2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/rhashtable.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter/nfnetlink.h>
20 #include <linux/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_flow_table.h>
22 #include <net/netfilter/nf_tables_core.h>
23 #include <net/netfilter/nf_tables.h>
24 #include <net/net_namespace.h>
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
35 NFT_VALIDATE_SKIP = 0,
40 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
41 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
42 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
44 static const struct rhashtable_params nft_chain_ht_params = {
45 .head_offset = offsetof(struct nft_chain, rhlhead),
46 .key_offset = offsetof(struct nft_chain, name),
47 .hashfn = nft_chain_hash,
48 .obj_hashfn = nft_chain_hash_obj,
49 .obj_cmpfn = nft_chain_hash_cmp,
51 .automatic_shrinking = true,
54 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
56 switch (net->nft.validate_state) {
57 case NFT_VALIDATE_SKIP:
58 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
60 case NFT_VALIDATE_NEED:
63 if (new_validate_state == NFT_VALIDATE_NEED)
67 net->nft.validate_state = new_validate_state;
69 static void nf_tables_trans_destroy_work(struct work_struct *w);
70 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
72 static void nft_ctx_init(struct nft_ctx *ctx,
74 const struct sk_buff *skb,
75 const struct nlmsghdr *nlh,
77 struct nft_table *table,
78 struct nft_chain *chain,
79 const struct nlattr * const *nla)
87 ctx->portid = NETLINK_CB(skb).portid;
88 ctx->report = nlmsg_report(nlh);
89 ctx->seq = nlh->nlmsg_seq;
92 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
93 int msg_type, u32 size, gfp_t gfp)
95 struct nft_trans *trans;
97 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
101 trans->msg_type = msg_type;
107 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
108 int msg_type, u32 size)
110 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
113 static void nft_trans_destroy(struct nft_trans *trans)
115 list_del(&trans->list);
119 static int nf_tables_register_hook(struct net *net,
120 const struct nft_table *table,
121 struct nft_chain *chain)
123 const struct nft_base_chain *basechain;
124 const struct nf_hook_ops *ops;
126 if (table->flags & NFT_TABLE_F_DORMANT ||
127 !nft_is_base_chain(chain))
130 basechain = nft_base_chain(chain);
131 ops = &basechain->ops;
133 if (basechain->type->ops_register)
134 return basechain->type->ops_register(net, ops);
136 return nf_register_net_hook(net, ops);
139 static void nf_tables_unregister_hook(struct net *net,
140 const struct nft_table *table,
141 struct nft_chain *chain)
143 const struct nft_base_chain *basechain;
144 const struct nf_hook_ops *ops;
146 if (table->flags & NFT_TABLE_F_DORMANT ||
147 !nft_is_base_chain(chain))
149 basechain = nft_base_chain(chain);
150 ops = &basechain->ops;
152 if (basechain->type->ops_unregister)
153 return basechain->type->ops_unregister(net, ops);
155 nf_unregister_net_hook(net, ops);
158 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
160 struct nft_trans *trans;
162 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
166 if (msg_type == NFT_MSG_NEWTABLE)
167 nft_activate_next(ctx->net, ctx->table);
169 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
173 static int nft_deltable(struct nft_ctx *ctx)
177 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
181 nft_deactivate_next(ctx->net, ctx->table);
185 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
187 struct nft_trans *trans;
189 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
193 if (msg_type == NFT_MSG_NEWCHAIN)
194 nft_activate_next(ctx->net, ctx->chain);
196 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
200 static int nft_delchain(struct nft_ctx *ctx)
204 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
209 nft_deactivate_next(ctx->net, ctx->chain);
214 /* either expr ops provide both activate/deactivate, or neither */
215 static bool nft_expr_check_ops(const struct nft_expr_ops *ops)
220 if (WARN_ON_ONCE((!ops->activate ^ !ops->deactivate)))
226 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
227 struct nft_rule *rule)
229 struct nft_expr *expr;
231 expr = nft_expr_first(rule);
232 while (expr != nft_expr_last(rule) && expr->ops) {
233 if (expr->ops->activate)
234 expr->ops->activate(ctx, expr);
236 expr = nft_expr_next(expr);
240 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
241 struct nft_rule *rule)
243 struct nft_expr *expr;
245 expr = nft_expr_first(rule);
246 while (expr != nft_expr_last(rule) && expr->ops) {
247 if (expr->ops->deactivate)
248 expr->ops->deactivate(ctx, expr);
250 expr = nft_expr_next(expr);
255 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
257 /* You cannot delete the same rule twice */
258 if (nft_is_active_next(ctx->net, rule)) {
259 nft_deactivate_next(ctx->net, rule);
266 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
267 struct nft_rule *rule)
269 struct nft_trans *trans;
271 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
275 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
276 nft_trans_rule_id(trans) =
277 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
279 nft_trans_rule(trans) = rule;
280 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
285 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
287 struct nft_trans *trans;
290 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
294 err = nf_tables_delrule_deactivate(ctx, rule);
296 nft_trans_destroy(trans);
299 nft_rule_expr_deactivate(ctx, rule);
304 static int nft_delrule_by_chain(struct nft_ctx *ctx)
306 struct nft_rule *rule;
309 list_for_each_entry(rule, &ctx->chain->rules, list) {
310 err = nft_delrule(ctx, rule);
317 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
320 struct nft_trans *trans;
322 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
326 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
327 nft_trans_set_id(trans) =
328 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
329 nft_activate_next(ctx->net, set);
331 nft_trans_set(trans) = set;
332 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
337 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
341 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
345 nft_deactivate_next(ctx->net, set);
351 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
352 struct nft_object *obj)
354 struct nft_trans *trans;
356 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
360 if (msg_type == NFT_MSG_NEWOBJ)
361 nft_activate_next(ctx->net, obj);
363 nft_trans_obj(trans) = obj;
364 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
369 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
373 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
377 nft_deactivate_next(ctx->net, obj);
383 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
384 struct nft_flowtable *flowtable)
386 struct nft_trans *trans;
388 trans = nft_trans_alloc(ctx, msg_type,
389 sizeof(struct nft_trans_flowtable));
393 if (msg_type == NFT_MSG_NEWFLOWTABLE)
394 nft_activate_next(ctx->net, flowtable);
396 nft_trans_flowtable(trans) = flowtable;
397 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
402 static int nft_delflowtable(struct nft_ctx *ctx,
403 struct nft_flowtable *flowtable)
407 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
411 nft_deactivate_next(ctx->net, flowtable);
421 static struct nft_table *nft_table_lookup(const struct net *net,
422 const struct nlattr *nla,
423 u8 family, u8 genmask)
425 struct nft_table *table;
428 return ERR_PTR(-EINVAL);
430 list_for_each_entry_rcu(table, &net->nft.tables, list) {
431 if (!nla_strcmp(nla, table->name) &&
432 table->family == family &&
433 nft_active_genmask(table, genmask))
437 return ERR_PTR(-ENOENT);
440 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
441 const struct nlattr *nla,
444 struct nft_table *table;
446 list_for_each_entry(table, &net->nft.tables, list) {
447 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
448 nft_active_genmask(table, genmask))
452 return ERR_PTR(-ENOENT);
455 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
457 return ++table->hgenerator;
460 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
462 static const struct nft_chain_type *
463 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
467 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
468 if (chain_type[family][i] != NULL &&
469 !nla_strcmp(nla, chain_type[family][i]->name))
470 return chain_type[family][i];
476 * Loading a module requires dropping mutex that guards the
478 * We first need to abort any pending transactions as once
479 * mutex is unlocked a different client could start a new
480 * transaction. It must not see any 'future generation'
481 * changes * as these changes will never happen.
483 #ifdef CONFIG_MODULES
484 static int __nf_tables_abort(struct net *net);
486 static void nft_request_module(struct net *net, const char *fmt, ...)
488 char module_name[MODULE_NAME_LEN];
492 __nf_tables_abort(net);
495 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
497 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
500 mutex_unlock(&net->nft.commit_mutex);
501 request_module("%s", module_name);
502 mutex_lock(&net->nft.commit_mutex);
506 static void lockdep_nfnl_nft_mutex_not_held(void)
508 #ifdef CONFIG_PROVE_LOCKING
509 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
513 static const struct nft_chain_type *
514 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
515 u8 family, bool autoload)
517 const struct nft_chain_type *type;
519 type = __nf_tables_chain_type_lookup(nla, family);
523 lockdep_nfnl_nft_mutex_not_held();
524 #ifdef CONFIG_MODULES
526 nft_request_module(net, "nft-chain-%u-%.*s", family,
527 nla_len(nla), (const char *)nla_data(nla));
528 type = __nf_tables_chain_type_lookup(nla, family);
530 return ERR_PTR(-EAGAIN);
533 return ERR_PTR(-ENOENT);
536 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
537 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
538 .len = NFT_TABLE_MAXNAMELEN - 1 },
539 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
540 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
543 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
544 u32 portid, u32 seq, int event, u32 flags,
545 int family, const struct nft_table *table)
547 struct nlmsghdr *nlh;
548 struct nfgenmsg *nfmsg;
550 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
551 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
553 goto nla_put_failure;
555 nfmsg = nlmsg_data(nlh);
556 nfmsg->nfgen_family = family;
557 nfmsg->version = NFNETLINK_V0;
558 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
560 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
561 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
562 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
563 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
565 goto nla_put_failure;
571 nlmsg_trim(skb, nlh);
575 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
581 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
584 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
588 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
589 event, 0, ctx->family, ctx->table);
595 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
596 ctx->report, GFP_KERNEL);
599 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
602 static int nf_tables_dump_tables(struct sk_buff *skb,
603 struct netlink_callback *cb)
605 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
606 const struct nft_table *table;
607 unsigned int idx = 0, s_idx = cb->args[0];
608 struct net *net = sock_net(skb->sk);
609 int family = nfmsg->nfgen_family;
612 cb->seq = net->nft.base_seq;
614 list_for_each_entry_rcu(table, &net->nft.tables, list) {
615 if (family != NFPROTO_UNSPEC && family != table->family)
621 memset(&cb->args[1], 0,
622 sizeof(cb->args) - sizeof(cb->args[0]));
623 if (!nft_is_active(net, table))
625 if (nf_tables_fill_table_info(skb, net,
626 NETLINK_CB(cb->skb).portid,
628 NFT_MSG_NEWTABLE, NLM_F_MULTI,
629 table->family, table) < 0)
632 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
642 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
643 const struct nlmsghdr *nlh,
644 struct netlink_dump_control *c)
648 if (!try_module_get(THIS_MODULE))
652 err = netlink_dump_start(nlsk, skb, nlh, c);
654 module_put(THIS_MODULE);
659 /* called with rcu_read_lock held */
660 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
661 struct sk_buff *skb, const struct nlmsghdr *nlh,
662 const struct nlattr * const nla[],
663 struct netlink_ext_ack *extack)
665 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
666 u8 genmask = nft_genmask_cur(net);
667 const struct nft_table *table;
668 struct sk_buff *skb2;
669 int family = nfmsg->nfgen_family;
672 if (nlh->nlmsg_flags & NLM_F_DUMP) {
673 struct netlink_dump_control c = {
674 .dump = nf_tables_dump_tables,
675 .module = THIS_MODULE,
678 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
681 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
683 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
684 return PTR_ERR(table);
687 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
691 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
692 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
697 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
704 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
706 struct nft_chain *chain;
709 list_for_each_entry(chain, &table->chains, list) {
710 if (!nft_is_active_next(net, chain))
712 if (!nft_is_base_chain(chain))
715 if (cnt && i++ == cnt)
718 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
722 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
724 struct nft_chain *chain;
727 list_for_each_entry(chain, &table->chains, list) {
728 if (!nft_is_active_next(net, chain))
730 if (!nft_is_base_chain(chain))
733 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
742 nft_table_disable(net, table, i);
746 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
748 nft_table_disable(net, table, 0);
751 static int nf_tables_updtable(struct nft_ctx *ctx)
753 struct nft_trans *trans;
757 if (!ctx->nla[NFTA_TABLE_FLAGS])
760 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
761 if (flags & ~NFT_TABLE_F_DORMANT)
764 if (flags == ctx->table->flags)
767 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
768 sizeof(struct nft_trans_table));
772 if ((flags & NFT_TABLE_F_DORMANT) &&
773 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
774 nft_trans_table_enable(trans) = false;
775 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
776 ctx->table->flags & NFT_TABLE_F_DORMANT) {
777 ret = nf_tables_table_enable(ctx->net, ctx->table);
779 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
780 nft_trans_table_enable(trans) = true;
786 nft_trans_table_update(trans) = true;
787 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
790 nft_trans_destroy(trans);
794 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
796 const char *name = data;
798 return jhash(name, strlen(name), seed);
801 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
803 const struct nft_chain *chain = data;
805 return nft_chain_hash(chain->name, 0, seed);
808 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
811 const struct nft_chain *chain = ptr;
812 const char *name = arg->key;
814 return strcmp(chain->name, name);
817 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
818 struct sk_buff *skb, const struct nlmsghdr *nlh,
819 const struct nlattr * const nla[],
820 struct netlink_ext_ack *extack)
822 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
823 u8 genmask = nft_genmask_next(net);
824 int family = nfmsg->nfgen_family;
825 const struct nlattr *attr;
826 struct nft_table *table;
831 lockdep_assert_held(&net->nft.commit_mutex);
832 attr = nla[NFTA_TABLE_NAME];
833 table = nft_table_lookup(net, attr, family, genmask);
835 if (PTR_ERR(table) != -ENOENT)
836 return PTR_ERR(table);
838 if (nlh->nlmsg_flags & NLM_F_EXCL) {
839 NL_SET_BAD_ATTR(extack, attr);
842 if (nlh->nlmsg_flags & NLM_F_REPLACE)
845 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
846 return nf_tables_updtable(&ctx);
849 if (nla[NFTA_TABLE_FLAGS]) {
850 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
851 if (flags & ~NFT_TABLE_F_DORMANT)
856 table = kzalloc(sizeof(*table), GFP_KERNEL);
860 table->name = nla_strdup(attr, GFP_KERNEL);
861 if (table->name == NULL)
864 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
868 INIT_LIST_HEAD(&table->chains);
869 INIT_LIST_HEAD(&table->sets);
870 INIT_LIST_HEAD(&table->objects);
871 INIT_LIST_HEAD(&table->flowtables);
872 table->family = family;
873 table->flags = flags;
874 table->handle = ++table_handle;
876 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
877 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
881 list_add_tail_rcu(&table->list, &net->nft.tables);
884 rhltable_destroy(&table->chains_ht);
893 static int nft_flush_table(struct nft_ctx *ctx)
895 struct nft_flowtable *flowtable, *nft;
896 struct nft_chain *chain, *nc;
897 struct nft_object *obj, *ne;
898 struct nft_set *set, *ns;
901 list_for_each_entry(chain, &ctx->table->chains, list) {
902 if (!nft_is_active_next(ctx->net, chain))
907 err = nft_delrule_by_chain(ctx);
912 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
913 if (!nft_is_active_next(ctx->net, set))
916 if (nft_set_is_anonymous(set) &&
917 !list_empty(&set->bindings))
920 err = nft_delset(ctx, set);
925 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
926 err = nft_delflowtable(ctx, flowtable);
931 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
932 err = nft_delobj(ctx, obj);
937 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
938 if (!nft_is_active_next(ctx->net, chain))
943 err = nft_delchain(ctx);
948 err = nft_deltable(ctx);
953 static int nft_flush(struct nft_ctx *ctx, int family)
955 struct nft_table *table, *nt;
956 const struct nlattr * const *nla = ctx->nla;
959 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
960 if (family != AF_UNSPEC && table->family != family)
963 ctx->family = table->family;
965 if (!nft_is_active_next(ctx->net, table))
968 if (nla[NFTA_TABLE_NAME] &&
969 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
974 err = nft_flush_table(ctx);
982 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
983 struct sk_buff *skb, const struct nlmsghdr *nlh,
984 const struct nlattr * const nla[],
985 struct netlink_ext_ack *extack)
987 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
988 u8 genmask = nft_genmask_next(net);
989 int family = nfmsg->nfgen_family;
990 const struct nlattr *attr;
991 struct nft_table *table;
994 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
995 if (family == AF_UNSPEC ||
996 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
997 return nft_flush(&ctx, family);
999 if (nla[NFTA_TABLE_HANDLE]) {
1000 attr = nla[NFTA_TABLE_HANDLE];
1001 table = nft_table_lookup_byhandle(net, attr, genmask);
1003 attr = nla[NFTA_TABLE_NAME];
1004 table = nft_table_lookup(net, attr, family, genmask);
1007 if (IS_ERR(table)) {
1008 NL_SET_BAD_ATTR(extack, attr);
1009 return PTR_ERR(table);
1012 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1016 ctx.family = family;
1019 return nft_flush_table(&ctx);
1022 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1024 if (WARN_ON(ctx->table->use > 0))
1027 rhltable_destroy(&ctx->table->chains_ht);
1028 kfree(ctx->table->name);
1032 void nft_register_chain_type(const struct nft_chain_type *ctype)
1034 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1037 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1038 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1039 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1042 chain_type[ctype->family][ctype->type] = ctype;
1043 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1045 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1047 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1049 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1050 chain_type[ctype->family][ctype->type] = NULL;
1051 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1053 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1059 static struct nft_chain *
1060 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1062 struct nft_chain *chain;
1064 list_for_each_entry(chain, &table->chains, list) {
1065 if (chain->handle == handle &&
1066 nft_active_genmask(chain, genmask))
1070 return ERR_PTR(-ENOENT);
1073 static bool lockdep_commit_lock_is_held(struct net *net)
1075 #ifdef CONFIG_PROVE_LOCKING
1076 return lockdep_is_held(&net->nft.commit_mutex);
1082 static struct nft_chain *nft_chain_lookup(struct net *net,
1083 struct nft_table *table,
1084 const struct nlattr *nla, u8 genmask)
1086 char search[NFT_CHAIN_MAXNAMELEN + 1];
1087 struct rhlist_head *tmp, *list;
1088 struct nft_chain *chain;
1091 return ERR_PTR(-EINVAL);
1093 nla_strlcpy(search, nla, sizeof(search));
1095 WARN_ON(!rcu_read_lock_held() &&
1096 !lockdep_commit_lock_is_held(net));
1098 chain = ERR_PTR(-ENOENT);
1100 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1104 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1105 if (nft_active_genmask(chain, genmask))
1108 chain = ERR_PTR(-ENOENT);
1114 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1115 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1116 .len = NFT_TABLE_MAXNAMELEN - 1 },
1117 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1118 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1119 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1120 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1121 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1122 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1123 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1126 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1127 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1128 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1129 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1130 .len = IFNAMSIZ - 1 },
1133 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1135 struct nft_stats *cpu_stats, total;
1136 struct nlattr *nest;
1141 memset(&total, 0, sizeof(total));
1142 for_each_possible_cpu(cpu) {
1143 cpu_stats = per_cpu_ptr(stats, cpu);
1145 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1146 pkts = cpu_stats->pkts;
1147 bytes = cpu_stats->bytes;
1148 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1150 total.bytes += bytes;
1152 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1154 goto nla_put_failure;
1156 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1157 NFTA_COUNTER_PAD) ||
1158 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1160 goto nla_put_failure;
1162 nla_nest_end(skb, nest);
1169 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1170 u32 portid, u32 seq, int event, u32 flags,
1171 int family, const struct nft_table *table,
1172 const struct nft_chain *chain)
1174 struct nlmsghdr *nlh;
1175 struct nfgenmsg *nfmsg;
1177 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1178 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1180 goto nla_put_failure;
1182 nfmsg = nlmsg_data(nlh);
1183 nfmsg->nfgen_family = family;
1184 nfmsg->version = NFNETLINK_V0;
1185 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1187 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1188 goto nla_put_failure;
1189 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1191 goto nla_put_failure;
1192 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1193 goto nla_put_failure;
1195 if (nft_is_base_chain(chain)) {
1196 const struct nft_base_chain *basechain = nft_base_chain(chain);
1197 const struct nf_hook_ops *ops = &basechain->ops;
1198 struct nlattr *nest;
1200 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1202 goto nla_put_failure;
1203 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1204 goto nla_put_failure;
1205 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1206 goto nla_put_failure;
1207 if (basechain->dev_name[0] &&
1208 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1209 goto nla_put_failure;
1210 nla_nest_end(skb, nest);
1212 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1213 htonl(basechain->policy)))
1214 goto nla_put_failure;
1216 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1217 goto nla_put_failure;
1219 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1220 goto nla_put_failure;
1223 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1224 goto nla_put_failure;
1226 nlmsg_end(skb, nlh);
1230 nlmsg_trim(skb, nlh);
1234 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1236 struct sk_buff *skb;
1240 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1243 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1247 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1248 event, 0, ctx->family, ctx->table,
1255 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1256 ctx->report, GFP_KERNEL);
1259 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1262 static int nf_tables_dump_chains(struct sk_buff *skb,
1263 struct netlink_callback *cb)
1265 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1266 const struct nft_table *table;
1267 const struct nft_chain *chain;
1268 unsigned int idx = 0, s_idx = cb->args[0];
1269 struct net *net = sock_net(skb->sk);
1270 int family = nfmsg->nfgen_family;
1273 cb->seq = net->nft.base_seq;
1275 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1276 if (family != NFPROTO_UNSPEC && family != table->family)
1279 list_for_each_entry_rcu(chain, &table->chains, list) {
1283 memset(&cb->args[1], 0,
1284 sizeof(cb->args) - sizeof(cb->args[0]));
1285 if (!nft_is_active(net, chain))
1287 if (nf_tables_fill_chain_info(skb, net,
1288 NETLINK_CB(cb->skb).portid,
1292 table->family, table,
1296 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1307 /* called with rcu_read_lock held */
1308 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1309 struct sk_buff *skb, const struct nlmsghdr *nlh,
1310 const struct nlattr * const nla[],
1311 struct netlink_ext_ack *extack)
1313 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1314 u8 genmask = nft_genmask_cur(net);
1315 const struct nft_chain *chain;
1316 struct nft_table *table;
1317 struct sk_buff *skb2;
1318 int family = nfmsg->nfgen_family;
1321 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1322 struct netlink_dump_control c = {
1323 .dump = nf_tables_dump_chains,
1324 .module = THIS_MODULE,
1327 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1330 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1331 if (IS_ERR(table)) {
1332 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1333 return PTR_ERR(table);
1336 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1337 if (IS_ERR(chain)) {
1338 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1339 return PTR_ERR(chain);
1342 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1346 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1347 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1348 family, table, chain);
1352 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1359 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1360 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1361 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1364 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1366 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1367 struct nft_stats __percpu *newstats;
1368 struct nft_stats *stats;
1371 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1374 return ERR_PTR(err);
1376 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1377 return ERR_PTR(-EINVAL);
1379 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1380 if (newstats == NULL)
1381 return ERR_PTR(-ENOMEM);
1383 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1384 * are not exposed to userspace.
1387 stats = this_cpu_ptr(newstats);
1388 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1389 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1395 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1396 struct nft_stats __percpu *newstats)
1398 struct nft_stats __percpu *oldstats;
1400 if (newstats == NULL)
1404 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1405 rcu_assign_pointer(chain->stats, newstats);
1407 free_percpu(oldstats);
1409 rcu_assign_pointer(chain->stats, newstats);
1410 static_branch_inc(&nft_counters_enabled);
1414 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1416 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1417 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1423 /* should be NULL either via abort or via successful commit */
1424 WARN_ON_ONCE(chain->rules_next);
1425 kvfree(chain->rules_next);
1428 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1430 struct nft_chain *chain = ctx->chain;
1432 if (WARN_ON(chain->use > 0))
1435 /* no concurrent access possible anymore */
1436 nf_tables_chain_free_chain_rules(chain);
1438 if (nft_is_base_chain(chain)) {
1439 struct nft_base_chain *basechain = nft_base_chain(chain);
1441 module_put(basechain->type->owner);
1442 free_percpu(basechain->stats);
1443 if (basechain->stats)
1444 static_branch_dec(&nft_counters_enabled);
1453 struct nft_chain_hook {
1456 const struct nft_chain_type *type;
1457 struct net_device *dev;
1460 static int nft_chain_parse_hook(struct net *net,
1461 const struct nlattr * const nla[],
1462 struct nft_chain_hook *hook, u8 family,
1465 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1466 const struct nft_chain_type *type;
1467 struct net_device *dev;
1470 lockdep_assert_held(&net->nft.commit_mutex);
1471 lockdep_nfnl_nft_mutex_not_held();
1473 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1474 nft_hook_policy, NULL);
1478 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1479 ha[NFTA_HOOK_PRIORITY] == NULL)
1482 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1483 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1485 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1486 if (nla[NFTA_CHAIN_TYPE]) {
1487 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1490 return PTR_ERR(type);
1492 if (!(type->hook_mask & (1 << hook->num)))
1495 if (type->type == NFT_CHAIN_T_NAT &&
1496 hook->priority <= NF_IP_PRI_CONNTRACK)
1499 if (!try_module_get(type->owner))
1505 if (family == NFPROTO_NETDEV) {
1506 char ifname[IFNAMSIZ];
1508 if (!ha[NFTA_HOOK_DEV]) {
1509 module_put(type->owner);
1513 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1514 dev = __dev_get_by_name(net, ifname);
1516 module_put(type->owner);
1520 } else if (ha[NFTA_HOOK_DEV]) {
1521 module_put(type->owner);
1528 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1530 module_put(hook->type->owner);
1533 struct nft_rules_old {
1535 struct nft_rule **start;
1538 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1541 if (alloc > INT_MAX)
1544 alloc += 1; /* NULL, ends rules */
1545 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1548 alloc *= sizeof(struct nft_rule *);
1549 alloc += sizeof(struct nft_rules_old);
1551 return kvmalloc(alloc, GFP_KERNEL);
1554 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1557 const struct nlattr * const *nla = ctx->nla;
1558 struct nft_table *table = ctx->table;
1559 struct nft_base_chain *basechain;
1560 struct nft_stats __percpu *stats;
1561 struct net *net = ctx->net;
1562 struct nft_chain *chain;
1563 struct nft_rule **rules;
1566 if (table->use == UINT_MAX)
1569 if (nla[NFTA_CHAIN_HOOK]) {
1570 struct nft_chain_hook hook;
1571 struct nf_hook_ops *ops;
1573 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1577 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1578 if (basechain == NULL) {
1579 nft_chain_release_hook(&hook);
1583 if (hook.dev != NULL)
1584 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1586 if (nla[NFTA_CHAIN_COUNTERS]) {
1587 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1588 if (IS_ERR(stats)) {
1589 nft_chain_release_hook(&hook);
1591 return PTR_ERR(stats);
1593 basechain->stats = stats;
1594 static_branch_inc(&nft_counters_enabled);
1597 basechain->type = hook.type;
1598 chain = &basechain->chain;
1600 ops = &basechain->ops;
1602 ops->hooknum = hook.num;
1603 ops->priority = hook.priority;
1605 ops->hook = hook.type->hooks[ops->hooknum];
1606 ops->dev = hook.dev;
1608 chain->flags |= NFT_BASE_CHAIN;
1609 basechain->policy = policy;
1611 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1617 INIT_LIST_HEAD(&chain->rules);
1618 chain->handle = nf_tables_alloc_handle(table);
1619 chain->table = table;
1620 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1626 rules = nf_tables_chain_alloc_rules(chain, 0);
1633 rcu_assign_pointer(chain->rules_gen_0, rules);
1634 rcu_assign_pointer(chain->rules_gen_1, rules);
1636 err = nf_tables_register_hook(net, table, chain);
1640 err = rhltable_insert_key(&table->chains_ht, chain->name,
1641 &chain->rhlhead, nft_chain_ht_params);
1645 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1647 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1648 nft_chain_ht_params);
1653 list_add_tail_rcu(&chain->list, &table->chains);
1657 nf_tables_unregister_hook(net, table, chain);
1659 nf_tables_chain_destroy(ctx);
1664 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
1666 const struct nlattr * const *nla = ctx->nla;
1667 struct nft_table *table = ctx->table;
1668 struct nft_chain *chain = ctx->chain;
1669 struct nft_base_chain *basechain;
1670 struct nft_stats *stats = NULL;
1671 struct nft_chain_hook hook;
1672 struct nf_hook_ops *ops;
1673 struct nft_trans *trans;
1676 if (nla[NFTA_CHAIN_HOOK]) {
1677 if (!nft_is_base_chain(chain))
1680 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1685 basechain = nft_base_chain(chain);
1686 if (basechain->type != hook.type) {
1687 nft_chain_release_hook(&hook);
1691 ops = &basechain->ops;
1692 if (ops->hooknum != hook.num ||
1693 ops->priority != hook.priority ||
1694 ops->dev != hook.dev) {
1695 nft_chain_release_hook(&hook);
1698 nft_chain_release_hook(&hook);
1701 if (nla[NFTA_CHAIN_HANDLE] &&
1702 nla[NFTA_CHAIN_NAME]) {
1703 struct nft_chain *chain2;
1705 chain2 = nft_chain_lookup(ctx->net, table,
1706 nla[NFTA_CHAIN_NAME], genmask);
1707 if (!IS_ERR(chain2))
1711 if (nla[NFTA_CHAIN_COUNTERS]) {
1712 if (!nft_is_base_chain(chain))
1715 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1717 return PTR_ERR(stats);
1721 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1722 sizeof(struct nft_trans_chain));
1726 nft_trans_chain_stats(trans) = stats;
1727 nft_trans_chain_update(trans) = true;
1729 if (nla[NFTA_CHAIN_POLICY])
1730 nft_trans_chain_policy(trans) = policy;
1732 nft_trans_chain_policy(trans) = -1;
1734 if (nla[NFTA_CHAIN_HANDLE] &&
1735 nla[NFTA_CHAIN_NAME]) {
1736 struct nft_trans *tmp;
1740 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1745 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1746 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1747 tmp->ctx.table == table &&
1748 nft_trans_chain_update(tmp) &&
1749 nft_trans_chain_name(tmp) &&
1750 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1756 nft_trans_chain_name(trans) = name;
1758 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1767 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1768 struct sk_buff *skb, const struct nlmsghdr *nlh,
1769 const struct nlattr * const nla[],
1770 struct netlink_ext_ack *extack)
1772 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1773 u8 genmask = nft_genmask_next(net);
1774 int family = nfmsg->nfgen_family;
1775 const struct nlattr *attr;
1776 struct nft_table *table;
1777 struct nft_chain *chain;
1778 u8 policy = NF_ACCEPT;
1782 lockdep_assert_held(&net->nft.commit_mutex);
1784 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1785 if (IS_ERR(table)) {
1786 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1787 return PTR_ERR(table);
1791 attr = nla[NFTA_CHAIN_NAME];
1793 if (nla[NFTA_CHAIN_HANDLE]) {
1794 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1795 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1796 if (IS_ERR(chain)) {
1797 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1798 return PTR_ERR(chain);
1800 attr = nla[NFTA_CHAIN_HANDLE];
1802 chain = nft_chain_lookup(net, table, attr, genmask);
1803 if (IS_ERR(chain)) {
1804 if (PTR_ERR(chain) != -ENOENT) {
1805 NL_SET_BAD_ATTR(extack, attr);
1806 return PTR_ERR(chain);
1812 if (nla[NFTA_CHAIN_POLICY]) {
1813 if (chain != NULL &&
1814 !nft_is_base_chain(chain)) {
1815 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1819 if (chain == NULL &&
1820 nla[NFTA_CHAIN_HOOK] == NULL) {
1821 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1825 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1835 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1837 if (chain != NULL) {
1838 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1839 NL_SET_BAD_ATTR(extack, attr);
1842 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1845 return nf_tables_updchain(&ctx, genmask, policy);
1848 return nf_tables_addchain(&ctx, family, genmask, policy);
1851 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1852 struct sk_buff *skb, const struct nlmsghdr *nlh,
1853 const struct nlattr * const nla[],
1854 struct netlink_ext_ack *extack)
1856 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1857 u8 genmask = nft_genmask_next(net);
1858 int family = nfmsg->nfgen_family;
1859 const struct nlattr *attr;
1860 struct nft_table *table;
1861 struct nft_chain *chain;
1862 struct nft_rule *rule;
1868 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1869 if (IS_ERR(table)) {
1870 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1871 return PTR_ERR(table);
1874 if (nla[NFTA_CHAIN_HANDLE]) {
1875 attr = nla[NFTA_CHAIN_HANDLE];
1876 handle = be64_to_cpu(nla_get_be64(attr));
1877 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1879 attr = nla[NFTA_CHAIN_NAME];
1880 chain = nft_chain_lookup(net, table, attr, genmask);
1882 if (IS_ERR(chain)) {
1883 NL_SET_BAD_ATTR(extack, attr);
1884 return PTR_ERR(chain);
1887 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1891 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1894 list_for_each_entry(rule, &chain->rules, list) {
1895 if (!nft_is_active_next(net, rule))
1899 err = nft_delrule(&ctx, rule);
1904 /* There are rules and elements that are still holding references to us,
1905 * we cannot do a recursive removal in this case.
1908 NL_SET_BAD_ATTR(extack, attr);
1912 return nft_delchain(&ctx);
1920 * nft_register_expr - register nf_tables expr type
1923 * Registers the expr type for use with nf_tables. Returns zero on
1924 * success or a negative errno code otherwise.
1926 int nft_register_expr(struct nft_expr_type *type)
1928 if (!nft_expr_check_ops(type->ops))
1931 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1932 if (type->family == NFPROTO_UNSPEC)
1933 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1935 list_add_rcu(&type->list, &nf_tables_expressions);
1936 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1939 EXPORT_SYMBOL_GPL(nft_register_expr);
1942 * nft_unregister_expr - unregister nf_tables expr type
1945 * Unregisters the expr typefor use with nf_tables.
