2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
29 * nft_register_afinfo - register nf_tables address family info
31 * @afi: address family info to register
33 * Register the address family for use with nf_tables. Returns zero on
34 * success or a negative errno code otherwise.
36 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
38 INIT_LIST_HEAD(&afi->tables);
39 nfnl_lock(NFNL_SUBSYS_NFTABLES);
40 list_add_tail_rcu(&afi->list, &net->nft.af_info);
41 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
44 EXPORT_SYMBOL_GPL(nft_register_afinfo);
46 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
49 * nft_unregister_afinfo - unregister nf_tables address family info
51 * @afi: address family info to unregister
53 * Unregister the address family for use with nf_tables.
55 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
57 nfnl_lock(NFNL_SUBSYS_NFTABLES);
58 __nft_release_afinfo(net, afi);
59 list_del_rcu(&afi->list);
60 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
62 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
64 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
66 struct nft_af_info *afi;
68 list_for_each_entry(afi, &net->nft.af_info, list) {
69 if (afi->family == family)
75 static struct nft_af_info *
76 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
78 struct nft_af_info *afi;
80 afi = nft_afinfo_lookup(net, family);
85 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
86 request_module("nft-afinfo-%u", family);
87 nfnl_lock(NFNL_SUBSYS_NFTABLES);
88 afi = nft_afinfo_lookup(net, family);
90 return ERR_PTR(-EAGAIN);
93 return ERR_PTR(-EAFNOSUPPORT);
96 static void nft_ctx_init(struct nft_ctx *ctx,
98 const struct sk_buff *skb,
99 const struct nlmsghdr *nlh,
100 struct nft_af_info *afi,
101 struct nft_table *table,
102 struct nft_chain *chain,
103 const struct nlattr * const *nla)
110 ctx->portid = NETLINK_CB(skb).portid;
111 ctx->report = nlmsg_report(nlh);
112 ctx->seq = nlh->nlmsg_seq;
115 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
116 int msg_type, u32 size, gfp_t gfp)
118 struct nft_trans *trans;
120 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
124 INIT_LIST_HEAD(&trans->list);
125 trans->msg_type = msg_type;
131 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
132 int msg_type, u32 size)
134 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
137 static void nft_trans_destroy(struct nft_trans *trans)
139 list_del(&trans->list);
143 static int nf_tables_register_hooks(struct net *net,
144 const struct nft_table *table,
145 struct nft_chain *chain,
146 unsigned int hook_nops)
148 if (table->flags & NFT_TABLE_F_DORMANT ||
149 !nft_is_base_chain(chain))
152 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
156 static void nf_tables_unregister_hooks(struct net *net,
157 const struct nft_table *table,
158 struct nft_chain *chain,
159 unsigned int hook_nops)
161 if (table->flags & NFT_TABLE_F_DORMANT ||
162 !nft_is_base_chain(chain))
165 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
168 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
170 struct nft_trans *trans;
172 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
176 if (msg_type == NFT_MSG_NEWTABLE)
177 nft_activate_next(ctx->net, ctx->table);
179 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
183 static int nft_deltable(struct nft_ctx *ctx)
187 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
191 nft_deactivate_next(ctx->net, ctx->table);
195 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
197 struct nft_trans *trans;
199 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
203 if (msg_type == NFT_MSG_NEWCHAIN)
204 nft_activate_next(ctx->net, ctx->chain);
206 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
210 static int nft_delchain(struct nft_ctx *ctx)
214 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
219 nft_deactivate_next(ctx->net, ctx->chain);
224 /* either expr ops provide both activate/deactivate, or neither */
225 static bool nft_expr_check_ops(const struct nft_expr_ops *ops)
230 if (WARN_ON_ONCE((!ops->activate ^ !ops->deactivate)))
236 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
237 struct nft_rule *rule)
239 struct nft_expr *expr;
241 expr = nft_expr_first(rule);
242 while (expr != nft_expr_last(rule) && expr->ops) {
243 if (expr->ops->activate)
244 expr->ops->activate(ctx, expr);
246 expr = nft_expr_next(expr);
250 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
251 struct nft_rule *rule)
253 struct nft_expr *expr;
255 expr = nft_expr_first(rule);
256 while (expr != nft_expr_last(rule) && expr->ops) {
257 if (expr->ops->deactivate)
258 expr->ops->deactivate(ctx, expr);
260 expr = nft_expr_next(expr);
265 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
267 /* You cannot delete the same rule twice */
268 if (nft_is_active_next(ctx->net, rule)) {
269 nft_deactivate_next(ctx->net, rule);
276 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
277 struct nft_rule *rule)
279 struct nft_trans *trans;
281 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
285 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
286 nft_trans_rule_id(trans) =
287 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
289 nft_trans_rule(trans) = rule;
290 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
295 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
297 struct nft_trans *trans;
300 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
304 err = nf_tables_delrule_deactivate(ctx, rule);
306 nft_trans_destroy(trans);
309 nft_rule_expr_deactivate(ctx, rule);
314 static int nft_delrule_by_chain(struct nft_ctx *ctx)
316 struct nft_rule *rule;
319 list_for_each_entry(rule, &ctx->chain->rules, list) {
320 if (!nft_is_active_next(ctx->net, rule))
323 err = nft_delrule(ctx, rule);
330 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
333 struct nft_trans *trans;
335 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
339 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
340 nft_trans_set_id(trans) =
341 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
342 nft_activate_next(ctx->net, set);
344 nft_trans_set(trans) = set;
345 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
350 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
354 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
358 nft_deactivate_next(ctx->net, set);
364 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
365 struct nft_object *obj)
367 struct nft_trans *trans;
369 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
373 if (msg_type == NFT_MSG_NEWOBJ)
374 nft_activate_next(ctx->net, obj);
376 nft_trans_obj(trans) = obj;
377 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
382 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
386 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
390 nft_deactivate_next(ctx->net, obj);
400 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
401 const struct nlattr *nla,
404 struct nft_table *table;
406 list_for_each_entry(table, &afi->tables, list) {
407 if (!nla_strcmp(nla, table->name) &&
408 nft_active_genmask(table, genmask))
414 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
415 const struct nlattr *nla,
418 struct nft_table *table;
421 return ERR_PTR(-EINVAL);
423 table = nft_table_lookup(afi, nla, genmask);
427 return ERR_PTR(-ENOENT);
430 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
432 return ++table->hgenerator;
435 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
437 static const struct nf_chain_type *
438 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
442 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
443 if (chain_type[family][i] != NULL &&
444 !nla_strcmp(nla, chain_type[family][i]->name))
445 return chain_type[family][i];
450 static const struct nf_chain_type *
451 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
452 const struct nlattr *nla,
455 const struct nf_chain_type *type;
457 type = __nf_tables_chain_type_lookup(afi->family, nla);
460 #ifdef CONFIG_MODULES
462 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
463 request_module("nft-chain-%u-%.*s", afi->family,
464 nla_len(nla), (const char *)nla_data(nla));
465 nfnl_lock(NFNL_SUBSYS_NFTABLES);
466 type = __nf_tables_chain_type_lookup(afi->family, nla);
468 return ERR_PTR(-EAGAIN);
471 return ERR_PTR(-ENOENT);
474 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
475 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
476 .len = NFT_TABLE_MAXNAMELEN - 1 },
477 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
480 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
481 u32 portid, u32 seq, int event, u32 flags,
482 int family, const struct nft_table *table)
484 struct nlmsghdr *nlh;
485 struct nfgenmsg *nfmsg;
487 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
488 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
490 goto nla_put_failure;
492 nfmsg = nlmsg_data(nlh);
493 nfmsg->nfgen_family = family;
494 nfmsg->version = NFNETLINK_V0;
495 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
497 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
498 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
499 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
500 goto nla_put_failure;
506 nlmsg_trim(skb, nlh);
510 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
516 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
519 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
523 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
524 event, 0, ctx->afi->family, ctx->table);
530 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
531 ctx->report, GFP_KERNEL);
534 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
537 static int nf_tables_dump_tables(struct sk_buff *skb,
538 struct netlink_callback *cb)
540 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
541 const struct nft_af_info *afi;
542 const struct nft_table *table;
543 unsigned int idx = 0, s_idx = cb->args[0];
544 struct net *net = sock_net(skb->sk);
545 int family = nfmsg->nfgen_family;
548 cb->seq = net->nft.base_seq;
550 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
551 if (family != NFPROTO_UNSPEC && family != afi->family)
554 list_for_each_entry_rcu(table, &afi->tables, list) {
558 memset(&cb->args[1], 0,
559 sizeof(cb->args) - sizeof(cb->args[0]));
560 if (!nft_is_active(net, table))
562 if (nf_tables_fill_table_info(skb, net,
563 NETLINK_CB(cb->skb).portid,
567 afi->family, table) < 0)
570 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
581 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
582 struct sk_buff *skb, const struct nlmsghdr *nlh,
583 const struct nlattr * const nla[],
584 struct netlink_ext_ack *extack)
586 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
587 u8 genmask = nft_genmask_cur(net);
588 const struct nft_af_info *afi;
589 const struct nft_table *table;
590 struct sk_buff *skb2;
591 int family = nfmsg->nfgen_family;
594 if (nlh->nlmsg_flags & NLM_F_DUMP) {
595 struct netlink_dump_control c = {
596 .dump = nf_tables_dump_tables,
598 return netlink_dump_start(nlsk, skb, nlh, &c);
601 afi = nf_tables_afinfo_lookup(net, family, false);
605 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
607 return PTR_ERR(table);
609 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
613 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
614 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
619 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
626 static void _nf_tables_table_disable(struct net *net,
627 const struct nft_af_info *afi,
628 struct nft_table *table,
631 struct nft_chain *chain;
634 list_for_each_entry(chain, &table->chains, list) {
635 if (!nft_is_active_next(net, chain))
637 if (!nft_is_base_chain(chain))
640 if (cnt && i++ == cnt)
643 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
648 static int nf_tables_table_enable(struct net *net,
649 const struct nft_af_info *afi,
650 struct nft_table *table)
652 struct nft_chain *chain;
655 list_for_each_entry(chain, &table->chains, list) {
656 if (!nft_is_active_next(net, chain))
658 if (!nft_is_base_chain(chain))
661 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
671 _nf_tables_table_disable(net, afi, table, i);
675 static void nf_tables_table_disable(struct net *net,
676 const struct nft_af_info *afi,
677 struct nft_table *table)
679 _nf_tables_table_disable(net, afi, table, 0);
682 static int nf_tables_updtable(struct nft_ctx *ctx)
684 struct nft_trans *trans;
688 if (!ctx->nla[NFTA_TABLE_FLAGS])
691 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
692 if (flags & ~NFT_TABLE_F_DORMANT)
695 if (flags == ctx->table->flags)
698 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
699 sizeof(struct nft_trans_table));
703 if ((flags & NFT_TABLE_F_DORMANT) &&
704 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
705 nft_trans_table_enable(trans) = false;
706 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
707 ctx->table->flags & NFT_TABLE_F_DORMANT) {
708 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
710 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
711 nft_trans_table_enable(trans) = true;
717 nft_trans_table_update(trans) = true;
718 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
721 nft_trans_destroy(trans);
725 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
726 struct sk_buff *skb, const struct nlmsghdr *nlh,
727 const struct nlattr * const nla[],
728 struct netlink_ext_ack *extack)
730 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
731 u8 genmask = nft_genmask_next(net);
732 const struct nlattr *name;
733 struct nft_af_info *afi;
734 struct nft_table *table;
735 int family = nfmsg->nfgen_family;
740 afi = nf_tables_afinfo_lookup(net, family, true);
744 name = nla[NFTA_TABLE_NAME];
745 table = nf_tables_table_lookup(afi, name, genmask);
747 if (PTR_ERR(table) != -ENOENT)
748 return PTR_ERR(table);
750 if (nlh->nlmsg_flags & NLM_F_EXCL)
752 if (nlh->nlmsg_flags & NLM_F_REPLACE)
755 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
756 return nf_tables_updtable(&ctx);
759 if (nla[NFTA_TABLE_FLAGS]) {
760 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
761 if (flags & ~NFT_TABLE_F_DORMANT)
766 if (!try_module_get(afi->owner))
770 table = kzalloc(sizeof(*table), GFP_KERNEL);
774 table->name = nla_strdup(name, GFP_KERNEL);
775 if (table->name == NULL)
778 INIT_LIST_HEAD(&table->chains);
779 INIT_LIST_HEAD(&table->sets);
780 INIT_LIST_HEAD(&table->objects);
781 table->flags = flags;
783 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
784 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
788 list_add_tail_rcu(&table->list, &afi->tables);
795 module_put(afi->owner);
800 static int nft_flush_table(struct nft_ctx *ctx)
803 struct nft_chain *chain, *nc;
804 struct nft_object *obj, *ne;
805 struct nft_set *set, *ns;
807 list_for_each_entry(chain, &ctx->table->chains, list) {
808 if (!nft_is_active_next(ctx->net, chain))
813 err = nft_delrule_by_chain(ctx);
818 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
819 if (!nft_is_active_next(ctx->net, set))
822 if (set->flags & NFT_SET_ANONYMOUS &&
823 !list_empty(&set->bindings))
826 err = nft_delset(ctx, set);
831 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
832 err = nft_delobj(ctx, obj);
837 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
838 if (!nft_is_active_next(ctx->net, chain))
843 err = nft_delchain(ctx);
848 err = nft_deltable(ctx);
853 static int nft_flush(struct nft_ctx *ctx, int family)
855 struct nft_af_info *afi;
856 struct nft_table *table, *nt;
857 const struct nlattr * const *nla = ctx->nla;
860 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
861 if (family != AF_UNSPEC && afi->family != family)
865 list_for_each_entry_safe(table, nt, &afi->tables, list) {
866 if (!nft_is_active_next(ctx->net, table))
869 if (nla[NFTA_TABLE_NAME] &&
870 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
875 err = nft_flush_table(ctx);
884 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
885 struct sk_buff *skb, const struct nlmsghdr *nlh,
886 const struct nlattr * const nla[],
887 struct netlink_ext_ack *extack)
889 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
890 u8 genmask = nft_genmask_next(net);
891 struct nft_af_info *afi;
892 struct nft_table *table;
893 int family = nfmsg->nfgen_family;
896 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
897 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
898 return nft_flush(&ctx, family);
900 afi = nf_tables_afinfo_lookup(net, family, false);
904 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
906 return PTR_ERR(table);
908 if (nlh->nlmsg_flags & NLM_F_NONREC &&
915 return nft_flush_table(&ctx);
918 static void nf_tables_table_destroy(struct nft_ctx *ctx)
920 BUG_ON(ctx->table->use > 0);
922 kfree(ctx->table->name);
924 module_put(ctx->afi->owner);
927 int nft_register_chain_type(const struct nf_chain_type *ctype)
931 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
934 nfnl_lock(NFNL_SUBSYS_NFTABLES);
935 if (chain_type[ctype->family][ctype->type] != NULL) {
939 chain_type[ctype->family][ctype->type] = ctype;
941 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
944 EXPORT_SYMBOL_GPL(nft_register_chain_type);
946 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
948 nfnl_lock(NFNL_SUBSYS_NFTABLES);
949 chain_type[ctype->family][ctype->type] = NULL;
950 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
952 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
958 static struct nft_chain *
959 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
962 struct nft_chain *chain;
964 list_for_each_entry(chain, &table->chains, list) {
965 if (chain->handle == handle &&
966 nft_active_genmask(chain, genmask))
970 return ERR_PTR(-ENOENT);
973 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
974 const struct nlattr *nla,
977 struct nft_chain *chain;
980 return ERR_PTR(-EINVAL);
982 list_for_each_entry(chain, &table->chains, list) {
983 if (!nla_strcmp(nla, chain->name) &&
984 nft_active_genmask(chain, genmask))
988 return ERR_PTR(-ENOENT);
991 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
992 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
993 .len = NFT_TABLE_MAXNAMELEN - 1 },
994 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
995 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
996 .len = NFT_CHAIN_MAXNAMELEN - 1 },
997 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
998 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
999 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1000 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1003 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1004 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1005 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1006 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1007 .len = IFNAMSIZ - 1 },
1010 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1012 struct nft_stats *cpu_stats, total;
1013 struct nlattr *nest;
1018 memset(&total, 0, sizeof(total));
1019 for_each_possible_cpu(cpu) {
1020 cpu_stats = per_cpu_ptr(stats, cpu);
1022 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1023 pkts = cpu_stats->pkts;
1024 bytes = cpu_stats->bytes;
1025 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1027 total.bytes += bytes;
1029 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1031 goto nla_put_failure;
1033 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1034 NFTA_COUNTER_PAD) ||
1035 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1037 goto nla_put_failure;
1039 nla_nest_end(skb, nest);
1046 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1047 u32 portid, u32 seq, int event, u32 flags,
1048 int family, const struct nft_table *table,
1049 const struct nft_chain *chain)
1051 struct nlmsghdr *nlh;
1052 struct nfgenmsg *nfmsg;
1054 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1055 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1057 goto nla_put_failure;
1059 nfmsg = nlmsg_data(nlh);
1060 nfmsg->nfgen_family = family;
1061 nfmsg->version = NFNETLINK_V0;
1062 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1064 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1065 goto nla_put_failure;
1066 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1068 goto nla_put_failure;
1069 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1070 goto nla_put_failure;
1072 if (nft_is_base_chain(chain)) {
1073 const struct nft_base_chain *basechain = nft_base_chain(chain);
1074 const struct nf_hook_ops *ops = &basechain->ops[0];
1075 struct nlattr *nest;
1077 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1079 goto nla_put_failure;
1080 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1081 goto nla_put_failure;
1082 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1083 goto nla_put_failure;
1084 if (basechain->dev_name[0] &&
1085 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1086 goto nla_put_failure;
1087 nla_nest_end(skb, nest);
1089 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1090 htonl(basechain->policy)))
1091 goto nla_put_failure;
1093 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1094 goto nla_put_failure;
1096 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1097 goto nla_put_failure;
1100 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1101 goto nla_put_failure;
1103 nlmsg_end(skb, nlh);
1107 nlmsg_trim(skb, nlh);
1111 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1113 struct sk_buff *skb;
1117 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1120 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1124 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1125 event, 0, ctx->afi->family, ctx->table,
1132 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1133 ctx->report, GFP_KERNEL);
1136 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1139 static int nf_tables_dump_chains(struct sk_buff *skb,
1140 struct netlink_callback *cb)
1142 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1143 const struct nft_af_info *afi;
1144 const struct nft_table *table;
1145 const struct nft_chain *chain;
1146 unsigned int idx = 0, s_idx = cb->args[0];
1147 struct net *net = sock_net(skb->sk);
1148 int family = nfmsg->nfgen_family;
1151 cb->seq = net->nft.base_seq;
1153 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1154 if (family != NFPROTO_UNSPEC && family != afi->family)
1157 list_for_each_entry_rcu(table, &afi->tables, list) {
1158 list_for_each_entry_rcu(chain, &table->chains, list) {
1162 memset(&cb->args[1], 0,
1163 sizeof(cb->args) - sizeof(cb->args[0]));
1164 if (!nft_is_active(net, chain))
1166 if (nf_tables_fill_chain_info(skb, net,
1167 NETLINK_CB(cb->skb).portid,
1171 afi->family, table, chain) < 0)
1174 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1186 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1187 struct sk_buff *skb, const struct nlmsghdr *nlh,
1188 const struct nlattr * const nla[],
1189 struct netlink_ext_ack *extack)
1191 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1192 u8 genmask = nft_genmask_cur(net);
1193 const struct nft_af_info *afi;
1194 const struct nft_table *table;
1195 const struct nft_chain *chain;
1196 struct sk_buff *skb2;
1197 int family = nfmsg->nfgen_family;
1200 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1201 struct netlink_dump_control c = {
1202 .dump = nf_tables_dump_chains,
1204 return netlink_dump_start(nlsk, skb, nlh, &c);
1207 afi = nf_tables_afinfo_lookup(net, family, false);
1209 return PTR_ERR(afi);
1211 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1213 return PTR_ERR(table);
1215 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1217 return PTR_ERR(chain);
1219 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1223 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1224 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1225 family, table, chain);
1229 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1236 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1237 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1238 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1241 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1243 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1244 struct nft_stats __percpu *newstats;
1245 struct nft_stats *stats;
1248 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1251 return ERR_PTR(err);
1253 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1254 return ERR_PTR(-EINVAL);
1256 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1257 if (newstats == NULL)
1258 return ERR_PTR(-ENOMEM);
1260 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1261 * are not exposed to userspace.
1264 stats = this_cpu_ptr(newstats);
1265 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1266 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1272 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1273 struct nft_stats __percpu *newstats)
1275 if (newstats == NULL)
1279 struct nft_stats __percpu *oldstats =
1280 nft_dereference(chain->stats);
1282 rcu_assign_pointer(chain->stats, newstats);
1284 free_percpu(oldstats);
1286 rcu_assign_pointer(chain->stats, newstats);
1287 static_branch_inc(&nft_counters_enabled);
1291 static void nf_tables_chain_destroy(struct nft_chain *chain)
1293 BUG_ON(chain->use > 0);
1295 if (nft_is_base_chain(chain)) {
1296 struct nft_base_chain *basechain = nft_base_chain(chain);
1298 module_put(basechain->type->owner);
1299 free_percpu(basechain->stats);
1300 if (basechain->stats)
1301 static_branch_dec(&nft_counters_enabled);
1302 if (basechain->ops[0].dev != NULL)
1303 dev_put(basechain->ops[0].dev);
1312 struct nft_chain_hook {
1315 const struct nf_chain_type *type;
1316 struct net_device *dev;
1319 static int nft_chain_parse_hook(struct net *net,
1320 const struct nlattr * const nla[],
1321 struct nft_af_info *afi,
1322 struct nft_chain_hook *hook, bool create)
1324 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1325 const struct nf_chain_type *type;
1326 struct net_device *dev;
1329 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1330 nft_hook_policy, NULL);
1334 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1335 ha[NFTA_HOOK_PRIORITY] == NULL)
1338 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1339 if (hook->num >= afi->nhooks)
1342 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1344 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1345 if (nla[NFTA_CHAIN_TYPE]) {
1346 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1349 return PTR_ERR(type);
1351 if (!(type->hook_mask & (1 << hook->num)))
1353 if (!try_module_get(type->owner))
1359 if (afi->flags & NFT_AF_NEEDS_DEV) {
1360 char ifname[IFNAMSIZ];
1362 if (!ha[NFTA_HOOK_DEV]) {
1363 module_put(type->owner);
1367 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1368 dev = dev_get_by_name(net, ifname);
1370 module_put(type->owner);
1374 } else if (ha[NFTA_HOOK_DEV]) {
1375 module_put(type->owner);
1382 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1384 module_put(hook->type->owner);
1385 if (hook->dev != NULL)
1389 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1390 u8 policy, bool create)
1392 const struct nlattr * const *nla = ctx->nla;
1393 struct nft_table *table = ctx->table;
1394 struct nft_af_info *afi = ctx->afi;
1395 struct nft_base_chain *basechain;
1396 struct nft_stats __percpu *stats;
1397 struct net *net = ctx->net;
1398 struct nft_chain *chain;
1402 if (table->use == UINT_MAX)
1405 if (nla[NFTA_CHAIN_HOOK]) {
1406 struct nft_chain_hook hook;
1407 struct nf_hook_ops *ops;
1410 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1414 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1415 if (basechain == NULL) {
1416 nft_chain_release_hook(&hook);
1420 if (hook.dev != NULL)
1421 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1423 if (nla[NFTA_CHAIN_COUNTERS]) {
1424 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1425 if (IS_ERR(stats)) {
1426 nft_chain_release_hook(&hook);
1428 return PTR_ERR(stats);
1430 basechain->stats = stats;
1431 static_branch_inc(&nft_counters_enabled);
1434 hookfn = hook.type->hooks[hook.num];
1435 basechain->type = hook.type;
1436 chain = &basechain->chain;
1438 for (i = 0; i < afi->nops; i++) {
1439 ops = &basechain->ops[i];
1441 ops->hooknum = hook.num;
1442 ops->priority = hook.priority;
1444 ops->hook = afi->hooks[ops->hooknum];
1445 ops->dev = hook.dev;
1448 if (afi->hook_ops_init)
1449 afi->hook_ops_init(ops, i);
1452 chain->flags |= NFT_BASE_CHAIN;
1453 basechain->policy = policy;
1455 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1459 INIT_LIST_HEAD(&chain->rules);
1460 chain->handle = nf_tables_alloc_handle(table);
1461 chain->table = table;
1462 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1468 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1473 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1478 list_add_tail_rcu(&chain->list, &table->chains);
1482 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1484 nf_tables_chain_destroy(chain);
1489 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1492 const struct nlattr * const *nla = ctx->nla;
1493 struct nft_table *table = ctx->table;
1494 struct nft_chain *chain = ctx->chain;
1495 struct nft_af_info *afi = ctx->afi;
1496 struct nft_base_chain *basechain;
1497 struct nft_stats *stats = NULL;
1498 struct nft_chain_hook hook;
1499 struct nf_hook_ops *ops;
1500 struct nft_trans *trans;
1503 if (nla[NFTA_CHAIN_HOOK]) {
1504 if (!nft_is_base_chain(chain))
1507 err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
1512 basechain = nft_base_chain(chain);
1513 if (basechain->type != hook.type) {
1514 nft_chain_release_hook(&hook);
1518 for (i = 0; i < afi->nops; i++) {
1519 ops = &basechain->ops[i];
1520 if (ops->hooknum != hook.num ||
1521 ops->priority != hook.priority ||
1522 ops->dev != hook.dev) {
1523 nft_chain_release_hook(&hook);
1527 nft_chain_release_hook(&hook);
1530 if (nla[NFTA_CHAIN_HANDLE] &&
1531 nla[NFTA_CHAIN_NAME]) {
1532 struct nft_chain *chain2;
1534 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1536 if (!IS_ERR(chain2))
1540 if (nla[NFTA_CHAIN_COUNTERS]) {
1541 if (!nft_is_base_chain(chain))
1544 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1546 return PTR_ERR(stats);
1550 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1551 sizeof(struct nft_trans_chain));
1555 nft_trans_chain_stats(trans) = stats;
1556 nft_trans_chain_update(trans) = true;
1558 if (nla[NFTA_CHAIN_POLICY])
1559 nft_trans_chain_policy(trans) = policy;
1561 nft_trans_chain_policy(trans) = -1;
1563 if (nla[NFTA_CHAIN_HANDLE] &&
1564 nla[NFTA_CHAIN_NAME]) {
1565 struct nft_trans *tmp;
1569 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1574 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1575 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1576 tmp->ctx.table == table &&
1577 nft_trans_chain_update(tmp) &&
1578 nft_trans_chain_name(tmp) &&
1579 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1585 nft_trans_chain_name(trans) = name;
1587 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1596 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1597 struct sk_buff *skb, const struct nlmsghdr *nlh,
1598 const struct nlattr * const nla[],
1599 struct netlink_ext_ack *extack)
1601 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1602 const struct nlattr * uninitialized_var(name);
1603 u8 genmask = nft_genmask_next(net);
1604 int family = nfmsg->nfgen_family;
1605 struct nft_af_info *afi;
1606 struct nft_table *table;
1607 struct nft_chain *chain;
1608 u8 policy = NF_ACCEPT;
1613 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1615 afi = nf_tables_afinfo_lookup(net, family, true);
1617 return PTR_ERR(afi);
1619 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1621 return PTR_ERR(table);
1624 name = nla[NFTA_CHAIN_NAME];
1626 if (nla[NFTA_CHAIN_HANDLE]) {
1627 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1628 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1630 return PTR_ERR(chain);
1632 chain = nf_tables_chain_lookup(table, name, genmask);
1633 if (IS_ERR(chain)) {
1634 if (PTR_ERR(chain) != -ENOENT)
1635 return PTR_ERR(chain);
1640 if (nla[NFTA_CHAIN_POLICY]) {
1641 if (chain != NULL &&
1642 !nft_is_base_chain(chain))
1645 if (chain == NULL &&
1646 nla[NFTA_CHAIN_HOOK] == NULL)
1649 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1659 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1661 if (chain != NULL) {
1662 if (nlh->nlmsg_flags & NLM_F_EXCL)
1664 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1667 return nf_tables_updchain(&ctx, genmask, policy, create);
1670 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1673 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1674 struct sk_buff *skb, const struct nlmsghdr *nlh,
1675 const struct nlattr * const nla[],
1676 struct netlink_ext_ack *extack)
1678 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1679 u8 genmask = nft_genmask_next(net);
1680 struct nft_af_info *afi;
1681 struct nft_table *table;
1682 struct nft_chain *chain;
1683 struct nft_rule *rule;
1684 int family = nfmsg->nfgen_family;
1689 afi = nf_tables_afinfo_lookup(net, family, false);
1691 return PTR_ERR(afi);
1693 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1695 return PTR_ERR(table);
1697 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1699 return PTR_ERR(chain);
1701 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1705 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1708 list_for_each_entry(rule, &chain->rules, list) {
1709 if (!nft_is_active_next(net, rule))
1713 err = nft_delrule(&ctx, rule);
1718 /* There are rules and elements that are still holding references to us,
1719 * we cannot do a recursive removal in this case.
