1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
36 NFT_VALIDATE_SKIP = 0,
41 static struct rhltable nft_objname_ht;
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
51 static const struct rhashtable_params nft_chain_ht_params = {
52 .head_offset = offsetof(struct nft_chain, rhlhead),
53 .key_offset = offsetof(struct nft_chain, name),
54 .hashfn = nft_chain_hash,
55 .obj_hashfn = nft_chain_hash_obj,
56 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
71 switch (net->nft.validate_state) {
72 case NFT_VALIDATE_SKIP:
73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
75 case NFT_VALIDATE_NEED:
78 if (new_validate_state == NFT_VALIDATE_NEED)
82 net->nft.validate_state = new_validate_state;
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
87 static void nft_ctx_init(struct nft_ctx *ctx,
89 const struct sk_buff *skb,
90 const struct nlmsghdr *nlh,
92 struct nft_table *table,
93 struct nft_chain *chain,
94 const struct nlattr * const *nla)
102 ctx->portid = NETLINK_CB(skb).portid;
103 ctx->report = nlmsg_report(nlh);
104 ctx->flags = nlh->nlmsg_flags;
105 ctx->seq = nlh->nlmsg_seq;
108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
109 int msg_type, u32 size, gfp_t gfp)
111 struct nft_trans *trans;
113 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
117 trans->msg_type = msg_type;
123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
124 int msg_type, u32 size)
126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
129 static void nft_trans_destroy(struct nft_trans *trans)
131 list_del(&trans->list);
135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
137 struct net *net = ctx->net;
138 struct nft_trans *trans;
140 if (!nft_set_is_anonymous(set))
143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
144 switch (trans->msg_type) {
146 if (nft_trans_set(trans) == set)
147 nft_trans_set_bound(trans) = true;
149 case NFT_MSG_NEWSETELEM:
150 if (nft_trans_elem_set(trans) == set)
151 nft_trans_elem_set_bound(trans) = true;
157 static int nft_netdev_register_hooks(struct net *net,
158 struct list_head *hook_list)
160 struct nft_hook *hook;
164 list_for_each_entry(hook, hook_list, list) {
165 err = nf_register_net_hook(net, &hook->ops);
174 list_for_each_entry(hook, hook_list, list) {
178 nf_unregister_net_hook(net, &hook->ops);
183 static void nft_netdev_unregister_hooks(struct net *net,
184 struct list_head *hook_list)
186 struct nft_hook *hook;
188 list_for_each_entry(hook, hook_list, list)
189 nf_unregister_net_hook(net, &hook->ops);
192 static int nf_tables_register_hook(struct net *net,
193 const struct nft_table *table,
194 struct nft_chain *chain)
196 struct nft_base_chain *basechain;
197 const struct nf_hook_ops *ops;
199 if (table->flags & NFT_TABLE_F_DORMANT ||
200 !nft_is_base_chain(chain))
203 basechain = nft_base_chain(chain);
204 ops = &basechain->ops;
206 if (basechain->type->ops_register)
207 return basechain->type->ops_register(net, ops);
209 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
210 return nft_netdev_register_hooks(net, &basechain->hook_list);
212 return nf_register_net_hook(net, &basechain->ops);
215 static void nf_tables_unregister_hook(struct net *net,
216 const struct nft_table *table,
217 struct nft_chain *chain)
219 struct nft_base_chain *basechain;
220 const struct nf_hook_ops *ops;
222 if (table->flags & NFT_TABLE_F_DORMANT ||
223 !nft_is_base_chain(chain))
225 basechain = nft_base_chain(chain);
226 ops = &basechain->ops;
228 if (basechain->type->ops_unregister)
229 return basechain->type->ops_unregister(net, ops);
231 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
232 nft_netdev_unregister_hooks(net, &basechain->hook_list);
234 nf_unregister_net_hook(net, &basechain->ops);
237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
239 struct nft_trans *trans;
241 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
245 if (msg_type == NFT_MSG_NEWTABLE)
246 nft_activate_next(ctx->net, ctx->table);
248 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
252 static int nft_deltable(struct nft_ctx *ctx)
256 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
260 nft_deactivate_next(ctx->net, ctx->table);
264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
266 struct nft_trans *trans;
268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
270 return ERR_PTR(-ENOMEM);
272 if (msg_type == NFT_MSG_NEWCHAIN) {
273 nft_activate_next(ctx->net, ctx->chain);
275 if (ctx->nla[NFTA_CHAIN_ID]) {
276 nft_trans_chain_id(trans) =
277 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
281 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
285 static int nft_delchain(struct nft_ctx *ctx)
287 struct nft_trans *trans;
289 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
291 return PTR_ERR(trans);
294 nft_deactivate_next(ctx->net, ctx->chain);
299 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
300 struct nft_rule *rule)
302 struct nft_expr *expr;
304 expr = nft_expr_first(rule);
305 while (nft_expr_more(rule, expr)) {
306 if (expr->ops->activate)
307 expr->ops->activate(ctx, expr);
309 expr = nft_expr_next(expr);
313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
314 struct nft_rule *rule,
315 enum nft_trans_phase phase)
317 struct nft_expr *expr;
319 expr = nft_expr_first(rule);
320 while (nft_expr_more(rule, expr)) {
321 if (expr->ops->deactivate)
322 expr->ops->deactivate(ctx, expr, phase);
324 expr = nft_expr_next(expr);
329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
331 /* You cannot delete the same rule twice */
332 if (nft_is_active_next(ctx->net, rule)) {
333 nft_deactivate_next(ctx->net, rule);
340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
341 struct nft_rule *rule)
343 struct nft_trans *trans;
345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
349 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
350 nft_trans_rule_id(trans) =
351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
353 nft_trans_rule(trans) = rule;
354 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
361 struct nft_flow_rule *flow;
362 struct nft_trans *trans;
365 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
369 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
370 flow = nft_flow_rule_create(ctx->net, rule);
372 nft_trans_destroy(trans);
373 return PTR_ERR(flow);
376 nft_trans_flow_rule(trans) = flow;
379 err = nf_tables_delrule_deactivate(ctx, rule);
381 nft_trans_destroy(trans);
384 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
389 static int nft_delrule_by_chain(struct nft_ctx *ctx)
391 struct nft_rule *rule;
394 list_for_each_entry(rule, &ctx->chain->rules, list) {
395 if (!nft_is_active_next(ctx->net, rule))
398 err = nft_delrule(ctx, rule);
405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
408 struct nft_trans *trans;
410 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
414 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
415 nft_trans_set_id(trans) =
416 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
417 nft_activate_next(ctx->net, set);
419 nft_trans_set(trans) = set;
420 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
429 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
433 nft_deactivate_next(ctx->net, set);
439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
440 struct nft_object *obj)
442 struct nft_trans *trans;
444 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
448 if (msg_type == NFT_MSG_NEWOBJ)
449 nft_activate_next(ctx->net, obj);
451 nft_trans_obj(trans) = obj;
452 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
461 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
465 nft_deactivate_next(ctx->net, obj);
471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
472 struct nft_flowtable *flowtable)
474 struct nft_trans *trans;
476 trans = nft_trans_alloc(ctx, msg_type,
477 sizeof(struct nft_trans_flowtable));
481 if (msg_type == NFT_MSG_NEWFLOWTABLE)
482 nft_activate_next(ctx->net, flowtable);
484 nft_trans_flowtable(trans) = flowtable;
485 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
490 static int nft_delflowtable(struct nft_ctx *ctx,
491 struct nft_flowtable *flowtable)
495 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
499 nft_deactivate_next(ctx->net, flowtable);
509 static struct nft_table *nft_table_lookup(const struct net *net,
510 const struct nlattr *nla,
511 u8 family, u8 genmask)
513 struct nft_table *table;
516 return ERR_PTR(-EINVAL);
518 list_for_each_entry_rcu(table, &net->nft.tables, list,
519 lockdep_is_held(&net->nft.commit_mutex)) {
520 if (!nla_strcmp(nla, table->name) &&
521 table->family == family &&
522 nft_active_genmask(table, genmask))
526 return ERR_PTR(-ENOENT);
529 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
530 const struct nlattr *nla,
533 struct nft_table *table;
535 list_for_each_entry(table, &net->nft.tables, list) {
536 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
537 nft_active_genmask(table, genmask))
541 return ERR_PTR(-ENOENT);
544 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
546 return ++table->hgenerator;
549 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
551 static const struct nft_chain_type *
552 __nft_chain_type_get(u8 family, enum nft_chain_types type)
554 if (family >= NFPROTO_NUMPROTO ||
555 type >= NFT_CHAIN_T_MAX)
558 return chain_type[family][type];
561 static const struct nft_chain_type *
562 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
564 const struct nft_chain_type *type;
567 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
568 type = __nft_chain_type_get(family, i);
571 if (!nla_strcmp(nla, type->name))
577 struct nft_module_request {
578 struct list_head list;
579 char module[MODULE_NAME_LEN];
583 #ifdef CONFIG_MODULES
584 static int nft_request_module(struct net *net, const char *fmt, ...)
586 char module_name[MODULE_NAME_LEN];
587 struct nft_module_request *req;
592 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
594 if (ret >= MODULE_NAME_LEN)
597 list_for_each_entry(req, &net->nft.module_list, list) {
598 if (!strcmp(req->module, module_name)) {
602 /* A request to load this module already exists. */
607 req = kmalloc(sizeof(*req), GFP_KERNEL);
612 strlcpy(req->module, module_name, MODULE_NAME_LEN);
613 list_add_tail(&req->list, &net->nft.module_list);
619 static void lockdep_nfnl_nft_mutex_not_held(void)
621 #ifdef CONFIG_PROVE_LOCKING
622 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
626 static const struct nft_chain_type *
627 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
628 u8 family, bool autoload)
630 const struct nft_chain_type *type;
632 type = __nf_tables_chain_type_lookup(nla, family);
636 lockdep_nfnl_nft_mutex_not_held();
637 #ifdef CONFIG_MODULES
639 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
641 (const char *)nla_data(nla)) == -EAGAIN)
642 return ERR_PTR(-EAGAIN);
645 return ERR_PTR(-ENOENT);
648 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
649 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
650 .len = NFT_TABLE_MAXNAMELEN - 1 },
651 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
652 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
653 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
654 .len = NFT_USERDATA_MAXLEN }
657 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
658 u32 portid, u32 seq, int event, u32 flags,
659 int family, const struct nft_table *table)
661 struct nlmsghdr *nlh;
662 struct nfgenmsg *nfmsg;
664 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
665 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
667 goto nla_put_failure;
669 nfmsg = nlmsg_data(nlh);
670 nfmsg->nfgen_family = family;
671 nfmsg->version = NFNETLINK_V0;
672 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
674 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
675 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
676 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
677 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
679 goto nla_put_failure;
682 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
683 goto nla_put_failure;
690 nlmsg_trim(skb, nlh);
694 struct nftnl_skb_parms {
697 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
699 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
700 struct list_head *notify_list)
702 NFT_CB(skb).report = report;
703 list_add_tail(&skb->list, notify_list);
706 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
710 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
711 ctx->table->name, ctx->table->handle);
716 event == NFT_MSG_NEWTABLE ?
717 AUDIT_NFT_OP_TABLE_REGISTER :
718 AUDIT_NFT_OP_TABLE_UNREGISTER,
723 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
726 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
730 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
731 event, 0, ctx->family, ctx->table);
737 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
740 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
743 static int nf_tables_dump_tables(struct sk_buff *skb,
744 struct netlink_callback *cb)
746 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
747 const struct nft_table *table;
748 unsigned int idx = 0, s_idx = cb->args[0];
749 struct net *net = sock_net(skb->sk);
750 int family = nfmsg->nfgen_family;
753 cb->seq = net->nft.base_seq;
755 list_for_each_entry_rcu(table, &net->nft.tables, list) {
756 if (family != NFPROTO_UNSPEC && family != table->family)
762 memset(&cb->args[1], 0,
763 sizeof(cb->args) - sizeof(cb->args[0]));
764 if (!nft_is_active(net, table))
766 if (nf_tables_fill_table_info(skb, net,
767 NETLINK_CB(cb->skb).portid,
769 NFT_MSG_NEWTABLE, NLM_F_MULTI,
770 table->family, table) < 0)
773 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
783 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
784 const struct nlmsghdr *nlh,
785 struct netlink_dump_control *c)
789 if (!try_module_get(THIS_MODULE))
793 err = netlink_dump_start(nlsk, skb, nlh, c);
795 module_put(THIS_MODULE);
800 /* called with rcu_read_lock held */
801 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
802 struct sk_buff *skb, const struct nlmsghdr *nlh,
803 const struct nlattr * const nla[],
804 struct netlink_ext_ack *extack)
806 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
807 u8 genmask = nft_genmask_cur(net);
808 const struct nft_table *table;
809 struct sk_buff *skb2;
810 int family = nfmsg->nfgen_family;
813 if (nlh->nlmsg_flags & NLM_F_DUMP) {
814 struct netlink_dump_control c = {
815 .dump = nf_tables_dump_tables,
816 .module = THIS_MODULE,
819 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
822 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
824 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
825 return PTR_ERR(table);
828 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
832 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
833 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
836 goto err_fill_table_info;
838 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
845 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
847 struct nft_chain *chain;
850 list_for_each_entry(chain, &table->chains, list) {
851 if (!nft_is_active_next(net, chain))
853 if (!nft_is_base_chain(chain))
856 if (cnt && i++ == cnt)
859 nf_tables_unregister_hook(net, table, chain);
863 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
865 struct nft_chain *chain;
868 list_for_each_entry(chain, &table->chains, list) {
869 if (!nft_is_active_next(net, chain))
871 if (!nft_is_base_chain(chain))
874 err = nf_tables_register_hook(net, table, chain);
876 goto err_register_hooks;
884 nft_table_disable(net, table, i);
888 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
890 nft_table_disable(net, table, 0);
893 static int nf_tables_updtable(struct nft_ctx *ctx)
895 struct nft_trans *trans;
899 if (!ctx->nla[NFTA_TABLE_FLAGS])
902 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
903 if (flags & ~NFT_TABLE_F_DORMANT)
906 if (flags == ctx->table->flags)
909 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
910 sizeof(struct nft_trans_table));
914 if ((flags & NFT_TABLE_F_DORMANT) &&
915 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
916 nft_trans_table_enable(trans) = false;
917 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
918 ctx->table->flags & NFT_TABLE_F_DORMANT) {
919 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
920 ret = nf_tables_table_enable(ctx->net, ctx->table);
922 nft_trans_table_enable(trans) = true;
924 ctx->table->flags |= NFT_TABLE_F_DORMANT;
929 nft_trans_table_update(trans) = true;
930 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
933 nft_trans_destroy(trans);
937 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
939 const char *name = data;
941 return jhash(name, strlen(name), seed);
944 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
946 const struct nft_chain *chain = data;
948 return nft_chain_hash(chain->name, 0, seed);
951 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
954 const struct nft_chain *chain = ptr;
955 const char *name = arg->key;
957 return strcmp(chain->name, name);
960 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
962 const struct nft_object_hash_key *k = data;
964 seed ^= hash_ptr(k->table, 32);
966 return jhash(k->name, strlen(k->name), seed);
969 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
971 const struct nft_object *obj = data;
973 return nft_objname_hash(&obj->key, 0, seed);
976 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
979 const struct nft_object_hash_key *k = arg->key;
980 const struct nft_object *obj = ptr;
982 if (obj->key.table != k->table)
985 return strcmp(obj->key.name, k->name);
988 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
989 struct sk_buff *skb, const struct nlmsghdr *nlh,
990 const struct nlattr * const nla[],
991 struct netlink_ext_ack *extack)
993 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
994 u8 genmask = nft_genmask_next(net);
995 int family = nfmsg->nfgen_family;
996 const struct nlattr *attr;
997 struct nft_table *table;
1002 lockdep_assert_held(&net->nft.commit_mutex);
1003 attr = nla[NFTA_TABLE_NAME];
1004 table = nft_table_lookup(net, attr, family, genmask);
1005 if (IS_ERR(table)) {
1006 if (PTR_ERR(table) != -ENOENT)
1007 return PTR_ERR(table);
1009 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1010 NL_SET_BAD_ATTR(extack, attr);
1013 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1016 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1017 return nf_tables_updtable(&ctx);
1020 if (nla[NFTA_TABLE_FLAGS]) {
1021 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1022 if (flags & ~NFT_TABLE_F_DORMANT)
1027 table = kzalloc(sizeof(*table), GFP_KERNEL);
1031 table->name = nla_strdup(attr, GFP_KERNEL);
1032 if (table->name == NULL)
1035 if (nla[NFTA_TABLE_USERDATA]) {
1036 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1037 if (table->udata == NULL)
1038 goto err_table_udata;
1040 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1043 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1047 INIT_LIST_HEAD(&table->chains);
1048 INIT_LIST_HEAD(&table->sets);
1049 INIT_LIST_HEAD(&table->objects);
1050 INIT_LIST_HEAD(&table->flowtables);
1051 table->family = family;
1052 table->flags = flags;
1053 table->handle = ++table_handle;
1055 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1056 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1060 list_add_tail_rcu(&table->list, &net->nft.tables);
1063 rhltable_destroy(&table->chains_ht);
1065 kfree(table->udata);
1074 static int nft_flush_table(struct nft_ctx *ctx)
1076 struct nft_flowtable *flowtable, *nft;
1077 struct nft_chain *chain, *nc;
1078 struct nft_object *obj, *ne;
1079 struct nft_set *set, *ns;
1082 list_for_each_entry(chain, &ctx->table->chains, list) {
1083 if (!nft_is_active_next(ctx->net, chain))
1086 if (nft_chain_is_bound(chain))
1091 err = nft_delrule_by_chain(ctx);
1096 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1097 if (!nft_is_active_next(ctx->net, set))
1100 if (nft_set_is_anonymous(set) &&
1101 !list_empty(&set->bindings))
1104 err = nft_delset(ctx, set);
1109 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1110 if (!nft_is_active_next(ctx->net, flowtable))
1113 err = nft_delflowtable(ctx, flowtable);
1118 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1119 if (!nft_is_active_next(ctx->net, obj))
1122 err = nft_delobj(ctx, obj);
1127 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1128 if (!nft_is_active_next(ctx->net, chain))
1131 if (nft_chain_is_bound(chain))
1136 err = nft_delchain(ctx);
1141 err = nft_deltable(ctx);
1146 static int nft_flush(struct nft_ctx *ctx, int family)
1148 struct nft_table *table, *nt;
1149 const struct nlattr * const *nla = ctx->nla;
1152 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1153 if (family != AF_UNSPEC && table->family != family)
1156 ctx->family = table->family;
1158 if (!nft_is_active_next(ctx->net, table))
1161 if (nla[NFTA_TABLE_NAME] &&
1162 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1167 err = nft_flush_table(ctx);
1175 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1176 struct sk_buff *skb, const struct nlmsghdr *nlh,
1177 const struct nlattr * const nla[],
1178 struct netlink_ext_ack *extack)
1180 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1181 u8 genmask = nft_genmask_next(net);
1182 int family = nfmsg->nfgen_family;
1183 const struct nlattr *attr;
1184 struct nft_table *table;
1187 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1188 if (family == AF_UNSPEC ||
1189 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1190 return nft_flush(&ctx, family);
1192 if (nla[NFTA_TABLE_HANDLE]) {
1193 attr = nla[NFTA_TABLE_HANDLE];
1194 table = nft_table_lookup_byhandle(net, attr, genmask);
1196 attr = nla[NFTA_TABLE_NAME];
1197 table = nft_table_lookup(net, attr, family, genmask);
1200 if (IS_ERR(table)) {
1201 NL_SET_BAD_ATTR(extack, attr);
1202 return PTR_ERR(table);
1205 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1209 ctx.family = family;
1212 return nft_flush_table(&ctx);
1215 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1217 if (WARN_ON(ctx->table->use > 0))
1220 rhltable_destroy(&ctx->table->chains_ht);
1221 kfree(ctx->table->name);
1222 kfree(ctx->table->udata);
1226 void nft_register_chain_type(const struct nft_chain_type *ctype)
1228 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1229 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1230 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1233 chain_type[ctype->family][ctype->type] = ctype;
1234 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1236 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1238 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1240 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1241 chain_type[ctype->family][ctype->type] = NULL;
1242 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1244 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1250 static struct nft_chain *
1251 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1253 struct nft_chain *chain;
1255 list_for_each_entry(chain, &table->chains, list) {
1256 if (chain->handle == handle &&
1257 nft_active_genmask(chain, genmask))
1261 return ERR_PTR(-ENOENT);
1264 static bool lockdep_commit_lock_is_held(const struct net *net)
1266 #ifdef CONFIG_PROVE_LOCKING
1267 return lockdep_is_held(&net->nft.commit_mutex);
1273 static struct nft_chain *nft_chain_lookup(struct net *net,
1274 struct nft_table *table,
1275 const struct nlattr *nla, u8 genmask)
1277 char search[NFT_CHAIN_MAXNAMELEN + 1];
1278 struct rhlist_head *tmp, *list;
1279 struct nft_chain *chain;
1282 return ERR_PTR(-EINVAL);
1284 nla_strlcpy(search, nla, sizeof(search));
1286 WARN_ON(!rcu_read_lock_held() &&
1287 !lockdep_commit_lock_is_held(net));
1289 chain = ERR_PTR(-ENOENT);
1291 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1295 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1296 if (nft_active_genmask(chain, genmask))
1299 chain = ERR_PTR(-ENOENT);
1305 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1306 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1307 .len = NFT_TABLE_MAXNAMELEN - 1 },
1308 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1309 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1310 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1311 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1312 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1313 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1314 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1315 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1316 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1317 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1318 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1319 .len = NFT_USERDATA_MAXLEN },
1322 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1323 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1324 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1325 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1326 .len = IFNAMSIZ - 1 },
1329 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1331 struct nft_stats *cpu_stats, total;
1332 struct nlattr *nest;
1340 memset(&total, 0, sizeof(total));
1341 for_each_possible_cpu(cpu) {
1342 cpu_stats = per_cpu_ptr(stats, cpu);
1344 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1345 pkts = cpu_stats->pkts;
1346 bytes = cpu_stats->bytes;
1347 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1349 total.bytes += bytes;
1351 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1353 goto nla_put_failure;
1355 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1356 NFTA_COUNTER_PAD) ||
1357 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1359 goto nla_put_failure;
1361 nla_nest_end(skb, nest);
1368 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1369 const struct nft_base_chain *basechain)
1371 const struct nf_hook_ops *ops = &basechain->ops;
1372 struct nft_hook *hook, *first = NULL;
1373 struct nlattr *nest, *nest_devs;
1376 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1378 goto nla_put_failure;
1379 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1380 goto nla_put_failure;
1381 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1382 goto nla_put_failure;
1384 if (nft_base_chain_netdev(family, ops->hooknum)) {
1385 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1386 list_for_each_entry(hook, &basechain->hook_list, list) {
1390 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1391 hook->ops.dev->name))
1392 goto nla_put_failure;
1395 nla_nest_end(skb, nest_devs);
1398 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1399 goto nla_put_failure;
1401 nla_nest_end(skb, nest);
1408 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1409 u32 portid, u32 seq, int event, u32 flags,
1410 int family, const struct nft_table *table,
1411 const struct nft_chain *chain)
1413 struct nlmsghdr *nlh;
1414 struct nfgenmsg *nfmsg;
1416 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1417 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1419 goto nla_put_failure;
1421 nfmsg = nlmsg_data(nlh);
1422 nfmsg->nfgen_family = family;
1423 nfmsg->version = NFNETLINK_V0;
1424 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1426 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1427 goto nla_put_failure;
1428 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1430 goto nla_put_failure;
1431 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1432 goto nla_put_failure;
1434 if (nft_is_base_chain(chain)) {
1435 const struct nft_base_chain *basechain = nft_base_chain(chain);
1436 struct nft_stats __percpu *stats;
1438 if (nft_dump_basechain_hook(skb, family, basechain))
1439 goto nla_put_failure;
1441 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1442 htonl(basechain->policy)))
1443 goto nla_put_failure;
1445 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1446 goto nla_put_failure;
1448 stats = rcu_dereference_check(basechain->stats,
1449 lockdep_commit_lock_is_held(net));
1450 if (nft_dump_stats(skb, stats))
1451 goto nla_put_failure;
1455 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1456 goto nla_put_failure;
1458 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1459 goto nla_put_failure;
1462 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1463 goto nla_put_failure;
1465 nlmsg_end(skb, nlh);
1469 nlmsg_trim(skb, nlh);
1473 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1475 struct sk_buff *skb;
1477 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
1478 ctx->table->name, ctx->table->handle,
1479 ctx->chain->name, ctx->chain->handle);
1481 audit_log_nfcfg(buf,
1484 event == NFT_MSG_NEWCHAIN ?
1485 AUDIT_NFT_OP_CHAIN_REGISTER :
1486 AUDIT_NFT_OP_CHAIN_UNREGISTER,
1491 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1494 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1498 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1499 event, 0, ctx->family, ctx->table,
1506 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1509 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1512 static int nf_tables_dump_chains(struct sk_buff *skb,
1513 struct netlink_callback *cb)
1515 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1516 const struct nft_table *table;
1517 const struct nft_chain *chain;
1518 unsigned int idx = 0, s_idx = cb->args[0];
1519 struct net *net = sock_net(skb->sk);
1520 int family = nfmsg->nfgen_family;
1523 cb->seq = net->nft.base_seq;
1525 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1526 if (family != NFPROTO_UNSPEC && family != table->family)
1529 list_for_each_entry_rcu(chain, &table->chains, list) {
1533 memset(&cb->args[1], 0,
1534 sizeof(cb->args) - sizeof(cb->args[0]));
1535 if (!nft_is_active(net, chain))
1537 if (nf_tables_fill_chain_info(skb, net,
1538 NETLINK_CB(cb->skb).portid,
1542 table->family, table,
1546 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1557 /* called with rcu_read_lock held */
1558 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1559 struct sk_buff *skb, const struct nlmsghdr *nlh,
1560 const struct nlattr * const nla[],
1561 struct netlink_ext_ack *extack)
1563 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1564 u8 genmask = nft_genmask_cur(net);
1565 const struct nft_chain *chain;
1566 struct nft_table *table;
1567 struct sk_buff *skb2;
1568 int family = nfmsg->nfgen_family;
1571 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1572 struct netlink_dump_control c = {
1573 .dump = nf_tables_dump_chains,
1574 .module = THIS_MODULE,
1577 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1580 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1581 if (IS_ERR(table)) {
1582 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1583 return PTR_ERR(table);
1586 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1587 if (IS_ERR(chain)) {
1588 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1589 return PTR_ERR(chain);
1592 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1596 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1597 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1598 family, table, chain);
1600 goto err_fill_chain_info;
1602 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1604 err_fill_chain_info:
1609 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1610 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1611 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1614 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1616 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1617 struct nft_stats __percpu *newstats;
1618 struct nft_stats *stats;
1621 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1622 nft_counter_policy, NULL);
1624 return ERR_PTR(err);
1626 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1627 return ERR_PTR(-EINVAL);
1629 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1630 if (newstats == NULL)
1631 return ERR_PTR(-ENOMEM);
1633 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1634 * are not exposed to userspace.
1637 stats = this_cpu_ptr(newstats);
1638 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1639 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1645 static void nft_chain_stats_replace(struct nft_trans *trans)
1647 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1649 if (!nft_trans_chain_stats(trans))
1652 nft_trans_chain_stats(trans) =
1653 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1654 lockdep_commit_lock_is_held(trans->ctx.net));
1656 if (!nft_trans_chain_stats(trans))
1657 static_branch_inc(&nft_counters_enabled);
1660 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1662 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1663 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1669 /* should be NULL either via abort or via successful commit */
1670 WARN_ON_ONCE(chain->rules_next);
1671 kvfree(chain->rules_next);
1674 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1676 struct nft_chain *chain = ctx->chain;
1677 struct nft_hook *hook, *next;
1679 if (WARN_ON(chain->use > 0))
1682 /* no concurrent access possible anymore */
1683 nf_tables_chain_free_chain_rules(chain);
1685 if (nft_is_base_chain(chain)) {
1686 struct nft_base_chain *basechain = nft_base_chain(chain);
1688 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1689 list_for_each_entry_safe(hook, next,
1690 &basechain->hook_list, list) {
1691 list_del_rcu(&hook->list);
1692 kfree_rcu(hook, rcu);
1695 module_put(basechain->type->owner);
1696 if (rcu_access_pointer(basechain->stats)) {
1697 static_branch_dec(&nft_counters_enabled);
1698 free_percpu(rcu_dereference_raw(basechain->stats));
1701 kfree(chain->udata);
1705 kfree(chain->udata);
1710 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1711 const struct nlattr *attr)
1713 struct net_device *dev;
1714 char ifname[IFNAMSIZ];
1715 struct nft_hook *hook;
1718 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1721 goto err_hook_alloc;
1724 nla_strlcpy(ifname, attr, IFNAMSIZ);
1725 dev = __dev_get_by_name(net, ifname);
1730 hook->ops.dev = dev;
1731 hook->inactive = false;
1738 return ERR_PTR(err);
1741 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1742 const struct nft_hook *this)
1744 struct nft_hook *hook;
1746 list_for_each_entry(hook, hook_list, list) {
1747 if (this->ops.dev == hook->ops.dev)
1754 static int nf_tables_parse_netdev_hooks(struct net *net,
1755 const struct nlattr *attr,
1756 struct list_head *hook_list)
1758 struct nft_hook *hook, *next;
1759 const struct nlattr *tmp;
1760 int rem, n = 0, err;
1762 nla_for_each_nested(tmp, attr, rem) {
1763 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1768 hook = nft_netdev_hook_alloc(net, tmp);
1770 err = PTR_ERR(hook);
1773 if (nft_hook_list_find(hook_list, hook)) {
1778 list_add_tail(&hook->list, hook_list);
1781 if (n == NFT_NETDEVICE_MAX) {
1790 list_for_each_entry_safe(hook, next, hook_list, list) {
1791 list_del(&hook->list);
1797 struct nft_chain_hook {
1800 const struct nft_chain_type *type;
1801 struct list_head list;
1804 static int nft_chain_parse_netdev(struct net *net,
1805 struct nlattr *tb[],
1806 struct list_head *hook_list)
1808 struct nft_hook *hook;
1811 if (tb[NFTA_HOOK_DEV]) {
1812 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1814 return PTR_ERR(hook);
1816 list_add_tail(&hook->list, hook_list);
1817 } else if (tb[NFTA_HOOK_DEVS]) {
1818 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1823 if (list_empty(hook_list))
1832 static int nft_chain_parse_hook(struct net *net,
1833 const struct nlattr * const nla[],
1834 struct nft_chain_hook *hook, u8 family,
1837 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1838 const struct nft_chain_type *type;
1841 lockdep_assert_held(&net->nft.commit_mutex);
1842 lockdep_nfnl_nft_mutex_not_held();
1844 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1845 nla[NFTA_CHAIN_HOOK],
1846 nft_hook_policy, NULL);
1850 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1851 ha[NFTA_HOOK_PRIORITY] == NULL)
1854 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1855 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1857 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1861 if (nla[NFTA_CHAIN_TYPE]) {
1862 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1865 return PTR_ERR(type);
1867 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1870 if (type->type == NFT_CHAIN_T_NAT &&
1871 hook->priority <= NF_IP_PRI_CONNTRACK)
1874 if (!try_module_get(type->owner))
1879 INIT_LIST_HEAD(&hook->list);
1880 if (nft_base_chain_netdev(family, hook->num)) {
1881 err = nft_chain_parse_netdev(net, ha, &hook->list);
1883 module_put(type->owner);
1886 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1887 module_put(type->owner);
1894 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1896 struct nft_hook *h, *next;
1898 list_for_each_entry_safe(h, next, &hook->list, list) {
1902 module_put(hook->type->owner);
1905 struct nft_rules_old {
1907 struct nft_rule **start;
1910 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1913 if (alloc > INT_MAX)
1916 alloc += 1; /* NULL, ends rules */
1917 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1920 alloc *= sizeof(struct nft_rule *);
1921 alloc += sizeof(struct nft_rules_old);
1923 return kvmalloc(alloc, GFP_KERNEL);
1926 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1927 const struct nft_chain_hook *hook,
1928 struct nft_chain *chain)
1931 ops->hooknum = hook->num;
1932 ops->priority = hook->priority;
1934 ops->hook = hook->type->hooks[ops->hooknum];
1937 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1938 struct nft_chain_hook *hook, u32 flags)
1940 struct nft_chain *chain;
1943 basechain->type = hook->type;
1944 INIT_LIST_HEAD(&basechain->hook_list);
1945 chain = &basechain->chain;
1947 if (nft_base_chain_netdev(family, hook->num)) {
1948 list_splice_init(&hook->list, &basechain->hook_list);
1949 list_for_each_entry(h, &basechain->hook_list, list)
1950 nft_basechain_hook_init(&h->ops, family, hook, chain);
1952 basechain->ops.hooknum = hook->num;
1953 basechain->ops.priority = hook->priority;
1955 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1958 chain->flags |= NFT_CHAIN_BASE | flags;
1959 basechain->policy = NF_ACCEPT;
1960 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1961 nft_chain_offload_priority(basechain) < 0)
1964 flow_block_init(&basechain->flow_block);
1969 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
1973 err = rhltable_insert_key(&table->chains_ht, chain->name,
1974 &chain->rhlhead, nft_chain_ht_params);
1978 list_add_tail_rcu(&chain->list, &table->chains);
1983 static u64 chain_id;
1985 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1986 u8 policy, u32 flags)
1988 const struct nlattr * const *nla = ctx->nla;
1989 struct nft_table *table = ctx->table;
1990 struct nft_base_chain *basechain;
1991 struct nft_stats __percpu *stats;
1992 struct net *net = ctx->net;
1993 char name[NFT_NAME_MAXLEN];
1994 struct nft_trans *trans;
1995 struct nft_chain *chain;
1996 struct nft_rule **rules;
1999 if (table->use == UINT_MAX)
2002 if (nla[NFTA_CHAIN_HOOK]) {
2003 struct nft_chain_hook hook;
2005 if (flags & NFT_CHAIN_BINDING)
2008 err = nft_chain_parse_hook(net, nla, &hook, family, true);
2012 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2013 if (basechain == NULL) {
2014 nft_chain_release_hook(&hook);
2017 chain = &basechain->chain;
2019 if (nla[NFTA_CHAIN_COUNTERS]) {
2020 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2021 if (IS_ERR(stats)) {
2022 nft_chain_release_hook(&hook);
2024 return PTR_ERR(stats);
2026 rcu_assign_pointer(basechain->stats, stats);
2027 static_branch_inc(&nft_counters_enabled);
2030 err = nft_basechain_init(basechain, family, &hook, flags);
2032 nft_chain_release_hook(&hook);
2037 if (flags & NFT_CHAIN_BASE)
2039 if (flags & NFT_CHAIN_HW_OFFLOAD)
2042 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2046 chain->flags = flags;
2050 INIT_LIST_HEAD(&chain->rules);
2051 chain->handle = nf_tables_alloc_handle(table);
2052 chain->table = table;
2054 if (nla[NFTA_CHAIN_NAME]) {
2055 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2057 if (!(flags & NFT_CHAIN_BINDING)) {
2059 goto err_destroy_chain;
2062 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2063 chain->name = kstrdup(name, GFP_KERNEL);
2068 goto err_destroy_chain;
2071 if (nla[NFTA_CHAIN_USERDATA]) {
2072 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2073 if (chain->udata == NULL) {
2075 goto err_destroy_chain;
2077 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2080 rules = nf_tables_chain_alloc_rules(chain, 0);
2083 goto err_destroy_chain;
2087 rcu_assign_pointer(chain->rules_gen_0, rules);
2088 rcu_assign_pointer(chain->rules_gen_1, rules);
2090 err = nf_tables_register_hook(net, table, chain);
2092 goto err_destroy_chain;
2094 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2095 if (IS_ERR(trans)) {
2096 err = PTR_ERR(trans);
2097 goto err_unregister_hook;
2100 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2101 if (nft_is_base_chain(chain))
2102 nft_trans_chain_policy(trans) = policy;
2104 err = nft_chain_add(table, chain);
2106 nft_trans_destroy(trans);
2107 goto err_unregister_hook;
2113 err_unregister_hook:
2114 nf_tables_unregister_hook(net, table, chain);
2116 nf_tables_chain_destroy(ctx);
2121 static bool nft_hook_list_equal(struct list_head *hook_list1,
2122 struct list_head *hook_list2)
2124 struct nft_hook *hook;
2128 list_for_each_entry(hook, hook_list2, list) {
2129 if (!nft_hook_list_find(hook_list1, hook))
2134 list_for_each_entry(hook, hook_list1, list)
2140 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2141 u32 flags, const struct nlattr *attr,
2142 struct netlink_ext_ack *extack)
2144 const struct nlattr * const *nla = ctx->nla;
2145 struct nft_table *table = ctx->table;
2146 struct nft_chain *chain = ctx->chain;
2147 struct nft_base_chain *basechain;
2148 struct nft_stats *stats = NULL;
2149 struct nft_chain_hook hook;
2150 struct nf_hook_ops *ops;
2151 struct nft_trans *trans;
2154 if (chain->flags ^ flags)
2157 if (nla[NFTA_CHAIN_HOOK]) {
2158 if (!nft_is_base_chain(chain)) {
2159 NL_SET_BAD_ATTR(extack, attr);
2162 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2167 basechain = nft_base_chain(chain);
2168 if (basechain->type != hook.type) {
2169 nft_chain_release_hook(&hook);
2170 NL_SET_BAD_ATTR(extack, attr);
2174 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2175 if (!nft_hook_list_equal(&basechain->hook_list,
2177 nft_chain_release_hook(&hook);
2178 NL_SET_BAD_ATTR(extack, attr);
2182 ops = &basechain->ops;
2183 if (ops->hooknum != hook.num ||
2184 ops->priority != hook.priority) {
2185 nft_chain_release_hook(&hook);
2186 NL_SET_BAD_ATTR(extack, attr);
2190 nft_chain_release_hook(&hook);
2193 if (nla[NFTA_CHAIN_HANDLE] &&
2194 nla[NFTA_CHAIN_NAME]) {
2195 struct nft_chain *chain2;
2197 chain2 = nft_chain_lookup(ctx->net, table,
2198 nla[NFTA_CHAIN_NAME], genmask);
2199 if (!IS_ERR(chain2)) {
2200 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2205 if (nla[NFTA_CHAIN_COUNTERS]) {
2206 if (!nft_is_base_chain(chain))
2209 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2211 return PTR_ERR(stats);
2215 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2216 sizeof(struct nft_trans_chain));
2220 nft_trans_chain_stats(trans) = stats;
2221 nft_trans_chain_update(trans) = true;
2223 if (nla[NFTA_CHAIN_POLICY])
2224 nft_trans_chain_policy(trans) = policy;
2226 nft_trans_chain_policy(trans) = -1;
2228 if (nla[NFTA_CHAIN_HANDLE] &&
2229 nla[NFTA_CHAIN_NAME]) {
2230 struct nft_trans *tmp;
2234 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2239 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2240 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2241 tmp->ctx.table == table &&
2242 nft_trans_chain_update(tmp) &&
2243 nft_trans_chain_name(tmp) &&
2244 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2245 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2251 nft_trans_chain_name(trans) = name;
2253 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2262 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2263 const struct nlattr *nla)
2265 u32 id = ntohl(nla_get_be32(nla));
2266 struct nft_trans *trans;
2268 list_for_each_entry(trans, &net->nft.commit_list, list) {
2269 struct nft_chain *chain = trans->ctx.chain;
2271 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2272 id == nft_trans_chain_id(trans))
2275 return ERR_PTR(-ENOENT);
2278 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2279 struct sk_buff *skb, const struct nlmsghdr *nlh,
2280 const struct nlattr * const nla[],
2281 struct netlink_ext_ack *extack)
2283 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2284 u8 genmask = nft_genmask_next(net);
2285 int family = nfmsg->nfgen_family;
2286 struct nft_chain *chain = NULL;
2287 const struct nlattr *attr;
2288 struct nft_table *table;
2289 u8 policy = NF_ACCEPT;
2294 lockdep_assert_held(&net->nft.commit_mutex);
2296 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2297 if (IS_ERR(table)) {
2298 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2299 return PTR_ERR(table);
2303 attr = nla[NFTA_CHAIN_NAME];
2305 if (nla[NFTA_CHAIN_HANDLE]) {
2306 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2307 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2308 if (IS_ERR(chain)) {
2309 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2310 return PTR_ERR(chain);
2312 attr = nla[NFTA_CHAIN_HANDLE];
2313 } else if (nla[NFTA_CHAIN_NAME]) {
2314 chain = nft_chain_lookup(net, table, attr, genmask);
2315 if (IS_ERR(chain)) {
2316 if (PTR_ERR(chain) != -ENOENT) {
2317 NL_SET_BAD_ATTR(extack, attr);
2318 return PTR_ERR(chain);
2322 } else if (!nla[NFTA_CHAIN_ID]) {
2326 if (nla[NFTA_CHAIN_POLICY]) {
2327 if (chain != NULL &&
2328 !nft_is_base_chain(chain)) {
2329 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2333 if (chain == NULL &&
2334 nla[NFTA_CHAIN_HOOK] == NULL) {
2335 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2339 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2349 if (nla[NFTA_CHAIN_FLAGS])
2350 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2352 flags = chain->flags;
2354 if (flags & ~NFT_CHAIN_FLAGS)
2357 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2359 if (chain != NULL) {
2360 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2361 NL_SET_BAD_ATTR(extack, attr);
2364 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2367 flags |= chain->flags & NFT_CHAIN_BASE;
2368 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2372 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2375 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2376 struct sk_buff *skb, const struct nlmsghdr *nlh,
2377 const struct nlattr * const nla[],
2378 struct netlink_ext_ack *extack)
2380 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2381 u8 genmask = nft_genmask_next(net);
2382 int family = nfmsg->nfgen_family;
2383 const struct nlattr *attr;
2384 struct nft_table *table;
2385 struct nft_chain *chain;
2386 struct nft_rule *rule;
2392 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2393 if (IS_ERR(table)) {
2394 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2395 return PTR_ERR(table);
2398 if (nla[NFTA_CHAIN_HANDLE]) {
2399 attr = nla[NFTA_CHAIN_HANDLE];
2400 handle = be64_to_cpu(nla_get_be64(attr));
2401 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2403 attr = nla[NFTA_CHAIN_NAME];
2404 chain = nft_chain_lookup(net, table, attr, genmask);
2406 if (IS_ERR(chain)) {
2407 NL_SET_BAD_ATTR(extack, attr);
2408 return PTR_ERR(chain);
2411 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2415 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2418 list_for_each_entry(rule, &chain->rules, list) {
2419 if (!nft_is_active_next(net, rule))
2423 err = nft_delrule(&ctx, rule);
2428 /* There are rules and elements that are still holding references to us,
2429 * we cannot do a recursive removal in this case.
2432 NL_SET_BAD_ATTR(extack, attr);
2436 return nft_delchain(&ctx);
2444 * nft_register_expr - register nf_tables expr type
2447 * Registers the expr type for use with nf_tables. Returns zero on
2448 * success or a negative errno code otherwise.
2450 int nft_register_expr(struct nft_expr_type *type)
2452 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2453 if (type->family == NFPROTO_UNSPEC)
2454 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2456 list_add_rcu(&type->list, &nf_tables_expressions);
2457 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2460 EXPORT_SYMBOL_GPL(nft_register_expr);
2463 * nft_unregister_expr - unregister nf_tables expr type
2466 * Unregisters the expr typefor use with nf_tables.
2468 void nft_unregister_expr(struct nft_expr_type *type)
2470 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2471 list_del_rcu(&type->list);
2472 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2474 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2476 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2479 const struct nft_expr_type *type, *candidate = NULL;
2481 list_for_each_entry(type, &nf_tables_expressions, list) {
2482 if (!nla_strcmp(nla, type->name)) {
2483 if (!type->family && !candidate)
2485 else if (type->family == family)
2492 #ifdef CONFIG_MODULES
2493 static int nft_expr_type_request_module(struct net *net, u8 family,
2496 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2497 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2504 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2508 const struct nft_expr_type *type;
2511 return ERR_PTR(-EINVAL);
2513 type = __nft_expr_type_get(family, nla);
2514 if (type != NULL && try_module_get(type->owner))
2517 lockdep_nfnl_nft_mutex_not_held();
2518 #ifdef CONFIG_MODULES
2520 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2521 return ERR_PTR(-EAGAIN);
2523 if (nft_request_module(net, "nft-expr-%.*s",
2525 (char *)nla_data(nla)) == -EAGAIN)
2526 return ERR_PTR(-EAGAIN);
2529 return ERR_PTR(-ENOENT);
2532 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2533 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2534 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2535 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2538 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2539 const struct nft_expr *expr)
2541 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2542 goto nla_put_failure;
2544 if (expr->ops->dump) {
2545 struct nlattr *data = nla_nest_start_noflag(skb,
2548 goto nla_put_failure;
2549 if (expr->ops->dump(skb, expr) < 0)
2550 goto nla_put_failure;
2551 nla_nest_end(skb, data);
2560 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2561 const struct nft_expr *expr)
2563 struct nlattr *nest;
2565 nest = nla_nest_start_noflag(skb, attr);
2567 goto nla_put_failure;
2568 if (nf_tables_fill_expr_info(skb, expr) < 0)
2569 goto nla_put_failure;
2570 nla_nest_end(skb, nest);
2577 struct nft_expr_info {
2578 const struct nft_expr_ops *ops;
2579 const struct nlattr *attr;
2580 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2583 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2584 const struct nlattr *nla,
2585 struct nft_expr_info *info)
2587 const struct nft_expr_type *type;
2588 const struct nft_expr_ops *ops;
2589 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2592 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2593 nft_expr_policy, NULL);
2597 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2599 return PTR_ERR(type);
2601 if (tb[NFTA_EXPR_DATA]) {
2602 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2604 type->policy, NULL);
2608 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2610 if (type->select_ops != NULL) {
2611 ops = type->select_ops(ctx,
2612 (const struct nlattr * const *)info->tb);
2615 #ifdef CONFIG_MODULES
2617 if (nft_expr_type_request_module(ctx->net,
2619 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2633 module_put(type->owner);
2637 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2638 const struct nft_expr_info *info,
2639 struct nft_expr *expr)
2641 const struct nft_expr_ops *ops = info->ops;
2646 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2657 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2658 struct nft_expr *expr)
2660 const struct nft_expr_type *type = expr->ops->type;
2662 if (expr->ops->destroy)
2663 expr->ops->destroy(ctx, expr);
2664 module_put(type->owner);
2667 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2668 const struct nlattr *nla)
2670 struct nft_expr_info info;
2671 struct nft_expr *expr;
2672 struct module *owner;
2675 err = nf_tables_expr_parse(ctx, nla, &info);
2680 expr = kzalloc(info.ops->size, GFP_KERNEL);
2684 err = nf_tables_newexpr(ctx, &info, expr);
2692 owner = info.ops->type->owner;
2693 if (info.ops->type->release_ops)
2694 info.ops->type->release_ops(info.ops);
2698 return ERR_PTR(err);
2701 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2705 if (src->ops->clone) {
2706 dst->ops = src->ops;
2707 err = src->ops->clone(dst, src);
2711 memcpy(dst, src, src->ops->size);
2714 __module_get(src->ops->type->owner);
2719 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2721 nf_tables_expr_destroy(ctx, expr);
2729 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2732 struct nft_rule *rule;
2734 // FIXME: this sucks
2735 list_for_each_entry_rcu(rule, &chain->rules, list) {
2736 if (handle == rule->handle)
2740 return ERR_PTR(-ENOENT);
2743 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2744 const struct nlattr *nla)
2747 return ERR_PTR(-EINVAL);
2749 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2752 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2753 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2754 .len = NFT_TABLE_MAXNAMELEN - 1 },
2755 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2756 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2757 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2758 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2759 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2760 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2761 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2762 .len = NFT_USERDATA_MAXLEN },
2763 [NFTA_RULE_ID] = { .type = NLA_U32 },
2764 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2765 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2768 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2769 u32 portid, u32 seq, int event,
2770 u32 flags, int family,
2771 const struct nft_table *table,
2772 const struct nft_chain *chain,
2773 const struct nft_rule *rule,
2774 const struct nft_rule *prule)
2776 struct nlmsghdr *nlh;
2777 struct nfgenmsg *nfmsg;
2778 const struct nft_expr *expr, *next;
2779 struct nlattr *list;
2780 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2782 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2784 goto nla_put_failure;
2786 nfmsg = nlmsg_data(nlh);
2787 nfmsg->nfgen_family = family;
2788 nfmsg->version = NFNETLINK_V0;
2789 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2791 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2792 goto nla_put_failure;
2793 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2794 goto nla_put_failure;
2795 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2797 goto nla_put_failure;
2799 if (event != NFT_MSG_DELRULE && prule) {
2800 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2801 cpu_to_be64(prule->handle),
2803 goto nla_put_failure;
2806 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2808 goto nla_put_failure;
2809 nft_rule_for_each_expr(expr, next, rule) {
2810 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2811 goto nla_put_failure;
2813 nla_nest_end(skb, list);
2816 struct nft_userdata *udata = nft_userdata(rule);
2817 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2819 goto nla_put_failure;
2822 nlmsg_end(skb, nlh);
2826 nlmsg_trim(skb, nlh);
2830 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2831 const struct nft_rule *rule, int event)
2833 struct sk_buff *skb;
2835 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
2836 ctx->table->name, ctx->table->handle,
2837 ctx->chain->name, ctx->chain->handle);
2839 audit_log_nfcfg(buf,
2842 event == NFT_MSG_NEWRULE ?
2843 AUDIT_NFT_OP_RULE_REGISTER :
2844 AUDIT_NFT_OP_RULE_UNREGISTER,
2849 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2852 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2856 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2857 event, 0, ctx->family, ctx->table,
2858 ctx->chain, rule, NULL);
2864 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2867 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2870 struct nft_rule_dump_ctx {
2875 static int __nf_tables_dump_rules(struct sk_buff *skb,
2877 struct netlink_callback *cb,
2878 const struct nft_table *table,
2879 const struct nft_chain *chain)
2881 struct net *net = sock_net(skb->sk);
2882 const struct nft_rule *rule, *prule;
2883 unsigned int s_idx = cb->args[0];
2886 list_for_each_entry_rcu(rule, &chain->rules, list) {
2887 if (!nft_is_active(net, rule))
2892 memset(&cb->args[1], 0,
2893 sizeof(cb->args) - sizeof(cb->args[0]));
2895 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2898 NLM_F_MULTI | NLM_F_APPEND,
2900 table, chain, rule, prule) < 0)
2903 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2912 static int nf_tables_dump_rules(struct sk_buff *skb,
2913 struct netlink_callback *cb)
2915 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2916 const struct nft_rule_dump_ctx *ctx = cb->data;
2917 struct nft_table *table;
2918 const struct nft_chain *chain;
2919 unsigned int idx = 0;
2920 struct net *net = sock_net(skb->sk);
2921 int family = nfmsg->nfgen_family;
2924 cb->seq = net->nft.base_seq;
2926 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2927 if (family != NFPROTO_UNSPEC && family != table->family)
2930 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2933 if (ctx && ctx->table && ctx->chain) {
2934 struct rhlist_head *list, *tmp;
2936 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2937 nft_chain_ht_params);
2941 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2942 if (!nft_is_active(net, chain))
2944 __nf_tables_dump_rules(skb, &idx,
2951 list_for_each_entry_rcu(chain, &table->chains, list) {
2952 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2956 if (ctx && ctx->table)
2966 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2968 const struct nlattr * const *nla = cb->data;
2969 struct nft_rule_dump_ctx *ctx = NULL;
2971 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2972 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2976 if (nla[NFTA_RULE_TABLE]) {
2977 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2984 if (nla[NFTA_RULE_CHAIN]) {
2985 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2999 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3001 struct nft_rule_dump_ctx *ctx = cb->data;
3011 /* called with rcu_read_lock held */
3012 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3013 struct sk_buff *skb, const struct nlmsghdr *nlh,
3014 const struct nlattr * const nla[],
3015 struct netlink_ext_ack *extack)
3017 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3018 u8 genmask = nft_genmask_cur(net);
3019 const struct nft_chain *chain;
3020 const struct nft_rule *rule;
3021 struct nft_table *table;
3022 struct sk_buff *skb2;
3023 int family = nfmsg->nfgen_family;
3026 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3027 struct netlink_dump_control c = {
3028 .start= nf_tables_dump_rules_start,
3029 .dump = nf_tables_dump_rules,
3030 .done = nf_tables_dump_rules_done,
3031 .module = THIS_MODULE,
3032 .data = (void *)nla,
3035 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3038 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3039 if (IS_ERR(table)) {
3040 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3041 return PTR_ERR(table);
3044 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3045 if (IS_ERR(chain)) {
3046 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3047 return PTR_ERR(chain);
3050 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3052 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3053 return PTR_ERR(rule);
3056 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3060 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3061 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3062 family, table, chain, rule, NULL);
3064 goto err_fill_rule_info;
3066 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3073 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3074 struct nft_rule *rule)
3076 struct nft_expr *expr, *next;
3079 * Careful: some expressions might not be initialized in case this
3080 * is called on error from nf_tables_newrule().
3082 expr = nft_expr_first(rule);
3083 while (nft_expr_more(rule, expr)) {
3084 next = nft_expr_next(expr);
3085 nf_tables_expr_destroy(ctx, expr);
3091 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3093 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3094 nf_tables_rule_destroy(ctx, rule);
3097 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3099 struct nft_expr *expr, *last;
3100 const struct nft_data *data;
3101 struct nft_rule *rule;
3104 if (ctx->level == NFT_JUMP_STACK_SIZE)
3107 list_for_each_entry(rule, &chain->rules, list) {
3108 if (!nft_is_active_next(ctx->net, rule))
3111 nft_rule_for_each_expr(expr, last, rule) {
3112 if (!expr->ops->validate)
3115 err = expr->ops->validate(ctx, expr, &data);
3123 EXPORT_SYMBOL_GPL(nft_chain_validate);
3125 static int nft_table_validate(struct net *net, const struct nft_table *table)
3127 struct nft_chain *chain;
3128 struct nft_ctx ctx = {
3130 .family = table->family,
3134 list_for_each_entry(chain, &table->chains, list) {
3135 if (!nft_is_base_chain(chain))
3139 err = nft_chain_validate(&ctx, chain);
3147 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3148 const struct nlattr *nla);
3150 #define NFT_RULE_MAXEXPRS 128
3152 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3153 struct sk_buff *skb, const struct nlmsghdr *nlh,
3154 const struct nlattr * const nla[],
3155 struct netlink_ext_ack *extack)
3157 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3158 u8 genmask = nft_genmask_next(net);
3159 struct nft_expr_info *info = NULL;
3160 int family = nfmsg->nfgen_family;
3161 struct nft_flow_rule *flow;
3162 struct nft_table *table;
3163 struct nft_chain *chain;
3164 struct nft_rule *rule, *old_rule = NULL;
3165 struct nft_userdata *udata;
3166 struct nft_trans *trans = NULL;
3167 struct nft_expr *expr;
3170 unsigned int size, i, n, ulen = 0, usize = 0;
3172 u64 handle, pos_handle;
3174 lockdep_assert_held(&net->nft.commit_mutex);
3176 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3177 if (IS_ERR(table)) {
3178 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3179 return PTR_ERR(table);
3182 if (nla[NFTA_RULE_CHAIN]) {
3183 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3185 if (IS_ERR(chain)) {
3186 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3187 return PTR_ERR(chain);
3189 if (nft_chain_is_bound(chain))
3192 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3193 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3194 if (IS_ERR(chain)) {
3195 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3196 return PTR_ERR(chain);
3202 if (nla[NFTA_RULE_HANDLE]) {
3203 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3204 rule = __nft_rule_lookup(chain, handle);
3206 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3207 return PTR_ERR(rule);
3210 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3211 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3214 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3219 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3220 nlh->nlmsg_flags & NLM_F_REPLACE)
3222 handle = nf_tables_alloc_handle(table);
3224 if (chain->use == UINT_MAX)
3227 if (nla[NFTA_RULE_POSITION]) {
3228 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3229 old_rule = __nft_rule_lookup(chain, pos_handle);
3230 if (IS_ERR(old_rule)) {
3231 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3232 return PTR_ERR(old_rule);
3234 } else if (nla[NFTA_RULE_POSITION_ID]) {
3235 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3236 if (IS_ERR(old_rule)) {
3237 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3238 return PTR_ERR(old_rule);
3243 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3247 if (nla[NFTA_RULE_EXPRESSIONS]) {
3248 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3249 sizeof(struct nft_expr_info),
3254 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3256 if (nla_type(tmp) != NFTA_LIST_ELEM)
3258 if (n == NFT_RULE_MAXEXPRS)
3260 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3263 size += info[n].ops->size;
3267 /* Check for overflow of dlen field */
3269 if (size >= 1 << 12)
3272 if (nla[NFTA_RULE_USERDATA]) {
3273 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3275 usize = sizeof(struct nft_userdata) + ulen;
3279 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3283 nft_activate_next(net, rule);
3285 rule->handle = handle;
3287 rule->udata = ulen ? 1 : 0;
3290 udata = nft_userdata(rule);
3291 udata->len = ulen - 1;
3292 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3295 expr = nft_expr_first(rule);
3296 for (i = 0; i < n; i++) {
3297 err = nf_tables_newexpr(&ctx, &info[i], expr);
3299 NL_SET_BAD_ATTR(extack, info[i].attr);
3303 if (info[i].ops->validate)
3304 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3307 expr = nft_expr_next(expr);
3310 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3311 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3312 if (trans == NULL) {
3316 err = nft_delrule(&ctx, old_rule);
3318 nft_trans_destroy(trans);
3322 list_add_tail_rcu(&rule->list, &old_rule->list);
3324 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3330 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3332 list_add_rcu(&rule->list, &old_rule->list);
3334 list_add_tail_rcu(&rule->list, &chain->rules);
3337 list_add_tail_rcu(&rule->list, &old_rule->list);
3339 list_add_rcu(&rule->list, &chain->rules);
3345 if (net->nft.validate_state == NFT_VALIDATE_DO)
3346 return nft_table_validate(net, table);
3348 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3349 flow = nft_flow_rule_create(net, rule);
3351 return PTR_ERR(flow);
3353 nft_trans_flow_rule(trans) = flow;
3358 nf_tables_rule_release(&ctx, rule);
3360 for (i = 0; i < n; i++) {
3362 module_put(info[i].ops->type->owner);
3363 if (info[i].ops->type->release_ops)
3364 info[i].ops->type->release_ops(info[i].ops);
3371 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3372 const struct nlattr *nla)
3374 u32 id = ntohl(nla_get_be32(nla));
3375 struct nft_trans *trans;
3377 list_for_each_entry(trans, &net->nft.commit_list, list) {
3378 struct nft_rule *rule = nft_trans_rule(trans);
3380 if (trans->msg_type == NFT_MSG_NEWRULE &&
3381 id == nft_trans_rule_id(trans))
3384 return ERR_PTR(-ENOENT);
3387 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3388 struct sk_buff *skb, const struct nlmsghdr *nlh,
3389 const struct nlattr * const nla[],
3390 struct netlink_ext_ack *extack)
3392 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3393 u8 genmask = nft_genmask_next(net);
3394 struct nft_table *table;
3395 struct nft_chain *chain = NULL;
3396 struct nft_rule *rule;
3397 int family = nfmsg->nfgen_family, err = 0;
3400 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3401 if (IS_ERR(table)) {
3402 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3403 return PTR_ERR(table);
3406 if (nla[NFTA_RULE_CHAIN]) {
3407 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3409 if (IS_ERR(chain)) {
3410 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3411 return PTR_ERR(chain);
3413 if (nft_chain_is_bound(chain))
3417 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3420 if (nla[NFTA_RULE_HANDLE]) {
3421 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3423 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3424 return PTR_ERR(rule);
3427 err = nft_delrule(&ctx, rule);
3428 } else if (nla[NFTA_RULE_ID]) {
3429 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3431 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3432 return PTR_ERR(rule);
3435 err = nft_delrule(&ctx, rule);
3437 err = nft_delrule_by_chain(&ctx);
3440 list_for_each_entry(chain, &table->chains, list) {
3441 if (!nft_is_active_next(net, chain))
3445 err = nft_delrule_by_chain(&ctx);
3457 static const struct nft_set_type *nft_set_types[] = {
3458 &nft_set_hash_fast_type,
3460 &nft_set_rhash_type,
3461 &nft_set_bitmap_type,
3462 &nft_set_rbtree_type,
3463 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3464 &nft_set_pipapo_avx2_type,
3466 &nft_set_pipapo_type,
3469 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3470 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3473 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3475 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3479 * Select a set implementation based on the data characteristics and the
3480 * given policy. The total memory use might not be known if no size is
3481 * given, in that case the amount of memory per element is used.
3483 static const struct nft_set_ops *
3484 nft_select_set_ops(const struct nft_ctx *ctx,
3485 const struct nlattr * const nla[],
3486 const struct nft_set_desc *desc,
3487 enum nft_set_policies policy)
3489 const struct nft_set_ops *ops, *bops;
3490 struct nft_set_estimate est, best;
3491 const struct nft_set_type *type;
3495 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3496 lockdep_nfnl_nft_mutex_not_held();
3498 if (nla[NFTA_SET_FLAGS] != NULL)
3499 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3506 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3507 type = nft_set_types[i];
3510 if (!nft_set_ops_candidate(type, flags))
3512 if (!ops->estimate(desc, flags, &est))
3516 case NFT_SET_POL_PERFORMANCE:
3517 if (est.lookup < best.lookup)
3519 if (est.lookup == best.lookup &&
3520 est.space < best.space)
3523 case NFT_SET_POL_MEMORY:
3525 if (est.space < best.space)
3527 if (est.space == best.space &&
3528 est.lookup < best.lookup)
3530 } else if (est.size < best.size || !bops) {
3545 return ERR_PTR(-EOPNOTSUPP);
3548 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3549 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3550 .len = NFT_TABLE_MAXNAMELEN - 1 },
3551 [NFTA_SET_NAME] = { .type = NLA_STRING,
3552 .len = NFT_SET_MAXNAMELEN - 1 },
3553 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3554 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3555 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3556 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3557 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3558 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3559 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3560 [NFTA_SET_ID] = { .type = NLA_U32 },
3561 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3562 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3563 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3564 .len = NFT_USERDATA_MAXLEN },
3565 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3566 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3567 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3570 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3571 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3572 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3575 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3576 const struct sk_buff *skb,
3577 const struct nlmsghdr *nlh,
3578 const struct nlattr * const nla[],
3579 struct netlink_ext_ack *extack,
3582 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3583 int family = nfmsg->nfgen_family;
3584 struct nft_table *table = NULL;
3586 if (nla[NFTA_SET_TABLE] != NULL) {
3587 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3589 if (IS_ERR(table)) {
3590 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3591 return PTR_ERR(table);
3595 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3599 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3600 const struct nlattr *nla, u8 genmask)
3602 struct nft_set *set;
3605 return ERR_PTR(-EINVAL);
3607 list_for_each_entry_rcu(set, &table->sets, list) {
3608 if (!nla_strcmp(nla, set->name) &&
3609 nft_active_genmask(set, genmask))
3612 return ERR_PTR(-ENOENT);
3615 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3616 const struct nlattr *nla,
3619 struct nft_set *set;
3621 list_for_each_entry(set, &table->sets, list) {
3622 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3623 nft_active_genmask(set, genmask))
3626 return ERR_PTR(-ENOENT);
3629 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3630 const struct nlattr *nla, u8 genmask)
3632 struct nft_trans *trans;
3633 u32 id = ntohl(nla_get_be32(nla));
3635 list_for_each_entry(trans, &net->nft.commit_list, list) {
3636 if (trans->msg_type == NFT_MSG_NEWSET) {
3637 struct nft_set *set = nft_trans_set(trans);
3639 if (id == nft_trans_set_id(trans) &&
3640 nft_active_genmask(set, genmask))
3644 return ERR_PTR(-ENOENT);
3647 struct nft_set *nft_set_lookup_global(const struct net *net,
3648 const struct nft_table *table,
3649 const struct nlattr *nla_set_name,
3650 const struct nlattr *nla_set_id,
3653 struct nft_set *set;
3655 set = nft_set_lookup(table, nla_set_name, genmask);
3660 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3664 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3666 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3669 const struct nft_set *i;
3671 unsigned long *inuse;
3672 unsigned int n = 0, min = 0;
3674 p = strchr(name, '%');
3676 if (p[1] != 'd' || strchr(p + 2, '%'))
3679 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3683 list_for_each_entry(i, &ctx->table->sets, list) {
3686 if (!nft_is_active_next(ctx->net, set))
3688 if (!sscanf(i->name, name, &tmp))
3690 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3693 set_bit(tmp - min, inuse);
3696 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3697 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3698 min += BITS_PER_BYTE * PAGE_SIZE;
3699 memset(inuse, 0, PAGE_SIZE);
3702 free_page((unsigned long)inuse);
3705 set->name = kasprintf(GFP_KERNEL, name, min + n);
3709 list_for_each_entry(i, &ctx->table->sets, list) {
3710 if (!nft_is_active_next(ctx->net, i))
3712 if (!strcmp(set->name, i->name)) {
3721 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3723 u64 ms = be64_to_cpu(nla_get_be64(nla));
3724 u64 max = (u64)(~((u64)0));
3726 max = div_u64(max, NSEC_PER_MSEC);
3730 ms *= NSEC_PER_MSEC;
3731 *result = nsecs_to_jiffies64(ms);
3735 static __be64 nf_jiffies64_to_msecs(u64 input)
3737 return cpu_to_be64(jiffies64_to_msecs(input));
3740 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3741 const struct nft_set *set)
3743 struct nlattr *concat, *field;
3746 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3750 for (i = 0; i < set->field_count; i++) {
3751 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3755 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3756 htonl(set->field_len[i])))
3759 nla_nest_end(skb, field);
3762 nla_nest_end(skb, concat);
3767 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3768 const struct nft_set *set, u16 event, u16 flags)
3770 struct nfgenmsg *nfmsg;
3771 struct nlmsghdr *nlh;
3772 u32 portid = ctx->portid;
3773 struct nlattr *nest;
3776 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3777 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3780 goto nla_put_failure;
3782 nfmsg = nlmsg_data(nlh);
3783 nfmsg->nfgen_family = ctx->family;
3784 nfmsg->version = NFNETLINK_V0;
3785 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3787 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3788 goto nla_put_failure;
3789 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3790 goto nla_put_failure;
3791 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3793 goto nla_put_failure;
3794 if (set->flags != 0)
3795 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3796 goto nla_put_failure;
3798 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3799 goto nla_put_failure;
3800 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3801 goto nla_put_failure;
3802 if (set->flags & NFT_SET_MAP) {
3803 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3804 goto nla_put_failure;
3805 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3806 goto nla_put_failure;
3808 if (set->flags & NFT_SET_OBJECT &&
3809 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3810 goto nla_put_failure;
3813 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3814 nf_jiffies64_to_msecs(set->timeout),
3816 goto nla_put_failure;
3818 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3819 goto nla_put_failure;
3821 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3822 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3823 goto nla_put_failure;
3827 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3828 goto nla_put_failure;
3830 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3832 goto nla_put_failure;
3834 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3835 goto nla_put_failure;
3837 if (set->field_count > 1 &&
3838 nf_tables_fill_set_concat(skb, set))
3839 goto nla_put_failure;
3841 nla_nest_end(skb, nest);
3844 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3845 if (nf_tables_fill_expr_info(skb, set->expr) < 0)
3846 goto nla_put_failure;
3848 nla_nest_end(skb, nest);
3851 nlmsg_end(skb, nlh);
3855 nlmsg_trim(skb, nlh);
3859 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3860 const struct nft_set *set, int event,
3863 struct sk_buff *skb;
3864 u32 portid = ctx->portid;
3866 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu",
3867 ctx->table->name, ctx->table->handle,
3868 set->name, set->handle);
3870 audit_log_nfcfg(buf,
3873 event == NFT_MSG_NEWSET ?
3874 AUDIT_NFT_OP_SET_REGISTER :
3875 AUDIT_NFT_OP_SET_UNREGISTER,
3880 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3883 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3887 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3893 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3896 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3899 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3901 const struct nft_set *set;
3902 unsigned int idx, s_idx = cb->args[0];
3903 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3904 struct net *net = sock_net(skb->sk);
3905 struct nft_ctx *ctx = cb->data, ctx_set;
3911 cb->seq = net->nft.base_seq;
3913 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3914 if (ctx->family != NFPROTO_UNSPEC &&
3915 ctx->family != table->family)
3918 if (ctx->table && ctx->table != table)
3922 if (cur_table != table)
3928 list_for_each_entry_rcu(set, &table->sets, list) {
3931 if (!nft_is_active(net, set))
3935 ctx_set.table = table;
3936 ctx_set.family = table->family;
3938 if (nf_tables_fill_set(skb, &ctx_set, set,
3942 cb->args[2] = (unsigned long) table;
3945 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3958 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3960 struct nft_ctx *ctx_dump = NULL;
3962 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3963 if (ctx_dump == NULL)
3966 cb->data = ctx_dump;
3970 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3976 /* called with rcu_read_lock held */
3977 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3978 struct sk_buff *skb, const struct nlmsghdr *nlh,
3979 const struct nlattr * const nla[],
3980 struct netlink_ext_ack *extack)
3982 u8 genmask = nft_genmask_cur(net);
3983 const struct nft_set *set;
3985 struct sk_buff *skb2;
3986 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3989 /* Verify existence before starting dump */
3990 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3995 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3996 struct netlink_dump_control c = {
3997 .start = nf_tables_dump_sets_start,
3998 .dump = nf_tables_dump_sets,
3999 .done = nf_tables_dump_sets_done,
4001 .module = THIS_MODULE,
4004 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4007 /* Only accept unspec with dump */
4008 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4009 return -EAFNOSUPPORT;
4010 if (!nla[NFTA_SET_TABLE])
4013 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4015 return PTR_ERR(set);
4017 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4021 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4023 goto err_fill_set_info;
4025 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4032 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4033 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4036 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4037 struct nft_set_desc *desc)
4039 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4043 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4044 nft_concat_policy, NULL);
4048 if (!tb[NFTA_SET_FIELD_LEN])
4051 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4053 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4056 desc->field_len[desc->field_count++] = len;
4061 static int nft_set_desc_concat(struct nft_set_desc *desc,
4062 const struct nlattr *nla)
4064 struct nlattr *attr;
4067 nla_for_each_nested(attr, nla, rem) {
4068 if (nla_type(attr) != NFTA_LIST_ELEM)
4071 err = nft_set_desc_concat_parse(attr, desc);
4079 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4080 const struct nlattr *nla)
4082 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4085 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4086 nft_set_desc_policy, NULL);
4090 if (da[NFTA_SET_DESC_SIZE] != NULL)
4091 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4092 if (da[NFTA_SET_DESC_CONCAT])
4093 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4098 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4099 struct sk_buff *skb, const struct nlmsghdr *nlh,
4100 const struct nlattr * const nla[],
4101 struct netlink_ext_ack *extack)
4103 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4104 u8 genmask = nft_genmask_next(net);
4105 int family = nfmsg->nfgen_family;
4106 const struct nft_set_ops *ops;
4107 struct nft_expr *expr = NULL;
4108 struct nft_table *table;
4109 struct nft_set *set;
4114 u32 ktype, dtype, flags, policy, gc_int, objtype;
4115 struct nft_set_desc desc;
4116 unsigned char *udata;
4121 if (nla[NFTA_SET_TABLE] == NULL ||
4122 nla[NFTA_SET_NAME] == NULL ||
4123 nla[NFTA_SET_KEY_LEN] == NULL ||
4124 nla[NFTA_SET_ID] == NULL)
4127 memset(&desc, 0, sizeof(desc));
4129 ktype = NFT_DATA_VALUE;
4130 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4131 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4132 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4136 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4137 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4141 if (nla[NFTA_SET_FLAGS] != NULL) {
4142 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4143 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4144 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4145 NFT_SET_MAP | NFT_SET_EVAL |
4146 NFT_SET_OBJECT | NFT_SET_CONCAT))
4148 /* Only one of these operations is supported */
4149 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4150 (NFT_SET_MAP | NFT_SET_OBJECT))
4152 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4153 (NFT_SET_EVAL | NFT_SET_OBJECT))
4158 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4159 if (!(flags & NFT_SET_MAP))
4162 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4163 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4164 dtype != NFT_DATA_VERDICT)
4167 if (dtype != NFT_DATA_VERDICT) {
4168 if (nla[NFTA_SET_DATA_LEN] == NULL)
4170 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4171 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4174 desc.dlen = sizeof(struct nft_verdict);
4175 } else if (flags & NFT_SET_MAP)
4178 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4179 if (!(flags & NFT_SET_OBJECT))
4182 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4183 if (objtype == NFT_OBJECT_UNSPEC ||
4184 objtype > NFT_OBJECT_MAX)
4186 } else if (flags & NFT_SET_OBJECT)
4189 objtype = NFT_OBJECT_UNSPEC;
4192 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4193 if (!(flags & NFT_SET_TIMEOUT))
4196 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4201 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4202 if (!(flags & NFT_SET_TIMEOUT))
4204 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4207 policy = NFT_SET_POL_PERFORMANCE;
4208 if (nla[NFTA_SET_POLICY] != NULL)
4209 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4211 if (nla[NFTA_SET_DESC] != NULL) {
4212 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4217 if (nla[NFTA_SET_EXPR])
4220 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4221 if (IS_ERR(table)) {
4222 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4223 return PTR_ERR(table);
4226 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4228 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4230 if (PTR_ERR(set) != -ENOENT) {
4231 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4232 return PTR_ERR(set);
4235 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4236 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4239 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4245 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4248 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4250 return PTR_ERR(ops);
4253 if (nla[NFTA_SET_USERDATA])
4254 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4257 if (ops->privsize != NULL)
4258 size = ops->privsize(nla, &desc);
4260 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4264 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4270 err = nf_tables_set_alloc_name(&ctx, set, name);
4273 goto err_set_alloc_name;
4275 if (nla[NFTA_SET_EXPR]) {
4276 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4278 err = PTR_ERR(expr);
4279 goto err_set_alloc_name;
4285 udata = set->data + size;
4286 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4289 INIT_LIST_HEAD(&set->bindings);
4291 write_pnet(&set->net, net);
4294 set->klen = desc.klen;
4296 set->objtype = objtype;
4297 set->dlen = desc.dlen;
4300 set->size = desc.size;
4301 set->policy = policy;
4304 set->timeout = timeout;
4305 set->gc_int = gc_int;
4306 set->handle = nf_tables_alloc_handle(table);
4308 set->field_count = desc.field_count;
4309 for (i = 0; i < desc.field_count; i++)
4310 set->field_len[i] = desc.field_len[i];
4312 err = ops->init(set, &desc, nla);
4316 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4320 list_add_tail_rcu(&set->list, &table->sets);
4328 nft_expr_destroy(&ctx, expr);
4336 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4338 if (WARN_ON(set->use > 0))
4342 nft_expr_destroy(ctx, set->expr);
4344 set->ops->destroy(set);
4349 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4350 struct sk_buff *skb, const struct nlmsghdr *nlh,
4351 const struct nlattr * const nla[],
4352 struct netlink_ext_ack *extack)
4354 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4355 u8 genmask = nft_genmask_next(net);
4356 const struct nlattr *attr;
4357 struct nft_set *set;
4361 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4362 return -EAFNOSUPPORT;
4363 if (nla[NFTA_SET_TABLE] == NULL)
4366 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4371 if (nla[NFTA_SET_HANDLE]) {
4372 attr = nla[NFTA_SET_HANDLE];
4373 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4375 attr = nla[NFTA_SET_NAME];
4376 set = nft_set_lookup(ctx.table, attr, genmask);
4380 NL_SET_BAD_ATTR(extack, attr);
4381 return PTR_ERR(set);
4384 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4385 NL_SET_BAD_ATTR(extack, attr);
4389 return nft_delset(&ctx, set);
4392 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4393 struct nft_set *set,
4394 const struct nft_set_iter *iter,
4395 struct nft_set_elem *elem)
4397 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4398 enum nft_registers dreg;
4400 dreg = nft_type_to_reg(set->dtype);
4401 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4402 set->dtype == NFT_DATA_VERDICT ?
4403 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4407 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4408 struct nft_set_binding *binding)
4410 struct nft_set_binding *i;
4411 struct nft_set_iter iter;
4413 if (set->use == UINT_MAX)
4416 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4419 if (binding->flags & NFT_SET_MAP) {
4420 /* If the set is already bound to the same chain all
4421 * jumps are already validated for that chain.
4423 list_for_each_entry(i, &set->bindings, list) {
4424 if (i->flags & NFT_SET_MAP &&
4425 i->chain == binding->chain)
4429 iter.genmask = nft_genmask_next(ctx->net);
4433 iter.fn = nf_tables_bind_check_setelem;
4435 set->ops->walk(ctx, set, &iter);
4440 binding->chain = ctx->chain;
4441 list_add_tail_rcu(&binding->list, &set->bindings);
4442 nft_set_trans_bind(ctx, set);
4447 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4449 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4450 struct nft_set_binding *binding, bool event)
4452 list_del_rcu(&binding->list);
4454 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4455 list_del_rcu(&set->list);
4457 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4462 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4463 struct nft_set_binding *binding,
4464 enum nft_trans_phase phase)
4467 case NFT_TRANS_PREPARE:
4470 case NFT_TRANS_ABORT:
4471 case NFT_TRANS_RELEASE:
4475 nf_tables_unbind_set(ctx, set, binding,
4476 phase == NFT_TRANS_COMMIT);
4479 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4481 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4483 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4484 nft_set_destroy(ctx, set);
4486 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4488 const struct nft_set_ext_type nft_set_ext_types[] = {
4489 [NFT_SET_EXT_KEY] = {
4490 .align = __alignof__(u32),
4492 [NFT_SET_EXT_DATA] = {
4493 .align = __alignof__(u32),
4495 [NFT_SET_EXT_EXPR] = {
4496 .align = __alignof__(struct nft_expr),
4498 [NFT_SET_EXT_OBJREF] = {
4499 .len = sizeof(struct nft_object *),
4500 .align = __alignof__(struct nft_object *),
4502 [NFT_SET_EXT_FLAGS] = {
4504 .align = __alignof__(u8),
4506 [NFT_SET_EXT_TIMEOUT] = {
4508 .align = __alignof__(u64),
4510 [NFT_SET_EXT_EXPIRATION] = {
4512 .align = __alignof__(u64),
4514 [NFT_SET_EXT_USERDATA] = {
4515 .len = sizeof(struct nft_userdata),
4516 .align = __alignof__(struct nft_userdata),
4518 [NFT_SET_EXT_KEY_END] = {
4519 .align = __alignof__(u32),
4527 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4528 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4529 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4530 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4531 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4532 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4533 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4534 .len = NFT_USERDATA_MAXLEN },
4535 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4536 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4537 .len = NFT_OBJ_MAXNAMELEN - 1 },
4538 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4541 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4542 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4543 .len = NFT_TABLE_MAXNAMELEN - 1 },
4544 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4545 .len = NFT_SET_MAXNAMELEN - 1 },
4546 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4547 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4550 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4551 const struct sk_buff *skb,
4552 const struct nlmsghdr *nlh,
4553 const struct nlattr * const nla[],
4554 struct netlink_ext_ack *extack,
4557 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4558 int family = nfmsg->nfgen_family;
4559 struct nft_table *table;
4561 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4563 if (IS_ERR(table)) {
4564 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4565 return PTR_ERR(table);
4568 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4572 static int nf_tables_fill_setelem(struct sk_buff *skb,
4573 const struct nft_set *set,
4574 const struct nft_set_elem *elem)
4576 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4577 unsigned char *b = skb_tail_pointer(skb);
4578 struct nlattr *nest;
4580 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4582 goto nla_put_failure;
4584 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4585 NFT_DATA_VALUE, set->klen) < 0)
4586 goto nla_put_failure;
4588 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4589 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4590 NFT_DATA_VALUE, set->klen) < 0)
4591 goto nla_put_failure;
4593 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4594 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4595 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4597 goto nla_put_failure;
4599 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4600 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4601 goto nla_put_failure;
4603 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4604 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4605 (*nft_set_ext_obj(ext))->key.name) < 0)
4606 goto nla_put_failure;
4608 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4609 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4610 htonl(*nft_set_ext_flags(ext))))
4611 goto nla_put_failure;
4613 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4614 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4615 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4617 goto nla_put_failure;
4619 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4620 u64 expires, now = get_jiffies_64();
4622 expires = *nft_set_ext_expiration(ext);
4623 if (time_before64(now, expires))
4628 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4629 nf_jiffies64_to_msecs(expires),
4631 goto nla_put_failure;
4634 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4635 struct nft_userdata *udata;
4637 udata = nft_set_ext_userdata(ext);
4638 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4639 udata->len + 1, udata->data))
4640 goto nla_put_failure;
4643 nla_nest_end(skb, nest);
4651 struct nft_set_dump_args {
4652 const struct netlink_callback *cb;
4653 struct nft_set_iter iter;
4654 struct sk_buff *skb;
4657 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4658 struct nft_set *set,
4659 const struct nft_set_iter *iter,
4660 struct nft_set_elem *elem)
4662 struct nft_set_dump_args *args;
4664 args = container_of(iter, struct nft_set_dump_args, iter);
4665 return nf_tables_fill_setelem(args->skb, set, elem);
4668 struct nft_set_dump_ctx {
4669 const struct nft_set *set;
4673 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4675 struct nft_set_dump_ctx *dump_ctx = cb->data;
4676 struct net *net = sock_net(skb->sk);
4677 struct nft_table *table;
4678 struct nft_set *set;
4679 struct nft_set_dump_args args;
4680 bool set_found = false;
4681 struct nfgenmsg *nfmsg;
4682 struct nlmsghdr *nlh;
4683 struct nlattr *nest;
4688 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4689 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4690 dump_ctx->ctx.family != table->family)
4693 if (table != dump_ctx->ctx.table)
4696 list_for_each_entry_rcu(set, &table->sets, list) {
4697 if (set == dump_ctx->set) {
4710 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4711 portid = NETLINK_CB(cb->skb).portid;
4712 seq = cb->nlh->nlmsg_seq;
4714 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4717 goto nla_put_failure;
4719 nfmsg = nlmsg_data(nlh);
4720 nfmsg->nfgen_family = table->family;
4721 nfmsg->version = NFNETLINK_V0;
4722 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4724 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4725 goto nla_put_failure;
4726 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4727 goto nla_put_failure;
4729 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4731 goto nla_put_failure;
4735 args.iter.genmask = nft_genmask_cur(net);
4736 args.iter.skip = cb->args[0];
4737 args.iter.count = 0;
4739 args.iter.fn = nf_tables_dump_setelem;
4740 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4743 nla_nest_end(skb, nest);
4744 nlmsg_end(skb, nlh);
4746 if (args.iter.err && args.iter.err != -EMSGSIZE)
4747 return args.iter.err;
4748 if (args.iter.count == cb->args[0])
4751 cb->args[0] = args.iter.count;
4759 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4761 struct nft_set_dump_ctx *dump_ctx = cb->data;
4763 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4765 return cb->data ? 0 : -ENOMEM;
4768 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4774 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4775 const struct nft_ctx *ctx, u32 seq,
4776 u32 portid, int event, u16 flags,
4777 const struct nft_set *set,
4778 const struct nft_set_elem *elem)
4780 struct nfgenmsg *nfmsg;
4781 struct nlmsghdr *nlh;
4782 struct nlattr *nest;
4785 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4786 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4789 goto nla_put_failure;
4791 nfmsg = nlmsg_data(nlh);
4792 nfmsg->nfgen_family = ctx->family;
4793 nfmsg->version = NFNETLINK_V0;
4794 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4796 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4797 goto nla_put_failure;
4798 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4799 goto nla_put_failure;
4801 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4803 goto nla_put_failure;
4805 err = nf_tables_fill_setelem(skb, set, elem);
4807 goto nla_put_failure;
4809 nla_nest_end(skb, nest);
4811 nlmsg_end(skb, nlh);
4815 nlmsg_trim(skb, nlh);
4819 static int nft_setelem_parse_flags(const struct nft_set *set,
4820 const struct nlattr *attr, u32 *flags)
4825 *flags = ntohl(nla_get_be32(attr));
4826 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4828 if (!(set->flags & NFT_SET_INTERVAL) &&
4829 *flags & NFT_SET_ELEM_INTERVAL_END)
4835 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4836 struct nft_data *key, struct nlattr *attr)
4838 struct nft_data_desc desc;
4841 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4845 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4846 nft_data_release(key, desc.type);
4853 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4854 struct nft_data_desc *desc,
4855 struct nft_data *data,
4856 struct nlattr *attr)
4860 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4864 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4865 nft_data_release(data, desc->type);
4872 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4873 const struct nlattr *attr)
4875 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4876 struct nft_set_elem elem;
4877 struct sk_buff *skb;
4882 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4883 nft_set_elem_policy, NULL);
4887 if (!nla[NFTA_SET_ELEM_KEY])
4890 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4894 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4895 nla[NFTA_SET_ELEM_KEY]);
4899 if (nla[NFTA_SET_ELEM_KEY_END]) {
4900 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4901 nla[NFTA_SET_ELEM_KEY_END]);
4906 priv = set->ops->get(ctx->net, set, &elem, flags);
4908 return PTR_ERR(priv);
4913 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4917 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4918 NFT_MSG_NEWSETELEM, 0, set, &elem);
4920 goto err_fill_setelem;
4922 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
4929 /* called with rcu_read_lock held */
4930 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4931 struct sk_buff *skb, const struct nlmsghdr *nlh,
4932 const struct nlattr * const nla[],
4933 struct netlink_ext_ack *extack)
4935 u8 genmask = nft_genmask_cur(net);
4936 struct nft_set *set;
4937 struct nlattr *attr;
4941 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4946 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4948 return PTR_ERR(set);
4950 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4951 struct netlink_dump_control c = {
4952 .start = nf_tables_dump_set_start,
4953 .dump = nf_tables_dump_set,
4954 .done = nf_tables_dump_set_done,
4955 .module = THIS_MODULE,
4957 struct nft_set_dump_ctx dump_ctx = {
4963 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4966 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4969 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4970 err = nft_get_set_elem(&ctx, set, attr);
4978 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4979 const struct nft_set *set,
4980 const struct nft_set_elem *elem,
4981 int event, u16 flags)
4983 struct net *net = ctx->net;
4984 u32 portid = ctx->portid;
4985 struct sk_buff *skb;
4987 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
4988 ctx->table->name, ctx->table->handle,
4989 set->name, set->handle);
4991 audit_log_nfcfg(buf,
4994 event == NFT_MSG_NEWSETELEM ?
4995 AUDIT_NFT_OP_SETELEM_REGISTER :
4996 AUDIT_NFT_OP_SETELEM_UNREGISTER,
5000 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5003 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5007 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5014 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
5017 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5020 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5022 struct nft_set *set)
5024 struct nft_trans *trans;
5026 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5030 nft_trans_elem_set(trans) = set;
5034 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5035 const struct nft_set *set,
5036 const struct nlattr *attr)
5038 struct nft_expr *expr;
5041 expr = nft_expr_init(ctx, attr);
5046 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5047 goto err_set_elem_expr;
5049 if (expr->ops->type->flags & NFT_EXPR_GC) {
5050 if (set->flags & NFT_SET_TIMEOUT)
5051 goto err_set_elem_expr;
5052 if (!set->ops->gc_init)
5053 goto err_set_elem_expr;
5054 set->ops->gc_init(set);
5060 nft_expr_destroy(ctx, expr);
5061 return ERR_PTR(err);
5064 void *nft_set_elem_init(const struct nft_set *set,
5065 const struct nft_set_ext_tmpl *tmpl,
5066 const u32 *key, const u32 *key_end,
5067 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5069 struct nft_set_ext *ext;
5072 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5076 ext = nft_set_elem_ext(set, elem);
5077 nft_set_ext_init(ext, tmpl);
5079 memcpy(nft_set_ext_key(ext), key, set->klen);
5080 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5081 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5082 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5083 memcpy(nft_set_ext_data(ext), data, set->dlen);
5084 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5085 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5086 if (expiration == 0)
5087 *nft_set_ext_expiration(ext) += timeout;
5089 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5090 *nft_set_ext_timeout(ext) = timeout;
5095 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5096 struct nft_expr *expr)
5098 if (expr->ops->destroy_clone) {
5099 expr->ops->destroy_clone(ctx, expr);
5100 module_put(expr->ops->type->owner);
5102 nf_tables_expr_destroy(ctx, expr);
5106 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5109 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5110 struct nft_ctx ctx = {
5111 .net = read_pnet(&set->net),
5112 .family = set->table->family,
5115 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5116 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5117 nft_data_release(nft_set_ext_data(ext), set->dtype);
5118 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5119 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5121 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5122 (*nft_set_ext_obj(ext))->use--;
5125 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5127 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5128 * the refcounting from the preparation phase.
5130 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5131 const struct nft_set *set, void *elem)
5133 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5135 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5136 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5141 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5142 const struct nlattr *attr, u32 nlmsg_flags)
5144 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5145 u8 genmask = nft_genmask_next(ctx->net);
5146 struct nft_set_ext_tmpl tmpl;
5147 struct nft_set_ext *ext, *ext2;
5148 struct nft_set_elem elem;
5149 struct nft_set_binding *binding;
5150 struct nft_object *obj = NULL;
5151 struct nft_expr *expr = NULL;
5152 struct nft_userdata *udata;
5153 struct nft_data_desc desc;
5154 enum nft_registers dreg;
5155 struct nft_trans *trans;
5162 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5163 nft_set_elem_policy, NULL);
5167 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5170 nft_set_ext_prepare(&tmpl);
5172 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5176 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5178 if (set->flags & NFT_SET_MAP) {
5179 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5180 !(flags & NFT_SET_ELEM_INTERVAL_END))
5183 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5187 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5188 (nla[NFTA_SET_ELEM_DATA] ||
5189 nla[NFTA_SET_ELEM_OBJREF] ||
5190 nla[NFTA_SET_ELEM_TIMEOUT] ||
5191 nla[NFTA_SET_ELEM_EXPIRATION] ||
5192 nla[NFTA_SET_ELEM_USERDATA] ||
5193 nla[NFTA_SET_ELEM_EXPR]))
5197 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5198 if (!(set->flags & NFT_SET_TIMEOUT))
5200 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5204 } else if (set->flags & NFT_SET_TIMEOUT) {
5205 timeout = set->timeout;
5209 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5210 if (!(set->flags & NFT_SET_TIMEOUT))
5212 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5218 if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
5219 expr = nft_set_elem_expr_alloc(ctx, set,
5220 nla[NFTA_SET_ELEM_EXPR]);
5222 return PTR_ERR(expr);
5225 if (set->expr && set->expr->ops != expr->ops)
5226 goto err_set_elem_expr;
5227 } else if (set->expr) {
5228 expr = kzalloc(set->expr->ops->size, GFP_KERNEL);
5232 err = nft_expr_clone(expr, set->expr);
5234 goto err_set_elem_expr;
5237 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5238 nla[NFTA_SET_ELEM_KEY]);
5240 goto err_set_elem_expr;
5242 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5244 if (nla[NFTA_SET_ELEM_KEY_END]) {
5245 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5246 nla[NFTA_SET_ELEM_KEY_END]);
5250 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5254 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5255 if (timeout != set->timeout)
5256 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5260 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
5263 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5264 if (!(set->flags & NFT_SET_OBJECT)) {
5266 goto err_parse_key_end;
5268 obj = nft_obj_lookup(ctx->net, ctx->table,
5269 nla[NFTA_SET_ELEM_OBJREF],
5270 set->objtype, genmask);
5273 goto err_parse_key_end;
5275 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5278 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5279 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5280 nla[NFTA_SET_ELEM_DATA]);
5282 goto err_parse_key_end;
5284 dreg = nft_type_to_reg(set->dtype);
5285 list_for_each_entry(binding, &set->bindings, list) {
5286 struct nft_ctx bind_ctx = {
5288 .family = ctx->family,
5289 .table = ctx->table,
5290 .chain = (struct nft_chain *)binding->chain,
5293 if (!(binding->flags & NFT_SET_MAP))
5296 err = nft_validate_register_store(&bind_ctx, dreg,
5298 desc.type, desc.len);
5300 goto err_parse_data;
5302 if (desc.type == NFT_DATA_VERDICT &&
5303 (elem.data.val.verdict.code == NFT_GOTO ||
5304 elem.data.val.verdict.code == NFT_JUMP))
5305 nft_validate_state_update(ctx->net,
5309 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5312 /* The full maximum length of userdata can exceed the maximum
5313 * offset value (U8_MAX) for following extensions, therefor it
5314 * must be the last extension added.
5317 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5318 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5320 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5325 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5326 elem.key_end.val.data, elem.data.val.data,
5327 timeout, expiration, GFP_KERNEL);
5328 if (elem.priv == NULL)
5329 goto err_parse_data;
5331 ext = nft_set_elem_ext(set, elem.priv);
5333 *nft_set_ext_flags(ext) = flags;
5335 udata = nft_set_ext_userdata(ext);
5336 udata->len = ulen - 1;
5337 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5340 *nft_set_ext_obj(ext) = obj;
5344 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
5349 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5353 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5354 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5356 if (err == -EEXIST) {
5357 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5358 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5359 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5360 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5361 goto err_element_clash;
5362 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5363 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5364 memcmp(nft_set_ext_data(ext),
5365 nft_set_ext_data(ext2), set->dlen) != 0) ||
5366 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5367 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5368 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5369 goto err_element_clash;
5370 else if (!(nlmsg_flags & NLM_F_EXCL))
5372 } else if (err == -ENOTEMPTY) {
5373 /* ENOTEMPTY reports overlapping between this element
5374 * and an existing one.
5378 goto err_element_clash;
5382 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5387 nft_trans_elem(trans) = elem;
5388 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5392 set->ops->remove(ctx->net, set, &elem);
5399 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5401 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5402 nft_data_release(&elem.data.val, desc.type);
5404 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5406 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5409 nft_expr_destroy(ctx, expr);
5414 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5415 struct sk_buff *skb, const struct nlmsghdr *nlh,
5416 const struct nlattr * const nla[],
5417 struct netlink_ext_ack *extack)
5419 u8 genmask = nft_genmask_next(net);
5420 const struct nlattr *attr;
5421 struct nft_set *set;
5425 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5428 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5433 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5434 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5436 return PTR_ERR(set);
5438 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5441 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5442 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5447 if (net->nft.validate_state == NFT_VALIDATE_DO)
5448 return nft_table_validate(net, ctx.table);
5454 * nft_data_hold - hold a nft_data item
5456 * @data: struct nft_data to release
5457 * @type: type of data
5459 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5460 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5461 * NFT_GOTO verdicts. This function must be called on active data objects
5462 * from the second phase of the commit protocol.
5464 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5466 struct nft_chain *chain;
5467 struct nft_rule *rule;
5469 if (type == NFT_DATA_VERDICT) {
5470 switch (data->verdict.code) {
5473 chain = data->verdict.chain;
5476 if (!nft_chain_is_bound(chain))
5479 chain->table->use++;
5480 list_for_each_entry(rule, &chain->rules, list)
5483 nft_chain_add(chain->table, chain);
5489 static void nft_set_elem_activate(const struct net *net,
5490 const struct nft_set *set,
5491 struct nft_set_elem *elem)
5493 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5495 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5496 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5497 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5498 (*nft_set_ext_obj(ext))->use++;
5501 static void nft_set_elem_deactivate(const struct net *net,
5502 const struct nft_set *set,
5503 struct nft_set_elem *elem)
5505 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5507 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5508 nft_data_release(nft_set_ext_data(ext), set->dtype);
5509 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5510 (*nft_set_ext_obj(ext))->use--;
5513 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5514 const struct nlattr *attr)
5516 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5517 struct nft_set_ext_tmpl tmpl;
5518 struct nft_set_elem elem;
5519 struct nft_set_ext *ext;
5520 struct nft_trans *trans;
5525 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5526 nft_set_elem_policy, NULL);
5530 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5533 nft_set_ext_prepare(&tmpl);
5535 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5539 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5541 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5542 nla[NFTA_SET_ELEM_KEY]);
5546 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5548 if (nla[NFTA_SET_ELEM_KEY_END]) {
5549 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5550 nla[NFTA_SET_ELEM_KEY_END]);
5554 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5558 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5559 elem.key_end.val.data, NULL, 0, 0,
5561 if (elem.priv == NULL)
5564 ext = nft_set_elem_ext(set, elem.priv);
5566 *nft_set_ext_flags(ext) = flags;
5568 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5572 priv = set->ops->deactivate(ctx->net, set, &elem);
5580 nft_set_elem_deactivate(ctx->net, set, &elem);
5582 nft_trans_elem(trans) = elem;
5583 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5591 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5595 static int nft_flush_set(const struct nft_ctx *ctx,
5596 struct nft_set *set,
5597 const struct nft_set_iter *iter,
5598 struct nft_set_elem *elem)
5600 struct nft_trans *trans;
5603 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5604 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5608 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5614 nft_set_elem_deactivate(ctx->net, set, elem);
5615 nft_trans_elem_set(trans) = set;
5616 nft_trans_elem(trans) = *elem;
5617 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5625 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5626 struct sk_buff *skb, const struct nlmsghdr *nlh,
5627 const struct nlattr * const nla[],
5628 struct netlink_ext_ack *extack)
5630 u8 genmask = nft_genmask_next(net);
5631 const struct nlattr *attr;
5632 struct nft_set *set;
5636 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5641 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5643 return PTR_ERR(set);
5644 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5647 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5648 struct nft_set_iter iter = {
5650 .fn = nft_flush_set,
5652 set->ops->walk(&ctx, set, &iter);
5657 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5658 err = nft_del_setelem(&ctx, set, attr);
5667 void nft_set_gc_batch_release(struct rcu_head *rcu)
5669 struct nft_set_gc_batch *gcb;
5672 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5673 for (i = 0; i < gcb->head.cnt; i++)
5674 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5678 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5681 struct nft_set_gc_batch *gcb;
5683 gcb = kzalloc(sizeof(*gcb), gfp);
5686 gcb->head.set = set;
5695 * nft_register_obj- register nf_tables stateful object type
5696 * @obj_type: object type
5698 * Registers the object type for use with nf_tables. Returns zero on
5699 * success or a negative errno code otherwise.
5701 int nft_register_obj(struct nft_object_type *obj_type)
5703 if (obj_type->type == NFT_OBJECT_UNSPEC)
5706 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5707 list_add_rcu(&obj_type->list, &nf_tables_objects);
5708 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5711 EXPORT_SYMBOL_GPL(nft_register_obj);
5714 * nft_unregister_obj - unregister nf_tables object type
5715 * @obj_type: object type
5717 * Unregisters the object type for use with nf_tables.
5719 void nft_unregister_obj(struct nft_object_type *obj_type)
5721 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5722 list_del_rcu(&obj_type->list);
5723 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5725 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5727 struct nft_object *nft_obj_lookup(const struct net *net,
5728 const struct nft_table *table,
5729 const struct nlattr *nla, u32 objtype,
5732 struct nft_object_hash_key k = { .table = table };
5733 char search[NFT_OBJ_MAXNAMELEN];
5734 struct rhlist_head *tmp, *list;
5735 struct nft_object *obj;
5737 nla_strlcpy(search, nla, sizeof(search));
5740 WARN_ON_ONCE(!rcu_read_lock_held() &&
5741 !lockdep_commit_lock_is_held(net));
5744 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5748 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5749 if (objtype == obj->ops->type->type &&
5750 nft_active_genmask(obj, genmask)) {
5757 return ERR_PTR(-ENOENT);
5759 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5761 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5762 const struct nlattr *nla,
5763 u32 objtype, u8 genmask)
5765 struct nft_object *obj;
5767 list_for_each_entry(obj, &table->objects, list) {
5768 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5769 objtype == obj->ops->type->type &&
5770 nft_active_genmask(obj, genmask))
5773 return ERR_PTR(-ENOENT);
5776 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5777 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5778 .len = NFT_TABLE_MAXNAMELEN - 1 },
5779 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5780 .len = NFT_OBJ_MAXNAMELEN - 1 },
5781 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5782 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5783 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5784 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
5785 .len = NFT_USERDATA_MAXLEN },
5788 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5789 const struct nft_object_type *type,
5790 const struct nlattr *attr)
5793 const struct nft_object_ops *ops;
5794 struct nft_object *obj;
5797 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5802 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5803 type->policy, NULL);
5807 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5810 if (type->select_ops) {
5811 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5821 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5825 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5838 return ERR_PTR(err);
5841 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5842 struct nft_object *obj, bool reset)
5844 struct nlattr *nest;
5846 nest = nla_nest_start_noflag(skb, attr);
5848 goto nla_put_failure;
5849 if (obj->ops->dump(skb, obj, reset) < 0)
5850 goto nla_put_failure;
5851 nla_nest_end(skb, nest);
5858 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5860 const struct nft_object_type *type;
5862 list_for_each_entry(type, &nf_tables_objects, list) {
5863 if (objtype == type->type)
5869 static const struct nft_object_type *
5870 nft_obj_type_get(struct net *net, u32 objtype)
5872 const struct nft_object_type *type;
5874 type = __nft_obj_type_get(objtype);
5875 if (type != NULL && try_module_get(type->owner))
5878 lockdep_nfnl_nft_mutex_not_held();
5879 #ifdef CONFIG_MODULES
5881 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5882 return ERR_PTR(-EAGAIN);
5885 return ERR_PTR(-ENOENT);
5888 static int nf_tables_updobj(const struct nft_ctx *ctx,
5889 const struct nft_object_type *type,
5890 const struct nlattr *attr,
5891 struct nft_object *obj)
5893 struct nft_object *newobj;
5894 struct nft_trans *trans;
5897 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5898 sizeof(struct nft_trans_obj));
5902 newobj = nft_obj_init(ctx, type, attr);
5903 if (IS_ERR(newobj)) {
5904 err = PTR_ERR(newobj);
5905 goto err_free_trans;
5908 nft_trans_obj(trans) = obj;
5909 nft_trans_obj_update(trans) = true;
5910 nft_trans_obj_newobj(trans) = newobj;
5911 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5920 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5921 struct sk_buff *skb, const struct nlmsghdr *nlh,
5922 const struct nlattr * const nla[],
5923 struct netlink_ext_ack *extack)
5925 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5926 const struct nft_object_type *type;
5927 u8 genmask = nft_genmask_next(net);
5928 int family = nfmsg->nfgen_family;
5929 struct nft_table *table;
5930 struct nft_object *obj;
5935 if (!nla[NFTA_OBJ_TYPE] ||
5936 !nla[NFTA_OBJ_NAME] ||
5937 !nla[NFTA_OBJ_DATA])
5940 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5941 if (IS_ERR(table)) {
5942 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5943 return PTR_ERR(table);
5946 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5947 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5950 if (err != -ENOENT) {
5951 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5955 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5956 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5959 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5962 type = __nft_obj_type_get(objtype);
5963 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5965 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5968 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5970 type = nft_obj_type_get(net, objtype);
5972 return PTR_ERR(type);
5974 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5979 obj->key.table = table;
5980 obj->handle = nf_tables_alloc_handle(table);
5982 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5983 if (!obj->key.name) {
5988 if (nla[NFTA_OBJ_USERDATA]) {
5989 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
5990 if (obj->udata == NULL)
5993 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
5996 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6000 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6001 nft_objname_ht_params);
6005 list_add_tail_rcu(&obj->list, &table->objects);
6009 /* queued in transaction log */
6010 INIT_LIST_HEAD(&obj->list);
6013 kfree(obj->key.name);
6017 if (obj->ops->destroy)
6018 obj->ops->destroy(&ctx, obj);
6021 module_put(type->owner);
6025 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6026 u32 portid, u32 seq, int event, u32 flags,
6027 int family, const struct nft_table *table,
6028 struct nft_object *obj, bool reset)
6030 struct nfgenmsg *nfmsg;
6031 struct nlmsghdr *nlh;
6033 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6034 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6036 goto nla_put_failure;
6038 nfmsg = nlmsg_data(nlh);
6039 nfmsg->nfgen_family = family;
6040 nfmsg->version = NFNETLINK_V0;
6041 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6043 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6044 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6045 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6046 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6047 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6048 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6050 goto nla_put_failure;
6053 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6054 goto nla_put_failure;
6056 nlmsg_end(skb, nlh);
6060 nlmsg_trim(skb, nlh);
6064 struct nft_obj_filter {
6069 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6071 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6072 const struct nft_table *table;
6073 unsigned int idx = 0, s_idx = cb->args[0];
6074 struct nft_obj_filter *filter = cb->data;
6075 struct net *net = sock_net(skb->sk);
6076 int family = nfmsg->nfgen_family;
6077 struct nft_object *obj;
6080 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6084 cb->seq = net->nft.base_seq;
6086 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6087 if (family != NFPROTO_UNSPEC && family != table->family)
6090 list_for_each_entry_rcu(obj, &table->objects, list) {
6091 if (!nft_is_active(net, obj))
6096 memset(&cb->args[1], 0,
6097 sizeof(cb->args) - sizeof(cb->args[0]));
6098 if (filter && filter->table &&
6099 strcmp(filter->table, table->name))
6102 filter->type != NFT_OBJECT_UNSPEC &&
6103 obj->ops->type->type != filter->type)
6107 char *buf = kasprintf(GFP_ATOMIC,
6112 audit_log_nfcfg(buf,
6115 AUDIT_NFT_OP_OBJ_RESET,
6120 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6123 NLM_F_MULTI | NLM_F_APPEND,
6124 table->family, table,
6128 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6140 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6142 const struct nlattr * const *nla = cb->data;
6143 struct nft_obj_filter *filter = NULL;
6145 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6146 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6150 if (nla[NFTA_OBJ_TABLE]) {
6151 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6152 if (!filter->table) {
6158 if (nla[NFTA_OBJ_TYPE])
6159 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6166 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6168 struct nft_obj_filter *filter = cb->data;
6171 kfree(filter->table);
6178 /* called with rcu_read_lock held */
6179 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6180 struct sk_buff *skb, const struct nlmsghdr *nlh,
6181 const struct nlattr * const nla[],
6182 struct netlink_ext_ack *extack)
6184 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6185 u8 genmask = nft_genmask_cur(net);
6186 int family = nfmsg->nfgen_family;
6187 const struct nft_table *table;
6188 struct nft_object *obj;
6189 struct sk_buff *skb2;
6194 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6195 struct netlink_dump_control c = {
6196 .start = nf_tables_dump_obj_start,
6197 .dump = nf_tables_dump_obj,
6198 .done = nf_tables_dump_obj_done,
6199 .module = THIS_MODULE,
6200 .data = (void *)nla,
6203 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6206 if (!nla[NFTA_OBJ_NAME] ||
6207 !nla[NFTA_OBJ_TYPE])
6210 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6211 if (IS_ERR(table)) {
6212 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6213 return PTR_ERR(table);
6216 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6217 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6219 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6220 return PTR_ERR(obj);
6223 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6227 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6231 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0",
6232 table->name, table->handle);
6234 audit_log_nfcfg(buf,
6237 AUDIT_NFT_OP_OBJ_RESET,
6242 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6243 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6244 family, table, obj, reset);
6246 goto err_fill_obj_info;
6248 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6255 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6257 if (obj->ops->destroy)
6258 obj->ops->destroy(ctx, obj);
6260 module_put(obj->ops->type->owner);
6261 kfree(obj->key.name);
6266 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6267 struct sk_buff *skb, const struct nlmsghdr *nlh,
6268 const struct nlattr * const nla[],
6269 struct netlink_ext_ack *extack)
6271 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6272 u8 genmask = nft_genmask_next(net);
6273 int family = nfmsg->nfgen_family;
6274 const struct nlattr *attr;
6275 struct nft_table *table;
6276 struct nft_object *obj;
6280 if (!nla[NFTA_OBJ_TYPE] ||
6281 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6284 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6285 if (IS_ERR(table)) {
6286 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6287 return PTR_ERR(table);
6290 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6291 if (nla[NFTA_OBJ_HANDLE]) {
6292 attr = nla[NFTA_OBJ_HANDLE];
6293 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6295 attr = nla[NFTA_OBJ_NAME];
6296 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6300 NL_SET_BAD_ATTR(extack, attr);
6301 return PTR_ERR(obj);
6304 NL_SET_BAD_ATTR(extack, attr);
6308 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6310 return nft_delobj(&ctx, obj);
6313 void nft_obj_notify(struct net *net, const struct nft_table *table,
6314 struct nft_object *obj, u32 portid, u32 seq, int event,
6315 int family, int report, gfp_t gfp)
6317 struct sk_buff *skb;
6319 char *buf = kasprintf(gfp, "%s:%llu;?:0",
6320 table->name, table->handle);
6322 audit_log_nfcfg(buf,
6325 event == NFT_MSG_NEWOBJ ?
6326 AUDIT_NFT_OP_OBJ_REGISTER :
6327 AUDIT_NFT_OP_OBJ_UNREGISTER,
6332 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6335 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6339 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6346 nft_notify_enqueue(skb, report, &net->nft.notify_list);
6349 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6351 EXPORT_SYMBOL_GPL(nft_obj_notify);
6353 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6354 struct nft_object *obj, int event)
6356 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6357 ctx->family, ctx->report, GFP_KERNEL);
6363 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6365 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6366 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6367 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6369 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6371 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6373 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6374 list_del_rcu(&type->list);
6375 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6377 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6379 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6380 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6381 .len = NFT_NAME_MAXLEN - 1 },
6382 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6383 .len = NFT_NAME_MAXLEN - 1 },
6384 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6385 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6386 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6389 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6390 const struct nlattr *nla, u8 genmask)
6392 struct nft_flowtable *flowtable;
6394 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6395 if (!nla_strcmp(nla, flowtable->name) &&
6396 nft_active_genmask(flowtable, genmask))
6399 return ERR_PTR(-ENOENT);
6401 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6403 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6404 struct nft_flowtable *flowtable,
6405 enum nft_trans_phase phase)
6408 case NFT_TRANS_PREPARE:
6409 case NFT_TRANS_ABORT:
6410 case NFT_TRANS_RELEASE:
6417 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6419 static struct nft_flowtable *
6420 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6421 const struct nlattr *nla, u8 genmask)
6423 struct nft_flowtable *flowtable;
6425 list_for_each_entry(flowtable, &table->flowtables, list) {
6426 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6427 nft_active_genmask(flowtable, genmask))
6430 return ERR_PTR(-ENOENT);
6433 struct nft_flowtable_hook {
6436 struct list_head list;
6439 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6440 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6441 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6442 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6445 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6446 const struct nlattr *attr,
6447 struct nft_flowtable_hook *flowtable_hook,
6448 struct nft_flowtable *flowtable, bool add)
6450 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6451 struct nft_hook *hook;
6452 int hooknum, priority;
6455 INIT_LIST_HEAD(&flowtable_hook->list);
6457 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6458 nft_flowtable_hook_policy, NULL);
6463 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6464 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6467 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6468 if (hooknum != NF_NETDEV_INGRESS)
6471 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6473 flowtable_hook->priority = priority;
6474 flowtable_hook->num = hooknum;
6476 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6477 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6478 if (hooknum != flowtable->hooknum)
6482 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6483 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6484 if (priority != flowtable->data.priority)
6488 flowtable_hook->priority = flowtable->data.priority;
6489 flowtable_hook->num = flowtable->hooknum;
6492 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6493 err = nf_tables_parse_netdev_hooks(ctx->net,
6494 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6495 &flowtable_hook->list);
6500 list_for_each_entry(hook, &flowtable_hook->list, list) {
6501 hook->ops.pf = NFPROTO_NETDEV;
6502 hook->ops.hooknum = flowtable_hook->num;
6503 hook->ops.priority = flowtable_hook->priority;
6504 hook->ops.priv = &flowtable->data;
6505 hook->ops.hook = flowtable->data.type->hook;
6511 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6513 const struct nf_flowtable_type *type;
6515 list_for_each_entry(type, &nf_tables_flowtables, list) {
6516 if (family == type->family)
6522 static const struct nf_flowtable_type *
6523 nft_flowtable_type_get(struct net *net, u8 family)
6525 const struct nf_flowtable_type *type;
6527 type = __nft_flowtable_type_get(family);
6528 if (type != NULL && try_module_get(type->owner))
6531 lockdep_nfnl_nft_mutex_not_held();
6532 #ifdef CONFIG_MODULES
6534 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6535 return ERR_PTR(-EAGAIN);
6538 return ERR_PTR(-ENOENT);
6541 /* Only called from error and netdev event paths. */
6542 static void nft_unregister_flowtable_hook(struct net *net,
6543 struct nft_flowtable *flowtable,
6544 struct nft_hook *hook)
6546 nf_unregister_net_hook(net, &hook->ops);
6547 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6551 static void nft_unregister_flowtable_net_hooks(struct net *net,
6552 struct list_head *hook_list)
6554 struct nft_hook *hook;
6556 list_for_each_entry(hook, hook_list, list)
6557 nf_unregister_net_hook(net, &hook->ops);
6560 static int nft_register_flowtable_net_hooks(struct net *net,
6561 struct nft_table *table,
6562 struct list_head *hook_list,
6563 struct nft_flowtable *flowtable)
6565 struct nft_hook *hook, *hook2, *next;
6566 struct nft_flowtable *ft;
6569 list_for_each_entry(hook, hook_list, list) {
6570 list_for_each_entry(ft, &table->flowtables, list) {
6571 list_for_each_entry(hook2, &ft->hook_list, list) {
6572 if (hook->ops.dev == hook2->ops.dev &&
6573 hook->ops.pf == hook2->ops.pf) {
6575 goto err_unregister_net_hooks;
6580 err = flowtable->data.type->setup(&flowtable->data,
6584 goto err_unregister_net_hooks;
6586 err = nf_register_net_hook(net, &hook->ops);
6588 flowtable->data.type->setup(&flowtable->data,
6591 goto err_unregister_net_hooks;
6599 err_unregister_net_hooks:
6600 list_for_each_entry_safe(hook, next, hook_list, list) {
6604 nft_unregister_flowtable_hook(net, flowtable, hook);
6605 list_del_rcu(&hook->list);
6606 kfree_rcu(hook, rcu);
6612 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6614 struct nft_hook *hook, *next;
6616 list_for_each_entry_safe(hook, next, hook_list, list) {
6617 list_del_rcu(&hook->list);
6618 kfree_rcu(hook, rcu);
6622 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6623 struct nft_flowtable *flowtable)
6625 const struct nlattr * const *nla = ctx->nla;
6626 struct nft_flowtable_hook flowtable_hook;
6627 struct nft_hook *hook, *next;
6628 struct nft_trans *trans;
6629 bool unregister = false;
6632 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6633 &flowtable_hook, flowtable, false);
6637 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6638 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6639 list_del(&hook->list);
6644 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6645 &flowtable_hook.list, flowtable);
6647 goto err_flowtable_update_hook;
6649 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6650 sizeof(struct nft_trans_flowtable));
6654 goto err_flowtable_update_hook;
6657 nft_trans_flowtable(trans) = flowtable;
6658 nft_trans_flowtable_update(trans) = true;
6659 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6660 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6662 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6666 err_flowtable_update_hook:
6667 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6669 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6670 list_del_rcu(&hook->list);
6671 kfree_rcu(hook, rcu);
6678 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6679 struct sk_buff *skb,
6680 const struct nlmsghdr *nlh,
6681 const struct nlattr * const nla[],
6682 struct netlink_ext_ack *extack)
6684 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6685 struct nft_flowtable_hook flowtable_hook;
6686 const struct nf_flowtable_type *type;
6687 u8 genmask = nft_genmask_next(net);
6688 int family = nfmsg->nfgen_family;
6689 struct nft_flowtable *flowtable;
6690 struct nft_hook *hook, *next;
6691 struct nft_table *table;
6695 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6696 !nla[NFTA_FLOWTABLE_NAME] ||
6697 !nla[NFTA_FLOWTABLE_HOOK])
6700 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6702 if (IS_ERR(table)) {
6703 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6704 return PTR_ERR(table);
6707 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6709 if (IS_ERR(flowtable)) {
6710 err = PTR_ERR(flowtable);
6711 if (err != -ENOENT) {
6712 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6716 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6717 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6721 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6723 return nft_flowtable_update(&ctx, nlh, flowtable);
6726 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6728 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6732 flowtable->table = table;
6733 flowtable->handle = nf_tables_alloc_handle(table);
6734 INIT_LIST_HEAD(&flowtable->hook_list);
6736 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6737 if (!flowtable->name) {
6742 type = nft_flowtable_type_get(net, family);
6744 err = PTR_ERR(type);
6748 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6749 flowtable->data.flags =
6750 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6751 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6755 write_pnet(&flowtable->data.net, net);
6756 flowtable->data.type = type;
6757 err = type->init(&flowtable->data);
6761 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6762 &flowtable_hook, flowtable, true);
6766 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6767 flowtable->data.priority = flowtable_hook.priority;
6768 flowtable->hooknum = flowtable_hook.num;
6770 err = nft_register_flowtable_net_hooks(ctx.net, table,
6771 &flowtable->hook_list,
6774 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6778 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6782 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6787 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6788 nft_unregister_flowtable_hook(net, flowtable, hook);
6789 list_del_rcu(&hook->list);
6790 kfree_rcu(hook, rcu);
6793 flowtable->data.type->free(&flowtable->data);
6795 module_put(type->owner);
6797 kfree(flowtable->name);
6803 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
6805 struct nft_hook *this, *next;
6807 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
6808 list_del(&this->list);
6813 static int nft_delflowtable_hook(struct nft_ctx *ctx,
6814 struct nft_flowtable *flowtable)
6816 const struct nlattr * const *nla = ctx->nla;
6817 struct nft_flowtable_hook flowtable_hook;
6818 struct nft_hook *this, *hook;
6819 struct nft_trans *trans;
6822 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6823 &flowtable_hook, flowtable, false);
6827 list_for_each_entry(this, &flowtable_hook.list, list) {
6828 hook = nft_hook_list_find(&flowtable->hook_list, this);
6831 goto err_flowtable_del_hook;
6833 hook->inactive = true;
6836 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
6837 sizeof(struct nft_trans_flowtable));
6840 goto err_flowtable_del_hook;
6843 nft_trans_flowtable(trans) = flowtable;
6844 nft_trans_flowtable_update(trans) = true;
6845 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6846 nft_flowtable_hook_release(&flowtable_hook);
6848 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6852 err_flowtable_del_hook:
6853 list_for_each_entry(this, &flowtable_hook.list, list) {
6854 hook = nft_hook_list_find(&flowtable->hook_list, this);
6858 hook->inactive = false;
6860 nft_flowtable_hook_release(&flowtable_hook);
6865 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6866 struct sk_buff *skb,
6867 const struct nlmsghdr *nlh,
6868 const struct nlattr * const nla[],
6869 struct netlink_ext_ack *extack)
6871 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6872 u8 genmask = nft_genmask_next(net);
6873 int family = nfmsg->nfgen_family;
6874 struct nft_flowtable *flowtable;
6875 const struct nlattr *attr;
6876 struct nft_table *table;
6879 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6880 (!nla[NFTA_FLOWTABLE_NAME] &&
6881 !nla[NFTA_FLOWTABLE_HANDLE]))
6884 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6886 if (IS_ERR(table)) {
6887 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6888 return PTR_ERR(table);
6891 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6892 attr = nla[NFTA_FLOWTABLE_HANDLE];
6893 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6895 attr = nla[NFTA_FLOWTABLE_NAME];
6896 flowtable = nft_flowtable_lookup(table, attr, genmask);
6899 if (IS_ERR(flowtable)) {
6900 NL_SET_BAD_ATTR(extack, attr);
6901 return PTR_ERR(flowtable);
6904 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6906 if (nla[NFTA_FLOWTABLE_HOOK])
6907 return nft_delflowtable_hook(&ctx, flowtable);
6909 if (flowtable->use > 0) {
6910 NL_SET_BAD_ATTR(extack, attr);
6914 return nft_delflowtable(&ctx, flowtable);
6917 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6918 u32 portid, u32 seq, int event,
6919 u32 flags, int family,
6920 struct nft_flowtable *flowtable,
6921 struct list_head *hook_list)
6923 struct nlattr *nest, *nest_devs;
6924 struct nfgenmsg *nfmsg;
6925 struct nft_hook *hook;
6926 struct nlmsghdr *nlh;
6928 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6929 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6931 goto nla_put_failure;
6933 nfmsg = nlmsg_data(nlh);
6934 nfmsg->nfgen_family = family;
6935 nfmsg->version = NFNETLINK_V0;
6936 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6938 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6939 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6940 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6941 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6942 NFTA_FLOWTABLE_PAD) ||
6943 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6944 goto nla_put_failure;
6946 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6948 goto nla_put_failure;
6949 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6950 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6951 goto nla_put_failure;
6953 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6955 goto nla_put_failure;
6957 list_for_each_entry_rcu(hook, hook_list, list) {
6958 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6959 goto nla_put_failure;
6961 nla_nest_end(skb, nest_devs);
6962 nla_nest_end(skb, nest);
6964 nlmsg_end(skb, nlh);
6968 nlmsg_trim(skb, nlh);
6972 struct nft_flowtable_filter {
6976 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6977 struct netlink_callback *cb)
6979 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6980 struct nft_flowtable_filter *filter = cb->data;
6981 unsigned int idx = 0, s_idx = cb->args[0];
6982 struct net *net = sock_net(skb->sk);
6983 int family = nfmsg->nfgen_family;
6984 struct nft_flowtable *flowtable;
6985 const struct nft_table *table;
6988 cb->seq = net->nft.base_seq;
6990 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6991 if (family != NFPROTO_UNSPEC && family != table->family)
6994 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6995 if (!nft_is_active(net, flowtable))
7000 memset(&cb->args[1], 0,
7001 sizeof(cb->args) - sizeof(cb->args[0]));
7002 if (filter && filter->table &&
7003 strcmp(filter->table, table->name))
7006 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7008 NFT_MSG_NEWFLOWTABLE,
7009 NLM_F_MULTI | NLM_F_APPEND,
7012 &flowtable->hook_list) < 0)
7015 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7027 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7029 const struct nlattr * const *nla = cb->data;
7030 struct nft_flowtable_filter *filter = NULL;
7032 if (nla[NFTA_FLOWTABLE_TABLE]) {
7033 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7037 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7039 if (!filter->table) {
7049 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7051 struct nft_flowtable_filter *filter = cb->data;
7056 kfree(filter->table);
7062 /* called with rcu_read_lock held */
7063 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7064 struct sk_buff *skb,
7065 const struct nlmsghdr *nlh,
7066 const struct nlattr * const nla[],
7067 struct netlink_ext_ack *extack)
7069 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7070 u8 genmask = nft_genmask_cur(net);
7071 int family = nfmsg->nfgen_family;
7072 struct nft_flowtable *flowtable;
7073 const struct nft_table *table;
7074 struct sk_buff *skb2;
7077 if (nlh->nlmsg_flags & NLM_F_DUMP) {
7078 struct netlink_dump_control c = {
7079 .start = nf_tables_dump_flowtable_start,
7080 .dump = nf_tables_dump_flowtable,
7081 .done = nf_tables_dump_flowtable_done,
7082 .module = THIS_MODULE,
7083 .data = (void *)nla,
7086 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7089 if (!nla[NFTA_FLOWTABLE_NAME])
7092 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7095 return PTR_ERR(table);
7097 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7099 if (IS_ERR(flowtable))
7100 return PTR_ERR(flowtable);
7102 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7106 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7108 NFT_MSG_NEWFLOWTABLE, 0, family,
7109 flowtable, &flowtable->hook_list);
7111 goto err_fill_flowtable_info;
7113 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7115 err_fill_flowtable_info:
7120 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7121 struct nft_flowtable *flowtable,
7122 struct list_head *hook_list,
7125 struct sk_buff *skb;
7127 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
7128 flowtable->table->name, flowtable->table->handle,
7129 flowtable->name, flowtable->handle);
7131 audit_log_nfcfg(buf,
7134 event == NFT_MSG_NEWFLOWTABLE ?
7135 AUDIT_NFT_OP_FLOWTABLE_REGISTER :
7136 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
7141 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7144 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7148 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7150 ctx->family, flowtable, hook_list);
7156 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7159 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7162 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7164 struct nft_hook *hook, *next;
7166 flowtable->data.type->free(&flowtable->data);
7167 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7168 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7170 list_del_rcu(&hook->list);
7173 kfree(flowtable->name);
7174 module_put(flowtable->data.type->owner);
7178 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7179 u32 portid, u32 seq)
7181 struct nlmsghdr *nlh;
7182 struct nfgenmsg *nfmsg;
7183 char buf[TASK_COMM_LEN];
7184 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7186 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7188 goto nla_put_failure;
7190 nfmsg = nlmsg_data(nlh);
7191 nfmsg->nfgen_family = AF_UNSPEC;
7192 nfmsg->version = NFNETLINK_V0;
7193 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7195 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7196 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7197 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7198 goto nla_put_failure;
7200 nlmsg_end(skb, nlh);
7204 nlmsg_trim(skb, nlh);
7208 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7209 struct nft_flowtable *flowtable)
7211 struct nft_hook *hook;
7213 list_for_each_entry(hook, &flowtable->hook_list, list) {
7214 if (hook->ops.dev != dev)
7217 /* flow_offload_netdev_event() cleans up entries for us. */
7218 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7219 list_del_rcu(&hook->list);
7220 kfree_rcu(hook, rcu);
7225 static int nf_tables_flowtable_event(struct notifier_block *this,
7226 unsigned long event, void *ptr)
7228 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7229 struct nft_flowtable *flowtable;
7230 struct nft_table *table;
7233 if (event != NETDEV_UNREGISTER)
7237 mutex_lock(&net->nft.commit_mutex);
7238 list_for_each_entry(table, &net->nft.tables, list) {
7239 list_for_each_entry(flowtable, &table->flowtables, list) {
7240 nft_flowtable_event(event, dev, flowtable);
7243 mutex_unlock(&net->nft.commit_mutex);
7248 static struct notifier_block nf_tables_flowtable_notifier = {
7249 .notifier_call = nf_tables_flowtable_event,
7252 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7255 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7256 struct sk_buff *skb2;
7259 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
7260 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
7262 if (nlmsg_report(nlh) &&
7263 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7266 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7270 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7277 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7278 nlmsg_report(nlh), GFP_KERNEL);
7281 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7285 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7286 struct sk_buff *skb, const struct nlmsghdr *nlh,
7287 const struct nlattr * const nla[],
7288 struct netlink_ext_ack *extack)
7290 struct sk_buff *skb2;
7293 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7297 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7300 goto err_fill_gen_info;
7302 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7309 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7310 [NFT_MSG_NEWTABLE] = {
7311 .call_batch = nf_tables_newtable,
7312 .attr_count = NFTA_TABLE_MAX,
7313 .policy = nft_table_policy,
7315 [NFT_MSG_GETTABLE] = {
7316 .call_rcu = nf_tables_gettable,
7317 .attr_count = NFTA_TABLE_MAX,
7318 .policy = nft_table_policy,
7320 [NFT_MSG_DELTABLE] = {
7321 .call_batch = nf_tables_deltable,
7322 .attr_count = NFTA_TABLE_MAX,
7323 .policy = nft_table_policy,
7325 [NFT_MSG_NEWCHAIN] = {
7326 .call_batch = nf_tables_newchain,
7327 .attr_count = NFTA_CHAIN_MAX,
7328 .policy = nft_chain_policy,
7330 [NFT_MSG_GETCHAIN] = {
7331 .call_rcu = nf_tables_getchain,
7332 .attr_count = NFTA_CHAIN_MAX,
7333 .policy = nft_chain_policy,
7335 [NFT_MSG_DELCHAIN] = {
7336 .call_batch = nf_tables_delchain,
7337 .attr_count = NFTA_CHAIN_MAX,
7338 .policy = nft_chain_policy,
7340 [NFT_MSG_NEWRULE] = {
7341 .call_batch = nf_tables_newrule,
7342 .attr_count = NFTA_RULE_MAX,
7343 .policy = nft_rule_policy,
7345 [NFT_MSG_GETRULE] = {
7346 .call_rcu = nf_tables_getrule,
7347 .attr_count = NFTA_RULE_MAX,
7348 .policy = nft_rule_policy,
7350 [NFT_MSG_DELRULE] = {
7351 .call_batch = nf_tables_delrule,
7352 .attr_count = NFTA_RULE_MAX,
7353 .policy = nft_rule_policy,
7355 [NFT_MSG_NEWSET] = {
7356 .call_batch = nf_tables_newset,
7357 .attr_count = NFTA_SET_MAX,
7358 .policy = nft_set_policy,
7360 [NFT_MSG_GETSET] = {
7361 .call_rcu = nf_tables_getset,
7362 .attr_count = NFTA_SET_MAX,
7363 .policy = nft_set_policy,
7365 [NFT_MSG_DELSET] = {
7366 .call_batch = nf_tables_delset,
7367 .attr_count = NFTA_SET_MAX,
7368 .policy = nft_set_policy,
7370 [NFT_MSG_NEWSETELEM] = {
7371 .call_batch = nf_tables_newsetelem,
7372 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7373 .policy = nft_set_elem_list_policy,
7375 [NFT_MSG_GETSETELEM] = {
7376 .call_rcu = nf_tables_getsetelem,
7377 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7378 .policy = nft_set_elem_list_policy,
7380 [NFT_MSG_DELSETELEM] = {
7381 .call_batch = nf_tables_delsetelem,
7382 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7383 .policy = nft_set_elem_list_policy,
7385 [NFT_MSG_GETGEN] = {
7386 .call_rcu = nf_tables_getgen,
7388 [NFT_MSG_NEWOBJ] = {
7389 .call_batch = nf_tables_newobj,
7390 .attr_count = NFTA_OBJ_MAX,
7391 .policy = nft_obj_policy,
7393 [NFT_MSG_GETOBJ] = {
7394 .call_rcu = nf_tables_getobj,
7395 .attr_count = NFTA_OBJ_MAX,
7396 .policy = nft_obj_policy,
7398 [NFT_MSG_DELOBJ] = {
7399 .call_batch = nf_tables_delobj,
7400 .attr_count = NFTA_OBJ_MAX,
7401 .policy = nft_obj_policy,
7403 [NFT_MSG_GETOBJ_RESET] = {
7404 .call_rcu = nf_tables_getobj,
7405 .attr_count = NFTA_OBJ_MAX,
7406 .policy = nft_obj_policy,
7408 [NFT_MSG_NEWFLOWTABLE] = {
7409 .call_batch = nf_tables_newflowtable,
7410 .attr_count = NFTA_FLOWTABLE_MAX,
7411 .policy = nft_flowtable_policy,
7413 [NFT_MSG_GETFLOWTABLE] = {
7414 .call_rcu = nf_tables_getflowtable,
7415 .attr_count = NFTA_FLOWTABLE_MAX,
7416 .policy = nft_flowtable_policy,
7418 [NFT_MSG_DELFLOWTABLE] = {
7419 .call_batch = nf_tables_delflowtable,
7420 .attr_count = NFTA_FLOWTABLE_MAX,
7421 .policy = nft_flowtable_policy,
7425 static int nf_tables_validate(struct net *net)
7427 struct nft_table *table;
7429 switch (net->nft.validate_state) {
7430 case NFT_VALIDATE_SKIP:
7432 case NFT_VALIDATE_NEED:
7433 nft_validate_state_update(net, NFT_VALIDATE_DO);
7435 case NFT_VALIDATE_DO:
7436 list_for_each_entry(table, &net->nft.tables, list) {
7437 if (nft_table_validate(net, table) < 0)
7446 /* a drop policy has to be deferred until all rules have been activated,
7447 * otherwise a large ruleset that contains a drop-policy base chain will
7448 * cause all packets to get dropped until the full transaction has been
7451 * We defer the drop policy until the transaction has been finalized.
7453 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7455 struct nft_base_chain *basechain;
7457 if (nft_trans_chain_policy(trans) != NF_DROP)
7460 if (!nft_is_base_chain(trans->ctx.chain))
7463 basechain = nft_base_chain(trans->ctx.chain);
7464 basechain->policy = NF_DROP;
7467 static void nft_chain_commit_update(struct nft_trans *trans)
7469 struct nft_base_chain *basechain;
7471 if (nft_trans_chain_name(trans)) {
7472 rhltable_remove(&trans->ctx.table->chains_ht,
7473 &trans->ctx.chain->rhlhead,
7474 nft_chain_ht_params);
7475 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7476 rhltable_insert_key(&trans->ctx.table->chains_ht,
7477 trans->ctx.chain->name,
7478 &trans->ctx.chain->rhlhead,
7479 nft_chain_ht_params);
7482 if (!nft_is_base_chain(trans->ctx.chain))
7485 nft_chain_stats_replace(trans);
7487 basechain = nft_base_chain(trans->ctx.chain);
7489 switch (nft_trans_chain_policy(trans)) {
7492 basechain->policy = nft_trans_chain_policy(trans);
7497 static void nft_obj_commit_update(struct nft_trans *trans)
7499 struct nft_object *newobj;
7500 struct nft_object *obj;
7502 obj = nft_trans_obj(trans);
7503 newobj = nft_trans_obj_newobj(trans);
7505 if (obj->ops->update)
7506 obj->ops->update(obj, newobj);
7511 static void nft_commit_release(struct nft_trans *trans)
7513 switch (trans->msg_type) {
7514 case NFT_MSG_DELTABLE:
7515 nf_tables_table_destroy(&trans->ctx);
7517 case NFT_MSG_NEWCHAIN:
7518 free_percpu(nft_trans_chain_stats(trans));
7519 kfree(nft_trans_chain_name(trans));
7521 case NFT_MSG_DELCHAIN:
7522 nf_tables_chain_destroy(&trans->ctx);
7524 case NFT_MSG_DELRULE:
7525 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7527 case NFT_MSG_DELSET:
7528 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7530 case NFT_MSG_DELSETELEM:
7531 nf_tables_set_elem_destroy(&trans->ctx,
7532 nft_trans_elem_set(trans),
7533 nft_trans_elem(trans).priv);
7535 case NFT_MSG_DELOBJ:
7536 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7538 case NFT_MSG_DELFLOWTABLE:
7539 if (nft_trans_flowtable_update(trans))
7540 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7542 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7547 put_net(trans->ctx.net);
7552 static void nf_tables_trans_destroy_work(struct work_struct *w)
7554 struct nft_trans *trans, *next;
7557 spin_lock(&nf_tables_destroy_list_lock);
7558 list_splice_init(&nf_tables_destroy_list, &head);
7559 spin_unlock(&nf_tables_destroy_list_lock);
7561 if (list_empty(&head))
7566 list_for_each_entry_safe(trans, next, &head, list) {
7567 list_del(&trans->list);
7568 nft_commit_release(trans);
7572 void nf_tables_trans_destroy_flush_work(void)
7574 flush_work(&trans_destroy_work);
7576 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7578 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7580 struct nft_rule *rule;
7581 unsigned int alloc = 0;
7584 /* already handled or inactive chain? */
7585 if (chain->rules_next || !nft_is_active_next(net, chain))
7588 rule = list_entry(&chain->rules, struct nft_rule, list);
7591 list_for_each_entry_continue(rule, &chain->rules, list) {
7592 if (nft_is_active_next(net, rule))
7596 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7597 if (!chain->rules_next)
7600 list_for_each_entry_continue(rule, &chain->rules, list) {
7601 if (nft_is_active_next(net, rule))
7602 chain->rules_next[i++] = rule;
7605 chain->rules_next[i] = NULL;
7609 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7611 struct nft_trans *trans, *next;
7613 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7614 struct nft_chain *chain = trans->ctx.chain;
7616 if (trans->msg_type == NFT_MSG_NEWRULE ||
7617 trans->msg_type == NFT_MSG_DELRULE) {
7618 kvfree(chain->rules_next);
7619 chain->rules_next = NULL;
7624 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7626 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7631 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7633 struct nft_rule **r = rules;
7634 struct nft_rules_old *old;
7639 r++; /* rcu_head is after end marker */
7643 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7646 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7648 struct nft_rule **g0, **g1;
7651 next_genbit = nft_gencursor_next(net);
7653 g0 = rcu_dereference_protected(chain->rules_gen_0,
7654 lockdep_commit_lock_is_held(net));
7655 g1 = rcu_dereference_protected(chain->rules_gen_1,
7656 lockdep_commit_lock_is_held(net));
7658 /* No changes to this chain? */
7659 if (chain->rules_next == NULL) {
7660 /* chain had no change in last or next generation */
7664 * chain had no change in this generation; make sure next
7665 * one uses same rules as current generation.
7668 rcu_assign_pointer(chain->rules_gen_1, g0);
7669 nf_tables_commit_chain_free_rules_old(g1);
7671 rcu_assign_pointer(chain->rules_gen_0, g1);
7672 nf_tables_commit_chain_free_rules_old(g0);
7679 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7681 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7683 chain->rules_next = NULL;
7689 nf_tables_commit_chain_free_rules_old(g1);
7691 nf_tables_commit_chain_free_rules_old(g0);
7694 static void nft_obj_del(struct nft_object *obj)
7696 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7697 list_del_rcu(&obj->list);
7700 void nft_chain_del(struct nft_chain *chain)
7702 struct nft_table *table = chain->table;
7704 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7705 nft_chain_ht_params));
7706 list_del_rcu(&chain->list);
7709 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7710 struct list_head *hook_list)
7712 struct nft_hook *hook, *next;
7714 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7716 list_move(&hook->list, hook_list);
7720 static void nf_tables_module_autoload_cleanup(struct net *net)
7722 struct nft_module_request *req, *next;
7724 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7725 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7726 WARN_ON_ONCE(!req->done);
7727 list_del(&req->list);
7732 static void nf_tables_commit_release(struct net *net)
7734 struct nft_trans *trans;
7736 /* all side effects have to be made visible.
7737 * For example, if a chain named 'foo' has been deleted, a
7738 * new transaction must not find it anymore.
7740 * Memory reclaim happens asynchronously from work queue
7741 * to prevent expensive synchronize_rcu() in commit phase.
7743 if (list_empty(&net->nft.commit_list)) {
7744 nf_tables_module_autoload_cleanup(net);
7745 mutex_unlock(&net->nft.commit_mutex);
7749 trans = list_last_entry(&net->nft.commit_list,
7750 struct nft_trans, list);
7751 get_net(trans->ctx.net);
7752 WARN_ON_ONCE(trans->put_net);
7754 trans->put_net = true;
7755 spin_lock(&nf_tables_destroy_list_lock);
7756 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7757 spin_unlock(&nf_tables_destroy_list_lock);
7759 nf_tables_module_autoload_cleanup(net);
7760 schedule_work(&trans_destroy_work);
7762 mutex_unlock(&net->nft.commit_mutex);
7765 static void nft_commit_notify(struct net *net, u32 portid)
7767 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7768 unsigned char *data;
7771 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
7775 len = NLMSG_GOODSIZE - skb->len;
7776 list_del(&skb->list);
7780 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
7781 data = skb_put(batch_skb, skb->len);
7782 memcpy(data, skb->data, skb->len);
7783 list_del(&skb->list);
7787 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7788 NFT_CB(batch_skb).report, GFP_KERNEL);
7793 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7794 NFT_CB(batch_skb).report, GFP_KERNEL);
7797 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
7800 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7802 struct nft_trans *trans, *next;
7803 struct nft_trans_elem *te;
7804 struct nft_chain *chain;
7805 struct nft_table *table;
7808 if (list_empty(&net->nft.commit_list)) {
7809 mutex_unlock(&net->nft.commit_mutex);
7813 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7814 if (nf_tables_validate(net) < 0)
7817 err = nft_flow_rule_offload_commit(net);
7821 /* 1. Allocate space for next generation rules_gen_X[] */
7822 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7825 if (trans->msg_type == NFT_MSG_NEWRULE ||
7826 trans->msg_type == NFT_MSG_DELRULE) {
7827 chain = trans->ctx.chain;
7829 ret = nf_tables_commit_chain_prepare(net, chain);
7831 nf_tables_commit_chain_prepare_cancel(net);
7837 /* step 2. Make rules_gen_X visible to packet path */
7838 list_for_each_entry(table, &net->nft.tables, list) {
7839 list_for_each_entry(chain, &table->chains, list)
7840 nf_tables_commit_chain(net, chain);
7844 * Bump generation counter, invalidate any dump in progress.
7845 * Cannot fail after this point.
7847 while (++net->nft.base_seq == 0);
7849 /* step 3. Start new generation, rules_gen_X now in use. */
7850 net->nft.gencursor = nft_gencursor_next(net);
7852 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7853 switch (trans->msg_type) {
7854 case NFT_MSG_NEWTABLE:
7855 if (nft_trans_table_update(trans)) {
7856 if (!nft_trans_table_enable(trans)) {
7857 nf_tables_table_disable(net,
7859 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7862 nft_clear(net, trans->ctx.table);
7864 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7865 nft_trans_destroy(trans);
7867 case NFT_MSG_DELTABLE:
7868 list_del_rcu(&trans->ctx.table->list);
7869 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7871 case NFT_MSG_NEWCHAIN:
7872 if (nft_trans_chain_update(trans)) {
7873 nft_chain_commit_update(trans);
7874 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7875 /* trans destroyed after rcu grace period */
7877 nft_chain_commit_drop_policy(trans);
7878 nft_clear(net, trans->ctx.chain);
7879 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7880 nft_trans_destroy(trans);
7883 case NFT_MSG_DELCHAIN:
7884 nft_chain_del(trans->ctx.chain);
7885 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7886 nf_tables_unregister_hook(trans->ctx.net,
7890 case NFT_MSG_NEWRULE:
7891 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7892 nf_tables_rule_notify(&trans->ctx,
7893 nft_trans_rule(trans),
7895 nft_trans_destroy(trans);
7897 case NFT_MSG_DELRULE:
7898 list_del_rcu(&nft_trans_rule(trans)->list);
7899 nf_tables_rule_notify(&trans->ctx,
7900 nft_trans_rule(trans),
7902 nft_rule_expr_deactivate(&trans->ctx,
7903 nft_trans_rule(trans),
7906 case NFT_MSG_NEWSET:
7907 nft_clear(net, nft_trans_set(trans));
7908 /* This avoids hitting -EBUSY when deleting the table
7909 * from the transaction.
7911 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7912 !list_empty(&nft_trans_set(trans)->bindings))
7913 trans->ctx.table->use--;
7915 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7916 NFT_MSG_NEWSET, GFP_KERNEL);
7917 nft_trans_destroy(trans);
7919 case NFT_MSG_DELSET:
7920 list_del_rcu(&nft_trans_set(trans)->list);
7921 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7922 NFT_MSG_DELSET, GFP_KERNEL);
7924 case NFT_MSG_NEWSETELEM:
7925 te = (struct nft_trans_elem *)trans->data;
7927 te->set->ops->activate(net, te->set, &te->elem);
7928 nf_tables_setelem_notify(&trans->ctx, te->set,
7930 NFT_MSG_NEWSETELEM, 0);
7931 nft_trans_destroy(trans);
7933 case NFT_MSG_DELSETELEM:
7934 te = (struct nft_trans_elem *)trans->data;
7936 nf_tables_setelem_notify(&trans->ctx, te->set,
7938 NFT_MSG_DELSETELEM, 0);
7939 te->set->ops->remove(net, te->set, &te->elem);
7940 atomic_dec(&te->set->nelems);
7943 case NFT_MSG_NEWOBJ:
7944 if (nft_trans_obj_update(trans)) {
7945 nft_obj_commit_update(trans);
7946 nf_tables_obj_notify(&trans->ctx,
7947 nft_trans_obj(trans),
7950 nft_clear(net, nft_trans_obj(trans));
7951 nf_tables_obj_notify(&trans->ctx,
7952 nft_trans_obj(trans),
7954 nft_trans_destroy(trans);
7957 case NFT_MSG_DELOBJ:
7958 nft_obj_del(nft_trans_obj(trans));
7959 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7962 case NFT_MSG_NEWFLOWTABLE:
7963 if (nft_trans_flowtable_update(trans)) {
7964 nf_tables_flowtable_notify(&trans->ctx,
7965 nft_trans_flowtable(trans),
7966 &nft_trans_flowtable_hooks(trans),
7967 NFT_MSG_NEWFLOWTABLE);
7968 list_splice(&nft_trans_flowtable_hooks(trans),
7969 &nft_trans_flowtable(trans)->hook_list);
7971 nft_clear(net, nft_trans_flowtable(trans));
7972 nf_tables_flowtable_notify(&trans->ctx,
7973 nft_trans_flowtable(trans),
7974 &nft_trans_flowtable(trans)->hook_list,
7975 NFT_MSG_NEWFLOWTABLE);
7977 nft_trans_destroy(trans);
7979 case NFT_MSG_DELFLOWTABLE:
7980 if (nft_trans_flowtable_update(trans)) {
7981 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
7982 &nft_trans_flowtable_hooks(trans));
7983 nf_tables_flowtable_notify(&trans->ctx,
7984 nft_trans_flowtable(trans),
7985 &nft_trans_flowtable_hooks(trans),
7986 NFT_MSG_DELFLOWTABLE);
7987 nft_unregister_flowtable_net_hooks(net,
7988 &nft_trans_flowtable_hooks(trans));
7990 list_del_rcu(&nft_trans_flowtable(trans)->list);
7991 nf_tables_flowtable_notify(&trans->ctx,
7992 nft_trans_flowtable(trans),
7993 &nft_trans_flowtable(trans)->hook_list,
7994 NFT_MSG_DELFLOWTABLE);
7995 nft_unregister_flowtable_net_hooks(net,
7996 &nft_trans_flowtable(trans)->hook_list);
8002 nft_commit_notify(net, NETLINK_CB(skb).portid);
8003 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8004 nf_tables_commit_release(net);
8009 static void nf_tables_module_autoload(struct net *net)
8011 struct nft_module_request *req, *next;
8012 LIST_HEAD(module_list);
8014 list_splice_init(&net->nft.module_list, &module_list);
8015 mutex_unlock(&net->nft.commit_mutex);
8016 list_for_each_entry_safe(req, next, &module_list, list) {
8017 request_module("%s", req->module);
8020 mutex_lock(&net->nft.commit_mutex);
8021 list_splice(&module_list, &net->nft.module_list);
8024 static void nf_tables_abort_release(struct nft_trans *trans)
8026 switch (trans->msg_type) {
8027 case NFT_MSG_NEWTABLE:
8028 nf_tables_table_destroy(&trans->ctx);
8030 case NFT_MSG_NEWCHAIN:
8031 nf_tables_chain_destroy(&trans->ctx);
8033 case NFT_MSG_NEWRULE:
8034 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8036 case NFT_MSG_NEWSET:
8037 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8039 case NFT_MSG_NEWSETELEM:
8040 nft_set_elem_destroy(nft_trans_elem_set(trans),
8041 nft_trans_elem(trans).priv, true);
8043 case NFT_MSG_NEWOBJ:
8044 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8046 case NFT_MSG_NEWFLOWTABLE:
8047 if (nft_trans_flowtable_update(trans))
8048 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8050 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8056 static int __nf_tables_abort(struct net *net, bool autoload)
8058 struct nft_trans *trans, *next;
8059 struct nft_trans_elem *te;
8060 struct nft_hook *hook;
8062 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8064 switch (trans->msg_type) {
8065 case NFT_MSG_NEWTABLE:
8066 if (nft_trans_table_update(trans)) {
8067 if (nft_trans_table_enable(trans)) {
8068 nf_tables_table_disable(net,
8070 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8072 nft_trans_destroy(trans);
8074 list_del_rcu(&trans->ctx.table->list);
8077 case NFT_MSG_DELTABLE:
8078 nft_clear(trans->ctx.net, trans->ctx.table);
8079 nft_trans_destroy(trans);
8081 case NFT_MSG_NEWCHAIN:
8082 if (nft_trans_chain_update(trans)) {
8083 free_percpu(nft_trans_chain_stats(trans));
8084 kfree(nft_trans_chain_name(trans));
8085 nft_trans_destroy(trans);
8087 if (nft_chain_is_bound(trans->ctx.chain)) {
8088 nft_trans_destroy(trans);
8091 trans->ctx.table->use--;
8092 nft_chain_del(trans->ctx.chain);
8093 nf_tables_unregister_hook(trans->ctx.net,
8098 case NFT_MSG_DELCHAIN:
8099 trans->ctx.table->use++;
8100 nft_clear(trans->ctx.net, trans->ctx.chain);
8101 nft_trans_destroy(trans);
8103 case NFT_MSG_NEWRULE:
8104 trans->ctx.chain->use--;
8105 list_del_rcu(&nft_trans_rule(trans)->list);
8106 nft_rule_expr_deactivate(&trans->ctx,
8107 nft_trans_rule(trans),
8110 case NFT_MSG_DELRULE:
8111 trans->ctx.chain->use++;
8112 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8113 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8114 nft_trans_destroy(trans);
8116 case NFT_MSG_NEWSET:
8117 trans->ctx.table->use--;
8118 if (nft_trans_set_bound(trans)) {
8119 nft_trans_destroy(trans);
8122 list_del_rcu(&nft_trans_set(trans)->list);
8124 case NFT_MSG_DELSET:
8125 trans->ctx.table->use++;
8126 nft_clear(trans->ctx.net, nft_trans_set(trans));
8127 nft_trans_destroy(trans);
8129 case NFT_MSG_NEWSETELEM:
8130 if (nft_trans_elem_set_bound(trans)) {
8131 nft_trans_destroy(trans);
8134 te = (struct nft_trans_elem *)trans->data;
8135 te->set->ops->remove(net, te->set, &te->elem);
8136 atomic_dec(&te->set->nelems);
8138 case NFT_MSG_DELSETELEM:
8139 te = (struct nft_trans_elem *)trans->data;
8141 nft_set_elem_activate(net, te->set, &te->elem);
8142 te->set->ops->activate(net, te->set, &te->elem);
8145 nft_trans_destroy(trans);
8147 case NFT_MSG_NEWOBJ:
8148 if (nft_trans_obj_update(trans)) {
8149 kfree(nft_trans_obj_newobj(trans));
8150 nft_trans_destroy(trans);
8152 trans->ctx.table->use--;
8153 nft_obj_del(nft_trans_obj(trans));
8156 case NFT_MSG_DELOBJ:
8157 trans->ctx.table->use++;
8158 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8159 nft_trans_destroy(trans);
8161 case NFT_MSG_NEWFLOWTABLE:
8162 if (nft_trans_flowtable_update(trans)) {
8163 nft_unregister_flowtable_net_hooks(net,
8164 &nft_trans_flowtable_hooks(trans));
8166 trans->ctx.table->use--;
8167 list_del_rcu(&nft_trans_flowtable(trans)->list);
8168 nft_unregister_flowtable_net_hooks(net,
8169 &nft_trans_flowtable(trans)->hook_list);
8172 case NFT_MSG_DELFLOWTABLE:
8173 if (nft_trans_flowtable_update(trans)) {
8174 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8175 hook->inactive = false;
8177 trans->ctx.table->use++;
8178 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8180 nft_trans_destroy(trans);
8187 list_for_each_entry_safe_reverse(trans, next,
8188 &net->nft.commit_list, list) {
8189 list_del(&trans->list);
8190 nf_tables_abort_release(trans);
8194 nf_tables_module_autoload(net);
8196 nf_tables_module_autoload_cleanup(net);
8201 static void nf_tables_cleanup(struct net *net)
8203 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8206 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
8208 int ret = __nf_tables_abort(net, autoload);
8210 mutex_unlock(&net->nft.commit_mutex);
8215 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8219 mutex_lock(&net->nft.commit_mutex);
8221 genid_ok = genid == 0 || net->nft.base_seq == genid;
8223 mutex_unlock(&net->nft.commit_mutex);
8225 /* else, commit mutex has to be released by commit or abort function */
8229 static const struct nfnetlink_subsystem nf_tables_subsys = {
8230 .name = "nf_tables",
8231 .subsys_id = NFNL_SUBSYS_NFTABLES,
8232 .cb_count = NFT_MSG_MAX,
8234 .commit = nf_tables_commit,
8235 .abort = nf_tables_abort,
8236 .cleanup = nf_tables_cleanup,
8237 .valid_genid = nf_tables_valid_genid,
8238 .owner = THIS_MODULE,
8241 int nft_chain_validate_dependency(const struct nft_chain *chain,
8242 enum nft_chain_types type)
8244 const struct nft_base_chain *basechain;
8246 if (nft_is_base_chain(chain)) {
8247 basechain = nft_base_chain(chain);
8248 if (basechain->type->type != type)
8253 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8255 int nft_chain_validate_hooks(const struct nft_chain *chain,
8256 unsigned int hook_flags)
8258 struct nft_base_chain *basechain;
8260 if (nft_is_base_chain(chain)) {
8261 basechain = nft_base_chain(chain);
8263 if ((1 << basechain->ops.hooknum) & hook_flags)
8271 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8274 * Loop detection - walk through the ruleset beginning at the destination chain
8275 * of a new jump until either the source chain is reached (loop) or all
8276 * reachable chains have been traversed.
8278 * The loop check is performed whenever a new jump verdict is added to an
8279 * expression or verdict map or a verdict map is bound to a new chain.
8282 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8283 const struct nft_chain *chain);
8285 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8286 struct nft_set *set,
8287 const struct nft_set_iter *iter,
8288 struct nft_set_elem *elem)
8290 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8291 const struct nft_data *data;
8293 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8294 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8297 data = nft_set_ext_data(ext);
8298 switch (data->verdict.code) {
8301 return nf_tables_check_loops(ctx, data->verdict.chain);
8307 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8308 const struct nft_chain *chain)
8310 const struct nft_rule *rule;
8311 const struct nft_expr *expr, *last;
8312 struct nft_set *set;
8313 struct nft_set_binding *binding;
8314 struct nft_set_iter iter;
8316 if (ctx->chain == chain)
8319 list_for_each_entry(rule, &chain->rules, list) {
8320 nft_rule_for_each_expr(expr, last, rule) {
8321 struct nft_immediate_expr *priv;
8322 const struct nft_data *data;
8325 if (strcmp(expr->ops->type->name, "immediate"))
8328 priv = nft_expr_priv(expr);
8329 if (priv->dreg != NFT_REG_VERDICT)
8333 switch (data->verdict.code) {
8336 err = nf_tables_check_loops(ctx,
8337 data->verdict.chain);
8346 list_for_each_entry(set, &ctx->table->sets, list) {
8347 if (!nft_is_active_next(ctx->net, set))
8349 if (!(set->flags & NFT_SET_MAP) ||
8350 set->dtype != NFT_DATA_VERDICT)
8353 list_for_each_entry(binding, &set->bindings, list) {
8354 if (!(binding->flags & NFT_SET_MAP) ||
8355 binding->chain != chain)
8358 iter.genmask = nft_genmask_next(ctx->net);
8362 iter.fn = nf_tables_loop_check_setelem;
8364 set->ops->walk(ctx, set, &iter);
8374 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8376 * @attr: netlink attribute to fetch value from
8377 * @max: maximum value to be stored in dest
8378 * @dest: pointer to the variable
8380 * Parse, check and store a given u32 netlink attribute into variable.
8381 * This function returns -ERANGE if the value goes over maximum value.
8382 * Otherwise a 0 is returned and the attribute value is stored in the
8383 * destination variable.
8385 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8389 val = ntohl(nla_get_be32(attr));
8396 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8399 * nft_parse_register - parse a register value from a netlink attribute
8401 * @attr: netlink attribute
8403 * Parse and translate a register value from a netlink attribute.
8404 * Registers used to be 128 bit wide, these register numbers will be
8405 * mapped to the corresponding 32 bit register numbers.
8407 unsigned int nft_parse_register(const struct nlattr *attr)
8411 reg = ntohl(nla_get_be32(attr));
8413 case NFT_REG_VERDICT...NFT_REG_4:
8414 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8416 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8419 EXPORT_SYMBOL_GPL(nft_parse_register);
8422 * nft_dump_register - dump a register value to a netlink attribute
8424 * @skb: socket buffer
8425 * @attr: attribute number
8426 * @reg: register number
8428 * Construct a netlink attribute containing the register number. For
8429 * compatibility reasons, register numbers being a multiple of 4 are
8430 * translated to the corresponding 128 bit register numbers.
8432 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8434 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8435 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8437 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8439 return nla_put_be32(skb, attr, htonl(reg));
8441 EXPORT_SYMBOL_GPL(nft_dump_register);
8444 * nft_validate_register_load - validate a load from a register
8446 * @reg: the register number
8447 * @len: the length of the data
8449 * Validate that the input register is one of the general purpose
8450 * registers and that the length of the load is within the bounds.
8452 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8454 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8458 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8463 EXPORT_SYMBOL_GPL(nft_validate_register_load);
8466 * nft_validate_register_store - validate an expressions' register store
8468 * @ctx: context of the expression performing the load
8469 * @reg: the destination register number
8470 * @data: the data to load
8471 * @type: the data type
8472 * @len: the length of the data
8474 * Validate that a data load uses the appropriate data type for
8475 * the destination register and the length is within the bounds.
8476 * A value of NULL for the data means that its runtime gathered
8479 int nft_validate_register_store(const struct nft_ctx *ctx,
8480 enum nft_registers reg,
8481 const struct nft_data *data,
8482 enum nft_data_types type, unsigned int len)
8487 case NFT_REG_VERDICT:
8488 if (type != NFT_DATA_VERDICT)
8492 (data->verdict.code == NFT_GOTO ||
8493 data->verdict.code == NFT_JUMP)) {
8494 err = nf_tables_check_loops(ctx, data->verdict.chain);
8501 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8505 if (reg * NFT_REG32_SIZE + len >
8506 sizeof_field(struct nft_regs, data))
8509 if (data != NULL && type != NFT_DATA_VALUE)
8514 EXPORT_SYMBOL_GPL(nft_validate_register_store);
8516 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8517 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8518 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8519 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8520 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8523 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8524 struct nft_data_desc *desc, const struct nlattr *nla)
8526 u8 genmask = nft_genmask_next(ctx->net);
8527 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8528 struct nft_chain *chain;
8531 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8532 nft_verdict_policy, NULL);
8536 if (!tb[NFTA_VERDICT_CODE])
8538 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8540 switch (data->verdict.code) {
8542 switch (data->verdict.code & NF_VERDICT_MASK) {
8557 if (tb[NFTA_VERDICT_CHAIN]) {
8558 chain = nft_chain_lookup(ctx->net, ctx->table,
8559 tb[NFTA_VERDICT_CHAIN],
8561 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8562 chain = nft_chain_lookup_byid(ctx->net,
8563 tb[NFTA_VERDICT_CHAIN_ID]);
8565 return PTR_ERR(chain);
8571 return PTR_ERR(chain);
8572 if (nft_is_base_chain(chain))
8576 data->verdict.chain = chain;
8580 desc->len = sizeof(data->verdict);
8581 desc->type = NFT_DATA_VERDICT;
8585 static void nft_verdict_uninit(const struct nft_data *data)
8587 struct nft_chain *chain;
8588 struct nft_rule *rule;
8590 switch (data->verdict.code) {
8593 chain = data->verdict.chain;
8596 if (!nft_chain_is_bound(chain))
8599 chain->table->use--;
8600 list_for_each_entry(rule, &chain->rules, list)
8603 nft_chain_del(chain);
8608 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8610 struct nlattr *nest;
8612 nest = nla_nest_start_noflag(skb, type);
8614 goto nla_put_failure;
8616 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8617 goto nla_put_failure;
8622 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8624 goto nla_put_failure;
8626 nla_nest_end(skb, nest);
8633 static int nft_value_init(const struct nft_ctx *ctx,
8634 struct nft_data *data, unsigned int size,
8635 struct nft_data_desc *desc, const struct nlattr *nla)
8645 nla_memcpy(data->data, nla, len);
8646 desc->type = NFT_DATA_VALUE;
8651 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8654 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8657 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8658 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8659 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8663 * nft_data_init - parse nf_tables data netlink attributes
8665 * @ctx: context of the expression using the data
8666 * @data: destination struct nft_data
8667 * @size: maximum data length
8668 * @desc: data description
8669 * @nla: netlink attribute containing data
8671 * Parse the netlink data attributes and initialize a struct nft_data.
8672 * The type and length of data are returned in the data description.
8674 * The caller can indicate that it only wants to accept data of type
8675 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8677 int nft_data_init(const struct nft_ctx *ctx,
8678 struct nft_data *data, unsigned int size,
8679 struct nft_data_desc *desc, const struct nlattr *nla)
8681 struct nlattr *tb[NFTA_DATA_MAX + 1];
8684 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8685 nft_data_policy, NULL);
8689 if (tb[NFTA_DATA_VALUE])
8690 return nft_value_init(ctx, data, size, desc,
8691 tb[NFTA_DATA_VALUE]);
8692 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8693 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8696 EXPORT_SYMBOL_GPL(nft_data_init);
8699 * nft_data_release - release a nft_data item
8701 * @data: struct nft_data to release
8702 * @type: type of data
8704 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8705 * all others need to be released by calling this function.
8707 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8709 if (type < NFT_DATA_VERDICT)
8712 case NFT_DATA_VERDICT:
8713 return nft_verdict_uninit(data);
8718 EXPORT_SYMBOL_GPL(nft_data_release);
8720 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8721 enum nft_data_types type, unsigned int len)
8723 struct nlattr *nest;
8726 nest = nla_nest_start_noflag(skb, attr);
8731 case NFT_DATA_VALUE:
8732 err = nft_value_dump(skb, data, len);
8734 case NFT_DATA_VERDICT:
8735 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8742 nla_nest_end(skb, nest);
8745 EXPORT_SYMBOL_GPL(nft_data_dump);
8747 int __nft_release_basechain(struct nft_ctx *ctx)
8749 struct nft_rule *rule, *nr;
8751 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8754 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8755 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8756 list_del(&rule->list);
8758 nf_tables_rule_release(ctx, rule);
8760 nft_chain_del(ctx->chain);
8762 nf_tables_chain_destroy(ctx);
8766 EXPORT_SYMBOL_GPL(__nft_release_basechain);
8768 static void __nft_release_tables(struct net *net)
8770 struct nft_flowtable *flowtable, *nf;
8771 struct nft_table *table, *nt;
8772 struct nft_chain *chain, *nc;
8773 struct nft_object *obj, *ne;
8774 struct nft_rule *rule, *nr;
8775 struct nft_set *set, *ns;
8776 struct nft_ctx ctx = {
8778 .family = NFPROTO_NETDEV,
8781 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8782 ctx.family = table->family;
8784 list_for_each_entry(chain, &table->chains, list)
8785 nf_tables_unregister_hook(net, table, chain);
8786 /* No packets are walking on these chains anymore. */
8788 list_for_each_entry(chain, &table->chains, list) {
8790 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8791 list_del(&rule->list);
8793 nf_tables_rule_release(&ctx, rule);
8796 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8797 list_del(&flowtable->list);
8799 nf_tables_flowtable_destroy(flowtable);
8801 list_for_each_entry_safe(set, ns, &table->sets, list) {
8802 list_del(&set->list);
8804 nft_set_destroy(&ctx, set);
8806 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8809 nft_obj_destroy(&ctx, obj);
8811 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8813 nft_chain_del(chain);
8815 nf_tables_chain_destroy(&ctx);
8817 list_del(&table->list);
8818 nf_tables_table_destroy(&ctx);
8822 static int __net_init nf_tables_init_net(struct net *net)
8824 INIT_LIST_HEAD(&net->nft.tables);
8825 INIT_LIST_HEAD(&net->nft.commit_list);
8826 INIT_LIST_HEAD(&net->nft.module_list);
8827 INIT_LIST_HEAD(&net->nft.notify_list);
8828 mutex_init(&net->nft.commit_mutex);
8829 net->nft.base_seq = 1;
8830 net->nft.validate_state = NFT_VALIDATE_SKIP;
8835 static void __net_exit nf_tables_exit_net(struct net *net)
8837 mutex_lock(&net->nft.commit_mutex);
8838 if (!list_empty(&net->nft.commit_list))
8839 __nf_tables_abort(net, false);
8840 __nft_release_tables(net);
8841 mutex_unlock(&net->nft.commit_mutex);
8842 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8843 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
8844 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
8847 static struct pernet_operations nf_tables_net_ops = {
8848 .init = nf_tables_init_net,
8849 .exit = nf_tables_exit_net,
8852 static int __init nf_tables_module_init(void)
8856 spin_lock_init(&nf_tables_destroy_list_lock);
8857 err = register_pernet_subsys(&nf_tables_net_ops);
8861 err = nft_chain_filter_init();
8865 err = nf_tables_core_module_init();
8869 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8873 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8877 err = nft_offload_init();
8882 err = nfnetlink_subsys_register(&nf_tables_subsys);
8886 nft_chain_route_init();
8892 rhltable_destroy(&nft_objname_ht);
8894 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8896 nf_tables_core_module_exit();
8898 nft_chain_filter_fini();
8900 unregister_pernet_subsys(&nf_tables_net_ops);
8904 static void __exit nf_tables_module_exit(void)
8906 nfnetlink_subsys_unregister(&nf_tables_subsys);
8908 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8909 nft_chain_filter_fini();
8910 nft_chain_route_fini();
8911 unregister_pernet_subsys(&nf_tables_net_ops);
8912 cancel_work_sync(&trans_destroy_work);
8914 rhltable_destroy(&nft_objname_ht);
8915 nf_tables_core_module_exit();
8918 module_init(nf_tables_module_init);
8919 module_exit(nf_tables_module_exit);
8921 MODULE_LICENSE("GPL");
8922 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8923 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob