2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
44 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
47 * nft_unregister_afinfo - unregister nf_tables address family info
49 * @afi: address family info to unregister
51 * Unregister the address family for use with nf_tables.
53 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
55 nfnl_lock(NFNL_SUBSYS_NFTABLES);
56 __nft_release_afinfo(net, afi);
57 list_del_rcu(&afi->list);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
60 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
62 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
64 struct nft_af_info *afi;
66 list_for_each_entry(afi, &net->nft.af_info, list) {
67 if (afi->family == family)
73 static struct nft_af_info *
74 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
76 struct nft_af_info *afi;
78 afi = nft_afinfo_lookup(net, family);
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
84 request_module("nft-afinfo-%u", family);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES);
86 afi = nft_afinfo_lookup(net, family);
88 return ERR_PTR(-EAGAIN);
91 return ERR_PTR(-EAFNOSUPPORT);
94 static void nft_ctx_init(struct nft_ctx *ctx,
96 const struct sk_buff *skb,
97 const struct nlmsghdr *nlh,
98 struct nft_af_info *afi,
99 struct nft_table *table,
100 struct nft_chain *chain,
101 const struct nlattr * const *nla)
108 ctx->portid = NETLINK_CB(skb).portid;
109 ctx->report = nlmsg_report(nlh);
110 ctx->seq = nlh->nlmsg_seq;
113 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
116 struct nft_trans *trans;
118 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
122 trans->msg_type = msg_type;
128 static void nft_trans_destroy(struct nft_trans *trans)
130 list_del(&trans->list);
134 static int nf_tables_register_hooks(struct net *net,
135 const struct nft_table *table,
136 struct nft_chain *chain,
137 unsigned int hook_nops)
139 if (table->flags & NFT_TABLE_F_DORMANT ||
140 !(chain->flags & NFT_BASE_CHAIN))
143 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
147 static void nf_tables_unregister_hooks(struct net *net,
148 const struct nft_table *table,
149 struct nft_chain *chain,
150 unsigned int hook_nops)
152 if (table->flags & NFT_TABLE_F_DORMANT ||
153 !(chain->flags & NFT_BASE_CHAIN))
156 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
159 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
161 struct nft_trans *trans;
163 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
167 if (msg_type == NFT_MSG_NEWTABLE)
168 nft_activate_next(ctx->net, ctx->table);
170 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
174 static int nft_deltable(struct nft_ctx *ctx)
178 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
182 nft_deactivate_next(ctx->net, ctx->table);
186 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
188 struct nft_trans *trans;
190 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
194 if (msg_type == NFT_MSG_NEWCHAIN)
195 nft_activate_next(ctx->net, ctx->chain);
197 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
201 static int nft_delchain(struct nft_ctx *ctx)
205 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
210 nft_deactivate_next(ctx->net, ctx->chain);
216 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
218 /* You cannot delete the same rule twice */
219 if (nft_is_active_next(ctx->net, rule)) {
220 nft_deactivate_next(ctx->net, rule);
227 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
228 struct nft_rule *rule)
230 struct nft_trans *trans;
232 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
236 nft_trans_rule(trans) = rule;
237 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
242 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
244 struct nft_trans *trans;
247 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
251 err = nf_tables_delrule_deactivate(ctx, rule);
253 nft_trans_destroy(trans);
260 static int nft_delrule_by_chain(struct nft_ctx *ctx)
262 struct nft_rule *rule;
265 list_for_each_entry(rule, &ctx->chain->rules, list) {
266 if (!nft_is_active_next(ctx->net, rule))
269 err = nft_delrule(ctx, rule);
276 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
279 struct nft_trans *trans;
281 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
285 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
286 nft_trans_set_id(trans) =
287 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
288 nft_activate_next(ctx->net, set);
290 nft_trans_set(trans) = set;
291 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
296 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
300 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
304 nft_deactivate_next(ctx->net, set);
314 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
315 const struct nlattr *nla,
318 struct nft_table *table;
320 list_for_each_entry(table, &afi->tables, list) {
321 if (!nla_strcmp(nla, table->name) &&
322 nft_active_genmask(table, genmask))
328 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
329 const struct nlattr *nla,
332 struct nft_table *table;
335 return ERR_PTR(-EINVAL);
337 table = nft_table_lookup(afi, nla, genmask);
341 return ERR_PTR(-ENOENT);
344 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
346 return ++table->hgenerator;
349 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
351 static const struct nf_chain_type *
352 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
356 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
357 if (chain_type[family][i] != NULL &&
358 !nla_strcmp(nla, chain_type[family][i]->name))
359 return chain_type[family][i];
364 static const struct nf_chain_type *
365 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
366 const struct nlattr *nla,
369 const struct nf_chain_type *type;
371 type = __nf_tables_chain_type_lookup(afi->family, nla);
374 #ifdef CONFIG_MODULES
376 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
377 request_module("nft-chain-%u-%.*s", afi->family,
378 nla_len(nla), (const char *)nla_data(nla));
379 nfnl_lock(NFNL_SUBSYS_NFTABLES);
380 type = __nf_tables_chain_type_lookup(afi->family, nla);
382 return ERR_PTR(-EAGAIN);
385 return ERR_PTR(-ENOENT);
388 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
389 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
390 .len = NFT_TABLE_MAXNAMELEN - 1 },
391 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
394 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
395 u32 portid, u32 seq, int event, u32 flags,
396 int family, const struct nft_table *table)
398 struct nlmsghdr *nlh;
399 struct nfgenmsg *nfmsg;
401 event |= NFNL_SUBSYS_NFTABLES << 8;
402 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
404 goto nla_put_failure;
406 nfmsg = nlmsg_data(nlh);
407 nfmsg->nfgen_family = family;
408 nfmsg->version = NFNETLINK_V0;
409 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
411 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
412 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
413 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
414 goto nla_put_failure;
420 nlmsg_trim(skb, nlh);
424 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
430 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
434 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
438 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
439 event, 0, ctx->afi->family, ctx->table);
445 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
446 ctx->report, GFP_KERNEL);
449 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
455 static int nf_tables_dump_tables(struct sk_buff *skb,
456 struct netlink_callback *cb)
458 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
459 const struct nft_af_info *afi;
460 const struct nft_table *table;
461 unsigned int idx = 0, s_idx = cb->args[0];
462 struct net *net = sock_net(skb->sk);
463 int family = nfmsg->nfgen_family;
466 cb->seq = net->nft.base_seq;
468 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
469 if (family != NFPROTO_UNSPEC && family != afi->family)
472 list_for_each_entry_rcu(table, &afi->tables, list) {
476 memset(&cb->args[1], 0,
477 sizeof(cb->args) - sizeof(cb->args[0]));
478 if (!nft_is_active(net, table))
480 if (nf_tables_fill_table_info(skb, net,
481 NETLINK_CB(cb->skb).portid,
485 afi->family, table) < 0)
488 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
499 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
500 struct sk_buff *skb, const struct nlmsghdr *nlh,
501 const struct nlattr * const nla[])
503 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
504 u8 genmask = nft_genmask_cur(net);
505 const struct nft_af_info *afi;
506 const struct nft_table *table;
507 struct sk_buff *skb2;
508 int family = nfmsg->nfgen_family;
511 if (nlh->nlmsg_flags & NLM_F_DUMP) {
512 struct netlink_dump_control c = {
513 .dump = nf_tables_dump_tables,
515 return netlink_dump_start(nlsk, skb, nlh, &c);
518 afi = nf_tables_afinfo_lookup(net, family, false);
522 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
524 return PTR_ERR(table);
526 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
530 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
531 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
536 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
543 static int nf_tables_table_enable(struct net *net,
544 const struct nft_af_info *afi,
545 struct nft_table *table)
547 struct nft_chain *chain;
550 list_for_each_entry(chain, &table->chains, list) {
551 if (!nft_is_active_next(net, chain))
553 if (!(chain->flags & NFT_BASE_CHAIN))
556 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
565 list_for_each_entry(chain, &table->chains, list) {
566 if (!nft_is_active_next(net, chain))
568 if (!(chain->flags & NFT_BASE_CHAIN))
574 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
580 static void nf_tables_table_disable(struct net *net,
581 const struct nft_af_info *afi,
582 struct nft_table *table)
584 struct nft_chain *chain;
586 list_for_each_entry(chain, &table->chains, list) {
587 if (!nft_is_active_next(net, chain))
589 if (!(chain->flags & NFT_BASE_CHAIN))
592 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
597 static int nf_tables_updtable(struct nft_ctx *ctx)
599 struct nft_trans *trans;
603 if (!ctx->nla[NFTA_TABLE_FLAGS])
606 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
607 if (flags & ~NFT_TABLE_F_DORMANT)
610 if (flags == ctx->table->flags)
613 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
614 sizeof(struct nft_trans_table));
618 if ((flags & NFT_TABLE_F_DORMANT) &&
619 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
620 nft_trans_table_enable(trans) = false;
621 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
622 ctx->table->flags & NFT_TABLE_F_DORMANT) {
623 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
625 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
626 nft_trans_table_enable(trans) = true;
632 nft_trans_table_update(trans) = true;
633 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
636 nft_trans_destroy(trans);
640 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
641 struct sk_buff *skb, const struct nlmsghdr *nlh,
642 const struct nlattr * const nla[])
644 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
645 u8 genmask = nft_genmask_next(net);
646 const struct nlattr *name;
647 struct nft_af_info *afi;
648 struct nft_table *table;
649 int family = nfmsg->nfgen_family;
654 afi = nf_tables_afinfo_lookup(net, family, true);
658 name = nla[NFTA_TABLE_NAME];
659 table = nf_tables_table_lookup(afi, name, genmask);
661 if (PTR_ERR(table) != -ENOENT)
662 return PTR_ERR(table);
667 if (nlh->nlmsg_flags & NLM_F_EXCL)
669 if (nlh->nlmsg_flags & NLM_F_REPLACE)
672 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
673 return nf_tables_updtable(&ctx);
676 if (nla[NFTA_TABLE_FLAGS]) {
677 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
678 if (flags & ~NFT_TABLE_F_DORMANT)
683 if (!try_module_get(afi->owner))
687 table = kzalloc(sizeof(*table), GFP_KERNEL);
691 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
692 INIT_LIST_HEAD(&table->chains);
693 INIT_LIST_HEAD(&table->sets);
694 table->flags = flags;
696 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
697 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
701 list_add_tail_rcu(&table->list, &afi->tables);
706 module_put(afi->owner);
711 static int nft_flush_table(struct nft_ctx *ctx)
714 struct nft_chain *chain, *nc;
715 struct nft_set *set, *ns;
717 list_for_each_entry(chain, &ctx->table->chains, list) {
718 if (!nft_is_active_next(ctx->net, chain))
723 err = nft_delrule_by_chain(ctx);
728 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
729 if (!nft_is_active_next(ctx->net, set))
732 if (set->flags & NFT_SET_ANONYMOUS &&
733 !list_empty(&set->bindings))
736 err = nft_delset(ctx, set);
741 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
742 if (!nft_is_active_next(ctx->net, chain))
747 err = nft_delchain(ctx);
752 err = nft_deltable(ctx);
757 static int nft_flush(struct nft_ctx *ctx, int family)
759 struct nft_af_info *afi;
760 struct nft_table *table, *nt;
761 const struct nlattr * const *nla = ctx->nla;
764 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
765 if (family != AF_UNSPEC && afi->family != family)
769 list_for_each_entry_safe(table, nt, &afi->tables, list) {
770 if (!nft_is_active_next(ctx->net, table))
773 if (nla[NFTA_TABLE_NAME] &&
774 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
779 err = nft_flush_table(ctx);
788 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
789 struct sk_buff *skb, const struct nlmsghdr *nlh,
790 const struct nlattr * const nla[])
792 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
793 u8 genmask = nft_genmask_next(net);
794 struct nft_af_info *afi;
795 struct nft_table *table;
796 int family = nfmsg->nfgen_family;
799 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
800 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
801 return nft_flush(&ctx, family);
803 afi = nf_tables_afinfo_lookup(net, family, false);
807 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
809 return PTR_ERR(table);
814 return nft_flush_table(&ctx);
817 static void nf_tables_table_destroy(struct nft_ctx *ctx)
819 BUG_ON(ctx->table->use > 0);
822 module_put(ctx->afi->owner);
825 int nft_register_chain_type(const struct nf_chain_type *ctype)
829 nfnl_lock(NFNL_SUBSYS_NFTABLES);
830 if (chain_type[ctype->family][ctype->type] != NULL) {
834 chain_type[ctype->family][ctype->type] = ctype;
836 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
839 EXPORT_SYMBOL_GPL(nft_register_chain_type);
841 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
843 nfnl_lock(NFNL_SUBSYS_NFTABLES);
844 chain_type[ctype->family][ctype->type] = NULL;
845 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
847 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
853 static struct nft_chain *
854 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
857 struct nft_chain *chain;
859 list_for_each_entry(chain, &table->chains, list) {
860 if (chain->handle == handle &&
861 nft_active_genmask(chain, genmask))
865 return ERR_PTR(-ENOENT);
868 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
869 const struct nlattr *nla,
872 struct nft_chain *chain;
875 return ERR_PTR(-EINVAL);
877 list_for_each_entry(chain, &table->chains, list) {
878 if (!nla_strcmp(nla, chain->name) &&
879 nft_active_genmask(chain, genmask))
883 return ERR_PTR(-ENOENT);
886 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
887 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
888 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
889 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
890 .len = NFT_CHAIN_MAXNAMELEN - 1 },
891 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
892 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
893 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
894 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
897 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
898 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
899 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
900 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
901 .len = IFNAMSIZ - 1 },
904 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
906 struct nft_stats *cpu_stats, total;
912 memset(&total, 0, sizeof(total));
913 for_each_possible_cpu(cpu) {
914 cpu_stats = per_cpu_ptr(stats, cpu);
916 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
917 pkts = cpu_stats->pkts;
918 bytes = cpu_stats->bytes;
919 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
921 total.bytes += bytes;
923 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
925 goto nla_put_failure;
927 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
929 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
931 goto nla_put_failure;
933 nla_nest_end(skb, nest);
940 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
941 u32 portid, u32 seq, int event, u32 flags,
942 int family, const struct nft_table *table,
943 const struct nft_chain *chain)
945 struct nlmsghdr *nlh;
946 struct nfgenmsg *nfmsg;
948 event |= NFNL_SUBSYS_NFTABLES << 8;
949 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
951 goto nla_put_failure;
953 nfmsg = nlmsg_data(nlh);
954 nfmsg->nfgen_family = family;
955 nfmsg->version = NFNETLINK_V0;
956 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
958 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
959 goto nla_put_failure;
960 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
962 goto nla_put_failure;
963 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
964 goto nla_put_failure;
966 if (chain->flags & NFT_BASE_CHAIN) {
967 const struct nft_base_chain *basechain = nft_base_chain(chain);
968 const struct nf_hook_ops *ops = &basechain->ops[0];
971 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
973 goto nla_put_failure;
974 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
975 goto nla_put_failure;
976 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
977 goto nla_put_failure;
978 if (basechain->dev_name[0] &&
979 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
980 goto nla_put_failure;
981 nla_nest_end(skb, nest);
983 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
984 htonl(basechain->policy)))
985 goto nla_put_failure;
987 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
988 goto nla_put_failure;
990 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
991 goto nla_put_failure;
994 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
995 goto nla_put_failure;
1001 nlmsg_trim(skb, nlh);
1005 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1007 struct sk_buff *skb;
1011 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1015 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1019 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1020 event, 0, ctx->afi->family, ctx->table,
1027 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1028 ctx->report, GFP_KERNEL);
1031 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1037 static int nf_tables_dump_chains(struct sk_buff *skb,
1038 struct netlink_callback *cb)
1040 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1041 const struct nft_af_info *afi;
1042 const struct nft_table *table;
1043 const struct nft_chain *chain;
1044 unsigned int idx = 0, s_idx = cb->args[0];
1045 struct net *net = sock_net(skb->sk);
1046 int family = nfmsg->nfgen_family;
1049 cb->seq = net->nft.base_seq;
1051 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1052 if (family != NFPROTO_UNSPEC && family != afi->family)
1055 list_for_each_entry_rcu(table, &afi->tables, list) {
1056 list_for_each_entry_rcu(chain, &table->chains, list) {
1060 memset(&cb->args[1], 0,
1061 sizeof(cb->args) - sizeof(cb->args[0]));
1062 if (!nft_is_active(net, chain))
1064 if (nf_tables_fill_chain_info(skb, net,
1065 NETLINK_CB(cb->skb).portid,
1069 afi->family, table, chain) < 0)
1072 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1084 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1085 struct sk_buff *skb, const struct nlmsghdr *nlh,
1086 const struct nlattr * const nla[])
1088 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1089 u8 genmask = nft_genmask_cur(net);
1090 const struct nft_af_info *afi;
1091 const struct nft_table *table;
1092 const struct nft_chain *chain;
1093 struct sk_buff *skb2;
1094 int family = nfmsg->nfgen_family;
1097 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1098 struct netlink_dump_control c = {
1099 .dump = nf_tables_dump_chains,
1101 return netlink_dump_start(nlsk, skb, nlh, &c);
1104 afi = nf_tables_afinfo_lookup(net, family, false);
1106 return PTR_ERR(afi);
1108 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1110 return PTR_ERR(table);
1112 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1114 return PTR_ERR(chain);
1116 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1120 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1121 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1122 family, table, chain);
1126 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1133 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1134 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1135 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1138 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1140 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1141 struct nft_stats __percpu *newstats;
1142 struct nft_stats *stats;
1145 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1147 return ERR_PTR(err);
1149 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1150 return ERR_PTR(-EINVAL);
1152 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1153 if (newstats == NULL)
1154 return ERR_PTR(-ENOMEM);
1156 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1157 * are not exposed to userspace.
1160 stats = this_cpu_ptr(newstats);
1161 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1162 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1168 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1169 struct nft_stats __percpu *newstats)
1171 if (newstats == NULL)
1175 struct nft_stats __percpu *oldstats =
1176 nft_dereference(chain->stats);
1178 rcu_assign_pointer(chain->stats, newstats);
1180 free_percpu(oldstats);
1182 rcu_assign_pointer(chain->stats, newstats);
1185 static void nf_tables_chain_destroy(struct nft_chain *chain)
1187 BUG_ON(chain->use > 0);
1189 if (chain->flags & NFT_BASE_CHAIN) {
1190 struct nft_base_chain *basechain = nft_base_chain(chain);
1192 module_put(basechain->type->owner);
1193 free_percpu(basechain->stats);
1194 if (basechain->ops[0].dev != NULL)
1195 dev_put(basechain->ops[0].dev);
1202 struct nft_chain_hook {
1205 const struct nf_chain_type *type;
1206 struct net_device *dev;
1209 static int nft_chain_parse_hook(struct net *net,
1210 const struct nlattr * const nla[],
1211 struct nft_af_info *afi,
1212 struct nft_chain_hook *hook, bool create)
1214 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1215 const struct nf_chain_type *type;
1216 struct net_device *dev;
1219 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1224 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1225 ha[NFTA_HOOK_PRIORITY] == NULL)
1228 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1229 if (hook->num >= afi->nhooks)
1232 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1234 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1235 if (nla[NFTA_CHAIN_TYPE]) {
1236 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1239 return PTR_ERR(type);
1241 if (!(type->hook_mask & (1 << hook->num)))
1243 if (!try_module_get(type->owner))
1249 if (afi->flags & NFT_AF_NEEDS_DEV) {
1250 char ifname[IFNAMSIZ];
1252 if (!ha[NFTA_HOOK_DEV]) {
1253 module_put(type->owner);
1257 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1258 dev = dev_get_by_name(net, ifname);
1260 module_put(type->owner);
1264 } else if (ha[NFTA_HOOK_DEV]) {
1265 module_put(type->owner);
1272 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1274 module_put(hook->type->owner);
1275 if (hook->dev != NULL)
1279 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1280 struct sk_buff *skb, const struct nlmsghdr *nlh,
1281 const struct nlattr * const nla[])
1283 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1284 const struct nlattr * uninitialized_var(name);
1285 struct nft_af_info *afi;
1286 struct nft_table *table;
1287 struct nft_chain *chain;
1288 struct nft_base_chain *basechain = NULL;
1289 u8 genmask = nft_genmask_next(net);
1290 int family = nfmsg->nfgen_family;
1291 u8 policy = NF_ACCEPT;
1294 struct nft_stats __percpu *stats;
1299 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1301 afi = nf_tables_afinfo_lookup(net, family, true);
1303 return PTR_ERR(afi);
1305 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1307 return PTR_ERR(table);
1310 name = nla[NFTA_CHAIN_NAME];
1312 if (nla[NFTA_CHAIN_HANDLE]) {
1313 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1314 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1316 return PTR_ERR(chain);
1318 chain = nf_tables_chain_lookup(table, name, genmask);
1319 if (IS_ERR(chain)) {
1320 if (PTR_ERR(chain) != -ENOENT)
1321 return PTR_ERR(chain);
1326 if (nla[NFTA_CHAIN_POLICY]) {
1327 if ((chain != NULL &&
1328 !(chain->flags & NFT_BASE_CHAIN)))
1331 if (chain == NULL &&
1332 nla[NFTA_CHAIN_HOOK] == NULL)
1335 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1345 if (chain != NULL) {
1346 struct nft_stats *stats = NULL;
1347 struct nft_trans *trans;
1349 if (nlh->nlmsg_flags & NLM_F_EXCL)
1351 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1354 if (nla[NFTA_CHAIN_HOOK]) {
1355 struct nft_base_chain *basechain;
1356 struct nft_chain_hook hook;
1357 struct nf_hook_ops *ops;
1359 if (!(chain->flags & NFT_BASE_CHAIN))
1362 err = nft_chain_parse_hook(net, nla, afi, &hook,
1367 basechain = nft_base_chain(chain);
1368 if (basechain->type != hook.type) {
1369 nft_chain_release_hook(&hook);
1373 for (i = 0; i < afi->nops; i++) {
1374 ops = &basechain->ops[i];
1375 if (ops->hooknum != hook.num ||
1376 ops->priority != hook.priority ||
1377 ops->dev != hook.dev) {
1378 nft_chain_release_hook(&hook);
1382 nft_chain_release_hook(&hook);
1385 if (nla[NFTA_CHAIN_HANDLE] && name) {
1386 struct nft_chain *chain2;
1388 chain2 = nf_tables_chain_lookup(table,
1389 nla[NFTA_CHAIN_NAME],
1392 return PTR_ERR(chain2);
1395 if (nla[NFTA_CHAIN_COUNTERS]) {
1396 if (!(chain->flags & NFT_BASE_CHAIN))
1399 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1401 return PTR_ERR(stats);
1404 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1405 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1406 sizeof(struct nft_trans_chain));
1407 if (trans == NULL) {
1412 nft_trans_chain_stats(trans) = stats;
1413 nft_trans_chain_update(trans) = true;
1415 if (nla[NFTA_CHAIN_POLICY])
1416 nft_trans_chain_policy(trans) = policy;
1418 nft_trans_chain_policy(trans) = -1;
1420 if (nla[NFTA_CHAIN_HANDLE] && name) {
1421 nla_strlcpy(nft_trans_chain_name(trans), name,
1422 NFT_CHAIN_MAXNAMELEN);
1424 list_add_tail(&trans->list, &net->nft.commit_list);
1428 if (table->use == UINT_MAX)
1431 if (nla[NFTA_CHAIN_HOOK]) {
1432 struct nft_chain_hook hook;
1433 struct nf_hook_ops *ops;
1436 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1440 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1441 if (basechain == NULL) {
1442 nft_chain_release_hook(&hook);
1446 if (hook.dev != NULL)
1447 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1449 if (nla[NFTA_CHAIN_COUNTERS]) {
1450 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1451 if (IS_ERR(stats)) {
1452 nft_chain_release_hook(&hook);
1454 return PTR_ERR(stats);
1456 basechain->stats = stats;
1458 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1459 if (stats == NULL) {
1460 nft_chain_release_hook(&hook);
1464 rcu_assign_pointer(basechain->stats, stats);
1467 hookfn = hook.type->hooks[hook.num];
1468 basechain->type = hook.type;
1469 chain = &basechain->chain;
1471 for (i = 0; i < afi->nops; i++) {
1472 ops = &basechain->ops[i];
1474 ops->hooknum = hook.num;
1475 ops->priority = hook.priority;
1477 ops->hook = afi->hooks[ops->hooknum];
1478 ops->dev = hook.dev;
1481 if (afi->hook_ops_init)
1482 afi->hook_ops_init(ops, i);
1485 chain->flags |= NFT_BASE_CHAIN;
1486 basechain->policy = policy;
1488 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1493 INIT_LIST_HEAD(&chain->rules);
1494 chain->handle = nf_tables_alloc_handle(table);
1495 chain->table = table;
1496 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1498 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1502 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1503 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1508 list_add_tail_rcu(&chain->list, &table->chains);
1511 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1513 nf_tables_chain_destroy(chain);
1517 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1518 struct sk_buff *skb, const struct nlmsghdr *nlh,
1519 const struct nlattr * const nla[])
1521 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1522 u8 genmask = nft_genmask_next(net);
1523 struct nft_af_info *afi;
1524 struct nft_table *table;
1525 struct nft_chain *chain;
1526 int family = nfmsg->nfgen_family;
1529 afi = nf_tables_afinfo_lookup(net, family, false);
1531 return PTR_ERR(afi);
1533 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1535 return PTR_ERR(table);
1537 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1539 return PTR_ERR(chain);
1543 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1545 return nft_delchain(&ctx);
1553 * nft_register_expr - register nf_tables expr type
1556 * Registers the expr type for use with nf_tables. Returns zero on
1557 * success or a negative errno code otherwise.
1559 int nft_register_expr(struct nft_expr_type *type)
1561 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1562 if (type->family == NFPROTO_UNSPEC)
1563 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1565 list_add_rcu(&type->list, &nf_tables_expressions);
1566 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1569 EXPORT_SYMBOL_GPL(nft_register_expr);
1572 * nft_unregister_expr - unregister nf_tables expr type
1575 * Unregisters the expr typefor use with nf_tables.
1577 void nft_unregister_expr(struct nft_expr_type *type)
1579 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1580 list_del_rcu(&type->list);
1581 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1583 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1585 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1588 const struct nft_expr_type *type;
1590 list_for_each_entry(type, &nf_tables_expressions, list) {
1591 if (!nla_strcmp(nla, type->name) &&
1592 (!type->family || type->family == family))
1598 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1601 const struct nft_expr_type *type;
1604 return ERR_PTR(-EINVAL);
1606 type = __nft_expr_type_get(family, nla);
1607 if (type != NULL && try_module_get(type->owner))
1610 #ifdef CONFIG_MODULES
1612 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1613 request_module("nft-expr-%u-%.*s", family,
1614 nla_len(nla), (char *)nla_data(nla));
1615 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1616 if (__nft_expr_type_get(family, nla))
1617 return ERR_PTR(-EAGAIN);
1619 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1620 request_module("nft-expr-%.*s",
1621 nla_len(nla), (char *)nla_data(nla));
1622 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1623 if (__nft_expr_type_get(family, nla))
1624 return ERR_PTR(-EAGAIN);
1627 return ERR_PTR(-ENOENT);
1630 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1631 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1632 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1635 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1636 const struct nft_expr *expr)
1638 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1639 goto nla_put_failure;
1641 if (expr->ops->dump) {
1642 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1644 goto nla_put_failure;
1645 if (expr->ops->dump(skb, expr) < 0)
1646 goto nla_put_failure;
1647 nla_nest_end(skb, data);
1656 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1657 const struct nft_expr *expr)
1659 struct nlattr *nest;
1661 nest = nla_nest_start(skb, attr);
1663 goto nla_put_failure;
1664 if (nf_tables_fill_expr_info(skb, expr) < 0)
1665 goto nla_put_failure;
1666 nla_nest_end(skb, nest);
1673 struct nft_expr_info {
1674 const struct nft_expr_ops *ops;
1675 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1678 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1679 const struct nlattr *nla,
1680 struct nft_expr_info *info)
1682 const struct nft_expr_type *type;
1683 const struct nft_expr_ops *ops;
1684 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1687 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1691 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1693 return PTR_ERR(type);
1695 if (tb[NFTA_EXPR_DATA]) {
1696 err = nla_parse_nested(info->tb, type->maxattr,
1697 tb[NFTA_EXPR_DATA], type->policy);
1701 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1703 if (type->select_ops != NULL) {
1704 ops = type->select_ops(ctx,
1705 (const struct nlattr * const *)info->tb);
1717 module_put(type->owner);
1721 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1722 const struct nft_expr_info *info,
1723 struct nft_expr *expr)
1725 const struct nft_expr_ops *ops = info->ops;
1730 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1742 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1743 struct nft_expr *expr)
1745 if (expr->ops->destroy)
1746 expr->ops->destroy(ctx, expr);
1747 module_put(expr->ops->type->owner);
1750 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1751 const struct nlattr *nla)
1753 struct nft_expr_info info;
1754 struct nft_expr *expr;
1757 err = nf_tables_expr_parse(ctx, nla, &info);
1762 expr = kzalloc(info.ops->size, GFP_KERNEL);
1766 err = nf_tables_newexpr(ctx, &info, expr);
1774 module_put(info.ops->type->owner);
1776 return ERR_PTR(err);
1779 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1781 nf_tables_expr_destroy(ctx, expr);
1789 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1792 struct nft_rule *rule;
1794 // FIXME: this sucks
1795 list_for_each_entry(rule, &chain->rules, list) {
1796 if (handle == rule->handle)
1800 return ERR_PTR(-ENOENT);
1803 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1804 const struct nlattr *nla)
1807 return ERR_PTR(-EINVAL);
1809 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1812 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1813 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1814 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1815 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1816 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1817 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1818 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1819 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1820 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1821 .len = NFT_USERDATA_MAXLEN },
1824 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1825 u32 portid, u32 seq, int event,
1826 u32 flags, int family,
1827 const struct nft_table *table,
1828 const struct nft_chain *chain,
1829 const struct nft_rule *rule)
1831 struct nlmsghdr *nlh;
1832 struct nfgenmsg *nfmsg;
1833 const struct nft_expr *expr, *next;
1834 struct nlattr *list;
1835 const struct nft_rule *prule;
1836 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1838 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1841 goto nla_put_failure;
1843 nfmsg = nlmsg_data(nlh);
1844 nfmsg->nfgen_family = family;
1845 nfmsg->version = NFNETLINK_V0;
1846 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1848 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1849 goto nla_put_failure;
1850 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1851 goto nla_put_failure;
1852 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1854 goto nla_put_failure;
1856 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1857 prule = list_entry(rule->list.prev, struct nft_rule, list);
1858 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1859 cpu_to_be64(prule->handle),
1861 goto nla_put_failure;
1864 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1866 goto nla_put_failure;
1867 nft_rule_for_each_expr(expr, next, rule) {
1868 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1869 goto nla_put_failure;
1871 nla_nest_end(skb, list);
1874 struct nft_userdata *udata = nft_userdata(rule);
1875 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1877 goto nla_put_failure;
1880 nlmsg_end(skb, nlh);
1884 nlmsg_trim(skb, nlh);
1888 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1889 const struct nft_rule *rule,
1892 struct sk_buff *skb;
1896 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1900 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1904 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1905 event, 0, ctx->afi->family, ctx->table,
1912 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1913 ctx->report, GFP_KERNEL);
1916 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1922 struct nft_rule_dump_ctx {
1923 char table[NFT_TABLE_MAXNAMELEN];
1924 char chain[NFT_CHAIN_MAXNAMELEN];
1927 static int nf_tables_dump_rules(struct sk_buff *skb,
1928 struct netlink_callback *cb)
1930 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1931 const struct nft_rule_dump_ctx *ctx = cb->data;
1932 const struct nft_af_info *afi;
1933 const struct nft_table *table;
1934 const struct nft_chain *chain;
1935 const struct nft_rule *rule;
1936 unsigned int idx = 0, s_idx = cb->args[0];
1937 struct net *net = sock_net(skb->sk);
1938 int family = nfmsg->nfgen_family;
1941 cb->seq = net->nft.base_seq;
1943 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1944 if (family != NFPROTO_UNSPEC && family != afi->family)
1947 list_for_each_entry_rcu(table, &afi->tables, list) {
1948 if (ctx && ctx->table[0] &&
1949 strcmp(ctx->table, table->name) != 0)
1952 list_for_each_entry_rcu(chain, &table->chains, list) {
1953 if (ctx && ctx->chain[0] &&
1954 strcmp(ctx->chain, chain->name) != 0)
1957 list_for_each_entry_rcu(rule, &chain->rules, list) {
1958 if (!nft_is_active(net, rule))
1963 memset(&cb->args[1], 0,
1964 sizeof(cb->args) - sizeof(cb->args[0]));
1965 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1968 NLM_F_MULTI | NLM_F_APPEND,
1969 afi->family, table, chain, rule) < 0)
1972 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1986 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
1992 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
1993 struct sk_buff *skb, const struct nlmsghdr *nlh,
1994 const struct nlattr * const nla[])
1996 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1997 u8 genmask = nft_genmask_cur(net);
1998 const struct nft_af_info *afi;
1999 const struct nft_table *table;
2000 const struct nft_chain *chain;
2001 const struct nft_rule *rule;
2002 struct sk_buff *skb2;
2003 int family = nfmsg->nfgen_family;
2006 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2007 struct netlink_dump_control c = {
2008 .dump = nf_tables_dump_rules,
2009 .done = nf_tables_dump_rules_done,
2012 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2013 struct nft_rule_dump_ctx *ctx;
2015 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2019 if (nla[NFTA_RULE_TABLE])
2020 nla_strlcpy(ctx->table, nla[NFTA_RULE_TABLE],
2021 sizeof(ctx->table));
2022 if (nla[NFTA_RULE_CHAIN])
2023 nla_strlcpy(ctx->chain, nla[NFTA_RULE_CHAIN],
2024 sizeof(ctx->chain));
2028 return netlink_dump_start(nlsk, skb, nlh, &c);
2031 afi = nf_tables_afinfo_lookup(net, family, false);
2033 return PTR_ERR(afi);
2035 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2037 return PTR_ERR(table);
2039 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2041 return PTR_ERR(chain);
2043 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2045 return PTR_ERR(rule);
2047 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2051 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2052 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2053 family, table, chain, rule);
2057 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2064 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2065 struct nft_rule *rule)
2067 struct nft_expr *expr;
2070 * Careful: some expressions might not be initialized in case this
2071 * is called on error from nf_tables_newrule().
2073 expr = nft_expr_first(rule);
2074 while (expr != nft_expr_last(rule) && expr->ops) {
2075 nf_tables_expr_destroy(ctx, expr);
2076 expr = nft_expr_next(expr);
2081 #define NFT_RULE_MAXEXPRS 128
2083 static struct nft_expr_info *info;
2085 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2086 struct sk_buff *skb, const struct nlmsghdr *nlh,
2087 const struct nlattr * const nla[])
2089 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2090 u8 genmask = nft_genmask_next(net);
2091 struct nft_af_info *afi;
2092 struct nft_table *table;
2093 struct nft_chain *chain;
2094 struct nft_rule *rule, *old_rule = NULL;
2095 struct nft_userdata *udata;
2096 struct nft_trans *trans = NULL;
2097 struct nft_expr *expr;
2100 unsigned int size, i, n, ulen = 0, usize = 0;
2103 u64 handle, pos_handle;
2105 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2107 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2109 return PTR_ERR(afi);
2111 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2113 return PTR_ERR(table);
2115 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2117 return PTR_ERR(chain);
2119 if (nla[NFTA_RULE_HANDLE]) {
2120 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2121 rule = __nf_tables_rule_lookup(chain, handle);
2123 return PTR_ERR(rule);
2125 if (nlh->nlmsg_flags & NLM_F_EXCL)
2127 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2132 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2134 handle = nf_tables_alloc_handle(table);
2136 if (chain->use == UINT_MAX)
2140 if (nla[NFTA_RULE_POSITION]) {
2141 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2144 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2145 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2146 if (IS_ERR(old_rule))
2147 return PTR_ERR(old_rule);
2150 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2154 if (nla[NFTA_RULE_EXPRESSIONS]) {
2155 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2157 if (nla_type(tmp) != NFTA_LIST_ELEM)
2159 if (n == NFT_RULE_MAXEXPRS)
2161 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2164 size += info[n].ops->size;
2168 /* Check for overflow of dlen field */
2170 if (size >= 1 << 12)
2173 if (nla[NFTA_RULE_USERDATA]) {
2174 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2176 usize = sizeof(struct nft_userdata) + ulen;
2180 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2184 nft_activate_next(net, rule);
2186 rule->handle = handle;
2188 rule->udata = ulen ? 1 : 0;
2191 udata = nft_userdata(rule);
2192 udata->len = ulen - 1;
2193 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2196 expr = nft_expr_first(rule);
2197 for (i = 0; i < n; i++) {
2198 err = nf_tables_newexpr(&ctx, &info[i], expr);
2202 expr = nft_expr_next(expr);
2205 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2206 if (!nft_is_active_next(net, old_rule)) {
2210 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2212 if (trans == NULL) {
2216 nft_deactivate_next(net, old_rule);
2219 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2224 list_add_tail_rcu(&rule->list, &old_rule->list);
2226 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2231 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2233 list_add_rcu(&rule->list, &old_rule->list);
2235 list_add_tail_rcu(&rule->list, &chain->rules);
2238 list_add_tail_rcu(&rule->list, &old_rule->list);
2240 list_add_rcu(&rule->list, &chain->rules);
2247 nf_tables_rule_destroy(&ctx, rule);
2249 for (i = 0; i < n; i++) {
2250 if (info[i].ops != NULL)
2251 module_put(info[i].ops->type->owner);
2256 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2257 struct sk_buff *skb, const struct nlmsghdr *nlh,
2258 const struct nlattr * const nla[])
2260 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2261 u8 genmask = nft_genmask_next(net);
2262 struct nft_af_info *afi;
2263 struct nft_table *table;
2264 struct nft_chain *chain = NULL;
2265 struct nft_rule *rule;
2266 int family = nfmsg->nfgen_family, err = 0;
2269 afi = nf_tables_afinfo_lookup(net, family, false);
2271 return PTR_ERR(afi);
2273 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2275 return PTR_ERR(table);
2277 if (nla[NFTA_RULE_CHAIN]) {
2278 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2281 return PTR_ERR(chain);
2284 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2287 if (nla[NFTA_RULE_HANDLE]) {
2288 rule = nf_tables_rule_lookup(chain,
2289 nla[NFTA_RULE_HANDLE]);
2291 return PTR_ERR(rule);
2293 err = nft_delrule(&ctx, rule);
2295 err = nft_delrule_by_chain(&ctx);
2298 list_for_each_entry(chain, &table->chains, list) {
2299 if (!nft_is_active_next(net, chain))
2303 err = nft_delrule_by_chain(&ctx);
2316 static LIST_HEAD(nf_tables_set_ops);
2318 int nft_register_set(struct nft_set_ops *ops)
2320 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2321 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2322 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2325 EXPORT_SYMBOL_GPL(nft_register_set);
2327 void nft_unregister_set(struct nft_set_ops *ops)
2329 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2330 list_del_rcu(&ops->list);
2331 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2333 EXPORT_SYMBOL_GPL(nft_unregister_set);
2336 * Select a set implementation based on the data characteristics and the
2337 * given policy. The total memory use might not be known if no size is
2338 * given, in that case the amount of memory per element is used.
2340 static const struct nft_set_ops *
2341 nft_select_set_ops(const struct nlattr * const nla[],
2342 const struct nft_set_desc *desc,
2343 enum nft_set_policies policy)
2345 const struct nft_set_ops *ops, *bops;
2346 struct nft_set_estimate est, best;
2349 #ifdef CONFIG_MODULES
2350 if (list_empty(&nf_tables_set_ops)) {
2351 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2352 request_module("nft-set");
2353 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2354 if (!list_empty(&nf_tables_set_ops))
2355 return ERR_PTR(-EAGAIN);
2359 if (nla[NFTA_SET_FLAGS] != NULL) {
2360 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2361 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2368 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2369 if ((ops->features & features) != features)
2371 if (!ops->estimate(desc, features, &est))
2375 case NFT_SET_POL_PERFORMANCE:
2376 if (est.class < best.class)
2378 if (est.class == best.class && est.size < best.size)
2381 case NFT_SET_POL_MEMORY:
2382 if (est.size < best.size)
2384 if (est.size == best.size && est.class < best.class)
2391 if (!try_module_get(ops->owner))
2394 module_put(bops->owner);
2403 return ERR_PTR(-EOPNOTSUPP);
2406 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2407 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2408 [NFTA_SET_NAME] = { .type = NLA_STRING,
2409 .len = NFT_SET_MAXNAMELEN - 1 },
2410 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2411 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2412 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2413 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2414 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2415 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2416 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2417 [NFTA_SET_ID] = { .type = NLA_U32 },
2418 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2419 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2420 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2421 .len = NFT_USERDATA_MAXLEN },
2424 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2425 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2428 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2429 const struct sk_buff *skb,
2430 const struct nlmsghdr *nlh,
2431 const struct nlattr * const nla[],
2434 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2435 struct nft_af_info *afi = NULL;
2436 struct nft_table *table = NULL;
2438 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2439 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2441 return PTR_ERR(afi);
2444 if (nla[NFTA_SET_TABLE] != NULL) {
2446 return -EAFNOSUPPORT;
2448 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2451 return PTR_ERR(table);
2454 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2458 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2459 const struct nlattr *nla, u8 genmask)
2461 struct nft_set *set;
2464 return ERR_PTR(-EINVAL);
2466 list_for_each_entry(set, &table->sets, list) {
2467 if (!nla_strcmp(nla, set->name) &&
2468 nft_active_genmask(set, genmask))
2471 return ERR_PTR(-ENOENT);
2474 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2475 const struct nlattr *nla,
2478 struct nft_trans *trans;
2479 u32 id = ntohl(nla_get_be32(nla));
2481 list_for_each_entry(trans, &net->nft.commit_list, list) {
2482 if (trans->msg_type == NFT_MSG_NEWSET) {
2483 struct nft_set *set = nft_trans_set(trans);
2485 if (id == nft_trans_set_id(trans) &&
2486 nft_active_genmask(set, genmask))
2490 return ERR_PTR(-ENOENT);
2493 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2496 const struct nft_set *i;
2498 unsigned long *inuse;
2499 unsigned int n = 0, min = 0;
2501 p = strnchr(name, NFT_SET_MAXNAMELEN, '%');
2503 if (p[1] != 'd' || strchr(p + 2, '%'))
2506 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2510 list_for_each_entry(i, &ctx->table->sets, list) {
2513 if (!nft_is_active_next(ctx->net, set))
2515 if (!sscanf(i->name, name, &tmp))
2517 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2520 set_bit(tmp - min, inuse);
2523 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2524 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2525 min += BITS_PER_BYTE * PAGE_SIZE;
2526 memset(inuse, 0, PAGE_SIZE);
2529 free_page((unsigned long)inuse);
2532 snprintf(set->name, sizeof(set->name), name, min + n);
2533 list_for_each_entry(i, &ctx->table->sets, list) {
2534 if (!nft_is_active_next(ctx->net, i))
2536 if (!strcmp(set->name, i->name))
2542 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2543 const struct nft_set *set, u16 event, u16 flags)
2545 struct nfgenmsg *nfmsg;
2546 struct nlmsghdr *nlh;
2547 struct nlattr *desc;
2548 u32 portid = ctx->portid;
2551 event |= NFNL_SUBSYS_NFTABLES << 8;
2552 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2555 goto nla_put_failure;
2557 nfmsg = nlmsg_data(nlh);
2558 nfmsg->nfgen_family = ctx->afi->family;
2559 nfmsg->version = NFNETLINK_V0;
2560 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2562 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2563 goto nla_put_failure;
2564 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2565 goto nla_put_failure;
2566 if (set->flags != 0)
2567 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2568 goto nla_put_failure;
2570 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2571 goto nla_put_failure;
2572 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2573 goto nla_put_failure;
2574 if (set->flags & NFT_SET_MAP) {
2575 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2576 goto nla_put_failure;
2577 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2578 goto nla_put_failure;
2582 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2583 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2585 goto nla_put_failure;
2587 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2588 goto nla_put_failure;
2590 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2591 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2592 goto nla_put_failure;
2596 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2597 goto nla_put_failure;
2599 desc = nla_nest_start(skb, NFTA_SET_DESC);
2601 goto nla_put_failure;
2603 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2604 goto nla_put_failure;
2605 nla_nest_end(skb, desc);
2607 nlmsg_end(skb, nlh);
2611 nlmsg_trim(skb, nlh);
2615 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2616 const struct nft_set *set,
2617 int event, gfp_t gfp_flags)
2619 struct sk_buff *skb;
2620 u32 portid = ctx->portid;
2624 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2628 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2632 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2638 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2639 ctx->report, gfp_flags);
2642 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2646 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2648 const struct nft_set *set;
2649 unsigned int idx, s_idx = cb->args[0];
2650 struct nft_af_info *afi;
2651 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2652 struct net *net = sock_net(skb->sk);
2653 int cur_family = cb->args[3];
2654 struct nft_ctx *ctx = cb->data, ctx_set;
2660 cb->seq = net->nft.base_seq;
2662 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2663 if (ctx->afi && ctx->afi != afi)
2667 if (afi->family != cur_family)
2672 list_for_each_entry_rcu(table, &afi->tables, list) {
2673 if (ctx->table && ctx->table != table)
2677 if (cur_table != table)
2683 list_for_each_entry_rcu(set, &table->sets, list) {
2686 if (!nft_is_active(net, set))
2690 ctx_set.table = table;
2692 if (nf_tables_fill_set(skb, &ctx_set, set,
2696 cb->args[2] = (unsigned long) table;
2697 cb->args[3] = afi->family;
2700 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2714 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2720 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2721 struct sk_buff *skb, const struct nlmsghdr *nlh,
2722 const struct nlattr * const nla[])
2724 u8 genmask = nft_genmask_cur(net);
2725 const struct nft_set *set;
2727 struct sk_buff *skb2;
2728 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2731 /* Verify existence before starting dump */
2732 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2736 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2737 struct netlink_dump_control c = {
2738 .dump = nf_tables_dump_sets,
2739 .done = nf_tables_dump_sets_done,
2741 struct nft_ctx *ctx_dump;
2743 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2744 if (ctx_dump == NULL)
2750 return netlink_dump_start(nlsk, skb, nlh, &c);
2753 /* Only accept unspec with dump */
2754 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2755 return -EAFNOSUPPORT;
2756 if (!nla[NFTA_SET_TABLE])
2759 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2761 return PTR_ERR(set);
2763 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2767 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2771 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2778 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2779 struct nft_set_desc *desc,
2780 const struct nlattr *nla)
2782 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2785 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2789 if (da[NFTA_SET_DESC_SIZE] != NULL)
2790 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2795 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2796 struct sk_buff *skb, const struct nlmsghdr *nlh,
2797 const struct nlattr * const nla[])
2799 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2800 u8 genmask = nft_genmask_next(net);
2801 const struct nft_set_ops *ops;
2802 struct nft_af_info *afi;
2803 struct nft_table *table;
2804 struct nft_set *set;
2806 char name[NFT_SET_MAXNAMELEN];
2810 u32 ktype, dtype, flags, policy, gc_int;
2811 struct nft_set_desc desc;
2812 unsigned char *udata;
2816 if (nla[NFTA_SET_TABLE] == NULL ||
2817 nla[NFTA_SET_NAME] == NULL ||
2818 nla[NFTA_SET_KEY_LEN] == NULL ||
2819 nla[NFTA_SET_ID] == NULL)
2822 memset(&desc, 0, sizeof(desc));
2824 ktype = NFT_DATA_VALUE;
2825 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2826 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2827 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2831 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2832 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2836 if (nla[NFTA_SET_FLAGS] != NULL) {
2837 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2838 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2839 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2840 NFT_SET_MAP | NFT_SET_EVAL))
2842 /* Only one of both operations is supported */
2843 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2844 (NFT_SET_MAP | NFT_SET_EVAL))
2849 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2850 if (!(flags & NFT_SET_MAP))
2853 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2854 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2855 dtype != NFT_DATA_VERDICT)
2858 if (dtype != NFT_DATA_VERDICT) {
2859 if (nla[NFTA_SET_DATA_LEN] == NULL)
2861 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2862 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2865 desc.dlen = sizeof(struct nft_verdict);
2866 } else if (flags & NFT_SET_MAP)
2870 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2871 if (!(flags & NFT_SET_TIMEOUT))
2873 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
2874 nla[NFTA_SET_TIMEOUT])));
2877 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2878 if (!(flags & NFT_SET_TIMEOUT))
2880 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2883 policy = NFT_SET_POL_PERFORMANCE;
2884 if (nla[NFTA_SET_POLICY] != NULL)
2885 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2887 if (nla[NFTA_SET_DESC] != NULL) {
2888 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2893 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2895 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2897 return PTR_ERR(afi);
2899 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
2901 return PTR_ERR(table);
2903 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2905 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
2907 if (PTR_ERR(set) != -ENOENT)
2908 return PTR_ERR(set);
2913 if (nlh->nlmsg_flags & NLM_F_EXCL)
2915 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2920 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2923 ops = nft_select_set_ops(nla, &desc, policy);
2925 return PTR_ERR(ops);
2928 if (nla[NFTA_SET_USERDATA])
2929 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2932 if (ops->privsize != NULL)
2933 size = ops->privsize(nla);
2936 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2940 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2941 err = nf_tables_set_alloc_name(&ctx, set, name);
2947 udata = set->data + size;
2948 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2951 INIT_LIST_HEAD(&set->bindings);
2954 set->klen = desc.klen;
2956 set->dlen = desc.dlen;
2958 set->size = desc.size;
2959 set->policy = policy;
2962 set->timeout = timeout;
2963 set->gc_int = gc_int;
2965 err = ops->init(set, &desc, nla);
2969 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2973 list_add_tail_rcu(&set->list, &table->sets);
2982 module_put(ops->owner);
2986 static void nft_set_destroy(struct nft_set *set)
2988 set->ops->destroy(set);
2989 module_put(set->ops->owner);
2993 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2995 list_del_rcu(&set->list);
2996 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2997 nft_set_destroy(set);
3000 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3001 struct sk_buff *skb, const struct nlmsghdr *nlh,
3002 const struct nlattr * const nla[])
3004 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3005 u8 genmask = nft_genmask_next(net);
3006 struct nft_set *set;
3010 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3011 return -EAFNOSUPPORT;
3012 if (nla[NFTA_SET_TABLE] == NULL)
3015 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3019 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3021 return PTR_ERR(set);
3022 if (!list_empty(&set->bindings))
3025 return nft_delset(&ctx, set);
3028 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3029 const struct nft_set *set,
3030 const struct nft_set_iter *iter,
3031 const struct nft_set_elem *elem)
3033 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3034 enum nft_registers dreg;
3036 dreg = nft_type_to_reg(set->dtype);
3037 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3038 set->dtype == NFT_DATA_VERDICT ?
3039 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3043 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3044 struct nft_set_binding *binding)
3046 struct nft_set_binding *i;
3047 struct nft_set_iter iter;
3049 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3052 if (binding->flags & NFT_SET_MAP) {
3053 /* If the set is already bound to the same chain all
3054 * jumps are already validated for that chain.
3056 list_for_each_entry(i, &set->bindings, list) {
3057 if (i->flags & NFT_SET_MAP &&
3058 i->chain == binding->chain)
3062 iter.genmask = nft_genmask_next(ctx->net);
3066 iter.fn = nf_tables_bind_check_setelem;
3068 set->ops->walk(ctx, set, &iter);
3073 binding->chain = ctx->chain;
3074 list_add_tail_rcu(&binding->list, &set->bindings);
3078 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3079 struct nft_set_binding *binding)
3081 list_del_rcu(&binding->list);
3083 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3084 nft_is_active(ctx->net, set))
3085 nf_tables_set_destroy(ctx, set);
3088 const struct nft_set_ext_type nft_set_ext_types[] = {
3089 [NFT_SET_EXT_KEY] = {
3090 .align = __alignof__(u32),
3092 [NFT_SET_EXT_DATA] = {
3093 .align = __alignof__(u32),
3095 [NFT_SET_EXT_EXPR] = {
3096 .align = __alignof__(struct nft_expr),
3098 [NFT_SET_EXT_FLAGS] = {
3100 .align = __alignof__(u8),
3102 [NFT_SET_EXT_TIMEOUT] = {
3104 .align = __alignof__(u64),
3106 [NFT_SET_EXT_EXPIRATION] = {
3107 .len = sizeof(unsigned long),
3108 .align = __alignof__(unsigned long),
3110 [NFT_SET_EXT_USERDATA] = {
3111 .len = sizeof(struct nft_userdata),
3112 .align = __alignof__(struct nft_userdata),
3115 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3121 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3122 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3123 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3124 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3125 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3126 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3127 .len = NFT_USERDATA_MAXLEN },
3130 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3131 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3132 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3133 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3134 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3137 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3138 const struct sk_buff *skb,
3139 const struct nlmsghdr *nlh,
3140 const struct nlattr * const nla[],
3143 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3144 struct nft_af_info *afi;
3145 struct nft_table *table;
3147 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3149 return PTR_ERR(afi);
3151 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3154 return PTR_ERR(table);
3156 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3160 static int nf_tables_fill_setelem(struct sk_buff *skb,
3161 const struct nft_set *set,
3162 const struct nft_set_elem *elem)
3164 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3165 unsigned char *b = skb_tail_pointer(skb);
3166 struct nlattr *nest;
3168 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3170 goto nla_put_failure;
3172 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3173 NFT_DATA_VALUE, set->klen) < 0)
3174 goto nla_put_failure;
3176 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3177 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3178 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3180 goto nla_put_failure;
3182 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3183 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3184 goto nla_put_failure;
3186 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3187 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3188 htonl(*nft_set_ext_flags(ext))))
3189 goto nla_put_failure;
3191 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3192 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3193 cpu_to_be64(jiffies_to_msecs(
3194 *nft_set_ext_timeout(ext))),
3196 goto nla_put_failure;
3198 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3199 unsigned long expires, now = jiffies;
3201 expires = *nft_set_ext_expiration(ext);
3202 if (time_before(now, expires))
3207 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3208 cpu_to_be64(jiffies_to_msecs(expires)),
3210 goto nla_put_failure;
3213 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3214 struct nft_userdata *udata;
3216 udata = nft_set_ext_userdata(ext);
3217 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3218 udata->len + 1, udata->data))
3219 goto nla_put_failure;
3222 nla_nest_end(skb, nest);
3230 struct nft_set_dump_args {
3231 const struct netlink_callback *cb;
3232 struct nft_set_iter iter;
3233 struct sk_buff *skb;
3236 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3237 const struct nft_set *set,
3238 const struct nft_set_iter *iter,
3239 const struct nft_set_elem *elem)
3241 struct nft_set_dump_args *args;
3243 args = container_of(iter, struct nft_set_dump_args, iter);
3244 return nf_tables_fill_setelem(args->skb, set, elem);
3247 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3249 struct net *net = sock_net(skb->sk);
3250 u8 genmask = nft_genmask_cur(net);
3251 const struct nft_set *set;
3252 struct nft_set_dump_args args;
3254 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3255 struct nfgenmsg *nfmsg;
3256 struct nlmsghdr *nlh;
3257 struct nlattr *nest;
3261 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3262 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3266 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3267 (void *)nla, genmask);
3271 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3274 return PTR_ERR(set);
3276 event = NFT_MSG_NEWSETELEM;
3277 event |= NFNL_SUBSYS_NFTABLES << 8;
3278 portid = NETLINK_CB(cb->skb).portid;
3279 seq = cb->nlh->nlmsg_seq;
3281 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3284 goto nla_put_failure;
3286 nfmsg = nlmsg_data(nlh);
3287 nfmsg->nfgen_family = ctx.afi->family;
3288 nfmsg->version = NFNETLINK_V0;
3289 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3291 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3292 goto nla_put_failure;
3293 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3294 goto nla_put_failure;
3296 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3298 goto nla_put_failure;
3302 args.iter.genmask = nft_genmask_cur(ctx.net);
3303 args.iter.skip = cb->args[0];
3304 args.iter.count = 0;
3306 args.iter.fn = nf_tables_dump_setelem;
3307 set->ops->walk(&ctx, set, &args.iter);
3309 nla_nest_end(skb, nest);
3310 nlmsg_end(skb, nlh);
3312 if (args.iter.err && args.iter.err != -EMSGSIZE)
3313 return args.iter.err;
3314 if (args.iter.count == cb->args[0])
3317 cb->args[0] = args.iter.count;
3324 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3325 struct sk_buff *skb, const struct nlmsghdr *nlh,
3326 const struct nlattr * const nla[])
3328 u8 genmask = nft_genmask_cur(net);
3329 const struct nft_set *set;
3333 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3337 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3340 return PTR_ERR(set);
3342 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3343 struct netlink_dump_control c = {
3344 .dump = nf_tables_dump_set,
3346 return netlink_dump_start(nlsk, skb, nlh, &c);
3351 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3352 const struct nft_ctx *ctx, u32 seq,
3353 u32 portid, int event, u16 flags,
3354 const struct nft_set *set,
3355 const struct nft_set_elem *elem)
3357 struct nfgenmsg *nfmsg;
3358 struct nlmsghdr *nlh;
3359 struct nlattr *nest;
3362 event |= NFNL_SUBSYS_NFTABLES << 8;
3363 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3366 goto nla_put_failure;
3368 nfmsg = nlmsg_data(nlh);
3369 nfmsg->nfgen_family = ctx->afi->family;
3370 nfmsg->version = NFNETLINK_V0;
3371 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3373 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3374 goto nla_put_failure;
3375 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3376 goto nla_put_failure;
3378 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3380 goto nla_put_failure;
3382 err = nf_tables_fill_setelem(skb, set, elem);
3384 goto nla_put_failure;
3386 nla_nest_end(skb, nest);
3388 nlmsg_end(skb, nlh);
3392 nlmsg_trim(skb, nlh);
3396 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3397 const struct nft_set *set,
3398 const struct nft_set_elem *elem,
3399 int event, u16 flags)
3401 struct net *net = ctx->net;
3402 u32 portid = ctx->portid;
3403 struct sk_buff *skb;
3406 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3410 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3414 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3421 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3425 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3429 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3431 struct nft_set *set)
3433 struct nft_trans *trans;
3435 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3439 nft_trans_elem_set(trans) = set;
3443 void *nft_set_elem_init(const struct nft_set *set,
3444 const struct nft_set_ext_tmpl *tmpl,
3445 const u32 *key, const u32 *data,
3446 u64 timeout, gfp_t gfp)
3448 struct nft_set_ext *ext;
3451 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3455 ext = nft_set_elem_ext(set, elem);
3456 nft_set_ext_init(ext, tmpl);
3458 memcpy(nft_set_ext_key(ext), key, set->klen);
3459 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3460 memcpy(nft_set_ext_data(ext), data, set->dlen);
3461 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3462 *nft_set_ext_expiration(ext) =
3464 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3465 *nft_set_ext_timeout(ext) = timeout;
3470 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3473 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3475 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3476 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3477 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3478 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3479 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3483 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3485 static int nft_setelem_parse_flags(const struct nft_set *set,
3486 const struct nlattr *attr, u32 *flags)
3491 *flags = ntohl(nla_get_be32(attr));
3492 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3494 if (!(set->flags & NFT_SET_INTERVAL) &&
3495 *flags & NFT_SET_ELEM_INTERVAL_END)
3501 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3502 const struct nlattr *attr, u32 nlmsg_flags)
3504 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3505 struct nft_data_desc d1, d2;
3506 struct nft_set_ext_tmpl tmpl;
3507 struct nft_set_ext *ext, *ext2;
3508 struct nft_set_elem elem;
3509 struct nft_set_binding *binding;
3510 struct nft_userdata *udata;
3511 struct nft_data data;
3512 enum nft_registers dreg;
3513 struct nft_trans *trans;
3519 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3520 nft_set_elem_policy);
3524 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3527 nft_set_ext_prepare(&tmpl);
3529 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3533 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3535 if (set->flags & NFT_SET_MAP) {
3536 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3537 !(flags & NFT_SET_ELEM_INTERVAL_END))
3539 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3540 flags & NFT_SET_ELEM_INTERVAL_END)
3543 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3548 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3549 if (!(set->flags & NFT_SET_TIMEOUT))
3551 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3552 nla[NFTA_SET_ELEM_TIMEOUT])));
3553 } else if (set->flags & NFT_SET_TIMEOUT) {
3554 timeout = set->timeout;
3557 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3558 nla[NFTA_SET_ELEM_KEY]);
3562 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3565 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3567 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3568 if (timeout != set->timeout)
3569 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3572 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3573 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3574 nla[NFTA_SET_ELEM_DATA]);
3579 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3582 dreg = nft_type_to_reg(set->dtype);
3583 list_for_each_entry(binding, &set->bindings, list) {
3584 struct nft_ctx bind_ctx = {
3587 .table = ctx->table,
3588 .chain = (struct nft_chain *)binding->chain,
3591 if (!(binding->flags & NFT_SET_MAP))
3594 err = nft_validate_register_store(&bind_ctx, dreg,
3601 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3604 /* The full maximum length of userdata can exceed the maximum
3605 * offset value (U8_MAX) for following extensions, therefor it
3606 * must be the last extension added.
3609 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3610 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3612 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3617 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3618 timeout, GFP_KERNEL);
3619 if (elem.priv == NULL)
3622 ext = nft_set_elem_ext(set, elem.priv);
3624 *nft_set_ext_flags(ext) = flags;
3626 udata = nft_set_ext_userdata(ext);
3627 udata->len = ulen - 1;
3628 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3631 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3635 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3636 err = set->ops->insert(ctx->net, set, &elem, &ext2);
3638 if (err == -EEXIST) {
3639 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3640 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
3641 memcmp(nft_set_ext_data(ext),
3642 nft_set_ext_data(ext2), set->dlen) != 0)
3644 else if (!(nlmsg_flags & NLM_F_EXCL))
3651 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
3656 nft_trans_elem(trans) = elem;
3657 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3661 set->ops->remove(set, &elem);
3667 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3668 nft_data_uninit(&data, d2.type);
3670 nft_data_uninit(&elem.key.val, d1.type);
3675 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3676 struct sk_buff *skb, const struct nlmsghdr *nlh,
3677 const struct nlattr * const nla[])
3679 u8 genmask = nft_genmask_next(net);
3680 const struct nlattr *attr;
3681 struct nft_set *set;
3685 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3688 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3692 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3695 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3696 set = nf_tables_set_lookup_byid(net,
3697 nla[NFTA_SET_ELEM_LIST_SET_ID],
3701 return PTR_ERR(set);
3704 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3707 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3708 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
3715 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3716 const struct nlattr *attr)
3718 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3719 struct nft_set_ext_tmpl tmpl;
3720 struct nft_data_desc desc;
3721 struct nft_set_elem elem;
3722 struct nft_set_ext *ext;
3723 struct nft_trans *trans;
3728 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3729 nft_set_elem_policy);
3734 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3737 nft_set_ext_prepare(&tmpl);
3739 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3743 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3745 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3746 nla[NFTA_SET_ELEM_KEY]);
3751 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3754 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
3757 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
3759 if (elem.priv == NULL)
3762 ext = nft_set_elem_ext(set, elem.priv);
3764 *nft_set_ext_flags(ext) = flags;
3766 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3767 if (trans == NULL) {
3772 priv = set->ops->deactivate(ctx->net, set, &elem);
3780 nft_trans_elem(trans) = elem;
3781 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3789 nft_data_uninit(&elem.key.val, desc.type);
3794 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3795 struct sk_buff *skb, const struct nlmsghdr *nlh,
3796 const struct nlattr * const nla[])
3798 u8 genmask = nft_genmask_next(net);
3799 const struct nlattr *attr;
3800 struct nft_set *set;
3804 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3807 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3811 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3814 return PTR_ERR(set);
3815 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3818 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3819 err = nft_del_setelem(&ctx, set, attr);
3828 void nft_set_gc_batch_release(struct rcu_head *rcu)
3830 struct nft_set_gc_batch *gcb;
3833 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3834 for (i = 0; i < gcb->head.cnt; i++)
3835 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
3838 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3840 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3843 struct nft_set_gc_batch *gcb;
3845 gcb = kzalloc(sizeof(*gcb), gfp);
3848 gcb->head.set = set;
3851 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3853 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3854 u32 portid, u32 seq)
3856 struct nlmsghdr *nlh;
3857 struct nfgenmsg *nfmsg;
3858 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3860 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3862 goto nla_put_failure;
3864 nfmsg = nlmsg_data(nlh);
3865 nfmsg->nfgen_family = AF_UNSPEC;
3866 nfmsg->version = NFNETLINK_V0;
3867 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3869 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3870 goto nla_put_failure;
3872 nlmsg_end(skb, nlh);
3876 nlmsg_trim(skb, nlh);
3880 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3882 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3883 struct sk_buff *skb2;
3886 if (nlmsg_report(nlh) &&
3887 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3891 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3895 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3902 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3903 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3906 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3912 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3913 struct sk_buff *skb, const struct nlmsghdr *nlh,
3914 const struct nlattr * const nla[])
3916 struct sk_buff *skb2;
3919 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3923 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3928 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3934 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3935 [NFT_MSG_NEWTABLE] = {
3936 .call_batch = nf_tables_newtable,
3937 .attr_count = NFTA_TABLE_MAX,
3938 .policy = nft_table_policy,
3940 [NFT_MSG_GETTABLE] = {
3941 .call = nf_tables_gettable,
3942 .attr_count = NFTA_TABLE_MAX,
3943 .policy = nft_table_policy,
3945 [NFT_MSG_DELTABLE] = {
3946 .call_batch = nf_tables_deltable,
3947 .attr_count = NFTA_TABLE_MAX,
3948 .policy = nft_table_policy,
3950 [NFT_MSG_NEWCHAIN] = {
3951 .call_batch = nf_tables_newchain,
3952 .attr_count = NFTA_CHAIN_MAX,
3953 .policy = nft_chain_policy,
3955 [NFT_MSG_GETCHAIN] = {
3956 .call = nf_tables_getchain,
3957 .attr_count = NFTA_CHAIN_MAX,
3958 .policy = nft_chain_policy,
3960 [NFT_MSG_DELCHAIN] = {
3961 .call_batch = nf_tables_delchain,
3962 .attr_count = NFTA_CHAIN_MAX,
3963 .policy = nft_chain_policy,
3965 [NFT_MSG_NEWRULE] = {
3966 .call_batch = nf_tables_newrule,
3967 .attr_count = NFTA_RULE_MAX,
3968 .policy = nft_rule_policy,
3970 [NFT_MSG_GETRULE] = {
3971 .call = nf_tables_getrule,
3972 .attr_count = NFTA_RULE_MAX,
3973 .policy = nft_rule_policy,
3975 [NFT_MSG_DELRULE] = {
3976 .call_batch = nf_tables_delrule,
3977 .attr_count = NFTA_RULE_MAX,
3978 .policy = nft_rule_policy,
3980 [NFT_MSG_NEWSET] = {
3981 .call_batch = nf_tables_newset,
3982 .attr_count = NFTA_SET_MAX,
3983 .policy = nft_set_policy,
3985 [NFT_MSG_GETSET] = {
3986 .call = nf_tables_getset,
3987 .attr_count = NFTA_SET_MAX,
3988 .policy = nft_set_policy,
3990 [NFT_MSG_DELSET] = {
3991 .call_batch = nf_tables_delset,
3992 .attr_count = NFTA_SET_MAX,
3993 .policy = nft_set_policy,
3995 [NFT_MSG_NEWSETELEM] = {
3996 .call_batch = nf_tables_newsetelem,
3997 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3998 .policy = nft_set_elem_list_policy,
4000 [NFT_MSG_GETSETELEM] = {
4001 .call = nf_tables_getsetelem,
4002 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4003 .policy = nft_set_elem_list_policy,
4005 [NFT_MSG_DELSETELEM] = {
4006 .call_batch = nf_tables_delsetelem,
4007 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4008 .policy = nft_set_elem_list_policy,
4010 [NFT_MSG_GETGEN] = {
4011 .call = nf_tables_getgen,
4015 static void nft_chain_commit_update(struct nft_trans *trans)
4017 struct nft_base_chain *basechain;
4019 if (nft_trans_chain_name(trans)[0])
4020 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
4022 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
4025 basechain = nft_base_chain(trans->ctx.chain);
4026 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
4028 switch (nft_trans_chain_policy(trans)) {
4031 basechain->policy = nft_trans_chain_policy(trans);
4036 static void nf_tables_commit_release(struct nft_trans *trans)
4038 switch (trans->msg_type) {
4039 case NFT_MSG_DELTABLE:
4040 nf_tables_table_destroy(&trans->ctx);
4042 case NFT_MSG_DELCHAIN:
4043 nf_tables_chain_destroy(trans->ctx.chain);
4045 case NFT_MSG_DELRULE:
4046 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4048 case NFT_MSG_DELSET:
4049 nft_set_destroy(nft_trans_set(trans));
4051 case NFT_MSG_DELSETELEM:
4052 nft_set_elem_destroy(nft_trans_elem_set(trans),
4053 nft_trans_elem(trans).priv, true);
4059 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
4061 struct nft_trans *trans, *next;
4062 struct nft_trans_elem *te;
4064 /* Bump generation counter, invalidate any dump in progress */
4065 while (++net->nft.base_seq == 0);
4067 /* A new generation has just started */
4068 net->nft.gencursor = nft_gencursor_next(net);
4070 /* Make sure all packets have left the previous generation before
4071 * purging old rules.
4075 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4076 switch (trans->msg_type) {
4077 case NFT_MSG_NEWTABLE:
4078 if (nft_trans_table_update(trans)) {
4079 if (!nft_trans_table_enable(trans)) {
4080 nf_tables_table_disable(net,
4083 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4086 nft_clear(net, trans->ctx.table);
4088 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
4089 nft_trans_destroy(trans);
4091 case NFT_MSG_DELTABLE:
4092 list_del_rcu(&trans->ctx.table->list);
4093 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
4095 case NFT_MSG_NEWCHAIN:
4096 if (nft_trans_chain_update(trans))
4097 nft_chain_commit_update(trans);
4099 nft_clear(net, trans->ctx.chain);
4101 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
4102 nft_trans_destroy(trans);
4104 case NFT_MSG_DELCHAIN:
4105 list_del_rcu(&trans->ctx.chain->list);
4106 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
4107 nf_tables_unregister_hooks(trans->ctx.net,
4110 trans->ctx.afi->nops);
4112 case NFT_MSG_NEWRULE:
4113 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4114 nf_tables_rule_notify(&trans->ctx,
4115 nft_trans_rule(trans),
4117 nft_trans_destroy(trans);
4119 case NFT_MSG_DELRULE:
4120 list_del_rcu(&nft_trans_rule(trans)->list);
4121 nf_tables_rule_notify(&trans->ctx,
4122 nft_trans_rule(trans),
4125 case NFT_MSG_NEWSET:
4126 nft_clear(net, nft_trans_set(trans));
4127 /* This avoids hitting -EBUSY when deleting the table
4128 * from the transaction.
4130 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
4131 !list_empty(&nft_trans_set(trans)->bindings))
4132 trans->ctx.table->use--;
4134 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4135 NFT_MSG_NEWSET, GFP_KERNEL);
4136 nft_trans_destroy(trans);
4138 case NFT_MSG_DELSET:
4139 list_del_rcu(&nft_trans_set(trans)->list);
4140 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4141 NFT_MSG_DELSET, GFP_KERNEL);
4143 case NFT_MSG_NEWSETELEM:
4144 te = (struct nft_trans_elem *)trans->data;
4146 te->set->ops->activate(net, te->set, &te->elem);
4147 nf_tables_setelem_notify(&trans->ctx, te->set,
4149 NFT_MSG_NEWSETELEM, 0);
4150 nft_trans_destroy(trans);
4152 case NFT_MSG_DELSETELEM:
4153 te = (struct nft_trans_elem *)trans->data;
4155 nf_tables_setelem_notify(&trans->ctx, te->set,
4157 NFT_MSG_DELSETELEM, 0);
4158 te->set->ops->remove(te->set, &te->elem);
4159 atomic_dec(&te->set->nelems);
4167 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4168 list_del(&trans->list);
4169 nf_tables_commit_release(trans);
4172 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
4177 static void nf_tables_abort_release(struct nft_trans *trans)
4179 switch (trans->msg_type) {
4180 case NFT_MSG_NEWTABLE:
4181 nf_tables_table_destroy(&trans->ctx);
4183 case NFT_MSG_NEWCHAIN:
4184 nf_tables_chain_destroy(trans->ctx.chain);
4186 case NFT_MSG_NEWRULE:
4187 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4189 case NFT_MSG_NEWSET:
4190 nft_set_destroy(nft_trans_set(trans));
4192 case NFT_MSG_NEWSETELEM:
4193 nft_set_elem_destroy(nft_trans_elem_set(trans),
4194 nft_trans_elem(trans).priv, true);
4200 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4202 struct nft_trans *trans, *next;
4203 struct nft_trans_elem *te;
4205 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4207 switch (trans->msg_type) {
4208 case NFT_MSG_NEWTABLE:
4209 if (nft_trans_table_update(trans)) {
4210 if (nft_trans_table_enable(trans)) {
4211 nf_tables_table_disable(net,
4214 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4216 nft_trans_destroy(trans);
4218 list_del_rcu(&trans->ctx.table->list);
4221 case NFT_MSG_DELTABLE:
4222 nft_clear(trans->ctx.net, trans->ctx.table);
4223 nft_trans_destroy(trans);
4225 case NFT_MSG_NEWCHAIN:
4226 if (nft_trans_chain_update(trans)) {
4227 free_percpu(nft_trans_chain_stats(trans));
4229 nft_trans_destroy(trans);
4231 trans->ctx.table->use--;
4232 list_del_rcu(&trans->ctx.chain->list);
4233 nf_tables_unregister_hooks(trans->ctx.net,
4236 trans->ctx.afi->nops);
4239 case NFT_MSG_DELCHAIN:
4240 trans->ctx.table->use++;
4241 nft_clear(trans->ctx.net, trans->ctx.chain);
4242 nft_trans_destroy(trans);
4244 case NFT_MSG_NEWRULE:
4245 trans->ctx.chain->use--;
4246 list_del_rcu(&nft_trans_rule(trans)->list);
4248 case NFT_MSG_DELRULE:
4249 trans->ctx.chain->use++;
4250 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4251 nft_trans_destroy(trans);
4253 case NFT_MSG_NEWSET:
4254 trans->ctx.table->use--;
4255 list_del_rcu(&nft_trans_set(trans)->list);
4257 case NFT_MSG_DELSET:
4258 trans->ctx.table->use++;
4259 nft_clear(trans->ctx.net, nft_trans_set(trans));
4260 nft_trans_destroy(trans);
4262 case NFT_MSG_NEWSETELEM:
4263 te = (struct nft_trans_elem *)trans->data;
4265 te->set->ops->remove(te->set, &te->elem);
4266 atomic_dec(&te->set->nelems);
4268 case NFT_MSG_DELSETELEM:
4269 te = (struct nft_trans_elem *)trans->data;
4271 te->set->ops->activate(net, te->set, &te->elem);
4274 nft_trans_destroy(trans);
4281 list_for_each_entry_safe_reverse(trans, next,
4282 &net->nft.commit_list, list) {
4283 list_del(&trans->list);
4284 nf_tables_abort_release(trans);
4290 static const struct nfnetlink_subsystem nf_tables_subsys = {
4291 .name = "nf_tables",
4292 .subsys_id = NFNL_SUBSYS_NFTABLES,
4293 .cb_count = NFT_MSG_MAX,
4295 .commit = nf_tables_commit,
4296 .abort = nf_tables_abort,
4299 int nft_chain_validate_dependency(const struct nft_chain *chain,
4300 enum nft_chain_type type)
4302 const struct nft_base_chain *basechain;
4304 if (chain->flags & NFT_BASE_CHAIN) {
4305 basechain = nft_base_chain(chain);
4306 if (basechain->type->type != type)
4311 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4313 int nft_chain_validate_hooks(const struct nft_chain *chain,
4314 unsigned int hook_flags)
4316 struct nft_base_chain *basechain;
4318 if (chain->flags & NFT_BASE_CHAIN) {
4319 basechain = nft_base_chain(chain);
4321 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4329 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4332 * Loop detection - walk through the ruleset beginning at the destination chain
4333 * of a new jump until either the source chain is reached (loop) or all
4334 * reachable chains have been traversed.
4336 * The loop check is performed whenever a new jump verdict is added to an
4337 * expression or verdict map or a verdict map is bound to a new chain.
4340 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4341 const struct nft_chain *chain);
4343 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4344 const struct nft_set *set,
4345 const struct nft_set_iter *iter,
4346 const struct nft_set_elem *elem)
4348 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4349 const struct nft_data *data;
4351 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4352 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4355 data = nft_set_ext_data(ext);
4356 switch (data->verdict.code) {
4359 return nf_tables_check_loops(ctx, data->verdict.chain);
4365 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4366 const struct nft_chain *chain)
4368 const struct nft_rule *rule;
4369 const struct nft_expr *expr, *last;
4370 const struct nft_set *set;
4371 struct nft_set_binding *binding;
4372 struct nft_set_iter iter;
4374 if (ctx->chain == chain)
4377 list_for_each_entry(rule, &chain->rules, list) {
4378 nft_rule_for_each_expr(expr, last, rule) {
4379 const struct nft_data *data = NULL;
4382 if (!expr->ops->validate)
4385 err = expr->ops->validate(ctx, expr, &data);
4392 switch (data->verdict.code) {
4395 err = nf_tables_check_loops(ctx,
4396 data->verdict.chain);
4405 list_for_each_entry(set, &ctx->table->sets, list) {
4406 if (!nft_is_active_next(ctx->net, set))
4408 if (!(set->flags & NFT_SET_MAP) ||
4409 set->dtype != NFT_DATA_VERDICT)
4412 list_for_each_entry(binding, &set->bindings, list) {
4413 if (!(binding->flags & NFT_SET_MAP) ||
4414 binding->chain != chain)
4417 iter.genmask = nft_genmask_next(ctx->net);
4421 iter.fn = nf_tables_loop_check_setelem;
4423 set->ops->walk(ctx, set, &iter);
4433 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
4435 * @attr: netlink attribute to fetch value from
4436 * @max: maximum value to be stored in dest
4437 * @dest: pointer to the variable
4439 * Parse, check and store a given u32 netlink attribute into variable.
4440 * This function returns -ERANGE if the value goes over maximum value.
4441 * Otherwise a 0 is returned and the attribute value is stored in the
4442 * destination variable.
4444 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
4448 val = ntohl(nla_get_be32(attr));
4455 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
4458 * nft_parse_register - parse a register value from a netlink attribute
4460 * @attr: netlink attribute
4462 * Parse and translate a register value from a netlink attribute.
4463 * Registers used to be 128 bit wide, these register numbers will be
4464 * mapped to the corresponding 32 bit register numbers.
4466 unsigned int nft_parse_register(const struct nlattr *attr)
4470 reg = ntohl(nla_get_be32(attr));
4472 case NFT_REG_VERDICT...NFT_REG_4:
4473 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4475 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4478 EXPORT_SYMBOL_GPL(nft_parse_register);
4481 * nft_dump_register - dump a register value to a netlink attribute
4483 * @skb: socket buffer
4484 * @attr: attribute number
4485 * @reg: register number
4487 * Construct a netlink attribute containing the register number. For
4488 * compatibility reasons, register numbers being a multiple of 4 are
4489 * translated to the corresponding 128 bit register numbers.
4491 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4493 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4494 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4496 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4498 return nla_put_be32(skb, attr, htonl(reg));
4500 EXPORT_SYMBOL_GPL(nft_dump_register);
4503 * nft_validate_register_load - validate a load from a register
4505 * @reg: the register number
4506 * @len: the length of the data
4508 * Validate that the input register is one of the general purpose
4509 * registers and that the length of the load is within the bounds.
4511 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4513 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4517 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4522 EXPORT_SYMBOL_GPL(nft_validate_register_load);
4525 * nft_validate_register_store - validate an expressions' register store
4527 * @ctx: context of the expression performing the load
4528 * @reg: the destination register number
4529 * @data: the data to load
4530 * @type: the data type
4531 * @len: the length of the data
4533 * Validate that a data load uses the appropriate data type for
4534 * the destination register and the length is within the bounds.
4535 * A value of NULL for the data means that its runtime gathered
4538 int nft_validate_register_store(const struct nft_ctx *ctx,
4539 enum nft_registers reg,
4540 const struct nft_data *data,
4541 enum nft_data_types type, unsigned int len)
4546 case NFT_REG_VERDICT:
4547 if (type != NFT_DATA_VERDICT)
4551 (data->verdict.code == NFT_GOTO ||
4552 data->verdict.code == NFT_JUMP)) {
4553 err = nf_tables_check_loops(ctx, data->verdict.chain);
4557 if (ctx->chain->level + 1 >
4558 data->verdict.chain->level) {
4559 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4561 data->verdict.chain->level = ctx->chain->level + 1;
4567 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4571 if (reg * NFT_REG32_SIZE + len >
4572 FIELD_SIZEOF(struct nft_regs, data))
4575 if (data != NULL && type != NFT_DATA_VALUE)
4580 EXPORT_SYMBOL_GPL(nft_validate_register_store);
4582 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4583 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4584 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4585 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4588 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4589 struct nft_data_desc *desc, const struct nlattr *nla)
4591 u8 genmask = nft_genmask_next(ctx->net);
4592 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4593 struct nft_chain *chain;
4596 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4600 if (!tb[NFTA_VERDICT_CODE])
4602 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4604 switch (data->verdict.code) {
4606 switch (data->verdict.code & NF_VERDICT_MASK) {
4621 if (!tb[NFTA_VERDICT_CHAIN])
4623 chain = nf_tables_chain_lookup(ctx->table,
4624 tb[NFTA_VERDICT_CHAIN], genmask);
4626 return PTR_ERR(chain);
4627 if (chain->flags & NFT_BASE_CHAIN)
4631 data->verdict.chain = chain;
4635 desc->len = sizeof(data->verdict);
4636 desc->type = NFT_DATA_VERDICT;
4640 static void nft_verdict_uninit(const struct nft_data *data)
4642 switch (data->verdict.code) {
4645 data->verdict.chain->use--;
4650 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4652 struct nlattr *nest;
4654 nest = nla_nest_start(skb, type);
4656 goto nla_put_failure;
4658 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4659 goto nla_put_failure;
4664 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4666 goto nla_put_failure;
4668 nla_nest_end(skb, nest);
4675 static int nft_value_init(const struct nft_ctx *ctx,
4676 struct nft_data *data, unsigned int size,
4677 struct nft_data_desc *desc, const struct nlattr *nla)
4687 nla_memcpy(data->data, nla, len);
4688 desc->type = NFT_DATA_VALUE;
4693 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4696 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4699 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4700 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4701 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4705 * nft_data_init - parse nf_tables data netlink attributes
4707 * @ctx: context of the expression using the data
4708 * @data: destination struct nft_data
4709 * @size: maximum data length
4710 * @desc: data description
4711 * @nla: netlink attribute containing data
4713 * Parse the netlink data attributes and initialize a struct nft_data.
4714 * The type and length of data are returned in the data description.
4716 * The caller can indicate that it only wants to accept data of type
4717 * NFT_DATA_VALUE by passing NULL for the ctx argument.
4719 int nft_data_init(const struct nft_ctx *ctx,
4720 struct nft_data *data, unsigned int size,
4721 struct nft_data_desc *desc, const struct nlattr *nla)
4723 struct nlattr *tb[NFTA_DATA_MAX + 1];
4726 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4730 if (tb[NFTA_DATA_VALUE])
4731 return nft_value_init(ctx, data, size, desc,
4732 tb[NFTA_DATA_VALUE]);
4733 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4734 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4737 EXPORT_SYMBOL_GPL(nft_data_init);
4740 * nft_data_uninit - release a nft_data item
4742 * @data: struct nft_data to release
4743 * @type: type of data
4745 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4746 * all others need to be released by calling this function.
4748 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4750 if (type < NFT_DATA_VERDICT)
4753 case NFT_DATA_VERDICT:
4754 return nft_verdict_uninit(data);
4759 EXPORT_SYMBOL_GPL(nft_data_uninit);
4761 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4762 enum nft_data_types type, unsigned int len)
4764 struct nlattr *nest;
4767 nest = nla_nest_start(skb, attr);
4772 case NFT_DATA_VALUE:
4773 err = nft_value_dump(skb, data, len);
4775 case NFT_DATA_VERDICT:
4776 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4783 nla_nest_end(skb, nest);
4786 EXPORT_SYMBOL_GPL(nft_data_dump);
4788 static int __net_init nf_tables_init_net(struct net *net)
4790 INIT_LIST_HEAD(&net->nft.af_info);
4791 INIT_LIST_HEAD(&net->nft.commit_list);
4792 net->nft.base_seq = 1;
4796 int __nft_release_basechain(struct nft_ctx *ctx)
4798 struct nft_rule *rule, *nr;
4800 BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4802 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
4804 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4805 list_del(&rule->list);
4807 nf_tables_rule_destroy(ctx, rule);
4809 list_del(&ctx->chain->list);
4811 nf_tables_chain_destroy(ctx->chain);
4815 EXPORT_SYMBOL_GPL(__nft_release_basechain);
4817 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
4818 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4820 struct nft_table *table, *nt;
4821 struct nft_chain *chain, *nc;
4822 struct nft_rule *rule, *nr;
4823 struct nft_set *set, *ns;
4824 struct nft_ctx ctx = {
4829 list_for_each_entry_safe(table, nt, &afi->tables, list) {
4830 list_for_each_entry(chain, &table->chains, list)
4831 nf_tables_unregister_hooks(net, table, chain,
4833 /* No packets are walking on these chains anymore. */
4835 list_for_each_entry(chain, &table->chains, list) {
4837 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4838 list_del(&rule->list);
4840 nf_tables_rule_destroy(&ctx, rule);
4843 list_for_each_entry_safe(set, ns, &table->sets, list) {
4844 list_del(&set->list);
4846 nft_set_destroy(set);
4848 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4849 list_del(&chain->list);
4851 nf_tables_chain_destroy(chain);
4853 list_del(&table->list);
4854 nf_tables_table_destroy(&ctx);
4858 static struct pernet_operations nf_tables_net_ops = {
4859 .init = nf_tables_init_net,
4862 static int __init nf_tables_module_init(void)
4866 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4873 err = nf_tables_core_module_init();
4877 err = nfnetlink_subsys_register(&nf_tables_subsys);
4881 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4882 return register_pernet_subsys(&nf_tables_net_ops);
4884 nf_tables_core_module_exit();
4891 static void __exit nf_tables_module_exit(void)
4893 unregister_pernet_subsys(&nf_tables_net_ops);
4894 nfnetlink_subsys_unregister(&nf_tables_subsys);
4896 nf_tables_core_module_exit();
4900 module_init(nf_tables_module_init);
4901 module_exit(nf_tables_module_exit);
4903 MODULE_LICENSE("GPL");
4904 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4905 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / releases.git / blob