1724 return nft_delchain(&ctx);
1732 * nft_register_expr - register nf_tables expr type
1735 * Registers the expr type for use with nf_tables. Returns zero on
1736 * success or a negative errno code otherwise.
1738 int nft_register_expr(struct nft_expr_type *type)
1740 if (!nft_expr_check_ops(type->ops))
1743 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1744 if (type->family == NFPROTO_UNSPEC)
1745 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1747 list_add_rcu(&type->list, &nf_tables_expressions);
1748 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1751 EXPORT_SYMBOL_GPL(nft_register_expr);
1754 * nft_unregister_expr - unregister nf_tables expr type
1757 * Unregisters the expr typefor use with nf_tables.
1759 void nft_unregister_expr(struct nft_expr_type *type)
1761 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1762 list_del_rcu(&type->list);
1763 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1765 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1767 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1770 const struct nft_expr_type *type;
1772 list_for_each_entry(type, &nf_tables_expressions, list) {
1773 if (!nla_strcmp(nla, type->name) &&
1774 (!type->family || type->family == family))
1780 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1783 const struct nft_expr_type *type;
1786 return ERR_PTR(-EINVAL);
1788 type = __nft_expr_type_get(family, nla);
1789 if (type != NULL && try_module_get(type->owner))
1792 #ifdef CONFIG_MODULES
1794 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1795 request_module("nft-expr-%u-%.*s", family,
1796 nla_len(nla), (char *)nla_data(nla));
1797 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1798 if (__nft_expr_type_get(family, nla))
1799 return ERR_PTR(-EAGAIN);
1801 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1802 request_module("nft-expr-%.*s",
1803 nla_len(nla), (char *)nla_data(nla));
1804 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1805 if (__nft_expr_type_get(family, nla))
1806 return ERR_PTR(-EAGAIN);
1809 return ERR_PTR(-ENOENT);
1812 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1813 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1814 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1817 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1818 const struct nft_expr *expr)
1820 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1821 goto nla_put_failure;
1823 if (expr->ops->dump) {
1824 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1826 goto nla_put_failure;
1827 if (expr->ops->dump(skb, expr) < 0)
1828 goto nla_put_failure;
1829 nla_nest_end(skb, data);
1838 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1839 const struct nft_expr *expr)
1841 struct nlattr *nest;
1843 nest = nla_nest_start(skb, attr);
1845 goto nla_put_failure;
1846 if (nf_tables_fill_expr_info(skb, expr) < 0)
1847 goto nla_put_failure;
1848 nla_nest_end(skb, nest);
1855 struct nft_expr_info {
1856 const struct nft_expr_ops *ops;
1857 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1860 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1861 const struct nlattr *nla,
1862 struct nft_expr_info *info)
1864 const struct nft_expr_type *type;
1865 const struct nft_expr_ops *ops;
1866 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1869 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1873 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1875 return PTR_ERR(type);
1877 if (tb[NFTA_EXPR_DATA]) {
1878 err = nla_parse_nested(info->tb, type->maxattr,
1879 tb[NFTA_EXPR_DATA], type->policy, NULL);
1883 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1885 if (type->select_ops != NULL) {
1886 ops = type->select_ops(ctx,
1887 (const struct nlattr * const *)info->tb);
1892 if (!nft_expr_check_ops(ops)) {
1903 module_put(type->owner);
1907 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1908 const struct nft_expr_info *info,
1909 struct nft_expr *expr)
1911 const struct nft_expr_ops *ops = info->ops;
1916 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1921 if (ops->validate) {
1922 const struct nft_data *data = NULL;
1924 err = ops->validate(ctx, expr, &data);
1933 ops->destroy(ctx, expr);
1939 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1940 struct nft_expr *expr)
1942 if (expr->ops->destroy)
1943 expr->ops->destroy(ctx, expr);
1944 module_put(expr->ops->type->owner);
1947 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1948 const struct nlattr *nla)
1950 struct nft_expr_info info;
1951 struct nft_expr *expr;
1954 err = nf_tables_expr_parse(ctx, nla, &info);
1956 goto err_expr_parse;
1959 if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
1960 goto err_expr_stateful;
1963 expr = kzalloc(info.ops->size, GFP_KERNEL);
1965 goto err_expr_stateful;
1967 err = nf_tables_newexpr(ctx, &info, expr);
1975 module_put(info.ops->type->owner);
1977 return ERR_PTR(err);
1980 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1982 nf_tables_expr_destroy(ctx, expr);
1990 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1993 struct nft_rule *rule;
1995 // FIXME: this sucks
1996 list_for_each_entry(rule, &chain->rules, list) {
1997 if (handle == rule->handle)
2001 return ERR_PTR(-ENOENT);
2004 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
2005 const struct nlattr *nla)
2008 return ERR_PTR(-EINVAL);
2010 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2013 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2014 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2015 .len = NFT_TABLE_MAXNAMELEN - 1 },
2016 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2017 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2018 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2019 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2020 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2021 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2022 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2023 .len = NFT_USERDATA_MAXLEN },
2024 [NFTA_RULE_ID] = { .type = NLA_U32 },
2027 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2028 u32 portid, u32 seq, int event,
2029 u32 flags, int family,
2030 const struct nft_table *table,
2031 const struct nft_chain *chain,
2032 const struct nft_rule *rule)
2034 struct nlmsghdr *nlh;
2035 struct nfgenmsg *nfmsg;
2036 const struct nft_expr *expr, *next;
2037 struct nlattr *list;
2038 const struct nft_rule *prule;
2039 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2041 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2043 goto nla_put_failure;
2045 nfmsg = nlmsg_data(nlh);
2046 nfmsg->nfgen_family = family;
2047 nfmsg->version = NFNETLINK_V0;
2048 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2050 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2051 goto nla_put_failure;
2052 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2053 goto nla_put_failure;
2054 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2056 goto nla_put_failure;
2058 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2059 prule = list_prev_entry(rule, list);
2060 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2061 cpu_to_be64(prule->handle),
2063 goto nla_put_failure;
2066 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2068 goto nla_put_failure;
2069 nft_rule_for_each_expr(expr, next, rule) {
2070 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2071 goto nla_put_failure;
2073 nla_nest_end(skb, list);
2076 struct nft_userdata *udata = nft_userdata(rule);
2077 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2079 goto nla_put_failure;
2082 nlmsg_end(skb, nlh);
2086 nlmsg_trim(skb, nlh);
2090 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2091 const struct nft_rule *rule, int event)
2093 struct sk_buff *skb;
2097 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2100 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2104 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2105 event, 0, ctx->afi->family, ctx->table,
2112 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2113 ctx->report, GFP_KERNEL);
2116 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2119 struct nft_rule_dump_ctx {
2124 static int nf_tables_dump_rules(struct sk_buff *skb,
2125 struct netlink_callback *cb)
2127 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2128 const struct nft_rule_dump_ctx *ctx = cb->data;
2129 const struct nft_af_info *afi;
2130 const struct nft_table *table;
2131 const struct nft_chain *chain;
2132 const struct nft_rule *rule;
2133 unsigned int idx = 0, s_idx = cb->args[0];
2134 struct net *net = sock_net(skb->sk);
2135 int family = nfmsg->nfgen_family;
2138 cb->seq = net->nft.base_seq;
2140 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2141 if (family != NFPROTO_UNSPEC && family != afi->family)
2144 list_for_each_entry_rcu(table, &afi->tables, list) {
2145 if (ctx && ctx->table &&
2146 strcmp(ctx->table, table->name) != 0)
2149 list_for_each_entry_rcu(chain, &table->chains, list) {
2150 if (ctx && ctx->chain &&
2151 strcmp(ctx->chain, chain->name) != 0)
2154 list_for_each_entry_rcu(rule, &chain->rules, list) {
2155 if (!nft_is_active(net, rule))
2160 memset(&cb->args[1], 0,
2161 sizeof(cb->args) - sizeof(cb->args[0]));
2162 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2165 NLM_F_MULTI | NLM_F_APPEND,
2166 afi->family, table, chain, rule) < 0)
2169 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2183 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2185 struct nft_rule_dump_ctx *ctx = cb->data;
2195 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2196 struct sk_buff *skb, const struct nlmsghdr *nlh,
2197 const struct nlattr * const nla[],
2198 struct netlink_ext_ack *extack)
2200 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2201 u8 genmask = nft_genmask_cur(net);
2202 const struct nft_af_info *afi;
2203 const struct nft_table *table;
2204 const struct nft_chain *chain;
2205 const struct nft_rule *rule;
2206 struct sk_buff *skb2;
2207 int family = nfmsg->nfgen_family;
2210 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2211 struct netlink_dump_control c = {
2212 .dump = nf_tables_dump_rules,
2213 .done = nf_tables_dump_rules_done,
2216 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2217 struct nft_rule_dump_ctx *ctx;
2219 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2223 if (nla[NFTA_RULE_TABLE]) {
2224 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2231 if (nla[NFTA_RULE_CHAIN]) {
2232 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2243 return netlink_dump_start(nlsk, skb, nlh, &c);
2246 afi = nf_tables_afinfo_lookup(net, family, false);
2248 return PTR_ERR(afi);
2250 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2252 return PTR_ERR(table);
2254 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2256 return PTR_ERR(chain);
2258 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2260 return PTR_ERR(rule);
2262 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2266 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2267 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2268 family, table, chain, rule);
2272 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2279 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2280 struct nft_rule *rule)
2282 struct nft_expr *expr, *next;
2285 * Careful: some expressions might not be initialized in case this
2286 * is called on error from nf_tables_newrule().
