1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 unsigned int nf_tables_net_id __read_mostly;
30 static LIST_HEAD(nf_tables_expressions);
31 static LIST_HEAD(nf_tables_objects);
32 static LIST_HEAD(nf_tables_flowtables);
33 static LIST_HEAD(nf_tables_destroy_list);
34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 NFT_VALIDATE_SKIP = 0,
42 static struct rhltable nft_objname_ht;
44 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
49 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
50 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
52 static const struct rhashtable_params nft_chain_ht_params = {
53 .head_offset = offsetof(struct nft_chain, rhlhead),
54 .key_offset = offsetof(struct nft_chain, name),
55 .hashfn = nft_chain_hash,
56 .obj_hashfn = nft_chain_hash_obj,
57 .obj_cmpfn = nft_chain_hash_cmp,
58 .automatic_shrinking = true,
61 static const struct rhashtable_params nft_objname_ht_params = {
62 .head_offset = offsetof(struct nft_object, rhlhead),
63 .key_offset = offsetof(struct nft_object, key),
64 .hashfn = nft_objname_hash,
65 .obj_hashfn = nft_objname_hash_obj,
66 .obj_cmpfn = nft_objname_hash_cmp,
67 .automatic_shrinking = true,
70 struct nft_audit_data {
71 struct nft_table *table;
74 struct list_head list;
77 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
78 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
79 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
80 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
81 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
82 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
84 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
85 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
87 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
88 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
90 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
91 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
93 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
94 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
96 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
97 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
99 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
100 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
101 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
102 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
105 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
107 struct nftables_pernet *nft_net = nft_pernet(net);
109 switch (nft_net->validate_state) {
110 case NFT_VALIDATE_SKIP:
111 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
113 case NFT_VALIDATE_NEED:
115 case NFT_VALIDATE_DO:
116 if (new_validate_state == NFT_VALIDATE_NEED)
120 nft_net->validate_state = new_validate_state;
122 static void nf_tables_trans_destroy_work(struct work_struct *w);
123 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
125 static void nft_ctx_init(struct nft_ctx *ctx,
127 const struct sk_buff *skb,
128 const struct nlmsghdr *nlh,
130 struct nft_table *table,
131 struct nft_chain *chain,
132 const struct nlattr * const *nla)
135 ctx->family = family;
140 ctx->portid = NETLINK_CB(skb).portid;
141 ctx->report = nlmsg_report(nlh);
142 ctx->flags = nlh->nlmsg_flags;
143 ctx->seq = nlh->nlmsg_seq;
146 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
147 int msg_type, u32 size, gfp_t gfp)
149 struct nft_trans *trans;
151 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
155 INIT_LIST_HEAD(&trans->list);
156 trans->msg_type = msg_type;
162 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
163 int msg_type, u32 size)
165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
168 static void nft_trans_destroy(struct nft_trans *trans)
170 list_del(&trans->list);
174 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
176 struct nftables_pernet *nft_net;
177 struct net *net = ctx->net;
178 struct nft_trans *trans;
180 if (!nft_set_is_anonymous(set))
183 nft_net = nft_pernet(net);
184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
185 switch (trans->msg_type) {
187 if (nft_trans_set(trans) == set)
188 nft_trans_set_bound(trans) = true;
190 case NFT_MSG_NEWSETELEM:
191 if (nft_trans_elem_set(trans) == set)
192 nft_trans_elem_set_bound(trans) = true;
198 static int nft_netdev_register_hooks(struct net *net,
199 struct list_head *hook_list)
201 struct nft_hook *hook;
205 list_for_each_entry(hook, hook_list, list) {
206 err = nf_register_net_hook(net, &hook->ops);
215 list_for_each_entry(hook, hook_list, list) {
219 nf_unregister_net_hook(net, &hook->ops);
224 static void nft_netdev_unregister_hooks(struct net *net,
225 struct list_head *hook_list,
228 struct nft_hook *hook, *next;
230 list_for_each_entry_safe(hook, next, hook_list, list) {
231 nf_unregister_net_hook(net, &hook->ops);
232 if (release_netdev) {
233 list_del(&hook->list);
234 kfree_rcu(hook, rcu);
239 static int nf_tables_register_hook(struct net *net,
240 const struct nft_table *table,
241 struct nft_chain *chain)
243 struct nft_base_chain *basechain;
244 const struct nf_hook_ops *ops;
246 if (table->flags & NFT_TABLE_F_DORMANT ||
247 !nft_is_base_chain(chain))
250 basechain = nft_base_chain(chain);
251 ops = &basechain->ops;
253 if (basechain->type->ops_register)
254 return basechain->type->ops_register(net, ops);
256 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
257 return nft_netdev_register_hooks(net, &basechain->hook_list);
259 return nf_register_net_hook(net, &basechain->ops);
262 static void __nf_tables_unregister_hook(struct net *net,
263 const struct nft_table *table,
264 struct nft_chain *chain,
267 struct nft_base_chain *basechain;
268 const struct nf_hook_ops *ops;
270 if (table->flags & NFT_TABLE_F_DORMANT ||
271 !nft_is_base_chain(chain))
273 basechain = nft_base_chain(chain);
274 ops = &basechain->ops;
276 if (basechain->type->ops_unregister)
277 return basechain->type->ops_unregister(net, ops);
279 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
280 nft_netdev_unregister_hooks(net, &basechain->hook_list,
283 nf_unregister_net_hook(net, &basechain->ops);
286 static void nf_tables_unregister_hook(struct net *net,
287 const struct nft_table *table,
288 struct nft_chain *chain)
290 return __nf_tables_unregister_hook(net, table, chain, false);
293 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
295 struct nftables_pernet *nft_net = nft_pernet(net);
297 list_add_tail(&trans->list, &nft_net->commit_list);
300 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
302 struct nft_trans *trans;
304 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
308 if (msg_type == NFT_MSG_NEWTABLE)
309 nft_activate_next(ctx->net, ctx->table);
311 nft_trans_commit_list_add_tail(ctx->net, trans);
315 static int nft_deltable(struct nft_ctx *ctx)
319 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
323 nft_deactivate_next(ctx->net, ctx->table);
327 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
329 struct nft_trans *trans;
331 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
333 return ERR_PTR(-ENOMEM);
335 if (msg_type == NFT_MSG_NEWCHAIN) {
336 nft_activate_next(ctx->net, ctx->chain);
338 if (ctx->nla[NFTA_CHAIN_ID]) {
339 nft_trans_chain_id(trans) =
340 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
344 nft_trans_commit_list_add_tail(ctx->net, trans);
348 static int nft_delchain(struct nft_ctx *ctx)
350 struct nft_trans *trans;
352 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
354 return PTR_ERR(trans);
357 nft_deactivate_next(ctx->net, ctx->chain);
362 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
363 struct nft_rule *rule)
365 struct nft_expr *expr;
367 expr = nft_expr_first(rule);
368 while (nft_expr_more(rule, expr)) {
369 if (expr->ops->activate)
370 expr->ops->activate(ctx, expr);
372 expr = nft_expr_next(expr);
376 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
377 struct nft_rule *rule,
378 enum nft_trans_phase phase)
380 struct nft_expr *expr;
382 expr = nft_expr_first(rule);
383 while (nft_expr_more(rule, expr)) {
384 if (expr->ops->deactivate)
385 expr->ops->deactivate(ctx, expr, phase);
387 expr = nft_expr_next(expr);
392 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
394 /* You cannot delete the same rule twice */
395 if (nft_is_active_next(ctx->net, rule)) {
396 nft_deactivate_next(ctx->net, rule);
403 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
404 struct nft_rule *rule)
406 struct nft_trans *trans;
408 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
412 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
413 nft_trans_rule_id(trans) =
414 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
416 nft_trans_rule(trans) = rule;
417 nft_trans_commit_list_add_tail(ctx->net, trans);
422 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
424 struct nft_flow_rule *flow;
425 struct nft_trans *trans;
428 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
432 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
433 flow = nft_flow_rule_create(ctx->net, rule);
435 nft_trans_destroy(trans);
436 return PTR_ERR(flow);
439 nft_trans_flow_rule(trans) = flow;
442 err = nf_tables_delrule_deactivate(ctx, rule);
444 nft_trans_destroy(trans);
447 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
452 static int nft_delrule_by_chain(struct nft_ctx *ctx)
454 struct nft_rule *rule;
457 list_for_each_entry(rule, &ctx->chain->rules, list) {
458 if (!nft_is_active_next(ctx->net, rule))
461 err = nft_delrule(ctx, rule);
468 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
470 const struct nft_set_desc *desc)
472 struct nft_trans *trans;
474 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
478 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
479 nft_trans_set_id(trans) =
480 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
481 nft_activate_next(ctx->net, set);
483 nft_trans_set(trans) = set;
485 nft_trans_set_update(trans) = true;
486 nft_trans_set_gc_int(trans) = desc->gc_int;
487 nft_trans_set_timeout(trans) = desc->timeout;
489 nft_trans_commit_list_add_tail(ctx->net, trans);
494 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
497 return __nft_trans_set_add(ctx, msg_type, set, NULL);
500 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
504 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
508 nft_deactivate_next(ctx->net, set);
514 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
515 struct nft_object *obj)
517 struct nft_trans *trans;
519 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
523 if (msg_type == NFT_MSG_NEWOBJ)
524 nft_activate_next(ctx->net, obj);
526 nft_trans_obj(trans) = obj;
527 nft_trans_commit_list_add_tail(ctx->net, trans);
532 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
536 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
540 nft_deactivate_next(ctx->net, obj);
546 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
547 struct nft_flowtable *flowtable)
549 struct nft_trans *trans;
551 trans = nft_trans_alloc(ctx, msg_type,
552 sizeof(struct nft_trans_flowtable));
556 if (msg_type == NFT_MSG_NEWFLOWTABLE)
557 nft_activate_next(ctx->net, flowtable);
559 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
560 nft_trans_flowtable(trans) = flowtable;
561 nft_trans_commit_list_add_tail(ctx->net, trans);
566 static int nft_delflowtable(struct nft_ctx *ctx,
567 struct nft_flowtable *flowtable)
571 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
575 nft_deactivate_next(ctx->net, flowtable);
581 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
585 for (i = track->regs[dreg].num_reg; i > 0; i--)
586 __nft_reg_track_cancel(track, dreg - i);
589 static void __nft_reg_track_update(struct nft_regs_track *track,
590 const struct nft_expr *expr,
593 track->regs[dreg].selector = expr;
594 track->regs[dreg].bitwise = NULL;
595 track->regs[dreg].num_reg = num_reg;
598 void nft_reg_track_update(struct nft_regs_track *track,
599 const struct nft_expr *expr, u8 dreg, u8 len)
601 unsigned int regcount;
604 __nft_reg_track_clobber(track, dreg);
606 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
607 for (i = 0; i < regcount; i++, dreg++)
608 __nft_reg_track_update(track, expr, dreg, i);
610 EXPORT_SYMBOL_GPL(nft_reg_track_update);
612 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
614 unsigned int regcount;
617 __nft_reg_track_clobber(track, dreg);
619 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
620 for (i = 0; i < regcount; i++, dreg++)
621 __nft_reg_track_cancel(track, dreg);
623 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
625 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
627 track->regs[dreg].selector = NULL;
628 track->regs[dreg].bitwise = NULL;
629 track->regs[dreg].num_reg = 0;
631 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
637 static struct nft_table *nft_table_lookup(const struct net *net,
638 const struct nlattr *nla,
639 u8 family, u8 genmask, u32 nlpid)
641 struct nftables_pernet *nft_net;
642 struct nft_table *table;
645 return ERR_PTR(-EINVAL);
647 nft_net = nft_pernet(net);
648 list_for_each_entry_rcu(table, &nft_net->tables, list,
649 lockdep_is_held(&nft_net->commit_mutex)) {
650 if (!nla_strcmp(nla, table->name) &&
651 table->family == family &&
652 nft_active_genmask(table, genmask)) {
653 if (nft_table_has_owner(table) &&
654 nlpid && table->nlpid != nlpid)
655 return ERR_PTR(-EPERM);
661 return ERR_PTR(-ENOENT);
664 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
665 const struct nlattr *nla,
666 u8 genmask, u32 nlpid)
668 struct nftables_pernet *nft_net;
669 struct nft_table *table;
671 nft_net = nft_pernet(net);
672 list_for_each_entry(table, &nft_net->tables, list) {
673 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
674 nft_active_genmask(table, genmask)) {
675 if (nft_table_has_owner(table) &&
676 nlpid && table->nlpid != nlpid)
677 return ERR_PTR(-EPERM);
683 return ERR_PTR(-ENOENT);
686 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
688 return ++table->hgenerator;
691 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
693 static const struct nft_chain_type *
694 __nft_chain_type_get(u8 family, enum nft_chain_types type)
696 if (family >= NFPROTO_NUMPROTO ||
697 type >= NFT_CHAIN_T_MAX)
700 return chain_type[family][type];
703 static const struct nft_chain_type *
704 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
706 const struct nft_chain_type *type;
709 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
710 type = __nft_chain_type_get(family, i);
713 if (!nla_strcmp(nla, type->name))
719 struct nft_module_request {
720 struct list_head list;
721 char module[MODULE_NAME_LEN];
725 #ifdef CONFIG_MODULES
726 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
729 char module_name[MODULE_NAME_LEN];
730 struct nftables_pernet *nft_net;
731 struct nft_module_request *req;
736 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
738 if (ret >= MODULE_NAME_LEN)
741 nft_net = nft_pernet(net);
742 list_for_each_entry(req, &nft_net->module_list, list) {
743 if (!strcmp(req->module, module_name)) {
747 /* A request to load this module already exists. */
752 req = kmalloc(sizeof(*req), GFP_KERNEL);
757 strscpy(req->module, module_name, MODULE_NAME_LEN);
758 list_add_tail(&req->list, &nft_net->module_list);
762 EXPORT_SYMBOL_GPL(nft_request_module);
765 static void lockdep_nfnl_nft_mutex_not_held(void)
767 #ifdef CONFIG_PROVE_LOCKING
769 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
773 static const struct nft_chain_type *
774 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
775 u8 family, bool autoload)
777 const struct nft_chain_type *type;
779 type = __nf_tables_chain_type_lookup(nla, family);
783 lockdep_nfnl_nft_mutex_not_held();
784 #ifdef CONFIG_MODULES
786 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
788 (const char *)nla_data(nla)) == -EAGAIN)
789 return ERR_PTR(-EAGAIN);
792 return ERR_PTR(-ENOENT);
795 static __be16 nft_base_seq(const struct net *net)
797 struct nftables_pernet *nft_net = nft_pernet(net);
799 return htons(nft_net->base_seq & 0xffff);
802 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
803 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
804 .len = NFT_TABLE_MAXNAMELEN - 1 },
805 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
806 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
807 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
808 .len = NFT_USERDATA_MAXLEN }
811 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
812 u32 portid, u32 seq, int event, u32 flags,
813 int family, const struct nft_table *table)
815 struct nlmsghdr *nlh;
817 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
818 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
819 NFNETLINK_V0, nft_base_seq(net));
821 goto nla_put_failure;
823 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
824 nla_put_be32(skb, NFTA_TABLE_FLAGS,
825 htonl(table->flags & NFT_TABLE_F_MASK)) ||
826 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
827 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
829 goto nla_put_failure;
830 if (nft_table_has_owner(table) &&
831 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
832 goto nla_put_failure;
835 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
836 goto nla_put_failure;
843 nlmsg_trim(skb, nlh);
847 struct nftnl_skb_parms {
850 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
852 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
853 struct list_head *notify_list)
855 NFT_CB(skb).report = report;
856 list_add_tail(&skb->list, notify_list);
859 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
861 struct nftables_pernet *nft_net;
867 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
870 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
874 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
875 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
877 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
878 event, flags, ctx->family, ctx->table);
884 nft_net = nft_pernet(ctx->net);
885 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
888 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
891 static int nf_tables_dump_tables(struct sk_buff *skb,
892 struct netlink_callback *cb)
894 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
895 struct nftables_pernet *nft_net;
896 const struct nft_table *table;
897 unsigned int idx = 0, s_idx = cb->args[0];
898 struct net *net = sock_net(skb->sk);
899 int family = nfmsg->nfgen_family;
902 nft_net = nft_pernet(net);
903 cb->seq = READ_ONCE(nft_net->base_seq);
905 list_for_each_entry_rcu(table, &nft_net->tables, list) {
906 if (family != NFPROTO_UNSPEC && family != table->family)
912 memset(&cb->args[1], 0,
913 sizeof(cb->args) - sizeof(cb->args[0]));
914 if (!nft_is_active(net, table))
916 if (nf_tables_fill_table_info(skb, net,
917 NETLINK_CB(cb->skb).portid,
919 NFT_MSG_NEWTABLE, NLM_F_MULTI,
920 table->family, table) < 0)
923 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
933 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
934 const struct nlmsghdr *nlh,
935 struct netlink_dump_control *c)
939 if (!try_module_get(THIS_MODULE))
943 err = netlink_dump_start(nlsk, skb, nlh, c);
945 module_put(THIS_MODULE);
950 /* called with rcu_read_lock held */
951 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
952 const struct nlattr * const nla[])
954 struct netlink_ext_ack *extack = info->extack;
955 u8 genmask = nft_genmask_cur(info->net);
956 u8 family = info->nfmsg->nfgen_family;
957 const struct nft_table *table;
958 struct net *net = info->net;
959 struct sk_buff *skb2;
962 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
963 struct netlink_dump_control c = {
964 .dump = nf_tables_dump_tables,
965 .module = THIS_MODULE,
968 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
971 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
973 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
974 return PTR_ERR(table);
977 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
981 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
982 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
985 goto err_fill_table_info;
987 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
994 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
996 struct nft_chain *chain;
999 list_for_each_entry(chain, &table->chains, list) {
1000 if (!nft_is_active_next(net, chain))
1002 if (!nft_is_base_chain(chain))
1005 if (cnt && i++ == cnt)
1008 nf_tables_unregister_hook(net, table, chain);
1012 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1014 struct nft_chain *chain;
1017 list_for_each_entry(chain, &table->chains, list) {
1018 if (!nft_is_active_next(net, chain))
1020 if (!nft_is_base_chain(chain))
1023 err = nf_tables_register_hook(net, table, chain);
1025 goto err_register_hooks;
1033 nft_table_disable(net, table, i);
1037 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1039 table->flags &= ~NFT_TABLE_F_DORMANT;
1040 nft_table_disable(net, table, 0);
1041 table->flags |= NFT_TABLE_F_DORMANT;
1044 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1045 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1046 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1047 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1048 __NFT_TABLE_F_WAS_AWAKEN)
1050 static int nf_tables_updtable(struct nft_ctx *ctx)
1052 struct nft_trans *trans;
1056 if (!ctx->nla[NFTA_TABLE_FLAGS])
1059 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1060 if (flags & ~NFT_TABLE_F_MASK)
1063 if (flags == ctx->table->flags)
1066 if ((nft_table_has_owner(ctx->table) &&
1067 !(flags & NFT_TABLE_F_OWNER)) ||
1068 (!nft_table_has_owner(ctx->table) &&
1069 flags & NFT_TABLE_F_OWNER))
1072 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1073 sizeof(struct nft_trans_table));
1077 if ((flags & NFT_TABLE_F_DORMANT) &&
1078 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1079 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1080 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1081 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1082 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1083 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1084 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1085 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1086 ret = nf_tables_table_enable(ctx->net, ctx->table);
1088 goto err_register_hooks;
1090 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1094 nft_trans_table_update(trans) = true;
1095 nft_trans_commit_list_add_tail(ctx->net, trans);
1100 nft_trans_destroy(trans);
1104 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1106 const char *name = data;
1108 return jhash(name, strlen(name), seed);
1111 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1113 const struct nft_chain *chain = data;
1115 return nft_chain_hash(chain->name, 0, seed);
1118 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1121 const struct nft_chain *chain = ptr;
1122 const char *name = arg->key;
1124 return strcmp(chain->name, name);
1127 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1129 const struct nft_object_hash_key *k = data;
1131 seed ^= hash_ptr(k->table, 32);
1133 return jhash(k->name, strlen(k->name), seed);
1136 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1138 const struct nft_object *obj = data;
1140 return nft_objname_hash(&obj->key, 0, seed);
1143 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1146 const struct nft_object_hash_key *k = arg->key;
1147 const struct nft_object *obj = ptr;
1149 if (obj->key.table != k->table)
1152 return strcmp(obj->key.name, k->name);
1155 static bool nft_supported_family(u8 family)
1158 #ifdef CONFIG_NF_TABLES_INET
1159 || family == NFPROTO_INET
1161 #ifdef CONFIG_NF_TABLES_IPV4
1162 || family == NFPROTO_IPV4
1164 #ifdef CONFIG_NF_TABLES_ARP
1165 || family == NFPROTO_ARP
1167 #ifdef CONFIG_NF_TABLES_NETDEV
1168 || family == NFPROTO_NETDEV
1170 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1171 || family == NFPROTO_BRIDGE
1173 #ifdef CONFIG_NF_TABLES_IPV6
1174 || family == NFPROTO_IPV6
1179 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1180 const struct nlattr * const nla[])
1182 struct nftables_pernet *nft_net = nft_pernet(info->net);
1183 struct netlink_ext_ack *extack = info->extack;
1184 u8 genmask = nft_genmask_next(info->net);
1185 u8 family = info->nfmsg->nfgen_family;
1186 struct net *net = info->net;
1187 const struct nlattr *attr;
1188 struct nft_table *table;
1193 if (!nft_supported_family(family))
1196 lockdep_assert_held(&nft_net->commit_mutex);
1197 attr = nla[NFTA_TABLE_NAME];
1198 table = nft_table_lookup(net, attr, family, genmask,
1199 NETLINK_CB(skb).portid);
1200 if (IS_ERR(table)) {
1201 if (PTR_ERR(table) != -ENOENT)
1202 return PTR_ERR(table);
1204 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1205 NL_SET_BAD_ATTR(extack, attr);
1208 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1211 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1213 return nf_tables_updtable(&ctx);
1216 if (nla[NFTA_TABLE_FLAGS]) {
1217 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1218 if (flags & ~NFT_TABLE_F_MASK)
1223 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1227 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1228 if (table->name == NULL)
1231 if (nla[NFTA_TABLE_USERDATA]) {
1232 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1233 if (table->udata == NULL)
1234 goto err_table_udata;
1236 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1239 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1243 INIT_LIST_HEAD(&table->chains);
1244 INIT_LIST_HEAD(&table->sets);
1245 INIT_LIST_HEAD(&table->objects);
1246 INIT_LIST_HEAD(&table->flowtables);
1247 table->family = family;
1248 table->flags = flags;
1249 table->handle = ++nft_net->table_handle;
1250 if (table->flags & NFT_TABLE_F_OWNER)
1251 table->nlpid = NETLINK_CB(skb).portid;
1253 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1254 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1258 list_add_tail_rcu(&table->list, &nft_net->tables);
1261 rhltable_destroy(&table->chains_ht);
1263 kfree(table->udata);
1272 static int nft_flush_table(struct nft_ctx *ctx)
1274 struct nft_flowtable *flowtable, *nft;
1275 struct nft_chain *chain, *nc;
1276 struct nft_object *obj, *ne;
1277 struct nft_set *set, *ns;
1280 list_for_each_entry(chain, &ctx->table->chains, list) {
1281 if (!nft_is_active_next(ctx->net, chain))
1284 if (nft_chain_is_bound(chain))
1289 err = nft_delrule_by_chain(ctx);
1294 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1295 if (!nft_is_active_next(ctx->net, set))
1298 if (nft_set_is_anonymous(set) &&
1299 !list_empty(&set->bindings))
1302 err = nft_delset(ctx, set);
1307 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1308 if (!nft_is_active_next(ctx->net, flowtable))
1311 err = nft_delflowtable(ctx, flowtable);
1316 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1317 if (!nft_is_active_next(ctx->net, obj))
1320 err = nft_delobj(ctx, obj);
1325 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1326 if (!nft_is_active_next(ctx->net, chain))
1329 if (nft_chain_is_bound(chain))
1334 err = nft_delchain(ctx);
1339 err = nft_deltable(ctx);
1344 static int nft_flush(struct nft_ctx *ctx, int family)
1346 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1347 const struct nlattr * const *nla = ctx->nla;
1348 struct nft_table *table, *nt;
1351 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1352 if (family != AF_UNSPEC && table->family != family)
1355 ctx->family = table->family;
1357 if (!nft_is_active_next(ctx->net, table))
1360 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1363 if (nla[NFTA_TABLE_NAME] &&
1364 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1369 err = nft_flush_table(ctx);
1377 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1378 const struct nlattr * const nla[])
1380 struct netlink_ext_ack *extack = info->extack;
1381 u8 genmask = nft_genmask_next(info->net);
1382 u8 family = info->nfmsg->nfgen_family;
1383 struct net *net = info->net;
1384 const struct nlattr *attr;
1385 struct nft_table *table;
1388 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1389 if (family == AF_UNSPEC ||
1390 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1391 return nft_flush(&ctx, family);
1393 if (nla[NFTA_TABLE_HANDLE]) {
1394 attr = nla[NFTA_TABLE_HANDLE];
1395 table = nft_table_lookup_byhandle(net, attr, genmask,
1396 NETLINK_CB(skb).portid);
1398 attr = nla[NFTA_TABLE_NAME];
1399 table = nft_table_lookup(net, attr, family, genmask,
1400 NETLINK_CB(skb).portid);
1403 if (IS_ERR(table)) {
1404 if (PTR_ERR(table) == -ENOENT &&
1405 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1408 NL_SET_BAD_ATTR(extack, attr);
1409 return PTR_ERR(table);
1412 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1416 ctx.family = family;
1419 return nft_flush_table(&ctx);
1422 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1424 if (WARN_ON(ctx->table->use > 0))
1427 rhltable_destroy(&ctx->table->chains_ht);
1428 kfree(ctx->table->name);
1429 kfree(ctx->table->udata);
1433 void nft_register_chain_type(const struct nft_chain_type *ctype)
1435 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1436 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1437 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1440 chain_type[ctype->family][ctype->type] = ctype;
1441 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1443 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1445 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1447 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1448 chain_type[ctype->family][ctype->type] = NULL;
1449 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1451 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1457 static struct nft_chain *
1458 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1460 struct nft_chain *chain;
1462 list_for_each_entry(chain, &table->chains, list) {
1463 if (chain->handle == handle &&
1464 nft_active_genmask(chain, genmask))
1468 return ERR_PTR(-ENOENT);
1471 static bool lockdep_commit_lock_is_held(const struct net *net)
1473 #ifdef CONFIG_PROVE_LOCKING
1474 struct nftables_pernet *nft_net = nft_pernet(net);
1476 return lockdep_is_held(&nft_net->commit_mutex);
1482 static struct nft_chain *nft_chain_lookup(struct net *net,
1483 struct nft_table *table,
1484 const struct nlattr *nla, u8 genmask)
1486 char search[NFT_CHAIN_MAXNAMELEN + 1];
1487 struct rhlist_head *tmp, *list;
1488 struct nft_chain *chain;
1491 return ERR_PTR(-EINVAL);
1493 nla_strscpy(search, nla, sizeof(search));
1495 WARN_ON(!rcu_read_lock_held() &&
1496 !lockdep_commit_lock_is_held(net));
1498 chain = ERR_PTR(-ENOENT);
1500 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1504 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1505 if (nft_active_genmask(chain, genmask))
1508 chain = ERR_PTR(-ENOENT);
1514 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1515 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1516 .len = NFT_TABLE_MAXNAMELEN - 1 },
1517 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1518 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1519 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1520 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1521 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1522 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1523 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1524 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1525 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1526 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1527 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1528 .len = NFT_USERDATA_MAXLEN },
1531 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1532 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1533 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1534 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1535 .len = IFNAMSIZ - 1 },
1538 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1540 struct nft_stats *cpu_stats, total;
1541 struct nlattr *nest;
1549 memset(&total, 0, sizeof(total));
1550 for_each_possible_cpu(cpu) {
1551 cpu_stats = per_cpu_ptr(stats, cpu);
1553 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1554 pkts = cpu_stats->pkts;
1555 bytes = cpu_stats->bytes;
1556 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1558 total.bytes += bytes;
1560 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1562 goto nla_put_failure;
1564 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1565 NFTA_COUNTER_PAD) ||
1566 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1568 goto nla_put_failure;
1570 nla_nest_end(skb, nest);
1577 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1578 const struct nft_base_chain *basechain,
1579 const struct list_head *hook_list)
1581 const struct nf_hook_ops *ops = &basechain->ops;
1582 struct nft_hook *hook, *first = NULL;
1583 struct nlattr *nest, *nest_devs;
1586 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1588 goto nla_put_failure;
1589 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1590 goto nla_put_failure;
1591 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1592 goto nla_put_failure;
1594 if (nft_base_chain_netdev(family, ops->hooknum)) {
1595 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1598 hook_list = &basechain->hook_list;
1600 list_for_each_entry(hook, hook_list, list) {
1604 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1605 hook->ops.dev->name))
1606 goto nla_put_failure;
1609 nla_nest_end(skb, nest_devs);
1612 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1613 goto nla_put_failure;
1615 nla_nest_end(skb, nest);
1622 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1623 u32 portid, u32 seq, int event, u32 flags,
1624 int family, const struct nft_table *table,
1625 const struct nft_chain *chain,
1626 const struct list_head *hook_list)
1628 struct nlmsghdr *nlh;
1630 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1631 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1632 NFNETLINK_V0, nft_base_seq(net));
1634 goto nla_put_failure;
1636 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1637 goto nla_put_failure;
1638 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1640 goto nla_put_failure;
1641 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1642 goto nla_put_failure;
1644 if (nft_is_base_chain(chain)) {
1645 const struct nft_base_chain *basechain = nft_base_chain(chain);
1646 struct nft_stats __percpu *stats;
1648 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1649 goto nla_put_failure;
1651 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1652 htonl(basechain->policy)))
1653 goto nla_put_failure;
1655 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1656 goto nla_put_failure;
1658 stats = rcu_dereference_check(basechain->stats,
1659 lockdep_commit_lock_is_held(net));
1660 if (nft_dump_stats(skb, stats))
1661 goto nla_put_failure;
1665 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1666 goto nla_put_failure;
1668 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1669 goto nla_put_failure;
1672 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1673 goto nla_put_failure;
1675 nlmsg_end(skb, nlh);
1679 nlmsg_trim(skb, nlh);
1683 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1684 const struct list_head *hook_list)
1686 struct nftables_pernet *nft_net;
1687 struct sk_buff *skb;
1692 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1695 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1699 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1700 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1702 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1703 event, flags, ctx->family, ctx->table,
1704 ctx->chain, hook_list);
1710 nft_net = nft_pernet(ctx->net);
1711 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1714 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1717 static int nf_tables_dump_chains(struct sk_buff *skb,
1718 struct netlink_callback *cb)
1720 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1721 unsigned int idx = 0, s_idx = cb->args[0];
1722 struct net *net = sock_net(skb->sk);
1723 int family = nfmsg->nfgen_family;
1724 struct nftables_pernet *nft_net;
1725 const struct nft_table *table;
1726 const struct nft_chain *chain;
1729 nft_net = nft_pernet(net);
1730 cb->seq = READ_ONCE(nft_net->base_seq);
1732 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1733 if (family != NFPROTO_UNSPEC && family != table->family)
1736 list_for_each_entry_rcu(chain, &table->chains, list) {
1740 memset(&cb->args[1], 0,
1741 sizeof(cb->args) - sizeof(cb->args[0]));
1742 if (!nft_is_active(net, chain))
1744 if (nf_tables_fill_chain_info(skb, net,
1745 NETLINK_CB(cb->skb).portid,
1749 table->family, table,
1753 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1764 /* called with rcu_read_lock held */
1765 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1766 const struct nlattr * const nla[])
1768 struct netlink_ext_ack *extack = info->extack;
1769 u8 genmask = nft_genmask_cur(info->net);
1770 u8 family = info->nfmsg->nfgen_family;
1771 const struct nft_chain *chain;
1772 struct net *net = info->net;
1773 struct nft_table *table;
1774 struct sk_buff *skb2;
1777 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1778 struct netlink_dump_control c = {
1779 .dump = nf_tables_dump_chains,
1780 .module = THIS_MODULE,
1783 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1786 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1787 if (IS_ERR(table)) {
1788 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1789 return PTR_ERR(table);
1792 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1793 if (IS_ERR(chain)) {
1794 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1795 return PTR_ERR(chain);
1798 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1802 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1803 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1804 0, family, table, chain, NULL);
1806 goto err_fill_chain_info;
1808 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1810 err_fill_chain_info:
1815 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1816 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1817 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1820 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1822 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1823 struct nft_stats __percpu *newstats;
1824 struct nft_stats *stats;
1827 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1828 nft_counter_policy, NULL);
1830 return ERR_PTR(err);
1832 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1833 return ERR_PTR(-EINVAL);
1835 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1836 if (newstats == NULL)
1837 return ERR_PTR(-ENOMEM);
1839 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1840 * are not exposed to userspace.
1843 stats = this_cpu_ptr(newstats);
1844 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1845 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1851 static void nft_chain_stats_replace(struct nft_trans *trans)
1853 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1855 if (!nft_trans_chain_stats(trans))
1858 nft_trans_chain_stats(trans) =
1859 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1860 lockdep_commit_lock_is_held(trans->ctx.net));
1862 if (!nft_trans_chain_stats(trans))
1863 static_branch_inc(&nft_counters_enabled);
1866 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1868 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
1869 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
1875 /* should be NULL either via abort or via successful commit */
1876 WARN_ON_ONCE(chain->blob_next);
1877 kvfree(chain->blob_next);
1880 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1882 struct nft_chain *chain = ctx->chain;
1883 struct nft_hook *hook, *next;
1885 if (WARN_ON(chain->use > 0))
1888 /* no concurrent access possible anymore */
1889 nf_tables_chain_free_chain_rules(chain);
1891 if (nft_is_base_chain(chain)) {
1892 struct nft_base_chain *basechain = nft_base_chain(chain);
1894 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1895 list_for_each_entry_safe(hook, next,
1896 &basechain->hook_list, list) {
1897 list_del_rcu(&hook->list);
1898 kfree_rcu(hook, rcu);
1901 module_put(basechain->type->owner);
1902 if (rcu_access_pointer(basechain->stats)) {
1903 static_branch_dec(&nft_counters_enabled);
1904 free_percpu(rcu_dereference_raw(basechain->stats));
1907 kfree(chain->udata);
1911 kfree(chain->udata);
1916 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1917 const struct nlattr *attr)
1919 struct net_device *dev;
1920 char ifname[IFNAMSIZ];
1921 struct nft_hook *hook;
1924 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
1927 goto err_hook_alloc;
1930 nla_strscpy(ifname, attr, IFNAMSIZ);
1931 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1932 * indirectly serializing all the other holders of the commit_mutex with
1935 dev = __dev_get_by_name(net, ifname);
1940 hook->ops.dev = dev;
1947 return ERR_PTR(err);
1950 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1951 const struct nft_hook *this)
1953 struct nft_hook *hook;
1955 list_for_each_entry(hook, hook_list, list) {
1956 if (this->ops.dev == hook->ops.dev)
1963 static int nf_tables_parse_netdev_hooks(struct net *net,
1964 const struct nlattr *attr,
1965 struct list_head *hook_list,
1966 struct netlink_ext_ack *extack)
1968 struct nft_hook *hook, *next;
1969 const struct nlattr *tmp;
1970 int rem, n = 0, err;
1972 nla_for_each_nested(tmp, attr, rem) {
1973 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1978 hook = nft_netdev_hook_alloc(net, tmp);
1980 NL_SET_BAD_ATTR(extack, tmp);
1981 err = PTR_ERR(hook);
1984 if (nft_hook_list_find(hook_list, hook)) {
1985 NL_SET_BAD_ATTR(extack, tmp);
1990 list_add_tail(&hook->list, hook_list);
1993 if (n == NFT_NETDEVICE_MAX) {
2002 list_for_each_entry_safe(hook, next, hook_list, list) {
2003 list_del(&hook->list);
2009 struct nft_chain_hook {
2012 const struct nft_chain_type *type;
2013 struct list_head list;
2016 static int nft_chain_parse_netdev(struct net *net,
2017 struct nlattr *tb[],
2018 struct list_head *hook_list,
2019 struct netlink_ext_ack *extack)
2021 struct nft_hook *hook;
2024 if (tb[NFTA_HOOK_DEV]) {
2025 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2027 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2028 return PTR_ERR(hook);
2031 list_add_tail(&hook->list, hook_list);
2032 } else if (tb[NFTA_HOOK_DEVS]) {
2033 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2038 if (list_empty(hook_list))
2047 static int nft_chain_parse_hook(struct net *net,
2048 struct nft_base_chain *basechain,
2049 const struct nlattr * const nla[],
2050 struct nft_chain_hook *hook, u8 family,
2051 struct netlink_ext_ack *extack)
2053 struct nftables_pernet *nft_net = nft_pernet(net);
2054 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2055 const struct nft_chain_type *type;
2058 lockdep_assert_held(&nft_net->commit_mutex);
2059 lockdep_nfnl_nft_mutex_not_held();
2061 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2062 nla[NFTA_CHAIN_HOOK],
2063 nft_hook_policy, NULL);
2068 if (!ha[NFTA_HOOK_HOOKNUM] ||
2069 !ha[NFTA_HOOK_PRIORITY]) {
2070 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2074 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2075 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2077 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2081 if (nla[NFTA_CHAIN_TYPE]) {
2082 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2085 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2086 return PTR_ERR(type);
2089 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2092 if (type->type == NFT_CHAIN_T_NAT &&
2093 hook->priority <= NF_IP_PRI_CONNTRACK)
2096 if (ha[NFTA_HOOK_HOOKNUM]) {
2097 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2098 if (hook->num != basechain->ops.hooknum)
2101 if (ha[NFTA_HOOK_PRIORITY]) {
2102 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2103 if (hook->priority != basechain->ops.priority)
2107 type = basechain->type;
2110 if (!try_module_get(type->owner)) {
2111 if (nla[NFTA_CHAIN_TYPE])
2112 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2118 INIT_LIST_HEAD(&hook->list);
2119 if (nft_base_chain_netdev(family, hook->num)) {
2120 err = nft_chain_parse_netdev(net, ha, &hook->list, extack);
2122 module_put(type->owner);
2125 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2126 module_put(type->owner);
2133 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2135 struct nft_hook *h, *next;
2137 list_for_each_entry_safe(h, next, &hook->list, list) {
2141 module_put(hook->type->owner);
2144 struct nft_rules_old {
2146 struct nft_rule_blob *blob;
2149 static void nft_last_rule(struct nft_rule_blob *blob, const void *ptr)
2151 struct nft_rule_dp *prule;
2153 prule = (struct nft_rule_dp *)ptr;
2155 /* blob size does not include the trailer rule */
2158 static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size)
2160 struct nft_rule_blob *blob;
2162 /* size must include room for the last rule */
2163 if (size < offsetof(struct nft_rule_dp, data))
2166 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old);
2170 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2175 nft_last_rule(blob, blob->data);
2180 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2181 const struct nft_chain_hook *hook,
2182 struct nft_chain *chain)
2185 ops->hooknum = hook->num;
2186 ops->priority = hook->priority;
2188 ops->hook = hook->type->hooks[ops->hooknum];
2189 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2192 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2193 struct nft_chain_hook *hook, u32 flags)
2195 struct nft_chain *chain;
2198 basechain->type = hook->type;
2199 INIT_LIST_HEAD(&basechain->hook_list);
2200 chain = &basechain->chain;
2202 if (nft_base_chain_netdev(family, hook->num)) {
2203 list_splice_init(&hook->list, &basechain->hook_list);
2204 list_for_each_entry(h, &basechain->hook_list, list)
2205 nft_basechain_hook_init(&h->ops, family, hook, chain);
2207 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2209 chain->flags |= NFT_CHAIN_BASE | flags;
2210 basechain->policy = NF_ACCEPT;
2211 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2212 !nft_chain_offload_support(basechain)) {
2213 list_splice_init(&basechain->hook_list, &hook->list);
2217 flow_block_init(&basechain->flow_block);
2222 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2226 err = rhltable_insert_key(&table->chains_ht, chain->name,
2227 &chain->rhlhead, nft_chain_ht_params);
2231 list_add_tail_rcu(&chain->list, &table->chains);
2236 static u64 chain_id;
2238 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2239 u8 policy, u32 flags,
2240 struct netlink_ext_ack *extack)
2242 const struct nlattr * const *nla = ctx->nla;
2243 struct nft_table *table = ctx->table;
2244 struct nft_base_chain *basechain;
2245 struct net *net = ctx->net;
2246 char name[NFT_NAME_MAXLEN];
2247 struct nft_rule_blob *blob;
2248 struct nft_trans *trans;
2249 struct nft_chain *chain;
2250 unsigned int data_size;
2253 if (table->use == UINT_MAX)
2256 if (nla[NFTA_CHAIN_HOOK]) {
2257 struct nft_stats __percpu *stats = NULL;
2258 struct nft_chain_hook hook = {};
2260 if (flags & NFT_CHAIN_BINDING)
2263 err = nft_chain_parse_hook(net, NULL, nla, &hook, family,
2268 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2269 if (basechain == NULL) {
2270 nft_chain_release_hook(&hook);
2273 chain = &basechain->chain;
2275 if (nla[NFTA_CHAIN_COUNTERS]) {
2276 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2277 if (IS_ERR(stats)) {
2278 nft_chain_release_hook(&hook);
2280 return PTR_ERR(stats);
2282 rcu_assign_pointer(basechain->stats, stats);
2285 err = nft_basechain_init(basechain, family, &hook, flags);
2287 nft_chain_release_hook(&hook);
2293 static_branch_inc(&nft_counters_enabled);
2295 if (flags & NFT_CHAIN_BASE)
2297 if (flags & NFT_CHAIN_HW_OFFLOAD)
2300 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2304 chain->flags = flags;
2308 INIT_LIST_HEAD(&chain->rules);
2309 chain->handle = nf_tables_alloc_handle(table);
2310 chain->table = table;
2312 if (nla[NFTA_CHAIN_NAME]) {
2313 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2315 if (!(flags & NFT_CHAIN_BINDING)) {
2317 goto err_destroy_chain;
2320 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2321 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2326 goto err_destroy_chain;
2329 if (nla[NFTA_CHAIN_USERDATA]) {
2330 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2331 if (chain->udata == NULL) {
2333 goto err_destroy_chain;
2335 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2338 data_size = offsetof(struct nft_rule_dp, data); /* last rule */
2339 blob = nf_tables_chain_alloc_rules(data_size);
2342 goto err_destroy_chain;
2345 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2346 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2348 err = nf_tables_register_hook(net, table, chain);
2350 goto err_destroy_chain;
2352 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2353 if (IS_ERR(trans)) {
2354 err = PTR_ERR(trans);
2355 goto err_unregister_hook;
2358 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2359 if (nft_is_base_chain(chain))
2360 nft_trans_chain_policy(trans) = policy;
2362 err = nft_chain_add(table, chain);
2364 nft_trans_destroy(trans);
2365 goto err_unregister_hook;
2371 err_unregister_hook:
2372 nf_tables_unregister_hook(net, table, chain);
2374 nf_tables_chain_destroy(ctx);
2379 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2380 u32 flags, const struct nlattr *attr,
2381 struct netlink_ext_ack *extack)
2383 const struct nlattr * const *nla = ctx->nla;
2384 struct nft_base_chain *basechain = NULL;
2385 struct nft_table *table = ctx->table;
2386 struct nft_chain *chain = ctx->chain;
2387 struct nft_chain_hook hook = {};
2388 struct nft_stats *stats = NULL;
2389 struct nft_hook *h, *next;
2390 struct nf_hook_ops *ops;
2391 struct nft_trans *trans;
2392 bool unregister = false;
2395 if (chain->flags ^ flags)
2398 INIT_LIST_HEAD(&hook.list);
2400 if (nla[NFTA_CHAIN_HOOK]) {
2401 if (!nft_is_base_chain(chain)) {
2402 NL_SET_BAD_ATTR(extack, attr);
2406 basechain = nft_base_chain(chain);
2407 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2408 ctx->family, extack);
2412 if (basechain->type != hook.type) {
2413 nft_chain_release_hook(&hook);
2414 NL_SET_BAD_ATTR(extack, attr);
2418 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2419 list_for_each_entry_safe(h, next, &hook.list, list) {
2420 h->ops.pf = basechain->ops.pf;
2421 h->ops.hooknum = basechain->ops.hooknum;
2422 h->ops.priority = basechain->ops.priority;
2423 h->ops.priv = basechain->ops.priv;
2424 h->ops.hook = basechain->ops.hook;
2426 if (nft_hook_list_find(&basechain->hook_list, h)) {
2432 ops = &basechain->ops;
2433 if (ops->hooknum != hook.num ||
2434 ops->priority != hook.priority) {
2435 nft_chain_release_hook(&hook);
2436 NL_SET_BAD_ATTR(extack, attr);
2442 if (nla[NFTA_CHAIN_HANDLE] &&
2443 nla[NFTA_CHAIN_NAME]) {
2444 struct nft_chain *chain2;
2446 chain2 = nft_chain_lookup(ctx->net, table,
2447 nla[NFTA_CHAIN_NAME], genmask);
2448 if (!IS_ERR(chain2)) {
2449 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2455 if (nla[NFTA_CHAIN_COUNTERS]) {
2456 if (!nft_is_base_chain(chain)) {
2461 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2462 if (IS_ERR(stats)) {
2463 err = PTR_ERR(stats);
2468 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2469 nft_is_base_chain(chain) &&
2470 !list_empty(&hook.list)) {
2471 basechain = nft_base_chain(chain);
2472 ops = &basechain->ops;
2474 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2475 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2483 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2484 sizeof(struct nft_trans_chain));
2488 nft_trans_chain_stats(trans) = stats;
2489 nft_trans_chain_update(trans) = true;
2491 if (nla[NFTA_CHAIN_POLICY])
2492 nft_trans_chain_policy(trans) = policy;
2494 nft_trans_chain_policy(trans) = -1;
2496 if (nla[NFTA_CHAIN_HANDLE] &&
2497 nla[NFTA_CHAIN_NAME]) {
2498 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2499 struct nft_trans *tmp;
2503 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2508 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2509 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2510 tmp->ctx.table == table &&
2511 nft_trans_chain_update(tmp) &&
2512 nft_trans_chain_name(tmp) &&
2513 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2514 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2520 nft_trans_chain_name(trans) = name;
2523 nft_trans_basechain(trans) = basechain;
2524 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2525 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2527 nft_trans_commit_list_add_tail(ctx->net, trans);
2535 if (nla[NFTA_CHAIN_HOOK]) {
2536 list_for_each_entry_safe(h, next, &hook.list, list) {
2538 nf_unregister_net_hook(ctx->net, &h->ops);
2542 module_put(hook.type->owner);
2548 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2549 const struct nft_table *table,
2550 const struct nlattr *nla)
2552 struct nftables_pernet *nft_net = nft_pernet(net);
2553 u32 id = ntohl(nla_get_be32(nla));
2554 struct nft_trans *trans;
2556 list_for_each_entry(trans, &nft_net->commit_list, list) {
2557 struct nft_chain *chain = trans->ctx.chain;
2559 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2560 chain->table == table &&
2561 id == nft_trans_chain_id(trans))
2564 return ERR_PTR(-ENOENT);
2567 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2568 const struct nlattr * const nla[])
2570 struct nftables_pernet *nft_net = nft_pernet(info->net);
2571 struct netlink_ext_ack *extack = info->extack;
2572 u8 genmask = nft_genmask_next(info->net);
2573 u8 family = info->nfmsg->nfgen_family;
2574 struct nft_chain *chain = NULL;
2575 struct net *net = info->net;
2576 const struct nlattr *attr;
2577 struct nft_table *table;
2578 u8 policy = NF_ACCEPT;
2583 lockdep_assert_held(&nft_net->commit_mutex);
2585 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2586 NETLINK_CB(skb).portid);
2587 if (IS_ERR(table)) {
2588 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2589 return PTR_ERR(table);
2593 attr = nla[NFTA_CHAIN_NAME];
2595 if (nla[NFTA_CHAIN_HANDLE]) {
2596 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2597 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2598 if (IS_ERR(chain)) {
2599 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2600 return PTR_ERR(chain);
2602 attr = nla[NFTA_CHAIN_HANDLE];
2603 } else if (nla[NFTA_CHAIN_NAME]) {
2604 chain = nft_chain_lookup(net, table, attr, genmask);
2605 if (IS_ERR(chain)) {
2606 if (PTR_ERR(chain) != -ENOENT) {
2607 NL_SET_BAD_ATTR(extack, attr);
2608 return PTR_ERR(chain);
2612 } else if (!nla[NFTA_CHAIN_ID]) {
2616 if (nla[NFTA_CHAIN_POLICY]) {
2617 if (chain != NULL &&
2618 !nft_is_base_chain(chain)) {
2619 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2623 if (chain == NULL &&
2624 nla[NFTA_CHAIN_HOOK] == NULL) {
2625 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2629 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2639 if (nla[NFTA_CHAIN_FLAGS])
2640 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2642 flags = chain->flags;
2644 if (flags & ~NFT_CHAIN_FLAGS)
2647 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2649 if (chain != NULL) {
2650 if (chain->flags & NFT_CHAIN_BINDING)
2653 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2654 NL_SET_BAD_ATTR(extack, attr);
2657 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2660 flags |= chain->flags & NFT_CHAIN_BASE;
2661 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2665 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2668 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2669 const struct nlattr * const nla[])
2671 struct netlink_ext_ack *extack = info->extack;
2672 u8 genmask = nft_genmask_next(info->net);
2673 u8 family = info->nfmsg->nfgen_family;
2674 struct net *net = info->net;
2675 const struct nlattr *attr;
2676 struct nft_table *table;
2677 struct nft_chain *chain;
2678 struct nft_rule *rule;
2684 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2685 NETLINK_CB(skb).portid);
2686 if (IS_ERR(table)) {
2687 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2688 return PTR_ERR(table);
2691 if (nla[NFTA_CHAIN_HANDLE]) {
2692 attr = nla[NFTA_CHAIN_HANDLE];
2693 handle = be64_to_cpu(nla_get_be64(attr));
2694 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2696 attr = nla[NFTA_CHAIN_NAME];
2697 chain = nft_chain_lookup(net, table, attr, genmask);
2699 if (IS_ERR(chain)) {
2700 if (PTR_ERR(chain) == -ENOENT &&
2701 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2704 NL_SET_BAD_ATTR(extack, attr);
2705 return PTR_ERR(chain);
2708 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2712 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2715 list_for_each_entry(rule, &chain->rules, list) {
2716 if (!nft_is_active_next(net, rule))
2720 err = nft_delrule(&ctx, rule);
2725 /* There are rules and elements that are still holding references to us,
2726 * we cannot do a recursive removal in this case.
2729 NL_SET_BAD_ATTR(extack, attr);
2733 return nft_delchain(&ctx);
2741 * nft_register_expr - register nf_tables expr type
2744 * Registers the expr type for use with nf_tables. Returns zero on
2745 * success or a negative errno code otherwise.
2747 int nft_register_expr(struct nft_expr_type *type)
2749 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2750 if (type->family == NFPROTO_UNSPEC)
2751 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2753 list_add_rcu(&type->list, &nf_tables_expressions);
2754 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2757 EXPORT_SYMBOL_GPL(nft_register_expr);
2760 * nft_unregister_expr - unregister nf_tables expr type
2763 * Unregisters the expr typefor use with nf_tables.
2765 void nft_unregister_expr(struct nft_expr_type *type)
2767 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2768 list_del_rcu(&type->list);
2769 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2771 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2773 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2776 const struct nft_expr_type *type, *candidate = NULL;
2778 list_for_each_entry(type, &nf_tables_expressions, list) {
2779 if (!nla_strcmp(nla, type->name)) {
2780 if (!type->family && !candidate)
2782 else if (type->family == family)
2789 #ifdef CONFIG_MODULES
2790 static int nft_expr_type_request_module(struct net *net, u8 family,
2793 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2794 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2801 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2805 const struct nft_expr_type *type;
2808 return ERR_PTR(-EINVAL);
2810 type = __nft_expr_type_get(family, nla);
2811 if (type != NULL && try_module_get(type->owner))
2814 lockdep_nfnl_nft_mutex_not_held();
2815 #ifdef CONFIG_MODULES
2817 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2818 return ERR_PTR(-EAGAIN);
2820 if (nft_request_module(net, "nft-expr-%.*s",
2822 (char *)nla_data(nla)) == -EAGAIN)
2823 return ERR_PTR(-EAGAIN);
2826 return ERR_PTR(-ENOENT);
2829 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2830 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2831 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2832 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2835 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2836 const struct nft_expr *expr, bool reset)
2838 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2839 goto nla_put_failure;
2841 if (expr->ops->dump) {
2842 struct nlattr *data = nla_nest_start_noflag(skb,
2845 goto nla_put_failure;
2846 if (expr->ops->dump(skb, expr, reset) < 0)
2847 goto nla_put_failure;
2848 nla_nest_end(skb, data);
2857 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2858 const struct nft_expr *expr, bool reset)
2860 struct nlattr *nest;
2862 nest = nla_nest_start_noflag(skb, attr);
2864 goto nla_put_failure;
2865 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
2866 goto nla_put_failure;
2867 nla_nest_end(skb, nest);
2874 struct nft_expr_info {
2875 const struct nft_expr_ops *ops;
2876 const struct nlattr *attr;
2877 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2880 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2881 const struct nlattr *nla,
2882 struct nft_expr_info *info)
2884 const struct nft_expr_type *type;
2885 const struct nft_expr_ops *ops;
2886 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2889 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2890 nft_expr_policy, NULL);
2894 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2896 return PTR_ERR(type);
2898 if (tb[NFTA_EXPR_DATA]) {
2899 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2901 type->policy, NULL);
2905 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2907 if (type->select_ops != NULL) {
2908 ops = type->select_ops(ctx,
2909 (const struct nlattr * const *)info->tb);
2912 #ifdef CONFIG_MODULES
2914 if (nft_expr_type_request_module(ctx->net,
2916 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2930 module_put(type->owner);
2934 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
2935 struct nft_expr_info *info)
2937 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2938 const struct nft_expr_type *type;
2941 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2942 nft_expr_policy, NULL);
2946 if (!tb[NFTA_EXPR_DATA])
2949 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
2953 if (!type->inner_ops)
2956 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2958 type->policy, NULL);
2963 info->ops = type->inner_ops;
2971 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2972 const struct nft_expr_info *expr_info,
2973 struct nft_expr *expr)
2975 const struct nft_expr_ops *ops = expr_info->ops;
2980 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
2991 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2992 struct nft_expr *expr)
2994 const struct nft_expr_type *type = expr->ops->type;
2996 if (expr->ops->destroy)
2997 expr->ops->destroy(ctx, expr);
2998 module_put(type->owner);
3001 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3002 const struct nlattr *nla)
3004 struct nft_expr_info expr_info;
3005 struct nft_expr *expr;
3006 struct module *owner;
3009 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3011 goto err_expr_parse;
3014 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3015 goto err_expr_stateful;
3018 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3020 goto err_expr_stateful;
3022 err = nf_tables_newexpr(ctx, &expr_info, expr);
3030 owner = expr_info.ops->type->owner;
3031 if (expr_info.ops->type->release_ops)
3032 expr_info.ops->type->release_ops(expr_info.ops);
3036 return ERR_PTR(err);
3039 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
3043 if (src->ops->clone) {
3044 dst->ops = src->ops;
3045 err = src->ops->clone(dst, src);
3049 memcpy(dst, src, src->ops->size);
3052 __module_get(src->ops->type->owner);
3057 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3059 nf_tables_expr_destroy(ctx, expr);
3067 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3070 struct nft_rule *rule;
3072 // FIXME: this sucks
3073 list_for_each_entry_rcu(rule, &chain->rules, list) {
3074 if (handle == rule->handle)
3078 return ERR_PTR(-ENOENT);
3081 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3082 const struct nlattr *nla)
3085 return ERR_PTR(-EINVAL);
3087 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3090 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3091 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3092 .len = NFT_TABLE_MAXNAMELEN - 1 },
3093 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3094 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3095 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3096 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
3097 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3098 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3099 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3100 .len = NFT_USERDATA_MAXLEN },
3101 [NFTA_RULE_ID] = { .type = NLA_U32 },
3102 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3103 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3106 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3107 u32 portid, u32 seq, int event,
3108 u32 flags, int family,
3109 const struct nft_table *table,
3110 const struct nft_chain *chain,
3111 const struct nft_rule *rule, u64 handle,
3114 struct nlmsghdr *nlh;
3115 const struct nft_expr *expr, *next;
3116 struct nlattr *list;
3117 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3119 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3122 goto nla_put_failure;
3124 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3125 goto nla_put_failure;
3126 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3127 goto nla_put_failure;
3128 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3130 goto nla_put_failure;
3132 if (event != NFT_MSG_DELRULE && handle) {
3133 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3135 goto nla_put_failure;
3138 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3139 nft_flow_rule_stats(chain, rule);
3141 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3143 goto nla_put_failure;
3144 nft_rule_for_each_expr(expr, next, rule) {
3145 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3146 goto nla_put_failure;
3148 nla_nest_end(skb, list);
3151 struct nft_userdata *udata = nft_userdata(rule);
3152 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3154 goto nla_put_failure;
3157 nlmsg_end(skb, nlh);
3161 nlmsg_trim(skb, nlh);
3165 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3166 const struct nft_rule *rule, int event)
3168 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3169 const struct nft_rule *prule;
3170 struct sk_buff *skb;
3176 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3179 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3183 if (event == NFT_MSG_NEWRULE &&
3184 !list_is_first(&rule->list, &ctx->chain->rules) &&
3185 !list_is_last(&rule->list, &ctx->chain->rules)) {
3186 prule = list_prev_entry(rule, list);
3187 handle = prule->handle;
3189 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3190 flags |= NLM_F_APPEND;
3191 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3192 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3194 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3195 event, flags, ctx->family, ctx->table,
3196 ctx->chain, rule, handle, false);
3202 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3205 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3208 struct nft_rule_dump_ctx {
3213 static int __nf_tables_dump_rules(struct sk_buff *skb,
3215 struct netlink_callback *cb,
3216 const struct nft_table *table,
3217 const struct nft_chain *chain,
3220 struct net *net = sock_net(skb->sk);
3221 const struct nft_rule *rule, *prule;
3222 unsigned int s_idx = cb->args[0];
3226 list_for_each_entry_rcu(rule, &chain->rules, list) {
3227 if (!nft_is_active(net, rule))
3232 memset(&cb->args[1], 0,
3233 sizeof(cb->args) - sizeof(cb->args[0]));
3236 handle = prule->handle;
3240 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3243 NLM_F_MULTI | NLM_F_APPEND,
3245 table, chain, rule, handle, reset) < 0)
3248 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3257 static int nf_tables_dump_rules(struct sk_buff *skb,
3258 struct netlink_callback *cb)
3260 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3261 const struct nft_rule_dump_ctx *ctx = cb->data;
3262 struct nft_table *table;
3263 const struct nft_chain *chain;
3264 unsigned int idx = 0;
3265 struct net *net = sock_net(skb->sk);
3266 int family = nfmsg->nfgen_family;
3267 struct nftables_pernet *nft_net;
3270 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3274 nft_net = nft_pernet(net);
3275 cb->seq = READ_ONCE(nft_net->base_seq);
3277 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3278 if (family != NFPROTO_UNSPEC && family != table->family)
3281 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
3284 if (ctx && ctx->table && ctx->chain) {
3285 struct rhlist_head *list, *tmp;
3287 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3288 nft_chain_ht_params);
3292 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3293 if (!nft_is_active(net, chain))
3295 __nf_tables_dump_rules(skb, &idx,
3296 cb, table, chain, reset);
3302 list_for_each_entry_rcu(chain, &table->chains, list) {
3303 if (__nf_tables_dump_rules(skb, &idx,
3304 cb, table, chain, reset))
3308 if (ctx && ctx->table)
3318 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3320 const struct nlattr * const *nla = cb->data;
3321 struct nft_rule_dump_ctx *ctx = NULL;
3323 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3324 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3328 if (nla[NFTA_RULE_TABLE]) {
3329 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3336 if (nla[NFTA_RULE_CHAIN]) {
3337 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3351 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3353 struct nft_rule_dump_ctx *ctx = cb->data;
3363 /* called with rcu_read_lock held */
3364 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3365 const struct nlattr * const nla[])
3367 struct netlink_ext_ack *extack = info->extack;
3368 u8 genmask = nft_genmask_cur(info->net);
3369 u8 family = info->nfmsg->nfgen_family;
3370 const struct nft_chain *chain;
3371 const struct nft_rule *rule;
3372 struct net *net = info->net;
3373 struct nft_table *table;
3374 struct sk_buff *skb2;
3378 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3379 struct netlink_dump_control c = {
3380 .start= nf_tables_dump_rules_start,
3381 .dump = nf_tables_dump_rules,
3382 .done = nf_tables_dump_rules_done,
3383 .module = THIS_MODULE,
3384 .data = (void *)nla,
3387 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3390 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3391 if (IS_ERR(table)) {
3392 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3393 return PTR_ERR(table);
3396 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3397 if (IS_ERR(chain)) {
3398 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3399 return PTR_ERR(chain);
3402 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3404 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3405 return PTR_ERR(rule);
3408 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3412 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3415 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3416 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3417 family, table, chain, rule, 0, reset);
3419 goto err_fill_rule_info;
3421 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3428 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3429 struct nft_rule *rule)
3431 struct nft_expr *expr, *next;
3434 * Careful: some expressions might not be initialized in case this
3435 * is called on error from nf_tables_newrule().
3437 expr = nft_expr_first(rule);
3438 while (nft_expr_more(rule, expr)) {
3439 next = nft_expr_next(expr);
3440 nf_tables_expr_destroy(ctx, expr);
3446 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3448 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3449 nf_tables_rule_destroy(ctx, rule);
3452 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3454 struct nft_expr *expr, *last;
3455 const struct nft_data *data;
3456 struct nft_rule *rule;
3459 if (ctx->level == NFT_JUMP_STACK_SIZE)
3462 list_for_each_entry(rule, &chain->rules, list) {
3463 if (!nft_is_active_next(ctx->net, rule))
3466 nft_rule_for_each_expr(expr, last, rule) {
3467 if (!expr->ops->validate)
3470 err = expr->ops->validate(ctx, expr, &data);
3480 EXPORT_SYMBOL_GPL(nft_chain_validate);
3482 static int nft_table_validate(struct net *net, const struct nft_table *table)
3484 struct nft_chain *chain;
3485 struct nft_ctx ctx = {
3487 .family = table->family,
3491 list_for_each_entry(chain, &table->chains, list) {
3492 if (!nft_is_base_chain(chain))
3496 err = nft_chain_validate(&ctx, chain);
3504 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3505 const struct nft_set_iter *iter,
3506 struct nft_set_elem *elem)
3508 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3509 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3510 const struct nft_data *data;
3513 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3514 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3517 data = nft_set_ext_data(ext);
3518 switch (data->verdict.code) {
3522 err = nft_chain_validate(ctx, data->verdict.chain);
3534 struct nft_set_elem_catchall {
3535 struct list_head list;
3536 struct rcu_head rcu;
3540 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3542 u8 genmask = nft_genmask_next(ctx->net);
3543 struct nft_set_elem_catchall *catchall;
3544 struct nft_set_elem elem;
3545 struct nft_set_ext *ext;
3548 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3549 ext = nft_set_elem_ext(set, catchall->elem);
3550 if (!nft_set_elem_active(ext, genmask))
3553 elem.priv = catchall->elem;
3554 ret = nft_setelem_validate(ctx, set, NULL, &elem);
3562 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3563 const struct nft_chain *chain,
3564 const struct nlattr *nla);
3566 #define NFT_RULE_MAXEXPRS 128
3568 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3569 const struct nlattr * const nla[])
3571 struct nftables_pernet *nft_net = nft_pernet(info->net);
3572 struct netlink_ext_ack *extack = info->extack;
3573 unsigned int size, i, n, ulen = 0, usize = 0;
3574 u8 genmask = nft_genmask_next(info->net);
3575 struct nft_rule *rule, *old_rule = NULL;
3576 struct nft_expr_info *expr_info = NULL;
3577 u8 family = info->nfmsg->nfgen_family;
3578 struct nft_flow_rule *flow = NULL;
3579 struct net *net = info->net;
3580 struct nft_userdata *udata;
3581 struct nft_table *table;
3582 struct nft_chain *chain;
3583 struct nft_trans *trans;
3584 u64 handle, pos_handle;
3585 struct nft_expr *expr;
3590 lockdep_assert_held(&nft_net->commit_mutex);
3592 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3593 NETLINK_CB(skb).portid);
3594 if (IS_ERR(table)) {
3595 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3596 return PTR_ERR(table);
3599 if (nla[NFTA_RULE_CHAIN]) {
3600 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3602 if (IS_ERR(chain)) {
3603 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3604 return PTR_ERR(chain);
3606 if (nft_chain_is_bound(chain))
3609 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3610 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]);
3611 if (IS_ERR(chain)) {
3612 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3613 return PTR_ERR(chain);
3619 if (nla[NFTA_RULE_HANDLE]) {
3620 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3621 rule = __nft_rule_lookup(chain, handle);
3623 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3624 return PTR_ERR(rule);
3627 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3628 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3631 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3636 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3637 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3639 handle = nf_tables_alloc_handle(table);
3641 if (chain->use == UINT_MAX)
3644 if (nla[NFTA_RULE_POSITION]) {
3645 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3646 old_rule = __nft_rule_lookup(chain, pos_handle);
3647 if (IS_ERR(old_rule)) {
3648 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3649 return PTR_ERR(old_rule);
3651 } else if (nla[NFTA_RULE_POSITION_ID]) {
3652 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
3653 if (IS_ERR(old_rule)) {
3654 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3655 return PTR_ERR(old_rule);
3660 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3664 if (nla[NFTA_RULE_EXPRESSIONS]) {
3665 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3666 sizeof(struct nft_expr_info),
3671 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3673 if (nla_type(tmp) != NFTA_LIST_ELEM)
3674 goto err_release_expr;
3675 if (n == NFT_RULE_MAXEXPRS)
3676 goto err_release_expr;
3677 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3679 NL_SET_BAD_ATTR(extack, tmp);
3680 goto err_release_expr;
3682 size += expr_info[n].ops->size;
3686 /* Check for overflow of dlen field */
3688 if (size >= 1 << 12)
3689 goto err_release_expr;
3691 if (nla[NFTA_RULE_USERDATA]) {
3692 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3694 usize = sizeof(struct nft_userdata) + ulen;
3698 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
3700 goto err_release_expr;
3702 nft_activate_next(net, rule);
3704 rule->handle = handle;
3706 rule->udata = ulen ? 1 : 0;
3709 udata = nft_userdata(rule);
3710 udata->len = ulen - 1;
3711 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3714 expr = nft_expr_first(rule);
3715 for (i = 0; i < n; i++) {
3716 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
3718 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
3719 goto err_release_rule;
3722 if (expr_info[i].ops->validate)
3723 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3725 expr_info[i].ops = NULL;
3726 expr = nft_expr_next(expr);
3729 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3730 flow = nft_flow_rule_create(net, rule);
3732 err = PTR_ERR(flow);
3733 goto err_release_rule;
3737 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
3738 err = nft_delrule(&ctx, old_rule);
3740 goto err_destroy_flow_rule;
3742 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3743 if (trans == NULL) {
3745 goto err_destroy_flow_rule;
3747 list_add_tail_rcu(&rule->list, &old_rule->list);
3749 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3752 goto err_destroy_flow_rule;
3755 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
3757 list_add_rcu(&rule->list, &old_rule->list);
3759 list_add_tail_rcu(&rule->list, &chain->rules);
3762 list_add_tail_rcu(&rule->list, &old_rule->list);
3764 list_add_rcu(&rule->list, &chain->rules);
3771 nft_trans_flow_rule(trans) = flow;
3773 if (nft_net->validate_state == NFT_VALIDATE_DO)
3774 return nft_table_validate(net, table);
3778 err_destroy_flow_rule:
3780 nft_flow_rule_destroy(flow);
3782 nf_tables_rule_release(&ctx, rule);
3784 for (i = 0; i < n; i++) {
3785 if (expr_info[i].ops) {
3786 module_put(expr_info[i].ops->type->owner);
3787 if (expr_info[i].ops->type->release_ops)
3788 expr_info[i].ops->type->release_ops(expr_info[i].ops);
3796 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3797 const struct nft_chain *chain,
3798 const struct nlattr *nla)
3800 struct nftables_pernet *nft_net = nft_pernet(net);
3801 u32 id = ntohl(nla_get_be32(nla));
3802 struct nft_trans *trans;
3804 list_for_each_entry(trans, &nft_net->commit_list, list) {
3805 if (trans->msg_type == NFT_MSG_NEWRULE &&
3806 trans->ctx.chain == chain &&
3807 id == nft_trans_rule_id(trans))
3808 return nft_trans_rule(trans);
3810 return ERR_PTR(-ENOENT);
3813 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
3814 const struct nlattr * const nla[])
3816 struct netlink_ext_ack *extack = info->extack;
3817 u8 genmask = nft_genmask_next(info->net);
3818 u8 family = info->nfmsg->nfgen_family;
3819 struct nft_chain *chain = NULL;
3820 struct net *net = info->net;
3821 struct nft_table *table;
3822 struct nft_rule *rule;
3826 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3827 NETLINK_CB(skb).portid);
3828 if (IS_ERR(table)) {
3829 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3830 return PTR_ERR(table);
3833 if (nla[NFTA_RULE_CHAIN]) {
3834 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3836 if (IS_ERR(chain)) {
3837 if (PTR_ERR(chain) == -ENOENT &&
3838 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
3841 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3842 return PTR_ERR(chain);
3844 if (nft_chain_is_bound(chain))
3848 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3851 if (nla[NFTA_RULE_HANDLE]) {
3852 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3854 if (PTR_ERR(rule) == -ENOENT &&
3855 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
3858 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3859 return PTR_ERR(rule);
3862 err = nft_delrule(&ctx, rule);
3863 } else if (nla[NFTA_RULE_ID]) {
3864 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
3866 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3867 return PTR_ERR(rule);
3870 err = nft_delrule(&ctx, rule);
3872 err = nft_delrule_by_chain(&ctx);
3875 list_for_each_entry(chain, &table->chains, list) {
3876 if (!nft_is_active_next(net, chain))
3880 err = nft_delrule_by_chain(&ctx);
3892 static const struct nft_set_type *nft_set_types[] = {
3893 &nft_set_hash_fast_type,
3895 &nft_set_rhash_type,
3896 &nft_set_bitmap_type,
3897 &nft_set_rbtree_type,
3898 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3899 &nft_set_pipapo_avx2_type,
3901 &nft_set_pipapo_type,
3904 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3905 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3908 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3910 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3914 * Select a set implementation based on the data characteristics and the
3915 * given policy. The total memory use might not be known if no size is
3916 * given, in that case the amount of memory per element is used.
3918 static const struct nft_set_ops *
3919 nft_select_set_ops(const struct nft_ctx *ctx,
3920 const struct nlattr * const nla[],
3921 const struct nft_set_desc *desc)
3923 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3924 const struct nft_set_ops *ops, *bops;
3925 struct nft_set_estimate est, best;
3926 const struct nft_set_type *type;
3930 lockdep_assert_held(&nft_net->commit_mutex);
3931 lockdep_nfnl_nft_mutex_not_held();
3933 if (nla[NFTA_SET_FLAGS] != NULL)
3934 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3941 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3942 type = nft_set_types[i];
3945 if (!nft_set_ops_candidate(type, flags))
3947 if (!ops->estimate(desc, flags, &est))
3950 switch (desc->policy) {
3951 case NFT_SET_POL_PERFORMANCE:
3952 if (est.lookup < best.lookup)
3954 if (est.lookup == best.lookup &&
3955 est.space < best.space)
3958 case NFT_SET_POL_MEMORY:
3960 if (est.space < best.space)
3962 if (est.space == best.space &&
3963 est.lookup < best.lookup)
3965 } else if (est.size < best.size || !bops) {
3980 return ERR_PTR(-EOPNOTSUPP);
3983 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3984 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3985 .len = NFT_TABLE_MAXNAMELEN - 1 },
3986 [NFTA_SET_NAME] = { .type = NLA_STRING,
3987 .len = NFT_SET_MAXNAMELEN - 1 },
3988 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3989 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3990 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3991 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3992 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3993 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3994 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3995 [NFTA_SET_ID] = { .type = NLA_U32 },
3996 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3997 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3998 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3999 .len = NFT_USERDATA_MAXLEN },
4000 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4001 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4002 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4003 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
4006 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4007 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4008 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
4011 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4012 const struct nlattr *nla, u8 genmask)
4014 struct nft_set *set;
4017 return ERR_PTR(-EINVAL);
4019 list_for_each_entry_rcu(set, &table->sets, list) {
4020 if (!nla_strcmp(nla, set->name) &&
4021 nft_active_genmask(set, genmask))
4024 return ERR_PTR(-ENOENT);
4027 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4028 const struct nlattr *nla,
4031 struct nft_set *set;
4033 list_for_each_entry(set, &table->sets, list) {
4034 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4035 nft_active_genmask(set, genmask))
4038 return ERR_PTR(-ENOENT);
4041 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4042 const struct nft_table *table,
4043 const struct nlattr *nla, u8 genmask)
4045 struct nftables_pernet *nft_net = nft_pernet(net);
4046 u32 id = ntohl(nla_get_be32(nla));
4047 struct nft_trans *trans;
4049 list_for_each_entry(trans, &nft_net->commit_list, list) {
4050 if (trans->msg_type == NFT_MSG_NEWSET) {
4051 struct nft_set *set = nft_trans_set(trans);
4053 if (id == nft_trans_set_id(trans) &&
4054 set->table == table &&
4055 nft_active_genmask(set, genmask))
4059 return ERR_PTR(-ENOENT);
4062 struct nft_set *nft_set_lookup_global(const struct net *net,
4063 const struct nft_table *table,
4064 const struct nlattr *nla_set_name,
4065 const struct nlattr *nla_set_id,
4068 struct nft_set *set;
4070 set = nft_set_lookup(table, nla_set_name, genmask);
4075 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4079 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4081 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4084 const struct nft_set *i;
4086 unsigned long *inuse;
4087 unsigned int n = 0, min = 0;
4089 p = strchr(name, '%');
4091 if (p[1] != 'd' || strchr(p + 2, '%'))
4094 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4098 list_for_each_entry(i, &ctx->table->sets, list) {
4101 if (!nft_is_active_next(ctx->net, i))
4103 if (!sscanf(i->name, name, &tmp))
4105 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4108 set_bit(tmp - min, inuse);
4111 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4112 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4113 min += BITS_PER_BYTE * PAGE_SIZE;
4114 memset(inuse, 0, PAGE_SIZE);
4117 free_page((unsigned long)inuse);
4120 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4124 list_for_each_entry(i, &ctx->table->sets, list) {
4125 if (!nft_is_active_next(ctx->net, i))
4127 if (!strcmp(set->name, i->name)) {
4136 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4138 u64 ms = be64_to_cpu(nla_get_be64(nla));
4139 u64 max = (u64)(~((u64)0));
4141 max = div_u64(max, NSEC_PER_MSEC);
4145 ms *= NSEC_PER_MSEC;
4146 *result = nsecs_to_jiffies64(ms);
4150 __be64 nf_jiffies64_to_msecs(u64 input)
4152 return cpu_to_be64(jiffies64_to_msecs(input));
4155 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4156 const struct nft_set *set)
4158 struct nlattr *concat, *field;
4161 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4165 for (i = 0; i < set->field_count; i++) {
4166 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4170 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4171 htonl(set->field_len[i])))
4174 nla_nest_end(skb, field);
4177 nla_nest_end(skb, concat);
4182 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4183 const struct nft_set *set, u16 event, u16 flags)
4185 u64 timeout = READ_ONCE(set->timeout);
4186 u32 gc_int = READ_ONCE(set->gc_int);
4187 u32 portid = ctx->portid;
4188 struct nlmsghdr *nlh;
4189 struct nlattr *nest;
4193 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4194 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4195 NFNETLINK_V0, nft_base_seq(ctx->net));
4197 goto nla_put_failure;
4199 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4200 goto nla_put_failure;
4201 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4202 goto nla_put_failure;
4203 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4205 goto nla_put_failure;
4206 if (set->flags != 0)
4207 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4208 goto nla_put_failure;
4210 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4211 goto nla_put_failure;
4212 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4213 goto nla_put_failure;
4214 if (set->flags & NFT_SET_MAP) {
4215 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4216 goto nla_put_failure;
4217 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4218 goto nla_put_failure;
4220 if (set->flags & NFT_SET_OBJECT &&
4221 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4222 goto nla_put_failure;
4225 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4226 nf_jiffies64_to_msecs(timeout),
4228 goto nla_put_failure;
4230 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4231 goto nla_put_failure;
4233 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4234 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4235 goto nla_put_failure;
4239 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4240 goto nla_put_failure;
4242 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4244 goto nla_put_failure;
4246 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4247 goto nla_put_failure;
4249 if (set->field_count > 1 &&
4250 nf_tables_fill_set_concat(skb, set))
4251 goto nla_put_failure;
4253 nla_nest_end(skb, nest);
4255 if (set->num_exprs == 1) {
4256 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4257 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4258 goto nla_put_failure;
4260 nla_nest_end(skb, nest);
4261 } else if (set->num_exprs > 1) {
4262 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4264 goto nla_put_failure;
4266 for (i = 0; i < set->num_exprs; i++) {
4267 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4268 set->exprs[i], false) < 0)
4269 goto nla_put_failure;
4271 nla_nest_end(skb, nest);
4274 nlmsg_end(skb, nlh);
4278 nlmsg_trim(skb, nlh);
4282 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4283 const struct nft_set *set, int event,
4286 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4287 u32 portid = ctx->portid;
4288 struct sk_buff *skb;
4293 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4296 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4300 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4301 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4303 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4309 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4312 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4315 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4317 const struct nft_set *set;
4318 unsigned int idx, s_idx = cb->args[0];
4319 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4320 struct net *net = sock_net(skb->sk);
4321 struct nft_ctx *ctx = cb->data, ctx_set;
4322 struct nftables_pernet *nft_net;
4328 nft_net = nft_pernet(net);
4329 cb->seq = READ_ONCE(nft_net->base_seq);
4331 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4332 if (ctx->family != NFPROTO_UNSPEC &&
4333 ctx->family != table->family)
4336 if (ctx->table && ctx->table != table)
4340 if (cur_table != table)
4346 list_for_each_entry_rcu(set, &table->sets, list) {
4349 if (!nft_is_active(net, set))
4353 ctx_set.table = table;
4354 ctx_set.family = table->family;
4356 if (nf_tables_fill_set(skb, &ctx_set, set,
4360 cb->args[2] = (unsigned long) table;
4363 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4376 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4378 struct nft_ctx *ctx_dump = NULL;
4380 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4381 if (ctx_dump == NULL)
4384 cb->data = ctx_dump;
4388 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4394 /* called with rcu_read_lock held */
4395 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4396 const struct nlattr * const nla[])
4398 struct netlink_ext_ack *extack = info->extack;
4399 u8 genmask = nft_genmask_cur(info->net);
4400 u8 family = info->nfmsg->nfgen_family;
4401 struct nft_table *table = NULL;
4402 struct net *net = info->net;
4403 const struct nft_set *set;
4404 struct sk_buff *skb2;
4408 if (nla[NFTA_SET_TABLE]) {
4409 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4411 if (IS_ERR(table)) {
4412 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4413 return PTR_ERR(table);
4417 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4419 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4420 struct netlink_dump_control c = {
4421 .start = nf_tables_dump_sets_start,
4422 .dump = nf_tables_dump_sets,
4423 .done = nf_tables_dump_sets_done,
4425 .module = THIS_MODULE,
4428 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4431 /* Only accept unspec with dump */
4432 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4433 return -EAFNOSUPPORT;
4434 if (!nla[NFTA_SET_TABLE])
4437 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4439 return PTR_ERR(set);
4441 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4445 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4447 goto err_fill_set_info;
4449 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4456 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4457 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4460 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4461 struct nft_set_desc *desc)
4463 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4467 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4470 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4471 nft_concat_policy, NULL);
4475 if (!tb[NFTA_SET_FIELD_LEN])
4478 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4479 if (!len || len > U8_MAX)
4482 desc->field_len[desc->field_count++] = len;
4487 static int nft_set_desc_concat(struct nft_set_desc *desc,
4488 const struct nlattr *nla)
4490 struct nlattr *attr;
4494 nla_for_each_nested(attr, nla, rem) {
4495 if (nla_type(attr) != NFTA_LIST_ELEM)
4498 err = nft_set_desc_concat_parse(attr, desc);
4503 for (i = 0; i < desc->field_count; i++)
4504 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4506 if (num_regs > NFT_REG32_COUNT)
4512 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4513 const struct nlattr *nla)
4515 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4518 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4519 nft_set_desc_policy, NULL);
4523 if (da[NFTA_SET_DESC_SIZE] != NULL)
4524 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4525 if (da[NFTA_SET_DESC_CONCAT])
4526 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4531 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4532 const struct nlattr * const *nla,
4533 struct nft_expr **exprs, int *num_exprs,
4536 struct nft_expr *expr;
4539 if (nla[NFTA_SET_EXPR]) {
4540 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4542 err = PTR_ERR(expr);
4543 goto err_set_expr_alloc;
4547 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4551 if (!(flags & NFT_SET_EXPR)) {
4553 goto err_set_expr_alloc;
4556 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4557 if (i == NFT_SET_EXPR_MAX) {
4559 goto err_set_expr_alloc;
4561 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4563 goto err_set_expr_alloc;
4565 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4567 err = PTR_ERR(expr);
4568 goto err_set_expr_alloc;
4578 for (i = 0; i < *num_exprs; i++)
4579 nft_expr_destroy(ctx, exprs[i]);
4584 static bool nft_set_is_same(const struct nft_set *set,
4585 const struct nft_set_desc *desc,
4586 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4590 if (set->ktype != desc->ktype ||
4591 set->dtype != desc->dtype ||
4592 set->flags != flags ||
4593 set->klen != desc->klen ||
4594 set->dlen != desc->dlen ||
4595 set->field_count != desc->field_count ||
4596 set->num_exprs != num_exprs)
4599 for (i = 0; i < desc->field_count; i++) {
4600 if (set->field_len[i] != desc->field_len[i])
4604 for (i = 0; i < num_exprs; i++) {
4605 if (set->exprs[i]->ops != exprs[i]->ops)
4612 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4613 const struct nlattr * const nla[])
4615 struct netlink_ext_ack *extack = info->extack;
4616 u8 genmask = nft_genmask_next(info->net);
4617 u8 family = info->nfmsg->nfgen_family;
4618 const struct nft_set_ops *ops;
4619 struct net *net = info->net;
4620 struct nft_set_desc desc;
4621 struct nft_table *table;
4622 unsigned char *udata;
4623 struct nft_set *set;
4633 if (nla[NFTA_SET_TABLE] == NULL ||
4634 nla[NFTA_SET_NAME] == NULL ||
4635 nla[NFTA_SET_KEY_LEN] == NULL ||
4636 nla[NFTA_SET_ID] == NULL)
4639 memset(&desc, 0, sizeof(desc));
4641 desc.ktype = NFT_DATA_VALUE;
4642 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4643 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4644 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4648 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4649 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4653 if (nla[NFTA_SET_FLAGS] != NULL) {
4654 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4655 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4656 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4657 NFT_SET_MAP | NFT_SET_EVAL |
4658 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4660 /* Only one of these operations is supported */
4661 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4662 (NFT_SET_MAP | NFT_SET_OBJECT))
4664 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4665 (NFT_SET_EVAL | NFT_SET_OBJECT))
4670 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4671 if (!(flags & NFT_SET_MAP))
4674 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4675 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4676 desc.dtype != NFT_DATA_VERDICT)
4679 if (desc.dtype != NFT_DATA_VERDICT) {
4680 if (nla[NFTA_SET_DATA_LEN] == NULL)
4682 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4683 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4686 desc.dlen = sizeof(struct nft_verdict);
4687 } else if (flags & NFT_SET_MAP)
4690 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4691 if (!(flags & NFT_SET_OBJECT))
4694 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4695 if (desc.objtype == NFT_OBJECT_UNSPEC ||
4696 desc.objtype > NFT_OBJECT_MAX)
4698 } else if (flags & NFT_SET_OBJECT)
4701 desc.objtype = NFT_OBJECT_UNSPEC;
4704 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4705 if (!(flags & NFT_SET_TIMEOUT))
4708 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
4713 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4714 if (!(flags & NFT_SET_TIMEOUT))
4716 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4719 desc.policy = NFT_SET_POL_PERFORMANCE;
4720 if (nla[NFTA_SET_POLICY] != NULL)
4721 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4723 if (nla[NFTA_SET_DESC] != NULL) {
4724 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4728 if (desc.field_count > 1 && !(flags & NFT_SET_CONCAT))
4730 } else if (flags & NFT_SET_CONCAT) {
4734 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4737 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4738 NETLINK_CB(skb).portid);
4739 if (IS_ERR(table)) {
4740 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4741 return PTR_ERR(table);
4744 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4746 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4748 if (PTR_ERR(set) != -ENOENT) {
4749 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4750 return PTR_ERR(set);
4753 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
4755 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4756 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4759 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4762 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
4767 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
4768 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4772 for (i = 0; i < num_exprs; i++)
4773 nft_expr_destroy(&ctx, exprs[i]);
4778 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
4781 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
4784 ops = nft_select_set_ops(&ctx, nla, &desc);
4786 return PTR_ERR(ops);
4789 if (nla[NFTA_SET_USERDATA])
4790 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4793 if (ops->privsize != NULL)
4794 size = ops->privsize(nla, &desc);
4795 alloc_size = sizeof(*set) + size + udlen;
4796 if (alloc_size < size || alloc_size > INT_MAX)
4798 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
4802 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
4808 err = nf_tables_set_alloc_name(&ctx, set, name);
4815 udata = set->data + size;
4816 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4819 INIT_LIST_HEAD(&set->bindings);
4820 INIT_LIST_HEAD(&set->catchall_list);
4822 write_pnet(&set->net, net);
4824 set->ktype = desc.ktype;
4825 set->klen = desc.klen;
4826 set->dtype = desc.dtype;
4827 set->objtype = desc.objtype;
4828 set->dlen = desc.dlen;
4830 set->size = desc.size;
4831 set->policy = desc.policy;
4834 set->timeout = desc.timeout;
4835 set->gc_int = desc.gc_int;
4837 set->field_count = desc.field_count;
4838 for (i = 0; i < desc.field_count; i++)
4839 set->field_len[i] = desc.field_len[i];
4841 err = ops->init(set, &desc, nla);
4845 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
4847 goto err_set_destroy;
4849 set->num_exprs = num_exprs;
4850 set->handle = nf_tables_alloc_handle(table);
4852 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4854 goto err_set_expr_alloc;
4856 list_add_tail_rcu(&set->list, &table->sets);
4861 for (i = 0; i < set->num_exprs; i++)
4862 nft_expr_destroy(&ctx, set->exprs[i]);
4872 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
4873 struct nft_set *set)
4875 struct nft_set_elem_catchall *next, *catchall;
4877 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
4878 list_del_rcu(&catchall->list);
4879 nft_set_elem_destroy(set, catchall->elem, true);
4880 kfree_rcu(catchall, rcu);
4884 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4888 if (WARN_ON(set->use > 0))
4891 for (i = 0; i < set->num_exprs; i++)
4892 nft_expr_destroy(ctx, set->exprs[i]);
4894 set->ops->destroy(set);
4895 nft_set_catchall_destroy(ctx, set);
4900 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
4901 const struct nlattr * const nla[])
4903 struct netlink_ext_ack *extack = info->extack;
4904 u8 genmask = nft_genmask_next(info->net);
4905 u8 family = info->nfmsg->nfgen_family;
4906 struct net *net = info->net;
4907 const struct nlattr *attr;
4908 struct nft_table *table;
4909 struct nft_set *set;
4912 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4913 return -EAFNOSUPPORT;
4915 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4916 genmask, NETLINK_CB(skb).portid);
4917 if (IS_ERR(table)) {
4918 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4919 return PTR_ERR(table);
4922 if (nla[NFTA_SET_HANDLE]) {
4923 attr = nla[NFTA_SET_HANDLE];
4924 set = nft_set_lookup_byhandle(table, attr, genmask);
4926 attr = nla[NFTA_SET_NAME];
4927 set = nft_set_lookup(table, attr, genmask);
4931 if (PTR_ERR(set) == -ENOENT &&
4932 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
4935 NL_SET_BAD_ATTR(extack, attr);
4936 return PTR_ERR(set);
4939 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
4940 atomic_read(&set->nelems) > 0)) {
4941 NL_SET_BAD_ATTR(extack, attr);
4945 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4947 return nft_delset(&ctx, set);
4950 static int nft_validate_register_store(const struct nft_ctx *ctx,
4951 enum nft_registers reg,
4952 const struct nft_data *data,
4953 enum nft_data_types type,
4956 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
4957 struct nft_set *set,
4958 struct nft_set_elem *elem)
4960 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4961 enum nft_registers dreg;
4963 dreg = nft_type_to_reg(set->dtype);
4964 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4965 set->dtype == NFT_DATA_VERDICT ?
4966 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4970 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4971 struct nft_set *set,
4972 const struct nft_set_iter *iter,
4973 struct nft_set_elem *elem)
4975 return nft_setelem_data_validate(ctx, set, elem);
4978 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
4979 struct nft_set *set)
4981 u8 genmask = nft_genmask_next(ctx->net);
4982 struct nft_set_elem_catchall *catchall;
4983 struct nft_set_elem elem;
4984 struct nft_set_ext *ext;
4987 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4988 ext = nft_set_elem_ext(set, catchall->elem);
4989 if (!nft_set_elem_active(ext, genmask))
4992 elem.priv = catchall->elem;
4993 ret = nft_setelem_data_validate(ctx, set, &elem);
5001 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5002 struct nft_set_binding *binding)
5004 struct nft_set_binding *i;
5005 struct nft_set_iter iter;
5007 if (set->use == UINT_MAX)
5010 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5013 if (binding->flags & NFT_SET_MAP) {
5014 /* If the set is already bound to the same chain all
5015 * jumps are already validated for that chain.
5017 list_for_each_entry(i, &set->bindings, list) {
5018 if (i->flags & NFT_SET_MAP &&
5019 i->chain == binding->chain)
5023 iter.genmask = nft_genmask_next(ctx->net);
5027 iter.fn = nf_tables_bind_check_setelem;
5029 set->ops->walk(ctx, set, &iter);
5031 iter.err = nft_set_catchall_bind_check(ctx, set);
5037 binding->chain = ctx->chain;
5038 list_add_tail_rcu(&binding->list, &set->bindings);
5039 nft_set_trans_bind(ctx, set);
5044 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5046 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5047 struct nft_set_binding *binding, bool event)
5049 list_del_rcu(&binding->list);
5051 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5052 list_del_rcu(&set->list);
5054 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5059 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5061 if (nft_set_is_anonymous(set))
5062 nft_clear(ctx->net, set);
5066 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5068 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5069 struct nft_set_binding *binding,
5070 enum nft_trans_phase phase)
5073 case NFT_TRANS_PREPARE:
5074 if (nft_set_is_anonymous(set))
5075 nft_deactivate_next(ctx->net, set);
5079 case NFT_TRANS_ABORT:
5080 case NFT_TRANS_RELEASE:
5084 nf_tables_unbind_set(ctx, set, binding,
5085 phase == NFT_TRANS_COMMIT);
5088 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5090 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5092 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5093 nft_set_destroy(ctx, set);
5095 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5097 const struct nft_set_ext_type nft_set_ext_types[] = {
5098 [NFT_SET_EXT_KEY] = {
5099 .align = __alignof__(u32),
5101 [NFT_SET_EXT_DATA] = {
5102 .align = __alignof__(u32),
5104 [NFT_SET_EXT_EXPRESSIONS] = {
5105 .align = __alignof__(struct nft_set_elem_expr),
5107 [NFT_SET_EXT_OBJREF] = {
5108 .len = sizeof(struct nft_object *),
5109 .align = __alignof__(struct nft_object *),
5111 [NFT_SET_EXT_FLAGS] = {
5113 .align = __alignof__(u8),
5115 [NFT_SET_EXT_TIMEOUT] = {
5117 .align = __alignof__(u64),
5119 [NFT_SET_EXT_EXPIRATION] = {
5121 .align = __alignof__(u64),
5123 [NFT_SET_EXT_USERDATA] = {
5124 .len = sizeof(struct nft_userdata),
5125 .align = __alignof__(struct nft_userdata),
5127 [NFT_SET_EXT_KEY_END] = {
5128 .align = __alignof__(u32),
5136 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5137 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5138 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5139 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5140 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5141 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5142 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5143 .len = NFT_USERDATA_MAXLEN },
5144 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5145 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5146 .len = NFT_OBJ_MAXNAMELEN - 1 },
5147 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5148 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
5151 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5152 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5153 .len = NFT_TABLE_MAXNAMELEN - 1 },
5154 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5155 .len = NFT_SET_MAXNAMELEN - 1 },
5156 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
5157 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5160 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5161 const struct nft_set *set,
5162 const struct nft_set_ext *ext)
5164 struct nft_set_elem_expr *elem_expr;
5165 u32 size, num_exprs = 0;
5166 struct nft_expr *expr;
5167 struct nlattr *nest;
5169 elem_expr = nft_set_ext_expr(ext);
5170 nft_setelem_expr_foreach(expr, elem_expr, size)
5173 if (num_exprs == 1) {
5174 expr = nft_setelem_expr_at(elem_expr, 0);
5175 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, false) < 0)
5179 } else if (num_exprs > 1) {
5180 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5182 goto nla_put_failure;
5184 nft_setelem_expr_foreach(expr, elem_expr, size) {
5185 expr = nft_setelem_expr_at(elem_expr, size);
5186 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, false) < 0)
5187 goto nla_put_failure;
5189 nla_nest_end(skb, nest);
5197 static int nf_tables_fill_setelem(struct sk_buff *skb,
5198 const struct nft_set *set,
5199 const struct nft_set_elem *elem)
5201 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5202 unsigned char *b = skb_tail_pointer(skb);
5203 struct nlattr *nest;
5205 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5207 goto nla_put_failure;
5209 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5210 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5211 NFT_DATA_VALUE, set->klen) < 0)
5212 goto nla_put_failure;
5214 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5215 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5216 NFT_DATA_VALUE, set->klen) < 0)
5217 goto nla_put_failure;
5219 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5220 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5221 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5223 goto nla_put_failure;
5225 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5226 nft_set_elem_expr_dump(skb, set, ext))
5227 goto nla_put_failure;
5229 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5230 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5231 (*nft_set_ext_obj(ext))->key.name) < 0)
5232 goto nla_put_failure;
5234 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5235 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5236 htonl(*nft_set_ext_flags(ext))))
5237 goto nla_put_failure;
5239 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5240 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5241 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5243 goto nla_put_failure;
5245 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5246 u64 expires, now = get_jiffies_64();
5248 expires = *nft_set_ext_expiration(ext);
5249 if (time_before64(now, expires))
5254 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5255 nf_jiffies64_to_msecs(expires),
5257 goto nla_put_failure;
5260 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5261 struct nft_userdata *udata;
5263 udata = nft_set_ext_userdata(ext);
5264 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5265 udata->len + 1, udata->data))
5266 goto nla_put_failure;
5269 nla_nest_end(skb, nest);
5277 struct nft_set_dump_args {
5278 const struct netlink_callback *cb;
5279 struct nft_set_iter iter;
5280 struct sk_buff *skb;
5283 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5284 struct nft_set *set,
5285 const struct nft_set_iter *iter,
5286 struct nft_set_elem *elem)
5288 struct nft_set_dump_args *args;
5290 args = container_of(iter, struct nft_set_dump_args, iter);
5291 return nf_tables_fill_setelem(args->skb, set, elem);
5294 struct nft_set_dump_ctx {
5295 const struct nft_set *set;
5299 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5300 const struct nft_set *set)
5302 struct nft_set_elem_catchall *catchall;
5303 u8 genmask = nft_genmask_cur(net);
5304 struct nft_set_elem elem;
5305 struct nft_set_ext *ext;
5308 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5309 ext = nft_set_elem_ext(set, catchall->elem);
5310 if (!nft_set_elem_active(ext, genmask) ||
5311 nft_set_elem_expired(ext))
5314 elem.priv = catchall->elem;
5315 ret = nf_tables_fill_setelem(skb, set, &elem);
5322 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5324 struct nft_set_dump_ctx *dump_ctx = cb->data;
5325 struct net *net = sock_net(skb->sk);
5326 struct nftables_pernet *nft_net;
5327 struct nft_table *table;
5328 struct nft_set *set;
5329 struct nft_set_dump_args args;
5330 bool set_found = false;
5331 struct nlmsghdr *nlh;
5332 struct nlattr *nest;
5337 nft_net = nft_pernet(net);
5338 cb->seq = READ_ONCE(nft_net->base_seq);
5340 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5341 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5342 dump_ctx->ctx.family != table->family)
5345 if (table != dump_ctx->ctx.table)
5348 list_for_each_entry_rcu(set, &table->sets, list) {
5349 if (set == dump_ctx->set) {
5362 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5363 portid = NETLINK_CB(cb->skb).portid;
5364 seq = cb->nlh->nlmsg_seq;
5366 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5367 table->family, NFNETLINK_V0, nft_base_seq(net));
5369 goto nla_put_failure;
5371 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5372 goto nla_put_failure;
5373 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5374 goto nla_put_failure;
5376 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5378 goto nla_put_failure;
5382 args.iter.genmask = nft_genmask_cur(net);
5383 args.iter.skip = cb->args[0];
5384 args.iter.count = 0;
5386 args.iter.fn = nf_tables_dump_setelem;
5387 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5389 if (!args.iter.err && args.iter.count == cb->args[0])
5390 args.iter.err = nft_set_catchall_dump(net, skb, set);
5393 nla_nest_end(skb, nest);
5394 nlmsg_end(skb, nlh);
5396 if (args.iter.err && args.iter.err != -EMSGSIZE)
5397 return args.iter.err;
5398 if (args.iter.count == cb->args[0])
5401 cb->args[0] = args.iter.count;
5409 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5411 struct nft_set_dump_ctx *dump_ctx = cb->data;
5413 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5415 return cb->data ? 0 : -ENOMEM;
5418 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5424 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5425 const struct nft_ctx *ctx, u32 seq,
5426 u32 portid, int event, u16 flags,
5427 const struct nft_set *set,
5428 const struct nft_set_elem *elem)
5430 struct nlmsghdr *nlh;
5431 struct nlattr *nest;
5434 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5435 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5436 NFNETLINK_V0, nft_base_seq(ctx->net));
5438 goto nla_put_failure;
5440 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5441 goto nla_put_failure;
5442 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5443 goto nla_put_failure;
5445 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5447 goto nla_put_failure;
5449 err = nf_tables_fill_setelem(skb, set, elem);
5451 goto nla_put_failure;
5453 nla_nest_end(skb, nest);
5455 nlmsg_end(skb, nlh);
5459 nlmsg_trim(skb, nlh);
5463 static int nft_setelem_parse_flags(const struct nft_set *set,
5464 const struct nlattr *attr, u32 *flags)
5469 *flags = ntohl(nla_get_be32(attr));
5470 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5472 if (!(set->flags & NFT_SET_INTERVAL) &&
5473 *flags & NFT_SET_ELEM_INTERVAL_END)
5475 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
5476 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5482 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
5483 struct nft_data *key, struct nlattr *attr)
5485 struct nft_data_desc desc = {
5486 .type = NFT_DATA_VALUE,
5487 .size = NFT_DATA_VALUE_MAXLEN,
5491 return nft_data_init(ctx, key, &desc, attr);
5494 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5495 struct nft_data_desc *desc,
5496 struct nft_data *data,
5497 struct nlattr *attr)
5501 if (set->dtype == NFT_DATA_VERDICT)
5502 dtype = NFT_DATA_VERDICT;
5504 dtype = NFT_DATA_VALUE;
5507 desc->size = NFT_DATA_VALUE_MAXLEN;
5508 desc->len = set->dlen;
5509 desc->flags = NFT_DATA_DESC_SETELEM;
5511 return nft_data_init(ctx, data, desc, attr);
5514 static void *nft_setelem_catchall_get(const struct net *net,
5515 const struct nft_set *set)
5517 struct nft_set_elem_catchall *catchall;
5518 u8 genmask = nft_genmask_cur(net);
5519 struct nft_set_ext *ext;
5522 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5523 ext = nft_set_elem_ext(set, catchall->elem);
5524 if (!nft_set_elem_active(ext, genmask) ||
5525 nft_set_elem_expired(ext))
5528 priv = catchall->elem;
5535 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
5536 struct nft_set_elem *elem, u32 flags)
5540 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
5541 priv = set->ops->get(ctx->net, set, elem, flags);
5543 return PTR_ERR(priv);
5545 priv = nft_setelem_catchall_get(ctx->net, set);
5554 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5555 const struct nlattr *attr)
5557 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5558 struct nft_set_elem elem;
5559 struct sk_buff *skb;
5563 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5564 nft_set_elem_policy, NULL);
5568 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5572 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5575 if (nla[NFTA_SET_ELEM_KEY]) {
5576 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5577 nla[NFTA_SET_ELEM_KEY]);
5582 if (nla[NFTA_SET_ELEM_KEY_END]) {
5583 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5584 nla[NFTA_SET_ELEM_KEY_END]);
5589 err = nft_setelem_get(ctx, set, &elem, flags);
5594 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5598 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5599 NFT_MSG_NEWSETELEM, 0, set, &elem);
5601 goto err_fill_setelem;
5603 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5610 /* called with rcu_read_lock held */
5611 static int nf_tables_getsetelem(struct sk_buff *skb,
5612 const struct nfnl_info *info,
5613 const struct nlattr * const nla[])
5615 struct netlink_ext_ack *extack = info->extack;
5616 u8 genmask = nft_genmask_cur(info->net);
5617 u8 family = info->nfmsg->nfgen_family;
5618 struct net *net = info->net;
5619 struct nft_table *table;
5620 struct nft_set *set;
5621 struct nlattr *attr;
5625 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
5627 if (IS_ERR(table)) {
5628 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
5629 return PTR_ERR(table);
5632 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5634 return PTR_ERR(set);
5636 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5638 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5639 struct netlink_dump_control c = {
5640 .start = nf_tables_dump_set_start,
5641 .dump = nf_tables_dump_set,
5642 .done = nf_tables_dump_set_done,
5643 .module = THIS_MODULE,
5645 struct nft_set_dump_ctx dump_ctx = {
5651 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5654 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5657 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5658 err = nft_get_set_elem(&ctx, set, attr);
5660 NL_SET_BAD_ATTR(extack, attr);
5668 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5669 const struct nft_set *set,
5670 const struct nft_set_elem *elem,
5673 struct nftables_pernet *nft_net;
5674 struct net *net = ctx->net;
5675 u32 portid = ctx->portid;
5676 struct sk_buff *skb;
5680 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5683 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5687 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
5688 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
5690 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5697 nft_net = nft_pernet(net);
5698 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5701 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5704 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5706 struct nft_set *set)
5708 struct nft_trans *trans;
5710 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5714 nft_trans_elem_set(trans) = set;
5718 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5719 const struct nft_set *set,
5720 const struct nlattr *attr)
5722 struct nft_expr *expr;
5725 expr = nft_expr_init(ctx, attr);
5730 if (expr->ops->type->flags & NFT_EXPR_GC) {
5731 if (set->flags & NFT_SET_TIMEOUT)
5732 goto err_set_elem_expr;
5733 if (!set->ops->gc_init)
5734 goto err_set_elem_expr;
5735 set->ops->gc_init(set);
5741 nft_expr_destroy(ctx, expr);
5742 return ERR_PTR(err);
5745 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
5747 len += nft_set_ext_types[id].len;
5748 if (len > tmpl->ext_len[id] ||
5755 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
5756 void *to, const void *from, u32 len)
5758 if (nft_set_ext_check(tmpl, id, len) < 0)
5761 memcpy(to, from, len);
5766 void *nft_set_elem_init(const struct nft_set *set,
5767 const struct nft_set_ext_tmpl *tmpl,
5768 const u32 *key, const u32 *key_end,
5769 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5771 struct nft_set_ext *ext;
5774 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5776 return ERR_PTR(-ENOMEM);
5778 ext = nft_set_elem_ext(set, elem);
5779 nft_set_ext_init(ext, tmpl);
5781 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5782 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
5783 nft_set_ext_key(ext), key, set->klen) < 0)
5786 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5787 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
5788 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
5791 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5792 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
5793 nft_set_ext_data(ext), data, set->dlen) < 0)
5796 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5797 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5798 if (expiration == 0)
5799 *nft_set_ext_expiration(ext) += timeout;
5801 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5802 *nft_set_ext_timeout(ext) = timeout;
5809 return ERR_PTR(-EINVAL);
5812 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5813 struct nft_expr *expr)
5815 if (expr->ops->destroy_clone) {
5816 expr->ops->destroy_clone(ctx, expr);
5817 module_put(expr->ops->type->owner);
5819 nf_tables_expr_destroy(ctx, expr);
5823 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5824 struct nft_set_elem_expr *elem_expr)
5826 struct nft_expr *expr;
5829 nft_setelem_expr_foreach(expr, elem_expr, size)
5830 __nft_set_elem_expr_destroy(ctx, expr);
5833 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5836 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5837 struct nft_ctx ctx = {
5838 .net = read_pnet(&set->net),
5839 .family = set->table->family,
5842 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5843 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5844 nft_data_release(nft_set_ext_data(ext), set->dtype);
5845 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5846 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5848 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5849 (*nft_set_ext_obj(ext))->use--;
5852 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5854 /* Only called from commit path, nft_setelem_data_deactivate() already deals
5855 * with the refcounting from the preparation phase.
5857 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5858 const struct nft_set *set, void *elem)
5860 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5862 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5863 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5868 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5869 struct nft_expr *expr_array[])
5871 struct nft_expr *expr;
5874 for (i = 0; i < set->num_exprs; i++) {
5875 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
5879 err = nft_expr_clone(expr, set->exprs[i]);
5884 expr_array[i] = expr;
5890 for (k = i - 1; k >= 0; k--)
5891 nft_expr_destroy(ctx, expr_array[k]);
5896 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
5897 const struct nft_set_ext_tmpl *tmpl,
5898 const struct nft_set_ext *ext,
5899 struct nft_expr *expr_array[],
5902 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5903 u32 len = sizeof(struct nft_set_elem_expr);
5904 struct nft_expr *expr;
5910 for (i = 0; i < num_exprs; i++)
5911 len += expr_array[i]->ops->size;
5913 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
5916 for (i = 0; i < num_exprs; i++) {
5917 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5918 err = nft_expr_clone(expr, expr_array[i]);
5920 goto err_elem_expr_setup;
5922 elem_expr->size += expr_array[i]->ops->size;
5923 nft_expr_destroy(ctx, expr_array[i]);
5924 expr_array[i] = NULL;
5929 err_elem_expr_setup:
5930 for (; i < num_exprs; i++) {
5931 nft_expr_destroy(ctx, expr_array[i]);
5932 expr_array[i] = NULL;
5938 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
5939 const struct nft_set *set)
5941 struct nft_set_elem_catchall *catchall;
5942 u8 genmask = nft_genmask_cur(net);
5943 struct nft_set_ext *ext;
5945 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5946 ext = nft_set_elem_ext(set, catchall->elem);
5947 if (nft_set_elem_active(ext, genmask) &&
5948 !nft_set_elem_expired(ext))
5954 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
5956 void *nft_set_catchall_gc(const struct nft_set *set)
5958 struct nft_set_elem_catchall *catchall, *next;
5959 struct nft_set_ext *ext;
5962 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5963 ext = nft_set_elem_ext(set, catchall->elem);
5965 if (!nft_set_elem_expired(ext) ||
5966 nft_set_elem_mark_busy(ext))
5969 elem = catchall->elem;
5970 list_del_rcu(&catchall->list);
5971 kfree_rcu(catchall, rcu);
5977 EXPORT_SYMBOL_GPL(nft_set_catchall_gc);
5979 static int nft_setelem_catchall_insert(const struct net *net,
5980 struct nft_set *set,
5981 const struct nft_set_elem *elem,
5982 struct nft_set_ext **pext)
5984 struct nft_set_elem_catchall *catchall;
5985 u8 genmask = nft_genmask_next(net);
5986 struct nft_set_ext *ext;
5988 list_for_each_entry(catchall, &set->catchall_list, list) {
5989 ext = nft_set_elem_ext(set, catchall->elem);
5990 if (nft_set_elem_active(ext, genmask)) {
5996 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6000 catchall->elem = elem->priv;
6001 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6006 static int nft_setelem_insert(const struct net *net,
6007 struct nft_set *set,
6008 const struct nft_set_elem *elem,
6009 struct nft_set_ext **ext, unsigned int flags)
6013 if (flags & NFT_SET_ELEM_CATCHALL)
6014 ret = nft_setelem_catchall_insert(net, set, elem, ext);
6016 ret = set->ops->insert(net, set, elem, ext);
6021 static bool nft_setelem_is_catchall(const struct nft_set *set,
6022 const struct nft_set_elem *elem)
6024 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6026 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6027 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6033 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6034 struct nft_set_elem *elem)
6036 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6038 if (nft_setelem_is_catchall(set, elem)) {
6039 nft_set_elem_change_active(net, set, ext);
6040 nft_set_elem_clear_busy(ext);
6042 set->ops->activate(net, set, elem);
6046 static int nft_setelem_catchall_deactivate(const struct net *net,
6047 struct nft_set *set,
6048 struct nft_set_elem *elem)
6050 struct nft_set_elem_catchall *catchall;
6051 struct nft_set_ext *ext;
6053 list_for_each_entry(catchall, &set->catchall_list, list) {
6054 ext = nft_set_elem_ext(set, catchall->elem);
6055 if (!nft_is_active(net, ext) ||
6056 nft_set_elem_mark_busy(ext))
6060 elem->priv = catchall->elem;
6061 nft_set_elem_change_active(net, set, ext);
6068 static int __nft_setelem_deactivate(const struct net *net,
6069 struct nft_set *set,
6070 struct nft_set_elem *elem)
6074 priv = set->ops->deactivate(net, set, elem);
6085 static int nft_setelem_deactivate(const struct net *net,
6086 struct nft_set *set,
6087 struct nft_set_elem *elem, u32 flags)
6091 if (flags & NFT_SET_ELEM_CATCHALL)
6092 ret = nft_setelem_catchall_deactivate(net, set, elem);
6094 ret = __nft_setelem_deactivate(net, set, elem);
6099 static void nft_setelem_catchall_remove(const struct net *net,
6100 const struct nft_set *set,
6101 const struct nft_set_elem *elem)
6103 struct nft_set_elem_catchall *catchall, *next;
6105 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6106 if (catchall->elem == elem->priv) {
6107 list_del_rcu(&catchall->list);
6108 kfree_rcu(catchall, rcu);
6114 static void nft_setelem_remove(const struct net *net,
6115 const struct nft_set *set,
6116 const struct nft_set_elem *elem)
6118 if (nft_setelem_is_catchall(set, elem))
6119 nft_setelem_catchall_remove(net, set, elem);
6121 set->ops->remove(net, set, elem);
6124 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6125 struct nlattr **nla, u32 flags)
6127 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6128 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6129 if (flags & NFT_SET_ELEM_INTERVAL_END)
6132 if (nla[NFTA_SET_ELEM_KEY_END] &&
6133 flags & NFT_SET_ELEM_CATCHALL)
6136 if (nla[NFTA_SET_ELEM_KEY_END])
6143 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6144 const struct nlattr *attr, u32 nlmsg_flags)
6146 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6147 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6148 u8 genmask = nft_genmask_next(ctx->net);
6149 u32 flags = 0, size = 0, num_exprs = 0;
6150 struct nft_set_ext_tmpl tmpl;
6151 struct nft_set_ext *ext, *ext2;
6152 struct nft_set_elem elem;
6153 struct nft_set_binding *binding;
6154 struct nft_object *obj = NULL;
6155 struct nft_userdata *udata;
6156 struct nft_data_desc desc;
6157 enum nft_registers dreg;
6158 struct nft_trans *trans;
6164 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6165 nft_set_elem_policy, NULL);
6169 nft_set_ext_prepare(&tmpl);
6171 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6175 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6176 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6180 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6185 if (set->flags & NFT_SET_MAP) {
6186 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6187 !(flags & NFT_SET_ELEM_INTERVAL_END))
6190 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6194 if (set->flags & NFT_SET_OBJECT) {
6195 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6196 !(flags & NFT_SET_ELEM_INTERVAL_END))
6199 if (nla[NFTA_SET_ELEM_OBJREF])
6203 if (!nft_setelem_valid_key_end(set, nla, flags))
6206 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6207 (nla[NFTA_SET_ELEM_DATA] ||
6208 nla[NFTA_SET_ELEM_OBJREF] ||
6209 nla[NFTA_SET_ELEM_TIMEOUT] ||
6210 nla[NFTA_SET_ELEM_EXPIRATION] ||
6211 nla[NFTA_SET_ELEM_USERDATA] ||
6212 nla[NFTA_SET_ELEM_EXPR] ||
6213 nla[NFTA_SET_ELEM_KEY_END] ||
6214 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6218 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6219 if (!(set->flags & NFT_SET_TIMEOUT))
6221 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6225 } else if (set->flags & NFT_SET_TIMEOUT &&
6226 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6227 timeout = READ_ONCE(set->timeout);
6231 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6232 if (!(set->flags & NFT_SET_TIMEOUT))
6234 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6240 if (nla[NFTA_SET_ELEM_EXPR]) {
6241 struct nft_expr *expr;
6243 if (set->num_exprs && set->num_exprs != 1)
6246 expr = nft_set_elem_expr_alloc(ctx, set,
6247 nla[NFTA_SET_ELEM_EXPR]);
6249 return PTR_ERR(expr);
6251 expr_array[0] = expr;
6254 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6256 goto err_set_elem_expr;
6258 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6259 struct nft_expr *expr;
6264 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6265 if (i == NFT_SET_EXPR_MAX ||
6266 (set->num_exprs && set->num_exprs == i)) {
6268 goto err_set_elem_expr;
6270 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6272 goto err_set_elem_expr;
6274 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6276 err = PTR_ERR(expr);
6277 goto err_set_elem_expr;
6279 expr_array[i] = expr;
6282 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6284 goto err_set_elem_expr;
6288 if (set->num_exprs && set->num_exprs != i) {
6290 goto err_set_elem_expr;
6292 } else if (set->num_exprs > 0 &&
6293 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6294 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6296 goto err_set_elem_expr_clone;
6298 num_exprs = set->num_exprs;
6301 if (nla[NFTA_SET_ELEM_KEY]) {
6302 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6303 nla[NFTA_SET_ELEM_KEY]);
6305 goto err_set_elem_expr;
6307 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6312 if (nla[NFTA_SET_ELEM_KEY_END]) {
6313 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6314 nla[NFTA_SET_ELEM_KEY_END]);
6318 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6320 goto err_parse_key_end;
6324 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6326 goto err_parse_key_end;
6328 if (timeout != READ_ONCE(set->timeout)) {
6329 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6331 goto err_parse_key_end;
6336 for (i = 0; i < num_exprs; i++)
6337 size += expr_array[i]->ops->size;
6339 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6340 sizeof(struct nft_set_elem_expr) + size);
6342 goto err_parse_key_end;
6345 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6346 obj = nft_obj_lookup(ctx->net, ctx->table,
6347 nla[NFTA_SET_ELEM_OBJREF],
6348 set->objtype, genmask);
6351 goto err_parse_key_end;
6353 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6355 goto err_parse_key_end;
6358 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6359 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
6360 nla[NFTA_SET_ELEM_DATA]);
6362 goto err_parse_key_end;
6364 dreg = nft_type_to_reg(set->dtype);
6365 list_for_each_entry(binding, &set->bindings, list) {
6366 struct nft_ctx bind_ctx = {
6368 .family = ctx->family,
6369 .table = ctx->table,
6370 .chain = (struct nft_chain *)binding->chain,
6373 if (!(binding->flags & NFT_SET_MAP))
6376 err = nft_validate_register_store(&bind_ctx, dreg,
6378 desc.type, desc.len);
6380 goto err_parse_data;
6382 if (desc.type == NFT_DATA_VERDICT &&
6383 (elem.data.val.verdict.code == NFT_GOTO ||
6384 elem.data.val.verdict.code == NFT_JUMP))
6385 nft_validate_state_update(ctx->net,
6389 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
6391 goto err_parse_data;
6394 /* The full maximum length of userdata can exceed the maximum
6395 * offset value (U8_MAX) for following extensions, therefor it
6396 * must be the last extension added.
6399 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
6400 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
6402 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
6405 goto err_parse_data;
6409 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6410 elem.key_end.val.data, elem.data.val.data,
6411 timeout, expiration, GFP_KERNEL_ACCOUNT);
6412 if (IS_ERR(elem.priv)) {
6413 err = PTR_ERR(elem.priv);
6414 goto err_parse_data;
6417 ext = nft_set_elem_ext(set, elem.priv);
6419 *nft_set_ext_flags(ext) = flags;
6422 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
6424 goto err_elem_userdata;
6426 udata = nft_set_ext_userdata(ext);
6427 udata->len = ulen - 1;
6428 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
6431 *nft_set_ext_obj(ext) = obj;
6434 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
6438 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
6439 if (trans == NULL) {
6444 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
6446 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags);
6448 if (err == -EEXIST) {
6449 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
6450 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
6451 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
6452 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
6453 goto err_element_clash;
6454 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6455 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
6456 memcmp(nft_set_ext_data(ext),
6457 nft_set_ext_data(ext2), set->dlen) != 0) ||
6458 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
6459 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
6460 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
6461 goto err_element_clash;
6462 else if (!(nlmsg_flags & NLM_F_EXCL))
6464 } else if (err == -ENOTEMPTY) {
6465 /* ENOTEMPTY reports overlapping between this element
6466 * and an existing one.
6470 goto err_element_clash;
6473 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size &&
6474 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
6479 nft_trans_elem(trans) = elem;
6480 nft_trans_commit_list_add_tail(ctx->net, trans);
6484 nft_setelem_remove(ctx->net, set, &elem);
6491 nf_tables_set_elem_destroy(ctx, set, elem.priv);
6493 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6494 nft_data_release(&elem.data.val, desc.type);
6496 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6498 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6500 for (i = 0; i < num_exprs && expr_array[i]; i++)
6501 nft_expr_destroy(ctx, expr_array[i]);
6502 err_set_elem_expr_clone:
6506 static int nf_tables_newsetelem(struct sk_buff *skb,
6507 const struct nfnl_info *info,
6508 const struct nlattr * const nla[])
6510 struct nftables_pernet *nft_net = nft_pernet(info->net);
6511 struct netlink_ext_ack *extack = info->extack;
6512 u8 genmask = nft_genmask_next(info->net);
6513 u8 family = info->nfmsg->nfgen_family;
6514 struct net *net = info->net;
6515 const struct nlattr *attr;
6516 struct nft_table *table;
6517 struct nft_set *set;
6521 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
6524 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6525 genmask, NETLINK_CB(skb).portid);
6526 if (IS_ERR(table)) {
6527 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6528 return PTR_ERR(table);
6531 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
6532 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
6534 return PTR_ERR(set);
6536 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6539 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6541 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6542 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
6544 NL_SET_BAD_ATTR(extack, attr);
6549 if (nft_net->validate_state == NFT_VALIDATE_DO)
6550 return nft_table_validate(net, table);
6556 * nft_data_hold - hold a nft_data item
6558 * @data: struct nft_data to release
6559 * @type: type of data
6561 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6562 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
6563 * NFT_GOTO verdicts. This function must be called on active data objects
6564 * from the second phase of the commit protocol.
6566 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
6568 struct nft_chain *chain;
6569 struct nft_rule *rule;
6571 if (type == NFT_DATA_VERDICT) {
6572 switch (data->verdict.code) {
6575 chain = data->verdict.chain;
6578 if (!nft_chain_is_bound(chain))
6581 chain->table->use++;
6582 list_for_each_entry(rule, &chain->rules, list)
6585 nft_chain_add(chain->table, chain);
6591 static void nft_setelem_data_activate(const struct net *net,
6592 const struct nft_set *set,
6593 struct nft_set_elem *elem)
6595 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6597 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6598 nft_data_hold(nft_set_ext_data(ext), set->dtype);
6599 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6600 (*nft_set_ext_obj(ext))->use++;
6603 static void nft_setelem_data_deactivate(const struct net *net,
6604 const struct nft_set *set,
6605 struct nft_set_elem *elem)
6607 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6609 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6610 nft_data_release(nft_set_ext_data(ext), set->dtype);
6611 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6612 (*nft_set_ext_obj(ext))->use--;
6615 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
6616 const struct nlattr *attr)
6618 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6619 struct nft_set_ext_tmpl tmpl;
6620 struct nft_set_elem elem;
6621 struct nft_set_ext *ext;
6622 struct nft_trans *trans;
6626 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6627 nft_set_elem_policy, NULL);
6631 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6635 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6638 if (!nft_setelem_valid_key_end(set, nla, flags))
6641 nft_set_ext_prepare(&tmpl);
6644 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6649 if (nla[NFTA_SET_ELEM_KEY]) {
6650 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6651 nla[NFTA_SET_ELEM_KEY]);
6655 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6660 if (nla[NFTA_SET_ELEM_KEY_END]) {
6661 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6662 nla[NFTA_SET_ELEM_KEY_END]);
6666 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6668 goto fail_elem_key_end;
6672 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6673 elem.key_end.val.data, NULL, 0, 0,
6674 GFP_KERNEL_ACCOUNT);
6675 if (IS_ERR(elem.priv)) {
6676 err = PTR_ERR(elem.priv);
6677 goto fail_elem_key_end;
6680 ext = nft_set_elem_ext(set, elem.priv);
6682 *nft_set_ext_flags(ext) = flags;
6684 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
6688 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
6692 nft_setelem_data_deactivate(ctx->net, set, &elem);
6694 nft_trans_elem(trans) = elem;
6695 nft_trans_commit_list_add_tail(ctx->net, trans);
6703 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6705 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6709 static int nft_setelem_flush(const struct nft_ctx *ctx,
6710 struct nft_set *set,
6711 const struct nft_set_iter *iter,
6712 struct nft_set_elem *elem)
6714 struct nft_trans *trans;
6717 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6718 sizeof(struct nft_trans_elem), GFP_ATOMIC);
6722 if (!set->ops->flush(ctx->net, set, elem->priv)) {
6728 nft_setelem_data_deactivate(ctx->net, set, elem);
6729 nft_trans_elem_set(trans) = set;
6730 nft_trans_elem(trans) = *elem;
6731 nft_trans_commit_list_add_tail(ctx->net, trans);
6739 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
6740 struct nft_set *set,
6741 struct nft_set_elem *elem)
6743 struct nft_trans *trans;
6745 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6746 sizeof(struct nft_trans_elem), GFP_KERNEL);
6750 nft_setelem_data_deactivate(ctx->net, set, elem);
6751 nft_trans_elem_set(trans) = set;
6752 nft_trans_elem(trans) = *elem;
6753 nft_trans_commit_list_add_tail(ctx->net, trans);
6758 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
6759 struct nft_set *set)
6761 u8 genmask = nft_genmask_next(ctx->net);
6762 struct nft_set_elem_catchall *catchall;
6763 struct nft_set_elem elem;
6764 struct nft_set_ext *ext;
6767 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6768 ext = nft_set_elem_ext(set, catchall->elem);
6769 if (!nft_set_elem_active(ext, genmask) ||
6770 nft_set_elem_mark_busy(ext))
6773 elem.priv = catchall->elem;
6774 ret = __nft_set_catchall_flush(ctx, set, &elem);
6782 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
6784 struct nft_set_iter iter = {
6786 .fn = nft_setelem_flush,
6789 set->ops->walk(ctx, set, &iter);
6791 iter.err = nft_set_catchall_flush(ctx, set);
6796 static int nf_tables_delsetelem(struct sk_buff *skb,
6797 const struct nfnl_info *info,
6798 const struct nlattr * const nla[])
6800 struct netlink_ext_ack *extack = info->extack;
6801 u8 genmask = nft_genmask_next(info->net);
6802 u8 family = info->nfmsg->nfgen_family;
6803 struct net *net = info->net;
6804 const struct nlattr *attr;
6805 struct nft_table *table;
6806 struct nft_set *set;
6810 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6811 genmask, NETLINK_CB(skb).portid);
6812 if (IS_ERR(table)) {
6813 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6814 return PTR_ERR(table);
6817 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6819 return PTR_ERR(set);
6820 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6823 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6825 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6826 return nft_set_flush(&ctx, set, genmask);
6828 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6829 err = nft_del_setelem(&ctx, set, attr);
6830 if (err == -ENOENT &&
6831 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
6835 NL_SET_BAD_ATTR(extack, attr);
6842 void nft_set_gc_batch_release(struct rcu_head *rcu)
6844 struct nft_set_gc_batch *gcb;
6847 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
6848 for (i = 0; i < gcb->head.cnt; i++)
6849 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
6853 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
6856 struct nft_set_gc_batch *gcb;
6858 gcb = kzalloc(sizeof(*gcb), gfp);
6861 gcb->head.set = set;
6870 * nft_register_obj- register nf_tables stateful object type
6871 * @obj_type: object type
6873 * Registers the object type for use with nf_tables. Returns zero on
6874 * success or a negative errno code otherwise.
6876 int nft_register_obj(struct nft_object_type *obj_type)
6878 if (obj_type->type == NFT_OBJECT_UNSPEC)
6881 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6882 list_add_rcu(&obj_type->list, &nf_tables_objects);
6883 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6886 EXPORT_SYMBOL_GPL(nft_register_obj);
6889 * nft_unregister_obj - unregister nf_tables object type
6890 * @obj_type: object type
6892 * Unregisters the object type for use with nf_tables.
6894 void nft_unregister_obj(struct nft_object_type *obj_type)
6896 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6897 list_del_rcu(&obj_type->list);
6898 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6900 EXPORT_SYMBOL_GPL(nft_unregister_obj);
6902 struct nft_object *nft_obj_lookup(const struct net *net,
6903 const struct nft_table *table,
6904 const struct nlattr *nla, u32 objtype,
6907 struct nft_object_hash_key k = { .table = table };
6908 char search[NFT_OBJ_MAXNAMELEN];
6909 struct rhlist_head *tmp, *list;
6910 struct nft_object *obj;
6912 nla_strscpy(search, nla, sizeof(search));
6915 WARN_ON_ONCE(!rcu_read_lock_held() &&
6916 !lockdep_commit_lock_is_held(net));
6919 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
6923 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
6924 if (objtype == obj->ops->type->type &&
6925 nft_active_genmask(obj, genmask)) {
6932 return ERR_PTR(-ENOENT);
6934 EXPORT_SYMBOL_GPL(nft_obj_lookup);
6936 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
6937 const struct nlattr *nla,
6938 u32 objtype, u8 genmask)
6940 struct nft_object *obj;
6942 list_for_each_entry(obj, &table->objects, list) {
6943 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
6944 objtype == obj->ops->type->type &&
6945 nft_active_genmask(obj, genmask))
6948 return ERR_PTR(-ENOENT);
6951 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
6952 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
6953 .len = NFT_TABLE_MAXNAMELEN - 1 },
6954 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
6955 .len = NFT_OBJ_MAXNAMELEN - 1 },
6956 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
6957 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
6958 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
6959 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
6960 .len = NFT_USERDATA_MAXLEN },
6963 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
6964 const struct nft_object_type *type,
6965 const struct nlattr *attr)
6968 const struct nft_object_ops *ops;
6969 struct nft_object *obj;
6972 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
6977 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6978 type->policy, NULL);
6982 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6985 if (type->select_ops) {
6986 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6996 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7000 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7013 return ERR_PTR(err);
7016 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7017 struct nft_object *obj, bool reset)
7019 struct nlattr *nest;
7021 nest = nla_nest_start_noflag(skb, attr);
7023 goto nla_put_failure;
7024 if (obj->ops->dump(skb, obj, reset) < 0)
7025 goto nla_put_failure;
7026 nla_nest_end(skb, nest);
7033 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
7035 const struct nft_object_type *type;
7037 list_for_each_entry(type, &nf_tables_objects, list) {
7038 if (objtype == type->type)
7044 static const struct nft_object_type *
7045 nft_obj_type_get(struct net *net, u32 objtype)
7047 const struct nft_object_type *type;
7049 type = __nft_obj_type_get(objtype);
7050 if (type != NULL && try_module_get(type->owner))
7053 lockdep_nfnl_nft_mutex_not_held();
7054 #ifdef CONFIG_MODULES
7056 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7057 return ERR_PTR(-EAGAIN);
7060 return ERR_PTR(-ENOENT);
7063 static int nf_tables_updobj(const struct nft_ctx *ctx,
7064 const struct nft_object_type *type,
7065 const struct nlattr *attr,
7066 struct nft_object *obj)
7068 struct nft_object *newobj;
7069 struct nft_trans *trans;
7072 if (!try_module_get(type->owner))
7075 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7076 sizeof(struct nft_trans_obj));
7080 newobj = nft_obj_init(ctx, type, attr);
7081 if (IS_ERR(newobj)) {
7082 err = PTR_ERR(newobj);
7083 goto err_free_trans;
7086 nft_trans_obj(trans) = obj;
7087 nft_trans_obj_update(trans) = true;
7088 nft_trans_obj_newobj(trans) = newobj;
7089 nft_trans_commit_list_add_tail(ctx->net, trans);
7096 module_put(type->owner);
7100 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7101 const struct nlattr * const nla[])
7103 struct netlink_ext_ack *extack = info->extack;
7104 u8 genmask = nft_genmask_next(info->net);
7105 u8 family = info->nfmsg->nfgen_family;
7106 const struct nft_object_type *type;
7107 struct net *net = info->net;
7108 struct nft_table *table;
7109 struct nft_object *obj;
7114 if (!nla[NFTA_OBJ_TYPE] ||
7115 !nla[NFTA_OBJ_NAME] ||
7116 !nla[NFTA_OBJ_DATA])
7119 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7120 NETLINK_CB(skb).portid);
7121 if (IS_ERR(table)) {
7122 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7123 return PTR_ERR(table);
7126 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7127 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7130 if (err != -ENOENT) {
7131 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7135 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7136 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7139 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7142 type = __nft_obj_type_get(objtype);
7143 if (WARN_ON_ONCE(!type))
7146 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7148 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7151 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7153 type = nft_obj_type_get(net, objtype);
7155 return PTR_ERR(type);
7157 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7162 obj->key.table = table;
7163 obj->handle = nf_tables_alloc_handle(table);
7165 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7166 if (!obj->key.name) {
7171 if (nla[NFTA_OBJ_USERDATA]) {
7172 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7173 if (obj->udata == NULL)
7176 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7179 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7183 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7184 nft_objname_ht_params);
7188 list_add_tail_rcu(&obj->list, &table->objects);
7192 /* queued in transaction log */
7193 INIT_LIST_HEAD(&obj->list);
7198 kfree(obj->key.name);
7200 if (obj->ops->destroy)
7201 obj->ops->destroy(&ctx, obj);
7204 module_put(type->owner);
7208 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7209 u32 portid, u32 seq, int event, u32 flags,
7210 int family, const struct nft_table *table,
7211 struct nft_object *obj, bool reset)
7213 struct nlmsghdr *nlh;
7215 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7216 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7217 NFNETLINK_V0, nft_base_seq(net));
7219 goto nla_put_failure;
7221 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7222 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7223 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7224 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7225 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
7226 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7228 goto nla_put_failure;
7231 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7232 goto nla_put_failure;
7234 nlmsg_end(skb, nlh);
7238 nlmsg_trim(skb, nlh);
7242 struct nft_obj_filter {
7247 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7249 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7250 const struct nft_table *table;
7251 unsigned int idx = 0, s_idx = cb->args[0];
7252 struct nft_obj_filter *filter = cb->data;
7253 struct net *net = sock_net(skb->sk);
7254 int family = nfmsg->nfgen_family;
7255 struct nftables_pernet *nft_net;
7256 struct nft_object *obj;
7259 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7263 nft_net = nft_pernet(net);
7264 cb->seq = READ_ONCE(nft_net->base_seq);
7266 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7267 if (family != NFPROTO_UNSPEC && family != table->family)
7270 list_for_each_entry_rcu(obj, &table->objects, list) {
7271 if (!nft_is_active(net, obj))
7276 memset(&cb->args[1], 0,
7277 sizeof(cb->args) - sizeof(cb->args[0]));
7278 if (filter && filter->table &&
7279 strcmp(filter->table, table->name))
7282 filter->type != NFT_OBJECT_UNSPEC &&
7283 obj->ops->type->type != filter->type)
7286 char *buf = kasprintf(GFP_ATOMIC,
7291 audit_log_nfcfg(buf,
7294 AUDIT_NFT_OP_OBJ_RESET,
7299 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
7302 NLM_F_MULTI | NLM_F_APPEND,
7303 table->family, table,
7307 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7319 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7321 const struct nlattr * const *nla = cb->data;
7322 struct nft_obj_filter *filter = NULL;
7324 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
7325 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7329 if (nla[NFTA_OBJ_TABLE]) {
7330 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7331 if (!filter->table) {
7337 if (nla[NFTA_OBJ_TYPE])
7338 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7345 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7347 struct nft_obj_filter *filter = cb->data;
7350 kfree(filter->table);
7357 /* called with rcu_read_lock held */
7358 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
7359 const struct nlattr * const nla[])
7361 struct netlink_ext_ack *extack = info->extack;
7362 u8 genmask = nft_genmask_cur(info->net);
7363 u8 family = info->nfmsg->nfgen_family;
7364 const struct nft_table *table;
7365 struct net *net = info->net;
7366 struct nft_object *obj;
7367 struct sk_buff *skb2;
7372 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7373 struct netlink_dump_control c = {
7374 .start = nf_tables_dump_obj_start,
7375 .dump = nf_tables_dump_obj,
7376 .done = nf_tables_dump_obj_done,
7377 .module = THIS_MODULE,
7378 .data = (void *)nla,
7381 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7384 if (!nla[NFTA_OBJ_NAME] ||
7385 !nla[NFTA_OBJ_TYPE])
7388 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
7389 if (IS_ERR(table)) {
7390 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7391 return PTR_ERR(table);
7394 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7395 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7397 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7398 return PTR_ERR(obj);
7401 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7405 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7409 const struct nftables_pernet *nft_net;
7412 nft_net = nft_pernet(net);
7413 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
7415 audit_log_nfcfg(buf,
7418 AUDIT_NFT_OP_OBJ_RESET,
7423 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
7424 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
7425 family, table, obj, reset);
7427 goto err_fill_obj_info;
7429 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7436 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
7438 if (obj->ops->destroy)
7439 obj->ops->destroy(ctx, obj);
7441 module_put(obj->ops->type->owner);
7442 kfree(obj->key.name);
7447 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
7448 const struct nlattr * const nla[])
7450 struct netlink_ext_ack *extack = info->extack;
7451 u8 genmask = nft_genmask_next(info->net);
7452 u8 family = info->nfmsg->nfgen_family;
7453 struct net *net = info->net;
7454 const struct nlattr *attr;
7455 struct nft_table *table;
7456 struct nft_object *obj;
7460 if (!nla[NFTA_OBJ_TYPE] ||
7461 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
7464 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7465 NETLINK_CB(skb).portid);
7466 if (IS_ERR(table)) {
7467 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7468 return PTR_ERR(table);
7471 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7472 if (nla[NFTA_OBJ_HANDLE]) {
7473 attr = nla[NFTA_OBJ_HANDLE];
7474 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
7476 attr = nla[NFTA_OBJ_NAME];
7477 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
7481 if (PTR_ERR(obj) == -ENOENT &&
7482 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
7485 NL_SET_BAD_ATTR(extack, attr);
7486 return PTR_ERR(obj);
7489 NL_SET_BAD_ATTR(extack, attr);
7493 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7495 return nft_delobj(&ctx, obj);
7498 void nft_obj_notify(struct net *net, const struct nft_table *table,
7499 struct nft_object *obj, u32 portid, u32 seq, int event,
7500 u16 flags, int family, int report, gfp_t gfp)
7502 struct nftables_pernet *nft_net = nft_pernet(net);
7503 struct sk_buff *skb;
7505 char *buf = kasprintf(gfp, "%s:%u",
7506 table->name, nft_net->base_seq);
7508 audit_log_nfcfg(buf,
7511 event == NFT_MSG_NEWOBJ ?
7512 AUDIT_NFT_OP_OBJ_REGISTER :
7513 AUDIT_NFT_OP_OBJ_UNREGISTER,
7518 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7521 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
7525 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
7526 flags & (NLM_F_CREATE | NLM_F_EXCL),
7527 family, table, obj, false);
7533 nft_notify_enqueue(skb, report, &nft_net->notify_list);
7536 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
7538 EXPORT_SYMBOL_GPL(nft_obj_notify);
7540 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
7541 struct nft_object *obj, int event)
7543 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
7544 ctx->flags, ctx->family, ctx->report, GFP_KERNEL);
7550 void nft_register_flowtable_type(struct nf_flowtable_type *type)
7552 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7553 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
7554 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7556 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
7558 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
7560 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7561 list_del_rcu(&type->list);
7562 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7564 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
7566 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
7567 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
7568 .len = NFT_NAME_MAXLEN - 1 },
7569 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
7570 .len = NFT_NAME_MAXLEN - 1 },
7571 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
7572 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
7573 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
7576 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
7577 const struct nlattr *nla, u8 genmask)
7579 struct nft_flowtable *flowtable;
7581 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7582 if (!nla_strcmp(nla, flowtable->name) &&
7583 nft_active_genmask(flowtable, genmask))
7586 return ERR_PTR(-ENOENT);
7588 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
7590 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
7591 struct nft_flowtable *flowtable,
7592 enum nft_trans_phase phase)
7595 case NFT_TRANS_PREPARE:
7596 case NFT_TRANS_ABORT:
7597 case NFT_TRANS_RELEASE:
7604 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
7606 static struct nft_flowtable *
7607 nft_flowtable_lookup_byhandle(const struct nft_table *table,
7608 const struct nlattr *nla, u8 genmask)
7610 struct nft_flowtable *flowtable;
7612 list_for_each_entry(flowtable, &table->flowtables, list) {
7613 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
7614 nft_active_genmask(flowtable, genmask))
7617 return ERR_PTR(-ENOENT);
7620 struct nft_flowtable_hook {
7623 struct list_head list;
7626 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
7627 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
7628 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
7629 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
7632 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
7633 const struct nlattr * const nla[],
7634 struct nft_flowtable_hook *flowtable_hook,
7635 struct nft_flowtable *flowtable,
7636 struct netlink_ext_ack *extack, bool add)
7638 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
7639 struct nft_hook *hook;
7640 int hooknum, priority;
7643 INIT_LIST_HEAD(&flowtable_hook->list);
7645 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
7646 nla[NFTA_FLOWTABLE_HOOK],
7647 nft_flowtable_hook_policy, NULL);
7652 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
7653 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7654 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7658 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7659 if (hooknum != NF_NETDEV_INGRESS)
7662 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7664 flowtable_hook->priority = priority;
7665 flowtable_hook->num = hooknum;
7667 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
7668 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7669 if (hooknum != flowtable->hooknum)
7673 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7674 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7675 if (priority != flowtable->data.priority)
7679 flowtable_hook->priority = flowtable->data.priority;
7680 flowtable_hook->num = flowtable->hooknum;
7683 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
7684 err = nf_tables_parse_netdev_hooks(ctx->net,
7685 tb[NFTA_FLOWTABLE_HOOK_DEVS],
7686 &flowtable_hook->list,
7692 list_for_each_entry(hook, &flowtable_hook->list, list) {
7693 hook->ops.pf = NFPROTO_NETDEV;
7694 hook->ops.hooknum = flowtable_hook->num;
7695 hook->ops.priority = flowtable_hook->priority;
7696 hook->ops.priv = &flowtable->data;
7697 hook->ops.hook = flowtable->data.type->hook;
7703 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
7705 const struct nf_flowtable_type *type;
7707 list_for_each_entry(type, &nf_tables_flowtables, list) {
7708 if (family == type->family)
7714 static const struct nf_flowtable_type *
7715 nft_flowtable_type_get(struct net *net, u8 family)
7717 const struct nf_flowtable_type *type;
7719 type = __nft_flowtable_type_get(family);
7720 if (type != NULL && try_module_get(type->owner))
7723 lockdep_nfnl_nft_mutex_not_held();
7724 #ifdef CONFIG_MODULES
7726 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
7727 return ERR_PTR(-EAGAIN);
7730 return ERR_PTR(-ENOENT);
7733 /* Only called from error and netdev event paths. */
7734 static void nft_unregister_flowtable_hook(struct net *net,
7735 struct nft_flowtable *flowtable,
7736 struct nft_hook *hook)
7738 nf_unregister_net_hook(net, &hook->ops);
7739 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7743 static void __nft_unregister_flowtable_net_hooks(struct net *net,
7744 struct list_head *hook_list,
7745 bool release_netdev)
7747 struct nft_hook *hook, *next;
7749 list_for_each_entry_safe(hook, next, hook_list, list) {
7750 nf_unregister_net_hook(net, &hook->ops);
7751 if (release_netdev) {
7752 list_del(&hook->list);
7753 kfree_rcu(hook, rcu);
7758 static void nft_unregister_flowtable_net_hooks(struct net *net,
7759 struct list_head *hook_list)
7761 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
7764 static int nft_register_flowtable_net_hooks(struct net *net,
7765 struct nft_table *table,
7766 struct list_head *hook_list,
7767 struct nft_flowtable *flowtable)
7769 struct nft_hook *hook, *hook2, *next;
7770 struct nft_flowtable *ft;
7773 list_for_each_entry(hook, hook_list, list) {
7774 list_for_each_entry(ft, &table->flowtables, list) {
7775 if (!nft_is_active_next(net, ft))
7778 list_for_each_entry(hook2, &ft->hook_list, list) {
7779 if (hook->ops.dev == hook2->ops.dev &&
7780 hook->ops.pf == hook2->ops.pf) {
7782 goto err_unregister_net_hooks;
7787 err = flowtable->data.type->setup(&flowtable->data,
7791 goto err_unregister_net_hooks;
7793 err = nf_register_net_hook(net, &hook->ops);
7795 flowtable->data.type->setup(&flowtable->data,
7798 goto err_unregister_net_hooks;
7806 err_unregister_net_hooks:
7807 list_for_each_entry_safe(hook, next, hook_list, list) {
7811 nft_unregister_flowtable_hook(net, flowtable, hook);
7812 list_del_rcu(&hook->list);
7813 kfree_rcu(hook, rcu);
7819 static void nft_hooks_destroy(struct list_head *hook_list)
7821 struct nft_hook *hook, *next;
7823 list_for_each_entry_safe(hook, next, hook_list, list) {
7824 list_del_rcu(&hook->list);
7825 kfree_rcu(hook, rcu);
7829 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
7830 struct nft_flowtable *flowtable,
7831 struct netlink_ext_ack *extack)
7833 const struct nlattr * const *nla = ctx->nla;
7834 struct nft_flowtable_hook flowtable_hook;
7835 struct nft_hook *hook, *next;
7836 struct nft_trans *trans;
7837 bool unregister = false;
7841 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
7846 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7847 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
7848 list_del(&hook->list);
7853 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7854 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7855 if (flags & ~NFT_FLOWTABLE_MASK) {
7857 goto err_flowtable_update_hook;
7859 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
7860 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
7862 goto err_flowtable_update_hook;
7865 flags = flowtable->data.flags;
7868 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
7869 &flowtable_hook.list, flowtable);
7871 goto err_flowtable_update_hook;
7873 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
7874 sizeof(struct nft_trans_flowtable));
7878 goto err_flowtable_update_hook;
7881 nft_trans_flowtable_flags(trans) = flags;
7882 nft_trans_flowtable(trans) = flowtable;
7883 nft_trans_flowtable_update(trans) = true;
7884 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7885 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
7887 nft_trans_commit_list_add_tail(ctx->net, trans);
7891 err_flowtable_update_hook:
7892 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7894 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
7895 list_del_rcu(&hook->list);
7896 kfree_rcu(hook, rcu);
7903 static int nf_tables_newflowtable(struct sk_buff *skb,
7904 const struct nfnl_info *info,
7905 const struct nlattr * const nla[])
7907 struct netlink_ext_ack *extack = info->extack;
7908 struct nft_flowtable_hook flowtable_hook;
7909 u8 genmask = nft_genmask_next(info->net);
7910 u8 family = info->nfmsg->nfgen_family;
7911 const struct nf_flowtable_type *type;
7912 struct nft_flowtable *flowtable;
7913 struct nft_hook *hook, *next;
7914 struct net *net = info->net;
7915 struct nft_table *table;
7919 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7920 !nla[NFTA_FLOWTABLE_NAME] ||
7921 !nla[NFTA_FLOWTABLE_HOOK])
7924 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7925 genmask, NETLINK_CB(skb).portid);
7926 if (IS_ERR(table)) {
7927 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7928 return PTR_ERR(table);
7931 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7933 if (IS_ERR(flowtable)) {
7934 err = PTR_ERR(flowtable);
7935 if (err != -ENOENT) {
7936 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7940 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7941 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7945 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7947 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
7950 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7952 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
7956 flowtable->table = table;
7957 flowtable->handle = nf_tables_alloc_handle(table);
7958 INIT_LIST_HEAD(&flowtable->hook_list);
7960 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
7961 if (!flowtable->name) {
7966 type = nft_flowtable_type_get(net, family);
7968 err = PTR_ERR(type);
7972 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7973 flowtable->data.flags =
7974 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7975 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
7981 write_pnet(&flowtable->data.net, net);
7982 flowtable->data.type = type;
7983 err = type->init(&flowtable->data);
7987 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
7992 list_splice(&flowtable_hook.list, &flowtable->hook_list);
7993 flowtable->data.priority = flowtable_hook.priority;
7994 flowtable->hooknum = flowtable_hook.num;
7996 err = nft_register_flowtable_net_hooks(ctx.net, table,
7997 &flowtable->hook_list,
8000 nft_hooks_destroy(&flowtable->hook_list);
8004 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8008 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8013 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8014 nft_unregister_flowtable_hook(net, flowtable, hook);
8015 list_del_rcu(&hook->list);
8016 kfree_rcu(hook, rcu);
8019 flowtable->data.type->free(&flowtable->data);
8021 module_put(type->owner);
8023 kfree(flowtable->name);
8029 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8031 struct nft_hook *this, *next;
8033 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8034 list_del(&this->list);
8039 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8040 struct nft_flowtable *flowtable,
8041 struct netlink_ext_ack *extack)
8043 const struct nlattr * const *nla = ctx->nla;
8044 struct nft_flowtable_hook flowtable_hook;
8045 LIST_HEAD(flowtable_del_list);
8046 struct nft_hook *this, *hook;
8047 struct nft_trans *trans;
8050 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8055 list_for_each_entry(this, &flowtable_hook.list, list) {
8056 hook = nft_hook_list_find(&flowtable->hook_list, this);
8059 goto err_flowtable_del_hook;
8061 list_move(&hook->list, &flowtable_del_list);
8064 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8065 sizeof(struct nft_trans_flowtable));
8068 goto err_flowtable_del_hook;
8071 nft_trans_flowtable(trans) = flowtable;
8072 nft_trans_flowtable_update(trans) = true;
8073 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8074 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8075 nft_flowtable_hook_release(&flowtable_hook);
8077 nft_trans_commit_list_add_tail(ctx->net, trans);
8081 err_flowtable_del_hook:
8082 list_splice(&flowtable_del_list, &flowtable->hook_list);
8083 nft_flowtable_hook_release(&flowtable_hook);
8088 static int nf_tables_delflowtable(struct sk_buff *skb,
8089 const struct nfnl_info *info,
8090 const struct nlattr * const nla[])
8092 struct netlink_ext_ack *extack = info->extack;
8093 u8 genmask = nft_genmask_next(info->net);
8094 u8 family = info->nfmsg->nfgen_family;
8095 struct nft_flowtable *flowtable;
8096 struct net *net = info->net;
8097 const struct nlattr *attr;
8098 struct nft_table *table;
8101 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8102 (!nla[NFTA_FLOWTABLE_NAME] &&
8103 !nla[NFTA_FLOWTABLE_HANDLE]))
8106 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8107 genmask, NETLINK_CB(skb).portid);
8108 if (IS_ERR(table)) {
8109 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8110 return PTR_ERR(table);
8113 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8114 attr = nla[NFTA_FLOWTABLE_HANDLE];
8115 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8117 attr = nla[NFTA_FLOWTABLE_NAME];
8118 flowtable = nft_flowtable_lookup(table, attr, genmask);
8121 if (IS_ERR(flowtable)) {
8122 if (PTR_ERR(flowtable) == -ENOENT &&
8123 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8126 NL_SET_BAD_ATTR(extack, attr);
8127 return PTR_ERR(flowtable);
8130 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8132 if (nla[NFTA_FLOWTABLE_HOOK])
8133 return nft_delflowtable_hook(&ctx, flowtable, extack);
8135 if (flowtable->use > 0) {
8136 NL_SET_BAD_ATTR(extack, attr);
8140 return nft_delflowtable(&ctx, flowtable);
8143 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8144 u32 portid, u32 seq, int event,
8145 u32 flags, int family,
8146 struct nft_flowtable *flowtable,
8147 struct list_head *hook_list)
8149 struct nlattr *nest, *nest_devs;
8150 struct nft_hook *hook;
8151 struct nlmsghdr *nlh;
8153 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8154 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8155 NFNETLINK_V0, nft_base_seq(net));
8157 goto nla_put_failure;
8159 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8160 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8161 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8162 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8163 NFTA_FLOWTABLE_PAD) ||
8164 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8165 goto nla_put_failure;
8167 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8169 goto nla_put_failure;
8170 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8171 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8172 goto nla_put_failure;
8174 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8176 goto nla_put_failure;
8178 list_for_each_entry_rcu(hook, hook_list, list) {
8179 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8180 goto nla_put_failure;
8182 nla_nest_end(skb, nest_devs);
8183 nla_nest_end(skb, nest);
8185 nlmsg_end(skb, nlh);
8189 nlmsg_trim(skb, nlh);
8193 struct nft_flowtable_filter {
8197 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8198 struct netlink_callback *cb)
8200 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8201 struct nft_flowtable_filter *filter = cb->data;
8202 unsigned int idx = 0, s_idx = cb->args[0];
8203 struct net *net = sock_net(skb->sk);
8204 int family = nfmsg->nfgen_family;
8205 struct nft_flowtable *flowtable;
8206 struct nftables_pernet *nft_net;
8207 const struct nft_table *table;
8210 nft_net = nft_pernet(net);
8211 cb->seq = READ_ONCE(nft_net->base_seq);
8213 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8214 if (family != NFPROTO_UNSPEC && family != table->family)
8217 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8218 if (!nft_is_active(net, flowtable))
8223 memset(&cb->args[1], 0,
8224 sizeof(cb->args) - sizeof(cb->args[0]));
8225 if (filter && filter->table &&
8226 strcmp(filter->table, table->name))
8229 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8231 NFT_MSG_NEWFLOWTABLE,
8232 NLM_F_MULTI | NLM_F_APPEND,
8235 &flowtable->hook_list) < 0)
8238 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8250 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8252 const struct nlattr * const *nla = cb->data;
8253 struct nft_flowtable_filter *filter = NULL;
8255 if (nla[NFTA_FLOWTABLE_TABLE]) {
8256 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8260 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8262 if (!filter->table) {
8272 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8274 struct nft_flowtable_filter *filter = cb->data;
8279 kfree(filter->table);
8285 /* called with rcu_read_lock held */
8286 static int nf_tables_getflowtable(struct sk_buff *skb,
8287 const struct nfnl_info *info,
8288 const struct nlattr * const nla[])
8290 u8 genmask = nft_genmask_cur(info->net);
8291 u8 family = info->nfmsg->nfgen_family;
8292 struct nft_flowtable *flowtable;
8293 const struct nft_table *table;
8294 struct net *net = info->net;
8295 struct sk_buff *skb2;
8298 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8299 struct netlink_dump_control c = {
8300 .start = nf_tables_dump_flowtable_start,
8301 .dump = nf_tables_dump_flowtable,
8302 .done = nf_tables_dump_flowtable_done,
8303 .module = THIS_MODULE,
8304 .data = (void *)nla,
8307 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8310 if (!nla[NFTA_FLOWTABLE_NAME])
8313 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8316 return PTR_ERR(table);
8318 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8320 if (IS_ERR(flowtable))
8321 return PTR_ERR(flowtable);
8323 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8327 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
8328 info->nlh->nlmsg_seq,
8329 NFT_MSG_NEWFLOWTABLE, 0, family,
8330 flowtable, &flowtable->hook_list);
8332 goto err_fill_flowtable_info;
8334 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8336 err_fill_flowtable_info:
8341 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
8342 struct nft_flowtable *flowtable,
8343 struct list_head *hook_list,
8346 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
8347 struct sk_buff *skb;
8352 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
8355 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8359 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
8360 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
8362 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
8363 ctx->seq, event, flags,
8364 ctx->family, flowtable, hook_list);
8370 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
8373 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
8376 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
8378 struct nft_hook *hook, *next;
8380 flowtable->data.type->free(&flowtable->data);
8381 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8382 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8384 list_del_rcu(&hook->list);
8387 kfree(flowtable->name);
8388 module_put(flowtable->data.type->owner);
8392 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
8393 u32 portid, u32 seq)
8395 struct nftables_pernet *nft_net = nft_pernet(net);
8396 struct nlmsghdr *nlh;
8397 char buf[TASK_COMM_LEN];
8398 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
8400 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
8401 NFNETLINK_V0, nft_base_seq(net));
8403 goto nla_put_failure;
8405 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
8406 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
8407 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
8408 goto nla_put_failure;
8410 nlmsg_end(skb, nlh);
8414 nlmsg_trim(skb, nlh);
8418 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
8419 struct nft_flowtable *flowtable)
8421 struct nft_hook *hook;
8423 list_for_each_entry(hook, &flowtable->hook_list, list) {
8424 if (hook->ops.dev != dev)
8427 /* flow_offload_netdev_event() cleans up entries for us. */
8428 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
8429 list_del_rcu(&hook->list);
8430 kfree_rcu(hook, rcu);
8435 static int nf_tables_flowtable_event(struct notifier_block *this,
8436 unsigned long event, void *ptr)
8438 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
8439 struct nft_flowtable *flowtable;
8440 struct nftables_pernet *nft_net;
8441 struct nft_table *table;
8444 if (event != NETDEV_UNREGISTER)
8448 nft_net = nft_pernet(net);
8449 mutex_lock(&nft_net->commit_mutex);
8450 list_for_each_entry(table, &nft_net->tables, list) {
8451 list_for_each_entry(flowtable, &table->flowtables, list) {
8452 nft_flowtable_event(event, dev, flowtable);
8455 mutex_unlock(&nft_net->commit_mutex);
8460 static struct notifier_block nf_tables_flowtable_notifier = {
8461 .notifier_call = nf_tables_flowtable_event,
8464 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
8467 struct nlmsghdr *nlh = nlmsg_hdr(skb);
8468 struct sk_buff *skb2;
8471 if (!nlmsg_report(nlh) &&
8472 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8475 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8479 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
8486 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8487 nlmsg_report(nlh), GFP_KERNEL);
8490 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8494 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
8495 const struct nlattr * const nla[])
8497 struct sk_buff *skb2;
8500 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8504 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
8505 info->nlh->nlmsg_seq);
8507 goto err_fill_gen_info;
8509 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
8516 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
8517 [NFT_MSG_NEWTABLE] = {
8518 .call = nf_tables_newtable,
8519 .type = NFNL_CB_BATCH,
8520 .attr_count = NFTA_TABLE_MAX,
8521 .policy = nft_table_policy,
8523 [NFT_MSG_GETTABLE] = {
8524 .call = nf_tables_gettable,
8525 .type = NFNL_CB_RCU,
8526 .attr_count = NFTA_TABLE_MAX,
8527 .policy = nft_table_policy,
8529 [NFT_MSG_DELTABLE] = {
8530 .call = nf_tables_deltable,
8531 .type = NFNL_CB_BATCH,
8532 .attr_count = NFTA_TABLE_MAX,
8533 .policy = nft_table_policy,
8535 [NFT_MSG_DESTROYTABLE] = {
8536 .call = nf_tables_deltable,
8537 .type = NFNL_CB_BATCH,
8538 .attr_count = NFTA_TABLE_MAX,
8539 .policy = nft_table_policy,
8541 [NFT_MSG_NEWCHAIN] = {
8542 .call = nf_tables_newchain,
8543 .type = NFNL_CB_BATCH,
8544 .attr_count = NFTA_CHAIN_MAX,
8545 .policy = nft_chain_policy,
8547 [NFT_MSG_GETCHAIN] = {
8548 .call = nf_tables_getchain,
8549 .type = NFNL_CB_RCU,
8550 .attr_count = NFTA_CHAIN_MAX,
8551 .policy = nft_chain_policy,
8553 [NFT_MSG_DELCHAIN] = {
8554 .call = nf_tables_delchain,
8555 .type = NFNL_CB_BATCH,
8556 .attr_count = NFTA_CHAIN_MAX,
8557 .policy = nft_chain_policy,
8559 [NFT_MSG_DESTROYCHAIN] = {
8560 .call = nf_tables_delchain,
8561 .type = NFNL_CB_BATCH,
8562 .attr_count = NFTA_CHAIN_MAX,
8563 .policy = nft_chain_policy,
8565 [NFT_MSG_NEWRULE] = {
8566 .call = nf_tables_newrule,
8567 .type = NFNL_CB_BATCH,
8568 .attr_count = NFTA_RULE_MAX,
8569 .policy = nft_rule_policy,
8571 [NFT_MSG_GETRULE] = {
8572 .call = nf_tables_getrule,
8573 .type = NFNL_CB_RCU,
8574 .attr_count = NFTA_RULE_MAX,
8575 .policy = nft_rule_policy,
8577 [NFT_MSG_GETRULE_RESET] = {
8578 .call = nf_tables_getrule,
8579 .type = NFNL_CB_RCU,
8580 .attr_count = NFTA_RULE_MAX,
8581 .policy = nft_rule_policy,
8583 [NFT_MSG_DELRULE] = {
8584 .call = nf_tables_delrule,
8585 .type = NFNL_CB_BATCH,
8586 .attr_count = NFTA_RULE_MAX,
8587 .policy = nft_rule_policy,
8589 [NFT_MSG_DESTROYRULE] = {
8590 .call = nf_tables_delrule,
8591 .type = NFNL_CB_BATCH,
8592 .attr_count = NFTA_RULE_MAX,
8593 .policy = nft_rule_policy,
8595 [NFT_MSG_NEWSET] = {
8596 .call = nf_tables_newset,
8597 .type = NFNL_CB_BATCH,
8598 .attr_count = NFTA_SET_MAX,
8599 .policy = nft_set_policy,
8601 [NFT_MSG_GETSET] = {
8602 .call = nf_tables_getset,
8603 .type = NFNL_CB_RCU,
8604 .attr_count = NFTA_SET_MAX,
8605 .policy = nft_set_policy,
8607 [NFT_MSG_DELSET] = {
8608 .call = nf_tables_delset,
8609 .type = NFNL_CB_BATCH,
8610 .attr_count = NFTA_SET_MAX,
8611 .policy = nft_set_policy,
8613 [NFT_MSG_DESTROYSET] = {
8614 .call = nf_tables_delset,
8615 .type = NFNL_CB_BATCH,
8616 .attr_count = NFTA_SET_MAX,
8617 .policy = nft_set_policy,
8619 [NFT_MSG_NEWSETELEM] = {
8620 .call = nf_tables_newsetelem,
8621 .type = NFNL_CB_BATCH,
8622 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8623 .policy = nft_set_elem_list_policy,
8625 [NFT_MSG_GETSETELEM] = {
8626 .call = nf_tables_getsetelem,
8627 .type = NFNL_CB_RCU,
8628 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8629 .policy = nft_set_elem_list_policy,
8631 [NFT_MSG_DELSETELEM] = {
8632 .call = nf_tables_delsetelem,
8633 .type = NFNL_CB_BATCH,
8634 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8635 .policy = nft_set_elem_list_policy,
8637 [NFT_MSG_DESTROYSETELEM] = {
8638 .call = nf_tables_delsetelem,
8639 .type = NFNL_CB_BATCH,
8640 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8641 .policy = nft_set_elem_list_policy,
8643 [NFT_MSG_GETGEN] = {
8644 .call = nf_tables_getgen,
8645 .type = NFNL_CB_RCU,
8647 [NFT_MSG_NEWOBJ] = {
8648 .call = nf_tables_newobj,
8649 .type = NFNL_CB_BATCH,
8650 .attr_count = NFTA_OBJ_MAX,
8651 .policy = nft_obj_policy,
8653 [NFT_MSG_GETOBJ] = {
8654 .call = nf_tables_getobj,
8655 .type = NFNL_CB_RCU,
8656 .attr_count = NFTA_OBJ_MAX,
8657 .policy = nft_obj_policy,
8659 [NFT_MSG_DELOBJ] = {
8660 .call = nf_tables_delobj,
8661 .type = NFNL_CB_BATCH,
8662 .attr_count = NFTA_OBJ_MAX,
8663 .policy = nft_obj_policy,
8665 [NFT_MSG_DESTROYOBJ] = {
8666 .call = nf_tables_delobj,
8667 .type = NFNL_CB_BATCH,
8668 .attr_count = NFTA_OBJ_MAX,
8669 .policy = nft_obj_policy,
8671 [NFT_MSG_GETOBJ_RESET] = {
8672 .call = nf_tables_getobj,
8673 .type = NFNL_CB_RCU,
8674 .attr_count = NFTA_OBJ_MAX,
8675 .policy = nft_obj_policy,
8677 [NFT_MSG_NEWFLOWTABLE] = {
8678 .call = nf_tables_newflowtable,
8679 .type = NFNL_CB_BATCH,
8680 .attr_count = NFTA_FLOWTABLE_MAX,
8681 .policy = nft_flowtable_policy,
8683 [NFT_MSG_GETFLOWTABLE] = {
8684 .call = nf_tables_getflowtable,
8685 .type = NFNL_CB_RCU,
8686 .attr_count = NFTA_FLOWTABLE_MAX,
8687 .policy = nft_flowtable_policy,
8689 [NFT_MSG_DELFLOWTABLE] = {
8690 .call = nf_tables_delflowtable,
8691 .type = NFNL_CB_BATCH,
8692 .attr_count = NFTA_FLOWTABLE_MAX,
8693 .policy = nft_flowtable_policy,
8695 [NFT_MSG_DESTROYFLOWTABLE] = {
8696 .call = nf_tables_delflowtable,
8697 .type = NFNL_CB_BATCH,
8698 .attr_count = NFTA_FLOWTABLE_MAX,
8699 .policy = nft_flowtable_policy,
8703 static int nf_tables_validate(struct net *net)
8705 struct nftables_pernet *nft_net = nft_pernet(net);
8706 struct nft_table *table;
8708 switch (nft_net->validate_state) {
8709 case NFT_VALIDATE_SKIP:
8711 case NFT_VALIDATE_NEED:
8712 nft_validate_state_update(net, NFT_VALIDATE_DO);
8714 case NFT_VALIDATE_DO:
8715 list_for_each_entry(table, &nft_net->tables, list) {
8716 if (nft_table_validate(net, table) < 0)
8720 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8727 /* a drop policy has to be deferred until all rules have been activated,
8728 * otherwise a large ruleset that contains a drop-policy base chain will
8729 * cause all packets to get dropped until the full transaction has been
8732 * We defer the drop policy until the transaction has been finalized.
8734 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
8736 struct nft_base_chain *basechain;
8738 if (nft_trans_chain_policy(trans) != NF_DROP)
8741 if (!nft_is_base_chain(trans->ctx.chain))
8744 basechain = nft_base_chain(trans->ctx.chain);
8745 basechain->policy = NF_DROP;
8748 static void nft_chain_commit_update(struct nft_trans *trans)
8750 struct nft_base_chain *basechain;
8752 if (nft_trans_chain_name(trans)) {
8753 rhltable_remove(&trans->ctx.table->chains_ht,
8754 &trans->ctx.chain->rhlhead,
8755 nft_chain_ht_params);
8756 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
8757 rhltable_insert_key(&trans->ctx.table->chains_ht,
8758 trans->ctx.chain->name,
8759 &trans->ctx.chain->rhlhead,
8760 nft_chain_ht_params);
8763 if (!nft_is_base_chain(trans->ctx.chain))
8766 nft_chain_stats_replace(trans);
8768 basechain = nft_base_chain(trans->ctx.chain);
8770 switch (nft_trans_chain_policy(trans)) {
8773 basechain->policy = nft_trans_chain_policy(trans);
8778 static void nft_obj_commit_update(struct nft_trans *trans)
8780 struct nft_object *newobj;
8781 struct nft_object *obj;
8783 obj = nft_trans_obj(trans);
8784 newobj = nft_trans_obj_newobj(trans);
8786 if (obj->ops->update)
8787 obj->ops->update(obj, newobj);
8789 nft_obj_destroy(&trans->ctx, newobj);
8792 static void nft_commit_release(struct nft_trans *trans)
8794 switch (trans->msg_type) {
8795 case NFT_MSG_DELTABLE:
8796 case NFT_MSG_DESTROYTABLE:
8797 nf_tables_table_destroy(&trans->ctx);
8799 case NFT_MSG_NEWCHAIN:
8800 free_percpu(nft_trans_chain_stats(trans));
8801 kfree(nft_trans_chain_name(trans));
8803 case NFT_MSG_DELCHAIN:
8804 case NFT_MSG_DESTROYCHAIN:
8805 nf_tables_chain_destroy(&trans->ctx);
8807 case NFT_MSG_DELRULE:
8808 case NFT_MSG_DESTROYRULE:
8809 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8811 case NFT_MSG_DELSET:
8812 case NFT_MSG_DESTROYSET:
8813 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8815 case NFT_MSG_DELSETELEM:
8816 case NFT_MSG_DESTROYSETELEM:
8817 nf_tables_set_elem_destroy(&trans->ctx,
8818 nft_trans_elem_set(trans),
8819 nft_trans_elem(trans).priv);
8821 case NFT_MSG_DELOBJ:
8822 case NFT_MSG_DESTROYOBJ:
8823 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8825 case NFT_MSG_DELFLOWTABLE:
8826 case NFT_MSG_DESTROYFLOWTABLE:
8827 if (nft_trans_flowtable_update(trans))
8828 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8830 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8835 put_net(trans->ctx.net);
8840 static void nf_tables_trans_destroy_work(struct work_struct *w)
8842 struct nft_trans *trans, *next;
8845 spin_lock(&nf_tables_destroy_list_lock);
8846 list_splice_init(&nf_tables_destroy_list, &head);
8847 spin_unlock(&nf_tables_destroy_list_lock);
8849 if (list_empty(&head))
8854 list_for_each_entry_safe(trans, next, &head, list) {
8855 list_del(&trans->list);
8856 nft_commit_release(trans);
8860 void nf_tables_trans_destroy_flush_work(void)
8862 flush_work(&trans_destroy_work);
8864 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
8866 static bool nft_expr_reduce(struct nft_regs_track *track,
8867 const struct nft_expr *expr)
8872 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
8874 const struct nft_expr *expr, *last;
8875 struct nft_regs_track track = {};
8876 unsigned int size, data_size;
8877 void *data, *data_boundary;
8878 struct nft_rule_dp *prule;
8879 struct nft_rule *rule;
8881 /* already handled or inactive chain? */
8882 if (chain->blob_next || !nft_is_active_next(net, chain))
8886 list_for_each_entry(rule, &chain->rules, list) {
8887 if (nft_is_active_next(net, rule)) {
8888 data_size += sizeof(*prule) + rule->dlen;
8889 if (data_size > INT_MAX)
8893 data_size += offsetof(struct nft_rule_dp, data); /* last rule */
8895 chain->blob_next = nf_tables_chain_alloc_rules(data_size);
8896 if (!chain->blob_next)
8899 data = (void *)chain->blob_next->data;
8900 data_boundary = data + data_size;
8903 list_for_each_entry(rule, &chain->rules, list) {
8904 if (!nft_is_active_next(net, rule))
8907 prule = (struct nft_rule_dp *)data;
8908 data += offsetof(struct nft_rule_dp, data);
8909 if (WARN_ON_ONCE(data > data_boundary))
8913 track.last = nft_expr_last(rule);
8914 nft_rule_for_each_expr(expr, last, rule) {
8917 if (nft_expr_reduce(&track, expr)) {
8922 if (WARN_ON_ONCE(data + expr->ops->size > data_boundary))
8925 memcpy(data + size, expr, expr->ops->size);
8926 size += expr->ops->size;
8928 if (WARN_ON_ONCE(size >= 1 << 12))
8931 prule->handle = rule->handle;
8937 chain->blob_next->size += (unsigned long)(data - (void *)prule);
8940 prule = (struct nft_rule_dp *)data;
8941 data += offsetof(struct nft_rule_dp, data);
8942 if (WARN_ON_ONCE(data > data_boundary))
8945 nft_last_rule(chain->blob_next, prule);
8950 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
8952 struct nftables_pernet *nft_net = nft_pernet(net);
8953 struct nft_trans *trans, *next;
8955 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8956 struct nft_chain *chain = trans->ctx.chain;
8958 if (trans->msg_type == NFT_MSG_NEWRULE ||
8959 trans->msg_type == NFT_MSG_DELRULE) {
8960 kvfree(chain->blob_next);
8961 chain->blob_next = NULL;
8966 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
8968 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
8973 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
8975 struct nft_rules_old *old;
8977 /* rcu_head is after end marker */
8978 old = (void *)blob + sizeof(*blob) + blob->size;
8981 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
8984 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
8986 struct nft_rule_blob *g0, *g1;
8989 next_genbit = nft_gencursor_next(net);
8991 g0 = rcu_dereference_protected(chain->blob_gen_0,
8992 lockdep_commit_lock_is_held(net));
8993 g1 = rcu_dereference_protected(chain->blob_gen_1,
8994 lockdep_commit_lock_is_held(net));
8996 /* No changes to this chain? */
8997 if (chain->blob_next == NULL) {
8998 /* chain had no change in last or next generation */
9002 * chain had no change in this generation; make sure next
9003 * one uses same rules as current generation.
9006 rcu_assign_pointer(chain->blob_gen_1, g0);
9007 nf_tables_commit_chain_free_rules_old(g1);
9009 rcu_assign_pointer(chain->blob_gen_0, g1);
9010 nf_tables_commit_chain_free_rules_old(g0);
9017 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9019 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9021 chain->blob_next = NULL;
9027 nf_tables_commit_chain_free_rules_old(g1);
9029 nf_tables_commit_chain_free_rules_old(g0);
9032 static void nft_obj_del(struct nft_object *obj)
9034 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9035 list_del_rcu(&obj->list);
9038 void nft_chain_del(struct nft_chain *chain)
9040 struct nft_table *table = chain->table;
9042 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9043 nft_chain_ht_params));
9044 list_del_rcu(&chain->list);
9047 static void nf_tables_module_autoload_cleanup(struct net *net)
9049 struct nftables_pernet *nft_net = nft_pernet(net);
9050 struct nft_module_request *req, *next;
9052 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9053 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
9054 WARN_ON_ONCE(!req->done);
9055 list_del(&req->list);
9060 static void nf_tables_commit_release(struct net *net)
9062 struct nftables_pernet *nft_net = nft_pernet(net);
9063 struct nft_trans *trans;
9065 /* all side effects have to be made visible.
9066 * For example, if a chain named 'foo' has been deleted, a
9067 * new transaction must not find it anymore.
9069 * Memory reclaim happens asynchronously from work queue
9070 * to prevent expensive synchronize_rcu() in commit phase.
9072 if (list_empty(&nft_net->commit_list)) {
9073 nf_tables_module_autoload_cleanup(net);
9074 mutex_unlock(&nft_net->commit_mutex);
9078 trans = list_last_entry(&nft_net->commit_list,
9079 struct nft_trans, list);
9080 get_net(trans->ctx.net);
9081 WARN_ON_ONCE(trans->put_net);
9083 trans->put_net = true;
9084 spin_lock(&nf_tables_destroy_list_lock);
9085 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
9086 spin_unlock(&nf_tables_destroy_list_lock);
9088 nf_tables_module_autoload_cleanup(net);
9089 schedule_work(&trans_destroy_work);
9091 mutex_unlock(&nft_net->commit_mutex);
9094 static void nft_commit_notify(struct net *net, u32 portid)
9096 struct nftables_pernet *nft_net = nft_pernet(net);
9097 struct sk_buff *batch_skb = NULL, *nskb, *skb;
9098 unsigned char *data;
9101 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
9105 len = NLMSG_GOODSIZE - skb->len;
9106 list_del(&skb->list);
9110 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
9111 data = skb_put(batch_skb, skb->len);
9112 memcpy(data, skb->data, skb->len);
9113 list_del(&skb->list);
9117 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9118 NFT_CB(batch_skb).report, GFP_KERNEL);
9123 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
9124 NFT_CB(batch_skb).report, GFP_KERNEL);
9127 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9130 static int nf_tables_commit_audit_alloc(struct list_head *adl,
9131 struct nft_table *table)
9133 struct nft_audit_data *adp;
9135 list_for_each_entry(adp, adl, list) {
9136 if (adp->table == table)
9139 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
9143 list_add(&adp->list, adl);
9147 static void nf_tables_commit_audit_free(struct list_head *adl)
9149 struct nft_audit_data *adp, *adn;
9151 list_for_each_entry_safe(adp, adn, adl, list) {
9152 list_del(&adp->list);
9157 static void nf_tables_commit_audit_collect(struct list_head *adl,
9158 struct nft_table *table, u32 op)
9160 struct nft_audit_data *adp;
9162 list_for_each_entry(adp, adl, list) {
9163 if (adp->table == table)
9166 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
9170 if (!adp->op || adp->op > op)
9174 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
9176 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
9178 struct nft_audit_data *adp, *adn;
9179 char aubuf[AUNFTABLENAMELEN];
9181 list_for_each_entry_safe(adp, adn, adl, list) {
9182 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
9184 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
9185 nft2audit_op[adp->op], GFP_KERNEL);
9186 list_del(&adp->list);
9191 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
9193 struct nftables_pernet *nft_net = nft_pernet(net);
9194 struct nft_trans *trans, *next;
9195 struct nft_trans_elem *te;
9196 struct nft_chain *chain;
9197 struct nft_table *table;
9198 unsigned int base_seq;
9202 if (list_empty(&nft_net->commit_list)) {
9203 mutex_unlock(&nft_net->commit_mutex);
9207 /* 0. Validate ruleset, otherwise roll back for error reporting. */
9208 if (nf_tables_validate(net) < 0)
9211 err = nft_flow_rule_offload_commit(net);
9215 /* 1. Allocate space for next generation rules_gen_X[] */
9216 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9219 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
9221 nf_tables_commit_chain_prepare_cancel(net);
9222 nf_tables_commit_audit_free(&adl);
9225 if (trans->msg_type == NFT_MSG_NEWRULE ||
9226 trans->msg_type == NFT_MSG_DELRULE) {
9227 chain = trans->ctx.chain;
9229 ret = nf_tables_commit_chain_prepare(net, chain);
9231 nf_tables_commit_chain_prepare_cancel(net);
9232 nf_tables_commit_audit_free(&adl);
9238 /* step 2. Make rules_gen_X visible to packet path */
9239 list_for_each_entry(table, &nft_net->tables, list) {
9240 list_for_each_entry(chain, &table->chains, list)
9241 nf_tables_commit_chain(net, chain);
9245 * Bump generation counter, invalidate any dump in progress.
9246 * Cannot fail after this point.
9248 base_seq = READ_ONCE(nft_net->base_seq);
9249 while (++base_seq == 0)
9252 WRITE_ONCE(nft_net->base_seq, base_seq);
9254 /* step 3. Start new generation, rules_gen_X now in use. */
9255 net->nft.gencursor = nft_gencursor_next(net);
9257 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9258 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
9260 switch (trans->msg_type) {
9261 case NFT_MSG_NEWTABLE:
9262 if (nft_trans_table_update(trans)) {
9263 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
9264 nft_trans_destroy(trans);
9267 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
9268 nf_tables_table_disable(net, trans->ctx.table);
9270 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
9272 nft_clear(net, trans->ctx.table);
9274 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
9275 nft_trans_destroy(trans);
9277 case NFT_MSG_DELTABLE:
9278 case NFT_MSG_DESTROYTABLE:
9279 list_del_rcu(&trans->ctx.table->list);
9280 nf_tables_table_notify(&trans->ctx, trans->msg_type);
9282 case NFT_MSG_NEWCHAIN:
9283 if (nft_trans_chain_update(trans)) {
9284 nft_chain_commit_update(trans);
9285 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN,
9286 &nft_trans_chain_hooks(trans));
9287 list_splice(&nft_trans_chain_hooks(trans),
9288 &nft_trans_basechain(trans)->hook_list);
9289 /* trans destroyed after rcu grace period */
9291 nft_chain_commit_drop_policy(trans);
9292 nft_clear(net, trans->ctx.chain);
9293 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
9294 nft_trans_destroy(trans);
9297 case NFT_MSG_DELCHAIN:
9298 case NFT_MSG_DESTROYCHAIN:
9299 nft_chain_del(trans->ctx.chain);
9300 nf_tables_chain_notify(&trans->ctx, trans->msg_type, NULL);
9301 nf_tables_unregister_hook(trans->ctx.net,
9305 case NFT_MSG_NEWRULE:
9306 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9307 nf_tables_rule_notify(&trans->ctx,
9308 nft_trans_rule(trans),
9310 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9311 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9313 nft_trans_destroy(trans);
9315 case NFT_MSG_DELRULE:
9316 case NFT_MSG_DESTROYRULE:
9317 list_del_rcu(&nft_trans_rule(trans)->list);
9318 nf_tables_rule_notify(&trans->ctx,
9319 nft_trans_rule(trans),
9321 nft_rule_expr_deactivate(&trans->ctx,
9322 nft_trans_rule(trans),
9325 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9326 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9328 case NFT_MSG_NEWSET:
9329 if (nft_trans_set_update(trans)) {
9330 struct nft_set *set = nft_trans_set(trans);
9332 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
9333 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
9335 nft_clear(net, nft_trans_set(trans));
9336 /* This avoids hitting -EBUSY when deleting the table
9337 * from the transaction.
9339 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
9340 !list_empty(&nft_trans_set(trans)->bindings))
9341 trans->ctx.table->use--;
9343 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
9344 NFT_MSG_NEWSET, GFP_KERNEL);
9345 nft_trans_destroy(trans);
9347 case NFT_MSG_DELSET:
9348 case NFT_MSG_DESTROYSET:
9349 list_del_rcu(&nft_trans_set(trans)->list);
9350 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
9351 trans->msg_type, GFP_KERNEL);
9353 case NFT_MSG_NEWSETELEM:
9354 te = (struct nft_trans_elem *)trans->data;
9356 nft_setelem_activate(net, te->set, &te->elem);
9357 nf_tables_setelem_notify(&trans->ctx, te->set,
9359 NFT_MSG_NEWSETELEM);
9360 nft_trans_destroy(trans);
9362 case NFT_MSG_DELSETELEM:
9363 case NFT_MSG_DESTROYSETELEM:
9364 te = (struct nft_trans_elem *)trans->data;
9366 nf_tables_setelem_notify(&trans->ctx, te->set,
9369 nft_setelem_remove(net, te->set, &te->elem);
9370 if (!nft_setelem_is_catchall(te->set, &te->elem)) {
9371 atomic_dec(&te->set->nelems);
9375 case NFT_MSG_NEWOBJ:
9376 if (nft_trans_obj_update(trans)) {
9377 nft_obj_commit_update(trans);
9378 nf_tables_obj_notify(&trans->ctx,
9379 nft_trans_obj(trans),
9382 nft_clear(net, nft_trans_obj(trans));
9383 nf_tables_obj_notify(&trans->ctx,
9384 nft_trans_obj(trans),
9386 nft_trans_destroy(trans);
9389 case NFT_MSG_DELOBJ:
9390 case NFT_MSG_DESTROYOBJ:
9391 nft_obj_del(nft_trans_obj(trans));
9392 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
9395 case NFT_MSG_NEWFLOWTABLE:
9396 if (nft_trans_flowtable_update(trans)) {
9397 nft_trans_flowtable(trans)->data.flags =
9398 nft_trans_flowtable_flags(trans);
9399 nf_tables_flowtable_notify(&trans->ctx,
9400 nft_trans_flowtable(trans),
9401 &nft_trans_flowtable_hooks(trans),
9402 NFT_MSG_NEWFLOWTABLE);
9403 list_splice(&nft_trans_flowtable_hooks(trans),
9404 &nft_trans_flowtable(trans)->hook_list);
9406 nft_clear(net, nft_trans_flowtable(trans));
9407 nf_tables_flowtable_notify(&trans->ctx,
9408 nft_trans_flowtable(trans),
9409 &nft_trans_flowtable(trans)->hook_list,
9410 NFT_MSG_NEWFLOWTABLE);
9412 nft_trans_destroy(trans);
9414 case NFT_MSG_DELFLOWTABLE:
9415 case NFT_MSG_DESTROYFLOWTABLE:
9416 if (nft_trans_flowtable_update(trans)) {
9417 nf_tables_flowtable_notify(&trans->ctx,
9418 nft_trans_flowtable(trans),
9419 &nft_trans_flowtable_hooks(trans),
9421 nft_unregister_flowtable_net_hooks(net,
9422 &nft_trans_flowtable_hooks(trans));
9424 list_del_rcu(&nft_trans_flowtable(trans)->list);
9425 nf_tables_flowtable_notify(&trans->ctx,
9426 nft_trans_flowtable(trans),
9427 &nft_trans_flowtable(trans)->hook_list,
9429 nft_unregister_flowtable_net_hooks(net,
9430 &nft_trans_flowtable(trans)->hook_list);
9436 nft_commit_notify(net, NETLINK_CB(skb).portid);
9437 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
9438 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
9439 nf_tables_commit_release(net);
9444 static void nf_tables_module_autoload(struct net *net)
9446 struct nftables_pernet *nft_net = nft_pernet(net);
9447 struct nft_module_request *req, *next;
9448 LIST_HEAD(module_list);
9450 list_splice_init(&nft_net->module_list, &module_list);
9451 mutex_unlock(&nft_net->commit_mutex);
9452 list_for_each_entry_safe(req, next, &module_list, list) {
9453 request_module("%s", req->module);
9456 mutex_lock(&nft_net->commit_mutex);
9457 list_splice(&module_list, &nft_net->module_list);
9460 static void nf_tables_abort_release(struct nft_trans *trans)
9462 switch (trans->msg_type) {
9463 case NFT_MSG_NEWTABLE:
9464 nf_tables_table_destroy(&trans->ctx);
9466 case NFT_MSG_NEWCHAIN:
9467 if (nft_trans_chain_update(trans))
9468 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9470 nf_tables_chain_destroy(&trans->ctx);
9472 case NFT_MSG_NEWRULE:
9473 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9475 case NFT_MSG_NEWSET:
9476 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9478 case NFT_MSG_NEWSETELEM:
9479 nft_set_elem_destroy(nft_trans_elem_set(trans),
9480 nft_trans_elem(trans).priv, true);
9482 case NFT_MSG_NEWOBJ:
9483 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9485 case NFT_MSG_NEWFLOWTABLE:
9486 if (nft_trans_flowtable_update(trans))
9487 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9489 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9495 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
9497 struct nftables_pernet *nft_net = nft_pernet(net);
9498 struct nft_trans *trans, *next;
9499 struct nft_trans_elem *te;
9501 if (action == NFNL_ABORT_VALIDATE &&
9502 nf_tables_validate(net) < 0)
9505 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
9507 switch (trans->msg_type) {
9508 case NFT_MSG_NEWTABLE:
9509 if (nft_trans_table_update(trans)) {
9510 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
9511 nft_trans_destroy(trans);
9514 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
9515 nf_tables_table_disable(net, trans->ctx.table);
9516 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
9517 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
9518 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
9520 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
9521 nft_trans_destroy(trans);
9523 list_del_rcu(&trans->ctx.table->list);
9526 case NFT_MSG_DELTABLE:
9527 case NFT_MSG_DESTROYTABLE:
9528 nft_clear(trans->ctx.net, trans->ctx.table);
9529 nft_trans_destroy(trans);
9531 case NFT_MSG_NEWCHAIN:
9532 if (nft_trans_chain_update(trans)) {
9533 nft_netdev_unregister_hooks(net,
9534 &nft_trans_chain_hooks(trans),
9536 free_percpu(nft_trans_chain_stats(trans));
9537 kfree(nft_trans_chain_name(trans));
9538 nft_trans_destroy(trans);
9540 if (nft_chain_is_bound(trans->ctx.chain)) {
9541 nft_trans_destroy(trans);
9544 trans->ctx.table->use--;
9545 nft_chain_del(trans->ctx.chain);
9546 nf_tables_unregister_hook(trans->ctx.net,
9551 case NFT_MSG_DELCHAIN:
9552 case NFT_MSG_DESTROYCHAIN:
9553 trans->ctx.table->use++;
9554 nft_clear(trans->ctx.net, trans->ctx.chain);
9555 nft_trans_destroy(trans);
9557 case NFT_MSG_NEWRULE:
9558 trans->ctx.chain->use--;
9559 list_del_rcu(&nft_trans_rule(trans)->list);
9560 nft_rule_expr_deactivate(&trans->ctx,
9561 nft_trans_rule(trans),
9563 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9564 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9566 case NFT_MSG_DELRULE:
9567 case NFT_MSG_DESTROYRULE:
9568 trans->ctx.chain->use++;
9569 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9570 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
9571 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9572 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9574 nft_trans_destroy(trans);
9576 case NFT_MSG_NEWSET:
9577 if (nft_trans_set_update(trans)) {
9578 nft_trans_destroy(trans);
9581 trans->ctx.table->use--;
9582 if (nft_trans_set_bound(trans)) {
9583 nft_trans_destroy(trans);
9586 list_del_rcu(&nft_trans_set(trans)->list);
9588 case NFT_MSG_DELSET:
9589 case NFT_MSG_DESTROYSET:
9590 trans->ctx.table->use++;
9591 nft_clear(trans->ctx.net, nft_trans_set(trans));
9592 nft_trans_destroy(trans);
9594 case NFT_MSG_NEWSETELEM:
9595 if (nft_trans_elem_set_bound(trans)) {
9596 nft_trans_destroy(trans);
9599 te = (struct nft_trans_elem *)trans->data;
9600 nft_setelem_remove(net, te->set, &te->elem);
9601 if (!nft_setelem_is_catchall(te->set, &te->elem))
9602 atomic_dec(&te->set->nelems);
9604 case NFT_MSG_DELSETELEM:
9605 case NFT_MSG_DESTROYSETELEM:
9606 te = (struct nft_trans_elem *)trans->data;
9608 nft_setelem_data_activate(net, te->set, &te->elem);
9609 nft_setelem_activate(net, te->set, &te->elem);
9610 if (!nft_setelem_is_catchall(te->set, &te->elem))
9613 nft_trans_destroy(trans);
9615 case NFT_MSG_NEWOBJ:
9616 if (nft_trans_obj_update(trans)) {
9617 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
9618 nft_trans_destroy(trans);
9620 trans->ctx.table->use--;
9621 nft_obj_del(nft_trans_obj(trans));
9624 case NFT_MSG_DELOBJ:
9625 case NFT_MSG_DESTROYOBJ:
9626 trans->ctx.table->use++;
9627 nft_clear(trans->ctx.net, nft_trans_obj(trans));
9628 nft_trans_destroy(trans);
9630 case NFT_MSG_NEWFLOWTABLE:
9631 if (nft_trans_flowtable_update(trans)) {
9632 nft_unregister_flowtable_net_hooks(net,
9633 &nft_trans_flowtable_hooks(trans));
9635 trans->ctx.table->use--;
9636 list_del_rcu(&nft_trans_flowtable(trans)->list);
9637 nft_unregister_flowtable_net_hooks(net,
9638 &nft_trans_flowtable(trans)->hook_list);
9641 case NFT_MSG_DELFLOWTABLE:
9642 case NFT_MSG_DESTROYFLOWTABLE:
9643 if (nft_trans_flowtable_update(trans)) {
9644 list_splice(&nft_trans_flowtable_hooks(trans),
9645 &nft_trans_flowtable(trans)->hook_list);
9647 trans->ctx.table->use++;
9648 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
9650 nft_trans_destroy(trans);
9657 list_for_each_entry_safe_reverse(trans, next,
9658 &nft_net->commit_list, list) {
9659 list_del(&trans->list);
9660 nf_tables_abort_release(trans);
9663 if (action == NFNL_ABORT_AUTOLOAD)
9664 nf_tables_module_autoload(net);
9666 nf_tables_module_autoload_cleanup(net);
9671 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
9672 enum nfnl_abort_action action)
9674 struct nftables_pernet *nft_net = nft_pernet(net);
9675 int ret = __nf_tables_abort(net, action);
9677 mutex_unlock(&nft_net->commit_mutex);
9682 static bool nf_tables_valid_genid(struct net *net, u32 genid)
9684 struct nftables_pernet *nft_net = nft_pernet(net);
9687 mutex_lock(&nft_net->commit_mutex);
9689 genid_ok = genid == 0 || nft_net->base_seq == genid;
9691 mutex_unlock(&nft_net->commit_mutex);
9693 /* else, commit mutex has to be released by commit or abort function */
9697 static const struct nfnetlink_subsystem nf_tables_subsys = {
9698 .name = "nf_tables",
9699 .subsys_id = NFNL_SUBSYS_NFTABLES,
9700 .cb_count = NFT_MSG_MAX,
9702 .commit = nf_tables_commit,
9703 .abort = nf_tables_abort,
9704 .valid_genid = nf_tables_valid_genid,
9705 .owner = THIS_MODULE,
9708 int nft_chain_validate_dependency(const struct nft_chain *chain,
9709 enum nft_chain_types type)
9711 const struct nft_base_chain *basechain;
9713 if (nft_is_base_chain(chain)) {
9714 basechain = nft_base_chain(chain);
9715 if (basechain->type->type != type)
9720 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
9722 int nft_chain_validate_hooks(const struct nft_chain *chain,
9723 unsigned int hook_flags)
9725 struct nft_base_chain *basechain;
9727 if (nft_is_base_chain(chain)) {
9728 basechain = nft_base_chain(chain);
9730 if ((1 << basechain->ops.hooknum) & hook_flags)
9738 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
9741 * Loop detection - walk through the ruleset beginning at the destination chain
9742 * of a new jump until either the source chain is reached (loop) or all
9743 * reachable chains have been traversed.
9745 * The loop check is performed whenever a new jump verdict is added to an
9746 * expression or verdict map or a verdict map is bound to a new chain.
9749 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9750 const struct nft_chain *chain);
9752 static int nft_check_loops(const struct nft_ctx *ctx,
9753 const struct nft_set_ext *ext)
9755 const struct nft_data *data;
9758 data = nft_set_ext_data(ext);
9759 switch (data->verdict.code) {
9762 ret = nf_tables_check_loops(ctx, data->verdict.chain);
9772 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
9773 struct nft_set *set,
9774 const struct nft_set_iter *iter,
9775 struct nft_set_elem *elem)
9777 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
9779 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
9780 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
9783 return nft_check_loops(ctx, ext);
9786 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
9787 struct nft_set *set)
9789 u8 genmask = nft_genmask_next(ctx->net);
9790 struct nft_set_elem_catchall *catchall;
9791 struct nft_set_ext *ext;
9794 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9795 ext = nft_set_elem_ext(set, catchall->elem);
9796 if (!nft_set_elem_active(ext, genmask))
9799 ret = nft_check_loops(ctx, ext);
9807 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9808 const struct nft_chain *chain)
9810 const struct nft_rule *rule;
9811 const struct nft_expr *expr, *last;
9812 struct nft_set *set;
9813 struct nft_set_binding *binding;
9814 struct nft_set_iter iter;
9816 if (ctx->chain == chain)
9819 list_for_each_entry(rule, &chain->rules, list) {
9820 nft_rule_for_each_expr(expr, last, rule) {
9821 struct nft_immediate_expr *priv;
9822 const struct nft_data *data;
9825 if (strcmp(expr->ops->type->name, "immediate"))
9828 priv = nft_expr_priv(expr);
9829 if (priv->dreg != NFT_REG_VERDICT)
9833 switch (data->verdict.code) {
9836 err = nf_tables_check_loops(ctx,
9837 data->verdict.chain);
9847 list_for_each_entry(set, &ctx->table->sets, list) {
9848 if (!nft_is_active_next(ctx->net, set))
9850 if (!(set->flags & NFT_SET_MAP) ||
9851 set->dtype != NFT_DATA_VERDICT)
9854 list_for_each_entry(binding, &set->bindings, list) {
9855 if (!(binding->flags & NFT_SET_MAP) ||
9856 binding->chain != chain)
9859 iter.genmask = nft_genmask_next(ctx->net);
9863 iter.fn = nf_tables_loop_check_setelem;
9865 set->ops->walk(ctx, set, &iter);
9867 iter.err = nft_set_catchall_loops(ctx, set);
9878 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
9880 * @attr: netlink attribute to fetch value from
9881 * @max: maximum value to be stored in dest
9882 * @dest: pointer to the variable
9884 * Parse, check and store a given u32 netlink attribute into variable.
9885 * This function returns -ERANGE if the value goes over maximum value.
9886 * Otherwise a 0 is returned and the attribute value is stored in the
9887 * destination variable.
9889 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
9893 val = ntohl(nla_get_be32(attr));
9900 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
9902 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
9906 reg = ntohl(nla_get_be32(attr));
9908 case NFT_REG_VERDICT...NFT_REG_4:
9909 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
9911 case NFT_REG32_00...NFT_REG32_15:
9912 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
9922 * nft_dump_register - dump a register value to a netlink attribute
9924 * @skb: socket buffer
9925 * @attr: attribute number
9926 * @reg: register number
9928 * Construct a netlink attribute containing the register number. For
9929 * compatibility reasons, register numbers being a multiple of 4 are
9930 * translated to the corresponding 128 bit register numbers.
9932 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
9934 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
9935 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
9937 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
9939 return nla_put_be32(skb, attr, htonl(reg));
9941 EXPORT_SYMBOL_GPL(nft_dump_register);
9943 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
9945 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9949 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
9955 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
9960 err = nft_parse_register(attr, ®);
9964 err = nft_validate_register_load(reg, len);
9971 EXPORT_SYMBOL_GPL(nft_parse_register_load);
9973 static int nft_validate_register_store(const struct nft_ctx *ctx,
9974 enum nft_registers reg,
9975 const struct nft_data *data,
9976 enum nft_data_types type,
9982 case NFT_REG_VERDICT:
9983 if (type != NFT_DATA_VERDICT)
9987 (data->verdict.code == NFT_GOTO ||
9988 data->verdict.code == NFT_JUMP)) {
9989 err = nf_tables_check_loops(ctx, data->verdict.chain);
9996 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10000 if (reg * NFT_REG32_SIZE + len >
10001 sizeof_field(struct nft_regs, data))
10004 if (data != NULL && type != NFT_DATA_VALUE)
10010 int nft_parse_register_store(const struct nft_ctx *ctx,
10011 const struct nlattr *attr, u8 *dreg,
10012 const struct nft_data *data,
10013 enum nft_data_types type, unsigned int len)
10018 err = nft_parse_register(attr, ®);
10022 err = nft_validate_register_store(ctx, reg, data, type, len);
10029 EXPORT_SYMBOL_GPL(nft_parse_register_store);
10031 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
10032 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
10033 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
10034 .len = NFT_CHAIN_MAXNAMELEN - 1 },
10035 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
10038 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
10039 struct nft_data_desc *desc, const struct nlattr *nla)
10041 u8 genmask = nft_genmask_next(ctx->net);
10042 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
10043 struct nft_chain *chain;
10046 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
10047 nft_verdict_policy, NULL);
10051 if (!tb[NFTA_VERDICT_CODE])
10053 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
10055 switch (data->verdict.code) {
10057 switch (data->verdict.code & NF_VERDICT_MASK) {
10072 if (tb[NFTA_VERDICT_CHAIN]) {
10073 chain = nft_chain_lookup(ctx->net, ctx->table,
10074 tb[NFTA_VERDICT_CHAIN],
10076 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
10077 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
10078 tb[NFTA_VERDICT_CHAIN_ID]);
10080 return PTR_ERR(chain);
10086 return PTR_ERR(chain);
10087 if (nft_is_base_chain(chain))
10088 return -EOPNOTSUPP;
10089 if (nft_chain_is_bound(chain))
10091 if (desc->flags & NFT_DATA_DESC_SETELEM &&
10092 chain->flags & NFT_CHAIN_BINDING)
10096 data->verdict.chain = chain;
10100 desc->len = sizeof(data->verdict);
10105 static void nft_verdict_uninit(const struct nft_data *data)
10107 struct nft_chain *chain;
10108 struct nft_rule *rule;
10110 switch (data->verdict.code) {
10113 chain = data->verdict.chain;
10116 if (!nft_chain_is_bound(chain))
10119 chain->table->use--;
10120 list_for_each_entry(rule, &chain->rules, list)
10123 nft_chain_del(chain);
10128 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
10130 struct nlattr *nest;
10132 nest = nla_nest_start_noflag(skb, type);
10134 goto nla_put_failure;
10136 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
10137 goto nla_put_failure;
10142 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
10144 goto nla_put_failure;
10146 nla_nest_end(skb, nest);
10153 static int nft_value_init(const struct nft_ctx *ctx,
10154 struct nft_data *data, struct nft_data_desc *desc,
10155 const struct nlattr *nla)
10159 len = nla_len(nla);
10162 if (len > desc->size)
10165 if (len != desc->len)
10171 nla_memcpy(data->data, nla, len);
10176 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
10179 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
10182 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
10183 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
10184 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
10188 * nft_data_init - parse nf_tables data netlink attributes
10190 * @ctx: context of the expression using the data
10191 * @data: destination struct nft_data
10192 * @desc: data description
10193 * @nla: netlink attribute containing data
10195 * Parse the netlink data attributes and initialize a struct nft_data.
10196 * The type and length of data are returned in the data description.
10198 * The caller can indicate that it only wants to accept data of type
10199 * NFT_DATA_VALUE by passing NULL for the ctx argument.
10201 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
10202 struct nft_data_desc *desc, const struct nlattr *nla)
10204 struct nlattr *tb[NFTA_DATA_MAX + 1];
10207 if (WARN_ON_ONCE(!desc->size))
10210 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
10211 nft_data_policy, NULL);
10215 if (tb[NFTA_DATA_VALUE]) {
10216 if (desc->type != NFT_DATA_VALUE)
10219 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
10220 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
10221 if (desc->type != NFT_DATA_VERDICT)
10224 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
10231 EXPORT_SYMBOL_GPL(nft_data_init);
10234 * nft_data_release - release a nft_data item
10236 * @data: struct nft_data to release
10237 * @type: type of data
10239 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
10240 * all others need to be released by calling this function.
10242 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
10244 if (type < NFT_DATA_VERDICT)
10247 case NFT_DATA_VERDICT:
10248 return nft_verdict_uninit(data);
10253 EXPORT_SYMBOL_GPL(nft_data_release);
10255 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
10256 enum nft_data_types type, unsigned int len)
10258 struct nlattr *nest;
10261 nest = nla_nest_start_noflag(skb, attr);
10266 case NFT_DATA_VALUE:
10267 err = nft_value_dump(skb, data, len);
10269 case NFT_DATA_VERDICT:
10270 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
10277 nla_nest_end(skb, nest);
10280 EXPORT_SYMBOL_GPL(nft_data_dump);
10282 int __nft_release_basechain(struct nft_ctx *ctx)
10284 struct nft_rule *rule, *nr;
10286 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
10289 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
10290 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
10291 list_del(&rule->list);
10293 nf_tables_rule_release(ctx, rule);
10295 nft_chain_del(ctx->chain);
10297 nf_tables_chain_destroy(ctx);
10301 EXPORT_SYMBOL_GPL(__nft_release_basechain);
10303 static void __nft_release_hook(struct net *net, struct nft_table *table)
10305 struct nft_flowtable *flowtable;
10306 struct nft_chain *chain;
10308 list_for_each_entry(chain, &table->chains, list)
10309 __nf_tables_unregister_hook(net, table, chain, true);
10310 list_for_each_entry(flowtable, &table->flowtables, list)
10311 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
10315 static void __nft_release_hooks(struct net *net)
10317 struct nftables_pernet *nft_net = nft_pernet(net);
10318 struct nft_table *table;
10320 list_for_each_entry(table, &nft_net->tables, list) {
10321 if (nft_table_has_owner(table))
10324 __nft_release_hook(net, table);
10328 static void __nft_release_table(struct net *net, struct nft_table *table)
10330 struct nft_flowtable *flowtable, *nf;
10331 struct nft_chain *chain, *nc;
10332 struct nft_object *obj, *ne;
10333 struct nft_rule *rule, *nr;
10334 struct nft_set *set, *ns;
10335 struct nft_ctx ctx = {
10337 .family = NFPROTO_NETDEV,
10340 ctx.family = table->family;
10342 list_for_each_entry(chain, &table->chains, list) {
10344 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
10345 list_del(&rule->list);
10347 nf_tables_rule_release(&ctx, rule);
10350 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
10351 list_del(&flowtable->list);
10353 nf_tables_flowtable_destroy(flowtable);
10355 list_for_each_entry_safe(set, ns, &table->sets, list) {
10356 list_del(&set->list);
10358 nft_set_destroy(&ctx, set);
10360 list_for_each_entry_safe(obj, ne, &table->objects, list) {
10363 nft_obj_destroy(&ctx, obj);
10365 list_for_each_entry_safe(chain, nc, &table->chains, list) {
10367 nft_chain_del(chain);
10369 nf_tables_chain_destroy(&ctx);
10371 nf_tables_table_destroy(&ctx);
10374 static void __nft_release_tables(struct net *net)
10376 struct nftables_pernet *nft_net = nft_pernet(net);
10377 struct nft_table *table, *nt;
10379 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
10380 if (nft_table_has_owner(table))
10383 list_del(&table->list);
10385 __nft_release_table(net, table);
10389 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
10392 struct nft_table *table, *to_delete[8];
10393 struct nftables_pernet *nft_net;
10394 struct netlink_notify *n = ptr;
10395 struct net *net = n->net;
10396 unsigned int deleted;
10397 bool restart = false;
10399 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
10400 return NOTIFY_DONE;
10402 nft_net = nft_pernet(net);
10404 mutex_lock(&nft_net->commit_mutex);
10405 if (!list_empty(&nf_tables_destroy_list))
10408 list_for_each_entry(table, &nft_net->tables, list) {
10409 if (nft_table_has_owner(table) &&
10410 n->portid == table->nlpid) {
10411 __nft_release_hook(net, table);
10412 list_del_rcu(&table->list);
10413 to_delete[deleted++] = table;
10414 if (deleted >= ARRAY_SIZE(to_delete))
10419 restart = deleted >= ARRAY_SIZE(to_delete);
10422 __nft_release_table(net, to_delete[--deleted]);
10427 mutex_unlock(&nft_net->commit_mutex);
10429 return NOTIFY_DONE;
10432 static struct notifier_block nft_nl_notifier = {
10433 .notifier_call = nft_rcv_nl_event,
10436 static int __net_init nf_tables_init_net(struct net *net)
10438 struct nftables_pernet *nft_net = nft_pernet(net);
10440 INIT_LIST_HEAD(&nft_net->tables);
10441 INIT_LIST_HEAD(&nft_net->commit_list);
10442 INIT_LIST_HEAD(&nft_net->module_list);
10443 INIT_LIST_HEAD(&nft_net->notify_list);
10444 mutex_init(&nft_net->commit_mutex);
10445 nft_net->base_seq = 1;
10446 nft_net->validate_state = NFT_VALIDATE_SKIP;
10451 static void __net_exit nf_tables_pre_exit_net(struct net *net)
10453 struct nftables_pernet *nft_net = nft_pernet(net);
10455 mutex_lock(&nft_net->commit_mutex);
10456 __nft_release_hooks(net);
10457 mutex_unlock(&nft_net->commit_mutex);
10460 static void __net_exit nf_tables_exit_net(struct net *net)
10462 struct nftables_pernet *nft_net = nft_pernet(net);
10464 mutex_lock(&nft_net->commit_mutex);
10465 if (!list_empty(&nft_net->commit_list) ||
10466 !list_empty(&nft_net->module_list))
10467 __nf_tables_abort(net, NFNL_ABORT_NONE);
10468 __nft_release_tables(net);
10469 mutex_unlock(&nft_net->commit_mutex);
10470 WARN_ON_ONCE(!list_empty(&nft_net->tables));
10471 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
10472 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10475 static struct pernet_operations nf_tables_net_ops = {
10476 .init = nf_tables_init_net,
10477 .pre_exit = nf_tables_pre_exit_net,
10478 .exit = nf_tables_exit_net,
10479 .id = &nf_tables_net_id,
10480 .size = sizeof(struct nftables_pernet),
10483 static int __init nf_tables_module_init(void)
10487 err = register_pernet_subsys(&nf_tables_net_ops);
10491 err = nft_chain_filter_init();
10493 goto err_chain_filter;
10495 err = nf_tables_core_module_init();
10497 goto err_core_module;
10499 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
10501 goto err_netdev_notifier;
10503 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
10505 goto err_rht_objname;
10507 err = nft_offload_init();
10511 err = netlink_register_notifier(&nft_nl_notifier);
10513 goto err_netlink_notifier;
10516 err = nfnetlink_subsys_register(&nf_tables_subsys);
10518 goto err_nfnl_subsys;
10520 nft_chain_route_init();
10525 netlink_unregister_notifier(&nft_nl_notifier);
10526 err_netlink_notifier:
10527 nft_offload_exit();
10529 rhltable_destroy(&nft_objname_ht);
10531 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
10532 err_netdev_notifier:
10533 nf_tables_core_module_exit();
10535 nft_chain_filter_fini();
10537 unregister_pernet_subsys(&nf_tables_net_ops);
10541 static void __exit nf_tables_module_exit(void)
10543 nfnetlink_subsys_unregister(&nf_tables_subsys);
10544 netlink_unregister_notifier(&nft_nl_notifier);
10545 nft_offload_exit();
10546 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
10547 nft_chain_filter_fini();
10548 nft_chain_route_fini();
10549 unregister_pernet_subsys(&nf_tables_net_ops);
10550 cancel_work_sync(&trans_destroy_work);
10552 rhltable_destroy(&nft_objname_ht);
10553 nf_tables_core_module_exit();
10556 module_init(nf_tables_module_init);
10557 module_exit(nf_tables_module_exit);
10559 MODULE_LICENSE("GPL");
10560 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
10561 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-stable / blob