1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 unsigned int nf_tables_net_id __read_mostly;
30 static LIST_HEAD(nf_tables_expressions);
31 static LIST_HEAD(nf_tables_objects);
32 static LIST_HEAD(nf_tables_flowtables);
33 static LIST_HEAD(nf_tables_destroy_list);
34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 NFT_VALIDATE_SKIP = 0,
42 static struct rhltable nft_objname_ht;
44 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
49 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
50 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
52 static const struct rhashtable_params nft_chain_ht_params = {
53 .head_offset = offsetof(struct nft_chain, rhlhead),
54 .key_offset = offsetof(struct nft_chain, name),
55 .hashfn = nft_chain_hash,
56 .obj_hashfn = nft_chain_hash_obj,
57 .obj_cmpfn = nft_chain_hash_cmp,
58 .automatic_shrinking = true,
61 static const struct rhashtable_params nft_objname_ht_params = {
62 .head_offset = offsetof(struct nft_object, rhlhead),
63 .key_offset = offsetof(struct nft_object, key),
64 .hashfn = nft_objname_hash,
65 .obj_hashfn = nft_objname_hash_obj,
66 .obj_cmpfn = nft_objname_hash_cmp,
67 .automatic_shrinking = true,
70 struct nft_audit_data {
71 struct nft_table *table;
74 struct list_head list;
77 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
78 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
79 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
80 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
81 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
82 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
84 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
85 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
87 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
88 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
90 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
91 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
93 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
94 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
96 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
97 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
99 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
100 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
101 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
102 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
105 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
107 struct nftables_pernet *nft_net = nft_pernet(net);
109 switch (nft_net->validate_state) {
110 case NFT_VALIDATE_SKIP:
111 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
113 case NFT_VALIDATE_NEED:
115 case NFT_VALIDATE_DO:
116 if (new_validate_state == NFT_VALIDATE_NEED)
120 nft_net->validate_state = new_validate_state;
122 static void nf_tables_trans_destroy_work(struct work_struct *w);
123 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
125 static void nft_ctx_init(struct nft_ctx *ctx,
127 const struct sk_buff *skb,
128 const struct nlmsghdr *nlh,
130 struct nft_table *table,
131 struct nft_chain *chain,
132 const struct nlattr * const *nla)
135 ctx->family = family;
140 ctx->portid = NETLINK_CB(skb).portid;
141 ctx->report = nlmsg_report(nlh);
142 ctx->flags = nlh->nlmsg_flags;
143 ctx->seq = nlh->nlmsg_seq;
146 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
147 int msg_type, u32 size, gfp_t gfp)
149 struct nft_trans *trans;
151 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
155 INIT_LIST_HEAD(&trans->list);
156 trans->msg_type = msg_type;
162 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
163 int msg_type, u32 size)
165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
168 static void nft_trans_destroy(struct nft_trans *trans)
170 list_del(&trans->list);
174 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
176 struct nftables_pernet *nft_net;
177 struct net *net = ctx->net;
178 struct nft_trans *trans;
180 if (!nft_set_is_anonymous(set))
183 nft_net = nft_pernet(net);
184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
185 switch (trans->msg_type) {
187 if (nft_trans_set(trans) == set)
188 nft_trans_set_bound(trans) = true;
190 case NFT_MSG_NEWSETELEM:
191 if (nft_trans_elem_set(trans) == set)
192 nft_trans_elem_set_bound(trans) = true;
198 static int nft_netdev_register_hooks(struct net *net,
199 struct list_head *hook_list)
201 struct nft_hook *hook;
205 list_for_each_entry(hook, hook_list, list) {
206 err = nf_register_net_hook(net, &hook->ops);
215 list_for_each_entry(hook, hook_list, list) {
219 nf_unregister_net_hook(net, &hook->ops);
224 static void nft_netdev_unregister_hooks(struct net *net,
225 struct list_head *hook_list,
228 struct nft_hook *hook, *next;
230 list_for_each_entry_safe(hook, next, hook_list, list) {
231 nf_unregister_net_hook(net, &hook->ops);
232 if (release_netdev) {
233 list_del(&hook->list);
234 kfree_rcu(hook, rcu);
239 static int nf_tables_register_hook(struct net *net,
240 const struct nft_table *table,
241 struct nft_chain *chain)
243 struct nft_base_chain *basechain;
244 const struct nf_hook_ops *ops;
246 if (table->flags & NFT_TABLE_F_DORMANT ||
247 !nft_is_base_chain(chain))
250 basechain = nft_base_chain(chain);
251 ops = &basechain->ops;
253 if (basechain->type->ops_register)
254 return basechain->type->ops_register(net, ops);
256 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
257 return nft_netdev_register_hooks(net, &basechain->hook_list);
259 return nf_register_net_hook(net, &basechain->ops);
262 static void __nf_tables_unregister_hook(struct net *net,
263 const struct nft_table *table,
264 struct nft_chain *chain,
267 struct nft_base_chain *basechain;
268 const struct nf_hook_ops *ops;
270 if (table->flags & NFT_TABLE_F_DORMANT ||
271 !nft_is_base_chain(chain))
273 basechain = nft_base_chain(chain);
274 ops = &basechain->ops;
276 if (basechain->type->ops_unregister)
277 return basechain->type->ops_unregister(net, ops);
279 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
280 nft_netdev_unregister_hooks(net, &basechain->hook_list,
283 nf_unregister_net_hook(net, &basechain->ops);
286 static void nf_tables_unregister_hook(struct net *net,
287 const struct nft_table *table,
288 struct nft_chain *chain)
290 return __nf_tables_unregister_hook(net, table, chain, false);
293 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
295 struct nftables_pernet *nft_net = nft_pernet(net);
297 list_add_tail(&trans->list, &nft_net->commit_list);
300 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
302 struct nft_trans *trans;
304 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
308 if (msg_type == NFT_MSG_NEWTABLE)
309 nft_activate_next(ctx->net, ctx->table);
311 nft_trans_commit_list_add_tail(ctx->net, trans);
315 static int nft_deltable(struct nft_ctx *ctx)
319 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
323 nft_deactivate_next(ctx->net, ctx->table);
327 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
329 struct nft_trans *trans;
331 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
333 return ERR_PTR(-ENOMEM);
335 if (msg_type == NFT_MSG_NEWCHAIN) {
336 nft_activate_next(ctx->net, ctx->chain);
338 if (ctx->nla[NFTA_CHAIN_ID]) {
339 nft_trans_chain_id(trans) =
340 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
344 nft_trans_commit_list_add_tail(ctx->net, trans);
348 static int nft_delchain(struct nft_ctx *ctx)
350 struct nft_trans *trans;
352 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
354 return PTR_ERR(trans);
357 nft_deactivate_next(ctx->net, ctx->chain);
362 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
363 struct nft_rule *rule)
365 struct nft_expr *expr;
367 expr = nft_expr_first(rule);
368 while (nft_expr_more(rule, expr)) {
369 if (expr->ops->activate)
370 expr->ops->activate(ctx, expr);
372 expr = nft_expr_next(expr);
376 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
377 struct nft_rule *rule,
378 enum nft_trans_phase phase)
380 struct nft_expr *expr;
382 expr = nft_expr_first(rule);
383 while (nft_expr_more(rule, expr)) {
384 if (expr->ops->deactivate)
385 expr->ops->deactivate(ctx, expr, phase);
387 expr = nft_expr_next(expr);
392 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
394 /* You cannot delete the same rule twice */
395 if (nft_is_active_next(ctx->net, rule)) {
396 nft_deactivate_next(ctx->net, rule);
403 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
404 struct nft_rule *rule)
406 struct nft_trans *trans;
408 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
412 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
413 nft_trans_rule_id(trans) =
414 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
416 nft_trans_rule(trans) = rule;
417 nft_trans_commit_list_add_tail(ctx->net, trans);
422 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
424 struct nft_flow_rule *flow;
425 struct nft_trans *trans;
428 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
432 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
433 flow = nft_flow_rule_create(ctx->net, rule);
435 nft_trans_destroy(trans);
436 return PTR_ERR(flow);
439 nft_trans_flow_rule(trans) = flow;
442 err = nf_tables_delrule_deactivate(ctx, rule);
444 nft_trans_destroy(trans);
447 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
452 static int nft_delrule_by_chain(struct nft_ctx *ctx)
454 struct nft_rule *rule;
457 list_for_each_entry(rule, &ctx->chain->rules, list) {
458 if (!nft_is_active_next(ctx->net, rule))
461 err = nft_delrule(ctx, rule);
468 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
470 const struct nft_set_desc *desc)
472 struct nft_trans *trans;
474 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
478 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
479 nft_trans_set_id(trans) =
480 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
481 nft_activate_next(ctx->net, set);
483 nft_trans_set(trans) = set;
485 nft_trans_set_update(trans) = true;
486 nft_trans_set_gc_int(trans) = desc->gc_int;
487 nft_trans_set_timeout(trans) = desc->timeout;
489 nft_trans_commit_list_add_tail(ctx->net, trans);
494 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
497 return __nft_trans_set_add(ctx, msg_type, set, NULL);
500 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
504 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
508 nft_deactivate_next(ctx->net, set);
514 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
515 struct nft_object *obj)
517 struct nft_trans *trans;
519 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
523 if (msg_type == NFT_MSG_NEWOBJ)
524 nft_activate_next(ctx->net, obj);
526 nft_trans_obj(trans) = obj;
527 nft_trans_commit_list_add_tail(ctx->net, trans);
532 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
536 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
540 nft_deactivate_next(ctx->net, obj);
546 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
547 struct nft_flowtable *flowtable)
549 struct nft_trans *trans;
551 trans = nft_trans_alloc(ctx, msg_type,
552 sizeof(struct nft_trans_flowtable));
556 if (msg_type == NFT_MSG_NEWFLOWTABLE)
557 nft_activate_next(ctx->net, flowtable);
559 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
560 nft_trans_flowtable(trans) = flowtable;
561 nft_trans_commit_list_add_tail(ctx->net, trans);
566 static int nft_delflowtable(struct nft_ctx *ctx,
567 struct nft_flowtable *flowtable)
571 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
575 nft_deactivate_next(ctx->net, flowtable);
581 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
585 for (i = track->regs[dreg].num_reg; i > 0; i--)
586 __nft_reg_track_cancel(track, dreg - i);
589 static void __nft_reg_track_update(struct nft_regs_track *track,
590 const struct nft_expr *expr,
593 track->regs[dreg].selector = expr;
594 track->regs[dreg].bitwise = NULL;
595 track->regs[dreg].num_reg = num_reg;
598 void nft_reg_track_update(struct nft_regs_track *track,
599 const struct nft_expr *expr, u8 dreg, u8 len)
601 unsigned int regcount;
604 __nft_reg_track_clobber(track, dreg);
606 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
607 for (i = 0; i < regcount; i++, dreg++)
608 __nft_reg_track_update(track, expr, dreg, i);
610 EXPORT_SYMBOL_GPL(nft_reg_track_update);
612 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
614 unsigned int regcount;
617 __nft_reg_track_clobber(track, dreg);
619 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
620 for (i = 0; i < regcount; i++, dreg++)
621 __nft_reg_track_cancel(track, dreg);
623 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
625 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
627 track->regs[dreg].selector = NULL;
628 track->regs[dreg].bitwise = NULL;
629 track->regs[dreg].num_reg = 0;
631 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
637 static struct nft_table *nft_table_lookup(const struct net *net,
638 const struct nlattr *nla,
639 u8 family, u8 genmask, u32 nlpid)
641 struct nftables_pernet *nft_net;
642 struct nft_table *table;
645 return ERR_PTR(-EINVAL);
647 nft_net = nft_pernet(net);
648 list_for_each_entry_rcu(table, &nft_net->tables, list,
649 lockdep_is_held(&nft_net->commit_mutex)) {
650 if (!nla_strcmp(nla, table->name) &&
651 table->family == family &&
652 nft_active_genmask(table, genmask)) {
653 if (nft_table_has_owner(table) &&
654 nlpid && table->nlpid != nlpid)
655 return ERR_PTR(-EPERM);
661 return ERR_PTR(-ENOENT);
664 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
665 const struct nlattr *nla,
666 u8 genmask, u32 nlpid)
668 struct nftables_pernet *nft_net;
669 struct nft_table *table;
671 nft_net = nft_pernet(net);
672 list_for_each_entry(table, &nft_net->tables, list) {
673 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
674 nft_active_genmask(table, genmask)) {
675 if (nft_table_has_owner(table) &&
676 nlpid && table->nlpid != nlpid)
677 return ERR_PTR(-EPERM);
683 return ERR_PTR(-ENOENT);
686 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
688 return ++table->hgenerator;
691 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
693 static const struct nft_chain_type *
694 __nft_chain_type_get(u8 family, enum nft_chain_types type)
696 if (family >= NFPROTO_NUMPROTO ||
697 type >= NFT_CHAIN_T_MAX)
700 return chain_type[family][type];
703 static const struct nft_chain_type *
704 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
706 const struct nft_chain_type *type;
709 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
710 type = __nft_chain_type_get(family, i);
713 if (!nla_strcmp(nla, type->name))
719 struct nft_module_request {
720 struct list_head list;
721 char module[MODULE_NAME_LEN];
725 #ifdef CONFIG_MODULES
726 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
729 char module_name[MODULE_NAME_LEN];
730 struct nftables_pernet *nft_net;
731 struct nft_module_request *req;
736 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
738 if (ret >= MODULE_NAME_LEN)
741 nft_net = nft_pernet(net);
742 list_for_each_entry(req, &nft_net->module_list, list) {
743 if (!strcmp(req->module, module_name)) {
747 /* A request to load this module already exists. */
752 req = kmalloc(sizeof(*req), GFP_KERNEL);
757 strscpy(req->module, module_name, MODULE_NAME_LEN);
758 list_add_tail(&req->list, &nft_net->module_list);
762 EXPORT_SYMBOL_GPL(nft_request_module);
765 static void lockdep_nfnl_nft_mutex_not_held(void)
767 #ifdef CONFIG_PROVE_LOCKING
769 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
773 static const struct nft_chain_type *
774 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
775 u8 family, bool autoload)
777 const struct nft_chain_type *type;
779 type = __nf_tables_chain_type_lookup(nla, family);
783 lockdep_nfnl_nft_mutex_not_held();
784 #ifdef CONFIG_MODULES
786 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
788 (const char *)nla_data(nla)) == -EAGAIN)
789 return ERR_PTR(-EAGAIN);
792 return ERR_PTR(-ENOENT);
795 static __be16 nft_base_seq(const struct net *net)
797 struct nftables_pernet *nft_net = nft_pernet(net);
799 return htons(nft_net->base_seq & 0xffff);
802 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
803 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
804 .len = NFT_TABLE_MAXNAMELEN - 1 },
805 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
806 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
807 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
808 .len = NFT_USERDATA_MAXLEN }
811 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
812 u32 portid, u32 seq, int event, u32 flags,
813 int family, const struct nft_table *table)
815 struct nlmsghdr *nlh;
817 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
818 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
819 NFNETLINK_V0, nft_base_seq(net));
821 goto nla_put_failure;
823 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
824 nla_put_be32(skb, NFTA_TABLE_FLAGS,
825 htonl(table->flags & NFT_TABLE_F_MASK)) ||
826 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
827 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
829 goto nla_put_failure;
830 if (nft_table_has_owner(table) &&
831 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
832 goto nla_put_failure;
835 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
836 goto nla_put_failure;
843 nlmsg_trim(skb, nlh);
847 struct nftnl_skb_parms {
850 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
852 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
853 struct list_head *notify_list)
855 NFT_CB(skb).report = report;
856 list_add_tail(&skb->list, notify_list);
859 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
861 struct nftables_pernet *nft_net;
867 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
870 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
874 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
875 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
877 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
878 event, flags, ctx->family, ctx->table);
884 nft_net = nft_pernet(ctx->net);
885 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
888 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
891 static int nf_tables_dump_tables(struct sk_buff *skb,
892 struct netlink_callback *cb)
894 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
895 struct nftables_pernet *nft_net;
896 const struct nft_table *table;
897 unsigned int idx = 0, s_idx = cb->args[0];
898 struct net *net = sock_net(skb->sk);
899 int family = nfmsg->nfgen_family;
902 nft_net = nft_pernet(net);
903 cb->seq = READ_ONCE(nft_net->base_seq);
905 list_for_each_entry_rcu(table, &nft_net->tables, list) {
906 if (family != NFPROTO_UNSPEC && family != table->family)
912 memset(&cb->args[1], 0,
913 sizeof(cb->args) - sizeof(cb->args[0]));
914 if (!nft_is_active(net, table))
916 if (nf_tables_fill_table_info(skb, net,
917 NETLINK_CB(cb->skb).portid,
919 NFT_MSG_NEWTABLE, NLM_F_MULTI,
920 table->family, table) < 0)
923 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
933 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
934 const struct nlmsghdr *nlh,
935 struct netlink_dump_control *c)
939 if (!try_module_get(THIS_MODULE))
943 err = netlink_dump_start(nlsk, skb, nlh, c);
945 module_put(THIS_MODULE);
950 /* called with rcu_read_lock held */
951 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
952 const struct nlattr * const nla[])
954 struct netlink_ext_ack *extack = info->extack;
955 u8 genmask = nft_genmask_cur(info->net);
956 u8 family = info->nfmsg->nfgen_family;
957 const struct nft_table *table;
958 struct net *net = info->net;
959 struct sk_buff *skb2;
962 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
963 struct netlink_dump_control c = {
964 .dump = nf_tables_dump_tables,
965 .module = THIS_MODULE,
968 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
971 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
973 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
974 return PTR_ERR(table);
977 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
981 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
982 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
985 goto err_fill_table_info;
987 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
994 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
996 struct nft_chain *chain;
999 list_for_each_entry(chain, &table->chains, list) {
1000 if (!nft_is_active_next(net, chain))
1002 if (!nft_is_base_chain(chain))
1005 if (cnt && i++ == cnt)
1008 nf_tables_unregister_hook(net, table, chain);
1012 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1014 struct nft_chain *chain;
1017 list_for_each_entry(chain, &table->chains, list) {
1018 if (!nft_is_active_next(net, chain))
1020 if (!nft_is_base_chain(chain))
1023 err = nf_tables_register_hook(net, table, chain);
1025 goto err_register_hooks;
1033 nft_table_disable(net, table, i);
1037 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1039 table->flags &= ~NFT_TABLE_F_DORMANT;
1040 nft_table_disable(net, table, 0);
1041 table->flags |= NFT_TABLE_F_DORMANT;
1044 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1045 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1046 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1047 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1048 __NFT_TABLE_F_WAS_AWAKEN)
1050 static int nf_tables_updtable(struct nft_ctx *ctx)
1052 struct nft_trans *trans;
1056 if (!ctx->nla[NFTA_TABLE_FLAGS])
1059 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1060 if (flags & ~NFT_TABLE_F_MASK)
1063 if (flags == ctx->table->flags)
1066 if ((nft_table_has_owner(ctx->table) &&
1067 !(flags & NFT_TABLE_F_OWNER)) ||
1068 (!nft_table_has_owner(ctx->table) &&
1069 flags & NFT_TABLE_F_OWNER))
1072 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1073 sizeof(struct nft_trans_table));
1077 if ((flags & NFT_TABLE_F_DORMANT) &&
1078 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1079 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1080 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1081 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1082 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1083 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1084 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1085 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1086 ret = nf_tables_table_enable(ctx->net, ctx->table);
1088 goto err_register_hooks;
1090 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1094 nft_trans_table_update(trans) = true;
1095 nft_trans_commit_list_add_tail(ctx->net, trans);
1100 nft_trans_destroy(trans);
1104 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1106 const char *name = data;
1108 return jhash(name, strlen(name), seed);
1111 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1113 const struct nft_chain *chain = data;
1115 return nft_chain_hash(chain->name, 0, seed);
1118 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1121 const struct nft_chain *chain = ptr;
1122 const char *name = arg->key;
1124 return strcmp(chain->name, name);
1127 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1129 const struct nft_object_hash_key *k = data;
1131 seed ^= hash_ptr(k->table, 32);
1133 return jhash(k->name, strlen(k->name), seed);
1136 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1138 const struct nft_object *obj = data;
1140 return nft_objname_hash(&obj->key, 0, seed);
1143 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1146 const struct nft_object_hash_key *k = arg->key;
1147 const struct nft_object *obj = ptr;
1149 if (obj->key.table != k->table)
1152 return strcmp(obj->key.name, k->name);
1155 static bool nft_supported_family(u8 family)
1158 #ifdef CONFIG_NF_TABLES_INET
1159 || family == NFPROTO_INET
1161 #ifdef CONFIG_NF_TABLES_IPV4
1162 || family == NFPROTO_IPV4
1164 #ifdef CONFIG_NF_TABLES_ARP
1165 || family == NFPROTO_ARP
1167 #ifdef CONFIG_NF_TABLES_NETDEV
1168 || family == NFPROTO_NETDEV
1170 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1171 || family == NFPROTO_BRIDGE
1173 #ifdef CONFIG_NF_TABLES_IPV6
1174 || family == NFPROTO_IPV6
1179 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1180 const struct nlattr * const nla[])
1182 struct nftables_pernet *nft_net = nft_pernet(info->net);
1183 struct netlink_ext_ack *extack = info->extack;
1184 u8 genmask = nft_genmask_next(info->net);
1185 u8 family = info->nfmsg->nfgen_family;
1186 struct net *net = info->net;
1187 const struct nlattr *attr;
1188 struct nft_table *table;
1193 if (!nft_supported_family(family))
1196 lockdep_assert_held(&nft_net->commit_mutex);
1197 attr = nla[NFTA_TABLE_NAME];
1198 table = nft_table_lookup(net, attr, family, genmask,
1199 NETLINK_CB(skb).portid);
1200 if (IS_ERR(table)) {
1201 if (PTR_ERR(table) != -ENOENT)
1202 return PTR_ERR(table);
1204 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1205 NL_SET_BAD_ATTR(extack, attr);
1208 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1211 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1213 return nf_tables_updtable(&ctx);
1216 if (nla[NFTA_TABLE_FLAGS]) {
1217 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1218 if (flags & ~NFT_TABLE_F_MASK)
1223 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1227 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1228 if (table->name == NULL)
1231 if (nla[NFTA_TABLE_USERDATA]) {
1232 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1233 if (table->udata == NULL)
1234 goto err_table_udata;
1236 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1239 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1243 INIT_LIST_HEAD(&table->chains);
1244 INIT_LIST_HEAD(&table->sets);
1245 INIT_LIST_HEAD(&table->objects);
1246 INIT_LIST_HEAD(&table->flowtables);
1247 table->family = family;
1248 table->flags = flags;
1249 table->handle = ++nft_net->table_handle;
1250 if (table->flags & NFT_TABLE_F_OWNER)
1251 table->nlpid = NETLINK_CB(skb).portid;
1253 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1254 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1258 list_add_tail_rcu(&table->list, &nft_net->tables);
1261 rhltable_destroy(&table->chains_ht);
1263 kfree(table->udata);
1272 static int nft_flush_table(struct nft_ctx *ctx)
1274 struct nft_flowtable *flowtable, *nft;
1275 struct nft_chain *chain, *nc;
1276 struct nft_object *obj, *ne;
1277 struct nft_set *set, *ns;
1280 list_for_each_entry(chain, &ctx->table->chains, list) {
1281 if (!nft_is_active_next(ctx->net, chain))
1284 if (nft_chain_is_bound(chain))
1289 err = nft_delrule_by_chain(ctx);
1294 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1295 if (!nft_is_active_next(ctx->net, set))
1298 if (nft_set_is_anonymous(set) &&
1299 !list_empty(&set->bindings))
1302 err = nft_delset(ctx, set);
1307 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1308 if (!nft_is_active_next(ctx->net, flowtable))
1311 err = nft_delflowtable(ctx, flowtable);
1316 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1317 if (!nft_is_active_next(ctx->net, obj))
1320 err = nft_delobj(ctx, obj);
1325 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1326 if (!nft_is_active_next(ctx->net, chain))
1329 if (nft_chain_is_bound(chain))
1334 err = nft_delchain(ctx);
1339 err = nft_deltable(ctx);
1344 static int nft_flush(struct nft_ctx *ctx, int family)
1346 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1347 const struct nlattr * const *nla = ctx->nla;
1348 struct nft_table *table, *nt;
1351 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1352 if (family != AF_UNSPEC && table->family != family)
1355 ctx->family = table->family;
1357 if (!nft_is_active_next(ctx->net, table))
1360 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1363 if (nla[NFTA_TABLE_NAME] &&
1364 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1369 err = nft_flush_table(ctx);
1377 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1378 const struct nlattr * const nla[])
1380 struct netlink_ext_ack *extack = info->extack;
1381 u8 genmask = nft_genmask_next(info->net);
1382 u8 family = info->nfmsg->nfgen_family;
1383 struct net *net = info->net;
1384 const struct nlattr *attr;
1385 struct nft_table *table;
1388 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1389 if (family == AF_UNSPEC ||
1390 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1391 return nft_flush(&ctx, family);
1393 if (nla[NFTA_TABLE_HANDLE]) {
1394 attr = nla[NFTA_TABLE_HANDLE];
1395 table = nft_table_lookup_byhandle(net, attr, genmask,
1396 NETLINK_CB(skb).portid);
1398 attr = nla[NFTA_TABLE_NAME];
1399 table = nft_table_lookup(net, attr, family, genmask,
1400 NETLINK_CB(skb).portid);
1403 if (IS_ERR(table)) {
1404 NL_SET_BAD_ATTR(extack, attr);
1405 return PTR_ERR(table);
1408 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1412 ctx.family = family;
1415 return nft_flush_table(&ctx);
1418 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1420 if (WARN_ON(ctx->table->use > 0))
1423 rhltable_destroy(&ctx->table->chains_ht);
1424 kfree(ctx->table->name);
1425 kfree(ctx->table->udata);
1429 void nft_register_chain_type(const struct nft_chain_type *ctype)
1431 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1432 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1433 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1436 chain_type[ctype->family][ctype->type] = ctype;
1437 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1439 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1441 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1443 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1444 chain_type[ctype->family][ctype->type] = NULL;
1445 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1447 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1453 static struct nft_chain *
1454 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1456 struct nft_chain *chain;
1458 list_for_each_entry(chain, &table->chains, list) {
1459 if (chain->handle == handle &&
1460 nft_active_genmask(chain, genmask))
1464 return ERR_PTR(-ENOENT);
1467 static bool lockdep_commit_lock_is_held(const struct net *net)
1469 #ifdef CONFIG_PROVE_LOCKING
1470 struct nftables_pernet *nft_net = nft_pernet(net);
1472 return lockdep_is_held(&nft_net->commit_mutex);
1478 static struct nft_chain *nft_chain_lookup(struct net *net,
1479 struct nft_table *table,
1480 const struct nlattr *nla, u8 genmask)
1482 char search[NFT_CHAIN_MAXNAMELEN + 1];
1483 struct rhlist_head *tmp, *list;
1484 struct nft_chain *chain;
1487 return ERR_PTR(-EINVAL);
1489 nla_strscpy(search, nla, sizeof(search));
1491 WARN_ON(!rcu_read_lock_held() &&
1492 !lockdep_commit_lock_is_held(net));
1494 chain = ERR_PTR(-ENOENT);
1496 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1500 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1501 if (nft_active_genmask(chain, genmask))
1504 chain = ERR_PTR(-ENOENT);
1510 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1511 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1512 .len = NFT_TABLE_MAXNAMELEN - 1 },
1513 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1514 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1515 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1516 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1517 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1518 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1519 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1520 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1521 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1522 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1523 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1524 .len = NFT_USERDATA_MAXLEN },
1527 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1528 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1529 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1530 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1531 .len = IFNAMSIZ - 1 },
1534 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1536 struct nft_stats *cpu_stats, total;
1537 struct nlattr *nest;
1545 memset(&total, 0, sizeof(total));
1546 for_each_possible_cpu(cpu) {
1547 cpu_stats = per_cpu_ptr(stats, cpu);
1549 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1550 pkts = cpu_stats->pkts;
1551 bytes = cpu_stats->bytes;
1552 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1554 total.bytes += bytes;
1556 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1558 goto nla_put_failure;
1560 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1561 NFTA_COUNTER_PAD) ||
1562 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1564 goto nla_put_failure;
1566 nla_nest_end(skb, nest);
1573 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1574 const struct nft_base_chain *basechain)
1576 const struct nf_hook_ops *ops = &basechain->ops;
1577 struct nft_hook *hook, *first = NULL;
1578 struct nlattr *nest, *nest_devs;
1581 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1583 goto nla_put_failure;
1584 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1585 goto nla_put_failure;
1586 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1587 goto nla_put_failure;
1589 if (nft_base_chain_netdev(family, ops->hooknum)) {
1590 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1591 list_for_each_entry(hook, &basechain->hook_list, list) {
1595 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1596 hook->ops.dev->name))
1597 goto nla_put_failure;
1600 nla_nest_end(skb, nest_devs);
1603 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1604 goto nla_put_failure;
1606 nla_nest_end(skb, nest);
1613 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1614 u32 portid, u32 seq, int event, u32 flags,
1615 int family, const struct nft_table *table,
1616 const struct nft_chain *chain)
1618 struct nlmsghdr *nlh;
1620 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1621 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1622 NFNETLINK_V0, nft_base_seq(net));
1624 goto nla_put_failure;
1626 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1627 goto nla_put_failure;
1628 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1630 goto nla_put_failure;
1631 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1632 goto nla_put_failure;
1634 if (nft_is_base_chain(chain)) {
1635 const struct nft_base_chain *basechain = nft_base_chain(chain);
1636 struct nft_stats __percpu *stats;
1638 if (nft_dump_basechain_hook(skb, family, basechain))
1639 goto nla_put_failure;
1641 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1642 htonl(basechain->policy)))
1643 goto nla_put_failure;
1645 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1646 goto nla_put_failure;
1648 stats = rcu_dereference_check(basechain->stats,
1649 lockdep_commit_lock_is_held(net));
1650 if (nft_dump_stats(skb, stats))
1651 goto nla_put_failure;
1655 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1656 goto nla_put_failure;
1658 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1659 goto nla_put_failure;
1662 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1663 goto nla_put_failure;
1665 nlmsg_end(skb, nlh);
1669 nlmsg_trim(skb, nlh);
1673 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1675 struct nftables_pernet *nft_net;
1676 struct sk_buff *skb;
1681 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1684 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1688 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1689 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1691 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1692 event, flags, ctx->family, ctx->table,
1699 nft_net = nft_pernet(ctx->net);
1700 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1703 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1706 static int nf_tables_dump_chains(struct sk_buff *skb,
1707 struct netlink_callback *cb)
1709 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1710 unsigned int idx = 0, s_idx = cb->args[0];
1711 struct net *net = sock_net(skb->sk);
1712 int family = nfmsg->nfgen_family;
1713 struct nftables_pernet *nft_net;
1714 const struct nft_table *table;
1715 const struct nft_chain *chain;
1718 nft_net = nft_pernet(net);
1719 cb->seq = READ_ONCE(nft_net->base_seq);
1721 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1722 if (family != NFPROTO_UNSPEC && family != table->family)
1725 list_for_each_entry_rcu(chain, &table->chains, list) {
1729 memset(&cb->args[1], 0,
1730 sizeof(cb->args) - sizeof(cb->args[0]));
1731 if (!nft_is_active(net, chain))
1733 if (nf_tables_fill_chain_info(skb, net,
1734 NETLINK_CB(cb->skb).portid,
1738 table->family, table,
1742 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1753 /* called with rcu_read_lock held */
1754 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1755 const struct nlattr * const nla[])
1757 struct netlink_ext_ack *extack = info->extack;
1758 u8 genmask = nft_genmask_cur(info->net);
1759 u8 family = info->nfmsg->nfgen_family;
1760 const struct nft_chain *chain;
1761 struct net *net = info->net;
1762 struct nft_table *table;
1763 struct sk_buff *skb2;
1766 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1767 struct netlink_dump_control c = {
1768 .dump = nf_tables_dump_chains,
1769 .module = THIS_MODULE,
1772 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1775 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1776 if (IS_ERR(table)) {
1777 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1778 return PTR_ERR(table);
1781 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1782 if (IS_ERR(chain)) {
1783 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1784 return PTR_ERR(chain);
1787 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1791 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1792 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1793 0, family, table, chain);
1795 goto err_fill_chain_info;
1797 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1799 err_fill_chain_info:
1804 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1805 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1806 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1809 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1811 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1812 struct nft_stats __percpu *newstats;
1813 struct nft_stats *stats;
1816 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1817 nft_counter_policy, NULL);
1819 return ERR_PTR(err);
1821 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1822 return ERR_PTR(-EINVAL);
1824 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1825 if (newstats == NULL)
1826 return ERR_PTR(-ENOMEM);
1828 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1829 * are not exposed to userspace.
1832 stats = this_cpu_ptr(newstats);
1833 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1834 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1840 static void nft_chain_stats_replace(struct nft_trans *trans)
1842 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1844 if (!nft_trans_chain_stats(trans))
1847 nft_trans_chain_stats(trans) =
1848 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1849 lockdep_commit_lock_is_held(trans->ctx.net));
1851 if (!nft_trans_chain_stats(trans))
1852 static_branch_inc(&nft_counters_enabled);
1855 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1857 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
1858 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
1864 /* should be NULL either via abort or via successful commit */
1865 WARN_ON_ONCE(chain->blob_next);
1866 kvfree(chain->blob_next);
1869 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1871 struct nft_chain *chain = ctx->chain;
1872 struct nft_hook *hook, *next;
1874 if (WARN_ON(chain->use > 0))
1877 /* no concurrent access possible anymore */
1878 nf_tables_chain_free_chain_rules(chain);
1880 if (nft_is_base_chain(chain)) {
1881 struct nft_base_chain *basechain = nft_base_chain(chain);
1883 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1884 list_for_each_entry_safe(hook, next,
1885 &basechain->hook_list, list) {
1886 list_del_rcu(&hook->list);
1887 kfree_rcu(hook, rcu);
1890 module_put(basechain->type->owner);
1891 if (rcu_access_pointer(basechain->stats)) {
1892 static_branch_dec(&nft_counters_enabled);
1893 free_percpu(rcu_dereference_raw(basechain->stats));
1896 kfree(chain->udata);
1900 kfree(chain->udata);
1905 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1906 const struct nlattr *attr)
1908 struct net_device *dev;
1909 char ifname[IFNAMSIZ];
1910 struct nft_hook *hook;
1913 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
1916 goto err_hook_alloc;
1919 nla_strscpy(ifname, attr, IFNAMSIZ);
1920 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1921 * indirectly serializing all the other holders of the commit_mutex with
1924 dev = __dev_get_by_name(net, ifname);
1929 hook->ops.dev = dev;
1936 return ERR_PTR(err);
1939 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1940 const struct nft_hook *this)
1942 struct nft_hook *hook;
1944 list_for_each_entry(hook, hook_list, list) {
1945 if (this->ops.dev == hook->ops.dev)
1952 static int nf_tables_parse_netdev_hooks(struct net *net,
1953 const struct nlattr *attr,
1954 struct list_head *hook_list)
1956 struct nft_hook *hook, *next;
1957 const struct nlattr *tmp;
1958 int rem, n = 0, err;
1960 nla_for_each_nested(tmp, attr, rem) {
1961 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1966 hook = nft_netdev_hook_alloc(net, tmp);
1968 err = PTR_ERR(hook);
1971 if (nft_hook_list_find(hook_list, hook)) {
1976 list_add_tail(&hook->list, hook_list);
1979 if (n == NFT_NETDEVICE_MAX) {
1988 list_for_each_entry_safe(hook, next, hook_list, list) {
1989 list_del(&hook->list);
1995 struct nft_chain_hook {
1998 const struct nft_chain_type *type;
1999 struct list_head list;
2002 static int nft_chain_parse_netdev(struct net *net,
2003 struct nlattr *tb[],
2004 struct list_head *hook_list)
2006 struct nft_hook *hook;
2009 if (tb[NFTA_HOOK_DEV]) {
2010 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2012 return PTR_ERR(hook);
2014 list_add_tail(&hook->list, hook_list);
2015 } else if (tb[NFTA_HOOK_DEVS]) {
2016 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2021 if (list_empty(hook_list))
2030 static int nft_chain_parse_hook(struct net *net,
2031 const struct nlattr * const nla[],
2032 struct nft_chain_hook *hook, u8 family,
2033 struct netlink_ext_ack *extack, bool autoload)
2035 struct nftables_pernet *nft_net = nft_pernet(net);
2036 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2037 const struct nft_chain_type *type;
2040 lockdep_assert_held(&nft_net->commit_mutex);
2041 lockdep_nfnl_nft_mutex_not_held();
2043 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2044 nla[NFTA_CHAIN_HOOK],
2045 nft_hook_policy, NULL);
2049 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
2050 ha[NFTA_HOOK_PRIORITY] == NULL)
2053 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2054 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2056 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2060 if (nla[NFTA_CHAIN_TYPE]) {
2061 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2064 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2065 return PTR_ERR(type);
2068 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2071 if (type->type == NFT_CHAIN_T_NAT &&
2072 hook->priority <= NF_IP_PRI_CONNTRACK)
2075 if (!try_module_get(type->owner)) {
2076 if (nla[NFTA_CHAIN_TYPE])
2077 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2083 INIT_LIST_HEAD(&hook->list);
2084 if (nft_base_chain_netdev(family, hook->num)) {
2085 err = nft_chain_parse_netdev(net, ha, &hook->list);
2087 module_put(type->owner);
2090 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2091 module_put(type->owner);
2098 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2100 struct nft_hook *h, *next;
2102 list_for_each_entry_safe(h, next, &hook->list, list) {
2106 module_put(hook->type->owner);
2109 struct nft_rules_old {
2111 struct nft_rule_blob *blob;
2114 static void nft_last_rule(struct nft_rule_blob *blob, const void *ptr)
2116 struct nft_rule_dp *prule;
2118 prule = (struct nft_rule_dp *)ptr;
2120 /* blob size does not include the trailer rule */
2123 static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size)
2125 struct nft_rule_blob *blob;
2127 /* size must include room for the last rule */
2128 if (size < offsetof(struct nft_rule_dp, data))
2131 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old);
2135 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2140 nft_last_rule(blob, blob->data);
2145 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2146 const struct nft_chain_hook *hook,
2147 struct nft_chain *chain)
2150 ops->hooknum = hook->num;
2151 ops->priority = hook->priority;
2153 ops->hook = hook->type->hooks[ops->hooknum];
2154 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2157 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2158 struct nft_chain_hook *hook, u32 flags)
2160 struct nft_chain *chain;
2163 basechain->type = hook->type;
2164 INIT_LIST_HEAD(&basechain->hook_list);
2165 chain = &basechain->chain;
2167 if (nft_base_chain_netdev(family, hook->num)) {
2168 list_splice_init(&hook->list, &basechain->hook_list);
2169 list_for_each_entry(h, &basechain->hook_list, list)
2170 nft_basechain_hook_init(&h->ops, family, hook, chain);
2172 basechain->ops.hooknum = hook->num;
2173 basechain->ops.priority = hook->priority;
2175 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2178 chain->flags |= NFT_CHAIN_BASE | flags;
2179 basechain->policy = NF_ACCEPT;
2180 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2181 !nft_chain_offload_support(basechain)) {
2182 list_splice_init(&basechain->hook_list, &hook->list);
2186 flow_block_init(&basechain->flow_block);
2191 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2195 err = rhltable_insert_key(&table->chains_ht, chain->name,
2196 &chain->rhlhead, nft_chain_ht_params);
2200 list_add_tail_rcu(&chain->list, &table->chains);
2205 static u64 chain_id;
2207 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2208 u8 policy, u32 flags,
2209 struct netlink_ext_ack *extack)
2211 const struct nlattr * const *nla = ctx->nla;
2212 struct nft_table *table = ctx->table;
2213 struct nft_base_chain *basechain;
2214 struct net *net = ctx->net;
2215 char name[NFT_NAME_MAXLEN];
2216 struct nft_rule_blob *blob;
2217 struct nft_trans *trans;
2218 struct nft_chain *chain;
2219 unsigned int data_size;
2222 if (table->use == UINT_MAX)
2225 if (nla[NFTA_CHAIN_HOOK]) {
2226 struct nft_stats __percpu *stats = NULL;
2227 struct nft_chain_hook hook;
2229 if (flags & NFT_CHAIN_BINDING)
2232 err = nft_chain_parse_hook(net, nla, &hook, family, extack,
2237 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2238 if (basechain == NULL) {
2239 nft_chain_release_hook(&hook);
2242 chain = &basechain->chain;
2244 if (nla[NFTA_CHAIN_COUNTERS]) {
2245 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2246 if (IS_ERR(stats)) {
2247 nft_chain_release_hook(&hook);
2249 return PTR_ERR(stats);
2251 rcu_assign_pointer(basechain->stats, stats);
2254 err = nft_basechain_init(basechain, family, &hook, flags);
2256 nft_chain_release_hook(&hook);
2262 static_branch_inc(&nft_counters_enabled);
2264 if (flags & NFT_CHAIN_BASE)
2266 if (flags & NFT_CHAIN_HW_OFFLOAD)
2269 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2273 chain->flags = flags;
2277 INIT_LIST_HEAD(&chain->rules);
2278 chain->handle = nf_tables_alloc_handle(table);
2279 chain->table = table;
2281 if (nla[NFTA_CHAIN_NAME]) {
2282 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2284 if (!(flags & NFT_CHAIN_BINDING)) {
2286 goto err_destroy_chain;
2289 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2290 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2295 goto err_destroy_chain;
2298 if (nla[NFTA_CHAIN_USERDATA]) {
2299 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2300 if (chain->udata == NULL) {
2302 goto err_destroy_chain;
2304 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2307 data_size = offsetof(struct nft_rule_dp, data); /* last rule */
2308 blob = nf_tables_chain_alloc_rules(data_size);
2311 goto err_destroy_chain;
2314 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2315 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2317 err = nf_tables_register_hook(net, table, chain);
2319 goto err_destroy_chain;
2321 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2322 if (IS_ERR(trans)) {
2323 err = PTR_ERR(trans);
2324 goto err_unregister_hook;
2327 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2328 if (nft_is_base_chain(chain))
2329 nft_trans_chain_policy(trans) = policy;
2331 err = nft_chain_add(table, chain);
2333 nft_trans_destroy(trans);
2334 goto err_unregister_hook;
2340 err_unregister_hook:
2341 nf_tables_unregister_hook(net, table, chain);
2343 nf_tables_chain_destroy(ctx);
2348 static bool nft_hook_list_equal(struct list_head *hook_list1,
2349 struct list_head *hook_list2)
2351 struct nft_hook *hook;
2355 list_for_each_entry(hook, hook_list2, list) {
2356 if (!nft_hook_list_find(hook_list1, hook))
2361 list_for_each_entry(hook, hook_list1, list)
2367 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2368 u32 flags, const struct nlattr *attr,
2369 struct netlink_ext_ack *extack)
2371 const struct nlattr * const *nla = ctx->nla;
2372 struct nft_table *table = ctx->table;
2373 struct nft_chain *chain = ctx->chain;
2374 struct nft_base_chain *basechain;
2375 struct nft_stats *stats = NULL;
2376 struct nft_chain_hook hook;
2377 struct nf_hook_ops *ops;
2378 struct nft_trans *trans;
2381 if (chain->flags ^ flags)
2384 if (nla[NFTA_CHAIN_HOOK]) {
2385 if (!nft_is_base_chain(chain)) {
2386 NL_SET_BAD_ATTR(extack, attr);
2389 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2394 basechain = nft_base_chain(chain);
2395 if (basechain->type != hook.type) {
2396 nft_chain_release_hook(&hook);
2397 NL_SET_BAD_ATTR(extack, attr);
2401 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2402 if (!nft_hook_list_equal(&basechain->hook_list,
2404 nft_chain_release_hook(&hook);
2405 NL_SET_BAD_ATTR(extack, attr);
2409 ops = &basechain->ops;
2410 if (ops->hooknum != hook.num ||
2411 ops->priority != hook.priority) {
2412 nft_chain_release_hook(&hook);
2413 NL_SET_BAD_ATTR(extack, attr);
2417 nft_chain_release_hook(&hook);
2420 if (nla[NFTA_CHAIN_HANDLE] &&
2421 nla[NFTA_CHAIN_NAME]) {
2422 struct nft_chain *chain2;
2424 chain2 = nft_chain_lookup(ctx->net, table,
2425 nla[NFTA_CHAIN_NAME], genmask);
2426 if (!IS_ERR(chain2)) {
2427 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2432 if (nla[NFTA_CHAIN_COUNTERS]) {
2433 if (!nft_is_base_chain(chain))
2436 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2438 return PTR_ERR(stats);
2442 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2443 sizeof(struct nft_trans_chain));
2447 nft_trans_chain_stats(trans) = stats;
2448 nft_trans_chain_update(trans) = true;
2450 if (nla[NFTA_CHAIN_POLICY])
2451 nft_trans_chain_policy(trans) = policy;
2453 nft_trans_chain_policy(trans) = -1;
2455 if (nla[NFTA_CHAIN_HANDLE] &&
2456 nla[NFTA_CHAIN_NAME]) {
2457 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2458 struct nft_trans *tmp;
2462 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2467 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2468 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2469 tmp->ctx.table == table &&
2470 nft_trans_chain_update(tmp) &&
2471 nft_trans_chain_name(tmp) &&
2472 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2473 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2479 nft_trans_chain_name(trans) = name;
2481 nft_trans_commit_list_add_tail(ctx->net, trans);
2490 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2491 const struct nft_table *table,
2492 const struct nlattr *nla)
2494 struct nftables_pernet *nft_net = nft_pernet(net);
2495 u32 id = ntohl(nla_get_be32(nla));
2496 struct nft_trans *trans;
2498 list_for_each_entry(trans, &nft_net->commit_list, list) {
2499 struct nft_chain *chain = trans->ctx.chain;
2501 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2502 chain->table == table &&
2503 id == nft_trans_chain_id(trans))
2506 return ERR_PTR(-ENOENT);
2509 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2510 const struct nlattr * const nla[])
2512 struct nftables_pernet *nft_net = nft_pernet(info->net);
2513 struct netlink_ext_ack *extack = info->extack;
2514 u8 genmask = nft_genmask_next(info->net);
2515 u8 family = info->nfmsg->nfgen_family;
2516 struct nft_chain *chain = NULL;
2517 struct net *net = info->net;
2518 const struct nlattr *attr;
2519 struct nft_table *table;
2520 u8 policy = NF_ACCEPT;
2525 lockdep_assert_held(&nft_net->commit_mutex);
2527 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2528 NETLINK_CB(skb).portid);
2529 if (IS_ERR(table)) {
2530 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2531 return PTR_ERR(table);
2535 attr = nla[NFTA_CHAIN_NAME];
2537 if (nla[NFTA_CHAIN_HANDLE]) {
2538 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2539 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2540 if (IS_ERR(chain)) {
2541 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2542 return PTR_ERR(chain);
2544 attr = nla[NFTA_CHAIN_HANDLE];
2545 } else if (nla[NFTA_CHAIN_NAME]) {
2546 chain = nft_chain_lookup(net, table, attr, genmask);
2547 if (IS_ERR(chain)) {
2548 if (PTR_ERR(chain) != -ENOENT) {
2549 NL_SET_BAD_ATTR(extack, attr);
2550 return PTR_ERR(chain);
2554 } else if (!nla[NFTA_CHAIN_ID]) {
2558 if (nla[NFTA_CHAIN_POLICY]) {
2559 if (chain != NULL &&
2560 !nft_is_base_chain(chain)) {
2561 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2565 if (chain == NULL &&
2566 nla[NFTA_CHAIN_HOOK] == NULL) {
2567 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2571 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2581 if (nla[NFTA_CHAIN_FLAGS])
2582 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2584 flags = chain->flags;
2586 if (flags & ~NFT_CHAIN_FLAGS)
2589 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2591 if (chain != NULL) {
2592 if (chain->flags & NFT_CHAIN_BINDING)
2595 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2596 NL_SET_BAD_ATTR(extack, attr);
2599 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2602 flags |= chain->flags & NFT_CHAIN_BASE;
2603 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2607 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2610 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2611 const struct nlattr * const nla[])
2613 struct netlink_ext_ack *extack = info->extack;
2614 u8 genmask = nft_genmask_next(info->net);
2615 u8 family = info->nfmsg->nfgen_family;
2616 struct net *net = info->net;
2617 const struct nlattr *attr;
2618 struct nft_table *table;
2619 struct nft_chain *chain;
2620 struct nft_rule *rule;
2626 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2627 NETLINK_CB(skb).portid);
2628 if (IS_ERR(table)) {
2629 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2630 return PTR_ERR(table);
2633 if (nla[NFTA_CHAIN_HANDLE]) {
2634 attr = nla[NFTA_CHAIN_HANDLE];
2635 handle = be64_to_cpu(nla_get_be64(attr));
2636 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2638 attr = nla[NFTA_CHAIN_NAME];
2639 chain = nft_chain_lookup(net, table, attr, genmask);
2641 if (IS_ERR(chain)) {
2642 NL_SET_BAD_ATTR(extack, attr);
2643 return PTR_ERR(chain);
2646 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2650 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2653 list_for_each_entry(rule, &chain->rules, list) {
2654 if (!nft_is_active_next(net, rule))
2658 err = nft_delrule(&ctx, rule);
2663 /* There are rules and elements that are still holding references to us,
2664 * we cannot do a recursive removal in this case.
2667 NL_SET_BAD_ATTR(extack, attr);
2671 return nft_delchain(&ctx);
2679 * nft_register_expr - register nf_tables expr type
2682 * Registers the expr type for use with nf_tables. Returns zero on
2683 * success or a negative errno code otherwise.
2685 int nft_register_expr(struct nft_expr_type *type)
2687 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2688 if (type->family == NFPROTO_UNSPEC)
2689 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2691 list_add_rcu(&type->list, &nf_tables_expressions);
2692 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2695 EXPORT_SYMBOL_GPL(nft_register_expr);
2698 * nft_unregister_expr - unregister nf_tables expr type
2701 * Unregisters the expr typefor use with nf_tables.
2703 void nft_unregister_expr(struct nft_expr_type *type)
2705 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2706 list_del_rcu(&type->list);
2707 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2709 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2711 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2714 const struct nft_expr_type *type, *candidate = NULL;
2716 list_for_each_entry(type, &nf_tables_expressions, list) {
2717 if (!nla_strcmp(nla, type->name)) {
2718 if (!type->family && !candidate)
2720 else if (type->family == family)
2727 #ifdef CONFIG_MODULES
2728 static int nft_expr_type_request_module(struct net *net, u8 family,
2731 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2732 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2739 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2743 const struct nft_expr_type *type;
2746 return ERR_PTR(-EINVAL);
2748 type = __nft_expr_type_get(family, nla);
2749 if (type != NULL && try_module_get(type->owner))
2752 lockdep_nfnl_nft_mutex_not_held();
2753 #ifdef CONFIG_MODULES
2755 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2756 return ERR_PTR(-EAGAIN);
2758 if (nft_request_module(net, "nft-expr-%.*s",
2760 (char *)nla_data(nla)) == -EAGAIN)
2761 return ERR_PTR(-EAGAIN);
2764 return ERR_PTR(-ENOENT);
2767 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2768 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2769 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2770 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2773 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2774 const struct nft_expr *expr)
2776 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2777 goto nla_put_failure;
2779 if (expr->ops->dump) {
2780 struct nlattr *data = nla_nest_start_noflag(skb,
2783 goto nla_put_failure;
2784 if (expr->ops->dump(skb, expr) < 0)
2785 goto nla_put_failure;
2786 nla_nest_end(skb, data);
2795 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2796 const struct nft_expr *expr)
2798 struct nlattr *nest;
2800 nest = nla_nest_start_noflag(skb, attr);
2802 goto nla_put_failure;
2803 if (nf_tables_fill_expr_info(skb, expr) < 0)
2804 goto nla_put_failure;
2805 nla_nest_end(skb, nest);
2812 struct nft_expr_info {
2813 const struct nft_expr_ops *ops;
2814 const struct nlattr *attr;
2815 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2818 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2819 const struct nlattr *nla,
2820 struct nft_expr_info *info)
2822 const struct nft_expr_type *type;
2823 const struct nft_expr_ops *ops;
2824 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2827 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2828 nft_expr_policy, NULL);
2832 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2834 return PTR_ERR(type);
2836 if (tb[NFTA_EXPR_DATA]) {
2837 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2839 type->policy, NULL);
2843 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2845 if (type->select_ops != NULL) {
2846 ops = type->select_ops(ctx,
2847 (const struct nlattr * const *)info->tb);
2850 #ifdef CONFIG_MODULES
2852 if (nft_expr_type_request_module(ctx->net,
2854 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2868 module_put(type->owner);
2872 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2873 const struct nft_expr_info *expr_info,
2874 struct nft_expr *expr)
2876 const struct nft_expr_ops *ops = expr_info->ops;
2881 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
2892 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2893 struct nft_expr *expr)
2895 const struct nft_expr_type *type = expr->ops->type;
2897 if (expr->ops->destroy)
2898 expr->ops->destroy(ctx, expr);
2899 module_put(type->owner);
2902 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2903 const struct nlattr *nla)
2905 struct nft_expr_info expr_info;
2906 struct nft_expr *expr;
2907 struct module *owner;
2910 err = nf_tables_expr_parse(ctx, nla, &expr_info);
2912 goto err_expr_parse;
2915 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
2916 goto err_expr_stateful;
2919 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
2921 goto err_expr_stateful;
2923 err = nf_tables_newexpr(ctx, &expr_info, expr);
2931 owner = expr_info.ops->type->owner;
2932 if (expr_info.ops->type->release_ops)
2933 expr_info.ops->type->release_ops(expr_info.ops);
2937 return ERR_PTR(err);
2940 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2944 if (src->ops->clone) {
2945 dst->ops = src->ops;
2946 err = src->ops->clone(dst, src);
2950 memcpy(dst, src, src->ops->size);
2953 __module_get(src->ops->type->owner);
2958 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2960 nf_tables_expr_destroy(ctx, expr);
2968 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2971 struct nft_rule *rule;
2973 // FIXME: this sucks
2974 list_for_each_entry_rcu(rule, &chain->rules, list) {
2975 if (handle == rule->handle)
2979 return ERR_PTR(-ENOENT);
2982 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2983 const struct nlattr *nla)
2986 return ERR_PTR(-EINVAL);
2988 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2991 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2992 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2993 .len = NFT_TABLE_MAXNAMELEN - 1 },
2994 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2995 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2996 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2997 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2998 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2999 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3000 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3001 .len = NFT_USERDATA_MAXLEN },
3002 [NFTA_RULE_ID] = { .type = NLA_U32 },
3003 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3004 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3007 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3008 u32 portid, u32 seq, int event,
3009 u32 flags, int family,
3010 const struct nft_table *table,
3011 const struct nft_chain *chain,
3012 const struct nft_rule *rule, u64 handle)
3014 struct nlmsghdr *nlh;
3015 const struct nft_expr *expr, *next;
3016 struct nlattr *list;
3017 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3019 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3022 goto nla_put_failure;
3024 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3025 goto nla_put_failure;
3026 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3027 goto nla_put_failure;
3028 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3030 goto nla_put_failure;
3032 if (event != NFT_MSG_DELRULE && handle) {
3033 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3035 goto nla_put_failure;
3038 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3039 nft_flow_rule_stats(chain, rule);
3041 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3043 goto nla_put_failure;
3044 nft_rule_for_each_expr(expr, next, rule) {
3045 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
3046 goto nla_put_failure;
3048 nla_nest_end(skb, list);
3051 struct nft_userdata *udata = nft_userdata(rule);
3052 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3054 goto nla_put_failure;
3057 nlmsg_end(skb, nlh);
3061 nlmsg_trim(skb, nlh);
3065 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3066 const struct nft_rule *rule, int event)
3068 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3069 const struct nft_rule *prule;
3070 struct sk_buff *skb;
3076 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3079 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3083 if (event == NFT_MSG_NEWRULE &&
3084 !list_is_first(&rule->list, &ctx->chain->rules) &&
3085 !list_is_last(&rule->list, &ctx->chain->rules)) {
3086 prule = list_prev_entry(rule, list);
3087 handle = prule->handle;
3089 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3090 flags |= NLM_F_APPEND;
3091 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3092 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3094 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3095 event, flags, ctx->family, ctx->table,
3096 ctx->chain, rule, handle);
3102 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3105 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3108 struct nft_rule_dump_ctx {
3113 static int __nf_tables_dump_rules(struct sk_buff *skb,
3115 struct netlink_callback *cb,
3116 const struct nft_table *table,
3117 const struct nft_chain *chain)
3119 struct net *net = sock_net(skb->sk);
3120 const struct nft_rule *rule, *prule;
3121 unsigned int s_idx = cb->args[0];
3125 list_for_each_entry_rcu(rule, &chain->rules, list) {
3126 if (!nft_is_active(net, rule))
3131 memset(&cb->args[1], 0,
3132 sizeof(cb->args) - sizeof(cb->args[0]));
3135 handle = prule->handle;
3139 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3142 NLM_F_MULTI | NLM_F_APPEND,
3144 table, chain, rule, handle) < 0)
3147 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3156 static int nf_tables_dump_rules(struct sk_buff *skb,
3157 struct netlink_callback *cb)
3159 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3160 const struct nft_rule_dump_ctx *ctx = cb->data;
3161 struct nft_table *table;
3162 const struct nft_chain *chain;
3163 unsigned int idx = 0;
3164 struct net *net = sock_net(skb->sk);
3165 int family = nfmsg->nfgen_family;
3166 struct nftables_pernet *nft_net;
3169 nft_net = nft_pernet(net);
3170 cb->seq = READ_ONCE(nft_net->base_seq);
3172 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3173 if (family != NFPROTO_UNSPEC && family != table->family)
3176 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
3179 if (ctx && ctx->table && ctx->chain) {
3180 struct rhlist_head *list, *tmp;
3182 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3183 nft_chain_ht_params);
3187 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3188 if (!nft_is_active(net, chain))
3190 __nf_tables_dump_rules(skb, &idx,
3197 list_for_each_entry_rcu(chain, &table->chains, list) {
3198 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
3202 if (ctx && ctx->table)
3212 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3214 const struct nlattr * const *nla = cb->data;
3215 struct nft_rule_dump_ctx *ctx = NULL;
3217 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3218 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3222 if (nla[NFTA_RULE_TABLE]) {
3223 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3230 if (nla[NFTA_RULE_CHAIN]) {
3231 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3245 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3247 struct nft_rule_dump_ctx *ctx = cb->data;
3257 /* called with rcu_read_lock held */
3258 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3259 const struct nlattr * const nla[])
3261 struct netlink_ext_ack *extack = info->extack;
3262 u8 genmask = nft_genmask_cur(info->net);
3263 u8 family = info->nfmsg->nfgen_family;
3264 const struct nft_chain *chain;
3265 const struct nft_rule *rule;
3266 struct net *net = info->net;
3267 struct nft_table *table;
3268 struct sk_buff *skb2;
3271 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3272 struct netlink_dump_control c = {
3273 .start= nf_tables_dump_rules_start,
3274 .dump = nf_tables_dump_rules,
3275 .done = nf_tables_dump_rules_done,
3276 .module = THIS_MODULE,
3277 .data = (void *)nla,
3280 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3283 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3284 if (IS_ERR(table)) {
3285 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3286 return PTR_ERR(table);
3289 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3290 if (IS_ERR(chain)) {
3291 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3292 return PTR_ERR(chain);
3295 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3297 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3298 return PTR_ERR(rule);
3301 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3305 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3306 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3307 family, table, chain, rule, 0);
3309 goto err_fill_rule_info;
3311 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3318 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3319 struct nft_rule *rule)
3321 struct nft_expr *expr, *next;
3324 * Careful: some expressions might not be initialized in case this
3325 * is called on error from nf_tables_newrule().
3327 expr = nft_expr_first(rule);
3328 while (nft_expr_more(rule, expr)) {
3329 next = nft_expr_next(expr);
3330 nf_tables_expr_destroy(ctx, expr);
3336 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3338 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3339 nf_tables_rule_destroy(ctx, rule);
3342 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3344 struct nft_expr *expr, *last;
3345 const struct nft_data *data;
3346 struct nft_rule *rule;
3349 if (ctx->level == NFT_JUMP_STACK_SIZE)
3352 list_for_each_entry(rule, &chain->rules, list) {
3353 if (!nft_is_active_next(ctx->net, rule))
3356 nft_rule_for_each_expr(expr, last, rule) {
3357 if (!expr->ops->validate)
3360 err = expr->ops->validate(ctx, expr, &data);
3370 EXPORT_SYMBOL_GPL(nft_chain_validate);
3372 static int nft_table_validate(struct net *net, const struct nft_table *table)
3374 struct nft_chain *chain;
3375 struct nft_ctx ctx = {
3377 .family = table->family,
3381 list_for_each_entry(chain, &table->chains, list) {
3382 if (!nft_is_base_chain(chain))
3386 err = nft_chain_validate(&ctx, chain);
3394 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3395 const struct nft_chain *chain,
3396 const struct nlattr *nla);
3398 #define NFT_RULE_MAXEXPRS 128
3400 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3401 const struct nlattr * const nla[])
3403 struct nftables_pernet *nft_net = nft_pernet(info->net);
3404 struct netlink_ext_ack *extack = info->extack;
3405 unsigned int size, i, n, ulen = 0, usize = 0;
3406 u8 genmask = nft_genmask_next(info->net);
3407 struct nft_rule *rule, *old_rule = NULL;
3408 struct nft_expr_info *expr_info = NULL;
3409 u8 family = info->nfmsg->nfgen_family;
3410 struct nft_flow_rule *flow = NULL;
3411 struct net *net = info->net;
3412 struct nft_userdata *udata;
3413 struct nft_table *table;
3414 struct nft_chain *chain;
3415 struct nft_trans *trans;
3416 u64 handle, pos_handle;
3417 struct nft_expr *expr;
3422 lockdep_assert_held(&nft_net->commit_mutex);
3424 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3425 NETLINK_CB(skb).portid);
3426 if (IS_ERR(table)) {
3427 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3428 return PTR_ERR(table);
3431 if (nla[NFTA_RULE_CHAIN]) {
3432 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3434 if (IS_ERR(chain)) {
3435 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3436 return PTR_ERR(chain);
3438 if (nft_chain_is_bound(chain))
3441 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3442 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]);
3443 if (IS_ERR(chain)) {
3444 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3445 return PTR_ERR(chain);
3451 if (nla[NFTA_RULE_HANDLE]) {
3452 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3453 rule = __nft_rule_lookup(chain, handle);
3455 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3456 return PTR_ERR(rule);
3459 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3460 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3463 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3468 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3469 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3471 handle = nf_tables_alloc_handle(table);
3473 if (chain->use == UINT_MAX)
3476 if (nla[NFTA_RULE_POSITION]) {
3477 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3478 old_rule = __nft_rule_lookup(chain, pos_handle);
3479 if (IS_ERR(old_rule)) {
3480 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3481 return PTR_ERR(old_rule);
3483 } else if (nla[NFTA_RULE_POSITION_ID]) {
3484 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
3485 if (IS_ERR(old_rule)) {
3486 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3487 return PTR_ERR(old_rule);
3492 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3496 if (nla[NFTA_RULE_EXPRESSIONS]) {
3497 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3498 sizeof(struct nft_expr_info),
3503 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3505 if (nla_type(tmp) != NFTA_LIST_ELEM)
3506 goto err_release_expr;
3507 if (n == NFT_RULE_MAXEXPRS)
3508 goto err_release_expr;
3509 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3511 NL_SET_BAD_ATTR(extack, tmp);
3512 goto err_release_expr;
3514 size += expr_info[n].ops->size;
3518 /* Check for overflow of dlen field */
3520 if (size >= 1 << 12)
3521 goto err_release_expr;
3523 if (nla[NFTA_RULE_USERDATA]) {
3524 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3526 usize = sizeof(struct nft_userdata) + ulen;
3530 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
3532 goto err_release_expr;
3534 nft_activate_next(net, rule);
3536 rule->handle = handle;
3538 rule->udata = ulen ? 1 : 0;
3541 udata = nft_userdata(rule);
3542 udata->len = ulen - 1;
3543 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3546 expr = nft_expr_first(rule);
3547 for (i = 0; i < n; i++) {
3548 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
3550 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
3551 goto err_release_rule;
3554 if (expr_info[i].ops->validate)
3555 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3557 expr_info[i].ops = NULL;
3558 expr = nft_expr_next(expr);
3561 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3562 flow = nft_flow_rule_create(net, rule);
3564 err = PTR_ERR(flow);
3565 goto err_release_rule;
3569 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
3570 err = nft_delrule(&ctx, old_rule);
3572 goto err_destroy_flow_rule;
3574 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3575 if (trans == NULL) {
3577 goto err_destroy_flow_rule;
3579 list_add_tail_rcu(&rule->list, &old_rule->list);
3581 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3584 goto err_destroy_flow_rule;
3587 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
3589 list_add_rcu(&rule->list, &old_rule->list);
3591 list_add_tail_rcu(&rule->list, &chain->rules);
3594 list_add_tail_rcu(&rule->list, &old_rule->list);
3596 list_add_rcu(&rule->list, &chain->rules);
3603 nft_trans_flow_rule(trans) = flow;
3605 if (nft_net->validate_state == NFT_VALIDATE_DO)
3606 return nft_table_validate(net, table);
3610 err_destroy_flow_rule:
3612 nft_flow_rule_destroy(flow);
3614 nf_tables_rule_release(&ctx, rule);
3616 for (i = 0; i < n; i++) {
3617 if (expr_info[i].ops) {
3618 module_put(expr_info[i].ops->type->owner);
3619 if (expr_info[i].ops->type->release_ops)
3620 expr_info[i].ops->type->release_ops(expr_info[i].ops);
3628 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3629 const struct nft_chain *chain,
3630 const struct nlattr *nla)
3632 struct nftables_pernet *nft_net = nft_pernet(net);
3633 u32 id = ntohl(nla_get_be32(nla));
3634 struct nft_trans *trans;
3636 list_for_each_entry(trans, &nft_net->commit_list, list) {
3637 struct nft_rule *rule = nft_trans_rule(trans);
3639 if (trans->msg_type == NFT_MSG_NEWRULE &&
3640 trans->ctx.chain == chain &&
3641 id == nft_trans_rule_id(trans))
3644 return ERR_PTR(-ENOENT);
3647 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
3648 const struct nlattr * const nla[])
3650 struct netlink_ext_ack *extack = info->extack;
3651 u8 genmask = nft_genmask_next(info->net);
3652 u8 family = info->nfmsg->nfgen_family;
3653 struct nft_chain *chain = NULL;
3654 struct net *net = info->net;
3655 struct nft_table *table;
3656 struct nft_rule *rule;
3660 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3661 NETLINK_CB(skb).portid);
3662 if (IS_ERR(table)) {
3663 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3664 return PTR_ERR(table);
3667 if (nla[NFTA_RULE_CHAIN]) {
3668 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3670 if (IS_ERR(chain)) {
3671 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3672 return PTR_ERR(chain);
3674 if (nft_chain_is_bound(chain))
3678 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3681 if (nla[NFTA_RULE_HANDLE]) {
3682 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3684 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3685 return PTR_ERR(rule);
3688 err = nft_delrule(&ctx, rule);
3689 } else if (nla[NFTA_RULE_ID]) {
3690 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
3692 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3693 return PTR_ERR(rule);
3696 err = nft_delrule(&ctx, rule);
3698 err = nft_delrule_by_chain(&ctx);
3701 list_for_each_entry(chain, &table->chains, list) {
3702 if (!nft_is_active_next(net, chain))
3706 err = nft_delrule_by_chain(&ctx);
3718 static const struct nft_set_type *nft_set_types[] = {
3719 &nft_set_hash_fast_type,
3721 &nft_set_rhash_type,
3722 &nft_set_bitmap_type,
3723 &nft_set_rbtree_type,
3724 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3725 &nft_set_pipapo_avx2_type,
3727 &nft_set_pipapo_type,
3730 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3731 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3734 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3736 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3740 * Select a set implementation based on the data characteristics and the
3741 * given policy. The total memory use might not be known if no size is
3742 * given, in that case the amount of memory per element is used.
3744 static const struct nft_set_ops *
3745 nft_select_set_ops(const struct nft_ctx *ctx,
3746 const struct nlattr * const nla[],
3747 const struct nft_set_desc *desc)
3749 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3750 const struct nft_set_ops *ops, *bops;
3751 struct nft_set_estimate est, best;
3752 const struct nft_set_type *type;
3756 lockdep_assert_held(&nft_net->commit_mutex);
3757 lockdep_nfnl_nft_mutex_not_held();
3759 if (nla[NFTA_SET_FLAGS] != NULL)
3760 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3767 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3768 type = nft_set_types[i];
3771 if (!nft_set_ops_candidate(type, flags))
3773 if (!ops->estimate(desc, flags, &est))
3776 switch (desc->policy) {
3777 case NFT_SET_POL_PERFORMANCE:
3778 if (est.lookup < best.lookup)
3780 if (est.lookup == best.lookup &&
3781 est.space < best.space)
3784 case NFT_SET_POL_MEMORY:
3786 if (est.space < best.space)
3788 if (est.space == best.space &&
3789 est.lookup < best.lookup)
3791 } else if (est.size < best.size || !bops) {
3806 return ERR_PTR(-EOPNOTSUPP);
3809 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3810 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3811 .len = NFT_TABLE_MAXNAMELEN - 1 },
3812 [NFTA_SET_NAME] = { .type = NLA_STRING,
3813 .len = NFT_SET_MAXNAMELEN - 1 },
3814 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3815 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3816 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3817 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3818 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3819 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3820 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3821 [NFTA_SET_ID] = { .type = NLA_U32 },
3822 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3823 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3824 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3825 .len = NFT_USERDATA_MAXLEN },
3826 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3827 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3828 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3829 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
3832 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3833 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3834 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3837 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3838 const struct nlattr *nla, u8 genmask)
3840 struct nft_set *set;
3843 return ERR_PTR(-EINVAL);
3845 list_for_each_entry_rcu(set, &table->sets, list) {
3846 if (!nla_strcmp(nla, set->name) &&
3847 nft_active_genmask(set, genmask))
3850 return ERR_PTR(-ENOENT);
3853 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3854 const struct nlattr *nla,
3857 struct nft_set *set;
3859 list_for_each_entry(set, &table->sets, list) {
3860 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3861 nft_active_genmask(set, genmask))
3864 return ERR_PTR(-ENOENT);
3867 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3868 const struct nft_table *table,
3869 const struct nlattr *nla, u8 genmask)
3871 struct nftables_pernet *nft_net = nft_pernet(net);
3872 u32 id = ntohl(nla_get_be32(nla));
3873 struct nft_trans *trans;
3875 list_for_each_entry(trans, &nft_net->commit_list, list) {
3876 if (trans->msg_type == NFT_MSG_NEWSET) {
3877 struct nft_set *set = nft_trans_set(trans);
3879 if (id == nft_trans_set_id(trans) &&
3880 set->table == table &&
3881 nft_active_genmask(set, genmask))
3885 return ERR_PTR(-ENOENT);
3888 struct nft_set *nft_set_lookup_global(const struct net *net,
3889 const struct nft_table *table,
3890 const struct nlattr *nla_set_name,
3891 const struct nlattr *nla_set_id,
3894 struct nft_set *set;
3896 set = nft_set_lookup(table, nla_set_name, genmask);
3901 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
3905 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3907 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3910 const struct nft_set *i;
3912 unsigned long *inuse;
3913 unsigned int n = 0, min = 0;
3915 p = strchr(name, '%');
3917 if (p[1] != 'd' || strchr(p + 2, '%'))
3920 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3924 list_for_each_entry(i, &ctx->table->sets, list) {
3927 if (!nft_is_active_next(ctx->net, i))
3929 if (!sscanf(i->name, name, &tmp))
3931 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3934 set_bit(tmp - min, inuse);
3937 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3938 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3939 min += BITS_PER_BYTE * PAGE_SIZE;
3940 memset(inuse, 0, PAGE_SIZE);
3943 free_page((unsigned long)inuse);
3946 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
3950 list_for_each_entry(i, &ctx->table->sets, list) {
3951 if (!nft_is_active_next(ctx->net, i))
3953 if (!strcmp(set->name, i->name)) {
3962 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3964 u64 ms = be64_to_cpu(nla_get_be64(nla));
3965 u64 max = (u64)(~((u64)0));
3967 max = div_u64(max, NSEC_PER_MSEC);
3971 ms *= NSEC_PER_MSEC;
3972 *result = nsecs_to_jiffies64(ms);
3976 __be64 nf_jiffies64_to_msecs(u64 input)
3978 return cpu_to_be64(jiffies64_to_msecs(input));
3981 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3982 const struct nft_set *set)
3984 struct nlattr *concat, *field;
3987 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3991 for (i = 0; i < set->field_count; i++) {
3992 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3996 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3997 htonl(set->field_len[i])))
4000 nla_nest_end(skb, field);
4003 nla_nest_end(skb, concat);
4008 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4009 const struct nft_set *set, u16 event, u16 flags)
4011 u64 timeout = READ_ONCE(set->timeout);
4012 u32 gc_int = READ_ONCE(set->gc_int);
4013 u32 portid = ctx->portid;
4014 struct nlmsghdr *nlh;
4015 struct nlattr *nest;
4019 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4020 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4021 NFNETLINK_V0, nft_base_seq(ctx->net));
4023 goto nla_put_failure;
4025 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4026 goto nla_put_failure;
4027 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4028 goto nla_put_failure;
4029 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4031 goto nla_put_failure;
4032 if (set->flags != 0)
4033 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4034 goto nla_put_failure;
4036 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4037 goto nla_put_failure;
4038 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4039 goto nla_put_failure;
4040 if (set->flags & NFT_SET_MAP) {
4041 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4042 goto nla_put_failure;
4043 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4044 goto nla_put_failure;
4046 if (set->flags & NFT_SET_OBJECT &&
4047 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4048 goto nla_put_failure;
4051 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4052 nf_jiffies64_to_msecs(timeout),
4054 goto nla_put_failure;
4056 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4057 goto nla_put_failure;
4059 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4060 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4061 goto nla_put_failure;
4065 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4066 goto nla_put_failure;
4068 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4070 goto nla_put_failure;
4072 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4073 goto nla_put_failure;
4075 if (set->field_count > 1 &&
4076 nf_tables_fill_set_concat(skb, set))
4077 goto nla_put_failure;
4079 nla_nest_end(skb, nest);
4081 if (set->num_exprs == 1) {
4082 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4083 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
4084 goto nla_put_failure;
4086 nla_nest_end(skb, nest);
4087 } else if (set->num_exprs > 1) {
4088 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4090 goto nla_put_failure;
4092 for (i = 0; i < set->num_exprs; i++) {
4093 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4095 goto nla_put_failure;
4097 nla_nest_end(skb, nest);
4100 nlmsg_end(skb, nlh);
4104 nlmsg_trim(skb, nlh);
4108 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4109 const struct nft_set *set, int event,
4112 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4113 u32 portid = ctx->portid;
4114 struct sk_buff *skb;
4119 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4122 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4126 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4127 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4129 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4135 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4138 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4141 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4143 const struct nft_set *set;
4144 unsigned int idx, s_idx = cb->args[0];
4145 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4146 struct net *net = sock_net(skb->sk);
4147 struct nft_ctx *ctx = cb->data, ctx_set;
4148 struct nftables_pernet *nft_net;
4154 nft_net = nft_pernet(net);
4155 cb->seq = READ_ONCE(nft_net->base_seq);
4157 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4158 if (ctx->family != NFPROTO_UNSPEC &&
4159 ctx->family != table->family)
4162 if (ctx->table && ctx->table != table)
4166 if (cur_table != table)
4172 list_for_each_entry_rcu(set, &table->sets, list) {
4175 if (!nft_is_active(net, set))
4179 ctx_set.table = table;
4180 ctx_set.family = table->family;
4182 if (nf_tables_fill_set(skb, &ctx_set, set,
4186 cb->args[2] = (unsigned long) table;
4189 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4202 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4204 struct nft_ctx *ctx_dump = NULL;
4206 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4207 if (ctx_dump == NULL)
4210 cb->data = ctx_dump;
4214 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4220 /* called with rcu_read_lock held */
4221 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4222 const struct nlattr * const nla[])
4224 struct netlink_ext_ack *extack = info->extack;
4225 u8 genmask = nft_genmask_cur(info->net);
4226 u8 family = info->nfmsg->nfgen_family;
4227 struct nft_table *table = NULL;
4228 struct net *net = info->net;
4229 const struct nft_set *set;
4230 struct sk_buff *skb2;
4234 if (nla[NFTA_SET_TABLE]) {
4235 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4237 if (IS_ERR(table)) {
4238 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4239 return PTR_ERR(table);
4243 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4245 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4246 struct netlink_dump_control c = {
4247 .start = nf_tables_dump_sets_start,
4248 .dump = nf_tables_dump_sets,
4249 .done = nf_tables_dump_sets_done,
4251 .module = THIS_MODULE,
4254 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4257 /* Only accept unspec with dump */
4258 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4259 return -EAFNOSUPPORT;
4260 if (!nla[NFTA_SET_TABLE])
4263 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4265 return PTR_ERR(set);
4267 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4271 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4273 goto err_fill_set_info;
4275 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4282 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4283 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4286 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4287 struct nft_set_desc *desc)
4289 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4293 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4296 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4297 nft_concat_policy, NULL);
4301 if (!tb[NFTA_SET_FIELD_LEN])
4304 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4305 if (!len || len > U8_MAX)
4308 desc->field_len[desc->field_count++] = len;
4313 static int nft_set_desc_concat(struct nft_set_desc *desc,
4314 const struct nlattr *nla)
4316 struct nlattr *attr;
4320 nla_for_each_nested(attr, nla, rem) {
4321 if (nla_type(attr) != NFTA_LIST_ELEM)
4324 err = nft_set_desc_concat_parse(attr, desc);
4329 for (i = 0; i < desc->field_count; i++)
4330 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4332 if (num_regs > NFT_REG32_COUNT)
4338 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4339 const struct nlattr *nla)
4341 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4344 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4345 nft_set_desc_policy, NULL);
4349 if (da[NFTA_SET_DESC_SIZE] != NULL)
4350 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4351 if (da[NFTA_SET_DESC_CONCAT])
4352 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4357 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4358 const struct nlattr * const *nla,
4359 struct nft_expr **exprs, int *num_exprs,
4362 struct nft_expr *expr;
4365 if (nla[NFTA_SET_EXPR]) {
4366 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4368 err = PTR_ERR(expr);
4369 goto err_set_expr_alloc;
4373 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4377 if (!(flags & NFT_SET_EXPR)) {
4379 goto err_set_expr_alloc;
4382 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4383 if (i == NFT_SET_EXPR_MAX) {
4385 goto err_set_expr_alloc;
4387 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4389 goto err_set_expr_alloc;
4391 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4393 err = PTR_ERR(expr);
4394 goto err_set_expr_alloc;
4404 for (i = 0; i < *num_exprs; i++)
4405 nft_expr_destroy(ctx, exprs[i]);
4410 static bool nft_set_is_same(const struct nft_set *set,
4411 const struct nft_set_desc *desc,
4412 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4416 if (set->ktype != desc->ktype ||
4417 set->dtype != desc->dtype ||
4418 set->flags != flags ||
4419 set->klen != desc->klen ||
4420 set->dlen != desc->dlen ||
4421 set->field_count != desc->field_count ||
4422 set->num_exprs != num_exprs)
4425 for (i = 0; i < desc->field_count; i++) {
4426 if (set->field_len[i] != desc->field_len[i])
4430 for (i = 0; i < num_exprs; i++) {
4431 if (set->exprs[i]->ops != exprs[i]->ops)
4438 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4439 const struct nlattr * const nla[])
4441 struct netlink_ext_ack *extack = info->extack;
4442 u8 genmask = nft_genmask_next(info->net);
4443 u8 family = info->nfmsg->nfgen_family;
4444 const struct nft_set_ops *ops;
4445 struct net *net = info->net;
4446 struct nft_set_desc desc;
4447 struct nft_table *table;
4448 unsigned char *udata;
4449 struct nft_set *set;
4459 if (nla[NFTA_SET_TABLE] == NULL ||
4460 nla[NFTA_SET_NAME] == NULL ||
4461 nla[NFTA_SET_KEY_LEN] == NULL ||
4462 nla[NFTA_SET_ID] == NULL)
4465 memset(&desc, 0, sizeof(desc));
4467 desc.ktype = NFT_DATA_VALUE;
4468 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4469 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4470 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4474 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4475 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4479 if (nla[NFTA_SET_FLAGS] != NULL) {
4480 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4481 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4482 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4483 NFT_SET_MAP | NFT_SET_EVAL |
4484 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4486 /* Only one of these operations is supported */
4487 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4488 (NFT_SET_MAP | NFT_SET_OBJECT))
4490 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4491 (NFT_SET_EVAL | NFT_SET_OBJECT))
4496 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4497 if (!(flags & NFT_SET_MAP))
4500 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4501 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4502 desc.dtype != NFT_DATA_VERDICT)
4505 if (desc.dtype != NFT_DATA_VERDICT) {
4506 if (nla[NFTA_SET_DATA_LEN] == NULL)
4508 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4509 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4512 desc.dlen = sizeof(struct nft_verdict);
4513 } else if (flags & NFT_SET_MAP)
4516 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4517 if (!(flags & NFT_SET_OBJECT))
4520 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4521 if (desc.objtype == NFT_OBJECT_UNSPEC ||
4522 desc.objtype > NFT_OBJECT_MAX)
4524 } else if (flags & NFT_SET_OBJECT)
4527 desc.objtype = NFT_OBJECT_UNSPEC;
4530 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4531 if (!(flags & NFT_SET_TIMEOUT))
4534 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
4539 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4540 if (!(flags & NFT_SET_TIMEOUT))
4542 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4545 desc.policy = NFT_SET_POL_PERFORMANCE;
4546 if (nla[NFTA_SET_POLICY] != NULL)
4547 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4549 if (nla[NFTA_SET_DESC] != NULL) {
4550 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4554 if (desc.field_count > 1 && !(flags & NFT_SET_CONCAT))
4556 } else if (flags & NFT_SET_CONCAT) {
4560 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4563 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4564 NETLINK_CB(skb).portid);
4565 if (IS_ERR(table)) {
4566 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4567 return PTR_ERR(table);
4570 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4572 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4574 if (PTR_ERR(set) != -ENOENT) {
4575 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4576 return PTR_ERR(set);
4579 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
4581 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4582 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4585 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4588 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
4593 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
4594 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4598 for (i = 0; i < num_exprs; i++)
4599 nft_expr_destroy(&ctx, exprs[i]);
4604 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
4607 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
4610 ops = nft_select_set_ops(&ctx, nla, &desc);
4612 return PTR_ERR(ops);
4615 if (nla[NFTA_SET_USERDATA])
4616 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4619 if (ops->privsize != NULL)
4620 size = ops->privsize(nla, &desc);
4621 alloc_size = sizeof(*set) + size + udlen;
4622 if (alloc_size < size || alloc_size > INT_MAX)
4624 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
4628 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
4634 err = nf_tables_set_alloc_name(&ctx, set, name);
4641 udata = set->data + size;
4642 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4645 INIT_LIST_HEAD(&set->bindings);
4646 INIT_LIST_HEAD(&set->catchall_list);
4648 write_pnet(&set->net, net);
4650 set->ktype = desc.ktype;
4651 set->klen = desc.klen;
4652 set->dtype = desc.dtype;
4653 set->objtype = desc.objtype;
4654 set->dlen = desc.dlen;
4656 set->size = desc.size;
4657 set->policy = desc.policy;
4660 set->timeout = desc.timeout;
4661 set->gc_int = desc.gc_int;
4663 set->field_count = desc.field_count;
4664 for (i = 0; i < desc.field_count; i++)
4665 set->field_len[i] = desc.field_len[i];
4667 err = ops->init(set, &desc, nla);
4671 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
4673 goto err_set_destroy;
4675 set->num_exprs = num_exprs;
4676 set->handle = nf_tables_alloc_handle(table);
4678 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4680 goto err_set_expr_alloc;
4682 list_add_tail_rcu(&set->list, &table->sets);
4687 for (i = 0; i < set->num_exprs; i++)
4688 nft_expr_destroy(&ctx, set->exprs[i]);
4698 struct nft_set_elem_catchall {
4699 struct list_head list;
4700 struct rcu_head rcu;
4704 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
4705 struct nft_set *set)
4707 struct nft_set_elem_catchall *next, *catchall;
4709 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
4710 list_del_rcu(&catchall->list);
4711 nft_set_elem_destroy(set, catchall->elem, true);
4712 kfree_rcu(catchall, rcu);
4716 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4720 if (WARN_ON(set->use > 0))
4723 for (i = 0; i < set->num_exprs; i++)
4724 nft_expr_destroy(ctx, set->exprs[i]);
4726 set->ops->destroy(set);
4727 nft_set_catchall_destroy(ctx, set);
4732 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
4733 const struct nlattr * const nla[])
4735 struct netlink_ext_ack *extack = info->extack;
4736 u8 genmask = nft_genmask_next(info->net);
4737 u8 family = info->nfmsg->nfgen_family;
4738 struct net *net = info->net;
4739 const struct nlattr *attr;
4740 struct nft_table *table;
4741 struct nft_set *set;
4744 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4745 return -EAFNOSUPPORT;
4747 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4748 genmask, NETLINK_CB(skb).portid);
4749 if (IS_ERR(table)) {
4750 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4751 return PTR_ERR(table);
4754 if (nla[NFTA_SET_HANDLE]) {
4755 attr = nla[NFTA_SET_HANDLE];
4756 set = nft_set_lookup_byhandle(table, attr, genmask);
4758 attr = nla[NFTA_SET_NAME];
4759 set = nft_set_lookup(table, attr, genmask);
4763 NL_SET_BAD_ATTR(extack, attr);
4764 return PTR_ERR(set);
4767 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
4768 atomic_read(&set->nelems) > 0)) {
4769 NL_SET_BAD_ATTR(extack, attr);
4773 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4775 return nft_delset(&ctx, set);
4778 static int nft_validate_register_store(const struct nft_ctx *ctx,
4779 enum nft_registers reg,
4780 const struct nft_data *data,
4781 enum nft_data_types type,
4784 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
4785 struct nft_set *set,
4786 struct nft_set_elem *elem)
4788 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4789 enum nft_registers dreg;
4791 dreg = nft_type_to_reg(set->dtype);
4792 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4793 set->dtype == NFT_DATA_VERDICT ?
4794 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4798 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4799 struct nft_set *set,
4800 const struct nft_set_iter *iter,
4801 struct nft_set_elem *elem)
4803 return nft_setelem_data_validate(ctx, set, elem);
4806 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
4807 struct nft_set *set)
4809 u8 genmask = nft_genmask_next(ctx->net);
4810 struct nft_set_elem_catchall *catchall;
4811 struct nft_set_elem elem;
4812 struct nft_set_ext *ext;
4815 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4816 ext = nft_set_elem_ext(set, catchall->elem);
4817 if (!nft_set_elem_active(ext, genmask))
4820 elem.priv = catchall->elem;
4821 ret = nft_setelem_data_validate(ctx, set, &elem);
4829 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4830 struct nft_set_binding *binding)
4832 struct nft_set_binding *i;
4833 struct nft_set_iter iter;
4835 if (set->use == UINT_MAX)
4838 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4841 if (binding->flags & NFT_SET_MAP) {
4842 /* If the set is already bound to the same chain all
4843 * jumps are already validated for that chain.
4845 list_for_each_entry(i, &set->bindings, list) {
4846 if (i->flags & NFT_SET_MAP &&
4847 i->chain == binding->chain)
4851 iter.genmask = nft_genmask_next(ctx->net);
4855 iter.fn = nf_tables_bind_check_setelem;
4857 set->ops->walk(ctx, set, &iter);
4859 iter.err = nft_set_catchall_bind_check(ctx, set);
4865 binding->chain = ctx->chain;
4866 list_add_tail_rcu(&binding->list, &set->bindings);
4867 nft_set_trans_bind(ctx, set);
4872 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4874 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4875 struct nft_set_binding *binding, bool event)
4877 list_del_rcu(&binding->list);
4879 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4880 list_del_rcu(&set->list);
4882 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4887 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4888 struct nft_set_binding *binding,
4889 enum nft_trans_phase phase)
4892 case NFT_TRANS_PREPARE:
4895 case NFT_TRANS_ABORT:
4896 case NFT_TRANS_RELEASE:
4900 nf_tables_unbind_set(ctx, set, binding,
4901 phase == NFT_TRANS_COMMIT);
4904 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4906 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4908 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4909 nft_set_destroy(ctx, set);
4911 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4913 const struct nft_set_ext_type nft_set_ext_types[] = {
4914 [NFT_SET_EXT_KEY] = {
4915 .align = __alignof__(u32),
4917 [NFT_SET_EXT_DATA] = {
4918 .align = __alignof__(u32),
4920 [NFT_SET_EXT_EXPRESSIONS] = {
4921 .align = __alignof__(struct nft_set_elem_expr),
4923 [NFT_SET_EXT_OBJREF] = {
4924 .len = sizeof(struct nft_object *),
4925 .align = __alignof__(struct nft_object *),
4927 [NFT_SET_EXT_FLAGS] = {
4929 .align = __alignof__(u8),
4931 [NFT_SET_EXT_TIMEOUT] = {
4933 .align = __alignof__(u64),
4935 [NFT_SET_EXT_EXPIRATION] = {
4937 .align = __alignof__(u64),
4939 [NFT_SET_EXT_USERDATA] = {
4940 .len = sizeof(struct nft_userdata),
4941 .align = __alignof__(struct nft_userdata),
4943 [NFT_SET_EXT_KEY_END] = {
4944 .align = __alignof__(u32),
4952 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4953 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4954 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4955 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4956 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4957 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4958 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4959 .len = NFT_USERDATA_MAXLEN },
4960 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4961 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4962 .len = NFT_OBJ_MAXNAMELEN - 1 },
4963 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4964 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
4967 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4968 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4969 .len = NFT_TABLE_MAXNAMELEN - 1 },
4970 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4971 .len = NFT_SET_MAXNAMELEN - 1 },
4972 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4973 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4976 static int nft_set_elem_expr_dump(struct sk_buff *skb,
4977 const struct nft_set *set,
4978 const struct nft_set_ext *ext)
4980 struct nft_set_elem_expr *elem_expr;
4981 u32 size, num_exprs = 0;
4982 struct nft_expr *expr;
4983 struct nlattr *nest;
4985 elem_expr = nft_set_ext_expr(ext);
4986 nft_setelem_expr_foreach(expr, elem_expr, size)
4989 if (num_exprs == 1) {
4990 expr = nft_setelem_expr_at(elem_expr, 0);
4991 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4995 } else if (num_exprs > 1) {
4996 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4998 goto nla_put_failure;
5000 nft_setelem_expr_foreach(expr, elem_expr, size) {
5001 expr = nft_setelem_expr_at(elem_expr, size);
5002 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
5003 goto nla_put_failure;
5005 nla_nest_end(skb, nest);
5013 static int nf_tables_fill_setelem(struct sk_buff *skb,
5014 const struct nft_set *set,
5015 const struct nft_set_elem *elem)
5017 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5018 unsigned char *b = skb_tail_pointer(skb);
5019 struct nlattr *nest;
5021 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5023 goto nla_put_failure;
5025 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5026 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5027 NFT_DATA_VALUE, set->klen) < 0)
5028 goto nla_put_failure;
5030 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5031 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5032 NFT_DATA_VALUE, set->klen) < 0)
5033 goto nla_put_failure;
5035 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5036 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5037 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5039 goto nla_put_failure;
5041 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5042 nft_set_elem_expr_dump(skb, set, ext))
5043 goto nla_put_failure;
5045 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5046 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5047 (*nft_set_ext_obj(ext))->key.name) < 0)
5048 goto nla_put_failure;
5050 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5051 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5052 htonl(*nft_set_ext_flags(ext))))
5053 goto nla_put_failure;
5055 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5056 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5057 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5059 goto nla_put_failure;
5061 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5062 u64 expires, now = get_jiffies_64();
5064 expires = *nft_set_ext_expiration(ext);
5065 if (time_before64(now, expires))
5070 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5071 nf_jiffies64_to_msecs(expires),
5073 goto nla_put_failure;
5076 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5077 struct nft_userdata *udata;
5079 udata = nft_set_ext_userdata(ext);
5080 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5081 udata->len + 1, udata->data))
5082 goto nla_put_failure;
5085 nla_nest_end(skb, nest);
5093 struct nft_set_dump_args {
5094 const struct netlink_callback *cb;
5095 struct nft_set_iter iter;
5096 struct sk_buff *skb;
5099 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5100 struct nft_set *set,
5101 const struct nft_set_iter *iter,
5102 struct nft_set_elem *elem)
5104 struct nft_set_dump_args *args;
5106 args = container_of(iter, struct nft_set_dump_args, iter);
5107 return nf_tables_fill_setelem(args->skb, set, elem);
5110 struct nft_set_dump_ctx {
5111 const struct nft_set *set;
5115 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5116 const struct nft_set *set)
5118 struct nft_set_elem_catchall *catchall;
5119 u8 genmask = nft_genmask_cur(net);
5120 struct nft_set_elem elem;
5121 struct nft_set_ext *ext;
5124 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5125 ext = nft_set_elem_ext(set, catchall->elem);
5126 if (!nft_set_elem_active(ext, genmask) ||
5127 nft_set_elem_expired(ext))
5130 elem.priv = catchall->elem;
5131 ret = nf_tables_fill_setelem(skb, set, &elem);
5138 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5140 struct nft_set_dump_ctx *dump_ctx = cb->data;
5141 struct net *net = sock_net(skb->sk);
5142 struct nftables_pernet *nft_net;
5143 struct nft_table *table;
5144 struct nft_set *set;
5145 struct nft_set_dump_args args;
5146 bool set_found = false;
5147 struct nlmsghdr *nlh;
5148 struct nlattr *nest;
5153 nft_net = nft_pernet(net);
5154 cb->seq = READ_ONCE(nft_net->base_seq);
5156 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5157 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5158 dump_ctx->ctx.family != table->family)
5161 if (table != dump_ctx->ctx.table)
5164 list_for_each_entry_rcu(set, &table->sets, list) {
5165 if (set == dump_ctx->set) {
5178 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5179 portid = NETLINK_CB(cb->skb).portid;
5180 seq = cb->nlh->nlmsg_seq;
5182 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5183 table->family, NFNETLINK_V0, nft_base_seq(net));
5185 goto nla_put_failure;
5187 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5188 goto nla_put_failure;
5189 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5190 goto nla_put_failure;
5192 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5194 goto nla_put_failure;
5198 args.iter.genmask = nft_genmask_cur(net);
5199 args.iter.skip = cb->args[0];
5200 args.iter.count = 0;
5202 args.iter.fn = nf_tables_dump_setelem;
5203 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5205 if (!args.iter.err && args.iter.count == cb->args[0])
5206 args.iter.err = nft_set_catchall_dump(net, skb, set);
5209 nla_nest_end(skb, nest);
5210 nlmsg_end(skb, nlh);
5212 if (args.iter.err && args.iter.err != -EMSGSIZE)
5213 return args.iter.err;
5214 if (args.iter.count == cb->args[0])
5217 cb->args[0] = args.iter.count;
5225 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5227 struct nft_set_dump_ctx *dump_ctx = cb->data;
5229 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5231 return cb->data ? 0 : -ENOMEM;
5234 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5240 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5241 const struct nft_ctx *ctx, u32 seq,
5242 u32 portid, int event, u16 flags,
5243 const struct nft_set *set,
5244 const struct nft_set_elem *elem)
5246 struct nlmsghdr *nlh;
5247 struct nlattr *nest;
5250 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5251 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5252 NFNETLINK_V0, nft_base_seq(ctx->net));
5254 goto nla_put_failure;
5256 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5257 goto nla_put_failure;
5258 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5259 goto nla_put_failure;
5261 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5263 goto nla_put_failure;
5265 err = nf_tables_fill_setelem(skb, set, elem);
5267 goto nla_put_failure;
5269 nla_nest_end(skb, nest);
5271 nlmsg_end(skb, nlh);
5275 nlmsg_trim(skb, nlh);
5279 static int nft_setelem_parse_flags(const struct nft_set *set,
5280 const struct nlattr *attr, u32 *flags)
5285 *flags = ntohl(nla_get_be32(attr));
5286 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5288 if (!(set->flags & NFT_SET_INTERVAL) &&
5289 *flags & NFT_SET_ELEM_INTERVAL_END)
5291 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
5292 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5298 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
5299 struct nft_data *key, struct nlattr *attr)
5301 struct nft_data_desc desc = {
5302 .type = NFT_DATA_VALUE,
5303 .size = NFT_DATA_VALUE_MAXLEN,
5307 return nft_data_init(ctx, key, &desc, attr);
5310 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5311 struct nft_data_desc *desc,
5312 struct nft_data *data,
5313 struct nlattr *attr)
5317 if (set->dtype == NFT_DATA_VERDICT)
5318 dtype = NFT_DATA_VERDICT;
5320 dtype = NFT_DATA_VALUE;
5323 desc->size = NFT_DATA_VALUE_MAXLEN;
5324 desc->len = set->dlen;
5325 desc->flags = NFT_DATA_DESC_SETELEM;
5327 return nft_data_init(ctx, data, desc, attr);
5330 static void *nft_setelem_catchall_get(const struct net *net,
5331 const struct nft_set *set)
5333 struct nft_set_elem_catchall *catchall;
5334 u8 genmask = nft_genmask_cur(net);
5335 struct nft_set_ext *ext;
5338 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5339 ext = nft_set_elem_ext(set, catchall->elem);
5340 if (!nft_set_elem_active(ext, genmask) ||
5341 nft_set_elem_expired(ext))
5344 priv = catchall->elem;
5351 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
5352 struct nft_set_elem *elem, u32 flags)
5356 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
5357 priv = set->ops->get(ctx->net, set, elem, flags);
5359 return PTR_ERR(priv);
5361 priv = nft_setelem_catchall_get(ctx->net, set);
5370 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5371 const struct nlattr *attr)
5373 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5374 struct nft_set_elem elem;
5375 struct sk_buff *skb;
5379 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5380 nft_set_elem_policy, NULL);
5384 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5388 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5391 if (nla[NFTA_SET_ELEM_KEY]) {
5392 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5393 nla[NFTA_SET_ELEM_KEY]);
5398 if (nla[NFTA_SET_ELEM_KEY_END]) {
5399 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5400 nla[NFTA_SET_ELEM_KEY_END]);
5405 err = nft_setelem_get(ctx, set, &elem, flags);
5410 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5414 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5415 NFT_MSG_NEWSETELEM, 0, set, &elem);
5417 goto err_fill_setelem;
5419 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5426 /* called with rcu_read_lock held */
5427 static int nf_tables_getsetelem(struct sk_buff *skb,
5428 const struct nfnl_info *info,
5429 const struct nlattr * const nla[])
5431 struct netlink_ext_ack *extack = info->extack;
5432 u8 genmask = nft_genmask_cur(info->net);
5433 u8 family = info->nfmsg->nfgen_family;
5434 struct net *net = info->net;
5435 struct nft_table *table;
5436 struct nft_set *set;
5437 struct nlattr *attr;
5441 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
5443 if (IS_ERR(table)) {
5444 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
5445 return PTR_ERR(table);
5448 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5450 return PTR_ERR(set);
5452 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5454 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5455 struct netlink_dump_control c = {
5456 .start = nf_tables_dump_set_start,
5457 .dump = nf_tables_dump_set,
5458 .done = nf_tables_dump_set_done,
5459 .module = THIS_MODULE,
5461 struct nft_set_dump_ctx dump_ctx = {
5467 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5470 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5473 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5474 err = nft_get_set_elem(&ctx, set, attr);
5476 NL_SET_BAD_ATTR(extack, attr);
5484 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5485 const struct nft_set *set,
5486 const struct nft_set_elem *elem,
5489 struct nftables_pernet *nft_net;
5490 struct net *net = ctx->net;
5491 u32 portid = ctx->portid;
5492 struct sk_buff *skb;
5496 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5499 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5503 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
5504 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
5506 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5513 nft_net = nft_pernet(net);
5514 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5517 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5520 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5522 struct nft_set *set)
5524 struct nft_trans *trans;
5526 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5530 nft_trans_elem_set(trans) = set;
5534 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5535 const struct nft_set *set,
5536 const struct nlattr *attr)
5538 struct nft_expr *expr;
5541 expr = nft_expr_init(ctx, attr);
5546 if (expr->ops->type->flags & NFT_EXPR_GC) {
5547 if (set->flags & NFT_SET_TIMEOUT)
5548 goto err_set_elem_expr;
5549 if (!set->ops->gc_init)
5550 goto err_set_elem_expr;
5551 set->ops->gc_init(set);
5557 nft_expr_destroy(ctx, expr);
5558 return ERR_PTR(err);
5561 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
5563 len += nft_set_ext_types[id].len;
5564 if (len > tmpl->ext_len[id] ||
5571 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
5572 void *to, const void *from, u32 len)
5574 if (nft_set_ext_check(tmpl, id, len) < 0)
5577 memcpy(to, from, len);
5582 void *nft_set_elem_init(const struct nft_set *set,
5583 const struct nft_set_ext_tmpl *tmpl,
5584 const u32 *key, const u32 *key_end,
5585 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5587 struct nft_set_ext *ext;
5590 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5592 return ERR_PTR(-ENOMEM);
5594 ext = nft_set_elem_ext(set, elem);
5595 nft_set_ext_init(ext, tmpl);
5597 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5598 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
5599 nft_set_ext_key(ext), key, set->klen) < 0)
5602 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5603 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
5604 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
5607 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5608 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
5609 nft_set_ext_data(ext), data, set->dlen) < 0)
5612 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5613 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5614 if (expiration == 0)
5615 *nft_set_ext_expiration(ext) += timeout;
5617 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5618 *nft_set_ext_timeout(ext) = timeout;
5625 return ERR_PTR(-EINVAL);
5628 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5629 struct nft_expr *expr)
5631 if (expr->ops->destroy_clone) {
5632 expr->ops->destroy_clone(ctx, expr);
5633 module_put(expr->ops->type->owner);
5635 nf_tables_expr_destroy(ctx, expr);
5639 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5640 struct nft_set_elem_expr *elem_expr)
5642 struct nft_expr *expr;
5645 nft_setelem_expr_foreach(expr, elem_expr, size)
5646 __nft_set_elem_expr_destroy(ctx, expr);
5649 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5652 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5653 struct nft_ctx ctx = {
5654 .net = read_pnet(&set->net),
5655 .family = set->table->family,
5658 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5659 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5660 nft_data_release(nft_set_ext_data(ext), set->dtype);
5661 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5662 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5664 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5665 (*nft_set_ext_obj(ext))->use--;
5668 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5670 /* Only called from commit path, nft_setelem_data_deactivate() already deals
5671 * with the refcounting from the preparation phase.
5673 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5674 const struct nft_set *set, void *elem)
5676 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5678 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5679 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5684 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5685 struct nft_expr *expr_array[])
5687 struct nft_expr *expr;
5690 for (i = 0; i < set->num_exprs; i++) {
5691 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
5695 err = nft_expr_clone(expr, set->exprs[i]);
5700 expr_array[i] = expr;
5706 for (k = i - 1; k >= 0; k--)
5707 nft_expr_destroy(ctx, expr_array[k]);
5712 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
5713 const struct nft_set_ext_tmpl *tmpl,
5714 const struct nft_set_ext *ext,
5715 struct nft_expr *expr_array[],
5718 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5719 u32 len = sizeof(struct nft_set_elem_expr);
5720 struct nft_expr *expr;
5726 for (i = 0; i < num_exprs; i++)
5727 len += expr_array[i]->ops->size;
5729 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
5732 for (i = 0; i < num_exprs; i++) {
5733 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5734 err = nft_expr_clone(expr, expr_array[i]);
5736 goto err_elem_expr_setup;
5738 elem_expr->size += expr_array[i]->ops->size;
5739 nft_expr_destroy(ctx, expr_array[i]);
5740 expr_array[i] = NULL;
5745 err_elem_expr_setup:
5746 for (; i < num_exprs; i++) {
5747 nft_expr_destroy(ctx, expr_array[i]);
5748 expr_array[i] = NULL;
5754 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
5755 const struct nft_set *set)
5757 struct nft_set_elem_catchall *catchall;
5758 u8 genmask = nft_genmask_cur(net);
5759 struct nft_set_ext *ext;
5761 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5762 ext = nft_set_elem_ext(set, catchall->elem);
5763 if (nft_set_elem_active(ext, genmask) &&
5764 !nft_set_elem_expired(ext))
5770 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
5772 void *nft_set_catchall_gc(const struct nft_set *set)
5774 struct nft_set_elem_catchall *catchall, *next;
5775 struct nft_set_ext *ext;
5778 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5779 ext = nft_set_elem_ext(set, catchall->elem);
5781 if (!nft_set_elem_expired(ext) ||
5782 nft_set_elem_mark_busy(ext))
5785 elem = catchall->elem;
5786 list_del_rcu(&catchall->list);
5787 kfree_rcu(catchall, rcu);
5793 EXPORT_SYMBOL_GPL(nft_set_catchall_gc);
5795 static int nft_setelem_catchall_insert(const struct net *net,
5796 struct nft_set *set,
5797 const struct nft_set_elem *elem,
5798 struct nft_set_ext **pext)
5800 struct nft_set_elem_catchall *catchall;
5801 u8 genmask = nft_genmask_next(net);
5802 struct nft_set_ext *ext;
5804 list_for_each_entry(catchall, &set->catchall_list, list) {
5805 ext = nft_set_elem_ext(set, catchall->elem);
5806 if (nft_set_elem_active(ext, genmask)) {
5812 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
5816 catchall->elem = elem->priv;
5817 list_add_tail_rcu(&catchall->list, &set->catchall_list);
5822 static int nft_setelem_insert(const struct net *net,
5823 struct nft_set *set,
5824 const struct nft_set_elem *elem,
5825 struct nft_set_ext **ext, unsigned int flags)
5829 if (flags & NFT_SET_ELEM_CATCHALL)
5830 ret = nft_setelem_catchall_insert(net, set, elem, ext);
5832 ret = set->ops->insert(net, set, elem, ext);
5837 static bool nft_setelem_is_catchall(const struct nft_set *set,
5838 const struct nft_set_elem *elem)
5840 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5842 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5843 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
5849 static void nft_setelem_activate(struct net *net, struct nft_set *set,
5850 struct nft_set_elem *elem)
5852 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5854 if (nft_setelem_is_catchall(set, elem)) {
5855 nft_set_elem_change_active(net, set, ext);
5856 nft_set_elem_clear_busy(ext);
5858 set->ops->activate(net, set, elem);
5862 static int nft_setelem_catchall_deactivate(const struct net *net,
5863 struct nft_set *set,
5864 struct nft_set_elem *elem)
5866 struct nft_set_elem_catchall *catchall;
5867 struct nft_set_ext *ext;
5869 list_for_each_entry(catchall, &set->catchall_list, list) {
5870 ext = nft_set_elem_ext(set, catchall->elem);
5871 if (!nft_is_active(net, ext) ||
5872 nft_set_elem_mark_busy(ext))
5876 elem->priv = catchall->elem;
5877 nft_set_elem_change_active(net, set, ext);
5884 static int __nft_setelem_deactivate(const struct net *net,
5885 struct nft_set *set,
5886 struct nft_set_elem *elem)
5890 priv = set->ops->deactivate(net, set, elem);
5901 static int nft_setelem_deactivate(const struct net *net,
5902 struct nft_set *set,
5903 struct nft_set_elem *elem, u32 flags)
5907 if (flags & NFT_SET_ELEM_CATCHALL)
5908 ret = nft_setelem_catchall_deactivate(net, set, elem);
5910 ret = __nft_setelem_deactivate(net, set, elem);
5915 static void nft_setelem_catchall_remove(const struct net *net,
5916 const struct nft_set *set,
5917 const struct nft_set_elem *elem)
5919 struct nft_set_elem_catchall *catchall, *next;
5921 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5922 if (catchall->elem == elem->priv) {
5923 list_del_rcu(&catchall->list);
5924 kfree_rcu(catchall, rcu);
5930 static void nft_setelem_remove(const struct net *net,
5931 const struct nft_set *set,
5932 const struct nft_set_elem *elem)
5934 if (nft_setelem_is_catchall(set, elem))
5935 nft_setelem_catchall_remove(net, set, elem);
5937 set->ops->remove(net, set, elem);
5940 static bool nft_setelem_valid_key_end(const struct nft_set *set,
5941 struct nlattr **nla, u32 flags)
5943 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
5944 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
5945 if (flags & NFT_SET_ELEM_INTERVAL_END)
5948 if (nla[NFTA_SET_ELEM_KEY_END] &&
5949 flags & NFT_SET_ELEM_CATCHALL)
5952 if (nla[NFTA_SET_ELEM_KEY_END])
5959 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5960 const struct nlattr *attr, u32 nlmsg_flags)
5962 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5963 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5964 u8 genmask = nft_genmask_next(ctx->net);
5965 u32 flags = 0, size = 0, num_exprs = 0;
5966 struct nft_set_ext_tmpl tmpl;
5967 struct nft_set_ext *ext, *ext2;
5968 struct nft_set_elem elem;
5969 struct nft_set_binding *binding;
5970 struct nft_object *obj = NULL;
5971 struct nft_userdata *udata;
5972 struct nft_data_desc desc;
5973 enum nft_registers dreg;
5974 struct nft_trans *trans;
5980 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5981 nft_set_elem_policy, NULL);
5985 nft_set_ext_prepare(&tmpl);
5987 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5991 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5995 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6000 if (set->flags & NFT_SET_MAP) {
6001 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6002 !(flags & NFT_SET_ELEM_INTERVAL_END))
6005 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6009 if (set->flags & NFT_SET_OBJECT) {
6010 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6011 !(flags & NFT_SET_ELEM_INTERVAL_END))
6014 if (nla[NFTA_SET_ELEM_OBJREF])
6018 if (!nft_setelem_valid_key_end(set, nla, flags))
6021 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6022 (nla[NFTA_SET_ELEM_DATA] ||
6023 nla[NFTA_SET_ELEM_OBJREF] ||
6024 nla[NFTA_SET_ELEM_TIMEOUT] ||
6025 nla[NFTA_SET_ELEM_EXPIRATION] ||
6026 nla[NFTA_SET_ELEM_USERDATA] ||
6027 nla[NFTA_SET_ELEM_EXPR] ||
6028 nla[NFTA_SET_ELEM_KEY_END] ||
6029 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6033 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6034 if (!(set->flags & NFT_SET_TIMEOUT))
6036 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6040 } else if (set->flags & NFT_SET_TIMEOUT &&
6041 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6042 timeout = READ_ONCE(set->timeout);
6046 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6047 if (!(set->flags & NFT_SET_TIMEOUT))
6049 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6055 if (nla[NFTA_SET_ELEM_EXPR]) {
6056 struct nft_expr *expr;
6058 if (set->num_exprs && set->num_exprs != 1)
6061 expr = nft_set_elem_expr_alloc(ctx, set,
6062 nla[NFTA_SET_ELEM_EXPR]);
6064 return PTR_ERR(expr);
6066 expr_array[0] = expr;
6069 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6071 goto err_set_elem_expr;
6073 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6074 struct nft_expr *expr;
6079 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6080 if (i == NFT_SET_EXPR_MAX ||
6081 (set->num_exprs && set->num_exprs == i)) {
6083 goto err_set_elem_expr;
6085 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6087 goto err_set_elem_expr;
6089 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6091 err = PTR_ERR(expr);
6092 goto err_set_elem_expr;
6094 expr_array[i] = expr;
6097 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6099 goto err_set_elem_expr;
6103 if (set->num_exprs && set->num_exprs != i) {
6105 goto err_set_elem_expr;
6107 } else if (set->num_exprs > 0 &&
6108 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6109 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6111 goto err_set_elem_expr_clone;
6113 num_exprs = set->num_exprs;
6116 if (nla[NFTA_SET_ELEM_KEY]) {
6117 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6118 nla[NFTA_SET_ELEM_KEY]);
6120 goto err_set_elem_expr;
6122 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6127 if (nla[NFTA_SET_ELEM_KEY_END]) {
6128 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6129 nla[NFTA_SET_ELEM_KEY_END]);
6133 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6135 goto err_parse_key_end;
6139 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6141 goto err_parse_key_end;
6143 if (timeout != READ_ONCE(set->timeout)) {
6144 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6146 goto err_parse_key_end;
6151 for (i = 0; i < num_exprs; i++)
6152 size += expr_array[i]->ops->size;
6154 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6155 sizeof(struct nft_set_elem_expr) + size);
6157 goto err_parse_key_end;
6160 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6161 obj = nft_obj_lookup(ctx->net, ctx->table,
6162 nla[NFTA_SET_ELEM_OBJREF],
6163 set->objtype, genmask);
6166 goto err_parse_key_end;
6168 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6170 goto err_parse_key_end;
6173 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6174 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
6175 nla[NFTA_SET_ELEM_DATA]);
6177 goto err_parse_key_end;
6179 dreg = nft_type_to_reg(set->dtype);
6180 list_for_each_entry(binding, &set->bindings, list) {
6181 struct nft_ctx bind_ctx = {
6183 .family = ctx->family,
6184 .table = ctx->table,
6185 .chain = (struct nft_chain *)binding->chain,
6188 if (!(binding->flags & NFT_SET_MAP))
6191 err = nft_validate_register_store(&bind_ctx, dreg,
6193 desc.type, desc.len);
6195 goto err_parse_data;
6197 if (desc.type == NFT_DATA_VERDICT &&
6198 (elem.data.val.verdict.code == NFT_GOTO ||
6199 elem.data.val.verdict.code == NFT_JUMP))
6200 nft_validate_state_update(ctx->net,
6204 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
6206 goto err_parse_data;
6209 /* The full maximum length of userdata can exceed the maximum
6210 * offset value (U8_MAX) for following extensions, therefor it
6211 * must be the last extension added.
6214 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
6215 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
6217 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
6220 goto err_parse_data;
6224 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6225 elem.key_end.val.data, elem.data.val.data,
6226 timeout, expiration, GFP_KERNEL_ACCOUNT);
6227 if (IS_ERR(elem.priv)) {
6228 err = PTR_ERR(elem.priv);
6229 goto err_parse_data;
6232 ext = nft_set_elem_ext(set, elem.priv);
6234 *nft_set_ext_flags(ext) = flags;
6237 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
6239 goto err_elem_userdata;
6241 udata = nft_set_ext_userdata(ext);
6242 udata->len = ulen - 1;
6243 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
6246 *nft_set_ext_obj(ext) = obj;
6249 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
6253 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
6254 if (trans == NULL) {
6259 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
6261 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags);
6263 if (err == -EEXIST) {
6264 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
6265 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
6266 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
6267 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
6268 goto err_element_clash;
6269 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6270 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
6271 memcmp(nft_set_ext_data(ext),
6272 nft_set_ext_data(ext2), set->dlen) != 0) ||
6273 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
6274 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
6275 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
6276 goto err_element_clash;
6277 else if (!(nlmsg_flags & NLM_F_EXCL))
6279 } else if (err == -ENOTEMPTY) {
6280 /* ENOTEMPTY reports overlapping between this element
6281 * and an existing one.
6285 goto err_element_clash;
6288 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size &&
6289 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
6294 nft_trans_elem(trans) = elem;
6295 nft_trans_commit_list_add_tail(ctx->net, trans);
6299 nft_setelem_remove(ctx->net, set, &elem);
6306 nf_tables_set_elem_destroy(ctx, set, elem.priv);
6308 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6309 nft_data_release(&elem.data.val, desc.type);
6311 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6313 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6315 for (i = 0; i < num_exprs && expr_array[i]; i++)
6316 nft_expr_destroy(ctx, expr_array[i]);
6317 err_set_elem_expr_clone:
6321 static int nf_tables_newsetelem(struct sk_buff *skb,
6322 const struct nfnl_info *info,
6323 const struct nlattr * const nla[])
6325 struct nftables_pernet *nft_net = nft_pernet(info->net);
6326 struct netlink_ext_ack *extack = info->extack;
6327 u8 genmask = nft_genmask_next(info->net);
6328 u8 family = info->nfmsg->nfgen_family;
6329 struct net *net = info->net;
6330 const struct nlattr *attr;
6331 struct nft_table *table;
6332 struct nft_set *set;
6336 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
6339 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6340 genmask, NETLINK_CB(skb).portid);
6341 if (IS_ERR(table)) {
6342 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6343 return PTR_ERR(table);
6346 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
6347 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
6349 return PTR_ERR(set);
6351 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6354 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6356 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6357 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
6359 NL_SET_BAD_ATTR(extack, attr);
6364 if (nft_net->validate_state == NFT_VALIDATE_DO)
6365 return nft_table_validate(net, table);
6371 * nft_data_hold - hold a nft_data item
6373 * @data: struct nft_data to release
6374 * @type: type of data
6376 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6377 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
6378 * NFT_GOTO verdicts. This function must be called on active data objects
6379 * from the second phase of the commit protocol.
6381 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
6383 struct nft_chain *chain;
6384 struct nft_rule *rule;
6386 if (type == NFT_DATA_VERDICT) {
6387 switch (data->verdict.code) {
6390 chain = data->verdict.chain;
6393 if (!nft_chain_is_bound(chain))
6396 chain->table->use++;
6397 list_for_each_entry(rule, &chain->rules, list)
6400 nft_chain_add(chain->table, chain);
6406 static void nft_setelem_data_activate(const struct net *net,
6407 const struct nft_set *set,
6408 struct nft_set_elem *elem)
6410 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6412 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6413 nft_data_hold(nft_set_ext_data(ext), set->dtype);
6414 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6415 (*nft_set_ext_obj(ext))->use++;
6418 static void nft_setelem_data_deactivate(const struct net *net,
6419 const struct nft_set *set,
6420 struct nft_set_elem *elem)
6422 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6424 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6425 nft_data_release(nft_set_ext_data(ext), set->dtype);
6426 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6427 (*nft_set_ext_obj(ext))->use--;
6430 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
6431 const struct nlattr *attr)
6433 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6434 struct nft_set_ext_tmpl tmpl;
6435 struct nft_set_elem elem;
6436 struct nft_set_ext *ext;
6437 struct nft_trans *trans;
6441 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6442 nft_set_elem_policy, NULL);
6446 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6450 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6453 if (!nft_setelem_valid_key_end(set, nla, flags))
6456 nft_set_ext_prepare(&tmpl);
6459 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6464 if (nla[NFTA_SET_ELEM_KEY]) {
6465 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6466 nla[NFTA_SET_ELEM_KEY]);
6470 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6475 if (nla[NFTA_SET_ELEM_KEY_END]) {
6476 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6477 nla[NFTA_SET_ELEM_KEY_END]);
6481 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6483 goto fail_elem_key_end;
6487 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6488 elem.key_end.val.data, NULL, 0, 0,
6489 GFP_KERNEL_ACCOUNT);
6490 if (IS_ERR(elem.priv)) {
6491 err = PTR_ERR(elem.priv);
6492 goto fail_elem_key_end;
6495 ext = nft_set_elem_ext(set, elem.priv);
6497 *nft_set_ext_flags(ext) = flags;
6499 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
6503 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
6507 nft_setelem_data_deactivate(ctx->net, set, &elem);
6509 nft_trans_elem(trans) = elem;
6510 nft_trans_commit_list_add_tail(ctx->net, trans);
6518 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6520 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6524 static int nft_setelem_flush(const struct nft_ctx *ctx,
6525 struct nft_set *set,
6526 const struct nft_set_iter *iter,
6527 struct nft_set_elem *elem)
6529 struct nft_trans *trans;
6532 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6533 sizeof(struct nft_trans_elem), GFP_ATOMIC);
6537 if (!set->ops->flush(ctx->net, set, elem->priv)) {
6543 nft_setelem_data_deactivate(ctx->net, set, elem);
6544 nft_trans_elem_set(trans) = set;
6545 nft_trans_elem(trans) = *elem;
6546 nft_trans_commit_list_add_tail(ctx->net, trans);
6554 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
6555 struct nft_set *set,
6556 struct nft_set_elem *elem)
6558 struct nft_trans *trans;
6560 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6561 sizeof(struct nft_trans_elem), GFP_KERNEL);
6565 nft_setelem_data_deactivate(ctx->net, set, elem);
6566 nft_trans_elem_set(trans) = set;
6567 nft_trans_elem(trans) = *elem;
6568 nft_trans_commit_list_add_tail(ctx->net, trans);
6573 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
6574 struct nft_set *set)
6576 u8 genmask = nft_genmask_next(ctx->net);
6577 struct nft_set_elem_catchall *catchall;
6578 struct nft_set_elem elem;
6579 struct nft_set_ext *ext;
6582 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6583 ext = nft_set_elem_ext(set, catchall->elem);
6584 if (!nft_set_elem_active(ext, genmask) ||
6585 nft_set_elem_mark_busy(ext))
6588 elem.priv = catchall->elem;
6589 ret = __nft_set_catchall_flush(ctx, set, &elem);
6597 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
6599 struct nft_set_iter iter = {
6601 .fn = nft_setelem_flush,
6604 set->ops->walk(ctx, set, &iter);
6606 iter.err = nft_set_catchall_flush(ctx, set);
6611 static int nf_tables_delsetelem(struct sk_buff *skb,
6612 const struct nfnl_info *info,
6613 const struct nlattr * const nla[])
6615 struct netlink_ext_ack *extack = info->extack;
6616 u8 genmask = nft_genmask_next(info->net);
6617 u8 family = info->nfmsg->nfgen_family;
6618 struct net *net = info->net;
6619 const struct nlattr *attr;
6620 struct nft_table *table;
6621 struct nft_set *set;
6625 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6626 genmask, NETLINK_CB(skb).portid);
6627 if (IS_ERR(table)) {
6628 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6629 return PTR_ERR(table);
6632 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6634 return PTR_ERR(set);
6635 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6638 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6640 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6641 return nft_set_flush(&ctx, set, genmask);
6643 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6644 err = nft_del_setelem(&ctx, set, attr);
6646 NL_SET_BAD_ATTR(extack, attr);
6653 void nft_set_gc_batch_release(struct rcu_head *rcu)
6655 struct nft_set_gc_batch *gcb;
6658 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
6659 for (i = 0; i < gcb->head.cnt; i++)
6660 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
6664 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
6667 struct nft_set_gc_batch *gcb;
6669 gcb = kzalloc(sizeof(*gcb), gfp);
6672 gcb->head.set = set;
6681 * nft_register_obj- register nf_tables stateful object type
6682 * @obj_type: object type
6684 * Registers the object type for use with nf_tables. Returns zero on
6685 * success or a negative errno code otherwise.
6687 int nft_register_obj(struct nft_object_type *obj_type)
6689 if (obj_type->type == NFT_OBJECT_UNSPEC)
6692 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6693 list_add_rcu(&obj_type->list, &nf_tables_objects);
6694 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6697 EXPORT_SYMBOL_GPL(nft_register_obj);
6700 * nft_unregister_obj - unregister nf_tables object type
6701 * @obj_type: object type
6703 * Unregisters the object type for use with nf_tables.
6705 void nft_unregister_obj(struct nft_object_type *obj_type)
6707 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6708 list_del_rcu(&obj_type->list);
6709 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6711 EXPORT_SYMBOL_GPL(nft_unregister_obj);
6713 struct nft_object *nft_obj_lookup(const struct net *net,
6714 const struct nft_table *table,
6715 const struct nlattr *nla, u32 objtype,
6718 struct nft_object_hash_key k = { .table = table };
6719 char search[NFT_OBJ_MAXNAMELEN];
6720 struct rhlist_head *tmp, *list;
6721 struct nft_object *obj;
6723 nla_strscpy(search, nla, sizeof(search));
6726 WARN_ON_ONCE(!rcu_read_lock_held() &&
6727 !lockdep_commit_lock_is_held(net));
6730 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
6734 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
6735 if (objtype == obj->ops->type->type &&
6736 nft_active_genmask(obj, genmask)) {
6743 return ERR_PTR(-ENOENT);
6745 EXPORT_SYMBOL_GPL(nft_obj_lookup);
6747 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
6748 const struct nlattr *nla,
6749 u32 objtype, u8 genmask)
6751 struct nft_object *obj;
6753 list_for_each_entry(obj, &table->objects, list) {
6754 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
6755 objtype == obj->ops->type->type &&
6756 nft_active_genmask(obj, genmask))
6759 return ERR_PTR(-ENOENT);
6762 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
6763 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
6764 .len = NFT_TABLE_MAXNAMELEN - 1 },
6765 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
6766 .len = NFT_OBJ_MAXNAMELEN - 1 },
6767 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
6768 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
6769 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
6770 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
6771 .len = NFT_USERDATA_MAXLEN },
6774 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
6775 const struct nft_object_type *type,
6776 const struct nlattr *attr)
6779 const struct nft_object_ops *ops;
6780 struct nft_object *obj;
6783 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
6788 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6789 type->policy, NULL);
6793 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6796 if (type->select_ops) {
6797 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6807 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
6811 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6824 return ERR_PTR(err);
6827 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6828 struct nft_object *obj, bool reset)
6830 struct nlattr *nest;
6832 nest = nla_nest_start_noflag(skb, attr);
6834 goto nla_put_failure;
6835 if (obj->ops->dump(skb, obj, reset) < 0)
6836 goto nla_put_failure;
6837 nla_nest_end(skb, nest);
6844 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6846 const struct nft_object_type *type;
6848 list_for_each_entry(type, &nf_tables_objects, list) {
6849 if (objtype == type->type)
6855 static const struct nft_object_type *
6856 nft_obj_type_get(struct net *net, u32 objtype)
6858 const struct nft_object_type *type;
6860 type = __nft_obj_type_get(objtype);
6861 if (type != NULL && try_module_get(type->owner))
6864 lockdep_nfnl_nft_mutex_not_held();
6865 #ifdef CONFIG_MODULES
6867 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6868 return ERR_PTR(-EAGAIN);
6871 return ERR_PTR(-ENOENT);
6874 static int nf_tables_updobj(const struct nft_ctx *ctx,
6875 const struct nft_object_type *type,
6876 const struct nlattr *attr,
6877 struct nft_object *obj)
6879 struct nft_object *newobj;
6880 struct nft_trans *trans;
6883 if (!try_module_get(type->owner))
6886 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6887 sizeof(struct nft_trans_obj));
6891 newobj = nft_obj_init(ctx, type, attr);
6892 if (IS_ERR(newobj)) {
6893 err = PTR_ERR(newobj);
6894 goto err_free_trans;
6897 nft_trans_obj(trans) = obj;
6898 nft_trans_obj_update(trans) = true;
6899 nft_trans_obj_newobj(trans) = newobj;
6900 nft_trans_commit_list_add_tail(ctx->net, trans);
6907 module_put(type->owner);
6911 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
6912 const struct nlattr * const nla[])
6914 struct netlink_ext_ack *extack = info->extack;
6915 u8 genmask = nft_genmask_next(info->net);
6916 u8 family = info->nfmsg->nfgen_family;
6917 const struct nft_object_type *type;
6918 struct net *net = info->net;
6919 struct nft_table *table;
6920 struct nft_object *obj;
6925 if (!nla[NFTA_OBJ_TYPE] ||
6926 !nla[NFTA_OBJ_NAME] ||
6927 !nla[NFTA_OBJ_DATA])
6930 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6931 NETLINK_CB(skb).portid);
6932 if (IS_ERR(table)) {
6933 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6934 return PTR_ERR(table);
6937 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6938 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6941 if (err != -ENOENT) {
6942 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6946 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
6947 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6950 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
6953 type = __nft_obj_type_get(objtype);
6954 if (WARN_ON_ONCE(!type))
6957 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6959 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6962 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6964 type = nft_obj_type_get(net, objtype);
6966 return PTR_ERR(type);
6968 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6973 obj->key.table = table;
6974 obj->handle = nf_tables_alloc_handle(table);
6976 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
6977 if (!obj->key.name) {
6982 if (nla[NFTA_OBJ_USERDATA]) {
6983 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6984 if (obj->udata == NULL)
6987 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6990 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6994 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6995 nft_objname_ht_params);
6999 list_add_tail_rcu(&obj->list, &table->objects);
7003 /* queued in transaction log */
7004 INIT_LIST_HEAD(&obj->list);
7009 kfree(obj->key.name);
7011 if (obj->ops->destroy)
7012 obj->ops->destroy(&ctx, obj);
7015 module_put(type->owner);
7019 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7020 u32 portid, u32 seq, int event, u32 flags,
7021 int family, const struct nft_table *table,
7022 struct nft_object *obj, bool reset)
7024 struct nlmsghdr *nlh;
7026 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7027 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7028 NFNETLINK_V0, nft_base_seq(net));
7030 goto nla_put_failure;
7032 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7033 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7034 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7035 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7036 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
7037 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7039 goto nla_put_failure;
7042 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7043 goto nla_put_failure;
7045 nlmsg_end(skb, nlh);
7049 nlmsg_trim(skb, nlh);
7053 struct nft_obj_filter {
7058 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7060 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7061 const struct nft_table *table;
7062 unsigned int idx = 0, s_idx = cb->args[0];
7063 struct nft_obj_filter *filter = cb->data;
7064 struct net *net = sock_net(skb->sk);
7065 int family = nfmsg->nfgen_family;
7066 struct nftables_pernet *nft_net;
7067 struct nft_object *obj;
7070 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7074 nft_net = nft_pernet(net);
7075 cb->seq = READ_ONCE(nft_net->base_seq);
7077 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7078 if (family != NFPROTO_UNSPEC && family != table->family)
7081 list_for_each_entry_rcu(obj, &table->objects, list) {
7082 if (!nft_is_active(net, obj))
7087 memset(&cb->args[1], 0,
7088 sizeof(cb->args) - sizeof(cb->args[0]));
7089 if (filter && filter->table &&
7090 strcmp(filter->table, table->name))
7093 filter->type != NFT_OBJECT_UNSPEC &&
7094 obj->ops->type->type != filter->type)
7097 char *buf = kasprintf(GFP_ATOMIC,
7102 audit_log_nfcfg(buf,
7105 AUDIT_NFT_OP_OBJ_RESET,
7110 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
7113 NLM_F_MULTI | NLM_F_APPEND,
7114 table->family, table,
7118 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7130 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7132 const struct nlattr * const *nla = cb->data;
7133 struct nft_obj_filter *filter = NULL;
7135 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
7136 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7140 if (nla[NFTA_OBJ_TABLE]) {
7141 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7142 if (!filter->table) {
7148 if (nla[NFTA_OBJ_TYPE])
7149 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7156 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7158 struct nft_obj_filter *filter = cb->data;
7161 kfree(filter->table);
7168 /* called with rcu_read_lock held */
7169 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
7170 const struct nlattr * const nla[])
7172 struct netlink_ext_ack *extack = info->extack;
7173 u8 genmask = nft_genmask_cur(info->net);
7174 u8 family = info->nfmsg->nfgen_family;
7175 const struct nft_table *table;
7176 struct net *net = info->net;
7177 struct nft_object *obj;
7178 struct sk_buff *skb2;
7183 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7184 struct netlink_dump_control c = {
7185 .start = nf_tables_dump_obj_start,
7186 .dump = nf_tables_dump_obj,
7187 .done = nf_tables_dump_obj_done,
7188 .module = THIS_MODULE,
7189 .data = (void *)nla,
7192 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7195 if (!nla[NFTA_OBJ_NAME] ||
7196 !nla[NFTA_OBJ_TYPE])
7199 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
7200 if (IS_ERR(table)) {
7201 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7202 return PTR_ERR(table);
7205 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7206 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7208 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7209 return PTR_ERR(obj);
7212 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7216 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7220 const struct nftables_pernet *nft_net;
7223 nft_net = nft_pernet(net);
7224 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
7226 audit_log_nfcfg(buf,
7229 AUDIT_NFT_OP_OBJ_RESET,
7234 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
7235 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
7236 family, table, obj, reset);
7238 goto err_fill_obj_info;
7240 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7247 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
7249 if (obj->ops->destroy)
7250 obj->ops->destroy(ctx, obj);
7252 module_put(obj->ops->type->owner);
7253 kfree(obj->key.name);
7258 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
7259 const struct nlattr * const nla[])
7261 struct netlink_ext_ack *extack = info->extack;
7262 u8 genmask = nft_genmask_next(info->net);
7263 u8 family = info->nfmsg->nfgen_family;
7264 struct net *net = info->net;
7265 const struct nlattr *attr;
7266 struct nft_table *table;
7267 struct nft_object *obj;
7271 if (!nla[NFTA_OBJ_TYPE] ||
7272 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
7275 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7276 NETLINK_CB(skb).portid);
7277 if (IS_ERR(table)) {
7278 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7279 return PTR_ERR(table);
7282 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7283 if (nla[NFTA_OBJ_HANDLE]) {
7284 attr = nla[NFTA_OBJ_HANDLE];
7285 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
7287 attr = nla[NFTA_OBJ_NAME];
7288 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
7292 NL_SET_BAD_ATTR(extack, attr);
7293 return PTR_ERR(obj);
7296 NL_SET_BAD_ATTR(extack, attr);
7300 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7302 return nft_delobj(&ctx, obj);
7305 void nft_obj_notify(struct net *net, const struct nft_table *table,
7306 struct nft_object *obj, u32 portid, u32 seq, int event,
7307 u16 flags, int family, int report, gfp_t gfp)
7309 struct nftables_pernet *nft_net = nft_pernet(net);
7310 struct sk_buff *skb;
7312 char *buf = kasprintf(gfp, "%s:%u",
7313 table->name, nft_net->base_seq);
7315 audit_log_nfcfg(buf,
7318 event == NFT_MSG_NEWOBJ ?
7319 AUDIT_NFT_OP_OBJ_REGISTER :
7320 AUDIT_NFT_OP_OBJ_UNREGISTER,
7325 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7328 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
7332 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
7333 flags & (NLM_F_CREATE | NLM_F_EXCL),
7334 family, table, obj, false);
7340 nft_notify_enqueue(skb, report, &nft_net->notify_list);
7343 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
7345 EXPORT_SYMBOL_GPL(nft_obj_notify);
7347 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
7348 struct nft_object *obj, int event)
7350 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
7351 ctx->flags, ctx->family, ctx->report, GFP_KERNEL);
7357 void nft_register_flowtable_type(struct nf_flowtable_type *type)
7359 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7360 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
7361 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7363 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
7365 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
7367 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7368 list_del_rcu(&type->list);
7369 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7371 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
7373 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
7374 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
7375 .len = NFT_NAME_MAXLEN - 1 },
7376 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
7377 .len = NFT_NAME_MAXLEN - 1 },
7378 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
7379 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
7380 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
7383 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
7384 const struct nlattr *nla, u8 genmask)
7386 struct nft_flowtable *flowtable;
7388 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7389 if (!nla_strcmp(nla, flowtable->name) &&
7390 nft_active_genmask(flowtable, genmask))
7393 return ERR_PTR(-ENOENT);
7395 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
7397 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
7398 struct nft_flowtable *flowtable,
7399 enum nft_trans_phase phase)
7402 case NFT_TRANS_PREPARE:
7403 case NFT_TRANS_ABORT:
7404 case NFT_TRANS_RELEASE:
7411 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
7413 static struct nft_flowtable *
7414 nft_flowtable_lookup_byhandle(const struct nft_table *table,
7415 const struct nlattr *nla, u8 genmask)
7417 struct nft_flowtable *flowtable;
7419 list_for_each_entry(flowtable, &table->flowtables, list) {
7420 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
7421 nft_active_genmask(flowtable, genmask))
7424 return ERR_PTR(-ENOENT);
7427 struct nft_flowtable_hook {
7430 struct list_head list;
7433 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
7434 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
7435 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
7436 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
7439 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
7440 const struct nlattr *attr,
7441 struct nft_flowtable_hook *flowtable_hook,
7442 struct nft_flowtable *flowtable, bool add)
7444 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
7445 struct nft_hook *hook;
7446 int hooknum, priority;
7449 INIT_LIST_HEAD(&flowtable_hook->list);
7451 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
7452 nft_flowtable_hook_policy, NULL);
7457 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
7458 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
7461 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7462 if (hooknum != NF_NETDEV_INGRESS)
7465 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7467 flowtable_hook->priority = priority;
7468 flowtable_hook->num = hooknum;
7470 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
7471 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7472 if (hooknum != flowtable->hooknum)
7476 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7477 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7478 if (priority != flowtable->data.priority)
7482 flowtable_hook->priority = flowtable->data.priority;
7483 flowtable_hook->num = flowtable->hooknum;
7486 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
7487 err = nf_tables_parse_netdev_hooks(ctx->net,
7488 tb[NFTA_FLOWTABLE_HOOK_DEVS],
7489 &flowtable_hook->list);
7494 list_for_each_entry(hook, &flowtable_hook->list, list) {
7495 hook->ops.pf = NFPROTO_NETDEV;
7496 hook->ops.hooknum = flowtable_hook->num;
7497 hook->ops.priority = flowtable_hook->priority;
7498 hook->ops.priv = &flowtable->data;
7499 hook->ops.hook = flowtable->data.type->hook;
7505 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
7507 const struct nf_flowtable_type *type;
7509 list_for_each_entry(type, &nf_tables_flowtables, list) {
7510 if (family == type->family)
7516 static const struct nf_flowtable_type *
7517 nft_flowtable_type_get(struct net *net, u8 family)
7519 const struct nf_flowtable_type *type;
7521 type = __nft_flowtable_type_get(family);
7522 if (type != NULL && try_module_get(type->owner))
7525 lockdep_nfnl_nft_mutex_not_held();
7526 #ifdef CONFIG_MODULES
7528 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
7529 return ERR_PTR(-EAGAIN);
7532 return ERR_PTR(-ENOENT);
7535 /* Only called from error and netdev event paths. */
7536 static void nft_unregister_flowtable_hook(struct net *net,
7537 struct nft_flowtable *flowtable,
7538 struct nft_hook *hook)
7540 nf_unregister_net_hook(net, &hook->ops);
7541 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7545 static void __nft_unregister_flowtable_net_hooks(struct net *net,
7546 struct list_head *hook_list,
7547 bool release_netdev)
7549 struct nft_hook *hook, *next;
7551 list_for_each_entry_safe(hook, next, hook_list, list) {
7552 nf_unregister_net_hook(net, &hook->ops);
7553 if (release_netdev) {
7554 list_del(&hook->list);
7555 kfree_rcu(hook, rcu);
7560 static void nft_unregister_flowtable_net_hooks(struct net *net,
7561 struct list_head *hook_list)
7563 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
7566 static int nft_register_flowtable_net_hooks(struct net *net,
7567 struct nft_table *table,
7568 struct list_head *hook_list,
7569 struct nft_flowtable *flowtable)
7571 struct nft_hook *hook, *hook2, *next;
7572 struct nft_flowtable *ft;
7575 list_for_each_entry(hook, hook_list, list) {
7576 list_for_each_entry(ft, &table->flowtables, list) {
7577 if (!nft_is_active_next(net, ft))
7580 list_for_each_entry(hook2, &ft->hook_list, list) {
7581 if (hook->ops.dev == hook2->ops.dev &&
7582 hook->ops.pf == hook2->ops.pf) {
7584 goto err_unregister_net_hooks;
7589 err = flowtable->data.type->setup(&flowtable->data,
7593 goto err_unregister_net_hooks;
7595 err = nf_register_net_hook(net, &hook->ops);
7597 flowtable->data.type->setup(&flowtable->data,
7600 goto err_unregister_net_hooks;
7608 err_unregister_net_hooks:
7609 list_for_each_entry_safe(hook, next, hook_list, list) {
7613 nft_unregister_flowtable_hook(net, flowtable, hook);
7614 list_del_rcu(&hook->list);
7615 kfree_rcu(hook, rcu);
7621 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
7623 struct nft_hook *hook, *next;
7625 list_for_each_entry_safe(hook, next, hook_list, list) {
7626 list_del_rcu(&hook->list);
7627 kfree_rcu(hook, rcu);
7631 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
7632 struct nft_flowtable *flowtable)
7634 const struct nlattr * const *nla = ctx->nla;
7635 struct nft_flowtable_hook flowtable_hook;
7636 struct nft_hook *hook, *next;
7637 struct nft_trans *trans;
7638 bool unregister = false;
7642 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7643 &flowtable_hook, flowtable, false);
7647 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7648 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
7649 list_del(&hook->list);
7654 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7655 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7656 if (flags & ~NFT_FLOWTABLE_MASK) {
7658 goto err_flowtable_update_hook;
7660 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
7661 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
7663 goto err_flowtable_update_hook;
7666 flags = flowtable->data.flags;
7669 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
7670 &flowtable_hook.list, flowtable);
7672 goto err_flowtable_update_hook;
7674 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
7675 sizeof(struct nft_trans_flowtable));
7679 goto err_flowtable_update_hook;
7682 nft_trans_flowtable_flags(trans) = flags;
7683 nft_trans_flowtable(trans) = flowtable;
7684 nft_trans_flowtable_update(trans) = true;
7685 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7686 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
7688 nft_trans_commit_list_add_tail(ctx->net, trans);
7692 err_flowtable_update_hook:
7693 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7695 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
7696 list_del_rcu(&hook->list);
7697 kfree_rcu(hook, rcu);
7704 static int nf_tables_newflowtable(struct sk_buff *skb,
7705 const struct nfnl_info *info,
7706 const struct nlattr * const nla[])
7708 struct netlink_ext_ack *extack = info->extack;
7709 struct nft_flowtable_hook flowtable_hook;
7710 u8 genmask = nft_genmask_next(info->net);
7711 u8 family = info->nfmsg->nfgen_family;
7712 const struct nf_flowtable_type *type;
7713 struct nft_flowtable *flowtable;
7714 struct nft_hook *hook, *next;
7715 struct net *net = info->net;
7716 struct nft_table *table;
7720 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7721 !nla[NFTA_FLOWTABLE_NAME] ||
7722 !nla[NFTA_FLOWTABLE_HOOK])
7725 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7726 genmask, NETLINK_CB(skb).portid);
7727 if (IS_ERR(table)) {
7728 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7729 return PTR_ERR(table);
7732 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7734 if (IS_ERR(flowtable)) {
7735 err = PTR_ERR(flowtable);
7736 if (err != -ENOENT) {
7737 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7741 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7742 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7746 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7748 return nft_flowtable_update(&ctx, info->nlh, flowtable);
7751 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7753 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
7757 flowtable->table = table;
7758 flowtable->handle = nf_tables_alloc_handle(table);
7759 INIT_LIST_HEAD(&flowtable->hook_list);
7761 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
7762 if (!flowtable->name) {
7767 type = nft_flowtable_type_get(net, family);
7769 err = PTR_ERR(type);
7773 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7774 flowtable->data.flags =
7775 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7776 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
7782 write_pnet(&flowtable->data.net, net);
7783 flowtable->data.type = type;
7784 err = type->init(&flowtable->data);
7788 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
7789 &flowtable_hook, flowtable, true);
7793 list_splice(&flowtable_hook.list, &flowtable->hook_list);
7794 flowtable->data.priority = flowtable_hook.priority;
7795 flowtable->hooknum = flowtable_hook.num;
7797 err = nft_register_flowtable_net_hooks(ctx.net, table,
7798 &flowtable->hook_list,
7801 nft_flowtable_hooks_destroy(&flowtable->hook_list);
7805 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
7809 list_add_tail_rcu(&flowtable->list, &table->flowtables);
7814 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7815 nft_unregister_flowtable_hook(net, flowtable, hook);
7816 list_del_rcu(&hook->list);
7817 kfree_rcu(hook, rcu);
7820 flowtable->data.type->free(&flowtable->data);
7822 module_put(type->owner);
7824 kfree(flowtable->name);
7830 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7832 struct nft_hook *this, *next;
7834 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7835 list_del(&this->list);
7840 static int nft_delflowtable_hook(struct nft_ctx *ctx,
7841 struct nft_flowtable *flowtable)
7843 const struct nlattr * const *nla = ctx->nla;
7844 struct nft_flowtable_hook flowtable_hook;
7845 LIST_HEAD(flowtable_del_list);
7846 struct nft_hook *this, *hook;
7847 struct nft_trans *trans;
7850 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7851 &flowtable_hook, flowtable, false);
7855 list_for_each_entry(this, &flowtable_hook.list, list) {
7856 hook = nft_hook_list_find(&flowtable->hook_list, this);
7859 goto err_flowtable_del_hook;
7861 list_move(&hook->list, &flowtable_del_list);
7864 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7865 sizeof(struct nft_trans_flowtable));
7868 goto err_flowtable_del_hook;
7871 nft_trans_flowtable(trans) = flowtable;
7872 nft_trans_flowtable_update(trans) = true;
7873 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7874 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
7875 nft_flowtable_hook_release(&flowtable_hook);
7877 nft_trans_commit_list_add_tail(ctx->net, trans);
7881 err_flowtable_del_hook:
7882 list_splice(&flowtable_del_list, &flowtable->hook_list);
7883 nft_flowtable_hook_release(&flowtable_hook);
7888 static int nf_tables_delflowtable(struct sk_buff *skb,
7889 const struct nfnl_info *info,
7890 const struct nlattr * const nla[])
7892 struct netlink_ext_ack *extack = info->extack;
7893 u8 genmask = nft_genmask_next(info->net);
7894 u8 family = info->nfmsg->nfgen_family;
7895 struct nft_flowtable *flowtable;
7896 struct net *net = info->net;
7897 const struct nlattr *attr;
7898 struct nft_table *table;
7901 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7902 (!nla[NFTA_FLOWTABLE_NAME] &&
7903 !nla[NFTA_FLOWTABLE_HANDLE]))
7906 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7907 genmask, NETLINK_CB(skb).portid);
7908 if (IS_ERR(table)) {
7909 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7910 return PTR_ERR(table);
7913 if (nla[NFTA_FLOWTABLE_HANDLE]) {
7914 attr = nla[NFTA_FLOWTABLE_HANDLE];
7915 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7917 attr = nla[NFTA_FLOWTABLE_NAME];
7918 flowtable = nft_flowtable_lookup(table, attr, genmask);
7921 if (IS_ERR(flowtable)) {
7922 NL_SET_BAD_ATTR(extack, attr);
7923 return PTR_ERR(flowtable);
7926 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7928 if (nla[NFTA_FLOWTABLE_HOOK])
7929 return nft_delflowtable_hook(&ctx, flowtable);
7931 if (flowtable->use > 0) {
7932 NL_SET_BAD_ATTR(extack, attr);
7936 return nft_delflowtable(&ctx, flowtable);
7939 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7940 u32 portid, u32 seq, int event,
7941 u32 flags, int family,
7942 struct nft_flowtable *flowtable,
7943 struct list_head *hook_list)
7945 struct nlattr *nest, *nest_devs;
7946 struct nft_hook *hook;
7947 struct nlmsghdr *nlh;
7949 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7950 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7951 NFNETLINK_V0, nft_base_seq(net));
7953 goto nla_put_failure;
7955 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7956 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7957 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7958 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7959 NFTA_FLOWTABLE_PAD) ||
7960 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7961 goto nla_put_failure;
7963 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7965 goto nla_put_failure;
7966 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7967 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7968 goto nla_put_failure;
7970 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7972 goto nla_put_failure;
7974 list_for_each_entry_rcu(hook, hook_list, list) {
7975 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7976 goto nla_put_failure;
7978 nla_nest_end(skb, nest_devs);
7979 nla_nest_end(skb, nest);
7981 nlmsg_end(skb, nlh);
7985 nlmsg_trim(skb, nlh);
7989 struct nft_flowtable_filter {
7993 static int nf_tables_dump_flowtable(struct sk_buff *skb,
7994 struct netlink_callback *cb)
7996 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7997 struct nft_flowtable_filter *filter = cb->data;
7998 unsigned int idx = 0, s_idx = cb->args[0];
7999 struct net *net = sock_net(skb->sk);
8000 int family = nfmsg->nfgen_family;
8001 struct nft_flowtable *flowtable;
8002 struct nftables_pernet *nft_net;
8003 const struct nft_table *table;
8006 nft_net = nft_pernet(net);
8007 cb->seq = READ_ONCE(nft_net->base_seq);
8009 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8010 if (family != NFPROTO_UNSPEC && family != table->family)
8013 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8014 if (!nft_is_active(net, flowtable))
8019 memset(&cb->args[1], 0,
8020 sizeof(cb->args) - sizeof(cb->args[0]));
8021 if (filter && filter->table &&
8022 strcmp(filter->table, table->name))
8025 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8027 NFT_MSG_NEWFLOWTABLE,
8028 NLM_F_MULTI | NLM_F_APPEND,
8031 &flowtable->hook_list) < 0)
8034 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8046 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8048 const struct nlattr * const *nla = cb->data;
8049 struct nft_flowtable_filter *filter = NULL;
8051 if (nla[NFTA_FLOWTABLE_TABLE]) {
8052 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8056 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8058 if (!filter->table) {
8068 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8070 struct nft_flowtable_filter *filter = cb->data;
8075 kfree(filter->table);
8081 /* called with rcu_read_lock held */
8082 static int nf_tables_getflowtable(struct sk_buff *skb,
8083 const struct nfnl_info *info,
8084 const struct nlattr * const nla[])
8086 u8 genmask = nft_genmask_cur(info->net);
8087 u8 family = info->nfmsg->nfgen_family;
8088 struct nft_flowtable *flowtable;
8089 const struct nft_table *table;
8090 struct net *net = info->net;
8091 struct sk_buff *skb2;
8094 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8095 struct netlink_dump_control c = {
8096 .start = nf_tables_dump_flowtable_start,
8097 .dump = nf_tables_dump_flowtable,
8098 .done = nf_tables_dump_flowtable_done,
8099 .module = THIS_MODULE,
8100 .data = (void *)nla,
8103 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8106 if (!nla[NFTA_FLOWTABLE_NAME])
8109 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8112 return PTR_ERR(table);
8114 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8116 if (IS_ERR(flowtable))
8117 return PTR_ERR(flowtable);
8119 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8123 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
8124 info->nlh->nlmsg_seq,
8125 NFT_MSG_NEWFLOWTABLE, 0, family,
8126 flowtable, &flowtable->hook_list);
8128 goto err_fill_flowtable_info;
8130 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8132 err_fill_flowtable_info:
8137 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
8138 struct nft_flowtable *flowtable,
8139 struct list_head *hook_list,
8142 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
8143 struct sk_buff *skb;
8148 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
8151 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8155 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
8156 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
8158 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
8159 ctx->seq, event, flags,
8160 ctx->family, flowtable, hook_list);
8166 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
8169 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
8172 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
8174 struct nft_hook *hook, *next;
8176 flowtable->data.type->free(&flowtable->data);
8177 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8178 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8180 list_del_rcu(&hook->list);
8183 kfree(flowtable->name);
8184 module_put(flowtable->data.type->owner);
8188 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
8189 u32 portid, u32 seq)
8191 struct nftables_pernet *nft_net = nft_pernet(net);
8192 struct nlmsghdr *nlh;
8193 char buf[TASK_COMM_LEN];
8194 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
8196 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
8197 NFNETLINK_V0, nft_base_seq(net));
8199 goto nla_put_failure;
8201 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
8202 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
8203 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
8204 goto nla_put_failure;
8206 nlmsg_end(skb, nlh);
8210 nlmsg_trim(skb, nlh);
8214 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
8215 struct nft_flowtable *flowtable)
8217 struct nft_hook *hook;
8219 list_for_each_entry(hook, &flowtable->hook_list, list) {
8220 if (hook->ops.dev != dev)
8223 /* flow_offload_netdev_event() cleans up entries for us. */
8224 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
8225 list_del_rcu(&hook->list);
8226 kfree_rcu(hook, rcu);
8231 static int nf_tables_flowtable_event(struct notifier_block *this,
8232 unsigned long event, void *ptr)
8234 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
8235 struct nft_flowtable *flowtable;
8236 struct nftables_pernet *nft_net;
8237 struct nft_table *table;
8240 if (event != NETDEV_UNREGISTER)
8244 nft_net = nft_pernet(net);
8245 mutex_lock(&nft_net->commit_mutex);
8246 list_for_each_entry(table, &nft_net->tables, list) {
8247 list_for_each_entry(flowtable, &table->flowtables, list) {
8248 nft_flowtable_event(event, dev, flowtable);
8251 mutex_unlock(&nft_net->commit_mutex);
8256 static struct notifier_block nf_tables_flowtable_notifier = {
8257 .notifier_call = nf_tables_flowtable_event,
8260 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
8263 struct nlmsghdr *nlh = nlmsg_hdr(skb);
8264 struct sk_buff *skb2;
8267 if (!nlmsg_report(nlh) &&
8268 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8271 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8275 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
8282 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8283 nlmsg_report(nlh), GFP_KERNEL);
8286 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8290 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
8291 const struct nlattr * const nla[])
8293 struct sk_buff *skb2;
8296 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8300 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
8301 info->nlh->nlmsg_seq);
8303 goto err_fill_gen_info;
8305 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
8312 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
8313 [NFT_MSG_NEWTABLE] = {
8314 .call = nf_tables_newtable,
8315 .type = NFNL_CB_BATCH,
8316 .attr_count = NFTA_TABLE_MAX,
8317 .policy = nft_table_policy,
8319 [NFT_MSG_GETTABLE] = {
8320 .call = nf_tables_gettable,
8321 .type = NFNL_CB_RCU,
8322 .attr_count = NFTA_TABLE_MAX,
8323 .policy = nft_table_policy,
8325 [NFT_MSG_DELTABLE] = {
8326 .call = nf_tables_deltable,
8327 .type = NFNL_CB_BATCH,
8328 .attr_count = NFTA_TABLE_MAX,
8329 .policy = nft_table_policy,
8331 [NFT_MSG_NEWCHAIN] = {
8332 .call = nf_tables_newchain,
8333 .type = NFNL_CB_BATCH,
8334 .attr_count = NFTA_CHAIN_MAX,
8335 .policy = nft_chain_policy,
8337 [NFT_MSG_GETCHAIN] = {
8338 .call = nf_tables_getchain,
8339 .type = NFNL_CB_RCU,
8340 .attr_count = NFTA_CHAIN_MAX,
8341 .policy = nft_chain_policy,
8343 [NFT_MSG_DELCHAIN] = {
8344 .call = nf_tables_delchain,
8345 .type = NFNL_CB_BATCH,
8346 .attr_count = NFTA_CHAIN_MAX,
8347 .policy = nft_chain_policy,
8349 [NFT_MSG_NEWRULE] = {
8350 .call = nf_tables_newrule,
8351 .type = NFNL_CB_BATCH,
8352 .attr_count = NFTA_RULE_MAX,
8353 .policy = nft_rule_policy,
8355 [NFT_MSG_GETRULE] = {
8356 .call = nf_tables_getrule,
8357 .type = NFNL_CB_RCU,
8358 .attr_count = NFTA_RULE_MAX,
8359 .policy = nft_rule_policy,
8361 [NFT_MSG_DELRULE] = {
8362 .call = nf_tables_delrule,
8363 .type = NFNL_CB_BATCH,
8364 .attr_count = NFTA_RULE_MAX,
8365 .policy = nft_rule_policy,
8367 [NFT_MSG_NEWSET] = {
8368 .call = nf_tables_newset,
8369 .type = NFNL_CB_BATCH,
8370 .attr_count = NFTA_SET_MAX,
8371 .policy = nft_set_policy,
8373 [NFT_MSG_GETSET] = {
8374 .call = nf_tables_getset,
8375 .type = NFNL_CB_RCU,
8376 .attr_count = NFTA_SET_MAX,
8377 .policy = nft_set_policy,
8379 [NFT_MSG_DELSET] = {
8380 .call = nf_tables_delset,
8381 .type = NFNL_CB_BATCH,
8382 .attr_count = NFTA_SET_MAX,
8383 .policy = nft_set_policy,
8385 [NFT_MSG_NEWSETELEM] = {
8386 .call = nf_tables_newsetelem,
8387 .type = NFNL_CB_BATCH,
8388 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8389 .policy = nft_set_elem_list_policy,
8391 [NFT_MSG_GETSETELEM] = {
8392 .call = nf_tables_getsetelem,
8393 .type = NFNL_CB_RCU,
8394 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8395 .policy = nft_set_elem_list_policy,
8397 [NFT_MSG_DELSETELEM] = {
8398 .call = nf_tables_delsetelem,
8399 .type = NFNL_CB_BATCH,
8400 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8401 .policy = nft_set_elem_list_policy,
8403 [NFT_MSG_GETGEN] = {
8404 .call = nf_tables_getgen,
8405 .type = NFNL_CB_RCU,
8407 [NFT_MSG_NEWOBJ] = {
8408 .call = nf_tables_newobj,
8409 .type = NFNL_CB_BATCH,
8410 .attr_count = NFTA_OBJ_MAX,
8411 .policy = nft_obj_policy,
8413 [NFT_MSG_GETOBJ] = {
8414 .call = nf_tables_getobj,
8415 .type = NFNL_CB_RCU,
8416 .attr_count = NFTA_OBJ_MAX,
8417 .policy = nft_obj_policy,
8419 [NFT_MSG_DELOBJ] = {
8420 .call = nf_tables_delobj,
8421 .type = NFNL_CB_BATCH,
8422 .attr_count = NFTA_OBJ_MAX,
8423 .policy = nft_obj_policy,
8425 [NFT_MSG_GETOBJ_RESET] = {
8426 .call = nf_tables_getobj,
8427 .type = NFNL_CB_RCU,
8428 .attr_count = NFTA_OBJ_MAX,
8429 .policy = nft_obj_policy,
8431 [NFT_MSG_NEWFLOWTABLE] = {
8432 .call = nf_tables_newflowtable,
8433 .type = NFNL_CB_BATCH,
8434 .attr_count = NFTA_FLOWTABLE_MAX,
8435 .policy = nft_flowtable_policy,
8437 [NFT_MSG_GETFLOWTABLE] = {
8438 .call = nf_tables_getflowtable,
8439 .type = NFNL_CB_RCU,
8440 .attr_count = NFTA_FLOWTABLE_MAX,
8441 .policy = nft_flowtable_policy,
8443 [NFT_MSG_DELFLOWTABLE] = {
8444 .call = nf_tables_delflowtable,
8445 .type = NFNL_CB_BATCH,
8446 .attr_count = NFTA_FLOWTABLE_MAX,
8447 .policy = nft_flowtable_policy,
8451 static int nf_tables_validate(struct net *net)
8453 struct nftables_pernet *nft_net = nft_pernet(net);
8454 struct nft_table *table;
8456 switch (nft_net->validate_state) {
8457 case NFT_VALIDATE_SKIP:
8459 case NFT_VALIDATE_NEED:
8460 nft_validate_state_update(net, NFT_VALIDATE_DO);
8462 case NFT_VALIDATE_DO:
8463 list_for_each_entry(table, &nft_net->tables, list) {
8464 if (nft_table_validate(net, table) < 0)
8473 /* a drop policy has to be deferred until all rules have been activated,
8474 * otherwise a large ruleset that contains a drop-policy base chain will
8475 * cause all packets to get dropped until the full transaction has been
8478 * We defer the drop policy until the transaction has been finalized.
8480 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
8482 struct nft_base_chain *basechain;
8484 if (nft_trans_chain_policy(trans) != NF_DROP)
8487 if (!nft_is_base_chain(trans->ctx.chain))
8490 basechain = nft_base_chain(trans->ctx.chain);
8491 basechain->policy = NF_DROP;
8494 static void nft_chain_commit_update(struct nft_trans *trans)
8496 struct nft_base_chain *basechain;
8498 if (nft_trans_chain_name(trans)) {
8499 rhltable_remove(&trans->ctx.table->chains_ht,
8500 &trans->ctx.chain->rhlhead,
8501 nft_chain_ht_params);
8502 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
8503 rhltable_insert_key(&trans->ctx.table->chains_ht,
8504 trans->ctx.chain->name,
8505 &trans->ctx.chain->rhlhead,
8506 nft_chain_ht_params);
8509 if (!nft_is_base_chain(trans->ctx.chain))
8512 nft_chain_stats_replace(trans);
8514 basechain = nft_base_chain(trans->ctx.chain);
8516 switch (nft_trans_chain_policy(trans)) {
8519 basechain->policy = nft_trans_chain_policy(trans);
8524 static void nft_obj_commit_update(struct nft_trans *trans)
8526 struct nft_object *newobj;
8527 struct nft_object *obj;
8529 obj = nft_trans_obj(trans);
8530 newobj = nft_trans_obj_newobj(trans);
8532 if (obj->ops->update)
8533 obj->ops->update(obj, newobj);
8535 nft_obj_destroy(&trans->ctx, newobj);
8538 static void nft_commit_release(struct nft_trans *trans)
8540 switch (trans->msg_type) {
8541 case NFT_MSG_DELTABLE:
8542 nf_tables_table_destroy(&trans->ctx);
8544 case NFT_MSG_NEWCHAIN:
8545 free_percpu(nft_trans_chain_stats(trans));
8546 kfree(nft_trans_chain_name(trans));
8548 case NFT_MSG_DELCHAIN:
8549 nf_tables_chain_destroy(&trans->ctx);
8551 case NFT_MSG_DELRULE:
8552 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8554 case NFT_MSG_DELSET:
8555 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8557 case NFT_MSG_DELSETELEM:
8558 nf_tables_set_elem_destroy(&trans->ctx,
8559 nft_trans_elem_set(trans),
8560 nft_trans_elem(trans).priv);
8562 case NFT_MSG_DELOBJ:
8563 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8565 case NFT_MSG_DELFLOWTABLE:
8566 if (nft_trans_flowtable_update(trans))
8567 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8569 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8574 put_net(trans->ctx.net);
8579 static void nf_tables_trans_destroy_work(struct work_struct *w)
8581 struct nft_trans *trans, *next;
8584 spin_lock(&nf_tables_destroy_list_lock);
8585 list_splice_init(&nf_tables_destroy_list, &head);
8586 spin_unlock(&nf_tables_destroy_list_lock);
8588 if (list_empty(&head))
8593 list_for_each_entry_safe(trans, next, &head, list) {
8594 list_del(&trans->list);
8595 nft_commit_release(trans);
8599 void nf_tables_trans_destroy_flush_work(void)
8601 flush_work(&trans_destroy_work);
8603 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
8605 static bool nft_expr_reduce(struct nft_regs_track *track,
8606 const struct nft_expr *expr)
8611 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
8613 const struct nft_expr *expr, *last;
8614 struct nft_regs_track track = {};
8615 unsigned int size, data_size;
8616 void *data, *data_boundary;
8617 struct nft_rule_dp *prule;
8618 struct nft_rule *rule;
8620 /* already handled or inactive chain? */
8621 if (chain->blob_next || !nft_is_active_next(net, chain))
8625 list_for_each_entry(rule, &chain->rules, list) {
8626 if (nft_is_active_next(net, rule)) {
8627 data_size += sizeof(*prule) + rule->dlen;
8628 if (data_size > INT_MAX)
8632 data_size += offsetof(struct nft_rule_dp, data); /* last rule */
8634 chain->blob_next = nf_tables_chain_alloc_rules(data_size);
8635 if (!chain->blob_next)
8638 data = (void *)chain->blob_next->data;
8639 data_boundary = data + data_size;
8642 list_for_each_entry(rule, &chain->rules, list) {
8643 if (!nft_is_active_next(net, rule))
8646 prule = (struct nft_rule_dp *)data;
8647 data += offsetof(struct nft_rule_dp, data);
8648 if (WARN_ON_ONCE(data > data_boundary))
8652 track.last = nft_expr_last(rule);
8653 nft_rule_for_each_expr(expr, last, rule) {
8656 if (nft_expr_reduce(&track, expr)) {
8661 if (WARN_ON_ONCE(data + expr->ops->size > data_boundary))
8664 memcpy(data + size, expr, expr->ops->size);
8665 size += expr->ops->size;
8667 if (WARN_ON_ONCE(size >= 1 << 12))
8670 prule->handle = rule->handle;
8676 chain->blob_next->size += (unsigned long)(data - (void *)prule);
8679 prule = (struct nft_rule_dp *)data;
8680 data += offsetof(struct nft_rule_dp, data);
8681 if (WARN_ON_ONCE(data > data_boundary))
8684 nft_last_rule(chain->blob_next, prule);
8689 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
8691 struct nftables_pernet *nft_net = nft_pernet(net);
8692 struct nft_trans *trans, *next;
8694 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8695 struct nft_chain *chain = trans->ctx.chain;
8697 if (trans->msg_type == NFT_MSG_NEWRULE ||
8698 trans->msg_type == NFT_MSG_DELRULE) {
8699 kvfree(chain->blob_next);
8700 chain->blob_next = NULL;
8705 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
8707 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
8712 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
8714 struct nft_rules_old *old;
8716 /* rcu_head is after end marker */
8717 old = (void *)blob + sizeof(*blob) + blob->size;
8720 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
8723 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
8725 struct nft_rule_blob *g0, *g1;
8728 next_genbit = nft_gencursor_next(net);
8730 g0 = rcu_dereference_protected(chain->blob_gen_0,
8731 lockdep_commit_lock_is_held(net));
8732 g1 = rcu_dereference_protected(chain->blob_gen_1,
8733 lockdep_commit_lock_is_held(net));
8735 /* No changes to this chain? */
8736 if (chain->blob_next == NULL) {
8737 /* chain had no change in last or next generation */
8741 * chain had no change in this generation; make sure next
8742 * one uses same rules as current generation.
8745 rcu_assign_pointer(chain->blob_gen_1, g0);
8746 nf_tables_commit_chain_free_rules_old(g1);
8748 rcu_assign_pointer(chain->blob_gen_0, g1);
8749 nf_tables_commit_chain_free_rules_old(g0);
8756 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
8758 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
8760 chain->blob_next = NULL;
8766 nf_tables_commit_chain_free_rules_old(g1);
8768 nf_tables_commit_chain_free_rules_old(g0);
8771 static void nft_obj_del(struct nft_object *obj)
8773 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
8774 list_del_rcu(&obj->list);
8777 void nft_chain_del(struct nft_chain *chain)
8779 struct nft_table *table = chain->table;
8781 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
8782 nft_chain_ht_params));
8783 list_del_rcu(&chain->list);
8786 static void nf_tables_module_autoload_cleanup(struct net *net)
8788 struct nftables_pernet *nft_net = nft_pernet(net);
8789 struct nft_module_request *req, *next;
8791 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
8792 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
8793 WARN_ON_ONCE(!req->done);
8794 list_del(&req->list);
8799 static void nf_tables_commit_release(struct net *net)
8801 struct nftables_pernet *nft_net = nft_pernet(net);
8802 struct nft_trans *trans;
8804 /* all side effects have to be made visible.
8805 * For example, if a chain named 'foo' has been deleted, a
8806 * new transaction must not find it anymore.
8808 * Memory reclaim happens asynchronously from work queue
8809 * to prevent expensive synchronize_rcu() in commit phase.
8811 if (list_empty(&nft_net->commit_list)) {
8812 nf_tables_module_autoload_cleanup(net);
8813 mutex_unlock(&nft_net->commit_mutex);
8817 trans = list_last_entry(&nft_net->commit_list,
8818 struct nft_trans, list);
8819 get_net(trans->ctx.net);
8820 WARN_ON_ONCE(trans->put_net);
8822 trans->put_net = true;
8823 spin_lock(&nf_tables_destroy_list_lock);
8824 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
8825 spin_unlock(&nf_tables_destroy_list_lock);
8827 nf_tables_module_autoload_cleanup(net);
8828 schedule_work(&trans_destroy_work);
8830 mutex_unlock(&nft_net->commit_mutex);
8833 static void nft_commit_notify(struct net *net, u32 portid)
8835 struct nftables_pernet *nft_net = nft_pernet(net);
8836 struct sk_buff *batch_skb = NULL, *nskb, *skb;
8837 unsigned char *data;
8840 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
8844 len = NLMSG_GOODSIZE - skb->len;
8845 list_del(&skb->list);
8849 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
8850 data = skb_put(batch_skb, skb->len);
8851 memcpy(data, skb->data, skb->len);
8852 list_del(&skb->list);
8856 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8857 NFT_CB(batch_skb).report, GFP_KERNEL);
8862 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8863 NFT_CB(batch_skb).report, GFP_KERNEL);
8866 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
8869 static int nf_tables_commit_audit_alloc(struct list_head *adl,
8870 struct nft_table *table)
8872 struct nft_audit_data *adp;
8874 list_for_each_entry(adp, adl, list) {
8875 if (adp->table == table)
8878 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
8882 list_add(&adp->list, adl);
8886 static void nf_tables_commit_audit_free(struct list_head *adl)
8888 struct nft_audit_data *adp, *adn;
8890 list_for_each_entry_safe(adp, adn, adl, list) {
8891 list_del(&adp->list);
8896 static void nf_tables_commit_audit_collect(struct list_head *adl,
8897 struct nft_table *table, u32 op)
8899 struct nft_audit_data *adp;
8901 list_for_each_entry(adp, adl, list) {
8902 if (adp->table == table)
8905 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
8909 if (!adp->op || adp->op > op)
8913 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
8915 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
8917 struct nft_audit_data *adp, *adn;
8918 char aubuf[AUNFTABLENAMELEN];
8920 list_for_each_entry_safe(adp, adn, adl, list) {
8921 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
8923 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
8924 nft2audit_op[adp->op], GFP_KERNEL);
8925 list_del(&adp->list);
8930 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8932 struct nftables_pernet *nft_net = nft_pernet(net);
8933 struct nft_trans *trans, *next;
8934 struct nft_trans_elem *te;
8935 struct nft_chain *chain;
8936 struct nft_table *table;
8937 unsigned int base_seq;
8941 if (list_empty(&nft_net->commit_list)) {
8942 mutex_unlock(&nft_net->commit_mutex);
8946 /* 0. Validate ruleset, otherwise roll back for error reporting. */
8947 if (nf_tables_validate(net) < 0)
8950 err = nft_flow_rule_offload_commit(net);
8954 /* 1. Allocate space for next generation rules_gen_X[] */
8955 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8958 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
8960 nf_tables_commit_chain_prepare_cancel(net);
8961 nf_tables_commit_audit_free(&adl);
8964 if (trans->msg_type == NFT_MSG_NEWRULE ||
8965 trans->msg_type == NFT_MSG_DELRULE) {
8966 chain = trans->ctx.chain;
8968 ret = nf_tables_commit_chain_prepare(net, chain);
8970 nf_tables_commit_chain_prepare_cancel(net);
8971 nf_tables_commit_audit_free(&adl);
8977 /* step 2. Make rules_gen_X visible to packet path */
8978 list_for_each_entry(table, &nft_net->tables, list) {
8979 list_for_each_entry(chain, &table->chains, list)
8980 nf_tables_commit_chain(net, chain);
8984 * Bump generation counter, invalidate any dump in progress.
8985 * Cannot fail after this point.
8987 base_seq = READ_ONCE(nft_net->base_seq);
8988 while (++base_seq == 0)
8991 WRITE_ONCE(nft_net->base_seq, base_seq);
8993 /* step 3. Start new generation, rules_gen_X now in use. */
8994 net->nft.gencursor = nft_gencursor_next(net);
8996 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8997 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8999 switch (trans->msg_type) {
9000 case NFT_MSG_NEWTABLE:
9001 if (nft_trans_table_update(trans)) {
9002 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
9003 nft_trans_destroy(trans);
9006 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
9007 nf_tables_table_disable(net, trans->ctx.table);
9009 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
9011 nft_clear(net, trans->ctx.table);
9013 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
9014 nft_trans_destroy(trans);
9016 case NFT_MSG_DELTABLE:
9017 list_del_rcu(&trans->ctx.table->list);
9018 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
9020 case NFT_MSG_NEWCHAIN:
9021 if (nft_trans_chain_update(trans)) {
9022 nft_chain_commit_update(trans);
9023 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
9024 /* trans destroyed after rcu grace period */
9026 nft_chain_commit_drop_policy(trans);
9027 nft_clear(net, trans->ctx.chain);
9028 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
9029 nft_trans_destroy(trans);
9032 case NFT_MSG_DELCHAIN:
9033 nft_chain_del(trans->ctx.chain);
9034 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
9035 nf_tables_unregister_hook(trans->ctx.net,
9039 case NFT_MSG_NEWRULE:
9040 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9041 nf_tables_rule_notify(&trans->ctx,
9042 nft_trans_rule(trans),
9044 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9045 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9047 nft_trans_destroy(trans);
9049 case NFT_MSG_DELRULE:
9050 list_del_rcu(&nft_trans_rule(trans)->list);
9051 nf_tables_rule_notify(&trans->ctx,
9052 nft_trans_rule(trans),
9054 nft_rule_expr_deactivate(&trans->ctx,
9055 nft_trans_rule(trans),
9058 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9059 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9061 case NFT_MSG_NEWSET:
9062 if (nft_trans_set_update(trans)) {
9063 struct nft_set *set = nft_trans_set(trans);
9065 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
9066 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
9068 nft_clear(net, nft_trans_set(trans));
9069 /* This avoids hitting -EBUSY when deleting the table
9070 * from the transaction.
9072 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
9073 !list_empty(&nft_trans_set(trans)->bindings))
9074 trans->ctx.table->use--;
9076 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
9077 NFT_MSG_NEWSET, GFP_KERNEL);
9078 nft_trans_destroy(trans);
9080 case NFT_MSG_DELSET:
9081 list_del_rcu(&nft_trans_set(trans)->list);
9082 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
9083 NFT_MSG_DELSET, GFP_KERNEL);
9085 case NFT_MSG_NEWSETELEM:
9086 te = (struct nft_trans_elem *)trans->data;
9088 nft_setelem_activate(net, te->set, &te->elem);
9089 nf_tables_setelem_notify(&trans->ctx, te->set,
9091 NFT_MSG_NEWSETELEM);
9092 nft_trans_destroy(trans);
9094 case NFT_MSG_DELSETELEM:
9095 te = (struct nft_trans_elem *)trans->data;
9097 nf_tables_setelem_notify(&trans->ctx, te->set,
9099 NFT_MSG_DELSETELEM);
9100 nft_setelem_remove(net, te->set, &te->elem);
9101 if (!nft_setelem_is_catchall(te->set, &te->elem)) {
9102 atomic_dec(&te->set->nelems);
9106 case NFT_MSG_NEWOBJ:
9107 if (nft_trans_obj_update(trans)) {
9108 nft_obj_commit_update(trans);
9109 nf_tables_obj_notify(&trans->ctx,
9110 nft_trans_obj(trans),
9113 nft_clear(net, nft_trans_obj(trans));
9114 nf_tables_obj_notify(&trans->ctx,
9115 nft_trans_obj(trans),
9117 nft_trans_destroy(trans);
9120 case NFT_MSG_DELOBJ:
9121 nft_obj_del(nft_trans_obj(trans));
9122 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
9125 case NFT_MSG_NEWFLOWTABLE:
9126 if (nft_trans_flowtable_update(trans)) {
9127 nft_trans_flowtable(trans)->data.flags =
9128 nft_trans_flowtable_flags(trans);
9129 nf_tables_flowtable_notify(&trans->ctx,
9130 nft_trans_flowtable(trans),
9131 &nft_trans_flowtable_hooks(trans),
9132 NFT_MSG_NEWFLOWTABLE);
9133 list_splice(&nft_trans_flowtable_hooks(trans),
9134 &nft_trans_flowtable(trans)->hook_list);
9136 nft_clear(net, nft_trans_flowtable(trans));
9137 nf_tables_flowtable_notify(&trans->ctx,
9138 nft_trans_flowtable(trans),
9139 &nft_trans_flowtable(trans)->hook_list,
9140 NFT_MSG_NEWFLOWTABLE);
9142 nft_trans_destroy(trans);
9144 case NFT_MSG_DELFLOWTABLE:
9145 if (nft_trans_flowtable_update(trans)) {
9146 nf_tables_flowtable_notify(&trans->ctx,
9147 nft_trans_flowtable(trans),
9148 &nft_trans_flowtable_hooks(trans),
9149 NFT_MSG_DELFLOWTABLE);
9150 nft_unregister_flowtable_net_hooks(net,
9151 &nft_trans_flowtable_hooks(trans));
9153 list_del_rcu(&nft_trans_flowtable(trans)->list);
9154 nf_tables_flowtable_notify(&trans->ctx,
9155 nft_trans_flowtable(trans),
9156 &nft_trans_flowtable(trans)->hook_list,
9157 NFT_MSG_DELFLOWTABLE);
9158 nft_unregister_flowtable_net_hooks(net,
9159 &nft_trans_flowtable(trans)->hook_list);
9165 nft_commit_notify(net, NETLINK_CB(skb).portid);
9166 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
9167 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
9168 nf_tables_commit_release(net);
9173 static void nf_tables_module_autoload(struct net *net)
9175 struct nftables_pernet *nft_net = nft_pernet(net);
9176 struct nft_module_request *req, *next;
9177 LIST_HEAD(module_list);
9179 list_splice_init(&nft_net->module_list, &module_list);
9180 mutex_unlock(&nft_net->commit_mutex);
9181 list_for_each_entry_safe(req, next, &module_list, list) {
9182 request_module("%s", req->module);
9185 mutex_lock(&nft_net->commit_mutex);
9186 list_splice(&module_list, &nft_net->module_list);
9189 static void nf_tables_abort_release(struct nft_trans *trans)
9191 switch (trans->msg_type) {
9192 case NFT_MSG_NEWTABLE:
9193 nf_tables_table_destroy(&trans->ctx);
9195 case NFT_MSG_NEWCHAIN:
9196 nf_tables_chain_destroy(&trans->ctx);
9198 case NFT_MSG_NEWRULE:
9199 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9201 case NFT_MSG_NEWSET:
9202 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9204 case NFT_MSG_NEWSETELEM:
9205 nft_set_elem_destroy(nft_trans_elem_set(trans),
9206 nft_trans_elem(trans).priv, true);
9208 case NFT_MSG_NEWOBJ:
9209 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9211 case NFT_MSG_NEWFLOWTABLE:
9212 if (nft_trans_flowtable_update(trans))
9213 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9215 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9221 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
9223 struct nftables_pernet *nft_net = nft_pernet(net);
9224 struct nft_trans *trans, *next;
9225 struct nft_trans_elem *te;
9227 if (action == NFNL_ABORT_VALIDATE &&
9228 nf_tables_validate(net) < 0)
9231 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
9233 switch (trans->msg_type) {
9234 case NFT_MSG_NEWTABLE:
9235 if (nft_trans_table_update(trans)) {
9236 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
9237 nft_trans_destroy(trans);
9240 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
9241 nf_tables_table_disable(net, trans->ctx.table);
9242 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
9243 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
9244 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
9246 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
9247 nft_trans_destroy(trans);
9249 list_del_rcu(&trans->ctx.table->list);
9252 case NFT_MSG_DELTABLE:
9253 nft_clear(trans->ctx.net, trans->ctx.table);
9254 nft_trans_destroy(trans);
9256 case NFT_MSG_NEWCHAIN:
9257 if (nft_trans_chain_update(trans)) {
9258 free_percpu(nft_trans_chain_stats(trans));
9259 kfree(nft_trans_chain_name(trans));
9260 nft_trans_destroy(trans);
9262 if (nft_chain_is_bound(trans->ctx.chain)) {
9263 nft_trans_destroy(trans);
9266 trans->ctx.table->use--;
9267 nft_chain_del(trans->ctx.chain);
9268 nf_tables_unregister_hook(trans->ctx.net,
9273 case NFT_MSG_DELCHAIN:
9274 trans->ctx.table->use++;
9275 nft_clear(trans->ctx.net, trans->ctx.chain);
9276 nft_trans_destroy(trans);
9278 case NFT_MSG_NEWRULE:
9279 trans->ctx.chain->use--;
9280 list_del_rcu(&nft_trans_rule(trans)->list);
9281 nft_rule_expr_deactivate(&trans->ctx,
9282 nft_trans_rule(trans),
9284 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9285 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9287 case NFT_MSG_DELRULE:
9288 trans->ctx.chain->use++;
9289 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9290 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
9291 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9292 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9294 nft_trans_destroy(trans);
9296 case NFT_MSG_NEWSET:
9297 if (nft_trans_set_update(trans)) {
9298 nft_trans_destroy(trans);
9301 trans->ctx.table->use--;
9302 if (nft_trans_set_bound(trans)) {
9303 nft_trans_destroy(trans);
9306 list_del_rcu(&nft_trans_set(trans)->list);
9308 case NFT_MSG_DELSET:
9309 trans->ctx.table->use++;
9310 nft_clear(trans->ctx.net, nft_trans_set(trans));
9311 nft_trans_destroy(trans);
9313 case NFT_MSG_NEWSETELEM:
9314 if (nft_trans_elem_set_bound(trans)) {
9315 nft_trans_destroy(trans);
9318 te = (struct nft_trans_elem *)trans->data;
9319 nft_setelem_remove(net, te->set, &te->elem);
9320 if (!nft_setelem_is_catchall(te->set, &te->elem))
9321 atomic_dec(&te->set->nelems);
9323 case NFT_MSG_DELSETELEM:
9324 te = (struct nft_trans_elem *)trans->data;
9326 nft_setelem_data_activate(net, te->set, &te->elem);
9327 nft_setelem_activate(net, te->set, &te->elem);
9328 if (!nft_setelem_is_catchall(te->set, &te->elem))
9331 nft_trans_destroy(trans);
9333 case NFT_MSG_NEWOBJ:
9334 if (nft_trans_obj_update(trans)) {
9335 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
9336 nft_trans_destroy(trans);
9338 trans->ctx.table->use--;
9339 nft_obj_del(nft_trans_obj(trans));
9342 case NFT_MSG_DELOBJ:
9343 trans->ctx.table->use++;
9344 nft_clear(trans->ctx.net, nft_trans_obj(trans));
9345 nft_trans_destroy(trans);
9347 case NFT_MSG_NEWFLOWTABLE:
9348 if (nft_trans_flowtable_update(trans)) {
9349 nft_unregister_flowtable_net_hooks(net,
9350 &nft_trans_flowtable_hooks(trans));
9352 trans->ctx.table->use--;
9353 list_del_rcu(&nft_trans_flowtable(trans)->list);
9354 nft_unregister_flowtable_net_hooks(net,
9355 &nft_trans_flowtable(trans)->hook_list);
9358 case NFT_MSG_DELFLOWTABLE:
9359 if (nft_trans_flowtable_update(trans)) {
9360 list_splice(&nft_trans_flowtable_hooks(trans),
9361 &nft_trans_flowtable(trans)->hook_list);
9363 trans->ctx.table->use++;
9364 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
9366 nft_trans_destroy(trans);
9373 list_for_each_entry_safe_reverse(trans, next,
9374 &nft_net->commit_list, list) {
9375 list_del(&trans->list);
9376 nf_tables_abort_release(trans);
9379 if (action == NFNL_ABORT_AUTOLOAD)
9380 nf_tables_module_autoload(net);
9382 nf_tables_module_autoload_cleanup(net);
9387 static void nf_tables_cleanup(struct net *net)
9389 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
9392 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
9393 enum nfnl_abort_action action)
9395 struct nftables_pernet *nft_net = nft_pernet(net);
9396 int ret = __nf_tables_abort(net, action);
9398 mutex_unlock(&nft_net->commit_mutex);
9403 static bool nf_tables_valid_genid(struct net *net, u32 genid)
9405 struct nftables_pernet *nft_net = nft_pernet(net);
9408 mutex_lock(&nft_net->commit_mutex);
9410 genid_ok = genid == 0 || nft_net->base_seq == genid;
9412 mutex_unlock(&nft_net->commit_mutex);
9414 /* else, commit mutex has to be released by commit or abort function */
9418 static const struct nfnetlink_subsystem nf_tables_subsys = {
9419 .name = "nf_tables",
9420 .subsys_id = NFNL_SUBSYS_NFTABLES,
9421 .cb_count = NFT_MSG_MAX,
9423 .commit = nf_tables_commit,
9424 .abort = nf_tables_abort,
9425 .cleanup = nf_tables_cleanup,
9426 .valid_genid = nf_tables_valid_genid,
9427 .owner = THIS_MODULE,
9430 int nft_chain_validate_dependency(const struct nft_chain *chain,
9431 enum nft_chain_types type)
9433 const struct nft_base_chain *basechain;
9435 if (nft_is_base_chain(chain)) {
9436 basechain = nft_base_chain(chain);
9437 if (basechain->type->type != type)
9442 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
9444 int nft_chain_validate_hooks(const struct nft_chain *chain,
9445 unsigned int hook_flags)
9447 struct nft_base_chain *basechain;
9449 if (nft_is_base_chain(chain)) {
9450 basechain = nft_base_chain(chain);
9452 if ((1 << basechain->ops.hooknum) & hook_flags)
9460 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
9463 * Loop detection - walk through the ruleset beginning at the destination chain
9464 * of a new jump until either the source chain is reached (loop) or all
9465 * reachable chains have been traversed.
9467 * The loop check is performed whenever a new jump verdict is added to an
9468 * expression or verdict map or a verdict map is bound to a new chain.
9471 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9472 const struct nft_chain *chain);
9474 static int nft_check_loops(const struct nft_ctx *ctx,
9475 const struct nft_set_ext *ext)
9477 const struct nft_data *data;
9480 data = nft_set_ext_data(ext);
9481 switch (data->verdict.code) {
9484 ret = nf_tables_check_loops(ctx, data->verdict.chain);
9494 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
9495 struct nft_set *set,
9496 const struct nft_set_iter *iter,
9497 struct nft_set_elem *elem)
9499 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
9501 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
9502 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
9505 return nft_check_loops(ctx, ext);
9508 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
9509 struct nft_set *set)
9511 u8 genmask = nft_genmask_next(ctx->net);
9512 struct nft_set_elem_catchall *catchall;
9513 struct nft_set_ext *ext;
9516 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9517 ext = nft_set_elem_ext(set, catchall->elem);
9518 if (!nft_set_elem_active(ext, genmask))
9521 ret = nft_check_loops(ctx, ext);
9529 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9530 const struct nft_chain *chain)
9532 const struct nft_rule *rule;
9533 const struct nft_expr *expr, *last;
9534 struct nft_set *set;
9535 struct nft_set_binding *binding;
9536 struct nft_set_iter iter;
9538 if (ctx->chain == chain)
9541 list_for_each_entry(rule, &chain->rules, list) {
9542 nft_rule_for_each_expr(expr, last, rule) {
9543 struct nft_immediate_expr *priv;
9544 const struct nft_data *data;
9547 if (strcmp(expr->ops->type->name, "immediate"))
9550 priv = nft_expr_priv(expr);
9551 if (priv->dreg != NFT_REG_VERDICT)
9555 switch (data->verdict.code) {
9558 err = nf_tables_check_loops(ctx,
9559 data->verdict.chain);
9569 list_for_each_entry(set, &ctx->table->sets, list) {
9570 if (!nft_is_active_next(ctx->net, set))
9572 if (!(set->flags & NFT_SET_MAP) ||
9573 set->dtype != NFT_DATA_VERDICT)
9576 list_for_each_entry(binding, &set->bindings, list) {
9577 if (!(binding->flags & NFT_SET_MAP) ||
9578 binding->chain != chain)
9581 iter.genmask = nft_genmask_next(ctx->net);
9585 iter.fn = nf_tables_loop_check_setelem;
9587 set->ops->walk(ctx, set, &iter);
9589 iter.err = nft_set_catchall_loops(ctx, set);
9600 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
9602 * @attr: netlink attribute to fetch value from
9603 * @max: maximum value to be stored in dest
9604 * @dest: pointer to the variable
9606 * Parse, check and store a given u32 netlink attribute into variable.
9607 * This function returns -ERANGE if the value goes over maximum value.
9608 * Otherwise a 0 is returned and the attribute value is stored in the
9609 * destination variable.
9611 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
9615 val = ntohl(nla_get_be32(attr));
9622 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
9624 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
9628 reg = ntohl(nla_get_be32(attr));
9630 case NFT_REG_VERDICT...NFT_REG_4:
9631 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
9633 case NFT_REG32_00...NFT_REG32_15:
9634 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
9644 * nft_dump_register - dump a register value to a netlink attribute
9646 * @skb: socket buffer
9647 * @attr: attribute number
9648 * @reg: register number
9650 * Construct a netlink attribute containing the register number. For
9651 * compatibility reasons, register numbers being a multiple of 4 are
9652 * translated to the corresponding 128 bit register numbers.
9654 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
9656 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
9657 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
9659 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
9661 return nla_put_be32(skb, attr, htonl(reg));
9663 EXPORT_SYMBOL_GPL(nft_dump_register);
9665 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
9667 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9671 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
9677 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
9682 err = nft_parse_register(attr, ®);
9686 err = nft_validate_register_load(reg, len);
9693 EXPORT_SYMBOL_GPL(nft_parse_register_load);
9695 static int nft_validate_register_store(const struct nft_ctx *ctx,
9696 enum nft_registers reg,
9697 const struct nft_data *data,
9698 enum nft_data_types type,
9704 case NFT_REG_VERDICT:
9705 if (type != NFT_DATA_VERDICT)
9709 (data->verdict.code == NFT_GOTO ||
9710 data->verdict.code == NFT_JUMP)) {
9711 err = nf_tables_check_loops(ctx, data->verdict.chain);
9718 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9722 if (reg * NFT_REG32_SIZE + len >
9723 sizeof_field(struct nft_regs, data))
9726 if (data != NULL && type != NFT_DATA_VALUE)
9732 int nft_parse_register_store(const struct nft_ctx *ctx,
9733 const struct nlattr *attr, u8 *dreg,
9734 const struct nft_data *data,
9735 enum nft_data_types type, unsigned int len)
9740 err = nft_parse_register(attr, ®);
9744 err = nft_validate_register_store(ctx, reg, data, type, len);
9751 EXPORT_SYMBOL_GPL(nft_parse_register_store);
9753 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
9754 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
9755 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
9756 .len = NFT_CHAIN_MAXNAMELEN - 1 },
9757 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
9760 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
9761 struct nft_data_desc *desc, const struct nlattr *nla)
9763 u8 genmask = nft_genmask_next(ctx->net);
9764 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
9765 struct nft_chain *chain;
9768 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
9769 nft_verdict_policy, NULL);
9773 if (!tb[NFTA_VERDICT_CODE])
9775 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
9777 switch (data->verdict.code) {
9779 switch (data->verdict.code & NF_VERDICT_MASK) {
9794 if (tb[NFTA_VERDICT_CHAIN]) {
9795 chain = nft_chain_lookup(ctx->net, ctx->table,
9796 tb[NFTA_VERDICT_CHAIN],
9798 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
9799 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
9800 tb[NFTA_VERDICT_CHAIN_ID]);
9802 return PTR_ERR(chain);
9808 return PTR_ERR(chain);
9809 if (nft_is_base_chain(chain))
9811 if (nft_chain_is_bound(chain))
9813 if (desc->flags & NFT_DATA_DESC_SETELEM &&
9814 chain->flags & NFT_CHAIN_BINDING)
9818 data->verdict.chain = chain;
9822 desc->len = sizeof(data->verdict);
9827 static void nft_verdict_uninit(const struct nft_data *data)
9829 struct nft_chain *chain;
9830 struct nft_rule *rule;
9832 switch (data->verdict.code) {
9835 chain = data->verdict.chain;
9838 if (!nft_chain_is_bound(chain))
9841 chain->table->use--;
9842 list_for_each_entry(rule, &chain->rules, list)
9845 nft_chain_del(chain);
9850 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
9852 struct nlattr *nest;
9854 nest = nla_nest_start_noflag(skb, type);
9856 goto nla_put_failure;
9858 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
9859 goto nla_put_failure;
9864 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
9866 goto nla_put_failure;
9868 nla_nest_end(skb, nest);
9875 static int nft_value_init(const struct nft_ctx *ctx,
9876 struct nft_data *data, struct nft_data_desc *desc,
9877 const struct nlattr *nla)
9884 if (len > desc->size)
9887 if (len != desc->len)
9893 nla_memcpy(data->data, nla, len);
9898 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
9901 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
9904 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
9905 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
9906 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
9910 * nft_data_init - parse nf_tables data netlink attributes
9912 * @ctx: context of the expression using the data
9913 * @data: destination struct nft_data
9914 * @desc: data description
9915 * @nla: netlink attribute containing data
9917 * Parse the netlink data attributes and initialize a struct nft_data.
9918 * The type and length of data are returned in the data description.
9920 * The caller can indicate that it only wants to accept data of type
9921 * NFT_DATA_VALUE by passing NULL for the ctx argument.
9923 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
9924 struct nft_data_desc *desc, const struct nlattr *nla)
9926 struct nlattr *tb[NFTA_DATA_MAX + 1];
9929 if (WARN_ON_ONCE(!desc->size))
9932 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
9933 nft_data_policy, NULL);
9937 if (tb[NFTA_DATA_VALUE]) {
9938 if (desc->type != NFT_DATA_VALUE)
9941 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
9942 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
9943 if (desc->type != NFT_DATA_VERDICT)
9946 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
9953 EXPORT_SYMBOL_GPL(nft_data_init);
9956 * nft_data_release - release a nft_data item
9958 * @data: struct nft_data to release
9959 * @type: type of data
9961 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
9962 * all others need to be released by calling this function.
9964 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
9966 if (type < NFT_DATA_VERDICT)
9969 case NFT_DATA_VERDICT:
9970 return nft_verdict_uninit(data);
9975 EXPORT_SYMBOL_GPL(nft_data_release);
9977 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
9978 enum nft_data_types type, unsigned int len)
9980 struct nlattr *nest;
9983 nest = nla_nest_start_noflag(skb, attr);
9988 case NFT_DATA_VALUE:
9989 err = nft_value_dump(skb, data, len);
9991 case NFT_DATA_VERDICT:
9992 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
9999 nla_nest_end(skb, nest);
10002 EXPORT_SYMBOL_GPL(nft_data_dump);
10004 int __nft_release_basechain(struct nft_ctx *ctx)
10006 struct nft_rule *rule, *nr;
10008 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
10011 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
10012 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
10013 list_del(&rule->list);
10015 nf_tables_rule_release(ctx, rule);
10017 nft_chain_del(ctx->chain);
10019 nf_tables_chain_destroy(ctx);
10023 EXPORT_SYMBOL_GPL(__nft_release_basechain);
10025 static void __nft_release_hook(struct net *net, struct nft_table *table)
10027 struct nft_flowtable *flowtable;
10028 struct nft_chain *chain;
10030 list_for_each_entry(chain, &table->chains, list)
10031 __nf_tables_unregister_hook(net, table, chain, true);
10032 list_for_each_entry(flowtable, &table->flowtables, list)
10033 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
10037 static void __nft_release_hooks(struct net *net)
10039 struct nftables_pernet *nft_net = nft_pernet(net);
10040 struct nft_table *table;
10042 list_for_each_entry(table, &nft_net->tables, list) {
10043 if (nft_table_has_owner(table))
10046 __nft_release_hook(net, table);
10050 static void __nft_release_table(struct net *net, struct nft_table *table)
10052 struct nft_flowtable *flowtable, *nf;
10053 struct nft_chain *chain, *nc;
10054 struct nft_object *obj, *ne;
10055 struct nft_rule *rule, *nr;
10056 struct nft_set *set, *ns;
10057 struct nft_ctx ctx = {
10059 .family = NFPROTO_NETDEV,
10062 ctx.family = table->family;
10064 list_for_each_entry(chain, &table->chains, list) {
10066 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
10067 list_del(&rule->list);
10069 nf_tables_rule_release(&ctx, rule);
10072 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
10073 list_del(&flowtable->list);
10075 nf_tables_flowtable_destroy(flowtable);
10077 list_for_each_entry_safe(set, ns, &table->sets, list) {
10078 list_del(&set->list);
10080 nft_set_destroy(&ctx, set);
10082 list_for_each_entry_safe(obj, ne, &table->objects, list) {
10085 nft_obj_destroy(&ctx, obj);
10087 list_for_each_entry_safe(chain, nc, &table->chains, list) {
10089 nft_chain_del(chain);
10091 nf_tables_chain_destroy(&ctx);
10093 nf_tables_table_destroy(&ctx);
10096 static void __nft_release_tables(struct net *net)
10098 struct nftables_pernet *nft_net = nft_pernet(net);
10099 struct nft_table *table, *nt;
10101 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
10102 if (nft_table_has_owner(table))
10105 list_del(&table->list);
10107 __nft_release_table(net, table);
10111 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
10114 struct nft_table *table, *to_delete[8];
10115 struct nftables_pernet *nft_net;
10116 struct netlink_notify *n = ptr;
10117 struct net *net = n->net;
10118 unsigned int deleted;
10119 bool restart = false;
10121 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
10122 return NOTIFY_DONE;
10124 nft_net = nft_pernet(net);
10126 mutex_lock(&nft_net->commit_mutex);
10127 if (!list_empty(&nf_tables_destroy_list))
10130 list_for_each_entry(table, &nft_net->tables, list) {
10131 if (nft_table_has_owner(table) &&
10132 n->portid == table->nlpid) {
10133 __nft_release_hook(net, table);
10134 list_del_rcu(&table->list);
10135 to_delete[deleted++] = table;
10136 if (deleted >= ARRAY_SIZE(to_delete))
10141 restart = deleted >= ARRAY_SIZE(to_delete);
10144 __nft_release_table(net, to_delete[--deleted]);
10149 mutex_unlock(&nft_net->commit_mutex);
10151 return NOTIFY_DONE;
10154 static struct notifier_block nft_nl_notifier = {
10155 .notifier_call = nft_rcv_nl_event,
10158 static int __net_init nf_tables_init_net(struct net *net)
10160 struct nftables_pernet *nft_net = nft_pernet(net);
10162 INIT_LIST_HEAD(&nft_net->tables);
10163 INIT_LIST_HEAD(&nft_net->commit_list);
10164 INIT_LIST_HEAD(&nft_net->module_list);
10165 INIT_LIST_HEAD(&nft_net->notify_list);
10166 mutex_init(&nft_net->commit_mutex);
10167 nft_net->base_seq = 1;
10168 nft_net->validate_state = NFT_VALIDATE_SKIP;
10173 static void __net_exit nf_tables_pre_exit_net(struct net *net)
10175 struct nftables_pernet *nft_net = nft_pernet(net);
10177 mutex_lock(&nft_net->commit_mutex);
10178 __nft_release_hooks(net);
10179 mutex_unlock(&nft_net->commit_mutex);
10182 static void __net_exit nf_tables_exit_net(struct net *net)
10184 struct nftables_pernet *nft_net = nft_pernet(net);
10186 mutex_lock(&nft_net->commit_mutex);
10187 if (!list_empty(&nft_net->commit_list) ||
10188 !list_empty(&nft_net->module_list))
10189 __nf_tables_abort(net, NFNL_ABORT_NONE);
10190 __nft_release_tables(net);
10191 mutex_unlock(&nft_net->commit_mutex);
10192 WARN_ON_ONCE(!list_empty(&nft_net->tables));
10193 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
10194 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10197 static struct pernet_operations nf_tables_net_ops = {
10198 .init = nf_tables_init_net,
10199 .pre_exit = nf_tables_pre_exit_net,
10200 .exit = nf_tables_exit_net,
10201 .id = &nf_tables_net_id,
10202 .size = sizeof(struct nftables_pernet),
10205 static int __init nf_tables_module_init(void)
10209 err = register_pernet_subsys(&nf_tables_net_ops);
10213 err = nft_chain_filter_init();
10215 goto err_chain_filter;
10217 err = nf_tables_core_module_init();
10219 goto err_core_module;
10221 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
10223 goto err_netdev_notifier;
10225 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
10227 goto err_rht_objname;
10229 err = nft_offload_init();
10233 err = netlink_register_notifier(&nft_nl_notifier);
10235 goto err_netlink_notifier;
10238 err = nfnetlink_subsys_register(&nf_tables_subsys);
10240 goto err_nfnl_subsys;
10242 nft_chain_route_init();
10247 netlink_unregister_notifier(&nft_nl_notifier);
10248 err_netlink_notifier:
10249 nft_offload_exit();
10251 rhltable_destroy(&nft_objname_ht);
10253 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
10254 err_netdev_notifier:
10255 nf_tables_core_module_exit();
10257 nft_chain_filter_fini();
10259 unregister_pernet_subsys(&nf_tables_net_ops);
10263 static void __exit nf_tables_module_exit(void)
10265 nfnetlink_subsys_unregister(&nf_tables_subsys);
10266 netlink_unregister_notifier(&nft_nl_notifier);
10267 nft_offload_exit();
10268 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
10269 nft_chain_filter_fini();
10270 nft_chain_route_fini();
10271 unregister_pernet_subsys(&nf_tables_net_ops);
10272 cancel_work_sync(&trans_destroy_work);
10274 rhltable_destroy(&nft_objname_ht);
10275 nf_tables_core_module_exit();
10278 module_init(nf_tables_module_init);
10279 module_exit(nf_tables_module_exit);
10281 MODULE_LICENSE("GPL");
10282 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
10283 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / releases.git / blob