2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
29 * nft_register_afinfo - register nf_tables address family info
31 * @afi: address family info to register
33 * Register the address family for use with nf_tables. Returns zero on
34 * success or a negative errno code otherwise.
36 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
38 INIT_LIST_HEAD(&afi->tables);
39 nfnl_lock(NFNL_SUBSYS_NFTABLES);
40 list_add_tail_rcu(&afi->list, &net->nft.af_info);
41 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
44 EXPORT_SYMBOL_GPL(nft_register_afinfo);
46 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
49 * nft_unregister_afinfo - unregister nf_tables address family info
51 * @afi: address family info to unregister
53 * Unregister the address family for use with nf_tables.
55 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
57 nfnl_lock(NFNL_SUBSYS_NFTABLES);
58 __nft_release_afinfo(net, afi);
59 list_del_rcu(&afi->list);
60 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
62 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
64 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
66 struct nft_af_info *afi;
68 list_for_each_entry(afi, &net->nft.af_info, list) {
69 if (afi->family == family)
75 static struct nft_af_info *
76 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
78 struct nft_af_info *afi;
80 afi = nft_afinfo_lookup(net, family);
85 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
86 request_module("nft-afinfo-%u", family);
87 nfnl_lock(NFNL_SUBSYS_NFTABLES);
88 afi = nft_afinfo_lookup(net, family);
90 return ERR_PTR(-EAGAIN);
93 return ERR_PTR(-EAFNOSUPPORT);
96 static void nft_ctx_init(struct nft_ctx *ctx,
98 const struct sk_buff *skb,
99 const struct nlmsghdr *nlh,
100 struct nft_af_info *afi,
101 struct nft_table *table,
102 struct nft_chain *chain,
103 const struct nlattr * const *nla)
110 ctx->portid = NETLINK_CB(skb).portid;
111 ctx->report = nlmsg_report(nlh);
112 ctx->seq = nlh->nlmsg_seq;
115 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
116 int msg_type, u32 size, gfp_t gfp)
118 struct nft_trans *trans;
120 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
124 INIT_LIST_HEAD(&trans->list);
125 trans->msg_type = msg_type;
131 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
132 int msg_type, u32 size)
134 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
137 static void nft_trans_destroy(struct nft_trans *trans)
139 list_del(&trans->list);
143 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
145 struct net *net = ctx->net;
146 struct nft_trans *trans;
148 if (!(set->flags & NFT_SET_ANONYMOUS))
151 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
152 switch (trans->msg_type) {
154 if (nft_trans_set(trans) == set)
155 nft_trans_set_bound(trans) = true;
157 case NFT_MSG_NEWSETELEM:
158 if (nft_trans_elem_set(trans) == set)
159 nft_trans_elem_set_bound(trans) = true;
165 static int nf_tables_register_hooks(struct net *net,
166 const struct nft_table *table,
167 struct nft_chain *chain,
168 unsigned int hook_nops)
170 if (table->flags & NFT_TABLE_F_DORMANT ||
171 !nft_is_base_chain(chain))
174 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
178 static void nf_tables_unregister_hooks(struct net *net,
179 const struct nft_table *table,
180 struct nft_chain *chain,
181 unsigned int hook_nops)
183 if (table->flags & NFT_TABLE_F_DORMANT ||
184 !nft_is_base_chain(chain))
187 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
190 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
192 struct nft_trans *trans;
194 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
198 if (msg_type == NFT_MSG_NEWTABLE)
199 nft_activate_next(ctx->net, ctx->table);
201 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
205 static int nft_deltable(struct nft_ctx *ctx)
209 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
213 nft_deactivate_next(ctx->net, ctx->table);
217 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
219 struct nft_trans *trans;
221 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
225 if (msg_type == NFT_MSG_NEWCHAIN)
226 nft_activate_next(ctx->net, ctx->chain);
228 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
232 static int nft_delchain(struct nft_ctx *ctx)
236 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
241 nft_deactivate_next(ctx->net, ctx->chain);
246 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
247 struct nft_rule *rule)
249 struct nft_expr *expr;
251 expr = nft_expr_first(rule);
252 while (expr != nft_expr_last(rule) && expr->ops) {
253 if (expr->ops->activate)
254 expr->ops->activate(ctx, expr);
256 expr = nft_expr_next(expr);
260 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
261 struct nft_rule *rule,
262 enum nft_trans_phase phase)
264 struct nft_expr *expr;
266 expr = nft_expr_first(rule);
267 while (expr != nft_expr_last(rule) && expr->ops) {
268 if (expr->ops->deactivate)
269 expr->ops->deactivate(ctx, expr, phase);
271 expr = nft_expr_next(expr);
276 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
278 /* You cannot delete the same rule twice */
279 if (nft_is_active_next(ctx->net, rule)) {
280 nft_deactivate_next(ctx->net, rule);
287 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
288 struct nft_rule *rule)
290 struct nft_trans *trans;
292 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
296 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
297 nft_trans_rule_id(trans) =
298 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
300 nft_trans_rule(trans) = rule;
301 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
306 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
308 struct nft_trans *trans;
311 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
315 err = nf_tables_delrule_deactivate(ctx, rule);
317 nft_trans_destroy(trans);
320 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
325 static int nft_delrule_by_chain(struct nft_ctx *ctx)
327 struct nft_rule *rule;
330 list_for_each_entry(rule, &ctx->chain->rules, list) {
331 if (!nft_is_active_next(ctx->net, rule))
334 err = nft_delrule(ctx, rule);
341 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
344 struct nft_trans *trans;
346 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
350 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
351 nft_trans_set_id(trans) =
352 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
353 nft_activate_next(ctx->net, set);
355 nft_trans_set(trans) = set;
356 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
361 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
365 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
369 nft_deactivate_next(ctx->net, set);
375 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
376 struct nft_object *obj)
378 struct nft_trans *trans;
380 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
384 if (msg_type == NFT_MSG_NEWOBJ)
385 nft_activate_next(ctx->net, obj);
387 nft_trans_obj(trans) = obj;
388 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
393 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
397 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
401 nft_deactivate_next(ctx->net, obj);
411 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
412 const struct nlattr *nla,
415 struct nft_table *table;
417 list_for_each_entry(table, &afi->tables, list) {
418 if (!nla_strcmp(nla, table->name) &&
419 nft_active_genmask(table, genmask))
425 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
426 const struct nlattr *nla,
429 struct nft_table *table;
432 return ERR_PTR(-EINVAL);
434 table = nft_table_lookup(afi, nla, genmask);
438 return ERR_PTR(-ENOENT);
441 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
443 return ++table->hgenerator;
446 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
448 static const struct nf_chain_type *
449 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
453 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
454 if (chain_type[family][i] != NULL &&
455 !nla_strcmp(nla, chain_type[family][i]->name))
456 return chain_type[family][i];
461 static const struct nf_chain_type *
462 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
463 const struct nlattr *nla,
466 const struct nf_chain_type *type;
468 type = __nf_tables_chain_type_lookup(afi->family, nla);
471 #ifdef CONFIG_MODULES
473 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
474 request_module("nft-chain-%u-%.*s", afi->family,
475 nla_len(nla), (const char *)nla_data(nla));
476 nfnl_lock(NFNL_SUBSYS_NFTABLES);
477 type = __nf_tables_chain_type_lookup(afi->family, nla);
479 return ERR_PTR(-EAGAIN);
482 return ERR_PTR(-ENOENT);
485 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
486 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
487 .len = NFT_TABLE_MAXNAMELEN - 1 },
488 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
491 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
492 u32 portid, u32 seq, int event, u32 flags,
493 int family, const struct nft_table *table)
495 struct nlmsghdr *nlh;
496 struct nfgenmsg *nfmsg;
498 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
499 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
501 goto nla_put_failure;
503 nfmsg = nlmsg_data(nlh);
504 nfmsg->nfgen_family = family;
505 nfmsg->version = NFNETLINK_V0;
506 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
508 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
509 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
510 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
511 goto nla_put_failure;
517 nlmsg_trim(skb, nlh);
521 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
527 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
530 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
534 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
535 event, 0, ctx->afi->family, ctx->table);
541 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
542 ctx->report, GFP_KERNEL);
545 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
548 static int nf_tables_dump_tables(struct sk_buff *skb,
549 struct netlink_callback *cb)
551 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
552 const struct nft_af_info *afi;
553 const struct nft_table *table;
554 unsigned int idx = 0, s_idx = cb->args[0];
555 struct net *net = sock_net(skb->sk);
556 int family = nfmsg->nfgen_family;
559 cb->seq = net->nft.base_seq;
561 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
562 if (family != NFPROTO_UNSPEC && family != afi->family)
565 list_for_each_entry_rcu(table, &afi->tables, list) {
569 memset(&cb->args[1], 0,
570 sizeof(cb->args) - sizeof(cb->args[0]));
571 if (!nft_is_active(net, table))
573 if (nf_tables_fill_table_info(skb, net,
574 NETLINK_CB(cb->skb).portid,
578 afi->family, table) < 0)
581 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
592 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
593 struct sk_buff *skb, const struct nlmsghdr *nlh,
594 const struct nlattr * const nla[],
595 struct netlink_ext_ack *extack)
597 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
598 u8 genmask = nft_genmask_cur(net);
599 const struct nft_af_info *afi;
600 const struct nft_table *table;
601 struct sk_buff *skb2;
602 int family = nfmsg->nfgen_family;
605 if (nlh->nlmsg_flags & NLM_F_DUMP) {
606 struct netlink_dump_control c = {
607 .dump = nf_tables_dump_tables,
609 return netlink_dump_start(nlsk, skb, nlh, &c);
612 afi = nf_tables_afinfo_lookup(net, family, false);
616 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
618 return PTR_ERR(table);
620 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
624 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
625 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
630 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
637 static void _nf_tables_table_disable(struct net *net,
638 const struct nft_af_info *afi,
639 struct nft_table *table,
642 struct nft_chain *chain;
645 list_for_each_entry(chain, &table->chains, list) {
646 if (!nft_is_active_next(net, chain))
648 if (!nft_is_base_chain(chain))
651 if (cnt && i++ == cnt)
654 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
659 static int nf_tables_table_enable(struct net *net,
660 const struct nft_af_info *afi,
661 struct nft_table *table)
663 struct nft_chain *chain;
666 list_for_each_entry(chain, &table->chains, list) {
667 if (!nft_is_active_next(net, chain))
669 if (!nft_is_base_chain(chain))
672 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
682 _nf_tables_table_disable(net, afi, table, i);
686 static void nf_tables_table_disable(struct net *net,
687 const struct nft_af_info *afi,
688 struct nft_table *table)
690 _nf_tables_table_disable(net, afi, table, 0);
693 static int nf_tables_updtable(struct nft_ctx *ctx)
695 struct nft_trans *trans;
699 if (!ctx->nla[NFTA_TABLE_FLAGS])
702 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
703 if (flags & ~NFT_TABLE_F_DORMANT)
706 if (flags == ctx->table->flags)
709 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
710 sizeof(struct nft_trans_table));
714 if ((flags & NFT_TABLE_F_DORMANT) &&
715 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
716 nft_trans_table_enable(trans) = false;
717 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
718 ctx->table->flags & NFT_TABLE_F_DORMANT) {
719 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
721 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
722 nft_trans_table_enable(trans) = true;
728 nft_trans_table_update(trans) = true;
729 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
732 nft_trans_destroy(trans);
736 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
737 struct sk_buff *skb, const struct nlmsghdr *nlh,
738 const struct nlattr * const nla[],
739 struct netlink_ext_ack *extack)
741 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
742 u8 genmask = nft_genmask_next(net);
743 const struct nlattr *name;
744 struct nft_af_info *afi;
745 struct nft_table *table;
746 int family = nfmsg->nfgen_family;
751 afi = nf_tables_afinfo_lookup(net, family, true);
755 name = nla[NFTA_TABLE_NAME];
756 table = nf_tables_table_lookup(afi, name, genmask);
758 if (PTR_ERR(table) != -ENOENT)
759 return PTR_ERR(table);
761 if (nlh->nlmsg_flags & NLM_F_EXCL)
763 if (nlh->nlmsg_flags & NLM_F_REPLACE)
766 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
767 return nf_tables_updtable(&ctx);
770 if (nla[NFTA_TABLE_FLAGS]) {
771 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
772 if (flags & ~NFT_TABLE_F_DORMANT)
777 if (!try_module_get(afi->owner))
781 table = kzalloc(sizeof(*table), GFP_KERNEL);
785 table->name = nla_strdup(name, GFP_KERNEL);
786 if (table->name == NULL)
789 INIT_LIST_HEAD(&table->chains);
790 INIT_LIST_HEAD(&table->sets);
791 INIT_LIST_HEAD(&table->objects);
792 table->flags = flags;
794 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
795 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
799 list_add_tail_rcu(&table->list, &afi->tables);
806 module_put(afi->owner);
811 static int nft_flush_table(struct nft_ctx *ctx)
814 struct nft_chain *chain, *nc;
815 struct nft_object *obj, *ne;
816 struct nft_set *set, *ns;
818 list_for_each_entry(chain, &ctx->table->chains, list) {
819 if (!nft_is_active_next(ctx->net, chain))
824 err = nft_delrule_by_chain(ctx);
829 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
830 if (!nft_is_active_next(ctx->net, set))
833 if (set->flags & NFT_SET_ANONYMOUS &&
834 !list_empty(&set->bindings))
837 err = nft_delset(ctx, set);
842 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
843 err = nft_delobj(ctx, obj);
848 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
849 if (!nft_is_active_next(ctx->net, chain))
854 err = nft_delchain(ctx);
859 err = nft_deltable(ctx);
864 static int nft_flush(struct nft_ctx *ctx, int family)
866 struct nft_af_info *afi;
867 struct nft_table *table, *nt;
868 const struct nlattr * const *nla = ctx->nla;
871 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
872 if (family != AF_UNSPEC && afi->family != family)
876 list_for_each_entry_safe(table, nt, &afi->tables, list) {
877 if (!nft_is_active_next(ctx->net, table))
880 if (nla[NFTA_TABLE_NAME] &&
881 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
886 err = nft_flush_table(ctx);
895 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
896 struct sk_buff *skb, const struct nlmsghdr *nlh,
897 const struct nlattr * const nla[],
898 struct netlink_ext_ack *extack)
900 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
901 u8 genmask = nft_genmask_next(net);
902 struct nft_af_info *afi;
903 struct nft_table *table;
904 int family = nfmsg->nfgen_family;
907 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
908 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
909 return nft_flush(&ctx, family);
911 afi = nf_tables_afinfo_lookup(net, family, false);
915 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
917 return PTR_ERR(table);
919 if (nlh->nlmsg_flags & NLM_F_NONREC &&
926 return nft_flush_table(&ctx);
929 static void nf_tables_table_destroy(struct nft_ctx *ctx)
931 BUG_ON(ctx->table->use > 0);
933 kfree(ctx->table->name);
935 module_put(ctx->afi->owner);
938 int nft_register_chain_type(const struct nf_chain_type *ctype)
942 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
945 nfnl_lock(NFNL_SUBSYS_NFTABLES);
946 if (chain_type[ctype->family][ctype->type] != NULL) {
950 chain_type[ctype->family][ctype->type] = ctype;
952 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
955 EXPORT_SYMBOL_GPL(nft_register_chain_type);
957 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
959 nfnl_lock(NFNL_SUBSYS_NFTABLES);
960 chain_type[ctype->family][ctype->type] = NULL;
961 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
963 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
969 static struct nft_chain *
970 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
973 struct nft_chain *chain;
975 list_for_each_entry(chain, &table->chains, list) {
976 if (chain->handle == handle &&
977 nft_active_genmask(chain, genmask))
981 return ERR_PTR(-ENOENT);
984 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
985 const struct nlattr *nla,
988 struct nft_chain *chain;
991 return ERR_PTR(-EINVAL);
993 list_for_each_entry(chain, &table->chains, list) {
994 if (!nla_strcmp(nla, chain->name) &&
995 nft_active_genmask(chain, genmask))
999 return ERR_PTR(-ENOENT);
1002 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1003 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1004 .len = NFT_TABLE_MAXNAMELEN - 1 },
1005 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1006 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1007 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1008 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1009 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1010 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1011 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1014 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1015 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1016 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1017 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1018 .len = IFNAMSIZ - 1 },
1021 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1023 struct nft_stats *cpu_stats, total;
1024 struct nlattr *nest;
1029 memset(&total, 0, sizeof(total));
1030 for_each_possible_cpu(cpu) {
1031 cpu_stats = per_cpu_ptr(stats, cpu);
1033 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1034 pkts = cpu_stats->pkts;
1035 bytes = cpu_stats->bytes;
1036 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1038 total.bytes += bytes;
1040 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1042 goto nla_put_failure;
1044 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1045 NFTA_COUNTER_PAD) ||
1046 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1048 goto nla_put_failure;
1050 nla_nest_end(skb, nest);
1057 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1058 u32 portid, u32 seq, int event, u32 flags,
1059 int family, const struct nft_table *table,
1060 const struct nft_chain *chain)
1062 struct nlmsghdr *nlh;
1063 struct nfgenmsg *nfmsg;
1065 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1066 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1068 goto nla_put_failure;
1070 nfmsg = nlmsg_data(nlh);
1071 nfmsg->nfgen_family = family;
1072 nfmsg->version = NFNETLINK_V0;
1073 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1075 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1076 goto nla_put_failure;
1077 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1079 goto nla_put_failure;
1080 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1081 goto nla_put_failure;
1083 if (nft_is_base_chain(chain)) {
1084 const struct nft_base_chain *basechain = nft_base_chain(chain);
1085 const struct nf_hook_ops *ops = &basechain->ops[0];
1086 struct nlattr *nest;
1088 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1090 goto nla_put_failure;
1091 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1092 goto nla_put_failure;
1093 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1094 goto nla_put_failure;
1095 if (basechain->dev_name[0] &&
1096 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1097 goto nla_put_failure;
1098 nla_nest_end(skb, nest);
1100 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1101 htonl(basechain->policy)))
1102 goto nla_put_failure;
1104 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1105 goto nla_put_failure;
1107 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1108 goto nla_put_failure;
1111 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1112 goto nla_put_failure;
1114 nlmsg_end(skb, nlh);
1118 nlmsg_trim(skb, nlh);
1122 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1124 struct sk_buff *skb;
1128 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1131 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1135 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1136 event, 0, ctx->afi->family, ctx->table,
1143 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1144 ctx->report, GFP_KERNEL);
1147 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1150 static int nf_tables_dump_chains(struct sk_buff *skb,
1151 struct netlink_callback *cb)
1153 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1154 const struct nft_af_info *afi;
1155 const struct nft_table *table;
1156 const struct nft_chain *chain;
1157 unsigned int idx = 0, s_idx = cb->args[0];
1158 struct net *net = sock_net(skb->sk);
1159 int family = nfmsg->nfgen_family;
1162 cb->seq = net->nft.base_seq;
1164 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1165 if (family != NFPROTO_UNSPEC && family != afi->family)
1168 list_for_each_entry_rcu(table, &afi->tables, list) {
1169 list_for_each_entry_rcu(chain, &table->chains, list) {
1173 memset(&cb->args[1], 0,
1174 sizeof(cb->args) - sizeof(cb->args[0]));
1175 if (!nft_is_active(net, chain))
1177 if (nf_tables_fill_chain_info(skb, net,
1178 NETLINK_CB(cb->skb).portid,
1182 afi->family, table, chain) < 0)
1185 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1197 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1198 struct sk_buff *skb, const struct nlmsghdr *nlh,
1199 const struct nlattr * const nla[],
1200 struct netlink_ext_ack *extack)
1202 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1203 u8 genmask = nft_genmask_cur(net);
1204 const struct nft_af_info *afi;
1205 const struct nft_table *table;
1206 const struct nft_chain *chain;
1207 struct sk_buff *skb2;
1208 int family = nfmsg->nfgen_family;
1211 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1212 struct netlink_dump_control c = {
1213 .dump = nf_tables_dump_chains,
1215 return netlink_dump_start(nlsk, skb, nlh, &c);
1218 afi = nf_tables_afinfo_lookup(net, family, false);
1220 return PTR_ERR(afi);
1222 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1224 return PTR_ERR(table);
1226 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1228 return PTR_ERR(chain);
1230 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1234 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1235 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1236 family, table, chain);
1240 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1247 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1248 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1249 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1252 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1254 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1255 struct nft_stats __percpu *newstats;
1256 struct nft_stats *stats;
1259 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1262 return ERR_PTR(err);
1264 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1265 return ERR_PTR(-EINVAL);
1267 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1268 if (newstats == NULL)
1269 return ERR_PTR(-ENOMEM);
1271 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1272 * are not exposed to userspace.
1275 stats = this_cpu_ptr(newstats);
1276 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1277 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1283 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1284 struct nft_stats __percpu *newstats)
1286 if (newstats == NULL)
1290 struct nft_stats __percpu *oldstats =
1291 nft_dereference(chain->stats);
1293 rcu_assign_pointer(chain->stats, newstats);
1295 free_percpu(oldstats);
1297 rcu_assign_pointer(chain->stats, newstats);
1298 static_branch_inc(&nft_counters_enabled);
1302 static void nf_tables_chain_destroy(struct nft_chain *chain)
1304 BUG_ON(chain->use > 0);
1306 if (nft_is_base_chain(chain)) {
1307 struct nft_base_chain *basechain = nft_base_chain(chain);
1309 module_put(basechain->type->owner);
1310 free_percpu(basechain->stats);
1311 if (basechain->stats)
1312 static_branch_dec(&nft_counters_enabled);
1313 if (basechain->ops[0].dev != NULL)
1314 dev_put(basechain->ops[0].dev);
1323 struct nft_chain_hook {
1326 const struct nf_chain_type *type;
1327 struct net_device *dev;
1330 static int nft_chain_parse_hook(struct net *net,
1331 const struct nlattr * const nla[],
1332 struct nft_af_info *afi,
1333 struct nft_chain_hook *hook, bool create)
1335 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1336 const struct nf_chain_type *type;
1337 struct net_device *dev;
1340 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1341 nft_hook_policy, NULL);
1345 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1346 ha[NFTA_HOOK_PRIORITY] == NULL)
1349 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1350 if (hook->num >= afi->nhooks)
1353 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1355 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1356 if (nla[NFTA_CHAIN_TYPE]) {
1357 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1360 return PTR_ERR(type);
1362 if (!(type->hook_mask & (1 << hook->num)))
1364 if (!try_module_get(type->owner))
1370 if (afi->flags & NFT_AF_NEEDS_DEV) {
1371 char ifname[IFNAMSIZ];
1373 if (!ha[NFTA_HOOK_DEV]) {
1374 module_put(type->owner);
1378 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1379 dev = dev_get_by_name(net, ifname);
1381 module_put(type->owner);
1385 } else if (ha[NFTA_HOOK_DEV]) {
1386 module_put(type->owner);
1393 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1395 module_put(hook->type->owner);
1396 if (hook->dev != NULL)
1400 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1401 u8 policy, bool create)
1403 const struct nlattr * const *nla = ctx->nla;
1404 struct nft_table *table = ctx->table;
1405 struct nft_af_info *afi = ctx->afi;
1406 struct nft_base_chain *basechain;
1407 struct nft_stats __percpu *stats;
1408 struct net *net = ctx->net;
1409 struct nft_chain *chain;
1413 if (table->use == UINT_MAX)
1416 if (nla[NFTA_CHAIN_HOOK]) {
1417 struct nft_chain_hook hook;
1418 struct nf_hook_ops *ops;
1421 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1425 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1426 if (basechain == NULL) {
1427 nft_chain_release_hook(&hook);
1431 if (hook.dev != NULL)
1432 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1434 if (nla[NFTA_CHAIN_COUNTERS]) {
1435 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1436 if (IS_ERR(stats)) {
1437 nft_chain_release_hook(&hook);
1439 return PTR_ERR(stats);
1441 basechain->stats = stats;
1442 static_branch_inc(&nft_counters_enabled);
1445 hookfn = hook.type->hooks[hook.num];
1446 basechain->type = hook.type;
1447 chain = &basechain->chain;
1449 for (i = 0; i < afi->nops; i++) {
1450 ops = &basechain->ops[i];
1452 ops->hooknum = hook.num;
1453 ops->priority = hook.priority;
1455 ops->hook = afi->hooks[ops->hooknum];
1456 ops->dev = hook.dev;
1459 if (afi->hook_ops_init)
1460 afi->hook_ops_init(ops, i);
1463 chain->flags |= NFT_BASE_CHAIN;
1464 basechain->policy = policy;
1466 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1470 INIT_LIST_HEAD(&chain->rules);
1471 chain->handle = nf_tables_alloc_handle(table);
1472 chain->table = table;
1473 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1479 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1484 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1489 list_add_tail_rcu(&chain->list, &table->chains);
1493 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1495 nf_tables_chain_destroy(chain);
1500 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1503 const struct nlattr * const *nla = ctx->nla;
1504 struct nft_table *table = ctx->table;
1505 struct nft_chain *chain = ctx->chain;
1506 struct nft_af_info *afi = ctx->afi;
1507 struct nft_base_chain *basechain;
1508 struct nft_stats *stats = NULL;
1509 struct nft_chain_hook hook;
1510 struct nf_hook_ops *ops;
1511 struct nft_trans *trans;
1514 if (nla[NFTA_CHAIN_HOOK]) {
1515 if (!nft_is_base_chain(chain))
1518 err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
1523 basechain = nft_base_chain(chain);
1524 if (basechain->type != hook.type) {
1525 nft_chain_release_hook(&hook);
1529 for (i = 0; i < afi->nops; i++) {
1530 ops = &basechain->ops[i];
1531 if (ops->hooknum != hook.num ||
1532 ops->priority != hook.priority ||
1533 ops->dev != hook.dev) {
1534 nft_chain_release_hook(&hook);
1538 nft_chain_release_hook(&hook);
1541 if (nla[NFTA_CHAIN_HANDLE] &&
1542 nla[NFTA_CHAIN_NAME]) {
1543 struct nft_chain *chain2;
1545 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1547 if (!IS_ERR(chain2))
1551 if (nla[NFTA_CHAIN_COUNTERS]) {
1552 if (!nft_is_base_chain(chain))
1555 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1557 return PTR_ERR(stats);
1561 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1562 sizeof(struct nft_trans_chain));
1566 nft_trans_chain_stats(trans) = stats;
1567 nft_trans_chain_update(trans) = true;
1569 if (nla[NFTA_CHAIN_POLICY])
1570 nft_trans_chain_policy(trans) = policy;
1572 nft_trans_chain_policy(trans) = -1;
1574 if (nla[NFTA_CHAIN_HANDLE] &&
1575 nla[NFTA_CHAIN_NAME]) {
1576 struct nft_trans *tmp;
1580 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1585 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1586 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1587 tmp->ctx.table == table &&
1588 nft_trans_chain_update(tmp) &&
1589 nft_trans_chain_name(tmp) &&
1590 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1596 nft_trans_chain_name(trans) = name;
1598 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1607 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1608 struct sk_buff *skb, const struct nlmsghdr *nlh,
1609 const struct nlattr * const nla[],
1610 struct netlink_ext_ack *extack)
1612 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1613 const struct nlattr * uninitialized_var(name);
1614 u8 genmask = nft_genmask_next(net);
1615 int family = nfmsg->nfgen_family;
1616 struct nft_af_info *afi;
1617 struct nft_table *table;
1618 struct nft_chain *chain;
1619 u8 policy = NF_ACCEPT;
1624 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1626 afi = nf_tables_afinfo_lookup(net, family, true);
1628 return PTR_ERR(afi);
1630 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1632 return PTR_ERR(table);
1635 name = nla[NFTA_CHAIN_NAME];
1637 if (nla[NFTA_CHAIN_HANDLE]) {
1638 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1639 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1641 return PTR_ERR(chain);
1643 chain = nf_tables_chain_lookup(table, name, genmask);
1644 if (IS_ERR(chain)) {
1645 if (PTR_ERR(chain) != -ENOENT)
1646 return PTR_ERR(chain);
1651 if (nla[NFTA_CHAIN_POLICY]) {
1652 if (chain != NULL &&
1653 !nft_is_base_chain(chain))
1656 if (chain == NULL &&
1657 nla[NFTA_CHAIN_HOOK] == NULL)
1660 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1670 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1672 if (chain != NULL) {
1673 if (nlh->nlmsg_flags & NLM_F_EXCL)
1675 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1678 return nf_tables_updchain(&ctx, genmask, policy, create);
1681 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1684 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1685 struct sk_buff *skb, const struct nlmsghdr *nlh,
1686 const struct nlattr * const nla[],
1687 struct netlink_ext_ack *extack)
1689 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1690 u8 genmask = nft_genmask_next(net);
1691 struct nft_af_info *afi;
1692 struct nft_table *table;
1693 struct nft_chain *chain;
1694 struct nft_rule *rule;
1695 int family = nfmsg->nfgen_family;
1700 afi = nf_tables_afinfo_lookup(net, family, false);
1702 return PTR_ERR(afi);
1704 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1706 return PTR_ERR(table);
1708 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1710 return PTR_ERR(chain);
1712 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1716 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1719 list_for_each_entry(rule, &chain->rules, list) {
1720 if (!nft_is_active_next(net, rule))
1724 err = nft_delrule(&ctx, rule);
1729 /* There are rules and elements that are still holding references to us,
1730 * we cannot do a recursive removal in this case.
1735 return nft_delchain(&ctx);
1743 * nft_register_expr - register nf_tables expr type
1746 * Registers the expr type for use with nf_tables. Returns zero on
1747 * success or a negative errno code otherwise.
1749 int nft_register_expr(struct nft_expr_type *type)
1751 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1752 if (type->family == NFPROTO_UNSPEC)
1753 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1755 list_add_rcu(&type->list, &nf_tables_expressions);
1756 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1759 EXPORT_SYMBOL_GPL(nft_register_expr);
1762 * nft_unregister_expr - unregister nf_tables expr type
1765 * Unregisters the expr typefor use with nf_tables.
1767 void nft_unregister_expr(struct nft_expr_type *type)
1769 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1770 list_del_rcu(&type->list);
1771 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1773 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1775 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1778 const struct nft_expr_type *type;
1780 list_for_each_entry(type, &nf_tables_expressions, list) {
1781 if (!nla_strcmp(nla, type->name) &&
1782 (!type->family || type->family == family))
1788 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1791 const struct nft_expr_type *type;
1794 return ERR_PTR(-EINVAL);
1796 type = __nft_expr_type_get(family, nla);
1797 if (type != NULL && try_module_get(type->owner))
1800 #ifdef CONFIG_MODULES
1802 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1803 request_module("nft-expr-%u-%.*s", family,
1804 nla_len(nla), (char *)nla_data(nla));
1805 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1806 if (__nft_expr_type_get(family, nla))
1807 return ERR_PTR(-EAGAIN);
1809 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1810 request_module("nft-expr-%.*s",
1811 nla_len(nla), (char *)nla_data(nla));
1812 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1813 if (__nft_expr_type_get(family, nla))
1814 return ERR_PTR(-EAGAIN);
1817 return ERR_PTR(-ENOENT);
1820 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1821 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1822 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1825 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1826 const struct nft_expr *expr)
1828 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1829 goto nla_put_failure;
1831 if (expr->ops->dump) {
1832 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1834 goto nla_put_failure;
1835 if (expr->ops->dump(skb, expr) < 0)
1836 goto nla_put_failure;
1837 nla_nest_end(skb, data);
1846 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1847 const struct nft_expr *expr)
1849 struct nlattr *nest;
1851 nest = nla_nest_start(skb, attr);
1853 goto nla_put_failure;
1854 if (nf_tables_fill_expr_info(skb, expr) < 0)
1855 goto nla_put_failure;
1856 nla_nest_end(skb, nest);
1863 struct nft_expr_info {
1864 const struct nft_expr_ops *ops;
1865 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1868 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1869 const struct nlattr *nla,
1870 struct nft_expr_info *info)
1872 const struct nft_expr_type *type;
1873 const struct nft_expr_ops *ops;
1874 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1877 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1881 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1883 return PTR_ERR(type);
1885 if (tb[NFTA_EXPR_DATA]) {
1886 err = nla_parse_nested(info->tb, type->maxattr,
1887 tb[NFTA_EXPR_DATA], type->policy, NULL);
1891 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1893 if (type->select_ops != NULL) {
1894 ops = type->select_ops(ctx,
1895 (const struct nlattr * const *)info->tb);
1907 module_put(type->owner);
1911 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1912 const struct nft_expr_info *info,
1913 struct nft_expr *expr)
1915 const struct nft_expr_ops *ops = info->ops;
1920 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1925 if (ops->validate) {
1926 const struct nft_data *data = NULL;
1928 err = ops->validate(ctx, expr, &data);
1937 ops->destroy(ctx, expr);
1943 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1944 struct nft_expr *expr)
1946 if (expr->ops->destroy)
1947 expr->ops->destroy(ctx, expr);
1948 module_put(expr->ops->type->owner);
1951 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1952 const struct nlattr *nla)
1954 struct nft_expr_info info;
1955 struct nft_expr *expr;
1958 err = nf_tables_expr_parse(ctx, nla, &info);
1960 goto err_expr_parse;
1963 if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
1964 goto err_expr_stateful;
1967 expr = kzalloc(info.ops->size, GFP_KERNEL);
1969 goto err_expr_stateful;
1971 err = nf_tables_newexpr(ctx, &info, expr);
1979 module_put(info.ops->type->owner);
1981 return ERR_PTR(err);
1984 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1986 nf_tables_expr_destroy(ctx, expr);
1994 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1997 struct nft_rule *rule;
1999 // FIXME: this sucks
2000 list_for_each_entry(rule, &chain->rules, list) {
2001 if (handle == rule->handle)
2005 return ERR_PTR(-ENOENT);
2008 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
2009 const struct nlattr *nla)
2012 return ERR_PTR(-EINVAL);
2014 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2017 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2018 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2019 .len = NFT_TABLE_MAXNAMELEN - 1 },
2020 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2021 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2022 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2023 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2024 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2025 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2026 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2027 .len = NFT_USERDATA_MAXLEN },
2028 [NFTA_RULE_ID] = { .type = NLA_U32 },
2031 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2032 u32 portid, u32 seq, int event,
2033 u32 flags, int family,
2034 const struct nft_table *table,
2035 const struct nft_chain *chain,
2036 const struct nft_rule *rule)
2038 struct nlmsghdr *nlh;
2039 struct nfgenmsg *nfmsg;
2040 const struct nft_expr *expr, *next;
2041 struct nlattr *list;
2042 const struct nft_rule *prule;
2043 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2045 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2047 goto nla_put_failure;
2049 nfmsg = nlmsg_data(nlh);
2050 nfmsg->nfgen_family = family;
2051 nfmsg->version = NFNETLINK_V0;
2052 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2054 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2055 goto nla_put_failure;
2056 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2057 goto nla_put_failure;
2058 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2060 goto nla_put_failure;
2062 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2063 prule = list_prev_entry(rule, list);
2064 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2065 cpu_to_be64(prule->handle),
2067 goto nla_put_failure;
2070 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2072 goto nla_put_failure;
2073 nft_rule_for_each_expr(expr, next, rule) {
2074 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2075 goto nla_put_failure;
2077 nla_nest_end(skb, list);
2080 struct nft_userdata *udata = nft_userdata(rule);
2081 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2083 goto nla_put_failure;
2086 nlmsg_end(skb, nlh);
2090 nlmsg_trim(skb, nlh);
2094 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2095 const struct nft_rule *rule, int event)
2097 struct sk_buff *skb;
2101 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2104 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2108 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2109 event, 0, ctx->afi->family, ctx->table,
2116 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2117 ctx->report, GFP_KERNEL);
2120 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2123 struct nft_rule_dump_ctx {
2128 static int nf_tables_dump_rules(struct sk_buff *skb,
2129 struct netlink_callback *cb)
2131 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2132 const struct nft_rule_dump_ctx *ctx = cb->data;
2133 const struct nft_af_info *afi;
2134 const struct nft_table *table;
2135 const struct nft_chain *chain;
2136 const struct nft_rule *rule;
2137 unsigned int idx = 0, s_idx = cb->args[0];
2138 struct net *net = sock_net(skb->sk);
2139 int family = nfmsg->nfgen_family;
2142 cb->seq = net->nft.base_seq;
2144 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2145 if (family != NFPROTO_UNSPEC && family != afi->family)
2148 list_for_each_entry_rcu(table, &afi->tables, list) {
2149 if (ctx && ctx->table &&
2150 strcmp(ctx->table, table->name) != 0)
2153 list_for_each_entry_rcu(chain, &table->chains, list) {
2154 if (ctx && ctx->chain &&
2155 strcmp(ctx->chain, chain->name) != 0)
2158 list_for_each_entry_rcu(rule, &chain->rules, list) {
2159 if (!nft_is_active(net, rule))
2164 memset(&cb->args[1], 0,
2165 sizeof(cb->args) - sizeof(cb->args[0]));
2166 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2169 NLM_F_MULTI | NLM_F_APPEND,
2170 afi->family, table, chain, rule) < 0)
2173 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2187 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2189 struct nft_rule_dump_ctx *ctx = cb->data;
2199 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2200 struct sk_buff *skb, const struct nlmsghdr *nlh,
2201 const struct nlattr * const nla[],
2202 struct netlink_ext_ack *extack)
2204 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2205 u8 genmask = nft_genmask_cur(net);
2206 const struct nft_af_info *afi;
2207 const struct nft_table *table;
2208 const struct nft_chain *chain;
2209 const struct nft_rule *rule;
2210 struct sk_buff *skb2;
2211 int family = nfmsg->nfgen_family;
2214 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2215 struct netlink_dump_control c = {
2216 .dump = nf_tables_dump_rules,
2217 .done = nf_tables_dump_rules_done,
2220 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2221 struct nft_rule_dump_ctx *ctx;
2223 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2227 if (nla[NFTA_RULE_TABLE]) {
2228 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2235 if (nla[NFTA_RULE_CHAIN]) {
2236 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2247 return netlink_dump_start(nlsk, skb, nlh, &c);
2250 afi = nf_tables_afinfo_lookup(net, family, false);
2252 return PTR_ERR(afi);
2254 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2256 return PTR_ERR(table);
2258 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2260 return PTR_ERR(chain);
2262 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2264 return PTR_ERR(rule);
2266 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2270 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2271 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2272 family, table, chain, rule);
2276 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2283 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2284 struct nft_rule *rule)
2286 struct nft_expr *expr, *next;
2289 * Careful: some expressions might not be initialized in case this
2290 * is called on error from nf_tables_newrule().
2292 expr = nft_expr_first(rule);
2293 while (expr != nft_expr_last(rule) && expr->ops) {
2294 next = nft_expr_next(expr);
2295 nf_tables_expr_destroy(ctx, expr);
2301 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2302 struct nft_rule *rule)
2304 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2305 nf_tables_rule_destroy(ctx, rule);
2308 #define NFT_RULE_MAXEXPRS 128
2310 static struct nft_expr_info *info;
2312 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2313 struct sk_buff *skb, const struct nlmsghdr *nlh,
2314 const struct nlattr * const nla[],
2315 struct netlink_ext_ack *extack)
2317 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2318 u8 genmask = nft_genmask_next(net);
2319 struct nft_af_info *afi;
2320 struct nft_table *table;
2321 struct nft_chain *chain;
2322 struct nft_rule *rule, *old_rule = NULL;
2323 struct nft_userdata *udata;
2324 struct nft_trans *trans = NULL;
2325 struct nft_expr *expr;
2328 unsigned int size, i, n, ulen = 0, usize = 0;
2331 u64 handle, pos_handle;
2333 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2335 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2337 return PTR_ERR(afi);
2339 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2341 return PTR_ERR(table);
2343 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2345 return PTR_ERR(chain);
2347 if (nla[NFTA_RULE_HANDLE]) {
2348 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2349 rule = __nf_tables_rule_lookup(chain, handle);
2351 return PTR_ERR(rule);
2353 if (nlh->nlmsg_flags & NLM_F_EXCL)
2355 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2360 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2362 handle = nf_tables_alloc_handle(table);
2364 if (chain->use == UINT_MAX)
2368 if (nla[NFTA_RULE_POSITION]) {
2369 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2372 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2373 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2374 if (IS_ERR(old_rule))
2375 return PTR_ERR(old_rule);
2378 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2382 if (nla[NFTA_RULE_EXPRESSIONS]) {
2383 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2385 if (nla_type(tmp) != NFTA_LIST_ELEM)
2387 if (n == NFT_RULE_MAXEXPRS)
2389 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2392 size += info[n].ops->size;
2396 /* Check for overflow of dlen field */
2398 if (size >= 1 << 12)
2401 if (nla[NFTA_RULE_USERDATA]) {
2402 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2404 usize = sizeof(struct nft_userdata) + ulen;
2408 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2412 nft_activate_next(net, rule);
2414 rule->handle = handle;
2416 rule->udata = ulen ? 1 : 0;
2419 udata = nft_userdata(rule);
2420 udata->len = ulen - 1;
2421 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2424 expr = nft_expr_first(rule);
2425 for (i = 0; i < n; i++) {
2426 err = nf_tables_newexpr(&ctx, &info[i], expr);
2430 expr = nft_expr_next(expr);
2433 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2434 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2435 if (trans == NULL) {
2439 err = nft_delrule(&ctx, old_rule);
2441 nft_trans_destroy(trans);
2445 list_add_tail_rcu(&rule->list, &old_rule->list);
2447 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2452 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2454 list_add_rcu(&rule->list, &old_rule->list);
2456 list_add_tail_rcu(&rule->list, &chain->rules);
2459 list_add_tail_rcu(&rule->list, &old_rule->list);
2461 list_add_rcu(&rule->list, &chain->rules);
2468 nf_tables_rule_release(&ctx, rule);
2470 for (i = 0; i < n; i++) {
2471 if (info[i].ops != NULL)
2472 module_put(info[i].ops->type->owner);
2477 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2478 const struct nft_chain *chain,
2479 const struct nlattr *nla)
2481 u32 id = ntohl(nla_get_be32(nla));
2482 struct nft_trans *trans;
2484 list_for_each_entry(trans, &net->nft.commit_list, list) {
2485 struct nft_rule *rule = nft_trans_rule(trans);
2487 if (trans->msg_type == NFT_MSG_NEWRULE &&
2488 trans->ctx.chain == chain &&
2489 id == nft_trans_rule_id(trans))
2492 return ERR_PTR(-ENOENT);
2495 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2496 struct sk_buff *skb, const struct nlmsghdr *nlh,
2497 const struct nlattr * const nla[],
2498 struct netlink_ext_ack *extack)
2500 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2501 u8 genmask = nft_genmask_next(net);
2502 struct nft_af_info *afi;
2503 struct nft_table *table;
2504 struct nft_chain *chain = NULL;
2505 struct nft_rule *rule;
2506 int family = nfmsg->nfgen_family, err = 0;
2509 afi = nf_tables_afinfo_lookup(net, family, false);
2511 return PTR_ERR(afi);
2513 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2515 return PTR_ERR(table);
2517 if (nla[NFTA_RULE_CHAIN]) {
2518 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2521 return PTR_ERR(chain);
2524 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2527 if (nla[NFTA_RULE_HANDLE]) {
2528 rule = nf_tables_rule_lookup(chain,
2529 nla[NFTA_RULE_HANDLE]);
2531 return PTR_ERR(rule);
2533 err = nft_delrule(&ctx, rule);
2534 } else if (nla[NFTA_RULE_ID]) {
2535 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
2537 return PTR_ERR(rule);
2539 err = nft_delrule(&ctx, rule);
2541 err = nft_delrule_by_chain(&ctx);
2544 list_for_each_entry(chain, &table->chains, list) {
2545 if (!nft_is_active_next(net, chain))
2549 err = nft_delrule_by_chain(&ctx);
2562 static LIST_HEAD(nf_tables_set_types);
2564 int nft_register_set(struct nft_set_type *type)
2566 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2567 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2568 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2571 EXPORT_SYMBOL_GPL(nft_register_set);
2573 void nft_unregister_set(struct nft_set_type *type)
2575 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2576 list_del_rcu(&type->list);
2577 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2579 EXPORT_SYMBOL_GPL(nft_unregister_set);
2581 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2582 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2584 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2586 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2590 * Select a set implementation based on the data characteristics and the
2591 * given policy. The total memory use might not be known if no size is
2592 * given, in that case the amount of memory per element is used.
2594 static const struct nft_set_ops *
2595 nft_select_set_ops(const struct nft_ctx *ctx,
2596 const struct nlattr * const nla[],
2597 const struct nft_set_desc *desc,
2598 enum nft_set_policies policy)
2600 const struct nft_set_ops *ops, *bops;
2601 struct nft_set_estimate est, best;
2602 const struct nft_set_type *type;
2605 #ifdef CONFIG_MODULES
2606 if (list_empty(&nf_tables_set_types)) {
2607 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2608 request_module("nft-set");
2609 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2610 if (!list_empty(&nf_tables_set_types))
2611 return ERR_PTR(-EAGAIN);
2614 if (nla[NFTA_SET_FLAGS] != NULL)
2615 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2622 list_for_each_entry(type, &nf_tables_set_types, list) {
2623 if (!type->select_ops)
2626 ops = type->select_ops(ctx, desc, flags);
2630 if (!nft_set_ops_candidate(ops, flags))
2632 if (!ops->estimate(desc, flags, &est))
2636 case NFT_SET_POL_PERFORMANCE:
2637 if (est.lookup < best.lookup)
2639 if (est.lookup == best.lookup) {
2641 if (est.space < best.space)
2643 } else if (est.size < best.size) {
2648 case NFT_SET_POL_MEMORY:
2650 if (est.space < best.space)
2652 if (est.space == best.space &&
2653 est.lookup < best.lookup)
2655 } else if (est.size < best.size) {
2663 if (!try_module_get(type->owner))
2666 module_put(bops->type->owner);
2675 return ERR_PTR(-EOPNOTSUPP);
2678 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2679 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2680 .len = NFT_TABLE_MAXNAMELEN - 1 },
2681 [NFTA_SET_NAME] = { .type = NLA_STRING,
2682 .len = NFT_SET_MAXNAMELEN - 1 },
2683 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2684 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2685 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2686 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2687 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2688 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2689 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2690 [NFTA_SET_ID] = { .type = NLA_U32 },
2691 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2692 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2693 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2694 .len = NFT_USERDATA_MAXLEN },
2695 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2698 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2699 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2702 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2703 const struct sk_buff *skb,
2704 const struct nlmsghdr *nlh,
2705 const struct nlattr * const nla[],
2708 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2709 struct nft_af_info *afi = NULL;
2710 struct nft_table *table = NULL;
2712 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2713 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2715 return PTR_ERR(afi);
2718 if (nla[NFTA_SET_TABLE] != NULL) {
2720 return -EAFNOSUPPORT;
2722 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2725 return PTR_ERR(table);
2728 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2732 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2733 const struct nlattr *nla, u8 genmask)
2735 struct nft_set *set;
2738 return ERR_PTR(-EINVAL);
2740 list_for_each_entry(set, &table->sets, list) {
2741 if (!nla_strcmp(nla, set->name) &&
2742 nft_active_genmask(set, genmask))
2745 return ERR_PTR(-ENOENT);
2748 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2749 const struct nft_table *table,
2750 const struct nlattr *nla,
2753 struct nft_trans *trans;
2754 u32 id = ntohl(nla_get_be32(nla));
2756 list_for_each_entry(trans, &net->nft.commit_list, list) {
2757 if (trans->msg_type == NFT_MSG_NEWSET) {
2758 struct nft_set *set = nft_trans_set(trans);
2760 if (id == nft_trans_set_id(trans) &&
2761 set->table == table &&
2762 nft_active_genmask(set, genmask))
2766 return ERR_PTR(-ENOENT);
2769 struct nft_set *nft_set_lookup(const struct net *net,
2770 const struct nft_table *table,
2771 const struct nlattr *nla_set_name,
2772 const struct nlattr *nla_set_id,
2775 struct nft_set *set;
2777 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2782 set = nf_tables_set_lookup_byid(net, table, nla_set_id, genmask);
2786 EXPORT_SYMBOL_GPL(nft_set_lookup);
2788 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2791 const struct nft_set *i;
2793 unsigned long *inuse;
2794 unsigned int n = 0, min = 0;
2796 p = strchr(name, '%');
2798 if (p[1] != 'd' || strchr(p + 2, '%'))
2801 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2805 list_for_each_entry(i, &ctx->table->sets, list) {
2808 if (!nft_is_active_next(ctx->net, i))
2810 if (!sscanf(i->name, name, &tmp))
2812 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2815 set_bit(tmp - min, inuse);
2818 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2819 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2820 min += BITS_PER_BYTE * PAGE_SIZE;
2821 memset(inuse, 0, PAGE_SIZE);
2824 free_page((unsigned long)inuse);
2827 set->name = kasprintf(GFP_KERNEL, name, min + n);
2831 list_for_each_entry(i, &ctx->table->sets, list) {
2832 if (!nft_is_active_next(ctx->net, i))
2834 if (!strcmp(set->name, i->name)) {
2842 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2843 const struct nft_set *set, u16 event, u16 flags)
2845 struct nfgenmsg *nfmsg;
2846 struct nlmsghdr *nlh;
2847 struct nlattr *desc;
2848 u32 portid = ctx->portid;
2851 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2852 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2855 goto nla_put_failure;
2857 nfmsg = nlmsg_data(nlh);
2858 nfmsg->nfgen_family = ctx->afi->family;
2859 nfmsg->version = NFNETLINK_V0;
2860 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2862 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2863 goto nla_put_failure;
2864 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2865 goto nla_put_failure;
2866 if (set->flags != 0)
2867 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2868 goto nla_put_failure;
2870 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2871 goto nla_put_failure;
2872 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2873 goto nla_put_failure;
2874 if (set->flags & NFT_SET_MAP) {
2875 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2876 goto nla_put_failure;
2877 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2878 goto nla_put_failure;
2880 if (set->flags & NFT_SET_OBJECT &&
2881 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2882 goto nla_put_failure;
2885 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2886 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2888 goto nla_put_failure;
2890 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2891 goto nla_put_failure;
2893 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2894 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2895 goto nla_put_failure;
2899 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2900 goto nla_put_failure;
2902 desc = nla_nest_start(skb, NFTA_SET_DESC);
2904 goto nla_put_failure;
2906 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2907 goto nla_put_failure;
2908 nla_nest_end(skb, desc);
2910 nlmsg_end(skb, nlh);
2914 nlmsg_trim(skb, nlh);
2918 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2919 const struct nft_set *set, int event,
2922 struct sk_buff *skb;
2923 u32 portid = ctx->portid;
2927 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2930 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2934 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2940 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2944 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2947 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2949 const struct nft_set *set;
2950 unsigned int idx, s_idx = cb->args[0];
2951 struct nft_af_info *afi;
2952 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2953 struct net *net = sock_net(skb->sk);
2954 int cur_family = cb->args[3];
2955 struct nft_ctx *ctx = cb->data, ctx_set;
2961 cb->seq = net->nft.base_seq;
2963 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2964 if (ctx->afi && ctx->afi != afi)
2968 if (afi->family != cur_family)
2973 list_for_each_entry_rcu(table, &afi->tables, list) {
2974 if (ctx->table && ctx->table != table)
2978 if (cur_table != table)
2984 list_for_each_entry_rcu(set, &table->sets, list) {
2987 if (!nft_is_active(net, set))
2991 ctx_set.table = table;
2993 if (nf_tables_fill_set(skb, &ctx_set, set,
2997 cb->args[2] = (unsigned long) table;
2998 cb->args[3] = afi->family;
3001 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3015 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3021 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3022 struct sk_buff *skb, const struct nlmsghdr *nlh,
3023 const struct nlattr * const nla[],
3024 struct netlink_ext_ack *extack)
3026 u8 genmask = nft_genmask_cur(net);
3027 const struct nft_set *set;
3029 struct sk_buff *skb2;
3030 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3033 /* Verify existence before starting dump */
3034 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3038 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3039 struct netlink_dump_control c = {
3040 .dump = nf_tables_dump_sets,
3041 .done = nf_tables_dump_sets_done,
3043 struct nft_ctx *ctx_dump;
3045 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3046 if (ctx_dump == NULL)
3052 return netlink_dump_start(nlsk, skb, nlh, &c);
3055 /* Only accept unspec with dump */
3056 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3057 return -EAFNOSUPPORT;
3058 if (!nla[NFTA_SET_TABLE])
3061 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3063 return PTR_ERR(set);
3065 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3069 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3073 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3080 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3081 struct nft_set_desc *desc,
3082 const struct nlattr *nla)
3084 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3087 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3088 nft_set_desc_policy, NULL);
3092 if (da[NFTA_SET_DESC_SIZE] != NULL)
3093 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3098 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3099 struct sk_buff *skb, const struct nlmsghdr *nlh,
3100 const struct nlattr * const nla[],
3101 struct netlink_ext_ack *extack)
3103 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3104 u8 genmask = nft_genmask_next(net);
3105 const struct nft_set_ops *ops;
3106 struct nft_af_info *afi;
3107 struct nft_table *table;
3108 struct nft_set *set;
3114 u32 ktype, dtype, flags, policy, gc_int, objtype;
3115 struct nft_set_desc desc;
3116 unsigned char *udata;
3120 if (nla[NFTA_SET_TABLE] == NULL ||
3121 nla[NFTA_SET_NAME] == NULL ||
3122 nla[NFTA_SET_KEY_LEN] == NULL ||
3123 nla[NFTA_SET_ID] == NULL)
3126 memset(&desc, 0, sizeof(desc));
3128 ktype = NFT_DATA_VALUE;
3129 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3130 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3131 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3135 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3136 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3140 if (nla[NFTA_SET_FLAGS] != NULL) {
3141 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3142 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3143 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3144 NFT_SET_MAP | NFT_SET_EVAL |
3147 /* Only one of these operations is supported */
3148 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3149 (NFT_SET_MAP | NFT_SET_OBJECT))
3151 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3152 (NFT_SET_EVAL | NFT_SET_OBJECT))
3157 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3158 if (!(flags & NFT_SET_MAP))
3161 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3162 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3163 dtype != NFT_DATA_VERDICT)
3166 if (dtype != NFT_DATA_VERDICT) {
3167 if (nla[NFTA_SET_DATA_LEN] == NULL)
3169 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3170 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3173 desc.dlen = sizeof(struct nft_verdict);
3174 } else if (flags & NFT_SET_MAP)
3177 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3178 if (!(flags & NFT_SET_OBJECT))
3181 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3182 if (objtype == NFT_OBJECT_UNSPEC ||
3183 objtype > NFT_OBJECT_MAX)
3185 } else if (flags & NFT_SET_OBJECT)
3188 objtype = NFT_OBJECT_UNSPEC;
3191 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3192 if (!(flags & NFT_SET_TIMEOUT))
3194 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3195 nla[NFTA_SET_TIMEOUT])));
3198 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3199 if (!(flags & NFT_SET_TIMEOUT))
3201 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3204 policy = NFT_SET_POL_PERFORMANCE;
3205 if (nla[NFTA_SET_POLICY] != NULL)
3206 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3208 if (nla[NFTA_SET_DESC] != NULL) {
3209 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3214 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3216 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3218 return PTR_ERR(afi);
3220 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
3222 return PTR_ERR(table);
3224 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
3226 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3228 if (PTR_ERR(set) != -ENOENT)
3229 return PTR_ERR(set);
3231 if (nlh->nlmsg_flags & NLM_F_EXCL)
3233 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3238 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3241 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3243 return PTR_ERR(ops);
3246 if (nla[NFTA_SET_USERDATA])
3247 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3250 if (ops->privsize != NULL)
3251 size = ops->privsize(nla, &desc);
3253 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3259 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3265 err = nf_tables_set_alloc_name(&ctx, set, name);
3272 udata = set->data + size;
3273 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3276 INIT_LIST_HEAD(&set->bindings);
3280 set->klen = desc.klen;
3282 set->objtype = objtype;
3283 set->dlen = desc.dlen;
3285 set->size = desc.size;
3286 set->policy = policy;
3289 set->timeout = timeout;
3290 set->gc_int = gc_int;
3292 err = ops->init(set, &desc, nla);
3296 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3300 list_add_tail_rcu(&set->list, &table->sets);
3311 module_put(ops->type->owner);
3315 static void nft_set_destroy(struct nft_set *set)
3317 if (WARN_ON(set->use > 0))
3320 set->ops->destroy(set);
3321 module_put(set->ops->type->owner);
3326 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3327 struct sk_buff *skb, const struct nlmsghdr *nlh,
3328 const struct nlattr * const nla[],
3329 struct netlink_ext_ack *extack)
3331 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3332 u8 genmask = nft_genmask_next(net);
3333 struct nft_set *set;
3337 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3338 return -EAFNOSUPPORT;
3339 if (nla[NFTA_SET_TABLE] == NULL)
3342 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3346 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3348 return PTR_ERR(set);
3351 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3354 return nft_delset(&ctx, set);
3357 static int nft_validate_register_store(const struct nft_ctx *ctx,
3358 enum nft_registers reg,
3359 const struct nft_data *data,
3360 enum nft_data_types type,
3363 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3364 struct nft_set *set,
3365 const struct nft_set_iter *iter,
3366 struct nft_set_elem *elem)
3368 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3369 enum nft_registers dreg;
3371 dreg = nft_type_to_reg(set->dtype);
3372 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3373 set->dtype == NFT_DATA_VERDICT ?
3374 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3378 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3379 struct nft_set_binding *binding)
3381 struct nft_set_binding *i;
3382 struct nft_set_iter iter;
3384 if (set->use == UINT_MAX)
3387 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3390 if (binding->flags & NFT_SET_MAP) {
3391 /* If the set is already bound to the same chain all
3392 * jumps are already validated for that chain.
3394 list_for_each_entry(i, &set->bindings, list) {
3395 if (i->flags & NFT_SET_MAP &&
3396 i->chain == binding->chain)
3400 iter.genmask = nft_genmask_next(ctx->net);
3404 iter.fn = nf_tables_bind_check_setelem;
3406 set->ops->walk(ctx, set, &iter);
3411 binding->chain = ctx->chain;
3412 list_add_tail_rcu(&binding->list, &set->bindings);
3413 nft_set_trans_bind(ctx, set);
3418 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3420 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3421 struct nft_set_binding *binding, bool event)
3423 list_del_rcu(&binding->list);
3425 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS) {
3426 list_del_rcu(&set->list);
3428 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3432 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3434 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
3436 if (set->flags & NFT_SET_ANONYMOUS)
3437 nft_clear(ctx->net, set);
3441 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
3443 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3444 struct nft_set_binding *binding,
3445 enum nft_trans_phase phase)
3448 case NFT_TRANS_PREPARE:
3449 if (set->flags & NFT_SET_ANONYMOUS)
3450 nft_deactivate_next(ctx->net, set);
3454 case NFT_TRANS_ABORT:
3455 case NFT_TRANS_RELEASE:
3459 nf_tables_unbind_set(ctx, set, binding,
3460 phase == NFT_TRANS_COMMIT);
3463 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3465 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3467 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3468 nft_set_destroy(set);
3470 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3472 const struct nft_set_ext_type nft_set_ext_types[] = {
3473 [NFT_SET_EXT_KEY] = {
3474 .align = __alignof__(u32),
3476 [NFT_SET_EXT_DATA] = {
3477 .align = __alignof__(u32),
3479 [NFT_SET_EXT_EXPR] = {
3480 .align = __alignof__(struct nft_expr),
3482 [NFT_SET_EXT_OBJREF] = {
3483 .len = sizeof(struct nft_object *),
3484 .align = __alignof__(struct nft_object *),
3486 [NFT_SET_EXT_FLAGS] = {
3488 .align = __alignof__(u8),
3490 [NFT_SET_EXT_TIMEOUT] = {
3492 .align = __alignof__(u64),
3494 [NFT_SET_EXT_EXPIRATION] = {
3495 .len = sizeof(unsigned long),
3496 .align = __alignof__(unsigned long),
3498 [NFT_SET_EXT_USERDATA] = {
3499 .len = sizeof(struct nft_userdata),
3500 .align = __alignof__(struct nft_userdata),
3503 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3509 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3510 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3511 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3512 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3513 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3514 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3515 .len = NFT_USERDATA_MAXLEN },
3516 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3517 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3520 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3521 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3522 .len = NFT_TABLE_MAXNAMELEN - 1 },
3523 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3524 .len = NFT_SET_MAXNAMELEN - 1 },
3525 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3526 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3529 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3530 const struct sk_buff *skb,
3531 const struct nlmsghdr *nlh,
3532 const struct nlattr * const nla[],
3535 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3536 struct nft_af_info *afi;
3537 struct nft_table *table;
3539 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3541 return PTR_ERR(afi);
3543 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3546 return PTR_ERR(table);
3548 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3552 static int nf_tables_fill_setelem(struct sk_buff *skb,
3553 const struct nft_set *set,
3554 const struct nft_set_elem *elem)
3556 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3557 unsigned char *b = skb_tail_pointer(skb);
3558 struct nlattr *nest;
3560 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3562 goto nla_put_failure;
3564 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3565 NFT_DATA_VALUE, set->klen) < 0)
3566 goto nla_put_failure;
3568 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3569 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3570 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3572 goto nla_put_failure;
3574 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3575 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3576 goto nla_put_failure;
3578 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3579 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3580 (*nft_set_ext_obj(ext))->name) < 0)
3581 goto nla_put_failure;
3583 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3584 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3585 htonl(*nft_set_ext_flags(ext))))
3586 goto nla_put_failure;
3588 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3589 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3590 cpu_to_be64(jiffies_to_msecs(
3591 *nft_set_ext_timeout(ext))),
3593 goto nla_put_failure;
3595 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3596 unsigned long expires, now = jiffies;
3598 expires = *nft_set_ext_expiration(ext);
3599 if (time_before(now, expires))
3604 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3605 cpu_to_be64(jiffies_to_msecs(expires)),
3607 goto nla_put_failure;
3610 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3611 struct nft_userdata *udata;
3613 udata = nft_set_ext_userdata(ext);
3614 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3615 udata->len + 1, udata->data))
3616 goto nla_put_failure;
3619 nla_nest_end(skb, nest);
3627 struct nft_set_dump_args {
3628 const struct netlink_callback *cb;
3629 struct nft_set_iter iter;
3630 struct sk_buff *skb;
3633 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3634 struct nft_set *set,
3635 const struct nft_set_iter *iter,
3636 struct nft_set_elem *elem)
3638 struct nft_set_dump_args *args;
3640 args = container_of(iter, struct nft_set_dump_args, iter);
3641 return nf_tables_fill_setelem(args->skb, set, elem);
3644 struct nft_set_dump_ctx {
3645 const struct nft_set *set;
3649 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3651 struct nft_set_dump_ctx *dump_ctx = cb->data;
3652 struct net *net = sock_net(skb->sk);
3653 struct nft_af_info *afi;
3654 struct nft_table *table;
3655 struct nft_set *set;
3656 struct nft_set_dump_args args;
3657 bool set_found = false;
3658 struct nfgenmsg *nfmsg;
3659 struct nlmsghdr *nlh;
3660 struct nlattr *nest;
3665 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
3666 if (afi != dump_ctx->ctx.afi)
3669 list_for_each_entry_rcu(table, &afi->tables, list) {
3670 if (table != dump_ctx->ctx.table)
3673 list_for_each_entry_rcu(set, &table->sets, list) {
3674 if (set == dump_ctx->set) {
3689 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3690 portid = NETLINK_CB(cb->skb).portid;
3691 seq = cb->nlh->nlmsg_seq;
3693 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3696 goto nla_put_failure;
3698 nfmsg = nlmsg_data(nlh);
3699 nfmsg->nfgen_family = afi->family;
3700 nfmsg->version = NFNETLINK_V0;
3701 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3703 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3704 goto nla_put_failure;
3705 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3706 goto nla_put_failure;
3708 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3710 goto nla_put_failure;
3714 args.iter.genmask = nft_genmask_cur(net);
3715 args.iter.skip = cb->args[0];
3716 args.iter.count = 0;
3718 args.iter.fn = nf_tables_dump_setelem;
3719 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3722 nla_nest_end(skb, nest);
3723 nlmsg_end(skb, nlh);
3725 if (args.iter.err && args.iter.err != -EMSGSIZE)
3726 return args.iter.err;
3727 if (args.iter.count == cb->args[0])
3730 cb->args[0] = args.iter.count;
3738 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3744 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
3745 struct nft_data *key, struct nlattr *attr)
3747 struct nft_data_desc desc;
3750 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
3754 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
3755 nft_data_release(key, desc.type);
3762 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3763 struct sk_buff *skb, const struct nlmsghdr *nlh,
3764 const struct nlattr * const nla[],
3765 struct netlink_ext_ack *extack)
3767 u8 genmask = nft_genmask_cur(net);
3768 const struct nft_set *set;
3772 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3776 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3779 return PTR_ERR(set);
3781 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3782 struct netlink_dump_control c = {
3783 .dump = nf_tables_dump_set,
3784 .done = nf_tables_dump_set_done,
3786 struct nft_set_dump_ctx *dump_ctx;
3788 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3792 dump_ctx->set = set;
3793 dump_ctx->ctx = ctx;
3796 return netlink_dump_start(nlsk, skb, nlh, &c);
3801 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3802 const struct nft_ctx *ctx, u32 seq,
3803 u32 portid, int event, u16 flags,
3804 const struct nft_set *set,
3805 const struct nft_set_elem *elem)
3807 struct nfgenmsg *nfmsg;
3808 struct nlmsghdr *nlh;
3809 struct nlattr *nest;
3812 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3813 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3816 goto nla_put_failure;
3818 nfmsg = nlmsg_data(nlh);
3819 nfmsg->nfgen_family = ctx->afi->family;
3820 nfmsg->version = NFNETLINK_V0;
3821 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3823 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3824 goto nla_put_failure;
3825 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3826 goto nla_put_failure;
3828 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3830 goto nla_put_failure;
3832 err = nf_tables_fill_setelem(skb, set, elem);
3834 goto nla_put_failure;
3836 nla_nest_end(skb, nest);
3838 nlmsg_end(skb, nlh);
3842 nlmsg_trim(skb, nlh);
3846 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3847 const struct nft_set *set,
3848 const struct nft_set_elem *elem,
3849 int event, u16 flags)
3851 struct net *net = ctx->net;
3852 u32 portid = ctx->portid;
3853 struct sk_buff *skb;
3856 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3859 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3863 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3870 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3874 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3877 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3879 struct nft_set *set)
3881 struct nft_trans *trans;
3883 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3887 nft_trans_elem_set(trans) = set;
3891 void *nft_set_elem_init(const struct nft_set *set,
3892 const struct nft_set_ext_tmpl *tmpl,
3893 const u32 *key, const u32 *data,
3894 u64 timeout, gfp_t gfp)
3896 struct nft_set_ext *ext;
3899 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3903 ext = nft_set_elem_ext(set, elem);
3904 nft_set_ext_init(ext, tmpl);
3906 memcpy(nft_set_ext_key(ext), key, set->klen);
3907 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3908 memcpy(nft_set_ext_data(ext), data, set->dlen);
3909 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3910 *nft_set_ext_expiration(ext) =
3912 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3913 *nft_set_ext_timeout(ext) = timeout;
3918 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3921 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3923 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3924 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3925 nft_data_release(nft_set_ext_data(ext), set->dtype);
3926 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3927 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3928 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3929 (*nft_set_ext_obj(ext))->use--;
3932 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3934 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3935 * the refcounting from the preparation phase.
3937 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3939 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3941 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3942 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3946 static int nft_setelem_parse_flags(const struct nft_set *set,
3947 const struct nlattr *attr, u32 *flags)
3952 *flags = ntohl(nla_get_be32(attr));
3953 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3955 if (!(set->flags & NFT_SET_INTERVAL) &&
3956 *flags & NFT_SET_ELEM_INTERVAL_END)
3962 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
3963 struct nft_data_desc *desc,
3964 struct nft_data *data,
3965 struct nlattr *attr)
3970 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
3974 if (set->dtype == NFT_DATA_VERDICT)
3975 dtype = NFT_DATA_VERDICT;
3977 dtype = NFT_DATA_VALUE;
3979 if (dtype != desc->type ||
3980 set->dlen != desc->len) {
3981 nft_data_release(data, desc->type);
3988 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3989 const struct nlattr *attr, u32 nlmsg_flags)
3991 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3992 u8 genmask = nft_genmask_next(ctx->net);
3993 struct nft_set_ext_tmpl tmpl;
3994 struct nft_set_ext *ext, *ext2;
3995 struct nft_set_elem elem;
3996 struct nft_set_binding *binding;
3997 struct nft_object *obj = NULL;
3998 struct nft_userdata *udata;
3999 struct nft_data_desc desc;
4000 enum nft_registers dreg;
4001 struct nft_trans *trans;
4007 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4008 nft_set_elem_policy, NULL);
4012 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4015 nft_set_ext_prepare(&tmpl);
4017 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4021 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4023 if (set->flags & NFT_SET_MAP) {
4024 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4025 !(flags & NFT_SET_ELEM_INTERVAL_END))
4028 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4032 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
4033 (nla[NFTA_SET_ELEM_DATA] ||
4034 nla[NFTA_SET_ELEM_OBJREF] ||
4035 nla[NFTA_SET_ELEM_TIMEOUT] ||
4036 nla[NFTA_SET_ELEM_EXPIRATION] ||
4037 nla[NFTA_SET_ELEM_USERDATA] ||
4038 nla[NFTA_SET_ELEM_EXPR]))
4042 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4043 if (!(set->flags & NFT_SET_TIMEOUT))
4045 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
4046 nla[NFTA_SET_ELEM_TIMEOUT])));
4047 } else if (set->flags & NFT_SET_TIMEOUT) {
4048 timeout = set->timeout;
4051 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4052 nla[NFTA_SET_ELEM_KEY]);
4056 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
4058 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4059 if (timeout != set->timeout)
4060 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4063 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4064 if (!(set->flags & NFT_SET_OBJECT)) {
4068 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4069 set->objtype, genmask);
4074 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4077 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4078 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
4079 nla[NFTA_SET_ELEM_DATA]);
4083 dreg = nft_type_to_reg(set->dtype);
4084 list_for_each_entry(binding, &set->bindings, list) {
4085 struct nft_ctx bind_ctx = {
4088 .table = ctx->table,
4089 .chain = (struct nft_chain *)binding->chain,
4092 if (!(binding->flags & NFT_SET_MAP))
4095 err = nft_validate_register_store(&bind_ctx, dreg,
4097 desc.type, desc.len);
4102 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
4105 /* The full maximum length of userdata can exceed the maximum
4106 * offset value (U8_MAX) for following extensions, therefor it
4107 * must be the last extension added.
4110 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4111 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4113 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4118 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
4120 timeout, GFP_KERNEL);
4121 if (elem.priv == NULL)
4124 ext = nft_set_elem_ext(set, elem.priv);
4126 *nft_set_ext_flags(ext) = flags;
4128 udata = nft_set_ext_userdata(ext);
4129 udata->len = ulen - 1;
4130 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4133 *nft_set_ext_obj(ext) = obj;
4137 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4141 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4142 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4144 if (err == -EEXIST) {
4145 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4146 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4147 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4148 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4152 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4153 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4154 memcmp(nft_set_ext_data(ext),
4155 nft_set_ext_data(ext2), set->dlen) != 0) ||
4156 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4157 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4158 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4160 else if (!(nlmsg_flags & NLM_F_EXCL))
4167 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4172 nft_trans_elem(trans) = elem;
4173 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4177 set->ops->remove(ctx->net, set, &elem);
4185 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4186 nft_data_release(&elem.data.val, desc.type);
4188 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
4193 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4194 struct sk_buff *skb, const struct nlmsghdr *nlh,
4195 const struct nlattr * const nla[],
4196 struct netlink_ext_ack *extack)
4198 u8 genmask = nft_genmask_next(net);
4199 const struct nlattr *attr;
4200 struct nft_set *set;
4204 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4207 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4211 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4214 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4215 set = nf_tables_set_lookup_byid(net, ctx.table,
4216 nla[NFTA_SET_ELEM_LIST_SET_ID],
4220 return PTR_ERR(set);
4223 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4226 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4227 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4235 * nft_data_hold - hold a nft_data item
4237 * @data: struct nft_data to release
4238 * @type: type of data
4240 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4241 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4242 * NFT_GOTO verdicts. This function must be called on active data objects
4243 * from the second phase of the commit protocol.
4245 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4247 if (type == NFT_DATA_VERDICT) {
4248 switch (data->verdict.code) {
4251 data->verdict.chain->use++;
4257 static void nft_set_elem_activate(const struct net *net,
4258 const struct nft_set *set,
4259 struct nft_set_elem *elem)
4261 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4263 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4264 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4265 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4266 (*nft_set_ext_obj(ext))->use++;
4269 static void nft_set_elem_deactivate(const struct net *net,
4270 const struct nft_set *set,
4271 struct nft_set_elem *elem)
4273 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4275 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4276 nft_data_release(nft_set_ext_data(ext), set->dtype);
4277 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4278 (*nft_set_ext_obj(ext))->use--;
4281 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4282 const struct nlattr *attr)
4284 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4285 struct nft_set_ext_tmpl tmpl;
4286 struct nft_set_elem elem;
4287 struct nft_set_ext *ext;
4288 struct nft_trans *trans;
4293 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4294 nft_set_elem_policy, NULL);
4298 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4301 nft_set_ext_prepare(&tmpl);
4303 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4307 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4309 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4310 nla[NFTA_SET_ELEM_KEY]);
4314 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
4317 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4319 if (elem.priv == NULL)
4322 ext = nft_set_elem_ext(set, elem.priv);
4324 *nft_set_ext_flags(ext) = flags;
4326 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4330 priv = set->ops->deactivate(ctx->net, set, &elem);
4338 nft_set_elem_deactivate(ctx->net, set, &elem);
4340 nft_trans_elem(trans) = elem;
4341 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4349 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
4353 static int nft_flush_set(const struct nft_ctx *ctx,
4354 struct nft_set *set,
4355 const struct nft_set_iter *iter,
4356 struct nft_set_elem *elem)
4358 struct nft_trans *trans;
4361 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4362 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4366 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4372 nft_set_elem_deactivate(ctx->net, set, elem);
4373 nft_trans_elem_set(trans) = set;
4374 nft_trans_elem(trans) = *elem;
4375 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4383 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4384 struct sk_buff *skb, const struct nlmsghdr *nlh,
4385 const struct nlattr * const nla[],
4386 struct netlink_ext_ack *extack)
4388 u8 genmask = nft_genmask_next(net);
4389 const struct nlattr *attr;
4390 struct nft_set *set;
4394 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4398 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4401 return PTR_ERR(set);
4402 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4405 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4406 struct nft_set_iter iter = {
4408 .fn = nft_flush_set,
4410 set->ops->walk(&ctx, set, &iter);
4415 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4416 err = nft_del_setelem(&ctx, set, attr);
4425 void nft_set_gc_batch_release(struct rcu_head *rcu)
4427 struct nft_set_gc_batch *gcb;
4430 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4431 for (i = 0; i < gcb->head.cnt; i++)
4432 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4435 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4437 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4440 struct nft_set_gc_batch *gcb;
4442 gcb = kzalloc(sizeof(*gcb), gfp);
4445 gcb->head.set = set;
4448 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4455 * nft_register_obj- register nf_tables stateful object type
4458 * Registers the object type for use with nf_tables. Returns zero on
4459 * success or a negative errno code otherwise.
4461 int nft_register_obj(struct nft_object_type *obj_type)
4463 if (obj_type->type == NFT_OBJECT_UNSPEC)
4466 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4467 list_add_rcu(&obj_type->list, &nf_tables_objects);
4468 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4471 EXPORT_SYMBOL_GPL(nft_register_obj);
4474 * nft_unregister_obj - unregister nf_tables object type
4477 * Unregisters the object type for use with nf_tables.
4479 void nft_unregister_obj(struct nft_object_type *obj_type)
4481 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4482 list_del_rcu(&obj_type->list);
4483 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4485 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4487 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4488 const struct nlattr *nla,
4489 u32 objtype, u8 genmask)
4491 struct nft_object *obj;
4493 list_for_each_entry(obj, &table->objects, list) {
4494 if (!nla_strcmp(nla, obj->name) &&
4495 objtype == obj->ops->type->type &&
4496 nft_active_genmask(obj, genmask))
4499 return ERR_PTR(-ENOENT);
4501 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4503 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4504 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4505 .len = NFT_TABLE_MAXNAMELEN - 1 },
4506 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4507 .len = NFT_OBJ_MAXNAMELEN - 1 },
4508 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4509 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4512 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4513 const struct nft_object_type *type,
4514 const struct nlattr *attr)
4516 struct nlattr *tb[type->maxattr + 1];
4517 const struct nft_object_ops *ops;
4518 struct nft_object *obj;
4522 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4527 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4530 if (type->select_ops) {
4531 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4541 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4545 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4555 return ERR_PTR(err);
4558 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4559 struct nft_object *obj, bool reset)
4561 struct nlattr *nest;
4563 nest = nla_nest_start(skb, attr);
4565 goto nla_put_failure;
4566 if (obj->ops->dump(skb, obj, reset) < 0)
4567 goto nla_put_failure;
4568 nla_nest_end(skb, nest);
4575 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4577 const struct nft_object_type *type;
4579 list_for_each_entry(type, &nf_tables_objects, list) {
4580 if (objtype == type->type)
4586 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4588 const struct nft_object_type *type;
4590 type = __nft_obj_type_get(objtype);
4591 if (type != NULL && try_module_get(type->owner))
4594 #ifdef CONFIG_MODULES
4596 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4597 request_module("nft-obj-%u", objtype);
4598 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4599 if (__nft_obj_type_get(objtype))
4600 return ERR_PTR(-EAGAIN);
4603 return ERR_PTR(-ENOENT);
4606 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4607 struct sk_buff *skb, const struct nlmsghdr *nlh,
4608 const struct nlattr * const nla[],
4609 struct netlink_ext_ack *extack)
4611 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4612 const struct nft_object_type *type;
4613 u8 genmask = nft_genmask_next(net);
4614 int family = nfmsg->nfgen_family;
4615 struct nft_af_info *afi;
4616 struct nft_table *table;
4617 struct nft_object *obj;
4622 if (!nla[NFTA_OBJ_TYPE] ||
4623 !nla[NFTA_OBJ_NAME] ||
4624 !nla[NFTA_OBJ_DATA])
4627 afi = nf_tables_afinfo_lookup(net, family, true);
4629 return PTR_ERR(afi);
4631 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4633 return PTR_ERR(table);
4635 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4636 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4643 if (nlh->nlmsg_flags & NLM_F_EXCL)
4649 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4651 type = nft_obj_type_get(objtype);
4653 return PTR_ERR(type);
4655 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4661 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4667 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4671 list_add_tail_rcu(&obj->list, &table->objects);
4677 if (obj->ops->destroy)
4678 obj->ops->destroy(obj);
4681 module_put(type->owner);
4685 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4686 u32 portid, u32 seq, int event, u32 flags,
4687 int family, const struct nft_table *table,
4688 struct nft_object *obj, bool reset)
4690 struct nfgenmsg *nfmsg;
4691 struct nlmsghdr *nlh;
4693 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4694 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4696 goto nla_put_failure;
4698 nfmsg = nlmsg_data(nlh);
4699 nfmsg->nfgen_family = family;
4700 nfmsg->version = NFNETLINK_V0;
4701 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4703 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4704 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4705 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4706 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4707 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4708 goto nla_put_failure;
4710 nlmsg_end(skb, nlh);
4714 nlmsg_trim(skb, nlh);
4718 struct nft_obj_filter {
4723 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4725 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4726 const struct nft_af_info *afi;
4727 const struct nft_table *table;
4728 unsigned int idx = 0, s_idx = cb->args[0];
4729 struct nft_obj_filter *filter = cb->data;
4730 struct net *net = sock_net(skb->sk);
4731 int family = nfmsg->nfgen_family;
4732 struct nft_object *obj;
4735 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4739 cb->seq = net->nft.base_seq;
4741 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4742 if (family != NFPROTO_UNSPEC && family != afi->family)
4745 list_for_each_entry_rcu(table, &afi->tables, list) {
4746 list_for_each_entry_rcu(obj, &table->objects, list) {
4747 if (!nft_is_active(net, obj))
4752 memset(&cb->args[1], 0,
4753 sizeof(cb->args) - sizeof(cb->args[0]));
4754 if (filter && filter->table &&
4755 strcmp(filter->table, table->name))
4758 filter->type != NFT_OBJECT_UNSPEC &&
4759 obj->ops->type->type != filter->type)
4762 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4765 NLM_F_MULTI | NLM_F_APPEND,
4766 afi->family, table, obj, reset) < 0)
4769 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4782 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4784 struct nft_obj_filter *filter = cb->data;
4787 kfree(filter->table);
4794 static struct nft_obj_filter *
4795 nft_obj_filter_alloc(const struct nlattr * const nla[])
4797 struct nft_obj_filter *filter;
4799 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4801 return ERR_PTR(-ENOMEM);
4803 if (nla[NFTA_OBJ_TABLE]) {
4804 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4805 if (!filter->table) {
4807 return ERR_PTR(-ENOMEM);
4810 if (nla[NFTA_OBJ_TYPE])
4811 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4816 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4817 struct sk_buff *skb, const struct nlmsghdr *nlh,
4818 const struct nlattr * const nla[],
4819 struct netlink_ext_ack *extack)
4821 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4822 u8 genmask = nft_genmask_cur(net);
4823 int family = nfmsg->nfgen_family;
4824 const struct nft_af_info *afi;
4825 const struct nft_table *table;
4826 struct nft_object *obj;
4827 struct sk_buff *skb2;
4832 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4833 struct netlink_dump_control c = {
4834 .dump = nf_tables_dump_obj,
4835 .done = nf_tables_dump_obj_done,
4838 if (nla[NFTA_OBJ_TABLE] ||
4839 nla[NFTA_OBJ_TYPE]) {
4840 struct nft_obj_filter *filter;
4842 filter = nft_obj_filter_alloc(nla);
4848 return netlink_dump_start(nlsk, skb, nlh, &c);
4851 if (!nla[NFTA_OBJ_NAME] ||
4852 !nla[NFTA_OBJ_TYPE])
4855 afi = nf_tables_afinfo_lookup(net, family, false);
4857 return PTR_ERR(afi);
4859 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4861 return PTR_ERR(table);
4863 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4864 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4866 return PTR_ERR(obj);
4868 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4872 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4875 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4876 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4877 family, table, obj, reset);
4881 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4887 static void nft_obj_destroy(struct nft_object *obj)
4889 if (obj->ops->destroy)
4890 obj->ops->destroy(obj);
4892 module_put(obj->ops->type->owner);
4897 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4898 struct sk_buff *skb, const struct nlmsghdr *nlh,
4899 const struct nlattr * const nla[],
4900 struct netlink_ext_ack *extack)
4902 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4903 u8 genmask = nft_genmask_next(net);
4904 int family = nfmsg->nfgen_family;
4905 struct nft_af_info *afi;
4906 struct nft_table *table;
4907 struct nft_object *obj;
4911 if (!nla[NFTA_OBJ_TYPE] ||
4912 !nla[NFTA_OBJ_NAME])
4915 afi = nf_tables_afinfo_lookup(net, family, true);
4917 return PTR_ERR(afi);
4919 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4921 return PTR_ERR(table);
4923 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4924 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4926 return PTR_ERR(obj);
4930 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4932 return nft_delobj(&ctx, obj);
4935 void nft_obj_notify(struct net *net, struct nft_table *table,
4936 struct nft_object *obj, u32 portid, u32 seq, int event,
4937 int family, int report, gfp_t gfp)
4939 struct sk_buff *skb;
4943 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4946 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4950 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4957 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4960 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4962 EXPORT_SYMBOL_GPL(nft_obj_notify);
4964 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4965 struct nft_object *obj, int event)
4967 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4968 ctx->afi->family, ctx->report, GFP_KERNEL);
4971 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
4972 u32 portid, u32 seq)
4974 struct nlmsghdr *nlh;
4975 struct nfgenmsg *nfmsg;
4976 char buf[TASK_COMM_LEN];
4977 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
4979 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
4981 goto nla_put_failure;
4983 nfmsg = nlmsg_data(nlh);
4984 nfmsg->nfgen_family = AF_UNSPEC;
4985 nfmsg->version = NFNETLINK_V0;
4986 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4988 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
4989 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
4990 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
4991 goto nla_put_failure;
4993 nlmsg_end(skb, nlh);
4997 nlmsg_trim(skb, nlh);
5001 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5004 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5005 struct sk_buff *skb2;
5008 if (nlmsg_report(nlh) &&
5009 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5012 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5016 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5023 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5024 nlmsg_report(nlh), GFP_KERNEL);
5027 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5031 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5032 struct sk_buff *skb, const struct nlmsghdr *nlh,
5033 const struct nlattr * const nla[],
5034 struct netlink_ext_ack *extack)
5036 struct sk_buff *skb2;
5039 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5043 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5048 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5054 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5055 [NFT_MSG_NEWTABLE] = {
5056 .call_batch = nf_tables_newtable,
5057 .attr_count = NFTA_TABLE_MAX,
5058 .policy = nft_table_policy,
5060 [NFT_MSG_GETTABLE] = {
5061 .call = nf_tables_gettable,
5062 .attr_count = NFTA_TABLE_MAX,
5063 .policy = nft_table_policy,
5065 [NFT_MSG_DELTABLE] = {
5066 .call_batch = nf_tables_deltable,
5067 .attr_count = NFTA_TABLE_MAX,
5068 .policy = nft_table_policy,
5070 [NFT_MSG_NEWCHAIN] = {
5071 .call_batch = nf_tables_newchain,
5072 .attr_count = NFTA_CHAIN_MAX,
5073 .policy = nft_chain_policy,
5075 [NFT_MSG_GETCHAIN] = {
5076 .call = nf_tables_getchain,
5077 .attr_count = NFTA_CHAIN_MAX,
5078 .policy = nft_chain_policy,
5080 [NFT_MSG_DELCHAIN] = {
5081 .call_batch = nf_tables_delchain,
5082 .attr_count = NFTA_CHAIN_MAX,
5083 .policy = nft_chain_policy,
5085 [NFT_MSG_NEWRULE] = {
5086 .call_batch = nf_tables_newrule,
5087 .attr_count = NFTA_RULE_MAX,
5088 .policy = nft_rule_policy,
5090 [NFT_MSG_GETRULE] = {
5091 .call = nf_tables_getrule,
5092 .attr_count = NFTA_RULE_MAX,
5093 .policy = nft_rule_policy,
5095 [NFT_MSG_DELRULE] = {
5096 .call_batch = nf_tables_delrule,
5097 .attr_count = NFTA_RULE_MAX,
5098 .policy = nft_rule_policy,
5100 [NFT_MSG_NEWSET] = {
5101 .call_batch = nf_tables_newset,
5102 .attr_count = NFTA_SET_MAX,
5103 .policy = nft_set_policy,
5105 [NFT_MSG_GETSET] = {
5106 .call = nf_tables_getset,
5107 .attr_count = NFTA_SET_MAX,
5108 .policy = nft_set_policy,
5110 [NFT_MSG_DELSET] = {
5111 .call_batch = nf_tables_delset,
5112 .attr_count = NFTA_SET_MAX,
5113 .policy = nft_set_policy,
5115 [NFT_MSG_NEWSETELEM] = {
5116 .call_batch = nf_tables_newsetelem,
5117 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5118 .policy = nft_set_elem_list_policy,
5120 [NFT_MSG_GETSETELEM] = {
5121 .call = nf_tables_getsetelem,
5122 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5123 .policy = nft_set_elem_list_policy,
5125 [NFT_MSG_DELSETELEM] = {
5126 .call_batch = nf_tables_delsetelem,
5127 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5128 .policy = nft_set_elem_list_policy,
5130 [NFT_MSG_GETGEN] = {
5131 .call = nf_tables_getgen,
5133 [NFT_MSG_NEWOBJ] = {
5134 .call_batch = nf_tables_newobj,
5135 .attr_count = NFTA_OBJ_MAX,
5136 .policy = nft_obj_policy,
5138 [NFT_MSG_GETOBJ] = {
5139 .call = nf_tables_getobj,
5140 .attr_count = NFTA_OBJ_MAX,
5141 .policy = nft_obj_policy,
5143 [NFT_MSG_DELOBJ] = {
5144 .call_batch = nf_tables_delobj,
5145 .attr_count = NFTA_OBJ_MAX,
5146 .policy = nft_obj_policy,
5148 [NFT_MSG_GETOBJ_RESET] = {
5149 .call = nf_tables_getobj,
5150 .attr_count = NFTA_OBJ_MAX,
5151 .policy = nft_obj_policy,
5155 static void nft_chain_commit_update(struct nft_trans *trans)
5157 struct nft_base_chain *basechain;
5159 if (nft_trans_chain_name(trans))
5160 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5162 if (!nft_is_base_chain(trans->ctx.chain))
5165 basechain = nft_base_chain(trans->ctx.chain);
5166 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5168 switch (nft_trans_chain_policy(trans)) {
5171 basechain->policy = nft_trans_chain_policy(trans);
5176 static void nf_tables_commit_release(struct nft_trans *trans)
5178 switch (trans->msg_type) {
5179 case NFT_MSG_DELTABLE:
5180 nf_tables_table_destroy(&trans->ctx);
5182 case NFT_MSG_NEWCHAIN:
5183 kfree(nft_trans_chain_name(trans));
5185 case NFT_MSG_DELCHAIN:
5186 nf_tables_chain_destroy(trans->ctx.chain);
5188 case NFT_MSG_DELRULE:
5189 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5191 case NFT_MSG_DELSET:
5192 nft_set_destroy(nft_trans_set(trans));
5194 case NFT_MSG_DELSETELEM:
5195 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5196 nft_trans_elem(trans).priv);
5198 case NFT_MSG_DELOBJ:
5199 nft_obj_destroy(nft_trans_obj(trans));
5205 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5207 struct nft_trans *trans, *next;
5208 struct nft_trans_elem *te;
5210 /* Bump generation counter, invalidate any dump in progress */
5211 while (++net->nft.base_seq == 0);
5213 /* A new generation has just started */
5214 net->nft.gencursor = nft_gencursor_next(net);
5216 /* Make sure all packets have left the previous generation before
5217 * purging old rules.
5221 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5222 switch (trans->msg_type) {
5223 case NFT_MSG_NEWTABLE:
5224 if (nft_trans_table_update(trans)) {
5225 if (!nft_trans_table_enable(trans)) {
5226 nf_tables_table_disable(net,
5229 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5232 nft_clear(net, trans->ctx.table);
5234 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5235 nft_trans_destroy(trans);
5237 case NFT_MSG_DELTABLE:
5238 list_del_rcu(&trans->ctx.table->list);
5239 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5241 case NFT_MSG_NEWCHAIN:
5242 if (nft_trans_chain_update(trans)) {
5243 nft_chain_commit_update(trans);
5244 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5245 /* trans destroyed after rcu grace period */
5247 nft_clear(net, trans->ctx.chain);
5248 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5249 nft_trans_destroy(trans);
5252 case NFT_MSG_DELCHAIN:
5253 list_del_rcu(&trans->ctx.chain->list);
5254 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5255 nf_tables_unregister_hooks(trans->ctx.net,
5258 trans->ctx.afi->nops);
5260 case NFT_MSG_NEWRULE:
5261 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5262 nf_tables_rule_notify(&trans->ctx,
5263 nft_trans_rule(trans),
5265 nft_trans_destroy(trans);
5267 case NFT_MSG_DELRULE:
5268 list_del_rcu(&nft_trans_rule(trans)->list);
5269 nf_tables_rule_notify(&trans->ctx,
5270 nft_trans_rule(trans),
5272 nft_rule_expr_deactivate(&trans->ctx,
5273 nft_trans_rule(trans),
5276 case NFT_MSG_NEWSET:
5277 nft_clear(net, nft_trans_set(trans));
5278 /* This avoids hitting -EBUSY when deleting the table
5279 * from the transaction.
5281 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
5282 !list_empty(&nft_trans_set(trans)->bindings))
5283 trans->ctx.table->use--;
5285 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5286 NFT_MSG_NEWSET, GFP_KERNEL);
5287 nft_trans_destroy(trans);
5289 case NFT_MSG_DELSET:
5290 list_del_rcu(&nft_trans_set(trans)->list);
5291 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5292 NFT_MSG_DELSET, GFP_KERNEL);
5294 case NFT_MSG_NEWSETELEM:
5295 te = (struct nft_trans_elem *)trans->data;
5297 te->set->ops->activate(net, te->set, &te->elem);
5298 nf_tables_setelem_notify(&trans->ctx, te->set,
5300 NFT_MSG_NEWSETELEM, 0);
5301 nft_trans_destroy(trans);
5303 case NFT_MSG_DELSETELEM:
5304 te = (struct nft_trans_elem *)trans->data;
5306 nf_tables_setelem_notify(&trans->ctx, te->set,
5308 NFT_MSG_DELSETELEM, 0);
5309 te->set->ops->remove(net, te->set, &te->elem);
5310 atomic_dec(&te->set->nelems);
5313 case NFT_MSG_NEWOBJ:
5314 nft_clear(net, nft_trans_obj(trans));
5315 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5317 nft_trans_destroy(trans);
5319 case NFT_MSG_DELOBJ:
5320 list_del_rcu(&nft_trans_obj(trans)->list);
5321 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5329 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5330 list_del(&trans->list);
5331 nf_tables_commit_release(trans);
5334 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5339 static void nf_tables_abort_release(struct nft_trans *trans)
5341 switch (trans->msg_type) {
5342 case NFT_MSG_NEWTABLE:
5343 nf_tables_table_destroy(&trans->ctx);
5345 case NFT_MSG_NEWCHAIN:
5346 nf_tables_chain_destroy(trans->ctx.chain);
5348 case NFT_MSG_NEWRULE:
5349 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5351 case NFT_MSG_NEWSET:
5352 if (!nft_trans_set_bound(trans))
5353 nft_set_destroy(nft_trans_set(trans));
5355 case NFT_MSG_NEWSETELEM:
5356 nft_set_elem_destroy(nft_trans_elem_set(trans),
5357 nft_trans_elem(trans).priv, true);
5359 case NFT_MSG_NEWOBJ:
5360 nft_obj_destroy(nft_trans_obj(trans));
5366 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5368 struct nft_trans *trans, *next;
5369 struct nft_trans_elem *te;
5371 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5373 switch (trans->msg_type) {
5374 case NFT_MSG_NEWTABLE:
5375 if (nft_trans_table_update(trans)) {
5376 if (nft_trans_table_enable(trans)) {
5377 nf_tables_table_disable(net,
5380 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5382 nft_trans_destroy(trans);
5384 list_del_rcu(&trans->ctx.table->list);
5387 case NFT_MSG_DELTABLE:
5388 nft_clear(trans->ctx.net, trans->ctx.table);
5389 nft_trans_destroy(trans);
5391 case NFT_MSG_NEWCHAIN:
5392 if (nft_trans_chain_update(trans)) {
5393 free_percpu(nft_trans_chain_stats(trans));
5394 kfree(nft_trans_chain_name(trans));
5395 nft_trans_destroy(trans);
5397 trans->ctx.table->use--;
5398 list_del_rcu(&trans->ctx.chain->list);
5399 nf_tables_unregister_hooks(trans->ctx.net,
5402 trans->ctx.afi->nops);
5405 case NFT_MSG_DELCHAIN:
5406 trans->ctx.table->use++;
5407 nft_clear(trans->ctx.net, trans->ctx.chain);
5408 nft_trans_destroy(trans);
5410 case NFT_MSG_NEWRULE:
5411 trans->ctx.chain->use--;
5412 list_del_rcu(&nft_trans_rule(trans)->list);
5413 nft_rule_expr_deactivate(&trans->ctx,
5414 nft_trans_rule(trans),
5417 case NFT_MSG_DELRULE:
5418 trans->ctx.chain->use++;
5419 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5420 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
5421 nft_trans_destroy(trans);
5423 case NFT_MSG_NEWSET:
5424 trans->ctx.table->use--;
5425 if (nft_trans_set_bound(trans)) {
5426 nft_trans_destroy(trans);
5429 list_del_rcu(&nft_trans_set(trans)->list);
5431 case NFT_MSG_DELSET:
5432 trans->ctx.table->use++;
5433 nft_clear(trans->ctx.net, nft_trans_set(trans));
5434 nft_trans_destroy(trans);
5436 case NFT_MSG_NEWSETELEM:
5437 if (nft_trans_elem_set_bound(trans)) {
5438 nft_trans_destroy(trans);
5441 te = (struct nft_trans_elem *)trans->data;
5443 te->set->ops->remove(net, te->set, &te->elem);
5444 atomic_dec(&te->set->nelems);
5446 case NFT_MSG_DELSETELEM:
5447 te = (struct nft_trans_elem *)trans->data;
5449 nft_set_elem_activate(net, te->set, &te->elem);
5450 te->set->ops->activate(net, te->set, &te->elem);
5453 nft_trans_destroy(trans);
5455 case NFT_MSG_NEWOBJ:
5456 trans->ctx.table->use--;
5457 list_del_rcu(&nft_trans_obj(trans)->list);
5459 case NFT_MSG_DELOBJ:
5460 trans->ctx.table->use++;
5461 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5462 nft_trans_destroy(trans);
5469 list_for_each_entry_safe_reverse(trans, next,
5470 &net->nft.commit_list, list) {
5471 list_del(&trans->list);
5472 nf_tables_abort_release(trans);
5478 static bool nf_tables_valid_genid(struct net *net, u32 genid)
5480 return net->nft.base_seq == genid;
5483 static const struct nfnetlink_subsystem nf_tables_subsys = {
5484 .name = "nf_tables",
5485 .subsys_id = NFNL_SUBSYS_NFTABLES,
5486 .cb_count = NFT_MSG_MAX,
5488 .commit = nf_tables_commit,
5489 .abort = nf_tables_abort,
5490 .valid_genid = nf_tables_valid_genid,
5493 int nft_chain_validate_dependency(const struct nft_chain *chain,
5494 enum nft_chain_type type)
5496 const struct nft_base_chain *basechain;
5498 if (nft_is_base_chain(chain)) {
5499 basechain = nft_base_chain(chain);
5500 if (basechain->type->type != type)
5505 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
5507 int nft_chain_validate_hooks(const struct nft_chain *chain,
5508 unsigned int hook_flags)
5510 struct nft_base_chain *basechain;
5512 if (nft_is_base_chain(chain)) {
5513 basechain = nft_base_chain(chain);
5515 if ((1 << basechain->ops[0].hooknum) & hook_flags)
5523 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
5526 * Loop detection - walk through the ruleset beginning at the destination chain
5527 * of a new jump until either the source chain is reached (loop) or all
5528 * reachable chains have been traversed.
5530 * The loop check is performed whenever a new jump verdict is added to an
5531 * expression or verdict map or a verdict map is bound to a new chain.
5534 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5535 const struct nft_chain *chain);
5537 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
5538 struct nft_set *set,
5539 const struct nft_set_iter *iter,
5540 struct nft_set_elem *elem)
5542 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5543 const struct nft_data *data;
5545 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5546 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
5549 data = nft_set_ext_data(ext);
5550 switch (data->verdict.code) {
5553 return nf_tables_check_loops(ctx, data->verdict.chain);
5559 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5560 const struct nft_chain *chain)
5562 const struct nft_rule *rule;
5563 const struct nft_expr *expr, *last;
5564 struct nft_set *set;
5565 struct nft_set_binding *binding;
5566 struct nft_set_iter iter;
5568 if (ctx->chain == chain)
5571 list_for_each_entry(rule, &chain->rules, list) {
5572 nft_rule_for_each_expr(expr, last, rule) {
5573 const struct nft_data *data = NULL;
5576 if (!expr->ops->validate)
5579 err = expr->ops->validate(ctx, expr, &data);
5586 switch (data->verdict.code) {
5589 err = nf_tables_check_loops(ctx,
5590 data->verdict.chain);
5599 list_for_each_entry(set, &ctx->table->sets, list) {
5600 if (!nft_is_active_next(ctx->net, set))
5602 if (!(set->flags & NFT_SET_MAP) ||
5603 set->dtype != NFT_DATA_VERDICT)
5606 list_for_each_entry(binding, &set->bindings, list) {
5607 if (!(binding->flags & NFT_SET_MAP) ||
5608 binding->chain != chain)
5611 iter.genmask = nft_genmask_next(ctx->net);
5615 iter.fn = nf_tables_loop_check_setelem;
5617 set->ops->walk(ctx, set, &iter);
5627 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
5629 * @attr: netlink attribute to fetch value from
5630 * @max: maximum value to be stored in dest
5631 * @dest: pointer to the variable
5633 * Parse, check and store a given u32 netlink attribute into variable.
5634 * This function returns -ERANGE if the value goes over maximum value.
5635 * Otherwise a 0 is returned and the attribute value is stored in the
5636 * destination variable.
5638 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
5642 val = ntohl(nla_get_be32(attr));
5649 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
5651 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
5655 reg = ntohl(nla_get_be32(attr));
5657 case NFT_REG_VERDICT...NFT_REG_4:
5658 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
5660 case NFT_REG32_00...NFT_REG32_15:
5661 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
5671 * nft_dump_register - dump a register value to a netlink attribute
5673 * @skb: socket buffer
5674 * @attr: attribute number
5675 * @reg: register number
5677 * Construct a netlink attribute containing the register number. For
5678 * compatibility reasons, register numbers being a multiple of 4 are
5679 * translated to the corresponding 128 bit register numbers.
5681 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
5683 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
5684 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
5686 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
5688 return nla_put_be32(skb, attr, htonl(reg));
5690 EXPORT_SYMBOL_GPL(nft_dump_register);
5693 * nft_validate_register_load - validate a load from a register
5695 * @reg: the register number
5696 * @len: the length of the data
5698 * Validate that the input register is one of the general purpose
5699 * registers and that the length of the load is within the bounds.
5701 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
5703 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5707 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
5713 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
5718 err = nft_parse_register(attr, ®);
5722 err = nft_validate_register_load(reg, len);
5729 EXPORT_SYMBOL_GPL(nft_parse_register_load);
5732 * nft_validate_register_store - validate an expressions' register store
5734 * @ctx: context of the expression performing the load
5735 * @reg: the destination register number
5736 * @data: the data to load
5737 * @type: the data type
5738 * @len: the length of the data
5740 * Validate that a data load uses the appropriate data type for
5741 * the destination register and the length is within the bounds.
5742 * A value of NULL for the data means that its runtime gathered
5745 static int nft_validate_register_store(const struct nft_ctx *ctx,
5746 enum nft_registers reg,
5747 const struct nft_data *data,
5748 enum nft_data_types type,
5754 case NFT_REG_VERDICT:
5755 if (type != NFT_DATA_VERDICT)
5759 (data->verdict.code == NFT_GOTO ||
5760 data->verdict.code == NFT_JUMP)) {
5761 err = nf_tables_check_loops(ctx, data->verdict.chain);
5765 if (ctx->chain->level + 1 >
5766 data->verdict.chain->level) {
5767 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
5769 data->verdict.chain->level = ctx->chain->level + 1;
5775 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5779 if (reg * NFT_REG32_SIZE + len >
5780 FIELD_SIZEOF(struct nft_regs, data))
5783 if (data != NULL && type != NFT_DATA_VALUE)
5789 int nft_parse_register_store(const struct nft_ctx *ctx,
5790 const struct nlattr *attr, u8 *dreg,
5791 const struct nft_data *data,
5792 enum nft_data_types type, unsigned int len)
5797 err = nft_parse_register(attr, ®);
5801 err = nft_validate_register_store(ctx, reg, data, type, len);
5808 EXPORT_SYMBOL_GPL(nft_parse_register_store);
5810 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
5811 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
5812 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
5813 .len = NFT_CHAIN_MAXNAMELEN - 1 },
5816 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
5817 struct nft_data_desc *desc, const struct nlattr *nla)
5819 u8 genmask = nft_genmask_next(ctx->net);
5820 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
5821 struct nft_chain *chain;
5824 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
5829 if (!tb[NFTA_VERDICT_CODE])
5831 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
5833 switch (data->verdict.code) {
5835 switch (data->verdict.code & NF_VERDICT_MASK) {
5850 if (!tb[NFTA_VERDICT_CHAIN])
5852 chain = nf_tables_chain_lookup(ctx->table,
5853 tb[NFTA_VERDICT_CHAIN], genmask);
5855 return PTR_ERR(chain);
5856 if (nft_is_base_chain(chain))
5860 data->verdict.chain = chain;
5864 desc->len = sizeof(data->verdict);
5865 desc->type = NFT_DATA_VERDICT;
5869 static void nft_verdict_uninit(const struct nft_data *data)
5871 switch (data->verdict.code) {
5874 data->verdict.chain->use--;
5879 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
5881 struct nlattr *nest;
5883 nest = nla_nest_start(skb, type);
5885 goto nla_put_failure;
5887 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
5888 goto nla_put_failure;
5893 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
5895 goto nla_put_failure;
5897 nla_nest_end(skb, nest);
5904 static int nft_value_init(const struct nft_ctx *ctx,
5905 struct nft_data *data, unsigned int size,
5906 struct nft_data_desc *desc, const struct nlattr *nla)
5916 nla_memcpy(data->data, nla, len);
5917 desc->type = NFT_DATA_VALUE;
5922 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
5925 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
5928 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
5929 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
5930 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
5934 * nft_data_init - parse nf_tables data netlink attributes
5936 * @ctx: context of the expression using the data
5937 * @data: destination struct nft_data
5938 * @size: maximum data length
5939 * @desc: data description
5940 * @nla: netlink attribute containing data
5942 * Parse the netlink data attributes and initialize a struct nft_data.
5943 * The type and length of data are returned in the data description.
5945 * The caller can indicate that it only wants to accept data of type
5946 * NFT_DATA_VALUE by passing NULL for the ctx argument.
5948 int nft_data_init(const struct nft_ctx *ctx,
5949 struct nft_data *data, unsigned int size,
5950 struct nft_data_desc *desc, const struct nlattr *nla)
5952 struct nlattr *tb[NFTA_DATA_MAX + 1];
5955 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
5959 if (tb[NFTA_DATA_VALUE])
5960 return nft_value_init(ctx, data, size, desc,
5961 tb[NFTA_DATA_VALUE]);
5962 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
5963 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
5966 EXPORT_SYMBOL_GPL(nft_data_init);
5969 * nft_data_release - release a nft_data item
5971 * @data: struct nft_data to release
5972 * @type: type of data
5974 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5975 * all others need to be released by calling this function.
5977 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
5979 if (type < NFT_DATA_VERDICT)
5982 case NFT_DATA_VERDICT:
5983 return nft_verdict_uninit(data);
5988 EXPORT_SYMBOL_GPL(nft_data_release);
5990 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
5991 enum nft_data_types type, unsigned int len)
5993 struct nlattr *nest;
5996 nest = nla_nest_start(skb, attr);
6001 case NFT_DATA_VALUE:
6002 err = nft_value_dump(skb, data, len);
6004 case NFT_DATA_VERDICT:
6005 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6012 nla_nest_end(skb, nest);
6015 EXPORT_SYMBOL_GPL(nft_data_dump);
6017 static int __net_init nf_tables_init_net(struct net *net)
6019 INIT_LIST_HEAD(&net->nft.af_info);
6020 INIT_LIST_HEAD(&net->nft.commit_list);
6021 net->nft.base_seq = 1;
6025 int __nft_release_basechain(struct nft_ctx *ctx)
6027 struct nft_rule *rule, *nr;
6029 BUG_ON(!nft_is_base_chain(ctx->chain));
6031 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
6033 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6034 list_del(&rule->list);
6036 nf_tables_rule_release(ctx, rule);
6038 list_del(&ctx->chain->list);
6040 nf_tables_chain_destroy(ctx->chain);
6044 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6046 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
6047 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
6049 struct nft_table *table, *nt;
6050 struct nft_chain *chain, *nc;
6051 struct nft_object *obj, *ne;
6052 struct nft_rule *rule, *nr;
6053 struct nft_set *set, *ns;
6054 struct nft_ctx ctx = {
6059 list_for_each_entry_safe(table, nt, &afi->tables, list) {
6060 list_for_each_entry(chain, &table->chains, list)
6061 nf_tables_unregister_hooks(net, table, chain,
6063 /* No packets are walking on these chains anymore. */
6065 list_for_each_entry(chain, &table->chains, list) {
6067 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6068 list_del(&rule->list);
6070 nf_tables_rule_release(&ctx, rule);
6073 list_for_each_entry_safe(set, ns, &table->sets, list) {
6074 list_del(&set->list);
6076 nft_set_destroy(set);
6078 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6079 list_del(&obj->list);
6081 nft_obj_destroy(obj);
6083 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6084 list_del(&chain->list);
6086 nf_tables_chain_destroy(chain);
6088 list_del(&table->list);
6089 nf_tables_table_destroy(&ctx);
6093 static struct pernet_operations nf_tables_net_ops = {
6094 .init = nf_tables_init_net,
6097 static int __init nf_tables_module_init(void)
6101 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6108 err = nf_tables_core_module_init();
6112 err = nfnetlink_subsys_register(&nf_tables_subsys);
6116 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
6117 return register_pernet_subsys(&nf_tables_net_ops);
6119 nf_tables_core_module_exit();
6126 static void __exit nf_tables_module_exit(void)
6128 unregister_pernet_subsys(&nf_tables_net_ops);
6129 nfnetlink_subsys_unregister(&nf_tables_subsys);
6131 nf_tables_core_module_exit();
6135 module_init(nf_tables_module_init);
6136 module_exit(nf_tables_module_exit);
6138 MODULE_LICENSE("GPL");
6139 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6140 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-stable / blob