2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/rhashtable.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter/nfnetlink.h>
20 #include <linux/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_flow_table.h>
22 #include <net/netfilter/nf_tables_core.h>
23 #include <net/netfilter/nf_tables.h>
24 #include <net/net_namespace.h>
27 static LIST_HEAD(nf_tables_expressions
);
28 static LIST_HEAD(nf_tables_objects
);
29 static LIST_HEAD(nf_tables_flowtables
);
30 static u64 table_handle
;
33 NFT_VALIDATE_SKIP
= 0,
38 static u32
nft_chain_hash(const void *data
, u32 len
, u32 seed
);
39 static u32
nft_chain_hash_obj(const void *data
, u32 len
, u32 seed
);
40 static int nft_chain_hash_cmp(struct rhashtable_compare_arg
*, const void *);
42 static const struct rhashtable_params nft_chain_ht_params
= {
43 .head_offset
= offsetof(struct nft_chain
, rhlhead
),
44 .key_offset
= offsetof(struct nft_chain
, name
),
45 .hashfn
= nft_chain_hash
,
46 .obj_hashfn
= nft_chain_hash_obj
,
47 .obj_cmpfn
= nft_chain_hash_cmp
,
49 .automatic_shrinking
= true,
52 static void nft_validate_state_update(struct net
*net
, u8 new_validate_state
)
54 switch (net
->nft
.validate_state
) {
55 case NFT_VALIDATE_SKIP
:
56 WARN_ON_ONCE(new_validate_state
== NFT_VALIDATE_DO
);
58 case NFT_VALIDATE_NEED
:
61 if (new_validate_state
== NFT_VALIDATE_NEED
)
65 net
->nft
.validate_state
= new_validate_state
;
68 static void nft_ctx_init(struct nft_ctx
*ctx
,
70 const struct sk_buff
*skb
,
71 const struct nlmsghdr
*nlh
,
73 struct nft_table
*table
,
74 struct nft_chain
*chain
,
75 const struct nlattr
* const *nla
)
83 ctx
->portid
= NETLINK_CB(skb
).portid
;
84 ctx
->report
= nlmsg_report(nlh
);
85 ctx
->seq
= nlh
->nlmsg_seq
;
88 static struct nft_trans
*nft_trans_alloc_gfp(const struct nft_ctx
*ctx
,
89 int msg_type
, u32 size
, gfp_t gfp
)
91 struct nft_trans
*trans
;
93 trans
= kzalloc(sizeof(struct nft_trans
) + size
, gfp
);
97 trans
->msg_type
= msg_type
;
103 static struct nft_trans
*nft_trans_alloc(const struct nft_ctx
*ctx
,
104 int msg_type
, u32 size
)
106 return nft_trans_alloc_gfp(ctx
, msg_type
, size
, GFP_KERNEL
);
109 static void nft_trans_destroy(struct nft_trans
*trans
)
111 list_del(&trans
->list
);
115 static int nf_tables_register_hook(struct net
*net
,
116 const struct nft_table
*table
,
117 struct nft_chain
*chain
)
119 const struct nft_base_chain
*basechain
;
120 const struct nf_hook_ops
*ops
;
122 if (table
->flags
& NFT_TABLE_F_DORMANT
||
123 !nft_is_base_chain(chain
))
126 basechain
= nft_base_chain(chain
);
127 ops
= &basechain
->ops
;
129 if (basechain
->type
->ops_register
)
130 return basechain
->type
->ops_register(net
, ops
);
132 return nf_register_net_hook(net
, ops
);
135 static void nf_tables_unregister_hook(struct net
*net
,
136 const struct nft_table
*table
,
137 struct nft_chain
*chain
)
139 const struct nft_base_chain
*basechain
;
140 const struct nf_hook_ops
*ops
;
142 if (table
->flags
& NFT_TABLE_F_DORMANT
||
143 !nft_is_base_chain(chain
))
145 basechain
= nft_base_chain(chain
);
146 ops
= &basechain
->ops
;
148 if (basechain
->type
->ops_unregister
)
149 return basechain
->type
->ops_unregister(net
, ops
);
151 nf_unregister_net_hook(net
, ops
);
154 static int nft_trans_table_add(struct nft_ctx
*ctx
, int msg_type
)
156 struct nft_trans
*trans
;
158 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_table
));
162 if (msg_type
== NFT_MSG_NEWTABLE
)
163 nft_activate_next(ctx
->net
, ctx
->table
);
165 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
169 static int nft_deltable(struct nft_ctx
*ctx
)
173 err
= nft_trans_table_add(ctx
, NFT_MSG_DELTABLE
);
177 nft_deactivate_next(ctx
->net
, ctx
->table
);
181 static int nft_trans_chain_add(struct nft_ctx
*ctx
, int msg_type
)
183 struct nft_trans
*trans
;
185 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_chain
));
189 if (msg_type
== NFT_MSG_NEWCHAIN
)
190 nft_activate_next(ctx
->net
, ctx
->chain
);
192 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
196 static int nft_delchain(struct nft_ctx
*ctx
)
200 err
= nft_trans_chain_add(ctx
, NFT_MSG_DELCHAIN
);
205 nft_deactivate_next(ctx
->net
, ctx
->chain
);
210 static void nft_rule_expr_activate(const struct nft_ctx
*ctx
,
211 struct nft_rule
*rule
)
213 struct nft_expr
*expr
;
215 expr
= nft_expr_first(rule
);
216 while (expr
!= nft_expr_last(rule
) && expr
->ops
) {
217 if (expr
->ops
->activate
)
218 expr
->ops
->activate(ctx
, expr
);
220 expr
= nft_expr_next(expr
);
224 static void nft_rule_expr_deactivate(const struct nft_ctx
*ctx
,
225 struct nft_rule
*rule
)
227 struct nft_expr
*expr
;
229 expr
= nft_expr_first(rule
);
230 while (expr
!= nft_expr_last(rule
) && expr
->ops
) {
231 if (expr
->ops
->deactivate
)
232 expr
->ops
->deactivate(ctx
, expr
);
234 expr
= nft_expr_next(expr
);
239 nf_tables_delrule_deactivate(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
241 /* You cannot delete the same rule twice */
242 if (nft_is_active_next(ctx
->net
, rule
)) {
243 nft_deactivate_next(ctx
->net
, rule
);
250 static struct nft_trans
*nft_trans_rule_add(struct nft_ctx
*ctx
, int msg_type
,
251 struct nft_rule
*rule
)
253 struct nft_trans
*trans
;
255 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_rule
));
259 if (msg_type
== NFT_MSG_NEWRULE
&& ctx
->nla
[NFTA_RULE_ID
] != NULL
) {
260 nft_trans_rule_id(trans
) =
261 ntohl(nla_get_be32(ctx
->nla
[NFTA_RULE_ID
]));
263 nft_trans_rule(trans
) = rule
;
264 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
269 static int nft_delrule(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
271 struct nft_trans
*trans
;
274 trans
= nft_trans_rule_add(ctx
, NFT_MSG_DELRULE
, rule
);
278 err
= nf_tables_delrule_deactivate(ctx
, rule
);
280 nft_trans_destroy(trans
);
283 nft_rule_expr_deactivate(ctx
, rule
);
288 static int nft_delrule_by_chain(struct nft_ctx
*ctx
)
290 struct nft_rule
*rule
;
293 list_for_each_entry(rule
, &ctx
->chain
->rules
, list
) {
294 err
= nft_delrule(ctx
, rule
);
301 static int nft_trans_set_add(struct nft_ctx
*ctx
, int msg_type
,
304 struct nft_trans
*trans
;
306 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_set
));
310 if (msg_type
== NFT_MSG_NEWSET
&& ctx
->nla
[NFTA_SET_ID
] != NULL
) {
311 nft_trans_set_id(trans
) =
312 ntohl(nla_get_be32(ctx
->nla
[NFTA_SET_ID
]));
313 nft_activate_next(ctx
->net
, set
);
315 nft_trans_set(trans
) = set
;
316 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
321 static int nft_delset(struct nft_ctx
*ctx
, struct nft_set
*set
)
325 err
= nft_trans_set_add(ctx
, NFT_MSG_DELSET
, set
);
329 nft_deactivate_next(ctx
->net
, set
);
335 static int nft_trans_obj_add(struct nft_ctx
*ctx
, int msg_type
,
336 struct nft_object
*obj
)
338 struct nft_trans
*trans
;
340 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_obj
));
344 if (msg_type
== NFT_MSG_NEWOBJ
)
345 nft_activate_next(ctx
->net
, obj
);
347 nft_trans_obj(trans
) = obj
;
348 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
353 static int nft_delobj(struct nft_ctx
*ctx
, struct nft_object
*obj
)
357 err
= nft_trans_obj_add(ctx
, NFT_MSG_DELOBJ
, obj
);
361 nft_deactivate_next(ctx
->net
, obj
);
367 static int nft_trans_flowtable_add(struct nft_ctx
*ctx
, int msg_type
,
368 struct nft_flowtable
*flowtable
)
370 struct nft_trans
*trans
;
372 trans
= nft_trans_alloc(ctx
, msg_type
,
373 sizeof(struct nft_trans_flowtable
));
377 if (msg_type
== NFT_MSG_NEWFLOWTABLE
)
378 nft_activate_next(ctx
->net
, flowtable
);
380 nft_trans_flowtable(trans
) = flowtable
;
381 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
386 static int nft_delflowtable(struct nft_ctx
*ctx
,
387 struct nft_flowtable
*flowtable
)
391 err
= nft_trans_flowtable_add(ctx
, NFT_MSG_DELFLOWTABLE
, flowtable
);
395 nft_deactivate_next(ctx
->net
, flowtable
);
405 static struct nft_table
*nft_table_lookup(const struct net
*net
,
406 const struct nlattr
*nla
,
407 u8 family
, u8 genmask
)
409 struct nft_table
*table
;
412 return ERR_PTR(-EINVAL
);
414 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
415 if (!nla_strcmp(nla
, table
->name
) &&
416 table
->family
== family
&&
417 nft_active_genmask(table
, genmask
))
421 return ERR_PTR(-ENOENT
);
424 static struct nft_table
*nft_table_lookup_byhandle(const struct net
*net
,
425 const struct nlattr
*nla
,
428 struct nft_table
*table
;
430 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
431 if (be64_to_cpu(nla_get_be64(nla
)) == table
->handle
&&
432 nft_active_genmask(table
, genmask
))
436 return ERR_PTR(-ENOENT
);
439 static inline u64
nf_tables_alloc_handle(struct nft_table
*table
)
441 return ++table
->hgenerator
;
444 static const struct nft_chain_type
*chain_type
[NFPROTO_NUMPROTO
][NFT_CHAIN_T_MAX
];
446 static const struct nft_chain_type
*
447 __nf_tables_chain_type_lookup(const struct nlattr
*nla
, u8 family
)
451 for (i
= 0; i
< NFT_CHAIN_T_MAX
; i
++) {
452 if (chain_type
[family
][i
] != NULL
&&
453 !nla_strcmp(nla
, chain_type
[family
][i
]->name
))
454 return chain_type
[family
][i
];
460 * Loading a module requires dropping mutex that guards the
462 * We first need to abort any pending transactions as once
463 * mutex is unlocked a different client could start a new
464 * transaction. It must not see any 'future generation'
465 * changes * as these changes will never happen.
467 #ifdef CONFIG_MODULES
468 static int __nf_tables_abort(struct net
*net
);
470 static void nft_request_module(struct net
*net
, const char *fmt
, ...)
472 char module_name
[MODULE_NAME_LEN
];
476 __nf_tables_abort(net
);
479 ret
= vsnprintf(module_name
, MODULE_NAME_LEN
, fmt
, args
);
481 if (WARN(ret
>= MODULE_NAME_LEN
, "truncated: '%s' (len %d)", module_name
, ret
))
484 mutex_unlock(&net
->nft
.commit_mutex
);
485 request_module("%s", module_name
);
486 mutex_lock(&net
->nft
.commit_mutex
);
490 static void lockdep_nfnl_nft_mutex_not_held(void)
492 #ifdef CONFIG_PROVE_LOCKING
493 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES
));
497 static const struct nft_chain_type
*
498 nf_tables_chain_type_lookup(struct net
*net
, const struct nlattr
*nla
,
499 u8 family
, bool autoload
)
501 const struct nft_chain_type
*type
;
503 type
= __nf_tables_chain_type_lookup(nla
, family
);
507 lockdep_nfnl_nft_mutex_not_held();
508 #ifdef CONFIG_MODULES
510 nft_request_module(net
, "nft-chain-%u-%.*s", family
,
511 nla_len(nla
), (const char *)nla_data(nla
));
512 type
= __nf_tables_chain_type_lookup(nla
, family
);
514 return ERR_PTR(-EAGAIN
);
517 return ERR_PTR(-ENOENT
);
520 static const struct nla_policy nft_table_policy
[NFTA_TABLE_MAX
+ 1] = {
521 [NFTA_TABLE_NAME
] = { .type
= NLA_STRING
,
522 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
523 [NFTA_TABLE_FLAGS
] = { .type
= NLA_U32
},
524 [NFTA_TABLE_HANDLE
] = { .type
= NLA_U64
},
527 static int nf_tables_fill_table_info(struct sk_buff
*skb
, struct net
*net
,
528 u32 portid
, u32 seq
, int event
, u32 flags
,
529 int family
, const struct nft_table
*table
)
531 struct nlmsghdr
*nlh
;
532 struct nfgenmsg
*nfmsg
;
534 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
535 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
537 goto nla_put_failure
;
539 nfmsg
= nlmsg_data(nlh
);
540 nfmsg
->nfgen_family
= family
;
541 nfmsg
->version
= NFNETLINK_V0
;
542 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
544 if (nla_put_string(skb
, NFTA_TABLE_NAME
, table
->name
) ||
545 nla_put_be32(skb
, NFTA_TABLE_FLAGS
, htonl(table
->flags
)) ||
546 nla_put_be32(skb
, NFTA_TABLE_USE
, htonl(table
->use
)) ||
547 nla_put_be64(skb
, NFTA_TABLE_HANDLE
, cpu_to_be64(table
->handle
),
549 goto nla_put_failure
;
555 nlmsg_trim(skb
, nlh
);
559 static void nf_tables_table_notify(const struct nft_ctx
*ctx
, int event
)
565 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
568 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
572 err
= nf_tables_fill_table_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
573 event
, 0, ctx
->family
, ctx
->table
);
579 nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
580 ctx
->report
, GFP_KERNEL
);
583 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
586 static int nf_tables_dump_tables(struct sk_buff
*skb
,
587 struct netlink_callback
*cb
)
589 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
590 const struct nft_table
*table
;
591 unsigned int idx
= 0, s_idx
= cb
->args
[0];
592 struct net
*net
= sock_net(skb
->sk
);
593 int family
= nfmsg
->nfgen_family
;
596 cb
->seq
= net
->nft
.base_seq
;
598 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
599 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
605 memset(&cb
->args
[1], 0,
606 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
607 if (!nft_is_active(net
, table
))
609 if (nf_tables_fill_table_info(skb
, net
,
610 NETLINK_CB(cb
->skb
).portid
,
612 NFT_MSG_NEWTABLE
, NLM_F_MULTI
,
613 table
->family
, table
) < 0)
616 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
626 static int nft_netlink_dump_start_rcu(struct sock
*nlsk
, struct sk_buff
*skb
,
627 const struct nlmsghdr
*nlh
,
628 struct netlink_dump_control
*c
)
632 if (!try_module_get(THIS_MODULE
))
636 err
= netlink_dump_start(nlsk
, skb
, nlh
, c
);
638 module_put(THIS_MODULE
);
643 /* called with rcu_read_lock held */
644 static int nf_tables_gettable(struct net
*net
, struct sock
*nlsk
,
645 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
646 const struct nlattr
* const nla
[],
647 struct netlink_ext_ack
*extack
)
649 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
650 u8 genmask
= nft_genmask_cur(net
);
651 const struct nft_table
*table
;
652 struct sk_buff
*skb2
;
653 int family
= nfmsg
->nfgen_family
;
656 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
657 struct netlink_dump_control c
= {
658 .dump
= nf_tables_dump_tables
,
659 .module
= THIS_MODULE
,
662 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
665 table
= nft_table_lookup(net
, nla
[NFTA_TABLE_NAME
], family
, genmask
);
667 NL_SET_BAD_ATTR(extack
, nla
[NFTA_TABLE_NAME
]);
668 return PTR_ERR(table
);
671 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
675 err
= nf_tables_fill_table_info(skb2
, net
, NETLINK_CB(skb
).portid
,
676 nlh
->nlmsg_seq
, NFT_MSG_NEWTABLE
, 0,
681 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
688 static void nft_table_disable(struct net
*net
, struct nft_table
*table
, u32 cnt
)
690 struct nft_chain
*chain
;
693 list_for_each_entry(chain
, &table
->chains
, list
) {
694 if (!nft_is_active_next(net
, chain
))
696 if (!nft_is_base_chain(chain
))
699 if (cnt
&& i
++ == cnt
)
702 nf_unregister_net_hook(net
, &nft_base_chain(chain
)->ops
);
706 static int nf_tables_table_enable(struct net
*net
, struct nft_table
*table
)
708 struct nft_chain
*chain
;
711 list_for_each_entry(chain
, &table
->chains
, list
) {
712 if (!nft_is_active_next(net
, chain
))
714 if (!nft_is_base_chain(chain
))
717 err
= nf_register_net_hook(net
, &nft_base_chain(chain
)->ops
);
726 nft_table_disable(net
, table
, i
);
730 static void nf_tables_table_disable(struct net
*net
, struct nft_table
*table
)
732 nft_table_disable(net
, table
, 0);
735 static int nf_tables_updtable(struct nft_ctx
*ctx
)
737 struct nft_trans
*trans
;
741 if (!ctx
->nla
[NFTA_TABLE_FLAGS
])
744 flags
= ntohl(nla_get_be32(ctx
->nla
[NFTA_TABLE_FLAGS
]));
745 if (flags
& ~NFT_TABLE_F_DORMANT
)
748 if (flags
== ctx
->table
->flags
)
751 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWTABLE
,
752 sizeof(struct nft_trans_table
));
756 if ((flags
& NFT_TABLE_F_DORMANT
) &&
757 !(ctx
->table
->flags
& NFT_TABLE_F_DORMANT
)) {
758 nft_trans_table_enable(trans
) = false;
759 } else if (!(flags
& NFT_TABLE_F_DORMANT
) &&
760 ctx
->table
->flags
& NFT_TABLE_F_DORMANT
) {
761 ret
= nf_tables_table_enable(ctx
->net
, ctx
->table
);
763 ctx
->table
->flags
&= ~NFT_TABLE_F_DORMANT
;
764 nft_trans_table_enable(trans
) = true;
770 nft_trans_table_update(trans
) = true;
771 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
774 nft_trans_destroy(trans
);
778 static u32
nft_chain_hash(const void *data
, u32 len
, u32 seed
)
780 const char *name
= data
;
782 return jhash(name
, strlen(name
), seed
);
785 static u32
nft_chain_hash_obj(const void *data
, u32 len
, u32 seed
)
787 const struct nft_chain
*chain
= data
;
789 return nft_chain_hash(chain
->name
, 0, seed
);
792 static int nft_chain_hash_cmp(struct rhashtable_compare_arg
*arg
,
795 const struct nft_chain
*chain
= ptr
;
796 const char *name
= arg
->key
;
798 return strcmp(chain
->name
, name
);
801 static int nf_tables_newtable(struct net
*net
, struct sock
*nlsk
,
802 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
803 const struct nlattr
* const nla
[],
804 struct netlink_ext_ack
*extack
)
806 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
807 u8 genmask
= nft_genmask_next(net
);
808 int family
= nfmsg
->nfgen_family
;
809 const struct nlattr
*attr
;
810 struct nft_table
*table
;
815 lockdep_assert_held(&net
->nft
.commit_mutex
);
816 attr
= nla
[NFTA_TABLE_NAME
];
817 table
= nft_table_lookup(net
, attr
, family
, genmask
);
819 if (PTR_ERR(table
) != -ENOENT
)
820 return PTR_ERR(table
);
822 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
823 NL_SET_BAD_ATTR(extack
, attr
);
826 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
829 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
830 return nf_tables_updtable(&ctx
);
833 if (nla
[NFTA_TABLE_FLAGS
]) {
834 flags
= ntohl(nla_get_be32(nla
[NFTA_TABLE_FLAGS
]));
835 if (flags
& ~NFT_TABLE_F_DORMANT
)
840 table
= kzalloc(sizeof(*table
), GFP_KERNEL
);
844 table
->name
= nla_strdup(attr
, GFP_KERNEL
);
845 if (table
->name
== NULL
)
848 err
= rhltable_init(&table
->chains_ht
, &nft_chain_ht_params
);
852 INIT_LIST_HEAD(&table
->chains
);
853 INIT_LIST_HEAD(&table
->sets
);
854 INIT_LIST_HEAD(&table
->objects
);
855 INIT_LIST_HEAD(&table
->flowtables
);
856 table
->family
= family
;
857 table
->flags
= flags
;
858 table
->handle
= ++table_handle
;
860 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
861 err
= nft_trans_table_add(&ctx
, NFT_MSG_NEWTABLE
);
865 list_add_tail_rcu(&table
->list
, &net
->nft
.tables
);
868 rhltable_destroy(&table
->chains_ht
);
877 static int nft_flush_table(struct nft_ctx
*ctx
)
879 struct nft_flowtable
*flowtable
, *nft
;
880 struct nft_chain
*chain
, *nc
;
881 struct nft_object
*obj
, *ne
;
882 struct nft_set
*set
, *ns
;
885 list_for_each_entry(chain
, &ctx
->table
->chains
, list
) {
886 if (!nft_is_active_next(ctx
->net
, chain
))
891 err
= nft_delrule_by_chain(ctx
);
896 list_for_each_entry_safe(set
, ns
, &ctx
->table
->sets
, list
) {
897 if (!nft_is_active_next(ctx
->net
, set
))
900 if (nft_set_is_anonymous(set
) &&
901 !list_empty(&set
->bindings
))
904 err
= nft_delset(ctx
, set
);
909 list_for_each_entry_safe(flowtable
, nft
, &ctx
->table
->flowtables
, list
) {
910 err
= nft_delflowtable(ctx
, flowtable
);
915 list_for_each_entry_safe(obj
, ne
, &ctx
->table
->objects
, list
) {
916 err
= nft_delobj(ctx
, obj
);
921 list_for_each_entry_safe(chain
, nc
, &ctx
->table
->chains
, list
) {
922 if (!nft_is_active_next(ctx
->net
, chain
))
927 err
= nft_delchain(ctx
);
932 err
= nft_deltable(ctx
);
937 static int nft_flush(struct nft_ctx
*ctx
, int family
)
939 struct nft_table
*table
, *nt
;
940 const struct nlattr
* const *nla
= ctx
->nla
;
943 list_for_each_entry_safe(table
, nt
, &ctx
->net
->nft
.tables
, list
) {
944 if (family
!= AF_UNSPEC
&& table
->family
!= family
)
947 ctx
->family
= table
->family
;
949 if (!nft_is_active_next(ctx
->net
, table
))
952 if (nla
[NFTA_TABLE_NAME
] &&
953 nla_strcmp(nla
[NFTA_TABLE_NAME
], table
->name
) != 0)
958 err
= nft_flush_table(ctx
);
966 static int nf_tables_deltable(struct net
*net
, struct sock
*nlsk
,
967 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
968 const struct nlattr
* const nla
[],
969 struct netlink_ext_ack
*extack
)
971 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
972 u8 genmask
= nft_genmask_next(net
);
973 int family
= nfmsg
->nfgen_family
;
974 const struct nlattr
*attr
;
975 struct nft_table
*table
;
978 nft_ctx_init(&ctx
, net
, skb
, nlh
, 0, NULL
, NULL
, nla
);
979 if (family
== AF_UNSPEC
||
980 (!nla
[NFTA_TABLE_NAME
] && !nla
[NFTA_TABLE_HANDLE
]))
981 return nft_flush(&ctx
, family
);
983 if (nla
[NFTA_TABLE_HANDLE
]) {
984 attr
= nla
[NFTA_TABLE_HANDLE
];
985 table
= nft_table_lookup_byhandle(net
, attr
, genmask
);
987 attr
= nla
[NFTA_TABLE_NAME
];
988 table
= nft_table_lookup(net
, attr
, family
, genmask
);
992 NL_SET_BAD_ATTR(extack
, attr
);
993 return PTR_ERR(table
);
996 if (nlh
->nlmsg_flags
& NLM_F_NONREC
&&
1000 ctx
.family
= family
;
1003 return nft_flush_table(&ctx
);
1006 static void nf_tables_table_destroy(struct nft_ctx
*ctx
)
1008 BUG_ON(ctx
->table
->use
> 0);
1010 rhltable_destroy(&ctx
->table
->chains_ht
);
1011 kfree(ctx
->table
->name
);
1015 void nft_register_chain_type(const struct nft_chain_type
*ctype
)
1017 if (WARN_ON(ctype
->family
>= NFPROTO_NUMPROTO
))
1020 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1021 if (WARN_ON(chain_type
[ctype
->family
][ctype
->type
] != NULL
)) {
1022 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1025 chain_type
[ctype
->family
][ctype
->type
] = ctype
;
1026 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1028 EXPORT_SYMBOL_GPL(nft_register_chain_type
);
1030 void nft_unregister_chain_type(const struct nft_chain_type
*ctype
)
1032 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1033 chain_type
[ctype
->family
][ctype
->type
] = NULL
;
1034 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1036 EXPORT_SYMBOL_GPL(nft_unregister_chain_type
);
1042 static struct nft_chain
*
1043 nft_chain_lookup_byhandle(const struct nft_table
*table
, u64 handle
, u8 genmask
)
1045 struct nft_chain
*chain
;
1047 list_for_each_entry(chain
, &table
->chains
, list
) {
1048 if (chain
->handle
== handle
&&
1049 nft_active_genmask(chain
, genmask
))
1053 return ERR_PTR(-ENOENT
);
1056 static bool lockdep_commit_lock_is_held(struct net
*net
)
1058 #ifdef CONFIG_PROVE_LOCKING
1059 return lockdep_is_held(&net
->nft
.commit_mutex
);
1065 static struct nft_chain
*nft_chain_lookup(struct net
*net
,
1066 struct nft_table
*table
,
1067 const struct nlattr
*nla
, u8 genmask
)
1069 char search
[NFT_CHAIN_MAXNAMELEN
+ 1];
1070 struct rhlist_head
*tmp
, *list
;
1071 struct nft_chain
*chain
;
1074 return ERR_PTR(-EINVAL
);
1076 nla_strlcpy(search
, nla
, sizeof(search
));
1078 WARN_ON(!rcu_read_lock_held() &&
1079 !lockdep_commit_lock_is_held(net
));
1081 chain
= ERR_PTR(-ENOENT
);
1083 list
= rhltable_lookup(&table
->chains_ht
, search
, nft_chain_ht_params
);
1087 rhl_for_each_entry_rcu(chain
, tmp
, list
, rhlhead
) {
1088 if (nft_active_genmask(chain
, genmask
))
1091 chain
= ERR_PTR(-ENOENT
);
1097 static const struct nla_policy nft_chain_policy
[NFTA_CHAIN_MAX
+ 1] = {
1098 [NFTA_CHAIN_TABLE
] = { .type
= NLA_STRING
,
1099 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
1100 [NFTA_CHAIN_HANDLE
] = { .type
= NLA_U64
},
1101 [NFTA_CHAIN_NAME
] = { .type
= NLA_STRING
,
1102 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
1103 [NFTA_CHAIN_HOOK
] = { .type
= NLA_NESTED
},
1104 [NFTA_CHAIN_POLICY
] = { .type
= NLA_U32
},
1105 [NFTA_CHAIN_TYPE
] = { .type
= NLA_STRING
},
1106 [NFTA_CHAIN_COUNTERS
] = { .type
= NLA_NESTED
},
1109 static const struct nla_policy nft_hook_policy
[NFTA_HOOK_MAX
+ 1] = {
1110 [NFTA_HOOK_HOOKNUM
] = { .type
= NLA_U32
},
1111 [NFTA_HOOK_PRIORITY
] = { .type
= NLA_U32
},
1112 [NFTA_HOOK_DEV
] = { .type
= NLA_STRING
,
1113 .len
= IFNAMSIZ
- 1 },
1116 static int nft_dump_stats(struct sk_buff
*skb
, struct nft_stats __percpu
*stats
)
1118 struct nft_stats
*cpu_stats
, total
;
1119 struct nlattr
*nest
;
1124 memset(&total
, 0, sizeof(total
));
1125 for_each_possible_cpu(cpu
) {
1126 cpu_stats
= per_cpu_ptr(stats
, cpu
);
1128 seq
= u64_stats_fetch_begin_irq(&cpu_stats
->syncp
);
1129 pkts
= cpu_stats
->pkts
;
1130 bytes
= cpu_stats
->bytes
;
1131 } while (u64_stats_fetch_retry_irq(&cpu_stats
->syncp
, seq
));
1133 total
.bytes
+= bytes
;
1135 nest
= nla_nest_start(skb
, NFTA_CHAIN_COUNTERS
);
1137 goto nla_put_failure
;
1139 if (nla_put_be64(skb
, NFTA_COUNTER_PACKETS
, cpu_to_be64(total
.pkts
),
1140 NFTA_COUNTER_PAD
) ||
1141 nla_put_be64(skb
, NFTA_COUNTER_BYTES
, cpu_to_be64(total
.bytes
),
1143 goto nla_put_failure
;
1145 nla_nest_end(skb
, nest
);
1152 static int nf_tables_fill_chain_info(struct sk_buff
*skb
, struct net
*net
,
1153 u32 portid
, u32 seq
, int event
, u32 flags
,
1154 int family
, const struct nft_table
*table
,
1155 const struct nft_chain
*chain
)
1157 struct nlmsghdr
*nlh
;
1158 struct nfgenmsg
*nfmsg
;
1160 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
1161 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
1163 goto nla_put_failure
;
1165 nfmsg
= nlmsg_data(nlh
);
1166 nfmsg
->nfgen_family
= family
;
1167 nfmsg
->version
= NFNETLINK_V0
;
1168 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
1170 if (nla_put_string(skb
, NFTA_CHAIN_TABLE
, table
->name
))
1171 goto nla_put_failure
;
1172 if (nla_put_be64(skb
, NFTA_CHAIN_HANDLE
, cpu_to_be64(chain
->handle
),
1174 goto nla_put_failure
;
1175 if (nla_put_string(skb
, NFTA_CHAIN_NAME
, chain
->name
))
1176 goto nla_put_failure
;
1178 if (nft_is_base_chain(chain
)) {
1179 const struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1180 const struct nf_hook_ops
*ops
= &basechain
->ops
;
1181 struct nlattr
*nest
;
1183 nest
= nla_nest_start(skb
, NFTA_CHAIN_HOOK
);
1185 goto nla_put_failure
;
1186 if (nla_put_be32(skb
, NFTA_HOOK_HOOKNUM
, htonl(ops
->hooknum
)))
1187 goto nla_put_failure
;
1188 if (nla_put_be32(skb
, NFTA_HOOK_PRIORITY
, htonl(ops
->priority
)))
1189 goto nla_put_failure
;
1190 if (basechain
->dev_name
[0] &&
1191 nla_put_string(skb
, NFTA_HOOK_DEV
, basechain
->dev_name
))
1192 goto nla_put_failure
;
1193 nla_nest_end(skb
, nest
);
1195 if (nla_put_be32(skb
, NFTA_CHAIN_POLICY
,
1196 htonl(basechain
->policy
)))
1197 goto nla_put_failure
;
1199 if (nla_put_string(skb
, NFTA_CHAIN_TYPE
, basechain
->type
->name
))
1200 goto nla_put_failure
;
1202 if (basechain
->stats
&& nft_dump_stats(skb
, basechain
->stats
))
1203 goto nla_put_failure
;
1206 if (nla_put_be32(skb
, NFTA_CHAIN_USE
, htonl(chain
->use
)))
1207 goto nla_put_failure
;
1209 nlmsg_end(skb
, nlh
);
1213 nlmsg_trim(skb
, nlh
);
1217 static void nf_tables_chain_notify(const struct nft_ctx
*ctx
, int event
)
1219 struct sk_buff
*skb
;
1223 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1226 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1230 err
= nf_tables_fill_chain_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1231 event
, 0, ctx
->family
, ctx
->table
,
1238 nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1239 ctx
->report
, GFP_KERNEL
);
1242 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
1245 static int nf_tables_dump_chains(struct sk_buff
*skb
,
1246 struct netlink_callback
*cb
)
1248 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1249 const struct nft_table
*table
;
1250 const struct nft_chain
*chain
;
1251 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1252 struct net
*net
= sock_net(skb
->sk
);
1253 int family
= nfmsg
->nfgen_family
;
1256 cb
->seq
= net
->nft
.base_seq
;
1258 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
1259 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
1262 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1266 memset(&cb
->args
[1], 0,
1267 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1268 if (!nft_is_active(net
, chain
))
1270 if (nf_tables_fill_chain_info(skb
, net
,
1271 NETLINK_CB(cb
->skb
).portid
,
1275 table
->family
, table
,
1279 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
1290 /* called with rcu_read_lock held */
1291 static int nf_tables_getchain(struct net
*net
, struct sock
*nlsk
,
1292 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1293 const struct nlattr
* const nla
[],
1294 struct netlink_ext_ack
*extack
)
1296 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1297 u8 genmask
= nft_genmask_cur(net
);
1298 const struct nft_chain
*chain
;
1299 struct nft_table
*table
;
1300 struct sk_buff
*skb2
;
1301 int family
= nfmsg
->nfgen_family
;
1304 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1305 struct netlink_dump_control c
= {
1306 .dump
= nf_tables_dump_chains
,
1307 .module
= THIS_MODULE
,
1310 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
1313 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
);
1314 if (IS_ERR(table
)) {
1315 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
1316 return PTR_ERR(table
);
1319 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1320 if (IS_ERR(chain
)) {
1321 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_NAME
]);
1322 return PTR_ERR(chain
);
1325 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
1329 err
= nf_tables_fill_chain_info(skb2
, net
, NETLINK_CB(skb
).portid
,
1330 nlh
->nlmsg_seq
, NFT_MSG_NEWCHAIN
, 0,
1331 family
, table
, chain
);
1335 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
1342 static const struct nla_policy nft_counter_policy
[NFTA_COUNTER_MAX
+ 1] = {
1343 [NFTA_COUNTER_PACKETS
] = { .type
= NLA_U64
},
1344 [NFTA_COUNTER_BYTES
] = { .type
= NLA_U64
},
1347 static struct nft_stats __percpu
*nft_stats_alloc(const struct nlattr
*attr
)
1349 struct nlattr
*tb
[NFTA_COUNTER_MAX
+1];
1350 struct nft_stats __percpu
*newstats
;
1351 struct nft_stats
*stats
;
1354 err
= nla_parse_nested(tb
, NFTA_COUNTER_MAX
, attr
, nft_counter_policy
,
1357 return ERR_PTR(err
);
1359 if (!tb
[NFTA_COUNTER_BYTES
] || !tb
[NFTA_COUNTER_PACKETS
])
1360 return ERR_PTR(-EINVAL
);
1362 newstats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1363 if (newstats
== NULL
)
1364 return ERR_PTR(-ENOMEM
);
1366 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1367 * are not exposed to userspace.
1370 stats
= this_cpu_ptr(newstats
);
1371 stats
->bytes
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_BYTES
]));
1372 stats
->pkts
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_PACKETS
]));
1378 static void nft_chain_stats_replace(struct nft_base_chain
*chain
,
1379 struct nft_stats __percpu
*newstats
)
1381 struct nft_stats __percpu
*oldstats
;
1383 if (newstats
== NULL
)
1387 oldstats
= nfnl_dereference(chain
->stats
, NFNL_SUBSYS_NFTABLES
);
1388 rcu_assign_pointer(chain
->stats
, newstats
);
1390 free_percpu(oldstats
);
1392 rcu_assign_pointer(chain
->stats
, newstats
);
1393 static_branch_inc(&nft_counters_enabled
);
1397 static void nf_tables_chain_free_chain_rules(struct nft_chain
*chain
)
1399 struct nft_rule
**g0
= rcu_dereference_raw(chain
->rules_gen_0
);
1400 struct nft_rule
**g1
= rcu_dereference_raw(chain
->rules_gen_1
);
1406 /* should be NULL either via abort or via successful commit */
1407 WARN_ON_ONCE(chain
->rules_next
);
1408 kvfree(chain
->rules_next
);
1411 static void nf_tables_chain_destroy(struct nft_ctx
*ctx
)
1413 struct nft_chain
*chain
= ctx
->chain
;
1415 BUG_ON(chain
->use
> 0);
1417 /* no concurrent access possible anymore */
1418 nf_tables_chain_free_chain_rules(chain
);
1420 if (nft_is_base_chain(chain
)) {
1421 struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1423 module_put(basechain
->type
->owner
);
1424 free_percpu(basechain
->stats
);
1425 if (basechain
->stats
)
1426 static_branch_dec(&nft_counters_enabled
);
1435 struct nft_chain_hook
{
1438 const struct nft_chain_type
*type
;
1439 struct net_device
*dev
;
1442 static int nft_chain_parse_hook(struct net
*net
,
1443 const struct nlattr
* const nla
[],
1444 struct nft_chain_hook
*hook
, u8 family
,
1447 struct nlattr
*ha
[NFTA_HOOK_MAX
+ 1];
1448 const struct nft_chain_type
*type
;
1449 struct net_device
*dev
;
1452 lockdep_assert_held(&net
->nft
.commit_mutex
);
1453 lockdep_nfnl_nft_mutex_not_held();
1455 err
= nla_parse_nested(ha
, NFTA_HOOK_MAX
, nla
[NFTA_CHAIN_HOOK
],
1456 nft_hook_policy
, NULL
);
1460 if (ha
[NFTA_HOOK_HOOKNUM
] == NULL
||
1461 ha
[NFTA_HOOK_PRIORITY
] == NULL
)
1464 hook
->num
= ntohl(nla_get_be32(ha
[NFTA_HOOK_HOOKNUM
]));
1465 hook
->priority
= ntohl(nla_get_be32(ha
[NFTA_HOOK_PRIORITY
]));
1467 type
= chain_type
[family
][NFT_CHAIN_T_DEFAULT
];
1468 if (nla
[NFTA_CHAIN_TYPE
]) {
1469 type
= nf_tables_chain_type_lookup(net
, nla
[NFTA_CHAIN_TYPE
],
1472 return PTR_ERR(type
);
1474 if (!(type
->hook_mask
& (1 << hook
->num
)))
1477 if (type
->type
== NFT_CHAIN_T_NAT
&&
1478 hook
->priority
<= NF_IP_PRI_CONNTRACK
)
1481 if (!try_module_get(type
->owner
))
1487 if (family
== NFPROTO_NETDEV
) {
1488 char ifname
[IFNAMSIZ
];
1490 if (!ha
[NFTA_HOOK_DEV
]) {
1491 module_put(type
->owner
);
1495 nla_strlcpy(ifname
, ha
[NFTA_HOOK_DEV
], IFNAMSIZ
);
1496 dev
= __dev_get_by_name(net
, ifname
);
1498 module_put(type
->owner
);
1502 } else if (ha
[NFTA_HOOK_DEV
]) {
1503 module_put(type
->owner
);
1510 static void nft_chain_release_hook(struct nft_chain_hook
*hook
)
1512 module_put(hook
->type
->owner
);
1515 struct nft_rules_old
{
1517 struct nft_rule
**start
;
1520 static struct nft_rule
**nf_tables_chain_alloc_rules(const struct nft_chain
*chain
,
1523 if (alloc
> INT_MAX
)
1526 alloc
+= 1; /* NULL, ends rules */
1527 if (sizeof(struct nft_rule
*) > INT_MAX
/ alloc
)
1530 alloc
*= sizeof(struct nft_rule
*);
1531 alloc
+= sizeof(struct nft_rules_old
);
1533 return kvmalloc(alloc
, GFP_KERNEL
);
1536 static int nf_tables_addchain(struct nft_ctx
*ctx
, u8 family
, u8 genmask
,
1539 const struct nlattr
* const *nla
= ctx
->nla
;
1540 struct nft_table
*table
= ctx
->table
;
1541 struct nft_base_chain
*basechain
;
1542 struct nft_stats __percpu
*stats
;
1543 struct net
*net
= ctx
->net
;
1544 struct nft_chain
*chain
;
1545 struct nft_rule
**rules
;
1548 if (table
->use
== UINT_MAX
)
1551 if (nla
[NFTA_CHAIN_HOOK
]) {
1552 struct nft_chain_hook hook
;
1553 struct nf_hook_ops
*ops
;
1555 err
= nft_chain_parse_hook(net
, nla
, &hook
, family
, true);
1559 basechain
= kzalloc(sizeof(*basechain
), GFP_KERNEL
);
1560 if (basechain
== NULL
) {
1561 nft_chain_release_hook(&hook
);
1565 if (hook
.dev
!= NULL
)
1566 strncpy(basechain
->dev_name
, hook
.dev
->name
, IFNAMSIZ
);
1568 if (nla
[NFTA_CHAIN_COUNTERS
]) {
1569 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
1570 if (IS_ERR(stats
)) {
1571 nft_chain_release_hook(&hook
);
1573 return PTR_ERR(stats
);
1575 basechain
->stats
= stats
;
1576 static_branch_inc(&nft_counters_enabled
);
1579 basechain
->type
= hook
.type
;
1580 chain
= &basechain
->chain
;
1582 ops
= &basechain
->ops
;
1584 ops
->hooknum
= hook
.num
;
1585 ops
->priority
= hook
.priority
;
1587 ops
->hook
= hook
.type
->hooks
[ops
->hooknum
];
1588 ops
->dev
= hook
.dev
;
1590 chain
->flags
|= NFT_BASE_CHAIN
;
1591 basechain
->policy
= policy
;
1593 chain
= kzalloc(sizeof(*chain
), GFP_KERNEL
);
1599 INIT_LIST_HEAD(&chain
->rules
);
1600 chain
->handle
= nf_tables_alloc_handle(table
);
1601 chain
->table
= table
;
1602 chain
->name
= nla_strdup(nla
[NFTA_CHAIN_NAME
], GFP_KERNEL
);
1608 rules
= nf_tables_chain_alloc_rules(chain
, 0);
1615 rcu_assign_pointer(chain
->rules_gen_0
, rules
);
1616 rcu_assign_pointer(chain
->rules_gen_1
, rules
);
1618 err
= nf_tables_register_hook(net
, table
, chain
);
1622 err
= rhltable_insert_key(&table
->chains_ht
, chain
->name
,
1623 &chain
->rhlhead
, nft_chain_ht_params
);
1627 err
= nft_trans_chain_add(ctx
, NFT_MSG_NEWCHAIN
);
1629 rhltable_remove(&table
->chains_ht
, &chain
->rhlhead
,
1630 nft_chain_ht_params
);
1635 list_add_tail_rcu(&chain
->list
, &table
->chains
);
1639 nf_tables_unregister_hook(net
, table
, chain
);
1641 nf_tables_chain_destroy(ctx
);
1646 static int nf_tables_updchain(struct nft_ctx
*ctx
, u8 genmask
, u8 policy
)
1648 const struct nlattr
* const *nla
= ctx
->nla
;
1649 struct nft_table
*table
= ctx
->table
;
1650 struct nft_chain
*chain
= ctx
->chain
;
1651 struct nft_base_chain
*basechain
;
1652 struct nft_stats
*stats
= NULL
;
1653 struct nft_chain_hook hook
;
1654 struct nf_hook_ops
*ops
;
1655 struct nft_trans
*trans
;
1658 if (nla
[NFTA_CHAIN_HOOK
]) {
1659 if (!nft_is_base_chain(chain
))
1662 err
= nft_chain_parse_hook(ctx
->net
, nla
, &hook
, ctx
->family
,
1667 basechain
= nft_base_chain(chain
);
1668 if (basechain
->type
!= hook
.type
) {
1669 nft_chain_release_hook(&hook
);
1673 ops
= &basechain
->ops
;
1674 if (ops
->hooknum
!= hook
.num
||
1675 ops
->priority
!= hook
.priority
||
1676 ops
->dev
!= hook
.dev
) {
1677 nft_chain_release_hook(&hook
);
1680 nft_chain_release_hook(&hook
);
1683 if (nla
[NFTA_CHAIN_HANDLE
] &&
1684 nla
[NFTA_CHAIN_NAME
]) {
1685 struct nft_chain
*chain2
;
1687 chain2
= nft_chain_lookup(ctx
->net
, table
,
1688 nla
[NFTA_CHAIN_NAME
], genmask
);
1689 if (!IS_ERR(chain2
))
1693 if (nla
[NFTA_CHAIN_COUNTERS
]) {
1694 if (!nft_is_base_chain(chain
))
1697 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
1699 return PTR_ERR(stats
);
1703 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWCHAIN
,
1704 sizeof(struct nft_trans_chain
));
1708 nft_trans_chain_stats(trans
) = stats
;
1709 nft_trans_chain_update(trans
) = true;
1711 if (nla
[NFTA_CHAIN_POLICY
])
1712 nft_trans_chain_policy(trans
) = policy
;
1714 nft_trans_chain_policy(trans
) = -1;
1716 if (nla
[NFTA_CHAIN_HANDLE
] &&
1717 nla
[NFTA_CHAIN_NAME
]) {
1718 struct nft_trans
*tmp
;
1722 name
= nla_strdup(nla
[NFTA_CHAIN_NAME
], GFP_KERNEL
);
1727 list_for_each_entry(tmp
, &ctx
->net
->nft
.commit_list
, list
) {
1728 if (tmp
->msg_type
== NFT_MSG_NEWCHAIN
&&
1729 tmp
->ctx
.table
== table
&&
1730 nft_trans_chain_update(tmp
) &&
1731 nft_trans_chain_name(tmp
) &&
1732 strcmp(name
, nft_trans_chain_name(tmp
)) == 0) {
1738 nft_trans_chain_name(trans
) = name
;
1740 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
1749 static int nf_tables_newchain(struct net
*net
, struct sock
*nlsk
,
1750 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1751 const struct nlattr
* const nla
[],
1752 struct netlink_ext_ack
*extack
)
1754 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1755 u8 genmask
= nft_genmask_next(net
);
1756 int family
= nfmsg
->nfgen_family
;
1757 const struct nlattr
*attr
;
1758 struct nft_table
*table
;
1759 struct nft_chain
*chain
;
1760 u8 policy
= NF_ACCEPT
;
1764 lockdep_assert_held(&net
->nft
.commit_mutex
);
1766 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
);
1767 if (IS_ERR(table
)) {
1768 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
1769 return PTR_ERR(table
);
1773 attr
= nla
[NFTA_CHAIN_NAME
];
1775 if (nla
[NFTA_CHAIN_HANDLE
]) {
1776 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_CHAIN_HANDLE
]));
1777 chain
= nft_chain_lookup_byhandle(table
, handle
, genmask
);
1778 if (IS_ERR(chain
)) {
1779 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_HANDLE
]);
1780 return PTR_ERR(chain
);
1782 attr
= nla
[NFTA_CHAIN_HANDLE
];
1784 chain
= nft_chain_lookup(net
, table
, attr
, genmask
);
1785 if (IS_ERR(chain
)) {
1786 if (PTR_ERR(chain
) != -ENOENT
) {
1787 NL_SET_BAD_ATTR(extack
, attr
);
1788 return PTR_ERR(chain
);
1794 if (nla
[NFTA_CHAIN_POLICY
]) {
1795 if (chain
!= NULL
&&
1796 !nft_is_base_chain(chain
)) {
1797 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_POLICY
]);
1801 if (chain
== NULL
&&
1802 nla
[NFTA_CHAIN_HOOK
] == NULL
) {
1803 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_POLICY
]);
1807 policy
= ntohl(nla_get_be32(nla
[NFTA_CHAIN_POLICY
]));
1817 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, chain
, nla
);
1819 if (chain
!= NULL
) {
1820 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
1821 NL_SET_BAD_ATTR(extack
, attr
);
1824 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
1827 return nf_tables_updchain(&ctx
, genmask
, policy
);
1830 return nf_tables_addchain(&ctx
, family
, genmask
, policy
);
1833 static int nf_tables_delchain(struct net
*net
, struct sock
*nlsk
,
1834 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1835 const struct nlattr
* const nla
[],
1836 struct netlink_ext_ack
*extack
)
1838 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1839 u8 genmask
= nft_genmask_next(net
);
1840 int family
= nfmsg
->nfgen_family
;
1841 const struct nlattr
*attr
;
1842 struct nft_table
*table
;
1843 struct nft_chain
*chain
;
1844 struct nft_rule
*rule
;
1850 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
);
1851 if (IS_ERR(table
)) {
1852 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
1853 return PTR_ERR(table
);
1856 if (nla
[NFTA_CHAIN_HANDLE
]) {
1857 attr
= nla
[NFTA_CHAIN_HANDLE
];
1858 handle
= be64_to_cpu(nla_get_be64(attr
));
1859 chain
= nft_chain_lookup_byhandle(table
, handle
, genmask
);
1861 attr
= nla
[NFTA_CHAIN_NAME
];
1862 chain
= nft_chain_lookup(net
, table
, attr
, genmask
);
1864 if (IS_ERR(chain
)) {
1865 NL_SET_BAD_ATTR(extack
, attr
);
1866 return PTR_ERR(chain
);
1869 if (nlh
->nlmsg_flags
& NLM_F_NONREC
&&
1873 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, chain
, nla
);
1876 list_for_each_entry(rule
, &chain
->rules
, list
) {
1877 if (!nft_is_active_next(net
, rule
))
1881 err
= nft_delrule(&ctx
, rule
);
1886 /* There are rules and elements that are still holding references to us,
1887 * we cannot do a recursive removal in this case.
1890 NL_SET_BAD_ATTR(extack
, attr
);
1894 return nft_delchain(&ctx
);
1902 * nft_register_expr - register nf_tables expr type
1905 * Registers the expr type for use with nf_tables. Returns zero on
1906 * success or a negative errno code otherwise.
1908 int nft_register_expr(struct nft_expr_type
*type
)
1910 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1911 if (type
->family
== NFPROTO_UNSPEC
)
1912 list_add_tail_rcu(&type
->list
, &nf_tables_expressions
);
1914 list_add_rcu(&type
->list
, &nf_tables_expressions
);
1915 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1918 EXPORT_SYMBOL_GPL(nft_register_expr
);
1921 * nft_unregister_expr - unregister nf_tables expr type
1924 * Unregisters the expr typefor use with nf_tables.
1926 void nft_unregister_expr(struct nft_expr_type
*type
)
1928 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1929 list_del_rcu(&type
->list
);
1930 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1932 EXPORT_SYMBOL_GPL(nft_unregister_expr
);
1934 static const struct nft_expr_type
*__nft_expr_type_get(u8 family
,
1937 const struct nft_expr_type
*type
;
1939 list_for_each_entry(type
, &nf_tables_expressions
, list
) {
1940 if (!nla_strcmp(nla
, type
->name
) &&
1941 (!type
->family
|| type
->family
== family
))
1947 static const struct nft_expr_type
*nft_expr_type_get(struct net
*net
,
1951 const struct nft_expr_type
*type
;
1954 return ERR_PTR(-EINVAL
);
1956 type
= __nft_expr_type_get(family
, nla
);
1957 if (type
!= NULL
&& try_module_get(type
->owner
))
1960 lockdep_nfnl_nft_mutex_not_held();
1961 #ifdef CONFIG_MODULES
1963 nft_request_module(net
, "nft-expr-%u-%.*s", family
,
1964 nla_len(nla
), (char *)nla_data(nla
));
1965 if (__nft_expr_type_get(family
, nla
))
1966 return ERR_PTR(-EAGAIN
);
1968 nft_request_module(net
, "nft-expr-%.*s",
1969 nla_len(nla
), (char *)nla_data(nla
));
1970 if (__nft_expr_type_get(family
, nla
))
1971 return ERR_PTR(-EAGAIN
);
1974 return ERR_PTR(-ENOENT
);
1977 static const struct nla_policy nft_expr_policy
[NFTA_EXPR_MAX
+ 1] = {
1978 [NFTA_EXPR_NAME
] = { .type
= NLA_STRING
},
1979 [NFTA_EXPR_DATA
] = { .type
= NLA_NESTED
},
1982 static int nf_tables_fill_expr_info(struct sk_buff
*skb
,
1983 const struct nft_expr
*expr
)
1985 if (nla_put_string(skb
, NFTA_EXPR_NAME
, expr
->ops
->type
->name
))
1986 goto nla_put_failure
;
1988 if (expr
->ops
->dump
) {
1989 struct nlattr
*data
= nla_nest_start(skb
, NFTA_EXPR_DATA
);
1991 goto nla_put_failure
;
1992 if (expr
->ops
->dump(skb
, expr
) < 0)
1993 goto nla_put_failure
;
1994 nla_nest_end(skb
, data
);
2003 int nft_expr_dump(struct sk_buff
*skb
, unsigned int attr
,
2004 const struct nft_expr
*expr
)
2006 struct nlattr
*nest
;
2008 nest
= nla_nest_start(skb
, attr
);
2010 goto nla_put_failure
;
2011 if (nf_tables_fill_expr_info(skb
, expr
) < 0)
2012 goto nla_put_failure
;
2013 nla_nest_end(skb
, nest
);
2020 struct nft_expr_info
{
2021 const struct nft_expr_ops
*ops
;
2022 struct nlattr
*tb
[NFT_EXPR_MAXATTR
+ 1];
2025 static int nf_tables_expr_parse(const struct nft_ctx
*ctx
,
2026 const struct nlattr
*nla
,
2027 struct nft_expr_info
*info
)
2029 const struct nft_expr_type
*type
;
2030 const struct nft_expr_ops
*ops
;
2031 struct nlattr
*tb
[NFTA_EXPR_MAX
+ 1];
2034 err
= nla_parse_nested(tb
, NFTA_EXPR_MAX
, nla
, nft_expr_policy
, NULL
);
2038 type
= nft_expr_type_get(ctx
->net
, ctx
->family
, tb
[NFTA_EXPR_NAME
]);
2040 return PTR_ERR(type
);
2042 if (tb
[NFTA_EXPR_DATA
]) {
2043 err
= nla_parse_nested(info
->tb
, type
->maxattr
,
2044 tb
[NFTA_EXPR_DATA
], type
->policy
, NULL
);
2048 memset(info
->tb
, 0, sizeof(info
->tb
[0]) * (type
->maxattr
+ 1));
2050 if (type
->select_ops
!= NULL
) {
2051 ops
= type
->select_ops(ctx
,
2052 (const struct nlattr
* const *)info
->tb
);
2064 module_put(type
->owner
);
2068 static int nf_tables_newexpr(const struct nft_ctx
*ctx
,
2069 const struct nft_expr_info
*info
,
2070 struct nft_expr
*expr
)
2072 const struct nft_expr_ops
*ops
= info
->ops
;
2077 err
= ops
->init(ctx
, expr
, (const struct nlattr
**)info
->tb
);
2088 static void nf_tables_expr_destroy(const struct nft_ctx
*ctx
,
2089 struct nft_expr
*expr
)
2091 if (expr
->ops
->destroy
)
2092 expr
->ops
->destroy(ctx
, expr
);
2093 module_put(expr
->ops
->type
->owner
);
2096 struct nft_expr
*nft_expr_init(const struct nft_ctx
*ctx
,
2097 const struct nlattr
*nla
)
2099 struct nft_expr_info info
;
2100 struct nft_expr
*expr
;
2103 err
= nf_tables_expr_parse(ctx
, nla
, &info
);
2108 expr
= kzalloc(info
.ops
->size
, GFP_KERNEL
);
2112 err
= nf_tables_newexpr(ctx
, &info
, expr
);
2120 module_put(info
.ops
->type
->owner
);
2122 return ERR_PTR(err
);
2125 void nft_expr_destroy(const struct nft_ctx
*ctx
, struct nft_expr
*expr
)
2127 nf_tables_expr_destroy(ctx
, expr
);
2135 static struct nft_rule
*__nft_rule_lookup(const struct nft_chain
*chain
,
2138 struct nft_rule
*rule
;
2140 // FIXME: this sucks
2141 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
2142 if (handle
== rule
->handle
)
2146 return ERR_PTR(-ENOENT
);
2149 static struct nft_rule
*nft_rule_lookup(const struct nft_chain
*chain
,
2150 const struct nlattr
*nla
)
2153 return ERR_PTR(-EINVAL
);
2155 return __nft_rule_lookup(chain
, be64_to_cpu(nla_get_be64(nla
)));
2158 static const struct nla_policy nft_rule_policy
[NFTA_RULE_MAX
+ 1] = {
2159 [NFTA_RULE_TABLE
] = { .type
= NLA_STRING
,
2160 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
2161 [NFTA_RULE_CHAIN
] = { .type
= NLA_STRING
,
2162 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
2163 [NFTA_RULE_HANDLE
] = { .type
= NLA_U64
},
2164 [NFTA_RULE_EXPRESSIONS
] = { .type
= NLA_NESTED
},
2165 [NFTA_RULE_COMPAT
] = { .type
= NLA_NESTED
},
2166 [NFTA_RULE_POSITION
] = { .type
= NLA_U64
},
2167 [NFTA_RULE_USERDATA
] = { .type
= NLA_BINARY
,
2168 .len
= NFT_USERDATA_MAXLEN
},
2169 [NFTA_RULE_ID
] = { .type
= NLA_U32
},
2172 static int nf_tables_fill_rule_info(struct sk_buff
*skb
, struct net
*net
,
2173 u32 portid
, u32 seq
, int event
,
2174 u32 flags
, int family
,
2175 const struct nft_table
*table
,
2176 const struct nft_chain
*chain
,
2177 const struct nft_rule
*rule
)
2179 struct nlmsghdr
*nlh
;
2180 struct nfgenmsg
*nfmsg
;
2181 const struct nft_expr
*expr
, *next
;
2182 struct nlattr
*list
;
2183 const struct nft_rule
*prule
;
2184 u16 type
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
2186 nlh
= nlmsg_put(skb
, portid
, seq
, type
, sizeof(struct nfgenmsg
), flags
);
2188 goto nla_put_failure
;
2190 nfmsg
= nlmsg_data(nlh
);
2191 nfmsg
->nfgen_family
= family
;
2192 nfmsg
->version
= NFNETLINK_V0
;
2193 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
2195 if (nla_put_string(skb
, NFTA_RULE_TABLE
, table
->name
))
2196 goto nla_put_failure
;
2197 if (nla_put_string(skb
, NFTA_RULE_CHAIN
, chain
->name
))
2198 goto nla_put_failure
;
2199 if (nla_put_be64(skb
, NFTA_RULE_HANDLE
, cpu_to_be64(rule
->handle
),
2201 goto nla_put_failure
;
2203 if ((event
!= NFT_MSG_DELRULE
) && (rule
->list
.prev
!= &chain
->rules
)) {
2204 prule
= list_prev_entry(rule
, list
);
2205 if (nla_put_be64(skb
, NFTA_RULE_POSITION
,
2206 cpu_to_be64(prule
->handle
),
2208 goto nla_put_failure
;
2211 list
= nla_nest_start(skb
, NFTA_RULE_EXPRESSIONS
);
2213 goto nla_put_failure
;
2214 nft_rule_for_each_expr(expr
, next
, rule
) {
2215 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
, expr
) < 0)
2216 goto nla_put_failure
;
2218 nla_nest_end(skb
, list
);
2221 struct nft_userdata
*udata
= nft_userdata(rule
);
2222 if (nla_put(skb
, NFTA_RULE_USERDATA
, udata
->len
+ 1,
2224 goto nla_put_failure
;
2227 nlmsg_end(skb
, nlh
);
2231 nlmsg_trim(skb
, nlh
);
2235 static void nf_tables_rule_notify(const struct nft_ctx
*ctx
,
2236 const struct nft_rule
*rule
, int event
)
2238 struct sk_buff
*skb
;
2242 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
2245 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
2249 err
= nf_tables_fill_rule_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
2250 event
, 0, ctx
->family
, ctx
->table
,
2257 nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
2258 ctx
->report
, GFP_KERNEL
);
2261 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
2264 struct nft_rule_dump_ctx
{
2269 static int nf_tables_dump_rules(struct sk_buff
*skb
,
2270 struct netlink_callback
*cb
)
2272 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
2273 const struct nft_rule_dump_ctx
*ctx
= cb
->data
;
2274 const struct nft_table
*table
;
2275 const struct nft_chain
*chain
;
2276 const struct nft_rule
*rule
;
2277 unsigned int idx
= 0, s_idx
= cb
->args
[0];
2278 struct net
*net
= sock_net(skb
->sk
);
2279 int family
= nfmsg
->nfgen_family
;
2282 cb
->seq
= net
->nft
.base_seq
;
2284 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
2285 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
2288 if (ctx
&& ctx
->table
&& strcmp(ctx
->table
, table
->name
) != 0)
2291 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
2292 if (ctx
&& ctx
->chain
&&
2293 strcmp(ctx
->chain
, chain
->name
) != 0)
2296 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
2297 if (!nft_is_active(net
, rule
))
2302 memset(&cb
->args
[1], 0,
2303 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
2304 if (nf_tables_fill_rule_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
2307 NLM_F_MULTI
| NLM_F_APPEND
,
2309 table
, chain
, rule
) < 0)
2312 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
2325 static int nf_tables_dump_rules_start(struct netlink_callback
*cb
)
2327 const struct nlattr
* const *nla
= cb
->data
;
2328 struct nft_rule_dump_ctx
*ctx
= NULL
;
2330 if (nla
[NFTA_RULE_TABLE
] || nla
[NFTA_RULE_CHAIN
]) {
2331 ctx
= kzalloc(sizeof(*ctx
), GFP_ATOMIC
);
2335 if (nla
[NFTA_RULE_TABLE
]) {
2336 ctx
->table
= nla_strdup(nla
[NFTA_RULE_TABLE
],
2343 if (nla
[NFTA_RULE_CHAIN
]) {
2344 ctx
->chain
= nla_strdup(nla
[NFTA_RULE_CHAIN
],
2358 static int nf_tables_dump_rules_done(struct netlink_callback
*cb
)
2360 struct nft_rule_dump_ctx
*ctx
= cb
->data
;
2370 /* called with rcu_read_lock held */
2371 static int nf_tables_getrule(struct net
*net
, struct sock
*nlsk
,
2372 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2373 const struct nlattr
* const nla
[],
2374 struct netlink_ext_ack
*extack
)
2376 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2377 u8 genmask
= nft_genmask_cur(net
);
2378 const struct nft_chain
*chain
;
2379 const struct nft_rule
*rule
;
2380 struct nft_table
*table
;
2381 struct sk_buff
*skb2
;
2382 int family
= nfmsg
->nfgen_family
;
2385 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
2386 struct netlink_dump_control c
= {
2387 .start
= nf_tables_dump_rules_start
,
2388 .dump
= nf_tables_dump_rules
,
2389 .done
= nf_tables_dump_rules_done
,
2390 .module
= THIS_MODULE
,
2391 .data
= (void *)nla
,
2394 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
2397 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
);
2398 if (IS_ERR(table
)) {
2399 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
2400 return PTR_ERR(table
);
2403 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
], genmask
);
2404 if (IS_ERR(chain
)) {
2405 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
2406 return PTR_ERR(chain
);
2409 rule
= nft_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
2411 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
2412 return PTR_ERR(rule
);
2415 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
2419 err
= nf_tables_fill_rule_info(skb2
, net
, NETLINK_CB(skb
).portid
,
2420 nlh
->nlmsg_seq
, NFT_MSG_NEWRULE
, 0,
2421 family
, table
, chain
, rule
);
2425 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
2432 static void nf_tables_rule_destroy(const struct nft_ctx
*ctx
,
2433 struct nft_rule
*rule
)
2435 struct nft_expr
*expr
;
2437 lockdep_assert_held(&ctx
->net
->nft
.commit_mutex
);
2439 * Careful: some expressions might not be initialized in case this
2440 * is called on error from nf_tables_newrule().
2442 expr
= nft_expr_first(rule
);
2443 while (expr
!= nft_expr_last(rule
) && expr
->ops
) {
2444 nf_tables_expr_destroy(ctx
, expr
);
2445 expr
= nft_expr_next(expr
);
2450 static void nf_tables_rule_release(const struct nft_ctx
*ctx
,
2451 struct nft_rule
*rule
)
2453 nft_rule_expr_deactivate(ctx
, rule
);
2454 nf_tables_rule_destroy(ctx
, rule
);
2457 int nft_chain_validate(const struct nft_ctx
*ctx
, const struct nft_chain
*chain
)
2459 struct nft_expr
*expr
, *last
;
2460 const struct nft_data
*data
;
2461 struct nft_rule
*rule
;
2464 if (ctx
->level
== NFT_JUMP_STACK_SIZE
)
2467 list_for_each_entry(rule
, &chain
->rules
, list
) {
2468 if (!nft_is_active_next(ctx
->net
, rule
))
2471 nft_rule_for_each_expr(expr
, last
, rule
) {
2472 if (!expr
->ops
->validate
)
2475 err
= expr
->ops
->validate(ctx
, expr
, &data
);
2483 EXPORT_SYMBOL_GPL(nft_chain_validate
);
2485 static int nft_table_validate(struct net
*net
, const struct nft_table
*table
)
2487 struct nft_chain
*chain
;
2488 struct nft_ctx ctx
= {
2490 .family
= table
->family
,
2494 list_for_each_entry(chain
, &table
->chains
, list
) {
2495 if (!nft_is_base_chain(chain
))
2499 err
= nft_chain_validate(&ctx
, chain
);
2507 #define NFT_RULE_MAXEXPRS 128
2509 static int nf_tables_newrule(struct net
*net
, struct sock
*nlsk
,
2510 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2511 const struct nlattr
* const nla
[],
2512 struct netlink_ext_ack
*extack
)
2514 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2515 u8 genmask
= nft_genmask_next(net
);
2516 struct nft_expr_info
*info
= NULL
;
2517 int family
= nfmsg
->nfgen_family
;
2518 struct nft_table
*table
;
2519 struct nft_chain
*chain
;
2520 struct nft_rule
*rule
, *old_rule
= NULL
;
2521 struct nft_userdata
*udata
;
2522 struct nft_trans
*trans
= NULL
;
2523 struct nft_expr
*expr
;
2526 unsigned int size
, i
, n
, ulen
= 0, usize
= 0;
2528 u64 handle
, pos_handle
;
2530 lockdep_assert_held(&net
->nft
.commit_mutex
);
2532 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
);
2533 if (IS_ERR(table
)) {
2534 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
2535 return PTR_ERR(table
);
2538 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
], genmask
);
2539 if (IS_ERR(chain
)) {
2540 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
2541 return PTR_ERR(chain
);
2544 if (nla
[NFTA_RULE_HANDLE
]) {
2545 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_HANDLE
]));
2546 rule
= __nft_rule_lookup(chain
, handle
);
2548 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
2549 return PTR_ERR(rule
);
2552 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
2553 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
2556 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2561 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
) ||
2562 nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2564 handle
= nf_tables_alloc_handle(table
);
2566 if (chain
->use
== UINT_MAX
)
2570 if (nla
[NFTA_RULE_POSITION
]) {
2571 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
2574 pos_handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_POSITION
]));
2575 old_rule
= __nft_rule_lookup(chain
, pos_handle
);
2576 if (IS_ERR(old_rule
)) {
2577 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_POSITION
]);
2578 return PTR_ERR(old_rule
);
2582 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, chain
, nla
);
2586 if (nla
[NFTA_RULE_EXPRESSIONS
]) {
2587 info
= kvmalloc_array(NFT_RULE_MAXEXPRS
,
2588 sizeof(struct nft_expr_info
),
2593 nla_for_each_nested(tmp
, nla
[NFTA_RULE_EXPRESSIONS
], rem
) {
2595 if (nla_type(tmp
) != NFTA_LIST_ELEM
)
2597 if (n
== NFT_RULE_MAXEXPRS
)
2599 err
= nf_tables_expr_parse(&ctx
, tmp
, &info
[n
]);
2602 size
+= info
[n
].ops
->size
;
2606 /* Check for overflow of dlen field */
2608 if (size
>= 1 << 12)
2611 if (nla
[NFTA_RULE_USERDATA
]) {
2612 ulen
= nla_len(nla
[NFTA_RULE_USERDATA
]);
2614 usize
= sizeof(struct nft_userdata
) + ulen
;
2618 rule
= kzalloc(sizeof(*rule
) + size
+ usize
, GFP_KERNEL
);
2622 nft_activate_next(net
, rule
);
2624 rule
->handle
= handle
;
2626 rule
->udata
= ulen
? 1 : 0;
2629 udata
= nft_userdata(rule
);
2630 udata
->len
= ulen
- 1;
2631 nla_memcpy(udata
->data
, nla
[NFTA_RULE_USERDATA
], ulen
);
2634 expr
= nft_expr_first(rule
);
2635 for (i
= 0; i
< n
; i
++) {
2636 err
= nf_tables_newexpr(&ctx
, &info
[i
], expr
);
2640 if (info
[i
].ops
->validate
)
2641 nft_validate_state_update(net
, NFT_VALIDATE_NEED
);
2644 expr
= nft_expr_next(expr
);
2647 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
) {
2648 if (!nft_is_active_next(net
, old_rule
)) {
2652 trans
= nft_trans_rule_add(&ctx
, NFT_MSG_DELRULE
,
2654 if (trans
== NULL
) {
2658 nft_deactivate_next(net
, old_rule
);
2661 if (nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
) == NULL
) {
2666 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
2668 if (nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
) == NULL
) {
2673 if (nlh
->nlmsg_flags
& NLM_F_APPEND
) {
2675 list_add_rcu(&rule
->list
, &old_rule
->list
);
2677 list_add_tail_rcu(&rule
->list
, &chain
->rules
);
2680 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
2682 list_add_rcu(&rule
->list
, &chain
->rules
);
2688 if (net
->nft
.validate_state
== NFT_VALIDATE_DO
)
2689 return nft_table_validate(net
, table
);
2693 nf_tables_rule_release(&ctx
, rule
);
2695 for (i
= 0; i
< n
; i
++) {
2696 if (info
[i
].ops
!= NULL
)
2697 module_put(info
[i
].ops
->type
->owner
);
2703 static struct nft_rule
*nft_rule_lookup_byid(const struct net
*net
,
2704 const struct nlattr
*nla
)
2706 u32 id
= ntohl(nla_get_be32(nla
));
2707 struct nft_trans
*trans
;
2709 list_for_each_entry(trans
, &net
->nft
.commit_list
, list
) {
2710 struct nft_rule
*rule
= nft_trans_rule(trans
);
2712 if (trans
->msg_type
== NFT_MSG_NEWRULE
&&
2713 id
== nft_trans_rule_id(trans
))
2716 return ERR_PTR(-ENOENT
);
2719 static int nf_tables_delrule(struct net
*net
, struct sock
*nlsk
,
2720 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2721 const struct nlattr
* const nla
[],
2722 struct netlink_ext_ack
*extack
)
2724 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2725 u8 genmask
= nft_genmask_next(net
);
2726 struct nft_table
*table
;
2727 struct nft_chain
*chain
= NULL
;
2728 struct nft_rule
*rule
;
2729 int family
= nfmsg
->nfgen_family
, err
= 0;
2732 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
);
2733 if (IS_ERR(table
)) {
2734 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
2735 return PTR_ERR(table
);
2738 if (nla
[NFTA_RULE_CHAIN
]) {
2739 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
],
2741 if (IS_ERR(chain
)) {
2742 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
2743 return PTR_ERR(chain
);
2747 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, chain
, nla
);
2750 if (nla
[NFTA_RULE_HANDLE
]) {
2751 rule
= nft_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
2753 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
2754 return PTR_ERR(rule
);
2757 err
= nft_delrule(&ctx
, rule
);
2758 } else if (nla
[NFTA_RULE_ID
]) {
2759 rule
= nft_rule_lookup_byid(net
, nla
[NFTA_RULE_ID
]);
2761 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_ID
]);
2762 return PTR_ERR(rule
);
2765 err
= nft_delrule(&ctx
, rule
);
2767 err
= nft_delrule_by_chain(&ctx
);
2770 list_for_each_entry(chain
, &table
->chains
, list
) {
2771 if (!nft_is_active_next(net
, chain
))
2775 err
= nft_delrule_by_chain(&ctx
);
2788 static LIST_HEAD(nf_tables_set_types
);
2790 int nft_register_set(struct nft_set_type
*type
)
2792 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2793 list_add_tail_rcu(&type
->list
, &nf_tables_set_types
);
2794 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2797 EXPORT_SYMBOL_GPL(nft_register_set
);
2799 void nft_unregister_set(struct nft_set_type
*type
)
2801 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2802 list_del_rcu(&type
->list
);
2803 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2805 EXPORT_SYMBOL_GPL(nft_unregister_set
);
2807 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2808 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2811 static bool nft_set_ops_candidate(const struct nft_set_type
*type
, u32 flags
)
2813 return (flags
& type
->features
) == (flags
& NFT_SET_FEATURES
);
2817 * Select a set implementation based on the data characteristics and the
2818 * given policy. The total memory use might not be known if no size is
2819 * given, in that case the amount of memory per element is used.
2821 static const struct nft_set_ops
*
2822 nft_select_set_ops(const struct nft_ctx
*ctx
,
2823 const struct nlattr
* const nla
[],
2824 const struct nft_set_desc
*desc
,
2825 enum nft_set_policies policy
)
2827 const struct nft_set_ops
*ops
, *bops
;
2828 struct nft_set_estimate est
, best
;
2829 const struct nft_set_type
*type
;
2832 lockdep_assert_held(&ctx
->net
->nft
.commit_mutex
);
2833 lockdep_nfnl_nft_mutex_not_held();
2834 #ifdef CONFIG_MODULES
2835 if (list_empty(&nf_tables_set_types
)) {
2836 nft_request_module(ctx
->net
, "nft-set");
2837 if (!list_empty(&nf_tables_set_types
))
2838 return ERR_PTR(-EAGAIN
);
2841 if (nla
[NFTA_SET_FLAGS
] != NULL
)
2842 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
2849 list_for_each_entry(type
, &nf_tables_set_types
, list
) {
2852 if (!nft_set_ops_candidate(type
, flags
))
2854 if (!ops
->estimate(desc
, flags
, &est
))
2858 case NFT_SET_POL_PERFORMANCE
:
2859 if (est
.lookup
< best
.lookup
)
2861 if (est
.lookup
== best
.lookup
&&
2862 est
.space
< best
.space
)
2865 case NFT_SET_POL_MEMORY
:
2867 if (est
.space
< best
.space
)
2869 if (est
.space
== best
.space
&&
2870 est
.lookup
< best
.lookup
)
2872 } else if (est
.size
< best
.size
|| !bops
) {
2880 if (!try_module_get(type
->owner
))
2883 module_put(to_set_type(bops
)->owner
);
2892 return ERR_PTR(-EOPNOTSUPP
);
2895 static const struct nla_policy nft_set_policy
[NFTA_SET_MAX
+ 1] = {
2896 [NFTA_SET_TABLE
] = { .type
= NLA_STRING
,
2897 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
2898 [NFTA_SET_NAME
] = { .type
= NLA_STRING
,
2899 .len
= NFT_SET_MAXNAMELEN
- 1 },
2900 [NFTA_SET_FLAGS
] = { .type
= NLA_U32
},
2901 [NFTA_SET_KEY_TYPE
] = { .type
= NLA_U32
},
2902 [NFTA_SET_KEY_LEN
] = { .type
= NLA_U32
},
2903 [NFTA_SET_DATA_TYPE
] = { .type
= NLA_U32
},
2904 [NFTA_SET_DATA_LEN
] = { .type
= NLA_U32
},
2905 [NFTA_SET_POLICY
] = { .type
= NLA_U32
},
2906 [NFTA_SET_DESC
] = { .type
= NLA_NESTED
},
2907 [NFTA_SET_ID
] = { .type
= NLA_U32
},
2908 [NFTA_SET_TIMEOUT
] = { .type
= NLA_U64
},
2909 [NFTA_SET_GC_INTERVAL
] = { .type
= NLA_U32
},
2910 [NFTA_SET_USERDATA
] = { .type
= NLA_BINARY
,
2911 .len
= NFT_USERDATA_MAXLEN
},
2912 [NFTA_SET_OBJ_TYPE
] = { .type
= NLA_U32
},
2913 [NFTA_SET_HANDLE
] = { .type
= NLA_U64
},
2916 static const struct nla_policy nft_set_desc_policy
[NFTA_SET_DESC_MAX
+ 1] = {
2917 [NFTA_SET_DESC_SIZE
] = { .type
= NLA_U32
},
2920 static int nft_ctx_init_from_setattr(struct nft_ctx
*ctx
, struct net
*net
,
2921 const struct sk_buff
*skb
,
2922 const struct nlmsghdr
*nlh
,
2923 const struct nlattr
* const nla
[],
2924 struct netlink_ext_ack
*extack
,
2927 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2928 int family
= nfmsg
->nfgen_family
;
2929 struct nft_table
*table
= NULL
;
2931 if (nla
[NFTA_SET_TABLE
] != NULL
) {
2932 table
= nft_table_lookup(net
, nla
[NFTA_SET_TABLE
], family
,
2934 if (IS_ERR(table
)) {
2935 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_TABLE
]);
2936 return PTR_ERR(table
);
2940 nft_ctx_init(ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
2944 static struct nft_set
*nft_set_lookup(const struct nft_table
*table
,
2945 const struct nlattr
*nla
, u8 genmask
)
2947 struct nft_set
*set
;
2950 return ERR_PTR(-EINVAL
);
2952 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
2953 if (!nla_strcmp(nla
, set
->name
) &&
2954 nft_active_genmask(set
, genmask
))
2957 return ERR_PTR(-ENOENT
);
2960 static struct nft_set
*nft_set_lookup_byhandle(const struct nft_table
*table
,
2961 const struct nlattr
*nla
,
2964 struct nft_set
*set
;
2966 list_for_each_entry(set
, &table
->sets
, list
) {
2967 if (be64_to_cpu(nla_get_be64(nla
)) == set
->handle
&&
2968 nft_active_genmask(set
, genmask
))
2971 return ERR_PTR(-ENOENT
);
2974 static struct nft_set
*nft_set_lookup_byid(const struct net
*net
,
2975 const struct nlattr
*nla
, u8 genmask
)
2977 struct nft_trans
*trans
;
2978 u32 id
= ntohl(nla_get_be32(nla
));
2980 list_for_each_entry(trans
, &net
->nft
.commit_list
, list
) {
2981 if (trans
->msg_type
== NFT_MSG_NEWSET
) {
2982 struct nft_set
*set
= nft_trans_set(trans
);
2984 if (id
== nft_trans_set_id(trans
) &&
2985 nft_active_genmask(set
, genmask
))
2989 return ERR_PTR(-ENOENT
);
2992 struct nft_set
*nft_set_lookup_global(const struct net
*net
,
2993 const struct nft_table
*table
,
2994 const struct nlattr
*nla_set_name
,
2995 const struct nlattr
*nla_set_id
,
2998 struct nft_set
*set
;
3000 set
= nft_set_lookup(table
, nla_set_name
, genmask
);
3005 set
= nft_set_lookup_byid(net
, nla_set_id
, genmask
);
3009 EXPORT_SYMBOL_GPL(nft_set_lookup_global
);
3011 static int nf_tables_set_alloc_name(struct nft_ctx
*ctx
, struct nft_set
*set
,
3014 const struct nft_set
*i
;
3016 unsigned long *inuse
;
3017 unsigned int n
= 0, min
= 0;
3019 p
= strchr(name
, '%');
3021 if (p
[1] != 'd' || strchr(p
+ 2, '%'))
3024 inuse
= (unsigned long *)get_zeroed_page(GFP_KERNEL
);
3028 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
3031 if (!nft_is_active_next(ctx
->net
, set
))
3033 if (!sscanf(i
->name
, name
, &tmp
))
3035 if (tmp
< min
|| tmp
>= min
+ BITS_PER_BYTE
* PAGE_SIZE
)
3038 set_bit(tmp
- min
, inuse
);
3041 n
= find_first_zero_bit(inuse
, BITS_PER_BYTE
* PAGE_SIZE
);
3042 if (n
>= BITS_PER_BYTE
* PAGE_SIZE
) {
3043 min
+= BITS_PER_BYTE
* PAGE_SIZE
;
3044 memset(inuse
, 0, PAGE_SIZE
);
3047 free_page((unsigned long)inuse
);
3050 set
->name
= kasprintf(GFP_KERNEL
, name
, min
+ n
);
3054 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
3055 if (!nft_is_active_next(ctx
->net
, i
))
3057 if (!strcmp(set
->name
, i
->name
)) {
3065 static int nf_msecs_to_jiffies64(const struct nlattr
*nla
, u64
*result
)
3067 u64 ms
= be64_to_cpu(nla_get_be64(nla
));
3068 u64 max
= (u64
)(~((u64
)0));
3070 max
= div_u64(max
, NSEC_PER_MSEC
);
3074 ms
*= NSEC_PER_MSEC
;
3075 *result
= nsecs_to_jiffies64(ms
);
3079 static __be64
nf_jiffies64_to_msecs(u64 input
)
3081 u64 ms
= jiffies64_to_nsecs(input
);
3083 return cpu_to_be64(div_u64(ms
, NSEC_PER_MSEC
));
3086 static int nf_tables_fill_set(struct sk_buff
*skb
, const struct nft_ctx
*ctx
,
3087 const struct nft_set
*set
, u16 event
, u16 flags
)
3089 struct nfgenmsg
*nfmsg
;
3090 struct nlmsghdr
*nlh
;
3091 struct nlattr
*desc
;
3092 u32 portid
= ctx
->portid
;
3095 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
3096 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3099 goto nla_put_failure
;
3101 nfmsg
= nlmsg_data(nlh
);
3102 nfmsg
->nfgen_family
= ctx
->family
;
3103 nfmsg
->version
= NFNETLINK_V0
;
3104 nfmsg
->res_id
= htons(ctx
->net
->nft
.base_seq
& 0xffff);
3106 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
3107 goto nla_put_failure
;
3108 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
3109 goto nla_put_failure
;
3110 if (nla_put_be64(skb
, NFTA_SET_HANDLE
, cpu_to_be64(set
->handle
),
3112 goto nla_put_failure
;
3113 if (set
->flags
!= 0)
3114 if (nla_put_be32(skb
, NFTA_SET_FLAGS
, htonl(set
->flags
)))
3115 goto nla_put_failure
;
3117 if (nla_put_be32(skb
, NFTA_SET_KEY_TYPE
, htonl(set
->ktype
)))
3118 goto nla_put_failure
;
3119 if (nla_put_be32(skb
, NFTA_SET_KEY_LEN
, htonl(set
->klen
)))
3120 goto nla_put_failure
;
3121 if (set
->flags
& NFT_SET_MAP
) {
3122 if (nla_put_be32(skb
, NFTA_SET_DATA_TYPE
, htonl(set
->dtype
)))
3123 goto nla_put_failure
;
3124 if (nla_put_be32(skb
, NFTA_SET_DATA_LEN
, htonl(set
->dlen
)))
3125 goto nla_put_failure
;
3127 if (set
->flags
& NFT_SET_OBJECT
&&
3128 nla_put_be32(skb
, NFTA_SET_OBJ_TYPE
, htonl(set
->objtype
)))
3129 goto nla_put_failure
;
3132 nla_put_be64(skb
, NFTA_SET_TIMEOUT
,
3133 nf_jiffies64_to_msecs(set
->timeout
),
3135 goto nla_put_failure
;
3137 nla_put_be32(skb
, NFTA_SET_GC_INTERVAL
, htonl(set
->gc_int
)))
3138 goto nla_put_failure
;
3140 if (set
->policy
!= NFT_SET_POL_PERFORMANCE
) {
3141 if (nla_put_be32(skb
, NFTA_SET_POLICY
, htonl(set
->policy
)))
3142 goto nla_put_failure
;
3145 if (nla_put(skb
, NFTA_SET_USERDATA
, set
->udlen
, set
->udata
))
3146 goto nla_put_failure
;
3148 desc
= nla_nest_start(skb
, NFTA_SET_DESC
);
3150 goto nla_put_failure
;
3152 nla_put_be32(skb
, NFTA_SET_DESC_SIZE
, htonl(set
->size
)))
3153 goto nla_put_failure
;
3154 nla_nest_end(skb
, desc
);
3156 nlmsg_end(skb
, nlh
);
3160 nlmsg_trim(skb
, nlh
);
3164 static void nf_tables_set_notify(const struct nft_ctx
*ctx
,
3165 const struct nft_set
*set
, int event
,
3168 struct sk_buff
*skb
;
3169 u32 portid
= ctx
->portid
;
3173 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
3176 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp_flags
);
3180 err
= nf_tables_fill_set(skb
, ctx
, set
, event
, 0);
3186 nfnetlink_send(skb
, ctx
->net
, portid
, NFNLGRP_NFTABLES
, ctx
->report
,
3190 nfnetlink_set_err(ctx
->net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
3193 static int nf_tables_dump_sets(struct sk_buff
*skb
, struct netlink_callback
*cb
)
3195 const struct nft_set
*set
;
3196 unsigned int idx
, s_idx
= cb
->args
[0];
3197 struct nft_table
*table
, *cur_table
= (struct nft_table
*)cb
->args
[2];
3198 struct net
*net
= sock_net(skb
->sk
);
3199 struct nft_ctx
*ctx
= cb
->data
, ctx_set
;
3205 cb
->seq
= net
->nft
.base_seq
;
3207 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
3208 if (ctx
->family
!= NFPROTO_UNSPEC
&&
3209 ctx
->family
!= table
->family
)
3212 if (ctx
->table
&& ctx
->table
!= table
)
3216 if (cur_table
!= table
)
3222 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
3225 if (!nft_is_active(net
, set
))
3229 ctx_set
.table
= table
;
3230 ctx_set
.family
= table
->family
;
3232 if (nf_tables_fill_set(skb
, &ctx_set
, set
,
3236 cb
->args
[2] = (unsigned long) table
;
3239 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
3252 static int nf_tables_dump_sets_start(struct netlink_callback
*cb
)
3254 struct nft_ctx
*ctx_dump
= NULL
;
3256 ctx_dump
= kmemdup(cb
->data
, sizeof(*ctx_dump
), GFP_ATOMIC
);
3257 if (ctx_dump
== NULL
)
3260 cb
->data
= ctx_dump
;
3264 static int nf_tables_dump_sets_done(struct netlink_callback
*cb
)
3270 /* called with rcu_read_lock held */
3271 static int nf_tables_getset(struct net
*net
, struct sock
*nlsk
,
3272 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3273 const struct nlattr
* const nla
[],
3274 struct netlink_ext_ack
*extack
)
3276 u8 genmask
= nft_genmask_cur(net
);
3277 const struct nft_set
*set
;
3279 struct sk_buff
*skb2
;
3280 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3283 /* Verify existence before starting dump */
3284 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
3289 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
3290 struct netlink_dump_control c
= {
3291 .start
= nf_tables_dump_sets_start
,
3292 .dump
= nf_tables_dump_sets
,
3293 .done
= nf_tables_dump_sets_done
,
3295 .module
= THIS_MODULE
,
3298 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
3301 /* Only accept unspec with dump */
3302 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
3303 return -EAFNOSUPPORT
;
3304 if (!nla
[NFTA_SET_TABLE
])
3307 set
= nft_set_lookup(ctx
.table
, nla
[NFTA_SET_NAME
], genmask
);
3309 return PTR_ERR(set
);
3311 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
3315 err
= nf_tables_fill_set(skb2
, &ctx
, set
, NFT_MSG_NEWSET
, 0);
3319 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
3326 static int nf_tables_set_desc_parse(const struct nft_ctx
*ctx
,
3327 struct nft_set_desc
*desc
,
3328 const struct nlattr
*nla
)
3330 struct nlattr
*da
[NFTA_SET_DESC_MAX
+ 1];
3333 err
= nla_parse_nested(da
, NFTA_SET_DESC_MAX
, nla
,
3334 nft_set_desc_policy
, NULL
);
3338 if (da
[NFTA_SET_DESC_SIZE
] != NULL
)
3339 desc
->size
= ntohl(nla_get_be32(da
[NFTA_SET_DESC_SIZE
]));
3344 static int nf_tables_newset(struct net
*net
, struct sock
*nlsk
,
3345 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3346 const struct nlattr
* const nla
[],
3347 struct netlink_ext_ack
*extack
)
3349 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3350 u8 genmask
= nft_genmask_next(net
);
3351 int family
= nfmsg
->nfgen_family
;
3352 const struct nft_set_ops
*ops
;
3353 struct nft_table
*table
;
3354 struct nft_set
*set
;
3359 u32 ktype
, dtype
, flags
, policy
, gc_int
, objtype
;
3360 struct nft_set_desc desc
;
3361 unsigned char *udata
;
3365 if (nla
[NFTA_SET_TABLE
] == NULL
||
3366 nla
[NFTA_SET_NAME
] == NULL
||
3367 nla
[NFTA_SET_KEY_LEN
] == NULL
||
3368 nla
[NFTA_SET_ID
] == NULL
)
3371 memset(&desc
, 0, sizeof(desc
));
3373 ktype
= NFT_DATA_VALUE
;
3374 if (nla
[NFTA_SET_KEY_TYPE
] != NULL
) {
3375 ktype
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_TYPE
]));
3376 if ((ktype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
)
3380 desc
.klen
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_LEN
]));
3381 if (desc
.klen
== 0 || desc
.klen
> NFT_DATA_VALUE_MAXLEN
)
3385 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
3386 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
3387 if (flags
& ~(NFT_SET_ANONYMOUS
| NFT_SET_CONSTANT
|
3388 NFT_SET_INTERVAL
| NFT_SET_TIMEOUT
|
3389 NFT_SET_MAP
| NFT_SET_EVAL
|
3392 /* Only one of these operations is supported */
3393 if ((flags
& (NFT_SET_MAP
| NFT_SET_EVAL
| NFT_SET_OBJECT
)) ==
3394 (NFT_SET_MAP
| NFT_SET_EVAL
| NFT_SET_OBJECT
))
3399 if (nla
[NFTA_SET_DATA_TYPE
] != NULL
) {
3400 if (!(flags
& NFT_SET_MAP
))
3403 dtype
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_TYPE
]));
3404 if ((dtype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
&&
3405 dtype
!= NFT_DATA_VERDICT
)
3408 if (dtype
!= NFT_DATA_VERDICT
) {
3409 if (nla
[NFTA_SET_DATA_LEN
] == NULL
)
3411 desc
.dlen
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_LEN
]));
3412 if (desc
.dlen
== 0 || desc
.dlen
> NFT_DATA_VALUE_MAXLEN
)
3415 desc
.dlen
= sizeof(struct nft_verdict
);
3416 } else if (flags
& NFT_SET_MAP
)
3419 if (nla
[NFTA_SET_OBJ_TYPE
] != NULL
) {
3420 if (!(flags
& NFT_SET_OBJECT
))
3423 objtype
= ntohl(nla_get_be32(nla
[NFTA_SET_OBJ_TYPE
]));
3424 if (objtype
== NFT_OBJECT_UNSPEC
||
3425 objtype
> NFT_OBJECT_MAX
)
3427 } else if (flags
& NFT_SET_OBJECT
)
3430 objtype
= NFT_OBJECT_UNSPEC
;
3433 if (nla
[NFTA_SET_TIMEOUT
] != NULL
) {
3434 if (!(flags
& NFT_SET_TIMEOUT
))
3437 err
= nf_msecs_to_jiffies64(nla
[NFTA_SET_TIMEOUT
], &timeout
);
3442 if (nla
[NFTA_SET_GC_INTERVAL
] != NULL
) {
3443 if (!(flags
& NFT_SET_TIMEOUT
))
3445 gc_int
= ntohl(nla_get_be32(nla
[NFTA_SET_GC_INTERVAL
]));
3448 policy
= NFT_SET_POL_PERFORMANCE
;
3449 if (nla
[NFTA_SET_POLICY
] != NULL
)
3450 policy
= ntohl(nla_get_be32(nla
[NFTA_SET_POLICY
]));
3452 if (nla
[NFTA_SET_DESC
] != NULL
) {
3453 err
= nf_tables_set_desc_parse(&ctx
, &desc
, nla
[NFTA_SET_DESC
]);
3458 table
= nft_table_lookup(net
, nla
[NFTA_SET_TABLE
], family
, genmask
);
3459 if (IS_ERR(table
)) {
3460 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_TABLE
]);
3461 return PTR_ERR(table
);
3464 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
3466 set
= nft_set_lookup(table
, nla
[NFTA_SET_NAME
], genmask
);
3468 if (PTR_ERR(set
) != -ENOENT
) {
3469 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_NAME
]);
3470 return PTR_ERR(set
);
3473 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
3474 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_NAME
]);
3477 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
3483 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
3486 ops
= nft_select_set_ops(&ctx
, nla
, &desc
, policy
);
3488 return PTR_ERR(ops
);
3491 if (nla
[NFTA_SET_USERDATA
])
3492 udlen
= nla_len(nla
[NFTA_SET_USERDATA
]);
3495 if (ops
->privsize
!= NULL
)
3496 size
= ops
->privsize(nla
, &desc
);
3498 set
= kvzalloc(sizeof(*set
) + size
+ udlen
, GFP_KERNEL
);
3504 name
= nla_strdup(nla
[NFTA_SET_NAME
], GFP_KERNEL
);
3510 err
= nf_tables_set_alloc_name(&ctx
, set
, name
);
3517 udata
= set
->data
+ size
;
3518 nla_memcpy(udata
, nla
[NFTA_SET_USERDATA
], udlen
);
3521 INIT_LIST_HEAD(&set
->bindings
);
3523 write_pnet(&set
->net
, net
);
3526 set
->klen
= desc
.klen
;
3528 set
->objtype
= objtype
;
3529 set
->dlen
= desc
.dlen
;
3531 set
->size
= desc
.size
;
3532 set
->policy
= policy
;
3535 set
->timeout
= timeout
;
3536 set
->gc_int
= gc_int
;
3537 set
->handle
= nf_tables_alloc_handle(table
);
3539 err
= ops
->init(set
, &desc
, nla
);
3543 err
= nft_trans_set_add(&ctx
, NFT_MSG_NEWSET
, set
);
3547 list_add_tail_rcu(&set
->list
, &table
->sets
);
3558 module_put(to_set_type(ops
)->owner
);
3562 static void nft_set_destroy(struct nft_set
*set
)
3564 set
->ops
->destroy(set
);
3565 module_put(to_set_type(set
->ops
)->owner
);
3570 static void nf_tables_set_destroy(const struct nft_ctx
*ctx
, struct nft_set
*set
)
3572 list_del_rcu(&set
->list
);
3573 nf_tables_set_notify(ctx
, set
, NFT_MSG_DELSET
, GFP_ATOMIC
);
3574 nft_set_destroy(set
);
3577 static int nf_tables_delset(struct net
*net
, struct sock
*nlsk
,
3578 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3579 const struct nlattr
* const nla
[],
3580 struct netlink_ext_ack
*extack
)
3582 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3583 u8 genmask
= nft_genmask_next(net
);
3584 const struct nlattr
*attr
;
3585 struct nft_set
*set
;
3589 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
3590 return -EAFNOSUPPORT
;
3591 if (nla
[NFTA_SET_TABLE
] == NULL
)
3594 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
3599 if (nla
[NFTA_SET_HANDLE
]) {
3600 attr
= nla
[NFTA_SET_HANDLE
];
3601 set
= nft_set_lookup_byhandle(ctx
.table
, attr
, genmask
);
3603 attr
= nla
[NFTA_SET_NAME
];
3604 set
= nft_set_lookup(ctx
.table
, attr
, genmask
);
3608 NL_SET_BAD_ATTR(extack
, attr
);
3609 return PTR_ERR(set
);
3611 if (!list_empty(&set
->bindings
) ||
3612 (nlh
->nlmsg_flags
& NLM_F_NONREC
&& atomic_read(&set
->nelems
) > 0)) {
3613 NL_SET_BAD_ATTR(extack
, attr
);
3617 return nft_delset(&ctx
, set
);
3620 static int nf_tables_bind_check_setelem(const struct nft_ctx
*ctx
,
3621 struct nft_set
*set
,
3622 const struct nft_set_iter
*iter
,
3623 struct nft_set_elem
*elem
)
3625 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
3626 enum nft_registers dreg
;
3628 dreg
= nft_type_to_reg(set
->dtype
);
3629 return nft_validate_register_store(ctx
, dreg
, nft_set_ext_data(ext
),
3630 set
->dtype
== NFT_DATA_VERDICT
?
3631 NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
3635 int nf_tables_bind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
3636 struct nft_set_binding
*binding
)
3638 struct nft_set_binding
*i
;
3639 struct nft_set_iter iter
;
3641 if (!list_empty(&set
->bindings
) && nft_set_is_anonymous(set
))
3644 if (binding
->flags
& NFT_SET_MAP
) {
3645 /* If the set is already bound to the same chain all
3646 * jumps are already validated for that chain.
3648 list_for_each_entry(i
, &set
->bindings
, list
) {
3649 if (i
->flags
& NFT_SET_MAP
&&
3650 i
->chain
== binding
->chain
)
3654 iter
.genmask
= nft_genmask_next(ctx
->net
);
3658 iter
.fn
= nf_tables_bind_check_setelem
;
3660 set
->ops
->walk(ctx
, set
, &iter
);
3665 binding
->chain
= ctx
->chain
;
3666 list_add_tail_rcu(&binding
->list
, &set
->bindings
);
3669 EXPORT_SYMBOL_GPL(nf_tables_bind_set
);
3671 void nf_tables_unbind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
3672 struct nft_set_binding
*binding
)
3674 list_del_rcu(&binding
->list
);
3676 if (list_empty(&set
->bindings
) && nft_set_is_anonymous(set
) &&
3677 nft_is_active(ctx
->net
, set
))
3678 nf_tables_set_destroy(ctx
, set
);
3680 EXPORT_SYMBOL_GPL(nf_tables_unbind_set
);
3682 const struct nft_set_ext_type nft_set_ext_types
[] = {
3683 [NFT_SET_EXT_KEY
] = {
3684 .align
= __alignof__(u32
),
3686 [NFT_SET_EXT_DATA
] = {
3687 .align
= __alignof__(u32
),
3689 [NFT_SET_EXT_EXPR
] = {
3690 .align
= __alignof__(struct nft_expr
),
3692 [NFT_SET_EXT_OBJREF
] = {
3693 .len
= sizeof(struct nft_object
*),
3694 .align
= __alignof__(struct nft_object
*),
3696 [NFT_SET_EXT_FLAGS
] = {
3698 .align
= __alignof__(u8
),
3700 [NFT_SET_EXT_TIMEOUT
] = {
3702 .align
= __alignof__(u64
),
3704 [NFT_SET_EXT_EXPIRATION
] = {
3706 .align
= __alignof__(u64
),
3708 [NFT_SET_EXT_USERDATA
] = {
3709 .len
= sizeof(struct nft_userdata
),
3710 .align
= __alignof__(struct nft_userdata
),
3713 EXPORT_SYMBOL_GPL(nft_set_ext_types
);
3719 static const struct nla_policy nft_set_elem_policy
[NFTA_SET_ELEM_MAX
+ 1] = {
3720 [NFTA_SET_ELEM_KEY
] = { .type
= NLA_NESTED
},
3721 [NFTA_SET_ELEM_DATA
] = { .type
= NLA_NESTED
},
3722 [NFTA_SET_ELEM_FLAGS
] = { .type
= NLA_U32
},
3723 [NFTA_SET_ELEM_TIMEOUT
] = { .type
= NLA_U64
},
3724 [NFTA_SET_ELEM_USERDATA
] = { .type
= NLA_BINARY
,
3725 .len
= NFT_USERDATA_MAXLEN
},
3726 [NFTA_SET_ELEM_EXPR
] = { .type
= NLA_NESTED
},
3727 [NFTA_SET_ELEM_OBJREF
] = { .type
= NLA_STRING
},
3730 static const struct nla_policy nft_set_elem_list_policy
[NFTA_SET_ELEM_LIST_MAX
+ 1] = {
3731 [NFTA_SET_ELEM_LIST_TABLE
] = { .type
= NLA_STRING
,
3732 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
3733 [NFTA_SET_ELEM_LIST_SET
] = { .type
= NLA_STRING
,
3734 .len
= NFT_SET_MAXNAMELEN
- 1 },
3735 [NFTA_SET_ELEM_LIST_ELEMENTS
] = { .type
= NLA_NESTED
},
3736 [NFTA_SET_ELEM_LIST_SET_ID
] = { .type
= NLA_U32
},
3739 static int nft_ctx_init_from_elemattr(struct nft_ctx
*ctx
, struct net
*net
,
3740 const struct sk_buff
*skb
,
3741 const struct nlmsghdr
*nlh
,
3742 const struct nlattr
* const nla
[],
3743 struct netlink_ext_ack
*extack
,
3746 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3747 int family
= nfmsg
->nfgen_family
;
3748 struct nft_table
*table
;
3750 table
= nft_table_lookup(net
, nla
[NFTA_SET_ELEM_LIST_TABLE
], family
,
3752 if (IS_ERR(table
)) {
3753 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_ELEM_LIST_TABLE
]);
3754 return PTR_ERR(table
);
3757 nft_ctx_init(ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
3761 static int nf_tables_fill_setelem(struct sk_buff
*skb
,
3762 const struct nft_set
*set
,
3763 const struct nft_set_elem
*elem
)
3765 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
3766 unsigned char *b
= skb_tail_pointer(skb
);
3767 struct nlattr
*nest
;
3769 nest
= nla_nest_start(skb
, NFTA_LIST_ELEM
);
3771 goto nla_put_failure
;
3773 if (nft_data_dump(skb
, NFTA_SET_ELEM_KEY
, nft_set_ext_key(ext
),
3774 NFT_DATA_VALUE
, set
->klen
) < 0)
3775 goto nla_put_failure
;
3777 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
3778 nft_data_dump(skb
, NFTA_SET_ELEM_DATA
, nft_set_ext_data(ext
),
3779 set
->dtype
== NFT_DATA_VERDICT
? NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
3781 goto nla_put_failure
;
3783 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
) &&
3784 nft_expr_dump(skb
, NFTA_SET_ELEM_EXPR
, nft_set_ext_expr(ext
)) < 0)
3785 goto nla_put_failure
;
3787 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) &&
3788 nla_put_string(skb
, NFTA_SET_ELEM_OBJREF
,
3789 (*nft_set_ext_obj(ext
))->name
) < 0)
3790 goto nla_put_failure
;
3792 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
3793 nla_put_be32(skb
, NFTA_SET_ELEM_FLAGS
,
3794 htonl(*nft_set_ext_flags(ext
))))
3795 goto nla_put_failure
;
3797 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
) &&
3798 nla_put_be64(skb
, NFTA_SET_ELEM_TIMEOUT
,
3799 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext
)),
3801 goto nla_put_failure
;
3803 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
)) {
3804 u64 expires
, now
= get_jiffies_64();
3806 expires
= *nft_set_ext_expiration(ext
);
3807 if (time_before64(now
, expires
))
3812 if (nla_put_be64(skb
, NFTA_SET_ELEM_EXPIRATION
,
3813 nf_jiffies64_to_msecs(expires
),
3815 goto nla_put_failure
;
3818 if (nft_set_ext_exists(ext
, NFT_SET_EXT_USERDATA
)) {
3819 struct nft_userdata
*udata
;
3821 udata
= nft_set_ext_userdata(ext
);
3822 if (nla_put(skb
, NFTA_SET_ELEM_USERDATA
,
3823 udata
->len
+ 1, udata
->data
))
3824 goto nla_put_failure
;
3827 nla_nest_end(skb
, nest
);
3835 struct nft_set_dump_args
{
3836 const struct netlink_callback
*cb
;
3837 struct nft_set_iter iter
;
3838 struct sk_buff
*skb
;
3841 static int nf_tables_dump_setelem(const struct nft_ctx
*ctx
,
3842 struct nft_set
*set
,
3843 const struct nft_set_iter
*iter
,
3844 struct nft_set_elem
*elem
)
3846 struct nft_set_dump_args
*args
;
3848 args
= container_of(iter
, struct nft_set_dump_args
, iter
);
3849 return nf_tables_fill_setelem(args
->skb
, set
, elem
);
3852 struct nft_set_dump_ctx
{
3853 const struct nft_set
*set
;
3857 static int nf_tables_dump_set(struct sk_buff
*skb
, struct netlink_callback
*cb
)
3859 struct nft_set_dump_ctx
*dump_ctx
= cb
->data
;
3860 struct net
*net
= sock_net(skb
->sk
);
3861 struct nft_table
*table
;
3862 struct nft_set
*set
;
3863 struct nft_set_dump_args args
;
3864 bool set_found
= false;
3865 struct nfgenmsg
*nfmsg
;
3866 struct nlmsghdr
*nlh
;
3867 struct nlattr
*nest
;
3872 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
3873 if (dump_ctx
->ctx
.family
!= NFPROTO_UNSPEC
&&
3874 dump_ctx
->ctx
.family
!= table
->family
)
3877 if (table
!= dump_ctx
->ctx
.table
)
3880 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
3881 if (set
== dump_ctx
->set
) {
3894 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, NFT_MSG_NEWSETELEM
);
3895 portid
= NETLINK_CB(cb
->skb
).portid
;
3896 seq
= cb
->nlh
->nlmsg_seq
;
3898 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3901 goto nla_put_failure
;
3903 nfmsg
= nlmsg_data(nlh
);
3904 nfmsg
->nfgen_family
= table
->family
;
3905 nfmsg
->version
= NFNETLINK_V0
;
3906 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
3908 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_TABLE
, table
->name
))
3909 goto nla_put_failure
;
3910 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_SET
, set
->name
))
3911 goto nla_put_failure
;
3913 nest
= nla_nest_start(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
3915 goto nla_put_failure
;
3919 args
.iter
.genmask
= nft_genmask_cur(net
);
3920 args
.iter
.skip
= cb
->args
[0];
3921 args
.iter
.count
= 0;
3923 args
.iter
.fn
= nf_tables_dump_setelem
;
3924 set
->ops
->walk(&dump_ctx
->ctx
, set
, &args
.iter
);
3927 nla_nest_end(skb
, nest
);
3928 nlmsg_end(skb
, nlh
);
3930 if (args
.iter
.err
&& args
.iter
.err
!= -EMSGSIZE
)
3931 return args
.iter
.err
;
3932 if (args
.iter
.count
== cb
->args
[0])
3935 cb
->args
[0] = args
.iter
.count
;
3943 static int nf_tables_dump_set_start(struct netlink_callback
*cb
)
3945 struct nft_set_dump_ctx
*dump_ctx
= cb
->data
;
3947 cb
->data
= kmemdup(dump_ctx
, sizeof(*dump_ctx
), GFP_ATOMIC
);
3949 return cb
->data
? 0 : -ENOMEM
;
3952 static int nf_tables_dump_set_done(struct netlink_callback
*cb
)
3958 static int nf_tables_fill_setelem_info(struct sk_buff
*skb
,
3959 const struct nft_ctx
*ctx
, u32 seq
,
3960 u32 portid
, int event
, u16 flags
,
3961 const struct nft_set
*set
,
3962 const struct nft_set_elem
*elem
)
3964 struct nfgenmsg
*nfmsg
;
3965 struct nlmsghdr
*nlh
;
3966 struct nlattr
*nest
;
3969 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
3970 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3973 goto nla_put_failure
;
3975 nfmsg
= nlmsg_data(nlh
);
3976 nfmsg
->nfgen_family
= ctx
->family
;
3977 nfmsg
->version
= NFNETLINK_V0
;
3978 nfmsg
->res_id
= htons(ctx
->net
->nft
.base_seq
& 0xffff);
3980 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
3981 goto nla_put_failure
;
3982 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
3983 goto nla_put_failure
;
3985 nest
= nla_nest_start(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
3987 goto nla_put_failure
;
3989 err
= nf_tables_fill_setelem(skb
, set
, elem
);
3991 goto nla_put_failure
;
3993 nla_nest_end(skb
, nest
);
3995 nlmsg_end(skb
, nlh
);
3999 nlmsg_trim(skb
, nlh
);
4003 static int nft_setelem_parse_flags(const struct nft_set
*set
,
4004 const struct nlattr
*attr
, u32
*flags
)
4009 *flags
= ntohl(nla_get_be32(attr
));
4010 if (*flags
& ~NFT_SET_ELEM_INTERVAL_END
)
4012 if (!(set
->flags
& NFT_SET_INTERVAL
) &&
4013 *flags
& NFT_SET_ELEM_INTERVAL_END
)
4019 static int nft_get_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
4020 const struct nlattr
*attr
)
4022 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
4023 struct nft_data_desc desc
;
4024 struct nft_set_elem elem
;
4025 struct sk_buff
*skb
;
4030 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
4031 nft_set_elem_policy
, NULL
);
4035 if (!nla
[NFTA_SET_ELEM_KEY
])
4038 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
4042 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &desc
,
4043 nla
[NFTA_SET_ELEM_KEY
]);
4048 if (desc
.type
!= NFT_DATA_VALUE
|| desc
.len
!= set
->klen
)
4051 priv
= set
->ops
->get(ctx
->net
, set
, &elem
, flags
);
4053 return PTR_ERR(priv
);
4058 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_ATOMIC
);
4062 err
= nf_tables_fill_setelem_info(skb
, ctx
, ctx
->seq
, ctx
->portid
,
4063 NFT_MSG_NEWSETELEM
, 0, set
, &elem
);
4067 err
= nfnetlink_unicast(skb
, ctx
->net
, ctx
->portid
, MSG_DONTWAIT
);
4068 /* This avoids a loop in nfnetlink. */
4076 /* this avoids a loop in nfnetlink. */
4077 return err
== -EAGAIN
? -ENOBUFS
: err
;
4080 /* called with rcu_read_lock held */
4081 static int nf_tables_getsetelem(struct net
*net
, struct sock
*nlsk
,
4082 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4083 const struct nlattr
* const nla
[],
4084 struct netlink_ext_ack
*extack
)
4086 u8 genmask
= nft_genmask_cur(net
);
4087 struct nft_set
*set
;
4088 struct nlattr
*attr
;
4092 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
4097 set
= nft_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
], genmask
);
4099 return PTR_ERR(set
);
4101 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
4102 struct netlink_dump_control c
= {
4103 .start
= nf_tables_dump_set_start
,
4104 .dump
= nf_tables_dump_set
,
4105 .done
= nf_tables_dump_set_done
,
4106 .module
= THIS_MODULE
,
4108 struct nft_set_dump_ctx dump_ctx
= {
4114 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
4117 if (!nla
[NFTA_SET_ELEM_LIST_ELEMENTS
])
4120 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
4121 err
= nft_get_set_elem(&ctx
, set
, attr
);
4129 static void nf_tables_setelem_notify(const struct nft_ctx
*ctx
,
4130 const struct nft_set
*set
,
4131 const struct nft_set_elem
*elem
,
4132 int event
, u16 flags
)
4134 struct net
*net
= ctx
->net
;
4135 u32 portid
= ctx
->portid
;
4136 struct sk_buff
*skb
;
4139 if (!ctx
->report
&& !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
4142 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
4146 err
= nf_tables_fill_setelem_info(skb
, ctx
, 0, portid
, event
, flags
,
4153 nfnetlink_send(skb
, net
, portid
, NFNLGRP_NFTABLES
, ctx
->report
,
4157 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
4160 static struct nft_trans
*nft_trans_elem_alloc(struct nft_ctx
*ctx
,
4162 struct nft_set
*set
)
4164 struct nft_trans
*trans
;
4166 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_elem
));
4170 nft_trans_elem_set(trans
) = set
;
4174 void *nft_set_elem_init(const struct nft_set
*set
,
4175 const struct nft_set_ext_tmpl
*tmpl
,
4176 const u32
*key
, const u32
*data
,
4177 u64 timeout
, gfp_t gfp
)
4179 struct nft_set_ext
*ext
;
4182 elem
= kzalloc(set
->ops
->elemsize
+ tmpl
->len
, gfp
);
4186 ext
= nft_set_elem_ext(set
, elem
);
4187 nft_set_ext_init(ext
, tmpl
);
4189 memcpy(nft_set_ext_key(ext
), key
, set
->klen
);
4190 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
4191 memcpy(nft_set_ext_data(ext
), data
, set
->dlen
);
4192 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
))
4193 *nft_set_ext_expiration(ext
) =
4194 get_jiffies_64() + timeout
;
4195 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
))
4196 *nft_set_ext_timeout(ext
) = timeout
;
4201 void nft_set_elem_destroy(const struct nft_set
*set
, void *elem
,
4204 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
4205 struct nft_ctx ctx
= {
4206 .net
= read_pnet(&set
->net
),
4207 .family
= set
->table
->family
,
4210 nft_data_release(nft_set_ext_key(ext
), NFT_DATA_VALUE
);
4211 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
4212 nft_data_release(nft_set_ext_data(ext
), set
->dtype
);
4213 if (destroy_expr
&& nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
)) {
4214 struct nft_expr
*expr
= nft_set_ext_expr(ext
);
4216 if (expr
->ops
->destroy_clone
) {
4217 expr
->ops
->destroy_clone(&ctx
, expr
);
4218 module_put(expr
->ops
->type
->owner
);
4220 nf_tables_expr_destroy(&ctx
, expr
);
4223 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
4224 (*nft_set_ext_obj(ext
))->use
--;
4227 EXPORT_SYMBOL_GPL(nft_set_elem_destroy
);
4229 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4230 * the refcounting from the preparation phase.
4232 static void nf_tables_set_elem_destroy(const struct nft_ctx
*ctx
,
4233 const struct nft_set
*set
, void *elem
)
4235 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
4237 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
))
4238 nf_tables_expr_destroy(ctx
, nft_set_ext_expr(ext
));
4242 static int nft_add_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
4243 const struct nlattr
*attr
, u32 nlmsg_flags
)
4245 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
4246 u8 genmask
= nft_genmask_next(ctx
->net
);
4247 struct nft_data_desc d1
, d2
;
4248 struct nft_set_ext_tmpl tmpl
;
4249 struct nft_set_ext
*ext
, *ext2
;
4250 struct nft_set_elem elem
;
4251 struct nft_set_binding
*binding
;
4252 struct nft_object
*obj
= NULL
;
4253 struct nft_userdata
*udata
;
4254 struct nft_data data
;
4255 enum nft_registers dreg
;
4256 struct nft_trans
*trans
;
4262 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
4263 nft_set_elem_policy
, NULL
);
4267 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
4270 nft_set_ext_prepare(&tmpl
);
4272 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
4276 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
4278 if (set
->flags
& NFT_SET_MAP
) {
4279 if (nla
[NFTA_SET_ELEM_DATA
] == NULL
&&
4280 !(flags
& NFT_SET_ELEM_INTERVAL_END
))
4282 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
&&
4283 flags
& NFT_SET_ELEM_INTERVAL_END
)
4286 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
4291 if (nla
[NFTA_SET_ELEM_TIMEOUT
] != NULL
) {
4292 if (!(set
->flags
& NFT_SET_TIMEOUT
))
4294 err
= nf_msecs_to_jiffies64(nla
[NFTA_SET_ELEM_TIMEOUT
],
4298 } else if (set
->flags
& NFT_SET_TIMEOUT
) {
4299 timeout
= set
->timeout
;
4302 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &d1
,
4303 nla
[NFTA_SET_ELEM_KEY
]);
4307 if (d1
.type
!= NFT_DATA_VALUE
|| d1
.len
!= set
->klen
)
4310 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, d1
.len
);
4312 nft_set_ext_add(&tmpl
, NFT_SET_EXT_EXPIRATION
);
4313 if (timeout
!= set
->timeout
)
4314 nft_set_ext_add(&tmpl
, NFT_SET_EXT_TIMEOUT
);
4317 if (nla
[NFTA_SET_ELEM_OBJREF
] != NULL
) {
4318 if (!(set
->flags
& NFT_SET_OBJECT
)) {
4322 obj
= nft_obj_lookup(ctx
->table
, nla
[NFTA_SET_ELEM_OBJREF
],
4323 set
->objtype
, genmask
);
4328 nft_set_ext_add(&tmpl
, NFT_SET_EXT_OBJREF
);
4331 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
) {
4332 err
= nft_data_init(ctx
, &data
, sizeof(data
), &d2
,
4333 nla
[NFTA_SET_ELEM_DATA
]);
4338 if (set
->dtype
!= NFT_DATA_VERDICT
&& d2
.len
!= set
->dlen
)
4341 dreg
= nft_type_to_reg(set
->dtype
);
4342 list_for_each_entry(binding
, &set
->bindings
, list
) {
4343 struct nft_ctx bind_ctx
= {
4345 .family
= ctx
->family
,
4346 .table
= ctx
->table
,
4347 .chain
= (struct nft_chain
*)binding
->chain
,
4350 if (!(binding
->flags
& NFT_SET_MAP
))
4353 err
= nft_validate_register_store(&bind_ctx
, dreg
,
4359 if (d2
.type
== NFT_DATA_VERDICT
&&
4360 (data
.verdict
.code
== NFT_GOTO
||
4361 data
.verdict
.code
== NFT_JUMP
))
4362 nft_validate_state_update(ctx
->net
,
4366 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_DATA
, d2
.len
);
4369 /* The full maximum length of userdata can exceed the maximum
4370 * offset value (U8_MAX) for following extensions, therefor it
4371 * must be the last extension added.
4374 if (nla
[NFTA_SET_ELEM_USERDATA
] != NULL
) {
4375 ulen
= nla_len(nla
[NFTA_SET_ELEM_USERDATA
]);
4377 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_USERDATA
,
4382 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
, data
.data
,
4383 timeout
, GFP_KERNEL
);
4384 if (elem
.priv
== NULL
)
4387 ext
= nft_set_elem_ext(set
, elem
.priv
);
4389 *nft_set_ext_flags(ext
) = flags
;
4391 udata
= nft_set_ext_userdata(ext
);
4392 udata
->len
= ulen
- 1;
4393 nla_memcpy(&udata
->data
, nla
[NFTA_SET_ELEM_USERDATA
], ulen
);
4396 *nft_set_ext_obj(ext
) = obj
;
4400 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_NEWSETELEM
, set
);
4404 ext
->genmask
= nft_genmask_cur(ctx
->net
) | NFT_SET_ELEM_BUSY_MASK
;
4405 err
= set
->ops
->insert(ctx
->net
, set
, &elem
, &ext2
);
4407 if (err
== -EEXIST
) {
4408 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) ^
4409 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) ||
4410 nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) ^
4411 nft_set_ext_exists(ext2
, NFT_SET_EXT_OBJREF
)) {
4415 if ((nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
4416 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) &&
4417 memcmp(nft_set_ext_data(ext
),
4418 nft_set_ext_data(ext2
), set
->dlen
) != 0) ||
4419 (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) &&
4420 nft_set_ext_exists(ext2
, NFT_SET_EXT_OBJREF
) &&
4421 *nft_set_ext_obj(ext
) != *nft_set_ext_obj(ext2
)))
4423 else if (!(nlmsg_flags
& NLM_F_EXCL
))
4430 !atomic_add_unless(&set
->nelems
, 1, set
->size
+ set
->ndeact
)) {
4435 nft_trans_elem(trans
) = elem
;
4436 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
4440 set
->ops
->remove(ctx
->net
, set
, &elem
);
4446 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
4447 nft_data_release(&data
, d2
.type
);
4449 nft_data_release(&elem
.key
.val
, d1
.type
);
4454 static int nf_tables_newsetelem(struct net
*net
, struct sock
*nlsk
,
4455 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4456 const struct nlattr
* const nla
[],
4457 struct netlink_ext_ack
*extack
)
4459 u8 genmask
= nft_genmask_next(net
);
4460 const struct nlattr
*attr
;
4461 struct nft_set
*set
;
4465 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
)
4468 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
4473 set
= nft_set_lookup_global(net
, ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
4474 nla
[NFTA_SET_ELEM_LIST_SET_ID
], genmask
);
4476 return PTR_ERR(set
);
4478 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
4481 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
4482 err
= nft_add_set_elem(&ctx
, set
, attr
, nlh
->nlmsg_flags
);
4487 if (net
->nft
.validate_state
== NFT_VALIDATE_DO
)
4488 return nft_table_validate(net
, ctx
.table
);
4494 * nft_data_hold - hold a nft_data item
4496 * @data: struct nft_data to release
4497 * @type: type of data
4499 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4500 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4501 * NFT_GOTO verdicts. This function must be called on active data objects
4502 * from the second phase of the commit protocol.
4504 void nft_data_hold(const struct nft_data
*data
, enum nft_data_types type
)
4506 if (type
== NFT_DATA_VERDICT
) {
4507 switch (data
->verdict
.code
) {
4510 data
->verdict
.chain
->use
++;
4516 static void nft_set_elem_activate(const struct net
*net
,
4517 const struct nft_set
*set
,
4518 struct nft_set_elem
*elem
)
4520 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
4522 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
4523 nft_data_hold(nft_set_ext_data(ext
), set
->dtype
);
4524 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
4525 (*nft_set_ext_obj(ext
))->use
++;
4528 static void nft_set_elem_deactivate(const struct net
*net
,
4529 const struct nft_set
*set
,
4530 struct nft_set_elem
*elem
)
4532 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
4534 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
4535 nft_data_release(nft_set_ext_data(ext
), set
->dtype
);
4536 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
4537 (*nft_set_ext_obj(ext
))->use
--;
4540 static int nft_del_setelem(struct nft_ctx
*ctx
, struct nft_set
*set
,
4541 const struct nlattr
*attr
)
4543 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
4544 struct nft_set_ext_tmpl tmpl
;
4545 struct nft_data_desc desc
;
4546 struct nft_set_elem elem
;
4547 struct nft_set_ext
*ext
;
4548 struct nft_trans
*trans
;
4553 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
4554 nft_set_elem_policy
, NULL
);
4559 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
4562 nft_set_ext_prepare(&tmpl
);
4564 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
4568 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
4570 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &desc
,
4571 nla
[NFTA_SET_ELEM_KEY
]);
4576 if (desc
.type
!= NFT_DATA_VALUE
|| desc
.len
!= set
->klen
)
4579 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, desc
.len
);
4582 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
, NULL
, 0,
4584 if (elem
.priv
== NULL
)
4587 ext
= nft_set_elem_ext(set
, elem
.priv
);
4589 *nft_set_ext_flags(ext
) = flags
;
4591 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_DELSETELEM
, set
);
4592 if (trans
== NULL
) {
4597 priv
= set
->ops
->deactivate(ctx
->net
, set
, &elem
);
4605 nft_set_elem_deactivate(ctx
->net
, set
, &elem
);
4607 nft_trans_elem(trans
) = elem
;
4608 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
4616 nft_data_release(&elem
.key
.val
, desc
.type
);
4621 static int nft_flush_set(const struct nft_ctx
*ctx
,
4622 struct nft_set
*set
,
4623 const struct nft_set_iter
*iter
,
4624 struct nft_set_elem
*elem
)
4626 struct nft_trans
*trans
;
4629 trans
= nft_trans_alloc_gfp(ctx
, NFT_MSG_DELSETELEM
,
4630 sizeof(struct nft_trans_elem
), GFP_ATOMIC
);
4634 if (!set
->ops
->flush(ctx
->net
, set
, elem
->priv
)) {
4640 nft_set_elem_deactivate(ctx
->net
, set
, elem
);
4641 nft_trans_elem_set(trans
) = set
;
4642 nft_trans_elem(trans
) = *elem
;
4643 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
4651 static int nf_tables_delsetelem(struct net
*net
, struct sock
*nlsk
,
4652 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4653 const struct nlattr
* const nla
[],
4654 struct netlink_ext_ack
*extack
)
4656 u8 genmask
= nft_genmask_next(net
);
4657 const struct nlattr
*attr
;
4658 struct nft_set
*set
;
4662 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
4667 set
= nft_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
], genmask
);
4669 return PTR_ERR(set
);
4670 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
4673 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
) {
4674 struct nft_set_iter iter
= {
4676 .fn
= nft_flush_set
,
4678 set
->ops
->walk(&ctx
, set
, &iter
);
4683 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
4684 err
= nft_del_setelem(&ctx
, set
, attr
);
4693 void nft_set_gc_batch_release(struct rcu_head
*rcu
)
4695 struct nft_set_gc_batch
*gcb
;
4698 gcb
= container_of(rcu
, struct nft_set_gc_batch
, head
.rcu
);
4699 for (i
= 0; i
< gcb
->head
.cnt
; i
++)
4700 nft_set_elem_destroy(gcb
->head
.set
, gcb
->elems
[i
], true);
4703 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release
);
4705 struct nft_set_gc_batch
*nft_set_gc_batch_alloc(const struct nft_set
*set
,
4708 struct nft_set_gc_batch
*gcb
;
4710 gcb
= kzalloc(sizeof(*gcb
), gfp
);
4713 gcb
->head
.set
= set
;
4716 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc
);
4723 * nft_register_obj- register nf_tables stateful object type
4726 * Registers the object type for use with nf_tables. Returns zero on
4727 * success or a negative errno code otherwise.
4729 int nft_register_obj(struct nft_object_type
*obj_type
)
4731 if (obj_type
->type
== NFT_OBJECT_UNSPEC
)
4734 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
4735 list_add_rcu(&obj_type
->list
, &nf_tables_objects
);
4736 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
4739 EXPORT_SYMBOL_GPL(nft_register_obj
);
4742 * nft_unregister_obj - unregister nf_tables object type
4745 * Unregisters the object type for use with nf_tables.
4747 void nft_unregister_obj(struct nft_object_type
*obj_type
)
4749 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
4750 list_del_rcu(&obj_type
->list
);
4751 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
4753 EXPORT_SYMBOL_GPL(nft_unregister_obj
);
4755 struct nft_object
*nft_obj_lookup(const struct nft_table
*table
,
4756 const struct nlattr
*nla
, u32 objtype
,
4759 struct nft_object
*obj
;
4761 list_for_each_entry_rcu(obj
, &table
->objects
, list
) {
4762 if (!nla_strcmp(nla
, obj
->name
) &&
4763 objtype
== obj
->ops
->type
->type
&&
4764 nft_active_genmask(obj
, genmask
))
4767 return ERR_PTR(-ENOENT
);
4769 EXPORT_SYMBOL_GPL(nft_obj_lookup
);
4771 static struct nft_object
*nft_obj_lookup_byhandle(const struct nft_table
*table
,
4772 const struct nlattr
*nla
,
4773 u32 objtype
, u8 genmask
)
4775 struct nft_object
*obj
;
4777 list_for_each_entry(obj
, &table
->objects
, list
) {
4778 if (be64_to_cpu(nla_get_be64(nla
)) == obj
->handle
&&
4779 objtype
== obj
->ops
->type
->type
&&
4780 nft_active_genmask(obj
, genmask
))
4783 return ERR_PTR(-ENOENT
);
4786 static const struct nla_policy nft_obj_policy
[NFTA_OBJ_MAX
+ 1] = {
4787 [NFTA_OBJ_TABLE
] = { .type
= NLA_STRING
,
4788 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
4789 [NFTA_OBJ_NAME
] = { .type
= NLA_STRING
,
4790 .len
= NFT_OBJ_MAXNAMELEN
- 1 },
4791 [NFTA_OBJ_TYPE
] = { .type
= NLA_U32
},
4792 [NFTA_OBJ_DATA
] = { .type
= NLA_NESTED
},
4793 [NFTA_OBJ_HANDLE
] = { .type
= NLA_U64
},
4796 static struct nft_object
*nft_obj_init(const struct nft_ctx
*ctx
,
4797 const struct nft_object_type
*type
,
4798 const struct nlattr
*attr
)
4801 const struct nft_object_ops
*ops
;
4802 struct nft_object
*obj
;
4805 tb
= kmalloc_array(type
->maxattr
+ 1, sizeof(*tb
), GFP_KERNEL
);
4810 err
= nla_parse_nested(tb
, type
->maxattr
, attr
, type
->policy
,
4815 memset(tb
, 0, sizeof(tb
[0]) * (type
->maxattr
+ 1));
4818 if (type
->select_ops
) {
4819 ops
= type
->select_ops(ctx
, (const struct nlattr
* const *)tb
);
4829 obj
= kzalloc(sizeof(*obj
) + ops
->size
, GFP_KERNEL
);
4833 err
= ops
->init(ctx
, (const struct nlattr
* const *)tb
, obj
);
4846 return ERR_PTR(err
);
4849 static int nft_object_dump(struct sk_buff
*skb
, unsigned int attr
,
4850 struct nft_object
*obj
, bool reset
)
4852 struct nlattr
*nest
;
4854 nest
= nla_nest_start(skb
, attr
);
4856 goto nla_put_failure
;
4857 if (obj
->ops
->dump(skb
, obj
, reset
) < 0)
4858 goto nla_put_failure
;
4859 nla_nest_end(skb
, nest
);
4866 static const struct nft_object_type
*__nft_obj_type_get(u32 objtype
)
4868 const struct nft_object_type
*type
;
4870 list_for_each_entry(type
, &nf_tables_objects
, list
) {
4871 if (objtype
== type
->type
)
4877 static const struct nft_object_type
*
4878 nft_obj_type_get(struct net
*net
, u32 objtype
)
4880 const struct nft_object_type
*type
;
4882 type
= __nft_obj_type_get(objtype
);
4883 if (type
!= NULL
&& try_module_get(type
->owner
))
4886 lockdep_nfnl_nft_mutex_not_held();
4887 #ifdef CONFIG_MODULES
4889 nft_request_module(net
, "nft-obj-%u", objtype
);
4890 if (__nft_obj_type_get(objtype
))
4891 return ERR_PTR(-EAGAIN
);
4894 return ERR_PTR(-ENOENT
);
4897 static int nf_tables_newobj(struct net
*net
, struct sock
*nlsk
,
4898 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4899 const struct nlattr
* const nla
[],
4900 struct netlink_ext_ack
*extack
)
4902 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
4903 const struct nft_object_type
*type
;
4904 u8 genmask
= nft_genmask_next(net
);
4905 int family
= nfmsg
->nfgen_family
;
4906 struct nft_table
*table
;
4907 struct nft_object
*obj
;
4912 if (!nla
[NFTA_OBJ_TYPE
] ||
4913 !nla
[NFTA_OBJ_NAME
] ||
4914 !nla
[NFTA_OBJ_DATA
])
4917 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
);
4918 if (IS_ERR(table
)) {
4919 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
4920 return PTR_ERR(table
);
4923 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
4924 obj
= nft_obj_lookup(table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
4927 if (err
!= -ENOENT
) {
4928 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
4932 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
4933 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
4939 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
4941 type
= nft_obj_type_get(net
, objtype
);
4943 return PTR_ERR(type
);
4945 obj
= nft_obj_init(&ctx
, type
, nla
[NFTA_OBJ_DATA
]);
4951 obj
->handle
= nf_tables_alloc_handle(table
);
4953 obj
->name
= nla_strdup(nla
[NFTA_OBJ_NAME
], GFP_KERNEL
);
4959 err
= nft_trans_obj_add(&ctx
, NFT_MSG_NEWOBJ
, obj
);
4963 list_add_tail_rcu(&obj
->list
, &table
->objects
);
4969 if (obj
->ops
->destroy
)
4970 obj
->ops
->destroy(&ctx
, obj
);
4973 module_put(type
->owner
);
4977 static int nf_tables_fill_obj_info(struct sk_buff
*skb
, struct net
*net
,
4978 u32 portid
, u32 seq
, int event
, u32 flags
,
4979 int family
, const struct nft_table
*table
,
4980 struct nft_object
*obj
, bool reset
)
4982 struct nfgenmsg
*nfmsg
;
4983 struct nlmsghdr
*nlh
;
4985 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
4986 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
4988 goto nla_put_failure
;
4990 nfmsg
= nlmsg_data(nlh
);
4991 nfmsg
->nfgen_family
= family
;
4992 nfmsg
->version
= NFNETLINK_V0
;
4993 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
4995 if (nla_put_string(skb
, NFTA_OBJ_TABLE
, table
->name
) ||
4996 nla_put_string(skb
, NFTA_OBJ_NAME
, obj
->name
) ||
4997 nla_put_be32(skb
, NFTA_OBJ_TYPE
, htonl(obj
->ops
->type
->type
)) ||
4998 nla_put_be32(skb
, NFTA_OBJ_USE
, htonl(obj
->use
)) ||
4999 nft_object_dump(skb
, NFTA_OBJ_DATA
, obj
, reset
) ||
5000 nla_put_be64(skb
, NFTA_OBJ_HANDLE
, cpu_to_be64(obj
->handle
),
5002 goto nla_put_failure
;
5004 nlmsg_end(skb
, nlh
);
5008 nlmsg_trim(skb
, nlh
);
5012 struct nft_obj_filter
{
5017 static int nf_tables_dump_obj(struct sk_buff
*skb
, struct netlink_callback
*cb
)
5019 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
5020 const struct nft_table
*table
;
5021 unsigned int idx
= 0, s_idx
= cb
->args
[0];
5022 struct nft_obj_filter
*filter
= cb
->data
;
5023 struct net
*net
= sock_net(skb
->sk
);
5024 int family
= nfmsg
->nfgen_family
;
5025 struct nft_object
*obj
;
5028 if (NFNL_MSG_TYPE(cb
->nlh
->nlmsg_type
) == NFT_MSG_GETOBJ_RESET
)
5032 cb
->seq
= net
->nft
.base_seq
;
5034 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
5035 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
5038 list_for_each_entry_rcu(obj
, &table
->objects
, list
) {
5039 if (!nft_is_active(net
, obj
))
5044 memset(&cb
->args
[1], 0,
5045 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
5046 if (filter
&& filter
->table
&&
5047 strcmp(filter
->table
, table
->name
))
5050 filter
->type
!= NFT_OBJECT_UNSPEC
&&
5051 obj
->ops
->type
->type
!= filter
->type
)
5054 if (nf_tables_fill_obj_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
5057 NLM_F_MULTI
| NLM_F_APPEND
,
5058 table
->family
, table
,
5062 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
5074 static int nf_tables_dump_obj_start(struct netlink_callback
*cb
)
5076 const struct nlattr
* const *nla
= cb
->data
;
5077 struct nft_obj_filter
*filter
= NULL
;
5079 if (nla
[NFTA_OBJ_TABLE
] || nla
[NFTA_OBJ_TYPE
]) {
5080 filter
= kzalloc(sizeof(*filter
), GFP_ATOMIC
);
5084 if (nla
[NFTA_OBJ_TABLE
]) {
5085 filter
->table
= nla_strdup(nla
[NFTA_OBJ_TABLE
], GFP_ATOMIC
);
5086 if (!filter
->table
) {
5092 if (nla
[NFTA_OBJ_TYPE
])
5093 filter
->type
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
5100 static int nf_tables_dump_obj_done(struct netlink_callback
*cb
)
5102 struct nft_obj_filter
*filter
= cb
->data
;
5105 kfree(filter
->table
);
5112 /* called with rcu_read_lock held */
5113 static int nf_tables_getobj(struct net
*net
, struct sock
*nlsk
,
5114 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
5115 const struct nlattr
* const nla
[],
5116 struct netlink_ext_ack
*extack
)
5118 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
5119 u8 genmask
= nft_genmask_cur(net
);
5120 int family
= nfmsg
->nfgen_family
;
5121 const struct nft_table
*table
;
5122 struct nft_object
*obj
;
5123 struct sk_buff
*skb2
;
5128 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
5129 struct netlink_dump_control c
= {
5130 .start
= nf_tables_dump_obj_start
,
5131 .dump
= nf_tables_dump_obj
,
5132 .done
= nf_tables_dump_obj_done
,
5133 .module
= THIS_MODULE
,
5134 .data
= (void *)nla
,
5137 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
5140 if (!nla
[NFTA_OBJ_NAME
] ||
5141 !nla
[NFTA_OBJ_TYPE
])
5144 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
);
5145 if (IS_ERR(table
)) {
5146 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
5147 return PTR_ERR(table
);
5150 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
5151 obj
= nft_obj_lookup(table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
5153 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
5154 return PTR_ERR(obj
);
5157 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
5161 if (NFNL_MSG_TYPE(nlh
->nlmsg_type
) == NFT_MSG_GETOBJ_RESET
)
5164 err
= nf_tables_fill_obj_info(skb2
, net
, NETLINK_CB(skb
).portid
,
5165 nlh
->nlmsg_seq
, NFT_MSG_NEWOBJ
, 0,
5166 family
, table
, obj
, reset
);
5170 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
5176 static void nft_obj_destroy(const struct nft_ctx
*ctx
, struct nft_object
*obj
)
5178 if (obj
->ops
->destroy
)
5179 obj
->ops
->destroy(ctx
, obj
);
5181 module_put(obj
->ops
->type
->owner
);
5186 static int nf_tables_delobj(struct net
*net
, struct sock
*nlsk
,
5187 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
5188 const struct nlattr
* const nla
[],
5189 struct netlink_ext_ack
*extack
)
5191 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
5192 u8 genmask
= nft_genmask_next(net
);
5193 int family
= nfmsg
->nfgen_family
;
5194 const struct nlattr
*attr
;
5195 struct nft_table
*table
;
5196 struct nft_object
*obj
;
5200 if (!nla
[NFTA_OBJ_TYPE
] ||
5201 (!nla
[NFTA_OBJ_NAME
] && !nla
[NFTA_OBJ_HANDLE
]))
5204 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
);
5205 if (IS_ERR(table
)) {
5206 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
5207 return PTR_ERR(table
);
5210 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
5211 if (nla
[NFTA_OBJ_HANDLE
]) {
5212 attr
= nla
[NFTA_OBJ_HANDLE
];
5213 obj
= nft_obj_lookup_byhandle(table
, attr
, objtype
, genmask
);
5215 attr
= nla
[NFTA_OBJ_NAME
];
5216 obj
= nft_obj_lookup(table
, attr
, objtype
, genmask
);
5220 NL_SET_BAD_ATTR(extack
, attr
);
5221 return PTR_ERR(obj
);
5224 NL_SET_BAD_ATTR(extack
, attr
);
5228 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
5230 return nft_delobj(&ctx
, obj
);
5233 void nft_obj_notify(struct net
*net
, struct nft_table
*table
,
5234 struct nft_object
*obj
, u32 portid
, u32 seq
, int event
,
5235 int family
, int report
, gfp_t gfp
)
5237 struct sk_buff
*skb
;
5241 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
5244 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp
);
5248 err
= nf_tables_fill_obj_info(skb
, net
, portid
, seq
, event
, 0, family
,
5255 nfnetlink_send(skb
, net
, portid
, NFNLGRP_NFTABLES
, report
, gfp
);
5258 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
5260 EXPORT_SYMBOL_GPL(nft_obj_notify
);
5262 static void nf_tables_obj_notify(const struct nft_ctx
*ctx
,
5263 struct nft_object
*obj
, int event
)
5265 nft_obj_notify(ctx
->net
, ctx
->table
, obj
, ctx
->portid
, ctx
->seq
, event
,
5266 ctx
->family
, ctx
->report
, GFP_KERNEL
);
5272 void nft_register_flowtable_type(struct nf_flowtable_type
*type
)
5274 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
5275 list_add_tail_rcu(&type
->list
, &nf_tables_flowtables
);
5276 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
5278 EXPORT_SYMBOL_GPL(nft_register_flowtable_type
);
5280 void nft_unregister_flowtable_type(struct nf_flowtable_type
*type
)
5282 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
5283 list_del_rcu(&type
->list
);
5284 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
5286 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type
);
5288 static const struct nla_policy nft_flowtable_policy
[NFTA_FLOWTABLE_MAX
+ 1] = {
5289 [NFTA_FLOWTABLE_TABLE
] = { .type
= NLA_STRING
,
5290 .len
= NFT_NAME_MAXLEN
- 1 },
5291 [NFTA_FLOWTABLE_NAME
] = { .type
= NLA_STRING
,
5292 .len
= NFT_NAME_MAXLEN
- 1 },
5293 [NFTA_FLOWTABLE_HOOK
] = { .type
= NLA_NESTED
},
5294 [NFTA_FLOWTABLE_HANDLE
] = { .type
= NLA_U64
},
5297 struct nft_flowtable
*nft_flowtable_lookup(const struct nft_table
*table
,
5298 const struct nlattr
*nla
, u8 genmask
)
5300 struct nft_flowtable
*flowtable
;
5302 list_for_each_entry_rcu(flowtable
, &table
->flowtables
, list
) {
5303 if (!nla_strcmp(nla
, flowtable
->name
) &&
5304 nft_active_genmask(flowtable
, genmask
))
5307 return ERR_PTR(-ENOENT
);
5309 EXPORT_SYMBOL_GPL(nft_flowtable_lookup
);
5311 static struct nft_flowtable
*
5312 nft_flowtable_lookup_byhandle(const struct nft_table
*table
,
5313 const struct nlattr
*nla
, u8 genmask
)
5315 struct nft_flowtable
*flowtable
;
5317 list_for_each_entry(flowtable
, &table
->flowtables
, list
) {
5318 if (be64_to_cpu(nla_get_be64(nla
)) == flowtable
->handle
&&
5319 nft_active_genmask(flowtable
, genmask
))
5322 return ERR_PTR(-ENOENT
);
5325 static int nf_tables_parse_devices(const struct nft_ctx
*ctx
,
5326 const struct nlattr
*attr
,
5327 struct net_device
*dev_array
[], int *len
)
5329 const struct nlattr
*tmp
;
5330 struct net_device
*dev
;
5331 char ifname
[IFNAMSIZ
];
5332 int rem
, n
= 0, err
;
5334 nla_for_each_nested(tmp
, attr
, rem
) {
5335 if (nla_type(tmp
) != NFTA_DEVICE_NAME
) {
5340 nla_strlcpy(ifname
, tmp
, IFNAMSIZ
);
5341 dev
= __dev_get_by_name(ctx
->net
, ifname
);
5347 dev_array
[n
++] = dev
;
5348 if (n
== NFT_FLOWTABLE_DEVICE_MAX
) {
5362 static const struct nla_policy nft_flowtable_hook_policy
[NFTA_FLOWTABLE_HOOK_MAX
+ 1] = {
5363 [NFTA_FLOWTABLE_HOOK_NUM
] = { .type
= NLA_U32
},
5364 [NFTA_FLOWTABLE_HOOK_PRIORITY
] = { .type
= NLA_U32
},
5365 [NFTA_FLOWTABLE_HOOK_DEVS
] = { .type
= NLA_NESTED
},
5368 static int nf_tables_flowtable_parse_hook(const struct nft_ctx
*ctx
,
5369 const struct nlattr
*attr
,
5370 struct nft_flowtable
*flowtable
)
5372 struct net_device
*dev_array
[NFT_FLOWTABLE_DEVICE_MAX
];
5373 struct nlattr
*tb
[NFTA_FLOWTABLE_HOOK_MAX
+ 1];
5374 struct nf_hook_ops
*ops
;
5375 int hooknum
, priority
;
5378 err
= nla_parse_nested(tb
, NFTA_FLOWTABLE_HOOK_MAX
, attr
,
5379 nft_flowtable_hook_policy
, NULL
);
5383 if (!tb
[NFTA_FLOWTABLE_HOOK_NUM
] ||
5384 !tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
] ||
5385 !tb
[NFTA_FLOWTABLE_HOOK_DEVS
])
5388 hooknum
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_NUM
]));
5389 if (hooknum
!= NF_NETDEV_INGRESS
)
5392 priority
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
]));
5394 err
= nf_tables_parse_devices(ctx
, tb
[NFTA_FLOWTABLE_HOOK_DEVS
],
5399 ops
= kcalloc(n
, sizeof(struct nf_hook_ops
), GFP_KERNEL
);
5403 flowtable
->hooknum
= hooknum
;
5404 flowtable
->priority
= priority
;
5405 flowtable
->ops
= ops
;
5406 flowtable
->ops_len
= n
;
5408 for (i
= 0; i
< n
; i
++) {
5409 flowtable
->ops
[i
].pf
= NFPROTO_NETDEV
;
5410 flowtable
->ops
[i
].hooknum
= hooknum
;
5411 flowtable
->ops
[i
].priority
= priority
;
5412 flowtable
->ops
[i
].priv
= &flowtable
->data
;
5413 flowtable
->ops
[i
].hook
= flowtable
->data
.type
->hook
;
5414 flowtable
->ops
[i
].dev
= dev_array
[i
];
5420 static const struct nf_flowtable_type
*__nft_flowtable_type_get(u8 family
)
5422 const struct nf_flowtable_type
*type
;
5424 list_for_each_entry(type
, &nf_tables_flowtables
, list
) {
5425 if (family
== type
->family
)
5431 static const struct nf_flowtable_type
*
5432 nft_flowtable_type_get(struct net
*net
, u8 family
)
5434 const struct nf_flowtable_type
*type
;
5436 type
= __nft_flowtable_type_get(family
);
5437 if (type
!= NULL
&& try_module_get(type
->owner
))
5440 lockdep_nfnl_nft_mutex_not_held();
5441 #ifdef CONFIG_MODULES
5443 nft_request_module(net
, "nf-flowtable-%u", family
);
5444 if (__nft_flowtable_type_get(family
))
5445 return ERR_PTR(-EAGAIN
);
5448 return ERR_PTR(-ENOENT
);
5451 static void nft_unregister_flowtable_net_hooks(struct net
*net
,
5452 struct nft_flowtable
*flowtable
)
5456 for (i
= 0; i
< flowtable
->ops_len
; i
++) {
5457 if (!flowtable
->ops
[i
].dev
)
5460 nf_unregister_net_hook(net
, &flowtable
->ops
[i
]);
5464 static int nf_tables_newflowtable(struct net
*net
, struct sock
*nlsk
,
5465 struct sk_buff
*skb
,
5466 const struct nlmsghdr
*nlh
,
5467 const struct nlattr
* const nla
[],
5468 struct netlink_ext_ack
*extack
)
5470 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
5471 const struct nf_flowtable_type
*type
;
5472 struct nft_flowtable
*flowtable
, *ft
;
5473 u8 genmask
= nft_genmask_next(net
);
5474 int family
= nfmsg
->nfgen_family
;
5475 struct nft_table
*table
;
5479 if (!nla
[NFTA_FLOWTABLE_TABLE
] ||
5480 !nla
[NFTA_FLOWTABLE_NAME
] ||
5481 !nla
[NFTA_FLOWTABLE_HOOK
])
5484 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
5486 if (IS_ERR(table
)) {
5487 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_TABLE
]);
5488 return PTR_ERR(table
);
5491 flowtable
= nft_flowtable_lookup(table
, nla
[NFTA_FLOWTABLE_NAME
],
5493 if (IS_ERR(flowtable
)) {
5494 err
= PTR_ERR(flowtable
);
5495 if (err
!= -ENOENT
) {
5496 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_NAME
]);
5500 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
5501 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_NAME
]);
5508 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
5510 flowtable
= kzalloc(sizeof(*flowtable
), GFP_KERNEL
);
5514 flowtable
->table
= table
;
5515 flowtable
->handle
= nf_tables_alloc_handle(table
);
5517 flowtable
->name
= nla_strdup(nla
[NFTA_FLOWTABLE_NAME
], GFP_KERNEL
);
5518 if (!flowtable
->name
) {
5523 type
= nft_flowtable_type_get(net
, family
);
5525 err
= PTR_ERR(type
);
5529 flowtable
->data
.type
= type
;
5530 err
= type
->init(&flowtable
->data
);
5534 err
= nf_tables_flowtable_parse_hook(&ctx
, nla
[NFTA_FLOWTABLE_HOOK
],
5539 for (i
= 0; i
< flowtable
->ops_len
; i
++) {
5540 if (!flowtable
->ops
[i
].dev
)
5543 list_for_each_entry(ft
, &table
->flowtables
, list
) {
5544 for (k
= 0; k
< ft
->ops_len
; k
++) {
5545 if (!ft
->ops
[k
].dev
)
5548 if (flowtable
->ops
[i
].dev
== ft
->ops
[k
].dev
&&
5549 flowtable
->ops
[i
].pf
== ft
->ops
[k
].pf
) {
5556 err
= nf_register_net_hook(net
, &flowtable
->ops
[i
]);
5561 err
= nft_trans_flowtable_add(&ctx
, NFT_MSG_NEWFLOWTABLE
, flowtable
);
5565 list_add_tail_rcu(&flowtable
->list
, &table
->flowtables
);
5570 i
= flowtable
->ops_len
;
5572 for (k
= i
- 1; k
>= 0; k
--)
5573 nf_unregister_net_hook(net
, &flowtable
->ops
[k
]);
5575 kfree(flowtable
->ops
);
5577 flowtable
->data
.type
->free(&flowtable
->data
);
5579 module_put(type
->owner
);
5581 kfree(flowtable
->name
);
5587 static int nf_tables_delflowtable(struct net
*net
, struct sock
*nlsk
,
5588 struct sk_buff
*skb
,
5589 const struct nlmsghdr
*nlh
,
5590 const struct nlattr
* const nla
[],
5591 struct netlink_ext_ack
*extack
)
5593 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
5594 u8 genmask
= nft_genmask_next(net
);
5595 int family
= nfmsg
->nfgen_family
;
5596 struct nft_flowtable
*flowtable
;
5597 const struct nlattr
*attr
;
5598 struct nft_table
*table
;
5601 if (!nla
[NFTA_FLOWTABLE_TABLE
] ||
5602 (!nla
[NFTA_FLOWTABLE_NAME
] &&
5603 !nla
[NFTA_FLOWTABLE_HANDLE
]))
5606 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
5608 if (IS_ERR(table
)) {
5609 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_TABLE
]);
5610 return PTR_ERR(table
);
5613 if (nla
[NFTA_FLOWTABLE_HANDLE
]) {
5614 attr
= nla
[NFTA_FLOWTABLE_HANDLE
];
5615 flowtable
= nft_flowtable_lookup_byhandle(table
, attr
, genmask
);
5617 attr
= nla
[NFTA_FLOWTABLE_NAME
];
5618 flowtable
= nft_flowtable_lookup(table
, attr
, genmask
);
5621 if (IS_ERR(flowtable
)) {
5622 NL_SET_BAD_ATTR(extack
, attr
);
5623 return PTR_ERR(flowtable
);
5625 if (flowtable
->use
> 0) {
5626 NL_SET_BAD_ATTR(extack
, attr
);
5630 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
5632 return nft_delflowtable(&ctx
, flowtable
);
5635 static int nf_tables_fill_flowtable_info(struct sk_buff
*skb
, struct net
*net
,
5636 u32 portid
, u32 seq
, int event
,
5637 u32 flags
, int family
,
5638 struct nft_flowtable
*flowtable
)
5640 struct nlattr
*nest
, *nest_devs
;
5641 struct nfgenmsg
*nfmsg
;
5642 struct nlmsghdr
*nlh
;
5645 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
5646 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
5648 goto nla_put_failure
;
5650 nfmsg
= nlmsg_data(nlh
);
5651 nfmsg
->nfgen_family
= family
;
5652 nfmsg
->version
= NFNETLINK_V0
;
5653 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
5655 if (nla_put_string(skb
, NFTA_FLOWTABLE_TABLE
, flowtable
->table
->name
) ||
5656 nla_put_string(skb
, NFTA_FLOWTABLE_NAME
, flowtable
->name
) ||
5657 nla_put_be32(skb
, NFTA_FLOWTABLE_USE
, htonl(flowtable
->use
)) ||
5658 nla_put_be64(skb
, NFTA_FLOWTABLE_HANDLE
, cpu_to_be64(flowtable
->handle
),
5659 NFTA_FLOWTABLE_PAD
))
5660 goto nla_put_failure
;
5662 nest
= nla_nest_start(skb
, NFTA_FLOWTABLE_HOOK
);
5663 if (nla_put_be32(skb
, NFTA_FLOWTABLE_HOOK_NUM
, htonl(flowtable
->hooknum
)) ||
5664 nla_put_be32(skb
, NFTA_FLOWTABLE_HOOK_PRIORITY
, htonl(flowtable
->priority
)))
5665 goto nla_put_failure
;
5667 nest_devs
= nla_nest_start(skb
, NFTA_FLOWTABLE_HOOK_DEVS
);
5669 goto nla_put_failure
;
5671 for (i
= 0; i
< flowtable
->ops_len
; i
++) {
5672 const struct net_device
*dev
= READ_ONCE(flowtable
->ops
[i
].dev
);
5675 nla_put_string(skb
, NFTA_DEVICE_NAME
, dev
->name
))
5676 goto nla_put_failure
;
5678 nla_nest_end(skb
, nest_devs
);
5679 nla_nest_end(skb
, nest
);
5681 nlmsg_end(skb
, nlh
);
5685 nlmsg_trim(skb
, nlh
);
5689 struct nft_flowtable_filter
{
5693 static int nf_tables_dump_flowtable(struct sk_buff
*skb
,
5694 struct netlink_callback
*cb
)
5696 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
5697 struct nft_flowtable_filter
*filter
= cb
->data
;
5698 unsigned int idx
= 0, s_idx
= cb
->args
[0];
5699 struct net
*net
= sock_net(skb
->sk
);
5700 int family
= nfmsg
->nfgen_family
;
5701 struct nft_flowtable
*flowtable
;
5702 const struct nft_table
*table
;
5705 cb
->seq
= net
->nft
.base_seq
;
5707 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
5708 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
5711 list_for_each_entry_rcu(flowtable
, &table
->flowtables
, list
) {
5712 if (!nft_is_active(net
, flowtable
))
5717 memset(&cb
->args
[1], 0,
5718 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
5719 if (filter
&& filter
->table
&&
5720 strcmp(filter
->table
, table
->name
))
5723 if (nf_tables_fill_flowtable_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
5725 NFT_MSG_NEWFLOWTABLE
,
5726 NLM_F_MULTI
| NLM_F_APPEND
,
5727 table
->family
, flowtable
) < 0)
5730 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
5742 static int nf_tables_dump_flowtable_start(struct netlink_callback
*cb
)
5744 const struct nlattr
* const *nla
= cb
->data
;
5745 struct nft_flowtable_filter
*filter
= NULL
;
5747 if (nla
[NFTA_FLOWTABLE_TABLE
]) {
5748 filter
= kzalloc(sizeof(*filter
), GFP_ATOMIC
);
5752 filter
->table
= nla_strdup(nla
[NFTA_FLOWTABLE_TABLE
],
5754 if (!filter
->table
) {
5764 static int nf_tables_dump_flowtable_done(struct netlink_callback
*cb
)
5766 struct nft_flowtable_filter
*filter
= cb
->data
;
5771 kfree(filter
->table
);
5777 /* called with rcu_read_lock held */
5778 static int nf_tables_getflowtable(struct net
*net
, struct sock
*nlsk
,
5779 struct sk_buff
*skb
,
5780 const struct nlmsghdr
*nlh
,
5781 const struct nlattr
* const nla
[],
5782 struct netlink_ext_ack
*extack
)
5784 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
5785 u8 genmask
= nft_genmask_cur(net
);
5786 int family
= nfmsg
->nfgen_family
;
5787 struct nft_flowtable
*flowtable
;
5788 const struct nft_table
*table
;
5789 struct sk_buff
*skb2
;
5792 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
5793 struct netlink_dump_control c
= {
5794 .start
= nf_tables_dump_flowtable_start
,
5795 .dump
= nf_tables_dump_flowtable
,
5796 .done
= nf_tables_dump_flowtable_done
,
5797 .module
= THIS_MODULE
,
5798 .data
= (void *)nla
,
5801 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
5804 if (!nla
[NFTA_FLOWTABLE_NAME
])
5807 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
5810 return PTR_ERR(table
);
5812 flowtable
= nft_flowtable_lookup(table
, nla
[NFTA_FLOWTABLE_NAME
],
5814 if (IS_ERR(flowtable
))
5815 return PTR_ERR(flowtable
);
5817 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
5821 err
= nf_tables_fill_flowtable_info(skb2
, net
, NETLINK_CB(skb
).portid
,
5823 NFT_MSG_NEWFLOWTABLE
, 0, family
,
5828 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
5834 static void nf_tables_flowtable_notify(struct nft_ctx
*ctx
,
5835 struct nft_flowtable
*flowtable
,
5838 struct sk_buff
*skb
;
5842 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
5845 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
5849 err
= nf_tables_fill_flowtable_info(skb
, ctx
->net
, ctx
->portid
,
5851 ctx
->family
, flowtable
);
5857 nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
5858 ctx
->report
, GFP_KERNEL
);
5861 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
5864 static void nf_tables_flowtable_destroy(struct nft_flowtable
*flowtable
)
5866 kfree(flowtable
->ops
);
5867 kfree(flowtable
->name
);
5868 flowtable
->data
.type
->free(&flowtable
->data
);
5869 module_put(flowtable
->data
.type
->owner
);
5873 static int nf_tables_fill_gen_info(struct sk_buff
*skb
, struct net
*net
,
5874 u32 portid
, u32 seq
)
5876 struct nlmsghdr
*nlh
;
5877 struct nfgenmsg
*nfmsg
;
5878 char buf
[TASK_COMM_LEN
];
5879 int event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, NFT_MSG_NEWGEN
);
5881 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), 0);
5883 goto nla_put_failure
;
5885 nfmsg
= nlmsg_data(nlh
);
5886 nfmsg
->nfgen_family
= AF_UNSPEC
;
5887 nfmsg
->version
= NFNETLINK_V0
;
5888 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
5890 if (nla_put_be32(skb
, NFTA_GEN_ID
, htonl(net
->nft
.base_seq
)) ||
5891 nla_put_be32(skb
, NFTA_GEN_PROC_PID
, htonl(task_pid_nr(current
))) ||
5892 nla_put_string(skb
, NFTA_GEN_PROC_NAME
, get_task_comm(buf
, current
)))
5893 goto nla_put_failure
;
5895 nlmsg_end(skb
, nlh
);
5899 nlmsg_trim(skb
, nlh
);
5903 static void nft_flowtable_event(unsigned long event
, struct net_device
*dev
,
5904 struct nft_flowtable
*flowtable
)
5908 for (i
= 0; i
< flowtable
->ops_len
; i
++) {
5909 if (flowtable
->ops
[i
].dev
!= dev
)
5912 nf_unregister_net_hook(dev_net(dev
), &flowtable
->ops
[i
]);
5913 flowtable
->ops
[i
].dev
= NULL
;
5918 static int nf_tables_flowtable_event(struct notifier_block
*this,
5919 unsigned long event
, void *ptr
)
5921 struct net_device
*dev
= netdev_notifier_info_to_dev(ptr
);
5922 struct nft_flowtable
*flowtable
;
5923 struct nft_table
*table
;
5926 if (event
!= NETDEV_UNREGISTER
)
5930 mutex_lock(&net
->nft
.commit_mutex
);
5931 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
5932 list_for_each_entry(flowtable
, &table
->flowtables
, list
) {
5933 nft_flowtable_event(event
, dev
, flowtable
);
5936 mutex_unlock(&net
->nft
.commit_mutex
);
5941 static struct notifier_block nf_tables_flowtable_notifier
= {
5942 .notifier_call
= nf_tables_flowtable_event
,
5945 static void nf_tables_gen_notify(struct net
*net
, struct sk_buff
*skb
,
5948 struct nlmsghdr
*nlh
= nlmsg_hdr(skb
);
5949 struct sk_buff
*skb2
;
5952 if (nlmsg_report(nlh
) &&
5953 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
5956 skb2
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
5960 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
5967 nfnetlink_send(skb2
, net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
5968 nlmsg_report(nlh
), GFP_KERNEL
);
5971 nfnetlink_set_err(net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
5975 static int nf_tables_getgen(struct net
*net
, struct sock
*nlsk
,
5976 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
5977 const struct nlattr
* const nla
[],
5978 struct netlink_ext_ack
*extack
)
5980 struct sk_buff
*skb2
;
5983 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
5987 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
5992 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
5998 static const struct nfnl_callback nf_tables_cb
[NFT_MSG_MAX
] = {
5999 [NFT_MSG_NEWTABLE
] = {
6000 .call_batch
= nf_tables_newtable
,
6001 .attr_count
= NFTA_TABLE_MAX
,
6002 .policy
= nft_table_policy
,
6004 [NFT_MSG_GETTABLE
] = {
6005 .call_rcu
= nf_tables_gettable
,
6006 .attr_count
= NFTA_TABLE_MAX
,
6007 .policy
= nft_table_policy
,
6009 [NFT_MSG_DELTABLE
] = {
6010 .call_batch
= nf_tables_deltable
,
6011 .attr_count
= NFTA_TABLE_MAX
,
6012 .policy
= nft_table_policy
,
6014 [NFT_MSG_NEWCHAIN
] = {
6015 .call_batch
= nf_tables_newchain
,
6016 .attr_count
= NFTA_CHAIN_MAX
,
6017 .policy
= nft_chain_policy
,
6019 [NFT_MSG_GETCHAIN
] = {
6020 .call_rcu
= nf_tables_getchain
,
6021 .attr_count
= NFTA_CHAIN_MAX
,
6022 .policy
= nft_chain_policy
,
6024 [NFT_MSG_DELCHAIN
] = {
6025 .call_batch
= nf_tables_delchain
,
6026 .attr_count
= NFTA_CHAIN_MAX
,
6027 .policy
= nft_chain_policy
,
6029 [NFT_MSG_NEWRULE
] = {
6030 .call_batch
= nf_tables_newrule
,
6031 .attr_count
= NFTA_RULE_MAX
,
6032 .policy
= nft_rule_policy
,
6034 [NFT_MSG_GETRULE
] = {
6035 .call_rcu
= nf_tables_getrule
,
6036 .attr_count
= NFTA_RULE_MAX
,
6037 .policy
= nft_rule_policy
,
6039 [NFT_MSG_DELRULE
] = {
6040 .call_batch
= nf_tables_delrule
,
6041 .attr_count
= NFTA_RULE_MAX
,
6042 .policy
= nft_rule_policy
,
6044 [NFT_MSG_NEWSET
] = {
6045 .call_batch
= nf_tables_newset
,
6046 .attr_count
= NFTA_SET_MAX
,
6047 .policy
= nft_set_policy
,
6049 [NFT_MSG_GETSET
] = {
6050 .call_rcu
= nf_tables_getset
,
6051 .attr_count
= NFTA_SET_MAX
,
6052 .policy
= nft_set_policy
,
6054 [NFT_MSG_DELSET
] = {
6055 .call_batch
= nf_tables_delset
,
6056 .attr_count
= NFTA_SET_MAX
,
6057 .policy
= nft_set_policy
,
6059 [NFT_MSG_NEWSETELEM
] = {
6060 .call_batch
= nf_tables_newsetelem
,
6061 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
6062 .policy
= nft_set_elem_list_policy
,
6064 [NFT_MSG_GETSETELEM
] = {
6065 .call_rcu
= nf_tables_getsetelem
,
6066 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
6067 .policy
= nft_set_elem_list_policy
,
6069 [NFT_MSG_DELSETELEM
] = {
6070 .call_batch
= nf_tables_delsetelem
,
6071 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
6072 .policy
= nft_set_elem_list_policy
,
6074 [NFT_MSG_GETGEN
] = {
6075 .call_rcu
= nf_tables_getgen
,
6077 [NFT_MSG_NEWOBJ
] = {
6078 .call_batch
= nf_tables_newobj
,
6079 .attr_count
= NFTA_OBJ_MAX
,
6080 .policy
= nft_obj_policy
,
6082 [NFT_MSG_GETOBJ
] = {
6083 .call_rcu
= nf_tables_getobj
,
6084 .attr_count
= NFTA_OBJ_MAX
,
6085 .policy
= nft_obj_policy
,
6087 [NFT_MSG_DELOBJ
] = {
6088 .call_batch
= nf_tables_delobj
,
6089 .attr_count
= NFTA_OBJ_MAX
,
6090 .policy
= nft_obj_policy
,
6092 [NFT_MSG_GETOBJ_RESET
] = {
6093 .call_rcu
= nf_tables_getobj
,
6094 .attr_count
= NFTA_OBJ_MAX
,
6095 .policy
= nft_obj_policy
,
6097 [NFT_MSG_NEWFLOWTABLE
] = {
6098 .call_batch
= nf_tables_newflowtable
,
6099 .attr_count
= NFTA_FLOWTABLE_MAX
,
6100 .policy
= nft_flowtable_policy
,
6102 [NFT_MSG_GETFLOWTABLE
] = {
6103 .call_rcu
= nf_tables_getflowtable
,
6104 .attr_count
= NFTA_FLOWTABLE_MAX
,
6105 .policy
= nft_flowtable_policy
,
6107 [NFT_MSG_DELFLOWTABLE
] = {
6108 .call_batch
= nf_tables_delflowtable
,
6109 .attr_count
= NFTA_FLOWTABLE_MAX
,
6110 .policy
= nft_flowtable_policy
,
6114 static int nf_tables_validate(struct net
*net
)
6116 struct nft_table
*table
;
6118 switch (net
->nft
.validate_state
) {
6119 case NFT_VALIDATE_SKIP
:
6121 case NFT_VALIDATE_NEED
:
6122 nft_validate_state_update(net
, NFT_VALIDATE_DO
);
6124 case NFT_VALIDATE_DO
:
6125 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
6126 if (nft_table_validate(net
, table
) < 0)
6135 static void nft_chain_commit_update(struct nft_trans
*trans
)
6137 struct nft_base_chain
*basechain
;
6139 if (nft_trans_chain_name(trans
)) {
6140 rhltable_remove(&trans
->ctx
.table
->chains_ht
,
6141 &trans
->ctx
.chain
->rhlhead
,
6142 nft_chain_ht_params
);
6143 swap(trans
->ctx
.chain
->name
, nft_trans_chain_name(trans
));
6144 rhltable_insert_key(&trans
->ctx
.table
->chains_ht
,
6145 trans
->ctx
.chain
->name
,
6146 &trans
->ctx
.chain
->rhlhead
,
6147 nft_chain_ht_params
);
6150 if (!nft_is_base_chain(trans
->ctx
.chain
))
6153 basechain
= nft_base_chain(trans
->ctx
.chain
);
6154 nft_chain_stats_replace(basechain
, nft_trans_chain_stats(trans
));
6156 switch (nft_trans_chain_policy(trans
)) {
6159 basechain
->policy
= nft_trans_chain_policy(trans
);
6164 static void nft_commit_release(struct nft_trans
*trans
)
6166 switch (trans
->msg_type
) {
6167 case NFT_MSG_DELTABLE
:
6168 nf_tables_table_destroy(&trans
->ctx
);
6170 case NFT_MSG_NEWCHAIN
:
6171 kfree(nft_trans_chain_name(trans
));
6173 case NFT_MSG_DELCHAIN
:
6174 nf_tables_chain_destroy(&trans
->ctx
);
6176 case NFT_MSG_DELRULE
:
6177 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
6179 case NFT_MSG_DELSET
:
6180 nft_set_destroy(nft_trans_set(trans
));
6182 case NFT_MSG_DELSETELEM
:
6183 nf_tables_set_elem_destroy(&trans
->ctx
,
6184 nft_trans_elem_set(trans
),
6185 nft_trans_elem(trans
).priv
);
6187 case NFT_MSG_DELOBJ
:
6188 nft_obj_destroy(&trans
->ctx
, nft_trans_obj(trans
));
6190 case NFT_MSG_DELFLOWTABLE
:
6191 nf_tables_flowtable_destroy(nft_trans_flowtable(trans
));
6197 static void nf_tables_commit_release(struct net
*net
)
6199 struct nft_trans
*trans
, *next
;
6201 if (list_empty(&net
->nft
.commit_list
))
6206 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
6207 list_del(&trans
->list
);
6208 nft_commit_release(trans
);
6212 static int nf_tables_commit_chain_prepare(struct net
*net
, struct nft_chain
*chain
)
6214 struct nft_rule
*rule
;
6215 unsigned int alloc
= 0;
6218 /* already handled or inactive chain? */
6219 if (chain
->rules_next
|| !nft_is_active_next(net
, chain
))
6222 rule
= list_entry(&chain
->rules
, struct nft_rule
, list
);
6225 list_for_each_entry_continue(rule
, &chain
->rules
, list
) {
6226 if (nft_is_active_next(net
, rule
))
6230 chain
->rules_next
= nf_tables_chain_alloc_rules(chain
, alloc
);
6231 if (!chain
->rules_next
)
6234 list_for_each_entry_continue(rule
, &chain
->rules
, list
) {
6235 if (nft_is_active_next(net
, rule
))
6236 chain
->rules_next
[i
++] = rule
;
6239 chain
->rules_next
[i
] = NULL
;
6243 static void nf_tables_commit_chain_prepare_cancel(struct net
*net
)
6245 struct nft_trans
*trans
, *next
;
6247 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
6248 struct nft_chain
*chain
= trans
->ctx
.chain
;
6250 if (trans
->msg_type
== NFT_MSG_NEWRULE
||
6251 trans
->msg_type
== NFT_MSG_DELRULE
) {
6252 kvfree(chain
->rules_next
);
6253 chain
->rules_next
= NULL
;
6258 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head
*h
)
6260 struct nft_rules_old
*o
= container_of(h
, struct nft_rules_old
, h
);
6265 static void nf_tables_commit_chain_free_rules_old(struct nft_rule
**rules
)
6267 struct nft_rule
**r
= rules
;
6268 struct nft_rules_old
*old
;
6273 r
++; /* rcu_head is after end marker */
6277 call_rcu(&old
->h
, __nf_tables_commit_chain_free_rules_old
);
6280 static void nf_tables_commit_chain_active(struct net
*net
, struct nft_chain
*chain
)
6282 struct nft_rule
**g0
, **g1
;
6285 next_genbit
= nft_gencursor_next(net
);
6287 g0
= rcu_dereference_protected(chain
->rules_gen_0
,
6288 lockdep_commit_lock_is_held(net
));
6289 g1
= rcu_dereference_protected(chain
->rules_gen_1
,
6290 lockdep_commit_lock_is_held(net
));
6292 /* No changes to this chain? */
6293 if (chain
->rules_next
== NULL
) {
6294 /* chain had no change in last or next generation */
6298 * chain had no change in this generation; make sure next
6299 * one uses same rules as current generation.
6302 rcu_assign_pointer(chain
->rules_gen_1
, g0
);
6303 nf_tables_commit_chain_free_rules_old(g1
);
6305 rcu_assign_pointer(chain
->rules_gen_0
, g1
);
6306 nf_tables_commit_chain_free_rules_old(g0
);
6313 rcu_assign_pointer(chain
->rules_gen_1
, chain
->rules_next
);
6315 rcu_assign_pointer(chain
->rules_gen_0
, chain
->rules_next
);
6317 chain
->rules_next
= NULL
;
6323 nf_tables_commit_chain_free_rules_old(g1
);
6325 nf_tables_commit_chain_free_rules_old(g0
);
6328 static void nft_chain_del(struct nft_chain
*chain
)
6330 struct nft_table
*table
= chain
->table
;
6332 WARN_ON_ONCE(rhltable_remove(&table
->chains_ht
, &chain
->rhlhead
,
6333 nft_chain_ht_params
));
6334 list_del_rcu(&chain
->list
);
6337 static int nf_tables_commit(struct net
*net
, struct sk_buff
*skb
)
6339 struct nft_trans
*trans
, *next
;
6340 struct nft_trans_elem
*te
;
6341 struct nft_chain
*chain
;
6342 struct nft_table
*table
;
6344 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6345 if (nf_tables_validate(net
) < 0)
6348 /* 1. Allocate space for next generation rules_gen_X[] */
6349 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
6352 if (trans
->msg_type
== NFT_MSG_NEWRULE
||
6353 trans
->msg_type
== NFT_MSG_DELRULE
) {
6354 chain
= trans
->ctx
.chain
;
6356 ret
= nf_tables_commit_chain_prepare(net
, chain
);
6358 nf_tables_commit_chain_prepare_cancel(net
);
6364 /* step 2. Make rules_gen_X visible to packet path */
6365 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
6366 list_for_each_entry(chain
, &table
->chains
, list
) {
6367 if (!nft_is_active_next(net
, chain
))
6369 nf_tables_commit_chain_active(net
, chain
);
6374 * Bump generation counter, invalidate any dump in progress.
6375 * Cannot fail after this point.
6377 while (++net
->nft
.base_seq
== 0);
6379 /* step 3. Start new generation, rules_gen_X now in use. */
6380 net
->nft
.gencursor
= nft_gencursor_next(net
);
6382 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
6383 switch (trans
->msg_type
) {
6384 case NFT_MSG_NEWTABLE
:
6385 if (nft_trans_table_update(trans
)) {
6386 if (!nft_trans_table_enable(trans
)) {
6387 nf_tables_table_disable(net
,
6389 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
6392 nft_clear(net
, trans
->ctx
.table
);
6394 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_NEWTABLE
);
6395 nft_trans_destroy(trans
);
6397 case NFT_MSG_DELTABLE
:
6398 list_del_rcu(&trans
->ctx
.table
->list
);
6399 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_DELTABLE
);
6401 case NFT_MSG_NEWCHAIN
:
6402 if (nft_trans_chain_update(trans
)) {
6403 nft_chain_commit_update(trans
);
6404 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
6405 /* trans destroyed after rcu grace period */
6407 nft_clear(net
, trans
->ctx
.chain
);
6408 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
6409 nft_trans_destroy(trans
);
6412 case NFT_MSG_DELCHAIN
:
6413 nft_chain_del(trans
->ctx
.chain
);
6414 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_DELCHAIN
);
6415 nf_tables_unregister_hook(trans
->ctx
.net
,
6419 case NFT_MSG_NEWRULE
:
6420 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
6421 nf_tables_rule_notify(&trans
->ctx
,
6422 nft_trans_rule(trans
),
6424 nft_trans_destroy(trans
);
6426 case NFT_MSG_DELRULE
:
6427 list_del_rcu(&nft_trans_rule(trans
)->list
);
6428 nf_tables_rule_notify(&trans
->ctx
,
6429 nft_trans_rule(trans
),
6432 case NFT_MSG_NEWSET
:
6433 nft_clear(net
, nft_trans_set(trans
));
6434 /* This avoids hitting -EBUSY when deleting the table
6435 * from the transaction.
6437 if (nft_set_is_anonymous(nft_trans_set(trans
)) &&
6438 !list_empty(&nft_trans_set(trans
)->bindings
))
6439 trans
->ctx
.table
->use
--;
6441 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
6442 NFT_MSG_NEWSET
, GFP_KERNEL
);
6443 nft_trans_destroy(trans
);
6445 case NFT_MSG_DELSET
:
6446 list_del_rcu(&nft_trans_set(trans
)->list
);
6447 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
6448 NFT_MSG_DELSET
, GFP_KERNEL
);
6450 case NFT_MSG_NEWSETELEM
:
6451 te
= (struct nft_trans_elem
*)trans
->data
;
6453 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
6454 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
6456 NFT_MSG_NEWSETELEM
, 0);
6457 nft_trans_destroy(trans
);
6459 case NFT_MSG_DELSETELEM
:
6460 te
= (struct nft_trans_elem
*)trans
->data
;
6462 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
6464 NFT_MSG_DELSETELEM
, 0);
6465 te
->set
->ops
->remove(net
, te
->set
, &te
->elem
);
6466 atomic_dec(&te
->set
->nelems
);
6469 case NFT_MSG_NEWOBJ
:
6470 nft_clear(net
, nft_trans_obj(trans
));
6471 nf_tables_obj_notify(&trans
->ctx
, nft_trans_obj(trans
),
6473 nft_trans_destroy(trans
);
6475 case NFT_MSG_DELOBJ
:
6476 list_del_rcu(&nft_trans_obj(trans
)->list
);
6477 nf_tables_obj_notify(&trans
->ctx
, nft_trans_obj(trans
),
6480 case NFT_MSG_NEWFLOWTABLE
:
6481 nft_clear(net
, nft_trans_flowtable(trans
));
6482 nf_tables_flowtable_notify(&trans
->ctx
,
6483 nft_trans_flowtable(trans
),
6484 NFT_MSG_NEWFLOWTABLE
);
6485 nft_trans_destroy(trans
);
6487 case NFT_MSG_DELFLOWTABLE
:
6488 list_del_rcu(&nft_trans_flowtable(trans
)->list
);
6489 nf_tables_flowtable_notify(&trans
->ctx
,
6490 nft_trans_flowtable(trans
),
6491 NFT_MSG_DELFLOWTABLE
);
6492 nft_unregister_flowtable_net_hooks(net
,
6493 nft_trans_flowtable(trans
));
6498 nf_tables_commit_release(net
);
6499 nf_tables_gen_notify(net
, skb
, NFT_MSG_NEWGEN
);
6500 mutex_unlock(&net
->nft
.commit_mutex
);
6505 static void nf_tables_abort_release(struct nft_trans
*trans
)
6507 switch (trans
->msg_type
) {
6508 case NFT_MSG_NEWTABLE
:
6509 nf_tables_table_destroy(&trans
->ctx
);
6511 case NFT_MSG_NEWCHAIN
:
6512 nf_tables_chain_destroy(&trans
->ctx
);
6514 case NFT_MSG_NEWRULE
:
6515 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
6517 case NFT_MSG_NEWSET
:
6518 nft_set_destroy(nft_trans_set(trans
));
6520 case NFT_MSG_NEWSETELEM
:
6521 nft_set_elem_destroy(nft_trans_elem_set(trans
),
6522 nft_trans_elem(trans
).priv
, true);
6524 case NFT_MSG_NEWOBJ
:
6525 nft_obj_destroy(&trans
->ctx
, nft_trans_obj(trans
));
6527 case NFT_MSG_NEWFLOWTABLE
:
6528 nf_tables_flowtable_destroy(nft_trans_flowtable(trans
));
6534 static int __nf_tables_abort(struct net
*net
)
6536 struct nft_trans
*trans
, *next
;
6537 struct nft_trans_elem
*te
;
6539 list_for_each_entry_safe_reverse(trans
, next
, &net
->nft
.commit_list
,
6541 switch (trans
->msg_type
) {
6542 case NFT_MSG_NEWTABLE
:
6543 if (nft_trans_table_update(trans
)) {
6544 if (nft_trans_table_enable(trans
)) {
6545 nf_tables_table_disable(net
,
6547 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
6549 nft_trans_destroy(trans
);
6551 list_del_rcu(&trans
->ctx
.table
->list
);
6554 case NFT_MSG_DELTABLE
:
6555 nft_clear(trans
->ctx
.net
, trans
->ctx
.table
);
6556 nft_trans_destroy(trans
);
6558 case NFT_MSG_NEWCHAIN
:
6559 if (nft_trans_chain_update(trans
)) {
6560 free_percpu(nft_trans_chain_stats(trans
));
6561 kfree(nft_trans_chain_name(trans
));
6562 nft_trans_destroy(trans
);
6564 trans
->ctx
.table
->use
--;
6565 nft_chain_del(trans
->ctx
.chain
);
6566 nf_tables_unregister_hook(trans
->ctx
.net
,
6571 case NFT_MSG_DELCHAIN
:
6572 trans
->ctx
.table
->use
++;
6573 nft_clear(trans
->ctx
.net
, trans
->ctx
.chain
);
6574 nft_trans_destroy(trans
);
6576 case NFT_MSG_NEWRULE
:
6577 trans
->ctx
.chain
->use
--;
6578 list_del_rcu(&nft_trans_rule(trans
)->list
);
6579 nft_rule_expr_deactivate(&trans
->ctx
, nft_trans_rule(trans
));
6581 case NFT_MSG_DELRULE
:
6582 trans
->ctx
.chain
->use
++;
6583 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
6584 nft_rule_expr_activate(&trans
->ctx
, nft_trans_rule(trans
));
6585 nft_trans_destroy(trans
);
6587 case NFT_MSG_NEWSET
:
6588 trans
->ctx
.table
->use
--;
6589 list_del_rcu(&nft_trans_set(trans
)->list
);
6591 case NFT_MSG_DELSET
:
6592 trans
->ctx
.table
->use
++;
6593 nft_clear(trans
->ctx
.net
, nft_trans_set(trans
));
6594 nft_trans_destroy(trans
);
6596 case NFT_MSG_NEWSETELEM
:
6597 te
= (struct nft_trans_elem
*)trans
->data
;
6599 te
->set
->ops
->remove(net
, te
->set
, &te
->elem
);
6600 atomic_dec(&te
->set
->nelems
);
6602 case NFT_MSG_DELSETELEM
:
6603 te
= (struct nft_trans_elem
*)trans
->data
;
6605 nft_set_elem_activate(net
, te
->set
, &te
->elem
);
6606 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
6609 nft_trans_destroy(trans
);
6611 case NFT_MSG_NEWOBJ
:
6612 trans
->ctx
.table
->use
--;
6613 list_del_rcu(&nft_trans_obj(trans
)->list
);
6615 case NFT_MSG_DELOBJ
:
6616 trans
->ctx
.table
->use
++;
6617 nft_clear(trans
->ctx
.net
, nft_trans_obj(trans
));
6618 nft_trans_destroy(trans
);
6620 case NFT_MSG_NEWFLOWTABLE
:
6621 trans
->ctx
.table
->use
--;
6622 list_del_rcu(&nft_trans_flowtable(trans
)->list
);
6623 nft_unregister_flowtable_net_hooks(net
,
6624 nft_trans_flowtable(trans
));
6626 case NFT_MSG_DELFLOWTABLE
:
6627 trans
->ctx
.table
->use
++;
6628 nft_clear(trans
->ctx
.net
, nft_trans_flowtable(trans
));
6629 nft_trans_destroy(trans
);
6636 list_for_each_entry_safe_reverse(trans
, next
,
6637 &net
->nft
.commit_list
, list
) {
6638 list_del(&trans
->list
);
6639 nf_tables_abort_release(trans
);
6645 static void nf_tables_cleanup(struct net
*net
)
6647 nft_validate_state_update(net
, NFT_VALIDATE_SKIP
);
6650 static int nf_tables_abort(struct net
*net
, struct sk_buff
*skb
)
6652 int ret
= __nf_tables_abort(net
);
6654 mutex_unlock(&net
->nft
.commit_mutex
);
6659 static bool nf_tables_valid_genid(struct net
*net
, u32 genid
)
6663 mutex_lock(&net
->nft
.commit_mutex
);
6665 genid_ok
= genid
== 0 || net
->nft
.base_seq
== genid
;
6667 mutex_unlock(&net
->nft
.commit_mutex
);
6669 /* else, commit mutex has to be released by commit or abort function */
6673 static const struct nfnetlink_subsystem nf_tables_subsys
= {
6674 .name
= "nf_tables",
6675 .subsys_id
= NFNL_SUBSYS_NFTABLES
,
6676 .cb_count
= NFT_MSG_MAX
,
6678 .commit
= nf_tables_commit
,
6679 .abort
= nf_tables_abort
,
6680 .cleanup
= nf_tables_cleanup
,
6681 .valid_genid
= nf_tables_valid_genid
,
6682 .owner
= THIS_MODULE
,
6685 int nft_chain_validate_dependency(const struct nft_chain
*chain
,
6686 enum nft_chain_types type
)
6688 const struct nft_base_chain
*basechain
;
6690 if (nft_is_base_chain(chain
)) {
6691 basechain
= nft_base_chain(chain
);
6692 if (basechain
->type
->type
!= type
)
6697 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency
);
6699 int nft_chain_validate_hooks(const struct nft_chain
*chain
,
6700 unsigned int hook_flags
)
6702 struct nft_base_chain
*basechain
;
6704 if (nft_is_base_chain(chain
)) {
6705 basechain
= nft_base_chain(chain
);
6707 if ((1 << basechain
->ops
.hooknum
) & hook_flags
)
6715 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks
);
6718 * Loop detection - walk through the ruleset beginning at the destination chain
6719 * of a new jump until either the source chain is reached (loop) or all
6720 * reachable chains have been traversed.
6722 * The loop check is performed whenever a new jump verdict is added to an
6723 * expression or verdict map or a verdict map is bound to a new chain.
6726 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
6727 const struct nft_chain
*chain
);
6729 static int nf_tables_loop_check_setelem(const struct nft_ctx
*ctx
,
6730 struct nft_set
*set
,
6731 const struct nft_set_iter
*iter
,
6732 struct nft_set_elem
*elem
)
6734 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
6735 const struct nft_data
*data
;
6737 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
6738 *nft_set_ext_flags(ext
) & NFT_SET_ELEM_INTERVAL_END
)
6741 data
= nft_set_ext_data(ext
);
6742 switch (data
->verdict
.code
) {
6745 return nf_tables_check_loops(ctx
, data
->verdict
.chain
);
6751 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
6752 const struct nft_chain
*chain
)
6754 const struct nft_rule
*rule
;
6755 const struct nft_expr
*expr
, *last
;
6756 struct nft_set
*set
;
6757 struct nft_set_binding
*binding
;
6758 struct nft_set_iter iter
;
6760 if (ctx
->chain
== chain
)
6763 list_for_each_entry(rule
, &chain
->rules
, list
) {
6764 nft_rule_for_each_expr(expr
, last
, rule
) {
6765 struct nft_immediate_expr
*priv
;
6766 const struct nft_data
*data
;
6769 if (strcmp(expr
->ops
->type
->name
, "immediate"))
6772 priv
= nft_expr_priv(expr
);
6773 if (priv
->dreg
!= NFT_REG_VERDICT
)
6777 switch (data
->verdict
.code
) {
6780 err
= nf_tables_check_loops(ctx
,
6781 data
->verdict
.chain
);
6790 list_for_each_entry(set
, &ctx
->table
->sets
, list
) {
6791 if (!nft_is_active_next(ctx
->net
, set
))
6793 if (!(set
->flags
& NFT_SET_MAP
) ||
6794 set
->dtype
!= NFT_DATA_VERDICT
)
6797 list_for_each_entry(binding
, &set
->bindings
, list
) {
6798 if (!(binding
->flags
& NFT_SET_MAP
) ||
6799 binding
->chain
!= chain
)
6802 iter
.genmask
= nft_genmask_next(ctx
->net
);
6806 iter
.fn
= nf_tables_loop_check_setelem
;
6808 set
->ops
->walk(ctx
, set
, &iter
);
6818 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6820 * @attr: netlink attribute to fetch value from
6821 * @max: maximum value to be stored in dest
6822 * @dest: pointer to the variable
6824 * Parse, check and store a given u32 netlink attribute into variable.
6825 * This function returns -ERANGE if the value goes over maximum value.
6826 * Otherwise a 0 is returned and the attribute value is stored in the
6827 * destination variable.
6829 int nft_parse_u32_check(const struct nlattr
*attr
, int max
, u32
*dest
)
6833 val
= ntohl(nla_get_be32(attr
));
6840 EXPORT_SYMBOL_GPL(nft_parse_u32_check
);
6843 * nft_parse_register - parse a register value from a netlink attribute
6845 * @attr: netlink attribute
6847 * Parse and translate a register value from a netlink attribute.
6848 * Registers used to be 128 bit wide, these register numbers will be
6849 * mapped to the corresponding 32 bit register numbers.
6851 unsigned int nft_parse_register(const struct nlattr
*attr
)
6855 reg
= ntohl(nla_get_be32(attr
));
6857 case NFT_REG_VERDICT
...NFT_REG_4
:
6858 return reg
* NFT_REG_SIZE
/ NFT_REG32_SIZE
;
6860 return reg
+ NFT_REG_SIZE
/ NFT_REG32_SIZE
- NFT_REG32_00
;
6863 EXPORT_SYMBOL_GPL(nft_parse_register
);
6866 * nft_dump_register - dump a register value to a netlink attribute
6868 * @skb: socket buffer
6869 * @attr: attribute number
6870 * @reg: register number
6872 * Construct a netlink attribute containing the register number. For
6873 * compatibility reasons, register numbers being a multiple of 4 are
6874 * translated to the corresponding 128 bit register numbers.
6876 int nft_dump_register(struct sk_buff
*skb
, unsigned int attr
, unsigned int reg
)
6878 if (reg
% (NFT_REG_SIZE
/ NFT_REG32_SIZE
) == 0)
6879 reg
= reg
/ (NFT_REG_SIZE
/ NFT_REG32_SIZE
);
6881 reg
= reg
- NFT_REG_SIZE
/ NFT_REG32_SIZE
+ NFT_REG32_00
;
6883 return nla_put_be32(skb
, attr
, htonl(reg
));
6885 EXPORT_SYMBOL_GPL(nft_dump_register
);
6888 * nft_validate_register_load - validate a load from a register
6890 * @reg: the register number
6891 * @len: the length of the data
6893 * Validate that the input register is one of the general purpose
6894 * registers and that the length of the load is within the bounds.
6896 int nft_validate_register_load(enum nft_registers reg
, unsigned int len
)
6898 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
6902 if (reg
* NFT_REG32_SIZE
+ len
> FIELD_SIZEOF(struct nft_regs
, data
))
6907 EXPORT_SYMBOL_GPL(nft_validate_register_load
);
6910 * nft_validate_register_store - validate an expressions' register store
6912 * @ctx: context of the expression performing the load
6913 * @reg: the destination register number
6914 * @data: the data to load
6915 * @type: the data type
6916 * @len: the length of the data
6918 * Validate that a data load uses the appropriate data type for
6919 * the destination register and the length is within the bounds.
6920 * A value of NULL for the data means that its runtime gathered
6923 int nft_validate_register_store(const struct nft_ctx
*ctx
,
6924 enum nft_registers reg
,
6925 const struct nft_data
*data
,
6926 enum nft_data_types type
, unsigned int len
)
6931 case NFT_REG_VERDICT
:
6932 if (type
!= NFT_DATA_VERDICT
)
6936 (data
->verdict
.code
== NFT_GOTO
||
6937 data
->verdict
.code
== NFT_JUMP
)) {
6938 err
= nf_tables_check_loops(ctx
, data
->verdict
.chain
);
6945 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
6949 if (reg
* NFT_REG32_SIZE
+ len
>
6950 FIELD_SIZEOF(struct nft_regs
, data
))
6953 if (data
!= NULL
&& type
!= NFT_DATA_VALUE
)
6958 EXPORT_SYMBOL_GPL(nft_validate_register_store
);
6960 static const struct nla_policy nft_verdict_policy
[NFTA_VERDICT_MAX
+ 1] = {
6961 [NFTA_VERDICT_CODE
] = { .type
= NLA_U32
},
6962 [NFTA_VERDICT_CHAIN
] = { .type
= NLA_STRING
,
6963 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
6966 static int nft_verdict_init(const struct nft_ctx
*ctx
, struct nft_data
*data
,
6967 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
6969 u8 genmask
= nft_genmask_next(ctx
->net
);
6970 struct nlattr
*tb
[NFTA_VERDICT_MAX
+ 1];
6971 struct nft_chain
*chain
;
6974 err
= nla_parse_nested(tb
, NFTA_VERDICT_MAX
, nla
, nft_verdict_policy
,
6979 if (!tb
[NFTA_VERDICT_CODE
])
6981 data
->verdict
.code
= ntohl(nla_get_be32(tb
[NFTA_VERDICT_CODE
]));
6983 switch (data
->verdict
.code
) {
6985 switch (data
->verdict
.code
& NF_VERDICT_MASK
) {
7000 if (!tb
[NFTA_VERDICT_CHAIN
])
7002 chain
= nft_chain_lookup(ctx
->net
, ctx
->table
,
7003 tb
[NFTA_VERDICT_CHAIN
], genmask
);
7005 return PTR_ERR(chain
);
7006 if (nft_is_base_chain(chain
))
7010 data
->verdict
.chain
= chain
;
7014 desc
->len
= sizeof(data
->verdict
);
7015 desc
->type
= NFT_DATA_VERDICT
;
7019 static void nft_verdict_uninit(const struct nft_data
*data
)
7021 switch (data
->verdict
.code
) {
7024 data
->verdict
.chain
->use
--;
7029 int nft_verdict_dump(struct sk_buff
*skb
, int type
, const struct nft_verdict
*v
)
7031 struct nlattr
*nest
;
7033 nest
= nla_nest_start(skb
, type
);
7035 goto nla_put_failure
;
7037 if (nla_put_be32(skb
, NFTA_VERDICT_CODE
, htonl(v
->code
)))
7038 goto nla_put_failure
;
7043 if (nla_put_string(skb
, NFTA_VERDICT_CHAIN
,
7045 goto nla_put_failure
;
7047 nla_nest_end(skb
, nest
);
7054 static int nft_value_init(const struct nft_ctx
*ctx
,
7055 struct nft_data
*data
, unsigned int size
,
7056 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
7066 nla_memcpy(data
->data
, nla
, len
);
7067 desc
->type
= NFT_DATA_VALUE
;
7072 static int nft_value_dump(struct sk_buff
*skb
, const struct nft_data
*data
,
7075 return nla_put(skb
, NFTA_DATA_VALUE
, len
, data
->data
);
7078 static const struct nla_policy nft_data_policy
[NFTA_DATA_MAX
+ 1] = {
7079 [NFTA_DATA_VALUE
] = { .type
= NLA_BINARY
},
7080 [NFTA_DATA_VERDICT
] = { .type
= NLA_NESTED
},
7084 * nft_data_init - parse nf_tables data netlink attributes
7086 * @ctx: context of the expression using the data
7087 * @data: destination struct nft_data
7088 * @size: maximum data length
7089 * @desc: data description
7090 * @nla: netlink attribute containing data
7092 * Parse the netlink data attributes and initialize a struct nft_data.
7093 * The type and length of data are returned in the data description.
7095 * The caller can indicate that it only wants to accept data of type
7096 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7098 int nft_data_init(const struct nft_ctx
*ctx
,
7099 struct nft_data
*data
, unsigned int size
,
7100 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
7102 struct nlattr
*tb
[NFTA_DATA_MAX
+ 1];
7105 err
= nla_parse_nested(tb
, NFTA_DATA_MAX
, nla
, nft_data_policy
, NULL
);
7109 if (tb
[NFTA_DATA_VALUE
])
7110 return nft_value_init(ctx
, data
, size
, desc
,
7111 tb
[NFTA_DATA_VALUE
]);
7112 if (tb
[NFTA_DATA_VERDICT
] && ctx
!= NULL
)
7113 return nft_verdict_init(ctx
, data
, desc
, tb
[NFTA_DATA_VERDICT
]);
7116 EXPORT_SYMBOL_GPL(nft_data_init
);
7119 * nft_data_release - release a nft_data item
7121 * @data: struct nft_data to release
7122 * @type: type of data
7124 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7125 * all others need to be released by calling this function.
7127 void nft_data_release(const struct nft_data
*data
, enum nft_data_types type
)
7129 if (type
< NFT_DATA_VERDICT
)
7132 case NFT_DATA_VERDICT
:
7133 return nft_verdict_uninit(data
);
7138 EXPORT_SYMBOL_GPL(nft_data_release
);
7140 int nft_data_dump(struct sk_buff
*skb
, int attr
, const struct nft_data
*data
,
7141 enum nft_data_types type
, unsigned int len
)
7143 struct nlattr
*nest
;
7146 nest
= nla_nest_start(skb
, attr
);
7151 case NFT_DATA_VALUE
:
7152 err
= nft_value_dump(skb
, data
, len
);
7154 case NFT_DATA_VERDICT
:
7155 err
= nft_verdict_dump(skb
, NFTA_DATA_VERDICT
, &data
->verdict
);
7162 nla_nest_end(skb
, nest
);
7165 EXPORT_SYMBOL_GPL(nft_data_dump
);
7167 int __nft_release_basechain(struct nft_ctx
*ctx
)
7169 struct nft_rule
*rule
, *nr
;
7171 BUG_ON(!nft_is_base_chain(ctx
->chain
));
7173 nf_tables_unregister_hook(ctx
->net
, ctx
->chain
->table
, ctx
->chain
);
7174 list_for_each_entry_safe(rule
, nr
, &ctx
->chain
->rules
, list
) {
7175 list_del(&rule
->list
);
7177 nf_tables_rule_release(ctx
, rule
);
7179 nft_chain_del(ctx
->chain
);
7181 nf_tables_chain_destroy(ctx
);
7185 EXPORT_SYMBOL_GPL(__nft_release_basechain
);
7187 static void __nft_release_tables(struct net
*net
)
7189 struct nft_flowtable
*flowtable
, *nf
;
7190 struct nft_table
*table
, *nt
;
7191 struct nft_chain
*chain
, *nc
;
7192 struct nft_object
*obj
, *ne
;
7193 struct nft_rule
*rule
, *nr
;
7194 struct nft_set
*set
, *ns
;
7195 struct nft_ctx ctx
= {
7197 .family
= NFPROTO_NETDEV
,
7200 list_for_each_entry_safe(table
, nt
, &net
->nft
.tables
, list
) {
7201 ctx
.family
= table
->family
;
7203 list_for_each_entry(chain
, &table
->chains
, list
)
7204 nf_tables_unregister_hook(net
, table
, chain
);
7205 list_for_each_entry(flowtable
, &table
->flowtables
, list
)
7206 nf_unregister_net_hooks(net
, flowtable
->ops
,
7207 flowtable
->ops_len
);
7208 /* No packets are walking on these chains anymore. */
7210 list_for_each_entry(chain
, &table
->chains
, list
) {
7212 list_for_each_entry_safe(rule
, nr
, &chain
->rules
, list
) {
7213 list_del(&rule
->list
);
7215 nf_tables_rule_release(&ctx
, rule
);
7218 list_for_each_entry_safe(flowtable
, nf
, &table
->flowtables
, list
) {
7219 list_del(&flowtable
->list
);
7221 nf_tables_flowtable_destroy(flowtable
);
7223 list_for_each_entry_safe(set
, ns
, &table
->sets
, list
) {
7224 list_del(&set
->list
);
7226 nft_set_destroy(set
);
7228 list_for_each_entry_safe(obj
, ne
, &table
->objects
, list
) {
7229 list_del(&obj
->list
);
7231 nft_obj_destroy(&ctx
, obj
);
7233 list_for_each_entry_safe(chain
, nc
, &table
->chains
, list
) {
7235 nft_chain_del(chain
);
7237 nf_tables_chain_destroy(&ctx
);
7239 list_del(&table
->list
);
7240 nf_tables_table_destroy(&ctx
);
7244 static int __net_init
nf_tables_init_net(struct net
*net
)
7246 INIT_LIST_HEAD(&net
->nft
.tables
);
7247 INIT_LIST_HEAD(&net
->nft
.commit_list
);
7248 mutex_init(&net
->nft
.commit_mutex
);
7249 net
->nft
.base_seq
= 1;
7250 net
->nft
.validate_state
= NFT_VALIDATE_SKIP
;
7255 static void __net_exit
nf_tables_exit_net(struct net
*net
)
7257 mutex_lock(&net
->nft
.commit_mutex
);
7258 if (!list_empty(&net
->nft
.commit_list
))
7259 __nf_tables_abort(net
);
7260 __nft_release_tables(net
);
7261 mutex_unlock(&net
->nft
.commit_mutex
);
7262 WARN_ON_ONCE(!list_empty(&net
->nft
.tables
));
7265 static struct pernet_operations nf_tables_net_ops
= {
7266 .init
= nf_tables_init_net
,
7267 .exit
= nf_tables_exit_net
,
7270 static int __init
nf_tables_module_init(void)
7274 err
= register_pernet_subsys(&nf_tables_net_ops
);
7278 err
= nft_chain_filter_init();
7282 err
= nf_tables_core_module_init();
7286 err
= register_netdevice_notifier(&nf_tables_flowtable_notifier
);
7291 err
= nfnetlink_subsys_register(&nf_tables_subsys
);
7297 unregister_netdevice_notifier(&nf_tables_flowtable_notifier
);
7299 nf_tables_core_module_exit();
7301 nft_chain_filter_fini();
7303 unregister_pernet_subsys(&nf_tables_net_ops
);
7307 static void __exit
nf_tables_module_exit(void)
7309 nfnetlink_subsys_unregister(&nf_tables_subsys
);
7310 unregister_netdevice_notifier(&nf_tables_flowtable_notifier
);
7311 nft_chain_filter_fini();
7312 unregister_pernet_subsys(&nf_tables_net_ops
);
7314 nf_tables_core_module_exit();
7317 module_init(nf_tables_module_init
);
7318 module_exit(nf_tables_module_exit
);
7320 MODULE_LICENSE("GPL");
7321 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7322 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES
);
