1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
27 static LIST_HEAD(nf_tables_flowtables);
28 static LIST_HEAD(nf_tables_destroy_list);
29 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
30 static u64 table_handle;
33 NFT_VALIDATE_SKIP = 0,
38 static struct rhltable nft_objname_ht;
40 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
41 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
42 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
44 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static const struct rhashtable_params nft_chain_ht_params = {
49 .head_offset = offsetof(struct nft_chain, rhlhead),
50 .key_offset = offsetof(struct nft_chain, name),
51 .hashfn = nft_chain_hash,
52 .obj_hashfn = nft_chain_hash_obj,
53 .obj_cmpfn = nft_chain_hash_cmp,
54 .automatic_shrinking = true,
57 static const struct rhashtable_params nft_objname_ht_params = {
58 .head_offset = offsetof(struct nft_object, rhlhead),
59 .key_offset = offsetof(struct nft_object, key),
60 .hashfn = nft_objname_hash,
61 .obj_hashfn = nft_objname_hash_obj,
62 .obj_cmpfn = nft_objname_hash_cmp,
63 .automatic_shrinking = true,
66 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
68 switch (net->nft.validate_state) {
69 case NFT_VALIDATE_SKIP:
70 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
72 case NFT_VALIDATE_NEED:
75 if (new_validate_state == NFT_VALIDATE_NEED)
79 net->nft.validate_state = new_validate_state;
81 static void nf_tables_trans_destroy_work(struct work_struct *w);
82 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
84 static void nft_ctx_init(struct nft_ctx *ctx,
86 const struct sk_buff *skb,
87 const struct nlmsghdr *nlh,
89 struct nft_table *table,
90 struct nft_chain *chain,
91 const struct nlattr * const *nla)
99 ctx->portid = NETLINK_CB(skb).portid;
100 ctx->report = nlmsg_report(nlh);
101 ctx->flags = nlh->nlmsg_flags;
102 ctx->seq = nlh->nlmsg_seq;
105 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
106 int msg_type, u32 size, gfp_t gfp)
108 struct nft_trans *trans;
110 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 trans->msg_type = msg_type;
120 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
121 int msg_type, u32 size)
123 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
126 static void nft_trans_destroy(struct nft_trans *trans)
128 list_del(&trans->list);
132 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
134 struct net *net = ctx->net;
135 struct nft_trans *trans;
137 if (!nft_set_is_anonymous(set))
140 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
141 switch (trans->msg_type) {
143 if (nft_trans_set(trans) == set)
144 nft_trans_set_bound(trans) = true;
146 case NFT_MSG_NEWSETELEM:
147 if (nft_trans_elem_set(trans) == set)
148 nft_trans_elem_set_bound(trans) = true;
154 static int nf_tables_register_hook(struct net *net,
155 const struct nft_table *table,
156 struct nft_chain *chain)
158 const struct nft_base_chain *basechain;
159 const struct nf_hook_ops *ops;
161 if (table->flags & NFT_TABLE_F_DORMANT ||
162 !nft_is_base_chain(chain))
165 basechain = nft_base_chain(chain);
166 ops = &basechain->ops;
168 if (basechain->type->ops_register)
169 return basechain->type->ops_register(net, ops);
171 return nf_register_net_hook(net, ops);
174 static void nf_tables_unregister_hook(struct net *net,
175 const struct nft_table *table,
176 struct nft_chain *chain)
178 const struct nft_base_chain *basechain;
179 const struct nf_hook_ops *ops;
181 if (table->flags & NFT_TABLE_F_DORMANT ||
182 !nft_is_base_chain(chain))
184 basechain = nft_base_chain(chain);
185 ops = &basechain->ops;
187 if (basechain->type->ops_unregister)
188 return basechain->type->ops_unregister(net, ops);
190 nf_unregister_net_hook(net, ops);
193 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
195 struct nft_trans *trans;
197 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
201 if (msg_type == NFT_MSG_NEWTABLE)
202 nft_activate_next(ctx->net, ctx->table);
204 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
208 static int nft_deltable(struct nft_ctx *ctx)
212 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
216 nft_deactivate_next(ctx->net, ctx->table);
220 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
222 struct nft_trans *trans;
224 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
226 return ERR_PTR(-ENOMEM);
228 if (msg_type == NFT_MSG_NEWCHAIN)
229 nft_activate_next(ctx->net, ctx->chain);
231 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
235 static int nft_delchain(struct nft_ctx *ctx)
237 struct nft_trans *trans;
239 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
241 return PTR_ERR(trans);
244 nft_deactivate_next(ctx->net, ctx->chain);
249 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
250 struct nft_rule *rule)
252 struct nft_expr *expr;
254 expr = nft_expr_first(rule);
255 while (expr != nft_expr_last(rule) && expr->ops) {
256 if (expr->ops->activate)
257 expr->ops->activate(ctx, expr);
259 expr = nft_expr_next(expr);
263 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
264 struct nft_rule *rule,
265 enum nft_trans_phase phase)
267 struct nft_expr *expr;
269 expr = nft_expr_first(rule);
270 while (expr != nft_expr_last(rule) && expr->ops) {
271 if (expr->ops->deactivate)
272 expr->ops->deactivate(ctx, expr, phase);
274 expr = nft_expr_next(expr);
279 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
281 /* You cannot delete the same rule twice */
282 if (nft_is_active_next(ctx->net, rule)) {
283 nft_deactivate_next(ctx->net, rule);
290 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
291 struct nft_rule *rule)
293 struct nft_trans *trans;
295 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
299 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
300 nft_trans_rule_id(trans) =
301 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
303 nft_trans_rule(trans) = rule;
304 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
309 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
311 struct nft_trans *trans;
314 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
318 err = nf_tables_delrule_deactivate(ctx, rule);
320 nft_trans_destroy(trans);
323 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
328 static int nft_delrule_by_chain(struct nft_ctx *ctx)
330 struct nft_rule *rule;
333 list_for_each_entry(rule, &ctx->chain->rules, list) {
334 if (!nft_is_active_next(ctx->net, rule))
337 err = nft_delrule(ctx, rule);
344 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
347 struct nft_trans *trans;
349 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
353 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
354 nft_trans_set_id(trans) =
355 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
356 nft_activate_next(ctx->net, set);
358 nft_trans_set(trans) = set;
359 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
364 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
368 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
372 nft_deactivate_next(ctx->net, set);
378 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
379 struct nft_object *obj)
381 struct nft_trans *trans;
383 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
387 if (msg_type == NFT_MSG_NEWOBJ)
388 nft_activate_next(ctx->net, obj);
390 nft_trans_obj(trans) = obj;
391 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
396 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
400 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
404 nft_deactivate_next(ctx->net, obj);
410 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
411 struct nft_flowtable *flowtable)
413 struct nft_trans *trans;
415 trans = nft_trans_alloc(ctx, msg_type,
416 sizeof(struct nft_trans_flowtable));
420 if (msg_type == NFT_MSG_NEWFLOWTABLE)
421 nft_activate_next(ctx->net, flowtable);
423 nft_trans_flowtable(trans) = flowtable;
424 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
429 static int nft_delflowtable(struct nft_ctx *ctx,
430 struct nft_flowtable *flowtable)
434 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
438 nft_deactivate_next(ctx->net, flowtable);
448 static struct nft_table *nft_table_lookup(const struct net *net,
449 const struct nlattr *nla,
450 u8 family, u8 genmask)
452 struct nft_table *table;
455 return ERR_PTR(-EINVAL);
457 list_for_each_entry_rcu(table, &net->nft.tables, list) {
458 if (!nla_strcmp(nla, table->name) &&
459 table->family == family &&
460 nft_active_genmask(table, genmask))
464 return ERR_PTR(-ENOENT);
467 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
468 const struct nlattr *nla,
471 struct nft_table *table;
473 list_for_each_entry(table, &net->nft.tables, list) {
474 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
475 nft_active_genmask(table, genmask))
479 return ERR_PTR(-ENOENT);
482 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
484 return ++table->hgenerator;
487 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
489 static const struct nft_chain_type *
490 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
494 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
495 if (chain_type[family][i] != NULL &&
496 !nla_strcmp(nla, chain_type[family][i]->name))
497 return chain_type[family][i];
503 * Loading a module requires dropping mutex that guards the
505 * We first need to abort any pending transactions as once
506 * mutex is unlocked a different client could start a new
507 * transaction. It must not see any 'future generation'
508 * changes * as these changes will never happen.
510 #ifdef CONFIG_MODULES
511 static int __nf_tables_abort(struct net *net);
513 static void nft_request_module(struct net *net, const char *fmt, ...)
515 char module_name[MODULE_NAME_LEN];
519 __nf_tables_abort(net);
522 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
524 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
527 mutex_unlock(&net->nft.commit_mutex);
528 request_module("%s", module_name);
529 mutex_lock(&net->nft.commit_mutex);
533 static void lockdep_nfnl_nft_mutex_not_held(void)
535 #ifdef CONFIG_PROVE_LOCKING
536 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
540 static const struct nft_chain_type *
541 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
542 u8 family, bool autoload)
544 const struct nft_chain_type *type;
546 type = __nf_tables_chain_type_lookup(nla, family);
550 lockdep_nfnl_nft_mutex_not_held();
551 #ifdef CONFIG_MODULES
553 nft_request_module(net, "nft-chain-%u-%.*s", family,
554 nla_len(nla), (const char *)nla_data(nla));
555 type = __nf_tables_chain_type_lookup(nla, family);
557 return ERR_PTR(-EAGAIN);
560 return ERR_PTR(-ENOENT);
563 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
564 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
565 .len = NFT_TABLE_MAXNAMELEN - 1 },
566 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
567 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
570 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
571 u32 portid, u32 seq, int event, u32 flags,
572 int family, const struct nft_table *table)
574 struct nlmsghdr *nlh;
575 struct nfgenmsg *nfmsg;
577 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
578 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
580 goto nla_put_failure;
582 nfmsg = nlmsg_data(nlh);
583 nfmsg->nfgen_family = family;
584 nfmsg->version = NFNETLINK_V0;
585 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
587 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
588 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
589 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
590 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
592 goto nla_put_failure;
598 nlmsg_trim(skb, nlh);
602 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
608 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
611 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
615 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
616 event, 0, ctx->family, ctx->table);
622 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
623 ctx->report, GFP_KERNEL);
626 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
629 static int nf_tables_dump_tables(struct sk_buff *skb,
630 struct netlink_callback *cb)
632 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
633 const struct nft_table *table;
634 unsigned int idx = 0, s_idx = cb->args[0];
635 struct net *net = sock_net(skb->sk);
636 int family = nfmsg->nfgen_family;
639 cb->seq = net->nft.base_seq;
641 list_for_each_entry_rcu(table, &net->nft.tables, list) {
642 if (family != NFPROTO_UNSPEC && family != table->family)
648 memset(&cb->args[1], 0,
649 sizeof(cb->args) - sizeof(cb->args[0]));
650 if (!nft_is_active(net, table))
652 if (nf_tables_fill_table_info(skb, net,
653 NETLINK_CB(cb->skb).portid,
655 NFT_MSG_NEWTABLE, NLM_F_MULTI,
656 table->family, table) < 0)
659 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
669 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
670 const struct nlmsghdr *nlh,
671 struct netlink_dump_control *c)
675 if (!try_module_get(THIS_MODULE))
679 err = netlink_dump_start(nlsk, skb, nlh, c);
681 module_put(THIS_MODULE);
686 /* called with rcu_read_lock held */
687 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
688 struct sk_buff *skb, const struct nlmsghdr *nlh,
689 const struct nlattr * const nla[],
690 struct netlink_ext_ack *extack)
692 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
693 u8 genmask = nft_genmask_cur(net);
694 const struct nft_table *table;
695 struct sk_buff *skb2;
696 int family = nfmsg->nfgen_family;
699 if (nlh->nlmsg_flags & NLM_F_DUMP) {
700 struct netlink_dump_control c = {
701 .dump = nf_tables_dump_tables,
702 .module = THIS_MODULE,
705 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
708 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
710 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
711 return PTR_ERR(table);
714 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
718 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
719 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
724 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
731 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
733 struct nft_chain *chain;
736 list_for_each_entry(chain, &table->chains, list) {
737 if (!nft_is_active_next(net, chain))
739 if (!nft_is_base_chain(chain))
742 if (cnt && i++ == cnt)
745 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
749 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
751 struct nft_chain *chain;
754 list_for_each_entry(chain, &table->chains, list) {
755 if (!nft_is_active_next(net, chain))
757 if (!nft_is_base_chain(chain))
760 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
769 nft_table_disable(net, table, i);
773 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
775 nft_table_disable(net, table, 0);
778 static int nf_tables_updtable(struct nft_ctx *ctx)
780 struct nft_trans *trans;
784 if (!ctx->nla[NFTA_TABLE_FLAGS])
787 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
788 if (flags & ~NFT_TABLE_F_DORMANT)
791 if (flags == ctx->table->flags)
794 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
795 sizeof(struct nft_trans_table));
799 if ((flags & NFT_TABLE_F_DORMANT) &&
800 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
801 nft_trans_table_enable(trans) = false;
802 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
803 ctx->table->flags & NFT_TABLE_F_DORMANT) {
804 ret = nf_tables_table_enable(ctx->net, ctx->table);
806 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
807 nft_trans_table_enable(trans) = true;
813 nft_trans_table_update(trans) = true;
814 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
817 nft_trans_destroy(trans);
821 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
823 const char *name = data;
825 return jhash(name, strlen(name), seed);
828 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
830 const struct nft_chain *chain = data;
832 return nft_chain_hash(chain->name, 0, seed);
835 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
838 const struct nft_chain *chain = ptr;
839 const char *name = arg->key;
841 return strcmp(chain->name, name);
844 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
846 const struct nft_object_hash_key *k = data;
848 seed ^= hash_ptr(k->table, 32);
850 return jhash(k->name, strlen(k->name), seed);
853 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
855 const struct nft_object *obj = data;
857 return nft_objname_hash(&obj->key, 0, seed);
860 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
863 const struct nft_object_hash_key *k = arg->key;
864 const struct nft_object *obj = ptr;
866 if (obj->key.table != k->table)
869 return strcmp(obj->key.name, k->name);
872 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
873 struct sk_buff *skb, const struct nlmsghdr *nlh,
874 const struct nlattr * const nla[],
875 struct netlink_ext_ack *extack)
877 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
878 u8 genmask = nft_genmask_next(net);
879 int family = nfmsg->nfgen_family;
880 const struct nlattr *attr;
881 struct nft_table *table;
886 lockdep_assert_held(&net->nft.commit_mutex);
887 attr = nla[NFTA_TABLE_NAME];
888 table = nft_table_lookup(net, attr, family, genmask);
890 if (PTR_ERR(table) != -ENOENT)
891 return PTR_ERR(table);
893 if (nlh->nlmsg_flags & NLM_F_EXCL) {
894 NL_SET_BAD_ATTR(extack, attr);
897 if (nlh->nlmsg_flags & NLM_F_REPLACE)
900 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
901 return nf_tables_updtable(&ctx);
904 if (nla[NFTA_TABLE_FLAGS]) {
905 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
906 if (flags & ~NFT_TABLE_F_DORMANT)
911 table = kzalloc(sizeof(*table), GFP_KERNEL);
915 table->name = nla_strdup(attr, GFP_KERNEL);
916 if (table->name == NULL)
919 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
923 INIT_LIST_HEAD(&table->chains);
924 INIT_LIST_HEAD(&table->sets);
925 INIT_LIST_HEAD(&table->objects);
926 INIT_LIST_HEAD(&table->flowtables);
927 table->family = family;
928 table->flags = flags;
929 table->handle = ++table_handle;
931 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
932 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
936 list_add_tail_rcu(&table->list, &net->nft.tables);
939 rhltable_destroy(&table->chains_ht);
948 static int nft_flush_table(struct nft_ctx *ctx)
950 struct nft_flowtable *flowtable, *nft;
951 struct nft_chain *chain, *nc;
952 struct nft_object *obj, *ne;
953 struct nft_set *set, *ns;
956 list_for_each_entry(chain, &ctx->table->chains, list) {
957 if (!nft_is_active_next(ctx->net, chain))
962 err = nft_delrule_by_chain(ctx);
967 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
968 if (!nft_is_active_next(ctx->net, set))
971 if (nft_set_is_anonymous(set) &&
972 !list_empty(&set->bindings))
975 err = nft_delset(ctx, set);
980 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
981 err = nft_delflowtable(ctx, flowtable);
986 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
987 err = nft_delobj(ctx, obj);
992 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
993 if (!nft_is_active_next(ctx->net, chain))
998 err = nft_delchain(ctx);
1003 err = nft_deltable(ctx);
1008 static int nft_flush(struct nft_ctx *ctx, int family)
1010 struct nft_table *table, *nt;
1011 const struct nlattr * const *nla = ctx->nla;
1014 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1015 if (family != AF_UNSPEC && table->family != family)
1018 ctx->family = table->family;
1020 if (!nft_is_active_next(ctx->net, table))
1023 if (nla[NFTA_TABLE_NAME] &&
1024 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1029 err = nft_flush_table(ctx);
1037 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1038 struct sk_buff *skb, const struct nlmsghdr *nlh,
1039 const struct nlattr * const nla[],
1040 struct netlink_ext_ack *extack)
1042 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1043 u8 genmask = nft_genmask_next(net);
1044 int family = nfmsg->nfgen_family;
1045 const struct nlattr *attr;
1046 struct nft_table *table;
1049 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1050 if (family == AF_UNSPEC ||
1051 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1052 return nft_flush(&ctx, family);
1054 if (nla[NFTA_TABLE_HANDLE]) {
1055 attr = nla[NFTA_TABLE_HANDLE];
1056 table = nft_table_lookup_byhandle(net, attr, genmask);
1058 attr = nla[NFTA_TABLE_NAME];
1059 table = nft_table_lookup(net, attr, family, genmask);
1062 if (IS_ERR(table)) {
1063 NL_SET_BAD_ATTR(extack, attr);
1064 return PTR_ERR(table);
1067 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1071 ctx.family = family;
1074 return nft_flush_table(&ctx);
1077 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1079 if (WARN_ON(ctx->table->use > 0))
1082 rhltable_destroy(&ctx->table->chains_ht);
1083 kfree(ctx->table->name);
1087 void nft_register_chain_type(const struct nft_chain_type *ctype)
1089 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1092 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1093 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1094 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1097 chain_type[ctype->family][ctype->type] = ctype;
1098 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1100 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1102 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1104 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1105 chain_type[ctype->family][ctype->type] = NULL;
1106 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1108 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1114 static struct nft_chain *
1115 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1117 struct nft_chain *chain;
1119 list_for_each_entry(chain, &table->chains, list) {
1120 if (chain->handle == handle &&
1121 nft_active_genmask(chain, genmask))
1125 return ERR_PTR(-ENOENT);
1128 static bool lockdep_commit_lock_is_held(const struct net *net)
1130 #ifdef CONFIG_PROVE_LOCKING
1131 return lockdep_is_held(&net->nft.commit_mutex);
1137 static struct nft_chain *nft_chain_lookup(struct net *net,
1138 struct nft_table *table,
1139 const struct nlattr *nla, u8 genmask)
1141 char search[NFT_CHAIN_MAXNAMELEN + 1];
1142 struct rhlist_head *tmp, *list;
1143 struct nft_chain *chain;
1146 return ERR_PTR(-EINVAL);
1148 nla_strlcpy(search, nla, sizeof(search));
1150 WARN_ON(!rcu_read_lock_held() &&
1151 !lockdep_commit_lock_is_held(net));
1153 chain = ERR_PTR(-ENOENT);
1155 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1159 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1160 if (nft_active_genmask(chain, genmask))
1163 chain = ERR_PTR(-ENOENT);
1169 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1170 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1171 .len = NFT_TABLE_MAXNAMELEN - 1 },
1172 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1173 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1174 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1175 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1176 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1177 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1178 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1179 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1182 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1183 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1184 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1185 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1186 .len = IFNAMSIZ - 1 },
1189 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1191 struct nft_stats *cpu_stats, total;
1192 struct nlattr *nest;
1200 memset(&total, 0, sizeof(total));
1201 for_each_possible_cpu(cpu) {
1202 cpu_stats = per_cpu_ptr(stats, cpu);
1204 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1205 pkts = cpu_stats->pkts;
1206 bytes = cpu_stats->bytes;
1207 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1209 total.bytes += bytes;
1211 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1213 goto nla_put_failure;
1215 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1216 NFTA_COUNTER_PAD) ||
1217 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1219 goto nla_put_failure;
1221 nla_nest_end(skb, nest);
1228 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1229 u32 portid, u32 seq, int event, u32 flags,
1230 int family, const struct nft_table *table,
1231 const struct nft_chain *chain)
1233 struct nlmsghdr *nlh;
1234 struct nfgenmsg *nfmsg;
1236 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1237 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1239 goto nla_put_failure;
1241 nfmsg = nlmsg_data(nlh);
1242 nfmsg->nfgen_family = family;
1243 nfmsg->version = NFNETLINK_V0;
1244 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1246 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1247 goto nla_put_failure;
1248 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1250 goto nla_put_failure;
1251 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1252 goto nla_put_failure;
1254 if (nft_is_base_chain(chain)) {
1255 const struct nft_base_chain *basechain = nft_base_chain(chain);
1256 const struct nf_hook_ops *ops = &basechain->ops;
1257 struct nft_stats __percpu *stats;
1258 struct nlattr *nest;
1260 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1262 goto nla_put_failure;
1263 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1264 goto nla_put_failure;
1265 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1266 goto nla_put_failure;
1267 if (basechain->dev_name[0] &&
1268 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1269 goto nla_put_failure;
1270 nla_nest_end(skb, nest);
1272 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1273 htonl(basechain->policy)))
1274 goto nla_put_failure;
1276 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1277 goto nla_put_failure;
1279 stats = rcu_dereference_check(basechain->stats,
1280 lockdep_commit_lock_is_held(net));
1281 if (nft_dump_stats(skb, stats))
1282 goto nla_put_failure;
1285 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1286 goto nla_put_failure;
1288 nlmsg_end(skb, nlh);
1292 nlmsg_trim(skb, nlh);
1296 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1298 struct sk_buff *skb;
1302 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1305 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1309 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1310 event, 0, ctx->family, ctx->table,
1317 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1318 ctx->report, GFP_KERNEL);
1321 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1324 static int nf_tables_dump_chains(struct sk_buff *skb,
1325 struct netlink_callback *cb)
1327 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1328 const struct nft_table *table;
1329 const struct nft_chain *chain;
1330 unsigned int idx = 0, s_idx = cb->args[0];
1331 struct net *net = sock_net(skb->sk);
1332 int family = nfmsg->nfgen_family;
1335 cb->seq = net->nft.base_seq;
1337 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1338 if (family != NFPROTO_UNSPEC && family != table->family)
1341 list_for_each_entry_rcu(chain, &table->chains, list) {
1345 memset(&cb->args[1], 0,
1346 sizeof(cb->args) - sizeof(cb->args[0]));
1347 if (!nft_is_active(net, chain))
1349 if (nf_tables_fill_chain_info(skb, net,
1350 NETLINK_CB(cb->skb).portid,
1354 table->family, table,
1358 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1369 /* called with rcu_read_lock held */
1370 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1371 struct sk_buff *skb, const struct nlmsghdr *nlh,
1372 const struct nlattr * const nla[],
1373 struct netlink_ext_ack *extack)
1375 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1376 u8 genmask = nft_genmask_cur(net);
1377 const struct nft_chain *chain;
1378 struct nft_table *table;
1379 struct sk_buff *skb2;
1380 int family = nfmsg->nfgen_family;
1383 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1384 struct netlink_dump_control c = {
1385 .dump = nf_tables_dump_chains,
1386 .module = THIS_MODULE,
1389 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1392 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1393 if (IS_ERR(table)) {
1394 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1395 return PTR_ERR(table);
1398 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1399 if (IS_ERR(chain)) {
1400 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1401 return PTR_ERR(chain);
1404 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1408 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1409 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1410 family, table, chain);
1414 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1421 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1422 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1423 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1426 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1428 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1429 struct nft_stats __percpu *newstats;
1430 struct nft_stats *stats;
1433 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1434 nft_counter_policy, NULL);
1436 return ERR_PTR(err);
1438 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1439 return ERR_PTR(-EINVAL);
1441 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1442 if (newstats == NULL)
1443 return ERR_PTR(-ENOMEM);
1445 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1446 * are not exposed to userspace.
1449 stats = this_cpu_ptr(newstats);
1450 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1451 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1457 static void nft_chain_stats_replace(struct nft_trans *trans)
1459 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1461 if (!nft_trans_chain_stats(trans))
1464 rcu_swap_protected(chain->stats, nft_trans_chain_stats(trans),
1465 lockdep_commit_lock_is_held(trans->ctx.net));
1467 if (!nft_trans_chain_stats(trans))
1468 static_branch_inc(&nft_counters_enabled);
1471 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1473 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1474 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1480 /* should be NULL either via abort or via successful commit */
1481 WARN_ON_ONCE(chain->rules_next);
1482 kvfree(chain->rules_next);
1485 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1487 struct nft_chain *chain = ctx->chain;
1489 if (WARN_ON(chain->use > 0))
1492 /* no concurrent access possible anymore */
1493 nf_tables_chain_free_chain_rules(chain);
1495 if (nft_is_base_chain(chain)) {
1496 struct nft_base_chain *basechain = nft_base_chain(chain);
1498 module_put(basechain->type->owner);
1499 if (rcu_access_pointer(basechain->stats)) {
1500 static_branch_dec(&nft_counters_enabled);
1501 free_percpu(rcu_dereference_raw(basechain->stats));
1511 struct nft_chain_hook {
1514 const struct nft_chain_type *type;
1515 struct net_device *dev;
1518 static int nft_chain_parse_hook(struct net *net,
1519 const struct nlattr * const nla[],
1520 struct nft_chain_hook *hook, u8 family,
1523 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1524 const struct nft_chain_type *type;
1525 struct net_device *dev;
1528 lockdep_assert_held(&net->nft.commit_mutex);
1529 lockdep_nfnl_nft_mutex_not_held();
1531 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1532 nla[NFTA_CHAIN_HOOK],
1533 nft_hook_policy, NULL);
1537 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1538 ha[NFTA_HOOK_PRIORITY] == NULL)
1541 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1542 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1544 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1545 if (nla[NFTA_CHAIN_TYPE]) {
1546 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1549 return PTR_ERR(type);
1551 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1554 if (type->type == NFT_CHAIN_T_NAT &&
1555 hook->priority <= NF_IP_PRI_CONNTRACK)
1558 if (!try_module_get(type->owner))
1564 if (family == NFPROTO_NETDEV) {
1565 char ifname[IFNAMSIZ];
1567 if (!ha[NFTA_HOOK_DEV]) {
1568 module_put(type->owner);
1572 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1573 dev = __dev_get_by_name(net, ifname);
1575 module_put(type->owner);
1579 } else if (ha[NFTA_HOOK_DEV]) {
1580 module_put(type->owner);
1587 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1589 module_put(hook->type->owner);
1592 struct nft_rules_old {
1594 struct nft_rule **start;
1597 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1600 if (alloc > INT_MAX)
1603 alloc += 1; /* NULL, ends rules */
1604 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1607 alloc *= sizeof(struct nft_rule *);
1608 alloc += sizeof(struct nft_rules_old);
1610 return kvmalloc(alloc, GFP_KERNEL);
1613 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1614 u8 policy, u32 flags)
1616 const struct nlattr * const *nla = ctx->nla;
1617 struct nft_table *table = ctx->table;
1618 struct nft_base_chain *basechain;
1619 struct nft_stats __percpu *stats;
1620 struct net *net = ctx->net;
1621 struct nft_trans *trans;
1622 struct nft_chain *chain;
1623 struct nft_rule **rules;
1626 if (table->use == UINT_MAX)
1629 if (nla[NFTA_CHAIN_HOOK]) {
1630 struct nft_chain_hook hook;
1631 struct nf_hook_ops *ops;
1633 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1637 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1638 if (basechain == NULL) {
1639 nft_chain_release_hook(&hook);
1643 if (hook.dev != NULL)
1644 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1646 if (nla[NFTA_CHAIN_COUNTERS]) {
1647 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1648 if (IS_ERR(stats)) {
1649 nft_chain_release_hook(&hook);
1651 return PTR_ERR(stats);
1653 rcu_assign_pointer(basechain->stats, stats);
1654 static_branch_inc(&nft_counters_enabled);
1657 basechain->type = hook.type;
1658 chain = &basechain->chain;
1660 ops = &basechain->ops;
1662 ops->hooknum = hook.num;
1663 ops->priority = hook.priority;
1665 ops->hook = hook.type->hooks[ops->hooknum];
1666 ops->dev = hook.dev;
1668 chain->flags |= NFT_BASE_CHAIN | flags;
1669 basechain->policy = NF_ACCEPT;
1670 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1671 nft_chain_offload_priority(basechain) < 0)
1674 flow_block_init(&basechain->flow_block);
1676 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1682 INIT_LIST_HEAD(&chain->rules);
1683 chain->handle = nf_tables_alloc_handle(table);
1684 chain->table = table;
1685 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1691 rules = nf_tables_chain_alloc_rules(chain, 0);
1698 rcu_assign_pointer(chain->rules_gen_0, rules);
1699 rcu_assign_pointer(chain->rules_gen_1, rules);
1701 err = nf_tables_register_hook(net, table, chain);
1705 err = rhltable_insert_key(&table->chains_ht, chain->name,
1706 &chain->rhlhead, nft_chain_ht_params);
1710 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1711 if (IS_ERR(trans)) {
1712 err = PTR_ERR(trans);
1713 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1714 nft_chain_ht_params);
1718 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1719 if (nft_is_base_chain(chain))
1720 nft_trans_chain_policy(trans) = policy;
1723 list_add_tail_rcu(&chain->list, &table->chains);
1727 nf_tables_unregister_hook(net, table, chain);
1729 nf_tables_chain_destroy(ctx);
1734 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1737 const struct nlattr * const *nla = ctx->nla;
1738 struct nft_table *table = ctx->table;
1739 struct nft_chain *chain = ctx->chain;
1740 struct nft_base_chain *basechain;
1741 struct nft_stats *stats = NULL;
1742 struct nft_chain_hook hook;
1743 struct nf_hook_ops *ops;
1744 struct nft_trans *trans;
1747 if (chain->flags ^ flags)
1750 if (nla[NFTA_CHAIN_HOOK]) {
1751 if (!nft_is_base_chain(chain))
1754 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1759 basechain = nft_base_chain(chain);
1760 if (basechain->type != hook.type) {
1761 nft_chain_release_hook(&hook);
1765 ops = &basechain->ops;
1766 if (ops->hooknum != hook.num ||
1767 ops->priority != hook.priority ||
1768 ops->dev != hook.dev) {
1769 nft_chain_release_hook(&hook);
1772 nft_chain_release_hook(&hook);
1775 if (nla[NFTA_CHAIN_HANDLE] &&
1776 nla[NFTA_CHAIN_NAME]) {
1777 struct nft_chain *chain2;
1779 chain2 = nft_chain_lookup(ctx->net, table,
1780 nla[NFTA_CHAIN_NAME], genmask);
1781 if (!IS_ERR(chain2))
1785 if (nla[NFTA_CHAIN_COUNTERS]) {
1786 if (!nft_is_base_chain(chain))
1789 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1791 return PTR_ERR(stats);
1795 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1796 sizeof(struct nft_trans_chain));
1800 nft_trans_chain_stats(trans) = stats;
1801 nft_trans_chain_update(trans) = true;
1803 if (nla[NFTA_CHAIN_POLICY])
1804 nft_trans_chain_policy(trans) = policy;
1806 nft_trans_chain_policy(trans) = -1;
1808 if (nla[NFTA_CHAIN_HANDLE] &&
1809 nla[NFTA_CHAIN_NAME]) {
1810 struct nft_trans *tmp;
1814 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1819 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1820 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1821 tmp->ctx.table == table &&
1822 nft_trans_chain_update(tmp) &&
1823 nft_trans_chain_name(tmp) &&
1824 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1830 nft_trans_chain_name(trans) = name;
1832 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1841 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1842 struct sk_buff *skb, const struct nlmsghdr *nlh,
1843 const struct nlattr * const nla[],
1844 struct netlink_ext_ack *extack)
1846 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1847 u8 genmask = nft_genmask_next(net);
1848 int family = nfmsg->nfgen_family;
1849 const struct nlattr *attr;
1850 struct nft_table *table;
1851 struct nft_chain *chain;
1852 u8 policy = NF_ACCEPT;
1857 lockdep_assert_held(&net->nft.commit_mutex);
1859 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1860 if (IS_ERR(table)) {
1861 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1862 return PTR_ERR(table);
1866 attr = nla[NFTA_CHAIN_NAME];
1868 if (nla[NFTA_CHAIN_HANDLE]) {
1869 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1870 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1871 if (IS_ERR(chain)) {
1872 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1873 return PTR_ERR(chain);
1875 attr = nla[NFTA_CHAIN_HANDLE];
1877 chain = nft_chain_lookup(net, table, attr, genmask);
1878 if (IS_ERR(chain)) {
1879 if (PTR_ERR(chain) != -ENOENT) {
1880 NL_SET_BAD_ATTR(extack, attr);
1881 return PTR_ERR(chain);
1887 if (nla[NFTA_CHAIN_POLICY]) {
1888 if (chain != NULL &&
1889 !nft_is_base_chain(chain)) {
1890 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1894 if (chain == NULL &&
1895 nla[NFTA_CHAIN_HOOK] == NULL) {
1896 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1900 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1910 if (nla[NFTA_CHAIN_FLAGS])
1911 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
1913 flags = chain->flags;
1915 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1917 if (chain != NULL) {
1918 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1919 NL_SET_BAD_ATTR(extack, attr);
1922 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1925 flags |= chain->flags & NFT_BASE_CHAIN;
1926 return nf_tables_updchain(&ctx, genmask, policy, flags);
1929 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
1932 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1933 struct sk_buff *skb, const struct nlmsghdr *nlh,
1934 const struct nlattr * const nla[],
1935 struct netlink_ext_ack *extack)
1937 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1938 u8 genmask = nft_genmask_next(net);
1939 int family = nfmsg->nfgen_family;
1940 const struct nlattr *attr;
1941 struct nft_table *table;
1942 struct nft_chain *chain;
1943 struct nft_rule *rule;
1949 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1950 if (IS_ERR(table)) {
1951 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1952 return PTR_ERR(table);
1955 if (nla[NFTA_CHAIN_HANDLE]) {
1956 attr = nla[NFTA_CHAIN_HANDLE];
1957 handle = be64_to_cpu(nla_get_be64(attr));
1958 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1960 attr = nla[NFTA_CHAIN_NAME];
1961 chain = nft_chain_lookup(net, table, attr, genmask);
1963 if (IS_ERR(chain)) {
1964 NL_SET_BAD_ATTR(extack, attr);
1965 return PTR_ERR(chain);
1968 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1972 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1975 list_for_each_entry(rule, &chain->rules, list) {
1976 if (!nft_is_active_next(net, rule))
1980 err = nft_delrule(&ctx, rule);
1985 /* There are rules and elements that are still holding references to us,
1986 * we cannot do a recursive removal in this case.
1989 NL_SET_BAD_ATTR(extack, attr);
1993 return nft_delchain(&ctx);
2001 * nft_register_expr - register nf_tables expr type
2004 * Registers the expr type for use with nf_tables. Returns zero on
2005 * success or a negative errno code otherwise.
2007 int nft_register_expr(struct nft_expr_type *type)
2009 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2010 if (type->family == NFPROTO_UNSPEC)
2011 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2013 list_add_rcu(&type->list, &nf_tables_expressions);
2014 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2017 EXPORT_SYMBOL_GPL(nft_register_expr);
2020 * nft_unregister_expr - unregister nf_tables expr type
2023 * Unregisters the expr typefor use with nf_tables.
2025 void nft_unregister_expr(struct nft_expr_type *type)
2027 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2028 list_del_rcu(&type->list);
2029 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2031 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2033 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2036 const struct nft_expr_type *type, *candidate = NULL;
2038 list_for_each_entry(type, &nf_tables_expressions, list) {
2039 if (!nla_strcmp(nla, type->name)) {
2040 if (!type->family && !candidate)
2042 else if (type->family == family)
2049 #ifdef CONFIG_MODULES
2050 static int nft_expr_type_request_module(struct net *net, u8 family,
2053 nft_request_module(net, "nft-expr-%u-%.*s", family,
2054 nla_len(nla), (char *)nla_data(nla));
2055 if (__nft_expr_type_get(family, nla))
2062 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2066 const struct nft_expr_type *type;
2069 return ERR_PTR(-EINVAL);
2071 type = __nft_expr_type_get(family, nla);
2072 if (type != NULL && try_module_get(type->owner))
2075 lockdep_nfnl_nft_mutex_not_held();
2076 #ifdef CONFIG_MODULES
2078 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2079 return ERR_PTR(-EAGAIN);
2081 nft_request_module(net, "nft-expr-%.*s",
2082 nla_len(nla), (char *)nla_data(nla));
2083 if (__nft_expr_type_get(family, nla))
2084 return ERR_PTR(-EAGAIN);
2087 return ERR_PTR(-ENOENT);
2090 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2091 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2092 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2095 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2096 const struct nft_expr *expr)
2098 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2099 goto nla_put_failure;
2101 if (expr->ops->dump) {
2102 struct nlattr *data = nla_nest_start_noflag(skb,
2105 goto nla_put_failure;
2106 if (expr->ops->dump(skb, expr) < 0)
2107 goto nla_put_failure;
2108 nla_nest_end(skb, data);
2117 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2118 const struct nft_expr *expr)
2120 struct nlattr *nest;
2122 nest = nla_nest_start_noflag(skb, attr);
2124 goto nla_put_failure;
2125 if (nf_tables_fill_expr_info(skb, expr) < 0)
2126 goto nla_put_failure;
2127 nla_nest_end(skb, nest);
2134 struct nft_expr_info {
2135 const struct nft_expr_ops *ops;
2136 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2139 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2140 const struct nlattr *nla,
2141 struct nft_expr_info *info)
2143 const struct nft_expr_type *type;
2144 const struct nft_expr_ops *ops;
2145 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2148 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2149 nft_expr_policy, NULL);
2153 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2155 return PTR_ERR(type);
2157 if (tb[NFTA_EXPR_DATA]) {
2158 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2160 type->policy, NULL);
2164 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2166 if (type->select_ops != NULL) {
2167 ops = type->select_ops(ctx,
2168 (const struct nlattr * const *)info->tb);
2171 #ifdef CONFIG_MODULES
2173 nft_expr_type_request_module(ctx->net,
2175 tb[NFTA_EXPR_NAME]);
2186 module_put(type->owner);
2190 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2191 const struct nft_expr_info *info,
2192 struct nft_expr *expr)
2194 const struct nft_expr_ops *ops = info->ops;
2199 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2210 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2211 struct nft_expr *expr)
2213 const struct nft_expr_type *type = expr->ops->type;
2215 if (expr->ops->destroy)
2216 expr->ops->destroy(ctx, expr);
2217 module_put(type->owner);
2220 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2221 const struct nlattr *nla)
2223 struct nft_expr_info info;
2224 struct nft_expr *expr;
2225 struct module *owner;
2228 err = nf_tables_expr_parse(ctx, nla, &info);
2233 expr = kzalloc(info.ops->size, GFP_KERNEL);
2237 err = nf_tables_newexpr(ctx, &info, expr);
2245 owner = info.ops->type->owner;
2246 if (info.ops->type->release_ops)
2247 info.ops->type->release_ops(info.ops);
2251 return ERR_PTR(err);
2254 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2256 nf_tables_expr_destroy(ctx, expr);
2264 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2267 struct nft_rule *rule;
2269 // FIXME: this sucks
2270 list_for_each_entry_rcu(rule, &chain->rules, list) {
2271 if (handle == rule->handle)
2275 return ERR_PTR(-ENOENT);
2278 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2279 const struct nlattr *nla)
2282 return ERR_PTR(-EINVAL);
2284 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2287 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2288 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2289 .len = NFT_TABLE_MAXNAMELEN - 1 },
2290 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2291 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2292 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2293 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2294 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2295 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2296 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2297 .len = NFT_USERDATA_MAXLEN },
2298 [NFTA_RULE_ID] = { .type = NLA_U32 },
2299 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2302 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2303 u32 portid, u32 seq, int event,
2304 u32 flags, int family,
2305 const struct nft_table *table,
2306 const struct nft_chain *chain,
2307 const struct nft_rule *rule,
2308 const struct nft_rule *prule)
2310 struct nlmsghdr *nlh;
2311 struct nfgenmsg *nfmsg;
2312 const struct nft_expr *expr, *next;
2313 struct nlattr *list;
2314 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2316 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2318 goto nla_put_failure;
2320 nfmsg = nlmsg_data(nlh);
2321 nfmsg->nfgen_family = family;
2322 nfmsg->version = NFNETLINK_V0;
2323 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2325 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2326 goto nla_put_failure;
2327 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2328 goto nla_put_failure;
2329 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2331 goto nla_put_failure;
2333 if (event != NFT_MSG_DELRULE && prule) {
2334 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2335 cpu_to_be64(prule->handle),
2337 goto nla_put_failure;
2340 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2342 goto nla_put_failure;
2343 nft_rule_for_each_expr(expr, next, rule) {
2344 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2345 goto nla_put_failure;
2347 nla_nest_end(skb, list);
2350 struct nft_userdata *udata = nft_userdata(rule);
2351 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2353 goto nla_put_failure;
2356 nlmsg_end(skb, nlh);
2360 nlmsg_trim(skb, nlh);
2364 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2365 const struct nft_rule *rule, int event)
2367 struct sk_buff *skb;
2371 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2374 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2378 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2379 event, 0, ctx->family, ctx->table,
2380 ctx->chain, rule, NULL);
2386 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2387 ctx->report, GFP_KERNEL);
2390 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2393 struct nft_rule_dump_ctx {
2398 static int __nf_tables_dump_rules(struct sk_buff *skb,
2400 struct netlink_callback *cb,
2401 const struct nft_table *table,
2402 const struct nft_chain *chain)
2404 struct net *net = sock_net(skb->sk);
2405 const struct nft_rule *rule, *prule;
2406 unsigned int s_idx = cb->args[0];
2409 list_for_each_entry_rcu(rule, &chain->rules, list) {
2410 if (!nft_is_active(net, rule))
2415 memset(&cb->args[1], 0,
2416 sizeof(cb->args) - sizeof(cb->args[0]));
2418 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2421 NLM_F_MULTI | NLM_F_APPEND,
2423 table, chain, rule, prule) < 0)
2426 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2435 static int nf_tables_dump_rules(struct sk_buff *skb,
2436 struct netlink_callback *cb)
2438 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2439 const struct nft_rule_dump_ctx *ctx = cb->data;
2440 struct nft_table *table;
2441 const struct nft_chain *chain;
2442 unsigned int idx = 0;
2443 struct net *net = sock_net(skb->sk);
2444 int family = nfmsg->nfgen_family;
2447 cb->seq = net->nft.base_seq;
2449 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2450 if (family != NFPROTO_UNSPEC && family != table->family)
2453 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2456 if (ctx && ctx->table && ctx->chain) {
2457 struct rhlist_head *list, *tmp;
2459 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2460 nft_chain_ht_params);
2464 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2465 if (!nft_is_active(net, chain))
2467 __nf_tables_dump_rules(skb, &idx,
2474 list_for_each_entry_rcu(chain, &table->chains, list) {
2475 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2479 if (ctx && ctx->table)
2489 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2491 const struct nlattr * const *nla = cb->data;
2492 struct nft_rule_dump_ctx *ctx = NULL;
2494 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2495 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2499 if (nla[NFTA_RULE_TABLE]) {
2500 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2507 if (nla[NFTA_RULE_CHAIN]) {
2508 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2522 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2524 struct nft_rule_dump_ctx *ctx = cb->data;
2534 /* called with rcu_read_lock held */
2535 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2536 struct sk_buff *skb, const struct nlmsghdr *nlh,
2537 const struct nlattr * const nla[],
2538 struct netlink_ext_ack *extack)
2540 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2541 u8 genmask = nft_genmask_cur(net);
2542 const struct nft_chain *chain;
2543 const struct nft_rule *rule;
2544 struct nft_table *table;
2545 struct sk_buff *skb2;
2546 int family = nfmsg->nfgen_family;
2549 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2550 struct netlink_dump_control c = {
2551 .start= nf_tables_dump_rules_start,
2552 .dump = nf_tables_dump_rules,
2553 .done = nf_tables_dump_rules_done,
2554 .module = THIS_MODULE,
2555 .data = (void *)nla,
2558 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2561 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2562 if (IS_ERR(table)) {
2563 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2564 return PTR_ERR(table);
2567 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2568 if (IS_ERR(chain)) {
2569 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2570 return PTR_ERR(chain);
2573 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2575 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2576 return PTR_ERR(rule);
2579 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2583 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2584 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2585 family, table, chain, rule, NULL);
2589 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2596 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2597 struct nft_rule *rule)
2599 struct nft_expr *expr, *next;
2602 * Careful: some expressions might not be initialized in case this
2603 * is called on error from nf_tables_newrule().
2605 expr = nft_expr_first(rule);
2606 while (expr != nft_expr_last(rule) && expr->ops) {
2607 next = nft_expr_next(expr);
2608 nf_tables_expr_destroy(ctx, expr);
2614 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2615 struct nft_rule *rule)
2617 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2618 nf_tables_rule_destroy(ctx, rule);
2621 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2623 struct nft_expr *expr, *last;
2624 const struct nft_data *data;
2625 struct nft_rule *rule;
2628 if (ctx->level == NFT_JUMP_STACK_SIZE)
2631 list_for_each_entry(rule, &chain->rules, list) {
2632 if (!nft_is_active_next(ctx->net, rule))
2635 nft_rule_for_each_expr(expr, last, rule) {
2636 if (!expr->ops->validate)
2639 err = expr->ops->validate(ctx, expr, &data);
2647 EXPORT_SYMBOL_GPL(nft_chain_validate);
2649 static int nft_table_validate(struct net *net, const struct nft_table *table)
2651 struct nft_chain *chain;
2652 struct nft_ctx ctx = {
2654 .family = table->family,
2658 list_for_each_entry(chain, &table->chains, list) {
2659 if (!nft_is_base_chain(chain))
2663 err = nft_chain_validate(&ctx, chain);
2671 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2672 const struct nlattr *nla);
2674 #define NFT_RULE_MAXEXPRS 128
2676 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2677 struct sk_buff *skb, const struct nlmsghdr *nlh,
2678 const struct nlattr * const nla[],
2679 struct netlink_ext_ack *extack)
2681 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2682 u8 genmask = nft_genmask_next(net);
2683 struct nft_expr_info *info = NULL;
2684 int family = nfmsg->nfgen_family;
2685 struct nft_flow_rule *flow;
2686 struct nft_table *table;
2687 struct nft_chain *chain;
2688 struct nft_rule *rule, *old_rule = NULL;
2689 struct nft_userdata *udata;
2690 struct nft_trans *trans = NULL;
2691 struct nft_expr *expr;
2694 unsigned int size, i, n, ulen = 0, usize = 0;
2696 u64 handle, pos_handle;
2698 lockdep_assert_held(&net->nft.commit_mutex);
2700 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2701 if (IS_ERR(table)) {
2702 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2703 return PTR_ERR(table);
2706 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2707 if (IS_ERR(chain)) {
2708 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2709 return PTR_ERR(chain);
2712 if (nla[NFTA_RULE_HANDLE]) {
2713 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2714 rule = __nft_rule_lookup(chain, handle);
2716 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2717 return PTR_ERR(rule);
2720 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2721 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2724 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2729 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2730 nlh->nlmsg_flags & NLM_F_REPLACE)
2732 handle = nf_tables_alloc_handle(table);
2734 if (chain->use == UINT_MAX)
2737 if (nla[NFTA_RULE_POSITION]) {
2738 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2739 old_rule = __nft_rule_lookup(chain, pos_handle);
2740 if (IS_ERR(old_rule)) {
2741 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2742 return PTR_ERR(old_rule);
2744 } else if (nla[NFTA_RULE_POSITION_ID]) {
2745 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
2746 if (IS_ERR(old_rule)) {
2747 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2748 return PTR_ERR(old_rule);
2753 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2757 if (nla[NFTA_RULE_EXPRESSIONS]) {
2758 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2759 sizeof(struct nft_expr_info),
2764 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2766 if (nla_type(tmp) != NFTA_LIST_ELEM)
2768 if (n == NFT_RULE_MAXEXPRS)
2770 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2773 size += info[n].ops->size;
2777 /* Check for overflow of dlen field */
2779 if (size >= 1 << 12)
2782 if (nla[NFTA_RULE_USERDATA]) {
2783 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2785 usize = sizeof(struct nft_userdata) + ulen;
2789 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2793 nft_activate_next(net, rule);
2795 rule->handle = handle;
2797 rule->udata = ulen ? 1 : 0;
2800 udata = nft_userdata(rule);
2801 udata->len = ulen - 1;
2802 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2805 expr = nft_expr_first(rule);
2806 for (i = 0; i < n; i++) {
2807 err = nf_tables_newexpr(&ctx, &info[i], expr);
2811 if (info[i].ops->validate)
2812 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2815 expr = nft_expr_next(expr);
2818 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2819 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2820 if (trans == NULL) {
2824 err = nft_delrule(&ctx, old_rule);
2826 nft_trans_destroy(trans);
2830 list_add_tail_rcu(&rule->list, &old_rule->list);
2832 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2838 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2840 list_add_rcu(&rule->list, &old_rule->list);
2842 list_add_tail_rcu(&rule->list, &chain->rules);
2845 list_add_tail_rcu(&rule->list, &old_rule->list);
2847 list_add_rcu(&rule->list, &chain->rules);
2853 if (net->nft.validate_state == NFT_VALIDATE_DO)
2854 return nft_table_validate(net, table);
2856 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
2857 flow = nft_flow_rule_create(net, rule);
2859 return PTR_ERR(flow);
2861 nft_trans_flow_rule(trans) = flow;
2866 nf_tables_rule_release(&ctx, rule);
2868 for (i = 0; i < n; i++) {
2870 module_put(info[i].ops->type->owner);
2871 if (info[i].ops->type->release_ops)
2872 info[i].ops->type->release_ops(info[i].ops);
2879 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2880 const struct nlattr *nla)
2882 u32 id = ntohl(nla_get_be32(nla));
2883 struct nft_trans *trans;
2885 list_for_each_entry(trans, &net->nft.commit_list, list) {
2886 struct nft_rule *rule = nft_trans_rule(trans);
2888 if (trans->msg_type == NFT_MSG_NEWRULE &&
2889 id == nft_trans_rule_id(trans))
2892 return ERR_PTR(-ENOENT);
2895 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2896 struct sk_buff *skb, const struct nlmsghdr *nlh,
2897 const struct nlattr * const nla[],
2898 struct netlink_ext_ack *extack)
2900 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2901 u8 genmask = nft_genmask_next(net);
2902 struct nft_table *table;
2903 struct nft_chain *chain = NULL;
2904 struct nft_rule *rule;
2905 int family = nfmsg->nfgen_family, err = 0;
2908 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2909 if (IS_ERR(table)) {
2910 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2911 return PTR_ERR(table);
2914 if (nla[NFTA_RULE_CHAIN]) {
2915 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2917 if (IS_ERR(chain)) {
2918 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2919 return PTR_ERR(chain);
2923 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2926 if (nla[NFTA_RULE_HANDLE]) {
2927 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2929 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2930 return PTR_ERR(rule);
2933 err = nft_delrule(&ctx, rule);
2934 } else if (nla[NFTA_RULE_ID]) {
2935 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2937 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2938 return PTR_ERR(rule);
2941 err = nft_delrule(&ctx, rule);
2943 err = nft_delrule_by_chain(&ctx);
2946 list_for_each_entry(chain, &table->chains, list) {
2947 if (!nft_is_active_next(net, chain))
2951 err = nft_delrule_by_chain(&ctx);
2964 static LIST_HEAD(nf_tables_set_types);
2966 int nft_register_set(struct nft_set_type *type)
2968 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2969 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2970 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2973 EXPORT_SYMBOL_GPL(nft_register_set);
2975 void nft_unregister_set(struct nft_set_type *type)
2977 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2978 list_del_rcu(&type->list);
2979 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2981 EXPORT_SYMBOL_GPL(nft_unregister_set);
2983 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2984 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2987 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2989 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2993 * Select a set implementation based on the data characteristics and the
2994 * given policy. The total memory use might not be known if no size is
2995 * given, in that case the amount of memory per element is used.
2997 static const struct nft_set_ops *
2998 nft_select_set_ops(const struct nft_ctx *ctx,
2999 const struct nlattr * const nla[],
3000 const struct nft_set_desc *desc,
3001 enum nft_set_policies policy)
3003 const struct nft_set_ops *ops, *bops;
3004 struct nft_set_estimate est, best;
3005 const struct nft_set_type *type;
3008 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3009 lockdep_nfnl_nft_mutex_not_held();
3010 #ifdef CONFIG_MODULES
3011 if (list_empty(&nf_tables_set_types)) {
3012 nft_request_module(ctx->net, "nft-set");
3013 if (!list_empty(&nf_tables_set_types))
3014 return ERR_PTR(-EAGAIN);
3017 if (nla[NFTA_SET_FLAGS] != NULL)
3018 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3025 list_for_each_entry(type, &nf_tables_set_types, list) {
3028 if (!nft_set_ops_candidate(type, flags))
3030 if (!ops->estimate(desc, flags, &est))
3034 case NFT_SET_POL_PERFORMANCE:
3035 if (est.lookup < best.lookup)
3037 if (est.lookup == best.lookup &&
3038 est.space < best.space)
3041 case NFT_SET_POL_MEMORY:
3043 if (est.space < best.space)
3045 if (est.space == best.space &&
3046 est.lookup < best.lookup)
3048 } else if (est.size < best.size || !bops) {
3056 if (!try_module_get(type->owner))
3059 module_put(to_set_type(bops)->owner);
3068 return ERR_PTR(-EOPNOTSUPP);
3071 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3072 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3073 .len = NFT_TABLE_MAXNAMELEN - 1 },
3074 [NFTA_SET_NAME] = { .type = NLA_STRING,
3075 .len = NFT_SET_MAXNAMELEN - 1 },
3076 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3077 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3078 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3079 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3080 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3081 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3082 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3083 [NFTA_SET_ID] = { .type = NLA_U32 },
3084 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3085 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3086 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3087 .len = NFT_USERDATA_MAXLEN },
3088 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3089 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3092 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3093 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3096 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3097 const struct sk_buff *skb,
3098 const struct nlmsghdr *nlh,
3099 const struct nlattr * const nla[],
3100 struct netlink_ext_ack *extack,
3103 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3104 int family = nfmsg->nfgen_family;
3105 struct nft_table *table = NULL;
3107 if (nla[NFTA_SET_TABLE] != NULL) {
3108 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3110 if (IS_ERR(table)) {
3111 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3112 return PTR_ERR(table);
3116 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3120 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3121 const struct nlattr *nla, u8 genmask)
3123 struct nft_set *set;
3126 return ERR_PTR(-EINVAL);
3128 list_for_each_entry_rcu(set, &table->sets, list) {
3129 if (!nla_strcmp(nla, set->name) &&
3130 nft_active_genmask(set, genmask))
3133 return ERR_PTR(-ENOENT);
3136 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3137 const struct nlattr *nla,
3140 struct nft_set *set;
3142 list_for_each_entry(set, &table->sets, list) {
3143 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3144 nft_active_genmask(set, genmask))
3147 return ERR_PTR(-ENOENT);
3150 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3151 const struct nlattr *nla, u8 genmask)
3153 struct nft_trans *trans;
3154 u32 id = ntohl(nla_get_be32(nla));
3156 list_for_each_entry(trans, &net->nft.commit_list, list) {
3157 if (trans->msg_type == NFT_MSG_NEWSET) {
3158 struct nft_set *set = nft_trans_set(trans);
3160 if (id == nft_trans_set_id(trans) &&
3161 nft_active_genmask(set, genmask))
3165 return ERR_PTR(-ENOENT);
3168 struct nft_set *nft_set_lookup_global(const struct net *net,
3169 const struct nft_table *table,
3170 const struct nlattr *nla_set_name,
3171 const struct nlattr *nla_set_id,
3174 struct nft_set *set;
3176 set = nft_set_lookup(table, nla_set_name, genmask);
3181 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3185 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3187 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3190 const struct nft_set *i;
3192 unsigned long *inuse;
3193 unsigned int n = 0, min = 0;
3195 p = strchr(name, '%');
3197 if (p[1] != 'd' || strchr(p + 2, '%'))
3200 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3204 list_for_each_entry(i, &ctx->table->sets, list) {
3207 if (!nft_is_active_next(ctx->net, set))
3209 if (!sscanf(i->name, name, &tmp))
3211 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3214 set_bit(tmp - min, inuse);
3217 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3218 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3219 min += BITS_PER_BYTE * PAGE_SIZE;
3220 memset(inuse, 0, PAGE_SIZE);
3223 free_page((unsigned long)inuse);
3226 set->name = kasprintf(GFP_KERNEL, name, min + n);
3230 list_for_each_entry(i, &ctx->table->sets, list) {
3231 if (!nft_is_active_next(ctx->net, i))
3233 if (!strcmp(set->name, i->name)) {
3241 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3243 u64 ms = be64_to_cpu(nla_get_be64(nla));
3244 u64 max = (u64)(~((u64)0));
3246 max = div_u64(max, NSEC_PER_MSEC);
3250 ms *= NSEC_PER_MSEC;
3251 *result = nsecs_to_jiffies64(ms);
3255 static __be64 nf_jiffies64_to_msecs(u64 input)
3257 return cpu_to_be64(jiffies64_to_msecs(input));
3260 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3261 const struct nft_set *set, u16 event, u16 flags)
3263 struct nfgenmsg *nfmsg;
3264 struct nlmsghdr *nlh;
3265 struct nlattr *desc;
3266 u32 portid = ctx->portid;
3269 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3270 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3273 goto nla_put_failure;
3275 nfmsg = nlmsg_data(nlh);
3276 nfmsg->nfgen_family = ctx->family;
3277 nfmsg->version = NFNETLINK_V0;
3278 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3280 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3281 goto nla_put_failure;
3282 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3283 goto nla_put_failure;
3284 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3286 goto nla_put_failure;
3287 if (set->flags != 0)
3288 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3289 goto nla_put_failure;
3291 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3292 goto nla_put_failure;
3293 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3294 goto nla_put_failure;
3295 if (set->flags & NFT_SET_MAP) {
3296 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3297 goto nla_put_failure;
3298 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3299 goto nla_put_failure;
3301 if (set->flags & NFT_SET_OBJECT &&
3302 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3303 goto nla_put_failure;
3306 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3307 nf_jiffies64_to_msecs(set->timeout),
3309 goto nla_put_failure;
3311 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3312 goto nla_put_failure;
3314 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3315 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3316 goto nla_put_failure;
3319 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3320 goto nla_put_failure;
3322 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3324 goto nla_put_failure;
3326 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3327 goto nla_put_failure;
3328 nla_nest_end(skb, desc);
3330 nlmsg_end(skb, nlh);
3334 nlmsg_trim(skb, nlh);
3338 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3339 const struct nft_set *set, int event,
3342 struct sk_buff *skb;
3343 u32 portid = ctx->portid;
3347 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3350 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3354 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3360 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3364 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3367 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3369 const struct nft_set *set;
3370 unsigned int idx, s_idx = cb->args[0];
3371 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3372 struct net *net = sock_net(skb->sk);
3373 struct nft_ctx *ctx = cb->data, ctx_set;
3379 cb->seq = net->nft.base_seq;
3381 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3382 if (ctx->family != NFPROTO_UNSPEC &&
3383 ctx->family != table->family)
3386 if (ctx->table && ctx->table != table)
3390 if (cur_table != table)
3396 list_for_each_entry_rcu(set, &table->sets, list) {
3399 if (!nft_is_active(net, set))
3403 ctx_set.table = table;
3404 ctx_set.family = table->family;
3406 if (nf_tables_fill_set(skb, &ctx_set, set,
3410 cb->args[2] = (unsigned long) table;
3413 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3426 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3428 struct nft_ctx *ctx_dump = NULL;
3430 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3431 if (ctx_dump == NULL)
3434 cb->data = ctx_dump;
3438 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3444 /* called with rcu_read_lock held */
3445 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3446 struct sk_buff *skb, const struct nlmsghdr *nlh,
3447 const struct nlattr * const nla[],
3448 struct netlink_ext_ack *extack)
3450 u8 genmask = nft_genmask_cur(net);
3451 const struct nft_set *set;
3453 struct sk_buff *skb2;
3454 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3457 /* Verify existence before starting dump */
3458 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3463 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3464 struct netlink_dump_control c = {
3465 .start = nf_tables_dump_sets_start,
3466 .dump = nf_tables_dump_sets,
3467 .done = nf_tables_dump_sets_done,
3469 .module = THIS_MODULE,
3472 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3475 /* Only accept unspec with dump */
3476 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3477 return -EAFNOSUPPORT;
3478 if (!nla[NFTA_SET_TABLE])
3481 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3483 return PTR_ERR(set);
3485 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3489 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3493 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3500 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3501 const struct nlattr *nla)
3503 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3506 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3507 nft_set_desc_policy, NULL);
3511 if (da[NFTA_SET_DESC_SIZE] != NULL)
3512 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3517 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3518 struct sk_buff *skb, const struct nlmsghdr *nlh,
3519 const struct nlattr * const nla[],
3520 struct netlink_ext_ack *extack)
3522 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3523 u8 genmask = nft_genmask_next(net);
3524 int family = nfmsg->nfgen_family;
3525 const struct nft_set_ops *ops;
3526 struct nft_table *table;
3527 struct nft_set *set;
3532 u32 ktype, dtype, flags, policy, gc_int, objtype;
3533 struct nft_set_desc desc;
3534 unsigned char *udata;
3538 if (nla[NFTA_SET_TABLE] == NULL ||
3539 nla[NFTA_SET_NAME] == NULL ||
3540 nla[NFTA_SET_KEY_LEN] == NULL ||
3541 nla[NFTA_SET_ID] == NULL)
3544 memset(&desc, 0, sizeof(desc));
3546 ktype = NFT_DATA_VALUE;
3547 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3548 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3549 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3553 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3554 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3558 if (nla[NFTA_SET_FLAGS] != NULL) {
3559 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3560 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3561 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3562 NFT_SET_MAP | NFT_SET_EVAL |
3565 /* Only one of these operations is supported */
3566 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3567 (NFT_SET_MAP | NFT_SET_OBJECT))
3569 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3570 (NFT_SET_EVAL | NFT_SET_OBJECT))
3575 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3576 if (!(flags & NFT_SET_MAP))
3579 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3580 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3581 dtype != NFT_DATA_VERDICT)
3584 if (dtype != NFT_DATA_VERDICT) {
3585 if (nla[NFTA_SET_DATA_LEN] == NULL)
3587 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3588 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3591 desc.dlen = sizeof(struct nft_verdict);
3592 } else if (flags & NFT_SET_MAP)
3595 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3596 if (!(flags & NFT_SET_OBJECT))
3599 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3600 if (objtype == NFT_OBJECT_UNSPEC ||
3601 objtype > NFT_OBJECT_MAX)
3603 } else if (flags & NFT_SET_OBJECT)
3606 objtype = NFT_OBJECT_UNSPEC;
3609 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3610 if (!(flags & NFT_SET_TIMEOUT))
3613 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3618 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3619 if (!(flags & NFT_SET_TIMEOUT))
3621 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3624 policy = NFT_SET_POL_PERFORMANCE;
3625 if (nla[NFTA_SET_POLICY] != NULL)
3626 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3628 if (nla[NFTA_SET_DESC] != NULL) {
3629 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3634 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3635 if (IS_ERR(table)) {
3636 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3637 return PTR_ERR(table);
3640 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3642 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3644 if (PTR_ERR(set) != -ENOENT) {
3645 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3646 return PTR_ERR(set);
3649 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3650 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3653 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3659 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3662 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3664 return PTR_ERR(ops);
3667 if (nla[NFTA_SET_USERDATA])
3668 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3671 if (ops->privsize != NULL)
3672 size = ops->privsize(nla, &desc);
3674 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3680 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3686 err = nf_tables_set_alloc_name(&ctx, set, name);
3693 udata = set->data + size;
3694 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3697 INIT_LIST_HEAD(&set->bindings);
3699 write_pnet(&set->net, net);
3702 set->klen = desc.klen;
3704 set->objtype = objtype;
3705 set->dlen = desc.dlen;
3707 set->size = desc.size;
3708 set->policy = policy;
3711 set->timeout = timeout;
3712 set->gc_int = gc_int;
3713 set->handle = nf_tables_alloc_handle(table);
3715 err = ops->init(set, &desc, nla);
3719 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3723 list_add_tail_rcu(&set->list, &table->sets);
3734 module_put(to_set_type(ops)->owner);
3738 static void nft_set_destroy(struct nft_set *set)
3740 if (WARN_ON(set->use > 0))
3743 set->ops->destroy(set);
3744 module_put(to_set_type(set->ops)->owner);
3749 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3750 struct sk_buff *skb, const struct nlmsghdr *nlh,
3751 const struct nlattr * const nla[],
3752 struct netlink_ext_ack *extack)
3754 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3755 u8 genmask = nft_genmask_next(net);
3756 const struct nlattr *attr;
3757 struct nft_set *set;
3761 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3762 return -EAFNOSUPPORT;
3763 if (nla[NFTA_SET_TABLE] == NULL)
3766 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3771 if (nla[NFTA_SET_HANDLE]) {
3772 attr = nla[NFTA_SET_HANDLE];
3773 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3775 attr = nla[NFTA_SET_NAME];
3776 set = nft_set_lookup(ctx.table, attr, genmask);
3780 NL_SET_BAD_ATTR(extack, attr);
3781 return PTR_ERR(set);
3784 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3785 NL_SET_BAD_ATTR(extack, attr);
3789 return nft_delset(&ctx, set);
3792 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3793 struct nft_set *set,
3794 const struct nft_set_iter *iter,
3795 struct nft_set_elem *elem)
3797 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3798 enum nft_registers dreg;
3800 dreg = nft_type_to_reg(set->dtype);
3801 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3802 set->dtype == NFT_DATA_VERDICT ?
3803 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3807 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3808 struct nft_set_binding *binding)
3810 struct nft_set_binding *i;
3811 struct nft_set_iter iter;
3813 if (set->use == UINT_MAX)
3816 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3819 if (binding->flags & NFT_SET_MAP) {
3820 /* If the set is already bound to the same chain all
3821 * jumps are already validated for that chain.
