trans) = policy;
2005 list_add_tail_rcu(&chain->list, &table->chains);
2009 nf_tables_unregister_hook(net, table, chain);
2011 nf_tables_chain_destroy(ctx);
2016 static bool nft_hook_list_equal(struct list_head *hook_list1,
2017 struct list_head *hook_list2)
2019 struct nft_hook *hook;
2023 list_for_each_entry(hook, hook_list2, list) {
2024 if (!nft_hook_list_find(hook_list1, hook))
2029 list_for_each_entry(hook, hook_list1, list)
2035 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2038 const struct nlattr * const *nla = ctx->nla;
2039 struct nft_table *table = ctx->table;
2040 struct nft_chain *chain = ctx->chain;
2041 struct nft_base_chain *basechain;
2042 struct nft_stats *stats = NULL;
2043 struct nft_chain_hook hook;
2044 struct nf_hook_ops *ops;
2045 struct nft_trans *trans;
2048 if (chain->flags ^ flags)
2051 if (nla[NFTA_CHAIN_HOOK]) {
2052 if (!nft_is_base_chain(chain))
2055 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2060 basechain = nft_base_chain(chain);
2061 if (basechain->type != hook.type) {
2062 nft_chain_release_hook(&hook);
2066 if (ctx->family == NFPROTO_NETDEV) {
2067 if (!nft_hook_list_equal(&basechain->hook_list,
2069 nft_chain_release_hook(&hook);
2073 ops = &basechain->ops;
2074 if (ops->hooknum != hook.num ||
2075 ops->priority != hook.priority) {
2076 nft_chain_release_hook(&hook);
2080 nft_chain_release_hook(&hook);
2083 if (nla[NFTA_CHAIN_HANDLE] &&
2084 nla[NFTA_CHAIN_NAME]) {
2085 struct nft_chain *chain2;
2087 chain2 = nft_chain_lookup(ctx->net, table,
2088 nla[NFTA_CHAIN_NAME], genmask);
2089 if (!IS_ERR(chain2))
2093 if (nla[NFTA_CHAIN_COUNTERS]) {
2094 if (!nft_is_base_chain(chain))
2097 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2099 return PTR_ERR(stats);
2103 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2104 sizeof(struct nft_trans_chain));
2108 nft_trans_chain_stats(trans) = stats;
2109 nft_trans_chain_update(trans) = true;
2111 if (nla[NFTA_CHAIN_POLICY])
2112 nft_trans_chain_policy(trans) = policy;
2114 nft_trans_chain_policy(trans) = -1;
2116 if (nla[NFTA_CHAIN_HANDLE] &&
2117 nla[NFTA_CHAIN_NAME]) {
2118 struct nft_trans *tmp;
2122 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2127 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2128 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2129 tmp->ctx.table == table &&
2130 nft_trans_chain_update(tmp) &&
2131 nft_trans_chain_name(tmp) &&
2132 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2138 nft_trans_chain_name(trans) = name;
2140 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2149 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2150 struct sk_buff *skb, const struct nlmsghdr *nlh,
2151 const struct nlattr * const nla[],
2152 struct netlink_ext_ack *extack)
2154 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2155 u8 genmask = nft_genmask_next(net);
2156 int family = nfmsg->nfgen_family;
2157 const struct nlattr *attr;
2158 struct nft_table *table;
2159 struct nft_chain *chain;
2160 u8 policy = NF_ACCEPT;
2165 lockdep_assert_held(&net->nft.commit_mutex);
2167 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2168 if (IS_ERR(table)) {
2169 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2170 return PTR_ERR(table);
2174 attr = nla[NFTA_CHAIN_NAME];
2176 if (nla[NFTA_CHAIN_HANDLE]) {
2177 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2178 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2179 if (IS_ERR(chain)) {
2180 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2181 return PTR_ERR(chain);
2183 attr = nla[NFTA_CHAIN_HANDLE];
2185 chain = nft_chain_lookup(net, table, attr, genmask);
2186 if (IS_ERR(chain)) {
2187 if (PTR_ERR(chain) != -ENOENT) {
2188 NL_SET_BAD_ATTR(extack, attr);
2189 return PTR_ERR(chain);
2195 if (nla[NFTA_CHAIN_POLICY]) {
2196 if (chain != NULL &&
2197 !nft_is_base_chain(chain)) {
2198 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2202 if (chain == NULL &&
2203 nla[NFTA_CHAIN_HOOK] == NULL) {
2204 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2208 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2218 if (nla[NFTA_CHAIN_FLAGS])
2219 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2221 flags = chain->flags;
2223 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2225 if (chain != NULL) {
2226 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2227 NL_SET_BAD_ATTR(extack, attr);
2230 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2233 flags |= chain->flags & NFT_BASE_CHAIN;
2234 return nf_tables_updchain(&ctx, genmask, policy, flags);
2237 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2240 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2241 struct sk_buff *skb, const struct nlmsghdr *nlh,
2242 const struct nlattr * const nla[],
2243 struct netlink_ext_ack *extack)
2245 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2246 u8 genmask = nft_genmask_next(net);
2247 int family = nfmsg->nfgen_family;
2248 const struct nlattr *attr;
2249 struct nft_table *table;
2250 struct nft_chain *chain;
2251 struct nft_rule *rule;
2257 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2258 if (IS_ERR(table)) {
2259 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2260 return PTR_ERR(table);
2263 if (nla[NFTA_CHAIN_HANDLE]) {
2264 attr = nla[NFTA_CHAIN_HANDLE];
2265 handle = be64_to_cpu(nla_get_be64(attr));
2266 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2268 attr = nla[NFTA_CHAIN_NAME];
2269 chain = nft_chain_lookup(net, table, attr, genmask);
2271 if (IS_ERR(chain)) {
2272 NL_SET_BAD_ATTR(extack, attr);
2273 return PTR_ERR(chain);
2276 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2280 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2283 list_for_each_entry(rule, &chain->rules, list) {
2284 if (!nft_is_active_next(net, rule))
2288 err = nft_delrule(&ctx, rule);
2293 /* There are rules and elements that are still holding references to us,
2294 * we cannot do a recursive removal in this case.
2297 NL_SET_BAD_ATTR(extack, attr);
2301 return nft_delchain(&ctx);
2309 * nft_register_expr - register nf_tables expr type
2312 * Registers the expr type for use with nf_tables. Returns zero on
2313 * success or a negative errno code otherwise.
2315 int nft_register_expr(struct nft_expr_type *type)
2317 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2318 if (type->family == NFPROTO_UNSPEC)
2319 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2321 list_add_rcu(&type->list, &nf_tables_expressions);
2322 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2325 EXPORT_SYMBOL_GPL(nft_register_expr);
2328 * nft_unregister_expr - unregister nf_tables expr type
2331 * Unregisters the expr typefor use with nf_tables.
2333 void nft_unregister_expr(struct nft_expr_type *type)
2335 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2336 list_del_rcu(&type->list);
2337 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2339 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2341 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2344 const struct nft_expr_type *type, *candidate = NULL;
2346 list_for_each_entry(type, &nf_tables_expressions, list) {
2347 if (!nla_strcmp(nla, type->name)) {
2348 if (!type->family && !candidate)
2350 else if (type->family == family)
2357 #ifdef CONFIG_MODULES
2358 static int nft_expr_type_request_module(struct net *net, u8 family,
2361 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2362 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2369 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2373 const struct nft_expr_type *type;
2376 return ERR_PTR(-EINVAL);
2378 type = __nft_expr_type_get(family, nla);
2379 if (type != NULL && try_module_get(type->owner))
2382 lockdep_nfnl_nft_mutex_not_held();
2383 #ifdef CONFIG_MODULES
2385 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2386 return ERR_PTR(-EAGAIN);
2388 if (nft_request_module(net, "nft-expr-%.*s",
2390 (char *)nla_data(nla)) == -EAGAIN)
2391 return ERR_PTR(-EAGAIN);
2394 return ERR_PTR(-ENOENT);
2397 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2398 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2399 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2400 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2403 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2404 const struct nft_expr *expr)
2406 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2407 goto nla_put_failure;
2409 if (expr->ops->dump) {
2410 struct nlattr *data = nla_nest_start_noflag(skb,
2413 goto nla_put_failure;
2414 if (expr->ops->dump(skb, expr) < 0)
2415 goto nla_put_failure;
2416 nla_nest_end(skb, data);
2425 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2426 const struct nft_expr *expr)
2428 struct nlattr *nest;
2430 nest = nla_nest_start_noflag(skb, attr);
2432 goto nla_put_failure;
2433 if (nf_tables_fill_expr_info(skb, expr) < 0)
2434 goto nla_put_failure;
2435 nla_nest_end(skb, nest);
2442 struct nft_expr_info {
2443 const struct nft_expr_ops *ops;
2444 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2447 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2448 const struct nlattr *nla,
2449 struct nft_expr_info *info)
2451 const struct nft_expr_type *type;
2452 const struct nft_expr_ops *ops;
2453 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2456 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2457 nft_expr_policy, NULL);
2461 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2463 return PTR_ERR(type);
2465 if (tb[NFTA_EXPR_DATA]) {
2466 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2468 type->policy, NULL);
2472 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2474 if (type->select_ops != NULL) {
2475 ops = type->select_ops(ctx,
2476 (const struct nlattr * const *)info->tb);
2479 #ifdef CONFIG_MODULES
2481 if (nft_expr_type_request_module(ctx->net,
2483 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2495 module_put(type->owner);
2499 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2500 const struct nft_expr_info *info,
2501 struct nft_expr *expr)
2503 const struct nft_expr_ops *ops = info->ops;
2508 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2519 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2520 struct nft_expr *expr)
2522 const struct nft_expr_type *type = expr->ops->type;
2524 if (expr->ops->destroy)
2525 expr->ops->destroy(ctx, expr);
2526 module_put(type->owner);
2529 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2530 const struct nlattr *nla)
2532 struct nft_expr_info info;
2533 struct nft_expr *expr;
2534 struct module *owner;
2537 err = nf_tables_expr_parse(ctx, nla, &info);
2542 expr = kzalloc(info.ops->size, GFP_KERNEL);
2546 err = nf_tables_newexpr(ctx, &info, expr);
2554 owner = info.ops->type->owner;
2555 if (info.ops->type->release_ops)
2556 info.ops->type->release_ops(info.ops);
2560 return ERR_PTR(err);
2563 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2567 if (src->ops->clone) {
2568 dst->ops = src->ops;
2569 err = src->ops->clone(dst, src);
2573 memcpy(dst, src, src->ops->size);
2576 __module_get(src->ops->type->owner);
2581 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2583 nf_tables_expr_destroy(ctx, expr);
2591 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2594 struct nft_rule *rule;
2596 // FIXME: this sucks
2597 list_for_each_entry_rcu(rule, &chain->rules, list) {
2598 if (handle == rule->handle)
2602 return ERR_PTR(-ENOENT);
2605 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2606 const struct nlattr *nla)
2609 return ERR_PTR(-EINVAL);
2611 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2614 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2615 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2616 .len = NFT_TABLE_MAXNAMELEN - 1 },
2617 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2618 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2619 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2620 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2621 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2622 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2623 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2624 .len = NFT_USERDATA_MAXLEN },
2625 [NFTA_RULE_ID] = { .type = NLA_U32 },
2626 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2629 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2630 u32 portid, u32 seq, int event,
2631 u32 flags, int family,
2632 const struct nft_table *table,
2633 const struct nft_chain *chain,
2634 const struct nft_rule *rule,
2635 const struct nft_rule *prule)
2637 struct nlmsghdr *nlh;
2638 struct nfgenmsg *nfmsg;
2639 const struct nft_expr *expr, *next;
2640 struct nlattr *list;
2641 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2643 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2645 goto nla_put_failure;
2647 nfmsg = nlmsg_data(nlh);
2648 nfmsg->nfgen_family = family;
2649 nfmsg->version = NFNETLINK_V0;
2650 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2652 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2653 goto nla_put_failure;
2654 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2655 goto nla_put_failure;
2656 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2658 goto nla_put_failure;
2660 if (event != NFT_MSG_DELRULE && prule) {
2661 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2662 cpu_to_be64(prule->handle),
2664 goto nla_put_failure;
2667 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2669 goto nla_put_failure;
2670 nft_rule_for_each_expr(expr, next, rule) {
2671 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2672 goto nla_put_failure;
2674 nla_nest_end(skb, list);
2677 struct nft_userdata *udata = nft_userdata(rule);
2678 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2680 goto nla_put_failure;
2683 nlmsg_end(skb, nlh);
2687 nlmsg_trim(skb, nlh);
2691 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2692 const struct nft_rule *rule, int event)
2694 struct sk_buff *skb;
2698 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2701 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2705 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2706 event, 0, ctx->family, ctx->table,
2707 ctx->chain, rule, NULL);
2713 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2714 ctx->report, GFP_KERNEL);
2717 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2720 struct nft_rule_dump_ctx {
2725 static int __nf_tables_dump_rules(struct sk_buff *skb,
2727 struct netlink_callback *cb,
2728 const struct nft_table *table,
2729 const struct nft_chain *chain)
2731 struct net *net = sock_net(skb->sk);
2732 const struct nft_rule *rule, *prule;
2733 unsigned int s_idx = cb->args[0];
2736 list_for_each_entry_rcu(rule, &chain->rules, list) {
2737 if (!nft_is_active(net, rule))
2742 memset(&cb->args[1], 0,
2743 sizeof(cb->args) - sizeof(cb->args[0]));
2745 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2748 NLM_F_MULTI | NLM_F_APPEND,
2750 table, chain, rule, prule) < 0)
2753 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2762 static int nf_tables_dump_rules(struct sk_buff *skb,
2763 struct netlink_callback *cb)
2765 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2766 const struct nft_rule_dump_ctx *ctx = cb->data;
2767 struct nft_table *table;
2768 const struct nft_chain *chain;
2769 unsigned int idx = 0;
2770 struct net *net = sock_net(skb->sk);
2771 int family = nfmsg->nfgen_family;
2774 cb->seq = net->nft.base_seq;
2776 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2777 if (family != NFPROTO_UNSPEC && family != table->family)
2780 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2783 if (ctx && ctx->table && ctx->chain) {
2784 struct rhlist_head *list, *tmp;
2786 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2787 nft_chain_ht_params);
2791 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2792 if (!nft_is_active(net, chain))
2794 __nf_tables_dump_rules(skb, &idx,
2801 list_for_each_entry_rcu(chain, &table->chains, list) {
2802 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2806 if (ctx && ctx->table)
2816 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2818 const struct nlattr * const *nla = cb->data;
2819 struct nft_rule_dump_ctx *ctx = NULL;
2821 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2822 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2826 if (nla[NFTA_RULE_TABLE]) {
2827 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2834 if (nla[NFTA_RULE_CHAIN]) {
2835 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2849 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2851 struct nft_rule_dump_ctx *ctx = cb->data;
2861 /* called with rcu_read_lock held */
2862 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2863 struct sk_buff *skb, const struct nlmsghdr *nlh,
2864 const struct nlattr * const nla[],
2865 struct netlink_ext_ack *extack)
2867 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2868 u8 genmask = nft_genmask_cur(net);
2869 const struct nft_chain *chain;
2870 const struct nft_rule *rule;
2871 struct nft_table *table;
2872 struct sk_buff *skb2;
2873 int family = nfmsg->nfgen_family;
2876 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2877 struct netlink_dump_control c = {
2878 .start= nf_tables_dump_rules_start,
2879 .dump = nf_tables_dump_rules,
2880 .done = nf_tables_dump_rules_done,
2881 .module = THIS_MODULE,
2882 .data = (void *)nla,
2885 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2888 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2889 if (IS_ERR(table)) {
2890 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2891 return PTR_ERR(table);
2894 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2895 if (IS_ERR(chain)) {
2896 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2897 return PTR_ERR(chain);
2900 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2902 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2903 return PTR_ERR(rule);
2906 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2910 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2911 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2912 family, table, chain, rule, NULL);
2916 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2923 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2924 struct nft_rule *rule)
2926 struct nft_expr *expr, *next;
2929 * Careful: some expressions might not be initialized in case this
2930 * is called on error from nf_tables_newrule().
2932 expr = nft_expr_first(rule);
2933 while (expr != nft_expr_last(rule) && expr->ops) {
2934 next = nft_expr_next(expr);
2935 nf_tables_expr_destroy(ctx, expr);
2941 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2942 struct nft_rule *rule)
2944 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2945 nf_tables_rule_destroy(ctx, rule);
2948 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2950 struct nft_expr *expr, *last;
2951 const struct nft_data *data;
2952 struct nft_rule *rule;
2955 if (ctx->level == NFT_JUMP_STACK_SIZE)
2958 list_for_each_entry(rule, &chain->rules, list) {
2959 if (!nft_is_active_next(ctx->net, rule))
2962 nft_rule_for_each_expr(expr, last, rule) {
2963 if (!expr->ops->validate)
2966 err = expr->ops->validate(ctx, expr, &data);
2974 EXPORT_SYMBOL_GPL(nft_chain_validate);
2976 static int nft_table_validate(struct net *net, const struct nft_table *table)
2978 struct nft_chain *chain;
2979 struct nft_ctx ctx = {
2981 .family = table->family,
2985 list_for_each_entry(chain, &table->chains, list) {
2986 if (!nft_is_base_chain(chain))
2990 err = nft_chain_validate(&ctx, chain);
2998 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2999 const struct nlattr *nla);
3001 #define NFT_RULE_MAXEXPRS 128
3003 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3004 struct sk_buff *skb, const struct nlmsghdr *nlh,
3005 const struct nlattr * const nla[],
3006 struct netlink_ext_ack *extack)
3008 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3009 u8 genmask = nft_genmask_next(net);
3010 struct nft_expr_info *info = NULL;
3011 int family = nfmsg->nfgen_family;
3012 struct nft_flow_rule *flow;
3013 struct nft_table *table;
3014 struct nft_chain *chain;
3015 struct nft_rule *rule, *old_rule = NULL;
3016 struct nft_userdata *udata;
3017 struct nft_trans *trans = NULL;
3018 struct nft_expr *expr;
3021 unsigned int size, i, n, ulen = 0, usize = 0;
3023 u64 handle, pos_handle;
3025 lockdep_assert_held(&net->nft.commit_mutex);
3027 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3028 if (IS_ERR(table)) {
3029 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3030 return PTR_ERR(table);
3033 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3034 if (IS_ERR(chain)) {
3035 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3036 return PTR_ERR(chain);
3039 if (nla[NFTA_RULE_HANDLE]) {
3040 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3041 rule = __nft_rule_lookup(chain, handle);
3043 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3044 return PTR_ERR(rule);
3047 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3048 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3051 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3056 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3057 nlh->nlmsg_flags & NLM_F_REPLACE)
3059 handle = nf_tables_alloc_handle(table);
3061 if (chain->use == UINT_MAX)
3064 if (nla[NFTA_RULE_POSITION]) {
3065 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3066 old_rule = __nft_rule_lookup(chain, pos_handle);
3067 if (IS_ERR(old_rule)) {
3068 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3069 return PTR_ERR(old_rule);
3071 } else if (nla[NFTA_RULE_POSITION_ID]) {
3072 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3073 if (IS_ERR(old_rule)) {
3074 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3075 return PTR_ERR(old_rule);
3080 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3084 if (nla[NFTA_RULE_EXPRESSIONS]) {
3085 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3086 sizeof(struct nft_expr_info),
3091 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3093 if (nla_type(tmp) != NFTA_LIST_ELEM)
3095 if (n == NFT_RULE_MAXEXPRS)
3097 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3100 size += info[n].ops->size;
3104 /* Check for overflow of dlen field */
3106 if (size >= 1 << 12)
3109 if (nla[NFTA_RULE_USERDATA]) {
3110 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3112 usize = sizeof(struct nft_userdata) + ulen;
3116 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3120 nft_activate_next(net, rule);
3122 rule->handle = handle;
3124 rule->udata = ulen ? 1 : 0;
3127 udata = nft_userdata(rule);
3128 udata->len = ulen - 1;
3129 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3132 expr = nft_expr_first(rule);
3133 for (i = 0; i < n; i++) {
3134 err = nf_tables_newexpr(&ctx, &info[i], expr);
3138 if (info[i].ops->validate)
3139 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3142 expr = nft_expr_next(expr);
3145 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3146 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3147 if (trans == NULL) {
3151 err = nft_delrule(&ctx, old_rule);
3153 nft_trans_destroy(trans);
3157 list_add_tail_rcu(&rule->list, &old_rule->list);
3159 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3165 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3167 list_add_rcu(&rule->list, &old_rule->list);
3169 list_add_tail_rcu(&rule->list, &chain->rules);
3172 list_add_tail_rcu(&rule->list, &old_rule->list);
3174 list_add_rcu(&rule->list, &chain->rules);
3180 if (net->nft.validate_state == NFT_VALIDATE_DO)
3181 return nft_table_validate(net, table);
3183 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3184 flow = nft_flow_rule_create(net, rule);
3186 return PTR_ERR(flow);
3188 nft_trans_flow_rule(trans) = flow;
3193 nf_tables_rule_release(&ctx, rule);
3195 for (i = 0; i < n; i++) {
3197 module_put(info[i].ops->type->owner);
3198 if (info[i].ops->type->release_ops)
3199 info[i].ops->type->release_ops(info[i].ops);
3206 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3207 const struct nlattr *nla)
3209 u32 id = ntohl(nla_get_be32(nla));
3210 struct nft_trans *trans;
3212 list_for_each_entry(trans, &net->nft.commit_list, list) {
3213 struct nft_rule *rule = nft_trans_rule(trans);
3215 if (trans->msg_type == NFT_MSG_NEWRULE &&
3216 id == nft_trans_rule_id(trans))
3219 return ERR_PTR(-ENOENT);
3222 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3223 struct sk_buff *skb, const struct nlmsghdr *nlh,
3224 const struct nlattr * const nla[],
3225 struct netlink_ext_ack *extack)
3227 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3228 u8 genmask = nft_genmask_next(net);
3229 struct nft_table *table;
3230 struct nft_chain *chain = NULL;
3231 struct nft_rule *rule;
3232 int family = nfmsg->nfgen_family, err = 0;
3235 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3236 if (IS_ERR(table)) {
3237 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3238 return PTR_ERR(table);
3241 if (nla[NFTA_RULE_CHAIN]) {
3242 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3244 if (IS_ERR(chain)) {
3245 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3246 return PTR_ERR(chain);
3250 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3253 if (nla[NFTA_RULE_HANDLE]) {
3254 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3256 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3257 return PTR_ERR(rule);
3260 err = nft_delrule(&ctx, rule);
3261 } else if (nla[NFTA_RULE_ID]) {
3262 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3264 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3265 return PTR_ERR(rule);
3268 err = nft_delrule(&ctx, rule);
3270 err = nft_delrule_by_chain(&ctx);
3273 list_for_each_entry(chain, &table->chains, list) {
3274 if (!nft_is_active_next(net, chain))
3278 err = nft_delrule_by_chain(&ctx);
3290 static const struct nft_set_type *nft_set_types[] = {
3291 &nft_set_hash_fast_type,
3293 &nft_set_rhash_type,
3294 &nft_set_bitmap_type,
3295 &nft_set_rbtree_type,
3296 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3297 &nft_set_pipapo_avx2_type,
3299 &nft_set_pipapo_type,
3302 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3303 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3306 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3308 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3312 * Select a set implementation based on the data characteristics and the
3313 * given policy. The total memory use might not be known if no size is
3314 * given, in that case the amount of memory per element is used.
3316 static const struct nft_set_ops *
3317 nft_select_set_ops(const struct nft_ctx *ctx,
3318 const struct nlattr * const nla[],
3319 const struct nft_set_desc *desc,
3320 enum nft_set_policies policy)
3322 const struct nft_set_ops *ops, *bops;
3323 struct nft_set_estimate est, best;
3324 const struct nft_set_type *type;
3328 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3329 lockdep_nfnl_nft_mutex_not_held();
3331 if (nla[NFTA_SET_FLAGS] != NULL)
3332 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3339 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3340 type = nft_set_types[i];
3343 if (!nft_set_ops_candidate(type, flags))
3345 if (!ops->estimate(desc, flags, &est))
3349 case NFT_SET_POL_PERFORMANCE:
3350 if (est.lookup < best.lookup)
3352 if (est.lookup == best.lookup &&
3353 est.space < best.space)
3356 case NFT_SET_POL_MEMORY:
3358 if (est.space < best.space)
3360 if (est.space == best.space &&
3361 est.lookup < best.lookup)
3363 } else if (est.size < best.size || !bops) {
3378 return ERR_PTR(-EOPNOTSUPP);
3381 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3382 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3383 .len = NFT_TABLE_MAXNAMELEN - 1 },
3384 [NFTA_SET_NAME] = { .type = NLA_STRING,
3385 .len = NFT_SET_MAXNAMELEN - 1 },
3386 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3387 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3388 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3389 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3390 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3391 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3392 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3393 [NFTA_SET_ID] = { .type = NLA_U32 },
3394 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3395 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3396 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3397 .len = NFT_USERDATA_MAXLEN },
3398 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3399 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3400 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3403 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3404 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3405 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3408 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3409 const struct sk_buff *skb,
3410 const struct nlmsghdr *nlh,
3411 const struct nlattr * const nla[],
3412 struct netlink_ext_ack *extack,
3415 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3416 int family = nfmsg->nfgen_family;
3417 struct nft_table *table = NULL;
3419 if (nla[NFTA_SET_TABLE] != NULL) {
3420 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3422 if (IS_ERR(table)) {
3423 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3424 return PTR_ERR(table);
3428 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3432 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3433 const struct nlattr *nla, u8 genmask)
3435 struct nft_set *set;
3438 return ERR_PTR(-EINVAL);
3440 list_for_each_entry_rcu(set, &table->sets, list) {
3441 if (!nla_strcmp(nla, set->name) &&
3442 nft_active_genmask(set, genmask))
3445 return ERR_PTR(-ENOENT);
3448 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3449 const struct nlattr *nla,
3452 struct nft_set *set;
3454 list_for_each_entry(set, &table->sets, list) {
3455 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3456 nft_active_genmask(set, genmask))
3459 return ERR_PTR(-ENOENT);
3462 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3463 const struct nlattr *nla, u8 genmask)
3465 struct nft_trans *trans;
3466 u32 id = ntohl(nla_get_be32(nla));
3468 list_for_each_entry(trans, &net->nft.commit_list, list) {
3469 if (trans->msg_type == NFT_MSG_NEWSET) {
3470 struct nft_set *set = nft_trans_set(trans);
3472 if (id == nft_trans_set_id(trans) &&
3473 nft_active_genmask(set, genmask))
3477 return ERR_PTR(-ENOENT);
3480 struct nft_set *nft_set_lookup_global(const struct net *net,
3481 const struct nft_table *table,
3482 const struct nlattr *nla_set_name,
3483 const struct nlattr *nla_set_id,
3486 struct nft_set *set;
3488 set = nft_set_lookup(table, nla_set_name, genmask);
3493 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3497 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3499 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3502 const struct nft_set *i;
3504 unsigned long *inuse;
3505 unsigned int n = 0, min = 0;
3507 p = strchr(name, '%');
3509 if (p[1] != 'd' || strchr(p + 2, '%'))
3512 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3516 list_for_each_entry(i, &ctx->table->sets, list) {
3519 if (!nft_is_active_next(ctx->net, set))
3521 if (!sscanf(i->name, name, &tmp))
3523 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3526 set_bit(tmp - min, inuse);
3529 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3530 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3531 min += BITS_PER_BYTE * PAGE_SIZE;
3532 memset(inuse, 0, PAGE_SIZE);
3535 free_page((unsigned long)inuse);
3538 set->name = kasprintf(GFP_KERNEL, name, min + n);
3542 list_for_each_entry(i, &ctx->table->sets, list) {
3543 if (!nft_is_active_next(ctx->net, i))
3545 if (!strcmp(set->name, i->name)) {
3554 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3556 u64 ms = be64_to_cpu(nla_get_be64(nla));
3557 u64 max = (u64)(~((u64)0));
3559 max = div_u64(max, NSEC_PER_MSEC);
3563 ms *= NSEC_PER_MSEC;
3564 *result = nsecs_to_jiffies64(ms);
3568 static __be64 nf_jiffies64_to_msecs(u64 input)
3570 return cpu_to_be64(jiffies64_to_msecs(input));
3573 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3574 const struct nft_set *set)
3576 struct nlattr *concat, *field;
3579 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3583 for (i = 0; i < set->field_count; i++) {
3584 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3588 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3589 htonl(set->field_len[i])))
3592 nla_nest_end(skb, field);
3595 nla_nest_end(skb, concat);
3600 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3601 const struct nft_set *set, u16 event, u16 flags)
3603 struct nfgenmsg *nfmsg;
3604 struct nlmsghdr *nlh;
3605 u32 portid = ctx->portid;
3606 struct nlattr *nest;
3609 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3610 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3613 goto nla_put_failure;
3615 nfmsg = nlmsg_data(nlh);
3616 nfmsg->nfgen_family = ctx->family;
3617 nfmsg->version = NFNETLINK_V0;
3618 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3620 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3621 goto nla_put_failure;
3622 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3623 goto nla_put_failure;
3624 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3626 goto nla_put_failure;
3627 if (set->flags != 0)
3628 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3629 goto nla_put_failure;
3631 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3632 goto nla_put_failure;
3633 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3634 goto nla_put_failure;
3635 if (set->flags & NFT_SET_MAP) {
3636 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3637 goto nla_put_failure;
3638 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3639 goto nla_put_failure;
3641 if (set->flags & NFT_SET_OBJECT &&
3642 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3643 goto nla_put_failure;
3646 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3647 nf_jiffies64_to_msecs(set->timeout),
3649 goto nla_put_failure;
3651 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3652 goto nla_put_failure;
3654 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3655 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3656 goto nla_put_failure;
3659 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3660 goto nla_put_failure;
3662 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3664 goto nla_put_failure;
3666 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3667 goto nla_put_failure;
3669 if (set->field_count > 1 &&
3670 nf_tables_fill_set_concat(skb, set))
3671 goto nla_put_failure;
3673 nla_nest_end(skb, nest);
3676 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3677 if (nf_tables_fill_expr_info(skb, set->expr) < 0)
3678 goto nla_put_failure;
3680 nla_nest_end(skb, nest);
3683 nlmsg_end(skb, nlh);
3687 nlmsg_trim(skb, nlh);
3691 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3692 const struct nft_set *set, int event,
3695 struct sk_buff *skb;
3696 u32 portid = ctx->portid;
3700 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3703 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3707 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3713 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3717 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3720 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3722 const struct nft_set *set;
3723 unsigned int idx, s_idx = cb->args[0];
3724 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3725 struct net *net = sock_net(skb->sk);
3726 struct nft_ctx *ctx = cb->data, ctx_set;
3732 cb->seq = net->nft.base_seq;
3734 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3735 if (ctx->family != NFPROTO_UNSPEC &&
3736 ctx->family != table->family)
3739 if (ctx->table && ctx->table != table)
3743 if (cur_table != table)
3749 list_for_each_entry_rcu(set, &table->sets, list) {
3752 if (!nft_is_active(net, set))
3756 ctx_set.table = table;
3757 ctx_set.family = table->family;
3759 if (nf_tables_fill_set(skb, &ctx_set, set,
3763 cb->args[2] = (unsigned long) table;
3766 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3779 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3781 struct nft_ctx *ctx_dump = NULL;
3783 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3784 if (ctx_dump == NULL)
3787 cb->data = ctx_dump;
3791 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3797 /* called with rcu_read_lock held */
3798 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3799 struct sk_buff *skb, const struct nlmsghdr *nlh,
3800 const struct nlattr * const nla[],
3801 struct netlink_ext_ack *extack)
3803 u8 genmask = nft_genmask_cur(net);
3804 const struct nft_set *set;
3806 struct sk_buff *skb2;
3807 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3810 /* Verify existence before starting dump */
3811 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3816 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3817 struct netlink_dump_control c = {
3818 .start = nf_tables_dump_sets_start,
3819 .dump = nf_tables_dump_sets,
3820 .done = nf_tables_dump_sets_done,
3822 .module = THIS_MODULE,
3825 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3828 /* Only accept unspec with dump */
3829 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3830 return -EAFNOSUPPORT;
3831 if (!nla[NFTA_SET_TABLE])
3834 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3836 return PTR_ERR(set);
3838 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3842 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3846 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3853 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
3854 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
3857 static int nft_set_desc_concat_parse(const struct nlattr *attr,
3858 struct nft_set_desc *desc)
3860 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
3864 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
3865 nft_concat_policy, NULL);
3869 if (!tb[NFTA_SET_FIELD_LEN])
3872 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
3874 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
3877 desc->field_len[desc->field_count++] = len;
3882 static int nft_set_desc_concat(struct nft_set_desc *desc,
3883 const struct nlattr *nla)
3885 struct nlattr *attr;
3888 nla_for_each_nested(attr, nla, rem) {
3889 if (nla_type(attr) != NFTA_LIST_ELEM)
3892 err = nft_set_desc_concat_parse(attr, desc);
3900 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3901 const struct nlattr *nla)
3903 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3906 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3907 nft_set_desc_policy, NULL);
3911 if (da[NFTA_SET_DESC_SIZE] != NULL)
3912 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3913 if (da[NFTA_SET_DESC_CONCAT])
3914 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
3919 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3920 struct sk_buff *skb, const struct nlmsghdr *nlh,
3921 const struct nlattr * const nla[],
3922 struct netlink_ext_ack *extack)
3924 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3925 u8 genmask = nft_genmask_next(net);
3926 int family = nfmsg->nfgen_family;
3927 const struct nft_set_ops *ops;
3928 struct nft_expr *expr = NULL;
3929 struct nft_table *table;
3930 struct nft_set *set;
3935 u32 ktype, dtype, flags, policy, gc_int, objtype;
3936 struct nft_set_desc desc;
3937 unsigned char *udata;
3942 if (nla[NFTA_SET_TABLE] == NULL ||
3943 nla[NFTA_SET_NAME] == NULL ||
3944 nla[NFTA_SET_KEY_LEN] == NULL ||
3945 nla[NFTA_SET_ID] == NULL)
3948 memset(&desc, 0, sizeof(desc));
3950 ktype = NFT_DATA_VALUE;
3951 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3952 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3953 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3957 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3958 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3962 if (nla[NFTA_SET_FLAGS] != NULL) {
3963 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3964 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3965 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3966 NFT_SET_MAP | NFT_SET_EVAL |
3967 NFT_SET_OBJECT | NFT_SET_CONCAT))
3969 /* Only one of these operations is supported */
3970 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3971 (NFT_SET_MAP | NFT_SET_OBJECT))
3973 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3974 (NFT_SET_EVAL | NFT_SET_OBJECT))
3979 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3980 if (!(flags & NFT_SET_MAP))
3983 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3984 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3985 dtype != NFT_DATA_VERDICT)
3988 if (dtype != NFT_DATA_VERDICT) {
3989 if (nla[NFTA_SET_DATA_LEN] == NULL)
3991 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3992 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3995 desc.dlen = sizeof(struct nft_verdict);
3996 } else if (flags & NFT_SET_MAP)
3999 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4000 if (!(flags & NFT_SET_OBJECT))
4003 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4004 if (objtype == NFT_OBJECT_UNSPEC ||
4005 objtype > NFT_OBJECT_MAX)
4007 } else if (flags & NFT_SET_OBJECT)
4010 objtype = NFT_OBJECT_UNSPEC;
4013 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4014 if (!(flags & NFT_SET_TIMEOUT))
4017 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4022 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4023 if (!(flags & NFT_SET_TIMEOUT))
4025 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4028 policy = NFT_SET_POL_PERFORMANCE;
4029 if (nla[NFTA_SET_POLICY] != NULL)
4030 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4032 if (nla[NFTA_SET_DESC] != NULL) {
4033 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4038 if (nla[NFTA_SET_EXPR])
4041 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4042 if (IS_ERR(table)) {
4043 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4044 return PTR_ERR(table);
4047 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4049 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4051 if (PTR_ERR(set) != -ENOENT) {
4052 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4053 return PTR_ERR(set);
4056 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4057 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4060 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4066 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4069 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4071 return PTR_ERR(ops);
4074 if (nla[NFTA_SET_USERDATA])
4075 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4078 if (ops->privsize != NULL)
4079 size = ops->privsize(nla, &desc);
4081 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4085 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4091 err = nf_tables_set_alloc_name(&ctx, set, name);
4094 goto err_set_alloc_name;
4096 if (nla[NFTA_SET_EXPR]) {
4097 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4099 err = PTR_ERR(expr);
4100 goto err_set_alloc_name;
4106 udata = set->data + size;
4107 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4110 INIT_LIST_HEAD(&set->bindings);
4112 write_pnet(&set->net, net);
4115 set->klen = desc.klen;
4117 set->objtype = objtype;
4118 set->dlen = desc.dlen;
4121 set->size = desc.size;
4122 set->policy = policy;
4125 set->timeout = timeout;
4126 set->gc_int = gc_int;
4127 set->handle = nf_tables_alloc_handle(table);
4129 set->field_count = desc.field_count;
4130 for (i = 0; i < desc.field_count; i++)
4131 set->field_len[i] = desc.field_len[i];
4133 err = ops->init(set, &desc, nla);
4137 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4141 list_add_tail_rcu(&set->list, &table->sets);
4149 nft_expr_destroy(&ctx, expr);
4157 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4159 if (WARN_ON(set->use > 0))
4163 nft_expr_destroy(ctx, set->expr);
4165 set->ops->destroy(set);
4170 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4171 struct sk_buff *skb, const struct nlmsghdr *nlh,
4172 const struct nlattr * const nla[],
4173 struct netlink_ext_ack *extack)
4175 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4176 u8 genmask = nft_genmask_next(net);
4177 const struct nlattr *attr;
4178 struct nft_set *set;
4182 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4183 return -EAFNOSUPPORT;
4184 if (nla[NFTA_SET_TABLE] == NULL)
4187 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4192 if (nla[NFTA_SET_HANDLE]) {
4193 attr = nla[NFTA_SET_HANDLE];
4194 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4196 attr = nla[NFTA_SET_NAME];
4197 set = nft_set_lookup(ctx.table, attr, genmask);
4201 NL_SET_BAD_ATTR(extack, attr);
4202 return PTR_ERR(set);
4205 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4206 NL_SET_BAD_ATTR(extack, attr);
4210 return nft_delset(&ctx, set);
4213 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4214 struct nft_set *set,
4215 const struct nft_set_iter *iter,
4216 struct nft_set_elem *elem)
4218 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4219 enum nft_registers dreg;
4221 dreg = nft_type_to_reg(set->dtype);
4222 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4223 set->dtype == NFT_DATA_VERDICT ?
4224 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4228 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4229 struct nft_set_binding *binding)
4231 struct nft_set_binding *i;
4232 struct nft_set_iter iter;
4234 if (set->use == UINT_MAX)
4237 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4240 if (binding->flags & NFT_SET_MAP) {
4241 /* If the set is already bound to the same chain all
4242 * jumps are already validated for that chain.
4244 list_for_each_entry(i, &set->bindings, list) {
4245 if (i->flags & NFT_SET_MAP &&
4246 i->chain == binding->chain)
4250 iter.genmask = nft_genmask_next(ctx->net);
4254 iter.fn = nf_tables_bind_check_setelem;
4256 set->ops->walk(ctx, set, &iter);
4261 binding->chain = ctx->chain;
4262 list_add_tail_rcu(&binding->list, &set->bindings);
4263 nft_set_trans_bind(ctx, set);
4268 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4270 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4271 struct nft_set_binding *binding, bool event)
4273 list_del_rcu(&binding->list);
4275 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4276 list_del_rcu(&set->list);
4278 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4283 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4284 struct nft_set_binding *binding,
4285 enum nft_trans_phase phase)
4288 case NFT_TRANS_PREPARE:
4291 case NFT_TRANS_ABORT:
4292 case NFT_TRANS_RELEASE:
4296 nf_tables_unbind_set(ctx, set, binding,
4297 phase == NFT_TRANS_COMMIT);
4300 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4302 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4304 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4305 nft_set_destroy(ctx, set);
4307 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4309 const struct nft_set_ext_type nft_set_ext_types[] = {
4310 [NFT_SET_EXT_KEY] = {
4311 .align = __alignof__(u32),
4313 [NFT_SET_EXT_DATA] = {
4314 .align = __alignof__(u32),
4316 [NFT_SET_EXT_EXPR] = {
4317 .align = __alignof__(struct nft_expr),
4319 [NFT_SET_EXT_OBJREF] = {
4320 .len = sizeof(struct nft_object *),
4321 .align = __alignof__(struct nft_object *),
4323 [NFT_SET_EXT_FLAGS] = {
4325 .align = __alignof__(u8),
4327 [NFT_SET_EXT_TIMEOUT] = {
4329 .align = __alignof__(u64),
4331 [NFT_SET_EXT_EXPIRATION] = {
4333 .align = __alignof__(u64),
4335 [NFT_SET_EXT_USERDATA] = {
4336 .len = sizeof(struct nft_userdata),
4337 .align = __alignof__(struct nft_userdata),
4339 [NFT_SET_EXT_KEY_END] = {
4340 .align = __alignof__(u32),
4348 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4349 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4350 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4351 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4352 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4353 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4354 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4355 .len = NFT_USERDATA_MAXLEN },
4356 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4357 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4358 .len = NFT_OBJ_MAXNAMELEN - 1 },
4359 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4362 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4363 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4364 .len = NFT_TABLE_MAXNAMELEN - 1 },
4365 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4366 .len = NFT_SET_MAXNAMELEN - 1 },
4367 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4368 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4371 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4372 const struct sk_buff *skb,
4373 const struct nlmsghdr *nlh,
4374 const struct nlattr * const nla[],
4375 struct netlink_ext_ack *extack,
4378 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4379 int family = nfmsg->nfgen_family;
4380 struct nft_table *table;
4382 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4384 if (IS_ERR(table)) {
4385 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4386 return PTR_ERR(table);
4389 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4393 static int nf_tables_fill_setelem(struct sk_buff *skb,
4394 const struct nft_set *set,
4395 const struct nft_set_elem *elem)
4397 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4398 unsigned char *b = skb_tail_pointer(skb);
4399 struct nlattr *nest;
4401 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4403 goto nla_put_failure;
4405 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4406 NFT_DATA_VALUE, set->klen) < 0)
4407 goto nla_put_failure;
4409 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4410 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4411 NFT_DATA_VALUE, set->klen) < 0)
4412 goto nla_put_failure;
4414 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4415 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4416 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4418 goto nla_put_failure;
4420 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4421 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4422 goto nla_put_failure;
4424 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4425 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4426 (*nft_set_ext_obj(ext))->key.name) < 0)
4427 goto nla_put_failure;
4429 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4430 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4431 htonl(*nft_set_ext_flags(ext))))
4432 goto nla_put_failure;
4434 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4435 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4436 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4438 goto nla_put_failure;
4440 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4441 u64 expires, now = get_jiffies_64();
4443 expires = *nft_set_ext_expiration(ext);
4444 if (time_before64(now, expires))
4449 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4450 nf_jiffies64_to_msecs(expires),
4452 goto nla_put_failure;
4455 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4456 struct nft_userdata *udata;
4458 udata = nft_set_ext_userdata(ext);
4459 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4460 udata->len + 1, udata->data))
4461 goto nla_put_failure;
4464 nla_nest_end(skb, nest);
4472 struct nft_set_dump_args {
4473 const struct netlink_callback *cb;
4474 struct nft_set_iter iter;
4475 struct sk_buff *skb;
4478 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4479 struct nft_set *set,
4480 const struct nft_set_iter *iter,
4481 struct nft_set_elem *elem)
4483 struct nft_set_dump_args *args;
4485 args = container_of(iter, struct nft_set_dump_args, iter);
4486 return nf_tables_fill_setelem(args->skb, set, elem);
4489 struct nft_set_dump_ctx {
4490 const struct nft_set *set;
4494 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4496 struct nft_set_dump_ctx *dump_ctx = cb->data;
4497 struct net *net = sock_net(skb->sk);
4498 struct nft_table *table;
4499 struct nft_set *set;
4500 struct nft_set_dump_args args;
4501 bool set_found = false;
4502 struct nfgenmsg *nfmsg;
4503 struct nlmsghdr *nlh;
4504 struct nlattr *nest;
4509 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4510 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4511 dump_ctx->ctx.family != table->family)
4514 if (table != dump_ctx->ctx.table)
4517 list_for_each_entry_rcu(set, &table->sets, list) {
4518 if (set == dump_ctx->set) {
4531 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4532 portid = NETLINK_CB(cb->skb).portid;
4533 seq = cb->nlh->nlmsg_seq;
4535 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4538 goto nla_put_failure;
4540 nfmsg = nlmsg_data(nlh);
4541 nfmsg->nfgen_family = table->family;
4542 nfmsg->version = NFNETLINK_V0;
4543 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4545 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4546 goto nla_put_failure;
4547 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4548 goto nla_put_failure;
4550 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4552 goto nla_put_failure;
4556 args.iter.genmask = nft_genmask_cur(net);
4557 args.iter.skip = cb->args[0];
4558 args.iter.count = 0;
4560 args.iter.fn = nf_tables_dump_setelem;
4561 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4564 nla_nest_end(skb, nest);
4565 nlmsg_end(skb, nlh);
4567 if (args.iter.err && args.iter.err != -EMSGSIZE)
4568 return args.iter.err;
4569 if (args.iter.count == cb->args[0])
4572 cb->args[0] = args.iter.count;
4580 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4582 struct nft_set_dump_ctx *dump_ctx = cb->data;
4584 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4586 return cb->data ? 0 : -ENOMEM;
4589 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4595 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4596 const struct nft_ctx *ctx, u32 seq,
4597 u32 portid, int event, u16 flags,
4598 const struct nft_set *set,
4599 const struct nft_set_elem *elem)
4601 struct nfgenmsg *nfmsg;
4602 struct nlmsghdr *nlh;
4603 struct nlattr *nest;
4606 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4607 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4610 goto nla_put_failure;
4612 nfmsg = nlmsg_data(nlh);
4613 nfmsg->nfgen_family = ctx->family;
4614 nfmsg->version = NFNETLINK_V0;
4615 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4617 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4618 goto nla_put_failure;
4619 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4620 goto nla_put_failure;
4622 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4624 goto nla_put_failure;
4626 err = nf_tables_fill_setelem(skb, set, elem);
4628 goto nla_put_failure;
4630 nla_nest_end(skb, nest);
4632 nlmsg_end(skb, nlh);
4636 nlmsg_trim(skb, nlh);
4640 static int nft_setelem_parse_flags(const struct nft_set *set,
4641 const struct nlattr *attr, u32 *flags)
4646 *flags = ntohl(nla_get_be32(attr));
4647 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4649 if (!(set->flags & NFT_SET_INTERVAL) &&
4650 *flags & NFT_SET_ELEM_INTERVAL_END)
4656 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4657 struct nft_data *key, struct nlattr *attr)
4659 struct nft_data_desc desc;
4662 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4666 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4667 nft_data_release(key, desc.type);
4674 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4675 struct nft_data_desc *desc,
4676 struct nft_data *data,
4677 struct nlattr *attr)
4681 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4685 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4686 nft_data_release(data, desc->type);
4693 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4694 const struct nlattr *attr)
4696 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4697 struct nft_set_elem elem;
4698 struct sk_buff *skb;
4703 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4704 nft_set_elem_policy, NULL);
4708 if (!nla[NFTA_SET_ELEM_KEY])
4711 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4715 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4716 nla[NFTA_SET_ELEM_KEY]);
4720 if (nla[NFTA_SET_ELEM_KEY_END]) {
4721 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4722 nla[NFTA_SET_ELEM_KEY_END]);
4727 priv = set->ops->get(ctx->net, set, &elem, flags);
4729 return PTR_ERR(priv);
4734 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4738 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4739 NFT_MSG_NEWSETELEM, 0, set, &elem);
4743 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4744 /* This avoids a loop in nfnetlink. */
4752 /* this avoids a loop in nfnetlink. */
4753 return err == -EAGAIN ? -ENOBUFS : err;
4756 /* called with rcu_read_lock held */
4757 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4758 struct sk_buff *skb, const struct nlmsghdr *nlh,
4759 const struct nlattr * const nla[],
4760 struct netlink_ext_ack *extack)
4762 u8 genmask = nft_genmask_cur(net);
4763 struct nft_set *set;
4764 struct nlattr *attr;
4768 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4773 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4775 return PTR_ERR(set);
4777 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4778 struct netlink_dump_control c = {
4779 .start = nf_tables_dump_set_start,
4780 .dump = nf_tables_dump_set,
4781 .done = nf_tables_dump_set_done,
4782 .module = THIS_MODULE,
4784 struct nft_set_dump_ctx dump_ctx = {
4790 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4793 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4796 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4797 err = nft_get_set_elem(&ctx, set, attr);
4805 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4806 const struct nft_set *set,
4807 const struct nft_set_elem *elem,
4808 int event, u16 flags)
4810 struct net *net = ctx->net;
4811 u32 portid = ctx->portid;
4812 struct sk_buff *skb;
4815 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4818 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4822 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4829 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4833 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4836 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4838 struct nft_set *set)
4840 struct nft_trans *trans;
4842 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4846 nft_trans_elem_set(trans) = set;
4850 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
4851 const struct nft_set *set,
4852 const struct nlattr *attr)
4854 struct nft_expr *expr;
4857 expr = nft_expr_init(ctx, attr);
4862 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
4863 goto err_set_elem_expr;
4865 if (expr->ops->type->flags & NFT_EXPR_GC) {
4866 if (set->flags & NFT_SET_TIMEOUT)
4867 goto err_set_elem_expr;
4868 if (!set->ops->gc_init)
4869 goto err_set_elem_expr;
4870 set->ops->gc_init(set);
4876 nft_expr_destroy(ctx, expr);
4877 return ERR_PTR(err);
4880 void *nft_set_elem_init(const struct nft_set *set,
4881 const struct nft_set_ext_tmpl *tmpl,
4882 const u32 *key, const u32 *key_end,
4883 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
4885 struct nft_set_ext *ext;
4888 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4892 ext = nft_set_elem_ext(set, elem);
4893 nft_set_ext_init(ext, tmpl);
4895 memcpy(nft_set_ext_key(ext), key, set->klen);
4896 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
4897 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
4898 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4899 memcpy(nft_set_ext_data(ext), data, set->dlen);
4900 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4901 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4902 if (expiration == 0)
4903 *nft_set_ext_expiration(ext) += timeout;
4905 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4906 *nft_set_ext_timeout(ext) = timeout;
4911 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
4912 struct nft_expr *expr)
4914 if (expr->ops->destroy_clone) {
4915 expr->ops->destroy_clone(ctx, expr);
4916 module_put(expr->ops->type->owner);
4918 nf_tables_expr_destroy(ctx, expr);
4922 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4925 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4926 struct nft_ctx ctx = {
4927 .net = read_pnet(&set->net),
4928 .family = set->table->family,
4931 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4932 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4933 nft_data_release(nft_set_ext_data(ext), set->dtype);
4934 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4935 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
4937 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4938 (*nft_set_ext_obj(ext))->use--;
4941 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4943 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4944 * the refcounting from the preparation phase.
4946 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4947 const struct nft_set *set, void *elem)
4949 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4951 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4952 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
4957 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4958 const struct nlattr *attr, u32 nlmsg_flags)
4960 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4961 u8 genmask = nft_genmask_next(ctx->net);
4962 struct nft_set_ext_tmpl tmpl;
4963 struct nft_set_ext *ext, *ext2;
4964 struct nft_set_elem elem;
4965 struct nft_set_binding *binding;
4966 struct nft_object *obj = NULL;
4967 struct nft_expr *expr = NULL;
4968 struct nft_userdata *udata;
4969 struct nft_data_desc desc;
4970 enum nft_registers dreg;
4971 struct nft_trans *trans;
4978 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4979 nft_set_elem_policy, NULL);
4983 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4986 nft_set_ext_prepare(&tmpl);
4988 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4992 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4994 if (set->flags & NFT_SET_MAP) {
4995 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4996 !(flags & NFT_SET_ELEM_INTERVAL_END))
4999 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5003 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5004 (nla[NFTA_SET_ELEM_DATA] ||
5005 nla[NFTA_SET_ELEM_OBJREF] ||
5006 nla[NFTA_SET_ELEM_TIMEOUT] ||
5007 nla[NFTA_SET_ELEM_EXPIRATION] ||
5008 nla[NFTA_SET_ELEM_USERDATA] ||
5009 nla[NFTA_SET_ELEM_EXPR]))
5013 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5014 if (!(set->flags & NFT_SET_TIMEOUT))
5016 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5020 } else if (set->flags & NFT_SET_TIMEOUT) {
5021 timeout = set->timeout;
5025 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5026 if (!(set->flags & NFT_SET_TIMEOUT))
5028 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5034 if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
5035 expr = nft_set_elem_expr_alloc(ctx, set,
5036 nla[NFTA_SET_ELEM_EXPR]);
5038 return PTR_ERR(expr);
5041 if (set->expr && set->expr->ops != expr->ops)
5042 goto err_set_elem_expr;
5043 } else if (set->expr) {
5044 expr = kzalloc(set->expr->ops->size, GFP_KERNEL);
5048 err = nft_expr_clone(expr, set->expr);
5050 goto err_set_elem_expr;
5053 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5054 nla[NFTA_SET_ELEM_KEY]);
5056 goto err_set_elem_expr;
5058 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5060 if (nla[NFTA_SET_ELEM_KEY_END]) {
5061 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5062 nla[NFTA_SET_ELEM_KEY_END]);
5066 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5070 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5071 if (timeout != set->timeout)
5072 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5076 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
5079 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5080 if (!(set->flags & NFT_SET_OBJECT)) {
5082 goto err_parse_key_end;
5084 obj = nft_obj_lookup(ctx->net, ctx->table,
5085 nla[NFTA_SET_ELEM_OBJREF],
5086 set->objtype, genmask);
5089 goto err_parse_key_end;
5091 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5094 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5095 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5096 nla[NFTA_SET_ELEM_DATA]);
5098 goto err_parse_key_end;
5100 dreg = nft_type_to_reg(set->dtype);
5101 list_for_each_entry(binding, &set->bindings, list) {
5102 struct nft_ctx bind_ctx = {
5104 .family = ctx->family,
5105 .table = ctx->table,
5106 .chain = (struct nft_chain *)binding->chain,
5109 if (!(binding->flags & NFT_SET_MAP))
5112 err = nft_validate_register_store(&bind_ctx, dreg,
5114 desc.type, desc.len);
5116 goto err_parse_data;
5118 if (desc.type == NFT_DATA_VERDICT &&
5119 (elem.data.val.verdict.code == NFT_GOTO ||
5120 elem.data.val.verdict.code == NFT_JUMP))
5121 nft_validate_state_update(ctx->net,
5125 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5128 /* The full maximum length of userdata can exceed the maximum
5129 * offset value (U8_MAX) for following extensions, therefor it
5130 * must be the last extension added.
5133 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5134 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5136 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5141 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5142 elem.key_end.val.data, elem.data.val.data,
5143 timeout, expiration, GFP_KERNEL);
5144 if (elem.priv == NULL)
5145 goto err_parse_data;
5147 ext = nft_set_elem_ext(set, elem.priv);
5149 *nft_set_ext_flags(ext) = flags;
5151 udata = nft_set_ext_userdata(ext);
5152 udata->len = ulen - 1;
5153 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5156 *nft_set_ext_obj(ext) = obj;
5160 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
5165 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5169 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5170 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5172 if (err == -EEXIST) {
5173 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5174 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5175 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5176 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
5178 goto err_element_clash;
5180 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5181 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5182 memcmp(nft_set_ext_data(ext),
5183 nft_set_ext_data(ext2), set->dlen) != 0) ||
5184 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5185 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5186 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5188 else if (!(nlmsg_flags & NLM_F_EXCL))
5190 } else if (err == -ENOTEMPTY) {
5191 /* ENOTEMPTY reports overlapping between this element
5192 * and an existing one.
5196 goto err_element_clash;
5200 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5205 nft_trans_elem(trans) = elem;
5206 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5210 set->ops->remove(ctx->net, set, &elem);
5217 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5219 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5220 nft_data_release(&elem.data.val, desc.type);
5222 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5224 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5227 nft_expr_destroy(ctx, expr);
5232 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5233 struct sk_buff *skb, const struct nlmsghdr *nlh,
5234 const struct nlattr * const nla[],
5235 struct netlink_ext_ack *extack)
5237 u8 genmask = nft_genmask_next(net);
5238 const struct nlattr *attr;
5239 struct nft_set *set;
5243 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5246 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5251 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5252 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5254 return PTR_ERR(set);
5256 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5259 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5260 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5265 if (net->nft.validate_state == NFT_VALIDATE_DO)
5266 return nft_table_validate(net, ctx.table);
5272 * nft_data_hold - hold a nft_data item
5274 * @data: struct nft_data to release
5275 * @type: type of data
5277 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5278 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5279 * NFT_GOTO verdicts. This function must be called on active data objects
5280 * from the second phase of the commit protocol.
5282 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5284 if (type == NFT_DATA_VERDICT) {
5285 switch (data->verdict.code) {
5288 data->verdict.chain->use++;
5294 static void nft_set_elem_activate(const struct net *net,
5295 const struct nft_set *set,
5296 struct nft_set_elem *elem)
5298 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5300 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5301 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5302 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5303 (*nft_set_ext_obj(ext))->use++;
5306 static void nft_set_elem_deactivate(const struct net *net,
5307 const struct nft_set *set,
5308 struct nft_set_elem *elem)
5310 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5312 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5313 nft_data_release(nft_set_ext_data(ext), set->dtype);
5314 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5315 (*nft_set_ext_obj(ext))->use--;
5318 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5319 const struct nlattr *attr)
5321 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5322 struct nft_set_ext_tmpl tmpl;
5323 struct nft_set_elem elem;
5324 struct nft_set_ext *ext;
5325 struct nft_trans *trans;
5330 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5331 nft_set_elem_policy, NULL);
5335 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5338 nft_set_ext_prepare(&tmpl);
5340 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5344 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5346 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5347 nla[NFTA_SET_ELEM_KEY]);
5351 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5353 if (nla[NFTA_SET_ELEM_KEY_END]) {
5354 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5355 nla[NFTA_SET_ELEM_KEY_END]);
5359 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5363 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5364 elem.key_end.val.data, NULL, 0, 0,
5366 if (elem.priv == NULL)
5369 ext = nft_set_elem_ext(set, elem.priv);
5371 *nft_set_ext_flags(ext) = flags;
5373 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5377 priv = set->ops->deactivate(ctx->net, set, &elem);
5385 nft_set_elem_deactivate(ctx->net, set, &elem);
5387 nft_trans_elem(trans) = elem;
5388 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5396 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5400 static int nft_flush_set(const struct nft_ctx *ctx,
5401 struct nft_set *set,
5402 const struct nft_set_iter *iter,
5403 struct nft_set_elem *elem)
5405 struct nft_trans *trans;
5408 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5409 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5413 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5419 nft_set_elem_deactivate(ctx->net, set, elem);
5420 nft_trans_elem_set(trans) = set;
5421 nft_trans_elem(trans) = *elem;
5422 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5430 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5431 struct sk_buff *skb, const struct nlmsghdr *nlh,
5432 const struct nlattr * const nla[],
5433 struct netlink_ext_ack *extack)
5435 u8 genmask = nft_genmask_next(net);
5436 const struct nlattr *attr;
5437 struct nft_set *set;
5441 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5446 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5448 return PTR_ERR(set);
5449 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5452 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5453 struct nft_set_iter iter = {
5455 .fn = nft_flush_set,
5457 set->ops->walk(&ctx, set, &iter);
5462 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5463 err = nft_del_setelem(&ctx, set, attr);
5472 void nft_set_gc_batch_release(struct rcu_head *rcu)
5474 struct nft_set_gc_batch *gcb;
5477 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5478 for (i = 0; i < gcb->head.cnt; i++)
5479 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5483 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5486 struct nft_set_gc_batch *gcb;
5488 gcb = kzalloc(sizeof(*gcb), gfp);
5491 gcb->head.set = set;
5500 * nft_register_obj- register nf_tables stateful object type
5503 * Registers the object type for use with nf_tables. Returns zero on
5504 * success or a negative errno code otherwise.
5506 int nft_register_obj(struct nft_object_type *obj_type)
5508 if (obj_type->type == NFT_OBJECT_UNSPEC)
5511 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5512 list_add_rcu(&obj_type->list, &nf_tables_objects);
5513 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5516 EXPORT_SYMBOL_GPL(nft_register_obj);
5519 * nft_unregister_obj - unregister nf_tables object type
5522 * Unregisters the object type for use with nf_tables.
5524 void nft_unregister_obj(struct nft_object_type *obj_type)
5526 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5527 list_del_rcu(&obj_type->list);
5528 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5530 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5532 struct nft_object *nft_obj_lookup(const struct net *net,
5533 const struct nft_table *table,
5534 const struct nlattr *nla, u32 objtype,
5537 struct nft_object_hash_key k = { .table = table };
5538 char search[NFT_OBJ_MAXNAMELEN];
5539 struct rhlist_head *tmp, *list;
5540 struct nft_object *obj;
5542 nla_strlcpy(search, nla, sizeof(search));
5545 WARN_ON_ONCE(!rcu_read_lock_held() &&
5546 !lockdep_commit_lock_is_held(net));
5549 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5553 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5554 if (objtype == obj->ops->type->type &&
5555 nft_active_genmask(obj, genmask)) {
5562 return ERR_PTR(-ENOENT);
5564 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5566 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5567 const struct nlattr *nla,
5568 u32 objtype, u8 genmask)
5570 struct nft_object *obj;
5572 list_for_each_entry(obj, &table->objects, list) {
5573 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5574 objtype == obj->ops->type->type &&
5575 nft_active_genmask(obj, genmask))
5578 return ERR_PTR(-ENOENT);
5581 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5582 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5583 .len = NFT_TABLE_MAXNAMELEN - 1 },
5584 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5585 .len = NFT_OBJ_MAXNAMELEN - 1 },
5586 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5587 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5588 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5591 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5592 const struct nft_object_type *type,
5593 const struct nlattr *attr)
5596 const struct nft_object_ops *ops;
5597 struct nft_object *obj;
5600 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5605 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5606 type->policy, NULL);
5610 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5613 if (type->select_ops) {
5614 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5624 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5628 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5641 return ERR_PTR(err);
5644 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5645 struct nft_object *obj, bool reset)
5647 struct nlattr *nest;
5649 nest = nla_nest_start_noflag(skb, attr);
5651 goto nla_put_failure;
5652 if (obj->ops->dump(skb, obj, reset) < 0)
5653 goto nla_put_failure;
5654 nla_nest_end(skb, nest);
5661 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5663 const struct nft_object_type *type;
5665 list_for_each_entry(type, &nf_tables_objects, list) {
5666 if (objtype == type->type)
5672 static const struct nft_object_type *
5673 nft_obj_type_get(struct net *net, u32 objtype)
5675 const struct nft_object_type *type;
5677 type = __nft_obj_type_get(objtype);
5678 if (type != NULL && try_module_get(type->owner))
5681 lockdep_nfnl_nft_mutex_not_held();
5682 #ifdef CONFIG_MODULES
5684 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5685 return ERR_PTR(-EAGAIN);
5688 return ERR_PTR(-ENOENT);
5691 static int nf_tables_updobj(const struct nft_ctx *ctx,
5692 const struct nft_object_type *type,
5693 const struct nlattr *attr,
5694 struct nft_object *obj)
5696 struct nft_object *newobj;
5697 struct nft_trans *trans;
5700 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5701 sizeof(struct nft_trans_obj));
5705 newobj = nft_obj_init(ctx, type, attr);
5706 if (IS_ERR(newobj)) {
5707 err = PTR_ERR(newobj);
5708 goto err_free_trans;
5711 nft_trans_obj(trans) = obj;
5712 nft_trans_obj_update(trans) = true;
5713 nft_trans_obj_newobj(trans) = newobj;
5714 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5723 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5724 struct sk_buff *skb, const struct nlmsghdr *nlh,
5725 const struct nlattr * const nla[],
5726 struct netlink_ext_ack *extack)
5728 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5729 const struct nft_object_type *type;
5730 u8 genmask = nft_genmask_next(net);
5731 int family = nfmsg->nfgen_family;
5732 struct nft_table *table;
5733 struct nft_object *obj;
5738 if (!nla[NFTA_OBJ_TYPE] ||
5739 !nla[NFTA_OBJ_NAME] ||
5740 !nla[NFTA_OBJ_DATA])
5743 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5744 if (IS_ERR(table)) {
5745 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5746 return PTR_ERR(table);
5749 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5750 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5753 if (err != -ENOENT) {
5754 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5758 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5759 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5762 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5765 type = __nft_obj_type_get(objtype);
5766 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5768 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5771 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5773 type = nft_obj_type_get(net, objtype);
5775 return PTR_ERR(type);
5777 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5782 obj->key.table = table;
5783 obj->handle = nf_tables_alloc_handle(table);
5785 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5786 if (!obj->key.name) {
5791 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5795 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5796 nft_objname_ht_params);
5800 list_add_tail_rcu(&obj->list, &table->objects);
5804 /* queued in transaction log */
5805 INIT_LIST_HEAD(&obj->list);
5808 kfree(obj->key.name);
5810 if (obj->ops->destroy)
5811 obj->ops->destroy(&ctx, obj);
5814 module_put(type->owner);
5818 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5819 u32 portid, u32 seq, int event, u32 flags,
5820 int family, const struct nft_table *table,
5821 struct nft_object *obj, bool reset)
5823 struct nfgenmsg *nfmsg;
5824 struct nlmsghdr *nlh;
5826 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5827 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5829 goto nla_put_failure;
5831 nfmsg = nlmsg_data(nlh);
5832 nfmsg->nfgen_family = family;
5833 nfmsg->version = NFNETLINK_V0;
5834 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5836 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5837 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5838 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5839 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5840 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5841 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5843 goto nla_put_failure;
5845 nlmsg_end(skb, nlh);
5849 nlmsg_trim(skb, nlh);
5853 struct nft_obj_filter {
5858 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5860 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5861 const struct nft_table *table;
5862 unsigned int idx = 0, s_idx = cb->args[0];
5863 struct nft_obj_filter *filter = cb->data;
5864 struct net *net = sock_net(skb->sk);
5865 int family = nfmsg->nfgen_family;
5866 struct nft_object *obj;
5869 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5873 cb->seq = net->nft.base_seq;
5875 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5876 if (family != NFPROTO_UNSPEC && family != table->family)
5879 list_for_each_entry_rcu(obj, &table->objects, list) {
5880 if (!nft_is_active(net, obj))
5885 memset(&cb->args[1], 0,
5886 sizeof(cb->args) - sizeof(cb->args[0]));
5887 if (filter && filter->table &&
5888 strcmp(filter->table, table->name))
5891 filter->type != NFT_OBJECT_UNSPEC &&
5892 obj->ops->type->type != filter->type)
5895 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5898 NLM_F_MULTI | NLM_F_APPEND,
5899 table->family, table,
5903 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5915 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5917 const struct nlattr * const *nla = cb->data;
5918 struct nft_obj_filter *filter = NULL;
5920 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5921 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5925 if (nla[NFTA_OBJ_TABLE]) {
5926 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5927 if (!filter->table) {
5933 if (nla[NFTA_OBJ_TYPE])
5934 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5941 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5943 struct nft_obj_filter *filter = cb->data;
5946 kfree(filter->table);
5953 /* called with rcu_read_lock held */
5954 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5955 struct sk_buff *skb, const struct nlmsghdr *nlh,
5956 const struct nlattr * const nla[],
5957 struct netlink_ext_ack *extack)
5959 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5960 u8 genmask = nft_genmask_cur(net);
5961 int family = nfmsg->nfgen_family;
5962 const struct nft_table *table;
5963 struct nft_object *obj;
5964 struct sk_buff *skb2;
5969 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5970 struct netlink_dump_control c = {
5971 .start = nf_tables_dump_obj_start,
5972 .dump = nf_tables_dump_obj,
5973 .done = nf_tables_dump_obj_done,
5974 .module = THIS_MODULE,
5975 .data = (void *)nla,
5978 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5981 if (!nla[NFTA_OBJ_NAME] ||
5982 !nla[NFTA_OBJ_TYPE])
5985 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5986 if (IS_ERR(table)) {
5987 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5988 return PTR_ERR(table);
5991 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5992 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5994 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5995 return PTR_ERR(obj);
5998 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6002 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6005 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6006 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6007 family, table, obj, reset);
6011 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6017 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6019 if (obj->ops->destroy)
6020 obj->ops->destroy(ctx, obj);
6022 module_put(obj->ops->type->owner);
6023 kfree(obj->key.name);
6027 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6028 struct sk_buff *skb, const struct nlmsghdr *nlh,
6029 const struct nlattr * const nla[],
6030 struct netlink_ext_ack *extack)
6032 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6033 u8 genmask = nft_genmask_next(net);
6034 int family = nfmsg->nfgen_family;
6035 const struct nlattr *attr;
6036 struct nft_table *table;
6037 struct nft_object *obj;
6041 if (!nla[NFTA_OBJ_TYPE] ||
6042 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6045 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6046 if (IS_ERR(table)) {
6047 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6048 return PTR_ERR(table);
6051 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6052 if (nla[NFTA_OBJ_HANDLE]) {
6053 attr = nla[NFTA_OBJ_HANDLE];
6054 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6056 attr = nla[NFTA_OBJ_NAME];
6057 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6061 NL_SET_BAD_ATTR(extack, attr);
6062 return PTR_ERR(obj);
6065 NL_SET_BAD_ATTR(extack, attr);
6069 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6071 return nft_delobj(&ctx, obj);
6074 void nft_obj_notify(struct net *net, const struct nft_table *table,
6075 struct nft_object *obj, u32 portid, u32 seq, int event,
6076 int family, int report, gfp_t gfp)
6078 struct sk_buff *skb;
6082 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6085 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6089 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6096 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
6099 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6101 EXPORT_SYMBOL_GPL(nft_obj_notify);
6103 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6104 struct nft_object *obj, int event)
6106 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6107 ctx->family, ctx->report, GFP_KERNEL);
6113 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6115 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6116 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6117 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6119 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6121 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6123 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6124 list_del_rcu(&type->list);
6125 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6127 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6129 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6130 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6131 .len = NFT_NAME_MAXLEN - 1 },
6132 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6133 .len = NFT_NAME_MAXLEN - 1 },
6134 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6135 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6136 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6139 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6140 const struct nlattr *nla, u8 genmask)
6142 struct nft_flowtable *flowtable;
6144 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6145 if (!nla_strcmp(nla, flowtable->name) &&
6146 nft_active_genmask(flowtable, genmask))
6149 return ERR_PTR(-ENOENT);
6151 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6153 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6154 struct nft_flowtable *flowtable,
6155 enum nft_trans_phase phase)
6158 case NFT_TRANS_PREPARE:
6159 case NFT_TRANS_ABORT:
6160 case NFT_TRANS_RELEASE:
6167 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6169 static struct nft_flowtable *
6170 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6171 const struct nlattr *nla, u8 genmask)
6173 struct nft_flowtable *flowtable;
6175 list_for_each_entry(flowtable, &table->flowtables, list) {
6176 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6177 nft_active_genmask(flowtable, genmask))
6180 return ERR_PTR(-ENOENT);
6183 struct nft_flowtable_hook {
6186 struct list_head list;
6189 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6190 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6191 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6192 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6195 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6196 const struct nlattr *attr,
6197 struct nft_flowtable_hook *flowtable_hook,
6198 struct nft_flowtable *flowtable, bool add)
6200 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6201 struct nft_hook *hook;
6202 int hooknum, priority;
6205 INIT_LIST_HEAD(&flowtable_hook->list);
6207 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6208 nft_flowtable_hook_policy, NULL);
6213 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6214 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6217 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6218 if (hooknum != NF_NETDEV_INGRESS)
6221 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6223 flowtable_hook->priority = priority;
6224 flowtable_hook->num = hooknum;
6226 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6227 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6228 if (hooknum != flowtable->hooknum)
6232 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6233 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6234 if (priority != flowtable->data.priority)
6238 flowtable_hook->priority = flowtable->data.priority;
6239 flowtable_hook->num = flowtable->hooknum;
6242 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6243 err = nf_tables_parse_netdev_hooks(ctx->net,
6244 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6245 &flowtable_hook->list);
6250 list_for_each_entry(hook, &flowtable_hook->list, list) {
6251 hook->ops.pf = NFPROTO_NETDEV;
6252 hook->ops.hooknum = flowtable_hook->num;
6253 hook->ops.priority = flowtable_hook->priority;
6254 hook->ops.priv = &flowtable->data;
6255 hook->ops.hook = flowtable->data.type->hook;
6261 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6263 const struct nf_flowtable_type *type;
6265 list_for_each_entry(type, &nf_tables_flowtables, list) {
6266 if (family == type->family)
6272 static const struct nf_flowtable_type *
6273 nft_flowtable_type_get(struct net *net, u8 family)
6275 const struct nf_flowtable_type *type;
6277 type = __nft_flowtable_type_get(family);
6278 if (type != NULL && try_module_get(type->owner))
6281 lockdep_nfnl_nft_mutex_not_held();
6282 #ifdef CONFIG_MODULES
6284 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6285 return ERR_PTR(-EAGAIN);
6288 return ERR_PTR(-ENOENT);
6291 /* Only called from error and netdev event paths. */
6292 static void nft_unregister_flowtable_hook(struct net *net,
6293 struct nft_flowtable *flowtable,
6294 struct nft_hook *hook)
6296 nf_unregister_net_hook(net, &hook->ops);
6297 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6301 static void nft_unregister_flowtable_net_hooks(struct net *net,
6302 struct list_head *hook_list)
6304 struct nft_hook *hook;
6306 list_for_each_entry(hook, hook_list, list)
6307 nf_unregister_net_hook(net, &hook->ops);
6310 static int nft_register_flowtable_net_hooks(struct net *net,
6311 struct nft_table *table,
6312 struct list_head *hook_list,
6313 struct nft_flowtable *flowtable)
6315 struct nft_hook *hook, *hook2, *next;
6316 struct nft_flowtable *ft;
6319 list_for_each_entry(hook, hook_list, list) {
6320 list_for_each_entry(ft, &table->flowtables, list) {
6321 list_for_each_entry(hook2, &ft->hook_list, list) {
6322 if (hook->ops.dev == hook2->ops.dev &&
6323 hook->ops.pf == hook2->ops.pf) {
6325 goto err_unregister_net_hooks;
6330 err = flowtable->data.type->setup(&flowtable->data,
6334 goto err_unregister_net_hooks;
6336 err = nf_register_net_hook(net, &hook->ops);
6338 flowtable->data.type->setup(&flowtable->data,
6341 goto err_unregister_net_hooks;
6349 err_unregister_net_hooks:
6350 list_for_each_entry_safe(hook, next, hook_list, list) {
6354 nft_unregister_flowtable_hook(net, flowtable, hook);
6355 list_del_rcu(&hook->list);
6356 kfree_rcu(hook, rcu);
6362 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6364 struct nft_hook *hook, *next;
6366 list_for_each_entry_safe(hook, next, hook_list, list) {
6367 list_del_rcu(&hook->list);
6368 kfree_rcu(hook, rcu);
6372 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6373 struct nft_flowtable *flowtable)
6375 const struct nlattr * const *nla = ctx->nla;
6376 struct nft_flowtable_hook flowtable_hook;
6377 struct nft_hook *hook, *next;
6378 struct nft_trans *trans;
6379 bool unregister = false;
6382 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6383 &flowtable_hook, flowtable, false);
6387 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6388 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6389 list_del(&hook->list);
6394 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6395 &flowtable_hook.list, flowtable);
6397 goto err_flowtable_update_hook;
6399 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6400 sizeof(struct nft_trans_flowtable));
6404 goto err_flowtable_update_hook;
6407 nft_trans_flowtable(trans) = flowtable;
6408 nft_trans_flowtable_update(trans) = true;
6409 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6410 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6412 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6416 err_flowtable_update_hook:
6417 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6419 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6420 list_del_rcu(&hook->list);
6421 kfree_rcu(hook, rcu);
6428 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6429 struct sk_buff *skb,
6430 const struct nlmsghdr *nlh,
6431 const struct nlattr * const nla[],
6432 struct netlink_ext_ack *extack)
6434 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6435 struct nft_flowtable_hook flowtable_hook;
6436 const struct nf_flowtable_type *type;
6437 u8 genmask = nft_genmask_next(net);
6438 int family = nfmsg->nfgen_family;
6439 struct nft_flowtable *flowtable;
6440 struct nft_hook *hook, *next;
6441 struct nft_table *table;
6445 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6446 !nla[NFTA_FLOWTABLE_NAME] ||
6447 !nla[NFTA_FLOWTABLE_HOOK])
6450 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6452 if (IS_ERR(table)) {
6453 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6454 return PTR_ERR(table);
6457 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6459 if (IS_ERR(flowtable)) {
6460 err = PTR_ERR(flowtable);
6461 if (err != -ENOENT) {
6462 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6466 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6467 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6471 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6473 return nft_flowtable_update(&ctx, nlh, flowtable);
6476 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6478 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6482 flowtable->table = table;
6483 flowtable->handle = nf_tables_alloc_handle(table);
6484 INIT_LIST_HEAD(&flowtable->hook_list);
6486 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6487 if (!flowtable->name) {
6492 type = nft_flowtable_type_get(net, family);
6494 err = PTR_ERR(type);
6498 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6499 flowtable->data.flags =
6500 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6501 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6505 write_pnet(&flowtable->data.net, net);
6506 flowtable->data.type = type;
6507 err = type->init(&flowtable->data);
6511 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6512 &flowtable_hook, flowtable, true);
6516 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6517 flowtable->data.priority = flowtable_hook.priority;
6518 flowtable->hooknum = flowtable_hook.num;
6520 err = nft_register_flowtable_net_hooks(ctx.net, table,
6521 &flowtable->hook_list,
6524 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6528 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6532 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6537 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6538 nft_unregister_flowtable_hook(net, flowtable, hook);
6539 list_del_rcu(&hook->list);
6540 kfree_rcu(hook, rcu);
6543 flowtable->data.type->free(&flowtable->data);
6545 module_put(type->owner);
6547 kfree(flowtable->name);
6553 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
6555 struct nft_hook *this, *next;
6557 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
6558 list_del(&this->list);
6563 static int nft_delflowtable_hook(struct nft_ctx *ctx,
6564 struct nft_flowtable *flowtable)
6566 const struct nlattr * const *nla = ctx->nla;
6567 struct nft_flowtable_hook flowtable_hook;
6568 struct nft_hook *this, *hook;
6569 struct nft_trans *trans;
6572 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6573 &flowtable_hook, flowtable, false);
6577 list_for_each_entry(this, &flowtable_hook.list, list) {
6578 hook = nft_hook_list_find(&flowtable->hook_list, this);
6581 goto err_flowtable_del_hook;
6583 hook->inactive = true;
6586 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
6587 sizeof(struct nft_trans_flowtable));
6590 goto err_flowtable_del_hook;
6593 nft_trans_flowtable(trans) = flowtable;
6594 nft_trans_flowtable_update(trans) = true;
6595 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6596 nft_flowtable_hook_release(&flowtable_hook);
6598 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6602 err_flowtable_del_hook:
6603 list_for_each_entry(this, &flowtable_hook.list, list) {
6604 hook = nft_hook_list_find(&flowtable->hook_list, this);
6608 hook->inactive = false;
6610 nft_flowtable_hook_release(&flowtable_hook);
6615 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6616 struct sk_buff *skb,
6617 const struct nlmsghdr *nlh,
6618 const struct nlattr * const nla[],
6619 struct netlink_ext_ack *extack)
6621 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6622 u8 genmask = nft_genmask_next(net);
6623 int family = nfmsg->nfgen_family;
6624 struct nft_flowtable *flowtable;
6625 const struct nlattr *attr;
6626 struct nft_table *table;
6629 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6630 (!nla[NFTA_FLOWTABLE_NAME] &&
6631 !nla[NFTA_FLOWTABLE_HANDLE]))
6634 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6636 if (IS_ERR(table)) {
6637 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6638 return PTR_ERR(table);
6641 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6642 attr = nla[NFTA_FLOWTABLE_HANDLE];
6643 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6645 attr = nla[NFTA_FLOWTABLE_NAME];
6646 flowtable = nft_flowtable_lookup(table, attr, genmask);
6649 if (IS_ERR(flowtable)) {
6650 NL_SET_BAD_ATTR(extack, attr);
6651 return PTR_ERR(flowtable);
6654 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6656 if (nla[NFTA_FLOWTABLE_HOOK])
6657 return nft_delflowtable_hook(&ctx, flowtable);
6659 if (flowtable->use > 0) {
6660 NL_SET_BAD_ATTR(extack, attr);
6664 return nft_delflowtable(&ctx, flowtable);
6667 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6668 u32 portid, u32 seq, int event,
6669 u32 flags, int family,
6670 struct nft_flowtable *flowtable,
6671 struct list_head *hook_list)
6673 struct nlattr *nest, *nest_devs;
6674 struct nfgenmsg *nfmsg;
6675 struct nft_hook *hook;
6676 struct nlmsghdr *nlh;
6678 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6679 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6681 goto nla_put_failure;
6683 nfmsg = nlmsg_data(nlh);
6684 nfmsg->nfgen_family = family;
6685 nfmsg->version = NFNETLINK_V0;
6686 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6688 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6689 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6690 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6691 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6692 NFTA_FLOWTABLE_PAD) ||
6693 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6694 goto nla_put_failure;
6696 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6698 goto nla_put_failure;
6699 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6700 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6701 goto nla_put_failure;
6703 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6705 goto nla_put_failure;
6707 list_for_each_entry_rcu(hook, hook_list, list) {
6708 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6709 goto nla_put_failure;
6711 nla_nest_end(skb, nest_devs);
6712 nla_nest_end(skb, nest);
6714 nlmsg_end(skb, nlh);
6718 nlmsg_trim(skb, nlh);
6722 struct nft_flowtable_filter {
6726 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6727 struct netlink_callback *cb)
6729 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6730 struct nft_flowtable_filter *filter = cb->data;
6731 unsigned int idx = 0, s_idx = cb->args[0];
6732 struct net *net = sock_net(skb->sk);
6733 int family = nfmsg->nfgen_family;
6734 struct nft_flowtable *flowtable;
6735 const struct nft_table *table;
6738 cb->seq = net->nft.base_seq;
6740 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6741 if (family != NFPROTO_UNSPEC && family != table->family)
6744 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6745 if (!nft_is_active(net, flowtable))
6750 memset(&cb->args[1], 0,
6751 sizeof(cb->args) - sizeof(cb->args[0]));
6752 if (filter && filter->table &&
6753 strcmp(filter->table, table->name))
6756 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6758 NFT_MSG_NEWFLOWTABLE,
6759 NLM_F_MULTI | NLM_F_APPEND,
6762 &flowtable->hook_list) < 0)
6765 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6777 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6779 const struct nlattr * const *nla = cb->data;
6780 struct nft_flowtable_filter *filter = NULL;
6782 if (nla[NFTA_FLOWTABLE_TABLE]) {
6783 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6787 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6789 if (!filter->table) {
6799 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6801 struct nft_flowtable_filter *filter = cb->data;
6806 kfree(filter->table);
6812 /* called with rcu_read_lock held */
6813 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6814 struct sk_buff *skb,
6815 const struct nlmsghdr *nlh,
6816 const struct nlattr * const nla[],
6817 struct netlink_ext_ack *extack)
6819 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6820 u8 genmask = nft_genmask_cur(net);
6821 int family = nfmsg->nfgen_family;
6822 struct nft_flowtable *flowtable;
6823 const struct nft_table *table;
6824 struct sk_buff *skb2;
6827 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6828 struct netlink_dump_control c = {
6829 .start = nf_tables_dump_flowtable_start,
6830 .dump = nf_tables_dump_flowtable,
6831 .done = nf_tables_dump_flowtable_done,
6832 .module = THIS_MODULE,
6833 .data = (void *)nla,
6836 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6839 if (!nla[NFTA_FLOWTABLE_NAME])
6842 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6845 return PTR_ERR(table);
6847 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6849 if (IS_ERR(flowtable))
6850 return PTR_ERR(flowtable);
6852 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6856 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6858 NFT_MSG_NEWFLOWTABLE, 0, family,
6859 flowtable, &flowtable->hook_list);
6863 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6869 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6870 struct nft_flowtable *flowtable,
6871 struct list_head *hook_list,
6874 struct sk_buff *skb;
6878 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6881 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6885 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6887 ctx->family, flowtable, hook_list);
6893 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6894 ctx->report, GFP_KERNEL);
6897 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6900 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6902 struct nft_hook *hook, *next;
6904 flowtable->data.type->free(&flowtable->data);
6905 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6906 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6908 list_del_rcu(&hook->list);
6911 kfree(flowtable->name);
6912 module_put(flowtable->data.type->owner);
6916 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6917 u32 portid, u32 seq)
6919 struct nlmsghdr *nlh;
6920 struct nfgenmsg *nfmsg;
6921 char buf[TASK_COMM_LEN];
6922 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6924 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6926 goto nla_put_failure;
6928 nfmsg = nlmsg_data(nlh);
6929 nfmsg->nfgen_family = AF_UNSPEC;
6930 nfmsg->version = NFNETLINK_V0;
6931 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6933 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6934 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6935 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6936 goto nla_put_failure;
6938 nlmsg_end(skb, nlh);
6942 nlmsg_trim(skb, nlh);
6946 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6947 struct nft_flowtable *flowtable)
6949 struct nft_hook *hook;
6951 list_for_each_entry(hook, &flowtable->hook_list, list) {
6952 if (hook->ops.dev != dev)
6955 /* flow_offload_netdev_event() cleans up entries for us. */
6956 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
6957 list_del_rcu(&hook->list);
6958 kfree_rcu(hook, rcu);
6963 static int nf_tables_flowtable_event(struct notifier_block *this,
6964 unsigned long event, void *ptr)
6966 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6967 struct nft_flowtable *flowtable;
6968 struct nft_table *table;
6971 if (event != NETDEV_UNREGISTER)
6975 mutex_lock(&net->nft.commit_mutex);
6976 list_for_each_entry(table, &net->nft.tables, list) {
6977 list_for_each_entry(flowtable, &table->flowtables, list) {
6978 nft_flowtable_event(event, dev, flowtable);
6981 mutex_unlock(&net->nft.commit_mutex);
6986 static struct notifier_block nf_tables_flowtable_notifier = {
6987 .notifier_call = nf_tables_flowtable_event,
6990 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6993 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6994 struct sk_buff *skb2;
6997 if (nlmsg_report(nlh) &&
6998 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7001 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7005 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7012 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7013 nlmsg_report(nlh), GFP_KERNEL);
7016 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7020 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7021 struct sk_buff *skb, const struct nlmsghdr *nlh,
7022 const struct nlattr * const nla[],
7023 struct netlink_ext_ack *extack)
7025 struct sk_buff *skb2;
7028 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7032 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7037 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
7043 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7044 [NFT_MSG_NEWTABLE] = {
7045 .call_batch = nf_tables_newtable,
7046 .attr_count = NFTA_TABLE_MAX,
7047 .policy = nft_table_policy,
7049 [NFT_MSG_GETTABLE] = {
7050 .call_rcu = nf_tables_gettable,
7051 .attr_count = NFTA_TABLE_MAX,
7052 .policy = nft_table_policy,
7054 [NFT_MSG_DELTABLE] = {
7055 .call_batch = nf_tables_deltable,
7056 .attr_count = NFTA_TABLE_MAX,
7057 .policy = nft_table_policy,
7059 [NFT_MSG_NEWCHAIN] = {
7060 .call_batch = nf_tables_newchain,
7061 .attr_count = NFTA_CHAIN_MAX,
7062 .policy = nft_chain_policy,
7064 [NFT_MSG_GETCHAIN] = {
7065 .call_rcu = nf_tables_getchain,
7066 .attr_count = NFTA_CHAIN_MAX,
7067 .policy = nft_chain_policy,
7069 [NFT_MSG_DELCHAIN] = {
7070 .call_batch = nf_tables_delchain,
7071 .attr_count = NFTA_CHAIN_MAX,
7072 .policy = nft_chain_policy,
7074 [NFT_MSG_NEWRULE] = {
7075 .call_batch = nf_tables_newrule,
7076 .attr_count = NFTA_RULE_MAX,
7077 .policy = nft_rule_policy,
7079 [NFT_MSG_GETRULE] = {
7080 .call_rcu = nf_tables_getrule,
7081 .attr_count = NFTA_RULE_MAX,
7082 .policy = nft_rule_policy,
7084 [NFT_MSG_DELRULE] = {
7085 .call_batch = nf_tables_delrule,
7086 .attr_count = NFTA_RULE_MAX,
7087 .policy = nft_rule_policy,
7089 [NFT_MSG_NEWSET] = {
7090 .call_batch = nf_tables_newset,
7091 .attr_count = NFTA_SET_MAX,
7092 .policy = nft_set_policy,
7094 [NFT_MSG_GETSET] = {
7095 .call_rcu = nf_tables_getset,
7096 .attr_count = NFTA_SET_MAX,
7097 .policy = nft_set_policy,
7099 [NFT_MSG_DELSET] = {
7100 .call_batch = nf_tables_delset,
7101 .attr_count = NFTA_SET_MAX,
7102 .policy = nft_set_policy,
7104 [NFT_MSG_NEWSETELEM] = {
7105 .call_batch = nf_tables_newsetelem,
7106 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7107 .policy = nft_set_elem_list_policy,
7109 [NFT_MSG_GETSETELEM] = {
7110 .call_rcu = nf_tables_getsetelem,
7111 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7112 .policy = nft_set_elem_list_policy,
7114 [NFT_MSG_DELSETELEM] = {
7115 .call_batch = nf_tables_delsetelem,
7116 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7117 .policy = nft_set_elem_list_policy,
7119 [NFT_MSG_GETGEN] = {
7120 .call_rcu = nf_tables_getgen,
7122 [NFT_MSG_NEWOBJ] = {
7123 .call_batch = nf_tables_newobj,
7124 .attr_count = NFTA_OBJ_MAX,
7125 .policy = nft_obj_policy,
7127 [NFT_MSG_GETOBJ] = {
7128 .call_rcu = nf_tables_getobj,
7129 .attr_count = NFTA_OBJ_MAX,
7130 .policy = nft_obj_policy,
7132 [NFT_MSG_DELOBJ] = {
7133 .call_batch = nf_tables_delobj,
7134 .attr_count = NFTA_OBJ_MAX,
7135 .policy = nft_obj_policy,
7137 [NFT_MSG_GETOBJ_RESET] = {
7138 .call_rcu = nf_tables_getobj,
7139 .attr_count = NFTA_OBJ_MAX,
7140 .policy = nft_obj_policy,
7142 [NFT_MSG_NEWFLOWTABLE] = {
7143 .call_batch = nf_tables_newflowtable,
7144 .attr_count = NFTA_FLOWTABLE_MAX,
7145 .policy = nft_flowtable_policy,
7147 [NFT_MSG_GETFLOWTABLE] = {
7148 .call_rcu = nf_tables_getflowtable,
7149 .attr_count = NFTA_FLOWTABLE_MAX,
7150 .policy = nft_flowtable_policy,
7152 [NFT_MSG_DELFLOWTABLE] = {
7153 .call_batch = nf_tables_delflowtable,
7154 .attr_count = NFTA_FLOWTABLE_MAX,
7155 .policy = nft_flowtable_policy,
7159 static int nf_tables_validate(struct net *net)
7161 struct nft_table *table;
7163 switch (net->nft.validate_state) {
7164 case NFT_VALIDATE_SKIP:
7166 case NFT_VALIDATE_NEED:
7167 nft_validate_state_update(net, NFT_VALIDATE_DO);
7169 case NFT_VALIDATE_DO:
7170 list_for_each_entry(table, &net->nft.tables, list) {
7171 if (nft_table_validate(net, table) < 0)
7180 /* a drop policy has to be deferred until all rules have been activated,
7181 * otherwise a large ruleset that contains a drop-policy base chain will
7182 * cause all packets to get dropped until the full transaction has been
7185 * We defer the drop policy until the transaction has been finalized.
7187 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7189 struct nft_base_chain *basechain;
7191 if (nft_trans_chain_policy(trans) != NF_DROP)
7194 if (!nft_is_base_chain(trans->ctx.chain))
7197 basechain = nft_base_chain(trans->ctx.chain);
7198 basechain->policy = NF_DROP;
7201 static void nft_chain_commit_update(struct nft_trans *trans)
7203 struct nft_base_chain *basechain;
7205 if (nft_trans_chain_name(trans)) {
7206 rhltable_remove(&trans->ctx.table->chains_ht,
7207 &trans->ctx.chain->rhlhead,
7208 nft_chain_ht_params);
7209 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7210 rhltable_insert_key(&trans->ctx.table->chains_ht,
7211 trans->ctx.chain->name,
7212 &trans->ctx.chain->rhlhead,
7213 nft_chain_ht_params);
7216 if (!nft_is_base_chain(trans->ctx.chain))
7219 nft_chain_stats_replace(trans);
7221 basechain = nft_base_chain(trans->ctx.chain);
7223 switch (nft_trans_chain_policy(trans)) {
7226 basechain->policy = nft_trans_chain_policy(trans);
7231 static void nft_obj_commit_update(struct nft_trans *trans)
7233 struct nft_object *newobj;
7234 struct nft_object *obj;
7236 obj = nft_trans_obj(trans);
7237 newobj = nft_trans_obj_newobj(trans);
7239 if (obj->ops->update)
7240 obj->ops->update(obj, newobj);
7245 static void nft_commit_release(struct nft_trans *trans)
7247 switch (trans->msg_type) {
7248 case NFT_MSG_DELTABLE:
7249 nf_tables_table_destroy(&trans->ctx);
7251 case NFT_MSG_NEWCHAIN:
7252 free_percpu(nft_trans_chain_stats(trans));
7253 kfree(nft_trans_chain_name(trans));
7255 case NFT_MSG_DELCHAIN:
7256 nf_tables_chain_destroy(&trans->ctx);
7258 case NFT_MSG_DELRULE:
7259 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7261 case NFT_MSG_DELSET:
7262 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7264 case NFT_MSG_DELSETELEM:
7265 nf_tables_set_elem_destroy(&trans->ctx,
7266 nft_trans_elem_set(trans),
7267 nft_trans_elem(trans).priv);
7269 case NFT_MSG_DELOBJ:
7270 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7272 case NFT_MSG_DELFLOWTABLE:
7273 if (nft_trans_flowtable_update(trans))
7274 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7276 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7281 put_net(trans->ctx.net);
7286 static void nf_tables_trans_destroy_work(struct work_struct *w)
7288 struct nft_trans *trans, *next;
7291 spin_lock(&nf_tables_destroy_list_lock);
7292 list_splice_init(&nf_tables_destroy_list, &head);
7293 spin_unlock(&nf_tables_destroy_list_lock);
7295 if (list_empty(&head))
7300 list_for_each_entry_safe(trans, next, &head, list) {
7301 list_del(&trans->list);
7302 nft_commit_release(trans);
7306 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7308 struct nft_rule *rule;
7309 unsigned int alloc = 0;
7312 /* already handled or inactive chain? */
7313 if (chain->rules_next || !nft_is_active_next(net, chain))
7316 rule = list_entry(&chain->rules, struct nft_rule, list);
7319 list_for_each_entry_continue(rule, &chain->rules, list) {
7320 if (nft_is_active_next(net, rule))
7324 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7325 if (!chain->rules_next)
7328 list_for_each_entry_continue(rule, &chain->rules, list) {
7329 if (nft_is_active_next(net, rule))
7330 chain->rules_next[i++] = rule;
7333 chain->rules_next[i] = NULL;
7337 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7339 struct nft_trans *trans, *next;
7341 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7342 struct nft_chain *chain = trans->ctx.chain;
7344 if (trans->msg_type == NFT_MSG_NEWRULE ||
7345 trans->msg_type == NFT_MSG_DELRULE) {
7346 kvfree(chain->rules_next);
7347 chain->rules_next = NULL;
7352 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7354 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7359 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7361 struct nft_rule **r = rules;
7362 struct nft_rules_old *old;
7367 r++; /* rcu_head is after end marker */
7371 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7374 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7376 struct nft_rule **g0, **g1;
7379 next_genbit = nft_gencursor_next(net);
7381 g0 = rcu_dereference_protected(chain->rules_gen_0,
7382 lockdep_commit_lock_is_held(net));
7383 g1 = rcu_dereference_protected(chain->rules_gen_1,
7384 lockdep_commit_lock_is_held(net));
7386 /* No changes to this chain? */
7387 if (chain->rules_next == NULL) {
7388 /* chain had no change in last or next generation */
7392 * chain had no change in this generation; make sure next
7393 * one uses same rules as current generation.
7396 rcu_assign_pointer(chain->rules_gen_1, g0);
7397 nf_tables_commit_chain_free_rules_old(g1);
7399 rcu_assign_pointer(chain->rules_gen_0, g1);
7400 nf_tables_commit_chain_free_rules_old(g0);
7407 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7409 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7411 chain->rules_next = NULL;
7417 nf_tables_commit_chain_free_rules_old(g1);
7419 nf_tables_commit_chain_free_rules_old(g0);
7422 static void nft_obj_del(struct nft_object *obj)
7424 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7425 list_del_rcu(&obj->list);
7428 static void nft_chain_del(struct nft_chain *chain)
7430 struct nft_table *table = chain->table;
7432 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7433 nft_chain_ht_params));
7434 list_del_rcu(&chain->list);
7437 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7438 struct list_head *hook_list)
7440 struct nft_hook *hook, *next;
7442 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7444 list_move(&hook->list, hook_list);
7448 static void nf_tables_module_autoload_cleanup(struct net *net)
7450 struct nft_module_request *req, *next;
7452 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7453 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7454 WARN_ON_ONCE(!req->done);
7455 list_del(&req->list);
7460 static void nf_tables_commit_release(struct net *net)
7462 struct nft_trans *trans;
7464 /* all side effects have to be made visible.
7465 * For example, if a chain named 'foo' has been deleted, a
7466 * new transaction must not find it anymore.
7468 * Memory reclaim happens asynchronously from work queue
7469 * to prevent expensive synchronize_rcu() in commit phase.
7471 if (list_empty(&net->nft.commit_list)) {
7472 nf_tables_module_autoload_cleanup(net);
7473 mutex_unlock(&net->nft.commit_mutex);
7477 trans = list_last_entry(&net->nft.commit_list,
7478 struct nft_trans, list);
7479 get_net(trans->ctx.net);
7480 WARN_ON_ONCE(trans->put_net);
7482 trans->put_net = true;
7483 spin_lock(&nf_tables_destroy_list_lock);
7484 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7485 spin_unlock(&nf_tables_destroy_list_lock);
7487 nf_tables_module_autoload_cleanup(net);
7488 mutex_unlock(&net->nft.commit_mutex);
7490 schedule_work(&trans_destroy_work);
7493 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7495 struct nft_trans *trans, *next;
7496 struct nft_trans_elem *te;
7497 struct nft_chain *chain;
7498 struct nft_table *table;
7501 if (list_empty(&net->nft.commit_list)) {
7502 mutex_unlock(&net->nft.commit_mutex);
7506 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7507 if (nf_tables_validate(net) < 0)
7510 err = nft_flow_rule_offload_commit(net);
7514 /* 1. Allocate space for next generation rules_gen_X[] */
7515 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7518 if (trans->msg_type == NFT_MSG_NEWRULE ||
7519 trans->msg_type == NFT_MSG_DELRULE) {
7520 chain = trans->ctx.chain;
7522 ret = nf_tables_commit_chain_prepare(net, chain);
7524 nf_tables_commit_chain_prepare_cancel(net);
7530 /* step 2. Make rules_gen_X visible to packet path */
7531 list_for_each_entry(table, &net->nft.tables, list) {
7532 list_for_each_entry(chain, &table->chains, list)
7533 nf_tables_commit_chain(net, chain);
7537 * Bump generation counter, invalidate any dump in progress.
7538 * Cannot fail after this point.
7540 while (++net->nft.base_seq == 0);
7542 /* step 3. Start new generation, rules_gen_X now in use. */
7543 net->nft.gencursor = nft_gencursor_next(net);
7545 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7546 switch (trans->msg_type) {
7547 case NFT_MSG_NEWTABLE:
7548 if (nft_trans_table_update(trans)) {
7549 if (!nft_trans_table_enable(trans)) {
7550 nf_tables_table_disable(net,
7552 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7555 nft_clear(net, trans->ctx.table);
7557 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7558 nft_trans_destroy(trans);
7560 case NFT_MSG_DELTABLE:
7561 list_del_rcu(&trans->ctx.table->list);
7562 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7564 case NFT_MSG_NEWCHAIN:
7565 if (nft_trans_chain_update(trans)) {
7566 nft_chain_commit_update(trans);
7567 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7568 /* trans destroyed after rcu grace period */
7570 nft_chain_commit_drop_policy(trans);
7571 nft_clear(net, trans->ctx.chain);
7572 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7573 nft_trans_destroy(trans);
7576 case NFT_MSG_DELCHAIN:
7577 nft_chain_del(trans->ctx.chain);
7578 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7579 nf_tables_unregister_hook(trans->ctx.net,
7583 case NFT_MSG_NEWRULE:
7584 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7585 nf_tables_rule_notify(&trans->ctx,
7586 nft_trans_rule(trans),
7588 nft_trans_destroy(trans);
7590 case NFT_MSG_DELRULE:
7591 list_del_rcu(&nft_trans_rule(trans)->list);
7592 nf_tables_rule_notify(&trans->ctx,
7593 nft_trans_rule(trans),
7595 nft_rule_expr_deactivate(&trans->ctx,
7596 nft_trans_rule(trans),
7599 case NFT_MSG_NEWSET:
7600 nft_clear(net, nft_trans_set(trans));
7601 /* This avoids hitting -EBUSY when deleting the table
7602 * from the transaction.
7604 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7605 !list_empty(&nft_trans_set(trans)->bindings))
7606 trans->ctx.table->use--;
7608 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7609 NFT_MSG_NEWSET, GFP_KERNEL);
7610 nft_trans_destroy(trans);
7612 case NFT_MSG_DELSET:
7613 list_del_rcu(&nft_trans_set(trans)->list);
7614 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7615 NFT_MSG_DELSET, GFP_KERNEL);
7617 case NFT_MSG_NEWSETELEM:
7618 te = (struct nft_trans_elem *)trans->data;
7620 te->set->ops->activate(net, te->set, &te->elem);
7621 nf_tables_setelem_notify(&trans->ctx, te->set,
7623 NFT_MSG_NEWSETELEM, 0);
7624 nft_trans_destroy(trans);
7626 case NFT_MSG_DELSETELEM:
7627 te = (struct nft_trans_elem *)trans->data;
7629 nf_tables_setelem_notify(&trans->ctx, te->set,
7631 NFT_MSG_DELSETELEM, 0);
7632 te->set->ops->remove(net, te->set, &te->elem);
7633 atomic_dec(&te->set->nelems);
7636 case NFT_MSG_NEWOBJ:
7637 if (nft_trans_obj_update(trans)) {
7638 nft_obj_commit_update(trans);
7639 nf_tables_obj_notify(&trans->ctx,
7640 nft_trans_obj(trans),
7643 nft_clear(net, nft_trans_obj(trans));
7644 nf_tables_obj_notify(&trans->ctx,
7645 nft_trans_obj(trans),
7647 nft_trans_destroy(trans);
7650 case NFT_MSG_DELOBJ:
7651 nft_obj_del(nft_trans_obj(trans));
7652 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7655 case NFT_MSG_NEWFLOWTABLE:
7656 if (nft_trans_flowtable_update(trans)) {
7657 nf_tables_flowtable_notify(&trans->ctx,
7658 nft_trans_flowtable(trans),
7659 &nft_trans_flowtable_hooks(trans),
7660 NFT_MSG_NEWFLOWTABLE);
7661 list_splice(&nft_trans_flowtable_hooks(trans),
7662 &nft_trans_flowtable(trans)->hook_list);
7664 nft_clear(net, nft_trans_flowtable(trans));
7665 nf_tables_flowtable_notify(&trans->ctx,
7666 nft_trans_flowtable(trans),
7667 &nft_trans_flowtable(trans)->hook_list,
7668 NFT_MSG_NEWFLOWTABLE);
7670 nft_trans_destroy(trans);
7672 case NFT_MSG_DELFLOWTABLE:
7673 if (nft_trans_flowtable_update(trans)) {
7674 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
7675 &nft_trans_flowtable_hooks(trans));
7676 nf_tables_flowtable_notify(&trans->ctx,
7677 nft_trans_flowtable(trans),
7678 &nft_trans_flowtable_hooks(trans),
7679 NFT_MSG_DELFLOWTABLE);
7680 nft_unregister_flowtable_net_hooks(net,
7681 &nft_trans_flowtable_hooks(trans));
7683 list_del_rcu(&nft_trans_flowtable(trans)->list);
7684 nf_tables_flowtable_notify(&trans->ctx,
7685 nft_trans_flowtable(trans),
7686 &nft_trans_flowtable(trans)->hook_list,
7687 NFT_MSG_DELFLOWTABLE);
7688 nft_unregister_flowtable_net_hooks(net,
7689 &nft_trans_flowtable(trans)->hook_list);
7695 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7696 nf_tables_commit_release(net);
7701 static void nf_tables_module_autoload(struct net *net)
7703 struct nft_module_request *req, *next;
7704 LIST_HEAD(module_list);
7706 list_splice_init(&net->nft.module_list, &module_list);
7707 mutex_unlock(&net->nft.commit_mutex);
7708 list_for_each_entry_safe(req, next, &module_list, list) {
7709 request_module("%s", req->module);
7712 mutex_lock(&net->nft.commit_mutex);
7713 list_splice(&module_list, &net->nft.module_list);
7716 static void nf_tables_abort_release(struct nft_trans *trans)
7718 switch (trans->msg_type) {
7719 case NFT_MSG_NEWTABLE:
7720 nf_tables_table_destroy(&trans->ctx);
7722 case NFT_MSG_NEWCHAIN:
7723 nf_tables_chain_destroy(&trans->ctx);
7725 case NFT_MSG_NEWRULE:
7726 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7728 case NFT_MSG_NEWSET:
7729 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7731 case NFT_MSG_NEWSETELEM:
7732 nft_set_elem_destroy(nft_trans_elem_set(trans),
7733 nft_trans_elem(trans).priv, true);
7735 case NFT_MSG_NEWOBJ:
7736 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7738 case NFT_MSG_NEWFLOWTABLE:
7739 if (nft_trans_flowtable_update(trans))
7740 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7742 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7748 static int __nf_tables_abort(struct net *net, bool autoload)
7750 struct nft_trans *trans, *next;
7751 struct nft_trans_elem *te;
7752 struct nft_hook *hook;
7754 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7756 switch (trans->msg_type) {
7757 case NFT_MSG_NEWTABLE:
7758 if (nft_trans_table_update(trans)) {
7759 if (nft_trans_table_enable(trans)) {
7760 nf_tables_table_disable(net,
7762 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7764 nft_trans_destroy(trans);
7766 list_del_rcu(&trans->ctx.table->list);
7769 case NFT_MSG_DELTABLE:
7770 nft_clear(trans->ctx.net, trans->ctx.table);
7771 nft_trans_destroy(trans);
7773 case NFT_MSG_NEWCHAIN:
7774 if (nft_trans_chain_update(trans)) {
7775 free_percpu(nft_trans_chain_stats(trans));
7776 kfree(nft_trans_chain_name(trans));
7777 nft_trans_destroy(trans);
7779 trans->ctx.table->use--;
7780 nft_chain_del(trans->ctx.chain);
7781 nf_tables_unregister_hook(trans->ctx.net,
7786 case NFT_MSG_DELCHAIN:
7787 trans->ctx.table->use++;
7788 nft_clear(trans->ctx.net, trans->ctx.chain);
7789 nft_trans_destroy(trans);
7791 case NFT_MSG_NEWRULE:
7792 trans->ctx.chain->use--;
7793 list_del_rcu(&nft_trans_rule(trans)->list);
7794 nft_rule_expr_deactivate(&trans->ctx,
7795 nft_trans_rule(trans),
7798 case NFT_MSG_DELRULE:
7799 trans->ctx.chain->use++;
7800 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7801 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7802 nft_trans_destroy(trans);
7804 case NFT_MSG_NEWSET:
7805 trans->ctx.table->use--;
7806 if (nft_trans_set_bound(trans)) {
7807 nft_trans_destroy(trans);
7810 list_del_rcu(&nft_trans_set(trans)->list);
7812 case NFT_MSG_DELSET:
7813 trans->ctx.table->use++;
7814 nft_clear(trans->ctx.net, nft_trans_set(trans));
7815 nft_trans_destroy(trans);
7817 case NFT_MSG_NEWSETELEM:
7818 if (nft_trans_elem_set_bound(trans)) {
7819 nft_trans_destroy(trans);
7822 te = (struct nft_trans_elem *)trans->data;
7823 te->set->ops->remove(net, te->set, &te->elem);
7824 atomic_dec(&te->set->nelems);
7826 case NFT_MSG_DELSETELEM:
7827 te = (struct nft_trans_elem *)trans->data;
7829 nft_set_elem_activate(net, te->set, &te->elem);
7830 te->set->ops->activate(net, te->set, &te->elem);
7833 nft_trans_destroy(trans);
7835 case NFT_MSG_NEWOBJ:
7836 if (nft_trans_obj_update(trans)) {
7837 kfree(nft_trans_obj_newobj(trans));
7838 nft_trans_destroy(trans);
7840 trans->ctx.table->use--;
7841 nft_obj_del(nft_trans_obj(trans));
7844 case NFT_MSG_DELOBJ:
7845 trans->ctx.table->use++;
7846 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7847 nft_trans_destroy(trans);
7849 case NFT_MSG_NEWFLOWTABLE:
7850 if (nft_trans_flowtable_update(trans)) {
7851 nft_unregister_flowtable_net_hooks(net,
7852 &nft_trans_flowtable_hooks(trans));
7854 trans->ctx.table->use--;
7855 list_del_rcu(&nft_trans_flowtable(trans)->list);
7856 nft_unregister_flowtable_net_hooks(net,
7857 &nft_trans_flowtable(trans)->hook_list);
7860 case NFT_MSG_DELFLOWTABLE:
7861 if (nft_trans_flowtable_update(trans)) {
7862 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
7863 hook->inactive = false;
7865 trans->ctx.table->use++;
7866 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7868 nft_trans_destroy(trans);
7875 list_for_each_entry_safe_reverse(trans, next,
7876 &net->nft.commit_list, list) {
7877 list_del(&trans->list);
7878 nf_tables_abort_release(trans);
7882 nf_tables_module_autoload(net);
7884 nf_tables_module_autoload_cleanup(net);
7889 static void nf_tables_cleanup(struct net *net)
7891 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7894 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
7896 int ret = __nf_tables_abort(net, autoload);
7898 mutex_unlock(&net->nft.commit_mutex);
7903 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7907 mutex_lock(&net->nft.commit_mutex);
7909 genid_ok = genid == 0 || net->nft.base_seq == genid;
7911 mutex_unlock(&net->nft.commit_mutex);
7913 /* else, commit mutex has to be released by commit or abort function */
7917 static const struct nfnetlink_subsystem nf_tables_subsys = {
7918 .name = "nf_tables",
7919 .subsys_id = NFNL_SUBSYS_NFTABLES,
7920 .cb_count = NFT_MSG_MAX,
7922 .commit = nf_tables_commit,
7923 .abort = nf_tables_abort,
7924 .cleanup = nf_tables_cleanup,
7925 .valid_genid = nf_tables_valid_genid,
7926 .owner = THIS_MODULE,
7929 int nft_chain_validate_dependency(const struct nft_chain *chain,
7930 enum nft_chain_types type)
7932 const struct nft_base_chain *basechain;
7934 if (nft_is_base_chain(chain)) {
7935 basechain = nft_base_chain(chain);
7936 if (basechain->type->type != type)
7941 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7943 int nft_chain_validate_hooks(const struct nft_chain *chain,
7944 unsigned int hook_flags)
7946 struct nft_base_chain *basechain;
7948 if (nft_is_base_chain(chain)) {
7949 basechain = nft_base_chain(chain);
7951 if ((1 << basechain->ops.hooknum) & hook_flags)
7959 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7962 * Loop detection - walk through the ruleset beginning at the destination chain
7963 * of a new jump until either the source chain is reached (loop) or all
7964 * reachable chains have been traversed.
7966 * The loop check is performed whenever a new jump verdict is added to an
7967 * expression or verdict map or a verdict map is bound to a new chain.
7970 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7971 const struct nft_chain *chain);
7973 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7974 struct nft_set *set,
7975 const struct nft_set_iter *iter,
7976 struct nft_set_elem *elem)
7978 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7979 const struct nft_data *data;
7981 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7982 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7985 data = nft_set_ext_data(ext);
7986 switch (data->verdict.code) {
7989 return nf_tables_check_loops(ctx, data->verdict.chain);
7995 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7996 const struct nft_chain *chain)
7998 const struct nft_rule *rule;
7999 const struct nft_expr *expr, *last;
8000 struct nft_set *set;
8001 struct nft_set_binding *binding;
8002 struct nft_set_iter iter;
8004 if (ctx->chain == chain)
8007 list_for_each_entry(rule, &chain->rules, list) {
8008 nft_rule_for_each_expr(expr, last, rule) {
8009 struct nft_immediate_expr *priv;
8010 const struct nft_data *data;
8013 if (strcmp(expr->ops->type->name, "immediate"))
8016 priv = nft_expr_priv(expr);
8017 if (priv->dreg != NFT_REG_VERDICT)
8021 switch (data->verdict.code) {
8024 err = nf_tables_check_loops(ctx,
8025 data->verdict.chain);
8034 list_for_each_entry(set, &ctx->table->sets, list) {
8035 if (!nft_is_active_next(ctx->net, set))
8037 if (!(set->flags & NFT_SET_MAP) ||
8038 set->dtype != NFT_DATA_VERDICT)
8041 list_for_each_entry(binding, &set->bindings, list) {
8042 if (!(binding->flags & NFT_SET_MAP) ||
8043 binding->chain != chain)
8046 iter.genmask = nft_genmask_next(ctx->net);
8050 iter.fn = nf_tables_loop_check_setelem;
8052 set->ops->walk(ctx, set, &iter);
8062 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8064 * @attr: netlink attribute to fetch value from
8065 * @max: maximum value to be stored in dest
8066 * @dest: pointer to the variable
8068 * Parse, check and store a given u32 netlink attribute into variable.
8069 * This function returns -ERANGE if the value goes over maximum value.
8070 * Otherwise a 0 is returned and the attribute value is stored in the
8071 * destination variable.
8073 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8077 val = ntohl(nla_get_be32(attr));
8084 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8087 * nft_parse_register - parse a register value from a netlink attribute
8089 * @attr: netlink attribute
8091 * Parse and translate a register value from a netlink attribute.
8092 * Registers used to be 128 bit wide, these register numbers will be
8093 * mapped to the corresponding 32 bit register numbers.
8095 unsigned int nft_parse_register(const struct nlattr *attr)
8099 reg = ntohl(nla_get_be32(attr));
8101 case NFT_REG_VERDICT...NFT_REG_4:
8102 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8104 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8107 EXPORT_SYMBOL_GPL(nft_parse_register);
8110 * nft_dump_register - dump a register value to a netlink attribute
8112 * @skb: socket buffer
8113 * @attr: attribute number
8114 * @reg: register number
8116 * Construct a netlink attribute containing the register number. For
8117 * compatibility reasons, register numbers being a multiple of 4 are
8118 * translated to the corresponding 128 bit register numbers.
8120 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8122 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8123 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8125 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8127 return nla_put_be32(skb, attr, htonl(reg));
8129 EXPORT_SYMBOL_GPL(nft_dump_register);
8132 * nft_validate_register_load - validate a load from a register
8134 * @reg: the register number
8135 * @len: the length of the data
8137 * Validate that the input register is one of the general purpose
8138 * registers and that the length of the load is within the bounds.
8140 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8142 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8146 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8151 EXPORT_SYMBOL_GPL(nft_validate_register_load);
8154 * nft_validate_register_store - validate an expressions' register store
8156 * @ctx: context of the expression performing the load
8157 * @reg: the destination register number
8158 * @data: the data to load
8159 * @type: the data type
8160 * @len: the length of the data
8162 * Validate that a data load uses the appropriate data type for
8163 * the destination register and the length is within the bounds.
8164 * A value of NULL for the data means that its runtime gathered
8167 int nft_validate_register_store(const struct nft_ctx *ctx,
8168 enum nft_registers reg,
8169 const struct nft_data *data,
8170 enum nft_data_types type, unsigned int len)
8175 case NFT_REG_VERDICT:
8176 if (type != NFT_DATA_VERDICT)
8180 (data->verdict.code == NFT_GOTO ||
8181 data->verdict.code == NFT_JUMP)) {
8182 err = nf_tables_check_loops(ctx, data->verdict.chain);
8189 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8193 if (reg * NFT_REG32_SIZE + len >
8194 sizeof_field(struct nft_regs, data))
8197 if (data != NULL && type != NFT_DATA_VALUE)
8202 EXPORT_SYMBOL_GPL(nft_validate_register_store);
8204 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8205 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8206 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8207 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8210 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8211 struct nft_data_desc *desc, const struct nlattr *nla)
8213 u8 genmask = nft_genmask_next(ctx->net);
8214 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8215 struct nft_chain *chain;
8218 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8219 nft_verdict_policy, NULL);
8223 if (!tb[NFTA_VERDICT_CODE])
8225 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8227 switch (data->verdict.code) {
8229 switch (data->verdict.code & NF_VERDICT_MASK) {
8244 if (!tb[NFTA_VERDICT_CHAIN])
8246 chain = nft_chain_lookup(ctx->net, ctx->table,
8247 tb[NFTA_VERDICT_CHAIN], genmask);
8249 return PTR_ERR(chain);
8250 if (nft_is_base_chain(chain))
8254 data->verdict.chain = chain;
8258 desc->len = sizeof(data->verdict);
8259 desc->type = NFT_DATA_VERDICT;
8263 static void nft_verdict_uninit(const struct nft_data *data)
8265 switch (data->verdict.code) {
8268 data->verdict.chain->use--;
8273 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8275 struct nlattr *nest;
8277 nest = nla_nest_start_noflag(skb, type);
8279 goto nla_put_failure;
8281 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8282 goto nla_put_failure;
8287 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8289 goto nla_put_failure;
8291 nla_nest_end(skb, nest);
8298 static int nft_value_init(const struct nft_ctx *ctx,
8299 struct nft_data *data, unsigned int size,
8300 struct nft_data_desc *desc, const struct nlattr *nla)
8310 nla_memcpy(data->data, nla, len);
8311 desc->type = NFT_DATA_VALUE;
8316 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8319 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8322 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8323 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8324 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8328 * nft_data_init - parse nf_tables data netlink attributes
8330 * @ctx: context of the expression using the data
8331 * @data: destination struct nft_data
8332 * @size: maximum data length
8333 * @desc: data description
8334 * @nla: netlink attribute containing data
8336 * Parse the netlink data attributes and initialize a struct nft_data.
8337 * The type and length of data are returned in the data description.
8339 * The caller can indicate that it only wants to accept data of type
8340 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8342 int nft_data_init(const struct nft_ctx *ctx,
8343 struct nft_data *data, unsigned int size,
8344 struct nft_data_desc *desc, const struct nlattr *nla)
8346 struct nlattr *tb[NFTA_DATA_MAX + 1];
8349 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8350 nft_data_policy, NULL);
8354 if (tb[NFTA_DATA_VALUE])
8355 return nft_value_init(ctx, data, size, desc,
8356 tb[NFTA_DATA_VALUE]);
8357 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8358 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8361 EXPORT_SYMBOL_GPL(nft_data_init);
8364 * nft_data_release - release a nft_data item
8366 * @data: struct nft_data to release
8367 * @type: type of data
8369 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8370 * all others need to be released by calling this function.
8372 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8374 if (type < NFT_DATA_VERDICT)
8377 case NFT_DATA_VERDICT:
8378 return nft_verdict_uninit(data);
8383 EXPORT_SYMBOL_GPL(nft_data_release);
8385 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8386 enum nft_data_types type, unsigned int len)
8388 struct nlattr *nest;
8391 nest = nla_nest_start_noflag(skb, attr);
8396 case NFT_DATA_VALUE:
8397 err = nft_value_dump(skb, data, len);
8399 case NFT_DATA_VERDICT:
8400 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8407 nla_nest_end(skb, nest);
8410 EXPORT_SYMBOL_GPL(nft_data_dump);
8412 int __nft_release_basechain(struct nft_ctx *ctx)
8414 struct nft_rule *rule, *nr;
8416 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8419 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8420 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8421 list_del(&rule->list);
8423 nf_tables_rule_release(ctx, rule);
8425 nft_chain_del(ctx->chain);
8427 nf_tables_chain_destroy(ctx);
8431 EXPORT_SYMBOL_GPL(__nft_release_basechain);
8433 static void __nft_release_tables(struct net *net)
8435 struct nft_flowtable *flowtable, *nf;
8436 struct nft_table *table, *nt;
8437 struct nft_chain *chain, *nc;
8438 struct nft_object *obj, *ne;
8439 struct nft_rule *rule, *nr;
8440 struct nft_set *set, *ns;
8441 struct nft_ctx ctx = {
8443 .family = NFPROTO_NETDEV,
8446 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8447 ctx.family = table->family;
8449 list_for_each_entry(chain, &table->chains, list)
8450 nf_tables_unregister_hook(net, table, chain);
8451 /* No packets are walking on these chains anymore. */
8453 list_for_each_entry(chain, &table->chains, list) {
8455 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8456 list_del(&rule->list);
8458 nf_tables_rule_release(&ctx, rule);
8461 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8462 list_del(&flowtable->list);
8464 nf_tables_flowtable_destroy(flowtable);
8466 list_for_each_entry_safe(set, ns, &table->sets, list) {
8467 list_del(&set->list);
8469 nft_set_destroy(&ctx, set);
8471 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8474 nft_obj_destroy(&ctx, obj);
8476 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8478 nft_chain_del(chain);
8480 nf_tables_chain_destroy(&ctx);
8482 list_del(&table->list);
8483 nf_tables_table_destroy(&ctx);
8487 static int __net_init nf_tables_init_net(struct net *net)
8489 INIT_LIST_HEAD(&net->nft.tables);
8490 INIT_LIST_HEAD(&net->nft.commit_list);
8491 INIT_LIST_HEAD(&net->nft.module_list);
8492 mutex_init(&net->nft.commit_mutex);
8493 net->nft.base_seq = 1;
8494 net->nft.validate_state = NFT_VALIDATE_SKIP;
8499 static void __net_exit nf_tables_exit_net(struct net *net)
8501 mutex_lock(&net->nft.commit_mutex);
8502 if (!list_empty(&net->nft.commit_list))
8503 __nf_tables_abort(net, false);
8504 __nft_release_tables(net);
8505 mutex_unlock(&net->nft.commit_mutex);
8506 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8507 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
8510 static struct pernet_operations nf_tables_net_ops = {
8511 .init = nf_tables_init_net,
8512 .exit = nf_tables_exit_net,
8515 static int __init nf_tables_module_init(void)
8519 spin_lock_init(&nf_tables_destroy_list_lock);
8520 err = register_pernet_subsys(&nf_tables_net_ops);
8524 err = nft_chain_filter_init();
8528 err = nf_tables_core_module_init();
8532 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8536 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8540 err = nft_offload_init();
8545 err = nfnetlink_subsys_register(&nf_tables_subsys);
8549 nft_chain_route_init();
8555 rhltable_destroy(&nft_objname_ht);
8557 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8559 nf_tables_core_module_exit();
8561 nft_chain_filter_fini();
8563 unregister_pernet_subsys(&nf_tables_net_ops);
8567 static void __exit nf_tables_module_exit(void)
8569 nfnetlink_subsys_unregister(&nf_tables_subsys);
8571 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8572 nft_chain_filter_fini();
8573 nft_chain_route_fini();
8574 unregister_pernet_subsys(&nf_tables_net_ops);
8575 cancel_work_sync(&trans_destroy_work);
8577 rhltable_destroy(&nft_objname_ht);
8578 nf_tables_core_module_exit();
8581 module_init(nf_tables_module_init);
8582 module_exit(nf_tables_module_exit);
8584 MODULE_LICENSE("GPL");
8585 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8586 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob