2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 static int nf_tables_register_hook(struct net *net,
78 const struct nft_table *table,
79 struct nft_chain *chain)
81 const struct nft_base_chain *basechain;
82 const struct nf_hook_ops *ops;
84 if (table->flags & NFT_TABLE_F_DORMANT ||
85 !nft_is_base_chain(chain))
88 basechain = nft_base_chain(chain);
89 ops = &basechain->ops;
91 if (basechain->type->ops_register)
92 return basechain->type->ops_register(net, ops);
94 return nf_register_net_hook(net, ops);
97 static void nf_tables_unregister_hook(struct net *net,
98 const struct nft_table *table,
99 struct nft_chain *chain)
101 const struct nft_base_chain *basechain;
102 const struct nf_hook_ops *ops;
104 if (table->flags & NFT_TABLE_F_DORMANT ||
105 !nft_is_base_chain(chain))
107 basechain = nft_base_chain(chain);
108 ops = &basechain->ops;
110 if (basechain->type->ops_unregister)
111 return basechain->type->ops_unregister(net, ops);
113 nf_unregister_net_hook(net, ops);
116 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
118 struct nft_trans *trans;
120 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
124 if (msg_type == NFT_MSG_NEWTABLE)
125 nft_activate_next(ctx->net, ctx->table);
127 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
131 static int nft_deltable(struct nft_ctx *ctx)
135 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
139 nft_deactivate_next(ctx->net, ctx->table);
143 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
145 struct nft_trans *trans;
147 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
151 if (msg_type == NFT_MSG_NEWCHAIN)
152 nft_activate_next(ctx->net, ctx->chain);
154 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
158 static int nft_delchain(struct nft_ctx *ctx)
162 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
167 nft_deactivate_next(ctx->net, ctx->chain);
172 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
173 struct nft_rule *rule)
175 struct nft_expr *expr;
177 expr = nft_expr_first(rule);
178 while (expr != nft_expr_last(rule) && expr->ops) {
179 if (expr->ops->activate)
180 expr->ops->activate(ctx, expr);
182 expr = nft_expr_next(expr);
186 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
187 struct nft_rule *rule)
189 struct nft_expr *expr;
191 expr = nft_expr_first(rule);
192 while (expr != nft_expr_last(rule) && expr->ops) {
193 if (expr->ops->deactivate)
194 expr->ops->deactivate(ctx, expr);
196 expr = nft_expr_next(expr);
201 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
203 /* You cannot delete the same rule twice */
204 if (nft_is_active_next(ctx->net, rule)) {
205 nft_deactivate_next(ctx->net, rule);
212 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
213 struct nft_rule *rule)
215 struct nft_trans *trans;
217 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
221 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
222 nft_trans_rule_id(trans) =
223 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
225 nft_trans_rule(trans) = rule;
226 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
231 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
233 struct nft_trans *trans;
236 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
240 err = nf_tables_delrule_deactivate(ctx, rule);
242 nft_trans_destroy(trans);
245 nft_rule_expr_deactivate(ctx, rule);
250 static int nft_delrule_by_chain(struct nft_ctx *ctx)
252 struct nft_rule *rule;
255 list_for_each_entry(rule, &ctx->chain->rules, list) {
256 err = nft_delrule(ctx, rule);
263 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
266 struct nft_trans *trans;
268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
272 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
273 nft_trans_set_id(trans) =
274 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
275 nft_activate_next(ctx->net, set);
277 nft_trans_set(trans) = set;
278 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
283 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
287 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
291 nft_deactivate_next(ctx->net, set);
297 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
298 struct nft_object *obj)
300 struct nft_trans *trans;
302 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
306 if (msg_type == NFT_MSG_NEWOBJ)
307 nft_activate_next(ctx->net, obj);
309 nft_trans_obj(trans) = obj;
310 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
315 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
319 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
323 nft_deactivate_next(ctx->net, obj);
329 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
330 struct nft_flowtable *flowtable)
332 struct nft_trans *trans;
334 trans = nft_trans_alloc(ctx, msg_type,
335 sizeof(struct nft_trans_flowtable));
339 if (msg_type == NFT_MSG_NEWFLOWTABLE)
340 nft_activate_next(ctx->net, flowtable);
342 nft_trans_flowtable(trans) = flowtable;
343 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
348 static int nft_delflowtable(struct nft_ctx *ctx,
349 struct nft_flowtable *flowtable)
353 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
357 nft_deactivate_next(ctx->net, flowtable);
367 static struct nft_table *nft_table_lookup(const struct net *net,
368 const struct nlattr *nla,
369 u8 family, u8 genmask)
371 struct nft_table *table;
374 return ERR_PTR(-EINVAL);
376 list_for_each_entry(table, &net->nft.tables, list) {
377 if (!nla_strcmp(nla, table->name) &&
378 table->family == family &&
379 nft_active_genmask(table, genmask))
383 return ERR_PTR(-ENOENT);
386 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
387 const struct nlattr *nla,
390 struct nft_table *table;
392 list_for_each_entry(table, &net->nft.tables, list) {
393 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
394 nft_active_genmask(table, genmask))
398 return ERR_PTR(-ENOENT);
401 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
403 return ++table->hgenerator;
406 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
408 static const struct nft_chain_type *
409 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
413 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
414 if (chain_type[family][i] != NULL &&
415 !nla_strcmp(nla, chain_type[family][i]->name))
416 return chain_type[family][i];
421 static const struct nft_chain_type *
422 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
424 const struct nft_chain_type *type;
426 type = __nf_tables_chain_type_lookup(nla, family);
429 #ifdef CONFIG_MODULES
431 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
432 request_module("nft-chain-%u-%.*s", family,
433 nla_len(nla), (const char *)nla_data(nla));
434 nfnl_lock(NFNL_SUBSYS_NFTABLES);
435 type = __nf_tables_chain_type_lookup(nla, family);
437 return ERR_PTR(-EAGAIN);
440 return ERR_PTR(-ENOENT);
443 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
444 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
445 .len = NFT_TABLE_MAXNAMELEN - 1 },
446 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
447 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
450 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
451 u32 portid, u32 seq, int event, u32 flags,
452 int family, const struct nft_table *table)
454 struct nlmsghdr *nlh;
455 struct nfgenmsg *nfmsg;
457 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
458 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
460 goto nla_put_failure;
462 nfmsg = nlmsg_data(nlh);
463 nfmsg->nfgen_family = family;
464 nfmsg->version = NFNETLINK_V0;
465 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
467 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
468 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
469 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
470 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
472 goto nla_put_failure;
478 nlmsg_trim(skb, nlh);
482 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
488 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
491 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
495 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
496 event, 0, ctx->family, ctx->table);
502 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
503 ctx->report, GFP_KERNEL);
506 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
509 static int nf_tables_dump_tables(struct sk_buff *skb,
510 struct netlink_callback *cb)
512 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
513 const struct nft_table *table;
514 unsigned int idx = 0, s_idx = cb->args[0];
515 struct net *net = sock_net(skb->sk);
516 int family = nfmsg->nfgen_family;
519 cb->seq = net->nft.base_seq;
521 list_for_each_entry_rcu(table, &net->nft.tables, list) {
522 if (family != NFPROTO_UNSPEC && family != table->family)
528 memset(&cb->args[1], 0,
529 sizeof(cb->args) - sizeof(cb->args[0]));
530 if (!nft_is_active(net, table))
532 if (nf_tables_fill_table_info(skb, net,
533 NETLINK_CB(cb->skb).portid,
535 NFT_MSG_NEWTABLE, NLM_F_MULTI,
536 table->family, table) < 0)
539 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
549 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
550 struct sk_buff *skb, const struct nlmsghdr *nlh,
551 const struct nlattr * const nla[],
552 struct netlink_ext_ack *extack)
554 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
555 u8 genmask = nft_genmask_cur(net);
556 const struct nft_table *table;
557 struct sk_buff *skb2;
558 int family = nfmsg->nfgen_family;
561 if (nlh->nlmsg_flags & NLM_F_DUMP) {
562 struct netlink_dump_control c = {
563 .dump = nf_tables_dump_tables,
565 return netlink_dump_start(nlsk, skb, nlh, &c);
568 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
570 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
571 return PTR_ERR(table);
574 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
578 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
579 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
584 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
591 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
593 struct nft_chain *chain;
596 list_for_each_entry(chain, &table->chains, list) {
597 if (!nft_is_active_next(net, chain))
599 if (!nft_is_base_chain(chain))
602 if (cnt && i++ == cnt)
605 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
609 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
611 struct nft_chain *chain;
614 list_for_each_entry(chain, &table->chains, list) {
615 if (!nft_is_active_next(net, chain))
617 if (!nft_is_base_chain(chain))
620 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
629 nft_table_disable(net, table, i);
633 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
635 nft_table_disable(net, table, 0);
638 static int nf_tables_updtable(struct nft_ctx *ctx)
640 struct nft_trans *trans;
644 if (!ctx->nla[NFTA_TABLE_FLAGS])
647 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
648 if (flags & ~NFT_TABLE_F_DORMANT)
651 if (flags == ctx->table->flags)
654 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
655 sizeof(struct nft_trans_table));
659 if ((flags & NFT_TABLE_F_DORMANT) &&
660 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
661 nft_trans_table_enable(trans) = false;
662 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
663 ctx->table->flags & NFT_TABLE_F_DORMANT) {
664 ret = nf_tables_table_enable(ctx->net, ctx->table);
666 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
667 nft_trans_table_enable(trans) = true;
673 nft_trans_table_update(trans) = true;
674 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
677 nft_trans_destroy(trans);
681 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
682 struct sk_buff *skb, const struct nlmsghdr *nlh,
683 const struct nlattr * const nla[],
684 struct netlink_ext_ack *extack)
686 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
687 u8 genmask = nft_genmask_next(net);
688 int family = nfmsg->nfgen_family;
689 const struct nlattr *attr;
690 struct nft_table *table;
695 attr = nla[NFTA_TABLE_NAME];
696 table = nft_table_lookup(net, attr, family, genmask);
698 if (PTR_ERR(table) != -ENOENT)
699 return PTR_ERR(table);
701 if (nlh->nlmsg_flags & NLM_F_EXCL) {
702 NL_SET_BAD_ATTR(extack, attr);
705 if (nlh->nlmsg_flags & NLM_F_REPLACE)
708 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
709 return nf_tables_updtable(&ctx);
712 if (nla[NFTA_TABLE_FLAGS]) {
713 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
714 if (flags & ~NFT_TABLE_F_DORMANT)
719 table = kzalloc(sizeof(*table), GFP_KERNEL);
723 table->name = nla_strdup(attr, GFP_KERNEL);
724 if (table->name == NULL)
727 INIT_LIST_HEAD(&table->chains);
728 INIT_LIST_HEAD(&table->sets);
729 INIT_LIST_HEAD(&table->objects);
730 INIT_LIST_HEAD(&table->flowtables);
731 table->family = family;
732 table->flags = flags;
733 table->handle = ++table_handle;
735 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
736 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
740 list_add_tail_rcu(&table->list, &net->nft.tables);
750 static int nft_flush_table(struct nft_ctx *ctx)
752 struct nft_flowtable *flowtable, *nft;
753 struct nft_chain *chain, *nc;
754 struct nft_object *obj, *ne;
755 struct nft_set *set, *ns;
758 list_for_each_entry(chain, &ctx->table->chains, list) {
759 if (!nft_is_active_next(ctx->net, chain))
764 err = nft_delrule_by_chain(ctx);
769 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
770 if (!nft_is_active_next(ctx->net, set))
773 if (nft_set_is_anonymous(set) &&
774 !list_empty(&set->bindings))
777 err = nft_delset(ctx, set);
782 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
783 err = nft_delflowtable(ctx, flowtable);
788 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
789 err = nft_delobj(ctx, obj);
794 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
795 if (!nft_is_active_next(ctx->net, chain))
800 err = nft_delchain(ctx);
805 err = nft_deltable(ctx);
810 static int nft_flush(struct nft_ctx *ctx, int family)
812 struct nft_table *table, *nt;
813 const struct nlattr * const *nla = ctx->nla;
816 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
817 if (family != AF_UNSPEC && table->family != family)
820 ctx->family = table->family;
822 if (!nft_is_active_next(ctx->net, table))
825 if (nla[NFTA_TABLE_NAME] &&
826 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
831 err = nft_flush_table(ctx);
839 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
840 struct sk_buff *skb, const struct nlmsghdr *nlh,
841 const struct nlattr * const nla[],
842 struct netlink_ext_ack *extack)
844 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
845 u8 genmask = nft_genmask_next(net);
846 int family = nfmsg->nfgen_family;
847 const struct nlattr *attr;
848 struct nft_table *table;
851 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
852 if (family == AF_UNSPEC ||
853 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
854 return nft_flush(&ctx, family);
856 if (nla[NFTA_TABLE_HANDLE]) {
857 attr = nla[NFTA_TABLE_HANDLE];
858 table = nft_table_lookup_byhandle(net, attr, genmask);
860 attr = nla[NFTA_TABLE_NAME];
861 table = nft_table_lookup(net, attr, family, genmask);
865 NL_SET_BAD_ATTR(extack, attr);
866 return PTR_ERR(table);
869 if (nlh->nlmsg_flags & NLM_F_NONREC &&
876 return nft_flush_table(&ctx);
879 static void nf_tables_table_destroy(struct nft_ctx *ctx)
881 BUG_ON(ctx->table->use > 0);
883 kfree(ctx->table->name);
887 void nft_register_chain_type(const struct nft_chain_type *ctype)
889 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
892 nfnl_lock(NFNL_SUBSYS_NFTABLES);
893 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
894 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
897 chain_type[ctype->family][ctype->type] = ctype;
898 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
900 EXPORT_SYMBOL_GPL(nft_register_chain_type);
902 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
904 nfnl_lock(NFNL_SUBSYS_NFTABLES);
905 chain_type[ctype->family][ctype->type] = NULL;
906 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
908 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
914 static struct nft_chain *
915 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
917 struct nft_chain *chain;
919 list_for_each_entry(chain, &table->chains, list) {
920 if (chain->handle == handle &&
921 nft_active_genmask(chain, genmask))
925 return ERR_PTR(-ENOENT);
928 static struct nft_chain *nft_chain_lookup(const struct nft_table *table,
929 const struct nlattr *nla, u8 genmask)
931 struct nft_chain *chain;
934 return ERR_PTR(-EINVAL);
936 list_for_each_entry(chain, &table->chains, list) {
937 if (!nla_strcmp(nla, chain->name) &&
938 nft_active_genmask(chain, genmask))
942 return ERR_PTR(-ENOENT);
945 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
946 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
947 .len = NFT_TABLE_MAXNAMELEN - 1 },
948 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
949 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
950 .len = NFT_CHAIN_MAXNAMELEN - 1 },
951 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
952 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
953 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
954 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
957 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
958 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
959 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
960 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
961 .len = IFNAMSIZ - 1 },
964 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
966 struct nft_stats *cpu_stats, total;
972 memset(&total, 0, sizeof(total));
973 for_each_possible_cpu(cpu) {
974 cpu_stats = per_cpu_ptr(stats, cpu);
976 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
977 pkts = cpu_stats->pkts;
978 bytes = cpu_stats->bytes;
979 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
981 total.bytes += bytes;
983 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
985 goto nla_put_failure;
987 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
989 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
991 goto nla_put_failure;
993 nla_nest_end(skb, nest);
1000 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1001 u32 portid, u32 seq, int event, u32 flags,
1002 int family, const struct nft_table *table,
1003 const struct nft_chain *chain)
1005 struct nlmsghdr *nlh;
1006 struct nfgenmsg *nfmsg;
1008 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1009 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1011 goto nla_put_failure;
1013 nfmsg = nlmsg_data(nlh);
1014 nfmsg->nfgen_family = family;
1015 nfmsg->version = NFNETLINK_V0;
1016 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1018 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1019 goto nla_put_failure;
1020 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1022 goto nla_put_failure;
1023 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1024 goto nla_put_failure;
1026 if (nft_is_base_chain(chain)) {
1027 const struct nft_base_chain *basechain = nft_base_chain(chain);
1028 const struct nf_hook_ops *ops = &basechain->ops;
1029 struct nlattr *nest;
1031 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1033 goto nla_put_failure;
1034 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1035 goto nla_put_failure;
1036 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1037 goto nla_put_failure;
1038 if (basechain->dev_name[0] &&
1039 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1040 goto nla_put_failure;
1041 nla_nest_end(skb, nest);
1043 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1044 htonl(basechain->policy)))
1045 goto nla_put_failure;
1047 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1048 goto nla_put_failure;
1050 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1051 goto nla_put_failure;
1054 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1055 goto nla_put_failure;
1057 nlmsg_end(skb, nlh);
1061 nlmsg_trim(skb, nlh);
1065 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1067 struct sk_buff *skb;
1071 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1074 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1078 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1079 event, 0, ctx->family, ctx->table,
1086 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1087 ctx->report, GFP_KERNEL);
1090 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1093 static int nf_tables_dump_chains(struct sk_buff *skb,
1094 struct netlink_callback *cb)
1096 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1097 const struct nft_table *table;
1098 const struct nft_chain *chain;
1099 unsigned int idx = 0, s_idx = cb->args[0];
1100 struct net *net = sock_net(skb->sk);
1101 int family = nfmsg->nfgen_family;
1104 cb->seq = net->nft.base_seq;
1106 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1107 if (family != NFPROTO_UNSPEC && family != table->family)
1110 list_for_each_entry_rcu(chain, &table->chains, list) {
1114 memset(&cb->args[1], 0,
1115 sizeof(cb->args) - sizeof(cb->args[0]));
1116 if (!nft_is_active(net, chain))
1118 if (nf_tables_fill_chain_info(skb, net,
1119 NETLINK_CB(cb->skb).portid,
1123 table->family, table,
1127 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1138 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1139 struct sk_buff *skb, const struct nlmsghdr *nlh,
1140 const struct nlattr * const nla[],
1141 struct netlink_ext_ack *extack)
1143 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1144 u8 genmask = nft_genmask_cur(net);
1145 const struct nft_table *table;
1146 const struct nft_chain *chain;
1147 struct sk_buff *skb2;
1148 int family = nfmsg->nfgen_family;
1151 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1152 struct netlink_dump_control c = {
1153 .dump = nf_tables_dump_chains,
1155 return netlink_dump_start(nlsk, skb, nlh, &c);
1158 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1159 if (IS_ERR(table)) {
1160 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1161 return PTR_ERR(table);
1164 chain = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1165 if (IS_ERR(chain)) {
1166 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1167 return PTR_ERR(chain);
1170 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1174 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1175 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1176 family, table, chain);
1180 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1187 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1188 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1189 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1192 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1194 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1195 struct nft_stats __percpu *newstats;
1196 struct nft_stats *stats;
1199 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1202 return ERR_PTR(err);
1204 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1205 return ERR_PTR(-EINVAL);
1207 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1208 if (newstats == NULL)
1209 return ERR_PTR(-ENOMEM);
1211 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1212 * are not exposed to userspace.
1215 stats = this_cpu_ptr(newstats);
1216 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1217 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1223 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1224 struct nft_stats __percpu *newstats)
1226 struct nft_stats __percpu *oldstats;
1228 if (newstats == NULL)
1232 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1233 rcu_assign_pointer(chain->stats, newstats);
1235 free_percpu(oldstats);
1237 rcu_assign_pointer(chain->stats, newstats);
1240 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1242 struct nft_chain *chain = ctx->chain;
1244 BUG_ON(chain->use > 0);
1246 if (nft_is_base_chain(chain)) {
1247 struct nft_base_chain *basechain = nft_base_chain(chain);
1249 module_put(basechain->type->owner);
1250 free_percpu(basechain->stats);
1251 if (basechain->stats)
1252 static_branch_dec(&nft_counters_enabled);
1261 struct nft_chain_hook {
1264 const struct nft_chain_type *type;
1265 struct net_device *dev;
1268 static int nft_chain_parse_hook(struct net *net,
1269 const struct nlattr * const nla[],
1270 struct nft_chain_hook *hook, u8 family,
1273 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1274 const struct nft_chain_type *type;
1275 struct net_device *dev;
1278 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1279 nft_hook_policy, NULL);
1283 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1284 ha[NFTA_HOOK_PRIORITY] == NULL)
1287 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1288 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1290 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1291 if (nla[NFTA_CHAIN_TYPE]) {
1292 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1295 return PTR_ERR(type);
1297 if (!(type->hook_mask & (1 << hook->num)))
1300 if (type->type == NFT_CHAIN_T_NAT &&
1301 hook->priority <= NF_IP_PRI_CONNTRACK)
1304 if (!try_module_get(type->owner))
1310 if (family == NFPROTO_NETDEV) {
1311 char ifname[IFNAMSIZ];
1313 if (!ha[NFTA_HOOK_DEV]) {
1314 module_put(type->owner);
1318 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1319 dev = __dev_get_by_name(net, ifname);
1321 module_put(type->owner);
1325 } else if (ha[NFTA_HOOK_DEV]) {
1326 module_put(type->owner);
1333 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1335 module_put(hook->type->owner);
1338 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1339 u8 policy, bool create)
1341 const struct nlattr * const *nla = ctx->nla;
1342 struct nft_table *table = ctx->table;
1343 struct nft_base_chain *basechain;
1344 struct nft_stats __percpu *stats;
1345 struct net *net = ctx->net;
1346 struct nft_chain *chain;
1349 if (table->use == UINT_MAX)
1352 if (nla[NFTA_CHAIN_HOOK]) {
1353 struct nft_chain_hook hook;
1354 struct nf_hook_ops *ops;
1356 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1360 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1361 if (basechain == NULL) {
1362 nft_chain_release_hook(&hook);
1366 if (hook.dev != NULL)
1367 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1369 if (nla[NFTA_CHAIN_COUNTERS]) {
1370 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1371 if (IS_ERR(stats)) {
1372 nft_chain_release_hook(&hook);
1374 return PTR_ERR(stats);
1376 basechain->stats = stats;
1377 static_branch_inc(&nft_counters_enabled);
1380 basechain->type = hook.type;
1381 chain = &basechain->chain;
1383 ops = &basechain->ops;
1385 ops->hooknum = hook.num;
1386 ops->priority = hook.priority;
1388 ops->hook = hook.type->hooks[ops->hooknum];
1389 ops->dev = hook.dev;
1391 chain->flags |= NFT_BASE_CHAIN;
1392 basechain->policy = policy;
1394 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1400 INIT_LIST_HEAD(&chain->rules);
1401 chain->handle = nf_tables_alloc_handle(table);
1402 chain->table = table;
1403 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1409 err = nf_tables_register_hook(net, table, chain);
1413 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1418 list_add_tail_rcu(&chain->list, &table->chains);
1422 nf_tables_unregister_hook(net, table, chain);
1424 nf_tables_chain_destroy(ctx);
1429 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1432 const struct nlattr * const *nla = ctx->nla;
1433 struct nft_table *table = ctx->table;
1434 struct nft_chain *chain = ctx->chain;
1435 struct nft_base_chain *basechain;
1436 struct nft_stats *stats = NULL;
1437 struct nft_chain_hook hook;
1438 const struct nlattr *name;
1439 struct nf_hook_ops *ops;
1440 struct nft_trans *trans;
1443 if (nla[NFTA_CHAIN_HOOK]) {
1444 if (!nft_is_base_chain(chain))
1447 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1452 basechain = nft_base_chain(chain);
1453 if (basechain->type != hook.type) {
1454 nft_chain_release_hook(&hook);
1458 ops = &basechain->ops;
1459 if (ops->hooknum != hook.num ||
1460 ops->priority != hook.priority ||
1461 ops->dev != hook.dev) {
1462 nft_chain_release_hook(&hook);
1465 nft_chain_release_hook(&hook);
1468 if (nla[NFTA_CHAIN_HANDLE] &&
1469 nla[NFTA_CHAIN_NAME]) {
1470 struct nft_chain *chain2;
1472 chain2 = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1473 if (!IS_ERR(chain2))
1477 if (nla[NFTA_CHAIN_COUNTERS]) {
1478 if (!nft_is_base_chain(chain))
1481 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1483 return PTR_ERR(stats);
1486 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1487 sizeof(struct nft_trans_chain));
1488 if (trans == NULL) {
1493 nft_trans_chain_stats(trans) = stats;
1494 nft_trans_chain_update(trans) = true;
1496 if (nla[NFTA_CHAIN_POLICY])
1497 nft_trans_chain_policy(trans) = policy;
1499 nft_trans_chain_policy(trans) = -1;
1501 name = nla[NFTA_CHAIN_NAME];
1502 if (nla[NFTA_CHAIN_HANDLE] && name) {
1503 nft_trans_chain_name(trans) =
1504 nla_strdup(name, GFP_KERNEL);
1505 if (!nft_trans_chain_name(trans)) {
1511 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1516 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1517 struct sk_buff *skb, const struct nlmsghdr *nlh,
1518 const struct nlattr * const nla[],
1519 struct netlink_ext_ack *extack)
1521 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1522 u8 genmask = nft_genmask_next(net);
1523 int family = nfmsg->nfgen_family;
1524 const struct nlattr *attr;
1525 struct nft_table *table;
1526 struct nft_chain *chain;
1527 u8 policy = NF_ACCEPT;
1532 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1534 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1535 if (IS_ERR(table)) {
1536 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1537 return PTR_ERR(table);
1541 attr = nla[NFTA_CHAIN_NAME];
1543 if (nla[NFTA_CHAIN_HANDLE]) {
1544 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1545 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1546 if (IS_ERR(chain)) {
1547 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1548 return PTR_ERR(chain);
1550 attr = nla[NFTA_CHAIN_HANDLE];
1552 chain = nft_chain_lookup(table, attr, genmask);
1553 if (IS_ERR(chain)) {
1554 if (PTR_ERR(chain) != -ENOENT) {
1555 NL_SET_BAD_ATTR(extack, attr);
1556 return PTR_ERR(chain);
1562 if (nla[NFTA_CHAIN_POLICY]) {
1563 if (chain != NULL &&
1564 !nft_is_base_chain(chain)) {
1565 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1569 if (chain == NULL &&
1570 nla[NFTA_CHAIN_HOOK] == NULL) {
1571 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1575 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1585 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1587 if (chain != NULL) {
1588 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1589 NL_SET_BAD_ATTR(extack, attr);
1592 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1595 return nf_tables_updchain(&ctx, genmask, policy, create);
1598 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1601 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1602 struct sk_buff *skb, const struct nlmsghdr *nlh,
1603 const struct nlattr * const nla[],
1604 struct netlink_ext_ack *extack)
1606 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1607 u8 genmask = nft_genmask_next(net);
1608 int family = nfmsg->nfgen_family;
1609 const struct nlattr *attr;
1610 struct nft_table *table;
1611 struct nft_chain *chain;
1612 struct nft_rule *rule;
1618 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1619 if (IS_ERR(table)) {
1620 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1621 return PTR_ERR(table);
1624 if (nla[NFTA_CHAIN_HANDLE]) {
1625 attr = nla[NFTA_CHAIN_HANDLE];
1626 handle = be64_to_cpu(nla_get_be64(attr));
1627 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1629 attr = nla[NFTA_CHAIN_NAME];
1630 chain = nft_chain_lookup(table, attr, genmask);
1632 if (IS_ERR(chain)) {
1633 NL_SET_BAD_ATTR(extack, attr);
1634 return PTR_ERR(chain);
1637 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1641 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1644 list_for_each_entry(rule, &chain->rules, list) {
1645 if (!nft_is_active_next(net, rule))
1649 err = nft_delrule(&ctx, rule);
1654 /* There are rules and elements that are still holding references to us,
1655 * we cannot do a recursive removal in this case.
1658 NL_SET_BAD_ATTR(extack, attr);
1662 return nft_delchain(&ctx);
1670 * nft_register_expr - register nf_tables expr type
1673 * Registers the expr type for use with nf_tables. Returns zero on
1674 * success or a negative errno code otherwise.
1676 int nft_register_expr(struct nft_expr_type *type)
1678 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1679 if (type->family == NFPROTO_UNSPEC)
1680 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1682 list_add_rcu(&type->list, &nf_tables_expressions);
1683 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1686 EXPORT_SYMBOL_GPL(nft_register_expr);
1689 * nft_unregister_expr - unregister nf_tables expr type
1692 * Unregisters the expr typefor use with nf_tables.
1694 void nft_unregister_expr(struct nft_expr_type *type)
1696 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1697 list_del_rcu(&type->list);
1698 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1700 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1702 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1705 const struct nft_expr_type *type;
1707 list_for_each_entry(type, &nf_tables_expressions, list) {
1708 if (!nla_strcmp(nla, type->name) &&
1709 (!type->family || type->family == family))
1715 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1718 const struct nft_expr_type *type;
1721 return ERR_PTR(-EINVAL);
1723 type = __nft_expr_type_get(family, nla);
1724 if (type != NULL && try_module_get(type->owner))
1727 #ifdef CONFIG_MODULES
1729 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1730 request_module("nft-expr-%u-%.*s", family,
1731 nla_len(nla), (char *)nla_data(nla));
1732 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1733 if (__nft_expr_type_get(family, nla))
1734 return ERR_PTR(-EAGAIN);
1736 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1737 request_module("nft-expr-%.*s",
1738 nla_len(nla), (char *)nla_data(nla));
1739 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1740 if (__nft_expr_type_get(family, nla))
1741 return ERR_PTR(-EAGAIN);
1744 return ERR_PTR(-ENOENT);
1747 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1748 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1749 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1752 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1753 const struct nft_expr *expr)
1755 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1756 goto nla_put_failure;
1758 if (expr->ops->dump) {
1759 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1761 goto nla_put_failure;
1762 if (expr->ops->dump(skb, expr) < 0)
1763 goto nla_put_failure;
1764 nla_nest_end(skb, data);
1773 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1774 const struct nft_expr *expr)
1776 struct nlattr *nest;
1778 nest = nla_nest_start(skb, attr);
1780 goto nla_put_failure;
1781 if (nf_tables_fill_expr_info(skb, expr) < 0)
1782 goto nla_put_failure;
1783 nla_nest_end(skb, nest);
1790 struct nft_expr_info {
1791 const struct nft_expr_ops *ops;
1792 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1795 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1796 const struct nlattr *nla,
1797 struct nft_expr_info *info)
1799 const struct nft_expr_type *type;
1800 const struct nft_expr_ops *ops;
1801 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1804 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1808 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1810 return PTR_ERR(type);
1812 if (tb[NFTA_EXPR_DATA]) {
1813 err = nla_parse_nested(info->tb, type->maxattr,
1814 tb[NFTA_EXPR_DATA], type->policy, NULL);
1818 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1820 if (type->select_ops != NULL) {
1821 ops = type->select_ops(ctx,
1822 (const struct nlattr * const *)info->tb);
1834 module_put(type->owner);
1838 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1839 const struct nft_expr_info *info,
1840 struct nft_expr *expr)
1842 const struct nft_expr_ops *ops = info->ops;
1847 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1852 if (ops->validate) {
1853 const struct nft_data *data = NULL;
1855 err = ops->validate(ctx, expr, &data);
1864 ops->destroy(ctx, expr);
1870 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1871 struct nft_expr *expr)
1873 if (expr->ops->destroy)
1874 expr->ops->destroy(ctx, expr);
1875 module_put(expr->ops->type->owner);
1878 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1879 const struct nlattr *nla)
1881 struct nft_expr_info info;
1882 struct nft_expr *expr;
1885 err = nf_tables_expr_parse(ctx, nla, &info);
1890 expr = kzalloc(info.ops->size, GFP_KERNEL);
1894 err = nf_tables_newexpr(ctx, &info, expr);
1902 module_put(info.ops->type->owner);
1904 return ERR_PTR(err);
1907 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1909 nf_tables_expr_destroy(ctx, expr);
1917 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
1920 struct nft_rule *rule;
1922 // FIXME: this sucks
1923 list_for_each_entry(rule, &chain->rules, list) {
1924 if (handle == rule->handle)
1928 return ERR_PTR(-ENOENT);
1931 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
1932 const struct nlattr *nla)
1935 return ERR_PTR(-EINVAL);
1937 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1940 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1941 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1942 .len = NFT_TABLE_MAXNAMELEN - 1 },
1943 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1944 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1945 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1946 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1947 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1948 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1949 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1950 .len = NFT_USERDATA_MAXLEN },
1951 [NFTA_RULE_ID] = { .type = NLA_U32 },
1954 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1955 u32 portid, u32 seq, int event,
1956 u32 flags, int family,
1957 const struct nft_table *table,
1958 const struct nft_chain *chain,
1959 const struct nft_rule *rule)
1961 struct nlmsghdr *nlh;
1962 struct nfgenmsg *nfmsg;
1963 const struct nft_expr *expr, *next;
1964 struct nlattr *list;
1965 const struct nft_rule *prule;
1966 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1968 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1970 goto nla_put_failure;
1972 nfmsg = nlmsg_data(nlh);
1973 nfmsg->nfgen_family = family;
1974 nfmsg->version = NFNETLINK_V0;
1975 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1977 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1978 goto nla_put_failure;
1979 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1980 goto nla_put_failure;
1981 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1983 goto nla_put_failure;
1985 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1986 prule = list_prev_entry(rule, list);
1987 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1988 cpu_to_be64(prule->handle),
1990 goto nla_put_failure;
1993 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1995 goto nla_put_failure;
1996 nft_rule_for_each_expr(expr, next, rule) {
1997 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1998 goto nla_put_failure;
2000 nla_nest_end(skb, list);
2003 struct nft_userdata *udata = nft_userdata(rule);
2004 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2006 goto nla_put_failure;
2009 nlmsg_end(skb, nlh);
2013 nlmsg_trim(skb, nlh);
2017 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2018 const struct nft_rule *rule, int event)
2020 struct sk_buff *skb;
2024 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2027 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2031 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2032 event, 0, ctx->family, ctx->table,
2039 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2040 ctx->report, GFP_KERNEL);
2043 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2046 struct nft_rule_dump_ctx {
2051 static int nf_tables_dump_rules(struct sk_buff *skb,
2052 struct netlink_callback *cb)
2054 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2055 const struct nft_rule_dump_ctx *ctx = cb->data;
2056 const struct nft_table *table;
2057 const struct nft_chain *chain;
2058 const struct nft_rule *rule;
2059 unsigned int idx = 0, s_idx = cb->args[0];
2060 struct net *net = sock_net(skb->sk);
2061 int family = nfmsg->nfgen_family;
2064 cb->seq = net->nft.base_seq;
2066 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2067 if (family != NFPROTO_UNSPEC && family != table->family)
2070 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2073 list_for_each_entry_rcu(chain, &table->chains, list) {
2074 if (ctx && ctx->chain &&
2075 strcmp(ctx->chain, chain->name) != 0)
2078 list_for_each_entry_rcu(rule, &chain->rules, list) {
2079 if (!nft_is_active(net, rule))
2084 memset(&cb->args[1], 0,
2085 sizeof(cb->args) - sizeof(cb->args[0]));
2086 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2089 NLM_F_MULTI | NLM_F_APPEND,
2091 table, chain, rule) < 0)
2094 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2107 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2109 struct nft_rule_dump_ctx *ctx = cb->data;
2119 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2120 struct sk_buff *skb, const struct nlmsghdr *nlh,
2121 const struct nlattr * const nla[],
2122 struct netlink_ext_ack *extack)
2124 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2125 u8 genmask = nft_genmask_cur(net);
2126 const struct nft_table *table;
2127 const struct nft_chain *chain;
2128 const struct nft_rule *rule;
2129 struct sk_buff *skb2;
2130 int family = nfmsg->nfgen_family;
2133 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2134 struct netlink_dump_control c = {
2135 .dump = nf_tables_dump_rules,
2136 .done = nf_tables_dump_rules_done,
2139 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2140 struct nft_rule_dump_ctx *ctx;
2142 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2146 if (nla[NFTA_RULE_TABLE]) {
2147 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2154 if (nla[NFTA_RULE_CHAIN]) {
2155 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2166 return netlink_dump_start(nlsk, skb, nlh, &c);
2169 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2170 if (IS_ERR(table)) {
2171 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2172 return PTR_ERR(table);
2175 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2176 if (IS_ERR(chain)) {
2177 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2178 return PTR_ERR(chain);
2181 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2183 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2184 return PTR_ERR(rule);
2187 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2191 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2192 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2193 family, table, chain, rule);
2197 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2204 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2205 struct nft_rule *rule)
2207 struct nft_expr *expr;
2210 * Careful: some expressions might not be initialized in case this
2211 * is called on error from nf_tables_newrule().
2213 expr = nft_expr_first(rule);
2214 while (expr != nft_expr_last(rule) && expr->ops) {
2215 nf_tables_expr_destroy(ctx, expr);
2216 expr = nft_expr_next(expr);
2221 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2222 struct nft_rule *rule)
2224 nft_rule_expr_deactivate(ctx, rule);
2225 nf_tables_rule_destroy(ctx, rule);
2228 #define NFT_RULE_MAXEXPRS 128
2230 static struct nft_expr_info *info;
2232 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2233 struct sk_buff *skb, const struct nlmsghdr *nlh,
2234 const struct nlattr * const nla[],
2235 struct netlink_ext_ack *extack)
2237 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2238 u8 genmask = nft_genmask_next(net);
2239 int family = nfmsg->nfgen_family;
2240 struct nft_table *table;
2241 struct nft_chain *chain;
2242 struct nft_rule *rule, *old_rule = NULL;
2243 struct nft_userdata *udata;
2244 struct nft_trans *trans = NULL;
2245 struct nft_expr *expr;
2248 unsigned int size, i, n, ulen = 0, usize = 0;
2251 u64 handle, pos_handle;
2253 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2255 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2256 if (IS_ERR(table)) {
2257 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2258 return PTR_ERR(table);
2261 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2262 if (IS_ERR(chain)) {
2263 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2264 return PTR_ERR(chain);
2267 if (nla[NFTA_RULE_HANDLE]) {
2268 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2269 rule = __nft_rule_lookup(chain, handle);
2271 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2272 return PTR_ERR(rule);
2275 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2276 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2279 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2284 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2286 handle = nf_tables_alloc_handle(table);
2288 if (chain->use == UINT_MAX)
2292 if (nla[NFTA_RULE_POSITION]) {
2293 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2296 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2297 old_rule = __nft_rule_lookup(chain, pos_handle);
2298 if (IS_ERR(old_rule)) {
2299 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2300 return PTR_ERR(old_rule);
2304 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2308 if (nla[NFTA_RULE_EXPRESSIONS]) {
2309 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2311 if (nla_type(tmp) != NFTA_LIST_ELEM)
2313 if (n == NFT_RULE_MAXEXPRS)
2315 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2318 size += info[n].ops->size;
2322 /* Check for overflow of dlen field */
2324 if (size >= 1 << 12)
2327 if (nla[NFTA_RULE_USERDATA]) {
2328 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2330 usize = sizeof(struct nft_userdata) + ulen;
2334 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2338 nft_activate_next(net, rule);
2340 rule->handle = handle;
2342 rule->udata = ulen ? 1 : 0;
2345 udata = nft_userdata(rule);
2346 udata->len = ulen - 1;
2347 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2350 expr = nft_expr_first(rule);
2351 for (i = 0; i < n; i++) {
2352 err = nf_tables_newexpr(&ctx, &info[i], expr);
2356 expr = nft_expr_next(expr);
2359 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2360 if (!nft_is_active_next(net, old_rule)) {
2364 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2366 if (trans == NULL) {
2370 nft_deactivate_next(net, old_rule);
2373 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2378 list_add_tail_rcu(&rule->list, &old_rule->list);
2380 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2385 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2387 list_add_rcu(&rule->list, &old_rule->list);
2389 list_add_tail_rcu(&rule->list, &chain->rules);
2392 list_add_tail_rcu(&rule->list, &old_rule->list);
2394 list_add_rcu(&rule->list, &chain->rules);
2401 nf_tables_rule_release(&ctx, rule);
2403 for (i = 0; i < n; i++) {
2404 if (info[i].ops != NULL)
2405 module_put(info[i].ops->type->owner);
2410 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2411 const struct nlattr *nla)
2413 u32 id = ntohl(nla_get_be32(nla));
2414 struct nft_trans *trans;
2416 list_for_each_entry(trans, &net->nft.commit_list, list) {
2417 struct nft_rule *rule = nft_trans_rule(trans);
2419 if (trans->msg_type == NFT_MSG_NEWRULE &&
2420 id == nft_trans_rule_id(trans))
2423 return ERR_PTR(-ENOENT);
2426 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2427 struct sk_buff *skb, const struct nlmsghdr *nlh,
2428 const struct nlattr * const nla[],
2429 struct netlink_ext_ack *extack)
2431 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2432 u8 genmask = nft_genmask_next(net);
2433 struct nft_table *table;
2434 struct nft_chain *chain = NULL;
2435 struct nft_rule *rule;
2436 int family = nfmsg->nfgen_family, err = 0;
2439 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2440 if (IS_ERR(table)) {
2441 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2442 return PTR_ERR(table);
2445 if (nla[NFTA_RULE_CHAIN]) {
2446 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2447 if (IS_ERR(chain)) {
2448 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2449 return PTR_ERR(chain);
2453 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2456 if (nla[NFTA_RULE_HANDLE]) {
2457 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2459 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2460 return PTR_ERR(rule);
2463 err = nft_delrule(&ctx, rule);
2464 } else if (nla[NFTA_RULE_ID]) {
2465 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2467 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2468 return PTR_ERR(rule);
2471 err = nft_delrule(&ctx, rule);
2473 err = nft_delrule_by_chain(&ctx);
2476 list_for_each_entry(chain, &table->chains, list) {
2477 if (!nft_is_active_next(net, chain))
2481 err = nft_delrule_by_chain(&ctx);
2494 static LIST_HEAD(nf_tables_set_types);
2496 int nft_register_set(struct nft_set_type *type)
2498 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2499 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2500 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2503 EXPORT_SYMBOL_GPL(nft_register_set);
2505 void nft_unregister_set(struct nft_set_type *type)
2507 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2508 list_del_rcu(&type->list);
2509 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2511 EXPORT_SYMBOL_GPL(nft_unregister_set);
2513 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2514 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2517 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2519 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2523 * Select a set implementation based on the data characteristics and the
2524 * given policy. The total memory use might not be known if no size is
2525 * given, in that case the amount of memory per element is used.
2527 static const struct nft_set_ops *
2528 nft_select_set_ops(const struct nft_ctx *ctx,
2529 const struct nlattr * const nla[],
2530 const struct nft_set_desc *desc,
2531 enum nft_set_policies policy)
2533 const struct nft_set_ops *ops, *bops;
2534 struct nft_set_estimate est, best;
2535 const struct nft_set_type *type;
2538 #ifdef CONFIG_MODULES
2539 if (list_empty(&nf_tables_set_types)) {
2540 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2541 request_module("nft-set");
2542 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2543 if (!list_empty(&nf_tables_set_types))
2544 return ERR_PTR(-EAGAIN);
2547 if (nla[NFTA_SET_FLAGS] != NULL)
2548 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2555 list_for_each_entry(type, &nf_tables_set_types, list) {
2558 if (!nft_set_ops_candidate(type, flags))
2560 if (!ops->estimate(desc, flags, &est))
2564 case NFT_SET_POL_PERFORMANCE:
2565 if (est.lookup < best.lookup)
2567 if (est.lookup == best.lookup &&
2568 est.space < best.space)
2571 case NFT_SET_POL_MEMORY:
2573 if (est.space < best.space)
2575 if (est.space == best.space &&
2576 est.lookup < best.lookup)
2578 } else if (est.size < best.size || !bops) {
2586 if (!try_module_get(type->owner))
2589 module_put(to_set_type(bops)->owner);
2598 return ERR_PTR(-EOPNOTSUPP);
2601 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2602 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2603 .len = NFT_TABLE_MAXNAMELEN - 1 },
2604 [NFTA_SET_NAME] = { .type = NLA_STRING,
2605 .len = NFT_SET_MAXNAMELEN - 1 },
2606 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2607 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2608 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2609 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2610 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2611 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2612 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2613 [NFTA_SET_ID] = { .type = NLA_U32 },
2614 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2615 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2616 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2617 .len = NFT_USERDATA_MAXLEN },
2618 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2619 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2622 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2623 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2626 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2627 const struct sk_buff *skb,
2628 const struct nlmsghdr *nlh,
2629 const struct nlattr * const nla[],
2630 struct netlink_ext_ack *extack,
2633 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2634 int family = nfmsg->nfgen_family;
2635 struct nft_table *table = NULL;
2637 if (nla[NFTA_SET_TABLE] != NULL) {
2638 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
2640 if (IS_ERR(table)) {
2641 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
2642 return PTR_ERR(table);
2646 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2650 static struct nft_set *nft_set_lookup(const struct nft_table *table,
2651 const struct nlattr *nla, u8 genmask)
2653 struct nft_set *set;
2656 return ERR_PTR(-EINVAL);
2658 list_for_each_entry(set, &table->sets, list) {
2659 if (!nla_strcmp(nla, set->name) &&
2660 nft_active_genmask(set, genmask))
2663 return ERR_PTR(-ENOENT);
2666 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
2667 const struct nlattr *nla,
2670 struct nft_set *set;
2672 list_for_each_entry(set, &table->sets, list) {
2673 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2674 nft_active_genmask(set, genmask))
2677 return ERR_PTR(-ENOENT);
2680 static struct nft_set *nft_set_lookup_byid(const struct net *net,
2681 const struct nlattr *nla, u8 genmask)
2683 struct nft_trans *trans;
2684 u32 id = ntohl(nla_get_be32(nla));
2686 list_for_each_entry(trans, &net->nft.commit_list, list) {
2687 struct nft_set *set = nft_trans_set(trans);
2689 if (trans->msg_type == NFT_MSG_NEWSET &&
2690 id == nft_trans_set_id(trans) &&
2691 nft_active_genmask(set, genmask))
2694 return ERR_PTR(-ENOENT);
2697 struct nft_set *nft_set_lookup_global(const struct net *net,
2698 const struct nft_table *table,
2699 const struct nlattr *nla_set_name,
2700 const struct nlattr *nla_set_id,
2703 struct nft_set *set;
2705 set = nft_set_lookup(table, nla_set_name, genmask);
2710 set = nft_set_lookup_byid(net, nla_set_id, genmask);
2714 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2716 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2719 const struct nft_set *i;
2721 unsigned long *inuse;
2722 unsigned int n = 0, min = 0;
2724 p = strchr(name, '%');
2726 if (p[1] != 'd' || strchr(p + 2, '%'))
2729 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2733 list_for_each_entry(i, &ctx->table->sets, list) {
2736 if (!nft_is_active_next(ctx->net, set))
2738 if (!sscanf(i->name, name, &tmp))
2740 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2743 set_bit(tmp - min, inuse);
2746 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2747 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2748 min += BITS_PER_BYTE * PAGE_SIZE;
2749 memset(inuse, 0, PAGE_SIZE);
2752 free_page((unsigned long)inuse);
2755 set->name = kasprintf(GFP_KERNEL, name, min + n);
2759 list_for_each_entry(i, &ctx->table->sets, list) {
2760 if (!nft_is_active_next(ctx->net, i))
2762 if (!strcmp(set->name, i->name)) {
2770 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
2772 u64 ms = be64_to_cpu(nla_get_be64(nla));
2773 u64 max = (u64)(~((u64)0));
2775 max = div_u64(max, NSEC_PER_MSEC);
2779 ms *= NSEC_PER_MSEC;
2780 *result = nsecs_to_jiffies64(ms);
2784 static u64 nf_jiffies64_to_msecs(u64 input)
2786 u64 ms = jiffies64_to_nsecs(input);
2788 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
2791 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2792 const struct nft_set *set, u16 event, u16 flags)
2794 struct nfgenmsg *nfmsg;
2795 struct nlmsghdr *nlh;
2796 struct nlattr *desc;
2797 u32 portid = ctx->portid;
2800 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2801 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2804 goto nla_put_failure;
2806 nfmsg = nlmsg_data(nlh);
2807 nfmsg->nfgen_family = ctx->family;
2808 nfmsg->version = NFNETLINK_V0;
2809 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2811 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2812 goto nla_put_failure;
2813 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2814 goto nla_put_failure;
2815 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2817 goto nla_put_failure;
2818 if (set->flags != 0)
2819 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2820 goto nla_put_failure;
2822 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2823 goto nla_put_failure;
2824 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2825 goto nla_put_failure;
2826 if (set->flags & NFT_SET_MAP) {
2827 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2828 goto nla_put_failure;
2829 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2830 goto nla_put_failure;
2832 if (set->flags & NFT_SET_OBJECT &&
2833 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2834 goto nla_put_failure;
2837 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2838 nf_jiffies64_to_msecs(set->timeout),
2840 goto nla_put_failure;
2842 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2843 goto nla_put_failure;
2845 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2846 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2847 goto nla_put_failure;
2850 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2851 goto nla_put_failure;
2853 desc = nla_nest_start(skb, NFTA_SET_DESC);
2855 goto nla_put_failure;
2857 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2858 goto nla_put_failure;
2859 nla_nest_end(skb, desc);
2861 nlmsg_end(skb, nlh);
2865 nlmsg_trim(skb, nlh);
2869 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2870 const struct nft_set *set, int event,
2873 struct sk_buff *skb;
2874 u32 portid = ctx->portid;
2878 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2881 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2885 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2891 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2895 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2898 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2900 const struct nft_set *set;
2901 unsigned int idx, s_idx = cb->args[0];
2902 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2903 struct net *net = sock_net(skb->sk);
2904 struct nft_ctx *ctx = cb->data, ctx_set;
2910 cb->seq = net->nft.base_seq;
2912 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2913 if (ctx->family != NFPROTO_UNSPEC &&
2914 ctx->family != table->family)
2917 if (ctx->table && ctx->table != table)
2921 if (cur_table != table)
2927 list_for_each_entry_rcu(set, &table->sets, list) {
2930 if (!nft_is_active(net, set))
2934 ctx_set.table = table;
2935 ctx_set.family = table->family;
2937 if (nf_tables_fill_set(skb, &ctx_set, set,
2941 cb->args[2] = (unsigned long) table;
2944 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2957 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2963 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2964 struct sk_buff *skb, const struct nlmsghdr *nlh,
2965 const struct nlattr * const nla[],
2966 struct netlink_ext_ack *extack)
2968 u8 genmask = nft_genmask_cur(net);
2969 const struct nft_set *set;
2971 struct sk_buff *skb2;
2972 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2975 /* Verify existence before starting dump */
2976 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
2981 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2982 struct netlink_dump_control c = {
2983 .dump = nf_tables_dump_sets,
2984 .done = nf_tables_dump_sets_done,
2986 struct nft_ctx *ctx_dump;
2988 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2989 if (ctx_dump == NULL)
2995 return netlink_dump_start(nlsk, skb, nlh, &c);
2998 /* Only accept unspec with dump */
2999 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3000 return -EAFNOSUPPORT;
3001 if (!nla[NFTA_SET_TABLE])
3004 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3006 return PTR_ERR(set);
3008 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3012 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3016 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3023 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3024 struct nft_set_desc *desc,
3025 const struct nlattr *nla)
3027 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3030 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3031 nft_set_desc_policy, NULL);
3035 if (da[NFTA_SET_DESC_SIZE] != NULL)
3036 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3041 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3042 struct sk_buff *skb, const struct nlmsghdr *nlh,
3043 const struct nlattr * const nla[],
3044 struct netlink_ext_ack *extack)
3046 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3047 u8 genmask = nft_genmask_next(net);
3048 int family = nfmsg->nfgen_family;
3049 const struct nft_set_ops *ops;
3050 struct nft_table *table;
3051 struct nft_set *set;
3057 u32 ktype, dtype, flags, policy, gc_int, objtype;
3058 struct nft_set_desc desc;
3059 unsigned char *udata;
3063 if (nla[NFTA_SET_TABLE] == NULL ||
3064 nla[NFTA_SET_NAME] == NULL ||
3065 nla[NFTA_SET_KEY_LEN] == NULL ||
3066 nla[NFTA_SET_ID] == NULL)
3069 memset(&desc, 0, sizeof(desc));
3071 ktype = NFT_DATA_VALUE;
3072 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3073 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3074 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3078 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3079 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3083 if (nla[NFTA_SET_FLAGS] != NULL) {
3084 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3085 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3086 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3087 NFT_SET_MAP | NFT_SET_EVAL |
3090 /* Only one of these operations is supported */
3091 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3092 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3097 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3098 if (!(flags & NFT_SET_MAP))
3101 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3102 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3103 dtype != NFT_DATA_VERDICT)
3106 if (dtype != NFT_DATA_VERDICT) {
3107 if (nla[NFTA_SET_DATA_LEN] == NULL)
3109 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3110 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3113 desc.dlen = sizeof(struct nft_verdict);
3114 } else if (flags & NFT_SET_MAP)
3117 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3118 if (!(flags & NFT_SET_OBJECT))
3121 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3122 if (objtype == NFT_OBJECT_UNSPEC ||
3123 objtype > NFT_OBJECT_MAX)
3125 } else if (flags & NFT_SET_OBJECT)
3128 objtype = NFT_OBJECT_UNSPEC;
3131 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3132 if (!(flags & NFT_SET_TIMEOUT))
3135 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3140 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3141 if (!(flags & NFT_SET_TIMEOUT))
3143 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3146 policy = NFT_SET_POL_PERFORMANCE;
3147 if (nla[NFTA_SET_POLICY] != NULL)
3148 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3150 if (nla[NFTA_SET_DESC] != NULL) {
3151 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3156 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3158 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3159 if (IS_ERR(table)) {
3160 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3161 return PTR_ERR(table);
3164 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3166 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3168 if (PTR_ERR(set) != -ENOENT) {
3169 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3170 return PTR_ERR(set);
3173 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3174 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3177 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3183 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3186 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3188 return PTR_ERR(ops);
3191 if (nla[NFTA_SET_USERDATA])
3192 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3195 if (ops->privsize != NULL)
3196 size = ops->privsize(nla, &desc);
3198 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3204 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3210 err = nf_tables_set_alloc_name(&ctx, set, name);
3217 udata = set->data + size;
3218 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3221 INIT_LIST_HEAD(&set->bindings);
3224 set->klen = desc.klen;
3226 set->objtype = objtype;
3227 set->dlen = desc.dlen;
3229 set->size = desc.size;
3230 set->policy = policy;
3233 set->timeout = timeout;
3234 set->gc_int = gc_int;
3235 set->handle = nf_tables_alloc_handle(table);
3237 err = ops->init(set, &desc, nla);
3241 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3245 list_add_tail_rcu(&set->list, &table->sets);
3256 module_put(to_set_type(ops)->owner);
3260 static void nft_set_destroy(struct nft_set *set)
3262 set->ops->destroy(set);
3263 module_put(to_set_type(set->ops)->owner);
3268 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3270 list_del_rcu(&set->list);
3271 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3272 nft_set_destroy(set);
3275 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3276 struct sk_buff *skb, const struct nlmsghdr *nlh,
3277 const struct nlattr * const nla[],
3278 struct netlink_ext_ack *extack)
3280 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3281 u8 genmask = nft_genmask_next(net);
3282 const struct nlattr *attr;
3283 struct nft_set *set;
3287 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3288 return -EAFNOSUPPORT;
3289 if (nla[NFTA_SET_TABLE] == NULL)
3292 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3297 if (nla[NFTA_SET_HANDLE]) {
3298 attr = nla[NFTA_SET_HANDLE];
3299 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3301 attr = nla[NFTA_SET_NAME];
3302 set = nft_set_lookup(ctx.table, attr, genmask);
3306 NL_SET_BAD_ATTR(extack, attr);
3307 return PTR_ERR(set);
3309 if (!list_empty(&set->bindings) ||
3310 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3311 NL_SET_BAD_ATTR(extack, attr);
3315 return nft_delset(&ctx, set);
3318 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3319 struct nft_set *set,
3320 const struct nft_set_iter *iter,
3321 struct nft_set_elem *elem)
3323 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3324 enum nft_registers dreg;
3326 dreg = nft_type_to_reg(set->dtype);
3327 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3328 set->dtype == NFT_DATA_VERDICT ?
3329 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3333 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3334 struct nft_set_binding *binding)
3336 struct nft_set_binding *i;
3337 struct nft_set_iter iter;
3339 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3342 if (binding->flags & NFT_SET_MAP) {
3343 /* If the set is already bound to the same chain all
3344 * jumps are already validated for that chain.
3346 list_for_each_entry(i, &set->bindings, list) {
3347 if (i->flags & NFT_SET_MAP &&
3348 i->chain == binding->chain)
3352 iter.genmask = nft_genmask_next(ctx->net);
3356 iter.fn = nf_tables_bind_check_setelem;
3358 set->ops->walk(ctx, set, &iter);
3363 binding->chain = ctx->chain;
3364 list_add_tail_rcu(&binding->list, &set->bindings);
3367 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3369 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3370 struct nft_set_binding *binding)
3372 list_del_rcu(&binding->list);
3374 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3375 nft_is_active(ctx->net, set))
3376 nf_tables_set_destroy(ctx, set);
3378 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3380 const struct nft_set_ext_type nft_set_ext_types[] = {
3381 [NFT_SET_EXT_KEY] = {
3382 .align = __alignof__(u32),
3384 [NFT_SET_EXT_DATA] = {
3385 .align = __alignof__(u32),
3387 [NFT_SET_EXT_EXPR] = {
3388 .align = __alignof__(struct nft_expr),
3390 [NFT_SET_EXT_OBJREF] = {
3391 .len = sizeof(struct nft_object *),
3392 .align = __alignof__(struct nft_object *),
3394 [NFT_SET_EXT_FLAGS] = {
3396 .align = __alignof__(u8),
3398 [NFT_SET_EXT_TIMEOUT] = {
3400 .align = __alignof__(u64),
3402 [NFT_SET_EXT_EXPIRATION] = {
3404 .align = __alignof__(u64),
3406 [NFT_SET_EXT_USERDATA] = {
3407 .len = sizeof(struct nft_userdata),
3408 .align = __alignof__(struct nft_userdata),
3411 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3417 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3418 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3419 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3420 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3421 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3422 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3423 .len = NFT_USERDATA_MAXLEN },
3424 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3425 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3428 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3429 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3430 .len = NFT_TABLE_MAXNAMELEN - 1 },
3431 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3432 .len = NFT_SET_MAXNAMELEN - 1 },
3433 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3434 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3437 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3438 const struct sk_buff *skb,
3439 const struct nlmsghdr *nlh,
3440 const struct nlattr * const nla[],
3441 struct netlink_ext_ack *extack,
3444 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3445 int family = nfmsg->nfgen_family;
3446 struct nft_table *table;
3448 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3450 if (IS_ERR(table)) {
3451 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3452 return PTR_ERR(table);
3455 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3459 static int nf_tables_fill_setelem(struct sk_buff *skb,
3460 const struct nft_set *set,
3461 const struct nft_set_elem *elem)
3463 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3464 unsigned char *b = skb_tail_pointer(skb);
3465 struct nlattr *nest;
3467 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3469 goto nla_put_failure;
3471 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3472 NFT_DATA_VALUE, set->klen) < 0)
3473 goto nla_put_failure;
3475 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3476 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3477 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3479 goto nla_put_failure;
3481 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3482 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3483 goto nla_put_failure;
3485 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3486 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3487 (*nft_set_ext_obj(ext))->name) < 0)
3488 goto nla_put_failure;
3490 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3491 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3492 htonl(*nft_set_ext_flags(ext))))
3493 goto nla_put_failure;
3495 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3496 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3497 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3499 goto nla_put_failure;
3501 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3502 u64 expires, now = get_jiffies_64();
3504 expires = *nft_set_ext_expiration(ext);
3505 if (time_before64(now, expires))
3510 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3511 nf_jiffies64_to_msecs(expires),
3513 goto nla_put_failure;
3516 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3517 struct nft_userdata *udata;
3519 udata = nft_set_ext_userdata(ext);
3520 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3521 udata->len + 1, udata->data))
3522 goto nla_put_failure;
3525 nla_nest_end(skb, nest);
3533 struct nft_set_dump_args {
3534 const struct netlink_callback *cb;
3535 struct nft_set_iter iter;
3536 struct sk_buff *skb;
3539 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3540 struct nft_set *set,
3541 const struct nft_set_iter *iter,
3542 struct nft_set_elem *elem)
3544 struct nft_set_dump_args *args;
3546 args = container_of(iter, struct nft_set_dump_args, iter);
3547 return nf_tables_fill_setelem(args->skb, set, elem);
3550 struct nft_set_dump_ctx {
3551 const struct nft_set *set;
3555 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3557 struct nft_set_dump_ctx *dump_ctx = cb->data;
3558 struct net *net = sock_net(skb->sk);
3559 struct nft_table *table;
3560 struct nft_set *set;
3561 struct nft_set_dump_args args;
3562 bool set_found = false;
3563 struct nfgenmsg *nfmsg;
3564 struct nlmsghdr *nlh;
3565 struct nlattr *nest;
3570 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3571 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3572 dump_ctx->ctx.family != table->family)
3575 if (table != dump_ctx->ctx.table)
3578 list_for_each_entry_rcu(set, &table->sets, list) {
3579 if (set == dump_ctx->set) {
3592 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3593 portid = NETLINK_CB(cb->skb).portid;
3594 seq = cb->nlh->nlmsg_seq;
3596 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3599 goto nla_put_failure;
3601 nfmsg = nlmsg_data(nlh);
3602 nfmsg->nfgen_family = table->family;
3603 nfmsg->version = NFNETLINK_V0;
3604 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3606 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3607 goto nla_put_failure;
3608 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3609 goto nla_put_failure;
3611 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3613 goto nla_put_failure;
3617 args.iter.genmask = nft_genmask_cur(net);
3618 args.iter.skip = cb->args[0];
3619 args.iter.count = 0;
3621 args.iter.fn = nf_tables_dump_setelem;
3622 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3625 nla_nest_end(skb, nest);
3626 nlmsg_end(skb, nlh);
3628 if (args.iter.err && args.iter.err != -EMSGSIZE)
3629 return args.iter.err;
3630 if (args.iter.count == cb->args[0])
3633 cb->args[0] = args.iter.count;
3641 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3647 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3648 const struct nft_ctx *ctx, u32 seq,
3649 u32 portid, int event, u16 flags,
3650 const struct nft_set *set,
3651 const struct nft_set_elem *elem)
3653 struct nfgenmsg *nfmsg;
3654 struct nlmsghdr *nlh;
3655 struct nlattr *nest;
3658 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3659 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3662 goto nla_put_failure;
3664 nfmsg = nlmsg_data(nlh);
3665 nfmsg->nfgen_family = ctx->family;
3666 nfmsg->version = NFNETLINK_V0;
3667 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3669 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3670 goto nla_put_failure;
3671 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3672 goto nla_put_failure;
3674 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3676 goto nla_put_failure;
3678 err = nf_tables_fill_setelem(skb, set, elem);
3680 goto nla_put_failure;
3682 nla_nest_end(skb, nest);
3684 nlmsg_end(skb, nlh);
3688 nlmsg_trim(skb, nlh);
3692 static int nft_setelem_parse_flags(const struct nft_set *set,
3693 const struct nlattr *attr, u32 *flags)
3698 *flags = ntohl(nla_get_be32(attr));
3699 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3701 if (!(set->flags & NFT_SET_INTERVAL) &&
3702 *flags & NFT_SET_ELEM_INTERVAL_END)
3708 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3709 const struct nlattr *attr)
3711 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3712 const struct nft_set_ext *ext;
3713 struct nft_data_desc desc;
3714 struct nft_set_elem elem;
3715 struct sk_buff *skb;
3720 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3721 nft_set_elem_policy, NULL);
3725 if (!nla[NFTA_SET_ELEM_KEY])
3728 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3732 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3733 nla[NFTA_SET_ELEM_KEY]);
3738 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3741 priv = set->ops->get(ctx->net, set, &elem, flags);
3743 return PTR_ERR(priv);
3746 ext = nft_set_elem_ext(set, &elem);
3749 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3753 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3754 NFT_MSG_NEWSETELEM, 0, set, &elem);
3758 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3759 /* This avoids a loop in nfnetlink. */
3767 /* this avoids a loop in nfnetlink. */
3768 return err == -EAGAIN ? -ENOBUFS : err;
3771 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3772 struct sk_buff *skb, const struct nlmsghdr *nlh,
3773 const struct nlattr * const nla[],
3774 struct netlink_ext_ack *extack)
3776 u8 genmask = nft_genmask_cur(net);
3777 struct nft_set *set;
3778 struct nlattr *attr;
3782 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
3787 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
3789 return PTR_ERR(set);
3791 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3792 struct netlink_dump_control c = {
3793 .dump = nf_tables_dump_set,
3794 .done = nf_tables_dump_set_done,
3796 struct nft_set_dump_ctx *dump_ctx;
3798 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3802 dump_ctx->set = set;
3803 dump_ctx->ctx = ctx;
3806 return netlink_dump_start(nlsk, skb, nlh, &c);
3809 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3812 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3813 err = nft_get_set_elem(&ctx, set, attr);
3821 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3822 const struct nft_set *set,
3823 const struct nft_set_elem *elem,
3824 int event, u16 flags)
3826 struct net *net = ctx->net;
3827 u32 portid = ctx->portid;
3828 struct sk_buff *skb;
3831 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3834 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3838 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3845 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3849 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3852 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3854 struct nft_set *set)
3856 struct nft_trans *trans;
3858 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3862 nft_trans_elem_set(trans) = set;
3866 void *nft_set_elem_init(const struct nft_set *set,
3867 const struct nft_set_ext_tmpl *tmpl,
3868 const u32 *key, const u32 *data,
3869 u64 timeout, gfp_t gfp)
3871 struct nft_set_ext *ext;
3874 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3878 ext = nft_set_elem_ext(set, elem);
3879 nft_set_ext_init(ext, tmpl);
3881 memcpy(nft_set_ext_key(ext), key, set->klen);
3882 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3883 memcpy(nft_set_ext_data(ext), data, set->dlen);
3884 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3885 *nft_set_ext_expiration(ext) =
3886 get_jiffies_64() + timeout;
3887 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3888 *nft_set_ext_timeout(ext) = timeout;
3893 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3896 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3898 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3899 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3900 nft_data_release(nft_set_ext_data(ext), set->dtype);
3901 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3902 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3903 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3904 (*nft_set_ext_obj(ext))->use--;
3907 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3909 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3910 * the refcounting from the preparation phase.
3912 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3914 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3916 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3917 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3921 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3922 const struct nlattr *attr, u32 nlmsg_flags)
3924 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3925 u8 genmask = nft_genmask_next(ctx->net);
3926 struct nft_data_desc d1, d2;
3927 struct nft_set_ext_tmpl tmpl;
3928 struct nft_set_ext *ext, *ext2;
3929 struct nft_set_elem elem;
3930 struct nft_set_binding *binding;
3931 struct nft_object *obj = NULL;
3932 struct nft_userdata *udata;
3933 struct nft_data data;
3934 enum nft_registers dreg;
3935 struct nft_trans *trans;
3941 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3942 nft_set_elem_policy, NULL);
3946 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3949 nft_set_ext_prepare(&tmpl);
3951 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3955 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3957 if (set->flags & NFT_SET_MAP) {
3958 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3959 !(flags & NFT_SET_ELEM_INTERVAL_END))
3961 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3962 flags & NFT_SET_ELEM_INTERVAL_END)
3965 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3970 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3971 if (!(set->flags & NFT_SET_TIMEOUT))
3973 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
3977 } else if (set->flags & NFT_SET_TIMEOUT) {
3978 timeout = set->timeout;
3981 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3982 nla[NFTA_SET_ELEM_KEY]);
3986 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3989 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3991 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3992 if (timeout != set->timeout)
3993 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3996 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3997 if (!(set->flags & NFT_SET_OBJECT)) {
4001 obj = nft_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4002 set->objtype, genmask);
4007 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4010 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4011 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4012 nla[NFTA_SET_ELEM_DATA]);
4017 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4020 dreg = nft_type_to_reg(set->dtype);
4021 list_for_each_entry(binding, &set->bindings, list) {
4022 struct nft_ctx bind_ctx = {
4024 .family = ctx->family,
4025 .table = ctx->table,
4026 .chain = (struct nft_chain *)binding->chain,
4029 if (!(binding->flags & NFT_SET_MAP))
4032 err = nft_validate_register_store(&bind_ctx, dreg,
4039 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4042 /* The full maximum length of userdata can exceed the maximum
4043 * offset value (U8_MAX) for following extensions, therefor it
4044 * must be the last extension added.
4047 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4048 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4050 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4055 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4056 timeout, GFP_KERNEL);
4057 if (elem.priv == NULL)
4060 ext = nft_set_elem_ext(set, elem.priv);
4062 *nft_set_ext_flags(ext) = flags;
4064 udata = nft_set_ext_userdata(ext);
4065 udata->len = ulen - 1;
4066 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4069 *nft_set_ext_obj(ext) = obj;
4073 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4077 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4078 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4080 if (err == -EEXIST) {
4081 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4082 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4083 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4084 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4088 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4089 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4090 memcmp(nft_set_ext_data(ext),
4091 nft_set_ext_data(ext2), set->dlen) != 0) ||
4092 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4093 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4094 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4096 else if (!(nlmsg_flags & NLM_F_EXCL))
4103 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4108 nft_trans_elem(trans) = elem;
4109 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4113 set->ops->remove(ctx->net, set, &elem);
4119 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4120 nft_data_release(&data, d2.type);
4122 nft_data_release(&elem.key.val, d1.type);
4127 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4128 struct sk_buff *skb, const struct nlmsghdr *nlh,
4129 const struct nlattr * const nla[],
4130 struct netlink_ext_ack *extack)
4132 u8 genmask = nft_genmask_next(net);
4133 const struct nlattr *attr;
4134 struct nft_set *set;
4138 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4141 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4146 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4147 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4149 return PTR_ERR(set);
4151 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4154 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4155 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4163 * nft_data_hold - hold a nft_data item
4165 * @data: struct nft_data to release
4166 * @type: type of data
4168 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4169 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4170 * NFT_GOTO verdicts. This function must be called on active data objects
4171 * from the second phase of the commit protocol.
4173 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4175 if (type == NFT_DATA_VERDICT) {
4176 switch (data->verdict.code) {
4179 data->verdict.chain->use++;
4185 static void nft_set_elem_activate(const struct net *net,
4186 const struct nft_set *set,
4187 struct nft_set_elem *elem)
4189 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4191 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4192 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4193 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4194 (*nft_set_ext_obj(ext))->use++;
4197 static void nft_set_elem_deactivate(const struct net *net,
4198 const struct nft_set *set,
4199 struct nft_set_elem *elem)
4201 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4203 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4204 nft_data_release(nft_set_ext_data(ext), set->dtype);
4205 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4206 (*nft_set_ext_obj(ext))->use--;
4209 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4210 const struct nlattr *attr)
4212 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4213 struct nft_set_ext_tmpl tmpl;
4214 struct nft_data_desc desc;
4215 struct nft_set_elem elem;
4216 struct nft_set_ext *ext;
4217 struct nft_trans *trans;
4222 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4223 nft_set_elem_policy, NULL);
4228 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4231 nft_set_ext_prepare(&tmpl);
4233 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4237 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4239 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4240 nla[NFTA_SET_ELEM_KEY]);
4245 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4248 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4251 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4253 if (elem.priv == NULL)
4256 ext = nft_set_elem_ext(set, elem.priv);
4258 *nft_set_ext_flags(ext) = flags;
4260 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4261 if (trans == NULL) {
4266 priv = set->ops->deactivate(ctx->net, set, &elem);
4274 nft_set_elem_deactivate(ctx->net, set, &elem);
4276 nft_trans_elem(trans) = elem;
4277 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4285 nft_data_release(&elem.key.val, desc.type);
4290 static int nft_flush_set(const struct nft_ctx *ctx,
4291 struct nft_set *set,
4292 const struct nft_set_iter *iter,
4293 struct nft_set_elem *elem)
4295 struct nft_trans *trans;
4298 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4299 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4303 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4309 nft_trans_elem_set(trans) = set;
4310 nft_trans_elem(trans) = *elem;
4311 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4319 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4320 struct sk_buff *skb, const struct nlmsghdr *nlh,
4321 const struct nlattr * const nla[],
4322 struct netlink_ext_ack *extack)
4324 u8 genmask = nft_genmask_next(net);
4325 const struct nlattr *attr;
4326 struct nft_set *set;
4330 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4335 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4337 return PTR_ERR(set);
4338 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4341 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4342 struct nft_set_iter iter = {
4344 .fn = nft_flush_set,
4346 set->ops->walk(&ctx, set, &iter);
4351 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4352 err = nft_del_setelem(&ctx, set, attr);
4361 void nft_set_gc_batch_release(struct rcu_head *rcu)
4363 struct nft_set_gc_batch *gcb;
4366 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4367 for (i = 0; i < gcb->head.cnt; i++)
4368 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4371 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4373 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4376 struct nft_set_gc_batch *gcb;
4378 gcb = kzalloc(sizeof(*gcb), gfp);
4381 gcb->head.set = set;
4384 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4391 * nft_register_obj- register nf_tables stateful object type
4394 * Registers the object type for use with nf_tables. Returns zero on
4395 * success or a negative errno code otherwise.
4397 int nft_register_obj(struct nft_object_type *obj_type)
4399 if (obj_type->type == NFT_OBJECT_UNSPEC)
4402 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4403 list_add_rcu(&obj_type->list, &nf_tables_objects);
4404 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4407 EXPORT_SYMBOL_GPL(nft_register_obj);
4410 * nft_unregister_obj - unregister nf_tables object type
4413 * Unregisters the object type for use with nf_tables.
4415 void nft_unregister_obj(struct nft_object_type *obj_type)
4417 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4418 list_del_rcu(&obj_type->list);
4419 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4421 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4423 struct nft_object *nft_obj_lookup(const struct nft_table *table,
4424 const struct nlattr *nla, u32 objtype,
4427 struct nft_object *obj;
4429 list_for_each_entry(obj, &table->objects, list) {
4430 if (!nla_strcmp(nla, obj->name) &&
4431 objtype == obj->ops->type->type &&
4432 nft_active_genmask(obj, genmask))
4435 return ERR_PTR(-ENOENT);
4437 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4439 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4440 const struct nlattr *nla,
4441 u32 objtype, u8 genmask)
4443 struct nft_object *obj;
4445 list_for_each_entry(obj, &table->objects, list) {
4446 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4447 objtype == obj->ops->type->type &&
4448 nft_active_genmask(obj, genmask))
4451 return ERR_PTR(-ENOENT);
4454 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4455 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4456 .len = NFT_TABLE_MAXNAMELEN - 1 },
4457 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4458 .len = NFT_OBJ_MAXNAMELEN - 1 },
4459 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4460 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4461 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4464 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4465 const struct nft_object_type *type,
4466 const struct nlattr *attr)
4469 const struct nft_object_ops *ops;
4470 struct nft_object *obj;
4473 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4478 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4483 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4486 if (type->select_ops) {
4487 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4497 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4501 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4514 return ERR_PTR(err);
4517 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4518 struct nft_object *obj, bool reset)
4520 struct nlattr *nest;
4522 nest = nla_nest_start(skb, attr);
4524 goto nla_put_failure;
4525 if (obj->ops->dump(skb, obj, reset) < 0)
4526 goto nla_put_failure;
4527 nla_nest_end(skb, nest);
4534 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4536 const struct nft_object_type *type;
4538 list_for_each_entry(type, &nf_tables_objects, list) {
4539 if (objtype == type->type)
4545 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4547 const struct nft_object_type *type;
4549 type = __nft_obj_type_get(objtype);
4550 if (type != NULL && try_module_get(type->owner))
4553 #ifdef CONFIG_MODULES
4555 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4556 request_module("nft-obj-%u", objtype);
4557 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4558 if (__nft_obj_type_get(objtype))
4559 return ERR_PTR(-EAGAIN);
4562 return ERR_PTR(-ENOENT);
4565 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4566 struct sk_buff *skb, const struct nlmsghdr *nlh,
4567 const struct nlattr * const nla[],
4568 struct netlink_ext_ack *extack)
4570 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4571 const struct nft_object_type *type;
4572 u8 genmask = nft_genmask_next(net);
4573 int family = nfmsg->nfgen_family;
4574 struct nft_table *table;
4575 struct nft_object *obj;
4580 if (!nla[NFTA_OBJ_TYPE] ||
4581 !nla[NFTA_OBJ_NAME] ||
4582 !nla[NFTA_OBJ_DATA])
4585 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4586 if (IS_ERR(table)) {
4587 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4588 return PTR_ERR(table);
4591 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4592 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4595 if (err != -ENOENT) {
4596 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4600 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4601 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4607 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4609 type = nft_obj_type_get(objtype);
4611 return PTR_ERR(type);
4613 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4619 obj->handle = nf_tables_alloc_handle(table);
4621 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4627 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4631 list_add_tail_rcu(&obj->list, &table->objects);
4637 if (obj->ops->destroy)
4638 obj->ops->destroy(obj);
4641 module_put(type->owner);
4645 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4646 u32 portid, u32 seq, int event, u32 flags,
4647 int family, const struct nft_table *table,
4648 struct nft_object *obj, bool reset)
4650 struct nfgenmsg *nfmsg;
4651 struct nlmsghdr *nlh;
4653 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4654 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4656 goto nla_put_failure;
4658 nfmsg = nlmsg_data(nlh);
4659 nfmsg->nfgen_family = family;
4660 nfmsg->version = NFNETLINK_V0;
4661 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4663 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4664 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4665 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4666 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4667 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4668 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4670 goto nla_put_failure;
4672 nlmsg_end(skb, nlh);
4676 nlmsg_trim(skb, nlh);
4680 struct nft_obj_filter {
4685 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4687 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4688 const struct nft_table *table;
4689 unsigned int idx = 0, s_idx = cb->args[0];
4690 struct nft_obj_filter *filter = cb->data;
4691 struct net *net = sock_net(skb->sk);
4692 int family = nfmsg->nfgen_family;
4693 struct nft_object *obj;
4696 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4700 cb->seq = net->nft.base_seq;
4702 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4703 if (family != NFPROTO_UNSPEC && family != table->family)
4706 list_for_each_entry_rcu(obj, &table->objects, list) {
4707 if (!nft_is_active(net, obj))
4712 memset(&cb->args[1], 0,
4713 sizeof(cb->args) - sizeof(cb->args[0]));
4714 if (filter && filter->table[0] &&
4715 strcmp(filter->table, table->name))
4718 filter->type != NFT_OBJECT_UNSPEC &&
4719 obj->ops->type->type != filter->type)
4722 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4725 NLM_F_MULTI | NLM_F_APPEND,
4726 table->family, table,
4730 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4742 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4744 struct nft_obj_filter *filter = cb->data;
4747 kfree(filter->table);
4754 static struct nft_obj_filter *
4755 nft_obj_filter_alloc(const struct nlattr * const nla[])
4757 struct nft_obj_filter *filter;
4759 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4761 return ERR_PTR(-ENOMEM);
4763 if (nla[NFTA_OBJ_TABLE]) {
4764 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4765 if (!filter->table) {
4767 return ERR_PTR(-ENOMEM);
4770 if (nla[NFTA_OBJ_TYPE])
4771 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4776 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4777 struct sk_buff *skb, const struct nlmsghdr *nlh,
4778 const struct nlattr * const nla[],
4779 struct netlink_ext_ack *extack)
4781 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4782 u8 genmask = nft_genmask_cur(net);
4783 int family = nfmsg->nfgen_family;
4784 const struct nft_table *table;
4785 struct nft_object *obj;
4786 struct sk_buff *skb2;
4791 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4792 struct netlink_dump_control c = {
4793 .dump = nf_tables_dump_obj,
4794 .done = nf_tables_dump_obj_done,
4797 if (nla[NFTA_OBJ_TABLE] ||
4798 nla[NFTA_OBJ_TYPE]) {
4799 struct nft_obj_filter *filter;
4801 filter = nft_obj_filter_alloc(nla);
4807 return netlink_dump_start(nlsk, skb, nlh, &c);
4810 if (!nla[NFTA_OBJ_NAME] ||
4811 !nla[NFTA_OBJ_TYPE])
4814 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4815 if (IS_ERR(table)) {
4816 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4817 return PTR_ERR(table);
4820 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4821 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4823 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4824 return PTR_ERR(obj);
4827 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4831 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4834 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4835 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4836 family, table, obj, reset);
4840 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4846 static void nft_obj_destroy(struct nft_object *obj)
4848 if (obj->ops->destroy)
4849 obj->ops->destroy(obj);
4851 module_put(obj->ops->type->owner);
4856 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4857 struct sk_buff *skb, const struct nlmsghdr *nlh,
4858 const struct nlattr * const nla[],
4859 struct netlink_ext_ack *extack)
4861 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4862 u8 genmask = nft_genmask_next(net);
4863 int family = nfmsg->nfgen_family;
4864 const struct nlattr *attr;
4865 struct nft_table *table;
4866 struct nft_object *obj;
4870 if (!nla[NFTA_OBJ_TYPE] ||
4871 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4874 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4875 if (IS_ERR(table)) {
4876 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4877 return PTR_ERR(table);
4880 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4881 if (nla[NFTA_OBJ_HANDLE]) {
4882 attr = nla[NFTA_OBJ_HANDLE];
4883 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
4885 attr = nla[NFTA_OBJ_NAME];
4886 obj = nft_obj_lookup(table, attr, objtype, genmask);
4890 NL_SET_BAD_ATTR(extack, attr);
4891 return PTR_ERR(obj);
4894 NL_SET_BAD_ATTR(extack, attr);
4898 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4900 return nft_delobj(&ctx, obj);
4903 void nft_obj_notify(struct net *net, struct nft_table *table,
4904 struct nft_object *obj, u32 portid, u32 seq, int event,
4905 int family, int report, gfp_t gfp)
4907 struct sk_buff *skb;
4911 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4914 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4918 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4925 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4928 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4930 EXPORT_SYMBOL_GPL(nft_obj_notify);
4932 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4933 struct nft_object *obj, int event)
4935 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4936 ctx->family, ctx->report, GFP_KERNEL);
4942 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4944 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4945 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4946 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4948 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4950 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4952 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4953 list_del_rcu(&type->list);
4954 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4956 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4958 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4959 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4960 .len = NFT_NAME_MAXLEN - 1 },
4961 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4962 .len = NFT_NAME_MAXLEN - 1 },
4963 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4964 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
4967 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
4968 const struct nlattr *nla, u8 genmask)
4970 struct nft_flowtable *flowtable;
4972 list_for_each_entry(flowtable, &table->flowtables, list) {
4973 if (!nla_strcmp(nla, flowtable->name) &&
4974 nft_active_genmask(flowtable, genmask))
4977 return ERR_PTR(-ENOENT);
4979 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
4981 static struct nft_flowtable *
4982 nft_flowtable_lookup_byhandle(const struct nft_table *table,
4983 const struct nlattr *nla, u8 genmask)
4985 struct nft_flowtable *flowtable;
4987 list_for_each_entry(flowtable, &table->flowtables, list) {
4988 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
4989 nft_active_genmask(flowtable, genmask))
4992 return ERR_PTR(-ENOENT);
4995 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4996 const struct nlattr *attr,
4997 struct net_device *dev_array[], int *len)
4999 const struct nlattr *tmp;
5000 struct net_device *dev;
5001 char ifname[IFNAMSIZ];
5002 int rem, n = 0, err;
5004 nla_for_each_nested(tmp, attr, rem) {
5005 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5010 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5011 dev = __dev_get_by_name(ctx->net, ifname);
5017 dev_array[n++] = dev;
5018 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5032 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5033 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5034 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5035 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5038 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5039 const struct nlattr *attr,
5040 struct nft_flowtable *flowtable)
5042 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5043 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5044 struct nf_hook_ops *ops;
5045 int hooknum, priority;
5048 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5049 nft_flowtable_hook_policy, NULL);
5053 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5054 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5055 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5058 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5059 if (hooknum != NF_NETDEV_INGRESS)
5062 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5064 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5069 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
5073 flowtable->hooknum = hooknum;
5074 flowtable->priority = priority;
5075 flowtable->ops = ops;
5076 flowtable->ops_len = n;
5078 for (i = 0; i < n; i++) {
5079 flowtable->ops[i].pf = NFPROTO_NETDEV;
5080 flowtable->ops[i].hooknum = hooknum;
5081 flowtable->ops[i].priority = priority;
5082 flowtable->ops[i].priv = &flowtable->data;
5083 flowtable->ops[i].hook = flowtable->data.type->hook;
5084 flowtable->ops[i].dev = dev_array[i];
5085 flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
5092 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5094 const struct nf_flowtable_type *type;
5096 list_for_each_entry(type, &nf_tables_flowtables, list) {
5097 if (family == type->family)
5103 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5105 const struct nf_flowtable_type *type;
5107 type = __nft_flowtable_type_get(family);
5108 if (type != NULL && try_module_get(type->owner))
5111 #ifdef CONFIG_MODULES
5113 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5114 request_module("nf-flowtable-%u", family);
5115 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5116 if (__nft_flowtable_type_get(family))
5117 return ERR_PTR(-EAGAIN);
5120 return ERR_PTR(-ENOENT);
5123 static void nft_unregister_flowtable_net_hooks(struct net *net,
5124 struct nft_flowtable *flowtable)
5128 for (i = 0; i < flowtable->ops_len; i++) {
5129 if (!flowtable->ops[i].dev)
5132 nf_unregister_net_hook(net, &flowtable->ops[i]);
5136 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5137 struct sk_buff *skb,
5138 const struct nlmsghdr *nlh,
5139 const struct nlattr * const nla[],
5140 struct netlink_ext_ack *extack)
5142 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5143 const struct nf_flowtable_type *type;
5144 struct nft_flowtable *flowtable, *ft;
5145 u8 genmask = nft_genmask_next(net);
5146 int family = nfmsg->nfgen_family;
5147 struct nft_table *table;
5151 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5152 !nla[NFTA_FLOWTABLE_NAME] ||
5153 !nla[NFTA_FLOWTABLE_HOOK])
5156 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5158 if (IS_ERR(table)) {
5159 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5160 return PTR_ERR(table);
5163 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5165 if (IS_ERR(flowtable)) {
5166 err = PTR_ERR(flowtable);
5167 if (err != -ENOENT) {
5168 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5172 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5173 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5180 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5182 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5186 flowtable->table = table;
5187 flowtable->handle = nf_tables_alloc_handle(table);
5189 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5190 if (!flowtable->name) {
5195 type = nft_flowtable_type_get(family);
5197 err = PTR_ERR(type);
5201 flowtable->data.type = type;
5202 err = type->init(&flowtable->data);
5206 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5211 for (i = 0; i < flowtable->ops_len; i++) {
5212 if (!flowtable->ops[i].dev)
5215 list_for_each_entry(ft, &table->flowtables, list) {
5216 for (k = 0; k < ft->ops_len; k++) {
5217 if (!ft->ops[k].dev)
5220 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5221 flowtable->ops[i].pf == ft->ops[k].pf) {
5228 err = nf_register_net_hook(net, &flowtable->ops[i]);
5233 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5237 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5242 i = flowtable->ops_len;
5244 for (k = i - 1; k >= 0; k--) {
5245 kfree(flowtable->dev_name[k]);
5246 nf_unregister_net_hook(net, &flowtable->ops[k]);
5249 kfree(flowtable->ops);
5251 flowtable->data.type->free(&flowtable->data);
5253 module_put(type->owner);
5255 kfree(flowtable->name);
5261 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5262 struct sk_buff *skb,
5263 const struct nlmsghdr *nlh,
5264 const struct nlattr * const nla[],
5265 struct netlink_ext_ack *extack)
5267 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5268 u8 genmask = nft_genmask_next(net);
5269 int family = nfmsg->nfgen_family;
5270 struct nft_flowtable *flowtable;
5271 const struct nlattr *attr;
5272 struct nft_table *table;
5275 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5276 (!nla[NFTA_FLOWTABLE_NAME] &&
5277 !nla[NFTA_FLOWTABLE_HANDLE]))
5280 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5282 if (IS_ERR(table)) {
5283 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5284 return PTR_ERR(table);
5287 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5288 attr = nla[NFTA_FLOWTABLE_HANDLE];
5289 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5291 attr = nla[NFTA_FLOWTABLE_NAME];
5292 flowtable = nft_flowtable_lookup(table, attr, genmask);
5295 if (IS_ERR(flowtable)) {
5296 NL_SET_BAD_ATTR(extack, attr);
5297 return PTR_ERR(flowtable);
5299 if (flowtable->use > 0) {
5300 NL_SET_BAD_ATTR(extack, attr);
5304 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5306 return nft_delflowtable(&ctx, flowtable);
5309 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5310 u32 portid, u32 seq, int event,
5311 u32 flags, int family,
5312 struct nft_flowtable *flowtable)
5314 struct nlattr *nest, *nest_devs;
5315 struct nfgenmsg *nfmsg;
5316 struct nlmsghdr *nlh;
5319 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5320 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5322 goto nla_put_failure;
5324 nfmsg = nlmsg_data(nlh);
5325 nfmsg->nfgen_family = family;
5326 nfmsg->version = NFNETLINK_V0;
5327 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5329 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5330 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5331 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5332 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5333 NFTA_FLOWTABLE_PAD))
5334 goto nla_put_failure;
5336 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5337 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5338 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5339 goto nla_put_failure;
5341 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5343 goto nla_put_failure;
5345 for (i = 0; i < flowtable->ops_len; i++) {
5346 if (flowtable->dev_name[i][0] &&
5347 nla_put_string(skb, NFTA_DEVICE_NAME,
5348 flowtable->dev_name[i]))
5349 goto nla_put_failure;
5351 nla_nest_end(skb, nest_devs);
5352 nla_nest_end(skb, nest);
5354 nlmsg_end(skb, nlh);
5358 nlmsg_trim(skb, nlh);
5362 struct nft_flowtable_filter {
5366 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5367 struct netlink_callback *cb)
5369 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5370 struct nft_flowtable_filter *filter = cb->data;
5371 unsigned int idx = 0, s_idx = cb->args[0];
5372 struct net *net = sock_net(skb->sk);
5373 int family = nfmsg->nfgen_family;
5374 struct nft_flowtable *flowtable;
5375 const struct nft_table *table;
5378 cb->seq = net->nft.base_seq;
5380 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5381 if (family != NFPROTO_UNSPEC && family != table->family)
5384 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5385 if (!nft_is_active(net, flowtable))
5390 memset(&cb->args[1], 0,
5391 sizeof(cb->args) - sizeof(cb->args[0]));
5392 if (filter && filter->table[0] &&
5393 strcmp(filter->table, table->name))
5396 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5398 NFT_MSG_NEWFLOWTABLE,
5399 NLM_F_MULTI | NLM_F_APPEND,
5400 table->family, flowtable) < 0)
5403 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5415 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5417 struct nft_flowtable_filter *filter = cb->data;
5422 kfree(filter->table);
5428 static struct nft_flowtable_filter *
5429 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5431 struct nft_flowtable_filter *filter;
5433 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5435 return ERR_PTR(-ENOMEM);
5437 if (nla[NFTA_FLOWTABLE_TABLE]) {
5438 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5440 if (!filter->table) {
5442 return ERR_PTR(-ENOMEM);
5448 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5449 struct sk_buff *skb,
5450 const struct nlmsghdr *nlh,
5451 const struct nlattr * const nla[],
5452 struct netlink_ext_ack *extack)
5454 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5455 u8 genmask = nft_genmask_cur(net);
5456 int family = nfmsg->nfgen_family;
5457 struct nft_flowtable *flowtable;
5458 const struct nft_table *table;
5459 struct sk_buff *skb2;
5462 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5463 struct netlink_dump_control c = {
5464 .dump = nf_tables_dump_flowtable,
5465 .done = nf_tables_dump_flowtable_done,
5468 if (nla[NFTA_FLOWTABLE_TABLE]) {
5469 struct nft_flowtable_filter *filter;
5471 filter = nft_flowtable_filter_alloc(nla);
5477 return netlink_dump_start(nlsk, skb, nlh, &c);
5480 if (!nla[NFTA_FLOWTABLE_NAME])
5483 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5486 return PTR_ERR(table);
5488 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5490 if (IS_ERR(flowtable))
5491 return PTR_ERR(flowtable);
5493 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5497 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5499 NFT_MSG_NEWFLOWTABLE, 0, family,
5504 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5510 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5511 struct nft_flowtable *flowtable,
5514 struct sk_buff *skb;
5518 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5521 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5525 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5527 ctx->family, flowtable);
5533 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5534 ctx->report, GFP_KERNEL);
5537 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5540 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5542 kfree(flowtable->ops);
5543 kfree(flowtable->name);
5544 flowtable->data.type->free(&flowtable->data);
5545 module_put(flowtable->data.type->owner);
5548 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5549 u32 portid, u32 seq)
5551 struct nlmsghdr *nlh;
5552 struct nfgenmsg *nfmsg;
5553 char buf[TASK_COMM_LEN];
5554 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5556 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5558 goto nla_put_failure;
5560 nfmsg = nlmsg_data(nlh);
5561 nfmsg->nfgen_family = AF_UNSPEC;
5562 nfmsg->version = NFNETLINK_V0;
5563 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5565 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5566 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5567 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5568 goto nla_put_failure;
5570 nlmsg_end(skb, nlh);
5574 nlmsg_trim(skb, nlh);
5578 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5579 struct nft_flowtable *flowtable)
5583 for (i = 0; i < flowtable->ops_len; i++) {
5584 if (flowtable->ops[i].dev != dev)
5587 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5588 flowtable->dev_name[i][0] = '\0';
5589 flowtable->ops[i].dev = NULL;
5594 static int nf_tables_flowtable_event(struct notifier_block *this,
5595 unsigned long event, void *ptr)
5597 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5598 struct nft_flowtable *flowtable;
5599 struct nft_table *table;
5601 if (event != NETDEV_UNREGISTER)
5604 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5605 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5606 list_for_each_entry(flowtable, &table->flowtables, list) {
5607 nft_flowtable_event(event, dev, flowtable);
5610 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5615 static struct notifier_block nf_tables_flowtable_notifier = {
5616 .notifier_call = nf_tables_flowtable_event,
5619 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5622 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5623 struct sk_buff *skb2;
5626 if (nlmsg_report(nlh) &&
5627 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5630 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5634 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5641 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5642 nlmsg_report(nlh), GFP_KERNEL);
5645 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5649 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5650 struct sk_buff *skb, const struct nlmsghdr *nlh,
5651 const struct nlattr * const nla[],
5652 struct netlink_ext_ack *extack)
5654 struct sk_buff *skb2;
5657 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5661 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5666 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5672 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5673 [NFT_MSG_NEWTABLE] = {
5674 .call_batch = nf_tables_newtable,
5675 .attr_count = NFTA_TABLE_MAX,
5676 .policy = nft_table_policy,
5678 [NFT_MSG_GETTABLE] = {
5679 .call = nf_tables_gettable,
5680 .attr_count = NFTA_TABLE_MAX,
5681 .policy = nft_table_policy,
5683 [NFT_MSG_DELTABLE] = {
5684 .call_batch = nf_tables_deltable,
5685 .attr_count = NFTA_TABLE_MAX,
5686 .policy = nft_table_policy,
5688 [NFT_MSG_NEWCHAIN] = {
5689 .call_batch = nf_tables_newchain,
5690 .attr_count = NFTA_CHAIN_MAX,
5691 .policy = nft_chain_policy,
5693 [NFT_MSG_GETCHAIN] = {
5694 .call = nf_tables_getchain,
5695 .attr_count = NFTA_CHAIN_MAX,
5696 .policy = nft_chain_policy,
5698 [NFT_MSG_DELCHAIN] = {
5699 .call_batch = nf_tables_delchain,
5700 .attr_count = NFTA_CHAIN_MAX,
5701 .policy = nft_chain_policy,
5703 [NFT_MSG_NEWRULE] = {
5704 .call_batch = nf_tables_newrule,
5705 .attr_count = NFTA_RULE_MAX,
5706 .policy = nft_rule_policy,
5708 [NFT_MSG_GETRULE] = {
5709 .call = nf_tables_getrule,
5710 .attr_count = NFTA_RULE_MAX,
5711 .policy = nft_rule_policy,
5713 [NFT_MSG_DELRULE] = {
5714 .call_batch = nf_tables_delrule,
5715 .attr_count = NFTA_RULE_MAX,
5716 .policy = nft_rule_policy,
5718 [NFT_MSG_NEWSET] = {
5719 .call_batch = nf_tables_newset,
5720 .attr_count = NFTA_SET_MAX,
5721 .policy = nft_set_policy,
5723 [NFT_MSG_GETSET] = {
5724 .call = nf_tables_getset,
5725 .attr_count = NFTA_SET_MAX,
5726 .policy = nft_set_policy,
5728 [NFT_MSG_DELSET] = {
5729 .call_batch = nf_tables_delset,
5730 .attr_count = NFTA_SET_MAX,
5731 .policy = nft_set_policy,
5733 [NFT_MSG_NEWSETELEM] = {
5734 .call_batch = nf_tables_newsetelem,
5735 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5736 .policy = nft_set_elem_list_policy,
5738 [NFT_MSG_GETSETELEM] = {
5739 .call = nf_tables_getsetelem,
5740 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5741 .policy = nft_set_elem_list_policy,
5743 [NFT_MSG_DELSETELEM] = {
5744 .call_batch = nf_tables_delsetelem,
5745 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5746 .policy = nft_set_elem_list_policy,
5748 [NFT_MSG_GETGEN] = {
5749 .call = nf_tables_getgen,
5751 [NFT_MSG_NEWOBJ] = {
5752 .call_batch = nf_tables_newobj,
5753 .attr_count = NFTA_OBJ_MAX,
5754 .policy = nft_obj_policy,
5756 [NFT_MSG_GETOBJ] = {
5757 .call = nf_tables_getobj,
5758 .attr_count = NFTA_OBJ_MAX,
5759 .policy = nft_obj_policy,
5761 [NFT_MSG_DELOBJ] = {
5762 .call_batch = nf_tables_delobj,
5763 .attr_count = NFTA_OBJ_MAX,
5764 .policy = nft_obj_policy,
5766 [NFT_MSG_GETOBJ_RESET] = {
5767 .call = nf_tables_getobj,
5768 .attr_count = NFTA_OBJ_MAX,
5769 .policy = nft_obj_policy,
5771 [NFT_MSG_NEWFLOWTABLE] = {
5772 .call_batch = nf_tables_newflowtable,
5773 .attr_count = NFTA_FLOWTABLE_MAX,
5774 .policy = nft_flowtable_policy,
5776 [NFT_MSG_GETFLOWTABLE] = {
5777 .call = nf_tables_getflowtable,
5778 .attr_count = NFTA_FLOWTABLE_MAX,
5779 .policy = nft_flowtable_policy,
5781 [NFT_MSG_DELFLOWTABLE] = {
5782 .call_batch = nf_tables_delflowtable,
5783 .attr_count = NFTA_FLOWTABLE_MAX,
5784 .policy = nft_flowtable_policy,
5788 static void nft_chain_commit_update(struct nft_trans *trans)
5790 struct nft_base_chain *basechain;
5792 if (nft_trans_chain_name(trans))
5793 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5795 if (!nft_is_base_chain(trans->ctx.chain))
5798 basechain = nft_base_chain(trans->ctx.chain);
5799 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5801 switch (nft_trans_chain_policy(trans)) {
5804 basechain->policy = nft_trans_chain_policy(trans);
5809 static void nft_commit_release(struct nft_trans *trans)
5811 switch (trans->msg_type) {
5812 case NFT_MSG_DELTABLE:
5813 nf_tables_table_destroy(&trans->ctx);
5815 case NFT_MSG_DELCHAIN:
5816 nf_tables_chain_destroy(&trans->ctx);
5818 case NFT_MSG_DELRULE:
5819 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5821 case NFT_MSG_DELSET:
5822 nft_set_destroy(nft_trans_set(trans));
5824 case NFT_MSG_DELSETELEM:
5825 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5826 nft_trans_elem(trans).priv);
5828 case NFT_MSG_DELOBJ:
5829 nft_obj_destroy(nft_trans_obj(trans));
5831 case NFT_MSG_DELFLOWTABLE:
5832 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5838 static void nf_tables_commit_release(struct net *net)
5840 struct nft_trans *trans, *next;
5842 if (list_empty(&net->nft.commit_list))
5847 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5848 list_del(&trans->list);
5849 nft_commit_release(trans);
5853 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5855 struct nft_trans *trans, *next;
5856 struct nft_trans_elem *te;
5858 /* Bump generation counter, invalidate any dump in progress */
5859 while (++net->nft.base_seq == 0);
5861 /* A new generation has just started */
5862 net->nft.gencursor = nft_gencursor_next(net);
5864 /* Make sure all packets have left the previous generation before
5865 * purging old rules.
5869 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5870 switch (trans->msg_type) {
5871 case NFT_MSG_NEWTABLE:
5872 if (nft_trans_table_update(trans)) {
5873 if (!nft_trans_table_enable(trans)) {
5874 nf_tables_table_disable(net,
5876 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5879 nft_clear(net, trans->ctx.table);
5881 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5882 nft_trans_destroy(trans);
5884 case NFT_MSG_DELTABLE:
5885 list_del_rcu(&trans->ctx.table->list);
5886 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5888 case NFT_MSG_NEWCHAIN:
5889 if (nft_trans_chain_update(trans))
5890 nft_chain_commit_update(trans);
5892 nft_clear(net, trans->ctx.chain);
5894 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5895 nft_trans_destroy(trans);
5897 case NFT_MSG_DELCHAIN:
5898 list_del_rcu(&trans->ctx.chain->list);
5899 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5900 nf_tables_unregister_hook(trans->ctx.net,
5904 case NFT_MSG_NEWRULE:
5905 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5906 nf_tables_rule_notify(&trans->ctx,
5907 nft_trans_rule(trans),
5909 nft_trans_destroy(trans);
5911 case NFT_MSG_DELRULE:
5912 list_del_rcu(&nft_trans_rule(trans)->list);
5913 nf_tables_rule_notify(&trans->ctx,
5914 nft_trans_rule(trans),
5917 case NFT_MSG_NEWSET:
5918 nft_clear(net, nft_trans_set(trans));
5919 /* This avoids hitting -EBUSY when deleting the table
5920 * from the transaction.
