2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/rhashtable.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter/nfnetlink.h>
20 #include <linux/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_flow_table.h>
22 #include <net/netfilter/nf_tables_core.h>
23 #include <net/netfilter/nf_tables.h>
24 #include <net/net_namespace.h>
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static u64 table_handle;
33 NFT_VALIDATE_SKIP = 0,
38 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
39 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
40 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
42 static const struct rhashtable_params nft_chain_ht_params = {
43 .head_offset = offsetof(struct nft_chain, rhlhead),
44 .key_offset = offsetof(struct nft_chain, name),
45 .hashfn = nft_chain_hash,
46 .obj_hashfn = nft_chain_hash_obj,
47 .obj_cmpfn = nft_chain_hash_cmp,
49 .automatic_shrinking = true,
52 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
54 switch (net->nft.validate_state) {
55 case NFT_VALIDATE_SKIP:
56 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
58 case NFT_VALIDATE_NEED:
61 if (new_validate_state == NFT_VALIDATE_NEED)
65 net->nft.validate_state = new_validate_state;
68 static void nft_ctx_init(struct nft_ctx *ctx,
70 const struct sk_buff *skb,
71 const struct nlmsghdr *nlh,
73 struct nft_table *table,
74 struct nft_chain *chain,
75 const struct nlattr * const *nla)
83 ctx->portid = NETLINK_CB(skb).portid;
84 ctx->report = nlmsg_report(nlh);
85 ctx->seq = nlh->nlmsg_seq;
88 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
89 int msg_type, u32 size, gfp_t gfp)
91 struct nft_trans *trans;
93 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
97 trans->msg_type = msg_type;
103 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
104 int msg_type, u32 size)
106 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
109 static void nft_trans_destroy(struct nft_trans *trans)
111 list_del(&trans->list);
115 static int nf_tables_register_hook(struct net *net,
116 const struct nft_table *table,
117 struct nft_chain *chain)
119 const struct nft_base_chain *basechain;
120 const struct nf_hook_ops *ops;
122 if (table->flags & NFT_TABLE_F_DORMANT ||
123 !nft_is_base_chain(chain))
126 basechain = nft_base_chain(chain);
127 ops = &basechain->ops;
129 if (basechain->type->ops_register)
130 return basechain->type->ops_register(net, ops);
132 return nf_register_net_hook(net, ops);
135 static void nf_tables_unregister_hook(struct net *net,
136 const struct nft_table *table,
137 struct nft_chain *chain)
139 const struct nft_base_chain *basechain;
140 const struct nf_hook_ops *ops;
142 if (table->flags & NFT_TABLE_F_DORMANT ||
143 !nft_is_base_chain(chain))
145 basechain = nft_base_chain(chain);
146 ops = &basechain->ops;
148 if (basechain->type->ops_unregister)
149 return basechain->type->ops_unregister(net, ops);
151 nf_unregister_net_hook(net, ops);
154 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
156 struct nft_trans *trans;
158 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
162 if (msg_type == NFT_MSG_NEWTABLE)
163 nft_activate_next(ctx->net, ctx->table);
165 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
169 static int nft_deltable(struct nft_ctx *ctx)
173 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
177 nft_deactivate_next(ctx->net, ctx->table);
181 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
183 struct nft_trans *trans;
185 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
189 if (msg_type == NFT_MSG_NEWCHAIN)
190 nft_activate_next(ctx->net, ctx->chain);
192 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
196 static int nft_delchain(struct nft_ctx *ctx)
200 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
205 nft_deactivate_next(ctx->net, ctx->chain);
210 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
211 struct nft_rule *rule)
213 struct nft_expr *expr;
215 expr = nft_expr_first(rule);
216 while (expr != nft_expr_last(rule) && expr->ops) {
217 if (expr->ops->activate)
218 expr->ops->activate(ctx, expr);
220 expr = nft_expr_next(expr);
224 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
225 struct nft_rule *rule)
227 struct nft_expr *expr;
229 expr = nft_expr_first(rule);
230 while (expr != nft_expr_last(rule) && expr->ops) {
231 if (expr->ops->deactivate)
232 expr->ops->deactivate(ctx, expr);
234 expr = nft_expr_next(expr);
239 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
241 /* You cannot delete the same rule twice */
242 if (nft_is_active_next(ctx->net, rule)) {
243 nft_deactivate_next(ctx->net, rule);
250 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
251 struct nft_rule *rule)
253 struct nft_trans *trans;
255 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
259 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
260 nft_trans_rule_id(trans) =
261 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
263 nft_trans_rule(trans) = rule;
264 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
269 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
271 struct nft_trans *trans;
274 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
278 err = nf_tables_delrule_deactivate(ctx, rule);
280 nft_trans_destroy(trans);
283 nft_rule_expr_deactivate(ctx, rule);
288 static int nft_delrule_by_chain(struct nft_ctx *ctx)
290 struct nft_rule *rule;
293 list_for_each_entry(rule, &ctx->chain->rules, list) {
294 err = nft_delrule(ctx, rule);
301 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
304 struct nft_trans *trans;
306 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
310 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
311 nft_trans_set_id(trans) =
312 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
313 nft_activate_next(ctx->net, set);
315 nft_trans_set(trans) = set;
316 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
321 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
325 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
329 nft_deactivate_next(ctx->net, set);
335 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
336 struct nft_object *obj)
338 struct nft_trans *trans;
340 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
344 if (msg_type == NFT_MSG_NEWOBJ)
345 nft_activate_next(ctx->net, obj);
347 nft_trans_obj(trans) = obj;
348 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
353 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
357 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
361 nft_deactivate_next(ctx->net, obj);
367 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
368 struct nft_flowtable *flowtable)
370 struct nft_trans *trans;
372 trans = nft_trans_alloc(ctx, msg_type,
373 sizeof(struct nft_trans_flowtable));
377 if (msg_type == NFT_MSG_NEWFLOWTABLE)
378 nft_activate_next(ctx->net, flowtable);
380 nft_trans_flowtable(trans) = flowtable;
381 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
386 static int nft_delflowtable(struct nft_ctx *ctx,
387 struct nft_flowtable *flowtable)
391 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
395 nft_deactivate_next(ctx->net, flowtable);
405 static struct nft_table *nft_table_lookup(const struct net *net,
406 const struct nlattr *nla,
407 u8 family, u8 genmask)
409 struct nft_table *table;
412 return ERR_PTR(-EINVAL);
414 list_for_each_entry_rcu(table, &net->nft.tables, list) {
415 if (!nla_strcmp(nla, table->name) &&
416 table->family == family &&
417 nft_active_genmask(table, genmask))
421 return ERR_PTR(-ENOENT);
424 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
425 const struct nlattr *nla,
428 struct nft_table *table;
430 list_for_each_entry(table, &net->nft.tables, list) {
431 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
432 nft_active_genmask(table, genmask))
436 return ERR_PTR(-ENOENT);
439 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
441 return ++table->hgenerator;
444 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
446 static const struct nft_chain_type *
447 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
451 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
452 if (chain_type[family][i] != NULL &&
453 !nla_strcmp(nla, chain_type[family][i]->name))
454 return chain_type[family][i];
460 * Loading a module requires dropping mutex that guards the
462 * We first need to abort any pending transactions as once
463 * mutex is unlocked a different client could start a new
464 * transaction. It must not see any 'future generation'
465 * changes * as these changes will never happen.
467 #ifdef CONFIG_MODULES
468 static int __nf_tables_abort(struct net *net);
470 static void nft_request_module(struct net *net, const char *fmt, ...)
472 char module_name[MODULE_NAME_LEN];
476 __nf_tables_abort(net);
479 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
481 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
484 mutex_unlock(&net->nft.commit_mutex);
485 request_module("%s", module_name);
486 mutex_lock(&net->nft.commit_mutex);
490 static void lockdep_nfnl_nft_mutex_not_held(void)
492 #ifdef CONFIG_PROVE_LOCKING
493 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
497 static const struct nft_chain_type *
498 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
499 u8 family, bool autoload)
501 const struct nft_chain_type *type;
503 type = __nf_tables_chain_type_lookup(nla, family);
507 lockdep_nfnl_nft_mutex_not_held();
508 #ifdef CONFIG_MODULES
510 nft_request_module(net, "nft-chain-%u-%.*s", family,
511 nla_len(nla), (const char *)nla_data(nla));
512 type = __nf_tables_chain_type_lookup(nla, family);
514 return ERR_PTR(-EAGAIN);
517 return ERR_PTR(-ENOENT);
520 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
521 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
522 .len = NFT_TABLE_MAXNAMELEN - 1 },
523 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
524 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
527 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
528 u32 portid, u32 seq, int event, u32 flags,
529 int family, const struct nft_table *table)
531 struct nlmsghdr *nlh;
532 struct nfgenmsg *nfmsg;
534 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
535 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
537 goto nla_put_failure;
539 nfmsg = nlmsg_data(nlh);
540 nfmsg->nfgen_family = family;
541 nfmsg->version = NFNETLINK_V0;
542 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
544 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
545 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
546 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
547 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
549 goto nla_put_failure;
555 nlmsg_trim(skb, nlh);
559 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
565 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
568 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
572 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
573 event, 0, ctx->family, ctx->table);
579 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
580 ctx->report, GFP_KERNEL);
583 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
586 static int nf_tables_dump_tables(struct sk_buff *skb,
587 struct netlink_callback *cb)
589 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
590 const struct nft_table *table;
591 unsigned int idx = 0, s_idx = cb->args[0];
592 struct net *net = sock_net(skb->sk);
593 int family = nfmsg->nfgen_family;
596 cb->seq = net->nft.base_seq;
598 list_for_each_entry_rcu(table, &net->nft.tables, list) {
599 if (family != NFPROTO_UNSPEC && family != table->family)
605 memset(&cb->args[1], 0,
606 sizeof(cb->args) - sizeof(cb->args[0]));
607 if (!nft_is_active(net, table))
609 if (nf_tables_fill_table_info(skb, net,
610 NETLINK_CB(cb->skb).portid,
612 NFT_MSG_NEWTABLE, NLM_F_MULTI,
613 table->family, table) < 0)
616 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
626 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
627 const struct nlmsghdr *nlh,
628 struct netlink_dump_control *c)
632 if (!try_module_get(THIS_MODULE))
636 err = netlink_dump_start(nlsk, skb, nlh, c);
638 module_put(THIS_MODULE);
643 /* called with rcu_read_lock held */
644 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
645 struct sk_buff *skb, const struct nlmsghdr *nlh,
646 const struct nlattr * const nla[],
647 struct netlink_ext_ack *extack)
649 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
650 u8 genmask = nft_genmask_cur(net);
651 const struct nft_table *table;
652 struct sk_buff *skb2;
653 int family = nfmsg->nfgen_family;
656 if (nlh->nlmsg_flags & NLM_F_DUMP) {
657 struct netlink_dump_control c = {
658 .dump = nf_tables_dump_tables,
659 .module = THIS_MODULE,
662 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
665 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
667 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
668 return PTR_ERR(table);
671 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
675 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
676 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
681 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
688 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
690 struct nft_chain *chain;
693 list_for_each_entry(chain, &table->chains, list) {
694 if (!nft_is_active_next(net, chain))
696 if (!nft_is_base_chain(chain))
699 if (cnt && i++ == cnt)
702 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
706 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
708 struct nft_chain *chain;
711 list_for_each_entry(chain, &table->chains, list) {
712 if (!nft_is_active_next(net, chain))
714 if (!nft_is_base_chain(chain))
717 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
726 nft_table_disable(net, table, i);
730 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
732 nft_table_disable(net, table, 0);
735 static int nf_tables_updtable(struct nft_ctx *ctx)
737 struct nft_trans *trans;
741 if (!ctx->nla[NFTA_TABLE_FLAGS])
744 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
745 if (flags & ~NFT_TABLE_F_DORMANT)
748 if (flags == ctx->table->flags)
751 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
752 sizeof(struct nft_trans_table));
756 if ((flags & NFT_TABLE_F_DORMANT) &&
757 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
758 nft_trans_table_enable(trans) = false;
759 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
760 ctx->table->flags & NFT_TABLE_F_DORMANT) {
761 ret = nf_tables_table_enable(ctx->net, ctx->table);
763 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
764 nft_trans_table_enable(trans) = true;
770 nft_trans_table_update(trans) = true;
771 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
774 nft_trans_destroy(trans);
778 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
780 const char *name = data;
782 return jhash(name, strlen(name), seed);
785 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
787 const struct nft_chain *chain = data;
789 return nft_chain_hash(chain->name, 0, seed);
792 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
795 const struct nft_chain *chain = ptr;
796 const char *name = arg->key;
798 return strcmp(chain->name, name);
801 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
802 struct sk_buff *skb, const struct nlmsghdr *nlh,
803 const struct nlattr * const nla[],
804 struct netlink_ext_ack *extack)
806 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
807 u8 genmask = nft_genmask_next(net);
808 int family = nfmsg->nfgen_family;
809 const struct nlattr *attr;
810 struct nft_table *table;
815 lockdep_assert_held(&net->nft.commit_mutex);
816 attr = nla[NFTA_TABLE_NAME];
817 table = nft_table_lookup(net, attr, family, genmask);
819 if (PTR_ERR(table) != -ENOENT)
820 return PTR_ERR(table);
822 if (nlh->nlmsg_flags & NLM_F_EXCL) {
823 NL_SET_BAD_ATTR(extack, attr);
826 if (nlh->nlmsg_flags & NLM_F_REPLACE)
829 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
830 return nf_tables_updtable(&ctx);
833 if (nla[NFTA_TABLE_FLAGS]) {
834 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
835 if (flags & ~NFT_TABLE_F_DORMANT)
840 table = kzalloc(sizeof(*table), GFP_KERNEL);
844 table->name = nla_strdup(attr, GFP_KERNEL);
845 if (table->name == NULL)
848 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
852 INIT_LIST_HEAD(&table->chains);
853 INIT_LIST_HEAD(&table->sets);
854 INIT_LIST_HEAD(&table->objects);
855 INIT_LIST_HEAD(&table->flowtables);
856 table->family = family;
857 table->flags = flags;
858 table->handle = ++table_handle;
860 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
861 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
865 list_add_tail_rcu(&table->list, &net->nft.tables);
868 rhltable_destroy(&table->chains_ht);
877 static int nft_flush_table(struct nft_ctx *ctx)
879 struct nft_flowtable *flowtable, *nft;
880 struct nft_chain *chain, *nc;
881 struct nft_object *obj, *ne;
882 struct nft_set *set, *ns;
885 list_for_each_entry(chain, &ctx->table->chains, list) {
886 if (!nft_is_active_next(ctx->net, chain))
891 err = nft_delrule_by_chain(ctx);
896 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
897 if (!nft_is_active_next(ctx->net, set))
900 if (nft_set_is_anonymous(set) &&
901 !list_empty(&set->bindings))
904 err = nft_delset(ctx, set);
909 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
910 err = nft_delflowtable(ctx, flowtable);
915 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
916 err = nft_delobj(ctx, obj);
921 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
922 if (!nft_is_active_next(ctx->net, chain))
927 err = nft_delchain(ctx);
932 err = nft_deltable(ctx);
937 static int nft_flush(struct nft_ctx *ctx, int family)
939 struct nft_table *table, *nt;
940 const struct nlattr * const *nla = ctx->nla;
943 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
944 if (family != AF_UNSPEC && table->family != family)
947 ctx->family = table->family;
949 if (!nft_is_active_next(ctx->net, table))
952 if (nla[NFTA_TABLE_NAME] &&
953 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
958 err = nft_flush_table(ctx);
966 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
967 struct sk_buff *skb, const struct nlmsghdr *nlh,
968 const struct nlattr * const nla[],
969 struct netlink_ext_ack *extack)
971 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
972 u8 genmask = nft_genmask_next(net);
973 int family = nfmsg->nfgen_family;
974 const struct nlattr *attr;
975 struct nft_table *table;
978 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
979 if (family == AF_UNSPEC ||
980 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
981 return nft_flush(&ctx, family);
983 if (nla[NFTA_TABLE_HANDLE]) {
984 attr = nla[NFTA_TABLE_HANDLE];
985 table = nft_table_lookup_byhandle(net, attr, genmask);
987 attr = nla[NFTA_TABLE_NAME];
988 table = nft_table_lookup(net, attr, family, genmask);
992 NL_SET_BAD_ATTR(extack, attr);
993 return PTR_ERR(table);
996 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1000 ctx.family = family;
1003 return nft_flush_table(&ctx);
1006 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1008 BUG_ON(ctx->table->use > 0);
1010 rhltable_destroy(&ctx->table->chains_ht);
1011 kfree(ctx->table->name);
1015 void nft_register_chain_type(const struct nft_chain_type *ctype)
1017 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1020 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1021 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1022 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1025 chain_type[ctype->family][ctype->type] = ctype;
1026 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1028 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1030 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1032 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1033 chain_type[ctype->family][ctype->type] = NULL;
1034 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1036 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1042 static struct nft_chain *
1043 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1045 struct nft_chain *chain;
1047 list_for_each_entry(chain, &table->chains, list) {
1048 if (chain->handle == handle &&
1049 nft_active_genmask(chain, genmask))
1053 return ERR_PTR(-ENOENT);
1056 static bool lockdep_commit_lock_is_held(struct net *net)
1058 #ifdef CONFIG_PROVE_LOCKING
1059 return lockdep_is_held(&net->nft.commit_mutex);
1065 static struct nft_chain *nft_chain_lookup(struct net *net,
1066 struct nft_table *table,
1067 const struct nlattr *nla, u8 genmask)
1069 char search[NFT_CHAIN_MAXNAMELEN + 1];
1070 struct rhlist_head *tmp, *list;
1071 struct nft_chain *chain;
1074 return ERR_PTR(-EINVAL);
1076 nla_strlcpy(search, nla, sizeof(search));
1078 WARN_ON(!rcu_read_lock_held() &&
1079 !lockdep_commit_lock_is_held(net));
1081 chain = ERR_PTR(-ENOENT);
1083 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1087 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1088 if (nft_active_genmask(chain, genmask))
1091 chain = ERR_PTR(-ENOENT);
1097 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1098 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1099 .len = NFT_TABLE_MAXNAMELEN - 1 },
1100 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1101 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1102 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1103 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1104 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1105 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1106 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1109 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1110 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1111 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1112 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1113 .len = IFNAMSIZ - 1 },
1116 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1118 struct nft_stats *cpu_stats, total;
1119 struct nlattr *nest;
1124 memset(&total, 0, sizeof(total));
1125 for_each_possible_cpu(cpu) {
1126 cpu_stats = per_cpu_ptr(stats, cpu);
1128 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1129 pkts = cpu_stats->pkts;
1130 bytes = cpu_stats->bytes;
1131 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1133 total.bytes += bytes;
1135 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1137 goto nla_put_failure;
1139 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1140 NFTA_COUNTER_PAD) ||
1141 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1143 goto nla_put_failure;
1145 nla_nest_end(skb, nest);
1152 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1153 u32 portid, u32 seq, int event, u32 flags,
1154 int family, const struct nft_table *table,
1155 const struct nft_chain *chain)
1157 struct nlmsghdr *nlh;
1158 struct nfgenmsg *nfmsg;
1160 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1161 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1163 goto nla_put_failure;
1165 nfmsg = nlmsg_data(nlh);
1166 nfmsg->nfgen_family = family;
1167 nfmsg->version = NFNETLINK_V0;
1168 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1170 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1171 goto nla_put_failure;
1172 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1174 goto nla_put_failure;
1175 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1176 goto nla_put_failure;
1178 if (nft_is_base_chain(chain)) {
1179 const struct nft_base_chain *basechain = nft_base_chain(chain);
1180 const struct nf_hook_ops *ops = &basechain->ops;
1181 struct nlattr *nest;
1183 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1185 goto nla_put_failure;
1186 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1187 goto nla_put_failure;
1188 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1189 goto nla_put_failure;
1190 if (basechain->dev_name[0] &&
1191 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1192 goto nla_put_failure;
1193 nla_nest_end(skb, nest);
1195 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1196 htonl(basechain->policy)))
1197 goto nla_put_failure;
1199 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1200 goto nla_put_failure;
1202 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1203 goto nla_put_failure;
1206 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1207 goto nla_put_failure;
1209 nlmsg_end(skb, nlh);
1213 nlmsg_trim(skb, nlh);
1217 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1219 struct sk_buff *skb;
1223 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1226 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1230 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1231 event, 0, ctx->family, ctx->table,
1238 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1239 ctx->report, GFP_KERNEL);
1242 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1245 static int nf_tables_dump_chains(struct sk_buff *skb,
1246 struct netlink_callback *cb)
1248 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1249 const struct nft_table *table;
1250 const struct nft_chain *chain;
1251 unsigned int idx = 0, s_idx = cb->args[0];
1252 struct net *net = sock_net(skb->sk);
1253 int family = nfmsg->nfgen_family;
1256 cb->seq = net->nft.base_seq;
1258 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1259 if (family != NFPROTO_UNSPEC && family != table->family)
1262 list_for_each_entry_rcu(chain, &table->chains, list) {
1266 memset(&cb->args[1], 0,
1267 sizeof(cb->args) - sizeof(cb->args[0]));
1268 if (!nft_is_active(net, chain))
1270 if (nf_tables_fill_chain_info(skb, net,
1271 NETLINK_CB(cb->skb).portid,
1275 table->family, table,
1279 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1290 /* called with rcu_read_lock held */
1291 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1292 struct sk_buff *skb, const struct nlmsghdr *nlh,
1293 const struct nlattr * const nla[],
1294 struct netlink_ext_ack *extack)
1296 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1297 u8 genmask = nft_genmask_cur(net);
1298 const struct nft_chain *chain;
1299 struct nft_table *table;
1300 struct sk_buff *skb2;
1301 int family = nfmsg->nfgen_family;
1304 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1305 struct netlink_dump_control c = {
1306 .dump = nf_tables_dump_chains,
1307 .module = THIS_MODULE,
1310 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1313 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1314 if (IS_ERR(table)) {
1315 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1316 return PTR_ERR(table);
1319 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1320 if (IS_ERR(chain)) {
1321 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1322 return PTR_ERR(chain);
1325 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1329 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1330 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1331 family, table, chain);
1335 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1342 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1343 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1344 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1347 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1349 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1350 struct nft_stats __percpu *newstats;
1351 struct nft_stats *stats;
1354 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1357 return ERR_PTR(err);
1359 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1360 return ERR_PTR(-EINVAL);
1362 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1363 if (newstats == NULL)
1364 return ERR_PTR(-ENOMEM);
1366 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1367 * are not exposed to userspace.
1370 stats = this_cpu_ptr(newstats);
1371 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1372 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1378 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1379 struct nft_stats __percpu *newstats)
1381 struct nft_stats __percpu *oldstats;
1383 if (newstats == NULL)
1387 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1388 rcu_assign_pointer(chain->stats, newstats);
1390 free_percpu(oldstats);
1392 rcu_assign_pointer(chain->stats, newstats);
1393 static_branch_inc(&nft_counters_enabled);
1397 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1399 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1400 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1406 /* should be NULL either via abort or via successful commit */
1407 WARN_ON_ONCE(chain->rules_next);
1408 kvfree(chain->rules_next);
1411 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1413 struct nft_chain *chain = ctx->chain;
1415 BUG_ON(chain->use > 0);
1417 /* no concurrent access possible anymore */
1418 nf_tables_chain_free_chain_rules(chain);
1420 if (nft_is_base_chain(chain)) {
1421 struct nft_base_chain *basechain = nft_base_chain(chain);
1423 module_put(basechain->type->owner);
1424 free_percpu(basechain->stats);
1425 if (basechain->stats)
1426 static_branch_dec(&nft_counters_enabled);
1435 struct nft_chain_hook {
1438 const struct nft_chain_type *type;
1439 struct net_device *dev;
1442 static int nft_chain_parse_hook(struct net *net,
1443 const struct nlattr * const nla[],
1444 struct nft_chain_hook *hook, u8 family,
1447 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1448 const struct nft_chain_type *type;
1449 struct net_device *dev;
1452 lockdep_assert_held(&net->nft.commit_mutex);
1453 lockdep_nfnl_nft_mutex_not_held();
1455 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1456 nft_hook_policy, NULL);
1460 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1461 ha[NFTA_HOOK_PRIORITY] == NULL)
1464 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1465 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1467 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1468 if (nla[NFTA_CHAIN_TYPE]) {
1469 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1472 return PTR_ERR(type);
1474 if (!(type->hook_mask & (1 << hook->num)))
1477 if (type->type == NFT_CHAIN_T_NAT &&
1478 hook->priority <= NF_IP_PRI_CONNTRACK)
1481 if (!try_module_get(type->owner))
1487 if (family == NFPROTO_NETDEV) {
1488 char ifname[IFNAMSIZ];
1490 if (!ha[NFTA_HOOK_DEV]) {
1491 module_put(type->owner);
1495 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1496 dev = __dev_get_by_name(net, ifname);
1498 module_put(type->owner);
1502 } else if (ha[NFTA_HOOK_DEV]) {
1503 module_put(type->owner);
1510 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1512 module_put(hook->type->owner);
1515 struct nft_rules_old {
1517 struct nft_rule **start;
1520 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1523 if (alloc > INT_MAX)
1526 alloc += 1; /* NULL, ends rules */
1527 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1530 alloc *= sizeof(struct nft_rule *);
1531 alloc += sizeof(struct nft_rules_old);
1533 return kvmalloc(alloc, GFP_KERNEL);
1536 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1539 const struct nlattr * const *nla = ctx->nla;
1540 struct nft_table *table = ctx->table;
1541 struct nft_base_chain *basechain;
1542 struct nft_stats __percpu *stats;
1543 struct net *net = ctx->net;
1544 struct nft_chain *chain;
1545 struct nft_rule **rules;
1548 if (table->use == UINT_MAX)
1551 if (nla[NFTA_CHAIN_HOOK]) {
1552 struct nft_chain_hook hook;
1553 struct nf_hook_ops *ops;
1555 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1559 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1560 if (basechain == NULL) {
1561 nft_chain_release_hook(&hook);
1565 if (hook.dev != NULL)
1566 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1568 if (nla[NFTA_CHAIN_COUNTERS]) {
1569 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1570 if (IS_ERR(stats)) {
1571 nft_chain_release_hook(&hook);
1573 return PTR_ERR(stats);
1575 basechain->stats = stats;
1576 static_branch_inc(&nft_counters_enabled);
1579 basechain->type = hook.type;
1580 chain = &basechain->chain;
1582 ops = &basechain->ops;
1584 ops->hooknum = hook.num;
1585 ops->priority = hook.priority;
1587 ops->hook = hook.type->hooks[ops->hooknum];
1588 ops->dev = hook.dev;
1590 chain->flags |= NFT_BASE_CHAIN;
1591 basechain->policy = policy;
1593 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1599 INIT_LIST_HEAD(&chain->rules);
1600 chain->handle = nf_tables_alloc_handle(table);
1601 chain->table = table;
1602 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1608 rules = nf_tables_chain_alloc_rules(chain, 0);
1615 rcu_assign_pointer(chain->rules_gen_0, rules);
1616 rcu_assign_pointer(chain->rules_gen_1, rules);
1618 err = nf_tables_register_hook(net, table, chain);
1622 err = rhltable_insert_key(&table->chains_ht, chain->name,
1623 &chain->rhlhead, nft_chain_ht_params);
1627 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1629 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1630 nft_chain_ht_params);
1635 list_add_tail_rcu(&chain->list, &table->chains);
1639 nf_tables_unregister_hook(net, table, chain);
1641 nf_tables_chain_destroy(ctx);
1646 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
1648 const struct nlattr * const *nla = ctx->nla;
1649 struct nft_table *table = ctx->table;
1650 struct nft_chain *chain = ctx->chain;
1651 struct nft_base_chain *basechain;
1652 struct nft_stats *stats = NULL;
1653 struct nft_chain_hook hook;
1654 struct nf_hook_ops *ops;
1655 struct nft_trans *trans;
1658 if (nla[NFTA_CHAIN_HOOK]) {
1659 if (!nft_is_base_chain(chain))
1662 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1667 basechain = nft_base_chain(chain);
1668 if (basechain->type != hook.type) {
1669 nft_chain_release_hook(&hook);
1673 ops = &basechain->ops;
1674 if (ops->hooknum != hook.num ||
1675 ops->priority != hook.priority ||
1676 ops->dev != hook.dev) {
1677 nft_chain_release_hook(&hook);
1680 nft_chain_release_hook(&hook);
1683 if (nla[NFTA_CHAIN_HANDLE] &&
1684 nla[NFTA_CHAIN_NAME]) {
1685 struct nft_chain *chain2;
1687 chain2 = nft_chain_lookup(ctx->net, table,
1688 nla[NFTA_CHAIN_NAME], genmask);
1689 if (!IS_ERR(chain2))
1693 if (nla[NFTA_CHAIN_COUNTERS]) {
1694 if (!nft_is_base_chain(chain))
1697 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1699 return PTR_ERR(stats);
1703 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1704 sizeof(struct nft_trans_chain));
1708 nft_trans_chain_stats(trans) = stats;
1709 nft_trans_chain_update(trans) = true;
1711 if (nla[NFTA_CHAIN_POLICY])
1712 nft_trans_chain_policy(trans) = policy;
1714 nft_trans_chain_policy(trans) = -1;
1716 if (nla[NFTA_CHAIN_HANDLE] &&
1717 nla[NFTA_CHAIN_NAME]) {
1718 struct nft_trans *tmp;
1722 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1727 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1728 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1729 tmp->ctx.table == table &&
1730 nft_trans_chain_update(tmp) &&
1731 nft_trans_chain_name(tmp) &&
1732 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1738 nft_trans_chain_name(trans) = name;
1740 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1749 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1750 struct sk_buff *skb, const struct nlmsghdr *nlh,
1751 const struct nlattr * const nla[],
1752 struct netlink_ext_ack *extack)
1754 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1755 u8 genmask = nft_genmask_next(net);
1756 int family = nfmsg->nfgen_family;
1757 const struct nlattr *attr;
1758 struct nft_table *table;
1759 struct nft_chain *chain;
1760 u8 policy = NF_ACCEPT;
1764 lockdep_assert_held(&net->nft.commit_mutex);
1766 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1767 if (IS_ERR(table)) {
1768 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1769 return PTR_ERR(table);
1773 attr = nla[NFTA_CHAIN_NAME];
1775 if (nla[NFTA_CHAIN_HANDLE]) {
1776 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1777 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1778 if (IS_ERR(chain)) {
1779 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1780 return PTR_ERR(chain);
1782 attr = nla[NFTA_CHAIN_HANDLE];
1784 chain = nft_chain_lookup(net, table, attr, genmask);
1785 if (IS_ERR(chain)) {
1786 if (PTR_ERR(chain) != -ENOENT) {
1787 NL_SET_BAD_ATTR(extack, attr);
1788 return PTR_ERR(chain);
1794 if (nla[NFTA_CHAIN_POLICY]) {
1795 if (chain != NULL &&
1796 !nft_is_base_chain(chain)) {
1797 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1801 if (chain == NULL &&
1802 nla[NFTA_CHAIN_HOOK] == NULL) {
1803 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1807 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1817 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1819 if (chain != NULL) {
1820 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1821 NL_SET_BAD_ATTR(extack, attr);
1824 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1827 return nf_tables_updchain(&ctx, genmask, policy);
1830 return nf_tables_addchain(&ctx, family, genmask, policy);
1833 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1834 struct sk_buff *skb, const struct nlmsghdr *nlh,
1835 const struct nlattr * const nla[],
1836 struct netlink_ext_ack *extack)
1838 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1839 u8 genmask = nft_genmask_next(net);
1840 int family = nfmsg->nfgen_family;
1841 const struct nlattr *attr;
1842 struct nft_table *table;
1843 struct nft_chain *chain;
1844 struct nft_rule *rule;
1850 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1851 if (IS_ERR(table)) {
1852 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1853 return PTR_ERR(table);
1856 if (nla[NFTA_CHAIN_HANDLE]) {
1857 attr = nla[NFTA_CHAIN_HANDLE];
1858 handle = be64_to_cpu(nla_get_be64(attr));
1859 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1861 attr = nla[NFTA_CHAIN_NAME];
1862 chain = nft_chain_lookup(net, table, attr, genmask);
1864 if (IS_ERR(chain)) {
1865 NL_SET_BAD_ATTR(extack, attr);
1866 return PTR_ERR(chain);
1869 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1873 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1876 list_for_each_entry(rule, &chain->rules, list) {
1877 if (!nft_is_active_next(net, rule))
1881 err = nft_delrule(&ctx, rule);
1886 /* There are rules and elements that are still holding references to us,
1887 * we cannot do a recursive removal in this case.
1890 NL_SET_BAD_ATTR(extack, attr);
1894 return nft_delchain(&ctx);
1902 * nft_register_expr - register nf_tables expr type
1905 * Registers the expr type for use with nf_tables. Returns zero on
1906 * success or a negative errno code otherwise.
1908 int nft_register_expr(struct nft_expr_type *type)
1910 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1911 if (type->family == NFPROTO_UNSPEC)
1912 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1914 list_add_rcu(&type->list, &nf_tables_expressions);
1915 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1918 EXPORT_SYMBOL_GPL(nft_register_expr);
1921 * nft_unregister_expr - unregister nf_tables expr type
1924 * Unregisters the expr typefor use with nf_tables.
