2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 /* removal requests are queued in the commit_list, but not acted upon
78 * until after all new rules are in place.
80 * Therefore, nf_register_net_hook(net, &nat_hook) runs before pending
81 * nf_unregister_net_hook().
83 * nf_register_net_hook thus fails if a nat hook is already in place
84 * even if the conflicting hook is about to be removed.
86 * If collision is detected, search commit_log for DELCHAIN matching
87 * the new nat hooknum; if we find one collision is temporary:
89 * Either transaction is aborted (new/colliding hook is removed), or
90 * transaction is committed (old hook is removed).
92 static bool nf_tables_allow_nat_conflict(const struct net *net,
93 const struct nf_hook_ops *ops)
95 const struct nft_trans *trans;
101 list_for_each_entry(trans, &net->nft.commit_list, list) {
102 const struct nf_hook_ops *pending_ops;
103 const struct nft_chain *pending;
105 if (trans->msg_type != NFT_MSG_NEWCHAIN &&
106 trans->msg_type != NFT_MSG_DELCHAIN)
109 pending = trans->ctx.chain;
110 if (!nft_is_base_chain(pending))
113 pending_ops = &nft_base_chain(pending)->ops;
114 if (pending_ops->nat_hook &&
115 pending_ops->pf == ops->pf &&
116 pending_ops->hooknum == ops->hooknum) {
117 /* other hook registration already pending? */
118 if (trans->msg_type == NFT_MSG_NEWCHAIN)
128 static int nf_tables_register_hook(struct net *net,
129 const struct nft_table *table,
130 struct nft_chain *chain)
132 struct nf_hook_ops *ops;
135 if (table->flags & NFT_TABLE_F_DORMANT ||
136 !nft_is_base_chain(chain))
139 ops = &nft_base_chain(chain)->ops;
140 ret = nf_register_net_hook(net, ops);
141 if (ret == -EBUSY && nf_tables_allow_nat_conflict(net, ops)) {
142 ops->nat_hook = false;
143 ret = nf_register_net_hook(net, ops);
144 ops->nat_hook = true;
150 static void nf_tables_unregister_hook(struct net *net,
151 const struct nft_table *table,
152 struct nft_chain *chain)
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !nft_is_base_chain(chain))
158 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
161 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
163 struct nft_trans *trans;
165 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
169 if (msg_type == NFT_MSG_NEWTABLE)
170 nft_activate_next(ctx->net, ctx->table);
172 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
176 static int nft_deltable(struct nft_ctx *ctx)
180 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
184 nft_deactivate_next(ctx->net, ctx->table);
188 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
190 struct nft_trans *trans;
192 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
196 if (msg_type == NFT_MSG_NEWCHAIN)
197 nft_activate_next(ctx->net, ctx->chain);
199 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
203 static int nft_delchain(struct nft_ctx *ctx)
207 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
212 nft_deactivate_next(ctx->net, ctx->chain);
218 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
220 /* You cannot delete the same rule twice */
221 if (nft_is_active_next(ctx->net, rule)) {
222 nft_deactivate_next(ctx->net, rule);
229 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
230 struct nft_rule *rule)
232 struct nft_trans *trans;
234 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
238 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
239 nft_trans_rule_id(trans) =
240 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
242 nft_trans_rule(trans) = rule;
243 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
248 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
250 struct nft_trans *trans;
253 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
257 err = nf_tables_delrule_deactivate(ctx, rule);
259 nft_trans_destroy(trans);
266 static int nft_delrule_by_chain(struct nft_ctx *ctx)
268 struct nft_rule *rule;
271 list_for_each_entry(rule, &ctx->chain->rules, list) {
272 err = nft_delrule(ctx, rule);
279 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
282 struct nft_trans *trans;
284 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
288 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
289 nft_trans_set_id(trans) =
290 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
291 nft_activate_next(ctx->net, set);
293 nft_trans_set(trans) = set;
294 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
299 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
303 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
307 nft_deactivate_next(ctx->net, set);
313 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
314 struct nft_object *obj)
316 struct nft_trans *trans;
318 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
322 if (msg_type == NFT_MSG_NEWOBJ)
323 nft_activate_next(ctx->net, obj);
325 nft_trans_obj(trans) = obj;
326 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
331 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
335 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
339 nft_deactivate_next(ctx->net, obj);
345 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
346 struct nft_flowtable *flowtable)
348 struct nft_trans *trans;
350 trans = nft_trans_alloc(ctx, msg_type,
351 sizeof(struct nft_trans_flowtable));
355 if (msg_type == NFT_MSG_NEWFLOWTABLE)
356 nft_activate_next(ctx->net, flowtable);
358 nft_trans_flowtable(trans) = flowtable;
359 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
364 static int nft_delflowtable(struct nft_ctx *ctx,
365 struct nft_flowtable *flowtable)
369 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
373 nft_deactivate_next(ctx->net, flowtable);
383 static struct nft_table *nft_table_lookup(const struct net *net,
384 const struct nlattr *nla,
385 u8 family, u8 genmask)
387 struct nft_table *table;
390 return ERR_PTR(-EINVAL);
392 list_for_each_entry(table, &net->nft.tables, list) {
393 if (!nla_strcmp(nla, table->name) &&
394 table->family == family &&
395 nft_active_genmask(table, genmask))
399 return ERR_PTR(-ENOENT);
402 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
403 const struct nlattr *nla,
406 struct nft_table *table;
408 list_for_each_entry(table, &net->nft.tables, list) {
409 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
410 nft_active_genmask(table, genmask))
414 return ERR_PTR(-ENOENT);
417 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
419 return ++table->hgenerator;
422 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
424 static const struct nft_chain_type *
425 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
429 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
430 if (chain_type[family][i] != NULL &&
431 !nla_strcmp(nla, chain_type[family][i]->name))
432 return chain_type[family][i];
437 static const struct nft_chain_type *
438 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
440 const struct nft_chain_type *type;
442 type = __nf_tables_chain_type_lookup(nla, family);
445 #ifdef CONFIG_MODULES
447 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
448 request_module("nft-chain-%u-%.*s", family,
449 nla_len(nla), (const char *)nla_data(nla));
450 nfnl_lock(NFNL_SUBSYS_NFTABLES);
451 type = __nf_tables_chain_type_lookup(nla, family);
453 return ERR_PTR(-EAGAIN);
456 return ERR_PTR(-ENOENT);
459 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
460 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
461 .len = NFT_TABLE_MAXNAMELEN - 1 },
462 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
463 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
466 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
467 u32 portid, u32 seq, int event, u32 flags,
468 int family, const struct nft_table *table)
470 struct nlmsghdr *nlh;
471 struct nfgenmsg *nfmsg;
473 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
474 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
476 goto nla_put_failure;
478 nfmsg = nlmsg_data(nlh);
479 nfmsg->nfgen_family = family;
480 nfmsg->version = NFNETLINK_V0;
481 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
483 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
484 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
485 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
486 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
488 goto nla_put_failure;
494 nlmsg_trim(skb, nlh);
498 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
504 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
507 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
511 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
512 event, 0, ctx->family, ctx->table);
518 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
519 ctx->report, GFP_KERNEL);
522 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
525 static int nf_tables_dump_tables(struct sk_buff *skb,
526 struct netlink_callback *cb)
528 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
529 const struct nft_table *table;
530 unsigned int idx = 0, s_idx = cb->args[0];
531 struct net *net = sock_net(skb->sk);
532 int family = nfmsg->nfgen_family;
535 cb->seq = net->nft.base_seq;
537 list_for_each_entry_rcu(table, &net->nft.tables, list) {
538 if (family != NFPROTO_UNSPEC && family != table->family)
544 memset(&cb->args[1], 0,
545 sizeof(cb->args) - sizeof(cb->args[0]));
546 if (!nft_is_active(net, table))
548 if (nf_tables_fill_table_info(skb, net,
549 NETLINK_CB(cb->skb).portid,
551 NFT_MSG_NEWTABLE, NLM_F_MULTI,
552 table->family, table) < 0)
555 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
565 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
566 struct sk_buff *skb, const struct nlmsghdr *nlh,
567 const struct nlattr * const nla[],
568 struct netlink_ext_ack *extack)
570 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
571 u8 genmask = nft_genmask_cur(net);
572 const struct nft_table *table;
573 struct sk_buff *skb2;
574 int family = nfmsg->nfgen_family;
577 if (nlh->nlmsg_flags & NLM_F_DUMP) {
578 struct netlink_dump_control c = {
579 .dump = nf_tables_dump_tables,
581 return netlink_dump_start(nlsk, skb, nlh, &c);
584 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
586 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
587 return PTR_ERR(table);
590 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
594 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
595 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
600 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
607 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
609 struct nft_chain *chain;
612 list_for_each_entry(chain, &table->chains, list) {
613 if (!nft_is_active_next(net, chain))
615 if (!nft_is_base_chain(chain))
618 if (cnt && i++ == cnt)
621 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
625 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
627 struct nft_chain *chain;
630 list_for_each_entry(chain, &table->chains, list) {
631 if (!nft_is_active_next(net, chain))
633 if (!nft_is_base_chain(chain))
636 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
645 nft_table_disable(net, table, i);
649 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
651 nft_table_disable(net, table, 0);
654 static int nf_tables_updtable(struct nft_ctx *ctx)
656 struct nft_trans *trans;
660 if (!ctx->nla[NFTA_TABLE_FLAGS])
663 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
664 if (flags & ~NFT_TABLE_F_DORMANT)
667 if (flags == ctx->table->flags)
670 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
671 sizeof(struct nft_trans_table));
675 if ((flags & NFT_TABLE_F_DORMANT) &&
676 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
677 nft_trans_table_enable(trans) = false;
678 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
679 ctx->table->flags & NFT_TABLE_F_DORMANT) {
680 ret = nf_tables_table_enable(ctx->net, ctx->table);
682 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
683 nft_trans_table_enable(trans) = true;
689 nft_trans_table_update(trans) = true;
690 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
693 nft_trans_destroy(trans);
697 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
698 struct sk_buff *skb, const struct nlmsghdr *nlh,
699 const struct nlattr * const nla[],
700 struct netlink_ext_ack *extack)
702 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
703 u8 genmask = nft_genmask_next(net);
704 int family = nfmsg->nfgen_family;
705 const struct nlattr *attr;
706 struct nft_table *table;
711 attr = nla[NFTA_TABLE_NAME];
712 table = nft_table_lookup(net, attr, family, genmask);
714 if (PTR_ERR(table) != -ENOENT)
715 return PTR_ERR(table);
717 if (nlh->nlmsg_flags & NLM_F_EXCL) {
718 NL_SET_BAD_ATTR(extack, attr);
721 if (nlh->nlmsg_flags & NLM_F_REPLACE)
724 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
725 return nf_tables_updtable(&ctx);
728 if (nla[NFTA_TABLE_FLAGS]) {
729 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
730 if (flags & ~NFT_TABLE_F_DORMANT)
735 table = kzalloc(sizeof(*table), GFP_KERNEL);
739 table->name = nla_strdup(attr, GFP_KERNEL);
740 if (table->name == NULL)
743 INIT_LIST_HEAD(&table->chains);
744 INIT_LIST_HEAD(&table->sets);
745 INIT_LIST_HEAD(&table->objects);
746 INIT_LIST_HEAD(&table->flowtables);
747 table->family = family;
748 table->flags = flags;
749 table->handle = ++table_handle;
751 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
752 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
756 list_add_tail_rcu(&table->list, &net->nft.tables);
766 static int nft_flush_table(struct nft_ctx *ctx)
768 struct nft_flowtable *flowtable, *nft;
769 struct nft_chain *chain, *nc;
770 struct nft_object *obj, *ne;
771 struct nft_set *set, *ns;
774 list_for_each_entry(chain, &ctx->table->chains, list) {
775 if (!nft_is_active_next(ctx->net, chain))
780 err = nft_delrule_by_chain(ctx);
785 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
786 if (!nft_is_active_next(ctx->net, set))
789 if (nft_set_is_anonymous(set) &&
790 !list_empty(&set->bindings))
793 err = nft_delset(ctx, set);
798 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
799 err = nft_delflowtable(ctx, flowtable);
804 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
805 err = nft_delobj(ctx, obj);
810 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
811 if (!nft_is_active_next(ctx->net, chain))
816 err = nft_delchain(ctx);
821 err = nft_deltable(ctx);
826 static int nft_flush(struct nft_ctx *ctx, int family)
828 struct nft_table *table, *nt;
829 const struct nlattr * const *nla = ctx->nla;
832 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
833 if (family != AF_UNSPEC && table->family != family)
836 ctx->family = table->family;
838 if (!nft_is_active_next(ctx->net, table))
841 if (nla[NFTA_TABLE_NAME] &&
842 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
847 err = nft_flush_table(ctx);
855 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
856 struct sk_buff *skb, const struct nlmsghdr *nlh,
857 const struct nlattr * const nla[],
858 struct netlink_ext_ack *extack)
860 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
861 u8 genmask = nft_genmask_next(net);
862 int family = nfmsg->nfgen_family;
863 const struct nlattr *attr;
864 struct nft_table *table;
867 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
868 if (family == AF_UNSPEC ||
869 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
870 return nft_flush(&ctx, family);
872 if (nla[NFTA_TABLE_HANDLE]) {
873 attr = nla[NFTA_TABLE_HANDLE];
874 table = nft_table_lookup_byhandle(net, attr, genmask);
876 attr = nla[NFTA_TABLE_NAME];
877 table = nft_table_lookup(net, attr, family, genmask);
881 NL_SET_BAD_ATTR(extack, attr);
882 return PTR_ERR(table);
885 if (nlh->nlmsg_flags & NLM_F_NONREC &&
892 return nft_flush_table(&ctx);
895 static void nf_tables_table_destroy(struct nft_ctx *ctx)
897 BUG_ON(ctx->table->use > 0);
899 kfree(ctx->table->name);
903 void nft_register_chain_type(const struct nft_chain_type *ctype)
905 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
908 nfnl_lock(NFNL_SUBSYS_NFTABLES);
909 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
910 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
913 chain_type[ctype->family][ctype->type] = ctype;
914 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
916 EXPORT_SYMBOL_GPL(nft_register_chain_type);
918 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
920 nfnl_lock(NFNL_SUBSYS_NFTABLES);
921 chain_type[ctype->family][ctype->type] = NULL;
922 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
924 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
930 static struct nft_chain *
931 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
933 struct nft_chain *chain;
935 list_for_each_entry(chain, &table->chains, list) {
936 if (chain->handle == handle &&
937 nft_active_genmask(chain, genmask))
941 return ERR_PTR(-ENOENT);
944 static struct nft_chain *nft_chain_lookup(const struct nft_table *table,
945 const struct nlattr *nla, u8 genmask)
947 struct nft_chain *chain;
950 return ERR_PTR(-EINVAL);
952 list_for_each_entry(chain, &table->chains, list) {
953 if (!nla_strcmp(nla, chain->name) &&
954 nft_active_genmask(chain, genmask))
958 return ERR_PTR(-ENOENT);
961 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
962 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
963 .len = NFT_TABLE_MAXNAMELEN - 1 },
964 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
965 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
966 .len = NFT_CHAIN_MAXNAMELEN - 1 },
967 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
968 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
969 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
970 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
973 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
974 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
975 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
976 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
977 .len = IFNAMSIZ - 1 },
980 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
982 struct nft_stats *cpu_stats, total;
988 memset(&total, 0, sizeof(total));
989 for_each_possible_cpu(cpu) {
990 cpu_stats = per_cpu_ptr(stats, cpu);
992 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
993 pkts = cpu_stats->pkts;
994 bytes = cpu_stats->bytes;
995 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
997 total.bytes += bytes;
999 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1001 goto nla_put_failure;
1003 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1004 NFTA_COUNTER_PAD) ||
1005 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1007 goto nla_put_failure;
1009 nla_nest_end(skb, nest);
1016 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1017 u32 portid, u32 seq, int event, u32 flags,
1018 int family, const struct nft_table *table,
1019 const struct nft_chain *chain)
1021 struct nlmsghdr *nlh;
1022 struct nfgenmsg *nfmsg;
1024 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1025 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1027 goto nla_put_failure;
1029 nfmsg = nlmsg_data(nlh);
1030 nfmsg->nfgen_family = family;
1031 nfmsg->version = NFNETLINK_V0;
1032 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1034 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1035 goto nla_put_failure;
1036 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1038 goto nla_put_failure;
1039 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1040 goto nla_put_failure;
1042 if (nft_is_base_chain(chain)) {
1043 const struct nft_base_chain *basechain = nft_base_chain(chain);
1044 const struct nf_hook_ops *ops = &basechain->ops;
1045 struct nlattr *nest;
1047 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1049 goto nla_put_failure;
1050 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1051 goto nla_put_failure;
1052 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1053 goto nla_put_failure;
1054 if (basechain->dev_name[0] &&
1055 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1056 goto nla_put_failure;
1057 nla_nest_end(skb, nest);
1059 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1060 htonl(basechain->policy)))
1061 goto nla_put_failure;
1063 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1064 goto nla_put_failure;
1066 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1067 goto nla_put_failure;
1070 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1071 goto nla_put_failure;
1073 nlmsg_end(skb, nlh);
1077 nlmsg_trim(skb, nlh);
1081 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1083 struct sk_buff *skb;
1087 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1090 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1094 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1095 event, 0, ctx->family, ctx->table,
1102 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1103 ctx->report, GFP_KERNEL);
1106 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1109 static int nf_tables_dump_chains(struct sk_buff *skb,
1110 struct netlink_callback *cb)
1112 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1113 const struct nft_table *table;
1114 const struct nft_chain *chain;
1115 unsigned int idx = 0, s_idx = cb->args[0];
1116 struct net *net = sock_net(skb->sk);
1117 int family = nfmsg->nfgen_family;
1120 cb->seq = net->nft.base_seq;
1122 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1123 if (family != NFPROTO_UNSPEC && family != table->family)
1126 list_for_each_entry_rcu(chain, &table->chains, list) {
1130 memset(&cb->args[1], 0,
1131 sizeof(cb->args) - sizeof(cb->args[0]));
1132 if (!nft_is_active(net, chain))
1134 if (nf_tables_fill_chain_info(skb, net,
1135 NETLINK_CB(cb->skb).portid,
1139 table->family, table,
1143 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1154 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1155 struct sk_buff *skb, const struct nlmsghdr *nlh,
1156 const struct nlattr * const nla[],
1157 struct netlink_ext_ack *extack)
1159 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1160 u8 genmask = nft_genmask_cur(net);
1161 const struct nft_table *table;
1162 const struct nft_chain *chain;
1163 struct sk_buff *skb2;
1164 int family = nfmsg->nfgen_family;
1167 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1168 struct netlink_dump_control c = {
1169 .dump = nf_tables_dump_chains,
1171 return netlink_dump_start(nlsk, skb, nlh, &c);
1174 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1175 if (IS_ERR(table)) {
1176 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1177 return PTR_ERR(table);
1180 chain = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1181 if (IS_ERR(chain)) {
1182 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1183 return PTR_ERR(chain);
1186 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1190 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1191 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1192 family, table, chain);
1196 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1203 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1204 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1205 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1208 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1210 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1211 struct nft_stats __percpu *newstats;
1212 struct nft_stats *stats;
1215 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1218 return ERR_PTR(err);
1220 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1221 return ERR_PTR(-EINVAL);
1223 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1224 if (newstats == NULL)
1225 return ERR_PTR(-ENOMEM);
1227 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1228 * are not exposed to userspace.
1231 stats = this_cpu_ptr(newstats);
1232 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1233 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1239 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1240 struct nft_stats __percpu *newstats)
1242 struct nft_stats __percpu *oldstats;
1244 if (newstats == NULL)
1248 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1249 rcu_assign_pointer(chain->stats, newstats);
1251 free_percpu(oldstats);
1253 rcu_assign_pointer(chain->stats, newstats);
1256 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1258 struct nft_chain *chain = ctx->chain;
1260 BUG_ON(chain->use > 0);
1262 if (nft_is_base_chain(chain)) {
1263 struct nft_base_chain *basechain = nft_base_chain(chain);
1265 if (basechain->type->free)
1266 basechain->type->free(ctx);
1267 module_put(basechain->type->owner);
1268 free_percpu(basechain->stats);
1269 if (basechain->stats)
1270 static_branch_dec(&nft_counters_enabled);
1279 struct nft_chain_hook {
1282 const struct nft_chain_type *type;
1283 struct net_device *dev;
1286 static int nft_chain_parse_hook(struct net *net,
1287 const struct nlattr * const nla[],
1288 struct nft_chain_hook *hook, u8 family,
1291 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1292 const struct nft_chain_type *type;
1293 struct net_device *dev;
1296 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1297 nft_hook_policy, NULL);
1301 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1302 ha[NFTA_HOOK_PRIORITY] == NULL)
1305 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1306 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1308 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1309 if (nla[NFTA_CHAIN_TYPE]) {
1310 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1313 return PTR_ERR(type);
1315 if (!(type->hook_mask & (1 << hook->num)))
1318 if (type->type == NFT_CHAIN_T_NAT &&
1319 hook->priority <= NF_IP_PRI_CONNTRACK)
1322 if (!try_module_get(type->owner))
1328 if (family == NFPROTO_NETDEV) {
1329 char ifname[IFNAMSIZ];
1331 if (!ha[NFTA_HOOK_DEV]) {
1332 module_put(type->owner);
1336 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1337 dev = __dev_get_by_name(net, ifname);
1339 module_put(type->owner);
1343 } else if (ha[NFTA_HOOK_DEV]) {
1344 module_put(type->owner);
1351 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1353 module_put(hook->type->owner);
1356 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1357 u8 policy, bool create)
1359 const struct nlattr * const *nla = ctx->nla;
1360 struct nft_table *table = ctx->table;
1361 struct nft_base_chain *basechain;
1362 struct nft_stats __percpu *stats;
1363 struct net *net = ctx->net;
1364 struct nft_chain *chain;
1367 if (table->use == UINT_MAX)
1370 if (nla[NFTA_CHAIN_HOOK]) {
1371 struct nft_chain_hook hook;
1372 struct nf_hook_ops *ops;
1374 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1378 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1379 if (basechain == NULL) {
1380 nft_chain_release_hook(&hook);
1384 if (hook.dev != NULL)
1385 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1387 if (nla[NFTA_CHAIN_COUNTERS]) {
1388 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1389 if (IS_ERR(stats)) {
1390 nft_chain_release_hook(&hook);
1392 return PTR_ERR(stats);
1394 basechain->stats = stats;
1395 static_branch_inc(&nft_counters_enabled);
1398 basechain->type = hook.type;
1399 if (basechain->type->init)
1400 basechain->type->init(ctx);
1402 chain = &basechain->chain;
1404 ops = &basechain->ops;
1406 ops->hooknum = hook.num;
1407 ops->priority = hook.priority;
1409 ops->hook = hook.type->hooks[ops->hooknum];
1410 ops->dev = hook.dev;
1412 if (basechain->type->type == NFT_CHAIN_T_NAT)
1413 ops->nat_hook = true;
1415 chain->flags |= NFT_BASE_CHAIN;
1416 basechain->policy = policy;
1418 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1424 INIT_LIST_HEAD(&chain->rules);
1425 chain->handle = nf_tables_alloc_handle(table);
1426 chain->table = table;
1427 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1433 err = nf_tables_register_hook(net, table, chain);
1437 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1442 list_add_tail_rcu(&chain->list, &table->chains);
1446 nf_tables_unregister_hook(net, table, chain);
1448 nf_tables_chain_destroy(ctx);
1453 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1456 const struct nlattr * const *nla = ctx->nla;
1457 struct nft_table *table = ctx->table;
1458 struct nft_chain *chain = ctx->chain;
1459 struct nft_base_chain *basechain;
1460 struct nft_stats *stats = NULL;
1461 struct nft_chain_hook hook;
1462 const struct nlattr *name;
1463 struct nf_hook_ops *ops;
1464 struct nft_trans *trans;
1467 if (nla[NFTA_CHAIN_HOOK]) {
1468 if (!nft_is_base_chain(chain))
1471 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1476 basechain = nft_base_chain(chain);
1477 if (basechain->type != hook.type) {
1478 nft_chain_release_hook(&hook);
1482 ops = &basechain->ops;
1483 if (ops->hooknum != hook.num ||
1484 ops->priority != hook.priority ||
1485 ops->dev != hook.dev) {
1486 nft_chain_release_hook(&hook);
1489 nft_chain_release_hook(&hook);
1492 if (nla[NFTA_CHAIN_HANDLE] &&
1493 nla[NFTA_CHAIN_NAME]) {
1494 struct nft_chain *chain2;
1496 chain2 = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1497 if (!IS_ERR(chain2))
1501 if (nla[NFTA_CHAIN_COUNTERS]) {
1502 if (!nft_is_base_chain(chain))
1505 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1507 return PTR_ERR(stats);
1510 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1511 sizeof(struct nft_trans_chain));
1512 if (trans == NULL) {
1517 nft_trans_chain_stats(trans) = stats;
1518 nft_trans_chain_update(trans) = true;
1520 if (nla[NFTA_CHAIN_POLICY])
1521 nft_trans_chain_policy(trans) = policy;
1523 nft_trans_chain_policy(trans) = -1;
1525 name = nla[NFTA_CHAIN_NAME];
1526 if (nla[NFTA_CHAIN_HANDLE] && name) {
1527 nft_trans_chain_name(trans) =
1528 nla_strdup(name, GFP_KERNEL);
1529 if (!nft_trans_chain_name(trans)) {
1535 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1540 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1541 struct sk_buff *skb, const struct nlmsghdr *nlh,
1542 const struct nlattr * const nla[],
1543 struct netlink_ext_ack *extack)
1545 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1546 u8 genmask = nft_genmask_next(net);
1547 int family = nfmsg->nfgen_family;
1548 const struct nlattr *attr;
1549 struct nft_table *table;
1550 struct nft_chain *chain;
1551 u8 policy = NF_ACCEPT;
1556 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1558 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1559 if (IS_ERR(table)) {
1560 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1561 return PTR_ERR(table);
1565 attr = nla[NFTA_CHAIN_NAME];
1567 if (nla[NFTA_CHAIN_HANDLE]) {
1568 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1569 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1570 if (IS_ERR(chain)) {
1571 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1572 return PTR_ERR(chain);
1574 attr = nla[NFTA_CHAIN_HANDLE];
1576 chain = nft_chain_lookup(table, attr, genmask);
1577 if (IS_ERR(chain)) {
1578 if (PTR_ERR(chain) != -ENOENT) {
1579 NL_SET_BAD_ATTR(extack, attr);
1580 return PTR_ERR(chain);
1586 if (nla[NFTA_CHAIN_POLICY]) {
1587 if (chain != NULL &&
1588 !nft_is_base_chain(chain)) {
1589 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1593 if (chain == NULL &&
1594 nla[NFTA_CHAIN_HOOK] == NULL) {
1595 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1599 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1609 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1611 if (chain != NULL) {
1612 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1613 NL_SET_BAD_ATTR(extack, attr);
1616 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1619 return nf_tables_updchain(&ctx, genmask, policy, create);
1622 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1625 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1626 struct sk_buff *skb, const struct nlmsghdr *nlh,
1627 const struct nlattr * const nla[],
1628 struct netlink_ext_ack *extack)
1630 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1631 u8 genmask = nft_genmask_next(net);
1632 int family = nfmsg->nfgen_family;
1633 const struct nlattr *attr;
1634 struct nft_table *table;
1635 struct nft_chain *chain;
1636 struct nft_rule *rule;
1642 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1643 if (IS_ERR(table)) {
1644 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1645 return PTR_ERR(table);
1648 if (nla[NFTA_CHAIN_HANDLE]) {
1649 attr = nla[NFTA_CHAIN_HANDLE];
1650 handle = be64_to_cpu(nla_get_be64(attr));
1651 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1653 attr = nla[NFTA_CHAIN_NAME];
1654 chain = nft_chain_lookup(table, attr, genmask);
1656 if (IS_ERR(chain)) {
1657 NL_SET_BAD_ATTR(extack, attr);
1658 return PTR_ERR(chain);
1661 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1665 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1668 list_for_each_entry(rule, &chain->rules, list) {
1669 if (!nft_is_active_next(net, rule))
1673 err = nft_delrule(&ctx, rule);
1678 /* There are rules and elements that are still holding references to us,
1679 * we cannot do a recursive removal in this case.
1682 NL_SET_BAD_ATTR(extack, attr);
1686 return nft_delchain(&ctx);
1694 * nft_register_expr - register nf_tables expr type
1697 * Registers the expr type for use with nf_tables. Returns zero on
1698 * success or a negative errno code otherwise.
1700 int nft_register_expr(struct nft_expr_type *type)
1702 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1703 if (type->family == NFPROTO_UNSPEC)
1704 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1706 list_add_rcu(&type->list, &nf_tables_expressions);
1707 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1710 EXPORT_SYMBOL_GPL(nft_register_expr);
1713 * nft_unregister_expr - unregister nf_tables expr type
1716 * Unregisters the expr typefor use with nf_tables.
1718 void nft_unregister_expr(struct nft_expr_type *type)
1720 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1721 list_del_rcu(&type->list);
1722 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1724 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1726 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1729 const struct nft_expr_type *type;
1731 list_for_each_entry(type, &nf_tables_expressions, list) {
1732 if (!nla_strcmp(nla, type->name) &&
1733 (!type->family || type->family == family))
1739 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1742 const struct nft_expr_type *type;
1745 return ERR_PTR(-EINVAL);
1747 type = __nft_expr_type_get(family, nla);
1748 if (type != NULL && try_module_get(type->owner))
1751 #ifdef CONFIG_MODULES
1753 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1754 request_module("nft-expr-%u-%.*s", family,
1755 nla_len(nla), (char *)nla_data(nla));
1756 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1757 if (__nft_expr_type_get(family, nla))
1758 return ERR_PTR(-EAGAIN);
1760 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1761 request_module("nft-expr-%.*s",
1762 nla_len(nla), (char *)nla_data(nla));
1763 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1764 if (__nft_expr_type_get(family, nla))
1765 return ERR_PTR(-EAGAIN);
1768 return ERR_PTR(-ENOENT);
1771 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1772 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1773 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1776 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1777 const struct nft_expr *expr)
1779 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1780 goto nla_put_failure;
1782 if (expr->ops->dump) {
1783 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1785 goto nla_put_failure;
1786 if (expr->ops->dump(skb, expr) < 0)
1787 goto nla_put_failure;
1788 nla_nest_end(skb, data);
1797 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1798 const struct nft_expr *expr)
1800 struct nlattr *nest;
1802 nest = nla_nest_start(skb, attr);
1804 goto nla_put_failure;
1805 if (nf_tables_fill_expr_info(skb, expr) < 0)
1806 goto nla_put_failure;
1807 nla_nest_end(skb, nest);
1814 struct nft_expr_info {
1815 const struct nft_expr_ops *ops;
1816 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1819 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1820 const struct nlattr *nla,
1821 struct nft_expr_info *info)
1823 const struct nft_expr_type *type;
1824 const struct nft_expr_ops *ops;
1825 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1828 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1832 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1834 return PTR_ERR(type);
1836 if (tb[NFTA_EXPR_DATA]) {
1837 err = nla_parse_nested(info->tb, type->maxattr,
1838 tb[NFTA_EXPR_DATA], type->policy, NULL);
1842 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1844 if (type->select_ops != NULL) {
1845 ops = type->select_ops(ctx,
1846 (const struct nlattr * const *)info->tb);
1858 module_put(type->owner);
1862 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1863 const struct nft_expr_info *info,
1864 struct nft_expr *expr)
1866 const struct nft_expr_ops *ops = info->ops;
1871 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1876 if (ops->validate) {
1877 const struct nft_data *data = NULL;
1879 err = ops->validate(ctx, expr, &data);
1888 ops->destroy(ctx, expr);
1894 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1895 struct nft_expr *expr)
1897 if (expr->ops->destroy)
1898 expr->ops->destroy(ctx, expr);
1899 module_put(expr->ops->type->owner);
1902 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1903 const struct nlattr *nla)
1905 struct nft_expr_info info;
1906 struct nft_expr *expr;
1909 err = nf_tables_expr_parse(ctx, nla, &info);
1914 expr = kzalloc(info.ops->size, GFP_KERNEL);
1918 err = nf_tables_newexpr(ctx, &info, expr);
1926 module_put(info.ops->type->owner);
1928 return ERR_PTR(err);
1931 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1933 nf_tables_expr_destroy(ctx, expr);
1941 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
1944 struct nft_rule *rule;
1946 // FIXME: this sucks
1947 list_for_each_entry(rule, &chain->rules, list) {
1948 if (handle == rule->handle)
1952 return ERR_PTR(-ENOENT);
1955 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
1956 const struct nlattr *nla)
1959 return ERR_PTR(-EINVAL);
1961 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1964 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1965 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1966 .len = NFT_TABLE_MAXNAMELEN - 1 },
1967 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1968 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1969 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1970 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1971 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1972 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1973 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1974 .len = NFT_USERDATA_MAXLEN },
1975 [NFTA_RULE_ID] = { .type = NLA_U32 },
1978 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1979 u32 portid, u32 seq, int event,
1980 u32 flags, int family,
1981 const struct nft_table *table,
1982 const struct nft_chain *chain,
1983 const struct nft_rule *rule)
1985 struct nlmsghdr *nlh;
1986 struct nfgenmsg *nfmsg;
1987 const struct nft_expr *expr, *next;
1988 struct nlattr *list;
1989 const struct nft_rule *prule;
1990 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1992 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1994 goto nla_put_failure;
1996 nfmsg = nlmsg_data(nlh);
1997 nfmsg->nfgen_family = family;
1998 nfmsg->version = NFNETLINK_V0;
1999 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2001 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2002 goto nla_put_failure;
2003 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2004 goto nla_put_failure;
2005 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2007 goto nla_put_failure;
2009 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2010 prule = list_prev_entry(rule, list);
2011 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2012 cpu_to_be64(prule->handle),
2014 goto nla_put_failure;
2017 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2019 goto nla_put_failure;
2020 nft_rule_for_each_expr(expr, next, rule) {
2021 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2022 goto nla_put_failure;
2024 nla_nest_end(skb, list);
2027 struct nft_userdata *udata = nft_userdata(rule);
2028 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2030 goto nla_put_failure;
2033 nlmsg_end(skb, nlh);
2037 nlmsg_trim(skb, nlh);
2041 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2042 const struct nft_rule *rule, int event)
2044 struct sk_buff *skb;
2048 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2051 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2055 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2056 event, 0, ctx->family, ctx->table,
2063 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2064 ctx->report, GFP_KERNEL);
2067 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2070 struct nft_rule_dump_ctx {
2075 static int nf_tables_dump_rules(struct sk_buff *skb,
2076 struct netlink_callback *cb)
2078 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2079 const struct nft_rule_dump_ctx *ctx = cb->data;
2080 const struct nft_table *table;
2081 const struct nft_chain *chain;
2082 const struct nft_rule *rule;
2083 unsigned int idx = 0, s_idx = cb->args[0];
2084 struct net *net = sock_net(skb->sk);
2085 int family = nfmsg->nfgen_family;
2088 cb->seq = net->nft.base_seq;
2090 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2091 if (family != NFPROTO_UNSPEC && family != table->family)
2094 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2097 list_for_each_entry_rcu(chain, &table->chains, list) {
2098 if (ctx && ctx->chain &&
2099 strcmp(ctx->chain, chain->name) != 0)
2102 list_for_each_entry_rcu(rule, &chain->rules, list) {
2103 if (!nft_is_active(net, rule))
2108 memset(&cb->args[1], 0,
2109 sizeof(cb->args) - sizeof(cb->args[0]));
2110 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2113 NLM_F_MULTI | NLM_F_APPEND,
2115 table, chain, rule) < 0)
2118 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2131 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2133 struct nft_rule_dump_ctx *ctx = cb->data;
2143 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2144 struct sk_buff *skb, const struct nlmsghdr *nlh,
2145 const struct nlattr * const nla[],
2146 struct netlink_ext_ack *extack)
2148 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2149 u8 genmask = nft_genmask_cur(net);
2150 const struct nft_table *table;
2151 const struct nft_chain *chain;
2152 const struct nft_rule *rule;
2153 struct sk_buff *skb2;
2154 int family = nfmsg->nfgen_family;
2157 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2158 struct netlink_dump_control c = {
2159 .dump = nf_tables_dump_rules,
2160 .done = nf_tables_dump_rules_done,
2163 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2164 struct nft_rule_dump_ctx *ctx;
2166 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2170 if (nla[NFTA_RULE_TABLE]) {
2171 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2178 if (nla[NFTA_RULE_CHAIN]) {
2179 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2190 return netlink_dump_start(nlsk, skb, nlh, &c);
2193 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2194 if (IS_ERR(table)) {
2195 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2196 return PTR_ERR(table);
2199 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2200 if (IS_ERR(chain)) {
2201 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2202 return PTR_ERR(chain);
2205 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2207 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2208 return PTR_ERR(rule);
2211 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2215 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2216 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2217 family, table, chain, rule);
2221 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2228 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2229 struct nft_rule *rule)
2231 struct nft_expr *expr;
2234 * Careful: some expressions might not be initialized in case this
2235 * is called on error from nf_tables_newrule().
2237 expr = nft_expr_first(rule);
2238 while (expr != nft_expr_last(rule) && expr->ops) {
2239 nf_tables_expr_destroy(ctx, expr);
2240 expr = nft_expr_next(expr);
2245 #define NFT_RULE_MAXEXPRS 128
2247 static struct nft_expr_info *info;
2249 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2250 struct sk_buff *skb, const struct nlmsghdr *nlh,
2251 const struct nlattr * const nla[],
2252 struct netlink_ext_ack *extack)
2254 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2255 u8 genmask = nft_genmask_next(net);
2256 int family = nfmsg->nfgen_family;
2257 struct nft_table *table;
2258 struct nft_chain *chain;
2259 struct nft_rule *rule, *old_rule = NULL;
2260 struct nft_userdata *udata;
2261 struct nft_trans *trans = NULL;
2262 struct nft_expr *expr;
2265 unsigned int size, i, n, ulen = 0, usize = 0;
2268 u64 handle, pos_handle;
2270 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2272 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2273 if (IS_ERR(table)) {
2274 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2275 return PTR_ERR(table);
2278 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2279 if (IS_ERR(chain)) {
2280 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2281 return PTR_ERR(chain);
2284 if (nla[NFTA_RULE_HANDLE]) {
2285 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2286 rule = __nft_rule_lookup(chain, handle);
2288 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2289 return PTR_ERR(rule);
2292 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2293 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2296 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2301 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2303 handle = nf_tables_alloc_handle(table);
2305 if (chain->use == UINT_MAX)
2309 if (nla[NFTA_RULE_POSITION]) {
2310 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2313 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2314 old_rule = __nft_rule_lookup(chain, pos_handle);
2315 if (IS_ERR(old_rule)) {
2316 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2317 return PTR_ERR(old_rule);
2321 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2325 if (nla[NFTA_RULE_EXPRESSIONS]) {
2326 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2328 if (nla_type(tmp) != NFTA_LIST_ELEM)
2330 if (n == NFT_RULE_MAXEXPRS)
2332 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2335 size += info[n].ops->size;
2339 /* Check for overflow of dlen field */
2341 if (size >= 1 << 12)
2344 if (nla[NFTA_RULE_USERDATA]) {
2345 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2347 usize = sizeof(struct nft_userdata) + ulen;
2351 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2355 nft_activate_next(net, rule);
2357 rule->handle = handle;
2359 rule->udata = ulen ? 1 : 0;
2362 udata = nft_userdata(rule);
2363 udata->len = ulen - 1;
2364 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2367 expr = nft_expr_first(rule);
2368 for (i = 0; i < n; i++) {
2369 err = nf_tables_newexpr(&ctx, &info[i], expr);
2373 expr = nft_expr_next(expr);
2376 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2377 if (!nft_is_active_next(net, old_rule)) {
2381 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2383 if (trans == NULL) {
2387 nft_deactivate_next(net, old_rule);
2390 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2395 list_add_tail_rcu(&rule->list, &old_rule->list);
2397 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2402 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2404 list_add_rcu(&rule->list, &old_rule->list);
2406 list_add_tail_rcu(&rule->list, &chain->rules);
2409 list_add_tail_rcu(&rule->list, &old_rule->list);
2411 list_add_rcu(&rule->list, &chain->rules);
2418 nf_tables_rule_destroy(&ctx, rule);
2420 for (i = 0; i < n; i++) {
2421 if (info[i].ops != NULL)
2422 module_put(info[i].ops->type->owner);
2427 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2428 const struct nlattr *nla)
2430 u32 id = ntohl(nla_get_be32(nla));
2431 struct nft_trans *trans;
2433 list_for_each_entry(trans, &net->nft.commit_list, list) {
2434 struct nft_rule *rule = nft_trans_rule(trans);
2436 if (trans->msg_type == NFT_MSG_NEWRULE &&
2437 id == nft_trans_rule_id(trans))
2440 return ERR_PTR(-ENOENT);
2443 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2444 struct sk_buff *skb, const struct nlmsghdr *nlh,
2445 const struct nlattr * const nla[],
2446 struct netlink_ext_ack *extack)
2448 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2449 u8 genmask = nft_genmask_next(net);
2450 struct nft_table *table;
2451 struct nft_chain *chain = NULL;
2452 struct nft_rule *rule;
2453 int family = nfmsg->nfgen_family, err = 0;
2456 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2457 if (IS_ERR(table)) {
2458 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2459 return PTR_ERR(table);
2462 if (nla[NFTA_RULE_CHAIN]) {
2463 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2464 if (IS_ERR(chain)) {
2465 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2466 return PTR_ERR(chain);
2470 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2473 if (nla[NFTA_RULE_HANDLE]) {
2474 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2476 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2477 return PTR_ERR(rule);
2480 err = nft_delrule(&ctx, rule);
2481 } else if (nla[NFTA_RULE_ID]) {
2482 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2484 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2485 return PTR_ERR(rule);
2488 err = nft_delrule(&ctx, rule);
2490 err = nft_delrule_by_chain(&ctx);
2493 list_for_each_entry(chain, &table->chains, list) {
2494 if (!nft_is_active_next(net, chain))
2498 err = nft_delrule_by_chain(&ctx);
2511 static LIST_HEAD(nf_tables_set_types);
2513 int nft_register_set(struct nft_set_type *type)
2515 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2516 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2517 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2520 EXPORT_SYMBOL_GPL(nft_register_set);
2522 void nft_unregister_set(struct nft_set_type *type)
2524 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2525 list_del_rcu(&type->list);
2526 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2528 EXPORT_SYMBOL_GPL(nft_unregister_set);
2530 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2531 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2534 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2536 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2540 * Select a set implementation based on the data characteristics and the
2541 * given policy. The total memory use might not be known if no size is
2542 * given, in that case the amount of memory per element is used.
2544 static const struct nft_set_ops *
2545 nft_select_set_ops(const struct nft_ctx *ctx,
2546 const struct nlattr * const nla[],
2547 const struct nft_set_desc *desc,
2548 enum nft_set_policies policy)
2550 const struct nft_set_ops *ops, *bops;
2551 struct nft_set_estimate est, best;
2552 const struct nft_set_type *type;
2555 #ifdef CONFIG_MODULES
2556 if (list_empty(&nf_tables_set_types)) {
2557 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2558 request_module("nft-set");
2559 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2560 if (!list_empty(&nf_tables_set_types))
2561 return ERR_PTR(-EAGAIN);
2564 if (nla[NFTA_SET_FLAGS] != NULL)
2565 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2572 list_for_each_entry(type, &nf_tables_set_types, list) {
2575 if (!nft_set_ops_candidate(type, flags))
2577 if (!ops->estimate(desc, flags, &est))
2581 case NFT_SET_POL_PERFORMANCE:
2582 if (est.lookup < best.lookup)
2584 if (est.lookup == best.lookup &&
2585 est.space < best.space)
2588 case NFT_SET_POL_MEMORY:
2590 if (est.space < best.space)
2592 if (est.space == best.space &&
2593 est.lookup < best.lookup)
2595 } else if (est.size < best.size || !bops) {
2603 if (!try_module_get(type->owner))
2606 module_put(to_set_type(bops)->owner);
2615 return ERR_PTR(-EOPNOTSUPP);
2618 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2619 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2620 .len = NFT_TABLE_MAXNAMELEN - 1 },
2621 [NFTA_SET_NAME] = { .type = NLA_STRING,
2622 .len = NFT_SET_MAXNAMELEN - 1 },
2623 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2624 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2625 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2626 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2627 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2628 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2629 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2630 [NFTA_SET_ID] = { .type = NLA_U32 },
2631 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2632 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2633 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2634 .len = NFT_USERDATA_MAXLEN },
2635 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2636 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2639 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2640 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2643 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2644 const struct sk_buff *skb,
2645 const struct nlmsghdr *nlh,
2646 const struct nlattr * const nla[],
2647 struct netlink_ext_ack *extack,
2650 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2651 int family = nfmsg->nfgen_family;
2652 struct nft_table *table = NULL;
2654 if (nla[NFTA_SET_TABLE] != NULL) {
2655 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
2657 if (IS_ERR(table)) {
2658 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
2659 return PTR_ERR(table);
2663 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2667 static struct nft_set *nft_set_lookup(const struct nft_table *table,
2668 const struct nlattr *nla, u8 genmask)
2670 struct nft_set *set;
2673 return ERR_PTR(-EINVAL);
2675 list_for_each_entry(set, &table->sets, list) {
2676 if (!nla_strcmp(nla, set->name) &&
2677 nft_active_genmask(set, genmask))
2680 return ERR_PTR(-ENOENT);
2683 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
2684 const struct nlattr *nla,
2687 struct nft_set *set;
2689 list_for_each_entry(set, &table->sets, list) {
2690 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2691 nft_active_genmask(set, genmask))
2694 return ERR_PTR(-ENOENT);
2697 static struct nft_set *nft_set_lookup_byid(const struct net *net,
2698 const struct nlattr *nla, u8 genmask)
2700 struct nft_trans *trans;
2701 u32 id = ntohl(nla_get_be32(nla));
2703 list_for_each_entry(trans, &net->nft.commit_list, list) {
2704 struct nft_set *set = nft_trans_set(trans);
2706 if (trans->msg_type == NFT_MSG_NEWSET &&
2707 id == nft_trans_set_id(trans) &&
2708 nft_active_genmask(set, genmask))
2711 return ERR_PTR(-ENOENT);
2714 struct nft_set *nft_set_lookup_global(const struct net *net,
2715 const struct nft_table *table,
2716 const struct nlattr *nla_set_name,
2717 const struct nlattr *nla_set_id,
2720 struct nft_set *set;
2722 set = nft_set_lookup(table, nla_set_name, genmask);
2727 set = nft_set_lookup_byid(net, nla_set_id, genmask);
2731 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2733 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2736 const struct nft_set *i;
2738 unsigned long *inuse;
2739 unsigned int n = 0, min = 0;
2741 p = strchr(name, '%');
2743 if (p[1] != 'd' || strchr(p + 2, '%'))
2746 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2750 list_for_each_entry(i, &ctx->table->sets, list) {
2753 if (!nft_is_active_next(ctx->net, set))
2755 if (!sscanf(i->name, name, &tmp))
2757 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2760 set_bit(tmp - min, inuse);
2763 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2764 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2765 min += BITS_PER_BYTE * PAGE_SIZE;
2766 memset(inuse, 0, PAGE_SIZE);
2769 free_page((unsigned long)inuse);
2772 set->name = kasprintf(GFP_KERNEL, name, min + n);
2776 list_for_each_entry(i, &ctx->table->sets, list) {
2777 if (!nft_is_active_next(ctx->net, i))
2779 if (!strcmp(set->name, i->name)) {
2787 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
2789 u64 ms = be64_to_cpu(nla_get_be64(nla));
2790 u64 max = (u64)(~((u64)0));
2792 max = div_u64(max, NSEC_PER_MSEC);
2796 ms *= NSEC_PER_MSEC;
2797 *result = nsecs_to_jiffies64(ms);
2801 static u64 nf_jiffies64_to_msecs(u64 input)
2803 u64 ms = jiffies64_to_nsecs(input);
2805 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
2808 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2809 const struct nft_set *set, u16 event, u16 flags)
2811 struct nfgenmsg *nfmsg;
2812 struct nlmsghdr *nlh;
2813 struct nlattr *desc;
2814 u32 portid = ctx->portid;
2817 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2818 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2821 goto nla_put_failure;
2823 nfmsg = nlmsg_data(nlh);
2824 nfmsg->nfgen_family = ctx->family;
2825 nfmsg->version = NFNETLINK_V0;
2826 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2828 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2829 goto nla_put_failure;
2830 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2831 goto nla_put_failure;
2832 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2834 goto nla_put_failure;
2835 if (set->flags != 0)
2836 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2837 goto nla_put_failure;
2839 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2840 goto nla_put_failure;
2841 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2842 goto nla_put_failure;
2843 if (set->flags & NFT_SET_MAP) {
2844 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2845 goto nla_put_failure;
2846 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2847 goto nla_put_failure;
2849 if (set->flags & NFT_SET_OBJECT &&
2850 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2851 goto nla_put_failure;
2854 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2855 nf_jiffies64_to_msecs(set->timeout),
2857 goto nla_put_failure;
2859 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2860 goto nla_put_failure;
2862 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2863 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2864 goto nla_put_failure;
2867 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2868 goto nla_put_failure;
2870 desc = nla_nest_start(skb, NFTA_SET_DESC);
2872 goto nla_put_failure;
2874 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2875 goto nla_put_failure;
2876 nla_nest_end(skb, desc);
2878 nlmsg_end(skb, nlh);
2882 nlmsg_trim(skb, nlh);
2886 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2887 const struct nft_set *set, int event,
2890 struct sk_buff *skb;
2891 u32 portid = ctx->portid;
2895 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2898 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2902 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2908 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2912 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2915 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2917 const struct nft_set *set;
2918 unsigned int idx, s_idx = cb->args[0];
2919 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2920 struct net *net = sock_net(skb->sk);
2921 struct nft_ctx *ctx = cb->data, ctx_set;
2927 cb->seq = net->nft.base_seq;
2929 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2930 if (ctx->family != NFPROTO_UNSPEC &&
2931 ctx->family != table->family)
2934 if (ctx->table && ctx->table != table)
2938 if (cur_table != table)
2944 list_for_each_entry_rcu(set, &table->sets, list) {
2947 if (!nft_is_active(net, set))
2951 ctx_set.table = table;
2952 ctx_set.family = table->family;
2954 if (nf_tables_fill_set(skb, &ctx_set, set,
2958 cb->args[2] = (unsigned long) table;
2961 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2974 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2980 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2981 struct sk_buff *skb, const struct nlmsghdr *nlh,
2982 const struct nlattr * const nla[],
2983 struct netlink_ext_ack *extack)
2985 u8 genmask = nft_genmask_cur(net);
2986 const struct nft_set *set;
2988 struct sk_buff *skb2;
2989 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2992 /* Verify existence before starting dump */
2993 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
2998 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2999 struct netlink_dump_control c = {
3000 .dump = nf_tables_dump_sets,
3001 .done = nf_tables_dump_sets_done,
3003 struct nft_ctx *ctx_dump;
3005 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3006 if (ctx_dump == NULL)
3012 return netlink_dump_start(nlsk, skb, nlh, &c);
3015 /* Only accept unspec with dump */
3016 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3017 return -EAFNOSUPPORT;
3018 if (!nla[NFTA_SET_TABLE])
3021 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3023 return PTR_ERR(set);
3025 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3029 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3033 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3040 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3041 struct nft_set_desc *desc,
3042 const struct nlattr *nla)
3044 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3047 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3048 nft_set_desc_policy, NULL);
3052 if (da[NFTA_SET_DESC_SIZE] != NULL)
3053 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3058 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3059 struct sk_buff *skb, const struct nlmsghdr *nlh,
3060 const struct nlattr * const nla[],
3061 struct netlink_ext_ack *extack)
3063 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3064 u8 genmask = nft_genmask_next(net);
3065 int family = nfmsg->nfgen_family;
3066 const struct nft_set_ops *ops;
3067 struct nft_table *table;
3068 struct nft_set *set;
3074 u32 ktype, dtype, flags, policy, gc_int, objtype;
3075 struct nft_set_desc desc;
3076 unsigned char *udata;
3080 if (nla[NFTA_SET_TABLE] == NULL ||
3081 nla[NFTA_SET_NAME] == NULL ||
3082 nla[NFTA_SET_KEY_LEN] == NULL ||
3083 nla[NFTA_SET_ID] == NULL)
3086 memset(&desc, 0, sizeof(desc));
3088 ktype = NFT_DATA_VALUE;
3089 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3090 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3091 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3095 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3096 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3100 if (nla[NFTA_SET_FLAGS] != NULL) {
3101 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3102 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3103 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3104 NFT_SET_MAP | NFT_SET_EVAL |
3107 /* Only one of these operations is supported */
3108 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3109 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3114 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3115 if (!(flags & NFT_SET_MAP))
3118 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3119 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3120 dtype != NFT_DATA_VERDICT)
3123 if (dtype != NFT_DATA_VERDICT) {
3124 if (nla[NFTA_SET_DATA_LEN] == NULL)
3126 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3127 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3130 desc.dlen = sizeof(struct nft_verdict);
3131 } else if (flags & NFT_SET_MAP)
3134 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3135 if (!(flags & NFT_SET_OBJECT))
3138 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3139 if (objtype == NFT_OBJECT_UNSPEC ||
3140 objtype > NFT_OBJECT_MAX)
3142 } else if (flags & NFT_SET_OBJECT)
3145 objtype = NFT_OBJECT_UNSPEC;
3148 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3149 if (!(flags & NFT_SET_TIMEOUT))
3152 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3157 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3158 if (!(flags & NFT_SET_TIMEOUT))
3160 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3163 policy = NFT_SET_POL_PERFORMANCE;
3164 if (nla[NFTA_SET_POLICY] != NULL)
3165 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3167 if (nla[NFTA_SET_DESC] != NULL) {
3168 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3173 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3175 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3176 if (IS_ERR(table)) {
3177 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3178 return PTR_ERR(table);
3181 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3183 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3185 if (PTR_ERR(set) != -ENOENT) {
3186 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3187 return PTR_ERR(set);
3190 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3191 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3194 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3200 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3203 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3205 return PTR_ERR(ops);
3208 if (nla[NFTA_SET_USERDATA])
3209 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3212 if (ops->privsize != NULL)
3213 size = ops->privsize(nla, &desc);
3215 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3221 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3227 err = nf_tables_set_alloc_name(&ctx, set, name);
3234 udata = set->data + size;
3235 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3238 INIT_LIST_HEAD(&set->bindings);
3241 set->klen = desc.klen;
3243 set->objtype = objtype;
3244 set->dlen = desc.dlen;
3246 set->size = desc.size;
3247 set->policy = policy;
3250 set->timeout = timeout;
3251 set->gc_int = gc_int;
3252 set->handle = nf_tables_alloc_handle(table);
3254 err = ops->init(set, &desc, nla);
3258 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3262 list_add_tail_rcu(&set->list, &table->sets);
3273 module_put(to_set_type(ops)->owner);
3277 static void nft_set_destroy(struct nft_set *set)
3279 set->ops->destroy(set);
3280 module_put(to_set_type(set->ops)->owner);
3285 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3287 list_del_rcu(&set->list);
3288 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3289 nft_set_destroy(set);
3292 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3293 struct sk_buff *skb, const struct nlmsghdr *nlh,
3294 const struct nlattr * const nla[],
3295 struct netlink_ext_ack *extack)
3297 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3298 u8 genmask = nft_genmask_next(net);
3299 const struct nlattr *attr;
3300 struct nft_set *set;
3304 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3305 return -EAFNOSUPPORT;
3306 if (nla[NFTA_SET_TABLE] == NULL)
3309 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3314 if (nla[NFTA_SET_HANDLE]) {
3315 attr = nla[NFTA_SET_HANDLE];
3316 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3318 attr = nla[NFTA_SET_NAME];
3319 set = nft_set_lookup(ctx.table, attr, genmask);
3323 NL_SET_BAD_ATTR(extack, attr);
3324 return PTR_ERR(set);
3326 if (!list_empty(&set->bindings) ||
3327 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3328 NL_SET_BAD_ATTR(extack, attr);
3332 return nft_delset(&ctx, set);
3335 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3336 struct nft_set *set,
3337 const struct nft_set_iter *iter,
3338 struct nft_set_elem *elem)
3340 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3341 enum nft_registers dreg;
3343 dreg = nft_type_to_reg(set->dtype);
3344 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3345 set->dtype == NFT_DATA_VERDICT ?
3346 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3350 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3351 struct nft_set_binding *binding)
3353 struct nft_set_binding *i;
3354 struct nft_set_iter iter;
3356 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3359 if (binding->flags & NFT_SET_MAP) {
3360 /* If the set is already bound to the same chain all
3361 * jumps are already validated for that chain.
3363 list_for_each_entry(i, &set->bindings, list) {
3364 if (i->flags & NFT_SET_MAP &&
3365 i->chain == binding->chain)
3369 iter.genmask = nft_genmask_next(ctx->net);
3373 iter.fn = nf_tables_bind_check_setelem;
3375 set->ops->walk(ctx, set, &iter);
3380 binding->chain = ctx->chain;
3381 list_add_tail_rcu(&binding->list, &set->bindings);
3384 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3386 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3387 struct nft_set_binding *binding)
3389 list_del_rcu(&binding->list);
3391 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3392 nft_is_active(ctx->net, set))
3393 nf_tables_set_destroy(ctx, set);
3395 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3397 const struct nft_set_ext_type nft_set_ext_types[] = {
3398 [NFT_SET_EXT_KEY] = {
3399 .align = __alignof__(u32),
3401 [NFT_SET_EXT_DATA] = {
3402 .align = __alignof__(u32),
3404 [NFT_SET_EXT_EXPR] = {
3405 .align = __alignof__(struct nft_expr),
3407 [NFT_SET_EXT_OBJREF] = {
3408 .len = sizeof(struct nft_object *),
3409 .align = __alignof__(struct nft_object *),
3411 [NFT_SET_EXT_FLAGS] = {
3413 .align = __alignof__(u8),
3415 [NFT_SET_EXT_TIMEOUT] = {
3417 .align = __alignof__(u64),
3419 [NFT_SET_EXT_EXPIRATION] = {
3421 .align = __alignof__(u64),
3423 [NFT_SET_EXT_USERDATA] = {
3424 .len = sizeof(struct nft_userdata),
3425 .align = __alignof__(struct nft_userdata),
3428 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3434 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3435 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3436 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3437 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3438 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3439 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3440 .len = NFT_USERDATA_MAXLEN },
3441 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3442 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3445 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3446 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3447 .len = NFT_TABLE_MAXNAMELEN - 1 },
3448 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3449 .len = NFT_SET_MAXNAMELEN - 1 },
3450 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3451 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3454 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3455 const struct sk_buff *skb,
3456 const struct nlmsghdr *nlh,
3457 const struct nlattr * const nla[],
3458 struct netlink_ext_ack *extack,
3461 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3462 int family = nfmsg->nfgen_family;
3463 struct nft_table *table;
3465 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3467 if (IS_ERR(table)) {
3468 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3469 return PTR_ERR(table);
3472 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3476 static int nf_tables_fill_setelem(struct sk_buff *skb,
3477 const struct nft_set *set,
3478 const struct nft_set_elem *elem)
3480 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3481 unsigned char *b = skb_tail_pointer(skb);
3482 struct nlattr *nest;
3484 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3486 goto nla_put_failure;
3488 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3489 NFT_DATA_VALUE, set->klen) < 0)
3490 goto nla_put_failure;
3492 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3493 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3494 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3496 goto nla_put_failure;
3498 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3499 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3500 goto nla_put_failure;
3502 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3503 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3504 (*nft_set_ext_obj(ext))->name) < 0)
3505 goto nla_put_failure;
3507 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3508 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3509 htonl(*nft_set_ext_flags(ext))))
3510 goto nla_put_failure;
3512 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3513 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3514 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3516 goto nla_put_failure;
3518 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3519 u64 expires, now = get_jiffies_64();
3521 expires = *nft_set_ext_expiration(ext);
3522 if (time_before64(now, expires))
3527 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3528 nf_jiffies64_to_msecs(expires),
3530 goto nla_put_failure;
3533 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3534 struct nft_userdata *udata;
3536 udata = nft_set_ext_userdata(ext);
3537 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3538 udata->len + 1, udata->data))
3539 goto nla_put_failure;
3542 nla_nest_end(skb, nest);
3550 struct nft_set_dump_args {
3551 const struct netlink_callback *cb;
3552 struct nft_set_iter iter;
3553 struct sk_buff *skb;
3556 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3557 struct nft_set *set,
3558 const struct nft_set_iter *iter,
3559 struct nft_set_elem *elem)
3561 struct nft_set_dump_args *args;
3563 args = container_of(iter, struct nft_set_dump_args, iter);
3564 return nf_tables_fill_setelem(args->skb, set, elem);
3567 struct nft_set_dump_ctx {
3568 const struct nft_set *set;
3572 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3574 struct nft_set_dump_ctx *dump_ctx = cb->data;
3575 struct net *net = sock_net(skb->sk);
3576 struct nft_table *table;
3577 struct nft_set *set;
3578 struct nft_set_dump_args args;
3579 bool set_found = false;
3580 struct nfgenmsg *nfmsg;
3581 struct nlmsghdr *nlh;
3582 struct nlattr *nest;
3587 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3588 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3589 dump_ctx->ctx.family != table->family)
3592 if (table != dump_ctx->ctx.table)
3595 list_for_each_entry_rcu(set, &table->sets, list) {
3596 if (set == dump_ctx->set) {
3609 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3610 portid = NETLINK_CB(cb->skb).portid;
3611 seq = cb->nlh->nlmsg_seq;
3613 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3616 goto nla_put_failure;
3618 nfmsg = nlmsg_data(nlh);
3619 nfmsg->nfgen_family = table->family;
3620 nfmsg->version = NFNETLINK_V0;
3621 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3623 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3624 goto nla_put_failure;
3625 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3626 goto nla_put_failure;
3628 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3630 goto nla_put_failure;
3634 args.iter.genmask = nft_genmask_cur(net);
3635 args.iter.skip = cb->args[0];
3636 args.iter.count = 0;
3638 args.iter.fn = nf_tables_dump_setelem;
3639 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3642 nla_nest_end(skb, nest);
3643 nlmsg_end(skb, nlh);
3645 if (args.iter.err && args.iter.err != -EMSGSIZE)
3646 return args.iter.err;
3647 if (args.iter.count == cb->args[0])
3650 cb->args[0] = args.iter.count;
3658 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3664 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3665 const struct nft_ctx *ctx, u32 seq,
3666 u32 portid, int event, u16 flags,
3667 const struct nft_set *set,
3668 const struct nft_set_elem *elem)
3670 struct nfgenmsg *nfmsg;
3671 struct nlmsghdr *nlh;
3672 struct nlattr *nest;
3675 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3676 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3679 goto nla_put_failure;
3681 nfmsg = nlmsg_data(nlh);
3682 nfmsg->nfgen_family = ctx->family;
3683 nfmsg->version = NFNETLINK_V0;
3684 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3686 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3687 goto nla_put_failure;
3688 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3689 goto nla_put_failure;
3691 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3693 goto nla_put_failure;
3695 err = nf_tables_fill_setelem(skb, set, elem);
3697 goto nla_put_failure;
3699 nla_nest_end(skb, nest);
3701 nlmsg_end(skb, nlh);
3705 nlmsg_trim(skb, nlh);
3709 static int nft_setelem_parse_flags(const struct nft_set *set,
3710 const struct nlattr *attr, u32 *flags)
3715 *flags = ntohl(nla_get_be32(attr));
3716 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3718 if (!(set->flags & NFT_SET_INTERVAL) &&
3719 *flags & NFT_SET_ELEM_INTERVAL_END)
3725 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3726 const struct nlattr *attr)
3728 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3729 const struct nft_set_ext *ext;
3730 struct nft_data_desc desc;
3731 struct nft_set_elem elem;
3732 struct sk_buff *skb;
3737 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3738 nft_set_elem_policy, NULL);
3742 if (!nla[NFTA_SET_ELEM_KEY])
3745 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3749 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3750 nla[NFTA_SET_ELEM_KEY]);
3755 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3758 priv = set->ops->get(ctx->net, set, &elem, flags);
3760 return PTR_ERR(priv);
3763 ext = nft_set_elem_ext(set, &elem);
3766 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3770 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3771 NFT_MSG_NEWSETELEM, 0, set, &elem);
3775 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3776 /* This avoids a loop in nfnetlink. */
3784 /* this avoids a loop in nfnetlink. */
3785 return err == -EAGAIN ? -ENOBUFS : err;
3788 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3789 struct sk_buff *skb, const struct nlmsghdr *nlh,
3790 const struct nlattr * const nla[],
3791 struct netlink_ext_ack *extack)
3793 u8 genmask = nft_genmask_cur(net);
3794 struct nft_set *set;
3795 struct nlattr *attr;
3799 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
3804 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
3806 return PTR_ERR(set);
3808 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3809 struct netlink_dump_control c = {
3810 .dump = nf_tables_dump_set,
3811 .done = nf_tables_dump_set_done,
3813 struct nft_set_dump_ctx *dump_ctx;
3815 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3819 dump_ctx->set = set;
3820 dump_ctx->ctx = ctx;
3823 return netlink_dump_start(nlsk, skb, nlh, &c);
3826 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3829 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3830 err = nft_get_set_elem(&ctx, set, attr);
3838 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3839 const struct nft_set *set,
3840 const struct nft_set_elem *elem,
3841 int event, u16 flags)
3843 struct net *net = ctx->net;
3844 u32 portid = ctx->portid;
3845 struct sk_buff *skb;
3848 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3851 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3855 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3862 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3866 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3869 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3871 struct nft_set *set)
3873 struct nft_trans *trans;
3875 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3879 nft_trans_elem_set(trans) = set;
3883 void *nft_set_elem_init(const struct nft_set *set,
3884 const struct nft_set_ext_tmpl *tmpl,
3885 const u32 *key, const u32 *data,
3886 u64 timeout, gfp_t gfp)
3888 struct nft_set_ext *ext;
3891 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3895 ext = nft_set_elem_ext(set, elem);
3896 nft_set_ext_init(ext, tmpl);
3898 memcpy(nft_set_ext_key(ext), key, set->klen);
3899 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3900 memcpy(nft_set_ext_data(ext), data, set->dlen);
3901 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3902 *nft_set_ext_expiration(ext) =
3903 get_jiffies_64() + timeout;
3904 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3905 *nft_set_ext_timeout(ext) = timeout;
3910 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3913 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3915 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3916 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3917 nft_data_release(nft_set_ext_data(ext), set->dtype);
3918 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3919 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3920 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3921 (*nft_set_ext_obj(ext))->use--;
3924 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3926 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3927 * the refcounting from the preparation phase.
3929 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3931 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3933 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3934 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3938 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3939 const struct nlattr *attr, u32 nlmsg_flags)
3941 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3942 u8 genmask = nft_genmask_next(ctx->net);
3943 struct nft_data_desc d1, d2;
3944 struct nft_set_ext_tmpl tmpl;
3945 struct nft_set_ext *ext, *ext2;
3946 struct nft_set_elem elem;
3947 struct nft_set_binding *binding;
3948 struct nft_object *obj = NULL;
3949 struct nft_userdata *udata;
3950 struct nft_data data;
3951 enum nft_registers dreg;
3952 struct nft_trans *trans;
3958 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3959 nft_set_elem_policy, NULL);
3963 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3966 nft_set_ext_prepare(&tmpl);
3968 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3972 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3974 if (set->flags & NFT_SET_MAP) {
3975 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3976 !(flags & NFT_SET_ELEM_INTERVAL_END))
3978 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3979 flags & NFT_SET_ELEM_INTERVAL_END)
3982 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3987 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3988 if (!(set->flags & NFT_SET_TIMEOUT))
3990 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
3994 } else if (set->flags & NFT_SET_TIMEOUT) {
3995 timeout = set->timeout;
3998 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3999 nla[NFTA_SET_ELEM_KEY]);
4003 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4006 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4008 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4009 if (timeout != set->timeout)
4010 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4013 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4014 if (!(set->flags & NFT_SET_OBJECT)) {
4018 obj = nft_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4019 set->objtype, genmask);
4024 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4027 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4028 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4029 nla[NFTA_SET_ELEM_DATA]);
4034 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4037 dreg = nft_type_to_reg(set->dtype);
4038 list_for_each_entry(binding, &set->bindings, list) {
4039 struct nft_ctx bind_ctx = {
4041 .family = ctx->family,
4042 .table = ctx->table,
4043 .chain = (struct nft_chain *)binding->chain,
4046 if (!(binding->flags & NFT_SET_MAP))
4049 err = nft_validate_register_store(&bind_ctx, dreg,
4056 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4059 /* The full maximum length of userdata can exceed the maximum
4060 * offset value (U8_MAX) for following extensions, therefor it
4061 * must be the last extension added.
4064 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4065 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4067 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4072 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4073 timeout, GFP_KERNEL);
4074 if (elem.priv == NULL)
4077 ext = nft_set_elem_ext(set, elem.priv);
4079 *nft_set_ext_flags(ext) = flags;
4081 udata = nft_set_ext_userdata(ext);
4082 udata->len = ulen - 1;
4083 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4086 *nft_set_ext_obj(ext) = obj;
4090 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4094 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4095 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4097 if (err == -EEXIST) {
4098 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4099 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4100 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4101 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
4103 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4104 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4105 memcmp(nft_set_ext_data(ext),
4106 nft_set_ext_data(ext2), set->dlen) != 0) ||
4107 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4108 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4109 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4111 else if (!(nlmsg_flags & NLM_F_EXCL))
4118 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4123 nft_trans_elem(trans) = elem;
4124 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4128 set->ops->remove(ctx->net, set, &elem);
4134 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4135 nft_data_release(&data, d2.type);
4137 nft_data_release(&elem.key.val, d1.type);
4142 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4143 struct sk_buff *skb, const struct nlmsghdr *nlh,
4144 const struct nlattr * const nla[],
4145 struct netlink_ext_ack *extack)
4147 u8 genmask = nft_genmask_next(net);
4148 const struct nlattr *attr;
4149 struct nft_set *set;
4153 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4156 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4161 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4162 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4164 return PTR_ERR(set);
4166 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4169 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4170 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4178 * nft_data_hold - hold a nft_data item
4180 * @data: struct nft_data to release
4181 * @type: type of data
4183 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4184 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4185 * NFT_GOTO verdicts. This function must be called on active data objects
4186 * from the second phase of the commit protocol.
4188 static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4190 if (type == NFT_DATA_VERDICT) {
4191 switch (data->verdict.code) {
4194 data->verdict.chain->use++;
4200 static void nft_set_elem_activate(const struct net *net,
4201 const struct nft_set *set,
4202 struct nft_set_elem *elem)
4204 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4206 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4207 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4208 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4209 (*nft_set_ext_obj(ext))->use++;
4212 static void nft_set_elem_deactivate(const struct net *net,
4213 const struct nft_set *set,
4214 struct nft_set_elem *elem)
4216 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4218 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4219 nft_data_release(nft_set_ext_data(ext), set->dtype);
4220 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4221 (*nft_set_ext_obj(ext))->use--;
4224 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4225 const struct nlattr *attr)
4227 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4228 struct nft_set_ext_tmpl tmpl;
4229 struct nft_data_desc desc;
4230 struct nft_set_elem elem;
4231 struct nft_set_ext *ext;
4232 struct nft_trans *trans;
4237 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4238 nft_set_elem_policy, NULL);
4243 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4246 nft_set_ext_prepare(&tmpl);
4248 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4252 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4254 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4255 nla[NFTA_SET_ELEM_KEY]);
4260 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4263 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4266 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4268 if (elem.priv == NULL)
4271 ext = nft_set_elem_ext(set, elem.priv);
4273 *nft_set_ext_flags(ext) = flags;
4275 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4276 if (trans == NULL) {
4281 priv = set->ops->deactivate(ctx->net, set, &elem);
4289 nft_set_elem_deactivate(ctx->net, set, &elem);
4291 nft_trans_elem(trans) = elem;
4292 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4300 nft_data_release(&elem.key.val, desc.type);
4305 static int nft_flush_set(const struct nft_ctx *ctx,
4306 struct nft_set *set,
4307 const struct nft_set_iter *iter,
4308 struct nft_set_elem *elem)
4310 struct nft_trans *trans;
4313 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4314 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4318 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4324 nft_trans_elem_set(trans) = set;
4325 nft_trans_elem(trans) = *elem;
4326 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4334 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4335 struct sk_buff *skb, const struct nlmsghdr *nlh,
4336 const struct nlattr * const nla[],
4337 struct netlink_ext_ack *extack)
4339 u8 genmask = nft_genmask_next(net);
4340 const struct nlattr *attr;
4341 struct nft_set *set;
4345 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4350 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4352 return PTR_ERR(set);
4353 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4356 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4357 struct nft_set_iter iter = {
4359 .fn = nft_flush_set,
4361 set->ops->walk(&ctx, set, &iter);
4366 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4367 err = nft_del_setelem(&ctx, set, attr);
4376 void nft_set_gc_batch_release(struct rcu_head *rcu)
4378 struct nft_set_gc_batch *gcb;
4381 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4382 for (i = 0; i < gcb->head.cnt; i++)
4383 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4386 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4388 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4391 struct nft_set_gc_batch *gcb;
4393 gcb = kzalloc(sizeof(*gcb), gfp);
4396 gcb->head.set = set;
4399 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4406 * nft_register_obj- register nf_tables stateful object type
4409 * Registers the object type for use with nf_tables. Returns zero on
4410 * success or a negative errno code otherwise.
4412 int nft_register_obj(struct nft_object_type *obj_type)
4414 if (obj_type->type == NFT_OBJECT_UNSPEC)
4417 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4418 list_add_rcu(&obj_type->list, &nf_tables_objects);
4419 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4422 EXPORT_SYMBOL_GPL(nft_register_obj);
4425 * nft_unregister_obj - unregister nf_tables object type
4428 * Unregisters the object type for use with nf_tables.
4430 void nft_unregister_obj(struct nft_object_type *obj_type)
4432 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4433 list_del_rcu(&obj_type->list);
4434 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4436 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4438 struct nft_object *nft_obj_lookup(const struct nft_table *table,
4439 const struct nlattr *nla, u32 objtype,
4442 struct nft_object *obj;
4444 list_for_each_entry(obj, &table->objects, list) {
4445 if (!nla_strcmp(nla, obj->name) &&
4446 objtype == obj->ops->type->type &&
4447 nft_active_genmask(obj, genmask))
4450 return ERR_PTR(-ENOENT);
4452 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4454 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4455 const struct nlattr *nla,
4456 u32 objtype, u8 genmask)
4458 struct nft_object *obj;
4460 list_for_each_entry(obj, &table->objects, list) {
4461 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4462 objtype == obj->ops->type->type &&
4463 nft_active_genmask(obj, genmask))
4466 return ERR_PTR(-ENOENT);
4469 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4470 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4471 .len = NFT_TABLE_MAXNAMELEN - 1 },
4472 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4473 .len = NFT_OBJ_MAXNAMELEN - 1 },
4474 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4475 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4476 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4479 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4480 const struct nft_object_type *type,
4481 const struct nlattr *attr)
4484 const struct nft_object_ops *ops;
4485 struct nft_object *obj;
4488 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4493 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4498 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4501 if (type->select_ops) {
4502 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4512 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4516 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4529 return ERR_PTR(err);
4532 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4533 struct nft_object *obj, bool reset)
4535 struct nlattr *nest;
4537 nest = nla_nest_start(skb, attr);
4539 goto nla_put_failure;
4540 if (obj->ops->dump(skb, obj, reset) < 0)
4541 goto nla_put_failure;
4542 nla_nest_end(skb, nest);
4549 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4551 const struct nft_object_type *type;
4553 list_for_each_entry(type, &nf_tables_objects, list) {
4554 if (objtype == type->type)
4560 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4562 const struct nft_object_type *type;
4564 type = __nft_obj_type_get(objtype);
4565 if (type != NULL && try_module_get(type->owner))
4568 #ifdef CONFIG_MODULES
4570 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4571 request_module("nft-obj-%u", objtype);
4572 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4573 if (__nft_obj_type_get(objtype))
4574 return ERR_PTR(-EAGAIN);
4577 return ERR_PTR(-ENOENT);
4580 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4581 struct sk_buff *skb, const struct nlmsghdr *nlh,
4582 const struct nlattr * const nla[],
4583 struct netlink_ext_ack *extack)
4585 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4586 const struct nft_object_type *type;
4587 u8 genmask = nft_genmask_next(net);
4588 int family = nfmsg->nfgen_family;
4589 struct nft_table *table;
4590 struct nft_object *obj;
4595 if (!nla[NFTA_OBJ_TYPE] ||
4596 !nla[NFTA_OBJ_NAME] ||
4597 !nla[NFTA_OBJ_DATA])
4600 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4601 if (IS_ERR(table)) {
4602 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4603 return PTR_ERR(table);
4606 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4607 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4610 if (err != -ENOENT) {
4611 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4615 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4616 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4622 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4624 type = nft_obj_type_get(objtype);
4626 return PTR_ERR(type);
4628 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4634 obj->handle = nf_tables_alloc_handle(table);
4636 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4642 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4646 list_add_tail_rcu(&obj->list, &table->objects);
4652 if (obj->ops->destroy)
4653 obj->ops->destroy(obj);
4656 module_put(type->owner);
4660 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4661 u32 portid, u32 seq, int event, u32 flags,
4662 int family, const struct nft_table *table,
4663 struct nft_object *obj, bool reset)
4665 struct nfgenmsg *nfmsg;
4666 struct nlmsghdr *nlh;
4668 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4669 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4671 goto nla_put_failure;
4673 nfmsg = nlmsg_data(nlh);
4674 nfmsg->nfgen_family = family;
4675 nfmsg->version = NFNETLINK_V0;
4676 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4678 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4679 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4680 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4681 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4682 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4683 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4685 goto nla_put_failure;
4687 nlmsg_end(skb, nlh);
4691 nlmsg_trim(skb, nlh);
4695 struct nft_obj_filter {
4700 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4702 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4703 const struct nft_table *table;
4704 unsigned int idx = 0, s_idx = cb->args[0];
4705 struct nft_obj_filter *filter = cb->data;
4706 struct net *net = sock_net(skb->sk);
4707 int family = nfmsg->nfgen_family;
4708 struct nft_object *obj;
4711 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4715 cb->seq = net->nft.base_seq;
4717 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4718 if (family != NFPROTO_UNSPEC && family != table->family)
4721 list_for_each_entry_rcu(obj, &table->objects, list) {
4722 if (!nft_is_active(net, obj))
4727 memset(&cb->args[1], 0,
4728 sizeof(cb->args) - sizeof(cb->args[0]));
4729 if (filter && filter->table[0] &&
4730 strcmp(filter->table, table->name))
4733 filter->type != NFT_OBJECT_UNSPEC &&
4734 obj->ops->type->type != filter->type)
4737 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4740 NLM_F_MULTI | NLM_F_APPEND,
4741 table->family, table,
4745 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4757 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4759 struct nft_obj_filter *filter = cb->data;
4762 kfree(filter->table);
4769 static struct nft_obj_filter *
4770 nft_obj_filter_alloc(const struct nlattr * const nla[])
4772 struct nft_obj_filter *filter;
4774 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4776 return ERR_PTR(-ENOMEM);
4778 if (nla[NFTA_OBJ_TABLE]) {
4779 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4780 if (!filter->table) {
4782 return ERR_PTR(-ENOMEM);
4785 if (nla[NFTA_OBJ_TYPE])
4786 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4791 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4792 struct sk_buff *skb, const struct nlmsghdr *nlh,
4793 const struct nlattr * const nla[],
4794 struct netlink_ext_ack *extack)
4796 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4797 u8 genmask = nft_genmask_cur(net);
4798 int family = nfmsg->nfgen_family;
4799 const struct nft_table *table;
4800 struct nft_object *obj;
4801 struct sk_buff *skb2;
4806 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4807 struct netlink_dump_control c = {
4808 .dump = nf_tables_dump_obj,
4809 .done = nf_tables_dump_obj_done,
4812 if (nla[NFTA_OBJ_TABLE] ||
4813 nla[NFTA_OBJ_TYPE]) {
4814 struct nft_obj_filter *filter;
4816 filter = nft_obj_filter_alloc(nla);
4822 return netlink_dump_start(nlsk, skb, nlh, &c);
4825 if (!nla[NFTA_OBJ_NAME] ||
4826 !nla[NFTA_OBJ_TYPE])
4829 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4830 if (IS_ERR(table)) {
4831 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4832 return PTR_ERR(table);
4835 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4836 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4838 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4839 return PTR_ERR(obj);
4842 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4846 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4849 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4850 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4851 family, table, obj, reset);
4855 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4861 static void nft_obj_destroy(struct nft_object *obj)
4863 if (obj->ops->destroy)
4864 obj->ops->destroy(obj);
4866 module_put(obj->ops->type->owner);
4871 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4872 struct sk_buff *skb, const struct nlmsghdr *nlh,
4873 const struct nlattr * const nla[],
4874 struct netlink_ext_ack *extack)
4876 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4877 u8 genmask = nft_genmask_next(net);
4878 int family = nfmsg->nfgen_family;
4879 const struct nlattr *attr;
4880 struct nft_table *table;
4881 struct nft_object *obj;
4885 if (!nla[NFTA_OBJ_TYPE] ||
4886 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4889 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4890 if (IS_ERR(table)) {
4891 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4892 return PTR_ERR(table);
4895 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4896 if (nla[NFTA_OBJ_HANDLE]) {
4897 attr = nla[NFTA_OBJ_HANDLE];
4898 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
4900 attr = nla[NFTA_OBJ_NAME];
4901 obj = nft_obj_lookup(table, attr, objtype, genmask);
4905 NL_SET_BAD_ATTR(extack, attr);
4906 return PTR_ERR(obj);
4909 NL_SET_BAD_ATTR(extack, attr);
4913 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4915 return nft_delobj(&ctx, obj);
4918 void nft_obj_notify(struct net *net, struct nft_table *table,
4919 struct nft_object *obj, u32 portid, u32 seq, int event,
4920 int family, int report, gfp_t gfp)
4922 struct sk_buff *skb;
4926 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4929 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4933 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4940 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4943 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4945 EXPORT_SYMBOL_GPL(nft_obj_notify);
4947 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4948 struct nft_object *obj, int event)
4950 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4951 ctx->family, ctx->report, GFP_KERNEL);
4957 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4959 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4960 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4961 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4963 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4965 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4967 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4968 list_del_rcu(&type->list);
4969 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4971 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4973 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4974 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4975 .len = NFT_NAME_MAXLEN - 1 },
4976 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4977 .len = NFT_NAME_MAXLEN - 1 },
4978 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4979 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
4982 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
4983 const struct nlattr *nla, u8 genmask)
4985 struct nft_flowtable *flowtable;
4987 list_for_each_entry(flowtable, &table->flowtables, list) {
4988 if (!nla_strcmp(nla, flowtable->name) &&
4989 nft_active_genmask(flowtable, genmask))
4992 return ERR_PTR(-ENOENT);
4994 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
4996 static struct nft_flowtable *
4997 nft_flowtable_lookup_byhandle(const struct nft_table *table,
4998 const struct nlattr *nla, u8 genmask)
5000 struct nft_flowtable *flowtable;
5002 list_for_each_entry(flowtable, &table->flowtables, list) {
5003 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5004 nft_active_genmask(flowtable, genmask))
5007 return ERR_PTR(-ENOENT);
5010 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5011 const struct nlattr *attr,
5012 struct net_device *dev_array[], int *len)
5014 const struct nlattr *tmp;
5015 struct net_device *dev;
5016 char ifname[IFNAMSIZ];
5017 int rem, n = 0, err;
5019 nla_for_each_nested(tmp, attr, rem) {
5020 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5025 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5026 dev = __dev_get_by_name(ctx->net, ifname);
5032 dev_array[n++] = dev;
5033 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5047 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5048 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5049 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5050 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5053 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5054 const struct nlattr *attr,
5055 struct nft_flowtable *flowtable)
5057 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5058 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5059 struct nf_hook_ops *ops;
5060 int hooknum, priority;
5063 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5064 nft_flowtable_hook_policy, NULL);
5068 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5069 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5070 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5073 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5074 if (hooknum != NF_NETDEV_INGRESS)
5077 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5079 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5084 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
5088 flowtable->hooknum = hooknum;
5089 flowtable->priority = priority;
5090 flowtable->ops = ops;
5091 flowtable->ops_len = n;
5093 for (i = 0; i < n; i++) {
5094 flowtable->ops[i].pf = NFPROTO_NETDEV;
5095 flowtable->ops[i].hooknum = hooknum;
5096 flowtable->ops[i].priority = priority;
5097 flowtable->ops[i].priv = &flowtable->data;
5098 flowtable->ops[i].hook = flowtable->data.type->hook;
5099 flowtable->ops[i].dev = dev_array[i];
5100 flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
5107 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5109 const struct nf_flowtable_type *type;
5111 list_for_each_entry(type, &nf_tables_flowtables, list) {
5112 if (family == type->family)
5118 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5120 const struct nf_flowtable_type *type;
5122 type = __nft_flowtable_type_get(family);
5123 if (type != NULL && try_module_get(type->owner))
5126 #ifdef CONFIG_MODULES
5128 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5129 request_module("nf-flowtable-%u", family);
5130 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5131 if (__nft_flowtable_type_get(family))
5132 return ERR_PTR(-EAGAIN);
5135 return ERR_PTR(-ENOENT);
5138 static void nft_unregister_flowtable_net_hooks(struct net *net,
5139 struct nft_flowtable *flowtable)
5143 for (i = 0; i < flowtable->ops_len; i++) {
5144 if (!flowtable->ops[i].dev)
5147 nf_unregister_net_hook(net, &flowtable->ops[i]);
5151 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5152 struct sk_buff *skb,
5153 const struct nlmsghdr *nlh,
5154 const struct nlattr * const nla[],
5155 struct netlink_ext_ack *extack)
5157 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5158 const struct nf_flowtable_type *type;
5159 struct nft_flowtable *flowtable, *ft;
5160 u8 genmask = nft_genmask_next(net);
5161 int family = nfmsg->nfgen_family;
5162 struct nft_table *table;
5166 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5167 !nla[NFTA_FLOWTABLE_NAME] ||
5168 !nla[NFTA_FLOWTABLE_HOOK])
5171 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5173 if (IS_ERR(table)) {
5174 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5175 return PTR_ERR(table);
5178 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5180 if (IS_ERR(flowtable)) {
5181 err = PTR_ERR(flowtable);
5182 if (err != -ENOENT) {
5183 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5187 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5188 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5195 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5197 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5201 flowtable->table = table;
5202 flowtable->handle = nf_tables_alloc_handle(table);
5204 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5205 if (!flowtable->name) {
5210 type = nft_flowtable_type_get(family);
5212 err = PTR_ERR(type);
5216 flowtable->data.type = type;
5217 err = type->init(&flowtable->data);
5221 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5226 for (i = 0; i < flowtable->ops_len; i++) {
5227 if (!flowtable->ops[i].dev)
5230 list_for_each_entry(ft, &table->flowtables, list) {
5231 for (k = 0; k < ft->ops_len; k++) {
5232 if (!ft->ops[k].dev)
5235 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5236 flowtable->ops[i].pf == ft->ops[k].pf) {
5243 err = nf_register_net_hook(net, &flowtable->ops[i]);
5248 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5252 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5257 i = flowtable->ops_len;
5259 for (k = i - 1; k >= 0; k--) {
5260 kfree(flowtable->dev_name[k]);
5261 nf_unregister_net_hook(net, &flowtable->ops[k]);
5264 kfree(flowtable->ops);
5266 flowtable->data.type->free(&flowtable->data);
5268 module_put(type->owner);
5270 kfree(flowtable->name);
5276 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5277 struct sk_buff *skb,
5278 const struct nlmsghdr *nlh,
5279 const struct nlattr * const nla[],
5280 struct netlink_ext_ack *extack)
5282 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5283 u8 genmask = nft_genmask_next(net);
5284 int family = nfmsg->nfgen_family;
5285 struct nft_flowtable *flowtable;
5286 const struct nlattr *attr;
5287 struct nft_table *table;
5290 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5291 (!nla[NFTA_FLOWTABLE_NAME] &&
5292 !nla[NFTA_FLOWTABLE_HANDLE]))
5295 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5297 if (IS_ERR(table)) {
5298 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5299 return PTR_ERR(table);
5302 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5303 attr = nla[NFTA_FLOWTABLE_HANDLE];
5304 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5306 attr = nla[NFTA_FLOWTABLE_NAME];
5307 flowtable = nft_flowtable_lookup(table, attr, genmask);
5310 if (IS_ERR(flowtable)) {
5311 NL_SET_BAD_ATTR(extack, attr);
5312 return PTR_ERR(flowtable);
5314 if (flowtable->use > 0) {
5315 NL_SET_BAD_ATTR(extack, attr);
5319 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5321 return nft_delflowtable(&ctx, flowtable);
5324 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5325 u32 portid, u32 seq, int event,
5326 u32 flags, int family,
5327 struct nft_flowtable *flowtable)
5329 struct nlattr *nest, *nest_devs;
5330 struct nfgenmsg *nfmsg;
5331 struct nlmsghdr *nlh;
5334 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5335 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5337 goto nla_put_failure;
5339 nfmsg = nlmsg_data(nlh);
5340 nfmsg->nfgen_family = family;
5341 nfmsg->version = NFNETLINK_V0;
5342 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5344 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5345 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5346 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5347 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5348 NFTA_FLOWTABLE_PAD))
5349 goto nla_put_failure;
5351 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5352 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5353 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5354 goto nla_put_failure;
5356 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5358 goto nla_put_failure;
5360 for (i = 0; i < flowtable->ops_len; i++) {
5361 if (flowtable->dev_name[i][0] &&
5362 nla_put_string(skb, NFTA_DEVICE_NAME,
5363 flowtable->dev_name[i]))
5364 goto nla_put_failure;
5366 nla_nest_end(skb, nest_devs);
5367 nla_nest_end(skb, nest);
5369 nlmsg_end(skb, nlh);
5373 nlmsg_trim(skb, nlh);
5377 struct nft_flowtable_filter {
5381 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5382 struct netlink_callback *cb)
5384 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5385 struct nft_flowtable_filter *filter = cb->data;
5386 unsigned int idx = 0, s_idx = cb->args[0];
5387 struct net *net = sock_net(skb->sk);
5388 int family = nfmsg->nfgen_family;
5389 struct nft_flowtable *flowtable;
5390 const struct nft_table *table;
5393 cb->seq = net->nft.base_seq;
5395 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5396 if (family != NFPROTO_UNSPEC && family != table->family)
5399 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5400 if (!nft_is_active(net, flowtable))
5405 memset(&cb->args[1], 0,
5406 sizeof(cb->args) - sizeof(cb->args[0]));
5407 if (filter && filter->table[0] &&
5408 strcmp(filter->table, table->name))
5411 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5413 NFT_MSG_NEWFLOWTABLE,
5414 NLM_F_MULTI | NLM_F_APPEND,
5415 table->family, flowtable) < 0)
5418 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5430 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5432 struct nft_flowtable_filter *filter = cb->data;
5437 kfree(filter->table);
5443 static struct nft_flowtable_filter *
5444 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5446 struct nft_flowtable_filter *filter;
5448 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5450 return ERR_PTR(-ENOMEM);
5452 if (nla[NFTA_FLOWTABLE_TABLE]) {
5453 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5455 if (!filter->table) {
5457 return ERR_PTR(-ENOMEM);
5463 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5464 struct sk_buff *skb,
5465 const struct nlmsghdr *nlh,
5466 const struct nlattr * const nla[],
5467 struct netlink_ext_ack *extack)
5469 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5470 u8 genmask = nft_genmask_cur(net);
5471 int family = nfmsg->nfgen_family;
5472 struct nft_flowtable *flowtable;
5473 const struct nft_table *table;
5474 struct sk_buff *skb2;
5477 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5478 struct netlink_dump_control c = {
5479 .dump = nf_tables_dump_flowtable,
5480 .done = nf_tables_dump_flowtable_done,
5483 if (nla[NFTA_FLOWTABLE_TABLE]) {
5484 struct nft_flowtable_filter *filter;
5486 filter = nft_flowtable_filter_alloc(nla);
5492 return netlink_dump_start(nlsk, skb, nlh, &c);
5495 if (!nla[NFTA_FLOWTABLE_NAME])
5498 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5501 return PTR_ERR(table);
5503 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5505 if (IS_ERR(flowtable))
5506 return PTR_ERR(flowtable);
5508 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5512 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5514 NFT_MSG_NEWFLOWTABLE, 0, family,
5519 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5525 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5526 struct nft_flowtable *flowtable,
5529 struct sk_buff *skb;
5533 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5536 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5540 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5542 ctx->family, flowtable);
5548 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5549 ctx->report, GFP_KERNEL);
5552 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5555 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5557 kfree(flowtable->ops);
5558 kfree(flowtable->name);
5559 flowtable->data.type->free(&flowtable->data);
5560 module_put(flowtable->data.type->owner);
5563 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5564 u32 portid, u32 seq)
5566 struct nlmsghdr *nlh;
5567 struct nfgenmsg *nfmsg;
5568 char buf[TASK_COMM_LEN];
5569 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5571 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5573 goto nla_put_failure;
5575 nfmsg = nlmsg_data(nlh);
5576 nfmsg->nfgen_family = AF_UNSPEC;
5577 nfmsg->version = NFNETLINK_V0;
5578 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5580 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5581 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5582 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5583 goto nla_put_failure;
5585 nlmsg_end(skb, nlh);
5589 nlmsg_trim(skb, nlh);
5593 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5594 struct nft_flowtable *flowtable)
5598 for (i = 0; i < flowtable->ops_len; i++) {
5599 if (flowtable->ops[i].dev != dev)
5602 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5603 flowtable->dev_name[i][0] = '\0';
5604 flowtable->ops[i].dev = NULL;
5609 static int nf_tables_flowtable_event(struct notifier_block *this,
5610 unsigned long event, void *ptr)
5612 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5613 struct nft_flowtable *flowtable;
5614 struct nft_table *table;
5616 if (event != NETDEV_UNREGISTER)
5619 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5620 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5621 list_for_each_entry(flowtable, &table->flowtables, list) {
5622 nft_flowtable_event(event, dev, flowtable);
5625 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5630 static struct notifier_block nf_tables_flowtable_notifier = {
5631 .notifier_call = nf_tables_flowtable_event,
5634 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5637 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5638 struct sk_buff *skb2;
5641 if (nlmsg_report(nlh) &&
5642 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5645 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5649 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5656 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5657 nlmsg_report(nlh), GFP_KERNEL);
5660 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5664 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5665 struct sk_buff *skb, const struct nlmsghdr *nlh,
5666 const struct nlattr * const nla[],
5667 struct netlink_ext_ack *extack)
5669 struct sk_buff *skb2;
5672 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5676 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5681 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5687 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5688 [NFT_MSG_NEWTABLE] = {
5689 .call_batch = nf_tables_newtable,
5690 .attr_count = NFTA_TABLE_MAX,
5691 .policy = nft_table_policy,
5693 [NFT_MSG_GETTABLE] = {
5694 .call = nf_tables_gettable,
5695 .attr_count = NFTA_TABLE_MAX,
5696 .policy = nft_table_policy,
5698 [NFT_MSG_DELTABLE] = {
5699 .call_batch = nf_tables_deltable,
5700 .attr_count = NFTA_TABLE_MAX,
5701 .policy = nft_table_policy,
5703 [NFT_MSG_NEWCHAIN] = {
5704 .call_batch = nf_tables_newchain,
5705 .attr_count = NFTA_CHAIN_MAX,
5706 .policy = nft_chain_policy,
5708 [NFT_MSG_GETCHAIN] = {
5709 .call = nf_tables_getchain,
5710 .attr_count = NFTA_CHAIN_MAX,
5711 .policy = nft_chain_policy,
5713 [NFT_MSG_DELCHAIN] = {
5714 .call_batch = nf_tables_delchain,
5715 .attr_count = NFTA_CHAIN_MAX,
5716 .policy = nft_chain_policy,
5718 [NFT_MSG_NEWRULE] = {
5719 .call_batch = nf_tables_newrule,
5720 .attr_count = NFTA_RULE_MAX,
5721 .policy = nft_rule_policy,
5723 [NFT_MSG_GETRULE] = {
5724 .call = nf_tables_getrule,
5725 .attr_count = NFTA_RULE_MAX,
5726 .policy = nft_rule_policy,
5728 [NFT_MSG_DELRULE] = {
5729 .call_batch = nf_tables_delrule,
5730 .attr_count = NFTA_RULE_MAX,
5731 .policy = nft_rule_policy,
5733 [NFT_MSG_NEWSET] = {
5734 .call_batch = nf_tables_newset,
5735 .attr_count = NFTA_SET_MAX,
5736 .policy = nft_set_policy,
5738 [NFT_MSG_GETSET] = {
5739 .call = nf_tables_getset,
5740 .attr_count = NFTA_SET_MAX,
5741 .policy = nft_set_policy,
5743 [NFT_MSG_DELSET] = {
5744 .call_batch = nf_tables_delset,
5745 .attr_count = NFTA_SET_MAX,
5746 .policy = nft_set_policy,
5748 [NFT_MSG_NEWSETELEM] = {
5749 .call_batch = nf_tables_newsetelem,
5750 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5751 .policy = nft_set_elem_list_policy,
5753 [NFT_MSG_GETSETELEM] = {
5754 .call = nf_tables_getsetelem,
5755 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5756 .policy = nft_set_elem_list_policy,
5758 [NFT_MSG_DELSETELEM] = {
5759 .call_batch = nf_tables_delsetelem,
5760 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5761 .policy = nft_set_elem_list_policy,
5763 [NFT_MSG_GETGEN] = {
5764 .call = nf_tables_getgen,
5766 [NFT_MSG_NEWOBJ] = {
5767 .call_batch = nf_tables_newobj,
5768 .attr_count = NFTA_OBJ_MAX,
5769 .policy = nft_obj_policy,
5771 [NFT_MSG_GETOBJ] = {
5772 .call = nf_tables_getobj,
5773 .attr_count = NFTA_OBJ_MAX,
5774 .policy = nft_obj_policy,
5776 [NFT_MSG_DELOBJ] = {
5777 .call_batch = nf_tables_delobj,
5778 .attr_count = NFTA_OBJ_MAX,
5779 .policy = nft_obj_policy,
5781 [NFT_MSG_GETOBJ_RESET] = {
5782 .call = nf_tables_getobj,
5783 .attr_count = NFTA_OBJ_MAX,
5784 .policy = nft_obj_policy,
5786 [NFT_MSG_NEWFLOWTABLE] = {
5787 .call_batch = nf_tables_newflowtable,
5788 .attr_count = NFTA_FLOWTABLE_MAX,
5789 .policy = nft_flowtable_policy,
5791 [NFT_MSG_GETFLOWTABLE] = {
5792 .call = nf_tables_getflowtable,
5793 .attr_count = NFTA_FLOWTABLE_MAX,
5794 .policy = nft_flowtable_policy,
5796 [NFT_MSG_DELFLOWTABLE] = {
5797 .call_batch = nf_tables_delflowtable,
5798 .attr_count = NFTA_FLOWTABLE_MAX,
5799 .policy = nft_flowtable_policy,
5803 static void nft_chain_commit_update(struct nft_trans *trans)
5805 struct nft_base_chain *basechain;
5807 if (nft_trans_chain_name(trans))
5808 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5810 if (!nft_is_base_chain(trans->ctx.chain))
5813 basechain = nft_base_chain(trans->ctx.chain);
5814 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5816 switch (nft_trans_chain_policy(trans)) {
5819 basechain->policy = nft_trans_chain_policy(trans);
5824 static void nf_tables_commit_release(struct nft_trans *trans)
5826 switch (trans->msg_type) {
5827 case NFT_MSG_DELTABLE:
5828 nf_tables_table_destroy(&trans->ctx);
5830 case NFT_MSG_DELCHAIN:
5831 nf_tables_chain_destroy(&trans->ctx);
5833 case NFT_MSG_DELRULE:
5834 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5836 case NFT_MSG_DELSET:
5837 nft_set_destroy(nft_trans_set(trans));
5839 case NFT_MSG_DELSETELEM:
5840 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5841 nft_trans_elem(trans).priv);
5843 case NFT_MSG_DELOBJ:
5844 nft_obj_destroy(nft_trans_obj(trans));
5846 case NFT_MSG_DELFLOWTABLE:
5847 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5853 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5855 struct nft_trans *trans, *next;
5856 struct nft_trans_elem *te;
5858 /* Bump generation counter, invalidate any dump in progress */
5859 while (++net->nft.base_seq == 0);
5861 /* A new generation has just started */
5862 net->nft.gencursor = nft_gencursor_next(net);
5864 /* Make sure all packets have left the previous generation before
5865 * purging old rules.
5869 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5870 switch (trans->msg_type) {
5871 case NFT_MSG_NEWTABLE:
5872 if (nft_trans_table_update(trans)) {
5873 if (!nft_trans_table_enable(trans)) {
5874 nf_tables_table_disable(net,
5876 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5879 nft_clear(net, trans->ctx.table);
5881 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5882 nft_trans_destroy(trans);
5884 case NFT_MSG_DELTABLE:
5885 list_del_rcu(&trans->ctx.table->list);
5886 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5888 case NFT_MSG_NEWCHAIN:
5889 if (nft_trans_chain_update(trans))
5890 nft_chain_commit_update(trans);
5892 nft_clear(net, trans->ctx.chain);
5894 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5895 nft_trans_destroy(trans);
5897 case NFT_MSG_DELCHAIN:
5898 list_del_rcu(&trans->ctx.chain->list);
5899 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5900 nf_tables_unregister_hook(trans->ctx.net,
5904 case NFT_MSG_NEWRULE:
5905 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5906 nf_tables_rule_notify(&trans->ctx,
5907 nft_trans_rule(trans),
5909 nft_trans_destroy(trans);
5911 case NFT_MSG_DELRULE:
5912 list_del_rcu(&nft_trans_rule(trans)->list);
5913 nf_tables_rule_notify(&trans->ctx,
5914 nft_trans_rule(trans),
5917 case NFT_MSG_NEWSET:
5918 nft_clear(net, nft_trans_set(trans));
5919 /* This avoids hitting -EBUSY when deleting the table
5920 * from the transaction.
5922 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5923 !list_empty(&nft_trans_set(trans)->bindings))
5924 trans->ctx.table->use--;
5926 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5927 NFT_MSG_NEWSET, GFP_KERNEL);
5928 nft_trans_destroy(trans);
5930 case NFT_MSG_DELSET:
5931 list_del_rcu(&nft_trans_set(trans)->list);
5932 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5933 NFT_MSG_DELSET, GFP_KERNEL);
5935 case NFT_MSG_NEWSETELEM:
5936 te = (struct nft_trans_elem *)trans->data;
5938 te->set->ops->activate(net, te->set, &te->elem);
5939 nf_tables_setelem_notify(&trans->ctx, te->set,
5941 NFT_MSG_NEWSETELEM, 0);
5942 nft_trans_destroy(trans);
5944 case NFT_MSG_DELSETELEM:
5945 te = (struct nft_trans_elem *)trans->data;
5947 nf_tables_setelem_notify(&trans->ctx, te->set,
5949 NFT_MSG_DELSETELEM, 0);
5950 te->set->ops->remove(net, te->set, &te->elem);
5951 atomic_dec(&te->set->nelems);
5954 case NFT_MSG_NEWOBJ:
5955 nft_clear(net, nft_trans_obj(trans));
5956 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5958 nft_trans_destroy(trans);
5960 case NFT_MSG_DELOBJ:
5961 list_del_rcu(&nft_trans_obj(trans)->list);
5962 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5965 case NFT_MSG_NEWFLOWTABLE:
5966 nft_clear(net, nft_trans_flowtable(trans));
5967 nf_tables_flowtable_notify(&trans->ctx,
5968 nft_trans_flowtable(trans),
5969 NFT_MSG_NEWFLOWTABLE);
5970 nft_trans_destroy(trans);
5972 case NFT_MSG_DELFLOWTABLE:
5973 list_del_rcu(&nft_trans_flowtable(trans)->list);
5974 nf_tables_flowtable_notify(&trans->ctx,
5975 nft_trans_flowtable(trans),
5976 NFT_MSG_DELFLOWTABLE);
5977 nft_unregister_flowtable_net_hooks(net,
5978 nft_trans_flowtable(trans));
5985 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5986 list_del(&trans->list);
5987 nf_tables_commit_release(trans);
5990 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5995 static void nf_tables_abort_release(struct nft_trans *trans)
5997 switch (trans->msg_type) {
5998 case NFT_MSG_NEWTABLE:
5999 nf_tables_table_destroy(&trans->ctx);
6001 case NFT_MSG_NEWCHAIN:
6002 nf_tables_chain_destroy(&trans->ctx);
6004 case NFT_MSG_NEWRULE:
6005 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6007 case NFT_MSG_NEWSET:
6008 nft_set_destroy(nft_trans_set(trans));
6010 case NFT_MSG_NEWSETELEM:
6011 nft_set_elem_destroy(nft_trans_elem_set(trans),
6012 nft_trans_elem(trans).priv, true);
6014 case NFT_MSG_NEWOBJ:
6015 nft_obj_destroy(nft_trans_obj(trans));
6017 case NFT_MSG_NEWFLOWTABLE:
6018 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6024 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6026 struct nft_trans *trans, *next;
6027 struct nft_trans_elem *te;
6029 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6031 switch (trans->msg_type) {
6032 case NFT_MSG_NEWTABLE:
6033 if (nft_trans_table_update(trans)) {
6034 if (nft_trans_table_enable(trans)) {
6035 nf_tables_table_disable(net,
6037 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6039 nft_trans_destroy(trans);
6041 list_del_rcu(&trans->ctx.table->list);
6044 case NFT_MSG_DELTABLE:
6045 nft_clear(trans->ctx.net, trans->ctx.table);
6046 nft_trans_destroy(trans);
6048 case NFT_MSG_NEWCHAIN:
6049 if (nft_trans_chain_update(trans)) {
6050 free_percpu(nft_trans_chain_stats(trans));
6052 nft_trans_destroy(trans);
6054 trans->ctx.table->use--;
6055 list_del_rcu(&trans->ctx.chain->list);
6056 nf_tables_unregister_hook(trans->ctx.net,
6061 case NFT_MSG_DELCHAIN:
6062 trans->ctx.table->use++;
6063 nft_clear(trans->ctx.net, trans->ctx.chain);
6064 nft_trans_destroy(trans);
6066 case NFT_MSG_NEWRULE:
6067 trans->ctx.chain->use--;
6068 list_del_rcu(&nft_trans_rule(trans)->list);
6070 case NFT_MSG_DELRULE:
6071 trans->ctx.chain->use++;
6072 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6073 nft_trans_destroy(trans);
6075 case NFT_MSG_NEWSET:
6076 trans->ctx.table->use--;
6077 list_del_rcu(&nft_trans_set(trans)->list);
6079 case NFT_MSG_DELSET:
6080 trans->ctx.table->use++;
6081 nft_clear(trans->ctx.net, nft_trans_set(trans));
6082 nft_trans_destroy(trans);
6084 case NFT_MSG_NEWSETELEM:
6085 te = (struct nft_trans_elem *)trans->data;
6087 te->set->ops->remove(net, te->set, &te->elem);
6088 atomic_dec(&te->set->nelems);
6090 case NFT_MSG_DELSETELEM:
6091 te = (struct nft_trans_elem *)trans->data;
6093 nft_set_elem_activate(net, te->set, &te->elem);
6094 te->set->ops->activate(net, te->set, &te->elem);
6097 nft_trans_destroy(trans);
6099 case NFT_MSG_NEWOBJ:
6100 trans->ctx.table->use--;
6101 list_del_rcu(&nft_trans_obj(trans)->list);
6103 case NFT_MSG_DELOBJ:
6104 trans->ctx.table->use++;
6105 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6106 nft_trans_destroy(trans);
6108 case NFT_MSG_NEWFLOWTABLE:
6109 trans->ctx.table->use--;
6110 list_del_rcu(&nft_trans_flowtable(trans)->list);
6111 nft_unregister_flowtable_net_hooks(net,
6112 nft_trans_flowtable(trans));
6114 case NFT_MSG_DELFLOWTABLE:
6115 trans->ctx.table->use++;
6116 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6117 nft_trans_destroy(trans);
6124 list_for_each_entry_safe_reverse(trans, next,
6125 &net->nft.commit_list, list) {
6126 list_del(&trans->list);
6127 nf_tables_abort_release(trans);
6133 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6135 return net->nft.base_seq == genid;
6138 static const struct nfnetlink_subsystem nf_tables_subsys = {
6139 .name = "nf_tables",
6140 .subsys_id = NFNL_SUBSYS_NFTABLES,
6141 .cb_count = NFT_MSG_MAX,
6143 .commit = nf_tables_commit,
6144 .abort = nf_tables_abort,
6145 .valid_genid = nf_tables_valid_genid,
6148 int nft_chain_validate_dependency(const struct nft_chain *chain,
6149 enum nft_chain_types type)
6151 const struct nft_base_chain *basechain;
6153 if (nft_is_base_chain(chain)) {
6154 basechain = nft_base_chain(chain);
6155 if (basechain->type->type != type)
6160 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6162 int nft_chain_validate_hooks(const struct nft_chain *chain,
6163 unsigned int hook_flags)
6165 struct nft_base_chain *basechain;
6167 if (nft_is_base_chain(chain)) {
6168 basechain = nft_base_chain(chain);
6170 if ((1 << basechain->ops.hooknum) & hook_flags)
6178 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6181 * Loop detection - walk through the ruleset beginning at the destination chain
6182 * of a new jump until either the source chain is reached (loop) or all
6183 * reachable chains have been traversed.
6185 * The loop check is performed whenever a new jump verdict is added to an
6186 * expression or verdict map or a verdict map is bound to a new chain.
6189 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6190 const struct nft_chain *chain);
6192 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6193 struct nft_set *set,
6194 const struct nft_set_iter *iter,
6195 struct nft_set_elem *elem)
6197 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6198 const struct nft_data *data;
6200 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6201 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6204 data = nft_set_ext_data(ext);
6205 switch (data->verdict.code) {
6208 return nf_tables_check_loops(ctx, data->verdict.chain);
6214 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6215 const struct nft_chain *chain)
6217 const struct nft_rule *rule;
6218 const struct nft_expr *expr, *last;
6219 struct nft_set *set;
6220 struct nft_set_binding *binding;
6221 struct nft_set_iter iter;
6223 if (ctx->chain == chain)
6226 list_for_each_entry(rule, &chain->rules, list) {
6227 nft_rule_for_each_expr(expr, last, rule) {
6228 const struct nft_data *data = NULL;
6231 if (!expr->ops->validate)
6234 err = expr->ops->validate(ctx, expr, &data);
6241 switch (data->verdict.code) {
6244 err = nf_tables_check_loops(ctx,
6245 data->verdict.chain);
6254 list_for_each_entry(set, &ctx->table->sets, list) {
6255 if (!nft_is_active_next(ctx->net, set))
6257 if (!(set->flags & NFT_SET_MAP) ||
6258 set->dtype != NFT_DATA_VERDICT)
6261 list_for_each_entry(binding, &set->bindings, list) {
6262 if (!(binding->flags & NFT_SET_MAP) ||
6263 binding->chain != chain)
6266 iter.genmask = nft_genmask_next(ctx->net);
6270 iter.fn = nf_tables_loop_check_setelem;
6272 set->ops->walk(ctx, set, &iter);
6282 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6284 * @attr: netlink attribute to fetch value from
6285 * @max: maximum value to be stored in dest
6286 * @dest: pointer to the variable
6288 * Parse, check and store a given u32 netlink attribute into variable.
6289 * This function returns -ERANGE if the value goes over maximum value.
6290 * Otherwise a 0 is returned and the attribute value is stored in the
6291 * destination variable.
6293 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6297 val = ntohl(nla_get_be32(attr));
6304 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6307 * nft_parse_register - parse a register value from a netlink attribute
6309 * @attr: netlink attribute
6311 * Parse and translate a register value from a netlink attribute.
6312 * Registers used to be 128 bit wide, these register numbers will be
6313 * mapped to the corresponding 32 bit register numbers.
6315 unsigned int nft_parse_register(const struct nlattr *attr)
6319 reg = ntohl(nla_get_be32(attr));
6321 case NFT_REG_VERDICT...NFT_REG_4:
6322 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6324 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6327 EXPORT_SYMBOL_GPL(nft_parse_register);
6330 * nft_dump_register - dump a register value to a netlink attribute
6332 * @skb: socket buffer
6333 * @attr: attribute number
6334 * @reg: register number
6336 * Construct a netlink attribute containing the register number. For
6337 * compatibility reasons, register numbers being a multiple of 4 are
6338 * translated to the corresponding 128 bit register numbers.
6340 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6342 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6343 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6345 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6347 return nla_put_be32(skb, attr, htonl(reg));
6349 EXPORT_SYMBOL_GPL(nft_dump_register);
6352 * nft_validate_register_load - validate a load from a register
6354 * @reg: the register number
6355 * @len: the length of the data
6357 * Validate that the input register is one of the general purpose
6358 * registers and that the length of the load is within the bounds.
6360 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6362 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6366 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6371 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6374 * nft_validate_register_store - validate an expressions' register store
6376 * @ctx: context of the expression performing the load
6377 * @reg: the destination register number
6378 * @data: the data to load
6379 * @type: the data type
6380 * @len: the length of the data
6382 * Validate that a data load uses the appropriate data type for
6383 * the destination register and the length is within the bounds.
6384 * A value of NULL for the data means that its runtime gathered
6387 int nft_validate_register_store(const struct nft_ctx *ctx,
6388 enum nft_registers reg,
6389 const struct nft_data *data,
6390 enum nft_data_types type, unsigned int len)
6395 case NFT_REG_VERDICT:
6396 if (type != NFT_DATA_VERDICT)
6400 (data->verdict.code == NFT_GOTO ||
6401 data->verdict.code == NFT_JUMP)) {
6402 err = nf_tables_check_loops(ctx, data->verdict.chain);
6406 if (ctx->chain->level + 1 >
6407 data->verdict.chain->level) {
6408 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6410 data->verdict.chain->level = ctx->chain->level + 1;
6416 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6420 if (reg * NFT_REG32_SIZE + len >
6421 FIELD_SIZEOF(struct nft_regs, data))
6424 if (data != NULL && type != NFT_DATA_VALUE)
6429 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6431 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6432 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6433 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6434 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6437 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6438 struct nft_data_desc *desc, const struct nlattr *nla)
6440 u8 genmask = nft_genmask_next(ctx->net);
6441 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6442 struct nft_chain *chain;
6445 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6450 if (!tb[NFTA_VERDICT_CODE])
6452 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6454 switch (data->verdict.code) {
6456 switch (data->verdict.code & NF_VERDICT_MASK) {
6471 if (!tb[NFTA_VERDICT_CHAIN])
6473 chain = nft_chain_lookup(ctx->table, tb[NFTA_VERDICT_CHAIN],
6476 return PTR_ERR(chain);
6477 if (nft_is_base_chain(chain))
6481 data->verdict.chain = chain;
6485 desc->len = sizeof(data->verdict);
6486 desc->type = NFT_DATA_VERDICT;
6490 static void nft_verdict_uninit(const struct nft_data *data)
6492 switch (data->verdict.code) {
6495 data->verdict.chain->use--;
6500 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6502 struct nlattr *nest;
6504 nest = nla_nest_start(skb, type);
6506 goto nla_put_failure;
6508 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6509 goto nla_put_failure;
6514 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6516 goto nla_put_failure;
6518 nla_nest_end(skb, nest);
6525 static int nft_value_init(const struct nft_ctx *ctx,
6526 struct nft_data *data, unsigned int size,
6527 struct nft_data_desc *desc, const struct nlattr *nla)
6537 nla_memcpy(data->data, nla, len);
6538 desc->type = NFT_DATA_VALUE;
6543 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6546 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6549 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6550 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6551 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6555 * nft_data_init - parse nf_tables data netlink attributes
6557 * @ctx: context of the expression using the data
6558 * @data: destination struct nft_data
6559 * @size: maximum data length
6560 * @desc: data description
6561 * @nla: netlink attribute containing data
6563 * Parse the netlink data attributes and initialize a struct nft_data.
6564 * The type and length of data are returned in the data description.
6566 * The caller can indicate that it only wants to accept data of type
6567 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6569 int nft_data_init(const struct nft_ctx *ctx,
6570 struct nft_data *data, unsigned int size,
6571 struct nft_data_desc *desc, const struct nlattr *nla)
6573 struct nlattr *tb[NFTA_DATA_MAX + 1];
6576 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6580 if (tb[NFTA_DATA_VALUE])
6581 return nft_value_init(ctx, data, size, desc,
6582 tb[NFTA_DATA_VALUE]);
6583 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6584 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6587 EXPORT_SYMBOL_GPL(nft_data_init);
6590 * nft_data_release - release a nft_data item
6592 * @data: struct nft_data to release
6593 * @type: type of data
6595 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6596 * all others need to be released by calling this function.
6598 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6600 if (type < NFT_DATA_VERDICT)
6603 case NFT_DATA_VERDICT:
6604 return nft_verdict_uninit(data);
6609 EXPORT_SYMBOL_GPL(nft_data_release);
6611 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6612 enum nft_data_types type, unsigned int len)
6614 struct nlattr *nest;
6617 nest = nla_nest_start(skb, attr);
6622 case NFT_DATA_VALUE:
6623 err = nft_value_dump(skb, data, len);
6625 case NFT_DATA_VERDICT:
6626 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6633 nla_nest_end(skb, nest);
6636 EXPORT_SYMBOL_GPL(nft_data_dump);
6638 int __nft_release_basechain(struct nft_ctx *ctx)
6640 struct nft_rule *rule, *nr;
6642 BUG_ON(!nft_is_base_chain(ctx->chain));
6644 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6645 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6646 list_del(&rule->list);
6648 nf_tables_rule_destroy(ctx, rule);
6650 list_del(&ctx->chain->list);
6652 nf_tables_chain_destroy(ctx);
6656 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6658 static void __nft_release_tables(struct net *net)
6660 struct nft_flowtable *flowtable, *nf;
6661 struct nft_table *table, *nt;
6662 struct nft_chain *chain, *nc;
6663 struct nft_object *obj, *ne;
6664 struct nft_rule *rule, *nr;
6665 struct nft_set *set, *ns;
6666 struct nft_ctx ctx = {
6668 .family = NFPROTO_NETDEV,
6671 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6672 ctx.family = table->family;
6674 list_for_each_entry(chain, &table->chains, list)
6675 nf_tables_unregister_hook(net, table, chain);
6676 list_for_each_entry(flowtable, &table->flowtables, list)
6677 nf_unregister_net_hooks(net, flowtable->ops,
6678 flowtable->ops_len);
6679 /* No packets are walking on these chains anymore. */
6681 list_for_each_entry(chain, &table->chains, list) {
6683 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6684 list_del(&rule->list);
6686 nf_tables_rule_destroy(&ctx, rule);
6689 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6690 list_del(&flowtable->list);
6692 nf_tables_flowtable_destroy(flowtable);
6694 list_for_each_entry_safe(set, ns, &table->sets, list) {
6695 list_del(&set->list);
6697 nft_set_destroy(set);
6699 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6700 list_del(&obj->list);
6702 nft_obj_destroy(obj);
6704 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6706 list_del(&chain->list);
6708 nf_tables_chain_destroy(&ctx);
6710 list_del(&table->list);
6711 nf_tables_table_destroy(&ctx);
6715 static int __net_init nf_tables_init_net(struct net *net)
6717 INIT_LIST_HEAD(&net->nft.tables);
6718 INIT_LIST_HEAD(&net->nft.commit_list);
6719 net->nft.base_seq = 1;
6723 static void __net_exit nf_tables_exit_net(struct net *net)
6725 __nft_release_tables(net);
6726 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6727 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6730 static struct pernet_operations nf_tables_net_ops = {
6731 .init = nf_tables_init_net,
6732 .exit = nf_tables_exit_net,
6735 static int __init nf_tables_module_init(void)
6739 nft_chain_filter_init();
6741 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6748 err = nf_tables_core_module_init();
6752 err = nfnetlink_subsys_register(&nf_tables_subsys);
6756 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6758 return register_pernet_subsys(&nf_tables_net_ops);
6760 nf_tables_core_module_exit();
6767 static void __exit nf_tables_module_exit(void)
6769 unregister_pernet_subsys(&nf_tables_net_ops);
6770 nfnetlink_subsys_unregister(&nf_tables_subsys);
6771 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6773 nf_tables_core_module_exit();
6775 nft_chain_filter_fini();
6778 module_init(nf_tables_module_init);
6779 module_exit(nf_tables_module_exit);
6781 MODULE_LICENSE("GPL");
6782 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6783 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob