2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 static int nf_tables_register_hook(struct net *net,
78 const struct nft_table *table,
79 struct nft_chain *chain)
81 if (table->flags & NFT_TABLE_F_DORMANT ||
82 !nft_is_base_chain(chain))
85 return nf_register_net_hook(net, &nft_base_chain(chain)->ops);
88 static void nf_tables_unregister_hook(struct net *net,
89 const struct nft_table *table,
90 struct nft_chain *chain)
92 if (table->flags & NFT_TABLE_F_DORMANT ||
93 !nft_is_base_chain(chain))
96 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
99 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
101 struct nft_trans *trans;
103 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
107 if (msg_type == NFT_MSG_NEWTABLE)
108 nft_activate_next(ctx->net, ctx->table);
110 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
114 static int nft_deltable(struct nft_ctx *ctx)
118 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
122 nft_deactivate_next(ctx->net, ctx->table);
126 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
128 struct nft_trans *trans;
130 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
134 if (msg_type == NFT_MSG_NEWCHAIN)
135 nft_activate_next(ctx->net, ctx->chain);
137 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
141 static int nft_delchain(struct nft_ctx *ctx)
145 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
150 nft_deactivate_next(ctx->net, ctx->chain);
156 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
158 /* You cannot delete the same rule twice */
159 if (nft_is_active_next(ctx->net, rule)) {
160 nft_deactivate_next(ctx->net, rule);
167 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
168 struct nft_rule *rule)
170 struct nft_trans *trans;
172 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
176 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
177 nft_trans_rule_id(trans) =
178 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
180 nft_trans_rule(trans) = rule;
181 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
186 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
188 struct nft_trans *trans;
191 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
195 err = nf_tables_delrule_deactivate(ctx, rule);
197 nft_trans_destroy(trans);
204 static int nft_delrule_by_chain(struct nft_ctx *ctx)
206 struct nft_rule *rule;
209 list_for_each_entry(rule, &ctx->chain->rules, list) {
210 err = nft_delrule(ctx, rule);
217 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
220 struct nft_trans *trans;
222 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
226 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
227 nft_trans_set_id(trans) =
228 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
229 nft_activate_next(ctx->net, set);
231 nft_trans_set(trans) = set;
232 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
237 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
241 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
245 nft_deactivate_next(ctx->net, set);
251 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
252 struct nft_object *obj)
254 struct nft_trans *trans;
256 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
260 if (msg_type == NFT_MSG_NEWOBJ)
261 nft_activate_next(ctx->net, obj);
263 nft_trans_obj(trans) = obj;
264 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
269 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
273 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
277 nft_deactivate_next(ctx->net, obj);
283 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
284 struct nft_flowtable *flowtable)
286 struct nft_trans *trans;
288 trans = nft_trans_alloc(ctx, msg_type,
289 sizeof(struct nft_trans_flowtable));
293 if (msg_type == NFT_MSG_NEWFLOWTABLE)
294 nft_activate_next(ctx->net, flowtable);
296 nft_trans_flowtable(trans) = flowtable;
297 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
302 static int nft_delflowtable(struct nft_ctx *ctx,
303 struct nft_flowtable *flowtable)
307 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
311 nft_deactivate_next(ctx->net, flowtable);
321 static struct nft_table *nft_table_lookup(const struct net *net,
322 const struct nlattr *nla,
323 u8 family, u8 genmask)
325 struct nft_table *table;
327 list_for_each_entry(table, &net->nft.tables, list) {
328 if (!nla_strcmp(nla, table->name) &&
329 table->family == family &&
330 nft_active_genmask(table, genmask))
336 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
337 const struct nlattr *nla,
340 struct nft_table *table;
342 list_for_each_entry(table, &net->nft.tables, list) {
343 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
344 nft_active_genmask(table, genmask))
350 static struct nft_table *nf_tables_table_lookup(const struct net *net,
351 const struct nlattr *nla,
352 u8 family, u8 genmask)
354 struct nft_table *table;
357 return ERR_PTR(-EINVAL);
359 table = nft_table_lookup(net, nla, family, genmask);
363 return ERR_PTR(-ENOENT);
366 static struct nft_table *nf_tables_table_lookup_byhandle(const struct net *net,
367 const struct nlattr *nla,
370 struct nft_table *table;
373 return ERR_PTR(-EINVAL);
375 table = nft_table_lookup_byhandle(net, nla, genmask);
379 return ERR_PTR(-ENOENT);
382 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
384 return ++table->hgenerator;
387 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
389 static const struct nf_chain_type *
390 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
394 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
395 if (chain_type[family][i] != NULL &&
396 !nla_strcmp(nla, chain_type[family][i]->name))
397 return chain_type[family][i];
402 static const struct nf_chain_type *
403 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
405 const struct nf_chain_type *type;
407 type = __nf_tables_chain_type_lookup(nla, family);
410 #ifdef CONFIG_MODULES
412 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
413 request_module("nft-chain-%u-%.*s", family,
414 nla_len(nla), (const char *)nla_data(nla));
415 nfnl_lock(NFNL_SUBSYS_NFTABLES);
416 type = __nf_tables_chain_type_lookup(nla, family);
418 return ERR_PTR(-EAGAIN);
421 return ERR_PTR(-ENOENT);
424 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
425 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
426 .len = NFT_TABLE_MAXNAMELEN - 1 },
427 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
428 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
431 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
432 u32 portid, u32 seq, int event, u32 flags,
433 int family, const struct nft_table *table)
435 struct nlmsghdr *nlh;
436 struct nfgenmsg *nfmsg;
438 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
439 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
441 goto nla_put_failure;
443 nfmsg = nlmsg_data(nlh);
444 nfmsg->nfgen_family = family;
445 nfmsg->version = NFNETLINK_V0;
446 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
448 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
449 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
450 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
451 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
453 goto nla_put_failure;
459 nlmsg_trim(skb, nlh);
463 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
469 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
472 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
476 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
477 event, 0, ctx->family, ctx->table);
483 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
484 ctx->report, GFP_KERNEL);
487 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
490 static int nf_tables_dump_tables(struct sk_buff *skb,
491 struct netlink_callback *cb)
493 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
494 const struct nft_table *table;
495 unsigned int idx = 0, s_idx = cb->args[0];
496 struct net *net = sock_net(skb->sk);
497 int family = nfmsg->nfgen_family;
500 cb->seq = net->nft.base_seq;
502 list_for_each_entry_rcu(table, &net->nft.tables, list) {
503 if (family != NFPROTO_UNSPEC && family != table->family)
509 memset(&cb->args[1], 0,
510 sizeof(cb->args) - sizeof(cb->args[0]));
511 if (!nft_is_active(net, table))
513 if (nf_tables_fill_table_info(skb, net,
514 NETLINK_CB(cb->skb).portid,
516 NFT_MSG_NEWTABLE, NLM_F_MULTI,
517 table->family, table) < 0)
520 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
530 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
531 struct sk_buff *skb, const struct nlmsghdr *nlh,
532 const struct nlattr * const nla[],
533 struct netlink_ext_ack *extack)
535 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
536 u8 genmask = nft_genmask_cur(net);
537 const struct nft_table *table;
538 struct sk_buff *skb2;
539 int family = nfmsg->nfgen_family;
542 if (nlh->nlmsg_flags & NLM_F_DUMP) {
543 struct netlink_dump_control c = {
544 .dump = nf_tables_dump_tables,
546 return netlink_dump_start(nlsk, skb, nlh, &c);
549 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family,
552 return PTR_ERR(table);
554 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
558 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
559 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
564 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
571 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
573 struct nft_chain *chain;
576 list_for_each_entry(chain, &table->chains, list) {
577 if (!nft_is_active_next(net, chain))
579 if (!nft_is_base_chain(chain))
582 if (cnt && i++ == cnt)
585 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
589 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
591 struct nft_chain *chain;
594 list_for_each_entry(chain, &table->chains, list) {
595 if (!nft_is_active_next(net, chain))
597 if (!nft_is_base_chain(chain))
600 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
609 nft_table_disable(net, table, i);
613 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
615 nft_table_disable(net, table, 0);
618 static int nf_tables_updtable(struct nft_ctx *ctx)
620 struct nft_trans *trans;
624 if (!ctx->nla[NFTA_TABLE_FLAGS])
627 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
628 if (flags & ~NFT_TABLE_F_DORMANT)
631 if (flags == ctx->table->flags)
634 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
635 sizeof(struct nft_trans_table));
639 if ((flags & NFT_TABLE_F_DORMANT) &&
640 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
641 nft_trans_table_enable(trans) = false;
642 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
643 ctx->table->flags & NFT_TABLE_F_DORMANT) {
644 ret = nf_tables_table_enable(ctx->net, ctx->table);
646 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
647 nft_trans_table_enable(trans) = true;
653 nft_trans_table_update(trans) = true;
654 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
657 nft_trans_destroy(trans);
661 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
662 struct sk_buff *skb, const struct nlmsghdr *nlh,
663 const struct nlattr * const nla[],
664 struct netlink_ext_ack *extack)
666 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
667 u8 genmask = nft_genmask_next(net);
668 const struct nlattr *name;
669 struct nft_table *table;
670 int family = nfmsg->nfgen_family;
675 name = nla[NFTA_TABLE_NAME];
676 table = nf_tables_table_lookup(net, name, family, genmask);
678 if (PTR_ERR(table) != -ENOENT)
679 return PTR_ERR(table);
681 if (nlh->nlmsg_flags & NLM_F_EXCL)
683 if (nlh->nlmsg_flags & NLM_F_REPLACE)
686 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
687 return nf_tables_updtable(&ctx);
690 if (nla[NFTA_TABLE_FLAGS]) {
691 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
692 if (flags & ~NFT_TABLE_F_DORMANT)
697 table = kzalloc(sizeof(*table), GFP_KERNEL);
701 table->name = nla_strdup(name, GFP_KERNEL);
702 if (table->name == NULL)
705 INIT_LIST_HEAD(&table->chains);
706 INIT_LIST_HEAD(&table->sets);
707 INIT_LIST_HEAD(&table->objects);
708 INIT_LIST_HEAD(&table->flowtables);
709 table->family = family;
710 table->flags = flags;
711 table->handle = ++table_handle;
713 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
714 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
718 list_add_tail_rcu(&table->list, &net->nft.tables);
728 static int nft_flush_table(struct nft_ctx *ctx)
730 struct nft_flowtable *flowtable, *nft;
731 struct nft_chain *chain, *nc;
732 struct nft_object *obj, *ne;
733 struct nft_set *set, *ns;
736 list_for_each_entry(chain, &ctx->table->chains, list) {
737 if (!nft_is_active_next(ctx->net, chain))
742 err = nft_delrule_by_chain(ctx);
747 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
748 if (!nft_is_active_next(ctx->net, set))
751 if (nft_set_is_anonymous(set) &&
752 !list_empty(&set->bindings))
755 err = nft_delset(ctx, set);
760 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
761 err = nft_delflowtable(ctx, flowtable);
766 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
767 err = nft_delobj(ctx, obj);
772 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
773 if (!nft_is_active_next(ctx->net, chain))
778 err = nft_delchain(ctx);
783 err = nft_deltable(ctx);
788 static int nft_flush(struct nft_ctx *ctx, int family)
790 struct nft_table *table, *nt;
791 const struct nlattr * const *nla = ctx->nla;
794 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
795 if (family != AF_UNSPEC && table->family != family)
798 ctx->family = table->family;
800 if (!nft_is_active_next(ctx->net, table))
803 if (nla[NFTA_TABLE_NAME] &&
804 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
809 err = nft_flush_table(ctx);
817 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
818 struct sk_buff *skb, const struct nlmsghdr *nlh,
819 const struct nlattr * const nla[],
820 struct netlink_ext_ack *extack)
822 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
823 u8 genmask = nft_genmask_next(net);
824 struct nft_table *table;
825 int family = nfmsg->nfgen_family;
828 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
829 if (family == AF_UNSPEC ||
830 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
831 return nft_flush(&ctx, family);
833 if (nla[NFTA_TABLE_HANDLE])
834 table = nf_tables_table_lookup_byhandle(net,
835 nla[NFTA_TABLE_HANDLE],
838 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME],
842 return PTR_ERR(table);
844 if (nlh->nlmsg_flags & NLM_F_NONREC &&
851 return nft_flush_table(&ctx);
854 static void nf_tables_table_destroy(struct nft_ctx *ctx)
856 BUG_ON(ctx->table->use > 0);
858 kfree(ctx->table->name);
862 int nft_register_chain_type(const struct nf_chain_type *ctype)
866 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
869 nfnl_lock(NFNL_SUBSYS_NFTABLES);
870 if (chain_type[ctype->family][ctype->type] != NULL) {
874 chain_type[ctype->family][ctype->type] = ctype;
876 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
879 EXPORT_SYMBOL_GPL(nft_register_chain_type);
881 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
883 nfnl_lock(NFNL_SUBSYS_NFTABLES);
884 chain_type[ctype->family][ctype->type] = NULL;
885 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
887 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
893 static struct nft_chain *
894 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
897 struct nft_chain *chain;
899 list_for_each_entry(chain, &table->chains, list) {
900 if (chain->handle == handle &&
901 nft_active_genmask(chain, genmask))
905 return ERR_PTR(-ENOENT);
908 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
909 const struct nlattr *nla,
912 struct nft_chain *chain;
915 return ERR_PTR(-EINVAL);
917 list_for_each_entry(chain, &table->chains, list) {
918 if (!nla_strcmp(nla, chain->name) &&
919 nft_active_genmask(chain, genmask))
923 return ERR_PTR(-ENOENT);
926 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
927 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
928 .len = NFT_TABLE_MAXNAMELEN - 1 },
929 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
930 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
931 .len = NFT_CHAIN_MAXNAMELEN - 1 },
932 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
933 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
934 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
935 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
938 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
939 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
940 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
941 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
942 .len = IFNAMSIZ - 1 },
945 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
947 struct nft_stats *cpu_stats, total;
953 memset(&total, 0, sizeof(total));
954 for_each_possible_cpu(cpu) {
955 cpu_stats = per_cpu_ptr(stats, cpu);
957 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
958 pkts = cpu_stats->pkts;
959 bytes = cpu_stats->bytes;
960 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
962 total.bytes += bytes;
964 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
966 goto nla_put_failure;
968 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
970 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
972 goto nla_put_failure;
974 nla_nest_end(skb, nest);
981 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
982 u32 portid, u32 seq, int event, u32 flags,
983 int family, const struct nft_table *table,
984 const struct nft_chain *chain)
986 struct nlmsghdr *nlh;
987 struct nfgenmsg *nfmsg;
989 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
990 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
992 goto nla_put_failure;
994 nfmsg = nlmsg_data(nlh);
995 nfmsg->nfgen_family = family;
996 nfmsg->version = NFNETLINK_V0;
997 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
999 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1000 goto nla_put_failure;
1001 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1003 goto nla_put_failure;
1004 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1005 goto nla_put_failure;
1007 if (nft_is_base_chain(chain)) {
1008 const struct nft_base_chain *basechain = nft_base_chain(chain);
1009 const struct nf_hook_ops *ops = &basechain->ops;
1010 struct nlattr *nest;
1012 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1014 goto nla_put_failure;
1015 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1016 goto nla_put_failure;
1017 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1018 goto nla_put_failure;
1019 if (basechain->dev_name[0] &&
1020 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1021 goto nla_put_failure;
1022 nla_nest_end(skb, nest);
1024 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1025 htonl(basechain->policy)))
1026 goto nla_put_failure;
1028 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1029 goto nla_put_failure;
1031 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1032 goto nla_put_failure;
1035 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1036 goto nla_put_failure;
1038 nlmsg_end(skb, nlh);
1042 nlmsg_trim(skb, nlh);
1046 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1048 struct sk_buff *skb;
1052 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1055 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1059 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1060 event, 0, ctx->family, ctx->table,
1067 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1068 ctx->report, GFP_KERNEL);
1071 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1074 static int nf_tables_dump_chains(struct sk_buff *skb,
1075 struct netlink_callback *cb)
1077 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1078 const struct nft_table *table;
1079 const struct nft_chain *chain;
1080 unsigned int idx = 0, s_idx = cb->args[0];
1081 struct net *net = sock_net(skb->sk);
1082 int family = nfmsg->nfgen_family;
1085 cb->seq = net->nft.base_seq;
1087 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1088 if (family != NFPROTO_UNSPEC && family != table->family)
1091 list_for_each_entry_rcu(chain, &table->chains, list) {
1095 memset(&cb->args[1], 0,
1096 sizeof(cb->args) - sizeof(cb->args[0]));
1097 if (!nft_is_active(net, chain))
1099 if (nf_tables_fill_chain_info(skb, net,
1100 NETLINK_CB(cb->skb).portid,
1104 table->family, table,
1108 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1119 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1120 struct sk_buff *skb, const struct nlmsghdr *nlh,
1121 const struct nlattr * const nla[],
1122 struct netlink_ext_ack *extack)
1124 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1125 u8 genmask = nft_genmask_cur(net);
1126 const struct nft_table *table;
1127 const struct nft_chain *chain;
1128 struct sk_buff *skb2;
1129 int family = nfmsg->nfgen_family;
1132 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1133 struct netlink_dump_control c = {
1134 .dump = nf_tables_dump_chains,
1136 return netlink_dump_start(nlsk, skb, nlh, &c);
1139 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1142 return PTR_ERR(table);
1144 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1146 return PTR_ERR(chain);
1148 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1152 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1153 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1154 family, table, chain);
1158 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1165 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1166 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1167 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1170 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1172 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1173 struct nft_stats __percpu *newstats;
1174 struct nft_stats *stats;
1177 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1180 return ERR_PTR(err);
1182 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1183 return ERR_PTR(-EINVAL);
1185 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1186 if (newstats == NULL)
1187 return ERR_PTR(-ENOMEM);
1189 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1190 * are not exposed to userspace.
1193 stats = this_cpu_ptr(newstats);
1194 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1195 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1201 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1202 struct nft_stats __percpu *newstats)
1204 struct nft_stats __percpu *oldstats;
1206 if (newstats == NULL)
1210 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1211 rcu_assign_pointer(chain->stats, newstats);
1213 free_percpu(oldstats);
1215 rcu_assign_pointer(chain->stats, newstats);
1218 static void nf_tables_chain_destroy(struct nft_chain *chain)
1220 BUG_ON(chain->use > 0);
1222 if (nft_is_base_chain(chain)) {
1223 struct nft_base_chain *basechain = nft_base_chain(chain);
1225 module_put(basechain->type->owner);
1226 free_percpu(basechain->stats);
1227 if (basechain->stats)
1228 static_branch_dec(&nft_counters_enabled);
1229 if (basechain->ops.dev != NULL)
1230 dev_put(basechain->ops.dev);
1239 struct nft_chain_hook {
1242 const struct nf_chain_type *type;
1243 struct net_device *dev;
1246 static int nft_chain_parse_hook(struct net *net,
1247 const struct nlattr * const nla[],
1248 struct nft_chain_hook *hook, u8 family,
1251 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1252 const struct nf_chain_type *type;
1253 struct net_device *dev;
1256 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1257 nft_hook_policy, NULL);
1261 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1262 ha[NFTA_HOOK_PRIORITY] == NULL)
1265 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1266 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1268 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1269 if (nla[NFTA_CHAIN_TYPE]) {
1270 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1273 return PTR_ERR(type);
1275 if (!(type->hook_mask & (1 << hook->num)))
1278 if (type->type == NFT_CHAIN_T_NAT &&
1279 hook->priority <= NF_IP_PRI_CONNTRACK)
1282 if (!try_module_get(type->owner))
1288 if (family == NFPROTO_NETDEV) {
1289 char ifname[IFNAMSIZ];
1291 if (!ha[NFTA_HOOK_DEV]) {
1292 module_put(type->owner);
1296 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1297 dev = dev_get_by_name(net, ifname);
1299 module_put(type->owner);
1303 } else if (ha[NFTA_HOOK_DEV]) {
1304 module_put(type->owner);
1311 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1313 module_put(hook->type->owner);
1314 if (hook->dev != NULL)
1318 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1319 u8 policy, bool create)
1321 const struct nlattr * const *nla = ctx->nla;
1322 struct nft_table *table = ctx->table;
1323 struct nft_base_chain *basechain;
1324 struct nft_stats __percpu *stats;
1325 struct net *net = ctx->net;
1326 struct nft_chain *chain;
1329 if (table->use == UINT_MAX)
1332 if (nla[NFTA_CHAIN_HOOK]) {
1333 struct nft_chain_hook hook;
1334 struct nf_hook_ops *ops;
1336 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1340 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1341 if (basechain == NULL) {
1342 nft_chain_release_hook(&hook);
1346 if (hook.dev != NULL)
1347 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1349 if (nla[NFTA_CHAIN_COUNTERS]) {
1350 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1351 if (IS_ERR(stats)) {
1352 nft_chain_release_hook(&hook);
1354 return PTR_ERR(stats);
1356 basechain->stats = stats;
1357 static_branch_inc(&nft_counters_enabled);
1360 basechain->type = hook.type;
1361 chain = &basechain->chain;
1363 ops = &basechain->ops;
1365 ops->hooknum = hook.num;
1366 ops->priority = hook.priority;
1368 ops->hook = hook.type->hooks[ops->hooknum];
1369 ops->dev = hook.dev;
1371 if (basechain->type->type == NFT_CHAIN_T_NAT)
1372 ops->nat_hook = true;
1374 chain->flags |= NFT_BASE_CHAIN;
1375 basechain->policy = policy;
1377 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1381 INIT_LIST_HEAD(&chain->rules);
1382 chain->handle = nf_tables_alloc_handle(table);
1383 chain->table = table;
1384 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1390 err = nf_tables_register_hook(net, table, chain);
1395 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1400 list_add_tail_rcu(&chain->list, &table->chains);
1404 nf_tables_unregister_hook(net, table, chain);
1406 nf_tables_chain_destroy(chain);
1411 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1414 const struct nlattr * const *nla = ctx->nla;
1415 struct nft_table *table = ctx->table;
1416 struct nft_chain *chain = ctx->chain;
1417 struct nft_base_chain *basechain;
1418 struct nft_stats *stats = NULL;
1419 struct nft_chain_hook hook;
1420 const struct nlattr *name;
1421 struct nf_hook_ops *ops;
1422 struct nft_trans *trans;
1425 if (nla[NFTA_CHAIN_HOOK]) {
1426 if (!nft_is_base_chain(chain))
1429 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1434 basechain = nft_base_chain(chain);
1435 if (basechain->type != hook.type) {
1436 nft_chain_release_hook(&hook);
1440 ops = &basechain->ops;
1441 if (ops->hooknum != hook.num ||
1442 ops->priority != hook.priority ||
1443 ops->dev != hook.dev) {
1444 nft_chain_release_hook(&hook);
1447 nft_chain_release_hook(&hook);
1450 if (nla[NFTA_CHAIN_HANDLE] &&
1451 nla[NFTA_CHAIN_NAME]) {
1452 struct nft_chain *chain2;
1454 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1456 if (!IS_ERR(chain2))
1460 if (nla[NFTA_CHAIN_COUNTERS]) {
1461 if (!nft_is_base_chain(chain))
1464 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1466 return PTR_ERR(stats);
1469 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1470 sizeof(struct nft_trans_chain));
1471 if (trans == NULL) {
1476 nft_trans_chain_stats(trans) = stats;
1477 nft_trans_chain_update(trans) = true;
1479 if (nla[NFTA_CHAIN_POLICY])
1480 nft_trans_chain_policy(trans) = policy;
1482 nft_trans_chain_policy(trans) = -1;
1484 name = nla[NFTA_CHAIN_NAME];
1485 if (nla[NFTA_CHAIN_HANDLE] && name) {
1486 nft_trans_chain_name(trans) =
1487 nla_strdup(name, GFP_KERNEL);
1488 if (!nft_trans_chain_name(trans)) {
1494 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1499 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1500 struct sk_buff *skb, const struct nlmsghdr *nlh,
1501 const struct nlattr * const nla[],
1502 struct netlink_ext_ack *extack)
1504 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1505 const struct nlattr * uninitialized_var(name);
1506 u8 genmask = nft_genmask_next(net);
1507 int family = nfmsg->nfgen_family;
1508 struct nft_table *table;
1509 struct nft_chain *chain;
1510 u8 policy = NF_ACCEPT;
1515 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1517 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1520 return PTR_ERR(table);
1523 name = nla[NFTA_CHAIN_NAME];
1525 if (nla[NFTA_CHAIN_HANDLE]) {
1526 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1527 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1529 return PTR_ERR(chain);
1531 chain = nf_tables_chain_lookup(table, name, genmask);
1532 if (IS_ERR(chain)) {
1533 if (PTR_ERR(chain) != -ENOENT)
1534 return PTR_ERR(chain);
1539 if (nla[NFTA_CHAIN_POLICY]) {
1540 if (chain != NULL &&
1541 !nft_is_base_chain(chain))
1544 if (chain == NULL &&
1545 nla[NFTA_CHAIN_HOOK] == NULL)
1548 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1558 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1560 if (chain != NULL) {
1561 if (nlh->nlmsg_flags & NLM_F_EXCL)
1563 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1566 return nf_tables_updchain(&ctx, genmask, policy, create);
1569 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1572 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1573 struct sk_buff *skb, const struct nlmsghdr *nlh,
1574 const struct nlattr * const nla[],
1575 struct netlink_ext_ack *extack)
1577 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1578 u8 genmask = nft_genmask_next(net);
1579 struct nft_table *table;
1580 struct nft_chain *chain;
1581 struct nft_rule *rule;
1582 int family = nfmsg->nfgen_family;
1588 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1591 return PTR_ERR(table);
1593 if (nla[NFTA_CHAIN_HANDLE]) {
1594 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1595 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1597 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1600 return PTR_ERR(chain);
1602 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1606 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1609 list_for_each_entry(rule, &chain->rules, list) {
1610 if (!nft_is_active_next(net, rule))
1614 err = nft_delrule(&ctx, rule);
1619 /* There are rules and elements that are still holding references to us,
1620 * we cannot do a recursive removal in this case.
1625 return nft_delchain(&ctx);
1633 * nft_register_expr - register nf_tables expr type
1636 * Registers the expr type for use with nf_tables. Returns zero on
1637 * success or a negative errno code otherwise.
1639 int nft_register_expr(struct nft_expr_type *type)
1641 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1642 if (type->family == NFPROTO_UNSPEC)
1643 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1645 list_add_rcu(&type->list, &nf_tables_expressions);
1646 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1649 EXPORT_SYMBOL_GPL(nft_register_expr);
1652 * nft_unregister_expr - unregister nf_tables expr type
1655 * Unregisters the expr typefor use with nf_tables.
