2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 /* removal requests are queued in the commit_list, but not acted upon
78 * until after all new rules are in place.
80 * Therefore, nf_register_net_hook(net, &nat_hook) runs before pending
81 * nf_unregister_net_hook().
83 * nf_register_net_hook thus fails if a nat hook is already in place
84 * even if the conflicting hook is about to be removed.
86 * If collision is detected, search commit_log for DELCHAIN matching
87 * the new nat hooknum; if we find one collision is temporary:
89 * Either transaction is aborted (new/colliding hook is removed), or
90 * transaction is committed (old hook is removed).
92 static bool nf_tables_allow_nat_conflict(const struct net *net,
93 const struct nf_hook_ops *ops)
95 const struct nft_trans *trans;
101 list_for_each_entry(trans, &net->nft.commit_list, list) {
102 const struct nf_hook_ops *pending_ops;
103 const struct nft_chain *pending;
105 if (trans->msg_type != NFT_MSG_NEWCHAIN &&
106 trans->msg_type != NFT_MSG_DELCHAIN)
109 pending = trans->ctx.chain;
110 if (!nft_is_base_chain(pending))
113 pending_ops = &nft_base_chain(pending)->ops;
114 if (pending_ops->nat_hook &&
115 pending_ops->pf == ops->pf &&
116 pending_ops->hooknum == ops->hooknum) {
117 /* other hook registration already pending? */
118 if (trans->msg_type == NFT_MSG_NEWCHAIN)
128 static int nf_tables_register_hook(struct net *net,
129 const struct nft_table *table,
130 struct nft_chain *chain)
132 struct nf_hook_ops *ops;
135 if (table->flags & NFT_TABLE_F_DORMANT ||
136 !nft_is_base_chain(chain))
139 ops = &nft_base_chain(chain)->ops;
140 ret = nf_register_net_hook(net, ops);
141 if (ret == -EBUSY && nf_tables_allow_nat_conflict(net, ops)) {
142 ops->nat_hook = false;
143 ret = nf_register_net_hook(net, ops);
144 ops->nat_hook = true;
150 static void nf_tables_unregister_hook(struct net *net,
151 const struct nft_table *table,
152 struct nft_chain *chain)
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !nft_is_base_chain(chain))
158 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
161 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
163 struct nft_trans *trans;
165 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
169 if (msg_type == NFT_MSG_NEWTABLE)
170 nft_activate_next(ctx->net, ctx->table);
172 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
176 static int nft_deltable(struct nft_ctx *ctx)
180 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
184 nft_deactivate_next(ctx->net, ctx->table);
188 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
190 struct nft_trans *trans;
192 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
196 if (msg_type == NFT_MSG_NEWCHAIN)
197 nft_activate_next(ctx->net, ctx->chain);
199 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
203 static int nft_delchain(struct nft_ctx *ctx)
207 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
212 nft_deactivate_next(ctx->net, ctx->chain);
218 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
220 /* You cannot delete the same rule twice */
221 if (nft_is_active_next(ctx->net, rule)) {
222 nft_deactivate_next(ctx->net, rule);
229 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
230 struct nft_rule *rule)
232 struct nft_trans *trans;
234 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
238 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
239 nft_trans_rule_id(trans) =
240 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
242 nft_trans_rule(trans) = rule;
243 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
248 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
250 struct nft_trans *trans;
253 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
257 err = nf_tables_delrule_deactivate(ctx, rule);
259 nft_trans_destroy(trans);
266 static int nft_delrule_by_chain(struct nft_ctx *ctx)
268 struct nft_rule *rule;
271 list_for_each_entry(rule, &ctx->chain->rules, list) {
272 err = nft_delrule(ctx, rule);
279 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
282 struct nft_trans *trans;
284 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
288 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
289 nft_trans_set_id(trans) =
290 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
291 nft_activate_next(ctx->net, set);
293 nft_trans_set(trans) = set;
294 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
299 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
303 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
307 nft_deactivate_next(ctx->net, set);
313 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
314 struct nft_object *obj)
316 struct nft_trans *trans;
318 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
322 if (msg_type == NFT_MSG_NEWOBJ)
323 nft_activate_next(ctx->net, obj);
325 nft_trans_obj(trans) = obj;
326 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
331 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
335 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
339 nft_deactivate_next(ctx->net, obj);
345 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
346 struct nft_flowtable *flowtable)
348 struct nft_trans *trans;
350 trans = nft_trans_alloc(ctx, msg_type,
351 sizeof(struct nft_trans_flowtable));
355 if (msg_type == NFT_MSG_NEWFLOWTABLE)
356 nft_activate_next(ctx->net, flowtable);
358 nft_trans_flowtable(trans) = flowtable;
359 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
364 static int nft_delflowtable(struct nft_ctx *ctx,
365 struct nft_flowtable *flowtable)
369 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
373 nft_deactivate_next(ctx->net, flowtable);
383 static struct nft_table *nft_table_lookup(const struct net *net,
384 const struct nlattr *nla,
385 u8 family, u8 genmask)
387 struct nft_table *table;
389 list_for_each_entry(table, &net->nft.tables, list) {
390 if (!nla_strcmp(nla, table->name) &&
391 table->family == family &&
392 nft_active_genmask(table, genmask))
398 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
399 const struct nlattr *nla,
402 struct nft_table *table;
404 list_for_each_entry(table, &net->nft.tables, list) {
405 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
406 nft_active_genmask(table, genmask))
412 static struct nft_table *nf_tables_table_lookup(const struct net *net,
413 const struct nlattr *nla,
414 u8 family, u8 genmask)
416 struct nft_table *table;
419 return ERR_PTR(-EINVAL);
421 table = nft_table_lookup(net, nla, family, genmask);
425 return ERR_PTR(-ENOENT);
428 static struct nft_table *nf_tables_table_lookup_byhandle(const struct net *net,
429 const struct nlattr *nla,
432 struct nft_table *table;
435 return ERR_PTR(-EINVAL);
437 table = nft_table_lookup_byhandle(net, nla, genmask);
441 return ERR_PTR(-ENOENT);
444 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
446 return ++table->hgenerator;
449 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
451 static const struct nft_chain_type *
452 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
456 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
457 if (chain_type[family][i] != NULL &&
458 !nla_strcmp(nla, chain_type[family][i]->name))
459 return chain_type[family][i];
464 static const struct nft_chain_type *
465 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
467 const struct nft_chain_type *type;
469 type = __nf_tables_chain_type_lookup(nla, family);
472 #ifdef CONFIG_MODULES
474 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
475 request_module("nft-chain-%u-%.*s", family,
476 nla_len(nla), (const char *)nla_data(nla));
477 nfnl_lock(NFNL_SUBSYS_NFTABLES);
478 type = __nf_tables_chain_type_lookup(nla, family);
480 return ERR_PTR(-EAGAIN);
483 return ERR_PTR(-ENOENT);
486 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
487 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
488 .len = NFT_TABLE_MAXNAMELEN - 1 },
489 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
490 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
493 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
494 u32 portid, u32 seq, int event, u32 flags,
495 int family, const struct nft_table *table)
497 struct nlmsghdr *nlh;
498 struct nfgenmsg *nfmsg;
500 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
501 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
503 goto nla_put_failure;
505 nfmsg = nlmsg_data(nlh);
506 nfmsg->nfgen_family = family;
507 nfmsg->version = NFNETLINK_V0;
508 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
510 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
511 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
512 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
513 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
515 goto nla_put_failure;
521 nlmsg_trim(skb, nlh);
525 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
531 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
534 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
538 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
539 event, 0, ctx->family, ctx->table);
545 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
546 ctx->report, GFP_KERNEL);
549 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
552 static int nf_tables_dump_tables(struct sk_buff *skb,
553 struct netlink_callback *cb)
555 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
556 const struct nft_table *table;
557 unsigned int idx = 0, s_idx = cb->args[0];
558 struct net *net = sock_net(skb->sk);
559 int family = nfmsg->nfgen_family;
562 cb->seq = net->nft.base_seq;
564 list_for_each_entry_rcu(table, &net->nft.tables, list) {
565 if (family != NFPROTO_UNSPEC && family != table->family)
571 memset(&cb->args[1], 0,
572 sizeof(cb->args) - sizeof(cb->args[0]));
573 if (!nft_is_active(net, table))
575 if (nf_tables_fill_table_info(skb, net,
576 NETLINK_CB(cb->skb).portid,
578 NFT_MSG_NEWTABLE, NLM_F_MULTI,
579 table->family, table) < 0)
582 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
592 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
593 struct sk_buff *skb, const struct nlmsghdr *nlh,
594 const struct nlattr * const nla[],
595 struct netlink_ext_ack *extack)
597 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
598 u8 genmask = nft_genmask_cur(net);
599 const struct nft_table *table;
600 struct sk_buff *skb2;
601 int family = nfmsg->nfgen_family;
604 if (nlh->nlmsg_flags & NLM_F_DUMP) {
605 struct netlink_dump_control c = {
606 .dump = nf_tables_dump_tables,
608 return netlink_dump_start(nlsk, skb, nlh, &c);
611 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family,
614 return PTR_ERR(table);
616 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
620 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
621 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
626 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
633 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
635 struct nft_chain *chain;
638 list_for_each_entry(chain, &table->chains, list) {
639 if (!nft_is_active_next(net, chain))
641 if (!nft_is_base_chain(chain))
644 if (cnt && i++ == cnt)
647 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
651 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
653 struct nft_chain *chain;
656 list_for_each_entry(chain, &table->chains, list) {
657 if (!nft_is_active_next(net, chain))
659 if (!nft_is_base_chain(chain))
662 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
671 nft_table_disable(net, table, i);
675 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
677 nft_table_disable(net, table, 0);
680 static int nf_tables_updtable(struct nft_ctx *ctx)
682 struct nft_trans *trans;
686 if (!ctx->nla[NFTA_TABLE_FLAGS])
689 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
690 if (flags & ~NFT_TABLE_F_DORMANT)
693 if (flags == ctx->table->flags)
696 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
697 sizeof(struct nft_trans_table));
701 if ((flags & NFT_TABLE_F_DORMANT) &&
702 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
703 nft_trans_table_enable(trans) = false;
704 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
705 ctx->table->flags & NFT_TABLE_F_DORMANT) {
706 ret = nf_tables_table_enable(ctx->net, ctx->table);
708 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
709 nft_trans_table_enable(trans) = true;
715 nft_trans_table_update(trans) = true;
716 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
719 nft_trans_destroy(trans);
723 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
724 struct sk_buff *skb, const struct nlmsghdr *nlh,
725 const struct nlattr * const nla[],
726 struct netlink_ext_ack *extack)
728 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
729 u8 genmask = nft_genmask_next(net);
730 const struct nlattr *name;
731 struct nft_table *table;
732 int family = nfmsg->nfgen_family;
737 name = nla[NFTA_TABLE_NAME];
738 table = nf_tables_table_lookup(net, name, family, genmask);
740 if (PTR_ERR(table) != -ENOENT)
741 return PTR_ERR(table);
743 if (nlh->nlmsg_flags & NLM_F_EXCL)
745 if (nlh->nlmsg_flags & NLM_F_REPLACE)
748 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
749 return nf_tables_updtable(&ctx);
752 if (nla[NFTA_TABLE_FLAGS]) {
753 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
754 if (flags & ~NFT_TABLE_F_DORMANT)
759 table = kzalloc(sizeof(*table), GFP_KERNEL);
763 table->name = nla_strdup(name, GFP_KERNEL);
764 if (table->name == NULL)
767 INIT_LIST_HEAD(&table->chains);
768 INIT_LIST_HEAD(&table->sets);
769 INIT_LIST_HEAD(&table->objects);
770 INIT_LIST_HEAD(&table->flowtables);
771 table->family = family;
772 table->flags = flags;
773 table->handle = ++table_handle;
775 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
776 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
780 list_add_tail_rcu(&table->list, &net->nft.tables);
790 static int nft_flush_table(struct nft_ctx *ctx)
792 struct nft_flowtable *flowtable, *nft;
793 struct nft_chain *chain, *nc;
794 struct nft_object *obj, *ne;
795 struct nft_set *set, *ns;
798 list_for_each_entry(chain, &ctx->table->chains, list) {
799 if (!nft_is_active_next(ctx->net, chain))
804 err = nft_delrule_by_chain(ctx);
809 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
810 if (!nft_is_active_next(ctx->net, set))
813 if (nft_set_is_anonymous(set) &&
814 !list_empty(&set->bindings))
817 err = nft_delset(ctx, set);
822 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
823 err = nft_delflowtable(ctx, flowtable);
828 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
829 err = nft_delobj(ctx, obj);
834 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
835 if (!nft_is_active_next(ctx->net, chain))
840 err = nft_delchain(ctx);
845 err = nft_deltable(ctx);
850 static int nft_flush(struct nft_ctx *ctx, int family)
852 struct nft_table *table, *nt;
853 const struct nlattr * const *nla = ctx->nla;
856 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
857 if (family != AF_UNSPEC && table->family != family)
860 ctx->family = table->family;
862 if (!nft_is_active_next(ctx->net, table))
865 if (nla[NFTA_TABLE_NAME] &&
866 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
871 err = nft_flush_table(ctx);
879 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
880 struct sk_buff *skb, const struct nlmsghdr *nlh,
881 const struct nlattr * const nla[],
882 struct netlink_ext_ack *extack)
884 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
885 u8 genmask = nft_genmask_next(net);
886 struct nft_table *table;
887 int family = nfmsg->nfgen_family;
890 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
891 if (family == AF_UNSPEC ||
892 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
893 return nft_flush(&ctx, family);
895 if (nla[NFTA_TABLE_HANDLE])
896 table = nf_tables_table_lookup_byhandle(net,
897 nla[NFTA_TABLE_HANDLE],
900 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME],
904 return PTR_ERR(table);
906 if (nlh->nlmsg_flags & NLM_F_NONREC &&
913 return nft_flush_table(&ctx);
916 static void nf_tables_table_destroy(struct nft_ctx *ctx)
918 BUG_ON(ctx->table->use > 0);
920 kfree(ctx->table->name);
924 void nft_register_chain_type(const struct nft_chain_type *ctype)
926 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
929 nfnl_lock(NFNL_SUBSYS_NFTABLES);
930 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
931 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
934 chain_type[ctype->family][ctype->type] = ctype;
935 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
937 EXPORT_SYMBOL_GPL(nft_register_chain_type);
939 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
941 nfnl_lock(NFNL_SUBSYS_NFTABLES);
942 chain_type[ctype->family][ctype->type] = NULL;
943 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
945 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
951 static struct nft_chain *
952 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
955 struct nft_chain *chain;
957 list_for_each_entry(chain, &table->chains, list) {
958 if (chain->handle == handle &&
959 nft_active_genmask(chain, genmask))
963 return ERR_PTR(-ENOENT);
966 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
967 const struct nlattr *nla,
970 struct nft_chain *chain;
973 return ERR_PTR(-EINVAL);
975 list_for_each_entry(chain, &table->chains, list) {
976 if (!nla_strcmp(nla, chain->name) &&
977 nft_active_genmask(chain, genmask))
981 return ERR_PTR(-ENOENT);
984 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
985 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
986 .len = NFT_TABLE_MAXNAMELEN - 1 },
987 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
988 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
989 .len = NFT_CHAIN_MAXNAMELEN - 1 },
990 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
991 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
992 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
993 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
996 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
997 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
998 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
999 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1000 .len = IFNAMSIZ - 1 },
1003 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1005 struct nft_stats *cpu_stats, total;
1006 struct nlattr *nest;
1011 memset(&total, 0, sizeof(total));
1012 for_each_possible_cpu(cpu) {
1013 cpu_stats = per_cpu_ptr(stats, cpu);
1015 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1016 pkts = cpu_stats->pkts;
1017 bytes = cpu_stats->bytes;
1018 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1020 total.bytes += bytes;
1022 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1024 goto nla_put_failure;
1026 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1027 NFTA_COUNTER_PAD) ||
1028 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1030 goto nla_put_failure;
1032 nla_nest_end(skb, nest);
1039 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1040 u32 portid, u32 seq, int event, u32 flags,
1041 int family, const struct nft_table *table,
1042 const struct nft_chain *chain)
1044 struct nlmsghdr *nlh;
1045 struct nfgenmsg *nfmsg;
1047 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1048 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1050 goto nla_put_failure;
1052 nfmsg = nlmsg_data(nlh);
1053 nfmsg->nfgen_family = family;
1054 nfmsg->version = NFNETLINK_V0;
1055 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1057 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1058 goto nla_put_failure;
1059 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1061 goto nla_put_failure;
1062 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1063 goto nla_put_failure;
1065 if (nft_is_base_chain(chain)) {
1066 const struct nft_base_chain *basechain = nft_base_chain(chain);
1067 const struct nf_hook_ops *ops = &basechain->ops;
1068 struct nlattr *nest;
1070 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1072 goto nla_put_failure;
1073 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1074 goto nla_put_failure;
1075 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1076 goto nla_put_failure;
1077 if (basechain->dev_name[0] &&
1078 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1079 goto nla_put_failure;
1080 nla_nest_end(skb, nest);
1082 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1083 htonl(basechain->policy)))
1084 goto nla_put_failure;
1086 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1087 goto nla_put_failure;
1089 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1090 goto nla_put_failure;
1093 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1094 goto nla_put_failure;
1096 nlmsg_end(skb, nlh);
1100 nlmsg_trim(skb, nlh);
1104 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1106 struct sk_buff *skb;
1110 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1113 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1117 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1118 event, 0, ctx->family, ctx->table,
1125 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1126 ctx->report, GFP_KERNEL);
1129 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1132 static int nf_tables_dump_chains(struct sk_buff *skb,
1133 struct netlink_callback *cb)
1135 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1136 const struct nft_table *table;
1137 const struct nft_chain *chain;
1138 unsigned int idx = 0, s_idx = cb->args[0];
1139 struct net *net = sock_net(skb->sk);
1140 int family = nfmsg->nfgen_family;
1143 cb->seq = net->nft.base_seq;
1145 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1146 if (family != NFPROTO_UNSPEC && family != table->family)
1149 list_for_each_entry_rcu(chain, &table->chains, list) {
1153 memset(&cb->args[1], 0,
1154 sizeof(cb->args) - sizeof(cb->args[0]));
1155 if (!nft_is_active(net, chain))
1157 if (nf_tables_fill_chain_info(skb, net,
1158 NETLINK_CB(cb->skb).portid,
1162 table->family, table,
1166 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1177 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1178 struct sk_buff *skb, const struct nlmsghdr *nlh,
1179 const struct nlattr * const nla[],
1180 struct netlink_ext_ack *extack)
1182 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1183 u8 genmask = nft_genmask_cur(net);
1184 const struct nft_table *table;
1185 const struct nft_chain *chain;
1186 struct sk_buff *skb2;
1187 int family = nfmsg->nfgen_family;
1190 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1191 struct netlink_dump_control c = {
1192 .dump = nf_tables_dump_chains,
1194 return netlink_dump_start(nlsk, skb, nlh, &c);
1197 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1200 return PTR_ERR(table);
1202 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1204 return PTR_ERR(chain);
1206 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1210 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1211 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1212 family, table, chain);
1216 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1223 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1224 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1225 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1228 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1230 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1231 struct nft_stats __percpu *newstats;
1232 struct nft_stats *stats;
1235 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1238 return ERR_PTR(err);
1240 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1241 return ERR_PTR(-EINVAL);
1243 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1244 if (newstats == NULL)
1245 return ERR_PTR(-ENOMEM);
1247 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1248 * are not exposed to userspace.
1251 stats = this_cpu_ptr(newstats);
1252 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1253 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1259 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1260 struct nft_stats __percpu *newstats)
1262 struct nft_stats __percpu *oldstats;
1264 if (newstats == NULL)
1268 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1269 rcu_assign_pointer(chain->stats, newstats);
1271 free_percpu(oldstats);
1273 rcu_assign_pointer(chain->stats, newstats);
1276 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1278 struct nft_chain *chain = ctx->chain;
1280 BUG_ON(chain->use > 0);
1282 if (nft_is_base_chain(chain)) {
1283 struct nft_base_chain *basechain = nft_base_chain(chain);
1285 if (basechain->type->free)
1286 basechain->type->free(ctx);
1287 module_put(basechain->type->owner);
1288 free_percpu(basechain->stats);
1289 if (basechain->stats)
1290 static_branch_dec(&nft_counters_enabled);
1299 struct nft_chain_hook {
1302 const struct nft_chain_type *type;
1303 struct net_device *dev;
1306 static int nft_chain_parse_hook(struct net *net,
1307 const struct nlattr * const nla[],
1308 struct nft_chain_hook *hook, u8 family,
1311 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1312 const struct nft_chain_type *type;
1313 struct net_device *dev;
1316 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1317 nft_hook_policy, NULL);
1321 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1322 ha[NFTA_HOOK_PRIORITY] == NULL)
1325 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1326 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1328 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1329 if (nla[NFTA_CHAIN_TYPE]) {
1330 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1333 return PTR_ERR(type);
1335 if (!(type->hook_mask & (1 << hook->num)))
1338 if (type->type == NFT_CHAIN_T_NAT &&
1339 hook->priority <= NF_IP_PRI_CONNTRACK)
1342 if (!try_module_get(type->owner))
1348 if (family == NFPROTO_NETDEV) {
1349 char ifname[IFNAMSIZ];
1351 if (!ha[NFTA_HOOK_DEV]) {
1352 module_put(type->owner);
1356 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1357 dev = __dev_get_by_name(net, ifname);
1359 module_put(type->owner);
1363 } else if (ha[NFTA_HOOK_DEV]) {
1364 module_put(type->owner);
1371 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1373 module_put(hook->type->owner);
1376 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1377 u8 policy, bool create)
1379 const struct nlattr * const *nla = ctx->nla;
1380 struct nft_table *table = ctx->table;
1381 struct nft_base_chain *basechain;
1382 struct nft_stats __percpu *stats;
1383 struct net *net = ctx->net;
1384 struct nft_chain *chain;
1387 if (table->use == UINT_MAX)
1390 if (nla[NFTA_CHAIN_HOOK]) {
1391 struct nft_chain_hook hook;
1392 struct nf_hook_ops *ops;
1394 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1398 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1399 if (basechain == NULL) {
1400 nft_chain_release_hook(&hook);
1404 if (hook.dev != NULL)
1405 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1407 if (nla[NFTA_CHAIN_COUNTERS]) {
1408 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1409 if (IS_ERR(stats)) {
1410 nft_chain_release_hook(&hook);
1412 return PTR_ERR(stats);
1414 basechain->stats = stats;
1415 static_branch_inc(&nft_counters_enabled);
1418 basechain->type = hook.type;
1419 if (basechain->type->init)
1420 basechain->type->init(ctx);
1422 chain = &basechain->chain;
1424 ops = &basechain->ops;
1426 ops->hooknum = hook.num;
1427 ops->priority = hook.priority;
1429 ops->hook = hook.type->hooks[ops->hooknum];
1430 ops->dev = hook.dev;
1432 if (basechain->type->type == NFT_CHAIN_T_NAT)
1433 ops->nat_hook = true;
1435 chain->flags |= NFT_BASE_CHAIN;
1436 basechain->policy = policy;
1438 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1444 INIT_LIST_HEAD(&chain->rules);
1445 chain->handle = nf_tables_alloc_handle(table);
1446 chain->table = table;
1447 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1453 err = nf_tables_register_hook(net, table, chain);
1457 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1462 list_add_tail_rcu(&chain->list, &table->chains);
1466 nf_tables_unregister_hook(net, table, chain);
1468 nf_tables_chain_destroy(ctx);
1473 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1476 const struct nlattr * const *nla = ctx->nla;
1477 struct nft_table *table = ctx->table;
1478 struct nft_chain *chain = ctx->chain;
1479 struct nft_base_chain *basechain;
1480 struct nft_stats *stats = NULL;
1481 struct nft_chain_hook hook;
1482 const struct nlattr *name;
1483 struct nf_hook_ops *ops;
1484 struct nft_trans *trans;
1487 if (nla[NFTA_CHAIN_HOOK]) {
1488 if (!nft_is_base_chain(chain))
1491 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1496 basechain = nft_base_chain(chain);
1497 if (basechain->type != hook.type) {
1498 nft_chain_release_hook(&hook);
1502 ops = &basechain->ops;
1503 if (ops->hooknum != hook.num ||
1504 ops->priority != hook.priority ||
1505 ops->dev != hook.dev) {
1506 nft_chain_release_hook(&hook);
1509 nft_chain_release_hook(&hook);
1512 if (nla[NFTA_CHAIN_HANDLE] &&
1513 nla[NFTA_CHAIN_NAME]) {
1514 struct nft_chain *chain2;
1516 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1518 if (!IS_ERR(chain2))
1522 if (nla[NFTA_CHAIN_COUNTERS]) {
1523 if (!nft_is_base_chain(chain))
1526 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1528 return PTR_ERR(stats);
1531 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1532 sizeof(struct nft_trans_chain));
1533 if (trans == NULL) {
1538 nft_trans_chain_stats(trans) = stats;
1539 nft_trans_chain_update(trans) = true;
1541 if (nla[NFTA_CHAIN_POLICY])
1542 nft_trans_chain_policy(trans) = policy;
1544 nft_trans_chain_policy(trans) = -1;
1546 name = nla[NFTA_CHAIN_NAME];
1547 if (nla[NFTA_CHAIN_HANDLE] && name) {
1548 nft_trans_chain_name(trans) =
1549 nla_strdup(name, GFP_KERNEL);
1550 if (!nft_trans_chain_name(trans)) {
1556 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1561 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1562 struct sk_buff *skb, const struct nlmsghdr *nlh,
1563 const struct nlattr * const nla[],
1564 struct netlink_ext_ack *extack)
1566 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1567 const struct nlattr * uninitialized_var(name);
1568 u8 genmask = nft_genmask_next(net);
1569 int family = nfmsg->nfgen_family;
1570 struct nft_table *table;
1571 struct nft_chain *chain;
1572 u8 policy = NF_ACCEPT;
1577 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1579 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1582 return PTR_ERR(table);
1585 name = nla[NFTA_CHAIN_NAME];
1587 if (nla[NFTA_CHAIN_HANDLE]) {
1588 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1589 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1591 return PTR_ERR(chain);
1593 chain = nf_tables_chain_lookup(table, name, genmask);
1594 if (IS_ERR(chain)) {
1595 if (PTR_ERR(chain) != -ENOENT)
1596 return PTR_ERR(chain);
1601 if (nla[NFTA_CHAIN_POLICY]) {
1602 if (chain != NULL &&
1603 !nft_is_base_chain(chain))
1606 if (chain == NULL &&
1607 nla[NFTA_CHAIN_HOOK] == NULL)
1610 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1620 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1622 if (chain != NULL) {
1623 if (nlh->nlmsg_flags & NLM_F_EXCL)
1625 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1628 return nf_tables_updchain(&ctx, genmask, policy, create);
1631 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1634 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1635 struct sk_buff *skb, const struct nlmsghdr *nlh,
1636 const struct nlattr * const nla[],
1637 struct netlink_ext_ack *extack)
1639 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1640 u8 genmask = nft_genmask_next(net);
1641 struct nft_table *table;
1642 struct nft_chain *chain;
1643 struct nft_rule *rule;
1644 int family = nfmsg->nfgen_family;
1650 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1653 return PTR_ERR(table);
1655 if (nla[NFTA_CHAIN_HANDLE]) {
1656 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1657 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1659 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1662 return PTR_ERR(chain);
1664 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1668 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1671 list_for_each_entry(rule, &chain->rules, list) {
1672 if (!nft_is_active_next(net, rule))
1676 err = nft_delrule(&ctx, rule);
1681 /* There are rules and elements that are still holding references to us,
1682 * we cannot do a recursive removal in this case.
1687 return nft_delchain(&ctx);
1695 * nft_register_expr - register nf_tables expr type
1698 * Registers the expr type for use with nf_tables. Returns zero on
1699 * success or a negative errno code otherwise.
1701 int nft_register_expr(struct nft_expr_type *type)
1703 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1704 if (type->family == NFPROTO_UNSPEC)
1705 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1707 list_add_rcu(&type->list, &nf_tables_expressions);
1708 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1711 EXPORT_SYMBOL_GPL(nft_register_expr);
1714 * nft_unregister_expr - unregister nf_tables expr type
1717 * Unregisters the expr typefor use with nf_tables.
1719 void nft_unregister_expr(struct nft_expr_type *type)
1721 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1722 list_del_rcu(&type->list);
1723 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1725 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1727 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1730 const struct nft_expr_type *type;
1732 list_for_each_entry(type, &nf_tables_expressions, list) {
1733 if (!nla_strcmp(nla, type->name) &&
1734 (!type->family || type->family == family))
1740 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1743 const struct nft_expr_type *type;
1746 return ERR_PTR(-EINVAL);
1748 type = __nft_expr_type_get(family, nla);
1749 if (type != NULL && try_module_get(type->owner))
1752 #ifdef CONFIG_MODULES
1754 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1755 request_module("nft-expr-%u-%.*s", family,
1756 nla_len(nla), (char *)nla_data(nla));
1757 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1758 if (__nft_expr_type_get(family, nla))
1759 return ERR_PTR(-EAGAIN);
1761 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1762 request_module("nft-expr-%.*s",
1763 nla_len(nla), (char *)nla_data(nla));
1764 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1765 if (__nft_expr_type_get(family, nla))
1766 return ERR_PTR(-EAGAIN);
1769 return ERR_PTR(-ENOENT);
1772 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1773 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1774 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1777 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1778 const struct nft_expr *expr)
1780 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1781 goto nla_put_failure;
1783 if (expr->ops->dump) {
1784 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1786 goto nla_put_failure;
1787 if (expr->ops->dump(skb, expr) < 0)
1788 goto nla_put_failure;
1789 nla_nest_end(skb, data);
1798 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1799 const struct nft_expr *expr)
1801 struct nlattr *nest;
1803 nest = nla_nest_start(skb, attr);
1805 goto nla_put_failure;
1806 if (nf_tables_fill_expr_info(skb, expr) < 0)
1807 goto nla_put_failure;
1808 nla_nest_end(skb, nest);
1815 struct nft_expr_info {
1816 const struct nft_expr_ops *ops;
1817 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1820 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1821 const struct nlattr *nla,
1822 struct nft_expr_info *info)
1824 const struct nft_expr_type *type;
1825 const struct nft_expr_ops *ops;
1826 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1829 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1833 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1835 return PTR_ERR(type);
1837 if (tb[NFTA_EXPR_DATA]) {
1838 err = nla_parse_nested(info->tb, type->maxattr,
1839 tb[NFTA_EXPR_DATA], type->policy, NULL);
1843 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1845 if (type->select_ops != NULL) {
1846 ops = type->select_ops(ctx,
1847 (const struct nlattr * const *)info->tb);
1859 module_put(type->owner);
1863 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1864 const struct nft_expr_info *info,
1865 struct nft_expr *expr)
1867 const struct nft_expr_ops *ops = info->ops;
1872 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1877 if (ops->validate) {
1878 const struct nft_data *data = NULL;
1880 err = ops->validate(ctx, expr, &data);
1889 ops->destroy(ctx, expr);
1895 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1896 struct nft_expr *expr)
1898 if (expr->ops->destroy)
1899 expr->ops->destroy(ctx, expr);
1900 module_put(expr->ops->type->owner);
1903 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1904 const struct nlattr *nla)
1906 struct nft_expr_info info;
1907 struct nft_expr *expr;
1910 err = nf_tables_expr_parse(ctx, nla, &info);
1915 expr = kzalloc(info.ops->size, GFP_KERNEL);
1919 err = nf_tables_newexpr(ctx, &info, expr);
1927 module_put(info.ops->type->owner);
1929 return ERR_PTR(err);
1932 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1934 nf_tables_expr_destroy(ctx, expr);
1942 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1945 struct nft_rule *rule;
1947 // FIXME: this sucks
1948 list_for_each_entry(rule, &chain->rules, list) {
1949 if (handle == rule->handle)
1953 return ERR_PTR(-ENOENT);
1956 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1957 const struct nlattr *nla)
1960 return ERR_PTR(-EINVAL);
1962 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1965 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1966 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1967 .len = NFT_TABLE_MAXNAMELEN - 1 },
1968 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1969 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1970 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1971 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1972 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1973 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1974 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1975 .len = NFT_USERDATA_MAXLEN },
1976 [NFTA_RULE_ID] = { .type = NLA_U32 },
1979 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1980 u32 portid, u32 seq, int event,
1981 u32 flags, int family,
1982 const struct nft_table *table,
1983 const struct nft_chain *chain,
1984 const struct nft_rule *rule)
1986 struct nlmsghdr *nlh;
1987 struct nfgenmsg *nfmsg;
1988 const struct nft_expr *expr, *next;
1989 struct nlattr *list;
1990 const struct nft_rule *prule;
1991 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1993 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1995 goto nla_put_failure;
1997 nfmsg = nlmsg_data(nlh);
1998 nfmsg->nfgen_family = family;
1999 nfmsg->version = NFNETLINK_V0;
2000 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2002 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2003 goto nla_put_failure;
2004 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2005 goto nla_put_failure;
2006 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2008 goto nla_put_failure;
2010 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2011 prule = list_prev_entry(rule, list);
2012 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2013 cpu_to_be64(prule->handle),
2015 goto nla_put_failure;
2018 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2020 goto nla_put_failure;
2021 nft_rule_for_each_expr(expr, next, rule) {
2022 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2023 goto nla_put_failure;
2025 nla_nest_end(skb, list);
2028 struct nft_userdata *udata = nft_userdata(rule);
2029 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2031 goto nla_put_failure;
2034 nlmsg_end(skb, nlh);
2038 nlmsg_trim(skb, nlh);
2042 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2043 const struct nft_rule *rule, int event)
2045 struct sk_buff *skb;
2049 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2052 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2056 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2057 event, 0, ctx->family, ctx->table,
2064 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2065 ctx->report, GFP_KERNEL);
2068 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2071 struct nft_rule_dump_ctx {
2076 static int nf_tables_dump_rules(struct sk_buff *skb,
2077 struct netlink_callback *cb)
2079 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2080 const struct nft_rule_dump_ctx *ctx = cb->data;
2081 const struct nft_table *table;
2082 const struct nft_chain *chain;
2083 const struct nft_rule *rule;
2084 unsigned int idx = 0, s_idx = cb->args[0];
2085 struct net *net = sock_net(skb->sk);
2086 int family = nfmsg->nfgen_family;
2089 cb->seq = net->nft.base_seq;
2091 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2092 if (family != NFPROTO_UNSPEC && family != table->family)
2095 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2098 list_for_each_entry_rcu(chain, &table->chains, list) {
2099 if (ctx && ctx->chain &&
2100 strcmp(ctx->chain, chain->name) != 0)
2103 list_for_each_entry_rcu(rule, &chain->rules, list) {
2104 if (!nft_is_active(net, rule))
2109 memset(&cb->args[1], 0,
2110 sizeof(cb->args) - sizeof(cb->args[0]));
2111 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2114 NLM_F_MULTI | NLM_F_APPEND,
2116 table, chain, rule) < 0)
2119 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2132 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2134 struct nft_rule_dump_ctx *ctx = cb->data;
2144 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2145 struct sk_buff *skb, const struct nlmsghdr *nlh,
2146 const struct nlattr * const nla[],
2147 struct netlink_ext_ack *extack)
2149 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2150 u8 genmask = nft_genmask_cur(net);
2151 const struct nft_table *table;
2152 const struct nft_chain *chain;
2153 const struct nft_rule *rule;
2154 struct sk_buff *skb2;
2155 int family = nfmsg->nfgen_family;
2158 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2159 struct netlink_dump_control c = {
2160 .dump = nf_tables_dump_rules,
2161 .done = nf_tables_dump_rules_done,
2164 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2165 struct nft_rule_dump_ctx *ctx;
2167 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2171 if (nla[NFTA_RULE_TABLE]) {
2172 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2179 if (nla[NFTA_RULE_CHAIN]) {
2180 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2191 return netlink_dump_start(nlsk, skb, nlh, &c);
2194 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2197 return PTR_ERR(table);
2199 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2201 return PTR_ERR(chain);
2203 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2205 return PTR_ERR(rule);
2207 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2211 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2212 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2213 family, table, chain, rule);
2217 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2224 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2225 struct nft_rule *rule)
2227 struct nft_expr *expr;
2230 * Careful: some expressions might not be initialized in case this
2231 * is called on error from nf_tables_newrule().
2233 expr = nft_expr_first(rule);
2234 while (expr != nft_expr_last(rule) && expr->ops) {
2235 nf_tables_expr_destroy(ctx, expr);
2236 expr = nft_expr_next(expr);
2241 #define NFT_RULE_MAXEXPRS 128
2243 static struct nft_expr_info *info;
2245 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2246 struct sk_buff *skb, const struct nlmsghdr *nlh,
2247 const struct nlattr * const nla[],
2248 struct netlink_ext_ack *extack)
2250 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2251 u8 genmask = nft_genmask_next(net);
2252 int family = nfmsg->nfgen_family;
2253 struct nft_table *table;
2254 struct nft_chain *chain;
2255 struct nft_rule *rule, *old_rule = NULL;
2256 struct nft_userdata *udata;
2257 struct nft_trans *trans = NULL;
2258 struct nft_expr *expr;
2261 unsigned int size, i, n, ulen = 0, usize = 0;
2264 u64 handle, pos_handle;
2266 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2268 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2271 return PTR_ERR(table);
2273 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2275 return PTR_ERR(chain);
2277 if (nla[NFTA_RULE_HANDLE]) {
2278 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2279 rule = __nf_tables_rule_lookup(chain, handle);
2281 return PTR_ERR(rule);
2283 if (nlh->nlmsg_flags & NLM_F_EXCL)
2285 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2290 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2292 handle = nf_tables_alloc_handle(table);
2294 if (chain->use == UINT_MAX)
2298 if (nla[NFTA_RULE_POSITION]) {
2299 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2302 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2303 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2304 if (IS_ERR(old_rule))
2305 return PTR_ERR(old_rule);
2308 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2312 if (nla[NFTA_RULE_EXPRESSIONS]) {
2313 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2315 if (nla_type(tmp) != NFTA_LIST_ELEM)
2317 if (n == NFT_RULE_MAXEXPRS)
2319 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2322 size += info[n].ops->size;
2326 /* Check for overflow of dlen field */
2328 if (size >= 1 << 12)
2331 if (nla[NFTA_RULE_USERDATA]) {
2332 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2334 usize = sizeof(struct nft_userdata) + ulen;
2338 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2342 nft_activate_next(net, rule);
2344 rule->handle = handle;
2346 rule->udata = ulen ? 1 : 0;
2349 udata = nft_userdata(rule);
2350 udata->len = ulen - 1;
2351 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2354 expr = nft_expr_first(rule);
2355 for (i = 0; i < n; i++) {
2356 err = nf_tables_newexpr(&ctx, &info[i], expr);
2360 expr = nft_expr_next(expr);
2363 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2364 if (!nft_is_active_next(net, old_rule)) {
2368 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2370 if (trans == NULL) {
2374 nft_deactivate_next(net, old_rule);
2377 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2382 list_add_tail_rcu(&rule->list, &old_rule->list);
2384 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2389 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2391 list_add_rcu(&rule->list, &old_rule->list);
2393 list_add_tail_rcu(&rule->list, &chain->rules);
2396 list_add_tail_rcu(&rule->list, &old_rule->list);
2398 list_add_rcu(&rule->list, &chain->rules);
2405 nf_tables_rule_destroy(&ctx, rule);
2407 for (i = 0; i < n; i++) {
2408 if (info[i].ops != NULL)
2409 module_put(info[i].ops->type->owner);
2414 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2415 const struct nlattr *nla)
2417 u32 id = ntohl(nla_get_be32(nla));
2418 struct nft_trans *trans;
2420 list_for_each_entry(trans, &net->nft.commit_list, list) {
2421 struct nft_rule *rule = nft_trans_rule(trans);
2423 if (trans->msg_type == NFT_MSG_NEWRULE &&
2424 id == nft_trans_rule_id(trans))
2427 return ERR_PTR(-ENOENT);
2430 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2431 struct sk_buff *skb, const struct nlmsghdr *nlh,
2432 const struct nlattr * const nla[],
2433 struct netlink_ext_ack *extack)
2435 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2436 u8 genmask = nft_genmask_next(net);
2437 struct nft_table *table;
2438 struct nft_chain *chain = NULL;
2439 struct nft_rule *rule;
2440 int family = nfmsg->nfgen_family, err = 0;
2443 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2446 return PTR_ERR(table);
2448 if (nla[NFTA_RULE_CHAIN]) {
2449 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2452 return PTR_ERR(chain);
2455 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2458 if (nla[NFTA_RULE_HANDLE]) {
2459 rule = nf_tables_rule_lookup(chain,
2460 nla[NFTA_RULE_HANDLE]);
2462 return PTR_ERR(rule);
2464 err = nft_delrule(&ctx, rule);
2465 } else if (nla[NFTA_RULE_ID]) {
2466 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2468 return PTR_ERR(rule);
2470 err = nft_delrule(&ctx, rule);
2472 err = nft_delrule_by_chain(&ctx);
2475 list_for_each_entry(chain, &table->chains, list) {
2476 if (!nft_is_active_next(net, chain))
2480 err = nft_delrule_by_chain(&ctx);
2493 static LIST_HEAD(nf_tables_set_types);
2495 int nft_register_set(struct nft_set_type *type)
2497 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2498 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2499 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2502 EXPORT_SYMBOL_GPL(nft_register_set);
2504 void nft_unregister_set(struct nft_set_type *type)
2506 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2507 list_del_rcu(&type->list);
2508 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2510 EXPORT_SYMBOL_GPL(nft_unregister_set);
2512 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2513 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2515 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2517 if ((flags & NFT_SET_EVAL) && !ops->update)
2520 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2524 * Select a set implementation based on the data characteristics and the
2525 * given policy. The total memory use might not be known if no size is
2526 * given, in that case the amount of memory per element is used.
2528 static const struct nft_set_ops *
2529 nft_select_set_ops(const struct nft_ctx *ctx,
2530 const struct nlattr * const nla[],
2531 const struct nft_set_desc *desc,
2532 enum nft_set_policies policy)
2534 const struct nft_set_ops *ops, *bops;
2535 struct nft_set_estimate est, best;
2536 const struct nft_set_type *type;
2539 #ifdef CONFIG_MODULES
2540 if (list_empty(&nf_tables_set_types)) {
2541 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2542 request_module("nft-set");
2543 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2544 if (!list_empty(&nf_tables_set_types))
2545 return ERR_PTR(-EAGAIN);
2548 if (nla[NFTA_SET_FLAGS] != NULL)
2549 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2556 list_for_each_entry(type, &nf_tables_set_types, list) {
2557 if (!type->select_ops)
2560 ops = type->select_ops(ctx, desc, flags);
2564 if (!nft_set_ops_candidate(ops, flags))
2566 if (!ops->estimate(desc, flags, &est))
2570 case NFT_SET_POL_PERFORMANCE:
2571 if (est.lookup < best.lookup)
2573 if (est.lookup == best.lookup &&
2574 est.space < best.space)
2577 case NFT_SET_POL_MEMORY:
2579 if (est.space < best.space)
2581 if (est.space == best.space &&
2582 est.lookup < best.lookup)
2584 } else if (est.size < best.size || !bops) {
2592 if (!try_module_get(type->owner))
2595 module_put(bops->type->owner);
2604 return ERR_PTR(-EOPNOTSUPP);
2607 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2608 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2609 .len = NFT_TABLE_MAXNAMELEN - 1 },
2610 [NFTA_SET_NAME] = { .type = NLA_STRING,
2611 .len = NFT_SET_MAXNAMELEN - 1 },
2612 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2613 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2614 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2615 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2616 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2617 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2618 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2619 [NFTA_SET_ID] = { .type = NLA_U32 },
2620 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2621 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2622 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2623 .len = NFT_USERDATA_MAXLEN },
2624 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2625 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2628 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2629 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2632 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2633 const struct sk_buff *skb,
2634 const struct nlmsghdr *nlh,
2635 const struct nlattr * const nla[],
2638 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2639 int family = nfmsg->nfgen_family;
2640 struct nft_table *table = NULL;
2642 if (nla[NFTA_SET_TABLE] != NULL) {
2643 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
2646 return PTR_ERR(table);
2649 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2653 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2654 const struct nlattr *nla, u8 genmask)
2656 struct nft_set *set;
2659 return ERR_PTR(-EINVAL);
2661 list_for_each_entry(set, &table->sets, list) {
2662 if (!nla_strcmp(nla, set->name) &&
2663 nft_active_genmask(set, genmask))
2666 return ERR_PTR(-ENOENT);
2669 static struct nft_set *nf_tables_set_lookup_byhandle(const struct nft_table *table,
2670 const struct nlattr *nla, u8 genmask)
2672 struct nft_set *set;
2675 return ERR_PTR(-EINVAL);
2677 list_for_each_entry(set, &table->sets, list) {
2678 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2679 nft_active_genmask(set, genmask))
2682 return ERR_PTR(-ENOENT);
2685 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2686 const struct nlattr *nla,
2689 struct nft_trans *trans;
2690 u32 id = ntohl(nla_get_be32(nla));
2692 list_for_each_entry(trans, &net->nft.commit_list, list) {
2693 struct nft_set *set = nft_trans_set(trans);
2695 if (trans->msg_type == NFT_MSG_NEWSET &&
2696 id == nft_trans_set_id(trans) &&
2697 nft_active_genmask(set, genmask))
2700 return ERR_PTR(-ENOENT);
2703 struct nft_set *nft_set_lookup_global(const struct net *net,
2704 const struct nft_table *table,
2705 const struct nlattr *nla_set_name,
2706 const struct nlattr *nla_set_id,
2709 struct nft_set *set;
2711 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2716 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2720 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2722 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2725 const struct nft_set *i;
2727 unsigned long *inuse;
2728 unsigned int n = 0, min = 0;
2730 p = strchr(name, '%');
2732 if (p[1] != 'd' || strchr(p + 2, '%'))
2735 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2739 list_for_each_entry(i, &ctx->table->sets, list) {
2742 if (!nft_is_active_next(ctx->net, set))
2744 if (!sscanf(i->name, name, &tmp))
2746 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2749 set_bit(tmp - min, inuse);
2752 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2753 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2754 min += BITS_PER_BYTE * PAGE_SIZE;
2755 memset(inuse, 0, PAGE_SIZE);
2758 free_page((unsigned long)inuse);
2761 set->name = kasprintf(GFP_KERNEL, name, min + n);
2765 list_for_each_entry(i, &ctx->table->sets, list) {
2766 if (!nft_is_active_next(ctx->net, i))
2768 if (!strcmp(set->name, i->name)) {
2776 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2777 const struct nft_set *set, u16 event, u16 flags)
2779 struct nfgenmsg *nfmsg;
2780 struct nlmsghdr *nlh;
2781 struct nlattr *desc;
2782 u32 portid = ctx->portid;
2785 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2786 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2789 goto nla_put_failure;
2791 nfmsg = nlmsg_data(nlh);
2792 nfmsg->nfgen_family = ctx->family;
2793 nfmsg->version = NFNETLINK_V0;
2794 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2796 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2797 goto nla_put_failure;
2798 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2799 goto nla_put_failure;
2800 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2802 goto nla_put_failure;
2803 if (set->flags != 0)
2804 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2805 goto nla_put_failure;
2807 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2808 goto nla_put_failure;
2809 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2810 goto nla_put_failure;
2811 if (set->flags & NFT_SET_MAP) {
2812 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2813 goto nla_put_failure;
2814 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2815 goto nla_put_failure;
2817 if (set->flags & NFT_SET_OBJECT &&
2818 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2819 goto nla_put_failure;
2822 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2823 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2825 goto nla_put_failure;
2827 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2828 goto nla_put_failure;
2830 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2831 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2832 goto nla_put_failure;
2835 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2836 goto nla_put_failure;
2838 desc = nla_nest_start(skb, NFTA_SET_DESC);
2840 goto nla_put_failure;
2842 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2843 goto nla_put_failure;
2844 nla_nest_end(skb, desc);
2846 nlmsg_end(skb, nlh);
2850 nlmsg_trim(skb, nlh);
2854 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2855 const struct nft_set *set, int event,
2858 struct sk_buff *skb;
2859 u32 portid = ctx->portid;
2863 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2866 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2870 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2876 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2880 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2883 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2885 const struct nft_set *set;
2886 unsigned int idx, s_idx = cb->args[0];
2887 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2888 struct net *net = sock_net(skb->sk);
2889 struct nft_ctx *ctx = cb->data, ctx_set;
2895 cb->seq = net->nft.base_seq;
2897 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2898 if (ctx->family != NFPROTO_UNSPEC &&
2899 ctx->family != table->family)
2902 if (ctx->table && ctx->table != table)
2906 if (cur_table != table)
2912 list_for_each_entry_rcu(set, &table->sets, list) {
2915 if (!nft_is_active(net, set))
2919 ctx_set.table = table;
2920 ctx_set.family = table->family;
2922 if (nf_tables_fill_set(skb, &ctx_set, set,
2926 cb->args[2] = (unsigned long) table;
2929 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2942 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2948 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2949 struct sk_buff *skb, const struct nlmsghdr *nlh,
2950 const struct nlattr * const nla[],
2951 struct netlink_ext_ack *extack)
2953 u8 genmask = nft_genmask_cur(net);
2954 const struct nft_set *set;
2956 struct sk_buff *skb2;
2957 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2960 /* Verify existence before starting dump */
2961 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2965 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2966 struct netlink_dump_control c = {
2967 .dump = nf_tables_dump_sets,
2968 .done = nf_tables_dump_sets_done,
2970 struct nft_ctx *ctx_dump;
2972 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2973 if (ctx_dump == NULL)
2979 return netlink_dump_start(nlsk, skb, nlh, &c);
2982 /* Only accept unspec with dump */
2983 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2984 return -EAFNOSUPPORT;
2985 if (!nla[NFTA_SET_TABLE])
2988 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2990 return PTR_ERR(set);
2992 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2996 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3000 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3007 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3008 struct nft_set_desc *desc,
3009 const struct nlattr *nla)
3011 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3014 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3015 nft_set_desc_policy, NULL);
3019 if (da[NFTA_SET_DESC_SIZE] != NULL)
3020 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3025 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3026 struct sk_buff *skb, const struct nlmsghdr *nlh,
3027 const struct nlattr * const nla[],
3028 struct netlink_ext_ack *extack)
3030 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3031 u8 genmask = nft_genmask_next(net);
3032 int family = nfmsg->nfgen_family;
3033 const struct nft_set_ops *ops;
3034 struct nft_table *table;
3035 struct nft_set *set;
3041 u32 ktype, dtype, flags, policy, gc_int, objtype;
3042 struct nft_set_desc desc;
3043 unsigned char *udata;
3047 if (nla[NFTA_SET_TABLE] == NULL ||
3048 nla[NFTA_SET_NAME] == NULL ||
3049 nla[NFTA_SET_KEY_LEN] == NULL ||
3050 nla[NFTA_SET_ID] == NULL)
3053 memset(&desc, 0, sizeof(desc));
3055 ktype = NFT_DATA_VALUE;
3056 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3057 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3058 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3062 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3063 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3067 if (nla[NFTA_SET_FLAGS] != NULL) {
3068 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3069 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3070 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3071 NFT_SET_MAP | NFT_SET_EVAL |
3074 /* Only one of these operations is supported */
3075 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3076 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3081 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3082 if (!(flags & NFT_SET_MAP))
3085 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3086 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3087 dtype != NFT_DATA_VERDICT)
3090 if (dtype != NFT_DATA_VERDICT) {
3091 if (nla[NFTA_SET_DATA_LEN] == NULL)
3093 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3094 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3097 desc.dlen = sizeof(struct nft_verdict);
3098 } else if (flags & NFT_SET_MAP)
3101 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3102 if (!(flags & NFT_SET_OBJECT))
3105 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3106 if (objtype == NFT_OBJECT_UNSPEC ||
3107 objtype > NFT_OBJECT_MAX)
3109 } else if (flags & NFT_SET_OBJECT)
3112 objtype = NFT_OBJECT_UNSPEC;
3115 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3116 if (!(flags & NFT_SET_TIMEOUT))
3118 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3119 nla[NFTA_SET_TIMEOUT])));
3122 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3123 if (!(flags & NFT_SET_TIMEOUT))
3125 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3128 policy = NFT_SET_POL_PERFORMANCE;
3129 if (nla[NFTA_SET_POLICY] != NULL)
3130 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3132 if (nla[NFTA_SET_DESC] != NULL) {
3133 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3138 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3140 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], family,
3143 return PTR_ERR(table);
3145 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3147 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3149 if (PTR_ERR(set) != -ENOENT)
3150 return PTR_ERR(set);
3152 if (nlh->nlmsg_flags & NLM_F_EXCL)
3154 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3159 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3162 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3164 return PTR_ERR(ops);
3167 if (nla[NFTA_SET_USERDATA])
3168 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3171 if (ops->privsize != NULL)
3172 size = ops->privsize(nla, &desc);
3174 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3180 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3186 err = nf_tables_set_alloc_name(&ctx, set, name);
3193 udata = set->data + size;
3194 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3197 INIT_LIST_HEAD(&set->bindings);
3200 set->klen = desc.klen;
3202 set->objtype = objtype;
3203 set->dlen = desc.dlen;
3205 set->size = desc.size;
3206 set->policy = policy;
3209 set->timeout = timeout;
3210 set->gc_int = gc_int;
3211 set->handle = nf_tables_alloc_handle(table);
3213 err = ops->init(set, &desc, nla);
3217 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3221 list_add_tail_rcu(&set->list, &table->sets);
3232 module_put(ops->type->owner);
3236 static void nft_set_destroy(struct nft_set *set)
3238 set->ops->destroy(set);
3239 module_put(set->ops->type->owner);
3244 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3246 list_del_rcu(&set->list);
3247 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3248 nft_set_destroy(set);
3251 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3252 struct sk_buff *skb, const struct nlmsghdr *nlh,
3253 const struct nlattr * const nla[],
3254 struct netlink_ext_ack *extack)
3256 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3257 u8 genmask = nft_genmask_next(net);
3258 struct nft_set *set;
3262 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3263 return -EAFNOSUPPORT;
3264 if (nla[NFTA_SET_TABLE] == NULL)
3267 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3271 if (nla[NFTA_SET_HANDLE])
3272 set = nf_tables_set_lookup_byhandle(ctx.table, nla[NFTA_SET_HANDLE], genmask);
3274 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3276 return PTR_ERR(set);
3278 if (!list_empty(&set->bindings) ||
3279 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3282 return nft_delset(&ctx, set);
3285 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3286 struct nft_set *set,
3287 const struct nft_set_iter *iter,
3288 struct nft_set_elem *elem)
3290 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3291 enum nft_registers dreg;
3293 dreg = nft_type_to_reg(set->dtype);
3294 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3295 set->dtype == NFT_DATA_VERDICT ?
3296 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3300 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3301 struct nft_set_binding *binding)
3303 struct nft_set_binding *i;
3304 struct nft_set_iter iter;
3306 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3309 if (binding->flags & NFT_SET_MAP) {
3310 /* If the set is already bound to the same chain all
3311 * jumps are already validated for that chain.
3313 list_for_each_entry(i, &set->bindings, list) {
3314 if (i->flags & NFT_SET_MAP &&
3315 i->chain == binding->chain)
3319 iter.genmask = nft_genmask_next(ctx->net);
3323 iter.fn = nf_tables_bind_check_setelem;
3325 set->ops->walk(ctx, set, &iter);
3330 binding->chain = ctx->chain;
3331 list_add_tail_rcu(&binding->list, &set->bindings);
3334 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3336 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3337 struct nft_set_binding *binding)
3339 list_del_rcu(&binding->list);
3341 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3342 nft_is_active(ctx->net, set))
3343 nf_tables_set_destroy(ctx, set);
3345 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3347 const struct nft_set_ext_type nft_set_ext_types[] = {
3348 [NFT_SET_EXT_KEY] = {
3349 .align = __alignof__(u32),
3351 [NFT_SET_EXT_DATA] = {
3352 .align = __alignof__(u32),
3354 [NFT_SET_EXT_EXPR] = {
3355 .align = __alignof__(struct nft_expr),
3357 [NFT_SET_EXT_OBJREF] = {
3358 .len = sizeof(struct nft_object *),
3359 .align = __alignof__(struct nft_object *),
3361 [NFT_SET_EXT_FLAGS] = {
3363 .align = __alignof__(u8),
3365 [NFT_SET_EXT_TIMEOUT] = {
3367 .align = __alignof__(u64),
3369 [NFT_SET_EXT_EXPIRATION] = {
3370 .len = sizeof(unsigned long),
3371 .align = __alignof__(unsigned long),
3373 [NFT_SET_EXT_USERDATA] = {
3374 .len = sizeof(struct nft_userdata),
3375 .align = __alignof__(struct nft_userdata),
3378 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3384 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3385 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3386 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3387 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3388 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3389 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3390 .len = NFT_USERDATA_MAXLEN },
3391 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3392 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3395 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3396 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3397 .len = NFT_TABLE_MAXNAMELEN - 1 },
3398 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3399 .len = NFT_SET_MAXNAMELEN - 1 },
3400 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3401 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3404 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3405 const struct sk_buff *skb,
3406 const struct nlmsghdr *nlh,
3407 const struct nlattr * const nla[],
3410 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3411 int family = nfmsg->nfgen_family;
3412 struct nft_table *table;
3414 table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
3417 return PTR_ERR(table);
3419 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3423 static int nf_tables_fill_setelem(struct sk_buff *skb,
3424 const struct nft_set *set,
3425 const struct nft_set_elem *elem)
3427 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3428 unsigned char *b = skb_tail_pointer(skb);
3429 struct nlattr *nest;
3431 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3433 goto nla_put_failure;
3435 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3436 NFT_DATA_VALUE, set->klen) < 0)
3437 goto nla_put_failure;
3439 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3440 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3441 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3443 goto nla_put_failure;
3445 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3446 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3447 goto nla_put_failure;
3449 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3450 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3451 (*nft_set_ext_obj(ext))->name) < 0)
3452 goto nla_put_failure;
3454 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3455 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3456 htonl(*nft_set_ext_flags(ext))))
3457 goto nla_put_failure;
3459 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3460 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3461 cpu_to_be64(jiffies_to_msecs(
3462 *nft_set_ext_timeout(ext))),
3464 goto nla_put_failure;
3466 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3467 unsigned long expires, now = jiffies;
3469 expires = *nft_set_ext_expiration(ext);
3470 if (time_before(now, expires))
3475 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3476 cpu_to_be64(jiffies_to_msecs(expires)),
3478 goto nla_put_failure;
3481 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3482 struct nft_userdata *udata;
3484 udata = nft_set_ext_userdata(ext);
3485 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3486 udata->len + 1, udata->data))
3487 goto nla_put_failure;
3490 nla_nest_end(skb, nest);
3498 struct nft_set_dump_args {
3499 const struct netlink_callback *cb;
3500 struct nft_set_iter iter;
3501 struct sk_buff *skb;
3504 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3505 struct nft_set *set,
3506 const struct nft_set_iter *iter,
3507 struct nft_set_elem *elem)
3509 struct nft_set_dump_args *args;
3511 args = container_of(iter, struct nft_set_dump_args, iter);
3512 return nf_tables_fill_setelem(args->skb, set, elem);
3515 struct nft_set_dump_ctx {
3516 const struct nft_set *set;
3520 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3522 struct nft_set_dump_ctx *dump_ctx = cb->data;
3523 struct net *net = sock_net(skb->sk);
3524 struct nft_table *table;
3525 struct nft_set *set;
3526 struct nft_set_dump_args args;
3527 bool set_found = false;
3528 struct nfgenmsg *nfmsg;
3529 struct nlmsghdr *nlh;
3530 struct nlattr *nest;
3535 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3536 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3537 dump_ctx->ctx.family != table->family)
3540 if (table != dump_ctx->ctx.table)
3543 list_for_each_entry_rcu(set, &table->sets, list) {
3544 if (set == dump_ctx->set) {
3557 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3558 portid = NETLINK_CB(cb->skb).portid;
3559 seq = cb->nlh->nlmsg_seq;
3561 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3564 goto nla_put_failure;
3566 nfmsg = nlmsg_data(nlh);
3567 nfmsg->nfgen_family = table->family;
3568 nfmsg->version = NFNETLINK_V0;
3569 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3571 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3572 goto nla_put_failure;
3573 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3574 goto nla_put_failure;
3576 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3578 goto nla_put_failure;
3582 args.iter.genmask = nft_genmask_cur(net);
3583 args.iter.skip = cb->args[0];
3584 args.iter.count = 0;
3586 args.iter.fn = nf_tables_dump_setelem;
3587 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3590 nla_nest_end(skb, nest);
3591 nlmsg_end(skb, nlh);
3593 if (args.iter.err && args.iter.err != -EMSGSIZE)
3594 return args.iter.err;
3595 if (args.iter.count == cb->args[0])
3598 cb->args[0] = args.iter.count;
3606 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3612 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3613 const struct nft_ctx *ctx, u32 seq,
3614 u32 portid, int event, u16 flags,
3615 const struct nft_set *set,
3616 const struct nft_set_elem *elem)
3618 struct nfgenmsg *nfmsg;
3619 struct nlmsghdr *nlh;
3620 struct nlattr *nest;
3623 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3624 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3627 goto nla_put_failure;
3629 nfmsg = nlmsg_data(nlh);
3630 nfmsg->nfgen_family = ctx->family;
3631 nfmsg->version = NFNETLINK_V0;
3632 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3634 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3635 goto nla_put_failure;
3636 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3637 goto nla_put_failure;
3639 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3641 goto nla_put_failure;
3643 err = nf_tables_fill_setelem(skb, set, elem);
3645 goto nla_put_failure;
3647 nla_nest_end(skb, nest);
3649 nlmsg_end(skb, nlh);
3653 nlmsg_trim(skb, nlh);
3657 static int nft_setelem_parse_flags(const struct nft_set *set,
3658 const struct nlattr *attr, u32 *flags)
3663 *flags = ntohl(nla_get_be32(attr));
3664 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3666 if (!(set->flags & NFT_SET_INTERVAL) &&
3667 *flags & NFT_SET_ELEM_INTERVAL_END)
3673 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3674 const struct nlattr *attr)
3676 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3677 const struct nft_set_ext *ext;
3678 struct nft_data_desc desc;
3679 struct nft_set_elem elem;
3680 struct sk_buff *skb;
3685 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3686 nft_set_elem_policy, NULL);
3690 if (!nla[NFTA_SET_ELEM_KEY])
3693 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3697 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3698 nla[NFTA_SET_ELEM_KEY]);
3703 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3706 priv = set->ops->get(ctx->net, set, &elem, flags);
3708 return PTR_ERR(priv);
3711 ext = nft_set_elem_ext(set, &elem);
3714 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3718 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3719 NFT_MSG_NEWSETELEM, 0, set, &elem);
3723 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3724 /* This avoids a loop in nfnetlink. */
3732 /* this avoids a loop in nfnetlink. */
3733 return err == -EAGAIN ? -ENOBUFS : err;
3736 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3737 struct sk_buff *skb, const struct nlmsghdr *nlh,
3738 const struct nlattr * const nla[],
3739 struct netlink_ext_ack *extack)
3741 u8 genmask = nft_genmask_cur(net);
3742 struct nft_set *set;
3743 struct nlattr *attr;
3747 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3751 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3754 return PTR_ERR(set);
3756 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3757 struct netlink_dump_control c = {
3758 .dump = nf_tables_dump_set,
3759 .done = nf_tables_dump_set_done,
3761 struct nft_set_dump_ctx *dump_ctx;
3763 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3767 dump_ctx->set = set;
3768 dump_ctx->ctx = ctx;
3771 return netlink_dump_start(nlsk, skb, nlh, &c);
3774 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3777 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3778 err = nft_get_set_elem(&ctx, set, attr);
3786 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3787 const struct nft_set *set,
3788 const struct nft_set_elem *elem,
3789 int event, u16 flags)
3791 struct net *net = ctx->net;
3792 u32 portid = ctx->portid;
3793 struct sk_buff *skb;
3796 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3799 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3803 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3810 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3814 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3817 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3819 struct nft_set *set)
3821 struct nft_trans *trans;
3823 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3827 nft_trans_elem_set(trans) = set;
3831 void *nft_set_elem_init(const struct nft_set *set,
3832 const struct nft_set_ext_tmpl *tmpl,
3833 const u32 *key, const u32 *data,
3834 u64 timeout, gfp_t gfp)
3836 struct nft_set_ext *ext;
3839 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3843 ext = nft_set_elem_ext(set, elem);
3844 nft_set_ext_init(ext, tmpl);
3846 memcpy(nft_set_ext_key(ext), key, set->klen);
3847 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3848 memcpy(nft_set_ext_data(ext), data, set->dlen);
3849 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3850 *nft_set_ext_expiration(ext) =
3852 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3853 *nft_set_ext_timeout(ext) = timeout;
3858 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3861 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3863 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3864 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3865 nft_data_release(nft_set_ext_data(ext), set->dtype);
3866 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3867 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3868 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3869 (*nft_set_ext_obj(ext))->use--;
3872 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3874 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3875 * the refcounting from the preparation phase.
3877 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3879 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3881 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3882 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3886 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3887 const struct nlattr *attr, u32 nlmsg_flags)
3889 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3890 u8 genmask = nft_genmask_next(ctx->net);
3891 struct nft_data_desc d1, d2;
3892 struct nft_set_ext_tmpl tmpl;
3893 struct nft_set_ext *ext, *ext2;
3894 struct nft_set_elem elem;
3895 struct nft_set_binding *binding;
3896 struct nft_object *obj = NULL;
3897 struct nft_userdata *udata;
3898 struct nft_data data;
3899 enum nft_registers dreg;
3900 struct nft_trans *trans;
3906 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3907 nft_set_elem_policy, NULL);
3911 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3914 nft_set_ext_prepare(&tmpl);
3916 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3920 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3922 if (set->flags & NFT_SET_MAP) {
3923 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3924 !(flags & NFT_SET_ELEM_INTERVAL_END))
3926 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3927 flags & NFT_SET_ELEM_INTERVAL_END)
3930 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3935 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3936 if (!(set->flags & NFT_SET_TIMEOUT))
3938 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3939 nla[NFTA_SET_ELEM_TIMEOUT])));
3940 } else if (set->flags & NFT_SET_TIMEOUT) {
3941 timeout = set->timeout;
3944 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3945 nla[NFTA_SET_ELEM_KEY]);
3949 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3952 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3954 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3955 if (timeout != set->timeout)
3956 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3959 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3960 if (!(set->flags & NFT_SET_OBJECT)) {
3964 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3965 set->objtype, genmask);
3970 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3973 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3974 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3975 nla[NFTA_SET_ELEM_DATA]);
3980 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3983 dreg = nft_type_to_reg(set->dtype);
3984 list_for_each_entry(binding, &set->bindings, list) {
3985 struct nft_ctx bind_ctx = {
3987 .family = ctx->family,
3988 .table = ctx->table,
3989 .chain = (struct nft_chain *)binding->chain,
3992 if (!(binding->flags & NFT_SET_MAP))
3995 err = nft_validate_register_store(&bind_ctx, dreg,
4002 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4005 /* The full maximum length of userdata can exceed the maximum
4006 * offset value (U8_MAX) for following extensions, therefor it
4007 * must be the last extension added.
4010 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4011 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4013 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4018 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4019 timeout, GFP_KERNEL);
4020 if (elem.priv == NULL)
4023 ext = nft_set_elem_ext(set, elem.priv);
4025 *nft_set_ext_flags(ext) = flags;
4027 udata = nft_set_ext_userdata(ext);
4028 udata->len = ulen - 1;
4029 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4032 *nft_set_ext_obj(ext) = obj;
4036 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4040 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4041 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4043 if (err == -EEXIST) {
4044 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4045 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4046 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4047 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
4049 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4050 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4051 memcmp(nft_set_ext_data(ext),
4052 nft_set_ext_data(ext2), set->dlen) != 0) ||
4053 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4054 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4055 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4057 else if (!(nlmsg_flags & NLM_F_EXCL))
4064 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4069 nft_trans_elem(trans) = elem;
4070 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4074 set->ops->remove(ctx->net, set, &elem);
4080 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4081 nft_data_release(&data, d2.type);
4083 nft_data_release(&elem.key.val, d1.type);
4088 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4089 struct sk_buff *skb, const struct nlmsghdr *nlh,
4090 const struct nlattr * const nla[],
4091 struct netlink_ext_ack *extack)
4093 u8 genmask = nft_genmask_next(net);
4094 const struct nlattr *attr;
4095 struct nft_set *set;
4099 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4102 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4106 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4107 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4109 return PTR_ERR(set);
4111 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4114 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4115 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4123 * nft_data_hold - hold a nft_data item
4125 * @data: struct nft_data to release
4126 * @type: type of data
4128 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4129 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4130 * NFT_GOTO verdicts. This function must be called on active data objects
4131 * from the second phase of the commit protocol.
4133 static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4135 if (type == NFT_DATA_VERDICT) {
4136 switch (data->verdict.code) {
4139 data->verdict.chain->use++;
4145 static void nft_set_elem_activate(const struct net *net,
4146 const struct nft_set *set,
4147 struct nft_set_elem *elem)
4149 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4151 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4152 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4153 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4154 (*nft_set_ext_obj(ext))->use++;
4157 static void nft_set_elem_deactivate(const struct net *net,
4158 const struct nft_set *set,
4159 struct nft_set_elem *elem)
4161 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4163 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4164 nft_data_release(nft_set_ext_data(ext), set->dtype);
4165 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4166 (*nft_set_ext_obj(ext))->use--;
4169 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4170 const struct nlattr *attr)
4172 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4173 struct nft_set_ext_tmpl tmpl;
4174 struct nft_data_desc desc;
4175 struct nft_set_elem elem;
4176 struct nft_set_ext *ext;
4177 struct nft_trans *trans;
4182 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4183 nft_set_elem_policy, NULL);
4188 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4191 nft_set_ext_prepare(&tmpl);
4193 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4197 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4199 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4200 nla[NFTA_SET_ELEM_KEY]);
4205 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4208 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4211 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4213 if (elem.priv == NULL)
4216 ext = nft_set_elem_ext(set, elem.priv);
4218 *nft_set_ext_flags(ext) = flags;
4220 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4221 if (trans == NULL) {
4226 priv = set->ops->deactivate(ctx->net, set, &elem);
4234 nft_set_elem_deactivate(ctx->net, set, &elem);
4236 nft_trans_elem(trans) = elem;
4237 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4245 nft_data_release(&elem.key.val, desc.type);
4250 static int nft_flush_set(const struct nft_ctx *ctx,
4251 struct nft_set *set,
4252 const struct nft_set_iter *iter,
4253 struct nft_set_elem *elem)
4255 struct nft_trans *trans;
4258 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4259 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4263 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4269 nft_trans_elem_set(trans) = set;
4270 nft_trans_elem(trans) = *elem;
4271 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4279 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4280 struct sk_buff *skb, const struct nlmsghdr *nlh,
4281 const struct nlattr * const nla[],
4282 struct netlink_ext_ack *extack)
4284 u8 genmask = nft_genmask_next(net);
4285 const struct nlattr *attr;
4286 struct nft_set *set;
4290 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4294 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4297 return PTR_ERR(set);
4298 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4301 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4302 struct nft_set_iter iter = {
4304 .fn = nft_flush_set,
4306 set->ops->walk(&ctx, set, &iter);
4311 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4312 err = nft_del_setelem(&ctx, set, attr);
4321 void nft_set_gc_batch_release(struct rcu_head *rcu)
4323 struct nft_set_gc_batch *gcb;
4326 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4327 for (i = 0; i < gcb->head.cnt; i++)
4328 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4331 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4333 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4336 struct nft_set_gc_batch *gcb;
4338 gcb = kzalloc(sizeof(*gcb), gfp);
4341 gcb->head.set = set;
4344 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4351 * nft_register_obj- register nf_tables stateful object type
4354 * Registers the object type for use with nf_tables. Returns zero on
4355 * success or a negative errno code otherwise.
4357 int nft_register_obj(struct nft_object_type *obj_type)
4359 if (obj_type->type == NFT_OBJECT_UNSPEC)
4362 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4363 list_add_rcu(&obj_type->list, &nf_tables_objects);
4364 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4367 EXPORT_SYMBOL_GPL(nft_register_obj);
4370 * nft_unregister_obj - unregister nf_tables object type
4373 * Unregisters the object type for use with nf_tables.
4375 void nft_unregister_obj(struct nft_object_type *obj_type)
4377 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4378 list_del_rcu(&obj_type->list);
4379 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4381 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4383 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4384 const struct nlattr *nla,
4385 u32 objtype, u8 genmask)
4387 struct nft_object *obj;
4389 list_for_each_entry(obj, &table->objects, list) {
4390 if (!nla_strcmp(nla, obj->name) &&
4391 objtype == obj->ops->type->type &&
4392 nft_active_genmask(obj, genmask))
4395 return ERR_PTR(-ENOENT);
4397 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4399 static struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
4400 const struct nlattr *nla,
4401 u32 objtype, u8 genmask)
4403 struct nft_object *obj;
4405 list_for_each_entry(obj, &table->objects, list) {
4406 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4407 objtype == obj->ops->type->type &&
4408 nft_active_genmask(obj, genmask))
4411 return ERR_PTR(-ENOENT);
4414 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4415 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4416 .len = NFT_TABLE_MAXNAMELEN - 1 },
4417 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4418 .len = NFT_OBJ_MAXNAMELEN - 1 },
4419 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4420 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4421 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4424 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4425 const struct nft_object_type *type,
4426 const struct nlattr *attr)
4429 const struct nft_object_ops *ops;
4430 struct nft_object *obj;
4433 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4438 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4443 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4446 if (type->select_ops) {
4447 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4457 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4461 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4474 return ERR_PTR(err);
4477 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4478 struct nft_object *obj, bool reset)
4480 struct nlattr *nest;
4482 nest = nla_nest_start(skb, attr);
4484 goto nla_put_failure;
4485 if (obj->ops->dump(skb, obj, reset) < 0)
4486 goto nla_put_failure;
4487 nla_nest_end(skb, nest);
4494 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4496 const struct nft_object_type *type;
4498 list_for_each_entry(type, &nf_tables_objects, list) {
4499 if (objtype == type->type)
4505 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4507 const struct nft_object_type *type;
4509 type = __nft_obj_type_get(objtype);
4510 if (type != NULL && try_module_get(type->owner))
4513 #ifdef CONFIG_MODULES
4515 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4516 request_module("nft-obj-%u", objtype);
4517 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4518 if (__nft_obj_type_get(objtype))
4519 return ERR_PTR(-EAGAIN);
4522 return ERR_PTR(-ENOENT);
4525 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4526 struct sk_buff *skb, const struct nlmsghdr *nlh,
4527 const struct nlattr * const nla[],
4528 struct netlink_ext_ack *extack)
4530 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4531 const struct nft_object_type *type;
4532 u8 genmask = nft_genmask_next(net);
4533 int family = nfmsg->nfgen_family;
4534 struct nft_table *table;
4535 struct nft_object *obj;
4540 if (!nla[NFTA_OBJ_TYPE] ||
4541 !nla[NFTA_OBJ_NAME] ||
4542 !nla[NFTA_OBJ_DATA])
4545 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4548 return PTR_ERR(table);
4550 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4551 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4558 if (nlh->nlmsg_flags & NLM_F_EXCL)
4564 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4566 type = nft_obj_type_get(objtype);
4568 return PTR_ERR(type);
4570 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4576 obj->handle = nf_tables_alloc_handle(table);
4578 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4584 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4588 list_add_tail_rcu(&obj->list, &table->objects);
4594 if (obj->ops->destroy)
4595 obj->ops->destroy(obj);
4598 module_put(type->owner);
4602 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4603 u32 portid, u32 seq, int event, u32 flags,
4604 int family, const struct nft_table *table,
4605 struct nft_object *obj, bool reset)
4607 struct nfgenmsg *nfmsg;
4608 struct nlmsghdr *nlh;
4610 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4611 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4613 goto nla_put_failure;
4615 nfmsg = nlmsg_data(nlh);
4616 nfmsg->nfgen_family = family;
4617 nfmsg->version = NFNETLINK_V0;
4618 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4620 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4621 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4622 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4623 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4624 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4625 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4627 goto nla_put_failure;
4629 nlmsg_end(skb, nlh);
4633 nlmsg_trim(skb, nlh);
4637 struct nft_obj_filter {
4642 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4644 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4645 const struct nft_table *table;
4646 unsigned int idx = 0, s_idx = cb->args[0];
4647 struct nft_obj_filter *filter = cb->data;
4648 struct net *net = sock_net(skb->sk);
4649 int family = nfmsg->nfgen_family;
4650 struct nft_object *obj;
4653 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4657 cb->seq = net->nft.base_seq;
4659 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4660 if (family != NFPROTO_UNSPEC && family != table->family)
4663 list_for_each_entry_rcu(obj, &table->objects, list) {
4664 if (!nft_is_active(net, obj))
4669 memset(&cb->args[1], 0,
4670 sizeof(cb->args) - sizeof(cb->args[0]));
4671 if (filter && filter->table[0] &&
4672 strcmp(filter->table, table->name))
4675 filter->type != NFT_OBJECT_UNSPEC &&
4676 obj->ops->type->type != filter->type)
4679 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4682 NLM_F_MULTI | NLM_F_APPEND,
4683 table->family, table,
4687 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4699 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4701 struct nft_obj_filter *filter = cb->data;
4704 kfree(filter->table);
4711 static struct nft_obj_filter *
4712 nft_obj_filter_alloc(const struct nlattr * const nla[])
4714 struct nft_obj_filter *filter;
4716 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4718 return ERR_PTR(-ENOMEM);
4720 if (nla[NFTA_OBJ_TABLE]) {
4721 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4722 if (!filter->table) {
4724 return ERR_PTR(-ENOMEM);
4727 if (nla[NFTA_OBJ_TYPE])
4728 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4733 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4734 struct sk_buff *skb, const struct nlmsghdr *nlh,
4735 const struct nlattr * const nla[],
4736 struct netlink_ext_ack *extack)
4738 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4739 u8 genmask = nft_genmask_cur(net);
4740 int family = nfmsg->nfgen_family;
4741 const struct nft_table *table;
4742 struct nft_object *obj;
4743 struct sk_buff *skb2;
4748 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4749 struct netlink_dump_control c = {
4750 .dump = nf_tables_dump_obj,
4751 .done = nf_tables_dump_obj_done,
4754 if (nla[NFTA_OBJ_TABLE] ||
4755 nla[NFTA_OBJ_TYPE]) {
4756 struct nft_obj_filter *filter;
4758 filter = nft_obj_filter_alloc(nla);
4764 return netlink_dump_start(nlsk, skb, nlh, &c);
4767 if (!nla[NFTA_OBJ_NAME] ||
4768 !nla[NFTA_OBJ_TYPE])
4771 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4774 return PTR_ERR(table);
4776 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4777 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4779 return PTR_ERR(obj);
4781 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4785 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4788 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4789 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4790 family, table, obj, reset);
4794 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4800 static void nft_obj_destroy(struct nft_object *obj)
4802 if (obj->ops->destroy)
4803 obj->ops->destroy(obj);
4805 module_put(obj->ops->type->owner);
4810 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4811 struct sk_buff *skb, const struct nlmsghdr *nlh,
4812 const struct nlattr * const nla[],
4813 struct netlink_ext_ack *extack)
4815 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4816 u8 genmask = nft_genmask_next(net);
4817 int family = nfmsg->nfgen_family;
4818 struct nft_table *table;
4819 struct nft_object *obj;
4823 if (!nla[NFTA_OBJ_TYPE] ||
4824 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4827 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4830 return PTR_ERR(table);
4832 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4833 if (nla[NFTA_OBJ_HANDLE])
4834 obj = nf_tables_obj_lookup_byhandle(table, nla[NFTA_OBJ_HANDLE],
4837 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME],
4840 return PTR_ERR(obj);
4844 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4846 return nft_delobj(&ctx, obj);
4849 void nft_obj_notify(struct net *net, struct nft_table *table,
4850 struct nft_object *obj, u32 portid, u32 seq, int event,
4851 int family, int report, gfp_t gfp)
4853 struct sk_buff *skb;
4857 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4860 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4864 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4871 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4874 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4876 EXPORT_SYMBOL_GPL(nft_obj_notify);
4878 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4879 struct nft_object *obj, int event)
4881 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4882 ctx->family, ctx->report, GFP_KERNEL);
4888 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4890 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4891 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4892 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4894 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4896 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4898 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4899 list_del_rcu(&type->list);
4900 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4902 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4904 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4905 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4906 .len = NFT_NAME_MAXLEN - 1 },
4907 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4908 .len = NFT_NAME_MAXLEN - 1 },
4909 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4910 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
4913 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
4914 const struct nlattr *nla,
4917 struct nft_flowtable *flowtable;
4919 list_for_each_entry(flowtable, &table->flowtables, list) {
4920 if (!nla_strcmp(nla, flowtable->name) &&
4921 nft_active_genmask(flowtable, genmask))
4924 return ERR_PTR(-ENOENT);
4926 EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
4928 static struct nft_flowtable *
4929 nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
4930 const struct nlattr *nla, u8 genmask)
4932 struct nft_flowtable *flowtable;
4934 list_for_each_entry(flowtable, &table->flowtables, list) {
4935 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
4936 nft_active_genmask(flowtable, genmask))
4939 return ERR_PTR(-ENOENT);
4942 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4943 const struct nlattr *attr,
4944 struct net_device *dev_array[], int *len)
4946 const struct nlattr *tmp;
4947 struct net_device *dev;
4948 char ifname[IFNAMSIZ];
4949 int rem, n = 0, err;
4951 nla_for_each_nested(tmp, attr, rem) {
4952 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
4957 nla_strlcpy(ifname, tmp, IFNAMSIZ);
4958 dev = __dev_get_by_name(ctx->net, ifname);
4964 dev_array[n++] = dev;
4965 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
4979 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
4980 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
4981 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
4982 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
4985 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
4986 const struct nlattr *attr,
4987 struct nft_flowtable *flowtable)
4989 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
4990 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
4991 struct nf_hook_ops *ops;
4992 int hooknum, priority;
4995 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
4996 nft_flowtable_hook_policy, NULL);
5000 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5001 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5002 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5005 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5006 if (hooknum != NF_NETDEV_INGRESS)
5009 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5011 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5016 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
5020 flowtable->hooknum = hooknum;
5021 flowtable->priority = priority;
5022 flowtable->ops = ops;
5023 flowtable->ops_len = n;
5025 for (i = 0; i < n; i++) {
5026 flowtable->ops[i].pf = NFPROTO_NETDEV;
5027 flowtable->ops[i].hooknum = hooknum;
5028 flowtable->ops[i].priority = priority;
5029 flowtable->ops[i].priv = &flowtable->data.rhashtable;
5030 flowtable->ops[i].hook = flowtable->data.type->hook;
5031 flowtable->ops[i].dev = dev_array[i];
5032 flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
5039 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5041 const struct nf_flowtable_type *type;
5043 list_for_each_entry(type, &nf_tables_flowtables, list) {
5044 if (family == type->family)
5050 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5052 const struct nf_flowtable_type *type;
5054 type = __nft_flowtable_type_get(family);
5055 if (type != NULL && try_module_get(type->owner))
5058 #ifdef CONFIG_MODULES
5060 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5061 request_module("nf-flowtable-%u", family);
5062 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5063 if (__nft_flowtable_type_get(family))
5064 return ERR_PTR(-EAGAIN);
5067 return ERR_PTR(-ENOENT);
5070 void nft_flow_table_iterate(struct net *net,
5071 void (*iter)(struct nf_flowtable *flowtable, void *data),
5074 struct nft_flowtable *flowtable;
5075 const struct nft_table *table;
5077 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5078 list_for_each_entry(table, &net->nft.tables, list) {
5079 list_for_each_entry(flowtable, &table->flowtables, list) {
5080 iter(&flowtable->data, data);
5083 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5085 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
5087 static void nft_unregister_flowtable_net_hooks(struct net *net,
5088 struct nft_flowtable *flowtable)
5092 for (i = 0; i < flowtable->ops_len; i++) {
5093 if (!flowtable->ops[i].dev)
5096 nf_unregister_net_hook(net, &flowtable->ops[i]);
5100 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5101 struct sk_buff *skb,
5102 const struct nlmsghdr *nlh,
5103 const struct nlattr * const nla[],
5104 struct netlink_ext_ack *extack)
5106 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5107 const struct nf_flowtable_type *type;
5108 struct nft_flowtable *flowtable, *ft;
5109 u8 genmask = nft_genmask_next(net);
5110 int family = nfmsg->nfgen_family;
5111 struct nft_table *table;
5115 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5116 !nla[NFTA_FLOWTABLE_NAME] ||
5117 !nla[NFTA_FLOWTABLE_HOOK])
5120 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5123 return PTR_ERR(table);
5125 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5127 if (IS_ERR(flowtable)) {
5128 err = PTR_ERR(flowtable);
5132 if (nlh->nlmsg_flags & NLM_F_EXCL)
5138 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5140 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5144 flowtable->table = table;
5145 flowtable->handle = nf_tables_alloc_handle(table);
5147 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5148 if (!flowtable->name) {
5153 type = nft_flowtable_type_get(family);
5155 err = PTR_ERR(type);
5159 flowtable->data.type = type;
5160 err = rhashtable_init(&flowtable->data.rhashtable, type->params);
5164 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5169 for (i = 0; i < flowtable->ops_len; i++) {
5170 if (!flowtable->ops[i].dev)
5173 list_for_each_entry(ft, &table->flowtables, list) {
5174 for (k = 0; k < ft->ops_len; k++) {
5175 if (!ft->ops[k].dev)
5178 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5179 flowtable->ops[i].pf == ft->ops[k].pf) {
5186 err = nf_register_net_hook(net, &flowtable->ops[i]);
5191 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5195 INIT_DEFERRABLE_WORK(&flowtable->data.gc_work, type->gc);
5196 queue_delayed_work(system_power_efficient_wq,
5197 &flowtable->data.gc_work, HZ);
5199 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5204 i = flowtable->ops_len;
5206 for (k = i - 1; k >= 0; k--) {
5207 kfree(flowtable->dev_name[k]);
5208 nf_unregister_net_hook(net, &flowtable->ops[k]);
5211 kfree(flowtable->ops);
5213 module_put(type->owner);
5215 kfree(flowtable->name);
5221 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5222 struct sk_buff *skb,
5223 const struct nlmsghdr *nlh,
5224 const struct nlattr * const nla[],
5225 struct netlink_ext_ack *extack)
5227 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5228 u8 genmask = nft_genmask_next(net);
5229 int family = nfmsg->nfgen_family;
5230 struct nft_flowtable *flowtable;
5231 struct nft_table *table;
5234 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5235 (!nla[NFTA_FLOWTABLE_NAME] &&
5236 !nla[NFTA_FLOWTABLE_HANDLE]))
5239 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5242 return PTR_ERR(table);
5244 if (nla[NFTA_FLOWTABLE_HANDLE])
5245 flowtable = nf_tables_flowtable_lookup_byhandle(table,
5246 nla[NFTA_FLOWTABLE_HANDLE],
5249 flowtable = nf_tables_flowtable_lookup(table,
5250 nla[NFTA_FLOWTABLE_NAME],
5252 if (IS_ERR(flowtable))
5253 return PTR_ERR(flowtable);
5254 if (flowtable->use > 0)
5257 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5259 return nft_delflowtable(&ctx, flowtable);
5262 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5263 u32 portid, u32 seq, int event,
5264 u32 flags, int family,
5265 struct nft_flowtable *flowtable)
5267 struct nlattr *nest, *nest_devs;
5268 struct nfgenmsg *nfmsg;
5269 struct nlmsghdr *nlh;
5272 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5273 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5275 goto nla_put_failure;
5277 nfmsg = nlmsg_data(nlh);
5278 nfmsg->nfgen_family = family;
5279 nfmsg->version = NFNETLINK_V0;
5280 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5282 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5283 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5284 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5285 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5286 NFTA_FLOWTABLE_PAD))
5287 goto nla_put_failure;
5289 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5290 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5291 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5292 goto nla_put_failure;
5294 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5296 goto nla_put_failure;
5298 for (i = 0; i < flowtable->ops_len; i++) {
5299 if (flowtable->dev_name[i][0] &&
5300 nla_put_string(skb, NFTA_DEVICE_NAME,
5301 flowtable->dev_name[i]))
5302 goto nla_put_failure;
5304 nla_nest_end(skb, nest_devs);
5305 nla_nest_end(skb, nest);
5307 nlmsg_end(skb, nlh);
5311 nlmsg_trim(skb, nlh);
5315 struct nft_flowtable_filter {
5319 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5320 struct netlink_callback *cb)
5322 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5323 struct nft_flowtable_filter *filter = cb->data;
5324 unsigned int idx = 0, s_idx = cb->args[0];
5325 struct net *net = sock_net(skb->sk);
5326 int family = nfmsg->nfgen_family;
5327 struct nft_flowtable *flowtable;
5328 const struct nft_table *table;
5331 cb->seq = net->nft.base_seq;
5333 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5334 if (family != NFPROTO_UNSPEC && family != table->family)
5337 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5338 if (!nft_is_active(net, flowtable))
5343 memset(&cb->args[1], 0,
5344 sizeof(cb->args) - sizeof(cb->args[0]));
5345 if (filter && filter->table[0] &&
5346 strcmp(filter->table, table->name))
5349 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5351 NFT_MSG_NEWFLOWTABLE,
5352 NLM_F_MULTI | NLM_F_APPEND,
5353 table->family, flowtable) < 0)
5356 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5368 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5370 struct nft_flowtable_filter *filter = cb->data;
5375 kfree(filter->table);
5381 static struct nft_flowtable_filter *
5382 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5384 struct nft_flowtable_filter *filter;
5386 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5388 return ERR_PTR(-ENOMEM);
5390 if (nla[NFTA_FLOWTABLE_TABLE]) {
5391 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5393 if (!filter->table) {
5395 return ERR_PTR(-ENOMEM);
5401 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5402 struct sk_buff *skb,
5403 const struct nlmsghdr *nlh,
5404 const struct nlattr * const nla[],
5405 struct netlink_ext_ack *extack)
5407 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5408 u8 genmask = nft_genmask_cur(net);
5409 int family = nfmsg->nfgen_family;
5410 struct nft_flowtable *flowtable;
5411 const struct nft_table *table;
5412 struct sk_buff *skb2;
5415 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5416 struct netlink_dump_control c = {
5417 .dump = nf_tables_dump_flowtable,
5418 .done = nf_tables_dump_flowtable_done,
5421 if (nla[NFTA_FLOWTABLE_TABLE]) {
5422 struct nft_flowtable_filter *filter;
5424 filter = nft_flowtable_filter_alloc(nla);
5430 return netlink_dump_start(nlsk, skb, nlh, &c);
5433 if (!nla[NFTA_FLOWTABLE_NAME])
5436 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5439 return PTR_ERR(table);
5441 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5443 if (IS_ERR(flowtable))
5444 return PTR_ERR(flowtable);
5446 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5450 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5452 NFT_MSG_NEWFLOWTABLE, 0, family,
5457 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5463 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5464 struct nft_flowtable *flowtable,
5467 struct sk_buff *skb;
5471 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5474 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5478 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5480 ctx->family, flowtable);
5486 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5487 ctx->report, GFP_KERNEL);
5490 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5493 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5495 cancel_delayed_work_sync(&flowtable->data.gc_work);
5496 kfree(flowtable->ops);
5497 kfree(flowtable->name);
5498 flowtable->data.type->free(&flowtable->data);
5499 rhashtable_destroy(&flowtable->data.rhashtable);
5500 module_put(flowtable->data.type->owner);
5503 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5504 u32 portid, u32 seq)
5506 struct nlmsghdr *nlh;
5507 struct nfgenmsg *nfmsg;
5508 char buf[TASK_COMM_LEN];
5509 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5511 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5513 goto nla_put_failure;
5515 nfmsg = nlmsg_data(nlh);
5516 nfmsg->nfgen_family = AF_UNSPEC;
5517 nfmsg->version = NFNETLINK_V0;
5518 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5520 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5521 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5522 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5523 goto nla_put_failure;
5525 nlmsg_end(skb, nlh);
5529 nlmsg_trim(skb, nlh);
5533 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5534 struct nft_flowtable *flowtable)
5538 for (i = 0; i < flowtable->ops_len; i++) {
5539 if (flowtable->ops[i].dev != dev)
5542 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5543 flowtable->dev_name[i][0] = '\0';
5544 flowtable->ops[i].dev = NULL;
5549 static int nf_tables_flowtable_event(struct notifier_block *this,
5550 unsigned long event, void *ptr)
5552 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5553 struct nft_flowtable *flowtable;
5554 struct nft_table *table;
5556 if (event != NETDEV_UNREGISTER)
5559 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5560 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5561 list_for_each_entry(flowtable, &table->flowtables, list) {
5562 nft_flowtable_event(event, dev, flowtable);
5565 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5570 static struct notifier_block nf_tables_flowtable_notifier = {
5571 .notifier_call = nf_tables_flowtable_event,
5574 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5577 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5578 struct sk_buff *skb2;
5581 if (nlmsg_report(nlh) &&
5582 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5585 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5589 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5596 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5597 nlmsg_report(nlh), GFP_KERNEL);
5600 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5604 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5605 struct sk_buff *skb, const struct nlmsghdr *nlh,
5606 const struct nlattr * const nla[],
5607 struct netlink_ext_ack *extack)
5609 struct sk_buff *skb2;
5612 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5616 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5621 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5627 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5628 [NFT_MSG_NEWTABLE] = {
5629 .call_batch = nf_tables_newtable,
5630 .attr_count = NFTA_TABLE_MAX,
5631 .policy = nft_table_policy,
5633 [NFT_MSG_GETTABLE] = {
5634 .call = nf_tables_gettable,
5635 .attr_count = NFTA_TABLE_MAX,
5636 .policy = nft_table_policy,
5638 [NFT_MSG_DELTABLE] = {
5639 .call_batch = nf_tables_deltable,
5640 .attr_count = NFTA_TABLE_MAX,
5641 .policy = nft_table_policy,
5643 [NFT_MSG_NEWCHAIN] = {
5644 .call_batch = nf_tables_newchain,
5645 .attr_count = NFTA_CHAIN_MAX,
5646 .policy = nft_chain_policy,
5648 [NFT_MSG_GETCHAIN] = {
5649 .call = nf_tables_getchain,
5650 .attr_count = NFTA_CHAIN_MAX,
5651 .policy = nft_chain_policy,
5653 [NFT_MSG_DELCHAIN] = {
5654 .call_batch = nf_tables_delchain,
5655 .attr_count = NFTA_CHAIN_MAX,
5656 .policy = nft_chain_policy,
5658 [NFT_MSG_NEWRULE] = {
5659 .call_batch = nf_tables_newrule,
5660 .attr_count = NFTA_RULE_MAX,
5661 .policy = nft_rule_policy,
5663 [NFT_MSG_GETRULE] = {
5664 .call = nf_tables_getrule,
5665 .attr_count = NFTA_RULE_MAX,
5666 .policy = nft_rule_policy,
5668 [NFT_MSG_DELRULE] = {
5669 .call_batch = nf_tables_delrule,
5670 .attr_count = NFTA_RULE_MAX,
5671 .policy = nft_rule_policy,
5673 [NFT_MSG_NEWSET] = {
5674 .call_batch = nf_tables_newset,
5675 .attr_count = NFTA_SET_MAX,
5676 .policy = nft_set_policy,
5678 [NFT_MSG_GETSET] = {
5679 .call = nf_tables_getset,
5680 .attr_count = NFTA_SET_MAX,
5681 .policy = nft_set_policy,
5683 [NFT_MSG_DELSET] = {
5684 .call_batch = nf_tables_delset,
5685 .attr_count = NFTA_SET_MAX,
5686 .policy = nft_set_policy,
5688 [NFT_MSG_NEWSETELEM] = {
5689 .call_batch = nf_tables_newsetelem,
5690 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5691 .policy = nft_set_elem_list_policy,
5693 [NFT_MSG_GETSETELEM] = {
5694 .call = nf_tables_getsetelem,
5695 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5696 .policy = nft_set_elem_list_policy,
5698 [NFT_MSG_DELSETELEM] = {
5699 .call_batch = nf_tables_delsetelem,
5700 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5701 .policy = nft_set_elem_list_policy,
5703 [NFT_MSG_GETGEN] = {
5704 .call = nf_tables_getgen,
5706 [NFT_MSG_NEWOBJ] = {
5707 .call_batch = nf_tables_newobj,
5708 .attr_count = NFTA_OBJ_MAX,
5709 .policy = nft_obj_policy,
5711 [NFT_MSG_GETOBJ] = {
5712 .call = nf_tables_getobj,
5713 .attr_count = NFTA_OBJ_MAX,
5714 .policy = nft_obj_policy,
5716 [NFT_MSG_DELOBJ] = {
5717 .call_batch = nf_tables_delobj,
5718 .attr_count = NFTA_OBJ_MAX,
5719 .policy = nft_obj_policy,
5721 [NFT_MSG_GETOBJ_RESET] = {
5722 .call = nf_tables_getobj,
5723 .attr_count = NFTA_OBJ_MAX,
5724 .policy = nft_obj_policy,
5726 [NFT_MSG_NEWFLOWTABLE] = {
5727 .call_batch = nf_tables_newflowtable,
5728 .attr_count = NFTA_FLOWTABLE_MAX,
5729 .policy = nft_flowtable_policy,
5731 [NFT_MSG_GETFLOWTABLE] = {
5732 .call = nf_tables_getflowtable,
5733 .attr_count = NFTA_FLOWTABLE_MAX,
5734 .policy = nft_flowtable_policy,
5736 [NFT_MSG_DELFLOWTABLE] = {
5737 .call_batch = nf_tables_delflowtable,
5738 .attr_count = NFTA_FLOWTABLE_MAX,
5739 .policy = nft_flowtable_policy,
5743 static void nft_chain_commit_update(struct nft_trans *trans)
5745 struct nft_base_chain *basechain;
5747 if (nft_trans_chain_name(trans))
5748 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5750 if (!nft_is_base_chain(trans->ctx.chain))
5753 basechain = nft_base_chain(trans->ctx.chain);
5754 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5756 switch (nft_trans_chain_policy(trans)) {
5759 basechain->policy = nft_trans_chain_policy(trans);
5764 static void nf_tables_commit_release(struct nft_trans *trans)
5766 switch (trans->msg_type) {
5767 case NFT_MSG_DELTABLE:
5768 nf_tables_table_destroy(&trans->ctx);
5770 case NFT_MSG_DELCHAIN:
5771 nf_tables_chain_destroy(&trans->ctx);
5773 case NFT_MSG_DELRULE:
5774 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5776 case NFT_MSG_DELSET:
5777 nft_set_destroy(nft_trans_set(trans));
5779 case NFT_MSG_DELSETELEM:
5780 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5781 nft_trans_elem(trans).priv);
5783 case NFT_MSG_DELOBJ:
5784 nft_obj_destroy(nft_trans_obj(trans));
5786 case NFT_MSG_DELFLOWTABLE:
5787 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5793 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5795 struct nft_trans *trans, *next;
5796 struct nft_trans_elem *te;
5798 /* Bump generation counter, invalidate any dump in progress */
5799 while (++net->nft.base_seq == 0);
5801 /* A new generation has just started */
5802 net->nft.gencursor = nft_gencursor_next(net);
5804 /* Make sure all packets have left the previous generation before
5805 * purging old rules.
5809 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5810 switch (trans->msg_type) {
5811 case NFT_MSG_NEWTABLE:
5812 if (nft_trans_table_update(trans)) {
5813 if (!nft_trans_table_enable(trans)) {
5814 nf_tables_table_disable(net,
5816 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5819 nft_clear(net, trans->ctx.table);
5821 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5822 nft_trans_destroy(trans);
5824 case NFT_MSG_DELTABLE:
5825 list_del_rcu(&trans->ctx.table->list);
5826 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5828 case NFT_MSG_NEWCHAIN:
5829 if (nft_trans_chain_update(trans))
5830 nft_chain_commit_update(trans);
5832 nft_clear(net, trans->ctx.chain);
5834 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5835 nft_trans_destroy(trans);
5837 case NFT_MSG_DELCHAIN:
5838 list_del_rcu(&trans->ctx.chain->list);
5839 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5840 nf_tables_unregister_hook(trans->ctx.net,
5844 case NFT_MSG_NEWRULE:
5845 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5846 nf_tables_rule_notify(&trans->ctx,
5847 nft_trans_rule(trans),
5849 nft_trans_destroy(trans);
5851 case NFT_MSG_DELRULE:
5852 list_del_rcu(&nft_trans_rule(trans)->list);
5853 nf_tables_rule_notify(&trans->ctx,
5854 nft_trans_rule(trans),
5857 case NFT_MSG_NEWSET:
5858 nft_clear(net, nft_trans_set(trans));
5859 /* This avoids hitting -EBUSY when deleting the table
5860 * from the transaction.
5862 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5863 !list_empty(&nft_trans_set(trans)->bindings))
5864 trans->ctx.table->use--;
5866 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5867 NFT_MSG_NEWSET, GFP_KERNEL);
5868 nft_trans_destroy(trans);
5870 case NFT_MSG_DELSET:
5871 list_del_rcu(&nft_trans_set(trans)->list);
5872 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5873 NFT_MSG_DELSET, GFP_KERNEL);
5875 case NFT_MSG_NEWSETELEM:
5876 te = (struct nft_trans_elem *)trans->data;
5878 te->set->ops->activate(net, te->set, &te->elem);
5879 nf_tables_setelem_notify(&trans->ctx, te->set,
5881 NFT_MSG_NEWSETELEM, 0);
5882 nft_trans_destroy(trans);
5884 case NFT_MSG_DELSETELEM:
5885 te = (struct nft_trans_elem *)trans->data;
5887 nf_tables_setelem_notify(&trans->ctx, te->set,
5889 NFT_MSG_DELSETELEM, 0);
5890 te->set->ops->remove(net, te->set, &te->elem);
5891 atomic_dec(&te->set->nelems);
5894 case NFT_MSG_NEWOBJ:
5895 nft_clear(net, nft_trans_obj(trans));
5896 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5898 nft_trans_destroy(trans);
5900 case NFT_MSG_DELOBJ:
5901 list_del_rcu(&nft_trans_obj(trans)->list);
5902 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5905 case NFT_MSG_NEWFLOWTABLE:
5906 nft_clear(net, nft_trans_flowtable(trans));
5907 nf_tables_flowtable_notify(&trans->ctx,
5908 nft_trans_flowtable(trans),
5909 NFT_MSG_NEWFLOWTABLE);
5910 nft_trans_destroy(trans);
5912 case NFT_MSG_DELFLOWTABLE:
5913 list_del_rcu(&nft_trans_flowtable(trans)->list);
5914 nf_tables_flowtable_notify(&trans->ctx,
5915 nft_trans_flowtable(trans),
5916 NFT_MSG_DELFLOWTABLE);
5917 nft_unregister_flowtable_net_hooks(net,
5918 nft_trans_flowtable(trans));
5925 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5926 list_del(&trans->list);
5927 nf_tables_commit_release(trans);
5930 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5935 static void nf_tables_abort_release(struct nft_trans *trans)
5937 switch (trans->msg_type) {
5938 case NFT_MSG_NEWTABLE:
5939 nf_tables_table_destroy(&trans->ctx);
5941 case NFT_MSG_NEWCHAIN:
5942 nf_tables_chain_destroy(&trans->ctx);
5944 case NFT_MSG_NEWRULE:
5945 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5947 case NFT_MSG_NEWSET:
5948 nft_set_destroy(nft_trans_set(trans));
5950 case NFT_MSG_NEWSETELEM:
5951 nft_set_elem_destroy(nft_trans_elem_set(trans),
5952 nft_trans_elem(trans).priv, true);
5954 case NFT_MSG_NEWOBJ:
5955 nft_obj_destroy(nft_trans_obj(trans));
5957 case NFT_MSG_NEWFLOWTABLE:
5958 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5964 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5966 struct nft_trans *trans, *next;
5967 struct nft_trans_elem *te;
5969 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5971 switch (trans->msg_type) {
5972 case NFT_MSG_NEWTABLE:
5973 if (nft_trans_table_update(trans)) {
5974 if (nft_trans_table_enable(trans)) {
5975 nf_tables_table_disable(net,
5977 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5979 nft_trans_destroy(trans);
5981 list_del_rcu(&trans->ctx.table->list);
5984 case NFT_MSG_DELTABLE:
5985 nft_clear(trans->ctx.net, trans->ctx.table);
5986 nft_trans_destroy(trans);
5988 case NFT_MSG_NEWCHAIN:
5989 if (nft_trans_chain_update(trans)) {
5990 free_percpu(nft_trans_chain_stats(trans));
5992 nft_trans_destroy(trans);
5994 trans->ctx.table->use--;
5995 list_del_rcu(&trans->ctx.chain->list);
5996 nf_tables_unregister_hook(trans->ctx.net,
6001 case NFT_MSG_DELCHAIN:
6002 trans->ctx.table->use++;
6003 nft_clear(trans->ctx.net, trans->ctx.chain);
6004 nft_trans_destroy(trans);
6006 case NFT_MSG_NEWRULE:
6007 trans->ctx.chain->use--;
6008 list_del_rcu(&nft_trans_rule(trans)->list);
6010 case NFT_MSG_DELRULE:
6011 trans->ctx.chain->use++;
6012 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6013 nft_trans_destroy(trans);
6015 case NFT_MSG_NEWSET:
6016 trans->ctx.table->use--;
6017 list_del_rcu(&nft_trans_set(trans)->list);
6019 case NFT_MSG_DELSET:
6020 trans->ctx.table->use++;
6021 nft_clear(trans->ctx.net, nft_trans_set(trans));
6022 nft_trans_destroy(trans);
6024 case NFT_MSG_NEWSETELEM:
6025 te = (struct nft_trans_elem *)trans->data;
6027 te->set->ops->remove(net, te->set, &te->elem);
6028 atomic_dec(&te->set->nelems);
6030 case NFT_MSG_DELSETELEM:
6031 te = (struct nft_trans_elem *)trans->data;
6033 nft_set_elem_activate(net, te->set, &te->elem);
6034 te->set->ops->activate(net, te->set, &te->elem);
6037 nft_trans_destroy(trans);
6039 case NFT_MSG_NEWOBJ:
6040 trans->ctx.table->use--;
6041 list_del_rcu(&nft_trans_obj(trans)->list);
6043 case NFT_MSG_DELOBJ:
6044 trans->ctx.table->use++;
6045 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6046 nft_trans_destroy(trans);
6048 case NFT_MSG_NEWFLOWTABLE:
6049 trans->ctx.table->use--;
6050 list_del_rcu(&nft_trans_flowtable(trans)->list);
6051 nft_unregister_flowtable_net_hooks(net,
6052 nft_trans_flowtable(trans));
6054 case NFT_MSG_DELFLOWTABLE:
6055 trans->ctx.table->use++;
6056 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6057 nft_trans_destroy(trans);
6064 list_for_each_entry_safe_reverse(trans, next,
6065 &net->nft.commit_list, list) {
6066 list_del(&trans->list);
6067 nf_tables_abort_release(trans);
6073 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6075 return net->nft.base_seq == genid;
6078 static const struct nfnetlink_subsystem nf_tables_subsys = {
6079 .name = "nf_tables",
6080 .subsys_id = NFNL_SUBSYS_NFTABLES,
6081 .cb_count = NFT_MSG_MAX,
6083 .commit = nf_tables_commit,
6084 .abort = nf_tables_abort,
6085 .valid_genid = nf_tables_valid_genid,
6088 int nft_chain_validate_dependency(const struct nft_chain *chain,
6089 enum nft_chain_types type)
6091 const struct nft_base_chain *basechain;
6093 if (nft_is_base_chain(chain)) {
6094 basechain = nft_base_chain(chain);
6095 if (basechain->type->type != type)
6100 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6102 int nft_chain_validate_hooks(const struct nft_chain *chain,
6103 unsigned int hook_flags)
6105 struct nft_base_chain *basechain;
6107 if (nft_is_base_chain(chain)) {
6108 basechain = nft_base_chain(chain);
6110 if ((1 << basechain->ops.hooknum) & hook_flags)
6118 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6121 * Loop detection - walk through the ruleset beginning at the destination chain
6122 * of a new jump until either the source chain is reached (loop) or all
6123 * reachable chains have been traversed.
6125 * The loop check is performed whenever a new jump verdict is added to an
6126 * expression or verdict map or a verdict map is bound to a new chain.
6129 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6130 const struct nft_chain *chain);
6132 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6133 struct nft_set *set,
6134 const struct nft_set_iter *iter,
6135 struct nft_set_elem *elem)
6137 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6138 const struct nft_data *data;
6140 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6141 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6144 data = nft_set_ext_data(ext);
6145 switch (data->verdict.code) {
6148 return nf_tables_check_loops(ctx, data->verdict.chain);
6154 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6155 const struct nft_chain *chain)
6157 const struct nft_rule *rule;
6158 const struct nft_expr *expr, *last;
6159 struct nft_set *set;
6160 struct nft_set_binding *binding;
6161 struct nft_set_iter iter;
6163 if (ctx->chain == chain)
6166 list_for_each_entry(rule, &chain->rules, list) {
6167 nft_rule_for_each_expr(expr, last, rule) {
6168 const struct nft_data *data = NULL;
6171 if (!expr->ops->validate)
6174 err = expr->ops->validate(ctx, expr, &data);
6181 switch (data->verdict.code) {
6184 err = nf_tables_check_loops(ctx,
6185 data->verdict.chain);
6194 list_for_each_entry(set, &ctx->table->sets, list) {
6195 if (!nft_is_active_next(ctx->net, set))
6197 if (!(set->flags & NFT_SET_MAP) ||
6198 set->dtype != NFT_DATA_VERDICT)
6201 list_for_each_entry(binding, &set->bindings, list) {
6202 if (!(binding->flags & NFT_SET_MAP) ||
6203 binding->chain != chain)
6206 iter.genmask = nft_genmask_next(ctx->net);
6210 iter.fn = nf_tables_loop_check_setelem;
6212 set->ops->walk(ctx, set, &iter);
6222 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6224 * @attr: netlink attribute to fetch value from
6225 * @max: maximum value to be stored in dest
6226 * @dest: pointer to the variable
6228 * Parse, check and store a given u32 netlink attribute into variable.
6229 * This function returns -ERANGE if the value goes over maximum value.
6230 * Otherwise a 0 is returned and the attribute value is stored in the
6231 * destination variable.
6233 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6237 val = ntohl(nla_get_be32(attr));
6244 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6247 * nft_parse_register - parse a register value from a netlink attribute
6249 * @attr: netlink attribute
6251 * Parse and translate a register value from a netlink attribute.
6252 * Registers used to be 128 bit wide, these register numbers will be
6253 * mapped to the corresponding 32 bit register numbers.
6255 unsigned int nft_parse_register(const struct nlattr *attr)
6259 reg = ntohl(nla_get_be32(attr));
6261 case NFT_REG_VERDICT...NFT_REG_4:
6262 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6264 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6267 EXPORT_SYMBOL_GPL(nft_parse_register);
6270 * nft_dump_register - dump a register value to a netlink attribute
6272 * @skb: socket buffer
6273 * @attr: attribute number
6274 * @reg: register number
6276 * Construct a netlink attribute containing the register number. For
6277 * compatibility reasons, register numbers being a multiple of 4 are
6278 * translated to the corresponding 128 bit register numbers.
6280 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6282 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6283 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6285 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6287 return nla_put_be32(skb, attr, htonl(reg));
6289 EXPORT_SYMBOL_GPL(nft_dump_register);
6292 * nft_validate_register_load - validate a load from a register
6294 * @reg: the register number
6295 * @len: the length of the data
6297 * Validate that the input register is one of the general purpose
6298 * registers and that the length of the load is within the bounds.
6300 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6302 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6306 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6311 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6314 * nft_validate_register_store - validate an expressions' register store
6316 * @ctx: context of the expression performing the load
6317 * @reg: the destination register number
6318 * @data: the data to load
6319 * @type: the data type
6320 * @len: the length of the data
6322 * Validate that a data load uses the appropriate data type for
6323 * the destination register and the length is within the bounds.
6324 * A value of NULL for the data means that its runtime gathered
6327 int nft_validate_register_store(const struct nft_ctx *ctx,
6328 enum nft_registers reg,
6329 const struct nft_data *data,
6330 enum nft_data_types type, unsigned int len)
6335 case NFT_REG_VERDICT:
6336 if (type != NFT_DATA_VERDICT)
6340 (data->verdict.code == NFT_GOTO ||
6341 data->verdict.code == NFT_JUMP)) {
6342 err = nf_tables_check_loops(ctx, data->verdict.chain);
6346 if (ctx->chain->level + 1 >
6347 data->verdict.chain->level) {
6348 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6350 data->verdict.chain->level = ctx->chain->level + 1;
6356 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6360 if (reg * NFT_REG32_SIZE + len >
6361 FIELD_SIZEOF(struct nft_regs, data))
6364 if (data != NULL && type != NFT_DATA_VALUE)
6369 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6371 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6372 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6373 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6374 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6377 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6378 struct nft_data_desc *desc, const struct nlattr *nla)
6380 u8 genmask = nft_genmask_next(ctx->net);
6381 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6382 struct nft_chain *chain;
6385 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6390 if (!tb[NFTA_VERDICT_CODE])
6392 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6394 switch (data->verdict.code) {
6396 switch (data->verdict.code & NF_VERDICT_MASK) {
6411 if (!tb[NFTA_VERDICT_CHAIN])
6413 chain = nf_tables_chain_lookup(ctx->table,
6414 tb[NFTA_VERDICT_CHAIN], genmask);
6416 return PTR_ERR(chain);
6417 if (nft_is_base_chain(chain))
6421 data->verdict.chain = chain;
6425 desc->len = sizeof(data->verdict);
6426 desc->type = NFT_DATA_VERDICT;
6430 static void nft_verdict_uninit(const struct nft_data *data)
6432 switch (data->verdict.code) {
6435 data->verdict.chain->use--;
6440 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6442 struct nlattr *nest;
6444 nest = nla_nest_start(skb, type);
6446 goto nla_put_failure;
6448 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6449 goto nla_put_failure;
6454 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6456 goto nla_put_failure;
6458 nla_nest_end(skb, nest);
6465 static int nft_value_init(const struct nft_ctx *ctx,
6466 struct nft_data *data, unsigned int size,
6467 struct nft_data_desc *desc, const struct nlattr *nla)
6477 nla_memcpy(data->data, nla, len);
6478 desc->type = NFT_DATA_VALUE;
6483 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6486 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6489 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6490 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6491 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6495 * nft_data_init - parse nf_tables data netlink attributes
6497 * @ctx: context of the expression using the data
6498 * @data: destination struct nft_data
6499 * @size: maximum data length
6500 * @desc: data description
6501 * @nla: netlink attribute containing data
6503 * Parse the netlink data attributes and initialize a struct nft_data.
6504 * The type and length of data are returned in the data description.
6506 * The caller can indicate that it only wants to accept data of type
6507 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6509 int nft_data_init(const struct nft_ctx *ctx,
6510 struct nft_data *data, unsigned int size,
6511 struct nft_data_desc *desc, const struct nlattr *nla)
6513 struct nlattr *tb[NFTA_DATA_MAX + 1];
6516 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6520 if (tb[NFTA_DATA_VALUE])
6521 return nft_value_init(ctx, data, size, desc,
6522 tb[NFTA_DATA_VALUE]);
6523 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6524 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6527 EXPORT_SYMBOL_GPL(nft_data_init);
6530 * nft_data_release - release a nft_data item
6532 * @data: struct nft_data to release
6533 * @type: type of data
6535 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6536 * all others need to be released by calling this function.
6538 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6540 if (type < NFT_DATA_VERDICT)
6543 case NFT_DATA_VERDICT:
6544 return nft_verdict_uninit(data);
6549 EXPORT_SYMBOL_GPL(nft_data_release);
6551 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6552 enum nft_data_types type, unsigned int len)
6554 struct nlattr *nest;
6557 nest = nla_nest_start(skb, attr);
6562 case NFT_DATA_VALUE:
6563 err = nft_value_dump(skb, data, len);
6565 case NFT_DATA_VERDICT:
6566 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6573 nla_nest_end(skb, nest);
6576 EXPORT_SYMBOL_GPL(nft_data_dump);
6578 int __nft_release_basechain(struct nft_ctx *ctx)
6580 struct nft_rule *rule, *nr;
6582 BUG_ON(!nft_is_base_chain(ctx->chain));
6584 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6585 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6586 list_del(&rule->list);
6588 nf_tables_rule_destroy(ctx, rule);
6590 list_del(&ctx->chain->list);
6592 nf_tables_chain_destroy(ctx);
6596 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6598 static void __nft_release_tables(struct net *net)
6600 struct nft_flowtable *flowtable, *nf;
6601 struct nft_table *table, *nt;
6602 struct nft_chain *chain, *nc;
6603 struct nft_object *obj, *ne;
6604 struct nft_rule *rule, *nr;
6605 struct nft_set *set, *ns;
6606 struct nft_ctx ctx = {
6608 .family = NFPROTO_NETDEV,
6611 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6612 ctx.family = table->family;
6614 list_for_each_entry(chain, &table->chains, list)
6615 nf_tables_unregister_hook(net, table, chain);
6616 list_for_each_entry(flowtable, &table->flowtables, list)
6617 nf_unregister_net_hooks(net, flowtable->ops,
6618 flowtable->ops_len);
6619 /* No packets are walking on these chains anymore. */
6621 list_for_each_entry(chain, &table->chains, list) {
6623 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6624 list_del(&rule->list);
6626 nf_tables_rule_destroy(&ctx, rule);
6629 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6630 list_del(&flowtable->list);
6632 nf_tables_flowtable_destroy(flowtable);
6634 list_for_each_entry_safe(set, ns, &table->sets, list) {
6635 list_del(&set->list);
6637 nft_set_destroy(set);
6639 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6640 list_del(&obj->list);
6642 nft_obj_destroy(obj);
6644 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6646 list_del(&chain->list);
6648 nf_tables_chain_destroy(&ctx);
6650 list_del(&table->list);
6651 nf_tables_table_destroy(&ctx);
6655 static int __net_init nf_tables_init_net(struct net *net)
6657 INIT_LIST_HEAD(&net->nft.tables);
6658 INIT_LIST_HEAD(&net->nft.commit_list);
6659 net->nft.base_seq = 1;
6663 static void __net_exit nf_tables_exit_net(struct net *net)
6665 __nft_release_tables(net);
6666 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6667 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6670 static struct pernet_operations nf_tables_net_ops = {
6671 .init = nf_tables_init_net,
6672 .exit = nf_tables_exit_net,
6675 static int __init nf_tables_module_init(void)
6679 nft_chain_filter_init();
6681 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6688 err = nf_tables_core_module_init();
6692 err = nfnetlink_subsys_register(&nf_tables_subsys);
6696 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6698 return register_pernet_subsys(&nf_tables_net_ops);
6700 nf_tables_core_module_exit();
6707 static void __exit nf_tables_module_exit(void)
6709 unregister_pernet_subsys(&nf_tables_net_ops);
6710 nfnetlink_subsys_unregister(&nf_tables_subsys);
6711 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6713 nf_tables_core_module_exit();
6715 nft_chain_filter_fini();
6718 module_init(nf_tables_module_init);
6719 module_exit(nf_tables_module_exit);
6721 MODULE_LICENSE("GPL");
6722 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6723 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob