2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 /* removal requests are queued in the commit_list, but not acted upon
78 * until after all new rules are in place.
80 * Therefore, nf_register_net_hook(net, &nat_hook) runs before pending
81 * nf_unregister_net_hook().
83 * nf_register_net_hook thus fails if a nat hook is already in place
84 * even if the conflicting hook is about to be removed.
86 * If collision is detected, search commit_log for DELCHAIN matching
87 * the new nat hooknum; if we find one collision is temporary:
89 * Either transaction is aborted (new/colliding hook is removed), or
90 * transaction is committed (old hook is removed).
92 static bool nf_tables_allow_nat_conflict(const struct net *net,
93 const struct nf_hook_ops *ops)
95 const struct nft_trans *trans;
101 list_for_each_entry(trans, &net->nft.commit_list, list) {
102 const struct nf_hook_ops *pending_ops;
103 const struct nft_chain *pending;
105 if (trans->msg_type != NFT_MSG_NEWCHAIN &&
106 trans->msg_type != NFT_MSG_DELCHAIN)
109 pending = trans->ctx.chain;
110 if (!nft_is_base_chain(pending))
113 pending_ops = &nft_base_chain(pending)->ops;
114 if (pending_ops->nat_hook &&
115 pending_ops->pf == ops->pf &&
116 pending_ops->hooknum == ops->hooknum) {
117 /* other hook registration already pending? */
118 if (trans->msg_type == NFT_MSG_NEWCHAIN)
128 static int nf_tables_register_hook(struct net *net,
129 const struct nft_table *table,
130 struct nft_chain *chain)
132 struct nf_hook_ops *ops;
135 if (table->flags & NFT_TABLE_F_DORMANT ||
136 !nft_is_base_chain(chain))
139 ops = &nft_base_chain(chain)->ops;
140 ret = nf_register_net_hook(net, ops);
141 if (ret == -EBUSY && nf_tables_allow_nat_conflict(net, ops)) {
142 ops->nat_hook = false;
143 ret = nf_register_net_hook(net, ops);
144 ops->nat_hook = true;
150 static void nf_tables_unregister_hook(struct net *net,
151 const struct nft_table *table,
152 struct nft_chain *chain)
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !nft_is_base_chain(chain))
158 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
161 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
163 struct nft_trans *trans;
165 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
169 if (msg_type == NFT_MSG_NEWTABLE)
170 nft_activate_next(ctx->net, ctx->table);
172 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
176 static int nft_deltable(struct nft_ctx *ctx)
180 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
184 nft_deactivate_next(ctx->net, ctx->table);
188 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
190 struct nft_trans *trans;
192 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
196 if (msg_type == NFT_MSG_NEWCHAIN)
197 nft_activate_next(ctx->net, ctx->chain);
199 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
203 static int nft_delchain(struct nft_ctx *ctx)
207 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
212 nft_deactivate_next(ctx->net, ctx->chain);
217 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
218 struct nft_rule *rule)
220 struct nft_expr *expr;
222 expr = nft_expr_first(rule);
223 while (expr != nft_expr_last(rule) && expr->ops) {
224 if (expr->ops->activate)
225 expr->ops->activate(ctx, expr);
227 expr = nft_expr_next(expr);
231 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
232 struct nft_rule *rule)
234 struct nft_expr *expr;
236 expr = nft_expr_first(rule);
237 while (expr != nft_expr_last(rule) && expr->ops) {
238 if (expr->ops->deactivate)
239 expr->ops->deactivate(ctx, expr);
241 expr = nft_expr_next(expr);
246 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
248 /* You cannot delete the same rule twice */
249 if (nft_is_active_next(ctx->net, rule)) {
250 nft_deactivate_next(ctx->net, rule);
257 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
258 struct nft_rule *rule)
260 struct nft_trans *trans;
262 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
266 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
267 nft_trans_rule_id(trans) =
268 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
270 nft_trans_rule(trans) = rule;
271 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
276 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
278 struct nft_trans *trans;
281 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
285 err = nf_tables_delrule_deactivate(ctx, rule);
287 nft_trans_destroy(trans);
290 nft_rule_expr_deactivate(ctx, rule);
295 static int nft_delrule_by_chain(struct nft_ctx *ctx)
297 struct nft_rule *rule;
300 list_for_each_entry(rule, &ctx->chain->rules, list) {
301 err = nft_delrule(ctx, rule);
308 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
311 struct nft_trans *trans;
313 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
317 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
318 nft_trans_set_id(trans) =
319 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
320 nft_activate_next(ctx->net, set);
322 nft_trans_set(trans) = set;
323 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
328 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
332 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
336 nft_deactivate_next(ctx->net, set);
342 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
343 struct nft_object *obj)
345 struct nft_trans *trans;
347 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
351 if (msg_type == NFT_MSG_NEWOBJ)
352 nft_activate_next(ctx->net, obj);
354 nft_trans_obj(trans) = obj;
355 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
360 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
364 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
368 nft_deactivate_next(ctx->net, obj);
374 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
375 struct nft_flowtable *flowtable)
377 struct nft_trans *trans;
379 trans = nft_trans_alloc(ctx, msg_type,
380 sizeof(struct nft_trans_flowtable));
384 if (msg_type == NFT_MSG_NEWFLOWTABLE)
385 nft_activate_next(ctx->net, flowtable);
387 nft_trans_flowtable(trans) = flowtable;
388 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
393 static int nft_delflowtable(struct nft_ctx *ctx,
394 struct nft_flowtable *flowtable)
398 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
402 nft_deactivate_next(ctx->net, flowtable);
412 static struct nft_table *nft_table_lookup(const struct net *net,
413 const struct nlattr *nla,
414 u8 family, u8 genmask)
416 struct nft_table *table;
418 list_for_each_entry(table, &net->nft.tables, list) {
419 if (!nla_strcmp(nla, table->name) &&
420 table->family == family &&
421 nft_active_genmask(table, genmask))
427 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
428 const struct nlattr *nla,
431 struct nft_table *table;
433 list_for_each_entry(table, &net->nft.tables, list) {
434 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
435 nft_active_genmask(table, genmask))
441 static struct nft_table *nf_tables_table_lookup(const struct net *net,
442 const struct nlattr *nla,
443 u8 family, u8 genmask)
445 struct nft_table *table;
448 return ERR_PTR(-EINVAL);
450 table = nft_table_lookup(net, nla, family, genmask);
454 return ERR_PTR(-ENOENT);
457 static struct nft_table *nf_tables_table_lookup_byhandle(const struct net *net,
458 const struct nlattr *nla,
461 struct nft_table *table;
464 return ERR_PTR(-EINVAL);
466 table = nft_table_lookup_byhandle(net, nla, genmask);
470 return ERR_PTR(-ENOENT);
473 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
475 return ++table->hgenerator;
478 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
480 static const struct nft_chain_type *
481 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
485 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
486 if (chain_type[family][i] != NULL &&
487 !nla_strcmp(nla, chain_type[family][i]->name))
488 return chain_type[family][i];
493 static const struct nft_chain_type *
494 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
496 const struct nft_chain_type *type;
498 type = __nf_tables_chain_type_lookup(nla, family);
501 #ifdef CONFIG_MODULES
503 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
504 request_module("nft-chain-%u-%.*s", family,
505 nla_len(nla), (const char *)nla_data(nla));
506 nfnl_lock(NFNL_SUBSYS_NFTABLES);
507 type = __nf_tables_chain_type_lookup(nla, family);
509 return ERR_PTR(-EAGAIN);
512 return ERR_PTR(-ENOENT);
515 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
516 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
517 .len = NFT_TABLE_MAXNAMELEN - 1 },
518 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
519 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
522 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
523 u32 portid, u32 seq, int event, u32 flags,
524 int family, const struct nft_table *table)
526 struct nlmsghdr *nlh;
527 struct nfgenmsg *nfmsg;
529 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
530 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
532 goto nla_put_failure;
534 nfmsg = nlmsg_data(nlh);
535 nfmsg->nfgen_family = family;
536 nfmsg->version = NFNETLINK_V0;
537 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
539 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
540 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
541 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
542 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
544 goto nla_put_failure;
550 nlmsg_trim(skb, nlh);
554 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
560 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
563 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
567 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
568 event, 0, ctx->family, ctx->table);
574 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
575 ctx->report, GFP_KERNEL);
578 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
581 static int nf_tables_dump_tables(struct sk_buff *skb,
582 struct netlink_callback *cb)
584 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
585 const struct nft_table *table;
586 unsigned int idx = 0, s_idx = cb->args[0];
587 struct net *net = sock_net(skb->sk);
588 int family = nfmsg->nfgen_family;
591 cb->seq = net->nft.base_seq;
593 list_for_each_entry_rcu(table, &net->nft.tables, list) {
594 if (family != NFPROTO_UNSPEC && family != table->family)
600 memset(&cb->args[1], 0,
601 sizeof(cb->args) - sizeof(cb->args[0]));
602 if (!nft_is_active(net, table))
604 if (nf_tables_fill_table_info(skb, net,
605 NETLINK_CB(cb->skb).portid,
607 NFT_MSG_NEWTABLE, NLM_F_MULTI,
608 table->family, table) < 0)
611 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
621 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
622 struct sk_buff *skb, const struct nlmsghdr *nlh,
623 const struct nlattr * const nla[],
624 struct netlink_ext_ack *extack)
626 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
627 u8 genmask = nft_genmask_cur(net);
628 const struct nft_table *table;
629 struct sk_buff *skb2;
630 int family = nfmsg->nfgen_family;
633 if (nlh->nlmsg_flags & NLM_F_DUMP) {
634 struct netlink_dump_control c = {
635 .dump = nf_tables_dump_tables,
637 return netlink_dump_start(nlsk, skb, nlh, &c);
640 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family,
643 return PTR_ERR(table);
645 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
649 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
650 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
655 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
662 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
664 struct nft_chain *chain;
667 list_for_each_entry(chain, &table->chains, list) {
668 if (!nft_is_active_next(net, chain))
670 if (!nft_is_base_chain(chain))
673 if (cnt && i++ == cnt)
676 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
680 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
682 struct nft_chain *chain;
685 list_for_each_entry(chain, &table->chains, list) {
686 if (!nft_is_active_next(net, chain))
688 if (!nft_is_base_chain(chain))
691 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
700 nft_table_disable(net, table, i);
704 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
706 nft_table_disable(net, table, 0);
709 static int nf_tables_updtable(struct nft_ctx *ctx)
711 struct nft_trans *trans;
715 if (!ctx->nla[NFTA_TABLE_FLAGS])
718 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
719 if (flags & ~NFT_TABLE_F_DORMANT)
722 if (flags == ctx->table->flags)
725 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
726 sizeof(struct nft_trans_table));
730 if ((flags & NFT_TABLE_F_DORMANT) &&
731 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
732 nft_trans_table_enable(trans) = false;
733 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
734 ctx->table->flags & NFT_TABLE_F_DORMANT) {
735 ret = nf_tables_table_enable(ctx->net, ctx->table);
737 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
738 nft_trans_table_enable(trans) = true;
744 nft_trans_table_update(trans) = true;
745 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
748 nft_trans_destroy(trans);
752 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
753 struct sk_buff *skb, const struct nlmsghdr *nlh,
754 const struct nlattr * const nla[],
755 struct netlink_ext_ack *extack)
757 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
758 u8 genmask = nft_genmask_next(net);
759 const struct nlattr *name;
760 struct nft_table *table;
761 int family = nfmsg->nfgen_family;
766 name = nla[NFTA_TABLE_NAME];
767 table = nf_tables_table_lookup(net, name, family, genmask);
769 if (PTR_ERR(table) != -ENOENT)
770 return PTR_ERR(table);
772 if (nlh->nlmsg_flags & NLM_F_EXCL)
774 if (nlh->nlmsg_flags & NLM_F_REPLACE)
777 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
778 return nf_tables_updtable(&ctx);
781 if (nla[NFTA_TABLE_FLAGS]) {
782 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
783 if (flags & ~NFT_TABLE_F_DORMANT)
788 table = kzalloc(sizeof(*table), GFP_KERNEL);
792 table->name = nla_strdup(name, GFP_KERNEL);
793 if (table->name == NULL)
796 INIT_LIST_HEAD(&table->chains);
797 INIT_LIST_HEAD(&table->sets);
798 INIT_LIST_HEAD(&table->objects);
799 INIT_LIST_HEAD(&table->flowtables);
800 table->family = family;
801 table->flags = flags;
802 table->handle = ++table_handle;
804 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
805 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
809 list_add_tail_rcu(&table->list, &net->nft.tables);
819 static int nft_flush_table(struct nft_ctx *ctx)
821 struct nft_flowtable *flowtable, *nft;
822 struct nft_chain *chain, *nc;
823 struct nft_object *obj, *ne;
824 struct nft_set *set, *ns;
827 list_for_each_entry(chain, &ctx->table->chains, list) {
828 if (!nft_is_active_next(ctx->net, chain))
833 err = nft_delrule_by_chain(ctx);
838 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
839 if (!nft_is_active_next(ctx->net, set))
842 if (nft_set_is_anonymous(set) &&
843 !list_empty(&set->bindings))
846 err = nft_delset(ctx, set);
851 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
852 err = nft_delflowtable(ctx, flowtable);
857 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
858 err = nft_delobj(ctx, obj);
863 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
864 if (!nft_is_active_next(ctx->net, chain))
869 err = nft_delchain(ctx);
874 err = nft_deltable(ctx);
879 static int nft_flush(struct nft_ctx *ctx, int family)
881 struct nft_table *table, *nt;
882 const struct nlattr * const *nla = ctx->nla;
885 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
886 if (family != AF_UNSPEC && table->family != family)
889 ctx->family = table->family;
891 if (!nft_is_active_next(ctx->net, table))
894 if (nla[NFTA_TABLE_NAME] &&
895 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
900 err = nft_flush_table(ctx);
908 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
909 struct sk_buff *skb, const struct nlmsghdr *nlh,
910 const struct nlattr * const nla[],
911 struct netlink_ext_ack *extack)
913 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
914 u8 genmask = nft_genmask_next(net);
915 struct nft_table *table;
916 int family = nfmsg->nfgen_family;
919 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
920 if (family == AF_UNSPEC ||
921 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
922 return nft_flush(&ctx, family);
924 if (nla[NFTA_TABLE_HANDLE])
925 table = nf_tables_table_lookup_byhandle(net,
926 nla[NFTA_TABLE_HANDLE],
929 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME],
933 return PTR_ERR(table);
935 if (nlh->nlmsg_flags & NLM_F_NONREC &&
942 return nft_flush_table(&ctx);
945 static void nf_tables_table_destroy(struct nft_ctx *ctx)
947 BUG_ON(ctx->table->use > 0);
949 kfree(ctx->table->name);
953 void nft_register_chain_type(const struct nft_chain_type *ctype)
955 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
958 nfnl_lock(NFNL_SUBSYS_NFTABLES);