1657 void nft_unregister_expr(struct nft_expr_type *type)
1659 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1660 list_del_rcu(&type->list);
1661 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1663 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1665 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1668 const struct nft_expr_type *type;
1670 list_for_each_entry(type, &nf_tables_expressions, list) {
1671 if (!nla_strcmp(nla, type->name) &&
1672 (!type->family || type->family == family))
1678 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1681 const struct nft_expr_type *type;
1684 return ERR_PTR(-EINVAL);
1686 type = __nft_expr_type_get(family, nla);
1687 if (type != NULL && try_module_get(type->owner))
1690 #ifdef CONFIG_MODULES
1692 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1693 request_module("nft-expr-%u-%.*s", family,
1694 nla_len(nla), (char *)nla_data(nla));
1695 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1696 if (__nft_expr_type_get(family, nla))
1697 return ERR_PTR(-EAGAIN);
1699 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1700 request_module("nft-expr-%.*s",
1701 nla_len(nla), (char *)nla_data(nla));
1702 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1703 if (__nft_expr_type_get(family, nla))
1704 return ERR_PTR(-EAGAIN);
1707 return ERR_PTR(-ENOENT);
1710 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1711 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1712 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1715 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1716 const struct nft_expr *expr)
1718 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1719 goto nla_put_failure;
1721 if (expr->ops->dump) {
1722 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1724 goto nla_put_failure;
1725 if (expr->ops->dump(skb, expr) < 0)
1726 goto nla_put_failure;
1727 nla_nest_end(skb, data);
1736 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1737 const struct nft_expr *expr)
1739 struct nlattr *nest;
1741 nest = nla_nest_start(skb, attr);
1743 goto nla_put_failure;
1744 if (nf_tables_fill_expr_info(skb, expr) < 0)
1745 goto nla_put_failure;
1746 nla_nest_end(skb, nest);
1753 struct nft_expr_info {
1754 const struct nft_expr_ops *ops;
1755 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1758 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1759 const struct nlattr *nla,
1760 struct nft_expr_info *info)
1762 const struct nft_expr_type *type;
1763 const struct nft_expr_ops *ops;
1764 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1767 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1771 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1773 return PTR_ERR(type);
1775 if (tb[NFTA_EXPR_DATA]) {
1776 err = nla_parse_nested(info->tb, type->maxattr,
1777 tb[NFTA_EXPR_DATA], type->policy, NULL);
1781 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1783 if (type->select_ops != NULL) {
1784 ops = type->select_ops(ctx,
1785 (const struct nlattr * const *)info->tb);
1797 module_put(type->owner);
1801 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1802 const struct nft_expr_info *info,
1803 struct nft_expr *expr)
1805 const struct nft_expr_ops *ops = info->ops;
1810 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1815 if (ops->validate) {
1816 const struct nft_data *data = NULL;
1818 err = ops->validate(ctx, expr, &data);
1827 ops->destroy(ctx, expr);
1833 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1834 struct nft_expr *expr)
1836 if (expr->ops->destroy)
1837 expr->ops->destroy(ctx, expr);
1838 module_put(expr->ops->type->owner);
1841 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1842 const struct nlattr *nla)
1844 struct nft_expr_info info;
1845 struct nft_expr *expr;
1848 err = nf_tables_expr_parse(ctx, nla, &info);
1853 expr = kzalloc(info.ops->size, GFP_KERNEL);
1857 err = nf_tables_newexpr(ctx, &info, expr);
1865 module_put(info.ops->type->owner);
1867 return ERR_PTR(err);
1870 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1872 nf_tables_expr_destroy(ctx, expr);
1880 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1883 struct nft_rule *rule;
1885 // FIXME: this sucks
1886 list_for_each_entry(rule, &chain->rules, list) {
1887 if (handle == rule->handle)
1891 return ERR_PTR(-ENOENT);
1894 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1895 const struct nlattr *nla)
1898 return ERR_PTR(-EINVAL);
1900 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1903 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1904 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1905 .len = NFT_TABLE_MAXNAMELEN - 1 },
1906 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1907 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1908 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1909 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1910 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1911 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1912 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1913 .len = NFT_USERDATA_MAXLEN },
1916 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1917 u32 portid, u32 seq, int event,
1918 u32 flags, int family,
1919 const struct nft_table *table,
1920 const struct nft_chain *chain,
1921 const struct nft_rule *rule)
1923 struct nlmsghdr *nlh;
1924 struct nfgenmsg *nfmsg;
1925 const struct nft_expr *expr, *next;
1926 struct nlattr *list;
1927 const struct nft_rule *prule;
1928 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1930 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1932 goto nla_put_failure;
1934 nfmsg = nlmsg_data(nlh);
1935 nfmsg->nfgen_family = family;
1936 nfmsg->version = NFNETLINK_V0;
1937 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1939 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1940 goto nla_put_failure;
1941 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1942 goto nla_put_failure;
1943 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1945 goto nla_put_failure;
1947 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1948 prule = list_prev_entry(rule, list);
1949 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1950 cpu_to_be64(prule->handle),
1952 goto nla_put_failure;
1955 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1957 goto nla_put_failure;
1958 nft_rule_for_each_expr(expr, next, rule) {
1959 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1960 goto nla_put_failure;
1962 nla_nest_end(skb, list);
1965 struct nft_userdata *udata = nft_userdata(rule);
1966 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1968 goto nla_put_failure;
1971 nlmsg_end(skb, nlh);
1975 nlmsg_trim(skb, nlh);
1979 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
1980 const struct nft_rule *rule, int event)
1982 struct sk_buff *skb;
1986 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1989 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1993 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1994 event, 0, ctx->family, ctx->table,
2001 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2002 ctx->report, GFP_KERNEL);
2005 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2008 struct nft_rule_dump_ctx {
2013 static int nf_tables_dump_rules(struct sk_buff *skb,
2014 struct netlink_callback *cb)
2016 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2017 const struct nft_rule_dump_ctx *ctx = cb->data;
2018 const struct nft_table *table;
2019 const struct nft_chain *chain;
2020 const struct nft_rule *rule;
2021 unsigned int idx = 0, s_idx = cb->args[0];
2022 struct net *net = sock_net(skb->sk);
2023 int family = nfmsg->nfgen_family;
2026 cb->seq = net->nft.base_seq;
2028 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2029 if (family != NFPROTO_UNSPEC && family != table->family)
2032 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2035 list_for_each_entry_rcu(chain, &table->chains, list) {
2036 if (ctx && ctx->chain &&
2037 strcmp(ctx->chain, chain->name) != 0)
2040 list_for_each_entry_rcu(rule, &chain->rules, list) {
2041 if (!nft_is_active(net, rule))
2046 memset(&cb->args[1], 0,
2047 sizeof(cb->args) - sizeof(cb->args[0]));
2048 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2051 NLM_F_MULTI | NLM_F_APPEND,
2053 table, chain, rule) < 0)
2056 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2069 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2071 struct nft_rule_dump_ctx *ctx = cb->data;
2081 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2082 struct sk_buff *skb, const struct nlmsghdr *nlh,
2083 const struct nlattr * const nla[],
2084 struct netlink_ext_ack *extack)
2086 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2087 u8 genmask = nft_genmask_cur(net);
2088 const struct nft_table *table;
2089 const struct nft_chain *chain;
2090 const struct nft_rule *rule;
2091 struct sk_buff *skb2;
2092 int family = nfmsg->nfgen_family;
2095 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2096 struct netlink_dump_control c = {
2097 .dump = nf_tables_dump_rules,
2098 .done = nf_tables_dump_rules_done,
2101 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2102 struct nft_rule_dump_ctx *ctx;
2104 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2108 if (nla[NFTA_RULE_TABLE]) {
2109 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2116 if (nla[NFTA_RULE_CHAIN]) {
2117 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2128 return netlink_dump_start(nlsk, skb, nlh, &c);
2131 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2134 return PTR_ERR(table);
2136 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2138 return PTR_ERR(chain);
2140 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2142 return PTR_ERR(rule);
2144 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2148 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2149 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2150 family, table, chain, rule);
2154 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2161 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2162 struct nft_rule *rule)
2164 struct nft_expr *expr;
2167 * Careful: some expressions might not be initialized in case this
2168 * is called on error from nf_tables_newrule().
2170 expr = nft_expr_first(rule);
2171 while (expr != nft_expr_last(rule) && expr->ops) {
2172 nf_tables_expr_destroy(ctx, expr);
2173 expr = nft_expr_next(expr);
2178 #define NFT_RULE_MAXEXPRS 128
2180 static struct nft_expr_info *info;
2182 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2183 struct sk_buff *skb, const struct nlmsghdr *nlh,
2184 const struct nlattr * const nla[],
2185 struct netlink_ext_ack *extack)
2187 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2188 u8 genmask = nft_genmask_next(net);
2189 int family = nfmsg->nfgen_family;
2190 struct nft_table *table;
2191 struct nft_chain *chain;
2192 struct nft_rule *rule, *old_rule = NULL;
2193 struct nft_userdata *udata;
2194 struct nft_trans *trans = NULL;
2195 struct nft_expr *expr;
2198 unsigned int size, i, n, ulen = 0, usize = 0;
2201 u64 handle, pos_handle;
2203 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2205 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2208 return PTR_ERR(table);
2210 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2212 return PTR_ERR(chain);
2214 if (nla[NFTA_RULE_HANDLE]) {
2215 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2216 rule = __nf_tables_rule_lookup(chain, handle);
2218 return PTR_ERR(rule);
2220 if (nlh->nlmsg_flags & NLM_F_EXCL)
2222 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2227 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2229 handle = nf_tables_alloc_handle(table);
2231 if (chain->use == UINT_MAX)
2235 if (nla[NFTA_RULE_POSITION]) {
2236 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2239 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2240 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2241 if (IS_ERR(old_rule))
2242 return PTR_ERR(old_rule);
2245 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2249 if (nla[NFTA_RULE_EXPRESSIONS]) {
2250 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2252 if (nla_type(tmp) != NFTA_LIST_ELEM)
2254 if (n == NFT_RULE_MAXEXPRS)
2256 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2259 size += info[n].ops->size;
2263 /* Check for overflow of dlen field */
2265 if (size >= 1 << 12)
2268 if (nla[NFTA_RULE_USERDATA]) {
2269 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2271 usize = sizeof(struct nft_userdata) + ulen;
2275 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2279 nft_activate_next(net, rule);
2281 rule->handle = handle;
2283 rule->udata = ulen ? 1 : 0;
2286 udata = nft_userdata(rule);
2287 udata->len = ulen - 1;
2288 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2291 expr = nft_expr_first(rule);
2292 for (i = 0; i < n; i++) {
2293 err = nf_tables_newexpr(&ctx, &info[i], expr);
2297 expr = nft_expr_next(expr);
2300 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2301 if (nft_is_active_next(net, old_rule)) {
2302 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2304 if (trans == NULL) {
2308 nft_deactivate_next(net, old_rule);
2310 list_add_tail_rcu(&rule->list, &old_rule->list);
2315 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2317 list_add_rcu(&rule->list, &old_rule->list);
2319 list_add_tail_rcu(&rule->list, &chain->rules);
2322 list_add_tail_rcu(&rule->list, &old_rule->list);
2324 list_add_rcu(&rule->list, &chain->rules);
2327 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2335 list_del_rcu(&rule->list);
2337 nf_tables_rule_destroy(&ctx, rule);
2339 for (i = 0; i < n; i++) {
2340 if (info[i].ops != NULL)
2341 module_put(info[i].ops->type->owner);
2346 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2347 const struct nlattr *nla)
2349 u32 id = ntohl(nla_get_be32(nla));
2350 struct nft_trans *trans;
2352 list_for_each_entry(trans, &net->nft.commit_list, list) {
2353 struct nft_rule *rule = nft_trans_rule(trans);
2355 if (trans->msg_type == NFT_MSG_NEWRULE &&
2356 id == nft_trans_rule_id(trans))
2359 return ERR_PTR(-ENOENT);
2362 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2363 struct sk_buff *skb, const struct nlmsghdr *nlh,
2364 const struct nlattr * const nla[],
2365 struct netlink_ext_ack *extack)
2367 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2368 u8 genmask = nft_genmask_next(net);
2369 struct nft_table *table;
2370 struct nft_chain *chain = NULL;
2371 struct nft_rule *rule;
2372 int family = nfmsg->nfgen_family, err = 0;
2375 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2378 return PTR_ERR(table);
2380 if (nla[NFTA_RULE_CHAIN]) {
2381 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2384 return PTR_ERR(chain);
2387 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2390 if (nla[NFTA_RULE_HANDLE]) {
2391 rule = nf_tables_rule_lookup(chain,
2392 nla[NFTA_RULE_HANDLE]);
2394 return PTR_ERR(rule);
2396 err = nft_delrule(&ctx, rule);
2397 } else if (nla[NFTA_RULE_ID]) {
2398 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2400 return PTR_ERR(rule);
2402 err = nft_delrule(&ctx, rule);
2404 err = nft_delrule_by_chain(&ctx);
2407 list_for_each_entry(chain, &table->chains, list) {
2408 if (!nft_is_active_next(net, chain))
2412 err = nft_delrule_by_chain(&ctx);
2425 static LIST_HEAD(nf_tables_set_types);
2427 int nft_register_set(struct nft_set_type *type)
2429 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2430 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2431 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2434 EXPORT_SYMBOL_GPL(nft_register_set);
2436 void nft_unregister_set(struct nft_set_type *type)
2438 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2439 list_del_rcu(&type->list);
2440 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2442 EXPORT_SYMBOL_GPL(nft_unregister_set);
2444 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2445 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2447 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2449 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2453 * Select a set implementation based on the data characteristics and the
2454 * given policy. The total memory use might not be known if no size is
2455 * given, in that case the amount of memory per element is used.
2457 static const struct nft_set_ops *
2458 nft_select_set_ops(const struct nft_ctx *ctx,
2459 const struct nlattr * const nla[],
2460 const struct nft_set_desc *desc,
2461 enum nft_set_policies policy)
2463 const struct nft_set_ops *ops, *bops;
2464 struct nft_set_estimate est, best;
2465 const struct nft_set_type *type;
2468 #ifdef CONFIG_MODULES
2469 if (list_empty(&nf_tables_set_types)) {
2470 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2471 request_module("nft-set");
2472 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2473 if (!list_empty(&nf_tables_set_types))
2474 return ERR_PTR(-EAGAIN);
2477 if (nla[NFTA_SET_FLAGS] != NULL)
2478 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2485 list_for_each_entry(type, &nf_tables_set_types, list) {
2486 if (!type->select_ops)
2489 ops = type->select_ops(ctx, desc, flags);
2493 if (!nft_set_ops_candidate(ops, flags))
2495 if (!ops->estimate(desc, flags, &est))
2499 case NFT_SET_POL_PERFORMANCE:
2500 if (est.lookup < best.lookup)
2502 if (est.lookup == best.lookup &&
2503 est.space < best.space)
2506 case NFT_SET_POL_MEMORY:
2508 if (est.space < best.space)
2510 if (est.space == best.space &&
2511 est.lookup < best.lookup)
2513 } else if (est.size < best.size) {
2521 if (!try_module_get(type->owner))
2524 module_put(bops->type->owner);
2533 return ERR_PTR(-EOPNOTSUPP);
2536 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2537 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2538 .len = NFT_TABLE_MAXNAMELEN - 1 },
2539 [NFTA_SET_NAME] = { .type = NLA_STRING,
2540 .len = NFT_SET_MAXNAMELEN - 1 },
2541 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2542 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2543 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2544 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2545 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2546 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2547 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2548 [NFTA_SET_ID] = { .type = NLA_U32 },
2549 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2550 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2551 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2552 .len = NFT_USERDATA_MAXLEN },
2553 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2554 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2557 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2558 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2561 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2562 const struct sk_buff *skb,
2563 const struct nlmsghdr *nlh,
2564 const struct nlattr * const nla[],
2567 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2568 int family = nfmsg->nfgen_family;
2569 struct nft_table *table = NULL;
2571 if (nla[NFTA_SET_TABLE] != NULL) {
2572 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
2575 return PTR_ERR(table);
2578 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2582 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2583 const struct nlattr *nla, u8 genmask)
2585 struct nft_set *set;
2588 return ERR_PTR(-EINVAL);
2590 list_for_each_entry(set, &table->sets, list) {
2591 if (!nla_strcmp(nla, set->name) &&
2592 nft_active_genmask(set, genmask))
2595 return ERR_PTR(-ENOENT);
2598 static struct nft_set *nf_tables_set_lookup_byhandle(const struct nft_table *table,
2599 const struct nlattr *nla, u8 genmask)
2601 struct nft_set *set;
2604 return ERR_PTR(-EINVAL);
2606 list_for_each_entry(set, &table->sets, list) {
2607 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2608 nft_active_genmask(set, genmask))
2611 return ERR_PTR(-ENOENT);
2614 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2615 const struct nlattr *nla,
2618 struct nft_trans *trans;
2619 u32 id = ntohl(nla_get_be32(nla));
2621 list_for_each_entry(trans, &net->nft.commit_list, list) {
2622 struct nft_set *set = nft_trans_set(trans);
2624 if (trans->msg_type == NFT_MSG_NEWSET &&
2625 id == nft_trans_set_id(trans) &&
2626 nft_active_genmask(set, genmask))
2629 return ERR_PTR(-ENOENT);
2632 struct nft_set *nft_set_lookup(const struct net *net,
2633 const struct nft_table *table,
2634 const struct nlattr *nla_set_name,
2635 const struct nlattr *nla_set_id,
2638 struct nft_set *set;
2640 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2645 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2649 EXPORT_SYMBOL_GPL(nft_set_lookup);
2651 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2654 const struct nft_set *i;
2656 unsigned long *inuse;
2657 unsigned int n = 0, min = 0;
2659 p = strchr(name, '%');
2661 if (p[1] != 'd' || strchr(p + 2, '%'))
2664 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2668 list_for_each_entry(i, &ctx->table->sets, list) {
2671 if (!nft_is_active_next(ctx->net, set))
2673 if (!sscanf(i->name, name, &tmp))
2675 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2678 set_bit(tmp - min, inuse);
2681 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2682 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2683 min += BITS_PER_BYTE * PAGE_SIZE;
2684 memset(inuse, 0, PAGE_SIZE);
2687 free_page((unsigned long)inuse);
2690 set->name = kasprintf(GFP_KERNEL, name, min + n);
2694 list_for_each_entry(i, &ctx->table->sets, list) {
2695 if (!nft_is_active_next(ctx->net, i))
2697 if (!strcmp(set->name, i->name)) {
2705 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2706 const struct nft_set *set, u16 event, u16 flags)
2708 struct nfgenmsg *nfmsg;
2709 struct nlmsghdr *nlh;
2710 struct nlattr *desc;
2711 u32 portid = ctx->portid;
2714 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2715 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2718 goto nla_put_failure;
2720 nfmsg = nlmsg_data(nlh);
2721 nfmsg->nfgen_family = ctx->family;
2722 nfmsg->version = NFNETLINK_V0;
2723 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2725 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2726 goto nla_put_failure;
2727 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2728 goto nla_put_failure;
2729 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2731 goto nla_put_failure;
2732 if (set->flags != 0)
2733 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2734 goto nla_put_failure;
2736 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2737 goto nla_put_failure;
2738 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2739 goto nla_put_failure;
2740 if (set->flags & NFT_SET_MAP) {
2741 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2742 goto nla_put_failure;
2743 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2744 goto nla_put_failure;
2746 if (set->flags & NFT_SET_OBJECT &&
2747 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2748 goto nla_put_failure;
2751 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2752 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2754 goto nla_put_failure;
2756 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2757 goto nla_put_failure;
2759 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2760 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2761 goto nla_put_failure;
2764 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2765 goto nla_put_failure;
2767 desc = nla_nest_start(skb, NFTA_SET_DESC);
2769 goto nla_put_failure;
2771 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2772 goto nla_put_failure;
2773 nla_nest_end(skb, desc);
2775 nlmsg_end(skb, nlh);
2779 nlmsg_trim(skb, nlh);
2783 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2784 const struct nft_set *set, int event,
2787 struct sk_buff *skb;
2788 u32 portid = ctx->portid;
2792 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2795 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2799 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2805 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2809 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2812 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2814 const struct nft_set *set;
2815 unsigned int idx, s_idx = cb->args[0];
2816 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2817 struct net *net = sock_net(skb->sk);
2818 struct nft_ctx *ctx = cb->data, ctx_set;
2824 cb->seq = net->nft.base_seq;
2826 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2827 if (ctx->family != NFPROTO_UNSPEC &&
2828 ctx->family != table->family)
2831 if (ctx->table && ctx->table != table)
2835 if (cur_table != table)
2841 list_for_each_entry_rcu(set, &table->sets, list) {
2844 if (!nft_is_active(net, set))
2848 ctx_set.table = table;
2849 ctx_set.family = table->family;
2851 if (nf_tables_fill_set(skb, &ctx_set, set,
2855 cb->args[2] = (unsigned long) table;
2858 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2871 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2877 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2878 struct sk_buff *skb, const struct nlmsghdr *nlh,
2879 const struct nlattr * const nla[],
2880 struct netlink_ext_ack *extack)
2882 u8 genmask = nft_genmask_cur(net);
2883 const struct nft_set *set;
2885 struct sk_buff *skb2;
2886 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2889 /* Verify existence before starting dump */
2890 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2894 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2895 struct netlink_dump_control c = {
2896 .dump = nf_tables_dump_sets,
2897 .done = nf_tables_dump_sets_done,
2899 struct nft_ctx *ctx_dump;
2901 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2902 if (ctx_dump == NULL)
2908 return netlink_dump_start(nlsk, skb, nlh, &c);
2911 /* Only accept unspec with dump */
2912 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2913 return -EAFNOSUPPORT;
2914 if (!nla[NFTA_SET_TABLE])
2917 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2919 return PTR_ERR(set);
2921 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2925 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2929 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2936 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2937 struct nft_set_desc *desc,
2938 const struct nlattr *nla)
2940 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2943 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
2944 nft_set_desc_policy, NULL);
2948 if (da[NFTA_SET_DESC_SIZE] != NULL)
2949 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2954 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2955 struct sk_buff *skb, const struct nlmsghdr *nlh,
2956 const struct nlattr * const nla[],
2957 struct netlink_ext_ack *extack)
2959 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2960 u8 genmask = nft_genmask_next(net);
2961 int family = nfmsg->nfgen_family;
2962 const struct nft_set_ops *ops;
2963 struct nft_table *table;
2964 struct nft_set *set;
2970 u32 ktype, dtype, flags, policy, gc_int, objtype;
2971 struct nft_set_desc desc;
2972 unsigned char *udata;
2976 if (nla[NFTA_SET_TABLE] == NULL ||
2977 nla[NFTA_SET_NAME] == NULL ||
2978 nla[NFTA_SET_KEY_LEN] == NULL ||
2979 nla[NFTA_SET_ID] == NULL)
2982 memset(&desc, 0, sizeof(desc));
2984 ktype = NFT_DATA_VALUE;
2985 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2986 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2987 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2991 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2992 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2996 if (nla[NFTA_SET_FLAGS] != NULL) {
2997 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2998 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2999 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3000 NFT_SET_MAP | NFT_SET_EVAL |
3003 /* Only one of these operations is supported */
3004 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3005 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3010 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3011 if (!(flags & NFT_SET_MAP))
3014 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3015 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3016 dtype != NFT_DATA_VERDICT)
3019 if (dtype != NFT_DATA_VERDICT) {
3020 if (nla[NFTA_SET_DATA_LEN] == NULL)
3022 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3023 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3026 desc.dlen = sizeof(struct nft_verdict);
3027 } else if (flags & NFT_SET_MAP)
3030 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3031 if (!(flags & NFT_SET_OBJECT))
3034 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3035 if (objtype == NFT_OBJECT_UNSPEC ||
3036 objtype > NFT_OBJECT_MAX)
3038 } else if (flags & NFT_SET_OBJECT)
3041 objtype = NFT_OBJECT_UNSPEC;
3044 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3045 if (!(flags & NFT_SET_TIMEOUT))
3047 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3048 nla[NFTA_SET_TIMEOUT])));
3051 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3052 if (!(flags & NFT_SET_TIMEOUT))
3054 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3057 policy = NFT_SET_POL_PERFORMANCE;
3058 if (nla[NFTA_SET_POLICY] != NULL)
3059 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3061 if (nla[NFTA_SET_DESC] != NULL) {
3062 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3067 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3069 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], family,
3072 return PTR_ERR(table);
3074 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3076 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3078 if (PTR_ERR(set) != -ENOENT)
3079 return PTR_ERR(set);
3081 if (nlh->nlmsg_flags & NLM_F_EXCL)
3083 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3088 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3091 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3093 return PTR_ERR(ops);
3096 if (nla[NFTA_SET_USERDATA])
3097 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3100 if (ops->privsize != NULL)
3101 size = ops->privsize(nla, &desc);
3103 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3109 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3115 err = nf_tables_set_alloc_name(&ctx, set, name);
3122 udata = set->data + size;
3123 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3126 INIT_LIST_HEAD(&set->bindings);
3129 set->klen = desc.klen;
3131 set->objtype = objtype;
3132 set->dlen = desc.dlen;
3134 set->size = desc.size;
3135 set->policy = policy;
3138 set->timeout = timeout;
3139 set->gc_int = gc_int;
3140 set->handle = nf_tables_alloc_handle(table);
3142 err = ops->init(set, &desc, nla);
3146 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3150 list_add_tail_rcu(&set->list, &table->sets);
3159 module_put(ops->type->owner);
3163 static void nft_set_destroy(struct nft_set *set)
3165 set->ops->destroy(set);
3166 module_put(set->ops->type->owner);
3171 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3173 list_del_rcu(&set->list);
3174 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3175 nft_set_destroy(set);
3178 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3179 struct sk_buff *skb, const struct nlmsghdr *nlh,
3180 const struct nlattr * const nla[],
3181 struct netlink_ext_ack *extack)
3183 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3184 u8 genmask = nft_genmask_next(net);
3185 struct nft_set *set;
3189 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3190 return -EAFNOSUPPORT;
3191 if (nla[NFTA_SET_TABLE] == NULL)
3194 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3198 if (nla[NFTA_SET_HANDLE])
3199 set = nf_tables_set_lookup_byhandle(ctx.table, nla[NFTA_SET_HANDLE], genmask);
3201 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3203 return PTR_ERR(set);
3205 if (!list_empty(&set->bindings) ||
3206 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3209 return nft_delset(&ctx, set);
3212 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3213 struct nft_set *set,
3214 const struct nft_set_iter *iter,
3215 struct nft_set_elem *elem)
3217 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3218 enum nft_registers dreg;
3220 dreg = nft_type_to_reg(set->dtype);
3221 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3222 set->dtype == NFT_DATA_VERDICT ?
3223 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3227 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3228 struct nft_set_binding *binding)
3230 struct nft_set_binding *i;
3231 struct nft_set_iter iter;
3233 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3236 if (binding->flags & NFT_SET_MAP) {
3237 /* If the set is already bound to the same chain all
3238 * jumps are already validated for that chain.
3240 list_for_each_entry(i, &set->bindings, list) {
3241 if (i->flags & NFT_SET_MAP &&
3242 i->chain == binding->chain)
3246 iter.genmask = nft_genmask_next(ctx->net);
3250 iter.fn = nf_tables_bind_check_setelem;
3252 set->ops->walk(ctx, set, &iter);
3257 binding->chain = ctx->chain;
3258 list_add_tail_rcu(&binding->list, &set->bindings);
3261 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3263 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3264 struct nft_set_binding *binding)
3266 list_del_rcu(&binding->list);
3268 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3269 nft_is_active(ctx->net, set))
3270 nf_tables_set_destroy(ctx, set);
3272 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3274 const struct nft_set_ext_type nft_set_ext_types[] = {
3275 [NFT_SET_EXT_KEY] = {
3276 .align = __alignof__(u32),
3278 [NFT_SET_EXT_DATA] = {
3279 .align = __alignof__(u32),
3281 [NFT_SET_EXT_EXPR] = {
3282 .align = __alignof__(struct nft_expr),
3284 [NFT_SET_EXT_OBJREF] = {
3285 .len = sizeof(struct nft_object *),
3286 .align = __alignof__(struct nft_object *),
3288 [NFT_SET_EXT_FLAGS] = {
3290 .align = __alignof__(u8),
3292 [NFT_SET_EXT_TIMEOUT] = {
3294 .align = __alignof__(u64),
3296 [NFT_SET_EXT_EXPIRATION] = {
3297 .len = sizeof(unsigned long),
3298 .align = __alignof__(unsigned long),
3300 [NFT_SET_EXT_USERDATA] = {
3301 .len = sizeof(struct nft_userdata),
3302 .align = __alignof__(struct nft_userdata),
3305 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3311 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3312 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3313 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3314 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3315 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3316 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3317 .len = NFT_USERDATA_MAXLEN },
3320 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3321 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3322 .len = NFT_TABLE_MAXNAMELEN - 1 },
3323 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3324 .len = NFT_SET_MAXNAMELEN - 1 },
3325 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3326 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3329 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3330 const struct sk_buff *skb,
3331 const struct nlmsghdr *nlh,
3332 const struct nlattr * const nla[],
3335 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3336 int family = nfmsg->nfgen_family;
3337 struct nft_table *table;
3339 table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
3342 return PTR_ERR(table);
3344 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3348 static int nf_tables_fill_setelem(struct sk_buff *skb,
3349 const struct nft_set *set,
3350 const struct nft_set_elem *elem)
3352 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3353 unsigned char *b = skb_tail_pointer(skb);
3354 struct nlattr *nest;
3356 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3358 goto nla_put_failure;
3360 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3361 NFT_DATA_VALUE, set->klen) < 0)
3362 goto nla_put_failure;
