1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
35 NFT_VALIDATE_SKIP = 0,
40 static struct rhltable nft_objname_ht;
42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
56 .automatic_shrinking = true,
59 static const struct rhashtable_params nft_objname_ht_params = {
60 .head_offset = offsetof(struct nft_object, rhlhead),
61 .key_offset = offsetof(struct nft_object, key),
62 .hashfn = nft_objname_hash,
63 .obj_hashfn = nft_objname_hash_obj,
64 .obj_cmpfn = nft_objname_hash_cmp,
65 .automatic_shrinking = true,
68 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 switch (net->nft.validate_state) {
71 case NFT_VALIDATE_SKIP:
72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 case NFT_VALIDATE_NEED:
77 if (new_validate_state == NFT_VALIDATE_NEED)
81 net->nft.validate_state = new_validate_state;
83 static void nf_tables_trans_destroy_work(struct work_struct *w);
84 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86 static void nft_ctx_init(struct nft_ctx *ctx,
88 const struct sk_buff *skb,
89 const struct nlmsghdr *nlh,
91 struct nft_table *table,
92 struct nft_chain *chain,
93 const struct nlattr * const *nla)
101 ctx->portid = NETLINK_CB(skb).portid;
102 ctx->report = nlmsg_report(nlh);
103 ctx->flags = nlh->nlmsg_flags;
104 ctx->seq = nlh->nlmsg_seq;
107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
108 int msg_type, u32 size, gfp_t gfp)
110 struct nft_trans *trans;
112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
116 INIT_LIST_HEAD(&trans->list);
117 trans->msg_type = msg_type;
123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
124 int msg_type, u32 size)
126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
129 static void nft_trans_destroy(struct nft_trans *trans)
131 list_del(&trans->list);
135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
137 struct net *net = ctx->net;
138 struct nft_trans *trans;
140 if (!nft_set_is_anonymous(set))
143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
144 switch (trans->msg_type) {
146 if (nft_trans_set(trans) == set)
147 nft_trans_set_bound(trans) = true;
149 case NFT_MSG_NEWSETELEM:
150 if (nft_trans_elem_set(trans) == set)
151 nft_trans_elem_set_bound(trans) = true;
157 static int nf_tables_register_hook(struct net *net,
158 const struct nft_table *table,
159 struct nft_chain *chain)
161 const struct nft_base_chain *basechain;
162 const struct nf_hook_ops *ops;
164 if (table->flags & NFT_TABLE_F_DORMANT ||
165 !nft_is_base_chain(chain))
168 basechain = nft_base_chain(chain);
169 ops = &basechain->ops;
171 if (basechain->type->ops_register)
172 return basechain->type->ops_register(net, ops);
174 return nf_register_net_hook(net, ops);
177 static void nf_tables_unregister_hook(struct net *net,
178 const struct nft_table *table,
179 struct nft_chain *chain)
181 const struct nft_base_chain *basechain;
182 const struct nf_hook_ops *ops;
184 if (table->flags & NFT_TABLE_F_DORMANT ||
185 !nft_is_base_chain(chain))
187 basechain = nft_base_chain(chain);
188 ops = &basechain->ops;
190 if (basechain->type->ops_unregister)
191 return basechain->type->ops_unregister(net, ops);
193 nf_unregister_net_hook(net, ops);
196 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
198 struct nft_trans *trans;
200 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
204 if (msg_type == NFT_MSG_NEWTABLE)
205 nft_activate_next(ctx->net, ctx->table);
207 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
211 static int nft_deltable(struct nft_ctx *ctx)
215 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
219 nft_deactivate_next(ctx->net, ctx->table);
223 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
225 struct nft_trans *trans;
227 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
229 return ERR_PTR(-ENOMEM);
231 if (msg_type == NFT_MSG_NEWCHAIN)
232 nft_activate_next(ctx->net, ctx->chain);
234 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
238 static int nft_delchain(struct nft_ctx *ctx)
240 struct nft_trans *trans;
242 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
244 return PTR_ERR(trans);
247 nft_deactivate_next(ctx->net, ctx->chain);
252 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
253 struct nft_rule *rule)
255 struct nft_expr *expr;
257 expr = nft_expr_first(rule);
258 while (nft_expr_more(rule, expr)) {
259 if (expr->ops->activate)
260 expr->ops->activate(ctx, expr);
262 expr = nft_expr_next(expr);
266 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
267 struct nft_rule *rule,
268 enum nft_trans_phase phase)
270 struct nft_expr *expr;
272 expr = nft_expr_first(rule);
273 while (nft_expr_more(rule, expr)) {
274 if (expr->ops->deactivate)
275 expr->ops->deactivate(ctx, expr, phase);
277 expr = nft_expr_next(expr);
282 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
284 /* You cannot delete the same rule twice */
285 if (nft_is_active_next(ctx->net, rule)) {
286 nft_deactivate_next(ctx->net, rule);
293 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
294 struct nft_rule *rule)
296 struct nft_trans *trans;
298 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
302 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
303 nft_trans_rule_id(trans) =
304 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
306 nft_trans_rule(trans) = rule;
307 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
312 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
314 struct nft_trans *trans;
317 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
321 err = nf_tables_delrule_deactivate(ctx, rule);
323 nft_trans_destroy(trans);
326 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
331 static int nft_delrule_by_chain(struct nft_ctx *ctx)
333 struct nft_rule *rule;
336 list_for_each_entry(rule, &ctx->chain->rules, list) {
337 if (!nft_is_active_next(ctx->net, rule))
340 err = nft_delrule(ctx, rule);
347 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
350 struct nft_trans *trans;
352 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
356 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
357 nft_trans_set_id(trans) =
358 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
359 nft_activate_next(ctx->net, set);
361 nft_trans_set(trans) = set;
362 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
367 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
371 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
375 nft_deactivate_next(ctx->net, set);
381 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
382 struct nft_object *obj)
384 struct nft_trans *trans;
386 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
390 if (msg_type == NFT_MSG_NEWOBJ)
391 nft_activate_next(ctx->net, obj);
393 nft_trans_obj(trans) = obj;
394 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
399 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
403 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
407 nft_deactivate_next(ctx->net, obj);
413 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
414 struct nft_flowtable *flowtable)
416 struct nft_trans *trans;
418 trans = nft_trans_alloc(ctx, msg_type,
419 sizeof(struct nft_trans_flowtable));
423 if (msg_type == NFT_MSG_NEWFLOWTABLE)
424 nft_activate_next(ctx->net, flowtable);
426 nft_trans_flowtable(trans) = flowtable;
427 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
432 static int nft_delflowtable(struct nft_ctx *ctx,
433 struct nft_flowtable *flowtable)
437 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
441 nft_deactivate_next(ctx->net, flowtable);
451 static struct nft_table *nft_table_lookup(const struct net *net,
452 const struct nlattr *nla,
453 u8 family, u8 genmask)
455 struct nft_table *table;
458 return ERR_PTR(-EINVAL);
460 list_for_each_entry_rcu(table, &net->nft.tables, list,
461 lockdep_is_held(&net->nft.commit_mutex)) {
462 if (!nla_strcmp(nla, table->name) &&
463 table->family == family &&
464 nft_active_genmask(table, genmask))
468 return ERR_PTR(-ENOENT);
471 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
472 const struct nlattr *nla,
475 struct nft_table *table;
477 list_for_each_entry(table, &net->nft.tables, list) {
478 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
479 nft_active_genmask(table, genmask))
483 return ERR_PTR(-ENOENT);
486 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
488 return ++table->hgenerator;
491 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
493 static const struct nft_chain_type *
494 __nft_chain_type_get(u8 family, enum nft_chain_types type)
496 if (family >= NFPROTO_NUMPROTO ||
497 type >= NFT_CHAIN_T_MAX)
500 return chain_type[family][type];
503 static const struct nft_chain_type *
504 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
506 const struct nft_chain_type *type;
509 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
510 type = __nft_chain_type_get(family, i);
513 if (!nla_strcmp(nla, type->name))
519 struct nft_module_request {
520 struct list_head list;
521 char module[MODULE_NAME_LEN];
525 #ifdef CONFIG_MODULES
526 static int nft_request_module(struct net *net, const char *fmt, ...)
528 char module_name[MODULE_NAME_LEN];
529 struct nft_module_request *req;
534 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
536 if (ret >= MODULE_NAME_LEN)
539 list_for_each_entry(req, &net->nft.module_list, list) {
540 if (!strcmp(req->module, module_name)) {
544 /* A request to load this module already exists. */
549 req = kmalloc(sizeof(*req), GFP_KERNEL);
554 strlcpy(req->module, module_name, MODULE_NAME_LEN);
555 list_add_tail(&req->list, &net->nft.module_list);
561 static void lockdep_nfnl_nft_mutex_not_held(void)
563 #ifdef CONFIG_PROVE_LOCKING
565 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
569 static const struct nft_chain_type *
570 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
571 u8 family, bool autoload)
573 const struct nft_chain_type *type;
575 type = __nf_tables_chain_type_lookup(nla, family);
579 lockdep_nfnl_nft_mutex_not_held();
580 #ifdef CONFIG_MODULES
582 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
584 (const char *)nla_data(nla)) == -EAGAIN)
585 return ERR_PTR(-EAGAIN);
588 return ERR_PTR(-ENOENT);
591 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
592 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
593 .len = NFT_TABLE_MAXNAMELEN - 1 },
594 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
595 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
598 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
599 u32 portid, u32 seq, int event, u32 flags,
600 int family, const struct nft_table *table)
602 struct nlmsghdr *nlh;
603 struct nfgenmsg *nfmsg;
605 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
606 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
608 goto nla_put_failure;
610 nfmsg = nlmsg_data(nlh);
611 nfmsg->nfgen_family = family;
612 nfmsg->version = NFNETLINK_V0;
613 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
615 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
616 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
617 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
618 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
620 goto nla_put_failure;
626 nlmsg_trim(skb, nlh);
630 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
636 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
639 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
643 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
644 event, 0, ctx->family, ctx->table);
650 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
651 ctx->report, GFP_KERNEL);
654 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
657 static int nf_tables_dump_tables(struct sk_buff *skb,
658 struct netlink_callback *cb)
660 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
661 const struct nft_table *table;
662 unsigned int idx = 0, s_idx = cb->args[0];
663 struct net *net = sock_net(skb->sk);
664 int family = nfmsg->nfgen_family;
667 cb->seq = net->nft.base_seq;
669 list_for_each_entry_rcu(table, &net->nft.tables, list) {
670 if (family != NFPROTO_UNSPEC && family != table->family)
676 memset(&cb->args[1], 0,
677 sizeof(cb->args) - sizeof(cb->args[0]));
678 if (!nft_is_active(net, table))
680 if (nf_tables_fill_table_info(skb, net,
681 NETLINK_CB(cb->skb).portid,
683 NFT_MSG_NEWTABLE, NLM_F_MULTI,
684 table->family, table) < 0)
687 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
697 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
698 const struct nlmsghdr *nlh,
699 struct netlink_dump_control *c)
703 if (!try_module_get(THIS_MODULE))
707 err = netlink_dump_start(nlsk, skb, nlh, c);
709 module_put(THIS_MODULE);
714 /* called with rcu_read_lock held */
715 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
716 struct sk_buff *skb, const struct nlmsghdr *nlh,
717 const struct nlattr * const nla[],
718 struct netlink_ext_ack *extack)
720 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
721 u8 genmask = nft_genmask_cur(net);
722 const struct nft_table *table;
723 struct sk_buff *skb2;
724 int family = nfmsg->nfgen_family;
727 if (nlh->nlmsg_flags & NLM_F_DUMP) {
728 struct netlink_dump_control c = {
729 .dump = nf_tables_dump_tables,
730 .module = THIS_MODULE,
733 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
736 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
738 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
739 return PTR_ERR(table);
742 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
746 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
747 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
750 goto err_fill_table_info;
752 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
759 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
761 struct nft_chain *chain;
764 list_for_each_entry(chain, &table->chains, list) {
765 if (!nft_is_active_next(net, chain))
767 if (!nft_is_base_chain(chain))
770 if (cnt && i++ == cnt)
773 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
777 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
779 struct nft_chain *chain;
782 list_for_each_entry(chain, &table->chains, list) {
783 if (!nft_is_active_next(net, chain))
785 if (!nft_is_base_chain(chain))
788 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
797 nft_table_disable(net, table, i);
801 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
803 nft_table_disable(net, table, 0);
806 static int nf_tables_updtable(struct nft_ctx *ctx)
808 struct nft_trans *trans;
812 if (!ctx->nla[NFTA_TABLE_FLAGS])
815 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
816 if (flags & ~NFT_TABLE_F_DORMANT)
819 if (flags == ctx->table->flags)
822 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
823 sizeof(struct nft_trans_table));
827 if ((flags & NFT_TABLE_F_DORMANT) &&
828 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
829 nft_trans_table_enable(trans) = false;
830 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
831 ctx->table->flags & NFT_TABLE_F_DORMANT) {
832 ret = nf_tables_table_enable(ctx->net, ctx->table);
834 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
835 nft_trans_table_enable(trans) = true;
841 nft_trans_table_update(trans) = true;
842 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
845 nft_trans_destroy(trans);
849 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
851 const char *name = data;
853 return jhash(name, strlen(name), seed);
856 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
858 const struct nft_chain *chain = data;
860 return nft_chain_hash(chain->name, 0, seed);
863 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
866 const struct nft_chain *chain = ptr;
867 const char *name = arg->key;
869 return strcmp(chain->name, name);
872 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
874 const struct nft_object_hash_key *k = data;
876 seed ^= hash_ptr(k->table, 32);
878 return jhash(k->name, strlen(k->name), seed);
881 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
883 const struct nft_object *obj = data;
885 return nft_objname_hash(&obj->key, 0, seed);
888 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
891 const struct nft_object_hash_key *k = arg->key;
892 const struct nft_object *obj = ptr;
894 if (obj->key.table != k->table)
897 return strcmp(obj->key.name, k->name);
900 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
901 struct sk_buff *skb, const struct nlmsghdr *nlh,
902 const struct nlattr * const nla[],
903 struct netlink_ext_ack *extack)
905 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
906 u8 genmask = nft_genmask_next(net);
907 int family = nfmsg->nfgen_family;
908 const struct nlattr *attr;
909 struct nft_table *table;
914 lockdep_assert_held(&net->nft.commit_mutex);
915 attr = nla[NFTA_TABLE_NAME];
916 table = nft_table_lookup(net, attr, family, genmask);
918 if (PTR_ERR(table) != -ENOENT)
919 return PTR_ERR(table);
921 if (nlh->nlmsg_flags & NLM_F_EXCL) {
922 NL_SET_BAD_ATTR(extack, attr);
925 if (nlh->nlmsg_flags & NLM_F_REPLACE)
928 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
929 return nf_tables_updtable(&ctx);
932 if (nla[NFTA_TABLE_FLAGS]) {
933 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
934 if (flags & ~NFT_TABLE_F_DORMANT)
939 table = kzalloc(sizeof(*table), GFP_KERNEL);
943 table->name = nla_strdup(attr, GFP_KERNEL);
944 if (table->name == NULL)
947 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
951 INIT_LIST_HEAD(&table->chains);
952 INIT_LIST_HEAD(&table->sets);
953 INIT_LIST_HEAD(&table->objects);
954 INIT_LIST_HEAD(&table->flowtables);
955 table->family = family;
956 table->flags = flags;
957 table->handle = ++table_handle;
959 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
960 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
964 list_add_tail_rcu(&table->list, &net->nft.tables);
967 rhltable_destroy(&table->chains_ht);
976 static int nft_flush_table(struct nft_ctx *ctx)
978 struct nft_flowtable *flowtable, *nft;
979 struct nft_chain *chain, *nc;
980 struct nft_object *obj, *ne;
981 struct nft_set *set, *ns;
984 list_for_each_entry(chain, &ctx->table->chains, list) {
985 if (!nft_is_active_next(ctx->net, chain))
990 err = nft_delrule_by_chain(ctx);
995 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
996 if (!nft_is_active_next(ctx->net, set))
999 if (nft_set_is_anonymous(set) &&
1000 !list_empty(&set->bindings))
1003 err = nft_delset(ctx, set);
1008 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1009 if (!nft_is_active_next(ctx->net, flowtable))
1012 err = nft_delflowtable(ctx, flowtable);
1017 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1018 if (!nft_is_active_next(ctx->net, obj))
1021 err = nft_delobj(ctx, obj);
1026 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1027 if (!nft_is_active_next(ctx->net, chain))
1032 err = nft_delchain(ctx);
1037 err = nft_deltable(ctx);
1042 static int nft_flush(struct nft_ctx *ctx, int family)
1044 struct nft_table *table, *nt;
1045 const struct nlattr * const *nla = ctx->nla;
1048 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1049 if (family != AF_UNSPEC && table->family != family)
1052 ctx->family = table->family;
1054 if (!nft_is_active_next(ctx->net, table))
1057 if (nla[NFTA_TABLE_NAME] &&
1058 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1063 err = nft_flush_table(ctx);
1071 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1072 struct sk_buff *skb, const struct nlmsghdr *nlh,
1073 const struct nlattr * const nla[],
1074 struct netlink_ext_ack *extack)
1076 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1077 u8 genmask = nft_genmask_next(net);
1078 int family = nfmsg->nfgen_family;
1079 const struct nlattr *attr;
1080 struct nft_table *table;
1083 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1084 if (family == AF_UNSPEC ||
1085 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1086 return nft_flush(&ctx, family);
1088 if (nla[NFTA_TABLE_HANDLE]) {
1089 attr = nla[NFTA_TABLE_HANDLE];
1090 table = nft_table_lookup_byhandle(net, attr, genmask);
1092 attr = nla[NFTA_TABLE_NAME];
1093 table = nft_table_lookup(net, attr, family, genmask);
1096 if (IS_ERR(table)) {
1097 NL_SET_BAD_ATTR(extack, attr);
1098 return PTR_ERR(table);
1101 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1105 ctx.family = family;
1108 return nft_flush_table(&ctx);
1111 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1113 if (WARN_ON(ctx->table->use > 0))
1116 rhltable_destroy(&ctx->table->chains_ht);
1117 kfree(ctx->table->name);
1121 void nft_register_chain_type(const struct nft_chain_type *ctype)
1123 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1124 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1125 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1128 chain_type[ctype->family][ctype->type] = ctype;
1129 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1131 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1133 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1135 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1136 chain_type[ctype->family][ctype->type] = NULL;
1137 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1139 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1145 static struct nft_chain *
1146 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1148 struct nft_chain *chain;
1150 list_for_each_entry(chain, &table->chains, list) {
1151 if (chain->handle == handle &&
1152 nft_active_genmask(chain, genmask))
1156 return ERR_PTR(-ENOENT);
1159 static bool lockdep_commit_lock_is_held(const struct net *net)
1161 #ifdef CONFIG_PROVE_LOCKING
1162 return lockdep_is_held(&net->nft.commit_mutex);
1168 static struct nft_chain *nft_chain_lookup(struct net *net,
1169 struct nft_table *table,
1170 const struct nlattr *nla, u8 genmask)
1172 char search[NFT_CHAIN_MAXNAMELEN + 1];
1173 struct rhlist_head *tmp, *list;
1174 struct nft_chain *chain;
1177 return ERR_PTR(-EINVAL);
1179 nla_strlcpy(search, nla, sizeof(search));
1181 WARN_ON(!rcu_read_lock_held() &&
1182 !lockdep_commit_lock_is_held(net));
1184 chain = ERR_PTR(-ENOENT);
1186 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1190 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1191 if (nft_active_genmask(chain, genmask))
1194 chain = ERR_PTR(-ENOENT);
1200 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1201 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1202 .len = NFT_TABLE_MAXNAMELEN - 1 },
1203 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1204 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1205 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1206 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1207 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1208 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1209 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1210 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1211 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1214 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1215 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1216 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1217 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1218 .len = IFNAMSIZ - 1 },
1221 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1223 struct nft_stats *cpu_stats, total;
1224 struct nlattr *nest;
1232 memset(&total, 0, sizeof(total));
1233 for_each_possible_cpu(cpu) {
1234 cpu_stats = per_cpu_ptr(stats, cpu);
1236 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1237 pkts = cpu_stats->pkts;
1238 bytes = cpu_stats->bytes;
1239 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1241 total.bytes += bytes;
1243 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1245 goto nla_put_failure;
1247 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1248 NFTA_COUNTER_PAD) ||
1249 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1251 goto nla_put_failure;
1253 nla_nest_end(skb, nest);
1260 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1261 u32 portid, u32 seq, int event, u32 flags,
1262 int family, const struct nft_table *table,
1263 const struct nft_chain *chain)
1265 struct nlmsghdr *nlh;
1266 struct nfgenmsg *nfmsg;
1268 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1269 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1271 goto nla_put_failure;
1273 nfmsg = nlmsg_data(nlh);
1274 nfmsg->nfgen_family = family;
1275 nfmsg->version = NFNETLINK_V0;
1276 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1278 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1279 goto nla_put_failure;
1280 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1282 goto nla_put_failure;
1283 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1284 goto nla_put_failure;
1286 if (nft_is_base_chain(chain)) {
1287 const struct nft_base_chain *basechain = nft_base_chain(chain);
1288 const struct nf_hook_ops *ops = &basechain->ops;
1289 struct nft_stats __percpu *stats;
1290 struct nlattr *nest;
1292 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1294 goto nla_put_failure;
1295 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1296 goto nla_put_failure;
1297 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1298 goto nla_put_failure;
1299 if (basechain->dev_name[0] &&
1300 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1301 goto nla_put_failure;
1302 nla_nest_end(skb, nest);
1304 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1305 htonl(basechain->policy)))
1306 goto nla_put_failure;
1308 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1309 goto nla_put_failure;
1311 stats = rcu_dereference_check(basechain->stats,
1312 lockdep_commit_lock_is_held(net));
1313 if (nft_dump_stats(skb, stats))
1314 goto nla_put_failure;
1316 if ((chain->flags & NFT_CHAIN_HW_OFFLOAD) &&
1317 nla_put_be32(skb, NFTA_CHAIN_FLAGS,
1318 htonl(NFT_CHAIN_HW_OFFLOAD)))
1319 goto nla_put_failure;
1322 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1323 goto nla_put_failure;
1325 nlmsg_end(skb, nlh);
1329 nlmsg_trim(skb, nlh);
1333 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1335 struct sk_buff *skb;
1339 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1342 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1346 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1347 event, 0, ctx->family, ctx->table,
1354 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1355 ctx->report, GFP_KERNEL);
1358 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1361 static int nf_tables_dump_chains(struct sk_buff *skb,
1362 struct netlink_callback *cb)
1364 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1365 const struct nft_table *table;
1366 const struct nft_chain *chain;
1367 unsigned int idx = 0, s_idx = cb->args[0];
1368 struct net *net = sock_net(skb->sk);
1369 int family = nfmsg->nfgen_family;
1372 cb->seq = net->nft.base_seq;
1374 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1375 if (family != NFPROTO_UNSPEC && family != table->family)
1378 list_for_each_entry_rcu(chain, &table->chains, list) {
1382 memset(&cb->args[1], 0,
1383 sizeof(cb->args) - sizeof(cb->args[0]));
1384 if (!nft_is_active(net, chain))
1386 if (nf_tables_fill_chain_info(skb, net,
1387 NETLINK_CB(cb->skb).portid,
1391 table->family, table,
1395 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1406 /* called with rcu_read_lock held */
1407 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1408 struct sk_buff *skb, const struct nlmsghdr *nlh,
1409 const struct nlattr * const nla[],
1410 struct netlink_ext_ack *extack)
1412 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1413 u8 genmask = nft_genmask_cur(net);
1414 const struct nft_chain *chain;
1415 struct nft_table *table;
1416 struct sk_buff *skb2;
1417 int family = nfmsg->nfgen_family;
1420 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1421 struct netlink_dump_control c = {
1422 .dump = nf_tables_dump_chains,
1423 .module = THIS_MODULE,
1426 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1429 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1430 if (IS_ERR(table)) {
1431 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1432 return PTR_ERR(table);
1435 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1436 if (IS_ERR(chain)) {
1437 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1438 return PTR_ERR(chain);
1441 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1445 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1446 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1447 family, table, chain);
1449 goto err_fill_chain_info;
1451 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1453 err_fill_chain_info:
1458 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1459 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1460 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1463 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1465 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1466 struct nft_stats __percpu *newstats;
1467 struct nft_stats *stats;
1470 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1471 nft_counter_policy, NULL);
1473 return ERR_PTR(err);
1475 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1476 return ERR_PTR(-EINVAL);
1478 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1479 if (newstats == NULL)
1480 return ERR_PTR(-ENOMEM);
1482 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1483 * are not exposed to userspace.
1486 stats = this_cpu_ptr(newstats);
1487 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1488 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1494 static void nft_chain_stats_replace(struct nft_trans *trans)
1496 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1498 if (!nft_trans_chain_stats(trans))
1501 rcu_swap_protected(chain->stats, nft_trans_chain_stats(trans),
1502 lockdep_commit_lock_is_held(trans->ctx.net));
1504 if (!nft_trans_chain_stats(trans))
1505 static_branch_inc(&nft_counters_enabled);
1508 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1510 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1511 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1517 /* should be NULL either via abort or via successful commit */
1518 WARN_ON_ONCE(chain->rules_next);
1519 kvfree(chain->rules_next);
1522 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1524 struct nft_chain *chain = ctx->chain;
1526 if (WARN_ON(chain->use > 0))
1529 /* no concurrent access possible anymore */
1530 nf_tables_chain_free_chain_rules(chain);
1532 if (nft_is_base_chain(chain)) {
1533 struct nft_base_chain *basechain = nft_base_chain(chain);
1535 module_put(basechain->type->owner);
1536 if (rcu_access_pointer(basechain->stats)) {
1537 static_branch_dec(&nft_counters_enabled);
1538 free_percpu(rcu_dereference_raw(basechain->stats));
1548 struct nft_chain_hook {
1551 const struct nft_chain_type *type;
1552 struct net_device *dev;
1555 static int nft_chain_parse_hook(struct net *net,
1556 const struct nlattr * const nla[],
1557 struct nft_chain_hook *hook, u8 family,
1560 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1561 const struct nft_chain_type *type;
1562 struct net_device *dev;
1565 lockdep_assert_held(&net->nft.commit_mutex);
1566 lockdep_nfnl_nft_mutex_not_held();
1568 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1569 nla[NFTA_CHAIN_HOOK],
1570 nft_hook_policy, NULL);
1574 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1575 ha[NFTA_HOOK_PRIORITY] == NULL)
1578 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1579 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1581 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1585 if (nla[NFTA_CHAIN_TYPE]) {
1586 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1589 return PTR_ERR(type);
1591 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1594 if (type->type == NFT_CHAIN_T_NAT &&
1595 hook->priority <= NF_IP_PRI_CONNTRACK)
1598 if (!try_module_get(type->owner))
1604 if (family == NFPROTO_NETDEV) {
1605 char ifname[IFNAMSIZ];
1607 if (!ha[NFTA_HOOK_DEV]) {
1608 module_put(type->owner);
1612 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1613 dev = __dev_get_by_name(net, ifname);
1615 module_put(type->owner);
1619 } else if (ha[NFTA_HOOK_DEV]) {
1620 module_put(type->owner);
1627 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1629 module_put(hook->type->owner);
1632 struct nft_rules_old {
1634 struct nft_rule **start;
1637 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1640 if (alloc > INT_MAX)
1643 alloc += 1; /* NULL, ends rules */
1644 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1647 alloc *= sizeof(struct nft_rule *);
1648 alloc += sizeof(struct nft_rules_old);
1650 return kvmalloc(alloc, GFP_KERNEL);
1653 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1654 u8 policy, u32 flags)
1656 const struct nlattr * const *nla = ctx->nla;
1657 struct nft_table *table = ctx->table;
1658 struct nft_base_chain *basechain;
1659 struct nft_stats __percpu *stats;
1660 struct net *net = ctx->net;
1661 struct nft_trans *trans;
1662 struct nft_chain *chain;
1663 struct nft_rule **rules;
1666 if (table->use == UINT_MAX)
1669 if (nla[NFTA_CHAIN_HOOK]) {
1670 struct nft_chain_hook hook;
1671 struct nf_hook_ops *ops;
1673 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1677 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1678 if (basechain == NULL) {
1679 nft_chain_release_hook(&hook);
1683 if (hook.dev != NULL)
1684 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1686 if (nla[NFTA_CHAIN_COUNTERS]) {
1687 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1688 if (IS_ERR(stats)) {
1689 nft_chain_release_hook(&hook);
1691 return PTR_ERR(stats);
1693 rcu_assign_pointer(basechain->stats, stats);
1694 static_branch_inc(&nft_counters_enabled);
1697 basechain->type = hook.type;
1698 chain = &basechain->chain;
1700 ops = &basechain->ops;
1702 ops->hooknum = hook.num;
1703 ops->priority = hook.priority;
1705 ops->hook = hook.type->hooks[ops->hooknum];
1706 ops->dev = hook.dev;
1708 chain->flags |= NFT_BASE_CHAIN | flags;
1709 basechain->policy = NF_ACCEPT;
1710 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1711 nft_chain_offload_priority(basechain) < 0)
1714 flow_block_init(&basechain->flow_block);
1716 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1722 INIT_LIST_HEAD(&chain->rules);
1723 chain->handle = nf_tables_alloc_handle(table);
1724 chain->table = table;
1725 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1731 rules = nf_tables_chain_alloc_rules(chain, 0);
1738 rcu_assign_pointer(chain->rules_gen_0, rules);
1739 rcu_assign_pointer(chain->rules_gen_1, rules);
1741 err = nf_tables_register_hook(net, table, chain);
1745 err = rhltable_insert_key(&table->chains_ht, chain->name,
1746 &chain->rhlhead, nft_chain_ht_params);
1750 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1751 if (IS_ERR(trans)) {
1752 err = PTR_ERR(trans);
1753 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1754 nft_chain_ht_params);
1758 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1759 if (nft_is_base_chain(chain))
1760 nft_trans_chain_policy(trans) = policy;
1763 list_add_tail_rcu(&chain->list, &table->chains);
1767 nf_tables_unregister_hook(net, table, chain);
1769 nf_tables_chain_destroy(ctx);
1774 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1777 const struct nlattr * const *nla = ctx->nla;
1778 struct nft_table *table = ctx->table;
1779 struct nft_chain *chain = ctx->chain;
1780 struct nft_base_chain *basechain;
1781 struct nft_stats *stats = NULL;
1782 struct nft_chain_hook hook;
1783 struct nf_hook_ops *ops;
1784 struct nft_trans *trans;
1787 if (chain->flags ^ flags)
1790 if (nla[NFTA_CHAIN_HOOK]) {
1791 if (!nft_is_base_chain(chain))
1794 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1799 basechain = nft_base_chain(chain);
1800 if (basechain->type != hook.type) {
1801 nft_chain_release_hook(&hook);
1805 ops = &basechain->ops;
1806 if (ops->hooknum != hook.num ||
1807 ops->priority != hook.priority ||
1808 ops->dev != hook.dev) {
1809 nft_chain_release_hook(&hook);
1812 nft_chain_release_hook(&hook);
1815 if (nla[NFTA_CHAIN_HANDLE] &&
1816 nla[NFTA_CHAIN_NAME]) {
1817 struct nft_chain *chain2;
1819 chain2 = nft_chain_lookup(ctx->net, table,
1820 nla[NFTA_CHAIN_NAME], genmask);
1821 if (!IS_ERR(chain2))
1825 if (nla[NFTA_CHAIN_COUNTERS]) {
1826 if (!nft_is_base_chain(chain))
1829 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1831 return PTR_ERR(stats);
1835 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1836 sizeof(struct nft_trans_chain));
1840 nft_trans_chain_stats(trans) = stats;
1841 nft_trans_chain_update(trans) = true;
1843 if (nla[NFTA_CHAIN_POLICY])
1844 nft_trans_chain_policy(trans) = policy;
1846 nft_trans_chain_policy(trans) = -1;
1848 if (nla[NFTA_CHAIN_HANDLE] &&
1849 nla[NFTA_CHAIN_NAME]) {
1850 struct nft_trans *tmp;
1854 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1859 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1860 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1861 tmp->ctx.table == table &&
1862 nft_trans_chain_update(tmp) &&
1863 nft_trans_chain_name(tmp) &&
1864 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1870 nft_trans_chain_name(trans) = name;
1872 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1881 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1882 struct sk_buff *skb, const struct nlmsghdr *nlh,
1883 const struct nlattr * const nla[],
1884 struct netlink_ext_ack *extack)
1886 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1887 u8 genmask = nft_genmask_next(net);
1888 int family = nfmsg->nfgen_family;
1889 const struct nlattr *attr;
1890 struct nft_table *table;
1891 struct nft_chain *chain;
1892 u8 policy = NF_ACCEPT;
1897 lockdep_assert_held(&net->nft.commit_mutex);
1899 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1900 if (IS_ERR(table)) {
1901 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1902 return PTR_ERR(table);
1906 attr = nla[NFTA_CHAIN_NAME];
1908 if (nla[NFTA_CHAIN_HANDLE]) {
1909 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1910 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1911 if (IS_ERR(chain)) {
1912 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1913 return PTR_ERR(chain);
1915 attr = nla[NFTA_CHAIN_HANDLE];
1917 chain = nft_chain_lookup(net, table, attr, genmask);
1918 if (IS_ERR(chain)) {
1919 if (PTR_ERR(chain) != -ENOENT) {
1920 NL_SET_BAD_ATTR(extack, attr);
1921 return PTR_ERR(chain);
1927 if (nla[NFTA_CHAIN_POLICY]) {
1928 if (chain != NULL &&
1929 !nft_is_base_chain(chain)) {
1930 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1934 if (chain == NULL &&
1935 nla[NFTA_CHAIN_HOOK] == NULL) {
1936 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1940 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1950 if (nla[NFTA_CHAIN_FLAGS])
1951 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
1953 flags = chain->flags;
1955 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1957 if (chain != NULL) {
1958 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1959 NL_SET_BAD_ATTR(extack, attr);
1962 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1965 flags |= chain->flags & NFT_BASE_CHAIN;
1966 return nf_tables_updchain(&ctx, genmask, policy, flags);
1969 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
1972 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1973 struct sk_buff *skb, const struct nlmsghdr *nlh,
1974 const struct nlattr * const nla[],
1975 struct netlink_ext_ack *extack)
1977 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1978 u8 genmask = nft_genmask_next(net);
1979 int family = nfmsg->nfgen_family;
1980 const struct nlattr *attr;
1981 struct nft_table *table;
1982 struct nft_chain *chain;
1983 struct nft_rule *rule;
1989 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1990 if (IS_ERR(table)) {
1991 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1992 return PTR_ERR(table);
1995 if (nla[NFTA_CHAIN_HANDLE]) {
1996 attr = nla[NFTA_CHAIN_HANDLE];
1997 handle = be64_to_cpu(nla_get_be64(attr));
1998 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2000 attr = nla[NFTA_CHAIN_NAME];
2001 chain = nft_chain_lookup(net, table, attr, genmask);
2003 if (IS_ERR(chain)) {
2004 NL_SET_BAD_ATTR(extack, attr);
2005 return PTR_ERR(chain);
2008 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2012 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2015 list_for_each_entry(rule, &chain->rules, list) {
2016 if (!nft_is_active_next(net, rule))
2020 err = nft_delrule(&ctx, rule);
2025 /* There are rules and elements that are still holding references to us,
2026 * we cannot do a recursive removal in this case.
2029 NL_SET_BAD_ATTR(extack, attr);
2033 return nft_delchain(&ctx);
2041 * nft_register_expr - register nf_tables expr type
2044 * Registers the expr type for use with nf_tables. Returns zero on
2045 * success or a negative errno code otherwise.
2047 int nft_register_expr(struct nft_expr_type *type)
2049 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2050 if (type->family == NFPROTO_UNSPEC)
2051 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2053 list_add_rcu(&type->list, &nf_tables_expressions);
2054 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2057 EXPORT_SYMBOL_GPL(nft_register_expr);
2060 * nft_unregister_expr - unregister nf_tables expr type
2063 * Unregisters the expr typefor use with nf_tables.
2065 void nft_unregister_expr(struct nft_expr_type *type)
2067 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2068 list_del_rcu(&type->list);
2069 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2071 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2073 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2076 const struct nft_expr_type *type, *candidate = NULL;
2078 list_for_each_entry(type, &nf_tables_expressions, list) {
2079 if (!nla_strcmp(nla, type->name)) {
2080 if (!type->family && !candidate)
2082 else if (type->family == family)
2089 #ifdef CONFIG_MODULES
2090 static int nft_expr_type_request_module(struct net *net, u8 family,
2093 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2094 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2101 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2105 const struct nft_expr_type *type;
2108 return ERR_PTR(-EINVAL);
2110 type = __nft_expr_type_get(family, nla);
2111 if (type != NULL && try_module_get(type->owner))
2114 lockdep_nfnl_nft_mutex_not_held();
2115 #ifdef CONFIG_MODULES
2117 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2118 return ERR_PTR(-EAGAIN);
2120 if (nft_request_module(net, "nft-expr-%.*s",
2122 (char *)nla_data(nla)) == -EAGAIN)
2123 return ERR_PTR(-EAGAIN);
2126 return ERR_PTR(-ENOENT);
2129 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2130 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2131 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2132 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2135 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2136 const struct nft_expr *expr)
2138 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2139 goto nla_put_failure;
2141 if (expr->ops->dump) {
2142 struct nlattr *data = nla_nest_start_noflag(skb,
2145 goto nla_put_failure;
2146 if (expr->ops->dump(skb, expr) < 0)
2147 goto nla_put_failure;
2148 nla_nest_end(skb, data);
2157 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2158 const struct nft_expr *expr)
2160 struct nlattr *nest;
2162 nest = nla_nest_start_noflag(skb, attr);
2164 goto nla_put_failure;
2165 if (nf_tables_fill_expr_info(skb, expr) < 0)
2166 goto nla_put_failure;
2167 nla_nest_end(skb, nest);
2174 struct nft_expr_info {
2175 const struct nft_expr_ops *ops;
2176 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2179 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2180 const struct nlattr *nla,
2181 struct nft_expr_info *info)
2183 const struct nft_expr_type *type;
2184 const struct nft_expr_ops *ops;
2185 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2188 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2189 nft_expr_policy, NULL);
2193 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2195 return PTR_ERR(type);
2197 if (tb[NFTA_EXPR_DATA]) {
2198 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2200 type->policy, NULL);
2204 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2206 if (type->select_ops != NULL) {
2207 ops = type->select_ops(ctx,
2208 (const struct nlattr * const *)info->tb);
2211 #ifdef CONFIG_MODULES
2213 if (nft_expr_type_request_module(ctx->net,
2215 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2227 module_put(type->owner);
2231 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2232 const struct nft_expr_info *info,
2233 struct nft_expr *expr)
2235 const struct nft_expr_ops *ops = info->ops;
2240 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2251 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2252 struct nft_expr *expr)
2254 const struct nft_expr_type *type = expr->ops->type;
2256 if (expr->ops->destroy)
2257 expr->ops->destroy(ctx, expr);
2258 module_put(type->owner);
2261 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2262 const struct nlattr *nla)
2264 struct nft_expr_info info;
2265 struct nft_expr *expr;
2266 struct module *owner;
2269 err = nf_tables_expr_parse(ctx, nla, &info);
2271 goto err_expr_parse;
2274 if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
2275 goto err_expr_stateful;
2278 expr = kzalloc(info.ops->size, GFP_KERNEL);
2280 goto err_expr_stateful;
2282 err = nf_tables_newexpr(ctx, &info, expr);
2290 owner = info.ops->type->owner;
2291 if (info.ops->type->release_ops)
2292 info.ops->type->release_ops(info.ops);
2296 return ERR_PTR(err);
2299 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2301 nf_tables_expr_destroy(ctx, expr);
2309 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2312 struct nft_rule *rule;
2314 // FIXME: this sucks
2315 list_for_each_entry_rcu(rule, &chain->rules, list) {
2316 if (handle == rule->handle)
2320 return ERR_PTR(-ENOENT);
2323 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2324 const struct nlattr *nla)
2327 return ERR_PTR(-EINVAL);
2329 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2332 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2333 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2334 .len = NFT_TABLE_MAXNAMELEN - 1 },
2335 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2336 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2337 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2338 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2339 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2340 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2341 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2342 .len = NFT_USERDATA_MAXLEN },
2343 [NFTA_RULE_ID] = { .type = NLA_U32 },
2344 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2347 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2348 u32 portid, u32 seq, int event,
2349 u32 flags, int family,
2350 const struct nft_table *table,
2351 const struct nft_chain *chain,
2352 const struct nft_rule *rule,
2353 const struct nft_rule *prule)
2355 struct nlmsghdr *nlh;
2356 struct nfgenmsg *nfmsg;
2357 const struct nft_expr *expr, *next;
2358 struct nlattr *list;
2359 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2361 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2363 goto nla_put_failure;
2365 nfmsg = nlmsg_data(nlh);
2366 nfmsg->nfgen_family = family;
2367 nfmsg->version = NFNETLINK_V0;
2368 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2370 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2371 goto nla_put_failure;
2372 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2373 goto nla_put_failure;
2374 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2376 goto nla_put_failure;
2378 if (event != NFT_MSG_DELRULE && prule) {
2379 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2380 cpu_to_be64(prule->handle),
2382 goto nla_put_failure;
2385 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2387 goto nla_put_failure;
2388 nft_rule_for_each_expr(expr, next, rule) {
2389 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2390 goto nla_put_failure;
2392 nla_nest_end(skb, list);
2395 struct nft_userdata *udata = nft_userdata(rule);
2396 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2398 goto nla_put_failure;
2401 nlmsg_end(skb, nlh);
2405 nlmsg_trim(skb, nlh);
2409 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2410 const struct nft_rule *rule, int event)
2412 struct sk_buff *skb;
2416 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2419 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2423 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2424 event, 0, ctx->family, ctx->table,
2425 ctx->chain, rule, NULL);
2431 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2432 ctx->report, GFP_KERNEL);
2435 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2438 struct nft_rule_dump_ctx {
2443 static int __nf_tables_dump_rules(struct sk_buff *skb,
2445 struct netlink_callback *cb,
2446 const struct nft_table *table,
2447 const struct nft_chain *chain)
2449 struct net *net = sock_net(skb->sk);
2450 const struct nft_rule *rule, *prule;
2451 unsigned int s_idx = cb->args[0];
2454 list_for_each_entry_rcu(rule, &chain->rules, list) {
2455 if (!nft_is_active(net, rule))
2460 memset(&cb->args[1], 0,
2461 sizeof(cb->args) - sizeof(cb->args[0]));
2463 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2466 NLM_F_MULTI | NLM_F_APPEND,
2468 table, chain, rule, prule) < 0)
2471 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2480 static int nf_tables_dump_rules(struct sk_buff *skb,
2481 struct netlink_callback *cb)
2483 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2484 const struct nft_rule_dump_ctx *ctx = cb->data;
2485 struct nft_table *table;
2486 const struct nft_chain *chain;
2487 unsigned int idx = 0;
2488 struct net *net = sock_net(skb->sk);
2489 int family = nfmsg->nfgen_family;
2492 cb->seq = net->nft.base_seq;
2494 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2495 if (family != NFPROTO_UNSPEC && family != table->family)
2498 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2501 if (ctx && ctx->table && ctx->chain) {
2502 struct rhlist_head *list, *tmp;
2504 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2505 nft_chain_ht_params);
2509 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2510 if (!nft_is_active(net, chain))
2512 __nf_tables_dump_rules(skb, &idx,
2519 list_for_each_entry_rcu(chain, &table->chains, list) {
2520 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2524 if (ctx && ctx->table)
2534 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2536 const struct nlattr * const *nla = cb->data;
2537 struct nft_rule_dump_ctx *ctx = NULL;
2539 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2540 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2544 if (nla[NFTA_RULE_TABLE]) {
2545 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2552 if (nla[NFTA_RULE_CHAIN]) {
2553 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2567 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2569 struct nft_rule_dump_ctx *ctx = cb->data;
2579 /* called with rcu_read_lock held */
2580 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2581 struct sk_buff *skb, const struct nlmsghdr *nlh,
2582 const struct nlattr * const nla[],
2583 struct netlink_ext_ack *extack)
2585 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2586 u8 genmask = nft_genmask_cur(net);
2587 const struct nft_chain *chain;
2588 const struct nft_rule *rule;
2589 struct nft_table *table;
2590 struct sk_buff *skb2;
2591 int family = nfmsg->nfgen_family;
2594 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2595 struct netlink_dump_control c = {
2596 .start= nf_tables_dump_rules_start,
2597 .dump = nf_tables_dump_rules,
2598 .done = nf_tables_dump_rules_done,
2599 .module = THIS_MODULE,
2600 .data = (void *)nla,
2603 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2606 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2607 if (IS_ERR(table)) {
2608 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2609 return PTR_ERR(table);
2612 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2613 if (IS_ERR(chain)) {
2614 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2615 return PTR_ERR(chain);
2618 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2620 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2621 return PTR_ERR(rule);
2624 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2628 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2629 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2630 family, table, chain, rule, NULL);
2632 goto err_fill_rule_info;
2634 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2641 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2642 struct nft_rule *rule)
2644 struct nft_expr *expr, *next;
2647 * Careful: some expressions might not be initialized in case this
2648 * is called on error from nf_tables_newrule().
2650 expr = nft_expr_first(rule);
2651 while (nft_expr_more(rule, expr)) {
2652 next = nft_expr_next(expr);
2653 nf_tables_expr_destroy(ctx, expr);
2659 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2660 struct nft_rule *rule)
2662 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2663 nf_tables_rule_destroy(ctx, rule);
2666 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2668 struct nft_expr *expr, *last;
2669 const struct nft_data *data;
2670 struct nft_rule *rule;
2673 if (ctx->level == NFT_JUMP_STACK_SIZE)
2676 list_for_each_entry(rule, &chain->rules, list) {
2677 if (!nft_is_active_next(ctx->net, rule))
2680 nft_rule_for_each_expr(expr, last, rule) {
2681 if (!expr->ops->validate)
2684 err = expr->ops->validate(ctx, expr, &data);
2692 EXPORT_SYMBOL_GPL(nft_chain_validate);
2694 static int nft_table_validate(struct net *net, const struct nft_table *table)
2696 struct nft_chain *chain;
2697 struct nft_ctx ctx = {
2699 .family = table->family,
2703 list_for_each_entry(chain, &table->chains, list) {
2704 if (!nft_is_base_chain(chain))
2708 err = nft_chain_validate(&ctx, chain);
2716 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2717 const struct nft_chain *chain,
2718 const struct nlattr *nla);
2720 #define NFT_RULE_MAXEXPRS 128
2722 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2723 struct sk_buff *skb, const struct nlmsghdr *nlh,
2724 const struct nlattr * const nla[],
2725 struct netlink_ext_ack *extack)
2727 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2728 u8 genmask = nft_genmask_next(net);
2729 struct nft_expr_info *info = NULL;
2730 int family = nfmsg->nfgen_family;
2731 struct nft_flow_rule *flow;
2732 struct nft_table *table;
2733 struct nft_chain *chain;
2734 struct nft_rule *rule, *old_rule = NULL;
2735 struct nft_userdata *udata;
2736 struct nft_trans *trans = NULL;
2737 struct nft_expr *expr;
2740 unsigned int size, i, n, ulen = 0, usize = 0;
2742 u64 handle, pos_handle;
2744 lockdep_assert_held(&net->nft.commit_mutex);
2746 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2747 if (IS_ERR(table)) {
2748 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2749 return PTR_ERR(table);
2752 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2753 if (IS_ERR(chain)) {
2754 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2755 return PTR_ERR(chain);
2758 if (nla[NFTA_RULE_HANDLE]) {
2759 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2760 rule = __nft_rule_lookup(chain, handle);
2762 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2763 return PTR_ERR(rule);
2766 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2767 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2770 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2775 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2776 nlh->nlmsg_flags & NLM_F_REPLACE)
2778 handle = nf_tables_alloc_handle(table);
2780 if (chain->use == UINT_MAX)
2783 if (nla[NFTA_RULE_POSITION]) {
2784 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2785 old_rule = __nft_rule_lookup(chain, pos_handle);
2786 if (IS_ERR(old_rule)) {
2787 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2788 return PTR_ERR(old_rule);
2790 } else if (nla[NFTA_RULE_POSITION_ID]) {
2791 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
2792 if (IS_ERR(old_rule)) {
2793 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2794 return PTR_ERR(old_rule);
2799 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2803 if (nla[NFTA_RULE_EXPRESSIONS]) {
2804 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2805 sizeof(struct nft_expr_info),
2810 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2812 if (nla_type(tmp) != NFTA_LIST_ELEM)
2814 if (n == NFT_RULE_MAXEXPRS)
2816 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2819 size += info[n].ops->size;
2823 /* Check for overflow of dlen field */
2825 if (size >= 1 << 12)
2828 if (nla[NFTA_RULE_USERDATA]) {
2829 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2831 usize = sizeof(struct nft_userdata) + ulen;
2835 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2839 nft_activate_next(net, rule);
2841 rule->handle = handle;
2843 rule->udata = ulen ? 1 : 0;
2846 udata = nft_userdata(rule);
2847 udata->len = ulen - 1;
2848 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2851 expr = nft_expr_first(rule);
2852 for (i = 0; i < n; i++) {
2853 err = nf_tables_newexpr(&ctx, &info[i], expr);
2857 if (info[i].ops->validate)
2858 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2861 expr = nft_expr_next(expr);
2864 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2865 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2866 if (trans == NULL) {
2870 err = nft_delrule(&ctx, old_rule);
2872 nft_trans_destroy(trans);
2876 list_add_tail_rcu(&rule->list, &old_rule->list);
2878 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2884 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2886 list_add_rcu(&rule->list, &old_rule->list);
2888 list_add_tail_rcu(&rule->list, &chain->rules);
2891 list_add_tail_rcu(&rule->list, &old_rule->list);
2893 list_add_rcu(&rule->list, &chain->rules);
2899 if (net->nft.validate_state == NFT_VALIDATE_DO)
2900 return nft_table_validate(net, table);
2902 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
2903 flow = nft_flow_rule_create(net, rule);
2905 return PTR_ERR(flow);
2907 nft_trans_flow_rule(trans) = flow;
2912 nf_tables_rule_release(&ctx, rule);
2914 for (i = 0; i < n; i++) {
2916 module_put(info[i].ops->type->owner);
2917 if (info[i].ops->type->release_ops)
2918 info[i].ops->type->release_ops(info[i].ops);
2925 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2926 const struct nft_chain *chain,
2927 const struct nlattr *nla)
2929 u32 id = ntohl(nla_get_be32(nla));
2930 struct nft_trans *trans;
2932 list_for_each_entry(trans, &net->nft.commit_list, list) {
2933 struct nft_rule *rule = nft_trans_rule(trans);
2935 if (trans->msg_type == NFT_MSG_NEWRULE &&
2936 trans->ctx.chain == chain &&
2937 id == nft_trans_rule_id(trans))
2940 return ERR_PTR(-ENOENT);
2943 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2944 struct sk_buff *skb, const struct nlmsghdr *nlh,
2945 const struct nlattr * const nla[],
2946 struct netlink_ext_ack *extack)
2948 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2949 u8 genmask = nft_genmask_next(net);
2950 struct nft_table *table;
2951 struct nft_chain *chain = NULL;
2952 struct nft_rule *rule;
2953 int family = nfmsg->nfgen_family, err = 0;
2956 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2957 if (IS_ERR(table)) {
2958 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2959 return PTR_ERR(table);
2962 if (nla[NFTA_RULE_CHAIN]) {
2963 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2965 if (IS_ERR(chain)) {
2966 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2967 return PTR_ERR(chain);
2971 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2974 if (nla[NFTA_RULE_HANDLE]) {
2975 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2977 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2978 return PTR_ERR(rule);
2981 err = nft_delrule(&ctx, rule);
2982 } else if (nla[NFTA_RULE_ID]) {
2983 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
2985 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2986 return PTR_ERR(rule);
2989 err = nft_delrule(&ctx, rule);
2991 err = nft_delrule_by_chain(&ctx);
2994 list_for_each_entry(chain, &table->chains, list) {
2995 if (!nft_is_active_next(net, chain))
2999 err = nft_delrule_by_chain(&ctx);
3012 static LIST_HEAD(nf_tables_set_types);
3014 int nft_register_set(struct nft_set_type *type)
3016 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3017 list_add_tail_rcu(&type->list, &nf_tables_set_types);
3018 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3021 EXPORT_SYMBOL_GPL(nft_register_set);
3023 void nft_unregister_set(struct nft_set_type *type)
3025 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3026 list_del_rcu(&type->list);
3027 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3029 EXPORT_SYMBOL_GPL(nft_unregister_set);
3031 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3032 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3035 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3037 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3041 * Select a set implementation based on the data characteristics and the
3042 * given policy. The total memory use might not be known if no size is
3043 * given, in that case the amount of memory per element is used.
3045 static const struct nft_set_ops *
3046 nft_select_set_ops(const struct nft_ctx *ctx,
3047 const struct nlattr * const nla[],
3048 const struct nft_set_desc *desc,
3049 enum nft_set_policies policy)
3051 const struct nft_set_ops *ops, *bops;
3052 struct nft_set_estimate est, best;
3053 const struct nft_set_type *type;
3056 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3057 lockdep_nfnl_nft_mutex_not_held();
3058 #ifdef CONFIG_MODULES
3059 if (list_empty(&nf_tables_set_types)) {
3060 if (nft_request_module(ctx->net, "nft-set") == -EAGAIN)
3061 return ERR_PTR(-EAGAIN);
3064 if (nla[NFTA_SET_FLAGS] != NULL)
3065 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3072 list_for_each_entry(type, &nf_tables_set_types, list) {
3075 if (!nft_set_ops_candidate(type, flags))
3077 if (!ops->estimate(desc, flags, &est))
3081 case NFT_SET_POL_PERFORMANCE:
3082 if (est.lookup < best.lookup)
3084 if (est.lookup == best.lookup &&
3085 est.space < best.space)
3088 case NFT_SET_POL_MEMORY:
3090 if (est.space < best.space)
3092 if (est.space == best.space &&
3093 est.lookup < best.lookup)
3095 } else if (est.size < best.size || !bops) {
3103 if (!try_module_get(type->owner))
3106 module_put(to_set_type(bops)->owner);
3115 return ERR_PTR(-EOPNOTSUPP);
3118 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3119 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3120 .len = NFT_TABLE_MAXNAMELEN - 1 },
3121 [NFTA_SET_NAME] = { .type = NLA_STRING,
3122 .len = NFT_SET_MAXNAMELEN - 1 },
3123 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3124 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3125 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3126 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3127 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3128 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3129 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3130 [NFTA_SET_ID] = { .type = NLA_U32 },
3131 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3132 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3133 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3134 .len = NFT_USERDATA_MAXLEN },
3135 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3136 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3139 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3140 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3143 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3144 const struct sk_buff *skb,
3145 const struct nlmsghdr *nlh,
3146 const struct nlattr * const nla[],
3147 struct netlink_ext_ack *extack,
3150 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3151 int family = nfmsg->nfgen_family;
3152 struct nft_table *table = NULL;
3154 if (nla[NFTA_SET_TABLE] != NULL) {
3155 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3157 if (IS_ERR(table)) {
3158 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3159 return PTR_ERR(table);
3163 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3167 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3168 const struct nlattr *nla, u8 genmask)
3170 struct nft_set *set;
3173 return ERR_PTR(-EINVAL);
3175 list_for_each_entry_rcu(set, &table->sets, list) {
3176 if (!nla_strcmp(nla, set->name) &&
3177 nft_active_genmask(set, genmask))
3180 return ERR_PTR(-ENOENT);
3183 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3184 const struct nlattr *nla,
3187 struct nft_set *set;
3189 list_for_each_entry(set, &table->sets, list) {
3190 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3191 nft_active_genmask(set, genmask))
3194 return ERR_PTR(-ENOENT);
3197 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3198 const struct nft_table *table,
3199 const struct nlattr *nla, u8 genmask)
3201 struct nft_trans *trans;
3202 u32 id = ntohl(nla_get_be32(nla));
3204 list_for_each_entry(trans, &net->nft.commit_list, list) {
3205 if (trans->msg_type == NFT_MSG_NEWSET) {
3206 struct nft_set *set = nft_trans_set(trans);
3208 if (id == nft_trans_set_id(trans) &&
3209 set->table == table &&
3210 nft_active_genmask(set, genmask))
3214 return ERR_PTR(-ENOENT);
3217 struct nft_set *nft_set_lookup_global(const struct net *net,
3218 const struct nft_table *table,
3219 const struct nlattr *nla_set_name,
3220 const struct nlattr *nla_set_id,
3223 struct nft_set *set;
3225 set = nft_set_lookup(table, nla_set_name, genmask);
3230 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
3234 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3236 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3239 const struct nft_set *i;
3241 unsigned long *inuse;
3242 unsigned int n = 0, min = 0;
3244 p = strchr(name, '%');
3246 if (p[1] != 'd' || strchr(p + 2, '%'))
3249 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3253 list_for_each_entry(i, &ctx->table->sets, list) {
3256 if (!nft_is_active_next(ctx->net, i))
3258 if (!sscanf(i->name, name, &tmp))
3260 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3263 set_bit(tmp - min, inuse);
3266 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3267 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3268 min += BITS_PER_BYTE * PAGE_SIZE;
3269 memset(inuse, 0, PAGE_SIZE);
3272 free_page((unsigned long)inuse);
3275 set->name = kasprintf(GFP_KERNEL, name, min + n);
3279 list_for_each_entry(i, &ctx->table->sets, list) {
3280 if (!nft_is_active_next(ctx->net, i))
3282 if (!strcmp(set->name, i->name)) {
3290 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3292 u64 ms = be64_to_cpu(nla_get_be64(nla));
3293 u64 max = (u64)(~((u64)0));
3295 max = div_u64(max, NSEC_PER_MSEC);
3299 ms *= NSEC_PER_MSEC;
3300 *result = nsecs_to_jiffies64(ms);
3304 __be64 nf_jiffies64_to_msecs(u64 input)
3306 return cpu_to_be64(jiffies64_to_msecs(input));
3309 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3310 const struct nft_set *set, u16 event, u16 flags)
3312 struct nfgenmsg *nfmsg;
3313 struct nlmsghdr *nlh;
3314 struct nlattr *desc;
3315 u32 portid = ctx->portid;
3318 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3319 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3322 goto nla_put_failure;
3324 nfmsg = nlmsg_data(nlh);
3325 nfmsg->nfgen_family = ctx->family;
3326 nfmsg->version = NFNETLINK_V0;
3327 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3329 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3330 goto nla_put_failure;
3331 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3332 goto nla_put_failure;
3333 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3335 goto nla_put_failure;
3336 if (set->flags != 0)
3337 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3338 goto nla_put_failure;
3340 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3341 goto nla_put_failure;
3342 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3343 goto nla_put_failure;
3344 if (set->flags & NFT_SET_MAP) {
3345 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3346 goto nla_put_failure;
3347 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3348 goto nla_put_failure;
3350 if (set->flags & NFT_SET_OBJECT &&
3351 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3352 goto nla_put_failure;
3355 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3356 nf_jiffies64_to_msecs(set->timeout),
3358 goto nla_put_failure;
3360 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3361 goto nla_put_failure;
3363 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3364 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3365 goto nla_put_failure;
3369 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3370 goto nla_put_failure;
3372 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3374 goto nla_put_failure;
3376 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3377 goto nla_put_failure;
3378 nla_nest_end(skb, desc);
3380 nlmsg_end(skb, nlh);
3384 nlmsg_trim(skb, nlh);
3388 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3389 const struct nft_set *set, int event,
3392 struct sk_buff *skb;
3393 u32 portid = ctx->portid;
3397 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3400 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3404 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3410 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3414 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3417 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3419 const struct nft_set *set;
3420 unsigned int idx, s_idx = cb->args[0];
3421 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3422 struct net *net = sock_net(skb->sk);
3423 struct nft_ctx *ctx = cb->data, ctx_set;
3429 cb->seq = net->nft.base_seq;
3431 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3432 if (ctx->family != NFPROTO_UNSPEC &&
3433 ctx->family != table->family)
3436 if (ctx->table && ctx->table != table)
3440 if (cur_table != table)
3446 list_for_each_entry_rcu(set, &table->sets, list) {
3449 if (!nft_is_active(net, set))
3453 ctx_set.table = table;
3454 ctx_set.family = table->family;
3456 if (nf_tables_fill_set(skb, &ctx_set, set,
3460 cb->args[2] = (unsigned long) table;
3463 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3476 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3478 struct nft_ctx *ctx_dump = NULL;
3480 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3481 if (ctx_dump == NULL)
3484 cb->data = ctx_dump;
3488 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3494 /* called with rcu_read_lock held */
3495 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3496 struct sk_buff *skb, const struct nlmsghdr *nlh,
3497 const struct nlattr * const nla[],
3498 struct netlink_ext_ack *extack)
3500 u8 genmask = nft_genmask_cur(net);
3501 const struct nft_set *set;
3503 struct sk_buff *skb2;
3504 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3507 /* Verify existence before starting dump */
3508 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3513 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3514 struct netlink_dump_control c = {
3515 .start = nf_tables_dump_sets_start,
3516 .dump = nf_tables_dump_sets,
3517 .done = nf_tables_dump_sets_done,
3519 .module = THIS_MODULE,
3522 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3525 /* Only accept unspec with dump */
3526 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3527 return -EAFNOSUPPORT;
3528 if (!nla[NFTA_SET_TABLE])
3531 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3533 return PTR_ERR(set);
3535 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3539 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3541 goto err_fill_set_info;
3543 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3550 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3551 const struct nlattr *nla)
3553 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3556 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3557 nft_set_desc_policy, NULL);
3561 if (da[NFTA_SET_DESC_SIZE] != NULL)
3562 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3567 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3568 struct sk_buff *skb, const struct nlmsghdr *nlh,
3569 const struct nlattr * const nla[],
3570 struct netlink_ext_ack *extack)
3572 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3573 u8 genmask = nft_genmask_next(net);
3574 int family = nfmsg->nfgen_family;
3575 const struct nft_set_ops *ops;
3576 struct nft_table *table;
3577 struct nft_set *set;
3582 u32 ktype, dtype, flags, policy, gc_int, objtype;
3583 struct nft_set_desc desc;
3584 unsigned char *udata;
3588 if (nla[NFTA_SET_TABLE] == NULL ||
3589 nla[NFTA_SET_NAME] == NULL ||
3590 nla[NFTA_SET_KEY_LEN] == NULL ||
3591 nla[NFTA_SET_ID] == NULL)
3594 memset(&desc, 0, sizeof(desc));
3596 ktype = NFT_DATA_VALUE;
3597 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3598 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3599 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3603 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3604 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3608 if (nla[NFTA_SET_FLAGS] != NULL) {
3609 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3610 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3611 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3612 NFT_SET_MAP | NFT_SET_EVAL |
3615 /* Only one of these operations is supported */
3616 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3617 (NFT_SET_MAP | NFT_SET_OBJECT))
3619 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3620 (NFT_SET_EVAL | NFT_SET_OBJECT))
3625 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3626 if (!(flags & NFT_SET_MAP))
3629 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3630 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3631 dtype != NFT_DATA_VERDICT)
3634 if (dtype != NFT_DATA_VERDICT) {
3635 if (nla[NFTA_SET_DATA_LEN] == NULL)
3637 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3638 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3641 desc.dlen = sizeof(struct nft_verdict);
3642 } else if (flags & NFT_SET_MAP)
3645 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3646 if (!(flags & NFT_SET_OBJECT))
3649 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3650 if (objtype == NFT_OBJECT_UNSPEC ||
3651 objtype > NFT_OBJECT_MAX)
3653 } else if (flags & NFT_SET_OBJECT)
3656 objtype = NFT_OBJECT_UNSPEC;
3659 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3660 if (!(flags & NFT_SET_TIMEOUT))
3663 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3668 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3669 if (!(flags & NFT_SET_TIMEOUT))
3671 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3674 policy = NFT_SET_POL_PERFORMANCE;
3675 if (nla[NFTA_SET_POLICY] != NULL)
3676 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3678 if (nla[NFTA_SET_DESC] != NULL) {
3679 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3684 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3685 if (IS_ERR(table)) {
3686 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3687 return PTR_ERR(table);
3690 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3692 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3694 if (PTR_ERR(set) != -ENOENT) {
3695 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3696 return PTR_ERR(set);
3699 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3700 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3703 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3709 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3712 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3714 return PTR_ERR(ops);
3717 if (nla[NFTA_SET_USERDATA])
3718 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3721 if (ops->privsize != NULL)
3722 size = ops->privsize(nla, &desc);
3724 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3730 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3736 err = nf_tables_set_alloc_name(&ctx, set, name);
3743 udata = set->data + size;
3744 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3747 INIT_LIST_HEAD(&set->bindings);
3749 write_pnet(&set->net, net);
3752 set->klen = desc.klen;
3754 set->objtype = objtype;
3755 set->dlen = desc.dlen;
3757 set->size = desc.size;
3758 set->policy = policy;
3761 set->timeout = timeout;
3762 set->gc_int = gc_int;
3763 set->handle = nf_tables_alloc_handle(table);
3765 err = ops->init(set, &desc, nla);
3769 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3773 list_add_tail_rcu(&set->list, &table->sets);
3784 module_put(to_set_type(ops)->owner);
3788 static void nft_set_destroy(struct nft_set *set)
3790 if (WARN_ON(set->use > 0))
3793 set->ops->destroy(set);
3794 module_put(to_set_type(set->ops)->owner);
3799 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3800 struct sk_buff *skb, const struct nlmsghdr *nlh,
3801 const struct nlattr * const nla[],
3802 struct netlink_ext_ack *extack)
3804 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3805 u8 genmask = nft_genmask_next(net);
3806 const struct nlattr *attr;
3807 struct nft_set *set;
3811 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3812 return -EAFNOSUPPORT;
3813 if (nla[NFTA_SET_TABLE] == NULL)
3816 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3821 if (nla[NFTA_SET_HANDLE]) {
3822 attr = nla[NFTA_SET_HANDLE];
3823 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3825 attr = nla[NFTA_SET_NAME];
3826 set = nft_set_lookup(ctx.table, attr, genmask);
3830 NL_SET_BAD_ATTR(extack, attr);
3831 return PTR_ERR(set);
3834 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3835 NL_SET_BAD_ATTR(extack, attr);
3839 return nft_delset(&ctx, set);
3842 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3843 struct nft_set *set,
3844 const struct nft_set_iter *iter,
3845 struct nft_set_elem *elem)
3847 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3848 enum nft_registers dreg;
3850 dreg = nft_type_to_reg(set->dtype);
3851 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3852 set->dtype == NFT_DATA_VERDICT ?
3853 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3857 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3858 struct nft_set_binding *binding)
3860 struct nft_set_binding *i;
3861 struct nft_set_iter iter;
3863 if (set->use == UINT_MAX)
3866 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3869 if (binding->flags & NFT_SET_MAP) {
3870 /* If the set is already bound to the same chain all
3871 * jumps are already validated for that chain.
3873 list_for_each_entry(i, &set->bindings, list) {
3874 if (i->flags & NFT_SET_MAP &&
3875 i->chain == binding->chain)
3879 iter.genmask = nft_genmask_next(ctx->net);
3883 iter.fn = nf_tables_bind_check_setelem;
3885 set->ops->walk(ctx, set, &iter);
3890 binding->chain = ctx->chain;
3891 list_add_tail_rcu(&binding->list, &set->bindings);
3892 nft_set_trans_bind(ctx, set);
3897 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3899 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3900 struct nft_set_binding *binding, bool event)
3902 list_del_rcu(&binding->list);
3904 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3905 list_del_rcu(&set->list);
3907 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3912 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
3914 if (nft_set_is_anonymous(set))
3915 nft_clear(ctx->net, set);
3919 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
3921 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3922 struct nft_set_binding *binding,
3923 enum nft_trans_phase phase)
3926 case NFT_TRANS_PREPARE:
3927 if (nft_set_is_anonymous(set))
3928 nft_deactivate_next(ctx->net, set);
3932 case NFT_TRANS_ABORT:
3933 case NFT_TRANS_RELEASE:
3937 nf_tables_unbind_set(ctx, set, binding,
3938 phase == NFT_TRANS_COMMIT);
3941 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3943 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3945 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3946 nft_set_destroy(set);
3948 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3950 const struct nft_set_ext_type nft_set_ext_types[] = {
3951 [NFT_SET_EXT_KEY] = {
3952 .align = __alignof__(u32),
3954 [NFT_SET_EXT_DATA] = {
3955 .align = __alignof__(u32),
3957 [NFT_SET_EXT_EXPR] = {
3958 .align = __alignof__(struct nft_expr),
3960 [NFT_SET_EXT_OBJREF] = {
3961 .len = sizeof(struct nft_object *),
3962 .align = __alignof__(struct nft_object *),
3964 [NFT_SET_EXT_FLAGS] = {
3966 .align = __alignof__(u8),
3968 [NFT_SET_EXT_TIMEOUT] = {
3970 .align = __alignof__(u64),
3972 [NFT_SET_EXT_EXPIRATION] = {
3974 .align = __alignof__(u64),
3976 [NFT_SET_EXT_USERDATA] = {
3977 .len = sizeof(struct nft_userdata),
3978 .align = __alignof__(struct nft_userdata),
3981 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3987 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3988 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3989 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3990 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3991 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3992 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
3993 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3994 .len = NFT_USERDATA_MAXLEN },
3995 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3996 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
3997 .len = NFT_OBJ_MAXNAMELEN - 1 },
4000 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4001 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4002 .len = NFT_TABLE_MAXNAMELEN - 1 },
4003 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4004 .len = NFT_SET_MAXNAMELEN - 1 },
4005 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4006 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4009 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4010 const struct sk_buff *skb,
4011 const struct nlmsghdr *nlh,
4012 const struct nlattr * const nla[],
4013 struct netlink_ext_ack *extack,
4016 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4017 int family = nfmsg->nfgen_family;
4018 struct nft_table *table;
4020 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4022 if (IS_ERR(table)) {
4023 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4024 return PTR_ERR(table);
4027 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4031 static int nf_tables_fill_setelem(struct sk_buff *skb,
4032 const struct nft_set *set,
4033 const struct nft_set_elem *elem)
4035 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4036 unsigned char *b = skb_tail_pointer(skb);
4037 struct nlattr *nest;
4039 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4041 goto nla_put_failure;
4043 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4044 NFT_DATA_VALUE, set->klen) < 0)
4045 goto nla_put_failure;
4047 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4048 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4049 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4051 goto nla_put_failure;
4053 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4054 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4055 goto nla_put_failure;
4057 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4058 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4059 (*nft_set_ext_obj(ext))->key.name) < 0)
4060 goto nla_put_failure;
4062 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4063 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4064 htonl(*nft_set_ext_flags(ext))))
4065 goto nla_put_failure;
4067 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4068 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4069 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4071 goto nla_put_failure;
4073 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4074 u64 expires, now = get_jiffies_64();
4076 expires = *nft_set_ext_expiration(ext);
4077 if (time_before64(now, expires))
4082 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4083 nf_jiffies64_to_msecs(expires),
4085 goto nla_put_failure;
4088 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4089 struct nft_userdata *udata;
4091 udata = nft_set_ext_userdata(ext);
4092 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4093 udata->len + 1, udata->data))
4094 goto nla_put_failure;
4097 nla_nest_end(skb, nest);
4105 struct nft_set_dump_args {
4106 const struct netlink_callback *cb;
4107 struct nft_set_iter iter;
4108 struct sk_buff *skb;
4111 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4112 struct nft_set *set,
4113 const struct nft_set_iter *iter,
4114 struct nft_set_elem *elem)
4116 struct nft_set_dump_args *args;
4118 args = container_of(iter, struct nft_set_dump_args, iter);
4119 return nf_tables_fill_setelem(args->skb, set, elem);
4122 struct nft_set_dump_ctx {
4123 const struct nft_set *set;
4127 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4129 struct nft_set_dump_ctx *dump_ctx = cb->data;
4130 struct net *net = sock_net(skb->sk);
4131 struct nft_table *table;
4132 struct nft_set *set;
4133 struct nft_set_dump_args args;
4134 bool set_found = false;
4135 struct nfgenmsg *nfmsg;
4136 struct nlmsghdr *nlh;
4137 struct nlattr *nest;
4142 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4143 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4144 dump_ctx->ctx.family != table->family)
4147 if (table != dump_ctx->ctx.table)
4150 list_for_each_entry_rcu(set, &table->sets, list) {
4151 if (set == dump_ctx->set) {
4164 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4165 portid = NETLINK_CB(cb->skb).portid;
4166 seq = cb->nlh->nlmsg_seq;
4168 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4171 goto nla_put_failure;
4173 nfmsg = nlmsg_data(nlh);
4174 nfmsg->nfgen_family = table->family;
4175 nfmsg->version = NFNETLINK_V0;
4176 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4178 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4179 goto nla_put_failure;
4180 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4181 goto nla_put_failure;
4183 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4185 goto nla_put_failure;
4189 args.iter.genmask = nft_genmask_cur(net);
4190 args.iter.skip = cb->args[0];
4191 args.iter.count = 0;
4193 args.iter.fn = nf_tables_dump_setelem;
4194 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4197 nla_nest_end(skb, nest);
4198 nlmsg_end(skb, nlh);
4200 if (args.iter.err && args.iter.err != -EMSGSIZE)
4201 return args.iter.err;
4202 if (args.iter.count == cb->args[0])
4205 cb->args[0] = args.iter.count;
4213 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4215 struct nft_set_dump_ctx *dump_ctx = cb->data;
4217 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4219 return cb->data ? 0 : -ENOMEM;
4222 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4228 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4229 const struct nft_ctx *ctx, u32 seq,
4230 u32 portid, int event, u16 flags,
4231 const struct nft_set *set,
4232 const struct nft_set_elem *elem)
4234 struct nfgenmsg *nfmsg;
4235 struct nlmsghdr *nlh;
4236 struct nlattr *nest;
4239 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4240 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4243 goto nla_put_failure;
4245 nfmsg = nlmsg_data(nlh);
4246 nfmsg->nfgen_family = ctx->family;
4247 nfmsg->version = NFNETLINK_V0;
4248 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4250 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4251 goto nla_put_failure;
4252 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4253 goto nla_put_failure;
4255 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4257 goto nla_put_failure;
4259 err = nf_tables_fill_setelem(skb, set, elem);
4261 goto nla_put_failure;
4263 nla_nest_end(skb, nest);
4265 nlmsg_end(skb, nlh);
4269 nlmsg_trim(skb, nlh);
4273 static int nft_setelem_parse_flags(const struct nft_set *set,
4274 const struct nlattr *attr, u32 *flags)
4279 *flags = ntohl(nla_get_be32(attr));
4280 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4282 if (!(set->flags & NFT_SET_INTERVAL) &&
4283 *flags & NFT_SET_ELEM_INTERVAL_END)
4289 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4290 const struct nlattr *attr)
4292 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4293 struct nft_data_desc desc;
4294 struct nft_set_elem elem;
4295 struct sk_buff *skb;
4300 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4301 nft_set_elem_policy, NULL);
4305 if (!nla[NFTA_SET_ELEM_KEY])
4308 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4312 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4313 nla[NFTA_SET_ELEM_KEY]);
4318 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4319 nft_data_release(&elem.key.val, desc.type);
4323 priv = set->ops->get(ctx->net, set, &elem, flags);
4325 return PTR_ERR(priv);
4330 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4334 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4335 NFT_MSG_NEWSETELEM, 0, set, &elem);
4337 goto err_fill_setelem;
4339 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
4346 /* called with rcu_read_lock held */
4347 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4348 struct sk_buff *skb, const struct nlmsghdr *nlh,
4349 const struct nlattr * const nla[],
4350 struct netlink_ext_ack *extack)
4352 u8 genmask = nft_genmask_cur(net);
4353 struct nft_set *set;
4354 struct nlattr *attr;
4358 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4363 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4365 return PTR_ERR(set);
4367 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4368 struct netlink_dump_control c = {
4369 .start = nf_tables_dump_set_start,
4370 .dump = nf_tables_dump_set,
4371 .done = nf_tables_dump_set_done,
4372 .module = THIS_MODULE,
4374 struct nft_set_dump_ctx dump_ctx = {
4380 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4383 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4386 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4387 err = nft_get_set_elem(&ctx, set, attr);
4395 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4396 const struct nft_set *set,
4397 const struct nft_set_elem *elem,
4398 int event, u16 flags)
4400 struct net *net = ctx->net;
4401 u32 portid = ctx->portid;
4402 struct sk_buff *skb;
4405 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4408 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4412 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4419 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4423 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4426 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4428 struct nft_set *set)
4430 struct nft_trans *trans;
4432 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4436 nft_trans_elem_set(trans) = set;
4440 void *nft_set_elem_init(const struct nft_set *set,
4441 const struct nft_set_ext_tmpl *tmpl,
4442 const u32 *key, const u32 *data,
4443 u64 timeout, u64 expiration, gfp_t gfp)
4445 struct nft_set_ext *ext;
4448 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4452 ext = nft_set_elem_ext(set, elem);
4453 nft_set_ext_init(ext, tmpl);
4455 memcpy(nft_set_ext_key(ext), key, set->klen);
4456 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4457 memcpy(nft_set_ext_data(ext), data, set->dlen);
4458 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4459 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4460 if (expiration == 0)
4461 *nft_set_ext_expiration(ext) += timeout;
4463 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4464 *nft_set_ext_timeout(ext) = timeout;
4469 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4472 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4473 struct nft_ctx ctx = {
4474 .net = read_pnet(&set->net),
4475 .family = set->table->family,
4478 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4479 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4480 nft_data_release(nft_set_ext_data(ext), set->dtype);
4481 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4482 struct nft_expr *expr = nft_set_ext_expr(ext);
4484 if (expr->ops->destroy_clone) {
4485 expr->ops->destroy_clone(&ctx, expr);
4486 module_put(expr->ops->type->owner);
4488 nf_tables_expr_destroy(&ctx, expr);
4491 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4492 (*nft_set_ext_obj(ext))->use--;
4495 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4497 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4498 * the refcounting from the preparation phase.
4500 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4501 const struct nft_set *set, void *elem)
4503 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4505 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4506 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4510 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4511 const struct nlattr *attr, u32 nlmsg_flags)
4513 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4514 u8 genmask = nft_genmask_next(ctx->net);
4515 struct nft_data_desc d1, d2;
4516 struct nft_set_ext_tmpl tmpl;
4517 struct nft_set_ext *ext, *ext2;
4518 struct nft_set_elem elem;
4519 struct nft_set_binding *binding;
4520 struct nft_object *obj = NULL;
4521 struct nft_userdata *udata;
4522 struct nft_data data;
4523 enum nft_registers dreg;
4524 struct nft_trans *trans;
4531 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4532 nft_set_elem_policy, NULL);
4536 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4539 nft_set_ext_prepare(&tmpl);
4541 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4545 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4547 if (set->flags & NFT_SET_MAP) {
4548 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4549 !(flags & NFT_SET_ELEM_INTERVAL_END))
4552 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4556 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
4557 (nla[NFTA_SET_ELEM_DATA] ||
4558 nla[NFTA_SET_ELEM_OBJREF] ||
4559 nla[NFTA_SET_ELEM_TIMEOUT] ||
4560 nla[NFTA_SET_ELEM_EXPIRATION] ||
4561 nla[NFTA_SET_ELEM_USERDATA] ||
4562 nla[NFTA_SET_ELEM_EXPR]))
4566 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4567 if (!(set->flags & NFT_SET_TIMEOUT))
4569 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4573 } else if (set->flags & NFT_SET_TIMEOUT) {
4574 timeout = set->timeout;
4578 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
4579 if (!(set->flags & NFT_SET_TIMEOUT))
4581 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
4587 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4588 nla[NFTA_SET_ELEM_KEY]);
4592 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4595 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4597 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4598 if (timeout != set->timeout)
4599 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4602 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4603 if (!(set->flags & NFT_SET_OBJECT)) {
4607 obj = nft_obj_lookup(ctx->net, ctx->table,
4608 nla[NFTA_SET_ELEM_OBJREF],
4609 set->objtype, genmask);
4614 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4617 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4618 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4619 nla[NFTA_SET_ELEM_DATA]);
4624 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4627 dreg = nft_type_to_reg(set->dtype);
4628 list_for_each_entry(binding, &set->bindings, list) {
4629 struct nft_ctx bind_ctx = {
4631 .family = ctx->family,
4632 .table = ctx->table,
4633 .chain = (struct nft_chain *)binding->chain,
4636 if (!(binding->flags & NFT_SET_MAP))
4639 err = nft_validate_register_store(&bind_ctx, dreg,
4645 if (d2.type == NFT_DATA_VERDICT &&
4646 (data.verdict.code == NFT_GOTO ||
4647 data.verdict.code == NFT_JUMP))
4648 nft_validate_state_update(ctx->net,
4652 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4655 /* The full maximum length of userdata can exceed the maximum
4656 * offset value (U8_MAX) for following extensions, therefor it
4657 * must be the last extension added.
4660 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4661 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4663 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4668 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4669 timeout, expiration, GFP_KERNEL);
4670 if (elem.priv == NULL)
4673 ext = nft_set_elem_ext(set, elem.priv);
4675 *nft_set_ext_flags(ext) = flags;
4677 udata = nft_set_ext_userdata(ext);
4678 udata->len = ulen - 1;
4679 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4682 *nft_set_ext_obj(ext) = obj;
4686 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4690 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4691 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4693 if (err == -EEXIST) {
4694 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4695 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4696 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4697 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4701 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4702 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4703 memcmp(nft_set_ext_data(ext),
4704 nft_set_ext_data(ext2), set->dlen) != 0) ||
4705 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4706 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4707 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4709 else if (!(nlmsg_flags & NLM_F_EXCL))
4716 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4721 nft_trans_elem(trans) = elem;
4722 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4726 set->ops->remove(ctx->net, set, &elem);
4734 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4735 nft_data_release(&data, d2.type);
4737 nft_data_release(&elem.key.val, d1.type);
4742 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4743 struct sk_buff *skb, const struct nlmsghdr *nlh,
4744 const struct nlattr * const nla[],
4745 struct netlink_ext_ack *extack)
4747 u8 genmask = nft_genmask_next(net);
4748 const struct nlattr *attr;
4749 struct nft_set *set;
4753 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4756 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4761 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4762 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4764 return PTR_ERR(set);
4766 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4769 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4770 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4775 if (net->nft.validate_state == NFT_VALIDATE_DO)
4776 return nft_table_validate(net, ctx.table);
4782 * nft_data_hold - hold a nft_data item
4784 * @data: struct nft_data to release
4785 * @type: type of data
4787 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4788 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4789 * NFT_GOTO verdicts. This function must be called on active data objects
4790 * from the second phase of the commit protocol.
4792 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4794 if (type == NFT_DATA_VERDICT) {
4795 switch (data->verdict.code) {
4798 data->verdict.chain->use++;
4804 static void nft_set_elem_activate(const struct net *net,
4805 const struct nft_set *set,
4806 struct nft_set_elem *elem)
4808 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4810 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4811 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4812 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4813 (*nft_set_ext_obj(ext))->use++;
4816 static void nft_set_elem_deactivate(const struct net *net,
4817 const struct nft_set *set,
4818 struct nft_set_elem *elem)
4820 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4822 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4823 nft_data_release(nft_set_ext_data(ext), set->dtype);
4824 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4825 (*nft_set_ext_obj(ext))->use--;
4828 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4829 const struct nlattr *attr)
4831 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4832 struct nft_set_ext_tmpl tmpl;
4833 struct nft_data_desc desc;
4834 struct nft_set_elem elem;
4835 struct nft_set_ext *ext;
4836 struct nft_trans *trans;
4841 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4842 nft_set_elem_policy, NULL);
4847 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4850 nft_set_ext_prepare(&tmpl);
4852 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4856 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4858 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4859 nla[NFTA_SET_ELEM_KEY]);
4864 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4867 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4870 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4872 if (elem.priv == NULL)
4875 ext = nft_set_elem_ext(set, elem.priv);
4877 *nft_set_ext_flags(ext) = flags;
4879 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4880 if (trans == NULL) {
4885 priv = set->ops->deactivate(ctx->net, set, &elem);
4893 nft_set_elem_deactivate(ctx->net, set, &elem);
4895 nft_trans_elem(trans) = elem;
4896 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4904 nft_data_release(&elem.key.val, desc.type);
4909 static int nft_flush_set(const struct nft_ctx *ctx,
4910 struct nft_set *set,
4911 const struct nft_set_iter *iter,
4912 struct nft_set_elem *elem)
4914 struct nft_trans *trans;
4917 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4918 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4922 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4928 nft_set_elem_deactivate(ctx->net, set, elem);
4929 nft_trans_elem_set(trans) = set;
4930 nft_trans_elem(trans) = *elem;
4931 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4939 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4940 struct sk_buff *skb, const struct nlmsghdr *nlh,
4941 const struct nlattr * const nla[],
4942 struct netlink_ext_ack *extack)
4944 u8 genmask = nft_genmask_next(net);
4945 const struct nlattr *attr;
4946 struct nft_set *set;
4950 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4955 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4957 return PTR_ERR(set);
4958 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4961 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4962 struct nft_set_iter iter = {
4964 .fn = nft_flush_set,
4966 set->ops->walk(&ctx, set, &iter);
4971 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4972 err = nft_del_setelem(&ctx, set, attr);
4981 void nft_set_gc_batch_release(struct rcu_head *rcu)
4983 struct nft_set_gc_batch *gcb;
4986 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4987 for (i = 0; i < gcb->head.cnt; i++)
4988 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4991 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4993 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4996 struct nft_set_gc_batch *gcb;
4998 gcb = kzalloc(sizeof(*gcb), gfp);
5001 gcb->head.set = set;
5004 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
5011 * nft_register_obj- register nf_tables stateful object type
5014 * Registers the object type for use with nf_tables. Returns zero on
5015 * success or a negative errno code otherwise.
5017 int nft_register_obj(struct nft_object_type *obj_type)
5019 if (obj_type->type == NFT_OBJECT_UNSPEC)
5022 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5023 list_add_rcu(&obj_type->list, &nf_tables_objects);
5024 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5027 EXPORT_SYMBOL_GPL(nft_register_obj);
5030 * nft_unregister_obj - unregister nf_tables object type
5033 * Unregisters the object type for use with nf_tables.
5035 void nft_unregister_obj(struct nft_object_type *obj_type)
5037 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5038 list_del_rcu(&obj_type->list);
5039 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5041 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5043 struct nft_object *nft_obj_lookup(const struct net *net,
5044 const struct nft_table *table,
5045 const struct nlattr *nla, u32 objtype,
5048 struct nft_object_hash_key k = { .table = table };
5049 char search[NFT_OBJ_MAXNAMELEN];
5050 struct rhlist_head *tmp, *list;
5051 struct nft_object *obj;
5053 nla_strlcpy(search, nla, sizeof(search));
5056 WARN_ON_ONCE(!rcu_read_lock_held() &&
5057 !lockdep_commit_lock_is_held(net));
5060 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5064 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5065 if (objtype == obj->ops->type->type &&
5066 nft_active_genmask(obj, genmask)) {
5073 return ERR_PTR(-ENOENT);
5075 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5077 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5078 const struct nlattr *nla,
5079 u32 objtype, u8 genmask)
5081 struct nft_object *obj;
5083 list_for_each_entry(obj, &table->objects, list) {
5084 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5085 objtype == obj->ops->type->type &&
5086 nft_active_genmask(obj, genmask))
5089 return ERR_PTR(-ENOENT);
5092 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5093 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5094 .len = NFT_TABLE_MAXNAMELEN - 1 },
5095 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5096 .len = NFT_OBJ_MAXNAMELEN - 1 },
5097 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5098 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5099 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5102 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5103 const struct nft_object_type *type,
5104 const struct nlattr *attr)
5107 const struct nft_object_ops *ops;
5108 struct nft_object *obj;
5111 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5116 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5117 type->policy, NULL);
5121 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5124 if (type->select_ops) {
5125 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5135 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5139 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5152 return ERR_PTR(err);
5155 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5156 struct nft_object *obj, bool reset)
5158 struct nlattr *nest;
5160 nest = nla_nest_start_noflag(skb, attr);
5162 goto nla_put_failure;
5163 if (obj->ops->dump(skb, obj, reset) < 0)
5164 goto nla_put_failure;
5165 nla_nest_end(skb, nest);
5172 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5174 const struct nft_object_type *type;
5176 list_for_each_entry(type, &nf_tables_objects, list) {
5177 if (objtype == type->type)
5183 static const struct nft_object_type *
5184 nft_obj_type_get(struct net *net, u32 objtype)
5186 const struct nft_object_type *type;
5188 type = __nft_obj_type_get(objtype);
5189 if (type != NULL && try_module_get(type->owner))
5192 lockdep_nfnl_nft_mutex_not_held();
5193 #ifdef CONFIG_MODULES
5195 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5196 return ERR_PTR(-EAGAIN);
5199 return ERR_PTR(-ENOENT);
5202 static int nf_tables_updobj(const struct nft_ctx *ctx,
5203 const struct nft_object_type *type,
5204 const struct nlattr *attr,
5205 struct nft_object *obj)
5207 struct nft_object *newobj;
5208 struct nft_trans *trans;
5211 if (!try_module_get(type->owner))
5214 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5215 sizeof(struct nft_trans_obj));
5219 newobj = nft_obj_init(ctx, type, attr);
5220 if (IS_ERR(newobj)) {
5221 err = PTR_ERR(newobj);
5222 goto err_free_trans;
5225 nft_trans_obj(trans) = obj;
5226 nft_trans_obj_update(trans) = true;
5227 nft_trans_obj_newobj(trans) = newobj;
5228 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5235 module_put(type->owner);
5239 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5240 struct sk_buff *skb, const struct nlmsghdr *nlh,
5241 const struct nlattr * const nla[],
5242 struct netlink_ext_ack *extack)
5244 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5245 const struct nft_object_type *type;
5246 u8 genmask = nft_genmask_next(net);
5247 int family = nfmsg->nfgen_family;
5248 struct nft_table *table;
5249 struct nft_object *obj;
5254 if (!nla[NFTA_OBJ_TYPE] ||
5255 !nla[NFTA_OBJ_NAME] ||
5256 !nla[NFTA_OBJ_DATA])
5259 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5260 if (IS_ERR(table)) {
5261 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5262 return PTR_ERR(table);
5265 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5266 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5269 if (err != -ENOENT) {
5270 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5274 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5275 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5278 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5281 type = __nft_obj_type_get(objtype);
5282 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5284 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5287 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5289 type = nft_obj_type_get(net, objtype);
5291 return PTR_ERR(type);
5293 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5298 obj->key.table = table;
5299 obj->handle = nf_tables_alloc_handle(table);
5301 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5302 if (!obj->key.name) {
5307 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5311 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5312 nft_objname_ht_params);
5316 list_add_tail_rcu(&obj->list, &table->objects);
5320 /* queued in transaction log */
5321 INIT_LIST_HEAD(&obj->list);
5324 kfree(obj->key.name);
5326 if (obj->ops->destroy)
5327 obj->ops->destroy(&ctx, obj);
5330 module_put(type->owner);
5334 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5335 u32 portid, u32 seq, int event, u32 flags,
5336 int family, const struct nft_table *table,
5337 struct nft_object *obj, bool reset)
5339 struct nfgenmsg *nfmsg;
5340 struct nlmsghdr *nlh;
5342 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5343 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5345 goto nla_put_failure;
5347 nfmsg = nlmsg_data(nlh);
5348 nfmsg->nfgen_family = family;
5349 nfmsg->version = NFNETLINK_V0;
5350 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5352 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5353 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5354 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5355 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5356 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5357 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5359 goto nla_put_failure;
5361 nlmsg_end(skb, nlh);
5365 nlmsg_trim(skb, nlh);
5369 struct nft_obj_filter {
5374 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5376 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5377 const struct nft_table *table;
5378 unsigned int idx = 0, s_idx = cb->args[0];
5379 struct nft_obj_filter *filter = cb->data;
5380 struct net *net = sock_net(skb->sk);
5381 int family = nfmsg->nfgen_family;
5382 struct nft_object *obj;
5385 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5389 cb->seq = net->nft.base_seq;
5391 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5392 if (family != NFPROTO_UNSPEC && family != table->family)
5395 list_for_each_entry_rcu(obj, &table->objects, list) {
5396 if (!nft_is_active(net, obj))
5401 memset(&cb->args[1], 0,
5402 sizeof(cb->args) - sizeof(cb->args[0]));
5403 if (filter && filter->table &&
5404 strcmp(filter->table, table->name))
5407 filter->type != NFT_OBJECT_UNSPEC &&
5408 obj->ops->type->type != filter->type)
5411 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5414 NLM_F_MULTI | NLM_F_APPEND,
5415 table->family, table,
5419 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5431 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5433 const struct nlattr * const *nla = cb->data;
5434 struct nft_obj_filter *filter = NULL;
5436 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5437 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5441 if (nla[NFTA_OBJ_TABLE]) {
5442 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5443 if (!filter->table) {
5449 if (nla[NFTA_OBJ_TYPE])
5450 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5457 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5459 struct nft_obj_filter *filter = cb->data;
5462 kfree(filter->table);
5469 /* called with rcu_read_lock held */
5470 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5471 struct sk_buff *skb, const struct nlmsghdr *nlh,
5472 const struct nlattr * const nla[],
5473 struct netlink_ext_ack *extack)
5475 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5476 u8 genmask = nft_genmask_cur(net);
5477 int family = nfmsg->nfgen_family;
5478 const struct nft_table *table;
5479 struct nft_object *obj;
5480 struct sk_buff *skb2;
5485 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5486 struct netlink_dump_control c = {
5487 .start = nf_tables_dump_obj_start,
5488 .dump = nf_tables_dump_obj,
5489 .done = nf_tables_dump_obj_done,
5490 .module = THIS_MODULE,
5491 .data = (void *)nla,
5494 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5497 if (!nla[NFTA_OBJ_NAME] ||
5498 !nla[NFTA_OBJ_TYPE])
5501 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5502 if (IS_ERR(table)) {
5503 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5504 return PTR_ERR(table);
5507 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5508 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5510 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5511 return PTR_ERR(obj);
5514 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5518 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5521 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5522 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5523 family, table, obj, reset);
5525 goto err_fill_obj_info;
5527 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
5534 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5536 if (obj->ops->destroy)
5537 obj->ops->destroy(ctx, obj);
5539 module_put(obj->ops->type->owner);
5540 kfree(obj->key.name);
5544 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5545 struct sk_buff *skb, const struct nlmsghdr *nlh,
5546 const struct nlattr * const nla[],
5547 struct netlink_ext_ack *extack)
5549 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5550 u8 genmask = nft_genmask_next(net);
5551 int family = nfmsg->nfgen_family;
5552 const struct nlattr *attr;
5553 struct nft_table *table;
5554 struct nft_object *obj;
5558 if (!nla[NFTA_OBJ_TYPE] ||
5559 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5562 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5563 if (IS_ERR(table)) {
5564 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5565 return PTR_ERR(table);
5568 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5569 if (nla[NFTA_OBJ_HANDLE]) {
5570 attr = nla[NFTA_OBJ_HANDLE];
5571 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5573 attr = nla[NFTA_OBJ_NAME];
5574 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5578 NL_SET_BAD_ATTR(extack, attr);
5579 return PTR_ERR(obj);
5582 NL_SET_BAD_ATTR(extack, attr);
5586 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5588 return nft_delobj(&ctx, obj);
5591 void nft_obj_notify(struct net *net, const struct nft_table *table,
5592 struct nft_object *obj, u32 portid, u32 seq, int event,
5593 int family, int report, gfp_t gfp)
5595 struct sk_buff *skb;
5599 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5602 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5606 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5613 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5616 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5618 EXPORT_SYMBOL_GPL(nft_obj_notify);
5620 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5621 struct nft_object *obj, int event)
5623 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5624 ctx->family, ctx->report, GFP_KERNEL);
5630 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5632 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5633 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5634 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5636 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5638 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5640 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5641 list_del_rcu(&type->list);
5642 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5644 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5646 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5647 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5648 .len = NFT_NAME_MAXLEN - 1 },
5649 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5650 .len = NFT_NAME_MAXLEN - 1 },
5651 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5652 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5655 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5656 const struct nlattr *nla, u8 genmask)
5658 struct nft_flowtable *flowtable;
5660 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5661 if (!nla_strcmp(nla, flowtable->name) &&
5662 nft_active_genmask(flowtable, genmask))
5665 return ERR_PTR(-ENOENT);
5667 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5669 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
5670 struct nft_flowtable *flowtable,
5671 enum nft_trans_phase phase)
5674 case NFT_TRANS_PREPARE:
5675 case NFT_TRANS_ABORT:
5676 case NFT_TRANS_RELEASE:
5683 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
5685 static struct nft_flowtable *
5686 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5687 const struct nlattr *nla, u8 genmask)
5689 struct nft_flowtable *flowtable;
5691 list_for_each_entry(flowtable, &table->flowtables, list) {
5692 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5693 nft_active_genmask(flowtable, genmask))
5696 return ERR_PTR(-ENOENT);
5699 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5700 const struct nlattr *attr,
5701 struct net_device *dev_array[], int *len)
5703 const struct nlattr *tmp;
5704 struct net_device *dev;
5705 char ifname[IFNAMSIZ];
5706 int rem, n = 0, err;
5708 nla_for_each_nested(tmp, attr, rem) {
5709 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5714 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5715 dev = __dev_get_by_name(ctx->net, ifname);
5721 dev_array[n++] = dev;
5722 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5736 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5737 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5738 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5739 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5742 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5743 const struct nlattr *attr,
5744 struct nft_flowtable *flowtable)
5746 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5747 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5748 struct nf_hook_ops *ops;
5749 int hooknum, priority;
5752 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5753 nft_flowtable_hook_policy, NULL);
5757 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5758 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5759 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5762 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5763 if (hooknum != NF_NETDEV_INGRESS)
5766 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5768 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5773 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5777 flowtable->hooknum = hooknum;
5778 flowtable->priority = priority;
5779 flowtable->ops = ops;
5780 flowtable->ops_len = n;
5782 for (i = 0; i < n; i++) {
5783 flowtable->ops[i].pf = NFPROTO_NETDEV;
5784 flowtable->ops[i].hooknum = hooknum;
5785 flowtable->ops[i].priority = priority;
5786 flowtable->ops[i].priv = &flowtable->data;
5787 flowtable->ops[i].hook = flowtable->data.type->hook;
5788 flowtable->ops[i].dev = dev_array[i];
5794 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5796 const struct nf_flowtable_type *type;
5798 list_for_each_entry(type, &nf_tables_flowtables, list) {
5799 if (family == type->family)
5805 static const struct nf_flowtable_type *
5806 nft_flowtable_type_get(struct net *net, u8 family)
5808 const struct nf_flowtable_type *type;
5810 type = __nft_flowtable_type_get(family);
5811 if (type != NULL && try_module_get(type->owner))
5814 lockdep_nfnl_nft_mutex_not_held();
5815 #ifdef CONFIG_MODULES
5817 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
5818 return ERR_PTR(-EAGAIN);
5821 return ERR_PTR(-ENOENT);
5824 static void nft_unregister_flowtable_net_hooks(struct net *net,
5825 struct nft_flowtable *flowtable)
5829 for (i = 0; i < flowtable->ops_len; i++) {
5830 if (!flowtable->ops[i].dev)
5833 nf_unregister_net_hook(net, &flowtable->ops[i]);
5837 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5838 struct sk_buff *skb,
5839 const struct nlmsghdr *nlh,
5840 const struct nlattr * const nla[],
5841 struct netlink_ext_ack *extack)
5843 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5844 const struct nf_flowtable_type *type;
5845 struct nft_flowtable *flowtable, *ft;
5846 u8 genmask = nft_genmask_next(net);
5847 int family = nfmsg->nfgen_family;
5848 struct nft_table *table;
5852 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5853 !nla[NFTA_FLOWTABLE_NAME] ||
5854 !nla[NFTA_FLOWTABLE_HOOK])
5857 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5859 if (IS_ERR(table)) {
5860 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5861 return PTR_ERR(table);
5864 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5866 if (IS_ERR(flowtable)) {
5867 err = PTR_ERR(flowtable);
5868 if (err != -ENOENT) {
5869 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5873 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5874 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5881 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5883 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5887 flowtable->table = table;
5888 flowtable->handle = nf_tables_alloc_handle(table);
5890 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5891 if (!flowtable->name) {
5896 type = nft_flowtable_type_get(net, family);
5898 err = PTR_ERR(type);
5902 flowtable->data.type = type;
5903 err = type->init(&flowtable->data);
5907 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5912 for (i = 0; i < flowtable->ops_len; i++) {
5913 if (!flowtable->ops[i].dev)
5916 list_for_each_entry(ft, &table->flowtables, list) {
5917 for (k = 0; k < ft->ops_len; k++) {
5918 if (!ft->ops[k].dev)
5921 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5922 flowtable->ops[i].pf == ft->ops[k].pf) {
5929 err = nf_register_net_hook(net, &flowtable->ops[i]);
5934 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5938 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5943 i = flowtable->ops_len;
5945 for (k = i - 1; k >= 0; k--)
5946 nf_unregister_net_hook(net, &flowtable->ops[k]);
5948 kfree(flowtable->ops);
5950 flowtable->data.type->free(&flowtable->data);
5952 module_put(type->owner);
5954 kfree(flowtable->name);
5960 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5961 struct sk_buff *skb,
5962 const struct nlmsghdr *nlh,
5963 const struct nlattr * const nla[],
5964 struct netlink_ext_ack *extack)
5966 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5967 u8 genmask = nft_genmask_next(net);
5968 int family = nfmsg->nfgen_family;
5969 struct nft_flowtable *flowtable;
5970 const struct nlattr *attr;
5971 struct nft_table *table;
5974 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5975 (!nla[NFTA_FLOWTABLE_NAME] &&
5976 !nla[NFTA_FLOWTABLE_HANDLE]))
5979 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5981 if (IS_ERR(table)) {
5982 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5983 return PTR_ERR(table);
5986 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5987 attr = nla[NFTA_FLOWTABLE_HANDLE];
5988 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5990 attr = nla[NFTA_FLOWTABLE_NAME];
5991 flowtable = nft_flowtable_lookup(table, attr, genmask);
5994 if (IS_ERR(flowtable)) {
5995 NL_SET_BAD_ATTR(extack, attr);
5996 return PTR_ERR(flowtable);
5998 if (flowtable->use > 0) {
5999 NL_SET_BAD_ATTR(extack, attr);
6003 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6005 return nft_delflowtable(&ctx, flowtable);
6008 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6009 u32 portid, u32 seq, int event,
6010 u32 flags, int family,
6011 struct nft_flowtable *flowtable)
6013 struct nlattr *nest, *nest_devs;
6014 struct nfgenmsg *nfmsg;
6015 struct nlmsghdr *nlh;
6018 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6019 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6021 goto nla_put_failure;
6023 nfmsg = nlmsg_data(nlh);
6024 nfmsg->nfgen_family = family;
6025 nfmsg->version = NFNETLINK_V0;
6026 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6028 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6029 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6030 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6031 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6032 NFTA_FLOWTABLE_PAD))
6033 goto nla_put_failure;
6035 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6037 goto nla_put_failure;
6038 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6039 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
6040 goto nla_put_failure;
6042 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6044 goto nla_put_failure;
6046 for (i = 0; i < flowtable->ops_len; i++) {
6047 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
6050 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
6051 goto nla_put_failure;
6053 nla_nest_end(skb, nest_devs);
6054 nla_nest_end(skb, nest);
6056 nlmsg_end(skb, nlh);
6060 nlmsg_trim(skb, nlh);
6064 struct nft_flowtable_filter {
6068 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6069 struct netlink_callback *cb)
6071 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6072 struct nft_flowtable_filter *filter = cb->data;
6073 unsigned int idx = 0, s_idx = cb->args[0];
6074 struct net *net = sock_net(skb->sk);
6075 int family = nfmsg->nfgen_family;
6076 struct nft_flowtable *flowtable;
6077 const struct nft_table *table;
6080 cb->seq = net->nft.base_seq;
6082 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6083 if (family != NFPROTO_UNSPEC && family != table->family)
6086 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6087 if (!nft_is_active(net, flowtable))
6092 memset(&cb->args[1], 0,
6093 sizeof(cb->args) - sizeof(cb->args[0]));
6094 if (filter && filter->table &&
6095 strcmp(filter->table, table->name))
6098 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6100 NFT_MSG_NEWFLOWTABLE,
6101 NLM_F_MULTI | NLM_F_APPEND,
6102 table->family, flowtable) < 0)
6105 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6117 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6119 const struct nlattr * const *nla = cb->data;
6120 struct nft_flowtable_filter *filter = NULL;
6122 if (nla[NFTA_FLOWTABLE_TABLE]) {
6123 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6127 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6129 if (!filter->table) {
6139 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6141 struct nft_flowtable_filter *filter = cb->data;
6146 kfree(filter->table);
6152 /* called with rcu_read_lock held */
6153 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6154 struct sk_buff *skb,
6155 const struct nlmsghdr *nlh,
6156 const struct nlattr * const nla[],
6157 struct netlink_ext_ack *extack)
6159 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6160 u8 genmask = nft_genmask_cur(net);
6161 int family = nfmsg->nfgen_family;
6162 struct nft_flowtable *flowtable;
6163 const struct nft_table *table;
6164 struct sk_buff *skb2;
6167 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6168 struct netlink_dump_control c = {
6169 .start = nf_tables_dump_flowtable_start,
6170 .dump = nf_tables_dump_flowtable,
6171 .done = nf_tables_dump_flowtable_done,
6172 .module = THIS_MODULE,
6173 .data = (void *)nla,
6176 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6179 if (!nla[NFTA_FLOWTABLE_NAME])
6182 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6185 return PTR_ERR(table);
6187 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6189 if (IS_ERR(flowtable))
6190 return PTR_ERR(flowtable);
6192 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6196 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6198 NFT_MSG_NEWFLOWTABLE, 0, family,
6201 goto err_fill_flowtable_info;
6203 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6205 err_fill_flowtable_info:
6210 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6211 struct nft_flowtable *flowtable,
6214 struct sk_buff *skb;
6218 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6221 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6225 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6227 ctx->family, flowtable);
6233 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6234 ctx->report, GFP_KERNEL);
6237 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6240 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6242 kfree(flowtable->ops);
6243 kfree(flowtable->name);
6244 flowtable->data.type->free(&flowtable->data);
6245 module_put(flowtable->data.type->owner);
6249 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6250 u32 portid, u32 seq)
6252 struct nlmsghdr *nlh;
6253 struct nfgenmsg *nfmsg;
6254 char buf[TASK_COMM_LEN];
6255 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6257 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6259 goto nla_put_failure;
6261 nfmsg = nlmsg_data(nlh);
6262 nfmsg->nfgen_family = AF_UNSPEC;
6263 nfmsg->version = NFNETLINK_V0;
6264 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6266 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6267 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6268 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6269 goto nla_put_failure;
6271 nlmsg_end(skb, nlh);
6275 nlmsg_trim(skb, nlh);
6279 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6280 struct nft_flowtable *flowtable)
6284 for (i = 0; i < flowtable->ops_len; i++) {
6285 if (flowtable->ops[i].dev != dev)
6288 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6289 flowtable->ops[i].dev = NULL;
6294 static int nf_tables_flowtable_event(struct notifier_block *this,
6295 unsigned long event, void *ptr)
6297 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6298 struct nft_flowtable *flowtable;
6299 struct nft_table *table;
6302 if (event != NETDEV_UNREGISTER)
6306 mutex_lock(&net->nft.commit_mutex);
6307 list_for_each_entry(table, &net->nft.tables, list) {
6308 list_for_each_entry(flowtable, &table->flowtables, list) {
6309 nft_flowtable_event(event, dev, flowtable);
6312 mutex_unlock(&net->nft.commit_mutex);
6317 static struct notifier_block nf_tables_flowtable_notifier = {
6318 .notifier_call = nf_tables_flowtable_event,
6321 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6324 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6325 struct sk_buff *skb2;
6328 if (nlmsg_report(nlh) &&
6329 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6332 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6336 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6343 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6344 nlmsg_report(nlh), GFP_KERNEL);
6347 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6351 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6352 struct sk_buff *skb, const struct nlmsghdr *nlh,
6353 const struct nlattr * const nla[],
6354 struct netlink_ext_ack *extack)
6356 struct sk_buff *skb2;
6359 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6363 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6366 goto err_fill_gen_info;
6368 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6375 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6376 [NFT_MSG_NEWTABLE] = {
6377 .call_batch = nf_tables_newtable,
6378 .attr_count = NFTA_TABLE_MAX,
6379 .policy = nft_table_policy,
6381 [NFT_MSG_GETTABLE] = {
6382 .call_rcu = nf_tables_gettable,
6383 .attr_count = NFTA_TABLE_MAX,
6384 .policy = nft_table_policy,
6386 [NFT_MSG_DELTABLE] = {
6387 .call_batch = nf_tables_deltable,
6388 .attr_count = NFTA_TABLE_MAX,
6389 .policy = nft_table_policy,
6391 [NFT_MSG_NEWCHAIN] = {
6392 .call_batch = nf_tables_newchain,
6393 .attr_count = NFTA_CHAIN_MAX,
6394 .policy = nft_chain_policy,
6396 [NFT_MSG_GETCHAIN] = {
6397 .call_rcu = nf_tables_getchain,
6398 .attr_count = NFTA_CHAIN_MAX,
6399 .policy = nft_chain_policy,
6401 [NFT_MSG_DELCHAIN] = {
6402 .call_batch = nf_tables_delchain,
6403 .attr_count = NFTA_CHAIN_MAX,
6404 .policy = nft_chain_policy,
6406 [NFT_MSG_NEWRULE] = {
6407 .call_batch = nf_tables_newrule,
6408 .attr_count = NFTA_RULE_MAX,
6409 .policy = nft_rule_policy,
6411 [NFT_MSG_GETRULE] = {
6412 .call_rcu = nf_tables_getrule,
6413 .attr_count = NFTA_RULE_MAX,
6414 .policy = nft_rule_policy,
6416 [NFT_MSG_DELRULE] = {
6417 .call_batch = nf_tables_delrule,
6418 .attr_count = NFTA_RULE_MAX,
6419 .policy = nft_rule_policy,
6421 [NFT_MSG_NEWSET] = {
6422 .call_batch = nf_tables_newset,
6423 .attr_count = NFTA_SET_MAX,
6424 .policy = nft_set_policy,
6426 [NFT_MSG_GETSET] = {
6427 .call_rcu = nf_tables_getset,
6428 .attr_count = NFTA_SET_MAX,
6429 .policy = nft_set_policy,
6431 [NFT_MSG_DELSET] = {
6432 .call_batch = nf_tables_delset,
6433 .attr_count = NFTA_SET_MAX,
6434 .policy = nft_set_policy,
6436 [NFT_MSG_NEWSETELEM] = {
6437 .call_batch = nf_tables_newsetelem,
6438 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6439 .policy = nft_set_elem_list_policy,
6441 [NFT_MSG_GETSETELEM] = {
6442 .call_rcu = nf_tables_getsetelem,
6443 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6444 .policy = nft_set_elem_list_policy,
6446 [NFT_MSG_DELSETELEM] = {
6447 .call_batch = nf_tables_delsetelem,
6448 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6449 .policy = nft_set_elem_list_policy,
6451 [NFT_MSG_GETGEN] = {
6452 .call_rcu = nf_tables_getgen,
6454 [NFT_MSG_NEWOBJ] = {
6455 .call_batch = nf_tables_newobj,
6456 .attr_count = NFTA_OBJ_MAX,
6457 .policy = nft_obj_policy,
6459 [NFT_MSG_GETOBJ] = {
6460 .call_rcu = nf_tables_getobj,
6461 .attr_count = NFTA_OBJ_MAX,
6462 .policy = nft_obj_policy,
6464 [NFT_MSG_DELOBJ] = {
6465 .call_batch = nf_tables_delobj,
6466 .attr_count = NFTA_OBJ_MAX,
6467 .policy = nft_obj_policy,
6469 [NFT_MSG_GETOBJ_RESET] = {
6470 .call_rcu = nf_tables_getobj,
6471 .attr_count = NFTA_OBJ_MAX,
6472 .policy = nft_obj_policy,
6474 [NFT_MSG_NEWFLOWTABLE] = {
6475 .call_batch = nf_tables_newflowtable,
6476 .attr_count = NFTA_FLOWTABLE_MAX,
6477 .policy = nft_flowtable_policy,
6479 [NFT_MSG_GETFLOWTABLE] = {
6480 .call_rcu = nf_tables_getflowtable,
6481 .attr_count = NFTA_FLOWTABLE_MAX,
6482 .policy = nft_flowtable_policy,
6484 [NFT_MSG_DELFLOWTABLE] = {
6485 .call_batch = nf_tables_delflowtable,
6486 .attr_count = NFTA_FLOWTABLE_MAX,
6487 .policy = nft_flowtable_policy,
6491 static int nf_tables_validate(struct net *net)
6493 struct nft_table *table;
6495 switch (net->nft.validate_state) {
6496 case NFT_VALIDATE_SKIP:
6498 case NFT_VALIDATE_NEED:
6499 nft_validate_state_update(net, NFT_VALIDATE_DO);
6501 case NFT_VALIDATE_DO:
6502 list_for_each_entry(table, &net->nft.tables, list) {
6503 if (nft_table_validate(net, table) < 0)
6507 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6514 /* a drop policy has to be deferred until all rules have been activated,
6515 * otherwise a large ruleset that contains a drop-policy base chain will
6516 * cause all packets to get dropped until the full transaction has been
6519 * We defer the drop policy until the transaction has been finalized.
6521 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6523 struct nft_base_chain *basechain;
6525 if (nft_trans_chain_policy(trans) != NF_DROP)
6528 if (!nft_is_base_chain(trans->ctx.chain))
6531 basechain = nft_base_chain(trans->ctx.chain);
6532 basechain->policy = NF_DROP;
6535 static void nft_chain_commit_update(struct nft_trans *trans)
6537 struct nft_base_chain *basechain;
6539 if (nft_trans_chain_name(trans)) {
6540 rhltable_remove(&trans->ctx.table->chains_ht,
6541 &trans->ctx.chain->rhlhead,
6542 nft_chain_ht_params);
6543 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6544 rhltable_insert_key(&trans->ctx.table->chains_ht,
6545 trans->ctx.chain->name,
6546 &trans->ctx.chain->rhlhead,
6547 nft_chain_ht_params);
6550 if (!nft_is_base_chain(trans->ctx.chain))
6553 nft_chain_stats_replace(trans);
6555 basechain = nft_base_chain(trans->ctx.chain);
6557 switch (nft_trans_chain_policy(trans)) {
6560 basechain->policy = nft_trans_chain_policy(trans);
6565 static void nft_obj_commit_update(struct nft_trans *trans)
6567 struct nft_object *newobj;
6568 struct nft_object *obj;
6570 obj = nft_trans_obj(trans);
6571 newobj = nft_trans_obj_newobj(trans);
6573 if (obj->ops->update)
6574 obj->ops->update(obj, newobj);
6576 nft_obj_destroy(&trans->ctx, newobj);
6579 static void nft_commit_release(struct nft_trans *trans)
6581 switch (trans->msg_type) {
6582 case NFT_MSG_DELTABLE:
6583 nf_tables_table_destroy(&trans->ctx);
6585 case NFT_MSG_NEWCHAIN:
6586 free_percpu(nft_trans_chain_stats(trans));
6587 kfree(nft_trans_chain_name(trans));
6589 case NFT_MSG_DELCHAIN:
6590 nf_tables_chain_destroy(&trans->ctx);
6592 case NFT_MSG_DELRULE:
6593 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6595 case NFT_MSG_DELSET:
6596 nft_set_destroy(nft_trans_set(trans));
6598 case NFT_MSG_DELSETELEM:
6599 nf_tables_set_elem_destroy(&trans->ctx,
6600 nft_trans_elem_set(trans),
6601 nft_trans_elem(trans).priv);
6603 case NFT_MSG_DELOBJ:
6604 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6606 case NFT_MSG_DELFLOWTABLE:
6607 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6612 put_net(trans->ctx.net);
6617 static void nf_tables_trans_destroy_work(struct work_struct *w)
6619 struct nft_trans *trans, *next;
6622 spin_lock(&nf_tables_destroy_list_lock);
6623 list_splice_init(&nf_tables_destroy_list, &head);
6624 spin_unlock(&nf_tables_destroy_list_lock);
6626 if (list_empty(&head))
6631 list_for_each_entry_safe(trans, next, &head, list) {
6632 list_del(&trans->list);
6633 nft_commit_release(trans);
6637 void nf_tables_trans_destroy_flush_work(void)
6639 flush_work(&trans_destroy_work);
6641 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
6643 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6645 struct nft_rule *rule;
6646 unsigned int alloc = 0;
6649 /* already handled or inactive chain? */
6650 if (chain->rules_next || !nft_is_active_next(net, chain))
6653 rule = list_entry(&chain->rules, struct nft_rule, list);
6656 list_for_each_entry_continue(rule, &chain->rules, list) {
6657 if (nft_is_active_next(net, rule))
6661 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6662 if (!chain->rules_next)
6665 list_for_each_entry_continue(rule, &chain->rules, list) {
6666 if (nft_is_active_next(net, rule))
6667 chain->rules_next[i++] = rule;
6670 chain->rules_next[i] = NULL;
6674 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6676 struct nft_trans *trans, *next;
6678 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6679 struct nft_chain *chain = trans->ctx.chain;
6681 if (trans->msg_type == NFT_MSG_NEWRULE ||
6682 trans->msg_type == NFT_MSG_DELRULE) {
6683 kvfree(chain->rules_next);
6684 chain->rules_next = NULL;
6689 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6691 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6696 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6698 struct nft_rule **r = rules;
6699 struct nft_rules_old *old;
6704 r++; /* rcu_head is after end marker */
6708 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6711 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6713 struct nft_rule **g0, **g1;
6716 next_genbit = nft_gencursor_next(net);
6718 g0 = rcu_dereference_protected(chain->rules_gen_0,
6719 lockdep_commit_lock_is_held(net));
6720 g1 = rcu_dereference_protected(chain->rules_gen_1,
6721 lockdep_commit_lock_is_held(net));
6723 /* No changes to this chain? */
6724 if (chain->rules_next == NULL) {
6725 /* chain had no change in last or next generation */
6729 * chain had no change in this generation; make sure next
6730 * one uses same rules as current generation.
6733 rcu_assign_pointer(chain->rules_gen_1, g0);
6734 nf_tables_commit_chain_free_rules_old(g1);
6736 rcu_assign_pointer(chain->rules_gen_0, g1);
6737 nf_tables_commit_chain_free_rules_old(g0);
6744 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6746 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6748 chain->rules_next = NULL;
6754 nf_tables_commit_chain_free_rules_old(g1);
6756 nf_tables_commit_chain_free_rules_old(g0);
6759 static void nft_obj_del(struct nft_object *obj)
6761 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6762 list_del_rcu(&obj->list);
6765 static void nft_chain_del(struct nft_chain *chain)
6767 struct nft_table *table = chain->table;
6769 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6770 nft_chain_ht_params));
6771 list_del_rcu(&chain->list);
6774 static void nf_tables_module_autoload_cleanup(struct net *net)
6776 struct nft_module_request *req, *next;
6778 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6779 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
6780 WARN_ON_ONCE(!req->done);
6781 list_del(&req->list);
6786 static void nf_tables_commit_release(struct net *net)
6788 struct nft_trans *trans;
6790 /* all side effects have to be made visible.
6791 * For example, if a chain named 'foo' has been deleted, a
6792 * new transaction must not find it anymore.
6794 * Memory reclaim happens asynchronously from work queue
6795 * to prevent expensive synchronize_rcu() in commit phase.
6797 if (list_empty(&net->nft.commit_list)) {
6798 nf_tables_module_autoload_cleanup(net);
6799 mutex_unlock(&net->nft.commit_mutex);
6803 trans = list_last_entry(&net->nft.commit_list,
6804 struct nft_trans, list);
6805 get_net(trans->ctx.net);
6806 WARN_ON_ONCE(trans->put_net);
6808 trans->put_net = true;
6809 spin_lock(&nf_tables_destroy_list_lock);
6810 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6811 spin_unlock(&nf_tables_destroy_list_lock);
6813 nf_tables_module_autoload_cleanup(net);
6814 schedule_work(&trans_destroy_work);
6816 mutex_unlock(&net->nft.commit_mutex);
6819 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6821 struct nft_trans *trans, *next;
6822 struct nft_trans_elem *te;
6823 struct nft_chain *chain;
6824 struct nft_table *table;
6827 if (list_empty(&net->nft.commit_list)) {
6828 mutex_unlock(&net->nft.commit_mutex);
6832 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6833 if (nf_tables_validate(net) < 0)
6836 err = nft_flow_rule_offload_commit(net);
6840 /* 1. Allocate space for next generation rules_gen_X[] */
6841 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6844 if (trans->msg_type == NFT_MSG_NEWRULE ||
6845 trans->msg_type == NFT_MSG_DELRULE) {
6846 chain = trans->ctx.chain;
6848 ret = nf_tables_commit_chain_prepare(net, chain);
6850 nf_tables_commit_chain_prepare_cancel(net);
6856 /* step 2. Make rules_gen_X visible to packet path */
6857 list_for_each_entry(table, &net->nft.tables, list) {
6858 list_for_each_entry(chain, &table->chains, list)
6859 nf_tables_commit_chain(net, chain);
6863 * Bump generation counter, invalidate any dump in progress.
6864 * Cannot fail after this point.
6866 while (++net->nft.base_seq == 0);
6868 /* step 3. Start new generation, rules_gen_X now in use. */
6869 net->nft.gencursor = nft_gencursor_next(net);
6871 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6872 switch (trans->msg_type) {
6873 case NFT_MSG_NEWTABLE:
6874 if (nft_trans_table_update(trans)) {
6875 if (!nft_trans_table_enable(trans)) {
6876 nf_tables_table_disable(net,
6878 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6881 nft_clear(net, trans->ctx.table);
6883 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6884 nft_trans_destroy(trans);
6886 case NFT_MSG_DELTABLE:
6887 list_del_rcu(&trans->ctx.table->list);
6888 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6890 case NFT_MSG_NEWCHAIN:
6891 if (nft_trans_chain_update(trans)) {
6892 nft_chain_commit_update(trans);
6893 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6894 /* trans destroyed after rcu grace period */
6896 nft_chain_commit_drop_policy(trans);
6897 nft_clear(net, trans->ctx.chain);
6898 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6899 nft_trans_destroy(trans);
6902 case NFT_MSG_DELCHAIN:
6903 nft_chain_del(trans->ctx.chain);
6904 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6905 nf_tables_unregister_hook(trans->ctx.net,
6909 case NFT_MSG_NEWRULE:
6910 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6911 nf_tables_rule_notify(&trans->ctx,
6912 nft_trans_rule(trans),
6914 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
6915 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
6917 nft_trans_destroy(trans);
6919 case NFT_MSG_DELRULE:
6920 list_del_rcu(&nft_trans_rule(trans)->list);
6921 nf_tables_rule_notify(&trans->ctx,
6922 nft_trans_rule(trans),
6924 nft_rule_expr_deactivate(&trans->ctx,
6925 nft_trans_rule(trans),
6928 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
6929 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
6931 case NFT_MSG_NEWSET:
6932 nft_clear(net, nft_trans_set(trans));
6933 /* This avoids hitting -EBUSY when deleting the table
6934 * from the transaction.
6936 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6937 !list_empty(&nft_trans_set(trans)->bindings))
6938 trans->ctx.table->use--;
6940 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6941 NFT_MSG_NEWSET, GFP_KERNEL);
6942 nft_trans_destroy(trans);
6944 case NFT_MSG_DELSET:
6945 list_del_rcu(&nft_trans_set(trans)->list);
6946 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6947 NFT_MSG_DELSET, GFP_KERNEL);
6949 case NFT_MSG_NEWSETELEM:
6950 te = (struct nft_trans_elem *)trans->data;
6952 te->set->ops->activate(net, te->set, &te->elem);
6953 nf_tables_setelem_notify(&trans->ctx, te->set,
6955 NFT_MSG_NEWSETELEM, 0);
6956 nft_trans_destroy(trans);
6958 case NFT_MSG_DELSETELEM:
6959 te = (struct nft_trans_elem *)trans->data;
6961 nf_tables_setelem_notify(&trans->ctx, te->set,
6963 NFT_MSG_DELSETELEM, 0);
6964 te->set->ops->remove(net, te->set, &te->elem);
6965 atomic_dec(&te->set->nelems);
6968 case NFT_MSG_NEWOBJ:
6969 if (nft_trans_obj_update(trans)) {
6970 nft_obj_commit_update(trans);
6971 nf_tables_obj_notify(&trans->ctx,
6972 nft_trans_obj(trans),
6975 nft_clear(net, nft_trans_obj(trans));
6976 nf_tables_obj_notify(&trans->ctx,
6977 nft_trans_obj(trans),
6979 nft_trans_destroy(trans);
6982 case NFT_MSG_DELOBJ:
6983 nft_obj_del(nft_trans_obj(trans));
6984 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6987 case NFT_MSG_NEWFLOWTABLE:
6988 nft_clear(net, nft_trans_flowtable(trans));
6989 nf_tables_flowtable_notify(&trans->ctx,
6990 nft_trans_flowtable(trans),
6991 NFT_MSG_NEWFLOWTABLE);
6992 nft_trans_destroy(trans);
6994 case NFT_MSG_DELFLOWTABLE:
6995 list_del_rcu(&nft_trans_flowtable(trans)->list);
6996 nf_tables_flowtable_notify(&trans->ctx,
6997 nft_trans_flowtable(trans),
6998 NFT_MSG_DELFLOWTABLE);
6999 nft_unregister_flowtable_net_hooks(net,
7000 nft_trans_flowtable(trans));
7005 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7006 nf_tables_commit_release(net);
7011 static void nf_tables_module_autoload(struct net *net)
7013 struct nft_module_request *req, *next;
7014 LIST_HEAD(module_list);
7016 list_splice_init(&net->nft.module_list, &module_list);
7017 mutex_unlock(&net->nft.commit_mutex);
7018 list_for_each_entry_safe(req, next, &module_list, list) {
7019 request_module("%s", req->module);
7022 mutex_lock(&net->nft.commit_mutex);
7023 list_splice(&module_list, &net->nft.module_list);
7026 static void nf_tables_abort_release(struct nft_trans *trans)
7028 switch (trans->msg_type) {
7029 case NFT_MSG_NEWTABLE:
7030 nf_tables_table_destroy(&trans->ctx);
7032 case NFT_MSG_NEWCHAIN:
7033 nf_tables_chain_destroy(&trans->ctx);
7035 case NFT_MSG_NEWRULE:
7036 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7038 case NFT_MSG_NEWSET:
7039 nft_set_destroy(nft_trans_set(trans));
7041 case NFT_MSG_NEWSETELEM:
7042 nft_set_elem_destroy(nft_trans_elem_set(trans),
7043 nft_trans_elem(trans).priv, true);
7045 case NFT_MSG_NEWOBJ:
7046 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7048 case NFT_MSG_NEWFLOWTABLE:
7049 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7055 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
7057 struct nft_trans *trans, *next;
7058 struct nft_trans_elem *te;
7060 if (action == NFNL_ABORT_VALIDATE &&
7061 nf_tables_validate(net) < 0)
7064 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7066 switch (trans->msg_type) {
7067 case NFT_MSG_NEWTABLE:
7068 if (nft_trans_table_update(trans)) {
7069 if (nft_trans_table_enable(trans)) {
7070 nf_tables_table_disable(net,
7072 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7074 nft_trans_destroy(trans);
7076 list_del_rcu(&trans->ctx.table->list);
7079 case NFT_MSG_DELTABLE:
7080 nft_clear(trans->ctx.net, trans->ctx.table);
7081 nft_trans_destroy(trans);
7083 case NFT_MSG_NEWCHAIN:
7084 if (nft_trans_chain_update(trans)) {
7085 free_percpu(nft_trans_chain_stats(trans));
7086 kfree(nft_trans_chain_name(trans));
7087 nft_trans_destroy(trans);
7089 trans->ctx.table->use--;
7090 nft_chain_del(trans->ctx.chain);
7091 nf_tables_unregister_hook(trans->ctx.net,
7096 case NFT_MSG_DELCHAIN:
7097 trans->ctx.table->use++;
7098 nft_clear(trans->ctx.net, trans->ctx.chain);
7099 nft_trans_destroy(trans);
7101 case NFT_MSG_NEWRULE:
7102 trans->ctx.chain->use--;
7103 list_del_rcu(&nft_trans_rule(trans)->list);
7104 nft_rule_expr_deactivate(&trans->ctx,
7105 nft_trans_rule(trans),
7108 case NFT_MSG_DELRULE:
7109 trans->ctx.chain->use++;
7110 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7111 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7112 nft_trans_destroy(trans);
7114 case NFT_MSG_NEWSET:
7115 trans->ctx.table->use--;
7116 if (nft_trans_set_bound(trans)) {
7117 nft_trans_destroy(trans);
7120 list_del_rcu(&nft_trans_set(trans)->list);
7122 case NFT_MSG_DELSET:
7123 trans->ctx.table->use++;
7124 nft_clear(trans->ctx.net, nft_trans_set(trans));
7125 nft_trans_destroy(trans);
7127 case NFT_MSG_NEWSETELEM:
7128 if (nft_trans_elem_set_bound(trans)) {
7129 nft_trans_destroy(trans);
7132 te = (struct nft_trans_elem *)trans->data;
7133 te->set->ops->remove(net, te->set, &te->elem);
7134 atomic_dec(&te->set->nelems);
7136 case NFT_MSG_DELSETELEM:
7137 te = (struct nft_trans_elem *)trans->data;
7139 nft_set_elem_activate(net, te->set, &te->elem);
7140 te->set->ops->activate(net, te->set, &te->elem);
7143 nft_trans_destroy(trans);
7145 case NFT_MSG_NEWOBJ:
7146 if (nft_trans_obj_update(trans)) {
7147 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
7148 nft_trans_destroy(trans);
7150 trans->ctx.table->use--;
7151 nft_obj_del(nft_trans_obj(trans));
7154 case NFT_MSG_DELOBJ:
7155 trans->ctx.table->use++;
7156 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7157 nft_trans_destroy(trans);
7159 case NFT_MSG_NEWFLOWTABLE:
7160 trans->ctx.table->use--;
7161 list_del_rcu(&nft_trans_flowtable(trans)->list);
7162 nft_unregister_flowtable_net_hooks(net,
7163 nft_trans_flowtable(trans));
7165 case NFT_MSG_DELFLOWTABLE:
7166 trans->ctx.table->use++;
7167 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7168 nft_trans_destroy(trans);
7175 list_for_each_entry_safe_reverse(trans, next,
7176 &net->nft.commit_list, list) {
7177 list_del(&trans->list);
7178 nf_tables_abort_release(trans);
7181 if (action == NFNL_ABORT_AUTOLOAD)
7182 nf_tables_module_autoload(net);
7184 nf_tables_module_autoload_cleanup(net);
7189 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
7190 enum nfnl_abort_action action)
7192 int ret = __nf_tables_abort(net, action);
7194 mutex_unlock(&net->nft.commit_mutex);
7199 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7203 mutex_lock(&net->nft.commit_mutex);
7205 genid_ok = genid == 0 || net->nft.base_seq == genid;
7207 mutex_unlock(&net->nft.commit_mutex);
7209 /* else, commit mutex has to be released by commit or abort function */
7213 static const struct nfnetlink_subsystem nf_tables_subsys = {
7214 .name = "nf_tables",
7215 .subsys_id = NFNL_SUBSYS_NFTABLES,
7216 .cb_count = NFT_MSG_MAX,
7218 .commit = nf_tables_commit,
7219 .abort = nf_tables_abort,
7220 .valid_genid = nf_tables_valid_genid,
7221 .owner = THIS_MODULE,
7224 int nft_chain_validate_dependency(const struct nft_chain *chain,
7225 enum nft_chain_types type)
7227 const struct nft_base_chain *basechain;
7229 if (nft_is_base_chain(chain)) {
7230 basechain = nft_base_chain(chain);
7231 if (basechain->type->type != type)
7236 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7238 int nft_chain_validate_hooks(const struct nft_chain *chain,
7239 unsigned int hook_flags)
7241 struct nft_base_chain *basechain;
7243 if (nft_is_base_chain(chain)) {
7244 basechain = nft_base_chain(chain);
7246 if ((1 << basechain->ops.hooknum) & hook_flags)
7254 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7257 * Loop detection - walk through the ruleset beginning at the destination chain
7258 * of a new jump until either the source chain is reached (loop) or all
7259 * reachable chains have been traversed.
7261 * The loop check is performed whenever a new jump verdict is added to an
7262 * expression or verdict map or a verdict map is bound to a new chain.
7265 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7266 const struct nft_chain *chain);
7268 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7269 struct nft_set *set,
7270 const struct nft_set_iter *iter,
7271 struct nft_set_elem *elem)
7273 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7274 const struct nft_data *data;
7276 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7277 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7280 data = nft_set_ext_data(ext);
7281 switch (data->verdict.code) {
7284 return nf_tables_check_loops(ctx, data->verdict.chain);
7290 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7291 const struct nft_chain *chain)
7293 const struct nft_rule *rule;
7294 const struct nft_expr *expr, *last;
7295 struct nft_set *set;
7296 struct nft_set_binding *binding;
7297 struct nft_set_iter iter;
7299 if (ctx->chain == chain)
7302 list_for_each_entry(rule, &chain->rules, list) {
7303 nft_rule_for_each_expr(expr, last, rule) {
7304 struct nft_immediate_expr *priv;
7305 const struct nft_data *data;
7308 if (strcmp(expr->ops->type->name, "immediate"))
7311 priv = nft_expr_priv(expr);
7312 if (priv->dreg != NFT_REG_VERDICT)
7316 switch (data->verdict.code) {
7319 err = nf_tables_check_loops(ctx,
7320 data->verdict.chain);
7329 list_for_each_entry(set, &ctx->table->sets, list) {
7330 if (!nft_is_active_next(ctx->net, set))
7332 if (!(set->flags & NFT_SET_MAP) ||
7333 set->dtype != NFT_DATA_VERDICT)
7336 list_for_each_entry(binding, &set->bindings, list) {
7337 if (!(binding->flags & NFT_SET_MAP) ||
7338 binding->chain != chain)
7341 iter.genmask = nft_genmask_next(ctx->net);
7345 iter.fn = nf_tables_loop_check_setelem;
7347 set->ops->walk(ctx, set, &iter);
7357 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7359 * @attr: netlink attribute to fetch value from
7360 * @max: maximum value to be stored in dest
7361 * @dest: pointer to the variable
7363 * Parse, check and store a given u32 netlink attribute into variable.
7364 * This function returns -ERANGE if the value goes over maximum value.
7365 * Otherwise a 0 is returned and the attribute value is stored in the
7366 * destination variable.
7368 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7372 val = ntohl(nla_get_be32(attr));
7379 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7382 * nft_parse_register - parse a register value from a netlink attribute
7384 * @attr: netlink attribute
7386 * Parse and translate a register value from a netlink attribute.
7387 * Registers used to be 128 bit wide, these register numbers will be
7388 * mapped to the corresponding 32 bit register numbers.
7390 unsigned int nft_parse_register(const struct nlattr *attr)
7394 reg = ntohl(nla_get_be32(attr));
7396 case NFT_REG_VERDICT...NFT_REG_4:
7397 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7399 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7402 EXPORT_SYMBOL_GPL(nft_parse_register);
7405 * nft_dump_register - dump a register value to a netlink attribute
7407 * @skb: socket buffer
7408 * @attr: attribute number
7409 * @reg: register number
7411 * Construct a netlink attribute containing the register number. For
7412 * compatibility reasons, register numbers being a multiple of 4 are
7413 * translated to the corresponding 128 bit register numbers.
7415 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7417 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7418 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7420 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7422 return nla_put_be32(skb, attr, htonl(reg));
7424 EXPORT_SYMBOL_GPL(nft_dump_register);
7427 * nft_validate_register_load - validate a load from a register
7429 * @reg: the register number
7430 * @len: the length of the data
7432 * Validate that the input register is one of the general purpose
7433 * registers and that the length of the load is within the bounds.
7435 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7437 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7441 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7447 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
7452 reg = nft_parse_register(attr);
7453 err = nft_validate_register_load(reg, len);
7460 EXPORT_SYMBOL_GPL(nft_parse_register_load);
7463 * nft_validate_register_store - validate an expressions' register store
7465 * @ctx: context of the expression performing the load
7466 * @reg: the destination register number
7467 * @data: the data to load
7468 * @type: the data type
7469 * @len: the length of the data
7471 * Validate that a data load uses the appropriate data type for
7472 * the destination register and the length is within the bounds.
7473 * A value of NULL for the data means that its runtime gathered
7476 int nft_validate_register_store(const struct nft_ctx *ctx,
7477 enum nft_registers reg,
7478 const struct nft_data *data,
7479 enum nft_data_types type, unsigned int len)
7484 case NFT_REG_VERDICT:
7485 if (type != NFT_DATA_VERDICT)
7489 (data->verdict.code == NFT_GOTO ||
7490 data->verdict.code == NFT_JUMP)) {
7491 err = nf_tables_check_loops(ctx, data->verdict.chain);
7498 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7502 if (reg * NFT_REG32_SIZE + len >
7503 FIELD_SIZEOF(struct nft_regs, data))
7506 if (data != NULL && type != NFT_DATA_VALUE)
7511 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7513 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7514 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7515 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7516 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7519 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7520 struct nft_data_desc *desc, const struct nlattr *nla)
7522 u8 genmask = nft_genmask_next(ctx->net);
7523 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7524 struct nft_chain *chain;
7527 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7528 nft_verdict_policy, NULL);
7532 if (!tb[NFTA_VERDICT_CODE])
7534 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7536 switch (data->verdict.code) {
7538 switch (data->verdict.code & NF_VERDICT_MASK) {
7553 if (!tb[NFTA_VERDICT_CHAIN])
7555 chain = nft_chain_lookup(ctx->net, ctx->table,
7556 tb[NFTA_VERDICT_CHAIN], genmask);
7558 return PTR_ERR(chain);
7559 if (nft_is_base_chain(chain))
7563 data->verdict.chain = chain;
7567 desc->len = sizeof(data->verdict);
7568 desc->type = NFT_DATA_VERDICT;
7572 static void nft_verdict_uninit(const struct nft_data *data)
7574 switch (data->verdict.code) {
7577 data->verdict.chain->use--;
7582 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7584 struct nlattr *nest;
7586 nest = nla_nest_start_noflag(skb, type);
7588 goto nla_put_failure;
7590 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7591 goto nla_put_failure;
7596 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7598 goto nla_put_failure;
7600 nla_nest_end(skb, nest);
7607 static int nft_value_init(const struct nft_ctx *ctx,
7608 struct nft_data *data, unsigned int size,
7609 struct nft_data_desc *desc, const struct nlattr *nla)
7619 nla_memcpy(data->data, nla, len);
7620 desc->type = NFT_DATA_VALUE;
7625 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7628 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7631 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7632 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7633 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7637 * nft_data_init - parse nf_tables data netlink attributes
7639 * @ctx: context of the expression using the data
7640 * @data: destination struct nft_data
7641 * @size: maximum data length
7642 * @desc: data description
7643 * @nla: netlink attribute containing data
7645 * Parse the netlink data attributes and initialize a struct nft_data.
7646 * The type and length of data are returned in the data description.
7648 * The caller can indicate that it only wants to accept data of type
7649 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7651 int nft_data_init(const struct nft_ctx *ctx,
7652 struct nft_data *data, unsigned int size,
7653 struct nft_data_desc *desc, const struct nlattr *nla)
7655 struct nlattr *tb[NFTA_DATA_MAX + 1];
7658 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7659 nft_data_policy, NULL);
7663 if (tb[NFTA_DATA_VALUE])
7664 return nft_value_init(ctx, data, size, desc,
7665 tb[NFTA_DATA_VALUE]);
7666 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7667 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7670 EXPORT_SYMBOL_GPL(nft_data_init);
7673 * nft_data_release - release a nft_data item
7675 * @data: struct nft_data to release
7676 * @type: type of data
7678 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7679 * all others need to be released by calling this function.
7681 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7683 if (type < NFT_DATA_VERDICT)
7686 case NFT_DATA_VERDICT:
7687 return nft_verdict_uninit(data);
7692 EXPORT_SYMBOL_GPL(nft_data_release);
7694 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7695 enum nft_data_types type, unsigned int len)
7697 struct nlattr *nest;
7700 nest = nla_nest_start_noflag(skb, attr);
7705 case NFT_DATA_VALUE:
7706 err = nft_value_dump(skb, data, len);
7708 case NFT_DATA_VERDICT:
7709 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7716 nla_nest_end(skb, nest);
7719 EXPORT_SYMBOL_GPL(nft_data_dump);
7721 int __nft_release_basechain(struct nft_ctx *ctx)
7723 struct nft_rule *rule, *nr;
7725 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7728 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7729 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7730 list_del(&rule->list);
7732 nf_tables_rule_release(ctx, rule);
7734 nft_chain_del(ctx->chain);
7736 nf_tables_chain_destroy(ctx);
7740 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7742 static void __nft_release_hooks(struct net *net)
7744 struct nft_table *table;
7745 struct nft_chain *chain;
7747 list_for_each_entry(table, &net->nft.tables, list) {
7748 list_for_each_entry(chain, &table->chains, list)
7749 nf_tables_unregister_hook(net, table, chain);
7753 static void __nft_release_tables(struct net *net)
7755 struct nft_flowtable *flowtable, *nf;
7756 struct nft_table *table, *nt;
7757 struct nft_chain *chain, *nc;
7758 struct nft_object *obj, *ne;
7759 struct nft_rule *rule, *nr;
7760 struct nft_set *set, *ns;
7761 struct nft_ctx ctx = {
7763 .family = NFPROTO_NETDEV,
7766 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7767 ctx.family = table->family;
7769 list_for_each_entry(chain, &table->chains, list) {
7771 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7772 list_del(&rule->list);
7774 nf_tables_rule_release(&ctx, rule);
7777 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7778 list_del(&flowtable->list);
7780 nf_tables_flowtable_destroy(flowtable);
7782 list_for_each_entry_safe(set, ns, &table->sets, list) {
7783 list_del(&set->list);
7785 nft_set_destroy(set);
7787 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7790 nft_obj_destroy(&ctx, obj);
7792 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7794 nft_chain_del(chain);
7796 nf_tables_chain_destroy(&ctx);
7798 list_del(&table->list);
7799 nf_tables_table_destroy(&ctx);
7803 static int __net_init nf_tables_init_net(struct net *net)
7805 INIT_LIST_HEAD(&net->nft.tables);
7806 INIT_LIST_HEAD(&net->nft.commit_list);
7807 INIT_LIST_HEAD(&net->nft.module_list);
7808 mutex_init(&net->nft.commit_mutex);
7809 net->nft.base_seq = 1;
7810 net->nft.validate_state = NFT_VALIDATE_SKIP;
7815 static void __net_exit nf_tables_pre_exit_net(struct net *net)
7817 __nft_release_hooks(net);
7820 static void __net_exit nf_tables_exit_net(struct net *net)
7822 mutex_lock(&net->nft.commit_mutex);
7823 if (!list_empty(&net->nft.commit_list))
7824 __nf_tables_abort(net, NFNL_ABORT_NONE);
7825 __nft_release_tables(net);
7826 mutex_unlock(&net->nft.commit_mutex);
7827 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7828 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
7831 static struct pernet_operations nf_tables_net_ops = {
7832 .init = nf_tables_init_net,
7833 .pre_exit = nf_tables_pre_exit_net,
7834 .exit = nf_tables_exit_net,
7837 static int __init nf_tables_module_init(void)
7841 spin_lock_init(&nf_tables_destroy_list_lock);
7842 err = register_pernet_subsys(&nf_tables_net_ops);
7846 err = nft_chain_filter_init();
7850 err = nf_tables_core_module_init();
7854 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7858 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7862 err = nft_offload_init();
7867 err = nfnetlink_subsys_register(&nf_tables_subsys);
7871 nft_chain_route_init();
7877 rhltable_destroy(&nft_objname_ht);
7879 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7881 nf_tables_core_module_exit();
7883 nft_chain_filter_fini();
7885 unregister_pernet_subsys(&nf_tables_net_ops);
7889 static void __exit nf_tables_module_exit(void)
7891 nfnetlink_subsys_unregister(&nf_tables_subsys);
7893 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7894 nft_chain_filter_fini();
7895 nft_chain_route_fini();
7896 unregister_pernet_subsys(&nf_tables_net_ops);
7897 cancel_work_sync(&trans_destroy_work);
7899 rhltable_destroy(&nft_objname_ht);
7900 nf_tables_core_module_exit();
7903 module_init(nf_tables_module_init);
7904 module_exit(nf_tables_module_exit);
7906 MODULE_LICENSE("GPL");
7907 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7908 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-stable / blob