2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/rhashtable.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter/nfnetlink.h>
20 #include <linux/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_flow_table.h>
22 #include <net/netfilter/nf_tables_core.h>
23 #include <net/netfilter/nf_tables.h>
24 #include <net/net_namespace.h>
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
35 NFT_VALIDATE_SKIP = 0,
40 static struct rhltable nft_objname_ht;
42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
56 .automatic_shrinking = true,
59 static const struct rhashtable_params nft_objname_ht_params = {
60 .head_offset = offsetof(struct nft_object, rhlhead),
61 .key_offset = offsetof(struct nft_object, key),
62 .hashfn = nft_objname_hash,
63 .obj_hashfn = nft_objname_hash_obj,
64 .obj_cmpfn = nft_objname_hash_cmp,
65 .automatic_shrinking = true,
68 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 switch (net->nft.validate_state) {
71 case NFT_VALIDATE_SKIP:
72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 case NFT_VALIDATE_NEED:
77 if (new_validate_state == NFT_VALIDATE_NEED)
81 net->nft.validate_state = new_validate_state;
83 static void nf_tables_trans_destroy_work(struct work_struct *w);
84 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86 static void nft_ctx_init(struct nft_ctx *ctx,
88 const struct sk_buff *skb,
89 const struct nlmsghdr *nlh,
91 struct nft_table *table,
92 struct nft_chain *chain,
93 const struct nlattr * const *nla)
101 ctx->portid = NETLINK_CB(skb).portid;
102 ctx->report = nlmsg_report(nlh);
103 ctx->seq = nlh->nlmsg_seq;
106 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
107 int msg_type, u32 size, gfp_t gfp)
109 struct nft_trans *trans;
111 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
115 trans->msg_type = msg_type;
121 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
122 int msg_type, u32 size)
124 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
127 static void nft_trans_destroy(struct nft_trans *trans)
129 list_del(&trans->list);
133 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
135 struct net *net = ctx->net;
136 struct nft_trans *trans;
138 if (!nft_set_is_anonymous(set))
141 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
142 if (trans->msg_type == NFT_MSG_NEWSET &&
143 nft_trans_set(trans) == set) {
150 static int nf_tables_register_hook(struct net *net,
151 const struct nft_table *table,
152 struct nft_chain *chain)
154 const struct nft_base_chain *basechain;
155 const struct nf_hook_ops *ops;
157 if (table->flags & NFT_TABLE_F_DORMANT ||
158 !nft_is_base_chain(chain))
161 basechain = nft_base_chain(chain);
162 ops = &basechain->ops;
164 if (basechain->type->ops_register)
165 return basechain->type->ops_register(net, ops);
167 return nf_register_net_hook(net, ops);
170 static void nf_tables_unregister_hook(struct net *net,
171 const struct nft_table *table,
172 struct nft_chain *chain)
174 const struct nft_base_chain *basechain;
175 const struct nf_hook_ops *ops;
177 if (table->flags & NFT_TABLE_F_DORMANT ||
178 !nft_is_base_chain(chain))
180 basechain = nft_base_chain(chain);
181 ops = &basechain->ops;
183 if (basechain->type->ops_unregister)
184 return basechain->type->ops_unregister(net, ops);
186 nf_unregister_net_hook(net, ops);
189 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
191 struct nft_trans *trans;
193 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
197 if (msg_type == NFT_MSG_NEWTABLE)
198 nft_activate_next(ctx->net, ctx->table);
200 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
204 static int nft_deltable(struct nft_ctx *ctx)
208 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
212 nft_deactivate_next(ctx->net, ctx->table);
216 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
218 struct nft_trans *trans;
220 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
224 if (msg_type == NFT_MSG_NEWCHAIN)
225 nft_activate_next(ctx->net, ctx->chain);
227 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
231 static int nft_delchain(struct nft_ctx *ctx)
235 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
240 nft_deactivate_next(ctx->net, ctx->chain);
245 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
246 struct nft_rule *rule)
248 struct nft_expr *expr;
250 expr = nft_expr_first(rule);
251 while (expr != nft_expr_last(rule) && expr->ops) {
252 if (expr->ops->activate)
253 expr->ops->activate(ctx, expr);
255 expr = nft_expr_next(expr);
259 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
260 struct nft_rule *rule,
261 enum nft_trans_phase phase)
263 struct nft_expr *expr;
265 expr = nft_expr_first(rule);
266 while (expr != nft_expr_last(rule) && expr->ops) {
267 if (expr->ops->deactivate)
268 expr->ops->deactivate(ctx, expr, phase);
270 expr = nft_expr_next(expr);
275 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
277 /* You cannot delete the same rule twice */
278 if (nft_is_active_next(ctx->net, rule)) {
279 nft_deactivate_next(ctx->net, rule);
286 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
287 struct nft_rule *rule)
289 struct nft_trans *trans;
291 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
295 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
296 nft_trans_rule_id(trans) =
297 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
299 nft_trans_rule(trans) = rule;
300 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
305 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
307 struct nft_trans *trans;
310 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
314 err = nf_tables_delrule_deactivate(ctx, rule);
316 nft_trans_destroy(trans);
319 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
324 static int nft_delrule_by_chain(struct nft_ctx *ctx)
326 struct nft_rule *rule;
329 list_for_each_entry(rule, &ctx->chain->rules, list) {
330 if (!nft_is_active_next(ctx->net, rule))
333 err = nft_delrule(ctx, rule);
340 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
343 struct nft_trans *trans;
345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
349 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
350 nft_trans_set_id(trans) =
351 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
352 nft_activate_next(ctx->net, set);
354 nft_trans_set(trans) = set;
355 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
360 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
364 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
368 nft_deactivate_next(ctx->net, set);
374 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
375 struct nft_object *obj)
377 struct nft_trans *trans;
379 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
383 if (msg_type == NFT_MSG_NEWOBJ)
384 nft_activate_next(ctx->net, obj);
386 nft_trans_obj(trans) = obj;
387 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
392 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
396 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
400 nft_deactivate_next(ctx->net, obj);
406 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
407 struct nft_flowtable *flowtable)
409 struct nft_trans *trans;
411 trans = nft_trans_alloc(ctx, msg_type,
412 sizeof(struct nft_trans_flowtable));
416 if (msg_type == NFT_MSG_NEWFLOWTABLE)
417 nft_activate_next(ctx->net, flowtable);
419 nft_trans_flowtable(trans) = flowtable;
420 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
425 static int nft_delflowtable(struct nft_ctx *ctx,
426 struct nft_flowtable *flowtable)
430 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
434 nft_deactivate_next(ctx->net, flowtable);
444 static struct nft_table *nft_table_lookup(const struct net *net,
445 const struct nlattr *nla,
446 u8 family, u8 genmask)
448 struct nft_table *table;
451 return ERR_PTR(-EINVAL);
453 list_for_each_entry_rcu(table, &net->nft.tables, list) {
454 if (!nla_strcmp(nla, table->name) &&
455 table->family == family &&
456 nft_active_genmask(table, genmask))
460 return ERR_PTR(-ENOENT);
463 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
464 const struct nlattr *nla,
467 struct nft_table *table;
469 list_for_each_entry(table, &net->nft.tables, list) {
470 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
471 nft_active_genmask(table, genmask))
475 return ERR_PTR(-ENOENT);
478 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
480 return ++table->hgenerator;
483 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
485 static const struct nft_chain_type *
486 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
490 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
491 if (chain_type[family][i] != NULL &&
492 !nla_strcmp(nla, chain_type[family][i]->name))
493 return chain_type[family][i];
499 * Loading a module requires dropping mutex that guards the
501 * We first need to abort any pending transactions as once
502 * mutex is unlocked a different client could start a new
503 * transaction. It must not see any 'future generation'
504 * changes * as these changes will never happen.
506 #ifdef CONFIG_MODULES
507 static int __nf_tables_abort(struct net *net);
509 static void nft_request_module(struct net *net, const char *fmt, ...)
511 char module_name[MODULE_NAME_LEN];
515 __nf_tables_abort(net);
518 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
520 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
523 mutex_unlock(&net->nft.commit_mutex);
524 request_module("%s", module_name);
525 mutex_lock(&net->nft.commit_mutex);
529 static void lockdep_nfnl_nft_mutex_not_held(void)
531 #ifdef CONFIG_PROVE_LOCKING
532 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
536 static const struct nft_chain_type *
537 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
538 u8 family, bool autoload)
540 const struct nft_chain_type *type;
542 type = __nf_tables_chain_type_lookup(nla, family);
546 lockdep_nfnl_nft_mutex_not_held();
547 #ifdef CONFIG_MODULES
549 nft_request_module(net, "nft-chain-%u-%.*s", family,
550 nla_len(nla), (const char *)nla_data(nla));
551 type = __nf_tables_chain_type_lookup(nla, family);
553 return ERR_PTR(-EAGAIN);
556 return ERR_PTR(-ENOENT);
559 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
560 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
561 .len = NFT_TABLE_MAXNAMELEN - 1 },
562 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
563 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
566 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
567 u32 portid, u32 seq, int event, u32 flags,
568 int family, const struct nft_table *table)
570 struct nlmsghdr *nlh;
571 struct nfgenmsg *nfmsg;
573 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
574 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
576 goto nla_put_failure;
578 nfmsg = nlmsg_data(nlh);
579 nfmsg->nfgen_family = family;
580 nfmsg->version = NFNETLINK_V0;
581 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
583 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
584 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
585 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
586 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
588 goto nla_put_failure;
594 nlmsg_trim(skb, nlh);
598 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
604 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
607 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
611 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
612 event, 0, ctx->family, ctx->table);
618 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
619 ctx->report, GFP_KERNEL);
622 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
625 static int nf_tables_dump_tables(struct sk_buff *skb,
626 struct netlink_callback *cb)
628 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
629 const struct nft_table *table;
630 unsigned int idx = 0, s_idx = cb->args[0];
631 struct net *net = sock_net(skb->sk);
632 int family = nfmsg->nfgen_family;
635 cb->seq = net->nft.base_seq;
637 list_for_each_entry_rcu(table, &net->nft.tables, list) {
638 if (family != NFPROTO_UNSPEC && family != table->family)
644 memset(&cb->args[1], 0,
645 sizeof(cb->args) - sizeof(cb->args[0]));
646 if (!nft_is_active(net, table))
648 if (nf_tables_fill_table_info(skb, net,
649 NETLINK_CB(cb->skb).portid,
651 NFT_MSG_NEWTABLE, NLM_F_MULTI,
652 table->family, table) < 0)
655 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
665 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
666 const struct nlmsghdr *nlh,
667 struct netlink_dump_control *c)
671 if (!try_module_get(THIS_MODULE))
675 err = netlink_dump_start(nlsk, skb, nlh, c);
677 module_put(THIS_MODULE);
682 /* called with rcu_read_lock held */
683 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
684 struct sk_buff *skb, const struct nlmsghdr *nlh,
685 const struct nlattr * const nla[],
686 struct netlink_ext_ack *extack)
688 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
689 u8 genmask = nft_genmask_cur(net);
690 const struct nft_table *table;
691 struct sk_buff *skb2;
692 int family = nfmsg->nfgen_family;
695 if (nlh->nlmsg_flags & NLM_F_DUMP) {
696 struct netlink_dump_control c = {
697 .dump = nf_tables_dump_tables,
698 .module = THIS_MODULE,
701 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
704 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
706 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
707 return PTR_ERR(table);
710 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
714 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
715 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
720 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
727 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
729 struct nft_chain *chain;
732 list_for_each_entry(chain, &table->chains, list) {
733 if (!nft_is_active_next(net, chain))
735 if (!nft_is_base_chain(chain))
738 if (cnt && i++ == cnt)
741 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
745 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
747 struct nft_chain *chain;
750 list_for_each_entry(chain, &table->chains, list) {
751 if (!nft_is_active_next(net, chain))
753 if (!nft_is_base_chain(chain))
756 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
765 nft_table_disable(net, table, i);
769 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
771 nft_table_disable(net, table, 0);
774 static int nf_tables_updtable(struct nft_ctx *ctx)
776 struct nft_trans *trans;
780 if (!ctx->nla[NFTA_TABLE_FLAGS])
783 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
784 if (flags & ~NFT_TABLE_F_DORMANT)
787 if (flags == ctx->table->flags)
790 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
791 sizeof(struct nft_trans_table));
795 if ((flags & NFT_TABLE_F_DORMANT) &&
796 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
797 nft_trans_table_enable(trans) = false;
798 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
799 ctx->table->flags & NFT_TABLE_F_DORMANT) {
800 ret = nf_tables_table_enable(ctx->net, ctx->table);
802 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
803 nft_trans_table_enable(trans) = true;
809 nft_trans_table_update(trans) = true;
810 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
813 nft_trans_destroy(trans);
817 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
819 const char *name = data;
821 return jhash(name, strlen(name), seed);
824 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
826 const struct nft_chain *chain = data;
828 return nft_chain_hash(chain->name, 0, seed);
831 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
834 const struct nft_chain *chain = ptr;
835 const char *name = arg->key;
837 return strcmp(chain->name, name);
840 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
842 const struct nft_object_hash_key *k = data;
844 seed ^= hash_ptr(k->table, 32);
846 return jhash(k->name, strlen(k->name), seed);
849 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
851 const struct nft_object *obj = data;
853 return nft_objname_hash(&obj->key, 0, seed);
856 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
859 const struct nft_object_hash_key *k = arg->key;
860 const struct nft_object *obj = ptr;
862 if (obj->key.table != k->table)
865 return strcmp(obj->key.name, k->name);
868 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
869 struct sk_buff *skb, const struct nlmsghdr *nlh,
870 const struct nlattr * const nla[],
871 struct netlink_ext_ack *extack)
873 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
874 u8 genmask = nft_genmask_next(net);
875 int family = nfmsg->nfgen_family;
876 const struct nlattr *attr;
877 struct nft_table *table;
882 lockdep_assert_held(&net->nft.commit_mutex);
883 attr = nla[NFTA_TABLE_NAME];
884 table = nft_table_lookup(net, attr, family, genmask);
886 if (PTR_ERR(table) != -ENOENT)
887 return PTR_ERR(table);
889 if (nlh->nlmsg_flags & NLM_F_EXCL) {
890 NL_SET_BAD_ATTR(extack, attr);
893 if (nlh->nlmsg_flags & NLM_F_REPLACE)
896 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
897 return nf_tables_updtable(&ctx);
900 if (nla[NFTA_TABLE_FLAGS]) {
901 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
902 if (flags & ~NFT_TABLE_F_DORMANT)
907 table = kzalloc(sizeof(*table), GFP_KERNEL);
911 table->name = nla_strdup(attr, GFP_KERNEL);
912 if (table->name == NULL)
915 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
919 INIT_LIST_HEAD(&table->chains);
920 INIT_LIST_HEAD(&table->sets);
921 INIT_LIST_HEAD(&table->objects);
922 INIT_LIST_HEAD(&table->flowtables);
923 table->family = family;
924 table->flags = flags;
925 table->handle = ++table_handle;
927 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
928 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
932 list_add_tail_rcu(&table->list, &net->nft.tables);
935 rhltable_destroy(&table->chains_ht);
944 static int nft_flush_table(struct nft_ctx *ctx)
946 struct nft_flowtable *flowtable, *nft;
947 struct nft_chain *chain, *nc;
948 struct nft_object *obj, *ne;
949 struct nft_set *set, *ns;
952 list_for_each_entry(chain, &ctx->table->chains, list) {
953 if (!nft_is_active_next(ctx->net, chain))
958 err = nft_delrule_by_chain(ctx);
963 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
964 if (!nft_is_active_next(ctx->net, set))
967 if (nft_set_is_anonymous(set) &&
968 !list_empty(&set->bindings))
971 err = nft_delset(ctx, set);
976 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
977 err = nft_delflowtable(ctx, flowtable);
982 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
983 err = nft_delobj(ctx, obj);
988 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
989 if (!nft_is_active_next(ctx->net, chain))
994 err = nft_delchain(ctx);
999 err = nft_deltable(ctx);
1004 static int nft_flush(struct nft_ctx *ctx, int family)
1006 struct nft_table *table, *nt;
1007 const struct nlattr * const *nla = ctx->nla;
1010 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1011 if (family != AF_UNSPEC && table->family != family)
1014 ctx->family = table->family;
1016 if (!nft_is_active_next(ctx->net, table))
1019 if (nla[NFTA_TABLE_NAME] &&
1020 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1025 err = nft_flush_table(ctx);
1033 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1034 struct sk_buff *skb, const struct nlmsghdr *nlh,
1035 const struct nlattr * const nla[],
1036 struct netlink_ext_ack *extack)
1038 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1039 u8 genmask = nft_genmask_next(net);
1040 int family = nfmsg->nfgen_family;
1041 const struct nlattr *attr;
1042 struct nft_table *table;
1045 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1046 if (family == AF_UNSPEC ||
1047 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1048 return nft_flush(&ctx, family);
1050 if (nla[NFTA_TABLE_HANDLE]) {
1051 attr = nla[NFTA_TABLE_HANDLE];
1052 table = nft_table_lookup_byhandle(net, attr, genmask);
1054 attr = nla[NFTA_TABLE_NAME];
1055 table = nft_table_lookup(net, attr, family, genmask);
1058 if (IS_ERR(table)) {
1059 NL_SET_BAD_ATTR(extack, attr);
1060 return PTR_ERR(table);
1063 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1067 ctx.family = family;
1070 return nft_flush_table(&ctx);
1073 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1075 if (WARN_ON(ctx->table->use > 0))
1078 rhltable_destroy(&ctx->table->chains_ht);
1079 kfree(ctx->table->name);
1083 void nft_register_chain_type(const struct nft_chain_type *ctype)
1085 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1088 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1089 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1090 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1093 chain_type[ctype->family][ctype->type] = ctype;
1094 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1096 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1098 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1100 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1101 chain_type[ctype->family][ctype->type] = NULL;
1102 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1104 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1110 static struct nft_chain *
1111 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1113 struct nft_chain *chain;
1115 list_for_each_entry(chain, &table->chains, list) {
1116 if (chain->handle == handle &&
1117 nft_active_genmask(chain, genmask))
1121 return ERR_PTR(-ENOENT);
1124 static bool lockdep_commit_lock_is_held(const struct net *net)
1126 #ifdef CONFIG_PROVE_LOCKING
1127 return lockdep_is_held(&net->nft.commit_mutex);
1133 static struct nft_chain *nft_chain_lookup(struct net *net,
1134 struct nft_table *table,
1135 const struct nlattr *nla, u8 genmask)
1137 char search[NFT_CHAIN_MAXNAMELEN + 1];
1138 struct rhlist_head *tmp, *list;
1139 struct nft_chain *chain;
1142 return ERR_PTR(-EINVAL);
1144 nla_strlcpy(search, nla, sizeof(search));
1146 WARN_ON(!rcu_read_lock_held() &&
1147 !lockdep_commit_lock_is_held(net));
1149 chain = ERR_PTR(-ENOENT);
1151 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1155 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1156 if (nft_active_genmask(chain, genmask))
1159 chain = ERR_PTR(-ENOENT);
1165 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1166 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1167 .len = NFT_TABLE_MAXNAMELEN - 1 },
1168 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1169 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1170 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1171 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1172 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1173 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1174 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1177 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1178 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1179 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1180 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1181 .len = IFNAMSIZ - 1 },
1184 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1186 struct nft_stats *cpu_stats, total;
1187 struct nlattr *nest;
1192 memset(&total, 0, sizeof(total));
1193 for_each_possible_cpu(cpu) {
1194 cpu_stats = per_cpu_ptr(stats, cpu);
1196 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1197 pkts = cpu_stats->pkts;
1198 bytes = cpu_stats->bytes;
1199 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1201 total.bytes += bytes;
1203 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1205 goto nla_put_failure;
1207 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1208 NFTA_COUNTER_PAD) ||
1209 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1211 goto nla_put_failure;
1213 nla_nest_end(skb, nest);
1220 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1221 u32 portid, u32 seq, int event, u32 flags,
1222 int family, const struct nft_table *table,
1223 const struct nft_chain *chain)
1225 struct nlmsghdr *nlh;
1226 struct nfgenmsg *nfmsg;
1228 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1229 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1231 goto nla_put_failure;
1233 nfmsg = nlmsg_data(nlh);
1234 nfmsg->nfgen_family = family;
1235 nfmsg->version = NFNETLINK_V0;
1236 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1238 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1239 goto nla_put_failure;
1240 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1242 goto nla_put_failure;
1243 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1244 goto nla_put_failure;
1246 if (nft_is_base_chain(chain)) {
1247 const struct nft_base_chain *basechain = nft_base_chain(chain);
1248 const struct nf_hook_ops *ops = &basechain->ops;
1249 struct nlattr *nest;
1251 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1253 goto nla_put_failure;
1254 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1255 goto nla_put_failure;
1256 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1257 goto nla_put_failure;
1258 if (basechain->dev_name[0] &&
1259 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1260 goto nla_put_failure;
1261 nla_nest_end(skb, nest);
1263 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1264 htonl(basechain->policy)))
1265 goto nla_put_failure;
1267 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1268 goto nla_put_failure;
1270 if (rcu_access_pointer(basechain->stats) &&
1271 nft_dump_stats(skb, rcu_dereference(basechain->stats)))
1272 goto nla_put_failure;
1275 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1276 goto nla_put_failure;
1278 nlmsg_end(skb, nlh);
1282 nlmsg_trim(skb, nlh);
1286 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1288 struct sk_buff *skb;
1292 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1295 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1299 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1300 event, 0, ctx->family, ctx->table,
1307 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1308 ctx->report, GFP_KERNEL);
1311 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1314 static int nf_tables_dump_chains(struct sk_buff *skb,
1315 struct netlink_callback *cb)
1317 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1318 const struct nft_table *table;
1319 const struct nft_chain *chain;
1320 unsigned int idx = 0, s_idx = cb->args[0];
1321 struct net *net = sock_net(skb->sk);
1322 int family = nfmsg->nfgen_family;
1325 cb->seq = net->nft.base_seq;
1327 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1328 if (family != NFPROTO_UNSPEC && family != table->family)
1331 list_for_each_entry_rcu(chain, &table->chains, list) {
1335 memset(&cb->args[1], 0,
1336 sizeof(cb->args) - sizeof(cb->args[0]));
1337 if (!nft_is_active(net, chain))
1339 if (nf_tables_fill_chain_info(skb, net,
1340 NETLINK_CB(cb->skb).portid,
1344 table->family, table,
1348 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1359 /* called with rcu_read_lock held */
1360 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1361 struct sk_buff *skb, const struct nlmsghdr *nlh,
1362 const struct nlattr * const nla[],
1363 struct netlink_ext_ack *extack)
1365 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1366 u8 genmask = nft_genmask_cur(net);
1367 const struct nft_chain *chain;
1368 struct nft_table *table;
1369 struct sk_buff *skb2;
1370 int family = nfmsg->nfgen_family;
1373 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1374 struct netlink_dump_control c = {
1375 .dump = nf_tables_dump_chains,
1376 .module = THIS_MODULE,
1379 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1382 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1383 if (IS_ERR(table)) {
1384 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1385 return PTR_ERR(table);
1388 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1389 if (IS_ERR(chain)) {
1390 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1391 return PTR_ERR(chain);
1394 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1398 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1399 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1400 family, table, chain);
1404 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1411 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1412 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1413 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1416 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1418 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1419 struct nft_stats __percpu *newstats;
1420 struct nft_stats *stats;
1423 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1426 return ERR_PTR(err);
1428 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1429 return ERR_PTR(-EINVAL);
1431 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1432 if (newstats == NULL)
1433 return ERR_PTR(-ENOMEM);
1435 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1436 * are not exposed to userspace.
1439 stats = this_cpu_ptr(newstats);
1440 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1441 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1447 static void nft_chain_stats_replace(struct net *net,
1448 struct nft_base_chain *chain,
1449 struct nft_stats __percpu *newstats)
1451 struct nft_stats __percpu *oldstats;
1453 if (newstats == NULL)
1456 if (rcu_access_pointer(chain->stats)) {
1457 oldstats = rcu_dereference_protected(chain->stats,
1458 lockdep_commit_lock_is_held(net));
1459 rcu_assign_pointer(chain->stats, newstats);
1461 free_percpu(oldstats);
1463 rcu_assign_pointer(chain->stats, newstats);
1464 static_branch_inc(&nft_counters_enabled);
1468 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1470 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1471 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1477 /* should be NULL either via abort or via successful commit */
1478 WARN_ON_ONCE(chain->rules_next);
1479 kvfree(chain->rules_next);
1482 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1484 struct nft_chain *chain = ctx->chain;
1486 if (WARN_ON(chain->use > 0))
1489 /* no concurrent access possible anymore */
1490 nf_tables_chain_free_chain_rules(chain);
1492 if (nft_is_base_chain(chain)) {
1493 struct nft_base_chain *basechain = nft_base_chain(chain);
1495 module_put(basechain->type->owner);
1496 if (rcu_access_pointer(basechain->stats)) {
1497 static_branch_dec(&nft_counters_enabled);
1498 free_percpu(rcu_dereference_raw(basechain->stats));
1508 struct nft_chain_hook {
1511 const struct nft_chain_type *type;
1512 struct net_device *dev;
1515 static int nft_chain_parse_hook(struct net *net,
1516 const struct nlattr * const nla[],
1517 struct nft_chain_hook *hook, u8 family,
1520 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1521 const struct nft_chain_type *type;
1522 struct net_device *dev;
1525 lockdep_assert_held(&net->nft.commit_mutex);
1526 lockdep_nfnl_nft_mutex_not_held();
1528 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1529 nft_hook_policy, NULL);
1533 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1534 ha[NFTA_HOOK_PRIORITY] == NULL)
1537 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1538 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1540 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1541 if (nla[NFTA_CHAIN_TYPE]) {
1542 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1545 return PTR_ERR(type);
1547 if (!(type->hook_mask & (1 << hook->num)))
1550 if (type->type == NFT_CHAIN_T_NAT &&
1551 hook->priority <= NF_IP_PRI_CONNTRACK)
1554 if (!try_module_get(type->owner))
1560 if (family == NFPROTO_NETDEV) {
1561 char ifname[IFNAMSIZ];
1563 if (!ha[NFTA_HOOK_DEV]) {
1564 module_put(type->owner);
1568 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1569 dev = __dev_get_by_name(net, ifname);
1571 module_put(type->owner);
1575 } else if (ha[NFTA_HOOK_DEV]) {
1576 module_put(type->owner);
1583 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1585 module_put(hook->type->owner);
1588 struct nft_rules_old {
1590 struct nft_rule **start;
1593 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1596 if (alloc > INT_MAX)
1599 alloc += 1; /* NULL, ends rules */
1600 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1603 alloc *= sizeof(struct nft_rule *);
1604 alloc += sizeof(struct nft_rules_old);
1606 return kvmalloc(alloc, GFP_KERNEL);
1609 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1612 const struct nlattr * const *nla = ctx->nla;
1613 struct nft_table *table = ctx->table;
1614 struct nft_base_chain *basechain;
1615 struct nft_stats __percpu *stats;
1616 struct net *net = ctx->net;
1617 struct nft_chain *chain;
1618 struct nft_rule **rules;
1621 if (table->use == UINT_MAX)
1624 if (nla[NFTA_CHAIN_HOOK]) {
1625 struct nft_chain_hook hook;
1626 struct nf_hook_ops *ops;
1628 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1632 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1633 if (basechain == NULL) {
1634 nft_chain_release_hook(&hook);
1638 if (hook.dev != NULL)
1639 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1641 if (nla[NFTA_CHAIN_COUNTERS]) {
1642 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1643 if (IS_ERR(stats)) {
1644 nft_chain_release_hook(&hook);
1646 return PTR_ERR(stats);
1648 rcu_assign_pointer(basechain->stats, stats);
1649 static_branch_inc(&nft_counters_enabled);
1652 basechain->type = hook.type;
1653 chain = &basechain->chain;
1655 ops = &basechain->ops;
1657 ops->hooknum = hook.num;
1658 ops->priority = hook.priority;
1660 ops->hook = hook.type->hooks[ops->hooknum];
1661 ops->dev = hook.dev;
1663 chain->flags |= NFT_BASE_CHAIN;
1664 basechain->policy = policy;
1666 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1672 INIT_LIST_HEAD(&chain->rules);
1673 chain->handle = nf_tables_alloc_handle(table);
1674 chain->table = table;
1675 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1681 rules = nf_tables_chain_alloc_rules(chain, 0);
1688 rcu_assign_pointer(chain->rules_gen_0, rules);
1689 rcu_assign_pointer(chain->rules_gen_1, rules);
1691 err = nf_tables_register_hook(net, table, chain);
1695 err = rhltable_insert_key(&table->chains_ht, chain->name,
1696 &chain->rhlhead, nft_chain_ht_params);
1700 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1702 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1703 nft_chain_ht_params);
1708 list_add_tail_rcu(&chain->list, &table->chains);
1712 nf_tables_unregister_hook(net, table, chain);
1714 nf_tables_chain_destroy(ctx);
1719 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
1721 const struct nlattr * const *nla = ctx->nla;
1722 struct nft_table *table = ctx->table;
1723 struct nft_chain *chain = ctx->chain;
1724 struct nft_base_chain *basechain;
1725 struct nft_stats *stats = NULL;
1726 struct nft_chain_hook hook;
1727 struct nf_hook_ops *ops;
1728 struct nft_trans *trans;
1731 if (nla[NFTA_CHAIN_HOOK]) {
1732 if (!nft_is_base_chain(chain))
1735 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1740 basechain = nft_base_chain(chain);
1741 if (basechain->type != hook.type) {
1742 nft_chain_release_hook(&hook);
1746 ops = &basechain->ops;
1747 if (ops->hooknum != hook.num ||
1748 ops->priority != hook.priority ||
1749 ops->dev != hook.dev) {
1750 nft_chain_release_hook(&hook);
1753 nft_chain_release_hook(&hook);
1756 if (nla[NFTA_CHAIN_HANDLE] &&
1757 nla[NFTA_CHAIN_NAME]) {
1758 struct nft_chain *chain2;
1760 chain2 = nft_chain_lookup(ctx->net, table,
1761 nla[NFTA_CHAIN_NAME], genmask);
1762 if (!IS_ERR(chain2))
1766 if (nla[NFTA_CHAIN_COUNTERS]) {
1767 if (!nft_is_base_chain(chain))
1770 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1772 return PTR_ERR(stats);
1776 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1777 sizeof(struct nft_trans_chain));
1781 nft_trans_chain_stats(trans) = stats;
1782 nft_trans_chain_update(trans) = true;
1784 if (nla[NFTA_CHAIN_POLICY])
1785 nft_trans_chain_policy(trans) = policy;
1787 nft_trans_chain_policy(trans) = -1;
1789 if (nla[NFTA_CHAIN_HANDLE] &&
1790 nla[NFTA_CHAIN_NAME]) {
1791 struct nft_trans *tmp;
1795 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1800 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1801 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1802 tmp->ctx.table == table &&
1803 nft_trans_chain_update(tmp) &&
1804 nft_trans_chain_name(tmp) &&
1805 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1811 nft_trans_chain_name(trans) = name;
1813 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1822 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1823 struct sk_buff *skb, const struct nlmsghdr *nlh,
1824 const struct nlattr * const nla[],
1825 struct netlink_ext_ack *extack)
1827 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1828 u8 genmask = nft_genmask_next(net);
1829 int family = nfmsg->nfgen_family;
1830 const struct nlattr *attr;
1831 struct nft_table *table;
1832 struct nft_chain *chain;
1833 u8 policy = NF_ACCEPT;
1837 lockdep_assert_held(&net->nft.commit_mutex);
1839 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1840 if (IS_ERR(table)) {
1841 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1842 return PTR_ERR(table);
1846 attr = nla[NFTA_CHAIN_NAME];
1848 if (nla[NFTA_CHAIN_HANDLE]) {
1849 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1850 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1851 if (IS_ERR(chain)) {
1852 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1853 return PTR_ERR(chain);
1855 attr = nla[NFTA_CHAIN_HANDLE];
1857 chain = nft_chain_lookup(net, table, attr, genmask);
1858 if (IS_ERR(chain)) {
1859 if (PTR_ERR(chain) != -ENOENT) {
1860 NL_SET_BAD_ATTR(extack, attr);
1861 return PTR_ERR(chain);
1867 if (nla[NFTA_CHAIN_POLICY]) {
1868 if (chain != NULL &&
1869 !nft_is_base_chain(chain)) {
1870 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1874 if (chain == NULL &&
1875 nla[NFTA_CHAIN_HOOK] == NULL) {
1876 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1880 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1890 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1892 if (chain != NULL) {
1893 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1894 NL_SET_BAD_ATTR(extack, attr);
1897 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1900 return nf_tables_updchain(&ctx, genmask, policy);
1903 return nf_tables_addchain(&ctx, family, genmask, policy);
1906 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1907 struct sk_buff *skb, const struct nlmsghdr *nlh,
1908 const struct nlattr * const nla[],
1909 struct netlink_ext_ack *extack)
1911 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1912 u8 genmask = nft_genmask_next(net);
1913 int family = nfmsg->nfgen_family;
1914 const struct nlattr *attr;
1915 struct nft_table *table;
1916 struct nft_chain *chain;
1917 struct nft_rule *rule;
1923 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1924 if (IS_ERR(table)) {
1925 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1926 return PTR_ERR(table);
1929 if (nla[NFTA_CHAIN_HANDLE]) {
1930 attr = nla[NFTA_CHAIN_HANDLE];
1931 handle = be64_to_cpu(nla_get_be64(attr));
1932 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1934 attr = nla[NFTA_CHAIN_NAME];
1935 chain = nft_chain_lookup(net, table, attr, genmask);
1937 if (IS_ERR(chain)) {
1938 NL_SET_BAD_ATTR(extack, attr);
1939 return PTR_ERR(chain);
1942 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1946 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1949 list_for_each_entry(rule, &chain->rules, list) {
1950 if (!nft_is_active_next(net, rule))
1954 err = nft_delrule(&ctx, rule);
1959 /* There are rules and elements that are still holding references to us,
1960 * we cannot do a recursive removal in this case.
1963 NL_SET_BAD_ATTR(extack, attr);
1967 return nft_delchain(&ctx);
1975 * nft_register_expr - register nf_tables expr type
1978 * Registers the expr type for use with nf_tables. Returns zero on
1979 * success or a negative errno code otherwise.
1981 int nft_register_expr(struct nft_expr_type *type)
1983 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1984 if (type->family == NFPROTO_UNSPEC)
1985 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1987 list_add_rcu(&type->list, &nf_tables_expressions);
1988 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1991 EXPORT_SYMBOL_GPL(nft_register_expr);
1994 * nft_unregister_expr - unregister nf_tables expr type
1997 * Unregisters the expr typefor use with nf_tables.
1999 void nft_unregister_expr(struct nft_expr_type *type)
2001 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2002 list_del_rcu(&type->list);
2003 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2005 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2007 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2010 const struct nft_expr_type *type;
2012 list_for_each_entry(type, &nf_tables_expressions, list) {
2013 if (!nla_strcmp(nla, type->name) &&
2014 (!type->family || type->family == family))
2020 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2024 const struct nft_expr_type *type;
2027 return ERR_PTR(-EINVAL);
2029 type = __nft_expr_type_get(family, nla);
2030 if (type != NULL && try_module_get(type->owner))
2033 lockdep_nfnl_nft_mutex_not_held();
2034 #ifdef CONFIG_MODULES
2036 nft_request_module(net, "nft-expr-%u-%.*s", family,
2037 nla_len(nla), (char *)nla_data(nla));
2038 if (__nft_expr_type_get(family, nla))
2039 return ERR_PTR(-EAGAIN);
2041 nft_request_module(net, "nft-expr-%.*s",
2042 nla_len(nla), (char *)nla_data(nla));
2043 if (__nft_expr_type_get(family, nla))
2044 return ERR_PTR(-EAGAIN);
2047 return ERR_PTR(-ENOENT);
2050 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2051 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2052 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2055 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2056 const struct nft_expr *expr)
2058 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2059 goto nla_put_failure;
2061 if (expr->ops->dump) {
2062 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
2064 goto nla_put_failure;
2065 if (expr->ops->dump(skb, expr) < 0)
2066 goto nla_put_failure;
2067 nla_nest_end(skb, data);
2076 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2077 const struct nft_expr *expr)
2079 struct nlattr *nest;
2081 nest = nla_nest_start(skb, attr);
2083 goto nla_put_failure;
2084 if (nf_tables_fill_expr_info(skb, expr) < 0)
2085 goto nla_put_failure;
2086 nla_nest_end(skb, nest);
2093 struct nft_expr_info {
2094 const struct nft_expr_ops *ops;
2095 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2098 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2099 const struct nlattr *nla,
2100 struct nft_expr_info *info)
2102 const struct nft_expr_type *type;
2103 const struct nft_expr_ops *ops;
2104 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2107 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
2111 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2113 return PTR_ERR(type);
2115 if (tb[NFTA_EXPR_DATA]) {
2116 err = nla_parse_nested(info->tb, type->maxattr,
2117 tb[NFTA_EXPR_DATA], type->policy, NULL);
2121 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2123 if (type->select_ops != NULL) {
2124 ops = type->select_ops(ctx,
2125 (const struct nlattr * const *)info->tb);
2137 module_put(type->owner);
2141 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2142 const struct nft_expr_info *info,
2143 struct nft_expr *expr)
2145 const struct nft_expr_ops *ops = info->ops;
2150 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2161 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2162 struct nft_expr *expr)
2164 const struct nft_expr_type *type = expr->ops->type;
2166 if (expr->ops->destroy)
2167 expr->ops->destroy(ctx, expr);
2168 module_put(type->owner);
2171 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2172 const struct nlattr *nla)
2174 struct nft_expr_info info;
2175 struct nft_expr *expr;
2176 struct module *owner;
2179 err = nf_tables_expr_parse(ctx, nla, &info);
2184 expr = kzalloc(info.ops->size, GFP_KERNEL);
2188 err = nf_tables_newexpr(ctx, &info, expr);
2196 owner = info.ops->type->owner;
2197 if (info.ops->type->release_ops)
2198 info.ops->type->release_ops(info.ops);
2202 return ERR_PTR(err);
2205 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2207 nf_tables_expr_destroy(ctx, expr);
2215 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2218 struct nft_rule *rule;
2220 // FIXME: this sucks
2221 list_for_each_entry_rcu(rule, &chain->rules, list) {
2222 if (handle == rule->handle)
2226 return ERR_PTR(-ENOENT);
2229 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2230 const struct nlattr *nla)
2233 return ERR_PTR(-EINVAL);
2235 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2238 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2239 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2240 .len = NFT_TABLE_MAXNAMELEN - 1 },
2241 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2242 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2243 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2244 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2245 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2246 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2247 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2248 .len = NFT_USERDATA_MAXLEN },
2249 [NFTA_RULE_ID] = { .type = NLA_U32 },
2250 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2253 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2254 u32 portid, u32 seq, int event,
2255 u32 flags, int family,
2256 const struct nft_table *table,
2257 const struct nft_chain *chain,
2258 const struct nft_rule *rule)
2260 struct nlmsghdr *nlh;
2261 struct nfgenmsg *nfmsg;
2262 const struct nft_expr *expr, *next;
2263 struct nlattr *list;
2264 const struct nft_rule *prule;
2265 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2267 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2269 goto nla_put_failure;
2271 nfmsg = nlmsg_data(nlh);
2272 nfmsg->nfgen_family = family;
2273 nfmsg->version = NFNETLINK_V0;
2274 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2276 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2277 goto nla_put_failure;
2278 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2279 goto nla_put_failure;
2280 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2282 goto nla_put_failure;
2284 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2285 prule = list_prev_entry(rule, list);
2286 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2287 cpu_to_be64(prule->handle),
2289 goto nla_put_failure;
2292 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2294 goto nla_put_failure;
2295 nft_rule_for_each_expr(expr, next, rule) {
2296 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2297 goto nla_put_failure;
2299 nla_nest_end(skb, list);
2302 struct nft_userdata *udata = nft_userdata(rule);
2303 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2305 goto nla_put_failure;
2308 nlmsg_end(skb, nlh);
2312 nlmsg_trim(skb, nlh);
2316 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2317 const struct nft_rule *rule, int event)
2319 struct sk_buff *skb;
2323 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2326 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2330 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2331 event, 0, ctx->family, ctx->table,
2338 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2339 ctx->report, GFP_KERNEL);
2342 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2345 struct nft_rule_dump_ctx {
2350 static int __nf_tables_dump_rules(struct sk_buff *skb,
2352 struct netlink_callback *cb,
2353 const struct nft_table *table,
2354 const struct nft_chain *chain)
2356 struct net *net = sock_net(skb->sk);
2357 unsigned int s_idx = cb->args[0];
2358 const struct nft_rule *rule;
2360 list_for_each_entry_rcu(rule, &chain->rules, list) {
2361 if (!nft_is_active(net, rule))
2366 memset(&cb->args[1], 0,
2367 sizeof(cb->args) - sizeof(cb->args[0]));
2369 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2372 NLM_F_MULTI | NLM_F_APPEND,
2374 table, chain, rule) < 0)
2377 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2384 static int nf_tables_dump_rules(struct sk_buff *skb,
2385 struct netlink_callback *cb)
2387 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2388 const struct nft_rule_dump_ctx *ctx = cb->data;
2389 struct nft_table *table;
2390 const struct nft_chain *chain;
2391 unsigned int idx = 0;
2392 struct net *net = sock_net(skb->sk);
2393 int family = nfmsg->nfgen_family;
2396 cb->seq = net->nft.base_seq;
2398 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2399 if (family != NFPROTO_UNSPEC && family != table->family)
2402 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2405 if (ctx && ctx->table && ctx->chain) {
2406 struct rhlist_head *list, *tmp;
2408 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2409 nft_chain_ht_params);
2413 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2414 if (!nft_is_active(net, chain))
2416 __nf_tables_dump_rules(skb, &idx,
2423 list_for_each_entry_rcu(chain, &table->chains, list) {
2424 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2428 if (ctx && ctx->table)
2438 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2440 const struct nlattr * const *nla = cb->data;
2441 struct nft_rule_dump_ctx *ctx = NULL;
2443 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2444 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2448 if (nla[NFTA_RULE_TABLE]) {
2449 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2456 if (nla[NFTA_RULE_CHAIN]) {
2457 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2471 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2473 struct nft_rule_dump_ctx *ctx = cb->data;
2483 /* called with rcu_read_lock held */
2484 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2485 struct sk_buff *skb, const struct nlmsghdr *nlh,
2486 const struct nlattr * const nla[],
2487 struct netlink_ext_ack *extack)
2489 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2490 u8 genmask = nft_genmask_cur(net);
2491 const struct nft_chain *chain;
2492 const struct nft_rule *rule;
2493 struct nft_table *table;
2494 struct sk_buff *skb2;
2495 int family = nfmsg->nfgen_family;
2498 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2499 struct netlink_dump_control c = {
2500 .start= nf_tables_dump_rules_start,
2501 .dump = nf_tables_dump_rules,
2502 .done = nf_tables_dump_rules_done,
2503 .module = THIS_MODULE,
2504 .data = (void *)nla,
2507 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2510 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2511 if (IS_ERR(table)) {
2512 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2513 return PTR_ERR(table);
2516 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2517 if (IS_ERR(chain)) {
2518 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2519 return PTR_ERR(chain);
2522 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2524 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2525 return PTR_ERR(rule);
2528 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2532 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2533 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2534 family, table, chain, rule);
2538 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2545 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2546 struct nft_rule *rule)
2548 struct nft_expr *expr, *next;
2551 * Careful: some expressions might not be initialized in case this
2552 * is called on error from nf_tables_newrule().
2554 expr = nft_expr_first(rule);
2555 while (expr != nft_expr_last(rule) && expr->ops) {
2556 next = nft_expr_next(expr);
2557 nf_tables_expr_destroy(ctx, expr);
2563 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2564 struct nft_rule *rule)
2566 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2567 nf_tables_rule_destroy(ctx, rule);
2570 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2572 struct nft_expr *expr, *last;
2573 const struct nft_data *data;
2574 struct nft_rule *rule;
2577 if (ctx->level == NFT_JUMP_STACK_SIZE)
2580 list_for_each_entry(rule, &chain->rules, list) {
2581 if (!nft_is_active_next(ctx->net, rule))
2584 nft_rule_for_each_expr(expr, last, rule) {
2585 if (!expr->ops->validate)
2588 err = expr->ops->validate(ctx, expr, &data);
2596 EXPORT_SYMBOL_GPL(nft_chain_validate);
2598 static int nft_table_validate(struct net *net, const struct nft_table *table)
2600 struct nft_chain *chain;
2601 struct nft_ctx ctx = {
2603 .family = table->family,
2607 list_for_each_entry(chain, &table->chains, list) {
2608 if (!nft_is_base_chain(chain))
2612 err = nft_chain_validate(&ctx, chain);
2620 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2621 const struct nlattr *nla);
2623 #define NFT_RULE_MAXEXPRS 128
2625 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2626 struct sk_buff *skb, const struct nlmsghdr *nlh,
2627 const struct nlattr * const nla[],
2628 struct netlink_ext_ack *extack)
2630 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2631 u8 genmask = nft_genmask_next(net);
2632 struct nft_expr_info *info = NULL;
2633 int family = nfmsg->nfgen_family;
2634 struct nft_table *table;
2635 struct nft_chain *chain;
2636 struct nft_rule *rule, *old_rule = NULL;
2637 struct nft_userdata *udata;
2638 struct nft_trans *trans = NULL;
2639 struct nft_expr *expr;
2642 unsigned int size, i, n, ulen = 0, usize = 0;
2644 u64 handle, pos_handle;
2646 lockdep_assert_held(&net->nft.commit_mutex);
2648 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2649 if (IS_ERR(table)) {
2650 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2651 return PTR_ERR(table);
2654 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2655 if (IS_ERR(chain)) {
2656 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2657 return PTR_ERR(chain);
2660 if (nla[NFTA_RULE_HANDLE]) {
2661 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2662 rule = __nft_rule_lookup(chain, handle);
2664 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2665 return PTR_ERR(rule);
2668 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2669 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2672 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2677 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2678 nlh->nlmsg_flags & NLM_F_REPLACE)
2680 handle = nf_tables_alloc_handle(table);
2682 if (chain->use == UINT_MAX)
2685 if (nla[NFTA_RULE_POSITION]) {
2686 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2687 old_rule = __nft_rule_lookup(chain, pos_handle);
2688 if (IS_ERR(old_rule)) {
2689 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2690 return PTR_ERR(old_rule);
2692 } else if (nla[NFTA_RULE_POSITION_ID]) {
2693 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
2694 if (IS_ERR(old_rule)) {
2695 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2696 return PTR_ERR(old_rule);
2701 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2705 if (nla[NFTA_RULE_EXPRESSIONS]) {
2706 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2707 sizeof(struct nft_expr_info),
2712 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2714 if (nla_type(tmp) != NFTA_LIST_ELEM)
2716 if (n == NFT_RULE_MAXEXPRS)
2718 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2721 size += info[n].ops->size;
2725 /* Check for overflow of dlen field */
2727 if (size >= 1 << 12)
2730 if (nla[NFTA_RULE_USERDATA]) {
2731 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2733 usize = sizeof(struct nft_userdata) + ulen;
2737 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2741 nft_activate_next(net, rule);
2743 rule->handle = handle;
2745 rule->udata = ulen ? 1 : 0;
2748 udata = nft_userdata(rule);
2749 udata->len = ulen - 1;
2750 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2753 expr = nft_expr_first(rule);
2754 for (i = 0; i < n; i++) {
2755 err = nf_tables_newexpr(&ctx, &info[i], expr);
2759 if (info[i].ops->validate)
2760 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2763 expr = nft_expr_next(expr);
2766 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2767 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2768 if (trans == NULL) {
2772 err = nft_delrule(&ctx, old_rule);
2774 nft_trans_destroy(trans);
2778 list_add_tail_rcu(&rule->list, &old_rule->list);
2780 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2785 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2787 list_add_rcu(&rule->list, &old_rule->list);
2789 list_add_tail_rcu(&rule->list, &chain->rules);
2792 list_add_tail_rcu(&rule->list, &old_rule->list);
2794 list_add_rcu(&rule->list, &chain->rules);
2800 if (net->nft.validate_state == NFT_VALIDATE_DO)
2801 return nft_table_validate(net, table);
2805 nf_tables_rule_release(&ctx, rule);
2807 for (i = 0; i < n; i++) {
2809 module_put(info[i].ops->type->owner);
2810 if (info[i].ops->type->release_ops)
2811 info[i].ops->type->release_ops(info[i].ops);
2818 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2819 const struct nlattr *nla)
2821 u32 id = ntohl(nla_get_be32(nla));
2822 struct nft_trans *trans;
2824 list_for_each_entry(trans, &net->nft.commit_list, list) {
2825 struct nft_rule *rule = nft_trans_rule(trans);
2827 if (trans->msg_type == NFT_MSG_NEWRULE &&
2828 id == nft_trans_rule_id(trans))
2831 return ERR_PTR(-ENOENT);
2834 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2835 struct sk_buff *skb, const struct nlmsghdr *nlh,
2836 const struct nlattr * const nla[],
2837 struct netlink_ext_ack *extack)
2839 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2840 u8 genmask = nft_genmask_next(net);
2841 struct nft_table *table;
2842 struct nft_chain *chain = NULL;
2843 struct nft_rule *rule;
2844 int family = nfmsg->nfgen_family, err = 0;
2847 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2848 if (IS_ERR(table)) {
2849 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2850 return PTR_ERR(table);
2853 if (nla[NFTA_RULE_CHAIN]) {
2854 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2856 if (IS_ERR(chain)) {
2857 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2858 return PTR_ERR(chain);
2862 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2865 if (nla[NFTA_RULE_HANDLE]) {
2866 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2868 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2869 return PTR_ERR(rule);
2872 err = nft_delrule(&ctx, rule);
2873 } else if (nla[NFTA_RULE_ID]) {
2874 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2876 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2877 return PTR_ERR(rule);
2880 err = nft_delrule(&ctx, rule);
2882 err = nft_delrule_by_chain(&ctx);
2885 list_for_each_entry(chain, &table->chains, list) {
2886 if (!nft_is_active_next(net, chain))
2890 err = nft_delrule_by_chain(&ctx);
2903 static LIST_HEAD(nf_tables_set_types);
2905 int nft_register_set(struct nft_set_type *type)
2907 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2908 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2909 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2912 EXPORT_SYMBOL_GPL(nft_register_set);
2914 void nft_unregister_set(struct nft_set_type *type)
2916 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2917 list_del_rcu(&type->list);
2918 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2920 EXPORT_SYMBOL_GPL(nft_unregister_set);
2922 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2923 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2926 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2928 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2932 * Select a set implementation based on the data characteristics and the
2933 * given policy. The total memory use might not be known if no size is
2934 * given, in that case the amount of memory per element is used.
2936 static const struct nft_set_ops *
2937 nft_select_set_ops(const struct nft_ctx *ctx,
2938 const struct nlattr * const nla[],
2939 const struct nft_set_desc *desc,
2940 enum nft_set_policies policy)
2942 const struct nft_set_ops *ops, *bops;
2943 struct nft_set_estimate est, best;
2944 const struct nft_set_type *type;
2947 lockdep_assert_held(&ctx->net->nft.commit_mutex);
2948 lockdep_nfnl_nft_mutex_not_held();
2949 #ifdef CONFIG_MODULES
2950 if (list_empty(&nf_tables_set_types)) {
2951 nft_request_module(ctx->net, "nft-set");
2952 if (!list_empty(&nf_tables_set_types))
2953 return ERR_PTR(-EAGAIN);
2956 if (nla[NFTA_SET_FLAGS] != NULL)
2957 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2964 list_for_each_entry(type, &nf_tables_set_types, list) {
2967 if (!nft_set_ops_candidate(type, flags))
2969 if (!ops->estimate(desc, flags, &est))
2973 case NFT_SET_POL_PERFORMANCE:
2974 if (est.lookup < best.lookup)
2976 if (est.lookup == best.lookup &&
2977 est.space < best.space)
2980 case NFT_SET_POL_MEMORY:
2982 if (est.space < best.space)
2984 if (est.space == best.space &&
2985 est.lookup < best.lookup)
2987 } else if (est.size < best.size || !bops) {
2995 if (!try_module_get(type->owner))
2998 module_put(to_set_type(bops)->owner);
3007 return ERR_PTR(-EOPNOTSUPP);
3010 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3011 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3012 .len = NFT_TABLE_MAXNAMELEN - 1 },
3013 [NFTA_SET_NAME] = { .type = NLA_STRING,
3014 .len = NFT_SET_MAXNAMELEN - 1 },
3015 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3016 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3017 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3018 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3019 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3020 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3021 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3022 [NFTA_SET_ID] = { .type = NLA_U32 },
3023 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3024 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3025 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3026 .len = NFT_USERDATA_MAXLEN },
3027 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3028 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3031 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3032 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3035 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3036 const struct sk_buff *skb,
3037 const struct nlmsghdr *nlh,
3038 const struct nlattr * const nla[],
3039 struct netlink_ext_ack *extack,
3042 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3043 int family = nfmsg->nfgen_family;
3044 struct nft_table *table = NULL;
3046 if (nla[NFTA_SET_TABLE] != NULL) {
3047 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3049 if (IS_ERR(table)) {
3050 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3051 return PTR_ERR(table);
3055 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3059 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3060 const struct nlattr *nla, u8 genmask)
3062 struct nft_set *set;
3065 return ERR_PTR(-EINVAL);
3067 list_for_each_entry_rcu(set, &table->sets, list) {
3068 if (!nla_strcmp(nla, set->name) &&
3069 nft_active_genmask(set, genmask))
3072 return ERR_PTR(-ENOENT);
3075 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3076 const struct nlattr *nla,
3079 struct nft_set *set;
3081 list_for_each_entry(set, &table->sets, list) {
3082 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3083 nft_active_genmask(set, genmask))
3086 return ERR_PTR(-ENOENT);
3089 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3090 const struct nlattr *nla, u8 genmask)
3092 struct nft_trans *trans;
3093 u32 id = ntohl(nla_get_be32(nla));
3095 list_for_each_entry(trans, &net->nft.commit_list, list) {
3096 if (trans->msg_type == NFT_MSG_NEWSET) {
3097 struct nft_set *set = nft_trans_set(trans);
3099 if (id == nft_trans_set_id(trans) &&
3100 nft_active_genmask(set, genmask))
3104 return ERR_PTR(-ENOENT);
3107 struct nft_set *nft_set_lookup_global(const struct net *net,
3108 const struct nft_table *table,
3109 const struct nlattr *nla_set_name,
3110 const struct nlattr *nla_set_id,
3113 struct nft_set *set;
3115 set = nft_set_lookup(table, nla_set_name, genmask);
3120 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3124 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3126 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3129 const struct nft_set *i;
3131 unsigned long *inuse;
3132 unsigned int n = 0, min = 0;
3134 p = strchr(name, '%');
3136 if (p[1] != 'd' || strchr(p + 2, '%'))
3139 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3143 list_for_each_entry(i, &ctx->table->sets, list) {
3146 if (!nft_is_active_next(ctx->net, set))
3148 if (!sscanf(i->name, name, &tmp))
3150 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3153 set_bit(tmp - min, inuse);
3156 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3157 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3158 min += BITS_PER_BYTE * PAGE_SIZE;
3159 memset(inuse, 0, PAGE_SIZE);
3162 free_page((unsigned long)inuse);
3165 set->name = kasprintf(GFP_KERNEL, name, min + n);
3169 list_for_each_entry(i, &ctx->table->sets, list) {
3170 if (!nft_is_active_next(ctx->net, i))
3172 if (!strcmp(set->name, i->name)) {
3180 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3182 u64 ms = be64_to_cpu(nla_get_be64(nla));
3183 u64 max = (u64)(~((u64)0));
3185 max = div_u64(max, NSEC_PER_MSEC);
3189 ms *= NSEC_PER_MSEC;
3190 *result = nsecs_to_jiffies64(ms);
3194 static __be64 nf_jiffies64_to_msecs(u64 input)
3196 u64 ms = jiffies64_to_nsecs(input);
3198 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
3201 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3202 const struct nft_set *set, u16 event, u16 flags)
3204 struct nfgenmsg *nfmsg;
3205 struct nlmsghdr *nlh;
3206 struct nlattr *desc;
3207 u32 portid = ctx->portid;
3210 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3211 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3214 goto nla_put_failure;
3216 nfmsg = nlmsg_data(nlh);
3217 nfmsg->nfgen_family = ctx->family;
3218 nfmsg->version = NFNETLINK_V0;
3219 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3221 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3222 goto nla_put_failure;
3223 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3224 goto nla_put_failure;
3225 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3227 goto nla_put_failure;
3228 if (set->flags != 0)
3229 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3230 goto nla_put_failure;
3232 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3233 goto nla_put_failure;
3234 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3235 goto nla_put_failure;
3236 if (set->flags & NFT_SET_MAP) {
3237 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3238 goto nla_put_failure;
3239 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3240 goto nla_put_failure;
3242 if (set->flags & NFT_SET_OBJECT &&
3243 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3244 goto nla_put_failure;
3247 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3248 nf_jiffies64_to_msecs(set->timeout),
3250 goto nla_put_failure;
3252 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3253 goto nla_put_failure;
3255 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3256 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3257 goto nla_put_failure;
3260 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3261 goto nla_put_failure;
3263 desc = nla_nest_start(skb, NFTA_SET_DESC);
3265 goto nla_put_failure;
3267 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3268 goto nla_put_failure;
3269 nla_nest_end(skb, desc);
3271 nlmsg_end(skb, nlh);
3275 nlmsg_trim(skb, nlh);
3279 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3280 const struct nft_set *set, int event,
3283 struct sk_buff *skb;
3284 u32 portid = ctx->portid;
3288 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3291 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3295 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3301 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3305 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3308 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3310 const struct nft_set *set;
3311 unsigned int idx, s_idx = cb->args[0];
3312 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3313 struct net *net = sock_net(skb->sk);
3314 struct nft_ctx *ctx = cb->data, ctx_set;
3320 cb->seq = net->nft.base_seq;
3322 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3323 if (ctx->family != NFPROTO_UNSPEC &&
3324 ctx->family != table->family)
3327 if (ctx->table && ctx->table != table)
3331 if (cur_table != table)
3337 list_for_each_entry_rcu(set, &table->sets, list) {
3340 if (!nft_is_active(net, set))
3344 ctx_set.table = table;
3345 ctx_set.family = table->family;
3347 if (nf_tables_fill_set(skb, &ctx_set, set,
3351 cb->args[2] = (unsigned long) table;
3354 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3367 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3369 struct nft_ctx *ctx_dump = NULL;
3371 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3372 if (ctx_dump == NULL)
3375 cb->data = ctx_dump;
3379 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3385 /* called with rcu_read_lock held */
3386 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3387 struct sk_buff *skb, const struct nlmsghdr *nlh,
3388 const struct nlattr * const nla[],
3389 struct netlink_ext_ack *extack)
3391 u8 genmask = nft_genmask_cur(net);
3392 const struct nft_set *set;
3394 struct sk_buff *skb2;
3395 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3398 /* Verify existence before starting dump */
3399 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3404 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3405 struct netlink_dump_control c = {
3406 .start = nf_tables_dump_sets_start,
3407 .dump = nf_tables_dump_sets,
3408 .done = nf_tables_dump_sets_done,
3410 .module = THIS_MODULE,
3413 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3416 /* Only accept unspec with dump */
3417 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3418 return -EAFNOSUPPORT;
3419 if (!nla[NFTA_SET_TABLE])
3422 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3424 return PTR_ERR(set);
3426 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3430 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3434 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3441 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3442 struct nft_set_desc *desc,
3443 const struct nlattr *nla)
3445 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3448 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3449 nft_set_desc_policy, NULL);
3453 if (da[NFTA_SET_DESC_SIZE] != NULL)
3454 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3459 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3460 struct sk_buff *skb, const struct nlmsghdr *nlh,
3461 const struct nlattr * const nla[],
3462 struct netlink_ext_ack *extack)
3464 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3465 u8 genmask = nft_genmask_next(net);
3466 int family = nfmsg->nfgen_family;
3467 const struct nft_set_ops *ops;
3468 struct nft_table *table;
3469 struct nft_set *set;
3474 u32 ktype, dtype, flags, policy, gc_int, objtype;
3475 struct nft_set_desc desc;
3476 unsigned char *udata;
3480 if (nla[NFTA_SET_TABLE] == NULL ||
3481 nla[NFTA_SET_NAME] == NULL ||
3482 nla[NFTA_SET_KEY_LEN] == NULL ||
3483 nla[NFTA_SET_ID] == NULL)
3486 memset(&desc, 0, sizeof(desc));
3488 ktype = NFT_DATA_VALUE;
3489 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3490 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3491 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3495 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3496 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3500 if (nla[NFTA_SET_FLAGS] != NULL) {
3501 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3502 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3503 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3504 NFT_SET_MAP | NFT_SET_EVAL |
3507 /* Only one of these operations is supported */
3508 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3509 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3514 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3515 if (!(flags & NFT_SET_MAP))
3518 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3519 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3520 dtype != NFT_DATA_VERDICT)
3523 if (dtype != NFT_DATA_VERDICT) {
3524 if (nla[NFTA_SET_DATA_LEN] == NULL)
3526 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3527 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3530 desc.dlen = sizeof(struct nft_verdict);
3531 } else if (flags & NFT_SET_MAP)
3534 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3535 if (!(flags & NFT_SET_OBJECT))
3538 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3539 if (objtype == NFT_OBJECT_UNSPEC ||
3540 objtype > NFT_OBJECT_MAX)
3542 } else if (flags & NFT_SET_OBJECT)
3545 objtype = NFT_OBJECT_UNSPEC;
3548 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3549 if (!(flags & NFT_SET_TIMEOUT))
3552 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3557 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3558 if (!(flags & NFT_SET_TIMEOUT))
3560 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3563 policy = NFT_SET_POL_PERFORMANCE;
3564 if (nla[NFTA_SET_POLICY] != NULL)
3565 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3567 if (nla[NFTA_SET_DESC] != NULL) {
3568 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3573 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3574 if (IS_ERR(table)) {
3575 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3576 return PTR_ERR(table);
3579 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3581 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3583 if (PTR_ERR(set) != -ENOENT) {
3584 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3585 return PTR_ERR(set);
3588 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3589 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3592 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3598 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3601 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3603 return PTR_ERR(ops);
3606 if (nla[NFTA_SET_USERDATA])
3607 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3610 if (ops->privsize != NULL)
3611 size = ops->privsize(nla, &desc);
3613 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3619 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3625 err = nf_tables_set_alloc_name(&ctx, set, name);
3632 udata = set->data + size;
3633 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3636 INIT_LIST_HEAD(&set->bindings);
3638 write_pnet(&set->net, net);
3641 set->klen = desc.klen;
3643 set->objtype = objtype;
3644 set->dlen = desc.dlen;
3646 set->size = desc.size;
3647 set->policy = policy;
3650 set->timeout = timeout;
3651 set->gc_int = gc_int;
3652 set->handle = nf_tables_alloc_handle(table);
3654 err = ops->init(set, &desc, nla);
3658 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3662 list_add_tail_rcu(&set->list, &table->sets);
3673 module_put(to_set_type(ops)->owner);
3677 static void nft_set_destroy(struct nft_set *set)
3679 if (WARN_ON(set->use > 0))
3682 set->ops->destroy(set);
3683 module_put(to_set_type(set->ops)->owner);
3688 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3689 struct sk_buff *skb, const struct nlmsghdr *nlh,
3690 const struct nlattr * const nla[],
3691 struct netlink_ext_ack *extack)
3693 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3694 u8 genmask = nft_genmask_next(net);
3695 const struct nlattr *attr;
3696 struct nft_set *set;
3700 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3701 return -EAFNOSUPPORT;
3702 if (nla[NFTA_SET_TABLE] == NULL)
3705 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3710 if (nla[NFTA_SET_HANDLE]) {
3711 attr = nla[NFTA_SET_HANDLE];
3712 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3714 attr = nla[NFTA_SET_NAME];
3715 set = nft_set_lookup(ctx.table, attr, genmask);
3719 NL_SET_BAD_ATTR(extack, attr);
3720 return PTR_ERR(set);
3723 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3724 NL_SET_BAD_ATTR(extack, attr);
3728 return nft_delset(&ctx, set);
3731 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3732 struct nft_set *set,
3733 const struct nft_set_iter *iter,
3734 struct nft_set_elem *elem)
3736 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3737 enum nft_registers dreg;
3739 dreg = nft_type_to_reg(set->dtype);
3740 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3741 set->dtype == NFT_DATA_VERDICT ?
3742 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3746 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3747 struct nft_set_binding *binding)
3749 struct nft_set_binding *i;
3750 struct nft_set_iter iter;
3752 if (set->use == UINT_MAX)
3755 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3758 if (binding->flags & NFT_SET_MAP) {
3759 /* If the set is already bound to the same chain all
3760 * jumps are already validated for that chain.
3762 list_for_each_entry(i, &set->bindings, list) {
3763 if (i->flags & NFT_SET_MAP &&
3764 i->chain == binding->chain)
3768 iter.genmask = nft_genmask_next(ctx->net);
3772 iter.fn = nf_tables_bind_check_setelem;
3774 set->ops->walk(ctx, set, &iter);
3779 binding->chain = ctx->chain;
3780 list_add_tail_rcu(&binding->list, &set->bindings);
3781 nft_set_trans_bind(ctx, set);
3786 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3788 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3789 struct nft_set_binding *binding, bool event)
3791 list_del_rcu(&binding->list);
3793 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3794 list_del_rcu(&set->list);
3796 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3800 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3802 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3803 struct nft_set_binding *binding,
3804 enum nft_trans_phase phase)
3807 case NFT_TRANS_PREPARE:
3810 case NFT_TRANS_ABORT:
3811 case NFT_TRANS_RELEASE:
3815 nf_tables_unbind_set(ctx, set, binding,
3816 phase == NFT_TRANS_COMMIT);
3819 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3821 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3823 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3824 nft_set_destroy(set);
3826 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3828 const struct nft_set_ext_type nft_set_ext_types[] = {
3829 [NFT_SET_EXT_KEY] = {
3830 .align = __alignof__(u32),
3832 [NFT_SET_EXT_DATA] = {
3833 .align = __alignof__(u32),
3835 [NFT_SET_EXT_EXPR] = {
3836 .align = __alignof__(struct nft_expr),
3838 [NFT_SET_EXT_OBJREF] = {
3839 .len = sizeof(struct nft_object *),
3840 .align = __alignof__(struct nft_object *),
3842 [NFT_SET_EXT_FLAGS] = {
3844 .align = __alignof__(u8),
3846 [NFT_SET_EXT_TIMEOUT] = {
3848 .align = __alignof__(u64),
3850 [NFT_SET_EXT_EXPIRATION] = {
3852 .align = __alignof__(u64),
3854 [NFT_SET_EXT_USERDATA] = {
3855 .len = sizeof(struct nft_userdata),
3856 .align = __alignof__(struct nft_userdata),
3859 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3865 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3866 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3867 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3868 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3869 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3870 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3871 .len = NFT_USERDATA_MAXLEN },
3872 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3873 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3876 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3877 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3878 .len = NFT_TABLE_MAXNAMELEN - 1 },
3879 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3880 .len = NFT_SET_MAXNAMELEN - 1 },
3881 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3882 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3885 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3886 const struct sk_buff *skb,
3887 const struct nlmsghdr *nlh,
3888 const struct nlattr * const nla[],
3889 struct netlink_ext_ack *extack,
3892 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3893 int family = nfmsg->nfgen_family;
3894 struct nft_table *table;
3896 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3898 if (IS_ERR(table)) {
3899 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3900 return PTR_ERR(table);
3903 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3907 static int nf_tables_fill_setelem(struct sk_buff *skb,
3908 const struct nft_set *set,
3909 const struct nft_set_elem *elem)
3911 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3912 unsigned char *b = skb_tail_pointer(skb);
3913 struct nlattr *nest;
3915 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3917 goto nla_put_failure;
3919 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3920 NFT_DATA_VALUE, set->klen) < 0)
3921 goto nla_put_failure;
3923 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3924 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3925 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3927 goto nla_put_failure;
3929 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3930 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3931 goto nla_put_failure;
3933 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3934 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3935 (*nft_set_ext_obj(ext))->key.name) < 0)
3936 goto nla_put_failure;
3938 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3939 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3940 htonl(*nft_set_ext_flags(ext))))
3941 goto nla_put_failure;
3943 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3944 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3945 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3947 goto nla_put_failure;
3949 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3950 u64 expires, now = get_jiffies_64();
3952 expires = *nft_set_ext_expiration(ext);
3953 if (time_before64(now, expires))
3958 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3959 nf_jiffies64_to_msecs(expires),
3961 goto nla_put_failure;
3964 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3965 struct nft_userdata *udata;
3967 udata = nft_set_ext_userdata(ext);
3968 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3969 udata->len + 1, udata->data))
3970 goto nla_put_failure;
3973 nla_nest_end(skb, nest);
3981 struct nft_set_dump_args {
3982 const struct netlink_callback *cb;
3983 struct nft_set_iter iter;
3984 struct sk_buff *skb;
3987 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3988 struct nft_set *set,
3989 const struct nft_set_iter *iter,
3990 struct nft_set_elem *elem)
3992 struct nft_set_dump_args *args;
3994 args = container_of(iter, struct nft_set_dump_args, iter);
3995 return nf_tables_fill_setelem(args->skb, set, elem);
3998 struct nft_set_dump_ctx {
3999 const struct nft_set *set;
4003 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4005 struct nft_set_dump_ctx *dump_ctx = cb->data;
4006 struct net *net = sock_net(skb->sk);
4007 struct nft_table *table;
4008 struct nft_set *set;
4009 struct nft_set_dump_args args;
4010 bool set_found = false;
4011 struct nfgenmsg *nfmsg;
4012 struct nlmsghdr *nlh;
4013 struct nlattr *nest;
4018 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4019 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4020 dump_ctx->ctx.family != table->family)
4023 if (table != dump_ctx->ctx.table)
4026 list_for_each_entry_rcu(set, &table->sets, list) {
4027 if (set == dump_ctx->set) {
4040 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4041 portid = NETLINK_CB(cb->skb).portid;
4042 seq = cb->nlh->nlmsg_seq;
4044 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4047 goto nla_put_failure;
4049 nfmsg = nlmsg_data(nlh);
4050 nfmsg->nfgen_family = table->family;
4051 nfmsg->version = NFNETLINK_V0;
4052 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4054 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4055 goto nla_put_failure;
4056 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4057 goto nla_put_failure;
4059 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4061 goto nla_put_failure;
4065 args.iter.genmask = nft_genmask_cur(net);
4066 args.iter.skip = cb->args[0];
4067 args.iter.count = 0;
4069 args.iter.fn = nf_tables_dump_setelem;
4070 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4073 nla_nest_end(skb, nest);
4074 nlmsg_end(skb, nlh);
4076 if (args.iter.err && args.iter.err != -EMSGSIZE)
4077 return args.iter.err;
4078 if (args.iter.count == cb->args[0])
4081 cb->args[0] = args.iter.count;
4089 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4091 struct nft_set_dump_ctx *dump_ctx = cb->data;
4093 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4095 return cb->data ? 0 : -ENOMEM;
4098 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4104 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4105 const struct nft_ctx *ctx, u32 seq,
4106 u32 portid, int event, u16 flags,
4107 const struct nft_set *set,
4108 const struct nft_set_elem *elem)
4110 struct nfgenmsg *nfmsg;
4111 struct nlmsghdr *nlh;
4112 struct nlattr *nest;
4115 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4116 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4119 goto nla_put_failure;
4121 nfmsg = nlmsg_data(nlh);
4122 nfmsg->nfgen_family = ctx->family;
4123 nfmsg->version = NFNETLINK_V0;
4124 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4126 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4127 goto nla_put_failure;
4128 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4129 goto nla_put_failure;
4131 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4133 goto nla_put_failure;
4135 err = nf_tables_fill_setelem(skb, set, elem);
4137 goto nla_put_failure;
4139 nla_nest_end(skb, nest);
4141 nlmsg_end(skb, nlh);
4145 nlmsg_trim(skb, nlh);
4149 static int nft_setelem_parse_flags(const struct nft_set *set,
4150 const struct nlattr *attr, u32 *flags)
4155 *flags = ntohl(nla_get_be32(attr));
4156 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4158 if (!(set->flags & NFT_SET_INTERVAL) &&
4159 *flags & NFT_SET_ELEM_INTERVAL_END)
4165 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4166 const struct nlattr *attr)
4168 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4169 struct nft_data_desc desc;
4170 struct nft_set_elem elem;
4171 struct sk_buff *skb;
4176 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4177 nft_set_elem_policy, NULL);
4181 if (!nla[NFTA_SET_ELEM_KEY])
4184 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4188 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4189 nla[NFTA_SET_ELEM_KEY]);
4194 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4197 priv = set->ops->get(ctx->net, set, &elem, flags);
4199 return PTR_ERR(priv);
4204 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4208 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4209 NFT_MSG_NEWSETELEM, 0, set, &elem);
4213 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4214 /* This avoids a loop in nfnetlink. */
4222 /* this avoids a loop in nfnetlink. */
4223 return err == -EAGAIN ? -ENOBUFS : err;
4226 /* called with rcu_read_lock held */
4227 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4228 struct sk_buff *skb, const struct nlmsghdr *nlh,
4229 const struct nlattr * const nla[],
4230 struct netlink_ext_ack *extack)
4232 u8 genmask = nft_genmask_cur(net);
4233 struct nft_set *set;
4234 struct nlattr *attr;
4238 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4243 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4245 return PTR_ERR(set);
4247 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4248 struct netlink_dump_control c = {
4249 .start = nf_tables_dump_set_start,
4250 .dump = nf_tables_dump_set,
4251 .done = nf_tables_dump_set_done,
4252 .module = THIS_MODULE,
4254 struct nft_set_dump_ctx dump_ctx = {
4260 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4263 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4266 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4267 err = nft_get_set_elem(&ctx, set, attr);
4275 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4276 const struct nft_set *set,
4277 const struct nft_set_elem *elem,
4278 int event, u16 flags)
4280 struct net *net = ctx->net;
4281 u32 portid = ctx->portid;
4282 struct sk_buff *skb;
4285 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4288 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4292 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4299 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4303 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4306 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4308 struct nft_set *set)
4310 struct nft_trans *trans;
4312 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4316 nft_trans_elem_set(trans) = set;
4320 void *nft_set_elem_init(const struct nft_set *set,
4321 const struct nft_set_ext_tmpl *tmpl,
4322 const u32 *key, const u32 *data,
4323 u64 timeout, gfp_t gfp)
4325 struct nft_set_ext *ext;
4328 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4332 ext = nft_set_elem_ext(set, elem);
4333 nft_set_ext_init(ext, tmpl);
4335 memcpy(nft_set_ext_key(ext), key, set->klen);
4336 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4337 memcpy(nft_set_ext_data(ext), data, set->dlen);
4338 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4339 *nft_set_ext_expiration(ext) =
4340 get_jiffies_64() + timeout;
4341 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4342 *nft_set_ext_timeout(ext) = timeout;
4347 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4350 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4351 struct nft_ctx ctx = {
4352 .net = read_pnet(&set->net),
4353 .family = set->table->family,
4356 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4357 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4358 nft_data_release(nft_set_ext_data(ext), set->dtype);
4359 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4360 struct nft_expr *expr = nft_set_ext_expr(ext);
4362 if (expr->ops->destroy_clone) {
4363 expr->ops->destroy_clone(&ctx, expr);
4364 module_put(expr->ops->type->owner);
4366 nf_tables_expr_destroy(&ctx, expr);
4369 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4370 (*nft_set_ext_obj(ext))->use--;
4373 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4375 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4376 * the refcounting from the preparation phase.
4378 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4379 const struct nft_set *set, void *elem)
4381 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4383 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4384 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4388 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4389 const struct nlattr *attr, u32 nlmsg_flags)
4391 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4392 u8 genmask = nft_genmask_next(ctx->net);
4393 struct nft_data_desc d1, d2;
4394 struct nft_set_ext_tmpl tmpl;
4395 struct nft_set_ext *ext, *ext2;
4396 struct nft_set_elem elem;
4397 struct nft_set_binding *binding;
4398 struct nft_object *obj = NULL;
4399 struct nft_userdata *udata;
4400 struct nft_data data;
4401 enum nft_registers dreg;
4402 struct nft_trans *trans;
4408 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4409 nft_set_elem_policy, NULL);
4413 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4416 nft_set_ext_prepare(&tmpl);
4418 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4422 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4424 if (set->flags & NFT_SET_MAP) {
4425 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4426 !(flags & NFT_SET_ELEM_INTERVAL_END))
4428 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4429 flags & NFT_SET_ELEM_INTERVAL_END)
4432 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4437 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4438 if (!(set->flags & NFT_SET_TIMEOUT))
4440 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4444 } else if (set->flags & NFT_SET_TIMEOUT) {
4445 timeout = set->timeout;
4448 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4449 nla[NFTA_SET_ELEM_KEY]);
4453 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4456 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4458 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4459 if (timeout != set->timeout)
4460 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4463 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4464 if (!(set->flags & NFT_SET_OBJECT)) {
4468 obj = nft_obj_lookup(ctx->net, ctx->table,
4469 nla[NFTA_SET_ELEM_OBJREF],
4470 set->objtype, genmask);
4475 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4478 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4479 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4480 nla[NFTA_SET_ELEM_DATA]);
4485 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4488 dreg = nft_type_to_reg(set->dtype);
4489 list_for_each_entry(binding, &set->bindings, list) {
4490 struct nft_ctx bind_ctx = {
4492 .family = ctx->family,
4493 .table = ctx->table,
4494 .chain = (struct nft_chain *)binding->chain,
4497 if (!(binding->flags & NFT_SET_MAP))
4500 err = nft_validate_register_store(&bind_ctx, dreg,
4506 if (d2.type == NFT_DATA_VERDICT &&
4507 (data.verdict.code == NFT_GOTO ||
4508 data.verdict.code == NFT_JUMP))
4509 nft_validate_state_update(ctx->net,
4513 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4516 /* The full maximum length of userdata can exceed the maximum
4517 * offset value (U8_MAX) for following extensions, therefor it
4518 * must be the last extension added.
4521 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4522 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4524 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4529 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4530 timeout, GFP_KERNEL);
4531 if (elem.priv == NULL)
4534 ext = nft_set_elem_ext(set, elem.priv);
4536 *nft_set_ext_flags(ext) = flags;
4538 udata = nft_set_ext_userdata(ext);
4539 udata->len = ulen - 1;
4540 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4543 *nft_set_ext_obj(ext) = obj;
4547 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4551 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4552 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4554 if (err == -EEXIST) {
4555 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4556 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4557 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4558 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4562 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4563 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4564 memcmp(nft_set_ext_data(ext),
4565 nft_set_ext_data(ext2), set->dlen) != 0) ||
4566 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4567 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4568 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4570 else if (!(nlmsg_flags & NLM_F_EXCL))
4577 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4582 nft_trans_elem(trans) = elem;
4583 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4587 set->ops->remove(ctx->net, set, &elem);
4595 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4596 nft_data_release(&data, d2.type);
4598 nft_data_release(&elem.key.val, d1.type);
4603 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4604 struct sk_buff *skb, const struct nlmsghdr *nlh,
4605 const struct nlattr * const nla[],
4606 struct netlink_ext_ack *extack)
4608 u8 genmask = nft_genmask_next(net);
4609 const struct nlattr *attr;
4610 struct nft_set *set;
4614 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4617 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4622 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4623 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4625 return PTR_ERR(set);
4627 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4630 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4631 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4636 if (net->nft.validate_state == NFT_VALIDATE_DO)
4637 return nft_table_validate(net, ctx.table);
4643 * nft_data_hold - hold a nft_data item
4645 * @data: struct nft_data to release
4646 * @type: type of data
4648 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4649 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4650 * NFT_GOTO verdicts. This function must be called on active data objects
4651 * from the second phase of the commit protocol.
4653 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4655 if (type == NFT_DATA_VERDICT) {
4656 switch (data->verdict.code) {
4659 data->verdict.chain->use++;
4665 static void nft_set_elem_activate(const struct net *net,
4666 const struct nft_set *set,
4667 struct nft_set_elem *elem)
4669 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4671 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4672 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4673 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4674 (*nft_set_ext_obj(ext))->use++;
4677 static void nft_set_elem_deactivate(const struct net *net,
4678 const struct nft_set *set,
4679 struct nft_set_elem *elem)
4681 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4683 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4684 nft_data_release(nft_set_ext_data(ext), set->dtype);
4685 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4686 (*nft_set_ext_obj(ext))->use--;
4689 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4690 const struct nlattr *attr)
4692 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4693 struct nft_set_ext_tmpl tmpl;
4694 struct nft_data_desc desc;
4695 struct nft_set_elem elem;
4696 struct nft_set_ext *ext;
4697 struct nft_trans *trans;
4702 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4703 nft_set_elem_policy, NULL);
4708 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4711 nft_set_ext_prepare(&tmpl);
4713 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4717 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4719 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4720 nla[NFTA_SET_ELEM_KEY]);
4725 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4728 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4731 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4733 if (elem.priv == NULL)
4736 ext = nft_set_elem_ext(set, elem.priv);
4738 *nft_set_ext_flags(ext) = flags;
4740 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4741 if (trans == NULL) {
4746 priv = set->ops->deactivate(ctx->net, set, &elem);
4754 nft_set_elem_deactivate(ctx->net, set, &elem);
4756 nft_trans_elem(trans) = elem;
4757 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4765 nft_data_release(&elem.key.val, desc.type);
4770 static int nft_flush_set(const struct nft_ctx *ctx,
4771 struct nft_set *set,
4772 const struct nft_set_iter *iter,
4773 struct nft_set_elem *elem)
4775 struct nft_trans *trans;
4778 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4779 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4783 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4789 nft_set_elem_deactivate(ctx->net, set, elem);
4790 nft_trans_elem_set(trans) = set;
4791 nft_trans_elem(trans) = *elem;
4792 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4800 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4801 struct sk_buff *skb, const struct nlmsghdr *nlh,
4802 const struct nlattr * const nla[],
4803 struct netlink_ext_ack *extack)
4805 u8 genmask = nft_genmask_next(net);
4806 const struct nlattr *attr;
4807 struct nft_set *set;
4811 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4816 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4818 return PTR_ERR(set);
4819 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4822 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4823 struct nft_set_iter iter = {
4825 .fn = nft_flush_set,
4827 set->ops->walk(&ctx, set, &iter);
4832 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4833 err = nft_del_setelem(&ctx, set, attr);
4842 void nft_set_gc_batch_release(struct rcu_head *rcu)
4844 struct nft_set_gc_batch *gcb;
4847 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4848 for (i = 0; i < gcb->head.cnt; i++)
4849 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4852 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4854 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4857 struct nft_set_gc_batch *gcb;
4859 gcb = kzalloc(sizeof(*gcb), gfp);
4862 gcb->head.set = set;
4865 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4872 * nft_register_obj- register nf_tables stateful object type
4875 * Registers the object type for use with nf_tables. Returns zero on
4876 * success or a negative errno code otherwise.
4878 int nft_register_obj(struct nft_object_type *obj_type)
4880 if (obj_type->type == NFT_OBJECT_UNSPEC)
4883 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4884 list_add_rcu(&obj_type->list, &nf_tables_objects);
4885 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4888 EXPORT_SYMBOL_GPL(nft_register_obj);
4891 * nft_unregister_obj - unregister nf_tables object type
4894 * Unregisters the object type for use with nf_tables.
4896 void nft_unregister_obj(struct nft_object_type *obj_type)
4898 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4899 list_del_rcu(&obj_type->list);
4900 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4902 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4904 struct nft_object *nft_obj_lookup(const struct net *net,
4905 const struct nft_table *table,
4906 const struct nlattr *nla, u32 objtype,
4909 struct nft_object_hash_key k = { .table = table };
4910 char search[NFT_OBJ_MAXNAMELEN];
4911 struct rhlist_head *tmp, *list;
4912 struct nft_object *obj;
4914 nla_strlcpy(search, nla, sizeof(search));
4917 WARN_ON_ONCE(!rcu_read_lock_held() &&
4918 !lockdep_commit_lock_is_held(net));
4921 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
4925 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
4926 if (objtype == obj->ops->type->type &&
4927 nft_active_genmask(obj, genmask)) {
4934 return ERR_PTR(-ENOENT);
4936 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4938 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4939 const struct nlattr *nla,
4940 u32 objtype, u8 genmask)
4942 struct nft_object *obj;
4944 list_for_each_entry(obj, &table->objects, list) {
4945 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4946 objtype == obj->ops->type->type &&
4947 nft_active_genmask(obj, genmask))
4950 return ERR_PTR(-ENOENT);
4953 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4954 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4955 .len = NFT_TABLE_MAXNAMELEN - 1 },
4956 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4957 .len = NFT_OBJ_MAXNAMELEN - 1 },
4958 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4959 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4960 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4963 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4964 const struct nft_object_type *type,
4965 const struct nlattr *attr)
4968 const struct nft_object_ops *ops;
4969 struct nft_object *obj;
4972 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4977 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4982 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4985 if (type->select_ops) {
4986 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4996 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5000 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5013 return ERR_PTR(err);
5016 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5017 struct nft_object *obj, bool reset)
5019 struct nlattr *nest;
5021 nest = nla_nest_start(skb, attr);
5023 goto nla_put_failure;
5024 if (obj->ops->dump(skb, obj, reset) < 0)
5025 goto nla_put_failure;
5026 nla_nest_end(skb, nest);
5033 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5035 const struct nft_object_type *type;
5037 list_for_each_entry(type, &nf_tables_objects, list) {
5038 if (objtype == type->type)
5044 static const struct nft_object_type *
5045 nft_obj_type_get(struct net *net, u32 objtype)
5047 const struct nft_object_type *type;
5049 type = __nft_obj_type_get(objtype);
5050 if (type != NULL && try_module_get(type->owner))
5053 lockdep_nfnl_nft_mutex_not_held();
5054 #ifdef CONFIG_MODULES
5056 nft_request_module(net, "nft-obj-%u", objtype);
5057 if (__nft_obj_type_get(objtype))
5058 return ERR_PTR(-EAGAIN);
5061 return ERR_PTR(-ENOENT);
5064 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5065 struct sk_buff *skb, const struct nlmsghdr *nlh,
5066 const struct nlattr * const nla[],
5067 struct netlink_ext_ack *extack)
5069 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5070 const struct nft_object_type *type;
5071 u8 genmask = nft_genmask_next(net);
5072 int family = nfmsg->nfgen_family;
5073 struct nft_table *table;
5074 struct nft_object *obj;
5079 if (!nla[NFTA_OBJ_TYPE] ||
5080 !nla[NFTA_OBJ_NAME] ||
5081 !nla[NFTA_OBJ_DATA])
5084 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5085 if (IS_ERR(table)) {
5086 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5087 return PTR_ERR(table);
5090 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5091 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5094 if (err != -ENOENT) {
5095 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5099 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5100 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5106 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5108 type = nft_obj_type_get(net, objtype);
5110 return PTR_ERR(type);
5112 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5117 obj->key.table = table;
5118 obj->handle = nf_tables_alloc_handle(table);
5120 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5121 if (!obj->key.name) {
5126 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5130 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5131 nft_objname_ht_params);
5135 list_add_tail_rcu(&obj->list, &table->objects);
5139 /* queued in transaction log */
5140 INIT_LIST_HEAD(&obj->list);
5143 kfree(obj->key.name);
5145 if (obj->ops->destroy)
5146 obj->ops->destroy(&ctx, obj);
5149 module_put(type->owner);
5153 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5154 u32 portid, u32 seq, int event, u32 flags,
5155 int family, const struct nft_table *table,
5156 struct nft_object *obj, bool reset)
5158 struct nfgenmsg *nfmsg;
5159 struct nlmsghdr *nlh;
5161 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5162 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5164 goto nla_put_failure;
5166 nfmsg = nlmsg_data(nlh);
5167 nfmsg->nfgen_family = family;
5168 nfmsg->version = NFNETLINK_V0;
5169 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5171 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5172 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5173 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5174 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5175 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5176 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5178 goto nla_put_failure;
5180 nlmsg_end(skb, nlh);
5184 nlmsg_trim(skb, nlh);
5188 struct nft_obj_filter {
5193 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5195 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5196 const struct nft_table *table;
5197 unsigned int idx = 0, s_idx = cb->args[0];
5198 struct nft_obj_filter *filter = cb->data;
5199 struct net *net = sock_net(skb->sk);
5200 int family = nfmsg->nfgen_family;
5201 struct nft_object *obj;
5204 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5208 cb->seq = net->nft.base_seq;
5210 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5211 if (family != NFPROTO_UNSPEC && family != table->family)
5214 list_for_each_entry_rcu(obj, &table->objects, list) {
5215 if (!nft_is_active(net, obj))
5220 memset(&cb->args[1], 0,
5221 sizeof(cb->args) - sizeof(cb->args[0]));
5222 if (filter && filter->table &&
5223 strcmp(filter->table, table->name))
5226 filter->type != NFT_OBJECT_UNSPEC &&
5227 obj->ops->type->type != filter->type)
5230 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5233 NLM_F_MULTI | NLM_F_APPEND,
5234 table->family, table,
5238 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5250 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5252 const struct nlattr * const *nla = cb->data;
5253 struct nft_obj_filter *filter = NULL;
5255 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5256 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5260 if (nla[NFTA_OBJ_TABLE]) {
5261 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5262 if (!filter->table) {
5268 if (nla[NFTA_OBJ_TYPE])
5269 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5276 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5278 struct nft_obj_filter *filter = cb->data;
5281 kfree(filter->table);
5288 /* called with rcu_read_lock held */
5289 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5290 struct sk_buff *skb, const struct nlmsghdr *nlh,
5291 const struct nlattr * const nla[],
5292 struct netlink_ext_ack *extack)
5294 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5295 u8 genmask = nft_genmask_cur(net);
5296 int family = nfmsg->nfgen_family;
5297 const struct nft_table *table;
5298 struct nft_object *obj;
5299 struct sk_buff *skb2;
5304 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5305 struct netlink_dump_control c = {
5306 .start = nf_tables_dump_obj_start,
5307 .dump = nf_tables_dump_obj,
5308 .done = nf_tables_dump_obj_done,
5309 .module = THIS_MODULE,
5310 .data = (void *)nla,
5313 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5316 if (!nla[NFTA_OBJ_NAME] ||
5317 !nla[NFTA_OBJ_TYPE])
5320 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5321 if (IS_ERR(table)) {
5322 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5323 return PTR_ERR(table);
5326 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5327 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5329 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5330 return PTR_ERR(obj);
5333 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5337 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5340 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5341 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5342 family, table, obj, reset);
5346 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5352 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5354 if (obj->ops->destroy)
5355 obj->ops->destroy(ctx, obj);
5357 module_put(obj->ops->type->owner);
5358 kfree(obj->key.name);
5362 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5363 struct sk_buff *skb, const struct nlmsghdr *nlh,
5364 const struct nlattr * const nla[],
5365 struct netlink_ext_ack *extack)
5367 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5368 u8 genmask = nft_genmask_next(net);
5369 int family = nfmsg->nfgen_family;
5370 const struct nlattr *attr;
5371 struct nft_table *table;
5372 struct nft_object *obj;
5376 if (!nla[NFTA_OBJ_TYPE] ||
5377 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5380 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5381 if (IS_ERR(table)) {
5382 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5383 return PTR_ERR(table);
5386 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5387 if (nla[NFTA_OBJ_HANDLE]) {
5388 attr = nla[NFTA_OBJ_HANDLE];
5389 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5391 attr = nla[NFTA_OBJ_NAME];
5392 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5396 NL_SET_BAD_ATTR(extack, attr);
5397 return PTR_ERR(obj);
5400 NL_SET_BAD_ATTR(extack, attr);
5404 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5406 return nft_delobj(&ctx, obj);
5409 void nft_obj_notify(struct net *net, const struct nft_table *table,
5410 struct nft_object *obj, u32 portid, u32 seq, int event,
5411 int family, int report, gfp_t gfp)
5413 struct sk_buff *skb;
5417 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5420 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5424 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5431 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5434 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5436 EXPORT_SYMBOL_GPL(nft_obj_notify);
5438 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5439 struct nft_object *obj, int event)
5441 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5442 ctx->family, ctx->report, GFP_KERNEL);
5448 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5450 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5451 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5452 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5454 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5456 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5458 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5459 list_del_rcu(&type->list);
5460 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5462 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5464 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5465 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5466 .len = NFT_NAME_MAXLEN - 1 },
5467 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5468 .len = NFT_NAME_MAXLEN - 1 },
5469 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5470 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5473 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5474 const struct nlattr *nla, u8 genmask)
5476 struct nft_flowtable *flowtable;
5478 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5479 if (!nla_strcmp(nla, flowtable->name) &&
5480 nft_active_genmask(flowtable, genmask))
5483 return ERR_PTR(-ENOENT);
5485 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5487 static struct nft_flowtable *
5488 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5489 const struct nlattr *nla, u8 genmask)
5491 struct nft_flowtable *flowtable;
5493 list_for_each_entry(flowtable, &table->flowtables, list) {
5494 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5495 nft_active_genmask(flowtable, genmask))
5498 return ERR_PTR(-ENOENT);
5501 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5502 const struct nlattr *attr,
5503 struct net_device *dev_array[], int *len)
5505 const struct nlattr *tmp;
5506 struct net_device *dev;
5507 char ifname[IFNAMSIZ];
5508 int rem, n = 0, err;
5510 nla_for_each_nested(tmp, attr, rem) {
5511 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5516 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5517 dev = __dev_get_by_name(ctx->net, ifname);
5523 dev_array[n++] = dev;
5524 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5538 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5539 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5540 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5541 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5544 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5545 const struct nlattr *attr,
5546 struct nft_flowtable *flowtable)
5548 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5549 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5550 struct nf_hook_ops *ops;
5551 int hooknum, priority;
5554 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5555 nft_flowtable_hook_policy, NULL);
5559 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5560 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5561 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5564 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5565 if (hooknum != NF_NETDEV_INGRESS)
5568 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5570 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5575 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5579 flowtable->hooknum = hooknum;
5580 flowtable->priority = priority;
5581 flowtable->ops = ops;
5582 flowtable->ops_len = n;
5584 for (i = 0; i < n; i++) {
5585 flowtable->ops[i].pf = NFPROTO_NETDEV;
5586 flowtable->ops[i].hooknum = hooknum;
5587 flowtable->ops[i].priority = priority;
5588 flowtable->ops[i].priv = &flowtable->data;
5589 flowtable->ops[i].hook = flowtable->data.type->hook;
5590 flowtable->ops[i].dev = dev_array[i];
5596 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5598 const struct nf_flowtable_type *type;
5600 list_for_each_entry(type, &nf_tables_flowtables, list) {
5601 if (family == type->family)
5607 static const struct nf_flowtable_type *
5608 nft_flowtable_type_get(struct net *net, u8 family)
5610 const struct nf_flowtable_type *type;
5612 type = __nft_flowtable_type_get(family);
5613 if (type != NULL && try_module_get(type->owner))
5616 lockdep_nfnl_nft_mutex_not_held();
5617 #ifdef CONFIG_MODULES
5619 nft_request_module(net, "nf-flowtable-%u", family);
5620 if (__nft_flowtable_type_get(family))
5621 return ERR_PTR(-EAGAIN);
5624 return ERR_PTR(-ENOENT);
5627 static void nft_unregister_flowtable_net_hooks(struct net *net,
5628 struct nft_flowtable *flowtable)
5632 for (i = 0; i < flowtable->ops_len; i++) {
5633 if (!flowtable->ops[i].dev)
5636 nf_unregister_net_hook(net, &flowtable->ops[i]);
5640 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5641 struct sk_buff *skb,
5642 const struct nlmsghdr *nlh,
5643 const struct nlattr * const nla[],
5644 struct netlink_ext_ack *extack)
5646 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5647 const struct nf_flowtable_type *type;
5648 struct nft_flowtable *flowtable, *ft;
5649 u8 genmask = nft_genmask_next(net);
5650 int family = nfmsg->nfgen_family;
5651 struct nft_table *table;
5655 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5656 !nla[NFTA_FLOWTABLE_NAME] ||
5657 !nla[NFTA_FLOWTABLE_HOOK])
5660 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5662 if (IS_ERR(table)) {
5663 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5664 return PTR_ERR(table);
5667 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5669 if (IS_ERR(flowtable)) {
5670 err = PTR_ERR(flowtable);
5671 if (err != -ENOENT) {
5672 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5676 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5677 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5684 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5686 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5690 flowtable->table = table;
5691 flowtable->handle = nf_tables_alloc_handle(table);
5693 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5694 if (!flowtable->name) {
5699 type = nft_flowtable_type_get(net, family);
5701 err = PTR_ERR(type);
5705 flowtable->data.type = type;
5706 err = type->init(&flowtable->data);
5710 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5715 for (i = 0; i < flowtable->ops_len; i++) {
5716 if (!flowtable->ops[i].dev)
5719 list_for_each_entry(ft, &table->flowtables, list) {
5720 for (k = 0; k < ft->ops_len; k++) {
5721 if (!ft->ops[k].dev)
5724 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5725 flowtable->ops[i].pf == ft->ops[k].pf) {
5732 err = nf_register_net_hook(net, &flowtable->ops[i]);
5737 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5741 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5746 i = flowtable->ops_len;
5748 for (k = i - 1; k >= 0; k--)
5749 nf_unregister_net_hook(net, &flowtable->ops[k]);
5751 kfree(flowtable->ops);
5753 flowtable->data.type->free(&flowtable->data);
5755 module_put(type->owner);
5757 kfree(flowtable->name);
5763 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5764 struct sk_buff *skb,
5765 const struct nlmsghdr *nlh,
5766 const struct nlattr * const nla[],
5767 struct netlink_ext_ack *extack)
5769 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5770 u8 genmask = nft_genmask_next(net);
5771 int family = nfmsg->nfgen_family;
5772 struct nft_flowtable *flowtable;
5773 const struct nlattr *attr;
5774 struct nft_table *table;
5777 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5778 (!nla[NFTA_FLOWTABLE_NAME] &&
5779 !nla[NFTA_FLOWTABLE_HANDLE]))
5782 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5784 if (IS_ERR(table)) {
5785 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5786 return PTR_ERR(table);
5789 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5790 attr = nla[NFTA_FLOWTABLE_HANDLE];
5791 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5793 attr = nla[NFTA_FLOWTABLE_NAME];
5794 flowtable = nft_flowtable_lookup(table, attr, genmask);
5797 if (IS_ERR(flowtable)) {
5798 NL_SET_BAD_ATTR(extack, attr);
5799 return PTR_ERR(flowtable);
5801 if (flowtable->use > 0) {
5802 NL_SET_BAD_ATTR(extack, attr);
5806 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5808 return nft_delflowtable(&ctx, flowtable);
5811 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5812 u32 portid, u32 seq, int event,
5813 u32 flags, int family,
5814 struct nft_flowtable *flowtable)
5816 struct nlattr *nest, *nest_devs;
5817 struct nfgenmsg *nfmsg;
5818 struct nlmsghdr *nlh;
5821 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5822 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5824 goto nla_put_failure;
5826 nfmsg = nlmsg_data(nlh);
5827 nfmsg->nfgen_family = family;
5828 nfmsg->version = NFNETLINK_V0;
5829 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5831 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5832 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5833 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5834 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5835 NFTA_FLOWTABLE_PAD))
5836 goto nla_put_failure;
5838 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5840 goto nla_put_failure;
5841 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5842 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5843 goto nla_put_failure;
5845 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5847 goto nla_put_failure;
5849 for (i = 0; i < flowtable->ops_len; i++) {
5850 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5853 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5854 goto nla_put_failure;
5856 nla_nest_end(skb, nest_devs);
5857 nla_nest_end(skb, nest);
5859 nlmsg_end(skb, nlh);
5863 nlmsg_trim(skb, nlh);
5867 struct nft_flowtable_filter {
5871 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5872 struct netlink_callback *cb)
5874 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5875 struct nft_flowtable_filter *filter = cb->data;
5876 unsigned int idx = 0, s_idx = cb->args[0];
5877 struct net *net = sock_net(skb->sk);
5878 int family = nfmsg->nfgen_family;
5879 struct nft_flowtable *flowtable;
5880 const struct nft_table *table;
5883 cb->seq = net->nft.base_seq;
5885 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5886 if (family != NFPROTO_UNSPEC && family != table->family)
5889 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5890 if (!nft_is_active(net, flowtable))
5895 memset(&cb->args[1], 0,
5896 sizeof(cb->args) - sizeof(cb->args[0]));
5897 if (filter && filter->table &&
5898 strcmp(filter->table, table->name))
5901 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5903 NFT_MSG_NEWFLOWTABLE,
5904 NLM_F_MULTI | NLM_F_APPEND,
5905 table->family, flowtable) < 0)
5908 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5920 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5922 const struct nlattr * const *nla = cb->data;
5923 struct nft_flowtable_filter *filter = NULL;
5925 if (nla[NFTA_FLOWTABLE_TABLE]) {
5926 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5930 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5932 if (!filter->table) {
5942 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5944 struct nft_flowtable_filter *filter = cb->data;
5949 kfree(filter->table);
5955 /* called with rcu_read_lock held */
5956 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5957 struct sk_buff *skb,
5958 const struct nlmsghdr *nlh,
5959 const struct nlattr * const nla[],
5960 struct netlink_ext_ack *extack)
5962 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5963 u8 genmask = nft_genmask_cur(net);
5964 int family = nfmsg->nfgen_family;
5965 struct nft_flowtable *flowtable;
5966 const struct nft_table *table;
5967 struct sk_buff *skb2;
5970 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5971 struct netlink_dump_control c = {
5972 .start = nf_tables_dump_flowtable_start,
5973 .dump = nf_tables_dump_flowtable,
5974 .done = nf_tables_dump_flowtable_done,
5975 .module = THIS_MODULE,
5976 .data = (void *)nla,
5979 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5982 if (!nla[NFTA_FLOWTABLE_NAME])
5985 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5988 return PTR_ERR(table);
5990 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5992 if (IS_ERR(flowtable))
5993 return PTR_ERR(flowtable);
5995 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5999 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6001 NFT_MSG_NEWFLOWTABLE, 0, family,
6006 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6012 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6013 struct nft_flowtable *flowtable,
6016 struct sk_buff *skb;
6020 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6023 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6027 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6029 ctx->family, flowtable);
6035 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6036 ctx->report, GFP_KERNEL);
6039 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6042 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6044 kfree(flowtable->ops);
6045 kfree(flowtable->name);
6046 flowtable->data.type->free(&flowtable->data);
6047 module_put(flowtable->data.type->owner);
6051 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6052 u32 portid, u32 seq)
6054 struct nlmsghdr *nlh;
6055 struct nfgenmsg *nfmsg;
6056 char buf[TASK_COMM_LEN];
6057 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6059 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6061 goto nla_put_failure;
6063 nfmsg = nlmsg_data(nlh);
6064 nfmsg->nfgen_family = AF_UNSPEC;
6065 nfmsg->version = NFNETLINK_V0;
6066 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6068 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6069 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6070 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6071 goto nla_put_failure;
6073 nlmsg_end(skb, nlh);
6077 nlmsg_trim(skb, nlh);
6081 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6082 struct nft_flowtable *flowtable)
6086 for (i = 0; i < flowtable->ops_len; i++) {
6087 if (flowtable->ops[i].dev != dev)
6090 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6091 flowtable->ops[i].dev = NULL;
6096 static int nf_tables_flowtable_event(struct notifier_block *this,
6097 unsigned long event, void *ptr)
6099 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6100 struct nft_flowtable *flowtable;
6101 struct nft_table *table;
6104 if (event != NETDEV_UNREGISTER)
6108 mutex_lock(&net->nft.commit_mutex);
6109 list_for_each_entry(table, &net->nft.tables, list) {
6110 list_for_each_entry(flowtable, &table->flowtables, list) {
6111 nft_flowtable_event(event, dev, flowtable);
6114 mutex_unlock(&net->nft.commit_mutex);
6119 static struct notifier_block nf_tables_flowtable_notifier = {
6120 .notifier_call = nf_tables_flowtable_event,
6123 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6126 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6127 struct sk_buff *skb2;
6130 if (nlmsg_report(nlh) &&
6131 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6134 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6138 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6145 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6146 nlmsg_report(nlh), GFP_KERNEL);
6149 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6153 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6154 struct sk_buff *skb, const struct nlmsghdr *nlh,
6155 const struct nlattr * const nla[],
6156 struct netlink_ext_ack *extack)
6158 struct sk_buff *skb2;
6161 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6165 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6170 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6176 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6177 [NFT_MSG_NEWTABLE] = {
6178 .call_batch = nf_tables_newtable,
6179 .attr_count = NFTA_TABLE_MAX,
6180 .policy = nft_table_policy,
6182 [NFT_MSG_GETTABLE] = {
6183 .call_rcu = nf_tables_gettable,
6184 .attr_count = NFTA_TABLE_MAX,
6185 .policy = nft_table_policy,
6187 [NFT_MSG_DELTABLE] = {
6188 .call_batch = nf_tables_deltable,
6189 .attr_count = NFTA_TABLE_MAX,
6190 .policy = nft_table_policy,
6192 [NFT_MSG_NEWCHAIN] = {
6193 .call_batch = nf_tables_newchain,
6194 .attr_count = NFTA_CHAIN_MAX,
6195 .policy = nft_chain_policy,
6197 [NFT_MSG_GETCHAIN] = {
6198 .call_rcu = nf_tables_getchain,
6199 .attr_count = NFTA_CHAIN_MAX,
6200 .policy = nft_chain_policy,
6202 [NFT_MSG_DELCHAIN] = {
6203 .call_batch = nf_tables_delchain,
6204 .attr_count = NFTA_CHAIN_MAX,
6205 .policy = nft_chain_policy,
6207 [NFT_MSG_NEWRULE] = {
6208 .call_batch = nf_tables_newrule,
6209 .attr_count = NFTA_RULE_MAX,
6210 .policy = nft_rule_policy,
6212 [NFT_MSG_GETRULE] = {
6213 .call_rcu = nf_tables_getrule,
6214 .attr_count = NFTA_RULE_MAX,
6215 .policy = nft_rule_policy,
6217 [NFT_MSG_DELRULE] = {
6218 .call_batch = nf_tables_delrule,
6219 .attr_count = NFTA_RULE_MAX,
6220 .policy = nft_rule_policy,
6222 [NFT_MSG_NEWSET] = {
6223 .call_batch = nf_tables_newset,
6224 .attr_count = NFTA_SET_MAX,
6225 .policy = nft_set_policy,
6227 [NFT_MSG_GETSET] = {
6228 .call_rcu = nf_tables_getset,
6229 .attr_count = NFTA_SET_MAX,
6230 .policy = nft_set_policy,
6232 [NFT_MSG_DELSET] = {
6233 .call_batch = nf_tables_delset,
6234 .attr_count = NFTA_SET_MAX,
6235 .policy = nft_set_policy,
6237 [NFT_MSG_NEWSETELEM] = {
6238 .call_batch = nf_tables_newsetelem,
6239 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6240 .policy = nft_set_elem_list_policy,
6242 [NFT_MSG_GETSETELEM] = {
6243 .call_rcu = nf_tables_getsetelem,
6244 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6245 .policy = nft_set_elem_list_policy,
6247 [NFT_MSG_DELSETELEM] = {
6248 .call_batch = nf_tables_delsetelem,
6249 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6250 .policy = nft_set_elem_list_policy,
6252 [NFT_MSG_GETGEN] = {
6253 .call_rcu = nf_tables_getgen,
6255 [NFT_MSG_NEWOBJ] = {
6256 .call_batch = nf_tables_newobj,
6257 .attr_count = NFTA_OBJ_MAX,
6258 .policy = nft_obj_policy,
6260 [NFT_MSG_GETOBJ] = {
6261 .call_rcu = nf_tables_getobj,
6262 .attr_count = NFTA_OBJ_MAX,
6263 .policy = nft_obj_policy,
6265 [NFT_MSG_DELOBJ] = {
6266 .call_batch = nf_tables_delobj,
6267 .attr_count = NFTA_OBJ_MAX,
6268 .policy = nft_obj_policy,
6270 [NFT_MSG_GETOBJ_RESET] = {
6271 .call_rcu = nf_tables_getobj,
6272 .attr_count = NFTA_OBJ_MAX,
6273 .policy = nft_obj_policy,
6275 [NFT_MSG_NEWFLOWTABLE] = {
6276 .call_batch = nf_tables_newflowtable,
6277 .attr_count = NFTA_FLOWTABLE_MAX,
6278 .policy = nft_flowtable_policy,
6280 [NFT_MSG_GETFLOWTABLE] = {
6281 .call_rcu = nf_tables_getflowtable,
6282 .attr_count = NFTA_FLOWTABLE_MAX,
6283 .policy = nft_flowtable_policy,
6285 [NFT_MSG_DELFLOWTABLE] = {
6286 .call_batch = nf_tables_delflowtable,
6287 .attr_count = NFTA_FLOWTABLE_MAX,
6288 .policy = nft_flowtable_policy,
6292 static int nf_tables_validate(struct net *net)
6294 struct nft_table *table;
6296 switch (net->nft.validate_state) {
6297 case NFT_VALIDATE_SKIP:
6299 case NFT_VALIDATE_NEED:
6300 nft_validate_state_update(net, NFT_VALIDATE_DO);
6302 case NFT_VALIDATE_DO:
6303 list_for_each_entry(table, &net->nft.tables, list) {
6304 if (nft_table_validate(net, table) < 0)
6313 static void nft_chain_commit_update(struct nft_trans *trans)
6315 struct nft_base_chain *basechain;
6317 if (nft_trans_chain_name(trans)) {
6318 rhltable_remove(&trans->ctx.table->chains_ht,
6319 &trans->ctx.chain->rhlhead,
6320 nft_chain_ht_params);
6321 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6322 rhltable_insert_key(&trans->ctx.table->chains_ht,
6323 trans->ctx.chain->name,
6324 &trans->ctx.chain->rhlhead,
6325 nft_chain_ht_params);
6328 if (!nft_is_base_chain(trans->ctx.chain))
6331 basechain = nft_base_chain(trans->ctx.chain);
6332 nft_chain_stats_replace(trans->ctx.net, basechain,
6333 nft_trans_chain_stats(trans));
6335 switch (nft_trans_chain_policy(trans)) {
6338 basechain->policy = nft_trans_chain_policy(trans);
6343 static void nft_commit_release(struct nft_trans *trans)
6345 switch (trans->msg_type) {
6346 case NFT_MSG_DELTABLE:
6347 nf_tables_table_destroy(&trans->ctx);
6349 case NFT_MSG_NEWCHAIN:
6350 kfree(nft_trans_chain_name(trans));
6352 case NFT_MSG_DELCHAIN:
6353 nf_tables_chain_destroy(&trans->ctx);
6355 case NFT_MSG_DELRULE:
6356 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6358 case NFT_MSG_DELSET:
6359 nft_set_destroy(nft_trans_set(trans));
6361 case NFT_MSG_DELSETELEM:
6362 nf_tables_set_elem_destroy(&trans->ctx,
6363 nft_trans_elem_set(trans),
6364 nft_trans_elem(trans).priv);
6366 case NFT_MSG_DELOBJ:
6367 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6369 case NFT_MSG_DELFLOWTABLE:
6370 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6375 put_net(trans->ctx.net);
6380 static void nf_tables_trans_destroy_work(struct work_struct *w)
6382 struct nft_trans *trans, *next;
6385 spin_lock(&nf_tables_destroy_list_lock);
6386 list_splice_init(&nf_tables_destroy_list, &head);
6387 spin_unlock(&nf_tables_destroy_list_lock);
6389 if (list_empty(&head))
6394 list_for_each_entry_safe(trans, next, &head, list) {
6395 list_del(&trans->list);
6396 nft_commit_release(trans);
6400 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6402 struct nft_rule *rule;
6403 unsigned int alloc = 0;
6406 /* already handled or inactive chain? */
6407 if (chain->rules_next || !nft_is_active_next(net, chain))
6410 rule = list_entry(&chain->rules, struct nft_rule, list);
6413 list_for_each_entry_continue(rule, &chain->rules, list) {
6414 if (nft_is_active_next(net, rule))
6418 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6419 if (!chain->rules_next)
6422 list_for_each_entry_continue(rule, &chain->rules, list) {
6423 if (nft_is_active_next(net, rule))
6424 chain->rules_next[i++] = rule;
6427 chain->rules_next[i] = NULL;
6431 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6433 struct nft_trans *trans, *next;
6435 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6436 struct nft_chain *chain = trans->ctx.chain;
6438 if (trans->msg_type == NFT_MSG_NEWRULE ||
6439 trans->msg_type == NFT_MSG_DELRULE) {
6440 kvfree(chain->rules_next);
6441 chain->rules_next = NULL;
6446 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6448 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6453 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6455 struct nft_rule **r = rules;
6456 struct nft_rules_old *old;
6461 r++; /* rcu_head is after end marker */
6465 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6468 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6470 struct nft_rule **g0, **g1;
6473 next_genbit = nft_gencursor_next(net);
6475 g0 = rcu_dereference_protected(chain->rules_gen_0,
6476 lockdep_commit_lock_is_held(net));
6477 g1 = rcu_dereference_protected(chain->rules_gen_1,
6478 lockdep_commit_lock_is_held(net));
6480 /* No changes to this chain? */
6481 if (chain->rules_next == NULL) {
6482 /* chain had no change in last or next generation */
6486 * chain had no change in this generation; make sure next
6487 * one uses same rules as current generation.
6490 rcu_assign_pointer(chain->rules_gen_1, g0);
6491 nf_tables_commit_chain_free_rules_old(g1);
6493 rcu_assign_pointer(chain->rules_gen_0, g1);
6494 nf_tables_commit_chain_free_rules_old(g0);
6501 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6503 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6505 chain->rules_next = NULL;
6511 nf_tables_commit_chain_free_rules_old(g1);
6513 nf_tables_commit_chain_free_rules_old(g0);
6516 static void nft_obj_del(struct nft_object *obj)
6518 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6519 list_del_rcu(&obj->list);
6522 static void nft_chain_del(struct nft_chain *chain)
6524 struct nft_table *table = chain->table;
6526 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6527 nft_chain_ht_params));
6528 list_del_rcu(&chain->list);
6531 static void nf_tables_commit_release(struct net *net)
6533 struct nft_trans *trans;
6535 /* all side effects have to be made visible.
6536 * For example, if a chain named 'foo' has been deleted, a
6537 * new transaction must not find it anymore.
6539 * Memory reclaim happens asynchronously from work queue
6540 * to prevent expensive synchronize_rcu() in commit phase.
6542 if (list_empty(&net->nft.commit_list)) {
6543 mutex_unlock(&net->nft.commit_mutex);
6547 trans = list_last_entry(&net->nft.commit_list,
6548 struct nft_trans, list);
6549 get_net(trans->ctx.net);
6550 WARN_ON_ONCE(trans->put_net);
6552 trans->put_net = true;
6553 spin_lock(&nf_tables_destroy_list_lock);
6554 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6555 spin_unlock(&nf_tables_destroy_list_lock);
6557 mutex_unlock(&net->nft.commit_mutex);
6559 schedule_work(&trans_destroy_work);
6562 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6564 struct nft_trans *trans, *next;
6565 struct nft_trans_elem *te;
6566 struct nft_chain *chain;
6567 struct nft_table *table;
6569 if (list_empty(&net->nft.commit_list)) {
6570 mutex_unlock(&net->nft.commit_mutex);
6574 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6575 if (nf_tables_validate(net) < 0)
6578 /* 1. Allocate space for next generation rules_gen_X[] */
6579 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6582 if (trans->msg_type == NFT_MSG_NEWRULE ||
6583 trans->msg_type == NFT_MSG_DELRULE) {
6584 chain = trans->ctx.chain;
6586 ret = nf_tables_commit_chain_prepare(net, chain);
6588 nf_tables_commit_chain_prepare_cancel(net);
6594 /* step 2. Make rules_gen_X visible to packet path */
6595 list_for_each_entry(table, &net->nft.tables, list) {
6596 list_for_each_entry(chain, &table->chains, list)
6597 nf_tables_commit_chain(net, chain);
6601 * Bump generation counter, invalidate any dump in progress.
6602 * Cannot fail after this point.
6604 while (++net->nft.base_seq == 0);
6606 /* step 3. Start new generation, rules_gen_X now in use. */
6607 net->nft.gencursor = nft_gencursor_next(net);
6609 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6610 switch (trans->msg_type) {
6611 case NFT_MSG_NEWTABLE:
6612 if (nft_trans_table_update(trans)) {
6613 if (!nft_trans_table_enable(trans)) {
6614 nf_tables_table_disable(net,
6616 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6619 nft_clear(net, trans->ctx.table);
6621 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6622 nft_trans_destroy(trans);
6624 case NFT_MSG_DELTABLE:
6625 list_del_rcu(&trans->ctx.table->list);
6626 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6628 case NFT_MSG_NEWCHAIN:
6629 if (nft_trans_chain_update(trans)) {
6630 nft_chain_commit_update(trans);
6631 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6632 /* trans destroyed after rcu grace period */
6634 nft_clear(net, trans->ctx.chain);
6635 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6636 nft_trans_destroy(trans);
6639 case NFT_MSG_DELCHAIN:
6640 nft_chain_del(trans->ctx.chain);
6641 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6642 nf_tables_unregister_hook(trans->ctx.net,
6646 case NFT_MSG_NEWRULE:
6647 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6648 nf_tables_rule_notify(&trans->ctx,
6649 nft_trans_rule(trans),
6651 nft_trans_destroy(trans);
6653 case NFT_MSG_DELRULE:
6654 list_del_rcu(&nft_trans_rule(trans)->list);
6655 nf_tables_rule_notify(&trans->ctx,
6656 nft_trans_rule(trans),
6658 nft_rule_expr_deactivate(&trans->ctx,
6659 nft_trans_rule(trans),
6662 case NFT_MSG_NEWSET:
6663 nft_clear(net, nft_trans_set(trans));
6664 /* This avoids hitting -EBUSY when deleting the table
6665 * from the transaction.
6667 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6668 !list_empty(&nft_trans_set(trans)->bindings))
6669 trans->ctx.table->use--;
6671 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6672 NFT_MSG_NEWSET, GFP_KERNEL);
6673 nft_trans_destroy(trans);
6675 case NFT_MSG_DELSET:
6676 list_del_rcu(&nft_trans_set(trans)->list);
6677 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6678 NFT_MSG_DELSET, GFP_KERNEL);
6680 case NFT_MSG_NEWSETELEM:
6681 te = (struct nft_trans_elem *)trans->data;
6683 te->set->ops->activate(net, te->set, &te->elem);
6684 nf_tables_setelem_notify(&trans->ctx, te->set,
6686 NFT_MSG_NEWSETELEM, 0);
6687 nft_trans_destroy(trans);
6689 case NFT_MSG_DELSETELEM:
6690 te = (struct nft_trans_elem *)trans->data;
6692 nf_tables_setelem_notify(&trans->ctx, te->set,
6694 NFT_MSG_DELSETELEM, 0);
6695 te->set->ops->remove(net, te->set, &te->elem);
6696 atomic_dec(&te->set->nelems);
6699 case NFT_MSG_NEWOBJ:
6700 nft_clear(net, nft_trans_obj(trans));
6701 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6703 nft_trans_destroy(trans);
6705 case NFT_MSG_DELOBJ:
6706 nft_obj_del(nft_trans_obj(trans));
6707 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6710 case NFT_MSG_NEWFLOWTABLE:
6711 nft_clear(net, nft_trans_flowtable(trans));
6712 nf_tables_flowtable_notify(&trans->ctx,
6713 nft_trans_flowtable(trans),
6714 NFT_MSG_NEWFLOWTABLE);
6715 nft_trans_destroy(trans);
6717 case NFT_MSG_DELFLOWTABLE:
6718 list_del_rcu(&nft_trans_flowtable(trans)->list);
6719 nf_tables_flowtable_notify(&trans->ctx,
6720 nft_trans_flowtable(trans),
6721 NFT_MSG_DELFLOWTABLE);
6722 nft_unregister_flowtable_net_hooks(net,
6723 nft_trans_flowtable(trans));
6728 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6729 nf_tables_commit_release(net);
6734 static void nf_tables_abort_release(struct nft_trans *trans)
6736 switch (trans->msg_type) {
6737 case NFT_MSG_NEWTABLE:
6738 nf_tables_table_destroy(&trans->ctx);
6740 case NFT_MSG_NEWCHAIN:
6741 nf_tables_chain_destroy(&trans->ctx);
6743 case NFT_MSG_NEWRULE:
6744 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6746 case NFT_MSG_NEWSET:
6747 nft_set_destroy(nft_trans_set(trans));
6749 case NFT_MSG_NEWSETELEM:
6750 nft_set_elem_destroy(nft_trans_elem_set(trans),
6751 nft_trans_elem(trans).priv, true);
6753 case NFT_MSG_NEWOBJ:
6754 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6756 case NFT_MSG_NEWFLOWTABLE:
6757 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6763 static int __nf_tables_abort(struct net *net)
6765 struct nft_trans *trans, *next;
6766 struct nft_trans_elem *te;
6768 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6770 switch (trans->msg_type) {
6771 case NFT_MSG_NEWTABLE:
6772 if (nft_trans_table_update(trans)) {
6773 if (nft_trans_table_enable(trans)) {
6774 nf_tables_table_disable(net,
6776 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6778 nft_trans_destroy(trans);
6780 list_del_rcu(&trans->ctx.table->list);
6783 case NFT_MSG_DELTABLE:
6784 nft_clear(trans->ctx.net, trans->ctx.table);
6785 nft_trans_destroy(trans);
6787 case NFT_MSG_NEWCHAIN:
6788 if (nft_trans_chain_update(trans)) {
6789 free_percpu(nft_trans_chain_stats(trans));
6790 kfree(nft_trans_chain_name(trans));
6791 nft_trans_destroy(trans);
6793 trans->ctx.table->use--;
6794 nft_chain_del(trans->ctx.chain);
6795 nf_tables_unregister_hook(trans->ctx.net,
6800 case NFT_MSG_DELCHAIN:
6801 trans->ctx.table->use++;
6802 nft_clear(trans->ctx.net, trans->ctx.chain);
6803 nft_trans_destroy(trans);
6805 case NFT_MSG_NEWRULE:
6806 trans->ctx.chain->use--;
6807 list_del_rcu(&nft_trans_rule(trans)->list);
6808 nft_rule_expr_deactivate(&trans->ctx,
6809 nft_trans_rule(trans),
6812 case NFT_MSG_DELRULE:
6813 trans->ctx.chain->use++;
6814 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6815 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6816 nft_trans_destroy(trans);
6818 case NFT_MSG_NEWSET:
6819 trans->ctx.table->use--;
6820 if (nft_trans_set(trans)->bound) {
6821 nft_trans_destroy(trans);
6824 list_del_rcu(&nft_trans_set(trans)->list);
6826 case NFT_MSG_DELSET:
6827 trans->ctx.table->use++;
6828 nft_clear(trans->ctx.net, nft_trans_set(trans));
6829 nft_trans_destroy(trans);
6831 case NFT_MSG_NEWSETELEM:
6832 if (nft_trans_elem_set(trans)->bound) {
6833 nft_trans_destroy(trans);
6836 te = (struct nft_trans_elem *)trans->data;
6837 te->set->ops->remove(net, te->set, &te->elem);
6838 atomic_dec(&te->set->nelems);
6840 case NFT_MSG_DELSETELEM:
6841 te = (struct nft_trans_elem *)trans->data;
6843 nft_set_elem_activate(net, te->set, &te->elem);
6844 te->set->ops->activate(net, te->set, &te->elem);
6847 nft_trans_destroy(trans);
6849 case NFT_MSG_NEWOBJ:
6850 trans->ctx.table->use--;
6851 nft_obj_del(nft_trans_obj(trans));
6853 case NFT_MSG_DELOBJ:
6854 trans->ctx.table->use++;
6855 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6856 nft_trans_destroy(trans);
6858 case NFT_MSG_NEWFLOWTABLE:
6859 trans->ctx.table->use--;
6860 list_del_rcu(&nft_trans_flowtable(trans)->list);
6861 nft_unregister_flowtable_net_hooks(net,
6862 nft_trans_flowtable(trans));
6864 case NFT_MSG_DELFLOWTABLE:
6865 trans->ctx.table->use++;
6866 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6867 nft_trans_destroy(trans);
6874 list_for_each_entry_safe_reverse(trans, next,
6875 &net->nft.commit_list, list) {
6876 list_del(&trans->list);
6877 nf_tables_abort_release(trans);
6883 static void nf_tables_cleanup(struct net *net)
6885 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6888 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6890 int ret = __nf_tables_abort(net);
6892 mutex_unlock(&net->nft.commit_mutex);
6897 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6901 mutex_lock(&net->nft.commit_mutex);
6903 genid_ok = genid == 0 || net->nft.base_seq == genid;
6905 mutex_unlock(&net->nft.commit_mutex);
6907 /* else, commit mutex has to be released by commit or abort function */
6911 static const struct nfnetlink_subsystem nf_tables_subsys = {
6912 .name = "nf_tables",
6913 .subsys_id = NFNL_SUBSYS_NFTABLES,
6914 .cb_count = NFT_MSG_MAX,
6916 .commit = nf_tables_commit,
6917 .abort = nf_tables_abort,
6918 .cleanup = nf_tables_cleanup,
6919 .valid_genid = nf_tables_valid_genid,
6920 .owner = THIS_MODULE,
6923 int nft_chain_validate_dependency(const struct nft_chain *chain,
6924 enum nft_chain_types type)
6926 const struct nft_base_chain *basechain;
6928 if (nft_is_base_chain(chain)) {
6929 basechain = nft_base_chain(chain);
6930 if (basechain->type->type != type)
6935 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6937 int nft_chain_validate_hooks(const struct nft_chain *chain,
6938 unsigned int hook_flags)
6940 struct nft_base_chain *basechain;
6942 if (nft_is_base_chain(chain)) {
6943 basechain = nft_base_chain(chain);
6945 if ((1 << basechain->ops.hooknum) & hook_flags)
6953 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6956 * Loop detection - walk through the ruleset beginning at the destination chain
6957 * of a new jump until either the source chain is reached (loop) or all
6958 * reachable chains have been traversed.
6960 * The loop check is performed whenever a new jump verdict is added to an
6961 * expression or verdict map or a verdict map is bound to a new chain.
6964 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6965 const struct nft_chain *chain);
6967 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6968 struct nft_set *set,
6969 const struct nft_set_iter *iter,
6970 struct nft_set_elem *elem)
6972 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6973 const struct nft_data *data;
6975 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6976 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6979 data = nft_set_ext_data(ext);
6980 switch (data->verdict.code) {
6983 return nf_tables_check_loops(ctx, data->verdict.chain);
6989 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6990 const struct nft_chain *chain)
6992 const struct nft_rule *rule;
6993 const struct nft_expr *expr, *last;
6994 struct nft_set *set;
6995 struct nft_set_binding *binding;
6996 struct nft_set_iter iter;
6998 if (ctx->chain == chain)
7001 list_for_each_entry(rule, &chain->rules, list) {
7002 nft_rule_for_each_expr(expr, last, rule) {
7003 struct nft_immediate_expr *priv;
7004 const struct nft_data *data;
7007 if (strcmp(expr->ops->type->name, "immediate"))
7010 priv = nft_expr_priv(expr);
7011 if (priv->dreg != NFT_REG_VERDICT)
7015 switch (data->verdict.code) {
7018 err = nf_tables_check_loops(ctx,
7019 data->verdict.chain);
7028 list_for_each_entry(set, &ctx->table->sets, list) {
7029 if (!nft_is_active_next(ctx->net, set))
7031 if (!(set->flags & NFT_SET_MAP) ||
7032 set->dtype != NFT_DATA_VERDICT)
7035 list_for_each_entry(binding, &set->bindings, list) {
7036 if (!(binding->flags & NFT_SET_MAP) ||
7037 binding->chain != chain)
7040 iter.genmask = nft_genmask_next(ctx->net);
7044 iter.fn = nf_tables_loop_check_setelem;
7046 set->ops->walk(ctx, set, &iter);
7056 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7058 * @attr: netlink attribute to fetch value from
7059 * @max: maximum value to be stored in dest
7060 * @dest: pointer to the variable
7062 * Parse, check and store a given u32 netlink attribute into variable.
7063 * This function returns -ERANGE if the value goes over maximum value.
7064 * Otherwise a 0 is returned and the attribute value is stored in the
7065 * destination variable.
7067 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7071 val = ntohl(nla_get_be32(attr));
7078 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7081 * nft_parse_register - parse a register value from a netlink attribute
7083 * @attr: netlink attribute
7085 * Parse and translate a register value from a netlink attribute.
7086 * Registers used to be 128 bit wide, these register numbers will be
7087 * mapped to the corresponding 32 bit register numbers.
7089 unsigned int nft_parse_register(const struct nlattr *attr)
7093 reg = ntohl(nla_get_be32(attr));
7095 case NFT_REG_VERDICT...NFT_REG_4:
7096 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7098 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7101 EXPORT_SYMBOL_GPL(nft_parse_register);
7104 * nft_dump_register - dump a register value to a netlink attribute
7106 * @skb: socket buffer
7107 * @attr: attribute number
7108 * @reg: register number
7110 * Construct a netlink attribute containing the register number. For
7111 * compatibility reasons, register numbers being a multiple of 4 are
7112 * translated to the corresponding 128 bit register numbers.
7114 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7116 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7117 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7119 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7121 return nla_put_be32(skb, attr, htonl(reg));
7123 EXPORT_SYMBOL_GPL(nft_dump_register);
7126 * nft_validate_register_load - validate a load from a register
7128 * @reg: the register number
7129 * @len: the length of the data
7131 * Validate that the input register is one of the general purpose
7132 * registers and that the length of the load is within the bounds.
7134 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7136 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7140 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7145 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7148 * nft_validate_register_store - validate an expressions' register store
7150 * @ctx: context of the expression performing the load
7151 * @reg: the destination register number
7152 * @data: the data to load
7153 * @type: the data type
7154 * @len: the length of the data
7156 * Validate that a data load uses the appropriate data type for
7157 * the destination register and the length is within the bounds.
7158 * A value of NULL for the data means that its runtime gathered
7161 int nft_validate_register_store(const struct nft_ctx *ctx,
7162 enum nft_registers reg,
7163 const struct nft_data *data,
7164 enum nft_data_types type, unsigned int len)
7169 case NFT_REG_VERDICT:
7170 if (type != NFT_DATA_VERDICT)
7174 (data->verdict.code == NFT_GOTO ||
7175 data->verdict.code == NFT_JUMP)) {
7176 err = nf_tables_check_loops(ctx, data->verdict.chain);
7183 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7187 if (reg * NFT_REG32_SIZE + len >
7188 FIELD_SIZEOF(struct nft_regs, data))
7191 if (data != NULL && type != NFT_DATA_VALUE)
7196 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7198 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7199 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7200 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7201 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7204 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7205 struct nft_data_desc *desc, const struct nlattr *nla)
7207 u8 genmask = nft_genmask_next(ctx->net);
7208 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7209 struct nft_chain *chain;
7212 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
7217 if (!tb[NFTA_VERDICT_CODE])
7219 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7221 switch (data->verdict.code) {
7223 switch (data->verdict.code & NF_VERDICT_MASK) {
7238 if (!tb[NFTA_VERDICT_CHAIN])
7240 chain = nft_chain_lookup(ctx->net, ctx->table,
7241 tb[NFTA_VERDICT_CHAIN], genmask);
7243 return PTR_ERR(chain);
7244 if (nft_is_base_chain(chain))
7248 data->verdict.chain = chain;
7252 desc->len = sizeof(data->verdict);
7253 desc->type = NFT_DATA_VERDICT;
7257 static void nft_verdict_uninit(const struct nft_data *data)
7259 switch (data->verdict.code) {
7262 data->verdict.chain->use--;
7267 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7269 struct nlattr *nest;
7271 nest = nla_nest_start(skb, type);
7273 goto nla_put_failure;
7275 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7276 goto nla_put_failure;
7281 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7283 goto nla_put_failure;
7285 nla_nest_end(skb, nest);
7292 static int nft_value_init(const struct nft_ctx *ctx,
7293 struct nft_data *data, unsigned int size,
7294 struct nft_data_desc *desc, const struct nlattr *nla)
7304 nla_memcpy(data->data, nla, len);
7305 desc->type = NFT_DATA_VALUE;
7310 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7313 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7316 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7317 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7318 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7322 * nft_data_init - parse nf_tables data netlink attributes
7324 * @ctx: context of the expression using the data
7325 * @data: destination struct nft_data
7326 * @size: maximum data length
7327 * @desc: data description
7328 * @nla: netlink attribute containing data
7330 * Parse the netlink data attributes and initialize a struct nft_data.
7331 * The type and length of data are returned in the data description.
7333 * The caller can indicate that it only wants to accept data of type
7334 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7336 int nft_data_init(const struct nft_ctx *ctx,
7337 struct nft_data *data, unsigned int size,
7338 struct nft_data_desc *desc, const struct nlattr *nla)
7340 struct nlattr *tb[NFTA_DATA_MAX + 1];
7343 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
7347 if (tb[NFTA_DATA_VALUE])
7348 return nft_value_init(ctx, data, size, desc,
7349 tb[NFTA_DATA_VALUE]);
7350 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7351 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7354 EXPORT_SYMBOL_GPL(nft_data_init);
7357 * nft_data_release - release a nft_data item
7359 * @data: struct nft_data to release
7360 * @type: type of data
7362 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7363 * all others need to be released by calling this function.
7365 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7367 if (type < NFT_DATA_VERDICT)
7370 case NFT_DATA_VERDICT:
7371 return nft_verdict_uninit(data);
7376 EXPORT_SYMBOL_GPL(nft_data_release);
7378 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7379 enum nft_data_types type, unsigned int len)
7381 struct nlattr *nest;
7384 nest = nla_nest_start(skb, attr);
7389 case NFT_DATA_VALUE:
7390 err = nft_value_dump(skb, data, len);
7392 case NFT_DATA_VERDICT:
7393 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7400 nla_nest_end(skb, nest);
7403 EXPORT_SYMBOL_GPL(nft_data_dump);
7405 int __nft_release_basechain(struct nft_ctx *ctx)
7407 struct nft_rule *rule, *nr;
7409 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7412 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7413 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7414 list_del(&rule->list);
7416 nf_tables_rule_release(ctx, rule);
7418 nft_chain_del(ctx->chain);
7420 nf_tables_chain_destroy(ctx);
7424 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7426 static void __nft_release_tables(struct net *net)
7428 struct nft_flowtable *flowtable, *nf;
7429 struct nft_table *table, *nt;
7430 struct nft_chain *chain, *nc;
7431 struct nft_object *obj, *ne;
7432 struct nft_rule *rule, *nr;
7433 struct nft_set *set, *ns;
7434 struct nft_ctx ctx = {
7436 .family = NFPROTO_NETDEV,
7439 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7440 ctx.family = table->family;
7442 list_for_each_entry(chain, &table->chains, list)
7443 nf_tables_unregister_hook(net, table, chain);
7444 /* No packets are walking on these chains anymore. */
7446 list_for_each_entry(chain, &table->chains, list) {
7448 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7449 list_del(&rule->list);
7451 nf_tables_rule_release(&ctx, rule);
7454 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7455 list_del(&flowtable->list);
7457 nf_tables_flowtable_destroy(flowtable);
7459 list_for_each_entry_safe(set, ns, &table->sets, list) {
7460 list_del(&set->list);
7462 nft_set_destroy(set);
7464 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7467 nft_obj_destroy(&ctx, obj);
7469 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7471 nft_chain_del(chain);
7473 nf_tables_chain_destroy(&ctx);
7475 list_del(&table->list);
7476 nf_tables_table_destroy(&ctx);
7480 static int __net_init nf_tables_init_net(struct net *net)
7482 INIT_LIST_HEAD(&net->nft.tables);
7483 INIT_LIST_HEAD(&net->nft.commit_list);
7484 mutex_init(&net->nft.commit_mutex);
7485 net->nft.base_seq = 1;
7486 net->nft.validate_state = NFT_VALIDATE_SKIP;
7491 static void __net_exit nf_tables_exit_net(struct net *net)
7493 mutex_lock(&net->nft.commit_mutex);
7494 if (!list_empty(&net->nft.commit_list))
7495 __nf_tables_abort(net);
7496 __nft_release_tables(net);
7497 mutex_unlock(&net->nft.commit_mutex);
7498 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7501 static struct pernet_operations nf_tables_net_ops = {
7502 .init = nf_tables_init_net,
7503 .exit = nf_tables_exit_net,
7506 static int __init nf_tables_module_init(void)
7510 spin_lock_init(&nf_tables_destroy_list_lock);
7511 err = register_pernet_subsys(&nf_tables_net_ops);
7515 err = nft_chain_filter_init();
7519 err = nf_tables_core_module_init();
7523 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7527 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7532 err = nfnetlink_subsys_register(&nf_tables_subsys);
7538 rhltable_destroy(&nft_objname_ht);
7540 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7542 nf_tables_core_module_exit();
7544 nft_chain_filter_fini();
7546 unregister_pernet_subsys(&nf_tables_net_ops);
7550 static void __exit nf_tables_module_exit(void)
7552 nfnetlink_subsys_unregister(&nf_tables_subsys);
7553 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7554 nft_chain_filter_fini();
7555 unregister_pernet_subsys(&nf_tables_net_ops);
7556 cancel_work_sync(&trans_destroy_work);
7558 rhltable_destroy(&nft_objname_ht);
7559 nf_tables_core_module_exit();
7562 module_init(nf_tables_module_init);
7563 module_exit(nf_tables_module_exit);
7565 MODULE_LICENSE("GPL");
7566 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7567 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux.git / blob