3364 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3365 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3366 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3368 goto nla_put_failure;
3370 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3371 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3372 goto nla_put_failure;
3374 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3375 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3376 (*nft_set_ext_obj(ext))->name) < 0)
3377 goto nla_put_failure;
3379 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3380 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3381 htonl(*nft_set_ext_flags(ext))))
3382 goto nla_put_failure;
3384 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3385 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3386 cpu_to_be64(jiffies_to_msecs(
3387 *nft_set_ext_timeout(ext))),
3389 goto nla_put_failure;
3391 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3392 unsigned long expires, now = jiffies;
3394 expires = *nft_set_ext_expiration(ext);
3395 if (time_before(now, expires))
3400 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3401 cpu_to_be64(jiffies_to_msecs(expires)),
3403 goto nla_put_failure;
3406 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3407 struct nft_userdata *udata;
3409 udata = nft_set_ext_userdata(ext);
3410 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3411 udata->len + 1, udata->data))
3412 goto nla_put_failure;
3415 nla_nest_end(skb, nest);
3423 struct nft_set_dump_args {
3424 const struct netlink_callback *cb;
3425 struct nft_set_iter iter;
3426 struct sk_buff *skb;
3429 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3430 struct nft_set *set,
3431 const struct nft_set_iter *iter,
3432 struct nft_set_elem *elem)
3434 struct nft_set_dump_args *args;
3436 args = container_of(iter, struct nft_set_dump_args, iter);
3437 return nf_tables_fill_setelem(args->skb, set, elem);
3440 struct nft_set_dump_ctx {
3441 const struct nft_set *set;
3445 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3447 struct nft_set_dump_ctx *dump_ctx = cb->data;
3448 struct net *net = sock_net(skb->sk);
3449 struct nft_table *table;
3450 struct nft_set *set;
3451 struct nft_set_dump_args args;
3452 bool set_found = false;
3453 struct nfgenmsg *nfmsg;
3454 struct nlmsghdr *nlh;
3455 struct nlattr *nest;
3460 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3461 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3462 dump_ctx->ctx.family != table->family)
3465 if (table != dump_ctx->ctx.table)
3468 list_for_each_entry_rcu(set, &table->sets, list) {
3469 if (set == dump_ctx->set) {
3482 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3483 portid = NETLINK_CB(cb->skb).portid;
3484 seq = cb->nlh->nlmsg_seq;
3486 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3489 goto nla_put_failure;
3491 nfmsg = nlmsg_data(nlh);
3492 nfmsg->nfgen_family = table->family;
3493 nfmsg->version = NFNETLINK_V0;
3494 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3496 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3497 goto nla_put_failure;
3498 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3499 goto nla_put_failure;
3501 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3503 goto nla_put_failure;
3507 args.iter.genmask = nft_genmask_cur(net);
3508 args.iter.skip = cb->args[0];
3509 args.iter.count = 0;
3511 args.iter.fn = nf_tables_dump_setelem;
3512 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3515 nla_nest_end(skb, nest);
3516 nlmsg_end(skb, nlh);
3518 if (args.iter.err && args.iter.err != -EMSGSIZE)
3519 return args.iter.err;
3520 if (args.iter.count == cb->args[0])
3523 cb->args[0] = args.iter.count;
3531 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3537 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3538 const struct nft_ctx *ctx, u32 seq,
3539 u32 portid, int event, u16 flags,
3540 const struct nft_set *set,
3541 const struct nft_set_elem *elem)
3543 struct nfgenmsg *nfmsg;
3544 struct nlmsghdr *nlh;
3545 struct nlattr *nest;
3548 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3549 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3552 goto nla_put_failure;
3554 nfmsg = nlmsg_data(nlh);
3555 nfmsg->nfgen_family = ctx->family;
3556 nfmsg->version = NFNETLINK_V0;
3557 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3559 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3560 goto nla_put_failure;
3561 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3562 goto nla_put_failure;
3564 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3566 goto nla_put_failure;
3568 err = nf_tables_fill_setelem(skb, set, elem);
3570 goto nla_put_failure;
3572 nla_nest_end(skb, nest);
3574 nlmsg_end(skb, nlh);
3578 nlmsg_trim(skb, nlh);
3582 static int nft_setelem_parse_flags(const struct nft_set *set,
3583 const struct nlattr *attr, u32 *flags)
3588 *flags = ntohl(nla_get_be32(attr));
3589 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3591 if (!(set->flags & NFT_SET_INTERVAL) &&
3592 *flags & NFT_SET_ELEM_INTERVAL_END)
3598 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3599 const struct nlattr *attr)
3601 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3602 const struct nft_set_ext *ext;
3603 struct nft_data_desc desc;
3604 struct nft_set_elem elem;
3605 struct sk_buff *skb;
3610 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3611 nft_set_elem_policy, NULL);
3615 if (!nla[NFTA_SET_ELEM_KEY])
3618 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3622 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3623 nla[NFTA_SET_ELEM_KEY]);
3628 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3631 priv = set->ops->get(ctx->net, set, &elem, flags);
3633 return PTR_ERR(priv);
3636 ext = nft_set_elem_ext(set, &elem);
3639 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3643 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3644 NFT_MSG_NEWSETELEM, 0, set, &elem);
3648 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3649 /* This avoids a loop in nfnetlink. */
3657 /* this avoids a loop in nfnetlink. */
3658 return err == -EAGAIN ? -ENOBUFS : err;
3661 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3662 struct sk_buff *skb, const struct nlmsghdr *nlh,
3663 const struct nlattr * const nla[],
3664 struct netlink_ext_ack *extack)
3666 u8 genmask = nft_genmask_cur(net);
3667 struct nft_set *set;
3668 struct nlattr *attr;
3672 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3676 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3679 return PTR_ERR(set);
3681 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3682 struct netlink_dump_control c = {
3683 .dump = nf_tables_dump_set,
3684 .done = nf_tables_dump_set_done,
3686 struct nft_set_dump_ctx *dump_ctx;
3688 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3692 dump_ctx->set = set;
3693 dump_ctx->ctx = ctx;
3696 return netlink_dump_start(nlsk, skb, nlh, &c);
3699 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3702 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3703 err = nft_get_set_elem(&ctx, set, attr);
3711 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3712 const struct nft_set *set,
3713 const struct nft_set_elem *elem,
3714 int event, u16 flags)
3716 struct net *net = ctx->net;
3717 u32 portid = ctx->portid;
3718 struct sk_buff *skb;
3721 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3724 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3728 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3735 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3739 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3742 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3744 struct nft_set *set)
3746 struct nft_trans *trans;
3748 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3752 nft_trans_elem_set(trans) = set;
3756 void *nft_set_elem_init(const struct nft_set *set,
3757 const struct nft_set_ext_tmpl *tmpl,
3758 const u32 *key, const u32 *data,
3759 u64 timeout, gfp_t gfp)
3761 struct nft_set_ext *ext;
3764 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3768 ext = nft_set_elem_ext(set, elem);
3769 nft_set_ext_init(ext, tmpl);
3771 memcpy(nft_set_ext_key(ext), key, set->klen);
3772 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3773 memcpy(nft_set_ext_data(ext), data, set->dlen);
3774 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3775 *nft_set_ext_expiration(ext) =
3777 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3778 *nft_set_ext_timeout(ext) = timeout;
3783 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3786 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3788 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3789 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3790 nft_data_release(nft_set_ext_data(ext), set->dtype);
3791 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3792 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3793 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3794 (*nft_set_ext_obj(ext))->use--;
3797 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3799 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3800 * the refcounting from the preparation phase.
3802 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3804 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3806 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3807 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3811 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3812 const struct nlattr *attr, u32 nlmsg_flags)
3814 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3815 u8 genmask = nft_genmask_next(ctx->net);
3816 struct nft_data_desc d1, d2;
3817 struct nft_set_ext_tmpl tmpl;
3818 struct nft_set_ext *ext, *ext2;
3819 struct nft_set_elem elem;
3820 struct nft_set_binding *binding;
3821 struct nft_object *obj = NULL;
3822 struct nft_userdata *udata;
3823 struct nft_data data;
3824 enum nft_registers dreg;
3825 struct nft_trans *trans;
3831 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3832 nft_set_elem_policy, NULL);
3836 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3839 nft_set_ext_prepare(&tmpl);
3841 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3845 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3847 if (set->flags & NFT_SET_MAP) {
3848 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3849 !(flags & NFT_SET_ELEM_INTERVAL_END))
3851 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3852 flags & NFT_SET_ELEM_INTERVAL_END)
3855 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3860 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3861 if (!(set->flags & NFT_SET_TIMEOUT))
3863 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3864 nla[NFTA_SET_ELEM_TIMEOUT])));
3865 } else if (set->flags & NFT_SET_TIMEOUT) {
3866 timeout = set->timeout;
3869 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3870 nla[NFTA_SET_ELEM_KEY]);
3874 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3877 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3879 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3880 if (timeout != set->timeout)
3881 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3884 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3885 if (!(set->flags & NFT_SET_OBJECT)) {
3889 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3890 set->objtype, genmask);
3895 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3898 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3899 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3900 nla[NFTA_SET_ELEM_DATA]);
3905 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3908 dreg = nft_type_to_reg(set->dtype);
3909 list_for_each_entry(binding, &set->bindings, list) {
3910 struct nft_ctx bind_ctx = {
3912 .family = ctx->family,
3913 .table = ctx->table,
3914 .chain = (struct nft_chain *)binding->chain,
3917 if (!(binding->flags & NFT_SET_MAP))
3920 err = nft_validate_register_store(&bind_ctx, dreg,
3927 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3930 /* The full maximum length of userdata can exceed the maximum
3931 * offset value (U8_MAX) for following extensions, therefor it
3932 * must be the last extension added.
3935 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3936 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3938 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3943 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3944 timeout, GFP_KERNEL);
3945 if (elem.priv == NULL)
3948 ext = nft_set_elem_ext(set, elem.priv);
3950 *nft_set_ext_flags(ext) = flags;
3952 udata = nft_set_ext_userdata(ext);
3953 udata->len = ulen - 1;
3954 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3957 *nft_set_ext_obj(ext) = obj;
3961 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3965 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3966 err = set->ops->insert(ctx->net, set, &elem, &ext2);
3968 if (err == -EEXIST) {
3969 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
3970 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
3971 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
3972 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
3974 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3975 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
3976 memcmp(nft_set_ext_data(ext),
3977 nft_set_ext_data(ext2), set->dlen) != 0) ||
3978 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3979 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
3980 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
3982 else if (!(nlmsg_flags & NLM_F_EXCL))
3989 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
3994 nft_trans_elem(trans) = elem;
3995 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3999 set->ops->remove(ctx->net, set, &elem);
4005 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4006 nft_data_release(&data, d2.type);
4008 nft_data_release(&elem.key.val, d1.type);
4013 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4014 struct sk_buff *skb, const struct nlmsghdr *nlh,
4015 const struct nlattr * const nla[],
4016 struct netlink_ext_ack *extack)
4018 u8 genmask = nft_genmask_next(net);
4019 const struct nlattr *attr;
4020 struct nft_set *set;
4024 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4027 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4031 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4034 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4035 set = nf_tables_set_lookup_byid(net,
4036 nla[NFTA_SET_ELEM_LIST_SET_ID],
4040 return PTR_ERR(set);
4043 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4046 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4047 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4055 * nft_data_hold - hold a nft_data item
4057 * @data: struct nft_data to release
4058 * @type: type of data
4060 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4061 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4062 * NFT_GOTO verdicts. This function must be called on active data objects
4063 * from the second phase of the commit protocol.
4065 static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4067 if (type == NFT_DATA_VERDICT) {
4068 switch (data->verdict.code) {
4071 data->verdict.chain->use++;
4077 static void nft_set_elem_activate(const struct net *net,
4078 const struct nft_set *set,
4079 struct nft_set_elem *elem)
4081 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4083 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4084 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4085 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4086 (*nft_set_ext_obj(ext))->use++;
4089 static void nft_set_elem_deactivate(const struct net *net,
4090 const struct nft_set *set,
4091 struct nft_set_elem *elem)
4093 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4095 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4096 nft_data_release(nft_set_ext_data(ext), set->dtype);
4097 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4098 (*nft_set_ext_obj(ext))->use--;
4101 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4102 const struct nlattr *attr)
4104 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4105 struct nft_set_ext_tmpl tmpl;
4106 struct nft_data_desc desc;
4107 struct nft_set_elem elem;
4108 struct nft_set_ext *ext;
4109 struct nft_trans *trans;
4114 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4115 nft_set_elem_policy, NULL);
4120 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4123 nft_set_ext_prepare(&tmpl);
4125 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4129 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4131 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4132 nla[NFTA_SET_ELEM_KEY]);
4137 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4140 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4143 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4145 if (elem.priv == NULL)
4148 ext = nft_set_elem_ext(set, elem.priv);
4150 *nft_set_ext_flags(ext) = flags;
4152 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4153 if (trans == NULL) {
4158 priv = set->ops->deactivate(ctx->net, set, &elem);
4166 nft_set_elem_deactivate(ctx->net, set, &elem);
4168 nft_trans_elem(trans) = elem;
4169 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4177 nft_data_release(&elem.key.val, desc.type);
4182 static int nft_flush_set(const struct nft_ctx *ctx,
4183 struct nft_set *set,
4184 const struct nft_set_iter *iter,
4185 struct nft_set_elem *elem)
4187 struct nft_trans *trans;
4190 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4191 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4195 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4201 nft_trans_elem_set(trans) = set;
4202 nft_trans_elem(trans) = *elem;
4203 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4211 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4212 struct sk_buff *skb, const struct nlmsghdr *nlh,
4213 const struct nlattr * const nla[],
4214 struct netlink_ext_ack *extack)
4216 u8 genmask = nft_genmask_next(net);
4217 const struct nlattr *attr;
4218 struct nft_set *set;
4222 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4226 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4229 return PTR_ERR(set);
4230 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4233 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4234 struct nft_set_iter iter = {
4236 .fn = nft_flush_set,
4238 set->ops->walk(&ctx, set, &iter);
4243 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4244 err = nft_del_setelem(&ctx, set, attr);
4253 void nft_set_gc_batch_release(struct rcu_head *rcu)
4255 struct nft_set_gc_batch *gcb;
4258 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4259 for (i = 0; i < gcb->head.cnt; i++)
4260 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4263 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4265 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4268 struct nft_set_gc_batch *gcb;
4270 gcb = kzalloc(sizeof(*gcb), gfp);
4273 gcb->head.set = set;
4276 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4283 * nft_register_obj- register nf_tables stateful object type
4286 * Registers the object type for use with nf_tables. Returns zero on
4287 * success or a negative errno code otherwise.
4289 int nft_register_obj(struct nft_object_type *obj_type)
4291 if (obj_type->type == NFT_OBJECT_UNSPEC)
4294 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4295 list_add_rcu(&obj_type->list, &nf_tables_objects);
4296 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4299 EXPORT_SYMBOL_GPL(nft_register_obj);
4302 * nft_unregister_obj - unregister nf_tables object type
4305 * Unregisters the object type for use with nf_tables.
4307 void nft_unregister_obj(struct nft_object_type *obj_type)
4309 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4310 list_del_rcu(&obj_type->list);
4311 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4313 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4315 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4316 const struct nlattr *nla,
4317 u32 objtype, u8 genmask)
4319 struct nft_object *obj;
4321 list_for_each_entry(obj, &table->objects, list) {
4322 if (!nla_strcmp(nla, obj->name) &&
4323 objtype == obj->ops->type->type &&
4324 nft_active_genmask(obj, genmask))
4327 return ERR_PTR(-ENOENT);
4329 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4331 struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
4332 const struct nlattr *nla,
4333 u32 objtype, u8 genmask)
4335 struct nft_object *obj;
4337 list_for_each_entry(obj, &table->objects, list) {
4338 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4339 objtype == obj->ops->type->type &&
4340 nft_active_genmask(obj, genmask))
4343 return ERR_PTR(-ENOENT);
4346 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4347 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4348 .len = NFT_TABLE_MAXNAMELEN - 1 },
4349 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4350 .len = NFT_OBJ_MAXNAMELEN - 1 },
4351 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4352 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4353 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4356 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4357 const struct nft_object_type *type,
4358 const struct nlattr *attr)
4360 struct nlattr *tb[type->maxattr + 1];
4361 const struct nft_object_ops *ops;
4362 struct nft_object *obj;
4366 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4371 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4374 if (type->select_ops) {
4375 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4385 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4389 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4399 return ERR_PTR(err);
4402 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4403 struct nft_object *obj, bool reset)
4405 struct nlattr *nest;
4407 nest = nla_nest_start(skb, attr);
4409 goto nla_put_failure;
4410 if (obj->ops->dump(skb, obj, reset) < 0)
4411 goto nla_put_failure;
4412 nla_nest_end(skb, nest);
4419 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4421 const struct nft_object_type *type;
4423 list_for_each_entry(type, &nf_tables_objects, list) {
4424 if (objtype == type->type)
4430 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4432 const struct nft_object_type *type;
4434 type = __nft_obj_type_get(objtype);
4435 if (type != NULL && try_module_get(type->owner))
4438 #ifdef CONFIG_MODULES
4440 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4441 request_module("nft-obj-%u", objtype);
4442 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4443 if (__nft_obj_type_get(objtype))
4444 return ERR_PTR(-EAGAIN);
4447 return ERR_PTR(-ENOENT);
4450 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4451 struct sk_buff *skb, const struct nlmsghdr *nlh,
4452 const struct nlattr * const nla[],
4453 struct netlink_ext_ack *extack)
4455 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4456 const struct nft_object_type *type;
4457 u8 genmask = nft_genmask_next(net);
4458 int family = nfmsg->nfgen_family;
4459 struct nft_table *table;
4460 struct nft_object *obj;
4465 if (!nla[NFTA_OBJ_TYPE] ||
4466 !nla[NFTA_OBJ_NAME] ||
4467 !nla[NFTA_OBJ_DATA])
4470 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4473 return PTR_ERR(table);
4475 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4476 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4483 if (nlh->nlmsg_flags & NLM_F_EXCL)
4489 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4491 type = nft_obj_type_get(objtype);
4493 return PTR_ERR(type);
4495 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4501 obj->handle = nf_tables_alloc_handle(table);
4503 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4509 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4513 list_add_tail_rcu(&obj->list, &table->objects);
4519 if (obj->ops->destroy)
4520 obj->ops->destroy(obj);
4523 module_put(type->owner);
4527 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4528 u32 portid, u32 seq, int event, u32 flags,
4529 int family, const struct nft_table *table,
4530 struct nft_object *obj, bool reset)
4532 struct nfgenmsg *nfmsg;
4533 struct nlmsghdr *nlh;
4535 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4536 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4538 goto nla_put_failure;
4540 nfmsg = nlmsg_data(nlh);
4541 nfmsg->nfgen_family = family;
4542 nfmsg->version = NFNETLINK_V0;
4543 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4545 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4546 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4547 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4548 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4549 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4550 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4552 goto nla_put_failure;
4554 nlmsg_end(skb, nlh);
4558 nlmsg_trim(skb, nlh);
4562 struct nft_obj_filter {
4567 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4569 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4570 const struct nft_table *table;
4571 unsigned int idx = 0, s_idx = cb->args[0];
4572 struct nft_obj_filter *filter = cb->data;
4573 struct net *net = sock_net(skb->sk);
4574 int family = nfmsg->nfgen_family;
4575 struct nft_object *obj;
4578 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4582 cb->seq = net->nft.base_seq;
4584 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4585 if (family != NFPROTO_UNSPEC && family != table->family)
4588 list_for_each_entry_rcu(obj, &table->objects, list) {
4589 if (!nft_is_active(net, obj))
4594 memset(&cb->args[1], 0,
4595 sizeof(cb->args) - sizeof(cb->args[0]));
4596 if (filter && filter->table[0] &&
4597 strcmp(filter->table, table->name))
4600 filter->type != NFT_OBJECT_UNSPEC &&
4601 obj->ops->type->type != filter->type)
4604 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4607 NLM_F_MULTI | NLM_F_APPEND,
4608 table->family, table,
4612 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4624 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4626 struct nft_obj_filter *filter = cb->data;
4629 kfree(filter->table);
4636 static struct nft_obj_filter *
4637 nft_obj_filter_alloc(const struct nlattr * const nla[])
4639 struct nft_obj_filter *filter;
4641 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4643 return ERR_PTR(-ENOMEM);
4645 if (nla[NFTA_OBJ_TABLE]) {
4646 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4647 if (!filter->table) {
4649 return ERR_PTR(-ENOMEM);
4652 if (nla[NFTA_OBJ_TYPE])
4653 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4658 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4659 struct sk_buff *skb, const struct nlmsghdr *nlh,
4660 const struct nlattr * const nla[],
4661 struct netlink_ext_ack *extack)
4663 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4664 u8 genmask = nft_genmask_cur(net);
4665 int family = nfmsg->nfgen_family;
4666 const struct nft_table *table;
4667 struct nft_object *obj;
4668 struct sk_buff *skb2;
4673 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4674 struct netlink_dump_control c = {
4675 .dump = nf_tables_dump_obj,
4676 .done = nf_tables_dump_obj_done,
4679 if (nla[NFTA_OBJ_TABLE] ||
4680 nla[NFTA_OBJ_TYPE]) {
4681 struct nft_obj_filter *filter;
4683 filter = nft_obj_filter_alloc(nla);
4689 return netlink_dump_start(nlsk, skb, nlh, &c);
4692 if (!nla[NFTA_OBJ_NAME] ||
4693 !nla[NFTA_OBJ_TYPE])
4696 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4699 return PTR_ERR(table);
4701 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4702 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4704 return PTR_ERR(obj);
4706 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4710 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4713 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4714 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4715 family, table, obj, reset);
4719 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4725 static void nft_obj_destroy(struct nft_object *obj)
4727 if (obj->ops->destroy)
4728 obj->ops->destroy(obj);
4730 module_put(obj->ops->type->owner);
4735 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4736 struct sk_buff *skb, const struct nlmsghdr *nlh,
4737 const struct nlattr * const nla[],
4738 struct netlink_ext_ack *extack)
4740 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4741 u8 genmask = nft_genmask_next(net);
4742 int family = nfmsg->nfgen_family;
4743 struct nft_table *table;
4744 struct nft_object *obj;
4748 if (!nla[NFTA_OBJ_TYPE] ||
4749 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4752 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4755 return PTR_ERR(table);
4757 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4758 if (nla[NFTA_OBJ_HANDLE])
4759 obj = nf_tables_obj_lookup_byhandle(table, nla[NFTA_OBJ_HANDLE],
4762 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME],
4765 return PTR_ERR(obj);
4769 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4771 return nft_delobj(&ctx, obj);
4774 void nft_obj_notify(struct net *net, struct nft_table *table,
4775 struct nft_object *obj, u32 portid, u32 seq, int event,
4776 int family, int report, gfp_t gfp)
4778 struct sk_buff *skb;
4782 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4785 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4789 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4796 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4799 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4801 EXPORT_SYMBOL_GPL(nft_obj_notify);
4803 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4804 struct nft_object *obj, int event)
4806 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4807 ctx->family, ctx->report, GFP_KERNEL);
4813 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4815 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4816 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4817 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4819 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4821 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4823 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4824 list_del_rcu(&type->list);
4825 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4827 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4829 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4830 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4831 .len = NFT_NAME_MAXLEN - 1 },
4832 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4833 .len = NFT_NAME_MAXLEN - 1 },
4834 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4835 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
4838 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
4839 const struct nlattr *nla,
4842 struct nft_flowtable *flowtable;
4844 list_for_each_entry(flowtable, &table->flowtables, list) {
4845 if (!nla_strcmp(nla, flowtable->name) &&
4846 nft_active_genmask(flowtable, genmask))
4849 return ERR_PTR(-ENOENT);
4851 EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
4853 struct nft_flowtable *
4854 nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
4855 const struct nlattr *nla, u8 genmask)
4857 struct nft_flowtable *flowtable;
4859 list_for_each_entry(flowtable, &table->flowtables, list) {
4860 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
4861 nft_active_genmask(flowtable, genmask))
4864 return ERR_PTR(-ENOENT);
4867 #define NFT_FLOWTABLE_DEVICE_MAX 8
4869 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4870 const struct nlattr *attr,
4871 struct net_device *dev_array[], int *len)
4873 const struct nlattr *tmp;
4874 struct net_device *dev;
4875 char ifname[IFNAMSIZ];
4876 int rem, n = 0, err;
4878 nla_for_each_nested(tmp, attr, rem) {
4879 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
4884 nla_strlcpy(ifname, tmp, IFNAMSIZ);
4885 dev = dev_get_by_name(ctx->net, ifname);
4891 dev_array[n++] = dev;
4892 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
4906 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
4907 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
4908 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
4909 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
4912 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
4913 const struct nlattr *attr,
4914 struct nft_flowtable *flowtable)
4916 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
4917 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
4918 struct nf_hook_ops *ops;
4919 int hooknum, priority;
4922 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
4923 nft_flowtable_hook_policy, NULL);
4927 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
4928 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
4929 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
4932 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
4933 if (hooknum != NF_NETDEV_INGRESS)
4936 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
4938 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
4943 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
4949 flowtable->hooknum = hooknum;
4950 flowtable->priority = priority;
4951 flowtable->ops = ops;
4952 flowtable->ops_len = n;
4954 for (i = 0; i < n; i++) {
4955 flowtable->ops[i].pf = NFPROTO_NETDEV;
4956 flowtable->ops[i].hooknum = hooknum;
4957 flowtable->ops[i].priority = priority;
4958 flowtable->ops[i].priv = &flowtable->data.rhashtable;
4959 flowtable->ops[i].hook = flowtable->data.type->hook;
4960 flowtable->ops[i].dev = dev_array[i];
4965 for (i = 0; i < n; i++)
4966 dev_put(dev_array[i]);
4971 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
4973 const struct nf_flowtable_type *type;
4975 list_for_each_entry(type, &nf_tables_flowtables, list) {
4976 if (family == type->family)
4982 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
4984 const struct nf_flowtable_type *type;
4986 type = __nft_flowtable_type_get(family);
4987 if (type != NULL && try_module_get(type->owner))
4990 #ifdef CONFIG_MODULES
4992 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4993 request_module("nf-flowtable-%u", family);
4994 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4995 if (__nft_flowtable_type_get(family))
4996 return ERR_PTR(-EAGAIN);
4999 return ERR_PTR(-ENOENT);
5002 void nft_flow_table_iterate(struct net *net,
5003 void (*iter)(struct nf_flowtable *flowtable, void *data),
5006 struct nft_flowtable *flowtable;
5007 const struct nft_table *table;
5009 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5010 list_for_each_entry(table, &net->nft.tables, list) {
5011 list_for_each_entry(flowtable, &table->flowtables, list) {
5012 iter(&flowtable->data, data);
5015 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5017 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
5019 static void nft_unregister_flowtable_net_hooks(struct net *net,
5020 struct nft_flowtable *flowtable)
5024 for (i = 0; i < flowtable->ops_len; i++) {
5025 if (!flowtable->ops[i].dev)
5028 nf_unregister_net_hook(net, &flowtable->ops[i]);
5032 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5033 struct sk_buff *skb,
5034 const struct nlmsghdr *nlh,
5035 const struct nlattr * const nla[],
5036 struct netlink_ext_ack *extack)
5038 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5039 const struct nf_flowtable_type *type;
5040 u8 genmask = nft_genmask_next(net);
5041 int family = nfmsg->nfgen_family;
5042 struct nft_flowtable *flowtable;
5043 struct nft_table *table;
5047 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5048 !nla[NFTA_FLOWTABLE_NAME] ||
5049 !nla[NFTA_FLOWTABLE_HOOK])
5052 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5055 return PTR_ERR(table);
5057 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5059 if (IS_ERR(flowtable)) {
5060 err = PTR_ERR(flowtable);
5064 if (nlh->nlmsg_flags & NLM_F_EXCL)
5070 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5072 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5076 flowtable->table = table;
5077 flowtable->handle = nf_tables_alloc_handle(table);
5079 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5080 if (!flowtable->name) {
5085 type = nft_flowtable_type_get(family);
5087 err = PTR_ERR(type);
5091 flowtable->data.type = type;
5092 err = rhashtable_init(&flowtable->data.rhashtable, type->params);
5096 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5101 for (i = 0; i < flowtable->ops_len; i++) {
5102 err = nf_register_net_hook(net, &flowtable->ops[i]);
5107 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5111 INIT_DEFERRABLE_WORK(&flowtable->data.gc_work, type->gc);
5112 queue_delayed_work(system_power_efficient_wq,
5113 &flowtable->data.gc_work, HZ);
5115 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5120 i = flowtable->ops_len;
5122 for (k = i - 1; k >= 0; k--)
5123 nf_unregister_net_hook(net, &flowtable->ops[i]);
5125 kfree(flowtable->ops);
5127 module_put(type->owner);
5129 kfree(flowtable->name);
5135 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5136 struct sk_buff *skb,
5137 const struct nlmsghdr *nlh,
5138 const struct nlattr * const nla[],
5139 struct netlink_ext_ack *extack)
5141 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5142 u8 genmask = nft_genmask_next(net);
5143 int family = nfmsg->nfgen_family;
5144 struct nft_flowtable *flowtable;
5145 struct nft_table *table;
5148 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5151 return PTR_ERR(table);
5153 if (nla[NFTA_FLOWTABLE_HANDLE])
5154 flowtable = nf_tables_flowtable_lookup_byhandle(table,
5155 nla[NFTA_FLOWTABLE_HANDLE],
5158 flowtable = nf_tables_flowtable_lookup(table,
5159 nla[NFTA_FLOWTABLE_NAME],
5161 if (IS_ERR(flowtable))
5162 return PTR_ERR(flowtable);
5163 if (flowtable->use > 0)
5166 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5168 return nft_delflowtable(&ctx, flowtable);
5171 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5172 u32 portid, u32 seq, int event,
5173 u32 flags, int family,
5174 struct nft_flowtable *flowtable)
5176 struct nlattr *nest, *nest_devs;
5177 struct nfgenmsg *nfmsg;
5178 struct nlmsghdr *nlh;
5181 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5182 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5184 goto nla_put_failure;
5186 nfmsg = nlmsg_data(nlh);
5187 nfmsg->nfgen_family = family;
5188 nfmsg->version = NFNETLINK_V0;
5189 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5191 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5192 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5193 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5194 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5195 NFTA_FLOWTABLE_PAD))
5196 goto nla_put_failure;
5198 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5199 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5200 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5201 goto nla_put_failure;
5203 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5205 goto nla_put_failure;
5207 for (i = 0; i < flowtable->ops_len; i++) {
5208 if (flowtable->ops[i].dev &&
5209 nla_put_string(skb, NFTA_DEVICE_NAME,
5210 flowtable->ops[i].dev->name))
5211 goto nla_put_failure;
5213 nla_nest_end(skb, nest_devs);
5214 nla_nest_end(skb, nest);
5216 nlmsg_end(skb, nlh);
5220 nlmsg_trim(skb, nlh);
5224 struct nft_flowtable_filter {
5228 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5229 struct netlink_callback *cb)
5231 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5232 struct nft_flowtable_filter *filter = cb->data;
5233 unsigned int idx = 0, s_idx = cb->args[0];
5234 struct net *net = sock_net(skb->sk);
5235 int family = nfmsg->nfgen_family;
5236 struct nft_flowtable *flowtable;
5237 const struct nft_table *table;
5240 cb->seq = net->nft.base_seq;
5242 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5243 if (family != NFPROTO_UNSPEC && family != table->family)
5246 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5247 if (!nft_is_active(net, flowtable))
5252 memset(&cb->args[1], 0,
5253 sizeof(cb->args) - sizeof(cb->args[0]));
5254 if (filter && filter->table[0] &&
5255 strcmp(filter->table, table->name))
5258 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5260 NFT_MSG_NEWFLOWTABLE,
5261 NLM_F_MULTI | NLM_F_APPEND,
5262 table->family, flowtable) < 0)
5265 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5277 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5279 struct nft_flowtable_filter *filter = cb->data;
5284 kfree(filter->table);
5290 static struct nft_flowtable_filter *
5291 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5293 struct nft_flowtable_filter *filter;
5295 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5297 return ERR_PTR(-ENOMEM);
5299 if (nla[NFTA_FLOWTABLE_TABLE]) {
5300 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5302 if (!filter->table) {
5304 return ERR_PTR(-ENOMEM);
5310 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5311 struct sk_buff *skb,
5312 const struct nlmsghdr *nlh,
5313 const struct nlattr * const nla[],
5314 struct netlink_ext_ack *extack)
5316 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5317 u8 genmask = nft_genmask_cur(net);
5318 int family = nfmsg->nfgen_family;
5319 struct nft_flowtable *flowtable;
5320 const struct nft_table *table;
5321 struct sk_buff *skb2;
5324 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5325 struct netlink_dump_control c = {
5326 .dump = nf_tables_dump_flowtable,
5327 .done = nf_tables_dump_flowtable_done,
5330 if (nla[NFTA_FLOWTABLE_TABLE]) {
5331 struct nft_flowtable_filter *filter;
5333 filter = nft_flowtable_filter_alloc(nla);
5339 return netlink_dump_start(nlsk, skb, nlh, &c);
5342 if (!nla[NFTA_FLOWTABLE_NAME])
5345 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5348 return PTR_ERR(table);
5350 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5352 if (IS_ERR(flowtable))
5353 return PTR_ERR(flowtable);
5355 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5359 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5361 NFT_MSG_NEWFLOWTABLE, 0, family,
5366 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5372 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5373 struct nft_flowtable *flowtable,
5376 struct sk_buff *skb;
5380 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5383 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5387 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5389 ctx->family, flowtable);
5395 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5396 ctx->report, GFP_KERNEL);
5399 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5402 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5404 cancel_delayed_work_sync(&flowtable->data.gc_work);
5405 kfree(flowtable->name);
5406 flowtable->data.type->free(&flowtable->data);
5407 rhashtable_destroy(&flowtable->data.rhashtable);
5408 module_put(flowtable->data.type->owner);
5411 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5412 u32 portid, u32 seq)
5414 struct nlmsghdr *nlh;
5415 struct nfgenmsg *nfmsg;
5416 char buf[TASK_COMM_LEN];
5417 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5419 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5421 goto nla_put_failure;
5423 nfmsg = nlmsg_data(nlh);
5424 nfmsg->nfgen_family = AF_UNSPEC;
5425 nfmsg->version = NFNETLINK_V0;
5426 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5428 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5429 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5430 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5431 goto nla_put_failure;
5433 nlmsg_end(skb, nlh);
5437 nlmsg_trim(skb, nlh);
5441 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5442 struct nft_flowtable *flowtable)
5446 for (i = 0; i < flowtable->ops_len; i++) {
5447 if (flowtable->ops[i].dev != dev)
5450 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5451 flowtable->ops[i].dev = NULL;
5456 static int nf_tables_flowtable_event(struct notifier_block *this,
5457 unsigned long event, void *ptr)
5459 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5460 struct nft_flowtable *flowtable;
5461 struct nft_table *table;
5463 if (event != NETDEV_UNREGISTER)
5466 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5467 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5468 list_for_each_entry(flowtable, &table->flowtables, list) {
5469 nft_flowtable_event(event, dev, flowtable);
5472 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5477 static struct notifier_block nf_tables_flowtable_notifier = {
5478 .notifier_call = nf_tables_flowtable_event,
5481 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5484 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5485 struct sk_buff *skb2;
5488 if (nlmsg_report(nlh) &&
5489 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5492 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5496 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5503 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5504 nlmsg_report(nlh), GFP_KERNEL);
5507 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5511 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5512 struct sk_buff *skb, const struct nlmsghdr *nlh,
5513 const struct nlattr * const nla[],
5514 struct netlink_ext_ack *extack)
5516 struct sk_buff *skb2;
5519 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5523 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5528 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5534 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5535 [NFT_MSG_NEWTABLE] = {
5536 .call_batch = nf_tables_newtable,
5537 .attr_count = NFTA_TABLE_MAX,
5538 .policy = nft_table_policy,
5540 [NFT_MSG_GETTABLE] = {
5541 .call = nf_tables_gettable,
5542 .attr_count = NFTA_TABLE_MAX,
5543 .policy = nft_table_policy,
5545 [NFT_MSG_DELTABLE] = {
5546 .call_batch = nf_tables_deltable,
5547 .attr_count = NFTA_TABLE_MAX,
5548 .policy = nft_table_policy,
5550 [NFT_MSG_NEWCHAIN] = {
5551 .call_batch = nf_tables_newchain,
5552 .attr_count = NFTA_CHAIN_MAX,
5553 .policy = nft_chain_policy,
5555 [NFT_MSG_GETCHAIN] = {
5556 .call = nf_tables_getchain,
5557 .attr_count = NFTA_CHAIN_MAX,
5558 .policy = nft_chain_policy,
5560 [NFT_MSG_DELCHAIN] = {
5561 .call_batch = nf_tables_delchain,
5562 .attr_count = NFTA_CHAIN_MAX,
5563 .policy = nft_chain_policy,
5565 [NFT_MSG_NEWRULE] = {
5566 .call_batch = nf_tables_newrule,
5567 .attr_count = NFTA_RULE_MAX,
5568 .policy = nft_rule_policy,
5570 [NFT_MSG_GETRULE] = {
5571 .call = nf_tables_getrule,
5572 .attr_count = NFTA_RULE_MAX,
5573 .policy = nft_rule_policy,
5575 [NFT_MSG_DELRULE] = {
5576 .call_batch = nf_tables_delrule,
5577 .attr_count = NFTA_RULE_MAX,
5578 .policy = nft_rule_policy,
5580 [NFT_MSG_NEWSET] = {
5581 .call_batch = nf_tables_newset,
5582 .attr_count = NFTA_SET_MAX,
5583 .policy = nft_set_policy,
5585 [NFT_MSG_GETSET] = {
5586 .call = nf_tables_getset,
5587 .attr_count = NFTA_SET_MAX,
5588 .policy = nft_set_policy,
5590 [NFT_MSG_DELSET] = {
5591 .call_batch = nf_tables_delset,
5592 .attr_count = NFTA_SET_MAX,
5593 .policy = nft_set_policy,
5595 [NFT_MSG_NEWSETELEM] = {
5596 .call_batch = nf_tables_newsetelem,
5597 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5598 .policy = nft_set_elem_list_policy,
5600 [NFT_MSG_GETSETELEM] = {
5601 .call = nf_tables_getsetelem,
5602 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5603 .policy = nft_set_elem_list_policy,
5605 [NFT_MSG_DELSETELEM] = {
5606 .call_batch = nf_tables_delsetelem,
5607 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5608 .policy = nft_set_elem_list_policy,
5610 [NFT_MSG_GETGEN] = {
5611 .call = nf_tables_getgen,
5613 [NFT_MSG_NEWOBJ] = {
5614 .call_batch = nf_tables_newobj,
5615 .attr_count = NFTA_OBJ_MAX,
5616 .policy = nft_obj_policy,
5618 [NFT_MSG_GETOBJ] = {
5619 .call = nf_tables_getobj,
5620 .attr_count = NFTA_OBJ_MAX,
5621 .policy = nft_obj_policy,
5623 [NFT_MSG_DELOBJ] = {
5624 .call_batch = nf_tables_delobj,
5625 .attr_count = NFTA_OBJ_MAX,
5626 .policy = nft_obj_policy,
5628 [NFT_MSG_GETOBJ_RESET] = {
5629 .call = nf_tables_getobj,
5630 .attr_count = NFTA_OBJ_MAX,
5631 .policy = nft_obj_policy,
5633 [NFT_MSG_NEWFLOWTABLE] = {
5634 .call_batch = nf_tables_newflowtable,
5635 .attr_count = NFTA_FLOWTABLE_MAX,
5636 .policy = nft_flowtable_policy,
5638 [NFT_MSG_GETFLOWTABLE] = {
5639 .call = nf_tables_getflowtable,
5640 .attr_count = NFTA_FLOWTABLE_MAX,
5641 .policy = nft_flowtable_policy,
5643 [NFT_MSG_DELFLOWTABLE] = {
5644 .call_batch = nf_tables_delflowtable,
5645 .attr_count = NFTA_FLOWTABLE_MAX,
5646 .policy = nft_flowtable_policy,
5650 static void nft_chain_commit_update(struct nft_trans *trans)
5652 struct nft_base_chain *basechain;
5654 if (nft_trans_chain_name(trans))
5655 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
5657 if (!nft_is_base_chain(trans->ctx.chain))
5660 basechain = nft_base_chain(trans->ctx.chain);
5661 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5663 switch (nft_trans_chain_policy(trans)) {
5666 basechain->policy = nft_trans_chain_policy(trans);
5671 static void nf_tables_commit_release(struct nft_trans *trans)
5673 switch (trans->msg_type) {
5674 case NFT_MSG_DELTABLE:
5675 nf_tables_table_destroy(&trans->ctx);
5677 case NFT_MSG_DELCHAIN:
5678 nf_tables_chain_destroy(trans->ctx.chain);
5680 case NFT_MSG_DELRULE:
5681 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5683 case NFT_MSG_DELSET:
5684 nft_set_destroy(nft_trans_set(trans));
5686 case NFT_MSG_DELSETELEM:
5687 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5688 nft_trans_elem(trans).priv);
5690 case NFT_MSG_DELOBJ:
5691 nft_obj_destroy(nft_trans_obj(trans));
5693 case NFT_MSG_DELFLOWTABLE:
5694 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5700 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5702 struct nft_trans *trans, *next;
5703 struct nft_trans_elem *te;
5705 /* Bump generation counter, invalidate any dump in progress */
5706 while (++net->nft.base_seq == 0);
5708 /* A new generation has just started */
5709 net->nft.gencursor = nft_gencursor_next(net);
5711 /* Make sure all packets have left the previous generation before
5712 * purging old rules.
5716 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5717 switch (trans->msg_type) {
5718 case NFT_MSG_NEWTABLE:
5719 if (nft_trans_table_update(trans)) {
5720 if (!nft_trans_table_enable(trans)) {
5721 nf_tables_table_disable(net,
5723 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5726 nft_clear(net, trans->ctx.table);
5728 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5729 nft_trans_destroy(trans);
5731 case NFT_MSG_DELTABLE:
5732 list_del_rcu(&trans->ctx.table->list);
5733 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5735 case NFT_MSG_NEWCHAIN:
5736 if (nft_trans_chain_update(trans))
5737 nft_chain_commit_update(trans);
5739 nft_clear(net, trans->ctx.chain);
5741 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5742 nft_trans_destroy(trans);
5744 case NFT_MSG_DELCHAIN:
5745 list_del_rcu(&trans->ctx.chain->list);
5746 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5747 nf_tables_unregister_hook(trans->ctx.net,
5751 case NFT_MSG_NEWRULE:
5752 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5753 nf_tables_rule_notify(&trans->ctx,
5754 nft_trans_rule(trans),
5756 nft_trans_destroy(trans);
5758 case NFT_MSG_DELRULE:
5759 list_del_rcu(&nft_trans_rule(trans)->list);
5760 nf_tables_rule_notify(&trans->ctx,
5761 nft_trans_rule(trans),
5764 case NFT_MSG_NEWSET:
5765 nft_clear(net, nft_trans_set(trans));
5766 /* This avoids hitting -EBUSY when deleting the table
5767 * from the transaction.
5769 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5770 !list_empty(&nft_trans_set(trans)->bindings))
5771 trans->ctx.table->use--;
5773 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5774 NFT_MSG_NEWSET, GFP_KERNEL);
5775 nft_trans_destroy(trans);
5777 case NFT_MSG_DELSET:
5778 list_del_rcu(&nft_trans_set(trans)->list);
5779 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5780 NFT_MSG_DELSET, GFP_KERNEL);
5782 case NFT_MSG_NEWSETELEM:
5783 te = (struct nft_trans_elem *)trans->data;
5785 te->set->ops->activate(net, te->set, &te->elem);
5786 nf_tables_setelem_notify(&trans->ctx, te->set,
5788 NFT_MSG_NEWSETELEM, 0);
5789 nft_trans_destroy(trans);
5791 case NFT_MSG_DELSETELEM:
5792 te = (struct nft_trans_elem *)trans->data;
5794 nf_tables_setelem_notify(&trans->ctx, te->set,
5796 NFT_MSG_DELSETELEM, 0);
5797 te->set->ops->remove(net, te->set, &te->elem);
5798 atomic_dec(&te->set->nelems);
5801 case NFT_MSG_NEWOBJ:
5802 nft_clear(net, nft_trans_obj(trans));
5803 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5805 nft_trans_destroy(trans);
5807 case NFT_MSG_DELOBJ:
5808 list_del_rcu(&nft_trans_obj(trans)->list);
5809 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5812 case NFT_MSG_NEWFLOWTABLE:
5813 nft_clear(net, nft_trans_flowtable(trans));
5814 nf_tables_flowtable_notify(&trans->ctx,
5815 nft_trans_flowtable(trans),
5816 NFT_MSG_NEWFLOWTABLE);
5817 nft_trans_destroy(trans);
5819 case NFT_MSG_DELFLOWTABLE:
5820 list_del_rcu(&nft_trans_flowtable(trans)->list);
5821 nf_tables_flowtable_notify(&trans->ctx,
5822 nft_trans_flowtable(trans),
5823 NFT_MSG_DELFLOWTABLE);
5824 nft_unregister_flowtable_net_hooks(net,
5825 nft_trans_flowtable(trans));
5832 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5833 list_del(&trans->list);
5834 nf_tables_commit_release(trans);
5837 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5842 static void nf_tables_abort_release(struct nft_trans *trans)
5844 switch (trans->msg_type) {
5845 case NFT_MSG_NEWTABLE:
5846 nf_tables_table_destroy(&trans->ctx);
5848 case NFT_MSG_NEWCHAIN:
5849 nf_tables_chain_destroy(trans->ctx.chain);
5851 case NFT_MSG_NEWRULE:
5852 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5854 case NFT_MSG_NEWSET:
5855 nft_set_destroy(nft_trans_set(trans));
5857 case NFT_MSG_NEWSETELEM:
5858 nft_set_elem_destroy(nft_trans_elem_set(trans),
5859 nft_trans_elem(trans).priv, true);
5861 case NFT_MSG_NEWOBJ:
5862 nft_obj_destroy(nft_trans_obj(trans));
5864 case NFT_MSG_NEWFLOWTABLE:
5865 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5871 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5873 struct nft_trans *trans, *next;
5874 struct nft_trans_elem *te;
5876 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5878 switch (trans->msg_type) {
5879 case NFT_MSG_NEWTABLE:
5880 if (nft_trans_table_update(trans)) {
5881 if (nft_trans_table_enable(trans)) {
5882 nf_tables_table_disable(net,
5884 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5886 nft_trans_destroy(trans);
5888 list_del_rcu(&trans->ctx.table->list);
5891 case NFT_MSG_DELTABLE:
5892 nft_clear(trans->ctx.net, trans->ctx.table);
5893 nft_trans_destroy(trans);
5895 case NFT_MSG_NEWCHAIN:
5896 if (nft_trans_chain_update(trans)) {
5897 free_percpu(nft_trans_chain_stats(trans));
5899 nft_trans_destroy(trans);
5901 trans->ctx.table->use--;
5902 list_del_rcu(&trans->ctx.chain->list);
5903 nf_tables_unregister_hook(trans->ctx.net,
5908 case NFT_MSG_DELCHAIN:
5909 trans->ctx.table->use++;
5910 nft_clear(trans->ctx.net, trans->ctx.chain);
5911 nft_trans_destroy(trans);
5913 case NFT_MSG_NEWRULE:
5914 trans->ctx.chain->use--;
5915 list_del_rcu(&nft_trans_rule(trans)->list);
5917 case NFT_MSG_DELRULE:
5918 trans->ctx.chain->use++;
5919 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5920 nft_trans_destroy(trans);
5922 case NFT_MSG_NEWSET:
5923 trans->ctx.table->use--;
5924 list_del_rcu(&nft_trans_set(trans)->list);
5926 case NFT_MSG_DELSET:
5927 trans->ctx.table->use++;
5928 nft_clear(trans->ctx.net, nft_trans_set(trans));
5929 nft_trans_destroy(trans);
5931 case NFT_MSG_NEWSETELEM:
5932 te = (struct nft_trans_elem *)trans->data;
5934 te->set->ops->remove(net, te->set, &te->elem);
5935 atomic_dec(&te->set->nelems);
5937 case NFT_MSG_DELSETELEM:
5938 te = (struct nft_trans_elem *)trans->data;
5940 nft_set_elem_activate(net, te->set, &te->elem);
5941 te->set->ops->activate(net, te->set, &te->elem);
5944 nft_trans_destroy(trans);
5946 case NFT_MSG_NEWOBJ:
5947 trans->ctx.table->use--;
5948 list_del_rcu(&nft_trans_obj(trans)->list);
5950 case NFT_MSG_DELOBJ:
5951 trans->ctx.table->use++;
5952 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5953 nft_trans_destroy(trans);
5955 case NFT_MSG_NEWFLOWTABLE:
5956 trans->ctx.table->use--;
5957 list_del_rcu(&nft_trans_flowtable(trans)->list);
5958 nft_unregister_flowtable_net_hooks(net,
5959 nft_trans_flowtable(trans));
5961 case NFT_MSG_DELFLOWTABLE:
5962 trans->ctx.table->use++;
5963 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
5964 nft_trans_destroy(trans);
5971 list_for_each_entry_safe_reverse(trans, next,
5972 &net->nft.commit_list, list) {
5973 list_del(&trans->list);
5974 nf_tables_abort_release(trans);
5980 static bool nf_tables_valid_genid(struct net *net, u32 genid)
5982 return net->nft.base_seq == genid;
5985 static const struct nfnetlink_subsystem nf_tables_subsys = {
5986 .name = "nf_tables",
5987 .subsys_id = NFNL_SUBSYS_NFTABLES,
5988 .cb_count = NFT_MSG_MAX,
5990 .commit = nf_tables_commit,
5991 .abort = nf_tables_abort,
5992 .valid_genid = nf_tables_valid_genid,
5995 int nft_chain_validate_dependency(const struct nft_chain *chain,
5996 enum nft_chain_type type)
5998 const struct nft_base_chain *basechain;
6000 if (nft_is_base_chain(chain)) {
6001 basechain = nft_base_chain(chain);
6002 if (basechain->type->type != type)
6007 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6009 int nft_chain_validate_hooks(const struct nft_chain *chain,
6010 unsigned int hook_flags)
6012 struct nft_base_chain *basechain;
6014 if (nft_is_base_chain(chain)) {
6015 basechain = nft_base_chain(chain);
6017 if ((1 << basechain->ops.hooknum) & hook_flags)
6025 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6028 * Loop detection - walk through the ruleset beginning at the destination chain
6029 * of a new jump until either the source chain is reached (loop) or all
6030 * reachable chains have been traversed.
6032 * The loop check is performed whenever a new jump verdict is added to an
6033 * expression or verdict map or a verdict map is bound to a new chain.
6036 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6037 const struct nft_chain *chain);
6039 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6040 struct nft_set *set,
6041 const struct nft_set_iter *iter,
6042 struct nft_set_elem *elem)
6044 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6045 const struct nft_data *data;
6047 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6048 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6051 data = nft_set_ext_data(ext);
6052 switch (data->verdict.code) {
6055 return nf_tables_check_loops(ctx, data->verdict.chain);
6061 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6062 const struct nft_chain *chain)
6064 const struct nft_rule *rule;
6065 const struct nft_expr *expr, *last;
6066 struct nft_set *set;
6067 struct nft_set_binding *binding;
6068 struct nft_set_iter iter;
6070 if (ctx->chain == chain)
6073 list_for_each_entry(rule, &chain->rules, list) {
6074 nft_rule_for_each_expr(expr, last, rule) {
6075 const struct nft_data *data = NULL;
6078 if (!expr->ops->validate)
6081 err = expr->ops->validate(ctx, expr, &data);
6088 switch (data->verdict.code) {
6091 err = nf_tables_check_loops(ctx,
6092 data->verdict.chain);
6101 list_for_each_entry(set, &ctx->table->sets, list) {
6102 if (!nft_is_active_next(ctx->net, set))
6104 if (!(set->flags & NFT_SET_MAP) ||
6105 set->dtype != NFT_DATA_VERDICT)
6108 list_for_each_entry(binding, &set->bindings, list) {
6109 if (!(binding->flags & NFT_SET_MAP) ||
6110 binding->chain != chain)
6113 iter.genmask = nft_genmask_next(ctx->net);
6117 iter.fn = nf_tables_loop_check_setelem;
6119 set->ops->walk(ctx, set, &iter);
6129 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6131 * @attr: netlink attribute to fetch value from
6132 * @max: maximum value to be stored in dest
6133 * @dest: pointer to the variable
6135 * Parse, check and store a given u32 netlink attribute into variable.
6136 * This function returns -ERANGE if the value goes over maximum value.
6137 * Otherwise a 0 is returned and the attribute value is stored in the
6138 * destination variable.
6140 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6144 val = ntohl(nla_get_be32(attr));
6151 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6154 * nft_parse_register - parse a register value from a netlink attribute
6156 * @attr: netlink attribute
6158 * Parse and translate a register value from a netlink attribute.
6159 * Registers used to be 128 bit wide, these register numbers will be
6160 * mapped to the corresponding 32 bit register numbers.
6162 unsigned int nft_parse_register(const struct nlattr *attr)
6166 reg = ntohl(nla_get_be32(attr));
6168 case NFT_REG_VERDICT...NFT_REG_4:
6169 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6171 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6174 EXPORT_SYMBOL_GPL(nft_parse_register);
6177 * nft_dump_register - dump a register value to a netlink attribute
6179 * @skb: socket buffer
6180 * @attr: attribute number
6181 * @reg: register number
6183 * Construct a netlink attribute containing the register number. For
6184 * compatibility reasons, register numbers being a multiple of 4 are
6185 * translated to the corresponding 128 bit register numbers.
6187 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6189 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6190 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6192 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6194 return nla_put_be32(skb, attr, htonl(reg));
6196 EXPORT_SYMBOL_GPL(nft_dump_register);
6199 * nft_validate_register_load - validate a load from a register
6201 * @reg: the register number
6202 * @len: the length of the data
6204 * Validate that the input register is one of the general purpose
6205 * registers and that the length of the load is within the bounds.
6207 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6209 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6213 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6218 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6221 * nft_validate_register_store - validate an expressions' register store
6223 * @ctx: context of the expression performing the load
6224 * @reg: the destination register number
6225 * @data: the data to load
6226 * @type: the data type
6227 * @len: the length of the data
6229 * Validate that a data load uses the appropriate data type for
6230 * the destination register and the length is within the bounds.
6231 * A value of NULL for the data means that its runtime gathered
6234 int nft_validate_register_store(const struct nft_ctx *ctx,
6235 enum nft_registers reg,
6236 const struct nft_data *data,
6237 enum nft_data_types type, unsigned int len)
6242 case NFT_REG_VERDICT:
6243 if (type != NFT_DATA_VERDICT)
6247 (data->verdict.code == NFT_GOTO ||
6248 data->verdict.code == NFT_JUMP)) {
6249 err = nf_tables_check_loops(ctx, data->verdict.chain);
6253 if (ctx->chain->level + 1 >
6254 data->verdict.chain->level) {
6255 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6257 data->verdict.chain->level = ctx->chain->level + 1;
6263 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6267 if (reg * NFT_REG32_SIZE + len >
6268 FIELD_SIZEOF(struct nft_regs, data))
6271 if (data != NULL && type != NFT_DATA_VALUE)
6276 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6278 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6279 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6280 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6281 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6284 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6285 struct nft_data_desc *desc, const struct nlattr *nla)
6287 u8 genmask = nft_genmask_next(ctx->net);
6288 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6289 struct nft_chain *chain;
6292 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6297 if (!tb[NFTA_VERDICT_CODE])
6299 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6301 switch (data->verdict.code) {
6303 switch (data->verdict.code & NF_VERDICT_MASK) {
6318 if (!tb[NFTA_VERDICT_CHAIN])
6320 chain = nf_tables_chain_lookup(ctx->table,
6321 tb[NFTA_VERDICT_CHAIN], genmask);
6323 return PTR_ERR(chain);
6324 if (nft_is_base_chain(chain))
6328 data->verdict.chain = chain;
6332 desc->len = sizeof(data->verdict);
6333 desc->type = NFT_DATA_VERDICT;
6337 static void nft_verdict_uninit(const struct nft_data *data)
6339 switch (data->verdict.code) {
6342 data->verdict.chain->use--;
6347 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6349 struct nlattr *nest;
6351 nest = nla_nest_start(skb, type);
6353 goto nla_put_failure;
6355 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6356 goto nla_put_failure;
6361 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6363 goto nla_put_failure;
6365 nla_nest_end(skb, nest);
6372 static int nft_value_init(const struct nft_ctx *ctx,
6373 struct nft_data *data, unsigned int size,
6374 struct nft_data_desc *desc, const struct nlattr *nla)
6384 nla_memcpy(data->data, nla, len);
6385 desc->type = NFT_DATA_VALUE;
6390 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6393 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6396 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6397 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6398 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6402 * nft_data_init - parse nf_tables data netlink attributes
6404 * @ctx: context of the expression using the data
6405 * @data: destination struct nft_data
6406 * @size: maximum data length
6407 * @desc: data description
6408 * @nla: netlink attribute containing data
6410 * Parse the netlink data attributes and initialize a struct nft_data.
6411 * The type and length of data are returned in the data description.
6413 * The caller can indicate that it only wants to accept data of type
6414 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6416 int nft_data_init(const struct nft_ctx *ctx,
6417 struct nft_data *data, unsigned int size,
6418 struct nft_data_desc *desc, const struct nlattr *nla)
6420 struct nlattr *tb[NFTA_DATA_MAX + 1];
6423 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6427 if (tb[NFTA_DATA_VALUE])
6428 return nft_value_init(ctx, data, size, desc,
6429 tb[NFTA_DATA_VALUE]);
6430 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6431 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6434 EXPORT_SYMBOL_GPL(nft_data_init);
6437 * nft_data_release - release a nft_data item
6439 * @data: struct nft_data to release
6440 * @type: type of data
6442 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6443 * all others need to be released by calling this function.
6445 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6447 if (type < NFT_DATA_VERDICT)
6450 case NFT_DATA_VERDICT:
6451 return nft_verdict_uninit(data);
6456 EXPORT_SYMBOL_GPL(nft_data_release);
6458 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6459 enum nft_data_types type, unsigned int len)
6461 struct nlattr *nest;
6464 nest = nla_nest_start(skb, attr);
6469 case NFT_DATA_VALUE:
6470 err = nft_value_dump(skb, data, len);
6472 case NFT_DATA_VERDICT:
6473 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6480 nla_nest_end(skb, nest);
6483 EXPORT_SYMBOL_GPL(nft_data_dump);
6485 int __nft_release_basechain(struct nft_ctx *ctx)
6487 struct nft_rule *rule, *nr;
6489 BUG_ON(!nft_is_base_chain(ctx->chain));
6491 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6492 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6493 list_del(&rule->list);
6495 nf_tables_rule_destroy(ctx, rule);
6497 list_del(&ctx->chain->list);
6499 nf_tables_chain_destroy(ctx->chain);
6503 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6505 static void __nft_release_tables(struct net *net)
6507 struct nft_flowtable *flowtable, *nf;
6508 struct nft_table *table, *nt;
6509 struct nft_chain *chain, *nc;
6510 struct nft_object *obj, *ne;
6511 struct nft_rule *rule, *nr;
6512 struct nft_set *set, *ns;
6513 struct nft_ctx ctx = {
6517 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6518 ctx.family = table->family;
6520 list_for_each_entry(chain, &table->chains, list)
6521 nf_tables_unregister_hook(net, table, chain);
6522 list_for_each_entry(flowtable, &table->flowtables, list)
6523 nf_unregister_net_hooks(net, flowtable->ops,
6524 flowtable->ops_len);
6525 /* No packets are walking on these chains anymore. */
6527 list_for_each_entry(chain, &table->chains, list) {
6529 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6530 list_del(&rule->list);
6532 nf_tables_rule_destroy(&ctx, rule);
6535 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6536 list_del(&flowtable->list);
6538 nf_tables_flowtable_destroy(flowtable);
6540 list_for_each_entry_safe(set, ns, &table->sets, list) {
6541 list_del(&set->list);
6543 nft_set_destroy(set);
6545 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6546 list_del(&obj->list);
6548 nft_obj_destroy(obj);
6550 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6551 list_del(&chain->list);
6553 nf_tables_chain_destroy(chain);
6555 list_del(&table->list);
6556 nf_tables_table_destroy(&ctx);
6560 static int __net_init nf_tables_init_net(struct net *net)
6562 INIT_LIST_HEAD(&net->nft.tables);
6563 INIT_LIST_HEAD(&net->nft.commit_list);
6564 net->nft.base_seq = 1;
6568 static void __net_exit nf_tables_exit_net(struct net *net)
6570 __nft_release_tables(net);
6571 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6572 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6575 static struct pernet_operations nf_tables_net_ops = {
6576 .init = nf_tables_init_net,
6577 .exit = nf_tables_exit_net,
6580 static int __init nf_tables_module_init(void)
6584 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6591 err = nf_tables_core_module_init();
6595 err = nfnetlink_subsys_register(&nf_tables_subsys);
6599 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6601 return register_pernet_subsys(&nf_tables_net_ops);
6603 nf_tables_core_module_exit();
6610 static void __exit nf_tables_module_exit(void)
6612 unregister_pernet_subsys(&nf_tables_net_ops);
6613 nfnetlink_subsys_unregister(&nf_tables_subsys);
6614 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6616 nf_tables_core_module_exit();
6620 module_init(nf_tables_module_init);
6621 module_exit(nf_tables_module_exit);
6623 MODULE_LICENSE("GPL");
6624 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6625 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-2.6-block.git / blob