2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
31 static void nft_ctx_init(struct nft_ctx *ctx,
33 const struct sk_buff *skb,
34 const struct nlmsghdr *nlh,
36 struct nft_table *table,
37 struct nft_chain *chain,
38 const struct nlattr * const *nla)
45 ctx->portid = NETLINK_CB(skb).portid;
46 ctx->report = nlmsg_report(nlh);
47 ctx->seq = nlh->nlmsg_seq;
50 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
51 int msg_type, u32 size, gfp_t gfp)
53 struct nft_trans *trans;
55 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
59 trans->msg_type = msg_type;
65 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
66 int msg_type, u32 size)
68 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
71 static void nft_trans_destroy(struct nft_trans *trans)
73 list_del(&trans->list);
77 /* removal requests are queued in the commit_list, but not acted upon
78 * until after all new rules are in place.
80 * Therefore, nf_register_net_hook(net, &nat_hook) runs before pending
81 * nf_unregister_net_hook().
83 * nf_register_net_hook thus fails if a nat hook is already in place
84 * even if the conflicting hook is about to be removed.
86 * If collision is detected, search commit_log for DELCHAIN matching
87 * the new nat hooknum; if we find one collision is temporary:
89 * Either transaction is aborted (new/colliding hook is removed), or
90 * transaction is committed (old hook is removed).
92 static bool nf_tables_allow_nat_conflict(const struct net *net,
93 const struct nf_hook_ops *ops)
95 const struct nft_trans *trans;
101 list_for_each_entry(trans, &net->nft.commit_list, list) {
102 const struct nf_hook_ops *pending_ops;
103 const struct nft_chain *pending;
105 if (trans->msg_type != NFT_MSG_NEWCHAIN &&
106 trans->msg_type != NFT_MSG_DELCHAIN)
109 pending = trans->ctx.chain;
110 if (!nft_is_base_chain(pending))
113 pending_ops = &nft_base_chain(pending)->ops;
114 if (pending_ops->nat_hook &&
115 pending_ops->pf == ops->pf &&
116 pending_ops->hooknum == ops->hooknum) {
117 /* other hook registration already pending? */
118 if (trans->msg_type == NFT_MSG_NEWCHAIN)
128 static int nf_tables_register_hook(struct net *net,
129 const struct nft_table *table,
130 struct nft_chain *chain)
132 struct nf_hook_ops *ops;
135 if (table->flags & NFT_TABLE_F_DORMANT ||
136 !nft_is_base_chain(chain))
139 ops = &nft_base_chain(chain)->ops;
140 ret = nf_register_net_hook(net, ops);
141 if (ret == -EBUSY && nf_tables_allow_nat_conflict(net, ops)) {
142 ops->nat_hook = false;
143 ret = nf_register_net_hook(net, ops);
144 ops->nat_hook = true;
150 static void nf_tables_unregister_hook(struct net *net,
151 const struct nft_table *table,
152 struct nft_chain *chain)
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !nft_is_base_chain(chain))
158 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
161 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
163 struct nft_trans *trans;
165 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
169 if (msg_type == NFT_MSG_NEWTABLE)
170 nft_activate_next(ctx->net, ctx->table);
172 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
176 static int nft_deltable(struct nft_ctx *ctx)
180 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
184 nft_deactivate_next(ctx->net, ctx->table);
188 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
190 struct nft_trans *trans;
192 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
196 if (msg_type == NFT_MSG_NEWCHAIN)
197 nft_activate_next(ctx->net, ctx->chain);
199 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
203 static int nft_delchain(struct nft_ctx *ctx)
207 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
212 nft_deactivate_next(ctx->net, ctx->chain);
217 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
218 struct nft_rule *rule)
220 struct nft_expr *expr;
222 expr = nft_expr_first(rule);
223 while (expr != nft_expr_last(rule) && expr->ops) {
224 if (expr->ops->activate)
225 expr->ops->activate(ctx, expr);
227 expr = nft_expr_next(expr);
231 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
232 struct nft_rule *rule)
234 struct nft_expr *expr;
236 expr = nft_expr_first(rule);
237 while (expr != nft_expr_last(rule) && expr->ops) {
238 if (expr->ops->deactivate)
239 expr->ops->deactivate(ctx, expr);
241 expr = nft_expr_next(expr);
246 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
248 /* You cannot delete the same rule twice */
249 if (nft_is_active_next(ctx->net, rule)) {
250 nft_deactivate_next(ctx->net, rule);
257 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
258 struct nft_rule *rule)
260 struct nft_trans *trans;
262 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
266 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
267 nft_trans_rule_id(trans) =
268 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
270 nft_trans_rule(trans) = rule;
271 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
276 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
278 struct nft_trans *trans;
281 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
285 err = nf_tables_delrule_deactivate(ctx, rule);
287 nft_trans_destroy(trans);
290 nft_rule_expr_deactivate(ctx, rule);
295 static int nft_delrule_by_chain(struct nft_ctx *ctx)
297 struct nft_rule *rule;
300 list_for_each_entry(rule, &ctx->chain->rules, list) {
301 err = nft_delrule(ctx, rule);
308 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
311 struct nft_trans *trans;
313 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
317 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
318 nft_trans_set_id(trans) =
319 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
320 nft_activate_next(ctx->net, set);
322 nft_trans_set(trans) = set;
323 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
328 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
332 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
336 nft_deactivate_next(ctx->net, set);
342 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
343 struct nft_object *obj)
345 struct nft_trans *trans;
347 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
351 if (msg_type == NFT_MSG_NEWOBJ)
352 nft_activate_next(ctx->net, obj);
354 nft_trans_obj(trans) = obj;
355 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
360 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
364 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
368 nft_deactivate_next(ctx->net, obj);
374 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
375 struct nft_flowtable *flowtable)
377 struct nft_trans *trans;
379 trans = nft_trans_alloc(ctx, msg_type,
380 sizeof(struct nft_trans_flowtable));
384 if (msg_type == NFT_MSG_NEWFLOWTABLE)
385 nft_activate_next(ctx->net, flowtable);
387 nft_trans_flowtable(trans) = flowtable;
388 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
393 static int nft_delflowtable(struct nft_ctx *ctx,
394 struct nft_flowtable *flowtable)
398 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
402 nft_deactivate_next(ctx->net, flowtable);
412 static struct nft_table *nft_table_lookup(const struct net *net,
413 const struct nlattr *nla,
414 u8 family, u8 genmask)
416 struct nft_table *table;
418 list_for_each_entry(table, &net->nft.tables, list) {
419 if (!nla_strcmp(nla, table->name) &&
420 table->family == family &&
421 nft_active_genmask(table, genmask))
427 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
428 const struct nlattr *nla,
431 struct nft_table *table;
433 list_for_each_entry(table, &net->nft.tables, list) {
434 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
435 nft_active_genmask(table, genmask))
441 static struct nft_table *nf_tables_table_lookup(const struct net *net,
442 const struct nlattr *nla,
443 u8 family, u8 genmask)
445 struct nft_table *table;
448 return ERR_PTR(-EINVAL);
450 table = nft_table_lookup(net, nla, family, genmask);
454 return ERR_PTR(-ENOENT);
457 static struct nft_table *nf_tables_table_lookup_byhandle(const struct net *net,
458 const struct nlattr *nla,
461 struct nft_table *table;
464 return ERR_PTR(-EINVAL);
466 table = nft_table_lookup_byhandle(net, nla, genmask);
470 return ERR_PTR(-ENOENT);
473 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
475 return ++table->hgenerator;
478 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
480 static const struct nft_chain_type *
481 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
485 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
486 if (chain_type[family][i] != NULL &&
487 !nla_strcmp(nla, chain_type[family][i]->name))
488 return chain_type[family][i];
493 static const struct nft_chain_type *
494 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
496 const struct nft_chain_type *type;
498 type = __nf_tables_chain_type_lookup(nla, family);
501 #ifdef CONFIG_MODULES
503 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
504 request_module("nft-chain-%u-%.*s", family,
505 nla_len(nla), (const char *)nla_data(nla));
506 nfnl_lock(NFNL_SUBSYS_NFTABLES);
507 type = __nf_tables_chain_type_lookup(nla, family);
509 return ERR_PTR(-EAGAIN);
512 return ERR_PTR(-ENOENT);
515 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
516 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
517 .len = NFT_TABLE_MAXNAMELEN - 1 },
518 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
519 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
522 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
523 u32 portid, u32 seq, int event, u32 flags,
524 int family, const struct nft_table *table)
526 struct nlmsghdr *nlh;
527 struct nfgenmsg *nfmsg;
529 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
530 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
532 goto nla_put_failure;
534 nfmsg = nlmsg_data(nlh);
535 nfmsg->nfgen_family = family;
536 nfmsg->version = NFNETLINK_V0;
537 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
539 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
540 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
541 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
542 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
544 goto nla_put_failure;
550 nlmsg_trim(skb, nlh);
554 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
560 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
563 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
567 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
568 event, 0, ctx->family, ctx->table);
574 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
575 ctx->report, GFP_KERNEL);
578 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
581 static int nf_tables_dump_tables(struct sk_buff *skb,
582 struct netlink_callback *cb)
584 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
585 const struct nft_table *table;
586 unsigned int idx = 0, s_idx = cb->args[0];
587 struct net *net = sock_net(skb->sk);
588 int family = nfmsg->nfgen_family;
591 cb->seq = net->nft.base_seq;
593 list_for_each_entry_rcu(table, &net->nft.tables, list) {
594 if (family != NFPROTO_UNSPEC && family != table->family)
600 memset(&cb->args[1], 0,
601 sizeof(cb->args) - sizeof(cb->args[0]));
602 if (!nft_is_active(net, table))
604 if (nf_tables_fill_table_info(skb, net,
605 NETLINK_CB(cb->skb).portid,
607 NFT_MSG_NEWTABLE, NLM_F_MULTI,
608 table->family, table) < 0)
611 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
621 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
622 struct sk_buff *skb, const struct nlmsghdr *nlh,
623 const struct nlattr * const nla[],
624 struct netlink_ext_ack *extack)
626 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
627 u8 genmask = nft_genmask_cur(net);
628 const struct nft_table *table;
629 struct sk_buff *skb2;
630 int family = nfmsg->nfgen_family;
633 if (nlh->nlmsg_flags & NLM_F_DUMP) {
634 struct netlink_dump_control c = {
635 .dump = nf_tables_dump_tables,
637 return netlink_dump_start(nlsk, skb, nlh, &c);
640 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family,
643 return PTR_ERR(table);
645 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
649 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
650 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
655 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
662 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
664 struct nft_chain *chain;
667 list_for_each_entry(chain, &table->chains, list) {
668 if (!nft_is_active_next(net, chain))
670 if (!nft_is_base_chain(chain))
673 if (cnt && i++ == cnt)
676 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
680 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
682 struct nft_chain *chain;
685 list_for_each_entry(chain, &table->chains, list) {
686 if (!nft_is_active_next(net, chain))
688 if (!nft_is_base_chain(chain))
691 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
700 nft_table_disable(net, table, i);
704 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
706 nft_table_disable(net, table, 0);
709 static int nf_tables_updtable(struct nft_ctx *ctx)
711 struct nft_trans *trans;
715 if (!ctx->nla[NFTA_TABLE_FLAGS])
718 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
719 if (flags & ~NFT_TABLE_F_DORMANT)
722 if (flags == ctx->table->flags)
725 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
726 sizeof(struct nft_trans_table));
730 if ((flags & NFT_TABLE_F_DORMANT) &&
731 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
732 nft_trans_table_enable(trans) = false;
733 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
734 ctx->table->flags & NFT_TABLE_F_DORMANT) {
735 ret = nf_tables_table_enable(ctx->net, ctx->table);
737 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
738 nft_trans_table_enable(trans) = true;
744 nft_trans_table_update(trans) = true;
745 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
748 nft_trans_destroy(trans);
752 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
753 struct sk_buff *skb, const struct nlmsghdr *nlh,
754 const struct nlattr * const nla[],
755 struct netlink_ext_ack *extack)
757 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
758 u8 genmask = nft_genmask_next(net);
759 const struct nlattr *name;
760 struct nft_table *table;
761 int family = nfmsg->nfgen_family;
766 name = nla[NFTA_TABLE_NAME];
767 table = nf_tables_table_lookup(net, name, family, genmask);
769 if (PTR_ERR(table) != -ENOENT)
770 return PTR_ERR(table);
772 if (nlh->nlmsg_flags & NLM_F_EXCL)
774 if (nlh->nlmsg_flags & NLM_F_REPLACE)
777 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
778 return nf_tables_updtable(&ctx);
781 if (nla[NFTA_TABLE_FLAGS]) {
782 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
783 if (flags & ~NFT_TABLE_F_DORMANT)
788 table = kzalloc(sizeof(*table), GFP_KERNEL);
792 table->name = nla_strdup(name, GFP_KERNEL);
793 if (table->name == NULL)
796 INIT_LIST_HEAD(&table->chains);
797 INIT_LIST_HEAD(&table->sets);
798 INIT_LIST_HEAD(&table->objects);
799 INIT_LIST_HEAD(&table->flowtables);
800 table->family = family;
801 table->flags = flags;
802 table->handle = ++table_handle;
804 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
805 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
809 list_add_tail_rcu(&table->list, &net->nft.tables);
819 static int nft_flush_table(struct nft_ctx *ctx)
821 struct nft_flowtable *flowtable, *nft;
822 struct nft_chain *chain, *nc;
823 struct nft_object *obj, *ne;
824 struct nft_set *set, *ns;
827 list_for_each_entry(chain, &ctx->table->chains, list) {
828 if (!nft_is_active_next(ctx->net, chain))
833 err = nft_delrule_by_chain(ctx);
838 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
839 if (!nft_is_active_next(ctx->net, set))
842 if (nft_set_is_anonymous(set) &&
843 !list_empty(&set->bindings))
846 err = nft_delset(ctx, set);
851 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
852 err = nft_delflowtable(ctx, flowtable);
857 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
858 err = nft_delobj(ctx, obj);
863 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
864 if (!nft_is_active_next(ctx->net, chain))
869 err = nft_delchain(ctx);
874 err = nft_deltable(ctx);
879 static int nft_flush(struct nft_ctx *ctx, int family)
881 struct nft_table *table, *nt;
882 const struct nlattr * const *nla = ctx->nla;
885 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
886 if (family != AF_UNSPEC && table->family != family)
889 ctx->family = table->family;
891 if (!nft_is_active_next(ctx->net, table))
894 if (nla[NFTA_TABLE_NAME] &&
895 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
900 err = nft_flush_table(ctx);
908 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
909 struct sk_buff *skb, const struct nlmsghdr *nlh,
910 const struct nlattr * const nla[],
911 struct netlink_ext_ack *extack)
913 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
914 u8 genmask = nft_genmask_next(net);
915 struct nft_table *table;
916 int family = nfmsg->nfgen_family;
919 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
920 if (family == AF_UNSPEC ||
921 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
922 return nft_flush(&ctx, family);
924 if (nla[NFTA_TABLE_HANDLE])
925 table = nf_tables_table_lookup_byhandle(net,
926 nla[NFTA_TABLE_HANDLE],
929 table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME],
933 return PTR_ERR(table);
935 if (nlh->nlmsg_flags & NLM_F_NONREC &&
942 return nft_flush_table(&ctx);
945 static void nf_tables_table_destroy(struct nft_ctx *ctx)
947 BUG_ON(ctx->table->use > 0);
949 kfree(ctx->table->name);
953 void nft_register_chain_type(const struct nft_chain_type *ctype)
955 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
958 nfnl_lock(NFNL_SUBSYS_NFTABLES);
959 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
960 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
963 chain_type[ctype->family][ctype->type] = ctype;
964 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
966 EXPORT_SYMBOL_GPL(nft_register_chain_type);
968 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
970 nfnl_lock(NFNL_SUBSYS_NFTABLES);
971 chain_type[ctype->family][ctype->type] = NULL;
972 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
974 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
980 static struct nft_chain *
981 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
984 struct nft_chain *chain;
986 list_for_each_entry(chain, &table->chains, list) {
987 if (chain->handle == handle &&
988 nft_active_genmask(chain, genmask))
992 return ERR_PTR(-ENOENT);
995 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
996 const struct nlattr *nla,
999 struct nft_chain *chain;
1002 return ERR_PTR(-EINVAL);
1004 list_for_each_entry(chain, &table->chains, list) {
1005 if (!nla_strcmp(nla, chain->name) &&
1006 nft_active_genmask(chain, genmask))
1010 return ERR_PTR(-ENOENT);
1013 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1014 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1015 .len = NFT_TABLE_MAXNAMELEN - 1 },
1016 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1017 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1018 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1019 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1020 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1021 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1022 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1025 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1026 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1027 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1028 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1029 .len = IFNAMSIZ - 1 },
1032 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1034 struct nft_stats *cpu_stats, total;
1035 struct nlattr *nest;
1040 memset(&total, 0, sizeof(total));
1041 for_each_possible_cpu(cpu) {
1042 cpu_stats = per_cpu_ptr(stats, cpu);
1044 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1045 pkts = cpu_stats->pkts;
1046 bytes = cpu_stats->bytes;
1047 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1049 total.bytes += bytes;
1051 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1053 goto nla_put_failure;
1055 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1056 NFTA_COUNTER_PAD) ||
1057 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1059 goto nla_put_failure;
1061 nla_nest_end(skb, nest);
1068 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1069 u32 portid, u32 seq, int event, u32 flags,
1070 int family, const struct nft_table *table,
1071 const struct nft_chain *chain)
1073 struct nlmsghdr *nlh;
1074 struct nfgenmsg *nfmsg;
1076 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1077 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1079 goto nla_put_failure;
1081 nfmsg = nlmsg_data(nlh);
1082 nfmsg->nfgen_family = family;
1083 nfmsg->version = NFNETLINK_V0;
1084 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1086 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1087 goto nla_put_failure;
1088 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1090 goto nla_put_failure;
1091 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1092 goto nla_put_failure;
1094 if (nft_is_base_chain(chain)) {
1095 const struct nft_base_chain *basechain = nft_base_chain(chain);
1096 const struct nf_hook_ops *ops = &basechain->ops;
1097 struct nlattr *nest;
1099 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1101 goto nla_put_failure;
1102 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1103 goto nla_put_failure;
1104 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1105 goto nla_put_failure;
1106 if (basechain->dev_name[0] &&
1107 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1108 goto nla_put_failure;
1109 nla_nest_end(skb, nest);
1111 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1112 htonl(basechain->policy)))
1113 goto nla_put_failure;
1115 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1116 goto nla_put_failure;
1118 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1119 goto nla_put_failure;
1122 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1123 goto nla_put_failure;
1125 nlmsg_end(skb, nlh);
1129 nlmsg_trim(skb, nlh);
1133 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1135 struct sk_buff *skb;
1139 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1142 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1146 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1147 event, 0, ctx->family, ctx->table,
1154 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1155 ctx->report, GFP_KERNEL);
1158 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1161 static int nf_tables_dump_chains(struct sk_buff *skb,
1162 struct netlink_callback *cb)
1164 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1165 const struct nft_table *table;
1166 const struct nft_chain *chain;
1167 unsigned int idx = 0, s_idx = cb->args[0];
1168 struct net *net = sock_net(skb->sk);
1169 int family = nfmsg->nfgen_family;
1172 cb->seq = net->nft.base_seq;
1174 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1175 if (family != NFPROTO_UNSPEC && family != table->family)
1178 list_for_each_entry_rcu(chain, &table->chains, list) {
1182 memset(&cb->args[1], 0,
1183 sizeof(cb->args) - sizeof(cb->args[0]));
1184 if (!nft_is_active(net, chain))
1186 if (nf_tables_fill_chain_info(skb, net,
1187 NETLINK_CB(cb->skb).portid,
1191 table->family, table,
1195 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1206 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1207 struct sk_buff *skb, const struct nlmsghdr *nlh,
1208 const struct nlattr * const nla[],
1209 struct netlink_ext_ack *extack)
1211 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1212 u8 genmask = nft_genmask_cur(net);
1213 const struct nft_table *table;
1214 const struct nft_chain *chain;
1215 struct sk_buff *skb2;
1216 int family = nfmsg->nfgen_family;
1219 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1220 struct netlink_dump_control c = {
1221 .dump = nf_tables_dump_chains,
1223 return netlink_dump_start(nlsk, skb, nlh, &c);
1226 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1229 return PTR_ERR(table);
1231 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1233 return PTR_ERR(chain);
1235 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1239 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1240 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1241 family, table, chain);
1245 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1252 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1253 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1254 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1257 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1259 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1260 struct nft_stats __percpu *newstats;
1261 struct nft_stats *stats;
1264 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1267 return ERR_PTR(err);
1269 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1270 return ERR_PTR(-EINVAL);
1272 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1273 if (newstats == NULL)
1274 return ERR_PTR(-ENOMEM);
1276 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1277 * are not exposed to userspace.
1280 stats = this_cpu_ptr(newstats);
1281 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1282 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1288 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1289 struct nft_stats __percpu *newstats)
1291 struct nft_stats __percpu *oldstats;
1293 if (newstats == NULL)
1297 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1298 rcu_assign_pointer(chain->stats, newstats);
1300 free_percpu(oldstats);
1302 rcu_assign_pointer(chain->stats, newstats);
1303 static_branch_inc(&nft_counters_enabled);
1307 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1309 struct nft_chain *chain = ctx->chain;
1311 BUG_ON(chain->use > 0);
1313 if (nft_is_base_chain(chain)) {
1314 struct nft_base_chain *basechain = nft_base_chain(chain);
1316 if (basechain->type->free)
1317 basechain->type->free(ctx);
1318 module_put(basechain->type->owner);
1319 free_percpu(basechain->stats);
1320 if (basechain->stats)
1321 static_branch_dec(&nft_counters_enabled);
1330 struct nft_chain_hook {
1333 const struct nft_chain_type *type;
1334 struct net_device *dev;
1337 static int nft_chain_parse_hook(struct net *net,
1338 const struct nlattr * const nla[],
1339 struct nft_chain_hook *hook, u8 family,
1342 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1343 const struct nft_chain_type *type;
1344 struct net_device *dev;
1347 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1348 nft_hook_policy, NULL);
1352 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1353 ha[NFTA_HOOK_PRIORITY] == NULL)
1356 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1357 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1359 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1360 if (nla[NFTA_CHAIN_TYPE]) {
1361 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1364 return PTR_ERR(type);
1366 if (!(type->hook_mask & (1 << hook->num)))
1369 if (type->type == NFT_CHAIN_T_NAT &&
1370 hook->priority <= NF_IP_PRI_CONNTRACK)
1373 if (!try_module_get(type->owner))
1379 if (family == NFPROTO_NETDEV) {
1380 char ifname[IFNAMSIZ];
1382 if (!ha[NFTA_HOOK_DEV]) {
1383 module_put(type->owner);
1387 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1388 dev = __dev_get_by_name(net, ifname);
1390 module_put(type->owner);
1394 } else if (ha[NFTA_HOOK_DEV]) {
1395 module_put(type->owner);
1402 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1404 module_put(hook->type->owner);
1407 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1408 u8 policy, bool create)
1410 const struct nlattr * const *nla = ctx->nla;
1411 struct nft_table *table = ctx->table;
1412 struct nft_base_chain *basechain;
1413 struct nft_stats __percpu *stats;
1414 struct net *net = ctx->net;
1415 struct nft_chain *chain;
1418 if (table->use == UINT_MAX)
1421 if (nla[NFTA_CHAIN_HOOK]) {
1422 struct nft_chain_hook hook;
1423 struct nf_hook_ops *ops;
1425 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1429 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1430 if (basechain == NULL) {
1431 nft_chain_release_hook(&hook);
1435 if (hook.dev != NULL)
1436 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1438 if (nla[NFTA_CHAIN_COUNTERS]) {
1439 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1440 if (IS_ERR(stats)) {
1441 nft_chain_release_hook(&hook);
1443 return PTR_ERR(stats);
1445 basechain->stats = stats;
1446 static_branch_inc(&nft_counters_enabled);
1449 basechain->type = hook.type;
1450 if (basechain->type->init)
1451 basechain->type->init(ctx);
1453 chain = &basechain->chain;
1455 ops = &basechain->ops;
1457 ops->hooknum = hook.num;
1458 ops->priority = hook.priority;
1460 ops->hook = hook.type->hooks[ops->hooknum];
1461 ops->dev = hook.dev;
1463 if (basechain->type->type == NFT_CHAIN_T_NAT)
1464 ops->nat_hook = true;
1466 chain->flags |= NFT_BASE_CHAIN;
1467 basechain->policy = policy;
1469 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1475 INIT_LIST_HEAD(&chain->rules);
1476 chain->handle = nf_tables_alloc_handle(table);
1477 chain->table = table;
1478 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1484 err = nf_tables_register_hook(net, table, chain);
1488 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1493 list_add_tail_rcu(&chain->list, &table->chains);
1497 nf_tables_unregister_hook(net, table, chain);
1499 nf_tables_chain_destroy(ctx);
1504 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1507 const struct nlattr * const *nla = ctx->nla;
1508 struct nft_table *table = ctx->table;
1509 struct nft_chain *chain = ctx->chain;
1510 struct nft_base_chain *basechain;
1511 struct nft_stats *stats = NULL;
1512 struct nft_chain_hook hook;
1513 const struct nlattr *name;
1514 struct nf_hook_ops *ops;
1515 struct nft_trans *trans;
1518 if (nla[NFTA_CHAIN_HOOK]) {
1519 if (!nft_is_base_chain(chain))
1522 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1527 basechain = nft_base_chain(chain);
1528 if (basechain->type != hook.type) {
1529 nft_chain_release_hook(&hook);
1533 ops = &basechain->ops;
1534 if (ops->hooknum != hook.num ||
1535 ops->priority != hook.priority ||
1536 ops->dev != hook.dev) {
1537 nft_chain_release_hook(&hook);
1540 nft_chain_release_hook(&hook);
1543 if (nla[NFTA_CHAIN_HANDLE] &&
1544 nla[NFTA_CHAIN_NAME]) {
1545 struct nft_chain *chain2;
1547 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1549 if (!IS_ERR(chain2))
1553 if (nla[NFTA_CHAIN_COUNTERS]) {
1554 if (!nft_is_base_chain(chain))
1557 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1559 return PTR_ERR(stats);
1562 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1563 sizeof(struct nft_trans_chain));
1564 if (trans == NULL) {
1569 nft_trans_chain_stats(trans) = stats;
1570 nft_trans_chain_update(trans) = true;
1572 if (nla[NFTA_CHAIN_POLICY])
1573 nft_trans_chain_policy(trans) = policy;
1575 nft_trans_chain_policy(trans) = -1;
1577 name = nla[NFTA_CHAIN_NAME];
1578 if (nla[NFTA_CHAIN_HANDLE] && name) {
1579 nft_trans_chain_name(trans) =
1580 nla_strdup(name, GFP_KERNEL);
1581 if (!nft_trans_chain_name(trans)) {
1587 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1592 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1593 struct sk_buff *skb, const struct nlmsghdr *nlh,
1594 const struct nlattr * const nla[],
1595 struct netlink_ext_ack *extack)
1597 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1598 const struct nlattr * uninitialized_var(name);
1599 u8 genmask = nft_genmask_next(net);
1600 int family = nfmsg->nfgen_family;
1601 struct nft_table *table;
1602 struct nft_chain *chain;
1603 u8 policy = NF_ACCEPT;
1608 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1610 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1613 return PTR_ERR(table);
1616 name = nla[NFTA_CHAIN_NAME];
1618 if (nla[NFTA_CHAIN_HANDLE]) {
1619 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1620 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1622 return PTR_ERR(chain);
1624 chain = nf_tables_chain_lookup(table, name, genmask);
1625 if (IS_ERR(chain)) {
1626 if (PTR_ERR(chain) != -ENOENT)
1627 return PTR_ERR(chain);
1632 if (nla[NFTA_CHAIN_POLICY]) {
1633 if (chain != NULL &&
1634 !nft_is_base_chain(chain))
1637 if (chain == NULL &&
1638 nla[NFTA_CHAIN_HOOK] == NULL)
1641 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1651 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1653 if (chain != NULL) {
1654 if (nlh->nlmsg_flags & NLM_F_EXCL)
1656 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1659 return nf_tables_updchain(&ctx, genmask, policy, create);
1662 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1665 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1666 struct sk_buff *skb, const struct nlmsghdr *nlh,
1667 const struct nlattr * const nla[],
1668 struct netlink_ext_ack *extack)
1670 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1671 u8 genmask = nft_genmask_next(net);
1672 struct nft_table *table;
1673 struct nft_chain *chain;
1674 struct nft_rule *rule;
1675 int family = nfmsg->nfgen_family;
1681 table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family,
1684 return PTR_ERR(table);
1686 if (nla[NFTA_CHAIN_HANDLE]) {
1687 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1688 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1690 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1693 return PTR_ERR(chain);
1695 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1699 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1702 list_for_each_entry(rule, &chain->rules, list) {
1703 if (!nft_is_active_next(net, rule))
1707 err = nft_delrule(&ctx, rule);
1712 /* There are rules and elements that are still holding references to us,
1713 * we cannot do a recursive removal in this case.
1718 return nft_delchain(&ctx);
1726 * nft_register_expr - register nf_tables expr type
1729 * Registers the expr type for use with nf_tables. Returns zero on
1730 * success or a negative errno code otherwise.
1732 int nft_register_expr(struct nft_expr_type *type)
1734 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1735 if (type->family == NFPROTO_UNSPEC)
1736 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1738 list_add_rcu(&type->list, &nf_tables_expressions);
1739 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1742 EXPORT_SYMBOL_GPL(nft_register_expr);
1745 * nft_unregister_expr - unregister nf_tables expr type
1748 * Unregisters the expr typefor use with nf_tables.