3823 list_for_each_entry(i, &set->bindings, list) {
3824 if (i->flags & NFT_SET_MAP &&
3825 i->chain == binding->chain)
3829 iter.genmask = nft_genmask_next(ctx->net);
3833 iter.fn = nf_tables_bind_check_setelem;
3835 set->ops->walk(ctx, set, &iter);
3840 binding->chain = ctx->chain;
3841 list_add_tail_rcu(&binding->list, &set->bindings);
3842 nft_set_trans_bind(ctx, set);
3847 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3849 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3850 struct nft_set_binding *binding, bool event)
3852 list_del_rcu(&binding->list);
3854 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3855 list_del_rcu(&set->list);
3857 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3862 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3863 struct nft_set_binding *binding,
3864 enum nft_trans_phase phase)
3867 case NFT_TRANS_PREPARE:
3870 case NFT_TRANS_ABORT:
3871 case NFT_TRANS_RELEASE:
3875 nf_tables_unbind_set(ctx, set, binding,
3876 phase == NFT_TRANS_COMMIT);
3879 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3881 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3883 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3884 nft_set_destroy(set);
3886 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3888 const struct nft_set_ext_type nft_set_ext_types[] = {
3889 [NFT_SET_EXT_KEY] = {
3890 .align = __alignof__(u32),
3892 [NFT_SET_EXT_DATA] = {
3893 .align = __alignof__(u32),
3895 [NFT_SET_EXT_EXPR] = {
3896 .align = __alignof__(struct nft_expr),
3898 [NFT_SET_EXT_OBJREF] = {
3899 .len = sizeof(struct nft_object *),
3900 .align = __alignof__(struct nft_object *),
3902 [NFT_SET_EXT_FLAGS] = {
3904 .align = __alignof__(u8),
3906 [NFT_SET_EXT_TIMEOUT] = {
3908 .align = __alignof__(u64),
3910 [NFT_SET_EXT_EXPIRATION] = {
3912 .align = __alignof__(u64),
3914 [NFT_SET_EXT_USERDATA] = {
3915 .len = sizeof(struct nft_userdata),
3916 .align = __alignof__(struct nft_userdata),
3919 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3925 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3926 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3927 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3928 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3929 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3930 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
3931 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3932 .len = NFT_USERDATA_MAXLEN },
3933 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3934 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3937 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3938 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3939 .len = NFT_TABLE_MAXNAMELEN - 1 },
3940 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3941 .len = NFT_SET_MAXNAMELEN - 1 },
3942 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3943 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3946 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3947 const struct sk_buff *skb,
3948 const struct nlmsghdr *nlh,
3949 const struct nlattr * const nla[],
3950 struct netlink_ext_ack *extack,
3953 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3954 int family = nfmsg->nfgen_family;
3955 struct nft_table *table;
3957 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3959 if (IS_ERR(table)) {
3960 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3961 return PTR_ERR(table);
3964 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3968 static int nf_tables_fill_setelem(struct sk_buff *skb,
3969 const struct nft_set *set,
3970 const struct nft_set_elem *elem)
3972 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3973 unsigned char *b = skb_tail_pointer(skb);
3974 struct nlattr *nest;
3976 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3978 goto nla_put_failure;
3980 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3981 NFT_DATA_VALUE, set->klen) < 0)
3982 goto nla_put_failure;
3984 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3985 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3986 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3988 goto nla_put_failure;
3990 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3991 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3992 goto nla_put_failure;
3994 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3995 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3996 (*nft_set_ext_obj(ext))->key.name) < 0)
3997 goto nla_put_failure;
3999 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4000 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4001 htonl(*nft_set_ext_flags(ext))))
4002 goto nla_put_failure;
4004 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4005 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4006 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4008 goto nla_put_failure;
4010 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4011 u64 expires, now = get_jiffies_64();
4013 expires = *nft_set_ext_expiration(ext);
4014 if (time_before64(now, expires))
4019 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4020 nf_jiffies64_to_msecs(expires),
4022 goto nla_put_failure;
4025 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4026 struct nft_userdata *udata;
4028 udata = nft_set_ext_userdata(ext);
4029 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4030 udata->len + 1, udata->data))
4031 goto nla_put_failure;
4034 nla_nest_end(skb, nest);
4042 struct nft_set_dump_args {
4043 const struct netlink_callback *cb;
4044 struct nft_set_iter iter;
4045 struct sk_buff *skb;
4048 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4049 struct nft_set *set,
4050 const struct nft_set_iter *iter,
4051 struct nft_set_elem *elem)
4053 struct nft_set_dump_args *args;
4055 args = container_of(iter, struct nft_set_dump_args, iter);
4056 return nf_tables_fill_setelem(args->skb, set, elem);
4059 struct nft_set_dump_ctx {
4060 const struct nft_set *set;
4064 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4066 struct nft_set_dump_ctx *dump_ctx = cb->data;
4067 struct net *net = sock_net(skb->sk);
4068 struct nft_table *table;
4069 struct nft_set *set;
4070 struct nft_set_dump_args args;
4071 bool set_found = false;
4072 struct nfgenmsg *nfmsg;
4073 struct nlmsghdr *nlh;
4074 struct nlattr *nest;
4079 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4080 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4081 dump_ctx->ctx.family != table->family)
4084 if (table != dump_ctx->ctx.table)
4087 list_for_each_entry_rcu(set, &table->sets, list) {
4088 if (set == dump_ctx->set) {
4101 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4102 portid = NETLINK_CB(cb->skb).portid;
4103 seq = cb->nlh->nlmsg_seq;
4105 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4108 goto nla_put_failure;
4110 nfmsg = nlmsg_data(nlh);
4111 nfmsg->nfgen_family = table->family;
4112 nfmsg->version = NFNETLINK_V0;
4113 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4115 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4116 goto nla_put_failure;
4117 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4118 goto nla_put_failure;
4120 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4122 goto nla_put_failure;
4126 args.iter.genmask = nft_genmask_cur(net);
4127 args.iter.skip = cb->args[0];
4128 args.iter.count = 0;
4130 args.iter.fn = nf_tables_dump_setelem;
4131 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4134 nla_nest_end(skb, nest);
4135 nlmsg_end(skb, nlh);
4137 if (args.iter.err && args.iter.err != -EMSGSIZE)
4138 return args.iter.err;
4139 if (args.iter.count == cb->args[0])
4142 cb->args[0] = args.iter.count;
4150 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4152 struct nft_set_dump_ctx *dump_ctx = cb->data;
4154 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4156 return cb->data ? 0 : -ENOMEM;
4159 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4165 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4166 const struct nft_ctx *ctx, u32 seq,
4167 u32 portid, int event, u16 flags,
4168 const struct nft_set *set,
4169 const struct nft_set_elem *elem)
4171 struct nfgenmsg *nfmsg;
4172 struct nlmsghdr *nlh;
4173 struct nlattr *nest;
4176 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4177 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4180 goto nla_put_failure;
4182 nfmsg = nlmsg_data(nlh);
4183 nfmsg->nfgen_family = ctx->family;
4184 nfmsg->version = NFNETLINK_V0;
4185 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4187 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4188 goto nla_put_failure;
4189 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4190 goto nla_put_failure;
4192 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4194 goto nla_put_failure;
4196 err = nf_tables_fill_setelem(skb, set, elem);
4198 goto nla_put_failure;
4200 nla_nest_end(skb, nest);
4202 nlmsg_end(skb, nlh);
4206 nlmsg_trim(skb, nlh);
4210 static int nft_setelem_parse_flags(const struct nft_set *set,
4211 const struct nlattr *attr, u32 *flags)
4216 *flags = ntohl(nla_get_be32(attr));
4217 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4219 if (!(set->flags & NFT_SET_INTERVAL) &&
4220 *flags & NFT_SET_ELEM_INTERVAL_END)
4226 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4227 const struct nlattr *attr)
4229 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4230 struct nft_data_desc desc;
4231 struct nft_set_elem elem;
4232 struct sk_buff *skb;
4237 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4238 nft_set_elem_policy, NULL);
4242 if (!nla[NFTA_SET_ELEM_KEY])
4245 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4249 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4250 nla[NFTA_SET_ELEM_KEY]);
4255 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4258 priv = set->ops->get(ctx->net, set, &elem, flags);
4260 return PTR_ERR(priv);
4265 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4269 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4270 NFT_MSG_NEWSETELEM, 0, set, &elem);
4274 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4275 /* This avoids a loop in nfnetlink. */
4283 /* this avoids a loop in nfnetlink. */
4284 return err == -EAGAIN ? -ENOBUFS : err;
4287 /* called with rcu_read_lock held */
4288 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4289 struct sk_buff *skb, const struct nlmsghdr *nlh,
4290 const struct nlattr * const nla[],
4291 struct netlink_ext_ack *extack)
4293 u8 genmask = nft_genmask_cur(net);
4294 struct nft_set *set;
4295 struct nlattr *attr;
4299 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4304 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4306 return PTR_ERR(set);
4308 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4309 struct netlink_dump_control c = {
4310 .start = nf_tables_dump_set_start,
4311 .dump = nf_tables_dump_set,
4312 .done = nf_tables_dump_set_done,
4313 .module = THIS_MODULE,
4315 struct nft_set_dump_ctx dump_ctx = {
4321 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4324 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4327 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4328 err = nft_get_set_elem(&ctx, set, attr);
4336 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4337 const struct nft_set *set,
4338 const struct nft_set_elem *elem,
4339 int event, u16 flags)
4341 struct net *net = ctx->net;
4342 u32 portid = ctx->portid;
4343 struct sk_buff *skb;
4346 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4349 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4353 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4360 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4364 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4367 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4369 struct nft_set *set)
4371 struct nft_trans *trans;
4373 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4377 nft_trans_elem_set(trans) = set;
4381 void *nft_set_elem_init(const struct nft_set *set,
4382 const struct nft_set_ext_tmpl *tmpl,
4383 const u32 *key, const u32 *data,
4384 u64 timeout, u64 expiration, gfp_t gfp)
4386 struct nft_set_ext *ext;
4389 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4393 ext = nft_set_elem_ext(set, elem);
4394 nft_set_ext_init(ext, tmpl);
4396 memcpy(nft_set_ext_key(ext), key, set->klen);
4397 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4398 memcpy(nft_set_ext_data(ext), data, set->dlen);
4399 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4400 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4401 if (expiration == 0)
4402 *nft_set_ext_expiration(ext) += timeout;
4404 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4405 *nft_set_ext_timeout(ext) = timeout;
4410 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4413 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4414 struct nft_ctx ctx = {
4415 .net = read_pnet(&set->net),
4416 .family = set->table->family,
4419 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4420 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4421 nft_data_release(nft_set_ext_data(ext), set->dtype);
4422 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4423 struct nft_expr *expr = nft_set_ext_expr(ext);
4425 if (expr->ops->destroy_clone) {
4426 expr->ops->destroy_clone(&ctx, expr);
4427 module_put(expr->ops->type->owner);
4429 nf_tables_expr_destroy(&ctx, expr);
4432 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4433 (*nft_set_ext_obj(ext))->use--;
4436 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4438 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4439 * the refcounting from the preparation phase.
4441 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4442 const struct nft_set *set, void *elem)
4444 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4446 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4447 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4451 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4452 const struct nlattr *attr, u32 nlmsg_flags)
4454 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4455 u8 genmask = nft_genmask_next(ctx->net);
4456 struct nft_data_desc d1, d2;
4457 struct nft_set_ext_tmpl tmpl;
4458 struct nft_set_ext *ext, *ext2;
4459 struct nft_set_elem elem;
4460 struct nft_set_binding *binding;
4461 struct nft_object *obj = NULL;
4462 struct nft_userdata *udata;
4463 struct nft_data data;
4464 enum nft_registers dreg;
4465 struct nft_trans *trans;
4472 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4473 nft_set_elem_policy, NULL);
4477 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4480 nft_set_ext_prepare(&tmpl);
4482 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4486 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4488 if (set->flags & NFT_SET_MAP) {
4489 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4490 !(flags & NFT_SET_ELEM_INTERVAL_END))
4492 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4493 flags & NFT_SET_ELEM_INTERVAL_END)
4496 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4501 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4502 if (!(set->flags & NFT_SET_TIMEOUT))
4504 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4508 } else if (set->flags & NFT_SET_TIMEOUT) {
4509 timeout = set->timeout;
4513 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
4514 if (!(set->flags & NFT_SET_TIMEOUT))
4516 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
4522 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4523 nla[NFTA_SET_ELEM_KEY]);
4527 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4530 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4532 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4533 if (timeout != set->timeout)
4534 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4537 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4538 if (!(set->flags & NFT_SET_OBJECT)) {
4542 obj = nft_obj_lookup(ctx->net, ctx->table,
4543 nla[NFTA_SET_ELEM_OBJREF],
4544 set->objtype, genmask);
4549 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4552 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4553 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4554 nla[NFTA_SET_ELEM_DATA]);
4559 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4562 dreg = nft_type_to_reg(set->dtype);
4563 list_for_each_entry(binding, &set->bindings, list) {
4564 struct nft_ctx bind_ctx = {
4566 .family = ctx->family,
4567 .table = ctx->table,
4568 .chain = (struct nft_chain *)binding->chain,
4571 if (!(binding->flags & NFT_SET_MAP))
4574 err = nft_validate_register_store(&bind_ctx, dreg,
4580 if (d2.type == NFT_DATA_VERDICT &&
4581 (data.verdict.code == NFT_GOTO ||
4582 data.verdict.code == NFT_JUMP))
4583 nft_validate_state_update(ctx->net,
4587 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4590 /* The full maximum length of userdata can exceed the maximum
4591 * offset value (U8_MAX) for following extensions, therefor it
4592 * must be the last extension added.
4595 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4596 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4598 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4603 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4604 timeout, expiration, GFP_KERNEL);
4605 if (elem.priv == NULL)
4608 ext = nft_set_elem_ext(set, elem.priv);
4610 *nft_set_ext_flags(ext) = flags;
4612 udata = nft_set_ext_userdata(ext);
4613 udata->len = ulen - 1;
4614 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4617 *nft_set_ext_obj(ext) = obj;
4621 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4625 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4626 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4628 if (err == -EEXIST) {
4629 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4630 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4631 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4632 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4636 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4637 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4638 memcmp(nft_set_ext_data(ext),
4639 nft_set_ext_data(ext2), set->dlen) != 0) ||
4640 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4641 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4642 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4644 else if (!(nlmsg_flags & NLM_F_EXCL))
4651 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4656 nft_trans_elem(trans) = elem;
4657 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4661 set->ops->remove(ctx->net, set, &elem);
4669 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4670 nft_data_release(&data, d2.type);
4672 nft_data_release(&elem.key.val, d1.type);
4677 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4678 struct sk_buff *skb, const struct nlmsghdr *nlh,
4679 const struct nlattr * const nla[],
4680 struct netlink_ext_ack *extack)
4682 u8 genmask = nft_genmask_next(net);
4683 const struct nlattr *attr;
4684 struct nft_set *set;
4688 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4691 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4696 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4697 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4699 return PTR_ERR(set);
4701 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4704 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4705 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4710 if (net->nft.validate_state == NFT_VALIDATE_DO)
4711 return nft_table_validate(net, ctx.table);
4717 * nft_data_hold - hold a nft_data item
4719 * @data: struct nft_data to release
4720 * @type: type of data
4722 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4723 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4724 * NFT_GOTO verdicts. This function must be called on active data objects
4725 * from the second phase of the commit protocol.
4727 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4729 if (type == NFT_DATA_VERDICT) {
4730 switch (data->verdict.code) {
4733 data->verdict.chain->use++;
4739 static void nft_set_elem_activate(const struct net *net,
4740 const struct nft_set *set,
4741 struct nft_set_elem *elem)
4743 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4745 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4746 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4747 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4748 (*nft_set_ext_obj(ext))->use++;
4751 static void nft_set_elem_deactivate(const struct net *net,
4752 const struct nft_set *set,
4753 struct nft_set_elem *elem)
4755 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4757 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4758 nft_data_release(nft_set_ext_data(ext), set->dtype);
4759 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4760 (*nft_set_ext_obj(ext))->use--;
4763 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4764 const struct nlattr *attr)
4766 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4767 struct nft_set_ext_tmpl tmpl;
4768 struct nft_data_desc desc;
4769 struct nft_set_elem elem;
4770 struct nft_set_ext *ext;
4771 struct nft_trans *trans;
4776 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4777 nft_set_elem_policy, NULL);
4782 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4785 nft_set_ext_prepare(&tmpl);
4787 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4791 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4793 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4794 nla[NFTA_SET_ELEM_KEY]);
4799 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4802 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4805 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4807 if (elem.priv == NULL)
4810 ext = nft_set_elem_ext(set, elem.priv);
4812 *nft_set_ext_flags(ext) = flags;
4814 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4815 if (trans == NULL) {
4820 priv = set->ops->deactivate(ctx->net, set, &elem);
4828 nft_set_elem_deactivate(ctx->net, set, &elem);
4830 nft_trans_elem(trans) = elem;
4831 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4839 nft_data_release(&elem.key.val, desc.type);
4844 static int nft_flush_set(const struct nft_ctx *ctx,
4845 struct nft_set *set,
4846 const struct nft_set_iter *iter,
4847 struct nft_set_elem *elem)
4849 struct nft_trans *trans;
4852 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4853 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4857 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4863 nft_set_elem_deactivate(ctx->net, set, elem);
4864 nft_trans_elem_set(trans) = set;
4865 nft_trans_elem(trans) = *elem;
4866 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4874 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4875 struct sk_buff *skb, const struct nlmsghdr *nlh,
4876 const struct nlattr * const nla[],
4877 struct netlink_ext_ack *extack)
4879 u8 genmask = nft_genmask_next(net);
4880 const struct nlattr *attr;
4881 struct nft_set *set;
4885 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4890 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4892 return PTR_ERR(set);
4893 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4896 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4897 struct nft_set_iter iter = {
4899 .fn = nft_flush_set,
4901 set->ops->walk(&ctx, set, &iter);
4906 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4907 err = nft_del_setelem(&ctx, set, attr);
4916 void nft_set_gc_batch_release(struct rcu_head *rcu)
4918 struct nft_set_gc_batch *gcb;
4921 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4922 for (i = 0; i < gcb->head.cnt; i++)
4923 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4926 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4928 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4931 struct nft_set_gc_batch *gcb;
4933 gcb = kzalloc(sizeof(*gcb), gfp);
4936 gcb->head.set = set;
4939 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4946 * nft_register_obj- register nf_tables stateful object type
4949 * Registers the object type for use with nf_tables. Returns zero on
4950 * success or a negative errno code otherwise.
4952 int nft_register_obj(struct nft_object_type *obj_type)
4954 if (obj_type->type == NFT_OBJECT_UNSPEC)
4957 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4958 list_add_rcu(&obj_type->list, &nf_tables_objects);
4959 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4962 EXPORT_SYMBOL_GPL(nft_register_obj);
4965 * nft_unregister_obj - unregister nf_tables object type
4968 * Unregisters the object type for use with nf_tables.
4970 void nft_unregister_obj(struct nft_object_type *obj_type)
4972 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4973 list_del_rcu(&obj_type->list);
4974 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4976 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4978 struct nft_object *nft_obj_lookup(const struct net *net,
4979 const struct nft_table *table,
4980 const struct nlattr *nla, u32 objtype,
4983 struct nft_object_hash_key k = { .table = table };
4984 char search[NFT_OBJ_MAXNAMELEN];
4985 struct rhlist_head *tmp, *list;
4986 struct nft_object *obj;
4988 nla_strlcpy(search, nla, sizeof(search));
4991 WARN_ON_ONCE(!rcu_read_lock_held() &&
4992 !lockdep_commit_lock_is_held(net));
4995 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
4999 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5000 if (objtype == obj->ops->type->type &&
5001 nft_active_genmask(obj, genmask)) {
5008 return ERR_PTR(-ENOENT);
5010 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5012 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5013 const struct nlattr *nla,
5014 u32 objtype, u8 genmask)
5016 struct nft_object *obj;
5018 list_for_each_entry(obj, &table->objects, list) {
5019 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5020 objtype == obj->ops->type->type &&
5021 nft_active_genmask(obj, genmask))
5024 return ERR_PTR(-ENOENT);
5027 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5028 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5029 .len = NFT_TABLE_MAXNAMELEN - 1 },
5030 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5031 .len = NFT_OBJ_MAXNAMELEN - 1 },
5032 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5033 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5034 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5037 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5038 const struct nft_object_type *type,
5039 const struct nlattr *attr)
5042 const struct nft_object_ops *ops;
5043 struct nft_object *obj;
5046 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5051 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5052 type->policy, NULL);
5056 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5059 if (type->select_ops) {
5060 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5070 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5074 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5087 return ERR_PTR(err);
5090 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5091 struct nft_object *obj, bool reset)
5093 struct nlattr *nest;
5095 nest = nla_nest_start_noflag(skb, attr);
5097 goto nla_put_failure;
5098 if (obj->ops->dump(skb, obj, reset) < 0)
5099 goto nla_put_failure;
5100 nla_nest_end(skb, nest);
5107 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5109 const struct nft_object_type *type;
5111 list_for_each_entry(type, &nf_tables_objects, list) {
5112 if (objtype == type->type)
5118 static const struct nft_object_type *
5119 nft_obj_type_get(struct net *net, u32 objtype)
5121 const struct nft_object_type *type;
5123 type = __nft_obj_type_get(objtype);
5124 if (type != NULL && try_module_get(type->owner))
5127 lockdep_nfnl_nft_mutex_not_held();
5128 #ifdef CONFIG_MODULES
5130 nft_request_module(net, "nft-obj-%u", objtype);
5131 if (__nft_obj_type_get(objtype))
5132 return ERR_PTR(-EAGAIN);
5135 return ERR_PTR(-ENOENT);
5138 static int nf_tables_updobj(const struct nft_ctx *ctx,
5139 const struct nft_object_type *type,
5140 const struct nlattr *attr,
5141 struct nft_object *obj)
5143 struct nft_object *newobj;
5144 struct nft_trans *trans;
5147 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5148 sizeof(struct nft_trans_obj));
5152 newobj = nft_obj_init(ctx, type, attr);
5153 if (IS_ERR(newobj)) {
5154 err = PTR_ERR(newobj);
5155 goto err_free_trans;
5158 nft_trans_obj(trans) = obj;
5159 nft_trans_obj_update(trans) = true;
5160 nft_trans_obj_newobj(trans) = newobj;
5161 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5170 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5171 struct sk_buff *skb, const struct nlmsghdr *nlh,
5172 const struct nlattr * const nla[],
5173 struct netlink_ext_ack *extack)
5175 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5176 const struct nft_object_type *type;
5177 u8 genmask = nft_genmask_next(net);
5178 int family = nfmsg->nfgen_family;
5179 struct nft_table *table;
5180 struct nft_object *obj;
5185 if (!nla[NFTA_OBJ_TYPE] ||
5186 !nla[NFTA_OBJ_NAME] ||
5187 !nla[NFTA_OBJ_DATA])
5190 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5191 if (IS_ERR(table)) {
5192 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5193 return PTR_ERR(table);
5196 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5197 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5200 if (err != -ENOENT) {
5201 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5205 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5206 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5209 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5212 type = nft_obj_type_get(net, objtype);
5213 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5215 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5218 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5220 type = nft_obj_type_get(net, objtype);
5222 return PTR_ERR(type);
5224 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5229 obj->key.table = table;
5230 obj->handle = nf_tables_alloc_handle(table);
5232 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5233 if (!obj->key.name) {
5238 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5242 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5243 nft_objname_ht_params);
5247 list_add_tail_rcu(&obj->list, &table->objects);
5251 /* queued in transaction log */
5252 INIT_LIST_HEAD(&obj->list);
5255 kfree(obj->key.name);
5257 if (obj->ops->destroy)
5258 obj->ops->destroy(&ctx, obj);
5261 module_put(type->owner);
5265 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5266 u32 portid, u32 seq, int event, u32 flags,
5267 int family, const struct nft_table *table,
5268 struct nft_object *obj, bool reset)
5270 struct nfgenmsg *nfmsg;
5271 struct nlmsghdr *nlh;
5273 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5274 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5276 goto nla_put_failure;
5278 nfmsg = nlmsg_data(nlh);
5279 nfmsg->nfgen_family = family;
5280 nfmsg->version = NFNETLINK_V0;
5281 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5283 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5284 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5285 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5286 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5287 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5288 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5290 goto nla_put_failure;
5292 nlmsg_end(skb, nlh);
5296 nlmsg_trim(skb, nlh);
5300 struct nft_obj_filter {
5305 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5307 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5308 const struct nft_table *table;
5309 unsigned int idx = 0, s_idx = cb->args[0];
5310 struct nft_obj_filter *filter = cb->data;
5311 struct net *net = sock_net(skb->sk);
5312 int family = nfmsg->nfgen_family;
5313 struct nft_object *obj;
5316 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5320 cb->seq = net->nft.base_seq;
5322 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5323 if (family != NFPROTO_UNSPEC && family != table->family)
5326 list_for_each_entry_rcu(obj, &table->objects, list) {
5327 if (!nft_is_active(net, obj))
5332 memset(&cb->args[1], 0,
5333 sizeof(cb->args) - sizeof(cb->args[0]));
5334 if (filter && filter->table &&
5335 strcmp(filter->table, table->name))
5338 filter->type != NFT_OBJECT_UNSPEC &&
5339 obj->ops->type->type != filter->type)
5342 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5345 NLM_F_MULTI | NLM_F_APPEND,
5346 table->family, table,
5350 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5362 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5364 const struct nlattr * const *nla = cb->data;
5365 struct nft_obj_filter *filter = NULL;
5367 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5368 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5372 if (nla[NFTA_OBJ_TABLE]) {
5373 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5374 if (!filter->table) {
5380 if (nla[NFTA_OBJ_TYPE])
5381 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5388 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5390 struct nft_obj_filter *filter = cb->data;
5393 kfree(filter->table);
5400 /* called with rcu_read_lock held */
5401 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5402 struct sk_buff *skb, const struct nlmsghdr *nlh,
5403 const struct nlattr * const nla[],
5404 struct netlink_ext_ack *extack)
5406 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5407 u8 genmask = nft_genmask_cur(net);
5408 int family = nfmsg->nfgen_family;
5409 const struct nft_table *table;
5410 struct nft_object *obj;
5411 struct sk_buff *skb2;
5416 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5417 struct netlink_dump_control c = {
5418 .start = nf_tables_dump_obj_start,
5419 .dump = nf_tables_dump_obj,
5420 .done = nf_tables_dump_obj_done,
5421 .module = THIS_MODULE,
5422 .data = (void *)nla,
5425 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5428 if (!nla[NFTA_OBJ_NAME] ||
5429 !nla[NFTA_OBJ_TYPE])
5432 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5433 if (IS_ERR(table)) {
5434 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5435 return PTR_ERR(table);
5438 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5439 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5441 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5442 return PTR_ERR(obj);
5445 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5449 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5452 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5453 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5454 family, table, obj, reset);
5458 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5464 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5466 if (obj->ops->destroy)
5467 obj->ops->destroy(ctx, obj);
5469 module_put(obj->ops->type->owner);
5470 kfree(obj->key.name);
5474 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5475 struct sk_buff *skb, const struct nlmsghdr *nlh,
5476 const struct nlattr * const nla[],
5477 struct netlink_ext_ack *extack)
5479 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5480 u8 genmask = nft_genmask_next(net);
5481 int family = nfmsg->nfgen_family;
5482 const struct nlattr *attr;
5483 struct nft_table *table;
5484 struct nft_object *obj;
5488 if (!nla[NFTA_OBJ_TYPE] ||
5489 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5492 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5493 if (IS_ERR(table)) {
5494 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5495 return PTR_ERR(table);
5498 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5499 if (nla[NFTA_OBJ_HANDLE]) {
5500 attr = nla[NFTA_OBJ_HANDLE];
5501 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5503 attr = nla[NFTA_OBJ_NAME];
5504 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5508 NL_SET_BAD_ATTR(extack, attr);
5509 return PTR_ERR(obj);
5512 NL_SET_BAD_ATTR(extack, attr);
5516 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5518 return nft_delobj(&ctx, obj);
5521 void nft_obj_notify(struct net *net, const struct nft_table *table,
5522 struct nft_object *obj, u32 portid, u32 seq, int event,
5523 int family, int report, gfp_t gfp)
5525 struct sk_buff *skb;
5529 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5532 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5536 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5543 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5546 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5548 EXPORT_SYMBOL_GPL(nft_obj_notify);
5550 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5551 struct nft_object *obj, int event)
5553 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5554 ctx->family, ctx->report, GFP_KERNEL);
5560 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5562 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5563 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5564 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5566 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5568 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5570 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5571 list_del_rcu(&type->list);
5572 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5574 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5576 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5577 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5578 .len = NFT_NAME_MAXLEN - 1 },
5579 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5580 .len = NFT_NAME_MAXLEN - 1 },
5581 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5582 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5585 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5586 const struct nlattr *nla, u8 genmask)
5588 struct nft_flowtable *flowtable;
5590 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5591 if (!nla_strcmp(nla, flowtable->name) &&
5592 nft_active_genmask(flowtable, genmask))
5595 return ERR_PTR(-ENOENT);
5597 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5599 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
5600 struct nft_flowtable *flowtable,
5601 enum nft_trans_phase phase)
5604 case NFT_TRANS_PREPARE:
5605 case NFT_TRANS_ABORT:
5606 case NFT_TRANS_RELEASE:
5613 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
5615 static struct nft_flowtable *
5616 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5617 const struct nlattr *nla, u8 genmask)
5619 struct nft_flowtable *flowtable;
5621 list_for_each_entry(flowtable, &table->flowtables, list) {
5622 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5623 nft_active_genmask(flowtable, genmask))
5626 return ERR_PTR(-ENOENT);
5629 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5630 const struct nlattr *attr,
5631 struct net_device *dev_array[], int *len)
5633 const struct nlattr *tmp;
5634 struct net_device *dev;
5635 char ifname[IFNAMSIZ];
5636 int rem, n = 0, err;
5638 nla_for_each_nested(tmp, attr, rem) {
5639 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5644 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5645 dev = __dev_get_by_name(ctx->net, ifname);
5651 dev_array[n++] = dev;
5652 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5666 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5667 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5668 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5669 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5672 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5673 const struct nlattr *attr,
5674 struct nft_flowtable *flowtable)
5676 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5677 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5678 struct nf_hook_ops *ops;
5679 int hooknum, priority;
5682 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5683 nft_flowtable_hook_policy, NULL);
5687 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5688 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5689 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5692 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5693 if (hooknum != NF_NETDEV_INGRESS)
5696 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5698 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5703 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5707 flowtable->hooknum = hooknum;
5708 flowtable->priority = priority;
5709 flowtable->ops = ops;
5710 flowtable->ops_len = n;
5712 for (i = 0; i < n; i++) {
5713 flowtable->ops[i].pf = NFPROTO_NETDEV;
5714 flowtable->ops[i].hooknum = hooknum;
5715 flowtable->ops[i].priority = priority;
5716 flowtable->ops[i].priv = &flowtable->data;
5717 flowtable->ops[i].hook = flowtable->data.type->hook;
5718 flowtable->ops[i].dev = dev_array[i];
5724 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5726 const struct nf_flowtable_type *type;
5728 list_for_each_entry(type, &nf_tables_flowtables, list) {
5729 if (family == type->family)
5735 static const struct nf_flowtable_type *
5736 nft_flowtable_type_get(struct net *net, u8 family)
5738 const struct nf_flowtable_type *type;
5740 type = __nft_flowtable_type_get(family);
5741 if (type != NULL && try_module_get(type->owner))
5744 lockdep_nfnl_nft_mutex_not_held();
5745 #ifdef CONFIG_MODULES
5747 nft_request_module(net, "nf-flowtable-%u", family);
5748 if (__nft_flowtable_type_get(family))
5749 return ERR_PTR(-EAGAIN);
5752 return ERR_PTR(-ENOENT);
5755 static void nft_unregister_flowtable_net_hooks(struct net *net,
5756 struct nft_flowtable *flowtable)
5760 for (i = 0; i < flowtable->ops_len; i++) {
5761 if (!flowtable->ops[i].dev)
5764 nf_unregister_net_hook(net, &flowtable->ops[i]);
5768 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5769 struct sk_buff *skb,
5770 const struct nlmsghdr *nlh,
5771 const struct nlattr * const nla[],
5772 struct netlink_ext_ack *extack)
5774 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5775 const struct nf_flowtable_type *type;
5776 struct nft_flowtable *flowtable, *ft;
5777 u8 genmask = nft_genmask_next(net);
5778 int family = nfmsg->nfgen_family;
5779 struct nft_table *table;
5783 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5784 !nla[NFTA_FLOWTABLE_NAME] ||
5785 !nla[NFTA_FLOWTABLE_HOOK])
5788 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5790 if (IS_ERR(table)) {
5791 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5792 return PTR_ERR(table);
5795 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5797 if (IS_ERR(flowtable)) {
5798 err = PTR_ERR(flowtable);
5799 if (err != -ENOENT) {
5800 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5804 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5805 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5812 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5814 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5818 flowtable->table = table;
5819 flowtable->handle = nf_tables_alloc_handle(table);
5821 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5822 if (!flowtable->name) {
5827 type = nft_flowtable_type_get(net, family);
5829 err = PTR_ERR(type);
5833 flowtable->data.type = type;
5834 err = type->init(&flowtable->data);
5838 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5843 for (i = 0; i < flowtable->ops_len; i++) {
5844 if (!flowtable->ops[i].dev)
5847 list_for_each_entry(ft, &table->flowtables, list) {
5848 for (k = 0; k < ft->ops_len; k++) {
5849 if (!ft->ops[k].dev)
5852 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5853 flowtable->ops[i].pf == ft->ops[k].pf) {
5860 err = nf_register_net_hook(net, &flowtable->ops[i]);
5865 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5869 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5874 i = flowtable->ops_len;
5876 for (k = i - 1; k >= 0; k--)
5877 nf_unregister_net_hook(net, &flowtable->ops[k]);
5879 kfree(flowtable->ops);
5881 flowtable->data.type->free(&flowtable->data);
5883 module_put(type->owner);
5885 kfree(flowtable->name);
5891 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5892 struct sk_buff *skb,
5893 const struct nlmsghdr *nlh,
5894 const struct nlattr * const nla[],
5895 struct netlink_ext_ack *extack)
5897 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5898 u8 genmask = nft_genmask_next(net);
5899 int family = nfmsg->nfgen_family;
5900 struct nft_flowtable *flowtable;
5901 const struct nlattr *attr;
5902 struct nft_table *table;
5905 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5906 (!nla[NFTA_FLOWTABLE_NAME] &&
5907 !nla[NFTA_FLOWTABLE_HANDLE]))
5910 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5912 if (IS_ERR(table)) {
5913 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5914 return PTR_ERR(table);
5917 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5918 attr = nla[NFTA_FLOWTABLE_HANDLE];
5919 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5921 attr = nla[NFTA_FLOWTABLE_NAME];
5922 flowtable = nft_flowtable_lookup(table, attr, genmask);
5925 if (IS_ERR(flowtable)) {
5926 NL_SET_BAD_ATTR(extack, attr);
5927 return PTR_ERR(flowtable);
5929 if (flowtable->use > 0) {
5930 NL_SET_BAD_ATTR(extack, attr);
5934 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5936 return nft_delflowtable(&ctx, flowtable);
5939 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5940 u32 portid, u32 seq, int event,
5941 u32 flags, int family,
5942 struct nft_flowtable *flowtable)
5944 struct nlattr *nest, *nest_devs;
5945 struct nfgenmsg *nfmsg;
5946 struct nlmsghdr *nlh;
5949 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5950 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5952 goto nla_put_failure;
5954 nfmsg = nlmsg_data(nlh);
5955 nfmsg->nfgen_family = family;
5956 nfmsg->version = NFNETLINK_V0;
5957 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5959 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5960 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5961 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5962 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5963 NFTA_FLOWTABLE_PAD))
5964 goto nla_put_failure;
5966 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
5968 goto nla_put_failure;
5969 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5970 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5971 goto nla_put_failure;
5973 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5975 goto nla_put_failure;
5977 for (i = 0; i < flowtable->ops_len; i++) {
5978 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5981 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5982 goto nla_put_failure;
5984 nla_nest_end(skb, nest_devs);
5985 nla_nest_end(skb, nest);
5987 nlmsg_end(skb, nlh);
5991 nlmsg_trim(skb, nlh);
5995 struct nft_flowtable_filter {
5999 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6000 struct netlink_callback *cb)
6002 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6003 struct nft_flowtable_filter *filter = cb->data;
6004 unsigned int idx = 0, s_idx = cb->args[0];
6005 struct net *net = sock_net(skb->sk);
6006 int family = nfmsg->nfgen_family;
6007 struct nft_flowtable *flowtable;
6008 const struct nft_table *table;
6011 cb->seq = net->nft.base_seq;
6013 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6014 if (family != NFPROTO_UNSPEC && family != table->family)
6017 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6018 if (!nft_is_active(net, flowtable))
6023 memset(&cb->args[1], 0,
6024 sizeof(cb->args) - sizeof(cb->args[0]));
6025 if (filter && filter->table &&
6026 strcmp(filter->table, table->name))
6029 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6031 NFT_MSG_NEWFLOWTABLE,
6032 NLM_F_MULTI | NLM_F_APPEND,
6033 table->family, flowtable) < 0)
6036 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6048 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6050 const struct nlattr * const *nla = cb->data;
6051 struct nft_flowtable_filter *filter = NULL;
6053 if (nla[NFTA_FLOWTABLE_TABLE]) {
6054 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6058 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6060 if (!filter->table) {
6070 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6072 struct nft_flowtable_filter *filter = cb->data;
6077 kfree(filter->table);
6083 /* called with rcu_read_lock held */
6084 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6085 struct sk_buff *skb,
6086 const struct nlmsghdr *nlh,
6087 const struct nlattr * const nla[],
6088 struct netlink_ext_ack *extack)
6090 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6091 u8 genmask = nft_genmask_cur(net);
6092 int family = nfmsg->nfgen_family;
6093 struct nft_flowtable *flowtable;
6094 const struct nft_table *table;
6095 struct sk_buff *skb2;
6098 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6099 struct netlink_dump_control c = {
6100 .start = nf_tables_dump_flowtable_start,
6101 .dump = nf_tables_dump_flowtable,
6102 .done = nf_tables_dump_flowtable_done,
6103 .module = THIS_MODULE,
6104 .data = (void *)nla,
6107 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6110 if (!nla[NFTA_FLOWTABLE_NAME])
6113 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6116 return PTR_ERR(table);
6118 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6120 if (IS_ERR(flowtable))
6121 return PTR_ERR(flowtable);
6123 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6127 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6129 NFT_MSG_NEWFLOWTABLE, 0, family,
6134 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6140 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6141 struct nft_flowtable *flowtable,
6144 struct sk_buff *skb;
6148 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6151 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6155 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6157 ctx->family, flowtable);
6163 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6164 ctx->report, GFP_KERNEL);
6167 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6170 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6172 kfree(flowtable->ops);
6173 kfree(flowtable->name);
6174 flowtable->data.type->free(&flowtable->data);
6175 module_put(flowtable->data.type->owner);
6179 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6180 u32 portid, u32 seq)
6182 struct nlmsghdr *nlh;
6183 struct nfgenmsg *nfmsg;
6184 char buf[TASK_COMM_LEN];
6185 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6187 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6189 goto nla_put_failure;
6191 nfmsg = nlmsg_data(nlh);
6192 nfmsg->nfgen_family = AF_UNSPEC;
6193 nfmsg->version = NFNETLINK_V0;
6194 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6196 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6197 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6198 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6199 goto nla_put_failure;
6201 nlmsg_end(skb, nlh);
6205 nlmsg_trim(skb, nlh);
6209 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6210 struct nft_flowtable *flowtable)
6214 for (i = 0; i < flowtable->ops_len; i++) {
6215 if (flowtable->ops[i].dev != dev)
6218 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6219 flowtable->ops[i].dev = NULL;
6224 static int nf_tables_flowtable_event(struct notifier_block *this,
6225 unsigned long event, void *ptr)
6227 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6228 struct nft_flowtable *flowtable;
6229 struct nft_table *table;
6232 if (event != NETDEV_UNREGISTER)
6236 mutex_lock(&net->nft.commit_mutex);
6237 list_for_each_entry(table, &net->nft.tables, list) {
6238 list_for_each_entry(flowtable, &table->flowtables, list) {
6239 nft_flowtable_event(event, dev, flowtable);
6242 mutex_unlock(&net->nft.commit_mutex);
6247 static struct notifier_block nf_tables_flowtable_notifier = {
6248 .notifier_call = nf_tables_flowtable_event,
6251 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6254 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6255 struct sk_buff *skb2;
6258 if (nlmsg_report(nlh) &&
6259 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6262 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6266 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6273 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6274 nlmsg_report(nlh), GFP_KERNEL);
6277 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6281 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6282 struct sk_buff *skb, const struct nlmsghdr *nlh,
6283 const struct nlattr * const nla[],
6284 struct netlink_ext_ack *extack)
6286 struct sk_buff *skb2;
6289 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6293 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6298 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6304 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6305 [NFT_MSG_NEWTABLE] = {
6306 .call_batch = nf_tables_newtable,
6307 .attr_count = NFTA_TABLE_MAX,
6308 .policy = nft_table_policy,
6310 [NFT_MSG_GETTABLE] = {
6311 .call_rcu = nf_tables_gettable,
6312 .attr_count = NFTA_TABLE_MAX,
6313 .policy = nft_table_policy,
6315 [NFT_MSG_DELTABLE] = {
6316 .call_batch = nf_tables_deltable,
6317 .attr_count = NFTA_TABLE_MAX,
6318 .policy = nft_table_policy,
6320 [NFT_MSG_NEWCHAIN] = {
6321 .call_batch = nf_tables_newchain,
6322 .attr_count = NFTA_CHAIN_MAX,
6323 .policy = nft_chain_policy,
6325 [NFT_MSG_GETCHAIN] = {
6326 .call_rcu = nf_tables_getchain,
6327 .attr_count = NFTA_CHAIN_MAX,
6328 .policy = nft_chain_policy,
6330 [NFT_MSG_DELCHAIN] = {
6331 .call_batch = nf_tables_delchain,
6332 .attr_count = NFTA_CHAIN_MAX,
6333 .policy = nft_chain_policy,
6335 [NFT_MSG_NEWRULE] = {
6336 .call_batch = nf_tables_newrule,
6337 .attr_count = NFTA_RULE_MAX,
6338 .policy = nft_rule_policy,
6340 [NFT_MSG_GETRULE] = {
6341 .call_rcu = nf_tables_getrule,
6342 .attr_count = NFTA_RULE_MAX,
6343 .policy = nft_rule_policy,
6345 [NFT_MSG_DELRULE] = {
6346 .call_batch = nf_tables_delrule,
6347 .attr_count = NFTA_RULE_MAX,
6348 .policy = nft_rule_policy,
6350 [NFT_MSG_NEWSET] = {
6351 .call_batch = nf_tables_newset,
6352 .attr_count = NFTA_SET_MAX,
6353 .policy = nft_set_policy,
6355 [NFT_MSG_GETSET] = {
6356 .call_rcu = nf_tables_getset,
6357 .attr_count = NFTA_SET_MAX,
6358 .policy = nft_set_policy,
6360 [NFT_MSG_DELSET] = {
6361 .call_batch = nf_tables_delset,
6362 .attr_count = NFTA_SET_MAX,
6363 .policy = nft_set_policy,
6365 [NFT_MSG_NEWSETELEM] = {
6366 .call_batch = nf_tables_newsetelem,
6367 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6368 .policy = nft_set_elem_list_policy,
6370 [NFT_MSG_GETSETELEM] = {
6371 .call_rcu = nf_tables_getsetelem,
6372 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6373 .policy = nft_set_elem_list_policy,
6375 [NFT_MSG_DELSETELEM] = {
6376 .call_batch = nf_tables_delsetelem,
6377 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6378 .policy = nft_set_elem_list_policy,
6380 [NFT_MSG_GETGEN] = {
6381 .call_rcu = nf_tables_getgen,
6383 [NFT_MSG_NEWOBJ] = {
6384 .call_batch = nf_tables_newobj,
6385 .attr_count = NFTA_OBJ_MAX,
6386 .policy = nft_obj_policy,
6388 [NFT_MSG_GETOBJ] = {
6389 .call_rcu = nf_tables_getobj,
6390 .attr_count = NFTA_OBJ_MAX,
6391 .policy = nft_obj_policy,
6393 [NFT_MSG_DELOBJ] = {
6394 .call_batch = nf_tables_delobj,
6395 .attr_count = NFTA_OBJ_MAX,
6396 .policy = nft_obj_policy,
6398 [NFT_MSG_GETOBJ_RESET] = {
6399 .call_rcu = nf_tables_getobj,
6400 .attr_count = NFTA_OBJ_MAX,
6401 .policy = nft_obj_policy,
6403 [NFT_MSG_NEWFLOWTABLE] = {
6404 .call_batch = nf_tables_newflowtable,
6405 .attr_count = NFTA_FLOWTABLE_MAX,
6406 .policy = nft_flowtable_policy,
6408 [NFT_MSG_GETFLOWTABLE] = {
6409 .call_rcu = nf_tables_getflowtable,
6410 .attr_count = NFTA_FLOWTABLE_MAX,
6411 .policy = nft_flowtable_policy,
6413 [NFT_MSG_DELFLOWTABLE] = {
6414 .call_batch = nf_tables_delflowtable,
6415 .attr_count = NFTA_FLOWTABLE_MAX,
6416 .policy = nft_flowtable_policy,
6420 static int nf_tables_validate(struct net *net)
6422 struct nft_table *table;
6424 switch (net->nft.validate_state) {
6425 case NFT_VALIDATE_SKIP:
6427 case NFT_VALIDATE_NEED:
6428 nft_validate_state_update(net, NFT_VALIDATE_DO);
6430 case NFT_VALIDATE_DO:
6431 list_for_each_entry(table, &net->nft.tables, list) {
6432 if (nft_table_validate(net, table) < 0)
6441 /* a drop policy has to be deferred until all rules have been activated,
6442 * otherwise a large ruleset that contains a drop-policy base chain will
6443 * cause all packets to get dropped until the full transaction has been
6446 * We defer the drop policy until the transaction has been finalized.
6448 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6450 struct nft_base_chain *basechain;
6452 if (nft_trans_chain_policy(trans) != NF_DROP)
6455 if (!nft_is_base_chain(trans->ctx.chain))
6458 basechain = nft_base_chain(trans->ctx.chain);
6459 basechain->policy = NF_DROP;
6462 static void nft_chain_commit_update(struct nft_trans *trans)
6464 struct nft_base_chain *basechain;
6466 if (nft_trans_chain_name(trans)) {
6467 rhltable_remove(&trans->ctx.table->chains_ht,
6468 &trans->ctx.chain->rhlhead,
6469 nft_chain_ht_params);
6470 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6471 rhltable_insert_key(&trans->ctx.table->chains_ht,
6472 trans->ctx.chain->name,
6473 &trans->ctx.chain->rhlhead,
6474 nft_chain_ht_params);
6477 if (!nft_is_base_chain(trans->ctx.chain))
6480 nft_chain_stats_replace(trans);
6482 basechain = nft_base_chain(trans->ctx.chain);
6484 switch (nft_trans_chain_policy(trans)) {
6487 basechain->policy = nft_trans_chain_policy(trans);
6492 static void nft_obj_commit_update(struct nft_trans *trans)
6494 struct nft_object *newobj;
6495 struct nft_object *obj;
6497 obj = nft_trans_obj(trans);
6498 newobj = nft_trans_obj_newobj(trans);
6500 if (obj->ops->update)
6501 obj->ops->update(obj, newobj);
6506 static void nft_commit_release(struct nft_trans *trans)
6508 switch (trans->msg_type) {
6509 case NFT_MSG_DELTABLE:
6510 nf_tables_table_destroy(&trans->ctx);
6512 case NFT_MSG_NEWCHAIN:
6513 free_percpu(nft_trans_chain_stats(trans));
6514 kfree(nft_trans_chain_name(trans));
6516 case NFT_MSG_DELCHAIN:
6517 nf_tables_chain_destroy(&trans->ctx);
6519 case NFT_MSG_DELRULE:
6520 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6522 case NFT_MSG_DELSET:
6523 nft_set_destroy(nft_trans_set(trans));
6525 case NFT_MSG_DELSETELEM:
6526 nf_tables_set_elem_destroy(&trans->ctx,
6527 nft_trans_elem_set(trans),
6528 nft_trans_elem(trans).priv);
6530 case NFT_MSG_DELOBJ:
6531 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6533 case NFT_MSG_DELFLOWTABLE:
6534 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6539 put_net(trans->ctx.net);
6544 static void nf_tables_trans_destroy_work(struct work_struct *w)
6546 struct nft_trans *trans, *next;
6549 spin_lock(&nf_tables_destroy_list_lock);
6550 list_splice_init(&nf_tables_destroy_list, &head);
6551 spin_unlock(&nf_tables_destroy_list_lock);
6553 if (list_empty(&head))
6558 list_for_each_entry_safe(trans, next, &head, list) {
6559 list_del(&trans->list);
6560 nft_commit_release(trans);
6564 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6566 struct nft_rule *rule;
6567 unsigned int alloc = 0;
6570 /* already handled or inactive chain? */
6571 if (chain->rules_next || !nft_is_active_next(net, chain))
6574 rule = list_entry(&chain->rules, struct nft_rule, list);
6577 list_for_each_entry_continue(rule, &chain->rules, list) {
6578 if (nft_is_active_next(net, rule))
6582 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6583 if (!chain->rules_next)
6586 list_for_each_entry_continue(rule, &chain->rules, list) {
6587 if (nft_is_active_next(net, rule))
6588 chain->rules_next[i++] = rule;
6591 chain->rules_next[i] = NULL;
6595 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6597 struct nft_trans *trans, *next;
6599 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6600 struct nft_chain *chain = trans->ctx.chain;
6602 if (trans->msg_type == NFT_MSG_NEWRULE ||
6603 trans->msg_type == NFT_MSG_DELRULE) {
6604 kvfree(chain->rules_next);
6605 chain->rules_next = NULL;
6610 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6612 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6617 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6619 struct nft_rule **r = rules;
6620 struct nft_rules_old *old;
6625 r++; /* rcu_head is after end marker */
6629 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6632 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6634 struct nft_rule **g0, **g1;
6637 next_genbit = nft_gencursor_next(net);
6639 g0 = rcu_dereference_protected(chain->rules_gen_0,
6640 lockdep_commit_lock_is_held(net));
6641 g1 = rcu_dereference_protected(chain->rules_gen_1,
6642 lockdep_commit_lock_is_held(net));
6644 /* No changes to this chain? */
6645 if (chain->rules_next == NULL) {
6646 /* chain had no change in last or next generation */
6650 * chain had no change in this generation; make sure next
6651 * one uses same rules as current generation.
6654 rcu_assign_pointer(chain->rules_gen_1, g0);
6655 nf_tables_commit_chain_free_rules_old(g1);
6657 rcu_assign_pointer(chain->rules_gen_0, g1);
6658 nf_tables_commit_chain_free_rules_old(g0);
6665 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6667 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6669 chain->rules_next = NULL;
6675 nf_tables_commit_chain_free_rules_old(g1);
6677 nf_tables_commit_chain_free_rules_old(g0);
6680 static void nft_obj_del(struct nft_object *obj)
6682 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6683 list_del_rcu(&obj->list);
6686 static void nft_chain_del(struct nft_chain *chain)
6688 struct nft_table *table = chain->table;
6690 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6691 nft_chain_ht_params));
6692 list_del_rcu(&chain->list);
6695 static void nf_tables_commit_release(struct net *net)
6697 struct nft_trans *trans;
6699 /* all side effects have to be made visible.
6700 * For example, if a chain named 'foo' has been deleted, a
6701 * new transaction must not find it anymore.
6703 * Memory reclaim happens asynchronously from work queue
6704 * to prevent expensive synchronize_rcu() in commit phase.
6706 if (list_empty(&net->nft.commit_list)) {
6707 mutex_unlock(&net->nft.commit_mutex);
6711 trans = list_last_entry(&net->nft.commit_list,
6712 struct nft_trans, list);
6713 get_net(trans->ctx.net);
6714 WARN_ON_ONCE(trans->put_net);
6716 trans->put_net = true;
6717 spin_lock(&nf_tables_destroy_list_lock);
6718 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6719 spin_unlock(&nf_tables_destroy_list_lock);
6721 mutex_unlock(&net->nft.commit_mutex);
6723 schedule_work(&trans_destroy_work);
6726 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6728 struct nft_trans *trans, *next;
6729 struct nft_trans_elem *te;
6730 struct nft_chain *chain;
6731 struct nft_table *table;
6734 if (list_empty(&net->nft.commit_list)) {
6735 mutex_unlock(&net->nft.commit_mutex);
6739 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6740 if (nf_tables_validate(net) < 0)
6743 err = nft_flow_rule_offload_commit(net);
6747 /* 1. Allocate space for next generation rules_gen_X[] */
6748 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6751 if (trans->msg_type == NFT_MSG_NEWRULE ||
6752 trans->msg_type == NFT_MSG_DELRULE) {
6753 chain = trans->ctx.chain;
6755 ret = nf_tables_commit_chain_prepare(net, chain);
6757 nf_tables_commit_chain_prepare_cancel(net);
6763 /* step 2. Make rules_gen_X visible to packet path */
6764 list_for_each_entry(table, &net->nft.tables, list) {
6765 list_for_each_entry(chain, &table->chains, list)
6766 nf_tables_commit_chain(net, chain);
6770 * Bump generation counter, invalidate any dump in progress.
6771 * Cannot fail after this point.
6773 while (++net->nft.base_seq == 0);
6775 /* step 3. Start new generation, rules_gen_X now in use. */
6776 net->nft.gencursor = nft_gencursor_next(net);
6778 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6779 switch (trans->msg_type) {
6780 case NFT_MSG_NEWTABLE:
6781 if (nft_trans_table_update(trans)) {
6782 if (!nft_trans_table_enable(trans)) {
6783 nf_tables_table_disable(net,
6785 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6788 nft_clear(net, trans->ctx.table);
6790 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6791 nft_trans_destroy(trans);
6793 case NFT_MSG_DELTABLE:
6794 list_del_rcu(&trans->ctx.table->list);
6795 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6797 case NFT_MSG_NEWCHAIN:
6798 if (nft_trans_chain_update(trans)) {
6799 nft_chain_commit_update(trans);
6800 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6801 /* trans destroyed after rcu grace period */
6803 nft_chain_commit_drop_policy(trans);
6804 nft_clear(net, trans->ctx.chain);
6805 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6806 nft_trans_destroy(trans);
6809 case NFT_MSG_DELCHAIN:
6810 nft_chain_del(trans->ctx.chain);
6811 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6812 nf_tables_unregister_hook(trans->ctx.net,
6816 case NFT_MSG_NEWRULE:
6817 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6818 nf_tables_rule_notify(&trans->ctx,
6819 nft_trans_rule(trans),
6821 nft_trans_destroy(trans);
6823 case NFT_MSG_DELRULE:
6824 list_del_rcu(&nft_trans_rule(trans)->list);
6825 nf_tables_rule_notify(&trans->ctx,
6826 nft_trans_rule(trans),
6828 nft_rule_expr_deactivate(&trans->ctx,
6829 nft_trans_rule(trans),
6832 case NFT_MSG_NEWSET:
6833 nft_clear(net, nft_trans_set(trans));
6834 /* This avoids hitting -EBUSY when deleting the table
6835 * from the transaction.
6837 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6838 !list_empty(&nft_trans_set(trans)->bindings))
6839 trans->ctx.table->use--;
6841 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6842 NFT_MSG_NEWSET, GFP_KERNEL);
6843 nft_trans_destroy(trans);
6845 case NFT_MSG_DELSET:
6846 list_del_rcu(&nft_trans_set(trans)->list);
6847 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6848 NFT_MSG_DELSET, GFP_KERNEL);
6850 case NFT_MSG_NEWSETELEM:
6851 te = (struct nft_trans_elem *)trans->data;
6853 te->set->ops->activate(net, te->set, &te->elem);
6854 nf_tables_setelem_notify(&trans->ctx, te->set,
6856 NFT_MSG_NEWSETELEM, 0);
6857 nft_trans_destroy(trans);
6859 case NFT_MSG_DELSETELEM:
6860 te = (struct nft_trans_elem *)trans->data;
6862 nf_tables_setelem_notify(&trans->ctx, te->set,
6864 NFT_MSG_DELSETELEM, 0);
6865 te->set->ops->remove(net, te->set, &te->elem);
6866 atomic_dec(&te->set->nelems);
6869 case NFT_MSG_NEWOBJ:
6870 if (nft_trans_obj_update(trans)) {
6871 nft_obj_commit_update(trans);
6872 nf_tables_obj_notify(&trans->ctx,
6873 nft_trans_obj(trans),
6876 nft_clear(net, nft_trans_obj(trans));
6877 nf_tables_obj_notify(&trans->ctx,
6878 nft_trans_obj(trans),
6880 nft_trans_destroy(trans);
6883 case NFT_MSG_DELOBJ:
6884 nft_obj_del(nft_trans_obj(trans));
6885 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6888 case NFT_MSG_NEWFLOWTABLE:
6889 nft_clear(net, nft_trans_flowtable(trans));
6890 nf_tables_flowtable_notify(&trans->ctx,
6891 nft_trans_flowtable(trans),
6892 NFT_MSG_NEWFLOWTABLE);
6893 nft_trans_destroy(trans);
6895 case NFT_MSG_DELFLOWTABLE:
6896 list_del_rcu(&nft_trans_flowtable(trans)->list);
6897 nf_tables_flowtable_notify(&trans->ctx,
6898 nft_trans_flowtable(trans),
6899 NFT_MSG_DELFLOWTABLE);
6900 nft_unregister_flowtable_net_hooks(net,
6901 nft_trans_flowtable(trans));
6906 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6907 nf_tables_commit_release(net);
6912 static void nf_tables_abort_release(struct nft_trans *trans)
6914 switch (trans->msg_type) {
6915 case NFT_MSG_NEWTABLE:
6916 nf_tables_table_destroy(&trans->ctx);
6918 case NFT_MSG_NEWCHAIN:
6919 nf_tables_chain_destroy(&trans->ctx);
6921 case NFT_MSG_NEWRULE:
6922 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6924 case NFT_MSG_NEWSET:
6925 nft_set_destroy(nft_trans_set(trans));
6927 case NFT_MSG_NEWSETELEM:
6928 nft_set_elem_destroy(nft_trans_elem_set(trans),
6929 nft_trans_elem(trans).priv, true);
6931 case NFT_MSG_NEWOBJ:
6932 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6934 case NFT_MSG_NEWFLOWTABLE:
6935 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6941 static int __nf_tables_abort(struct net *net)
6943 struct nft_trans *trans, *next;
6944 struct nft_trans_elem *te;
6946 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6948 switch (trans->msg_type) {
6949 case NFT_MSG_NEWTABLE:
6950 if (nft_trans_table_update(trans)) {
6951 if (nft_trans_table_enable(trans)) {
6952 nf_tables_table_disable(net,
6954 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6956 nft_trans_destroy(trans);
6958 list_del_rcu(&trans->ctx.table->list);
6961 case NFT_MSG_DELTABLE:
6962 nft_clear(trans->ctx.net, trans->ctx.table);
6963 nft_trans_destroy(trans);
6965 case NFT_MSG_NEWCHAIN:
6966 if (nft_trans_chain_update(trans)) {
6967 free_percpu(nft_trans_chain_stats(trans));
6968 kfree(nft_trans_chain_name(trans));
6969 nft_trans_destroy(trans);
6971 trans->ctx.table->use--;
6972 nft_chain_del(trans->ctx.chain);
6973 nf_tables_unregister_hook(trans->ctx.net,
6978 case NFT_MSG_DELCHAIN:
6979 trans->ctx.table->use++;
6980 nft_clear(trans->ctx.net, trans->ctx.chain);
6981 nft_trans_destroy(trans);
6983 case NFT_MSG_NEWRULE:
6984 trans->ctx.chain->use--;
6985 list_del_rcu(&nft_trans_rule(trans)->list);
6986 nft_rule_expr_deactivate(&trans->ctx,
6987 nft_trans_rule(trans),
6990 case NFT_MSG_DELRULE:
6991 trans->ctx.chain->use++;
6992 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6993 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6994 nft_trans_destroy(trans);
6996 case NFT_MSG_NEWSET:
6997 trans->ctx.table->use--;
6998 if (nft_trans_set_bound(trans)) {
6999 nft_trans_destroy(trans);
7002 list_del_rcu(&nft_trans_set(trans)->list);
7004 case NFT_MSG_DELSET:
7005 trans->ctx.table->use++;
7006 nft_clear(trans->ctx.net, nft_trans_set(trans));
7007 nft_trans_destroy(trans);
7009 case NFT_MSG_NEWSETELEM:
7010 if (nft_trans_elem_set_bound(trans)) {
7011 nft_trans_destroy(trans);
7014 te = (struct nft_trans_elem *)trans->data;
7015 te->set->ops->remove(net, te->set, &te->elem);
7016 atomic_dec(&te->set->nelems);
7018 case NFT_MSG_DELSETELEM:
7019 te = (struct nft_trans_elem *)trans->data;
7021 nft_set_elem_activate(net, te->set, &te->elem);
7022 te->set->ops->activate(net, te->set, &te->elem);
7025 nft_trans_destroy(trans);
7027 case NFT_MSG_NEWOBJ:
7028 if (nft_trans_obj_update(trans)) {
7029 kfree(nft_trans_obj_newobj(trans));
7030 nft_trans_destroy(trans);
7032 trans->ctx.table->use--;
7033 nft_obj_del(nft_trans_obj(trans));
7036 case NFT_MSG_DELOBJ:
7037 trans->ctx.table->use++;
7038 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7039 nft_trans_destroy(trans);
7041 case NFT_MSG_NEWFLOWTABLE:
7042 trans->ctx.table->use--;
7043 list_del_rcu(&nft_trans_flowtable(trans)->list);
7044 nft_unregister_flowtable_net_hooks(net,
7045 nft_trans_flowtable(trans));
7047 case NFT_MSG_DELFLOWTABLE:
7048 trans->ctx.table->use++;
7049 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7050 nft_trans_destroy(trans);
7057 list_for_each_entry_safe_reverse(trans, next,
7058 &net->nft.commit_list, list) {
7059 list_del(&trans->list);
7060 nf_tables_abort_release(trans);
7066 static void nf_tables_cleanup(struct net *net)
7068 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7071 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
7073 int ret = __nf_tables_abort(net);
7075 mutex_unlock(&net->nft.commit_mutex);
7080 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7084 mutex_lock(&net->nft.commit_mutex);
7086 genid_ok = genid == 0 || net->nft.base_seq == genid;
7088 mutex_unlock(&net->nft.commit_mutex);
7090 /* else, commit mutex has to be released by commit or abort function */
7094 static const struct nfnetlink_subsystem nf_tables_subsys = {
7095 .name = "nf_tables",
7096 .subsys_id = NFNL_SUBSYS_NFTABLES,
7097 .cb_count = NFT_MSG_MAX,
7099 .commit = nf_tables_commit,
7100 .abort = nf_tables_abort,
7101 .cleanup = nf_tables_cleanup,
7102 .valid_genid = nf_tables_valid_genid,
7103 .owner = THIS_MODULE,
7106 int nft_chain_validate_dependency(const struct nft_chain *chain,
7107 enum nft_chain_types type)
7109 const struct nft_base_chain *basechain;
7111 if (nft_is_base_chain(chain)) {
7112 basechain = nft_base_chain(chain);
7113 if (basechain->type->type != type)
7118 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7120 int nft_chain_validate_hooks(const struct nft_chain *chain,
7121 unsigned int hook_flags)
7123 struct nft_base_chain *basechain;
7125 if (nft_is_base_chain(chain)) {
7126 basechain = nft_base_chain(chain);
7128 if ((1 << basechain->ops.hooknum) & hook_flags)
7136 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7139 * Loop detection - walk through the ruleset beginning at the destination chain
7140 * of a new jump until either the source chain is reached (loop) or all
7141 * reachable chains have been traversed.
7143 * The loop check is performed whenever a new jump verdict is added to an
7144 * expression or verdict map or a verdict map is bound to a new chain.
7147 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7148 const struct nft_chain *chain);
7150 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7151 struct nft_set *set,
7152 const struct nft_set_iter *iter,
7153 struct nft_set_elem *elem)
7155 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7156 const struct nft_data *data;
7158 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7159 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7162 data = nft_set_ext_data(ext);
7163 switch (data->verdict.code) {
7166 return nf_tables_check_loops(ctx, data->verdict.chain);
7172 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7173 const struct nft_chain *chain)
7175 const struct nft_rule *rule;
7176 const struct nft_expr *expr, *last;
7177 struct nft_set *set;
7178 struct nft_set_binding *binding;
7179 struct nft_set_iter iter;
7181 if (ctx->chain == chain)
7184 list_for_each_entry(rule, &chain->rules, list) {
7185 nft_rule_for_each_expr(expr, last, rule) {
7186 struct nft_immediate_expr *priv;
7187 const struct nft_data *data;
7190 if (strcmp(expr->ops->type->name, "immediate"))
7193 priv = nft_expr_priv(expr);
7194 if (priv->dreg != NFT_REG_VERDICT)
7198 switch (data->verdict.code) {
7201 err = nf_tables_check_loops(ctx,
7202 data->verdict.chain);
7211 list_for_each_entry(set, &ctx->table->sets, list) {
7212 if (!nft_is_active_next(ctx->net, set))
7214 if (!(set->flags & NFT_SET_MAP) ||
7215 set->dtype != NFT_DATA_VERDICT)
7218 list_for_each_entry(binding, &set->bindings, list) {
7219 if (!(binding->flags & NFT_SET_MAP) ||
7220 binding->chain != chain)
7223 iter.genmask = nft_genmask_next(ctx->net);
7227 iter.fn = nf_tables_loop_check_setelem;
7229 set->ops->walk(ctx, set, &iter);
7239 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7241 * @attr: netlink attribute to fetch value from
7242 * @max: maximum value to be stored in dest
7243 * @dest: pointer to the variable
7245 * Parse, check and store a given u32 netlink attribute into variable.
7246 * This function returns -ERANGE if the value goes over maximum value.
7247 * Otherwise a 0 is returned and the attribute value is stored in the
7248 * destination variable.
7250 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7254 val = ntohl(nla_get_be32(attr));
7261 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7264 * nft_parse_register - parse a register value from a netlink attribute
7266 * @attr: netlink attribute
7268 * Parse and translate a register value from a netlink attribute.
7269 * Registers used to be 128 bit wide, these register numbers will be
7270 * mapped to the corresponding 32 bit register numbers.
7272 unsigned int nft_parse_register(const struct nlattr *attr)
7276 reg = ntohl(nla_get_be32(attr));
7278 case NFT_REG_VERDICT...NFT_REG_4:
7279 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7281 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7284 EXPORT_SYMBOL_GPL(nft_parse_register);
7287 * nft_dump_register - dump a register value to a netlink attribute
7289 * @skb: socket buffer
7290 * @attr: attribute number
7291 * @reg: register number
7293 * Construct a netlink attribute containing the register number. For
7294 * compatibility reasons, register numbers being a multiple of 4 are
7295 * translated to the corresponding 128 bit register numbers.
7297 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7299 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7300 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7302 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7304 return nla_put_be32(skb, attr, htonl(reg));
7306 EXPORT_SYMBOL_GPL(nft_dump_register);
7309 * nft_validate_register_load - validate a load from a register
7311 * @reg: the register number
7312 * @len: the length of the data
7314 * Validate that the input register is one of the general purpose
7315 * registers and that the length of the load is within the bounds.
7317 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7319 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7323 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7328 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7331 * nft_validate_register_store - validate an expressions' register store
7333 * @ctx: context of the expression performing the load
7334 * @reg: the destination register number
7335 * @data: the data to load
7336 * @type: the data type
7337 * @len: the length of the data
7339 * Validate that a data load uses the appropriate data type for
7340 * the destination register and the length is within the bounds.
7341 * A value of NULL for the data means that its runtime gathered
7344 int nft_validate_register_store(const struct nft_ctx *ctx,
7345 enum nft_registers reg,
7346 const struct nft_data *data,
7347 enum nft_data_types type, unsigned int len)
7352 case NFT_REG_VERDICT:
7353 if (type != NFT_DATA_VERDICT)
7357 (data->verdict.code == NFT_GOTO ||
7358 data->verdict.code == NFT_JUMP)) {
7359 err = nf_tables_check_loops(ctx, data->verdict.chain);
7366 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7370 if (reg * NFT_REG32_SIZE + len >
7371 FIELD_SIZEOF(struct nft_regs, data))
7374 if (data != NULL && type != NFT_DATA_VALUE)
7379 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7381 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7382 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7383 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7384 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7387 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7388 struct nft_data_desc *desc, const struct nlattr *nla)
7390 u8 genmask = nft_genmask_next(ctx->net);
7391 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7392 struct nft_chain *chain;
7395 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7396 nft_verdict_policy, NULL);
7400 if (!tb[NFTA_VERDICT_CODE])
7402 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7404 switch (data->verdict.code) {
7406 switch (data->verdict.code & NF_VERDICT_MASK) {
7421 if (!tb[NFTA_VERDICT_CHAIN])
7423 chain = nft_chain_lookup(ctx->net, ctx->table,
7424 tb[NFTA_VERDICT_CHAIN], genmask);
7426 return PTR_ERR(chain);
7427 if (nft_is_base_chain(chain))
7431 data->verdict.chain = chain;
7435 desc->len = sizeof(data->verdict);
7436 desc->type = NFT_DATA_VERDICT;
7440 static void nft_verdict_uninit(const struct nft_data *data)
7442 switch (data->verdict.code) {
7445 data->verdict.chain->use--;
7450 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7452 struct nlattr *nest;
7454 nest = nla_nest_start_noflag(skb, type);
7456 goto nla_put_failure;
7458 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7459 goto nla_put_failure;
7464 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7466 goto nla_put_failure;
7468 nla_nest_end(skb, nest);
7475 static int nft_value_init(const struct nft_ctx *ctx,
7476 struct nft_data *data, unsigned int size,
7477 struct nft_data_desc *desc, const struct nlattr *nla)
7487 nla_memcpy(data->data, nla, len);
7488 desc->type = NFT_DATA_VALUE;
7493 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7496 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7499 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7500 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7501 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7505 * nft_data_init - parse nf_tables data netlink attributes
7507 * @ctx: context of the expression using the data
7508 * @data: destination struct nft_data
7509 * @size: maximum data length
7510 * @desc: data description
7511 * @nla: netlink attribute containing data
7513 * Parse the netlink data attributes and initialize a struct nft_data.
7514 * The type and length of data are returned in the data description.
7516 * The caller can indicate that it only wants to accept data of type
7517 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7519 int nft_data_init(const struct nft_ctx *ctx,
7520 struct nft_data *data, unsigned int size,
7521 struct nft_data_desc *desc, const struct nlattr *nla)
7523 struct nlattr *tb[NFTA_DATA_MAX + 1];
7526 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7527 nft_data_policy, NULL);
7531 if (tb[NFTA_DATA_VALUE])
7532 return nft_value_init(ctx, data, size, desc,
7533 tb[NFTA_DATA_VALUE]);
7534 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7535 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7538 EXPORT_SYMBOL_GPL(nft_data_init);
7541 * nft_data_release - release a nft_data item
7543 * @data: struct nft_data to release
7544 * @type: type of data
7546 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7547 * all others need to be released by calling this function.
7549 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7551 if (type < NFT_DATA_VERDICT)
7554 case NFT_DATA_VERDICT:
7555 return nft_verdict_uninit(data);
7560 EXPORT_SYMBOL_GPL(nft_data_release);
7562 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7563 enum nft_data_types type, unsigned int len)
7565 struct nlattr *nest;
7568 nest = nla_nest_start_noflag(skb, attr);
7573 case NFT_DATA_VALUE:
7574 err = nft_value_dump(skb, data, len);
7576 case NFT_DATA_VERDICT:
7577 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7584 nla_nest_end(skb, nest);
7587 EXPORT_SYMBOL_GPL(nft_data_dump);
7589 int __nft_release_basechain(struct nft_ctx *ctx)
7591 struct nft_rule *rule, *nr;
7593 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7596 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7597 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7598 list_del(&rule->list);
7600 nf_tables_rule_release(ctx, rule);
7602 nft_chain_del(ctx->chain);
7604 nf_tables_chain_destroy(ctx);
7608 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7610 static void __nft_release_tables(struct net *net)
7612 struct nft_flowtable *flowtable, *nf;
7613 struct nft_table *table, *nt;
7614 struct nft_chain *chain, *nc;
7615 struct nft_object *obj, *ne;
7616 struct nft_rule *rule, *nr;
7617 struct nft_set *set, *ns;
7618 struct nft_ctx ctx = {
7620 .family = NFPROTO_NETDEV,
7623 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7624 ctx.family = table->family;
7626 list_for_each_entry(chain, &table->chains, list)
7627 nf_tables_unregister_hook(net, table, chain);
7628 /* No packets are walking on these chains anymore. */
7630 list_for_each_entry(chain, &table->chains, list) {
7632 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7633 list_del(&rule->list);
7635 nf_tables_rule_release(&ctx, rule);
7638 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7639 list_del(&flowtable->list);
7641 nf_tables_flowtable_destroy(flowtable);
7643 list_for_each_entry_safe(set, ns, &table->sets, list) {
7644 list_del(&set->list);
7646 nft_set_destroy(set);
7648 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7651 nft_obj_destroy(&ctx, obj);
7653 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7655 nft_chain_del(chain);
7657 nf_tables_chain_destroy(&ctx);
7659 list_del(&table->list);
7660 nf_tables_table_destroy(&ctx);
7664 static int __net_init nf_tables_init_net(struct net *net)
7666 INIT_LIST_HEAD(&net->nft.tables);
7667 INIT_LIST_HEAD(&net->nft.commit_list);
7668 mutex_init(&net->nft.commit_mutex);
7669 net->nft.base_seq = 1;
7670 net->nft.validate_state = NFT_VALIDATE_SKIP;
7675 static void __net_exit nf_tables_exit_net(struct net *net)
7677 mutex_lock(&net->nft.commit_mutex);
7678 if (!list_empty(&net->nft.commit_list))
7679 __nf_tables_abort(net);
7680 __nft_release_tables(net);
7681 mutex_unlock(&net->nft.commit_mutex);
7682 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7685 static struct pernet_operations nf_tables_net_ops = {
7686 .init = nf_tables_init_net,
7687 .exit = nf_tables_exit_net,
7690 static int __init nf_tables_module_init(void)
7694 spin_lock_init(&nf_tables_destroy_list_lock);
7695 err = register_pernet_subsys(&nf_tables_net_ops);
7699 err = nft_chain_filter_init();
7703 err = nf_tables_core_module_init();
7707 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7711 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7715 err = nft_offload_init();
7720 err = nfnetlink_subsys_register(&nf_tables_subsys);
7724 nft_chain_route_init();
7730 rhltable_destroy(&nft_objname_ht);
7732 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7734 nf_tables_core_module_exit();
7736 nft_chain_filter_fini();
7738 unregister_pernet_subsys(&nf_tables_net_ops);
7742 static void __exit nf_tables_module_exit(void)
7744 nfnetlink_subsys_unregister(&nf_tables_subsys);
7746 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7747 nft_chain_filter_fini();
7748 nft_chain_route_fini();
7749 unregister_pernet_subsys(&nf_tables_net_ops);
7750 cancel_work_sync(&trans_destroy_work);
7752 rhltable_destroy(&nft_objname_ht);
7753 nf_tables_core_module_exit();
7756 module_init(nf_tables_module_init);
7757 module_exit(nf_tables_module_exit);
7759 MODULE_LICENSE("GPL");
7760 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7761 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-block.git / blob