5922 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5923 !list_empty(&nft_trans_set(trans)->bindings))
5924 trans->ctx.table->use--;
5926 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5927 NFT_MSG_NEWSET, GFP_KERNEL);
5928 nft_trans_destroy(trans);
5930 case NFT_MSG_DELSET:
5931 list_del_rcu(&nft_trans_set(trans)->list);
5932 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5933 NFT_MSG_DELSET, GFP_KERNEL);
5935 case NFT_MSG_NEWSETELEM:
5936 te = (struct nft_trans_elem *)trans->data;
5938 te->set->ops->activate(net, te->set, &te->elem);
5939 nf_tables_setelem_notify(&trans->ctx, te->set,
5941 NFT_MSG_NEWSETELEM, 0);
5942 nft_trans_destroy(trans);
5944 case NFT_MSG_DELSETELEM:
5945 te = (struct nft_trans_elem *)trans->data;
5947 nf_tables_setelem_notify(&trans->ctx, te->set,
5949 NFT_MSG_DELSETELEM, 0);
5950 te->set->ops->remove(net, te->set, &te->elem);
5951 atomic_dec(&te->set->nelems);
5954 case NFT_MSG_NEWOBJ:
5955 nft_clear(net, nft_trans_obj(trans));
5956 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5958 nft_trans_destroy(trans);
5960 case NFT_MSG_DELOBJ:
5961 list_del_rcu(&nft_trans_obj(trans)->list);
5962 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5965 case NFT_MSG_NEWFLOWTABLE:
5966 nft_clear(net, nft_trans_flowtable(trans));
5967 nf_tables_flowtable_notify(&trans->ctx,
5968 nft_trans_flowtable(trans),
5969 NFT_MSG_NEWFLOWTABLE);
5970 nft_trans_destroy(trans);
5972 case NFT_MSG_DELFLOWTABLE:
5973 list_del_rcu(&nft_trans_flowtable(trans)->list);
5974 nf_tables_flowtable_notify(&trans->ctx,
5975 nft_trans_flowtable(trans),
5976 NFT_MSG_DELFLOWTABLE);
5977 nft_unregister_flowtable_net_hooks(net,
5978 nft_trans_flowtable(trans));
5983 nf_tables_commit_release(net);
5984 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5989 static void nf_tables_abort_release(struct nft_trans *trans)
5991 switch (trans->msg_type) {
5992 case NFT_MSG_NEWTABLE:
5993 nf_tables_table_destroy(&trans->ctx);
5995 case NFT_MSG_NEWCHAIN:
5996 nf_tables_chain_destroy(&trans->ctx);
5998 case NFT_MSG_NEWRULE:
5999 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6001 case NFT_MSG_NEWSET:
6002 nft_set_destroy(nft_trans_set(trans));
6004 case NFT_MSG_NEWSETELEM:
6005 nft_set_elem_destroy(nft_trans_elem_set(trans),
6006 nft_trans_elem(trans).priv, true);
6008 case NFT_MSG_NEWOBJ:
6009 nft_obj_destroy(nft_trans_obj(trans));
6011 case NFT_MSG_NEWFLOWTABLE:
6012 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6018 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6020 struct nft_trans *trans, *next;
6021 struct nft_trans_elem *te;
6023 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6025 switch (trans->msg_type) {
6026 case NFT_MSG_NEWTABLE:
6027 if (nft_trans_table_update(trans)) {
6028 if (nft_trans_table_enable(trans)) {
6029 nf_tables_table_disable(net,
6031 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6033 nft_trans_destroy(trans);
6035 list_del_rcu(&trans->ctx.table->list);
6038 case NFT_MSG_DELTABLE:
6039 nft_clear(trans->ctx.net, trans->ctx.table);
6040 nft_trans_destroy(trans);
6042 case NFT_MSG_NEWCHAIN:
6043 if (nft_trans_chain_update(trans)) {
6044 free_percpu(nft_trans_chain_stats(trans));
6046 nft_trans_destroy(trans);
6048 trans->ctx.table->use--;
6049 list_del_rcu(&trans->ctx.chain->list);
6050 nf_tables_unregister_hook(trans->ctx.net,
6055 case NFT_MSG_DELCHAIN:
6056 trans->ctx.table->use++;
6057 nft_clear(trans->ctx.net, trans->ctx.chain);
6058 nft_trans_destroy(trans);
6060 case NFT_MSG_NEWRULE:
6061 trans->ctx.chain->use--;
6062 list_del_rcu(&nft_trans_rule(trans)->list);
6063 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6065 case NFT_MSG_DELRULE:
6066 trans->ctx.chain->use++;
6067 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6068 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6069 nft_trans_destroy(trans);
6071 case NFT_MSG_NEWSET:
6072 trans->ctx.table->use--;
6073 list_del_rcu(&nft_trans_set(trans)->list);
6075 case NFT_MSG_DELSET:
6076 trans->ctx.table->use++;
6077 nft_clear(trans->ctx.net, nft_trans_set(trans));
6078 nft_trans_destroy(trans);
6080 case NFT_MSG_NEWSETELEM:
6081 te = (struct nft_trans_elem *)trans->data;
6083 te->set->ops->remove(net, te->set, &te->elem);
6084 atomic_dec(&te->set->nelems);
6086 case NFT_MSG_DELSETELEM:
6087 te = (struct nft_trans_elem *)trans->data;
6089 nft_set_elem_activate(net, te->set, &te->elem);
6090 te->set->ops->activate(net, te->set, &te->elem);
6093 nft_trans_destroy(trans);
6095 case NFT_MSG_NEWOBJ:
6096 trans->ctx.table->use--;
6097 list_del_rcu(&nft_trans_obj(trans)->list);
6099 case NFT_MSG_DELOBJ:
6100 trans->ctx.table->use++;
6101 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6102 nft_trans_destroy(trans);
6104 case NFT_MSG_NEWFLOWTABLE:
6105 trans->ctx.table->use--;
6106 list_del_rcu(&nft_trans_flowtable(trans)->list);
6107 nft_unregister_flowtable_net_hooks(net,
6108 nft_trans_flowtable(trans));
6110 case NFT_MSG_DELFLOWTABLE:
6111 trans->ctx.table->use++;
6112 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6113 nft_trans_destroy(trans);
6120 list_for_each_entry_safe_reverse(trans, next,
6121 &net->nft.commit_list, list) {
6122 list_del(&trans->list);
6123 nf_tables_abort_release(trans);
6129 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6131 return net->nft.base_seq == genid;
6134 static const struct nfnetlink_subsystem nf_tables_subsys = {
6135 .name = "nf_tables",
6136 .subsys_id = NFNL_SUBSYS_NFTABLES,
6137 .cb_count = NFT_MSG_MAX,
6139 .commit = nf_tables_commit,
6140 .abort = nf_tables_abort,
6141 .valid_genid = nf_tables_valid_genid,
6144 int nft_chain_validate_dependency(const struct nft_chain *chain,
6145 enum nft_chain_types type)
6147 const struct nft_base_chain *basechain;
6149 if (nft_is_base_chain(chain)) {
6150 basechain = nft_base_chain(chain);
6151 if (basechain->type->type != type)
6156 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6158 int nft_chain_validate_hooks(const struct nft_chain *chain,
6159 unsigned int hook_flags)
6161 struct nft_base_chain *basechain;
6163 if (nft_is_base_chain(chain)) {
6164 basechain = nft_base_chain(chain);
6166 if ((1 << basechain->ops.hooknum) & hook_flags)
6174 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6177 * Loop detection - walk through the ruleset beginning at the destination chain
6178 * of a new jump until either the source chain is reached (loop) or all
6179 * reachable chains have been traversed.
6181 * The loop check is performed whenever a new jump verdict is added to an
6182 * expression or verdict map or a verdict map is bound to a new chain.
6185 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6186 const struct nft_chain *chain);
6188 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6189 struct nft_set *set,
6190 const struct nft_set_iter *iter,
6191 struct nft_set_elem *elem)
6193 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6194 const struct nft_data *data;
6196 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6197 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6200 data = nft_set_ext_data(ext);
6201 switch (data->verdict.code) {
6204 return nf_tables_check_loops(ctx, data->verdict.chain);
6210 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6211 const struct nft_chain *chain)
6213 const struct nft_rule *rule;
6214 const struct nft_expr *expr, *last;
6215 struct nft_set *set;
6216 struct nft_set_binding *binding;
6217 struct nft_set_iter iter;
6219 if (ctx->chain == chain)
6222 list_for_each_entry(rule, &chain->rules, list) {
6223 nft_rule_for_each_expr(expr, last, rule) {
6224 const struct nft_data *data = NULL;
6227 if (!expr->ops->validate)
6230 err = expr->ops->validate(ctx, expr, &data);
6237 switch (data->verdict.code) {
6240 err = nf_tables_check_loops(ctx,
6241 data->verdict.chain);
6250 list_for_each_entry(set, &ctx->table->sets, list) {
6251 if (!nft_is_active_next(ctx->net, set))
6253 if (!(set->flags & NFT_SET_MAP) ||
6254 set->dtype != NFT_DATA_VERDICT)
6257 list_for_each_entry(binding, &set->bindings, list) {
6258 if (!(binding->flags & NFT_SET_MAP) ||
6259 binding->chain != chain)
6262 iter.genmask = nft_genmask_next(ctx->net);
6266 iter.fn = nf_tables_loop_check_setelem;
6268 set->ops->walk(ctx, set, &iter);
6278 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6280 * @attr: netlink attribute to fetch value from
6281 * @max: maximum value to be stored in dest
6282 * @dest: pointer to the variable
6284 * Parse, check and store a given u32 netlink attribute into variable.
6285 * This function returns -ERANGE if the value goes over maximum value.
6286 * Otherwise a 0 is returned and the attribute value is stored in the
6287 * destination variable.
6289 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6293 val = ntohl(nla_get_be32(attr));
6300 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6303 * nft_parse_register - parse a register value from a netlink attribute
6305 * @attr: netlink attribute
6307 * Parse and translate a register value from a netlink attribute.
6308 * Registers used to be 128 bit wide, these register numbers will be
6309 * mapped to the corresponding 32 bit register numbers.
6311 unsigned int nft_parse_register(const struct nlattr *attr)
6315 reg = ntohl(nla_get_be32(attr));
6317 case NFT_REG_VERDICT...NFT_REG_4:
6318 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6320 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6323 EXPORT_SYMBOL_GPL(nft_parse_register);
6326 * nft_dump_register - dump a register value to a netlink attribute
6328 * @skb: socket buffer
6329 * @attr: attribute number
6330 * @reg: register number
6332 * Construct a netlink attribute containing the register number. For
6333 * compatibility reasons, register numbers being a multiple of 4 are
6334 * translated to the corresponding 128 bit register numbers.
6336 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6338 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6339 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6341 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6343 return nla_put_be32(skb, attr, htonl(reg));
6345 EXPORT_SYMBOL_GPL(nft_dump_register);
6348 * nft_validate_register_load - validate a load from a register
6350 * @reg: the register number
6351 * @len: the length of the data
6353 * Validate that the input register is one of the general purpose
6354 * registers and that the length of the load is within the bounds.
6356 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6358 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6362 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6367 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6370 * nft_validate_register_store - validate an expressions' register store
6372 * @ctx: context of the expression performing the load
6373 * @reg: the destination register number
6374 * @data: the data to load
6375 * @type: the data type
6376 * @len: the length of the data
6378 * Validate that a data load uses the appropriate data type for
6379 * the destination register and the length is within the bounds.
6380 * A value of NULL for the data means that its runtime gathered
6383 int nft_validate_register_store(const struct nft_ctx *ctx,
6384 enum nft_registers reg,
6385 const struct nft_data *data,
6386 enum nft_data_types type, unsigned int len)
6391 case NFT_REG_VERDICT:
6392 if (type != NFT_DATA_VERDICT)
6396 (data->verdict.code == NFT_GOTO ||
6397 data->verdict.code == NFT_JUMP)) {
6398 err = nf_tables_check_loops(ctx, data->verdict.chain);
6402 if (ctx->chain->level + 1 >
6403 data->verdict.chain->level) {
6404 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6406 data->verdict.chain->level = ctx->chain->level + 1;
6412 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6416 if (reg * NFT_REG32_SIZE + len >
6417 FIELD_SIZEOF(struct nft_regs, data))
6420 if (data != NULL && type != NFT_DATA_VALUE)
6425 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6427 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6428 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6429 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6430 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6433 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6434 struct nft_data_desc *desc, const struct nlattr *nla)
6436 u8 genmask = nft_genmask_next(ctx->net);
6437 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6438 struct nft_chain *chain;
6441 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6446 if (!tb[NFTA_VERDICT_CODE])
6448 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6450 switch (data->verdict.code) {
6452 switch (data->verdict.code & NF_VERDICT_MASK) {
6467 if (!tb[NFTA_VERDICT_CHAIN])
6469 chain = nft_chain_lookup(ctx->table, tb[NFTA_VERDICT_CHAIN],
6472 return PTR_ERR(chain);
6473 if (nft_is_base_chain(chain))
6477 data->verdict.chain = chain;
6481 desc->len = sizeof(data->verdict);
6482 desc->type = NFT_DATA_VERDICT;
6486 static void nft_verdict_uninit(const struct nft_data *data)
6488 switch (data->verdict.code) {
6491 data->verdict.chain->use--;
6496 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6498 struct nlattr *nest;
6500 nest = nla_nest_start(skb, type);
6502 goto nla_put_failure;
6504 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6505 goto nla_put_failure;
6510 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6512 goto nla_put_failure;
6514 nla_nest_end(skb, nest);
6521 static int nft_value_init(const struct nft_ctx *ctx,
6522 struct nft_data *data, unsigned int size,
6523 struct nft_data_desc *desc, const struct nlattr *nla)
6533 nla_memcpy(data->data, nla, len);
6534 desc->type = NFT_DATA_VALUE;
6539 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6542 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6545 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6546 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6547 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6551 * nft_data_init - parse nf_tables data netlink attributes
6553 * @ctx: context of the expression using the data
6554 * @data: destination struct nft_data
6555 * @size: maximum data length
6556 * @desc: data description
6557 * @nla: netlink attribute containing data
6559 * Parse the netlink data attributes and initialize a struct nft_data.
6560 * The type and length of data are returned in the data description.
6562 * The caller can indicate that it only wants to accept data of type
6563 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6565 int nft_data_init(const struct nft_ctx *ctx,
6566 struct nft_data *data, unsigned int size,
6567 struct nft_data_desc *desc, const struct nlattr *nla)
6569 struct nlattr *tb[NFTA_DATA_MAX + 1];
6572 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6576 if (tb[NFTA_DATA_VALUE])
6577 return nft_value_init(ctx, data, size, desc,
6578 tb[NFTA_DATA_VALUE]);
6579 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6580 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6583 EXPORT_SYMBOL_GPL(nft_data_init);
6586 * nft_data_release - release a nft_data item
6588 * @data: struct nft_data to release
6589 * @type: type of data
6591 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6592 * all others need to be released by calling this function.
6594 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6596 if (type < NFT_DATA_VERDICT)
6599 case NFT_DATA_VERDICT:
6600 return nft_verdict_uninit(data);
6605 EXPORT_SYMBOL_GPL(nft_data_release);
6607 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6608 enum nft_data_types type, unsigned int len)
6610 struct nlattr *nest;
6613 nest = nla_nest_start(skb, attr);
6618 case NFT_DATA_VALUE:
6619 err = nft_value_dump(skb, data, len);
6621 case NFT_DATA_VERDICT:
6622 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6629 nla_nest_end(skb, nest);
6632 EXPORT_SYMBOL_GPL(nft_data_dump);
6634 int __nft_release_basechain(struct nft_ctx *ctx)
6636 struct nft_rule *rule, *nr;
6638 BUG_ON(!nft_is_base_chain(ctx->chain));
6640 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6641 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6642 list_del(&rule->list);
6644 nf_tables_rule_release(ctx, rule);
6646 list_del(&ctx->chain->list);
6648 nf_tables_chain_destroy(ctx);
6652 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6654 static void __nft_release_tables(struct net *net)
6656 struct nft_flowtable *flowtable, *nf;
6657 struct nft_table *table, *nt;
6658 struct nft_chain *chain, *nc;
6659 struct nft_object *obj, *ne;
6660 struct nft_rule *rule, *nr;
6661 struct nft_set *set, *ns;
6662 struct nft_ctx ctx = {
6664 .family = NFPROTO_NETDEV,
6667 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6668 ctx.family = table->family;
6670 list_for_each_entry(chain, &table->chains, list)
6671 nf_tables_unregister_hook(net, table, chain);
6672 list_for_each_entry(flowtable, &table->flowtables, list)
6673 nf_unregister_net_hooks(net, flowtable->ops,
6674 flowtable->ops_len);
6675 /* No packets are walking on these chains anymore. */
6677 list_for_each_entry(chain, &table->chains, list) {
6679 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6680 list_del(&rule->list);
6682 nf_tables_rule_release(&ctx, rule);
6685 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6686 list_del(&flowtable->list);
6688 nf_tables_flowtable_destroy(flowtable);
6690 list_for_each_entry_safe(set, ns, &table->sets, list) {
6691 list_del(&set->list);
6693 nft_set_destroy(set);
6695 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6696 list_del(&obj->list);
6698 nft_obj_destroy(obj);
6700 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6702 list_del(&chain->list);
6704 nf_tables_chain_destroy(&ctx);
6706 list_del(&table->list);
6707 nf_tables_table_destroy(&ctx);
6711 static int __net_init nf_tables_init_net(struct net *net)
6713 INIT_LIST_HEAD(&net->nft.tables);
6714 INIT_LIST_HEAD(&net->nft.commit_list);
6715 net->nft.base_seq = 1;
6719 static void __net_exit nf_tables_exit_net(struct net *net)
6721 __nft_release_tables(net);
6722 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6723 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6726 static struct pernet_operations nf_tables_net_ops = {
6727 .init = nf_tables_init_net,
6728 .exit = nf_tables_exit_net,
6731 static int __init nf_tables_module_init(void)
6735 nft_chain_filter_init();
6737 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6744 err = nf_tables_core_module_init();
6748 err = nfnetlink_subsys_register(&nf_tables_subsys);
6752 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6754 return register_pernet_subsys(&nf_tables_net_ops);
6756 nf_tables_core_module_exit();
6763 static void __exit nf_tables_module_exit(void)
6765 unregister_pernet_subsys(&nf_tables_net_ops);
6766 nfnetlink_subsys_unregister(&nf_tables_subsys);
6767 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6769 nf_tables_core_module_exit();
6771 nft_chain_filter_fini();
6774 module_init(nf_tables_module_init);
6775 module_exit(nf_tables_module_exit);
6777 MODULE_LICENSE("GPL");
6778 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6779 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);