1750 void nft_unregister_expr(struct nft_expr_type *type)
1752 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1753 list_del_rcu(&type->list);
1754 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1756 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1758 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1761 const struct nft_expr_type *type;
1763 list_for_each_entry(type, &nf_tables_expressions, list) {
1764 if (!nla_strcmp(nla, type->name) &&
1765 (!type->family || type->family == family))
1771 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1774 const struct nft_expr_type *type;
1777 return ERR_PTR(-EINVAL);
1779 type = __nft_expr_type_get(family, nla);
1780 if (type != NULL && try_module_get(type->owner))
1783 #ifdef CONFIG_MODULES
1785 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1786 request_module("nft-expr-%u-%.*s", family,
1787 nla_len(nla), (char *)nla_data(nla));
1788 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1789 if (__nft_expr_type_get(family, nla))
1790 return ERR_PTR(-EAGAIN);
1792 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1793 request_module("nft-expr-%.*s",
1794 nla_len(nla), (char *)nla_data(nla));
1795 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1796 if (__nft_expr_type_get(family, nla))
1797 return ERR_PTR(-EAGAIN);
1800 return ERR_PTR(-ENOENT);
1803 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1804 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1805 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1808 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1809 const struct nft_expr *expr)
1811 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1812 goto nla_put_failure;
1814 if (expr->ops->dump) {
1815 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1817 goto nla_put_failure;
1818 if (expr->ops->dump(skb, expr) < 0)
1819 goto nla_put_failure;
1820 nla_nest_end(skb, data);
1829 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1830 const struct nft_expr *expr)
1832 struct nlattr *nest;
1834 nest = nla_nest_start(skb, attr);
1836 goto nla_put_failure;
1837 if (nf_tables_fill_expr_info(skb, expr) < 0)
1838 goto nla_put_failure;
1839 nla_nest_end(skb, nest);
1846 struct nft_expr_info {
1847 const struct nft_expr_ops *ops;
1848 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1851 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1852 const struct nlattr *nla,
1853 struct nft_expr_info *info)
1855 const struct nft_expr_type *type;
1856 const struct nft_expr_ops *ops;
1857 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1860 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1864 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1866 return PTR_ERR(type);
1868 if (tb[NFTA_EXPR_DATA]) {
1869 err = nla_parse_nested(info->tb, type->maxattr,
1870 tb[NFTA_EXPR_DATA], type->policy, NULL);
1874 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1876 if (type->select_ops != NULL) {
1877 ops = type->select_ops(ctx,
1878 (const struct nlattr * const *)info->tb);
1890 module_put(type->owner);
1894 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1895 const struct nft_expr_info *info,
1896 struct nft_expr *expr)
1898 const struct nft_expr_ops *ops = info->ops;
1903 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1908 if (ops->validate) {
1909 const struct nft_data *data = NULL;
1911 err = ops->validate(ctx, expr, &data);
1920 ops->destroy(ctx, expr);
1926 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1927 struct nft_expr *expr)
1929 if (expr->ops->destroy)
1930 expr->ops->destroy(ctx, expr);
1931 module_put(expr->ops->type->owner);
1934 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1935 const struct nlattr *nla)
1937 struct nft_expr_info info;
1938 struct nft_expr *expr;
1941 err = nf_tables_expr_parse(ctx, nla, &info);
1946 expr = kzalloc(info.ops->size, GFP_KERNEL);
1950 err = nf_tables_newexpr(ctx, &info, expr);
1958 module_put(info.ops->type->owner);
1960 return ERR_PTR(err);
1963 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1965 nf_tables_expr_destroy(ctx, expr);
1973 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1976 struct nft_rule *rule;
1978 // FIXME: this sucks
1979 list_for_each_entry(rule, &chain->rules, list) {
1980 if (handle == rule->handle)
1984 return ERR_PTR(-ENOENT);
1987 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1988 const struct nlattr *nla)
1991 return ERR_PTR(-EINVAL);
1993 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1996 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1997 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1998 .len = NFT_TABLE_MAXNAMELEN - 1 },
1999 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2000 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2001 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2002 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2003 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2004 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2005 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2006 .len = NFT_USERDATA_MAXLEN },
2007 [NFTA_RULE_ID] = { .type = NLA_U32 },
2010 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2011 u32 portid, u32 seq, int event,
2012 u32 flags, int family,
2013 const struct nft_table *table,
2014 const struct nft_chain *chain,
2015 const struct nft_rule *rule)
2017 struct nlmsghdr *nlh;
2018 struct nfgenmsg *nfmsg;
2019 const struct nft_expr *expr, *next;
2020 struct nlattr *list;
2021 const struct nft_rule *prule;
2022 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2024 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2026 goto nla_put_failure;
2028 nfmsg = nlmsg_data(nlh);
2029 nfmsg->nfgen_family = family;
2030 nfmsg->version = NFNETLINK_V0;
2031 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2033 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2034 goto nla_put_failure;
2035 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2036 goto nla_put_failure;
2037 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2039 goto nla_put_failure;
2041 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2042 prule = list_prev_entry(rule, list);
2043 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2044 cpu_to_be64(prule->handle),
2046 goto nla_put_failure;
2049 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2051 goto nla_put_failure;
2052 nft_rule_for_each_expr(expr, next, rule) {
2053 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2054 goto nla_put_failure;
2056 nla_nest_end(skb, list);
2059 struct nft_userdata *udata = nft_userdata(rule);
2060 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2062 goto nla_put_failure;
2065 nlmsg_end(skb, nlh);
2069 nlmsg_trim(skb, nlh);
2073 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2074 const struct nft_rule *rule, int event)
2076 struct sk_buff *skb;
2080 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2083 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2087 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2088 event, 0, ctx->family, ctx->table,
2095 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2096 ctx->report, GFP_KERNEL);
2099 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2102 struct nft_rule_dump_ctx {
2107 static int nf_tables_dump_rules(struct sk_buff *skb,
2108 struct netlink_callback *cb)
2110 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2111 const struct nft_rule_dump_ctx *ctx = cb->data;
2112 const struct nft_table *table;
2113 const struct nft_chain *chain;
2114 const struct nft_rule *rule;
2115 unsigned int idx = 0, s_idx = cb->args[0];
2116 struct net *net = sock_net(skb->sk);
2117 int family = nfmsg->nfgen_family;
2120 cb->seq = net->nft.base_seq;
2122 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2123 if (family != NFPROTO_UNSPEC && family != table->family)
2126 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2129 list_for_each_entry_rcu(chain, &table->chains, list) {
2130 if (ctx && ctx->chain &&
2131 strcmp(ctx->chain, chain->name) != 0)
2134 list_for_each_entry_rcu(rule, &chain->rules, list) {
2135 if (!nft_is_active(net, rule))
2140 memset(&cb->args[1], 0,
2141 sizeof(cb->args) - sizeof(cb->args[0]));
2142 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2145 NLM_F_MULTI | NLM_F_APPEND,
2147 table, chain, rule) < 0)
2150 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2163 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2165 struct nft_rule_dump_ctx *ctx = cb->data;
2175 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2176 struct sk_buff *skb, const struct nlmsghdr *nlh,
2177 const struct nlattr * const nla[],
2178 struct netlink_ext_ack *extack)
2180 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2181 u8 genmask = nft_genmask_cur(net);
2182 const struct nft_table *table;
2183 const struct nft_chain *chain;
2184 const struct nft_rule *rule;
2185 struct sk_buff *skb2;
2186 int family = nfmsg->nfgen_family;
2189 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2190 struct netlink_dump_control c = {
2191 .dump = nf_tables_dump_rules,
2192 .done = nf_tables_dump_rules_done,
2195 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2196 struct nft_rule_dump_ctx *ctx;
2198 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2202 if (nla[NFTA_RULE_TABLE]) {
2203 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2210 if (nla[NFTA_RULE_CHAIN]) {
2211 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2222 return netlink_dump_start(nlsk, skb, nlh, &c);
2225 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2228 return PTR_ERR(table);
2230 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2232 return PTR_ERR(chain);
2234 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2236 return PTR_ERR(rule);
2238 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2242 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2243 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2244 family, table, chain, rule);
2248 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2255 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2256 struct nft_rule *rule)
2258 struct nft_expr *expr;
2261 * Careful: some expressions might not be initialized in case this
2262 * is called on error from nf_tables_newrule().
2264 expr = nft_expr_first(rule);
2265 while (expr != nft_expr_last(rule) && expr->ops) {
2266 nf_tables_expr_destroy(ctx, expr);
2267 expr = nft_expr_next(expr);
2272 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2273 struct nft_rule *rule)
2275 nft_rule_expr_deactivate(ctx, rule);
2276 nf_tables_rule_destroy(ctx, rule);
2279 #define NFT_RULE_MAXEXPRS 128
2281 static struct nft_expr_info *info;
2283 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2284 struct sk_buff *skb, const struct nlmsghdr *nlh,
2285 const struct nlattr * const nla[],
2286 struct netlink_ext_ack *extack)
2288 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2289 u8 genmask = nft_genmask_next(net);
2290 int family = nfmsg->nfgen_family;
2291 struct nft_table *table;
2292 struct nft_chain *chain;
2293 struct nft_rule *rule, *old_rule = NULL;
2294 struct nft_userdata *udata;
2295 struct nft_trans *trans = NULL;
2296 struct nft_expr *expr;
2299 unsigned int size, i, n, ulen = 0, usize = 0;
2302 u64 handle, pos_handle;
2304 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2306 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2309 return PTR_ERR(table);
2311 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2313 return PTR_ERR(chain);
2315 if (nla[NFTA_RULE_HANDLE]) {
2316 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2317 rule = __nf_tables_rule_lookup(chain, handle);
2319 return PTR_ERR(rule);
2321 if (nlh->nlmsg_flags & NLM_F_EXCL)
2323 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2328 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2330 handle = nf_tables_alloc_handle(table);
2332 if (chain->use == UINT_MAX)
2336 if (nla[NFTA_RULE_POSITION]) {
2337 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2340 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2341 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2342 if (IS_ERR(old_rule))
2343 return PTR_ERR(old_rule);
2346 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2350 if (nla[NFTA_RULE_EXPRESSIONS]) {
2351 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2353 if (nla_type(tmp) != NFTA_LIST_ELEM)
2355 if (n == NFT_RULE_MAXEXPRS)
2357 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2360 size += info[n].ops->size;
2364 /* Check for overflow of dlen field */
2366 if (size >= 1 << 12)
2369 if (nla[NFTA_RULE_USERDATA]) {
2370 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2372 usize = sizeof(struct nft_userdata) + ulen;
2376 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2380 nft_activate_next(net, rule);
2382 rule->handle = handle;
2384 rule->udata = ulen ? 1 : 0;
2387 udata = nft_userdata(rule);
2388 udata->len = ulen - 1;
2389 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2392 expr = nft_expr_first(rule);
2393 for (i = 0; i < n; i++) {
2394 err = nf_tables_newexpr(&ctx, &info[i], expr);
2398 expr = nft_expr_next(expr);
2401 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2402 if (!nft_is_active_next(net, old_rule)) {
2406 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2408 if (trans == NULL) {
2412 nft_deactivate_next(net, old_rule);
2415 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2420 list_add_tail_rcu(&rule->list, &old_rule->list);
2422 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2427 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2429 list_add_rcu(&rule->list, &old_rule->list);
2431 list_add_tail_rcu(&rule->list, &chain->rules);
2434 list_add_tail_rcu(&rule->list, &old_rule->list);
2436 list_add_rcu(&rule->list, &chain->rules);
2443 nf_tables_rule_release(&ctx, rule);
2445 for (i = 0; i < n; i++) {
2446 if (info[i].ops != NULL)
2447 module_put(info[i].ops->type->owner);
2452 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2453 const struct nlattr *nla)
2455 u32 id = ntohl(nla_get_be32(nla));
2456 struct nft_trans *trans;
2458 list_for_each_entry(trans, &net->nft.commit_list, list) {
2459 struct nft_rule *rule = nft_trans_rule(trans);
2461 if (trans->msg_type == NFT_MSG_NEWRULE &&
2462 id == nft_trans_rule_id(trans))
2465 return ERR_PTR(-ENOENT);
2468 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2469 struct sk_buff *skb, const struct nlmsghdr *nlh,
2470 const struct nlattr * const nla[],
2471 struct netlink_ext_ack *extack)
2473 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2474 u8 genmask = nft_genmask_next(net);
2475 struct nft_table *table;
2476 struct nft_chain *chain = NULL;
2477 struct nft_rule *rule;
2478 int family = nfmsg->nfgen_family, err = 0;
2481 table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family,
2484 return PTR_ERR(table);
2486 if (nla[NFTA_RULE_CHAIN]) {
2487 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2490 return PTR_ERR(chain);
2493 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2496 if (nla[NFTA_RULE_HANDLE]) {
2497 rule = nf_tables_rule_lookup(chain,
2498 nla[NFTA_RULE_HANDLE]);
2500 return PTR_ERR(rule);
2502 err = nft_delrule(&ctx, rule);
2503 } else if (nla[NFTA_RULE_ID]) {
2504 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2506 return PTR_ERR(rule);
2508 err = nft_delrule(&ctx, rule);
2510 err = nft_delrule_by_chain(&ctx);
2513 list_for_each_entry(chain, &table->chains, list) {
2514 if (!nft_is_active_next(net, chain))
2518 err = nft_delrule_by_chain(&ctx);
2531 static LIST_HEAD(nf_tables_set_types);
2533 int nft_register_set(struct nft_set_type *type)
2535 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2536 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2537 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2540 EXPORT_SYMBOL_GPL(nft_register_set);
2542 void nft_unregister_set(struct nft_set_type *type)
2544 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2545 list_del_rcu(&type->list);
2546 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2548 EXPORT_SYMBOL_GPL(nft_unregister_set);
2550 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2551 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2553 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2555 if ((flags & NFT_SET_EVAL) && !ops->update)
2558 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2562 * Select a set implementation based on the data characteristics and the
2563 * given policy. The total memory use might not be known if no size is
2564 * given, in that case the amount of memory per element is used.
2566 static const struct nft_set_ops *
2567 nft_select_set_ops(const struct nft_ctx *ctx,
2568 const struct nlattr * const nla[],
2569 const struct nft_set_desc *desc,
2570 enum nft_set_policies policy)
2572 const struct nft_set_ops *ops, *bops;
2573 struct nft_set_estimate est, best;
2574 const struct nft_set_type *type;
2577 #ifdef CONFIG_MODULES
2578 if (list_empty(&nf_tables_set_types)) {
2579 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2580 request_module("nft-set");
2581 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2582 if (!list_empty(&nf_tables_set_types))
2583 return ERR_PTR(-EAGAIN);
2586 if (nla[NFTA_SET_FLAGS] != NULL)
2587 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2594 list_for_each_entry(type, &nf_tables_set_types, list) {
2595 if (!type->select_ops)
2598 ops = type->select_ops(ctx, desc, flags);
2602 if (!nft_set_ops_candidate(ops, flags))
2604 if (!ops->estimate(desc, flags, &est))
2608 case NFT_SET_POL_PERFORMANCE:
2609 if (est.lookup < best.lookup)
2611 if (est.lookup == best.lookup &&
2612 est.space < best.space)
2615 case NFT_SET_POL_MEMORY:
2617 if (est.space < best.space)
2619 if (est.space == best.space &&
2620 est.lookup < best.lookup)
2622 } else if (est.size < best.size || !bops) {
2630 if (!try_module_get(type->owner))
2633 module_put(bops->type->owner);
2642 return ERR_PTR(-EOPNOTSUPP);
2645 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2646 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2647 .len = NFT_TABLE_MAXNAMELEN - 1 },
2648 [NFTA_SET_NAME] = { .type = NLA_STRING,
2649 .len = NFT_SET_MAXNAMELEN - 1 },
2650 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2651 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2652 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2653 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2654 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2655 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2656 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2657 [NFTA_SET_ID] = { .type = NLA_U32 },
2658 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2659 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2660 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2661 .len = NFT_USERDATA_MAXLEN },
2662 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2663 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2666 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2667 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2670 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2671 const struct sk_buff *skb,
2672 const struct nlmsghdr *nlh,
2673 const struct nlattr * const nla[],
2676 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2677 int family = nfmsg->nfgen_family;
2678 struct nft_table *table = NULL;
2680 if (nla[NFTA_SET_TABLE] != NULL) {
2681 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
2684 return PTR_ERR(table);
2687 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2691 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2692 const struct nlattr *nla, u8 genmask)
2694 struct nft_set *set;
2697 return ERR_PTR(-EINVAL);
2699 list_for_each_entry(set, &table->sets, list) {
2700 if (!nla_strcmp(nla, set->name) &&
2701 nft_active_genmask(set, genmask))
2704 return ERR_PTR(-ENOENT);
2707 static struct nft_set *nf_tables_set_lookup_byhandle(const struct nft_table *table,
2708 const struct nlattr *nla, u8 genmask)
2710 struct nft_set *set;
2713 return ERR_PTR(-EINVAL);
2715 list_for_each_entry(set, &table->sets, list) {
2716 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2717 nft_active_genmask(set, genmask))
2720 return ERR_PTR(-ENOENT);
2723 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2724 const struct nlattr *nla,
2727 struct nft_trans *trans;
2728 u32 id = ntohl(nla_get_be32(nla));
2730 list_for_each_entry(trans, &net->nft.commit_list, list) {
2731 struct nft_set *set = nft_trans_set(trans);
2733 if (trans->msg_type == NFT_MSG_NEWSET &&
2734 id == nft_trans_set_id(trans) &&
2735 nft_active_genmask(set, genmask))
2738 return ERR_PTR(-ENOENT);
2741 struct nft_set *nft_set_lookup_global(const struct net *net,
2742 const struct nft_table *table,
2743 const struct nlattr *nla_set_name,
2744 const struct nlattr *nla_set_id,
2747 struct nft_set *set;
2749 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2754 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2758 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2760 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2763 const struct nft_set *i;
2765 unsigned long *inuse;
2766 unsigned int n = 0, min = 0;
2768 p = strchr(name, '%');
2770 if (p[1] != 'd' || strchr(p + 2, '%'))
2773 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2777 list_for_each_entry(i, &ctx->table->sets, list) {
2780 if (!nft_is_active_next(ctx->net, set))
2782 if (!sscanf(i->name, name, &tmp))
2784 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2787 set_bit(tmp - min, inuse);
2790 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2791 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2792 min += BITS_PER_BYTE * PAGE_SIZE;
2793 memset(inuse, 0, PAGE_SIZE);
2796 free_page((unsigned long)inuse);
2799 set->name = kasprintf(GFP_KERNEL, name, min + n);
2803 list_for_each_entry(i, &ctx->table->sets, list) {
2804 if (!nft_is_active_next(ctx->net, i))
2806 if (!strcmp(set->name, i->name)) {
2814 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2815 const struct nft_set *set, u16 event, u16 flags)
2817 struct nfgenmsg *nfmsg;
2818 struct nlmsghdr *nlh;
2819 struct nlattr *desc;
2820 u32 portid = ctx->portid;
2823 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2824 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2827 goto nla_put_failure;
2829 nfmsg = nlmsg_data(nlh);
2830 nfmsg->nfgen_family = ctx->family;
2831 nfmsg->version = NFNETLINK_V0;
2832 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2834 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2835 goto nla_put_failure;
2836 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2837 goto nla_put_failure;
2838 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
2840 goto nla_put_failure;
2841 if (set->flags != 0)
2842 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2843 goto nla_put_failure;
2845 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2846 goto nla_put_failure;
2847 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2848 goto nla_put_failure;
2849 if (set->flags & NFT_SET_MAP) {
2850 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2851 goto nla_put_failure;
2852 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2853 goto nla_put_failure;
2855 if (set->flags & NFT_SET_OBJECT &&
2856 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2857 goto nla_put_failure;
2860 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2861 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2863 goto nla_put_failure;
2865 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2866 goto nla_put_failure;
2868 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2869 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2870 goto nla_put_failure;
2873 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2874 goto nla_put_failure;
2876 desc = nla_nest_start(skb, NFTA_SET_DESC);
2878 goto nla_put_failure;
2880 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2881 goto nla_put_failure;
2882 nla_nest_end(skb, desc);
2884 nlmsg_end(skb, nlh);
2888 nlmsg_trim(skb, nlh);
2892 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2893 const struct nft_set *set, int event,
2896 struct sk_buff *skb;
2897 u32 portid = ctx->portid;
2901 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2904 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2908 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2914 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2918 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2921 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2923 const struct nft_set *set;
2924 unsigned int idx, s_idx = cb->args[0];
2925 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2926 struct net *net = sock_net(skb->sk);
2927 struct nft_ctx *ctx = cb->data, ctx_set;
2933 cb->seq = net->nft.base_seq;
2935 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2936 if (ctx->family != NFPROTO_UNSPEC &&
2937 ctx->family != table->family)
2940 if (ctx->table && ctx->table != table)
2944 if (cur_table != table)
2950 list_for_each_entry_rcu(set, &table->sets, list) {
2953 if (!nft_is_active(net, set))
2957 ctx_set.table = table;
2958 ctx_set.family = table->family;
2960 if (nf_tables_fill_set(skb, &ctx_set, set,
2964 cb->args[2] = (unsigned long) table;
2967 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2980 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2986 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2987 struct sk_buff *skb, const struct nlmsghdr *nlh,
2988 const struct nlattr * const nla[],
2989 struct netlink_ext_ack *extack)
2991 u8 genmask = nft_genmask_cur(net);
2992 const struct nft_set *set;
2994 struct sk_buff *skb2;
2995 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2998 /* Verify existence before starting dump */
2999 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3003 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3004 struct netlink_dump_control c = {
3005 .dump = nf_tables_dump_sets,
3006 .done = nf_tables_dump_sets_done,
3008 struct nft_ctx *ctx_dump;
3010 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3011 if (ctx_dump == NULL)
3017 return netlink_dump_start(nlsk, skb, nlh, &c);
3020 /* Only accept unspec with dump */
3021 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3022 return -EAFNOSUPPORT;
3023 if (!nla[NFTA_SET_TABLE])
3026 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3028 return PTR_ERR(set);
3030 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3034 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3038 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3045 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3046 struct nft_set_desc *desc,
3047 const struct nlattr *nla)
3049 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3052 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3053 nft_set_desc_policy, NULL);
3057 if (da[NFTA_SET_DESC_SIZE] != NULL)
3058 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3063 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3064 struct sk_buff *skb, const struct nlmsghdr *nlh,
3065 const struct nlattr * const nla[],
3066 struct netlink_ext_ack *extack)
3068 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3069 u8 genmask = nft_genmask_next(net);
3070 int family = nfmsg->nfgen_family;
3071 const struct nft_set_ops *ops;
3072 struct nft_table *table;
3073 struct nft_set *set;
3079 u32 ktype, dtype, flags, policy, gc_int, objtype;
3080 struct nft_set_desc desc;
3081 unsigned char *udata;
3085 if (nla[NFTA_SET_TABLE] == NULL ||
3086 nla[NFTA_SET_NAME] == NULL ||
3087 nla[NFTA_SET_KEY_LEN] == NULL ||
3088 nla[NFTA_SET_ID] == NULL)
3091 memset(&desc, 0, sizeof(desc));
3093 ktype = NFT_DATA_VALUE;
3094 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3095 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3096 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3100 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3101 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3105 if (nla[NFTA_SET_FLAGS] != NULL) {
3106 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3107 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3108 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3109 NFT_SET_MAP | NFT_SET_EVAL |
3112 /* Only one of these operations is supported */
3113 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3114 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3119 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3120 if (!(flags & NFT_SET_MAP))
3123 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3124 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3125 dtype != NFT_DATA_VERDICT)
3128 if (dtype != NFT_DATA_VERDICT) {
3129 if (nla[NFTA_SET_DATA_LEN] == NULL)
3131 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3132 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3135 desc.dlen = sizeof(struct nft_verdict);
3136 } else if (flags & NFT_SET_MAP)
3139 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3140 if (!(flags & NFT_SET_OBJECT))
3143 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3144 if (objtype == NFT_OBJECT_UNSPEC ||
3145 objtype > NFT_OBJECT_MAX)
3147 } else if (flags & NFT_SET_OBJECT)
3150 objtype = NFT_OBJECT_UNSPEC;
3153 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3154 if (!(flags & NFT_SET_TIMEOUT))
3156 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3157 nla[NFTA_SET_TIMEOUT])));
3160 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3161 if (!(flags & NFT_SET_TIMEOUT))
3163 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3166 policy = NFT_SET_POL_PERFORMANCE;
3167 if (nla[NFTA_SET_POLICY] != NULL)
3168 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3170 if (nla[NFTA_SET_DESC] != NULL) {
3171 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3176 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3178 table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], family,
3181 return PTR_ERR(table);
3183 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3185 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3187 if (PTR_ERR(set) != -ENOENT)
3188 return PTR_ERR(set);
3190 if (nlh->nlmsg_flags & NLM_F_EXCL)
3192 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3197 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3200 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3202 return PTR_ERR(ops);
3205 if (nla[NFTA_SET_USERDATA])
3206 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3209 if (ops->privsize != NULL)
3210 size = ops->privsize(nla, &desc);
3212 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3218 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3224 err = nf_tables_set_alloc_name(&ctx, set, name);
3231 udata = set->data + size;
3232 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3235 INIT_LIST_HEAD(&set->bindings);
3238 set->klen = desc.klen;
3240 set->objtype = objtype;
3241 set->dlen = desc.dlen;
3243 set->size = desc.size;
3244 set->policy = policy;
3247 set->timeout = timeout;
3248 set->gc_int = gc_int;
3249 set->handle = nf_tables_alloc_handle(table);
3251 err = ops->init(set, &desc, nla);
3255 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3259 list_add_tail_rcu(&set->list, &table->sets);
3270 module_put(ops->type->owner);
3274 static void nft_set_destroy(struct nft_set *set)
3276 set->ops->destroy(set);
3277 module_put(set->ops->type->owner);
3282 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3284 list_del_rcu(&set->list);
3285 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3286 nft_set_destroy(set);
3289 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3290 struct sk_buff *skb, const struct nlmsghdr *nlh,
3291 const struct nlattr * const nla[],
3292 struct netlink_ext_ack *extack)
3294 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3295 u8 genmask = nft_genmask_next(net);
3296 struct nft_set *set;
3300 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3301 return -EAFNOSUPPORT;
3302 if (nla[NFTA_SET_TABLE] == NULL)
3305 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3309 if (nla[NFTA_SET_HANDLE])
3310 set = nf_tables_set_lookup_byhandle(ctx.table, nla[NFTA_SET_HANDLE], genmask);
3312 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3314 return PTR_ERR(set);
3316 if (!list_empty(&set->bindings) ||
3317 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3320 return nft_delset(&ctx, set);
3323 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3324 struct nft_set *set,
3325 const struct nft_set_iter *iter,
3326 struct nft_set_elem *elem)
3328 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3329 enum nft_registers dreg;
3331 dreg = nft_type_to_reg(set->dtype);
3332 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3333 set->dtype == NFT_DATA_VERDICT ?
3334 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3338 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3339 struct nft_set_binding *binding)
3341 struct nft_set_binding *i;
3342 struct nft_set_iter iter;
3344 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3347 if (binding->flags & NFT_SET_MAP) {
3348 /* If the set is already bound to the same chain all
3349 * jumps are already validated for that chain.
3351 list_for_each_entry(i, &set->bindings, list) {
3352 if (i->flags & NFT_SET_MAP &&
3353 i->chain == binding->chain)
3357 iter.genmask = nft_genmask_next(ctx->net);
3361 iter.fn = nf_tables_bind_check_setelem;
3363 set->ops->walk(ctx, set, &iter);
3368 binding->chain = ctx->chain;
3369 list_add_tail_rcu(&binding->list, &set->bindings);
3372 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3374 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3375 struct nft_set_binding *binding)
3377 list_del_rcu(&binding->list);
3379 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3380 nft_is_active(ctx->net, set))
3381 nf_tables_set_destroy(ctx, set);
3383 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3385 const struct nft_set_ext_type nft_set_ext_types[] = {
3386 [NFT_SET_EXT_KEY] = {
3387 .align = __alignof__(u32),
3389 [NFT_SET_EXT_DATA] = {
3390 .align = __alignof__(u32),
3392 [NFT_SET_EXT_EXPR] = {
3393 .align = __alignof__(struct nft_expr),
3395 [NFT_SET_EXT_OBJREF] = {
3396 .len = sizeof(struct nft_object *),
3397 .align = __alignof__(struct nft_object *),
3399 [NFT_SET_EXT_FLAGS] = {
3401 .align = __alignof__(u8),
3403 [NFT_SET_EXT_TIMEOUT] = {
3405 .align = __alignof__(u64),
3407 [NFT_SET_EXT_EXPIRATION] = {
3408 .len = sizeof(unsigned long),
3409 .align = __alignof__(unsigned long),
3411 [NFT_SET_EXT_USERDATA] = {
3412 .len = sizeof(struct nft_userdata),
3413 .align = __alignof__(struct nft_userdata),
3416 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3422 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3423 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3424 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3425 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3426 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3427 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3428 .len = NFT_USERDATA_MAXLEN },
3429 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3430 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3433 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3434 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3435 .len = NFT_TABLE_MAXNAMELEN - 1 },
3436 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3437 .len = NFT_SET_MAXNAMELEN - 1 },
3438 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3439 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3442 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3443 const struct sk_buff *skb,
3444 const struct nlmsghdr *nlh,
3445 const struct nlattr * const nla[],
3448 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3449 int family = nfmsg->nfgen_family;
3450 struct nft_table *table;
3452 table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
3455 return PTR_ERR(table);
3457 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3461 static int nf_tables_fill_setelem(struct sk_buff *skb,
3462 const struct nft_set *set,
3463 const struct nft_set_elem *elem)
3465 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3466 unsigned char *b = skb_tail_pointer(skb);
3467 struct nlattr *nest;
3469 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3471 goto nla_put_failure;
3473 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3474 NFT_DATA_VALUE, set->klen) < 0)
3475 goto nla_put_failure;
3477 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3478 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3479 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3481 goto nla_put_failure;
3483 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3484 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3485 goto nla_put_failure;
3487 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3488 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3489 (*nft_set_ext_obj(ext))->name) < 0)
3490 goto nla_put_failure;
3492 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3493 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3494 htonl(*nft_set_ext_flags(ext))))
3495 goto nla_put_failure;
3497 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3498 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3499 cpu_to_be64(jiffies_to_msecs(
3500 *nft_set_ext_timeout(ext))),
3502 goto nla_put_failure;
3504 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3505 unsigned long expires, now = jiffies;
3507 expires = *nft_set_ext_expiration(ext);
3508 if (time_before(now, expires))
3513 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3514 cpu_to_be64(jiffies_to_msecs(expires)),
3516 goto nla_put_failure;
3519 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3520 struct nft_userdata *udata;
3522 udata = nft_set_ext_userdata(ext);
3523 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3524 udata->len + 1, udata->data))
3525 goto nla_put_failure;
3528 nla_nest_end(skb, nest);
3536 struct nft_set_dump_args {
3537 const struct netlink_callback *cb;
3538 struct nft_set_iter iter;
3539 struct sk_buff *skb;
3542 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3543 struct nft_set *set,
3544 const struct nft_set_iter *iter,
3545 struct nft_set_elem *elem)
3547 struct nft_set_dump_args *args;
3549 args = container_of(iter, struct nft_set_dump_args, iter);
3550 return nf_tables_fill_setelem(args->skb, set, elem);
3553 struct nft_set_dump_ctx {
3554 const struct nft_set *set;
3558 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3560 struct nft_set_dump_ctx *dump_ctx = cb->data;
3561 struct net *net = sock_net(skb->sk);
3562 struct nft_table *table;
3563 struct nft_set *set;
3564 struct nft_set_dump_args args;
3565 bool set_found = false;
3566 struct nfgenmsg *nfmsg;
3567 struct nlmsghdr *nlh;
3568 struct nlattr *nest;
3573 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3574 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3575 dump_ctx->ctx.family != table->family)
3578 if (table != dump_ctx->ctx.table)
3581 list_for_each_entry_rcu(set, &table->sets, list) {
3582 if (set == dump_ctx->set) {
3595 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3596 portid = NETLINK_CB(cb->skb).portid;
3597 seq = cb->nlh->nlmsg_seq;
3599 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3602 goto nla_put_failure;
3604 nfmsg = nlmsg_data(nlh);
3605 nfmsg->nfgen_family = table->family;
3606 nfmsg->version = NFNETLINK_V0;
3607 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3609 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3610 goto nla_put_failure;
3611 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3612 goto nla_put_failure;
3614 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3616 goto nla_put_failure;
3620 args.iter.genmask = nft_genmask_cur(net);
3621 args.iter.skip = cb->args[0];
3622 args.iter.count = 0;
3624 args.iter.fn = nf_tables_dump_setelem;
3625 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3628 nla_nest_end(skb, nest);
3629 nlmsg_end(skb, nlh);
3631 if (args.iter.err && args.iter.err != -EMSGSIZE)
3632 return args.iter.err;
3633 if (args.iter.count == cb->args[0])
3636 cb->args[0] = args.iter.count;
3644 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3650 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3651 const struct nft_ctx *ctx, u32 seq,
3652 u32 portid, int event, u16 flags,
3653 const struct nft_set *set,
3654 const struct nft_set_elem *elem)
3656 struct nfgenmsg *nfmsg;
3657 struct nlmsghdr *nlh;
3658 struct nlattr *nest;
3661 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3662 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3665 goto nla_put_failure;
3667 nfmsg = nlmsg_data(nlh);
3668 nfmsg->nfgen_family = ctx->family;
3669 nfmsg->version = NFNETLINK_V0;
3670 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3672 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3673 goto nla_put_failure;
3674 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3675 goto nla_put_failure;
3677 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3679 goto nla_put_failure;
3681 err = nf_tables_fill_setelem(skb, set, elem);
3683 goto nla_put_failure;
3685 nla_nest_end(skb, nest);
3687 nlmsg_end(skb, nlh);
3691 nlmsg_trim(skb, nlh);
3695 static int nft_setelem_parse_flags(const struct nft_set *set,
3696 const struct nlattr *attr, u32 *flags)
3701 *flags = ntohl(nla_get_be32(attr));
3702 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3704 if (!(set->flags & NFT_SET_INTERVAL) &&
3705 *flags & NFT_SET_ELEM_INTERVAL_END)
3711 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3712 const struct nlattr *attr)
3714 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3715 const struct nft_set_ext *ext;
3716 struct nft_data_desc desc;
3717 struct nft_set_elem elem;
3718 struct sk_buff *skb;
3723 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3724 nft_set_elem_policy, NULL);
3728 if (!nla[NFTA_SET_ELEM_KEY])
3731 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3735 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3736 nla[NFTA_SET_ELEM_KEY]);
3741 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3744 priv = set->ops->get(ctx->net, set, &elem, flags);
3746 return PTR_ERR(priv);
3749 ext = nft_set_elem_ext(set, &elem);
3752 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3756 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3757 NFT_MSG_NEWSETELEM, 0, set, &elem);
3761 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3762 /* This avoids a loop in nfnetlink. */
3770 /* this avoids a loop in nfnetlink. */
3771 return err == -EAGAIN ? -ENOBUFS : err;
3774 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3775 struct sk_buff *skb, const struct nlmsghdr *nlh,
3776 const struct nlattr * const nla[],
3777 struct netlink_ext_ack *extack)
3779 u8 genmask = nft_genmask_cur(net);
3780 struct nft_set *set;
3781 struct nlattr *attr;
3785 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3789 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3792 return PTR_ERR(set);
3794 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3795 struct netlink_dump_control c = {
3796 .dump = nf_tables_dump_set,
3797 .done = nf_tables_dump_set_done,
3799 struct nft_set_dump_ctx *dump_ctx;
3801 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3805 dump_ctx->set = set;
3806 dump_ctx->ctx = ctx;
3809 return netlink_dump_start(nlsk, skb, nlh, &c);
3812 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3815 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3816 err = nft_get_set_elem(&ctx, set, attr);
3824 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3825 const struct nft_set *set,
3826 const struct nft_set_elem *elem,
3827 int event, u16 flags)
3829 struct net *net = ctx->net;
3830 u32 portid = ctx->portid;
3831 struct sk_buff *skb;
3834 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3837 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3841 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3848 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3852 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3855 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3857 struct nft_set *set)
3859 struct nft_trans *trans;
3861 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3865 nft_trans_elem_set(trans) = set;
3869 void *nft_set_elem_init(const struct nft_set *set,
3870 const struct nft_set_ext_tmpl *tmpl,
3871 const u32 *key, const u32 *data,
3872 u64 timeout, gfp_t gfp)
3874 struct nft_set_ext *ext;
3877 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3881 ext = nft_set_elem_ext(set, elem);
3882 nft_set_ext_init(ext, tmpl);
3884 memcpy(nft_set_ext_key(ext), key, set->klen);
3885 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3886 memcpy(nft_set_ext_data(ext), data, set->dlen);
3887 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3888 *nft_set_ext_expiration(ext) =
3890 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3891 *nft_set_ext_timeout(ext) = timeout;
3896 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3899 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3901 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3902 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3903 nft_data_release(nft_set_ext_data(ext), set->dtype);
3904 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3905 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3906 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3907 (*nft_set_ext_obj(ext))->use--;
3910 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3912 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3913 * the refcounting from the preparation phase.
3915 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3917 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3919 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3920 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3924 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3925 const struct nlattr *attr, u32 nlmsg_flags)
3927 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3928 u8 genmask = nft_genmask_next(ctx->net);
3929 struct nft_data_desc d1, d2;
3930 struct nft_set_ext_tmpl tmpl;
3931 struct nft_set_ext *ext, *ext2;
3932 struct nft_set_elem elem;
3933 struct nft_set_binding *binding;
3934 struct nft_object *obj = NULL;
3935 struct nft_userdata *udata;
3936 struct nft_data data;
3937 enum nft_registers dreg;
3938 struct nft_trans *trans;
3944 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3945 nft_set_elem_policy, NULL);
3949 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3952 nft_set_ext_prepare(&tmpl);
3954 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3958 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3960 if (set->flags & NFT_SET_MAP) {
3961 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3962 !(flags & NFT_SET_ELEM_INTERVAL_END))
3964 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3965 flags & NFT_SET_ELEM_INTERVAL_END)
3968 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3973 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3974 if (!(set->flags & NFT_SET_TIMEOUT))
3976 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3977 nla[NFTA_SET_ELEM_TIMEOUT])));
3978 } else if (set->flags & NFT_SET_TIMEOUT) {
3979 timeout = set->timeout;
3982 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3983 nla[NFTA_SET_ELEM_KEY]);
3987 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3990 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3992 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3993 if (timeout != set->timeout)
3994 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3997 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3998 if (!(set->flags & NFT_SET_OBJECT)) {
4002 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4003 set->objtype, genmask);
4008 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4011 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4012 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4013 nla[NFTA_SET_ELEM_DATA]);
4018 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4021 dreg = nft_type_to_reg(set->dtype);
4022 list_for_each_entry(binding, &set->bindings, list) {
4023 struct nft_ctx bind_ctx = {
4025 .family = ctx->family,
4026 .table = ctx->table,
4027 .chain = (struct nft_chain *)binding->chain,
4030 if (!(binding->flags & NFT_SET_MAP))
4033 err = nft_validate_register_store(&bind_ctx, dreg,
4040 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4043 /* The full maximum length of userdata can exceed the maximum
4044 * offset value (U8_MAX) for following extensions, therefor it
4045 * must be the last extension added.
4048 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4049 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4051 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4056 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4057 timeout, GFP_KERNEL);
4058 if (elem.priv == NULL)
4061 ext = nft_set_elem_ext(set, elem.priv);
4063 *nft_set_ext_flags(ext) = flags;
4065 udata = nft_set_ext_userdata(ext);
4066 udata->len = ulen - 1;
4067 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4070 *nft_set_ext_obj(ext) = obj;
4074 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4078 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4079 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4081 if (err == -EEXIST) {
4082 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4083 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4084 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4085 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4089 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4090 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4091 memcmp(nft_set_ext_data(ext),
4092 nft_set_ext_data(ext2), set->dlen) != 0) ||
4093 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4094 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4095 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4097 else if (!(nlmsg_flags & NLM_F_EXCL))
4104 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4109 nft_trans_elem(trans) = elem;
4110 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4114 set->ops->remove(ctx->net, set, &elem);
4120 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4121 nft_data_release(&data, d2.type);
4123 nft_data_release(&elem.key.val, d1.type);
4128 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4129 struct sk_buff *skb, const struct nlmsghdr *nlh,
4130 const struct nlattr * const nla[],
4131 struct netlink_ext_ack *extack)
4133 u8 genmask = nft_genmask_next(net);
4134 const struct nlattr *attr;
4135 struct nft_set *set;
4139 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4142 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4146 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4147 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4149 return PTR_ERR(set);
4151 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4154 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4155 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4163 * nft_data_hold - hold a nft_data item
4165 * @data: struct nft_data to release
4166 * @type: type of data
4168 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4169 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4170 * NFT_GOTO verdicts. This function must be called on active data objects
4171 * from the second phase of the commit protocol.
4173 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4175 if (type == NFT_DATA_VERDICT) {
4176 switch (data->verdict.code) {
4179 data->verdict.chain->use++;
4185 static void nft_set_elem_activate(const struct net *net,
4186 const struct nft_set *set,
4187 struct nft_set_elem *elem)
4189 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4191 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4192 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4193 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4194 (*nft_set_ext_obj(ext))->use++;
4197 static void nft_set_elem_deactivate(const struct net *net,
4198 const struct nft_set *set,
4199 struct nft_set_elem *elem)
4201 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4203 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4204 nft_data_release(nft_set_ext_data(ext), set->dtype);
4205 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4206 (*nft_set_ext_obj(ext))->use--;
4209 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4210 const struct nlattr *attr)
4212 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4213 struct nft_set_ext_tmpl tmpl;
4214 struct nft_data_desc desc;
4215 struct nft_set_elem elem;
4216 struct nft_set_ext *ext;
4217 struct nft_trans *trans;
4222 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4223 nft_set_elem_policy, NULL);
4228 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4231 nft_set_ext_prepare(&tmpl);
4233 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4237 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4239 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4240 nla[NFTA_SET_ELEM_KEY]);
4245 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4248 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4251 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4253 if (elem.priv == NULL)
4256 ext = nft_set_elem_ext(set, elem.priv);
4258 *nft_set_ext_flags(ext) = flags;
4260 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4261 if (trans == NULL) {
4266 priv = set->ops->deactivate(ctx->net, set, &elem);
4274 nft_set_elem_deactivate(ctx->net, set, &elem);
4276 nft_trans_elem(trans) = elem;
4277 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4285 nft_data_release(&elem.key.val, desc.type);
4290 static int nft_flush_set(const struct nft_ctx *ctx,
4291 struct nft_set *set,
4292 const struct nft_set_iter *iter,
4293 struct nft_set_elem *elem)
4295 struct nft_trans *trans;
4298 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4299 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4303 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4309 nft_trans_elem_set(trans) = set;
4310 nft_trans_elem(trans) = *elem;
4311 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4319 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4320 struct sk_buff *skb, const struct nlmsghdr *nlh,
4321 const struct nlattr * const nla[],
4322 struct netlink_ext_ack *extack)
4324 u8 genmask = nft_genmask_next(net);
4325 const struct nlattr *attr;
4326 struct nft_set *set;
4330 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4334 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4337 return PTR_ERR(set);
4338 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4341 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4342 struct nft_set_iter iter = {
4344 .fn = nft_flush_set,
4346 set->ops->walk(&ctx, set, &iter);
4351 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4352 err = nft_del_setelem(&ctx, set, attr);
4361 void nft_set_gc_batch_release(struct rcu_head *rcu)
4363 struct nft_set_gc_batch *gcb;
4366 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4367 for (i = 0; i < gcb->head.cnt; i++)
4368 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4371 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4373 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4376 struct nft_set_gc_batch *gcb;
4378 gcb = kzalloc(sizeof(*gcb), gfp);
4381 gcb->head.set = set;
4384 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4391 * nft_register_obj- register nf_tables stateful object type
4394 * Registers the object type for use with nf_tables. Returns zero on
4395 * success or a negative errno code otherwise.
4397 int nft_register_obj(struct nft_object_type *obj_type)
4399 if (obj_type->type == NFT_OBJECT_UNSPEC)
4402 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4403 list_add_rcu(&obj_type->list, &nf_tables_objects);
4404 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4407 EXPORT_SYMBOL_GPL(nft_register_obj);
4410 * nft_unregister_obj - unregister nf_tables object type
4413 * Unregisters the object type for use with nf_tables.
4415 void nft_unregister_obj(struct nft_object_type *obj_type)
4417 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4418 list_del_rcu(&obj_type->list);
4419 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4421 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4423 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4424 const struct nlattr *nla,
4425 u32 objtype, u8 genmask)
4427 struct nft_object *obj;
4429 list_for_each_entry(obj, &table->objects, list) {
4430 if (!nla_strcmp(nla, obj->name) &&
4431 objtype == obj->ops->type->type &&
4432 nft_active_genmask(obj, genmask))
4435 return ERR_PTR(-ENOENT);
4437 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4439 static struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
4440 const struct nlattr *nla,
4441 u32 objtype, u8 genmask)
4443 struct nft_object *obj;
4445 list_for_each_entry(obj, &table->objects, list) {
4446 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4447 objtype == obj->ops->type->type &&
4448 nft_active_genmask(obj, genmask))
4451 return ERR_PTR(-ENOENT);
4454 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4455 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4456 .len = NFT_TABLE_MAXNAMELEN - 1 },
4457 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4458 .len = NFT_OBJ_MAXNAMELEN - 1 },
4459 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4460 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4461 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4464 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4465 const struct nft_object_type *type,
4466 const struct nlattr *attr)
4469 const struct nft_object_ops *ops;
4470 struct nft_object *obj;
4473 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4478 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4483 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4486 if (type->select_ops) {
4487 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4497 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4501 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4514 return ERR_PTR(err);
4517 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4518 struct nft_object *obj, bool reset)
4520 struct nlattr *nest;
4522 nest = nla_nest_start(skb, attr);
4524 goto nla_put_failure;
4525 if (obj->ops->dump(skb, obj, reset) < 0)
4526 goto nla_put_failure;
4527 nla_nest_end(skb, nest);
4534 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4536 const struct nft_object_type *type;
4538 list_for_each_entry(type, &nf_tables_objects, list) {
4539 if (objtype == type->type)
4545 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4547 const struct nft_object_type *type;
4549 type = __nft_obj_type_get(objtype);
4550 if (type != NULL && try_module_get(type->owner))
4553 #ifdef CONFIG_MODULES
4555 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4556 request_module("nft-obj-%u", objtype);
4557 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4558 if (__nft_obj_type_get(objtype))
4559 return ERR_PTR(-EAGAIN);
4562 return ERR_PTR(-ENOENT);
4565 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4566 struct sk_buff *skb, const struct nlmsghdr *nlh,
4567 const struct nlattr * const nla[],
4568 struct netlink_ext_ack *extack)
4570 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4571 const struct nft_object_type *type;
4572 u8 genmask = nft_genmask_next(net);
4573 int family = nfmsg->nfgen_family;
4574 struct nft_table *table;
4575 struct nft_object *obj;
4580 if (!nla[NFTA_OBJ_TYPE] ||
4581 !nla[NFTA_OBJ_NAME] ||
4582 !nla[NFTA_OBJ_DATA])
4585 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4588 return PTR_ERR(table);
4590 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4591 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4598 if (nlh->nlmsg_flags & NLM_F_EXCL)
4604 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4606 type = nft_obj_type_get(objtype);
4608 return PTR_ERR(type);
4610 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4616 obj->handle = nf_tables_alloc_handle(table);
4618 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4624 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4628 list_add_tail_rcu(&obj->list, &table->objects);
4634 if (obj->ops->destroy)
4635 obj->ops->destroy(obj);
4638 module_put(type->owner);
4642 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4643 u32 portid, u32 seq, int event, u32 flags,
4644 int family, const struct nft_table *table,
4645 struct nft_object *obj, bool reset)
4647 struct nfgenmsg *nfmsg;
4648 struct nlmsghdr *nlh;
4650 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4651 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4653 goto nla_put_failure;
4655 nfmsg = nlmsg_data(nlh);
4656 nfmsg->nfgen_family = family;
4657 nfmsg->version = NFNETLINK_V0;
4658 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4660 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4661 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4662 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4663 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4664 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4665 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4667 goto nla_put_failure;
4669 nlmsg_end(skb, nlh);
4673 nlmsg_trim(skb, nlh);
4677 struct nft_obj_filter {
4682 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4684 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4685 const struct nft_table *table;
4686 unsigned int idx = 0, s_idx = cb->args[0];
4687 struct nft_obj_filter *filter = cb->data;
4688 struct net *net = sock_net(skb->sk);
4689 int family = nfmsg->nfgen_family;
4690 struct nft_object *obj;
4693 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4697 cb->seq = net->nft.base_seq;
4699 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4700 if (family != NFPROTO_UNSPEC && family != table->family)
4703 list_for_each_entry_rcu(obj, &table->objects, list) {
4704 if (!nft_is_active(net, obj))
4709 memset(&cb->args[1], 0,
4710 sizeof(cb->args) - sizeof(cb->args[0]));
4711 if (filter && filter->table &&
4712 strcmp(filter->table, table->name))
4715 filter->type != NFT_OBJECT_UNSPEC &&
4716 obj->ops->type->type != filter->type)
4719 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4722 NLM_F_MULTI | NLM_F_APPEND,
4723 table->family, table,
4727 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4739 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4741 struct nft_obj_filter *filter = cb->data;
4744 kfree(filter->table);
4751 static struct nft_obj_filter *
4752 nft_obj_filter_alloc(const struct nlattr * const nla[])
4754 struct nft_obj_filter *filter;
4756 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4758 return ERR_PTR(-ENOMEM);
4760 if (nla[NFTA_OBJ_TABLE]) {
4761 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4762 if (!filter->table) {
4764 return ERR_PTR(-ENOMEM);
4767 if (nla[NFTA_OBJ_TYPE])
4768 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4773 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4774 struct sk_buff *skb, const struct nlmsghdr *nlh,
4775 const struct nlattr * const nla[],
4776 struct netlink_ext_ack *extack)
4778 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4779 u8 genmask = nft_genmask_cur(net);
4780 int family = nfmsg->nfgen_family;
4781 const struct nft_table *table;
4782 struct nft_object *obj;
4783 struct sk_buff *skb2;
4788 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4789 struct netlink_dump_control c = {
4790 .dump = nf_tables_dump_obj,
4791 .done = nf_tables_dump_obj_done,
4794 if (nla[NFTA_OBJ_TABLE] ||
4795 nla[NFTA_OBJ_TYPE]) {
4796 struct nft_obj_filter *filter;
4798 filter = nft_obj_filter_alloc(nla);
4804 return netlink_dump_start(nlsk, skb, nlh, &c);
4807 if (!nla[NFTA_OBJ_NAME] ||
4808 !nla[NFTA_OBJ_TYPE])
4811 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4814 return PTR_ERR(table);
4816 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4817 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4819 return PTR_ERR(obj);
4821 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4825 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4828 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4829 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4830 family, table, obj, reset);
4834 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4840 static void nft_obj_destroy(struct nft_object *obj)
4842 if (obj->ops->destroy)
4843 obj->ops->destroy(obj);
4845 module_put(obj->ops->type->owner);
4850 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4851 struct sk_buff *skb, const struct nlmsghdr *nlh,
4852 const struct nlattr * const nla[],
4853 struct netlink_ext_ack *extack)
4855 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4856 u8 genmask = nft_genmask_next(net);
4857 int family = nfmsg->nfgen_family;
4858 struct nft_table *table;
4859 struct nft_object *obj;
4863 if (!nla[NFTA_OBJ_TYPE] ||
4864 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
4867 table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
4870 return PTR_ERR(table);
4872 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4873 if (nla[NFTA_OBJ_HANDLE])
4874 obj = nf_tables_obj_lookup_byhandle(table, nla[NFTA_OBJ_HANDLE],
4877 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME],
4880 return PTR_ERR(obj);
4884 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4886 return nft_delobj(&ctx, obj);
4889 void nft_obj_notify(struct net *net, struct nft_table *table,
4890 struct nft_object *obj, u32 portid, u32 seq, int event,
4891 int family, int report, gfp_t gfp)
4893 struct sk_buff *skb;
4897 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4900 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4904 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4911 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4914 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4916 EXPORT_SYMBOL_GPL(nft_obj_notify);
4918 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4919 struct nft_object *obj, int event)
4921 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4922 ctx->family, ctx->report, GFP_KERNEL);
4928 void nft_register_flowtable_type(struct nf_flowtable_type *type)
4930 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4931 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
4932 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4934 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
4936 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
4938 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4939 list_del_rcu(&type->list);
4940 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4942 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
4944 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
4945 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
4946 .len = NFT_NAME_MAXLEN - 1 },
4947 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
4948 .len = NFT_NAME_MAXLEN - 1 },
4949 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
4950 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
4953 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
4954 const struct nlattr *nla,
4957 struct nft_flowtable *flowtable;
4959 list_for_each_entry(flowtable, &table->flowtables, list) {
4960 if (!nla_strcmp(nla, flowtable->name) &&
4961 nft_active_genmask(flowtable, genmask))
4964 return ERR_PTR(-ENOENT);
4966 EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
4968 static struct nft_flowtable *
4969 nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
4970 const struct nlattr *nla, u8 genmask)
4972 struct nft_flowtable *flowtable;
4974 list_for_each_entry(flowtable, &table->flowtables, list) {
4975 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
4976 nft_active_genmask(flowtable, genmask))
4979 return ERR_PTR(-ENOENT);
4982 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
4983 const struct nlattr *attr,
4984 struct net_device *dev_array[], int *len)
4986 const struct nlattr *tmp;
4987 struct net_device *dev;
4988 char ifname[IFNAMSIZ];
4989 int rem, n = 0, err;
4991 nla_for_each_nested(tmp, attr, rem) {
4992 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
4997 nla_strlcpy(ifname, tmp, IFNAMSIZ);
4998 dev = __dev_get_by_name(ctx->net, ifname);
5004 dev_array[n++] = dev;
5005 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5019 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5020 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5021 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5022 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5025 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5026 const struct nlattr *attr,
5027 struct nft_flowtable *flowtable)
5029 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5030 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5031 struct nf_hook_ops *ops;
5032 int hooknum, priority;
5035 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5036 nft_flowtable_hook_policy, NULL);
5040 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5041 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5042 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5045 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5046 if (hooknum != NF_NETDEV_INGRESS)
5049 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5051 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5056 ops = kzalloc(sizeof(struct nf_hook_ops) * n, GFP_KERNEL);
5060 flowtable->hooknum = hooknum;
5061 flowtable->priority = priority;
5062 flowtable->ops = ops;
5063 flowtable->ops_len = n;
5065 for (i = 0; i < n; i++) {
5066 flowtable->ops[i].pf = NFPROTO_NETDEV;
5067 flowtable->ops[i].hooknum = hooknum;
5068 flowtable->ops[i].priority = priority;
5069 flowtable->ops[i].priv = &flowtable->data.rhashtable;
5070 flowtable->ops[i].hook = flowtable->data.type->hook;
5071 flowtable->ops[i].dev = dev_array[i];
5072 flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
5079 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5081 const struct nf_flowtable_type *type;
5083 list_for_each_entry(type, &nf_tables_flowtables, list) {
5084 if (family == type->family)
5090 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5092 const struct nf_flowtable_type *type;
5094 type = __nft_flowtable_type_get(family);
5095 if (type != NULL && try_module_get(type->owner))
5098 #ifdef CONFIG_MODULES
5100 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5101 request_module("nf-flowtable-%u", family);
5102 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5103 if (__nft_flowtable_type_get(family))
5104 return ERR_PTR(-EAGAIN);
5107 return ERR_PTR(-ENOENT);
5110 void nft_flow_table_iterate(struct net *net,
5111 void (*iter)(struct nf_flowtable *flowtable, void *data),
5114 struct nft_flowtable *flowtable;
5115 const struct nft_table *table;
5117 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5118 list_for_each_entry(table, &net->nft.tables, list) {
5119 list_for_each_entry(flowtable, &table->flowtables, list) {
5120 iter(&flowtable->data, data);
5123 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5125 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
5127 static void nft_unregister_flowtable_net_hooks(struct net *net,
5128 struct nft_flowtable *flowtable)
5132 for (i = 0; i < flowtable->ops_len; i++) {
5133 if (!flowtable->ops[i].dev)
5136 nf_unregister_net_hook(net, &flowtable->ops[i]);
5140 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5141 struct sk_buff *skb,
5142 const struct nlmsghdr *nlh,
5143 const struct nlattr * const nla[],
5144 struct netlink_ext_ack *extack)
5146 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5147 const struct nf_flowtable_type *type;
5148 struct nft_flowtable *flowtable, *ft;
5149 u8 genmask = nft_genmask_next(net);
5150 int family = nfmsg->nfgen_family;
5151 struct nft_table *table;
5155 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5156 !nla[NFTA_FLOWTABLE_NAME] ||
5157 !nla[NFTA_FLOWTABLE_HOOK])
5160 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5163 return PTR_ERR(table);
5165 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5167 if (IS_ERR(flowtable)) {
5168 err = PTR_ERR(flowtable);
5172 if (nlh->nlmsg_flags & NLM_F_EXCL)
5178 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5180 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5184 flowtable->table = table;
5185 flowtable->handle = nf_tables_alloc_handle(table);
5187 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5188 if (!flowtable->name) {
5193 type = nft_flowtable_type_get(family);
5195 err = PTR_ERR(type);
5199 flowtable->data.type = type;
5200 err = rhashtable_init(&flowtable->data.rhashtable, type->params);
5204 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5209 for (i = 0; i < flowtable->ops_len; i++) {
5210 if (!flowtable->ops[i].dev)
5213 list_for_each_entry(ft, &table->flowtables, list) {
5214 for (k = 0; k < ft->ops_len; k++) {
5215 if (!ft->ops[k].dev)
5218 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5219 flowtable->ops[i].pf == ft->ops[k].pf) {
5226 err = nf_register_net_hook(net, &flowtable->ops[i]);
5231 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5235 INIT_DEFERRABLE_WORK(&flowtable->data.gc_work, type->gc);
5236 queue_delayed_work(system_power_efficient_wq,
5237 &flowtable->data.gc_work, HZ);
5239 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5244 i = flowtable->ops_len;
5246 for (k = i - 1; k >= 0; k--) {
5247 kfree(flowtable->dev_name[k]);
5248 nf_unregister_net_hook(net, &flowtable->ops[k]);
5251 kfree(flowtable->ops);
5253 module_put(type->owner);
5255 kfree(flowtable->name);
5261 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5262 struct sk_buff *skb,
5263 const struct nlmsghdr *nlh,
5264 const struct nlattr * const nla[],
5265 struct netlink_ext_ack *extack)
5267 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5268 u8 genmask = nft_genmask_next(net);
5269 int family = nfmsg->nfgen_family;
5270 struct nft_flowtable *flowtable;
5271 struct nft_table *table;
5274 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5275 (!nla[NFTA_FLOWTABLE_NAME] &&
5276 !nla[NFTA_FLOWTABLE_HANDLE]))
5279 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5282 return PTR_ERR(table);
5284 if (nla[NFTA_FLOWTABLE_HANDLE])
5285 flowtable = nf_tables_flowtable_lookup_byhandle(table,
5286 nla[NFTA_FLOWTABLE_HANDLE],
5289 flowtable = nf_tables_flowtable_lookup(table,
5290 nla[NFTA_FLOWTABLE_NAME],
5292 if (IS_ERR(flowtable))
5293 return PTR_ERR(flowtable);
5294 if (flowtable->use > 0)
5297 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5299 return nft_delflowtable(&ctx, flowtable);
5302 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5303 u32 portid, u32 seq, int event,
5304 u32 flags, int family,
5305 struct nft_flowtable *flowtable)
5307 struct nlattr *nest, *nest_devs;
5308 struct nfgenmsg *nfmsg;
5309 struct nlmsghdr *nlh;
5312 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5313 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5315 goto nla_put_failure;
5317 nfmsg = nlmsg_data(nlh);
5318 nfmsg->nfgen_family = family;
5319 nfmsg->version = NFNETLINK_V0;
5320 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5322 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5323 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5324 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5325 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5326 NFTA_FLOWTABLE_PAD))
5327 goto nla_put_failure;
5329 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5330 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5331 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5332 goto nla_put_failure;
5334 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5336 goto nla_put_failure;
5338 for (i = 0; i < flowtable->ops_len; i++) {
5339 if (flowtable->dev_name[i][0] &&
5340 nla_put_string(skb, NFTA_DEVICE_NAME,
5341 flowtable->dev_name[i]))
5342 goto nla_put_failure;
5344 nla_nest_end(skb, nest_devs);
5345 nla_nest_end(skb, nest);
5347 nlmsg_end(skb, nlh);
5351 nlmsg_trim(skb, nlh);
5355 struct nft_flowtable_filter {
5359 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5360 struct netlink_callback *cb)
5362 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5363 struct nft_flowtable_filter *filter = cb->data;
5364 unsigned int idx = 0, s_idx = cb->args[0];
5365 struct net *net = sock_net(skb->sk);
5366 int family = nfmsg->nfgen_family;
5367 struct nft_flowtable *flowtable;
5368 const struct nft_table *table;
5371 cb->seq = net->nft.base_seq;
5373 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5374 if (family != NFPROTO_UNSPEC && family != table->family)
5377 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5378 if (!nft_is_active(net, flowtable))
5383 memset(&cb->args[1], 0,
5384 sizeof(cb->args) - sizeof(cb->args[0]));
5385 if (filter && filter->table &&
5386 strcmp(filter->table, table->name))
5389 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5391 NFT_MSG_NEWFLOWTABLE,
5392 NLM_F_MULTI | NLM_F_APPEND,
5393 table->family, flowtable) < 0)
5396 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5408 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5410 struct nft_flowtable_filter *filter = cb->data;
5415 kfree(filter->table);
5421 static struct nft_flowtable_filter *
5422 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5424 struct nft_flowtable_filter *filter;
5426 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
5428 return ERR_PTR(-ENOMEM);
5430 if (nla[NFTA_FLOWTABLE_TABLE]) {
5431 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5433 if (!filter->table) {
5435 return ERR_PTR(-ENOMEM);
5441 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5442 struct sk_buff *skb,
5443 const struct nlmsghdr *nlh,
5444 const struct nlattr * const nla[],
5445 struct netlink_ext_ack *extack)
5447 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5448 u8 genmask = nft_genmask_cur(net);
5449 int family = nfmsg->nfgen_family;
5450 struct nft_flowtable *flowtable;
5451 const struct nft_table *table;
5452 struct sk_buff *skb2;
5455 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5456 struct netlink_dump_control c = {
5457 .dump = nf_tables_dump_flowtable,
5458 .done = nf_tables_dump_flowtable_done,
5461 if (nla[NFTA_FLOWTABLE_TABLE]) {
5462 struct nft_flowtable_filter *filter;
5464 filter = nft_flowtable_filter_alloc(nla);
5470 return netlink_dump_start(nlsk, skb, nlh, &c);
5473 if (!nla[NFTA_FLOWTABLE_NAME])
5476 table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
5479 return PTR_ERR(table);
5481 flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5483 if (IS_ERR(flowtable))
5484 return PTR_ERR(flowtable);
5486 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5490 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5492 NFT_MSG_NEWFLOWTABLE, 0, family,
5497 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5503 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5504 struct nft_flowtable *flowtable,
5507 struct sk_buff *skb;
5511 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5514 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5518 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5520 ctx->family, flowtable);
5526 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5527 ctx->report, GFP_KERNEL);
5530 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5533 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5535 cancel_delayed_work_sync(&flowtable->data.gc_work);
5536 kfree(flowtable->ops);
5537 kfree(flowtable->name);
5538 flowtable->data.type->free(&flowtable->data);
5539 rhashtable_destroy(&flowtable->data.rhashtable);
5540 module_put(flowtable->data.type->owner);
5543 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5544 u32 portid, u32 seq)
5546 struct nlmsghdr *nlh;
5547 struct nfgenmsg *nfmsg;
5548 char buf[TASK_COMM_LEN];
5549 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5551 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5553 goto nla_put_failure;
5555 nfmsg = nlmsg_data(nlh);
5556 nfmsg->nfgen_family = AF_UNSPEC;
5557 nfmsg->version = NFNETLINK_V0;
5558 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5560 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5561 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5562 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5563 goto nla_put_failure;
5565 nlmsg_end(skb, nlh);
5569 nlmsg_trim(skb, nlh);
5573 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5574 struct nft_flowtable *flowtable)
5578 for (i = 0; i < flowtable->ops_len; i++) {
5579 if (flowtable->ops[i].dev != dev)
5582 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5583 flowtable->dev_name[i][0] = '\0';
5584 flowtable->ops[i].dev = NULL;
5589 static int nf_tables_flowtable_event(struct notifier_block *this,
5590 unsigned long event, void *ptr)
5592 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5593 struct nft_flowtable *flowtable;
5594 struct nft_table *table;
5596 if (event != NETDEV_UNREGISTER)
5599 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5600 list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
5601 list_for_each_entry(flowtable, &table->flowtables, list) {
5602 nft_flowtable_event(event, dev, flowtable);
5605 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5610 static struct notifier_block nf_tables_flowtable_notifier = {
5611 .notifier_call = nf_tables_flowtable_event,
5614 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5617 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5618 struct sk_buff *skb2;
5621 if (nlmsg_report(nlh) &&
5622 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5625 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5629 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5636 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5637 nlmsg_report(nlh), GFP_KERNEL);
5640 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5644 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5645 struct sk_buff *skb, const struct nlmsghdr *nlh,
5646 const struct nlattr * const nla[],
5647 struct netlink_ext_ack *extack)
5649 struct sk_buff *skb2;
5652 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5656 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5661 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5667 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5668 [NFT_MSG_NEWTABLE] = {
5669 .call_batch = nf_tables_newtable,
5670 .attr_count = NFTA_TABLE_MAX,
5671 .policy = nft_table_policy,
5673 [NFT_MSG_GETTABLE] = {
5674 .call = nf_tables_gettable,
5675 .attr_count = NFTA_TABLE_MAX,
5676 .policy = nft_table_policy,
5678 [NFT_MSG_DELTABLE] = {
5679 .call_batch = nf_tables_deltable,
5680 .attr_count = NFTA_TABLE_MAX,
5681 .policy = nft_table_policy,
5683 [NFT_MSG_NEWCHAIN] = {
5684 .call_batch = nf_tables_newchain,
5685 .attr_count = NFTA_CHAIN_MAX,
5686 .policy = nft_chain_policy,
5688 [NFT_MSG_GETCHAIN] = {
5689 .call = nf_tables_getchain,
5690 .attr_count = NFTA_CHAIN_MAX,
5691 .policy = nft_chain_policy,
5693 [NFT_MSG_DELCHAIN] = {
5694 .call_batch = nf_tables_delchain,
5695 .attr_count = NFTA_CHAIN_MAX,
5696 .policy = nft_chain_policy,
5698 [NFT_MSG_NEWRULE] = {
5699 .call_batch = nf_tables_newrule,
5700 .attr_count = NFTA_RULE_MAX,
5701 .policy = nft_rule_policy,
5703 [NFT_MSG_GETRULE] = {
5704 .call = nf_tables_getrule,
5705 .attr_count = NFTA_RULE_MAX,
5706 .policy = nft_rule_policy,
5708 [NFT_MSG_DELRULE] = {
5709 .call_batch = nf_tables_delrule,
5710 .attr_count = NFTA_RULE_MAX,
5711 .policy = nft_rule_policy,
5713 [NFT_MSG_NEWSET] = {
5714 .call_batch = nf_tables_newset,
5715 .attr_count = NFTA_SET_MAX,
5716 .policy = nft_set_policy,
5718 [NFT_MSG_GETSET] = {
5719 .call = nf_tables_getset,
5720 .attr_count = NFTA_SET_MAX,
5721 .policy = nft_set_policy,
5723 [NFT_MSG_DELSET] = {
5724 .call_batch = nf_tables_delset,
5725 .attr_count = NFTA_SET_MAX,
5726 .policy = nft_set_policy,
5728 [NFT_MSG_NEWSETELEM] = {
5729 .call_batch = nf_tables_newsetelem,
5730 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5731 .policy = nft_set_elem_list_policy,
5733 [NFT_MSG_GETSETELEM] = {
5734 .call = nf_tables_getsetelem,
5735 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5736 .policy = nft_set_elem_list_policy,
5738 [NFT_MSG_DELSETELEM] = {
5739 .call_batch = nf_tables_delsetelem,
5740 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5741 .policy = nft_set_elem_list_policy,
5743 [NFT_MSG_GETGEN] = {
5744 .call = nf_tables_getgen,
5746 [NFT_MSG_NEWOBJ] = {
5747 .call_batch = nf_tables_newobj,
5748 .attr_count = NFTA_OBJ_MAX,
5749 .policy = nft_obj_policy,
5751 [NFT_MSG_GETOBJ] = {
5752 .call = nf_tables_getobj,
5753 .attr_count = NFTA_OBJ_MAX,
5754 .policy = nft_obj_policy,
5756 [NFT_MSG_DELOBJ] = {
5757 .call_batch = nf_tables_delobj,
5758 .attr_count = NFTA_OBJ_MAX,
5759 .policy = nft_obj_policy,
5761 [NFT_MSG_GETOBJ_RESET] = {
5762 .call = nf_tables_getobj,
5763 .attr_count = NFTA_OBJ_MAX,
5764 .policy = nft_obj_policy,
5766 [NFT_MSG_NEWFLOWTABLE] = {
5767 .call_batch = nf_tables_newflowtable,
5768 .attr_count = NFTA_FLOWTABLE_MAX,
5769 .policy = nft_flowtable_policy,
5771 [NFT_MSG_GETFLOWTABLE] = {
5772 .call = nf_tables_getflowtable,
5773 .attr_count = NFTA_FLOWTABLE_MAX,
5774 .policy = nft_flowtable_policy,
5776 [NFT_MSG_DELFLOWTABLE] = {
5777 .call_batch = nf_tables_delflowtable,
5778 .attr_count = NFTA_FLOWTABLE_MAX,
5779 .policy = nft_flowtable_policy,
5783 static void nft_chain_commit_update(struct nft_trans *trans)
5785 struct nft_base_chain *basechain;
5787 if (nft_trans_chain_name(trans))
5788 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5790 if (!nft_is_base_chain(trans->ctx.chain))
5793 basechain = nft_base_chain(trans->ctx.chain);
5794 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5796 switch (nft_trans_chain_policy(trans)) {
5799 basechain->policy = nft_trans_chain_policy(trans);
5804 static void nft_commit_release(struct nft_trans *trans)
5806 switch (trans->msg_type) {
5807 case NFT_MSG_DELTABLE:
5808 nf_tables_table_destroy(&trans->ctx);
5810 case NFT_MSG_DELCHAIN:
5811 nf_tables_chain_destroy(&trans->ctx);
5813 case NFT_MSG_DELRULE:
5814 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5816 case NFT_MSG_DELSET:
5817 nft_set_destroy(nft_trans_set(trans));
5819 case NFT_MSG_DELSETELEM:
5820 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5821 nft_trans_elem(trans).priv);
5823 case NFT_MSG_DELOBJ:
5824 nft_obj_destroy(nft_trans_obj(trans));
5826 case NFT_MSG_DELFLOWTABLE:
5827 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
5833 static void nf_tables_commit_release(struct net *net)
5835 struct nft_trans *trans, *next;
5837 if (list_empty(&net->nft.commit_list))
5842 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5843 list_del(&trans->list);
5844 nft_commit_release(trans);
5848 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5850 struct nft_trans *trans, *next;
5851 struct nft_trans_elem *te;
5853 /* Bump generation counter, invalidate any dump in progress */
5854 while (++net->nft.base_seq == 0);
5856 /* A new generation has just started */
5857 net->nft.gencursor = nft_gencursor_next(net);
5859 /* Make sure all packets have left the previous generation before
5860 * purging old rules.
5864 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5865 switch (trans->msg_type) {
5866 case NFT_MSG_NEWTABLE:
5867 if (nft_trans_table_update(trans)) {
5868 if (!nft_trans_table_enable(trans)) {
5869 nf_tables_table_disable(net,
5871 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5874 nft_clear(net, trans->ctx.table);
5876 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5877 nft_trans_destroy(trans);
5879 case NFT_MSG_DELTABLE:
5880 list_del_rcu(&trans->ctx.table->list);
5881 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5883 case NFT_MSG_NEWCHAIN:
5884 if (nft_trans_chain_update(trans))
5885 nft_chain_commit_update(trans);
5887 nft_clear(net, trans->ctx.chain);
5889 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5890 nft_trans_destroy(trans);
5892 case NFT_MSG_DELCHAIN:
5893 list_del_rcu(&trans->ctx.chain->list);
5894 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5895 nf_tables_unregister_hook(trans->ctx.net,
5899 case NFT_MSG_NEWRULE:
5900 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5901 nf_tables_rule_notify(&trans->ctx,
5902 nft_trans_rule(trans),
5904 nft_trans_destroy(trans);
5906 case NFT_MSG_DELRULE:
5907 list_del_rcu(&nft_trans_rule(trans)->list);
5908 nf_tables_rule_notify(&trans->ctx,
5909 nft_trans_rule(trans),
5912 case NFT_MSG_NEWSET:
5913 nft_clear(net, nft_trans_set(trans));
5914 /* This avoids hitting -EBUSY when deleting the table
5915 * from the transaction.
5917 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
5918 !list_empty(&nft_trans_set(trans)->bindings))
5919 trans->ctx.table->use--;
5921 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5922 NFT_MSG_NEWSET, GFP_KERNEL);
5923 nft_trans_destroy(trans);
5925 case NFT_MSG_DELSET:
5926 list_del_rcu(&nft_trans_set(trans)->list);
5927 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5928 NFT_MSG_DELSET, GFP_KERNEL);
5930 case NFT_MSG_NEWSETELEM:
5931 te = (struct nft_trans_elem *)trans->data;
5933 te->set->ops->activate(net, te->set, &te->elem);
5934 nf_tables_setelem_notify(&trans->ctx, te->set,
5936 NFT_MSG_NEWSETELEM, 0);
5937 nft_trans_destroy(trans);
5939 case NFT_MSG_DELSETELEM:
5940 te = (struct nft_trans_elem *)trans->data;
5942 nf_tables_setelem_notify(&trans->ctx, te->set,
5944 NFT_MSG_DELSETELEM, 0);
5945 te->set->ops->remove(net, te->set, &te->elem);
5946 atomic_dec(&te->set->nelems);
5949 case NFT_MSG_NEWOBJ:
5950 nft_clear(net, nft_trans_obj(trans));
5951 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5953 nft_trans_destroy(trans);
5955 case NFT_MSG_DELOBJ:
5956 list_del_rcu(&nft_trans_obj(trans)->list);
5957 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5960 case NFT_MSG_NEWFLOWTABLE:
5961 nft_clear(net, nft_trans_flowtable(trans));
5962 nf_tables_flowtable_notify(&trans->ctx,
5963 nft_trans_flowtable(trans),
5964 NFT_MSG_NEWFLOWTABLE);
5965 nft_trans_destroy(trans);
5967 case NFT_MSG_DELFLOWTABLE:
5968 list_del_rcu(&nft_trans_flowtable(trans)->list);
5969 nf_tables_flowtable_notify(&trans->ctx,
5970 nft_trans_flowtable(trans),
5971 NFT_MSG_DELFLOWTABLE);
5972 nft_unregister_flowtable_net_hooks(net,
5973 nft_trans_flowtable(trans));
5978 nf_tables_commit_release(net);
5979 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5984 static void nf_tables_abort_release(struct nft_trans *trans)
5986 switch (trans->msg_type) {
5987 case NFT_MSG_NEWTABLE:
5988 nf_tables_table_destroy(&trans->ctx);
5990 case NFT_MSG_NEWCHAIN:
5991 nf_tables_chain_destroy(&trans->ctx);
5993 case NFT_MSG_NEWRULE:
5994 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5996 case NFT_MSG_NEWSET:
5997 nft_set_destroy(nft_trans_set(trans));
5999 case NFT_MSG_NEWSETELEM:
6000 nft_set_elem_destroy(nft_trans_elem_set(trans),
6001 nft_trans_elem(trans).priv, true);
6003 case NFT_MSG_NEWOBJ:
6004 nft_obj_destroy(nft_trans_obj(trans));
6006 case NFT_MSG_NEWFLOWTABLE:
6007 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6013 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6015 struct nft_trans *trans, *next;
6016 struct nft_trans_elem *te;
6018 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6020 switch (trans->msg_type) {
6021 case NFT_MSG_NEWTABLE:
6022 if (nft_trans_table_update(trans)) {
6023 if (nft_trans_table_enable(trans)) {
6024 nf_tables_table_disable(net,
6026 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6028 nft_trans_destroy(trans);
6030 list_del_rcu(&trans->ctx.table->list);
6033 case NFT_MSG_DELTABLE:
6034 nft_clear(trans->ctx.net, trans->ctx.table);
6035 nft_trans_destroy(trans);
6037 case NFT_MSG_NEWCHAIN:
6038 if (nft_trans_chain_update(trans)) {
6039 free_percpu(nft_trans_chain_stats(trans));
6041 nft_trans_destroy(trans);
6043 trans->ctx.table->use--;
6044 list_del_rcu(&trans->ctx.chain->list);
6045 nf_tables_unregister_hook(trans->ctx.net,
6050 case NFT_MSG_DELCHAIN:
6051 trans->ctx.table->use++;
6052 nft_clear(trans->ctx.net, trans->ctx.chain);
6053 nft_trans_destroy(trans);
6055 case NFT_MSG_NEWRULE:
6056 trans->ctx.chain->use--;
6057 list_del_rcu(&nft_trans_rule(trans)->list);
6058 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6060 case NFT_MSG_DELRULE:
6061 trans->ctx.chain->use++;
6062 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6063 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6064 nft_trans_destroy(trans);
6066 case NFT_MSG_NEWSET:
6067 trans->ctx.table->use--;
6068 list_del_rcu(&nft_trans_set(trans)->list);
6070 case NFT_MSG_DELSET:
6071 trans->ctx.table->use++;
6072 nft_clear(trans->ctx.net, nft_trans_set(trans));
6073 nft_trans_destroy(trans);
6075 case NFT_MSG_NEWSETELEM:
6076 te = (struct nft_trans_elem *)trans->data;
6078 te->set->ops->remove(net, te->set, &te->elem);
6079 atomic_dec(&te->set->nelems);
6081 case NFT_MSG_DELSETELEM:
6082 te = (struct nft_trans_elem *)trans->data;
6084 nft_set_elem_activate(net, te->set, &te->elem);
6085 te->set->ops->activate(net, te->set, &te->elem);
6088 nft_trans_destroy(trans);
6090 case NFT_MSG_NEWOBJ:
6091 trans->ctx.table->use--;
6092 list_del_rcu(&nft_trans_obj(trans)->list);
6094 case NFT_MSG_DELOBJ:
6095 trans->ctx.table->use++;
6096 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6097 nft_trans_destroy(trans);
6099 case NFT_MSG_NEWFLOWTABLE:
6100 trans->ctx.table->use--;
6101 list_del_rcu(&nft_trans_flowtable(trans)->list);
6102 nft_unregister_flowtable_net_hooks(net,
6103 nft_trans_flowtable(trans));
6105 case NFT_MSG_DELFLOWTABLE:
6106 trans->ctx.table->use++;
6107 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6108 nft_trans_destroy(trans);
6115 list_for_each_entry_safe_reverse(trans, next,
6116 &net->nft.commit_list, list) {
6117 list_del(&trans->list);
6118 nf_tables_abort_release(trans);
6124 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6126 return net->nft.base_seq == genid;
6129 static const struct nfnetlink_subsystem nf_tables_subsys = {
6130 .name = "nf_tables",
6131 .subsys_id = NFNL_SUBSYS_NFTABLES,
6132 .cb_count = NFT_MSG_MAX,
6134 .commit = nf_tables_commit,
6135 .abort = nf_tables_abort,
6136 .valid_genid = nf_tables_valid_genid,
6139 int nft_chain_validate_dependency(const struct nft_chain *chain,
6140 enum nft_chain_types type)
6142 const struct nft_base_chain *basechain;
6144 if (nft_is_base_chain(chain)) {
6145 basechain = nft_base_chain(chain);
6146 if (basechain->type->type != type)
6151 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6153 int nft_chain_validate_hooks(const struct nft_chain *chain,
6154 unsigned int hook_flags)
6156 struct nft_base_chain *basechain;
6158 if (nft_is_base_chain(chain)) {
6159 basechain = nft_base_chain(chain);
6161 if ((1 << basechain->ops.hooknum) & hook_flags)
6169 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6172 * Loop detection - walk through the ruleset beginning at the destination chain
6173 * of a new jump until either the source chain is reached (loop) or all
6174 * reachable chains have been traversed.
6176 * The loop check is performed whenever a new jump verdict is added to an
6177 * expression or verdict map or a verdict map is bound to a new chain.
6180 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6181 const struct nft_chain *chain);
6183 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6184 struct nft_set *set,
6185 const struct nft_set_iter *iter,
6186 struct nft_set_elem *elem)
6188 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6189 const struct nft_data *data;
6191 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6192 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6195 data = nft_set_ext_data(ext);
6196 switch (data->verdict.code) {
6199 return nf_tables_check_loops(ctx, data->verdict.chain);
6205 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6206 const struct nft_chain *chain)
6208 const struct nft_rule *rule;
6209 const struct nft_expr *expr, *last;
6210 struct nft_set *set;
6211 struct nft_set_binding *binding;
6212 struct nft_set_iter iter;
6214 if (ctx->chain == chain)
6217 list_for_each_entry(rule, &chain->rules, list) {
6218 nft_rule_for_each_expr(expr, last, rule) {
6219 const struct nft_data *data = NULL;
6222 if (!expr->ops->validate)
6225 err = expr->ops->validate(ctx, expr, &data);
6232 switch (data->verdict.code) {
6235 err = nf_tables_check_loops(ctx,
6236 data->verdict.chain);
6245 list_for_each_entry(set, &ctx->table->sets, list) {
6246 if (!nft_is_active_next(ctx->net, set))
6248 if (!(set->flags & NFT_SET_MAP) ||
6249 set->dtype != NFT_DATA_VERDICT)
6252 list_for_each_entry(binding, &set->bindings, list) {
6253 if (!(binding->flags & NFT_SET_MAP) ||
6254 binding->chain != chain)
6257 iter.genmask = nft_genmask_next(ctx->net);
6261 iter.fn = nf_tables_loop_check_setelem;
6263 set->ops->walk(ctx, set, &iter);
6273 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6275 * @attr: netlink attribute to fetch value from
6276 * @max: maximum value to be stored in dest
6277 * @dest: pointer to the variable
6279 * Parse, check and store a given u32 netlink attribute into variable.
6280 * This function returns -ERANGE if the value goes over maximum value.
6281 * Otherwise a 0 is returned and the attribute value is stored in the
6282 * destination variable.
6284 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6288 val = ntohl(nla_get_be32(attr));
6295 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6298 * nft_parse_register - parse a register value from a netlink attribute
6300 * @attr: netlink attribute
6302 * Parse and translate a register value from a netlink attribute.
6303 * Registers used to be 128 bit wide, these register numbers will be
6304 * mapped to the corresponding 32 bit register numbers.
6306 unsigned int nft_parse_register(const struct nlattr *attr)
6310 reg = ntohl(nla_get_be32(attr));
6312 case NFT_REG_VERDICT...NFT_REG_4:
6313 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6315 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6318 EXPORT_SYMBOL_GPL(nft_parse_register);
6321 * nft_dump_register - dump a register value to a netlink attribute
6323 * @skb: socket buffer
6324 * @attr: attribute number
6325 * @reg: register number
6327 * Construct a netlink attribute containing the register number. For
6328 * compatibility reasons, register numbers being a multiple of 4 are
6329 * translated to the corresponding 128 bit register numbers.
6331 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6333 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6334 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6336 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6338 return nla_put_be32(skb, attr, htonl(reg));
6340 EXPORT_SYMBOL_GPL(nft_dump_register);
6343 * nft_validate_register_load - validate a load from a register
6345 * @reg: the register number
6346 * @len: the length of the data
6348 * Validate that the input register is one of the general purpose
6349 * registers and that the length of the load is within the bounds.
6351 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6353 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6357 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6362 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6365 * nft_validate_register_store - validate an expressions' register store
6367 * @ctx: context of the expression performing the load
6368 * @reg: the destination register number
6369 * @data: the data to load
6370 * @type: the data type
6371 * @len: the length of the data
6373 * Validate that a data load uses the appropriate data type for
6374 * the destination register and the length is within the bounds.
6375 * A value of NULL for the data means that its runtime gathered
6378 int nft_validate_register_store(const struct nft_ctx *ctx,
6379 enum nft_registers reg,
6380 const struct nft_data *data,
6381 enum nft_data_types type, unsigned int len)
6386 case NFT_REG_VERDICT:
6387 if (type != NFT_DATA_VERDICT)
6391 (data->verdict.code == NFT_GOTO ||
6392 data->verdict.code == NFT_JUMP)) {
6393 err = nf_tables_check_loops(ctx, data->verdict.chain);
6397 if (ctx->chain->level + 1 >
6398 data->verdict.chain->level) {
6399 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6401 data->verdict.chain->level = ctx->chain->level + 1;
6407 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6411 if (reg * NFT_REG32_SIZE + len >
6412 FIELD_SIZEOF(struct nft_regs, data))
6415 if (data != NULL && type != NFT_DATA_VALUE)
6420 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6422 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6423 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6424 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6425 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6428 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6429 struct nft_data_desc *desc, const struct nlattr *nla)
6431 u8 genmask = nft_genmask_next(ctx->net);
6432 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6433 struct nft_chain *chain;
6436 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6441 if (!tb[NFTA_VERDICT_CODE])
6443 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6445 switch (data->verdict.code) {
6447 switch (data->verdict.code & NF_VERDICT_MASK) {
6462 if (!tb[NFTA_VERDICT_CHAIN])
6464 chain = nf_tables_chain_lookup(ctx->table,
6465 tb[NFTA_VERDICT_CHAIN], genmask);
6467 return PTR_ERR(chain);
6468 if (nft_is_base_chain(chain))
6472 data->verdict.chain = chain;
6476 desc->len = sizeof(data->verdict);
6477 desc->type = NFT_DATA_VERDICT;
6481 static void nft_verdict_uninit(const struct nft_data *data)
6483 switch (data->verdict.code) {
6486 data->verdict.chain->use--;
6491 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6493 struct nlattr *nest;
6495 nest = nla_nest_start(skb, type);
6497 goto nla_put_failure;
6499 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6500 goto nla_put_failure;
6505 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6507 goto nla_put_failure;
6509 nla_nest_end(skb, nest);
6516 static int nft_value_init(const struct nft_ctx *ctx,
6517 struct nft_data *data, unsigned int size,
6518 struct nft_data_desc *desc, const struct nlattr *nla)
6528 nla_memcpy(data->data, nla, len);
6529 desc->type = NFT_DATA_VALUE;
6534 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6537 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6540 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6541 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6542 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6546 * nft_data_init - parse nf_tables data netlink attributes
6548 * @ctx: context of the expression using the data
6549 * @data: destination struct nft_data
6550 * @size: maximum data length
6551 * @desc: data description
6552 * @nla: netlink attribute containing data
6554 * Parse the netlink data attributes and initialize a struct nft_data.
6555 * The type and length of data are returned in the data description.
6557 * The caller can indicate that it only wants to accept data of type
6558 * NFT_DATA_VALUE by passing NULL for the ctx argument.
6560 int nft_data_init(const struct nft_ctx *ctx,
6561 struct nft_data *data, unsigned int size,
6562 struct nft_data_desc *desc, const struct nlattr *nla)
6564 struct nlattr *tb[NFTA_DATA_MAX + 1];
6567 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
6571 if (tb[NFTA_DATA_VALUE])
6572 return nft_value_init(ctx, data, size, desc,
6573 tb[NFTA_DATA_VALUE]);
6574 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
6575 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
6578 EXPORT_SYMBOL_GPL(nft_data_init);
6581 * nft_data_release - release a nft_data item
6583 * @data: struct nft_data to release
6584 * @type: type of data
6586 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6587 * all others need to be released by calling this function.
6589 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
6591 if (type < NFT_DATA_VERDICT)
6594 case NFT_DATA_VERDICT:
6595 return nft_verdict_uninit(data);
6600 EXPORT_SYMBOL_GPL(nft_data_release);
6602 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
6603 enum nft_data_types type, unsigned int len)
6605 struct nlattr *nest;
6608 nest = nla_nest_start(skb, attr);
6613 case NFT_DATA_VALUE:
6614 err = nft_value_dump(skb, data, len);
6616 case NFT_DATA_VERDICT:
6617 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
6624 nla_nest_end(skb, nest);
6627 EXPORT_SYMBOL_GPL(nft_data_dump);
6629 int __nft_release_basechain(struct nft_ctx *ctx)
6631 struct nft_rule *rule, *nr;
6633 BUG_ON(!nft_is_base_chain(ctx->chain));
6635 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
6636 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
6637 list_del(&rule->list);
6639 nf_tables_rule_release(ctx, rule);
6641 list_del(&ctx->chain->list);
6643 nf_tables_chain_destroy(ctx);
6647 EXPORT_SYMBOL_GPL(__nft_release_basechain);
6649 static void __nft_release_tables(struct net *net)
6651 struct nft_flowtable *flowtable, *nf;
6652 struct nft_table *table, *nt;
6653 struct nft_chain *chain, *nc;
6654 struct nft_object *obj, *ne;
6655 struct nft_rule *rule, *nr;
6656 struct nft_set *set, *ns;
6657 struct nft_ctx ctx = {
6659 .family = NFPROTO_NETDEV,
6662 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
6663 ctx.family = table->family;
6665 list_for_each_entry(chain, &table->chains, list)
6666 nf_tables_unregister_hook(net, table, chain);
6667 list_for_each_entry(flowtable, &table->flowtables, list)
6668 nf_unregister_net_hooks(net, flowtable->ops,
6669 flowtable->ops_len);
6670 /* No packets are walking on these chains anymore. */
6672 list_for_each_entry(chain, &table->chains, list) {
6674 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
6675 list_del(&rule->list);
6677 nf_tables_rule_release(&ctx, rule);
6680 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
6681 list_del(&flowtable->list);
6683 nf_tables_flowtable_destroy(flowtable);
6685 list_for_each_entry_safe(set, ns, &table->sets, list) {
6686 list_del(&set->list);
6688 nft_set_destroy(set);
6690 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6691 list_del(&obj->list);
6693 nft_obj_destroy(obj);
6695 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6697 list_del(&chain->list);
6699 nf_tables_chain_destroy(&ctx);
6701 list_del(&table->list);
6702 nf_tables_table_destroy(&ctx);
6706 static int __net_init nf_tables_init_net(struct net *net)
6708 INIT_LIST_HEAD(&net->nft.tables);
6709 INIT_LIST_HEAD(&net->nft.commit_list);
6710 net->nft.base_seq = 1;
6714 static void __net_exit nf_tables_exit_net(struct net *net)
6716 __nft_release_tables(net);
6717 WARN_ON_ONCE(!list_empty(&net->nft.tables));
6718 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6721 static struct pernet_operations nf_tables_net_ops = {
6722 .init = nf_tables_init_net,
6723 .exit = nf_tables_exit_net,
6726 static int __init nf_tables_module_init(void)
6730 nft_chain_filter_init();
6732 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6739 err = nf_tables_core_module_init();
6743 err = nfnetlink_subsys_register(&nf_tables_subsys);
6747 register_netdevice_notifier(&nf_tables_flowtable_notifier);
6749 return register_pernet_subsys(&nf_tables_net_ops);
6751 nf_tables_core_module_exit();
6758 static void __exit nf_tables_module_exit(void)
6760 unregister_pernet_subsys(&nf_tables_net_ops);
6761 nfnetlink_subsys_unregister(&nf_tables_subsys);
6762 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
6764 nf_tables_core_module_exit();
6766 nft_chain_filter_fini();
6769 module_init(nf_tables_module_init);
6770 module_exit(nf_tables_module_exit);
6772 MODULE_LICENSE("GPL");
6773 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6774 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux.git / blob