1926 void nft_unregister_expr(struct nft_expr_type *type)
1928 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1929 list_del_rcu(&type->list);
1930 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1932 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1934 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1937 const struct nft_expr_type *type;
1939 list_for_each_entry(type, &nf_tables_expressions, list) {
1940 if (!nla_strcmp(nla, type->name) &&
1941 (!type->family || type->family == family))
1947 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
1951 const struct nft_expr_type *type;
1954 return ERR_PTR(-EINVAL);
1956 type = __nft_expr_type_get(family, nla);
1957 if (type != NULL && try_module_get(type->owner))
1960 lockdep_nfnl_nft_mutex_not_held();
1961 #ifdef CONFIG_MODULES
1963 nft_request_module(net, "nft-expr-%u-%.*s", family,
1964 nla_len(nla), (char *)nla_data(nla));
1965 if (__nft_expr_type_get(family, nla))
1966 return ERR_PTR(-EAGAIN);
1968 nft_request_module(net, "nft-expr-%.*s",
1969 nla_len(nla), (char *)nla_data(nla));
1970 if (__nft_expr_type_get(family, nla))
1971 return ERR_PTR(-EAGAIN);
1974 return ERR_PTR(-ENOENT);
1977 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1978 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1979 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1982 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1983 const struct nft_expr *expr)
1985 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1986 goto nla_put_failure;
1988 if (expr->ops->dump) {
1989 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1991 goto nla_put_failure;
1992 if (expr->ops->dump(skb, expr) < 0)
1993 goto nla_put_failure;
1994 nla_nest_end(skb, data);
2003 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2004 const struct nft_expr *expr)
2006 struct nlattr *nest;
2008 nest = nla_nest_start(skb, attr);
2010 goto nla_put_failure;
2011 if (nf_tables_fill_expr_info(skb, expr) < 0)
2012 goto nla_put_failure;
2013 nla_nest_end(skb, nest);
2020 struct nft_expr_info {
2021 const struct nft_expr_ops *ops;
2022 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2025 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2026 const struct nlattr *nla,
2027 struct nft_expr_info *info)
2029 const struct nft_expr_type *type;
2030 const struct nft_expr_ops *ops;
2031 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2034 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
2038 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2040 return PTR_ERR(type);
2042 if (tb[NFTA_EXPR_DATA]) {
2043 err = nla_parse_nested(info->tb, type->maxattr,
2044 tb[NFTA_EXPR_DATA], type->policy, NULL);
2048 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2050 if (type->select_ops != NULL) {
2051 ops = type->select_ops(ctx,
2052 (const struct nlattr * const *)info->tb);
2064 module_put(type->owner);
2068 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2069 const struct nft_expr_info *info,
2070 struct nft_expr *expr)
2072 const struct nft_expr_ops *ops = info->ops;
2077 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2088 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2089 struct nft_expr *expr)
2091 if (expr->ops->destroy)
2092 expr->ops->destroy(ctx, expr);
2093 module_put(expr->ops->type->owner);
2096 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2097 const struct nlattr *nla)
2099 struct nft_expr_info info;
2100 struct nft_expr *expr;
2103 err = nf_tables_expr_parse(ctx, nla, &info);
2108 expr = kzalloc(info.ops->size, GFP_KERNEL);
2112 err = nf_tables_newexpr(ctx, &info, expr);
2120 module_put(info.ops->type->owner);
2122 return ERR_PTR(err);
2125 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2127 nf_tables_expr_destroy(ctx, expr);
2135 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2138 struct nft_rule *rule;
2140 // FIXME: this sucks
2141 list_for_each_entry_rcu(rule, &chain->rules, list) {
2142 if (handle == rule->handle)
2146 return ERR_PTR(-ENOENT);
2149 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2150 const struct nlattr *nla)
2153 return ERR_PTR(-EINVAL);
2155 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2158 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2159 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2160 .len = NFT_TABLE_MAXNAMELEN - 1 },
2161 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2162 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2163 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2164 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2165 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2166 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2167 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2168 .len = NFT_USERDATA_MAXLEN },
2169 [NFTA_RULE_ID] = { .type = NLA_U32 },
2172 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2173 u32 portid, u32 seq, int event,
2174 u32 flags, int family,
2175 const struct nft_table *table,
2176 const struct nft_chain *chain,
2177 const struct nft_rule *rule)
2179 struct nlmsghdr *nlh;
2180 struct nfgenmsg *nfmsg;
2181 const struct nft_expr *expr, *next;
2182 struct nlattr *list;
2183 const struct nft_rule *prule;
2184 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2186 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2188 goto nla_put_failure;
2190 nfmsg = nlmsg_data(nlh);
2191 nfmsg->nfgen_family = family;
2192 nfmsg->version = NFNETLINK_V0;
2193 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2195 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2196 goto nla_put_failure;
2197 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2198 goto nla_put_failure;
2199 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2201 goto nla_put_failure;
2203 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2204 prule = list_prev_entry(rule, list);
2205 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2206 cpu_to_be64(prule->handle),
2208 goto nla_put_failure;
2211 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2213 goto nla_put_failure;
2214 nft_rule_for_each_expr(expr, next, rule) {
2215 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2216 goto nla_put_failure;
2218 nla_nest_end(skb, list);
2221 struct nft_userdata *udata = nft_userdata(rule);
2222 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2224 goto nla_put_failure;
2227 nlmsg_end(skb, nlh);
2231 nlmsg_trim(skb, nlh);
2235 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2236 const struct nft_rule *rule, int event)
2238 struct sk_buff *skb;
2242 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2245 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2249 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2250 event, 0, ctx->family, ctx->table,
2257 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2258 ctx->report, GFP_KERNEL);
2261 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2264 struct nft_rule_dump_ctx {
2269 static int nf_tables_dump_rules(struct sk_buff *skb,
2270 struct netlink_callback *cb)
2272 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2273 const struct nft_rule_dump_ctx *ctx = cb->data;
2274 const struct nft_table *table;
2275 const struct nft_chain *chain;
2276 const struct nft_rule *rule;
2277 unsigned int idx = 0, s_idx = cb->args[0];
2278 struct net *net = sock_net(skb->sk);
2279 int family = nfmsg->nfgen_family;
2282 cb->seq = net->nft.base_seq;
2284 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2285 if (family != NFPROTO_UNSPEC && family != table->family)
2288 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2291 list_for_each_entry_rcu(chain, &table->chains, list) {
2292 if (ctx && ctx->chain &&
2293 strcmp(ctx->chain, chain->name) != 0)
2296 list_for_each_entry_rcu(rule, &chain->rules, list) {
2297 if (!nft_is_active(net, rule))
2302 memset(&cb->args[1], 0,
2303 sizeof(cb->args) - sizeof(cb->args[0]));
2304 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2307 NLM_F_MULTI | NLM_F_APPEND,
2309 table, chain, rule) < 0)
2312 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2325 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2327 const struct nlattr * const *nla = cb->data;
2328 struct nft_rule_dump_ctx *ctx = NULL;
2330 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2331 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2335 if (nla[NFTA_RULE_TABLE]) {
2336 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2343 if (nla[NFTA_RULE_CHAIN]) {
2344 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2358 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2360 struct nft_rule_dump_ctx *ctx = cb->data;
2370 /* called with rcu_read_lock held */
2371 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2372 struct sk_buff *skb, const struct nlmsghdr *nlh,
2373 const struct nlattr * const nla[],
2374 struct netlink_ext_ack *extack)
2376 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2377 u8 genmask = nft_genmask_cur(net);
2378 const struct nft_chain *chain;
2379 const struct nft_rule *rule;
2380 struct nft_table *table;
2381 struct sk_buff *skb2;
2382 int family = nfmsg->nfgen_family;
2385 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2386 struct netlink_dump_control c = {
2387 .start= nf_tables_dump_rules_start,
2388 .dump = nf_tables_dump_rules,
2389 .done = nf_tables_dump_rules_done,
2390 .module = THIS_MODULE,
2391 .data = (void *)nla,
2394 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2397 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2398 if (IS_ERR(table)) {
2399 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2400 return PTR_ERR(table);
2403 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2404 if (IS_ERR(chain)) {
2405 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2406 return PTR_ERR(chain);
2409 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2411 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2412 return PTR_ERR(rule);
2415 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2419 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2420 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2421 family, table, chain, rule);
2425 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2432 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2433 struct nft_rule *rule)
2435 struct nft_expr *expr;
2437 lockdep_assert_held(&ctx->net->nft.commit_mutex);
2439 * Careful: some expressions might not be initialized in case this
2440 * is called on error from nf_tables_newrule().
2442 expr = nft_expr_first(rule);
2443 while (expr != nft_expr_last(rule) && expr->ops) {
2444 nf_tables_expr_destroy(ctx, expr);
2445 expr = nft_expr_next(expr);
2450 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2451 struct nft_rule *rule)
2453 nft_rule_expr_deactivate(ctx, rule);
2454 nf_tables_rule_destroy(ctx, rule);
2457 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2459 struct nft_expr *expr, *last;
2460 const struct nft_data *data;
2461 struct nft_rule *rule;
2464 if (ctx->level == NFT_JUMP_STACK_SIZE)
2467 list_for_each_entry(rule, &chain->rules, list) {
2468 if (!nft_is_active_next(ctx->net, rule))
2471 nft_rule_for_each_expr(expr, last, rule) {
2472 if (!expr->ops->validate)
2475 err = expr->ops->validate(ctx, expr, &data);
2483 EXPORT_SYMBOL_GPL(nft_chain_validate);
2485 static int nft_table_validate(struct net *net, const struct nft_table *table)
2487 struct nft_chain *chain;
2488 struct nft_ctx ctx = {
2490 .family = table->family,
2494 list_for_each_entry(chain, &table->chains, list) {
2495 if (!nft_is_base_chain(chain))
2499 err = nft_chain_validate(&ctx, chain);
2507 #define NFT_RULE_MAXEXPRS 128
2509 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2510 struct sk_buff *skb, const struct nlmsghdr *nlh,
2511 const struct nlattr * const nla[],
2512 struct netlink_ext_ack *extack)
2514 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2515 u8 genmask = nft_genmask_next(net);
2516 struct nft_expr_info *info = NULL;
2517 int family = nfmsg->nfgen_family;
2518 struct nft_table *table;
2519 struct nft_chain *chain;
2520 struct nft_rule *rule, *old_rule = NULL;
2521 struct nft_userdata *udata;
2522 struct nft_trans *trans = NULL;
2523 struct nft_expr *expr;
2526 unsigned int size, i, n, ulen = 0, usize = 0;
2528 u64 handle, pos_handle;
2530 lockdep_assert_held(&net->nft.commit_mutex);
2532 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2533 if (IS_ERR(table)) {
2534 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2535 return PTR_ERR(table);
2538 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2539 if (IS_ERR(chain)) {
2540 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2541 return PTR_ERR(chain);
2544 if (nla[NFTA_RULE_HANDLE]) {
2545 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2546 rule = __nft_rule_lookup(chain, handle);
2548 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2549 return PTR_ERR(rule);
2552 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2553 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2556 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2561 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2562 nlh->nlmsg_flags & NLM_F_REPLACE)
2564 handle = nf_tables_alloc_handle(table);
2566 if (chain->use == UINT_MAX)
2570 if (nla[NFTA_RULE_POSITION]) {
2571 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2574 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2575 old_rule = __nft_rule_lookup(chain, pos_handle);
2576 if (IS_ERR(old_rule)) {
2577 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2578 return PTR_ERR(old_rule);
2582 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2586 if (nla[NFTA_RULE_EXPRESSIONS]) {
2587 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2588 sizeof(struct nft_expr_info),
2593 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2595 if (nla_type(tmp) != NFTA_LIST_ELEM)
2597 if (n == NFT_RULE_MAXEXPRS)
2599 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2602 size += info[n].ops->size;
2606 /* Check for overflow of dlen field */
2608 if (size >= 1 << 12)
2611 if (nla[NFTA_RULE_USERDATA]) {
2612 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2614 usize = sizeof(struct nft_userdata) + ulen;
2618 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2622 nft_activate_next(net, rule);
2624 rule->handle = handle;
2626 rule->udata = ulen ? 1 : 0;
2629 udata = nft_userdata(rule);
2630 udata->len = ulen - 1;
2631 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2634 expr = nft_expr_first(rule);
2635 for (i = 0; i < n; i++) {
2636 err = nf_tables_newexpr(&ctx, &info[i], expr);
2640 if (info[i].ops->validate)
2641 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2644 expr = nft_expr_next(expr);
2647 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2648 if (!nft_is_active_next(net, old_rule)) {
2652 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2654 if (trans == NULL) {
2658 nft_deactivate_next(net, old_rule);
2661 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2666 list_add_tail_rcu(&rule->list, &old_rule->list);
2668 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2673 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2675 list_add_rcu(&rule->list, &old_rule->list);
2677 list_add_tail_rcu(&rule->list, &chain->rules);
2680 list_add_tail_rcu(&rule->list, &old_rule->list);
2682 list_add_rcu(&rule->list, &chain->rules);
2688 if (net->nft.validate_state == NFT_VALIDATE_DO)
2689 return nft_table_validate(net, table);
2693 nf_tables_rule_release(&ctx, rule);
2695 for (i = 0; i < n; i++) {
2696 if (info[i].ops != NULL)
2697 module_put(info[i].ops->type->owner);
2703 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2704 const struct nlattr *nla)
2706 u32 id = ntohl(nla_get_be32(nla));
2707 struct nft_trans *trans;
2709 list_for_each_entry(trans, &net->nft.commit_list, list) {
2710 struct nft_rule *rule = nft_trans_rule(trans);
2712 if (trans->msg_type == NFT_MSG_NEWRULE &&
2713 id == nft_trans_rule_id(trans))
2716 return ERR_PTR(-ENOENT);
2719 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2720 struct sk_buff *skb, const struct nlmsghdr *nlh,
2721 const struct nlattr * const nla[],
2722 struct netlink_ext_ack *extack)
2724 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2725 u8 genmask = nft_genmask_next(net);
2726 struct nft_table *table;
2727 struct nft_chain *chain = NULL;
2728 struct nft_rule *rule;
2729 int family = nfmsg->nfgen_family, err = 0;
2732 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2733 if (IS_ERR(table)) {
2734 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2735 return PTR_ERR(table);
2738 if (nla[NFTA_RULE_CHAIN]) {
2739 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2741 if (IS_ERR(chain)) {
2742 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2743 return PTR_ERR(chain);
2747 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2750 if (nla[NFTA_RULE_HANDLE]) {
2751 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2753 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2754 return PTR_ERR(rule);
2757 err = nft_delrule(&ctx, rule);
2758 } else if (nla[NFTA_RULE_ID]) {
2759 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2761 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2762 return PTR_ERR(rule);
2765 err = nft_delrule(&ctx, rule);
2767 err = nft_delrule_by_chain(&ctx);
2770 list_for_each_entry(chain, &table->chains, list) {
2771 if (!nft_is_active_next(net, chain))
2775 err = nft_delrule_by_chain(&ctx);
2788 static LIST_HEAD(nf_tables_set_types);
2790 int nft_register_set(struct nft_set_type *type)
2792 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2793 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2794 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2797 EXPORT_SYMBOL_GPL(nft_register_set);
2799 void nft_unregister_set(struct nft_set_type *type)
2801 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2802 list_del_rcu(&type->list);
2803 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2805 EXPORT_SYMBOL_GPL(nft_unregister_set);
2807 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2808 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2811 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2813 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2817 * Select a set implementation based on the data characteristics and the
2818 * given policy. The total memory use might not be known if no size is
2819 * given, in that case the amount of memory per element is used.
2821 static const struct nft_set_ops *
2822 nft_select_set_ops(const struct nft_ctx *ctx,
2823 const struct nlattr * const nla[],
2824 const struct nft_set_desc *desc,
2825 enum nft_set_policies policy)
2827 const struct nft_set_ops *ops, *bops;
2828 struct nft_set_estimate est, best;
2829 const struct nft_set_type *type;
2832 lockdep_assert_held(&ctx->net->nft.commit_mutex);
2833 lockdep_nfnl_nft_mutex_not_held();
2834 #ifdef CONFIG_MODULES
2835 if (list_empty(&nf_tables_set_types)) {
2836 nft_request_module(ctx->net, "nft-set");
2837 if (!list_empty(&nf_tables_set_types))
2838 return ERR_PTR(-EAGAIN);
2841 if (nla[NFTA_SET_FLAGS] != NULL)
2842 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2849 list_for_each_entry(type, &nf_tables_set_types, list) {
2852 if (!nft_set_ops_candidate(type, flags))
2854 if (!ops->estimate(desc, flags, &est))
2858 case NFT_SET_POL_PERFORMANCE:
2859 if (est.lookup < best.lookup)
2861 if (est.lookup == best.lookup &&
2862 est.space < best.space)
2865 case NFT_SET_POL_MEMORY:
2867 if (est.space < best.space)
2869 if (est.space == best.space &&
2870 est.lookup < best.lookup)
2872 } else if (est.size < best.size || !bops) {
2880 if (!try_module_get(type->owner))
2883 module_put(to_set_type(bops)->owner);
2892 return ERR_PTR(-EOPNOTSUPP);
2895 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2896 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2897 .len = NFT_TABLE_MAXNAMELEN - 1 },
2898 [NFTA_SET_NAME] = { .type = NLA_STRING,
2899 .len = NFT_SET_MAXNAMELEN - 1 },
2900 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2901 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2902 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2903 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2904 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2905 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2906 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2907 [NFTA_SET_ID] = { .type = NLA_U32 },
2908 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2909 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2910 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2911 .len = NFT_USERDATA_MAXLEN },
2912 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2913 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2916 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2917 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2920 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2921 const struct sk_buff *skb,
2922 const struct nlmsghdr *nlh,
2923 const struct nlattr * const nla[],
2924 struct netlink_ext_ack *extack,
2927 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2928 int family = nfmsg->nfgen_family;
2929 struct nft_table *table = NULL;
2931 if (nla[NFTA_SET_TABLE] != NULL) {
2932 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
2934 if (IS_ERR(table)) {
2935 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
2936 return PTR_ERR(table);
2940 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2944 static struct nft_set *nft_set_lookup(const struct nft_table *table,
2945 const struct nlattr *nla, u8 genmask)
2947 struct nft_set *set;
2950 return ERR_PTR(-EINVAL);
2952 list_for_each_entry_rcu(set, &table->sets, list) {
2953 if (!nla_strcmp(nla, set->name) &&
2954 nft_active_genmask(set, genmask))
2957 return ERR_PTR(-ENOENT);
2960 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
2961 const struct nlattr *nla,
2964 struct nft_set *set;
2966 list_for_each_entry(set, &table->sets, list) {
2967 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2968 nft_active_genmask(set, genmask))
2971 return ERR_PTR(-ENOENT);
2974 static struct nft_set *nft_set_lookup_byid(const struct net *net,
2975 const struct nlattr *nla, u8 genmask)
2977 struct nft_trans *trans;
2978 u32 id = ntohl(nla_get_be32(nla));
2980 list_for_each_entry(trans, &net->nft.commit_list, list) {
2981 if (trans->msg_type == NFT_MSG_NEWSET) {
2982 struct nft_set *set = nft_trans_set(trans);
2984 if (id == nft_trans_set_id(trans) &&
2985 nft_active_genmask(set, genmask))
2989 return ERR_PTR(-ENOENT);
2992 struct nft_set *nft_set_lookup_global(const struct net *net,
2993 const struct nft_table *table,
2994 const struct nlattr *nla_set_name,
2995 const struct nlattr *nla_set_id,
2998 struct nft_set *set;
3000 set = nft_set_lookup(table, nla_set_name, genmask);
3005 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3009 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3011 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3014 const struct nft_set *i;
3016 unsigned long *inuse;
3017 unsigned int n = 0, min = 0;
3019 p = strchr(name, '%');
3021 if (p[1] != 'd' || strchr(p + 2, '%'))
3024 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3028 list_for_each_entry(i, &ctx->table->sets, list) {
3031 if (!nft_is_active_next(ctx->net, set))
3033 if (!sscanf(i->name, name, &tmp))
3035 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3038 set_bit(tmp - min, inuse);
3041 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3042 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3043 min += BITS_PER_BYTE * PAGE_SIZE;
3044 memset(inuse, 0, PAGE_SIZE);
3047 free_page((unsigned long)inuse);
3050 set->name = kasprintf(GFP_KERNEL, name, min + n);
3054 list_for_each_entry(i, &ctx->table->sets, list) {
3055 if (!nft_is_active_next(ctx->net, i))
3057 if (!strcmp(set->name, i->name)) {
3065 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3067 u64 ms = be64_to_cpu(nla_get_be64(nla));
3068 u64 max = (u64)(~((u64)0));
3070 max = div_u64(max, NSEC_PER_MSEC);
3074 ms *= NSEC_PER_MSEC;
3075 *result = nsecs_to_jiffies64(ms);
3079 static __be64 nf_jiffies64_to_msecs(u64 input)
3081 u64 ms = jiffies64_to_nsecs(input);
3083 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
3086 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3087 const struct nft_set *set, u16 event, u16 flags)
3089 struct nfgenmsg *nfmsg;
3090 struct nlmsghdr *nlh;
3091 struct nlattr *desc;
3092 u32 portid = ctx->portid;
3095 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3096 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3099 goto nla_put_failure;
3101 nfmsg = nlmsg_data(nlh);
3102 nfmsg->nfgen_family = ctx->family;
3103 nfmsg->version = NFNETLINK_V0;
3104 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3106 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3107 goto nla_put_failure;
3108 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3109 goto nla_put_failure;
3110 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3112 goto nla_put_failure;
3113 if (set->flags != 0)
3114 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3115 goto nla_put_failure;
3117 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3118 goto nla_put_failure;
3119 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3120 goto nla_put_failure;
3121 if (set->flags & NFT_SET_MAP) {
3122 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3123 goto nla_put_failure;
3124 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3125 goto nla_put_failure;
3127 if (set->flags & NFT_SET_OBJECT &&
3128 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3129 goto nla_put_failure;
3132 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3133 nf_jiffies64_to_msecs(set->timeout),
3135 goto nla_put_failure;
3137 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3138 goto nla_put_failure;
3140 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3141 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3142 goto nla_put_failure;
3145 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3146 goto nla_put_failure;
3148 desc = nla_nest_start(skb, NFTA_SET_DESC);
3150 goto nla_put_failure;
3152 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3153 goto nla_put_failure;
3154 nla_nest_end(skb, desc);
3156 nlmsg_end(skb, nlh);
3160 nlmsg_trim(skb, nlh);
3164 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3165 const struct nft_set *set, int event,
3168 struct sk_buff *skb;
3169 u32 portid = ctx->portid;
3173 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3176 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3180 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3186 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3190 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3193 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3195 const struct nft_set *set;
3196 unsigned int idx, s_idx = cb->args[0];
3197 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3198 struct net *net = sock_net(skb->sk);
3199 struct nft_ctx *ctx = cb->data, ctx_set;
3205 cb->seq = net->nft.base_seq;
3207 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3208 if (ctx->family != NFPROTO_UNSPEC &&
3209 ctx->family != table->family)
3212 if (ctx->table && ctx->table != table)
3216 if (cur_table != table)
3222 list_for_each_entry_rcu(set, &table->sets, list) {
3225 if (!nft_is_active(net, set))
3229 ctx_set.table = table;
3230 ctx_set.family = table->family;
3232 if (nf_tables_fill_set(skb, &ctx_set, set,
3236 cb->args[2] = (unsigned long) table;
3239 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3252 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3254 struct nft_ctx *ctx_dump = NULL;
3256 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3257 if (ctx_dump == NULL)
3260 cb->data = ctx_dump;
3264 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3270 /* called with rcu_read_lock held */
3271 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3272 struct sk_buff *skb, const struct nlmsghdr *nlh,
3273 const struct nlattr * const nla[],
3274 struct netlink_ext_ack *extack)
3276 u8 genmask = nft_genmask_cur(net);
3277 const struct nft_set *set;
3279 struct sk_buff *skb2;
3280 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3283 /* Verify existence before starting dump */
3284 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3289 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3290 struct netlink_dump_control c = {
3291 .start = nf_tables_dump_sets_start,
3292 .dump = nf_tables_dump_sets,
3293 .done = nf_tables_dump_sets_done,
3295 .module = THIS_MODULE,
3298 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3301 /* Only accept unspec with dump */
3302 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3303 return -EAFNOSUPPORT;
3304 if (!nla[NFTA_SET_TABLE])
3307 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3309 return PTR_ERR(set);
3311 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3315 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3319 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3326 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3327 struct nft_set_desc *desc,
3328 const struct nlattr *nla)
3330 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3333 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3334 nft_set_desc_policy, NULL);
3338 if (da[NFTA_SET_DESC_SIZE] != NULL)
3339 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3344 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3345 struct sk_buff *skb, const struct nlmsghdr *nlh,
3346 const struct nlattr * const nla[],
3347 struct netlink_ext_ack *extack)
3349 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3350 u8 genmask = nft_genmask_next(net);
3351 int family = nfmsg->nfgen_family;
3352 const struct nft_set_ops *ops;
3353 struct nft_table *table;
3354 struct nft_set *set;
3359 u32 ktype, dtype, flags, policy, gc_int, objtype;
3360 struct nft_set_desc desc;
3361 unsigned char *udata;
3365 if (nla[NFTA_SET_TABLE] == NULL ||
3366 nla[NFTA_SET_NAME] == NULL ||
3367 nla[NFTA_SET_KEY_LEN] == NULL ||
3368 nla[NFTA_SET_ID] == NULL)
3371 memset(&desc, 0, sizeof(desc));
3373 ktype = NFT_DATA_VALUE;
3374 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3375 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3376 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3380 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3381 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3385 if (nla[NFTA_SET_FLAGS] != NULL) {
3386 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3387 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3388 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3389 NFT_SET_MAP | NFT_SET_EVAL |
3392 /* Only one of these operations is supported */
3393 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3394 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3399 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3400 if (!(flags & NFT_SET_MAP))
3403 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3404 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3405 dtype != NFT_DATA_VERDICT)
3408 if (dtype != NFT_DATA_VERDICT) {
3409 if (nla[NFTA_SET_DATA_LEN] == NULL)
3411 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3412 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3415 desc.dlen = sizeof(struct nft_verdict);
3416 } else if (flags & NFT_SET_MAP)
3419 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3420 if (!(flags & NFT_SET_OBJECT))
3423 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3424 if (objtype == NFT_OBJECT_UNSPEC ||
3425 objtype > NFT_OBJECT_MAX)
3427 } else if (flags & NFT_SET_OBJECT)
3430 objtype = NFT_OBJECT_UNSPEC;
3433 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3434 if (!(flags & NFT_SET_TIMEOUT))
3437 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3442 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3443 if (!(flags & NFT_SET_TIMEOUT))
3445 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3448 policy = NFT_SET_POL_PERFORMANCE;
3449 if (nla[NFTA_SET_POLICY] != NULL)
3450 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3452 if (nla[NFTA_SET_DESC] != NULL) {
3453 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3458 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3459 if (IS_ERR(table)) {
3460 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3461 return PTR_ERR(table);
3464 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3466 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3468 if (PTR_ERR(set) != -ENOENT) {
3469 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3470 return PTR_ERR(set);
3473 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3474 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3477 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3483 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3486 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3488 return PTR_ERR(ops);
3491 if (nla[NFTA_SET_USERDATA])
3492 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3495 if (ops->privsize != NULL)
3496 size = ops->privsize(nla, &desc);
3498 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3504 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3510 err = nf_tables_set_alloc_name(&ctx, set, name);
3517 udata = set->data + size;
3518 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3521 INIT_LIST_HEAD(&set->bindings);
3523 write_pnet(&set->net, net);
3526 set->klen = desc.klen;
3528 set->objtype = objtype;
3529 set->dlen = desc.dlen;
3531 set->size = desc.size;
3532 set->policy = policy;
3535 set->timeout = timeout;
3536 set->gc_int = gc_int;
3537 set->handle = nf_tables_alloc_handle(table);
3539 err = ops->init(set, &desc, nla);
3543 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3547 list_add_tail_rcu(&set->list, &table->sets);
3558 module_put(to_set_type(ops)->owner);
3562 static void nft_set_destroy(struct nft_set *set)
3564 set->ops->destroy(set);
3565 module_put(to_set_type(set->ops)->owner);
3570 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3572 list_del_rcu(&set->list);
3573 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3574 nft_set_destroy(set);
3577 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3578 struct sk_buff *skb, const struct nlmsghdr *nlh,
3579 const struct nlattr * const nla[],
3580 struct netlink_ext_ack *extack)
3582 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3583 u8 genmask = nft_genmask_next(net);
3584 const struct nlattr *attr;
3585 struct nft_set *set;
3589 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3590 return -EAFNOSUPPORT;
3591 if (nla[NFTA_SET_TABLE] == NULL)
3594 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3599 if (nla[NFTA_SET_HANDLE]) {
3600 attr = nla[NFTA_SET_HANDLE];
3601 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3603 attr = nla[NFTA_SET_NAME];
3604 set = nft_set_lookup(ctx.table, attr, genmask);
3608 NL_SET_BAD_ATTR(extack, attr);
3609 return PTR_ERR(set);
3611 if (!list_empty(&set->bindings) ||
3612 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3613 NL_SET_BAD_ATTR(extack, attr);
3617 return nft_delset(&ctx, set);
3620 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3621 struct nft_set *set,
3622 const struct nft_set_iter *iter,
3623 struct nft_set_elem *elem)
3625 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3626 enum nft_registers dreg;
3628 dreg = nft_type_to_reg(set->dtype);
3629 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3630 set->dtype == NFT_DATA_VERDICT ?
3631 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3635 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3636 struct nft_set_binding *binding)
3638 struct nft_set_binding *i;
3639 struct nft_set_iter iter;
3641 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3644 if (binding->flags & NFT_SET_MAP) {
3645 /* If the set is already bound to the same chain all
3646 * jumps are already validated for that chain.
3648 list_for_each_entry(i, &set->bindings, list) {
3649 if (i->flags & NFT_SET_MAP &&
3650 i->chain == binding->chain)
3654 iter.genmask = nft_genmask_next(ctx->net);
3658 iter.fn = nf_tables_bind_check_setelem;
3660 set->ops->walk(ctx, set, &iter);
3665 binding->chain = ctx->chain;
3666 list_add_tail_rcu(&binding->list, &set->bindings);
3669 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3671 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3672 struct nft_set_binding *binding)
3674 list_del_rcu(&binding->list);
3676 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3677 nft_is_active(ctx->net, set))
3678 nf_tables_set_destroy(ctx, set);
3680 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3682 const struct nft_set_ext_type nft_set_ext_types[] = {
3683 [NFT_SET_EXT_KEY] = {
3684 .align = __alignof__(u32),
3686 [NFT_SET_EXT_DATA] = {
3687 .align = __alignof__(u32),
3689 [NFT_SET_EXT_EXPR] = {
3690 .align = __alignof__(struct nft_expr),
3692 [NFT_SET_EXT_OBJREF] = {
3693 .len = sizeof(struct nft_object *),
3694 .align = __alignof__(struct nft_object *),
3696 [NFT_SET_EXT_FLAGS] = {
3698 .align = __alignof__(u8),
3700 [NFT_SET_EXT_TIMEOUT] = {
3702 .align = __alignof__(u64),
3704 [NFT_SET_EXT_EXPIRATION] = {
3706 .align = __alignof__(u64),
3708 [NFT_SET_EXT_USERDATA] = {
3709 .len = sizeof(struct nft_userdata),
3710 .align = __alignof__(struct nft_userdata),
3713 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3719 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3720 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3721 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3722 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3723 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3724 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3725 .len = NFT_USERDATA_MAXLEN },
3726 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3727 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3730 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3731 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3732 .len = NFT_TABLE_MAXNAMELEN - 1 },
3733 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3734 .len = NFT_SET_MAXNAMELEN - 1 },
3735 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3736 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3739 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3740 const struct sk_buff *skb,
3741 const struct nlmsghdr *nlh,
3742 const struct nlattr * const nla[],
3743 struct netlink_ext_ack *extack,
3746 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3747 int family = nfmsg->nfgen_family;
3748 struct nft_table *table;
3750 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3752 if (IS_ERR(table)) {
3753 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3754 return PTR_ERR(table);
3757 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3761 static int nf_tables_fill_setelem(struct sk_buff *skb,
3762 const struct nft_set *set,
3763 const struct nft_set_elem *elem)
3765 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3766 unsigned char *b = skb_tail_pointer(skb);
3767 struct nlattr *nest;
3769 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3771 goto nla_put_failure;
3773 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3774 NFT_DATA_VALUE, set->klen) < 0)
3775 goto nla_put_failure;
3777 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3778 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3779 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3781 goto nla_put_failure;
3783 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3784 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3785 goto nla_put_failure;
3787 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3788 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3789 (*nft_set_ext_obj(ext))->name) < 0)
3790 goto nla_put_failure;
3792 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3793 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3794 htonl(*nft_set_ext_flags(ext))))
3795 goto nla_put_failure;
3797 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3798 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3799 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3801 goto nla_put_failure;
3803 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3804 u64 expires, now = get_jiffies_64();
3806 expires = *nft_set_ext_expiration(ext);
3807 if (time_before64(now, expires))
3812 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3813 nf_jiffies64_to_msecs(expires),
3815 goto nla_put_failure;
3818 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3819 struct nft_userdata *udata;
3821 udata = nft_set_ext_userdata(ext);
3822 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3823 udata->len + 1, udata->data))
3824 goto nla_put_failure;
3827 nla_nest_end(skb, nest);
3835 struct nft_set_dump_args {
3836 const struct netlink_callback *cb;
3837 struct nft_set_iter iter;
3838 struct sk_buff *skb;
3841 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3842 struct nft_set *set,
3843 const struct nft_set_iter *iter,
3844 struct nft_set_elem *elem)
3846 struct nft_set_dump_args *args;
3848 args = container_of(iter, struct nft_set_dump_args, iter);
3849 return nf_tables_fill_setelem(args->skb, set, elem);
3852 struct nft_set_dump_ctx {
3853 const struct nft_set *set;
3857 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3859 struct nft_set_dump_ctx *dump_ctx = cb->data;
3860 struct net *net = sock_net(skb->sk);
3861 struct nft_table *table;
3862 struct nft_set *set;
3863 struct nft_set_dump_args args;
3864 bool set_found = false;
3865 struct nfgenmsg *nfmsg;
3866 struct nlmsghdr *nlh;
3867 struct nlattr *nest;
3872 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3873 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3874 dump_ctx->ctx.family != table->family)
3877 if (table != dump_ctx->ctx.table)
3880 list_for_each_entry_rcu(set, &table->sets, list) {
3881 if (set == dump_ctx->set) {
3894 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3895 portid = NETLINK_CB(cb->skb).portid;
3896 seq = cb->nlh->nlmsg_seq;
3898 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3901 goto nla_put_failure;
3903 nfmsg = nlmsg_data(nlh);
3904 nfmsg->nfgen_family = table->family;
3905 nfmsg->version = NFNETLINK_V0;
3906 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3908 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3909 goto nla_put_failure;
3910 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3911 goto nla_put_failure;
3913 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3915 goto nla_put_failure;
3919 args.iter.genmask = nft_genmask_cur(net);
3920 args.iter.skip = cb->args[0];
3921 args.iter.count = 0;
3923 args.iter.fn = nf_tables_dump_setelem;
3924 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3927 nla_nest_end(skb, nest);
3928 nlmsg_end(skb, nlh);
3930 if (args.iter.err && args.iter.err != -EMSGSIZE)
3931 return args.iter.err;
3932 if (args.iter.count == cb->args[0])
3935 cb->args[0] = args.iter.count;
3943 static int nf_tables_dump_set_start(struct netlink_callback *cb)
3945 struct nft_set_dump_ctx *dump_ctx = cb->data;
3947 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
3949 return cb->data ? 0 : -ENOMEM;
3952 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3958 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3959 const struct nft_ctx *ctx, u32 seq,
3960 u32 portid, int event, u16 flags,
3961 const struct nft_set *set,
3962 const struct nft_set_elem *elem)
3964 struct nfgenmsg *nfmsg;
3965 struct nlmsghdr *nlh;
3966 struct nlattr *nest;
3969 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3970 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3973 goto nla_put_failure;
3975 nfmsg = nlmsg_data(nlh);
3976 nfmsg->nfgen_family = ctx->family;
3977 nfmsg->version = NFNETLINK_V0;
3978 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3980 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3981 goto nla_put_failure;
3982 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3983 goto nla_put_failure;
3985 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3987 goto nla_put_failure;
3989 err = nf_tables_fill_setelem(skb, set, elem);
3991 goto nla_put_failure;
3993 nla_nest_end(skb, nest);
3995 nlmsg_end(skb, nlh);
3999 nlmsg_trim(skb, nlh);
4003 static int nft_setelem_parse_flags(const struct nft_set *set,
4004 const struct nlattr *attr, u32 *flags)
4009 *flags = ntohl(nla_get_be32(attr));
4010 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4012 if (!(set->flags & NFT_SET_INTERVAL) &&
4013 *flags & NFT_SET_ELEM_INTERVAL_END)
4019 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4020 const struct nlattr *attr)
4022 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4023 struct nft_data_desc desc;
4024 struct nft_set_elem elem;
4025 struct sk_buff *skb;
4030 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4031 nft_set_elem_policy, NULL);
4035 if (!nla[NFTA_SET_ELEM_KEY])
4038 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4042 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4043 nla[NFTA_SET_ELEM_KEY]);
4048 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4051 priv = set->ops->get(ctx->net, set, &elem, flags);
4053 return PTR_ERR(priv);
4058 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4062 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4063 NFT_MSG_NEWSETELEM, 0, set, &elem);
4067 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4068 /* This avoids a loop in nfnetlink. */
4076 /* this avoids a loop in nfnetlink. */
4077 return err == -EAGAIN ? -ENOBUFS : err;
4080 /* called with rcu_read_lock held */
4081 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4082 struct sk_buff *skb, const struct nlmsghdr *nlh,
4083 const struct nlattr * const nla[],
4084 struct netlink_ext_ack *extack)
4086 u8 genmask = nft_genmask_cur(net);
4087 struct nft_set *set;
4088 struct nlattr *attr;
4092 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4097 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4099 return PTR_ERR(set);
4101 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4102 struct netlink_dump_control c = {
4103 .start = nf_tables_dump_set_start,
4104 .dump = nf_tables_dump_set,
4105 .done = nf_tables_dump_set_done,
4106 .module = THIS_MODULE,
4108 struct nft_set_dump_ctx dump_ctx = {
4114 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4117 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4120 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4121 err = nft_get_set_elem(&ctx, set, attr);
4129 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4130 const struct nft_set *set,
4131 const struct nft_set_elem *elem,
4132 int event, u16 flags)
4134 struct net *net = ctx->net;
4135 u32 portid = ctx->portid;
4136 struct sk_buff *skb;
4139 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4142 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4146 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4153 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4157 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4160 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4162 struct nft_set *set)
4164 struct nft_trans *trans;
4166 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4170 nft_trans_elem_set(trans) = set;
4174 void *nft_set_elem_init(const struct nft_set *set,
4175 const struct nft_set_ext_tmpl *tmpl,
4176 const u32 *key, const u32 *data,
4177 u64 timeout, gfp_t gfp)
4179 struct nft_set_ext *ext;
4182 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4186 ext = nft_set_elem_ext(set, elem);
4187 nft_set_ext_init(ext, tmpl);
4189 memcpy(nft_set_ext_key(ext), key, set->klen);
4190 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4191 memcpy(nft_set_ext_data(ext), data, set->dlen);
4192 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4193 *nft_set_ext_expiration(ext) =
4194 get_jiffies_64() + timeout;
4195 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4196 *nft_set_ext_timeout(ext) = timeout;
4201 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4204 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4205 struct nft_ctx ctx = {
4206 .net = read_pnet(&set->net),
4207 .family = set->table->family,
4210 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4211 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4212 nft_data_release(nft_set_ext_data(ext), set->dtype);
4213 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4214 struct nft_expr *expr = nft_set_ext_expr(ext);
4216 if (expr->ops->destroy_clone) {
4217 expr->ops->destroy_clone(&ctx, expr);
4218 module_put(expr->ops->type->owner);
4220 nf_tables_expr_destroy(&ctx, expr);
4223 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4224 (*nft_set_ext_obj(ext))->use--;
4227 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4229 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4230 * the refcounting from the preparation phase.
4232 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4233 const struct nft_set *set, void *elem)
4235 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4237 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4238 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4242 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4243 const struct nlattr *attr, u32 nlmsg_flags)
4245 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4246 u8 genmask = nft_genmask_next(ctx->net);
4247 struct nft_data_desc d1, d2;
4248 struct nft_set_ext_tmpl tmpl;
4249 struct nft_set_ext *ext, *ext2;
4250 struct nft_set_elem elem;
4251 struct nft_set_binding *binding;
4252 struct nft_object *obj = NULL;
4253 struct nft_userdata *udata;
4254 struct nft_data data;
4255 enum nft_registers dreg;
4256 struct nft_trans *trans;
4262 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4263 nft_set_elem_policy, NULL);
4267 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4270 nft_set_ext_prepare(&tmpl);
4272 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4276 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4278 if (set->flags & NFT_SET_MAP) {
4279 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4280 !(flags & NFT_SET_ELEM_INTERVAL_END))
4282 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4283 flags & NFT_SET_ELEM_INTERVAL_END)
4286 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4291 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4292 if (!(set->flags & NFT_SET_TIMEOUT))
4294 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4298 } else if (set->flags & NFT_SET_TIMEOUT) {
4299 timeout = set->timeout;
4302 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4303 nla[NFTA_SET_ELEM_KEY]);
4307 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4310 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4312 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4313 if (timeout != set->timeout)
4314 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4317 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4318 if (!(set->flags & NFT_SET_OBJECT)) {
4322 obj = nft_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4323 set->objtype, genmask);
4328 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4331 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4332 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4333 nla[NFTA_SET_ELEM_DATA]);
4338 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4341 dreg = nft_type_to_reg(set->dtype);
4342 list_for_each_entry(binding, &set->bindings, list) {
4343 struct nft_ctx bind_ctx = {
4345 .family = ctx->family,
4346 .table = ctx->table,
4347 .chain = (struct nft_chain *)binding->chain,
4350 if (!(binding->flags & NFT_SET_MAP))
4353 err = nft_validate_register_store(&bind_ctx, dreg,
4359 if (d2.type == NFT_DATA_VERDICT &&
4360 (data.verdict.code == NFT_GOTO ||
4361 data.verdict.code == NFT_JUMP))
4362 nft_validate_state_update(ctx->net,
4366 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4369 /* The full maximum length of userdata can exceed the maximum
4370 * offset value (U8_MAX) for following extensions, therefor it
4371 * must be the last extension added.
4374 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4375 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4377 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4382 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4383 timeout, GFP_KERNEL);
4384 if (elem.priv == NULL)
4387 ext = nft_set_elem_ext(set, elem.priv);
4389 *nft_set_ext_flags(ext) = flags;
4391 udata = nft_set_ext_userdata(ext);
4392 udata->len = ulen - 1;
4393 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4396 *nft_set_ext_obj(ext) = obj;
4400 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4404 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4405 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4407 if (err == -EEXIST) {
4408 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4409 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4410 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4411 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4415 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4416 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4417 memcmp(nft_set_ext_data(ext),
4418 nft_set_ext_data(ext2), set->dlen) != 0) ||
4419 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4420 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4421 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4423 else if (!(nlmsg_flags & NLM_F_EXCL))
4430 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4435 nft_trans_elem(trans) = elem;
4436 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4440 set->ops->remove(ctx->net, set, &elem);
4446 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4447 nft_data_release(&data, d2.type);
4449 nft_data_release(&elem.key.val, d1.type);
4454 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4455 struct sk_buff *skb, const struct nlmsghdr *nlh,
4456 const struct nlattr * const nla[],
4457 struct netlink_ext_ack *extack)
4459 u8 genmask = nft_genmask_next(net);
4460 const struct nlattr *attr;
4461 struct nft_set *set;
4465 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4468 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4473 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4474 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4476 return PTR_ERR(set);
4478 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4481 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4482 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4487 if (net->nft.validate_state == NFT_VALIDATE_DO)
4488 return nft_table_validate(net, ctx.table);
4494 * nft_data_hold - hold a nft_data item
4496 * @data: struct nft_data to release
4497 * @type: type of data
4499 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4500 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4501 * NFT_GOTO verdicts. This function must be called on active data objects
4502 * from the second phase of the commit protocol.
4504 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4506 if (type == NFT_DATA_VERDICT) {
4507 switch (data->verdict.code) {
4510 data->verdict.chain->use++;
4516 static void nft_set_elem_activate(const struct net *net,
4517 const struct nft_set *set,
4518 struct nft_set_elem *elem)
4520 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4522 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4523 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4524 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4525 (*nft_set_ext_obj(ext))->use++;
4528 static void nft_set_elem_deactivate(const struct net *net,
4529 const struct nft_set *set,
4530 struct nft_set_elem *elem)
4532 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4534 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4535 nft_data_release(nft_set_ext_data(ext), set->dtype);
4536 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4537 (*nft_set_ext_obj(ext))->use--;
4540 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4541 const struct nlattr *attr)
4543 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4544 struct nft_set_ext_tmpl tmpl;
4545 struct nft_data_desc desc;
4546 struct nft_set_elem elem;
4547 struct nft_set_ext *ext;
4548 struct nft_trans *trans;
4553 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4554 nft_set_elem_policy, NULL);
4559 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4562 nft_set_ext_prepare(&tmpl);
4564 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4568 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4570 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4571 nla[NFTA_SET_ELEM_KEY]);
4576 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4579 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4582 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4584 if (elem.priv == NULL)
4587 ext = nft_set_elem_ext(set, elem.priv);
4589 *nft_set_ext_flags(ext) = flags;
4591 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4592 if (trans == NULL) {
4597 priv = set->ops->deactivate(ctx->net, set, &elem);
4605 nft_set_elem_deactivate(ctx->net, set, &elem);
4607 nft_trans_elem(trans) = elem;
4608 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4616 nft_data_release(&elem.key.val, desc.type);
4621 static int nft_flush_set(const struct nft_ctx *ctx,
4622 struct nft_set *set,
4623 const struct nft_set_iter *iter,
4624 struct nft_set_elem *elem)
4626 struct nft_trans *trans;
4629 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4630 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4634 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4640 nft_set_elem_deactivate(ctx->net, set, elem);
4641 nft_trans_elem_set(trans) = set;
4642 nft_trans_elem(trans) = *elem;
4643 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4651 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4652 struct sk_buff *skb, const struct nlmsghdr *nlh,
4653 const struct nlattr * const nla[],
4654 struct netlink_ext_ack *extack)
4656 u8 genmask = nft_genmask_next(net);
4657 const struct nlattr *attr;
4658 struct nft_set *set;
4662 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4667 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4669 return PTR_ERR(set);
4670 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4673 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4674 struct nft_set_iter iter = {
4676 .fn = nft_flush_set,
4678 set->ops->walk(&ctx, set, &iter);
4683 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4684 err = nft_del_setelem(&ctx, set, attr);
4693 void nft_set_gc_batch_release(struct rcu_head *rcu)
4695 struct nft_set_gc_batch *gcb;
4698 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4699 for (i = 0; i < gcb->head.cnt; i++)
4700 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4703 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4705 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4708 struct nft_set_gc_batch *gcb;
4710 gcb = kzalloc(sizeof(*gcb), gfp);
4713 gcb->head.set = set;
4716 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4723 * nft_register_obj- register nf_tables stateful object type
4726 * Registers the object type for use with nf_tables. Returns zero on
4727 * success or a negative errno code otherwise.
4729 int nft_register_obj(struct nft_object_type *obj_type)
4731 if (obj_type->type == NFT_OBJECT_UNSPEC)
4734 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4735 list_add_rcu(&obj_type->list, &nf_tables_objects);
4736 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4739 EXPORT_SYMBOL_GPL(nft_register_obj);
4742 * nft_unregister_obj - unregister nf_tables object type
4745 * Unregisters the object type for use with nf_tables.
4747 void nft_unregister_obj(struct nft_object_type *obj_type)
4749 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4750 list_del_rcu(&obj_type->list);
4751 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4753 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4755 struct nft_object *nft_obj_lookup(const struct nft_table *table,
4756 const struct nlattr *nla, u32 objtype,
4759 struct nft_object *obj;
4761 list_for_each_entry_rcu(obj, &table->objects, list) {
4762 if (!nla_strcmp(nla, obj->name) &&
4763 objtype == obj->ops->type->type &&
4764 nft_active_genmask(obj, genmask))
4767 return ERR_PTR(-ENOENT);
4769 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4771 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4772 const struct nlattr *nla,
4773 u32 objtype, u8 genmask)
4775 struct nft_object *obj;
4777 list_for_each_entry(obj, &table->objects, list) {
4778 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4779 objtype == obj->ops->type->type &&
4780 nft_active_genmask(obj, genmask))
4783 return ERR_PTR(-ENOENT);
4786 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4787 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4788 .len = NFT_TABLE_MAXNAMELEN - 1 },
4789 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4790 .len = NFT_OBJ_MAXNAMELEN - 1 },
4791 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4792 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4793 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4796 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4797 const struct nft_object_type *type,
4798 const struct nlattr *attr)
4801 const struct nft_object_ops *ops;
4802 struct nft_object *obj;
4805 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4810 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4815 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4818 if (type->select_ops) {
4819 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4829 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4833 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4846 return ERR_PTR(err);
4849 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4850 struct nft_object *obj, bool reset)
4852 struct nlattr *nest;
4854 nest = nla_nest_start(skb, attr);
4856 goto nla_put_failure;
4857 if (obj->ops->dump(skb, obj, reset) < 0)
4858 goto nla_put_failure;
4859 nla_nest_end(skb, nest);
4866 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4868 const struct nft_object_type *type;
4870 list_for_each_entry(type, &nf_tables_objects, list) {
4871 if (objtype == type->type)
4877 static const struct nft_object_type *
4878 nft_obj_type_get(struct net *net, u32 objtype)
4880 const struct nft_object_type *type;
4882 type = __nft_obj_type_get(objtype);
4883 if (type != NULL && try_module_get(type->owner))
4886 lockdep_nfnl_nft_mutex_not_held();
4887 #ifdef CONFIG_MODULES
4889 nft_request_module(net, "nft-obj-%u", objtype);
4890 if (__nft_obj_type_get(objtype))
4891 return ERR_PTR(-EAGAIN);
4894 return ERR_PTR(-ENOENT);
4897 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4898 struct sk_buff *skb, const struct nlmsghdr *nlh,
4899 const struct nlattr * const nla[],
4900 struct netlink_ext_ack *extack)
4902 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4903 const struct nft_object_type *type;
4904 u8 genmask = nft_genmask_next(net);
4905 int family = nfmsg->nfgen_family;
4906 struct nft_table *table;
4907 struct nft_object *obj;
4912 if (!nla[NFTA_OBJ_TYPE] ||
4913 !nla[NFTA_OBJ_NAME] ||
4914 !nla[NFTA_OBJ_DATA])
4917 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4918 if (IS_ERR(table)) {
4919 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4920 return PTR_ERR(table);
4923 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4924 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4927 if (err != -ENOENT) {
4928 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4932 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4933 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4939 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4941 type = nft_obj_type_get(net, objtype);
4943 return PTR_ERR(type);
4945 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4951 obj->handle = nf_tables_alloc_handle(table);
4953 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4959 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4963 list_add_tail_rcu(&obj->list, &table->objects);
4969 if (obj->ops->destroy)
4970 obj->ops->destroy(&ctx, obj);
4973 module_put(type->owner);
4977 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4978 u32 portid, u32 seq, int event, u32 flags,
4979 int family, const struct nft_table *table,
4980 struct nft_object *obj, bool reset)
4982 struct nfgenmsg *nfmsg;
4983 struct nlmsghdr *nlh;
4985 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4986 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4988 goto nla_put_failure;
4990 nfmsg = nlmsg_data(nlh);
4991 nfmsg->nfgen_family = family;
4992 nfmsg->version = NFNETLINK_V0;
4993 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4995 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4996 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4997 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4998 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4999 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5000 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5002 goto nla_put_failure;
5004 nlmsg_end(skb, nlh);
5008 nlmsg_trim(skb, nlh);
5012 struct nft_obj_filter {
5017 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5019 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5020 const struct nft_table *table;
5021 unsigned int idx = 0, s_idx = cb->args[0];
5022 struct nft_obj_filter *filter = cb->data;
5023 struct net *net = sock_net(skb->sk);
5024 int family = nfmsg->nfgen_family;
5025 struct nft_object *obj;
5028 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5032 cb->seq = net->nft.base_seq;
5034 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5035 if (family != NFPROTO_UNSPEC && family != table->family)
5038 list_for_each_entry_rcu(obj, &table->objects, list) {
5039 if (!nft_is_active(net, obj))
5044 memset(&cb->args[1], 0,
5045 sizeof(cb->args) - sizeof(cb->args[0]));
5046 if (filter && filter->table &&
5047 strcmp(filter->table, table->name))
5050 filter->type != NFT_OBJECT_UNSPEC &&
5051 obj->ops->type->type != filter->type)
5054 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5057 NLM_F_MULTI | NLM_F_APPEND,
5058 table->family, table,
5062 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5074 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5076 const struct nlattr * const *nla = cb->data;
5077 struct nft_obj_filter *filter = NULL;
5079 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5080 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5084 if (nla[NFTA_OBJ_TABLE]) {
5085 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5086 if (!filter->table) {
5092 if (nla[NFTA_OBJ_TYPE])
5093 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5100 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5102 struct nft_obj_filter *filter = cb->data;
5105 kfree(filter->table);
5112 /* called with rcu_read_lock held */
5113 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5114 struct sk_buff *skb, const struct nlmsghdr *nlh,
5115 const struct nlattr * const nla[],
5116 struct netlink_ext_ack *extack)
5118 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5119 u8 genmask = nft_genmask_cur(net);
5120 int family = nfmsg->nfgen_family;
5121 const struct nft_table *table;
5122 struct nft_object *obj;
5123 struct sk_buff *skb2;
5128 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5129 struct netlink_dump_control c = {
5130 .start = nf_tables_dump_obj_start,
5131 .dump = nf_tables_dump_obj,
5132 .done = nf_tables_dump_obj_done,
5133 .module = THIS_MODULE,
5134 .data = (void *)nla,
5137 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5140 if (!nla[NFTA_OBJ_NAME] ||
5141 !nla[NFTA_OBJ_TYPE])
5144 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5145 if (IS_ERR(table)) {
5146 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5147 return PTR_ERR(table);
5150 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5151 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
5153 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5154 return PTR_ERR(obj);
5157 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5161 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5164 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5165 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5166 family, table, obj, reset);
5170 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5176 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5178 if (obj->ops->destroy)
5179 obj->ops->destroy(ctx, obj);
5181 module_put(obj->ops->type->owner);
5186 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5187 struct sk_buff *skb, const struct nlmsghdr *nlh,
5188 const struct nlattr * const nla[],
5189 struct netlink_ext_ack *extack)
5191 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5192 u8 genmask = nft_genmask_next(net);
5193 int family = nfmsg->nfgen_family;
5194 const struct nlattr *attr;
5195 struct nft_table *table;
5196 struct nft_object *obj;
5200 if (!nla[NFTA_OBJ_TYPE] ||
5201 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5204 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5205 if (IS_ERR(table)) {
5206 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5207 return PTR_ERR(table);
5210 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5211 if (nla[NFTA_OBJ_HANDLE]) {
5212 attr = nla[NFTA_OBJ_HANDLE];
5213 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5215 attr = nla[NFTA_OBJ_NAME];
5216 obj = nft_obj_lookup(table, attr, objtype, genmask);
5220 NL_SET_BAD_ATTR(extack, attr);
5221 return PTR_ERR(obj);
5224 NL_SET_BAD_ATTR(extack, attr);
5228 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5230 return nft_delobj(&ctx, obj);
5233 void nft_obj_notify(struct net *net, struct nft_table *table,
5234 struct nft_object *obj, u32 portid, u32 seq, int event,
5235 int family, int report, gfp_t gfp)
5237 struct sk_buff *skb;
5241 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5244 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5248 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5255 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5258 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5260 EXPORT_SYMBOL_GPL(nft_obj_notify);
5262 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5263 struct nft_object *obj, int event)
5265 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5266 ctx->family, ctx->report, GFP_KERNEL);
5272 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5274 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5275 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5276 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5278 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5280 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5282 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5283 list_del_rcu(&type->list);
5284 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5286 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5288 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5289 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5290 .len = NFT_NAME_MAXLEN - 1 },
5291 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5292 .len = NFT_NAME_MAXLEN - 1 },
5293 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5294 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5297 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5298 const struct nlattr *nla, u8 genmask)
5300 struct nft_flowtable *flowtable;
5302 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5303 if (!nla_strcmp(nla, flowtable->name) &&
5304 nft_active_genmask(flowtable, genmask))
5307 return ERR_PTR(-ENOENT);
5309 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5311 static struct nft_flowtable *
5312 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5313 const struct nlattr *nla, u8 genmask)
5315 struct nft_flowtable *flowtable;
5317 list_for_each_entry(flowtable, &table->flowtables, list) {
5318 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5319 nft_active_genmask(flowtable, genmask))
5322 return ERR_PTR(-ENOENT);
5325 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5326 const struct nlattr *attr,
5327 struct net_device *dev_array[], int *len)
5329 const struct nlattr *tmp;
5330 struct net_device *dev;
5331 char ifname[IFNAMSIZ];
5332 int rem, n = 0, err;
5334 nla_for_each_nested(tmp, attr, rem) {
5335 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5340 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5341 dev = __dev_get_by_name(ctx->net, ifname);
5347 dev_array[n++] = dev;
5348 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5362 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5363 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5364 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5365 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5368 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5369 const struct nlattr *attr,
5370 struct nft_flowtable *flowtable)
5372 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5373 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5374 struct nf_hook_ops *ops;
5375 int hooknum, priority;
5378 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5379 nft_flowtable_hook_policy, NULL);
5383 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5384 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5385 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5388 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5389 if (hooknum != NF_NETDEV_INGRESS)
5392 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5394 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5399 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5403 flowtable->hooknum = hooknum;
5404 flowtable->priority = priority;
5405 flowtable->ops = ops;
5406 flowtable->ops_len = n;
5408 for (i = 0; i < n; i++) {
5409 flowtable->ops[i].pf = NFPROTO_NETDEV;
5410 flowtable->ops[i].hooknum = hooknum;
5411 flowtable->ops[i].priority = priority;
5412 flowtable->ops[i].priv = &flowtable->data;
5413 flowtable->ops[i].hook = flowtable->data.type->hook;
5414 flowtable->ops[i].dev = dev_array[i];
5420 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5422 const struct nf_flowtable_type *type;
5424 list_for_each_entry(type, &nf_tables_flowtables, list) {
5425 if (family == type->family)
5431 static const struct nf_flowtable_type *
5432 nft_flowtable_type_get(struct net *net, u8 family)
5434 const struct nf_flowtable_type *type;
5436 type = __nft_flowtable_type_get(family);
5437 if (type != NULL && try_module_get(type->owner))
5440 lockdep_nfnl_nft_mutex_not_held();
5441 #ifdef CONFIG_MODULES
5443 nft_request_module(net, "nf-flowtable-%u", family);
5444 if (__nft_flowtable_type_get(family))
5445 return ERR_PTR(-EAGAIN);
5448 return ERR_PTR(-ENOENT);
5451 static void nft_unregister_flowtable_net_hooks(struct net *net,
5452 struct nft_flowtable *flowtable)
5456 for (i = 0; i < flowtable->ops_len; i++) {
5457 if (!flowtable->ops[i].dev)
5460 nf_unregister_net_hook(net, &flowtable->ops[i]);
5464 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5465 struct sk_buff *skb,
5466 const struct nlmsghdr *nlh,
5467 const struct nlattr * const nla[],
5468 struct netlink_ext_ack *extack)
5470 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5471 const struct nf_flowtable_type *type;
5472 struct nft_flowtable *flowtable, *ft;
5473 u8 genmask = nft_genmask_next(net);
5474 int family = nfmsg->nfgen_family;
5475 struct nft_table *table;
5479 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5480 !nla[NFTA_FLOWTABLE_NAME] ||
5481 !nla[NFTA_FLOWTABLE_HOOK])
5484 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5486 if (IS_ERR(table)) {
5487 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5488 return PTR_ERR(table);
5491 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5493 if (IS_ERR(flowtable)) {
5494 err = PTR_ERR(flowtable);
5495 if (err != -ENOENT) {
5496 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5500 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5501 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5508 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5510 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5514 flowtable->table = table;
5515 flowtable->handle = nf_tables_alloc_handle(table);
5517 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5518 if (!flowtable->name) {
5523 type = nft_flowtable_type_get(net, family);
5525 err = PTR_ERR(type);
5529 flowtable->data.type = type;
5530 err = type->init(&flowtable->data);
5534 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5539 for (i = 0; i < flowtable->ops_len; i++) {
5540 if (!flowtable->ops[i].dev)
5543 list_for_each_entry(ft, &table->flowtables, list) {
5544 for (k = 0; k < ft->ops_len; k++) {
5545 if (!ft->ops[k].dev)
5548 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5549 flowtable->ops[i].pf == ft->ops[k].pf) {
5556 err = nf_register_net_hook(net, &flowtable->ops[i]);
5561 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5565 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5570 i = flowtable->ops_len;
5572 for (k = i - 1; k >= 0; k--)
5573 nf_unregister_net_hook(net, &flowtable->ops[k]);
5575 kfree(flowtable->ops);
5577 flowtable->data.type->free(&flowtable->data);
5579 module_put(type->owner);
5581 kfree(flowtable->name);
5587 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5588 struct sk_buff *skb,
5589 const struct nlmsghdr *nlh,
5590 const struct nlattr * const nla[],
5591 struct netlink_ext_ack *extack)
5593 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5594 u8 genmask = nft_genmask_next(net);
5595 int family = nfmsg->nfgen_family;
5596 struct nft_flowtable *flowtable;
5597 const struct nlattr *attr;
5598 struct nft_table *table;
5601 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5602 (!nla[NFTA_FLOWTABLE_NAME] &&
5603 !nla[NFTA_FLOWTABLE_HANDLE]))
5606 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5608 if (IS_ERR(table)) {
5609 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5610 return PTR_ERR(table);
5613 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5614 attr = nla[NFTA_FLOWTABLE_HANDLE];
5615 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5617 attr = nla[NFTA_FLOWTABLE_NAME];
5618 flowtable = nft_flowtable_lookup(table, attr, genmask);
5621 if (IS_ERR(flowtable)) {
5622 NL_SET_BAD_ATTR(extack, attr);
5623 return PTR_ERR(flowtable);
5625 if (flowtable->use > 0) {
5626 NL_SET_BAD_ATTR(extack, attr);
5630 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5632 return nft_delflowtable(&ctx, flowtable);
5635 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5636 u32 portid, u32 seq, int event,
5637 u32 flags, int family,
5638 struct nft_flowtable *flowtable)
5640 struct nlattr *nest, *nest_devs;
5641 struct nfgenmsg *nfmsg;
5642 struct nlmsghdr *nlh;
5645 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5646 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5648 goto nla_put_failure;
5650 nfmsg = nlmsg_data(nlh);
5651 nfmsg->nfgen_family = family;
5652 nfmsg->version = NFNETLINK_V0;
5653 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5655 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5656 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5657 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5658 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5659 NFTA_FLOWTABLE_PAD))
5660 goto nla_put_failure;
5662 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5663 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5664 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5665 goto nla_put_failure;
5667 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5669 goto nla_put_failure;
5671 for (i = 0; i < flowtable->ops_len; i++) {
5672 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5675 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5676 goto nla_put_failure;
5678 nla_nest_end(skb, nest_devs);
5679 nla_nest_end(skb, nest);
5681 nlmsg_end(skb, nlh);
5685 nlmsg_trim(skb, nlh);
5689 struct nft_flowtable_filter {
5693 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5694 struct netlink_callback *cb)
5696 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5697 struct nft_flowtable_filter *filter = cb->data;
5698 unsigned int idx = 0, s_idx = cb->args[0];
5699 struct net *net = sock_net(skb->sk);
5700 int family = nfmsg->nfgen_family;
5701 struct nft_flowtable *flowtable;
5702 const struct nft_table *table;
5705 cb->seq = net->nft.base_seq;
5707 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5708 if (family != NFPROTO_UNSPEC && family != table->family)
5711 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5712 if (!nft_is_active(net, flowtable))
5717 memset(&cb->args[1], 0,
5718 sizeof(cb->args) - sizeof(cb->args[0]));
5719 if (filter && filter->table &&
5720 strcmp(filter->table, table->name))
5723 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5725 NFT_MSG_NEWFLOWTABLE,
5726 NLM_F_MULTI | NLM_F_APPEND,
5727 table->family, flowtable) < 0)
5730 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5742 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5744 const struct nlattr * const *nla = cb->data;
5745 struct nft_flowtable_filter *filter = NULL;
5747 if (nla[NFTA_FLOWTABLE_TABLE]) {
5748 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5752 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5754 if (!filter->table) {
5764 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5766 struct nft_flowtable_filter *filter = cb->data;
5771 kfree(filter->table);
5777 /* called with rcu_read_lock held */
5778 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5779 struct sk_buff *skb,
5780 const struct nlmsghdr *nlh,
5781 const struct nlattr * const nla[],
5782 struct netlink_ext_ack *extack)
5784 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5785 u8 genmask = nft_genmask_cur(net);
5786 int family = nfmsg->nfgen_family;
5787 struct nft_flowtable *flowtable;
5788 const struct nft_table *table;
5789 struct sk_buff *skb2;
5792 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5793 struct netlink_dump_control c = {
5794 .start = nf_tables_dump_flowtable_start,
5795 .dump = nf_tables_dump_flowtable,
5796 .done = nf_tables_dump_flowtable_done,
5797 .module = THIS_MODULE,
5798 .data = (void *)nla,
5801 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5804 if (!nla[NFTA_FLOWTABLE_NAME])
5807 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5810 return PTR_ERR(table);
5812 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5814 if (IS_ERR(flowtable))
5815 return PTR_ERR(flowtable);
5817 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5821 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5823 NFT_MSG_NEWFLOWTABLE, 0, family,
5828 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5834 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5835 struct nft_flowtable *flowtable,
5838 struct sk_buff *skb;
5842 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5845 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5849 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5851 ctx->family, flowtable);
5857 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5858 ctx->report, GFP_KERNEL);
5861 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5864 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5866 kfree(flowtable->ops);
5867 kfree(flowtable->name);
5868 flowtable->data.type->free(&flowtable->data);
5869 module_put(flowtable->data.type->owner);
5873 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5874 u32 portid, u32 seq)
5876 struct nlmsghdr *nlh;
5877 struct nfgenmsg *nfmsg;
5878 char buf[TASK_COMM_LEN];
5879 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5881 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5883 goto nla_put_failure;
5885 nfmsg = nlmsg_data(nlh);
5886 nfmsg->nfgen_family = AF_UNSPEC;
5887 nfmsg->version = NFNETLINK_V0;
5888 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5890 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5891 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5892 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5893 goto nla_put_failure;
5895 nlmsg_end(skb, nlh);
5899 nlmsg_trim(skb, nlh);
5903 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5904 struct nft_flowtable *flowtable)
5908 for (i = 0; i < flowtable->ops_len; i++) {
5909 if (flowtable->ops[i].dev != dev)
5912 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5913 flowtable->ops[i].dev = NULL;
5918 static int nf_tables_flowtable_event(struct notifier_block *this,
5919 unsigned long event, void *ptr)
5921 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5922 struct nft_flowtable *flowtable;
5923 struct nft_table *table;
5926 if (event != NETDEV_UNREGISTER)
5930 mutex_lock(&net->nft.commit_mutex);
5931 list_for_each_entry(table, &net->nft.tables, list) {
5932 list_for_each_entry(flowtable, &table->flowtables, list) {
5933 nft_flowtable_event(event, dev, flowtable);
5936 mutex_unlock(&net->nft.commit_mutex);
5941 static struct notifier_block nf_tables_flowtable_notifier = {
5942 .notifier_call = nf_tables_flowtable_event,
5945 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5948 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5949 struct sk_buff *skb2;
5952 if (nlmsg_report(nlh) &&
5953 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5956 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5960 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5967 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5968 nlmsg_report(nlh), GFP_KERNEL);
5971 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5975 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5976 struct sk_buff *skb, const struct nlmsghdr *nlh,
5977 const struct nlattr * const nla[],
5978 struct netlink_ext_ack *extack)
5980 struct sk_buff *skb2;
5983 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5987 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5992 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5998 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5999 [NFT_MSG_NEWTABLE] = {
6000 .call_batch = nf_tables_newtable,
6001 .attr_count = NFTA_TABLE_MAX,
6002 .policy = nft_table_policy,
6004 [NFT_MSG_GETTABLE] = {
6005 .call_rcu = nf_tables_gettable,
6006 .attr_count = NFTA_TABLE_MAX,
6007 .policy = nft_table_policy,
6009 [NFT_MSG_DELTABLE] = {
6010 .call_batch = nf_tables_deltable,
6011 .attr_count = NFTA_TABLE_MAX,
6012 .policy = nft_table_policy,
6014 [NFT_MSG_NEWCHAIN] = {
6015 .call_batch = nf_tables_newchain,
6016 .attr_count = NFTA_CHAIN_MAX,
6017 .policy = nft_chain_policy,
6019 [NFT_MSG_GETCHAIN] = {
6020 .call_rcu = nf_tables_getchain,
6021 .attr_count = NFTA_CHAIN_MAX,
6022 .policy = nft_chain_policy,
6024 [NFT_MSG_DELCHAIN] = {
6025 .call_batch = nf_tables_delchain,
6026 .attr_count = NFTA_CHAIN_MAX,
6027 .policy = nft_chain_policy,
6029 [NFT_MSG_NEWRULE] = {
6030 .call_batch = nf_tables_newrule,
6031 .attr_count = NFTA_RULE_MAX,
6032 .policy = nft_rule_policy,
6034 [NFT_MSG_GETRULE] = {
6035 .call_rcu = nf_tables_getrule,
6036 .attr_count = NFTA_RULE_MAX,
6037 .policy = nft_rule_policy,
6039 [NFT_MSG_DELRULE] = {
6040 .call_batch = nf_tables_delrule,
6041 .attr_count = NFTA_RULE_MAX,
6042 .policy = nft_rule_policy,
6044 [NFT_MSG_NEWSET] = {
6045 .call_batch = nf_tables_newset,
6046 .attr_count = NFTA_SET_MAX,
6047 .policy = nft_set_policy,
6049 [NFT_MSG_GETSET] = {
6050 .call_rcu = nf_tables_getset,
6051 .attr_count = NFTA_SET_MAX,
6052 .policy = nft_set_policy,
6054 [NFT_MSG_DELSET] = {
6055 .call_batch = nf_tables_delset,
6056 .attr_count = NFTA_SET_MAX,
6057 .policy = nft_set_policy,
6059 [NFT_MSG_NEWSETELEM] = {
6060 .call_batch = nf_tables_newsetelem,
6061 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6062 .policy = nft_set_elem_list_policy,
6064 [NFT_MSG_GETSETELEM] = {
6065 .call_rcu = nf_tables_getsetelem,
6066 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6067 .policy = nft_set_elem_list_policy,
6069 [NFT_MSG_DELSETELEM] = {
6070 .call_batch = nf_tables_delsetelem,
6071 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6072 .policy = nft_set_elem_list_policy,
6074 [NFT_MSG_GETGEN] = {
6075 .call_rcu = nf_tables_getgen,
6077 [NFT_MSG_NEWOBJ] = {
6078 .call_batch = nf_tables_newobj,
6079 .attr_count = NFTA_OBJ_MAX,
6080 .policy = nft_obj_policy,
6082 [NFT_MSG_GETOBJ] = {
6083 .call_rcu = nf_tables_getobj,
6084 .attr_count = NFTA_OBJ_MAX,
6085 .policy = nft_obj_policy,
6087 [NFT_MSG_DELOBJ] = {
6088 .call_batch = nf_tables_delobj,
6089 .attr_count = NFTA_OBJ_MAX,
6090 .policy = nft_obj_policy,
6092 [NFT_MSG_GETOBJ_RESET] = {
6093 .call_rcu = nf_tables_getobj,
6094 .attr_count = NFTA_OBJ_MAX,
6095 .policy = nft_obj_policy,
6097 [NFT_MSG_NEWFLOWTABLE] = {
6098 .call_batch = nf_tables_newflowtable,
6099 .attr_count = NFTA_FLOWTABLE_MAX,
6100 .policy = nft_flowtable_policy,
6102 [NFT_MSG_GETFLOWTABLE] = {
6103 .call_rcu = nf_tables_getflowtable,
6104 .attr_count = NFTA_FLOWTABLE_MAX,
6105 .policy = nft_flowtable_policy,
6107 [NFT_MSG_DELFLOWTABLE] = {
6108 .call_batch = nf_tables_delflowtable,
6109 .attr_count = NFTA_FLOWTABLE_MAX,
6110 .policy = nft_flowtable_policy,
6114 static int nf_tables_validate(struct net *net)
6116 struct nft_table *table;
6118 switch (net->nft.validate_state) {
6119 case NFT_VALIDATE_SKIP:
6121 case NFT_VALIDATE_NEED:
6122 nft_validate_state_update(net, NFT_VALIDATE_DO);
6124 case NFT_VALIDATE_DO:
6125 list_for_each_entry(table, &net->nft.tables, list) {
6126 if (nft_table_validate(net, table) < 0)
6135 static void nft_chain_commit_update(struct nft_trans *trans)
6137 struct nft_base_chain *basechain;
6139 if (nft_trans_chain_name(trans)) {
6140 rhltable_remove(&trans->ctx.table->chains_ht,
6141 &trans->ctx.chain->rhlhead,
6142 nft_chain_ht_params);
6143 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6144 rhltable_insert_key(&trans->ctx.table->chains_ht,
6145 trans->ctx.chain->name,
6146 &trans->ctx.chain->rhlhead,
6147 nft_chain_ht_params);
6150 if (!nft_is_base_chain(trans->ctx.chain))
6153 basechain = nft_base_chain(trans->ctx.chain);
6154 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
6156 switch (nft_trans_chain_policy(trans)) {
6159 basechain->policy = nft_trans_chain_policy(trans);
6164 static void nft_commit_release(struct nft_trans *trans)
6166 switch (trans->msg_type) {
6167 case NFT_MSG_DELTABLE:
6168 nf_tables_table_destroy(&trans->ctx);
6170 case NFT_MSG_NEWCHAIN:
6171 kfree(nft_trans_chain_name(trans));
6173 case NFT_MSG_DELCHAIN:
6174 nf_tables_chain_destroy(&trans->ctx);
6176 case NFT_MSG_DELRULE:
6177 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6179 case NFT_MSG_DELSET:
6180 nft_set_destroy(nft_trans_set(trans));
6182 case NFT_MSG_DELSETELEM:
6183 nf_tables_set_elem_destroy(&trans->ctx,
6184 nft_trans_elem_set(trans),
6185 nft_trans_elem(trans).priv);
6187 case NFT_MSG_DELOBJ:
6188 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6190 case NFT_MSG_DELFLOWTABLE:
6191 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6197 static void nf_tables_commit_release(struct net *net)
6199 struct nft_trans *trans, *next;
6201 if (list_empty(&net->nft.commit_list))
6206 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6207 list_del(&trans->list);
6208 nft_commit_release(trans);
6212 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6214 struct nft_rule *rule;
6215 unsigned int alloc = 0;
6218 /* already handled or inactive chain? */
6219 if (chain->rules_next || !nft_is_active_next(net, chain))
6222 rule = list_entry(&chain->rules, struct nft_rule, list);
6225 list_for_each_entry_continue(rule, &chain->rules, list) {
6226 if (nft_is_active_next(net, rule))
6230 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6231 if (!chain->rules_next)
6234 list_for_each_entry_continue(rule, &chain->rules, list) {
6235 if (nft_is_active_next(net, rule))
6236 chain->rules_next[i++] = rule;
6239 chain->rules_next[i] = NULL;
6243 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6245 struct nft_trans *trans, *next;
6247 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6248 struct nft_chain *chain = trans->ctx.chain;
6250 if (trans->msg_type == NFT_MSG_NEWRULE ||
6251 trans->msg_type == NFT_MSG_DELRULE) {
6252 kvfree(chain->rules_next);
6253 chain->rules_next = NULL;
6258 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6260 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6265 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6267 struct nft_rule **r = rules;
6268 struct nft_rules_old *old;
6273 r++; /* rcu_head is after end marker */
6277 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6280 static void nf_tables_commit_chain_active(struct net *net, struct nft_chain *chain)
6282 struct nft_rule **g0, **g1;
6285 next_genbit = nft_gencursor_next(net);
6287 g0 = rcu_dereference_protected(chain->rules_gen_0,
6288 lockdep_commit_lock_is_held(net));
6289 g1 = rcu_dereference_protected(chain->rules_gen_1,
6290 lockdep_commit_lock_is_held(net));
6292 /* No changes to this chain? */
6293 if (chain->rules_next == NULL) {
6294 /* chain had no change in last or next generation */
6298 * chain had no change in this generation; make sure next
6299 * one uses same rules as current generation.
6302 rcu_assign_pointer(chain->rules_gen_1, g0);
6303 nf_tables_commit_chain_free_rules_old(g1);
6305 rcu_assign_pointer(chain->rules_gen_0, g1);
6306 nf_tables_commit_chain_free_rules_old(g0);
6313 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6315 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6317 chain->rules_next = NULL;
6323 nf_tables_commit_chain_free_rules_old(g1);
6325 nf_tables_commit_chain_free_rules_old(g0);
6328 static void nft_chain_del(struct nft_chain *chain)
6330 struct nft_table *table = chain->table;
6332 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6333 nft_chain_ht_params));
6334 list_del_rcu(&chain->list);
6337 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6339 struct nft_trans *trans, *next;
6340 struct nft_trans_elem *te;
6341 struct nft_chain *chain;
6342 struct nft_table *table;
6344 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6345 if (nf_tables_validate(net) < 0)
6348 /* 1. Allocate space for next generation rules_gen_X[] */
6349 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6352 if (trans->msg_type == NFT_MSG_NEWRULE ||
6353 trans->msg_type == NFT_MSG_DELRULE) {
6354 chain = trans->ctx.chain;
6356 ret = nf_tables_commit_chain_prepare(net, chain);
6358 nf_tables_commit_chain_prepare_cancel(net);
6364 /* step 2. Make rules_gen_X visible to packet path */
6365 list_for_each_entry(table, &net->nft.tables, list) {
6366 list_for_each_entry(chain, &table->chains, list) {
6367 if (!nft_is_active_next(net, chain))
6369 nf_tables_commit_chain_active(net, chain);
6374 * Bump generation counter, invalidate any dump in progress.
6375 * Cannot fail after this point.
6377 while (++net->nft.base_seq == 0);
6379 /* step 3. Start new generation, rules_gen_X now in use. */
6380 net->nft.gencursor = nft_gencursor_next(net);
6382 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6383 switch (trans->msg_type) {
6384 case NFT_MSG_NEWTABLE:
6385 if (nft_trans_table_update(trans)) {
6386 if (!nft_trans_table_enable(trans)) {
6387 nf_tables_table_disable(net,
6389 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6392 nft_clear(net, trans->ctx.table);
6394 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6395 nft_trans_destroy(trans);
6397 case NFT_MSG_DELTABLE:
6398 list_del_rcu(&trans->ctx.table->list);
6399 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6401 case NFT_MSG_NEWCHAIN:
6402 if (nft_trans_chain_update(trans)) {
6403 nft_chain_commit_update(trans);
6404 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6405 /* trans destroyed after rcu grace period */
6407 nft_clear(net, trans->ctx.chain);
6408 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6409 nft_trans_destroy(trans);
6412 case NFT_MSG_DELCHAIN:
6413 nft_chain_del(trans->ctx.chain);
6414 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6415 nf_tables_unregister_hook(trans->ctx.net,
6419 case NFT_MSG_NEWRULE:
6420 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6421 nf_tables_rule_notify(&trans->ctx,
6422 nft_trans_rule(trans),
6424 nft_trans_destroy(trans);
6426 case NFT_MSG_DELRULE:
6427 list_del_rcu(&nft_trans_rule(trans)->list);
6428 nf_tables_rule_notify(&trans->ctx,
6429 nft_trans_rule(trans),
6432 case NFT_MSG_NEWSET:
6433 nft_clear(net, nft_trans_set(trans));
6434 /* This avoids hitting -EBUSY when deleting the table
6435 * from the transaction.
6437 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6438 !list_empty(&nft_trans_set(trans)->bindings))
6439 trans->ctx.table->use--;
6441 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6442 NFT_MSG_NEWSET, GFP_KERNEL);
6443 nft_trans_destroy(trans);
6445 case NFT_MSG_DELSET:
6446 list_del_rcu(&nft_trans_set(trans)->list);
6447 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6448 NFT_MSG_DELSET, GFP_KERNEL);
6450 case NFT_MSG_NEWSETELEM:
6451 te = (struct nft_trans_elem *)trans->data;
6453 te->set->ops->activate(net, te->set, &te->elem);
6454 nf_tables_setelem_notify(&trans->ctx, te->set,
6456 NFT_MSG_NEWSETELEM, 0);
6457 nft_trans_destroy(trans);
6459 case NFT_MSG_DELSETELEM:
6460 te = (struct nft_trans_elem *)trans->data;
6462 nf_tables_setelem_notify(&trans->ctx, te->set,
6464 NFT_MSG_DELSETELEM, 0);
6465 te->set->ops->remove(net, te->set, &te->elem);
6466 atomic_dec(&te->set->nelems);
6469 case NFT_MSG_NEWOBJ:
6470 nft_clear(net, nft_trans_obj(trans));
6471 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6473 nft_trans_destroy(trans);
6475 case NFT_MSG_DELOBJ:
6476 list_del_rcu(&nft_trans_obj(trans)->list);
6477 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6480 case NFT_MSG_NEWFLOWTABLE:
6481 nft_clear(net, nft_trans_flowtable(trans));
6482 nf_tables_flowtable_notify(&trans->ctx,
6483 nft_trans_flowtable(trans),
6484 NFT_MSG_NEWFLOWTABLE);
6485 nft_trans_destroy(trans);
6487 case NFT_MSG_DELFLOWTABLE:
6488 list_del_rcu(&nft_trans_flowtable(trans)->list);
6489 nf_tables_flowtable_notify(&trans->ctx,
6490 nft_trans_flowtable(trans),
6491 NFT_MSG_DELFLOWTABLE);
6492 nft_unregister_flowtable_net_hooks(net,
6493 nft_trans_flowtable(trans));
6498 nf_tables_commit_release(net);
6499 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6500 mutex_unlock(&net->nft.commit_mutex);
6505 static void nf_tables_abort_release(struct nft_trans *trans)
6507 switch (trans->msg_type) {
6508 case NFT_MSG_NEWTABLE:
6509 nf_tables_table_destroy(&trans->ctx);
6511 case NFT_MSG_NEWCHAIN:
6512 nf_tables_chain_destroy(&trans->ctx);
6514 case NFT_MSG_NEWRULE:
6515 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6517 case NFT_MSG_NEWSET:
6518 nft_set_destroy(nft_trans_set(trans));
6520 case NFT_MSG_NEWSETELEM:
6521 nft_set_elem_destroy(nft_trans_elem_set(trans),
6522 nft_trans_elem(trans).priv, true);
6524 case NFT_MSG_NEWOBJ:
6525 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6527 case NFT_MSG_NEWFLOWTABLE:
6528 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6534 static int __nf_tables_abort(struct net *net)
6536 struct nft_trans *trans, *next;
6537 struct nft_trans_elem *te;
6539 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6541 switch (trans->msg_type) {
6542 case NFT_MSG_NEWTABLE:
6543 if (nft_trans_table_update(trans)) {
6544 if (nft_trans_table_enable(trans)) {
6545 nf_tables_table_disable(net,
6547 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6549 nft_trans_destroy(trans);
6551 list_del_rcu(&trans->ctx.table->list);
6554 case NFT_MSG_DELTABLE:
6555 nft_clear(trans->ctx.net, trans->ctx.table);
6556 nft_trans_destroy(trans);
6558 case NFT_MSG_NEWCHAIN:
6559 if (nft_trans_chain_update(trans)) {
6560 free_percpu(nft_trans_chain_stats(trans));
6561 kfree(nft_trans_chain_name(trans));
6562 nft_trans_destroy(trans);
6564 trans->ctx.table->use--;
6565 nft_chain_del(trans->ctx.chain);
6566 nf_tables_unregister_hook(trans->ctx.net,
6571 case NFT_MSG_DELCHAIN:
6572 trans->ctx.table->use++;
6573 nft_clear(trans->ctx.net, trans->ctx.chain);
6574 nft_trans_destroy(trans);
6576 case NFT_MSG_NEWRULE:
6577 trans->ctx.chain->use--;
6578 list_del_rcu(&nft_trans_rule(trans)->list);
6579 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6581 case NFT_MSG_DELRULE:
6582 trans->ctx.chain->use++;
6583 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6584 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6585 nft_trans_destroy(trans);
6587 case NFT_MSG_NEWSET:
6588 trans->ctx.table->use--;
6589 list_del_rcu(&nft_trans_set(trans)->list);
6591 case NFT_MSG_DELSET:
6592 trans->ctx.table->use++;
6593 nft_clear(trans->ctx.net, nft_trans_set(trans));
6594 nft_trans_destroy(trans);
6596 case NFT_MSG_NEWSETELEM:
6597 te = (struct nft_trans_elem *)trans->data;
6599 te->set->ops->remove(net, te->set, &te->elem);
6600 atomic_dec(&te->set->nelems);
6602 case NFT_MSG_DELSETELEM:
6603 te = (struct nft_trans_elem *)trans->data;
6605 nft_set_elem_activate(net, te->set, &te->elem);
6606 te->set->ops->activate(net, te->set, &te->elem);
6609 nft_trans_destroy(trans);
6611 case NFT_MSG_NEWOBJ:
6612 trans->ctx.table->use--;
6613 list_del_rcu(&nft_trans_obj(trans)->list);
6615 case NFT_MSG_DELOBJ:
6616 trans->ctx.table->use++;
6617 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6618 nft_trans_destroy(trans);
6620 case NFT_MSG_NEWFLOWTABLE:
6621 trans->ctx.table->use--;
6622 list_del_rcu(&nft_trans_flowtable(trans)->list);
6623 nft_unregister_flowtable_net_hooks(net,
6624 nft_trans_flowtable(trans));
6626 case NFT_MSG_DELFLOWTABLE:
6627 trans->ctx.table->use++;
6628 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6629 nft_trans_destroy(trans);
6636 list_for_each_entry_safe_reverse(trans, next,
6637 &net->nft.commit_list, list) {
6638 list_del(&trans->list);
6639 nf_tables_abort_release(trans);
6645 static void nf_tables_cleanup(struct net *net)
6647 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6650 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6652 int ret = __nf_tables_abort(net);
6654 mutex_unlock(&net->nft.commit_mutex);
6659 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6663 mutex_lock(&net->nft.commit_mutex);
6665 genid_ok = genid == 0 || net->nft.base_seq == genid;
6667 mutex_unlock(&net->nft.commit_mutex);
6669 /* else, commit mutex has to be released by commit or abort function */
6673 static const struct nfnetlink_subsystem nf_tables_subsys = {
6674 .name = "nf_tables",
6675 .subsys_id = NFNL_SUBSYS_NFTABLES,
6676 .cb_count = NFT_MSG_MAX,
6678 .commit = nf_tables_commit,
6679 .abort = nf_tables_abort,
6680 .cleanup = nf_tables_cleanup,
6681 .valid_genid = nf_tables_valid_genid,
6682 .owner = THIS_MODULE,
6685 int nft_chain_validate_dependency(const struct nft_chain *chain,
6686 enum nft_chain_types type)
6688 const struct nft_base_chain *basechain;
6690 if (nft_is_base_chain(chain)) {
6691 basechain = nft_base_chain(chain);
6692 if (basechain->type->type != type)
6697 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6699 int nft_chain_validate_hooks(const struct nft_chain *chain,
6700 unsigned int hook_flags)
6702 struct nft_base_chain *basechain;
6704 if (nft_is_base_chain(chain)) {
6705 basechain = nft_base_chain(chain);
6707 if ((1 << basechain->ops.hooknum) & hook_flags)
6715 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6718 * Loop detection - walk through the ruleset beginning at the destination chain
6719 * of a new jump until either the source chain is reached (loop) or all
6720 * reachable chains have been traversed.
6722 * The loop check is performed whenever a new jump verdict is added to an
6723 * expression or verdict map or a verdict map is bound to a new chain.
6726 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6727 const struct nft_chain *chain);
6729 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6730 struct nft_set *set,
6731 const struct nft_set_iter *iter,
6732 struct nft_set_elem *elem)
6734 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6735 const struct nft_data *data;
6737 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6738 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6741 data = nft_set_ext_data(ext);
6742 switch (data->verdict.code) {
6745 return nf_tables_check_loops(ctx, data->verdict.chain);
6751 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6752 const struct nft_chain *chain)
6754 const struct nft_rule *rule;
6755 const struct nft_expr *expr, *last;
6756 struct nft_set *set;
6757 struct nft_set_binding *binding;
6758 struct nft_set_iter iter;
6760 if (ctx->chain == chain)
6763 list_for_each_entry(rule, &chain->rules, list) {
6764 nft_rule_for_each_expr(expr, last, rule) {
6765 struct nft_immediate_expr *priv;
6766 const struct nft_data *data;
6769 if (strcmp(expr->ops->type->name, "immediate"))
6772 priv = nft_expr_priv(expr);
6773 if (priv->dreg != NFT_REG_VERDICT)
6777 switch (data->verdict.code) {
6780 err = nf_tables_check_loops(ctx,
6781 data->verdict.chain);
6790 list_for_each_entry(set, &ctx->table->sets, list) {
6791 if (!nft_is_active_next(ctx->net, set))
6793 if (!(set->flags & NFT_SET_MAP) ||
6794 set->dtype != NFT_DATA_VERDICT)
6797 list_for_each_entry(binding, &set->bindings, list) {
6798 if (!(binding->flags & NFT_SET_MAP) ||
6799 binding->chain != chain)
6802 iter.genmask = nft_genmask_next(ctx->net);
6806 iter.fn = nf_tables_loop_check_setelem;
6808 set->ops->walk(ctx, set, &iter);
6818 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6820 * @attr: netlink attribute to fetch value from
6821 * @max: maximum value to be stored in dest
6822 * @dest: pointer to the variable
6824 * Parse, check and store a given u32 netlink attribute into variable.
6825 * This function returns -ERANGE if the value goes over maximum value.
6826 * Otherwise a 0 is returned and the attribute value is stored in the
6827 * destination variable.
6829 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6833 val = ntohl(nla_get_be32(attr));
6840 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6843 * nft_parse_register - parse a register value from a netlink attribute
6845 * @attr: netlink attribute
6847 * Parse and translate a register value from a netlink attribute.
6848 * Registers used to be 128 bit wide, these register numbers will be
6849 * mapped to the corresponding 32 bit register numbers.
6851 unsigned int nft_parse_register(const struct nlattr *attr)
6855 reg = ntohl(nla_get_be32(attr));
6857 case NFT_REG_VERDICT...NFT_REG_4:
6858 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6860 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6863 EXPORT_SYMBOL_GPL(nft_parse_register);
6866 * nft_dump_register - dump a register value to a netlink attribute
6868 * @skb: socket buffer
6869 * @attr: attribute number
6870 * @reg: register number
6872 * Construct a netlink attribute containing the register number. For
6873 * compatibility reasons, register numbers being a multiple of 4 are
6874 * translated to the corresponding 128 bit register numbers.
6876 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6878 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6879 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6881 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6883 return nla_put_be32(skb, attr, htonl(reg));
6885 EXPORT_SYMBOL_GPL(nft_dump_register);
6888 * nft_validate_register_load - validate a load from a register
6890 * @reg: the register number
6891 * @len: the length of the data
6893 * Validate that the input register is one of the general purpose
6894 * registers and that the length of the load is within the bounds.
6896 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6898 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6902 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6907 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6910 * nft_validate_register_store - validate an expressions' register store
6912 * @ctx: context of the expression performing the load
6913 * @reg: the destination register number
6914 * @data: the data to load
6915 * @type: the data type
6916 * @len: the length of the data
6918 * Validate that a data load uses the appropriate data type for
6919 * the destination register and the length is within the bounds.
6920 * A value of NULL for the data means that its runtime gathered
6923 int nft_validate_register_store(const struct nft_ctx *ctx,
6924 enum nft_registers reg,
6925 const struct nft_data *data,
6926 enum nft_data_types type, unsigned int len)
6931 case NFT_REG_VERDICT:
6932 if (type != NFT_DATA_VERDICT)
6936 (data->verdict.code == NFT_GOTO ||
6937 data->verdict.code == NFT_JUMP)) {
6938 err = nf_tables_check_loops(ctx, data->verdict.chain);
6945 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6949 if (reg * NFT_REG32_SIZE + len >
6950 FIELD_SIZEOF(struct nft_regs, data))
6953 if (data != NULL && type != NFT_DATA_VALUE)
6958 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6960 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6961 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6962 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6963 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6966 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6967 struct nft_data_desc *desc, const struct nlattr *nla)
6969 u8 genmask = nft_genmask_next(ctx->net);
6970 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6971 struct nft_chain *chain;
6974 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6979 if (!tb[NFTA_VERDICT_CODE])
6981 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6983 switch (data->verdict.code) {
6985 switch (data->verdict.code & NF_VERDICT_MASK) {
7000 if (!tb[NFTA_VERDICT_CHAIN])
7002 chain = nft_chain_lookup(ctx->net, ctx->table,
7003 tb[NFTA_VERDICT_CHAIN], genmask);
7005 return PTR_ERR(chain);
7006 if (nft_is_base_chain(chain))
7010 data->verdict.chain = chain;
7014 desc->len = sizeof(data->verdict);
7015 desc->type = NFT_DATA_VERDICT;
7019 static void nft_verdict_uninit(const struct nft_data *data)
7021 switch (data->verdict.code) {
7024 data->verdict.chain->use--;
7029 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7031 struct nlattr *nest;
7033 nest = nla_nest_start(skb, type);
7035 goto nla_put_failure;
7037 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7038 goto nla_put_failure;
7043 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7045 goto nla_put_failure;
7047 nla_nest_end(skb, nest);
7054 static int nft_value_init(const struct nft_ctx *ctx,
7055 struct nft_data *data, unsigned int size,
7056 struct nft_data_desc *desc, const struct nlattr *nla)
7066 nla_memcpy(data->data, nla, len);
7067 desc->type = NFT_DATA_VALUE;
7072 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7075 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7078 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7079 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7080 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7084 * nft_data_init - parse nf_tables data netlink attributes
7086 * @ctx: context of the expression using the data
7087 * @data: destination struct nft_data
7088 * @size: maximum data length
7089 * @desc: data description
7090 * @nla: netlink attribute containing data
7092 * Parse the netlink data attributes and initialize a struct nft_data.
7093 * The type and length of data are returned in the data description.
7095 * The caller can indicate that it only wants to accept data of type
7096 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7098 int nft_data_init(const struct nft_ctx *ctx,
7099 struct nft_data *data, unsigned int size,
7100 struct nft_data_desc *desc, const struct nlattr *nla)
7102 struct nlattr *tb[NFTA_DATA_MAX + 1];
7105 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
7109 if (tb[NFTA_DATA_VALUE])
7110 return nft_value_init(ctx, data, size, desc,
7111 tb[NFTA_DATA_VALUE]);
7112 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7113 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7116 EXPORT_SYMBOL_GPL(nft_data_init);
7119 * nft_data_release - release a nft_data item
7121 * @data: struct nft_data to release
7122 * @type: type of data
7124 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7125 * all others need to be released by calling this function.
7127 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7129 if (type < NFT_DATA_VERDICT)
7132 case NFT_DATA_VERDICT:
7133 return nft_verdict_uninit(data);
7138 EXPORT_SYMBOL_GPL(nft_data_release);
7140 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7141 enum nft_data_types type, unsigned int len)
7143 struct nlattr *nest;
7146 nest = nla_nest_start(skb, attr);
7151 case NFT_DATA_VALUE:
7152 err = nft_value_dump(skb, data, len);
7154 case NFT_DATA_VERDICT:
7155 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7162 nla_nest_end(skb, nest);
7165 EXPORT_SYMBOL_GPL(nft_data_dump);
7167 int __nft_release_basechain(struct nft_ctx *ctx)
7169 struct nft_rule *rule, *nr;
7171 BUG_ON(!nft_is_base_chain(ctx->chain));
7173 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7174 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7175 list_del(&rule->list);
7177 nf_tables_rule_release(ctx, rule);
7179 nft_chain_del(ctx->chain);
7181 nf_tables_chain_destroy(ctx);
7185 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7187 static void __nft_release_tables(struct net *net)
7189 struct nft_flowtable *flowtable, *nf;
7190 struct nft_table *table, *nt;
7191 struct nft_chain *chain, *nc;
7192 struct nft_object *obj, *ne;
7193 struct nft_rule *rule, *nr;
7194 struct nft_set *set, *ns;
7195 struct nft_ctx ctx = {
7197 .family = NFPROTO_NETDEV,
7200 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7201 ctx.family = table->family;
7203 list_for_each_entry(chain, &table->chains, list)
7204 nf_tables_unregister_hook(net, table, chain);
7205 list_for_each_entry(flowtable, &table->flowtables, list)
7206 nf_unregister_net_hooks(net, flowtable->ops,
7207 flowtable->ops_len);
7208 /* No packets are walking on these chains anymore. */
7210 list_for_each_entry(chain, &table->chains, list) {
7212 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7213 list_del(&rule->list);
7215 nf_tables_rule_release(&ctx, rule);
7218 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7219 list_del(&flowtable->list);
7221 nf_tables_flowtable_destroy(flowtable);
7223 list_for_each_entry_safe(set, ns, &table->sets, list) {
7224 list_del(&set->list);
7226 nft_set_destroy(set);
7228 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7229 list_del(&obj->list);
7231 nft_obj_destroy(&ctx, obj);
7233 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7235 nft_chain_del(chain);
7237 nf_tables_chain_destroy(&ctx);
7239 list_del(&table->list);
7240 nf_tables_table_destroy(&ctx);
7244 static int __net_init nf_tables_init_net(struct net *net)
7246 INIT_LIST_HEAD(&net->nft.tables);
7247 INIT_LIST_HEAD(&net->nft.commit_list);
7248 mutex_init(&net->nft.commit_mutex);
7249 net->nft.base_seq = 1;
7250 net->nft.validate_state = NFT_VALIDATE_SKIP;
7255 static void __net_exit nf_tables_exit_net(struct net *net)
7257 mutex_lock(&net->nft.commit_mutex);
7258 if (!list_empty(&net->nft.commit_list))
7259 __nf_tables_abort(net);
7260 __nft_release_tables(net);
7261 mutex_unlock(&net->nft.commit_mutex);
7262 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7265 static struct pernet_operations nf_tables_net_ops = {
7266 .init = nf_tables_init_net,
7267 .exit = nf_tables_exit_net,
7270 static int __init nf_tables_module_init(void)
7274 err = register_pernet_subsys(&nf_tables_net_ops);
7278 err = nft_chain_filter_init();
7282 err = nf_tables_core_module_init();
7286 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7291 err = nfnetlink_subsys_register(&nf_tables_subsys);
7297 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7299 nf_tables_core_module_exit();
7301 nft_chain_filter_fini();
7303 unregister_pernet_subsys(&nf_tables_net_ops);
7307 static void __exit nf_tables_module_exit(void)
7309 nfnetlink_subsys_unregister(&nf_tables_subsys);
7310 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7311 nft_chain_filter_fini();
7312 unregister_pernet_subsys(&nf_tables_net_ops);
7314 nf_tables_core_module_exit();
7317 module_init(nf_tables_module_init);
7318 module_exit(nf_tables_module_exit);
7320 MODULE_LICENSE("GPL");
7321 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7322 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-block.git / blob