2288 expr = nft_expr_first(rule);
2289 while (expr != nft_expr_last(rule) && expr->ops) {
2290 next = nft_expr_next(expr);
2291 nf_tables_expr_destroy(ctx, expr);
2297 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2298 struct nft_rule *rule)
2300 nft_rule_expr_deactivate(ctx, rule);
2301 nf_tables_rule_destroy(ctx, rule);
2304 #define NFT_RULE_MAXEXPRS 128
2306 static struct nft_expr_info *info;
2308 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2309 struct sk_buff *skb, const struct nlmsghdr *nlh,
2310 const struct nlattr * const nla[],
2311 struct netlink_ext_ack *extack)
2313 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2314 u8 genmask = nft_genmask_next(net);
2315 struct nft_af_info *afi;
2316 struct nft_table *table;
2317 struct nft_chain *chain;
2318 struct nft_rule *rule, *old_rule = NULL;
2319 struct nft_userdata *udata;
2320 struct nft_trans *trans = NULL;
2321 struct nft_expr *expr;
2324 unsigned int size, i, n, ulen = 0, usize = 0;
2327 u64 handle, pos_handle;
2329 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2331 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2333 return PTR_ERR(afi);
2335 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2337 return PTR_ERR(table);
2339 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2341 return PTR_ERR(chain);
2343 if (nla[NFTA_RULE_HANDLE]) {
2344 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2345 rule = __nf_tables_rule_lookup(chain, handle);
2347 return PTR_ERR(rule);
2349 if (nlh->nlmsg_flags & NLM_F_EXCL)
2351 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2356 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2358 handle = nf_tables_alloc_handle(table);
2360 if (chain->use == UINT_MAX)
2364 if (nla[NFTA_RULE_POSITION]) {
2365 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2368 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2369 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2370 if (IS_ERR(old_rule))
2371 return PTR_ERR(old_rule);
2374 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2378 if (nla[NFTA_RULE_EXPRESSIONS]) {
2379 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2381 if (nla_type(tmp) != NFTA_LIST_ELEM)
2383 if (n == NFT_RULE_MAXEXPRS)
2385 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2388 size += info[n].ops->size;
2392 /* Check for overflow of dlen field */
2394 if (size >= 1 << 12)
2397 if (nla[NFTA_RULE_USERDATA]) {
2398 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2400 usize = sizeof(struct nft_userdata) + ulen;
2404 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2408 nft_activate_next(net, rule);
2410 rule->handle = handle;
2412 rule->udata = ulen ? 1 : 0;
2415 udata = nft_userdata(rule);
2416 udata->len = ulen - 1;
2417 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2420 expr = nft_expr_first(rule);
2421 for (i = 0; i < n; i++) {
2422 err = nf_tables_newexpr(&ctx, &info[i], expr);
2426 expr = nft_expr_next(expr);
2429 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2430 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2431 if (trans == NULL) {
2435 err = nft_delrule(&ctx, old_rule);
2437 nft_trans_destroy(trans);
2441 list_add_tail_rcu(&rule->list, &old_rule->list);
2443 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2448 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2450 list_add_rcu(&rule->list, &old_rule->list);
2452 list_add_tail_rcu(&rule->list, &chain->rules);
2455 list_add_tail_rcu(&rule->list, &old_rule->list);
2457 list_add_rcu(&rule->list, &chain->rules);
2464 nf_tables_rule_release(&ctx, rule);
2466 for (i = 0; i < n; i++) {
2467 if (info[i].ops != NULL)
2468 module_put(info[i].ops->type->owner);
2473 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2474 const struct nlattr *nla)
2476 u32 id = ntohl(nla_get_be32(nla));
2477 struct nft_trans *trans;
2479 list_for_each_entry(trans, &net->nft.commit_list, list) {
2480 struct nft_rule *rule = nft_trans_rule(trans);
2482 if (trans->msg_type == NFT_MSG_NEWRULE &&
2483 id == nft_trans_rule_id(trans))
2486 return ERR_PTR(-ENOENT);
2489 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2490 struct sk_buff *skb, const struct nlmsghdr *nlh,
2491 const struct nlattr * const nla[],
2492 struct netlink_ext_ack *extack)
2494 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2495 u8 genmask = nft_genmask_next(net);
2496 struct nft_af_info *afi;
2497 struct nft_table *table;
2498 struct nft_chain *chain = NULL;
2499 struct nft_rule *rule;
2500 int family = nfmsg->nfgen_family, err = 0;
2503 afi = nf_tables_afinfo_lookup(net, family, false);
2505 return PTR_ERR(afi);
2507 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2509 return PTR_ERR(table);
2511 if (nla[NFTA_RULE_CHAIN]) {
2512 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2515 return PTR_ERR(chain);
2518 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2521 if (nla[NFTA_RULE_HANDLE]) {
2522 rule = nf_tables_rule_lookup(chain,
2523 nla[NFTA_RULE_HANDLE]);
2525 return PTR_ERR(rule);
2527 err = nft_delrule(&ctx, rule);
2528 } else if (nla[NFTA_RULE_ID]) {
2529 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2531 return PTR_ERR(rule);
2533 err = nft_delrule(&ctx, rule);
2535 err = nft_delrule_by_chain(&ctx);
2538 list_for_each_entry(chain, &table->chains, list) {
2539 if (!nft_is_active_next(net, chain))
2543 err = nft_delrule_by_chain(&ctx);
2556 static LIST_HEAD(nf_tables_set_types);
2558 int nft_register_set(struct nft_set_type *type)
2560 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2561 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2562 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2565 EXPORT_SYMBOL_GPL(nft_register_set);
2567 void nft_unregister_set(struct nft_set_type *type)
2569 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2570 list_del_rcu(&type->list);
2571 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2573 EXPORT_SYMBOL_GPL(nft_unregister_set);
2575 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2576 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2578 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2580 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2584 * Select a set implementation based on the data characteristics and the
2585 * given policy. The total memory use might not be known if no size is
2586 * given, in that case the amount of memory per element is used.
2588 static const struct nft_set_ops *
2589 nft_select_set_ops(const struct nft_ctx *ctx,
2590 const struct nlattr * const nla[],
2591 const struct nft_set_desc *desc,
2592 enum nft_set_policies policy)
2594 const struct nft_set_ops *ops, *bops;
2595 struct nft_set_estimate est, best;
2596 const struct nft_set_type *type;
2599 #ifdef CONFIG_MODULES
2600 if (list_empty(&nf_tables_set_types)) {
2601 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2602 request_module("nft-set");
2603 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2604 if (!list_empty(&nf_tables_set_types))
2605 return ERR_PTR(-EAGAIN);
2608 if (nla[NFTA_SET_FLAGS] != NULL)
2609 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2616 list_for_each_entry(type, &nf_tables_set_types, list) {
2617 if (!type->select_ops)
2620 ops = type->select_ops(ctx, desc, flags);
2624 if (!nft_set_ops_candidate(ops, flags))
2626 if (!ops->estimate(desc, flags, &est))
2630 case NFT_SET_POL_PERFORMANCE:
2631 if (est.lookup < best.lookup)
2633 if (est.lookup == best.lookup) {
2635 if (est.space < best.space)
2637 } else if (est.size < best.size) {
2642 case NFT_SET_POL_MEMORY:
2644 if (est.space < best.space)
2646 if (est.space == best.space &&
2647 est.lookup < best.lookup)
2649 } else if (est.size < best.size) {
2657 if (!try_module_get(type->owner))
2660 module_put(bops->type->owner);
2669 return ERR_PTR(-EOPNOTSUPP);
2672 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2673 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2674 .len = NFT_TABLE_MAXNAMELEN - 1 },
2675 [NFTA_SET_NAME] = { .type = NLA_STRING,
2676 .len = NFT_SET_MAXNAMELEN - 1 },
2677 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2678 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2679 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2680 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2681 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2682 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2683 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2684 [NFTA_SET_ID] = { .type = NLA_U32 },
2685 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2686 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2687 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2688 .len = NFT_USERDATA_MAXLEN },
2689 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2692 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2693 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2696 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2697 const struct sk_buff *skb,
2698 const struct nlmsghdr *nlh,
2699 const struct nlattr * const nla[],
2702 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2703 struct nft_af_info *afi = NULL;
2704 struct nft_table *table = NULL;
2706 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2707 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2709 return PTR_ERR(afi);
2712 if (nla[NFTA_SET_TABLE] != NULL) {
2714 return -EAFNOSUPPORT;
2716 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2719 return PTR_ERR(table);
2722 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2726 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2727 const struct nlattr *nla, u8 genmask)
2729 struct nft_set *set;
2732 return ERR_PTR(-EINVAL);
2734 list_for_each_entry(set, &table->sets, list) {
2735 if (!nla_strcmp(nla, set->name) &&
2736 nft_active_genmask(set, genmask))
2739 return ERR_PTR(-ENOENT);
2742 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2743 const struct nlattr *nla,
2746 struct nft_trans *trans;
2747 u32 id = ntohl(nla_get_be32(nla));
2749 list_for_each_entry(trans, &net->nft.commit_list, list) {
2750 if (trans->msg_type == NFT_MSG_NEWSET) {
2751 struct nft_set *set = nft_trans_set(trans);
2753 if (id == nft_trans_set_id(trans) &&
2754 nft_active_genmask(set, genmask))
2758 return ERR_PTR(-ENOENT);
2761 struct nft_set *nft_set_lookup(const struct net *net,
2762 const struct nft_table *table,
2763 const struct nlattr *nla_set_name,
2764 const struct nlattr *nla_set_id,
2767 struct nft_set *set;
2769 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2774 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2778 EXPORT_SYMBOL_GPL(nft_set_lookup);
2780 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2783 const struct nft_set *i;
2785 unsigned long *inuse;
2786 unsigned int n = 0, min = 0;
2788 p = strchr(name, '%');
2790 if (p[1] != 'd' || strchr(p + 2, '%'))
2793 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2797 list_for_each_entry(i, &ctx->table->sets, list) {
2800 if (!nft_is_active_next(ctx->net, i))
2802 if (!sscanf(i->name, name, &tmp))
2804 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2807 set_bit(tmp - min, inuse);
2810 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2811 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2812 min += BITS_PER_BYTE * PAGE_SIZE;
2813 memset(inuse, 0, PAGE_SIZE);
2816 free_page((unsigned long)inuse);
2819 set->name = kasprintf(GFP_KERNEL, name, min + n);
2823 list_for_each_entry(i, &ctx->table->sets, list) {
2824 if (!nft_is_active_next(ctx->net, i))
2826 if (!strcmp(set->name, i->name)) {
2834 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2835 const struct nft_set *set, u16 event, u16 flags)
2837 struct nfgenmsg *nfmsg;
2838 struct nlmsghdr *nlh;
2839 struct nlattr *desc;
2840 u32 portid = ctx->portid;
2843 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2844 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2847 goto nla_put_failure;
2849 nfmsg = nlmsg_data(nlh);
2850 nfmsg->nfgen_family = ctx->afi->family;
2851 nfmsg->version = NFNETLINK_V0;
2852 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2854 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2855 goto nla_put_failure;
2856 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2857 goto nla_put_failure;
2858 if (set->flags != 0)
2859 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2860 goto nla_put_failure;
2862 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2863 goto nla_put_failure;
2864 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2865 goto nla_put_failure;
2866 if (set->flags & NFT_SET_MAP) {
2867 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2868 goto nla_put_failure;
2869 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2870 goto nla_put_failure;
2872 if (set->flags & NFT_SET_OBJECT &&
2873 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2874 goto nla_put_failure;
2877 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2878 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2880 goto nla_put_failure;
2882 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2883 goto nla_put_failure;
2885 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2886 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2887 goto nla_put_failure;
2891 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2892 goto nla_put_failure;
2894 desc = nla_nest_start(skb, NFTA_SET_DESC);
2896 goto nla_put_failure;
2898 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2899 goto nla_put_failure;
2900 nla_nest_end(skb, desc);
2902 nlmsg_end(skb, nlh);
2906 nlmsg_trim(skb, nlh);
2910 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2911 const struct nft_set *set, int event,
2914 struct sk_buff *skb;
2915 u32 portid = ctx->portid;
2919 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2922 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2926 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2932 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2936 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2939 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2941 const struct nft_set *set;
2942 unsigned int idx, s_idx = cb->args[0];
2943 struct nft_af_info *afi;
2944 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2945 struct net *net = sock_net(skb->sk);
2946 int cur_family = cb->args[3];
2947 struct nft_ctx *ctx = cb->data, ctx_set;
2953 cb->seq = net->nft.base_seq;
2955 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2956 if (ctx->afi && ctx->afi != afi)
2960 if (afi->family != cur_family)
2965 list_for_each_entry_rcu(table, &afi->tables, list) {
2966 if (ctx->table && ctx->table != table)
2970 if (cur_table != table)
2976 list_for_each_entry_rcu(set, &table->sets, list) {
2979 if (!nft_is_active(net, set))
2983 ctx_set.table = table;
2985 if (nf_tables_fill_set(skb, &ctx_set, set,
2989 cb->args[2] = (unsigned long) table;
2990 cb->args[3] = afi->family;
2993 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3007 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3013 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3014 struct sk_buff *skb, const struct nlmsghdr *nlh,
3015 const struct nlattr * const nla[],
3016 struct netlink_ext_ack *extack)
3018 u8 genmask = nft_genmask_cur(net);
3019 const struct nft_set *set;
3021 struct sk_buff *skb2;
3022 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3025 /* Verify existence before starting dump */
3026 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3030 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3031 struct netlink_dump_control c = {
3032 .dump = nf_tables_dump_sets,
3033 .done = nf_tables_dump_sets_done,
3035 struct nft_ctx *ctx_dump;
3037 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3038 if (ctx_dump == NULL)
3044 return netlink_dump_start(nlsk, skb, nlh, &c);
3047 /* Only accept unspec with dump */
3048 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3049 return -EAFNOSUPPORT;
3050 if (!nla[NFTA_SET_TABLE])
3053 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3055 return PTR_ERR(set);
3057 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3061 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3065 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3072 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3073 struct nft_set_desc *desc,
3074 const struct nlattr *nla)
3076 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3079 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3080 nft_set_desc_policy, NULL);
3084 if (da[NFTA_SET_DESC_SIZE] != NULL)
3085 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3090 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3091 struct sk_buff *skb, const struct nlmsghdr *nlh,
3092 const struct nlattr * const nla[],
3093 struct netlink_ext_ack *extack)
3095 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3096 u8 genmask = nft_genmask_next(net);
3097 const struct nft_set_ops *ops;
3098 struct nft_af_info *afi;
3099 struct nft_table *table;
3100 struct nft_set *set;
3106 u32 ktype, dtype, flags, policy, gc_int, objtype;
3107 struct nft_set_desc desc;
3108 unsigned char *udata;
3112 if (nla[NFTA_SET_TABLE] == NULL ||
3113 nla[NFTA_SET_NAME] == NULL ||
3114 nla[NFTA_SET_KEY_LEN] == NULL ||
3115 nla[NFTA_SET_ID] == NULL)
3118 memset(&desc, 0, sizeof(desc));
3120 ktype = NFT_DATA_VALUE;
3121 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3122 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3123 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3127 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3128 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3132 if (nla[NFTA_SET_FLAGS] != NULL) {
3133 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3134 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3135 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3136 NFT_SET_MAP | NFT_SET_EVAL |
3139 /* Only one of these operations is supported */
3140 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3141 (NFT_SET_MAP | NFT_SET_OBJECT))
3143 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3144 (NFT_SET_EVAL | NFT_SET_OBJECT))
3149 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3150 if (!(flags & NFT_SET_MAP))
3153 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3154 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3155 dtype != NFT_DATA_VERDICT)
3158 if (dtype != NFT_DATA_VERDICT) {
3159 if (nla[NFTA_SET_DATA_LEN] == NULL)
3161 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3162 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3165 desc.dlen = sizeof(struct nft_verdict);
3166 } else if (flags & NFT_SET_MAP)
3169 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3170 if (!(flags & NFT_SET_OBJECT))
3173 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3174 if (objtype == NFT_OBJECT_UNSPEC ||
3175 objtype > NFT_OBJECT_MAX)
3177 } else if (flags & NFT_SET_OBJECT)
3180 objtype = NFT_OBJECT_UNSPEC;
3183 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3184 if (!(flags & NFT_SET_TIMEOUT))
3186 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3187 nla[NFTA_SET_TIMEOUT])));
3190 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3191 if (!(flags & NFT_SET_TIMEOUT))
3193 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3196 policy = NFT_SET_POL_PERFORMANCE;
3197 if (nla[NFTA_SET_POLICY] != NULL)
3198 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3200 if (nla[NFTA_SET_DESC] != NULL) {
3201 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3206 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3208 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3210 return PTR_ERR(afi);
3212 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
3214 return PTR_ERR(table);
3216 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
3218 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3220 if (PTR_ERR(set) != -ENOENT)
3221 return PTR_ERR(set);
3223 if (nlh->nlmsg_flags & NLM_F_EXCL)
3225 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3230 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3233 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3235 return PTR_ERR(ops);
3238 if (nla[NFTA_SET_USERDATA])
3239 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3242 if (ops->privsize != NULL)
3243 size = ops->privsize(nla, &desc);
3245 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3251 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3257 err = nf_tables_set_alloc_name(&ctx, set, name);
3264 udata = set->data + size;
3265 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3268 INIT_LIST_HEAD(&set->bindings);
3271 set->klen = desc.klen;
3273 set->objtype = objtype;
3274 set->dlen = desc.dlen;
3276 set->size = desc.size;
3277 set->policy = policy;
3280 set->timeout = timeout;
3281 set->gc_int = gc_int;
3283 err = ops->init(set, &desc, nla);
3287 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3291 list_add_tail_rcu(&set->list, &table->sets);
3302 module_put(ops->type->owner);
3306 static void nft_set_destroy(struct nft_set *set)
3308 set->ops->destroy(set);
3309 module_put(set->ops->type->owner);
3314 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3316 list_del_rcu(&set->list);
3317 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3318 nft_set_destroy(set);
3321 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3322 struct sk_buff *skb, const struct nlmsghdr *nlh,
3323 const struct nlattr * const nla[],
3324 struct netlink_ext_ack *extack)
3326 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3327 u8 genmask = nft_genmask_next(net);
3328 struct nft_set *set;
3332 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3333 return -EAFNOSUPPORT;
3334 if (nla[NFTA_SET_TABLE] == NULL)
3337 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3341 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3343 return PTR_ERR(set);
3345 if (!list_empty(&set->bindings) ||
3346 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3349 return nft_delset(&ctx, set);
3352 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3353 struct nft_set *set,
3354 const struct nft_set_iter *iter,
3355 struct nft_set_elem *elem)
3357 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3358 enum nft_registers dreg;
3360 dreg = nft_type_to_reg(set->dtype);
3361 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3362 set->dtype == NFT_DATA_VERDICT ?
3363 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3367 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3368 struct nft_set_binding *binding)
3370 struct nft_set_binding *i;
3371 struct nft_set_iter iter;
3373 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3376 if (binding->flags & NFT_SET_MAP) {
3377 /* If the set is already bound to the same chain all
3378 * jumps are already validated for that chain.
3380 list_for_each_entry(i, &set->bindings, list) {
3381 if (i->flags & NFT_SET_MAP &&
3382 i->chain == binding->chain)
3386 iter.genmask = nft_genmask_next(ctx->net);
3390 iter.fn = nf_tables_bind_check_setelem;
3392 set->ops->walk(ctx, set, &iter);
3397 binding->chain = ctx->chain;
3398 list_add_tail_rcu(&binding->list, &set->bindings);
3401 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3403 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3404 struct nft_set_binding *binding)
3406 list_del_rcu(&binding->list);
3408 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3409 nft_is_active(ctx->net, set))
3410 nf_tables_set_destroy(ctx, set);
3412 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3414 const struct nft_set_ext_type nft_set_ext_types[] = {
3415 [NFT_SET_EXT_KEY] = {
3416 .align = __alignof__(u32),
3418 [NFT_SET_EXT_DATA] = {
3419 .align = __alignof__(u32),
3421 [NFT_SET_EXT_EXPR] = {
3422 .align = __alignof__(struct nft_expr),
3424 [NFT_SET_EXT_OBJREF] = {
3425 .len = sizeof(struct nft_object *),
3426 .align = __alignof__(struct nft_object *),
3428 [NFT_SET_EXT_FLAGS] = {
3430 .align = __alignof__(u8),
3432 [NFT_SET_EXT_TIMEOUT] = {
3434 .align = __alignof__(u64),
3436 [NFT_SET_EXT_EXPIRATION] = {
3437 .len = sizeof(unsigned long),
3438 .align = __alignof__(unsigned long),
3440 [NFT_SET_EXT_USERDATA] = {
3441 .len = sizeof(struct nft_userdata),
3442 .align = __alignof__(struct nft_userdata),
3445 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3451 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3452 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3453 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3454 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3455 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3456 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3457 .len = NFT_USERDATA_MAXLEN },
3458 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3459 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3462 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3463 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3464 .len = NFT_TABLE_MAXNAMELEN - 1 },
3465 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3466 .len = NFT_SET_MAXNAMELEN - 1 },
3467 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3468 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3471 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3472 const struct sk_buff *skb,
3473 const struct nlmsghdr *nlh,
3474 const struct nlattr * const nla[],
3477 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3478 struct nft_af_info *afi;
3479 struct nft_table *table;
3481 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3483 return PTR_ERR(afi);
3485 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3488 return PTR_ERR(table);
3490 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3494 static int nf_tables_fill_setelem(struct sk_buff *skb,
3495 const struct nft_set *set,
3496 const struct nft_set_elem *elem)
3498 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3499 unsigned char *b = skb_tail_pointer(skb);
3500 struct nlattr *nest;
3502 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3504 goto nla_put_failure;
3506 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3507 NFT_DATA_VALUE, set->klen) < 0)
3508 goto nla_put_failure;
3510 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3511 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3512 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3514 goto nla_put_failure;
3516 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3517 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3518 goto nla_put_failure;
3520 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3521 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3522 (*nft_set_ext_obj(ext))->name) < 0)
3523 goto nla_put_failure;
3525 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3526 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3527 htonl(*nft_set_ext_flags(ext))))
3528 goto nla_put_failure;
3530 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3531 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3532 cpu_to_be64(jiffies_to_msecs(
3533 *nft_set_ext_timeout(ext))),
3535 goto nla_put_failure;
3537 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3538 unsigned long expires, now = jiffies;
3540 expires = *nft_set_ext_expiration(ext);
3541 if (time_before(now, expires))
3546 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3547 cpu_to_be64(jiffies_to_msecs(expires)),
3549 goto nla_put_failure;
3552 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3553 struct nft_userdata *udata;
3555 udata = nft_set_ext_userdata(ext);
3556 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3557 udata->len + 1, udata->data))
3558 goto nla_put_failure;
3561 nla_nest_end(skb, nest);
3569 struct nft_set_dump_args {
3570 const struct netlink_callback *cb;
3571 struct nft_set_iter iter;
3572 struct sk_buff *skb;
3575 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3576 struct nft_set *set,
3577 const struct nft_set_iter *iter,
3578 struct nft_set_elem *elem)
3580 struct nft_set_dump_args *args;
3582 args = container_of(iter, struct nft_set_dump_args, iter);
3583 return nf_tables_fill_setelem(args->skb, set, elem);
3586 struct nft_set_dump_ctx {
3587 const struct nft_set *set;
3591 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3593 struct nft_set_dump_ctx *dump_ctx = cb->data;
3594 struct net *net = sock_net(skb->sk);
3595 struct nft_af_info *afi;
3596 struct nft_table *table;
3597 struct nft_set *set;
3598 struct nft_set_dump_args args;
3599 bool set_found = false;
3600 struct nfgenmsg *nfmsg;
3601 struct nlmsghdr *nlh;
3602 struct nlattr *nest;
3607 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
3608 if (afi != dump_ctx->ctx.afi)
3611 list_for_each_entry_rcu(table, &afi->tables, list) {
3612 if (table != dump_ctx->ctx.table)
3615 list_for_each_entry_rcu(set, &table->sets, list) {
3616 if (set == dump_ctx->set) {
3631 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3632 portid = NETLINK_CB(cb->skb).portid;
3633 seq = cb->nlh->nlmsg_seq;
3635 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3638 goto nla_put_failure;
3640 nfmsg = nlmsg_data(nlh);
3641 nfmsg->nfgen_family = afi->family;
3642 nfmsg->version = NFNETLINK_V0;
3643 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3645 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3646 goto nla_put_failure;
3647 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3648 goto nla_put_failure;
3650 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3652 goto nla_put_failure;
3656 args.iter.genmask = nft_genmask_cur(net);
3657 args.iter.skip = cb->args[0];
3658 args.iter.count = 0;
3660 args.iter.fn = nf_tables_dump_setelem;
3661 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3664 nla_nest_end(skb, nest);
3665 nlmsg_end(skb, nlh);
3667 if (args.iter.err && args.iter.err != -EMSGSIZE)
3668 return args.iter.err;
3669 if (args.iter.count == cb->args[0])
3672 cb->args[0] = args.iter.count;
3680 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3686 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3687 struct sk_buff *skb, const struct nlmsghdr *nlh,
3688 const struct nlattr * const nla[],
3689 struct netlink_ext_ack *extack)
3691 u8 genmask = nft_genmask_cur(net);
3692 const struct nft_set *set;
3696 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3700 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3703 return PTR_ERR(set);
3705 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3706 struct netlink_dump_control c = {
3707 .dump = nf_tables_dump_set,
3708 .done = nf_tables_dump_set_done,
3710 struct nft_set_dump_ctx *dump_ctx;
3712 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3716 dump_ctx->set = set;
3717 dump_ctx->ctx = ctx;
3720 return netlink_dump_start(nlsk, skb, nlh, &c);
3725 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3726 const struct nft_ctx *ctx, u32 seq,
3727 u32 portid, int event, u16 flags,
3728 const struct nft_set *set,
3729 const struct nft_set_elem *elem)
3731 struct nfgenmsg *nfmsg;
3732 struct nlmsghdr *nlh;
3733 struct nlattr *nest;
3736 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3737 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3740 goto nla_put_failure;
3742 nfmsg = nlmsg_data(nlh);
3743 nfmsg->nfgen_family = ctx->afi->family;
3744 nfmsg->version = NFNETLINK_V0;
3745 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3747 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3748 goto nla_put_failure;
3749 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3750 goto nla_put_failure;
3752 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3754 goto nla_put_failure;
3756 err = nf_tables_fill_setelem(skb, set, elem);
3758 goto nla_put_failure;
3760 nla_nest_end(skb, nest);
3762 nlmsg_end(skb, nlh);
3766 nlmsg_trim(skb, nlh);
3770 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3771 const struct nft_set *set,
3772 const struct nft_set_elem *elem,
3773 int event, u16 flags)
3775 struct net *net = ctx->net;
3776 u32 portid = ctx->portid;
3777 struct sk_buff *skb;
3780 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3783 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3787 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3794 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3798 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3801 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3803 struct nft_set *set)
3805 struct nft_trans *trans;
3807 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3811 nft_trans_elem_set(trans) = set;
3815 void *nft_set_elem_init(const struct nft_set *set,
3816 const struct nft_set_ext_tmpl *tmpl,
3817 const u32 *key, const u32 *data,
3818 u64 timeout, gfp_t gfp)
3820 struct nft_set_ext *ext;
3823 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3827 ext = nft_set_elem_ext(set, elem);
3828 nft_set_ext_init(ext, tmpl);
3830 memcpy(nft_set_ext_key(ext), key, set->klen);
3831 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3832 memcpy(nft_set_ext_data(ext), data, set->dlen);
3833 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3834 *nft_set_ext_expiration(ext) =
3836 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3837 *nft_set_ext_timeout(ext) = timeout;
3842 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3845 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3847 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3848 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3849 nft_data_release(nft_set_ext_data(ext), set->dtype);
3850 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3851 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3852 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3853 (*nft_set_ext_obj(ext))->use--;
3856 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3858 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3859 * the refcounting from the preparation phase.
3861 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3863 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3865 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3866 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3870 static int nft_setelem_parse_flags(const struct nft_set *set,
3871 const struct nlattr *attr, u32 *flags)
3876 *flags = ntohl(nla_get_be32(attr));
3877 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3879 if (!(set->flags & NFT_SET_INTERVAL) &&
3880 *flags & NFT_SET_ELEM_INTERVAL_END)
3886 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3887 const struct nlattr *attr, u32 nlmsg_flags)
3889 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3890 u8 genmask = nft_genmask_next(ctx->net);
3891 struct nft_data_desc d1, d2;
3892 struct nft_set_ext_tmpl tmpl;
3893 struct nft_set_ext *ext, *ext2;
3894 struct nft_set_elem elem;
3895 struct nft_set_binding *binding;
3896 struct nft_object *obj = NULL;
3897 struct nft_userdata *udata;
3898 struct nft_data data;
3899 enum nft_registers dreg;
3900 struct nft_trans *trans;
3906 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3907 nft_set_elem_policy, NULL);
3911 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3914 nft_set_ext_prepare(&tmpl);
3916 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3920 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3922 if (set->flags & NFT_SET_MAP) {
3923 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3924 !(flags & NFT_SET_ELEM_INTERVAL_END))
3927 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3931 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
3932 (nla[NFTA_SET_ELEM_DATA] ||
3933 nla[NFTA_SET_ELEM_OBJREF] ||
3934 nla[NFTA_SET_ELEM_TIMEOUT] ||
3935 nla[NFTA_SET_ELEM_EXPIRATION] ||
3936 nla[NFTA_SET_ELEM_USERDATA] ||
3937 nla[NFTA_SET_ELEM_EXPR]))
3941 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3942 if (!(set->flags & NFT_SET_TIMEOUT))
3944 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3945 nla[NFTA_SET_ELEM_TIMEOUT])));
3946 } else if (set->flags & NFT_SET_TIMEOUT) {
3947 timeout = set->timeout;
3950 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3951 nla[NFTA_SET_ELEM_KEY]);
3955 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3958 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3960 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3961 if (timeout != set->timeout)
3962 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3965 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3966 if (!(set->flags & NFT_SET_OBJECT)) {
3970 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3971 set->objtype, genmask);
3976 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3979 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3980 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3981 nla[NFTA_SET_ELEM_DATA]);
3986 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3989 dreg = nft_type_to_reg(set->dtype);
3990 list_for_each_entry(binding, &set->bindings, list) {
3991 struct nft_ctx bind_ctx = {
3994 .table = ctx->table,
3995 .chain = (struct nft_chain *)binding->chain,
3998 if (!(binding->flags & NFT_SET_MAP))
4001 err = nft_validate_register_store(&bind_ctx, dreg,
4008 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4011 /* The full maximum length of userdata can exceed the maximum
4012 * offset value (U8_MAX) for following extensions, therefor it
4013 * must be the last extension added.
4016 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4017 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4019 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4024 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4025 timeout, GFP_KERNEL);
4026 if (elem.priv == NULL)
4029 ext = nft_set_elem_ext(set, elem.priv);
4031 *nft_set_ext_flags(ext) = flags;
4033 udata = nft_set_ext_userdata(ext);
4034 udata->len = ulen - 1;
4035 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4038 *nft_set_ext_obj(ext) = obj;
4042 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4046 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4047 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4049 if (err == -EEXIST) {
4050 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4051 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4052 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4053 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4057 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4058 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4059 memcmp(nft_set_ext_data(ext),
4060 nft_set_ext_data(ext2), set->dlen) != 0) ||
4061 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4062 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4063 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4065 else if (!(nlmsg_flags & NLM_F_EXCL))
4072 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4077 nft_trans_elem(trans) = elem;
4078 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4082 set->ops->remove(ctx->net, set, &elem);
4090 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4091 nft_data_release(&data, d2.type);
4093 nft_data_release(&elem.key.val, d1.type);
4098 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4099 struct sk_buff *skb, const struct nlmsghdr *nlh,
4100 const struct nlattr * const nla[],
4101 struct netlink_ext_ack *extack)
4103 u8 genmask = nft_genmask_next(net);
4104 const struct nlattr *attr;
4105 struct nft_set *set;
4109 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4112 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4116 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4119 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4120 set = nf_tables_set_lookup_byid(net,
4121 nla[NFTA_SET_ELEM_LIST_SET_ID],
4125 return PTR_ERR(set);
4128 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4131 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4132 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4140 * nft_data_hold - hold a nft_data item
4142 * @data: struct nft_data to release
4143 * @type: type of data
4145 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4146 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4147 * NFT_GOTO verdicts. This function must be called on active data objects
4148 * from the second phase of the commit protocol.
4150 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4152 if (type == NFT_DATA_VERDICT) {
4153 switch (data->verdict.code) {
4156 data->verdict.chain->use++;
4162 static void nft_set_elem_activate(const struct net *net,
4163 const struct nft_set *set,
4164 struct nft_set_elem *elem)
4166 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4168 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4169 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4170 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4171 (*nft_set_ext_obj(ext))->use++;
4174 static void nft_set_elem_deactivate(const struct net *net,
4175 const struct nft_set *set,
4176 struct nft_set_elem *elem)
4178 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4180 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4181 nft_data_release(nft_set_ext_data(ext), set->dtype);
4182 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4183 (*nft_set_ext_obj(ext))->use--;
4186 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4187 const struct nlattr *attr)
4189 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4190 struct nft_set_ext_tmpl tmpl;
4191 struct nft_data_desc desc;
4192 struct nft_set_elem elem;
4193 struct nft_set_ext *ext;
4194 struct nft_trans *trans;
4199 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4200 nft_set_elem_policy, NULL);
4205 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4208 nft_set_ext_prepare(&tmpl);
4210 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4214 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4216 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4217 nla[NFTA_SET_ELEM_KEY]);
4222 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4225 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4228 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4230 if (elem.priv == NULL)
4233 ext = nft_set_elem_ext(set, elem.priv);
4235 *nft_set_ext_flags(ext) = flags;
4237 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4238 if (trans == NULL) {
4243 priv = set->ops->deactivate(ctx->net, set, &elem);
4251 nft_set_elem_deactivate(ctx->net, set, &elem);
4253 nft_trans_elem(trans) = elem;
4254 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4262 nft_data_release(&elem.key.val, desc.type);
4267 static int nft_flush_set(const struct nft_ctx *ctx,
4268 struct nft_set *set,
4269 const struct nft_set_iter *iter,
4270 struct nft_set_elem *elem)
4272 struct nft_trans *trans;
4275 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4276 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4280 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4286 nft_set_elem_deactivate(ctx->net, set, elem);
4287 nft_trans_elem_set(trans) = set;
4288 nft_trans_elem(trans) = *elem;
4289 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4297 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4298 struct sk_buff *skb, const struct nlmsghdr *nlh,
4299 const struct nlattr * const nla[],
4300 struct netlink_ext_ack *extack)
4302 u8 genmask = nft_genmask_next(net);
4303 const struct nlattr *attr;
4304 struct nft_set *set;
4308 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4312 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4315 return PTR_ERR(set);
4316 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4319 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4320 struct nft_set_iter iter = {
4322 .fn = nft_flush_set,
4324 set->ops->walk(&ctx, set, &iter);
4329 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4330 err = nft_del_setelem(&ctx, set, attr);
4339 void nft_set_gc_batch_release(struct rcu_head *rcu)
4341 struct nft_set_gc_batch *gcb;
4344 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4345 for (i = 0; i < gcb->head.cnt; i++)
4346 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4349 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4351 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4354 struct nft_set_gc_batch *gcb;
4356 gcb = kzalloc(sizeof(*gcb), gfp);
4359 gcb->head.set = set;
4362 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4369 * nft_register_obj- register nf_tables stateful object type
4372 * Registers the object type for use with nf_tables. Returns zero on
4373 * success or a negative errno code otherwise.
4375 int nft_register_obj(struct nft_object_type *obj_type)
4377 if (obj_type->type == NFT_OBJECT_UNSPEC)
4380 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4381 list_add_rcu(&obj_type->list, &nf_tables_objects);
4382 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4385 EXPORT_SYMBOL_GPL(nft_register_obj);
4388 * nft_unregister_obj - unregister nf_tables object type
4391 * Unregisters the object type for use with nf_tables.
4393 void nft_unregister_obj(struct nft_object_type *obj_type)
4395 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4396 list_del_rcu(&obj_type->list);
4397 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4399 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4401 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4402 const struct nlattr *nla,
4403 u32 objtype, u8 genmask)
4405 struct nft_object *obj;
4407 list_for_each_entry(obj, &table->objects, list) {
4408 if (!nla_strcmp(nla, obj->name) &&
4409 objtype == obj->ops->type->type &&
4410 nft_active_genmask(obj, genmask))
4413 return ERR_PTR(-ENOENT);
4415 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4417 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4418 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4419 .len = NFT_TABLE_MAXNAMELEN - 1 },
4420 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4421 .len = NFT_OBJ_MAXNAMELEN - 1 },
4422 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4423 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4426 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4427 const struct nft_object_type *type,
4428 const struct nlattr *attr)
4430 struct nlattr *tb[type->maxattr + 1];
4431 const struct nft_object_ops *ops;
4432 struct nft_object *obj;
4436 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4441 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4444 if (type->select_ops) {
4445 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4455 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4459 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4469 return ERR_PTR(err);
4472 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4473 struct nft_object *obj, bool reset)
4475 struct nlattr *nest;
4477 nest = nla_nest_start(skb, attr);
4479 goto nla_put_failure;
4480 if (obj->ops->dump(skb, obj, reset) < 0)
4481 goto nla_put_failure;
4482 nla_nest_end(skb, nest);
4489 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4491 const struct nft_object_type *type;
4493 list_for_each_entry(type, &nf_tables_objects, list) {
4494 if (objtype == type->type)
4500 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4502 const struct nft_object_type *type;
4504 type = __nft_obj_type_get(objtype);
4505 if (type != NULL && try_module_get(type->owner))
4508 #ifdef CONFIG_MODULES
4510 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4511 request_module("nft-obj-%u", objtype);
4512 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4513 if (__nft_obj_type_get(objtype))
4514 return ERR_PTR(-EAGAIN);
4517 return ERR_PTR(-ENOENT);
4520 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4521 struct sk_buff *skb, const struct nlmsghdr *nlh,
4522 const struct nlattr * const nla[],
4523 struct netlink_ext_ack *extack)
4525 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4526 const struct nft_object_type *type;
4527 u8 genmask = nft_genmask_next(net);
4528 int family = nfmsg->nfgen_family;
4529 struct nft_af_info *afi;
4530 struct nft_table *table;
4531 struct nft_object *obj;
4536 if (!nla[NFTA_OBJ_TYPE] ||
4537 !nla[NFTA_OBJ_NAME] ||
4538 !nla[NFTA_OBJ_DATA])
4541 afi = nf_tables_afinfo_lookup(net, family, true);
4543 return PTR_ERR(afi);
4545 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4547 return PTR_ERR(table);
4549 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4550 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4557 if (nlh->nlmsg_flags & NLM_F_EXCL)
4563 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4565 type = nft_obj_type_get(objtype);
4567 return PTR_ERR(type);
4569 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4575 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4581 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4585 list_add_tail_rcu(&obj->list, &table->objects);
4591 if (obj->ops->destroy)
4592 obj->ops->destroy(obj);
4595 module_put(type->owner);
4599 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4600 u32 portid, u32 seq, int event, u32 flags,
4601 int family, const struct nft_table *table,
4602 struct nft_object *obj, bool reset)
4604 struct nfgenmsg *nfmsg;
4605 struct nlmsghdr *nlh;
4607 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4608 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4610 goto nla_put_failure;
4612 nfmsg = nlmsg_data(nlh);
4613 nfmsg->nfgen_family = family;
4614 nfmsg->version = NFNETLINK_V0;
4615 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4617 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4618 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4619 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4620 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4621 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4622 goto nla_put_failure;
4624 nlmsg_end(skb, nlh);
4628 nlmsg_trim(skb, nlh);
4632 struct nft_obj_filter {
4637 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4639 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4640 const struct nft_af_info *afi;
4641 const struct nft_table *table;
4642 unsigned int idx = 0, s_idx = cb->args[0];
4643 struct nft_obj_filter *filter = cb->data;
4644 struct net *net = sock_net(skb->sk);
4645 int family = nfmsg->nfgen_family;
4646 struct nft_object *obj;
4649 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4653 cb->seq = net->nft.base_seq;
4655 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4656 if (family != NFPROTO_UNSPEC && family != afi->family)
4659 list_for_each_entry_rcu(table, &afi->tables, list) {
4660 list_for_each_entry_rcu(obj, &table->objects, list) {
4661 if (!nft_is_active(net, obj))
4666 memset(&cb->args[1], 0,
4667 sizeof(cb->args) - sizeof(cb->args[0]));
4668 if (filter && filter->table &&
4669 strcmp(filter->table, table->name))
4672 filter->type != NFT_OBJECT_UNSPEC &&
4673 obj->ops->type->type != filter->type)
4676 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4679 NLM_F_MULTI | NLM_F_APPEND,
4680 afi->family, table, obj, reset) < 0)
4683 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4696 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4698 struct nft_obj_filter *filter = cb->data;
4701 kfree(filter->table);
4708 static struct nft_obj_filter *
4709 nft_obj_filter_alloc(const struct nlattr * const nla[])
4711 struct nft_obj_filter *filter;
4713 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4715 return ERR_PTR(-ENOMEM);
4717 if (nla[NFTA_OBJ_TABLE]) {
4718 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4719 if (!filter->table) {
4721 return ERR_PTR(-ENOMEM);
4724 if (nla[NFTA_OBJ_TYPE])
4725 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4730 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4731 struct sk_buff *skb, const struct nlmsghdr *nlh,
4732 const struct nlattr * const nla[],
4733 struct netlink_ext_ack *extack)
4735 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4736 u8 genmask = nft_genmask_cur(net);
4737 int family = nfmsg->nfgen_family;
4738 const struct nft_af_info *afi;
4739 const struct nft_table *table;
4740 struct nft_object *obj;
4741 struct sk_buff *skb2;
4746 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4747 struct netlink_dump_control c = {
4748 .dump = nf_tables_dump_obj,
4749 .done = nf_tables_dump_obj_done,
4752 if (nla[NFTA_OBJ_TABLE] ||
4753 nla[NFTA_OBJ_TYPE]) {
4754 struct nft_obj_filter *filter;
4756 filter = nft_obj_filter_alloc(nla);
4762 return netlink_dump_start(nlsk, skb, nlh, &c);
4765 if (!nla[NFTA_OBJ_NAME] ||
4766 !nla[NFTA_OBJ_TYPE])
4769 afi = nf_tables_afinfo_lookup(net, family, false);
4771 return PTR_ERR(afi);
4773 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4775 return PTR_ERR(table);
4777 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4778 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4780 return PTR_ERR(obj);
4782 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4786 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4789 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4790 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4791 family, table, obj, reset);
4795 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4801 static void nft_obj_destroy(struct nft_object *obj)
4803 if (obj->ops->destroy)
4804 obj->ops->destroy(obj);
4806 module_put(obj->ops->type->owner);
4811 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4812 struct sk_buff *skb, const struct nlmsghdr *nlh,
4813 const struct nlattr * const nla[],
4814 struct netlink_ext_ack *extack)
4816 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4817 u8 genmask = nft_genmask_next(net);
4818 int family = nfmsg->nfgen_family;
4819 struct nft_af_info *afi;
4820 struct nft_table *table;
4821 struct nft_object *obj;
4825 if (!nla[NFTA_OBJ_TYPE] ||
4826 !nla[NFTA_OBJ_NAME])
4829 afi = nf_tables_afinfo_lookup(net, family, true);
4831 return PTR_ERR(afi);
4833 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4835 return PTR_ERR(table);
4837 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4838 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4840 return PTR_ERR(obj);
4844 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4846 return nft_delobj(&ctx, obj);
4849 void nft_obj_notify(struct net *net, struct nft_table *table,
4850 struct nft_object *obj, u32 portid, u32 seq, int event,
4851 int family, int report, gfp_t gfp)
4853 struct sk_buff *skb;
4857 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4860 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4864 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4871 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4874 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4876 EXPORT_SYMBOL_GPL(nft_obj_notify);
4878 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4879 struct nft_object *obj, int event)
4881 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4882 ctx->afi->family, ctx->report, GFP_KERNEL);
4885 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
4886 u32 portid, u32 seq)
4888 struct nlmsghdr *nlh;
4889 struct nfgenmsg *nfmsg;
4890 char buf[TASK_COMM_LEN];
4891 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
4893 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
4895 goto nla_put_failure;
4897 nfmsg = nlmsg_data(nlh);
4898 nfmsg->nfgen_family = AF_UNSPEC;
4899 nfmsg->version = NFNETLINK_V0;
4900 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4902 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
4903 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
4904 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
4905 goto nla_put_failure;
4907 nlmsg_end(skb, nlh);
4911 nlmsg_trim(skb, nlh);
4915 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
4918 struct nlmsghdr *nlh = nlmsg_hdr(skb);
4919 struct sk_buff *skb2;
4922 if (nlmsg_report(nlh) &&
4923 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4926 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4930 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4937 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4938 nlmsg_report(nlh), GFP_KERNEL);
4941 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4945 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
4946 struct sk_buff *skb, const struct nlmsghdr *nlh,
4947 const struct nlattr * const nla[],
4948 struct netlink_ext_ack *extack)
4950 struct sk_buff *skb2;
4953 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4957 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4962 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4968 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
4969 [NFT_MSG_NEWTABLE] = {
4970 .call_batch = nf_tables_newtable,
4971 .attr_count = NFTA_TABLE_MAX,
4972 .policy = nft_table_policy,
4974 [NFT_MSG_GETTABLE] = {
4975 .call = nf_tables_gettable,
4976 .attr_count = NFTA_TABLE_MAX,
4977 .policy = nft_table_policy,
4979 [NFT_MSG_DELTABLE] = {
4980 .call_batch = nf_tables_deltable,
4981 .attr_count = NFTA_TABLE_MAX,
4982 .policy = nft_table_policy,
4984 [NFT_MSG_NEWCHAIN] = {
4985 .call_batch = nf_tables_newchain,
4986 .attr_count = NFTA_CHAIN_MAX,
4987 .policy = nft_chain_policy,
4989 [NFT_MSG_GETCHAIN] = {
4990 .call = nf_tables_getchain,
4991 .attr_count = NFTA_CHAIN_MAX,
4992 .policy = nft_chain_policy,
4994 [NFT_MSG_DELCHAIN] = {
4995 .call_batch = nf_tables_delchain,
4996 .attr_count = NFTA_CHAIN_MAX,
4997 .policy = nft_chain_policy,
4999 [NFT_MSG_NEWRULE] = {
5000 .call_batch = nf_tables_newrule,
5001 .attr_count = NFTA_RULE_MAX,
5002 .policy = nft_rule_policy,
5004 [NFT_MSG_GETRULE] = {
5005 .call = nf_tables_getrule,
5006 .attr_count = NFTA_RULE_MAX,
5007 .policy = nft_rule_policy,
5009 [NFT_MSG_DELRULE] = {
5010 .call_batch = nf_tables_delrule,
5011 .attr_count = NFTA_RULE_MAX,
5012 .policy = nft_rule_policy,
5014 [NFT_MSG_NEWSET] = {
5015 .call_batch = nf_tables_newset,
5016 .attr_count = NFTA_SET_MAX,
5017 .policy = nft_set_policy,
5019 [NFT_MSG_GETSET] = {
5020 .call = nf_tables_getset,
5021 .attr_count = NFTA_SET_MAX,
5022 .policy = nft_set_policy,
5024 [NFT_MSG_DELSET] = {
5025 .call_batch = nf_tables_delset,
5026 .attr_count = NFTA_SET_MAX,
5027 .policy = nft_set_policy,
5029 [NFT_MSG_NEWSETELEM] = {
5030 .call_batch = nf_tables_newsetelem,
5031 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5032 .policy = nft_set_elem_list_policy,
5034 [NFT_MSG_GETSETELEM] = {
5035 .call = nf_tables_getsetelem,
5036 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5037 .policy = nft_set_elem_list_policy,
5039 [NFT_MSG_DELSETELEM] = {
5040 .call_batch = nf_tables_delsetelem,
5041 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5042 .policy = nft_set_elem_list_policy,
5044 [NFT_MSG_GETGEN] = {
5045 .call = nf_tables_getgen,
5047 [NFT_MSG_NEWOBJ] = {
5048 .call_batch = nf_tables_newobj,
5049 .attr_count = NFTA_OBJ_MAX,
5050 .policy = nft_obj_policy,
5052 [NFT_MSG_GETOBJ] = {
5053 .call = nf_tables_getobj,
5054 .attr_count = NFTA_OBJ_MAX,
5055 .policy = nft_obj_policy,
5057 [NFT_MSG_DELOBJ] = {
5058 .call_batch = nf_tables_delobj,
5059 .attr_count = NFTA_OBJ_MAX,
5060 .policy = nft_obj_policy,
5062 [NFT_MSG_GETOBJ_RESET] = {
5063 .call = nf_tables_getobj,
5064 .attr_count = NFTA_OBJ_MAX,
5065 .policy = nft_obj_policy,
5069 static void nft_chain_commit_update(struct nft_trans *trans)
5071 struct nft_base_chain *basechain;
5073 if (nft_trans_chain_name(trans))
5074 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5076 if (!nft_is_base_chain(trans->ctx.chain))
5079 basechain = nft_base_chain(trans->ctx.chain);
5080 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5082 switch (nft_trans_chain_policy(trans)) {
5085 basechain->policy = nft_trans_chain_policy(trans);
5090 static void nf_tables_commit_release(struct nft_trans *trans)
5092 switch (trans->msg_type) {
5093 case NFT_MSG_DELTABLE:
5094 nf_tables_table_destroy(&trans->ctx);
5096 case NFT_MSG_NEWCHAIN:
5097 kfree(nft_trans_chain_name(trans));
5099 case NFT_MSG_DELCHAIN:
5100 nf_tables_chain_destroy(trans->ctx.chain);
5102 case NFT_MSG_DELRULE:
5103 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5105 case NFT_MSG_DELSET:
5106 nft_set_destroy(nft_trans_set(trans));
5108 case NFT_MSG_DELSETELEM:
5109 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5110 nft_trans_elem(trans).priv);
5112 case NFT_MSG_DELOBJ:
5113 nft_obj_destroy(nft_trans_obj(trans));
5119 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5121 struct nft_trans *trans, *next;
5122 struct nft_trans_elem *te;
5124 /* Bump generation counter, invalidate any dump in progress */
5125 while (++net->nft.base_seq == 0);
5127 /* A new generation has just started */
5128 net->nft.gencursor = nft_gencursor_next(net);
5130 /* Make sure all packets have left the previous generation before
5131 * purging old rules.
5135 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5136 switch (trans->msg_type) {
5137 case NFT_MSG_NEWTABLE:
5138 if (nft_trans_table_update(trans)) {
5139 if (!nft_trans_table_enable(trans)) {
5140 nf_tables_table_disable(net,
5143 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5146 nft_clear(net, trans->ctx.table);
5148 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5149 nft_trans_destroy(trans);
5151 case NFT_MSG_DELTABLE:
5152 list_del_rcu(&trans->ctx.table->list);
5153 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5155 case NFT_MSG_NEWCHAIN:
5156 if (nft_trans_chain_update(trans)) {
5157 nft_chain_commit_update(trans);
5158 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5159 /* trans destroyed after rcu grace period */
5161 nft_clear(net, trans->ctx.chain);
5162 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5163 nft_trans_destroy(trans);
5166 case NFT_MSG_DELCHAIN:
5167 list_del_rcu(&trans->ctx.chain->list);
5168 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5169 nf_tables_unregister_hooks(trans->ctx.net,
5172 trans->ctx.afi->nops);
5174 case NFT_MSG_NEWRULE:
5175 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5176 nf_tables_rule_notify(&trans->ctx,
5177 nft_trans_rule(trans),
5179 nft_trans_destroy(trans);
5181 case NFT_MSG_DELRULE:
5182 list_del_rcu(&nft_trans_rule(trans)->list);
5183 nf_tables_rule_notify(&trans->ctx,
5184 nft_trans_rule(trans),
5187 case NFT_MSG_NEWSET:
5188 nft_clear(net, nft_trans_set(trans));
5189 /* This avoids hitting -EBUSY when deleting the table
5190 * from the transaction.
5192 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
5193 !list_empty(&nft_trans_set(trans)->bindings))
5194 trans->ctx.table->use--;
5196 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5197 NFT_MSG_NEWSET, GFP_KERNEL);
5198 nft_trans_destroy(trans);
5200 case NFT_MSG_DELSET:
5201 list_del_rcu(&nft_trans_set(trans)->list);
5202 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5203 NFT_MSG_DELSET, GFP_KERNEL);
5205 case NFT_MSG_NEWSETELEM:
5206 te = (struct nft_trans_elem *)trans->data;
5208 te->set->ops->activate(net, te->set, &te->elem);
5209 nf_tables_setelem_notify(&trans->ctx, te->set,
5211 NFT_MSG_NEWSETELEM, 0);
5212 nft_trans_destroy(trans);
5214 case NFT_MSG_DELSETELEM:
5215 te = (struct nft_trans_elem *)trans->data;
5217 nf_tables_setelem_notify(&trans->ctx, te->set,
5219 NFT_MSG_DELSETELEM, 0);
5220 te->set->ops->remove(net, te->set, &te->elem);
5221 atomic_dec(&te->set->nelems);
5224 case NFT_MSG_NEWOBJ:
5225 nft_clear(net, nft_trans_obj(trans));
5226 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5228 nft_trans_destroy(trans);
5230 case NFT_MSG_DELOBJ:
5231 list_del_rcu(&nft_trans_obj(trans)->list);
5232 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5240 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5241 list_del(&trans->list);
5242 nf_tables_commit_release(trans);
5245 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5250 static void nf_tables_abort_release(struct nft_trans *trans)
5252 switch (trans->msg_type) {
5253 case NFT_MSG_NEWTABLE:
5254 nf_tables_table_destroy(&trans->ctx);
5256 case NFT_MSG_NEWCHAIN:
5257 nf_tables_chain_destroy(trans->ctx.chain);
5259 case NFT_MSG_NEWRULE:
5260 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5262 case NFT_MSG_NEWSET:
5263 nft_set_destroy(nft_trans_set(trans));
5265 case NFT_MSG_NEWSETELEM:
5266 nft_set_elem_destroy(nft_trans_elem_set(trans),
5267 nft_trans_elem(trans).priv, true);
5269 case NFT_MSG_NEWOBJ:
5270 nft_obj_destroy(nft_trans_obj(trans));
5276 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5278 struct nft_trans *trans, *next;
5279 struct nft_trans_elem *te;
5281 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5283 switch (trans->msg_type) {
5284 case NFT_MSG_NEWTABLE:
5285 if (nft_trans_table_update(trans)) {
5286 if (nft_trans_table_enable(trans)) {
5287 nf_tables_table_disable(net,
5290 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5292 nft_trans_destroy(trans);
5294 list_del_rcu(&trans->ctx.table->list);
5297 case NFT_MSG_DELTABLE:
5298 nft_clear(trans->ctx.net, trans->ctx.table);
5299 nft_trans_destroy(trans);
5301 case NFT_MSG_NEWCHAIN:
5302 if (nft_trans_chain_update(trans)) {
5303 free_percpu(nft_trans_chain_stats(trans));
5304 kfree(nft_trans_chain_name(trans));
5305 nft_trans_destroy(trans);
5307 trans->ctx.table->use--;
5308 list_del_rcu(&trans->ctx.chain->list);
5309 nf_tables_unregister_hooks(trans->ctx.net,
5312 trans->ctx.afi->nops);
5315 case NFT_MSG_DELCHAIN:
5316 trans->ctx.table->use++;
5317 nft_clear(trans->ctx.net, trans->ctx.chain);
5318 nft_trans_destroy(trans);
5320 case NFT_MSG_NEWRULE:
5321 trans->ctx.chain->use--;
5322 list_del_rcu(&nft_trans_rule(trans)->list);
5323 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
5325 case NFT_MSG_DELRULE:
5326 trans->ctx.chain->use++;
5327 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5328 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
5329 nft_trans_destroy(trans);
5331 case NFT_MSG_NEWSET:
5332 trans->ctx.table->use--;
5333 list_del_rcu(&nft_trans_set(trans)->list);
5335 case NFT_MSG_DELSET:
5336 trans->ctx.table->use++;
5337 nft_clear(trans->ctx.net, nft_trans_set(trans));
5338 nft_trans_destroy(trans);
5340 case NFT_MSG_NEWSETELEM:
5341 te = (struct nft_trans_elem *)trans->data;
5343 te->set->ops->remove(net, te->set, &te->elem);
5344 atomic_dec(&te->set->nelems);
5346 case NFT_MSG_DELSETELEM:
5347 te = (struct nft_trans_elem *)trans->data;
5349 nft_set_elem_activate(net, te->set, &te->elem);
5350 te->set->ops->activate(net, te->set, &te->elem);
5353 nft_trans_destroy(trans);
5355 case NFT_MSG_NEWOBJ:
5356 trans->ctx.table->use--;
5357 list_del_rcu(&nft_trans_obj(trans)->list);
5359 case NFT_MSG_DELOBJ:
5360 trans->ctx.table->use++;
5361 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5362 nft_trans_destroy(trans);
5369 list_for_each_entry_safe_reverse(trans, next,
5370 &net->nft.commit_list, list) {
5371 list_del(&trans->list);
5372 nf_tables_abort_release(trans);
5378 static bool nf_tables_valid_genid(struct net *net, u32 genid)
5380 return net->nft.base_seq == genid;
5383 static const struct nfnetlink_subsystem nf_tables_subsys = {
5384 .name = "nf_tables",
5385 .subsys_id = NFNL_SUBSYS_NFTABLES,
5386 .cb_count = NFT_MSG_MAX,
5388 .commit = nf_tables_commit,
5389 .abort = nf_tables_abort,
5390 .valid_genid = nf_tables_valid_genid,
5393 int nft_chain_validate_dependency(const struct nft_chain *chain,
5394 enum nft_chain_type type)
5396 const struct nft_base_chain *basechain;
5398 if (nft_is_base_chain(chain)) {
5399 basechain = nft_base_chain(chain);
5400 if (basechain->type->type != type)
5405 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
5407 int nft_chain_validate_hooks(const struct nft_chain *chain,
5408 unsigned int hook_flags)
5410 struct nft_base_chain *basechain;
5412 if (nft_is_base_chain(chain)) {
5413 basechain = nft_base_chain(chain);
5415 if ((1 << basechain->ops[0].hooknum) & hook_flags)
5423 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
5426 * Loop detection - walk through the ruleset beginning at the destination chain
5427 * of a new jump until either the source chain is reached (loop) or all
5428 * reachable chains have been traversed.
5430 * The loop check is performed whenever a new jump verdict is added to an
5431 * expression or verdict map or a verdict map is bound to a new chain.
5434 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5435 const struct nft_chain *chain);
5437 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
5438 struct nft_set *set,
5439 const struct nft_set_iter *iter,
5440 struct nft_set_elem *elem)
5442 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5443 const struct nft_data *data;
5445 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5446 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
5449 data = nft_set_ext_data(ext);
5450 switch (data->verdict.code) {
5453 return nf_tables_check_loops(ctx, data->verdict.chain);
5459 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5460 const struct nft_chain *chain)
5462 const struct nft_rule *rule;
5463 const struct nft_expr *expr, *last;
5464 struct nft_set *set;
5465 struct nft_set_binding *binding;
5466 struct nft_set_iter iter;
5468 if (ctx->chain == chain)
5471 list_for_each_entry(rule, &chain->rules, list) {
5472 nft_rule_for_each_expr(expr, last, rule) {
5473 const struct nft_data *data = NULL;
5476 if (!expr->ops->validate)
5479 err = expr->ops->validate(ctx, expr, &data);
5486 switch (data->verdict.code) {
5489 err = nf_tables_check_loops(ctx,
5490 data->verdict.chain);
5499 list_for_each_entry(set, &ctx->table->sets, list) {
5500 if (!nft_is_active_next(ctx->net, set))
5502 if (!(set->flags & NFT_SET_MAP) ||
5503 set->dtype != NFT_DATA_VERDICT)
5506 list_for_each_entry(binding, &set->bindings, list) {
5507 if (!(binding->flags & NFT_SET_MAP) ||
5508 binding->chain != chain)
5511 iter.genmask = nft_genmask_next(ctx->net);
5515 iter.fn = nf_tables_loop_check_setelem;
5517 set->ops->walk(ctx, set, &iter);
5527 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
5529 * @attr: netlink attribute to fetch value from
5530 * @max: maximum value to be stored in dest
5531 * @dest: pointer to the variable
5533 * Parse, check and store a given u32 netlink attribute into variable.
5534 * This function returns -ERANGE if the value goes over maximum value.
5535 * Otherwise a 0 is returned and the attribute value is stored in the
5536 * destination variable.
5538 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
5542 val = ntohl(nla_get_be32(attr));
5549 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
5552 * nft_parse_register - parse a register value from a netlink attribute
5554 * @attr: netlink attribute
5556 * Parse and translate a register value from a netlink attribute.
5557 * Registers used to be 128 bit wide, these register numbers will be
5558 * mapped to the corresponding 32 bit register numbers.
5560 unsigned int nft_parse_register(const struct nlattr *attr)
5564 reg = ntohl(nla_get_be32(attr));
5566 case NFT_REG_VERDICT...NFT_REG_4:
5567 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
5569 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
5572 EXPORT_SYMBOL_GPL(nft_parse_register);
5575 * nft_dump_register - dump a register value to a netlink attribute
5577 * @skb: socket buffer
5578 * @attr: attribute number
5579 * @reg: register number
5581 * Construct a netlink attribute containing the register number. For
5582 * compatibility reasons, register numbers being a multiple of 4 are
5583 * translated to the corresponding 128 bit register numbers.
5585 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
5587 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
5588 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
5590 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
5592 return nla_put_be32(skb, attr, htonl(reg));
5594 EXPORT_SYMBOL_GPL(nft_dump_register);
5597 * nft_validate_register_load - validate a load from a register
5599 * @reg: the register number
5600 * @len: the length of the data
5602 * Validate that the input register is one of the general purpose
5603 * registers and that the length of the load is within the bounds.
5605 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
5607 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5611 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
5616 EXPORT_SYMBOL_GPL(nft_validate_register_load);
5619 * nft_validate_register_store - validate an expressions' register store
5621 * @ctx: context of the expression performing the load
5622 * @reg: the destination register number
5623 * @data: the data to load
5624 * @type: the data type
5625 * @len: the length of the data
5627 * Validate that a data load uses the appropriate data type for
5628 * the destination register and the length is within the bounds.
5629 * A value of NULL for the data means that its runtime gathered
5632 int nft_validate_register_store(const struct nft_ctx *ctx,
5633 enum nft_registers reg,
5634 const struct nft_data *data,
5635 enum nft_data_types type, unsigned int len)
5640 case NFT_REG_VERDICT:
5641 if (type != NFT_DATA_VERDICT)
5645 (data->verdict.code == NFT_GOTO ||
5646 data->verdict.code == NFT_JUMP)) {
5647 err = nf_tables_check_loops(ctx, data->verdict.chain);
5651 if (ctx->chain->level + 1 >
5652 data->verdict.chain->level) {
5653 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
5655 data->verdict.chain->level = ctx->chain->level + 1;
5661 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5665 if (reg * NFT_REG32_SIZE + len >
5666 FIELD_SIZEOF(struct nft_regs, data))
5669 if (data != NULL && type != NFT_DATA_VALUE)
5674 EXPORT_SYMBOL_GPL(nft_validate_register_store);
5676 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
5677 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
5678 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
5679 .len = NFT_CHAIN_MAXNAMELEN - 1 },
5682 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
5683 struct nft_data_desc *desc, const struct nlattr *nla)
5685 u8 genmask = nft_genmask_next(ctx->net);
5686 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
5687 struct nft_chain *chain;
5690 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
5695 if (!tb[NFTA_VERDICT_CODE])
5697 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
5699 switch (data->verdict.code) {
5701 switch (data->verdict.code & NF_VERDICT_MASK) {
5716 if (!tb[NFTA_VERDICT_CHAIN])
5718 chain = nf_tables_chain_lookup(ctx->table,
5719 tb[NFTA_VERDICT_CHAIN], genmask);
5721 return PTR_ERR(chain);
5722 if (nft_is_base_chain(chain))
5726 data->verdict.chain = chain;
5730 desc->len = sizeof(data->verdict);
5731 desc->type = NFT_DATA_VERDICT;
5735 static void nft_verdict_uninit(const struct nft_data *data)
5737 switch (data->verdict.code) {
5740 data->verdict.chain->use--;
5745 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
5747 struct nlattr *nest;
5749 nest = nla_nest_start(skb, type);
5751 goto nla_put_failure;
5753 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
5754 goto nla_put_failure;
5759 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
5761 goto nla_put_failure;
5763 nla_nest_end(skb, nest);
5770 static int nft_value_init(const struct nft_ctx *ctx,
5771 struct nft_data *data, unsigned int size,
5772 struct nft_data_desc *desc, const struct nlattr *nla)
5782 nla_memcpy(data->data, nla, len);
5783 desc->type = NFT_DATA_VALUE;
5788 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
5791 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
5794 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
5795 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
5796 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
5800 * nft_data_init - parse nf_tables data netlink attributes
5802 * @ctx: context of the expression using the data
5803 * @data: destination struct nft_data
5804 * @size: maximum data length
5805 * @desc: data description
5806 * @nla: netlink attribute containing data
5808 * Parse the netlink data attributes and initialize a struct nft_data.
5809 * The type and length of data are returned in the data description.
5811 * The caller can indicate that it only wants to accept data of type
5812 * NFT_DATA_VALUE by passing NULL for the ctx argument.
5814 int nft_data_init(const struct nft_ctx *ctx,
5815 struct nft_data *data, unsigned int size,
5816 struct nft_data_desc *desc, const struct nlattr *nla)
5818 struct nlattr *tb[NFTA_DATA_MAX + 1];
5821 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
5825 if (tb[NFTA_DATA_VALUE])
5826 return nft_value_init(ctx, data, size, desc,
5827 tb[NFTA_DATA_VALUE]);
5828 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
5829 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
5832 EXPORT_SYMBOL_GPL(nft_data_init);
5835 * nft_data_release - release a nft_data item
5837 * @data: struct nft_data to release
5838 * @type: type of data
5840 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5841 * all others need to be released by calling this function.
5843 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
5845 if (type < NFT_DATA_VERDICT)
5848 case NFT_DATA_VERDICT:
5849 return nft_verdict_uninit(data);
5854 EXPORT_SYMBOL_GPL(nft_data_release);
5856 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
5857 enum nft_data_types type, unsigned int len)
5859 struct nlattr *nest;
5862 nest = nla_nest_start(skb, attr);
5867 case NFT_DATA_VALUE:
5868 err = nft_value_dump(skb, data, len);
5870 case NFT_DATA_VERDICT:
5871 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
5878 nla_nest_end(skb, nest);
5881 EXPORT_SYMBOL_GPL(nft_data_dump);
5883 static int __net_init nf_tables_init_net(struct net *net)
5885 INIT_LIST_HEAD(&net->nft.af_info);
5886 INIT_LIST_HEAD(&net->nft.commit_list);
5887 net->nft.base_seq = 1;
5891 int __nft_release_basechain(struct nft_ctx *ctx)
5893 struct nft_rule *rule, *nr;
5895 BUG_ON(!nft_is_base_chain(ctx->chain));
5897 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
5899 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
5900 list_del(&rule->list);
5902 nf_tables_rule_release(ctx, rule);
5904 list_del(&ctx->chain->list);
5906 nf_tables_chain_destroy(ctx->chain);
5910 EXPORT_SYMBOL_GPL(__nft_release_basechain);
5912 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
5913 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
5915 struct nft_table *table, *nt;
5916 struct nft_chain *chain, *nc;
5917 struct nft_object *obj, *ne;
5918 struct nft_rule *rule, *nr;
5919 struct nft_set *set, *ns;
5920 struct nft_ctx ctx = {
5925 list_for_each_entry_safe(table, nt, &afi->tables, list) {
5926 list_for_each_entry(chain, &table->chains, list)
5927 nf_tables_unregister_hooks(net, table, chain,
5929 /* No packets are walking on these chains anymore. */
5931 list_for_each_entry(chain, &table->chains, list) {
5933 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
5934 list_del(&rule->list);
5936 nf_tables_rule_release(&ctx, rule);
5939 list_for_each_entry_safe(set, ns, &table->sets, list) {
5940 list_del(&set->list);
5942 nft_set_destroy(set);
5944 list_for_each_entry_safe(obj, ne, &table->objects, list) {
5945 list_del(&obj->list);
5947 nft_obj_destroy(obj);
5949 list_for_each_entry_safe(chain, nc, &table->chains, list) {
5950 list_del(&chain->list);
5952 nf_tables_chain_destroy(chain);
5954 list_del(&table->list);
5955 nf_tables_table_destroy(&ctx);
5959 static struct pernet_operations nf_tables_net_ops = {
5960 .init = nf_tables_init_net,
5963 static int __init nf_tables_module_init(void)
5967 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
5974 err = nf_tables_core_module_init();
5978 err = nfnetlink_subsys_register(&nf_tables_subsys);
5982 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
5983 return register_pernet_subsys(&nf_tables_net_ops);
5985 nf_tables_core_module_exit();
5992 static void __exit nf_tables_module_exit(void)
5994 unregister_pernet_subsys(&nf_tables_net_ops);
5995 nfnetlink_subsys_unregister(&nf_tables_subsys);
5997 nf_tables_core_module_exit();
6001 module_init(nf_tables_module_init);
6002 module_exit(nf_tables_module_exit);
6004 MODULE_LICENSE("GPL");
6005 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6006 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);