959 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
960 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
963 chain_type[ctype->family][ctype->type] = ctype;
964 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
966 EXPORT_SYMBOL_GPL(nft_register_chain_type);
968 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
970 nfnl_lock(NFNL_SUBSYS_NFTABLES);
971 chain_type[ctype->family][ctype->type] = NULL;
972 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
974 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
980 static struct nft_chain *
981 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
984 struct nft_chain *chain;
986 list_for_each_entry(chain, &table->chains, list) {
987 if (chain->handle == handle &&
988 nft_active_genmask(chain, genmask))
992 return ERR_PTR(-ENOENT);
995 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
996 const struct nlattr *nla,
999 struct nft_chain *chain;
1002 return ERR_PTR(-EINVAL);
1004 list_for_each_entry(chain, &table->chains, list) {
1005 if (!nla_strcmp(nla, chain->name) &&
1006 nft_active_genmask(chain, genmask))
1010 return ERR_PTR(-ENOENT);
1013 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1014 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1015 .len = NFT_TABLE_MAXNAMELEN - 1 },
1016 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1017 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1018 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1019 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1020 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1021 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1022 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1025 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1026 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1027 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1028 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1029 .len = IFNAMSIZ - 1 },
1032 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1034 struct nft_stats *cpu_stats, total;
1035 struct nlattr *nest;
1040 memset(&total, 0, sizeof(total));
1041 for_each_possible_cpu(cpu) {
1042 cpu_stats = per_cpu_ptr(stats, cpu);
1044 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1045 pkts = cpu_stats->pkts;
1046 bytes = cpu_stats->bytes;
1047 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1049 total.bytes += bytes;
1051 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1053 goto nla_put_failure;
1055 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1056 NFTA_COUNTER_PAD) ||
1057 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1059 goto nla_put_failure;
1061 nla_nest_end(skb, nest);
1068 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1069 u32 portid, u32 seq, int event, u32 flags,
1070 int family, const struct nft_table *table,
1071 const struct nft_chain *chain)
1073 struct nlmsghdr *nlh;
1074 struct nfgenmsg *nfmsg;
1076 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1077 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1079 goto nla_put_failure;
1081 nfmsg = nlmsg_data(nlh);
1082 nfmsg->nfgen_family = family;
1083 nfmsg->version = NFNETLINK_V0;
1084 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1086 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1087 goto nla_put_failure;
1088 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1090 goto nla_put_failure;
1091 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1092 goto nla_put_failure;
1094 if (nft_is_base_chain(chain)) {
1095 const struct nft_base_chain *basechain = nft_base_chain(chain);
1096 const struct nf_hook_ops *ops = &basechain->ops;
1097 struct nlattr *nest;
1099 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1101 goto nla_put_failure;
1102 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1103 goto nla_put_failure;
1104 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1105 goto nla_put_failure;
1106 if (basechain->dev_name[0] &&
1107 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1108 goto nla_put_failure;
1109 nla_nest_end(skb, nest);
1111 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1112 htonl(basechain->policy)))
1113 goto nla_put_failure;
1115 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1116 goto nla_put_failure;
1118 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1119 goto nla_put_failure;
1122 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1123 goto nla_put_failure;
1125 nlmsg_end(skb, nlh);
1129 nlmsg_trim(skb, nlh);
1133 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1135 struct sk_buff *skb;
1139 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1142 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1146 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1147 event, 0, ctx->family, ctx->table,
1154 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1155 ctx->report, GFP_KERNEL);
1158 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1161 static int nf_tables_dump_chains(struct sk_buff *skb,
1162 struct netlink_callback *cb)
1164 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1165 const struct nft_table *table;
1166 const struct nft_chain *chain;
1167 unsigned int idx = 0, s_idx = cb->args[0];
1168 struct net *net = sock_net(skb->sk);
1169 int family = nfmsg->nfgen_family;
1172 cb->seq = net->nft.base_seq;
1174 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1175 if (family != NFPROTO_UNSPEC && family != table->family)
1178 list_for_each_entry_rcu(chain, &table->chains, list) {
1182 memset(&cb->args[1], 0,
1183 sizeof(cb->args) - sizeof(cb->args[0]));
1184 if (!nft_is_active(net, chain))
1186 if (nf_tables_fill_chain_info(skb, net,
1187 NETLINK_CB(cb->skb).portid,
1191 table->family, table,
1195 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1206 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1207 struct sk_buff *skb, const struct nlmsghdr *nlh,
1208 const struct nlattr * const nla[],
1209 struct netlink_ext_ack *extack)
1211 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1212 u8 genmask = nft_genmask_cur(net);
1213 const struct nft_table *table;
1214 const struct nft_chain *chain;
1215 struct sk_buff *skb2;
1216 int family = nfmsg->nfgen_family;
1219 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1220 struct netlink_dump_control c = {
1221 .dump = nf_tables_dump_chains,
1223 return netlink_dump_start(nlsk, skb, nlh, &c);
1226 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1229 return PTR_ERR(table);
1231 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1233 return PTR_ERR(chain);
1235 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1239 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1240 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1241 family, table, chain);
1245 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1252 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1253 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1254 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1257 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1259 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1260 struct nft_stats __percpu *newstats;
1261 struct nft_stats *stats;
1264 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1267 return ERR_PTR(err);
1269 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1270 return ERR_PTR(-EINVAL);
1272 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1273 if (newstats == NULL)
1274 return ERR_PTR(-ENOMEM);
1276 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1277 * are not exposed to userspace.
1280 stats = this_cpu_ptr(newstats);
1281 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1282 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1288 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1289 struct nft_stats __percpu *newstats)
1291 struct nft_stats __percpu *oldstats;
1293 if (newstats == NULL)
1297 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1298 rcu_assign_pointer(chain->stats, newstats);
1300 free_percpu(oldstats);
1302 rcu_assign_pointer(chain->stats, newstats);
1305 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1307 struct nft_chain *chain = ctx->chain;
1309 BUG_ON(chain->use > 0);
1311 if (nft_is_base_chain(chain)) {
1312 struct nft_base_chain *basechain = nft_base_chain(chain);
1314 if (basechain->type->free)
1315 basechain->type->free(ctx);
1316 module_put(basechain->type->owner);
1317 free_percpu(basechain->stats);
1318 if (basechain->stats)
1319 static_branch_dec(&nft_counters_enabled);
1328 struct nft_chain_hook {
1331 const struct nft_chain_type *type;
1332 struct net_device *dev;
1335 static int nft_chain_parse_hook(struct net *net,
1336 const struct nlattr * const nla[],
1337 struct nft_chain_hook *hook, u8 family,
1340 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1341 const struct nft_chain_type *type;
1342 struct net_device *dev;
1345 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1346 nft_hook_policy, NULL);
1350 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1351 ha[NFTA_HOOK_PRIORITY] == NULL)
1354 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1355 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1357 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1358 if (nla[NFTA_CHAIN_TYPE]) {
1359 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1362 return PTR_ERR(type);
1364 if (!(type->hook_mask & (1 << hook->num)))
1367 if (type->type == NFT_CHAIN_T_NAT &&
1368 hook->priority <= NF_IP_PRI_CONNTRACK)
1371 if (!try_module_get(type->owner))
1377 if (family == NFPROTO_NETDEV) {
1378 char ifname[IFNAMSIZ];
1380 if (!ha[NFTA_HOOK_DEV]) {
1381 module_put(type->owner);
1385 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1386 dev = __dev_get_by_name(net, ifname);
1388 module_put(type->owner);
1392 } else if (ha[NFTA_HOOK_DEV]) {
1393 module_put(type->owner);
1400 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1402 module_put(hook->type->owner);
1405 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1406 u8 policy, bool create)
1408 const struct nlattr * const *nla = ctx->nla;
1409 struct nft_table *table = ctx->table;
1410 struct nft_base_chain *basechain;
1411 struct nft_stats __percpu *stats;
1412 struct net *net = ctx->net;
1413 struct nft_chain *chain;
1416 if (table->use == UINT_MAX)
1419 if (nla[NFTA_CHAIN_HOOK]) {
1420 struct nft_chain_hook hook;
1421 struct nf_hook_ops *ops;
1423 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1427 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1428 if (basechain == NULL) {
1429 nft_chain_release_hook(&hook);
1433 if (hook.dev != NULL)
1434 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1436 if (nla[NFTA_CHAIN_COUNTERS]) {
1437 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1438 if (IS_ERR(stats)) {
1439 nft_chain_release_hook(&hook);
1441 return PTR_ERR(stats);
1443 basechain->stats = stats;
1444 static_branch_inc(&nft_counters_enabled);
1447 basechain->type = hook.type;
1448 if (basechain->type->init)
1449 basechain->type->init(ctx);
1451 chain = &basechain->chain;
1453 ops = &basechain->ops;
1455 ops->hooknum = hook.num;
1456 ops->priority = hook.priority;
1458 ops->hook = hook.type->hooks[ops->hooknum];
1459 ops->dev = hook.dev;
1461 if (basechain->type->type == NFT_CHAIN_T_NAT)
1462 ops->nat_hook = true;
1464 chain->flags |= NFT_BASE_CHAIN;
1465 basechain->policy = policy;
1467 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1473 INIT_LIST_HEAD(&chain->rules);
1474 chain->handle = nf_tables_alloc_handle(table);
1475 chain->table = table;
1476 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1482 err = nf_tables_register_hook(net, table, chain);
1486 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1491 list_add_tail_rcu(&chain->list, &table->chains);
1495 nf_tables_unregister_hook(net, table, chain);
1497 nf_tables_chain_destroy(ctx);
1502 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1505 const struct nlattr * const *nla = ctx->nla;
1506 struct nft_table *table = ctx->table;
1507 struct nft_chain *chain = ctx->chain;
1508 struct nft_base_chain *basechain;
1509 struct nft_stats *stats = NULL;
1510 struct nft_chain_hook hook;
1511 const struct nlattr *name;
1512 struct nf_hook_ops *ops;
1513 struct nft_trans *trans;
1516 if (nla[NFTA_CHAIN_HOOK]) {
1517 if (!nft_is_base_chain(chain))
1520 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1525 basechain = nft_base_chain(chain);
1526 if (basechain->type != hook.type) {
1527 nft_chain_release_hook(&hook);
1531 ops = &basechain->ops;
1532 if (ops->hooknum != hook.num ||
1533 ops->priority != hook.priority ||
1534 ops->dev != hook.dev) {
1535 nft_chain_release_hook(&hook);
1538 nft_chain_release_hook(&hook);
1541 if (nla[NFTA_CHAIN_HANDLE] &&
1542 nla[NFTA_CHAIN_NAME]) {
1543 struct nft_chain *chain2;
1545 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1547 if (!IS_ERR(chain2))
1551 if (nla[NFTA_CHAIN_COUNTERS]) {
1552 if (!nft_is_base_chain(chain))
1555 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1557 return PTR_ERR(stats);
1560 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1561 sizeof(struct nft_trans_chain));
1562 if (trans == NULL) {
1567 nft_trans_chain_stats(trans) = stats;
1568 nft_trans_chain_update(trans) = true;
1570 if (nla[NFTA_CHAIN_POLICY])
1571 nft_trans_chain_policy(trans) = policy;
1573 nft_trans_chain_policy(trans) = -1;
1575 name = nla[NFTA_CHAIN_NAME];
1576 if (nla[NFTA_CHAIN_HANDLE] && name) {
1577 nft_trans_chain_name(trans) =
1578 nla_strdup(name, GFP_KERNEL);
1579 if (!nft_trans_chain_name(trans)) {
1585 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1590 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1591 struct sk_buff *skb, const struct nlmsghdr *nlh,
1592 const struct nlattr * const nla[],
1593 struct netlink_ext_ack *extack)
1595 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1596 const struct nlattr * uninitialized_var(name);
1597 u8 genmask = nft_genmask_next(net);
1598 int family = nfmsg->nfgen_family;
1599 struct nft_table *table;
1600 struct nft_chain *chain;
1601 u8 policy = NF_ACCEPT;
1606 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1608 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1611 return PTR_ERR(table);
1614 name = nla[NFTA_CHAIN_NAME];
1616 if (nla[NFTA_CHAIN_HANDLE]) {
1617 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1618 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1620 return PTR_ERR(chain);
1622 chain = nf_tables_chain_lookup(table, name, genmask);
1623 if (IS_ERR(chain)) {
1624 if (PTR_ERR(chain) != -ENOENT)
1625 return PTR_ERR(chain);
1630 if (nla[NFTA_CHAIN_POLICY]) {
1631 if (chain != NULL &&
1632 !nft_is_base_chain(chain))
1635 if (chain == NULL &&
1636 nla[NFTA_CHAIN_HOOK] == NULL)
1639 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1649 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1651 if (chain != NULL) {
1652 if (nlh->nlmsg_flags & NLM_F_EXCL)
1654 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1657 return nf_tables_updchain(&ctx, genmask, policy, create);
1660 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1663 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1664 struct sk_buff *skb, const struct nlmsghdr *nlh,
1665 const struct nlattr * const nla[],
1666 struct netlink_ext_ack *extack)
1668 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1669 u8 genmask = nft_genmask_next(net);
1670 struct nft_table *table;
1671 struct nft_chain *chain;
1672 struct nft_rule *rule;
1673 int family = nfmsg->nfgen_family;
1679 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1682 return PTR_ERR(table);
1684 if (nla[NFTA_CHAIN_HANDLE]) {
1685 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1686 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1688 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1691 return PTR_ERR(chain);
1693 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1697 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1700 list_for_each_entry(rule, &chain->rules, list) {
1701 if (!nft_is_active_next(net, rule))
1705 err = nft_delrule(&ctx, rule);
1710 /* There are rules and elements that are still holding references to us,
1711 * we cannot do a recursive removal in this case.
1716 return nft_delchain(&ctx);
1724 * nft_register_expr - register nf_tables expr type
1727 * Registers the expr type for use with nf_tables. Returns zero on
1728 * success or a negative errno code otherwise.
1730 int nft_register_expr(struct nft_expr_type *type)
1732 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1733 if (type->family == NFPROTO_UNSPEC)
1734 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1736 list_add_rcu(&type->list, &nf_tables_expressions);
1737 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1740 EXPORT_SYMBOL_GPL(nft_register_expr);
1743 * nft_unregister_expr - unregister nf_tables expr type
1746 * Unregisters the expr typefor use with nf_tables.
1748 void nft_unregister_expr(struct nft_expr_type *type)
1750 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1751 list_del_rcu(&type->list);
1752 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1754 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1756 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1759 const struct nft_expr_type *type;
1761 list_for_each_entry(type, &nf_tables_expressions, list) {
1762 if (!nla_strcmp(nla, type->name) &&
1763 (!type->family || type->family == family))
1769 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1772 const struct nft_expr_type *type;
1775 return ERR_PTR(-EINVAL);
1777 type = __nft_expr_type_get(family, nla);
1778 if (type != NULL && try_module_get(type->owner))
1781 #ifdef CONFIG_MODULES
1783 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1784 request_module("nft-expr-%u-%.*s", family,
1785 nla_len(nla), (char *)nla_data(nla));
1786 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1787 if (__nft_expr_type_get(family, nla))
1788 return ERR_PTR(-EAGAIN);
1790 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1791 request_module("nft-expr-%.*s",
1792 nla_len(nla), (char *)nla_data(nla));
1793 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1794 if (__nft_expr_type_get(family, nla))
1795 return ERR_PTR(-EAGAIN);
1798 return ERR_PTR(-ENOENT);
1801 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1802 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1803 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1806 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1807 const struct nft_expr *expr)
1809 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1810 goto nla_put_failure;
1812 if (expr->ops->dump) {
1813 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1815 goto nla_put_failure;
1816 if (expr->ops->dump(skb, expr) < 0)
1817 goto nla_put_failure;
1818 nla_nest_end(skb, data);
1827 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1828 const struct nft_expr *expr)
1830 struct nlattr *nest;
1832 nest = nla_nest_start(skb, attr);
1834 goto nla_put_failure;
1835 if (nf_tables_fill_expr_info(skb, expr) < 0)
1836 goto nla_put_failure;
1837 nla_nest_end(skb, nest);
1844 struct nft_expr_info {
1845 const struct nft_expr_ops *ops;
1846 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1849 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1850 const struct nlattr *nla,
1851 struct nft_expr_info *info)
1853 const struct nft_expr_type *type;
1854 const struct nft_expr_ops *ops;
1855 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1858 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1862 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1864 return PTR_ERR(type);
1866 if (tb[NFTA_EXPR_DATA]) {
1867 err = nla_parse_nested(info->tb, type->maxattr,
1868 tb[NFTA_EXPR_DATA], type->policy, NULL);
1872 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1874 if (type->select_ops != NULL) {
1875 ops = type->select_ops(ctx,
1876 (const struct nlattr * const *)info->tb);
1888 module_put(type->owner);
1892 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1893 const struct nft_expr_info *info,
1894 struct nft_expr *expr)
1896 const struct nft_expr_ops *ops = info->ops;
1901 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1906 if (ops->validate) {
1907 const struct nft_data *data = NULL;
1909 err = ops->validate(ctx, expr, &data);
1918 ops->destroy(ctx, expr);
1924 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1925 struct nft_expr *expr)
1927 if (expr->ops->destroy)
1928 expr->ops->destroy(ctx, expr);
1929 module_put(expr->ops->type->owner);
1932 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1933 const struct nlattr *nla)
1935 struct nft_expr_info info;
1936 struct nft_expr *expr;
1939 err = nf_tables_expr_parse(ctx, nla, &info);
1944 expr = kzalloc(info.ops->size, GFP_KERNEL);
1948 err = nf_tables_newexpr(ctx, &info, expr);
1956 module_put(info.ops->type->owner);
1958 return ERR_PTR(err);
1961 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1963 nf_tables_expr_destroy(ctx, expr);
1971 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1974 struct nft_rule *rule;
1976 // FIXME: this sucks
1977 list_for_each_entry(rule, &chain->rules, list) {
1978 if (handle == rule->handle)
1982 return ERR_PTR(-ENOENT);
1985 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1986 const struct nlattr *nla)
1989 return ERR_PTR(-EINVAL);
1991 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1994 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1995 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1996 .len = NFT_TABLE_MAXNAMELEN - 1 },
1997 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1998 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1999 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2000 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2001 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2002 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2003 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2004 .len = NFT_USERDATA_MAXLEN },
2005 [NFTA_RULE_ID] = { .type = NLA_U32 },
2008 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2009 u32 portid, u32 seq, int event,
2010 u32 flags, int family,
2011 const struct nft_table *table,
2012 const struct nft_chain *chain,
2013 const struct nft_rule *rule)
2015 struct nlmsghdr *nlh;
2016 struct nfgenmsg *nfmsg;
2017 const struct nft_expr *expr, *next;
2018 struct nlattr *list;
2019 const struct nft_rule *prule;
2020 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2022 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2024 goto nla_put_failure;
2026 nfmsg = nlmsg_data(nlh);
2027 nfmsg->nfgen_family = family;
2028 nfmsg->version = NFNETLINK_V0;
2029 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2031 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2032 goto nla_put_failure;
2033 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2034 goto nla_put_failure;
2035 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2037 goto nla_put_failure;
2039 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2040 prule = list_prev_entry(rule, list);
2041 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2042 cpu_to_be64(prule->handle),
2044 goto nla_put_failure;
2047 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2049 goto nla_put_failure;
2050 nft_rule_for_each_expr(expr, next, rule) {
2051 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2052 goto nla_put_failure;
2054 nla_nest_end(skb, list);
2057 struct nft_userdata *udata = nft_userdata(rule);
2058 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2060 goto nla_put_failure;
2063 nlmsg_end(skb, nlh);
2067 nlmsg_trim(skb, nlh);
2071 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2072 const struct nft_rule *rule, int event)
2074 struct sk_buff *skb;
2078 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2081 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2085 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2086 event, 0, ctx->family, ctx->table,
2093 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2094 ctx->report, GFP_KERNEL);
2097 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2100 struct nft_rule_dump_ctx {
2105 static int nf_tables_dump_rules(struct sk_buff *skb,
2106 struct netlink_callback *cb)
2108 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2109 const struct nft_rule_dump_ctx *ctx = cb->data;
2110 const struct nft_table *table;
2111 const struct nft_chain *chain;
2112 const struct nft_rule *rule;
2113 unsigned int idx = 0, s_idx = cb->args[0];
2114 struct net *net = sock_net(skb->sk);
2115 int family = nfmsg->nfgen_family;
2118 cb->seq = net->nft.base_seq;
2120 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2121 if (family != NFPROTO_UNSPEC && family != table->family)
2124 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2127 list_for_each_entry_rcu(chain, &table->chains, list) {
2128 if (ctx && ctx->chain &&
2129 strcmp(ctx->chain, chain->name) != 0)
2132 list_for_each_entry_rcu(rule, &chain->rules, list) {
2133 if (!nft_is_active(net, rule))
2138 memset(&cb->args[1], 0,
2139 sizeof(cb->args) - sizeof(cb->args[0]));
2140 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2143 NLM_F_MULTI | NLM_F_APPEND,
2145 table, chain, rule) < 0)
2148 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2161 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2163 struct nft_rule_dump_ctx *ctx = cb->data;
2173 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2174 struct sk_buff *skb, const struct nlmsghdr *nlh,
2175 const struct nlattr * const nla[],
2176 struct netlink_ext_ack *extack)
2178 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2179 u8 genmask = nft_genmask_cur(net);
2180 const struct nft_table *table;
2181 const struct nft_chain *chain;
2182 const struct nft_rule *rule;
2183 struct sk_buff *skb2;
2184 int family = nfmsg->nfgen_family;
2187 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2188 struct netlink_dump_control c = {
2189 .dump = nf_tables_dump_rules,
2190 .done = nf_tables_dump_rules_done,
2193 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2194 struct nft_rule_dump_ctx *ctx;
2196 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2200 if (nla[NFTA_RULE_TABLE]) {
2201 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2208 if (nla[NFTA_RULE_CHAIN]) {
2209 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2220 return netlink_dump_start(nlsk, skb, nlh, &c);
2223 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2226 return PTR_ERR(table);
2228 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2230 return PTR_ERR(chain);
2232 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2234 return PTR_ERR(rule);
2236 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2240 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2241 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2242 family, table, chain, rule);
2246 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2253 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2254 struct nft_rule *rule)
2256 struct nft_expr *expr;
2259 * Careful: some expressions might not be initialized in case this
2260 * is called on error from nf_tables_newrule().
2262 expr = nft_expr_first(rule);
2263 while (expr != nft_expr_last(rule) && expr->ops) {
2264 nf_tables_expr_destroy(ctx, expr);
2265 expr = nft_expr_next(expr);
2270 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2271 struct nft_rule *rule)
2273 nft_rule_expr_deactivate(ctx, rule);
2274 nf_tables_rule_destroy(ctx, rule);
2277 #define NFT_RULE_MAXEXPRS 128
2279 static struct nft_expr_info *info;
2281 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2282 struct sk_buff *skb, const struct nlmsghdr *nlh,
2283 const struct nlattr * const nla[],
2284 struct netlink_ext_ack *extack)
2286 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2287 u8 genmask = nft_genmask_next(net);
2288 int family = nfmsg->nfgen_family;
2289 struct nft_table *table;
2290 struct nft_chain *chain;
2291 struct nft_rule *rule, *old_rule = NULL;
2292 struct nft_userdata *udata;
2293 struct nft_trans *trans = NULL;
2294 struct nft_expr *expr;
2297 unsigned int size, i, n, ulen = 0, usize = 0;
2300 u64 handle, pos_handle;
2302 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2304 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2307 return PTR_ERR(table);
2309 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2311 return PTR_ERR(chain);
2313 if (nla[NFTA_RULE_HANDLE]) {
2314 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2315 rule = __nf_tables_rule_lookup(chain, handle);
2317 return PTR_ERR(rule);
2319 if (nlh->nlmsg_flags & NLM_F_EXCL)
2321 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2326 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2328 handle = nf_tables_alloc_handle(table);
2330 if (chain->use == UINT_MAX)
2334 if (nla[NFTA_RULE_POSITION]) {
2335 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2338 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2339 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2340 if (IS_ERR(old_rule))
2341 return PTR_ERR(old_rule);
2344 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2348 if (nla[NFTA_RULE_EXPRESSIONS]) {
2349 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2351 if (nla_type(tmp) != NFTA_LIST_ELEM)
2353 if (n == NFT_RULE_MAXEXPRS)
2355 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2358 size += info[n].ops->size;
2362 /* Check for overflow of dlen field */
2364 if (size >= 1 << 12)
2367 if (nla[NFTA_RULE_USERDATA]) {
2368 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2370 usize = sizeof(struct nft_userdata) + ulen;
2374 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2378 nft_activate_next(net, rule);
2380 rule->handle = handle;
2382 rule->udata = ulen ? 1 : 0;
2385 udata = nft_userdata(rule);
2386 udata->len = ulen - 1;
2387 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2390 expr = nft_expr_first(rule);
2391 for (i = 0; i < n; i++) {
2392 err = nf_tables_newexpr(&ctx, &info[i], expr);
2396 expr = nft_expr_next(expr);
2399 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2400 if (!nft_is_active_next(net, old_rule)) {
2404 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2406 if (trans == NULL) {
2410 nft_deactivate_next(net, old_rule);
2413 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2418 list_add_tail_rcu(&rule->list, &old_rule->list);
2420 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2425 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2427 list_add_rcu(&rule->list, &old_rule->list);
2429 list_add_tail_rcu(&rule->list, &chain->rules);
2432 list_add_tail_rcu(&rule->list, &old_rule->list);
2434 list_add_rcu(&rule->list, &chain->rules);
2441 nf_tables_rule_release(&ctx, rule);
2443 for (i = 0; i < n; i++) {
2444 if (info[i].ops != NULL)
2445 module_put(info[i].ops->type->owner);
2450 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2451 const struct nlattr *nla)
2453 u32 id = ntohl(nla_get_be32(nla));
2454 struct nft_trans *trans;
2456 list_for_each_entry(trans, &net->nft.commit_list, list) {
2457 struct nft_rule *rule = nft_trans_rule(trans);
2459 if (trans->msg_type == NFT_MSG_NEWRULE &&
2460 id == nft_trans_rule_id(trans))
2463 return ERR_PTR(-ENOENT);
2466 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2467 struct sk_buff *skb, const struct nlmsghdr *nlh,
2468 const struct nlattr * const nla[],
2469 struct netlink_ext_ack *extack)
2471 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2472 u8 genmask = nft_genmask_next(net);
2473 struct nft_table *table;
2474 struct nft_chain *chain = NULL;
2475 struct nft_rule *rule;
2476 int family = nfmsg->nfgen_family, err = 0;
2479 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2482 return PTR_ERR(table);
2484 if (nla[NFTA_RULE_CHAIN]) {
2485 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2488 return PTR_ERR(chain);
2491 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2494 if (nla[NFTA_RULE_HANDLE]) {
2495 rule = nf_tables_rule_lookup(chain,
2496 nla[NFTA_RULE_HANDLE]);
2498 return PTR_ERR(rule);
2500 err = nft_delrule(&ctx, rule);
2501 } else if (nla[NFTA_RULE_ID]) {
2502 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2504 return PTR_ERR(rule);
2506 err = nft_delrule(&ctx, rule);
2508 err = nft_delrule_by_chain(&ctx);
2511 list_for_each_entry(chain, &table->chains, list) {
2512 if (!nft_is_active_next(net, chain))
2516 err = nft_delrule_by_chain(&ctx);
2529 static LIST_HEAD(nf_tables_set_types);
2531 int nft_register_set(struct nft_set_type *type)
2533 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2534 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2535 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2538 EXPORT_SYMBOL_GPL(nft_register_set);
2540 void nft_unregister_set(struct nft_set_type *type)
2542 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2543 list_del_rcu(&type->list);
2544 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2546 EXPORT_SYMBOL_GPL(nft_unregister_set);
2548 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2549 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2551 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2553 if ((flags & NFT_SET_EVAL) && !ops->update)
2556 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2560 * Select a set implementation based on the data characteristics and the
2561 * given policy. The total memory use might not be known if no size is
2562 * given, in that case the amount of memory per element is used.
2564 static const struct nft_set_ops *
2565 nft_select_set_ops(const struct nft_ctx *ctx,
2566 const struct nlattr * const nla[],
2567 const struct nft_set_desc *desc,
2568 enum nft_set_policies policy)
2570 const struct nft_set_ops *ops, *bops;
2571 struct nft_set_estimate est, best;
2572 const struct nft_set_type *type;
2575 #ifdef CONFIG_MODULES
2576 if (list_empty(&nf_tables_set_types)) {
2577 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2578 request_module("nft-set");
2579 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2580 if (!list_empty(&nf_tables_set_types))
2581 return ERR_PTR(-EAGAIN);
2584 if (nla[NFTA_SET_FLAGS] != NULL)
2585 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2592 list_for_each_entry(type, &nf_tables_set_types, list) {
2593 if (!type->select_ops)
2596 ops = type->select_ops(ctx, desc, flags);
2600 if (!nft_set_ops_candidate(ops, flags))
2602 if (!ops->estimate(desc, flags, &est))
2606 case NFT_SET_POL_PERFORMANCE:
2607 if (est.lookup < best.lookup)
2609 if (est.lookup == best.lookup &&
2610 est.space < best.space)
2613 case NFT_SET_POL_MEMORY:
2615 if (est.space < best.space)
2617 if (est.space == best.space &&
2618 est.lookup < best.lookup)
2620 } else if (est.size < best.size || !bops) {
2628 if (!try_module_get(type->owner))
2631 module_put(bops->type->owner);
2640 return ERR_PTR(-EOPNOTSUPP);
2643 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2644 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2645 .len = NFT_TABLE_MAXNAMELEN - 1 },
2646 [NFTA_SET_NAME] = { .type = NLA_STRING,
2647 .len = NFT_SET_MAXNAMELEN - 1 },
2648 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2649 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2650 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2651 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2652 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2653 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2654 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2655 [NFTA_SET_ID] = { .type = NLA_U32 },
2656 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2657 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2658 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2659 .len = NFT_USERDATA_MAXLEN },
2660 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2661 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2664 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2665 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2668 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2669 const struct sk_buff *skb,
2670 const struct nlmsghdr *nlh,
2671 const struct nlattr * const nla[],
2674 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2675 int family = nfmsg->nfgen_family;
2676 struct nft_table *table = NULL;
2678 if (nla[NFTA_SET_TABLE] != NULL) {
2679 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
2682 return PTR_ERR(table);
2685 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2689 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2690 const struct nlattr *nla, u8 genmask)
2692 struct nft_set *set;
2695 return ERR_PTR(-EINVAL);
2697 list_for_each_entry(set, &table->sets, list) {
2698 if (!nla_strcmp(nla, set->name) &&
2699 nft_active_genmask(set, genmask))
2702 return ERR_PTR(-ENOENT);
2705 static struct nft_set *nf_tables_set_lookup_byhandle(const struct nft_table *table,
2706 const struct nlattr *nla, u8 genmask)
2708 struct nft_set *set;
2711 return ERR_PTR(-EINVAL);
2713 list_for_each_entry(set, &table->sets, list) {
2714 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2715 nft_active_genmask(set, genmask))
2718 return ERR_PTR(-ENOENT);
2721 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2722 const struct nlattr *nla,
2725 struct nft_trans *trans;
2726 u32 id = ntohl(nla_get_be32(nla));
2728 list_for_each_entry(trans, &net->nft.commit_list, list) {
2729 struct nft_set *set = nft_trans_set(trans);
2731 if (trans->msg_type == NFT_MSG_NEWSET &&
2732 id == nft_trans_set_id(trans) &&
2733 nft_active_genmask(set, genmask))
2736 return ERR_PTR(-ENOENT);
2739 struct nft_set *nft_set_lookup_global(const struct net *net,
2740 const struct nft_table *table,
2741 const struct nlattr *nla_set_name,
2742 const struct nlattr *nla_set_id,
2745 struct nft_set *set;
2747 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2752 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2756 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2758 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2761 const struct nft_set *i;
2763 unsigned long *inuse;
2764 unsigned int n = 0, min = 0;
2766 p = strchr(name, '%');
2768 if (p[1] != 'd' || strchr(p + 2, '%'))
2771 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2775 list_for_each_entry(i, &ctx->table->sets, list) {
2778 if (!nft_is_active_next(ctx->net, set))
2780 if (!sscanf(i->name, name, &tmp))
2782 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2785 set_bit(tmp - min, inuse);
2788 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2789 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2790 min += BITS_PER_BYTE * PAGE_SIZE;
2791 memset(inuse, 0, PAGE_SIZE);
2794 free_page((unsigned long)inuse);
2797 set->name = kasprintf(GFP_KERNEL, name, min + n);
2801 list_for_each_entry(i, &ctx->table->sets, list) {
2802 if (!nft_is_active_next(ctx->net, i))
2804 if (!strcmp(set->name, i->name)) {
2812 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2813 const struct nft_set *set, u16 event, u16 flags)
2815 struct nfgenmsg *nfmsg;
2816 struct nlmsghdr *nlh;
2817 struct nlattr *desc;
2818 u32 portid = ctx->portid;
2821 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2822 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2825 goto nla_put_failure;
2827 nfmsg = nlmsg_data(nlh);
2828 nfmsg->nfgen_family = ctx->family;
2829 nfmsg->version = NFNETLINK_V0;
2830 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2832 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2833 goto nla_put_failure;
2834 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2835 goto nla_put_failure;
2836 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2838 goto nla_put_failure;
2839 if (set->flags != 0)
2840 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2841 goto nla_put_failure;
2843 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2844 goto nla_put_failure;
2845 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2846 goto nla_put_failure;
2847 if (set->flags & NFT_SET_MAP) {
2848 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2849 goto nla_put_failure;
2850 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2851 goto nla_put_failure;
2853 if (set->flags & NFT_SET_OBJECT &&
2854 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2855 goto nla_put_failure;
2858 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2859 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2861 goto nla_put_failure;
2863 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2864 goto nla_put_failure;
2866 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2867 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2868 goto nla_put_failure;
2871 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2872 goto nla_put_failure;
2874 desc = nla_nest_start(skb, NFTA_SET_DESC);
2876 goto nla_put_failure;
2878 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2879 goto nla_put_failure;
2880 nla_nest_end(skb, desc);
2882 nlmsg_end(skb, nlh);
2886 nlmsg_trim(skb, nlh);
2890 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2891 const struct nft_set *set, int event,
2894 struct sk_buff *skb;
2895 u32 portid = ctx->portid;
2899 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2902 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2906 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2912 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2916 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2919 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2921 const struct nft_set *set;
2922 unsigned int idx, s_idx = cb->args[0];
2923 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2924 struct net *net = sock_net(skb->sk);
2925 struct nft_ctx *ctx = cb->data, ctx_set;
2931 cb->seq = net->nft.base_seq;
2933 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2934 if (ctx->family != NFPROTO_UNSPEC &&
2935 ctx->family != table->family)
2938 if (ctx->table && ctx->table != table)
2942 if (cur_table != table)
2948 list_for_each_entry_rcu(set, &table->sets, list) {
2951 if (!nft_is_active(net, set))
2955 ctx_set.table = table;
2956 ctx_set.family = table->family;
2958 if (nf_tables_fill_set(skb, &ctx_set, set,
2962 cb->args[2] = (unsigned long) table;
2965 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2978 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2984 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2985 struct sk_buff *skb, const struct nlmsghdr *nlh,
2986 const struct nlattr * const nla[],
2987 struct netlink_ext_ack *extack)
2989 u8 genmask = nft_genmask_cur(net);
2990 const struct nft_set *set;
2992 struct sk_buff *skb2;
2993 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2996 /* Verify existence before starting dump */
2997 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3001 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3002 struct netlink_dump_control c = {
3003 .dump = nf_tables_dump_sets,
3004 .done = nf_tables_dump_sets_done,
3006 struct nft_ctx *ctx_dump;
3008 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3009 if (ctx_dump == NULL)
3015 return netlink_dump_start(nlsk, skb, nlh, &c);
3018 /* Only accept unspec with dump */
3019 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3020 return -EAFNOSUPPORT;
3021 if (!nla[NFTA_SET_TABLE])
3024 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3026 return PTR_ERR(set);
3028 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3032 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3036 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3043 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3044 struct nft_set_desc *desc,
3045 const struct nlattr *nla)
3047 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3050 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3051 nft_set_desc_policy, NULL);
3055 if (da[NFTA_SET_DESC_SIZE] != NULL)
3056 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3061 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3062 struct sk_buff *skb, const struct nlmsghdr *nlh,
3063 const struct nlattr * const nla[],
3064 struct netlink_ext_ack *extack)
3066 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3067 u8 genmask = nft_genmask_next(net);
3068 int family = nfmsg->nfgen_family;
3069 const struct nft_set_ops *ops;
3070 struct nft_table *table;
3071 struct nft_set *set;
3077 u32 ktype, dtype, flags, policy, gc_int, objtype;
3078 struct nft_set_desc desc;
3079 unsigned char *udata;
3083 if (nla[NFTA_SET_TABLE] == NULL ||
3084 nla[NFTA_SET_NAME] == NULL ||
3085 nla[NFTA_SET_KEY_LEN] == NULL ||
3086 nla[NFTA_SET_ID] == NULL)
3089 memset(&desc, 0, sizeof(desc));
3091 ktype = NFT_DATA_VALUE;
3092 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3093 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3094 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3098 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3099 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3103 if (nla[NFTA_SET_FLAGS] != NULL) {
3104 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3105 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3106 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3107 NFT_SET_MAP | NFT_SET_EVAL |
3110 /* Only one of these operations is supported */
3111 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3112 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3117 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3118 if (!(flags & NFT_SET_MAP))
3121 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3122 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3123 dtype != NFT_DATA_VERDICT)
3126 if (dtype != NFT_DATA_VERDICT) {
3127 if (nla[NFTA_SET_DATA_LEN] == NULL)
3129 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3130 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3133 desc.dlen = sizeof(struct nft_verdict);
3134 } else if (flags & NFT_SET_MAP)
3137 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3138 if (!(flags & NFT_SET_OBJECT))
3141 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3142 if (objtype == NFT_OBJECT_UNSPEC ||
3143 objtype > NFT_OBJECT_MAX)
3145 } else if (flags & NFT_SET_OBJECT)
3148 objtype = NFT_OBJECT_UNSPEC;
3151 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3152 if (!(flags & NFT_SET_TIMEOUT))
3154 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3155 nla[NFTA_SET_TIMEOUT])));
3158 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3159 if (!(flags & NFT_SET_TIMEOUT))
3161 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3164 policy = NFT_SET_POL_PERFORMANCE;
3165 if (nla[NFTA_SET_POLICY] != NULL)
3166 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3168 if (nla[NFTA_SET_DESC] != NULL) {
3169 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3174 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3176 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], family,
3179 return PTR_ERR(table);
3181 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3183 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3185 if (PTR_ERR(set) != -ENOENT)
3186 return PTR_ERR(set);
3188 if (nlh->nlmsg_flags & NLM_F_EXCL)
3190 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3195 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3198 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3200 return PTR_ERR(ops);
3203 if (nla[NFTA_SET_USERDATA])
3204 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3207 if (ops->privsize != NULL)
3208 size = ops->privsize(nla, &desc);
3210 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3216 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3222 err = nf_tables_set_alloc_name(&ctx, set, name);
3229 udata = set->data + size;
3230 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3233 INIT_LIST_HEAD(&set->bindings);
3236 set->klen = desc.klen;
3238 set->objtype = objtype;
3239 set->dlen = desc.dlen;
3241 set->size = desc.size;
3242 set->policy = policy;
3245 set->timeout = timeout;
3246 set->gc_int = gc_int;
3247 set->handle = nf_tables_alloc_handle(table);
3249 err = ops->init(set, &desc, nla);
3253 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3257 list_add_tail_rcu(&set->list, &table->sets);
3268 module_put(ops->type->owner);
3272 static void nft_set_destroy(struct nft_set *set)
3274 set->ops->destroy(set);
3275 module_put(set->ops->type->owner);
3280 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3282 list_del_rcu(&set->list);
3283 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3284 nft_set_destroy(set);
3287 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3288 struct sk_buff *skb, const struct nlmsghdr *nlh,
3289 const struct nlattr * const nla[],
3290 struct netlink_ext_ack *extack)
3292 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3293 u8 genmask = nft_genmask_next(net);
3294 struct nft_set *set;
3298 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3299 return -EAFNOSUPPORT;
3300 if (nla[NFTA_SET_TABLE] == NULL)
3303 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3307 if (nla[NFTA_SET_HANDLE])
3308 set = nf_tables_set_lookup_byhandle(ctx.table, nla[NFTA_SET_HANDLE], genmask);
3310 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3312 return PTR_ERR(set);
3314 if (!list_empty(&set->bindings) ||
3315 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3318 return nft_delset(&ctx, set);
3321 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3322 struct nft_set *set,
3323 const struct nft_set_iter *iter,
3324 struct nft_set_elem *elem)
3326 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3327 enum nft_registers dreg;
3329 dreg = nft_type_to_reg(set->dtype);
3330 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3331 set->dtype == NFT_DATA_VERDICT ?
3332 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3336 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3337 struct nft_set_binding *binding)
3339 struct nft_set_binding *i;
3340 struct nft_set_iter iter;
3342 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3345 if (binding->flags & NFT_SET_MAP) {
3346 /* If the set is already bound to the same chain all
3347 * jumps are already validated for that chain.
3349 list_for_each_entry(i, &set->bindings, list) {
3350 if (i->flags & NFT_SET_MAP &&
3351 i->chain == binding->chain)
3355 iter.genmask = nft_genmask_next(ctx->net);
3359 iter.fn = nf_tables_bind_check_setelem;
3361 set->ops->walk(ctx, set, &iter);
3366 binding->chain = ctx->chain;
3367 list_add_tail_rcu(&binding->list, &set->bindings);
3370 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3372 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3373 struct nft_set_binding *binding)
3375 list_del_rcu(&binding->list);
3377 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3378 nft_is_active(ctx->net, set))
3379 nf_tables_set_destroy(ctx, set);
3381 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3383 const struct nft_set_ext_type nft_set_ext_types[] = {
3384 [NFT_SET_EXT_KEY] = {
3385 .align = __alignof__(u32),
3387 [NFT_SET_EXT_DATA] = {
3388 .align = __alignof__(u32),
3390 [NFT_SET_EXT_EXPR] = {
3391 .align = __alignof__(struct nft_expr),
3393 [NFT_SET_EXT_OBJREF] = {
3394 .len = sizeof(struct nft_object *),
3395 .align = __alignof__(struct nft_object *),
3397 [NFT_SET_EXT_FLAGS] = {
3399 .align = __alignof__(u8),
3401 [NFT_SET_EXT_TIMEOUT] = {
3403 .align = __alignof__(u64),
3405 [NFT_SET_EXT_EXPIRATION] = {
3406 .len = sizeof(unsigned long),
3407 .align = __alignof__(unsigned long),
3409 [NFT_SET_EXT_USERDATA] = {
3410 .len = sizeof(struct nft_userdata),
3411 .align = __alignof__(struct nft_userdata),
3414 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3420 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3421 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3422 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3423 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3424 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3425 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3426 .len = NFT_USERDATA_MAXLEN },
3427 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3428 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3431 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3432 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3433 .len = NFT_TABLE_MAXNAMELEN - 1 },
3434 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3435 .len = NFT_SET_MAXNAMELEN - 1 },
3436 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3437 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3440 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3441 const struct sk_buff *skb,
3442 const struct nlmsghdr *nlh,
3443 const struct nlattr * const nla[],
3446 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3447 int family = nfmsg->nfgen_family;
3448 struct nft_table *table;
3450 table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
3453 return PTR_ERR(table);
3455 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3459 static int nf_tables_fill_setelem(struct sk_buff *skb,
3460 const struct nft_set *set,
3461 const struct nft_set_elem *elem)
3463 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3464 unsigned char *b = skb_tail_pointer(skb);
3465 struct nlattr *nest;
3467 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3469 goto nla_put_failure;
3471 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3472 NFT_DATA_VALUE, set->klen) < 0)
3473 goto nla_put_failure;
3475 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3476 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3477 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3479 goto nla_put_failure;
3481 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3482 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3483 goto nla_put_failure;
3485 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3486 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3487 (*nft_set_ext_obj(ext))->name) < 0)
3488 goto nla_put_failure;
3490 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3491 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3492 htonl(*nft_set_ext_flags(ext))))
3493 goto nla_put_failure;
3495 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3496 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3497 cpu_to_be64(jiffies_to_msecs(
3498 *nft_set_ext_timeout(ext))),
3500 goto nla_put_failure;
3502 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3503 unsigned long expires, now = jiffies;
3505 expires = *nft_set_ext_expiration(ext);
3506 if (time_before(now, expires))
3511 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3512 cpu_to_be64(jiffies_to_msecs(expires)),
3514 goto nla_put_failure;
3517 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3518 struct nft_userdata *udata;
3520 udata = nft_set_ext_userdata(ext);
3521 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3522 udata->len + 1, udata->data))
3523 goto nla_put_failure;
3526 nla_nest_end(skb, nest);
3534 struct nft_set_dump_args {
3535 const struct netlink_callback *cb;
3536 struct nft_set_iter iter;
3537 struct sk_buff *skb;
3540 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3541 struct nft_set *set,
3542 const struct nft_set_iter *iter,
3543 struct nft_set_elem *elem)
3545 struct nft_set_dump_args *args;
3547 args = container_of(iter, struct nft_set_dump_args, iter);
3548 return nf_tables_fill_setelem(args->skb, set, elem);
3551 struct nft_set_dump_ctx {
3552 const struct nft_set *set;
3556 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3558 struct nft_set_dump_ctx *dump_ctx = cb->data;
3559 struct net *net = sock_net(skb->sk);
3560 struct nft_table *table;
3561 struct nft_set *set;
3562 struct nft_set_dump_args args;
3563 bool set_found = false;
3564 struct nfgenmsg *nfmsg;
3565 struct nlmsghdr *nlh;
3566 struct nlattr *nest;
3571 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3572 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3573 dump_ctx->ctx.family != table->family)
3576 if (table != dump_ctx->ctx.table)
3579 list_for_each_entry_rcu(set, &table->sets, list) {
3580 if (set == dump_ctx->set) {
3593 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3594 portid = NETLINK_CB(cb->skb).portid;
3595 seq = cb->nlh->nlmsg_seq;
3597 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3600 goto nla_put_failure;
3602 nfmsg = nlmsg_data(nlh);
3603 nfmsg->nfgen_family = table->family;
3604 nfmsg->version = NFNETLINK_V0;
3605 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3607 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3608 goto nla_put_failure;
3609 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3610 goto nla_put_failure;
3612 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3614 goto nla_put_failure;
3618 args.iter.genmask = nft_genmask_cur(net);
3619 args.iter.skip = cb->args[0];
3620 args.iter.count = 0;
3622 args.iter.fn = nf_tables_dump_setelem;
3623 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3626 nla_nest_end(skb, nest);
3627 nlmsg_end(skb, nlh);
3629 if (args.iter.err && args.iter.err != -EMSGSIZE)
3630 return args.iter.err;
3631 if (args.iter.count == cb->args[0])
3634 cb->args[0] = args.iter.count;
3642 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3648 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3649 const struct nft_ctx *ctx, u32 seq,
3650 u32 portid, int event, u16 flags,
3651 const struct nft_set *set,
3652 const struct nft_set_elem *elem)
3654 struct nfgenmsg *nfmsg;
3655 struct nlmsghdr *nlh;
3656 struct nlattr *nest;
3659 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3660 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3663 goto nla_put_failure;
3665 nfmsg = nlmsg_data(nlh);
3666 nfmsg->nfgen_family = ctx->family;
3667 nfmsg->version = NFNETLINK_V0;
3668 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3670 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3671 goto nla_put_failure;
3672 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3673 goto nla_put_failure;
3675 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3677 goto nla_put_failure;
3679 err = nf_tables_fill_setelem(skb, set, elem);
3681 goto nla_put_failure;
3683 nla_nest_end(skb, nest);
3685 nlmsg_end(skb, nlh);
3689 nlmsg_trim(skb, nlh);
3693 static int nft_setelem_parse_flags(const struct nft_set *set,
3694 const struct nlattr *attr, u32 *flags)
3699 *flags = ntohl(nla_get_be32(attr));
3700 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3702 if (!(set->flags & NFT_SET_INTERVAL) &&
3703 *flags & NFT_SET_ELEM_INTERVAL_END)
3709 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3710 const struct nlattr *attr)
3712 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3713 const struct nft_set_ext *ext;
3714 struct nft_data_desc desc;
3715 struct nft_set_elem elem;
3716 struct sk_buff *skb;
3721 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3722 nft_set_elem_policy, NULL);
3726 if (!nla[NFTA_SET_ELEM_KEY])
3729 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3733 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3734 nla[NFTA_SET_ELEM_KEY]);
3739 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3742 priv = set->ops->get(ctx->net, set, &elem, flags);
3744 return PTR_ERR(priv);
3747 ext = nft_set_elem_ext(set, &elem);
3750 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3754 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3755 NFT_MSG_NEWSETELEM, 0, set, &elem);
3759 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3760 /* This avoids a loop in nfnetlink. */
3768 /* this avoids a loop in nfnetlink. */
3769 return err == -EAGAIN ? -ENOBUFS : err;
3772 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3773 struct sk_buff *skb, const struct nlmsghdr *nlh,
3774 const struct nlattr * const nla[],
3775 struct netlink_ext_ack *extack)
3777 u8 genmask = nft_genmask_cur(net);
3778 struct nft_set *set;
3779 struct nlattr *attr;
3783 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3787 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3790 return PTR_ERR(set);
3792 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3793 struct netlink_dump_control c = {
3794 .dump = nf_tables_dump_set,
3795 .done = nf_tables_dump_set_done,
3797 struct nft_set_dump_ctx *dump_ctx;
3799 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3803 dump_ctx->set = set;
3804 dump_ctx->ctx = ctx;
3807 return netlink_dump_start(nlsk, skb, nlh, &c);
3810 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3813 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3814 err = nft_get_set_elem(&ctx, set, attr);
3822 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3823 const struct nft_set *set,
3824 const struct nft_set_elem *elem,
3825 int event, u16 flags)
3827 struct net *net = ctx->net;
3828 u32 portid = ctx->portid;
3829 struct sk_buff *skb;
3832 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3835 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3839 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3846 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3850 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3853 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3855 struct nft_set *set)
3857 struct nft_trans *trans;
3859 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3863 nft_trans_elem_set(trans) = set;
3867 void *nft_set_elem_init(const struct nft_set *set,
3868 const struct nft_set_ext_tmpl *tmpl,
3869 const u32 *key, const u32 *data,
3870 u64 timeout, gfp_t gfp)
3872 struct nft_set_ext *ext;
3875 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3879 ext = nft_set_elem_ext(set, elem);
3880 nft_set_ext_init(ext, tmpl);
3882 memcpy(nft_set_ext_key(ext), key, set->klen);
3883 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3884 memcpy(nft_set_ext_data(ext), data, set->dlen);
3885 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3886 *nft_set_ext_expiration(ext) =
3888 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3889 *nft_set_ext_timeout(ext) = timeout;
3894 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3897 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3899 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3900 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3901 nft_data_release(nft_set_ext_data(ext), set->dtype);
3902 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3903 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3904 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3905 (*nft_set_ext_obj(ext))->use--;
3908 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3910 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3911 * the refcounting from the preparation phase.
3913 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3915 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3917 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3918 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3922 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3923 const struct nlattr *attr, u32 nlmsg_flags)
3925 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3926 u8 genmask = nft_genmask_next(ctx->net);
3927 struct nft_data_desc d1, d2;
3928 struct nft_set_ext_tmpl tmpl;
3929 struct nft_set_ext *ext, *ext2;
3930 struct nft_set_elem elem;
3931 struct nft_set_binding *binding;
3932 struct nft_object *obj = NULL;
3933 struct nft_userdata *udata;
3934 struct nft_data data;
3935 enum nft_registers dreg;
3936 struct nft_trans *trans;
3942 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3943 nft_set_elem_policy, NULL);
3947 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3950 nft_set_ext_prepare(&tmpl);
3952 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3956 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3958 if (set->flags & NFT_SET_MAP) {
3959 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3960 !(flags & NFT_SET_ELEM_INTERVAL_END))
3962 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3963 flags & NFT_SET_ELEM_INTERVAL_END)
3966 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3971 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3972 if (!(set->flags & NFT_SET_TIMEOUT))
3974 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3975 nla[NFTA_SET_ELEM_TIMEOUT])));
3976 } else if (set->flags & NFT_SET_TIMEOUT) {
3977 timeout = set->timeout;
3980 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3981 nla[NFTA_SET_ELEM_KEY]);
3985 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3988 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3990 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3991 if (timeout != set->timeout)
3992 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3995 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3996 if (!(set->flags & NFT_SET_OBJECT)) {
4000 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4001 set->objtype, genmask);
4006 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4009 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4010 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4011 nla[NFTA_SET_ELEM_DATA]);
4016 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4019 dreg = nft_type_to_reg(set->dtype);
4020 list_for_each_entry(binding, &set->bindings, list) {
4021 struct nft_ctx bind_ctx = {
4023 .family = ctx->family,
4024 .table = ctx->table,
4025 .chain = (struct nft_chain *)binding->chain,
4028 if (!(binding->flags & NFT_SET_MAP))
4031 err = nft_validate_register_store(&bind_ctx, dreg,
4038 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4041 /* The full maximum length of userdata can exceed the maximum
4042 * offset value (U8_MAX) for following extensions, therefor it
4043 * must be the last extension added.
4046 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4047 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4049 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4054 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4055 timeout, GFP_KERNEL);
4056 if (elem.priv == NULL)
4059 ext = nft_set_elem_ext(set, elem.priv);
4061 *nft_set_ext_flags(ext) = flags;
4063 udata = nft_set_ext_userdata(ext);
4064 udata->len = ulen - 1;
4065 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4068 *nft_set_ext_obj(ext) = obj;
4072 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4076 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4077 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4079 if (err == -EEXIST) {
4080 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4081 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4082 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4083 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4087 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4088 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4089 memcmp(nft_set_ext_data(ext),
4090 nft_set_ext_data(ext2), set->dlen) != 0) ||
4091 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4092 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4093 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4095 else if (!(nlmsg_flags & NLM_F_EXCL))
4102 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4107 nft_trans_elem(trans) = elem;
4108 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4112 set->ops->remove(ctx->net, set, &elem);
4118 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4119 nft_data_release(&data, d2.type);
4121 nft_data_release(&elem.key.val, d1.type);
4126 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4127 struct sk_buff *skb, const struct nlmsghdr *nlh,
4128 const struct nlattr * const nla[],
4129 struct netlink_ext_ack *extack)
4131 u8 genmask = nft_genmask_next(net);
4132 const struct nlattr *attr;
4133 struct nft_set *set;
4137 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4140 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4144 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4145 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4147 return PTR_ERR(set);
4149 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4152 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4153 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4161 * nft_data_hold - hold a nft_data item
4163 * @data: struct nft_data to release
4164 * @type: type of data
4166 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4167 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4168 * NFT_GOTO verdicts. This function must be called on active data objects
4169 * from the second phase of the commit protocol.
4171 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4173 if (type == NFT_DATA_VERDICT) {
4174 switch (data->verdict.code) {
4177 data->verdict.chain->use++;
4183 static void nft_set_elem_activate(const struct net *net,
4184 const struct nft_set *set,
4185 struct nft_set_elem *elem)
4187 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4189 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4190 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4191 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4192 (*nft_set_ext_obj(ext))->use++;
4195 static void nft_set_elem_deactivate(const struct net *net,
4196 const struct nft_set *set,
4197 struct nft_set_elem *elem)
4199 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4201 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4202 nft_data_release(nft_set_ext_data(ext), set->dtype);
4203 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4204 (*nft_set_ext_obj(ext))->use--;
4207 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4208 const struct nlattr *attr)
4210 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4211 struct nft_set_ext_tmpl tmpl;
4212 struct nft_data_desc desc;
4213 struct nft_set_elem elem;
4214 struct nft_set_ext *ext;
4215 struct nft_trans *trans;
4220 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4221 nft_set_elem_policy, NULL);
4226 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4229 nft_set_ext_prepare(&tmpl);
4231 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4235 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4237 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4238 nla[NFTA_SET_ELEM_KEY]);
4243 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4246 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4249 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4251 if (elem.priv == NULL)
4254 ext = nft_set_elem_ext(set, elem.priv);
4256 *nft_set_ext_flags(ext) = flags;
4258 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4259 if (trans == NULL) {
4264 priv = set->ops->deactivate(ctx->net, set, &elem);
4272 nft_set_elem_deactivate(ctx->net, set, &elem);
4274 nft_trans_elem(trans) = elem;
4275 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4283 nft_data_release(&elem.key.val, desc.type);
4288 static int nft_flush_set(const struct nft_ctx *ctx,
4289 struct nft_set *set,
4290 const struct nft_set_iter *iter,
4291 struct nft_set_elem *elem)
4293 struct nft_trans *trans;
4296 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4297 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4301 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4307 nft_trans_elem_set(trans) = set;
4308 nft_trans_elem(trans) = *elem;
4309 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4317 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4318 struct sk_buff *skb, const struct nlmsghdr *nlh,
4319 const struct nlattr * const nla[],
4320 struct netlink_ext_ack *extack)
4322 u8 genmask = nft_genmask_next(net);
4323 const struct nlattr *attr;
4324 struct nft_set *set;
4328 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4332 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4335 return PTR_ERR(set);
4336 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4339 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4340 struct nft_set_iter iter = {
4342 .fn = nft_flush_set,
4344 set->ops->walk(&ctx, set, &iter);
4349 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4350 err = nft_del_setelem(&ctx, set, attr);
4359 void nft_set_gc_batch_release(struct rcu_head *rcu)
4361 struct nft_set_gc_batch *gcb;
4364 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4365 for (i = 0; i < gcb->head.cnt; i++)
4366 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4369 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4371 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4374 struct nft_set_gc_batch *gcb;
4376 gcb = kzalloc(sizeof(*gcb), gfp);
4379 gcb->head.set = set;
4382 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4389 * nft_register_obj- register nf_tables stateful object type
4392 * Registers the object type for use with nf_tables. Returns zero on
4393 * success or a negative errno code otherwise.
4395 int nft_register_obj(struct nft_object_type *obj_type)
4397 if (obj_type->type == NFT_OBJECT_UNSPEC)
4400 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4401 list_add_rcu(&obj_type->list, &nf_tables_objects);
4402 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4405 EXPORT_SYMBOL_GPL(nft_register_obj);
4408 * nft_unregister_obj - unregister nf_tables object type
4411 * Unregisters the object type for use with nf_tables.
4413 void nft_unregister_obj(struct nft_object_type *obj_type)
4415 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4416 list_del_rcu(&obj_type->list);
4417 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4419 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4421 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4422 const struct nlattr *nla,
4423 u32 objtype, u8 genmask)
4425 struct nft_object *obj;
4427 list_for_each_entry(obj, &table->objects, list) {
4428 if (!nla_strcmp(nla, obj->name) &&
4429 objtype == obj->ops->type->type &&
4430 nft_active_genmask(obj, genmask))
4433 return ERR_PTR(-ENOENT);
4435 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4437 static struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
4438 const struct nlattr *nla,
4439 u32 objtype, u8 genmask)
4441 struct nft_object *obj;
4443 list_for_each_entry(obj, &table->objects, list) {
4444 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4445 objtype == obj->ops->type->type &&
4446 nft_active_genmask(obj, genmask))
4449 return ERR_PTR(-ENOENT);
4452 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4453 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4454 .len = NFT_TABLE_MAXNAMELEN - 1 },
4455 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4456 .len = NFT_OBJ_MAXNAMELEN - 1 },
4457 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4458 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4459 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4462 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4463 const struct nft_object_type *type,
4464 const struct nlattr *attr)
4467 const struct nft_object_ops *ops;
4468 struct nft_object *obj;
4471 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4476 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4481 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4484 if (type->select_ops) {
4485 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4495 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4499 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4512 return ERR_PTR(err);
4515 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4516 struct nft_object *obj, bool reset)
4518 struct nlattr *nest;
4520 nest = nla_nest_start(skb, attr);
4522 goto nla_put_failure;
4523 if (obj->ops->dump(skb, obj, reset) < 0)
4524 goto nla_put_failure;
4525 nla_nest_end(skb, nest);
4532 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4534 const struct nft_object_type *type;
4536 list_for_each_entry(type, &nf_tables_objects, list) {
4537 if (objtype == type->type)
4543 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4545 const struct nft_object_type *type;
4547 type = __nft_obj_type_get(objtype);
4548 if (type != NULL && try_module_get(type->owner))
4551 #ifdef CONFIG_MODULES
4553 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4554 request_module("nft-obj-%u", objtype);
4555 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4556 if (__nft_obj_type_get(objtype))
4557 return ERR_PTR(-EAGAIN);
4560 return ERR_PTR(-ENOENT);
4563 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4564 struct sk_buff *skb, const struct nlmsghdr *nlh,
4565 const struct nlattr * const nla[],
4566 struct netlink_ext_ack *extack)
4568 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4569 const struct nft_object_type *type;
4570 u8 genmask = nft_genmask_next(net);
4571 int family = nfmsg->nfgen_family;
4572 struct nft_table *table;
4573 struct nft_object *obj;
4578 if (!nla[NFTA_OBJ_TYPE] ||
4579 !nla[NFTA_OBJ_NAME] ||
4580 !nla[NFTA_OBJ_DATA])
4583 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4586 return PTR_ERR(table);
4588 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4589 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4596 if (nlh->nlmsg_flags & NLM_F_EXCL)
4602 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4604 type = nft_obj_type_get(objtype);
4606 return PTR_ERR(type);
4608 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4614 obj->handle = nf_tables_alloc_handle(table);
4616 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4622 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4626 list_add_tail_rcu(&obj->list, &table->objects);
4632 if (obj->ops->destroy)
4633 obj->ops->destroy(obj);
4636 module_put(type->owner);
4640 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4641 u32 portid, u32 seq, int event, u32 flags,
4642 int family, const struct nft_table *table,
4643 struct nft_object *obj, bool reset)
4645 struct nfgenmsg *nfmsg;
4646 struct nlmsghdr *nlh;
4648 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4649 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4651 goto nla_put_failure;
4653 nfmsg = nlmsg_data(nlh);
4654 nfmsg->nfgen_family = family;
4655 nfmsg->version = NFNETLINK_V0;
4656 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4658 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4659 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4660 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4661 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4662 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4663 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4665 goto nla_put_failure;
4667 nlmsg_end(skb, nlh);
4671 nlmsg_trim(skb, nlh);
4675 struct nft_obj_filter {
4680 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4682 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4683 const struct nft_table *table;
4684 unsigned int idx = 0, s_idx = cb->args[0];
4685 struct nft_obj_filter *filter = cb->data;
4686 struct net *net = sock_net(skb->sk);
4687 int family = nfmsg->nfgen_family;
4688 struct nft_object *obj;
4691 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4695 cb->seq = net->nft.base_seq;
4697 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4698 if (family != NFPROTO_UNSPEC && family != table->family)
4701 list_for_each_entry_rcu(obj, &table->objects, list) {
4702 if (!nft_is_active(net, obj))
4707 memset(&cb->args[1], 0,
4708 sizeof(cb->args) - sizeof(cb->args[0]));
4709 if (filter && filter->table[0] &&
4710 strcmp(filter->table, table->name))
4713 filter->type != NFT_OBJECT_UNSPEC &&
4714 obj->ops->type->type != filter->type)
4717 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4720 NLM_F_MULTI | NLM_F_APPEND,
4721 table->family, table,
4725 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4737 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4739 struct nft_obj_filter *filter = cb->data;
4742 kfree(filter->table);
4749 static struct nft_obj_filter *
4750 nft_obj_filter_alloc(const struct nlattr * const nla[])
4752 struct nft_obj_filter *filter;
4754 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4756 return ERR_PTR(-ENOMEM);
4758 if (nla[NFTA_OBJ_TABLE]) {
4759 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4760 if (!filter->table) {
4762 return ERR_PTR(-ENOMEM);
4765 if (nla[NFTA_OBJ_TYPE])
4766 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4771 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4772 struct sk_buff *skb, const struct nlmsghdr *nlh,
4773 const struct nlattr * const nla[],
4774 struct netlink_ext_ack *extack)
4776 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4777 u8 genmask = nft_genmask_cur(net);
4778 int family = nfmsg->nfgen_family;
4779 const struct nft_table *table;
4780 struct nft_object *obj;
4781 struct sk_buff *skb2;
4786 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4787 struct netlink_dump_control c = {
4788 .dump = nf_tables_dump_obj,
4789 .done = nf_tables_dump_obj_done,
4792 if (nla[NFTA_OBJ_TABLE] ||
4793 nla[NFTA_OBJ_TYPE]) {
4794 struct nft_obj_filter *filter;
4796 filter = nft_obj_filter_alloc(nla);
4802 return netlink_dump_start(nlsk, skb, nlh, &c);
4805 if (!nla[NFTA_OBJ_NAME] ||
4806 !nla[NFTA_OBJ_TYPE])
4809 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4812 return PTR_ERR(table);
4814 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4815 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4817 return PTR_ERR(obj);
4819 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4823 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4826 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4827 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4828 family, table, obj, reset);
4832 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4838 static void nft_obj_destroy(struct nft_object *obj)
4840 if (obj->ops->destroy)
4841 obj->ops->destroy(obj);
4843 module_put(obj->ops->type->owner);
4848 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4849 struct sk_buff *skb, const struct nlmsghdr *nlh,
4850 const struct nlattr * const nla[],
4851 struct netlink_ext_ack *extack)
4853 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4854 u8 genmask = nft_genmask_next(net);
4855 int family = nfmsg->nfgen_family;
4856 struct nft_table *table;
4857 struct nft_object *obj;
4861 if (!nla[NFTA_OBJ_TYPE] ||
4862 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4865 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4868 return PTR_ERR(table);
4870 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4871 if (nla[NFTA_OBJ_HANDLE])
4872 obj = nf_tables_obj_lookup_byhandle(table, nla[NFTA_OBJ_HANDLE],
4875 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME],
4878 return PTR_ERR(obj);
4882 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4884 return nft_delobj(&ctx, obj);
4887 void nft_obj_notify(struct net *net, struct nft_table *table,
4888 struct nft_object *obj, u32 portid, u32 seq, int event,
4889 int family, int report, gfp_t gfp)
4891 struct sk_buff *skb;
4895 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4898 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4902 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4909 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4912 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4914 EXPORT_SYMBOL_GPL(nft_obj_notify);
4916 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4917 struct nft_object *obj, int event)
4919 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4920 ctx->family, ctx->report, GFP_KERNEL);
4926 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4928 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4929 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4930 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4932 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4934 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4936 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4937 list_del_rcu(&type->list);
4938 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4940 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4942 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4943 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4944 .len = NFT_NAME_MAXLEN - 1 },
4945 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4946 .len = NFT_NAME_MAXLEN - 1 },
4947 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4948 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
4951 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
4952 const struct nlattr *nla,
4955 struct nft_flowtable *flowtable;
4957 list_for_each_entry(flowtable, &table->flowtables, list) {
4958 if (!nla_strcmp(nla, flowtable->name) &&
4959 nft_active_genmask(flowtable, genmask))
4962 return ERR_PTR(-ENOENT);
4964 EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
4966 static struct nft_flowtable *
4967 nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
4968 const struct nlattr *nla, u8 genmask)
4970 struct nft_flowtable *flowtable;
4972 list_for_each_entry(flowtable, &table->flowtables, list) {
4973 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
4974 nft_active_genmask(flowtable, genmask))
4977 return ERR_PTR(-ENOENT);
4980 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4981 const struct nlattr *attr,
4982 struct net_device *dev_array[], int *len)
4984 const struct nlattr *tmp;
4985 struct net_device *dev;
4986 char ifname[IFNAMSIZ];
4987 int rem, n = 0, err;
4989 nla_for_each_nested(tmp, attr, rem) {
4990 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
4995 nla_strlcpy(ifname, tmp, IFNAMSIZ);
4996 dev = __dev_get_by_name(ctx->net, ifname);
5002 dev_array[n++] = dev;
5003 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5017 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5018 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5019 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5020 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5023 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5024 const struct nlattr *attr,
5025 struct nft_flowtable *flowtable)
5027 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5028 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5029 struct nf_hook_ops *ops;
5030 int hooknum, priority;
5033 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5034 nft_flowtable_hook_policy, NULL);
5038 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5039 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5040 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5043 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5044 if (hooknum != NF_NETDEV_INGRESS)
5047 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5049 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5054 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
5058 flowtable->hooknum = hooknum;
5059 flowtable->priority = priority;
5060 flowtable->ops = ops;
5061 flowtable->ops_len = n;
5063 for (i = 0; i < n; i++) {
5064 flowtable->ops[i].pf = NFPROTO_NETDEV;
5065 flowtable->ops[i].hooknum = hooknum;
5066 flowtable->ops[i].priority = priority;
5067 flowtable->ops[i].priv = &flowtable->data.rhashtable;
5068 flowtable->ops[i].hook = flowtable->data.type->hook;
5069 flowtable->ops[i].dev = dev_array[i];
5070 flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
5077 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5079 const struct nf_flowtable_type *type;
5081 list_for_each_entry(type, &nf_tables_flowtables, list) {
5082 if (family == type->family)
5088 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5090 const struct nf_flowtable_type *type;
5092 type = __nft_flowtable_type_get(family);
5093 if (type != NULL && try_module_get(type->owner))
5096 #ifdef CONFIG_MODULES
5098 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5099 request_module("nf-flowtable-%u", family);
5100 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5101 if (__nft_flowtable_type_get(family))
5102 return ERR_PTR(-EAGAIN);
5105 return ERR_PTR(-ENOENT);
5108 void nft_flow_table_iterate(struct net *net,
5109 void (*iter)(struct nf_flowtable *flowtable, void *data),
5112 struct nft_flowtable *flowtable;
5113 const struct nft_table *table;
5115 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5116 list_for_each_entry(table, &net->nft.tables, list) {
5117 list_for_each_entry(flowtable, &table->flowtables, list) {
5118 iter(&flowtable->data, data);
5121 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5123 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
5125 static void nft_unregister_flowtable_net_hooks(struct net *net,
5126 struct nft_flowtable *flowtable)
5130 for (i = 0; i < flowtable->ops_len; i++) {
5131 if (!flowtable->ops[i].dev)
5134 nf_unregister_net_hook(net, &flowtable->ops[i]);
5138 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5139 struct sk_buff *skb,
5140 const struct nlmsghdr *nlh,
5141 const struct nlattr * const nla[],
5142 struct netlink_ext_ack *extack)
5144 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5145 const struct nf_flowtable_type *type;
5146 struct nft_flowtable *flowtable, *ft;
5147 u8 genmask = nft_genmask_next(net);
5148 int family = nfmsg->nfgen_family;
5149 struct nft_table *table;
5153 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5154 !nla[NFTA_FLOWTABLE_NAME] ||
5155 !nla[NFTA_FLOWTABLE_HOOK])
5158 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5161 return PTR_ERR(table);
5163 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5165 if (IS_ERR(flowtable)) {
5166 err = PTR_ERR(flowtable);
5170 if (nlh->nlmsg_flags & NLM_F_EXCL)
5176 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5178 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5182 flowtable->table = table;
5183 flowtable->handle = nf_tables_alloc_handle(table);
5185 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5186 if (!flowtable->name) {
5191 type = nft_flowtable_type_get(family);
5193 err = PTR_ERR(type);
5197 flowtable->data.type = type;
5198 err = rhashtable_init(&flowtable->data.rhashtable, type->params);
5202 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5207 for (i = 0; i < flowtable->ops_len; i++) {
5208 if (!flowtable->ops[i].dev)
5211 list_for_each_entry(ft, &table->flowtables, list) {
5212 for (k = 0; k < ft->ops_len; k++) {
5213 if (!ft->ops[k].dev)
5216 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5217 flowtable->ops[i].pf == ft->ops[k].pf) {
5224 err = nf_register_net_hook(net, &flowtable->ops[i]);
5229 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5233 INIT_DEFERRABLE_WORK(&flowtable->data.gc_work, type->gc);
5234 queue_delayed_work(system_power_efficient_wq,
5235 &flowtable->data.gc_work, HZ);
5237 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5242 i = flowtable->ops_len;
5244 for (k = i - 1; k >= 0; k--) {
5245 kfree(flowtable->dev_name[k]);
5246 nf_unregister_net_hook(net, &flowtable->ops[k]);
5249 kfree(flowtable->ops);
5251 module_put(type->owner);
5253 kfree(flowtable->name);
5259 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5260 struct sk_buff *skb,
5261 const struct nlmsghdr *nlh,
5262 const struct nlattr * const nla[],
5263 struct netlink_ext_ack *extack)
5265 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5266 u8 genmask = nft_genmask_next(net);
5267 int family = nfmsg->nfgen_family;
5268 struct nft_flowtable *flowtable;
5269 struct nft_table *table;
5272 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5273 (!nla[NFTA_FLOWTABLE_NAME] &&
5274 !nla[NFTA_FLOWTABLE_HANDLE]))
5277 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5280 return PTR_ERR(table);
5282 if (nla[NFTA_FLOWTABLE_HANDLE])
5283 flowtable = nf_tables_flowtable_lookup_byhandle(table,
5284 nla[NFTA_FLOWTABLE_HANDLE],
5287 flowtable = nf_tables_flowtable_lookup(table,
5288 nla[NFTA_FLOWTABLE_NAME],
5290 if (IS_ERR(flowtable))
5291 return PTR_ERR(flowtable);
5292 if (flowtable->use > 0)
5295 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5297 return nft_delflowtable(&ctx, flowtable);
5300 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5301 u32 portid, u32 seq, int event,
5302 u32 flags, int family,
5303 struct nft_flowtable *flowtable)
5305 struct nlattr *nest, *nest_devs;
5306 struct nfgenmsg *nfmsg;
5307 struct nlmsghdr *nlh;
5310 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5311 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5313 goto nla_put_failure;
5315 nfmsg = nlmsg_data(nlh);
5316 nfmsg->nfgen_family = family;
5317 nfmsg->version = NFNETLINK_V0;
5318 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5320 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5321 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5322 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5323 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5324 NFTA_FLOWTABLE_PAD))
5325 goto nla_put_failure;
5327 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5328 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5329 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5330 goto nla_put_failure;
5332 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5334 goto nla_put_failure;
5336 for (i = 0; i < flowtable->ops_len; i++) {
5337 if (flowtable->dev_name[i][0] &&
5338 nla_put_string(skb, NFTA_DEVICE_NAME,
5339 flowtable->dev_name[i]))
5340 goto nla_put_failure;
5342 nla_nest_end(skb, nest_devs);
5343 nla_nest_end(skb, nest);
5345 nlmsg_end(skb, nlh);
5349 nlmsg_trim(skb, nlh);
5353 struct nft_flowtable_filter {
5357 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5358 struct netlink_callback *cb)
5360 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5361 struct nft_flowtable_filter *filter = cb->data;
5362 unsigned int idx = 0, s_idx = cb->args[0];
5363 struct net *net = sock_net(skb->sk);
5364 int family = nfmsg->nfgen_family;
5365 struct nft_flowtable *flowtable;
5366 const struct nft_table *table;
5369 cb->seq = net->nft.base_seq;
5371 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5372 if (family != NFPROTO_UNSPEC && family != table->family)
5375 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5376 if (!nft_is_active(net, flowtable))
5381 memset(&cb->args[1], 0,
5382 sizeof(cb->args) - sizeof(cb->args[0]));
5383 if (filter && filter->table[0] &&
5384 strcmp(filter->table, table->name))
5387 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5389 NFT_MSG_NEWFLOWTABLE,
5390 NLM_F_MULTI | NLM_F_APPEND,
5391 table->family, flowtable) < 0)
5394 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5406 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5408 struct nft_flowtable_filter *filter = cb->data;
5413 kfree(filter->table);
5419 static struct nft_flowtable_filter *
5420 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5422 struct nft_flowtable_filter *filter;
5424 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5426 return ERR_PTR(-ENOMEM);
5428 if (nla[NFTA_FLOWTABLE_TABLE]) {
5429 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5431 if (!filter->table) {
5433 return ERR_PTR(-ENOMEM);
5439 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5440 struct sk_buff *skb,
5441 const struct nlmsghdr *nlh,
5442 const struct nlattr * const nla[],
5443 struct netlink_ext_ack *extack)
5445 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5446 u8 genmask = nft_genmask_cur(net);
5447 int family = nfmsg->nfgen_family;
5448 struct nft_flowtable *flowtable;
5449 const struct nft_table *table;
5450 struct sk_buff *skb2;
5453 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5454 struct netlink_dump_control c = {
5455 .dump = nf_tables_dump_flowtable,
5456 .done = nf_tables_dump_flowtable_done,
5459 if (nla[NFTA_FLOWTABLE_TABLE]) {
5460 struct nft_flowtable_filter *filter;
5462 filter = nft_flowtable_filter_alloc(nla);
5468 return netlink_dump_start(nlsk, skb, nlh, &c);
5471 if (!nla[NFTA_FLOWTABLE_NAME])
5474 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5477 return PTR_ERR(table);
5479 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5481 if (IS_ERR(flowtable))
5482 return PTR_ERR(flowtable);
5484 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5488 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5490 NFT_MSG_NEWFLOWTABLE, 0, family,
5495 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5501 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5502 struct nft_flowtable *flowtable,
5505 struct sk_buff *skb;
5509 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5512 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5516 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5518 ctx->family, flowtable);
5524 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5525 ctx->report, GFP_KERNEL);
5528 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5531 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5533 cancel_delayed_work_sync(&flowtable->data.gc_work);
5534 kfree(flowtable->ops);
5535 kfree(flowtable->name);
5536 flowtable->data.type->free(&flowtable->data);
5537 rhashtable_destroy(&flowtable->data.rhashtable);
5538 module_put(flowtable->data.type->owner);
5541 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5542 u32 portid, u32 seq)
5544 struct nlmsghdr *nlh;
5545 struct nfgenmsg *nfmsg;
5546 char buf[TASK_COMM_LEN];
5547 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5549 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5551 goto nla_put_failure;
5553 nfmsg = nlmsg_data(nlh);
5554 nfmsg->nfgen_family = AF_UNSPEC;
5555 nfmsg->version = NFNETLINK_V0;
5556 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5558 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5559 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5560 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5561 goto nla_put_failure;
5563 nlmsg_end(skb, nlh);
5567 nlmsg_trim(skb, nlh);
5571 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5572 struct nft_flowtable *flowtable)
5576 for (i = 0; i < flowtable->ops_len; i++) {
5577 if (flowtable->ops[i].dev != dev)
5580 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5581 flowtable->dev_name[i][0] = '\0';
5582 flowtable->ops[i].dev = NULL;
5587 static int nf_tables_flowtable_event(struct notifier_block *this,
5588 unsigned long event, void *ptr)
5590 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5591 struct nft_flowtable *flowtable;
5592 struct nft_table *table;
5594 if (event != NETDEV_UNREGISTER)
5597 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5598 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5599 list_for_each_entry(flowtable, &table->flowtables, list) {
5600 nft_flowtable_event(event, dev, flowtable);
5603 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5608 static struct notifier_block nf_tables_flowtable_notifier = {
5609 .notifier_call = nf_tables_flowtable_event,
5612 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5615 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5616 struct sk_buff *skb2;
5619 if (nlmsg_report(nlh) &&
5620 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5623 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5627 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5634 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5635 nlmsg_report(nlh), GFP_KERNEL);
5638 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5642 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5643 struct sk_buff *skb, const struct nlmsghdr *nlh,
5644 const struct nlattr * const nla[],
5645 struct netlink_ext_ack *extack)
5647 struct sk_buff *skb2;
5650 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5654 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5659 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5665 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5666 [NFT_MSG_NEWTABLE] = {
5667 .call_batch = nf_tables_newtable,
5668 .attr_count = NFTA_TABLE_MAX,
5669 .policy = nft_table_policy,
5671 [NFT_MSG_GETTABLE] = {
5672 .call = nf_tables_gettable,
5673 .attr_count = NFTA_TABLE_MAX,
5674 .policy = nft_table_policy,
5676 [NFT_MSG_DELTABLE] = {
5677 .call_batch = nf_tables_deltable,
5678 .attr_count = NFTA_TABLE_MAX,
5679 .policy = nft_table_policy,
5681 [NFT_MSG_NEWCHAIN] = {
5682 .call_batch = nf_tables_newchain,
5683 .attr_count = NFTA_CHAIN_MAX,
5684 .policy = nft_chain_policy,
5686 [NFT_MSG_GETCHAIN] = {
5687 .call = nf_tables_getchain,
5688 .attr_count = NFTA_CHAIN_MAX,
5689 .policy = nft_chain_policy,
5691 [NFT_MSG_DELCHAIN] = {
5692 .call_batch = nf_tables_delchain,
5693 .attr_count = NFTA_CHAIN_MAX,
5694 .policy = nft_chain_policy,
5696 [NFT_MSG_NEWRULE] = {
5697 .call_batch = nf_tables_newrule,
5698 .attr_count = NFTA_RULE_MAX,
5699 .policy = nft_rule_policy,
5701 [NFT_MSG_GETRULE] = {
5702 .call = nf_tables_getrule,
5703 .attr_count = NFTA_RULE_MAX,
5704 .policy = nft_rule_policy,
5706 [NFT_MSG_DELRULE] = {
5707 .call_batch = nf_tables_delrule,
5708 .attr_count = NFTA_RULE_MAX,
5709 .policy = nft_rule_policy,
5711 [NFT_MSG_NEWSET] = {
5712 .call_batch = nf_tables_newset,
5713 .attr_count = NFTA_SET_MAX,
5714 .policy = nft_set_policy,
5716 [NFT_MSG_GETSET] = {
5717 .call = nf_tables_getset,
5718 .attr_count = NFTA_SET_MAX,
5719 .policy = nft_set_policy,
5721 [NFT_MSG_DELSET] = {
5722 .call_batch = nf_tables_delset,
5723 .attr_count = NFTA_SET_MAX,
5724 .policy = nft_set_policy,
5726 [NFT_MSG_NEWSETELEM] = {
5727 .call_batch = nf_tables_newsetelem,
5728 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5729 .policy = nft_set_elem_list_policy,
5731 [NFT_MSG_GETSETELEM] = {
5732 .call = nf_tables_getsetelem,
5733 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5734 .policy = nft_set_elem_list_policy,
5736 [NFT_MSG_DELSETELEM] = {
5737 .call_batch = nf_tables_delsetelem,
5738 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5739 .policy = nft_set_elem_list_policy,
5741 [NFT_MSG_GETGEN] = {
5742 .call = nf_tables_getgen,
5744 [NFT_MSG_NEWOBJ] = {
5745 .call_batch = nf_tables_newobj,
5746 .attr_count = NFTA_OBJ_MAX,
5747 .policy = nft_obj_policy,
5749 [NFT_MSG_GETOBJ] = {
5750 .call = nf_tables_getobj,
5751 .attr_count = NFTA_OBJ_MAX,
5752 .policy = nft_obj_policy,
5754 [NFT_MSG_DELOBJ] = {
5755 .call_batch = nf_tables_delobj,
5756 .attr_count = NFTA_OBJ_MAX,
5757 .policy = nft_obj_policy,
5759 [NFT_MSG_GETOBJ_RESET] = {
5760 .call = nf_tables_getobj,
5761 .attr_count = NFTA_OBJ_MAX,
5762 .policy = nft_obj_policy,
5764 [NFT_MSG_NEWFLOWTABLE] = {
5765 .call_batch = nf_tables_newflowtable,
5766 .attr_count = NFTA_FLOWTABLE_MAX,
5767 .policy = nft_flowtable_policy,
5769 [NFT_MSG_GETFLOWTABLE] = {
5770 .call = nf_tables_getflowtable,
5771 .attr_count = NFTA_FLOWTABLE_MAX,
5772 .policy = nft_flowtable_policy,
5774 [NFT_MSG_DELFLOWTABLE] = {
5775 .call_batch = nf_tables_delflowtable,
5776 .attr_count = NFTA_FLOWTABLE_MAX,
5777 .policy = nft_flowtable_policy,
5781 static void nft_chain_commit_update(struct nft_trans *trans)
5783 struct nft_base_chain *basechain;
5785 if (nft_trans_chain_name(trans))
5786 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5788 if (!nft_is_base_chain(trans->ctx.chain))
5791 basechain = nft_base_chain(trans->ctx.chain);
5792 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5794 switch (nft_trans_chain_policy(trans)) {
5797 basechain->policy = nft_trans_chain_policy(trans);
5802 static void nft_commit_release(struct nft_trans *trans)
5804 switch (trans->msg_type) {
5805 case NFT_MSG_DELTABLE:
5806 nf_tables_table_destroy(&trans->ctx);
5808 case NFT_MSG_DELCHAIN:
5809 nf_tables_chain_destroy(&trans->ctx);
5811 case NFT_MSG_DELRULE:
5812 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5814 case NFT_MSG_DELSET:
5815 nft_set_destroy(nft_trans_set(trans));
5817 case NFT_MSG_DELSETELEM:
5818 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5819 nft_trans_elem(trans).priv);
5821 case NFT_MSG_DELOBJ:
5822 nft_obj_destroy(nft_trans_obj(trans));
5824 case NFT_MSG_DELFLOWTABLE:
5825 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5831 static void nf_tables_commit_release(struct net *net)
5833 struct nft_trans *trans, *next;
5835 if (list_empty(&net->nft.commit_list))
5840 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5841 list_del(&trans->list);
5842 nft_commit_release(trans);
5846 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5848 struct nft_trans *trans, *next;
5849 struct nft_trans_elem *te;
5851 /* Bump generation counter, invalidate any dump in progress */
5852 while (++net->nft.base_seq == 0);
5854 /* A new generation has just started */
5855 net->nft.gencursor = nft_gencursor_next(net);
5857 /* Make sure all packets have left the previous generation before
5858 * purging old rules.
5862 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5863 switch (trans->msg_type) {
5864 case NFT_MSG_NEWTABLE:
5865 if (nft_trans_table_update(trans)) {
5866 if (!nft_trans_table_enable(trans)) {
5867 nf_tables_table_disable(net,
5869 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5872 nft_clear(net, trans->ctx.table);
5874 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5875 nft_trans_destroy(trans);
5877 case NFT_MSG_DELTABLE:
5878 list_del_rcu(&trans->ctx.table->list);
5879 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5881 case NFT_MSG_NEWCHAIN:
5882 if (nft_trans_chain_update(trans))
5883 nft_chain_commit_update(trans);
5885 nft_clear(net, trans->ctx.chain);
5887 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5888 nft_trans_destroy(trans);
5890 case NFT_MSG_DELCHAIN:
5891 list_del_rcu(&trans->ctx.chain->list);
5892 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5893 nf_tables_unregister_hook(trans->ctx.net,
5897 case NFT_MSG_NEWRULE:
5898 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5899 nf_tables_rule_notify(&trans->ctx,
5900 nft_trans_rule(trans),
5902 nft_trans_destroy(trans);
5904 case NFT_MSG_DELRULE:
5905 list_del_rcu(&nft_trans_rule(trans)->list);
5906 nf_tables_rule_notify(&trans->ctx,
5907 nft_trans_rule(trans),
5910 case NFT_MSG_NEWSET:
5911 nft_clear(net, nft_trans_set(trans));
5912 /* This avoids hitting -EBUSY when deleting the table
5913 * from the transaction.
5915 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5916 !list_empty(&nft_trans_set(trans)->bindings))
5917 trans->ctx.table->use--;
5919 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5920 NFT_MSG_NEWSET, GFP_KERNEL);
5921 nft_trans_destroy(trans);
5923 case NFT_MSG_DELSET:
5924 list_del_rcu(&nft_trans_set(trans)->list);
5925 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5926 NFT_MSG_DELSET, GFP_KERNEL);
5928 case NFT_MSG_NEWSETELEM:
5929 te = (struct nft_trans_elem *)trans->data;
5931 te->set->ops->activate(net, te->set, &te->elem);
5932 nf_tables_setelem_notify(&trans->ctx, te->set,
5934 NFT_MSG_NEWSETELEM, 0);
5935 nft_trans_destroy(trans);
5937 case NFT_MSG_DELSETELEM:
5938 te = (struct nft_trans_elem *)trans->data;
5940 nf_tables_setelem_notify(&trans->ctx, te->set,
5942 NFT_MSG_DELSETELEM, 0);
5943 te->set->ops->remove(net, te->set, &te->elem);
5944 atomic_dec(&te->set->nelems);
5947 case NFT_MSG_NEWOBJ:
5948 nft_clear(net, nft_trans_obj(trans));
5949 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5951 nft_trans_destroy(trans);
5953 case NFT_MSG_DELOBJ:
5954 list_del_rcu(&nft_trans_obj(trans)->list);
5955 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5958 case NFT_MSG_NEWFLOWTABLE:
5959 nft_clear(net, nft_trans_flowtable(trans));
5960 nf_tables_flowtable_notify(&trans->ctx,
5961 nft_trans_flowtable(trans),
5962 NFT_MSG_NEWFLOWTABLE);
5963 nft_trans_destroy(trans);
5965 case NFT_MSG_DELFLOWTABLE:
5966 list_del_rcu(&nft_trans_flowtable(trans)->list);
5967 nf_tables_flowtable_notify(&trans->ctx,
5968 nft_trans_flowtable(trans),
5969 NFT_MSG_DELFLOWTABLE);
5970 nft_unregister_flowtable_net_hooks(net,
5971 nft_trans_flowtable(trans));
5976 nf_tables_commit_release(net);
5977 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5982 static void nf_tables_abort_release(struct nft_trans *trans)
5984 switch (trans->msg_type) {
5985 case NFT_MSG_NEWTABLE:
5986 nf_tables_table_destroy(&trans->ctx);
5988 case NFT_MSG_NEWCHAIN:
5989 nf_tables_chain_destroy(&trans->ctx);
5991 case NFT_MSG_NEWRULE:
5992 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5994 case NFT_MSG_NEWSET:
5995 nft_set_destroy(nft_trans_set(trans));
5997 case NFT_MSG_NEWSETELEM:
5998 nft_set_elem_destroy(nft_trans_elem_set(trans),
5999 nft_trans_elem(trans).priv, true);
6001 case NFT_MSG_NEWOBJ:
6002 nft_obj_destroy(nft_trans_obj(trans));
6004 case NFT_MSG_NEWFLOWTABLE:
6005 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6011 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6013 struct nft_trans *trans, *next;
6014 struct nft_trans_elem *te;
6016 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6018 switch (trans->msg_type) {
6019 case NFT_MSG_NEWTABLE:
6020 if (nft_trans_table_update(trans)) {
6021 if (nft_trans_table_enable(trans)) {
6022 nf_tables_table_disable(net,
6024 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6026 nft_trans_destroy(trans);
6028 list_del_rcu(&trans->ctx.table->list);
6031 case NFT_MSG_DELTABLE:
6032 nft_clear(trans->ctx.net, trans->ctx.table);
6033 nft_trans_destroy(trans);
6035 case NFT_MSG_NEWCHAIN:
6036 if (nft_trans_chain_update(trans)) {
6037 free_percpu(nft_trans_chain_stats(trans));
6039 nft_trans_destroy(trans);
6041 trans->ctx.table->use--;
6042 list_del_rcu(&trans->ctx.chain->list);
6043 nf_tables_unregister_hook(trans->ctx.net,
6048 case NFT_MSG_DELCHAIN:
6049 trans->ctx.table->use++;
6050 nft_clear(trans->ctx.net, trans->ctx.chain);
6051 nft_trans_destroy(trans);
6053 case NFT_MSG_NEWRULE:
6054 trans->ctx.chain->use--;
6055 list_del_rcu(&nft_trans_rule(trans)->list);
6056 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6058 case NFT_MSG_DELRULE:
6059 trans->ctx.chain->use++;
6060 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6061 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6062 nft_trans_destroy(trans);
6064 case NFT_MSG_NEWSET:
6065 trans->ctx.table->use--;
6066 list_del_rcu(&nft_trans_set(trans)->list);
6068 case NFT_MSG_DELSET:
6069 trans->ctx.table->use++;
6070 nft_clear(trans->ctx.net, nft_trans_set(trans));
6071 nft_trans_destroy(trans);
6073 case NFT_MSG_NEWSETELEM:
6074 te = (struct nft_trans_elem *)trans->data;
6076 te->set->ops->remove(net, te->set, &te->elem);
6077 atomic_dec(&te->set->nelems);
6079 case NFT_MSG_DELSETELEM:
6080 te = (struct nft_trans_elem *)trans->data;
6082 nft_set_elem_activate(net, te->set, &te->elem);
6083 te->set->ops->activate(net, te->set, &te->elem);
6086 nft_trans_destroy(trans);
6088 case NFT_MSG_NEWOBJ:
6089 trans->ctx.table->use--;
6090 list_del_rcu(&nft_trans_obj(trans)->list);
6092 case NFT_MSG_DELOBJ:
6093 trans->ctx.table->use++;
6094 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6095 nft_trans_destroy(trans);
6097 case NFT_MSG_NEWFLOWTABLE:
6098 trans->ctx.table->use--;
6099 list_del_rcu(&nft_trans_flowtable(trans)->list);
6100 nft_unregister_flowtable_net_hooks(net,
6101 nft_trans_flowtable(trans));
6103 case NFT_MSG_DELFLOWTABLE:
6104 trans->ctx.table->use++;
6105 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6106 nft_trans_destroy(trans);
6113 list_for_each_entry_safe_reverse(trans, next,
6114 &net->nft.commit_list, list) {
6115 list_del(&trans->list);
6116 nf_tables_abort_release(trans);
6122 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6124 return net->nft.base_seq == genid;
6127 static const struct nfnetlink_subsystem nf_tables_subsys = {
6128 .name = "nf_tables",
6129 .subsys_id = NFNL_SUBSYS_NFTABLES,
6130 .cb_count = NFT_MSG_MAX,
6132 .commit = nf_tables_commit,
6133 .abort = nf_tables_abort,
6134 .valid_genid = nf_tables_valid_genid,
6137 int nft_chain_validate_dependency(const struct nft_chain *chain,
6138 enum nft_chain_types type)
6140 const struct nft_base_chain *basechain;
6142 if (nft_is_base_chain(chain)) {
6143 basechain = nft_base_chain(chain);
6144 if (basechain->type->type != type)
6149 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6151 int nft_chain_validate_hooks(const struct nft_chain *chain,
6152 unsigned int hook_flags)
6154 struct nft_base_chain *basechain;
6156 if (nft_is_base_chain(chain)) {
6157 basechain = nft_base_chain(chain);
6159 if ((1 << basechain->ops.hooknum) & hook_flags)
6167 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6170 * Loop detection - walk through the ruleset beginning at the destination chain
6171 * of a new jump until either the source chain is reached (loop) or all
6172 * reachable chains have been traversed.
6174 * The loop check is performed whenever a new jump verdict is added to an
6175 * expression or verdict map or a verdict map is bound to a new chain.
6178 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6179 const struct nft_chain *chain);
6181 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6182 struct nft_set *set,
6183 const struct nft_set_iter *iter,
6184 struct nft_set_elem *elem)
6186 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6187 const struct nft_data *data;
6189 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6190 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6193 data = nft_set_ext_data(ext);
6194 switch (data->verdict.code) {
6197 return nf_tables_check_loops(ctx, data->verdict.chain);
6203 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6204 const struct nft_chain *chain)
6206 const struct nft_rule *rule;
6207 const struct nft_expr *expr, *last;
6208 struct nft_set *set;
6209 struct nft_set_binding *binding;
6210 struct nft_set_iter iter;
6212 if (ctx->chain == chain)
6215 list_for_each_entry(rule, &chain->rules, list) {
6216 nft_rule_for_each_expr(expr, last, rule) {
6217 const struct nft_data *data = NULL;
6220 if (!expr->ops->validate)
6223 err = expr->ops->validate(ctx, expr, &data);
6230 switch (data->verdict.code) {
6233 err = nf_tables_check_loops(ctx,
6234 data->verdict.chain);
6243 list_for_each_entry(set, &ctx->table->sets, list) {
6244 if (!nft_is_active_next(ctx->net, set))
6246 if (!(set->flags & NFT_SET_MAP) ||
6247 set->dtype != NFT_DATA_VERDICT)
6250 list_for_each_entry(binding, &set->bindings, list) {
6251 if (!(binding->flags & NFT_SET_MAP) ||
6252 binding->chain != chain)
6255 iter.genmask = nft_genmask_next(ctx->net);
6259 iter.fn = nf_tables_loop_check_setelem;
6261 set->ops->walk(ctx, set, &iter);
6271 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6273 * @attr: netlink attribute to fetch value from
6274 * @max: maximum value to be stored in dest
6275 * @dest: pointer to the variable
6277 * Parse, check and store a given u32 netlink attribute into variable.
6278 * This function returns -ERANGE if the value goes over maximum value.
6279 * Otherwise a 0 is returned and the attribute value is stored in the
6280 * destination variable.
6282 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6286 val = ntohl(nla_get_be32(attr));
6293 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6296 * nft_parse_register - parse a register value from a netlink attribute
6298 * @attr: netlink attribute
6300 * Parse and translate a register value from a netlink attribute.
6301 * Registers used to be 128 bit wide, these register numbers will be
6302 * mapped to the corresponding 32 bit register numbers.
6304 unsigned int nft_parse_register(const struct nlattr *attr)
6308 reg = ntohl(nla_get_be32(attr));
6310 case NFT_REG_VERDICT...NFT_REG_4:
6311 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6313 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6316 EXPORT_SYMBOL_GPL(nft_parse_register);
6319 * nft_dump_register - dump a register value to a netlink attribute
6321 * @skb: socket buffer
6322 * @attr: attribute number
6323 * @reg: register number
6325 * Construct a netlink attribute containing the register number. For
6326 * compatibility reasons, register numbers being a multiple of 4 are
6327 * translated to the corresponding 128 bit register numbers.
6329 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6331 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6332 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6334 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6336 return nla_put_be32(skb, attr, htonl(reg));
6338 EXPORT_SYMBOL_GPL(nft_dump_register);
6341 * nft_validate_register_load - validate a load from a register
6343 * @reg: the register number
6344 * @len: the length of the data
6346 * Validate that the input register is one of the general purpose
6347 * registers and that the length of the load is within the bounds.
6349 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6351 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6355 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6360 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6363 * nft_validate_register_store - validate an expressions' register store
6365 * @ctx: context of the expression performing the load
6366 * @reg: the destination register number
6367 * @data: the data to load
6368 * @type: the data type
6369 * @len: the length of the data
6371 * Validate that a data load uses the appropriate data type for
6372 * the destination register and the length is within the bounds.
6373 * A value of NULL for the data means that its runtime gathered
6376 int nft_validate_register_store(const struct nft_ctx *ctx,
6377 enum nft_registers reg,
6378 const struct nft_data *data,
6379 enum nft_data_types type, unsigned int len)
6384 case NFT_REG_VERDICT:
6385 if (type != NFT_DATA_VERDICT)
6389 (data->verdict.code == NFT_GOTO ||
6390 data->verdict.code == NFT_JUMP)) {
6391 err = nf_tables_check_loops(ctx, data->verdict.chain);
6395 if (ctx->chain->level + 1 >
6396 data->verdict.chain->level) {
6397 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6399 data->verdict.chain->level = ctx->chain->level + 1;
6405 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6409 if (reg * NFT_REG32_SIZE + len >
6410 FIELD_SIZEOF(struct nft_regs, data))
6413 if (data != NULL && type != NFT_DATA_VALUE)
6418 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6420 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6421 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6422 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6423 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6426 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6427 struct nft_data_desc *desc, const struct nlattr *nla)
6429 u8 genmask = nft_genmask_next(ctx->net);
6430 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6431 struct nft_chain *chain;
6434 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6439 if (!tb[NFTA_VERDICT_CODE])
6441 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6443 switch (data->verdict.code) {
6445 switch (data->verdict.code & NF_VERDICT_MASK) {
6460 if (!tb[NFTA_VERDICT_CHAIN])
6462 chain = nf_tables_chain_lookup(ctx->table,
6463 tb[NFTA_VERDICT_CHAIN], genmask);
6465 return PTR_ERR(chain);
6466 if (nft_is_base_chain(chain))
6470 data->verdict.chain = chain;
6474 desc->len = sizeof(data->verdict);
6475 desc->type = NFT_DATA_VERDICT;
6479 static void nft_verdict_uninit(const struct nft_data *data)
6481 switch (data->verdict.code) {
6484 data->verdict.chain->use--;
6489 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6491 struct nlattr *nest;
6493 nest = nla_nest_start(skb, type);
6495 goto nla_put_failure;
6497 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6498 goto nla_put_failure;
6503 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6505 goto nla_put_failure;
6507 nla_nest_end(skb, nest);
6514 static int nft_value_init(const struct nft_ctx *ctx,
6515 struct nft_data *data, unsigned int size,
6516 struct nft_data_desc *desc, const struct nlattr *nla)
6526 nla_memcpy(data->data, nla, len);
6527 desc->type = NFT_DATA_VALUE;
6532 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6535 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6538 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6539 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6540 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6544 * nft_data_init - parse nf_tables data netlink attributes
6546 * @ctx: context of the expression using the data
6547 * @data: destination struct nft_data
6548 * @size: maximum data length
6549 * @desc: data description
6550 * @nla: netlink attribute containing data
6552 * Parse the netlink data attributes and initialize a struct nft_data.
6553 * The type and length of data are returned in the data description.
6555 * The caller can indicate that it only wants to accept data of type
6556 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6558 int nft_data_init(const struct nft_ctx *ctx,
6559 struct nft_data *data, unsigned int size,
6560 struct nft_data_desc *desc, const struct nlattr *nla)
6562 struct nlattr *tb[NFTA_DATA_MAX + 1];
6565 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6569 if (tb[NFTA_DATA_VALUE])
6570 return nft_value_init(ctx, data, size, desc,
6571 tb[NFTA_DATA_VALUE]);
6572 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6573 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6576 EXPORT_SYMBOL_GPL(nft_data_init);
6579 * nft_data_release - release a nft_data item
6581 * @data: struct nft_data to release
6582 * @type: type of data
6584 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6585 * all others need to be released by calling this function.
6587 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6589 if (type < NFT_DATA_VERDICT)
6592 case NFT_DATA_VERDICT:
6593 return nft_verdict_uninit(data);
6598 EXPORT_SYMBOL_GPL(nft_data_release);
6600 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6601 enum nft_data_types type, unsigned int len)
6603 struct nlattr *nest;
6606 nest = nla_nest_start(skb, attr);
6611 case NFT_DATA_VALUE:
6612 err = nft_value_dump(skb, data, len);
6614 case NFT_DATA_VERDICT:
6615 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6622 nla_nest_end(skb, nest);
6625 EXPORT_SYMBOL_GPL(nft_data_dump);
6627 int __nft_release_basechain(struct nft_ctx *ctx)
6629 struct nft_rule *rule, *nr;
6631 BUG_ON(!nft_is_base_chain(ctx->chain));
6633 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6634 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6635 list_del(&rule->list);
6637 nf_tables_rule_release(ctx, rule);
6639 list_del(&ctx->chain->list);
6641 nf_tables_chain_destroy(ctx);
6645 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6647 static void __nft_release_tables(struct net *net)
6649 struct nft_flowtable *flowtable, *nf;
6650 struct nft_table *table, *nt;
6651 struct nft_chain *chain, *nc;
6652 struct nft_object *obj, *ne;
6653 struct nft_rule *rule, *nr;
6654 struct nft_set *set, *ns;
6655 struct nft_ctx ctx = {
6657 .family = NFPROTO_NETDEV,
6660 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6661 ctx.family = table->family;
6663 list_for_each_entry(chain, &table->chains, list)
6664 nf_tables_unregister_hook(net, table, chain);
6665 list_for_each_entry(flowtable, &table->flowtables, list)
6666 nf_unregister_net_hooks(net, flowtable->ops,
6667 flowtable->ops_len);
6668 /* No packets are walking on these chains anymore. */
6670 list_for_each_entry(chain, &table->chains, list) {
6672 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6673 list_del(&rule->list);
6675 nf_tables_rule_release(&ctx, rule);
6678 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6679 list_del(&flowtable->list);
6681 nf_tables_flowtable_destroy(flowtable);
6683 list_for_each_entry_safe(set, ns, &table->sets, list) {
6684 list_del(&set->list);
6686 nft_set_destroy(set);
6688 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6689 list_del(&obj->list);
6691 nft_obj_destroy(obj);
6693 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6695 list_del(&chain->list);
6697 nf_tables_chain_destroy(&ctx);
6699 list_del(&table->list);
6700 nf_tables_table_destroy(&ctx);
6704 static int __net_init nf_tables_init_net(struct net *net)
6706 INIT_LIST_HEAD(&net->nft.tables);
6707 INIT_LIST_HEAD(&net->nft.commit_list);
6708 net->nft.base_seq = 1;
6712 static void __net_exit nf_tables_exit_net(struct net *net)
6714 __nft_release_tables(net);
6715 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6716 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6719 static struct pernet_operations nf_tables_net_ops = {
6720 .init = nf_tables_init_net,
6721 .exit = nf_tables_exit_net,
6724 static int __init nf_tables_module_init(void)
6728 nft_chain_filter_init();
6730 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6737 err = nf_tables_core_module_init();
6741 err = nfnetlink_subsys_register(&nf_tables_subsys);
6745 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6747 return register_pernet_subsys(&nf_tables_net_ops);
6749 nf_tables_core_module_exit();
6756 static void __exit nf_tables_module_exit(void)
6758 unregister_pernet_subsys(&nf_tables_net_ops);
6759 nfnetlink_subsys_unregister(&nf_tables_subsys);
6760 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6762 nf_tables_core_module_exit();
6764 nft_chain_filter_fini();
6767 module_init(nf_tables_module_init);
6768 module_exit(nf_tables_module_exit);
6770 MODULE_LICENSE("GPL");
6771 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6772 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-microblaze.git / blob