2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
29 * nft_register_afinfo - register nf_tables address family info
31 * @afi: address family info to register
33 * Register the address family for use with nf_tables. Returns zero on
34 * success or a negative errno code otherwise.
36 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
38 INIT_LIST_HEAD(&afi->tables);
39 nfnl_lock(NFNL_SUBSYS_NFTABLES);
40 list_add_tail_rcu(&afi->list, &net->nft.af_info);
41 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
44 EXPORT_SYMBOL_GPL(nft_register_afinfo);
46 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
49 * nft_unregister_afinfo - unregister nf_tables address family info
51 * @afi: address family info to unregister
53 * Unregister the address family for use with nf_tables.
55 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
57 nfnl_lock(NFNL_SUBSYS_NFTABLES);
58 __nft_release_afinfo(net, afi);
59 list_del_rcu(&afi->list);
60 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
62 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
64 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
66 struct nft_af_info *afi;
68 list_for_each_entry(afi, &net->nft.af_info, list) {
69 if (afi->family == family)
75 static struct nft_af_info *
76 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
78 struct nft_af_info *afi;
80 afi = nft_afinfo_lookup(net, family);
85 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
86 request_module("nft-afinfo-%u", family);
87 nfnl_lock(NFNL_SUBSYS_NFTABLES);
88 afi = nft_afinfo_lookup(net, family);
90 return ERR_PTR(-EAGAIN);
93 return ERR_PTR(-EAFNOSUPPORT);
96 static void nft_ctx_init(struct nft_ctx *ctx,
98 const struct sk_buff *skb,
99 const struct nlmsghdr *nlh,
100 struct nft_af_info *afi,
101 struct nft_table *table,
102 struct nft_chain *chain,
103 const struct nlattr * const *nla)
110 ctx->portid = NETLINK_CB(skb).portid;
111 ctx->report = nlmsg_report(nlh);
112 ctx->seq = nlh->nlmsg_seq;
115 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
116 int msg_type, u32 size, gfp_t gfp)
118 struct nft_trans *trans;
120 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
124 INIT_LIST_HEAD(&trans->list);
125 trans->msg_type = msg_type;
131 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
132 int msg_type, u32 size)
134 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
137 static void nft_trans_destroy(struct nft_trans *trans)
139 list_del(&trans->list);
143 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
146 struct net *net = ctx->net;
147 struct nft_trans *trans;
149 if (!(set->flags & NFT_SET_ANONYMOUS))
152 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
153 switch (trans->msg_type) {
155 if (nft_trans_set(trans) == set)
156 nft_trans_set_bound(trans) = bind;
158 case NFT_MSG_NEWSETELEM:
159 if (nft_trans_elem_set(trans) == set)
160 nft_trans_elem_set_bound(trans) = bind;
166 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
168 return __nft_set_trans_bind(ctx, set, true);
171 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
173 return __nft_set_trans_bind(ctx, set, false);
176 static int nf_tables_register_hooks(struct net *net,
177 const struct nft_table *table,
178 struct nft_chain *chain,
179 unsigned int hook_nops)
181 if (table->flags & NFT_TABLE_F_DORMANT ||
182 !nft_is_base_chain(chain))
185 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
189 static void nf_tables_unregister_hooks(struct net *net,
190 const struct nft_table *table,
191 struct nft_chain *chain,
192 unsigned int hook_nops)
194 if (table->flags & NFT_TABLE_F_DORMANT ||
195 !nft_is_base_chain(chain))
198 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
201 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
203 struct nft_trans *trans;
205 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
209 if (msg_type == NFT_MSG_NEWTABLE)
210 nft_activate_next(ctx->net, ctx->table);
212 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
216 static int nft_deltable(struct nft_ctx *ctx)
220 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
224 nft_deactivate_next(ctx->net, ctx->table);
228 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
230 struct nft_trans *trans;
232 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
236 if (msg_type == NFT_MSG_NEWCHAIN)
237 nft_activate_next(ctx->net, ctx->chain);
239 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
243 static int nft_delchain(struct nft_ctx *ctx)
247 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
251 nft_use_dec(&ctx->table->use);
252 nft_deactivate_next(ctx->net, ctx->chain);
257 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
258 struct nft_rule *rule)
260 struct nft_expr *expr;
262 expr = nft_expr_first(rule);
263 while (expr != nft_expr_last(rule) && expr->ops) {
264 if (expr->ops->activate)
265 expr->ops->activate(ctx, expr);
267 expr = nft_expr_next(expr);
271 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
272 struct nft_rule *rule,
273 enum nft_trans_phase phase)
275 struct nft_expr *expr;
277 expr = nft_expr_first(rule);
278 while (expr != nft_expr_last(rule) && expr->ops) {
279 if (expr->ops->deactivate)
280 expr->ops->deactivate(ctx, expr, phase);
282 expr = nft_expr_next(expr);
287 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
289 /* You cannot delete the same rule twice */
290 if (nft_is_active_next(ctx->net, rule)) {
291 nft_deactivate_next(ctx->net, rule);
292 nft_use_dec(&ctx->chain->use);
298 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
299 struct nft_rule *rule)
301 struct nft_trans *trans;
303 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
307 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
308 nft_trans_rule_id(trans) =
309 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
311 nft_trans_rule(trans) = rule;
312 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
317 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
319 struct nft_trans *trans;
322 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
326 err = nf_tables_delrule_deactivate(ctx, rule);
328 nft_trans_destroy(trans);
331 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
336 static int nft_delrule_by_chain(struct nft_ctx *ctx)
338 struct nft_rule *rule;
341 list_for_each_entry(rule, &ctx->chain->rules, list) {
342 if (!nft_is_active_next(ctx->net, rule))
345 err = nft_delrule(ctx, rule);
352 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
355 struct nft_trans *trans;
357 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
361 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
362 nft_trans_set_id(trans) =
363 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
364 nft_activate_next(ctx->net, set);
366 nft_trans_set(trans) = set;
367 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
372 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
376 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
380 nft_deactivate_next(ctx->net, set);
381 nft_use_dec(&ctx->table->use);
386 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
387 struct nft_object *obj)
389 struct nft_trans *trans;
391 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
395 if (msg_type == NFT_MSG_NEWOBJ)
396 nft_activate_next(ctx->net, obj);
398 nft_trans_obj(trans) = obj;
399 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
404 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
408 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
412 nft_deactivate_next(ctx->net, obj);
413 nft_use_dec(&ctx->table->use);
422 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
423 const struct nlattr *nla,
426 struct nft_table *table;
428 list_for_each_entry(table, &afi->tables, list) {
429 if (!nla_strcmp(nla, table->name) &&
430 nft_active_genmask(table, genmask))
436 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
437 const struct nlattr *nla,
440 struct nft_table *table;
443 return ERR_PTR(-EINVAL);
445 table = nft_table_lookup(afi, nla, genmask);
449 return ERR_PTR(-ENOENT);
452 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
454 return ++table->hgenerator;
457 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
459 static const struct nf_chain_type *
460 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
464 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
465 if (chain_type[family][i] != NULL &&
466 !nla_strcmp(nla, chain_type[family][i]->name))
467 return chain_type[family][i];
472 static const struct nf_chain_type *
473 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
474 const struct nlattr *nla,
477 const struct nf_chain_type *type;
479 type = __nf_tables_chain_type_lookup(afi->family, nla);
482 #ifdef CONFIG_MODULES
484 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
485 request_module("nft-chain-%u-%.*s", afi->family,
486 nla_len(nla), (const char *)nla_data(nla));
487 nfnl_lock(NFNL_SUBSYS_NFTABLES);
488 type = __nf_tables_chain_type_lookup(afi->family, nla);
490 return ERR_PTR(-EAGAIN);
493 return ERR_PTR(-ENOENT);
496 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
497 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
498 .len = NFT_TABLE_MAXNAMELEN - 1 },
499 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
502 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
503 u32 portid, u32 seq, int event, u32 flags,
504 int family, const struct nft_table *table)
506 struct nlmsghdr *nlh;
507 struct nfgenmsg *nfmsg;
509 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
510 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
512 goto nla_put_failure;
514 nfmsg = nlmsg_data(nlh);
515 nfmsg->nfgen_family = family;
516 nfmsg->version = NFNETLINK_V0;
517 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
519 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
520 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
521 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
522 goto nla_put_failure;
528 nlmsg_trim(skb, nlh);
532 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
538 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
541 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
545 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
546 event, 0, ctx->afi->family, ctx->table);
552 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
553 ctx->report, GFP_KERNEL);
556 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
559 static int nf_tables_dump_tables(struct sk_buff *skb,
560 struct netlink_callback *cb)
562 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
563 const struct nft_af_info *afi;
564 const struct nft_table *table;
565 unsigned int idx = 0, s_idx = cb->args[0];
566 struct net *net = sock_net(skb->sk);
567 int family = nfmsg->nfgen_family;
570 cb->seq = net->nft.base_seq;
572 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
573 if (family != NFPROTO_UNSPEC && family != afi->family)
576 list_for_each_entry_rcu(table, &afi->tables, list) {
580 memset(&cb->args[1], 0,
581 sizeof(cb->args) - sizeof(cb->args[0]));
582 if (!nft_is_active(net, table))
584 if (nf_tables_fill_table_info(skb, net,
585 NETLINK_CB(cb->skb).portid,
589 afi->family, table) < 0)
592 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
603 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
604 struct sk_buff *skb, const struct nlmsghdr *nlh,
605 const struct nlattr * const nla[],
606 struct netlink_ext_ack *extack)
608 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
609 u8 genmask = nft_genmask_cur(net);
610 const struct nft_af_info *afi;
611 const struct nft_table *table;
612 struct sk_buff *skb2;
613 int family = nfmsg->nfgen_family;
616 if (nlh->nlmsg_flags & NLM_F_DUMP) {
617 struct netlink_dump_control c = {
618 .dump = nf_tables_dump_tables,
620 return netlink_dump_start(nlsk, skb, nlh, &c);
623 afi = nf_tables_afinfo_lookup(net, family, false);
627 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
629 return PTR_ERR(table);
631 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
635 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
636 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
641 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
648 static void _nf_tables_table_disable(struct net *net,
649 const struct nft_af_info *afi,
650 struct nft_table *table,
653 struct nft_chain *chain;
656 list_for_each_entry(chain, &table->chains, list) {
657 if (!nft_is_active_next(net, chain))
659 if (!nft_is_base_chain(chain))
662 if (cnt && i++ == cnt)
665 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
670 static int nf_tables_table_enable(struct net *net,
671 const struct nft_af_info *afi,
672 struct nft_table *table)
674 struct nft_chain *chain;
677 list_for_each_entry(chain, &table->chains, list) {
678 if (!nft_is_active_next(net, chain))
680 if (!nft_is_base_chain(chain))
683 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
693 _nf_tables_table_disable(net, afi, table, i);
697 static void nf_tables_table_disable(struct net *net,
698 const struct nft_af_info *afi,
699 struct nft_table *table)
701 _nf_tables_table_disable(net, afi, table, 0);
704 static int nf_tables_updtable(struct nft_ctx *ctx)
706 struct nft_trans *trans;
710 if (!ctx->nla[NFTA_TABLE_FLAGS])
713 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
714 if (flags & ~NFT_TABLE_F_DORMANT)
717 if (flags == ctx->table->flags)
720 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
721 sizeof(struct nft_trans_table));
725 if ((flags & NFT_TABLE_F_DORMANT) &&
726 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
727 nft_trans_table_enable(trans) = false;
728 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
729 ctx->table->flags & NFT_TABLE_F_DORMANT) {
730 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
732 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
733 nft_trans_table_enable(trans) = true;
739 nft_trans_table_update(trans) = true;
740 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
743 nft_trans_destroy(trans);
747 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
748 struct sk_buff *skb, const struct nlmsghdr *nlh,
749 const struct nlattr * const nla[],
750 struct netlink_ext_ack *extack)
752 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
753 u8 genmask = nft_genmask_next(net);
754 const struct nlattr *name;
755 struct nft_af_info *afi;
756 struct nft_table *table;
757 int family = nfmsg->nfgen_family;
762 afi = nf_tables_afinfo_lookup(net, family, true);
766 name = nla[NFTA_TABLE_NAME];
767 table = nf_tables_table_lookup(afi, name, genmask);
769 if (PTR_ERR(table) != -ENOENT)
770 return PTR_ERR(table);
772 if (nlh->nlmsg_flags & NLM_F_EXCL)
774 if (nlh->nlmsg_flags & NLM_F_REPLACE)
777 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
778 return nf_tables_updtable(&ctx);
781 if (nla[NFTA_TABLE_FLAGS]) {
782 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
783 if (flags & ~NFT_TABLE_F_DORMANT)
788 if (!try_module_get(afi->owner))
792 table = kzalloc(sizeof(*table), GFP_KERNEL);
796 table->name = nla_strdup(name, GFP_KERNEL);
797 if (table->name == NULL)
800 INIT_LIST_HEAD(&table->chains);
801 INIT_LIST_HEAD(&table->sets);
802 INIT_LIST_HEAD(&table->objects);
803 table->flags = flags;
805 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
806 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
810 list_add_tail_rcu(&table->list, &afi->tables);
817 module_put(afi->owner);
822 static int nft_flush_table(struct nft_ctx *ctx)
825 struct nft_chain *chain, *nc;
826 struct nft_object *obj, *ne;
827 struct nft_set *set, *ns;
829 list_for_each_entry(chain, &ctx->table->chains, list) {
830 if (!nft_is_active_next(ctx->net, chain))
835 err = nft_delrule_by_chain(ctx);
840 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
841 if (!nft_is_active_next(ctx->net, set))
844 if (set->flags & NFT_SET_ANONYMOUS &&
845 !list_empty(&set->bindings))
848 err = nft_delset(ctx, set);
853 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
854 err = nft_delobj(ctx, obj);
859 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
860 if (!nft_is_active_next(ctx->net, chain))
865 err = nft_delchain(ctx);
870 err = nft_deltable(ctx);
875 static int nft_flush(struct nft_ctx *ctx, int family)
877 struct nft_af_info *afi;
878 struct nft_table *table, *nt;
879 const struct nlattr * const *nla = ctx->nla;
882 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
883 if (family != AF_UNSPEC && afi->family != family)
887 list_for_each_entry_safe(table, nt, &afi->tables, list) {
888 if (!nft_is_active_next(ctx->net, table))
891 if (nla[NFTA_TABLE_NAME] &&
892 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
897 err = nft_flush_table(ctx);
906 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
907 struct sk_buff *skb, const struct nlmsghdr *nlh,
908 const struct nlattr * const nla[],
909 struct netlink_ext_ack *extack)
911 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
912 u8 genmask = nft_genmask_next(net);
913 struct nft_af_info *afi;
914 struct nft_table *table;
915 int family = nfmsg->nfgen_family;
918 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
919 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
920 return nft_flush(&ctx, family);
922 afi = nf_tables_afinfo_lookup(net, family, false);
926 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
928 return PTR_ERR(table);
930 if (nlh->nlmsg_flags & NLM_F_NONREC &&
937 return nft_flush_table(&ctx);
940 static void nf_tables_table_destroy(struct nft_ctx *ctx)
942 BUG_ON(ctx->table->use > 0);
944 kfree(ctx->table->name);
946 module_put(ctx->afi->owner);
949 int nft_register_chain_type(const struct nf_chain_type *ctype)
953 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
956 nfnl_lock(NFNL_SUBSYS_NFTABLES);
957 if (chain_type[ctype->family][ctype->type] != NULL) {
961 chain_type[ctype->family][ctype->type] = ctype;
963 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
966 EXPORT_SYMBOL_GPL(nft_register_chain_type);
968 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
970 nfnl_lock(NFNL_SUBSYS_NFTABLES);
971 chain_type[ctype->family][ctype->type] = NULL;
972 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
974 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
980 static struct nft_chain *
981 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
984 struct nft_chain *chain;
986 list_for_each_entry(chain, &table->chains, list) {
987 if (chain->handle == handle &&
988 nft_active_genmask(chain, genmask))
992 return ERR_PTR(-ENOENT);
995 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
996 const struct nlattr *nla,
999 struct nft_chain *chain;
1002 return ERR_PTR(-EINVAL);
1004 list_for_each_entry(chain, &table->chains, list) {
1005 if (!nla_strcmp(nla, chain->name) &&
1006 nft_active_genmask(chain, genmask))
1010 return ERR_PTR(-ENOENT);
1013 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1014 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1015 .len = NFT_TABLE_MAXNAMELEN - 1 },
1016 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1017 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1018 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1019 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1020 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1021 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1022 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1025 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1026 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1027 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1028 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1029 .len = IFNAMSIZ - 1 },
1032 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1034 struct nft_stats *cpu_stats, total;
1035 struct nlattr *nest;
1040 memset(&total, 0, sizeof(total));
1041 for_each_possible_cpu(cpu) {
1042 cpu_stats = per_cpu_ptr(stats, cpu);
1044 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1045 pkts = cpu_stats->pkts;
1046 bytes = cpu_stats->bytes;
1047 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1049 total.bytes += bytes;
1051 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1053 goto nla_put_failure;
1055 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1056 NFTA_COUNTER_PAD) ||
1057 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1059 goto nla_put_failure;
1061 nla_nest_end(skb, nest);
1068 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1069 u32 portid, u32 seq, int event, u32 flags,
1070 int family, const struct nft_table *table,
1071 const struct nft_chain *chain)
1073 struct nlmsghdr *nlh;
1074 struct nfgenmsg *nfmsg;
1076 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1077 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1079 goto nla_put_failure;
1081 nfmsg = nlmsg_data(nlh);
1082 nfmsg->nfgen_family = family;
1083 nfmsg->version = NFNETLINK_V0;
1084 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1086 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1087 goto nla_put_failure;
1088 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1090 goto nla_put_failure;
1091 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1092 goto nla_put_failure;
1094 if (nft_is_base_chain(chain)) {
1095 const struct nft_base_chain *basechain = nft_base_chain(chain);
1096 const struct nf_hook_ops *ops = &basechain->ops[0];
1097 struct nlattr *nest;
1099 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1101 goto nla_put_failure;
1102 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1103 goto nla_put_failure;
1104 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1105 goto nla_put_failure;
1106 if (basechain->dev_name[0] &&
1107 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1108 goto nla_put_failure;
1109 nla_nest_end(skb, nest);
1111 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1112 htonl(basechain->policy)))
1113 goto nla_put_failure;
1115 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1116 goto nla_put_failure;
1118 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1119 goto nla_put_failure;
1122 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1123 goto nla_put_failure;
1125 nlmsg_end(skb, nlh);
1129 nlmsg_trim(skb, nlh);
1133 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1135 struct sk_buff *skb;
1139 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1142 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1146 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1147 event, 0, ctx->afi->family, ctx->table,
1154 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1155 ctx->report, GFP_KERNEL);
1158 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1161 static int nf_tables_dump_chains(struct sk_buff *skb,
1162 struct netlink_callback *cb)
1164 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1165 const struct nft_af_info *afi;
1166 const struct nft_table *table;
1167 const struct nft_chain *chain;
1168 unsigned int idx = 0, s_idx = cb->args[0];
1169 struct net *net = sock_net(skb->sk);
1170 int family = nfmsg->nfgen_family;
1173 cb->seq = net->nft.base_seq;
1175 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1176 if (family != NFPROTO_UNSPEC && family != afi->family)
1179 list_for_each_entry_rcu(table, &afi->tables, list) {
1180 list_for_each_entry_rcu(chain, &table->chains, list) {
1184 memset(&cb->args[1], 0,
1185 sizeof(cb->args) - sizeof(cb->args[0]));
1186 if (!nft_is_active(net, chain))
1188 if (nf_tables_fill_chain_info(skb, net,
1189 NETLINK_CB(cb->skb).portid,
1193 afi->family, table, chain) < 0)
1196 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1208 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1209 struct sk_buff *skb, const struct nlmsghdr *nlh,
1210 const struct nlattr * const nla[],
1211 struct netlink_ext_ack *extack)
1213 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1214 u8 genmask = nft_genmask_cur(net);
1215 const struct nft_af_info *afi;
1216 const struct nft_table *table;
1217 const struct nft_chain *chain;
1218 struct sk_buff *skb2;
1219 int family = nfmsg->nfgen_family;
1222 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1223 struct netlink_dump_control c = {
1224 .dump = nf_tables_dump_chains,
1226 return netlink_dump_start(nlsk, skb, nlh, &c);
1229 afi = nf_tables_afinfo_lookup(net, family, false);
1231 return PTR_ERR(afi);
1233 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1235 return PTR_ERR(table);
1237 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1239 return PTR_ERR(chain);
1241 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1245 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1246 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1247 family, table, chain);
1251 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1258 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1259 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1260 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1263 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1265 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1266 struct nft_stats __percpu *newstats;
1267 struct nft_stats *stats;
1270 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1273 return ERR_PTR(err);
1275 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1276 return ERR_PTR(-EINVAL);
1278 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1279 if (newstats == NULL)
1280 return ERR_PTR(-ENOMEM);
1282 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1283 * are not exposed to userspace.
1286 stats = this_cpu_ptr(newstats);
1287 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1288 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1294 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1295 struct nft_stats __percpu *newstats)
1297 if (newstats == NULL)
1301 struct nft_stats __percpu *oldstats =
1302 nft_dereference(chain->stats);
1304 rcu_assign_pointer(chain->stats, newstats);
1306 free_percpu(oldstats);
1308 rcu_assign_pointer(chain->stats, newstats);
1309 static_branch_inc(&nft_counters_enabled);
1313 static void nf_tables_chain_destroy(struct nft_chain *chain)
1315 BUG_ON(chain->use > 0);
1317 if (nft_is_base_chain(chain)) {
1318 struct nft_base_chain *basechain = nft_base_chain(chain);
1320 module_put(basechain->type->owner);
1321 free_percpu(basechain->stats);
1322 if (basechain->stats)
1323 static_branch_dec(&nft_counters_enabled);
1324 if (basechain->ops[0].dev != NULL)
1325 dev_put(basechain->ops[0].dev);
1334 struct nft_chain_hook {
1337 const struct nf_chain_type *type;
1338 struct net_device *dev;
1341 static int nft_chain_parse_hook(struct net *net,
1342 const struct nlattr * const nla[],
1343 struct nft_af_info *afi,
1344 struct nft_chain_hook *hook, bool create)
1346 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1347 const struct nf_chain_type *type;
1348 struct net_device *dev;
1351 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1352 nft_hook_policy, NULL);
1356 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1357 ha[NFTA_HOOK_PRIORITY] == NULL)
1360 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1361 if (hook->num >= afi->nhooks)
1364 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1366 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1367 if (nla[NFTA_CHAIN_TYPE]) {
1368 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1371 return PTR_ERR(type);
1373 if (!(type->hook_mask & (1 << hook->num)))
1375 if (!try_module_get(type->owner))
1381 if (afi->flags & NFT_AF_NEEDS_DEV) {
1382 char ifname[IFNAMSIZ];
1384 if (!ha[NFTA_HOOK_DEV]) {
1385 module_put(type->owner);
1389 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1390 dev = dev_get_by_name(net, ifname);
1392 module_put(type->owner);
1396 } else if (ha[NFTA_HOOK_DEV]) {
1397 module_put(type->owner);
1404 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1406 module_put(hook->type->owner);
1407 if (hook->dev != NULL)
1411 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1412 u8 policy, bool create)
1414 const struct nlattr * const *nla = ctx->nla;
1415 struct nft_table *table = ctx->table;
1416 struct nft_af_info *afi = ctx->afi;
1417 struct nft_base_chain *basechain;
1418 struct nft_stats __percpu *stats;
1419 struct net *net = ctx->net;
1420 struct nft_chain *chain;
1424 if (nla[NFTA_CHAIN_HOOK]) {
1425 struct nft_chain_hook hook;
1426 struct nf_hook_ops *ops;
1429 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1433 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1434 if (basechain == NULL) {
1435 nft_chain_release_hook(&hook);
1439 if (hook.dev != NULL)
1440 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1442 if (nla[NFTA_CHAIN_COUNTERS]) {
1443 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1444 if (IS_ERR(stats)) {
1445 nft_chain_release_hook(&hook);
1447 return PTR_ERR(stats);
1449 basechain->stats = stats;
1450 static_branch_inc(&nft_counters_enabled);
1453 hookfn = hook.type->hooks[hook.num];
1454 basechain->type = hook.type;
1455 chain = &basechain->chain;
1457 for (i = 0; i < afi->nops; i++) {
1458 ops = &basechain->ops[i];
1460 ops->hooknum = hook.num;
1461 ops->priority = hook.priority;
1463 ops->hook = afi->hooks[ops->hooknum];
1464 ops->dev = hook.dev;
1467 if (afi->hook_ops_init)
1468 afi->hook_ops_init(ops, i);
1471 chain->flags |= NFT_BASE_CHAIN;
1472 basechain->policy = policy;
1474 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1478 INIT_LIST_HEAD(&chain->rules);
1479 chain->handle = nf_tables_alloc_handle(table);
1480 chain->table = table;
1481 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1487 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1491 if (!nft_use_inc(&table->use)) {
1497 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1501 list_add_tail_rcu(&chain->list, &table->chains);
1505 nft_use_dec_restore(&table->use);
1507 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1509 nf_tables_chain_destroy(chain);
1514 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1517 const struct nlattr * const *nla = ctx->nla;
1518 struct nft_table *table = ctx->table;
1519 struct nft_chain *chain = ctx->chain;
1520 struct nft_af_info *afi = ctx->afi;
1521 struct nft_base_chain *basechain;
1522 struct nft_stats *stats = NULL;
1523 struct nft_chain_hook hook;
1524 struct nf_hook_ops *ops;
1525 struct nft_trans *trans;
1528 if (nla[NFTA_CHAIN_HOOK]) {
1529 if (!nft_is_base_chain(chain))
1532 err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
1537 basechain = nft_base_chain(chain);
1538 if (basechain->type != hook.type) {
1539 nft_chain_release_hook(&hook);
1543 for (i = 0; i < afi->nops; i++) {
1544 ops = &basechain->ops[i];
1545 if (ops->hooknum != hook.num ||
1546 ops->priority != hook.priority ||
1547 ops->dev != hook.dev) {
1548 nft_chain_release_hook(&hook);
1552 nft_chain_release_hook(&hook);
1555 if (nla[NFTA_CHAIN_HANDLE] &&
1556 nla[NFTA_CHAIN_NAME]) {
1557 struct nft_chain *chain2;
1559 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1561 if (!IS_ERR(chain2))
1565 if (nla[NFTA_CHAIN_COUNTERS]) {
1566 if (!nft_is_base_chain(chain))
1569 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1571 return PTR_ERR(stats);
1575 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1576 sizeof(struct nft_trans_chain));
1580 nft_trans_chain_stats(trans) = stats;
1581 nft_trans_chain_update(trans) = true;
1583 if (nla[NFTA_CHAIN_POLICY])
1584 nft_trans_chain_policy(trans) = policy;
1586 nft_trans_chain_policy(trans) = -1;
1588 if (nla[NFTA_CHAIN_HANDLE] &&
1589 nla[NFTA_CHAIN_NAME]) {
1590 struct nft_trans *tmp;
1594 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1599 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1600 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1601 tmp->ctx.table == table &&
1602 nft_trans_chain_update(tmp) &&
1603 nft_trans_chain_name(tmp) &&
1604 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1610 nft_trans_chain_name(trans) = name;
1612 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1621 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1622 struct sk_buff *skb, const struct nlmsghdr *nlh,
1623 const struct nlattr * const nla[],
1624 struct netlink_ext_ack *extack)
1626 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1627 const struct nlattr * uninitialized_var(name);
1628 u8 genmask = nft_genmask_next(net);
1629 int family = nfmsg->nfgen_family;
1630 struct nft_af_info *afi;
1631 struct nft_table *table;
1632 struct nft_chain *chain;
1633 u8 policy = NF_ACCEPT;
1638 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1640 afi = nf_tables_afinfo_lookup(net, family, true);
1642 return PTR_ERR(afi);
1644 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1646 return PTR_ERR(table);
1649 name = nla[NFTA_CHAIN_NAME];
1651 if (nla[NFTA_CHAIN_HANDLE]) {
1652 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1653 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1655 return PTR_ERR(chain);
1657 chain = nf_tables_chain_lookup(table, name, genmask);
1658 if (IS_ERR(chain)) {
1659 if (PTR_ERR(chain) != -ENOENT)
1660 return PTR_ERR(chain);
1665 if (nla[NFTA_CHAIN_POLICY]) {
1666 if (chain != NULL &&
1667 !nft_is_base_chain(chain))
1670 if (chain == NULL &&
1671 nla[NFTA_CHAIN_HOOK] == NULL)
1674 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1684 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1686 if (chain != NULL) {
1687 if (nlh->nlmsg_flags & NLM_F_EXCL)
1689 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1692 return nf_tables_updchain(&ctx, genmask, policy, create);
1695 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1698 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1699 struct sk_buff *skb, const struct nlmsghdr *nlh,
1700 const struct nlattr * const nla[],
1701 struct netlink_ext_ack *extack)
1703 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1704 u8 genmask = nft_genmask_next(net);
1705 struct nft_af_info *afi;
1706 struct nft_table *table;
1707 struct nft_chain *chain;
1708 struct nft_rule *rule;
1709 int family = nfmsg->nfgen_family;
1714 afi = nf_tables_afinfo_lookup(net, family, false);
1716 return PTR_ERR(afi);
1718 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1720 return PTR_ERR(table);
1722 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1724 return PTR_ERR(chain);
1726 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1730 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1733 list_for_each_entry(rule, &chain->rules, list) {
1734 if (!nft_is_active_next(net, rule))
1738 err = nft_delrule(&ctx, rule);
1743 /* There are rules and elements that are still holding references to us,
1744 * we cannot do a recursive removal in this case.
1749 return nft_delchain(&ctx);
1757 * nft_register_expr - register nf_tables expr type
1760 * Registers the expr type for use with nf_tables. Returns zero on
1761 * success or a negative errno code otherwise.
1763 int nft_register_expr(struct nft_expr_type *type)
1765 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1766 if (type->family == NFPROTO_UNSPEC)
1767 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1769 list_add_rcu(&type->list, &nf_tables_expressions);
1770 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1773 EXPORT_SYMBOL_GPL(nft_register_expr);
1776 * nft_unregister_expr - unregister nf_tables expr type
1779 * Unregisters the expr typefor use with nf_tables.
1781 void nft_unregister_expr(struct nft_expr_type *type)
1783 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1784 list_del_rcu(&type->list);
1785 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1787 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1789 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1792 const struct nft_expr_type *type;
1794 list_for_each_entry(type, &nf_tables_expressions, list) {
1795 if (!nla_strcmp(nla, type->name) &&
1796 (!type->family || type->family == family))
1802 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1805 const struct nft_expr_type *type;
1808 return ERR_PTR(-EINVAL);
1810 type = __nft_expr_type_get(family, nla);
1811 if (type != NULL && try_module_get(type->owner))
1814 #ifdef CONFIG_MODULES
1816 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1817 request_module("nft-expr-%u-%.*s", family,
1818 nla_len(nla), (char *)nla_data(nla));
1819 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1820 if (__nft_expr_type_get(family, nla))
1821 return ERR_PTR(-EAGAIN);
1823 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1824 request_module("nft-expr-%.*s",
1825 nla_len(nla), (char *)nla_data(nla));
1826 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1827 if (__nft_expr_type_get(family, nla))
1828 return ERR_PTR(-EAGAIN);
1831 return ERR_PTR(-ENOENT);
1834 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1835 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1836 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1839 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1840 const struct nft_expr *expr)
1842 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1843 goto nla_put_failure;
1845 if (expr->ops->dump) {
1846 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1848 goto nla_put_failure;
1849 if (expr->ops->dump(skb, expr) < 0)
1850 goto nla_put_failure;
1851 nla_nest_end(skb, data);
1860 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1861 const struct nft_expr *expr)
1863 struct nlattr *nest;
1865 nest = nla_nest_start(skb, attr);
1867 goto nla_put_failure;
1868 if (nf_tables_fill_expr_info(skb, expr) < 0)
1869 goto nla_put_failure;
1870 nla_nest_end(skb, nest);
1877 struct nft_expr_info {
1878 const struct nft_expr_ops *ops;
1879 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1882 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1883 const struct nlattr *nla,
1884 struct nft_expr_info *info)
1886 const struct nft_expr_type *type;
1887 const struct nft_expr_ops *ops;
1888 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1891 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1895 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1897 return PTR_ERR(type);
1899 if (tb[NFTA_EXPR_DATA]) {
1900 err = nla_parse_nested(info->tb, type->maxattr,
1901 tb[NFTA_EXPR_DATA], type->policy, NULL);
1905 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1907 if (type->select_ops != NULL) {
1908 ops = type->select_ops(ctx,
1909 (const struct nlattr * const *)info->tb);
1921 module_put(type->owner);
1925 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1926 const struct nft_expr_info *info,
1927 struct nft_expr *expr)
1929 const struct nft_expr_ops *ops = info->ops;
1934 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1939 if (ops->validate) {
1940 const struct nft_data *data = NULL;
1942 err = ops->validate(ctx, expr, &data);
1951 ops->destroy(ctx, expr);
1957 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1958 struct nft_expr *expr)
1960 if (expr->ops->destroy)
1961 expr->ops->destroy(ctx, expr);
1962 module_put(expr->ops->type->owner);
1965 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1966 const struct nlattr *nla)
1968 struct nft_expr_info info;
1969 struct nft_expr *expr;
1972 err = nf_tables_expr_parse(ctx, nla, &info);
1974 goto err_expr_parse;
1977 if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
1978 goto err_expr_stateful;
1981 expr = kzalloc(info.ops->size, GFP_KERNEL);
1983 goto err_expr_stateful;
1985 err = nf_tables_newexpr(ctx, &info, expr);
1993 module_put(info.ops->type->owner);
1995 return ERR_PTR(err);
1998 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2000 nf_tables_expr_destroy(ctx, expr);
2008 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
2011 struct nft_rule *rule;
2013 // FIXME: this sucks
2014 list_for_each_entry(rule, &chain->rules, list) {
2015 if (handle == rule->handle)
2019 return ERR_PTR(-ENOENT);
2022 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
2023 const struct nlattr *nla)
2026 return ERR_PTR(-EINVAL);
2028 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2031 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2032 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2033 .len = NFT_TABLE_MAXNAMELEN - 1 },
2034 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2035 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2036 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2037 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2038 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2039 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2040 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2041 .len = NFT_USERDATA_MAXLEN },
2042 [NFTA_RULE_ID] = { .type = NLA_U32 },
2045 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2046 u32 portid, u32 seq, int event,
2047 u32 flags, int family,
2048 const struct nft_table *table,
2049 const struct nft_chain *chain,
2050 const struct nft_rule *rule)
2052 struct nlmsghdr *nlh;
2053 struct nfgenmsg *nfmsg;
2054 const struct nft_expr *expr, *next;
2055 struct nlattr *list;
2056 const struct nft_rule *prule;
2057 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2059 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2061 goto nla_put_failure;
2063 nfmsg = nlmsg_data(nlh);
2064 nfmsg->nfgen_family = family;
2065 nfmsg->version = NFNETLINK_V0;
2066 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2068 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2069 goto nla_put_failure;
2070 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2071 goto nla_put_failure;
2072 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2074 goto nla_put_failure;
2076 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2077 prule = list_prev_entry(rule, list);
2078 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2079 cpu_to_be64(prule->handle),
2081 goto nla_put_failure;
2084 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2086 goto nla_put_failure;
2087 nft_rule_for_each_expr(expr, next, rule) {
2088 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2089 goto nla_put_failure;
2091 nla_nest_end(skb, list);
2094 struct nft_userdata *udata = nft_userdata(rule);
2095 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2097 goto nla_put_failure;
2100 nlmsg_end(skb, nlh);
2104 nlmsg_trim(skb, nlh);
2108 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2109 const struct nft_rule *rule, int event)
2111 struct sk_buff *skb;
2115 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2118 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2122 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2123 event, 0, ctx->afi->family, ctx->table,
2130 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2131 ctx->report, GFP_KERNEL);
2134 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2137 struct nft_rule_dump_ctx {
2142 static int nf_tables_dump_rules(struct sk_buff *skb,
2143 struct netlink_callback *cb)
2145 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2146 const struct nft_rule_dump_ctx *ctx = cb->data;
2147 const struct nft_af_info *afi;
2148 const struct nft_table *table;
2149 const struct nft_chain *chain;
2150 const struct nft_rule *rule;
2151 unsigned int idx = 0, s_idx = cb->args[0];
2152 struct net *net = sock_net(skb->sk);
2153 int family = nfmsg->nfgen_family;
2156 cb->seq = net->nft.base_seq;
2158 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2159 if (family != NFPROTO_UNSPEC && family != afi->family)
2162 list_for_each_entry_rcu(table, &afi->tables, list) {
2163 if (ctx && ctx->table &&
2164 strcmp(ctx->table, table->name) != 0)
2167 list_for_each_entry_rcu(chain, &table->chains, list) {
2168 if (ctx && ctx->chain &&
2169 strcmp(ctx->chain, chain->name) != 0)
2172 list_for_each_entry_rcu(rule, &chain->rules, list) {
2173 if (!nft_is_active(net, rule))
2178 memset(&cb->args[1], 0,
2179 sizeof(cb->args) - sizeof(cb->args[0]));
2180 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2183 NLM_F_MULTI | NLM_F_APPEND,
2184 afi->family, table, chain, rule) < 0)
2187 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2201 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2203 struct nft_rule_dump_ctx *ctx = cb->data;
2213 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2214 struct sk_buff *skb, const struct nlmsghdr *nlh,
2215 const struct nlattr * const nla[],
2216 struct netlink_ext_ack *extack)
2218 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2219 u8 genmask = nft_genmask_cur(net);
2220 const struct nft_af_info *afi;
2221 const struct nft_table *table;
2222 const struct nft_chain *chain;
2223 const struct nft_rule *rule;
2224 struct sk_buff *skb2;
2225 int family = nfmsg->nfgen_family;
2228 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2229 struct netlink_dump_control c = {
2230 .dump = nf_tables_dump_rules,
2231 .done = nf_tables_dump_rules_done,
2234 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2235 struct nft_rule_dump_ctx *ctx;
2237 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2241 if (nla[NFTA_RULE_TABLE]) {
2242 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2249 if (nla[NFTA_RULE_CHAIN]) {
2250 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2261 return netlink_dump_start(nlsk, skb, nlh, &c);
2264 afi = nf_tables_afinfo_lookup(net, family, false);
2266 return PTR_ERR(afi);
2268 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2270 return PTR_ERR(table);
2272 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2274 return PTR_ERR(chain);
2276 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2278 return PTR_ERR(rule);
2280 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2284 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2285 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2286 family, table, chain, rule);
2290 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2297 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2298 struct nft_rule *rule)
2300 struct nft_expr *expr, *next;
2303 * Careful: some expressions might not be initialized in case this
2304 * is called on error from nf_tables_newrule().
2306 expr = nft_expr_first(rule);
2307 while (expr != nft_expr_last(rule) && expr->ops) {
2308 next = nft_expr_next(expr);
2309 nf_tables_expr_destroy(ctx, expr);
2315 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2316 struct nft_rule *rule)
2318 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2319 nf_tables_rule_destroy(ctx, rule);
2322 #define NFT_RULE_MAXEXPRS 128
2324 static struct nft_expr_info *info;
2326 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2327 struct sk_buff *skb, const struct nlmsghdr *nlh,
2328 const struct nlattr * const nla[],
2329 struct netlink_ext_ack *extack)
2331 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2332 u8 genmask = nft_genmask_next(net);
2333 struct nft_af_info *afi;
2334 struct nft_table *table;
2335 struct nft_chain *chain;
2336 struct nft_rule *rule, *old_rule = NULL;
2337 struct nft_userdata *udata;
2338 struct nft_trans *trans = NULL;
2339 struct nft_expr *expr;
2342 unsigned int size, i, n, ulen = 0, usize = 0;
2345 u64 handle, pos_handle;
2347 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2349 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2351 return PTR_ERR(afi);
2353 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2355 return PTR_ERR(table);
2357 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2359 return PTR_ERR(chain);
2361 if (nla[NFTA_RULE_HANDLE]) {
2362 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2363 rule = __nf_tables_rule_lookup(chain, handle);
2365 return PTR_ERR(rule);
2367 if (nlh->nlmsg_flags & NLM_F_EXCL)
2369 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2374 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2376 handle = nf_tables_alloc_handle(table);
2379 if (nla[NFTA_RULE_POSITION]) {
2380 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2383 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2384 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2385 if (IS_ERR(old_rule))
2386 return PTR_ERR(old_rule);
2389 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2393 if (nla[NFTA_RULE_EXPRESSIONS]) {
2394 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2396 if (nla_type(tmp) != NFTA_LIST_ELEM)
2398 if (n == NFT_RULE_MAXEXPRS)
2400 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2403 size += info[n].ops->size;
2407 /* Check for overflow of dlen field */
2409 if (size >= 1 << 12)
2412 if (nla[NFTA_RULE_USERDATA]) {
2413 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2415 usize = sizeof(struct nft_userdata) + ulen;
2419 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2423 nft_activate_next(net, rule);
2425 rule->handle = handle;
2427 rule->udata = ulen ? 1 : 0;
2430 udata = nft_userdata(rule);
2431 udata->len = ulen - 1;
2432 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2435 expr = nft_expr_first(rule);
2436 for (i = 0; i < n; i++) {
2437 err = nf_tables_newexpr(&ctx, &info[i], expr);
2441 expr = nft_expr_next(expr);
2444 if (!nft_use_inc(&chain->use)) {
2449 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2450 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2451 if (trans == NULL) {
2453 goto err_destroy_flow_rule;
2455 err = nft_delrule(&ctx, old_rule);
2457 nft_trans_destroy(trans);
2458 goto err_destroy_flow_rule;
2461 list_add_tail_rcu(&rule->list, &old_rule->list);
2463 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2465 goto err_destroy_flow_rule;
2468 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2470 list_add_rcu(&rule->list, &old_rule->list);
2472 list_add_tail_rcu(&rule->list, &chain->rules);
2475 list_add_tail_rcu(&rule->list, &old_rule->list);
2477 list_add_rcu(&rule->list, &chain->rules);
2483 err_destroy_flow_rule:
2484 nft_use_dec_restore(&chain->use);
2486 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
2487 nf_tables_rule_destroy(&ctx, rule);
2489 for (i = 0; i < n; i++) {
2490 if (info[i].ops != NULL)
2491 module_put(info[i].ops->type->owner);
2496 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2497 const struct nft_chain *chain,
2498 const struct nlattr *nla)
2500 u32 id = ntohl(nla_get_be32(nla));
2501 struct nft_trans *trans;
2503 list_for_each_entry(trans, &net->nft.commit_list, list) {
2504 struct nft_rule *rule = nft_trans_rule(trans);
2506 if (trans->msg_type == NFT_MSG_NEWRULE &&
2507 trans->ctx.chain == chain &&
2508 id == nft_trans_rule_id(trans))
2511 return ERR_PTR(-ENOENT);
2514 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2515 struct sk_buff *skb, const struct nlmsghdr *nlh,
2516 const struct nlattr * const nla[],
2517 struct netlink_ext_ack *extack)
2519 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2520 u8 genmask = nft_genmask_next(net);
2521 struct nft_af_info *afi;
2522 struct nft_table *table;
2523 struct nft_chain *chain = NULL;
2524 struct nft_rule *rule;
2525 int family = nfmsg->nfgen_family, err = 0;
2528 afi = nf_tables_afinfo_lookup(net, family, false);
2530 return PTR_ERR(afi);
2532 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2534 return PTR_ERR(table);
2536 if (nla[NFTA_RULE_CHAIN]) {
2537 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2540 return PTR_ERR(chain);
2543 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2546 if (nla[NFTA_RULE_HANDLE]) {
2547 rule = nf_tables_rule_lookup(chain,
2548 nla[NFTA_RULE_HANDLE]);
2550 return PTR_ERR(rule);
2552 err = nft_delrule(&ctx, rule);
2553 } else if (nla[NFTA_RULE_ID]) {
2554 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
2556 return PTR_ERR(rule);
2558 err = nft_delrule(&ctx, rule);
2560 err = nft_delrule_by_chain(&ctx);
2563 list_for_each_entry(chain, &table->chains, list) {
2564 if (!nft_is_active_next(net, chain))
2568 err = nft_delrule_by_chain(&ctx);
2581 static LIST_HEAD(nf_tables_set_types);
2583 int nft_register_set(struct nft_set_type *type)
2585 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2586 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2587 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2590 EXPORT_SYMBOL_GPL(nft_register_set);
2592 void nft_unregister_set(struct nft_set_type *type)
2594 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2595 list_del_rcu(&type->list);
2596 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2598 EXPORT_SYMBOL_GPL(nft_unregister_set);
2600 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2601 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2603 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2605 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2609 * Select a set implementation based on the data characteristics and the
2610 * given policy. The total memory use might not be known if no size is
2611 * given, in that case the amount of memory per element is used.
2613 static const struct nft_set_ops *
2614 nft_select_set_ops(const struct nft_ctx *ctx,
2615 const struct nlattr * const nla[],
2616 const struct nft_set_desc *desc,
2617 enum nft_set_policies policy)
2619 const struct nft_set_ops *ops, *bops;
2620 struct nft_set_estimate est, best;
2621 const struct nft_set_type *type;
2624 #ifdef CONFIG_MODULES
2625 if (list_empty(&nf_tables_set_types)) {
2626 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2627 request_module("nft-set");
2628 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2629 if (!list_empty(&nf_tables_set_types))
2630 return ERR_PTR(-EAGAIN);
2633 if (nla[NFTA_SET_FLAGS] != NULL)
2634 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2641 list_for_each_entry(type, &nf_tables_set_types, list) {
2642 if (!type->select_ops)
2645 ops = type->select_ops(ctx, desc, flags);
2649 if (!nft_set_ops_candidate(ops, flags))
2651 if (!ops->estimate(desc, flags, &est))
2655 case NFT_SET_POL_PERFORMANCE:
2656 if (est.lookup < best.lookup)
2658 if (est.lookup == best.lookup) {
2660 if (est.space < best.space)
2662 } else if (est.size < best.size) {
2667 case NFT_SET_POL_MEMORY:
2669 if (est.space < best.space)
2671 if (est.space == best.space &&
2672 est.lookup < best.lookup)
2674 } else if (est.size < best.size) {
2682 if (!try_module_get(type->owner))
2685 module_put(bops->type->owner);
2694 return ERR_PTR(-EOPNOTSUPP);
2697 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2698 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2699 .len = NFT_TABLE_MAXNAMELEN - 1 },
2700 [NFTA_SET_NAME] = { .type = NLA_STRING,
2701 .len = NFT_SET_MAXNAMELEN - 1 },
2702 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2703 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2704 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2705 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2706 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2707 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2708 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2709 [NFTA_SET_ID] = { .type = NLA_U32 },
2710 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2711 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2712 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2713 .len = NFT_USERDATA_MAXLEN },
2714 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2717 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2718 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2721 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2722 const struct sk_buff *skb,
2723 const struct nlmsghdr *nlh,
2724 const struct nlattr * const nla[],
2727 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2728 struct nft_af_info *afi = NULL;
2729 struct nft_table *table = NULL;
2731 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2732 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2734 return PTR_ERR(afi);
2737 if (nla[NFTA_SET_TABLE] != NULL) {
2739 return -EAFNOSUPPORT;
2741 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2744 return PTR_ERR(table);
2747 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2751 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2752 const struct nlattr *nla, u8 genmask)
2754 struct nft_set *set;
2757 return ERR_PTR(-EINVAL);
2759 list_for_each_entry(set, &table->sets, list) {
2760 if (!nla_strcmp(nla, set->name) &&
2761 nft_active_genmask(set, genmask))
2764 return ERR_PTR(-ENOENT);
2767 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2768 const struct nft_table *table,
2769 const struct nlattr *nla,
2772 struct nft_trans *trans;
2773 u32 id = ntohl(nla_get_be32(nla));
2775 list_for_each_entry(trans, &net->nft.commit_list, list) {
2776 if (trans->msg_type == NFT_MSG_NEWSET) {
2777 struct nft_set *set = nft_trans_set(trans);
2779 if (id == nft_trans_set_id(trans) &&
2780 set->table == table &&
2781 nft_active_genmask(set, genmask))
2785 return ERR_PTR(-ENOENT);
2788 struct nft_set *nft_set_lookup(const struct net *net,
2789 const struct nft_table *table,
2790 const struct nlattr *nla_set_name,
2791 const struct nlattr *nla_set_id,
2794 struct nft_set *set;
2796 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2801 set = nf_tables_set_lookup_byid(net, table, nla_set_id, genmask);
2805 EXPORT_SYMBOL_GPL(nft_set_lookup);
2807 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2810 const struct nft_set *i;
2812 unsigned long *inuse;
2813 unsigned int n = 0, min = 0;
2815 p = strchr(name, '%');
2817 if (p[1] != 'd' || strchr(p + 2, '%'))
2820 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2824 list_for_each_entry(i, &ctx->table->sets, list) {
2827 if (!nft_is_active_next(ctx->net, i))
2829 if (!sscanf(i->name, name, &tmp))
2831 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2834 set_bit(tmp - min, inuse);
2837 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2838 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2839 min += BITS_PER_BYTE * PAGE_SIZE;
2840 memset(inuse, 0, PAGE_SIZE);
2843 free_page((unsigned long)inuse);
2846 set->name = kasprintf(GFP_KERNEL, name, min + n);
2850 list_for_each_entry(i, &ctx->table->sets, list) {
2851 if (!nft_is_active_next(ctx->net, i))
2853 if (!strcmp(set->name, i->name)) {
2861 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2862 const struct nft_set *set, u16 event, u16 flags)
2864 struct nfgenmsg *nfmsg;
2865 struct nlmsghdr *nlh;
2866 struct nlattr *desc;
2867 u32 portid = ctx->portid;
2870 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2871 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2874 goto nla_put_failure;
2876 nfmsg = nlmsg_data(nlh);
2877 nfmsg->nfgen_family = ctx->afi->family;
2878 nfmsg->version = NFNETLINK_V0;
2879 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2881 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2882 goto nla_put_failure;
2883 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2884 goto nla_put_failure;
2885 if (set->flags != 0)
2886 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2887 goto nla_put_failure;
2889 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2890 goto nla_put_failure;
2891 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2892 goto nla_put_failure;
2893 if (set->flags & NFT_SET_MAP) {
2894 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2895 goto nla_put_failure;
2896 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2897 goto nla_put_failure;
2899 if (set->flags & NFT_SET_OBJECT &&
2900 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2901 goto nla_put_failure;
2904 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2905 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2907 goto nla_put_failure;
2909 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2910 goto nla_put_failure;
2912 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2913 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2914 goto nla_put_failure;
2918 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2919 goto nla_put_failure;
2921 desc = nla_nest_start(skb, NFTA_SET_DESC);
2923 goto nla_put_failure;
2925 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2926 goto nla_put_failure;
2927 nla_nest_end(skb, desc);
2929 nlmsg_end(skb, nlh);
2933 nlmsg_trim(skb, nlh);
2937 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2938 const struct nft_set *set, int event,
2941 struct sk_buff *skb;
2942 u32 portid = ctx->portid;
2946 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2949 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2953 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2959 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2963 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2966 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2968 const struct nft_set *set;
2969 unsigned int idx, s_idx = cb->args[0];
2970 struct nft_af_info *afi;
2971 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2972 struct net *net = sock_net(skb->sk);
2973 int cur_family = cb->args[3];
2974 struct nft_ctx *ctx = cb->data, ctx_set;
2980 cb->seq = net->nft.base_seq;
2982 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2983 if (ctx->afi && ctx->afi != afi)
2987 if (afi->family != cur_family)
2992 list_for_each_entry_rcu(table, &afi->tables, list) {
2993 if (ctx->table && ctx->table != table)
2997 if (cur_table != table)
3003 list_for_each_entry_rcu(set, &table->sets, list) {
3006 if (!nft_is_active(net, set))
3010 ctx_set.table = table;
3012 if (nf_tables_fill_set(skb, &ctx_set, set,
3016 cb->args[2] = (unsigned long) table;
3017 cb->args[3] = afi->family;
3020 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3034 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3040 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3041 struct sk_buff *skb, const struct nlmsghdr *nlh,
3042 const struct nlattr * const nla[],
3043 struct netlink_ext_ack *extack)
3045 u8 genmask = nft_genmask_cur(net);
3046 const struct nft_set *set;
3048 struct sk_buff *skb2;
3049 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3052 /* Verify existence before starting dump */
3053 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3057 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3058 struct netlink_dump_control c = {
3059 .dump = nf_tables_dump_sets,
3060 .done = nf_tables_dump_sets_done,
3062 struct nft_ctx *ctx_dump;
3064 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3065 if (ctx_dump == NULL)
3071 return netlink_dump_start(nlsk, skb, nlh, &c);
3074 /* Only accept unspec with dump */
3075 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3076 return -EAFNOSUPPORT;
3077 if (!nla[NFTA_SET_TABLE])
3080 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3082 return PTR_ERR(set);
3084 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3088 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3092 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3099 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3100 struct nft_set_desc *desc,
3101 const struct nlattr *nla)
3103 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3106 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3107 nft_set_desc_policy, NULL);
3111 if (da[NFTA_SET_DESC_SIZE] != NULL)
3112 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3117 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3118 struct sk_buff *skb, const struct nlmsghdr *nlh,
3119 const struct nlattr * const nla[],
3120 struct netlink_ext_ack *extack)
3122 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3123 u8 genmask = nft_genmask_next(net);
3124 const struct nft_set_ops *ops;
3125 struct nft_af_info *afi;
3126 struct nft_table *table;
3127 struct nft_set *set;
3133 u32 ktype, dtype, flags, policy, gc_int, objtype;
3134 struct nft_set_desc desc;
3135 unsigned char *udata;
3139 if (nla[NFTA_SET_TABLE] == NULL ||
3140 nla[NFTA_SET_NAME] == NULL ||
3141 nla[NFTA_SET_KEY_LEN] == NULL ||
3142 nla[NFTA_SET_ID] == NULL)
3145 memset(&desc, 0, sizeof(desc));
3147 ktype = NFT_DATA_VALUE;
3148 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3149 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3150 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3154 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3155 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3159 if (nla[NFTA_SET_FLAGS] != NULL) {
3160 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3161 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3162 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3163 NFT_SET_MAP | NFT_SET_EVAL |
3166 /* Only one of these operations is supported */
3167 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3168 (NFT_SET_MAP | NFT_SET_OBJECT))
3170 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3171 (NFT_SET_EVAL | NFT_SET_OBJECT))
3176 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3177 if (!(flags & NFT_SET_MAP))
3180 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3181 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3182 dtype != NFT_DATA_VERDICT)
3185 if (dtype != NFT_DATA_VERDICT) {
3186 if (nla[NFTA_SET_DATA_LEN] == NULL)
3188 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3189 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3192 desc.dlen = sizeof(struct nft_verdict);
3193 } else if (flags & NFT_SET_MAP)
3196 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3197 if (!(flags & NFT_SET_OBJECT))
3200 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3201 if (objtype == NFT_OBJECT_UNSPEC ||
3202 objtype > NFT_OBJECT_MAX)
3204 } else if (flags & NFT_SET_OBJECT)
3207 objtype = NFT_OBJECT_UNSPEC;
3210 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3211 if (!(flags & NFT_SET_TIMEOUT))
3213 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3214 nla[NFTA_SET_TIMEOUT])));
3217 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3218 if (!(flags & NFT_SET_TIMEOUT))
3220 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3223 policy = NFT_SET_POL_PERFORMANCE;
3224 if (nla[NFTA_SET_POLICY] != NULL)
3225 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3227 if (nla[NFTA_SET_DESC] != NULL) {
3228 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3233 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3235 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3237 return PTR_ERR(afi);
3239 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
3241 return PTR_ERR(table);
3243 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
3245 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3247 if (PTR_ERR(set) != -ENOENT)
3248 return PTR_ERR(set);
3250 if (nlh->nlmsg_flags & NLM_F_EXCL)
3252 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3257 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3260 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3262 return PTR_ERR(ops);
3265 if (nla[NFTA_SET_USERDATA])
3266 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3269 if (ops->privsize != NULL)
3270 size = ops->privsize(nla, &desc);
3272 if (!nft_use_inc(&table->use)) {
3277 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3283 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3289 err = nf_tables_set_alloc_name(&ctx, set, name);
3296 udata = set->data + size;
3297 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3300 INIT_LIST_HEAD(&set->bindings);
3304 set->klen = desc.klen;
3306 set->objtype = objtype;
3307 set->dlen = desc.dlen;
3309 set->size = desc.size;
3310 set->policy = policy;
3313 set->timeout = timeout;
3314 set->gc_int = gc_int;
3316 err = ops->init(set, &desc, nla);
3320 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3324 list_add_tail_rcu(&set->list, &table->sets);
3335 nft_use_dec_restore(&table->use);
3337 module_put(ops->type->owner);
3341 static void nft_set_destroy(struct nft_set *set)
3343 if (WARN_ON(set->use > 0))
3346 set->ops->destroy(set);
3347 module_put(set->ops->type->owner);
3352 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3353 struct sk_buff *skb, const struct nlmsghdr *nlh,
3354 const struct nlattr * const nla[],
3355 struct netlink_ext_ack *extack)
3357 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3358 u8 genmask = nft_genmask_next(net);
3359 struct nft_set *set;
3363 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3364 return -EAFNOSUPPORT;
3365 if (nla[NFTA_SET_TABLE] == NULL)
3368 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3372 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3374 return PTR_ERR(set);
3377 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3380 return nft_delset(&ctx, set);
3383 static int nft_validate_register_store(const struct nft_ctx *ctx,
3384 enum nft_registers reg,
3385 const struct nft_data *data,
3386 enum nft_data_types type,
3389 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3390 struct nft_set *set,
3391 const struct nft_set_iter *iter,
3392 struct nft_set_elem *elem)
3394 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3395 enum nft_registers dreg;
3397 dreg = nft_type_to_reg(set->dtype);
3398 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3399 set->dtype == NFT_DATA_VERDICT ?
3400 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3404 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3405 struct nft_set_binding *binding)
3407 struct nft_set_binding *i;
3408 struct nft_set_iter iter;
3410 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3413 if (binding->flags & NFT_SET_MAP) {
3414 /* If the set is already bound to the same chain all
3415 * jumps are already validated for that chain.
3417 list_for_each_entry(i, &set->bindings, list) {
3418 if (i->flags & NFT_SET_MAP &&
3419 i->chain == binding->chain)
3423 iter.genmask = nft_genmask_next(ctx->net);
3427 iter.fn = nf_tables_bind_check_setelem;
3429 set->ops->walk(ctx, set, &iter);
3434 if (!nft_use_inc(&set->use))
3437 binding->chain = ctx->chain;
3438 list_add_tail_rcu(&binding->list, &set->bindings);
3439 nft_set_trans_bind(ctx, set);
3443 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3445 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3446 struct nft_set_binding *binding, bool event)
3448 list_del_rcu(&binding->list);
3450 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS) {
3451 list_del_rcu(&set->list);
3453 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3457 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3459 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
3461 if (set->flags & NFT_SET_ANONYMOUS)
3462 nft_clear(ctx->net, set);
3464 nft_use_inc_restore(&set->use);
3466 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
3468 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3469 struct nft_set_binding *binding,
3470 enum nft_trans_phase phase)
3473 case NFT_TRANS_PREPARE_ERROR:
3474 nft_set_trans_unbind(ctx, set);
3475 if (set->flags & NFT_SET_ANONYMOUS)
3476 nft_deactivate_next(ctx->net, set);
3478 list_del_rcu(&binding->list);
3480 nft_use_dec(&set->use);
3482 case NFT_TRANS_PREPARE:
3483 if (set->flags & NFT_SET_ANONYMOUS)
3484 nft_deactivate_next(ctx->net, set);
3486 nft_use_dec(&set->use);
3488 case NFT_TRANS_ABORT:
3489 case NFT_TRANS_RELEASE:
3490 nft_use_dec(&set->use);
3493 nf_tables_unbind_set(ctx, set, binding,
3494 phase == NFT_TRANS_COMMIT);
3497 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3499 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3501 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3502 nft_set_destroy(set);
3504 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3506 const struct nft_set_ext_type nft_set_ext_types[] = {
3507 [NFT_SET_EXT_KEY] = {
3508 .align = __alignof__(u32),
3510 [NFT_SET_EXT_DATA] = {
3511 .align = __alignof__(u32),
3513 [NFT_SET_EXT_EXPR] = {
3514 .align = __alignof__(struct nft_expr),
3516 [NFT_SET_EXT_OBJREF] = {
3517 .len = sizeof(struct nft_object *),
3518 .align = __alignof__(struct nft_object *),
3520 [NFT_SET_EXT_FLAGS] = {
3522 .align = __alignof__(u8),
3524 [NFT_SET_EXT_TIMEOUT] = {
3526 .align = __alignof__(u64),
3528 [NFT_SET_EXT_EXPIRATION] = {
3529 .len = sizeof(unsigned long),
3530 .align = __alignof__(unsigned long),
3532 [NFT_SET_EXT_USERDATA] = {
3533 .len = sizeof(struct nft_userdata),
3534 .align = __alignof__(struct nft_userdata),
3537 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3543 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3544 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3545 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3546 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3547 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3548 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3549 .len = NFT_USERDATA_MAXLEN },
3550 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3551 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3554 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3555 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3556 .len = NFT_TABLE_MAXNAMELEN - 1 },
3557 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3558 .len = NFT_SET_MAXNAMELEN - 1 },
3559 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3560 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3563 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3564 const struct sk_buff *skb,
3565 const struct nlmsghdr *nlh,
3566 const struct nlattr * const nla[],
3569 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3570 struct nft_af_info *afi;
3571 struct nft_table *table;
3573 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3575 return PTR_ERR(afi);
3577 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3580 return PTR_ERR(table);
3582 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3586 static int nf_tables_fill_setelem(struct sk_buff *skb,
3587 const struct nft_set *set,
3588 const struct nft_set_elem *elem)
3590 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3591 unsigned char *b = skb_tail_pointer(skb);
3592 struct nlattr *nest;
3594 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3596 goto nla_put_failure;
3598 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3599 NFT_DATA_VALUE, set->klen) < 0)
3600 goto nla_put_failure;
3602 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3603 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3604 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3606 goto nla_put_failure;
3608 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3609 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3610 goto nla_put_failure;
3612 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3613 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3614 (*nft_set_ext_obj(ext))->name) < 0)
3615 goto nla_put_failure;
3617 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3618 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3619 htonl(*nft_set_ext_flags(ext))))
3620 goto nla_put_failure;
3622 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3623 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3624 cpu_to_be64(jiffies_to_msecs(
3625 *nft_set_ext_timeout(ext))),
3627 goto nla_put_failure;
3629 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3630 unsigned long expires, now = jiffies;
3632 expires = *nft_set_ext_expiration(ext);
3633 if (time_before(now, expires))
3638 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3639 cpu_to_be64(jiffies_to_msecs(expires)),
3641 goto nla_put_failure;
3644 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3645 struct nft_userdata *udata;
3647 udata = nft_set_ext_userdata(ext);
3648 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3649 udata->len + 1, udata->data))
3650 goto nla_put_failure;
3653 nla_nest_end(skb, nest);
3661 struct nft_set_dump_args {
3662 const struct netlink_callback *cb;
3663 struct nft_set_iter iter;
3664 struct sk_buff *skb;
3667 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3668 struct nft_set *set,
3669 const struct nft_set_iter *iter,
3670 struct nft_set_elem *elem)
3672 struct nft_set_dump_args *args;
3674 args = container_of(iter, struct nft_set_dump_args, iter);
3675 return nf_tables_fill_setelem(args->skb, set, elem);
3678 struct nft_set_dump_ctx {
3679 const struct nft_set *set;
3683 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3685 struct nft_set_dump_ctx *dump_ctx = cb->data;
3686 struct net *net = sock_net(skb->sk);
3687 struct nft_af_info *afi;
3688 struct nft_table *table;
3689 struct nft_set *set;
3690 struct nft_set_dump_args args;
3691 bool set_found = false;
3692 struct nfgenmsg *nfmsg;
3693 struct nlmsghdr *nlh;
3694 struct nlattr *nest;
3699 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
3700 if (afi != dump_ctx->ctx.afi)
3703 list_for_each_entry_rcu(table, &afi->tables, list) {
3704 if (table != dump_ctx->ctx.table)
3707 list_for_each_entry_rcu(set, &table->sets, list) {
3708 if (set == dump_ctx->set) {
3723 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3724 portid = NETLINK_CB(cb->skb).portid;
3725 seq = cb->nlh->nlmsg_seq;
3727 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3730 goto nla_put_failure;
3732 nfmsg = nlmsg_data(nlh);
3733 nfmsg->nfgen_family = afi->family;
3734 nfmsg->version = NFNETLINK_V0;
3735 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3737 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3738 goto nla_put_failure;
3739 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3740 goto nla_put_failure;
3742 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3744 goto nla_put_failure;
3748 args.iter.genmask = nft_genmask_cur(net);
3749 args.iter.skip = cb->args[0];
3750 args.iter.count = 0;
3752 args.iter.fn = nf_tables_dump_setelem;
3753 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3756 nla_nest_end(skb, nest);
3757 nlmsg_end(skb, nlh);
3759 if (args.iter.err && args.iter.err != -EMSGSIZE)
3760 return args.iter.err;
3761 if (args.iter.count == cb->args[0])
3764 cb->args[0] = args.iter.count;
3772 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3778 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
3779 struct nft_data *key, struct nlattr *attr)
3781 struct nft_data_desc desc;
3784 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
3788 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
3789 nft_data_release(key, desc.type);
3796 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3797 struct sk_buff *skb, const struct nlmsghdr *nlh,
3798 const struct nlattr * const nla[],
3799 struct netlink_ext_ack *extack)
3801 u8 genmask = nft_genmask_cur(net);
3802 const struct nft_set *set;
3806 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3810 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3813 return PTR_ERR(set);
3815 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3816 struct netlink_dump_control c = {
3817 .dump = nf_tables_dump_set,
3818 .done = nf_tables_dump_set_done,
3820 struct nft_set_dump_ctx *dump_ctx;
3822 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3826 dump_ctx->set = set;
3827 dump_ctx->ctx = ctx;
3830 return netlink_dump_start(nlsk, skb, nlh, &c);
3835 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3836 const struct nft_ctx *ctx, u32 seq,
3837 u32 portid, int event, u16 flags,
3838 const struct nft_set *set,
3839 const struct nft_set_elem *elem)
3841 struct nfgenmsg *nfmsg;
3842 struct nlmsghdr *nlh;
3843 struct nlattr *nest;
3846 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3847 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3850 goto nla_put_failure;
3852 nfmsg = nlmsg_data(nlh);
3853 nfmsg->nfgen_family = ctx->afi->family;
3854 nfmsg->version = NFNETLINK_V0;
3855 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3857 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3858 goto nla_put_failure;
3859 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3860 goto nla_put_failure;
3862 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3864 goto nla_put_failure;
3866 err = nf_tables_fill_setelem(skb, set, elem);
3868 goto nla_put_failure;
3870 nla_nest_end(skb, nest);
3872 nlmsg_end(skb, nlh);
3876 nlmsg_trim(skb, nlh);
3880 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3881 const struct nft_set *set,
3882 const struct nft_set_elem *elem,
3883 int event, u16 flags)
3885 struct net *net = ctx->net;
3886 u32 portid = ctx->portid;
3887 struct sk_buff *skb;
3890 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3893 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3897 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3904 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3908 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3911 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3913 struct nft_set *set)
3915 struct nft_trans *trans;
3917 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3921 nft_trans_elem_set(trans) = set;
3925 void *nft_set_elem_init(const struct nft_set *set,
3926 const struct nft_set_ext_tmpl *tmpl,
3927 const u32 *key, const u32 *data,
3928 u64 timeout, gfp_t gfp)
3930 struct nft_set_ext *ext;
3933 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3937 ext = nft_set_elem_ext(set, elem);
3938 nft_set_ext_init(ext, tmpl);
3940 memcpy(nft_set_ext_key(ext), key, set->klen);
3941 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3942 memcpy(nft_set_ext_data(ext), data, set->dlen);
3943 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3944 *nft_set_ext_expiration(ext) =
3946 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3947 *nft_set_ext_timeout(ext) = timeout;
3952 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3955 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3957 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3958 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3959 nft_data_release(nft_set_ext_data(ext), set->dtype);
3960 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3961 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3962 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3963 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
3966 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3968 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3969 * the refcounting from the preparation phase.
3971 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3973 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3975 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3976 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3980 static int nft_setelem_parse_flags(const struct nft_set *set,
3981 const struct nlattr *attr, u32 *flags)
3986 *flags = ntohl(nla_get_be32(attr));
3987 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3989 if (!(set->flags & NFT_SET_INTERVAL) &&
3990 *flags & NFT_SET_ELEM_INTERVAL_END)
3996 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
3997 struct nft_data_desc *desc,
3998 struct nft_data *data,
3999 struct nlattr *attr)
4004 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4008 if (set->dtype == NFT_DATA_VERDICT)
4009 dtype = NFT_DATA_VERDICT;
4011 dtype = NFT_DATA_VALUE;
4013 if (dtype != desc->type ||
4014 set->dlen != desc->len) {
4015 nft_data_release(data, desc->type);
4022 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4023 const struct nlattr *attr, u32 nlmsg_flags)
4025 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4026 u8 genmask = nft_genmask_next(ctx->net);
4027 struct nft_set_ext_tmpl tmpl;
4028 struct nft_set_ext *ext, *ext2;
4029 struct nft_set_elem elem;
4030 struct nft_set_binding *binding;
4031 struct nft_object *obj = NULL;
4032 struct nft_userdata *udata;
4033 struct nft_data_desc desc;
4034 enum nft_registers dreg;
4035 struct nft_trans *trans;
4041 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4042 nft_set_elem_policy, NULL);
4046 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4049 nft_set_ext_prepare(&tmpl);
4051 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4055 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4057 if (set->flags & NFT_SET_MAP) {
4058 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4059 !(flags & NFT_SET_ELEM_INTERVAL_END))
4062 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4066 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
4067 (nla[NFTA_SET_ELEM_DATA] ||
4068 nla[NFTA_SET_ELEM_OBJREF] ||
4069 nla[NFTA_SET_ELEM_TIMEOUT] ||
4070 nla[NFTA_SET_ELEM_EXPIRATION] ||
4071 nla[NFTA_SET_ELEM_USERDATA] ||
4072 nla[NFTA_SET_ELEM_EXPR]))
4076 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4077 if (!(set->flags & NFT_SET_TIMEOUT))
4079 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
4080 nla[NFTA_SET_ELEM_TIMEOUT])));
4081 } else if (set->flags & NFT_SET_TIMEOUT) {
4082 timeout = set->timeout;
4085 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4086 nla[NFTA_SET_ELEM_KEY]);
4090 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
4092 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4093 if (timeout != set->timeout)
4094 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4097 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4098 if (!(set->flags & NFT_SET_OBJECT)) {
4102 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4103 set->objtype, genmask);
4110 if (!nft_use_inc(&obj->use)) {
4116 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4119 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4120 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
4121 nla[NFTA_SET_ELEM_DATA]);
4125 dreg = nft_type_to_reg(set->dtype);
4126 list_for_each_entry(binding, &set->bindings, list) {
4127 struct nft_ctx bind_ctx = {
4130 .table = ctx->table,
4131 .chain = (struct nft_chain *)binding->chain,
4134 if (!(binding->flags & NFT_SET_MAP))
4137 err = nft_validate_register_store(&bind_ctx, dreg,
4139 desc.type, desc.len);
4144 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
4147 /* The full maximum length of userdata can exceed the maximum
4148 * offset value (U8_MAX) for following extensions, therefor it
4149 * must be the last extension added.
4152 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4153 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4155 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4160 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
4162 timeout, GFP_KERNEL);
4163 if (elem.priv == NULL)
4166 ext = nft_set_elem_ext(set, elem.priv);
4168 *nft_set_ext_flags(ext) = flags;
4170 udata = nft_set_ext_userdata(ext);
4171 udata->len = ulen - 1;
4172 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4175 *nft_set_ext_obj(ext) = obj;
4177 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4181 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4182 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4184 if (err == -EEXIST) {
4185 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4186 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4187 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4188 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4192 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4193 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4194 memcmp(nft_set_ext_data(ext),
4195 nft_set_ext_data(ext2), set->dlen) != 0) ||
4196 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4197 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4198 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4200 else if (!(nlmsg_flags & NLM_F_EXCL))
4207 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4212 nft_trans_elem(trans) = elem;
4213 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4217 set->ops->remove(ctx->net, set, &elem);
4223 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4224 nft_data_release(&elem.data.val, desc.type);
4227 nft_use_dec_restore(&obj->use);
4229 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
4234 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4235 struct sk_buff *skb, const struct nlmsghdr *nlh,
4236 const struct nlattr * const nla[],
4237 struct netlink_ext_ack *extack)
4239 u8 genmask = nft_genmask_next(net);
4240 const struct nlattr *attr;
4241 struct nft_set *set;
4245 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4248 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4252 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4255 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4256 set = nf_tables_set_lookup_byid(net, ctx.table,
4257 nla[NFTA_SET_ELEM_LIST_SET_ID],
4261 return PTR_ERR(set);
4264 if (!list_empty(&set->bindings) &&
4265 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
4268 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4269 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4277 * nft_data_hold - hold a nft_data item
4279 * @data: struct nft_data to release
4280 * @type: type of data
4282 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4283 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4284 * NFT_GOTO verdicts. This function must be called on active data objects
4285 * from the second phase of the commit protocol.
4287 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4289 struct nft_chain *chain;
4291 if (type == NFT_DATA_VERDICT) {
4292 switch (data->verdict.code) {
4295 chain = data->verdict.chain;
4296 nft_use_inc_restore(&chain->use);
4302 static void nft_set_elem_activate(const struct net *net,
4303 const struct nft_set *set,
4304 struct nft_set_elem *elem)
4306 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4308 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4309 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4310 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4311 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
4314 static void nft_set_elem_deactivate(const struct net *net,
4315 const struct nft_set *set,
4316 struct nft_set_elem *elem)
4318 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4320 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4321 nft_data_release(nft_set_ext_data(ext), set->dtype);
4322 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4323 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
4326 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4327 const struct nlattr *attr)
4329 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4330 struct nft_set_ext_tmpl tmpl;
4331 struct nft_set_elem elem;
4332 struct nft_set_ext *ext;
4333 struct nft_trans *trans;
4338 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4339 nft_set_elem_policy, NULL);
4343 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4346 nft_set_ext_prepare(&tmpl);
4348 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4352 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4354 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4355 nla[NFTA_SET_ELEM_KEY]);
4359 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
4362 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4364 if (elem.priv == NULL)
4367 ext = nft_set_elem_ext(set, elem.priv);
4369 *nft_set_ext_flags(ext) = flags;
4371 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4375 priv = set->ops->deactivate(ctx->net, set, &elem);
4383 nft_set_elem_deactivate(ctx->net, set, &elem);
4385 nft_trans_elem(trans) = elem;
4386 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4394 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
4398 static int nft_flush_set(const struct nft_ctx *ctx,
4399 struct nft_set *set,
4400 const struct nft_set_iter *iter,
4401 struct nft_set_elem *elem)
4403 struct nft_trans *trans;
4406 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4407 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4411 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4417 nft_set_elem_deactivate(ctx->net, set, elem);
4418 nft_trans_elem_set(trans) = set;
4419 nft_trans_elem(trans) = *elem;
4420 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4428 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4429 struct sk_buff *skb, const struct nlmsghdr *nlh,
4430 const struct nlattr * const nla[],
4431 struct netlink_ext_ack *extack)
4433 u8 genmask = nft_genmask_next(net);
4434 const struct nlattr *attr;
4435 struct nft_set *set;
4439 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4443 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4446 return PTR_ERR(set);
4448 if (!list_empty(&set->bindings) &&
4449 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
4452 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4453 struct nft_set_iter iter = {
4455 .fn = nft_flush_set,
4457 set->ops->walk(&ctx, set, &iter);
4462 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4463 err = nft_del_setelem(&ctx, set, attr);
4472 void nft_set_gc_batch_release(struct rcu_head *rcu)
4474 struct nft_set_gc_batch *gcb;
4477 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4478 for (i = 0; i < gcb->head.cnt; i++)
4479 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4482 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4484 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4487 struct nft_set_gc_batch *gcb;
4489 gcb = kzalloc(sizeof(*gcb), gfp);
4492 gcb->head.set = set;
4495 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4502 * nft_register_obj- register nf_tables stateful object type
4505 * Registers the object type for use with nf_tables. Returns zero on
4506 * success or a negative errno code otherwise.
4508 int nft_register_obj(struct nft_object_type *obj_type)
4510 if (obj_type->type == NFT_OBJECT_UNSPEC)
4513 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4514 list_add_rcu(&obj_type->list, &nf_tables_objects);
4515 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4518 EXPORT_SYMBOL_GPL(nft_register_obj);
4521 * nft_unregister_obj - unregister nf_tables object type
4524 * Unregisters the object type for use with nf_tables.
4526 void nft_unregister_obj(struct nft_object_type *obj_type)
4528 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4529 list_del_rcu(&obj_type->list);
4530 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4532 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4534 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4535 const struct nlattr *nla,
4536 u32 objtype, u8 genmask)
4538 struct nft_object *obj;
4540 list_for_each_entry(obj, &table->objects, list) {
4541 if (!nla_strcmp(nla, obj->name) &&
4542 objtype == obj->ops->type->type &&
4543 nft_active_genmask(obj, genmask))
4546 return ERR_PTR(-ENOENT);
4548 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4550 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4551 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4552 .len = NFT_TABLE_MAXNAMELEN - 1 },
4553 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4554 .len = NFT_OBJ_MAXNAMELEN - 1 },
4555 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4556 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4559 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4560 const struct nft_object_type *type,
4561 const struct nlattr *attr)
4563 struct nlattr *tb[type->maxattr + 1];
4564 const struct nft_object_ops *ops;
4565 struct nft_object *obj;
4569 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4574 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4577 if (type->select_ops) {
4578 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4588 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4592 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4602 return ERR_PTR(err);
4605 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4606 struct nft_object *obj, bool reset)
4608 struct nlattr *nest;
4610 nest = nla_nest_start(skb, attr);
4612 goto nla_put_failure;
4613 if (obj->ops->dump(skb, obj, reset) < 0)
4614 goto nla_put_failure;
4615 nla_nest_end(skb, nest);
4622 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4624 const struct nft_object_type *type;
4626 list_for_each_entry(type, &nf_tables_objects, list) {
4627 if (objtype == type->type)
4633 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4635 const struct nft_object_type *type;
4637 type = __nft_obj_type_get(objtype);
4638 if (type != NULL && try_module_get(type->owner))
4641 #ifdef CONFIG_MODULES
4643 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4644 request_module("nft-obj-%u", objtype);
4645 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4646 if (__nft_obj_type_get(objtype))
4647 return ERR_PTR(-EAGAIN);
4650 return ERR_PTR(-ENOENT);
4653 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4654 struct sk_buff *skb, const struct nlmsghdr *nlh,
4655 const struct nlattr * const nla[],
4656 struct netlink_ext_ack *extack)
4658 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4659 const struct nft_object_type *type;
4660 u8 genmask = nft_genmask_next(net);
4661 int family = nfmsg->nfgen_family;
4662 struct nft_af_info *afi;
4663 struct nft_table *table;
4664 struct nft_object *obj;
4669 if (!nla[NFTA_OBJ_TYPE] ||
4670 !nla[NFTA_OBJ_NAME] ||
4671 !nla[NFTA_OBJ_DATA])
4674 afi = nf_tables_afinfo_lookup(net, family, true);
4676 return PTR_ERR(afi);
4678 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4680 return PTR_ERR(table);
4682 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4683 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4690 if (nlh->nlmsg_flags & NLM_F_EXCL)
4696 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4698 if (!nft_use_inc(&table->use))
4701 type = nft_obj_type_get(objtype);
4703 err = PTR_ERR(type);
4707 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4713 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4719 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4723 list_add_tail_rcu(&obj->list, &table->objects);
4729 if (obj->ops->destroy)
4730 obj->ops->destroy(obj);
4733 module_put(type->owner);
4735 nft_use_dec_restore(&table->use);
4740 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4741 u32 portid, u32 seq, int event, u32 flags,
4742 int family, const struct nft_table *table,
4743 struct nft_object *obj, bool reset)
4745 struct nfgenmsg *nfmsg;
4746 struct nlmsghdr *nlh;
4748 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4749 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4751 goto nla_put_failure;
4753 nfmsg = nlmsg_data(nlh);
4754 nfmsg->nfgen_family = family;
4755 nfmsg->version = NFNETLINK_V0;
4756 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4758 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4759 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4760 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4761 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4762 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4763 goto nla_put_failure;
4765 nlmsg_end(skb, nlh);
4769 nlmsg_trim(skb, nlh);
4773 struct nft_obj_filter {
4778 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4780 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4781 const struct nft_af_info *afi;
4782 const struct nft_table *table;
4783 unsigned int idx = 0, s_idx = cb->args[0];
4784 struct nft_obj_filter *filter = cb->data;
4785 struct net *net = sock_net(skb->sk);
4786 int family = nfmsg->nfgen_family;
4787 struct nft_object *obj;
4790 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4794 cb->seq = net->nft.base_seq;
4796 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4797 if (family != NFPROTO_UNSPEC && family != afi->family)
4800 list_for_each_entry_rcu(table, &afi->tables, list) {
4801 list_for_each_entry_rcu(obj, &table->objects, list) {
4802 if (!nft_is_active(net, obj))
4807 memset(&cb->args[1], 0,
4808 sizeof(cb->args) - sizeof(cb->args[0]));
4809 if (filter && filter->table &&
4810 strcmp(filter->table, table->name))
4813 filter->type != NFT_OBJECT_UNSPEC &&
4814 obj->ops->type->type != filter->type)
4817 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4820 NLM_F_MULTI | NLM_F_APPEND,
4821 afi->family, table, obj, reset) < 0)
4824 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4837 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4839 struct nft_obj_filter *filter = cb->data;
4842 kfree(filter->table);
4849 static struct nft_obj_filter *
4850 nft_obj_filter_alloc(const struct nlattr * const nla[])
4852 struct nft_obj_filter *filter;
4854 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4856 return ERR_PTR(-ENOMEM);
4858 if (nla[NFTA_OBJ_TABLE]) {
4859 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4860 if (!filter->table) {
4862 return ERR_PTR(-ENOMEM);
4865 if (nla[NFTA_OBJ_TYPE])
4866 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4871 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4872 struct sk_buff *skb, const struct nlmsghdr *nlh,
4873 const struct nlattr * const nla[],
4874 struct netlink_ext_ack *extack)
4876 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4877 u8 genmask = nft_genmask_cur(net);
4878 int family = nfmsg->nfgen_family;
4879 const struct nft_af_info *afi;
4880 const struct nft_table *table;
4881 struct nft_object *obj;
4882 struct sk_buff *skb2;
4887 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4888 struct netlink_dump_control c = {
4889 .dump = nf_tables_dump_obj,
4890 .done = nf_tables_dump_obj_done,
4893 if (nla[NFTA_OBJ_TABLE] ||
4894 nla[NFTA_OBJ_TYPE]) {
4895 struct nft_obj_filter *filter;
4897 filter = nft_obj_filter_alloc(nla);
4903 return netlink_dump_start(nlsk, skb, nlh, &c);
4906 if (!nla[NFTA_OBJ_NAME] ||
4907 !nla[NFTA_OBJ_TYPE])
4910 afi = nf_tables_afinfo_lookup(net, family, false);
4912 return PTR_ERR(afi);
4914 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4916 return PTR_ERR(table);
4918 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4919 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4921 return PTR_ERR(obj);
4923 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4927 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4930 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4931 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4932 family, table, obj, reset);
4936 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4942 static void nft_obj_destroy(struct nft_object *obj)
4944 if (obj->ops->destroy)
4945 obj->ops->destroy(obj);
4947 module_put(obj->ops->type->owner);
4952 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4953 struct sk_buff *skb, const struct nlmsghdr *nlh,
4954 const struct nlattr * const nla[],
4955 struct netlink_ext_ack *extack)
4957 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4958 u8 genmask = nft_genmask_next(net);
4959 int family = nfmsg->nfgen_family;
4960 struct nft_af_info *afi;
4961 struct nft_table *table;
4962 struct nft_object *obj;
4966 if (!nla[NFTA_OBJ_TYPE] ||
4967 !nla[NFTA_OBJ_NAME])
4970 afi = nf_tables_afinfo_lookup(net, family, true);
4972 return PTR_ERR(afi);
4974 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4976 return PTR_ERR(table);
4978 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4979 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4981 return PTR_ERR(obj);
4985 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4987 return nft_delobj(&ctx, obj);
4990 void nft_obj_notify(struct net *net, struct nft_table *table,
4991 struct nft_object *obj, u32 portid, u32 seq, int event,
4992 int family, int report, gfp_t gfp)
4994 struct sk_buff *skb;
4998 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5001 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5005 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5012 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5015 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5017 EXPORT_SYMBOL_GPL(nft_obj_notify);
5019 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5020 struct nft_object *obj, int event)
5022 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5023 ctx->afi->family, ctx->report, GFP_KERNEL);
5026 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5027 u32 portid, u32 seq)
5029 struct nlmsghdr *nlh;
5030 struct nfgenmsg *nfmsg;
5031 char buf[TASK_COMM_LEN];
5032 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5034 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5036 goto nla_put_failure;
5038 nfmsg = nlmsg_data(nlh);
5039 nfmsg->nfgen_family = AF_UNSPEC;
5040 nfmsg->version = NFNETLINK_V0;
5041 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5043 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5044 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5045 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5046 goto nla_put_failure;
5048 nlmsg_end(skb, nlh);
5052 nlmsg_trim(skb, nlh);
5056 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5059 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5060 struct sk_buff *skb2;
5063 if (nlmsg_report(nlh) &&
5064 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5067 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5071 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5078 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5079 nlmsg_report(nlh), GFP_KERNEL);
5082 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5086 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5087 struct sk_buff *skb, const struct nlmsghdr *nlh,
5088 const struct nlattr * const nla[],
5089 struct netlink_ext_ack *extack)
5091 struct sk_buff *skb2;
5094 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5098 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5103 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5109 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5110 [NFT_MSG_NEWTABLE] = {
5111 .call_batch = nf_tables_newtable,
5112 .attr_count = NFTA_TABLE_MAX,
5113 .policy = nft_table_policy,
5115 [NFT_MSG_GETTABLE] = {
5116 .call = nf_tables_gettable,
5117 .attr_count = NFTA_TABLE_MAX,
5118 .policy = nft_table_policy,
5120 [NFT_MSG_DELTABLE] = {
5121 .call_batch = nf_tables_deltable,
5122 .attr_count = NFTA_TABLE_MAX,
5123 .policy = nft_table_policy,
5125 [NFT_MSG_NEWCHAIN] = {
5126 .call_batch = nf_tables_newchain,
5127 .attr_count = NFTA_CHAIN_MAX,
5128 .policy = nft_chain_policy,
5130 [NFT_MSG_GETCHAIN] = {
5131 .call = nf_tables_getchain,
5132 .attr_count = NFTA_CHAIN_MAX,
5133 .policy = nft_chain_policy,
5135 [NFT_MSG_DELCHAIN] = {
5136 .call_batch = nf_tables_delchain,
5137 .attr_count = NFTA_CHAIN_MAX,
5138 .policy = nft_chain_policy,
5140 [NFT_MSG_NEWRULE] = {
5141 .call_batch = nf_tables_newrule,
5142 .attr_count = NFTA_RULE_MAX,
5143 .policy = nft_rule_policy,
5145 [NFT_MSG_GETRULE] = {
5146 .call = nf_tables_getrule,
5147 .attr_count = NFTA_RULE_MAX,
5148 .policy = nft_rule_policy,
5150 [NFT_MSG_DELRULE] = {
5151 .call_batch = nf_tables_delrule,
5152 .attr_count = NFTA_RULE_MAX,
5153 .policy = nft_rule_policy,
5155 [NFT_MSG_NEWSET] = {
5156 .call_batch = nf_tables_newset,
5157 .attr_count = NFTA_SET_MAX,
5158 .policy = nft_set_policy,
5160 [NFT_MSG_GETSET] = {
5161 .call = nf_tables_getset,
5162 .attr_count = NFTA_SET_MAX,
5163 .policy = nft_set_policy,
5165 [NFT_MSG_DELSET] = {
5166 .call_batch = nf_tables_delset,
5167 .attr_count = NFTA_SET_MAX,
5168 .policy = nft_set_policy,
5170 [NFT_MSG_NEWSETELEM] = {
5171 .call_batch = nf_tables_newsetelem,
5172 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5173 .policy = nft_set_elem_list_policy,
5175 [NFT_MSG_GETSETELEM] = {
5176 .call = nf_tables_getsetelem,
5177 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5178 .policy = nft_set_elem_list_policy,
5180 [NFT_MSG_DELSETELEM] = {
5181 .call_batch = nf_tables_delsetelem,
5182 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5183 .policy = nft_set_elem_list_policy,
5185 [NFT_MSG_GETGEN] = {
5186 .call = nf_tables_getgen,
5188 [NFT_MSG_NEWOBJ] = {
5189 .call_batch = nf_tables_newobj,
5190 .attr_count = NFTA_OBJ_MAX,
5191 .policy = nft_obj_policy,
5193 [NFT_MSG_GETOBJ] = {
5194 .call = nf_tables_getobj,
5195 .attr_count = NFTA_OBJ_MAX,
5196 .policy = nft_obj_policy,
5198 [NFT_MSG_DELOBJ] = {
5199 .call_batch = nf_tables_delobj,
5200 .attr_count = NFTA_OBJ_MAX,
5201 .policy = nft_obj_policy,
5203 [NFT_MSG_GETOBJ_RESET] = {
5204 .call = nf_tables_getobj,
5205 .attr_count = NFTA_OBJ_MAX,
5206 .policy = nft_obj_policy,
5210 static void nft_chain_commit_update(struct nft_trans *trans)
5212 struct nft_base_chain *basechain;
5214 if (nft_trans_chain_name(trans))
5215 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5217 if (!nft_is_base_chain(trans->ctx.chain))
5220 basechain = nft_base_chain(trans->ctx.chain);
5221 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5223 switch (nft_trans_chain_policy(trans)) {
5226 basechain->policy = nft_trans_chain_policy(trans);
5231 static void nf_tables_commit_release(struct nft_trans *trans)
5233 switch (trans->msg_type) {
5234 case NFT_MSG_DELTABLE:
5235 nf_tables_table_destroy(&trans->ctx);
5237 case NFT_MSG_NEWCHAIN:
5238 kfree(nft_trans_chain_name(trans));
5240 case NFT_MSG_DELCHAIN:
5241 nf_tables_chain_destroy(trans->ctx.chain);
5243 case NFT_MSG_DELRULE:
5244 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5246 case NFT_MSG_DELSET:
5247 nft_set_destroy(nft_trans_set(trans));
5249 case NFT_MSG_DELSETELEM:
5250 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5251 nft_trans_elem(trans).priv);
5253 case NFT_MSG_DELOBJ:
5254 nft_obj_destroy(nft_trans_obj(trans));
5260 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5262 struct nft_trans *trans, *next;
5263 struct nft_trans_elem *te;
5265 /* Bump generation counter, invalidate any dump in progress */
5266 while (++net->nft.base_seq == 0);
5268 /* A new generation has just started */
5269 net->nft.gencursor = nft_gencursor_next(net);
5271 /* Make sure all packets have left the previous generation before
5272 * purging old rules.
5276 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5277 switch (trans->msg_type) {
5278 case NFT_MSG_NEWTABLE:
5279 if (nft_trans_table_update(trans)) {
5280 if (!nft_trans_table_enable(trans)) {
5281 nf_tables_table_disable(net,
5284 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5287 nft_clear(net, trans->ctx.table);
5289 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5290 nft_trans_destroy(trans);
5292 case NFT_MSG_DELTABLE:
5293 list_del_rcu(&trans->ctx.table->list);
5294 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5296 case NFT_MSG_NEWCHAIN:
5297 if (nft_trans_chain_update(trans)) {
5298 nft_chain_commit_update(trans);
5299 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5300 /* trans destroyed after rcu grace period */
5302 nft_clear(net, trans->ctx.chain);
5303 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5304 nft_trans_destroy(trans);
5307 case NFT_MSG_DELCHAIN:
5308 list_del_rcu(&trans->ctx.chain->list);
5309 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5310 nf_tables_unregister_hooks(trans->ctx.net,
5313 trans->ctx.afi->nops);
5315 case NFT_MSG_NEWRULE:
5316 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5317 nf_tables_rule_notify(&trans->ctx,
5318 nft_trans_rule(trans),
5320 nft_trans_destroy(trans);
5322 case NFT_MSG_DELRULE:
5323 list_del_rcu(&nft_trans_rule(trans)->list);
5324 nf_tables_rule_notify(&trans->ctx,
5325 nft_trans_rule(trans),
5327 nft_rule_expr_deactivate(&trans->ctx,
5328 nft_trans_rule(trans),
5331 case NFT_MSG_NEWSET:
5332 nft_clear(net, nft_trans_set(trans));
5333 /* This avoids hitting -EBUSY when deleting the table
5334 * from the transaction.
5336 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
5337 !list_empty(&nft_trans_set(trans)->bindings))
5338 nft_use_dec(&trans->ctx.table->use);
5340 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5341 NFT_MSG_NEWSET, GFP_KERNEL);
5342 nft_trans_destroy(trans);
5344 case NFT_MSG_DELSET:
5345 list_del_rcu(&nft_trans_set(trans)->list);
5346 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5347 NFT_MSG_DELSET, GFP_KERNEL);
5349 case NFT_MSG_NEWSETELEM:
5350 te = (struct nft_trans_elem *)trans->data;
5352 te->set->ops->activate(net, te->set, &te->elem);
5353 nf_tables_setelem_notify(&trans->ctx, te->set,
5355 NFT_MSG_NEWSETELEM, 0);
5356 nft_trans_destroy(trans);
5358 case NFT_MSG_DELSETELEM:
5359 te = (struct nft_trans_elem *)trans->data;
5361 nf_tables_setelem_notify(&trans->ctx, te->set,
5363 NFT_MSG_DELSETELEM, 0);
5364 te->set->ops->remove(net, te->set, &te->elem);
5365 atomic_dec(&te->set->nelems);
5368 case NFT_MSG_NEWOBJ:
5369 nft_clear(net, nft_trans_obj(trans));
5370 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5372 nft_trans_destroy(trans);
5374 case NFT_MSG_DELOBJ:
5375 list_del_rcu(&nft_trans_obj(trans)->list);
5376 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5384 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5385 list_del(&trans->list);
5386 nf_tables_commit_release(trans);
5389 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5394 static void nf_tables_abort_release(struct nft_trans *trans)
5396 switch (trans->msg_type) {
5397 case NFT_MSG_NEWTABLE:
5398 nf_tables_table_destroy(&trans->ctx);
5400 case NFT_MSG_NEWCHAIN:
5401 nf_tables_chain_destroy(trans->ctx.chain);
5403 case NFT_MSG_NEWRULE:
5404 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5406 case NFT_MSG_NEWSET:
5407 if (!nft_trans_set_bound(trans))
5408 nft_set_destroy(nft_trans_set(trans));
5410 case NFT_MSG_NEWSETELEM:
5411 nft_set_elem_destroy(nft_trans_elem_set(trans),
5412 nft_trans_elem(trans).priv, true);
5414 case NFT_MSG_NEWOBJ:
5415 nft_obj_destroy(nft_trans_obj(trans));
5421 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5423 struct nft_trans *trans, *next;
5424 struct nft_trans_elem *te;
5426 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5428 switch (trans->msg_type) {
5429 case NFT_MSG_NEWTABLE:
5430 if (nft_trans_table_update(trans)) {
5431 if (nft_trans_table_enable(trans)) {
5432 nf_tables_table_disable(net,
5435 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5437 nft_trans_destroy(trans);
5439 list_del_rcu(&trans->ctx.table->list);
5442 case NFT_MSG_DELTABLE:
5443 nft_clear(trans->ctx.net, trans->ctx.table);
5444 nft_trans_destroy(trans);
5446 case NFT_MSG_NEWCHAIN:
5447 if (nft_trans_chain_update(trans)) {
5448 free_percpu(nft_trans_chain_stats(trans));
5449 kfree(nft_trans_chain_name(trans));
5450 nft_trans_destroy(trans);
5452 nft_use_dec_restore(&trans->ctx.table->use);
5453 list_del_rcu(&trans->ctx.chain->list);
5454 nf_tables_unregister_hooks(trans->ctx.net,
5457 trans->ctx.afi->nops);
5460 case NFT_MSG_DELCHAIN:
5461 nft_use_inc_restore(&trans->ctx.table->use);
5462 nft_clear(trans->ctx.net, trans->ctx.chain);
5463 nft_trans_destroy(trans);
5465 case NFT_MSG_NEWRULE:
5466 nft_use_dec_restore(&trans->ctx.chain->use);
5467 list_del_rcu(&nft_trans_rule(trans)->list);
5468 nft_rule_expr_deactivate(&trans->ctx,
5469 nft_trans_rule(trans),
5472 case NFT_MSG_DELRULE:
5473 nft_use_inc_restore(&trans->ctx.chain->use);
5474 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5475 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
5476 nft_trans_destroy(trans);
5478 case NFT_MSG_NEWSET:
5479 nft_use_dec_restore(&trans->ctx.table->use);
5480 if (nft_trans_set_bound(trans)) {
5481 nft_trans_destroy(trans);
5484 list_del_rcu(&nft_trans_set(trans)->list);
5486 case NFT_MSG_DELSET:
5487 nft_use_inc_restore(&trans->ctx.table->use);
5488 nft_clear(trans->ctx.net, nft_trans_set(trans));
5489 nft_trans_destroy(trans);
5491 case NFT_MSG_NEWSETELEM:
5492 if (nft_trans_elem_set_bound(trans)) {
5493 nft_trans_destroy(trans);
5496 te = (struct nft_trans_elem *)trans->data;
5498 te->set->ops->remove(net, te->set, &te->elem);
5499 atomic_dec(&te->set->nelems);
5501 case NFT_MSG_DELSETELEM:
5502 te = (struct nft_trans_elem *)trans->data;
5504 nft_set_elem_activate(net, te->set, &te->elem);
5505 te->set->ops->activate(net, te->set, &te->elem);
5508 nft_trans_destroy(trans);
5510 case NFT_MSG_NEWOBJ:
5511 nft_use_dec_restore(&trans->ctx.table->use);
5512 list_del_rcu(&nft_trans_obj(trans)->list);
5514 case NFT_MSG_DELOBJ:
5515 nft_use_inc_restore(&trans->ctx.table->use);
5516 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5517 nft_trans_destroy(trans);
5524 list_for_each_entry_safe_reverse(trans, next,
5525 &net->nft.commit_list, list) {
5526 list_del(&trans->list);
5527 nf_tables_abort_release(trans);
5533 static bool nf_tables_valid_genid(struct net *net, u32 genid)
5535 return net->nft.base_seq == genid;
5538 static const struct nfnetlink_subsystem nf_tables_subsys = {
5539 .name = "nf_tables",
5540 .subsys_id = NFNL_SUBSYS_NFTABLES,
5541 .cb_count = NFT_MSG_MAX,
5543 .commit = nf_tables_commit,
5544 .abort = nf_tables_abort,
5545 .valid_genid = nf_tables_valid_genid,
5548 int nft_chain_validate_dependency(const struct nft_chain *chain,
5549 enum nft_chain_type type)
5551 const struct nft_base_chain *basechain;
5553 if (nft_is_base_chain(chain)) {
5554 basechain = nft_base_chain(chain);
5555 if (basechain->type->type != type)
5560 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
5562 int nft_chain_validate_hooks(const struct nft_chain *chain,
5563 unsigned int hook_flags)
5565 struct nft_base_chain *basechain;
5567 if (nft_is_base_chain(chain)) {
5568 basechain = nft_base_chain(chain);
5570 if ((1 << basechain->ops[0].hooknum) & hook_flags)
5578 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
5581 * Loop detection - walk through the ruleset beginning at the destination chain
5582 * of a new jump until either the source chain is reached (loop) or all
5583 * reachable chains have been traversed.
5585 * The loop check is performed whenever a new jump verdict is added to an
5586 * expression or verdict map or a verdict map is bound to a new chain.
5589 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5590 const struct nft_chain *chain);
5592 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
5593 struct nft_set *set,
5594 const struct nft_set_iter *iter,
5595 struct nft_set_elem *elem)
5597 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5598 const struct nft_data *data;
5600 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5601 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
5604 data = nft_set_ext_data(ext);
5605 switch (data->verdict.code) {
5608 return nf_tables_check_loops(ctx, data->verdict.chain);
5614 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5615 const struct nft_chain *chain)
5617 const struct nft_rule *rule;
5618 const struct nft_expr *expr, *last;
5619 struct nft_set *set;
5620 struct nft_set_binding *binding;
5621 struct nft_set_iter iter;
5623 if (ctx->chain == chain)
5626 list_for_each_entry(rule, &chain->rules, list) {
5627 nft_rule_for_each_expr(expr, last, rule) {
5628 const struct nft_data *data = NULL;
5631 if (!expr->ops->validate)
5634 err = expr->ops->validate(ctx, expr, &data);
5641 switch (data->verdict.code) {
5644 err = nf_tables_check_loops(ctx,
5645 data->verdict.chain);
5654 list_for_each_entry(set, &ctx->table->sets, list) {
5655 if (!nft_is_active_next(ctx->net, set))
5657 if (!(set->flags & NFT_SET_MAP) ||
5658 set->dtype != NFT_DATA_VERDICT)
5661 list_for_each_entry(binding, &set->bindings, list) {
5662 if (!(binding->flags & NFT_SET_MAP) ||
5663 binding->chain != chain)
5666 iter.genmask = nft_genmask_next(ctx->net);
5670 iter.fn = nf_tables_loop_check_setelem;
5672 set->ops->walk(ctx, set, &iter);
5682 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
5684 * @attr: netlink attribute to fetch value from
5685 * @max: maximum value to be stored in dest
5686 * @dest: pointer to the variable
5688 * Parse, check and store a given u32 netlink attribute into variable.
5689 * This function returns -ERANGE if the value goes over maximum value.
5690 * Otherwise a 0 is returned and the attribute value is stored in the
5691 * destination variable.
5693 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
5697 val = ntohl(nla_get_be32(attr));
5704 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
5706 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
5710 reg = ntohl(nla_get_be32(attr));
5712 case NFT_REG_VERDICT...NFT_REG_4:
5713 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
5715 case NFT_REG32_00...NFT_REG32_15:
5716 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
5726 * nft_dump_register - dump a register value to a netlink attribute
5728 * @skb: socket buffer
5729 * @attr: attribute number
5730 * @reg: register number
5732 * Construct a netlink attribute containing the register number. For
5733 * compatibility reasons, register numbers being a multiple of 4 are
5734 * translated to the corresponding 128 bit register numbers.
5736 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
5738 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
5739 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
5741 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
5743 return nla_put_be32(skb, attr, htonl(reg));
5745 EXPORT_SYMBOL_GPL(nft_dump_register);
5748 * nft_validate_register_load - validate a load from a register
5750 * @reg: the register number
5751 * @len: the length of the data
5753 * Validate that the input register is one of the general purpose
5754 * registers and that the length of the load is within the bounds.
5756 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
5758 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5762 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
5768 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
5773 err = nft_parse_register(attr, ®);
5777 err = nft_validate_register_load(reg, len);
5784 EXPORT_SYMBOL_GPL(nft_parse_register_load);
5787 * nft_validate_register_store - validate an expressions' register store
5789 * @ctx: context of the expression performing the load
5790 * @reg: the destination register number
5791 * @data: the data to load
5792 * @type: the data type
5793 * @len: the length of the data
5795 * Validate that a data load uses the appropriate data type for
5796 * the destination register and the length is within the bounds.
5797 * A value of NULL for the data means that its runtime gathered
5800 static int nft_validate_register_store(const struct nft_ctx *ctx,
5801 enum nft_registers reg,
5802 const struct nft_data *data,
5803 enum nft_data_types type,
5809 case NFT_REG_VERDICT:
5810 if (type != NFT_DATA_VERDICT)
5814 (data->verdict.code == NFT_GOTO ||
5815 data->verdict.code == NFT_JUMP)) {
5816 err = nf_tables_check_loops(ctx, data->verdict.chain);
5820 if (ctx->chain->level + 1 >
5821 data->verdict.chain->level) {
5822 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
5824 data->verdict.chain->level = ctx->chain->level + 1;
5830 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5834 if (reg * NFT_REG32_SIZE + len >
5835 FIELD_SIZEOF(struct nft_regs, data))
5838 if (data != NULL && type != NFT_DATA_VALUE)
5844 int nft_parse_register_store(const struct nft_ctx *ctx,
5845 const struct nlattr *attr, u8 *dreg,
5846 const struct nft_data *data,
5847 enum nft_data_types type, unsigned int len)
5852 err = nft_parse_register(attr, ®);
5856 err = nft_validate_register_store(ctx, reg, data, type, len);
5863 EXPORT_SYMBOL_GPL(nft_parse_register_store);
5865 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
5866 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
5867 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
5868 .len = NFT_CHAIN_MAXNAMELEN - 1 },
5871 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
5872 struct nft_data_desc *desc, const struct nlattr *nla)
5874 u8 genmask = nft_genmask_next(ctx->net);
5875 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
5876 struct nft_chain *chain;
5879 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
5884 if (!tb[NFTA_VERDICT_CODE])
5887 /* zero padding hole for memcmp */
5888 memset(data, 0, sizeof(*data));
5889 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
5891 switch (data->verdict.code) {
5893 switch (data->verdict.code & NF_VERDICT_MASK) {
5908 if (!tb[NFTA_VERDICT_CHAIN])
5910 chain = nf_tables_chain_lookup(ctx->table,
5911 tb[NFTA_VERDICT_CHAIN], genmask);
5913 return PTR_ERR(chain);
5914 if (nft_is_base_chain(chain))
5916 if (!nft_use_inc(&chain->use))
5919 data->verdict.chain = chain;
5923 desc->len = sizeof(data->verdict);
5924 desc->type = NFT_DATA_VERDICT;
5928 static void nft_verdict_uninit(const struct nft_data *data)
5930 struct nft_chain *chain;
5932 switch (data->verdict.code) {
5935 chain = data->verdict.chain;
5936 nft_use_dec(&chain->use);
5941 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
5943 struct nlattr *nest;
5945 nest = nla_nest_start(skb, type);
5947 goto nla_put_failure;
5949 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
5950 goto nla_put_failure;
5955 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
5957 goto nla_put_failure;
5959 nla_nest_end(skb, nest);
5966 static int nft_value_init(const struct nft_ctx *ctx,
5967 struct nft_data *data, unsigned int size,
5968 struct nft_data_desc *desc, const struct nlattr *nla)
5978 nla_memcpy(data->data, nla, len);
5979 desc->type = NFT_DATA_VALUE;
5984 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
5987 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
5990 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
5991 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
5992 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
5996 * nft_data_init - parse nf_tables data netlink attributes
5998 * @ctx: context of the expression using the data
5999 * @data: destination struct nft_data
6000 * @size: maximum data length
6001 * @desc: data description
6002 * @nla: netlink attribute containing data
6004 * Parse the netlink data attributes and initialize a struct nft_data.
6005 * The type and length of data are returned in the data description.
6007 * The caller can indicate that it only wants to accept data of type
6008 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6010 int nft_data_init(const struct nft_ctx *ctx,
6011 struct nft_data *data, unsigned int size,
6012 struct nft_data_desc *desc, const struct nlattr *nla)
6014 struct nlattr *tb[NFTA_DATA_MAX + 1];
6017 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6021 if (tb[NFTA_DATA_VALUE])
6022 return nft_value_init(ctx, data, size, desc,
6023 tb[NFTA_DATA_VALUE]);
6024 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6025 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6028 EXPORT_SYMBOL_GPL(nft_data_init);
6031 * nft_data_release - release a nft_data item
6033 * @data: struct nft_data to release
6034 * @type: type of data
6036 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6037 * all others need to be released by calling this function.
6039 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6041 if (type < NFT_DATA_VERDICT)
6044 case NFT_DATA_VERDICT:
6045 return nft_verdict_uninit(data);
6050 EXPORT_SYMBOL_GPL(nft_data_release);
6052 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6053 enum nft_data_types type, unsigned int len)
6055 struct nlattr *nest;
6058 nest = nla_nest_start(skb, attr);
6063 case NFT_DATA_VALUE:
6064 err = nft_value_dump(skb, data, len);
6066 case NFT_DATA_VERDICT:
6067 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6074 nla_nest_end(skb, nest);
6077 EXPORT_SYMBOL_GPL(nft_data_dump);
6079 static int __net_init nf_tables_init_net(struct net *net)
6081 INIT_LIST_HEAD(&net->nft.af_info);
6082 INIT_LIST_HEAD(&net->nft.commit_list);
6083 net->nft.base_seq = 1;
6087 int __nft_release_basechain(struct nft_ctx *ctx)
6089 struct nft_rule *rule, *nr;
6091 BUG_ON(!nft_is_base_chain(ctx->chain));
6093 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
6095 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6096 list_del(&rule->list);
6097 nft_use_dec(&ctx->chain->use);
6098 nf_tables_rule_release(ctx, rule);
6100 list_del(&ctx->chain->list);
6101 nft_use_dec(&ctx->table->use);
6102 nf_tables_chain_destroy(ctx->chain);
6106 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6108 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
6109 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
6111 struct nft_table *table, *nt;
6112 struct nft_chain *chain, *nc;
6113 struct nft_object *obj, *ne;
6114 struct nft_rule *rule, *nr;
6115 struct nft_set *set, *ns;
6116 struct nft_ctx ctx = {
6121 list_for_each_entry_safe(table, nt, &afi->tables, list) {
6122 list_for_each_entry(chain, &table->chains, list)
6123 nf_tables_unregister_hooks(net, table, chain,
6125 /* No packets are walking on these chains anymore. */
6127 list_for_each_entry(chain, &table->chains, list) {
6129 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6130 list_del(&rule->list);
6131 nft_use_dec(&chain->use);
6132 nf_tables_rule_release(&ctx, rule);
6135 list_for_each_entry_safe(set, ns, &table->sets, list) {
6136 list_del(&set->list);
6137 nft_use_dec(&table->use);
6138 nft_set_destroy(set);
6140 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6141 list_del(&obj->list);
6142 nft_use_dec(&table->use);
6143 nft_obj_destroy(obj);
6145 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6146 list_del(&chain->list);
6147 nft_use_dec(&table->use);
6148 nf_tables_chain_destroy(chain);
6150 list_del(&table->list);
6151 nf_tables_table_destroy(&ctx);
6155 static struct pernet_operations nf_tables_net_ops = {
6156 .init = nf_tables_init_net,
6159 static int __init nf_tables_module_init(void)
6163 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6170 err = register_pernet_subsys(&nf_tables_net_ops);
6174 err = nf_tables_core_module_init();
6179 err = nfnetlink_subsys_register(&nf_tables_subsys);
6183 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
6186 nf_tables_core_module_exit();
6188 unregister_pernet_subsys(&nf_tables_net_ops);
6195 static void __exit nf_tables_module_exit(void)
6197 unregister_pernet_subsys(&nf_tables_net_ops);
6198 nfnetlink_subsys_unregister(&nf_tables_subsys);
6200 nf_tables_core_module_exit();
6204 module_init(nf_tables_module_init);
6205 module_exit(nf_tables_module_exit);
6207 MODULE_LICENSE("GPL");
6208 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6209 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / releases.git / blob