1947 void nft_unregister_expr(struct nft_expr_type *type)
1949 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1950 list_del_rcu(&type->list);
1951 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1953 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1955 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1958 const struct nft_expr_type *type;
1960 list_for_each_entry(type, &nf_tables_expressions, list) {
1961 if (!nla_strcmp(nla, type->name) &&
1962 (!type->family || type->family == family))
1968 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
1972 const struct nft_expr_type *type;
1975 return ERR_PTR(-EINVAL);
1977 type = __nft_expr_type_get(family, nla);
1978 if (type != NULL && try_module_get(type->owner))
1981 lockdep_nfnl_nft_mutex_not_held();
1982 #ifdef CONFIG_MODULES
1984 nft_request_module(net, "nft-expr-%u-%.*s", family,
1985 nla_len(nla), (char *)nla_data(nla));
1986 if (__nft_expr_type_get(family, nla))
1987 return ERR_PTR(-EAGAIN);
1989 nft_request_module(net, "nft-expr-%.*s",
1990 nla_len(nla), (char *)nla_data(nla));
1991 if (__nft_expr_type_get(family, nla))
1992 return ERR_PTR(-EAGAIN);
1995 return ERR_PTR(-ENOENT);
1998 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1999 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2000 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2003 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2004 const struct nft_expr *expr)
2006 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2007 goto nla_put_failure;
2009 if (expr->ops->dump) {
2010 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
2012 goto nla_put_failure;
2013 if (expr->ops->dump(skb, expr) < 0)
2014 goto nla_put_failure;
2015 nla_nest_end(skb, data);
2024 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2025 const struct nft_expr *expr)
2027 struct nlattr *nest;
2029 nest = nla_nest_start(skb, attr);
2031 goto nla_put_failure;
2032 if (nf_tables_fill_expr_info(skb, expr) < 0)
2033 goto nla_put_failure;
2034 nla_nest_end(skb, nest);
2041 struct nft_expr_info {
2042 const struct nft_expr_ops *ops;
2043 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2046 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2047 const struct nlattr *nla,
2048 struct nft_expr_info *info)
2050 const struct nft_expr_type *type;
2051 const struct nft_expr_ops *ops;
2052 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2055 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
2059 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2061 return PTR_ERR(type);
2063 if (tb[NFTA_EXPR_DATA]) {
2064 err = nla_parse_nested(info->tb, type->maxattr,
2065 tb[NFTA_EXPR_DATA], type->policy, NULL);
2069 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2071 if (type->select_ops != NULL) {
2072 ops = type->select_ops(ctx,
2073 (const struct nlattr * const *)info->tb);
2078 if (!nft_expr_check_ops(ops)) {
2089 module_put(type->owner);
2093 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2094 const struct nft_expr_info *info,
2095 struct nft_expr *expr)
2097 const struct nft_expr_ops *ops = info->ops;
2102 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2113 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2114 struct nft_expr *expr)
2116 if (expr->ops->destroy)
2117 expr->ops->destroy(ctx, expr);
2118 module_put(expr->ops->type->owner);
2121 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2122 const struct nlattr *nla)
2124 struct nft_expr_info info;
2125 struct nft_expr *expr;
2128 err = nf_tables_expr_parse(ctx, nla, &info);
2133 expr = kzalloc(info.ops->size, GFP_KERNEL);
2137 err = nf_tables_newexpr(ctx, &info, expr);
2145 module_put(info.ops->type->owner);
2147 return ERR_PTR(err);
2150 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2152 nf_tables_expr_destroy(ctx, expr);
2160 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2163 struct nft_rule *rule;
2165 // FIXME: this sucks
2166 list_for_each_entry_rcu(rule, &chain->rules, list) {
2167 if (handle == rule->handle)
2171 return ERR_PTR(-ENOENT);
2174 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2175 const struct nlattr *nla)
2178 return ERR_PTR(-EINVAL);
2180 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2183 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2184 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2185 .len = NFT_TABLE_MAXNAMELEN - 1 },
2186 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2187 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2188 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2189 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2190 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2191 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2192 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2193 .len = NFT_USERDATA_MAXLEN },
2194 [NFTA_RULE_ID] = { .type = NLA_U32 },
2197 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2198 u32 portid, u32 seq, int event,
2199 u32 flags, int family,
2200 const struct nft_table *table,
2201 const struct nft_chain *chain,
2202 const struct nft_rule *rule)
2204 struct nlmsghdr *nlh;
2205 struct nfgenmsg *nfmsg;
2206 const struct nft_expr *expr, *next;
2207 struct nlattr *list;
2208 const struct nft_rule *prule;
2209 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2211 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2213 goto nla_put_failure;
2215 nfmsg = nlmsg_data(nlh);
2216 nfmsg->nfgen_family = family;
2217 nfmsg->version = NFNETLINK_V0;
2218 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2220 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2221 goto nla_put_failure;
2222 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2223 goto nla_put_failure;
2224 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2226 goto nla_put_failure;
2228 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2229 prule = list_prev_entry(rule, list);
2230 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2231 cpu_to_be64(prule->handle),
2233 goto nla_put_failure;
2236 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2238 goto nla_put_failure;
2239 nft_rule_for_each_expr(expr, next, rule) {
2240 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2241 goto nla_put_failure;
2243 nla_nest_end(skb, list);
2246 struct nft_userdata *udata = nft_userdata(rule);
2247 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2249 goto nla_put_failure;
2252 nlmsg_end(skb, nlh);
2256 nlmsg_trim(skb, nlh);
2260 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2261 const struct nft_rule *rule, int event)
2263 struct sk_buff *skb;
2267 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2270 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2274 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2275 event, 0, ctx->family, ctx->table,
2282 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2283 ctx->report, GFP_KERNEL);
2286 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2289 struct nft_rule_dump_ctx {
2294 static int __nf_tables_dump_rules(struct sk_buff *skb,
2296 struct netlink_callback *cb,
2297 const struct nft_table *table,
2298 const struct nft_chain *chain)
2300 struct net *net = sock_net(skb->sk);
2301 unsigned int s_idx = cb->args[0];
2302 const struct nft_rule *rule;
2305 list_for_each_entry_rcu(rule, &chain->rules, list) {
2306 if (!nft_is_active(net, rule))
2311 memset(&cb->args[1], 0,
2312 sizeof(cb->args) - sizeof(cb->args[0]));
2314 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2317 NLM_F_MULTI | NLM_F_APPEND,
2319 table, chain, rule) < 0)
2320 goto out_unfinished;
2322 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2332 static int nf_tables_dump_rules(struct sk_buff *skb,
2333 struct netlink_callback *cb)
2335 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2336 const struct nft_rule_dump_ctx *ctx = cb->data;
2337 struct nft_table *table;
2338 const struct nft_chain *chain;
2339 unsigned int idx = 0;
2340 struct net *net = sock_net(skb->sk);
2341 int family = nfmsg->nfgen_family;
2344 cb->seq = net->nft.base_seq;
2346 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2347 if (family != NFPROTO_UNSPEC && family != table->family)
2350 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2353 if (ctx && ctx->chain) {
2354 struct rhlist_head *list, *tmp;
2356 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2357 nft_chain_ht_params);
2361 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2362 if (!nft_is_active(net, chain))
2364 __nf_tables_dump_rules(skb, &idx,
2371 list_for_each_entry_rcu(chain, &table->chains, list) {
2372 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2376 if (ctx && ctx->table)
2384 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2386 const struct nlattr * const *nla = cb->data;
2387 struct nft_rule_dump_ctx *ctx = NULL;
2389 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2390 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2394 if (nla[NFTA_RULE_TABLE]) {
2395 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2402 if (nla[NFTA_RULE_CHAIN]) {
2403 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2417 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2419 struct nft_rule_dump_ctx *ctx = cb->data;
2429 /* called with rcu_read_lock held */
2430 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2431 struct sk_buff *skb, const struct nlmsghdr *nlh,
2432 const struct nlattr * const nla[],
2433 struct netlink_ext_ack *extack)
2435 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2436 u8 genmask = nft_genmask_cur(net);
2437 const struct nft_chain *chain;
2438 const struct nft_rule *rule;
2439 struct nft_table *table;
2440 struct sk_buff *skb2;
2441 int family = nfmsg->nfgen_family;
2444 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2445 struct netlink_dump_control c = {
2446 .start= nf_tables_dump_rules_start,
2447 .dump = nf_tables_dump_rules,
2448 .done = nf_tables_dump_rules_done,
2449 .module = THIS_MODULE,
2450 .data = (void *)nla,
2453 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2456 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2457 if (IS_ERR(table)) {
2458 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2459 return PTR_ERR(table);
2462 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2463 if (IS_ERR(chain)) {
2464 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2465 return PTR_ERR(chain);
2468 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2470 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2471 return PTR_ERR(rule);
2474 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2478 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2479 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2480 family, table, chain, rule);
2484 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2491 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2492 struct nft_rule *rule)
2494 struct nft_expr *expr;
2497 * Careful: some expressions might not be initialized in case this
2498 * is called on error from nf_tables_newrule().
2500 expr = nft_expr_first(rule);
2501 while (expr != nft_expr_last(rule) && expr->ops) {
2502 nf_tables_expr_destroy(ctx, expr);
2503 expr = nft_expr_next(expr);
2508 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2509 struct nft_rule *rule)
2511 nft_rule_expr_deactivate(ctx, rule);
2512 nf_tables_rule_destroy(ctx, rule);
2515 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2517 struct nft_expr *expr, *last;
2518 const struct nft_data *data;
2519 struct nft_rule *rule;
2522 if (ctx->level == NFT_JUMP_STACK_SIZE)
2525 list_for_each_entry(rule, &chain->rules, list) {
2526 if (!nft_is_active_next(ctx->net, rule))
2529 nft_rule_for_each_expr(expr, last, rule) {
2530 if (!expr->ops->validate)
2533 err = expr->ops->validate(ctx, expr, &data);
2541 EXPORT_SYMBOL_GPL(nft_chain_validate);
2543 static int nft_table_validate(struct net *net, const struct nft_table *table)
2545 struct nft_chain *chain;
2546 struct nft_ctx ctx = {
2548 .family = table->family,
2552 list_for_each_entry(chain, &table->chains, list) {
2553 if (!nft_is_base_chain(chain))
2557 err = nft_chain_validate(&ctx, chain);
2565 #define NFT_RULE_MAXEXPRS 128
2567 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2568 struct sk_buff *skb, const struct nlmsghdr *nlh,
2569 const struct nlattr * const nla[],
2570 struct netlink_ext_ack *extack)
2572 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2573 u8 genmask = nft_genmask_next(net);
2574 struct nft_expr_info *info = NULL;
2575 int family = nfmsg->nfgen_family;
2576 struct nft_table *table;
2577 struct nft_chain *chain;
2578 struct nft_rule *rule, *old_rule = NULL;
2579 struct nft_userdata *udata;
2580 struct nft_trans *trans = NULL;
2581 struct nft_expr *expr;
2584 unsigned int size, i, n, ulen = 0, usize = 0;
2586 u64 handle, pos_handle;
2588 lockdep_assert_held(&net->nft.commit_mutex);
2590 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2591 if (IS_ERR(table)) {
2592 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2593 return PTR_ERR(table);
2596 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2597 if (IS_ERR(chain)) {
2598 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2599 return PTR_ERR(chain);
2602 if (nla[NFTA_RULE_HANDLE]) {
2603 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2604 rule = __nft_rule_lookup(chain, handle);
2606 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2607 return PTR_ERR(rule);
2610 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2611 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2614 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2619 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2620 nlh->nlmsg_flags & NLM_F_REPLACE)
2622 handle = nf_tables_alloc_handle(table);
2624 if (chain->use == UINT_MAX)
2628 if (nla[NFTA_RULE_POSITION]) {
2629 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2632 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2633 old_rule = __nft_rule_lookup(chain, pos_handle);
2634 if (IS_ERR(old_rule)) {
2635 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2636 return PTR_ERR(old_rule);
2640 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2644 if (nla[NFTA_RULE_EXPRESSIONS]) {
2645 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2646 sizeof(struct nft_expr_info),
2651 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2653 if (nla_type(tmp) != NFTA_LIST_ELEM)
2655 if (n == NFT_RULE_MAXEXPRS)
2657 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2660 size += info[n].ops->size;
2664 /* Check for overflow of dlen field */
2666 if (size >= 1 << 12)
2669 if (nla[NFTA_RULE_USERDATA]) {
2670 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2672 usize = sizeof(struct nft_userdata) + ulen;
2676 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2680 nft_activate_next(net, rule);
2682 rule->handle = handle;
2684 rule->udata = ulen ? 1 : 0;
2687 udata = nft_userdata(rule);
2688 udata->len = ulen - 1;
2689 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2692 expr = nft_expr_first(rule);
2693 for (i = 0; i < n; i++) {
2694 err = nf_tables_newexpr(&ctx, &info[i], expr);
2698 if (info[i].ops->validate)
2699 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2702 expr = nft_expr_next(expr);
2705 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2706 if (!nft_is_active_next(net, old_rule)) {
2710 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2712 if (trans == NULL) {
2716 nft_deactivate_next(net, old_rule);
2719 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2724 list_add_tail_rcu(&rule->list, &old_rule->list);
2726 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2731 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2733 list_add_rcu(&rule->list, &old_rule->list);
2735 list_add_tail_rcu(&rule->list, &chain->rules);
2738 list_add_tail_rcu(&rule->list, &old_rule->list);
2740 list_add_rcu(&rule->list, &chain->rules);
2746 if (net->nft.validate_state == NFT_VALIDATE_DO)
2747 return nft_table_validate(net, table);
2751 nf_tables_rule_release(&ctx, rule);
2753 for (i = 0; i < n; i++) {
2754 if (info[i].ops != NULL)
2755 module_put(info[i].ops->type->owner);
2761 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2762 const struct nlattr *nla)
2764 u32 id = ntohl(nla_get_be32(nla));
2765 struct nft_trans *trans;
2767 list_for_each_entry(trans, &net->nft.commit_list, list) {
2768 struct nft_rule *rule = nft_trans_rule(trans);
2770 if (trans->msg_type == NFT_MSG_NEWRULE &&
2771 id == nft_trans_rule_id(trans))
2774 return ERR_PTR(-ENOENT);
2777 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2778 struct sk_buff *skb, const struct nlmsghdr *nlh,
2779 const struct nlattr * const nla[],
2780 struct netlink_ext_ack *extack)
2782 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2783 u8 genmask = nft_genmask_next(net);
2784 struct nft_table *table;
2785 struct nft_chain *chain = NULL;
2786 struct nft_rule *rule;
2787 int family = nfmsg->nfgen_family, err = 0;
2790 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2791 if (IS_ERR(table)) {
2792 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2793 return PTR_ERR(table);
2796 if (nla[NFTA_RULE_CHAIN]) {
2797 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2799 if (IS_ERR(chain)) {
2800 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2801 return PTR_ERR(chain);
2805 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2808 if (nla[NFTA_RULE_HANDLE]) {
2809 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2811 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2812 return PTR_ERR(rule);
2815 err = nft_delrule(&ctx, rule);
2816 } else if (nla[NFTA_RULE_ID]) {
2817 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2819 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2820 return PTR_ERR(rule);
2823 err = nft_delrule(&ctx, rule);
2825 err = nft_delrule_by_chain(&ctx);
2828 list_for_each_entry(chain, &table->chains, list) {
2829 if (!nft_is_active_next(net, chain))
2833 err = nft_delrule_by_chain(&ctx);
2846 static LIST_HEAD(nf_tables_set_types);
2848 int nft_register_set(struct nft_set_type *type)
2850 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2851 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2852 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2855 EXPORT_SYMBOL_GPL(nft_register_set);
2857 void nft_unregister_set(struct nft_set_type *type)
2859 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2860 list_del_rcu(&type->list);
2861 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2863 EXPORT_SYMBOL_GPL(nft_unregister_set);
2865 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2866 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2869 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2871 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2875 * Select a set implementation based on the data characteristics and the
2876 * given policy. The total memory use might not be known if no size is
2877 * given, in that case the amount of memory per element is used.
2879 static const struct nft_set_ops *
2880 nft_select_set_ops(const struct nft_ctx *ctx,
2881 const struct nlattr * const nla[],
2882 const struct nft_set_desc *desc,
2883 enum nft_set_policies policy)
2885 const struct nft_set_ops *ops, *bops;
2886 struct nft_set_estimate est, best;
2887 const struct nft_set_type *type;
2890 lockdep_assert_held(&ctx->net->nft.commit_mutex);
2891 lockdep_nfnl_nft_mutex_not_held();
2892 #ifdef CONFIG_MODULES
2893 if (list_empty(&nf_tables_set_types)) {
2894 nft_request_module(ctx->net, "nft-set");
2895 if (!list_empty(&nf_tables_set_types))
2896 return ERR_PTR(-EAGAIN);
2899 if (nla[NFTA_SET_FLAGS] != NULL)
2900 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2907 list_for_each_entry(type, &nf_tables_set_types, list) {
2910 if (!nft_set_ops_candidate(type, flags))
2912 if (!ops->estimate(desc, flags, &est))
2916 case NFT_SET_POL_PERFORMANCE:
2917 if (est.lookup < best.lookup)
2919 if (est.lookup == best.lookup &&
2920 est.space < best.space)
2923 case NFT_SET_POL_MEMORY:
2925 if (est.space < best.space)
2927 if (est.space == best.space &&
2928 est.lookup < best.lookup)
2930 } else if (est.size < best.size || !bops) {
2938 if (!try_module_get(type->owner))
2941 module_put(to_set_type(bops)->owner);
2950 return ERR_PTR(-EOPNOTSUPP);
2953 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2954 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2955 .len = NFT_TABLE_MAXNAMELEN - 1 },
2956 [NFTA_SET_NAME] = { .type = NLA_STRING,
2957 .len = NFT_SET_MAXNAMELEN - 1 },
2958 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2959 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2960 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2961 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2962 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2963 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2964 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2965 [NFTA_SET_ID] = { .type = NLA_U32 },
2966 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2967 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2968 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2969 .len = NFT_USERDATA_MAXLEN },
2970 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2971 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2974 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2975 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2978 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2979 const struct sk_buff *skb,
2980 const struct nlmsghdr *nlh,
2981 const struct nlattr * const nla[],
2982 struct netlink_ext_ack *extack,
2985 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2986 int family = nfmsg->nfgen_family;
2987 struct nft_table *table = NULL;
2989 if (nla[NFTA_SET_TABLE] != NULL) {
2990 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
2992 if (IS_ERR(table)) {
2993 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
2994 return PTR_ERR(table);
2998 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3002 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3003 const struct nlattr *nla, u8 genmask)
3005 struct nft_set *set;
3008 return ERR_PTR(-EINVAL);
3010 list_for_each_entry_rcu(set, &table->sets, list) {
3011 if (!nla_strcmp(nla, set->name) &&
3012 nft_active_genmask(set, genmask))
3015 return ERR_PTR(-ENOENT);
3018 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3019 const struct nlattr *nla,
3022 struct nft_set *set;
3024 list_for_each_entry(set, &table->sets, list) {
3025 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3026 nft_active_genmask(set, genmask))
3029 return ERR_PTR(-ENOENT);
3032 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3033 const struct nlattr *nla, u8 genmask)
3035 struct nft_trans *trans;
3036 u32 id = ntohl(nla_get_be32(nla));
3038 list_for_each_entry(trans, &net->nft.commit_list, list) {
3039 if (trans->msg_type == NFT_MSG_NEWSET) {
3040 struct nft_set *set = nft_trans_set(trans);
3042 if (id == nft_trans_set_id(trans) &&
3043 nft_active_genmask(set, genmask))
3047 return ERR_PTR(-ENOENT);
3050 struct nft_set *nft_set_lookup_global(const struct net *net,
3051 const struct nft_table *table,
3052 const struct nlattr *nla_set_name,
3053 const struct nlattr *nla_set_id,
3056 struct nft_set *set;
3058 set = nft_set_lookup(table, nla_set_name, genmask);
3063 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3067 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3069 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3072 const struct nft_set *i;
3074 unsigned long *inuse;
3075 unsigned int n = 0, min = 0;
3077 p = strchr(name, '%');
3079 if (p[1] != 'd' || strchr(p + 2, '%'))
3082 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3086 list_for_each_entry(i, &ctx->table->sets, list) {
3089 if (!nft_is_active_next(ctx->net, set))
3091 if (!sscanf(i->name, name, &tmp))
3093 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3096 set_bit(tmp - min, inuse);
3099 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3100 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3101 min += BITS_PER_BYTE * PAGE_SIZE;
3102 memset(inuse, 0, PAGE_SIZE);
3105 free_page((unsigned long)inuse);
3108 set->name = kasprintf(GFP_KERNEL, name, min + n);
3112 list_for_each_entry(i, &ctx->table->sets, list) {
3113 if (!nft_is_active_next(ctx->net, i))
3115 if (!strcmp(set->name, i->name)) {
3123 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3125 u64 ms = be64_to_cpu(nla_get_be64(nla));
3126 u64 max = (u64)(~((u64)0));
3128 max = div_u64(max, NSEC_PER_MSEC);
3132 ms *= NSEC_PER_MSEC;
3133 *result = nsecs_to_jiffies64(ms);
3137 static __be64 nf_jiffies64_to_msecs(u64 input)
3139 u64 ms = jiffies64_to_nsecs(input);
3141 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
3144 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3145 const struct nft_set *set, u16 event, u16 flags)
3147 struct nfgenmsg *nfmsg;
3148 struct nlmsghdr *nlh;
3149 struct nlattr *desc;
3150 u32 portid = ctx->portid;
3153 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3154 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3157 goto nla_put_failure;
3159 nfmsg = nlmsg_data(nlh);
3160 nfmsg->nfgen_family = ctx->family;
3161 nfmsg->version = NFNETLINK_V0;
3162 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3164 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3165 goto nla_put_failure;
3166 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3167 goto nla_put_failure;
3168 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3170 goto nla_put_failure;
3171 if (set->flags != 0)
3172 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3173 goto nla_put_failure;
3175 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3176 goto nla_put_failure;
3177 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3178 goto nla_put_failure;
3179 if (set->flags & NFT_SET_MAP) {
3180 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3181 goto nla_put_failure;
3182 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3183 goto nla_put_failure;
3185 if (set->flags & NFT_SET_OBJECT &&
3186 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3187 goto nla_put_failure;
3190 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3191 nf_jiffies64_to_msecs(set->timeout),
3193 goto nla_put_failure;
3195 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3196 goto nla_put_failure;
3198 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3199 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3200 goto nla_put_failure;
3203 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3204 goto nla_put_failure;
3206 desc = nla_nest_start(skb, NFTA_SET_DESC);
3208 goto nla_put_failure;
3210 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3211 goto nla_put_failure;
3212 nla_nest_end(skb, desc);
3214 nlmsg_end(skb, nlh);
3218 nlmsg_trim(skb, nlh);
3222 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3223 const struct nft_set *set, int event,
3226 struct sk_buff *skb;
3227 u32 portid = ctx->portid;
3231 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3234 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3238 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3244 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3248 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3251 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3253 const struct nft_set *set;
3254 unsigned int idx, s_idx = cb->args[0];
3255 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3256 struct net *net = sock_net(skb->sk);
3257 struct nft_ctx *ctx = cb->data, ctx_set;
3263 cb->seq = net->nft.base_seq;
3265 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3266 if (ctx->family != NFPROTO_UNSPEC &&
3267 ctx->family != table->family)
3270 if (ctx->table && ctx->table != table)
3274 if (cur_table != table)
3280 list_for_each_entry_rcu(set, &table->sets, list) {
3283 if (!nft_is_active(net, set))
3287 ctx_set.table = table;
3288 ctx_set.family = table->family;
3290 if (nf_tables_fill_set(skb, &ctx_set, set,
3294 cb->args[2] = (unsigned long) table;
3297 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3310 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3312 struct nft_ctx *ctx_dump = NULL;
3314 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3315 if (ctx_dump == NULL)
3318 cb->data = ctx_dump;
3322 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3328 /* called with rcu_read_lock held */
3329 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3330 struct sk_buff *skb, const struct nlmsghdr *nlh,
3331 const struct nlattr * const nla[],
3332 struct netlink_ext_ack *extack)
3334 u8 genmask = nft_genmask_cur(net);
3335 const struct nft_set *set;
3337 struct sk_buff *skb2;
3338 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3341 /* Verify existence before starting dump */
3342 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3347 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3348 struct netlink_dump_control c = {
3349 .start = nf_tables_dump_sets_start,
3350 .dump = nf_tables_dump_sets,
3351 .done = nf_tables_dump_sets_done,
3353 .module = THIS_MODULE,
3356 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3359 /* Only accept unspec with dump */
3360 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3361 return -EAFNOSUPPORT;
3362 if (!nla[NFTA_SET_TABLE])
3365 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3367 return PTR_ERR(set);
3369 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3373 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3377 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3384 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3385 struct nft_set_desc *desc,
3386 const struct nlattr *nla)
3388 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3391 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3392 nft_set_desc_policy, NULL);
3396 if (da[NFTA_SET_DESC_SIZE] != NULL)
3397 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3402 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3403 struct sk_buff *skb, const struct nlmsghdr *nlh,
3404 const struct nlattr * const nla[],
3405 struct netlink_ext_ack *extack)
3407 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3408 u8 genmask = nft_genmask_next(net);
3409 int family = nfmsg->nfgen_family;
3410 const struct nft_set_ops *ops;
3411 struct nft_table *table;
3412 struct nft_set *set;
3417 u32 ktype, dtype, flags, policy, gc_int, objtype;
3418 struct nft_set_desc desc;
3419 unsigned char *udata;
3423 if (nla[NFTA_SET_TABLE] == NULL ||
3424 nla[NFTA_SET_NAME] == NULL ||
3425 nla[NFTA_SET_KEY_LEN] == NULL ||
3426 nla[NFTA_SET_ID] == NULL)
3429 memset(&desc, 0, sizeof(desc));
3431 ktype = NFT_DATA_VALUE;
3432 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3433 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3434 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3438 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3439 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3443 if (nla[NFTA_SET_FLAGS] != NULL) {
3444 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3445 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3446 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3447 NFT_SET_MAP | NFT_SET_EVAL |
3450 /* Only one of these operations is supported */
3451 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3452 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3457 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3458 if (!(flags & NFT_SET_MAP))
3461 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3462 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3463 dtype != NFT_DATA_VERDICT)
3466 if (dtype != NFT_DATA_VERDICT) {
3467 if (nla[NFTA_SET_DATA_LEN] == NULL)
3469 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3470 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3473 desc.dlen = sizeof(struct nft_verdict);
3474 } else if (flags & NFT_SET_MAP)
3477 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3478 if (!(flags & NFT_SET_OBJECT))
3481 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3482 if (objtype == NFT_OBJECT_UNSPEC ||
3483 objtype > NFT_OBJECT_MAX)
3485 } else if (flags & NFT_SET_OBJECT)
3488 objtype = NFT_OBJECT_UNSPEC;
3491 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3492 if (!(flags & NFT_SET_TIMEOUT))
3495 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3500 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3501 if (!(flags & NFT_SET_TIMEOUT))
3503 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3506 policy = NFT_SET_POL_PERFORMANCE;
3507 if (nla[NFTA_SET_POLICY] != NULL)
3508 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3510 if (nla[NFTA_SET_DESC] != NULL) {
3511 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3516 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3517 if (IS_ERR(table)) {
3518 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3519 return PTR_ERR(table);
3522 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3524 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3526 if (PTR_ERR(set) != -ENOENT) {
3527 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3528 return PTR_ERR(set);
3531 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3532 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3535 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3541 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3544 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3546 return PTR_ERR(ops);
3549 if (nla[NFTA_SET_USERDATA])
3550 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3553 if (ops->privsize != NULL)
3554 size = ops->privsize(nla, &desc);
3556 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3562 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3568 err = nf_tables_set_alloc_name(&ctx, set, name);
3575 udata = set->data + size;
3576 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3579 INIT_LIST_HEAD(&set->bindings);
3581 write_pnet(&set->net, net);
3584 set->klen = desc.klen;
3586 set->objtype = objtype;
3587 set->dlen = desc.dlen;
3589 set->size = desc.size;
3590 set->policy = policy;
3593 set->timeout = timeout;
3594 set->gc_int = gc_int;
3595 set->handle = nf_tables_alloc_handle(table);
3597 err = ops->init(set, &desc, nla);
3601 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3605 list_add_tail_rcu(&set->list, &table->sets);
3616 module_put(to_set_type(ops)->owner);
3620 static void nft_set_destroy(struct nft_set *set)
3622 set->ops->destroy(set);
3623 module_put(to_set_type(set->ops)->owner);
3628 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3629 struct sk_buff *skb, const struct nlmsghdr *nlh,
3630 const struct nlattr * const nla[],
3631 struct netlink_ext_ack *extack)
3633 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3634 u8 genmask = nft_genmask_next(net);
3635 const struct nlattr *attr;
3636 struct nft_set *set;
3640 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3641 return -EAFNOSUPPORT;
3642 if (nla[NFTA_SET_TABLE] == NULL)
3645 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3650 if (nla[NFTA_SET_HANDLE]) {
3651 attr = nla[NFTA_SET_HANDLE];
3652 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3654 attr = nla[NFTA_SET_NAME];
3655 set = nft_set_lookup(ctx.table, attr, genmask);
3659 NL_SET_BAD_ATTR(extack, attr);
3660 return PTR_ERR(set);
3662 if (!list_empty(&set->bindings) ||
3663 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3664 NL_SET_BAD_ATTR(extack, attr);
3668 return nft_delset(&ctx, set);
3671 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3672 struct nft_set *set,
3673 const struct nft_set_iter *iter,
3674 struct nft_set_elem *elem)
3676 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3677 enum nft_registers dreg;
3679 dreg = nft_type_to_reg(set->dtype);
3680 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3681 set->dtype == NFT_DATA_VERDICT ?
3682 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3686 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3687 struct nft_set_binding *binding)
3689 struct nft_set_binding *i;
3690 struct nft_set_iter iter;
3692 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3695 if (binding->flags & NFT_SET_MAP) {
3696 /* If the set is already bound to the same chain all
3697 * jumps are already validated for that chain.
3699 list_for_each_entry(i, &set->bindings, list) {
3700 if (i->flags & NFT_SET_MAP &&
3701 i->chain == binding->chain)
3705 iter.genmask = nft_genmask_next(ctx->net);
3709 iter.fn = nf_tables_bind_check_setelem;
3711 set->ops->walk(ctx, set, &iter);
3716 binding->chain = ctx->chain;
3717 list_add_tail_rcu(&binding->list, &set->bindings);
3720 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3722 void nf_tables_rebind_set(const struct nft_ctx *ctx, struct nft_set *set,
3723 struct nft_set_binding *binding)
3725 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3726 nft_is_active(ctx->net, set))
3727 list_add_tail_rcu(&set->list, &ctx->table->sets);
3729 list_add_tail_rcu(&binding->list, &set->bindings);
3731 EXPORT_SYMBOL_GPL(nf_tables_rebind_set);
3733 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3734 struct nft_set_binding *binding)
3736 list_del_rcu(&binding->list);
3738 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3739 nft_is_active(ctx->net, set))
3740 list_del_rcu(&set->list);
3742 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3744 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3746 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3747 nft_is_active(ctx->net, set)) {
3748 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3749 nft_set_destroy(set);
3752 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3754 const struct nft_set_ext_type nft_set_ext_types[] = {
3755 [NFT_SET_EXT_KEY] = {
3756 .align = __alignof__(u32),
3758 [NFT_SET_EXT_DATA] = {
3759 .align = __alignof__(u32),
3761 [NFT_SET_EXT_EXPR] = {
3762 .align = __alignof__(struct nft_expr),
3764 [NFT_SET_EXT_OBJREF] = {
3765 .len = sizeof(struct nft_object *),
3766 .align = __alignof__(struct nft_object *),
3768 [NFT_SET_EXT_FLAGS] = {
3770 .align = __alignof__(u8),
3772 [NFT_SET_EXT_TIMEOUT] = {
3774 .align = __alignof__(u64),
3776 [NFT_SET_EXT_EXPIRATION] = {
3778 .align = __alignof__(u64),
3780 [NFT_SET_EXT_USERDATA] = {
3781 .len = sizeof(struct nft_userdata),
3782 .align = __alignof__(struct nft_userdata),
3785 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3791 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3792 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3793 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3794 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3795 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3796 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3797 .len = NFT_USERDATA_MAXLEN },
3798 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3799 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3802 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3803 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3804 .len = NFT_TABLE_MAXNAMELEN - 1 },
3805 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3806 .len = NFT_SET_MAXNAMELEN - 1 },
3807 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3808 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3811 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3812 const struct sk_buff *skb,
3813 const struct nlmsghdr *nlh,
3814 const struct nlattr * const nla[],
3815 struct netlink_ext_ack *extack,
3818 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3819 int family = nfmsg->nfgen_family;
3820 struct nft_table *table;
3822 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3824 if (IS_ERR(table)) {
3825 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3826 return PTR_ERR(table);
3829 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3833 static int nf_tables_fill_setelem(struct sk_buff *skb,
3834 const struct nft_set *set,
3835 const struct nft_set_elem *elem)
3837 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3838 unsigned char *b = skb_tail_pointer(skb);
3839 struct nlattr *nest;
3841 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3843 goto nla_put_failure;
3845 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3846 NFT_DATA_VALUE, set->klen) < 0)
3847 goto nla_put_failure;
3849 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3850 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3851 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3853 goto nla_put_failure;
3855 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3856 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3857 goto nla_put_failure;
3859 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3860 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3861 (*nft_set_ext_obj(ext))->name) < 0)
3862 goto nla_put_failure;
3864 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3865 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3866 htonl(*nft_set_ext_flags(ext))))
3867 goto nla_put_failure;
3869 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3870 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3871 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3873 goto nla_put_failure;
3875 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3876 u64 expires, now = get_jiffies_64();
3878 expires = *nft_set_ext_expiration(ext);
3879 if (time_before64(now, expires))
3884 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3885 nf_jiffies64_to_msecs(expires),
3887 goto nla_put_failure;
3890 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3891 struct nft_userdata *udata;
3893 udata = nft_set_ext_userdata(ext);
3894 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3895 udata->len + 1, udata->data))
3896 goto nla_put_failure;
3899 nla_nest_end(skb, nest);
3907 struct nft_set_dump_args {
3908 const struct netlink_callback *cb;
3909 struct nft_set_iter iter;
3910 struct sk_buff *skb;
3913 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3914 struct nft_set *set,
3915 const struct nft_set_iter *iter,
3916 struct nft_set_elem *elem)
3918 struct nft_set_dump_args *args;
3920 args = container_of(iter, struct nft_set_dump_args, iter);
3921 return nf_tables_fill_setelem(args->skb, set, elem);
3924 struct nft_set_dump_ctx {
3925 const struct nft_set *set;
3929 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3931 struct nft_set_dump_ctx *dump_ctx = cb->data;
3932 struct net *net = sock_net(skb->sk);
3933 struct nft_table *table;
3934 struct nft_set *set;
3935 struct nft_set_dump_args args;
3936 bool set_found = false;
3937 struct nfgenmsg *nfmsg;
3938 struct nlmsghdr *nlh;
3939 struct nlattr *nest;
3944 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3945 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3946 dump_ctx->ctx.family != table->family)
3949 if (table != dump_ctx->ctx.table)
3952 list_for_each_entry_rcu(set, &table->sets, list) {
3953 if (set == dump_ctx->set) {
3966 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3967 portid = NETLINK_CB(cb->skb).portid;
3968 seq = cb->nlh->nlmsg_seq;
3970 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3973 goto nla_put_failure;
3975 nfmsg = nlmsg_data(nlh);
3976 nfmsg->nfgen_family = table->family;
3977 nfmsg->version = NFNETLINK_V0;
3978 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3980 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3981 goto nla_put_failure;
3982 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3983 goto nla_put_failure;
3985 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3987 goto nla_put_failure;
3991 args.iter.genmask = nft_genmask_cur(net);
3992 args.iter.skip = cb->args[0];
3993 args.iter.count = 0;
3995 args.iter.fn = nf_tables_dump_setelem;
3996 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3999 nla_nest_end(skb, nest);
4000 nlmsg_end(skb, nlh);
4002 if (args.iter.err && args.iter.err != -EMSGSIZE)
4003 return args.iter.err;
4004 if (args.iter.count == cb->args[0])
4007 cb->args[0] = args.iter.count;
4015 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4017 struct nft_set_dump_ctx *dump_ctx = cb->data;
4019 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4021 return cb->data ? 0 : -ENOMEM;
4024 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4030 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4031 const struct nft_ctx *ctx, u32 seq,
4032 u32 portid, int event, u16 flags,
4033 const struct nft_set *set,
4034 const struct nft_set_elem *elem)
4036 struct nfgenmsg *nfmsg;
4037 struct nlmsghdr *nlh;
4038 struct nlattr *nest;
4041 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4042 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4045 goto nla_put_failure;
4047 nfmsg = nlmsg_data(nlh);
4048 nfmsg->nfgen_family = ctx->family;
4049 nfmsg->version = NFNETLINK_V0;
4050 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4052 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4053 goto nla_put_failure;
4054 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4055 goto nla_put_failure;
4057 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4059 goto nla_put_failure;
4061 err = nf_tables_fill_setelem(skb, set, elem);
4063 goto nla_put_failure;
4065 nla_nest_end(skb, nest);
4067 nlmsg_end(skb, nlh);
4071 nlmsg_trim(skb, nlh);
4075 static int nft_setelem_parse_flags(const struct nft_set *set,
4076 const struct nlattr *attr, u32 *flags)
4081 *flags = ntohl(nla_get_be32(attr));
4082 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4084 if (!(set->flags & NFT_SET_INTERVAL) &&
4085 *flags & NFT_SET_ELEM_INTERVAL_END)
4091 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4092 const struct nlattr *attr)
4094 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4095 struct nft_data_desc desc;
4096 struct nft_set_elem elem;
4097 struct sk_buff *skb;
4102 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4103 nft_set_elem_policy, NULL);
4107 if (!nla[NFTA_SET_ELEM_KEY])
4110 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4114 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4115 nla[NFTA_SET_ELEM_KEY]);
4120 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4123 priv = set->ops->get(ctx->net, set, &elem, flags);
4125 return PTR_ERR(priv);
4130 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4134 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4135 NFT_MSG_NEWSETELEM, 0, set, &elem);
4139 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4140 /* This avoids a loop in nfnetlink. */
4148 /* this avoids a loop in nfnetlink. */
4149 return err == -EAGAIN ? -ENOBUFS : err;
4152 /* called with rcu_read_lock held */
4153 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4154 struct sk_buff *skb, const struct nlmsghdr *nlh,
4155 const struct nlattr * const nla[],
4156 struct netlink_ext_ack *extack)
4158 u8 genmask = nft_genmask_cur(net);
4159 struct nft_set *set;
4160 struct nlattr *attr;
4164 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4169 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4171 return PTR_ERR(set);
4173 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4174 struct netlink_dump_control c = {
4175 .start = nf_tables_dump_set_start,
4176 .dump = nf_tables_dump_set,
4177 .done = nf_tables_dump_set_done,
4178 .module = THIS_MODULE,
4180 struct nft_set_dump_ctx dump_ctx = {
4186 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4189 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4192 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4193 err = nft_get_set_elem(&ctx, set, attr);
4201 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4202 const struct nft_set *set,
4203 const struct nft_set_elem *elem,
4204 int event, u16 flags)
4206 struct net *net = ctx->net;
4207 u32 portid = ctx->portid;
4208 struct sk_buff *skb;
4211 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4214 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4218 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4225 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4229 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4232 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4234 struct nft_set *set)
4236 struct nft_trans *trans;
4238 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4242 nft_trans_elem_set(trans) = set;
4246 void *nft_set_elem_init(const struct nft_set *set,
4247 const struct nft_set_ext_tmpl *tmpl,
4248 const u32 *key, const u32 *data,
4249 u64 timeout, gfp_t gfp)
4251 struct nft_set_ext *ext;
4254 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4258 ext = nft_set_elem_ext(set, elem);
4259 nft_set_ext_init(ext, tmpl);
4261 memcpy(nft_set_ext_key(ext), key, set->klen);
4262 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4263 memcpy(nft_set_ext_data(ext), data, set->dlen);
4264 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4265 *nft_set_ext_expiration(ext) =
4266 get_jiffies_64() + timeout;
4267 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4268 *nft_set_ext_timeout(ext) = timeout;
4273 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4276 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4277 struct nft_ctx ctx = {
4278 .net = read_pnet(&set->net),
4279 .family = set->table->family,
4282 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4283 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4284 nft_data_release(nft_set_ext_data(ext), set->dtype);
4285 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4286 struct nft_expr *expr = nft_set_ext_expr(ext);
4288 if (expr->ops->destroy_clone) {
4289 expr->ops->destroy_clone(&ctx, expr);
4290 module_put(expr->ops->type->owner);
4292 nf_tables_expr_destroy(&ctx, expr);
4295 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4296 (*nft_set_ext_obj(ext))->use--;
4299 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4301 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4302 * the refcounting from the preparation phase.
4304 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4305 const struct nft_set *set, void *elem)
4307 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4309 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4310 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4314 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4315 const struct nlattr *attr, u32 nlmsg_flags)
4317 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4318 u8 genmask = nft_genmask_next(ctx->net);
4319 struct nft_data_desc d1, d2;
4320 struct nft_set_ext_tmpl tmpl;
4321 struct nft_set_ext *ext, *ext2;
4322 struct nft_set_elem elem;
4323 struct nft_set_binding *binding;
4324 struct nft_object *obj = NULL;
4325 struct nft_userdata *udata;
4326 struct nft_data data;
4327 enum nft_registers dreg;
4328 struct nft_trans *trans;
4334 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4335 nft_set_elem_policy, NULL);
4339 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4342 nft_set_ext_prepare(&tmpl);
4344 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4348 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4350 if (set->flags & NFT_SET_MAP) {
4351 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4352 !(flags & NFT_SET_ELEM_INTERVAL_END))
4354 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4355 flags & NFT_SET_ELEM_INTERVAL_END)
4358 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4363 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4364 if (!(set->flags & NFT_SET_TIMEOUT))
4366 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4370 } else if (set->flags & NFT_SET_TIMEOUT) {
4371 timeout = set->timeout;
4374 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4375 nla[NFTA_SET_ELEM_KEY]);
4379 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4382 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4384 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4385 if (timeout != set->timeout)
4386 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4389 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4390 if (!(set->flags & NFT_SET_OBJECT)) {
4394 obj = nft_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4395 set->objtype, genmask);
4400 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4403 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4404 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4405 nla[NFTA_SET_ELEM_DATA]);
4410 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4413 dreg = nft_type_to_reg(set->dtype);
4414 list_for_each_entry(binding, &set->bindings, list) {
4415 struct nft_ctx bind_ctx = {
4417 .family = ctx->family,
4418 .table = ctx->table,
4419 .chain = (struct nft_chain *)binding->chain,
4422 if (!(binding->flags & NFT_SET_MAP))
4425 err = nft_validate_register_store(&bind_ctx, dreg,
4431 if (d2.type == NFT_DATA_VERDICT &&
4432 (data.verdict.code == NFT_GOTO ||
4433 data.verdict.code == NFT_JUMP))
4434 nft_validate_state_update(ctx->net,
4438 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4441 /* The full maximum length of userdata can exceed the maximum
4442 * offset value (U8_MAX) for following extensions, therefor it
4443 * must be the last extension added.
4446 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4447 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4449 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4454 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4455 timeout, GFP_KERNEL);
4456 if (elem.priv == NULL)
4459 ext = nft_set_elem_ext(set, elem.priv);
4461 *nft_set_ext_flags(ext) = flags;
4463 udata = nft_set_ext_userdata(ext);
4464 udata->len = ulen - 1;
4465 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4468 *nft_set_ext_obj(ext) = obj;
4472 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4476 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4477 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4479 if (err == -EEXIST) {
4480 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4481 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4482 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4483 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4487 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4488 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4489 memcmp(nft_set_ext_data(ext),
4490 nft_set_ext_data(ext2), set->dlen) != 0) ||
4491 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4492 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4493 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4495 else if (!(nlmsg_flags & NLM_F_EXCL))
4502 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4507 nft_trans_elem(trans) = elem;
4508 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4512 set->ops->remove(ctx->net, set, &elem);
4518 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4519 nft_data_release(&data, d2.type);
4521 nft_data_release(&elem.key.val, d1.type);
4526 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4527 struct sk_buff *skb, const struct nlmsghdr *nlh,
4528 const struct nlattr * const nla[],
4529 struct netlink_ext_ack *extack)
4531 u8 genmask = nft_genmask_next(net);
4532 const struct nlattr *attr;
4533 struct nft_set *set;
4537 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4540 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4545 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4546 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4548 return PTR_ERR(set);
4550 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4553 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4554 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4559 if (net->nft.validate_state == NFT_VALIDATE_DO)
4560 return nft_table_validate(net, ctx.table);
4566 * nft_data_hold - hold a nft_data item
4568 * @data: struct nft_data to release
4569 * @type: type of data
4571 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4572 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4573 * NFT_GOTO verdicts. This function must be called on active data objects
4574 * from the second phase of the commit protocol.
4576 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4578 if (type == NFT_DATA_VERDICT) {
4579 switch (data->verdict.code) {
4582 data->verdict.chain->use++;
4588 static void nft_set_elem_activate(const struct net *net,
4589 const struct nft_set *set,
4590 struct nft_set_elem *elem)
4592 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4594 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4595 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4596 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4597 (*nft_set_ext_obj(ext))->use++;
4600 static void nft_set_elem_deactivate(const struct net *net,
4601 const struct nft_set *set,
4602 struct nft_set_elem *elem)
4604 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4606 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4607 nft_data_release(nft_set_ext_data(ext), set->dtype);
4608 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4609 (*nft_set_ext_obj(ext))->use--;
4612 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4613 const struct nlattr *attr)
4615 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4616 struct nft_set_ext_tmpl tmpl;
4617 struct nft_data_desc desc;
4618 struct nft_set_elem elem;
4619 struct nft_set_ext *ext;
4620 struct nft_trans *trans;
4625 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4626 nft_set_elem_policy, NULL);
4631 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4634 nft_set_ext_prepare(&tmpl);
4636 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4640 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4642 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4643 nla[NFTA_SET_ELEM_KEY]);
4648 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4651 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4654 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4656 if (elem.priv == NULL)
4659 ext = nft_set_elem_ext(set, elem.priv);
4661 *nft_set_ext_flags(ext) = flags;
4663 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4664 if (trans == NULL) {
4669 priv = set->ops->deactivate(ctx->net, set, &elem);
4677 nft_set_elem_deactivate(ctx->net, set, &elem);
4679 nft_trans_elem(trans) = elem;
4680 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4688 nft_data_release(&elem.key.val, desc.type);
4693 static int nft_flush_set(const struct nft_ctx *ctx,
4694 struct nft_set *set,
4695 const struct nft_set_iter *iter,
4696 struct nft_set_elem *elem)
4698 struct nft_trans *trans;
4701 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4702 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4706 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4712 nft_set_elem_deactivate(ctx->net, set, elem);
4713 nft_trans_elem_set(trans) = set;
4714 nft_trans_elem(trans) = *elem;
4715 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4723 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4724 struct sk_buff *skb, const struct nlmsghdr *nlh,
4725 const struct nlattr * const nla[],
4726 struct netlink_ext_ack *extack)
4728 u8 genmask = nft_genmask_next(net);
4729 const struct nlattr *attr;
4730 struct nft_set *set;
4734 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4739 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4741 return PTR_ERR(set);
4742 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4745 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4746 struct nft_set_iter iter = {
4748 .fn = nft_flush_set,
4750 set->ops->walk(&ctx, set, &iter);
4755 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4756 err = nft_del_setelem(&ctx, set, attr);
4765 void nft_set_gc_batch_release(struct rcu_head *rcu)
4767 struct nft_set_gc_batch *gcb;
4770 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4771 for (i = 0; i < gcb->head.cnt; i++)
4772 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4775 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4777 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4780 struct nft_set_gc_batch *gcb;
4782 gcb = kzalloc(sizeof(*gcb), gfp);
4785 gcb->head.set = set;
4788 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4795 * nft_register_obj- register nf_tables stateful object type
4798 * Registers the object type for use with nf_tables. Returns zero on
4799 * success or a negative errno code otherwise.
4801 int nft_register_obj(struct nft_object_type *obj_type)
4803 if (obj_type->type == NFT_OBJECT_UNSPEC)
4806 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4807 list_add_rcu(&obj_type->list, &nf_tables_objects);
4808 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4811 EXPORT_SYMBOL_GPL(nft_register_obj);
4814 * nft_unregister_obj - unregister nf_tables object type
4817 * Unregisters the object type for use with nf_tables.
4819 void nft_unregister_obj(struct nft_object_type *obj_type)
4821 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4822 list_del_rcu(&obj_type->list);
4823 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4825 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4827 struct nft_object *nft_obj_lookup(const struct nft_table *table,
4828 const struct nlattr *nla, u32 objtype,
4831 struct nft_object *obj;
4833 list_for_each_entry_rcu(obj, &table->objects, list) {
4834 if (!nla_strcmp(nla, obj->name) &&
4835 objtype == obj->ops->type->type &&
4836 nft_active_genmask(obj, genmask))
4839 return ERR_PTR(-ENOENT);
4841 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4843 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4844 const struct nlattr *nla,
4845 u32 objtype, u8 genmask)
4847 struct nft_object *obj;
4849 list_for_each_entry(obj, &table->objects, list) {
4850 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4851 objtype == obj->ops->type->type &&
4852 nft_active_genmask(obj, genmask))
4855 return ERR_PTR(-ENOENT);
4858 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4859 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4860 .len = NFT_TABLE_MAXNAMELEN - 1 },
4861 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4862 .len = NFT_OBJ_MAXNAMELEN - 1 },
4863 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4864 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4865 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4868 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4869 const struct nft_object_type *type,
4870 const struct nlattr *attr)
4873 const struct nft_object_ops *ops;
4874 struct nft_object *obj;
4877 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4882 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4887 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4890 if (type->select_ops) {
4891 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4901 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4905 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4918 return ERR_PTR(err);
4921 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4922 struct nft_object *obj, bool reset)
4924 struct nlattr *nest;
4926 nest = nla_nest_start(skb, attr);
4928 goto nla_put_failure;
4929 if (obj->ops->dump(skb, obj, reset) < 0)
4930 goto nla_put_failure;
4931 nla_nest_end(skb, nest);
4938 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4940 const struct nft_object_type *type;
4942 list_for_each_entry(type, &nf_tables_objects, list) {
4943 if (objtype == type->type)
4949 static const struct nft_object_type *
4950 nft_obj_type_get(struct net *net, u32 objtype)
4952 const struct nft_object_type *type;
4954 type = __nft_obj_type_get(objtype);
4955 if (type != NULL && try_module_get(type->owner))
4958 lockdep_nfnl_nft_mutex_not_held();
4959 #ifdef CONFIG_MODULES
4961 nft_request_module(net, "nft-obj-%u", objtype);
4962 if (__nft_obj_type_get(objtype))
4963 return ERR_PTR(-EAGAIN);
4966 return ERR_PTR(-ENOENT);
4969 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4970 struct sk_buff *skb, const struct nlmsghdr *nlh,
4971 const struct nlattr * const nla[],
4972 struct netlink_ext_ack *extack)
4974 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4975 const struct nft_object_type *type;
4976 u8 genmask = nft_genmask_next(net);
4977 int family = nfmsg->nfgen_family;
4978 struct nft_table *table;
4979 struct nft_object *obj;
4984 if (!nla[NFTA_OBJ_TYPE] ||
4985 !nla[NFTA_OBJ_NAME] ||
4986 !nla[NFTA_OBJ_DATA])
4989 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4990 if (IS_ERR(table)) {
4991 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4992 return PTR_ERR(table);
4995 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4996 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4999 if (err != -ENOENT) {
5000 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5004 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5005 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5011 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5013 type = nft_obj_type_get(net, objtype);
5015 return PTR_ERR(type);
5017 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5023 obj->handle = nf_tables_alloc_handle(table);
5025 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5031 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5035 list_add_tail_rcu(&obj->list, &table->objects);
5041 if (obj->ops->destroy)
5042 obj->ops->destroy(&ctx, obj);
5045 module_put(type->owner);
5049 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5050 u32 portid, u32 seq, int event, u32 flags,
5051 int family, const struct nft_table *table,
5052 struct nft_object *obj, bool reset)
5054 struct nfgenmsg *nfmsg;
5055 struct nlmsghdr *nlh;
5057 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5058 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5060 goto nla_put_failure;
5062 nfmsg = nlmsg_data(nlh);
5063 nfmsg->nfgen_family = family;
5064 nfmsg->version = NFNETLINK_V0;
5065 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5067 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5068 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
5069 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5070 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5071 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5072 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5074 goto nla_put_failure;
5076 nlmsg_end(skb, nlh);
5080 nlmsg_trim(skb, nlh);
5084 struct nft_obj_filter {
5089 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5091 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5092 const struct nft_table *table;
5093 unsigned int idx = 0, s_idx = cb->args[0];
5094 struct nft_obj_filter *filter = cb->data;
5095 struct net *net = sock_net(skb->sk);
5096 int family = nfmsg->nfgen_family;
5097 struct nft_object *obj;
5100 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5104 cb->seq = net->nft.base_seq;
5106 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5107 if (family != NFPROTO_UNSPEC && family != table->family)
5110 list_for_each_entry_rcu(obj, &table->objects, list) {
5111 if (!nft_is_active(net, obj))
5116 memset(&cb->args[1], 0,
5117 sizeof(cb->args) - sizeof(cb->args[0]));
5118 if (filter && filter->table &&
5119 strcmp(filter->table, table->name))
5122 filter->type != NFT_OBJECT_UNSPEC &&
5123 obj->ops->type->type != filter->type)
5126 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5129 NLM_F_MULTI | NLM_F_APPEND,
5130 table->family, table,
5134 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5146 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5148 const struct nlattr * const *nla = cb->data;
5149 struct nft_obj_filter *filter = NULL;
5151 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5152 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5156 if (nla[NFTA_OBJ_TABLE]) {
5157 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5158 if (!filter->table) {
5164 if (nla[NFTA_OBJ_TYPE])
5165 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5172 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5174 struct nft_obj_filter *filter = cb->data;
5177 kfree(filter->table);
5184 /* called with rcu_read_lock held */
5185 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5186 struct sk_buff *skb, const struct nlmsghdr *nlh,
5187 const struct nlattr * const nla[],
5188 struct netlink_ext_ack *extack)
5190 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5191 u8 genmask = nft_genmask_cur(net);
5192 int family = nfmsg->nfgen_family;
5193 const struct nft_table *table;
5194 struct nft_object *obj;
5195 struct sk_buff *skb2;
5200 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5201 struct netlink_dump_control c = {
5202 .start = nf_tables_dump_obj_start,
5203 .dump = nf_tables_dump_obj,
5204 .done = nf_tables_dump_obj_done,
5205 .module = THIS_MODULE,
5206 .data = (void *)nla,
5209 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5212 if (!nla[NFTA_OBJ_NAME] ||
5213 !nla[NFTA_OBJ_TYPE])
5216 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5217 if (IS_ERR(table)) {
5218 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5219 return PTR_ERR(table);
5222 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5223 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
5225 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5226 return PTR_ERR(obj);
5229 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5233 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5236 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5237 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5238 family, table, obj, reset);
5242 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5248 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5250 if (obj->ops->destroy)
5251 obj->ops->destroy(ctx, obj);
5253 module_put(obj->ops->type->owner);
5258 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5259 struct sk_buff *skb, const struct nlmsghdr *nlh,
5260 const struct nlattr * const nla[],
5261 struct netlink_ext_ack *extack)
5263 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5264 u8 genmask = nft_genmask_next(net);
5265 int family = nfmsg->nfgen_family;
5266 const struct nlattr *attr;
5267 struct nft_table *table;
5268 struct nft_object *obj;
5272 if (!nla[NFTA_OBJ_TYPE] ||
5273 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5276 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5277 if (IS_ERR(table)) {
5278 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5279 return PTR_ERR(table);
5282 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5283 if (nla[NFTA_OBJ_HANDLE]) {
5284 attr = nla[NFTA_OBJ_HANDLE];
5285 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5287 attr = nla[NFTA_OBJ_NAME];
5288 obj = nft_obj_lookup(table, attr, objtype, genmask);
5292 NL_SET_BAD_ATTR(extack, attr);
5293 return PTR_ERR(obj);
5296 NL_SET_BAD_ATTR(extack, attr);
5300 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5302 return nft_delobj(&ctx, obj);
5305 void nft_obj_notify(struct net *net, struct nft_table *table,
5306 struct nft_object *obj, u32 portid, u32 seq, int event,
5307 int family, int report, gfp_t gfp)
5309 struct sk_buff *skb;
5313 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5316 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5320 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5327 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5330 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5332 EXPORT_SYMBOL_GPL(nft_obj_notify);
5334 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5335 struct nft_object *obj, int event)
5337 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5338 ctx->family, ctx->report, GFP_KERNEL);
5344 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5346 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5347 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5348 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5350 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5352 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5354 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5355 list_del_rcu(&type->list);
5356 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5358 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5360 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5361 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5362 .len = NFT_NAME_MAXLEN - 1 },
5363 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5364 .len = NFT_NAME_MAXLEN - 1 },
5365 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5366 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5369 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5370 const struct nlattr *nla, u8 genmask)
5372 struct nft_flowtable *flowtable;
5374 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5375 if (!nla_strcmp(nla, flowtable->name) &&
5376 nft_active_genmask(flowtable, genmask))
5379 return ERR_PTR(-ENOENT);
5381 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5383 static struct nft_flowtable *
5384 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5385 const struct nlattr *nla, u8 genmask)
5387 struct nft_flowtable *flowtable;
5389 list_for_each_entry(flowtable, &table->flowtables, list) {
5390 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5391 nft_active_genmask(flowtable, genmask))
5394 return ERR_PTR(-ENOENT);
5397 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5398 const struct nlattr *attr,
5399 struct net_device *dev_array[], int *len)
5401 const struct nlattr *tmp;
5402 struct net_device *dev;
5403 char ifname[IFNAMSIZ];
5404 int rem, n = 0, err;
5406 nla_for_each_nested(tmp, attr, rem) {
5407 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5412 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5413 dev = __dev_get_by_name(ctx->net, ifname);
5419 dev_array[n++] = dev;
5420 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5434 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5435 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5436 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5437 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5440 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5441 const struct nlattr *attr,
5442 struct nft_flowtable *flowtable)
5444 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5445 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5446 struct nf_hook_ops *ops;
5447 int hooknum, priority;
5450 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5451 nft_flowtable_hook_policy, NULL);
5455 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5456 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5457 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5460 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5461 if (hooknum != NF_NETDEV_INGRESS)
5464 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5466 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5471 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5475 flowtable->hooknum = hooknum;
5476 flowtable->priority = priority;
5477 flowtable->ops = ops;
5478 flowtable->ops_len = n;
5480 for (i = 0; i < n; i++) {
5481 flowtable->ops[i].pf = NFPROTO_NETDEV;
5482 flowtable->ops[i].hooknum = hooknum;
5483 flowtable->ops[i].priority = priority;
5484 flowtable->ops[i].priv = &flowtable->data;
5485 flowtable->ops[i].hook = flowtable->data.type->hook;
5486 flowtable->ops[i].dev = dev_array[i];
5492 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5494 const struct nf_flowtable_type *type;
5496 list_for_each_entry(type, &nf_tables_flowtables, list) {
5497 if (family == type->family)
5503 static const struct nf_flowtable_type *
5504 nft_flowtable_type_get(struct net *net, u8 family)
5506 const struct nf_flowtable_type *type;
5508 type = __nft_flowtable_type_get(family);
5509 if (type != NULL && try_module_get(type->owner))
5512 lockdep_nfnl_nft_mutex_not_held();
5513 #ifdef CONFIG_MODULES
5515 nft_request_module(net, "nf-flowtable-%u", family);
5516 if (__nft_flowtable_type_get(family))
5517 return ERR_PTR(-EAGAIN);
5520 return ERR_PTR(-ENOENT);
5523 static void nft_unregister_flowtable_net_hooks(struct net *net,
5524 struct nft_flowtable *flowtable)
5528 for (i = 0; i < flowtable->ops_len; i++) {
5529 if (!flowtable->ops[i].dev)
5532 nf_unregister_net_hook(net, &flowtable->ops[i]);
5536 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5537 struct sk_buff *skb,
5538 const struct nlmsghdr *nlh,
5539 const struct nlattr * const nla[],
5540 struct netlink_ext_ack *extack)
5542 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5543 const struct nf_flowtable_type *type;
5544 struct nft_flowtable *flowtable, *ft;
5545 u8 genmask = nft_genmask_next(net);
5546 int family = nfmsg->nfgen_family;
5547 struct nft_table *table;
5551 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5552 !nla[NFTA_FLOWTABLE_NAME] ||
5553 !nla[NFTA_FLOWTABLE_HOOK])
5556 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5558 if (IS_ERR(table)) {
5559 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5560 return PTR_ERR(table);
5563 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5565 if (IS_ERR(flowtable)) {
5566 err = PTR_ERR(flowtable);
5567 if (err != -ENOENT) {
5568 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5572 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5573 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5580 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5582 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5586 flowtable->table = table;
5587 flowtable->handle = nf_tables_alloc_handle(table);
5589 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5590 if (!flowtable->name) {
5595 type = nft_flowtable_type_get(net, family);
5597 err = PTR_ERR(type);
5601 flowtable->data.type = type;
5602 err = type->init(&flowtable->data);
5606 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5611 for (i = 0; i < flowtable->ops_len; i++) {
5612 if (!flowtable->ops[i].dev)
5615 list_for_each_entry(ft, &table->flowtables, list) {
5616 for (k = 0; k < ft->ops_len; k++) {
5617 if (!ft->ops[k].dev)
5620 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5621 flowtable->ops[i].pf == ft->ops[k].pf) {
5628 err = nf_register_net_hook(net, &flowtable->ops[i]);
5633 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5637 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5642 i = flowtable->ops_len;
5644 for (k = i - 1; k >= 0; k--)
5645 nf_unregister_net_hook(net, &flowtable->ops[k]);
5647 kfree(flowtable->ops);
5649 flowtable->data.type->free(&flowtable->data);
5651 module_put(type->owner);
5653 kfree(flowtable->name);
5659 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5660 struct sk_buff *skb,
5661 const struct nlmsghdr *nlh,
5662 const struct nlattr * const nla[],
5663 struct netlink_ext_ack *extack)
5665 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5666 u8 genmask = nft_genmask_next(net);
5667 int family = nfmsg->nfgen_family;
5668 struct nft_flowtable *flowtable;
5669 const struct nlattr *attr;
5670 struct nft_table *table;
5673 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5674 (!nla[NFTA_FLOWTABLE_NAME] &&
5675 !nla[NFTA_FLOWTABLE_HANDLE]))
5678 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5680 if (IS_ERR(table)) {
5681 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5682 return PTR_ERR(table);
5685 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5686 attr = nla[NFTA_FLOWTABLE_HANDLE];
5687 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5689 attr = nla[NFTA_FLOWTABLE_NAME];
5690 flowtable = nft_flowtable_lookup(table, attr, genmask);
5693 if (IS_ERR(flowtable)) {
5694 NL_SET_BAD_ATTR(extack, attr);
5695 return PTR_ERR(flowtable);
5697 if (flowtable->use > 0) {
5698 NL_SET_BAD_ATTR(extack, attr);
5702 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5704 return nft_delflowtable(&ctx, flowtable);
5707 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5708 u32 portid, u32 seq, int event,
5709 u32 flags, int family,
5710 struct nft_flowtable *flowtable)
5712 struct nlattr *nest, *nest_devs;
5713 struct nfgenmsg *nfmsg;
5714 struct nlmsghdr *nlh;
5717 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5718 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5720 goto nla_put_failure;
5722 nfmsg = nlmsg_data(nlh);
5723 nfmsg->nfgen_family = family;
5724 nfmsg->version = NFNETLINK_V0;
5725 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5727 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5728 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5729 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5730 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5731 NFTA_FLOWTABLE_PAD))
5732 goto nla_put_failure;
5734 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5735 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5736 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5737 goto nla_put_failure;
5739 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5741 goto nla_put_failure;
5743 for (i = 0; i < flowtable->ops_len; i++) {
5744 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5747 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5748 goto nla_put_failure;
5750 nla_nest_end(skb, nest_devs);
5751 nla_nest_end(skb, nest);
5753 nlmsg_end(skb, nlh);
5757 nlmsg_trim(skb, nlh);
5761 struct nft_flowtable_filter {
5765 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5766 struct netlink_callback *cb)
5768 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5769 struct nft_flowtable_filter *filter = cb->data;
5770 unsigned int idx = 0, s_idx = cb->args[0];
5771 struct net *net = sock_net(skb->sk);
5772 int family = nfmsg->nfgen_family;
5773 struct nft_flowtable *flowtable;
5774 const struct nft_table *table;
5777 cb->seq = net->nft.base_seq;
5779 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5780 if (family != NFPROTO_UNSPEC && family != table->family)
5783 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5784 if (!nft_is_active(net, flowtable))
5789 memset(&cb->args[1], 0,
5790 sizeof(cb->args) - sizeof(cb->args[0]));
5791 if (filter && filter->table &&
5792 strcmp(filter->table, table->name))
5795 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5797 NFT_MSG_NEWFLOWTABLE,
5798 NLM_F_MULTI | NLM_F_APPEND,
5799 table->family, flowtable) < 0)
5802 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5814 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5816 const struct nlattr * const *nla = cb->data;
5817 struct nft_flowtable_filter *filter = NULL;
5819 if (nla[NFTA_FLOWTABLE_TABLE]) {
5820 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5824 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5826 if (!filter->table) {
5836 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5838 struct nft_flowtable_filter *filter = cb->data;
5843 kfree(filter->table);
5849 /* called with rcu_read_lock held */
5850 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5851 struct sk_buff *skb,
5852 const struct nlmsghdr *nlh,
5853 const struct nlattr * const nla[],
5854 struct netlink_ext_ack *extack)
5856 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5857 u8 genmask = nft_genmask_cur(net);
5858 int family = nfmsg->nfgen_family;
5859 struct nft_flowtable *flowtable;
5860 const struct nft_table *table;
5861 struct sk_buff *skb2;
5864 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5865 struct netlink_dump_control c = {
5866 .start = nf_tables_dump_flowtable_start,
5867 .dump = nf_tables_dump_flowtable,
5868 .done = nf_tables_dump_flowtable_done,
5869 .module = THIS_MODULE,
5870 .data = (void *)nla,
5873 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5876 if (!nla[NFTA_FLOWTABLE_NAME])
5879 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5882 return PTR_ERR(table);
5884 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5886 if (IS_ERR(flowtable))
5887 return PTR_ERR(flowtable);
5889 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5893 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5895 NFT_MSG_NEWFLOWTABLE, 0, family,
5900 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5906 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5907 struct nft_flowtable *flowtable,
5910 struct sk_buff *skb;
5914 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5917 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5921 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5923 ctx->family, flowtable);
5929 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5930 ctx->report, GFP_KERNEL);
5933 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5936 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5938 kfree(flowtable->ops);
5939 kfree(flowtable->name);
5940 flowtable->data.type->free(&flowtable->data);
5941 module_put(flowtable->data.type->owner);
5945 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5946 u32 portid, u32 seq)
5948 struct nlmsghdr *nlh;
5949 struct nfgenmsg *nfmsg;
5950 char buf[TASK_COMM_LEN];
5951 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5953 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5955 goto nla_put_failure;
5957 nfmsg = nlmsg_data(nlh);
5958 nfmsg->nfgen_family = AF_UNSPEC;
5959 nfmsg->version = NFNETLINK_V0;
5960 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5962 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5963 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5964 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5965 goto nla_put_failure;
5967 nlmsg_end(skb, nlh);
5971 nlmsg_trim(skb, nlh);
5975 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5976 struct nft_flowtable *flowtable)
5980 for (i = 0; i < flowtable->ops_len; i++) {
5981 if (flowtable->ops[i].dev != dev)
5984 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5985 flowtable->ops[i].dev = NULL;
5990 static int nf_tables_flowtable_event(struct notifier_block *this,
5991 unsigned long event, void *ptr)
5993 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5994 struct nft_flowtable *flowtable;
5995 struct nft_table *table;
5998 if (event != NETDEV_UNREGISTER)
6002 mutex_lock(&net->nft.commit_mutex);
6003 list_for_each_entry(table, &net->nft.tables, list) {
6004 list_for_each_entry(flowtable, &table->flowtables, list) {
6005 nft_flowtable_event(event, dev, flowtable);
6008 mutex_unlock(&net->nft.commit_mutex);
6013 static struct notifier_block nf_tables_flowtable_notifier = {
6014 .notifier_call = nf_tables_flowtable_event,
6017 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6020 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6021 struct sk_buff *skb2;
6024 if (nlmsg_report(nlh) &&
6025 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6028 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6032 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6039 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6040 nlmsg_report(nlh), GFP_KERNEL);
6043 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6047 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6048 struct sk_buff *skb, const struct nlmsghdr *nlh,
6049 const struct nlattr * const nla[],
6050 struct netlink_ext_ack *extack)
6052 struct sk_buff *skb2;
6055 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6059 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6064 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6070 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6071 [NFT_MSG_NEWTABLE] = {
6072 .call_batch = nf_tables_newtable,
6073 .attr_count = NFTA_TABLE_MAX,
6074 .policy = nft_table_policy,
6076 [NFT_MSG_GETTABLE] = {
6077 .call_rcu = nf_tables_gettable,
6078 .attr_count = NFTA_TABLE_MAX,
6079 .policy = nft_table_policy,
6081 [NFT_MSG_DELTABLE] = {
6082 .call_batch = nf_tables_deltable,
6083 .attr_count = NFTA_TABLE_MAX,
6084 .policy = nft_table_policy,
6086 [NFT_MSG_NEWCHAIN] = {
6087 .call_batch = nf_tables_newchain,
6088 .attr_count = NFTA_CHAIN_MAX,
6089 .policy = nft_chain_policy,
6091 [NFT_MSG_GETCHAIN] = {
6092 .call_rcu = nf_tables_getchain,
6093 .attr_count = NFTA_CHAIN_MAX,
6094 .policy = nft_chain_policy,
6096 [NFT_MSG_DELCHAIN] = {
6097 .call_batch = nf_tables_delchain,
6098 .attr_count = NFTA_CHAIN_MAX,
6099 .policy = nft_chain_policy,
6101 [NFT_MSG_NEWRULE] = {
6102 .call_batch = nf_tables_newrule,
6103 .attr_count = NFTA_RULE_MAX,
6104 .policy = nft_rule_policy,
6106 [NFT_MSG_GETRULE] = {
6107 .call_rcu = nf_tables_getrule,
6108 .attr_count = NFTA_RULE_MAX,
6109 .policy = nft_rule_policy,
6111 [NFT_MSG_DELRULE] = {
6112 .call_batch = nf_tables_delrule,
6113 .attr_count = NFTA_RULE_MAX,
6114 .policy = nft_rule_policy,
6116 [NFT_MSG_NEWSET] = {
6117 .call_batch = nf_tables_newset,
6118 .attr_count = NFTA_SET_MAX,
6119 .policy = nft_set_policy,
6121 [NFT_MSG_GETSET] = {
6122 .call_rcu = nf_tables_getset,
6123 .attr_count = NFTA_SET_MAX,
6124 .policy = nft_set_policy,
6126 [NFT_MSG_DELSET] = {
6127 .call_batch = nf_tables_delset,
6128 .attr_count = NFTA_SET_MAX,
6129 .policy = nft_set_policy,
6131 [NFT_MSG_NEWSETELEM] = {
6132 .call_batch = nf_tables_newsetelem,
6133 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6134 .policy = nft_set_elem_list_policy,
6136 [NFT_MSG_GETSETELEM] = {
6137 .call_rcu = nf_tables_getsetelem,
6138 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6139 .policy = nft_set_elem_list_policy,
6141 [NFT_MSG_DELSETELEM] = {
6142 .call_batch = nf_tables_delsetelem,
6143 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6144 .policy = nft_set_elem_list_policy,
6146 [NFT_MSG_GETGEN] = {
6147 .call_rcu = nf_tables_getgen,
6149 [NFT_MSG_NEWOBJ] = {
6150 .call_batch = nf_tables_newobj,
6151 .attr_count = NFTA_OBJ_MAX,
6152 .policy = nft_obj_policy,
6154 [NFT_MSG_GETOBJ] = {
6155 .call_rcu = nf_tables_getobj,
6156 .attr_count = NFTA_OBJ_MAX,
6157 .policy = nft_obj_policy,
6159 [NFT_MSG_DELOBJ] = {
6160 .call_batch = nf_tables_delobj,
6161 .attr_count = NFTA_OBJ_MAX,
6162 .policy = nft_obj_policy,
6164 [NFT_MSG_GETOBJ_RESET] = {
6165 .call_rcu = nf_tables_getobj,
6166 .attr_count = NFTA_OBJ_MAX,
6167 .policy = nft_obj_policy,
6169 [NFT_MSG_NEWFLOWTABLE] = {
6170 .call_batch = nf_tables_newflowtable,
6171 .attr_count = NFTA_FLOWTABLE_MAX,
6172 .policy = nft_flowtable_policy,
6174 [NFT_MSG_GETFLOWTABLE] = {
6175 .call_rcu = nf_tables_getflowtable,
6176 .attr_count = NFTA_FLOWTABLE_MAX,
6177 .policy = nft_flowtable_policy,
6179 [NFT_MSG_DELFLOWTABLE] = {
6180 .call_batch = nf_tables_delflowtable,
6181 .attr_count = NFTA_FLOWTABLE_MAX,
6182 .policy = nft_flowtable_policy,
6186 static int nf_tables_validate(struct net *net)
6188 struct nft_table *table;
6190 switch (net->nft.validate_state) {
6191 case NFT_VALIDATE_SKIP:
6193 case NFT_VALIDATE_NEED:
6194 nft_validate_state_update(net, NFT_VALIDATE_DO);
6196 case NFT_VALIDATE_DO:
6197 list_for_each_entry(table, &net->nft.tables, list) {
6198 if (nft_table_validate(net, table) < 0)
6207 static void nft_chain_commit_update(struct nft_trans *trans)
6209 struct nft_base_chain *basechain;
6211 if (nft_trans_chain_name(trans)) {
6212 rhltable_remove(&trans->ctx.table->chains_ht,
6213 &trans->ctx.chain->rhlhead,
6214 nft_chain_ht_params);
6215 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6216 rhltable_insert_key(&trans->ctx.table->chains_ht,
6217 trans->ctx.chain->name,
6218 &trans->ctx.chain->rhlhead,
6219 nft_chain_ht_params);
6222 if (!nft_is_base_chain(trans->ctx.chain))
6225 basechain = nft_base_chain(trans->ctx.chain);
6226 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
6228 switch (nft_trans_chain_policy(trans)) {
6231 basechain->policy = nft_trans_chain_policy(trans);
6236 static void nft_commit_release(struct nft_trans *trans)
6238 switch (trans->msg_type) {
6239 case NFT_MSG_DELTABLE:
6240 nf_tables_table_destroy(&trans->ctx);
6242 case NFT_MSG_NEWCHAIN:
6243 kfree(nft_trans_chain_name(trans));
6245 case NFT_MSG_DELCHAIN:
6246 nf_tables_chain_destroy(&trans->ctx);
6248 case NFT_MSG_DELRULE:
6249 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6251 case NFT_MSG_DELSET:
6252 nft_set_destroy(nft_trans_set(trans));
6254 case NFT_MSG_DELSETELEM:
6255 nf_tables_set_elem_destroy(&trans->ctx,
6256 nft_trans_elem_set(trans),
6257 nft_trans_elem(trans).priv);
6259 case NFT_MSG_DELOBJ:
6260 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6262 case NFT_MSG_DELFLOWTABLE:
6263 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6268 put_net(trans->ctx.net);
6273 static void nf_tables_trans_destroy_work(struct work_struct *w)
6275 struct nft_trans *trans, *next;
6278 spin_lock(&nf_tables_destroy_list_lock);
6279 list_splice_init(&nf_tables_destroy_list, &head);
6280 spin_unlock(&nf_tables_destroy_list_lock);
6282 if (list_empty(&head))
6287 list_for_each_entry_safe(trans, next, &head, list) {
6288 list_del(&trans->list);
6289 nft_commit_release(trans);
6293 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6295 struct nft_rule *rule;
6296 unsigned int alloc = 0;
6299 /* already handled or inactive chain? */
6300 if (chain->rules_next || !nft_is_active_next(net, chain))
6303 rule = list_entry(&chain->rules, struct nft_rule, list);
6306 list_for_each_entry_continue(rule, &chain->rules, list) {
6307 if (nft_is_active_next(net, rule))
6311 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6312 if (!chain->rules_next)
6315 list_for_each_entry_continue(rule, &chain->rules, list) {
6316 if (nft_is_active_next(net, rule))
6317 chain->rules_next[i++] = rule;
6320 chain->rules_next[i] = NULL;
6324 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6326 struct nft_trans *trans, *next;
6328 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6329 struct nft_chain *chain = trans->ctx.chain;
6331 if (trans->msg_type == NFT_MSG_NEWRULE ||
6332 trans->msg_type == NFT_MSG_DELRULE) {
6333 kvfree(chain->rules_next);
6334 chain->rules_next = NULL;
6339 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6341 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6346 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6348 struct nft_rule **r = rules;
6349 struct nft_rules_old *old;
6354 r++; /* rcu_head is after end marker */
6358 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6361 static void nf_tables_commit_chain_active(struct net *net, struct nft_chain *chain)
6363 struct nft_rule **g0, **g1;
6366 next_genbit = nft_gencursor_next(net);
6368 g0 = rcu_dereference_protected(chain->rules_gen_0,
6369 lockdep_commit_lock_is_held(net));
6370 g1 = rcu_dereference_protected(chain->rules_gen_1,
6371 lockdep_commit_lock_is_held(net));
6373 /* No changes to this chain? */
6374 if (chain->rules_next == NULL) {
6375 /* chain had no change in last or next generation */
6379 * chain had no change in this generation; make sure next
6380 * one uses same rules as current generation.
6383 rcu_assign_pointer(chain->rules_gen_1, g0);
6384 nf_tables_commit_chain_free_rules_old(g1);
6386 rcu_assign_pointer(chain->rules_gen_0, g1);
6387 nf_tables_commit_chain_free_rules_old(g0);
6394 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6396 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6398 chain->rules_next = NULL;
6404 nf_tables_commit_chain_free_rules_old(g1);
6406 nf_tables_commit_chain_free_rules_old(g0);
6409 static void nft_chain_del(struct nft_chain *chain)
6411 struct nft_table *table = chain->table;
6413 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6414 nft_chain_ht_params));
6415 list_del_rcu(&chain->list);
6418 static void nf_tables_commit_release(struct net *net)
6420 struct nft_trans *trans;
6422 /* all side effects have to be made visible.
6423 * For example, if a chain named 'foo' has been deleted, a
6424 * new transaction must not find it anymore.
6426 * Memory reclaim happens asynchronously from work queue
6427 * to prevent expensive synchronize_rcu() in commit phase.
6429 if (list_empty(&net->nft.commit_list)) {
6430 mutex_unlock(&net->nft.commit_mutex);
6434 trans = list_last_entry(&net->nft.commit_list,
6435 struct nft_trans, list);
6436 get_net(trans->ctx.net);
6437 WARN_ON_ONCE(trans->put_net);
6439 trans->put_net = true;
6440 spin_lock(&nf_tables_destroy_list_lock);
6441 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6442 spin_unlock(&nf_tables_destroy_list_lock);
6444 mutex_unlock(&net->nft.commit_mutex);
6446 schedule_work(&trans_destroy_work);
6449 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6451 struct nft_trans *trans, *next;
6452 struct nft_trans_elem *te;
6453 struct nft_chain *chain;
6454 struct nft_table *table;
6456 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6457 if (nf_tables_validate(net) < 0)
6460 /* 1. Allocate space for next generation rules_gen_X[] */
6461 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6464 if (trans->msg_type == NFT_MSG_NEWRULE ||
6465 trans->msg_type == NFT_MSG_DELRULE) {
6466 chain = trans->ctx.chain;
6468 ret = nf_tables_commit_chain_prepare(net, chain);
6470 nf_tables_commit_chain_prepare_cancel(net);
6476 /* step 2. Make rules_gen_X visible to packet path */
6477 list_for_each_entry(table, &net->nft.tables, list) {
6478 list_for_each_entry(chain, &table->chains, list) {
6479 if (!nft_is_active_next(net, chain))
6481 nf_tables_commit_chain_active(net, chain);
6486 * Bump generation counter, invalidate any dump in progress.
6487 * Cannot fail after this point.
6489 while (++net->nft.base_seq == 0);
6491 /* step 3. Start new generation, rules_gen_X now in use. */
6492 net->nft.gencursor = nft_gencursor_next(net);
6494 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6495 switch (trans->msg_type) {
6496 case NFT_MSG_NEWTABLE:
6497 if (nft_trans_table_update(trans)) {
6498 if (!nft_trans_table_enable(trans)) {
6499 nf_tables_table_disable(net,
6501 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6504 nft_clear(net, trans->ctx.table);
6506 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6507 nft_trans_destroy(trans);
6509 case NFT_MSG_DELTABLE:
6510 list_del_rcu(&trans->ctx.table->list);
6511 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6513 case NFT_MSG_NEWCHAIN:
6514 if (nft_trans_chain_update(trans)) {
6515 nft_chain_commit_update(trans);
6516 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6517 /* trans destroyed after rcu grace period */
6519 nft_clear(net, trans->ctx.chain);
6520 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6521 nft_trans_destroy(trans);
6524 case NFT_MSG_DELCHAIN:
6525 nft_chain_del(trans->ctx.chain);
6526 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6527 nf_tables_unregister_hook(trans->ctx.net,
6531 case NFT_MSG_NEWRULE:
6532 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6533 nf_tables_rule_notify(&trans->ctx,
6534 nft_trans_rule(trans),
6536 nft_trans_destroy(trans);
6538 case NFT_MSG_DELRULE:
6539 list_del_rcu(&nft_trans_rule(trans)->list);
6540 nf_tables_rule_notify(&trans->ctx,
6541 nft_trans_rule(trans),
6544 case NFT_MSG_NEWSET:
6545 nft_clear(net, nft_trans_set(trans));
6546 /* This avoids hitting -EBUSY when deleting the table
6547 * from the transaction.
6549 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6550 !list_empty(&nft_trans_set(trans)->bindings))
6551 trans->ctx.table->use--;
6553 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6554 NFT_MSG_NEWSET, GFP_KERNEL);
6555 nft_trans_destroy(trans);
6557 case NFT_MSG_DELSET:
6558 list_del_rcu(&nft_trans_set(trans)->list);
6559 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6560 NFT_MSG_DELSET, GFP_KERNEL);
6562 case NFT_MSG_NEWSETELEM:
6563 te = (struct nft_trans_elem *)trans->data;
6565 te->set->ops->activate(net, te->set, &te->elem);
6566 nf_tables_setelem_notify(&trans->ctx, te->set,
6568 NFT_MSG_NEWSETELEM, 0);
6569 nft_trans_destroy(trans);
6571 case NFT_MSG_DELSETELEM:
6572 te = (struct nft_trans_elem *)trans->data;
6574 nf_tables_setelem_notify(&trans->ctx, te->set,
6576 NFT_MSG_DELSETELEM, 0);
6577 te->set->ops->remove(net, te->set, &te->elem);
6578 atomic_dec(&te->set->nelems);
6581 case NFT_MSG_NEWOBJ:
6582 nft_clear(net, nft_trans_obj(trans));
6583 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6585 nft_trans_destroy(trans);
6587 case NFT_MSG_DELOBJ:
6588 list_del_rcu(&nft_trans_obj(trans)->list);
6589 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6592 case NFT_MSG_NEWFLOWTABLE:
6593 nft_clear(net, nft_trans_flowtable(trans));
6594 nf_tables_flowtable_notify(&trans->ctx,
6595 nft_trans_flowtable(trans),
6596 NFT_MSG_NEWFLOWTABLE);
6597 nft_trans_destroy(trans);
6599 case NFT_MSG_DELFLOWTABLE:
6600 list_del_rcu(&nft_trans_flowtable(trans)->list);
6601 nf_tables_flowtable_notify(&trans->ctx,
6602 nft_trans_flowtable(trans),
6603 NFT_MSG_DELFLOWTABLE);
6604 nft_unregister_flowtable_net_hooks(net,
6605 nft_trans_flowtable(trans));
6610 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6611 nf_tables_commit_release(net);
6616 static void nf_tables_abort_release(struct nft_trans *trans)
6618 switch (trans->msg_type) {
6619 case NFT_MSG_NEWTABLE:
6620 nf_tables_table_destroy(&trans->ctx);
6622 case NFT_MSG_NEWCHAIN:
6623 nf_tables_chain_destroy(&trans->ctx);
6625 case NFT_MSG_NEWRULE:
6626 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6628 case NFT_MSG_NEWSET:
6629 nft_set_destroy(nft_trans_set(trans));
6631 case NFT_MSG_NEWSETELEM:
6632 nft_set_elem_destroy(nft_trans_elem_set(trans),
6633 nft_trans_elem(trans).priv, true);
6635 case NFT_MSG_NEWOBJ:
6636 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6638 case NFT_MSG_NEWFLOWTABLE:
6639 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6645 static int __nf_tables_abort(struct net *net)
6647 struct nft_trans *trans, *next;
6648 struct nft_trans_elem *te;
6650 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6652 switch (trans->msg_type) {
6653 case NFT_MSG_NEWTABLE:
6654 if (nft_trans_table_update(trans)) {
6655 if (nft_trans_table_enable(trans)) {
6656 nf_tables_table_disable(net,
6658 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6660 nft_trans_destroy(trans);
6662 list_del_rcu(&trans->ctx.table->list);
6665 case NFT_MSG_DELTABLE:
6666 nft_clear(trans->ctx.net, trans->ctx.table);
6667 nft_trans_destroy(trans);
6669 case NFT_MSG_NEWCHAIN:
6670 if (nft_trans_chain_update(trans)) {
6671 free_percpu(nft_trans_chain_stats(trans));
6672 kfree(nft_trans_chain_name(trans));
6673 nft_trans_destroy(trans);
6675 trans->ctx.table->use--;
6676 nft_chain_del(trans->ctx.chain);
6677 nf_tables_unregister_hook(trans->ctx.net,
6682 case NFT_MSG_DELCHAIN:
6683 trans->ctx.table->use++;
6684 nft_clear(trans->ctx.net, trans->ctx.chain);
6685 nft_trans_destroy(trans);
6687 case NFT_MSG_NEWRULE:
6688 trans->ctx.chain->use--;
6689 list_del_rcu(&nft_trans_rule(trans)->list);
6690 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6692 case NFT_MSG_DELRULE:
6693 trans->ctx.chain->use++;
6694 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6695 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6696 nft_trans_destroy(trans);
6698 case NFT_MSG_NEWSET:
6699 trans->ctx.table->use--;
6700 list_del_rcu(&nft_trans_set(trans)->list);
6702 case NFT_MSG_DELSET:
6703 trans->ctx.table->use++;
6704 nft_clear(trans->ctx.net, nft_trans_set(trans));
6705 nft_trans_destroy(trans);
6707 case NFT_MSG_NEWSETELEM:
6708 te = (struct nft_trans_elem *)trans->data;
6710 te->set->ops->remove(net, te->set, &te->elem);
6711 atomic_dec(&te->set->nelems);
6713 case NFT_MSG_DELSETELEM:
6714 te = (struct nft_trans_elem *)trans->data;
6716 nft_set_elem_activate(net, te->set, &te->elem);
6717 te->set->ops->activate(net, te->set, &te->elem);
6720 nft_trans_destroy(trans);
6722 case NFT_MSG_NEWOBJ:
6723 trans->ctx.table->use--;
6724 list_del_rcu(&nft_trans_obj(trans)->list);
6726 case NFT_MSG_DELOBJ:
6727 trans->ctx.table->use++;
6728 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6729 nft_trans_destroy(trans);
6731 case NFT_MSG_NEWFLOWTABLE:
6732 trans->ctx.table->use--;
6733 list_del_rcu(&nft_trans_flowtable(trans)->list);
6734 nft_unregister_flowtable_net_hooks(net,
6735 nft_trans_flowtable(trans));
6737 case NFT_MSG_DELFLOWTABLE:
6738 trans->ctx.table->use++;
6739 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6740 nft_trans_destroy(trans);
6747 list_for_each_entry_safe_reverse(trans, next,
6748 &net->nft.commit_list, list) {
6749 list_del(&trans->list);
6750 nf_tables_abort_release(trans);
6756 static void nf_tables_cleanup(struct net *net)
6758 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6761 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6763 int ret = __nf_tables_abort(net);
6765 mutex_unlock(&net->nft.commit_mutex);
6770 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6774 mutex_lock(&net->nft.commit_mutex);
6776 genid_ok = genid == 0 || net->nft.base_seq == genid;
6778 mutex_unlock(&net->nft.commit_mutex);
6780 /* else, commit mutex has to be released by commit or abort function */
6784 static const struct nfnetlink_subsystem nf_tables_subsys = {
6785 .name = "nf_tables",
6786 .subsys_id = NFNL_SUBSYS_NFTABLES,
6787 .cb_count = NFT_MSG_MAX,
6789 .commit = nf_tables_commit,
6790 .abort = nf_tables_abort,
6791 .cleanup = nf_tables_cleanup,
6792 .valid_genid = nf_tables_valid_genid,
6793 .owner = THIS_MODULE,
6796 int nft_chain_validate_dependency(const struct nft_chain *chain,
6797 enum nft_chain_types type)
6799 const struct nft_base_chain *basechain;
6801 if (nft_is_base_chain(chain)) {
6802 basechain = nft_base_chain(chain);
6803 if (basechain->type->type != type)
6808 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6810 int nft_chain_validate_hooks(const struct nft_chain *chain,
6811 unsigned int hook_flags)
6813 struct nft_base_chain *basechain;
6815 if (nft_is_base_chain(chain)) {
6816 basechain = nft_base_chain(chain);
6818 if ((1 << basechain->ops.hooknum) & hook_flags)
6826 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6829 * Loop detection - walk through the ruleset beginning at the destination chain
6830 * of a new jump until either the source chain is reached (loop) or all
6831 * reachable chains have been traversed.
6833 * The loop check is performed whenever a new jump verdict is added to an
6834 * expression or verdict map or a verdict map is bound to a new chain.
6837 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6838 const struct nft_chain *chain);
6840 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6841 struct nft_set *set,
6842 const struct nft_set_iter *iter,
6843 struct nft_set_elem *elem)
6845 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6846 const struct nft_data *data;
6848 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6849 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6852 data = nft_set_ext_data(ext);
6853 switch (data->verdict.code) {
6856 return nf_tables_check_loops(ctx, data->verdict.chain);
6862 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6863 const struct nft_chain *chain)
6865 const struct nft_rule *rule;
6866 const struct nft_expr *expr, *last;
6867 struct nft_set *set;
6868 struct nft_set_binding *binding;
6869 struct nft_set_iter iter;
6871 if (ctx->chain == chain)
6874 list_for_each_entry(rule, &chain->rules, list) {
6875 nft_rule_for_each_expr(expr, last, rule) {
6876 struct nft_immediate_expr *priv;
6877 const struct nft_data *data;
6880 if (strcmp(expr->ops->type->name, "immediate"))
6883 priv = nft_expr_priv(expr);
6884 if (priv->dreg != NFT_REG_VERDICT)
6888 switch (data->verdict.code) {
6891 err = nf_tables_check_loops(ctx,
6892 data->verdict.chain);
6901 list_for_each_entry(set, &ctx->table->sets, list) {
6902 if (!nft_is_active_next(ctx->net, set))
6904 if (!(set->flags & NFT_SET_MAP) ||
6905 set->dtype != NFT_DATA_VERDICT)
6908 list_for_each_entry(binding, &set->bindings, list) {
6909 if (!(binding->flags & NFT_SET_MAP) ||
6910 binding->chain != chain)
6913 iter.genmask = nft_genmask_next(ctx->net);
6917 iter.fn = nf_tables_loop_check_setelem;
6919 set->ops->walk(ctx, set, &iter);
6929 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6931 * @attr: netlink attribute to fetch value from
6932 * @max: maximum value to be stored in dest
6933 * @dest: pointer to the variable
6935 * Parse, check and store a given u32 netlink attribute into variable.
6936 * This function returns -ERANGE if the value goes over maximum value.
6937 * Otherwise a 0 is returned and the attribute value is stored in the
6938 * destination variable.
6940 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6944 val = ntohl(nla_get_be32(attr));
6951 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6954 * nft_parse_register - parse a register value from a netlink attribute
6956 * @attr: netlink attribute
6958 * Parse and translate a register value from a netlink attribute.
6959 * Registers used to be 128 bit wide, these register numbers will be
6960 * mapped to the corresponding 32 bit register numbers.
6962 unsigned int nft_parse_register(const struct nlattr *attr)
6966 reg = ntohl(nla_get_be32(attr));
6968 case NFT_REG_VERDICT...NFT_REG_4:
6969 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6971 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6974 EXPORT_SYMBOL_GPL(nft_parse_register);
6977 * nft_dump_register - dump a register value to a netlink attribute
6979 * @skb: socket buffer
6980 * @attr: attribute number
6981 * @reg: register number
6983 * Construct a netlink attribute containing the register number. For
6984 * compatibility reasons, register numbers being a multiple of 4 are
6985 * translated to the corresponding 128 bit register numbers.
6987 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6989 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6990 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6992 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6994 return nla_put_be32(skb, attr, htonl(reg));
6996 EXPORT_SYMBOL_GPL(nft_dump_register);
6999 * nft_validate_register_load - validate a load from a register
7001 * @reg: the register number
7002 * @len: the length of the data
7004 * Validate that the input register is one of the general purpose
7005 * registers and that the length of the load is within the bounds.
7007 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7009 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7013 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7018 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7021 * nft_validate_register_store - validate an expressions' register store
7023 * @ctx: context of the expression performing the load
7024 * @reg: the destination register number
7025 * @data: the data to load
7026 * @type: the data type
7027 * @len: the length of the data
7029 * Validate that a data load uses the appropriate data type for
7030 * the destination register and the length is within the bounds.
7031 * A value of NULL for the data means that its runtime gathered
7034 int nft_validate_register_store(const struct nft_ctx *ctx,
7035 enum nft_registers reg,
7036 const struct nft_data *data,
7037 enum nft_data_types type, unsigned int len)
7042 case NFT_REG_VERDICT:
7043 if (type != NFT_DATA_VERDICT)
7047 (data->verdict.code == NFT_GOTO ||
7048 data->verdict.code == NFT_JUMP)) {
7049 err = nf_tables_check_loops(ctx, data->verdict.chain);
7056 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7060 if (reg * NFT_REG32_SIZE + len >
7061 FIELD_SIZEOF(struct nft_regs, data))
7064 if (data != NULL && type != NFT_DATA_VALUE)
7069 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7071 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7072 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7073 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7074 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7077 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7078 struct nft_data_desc *desc, const struct nlattr *nla)
7080 u8 genmask = nft_genmask_next(ctx->net);
7081 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7082 struct nft_chain *chain;
7085 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
7090 if (!tb[NFTA_VERDICT_CODE])
7092 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7094 switch (data->verdict.code) {
7096 switch (data->verdict.code & NF_VERDICT_MASK) {
7111 if (!tb[NFTA_VERDICT_CHAIN])
7113 chain = nft_chain_lookup(ctx->net, ctx->table,
7114 tb[NFTA_VERDICT_CHAIN], genmask);
7116 return PTR_ERR(chain);
7117 if (nft_is_base_chain(chain))
7121 data->verdict.chain = chain;
7125 desc->len = sizeof(data->verdict);
7126 desc->type = NFT_DATA_VERDICT;
7130 static void nft_verdict_uninit(const struct nft_data *data)
7132 switch (data->verdict.code) {
7135 data->verdict.chain->use--;
7140 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7142 struct nlattr *nest;
7144 nest = nla_nest_start(skb, type);
7146 goto nla_put_failure;
7148 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7149 goto nla_put_failure;
7154 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7156 goto nla_put_failure;
7158 nla_nest_end(skb, nest);
7165 static int nft_value_init(const struct nft_ctx *ctx,
7166 struct nft_data *data, unsigned int size,
7167 struct nft_data_desc *desc, const struct nlattr *nla)
7177 nla_memcpy(data->data, nla, len);
7178 desc->type = NFT_DATA_VALUE;
7183 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7186 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7189 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7190 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7191 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7195 * nft_data_init - parse nf_tables data netlink attributes
7197 * @ctx: context of the expression using the data
7198 * @data: destination struct nft_data
7199 * @size: maximum data length
7200 * @desc: data description
7201 * @nla: netlink attribute containing data
7203 * Parse the netlink data attributes and initialize a struct nft_data.
7204 * The type and length of data are returned in the data description.
7206 * The caller can indicate that it only wants to accept data of type
7207 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7209 int nft_data_init(const struct nft_ctx *ctx,
7210 struct nft_data *data, unsigned int size,
7211 struct nft_data_desc *desc, const struct nlattr *nla)
7213 struct nlattr *tb[NFTA_DATA_MAX + 1];
7216 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
7220 if (tb[NFTA_DATA_VALUE])
7221 return nft_value_init(ctx, data, size, desc,
7222 tb[NFTA_DATA_VALUE]);
7223 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7224 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7227 EXPORT_SYMBOL_GPL(nft_data_init);
7230 * nft_data_release - release a nft_data item
7232 * @data: struct nft_data to release
7233 * @type: type of data
7235 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7236 * all others need to be released by calling this function.
7238 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7240 if (type < NFT_DATA_VERDICT)
7243 case NFT_DATA_VERDICT:
7244 return nft_verdict_uninit(data);
7249 EXPORT_SYMBOL_GPL(nft_data_release);
7251 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7252 enum nft_data_types type, unsigned int len)
7254 struct nlattr *nest;
7257 nest = nla_nest_start(skb, attr);
7262 case NFT_DATA_VALUE:
7263 err = nft_value_dump(skb, data, len);
7265 case NFT_DATA_VERDICT:
7266 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7273 nla_nest_end(skb, nest);
7276 EXPORT_SYMBOL_GPL(nft_data_dump);
7278 int __nft_release_basechain(struct nft_ctx *ctx)
7280 struct nft_rule *rule, *nr;
7282 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7285 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7286 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7287 list_del(&rule->list);
7289 nf_tables_rule_release(ctx, rule);
7291 nft_chain_del(ctx->chain);
7293 nf_tables_chain_destroy(ctx);
7297 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7299 static void __nft_release_tables(struct net *net)
7301 struct nft_flowtable *flowtable, *nf;
7302 struct nft_table *table, *nt;
7303 struct nft_chain *chain, *nc;
7304 struct nft_object *obj, *ne;
7305 struct nft_rule *rule, *nr;
7306 struct nft_set *set, *ns;
7307 struct nft_ctx ctx = {
7309 .family = NFPROTO_NETDEV,
7312 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7313 ctx.family = table->family;
7315 list_for_each_entry(chain, &table->chains, list)
7316 nf_tables_unregister_hook(net, table, chain);
7317 /* No packets are walking on these chains anymore. */
7319 list_for_each_entry(chain, &table->chains, list) {
7321 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7322 list_del(&rule->list);
7324 nf_tables_rule_release(&ctx, rule);
7327 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7328 list_del(&flowtable->list);
7330 nf_tables_flowtable_destroy(flowtable);
7332 list_for_each_entry_safe(set, ns, &table->sets, list) {
7333 list_del(&set->list);
7335 nft_set_destroy(set);
7337 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7338 list_del(&obj->list);
7340 nft_obj_destroy(&ctx, obj);
7342 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7344 nft_chain_del(chain);
7346 nf_tables_chain_destroy(&ctx);
7348 list_del(&table->list);
7349 nf_tables_table_destroy(&ctx);
7353 static int __net_init nf_tables_init_net(struct net *net)
7355 INIT_LIST_HEAD(&net->nft.tables);
7356 INIT_LIST_HEAD(&net->nft.commit_list);
7357 mutex_init(&net->nft.commit_mutex);
7358 net->nft.base_seq = 1;
7359 net->nft.validate_state = NFT_VALIDATE_SKIP;
7364 static void __net_exit nf_tables_exit_net(struct net *net)
7366 mutex_lock(&net->nft.commit_mutex);
7367 if (!list_empty(&net->nft.commit_list))
7368 __nf_tables_abort(net);
7369 __nft_release_tables(net);
7370 mutex_unlock(&net->nft.commit_mutex);
7371 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7374 static struct pernet_operations nf_tables_net_ops = {
7375 .init = nf_tables_init_net,
7376 .exit = nf_tables_exit_net,
7379 static int __init nf_tables_module_init(void)
7383 spin_lock_init(&nf_tables_destroy_list_lock);
7384 err = register_pernet_subsys(&nf_tables_net_ops);
7388 err = nft_chain_filter_init();
7392 err = nf_tables_core_module_init();
7396 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7401 err = nfnetlink_subsys_register(&nf_tables_subsys);
7407 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7409 nf_tables_core_module_exit();
7411 nft_chain_filter_fini();
7413 unregister_pernet_subsys(&nf_tables_net_ops);
7417 static void __exit nf_tables_module_exit(void)
7419 nfnetlink_subsys_unregister(&nf_tables_subsys);
7420 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7421 nft_chain_filter_fini();
7422 unregister_pernet_subsys(&nf_tables_net_ops);
7423 cancel_work_sync(&trans_destroy_work);
7425 nf_tables_core_module_exit();
7428 module_init(nf_tables_module_init);
7429 module_exit(nf_tables_module_exit);
7431 MODULE_LICENSE("GPL");
7432 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7433 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob