1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
27 static LIST_HEAD(nf_tables_flowtables);
28 static LIST_HEAD(nf_tables_destroy_list);
29 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
30 static u64 table_handle;
33 NFT_VALIDATE_SKIP = 0,
38 static struct rhltable nft_objname_ht;
40 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
41 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
42 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
44 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static const struct rhashtable_params nft_chain_ht_params = {
49 .head_offset = offsetof(struct nft_chain, rhlhead),
50 .key_offset = offsetof(struct nft_chain, name),
51 .hashfn = nft_chain_hash,
52 .obj_hashfn = nft_chain_hash_obj,
53 .obj_cmpfn = nft_chain_hash_cmp,
54 .automatic_shrinking = true,
57 static const struct rhashtable_params nft_objname_ht_params = {
58 .head_offset = offsetof(struct nft_object, rhlhead),
59 .key_offset = offsetof(struct nft_object, key),
60 .hashfn = nft_objname_hash,
61 .obj_hashfn = nft_objname_hash_obj,
62 .obj_cmpfn = nft_objname_hash_cmp,
63 .automatic_shrinking = true,
66 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
68 switch (net->nft.validate_state) {
69 case NFT_VALIDATE_SKIP:
70 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
72 case NFT_VALIDATE_NEED:
75 if (new_validate_state == NFT_VALIDATE_NEED)
79 net->nft.validate_state = new_validate_state;
81 static void nf_tables_trans_destroy_work(struct work_struct *w);
82 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
84 static void nft_ctx_init(struct nft_ctx *ctx,
86 const struct sk_buff *skb,
87 const struct nlmsghdr *nlh,
89 struct nft_table *table,
90 struct nft_chain *chain,
91 const struct nlattr * const *nla)
99 ctx->portid = NETLINK_CB(skb).portid;
100 ctx->report = nlmsg_report(nlh);
101 ctx->flags = nlh->nlmsg_flags;
102 ctx->seq = nlh->nlmsg_seq;
105 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
106 int msg_type, u32 size, gfp_t gfp)
108 struct nft_trans *trans;
110 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 trans->msg_type = msg_type;
120 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
121 int msg_type, u32 size)
123 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
126 static void nft_trans_destroy(struct nft_trans *trans)
128 list_del(&trans->list);
132 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
134 struct net *net = ctx->net;
135 struct nft_trans *trans;
137 if (!nft_set_is_anonymous(set))
140 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
141 switch (trans->msg_type) {
143 if (nft_trans_set(trans) == set)
144 nft_trans_set_bound(trans) = true;
146 case NFT_MSG_NEWSETELEM:
147 if (nft_trans_elem_set(trans) == set)
148 nft_trans_elem_set_bound(trans) = true;
154 static int nft_netdev_register_hooks(struct net *net,
155 struct list_head *hook_list)
157 struct nft_hook *hook;
161 list_for_each_entry(hook, hook_list, list) {
162 err = nf_register_net_hook(net, &hook->ops);
171 list_for_each_entry(hook, hook_list, list) {
175 nf_unregister_net_hook(net, &hook->ops);
180 static void nft_netdev_unregister_hooks(struct net *net,
181 struct list_head *hook_list)
183 struct nft_hook *hook;
185 list_for_each_entry(hook, hook_list, list)
186 nf_unregister_net_hook(net, &hook->ops);
189 static int nft_register_basechain_hooks(struct net *net, int family,
190 struct nft_base_chain *basechain)
192 if (family == NFPROTO_NETDEV)
193 return nft_netdev_register_hooks(net, &basechain->hook_list);
195 return nf_register_net_hook(net, &basechain->ops);
198 static void nft_unregister_basechain_hooks(struct net *net, int family,
199 struct nft_base_chain *basechain)
201 if (family == NFPROTO_NETDEV)
202 nft_netdev_unregister_hooks(net, &basechain->hook_list);
204 nf_unregister_net_hook(net, &basechain->ops);
207 static int nf_tables_register_hook(struct net *net,
208 const struct nft_table *table,
209 struct nft_chain *chain)
211 struct nft_base_chain *basechain;
212 const struct nf_hook_ops *ops;
214 if (table->flags & NFT_TABLE_F_DORMANT ||
215 !nft_is_base_chain(chain))
218 basechain = nft_base_chain(chain);
219 ops = &basechain->ops;
221 if (basechain->type->ops_register)
222 return basechain->type->ops_register(net, ops);
224 return nft_register_basechain_hooks(net, table->family, basechain);
227 static void nf_tables_unregister_hook(struct net *net,
228 const struct nft_table *table,
229 struct nft_chain *chain)
231 struct nft_base_chain *basechain;
232 const struct nf_hook_ops *ops;
234 if (table->flags & NFT_TABLE_F_DORMANT ||
235 !nft_is_base_chain(chain))
237 basechain = nft_base_chain(chain);
238 ops = &basechain->ops;
240 if (basechain->type->ops_unregister)
241 return basechain->type->ops_unregister(net, ops);
243 nft_unregister_basechain_hooks(net, table->family, basechain);
246 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
248 struct nft_trans *trans;
250 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
254 if (msg_type == NFT_MSG_NEWTABLE)
255 nft_activate_next(ctx->net, ctx->table);
257 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
261 static int nft_deltable(struct nft_ctx *ctx)
265 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
269 nft_deactivate_next(ctx->net, ctx->table);
273 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
275 struct nft_trans *trans;
277 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
279 return ERR_PTR(-ENOMEM);
281 if (msg_type == NFT_MSG_NEWCHAIN)
282 nft_activate_next(ctx->net, ctx->chain);
284 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
288 static int nft_delchain(struct nft_ctx *ctx)
290 struct nft_trans *trans;
292 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
294 return PTR_ERR(trans);
297 nft_deactivate_next(ctx->net, ctx->chain);
302 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
303 struct nft_rule *rule)
305 struct nft_expr *expr;
307 expr = nft_expr_first(rule);
308 while (expr != nft_expr_last(rule) && expr->ops) {
309 if (expr->ops->activate)
310 expr->ops->activate(ctx, expr);
312 expr = nft_expr_next(expr);
316 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
317 struct nft_rule *rule,
318 enum nft_trans_phase phase)
320 struct nft_expr *expr;
322 expr = nft_expr_first(rule);
323 while (expr != nft_expr_last(rule) && expr->ops) {
324 if (expr->ops->deactivate)
325 expr->ops->deactivate(ctx, expr, phase);
327 expr = nft_expr_next(expr);
332 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
334 /* You cannot delete the same rule twice */
335 if (nft_is_active_next(ctx->net, rule)) {
336 nft_deactivate_next(ctx->net, rule);
343 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
344 struct nft_rule *rule)
346 struct nft_trans *trans;
348 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
352 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
353 nft_trans_rule_id(trans) =
354 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
356 nft_trans_rule(trans) = rule;
357 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
362 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
364 struct nft_flow_rule *flow;
365 struct nft_trans *trans;
368 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
372 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
373 flow = nft_flow_rule_create(ctx->net, rule);
375 nft_trans_destroy(trans);
376 return PTR_ERR(flow);
379 nft_trans_flow_rule(trans) = flow;
382 err = nf_tables_delrule_deactivate(ctx, rule);
384 nft_trans_destroy(trans);
387 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
392 static int nft_delrule_by_chain(struct nft_ctx *ctx)
394 struct nft_rule *rule;
397 list_for_each_entry(rule, &ctx->chain->rules, list) {
398 if (!nft_is_active_next(ctx->net, rule))
401 err = nft_delrule(ctx, rule);
408 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
411 struct nft_trans *trans;
413 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
417 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
418 nft_trans_set_id(trans) =
419 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
420 nft_activate_next(ctx->net, set);
422 nft_trans_set(trans) = set;
423 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
428 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
432 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
436 nft_deactivate_next(ctx->net, set);
442 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
443 struct nft_object *obj)
445 struct nft_trans *trans;
447 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
451 if (msg_type == NFT_MSG_NEWOBJ)
452 nft_activate_next(ctx->net, obj);
454 nft_trans_obj(trans) = obj;
455 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
460 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
464 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
468 nft_deactivate_next(ctx->net, obj);
474 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
475 struct nft_flowtable *flowtable)
477 struct nft_trans *trans;
479 trans = nft_trans_alloc(ctx, msg_type,
480 sizeof(struct nft_trans_flowtable));
484 if (msg_type == NFT_MSG_NEWFLOWTABLE)
485 nft_activate_next(ctx->net, flowtable);
487 nft_trans_flowtable(trans) = flowtable;
488 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
493 static int nft_delflowtable(struct nft_ctx *ctx,
494 struct nft_flowtable *flowtable)
498 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
502 nft_deactivate_next(ctx->net, flowtable);
512 static struct nft_table *nft_table_lookup(const struct net *net,
513 const struct nlattr *nla,
514 u8 family, u8 genmask)
516 struct nft_table *table;
519 return ERR_PTR(-EINVAL);
521 list_for_each_entry_rcu(table, &net->nft.tables, list) {
522 if (!nla_strcmp(nla, table->name) &&
523 table->family == family &&
524 nft_active_genmask(table, genmask))
528 return ERR_PTR(-ENOENT);
531 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
532 const struct nlattr *nla,
535 struct nft_table *table;
537 list_for_each_entry(table, &net->nft.tables, list) {
538 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
539 nft_active_genmask(table, genmask))
543 return ERR_PTR(-ENOENT);
546 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
548 return ++table->hgenerator;
551 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
553 static const struct nft_chain_type *
554 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
558 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
559 if (chain_type[family][i] != NULL &&
560 !nla_strcmp(nla, chain_type[family][i]->name))
561 return chain_type[family][i];
567 * Loading a module requires dropping mutex that guards the
569 * We first need to abort any pending transactions as once
570 * mutex is unlocked a different client could start a new
571 * transaction. It must not see any 'future generation'
572 * changes * as these changes will never happen.
574 #ifdef CONFIG_MODULES
575 static int __nf_tables_abort(struct net *net);
577 static void nft_request_module(struct net *net, const char *fmt, ...)
579 char module_name[MODULE_NAME_LEN];
583 __nf_tables_abort(net);
586 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
588 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
591 mutex_unlock(&net->nft.commit_mutex);
592 request_module("%s", module_name);
593 mutex_lock(&net->nft.commit_mutex);
597 static void lockdep_nfnl_nft_mutex_not_held(void)
599 #ifdef CONFIG_PROVE_LOCKING
600 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
604 static const struct nft_chain_type *
605 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
606 u8 family, bool autoload)
608 const struct nft_chain_type *type;
610 type = __nf_tables_chain_type_lookup(nla, family);
614 lockdep_nfnl_nft_mutex_not_held();
615 #ifdef CONFIG_MODULES
617 nft_request_module(net, "nft-chain-%u-%.*s", family,
618 nla_len(nla), (const char *)nla_data(nla));
619 type = __nf_tables_chain_type_lookup(nla, family);
621 return ERR_PTR(-EAGAIN);
624 return ERR_PTR(-ENOENT);
627 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
628 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
629 .len = NFT_TABLE_MAXNAMELEN - 1 },
630 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
631 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
634 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
635 u32 portid, u32 seq, int event, u32 flags,
636 int family, const struct nft_table *table)
638 struct nlmsghdr *nlh;
639 struct nfgenmsg *nfmsg;
641 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
642 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
644 goto nla_put_failure;
646 nfmsg = nlmsg_data(nlh);
647 nfmsg->nfgen_family = family;
648 nfmsg->version = NFNETLINK_V0;
649 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
651 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
652 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
653 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
654 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
656 goto nla_put_failure;
662 nlmsg_trim(skb, nlh);
666 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
672 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
675 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
679 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
680 event, 0, ctx->family, ctx->table);
686 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
687 ctx->report, GFP_KERNEL);
690 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
693 static int nf_tables_dump_tables(struct sk_buff *skb,
694 struct netlink_callback *cb)
696 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
697 const struct nft_table *table;
698 unsigned int idx = 0, s_idx = cb->args[0];
699 struct net *net = sock_net(skb->sk);
700 int family = nfmsg->nfgen_family;
703 cb->seq = net->nft.base_seq;
705 list_for_each_entry_rcu(table, &net->nft.tables, list) {
706 if (family != NFPROTO_UNSPEC && family != table->family)
712 memset(&cb->args[1], 0,
713 sizeof(cb->args) - sizeof(cb->args[0]));
714 if (!nft_is_active(net, table))
716 if (nf_tables_fill_table_info(skb, net,
717 NETLINK_CB(cb->skb).portid,
719 NFT_MSG_NEWTABLE, NLM_F_MULTI,
720 table->family, table) < 0)
723 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
733 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
734 const struct nlmsghdr *nlh,
735 struct netlink_dump_control *c)
739 if (!try_module_get(THIS_MODULE))
743 err = netlink_dump_start(nlsk, skb, nlh, c);
745 module_put(THIS_MODULE);
750 /* called with rcu_read_lock held */
751 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
752 struct sk_buff *skb, const struct nlmsghdr *nlh,
753 const struct nlattr * const nla[],
754 struct netlink_ext_ack *extack)
756 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
757 u8 genmask = nft_genmask_cur(net);
758 const struct nft_table *table;
759 struct sk_buff *skb2;
760 int family = nfmsg->nfgen_family;
763 if (nlh->nlmsg_flags & NLM_F_DUMP) {
764 struct netlink_dump_control c = {
765 .dump = nf_tables_dump_tables,
766 .module = THIS_MODULE,
769 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
772 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
774 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
775 return PTR_ERR(table);
778 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
782 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
783 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
788 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
795 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
797 struct nft_chain *chain;
800 list_for_each_entry(chain, &table->chains, list) {
801 if (!nft_is_active_next(net, chain))
803 if (!nft_is_base_chain(chain))
806 if (cnt && i++ == cnt)
809 nft_unregister_basechain_hooks(net, table->family,
810 nft_base_chain(chain));
814 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
816 struct nft_chain *chain;
819 list_for_each_entry(chain, &table->chains, list) {
820 if (!nft_is_active_next(net, chain))
822 if (!nft_is_base_chain(chain))
825 err = nft_register_basechain_hooks(net, table->family,
826 nft_base_chain(chain));
828 goto err_register_hooks;
836 nft_table_disable(net, table, i);
840 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
842 nft_table_disable(net, table, 0);
845 static int nf_tables_updtable(struct nft_ctx *ctx)
847 struct nft_trans *trans;
851 if (!ctx->nla[NFTA_TABLE_FLAGS])
854 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
855 if (flags & ~NFT_TABLE_F_DORMANT)
858 if (flags == ctx->table->flags)
861 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
862 sizeof(struct nft_trans_table));
866 if ((flags & NFT_TABLE_F_DORMANT) &&
867 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
868 nft_trans_table_enable(trans) = false;
869 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
870 ctx->table->flags & NFT_TABLE_F_DORMANT) {
871 ret = nf_tables_table_enable(ctx->net, ctx->table);
873 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
874 nft_trans_table_enable(trans) = true;
880 nft_trans_table_update(trans) = true;
881 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
884 nft_trans_destroy(trans);
888 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
890 const char *name = data;
892 return jhash(name, strlen(name), seed);
895 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
897 const struct nft_chain *chain = data;
899 return nft_chain_hash(chain->name, 0, seed);
902 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
905 const struct nft_chain *chain = ptr;
906 const char *name = arg->key;
908 return strcmp(chain->name, name);
911 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
913 const struct nft_object_hash_key *k = data;
915 seed ^= hash_ptr(k->table, 32);
917 return jhash(k->name, strlen(k->name), seed);
920 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
922 const struct nft_object *obj = data;
924 return nft_objname_hash(&obj->key, 0, seed);
927 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
930 const struct nft_object_hash_key *k = arg->key;
931 const struct nft_object *obj = ptr;
933 if (obj->key.table != k->table)
936 return strcmp(obj->key.name, k->name);
939 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
940 struct sk_buff *skb, const struct nlmsghdr *nlh,
941 const struct nlattr * const nla[],
942 struct netlink_ext_ack *extack)
944 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
945 u8 genmask = nft_genmask_next(net);
946 int family = nfmsg->nfgen_family;
947 const struct nlattr *attr;
948 struct nft_table *table;
953 lockdep_assert_held(&net->nft.commit_mutex);
954 attr = nla[NFTA_TABLE_NAME];
955 table = nft_table_lookup(net, attr, family, genmask);
957 if (PTR_ERR(table) != -ENOENT)
958 return PTR_ERR(table);
960 if (nlh->nlmsg_flags & NLM_F_EXCL) {
961 NL_SET_BAD_ATTR(extack, attr);
964 if (nlh->nlmsg_flags & NLM_F_REPLACE)
967 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
968 return nf_tables_updtable(&ctx);
971 if (nla[NFTA_TABLE_FLAGS]) {
972 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
973 if (flags & ~NFT_TABLE_F_DORMANT)
978 table = kzalloc(sizeof(*table), GFP_KERNEL);
982 table->name = nla_strdup(attr, GFP_KERNEL);
983 if (table->name == NULL)
986 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
990 INIT_LIST_HEAD(&table->chains);
991 INIT_LIST_HEAD(&table->sets);
992 INIT_LIST_HEAD(&table->objects);
993 INIT_LIST_HEAD(&table->flowtables);
994 table->family = family;
995 table->flags = flags;
996 table->handle = ++table_handle;
998 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
999 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1003 list_add_tail_rcu(&table->list, &net->nft.tables);
1006 rhltable_destroy(&table->chains_ht);
1015 static int nft_flush_table(struct nft_ctx *ctx)
1017 struct nft_flowtable *flowtable, *nft;
1018 struct nft_chain *chain, *nc;
1019 struct nft_object *obj, *ne;
1020 struct nft_set *set, *ns;
1023 list_for_each_entry(chain, &ctx->table->chains, list) {
1024 if (!nft_is_active_next(ctx->net, chain))
1029 err = nft_delrule_by_chain(ctx);
1034 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1035 if (!nft_is_active_next(ctx->net, set))
1038 if (nft_set_is_anonymous(set) &&
1039 !list_empty(&set->bindings))
1042 err = nft_delset(ctx, set);
1047 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1048 err = nft_delflowtable(ctx, flowtable);
1053 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1054 err = nft_delobj(ctx, obj);
1059 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1060 if (!nft_is_active_next(ctx->net, chain))
1065 err = nft_delchain(ctx);
1070 err = nft_deltable(ctx);
1075 static int nft_flush(struct nft_ctx *ctx, int family)
1077 struct nft_table *table, *nt;
1078 const struct nlattr * const *nla = ctx->nla;
1081 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1082 if (family != AF_UNSPEC && table->family != family)
1085 ctx->family = table->family;
1087 if (!nft_is_active_next(ctx->net, table))
1090 if (nla[NFTA_TABLE_NAME] &&
1091 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1096 err = nft_flush_table(ctx);
1104 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1105 struct sk_buff *skb, const struct nlmsghdr *nlh,
1106 const struct nlattr * const nla[],
1107 struct netlink_ext_ack *extack)
1109 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1110 u8 genmask = nft_genmask_next(net);
1111 int family = nfmsg->nfgen_family;
1112 const struct nlattr *attr;
1113 struct nft_table *table;
1116 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1117 if (family == AF_UNSPEC ||
1118 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1119 return nft_flush(&ctx, family);
1121 if (nla[NFTA_TABLE_HANDLE]) {
1122 attr = nla[NFTA_TABLE_HANDLE];
1123 table = nft_table_lookup_byhandle(net, attr, genmask);
1125 attr = nla[NFTA_TABLE_NAME];
1126 table = nft_table_lookup(net, attr, family, genmask);
1129 if (IS_ERR(table)) {
1130 NL_SET_BAD_ATTR(extack, attr);
1131 return PTR_ERR(table);
1134 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1138 ctx.family = family;
1141 return nft_flush_table(&ctx);
1144 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1146 if (WARN_ON(ctx->table->use > 0))
1149 rhltable_destroy(&ctx->table->chains_ht);
1150 kfree(ctx->table->name);
1154 void nft_register_chain_type(const struct nft_chain_type *ctype)
1156 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1159 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1160 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1161 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1164 chain_type[ctype->family][ctype->type] = ctype;
1165 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1167 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1169 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1171 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1172 chain_type[ctype->family][ctype->type] = NULL;
1173 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1175 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1181 static struct nft_chain *
1182 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1184 struct nft_chain *chain;
1186 list_for_each_entry(chain, &table->chains, list) {
1187 if (chain->handle == handle &&
1188 nft_active_genmask(chain, genmask))
1192 return ERR_PTR(-ENOENT);
1195 static bool lockdep_commit_lock_is_held(const struct net *net)
1197 #ifdef CONFIG_PROVE_LOCKING
1198 return lockdep_is_held(&net->nft.commit_mutex);
1204 static struct nft_chain *nft_chain_lookup(struct net *net,
1205 struct nft_table *table,
1206 const struct nlattr *nla, u8 genmask)
1208 char search[NFT_CHAIN_MAXNAMELEN + 1];
1209 struct rhlist_head *tmp, *list;
1210 struct nft_chain *chain;
1213 return ERR_PTR(-EINVAL);
1215 nla_strlcpy(search, nla, sizeof(search));
1217 WARN_ON(!rcu_read_lock_held() &&
1218 !lockdep_commit_lock_is_held(net));
1220 chain = ERR_PTR(-ENOENT);
1222 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1226 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1227 if (nft_active_genmask(chain, genmask))
1230 chain = ERR_PTR(-ENOENT);
1236 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1237 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1238 .len = NFT_TABLE_MAXNAMELEN - 1 },
1239 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1240 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1241 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1242 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1243 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1244 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1245 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1246 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1249 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1250 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1251 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1252 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1253 .len = IFNAMSIZ - 1 },
1256 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1258 struct nft_stats *cpu_stats, total;
1259 struct nlattr *nest;
1267 memset(&total, 0, sizeof(total));
1268 for_each_possible_cpu(cpu) {
1269 cpu_stats = per_cpu_ptr(stats, cpu);
1271 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1272 pkts = cpu_stats->pkts;
1273 bytes = cpu_stats->bytes;
1274 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1276 total.bytes += bytes;
1278 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1280 goto nla_put_failure;
1282 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1283 NFTA_COUNTER_PAD) ||
1284 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1286 goto nla_put_failure;
1288 nla_nest_end(skb, nest);
1295 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1296 const struct nft_base_chain *basechain)
1298 const struct nf_hook_ops *ops = &basechain->ops;
1299 struct nft_hook *hook, *first = NULL;
1300 struct nlattr *nest, *nest_devs;
1303 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1305 goto nla_put_failure;
1306 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1307 goto nla_put_failure;
1308 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1309 goto nla_put_failure;
1311 if (family == NFPROTO_NETDEV) {
1312 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1313 list_for_each_entry(hook, &basechain->hook_list, list) {
1317 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1318 hook->ops.dev->name))
1319 goto nla_put_failure;
1322 nla_nest_end(skb, nest_devs);
1325 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1326 goto nla_put_failure;
1328 nla_nest_end(skb, nest);
1335 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1336 u32 portid, u32 seq, int event, u32 flags,
1337 int family, const struct nft_table *table,
1338 const struct nft_chain *chain)
1340 struct nlmsghdr *nlh;
1341 struct nfgenmsg *nfmsg;
1343 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1344 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1346 goto nla_put_failure;
1348 nfmsg = nlmsg_data(nlh);
1349 nfmsg->nfgen_family = family;
1350 nfmsg->version = NFNETLINK_V0;
1351 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1353 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1354 goto nla_put_failure;
1355 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1357 goto nla_put_failure;
1358 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1359 goto nla_put_failure;
1361 if (nft_is_base_chain(chain)) {
1362 const struct nft_base_chain *basechain = nft_base_chain(chain);
1363 struct nft_stats __percpu *stats;
1365 if (nft_dump_basechain_hook(skb, family, basechain))
1366 goto nla_put_failure;
1368 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1369 htonl(basechain->policy)))
1370 goto nla_put_failure;
1372 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1373 goto nla_put_failure;
1375 stats = rcu_dereference_check(basechain->stats,
1376 lockdep_commit_lock_is_held(net));
1377 if (nft_dump_stats(skb, stats))
1378 goto nla_put_failure;
1381 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1382 goto nla_put_failure;
1384 nlmsg_end(skb, nlh);
1388 nlmsg_trim(skb, nlh);
1392 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1394 struct sk_buff *skb;
1398 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1401 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1405 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1406 event, 0, ctx->family, ctx->table,
1413 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1414 ctx->report, GFP_KERNEL);
1417 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1420 static int nf_tables_dump_chains(struct sk_buff *skb,
1421 struct netlink_callback *cb)
1423 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1424 const struct nft_table *table;
1425 const struct nft_chain *chain;
1426 unsigned int idx = 0, s_idx = cb->args[0];
1427 struct net *net = sock_net(skb->sk);
1428 int family = nfmsg->nfgen_family;
1431 cb->seq = net->nft.base_seq;
1433 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1434 if (family != NFPROTO_UNSPEC && family != table->family)
1437 list_for_each_entry_rcu(chain, &table->chains, list) {
1441 memset(&cb->args[1], 0,
1442 sizeof(cb->args) - sizeof(cb->args[0]));
1443 if (!nft_is_active(net, chain))
1445 if (nf_tables_fill_chain_info(skb, net,
1446 NETLINK_CB(cb->skb).portid,
1450 table->family, table,
1454 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1465 /* called with rcu_read_lock held */
1466 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1467 struct sk_buff *skb, const struct nlmsghdr *nlh,
1468 const struct nlattr * const nla[],
1469 struct netlink_ext_ack *extack)
1471 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1472 u8 genmask = nft_genmask_cur(net);
1473 const struct nft_chain *chain;
1474 struct nft_table *table;
1475 struct sk_buff *skb2;
1476 int family = nfmsg->nfgen_family;
1479 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1480 struct netlink_dump_control c = {
1481 .dump = nf_tables_dump_chains,
1482 .module = THIS_MODULE,
1485 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1488 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1489 if (IS_ERR(table)) {
1490 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1491 return PTR_ERR(table);
1494 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1495 if (IS_ERR(chain)) {
1496 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1497 return PTR_ERR(chain);
1500 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1504 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1505 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1506 family, table, chain);
1510 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1517 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1518 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1519 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1522 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1524 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1525 struct nft_stats __percpu *newstats;
1526 struct nft_stats *stats;
1529 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1530 nft_counter_policy, NULL);
1532 return ERR_PTR(err);
1534 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1535 return ERR_PTR(-EINVAL);
1537 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1538 if (newstats == NULL)
1539 return ERR_PTR(-ENOMEM);
1541 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1542 * are not exposed to userspace.
1545 stats = this_cpu_ptr(newstats);
1546 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1547 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1553 static void nft_chain_stats_replace(struct nft_trans *trans)
1555 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1557 if (!nft_trans_chain_stats(trans))
1560 nft_trans_chain_stats(trans) =
1561 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1562 lockdep_commit_lock_is_held(trans->ctx.net));
1564 if (!nft_trans_chain_stats(trans))
1565 static_branch_inc(&nft_counters_enabled);
1568 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1570 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1571 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1577 /* should be NULL either via abort or via successful commit */
1578 WARN_ON_ONCE(chain->rules_next);
1579 kvfree(chain->rules_next);
1582 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1584 struct nft_chain *chain = ctx->chain;
1585 struct nft_hook *hook, *next;
1587 if (WARN_ON(chain->use > 0))
1590 /* no concurrent access possible anymore */
1591 nf_tables_chain_free_chain_rules(chain);
1593 if (nft_is_base_chain(chain)) {
1594 struct nft_base_chain *basechain = nft_base_chain(chain);
1596 if (ctx->family == NFPROTO_NETDEV) {
1597 list_for_each_entry_safe(hook, next,
1598 &basechain->hook_list, list) {
1599 list_del_rcu(&hook->list);
1600 kfree_rcu(hook, rcu);
1603 module_put(basechain->type->owner);
1604 if (rcu_access_pointer(basechain->stats)) {
1605 static_branch_dec(&nft_counters_enabled);
1606 free_percpu(rcu_dereference_raw(basechain->stats));
1616 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1617 const struct nlattr *attr)
1619 struct net_device *dev;
1620 char ifname[IFNAMSIZ];
1621 struct nft_hook *hook;
1624 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1627 goto err_hook_alloc;
1630 nla_strlcpy(ifname, attr, IFNAMSIZ);
1631 dev = __dev_get_by_name(net, ifname);
1636 hook->ops.dev = dev;
1643 return ERR_PTR(err);
1646 static bool nft_hook_list_find(struct list_head *hook_list,
1647 const struct nft_hook *this)
1649 struct nft_hook *hook;
1651 list_for_each_entry(hook, hook_list, list) {
1652 if (this->ops.dev == hook->ops.dev)
1659 static int nf_tables_parse_netdev_hooks(struct net *net,
1660 const struct nlattr *attr,
1661 struct list_head *hook_list)
1663 struct nft_hook *hook, *next;
1664 const struct nlattr *tmp;
1665 int rem, n = 0, err;
1667 nla_for_each_nested(tmp, attr, rem) {
1668 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1673 hook = nft_netdev_hook_alloc(net, tmp);
1675 err = PTR_ERR(hook);
1678 if (nft_hook_list_find(hook_list, hook)) {
1682 list_add_tail(&hook->list, hook_list);
1685 if (n == NFT_NETDEVICE_MAX) {
1696 list_for_each_entry_safe(hook, next, hook_list, list) {
1697 list_del(&hook->list);
1703 struct nft_chain_hook {
1706 const struct nft_chain_type *type;
1707 struct list_head list;
1710 static int nft_chain_parse_netdev(struct net *net,
1711 struct nlattr *tb[],
1712 struct list_head *hook_list)
1714 struct nft_hook *hook;
1717 if (tb[NFTA_HOOK_DEV]) {
1718 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1720 return PTR_ERR(hook);
1722 list_add_tail(&hook->list, hook_list);
1723 } else if (tb[NFTA_HOOK_DEVS]) {
1724 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1735 static int nft_chain_parse_hook(struct net *net,
1736 const struct nlattr * const nla[],
1737 struct nft_chain_hook *hook, u8 family,
1740 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1741 const struct nft_chain_type *type;
1744 lockdep_assert_held(&net->nft.commit_mutex);
1745 lockdep_nfnl_nft_mutex_not_held();
1747 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1748 nla[NFTA_CHAIN_HOOK],
1749 nft_hook_policy, NULL);
1753 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1754 ha[NFTA_HOOK_PRIORITY] == NULL)
1757 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1758 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1760 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1761 if (nla[NFTA_CHAIN_TYPE]) {
1762 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1765 return PTR_ERR(type);
1767 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1770 if (type->type == NFT_CHAIN_T_NAT &&
1771 hook->priority <= NF_IP_PRI_CONNTRACK)
1774 if (!try_module_get(type->owner))
1779 INIT_LIST_HEAD(&hook->list);
1780 if (family == NFPROTO_NETDEV) {
1781 err = nft_chain_parse_netdev(net, ha, &hook->list);
1783 module_put(type->owner);
1786 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1787 module_put(type->owner);
1794 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1796 struct nft_hook *h, *next;
1798 list_for_each_entry_safe(h, next, &hook->list, list) {
1802 module_put(hook->type->owner);
1805 struct nft_rules_old {
1807 struct nft_rule **start;
1810 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1813 if (alloc > INT_MAX)
1816 alloc += 1; /* NULL, ends rules */
1817 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1820 alloc *= sizeof(struct nft_rule *);
1821 alloc += sizeof(struct nft_rules_old);
1823 return kvmalloc(alloc, GFP_KERNEL);
1826 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1827 const struct nft_chain_hook *hook,
1828 struct nft_chain *chain)
1831 ops->hooknum = hook->num;
1832 ops->priority = hook->priority;
1834 ops->hook = hook->type->hooks[ops->hooknum];
1837 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1838 struct nft_chain_hook *hook, u32 flags)
1840 struct nft_chain *chain;
1843 basechain->type = hook->type;
1844 INIT_LIST_HEAD(&basechain->hook_list);
1845 chain = &basechain->chain;
1847 if (family == NFPROTO_NETDEV) {
1848 list_splice_init(&hook->list, &basechain->hook_list);
1849 list_for_each_entry(h, &basechain->hook_list, list)
1850 nft_basechain_hook_init(&h->ops, family, hook, chain);
1852 basechain->ops.hooknum = hook->num;
1853 basechain->ops.priority = hook->priority;
1855 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1858 chain->flags |= NFT_BASE_CHAIN | flags;
1859 basechain->policy = NF_ACCEPT;
1860 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1861 nft_chain_offload_priority(basechain) < 0)
1864 flow_block_init(&basechain->flow_block);
1869 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1870 u8 policy, u32 flags)
1872 const struct nlattr * const *nla = ctx->nla;
1873 struct nft_table *table = ctx->table;
1874 struct nft_base_chain *basechain;
1875 struct nft_stats __percpu *stats;
1876 struct net *net = ctx->net;
1877 struct nft_trans *trans;
1878 struct nft_chain *chain;
1879 struct nft_rule **rules;
1882 if (table->use == UINT_MAX)
1885 if (nla[NFTA_CHAIN_HOOK]) {
1886 struct nft_chain_hook hook;
1888 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1892 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1893 if (basechain == NULL) {
1894 nft_chain_release_hook(&hook);
1897 chain = &basechain->chain;
1899 if (nla[NFTA_CHAIN_COUNTERS]) {
1900 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1901 if (IS_ERR(stats)) {
1902 nft_chain_release_hook(&hook);
1904 return PTR_ERR(stats);
1906 rcu_assign_pointer(basechain->stats, stats);
1907 static_branch_inc(&nft_counters_enabled);
1910 err = nft_basechain_init(basechain, family, &hook, flags);
1912 nft_chain_release_hook(&hook);
1917 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1923 INIT_LIST_HEAD(&chain->rules);
1924 chain->handle = nf_tables_alloc_handle(table);
1925 chain->table = table;
1926 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1932 rules = nf_tables_chain_alloc_rules(chain, 0);
1939 rcu_assign_pointer(chain->rules_gen_0, rules);
1940 rcu_assign_pointer(chain->rules_gen_1, rules);
1942 err = nf_tables_register_hook(net, table, chain);
1946 err = rhltable_insert_key(&table->chains_ht, chain->name,
1947 &chain->rhlhead, nft_chain_ht_params);
1951 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1952 if (IS_ERR(trans)) {
1953 err = PTR_ERR(trans);
1954 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1955 nft_chain_ht_params);
1959 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1960 if (nft_is_base_chain(chain))
1961 nft_trans_chain_policy(trans) = policy;
1964 list_add_tail_rcu(&chain->list, &table->chains);
1968 nf_tables_unregister_hook(net, table, chain);
1970 nf_tables_chain_destroy(ctx);
1975 static bool nft_hook_list_equal(struct list_head *hook_list1,
1976 struct list_head *hook_list2)
1978 struct nft_hook *hook;
1982 list_for_each_entry(hook, hook_list2, list) {
1983 if (!nft_hook_list_find(hook_list1, hook))
1988 list_for_each_entry(hook, hook_list1, list)
1994 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1997 const struct nlattr * const *nla = ctx->nla;
1998 struct nft_table *table = ctx->table;
1999 struct nft_chain *chain = ctx->chain;
2000 struct nft_base_chain *basechain;
2001 struct nft_stats *stats = NULL;
2002 struct nft_chain_hook hook;
2003 struct nf_hook_ops *ops;
2004 struct nft_trans *trans;
2007 if (chain->flags ^ flags)
2010 if (nla[NFTA_CHAIN_HOOK]) {
2011 if (!nft_is_base_chain(chain))
2014 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2019 basechain = nft_base_chain(chain);
2020 if (basechain->type != hook.type) {
2021 nft_chain_release_hook(&hook);
2025 if (ctx->family == NFPROTO_NETDEV) {
2026 if (!nft_hook_list_equal(&basechain->hook_list,
2028 nft_chain_release_hook(&hook);
2032 ops = &basechain->ops;
2033 if (ops->hooknum != hook.num ||
2034 ops->priority != hook.priority) {
2035 nft_chain_release_hook(&hook);
2039 nft_chain_release_hook(&hook);
2042 if (nla[NFTA_CHAIN_HANDLE] &&
2043 nla[NFTA_CHAIN_NAME]) {
2044 struct nft_chain *chain2;
2046 chain2 = nft_chain_lookup(ctx->net, table,
2047 nla[NFTA_CHAIN_NAME], genmask);
2048 if (!IS_ERR(chain2))
2052 if (nla[NFTA_CHAIN_COUNTERS]) {
2053 if (!nft_is_base_chain(chain))
2056 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2058 return PTR_ERR(stats);
2062 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2063 sizeof(struct nft_trans_chain));
2067 nft_trans_chain_stats(trans) = stats;
2068 nft_trans_chain_update(trans) = true;
2070 if (nla[NFTA_CHAIN_POLICY])
2071 nft_trans_chain_policy(trans) = policy;
2073 nft_trans_chain_policy(trans) = -1;
2075 if (nla[NFTA_CHAIN_HANDLE] &&
2076 nla[NFTA_CHAIN_NAME]) {
2077 struct nft_trans *tmp;
2081 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2086 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2087 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2088 tmp->ctx.table == table &&
2089 nft_trans_chain_update(tmp) &&
2090 nft_trans_chain_name(tmp) &&
2091 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2097 nft_trans_chain_name(trans) = name;
2099 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2108 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2109 struct sk_buff *skb, const struct nlmsghdr *nlh,
2110 const struct nlattr * const nla[],
2111 struct netlink_ext_ack *extack)
2113 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2114 u8 genmask = nft_genmask_next(net);
2115 int family = nfmsg->nfgen_family;
2116 const struct nlattr *attr;
2117 struct nft_table *table;
2118 struct nft_chain *chain;
2119 u8 policy = NF_ACCEPT;
2124 lockdep_assert_held(&net->nft.commit_mutex);
2126 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2127 if (IS_ERR(table)) {
2128 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2129 return PTR_ERR(table);
2133 attr = nla[NFTA_CHAIN_NAME];
2135 if (nla[NFTA_CHAIN_HANDLE]) {
2136 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2137 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2138 if (IS_ERR(chain)) {
2139 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2140 return PTR_ERR(chain);
2142 attr = nla[NFTA_CHAIN_HANDLE];
2144 chain = nft_chain_lookup(net, table, attr, genmask);
2145 if (IS_ERR(chain)) {
2146 if (PTR_ERR(chain) != -ENOENT) {
2147 NL_SET_BAD_ATTR(extack, attr);
2148 return PTR_ERR(chain);
2154 if (nla[NFTA_CHAIN_POLICY]) {
2155 if (chain != NULL &&
2156 !nft_is_base_chain(chain)) {
2157 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2161 if (chain == NULL &&
2162 nla[NFTA_CHAIN_HOOK] == NULL) {
2163 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2167 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2177 if (nla[NFTA_CHAIN_FLAGS])
2178 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2180 flags = chain->flags;
2182 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2184 if (chain != NULL) {
2185 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2186 NL_SET_BAD_ATTR(extack, attr);
2189 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2192 flags |= chain->flags & NFT_BASE_CHAIN;
2193 return nf_tables_updchain(&ctx, genmask, policy, flags);
2196 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2199 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2200 struct sk_buff *skb, const struct nlmsghdr *nlh,
2201 const struct nlattr * const nla[],
2202 struct netlink_ext_ack *extack)
2204 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2205 u8 genmask = nft_genmask_next(net);
2206 int family = nfmsg->nfgen_family;
2207 const struct nlattr *attr;
2208 struct nft_table *table;
2209 struct nft_chain *chain;
2210 struct nft_rule *rule;
2216 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2217 if (IS_ERR(table)) {
2218 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2219 return PTR_ERR(table);
2222 if (nla[NFTA_CHAIN_HANDLE]) {
2223 attr = nla[NFTA_CHAIN_HANDLE];
2224 handle = be64_to_cpu(nla_get_be64(attr));
2225 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2227 attr = nla[NFTA_CHAIN_NAME];
2228 chain = nft_chain_lookup(net, table, attr, genmask);
2230 if (IS_ERR(chain)) {
2231 NL_SET_BAD_ATTR(extack, attr);
2232 return PTR_ERR(chain);
2235 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2239 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2242 list_for_each_entry(rule, &chain->rules, list) {
2243 if (!nft_is_active_next(net, rule))
2247 err = nft_delrule(&ctx, rule);
2252 /* There are rules and elements that are still holding references to us,
2253 * we cannot do a recursive removal in this case.
2256 NL_SET_BAD_ATTR(extack, attr);
2260 return nft_delchain(&ctx);
2268 * nft_register_expr - register nf_tables expr type
2271 * Registers the expr type for use with nf_tables. Returns zero on
2272 * success or a negative errno code otherwise.
2274 int nft_register_expr(struct nft_expr_type *type)
2276 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2277 if (type->family == NFPROTO_UNSPEC)
2278 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2280 list_add_rcu(&type->list, &nf_tables_expressions);
2281 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2284 EXPORT_SYMBOL_GPL(nft_register_expr);
2287 * nft_unregister_expr - unregister nf_tables expr type
2290 * Unregisters the expr typefor use with nf_tables.
2292 void nft_unregister_expr(struct nft_expr_type *type)
2294 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2295 list_del_rcu(&type->list);
2296 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2298 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2300 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2303 const struct nft_expr_type *type, *candidate = NULL;
2305 list_for_each_entry(type, &nf_tables_expressions, list) {
2306 if (!nla_strcmp(nla, type->name)) {
2307 if (!type->family && !candidate)
2309 else if (type->family == family)
2316 #ifdef CONFIG_MODULES
2317 static int nft_expr_type_request_module(struct net *net, u8 family,
2320 nft_request_module(net, "nft-expr-%u-%.*s", family,
2321 nla_len(nla), (char *)nla_data(nla));
2322 if (__nft_expr_type_get(family, nla))
2329 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2333 const struct nft_expr_type *type;
2336 return ERR_PTR(-EINVAL);
2338 type = __nft_expr_type_get(family, nla);
2339 if (type != NULL && try_module_get(type->owner))
2342 lockdep_nfnl_nft_mutex_not_held();
2343 #ifdef CONFIG_MODULES
2345 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2346 return ERR_PTR(-EAGAIN);
2348 nft_request_module(net, "nft-expr-%.*s",
2349 nla_len(nla), (char *)nla_data(nla));
2350 if (__nft_expr_type_get(family, nla))
2351 return ERR_PTR(-EAGAIN);
2354 return ERR_PTR(-ENOENT);
2357 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2358 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2359 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2362 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2363 const struct nft_expr *expr)
2365 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2366 goto nla_put_failure;
2368 if (expr->ops->dump) {
2369 struct nlattr *data = nla_nest_start_noflag(skb,
2372 goto nla_put_failure;
2373 if (expr->ops->dump(skb, expr) < 0)
2374 goto nla_put_failure;
2375 nla_nest_end(skb, data);
2384 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2385 const struct nft_expr *expr)
2387 struct nlattr *nest;
2389 nest = nla_nest_start_noflag(skb, attr);
2391 goto nla_put_failure;
2392 if (nf_tables_fill_expr_info(skb, expr) < 0)
2393 goto nla_put_failure;
2394 nla_nest_end(skb, nest);
2401 struct nft_expr_info {
2402 const struct nft_expr_ops *ops;
2403 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2406 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2407 const struct nlattr *nla,
2408 struct nft_expr_info *info)
2410 const struct nft_expr_type *type;
2411 const struct nft_expr_ops *ops;
2412 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2415 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2416 nft_expr_policy, NULL);
2420 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2422 return PTR_ERR(type);
2424 if (tb[NFTA_EXPR_DATA]) {
2425 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2427 type->policy, NULL);
2431 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2433 if (type->select_ops != NULL) {
2434 ops = type->select_ops(ctx,
2435 (const struct nlattr * const *)info->tb);
2438 #ifdef CONFIG_MODULES
2440 nft_expr_type_request_module(ctx->net,
2442 tb[NFTA_EXPR_NAME]);
2453 module_put(type->owner);
2457 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2458 const struct nft_expr_info *info,
2459 struct nft_expr *expr)
2461 const struct nft_expr_ops *ops = info->ops;
2466 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2477 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2478 struct nft_expr *expr)
2480 const struct nft_expr_type *type = expr->ops->type;
2482 if (expr->ops->destroy)
2483 expr->ops->destroy(ctx, expr);
2484 module_put(type->owner);
2487 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2488 const struct nlattr *nla)
2490 struct nft_expr_info info;
2491 struct nft_expr *expr;
2492 struct module *owner;
2495 err = nf_tables_expr_parse(ctx, nla, &info);
2500 expr = kzalloc(info.ops->size, GFP_KERNEL);
2504 err = nf_tables_newexpr(ctx, &info, expr);
2512 owner = info.ops->type->owner;
2513 if (info.ops->type->release_ops)
2514 info.ops->type->release_ops(info.ops);
2518 return ERR_PTR(err);
2521 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2523 nf_tables_expr_destroy(ctx, expr);
2531 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2534 struct nft_rule *rule;
2536 // FIXME: this sucks
2537 list_for_each_entry_rcu(rule, &chain->rules, list) {
2538 if (handle == rule->handle)
2542 return ERR_PTR(-ENOENT);
2545 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2546 const struct nlattr *nla)
2549 return ERR_PTR(-EINVAL);
2551 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2554 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2555 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2556 .len = NFT_TABLE_MAXNAMELEN - 1 },
2557 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2558 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2559 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2560 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2561 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2562 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2563 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2564 .len = NFT_USERDATA_MAXLEN },
2565 [NFTA_RULE_ID] = { .type = NLA_U32 },
2566 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2569 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2570 u32 portid, u32 seq, int event,
2571 u32 flags, int family,
2572 const struct nft_table *table,
2573 const struct nft_chain *chain,
2574 const struct nft_rule *rule,
2575 const struct nft_rule *prule)
2577 struct nlmsghdr *nlh;
2578 struct nfgenmsg *nfmsg;
2579 const struct nft_expr *expr, *next;
2580 struct nlattr *list;
2581 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2583 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2585 goto nla_put_failure;
2587 nfmsg = nlmsg_data(nlh);
2588 nfmsg->nfgen_family = family;
2589 nfmsg->version = NFNETLINK_V0;
2590 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2592 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2593 goto nla_put_failure;
2594 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2595 goto nla_put_failure;
2596 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2598 goto nla_put_failure;
2600 if (event != NFT_MSG_DELRULE && prule) {
2601 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2602 cpu_to_be64(prule->handle),
2604 goto nla_put_failure;
2607 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2609 goto nla_put_failure;
2610 nft_rule_for_each_expr(expr, next, rule) {
2611 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2612 goto nla_put_failure;
2614 nla_nest_end(skb, list);
2617 struct nft_userdata *udata = nft_userdata(rule);
2618 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2620 goto nla_put_failure;
2623 nlmsg_end(skb, nlh);
2627 nlmsg_trim(skb, nlh);
2631 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2632 const struct nft_rule *rule, int event)
2634 struct sk_buff *skb;
2638 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2641 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2645 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2646 event, 0, ctx->family, ctx->table,
2647 ctx->chain, rule, NULL);
2653 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2654 ctx->report, GFP_KERNEL);
2657 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2660 struct nft_rule_dump_ctx {
2665 static int __nf_tables_dump_rules(struct sk_buff *skb,
2667 struct netlink_callback *cb,
2668 const struct nft_table *table,
2669 const struct nft_chain *chain)
2671 struct net *net = sock_net(skb->sk);
2672 const struct nft_rule *rule, *prule;
2673 unsigned int s_idx = cb->args[0];
2676 list_for_each_entry_rcu(rule, &chain->rules, list) {
2677 if (!nft_is_active(net, rule))
2682 memset(&cb->args[1], 0,
2683 sizeof(cb->args) - sizeof(cb->args[0]));
2685 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2688 NLM_F_MULTI | NLM_F_APPEND,
2690 table, chain, rule, prule) < 0)
2693 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2702 static int nf_tables_dump_rules(struct sk_buff *skb,
2703 struct netlink_callback *cb)
2705 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2706 const struct nft_rule_dump_ctx *ctx = cb->data;
2707 struct nft_table *table;
2708 const struct nft_chain *chain;
2709 unsigned int idx = 0;
2710 struct net *net = sock_net(skb->sk);
2711 int family = nfmsg->nfgen_family;
2714 cb->seq = net->nft.base_seq;
2716 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2717 if (family != NFPROTO_UNSPEC && family != table->family)
2720 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2723 if (ctx && ctx->table && ctx->chain) {
2724 struct rhlist_head *list, *tmp;
2726 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2727 nft_chain_ht_params);
2731 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2732 if (!nft_is_active(net, chain))
2734 __nf_tables_dump_rules(skb, &idx,
2741 list_for_each_entry_rcu(chain, &table->chains, list) {
2742 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2746 if (ctx && ctx->table)
2756 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2758 const struct nlattr * const *nla = cb->data;
2759 struct nft_rule_dump_ctx *ctx = NULL;
2761 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2762 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2766 if (nla[NFTA_RULE_TABLE]) {
2767 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2774 if (nla[NFTA_RULE_CHAIN]) {
2775 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2789 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2791 struct nft_rule_dump_ctx *ctx = cb->data;
2801 /* called with rcu_read_lock held */
2802 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2803 struct sk_buff *skb, const struct nlmsghdr *nlh,
2804 const struct nlattr * const nla[],
2805 struct netlink_ext_ack *extack)
2807 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2808 u8 genmask = nft_genmask_cur(net);
2809 const struct nft_chain *chain;
2810 const struct nft_rule *rule;
2811 struct nft_table *table;
2812 struct sk_buff *skb2;
2813 int family = nfmsg->nfgen_family;
2816 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2817 struct netlink_dump_control c = {
2818 .start= nf_tables_dump_rules_start,
2819 .dump = nf_tables_dump_rules,
2820 .done = nf_tables_dump_rules_done,
2821 .module = THIS_MODULE,
2822 .data = (void *)nla,
2825 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2828 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2829 if (IS_ERR(table)) {
2830 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2831 return PTR_ERR(table);
2834 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2835 if (IS_ERR(chain)) {
2836 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2837 return PTR_ERR(chain);
2840 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2842 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2843 return PTR_ERR(rule);
2846 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2850 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2851 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2852 family, table, chain, rule, NULL);
2856 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2863 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2864 struct nft_rule *rule)
2866 struct nft_expr *expr, *next;
2869 * Careful: some expressions might not be initialized in case this
2870 * is called on error from nf_tables_newrule().
2872 expr = nft_expr_first(rule);
2873 while (expr != nft_expr_last(rule) && expr->ops) {
2874 next = nft_expr_next(expr);
2875 nf_tables_expr_destroy(ctx, expr);
2881 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2882 struct nft_rule *rule)
2884 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2885 nf_tables_rule_destroy(ctx, rule);
2888 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2890 struct nft_expr *expr, *last;
2891 const struct nft_data *data;
2892 struct nft_rule *rule;
2895 if (ctx->level == NFT_JUMP_STACK_SIZE)
2898 list_for_each_entry(rule, &chain->rules, list) {
2899 if (!nft_is_active_next(ctx->net, rule))
2902 nft_rule_for_each_expr(expr, last, rule) {
2903 if (!expr->ops->validate)
2906 err = expr->ops->validate(ctx, expr, &data);
2914 EXPORT_SYMBOL_GPL(nft_chain_validate);
2916 static int nft_table_validate(struct net *net, const struct nft_table *table)
2918 struct nft_chain *chain;
2919 struct nft_ctx ctx = {
2921 .family = table->family,
2925 list_for_each_entry(chain, &table->chains, list) {
2926 if (!nft_is_base_chain(chain))
2930 err = nft_chain_validate(&ctx, chain);
2938 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2939 const struct nlattr *nla);
2941 #define NFT_RULE_MAXEXPRS 128
2943 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2944 struct sk_buff *skb, const struct nlmsghdr *nlh,
2945 const struct nlattr * const nla[],
2946 struct netlink_ext_ack *extack)
2948 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2949 u8 genmask = nft_genmask_next(net);
2950 struct nft_expr_info *info = NULL;
2951 int family = nfmsg->nfgen_family;
2952 struct nft_flow_rule *flow;
2953 struct nft_table *table;
2954 struct nft_chain *chain;
2955 struct nft_rule *rule, *old_rule = NULL;
2956 struct nft_userdata *udata;
2957 struct nft_trans *trans = NULL;
2958 struct nft_expr *expr;
2961 unsigned int size, i, n, ulen = 0, usize = 0;
2963 u64 handle, pos_handle;
2965 lockdep_assert_held(&net->nft.commit_mutex);
2967 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2968 if (IS_ERR(table)) {
2969 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2970 return PTR_ERR(table);
2973 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2974 if (IS_ERR(chain)) {
2975 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2976 return PTR_ERR(chain);
2979 if (nla[NFTA_RULE_HANDLE]) {
2980 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2981 rule = __nft_rule_lookup(chain, handle);
2983 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2984 return PTR_ERR(rule);
2987 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2988 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2991 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2996 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2997 nlh->nlmsg_flags & NLM_F_REPLACE)
2999 handle = nf_tables_alloc_handle(table);
3001 if (chain->use == UINT_MAX)
3004 if (nla[NFTA_RULE_POSITION]) {
3005 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3006 old_rule = __nft_rule_lookup(chain, pos_handle);
3007 if (IS_ERR(old_rule)) {
3008 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3009 return PTR_ERR(old_rule);
3011 } else if (nla[NFTA_RULE_POSITION_ID]) {
3012 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3013 if (IS_ERR(old_rule)) {
3014 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3015 return PTR_ERR(old_rule);
3020 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3024 if (nla[NFTA_RULE_EXPRESSIONS]) {
3025 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3026 sizeof(struct nft_expr_info),
3031 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3033 if (nla_type(tmp) != NFTA_LIST_ELEM)
3035 if (n == NFT_RULE_MAXEXPRS)
3037 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3040 size += info[n].ops->size;
3044 /* Check for overflow of dlen field */
3046 if (size >= 1 << 12)
3049 if (nla[NFTA_RULE_USERDATA]) {
3050 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3052 usize = sizeof(struct nft_userdata) + ulen;
3056 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3060 nft_activate_next(net, rule);
3062 rule->handle = handle;
3064 rule->udata = ulen ? 1 : 0;
3067 udata = nft_userdata(rule);
3068 udata->len = ulen - 1;
3069 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3072 expr = nft_expr_first(rule);
3073 for (i = 0; i < n; i++) {
3074 err = nf_tables_newexpr(&ctx, &info[i], expr);
3078 if (info[i].ops->validate)
3079 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3082 expr = nft_expr_next(expr);
3085 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3086 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3087 if (trans == NULL) {
3091 err = nft_delrule(&ctx, old_rule);
3093 nft_trans_destroy(trans);
3097 list_add_tail_rcu(&rule->list, &old_rule->list);
3099 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3105 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3107 list_add_rcu(&rule->list, &old_rule->list);
3109 list_add_tail_rcu(&rule->list, &chain->rules);
3112 list_add_tail_rcu(&rule->list, &old_rule->list);
3114 list_add_rcu(&rule->list, &chain->rules);
3120 if (net->nft.validate_state == NFT_VALIDATE_DO)
3121 return nft_table_validate(net, table);
3123 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3124 flow = nft_flow_rule_create(net, rule);
3126 return PTR_ERR(flow);
3128 nft_trans_flow_rule(trans) = flow;
3133 nf_tables_rule_release(&ctx, rule);
3135 for (i = 0; i < n; i++) {
3137 module_put(info[i].ops->type->owner);
3138 if (info[i].ops->type->release_ops)
3139 info[i].ops->type->release_ops(info[i].ops);
3146 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3147 const struct nlattr *nla)
3149 u32 id = ntohl(nla_get_be32(nla));
3150 struct nft_trans *trans;
3152 list_for_each_entry(trans, &net->nft.commit_list, list) {
3153 struct nft_rule *rule = nft_trans_rule(trans);
3155 if (trans->msg_type == NFT_MSG_NEWRULE &&
3156 id == nft_trans_rule_id(trans))
3159 return ERR_PTR(-ENOENT);
3162 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3163 struct sk_buff *skb, const struct nlmsghdr *nlh,
3164 const struct nlattr * const nla[],
3165 struct netlink_ext_ack *extack)
3167 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3168 u8 genmask = nft_genmask_next(net);
3169 struct nft_table *table;
3170 struct nft_chain *chain = NULL;
3171 struct nft_rule *rule;
3172 int family = nfmsg->nfgen_family, err = 0;
3175 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3176 if (IS_ERR(table)) {
3177 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3178 return PTR_ERR(table);
3181 if (nla[NFTA_RULE_CHAIN]) {
3182 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3184 if (IS_ERR(chain)) {
3185 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3186 return PTR_ERR(chain);
3190 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3193 if (nla[NFTA_RULE_HANDLE]) {
3194 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3196 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3197 return PTR_ERR(rule);
3200 err = nft_delrule(&ctx, rule);
3201 } else if (nla[NFTA_RULE_ID]) {
3202 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3204 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3205 return PTR_ERR(rule);
3208 err = nft_delrule(&ctx, rule);
3210 err = nft_delrule_by_chain(&ctx);
3213 list_for_each_entry(chain, &table->chains, list) {
3214 if (!nft_is_active_next(net, chain))
3218 err = nft_delrule_by_chain(&ctx);
3231 static LIST_HEAD(nf_tables_set_types);
3233 int nft_register_set(struct nft_set_type *type)
3235 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3236 list_add_tail_rcu(&type->list, &nf_tables_set_types);
3237 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3240 EXPORT_SYMBOL_GPL(nft_register_set);
3242 void nft_unregister_set(struct nft_set_type *type)
3244 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3245 list_del_rcu(&type->list);
3246 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3248 EXPORT_SYMBOL_GPL(nft_unregister_set);
3250 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3251 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3254 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3256 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3260 * Select a set implementation based on the data characteristics and the
3261 * given policy. The total memory use might not be known if no size is
3262 * given, in that case the amount of memory per element is used.
3264 static const struct nft_set_ops *
3265 nft_select_set_ops(const struct nft_ctx *ctx,
3266 const struct nlattr * const nla[],
3267 const struct nft_set_desc *desc,
3268 enum nft_set_policies policy)
3270 const struct nft_set_ops *ops, *bops;
3271 struct nft_set_estimate est, best;
3272 const struct nft_set_type *type;
3275 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3276 lockdep_nfnl_nft_mutex_not_held();
3277 #ifdef CONFIG_MODULES
3278 if (list_empty(&nf_tables_set_types)) {
3279 nft_request_module(ctx->net, "nft-set");
3280 if (!list_empty(&nf_tables_set_types))
3281 return ERR_PTR(-EAGAIN);
3284 if (nla[NFTA_SET_FLAGS] != NULL)
3285 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3292 list_for_each_entry(type, &nf_tables_set_types, list) {
3295 if (!nft_set_ops_candidate(type, flags))
3297 if (!ops->estimate(desc, flags, &est))
3301 case NFT_SET_POL_PERFORMANCE:
3302 if (est.lookup < best.lookup)
3304 if (est.lookup == best.lookup &&
3305 est.space < best.space)
3308 case NFT_SET_POL_MEMORY:
3310 if (est.space < best.space)
3312 if (est.space == best.space &&
3313 est.lookup < best.lookup)
3315 } else if (est.size < best.size || !bops) {
3323 if (!try_module_get(type->owner))
3326 module_put(to_set_type(bops)->owner);
3335 return ERR_PTR(-EOPNOTSUPP);
3338 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3339 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3340 .len = NFT_TABLE_MAXNAMELEN - 1 },
3341 [NFTA_SET_NAME] = { .type = NLA_STRING,
3342 .len = NFT_SET_MAXNAMELEN - 1 },
3343 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3344 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3345 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3346 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3347 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3348 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3349 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3350 [NFTA_SET_ID] = { .type = NLA_U32 },
3351 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3352 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3353 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3354 .len = NFT_USERDATA_MAXLEN },
3355 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3356 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3359 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3360 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3363 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3364 const struct sk_buff *skb,
3365 const struct nlmsghdr *nlh,
3366 const struct nlattr * const nla[],
3367 struct netlink_ext_ack *extack,
3370 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3371 int family = nfmsg->nfgen_family;
3372 struct nft_table *table = NULL;
3374 if (nla[NFTA_SET_TABLE] != NULL) {
3375 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3377 if (IS_ERR(table)) {
3378 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3379 return PTR_ERR(table);
3383 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3387 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3388 const struct nlattr *nla, u8 genmask)
3390 struct nft_set *set;
3393 return ERR_PTR(-EINVAL);
3395 list_for_each_entry_rcu(set, &table->sets, list) {
3396 if (!nla_strcmp(nla, set->name) &&
3397 nft_active_genmask(set, genmask))
3400 return ERR_PTR(-ENOENT);
3403 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3404 const struct nlattr *nla,
3407 struct nft_set *set;
3409 list_for_each_entry(set, &table->sets, list) {
3410 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3411 nft_active_genmask(set, genmask))
3414 return ERR_PTR(-ENOENT);
3417 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3418 const struct nlattr *nla, u8 genmask)
3420 struct nft_trans *trans;
3421 u32 id = ntohl(nla_get_be32(nla));
3423 list_for_each_entry(trans, &net->nft.commit_list, list) {
3424 if (trans->msg_type == NFT_MSG_NEWSET) {
3425 struct nft_set *set = nft_trans_set(trans);
3427 if (id == nft_trans_set_id(trans) &&
3428 nft_active_genmask(set, genmask))
3432 return ERR_PTR(-ENOENT);
3435 struct nft_set *nft_set_lookup_global(const struct net *net,
3436 const struct nft_table *table,
3437 const struct nlattr *nla_set_name,
3438 const struct nlattr *nla_set_id,
3441 struct nft_set *set;
3443 set = nft_set_lookup(table, nla_set_name, genmask);
3448 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3452 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3454 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3457 const struct nft_set *i;
3459 unsigned long *inuse;
3460 unsigned int n = 0, min = 0;
3462 p = strchr(name, '%');
3464 if (p[1] != 'd' || strchr(p + 2, '%'))
3467 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3471 list_for_each_entry(i, &ctx->table->sets, list) {
3474 if (!nft_is_active_next(ctx->net, set))
3476 if (!sscanf(i->name, name, &tmp))
3478 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3481 set_bit(tmp - min, inuse);
3484 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3485 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3486 min += BITS_PER_BYTE * PAGE_SIZE;
3487 memset(inuse, 0, PAGE_SIZE);
3490 free_page((unsigned long)inuse);
3493 set->name = kasprintf(GFP_KERNEL, name, min + n);
3497 list_for_each_entry(i, &ctx->table->sets, list) {
3498 if (!nft_is_active_next(ctx->net, i))
3500 if (!strcmp(set->name, i->name)) {
3508 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3510 u64 ms = be64_to_cpu(nla_get_be64(nla));
3511 u64 max = (u64)(~((u64)0));
3513 max = div_u64(max, NSEC_PER_MSEC);
3517 ms *= NSEC_PER_MSEC;
3518 *result = nsecs_to_jiffies64(ms);
3522 static __be64 nf_jiffies64_to_msecs(u64 input)
3524 return cpu_to_be64(jiffies64_to_msecs(input));
3527 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3528 const struct nft_set *set, u16 event, u16 flags)
3530 struct nfgenmsg *nfmsg;
3531 struct nlmsghdr *nlh;
3532 struct nlattr *desc;
3533 u32 portid = ctx->portid;
3536 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3537 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3540 goto nla_put_failure;
3542 nfmsg = nlmsg_data(nlh);
3543 nfmsg->nfgen_family = ctx->family;
3544 nfmsg->version = NFNETLINK_V0;
3545 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3547 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3548 goto nla_put_failure;
3549 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3550 goto nla_put_failure;
3551 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3553 goto nla_put_failure;
3554 if (set->flags != 0)
3555 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3556 goto nla_put_failure;
3558 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3559 goto nla_put_failure;
3560 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3561 goto nla_put_failure;
3562 if (set->flags & NFT_SET_MAP) {
3563 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3564 goto nla_put_failure;
3565 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3566 goto nla_put_failure;
3568 if (set->flags & NFT_SET_OBJECT &&
3569 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3570 goto nla_put_failure;
3573 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3574 nf_jiffies64_to_msecs(set->timeout),
3576 goto nla_put_failure;
3578 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3579 goto nla_put_failure;
3581 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3582 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3583 goto nla_put_failure;
3586 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3587 goto nla_put_failure;
3589 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3591 goto nla_put_failure;
3593 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3594 goto nla_put_failure;
3595 nla_nest_end(skb, desc);
3597 nlmsg_end(skb, nlh);
3601 nlmsg_trim(skb, nlh);
3605 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3606 const struct nft_set *set, int event,
3609 struct sk_buff *skb;
3610 u32 portid = ctx->portid;
3614 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3617 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3621 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3627 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3631 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3634 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3636 const struct nft_set *set;
3637 unsigned int idx, s_idx = cb->args[0];
3638 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3639 struct net *net = sock_net(skb->sk);
3640 struct nft_ctx *ctx = cb->data, ctx_set;
3646 cb->seq = net->nft.base_seq;
3648 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3649 if (ctx->family != NFPROTO_UNSPEC &&
3650 ctx->family != table->family)
3653 if (ctx->table && ctx->table != table)
3657 if (cur_table != table)
3663 list_for_each_entry_rcu(set, &table->sets, list) {
3666 if (!nft_is_active(net, set))
3670 ctx_set.table = table;
3671 ctx_set.family = table->family;
3673 if (nf_tables_fill_set(skb, &ctx_set, set,
3677 cb->args[2] = (unsigned long) table;
3680 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3693 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3695 struct nft_ctx *ctx_dump = NULL;
3697 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3698 if (ctx_dump == NULL)
3701 cb->data = ctx_dump;
3705 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3711 /* called with rcu_read_lock held */
3712 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3713 struct sk_buff *skb, const struct nlmsghdr *nlh,
3714 const struct nlattr * const nla[],
3715 struct netlink_ext_ack *extack)
3717 u8 genmask = nft_genmask_cur(net);
3718 const struct nft_set *set;
3720 struct sk_buff *skb2;
3721 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3724 /* Verify existence before starting dump */
3725 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3730 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3731 struct netlink_dump_control c = {
3732 .start = nf_tables_dump_sets_start,
3733 .dump = nf_tables_dump_sets,
3734 .done = nf_tables_dump_sets_done,
3736 .module = THIS_MODULE,
3739 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3742 /* Only accept unspec with dump */
3743 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3744 return -EAFNOSUPPORT;
3745 if (!nla[NFTA_SET_TABLE])
3748 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3750 return PTR_ERR(set);
3752 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3756 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3760 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3767 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3768 const struct nlattr *nla)
3770 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3773 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3774 nft_set_desc_policy, NULL);
3778 if (da[NFTA_SET_DESC_SIZE] != NULL)
3779 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3784 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3785 struct sk_buff *skb, const struct nlmsghdr *nlh,
3786 const struct nlattr * const nla[],
3787 struct netlink_ext_ack *extack)
3789 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3790 u8 genmask = nft_genmask_next(net);
3791 int family = nfmsg->nfgen_family;
3792 const struct nft_set_ops *ops;
3793 struct nft_table *table;
3794 struct nft_set *set;
3799 u32 ktype, dtype, flags, policy, gc_int, objtype;
3800 struct nft_set_desc desc;
3801 unsigned char *udata;
3805 if (nla[NFTA_SET_TABLE] == NULL ||
3806 nla[NFTA_SET_NAME] == NULL ||
3807 nla[NFTA_SET_KEY_LEN] == NULL ||
3808 nla[NFTA_SET_ID] == NULL)
3811 memset(&desc, 0, sizeof(desc));
3813 ktype = NFT_DATA_VALUE;
3814 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3815 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3816 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3820 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3821 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3825 if (nla[NFTA_SET_FLAGS] != NULL) {
3826 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3827 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3828 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3829 NFT_SET_MAP | NFT_SET_EVAL |
3832 /* Only one of these operations is supported */
3833 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3834 (NFT_SET_MAP | NFT_SET_OBJECT))
3836 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3837 (NFT_SET_EVAL | NFT_SET_OBJECT))
3842 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3843 if (!(flags & NFT_SET_MAP))
3846 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3847 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3848 dtype != NFT_DATA_VERDICT)
3851 if (dtype != NFT_DATA_VERDICT) {
3852 if (nla[NFTA_SET_DATA_LEN] == NULL)
3854 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3855 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3858 desc.dlen = sizeof(struct nft_verdict);
3859 } else if (flags & NFT_SET_MAP)
3862 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3863 if (!(flags & NFT_SET_OBJECT))
3866 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3867 if (objtype == NFT_OBJECT_UNSPEC ||
3868 objtype > NFT_OBJECT_MAX)
3870 } else if (flags & NFT_SET_OBJECT)
3873 objtype = NFT_OBJECT_UNSPEC;
3876 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3877 if (!(flags & NFT_SET_TIMEOUT))
3880 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3885 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3886 if (!(flags & NFT_SET_TIMEOUT))
3888 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3891 policy = NFT_SET_POL_PERFORMANCE;
3892 if (nla[NFTA_SET_POLICY] != NULL)
3893 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3895 if (nla[NFTA_SET_DESC] != NULL) {
3896 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3901 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3902 if (IS_ERR(table)) {
3903 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3904 return PTR_ERR(table);
3907 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3909 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3911 if (PTR_ERR(set) != -ENOENT) {
3912 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3913 return PTR_ERR(set);
3916 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3917 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3920 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3926 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3929 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3931 return PTR_ERR(ops);
3934 if (nla[NFTA_SET_USERDATA])
3935 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3938 if (ops->privsize != NULL)
3939 size = ops->privsize(nla, &desc);
3941 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3947 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3953 err = nf_tables_set_alloc_name(&ctx, set, name);
3960 udata = set->data + size;
3961 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3964 INIT_LIST_HEAD(&set->bindings);
3966 write_pnet(&set->net, net);
3969 set->klen = desc.klen;
3971 set->objtype = objtype;
3972 set->dlen = desc.dlen;
3974 set->size = desc.size;
3975 set->policy = policy;
3978 set->timeout = timeout;
3979 set->gc_int = gc_int;
3980 set->handle = nf_tables_alloc_handle(table);
3982 err = ops->init(set, &desc, nla);
3986 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3990 list_add_tail_rcu(&set->list, &table->sets);
4001 module_put(to_set_type(ops)->owner);
4005 static void nft_set_destroy(struct nft_set *set)
4007 if (WARN_ON(set->use > 0))
4010 set->ops->destroy(set);
4011 module_put(to_set_type(set->ops)->owner);
4016 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4017 struct sk_buff *skb, const struct nlmsghdr *nlh,
4018 const struct nlattr * const nla[],
4019 struct netlink_ext_ack *extack)
4021 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4022 u8 genmask = nft_genmask_next(net);
4023 const struct nlattr *attr;
4024 struct nft_set *set;
4028 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4029 return -EAFNOSUPPORT;
4030 if (nla[NFTA_SET_TABLE] == NULL)
4033 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4038 if (nla[NFTA_SET_HANDLE]) {
4039 attr = nla[NFTA_SET_HANDLE];
4040 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4042 attr = nla[NFTA_SET_NAME];
4043 set = nft_set_lookup(ctx.table, attr, genmask);
4047 NL_SET_BAD_ATTR(extack, attr);
4048 return PTR_ERR(set);
4051 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4052 NL_SET_BAD_ATTR(extack, attr);
4056 return nft_delset(&ctx, set);
4059 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4060 struct nft_set *set,
4061 const struct nft_set_iter *iter,
4062 struct nft_set_elem *elem)
4064 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4065 enum nft_registers dreg;
4067 dreg = nft_type_to_reg(set->dtype);
4068 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4069 set->dtype == NFT_DATA_VERDICT ?
4070 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4074 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4075 struct nft_set_binding *binding)
4077 struct nft_set_binding *i;
4078 struct nft_set_iter iter;
4080 if (set->use == UINT_MAX)
4083 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4086 if (binding->flags & NFT_SET_MAP) {
4087 /* If the set is already bound to the same chain all
4088 * jumps are already validated for that chain.
4090 list_for_each_entry(i, &set->bindings, list) {
4091 if (i->flags & NFT_SET_MAP &&
4092 i->chain == binding->chain)
4096 iter.genmask = nft_genmask_next(ctx->net);
4100 iter.fn = nf_tables_bind_check_setelem;
4102 set->ops->walk(ctx, set, &iter);
4107 binding->chain = ctx->chain;
4108 list_add_tail_rcu(&binding->list, &set->bindings);
4109 nft_set_trans_bind(ctx, set);
4114 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4116 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4117 struct nft_set_binding *binding, bool event)
4119 list_del_rcu(&binding->list);
4121 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4122 list_del_rcu(&set->list);
4124 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4129 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4130 struct nft_set_binding *binding,
4131 enum nft_trans_phase phase)
4134 case NFT_TRANS_PREPARE:
4137 case NFT_TRANS_ABORT:
4138 case NFT_TRANS_RELEASE:
4142 nf_tables_unbind_set(ctx, set, binding,
4143 phase == NFT_TRANS_COMMIT);
4146 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4148 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4150 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4151 nft_set_destroy(set);
4153 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4155 const struct nft_set_ext_type nft_set_ext_types[] = {
4156 [NFT_SET_EXT_KEY] = {
4157 .align = __alignof__(u32),
4159 [NFT_SET_EXT_DATA] = {
4160 .align = __alignof__(u32),
4162 [NFT_SET_EXT_EXPR] = {
4163 .align = __alignof__(struct nft_expr),
4165 [NFT_SET_EXT_OBJREF] = {
4166 .len = sizeof(struct nft_object *),
4167 .align = __alignof__(struct nft_object *),
4169 [NFT_SET_EXT_FLAGS] = {
4171 .align = __alignof__(u8),
4173 [NFT_SET_EXT_TIMEOUT] = {
4175 .align = __alignof__(u64),
4177 [NFT_SET_EXT_EXPIRATION] = {
4179 .align = __alignof__(u64),
4181 [NFT_SET_EXT_USERDATA] = {
4182 .len = sizeof(struct nft_userdata),
4183 .align = __alignof__(struct nft_userdata),
4186 EXPORT_SYMBOL_GPL(nft_set_ext_types);
4192 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4193 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4194 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4195 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4196 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4197 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4198 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4199 .len = NFT_USERDATA_MAXLEN },
4200 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4201 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
4204 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4205 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4206 .len = NFT_TABLE_MAXNAMELEN - 1 },
4207 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4208 .len = NFT_SET_MAXNAMELEN - 1 },
4209 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4210 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4213 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4214 const struct sk_buff *skb,
4215 const struct nlmsghdr *nlh,
4216 const struct nlattr * const nla[],
4217 struct netlink_ext_ack *extack,
4220 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4221 int family = nfmsg->nfgen_family;
4222 struct nft_table *table;
4224 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4226 if (IS_ERR(table)) {
4227 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4228 return PTR_ERR(table);
4231 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4235 static int nf_tables_fill_setelem(struct sk_buff *skb,
4236 const struct nft_set *set,
4237 const struct nft_set_elem *elem)
4239 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4240 unsigned char *b = skb_tail_pointer(skb);
4241 struct nlattr *nest;
4243 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4245 goto nla_put_failure;
4247 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4248 NFT_DATA_VALUE, set->klen) < 0)
4249 goto nla_put_failure;
4251 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4252 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4253 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4255 goto nla_put_failure;
4257 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4258 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4259 goto nla_put_failure;
4261 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4262 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4263 (*nft_set_ext_obj(ext))->key.name) < 0)
4264 goto nla_put_failure;
4266 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4267 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4268 htonl(*nft_set_ext_flags(ext))))
4269 goto nla_put_failure;
4271 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4272 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4273 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4275 goto nla_put_failure;
4277 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4278 u64 expires, now = get_jiffies_64();
4280 expires = *nft_set_ext_expiration(ext);
4281 if (time_before64(now, expires))
4286 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4287 nf_jiffies64_to_msecs(expires),
4289 goto nla_put_failure;
4292 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4293 struct nft_userdata *udata;
4295 udata = nft_set_ext_userdata(ext);
4296 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4297 udata->len + 1, udata->data))
4298 goto nla_put_failure;
4301 nla_nest_end(skb, nest);
4309 struct nft_set_dump_args {
4310 const struct netlink_callback *cb;
4311 struct nft_set_iter iter;
4312 struct sk_buff *skb;
4315 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4316 struct nft_set *set,
4317 const struct nft_set_iter *iter,
4318 struct nft_set_elem *elem)
4320 struct nft_set_dump_args *args;
4322 args = container_of(iter, struct nft_set_dump_args, iter);
4323 return nf_tables_fill_setelem(args->skb, set, elem);
4326 struct nft_set_dump_ctx {
4327 const struct nft_set *set;
4331 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4333 struct nft_set_dump_ctx *dump_ctx = cb->data;
4334 struct net *net = sock_net(skb->sk);
4335 struct nft_table *table;
4336 struct nft_set *set;
4337 struct nft_set_dump_args args;
4338 bool set_found = false;
4339 struct nfgenmsg *nfmsg;
4340 struct nlmsghdr *nlh;
4341 struct nlattr *nest;
4346 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4347 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4348 dump_ctx->ctx.family != table->family)
4351 if (table != dump_ctx->ctx.table)
4354 list_for_each_entry_rcu(set, &table->sets, list) {
4355 if (set == dump_ctx->set) {
4368 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4369 portid = NETLINK_CB(cb->skb).portid;
4370 seq = cb->nlh->nlmsg_seq;
4372 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4375 goto nla_put_failure;
4377 nfmsg = nlmsg_data(nlh);
4378 nfmsg->nfgen_family = table->family;
4379 nfmsg->version = NFNETLINK_V0;
4380 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4382 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4383 goto nla_put_failure;
4384 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4385 goto nla_put_failure;
4387 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4389 goto nla_put_failure;
4393 args.iter.genmask = nft_genmask_cur(net);
4394 args.iter.skip = cb->args[0];
4395 args.iter.count = 0;
4397 args.iter.fn = nf_tables_dump_setelem;
4398 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4401 nla_nest_end(skb, nest);
4402 nlmsg_end(skb, nlh);
4404 if (args.iter.err && args.iter.err != -EMSGSIZE)
4405 return args.iter.err;
4406 if (args.iter.count == cb->args[0])
4409 cb->args[0] = args.iter.count;
4417 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4419 struct nft_set_dump_ctx *dump_ctx = cb->data;
4421 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4423 return cb->data ? 0 : -ENOMEM;
4426 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4432 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4433 const struct nft_ctx *ctx, u32 seq,
4434 u32 portid, int event, u16 flags,
4435 const struct nft_set *set,
4436 const struct nft_set_elem *elem)
4438 struct nfgenmsg *nfmsg;
4439 struct nlmsghdr *nlh;
4440 struct nlattr *nest;
4443 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4444 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4447 goto nla_put_failure;
4449 nfmsg = nlmsg_data(nlh);
4450 nfmsg->nfgen_family = ctx->family;
4451 nfmsg->version = NFNETLINK_V0;
4452 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4454 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4455 goto nla_put_failure;
4456 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4457 goto nla_put_failure;
4459 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4461 goto nla_put_failure;
4463 err = nf_tables_fill_setelem(skb, set, elem);
4465 goto nla_put_failure;
4467 nla_nest_end(skb, nest);
4469 nlmsg_end(skb, nlh);
4473 nlmsg_trim(skb, nlh);
4477 static int nft_setelem_parse_flags(const struct nft_set *set,
4478 const struct nlattr *attr, u32 *flags)
4483 *flags = ntohl(nla_get_be32(attr));
4484 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4486 if (!(set->flags & NFT_SET_INTERVAL) &&
4487 *flags & NFT_SET_ELEM_INTERVAL_END)
4493 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4494 const struct nlattr *attr)
4496 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4497 struct nft_data_desc desc;
4498 struct nft_set_elem elem;
4499 struct sk_buff *skb;
4504 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4505 nft_set_elem_policy, NULL);
4509 if (!nla[NFTA_SET_ELEM_KEY])
4512 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4516 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4517 nla[NFTA_SET_ELEM_KEY]);
4522 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4525 priv = set->ops->get(ctx->net, set, &elem, flags);
4527 return PTR_ERR(priv);
4532 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4536 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4537 NFT_MSG_NEWSETELEM, 0, set, &elem);
4541 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4542 /* This avoids a loop in nfnetlink. */
4550 /* this avoids a loop in nfnetlink. */
4551 return err == -EAGAIN ? -ENOBUFS : err;
4554 /* called with rcu_read_lock held */
4555 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4556 struct sk_buff *skb, const struct nlmsghdr *nlh,
4557 const struct nlattr * const nla[],
4558 struct netlink_ext_ack *extack)
4560 u8 genmask = nft_genmask_cur(net);
4561 struct nft_set *set;
4562 struct nlattr *attr;
4566 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4571 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4573 return PTR_ERR(set);
4575 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4576 struct netlink_dump_control c = {
4577 .start = nf_tables_dump_set_start,
4578 .dump = nf_tables_dump_set,
4579 .done = nf_tables_dump_set_done,
4580 .module = THIS_MODULE,
4582 struct nft_set_dump_ctx dump_ctx = {
4588 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4591 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4594 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4595 err = nft_get_set_elem(&ctx, set, attr);
4603 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4604 const struct nft_set *set,
4605 const struct nft_set_elem *elem,
4606 int event, u16 flags)
4608 struct net *net = ctx->net;
4609 u32 portid = ctx->portid;
4610 struct sk_buff *skb;
4613 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4616 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4620 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4627 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4631 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4634 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4636 struct nft_set *set)
4638 struct nft_trans *trans;
4640 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4644 nft_trans_elem_set(trans) = set;
4648 void *nft_set_elem_init(const struct nft_set *set,
4649 const struct nft_set_ext_tmpl *tmpl,
4650 const u32 *key, const u32 *data,
4651 u64 timeout, u64 expiration, gfp_t gfp)
4653 struct nft_set_ext *ext;
4656 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4660 ext = nft_set_elem_ext(set, elem);
4661 nft_set_ext_init(ext, tmpl);
4663 memcpy(nft_set_ext_key(ext), key, set->klen);
4664 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4665 memcpy(nft_set_ext_data(ext), data, set->dlen);
4666 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4667 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4668 if (expiration == 0)
4669 *nft_set_ext_expiration(ext) += timeout;
4671 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4672 *nft_set_ext_timeout(ext) = timeout;
4677 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4680 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4681 struct nft_ctx ctx = {
4682 .net = read_pnet(&set->net),
4683 .family = set->table->family,
4686 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4687 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4688 nft_data_release(nft_set_ext_data(ext), set->dtype);
4689 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4690 struct nft_expr *expr = nft_set_ext_expr(ext);
4692 if (expr->ops->destroy_clone) {
4693 expr->ops->destroy_clone(&ctx, expr);
4694 module_put(expr->ops->type->owner);
4696 nf_tables_expr_destroy(&ctx, expr);
4699 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4700 (*nft_set_ext_obj(ext))->use--;
4703 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4705 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4706 * the refcounting from the preparation phase.
4708 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4709 const struct nft_set *set, void *elem)
4711 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4713 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4714 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4718 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4719 const struct nlattr *attr, u32 nlmsg_flags)
4721 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4722 u8 genmask = nft_genmask_next(ctx->net);
4723 struct nft_data_desc d1, d2;
4724 struct nft_set_ext_tmpl tmpl;
4725 struct nft_set_ext *ext, *ext2;
4726 struct nft_set_elem elem;
4727 struct nft_set_binding *binding;
4728 struct nft_object *obj = NULL;
4729 struct nft_userdata *udata;
4730 struct nft_data data;
4731 enum nft_registers dreg;
4732 struct nft_trans *trans;
4739 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4740 nft_set_elem_policy, NULL);
4744 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4747 nft_set_ext_prepare(&tmpl);
4749 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4753 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4755 if (set->flags & NFT_SET_MAP) {
4756 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4757 !(flags & NFT_SET_ELEM_INTERVAL_END))
4759 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4760 flags & NFT_SET_ELEM_INTERVAL_END)
4763 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4768 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4769 if (!(set->flags & NFT_SET_TIMEOUT))
4771 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4775 } else if (set->flags & NFT_SET_TIMEOUT) {
4776 timeout = set->timeout;
4780 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
4781 if (!(set->flags & NFT_SET_TIMEOUT))
4783 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
4789 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4790 nla[NFTA_SET_ELEM_KEY]);
4794 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4797 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4799 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4800 if (timeout != set->timeout)
4801 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4804 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4805 if (!(set->flags & NFT_SET_OBJECT)) {
4809 obj = nft_obj_lookup(ctx->net, ctx->table,
4810 nla[NFTA_SET_ELEM_OBJREF],
4811 set->objtype, genmask);
4816 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4819 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4820 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4821 nla[NFTA_SET_ELEM_DATA]);
4826 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4829 dreg = nft_type_to_reg(set->dtype);
4830 list_for_each_entry(binding, &set->bindings, list) {
4831 struct nft_ctx bind_ctx = {
4833 .family = ctx->family,
4834 .table = ctx->table,
4835 .chain = (struct nft_chain *)binding->chain,
4838 if (!(binding->flags & NFT_SET_MAP))
4841 err = nft_validate_register_store(&bind_ctx, dreg,
4847 if (d2.type == NFT_DATA_VERDICT &&
4848 (data.verdict.code == NFT_GOTO ||
4849 data.verdict.code == NFT_JUMP))
4850 nft_validate_state_update(ctx->net,
4854 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4857 /* The full maximum length of userdata can exceed the maximum
4858 * offset value (U8_MAX) for following extensions, therefor it
4859 * must be the last extension added.
4862 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4863 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4865 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4870 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4871 timeout, expiration, GFP_KERNEL);
4872 if (elem.priv == NULL)
4875 ext = nft_set_elem_ext(set, elem.priv);
4877 *nft_set_ext_flags(ext) = flags;
4879 udata = nft_set_ext_userdata(ext);
4880 udata->len = ulen - 1;
4881 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4884 *nft_set_ext_obj(ext) = obj;
4888 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4892 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4893 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4895 if (err == -EEXIST) {
4896 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4897 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4898 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4899 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4903 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4904 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4905 memcmp(nft_set_ext_data(ext),
4906 nft_set_ext_data(ext2), set->dlen) != 0) ||
4907 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4908 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4909 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4911 else if (!(nlmsg_flags & NLM_F_EXCL))
4918 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4923 nft_trans_elem(trans) = elem;
4924 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4928 set->ops->remove(ctx->net, set, &elem);
4936 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4937 nft_data_release(&data, d2.type);
4939 nft_data_release(&elem.key.val, d1.type);
4944 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4945 struct sk_buff *skb, const struct nlmsghdr *nlh,
4946 const struct nlattr * const nla[],
4947 struct netlink_ext_ack *extack)
4949 u8 genmask = nft_genmask_next(net);
4950 const struct nlattr *attr;
4951 struct nft_set *set;
4955 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4958 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4963 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4964 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4966 return PTR_ERR(set);
4968 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4971 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4972 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4977 if (net->nft.validate_state == NFT_VALIDATE_DO)
4978 return nft_table_validate(net, ctx.table);
4984 * nft_data_hold - hold a nft_data item
4986 * @data: struct nft_data to release
4987 * @type: type of data
4989 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4990 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4991 * NFT_GOTO verdicts. This function must be called on active data objects
4992 * from the second phase of the commit protocol.
4994 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4996 if (type == NFT_DATA_VERDICT) {
4997 switch (data->verdict.code) {
5000 data->verdict.chain->use++;
5006 static void nft_set_elem_activate(const struct net *net,
5007 const struct nft_set *set,
5008 struct nft_set_elem *elem)
5010 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5012 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5013 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5014 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5015 (*nft_set_ext_obj(ext))->use++;
5018 static void nft_set_elem_deactivate(const struct net *net,
5019 const struct nft_set *set,
5020 struct nft_set_elem *elem)
5022 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5024 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5025 nft_data_release(nft_set_ext_data(ext), set->dtype);
5026 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5027 (*nft_set_ext_obj(ext))->use--;
5030 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5031 const struct nlattr *attr)
5033 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5034 struct nft_set_ext_tmpl tmpl;
5035 struct nft_data_desc desc;
5036 struct nft_set_elem elem;
5037 struct nft_set_ext *ext;
5038 struct nft_trans *trans;
5043 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5044 nft_set_elem_policy, NULL);
5049 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5052 nft_set_ext_prepare(&tmpl);
5054 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5058 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5060 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
5061 nla[NFTA_SET_ELEM_KEY]);
5066 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
5069 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
5072 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
5074 if (elem.priv == NULL)
5077 ext = nft_set_elem_ext(set, elem.priv);
5079 *nft_set_ext_flags(ext) = flags;
5081 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5082 if (trans == NULL) {
5087 priv = set->ops->deactivate(ctx->net, set, &elem);
5095 nft_set_elem_deactivate(ctx->net, set, &elem);
5097 nft_trans_elem(trans) = elem;
5098 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5106 nft_data_release(&elem.key.val, desc.type);
5111 static int nft_flush_set(const struct nft_ctx *ctx,
5112 struct nft_set *set,
5113 const struct nft_set_iter *iter,
5114 struct nft_set_elem *elem)
5116 struct nft_trans *trans;
5119 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5120 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5124 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5130 nft_set_elem_deactivate(ctx->net, set, elem);
5131 nft_trans_elem_set(trans) = set;
5132 nft_trans_elem(trans) = *elem;
5133 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5141 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5142 struct sk_buff *skb, const struct nlmsghdr *nlh,
5143 const struct nlattr * const nla[],
5144 struct netlink_ext_ack *extack)
5146 u8 genmask = nft_genmask_next(net);
5147 const struct nlattr *attr;
5148 struct nft_set *set;
5152 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5157 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5159 return PTR_ERR(set);
5160 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5163 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5164 struct nft_set_iter iter = {
5166 .fn = nft_flush_set,
5168 set->ops->walk(&ctx, set, &iter);
5173 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5174 err = nft_del_setelem(&ctx, set, attr);
5183 void nft_set_gc_batch_release(struct rcu_head *rcu)
5185 struct nft_set_gc_batch *gcb;
5188 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5189 for (i = 0; i < gcb->head.cnt; i++)
5190 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5193 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
5195 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5198 struct nft_set_gc_batch *gcb;
5200 gcb = kzalloc(sizeof(*gcb), gfp);
5203 gcb->head.set = set;
5206 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
5213 * nft_register_obj- register nf_tables stateful object type
5216 * Registers the object type for use with nf_tables. Returns zero on
5217 * success or a negative errno code otherwise.
5219 int nft_register_obj(struct nft_object_type *obj_type)
5221 if (obj_type->type == NFT_OBJECT_UNSPEC)
5224 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5225 list_add_rcu(&obj_type->list, &nf_tables_objects);
5226 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5229 EXPORT_SYMBOL_GPL(nft_register_obj);
5232 * nft_unregister_obj - unregister nf_tables object type
5235 * Unregisters the object type for use with nf_tables.
5237 void nft_unregister_obj(struct nft_object_type *obj_type)
5239 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5240 list_del_rcu(&obj_type->list);
5241 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5243 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5245 struct nft_object *nft_obj_lookup(const struct net *net,
5246 const struct nft_table *table,
5247 const struct nlattr *nla, u32 objtype,
5250 struct nft_object_hash_key k = { .table = table };
5251 char search[NFT_OBJ_MAXNAMELEN];
5252 struct rhlist_head *tmp, *list;
5253 struct nft_object *obj;
5255 nla_strlcpy(search, nla, sizeof(search));
5258 WARN_ON_ONCE(!rcu_read_lock_held() &&
5259 !lockdep_commit_lock_is_held(net));
5262 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5266 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5267 if (objtype == obj->ops->type->type &&
5268 nft_active_genmask(obj, genmask)) {
5275 return ERR_PTR(-ENOENT);
5277 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5279 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5280 const struct nlattr *nla,
5281 u32 objtype, u8 genmask)
5283 struct nft_object *obj;
5285 list_for_each_entry(obj, &table->objects, list) {
5286 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5287 objtype == obj->ops->type->type &&
5288 nft_active_genmask(obj, genmask))
5291 return ERR_PTR(-ENOENT);
5294 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5295 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5296 .len = NFT_TABLE_MAXNAMELEN - 1 },
5297 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5298 .len = NFT_OBJ_MAXNAMELEN - 1 },
5299 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5300 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5301 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5304 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5305 const struct nft_object_type *type,
5306 const struct nlattr *attr)
5309 const struct nft_object_ops *ops;
5310 struct nft_object *obj;
5313 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5318 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5319 type->policy, NULL);
5323 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5326 if (type->select_ops) {
5327 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5337 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5341 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5354 return ERR_PTR(err);
5357 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5358 struct nft_object *obj, bool reset)
5360 struct nlattr *nest;
5362 nest = nla_nest_start_noflag(skb, attr);
5364 goto nla_put_failure;
5365 if (obj->ops->dump(skb, obj, reset) < 0)
5366 goto nla_put_failure;
5367 nla_nest_end(skb, nest);
5374 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5376 const struct nft_object_type *type;
5378 list_for_each_entry(type, &nf_tables_objects, list) {
5379 if (objtype == type->type)
5385 static const struct nft_object_type *
5386 nft_obj_type_get(struct net *net, u32 objtype)
5388 const struct nft_object_type *type;
5390 type = __nft_obj_type_get(objtype);
5391 if (type != NULL && try_module_get(type->owner))
5394 lockdep_nfnl_nft_mutex_not_held();
5395 #ifdef CONFIG_MODULES
5397 nft_request_module(net, "nft-obj-%u", objtype);
5398 if (__nft_obj_type_get(objtype))
5399 return ERR_PTR(-EAGAIN);
5402 return ERR_PTR(-ENOENT);
5405 static int nf_tables_updobj(const struct nft_ctx *ctx,
5406 const struct nft_object_type *type,
5407 const struct nlattr *attr,
5408 struct nft_object *obj)
5410 struct nft_object *newobj;
5411 struct nft_trans *trans;
5414 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5415 sizeof(struct nft_trans_obj));
5419 newobj = nft_obj_init(ctx, type, attr);
5420 if (IS_ERR(newobj)) {
5421 err = PTR_ERR(newobj);
5422 goto err_free_trans;
5425 nft_trans_obj(trans) = obj;
5426 nft_trans_obj_update(trans) = true;
5427 nft_trans_obj_newobj(trans) = newobj;
5428 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5437 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5438 struct sk_buff *skb, const struct nlmsghdr *nlh,
5439 const struct nlattr * const nla[],
5440 struct netlink_ext_ack *extack)
5442 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5443 const struct nft_object_type *type;
5444 u8 genmask = nft_genmask_next(net);
5445 int family = nfmsg->nfgen_family;
5446 struct nft_table *table;
5447 struct nft_object *obj;
5452 if (!nla[NFTA_OBJ_TYPE] ||
5453 !nla[NFTA_OBJ_NAME] ||
5454 !nla[NFTA_OBJ_DATA])
5457 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5458 if (IS_ERR(table)) {
5459 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5460 return PTR_ERR(table);
5463 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5464 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5467 if (err != -ENOENT) {
5468 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5472 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5473 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5476 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5479 type = nft_obj_type_get(net, objtype);
5480 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5482 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5485 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5487 type = nft_obj_type_get(net, objtype);
5489 return PTR_ERR(type);
5491 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5496 obj->key.table = table;
5497 obj->handle = nf_tables_alloc_handle(table);
5499 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5500 if (!obj->key.name) {
5505 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5509 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5510 nft_objname_ht_params);
5514 list_add_tail_rcu(&obj->list, &table->objects);
5518 /* queued in transaction log */
5519 INIT_LIST_HEAD(&obj->list);
5522 kfree(obj->key.name);
5524 if (obj->ops->destroy)
5525 obj->ops->destroy(&ctx, obj);
5528 module_put(type->owner);
5532 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5533 u32 portid, u32 seq, int event, u32 flags,
5534 int family, const struct nft_table *table,
5535 struct nft_object *obj, bool reset)
5537 struct nfgenmsg *nfmsg;
5538 struct nlmsghdr *nlh;
5540 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5541 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5543 goto nla_put_failure;
5545 nfmsg = nlmsg_data(nlh);
5546 nfmsg->nfgen_family = family;
5547 nfmsg->version = NFNETLINK_V0;
5548 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5550 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5551 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5552 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5553 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5554 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5555 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5557 goto nla_put_failure;
5559 nlmsg_end(skb, nlh);
5563 nlmsg_trim(skb, nlh);
5567 struct nft_obj_filter {
5572 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5574 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5575 const struct nft_table *table;
5576 unsigned int idx = 0, s_idx = cb->args[0];
5577 struct nft_obj_filter *filter = cb->data;
5578 struct net *net = sock_net(skb->sk);
5579 int family = nfmsg->nfgen_family;
5580 struct nft_object *obj;
5583 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5587 cb->seq = net->nft.base_seq;
5589 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5590 if (family != NFPROTO_UNSPEC && family != table->family)
5593 list_for_each_entry_rcu(obj, &table->objects, list) {
5594 if (!nft_is_active(net, obj))
5599 memset(&cb->args[1], 0,
5600 sizeof(cb->args) - sizeof(cb->args[0]));
5601 if (filter && filter->table &&
5602 strcmp(filter->table, table->name))
5605 filter->type != NFT_OBJECT_UNSPEC &&
5606 obj->ops->type->type != filter->type)
5609 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5612 NLM_F_MULTI | NLM_F_APPEND,
5613 table->family, table,
5617 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5629 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5631 const struct nlattr * const *nla = cb->data;
5632 struct nft_obj_filter *filter = NULL;
5634 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5635 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5639 if (nla[NFTA_OBJ_TABLE]) {
5640 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5641 if (!filter->table) {
5647 if (nla[NFTA_OBJ_TYPE])
5648 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5655 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5657 struct nft_obj_filter *filter = cb->data;
5660 kfree(filter->table);
5667 /* called with rcu_read_lock held */
5668 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5669 struct sk_buff *skb, const struct nlmsghdr *nlh,
5670 const struct nlattr * const nla[],
5671 struct netlink_ext_ack *extack)
5673 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5674 u8 genmask = nft_genmask_cur(net);
5675 int family = nfmsg->nfgen_family;
5676 const struct nft_table *table;
5677 struct nft_object *obj;
5678 struct sk_buff *skb2;
5683 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5684 struct netlink_dump_control c = {
5685 .start = nf_tables_dump_obj_start,
5686 .dump = nf_tables_dump_obj,
5687 .done = nf_tables_dump_obj_done,
5688 .module = THIS_MODULE,
5689 .data = (void *)nla,
5692 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5695 if (!nla[NFTA_OBJ_NAME] ||
5696 !nla[NFTA_OBJ_TYPE])
5699 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5700 if (IS_ERR(table)) {
5701 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5702 return PTR_ERR(table);
5705 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5706 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5708 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5709 return PTR_ERR(obj);
5712 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5716 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5719 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5720 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5721 family, table, obj, reset);
5725 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5731 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5733 if (obj->ops->destroy)
5734 obj->ops->destroy(ctx, obj);
5736 module_put(obj->ops->type->owner);
5737 kfree(obj->key.name);
5741 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5742 struct sk_buff *skb, const struct nlmsghdr *nlh,
5743 const struct nlattr * const nla[],
5744 struct netlink_ext_ack *extack)
5746 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5747 u8 genmask = nft_genmask_next(net);
5748 int family = nfmsg->nfgen_family;
5749 const struct nlattr *attr;
5750 struct nft_table *table;
5751 struct nft_object *obj;
5755 if (!nla[NFTA_OBJ_TYPE] ||
5756 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5759 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5760 if (IS_ERR(table)) {
5761 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5762 return PTR_ERR(table);
5765 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5766 if (nla[NFTA_OBJ_HANDLE]) {
5767 attr = nla[NFTA_OBJ_HANDLE];
5768 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5770 attr = nla[NFTA_OBJ_NAME];
5771 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5775 NL_SET_BAD_ATTR(extack, attr);
5776 return PTR_ERR(obj);
5779 NL_SET_BAD_ATTR(extack, attr);
5783 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5785 return nft_delobj(&ctx, obj);
5788 void nft_obj_notify(struct net *net, const struct nft_table *table,
5789 struct nft_object *obj, u32 portid, u32 seq, int event,
5790 int family, int report, gfp_t gfp)
5792 struct sk_buff *skb;
5796 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5799 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5803 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5810 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5813 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5815 EXPORT_SYMBOL_GPL(nft_obj_notify);
5817 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5818 struct nft_object *obj, int event)
5820 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5821 ctx->family, ctx->report, GFP_KERNEL);
5827 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5829 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5830 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5831 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5833 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5835 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5837 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5838 list_del_rcu(&type->list);
5839 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5841 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5843 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5844 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5845 .len = NFT_NAME_MAXLEN - 1 },
5846 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5847 .len = NFT_NAME_MAXLEN - 1 },
5848 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5849 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5850 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
5853 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5854 const struct nlattr *nla, u8 genmask)
5856 struct nft_flowtable *flowtable;
5858 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5859 if (!nla_strcmp(nla, flowtable->name) &&
5860 nft_active_genmask(flowtable, genmask))
5863 return ERR_PTR(-ENOENT);
5865 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5867 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
5868 struct nft_flowtable *flowtable,
5869 enum nft_trans_phase phase)
5872 case NFT_TRANS_PREPARE:
5873 case NFT_TRANS_ABORT:
5874 case NFT_TRANS_RELEASE:
5881 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
5883 static struct nft_flowtable *
5884 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5885 const struct nlattr *nla, u8 genmask)
5887 struct nft_flowtable *flowtable;
5889 list_for_each_entry(flowtable, &table->flowtables, list) {
5890 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5891 nft_active_genmask(flowtable, genmask))
5894 return ERR_PTR(-ENOENT);
5897 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5898 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5899 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5900 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5903 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5904 const struct nlattr *attr,
5905 struct nft_flowtable *flowtable)
5907 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5908 struct nft_hook *hook;
5909 int hooknum, priority;
5912 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5913 nft_flowtable_hook_policy, NULL);
5917 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5918 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5919 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5922 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5923 if (hooknum != NF_NETDEV_INGRESS)
5926 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5928 err = nf_tables_parse_netdev_hooks(ctx->net,
5929 tb[NFTA_FLOWTABLE_HOOK_DEVS],
5930 &flowtable->hook_list);
5934 flowtable->hooknum = hooknum;
5935 flowtable->data.priority = priority;
5937 list_for_each_entry(hook, &flowtable->hook_list, list) {
5938 hook->ops.pf = NFPROTO_NETDEV;
5939 hook->ops.hooknum = hooknum;
5940 hook->ops.priority = priority;
5941 hook->ops.priv = &flowtable->data;
5942 hook->ops.hook = flowtable->data.type->hook;
5948 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5950 const struct nf_flowtable_type *type;
5952 list_for_each_entry(type, &nf_tables_flowtables, list) {
5953 if (family == type->family)
5959 static const struct nf_flowtable_type *
5960 nft_flowtable_type_get(struct net *net, u8 family)
5962 const struct nf_flowtable_type *type;
5964 type = __nft_flowtable_type_get(family);
5965 if (type != NULL && try_module_get(type->owner))
5968 lockdep_nfnl_nft_mutex_not_held();
5969 #ifdef CONFIG_MODULES
5971 nft_request_module(net, "nf-flowtable-%u", family);
5972 if (__nft_flowtable_type_get(family))
5973 return ERR_PTR(-EAGAIN);
5976 return ERR_PTR(-ENOENT);
5979 static void nft_unregister_flowtable_hook(struct net *net,
5980 struct nft_flowtable *flowtable,
5981 struct nft_hook *hook)
5983 nf_unregister_net_hook(net, &hook->ops);
5984 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
5988 static void nft_unregister_flowtable_net_hooks(struct net *net,
5989 struct nft_flowtable *flowtable)
5991 struct nft_hook *hook;
5993 list_for_each_entry(hook, &flowtable->hook_list, list)
5994 nft_unregister_flowtable_hook(net, flowtable, hook);
5997 static int nft_register_flowtable_net_hooks(struct net *net,
5998 struct nft_table *table,
5999 struct nft_flowtable *flowtable)
6001 struct nft_hook *hook, *hook2, *next;
6002 struct nft_flowtable *ft;
6005 list_for_each_entry(hook, &flowtable->hook_list, list) {
6006 list_for_each_entry(ft, &table->flowtables, list) {
6007 list_for_each_entry(hook2, &ft->hook_list, list) {
6008 if (hook->ops.dev == hook2->ops.dev &&
6009 hook->ops.pf == hook2->ops.pf) {
6011 goto err_unregister_net_hooks;
6016 err = flowtable->data.type->setup(&flowtable->data,
6020 goto err_unregister_net_hooks;
6022 err = nf_register_net_hook(net, &hook->ops);
6024 flowtable->data.type->setup(&flowtable->data,
6027 goto err_unregister_net_hooks;
6035 err_unregister_net_hooks:
6036 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6040 nft_unregister_flowtable_hook(net, flowtable, hook);
6041 list_del_rcu(&hook->list);
6042 kfree_rcu(hook, rcu);
6048 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6049 struct sk_buff *skb,
6050 const struct nlmsghdr *nlh,
6051 const struct nlattr * const nla[],
6052 struct netlink_ext_ack *extack)
6054 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6055 const struct nf_flowtable_type *type;
6056 u8 genmask = nft_genmask_next(net);
6057 int family = nfmsg->nfgen_family;
6058 struct nft_flowtable *flowtable;
6059 struct nft_hook *hook, *next;
6060 struct nft_table *table;
6064 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6065 !nla[NFTA_FLOWTABLE_NAME] ||
6066 !nla[NFTA_FLOWTABLE_HOOK])
6069 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6071 if (IS_ERR(table)) {
6072 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6073 return PTR_ERR(table);
6076 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6078 if (IS_ERR(flowtable)) {
6079 err = PTR_ERR(flowtable);
6080 if (err != -ENOENT) {
6081 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6085 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6086 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6093 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6095 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6099 flowtable->table = table;
6100 flowtable->handle = nf_tables_alloc_handle(table);
6101 INIT_LIST_HEAD(&flowtable->hook_list);
6103 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6104 if (!flowtable->name) {
6109 type = nft_flowtable_type_get(net, family);
6111 err = PTR_ERR(type);
6115 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6116 flowtable->data.flags =
6117 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6118 if (flowtable->data.flags & ~NF_FLOWTABLE_HW_OFFLOAD)
6122 write_pnet(&flowtable->data.net, net);
6123 flowtable->data.type = type;
6124 err = type->init(&flowtable->data);
6128 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6133 err = nft_register_flowtable_net_hooks(ctx.net, table, flowtable);
6137 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6141 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6146 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6147 nft_unregister_flowtable_hook(net, flowtable, hook);
6148 list_del_rcu(&hook->list);
6149 kfree_rcu(hook, rcu);
6152 flowtable->data.type->free(&flowtable->data);
6154 module_put(type->owner);
6156 kfree(flowtable->name);
6162 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6163 struct sk_buff *skb,
6164 const struct nlmsghdr *nlh,
6165 const struct nlattr * const nla[],
6166 struct netlink_ext_ack *extack)
6168 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6169 u8 genmask = nft_genmask_next(net);
6170 int family = nfmsg->nfgen_family;
6171 struct nft_flowtable *flowtable;
6172 const struct nlattr *attr;
6173 struct nft_table *table;
6176 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6177 (!nla[NFTA_FLOWTABLE_NAME] &&
6178 !nla[NFTA_FLOWTABLE_HANDLE]))
6181 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6183 if (IS_ERR(table)) {
6184 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6185 return PTR_ERR(table);
6188 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6189 attr = nla[NFTA_FLOWTABLE_HANDLE];
6190 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6192 attr = nla[NFTA_FLOWTABLE_NAME];
6193 flowtable = nft_flowtable_lookup(table, attr, genmask);
6196 if (IS_ERR(flowtable)) {
6197 NL_SET_BAD_ATTR(extack, attr);
6198 return PTR_ERR(flowtable);
6200 if (flowtable->use > 0) {
6201 NL_SET_BAD_ATTR(extack, attr);
6205 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6207 return nft_delflowtable(&ctx, flowtable);
6210 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6211 u32 portid, u32 seq, int event,
6212 u32 flags, int family,
6213 struct nft_flowtable *flowtable)
6215 struct nlattr *nest, *nest_devs;
6216 struct nfgenmsg *nfmsg;
6217 struct nft_hook *hook;
6218 struct nlmsghdr *nlh;
6220 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6221 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6223 goto nla_put_failure;
6225 nfmsg = nlmsg_data(nlh);
6226 nfmsg->nfgen_family = family;
6227 nfmsg->version = NFNETLINK_V0;
6228 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6230 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6231 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6232 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6233 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6234 NFTA_FLOWTABLE_PAD) ||
6235 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6236 goto nla_put_failure;
6238 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6240 goto nla_put_failure;
6241 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6242 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6243 goto nla_put_failure;
6245 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6247 goto nla_put_failure;
6249 list_for_each_entry_rcu(hook, &flowtable->hook_list, list) {
6250 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6251 goto nla_put_failure;
6253 nla_nest_end(skb, nest_devs);
6254 nla_nest_end(skb, nest);
6256 nlmsg_end(skb, nlh);
6260 nlmsg_trim(skb, nlh);
6264 struct nft_flowtable_filter {
6268 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6269 struct netlink_callback *cb)
6271 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6272 struct nft_flowtable_filter *filter = cb->data;
6273 unsigned int idx = 0, s_idx = cb->args[0];
6274 struct net *net = sock_net(skb->sk);
6275 int family = nfmsg->nfgen_family;
6276 struct nft_flowtable *flowtable;
6277 const struct nft_table *table;
6280 cb->seq = net->nft.base_seq;
6282 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6283 if (family != NFPROTO_UNSPEC && family != table->family)
6286 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6287 if (!nft_is_active(net, flowtable))
6292 memset(&cb->args[1], 0,
6293 sizeof(cb->args) - sizeof(cb->args[0]));
6294 if (filter && filter->table &&
6295 strcmp(filter->table, table->name))
6298 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6300 NFT_MSG_NEWFLOWTABLE,
6301 NLM_F_MULTI | NLM_F_APPEND,
6302 table->family, flowtable) < 0)
6305 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6317 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6319 const struct nlattr * const *nla = cb->data;
6320 struct nft_flowtable_filter *filter = NULL;
6322 if (nla[NFTA_FLOWTABLE_TABLE]) {
6323 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6327 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6329 if (!filter->table) {
6339 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6341 struct nft_flowtable_filter *filter = cb->data;
6346 kfree(filter->table);
6352 /* called with rcu_read_lock held */
6353 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6354 struct sk_buff *skb,
6355 const struct nlmsghdr *nlh,
6356 const struct nlattr * const nla[],
6357 struct netlink_ext_ack *extack)
6359 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6360 u8 genmask = nft_genmask_cur(net);
6361 int family = nfmsg->nfgen_family;
6362 struct nft_flowtable *flowtable;
6363 const struct nft_table *table;
6364 struct sk_buff *skb2;
6367 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6368 struct netlink_dump_control c = {
6369 .start = nf_tables_dump_flowtable_start,
6370 .dump = nf_tables_dump_flowtable,
6371 .done = nf_tables_dump_flowtable_done,
6372 .module = THIS_MODULE,
6373 .data = (void *)nla,
6376 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6379 if (!nla[NFTA_FLOWTABLE_NAME])
6382 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6385 return PTR_ERR(table);
6387 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6389 if (IS_ERR(flowtable))
6390 return PTR_ERR(flowtable);
6392 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6396 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6398 NFT_MSG_NEWFLOWTABLE, 0, family,
6403 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6409 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6410 struct nft_flowtable *flowtable,
6413 struct sk_buff *skb;
6417 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6420 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6424 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6426 ctx->family, flowtable);
6432 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6433 ctx->report, GFP_KERNEL);
6436 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6439 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6441 struct nft_hook *hook, *next;
6443 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6444 list_del_rcu(&hook->list);
6447 kfree(flowtable->name);
6448 flowtable->data.type->free(&flowtable->data);
6449 module_put(flowtable->data.type->owner);
6453 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6454 u32 portid, u32 seq)
6456 struct nlmsghdr *nlh;
6457 struct nfgenmsg *nfmsg;
6458 char buf[TASK_COMM_LEN];
6459 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6461 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6463 goto nla_put_failure;
6465 nfmsg = nlmsg_data(nlh);
6466 nfmsg->nfgen_family = AF_UNSPEC;
6467 nfmsg->version = NFNETLINK_V0;
6468 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6470 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6471 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6472 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6473 goto nla_put_failure;
6475 nlmsg_end(skb, nlh);
6479 nlmsg_trim(skb, nlh);
6483 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6484 struct nft_flowtable *flowtable)
6486 struct nft_hook *hook;
6488 list_for_each_entry(hook, &flowtable->hook_list, list) {
6489 if (hook->ops.dev != dev)
6492 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
6493 list_del_rcu(&hook->list);
6494 kfree_rcu(hook, rcu);
6499 static int nf_tables_flowtable_event(struct notifier_block *this,
6500 unsigned long event, void *ptr)
6502 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6503 struct nft_flowtable *flowtable;
6504 struct nft_table *table;
6507 if (event != NETDEV_UNREGISTER)
6511 mutex_lock(&net->nft.commit_mutex);
6512 list_for_each_entry(table, &net->nft.tables, list) {
6513 list_for_each_entry(flowtable, &table->flowtables, list) {
6514 nft_flowtable_event(event, dev, flowtable);
6517 mutex_unlock(&net->nft.commit_mutex);
6522 static struct notifier_block nf_tables_flowtable_notifier = {
6523 .notifier_call = nf_tables_flowtable_event,
6526 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6529 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6530 struct sk_buff *skb2;
6533 if (nlmsg_report(nlh) &&
6534 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6537 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6541 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6548 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6549 nlmsg_report(nlh), GFP_KERNEL);
6552 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6556 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6557 struct sk_buff *skb, const struct nlmsghdr *nlh,
6558 const struct nlattr * const nla[],
6559 struct netlink_ext_ack *extack)
6561 struct sk_buff *skb2;
6564 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6568 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6573 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6579 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6580 [NFT_MSG_NEWTABLE] = {
6581 .call_batch = nf_tables_newtable,
6582 .attr_count = NFTA_TABLE_MAX,
6583 .policy = nft_table_policy,
6585 [NFT_MSG_GETTABLE] = {
6586 .call_rcu = nf_tables_gettable,
6587 .attr_count = NFTA_TABLE_MAX,
6588 .policy = nft_table_policy,
6590 [NFT_MSG_DELTABLE] = {
6591 .call_batch = nf_tables_deltable,
6592 .attr_count = NFTA_TABLE_MAX,
6593 .policy = nft_table_policy,
6595 [NFT_MSG_NEWCHAIN] = {
6596 .call_batch = nf_tables_newchain,
6597 .attr_count = NFTA_CHAIN_MAX,
6598 .policy = nft_chain_policy,
6600 [NFT_MSG_GETCHAIN] = {
6601 .call_rcu = nf_tables_getchain,
6602 .attr_count = NFTA_CHAIN_MAX,
6603 .policy = nft_chain_policy,
6605 [NFT_MSG_DELCHAIN] = {
6606 .call_batch = nf_tables_delchain,
6607 .attr_count = NFTA_CHAIN_MAX,
6608 .policy = nft_chain_policy,
6610 [NFT_MSG_NEWRULE] = {
6611 .call_batch = nf_tables_newrule,
6612 .attr_count = NFTA_RULE_MAX,
6613 .policy = nft_rule_policy,
6615 [NFT_MSG_GETRULE] = {
6616 .call_rcu = nf_tables_getrule,
6617 .attr_count = NFTA_RULE_MAX,
6618 .policy = nft_rule_policy,
6620 [NFT_MSG_DELRULE] = {
6621 .call_batch = nf_tables_delrule,
6622 .attr_count = NFTA_RULE_MAX,
6623 .policy = nft_rule_policy,
6625 [NFT_MSG_NEWSET] = {
6626 .call_batch = nf_tables_newset,
6627 .attr_count = NFTA_SET_MAX,
6628 .policy = nft_set_policy,
6630 [NFT_MSG_GETSET] = {
6631 .call_rcu = nf_tables_getset,
6632 .attr_count = NFTA_SET_MAX,
6633 .policy = nft_set_policy,
6635 [NFT_MSG_DELSET] = {
6636 .call_batch = nf_tables_delset,
6637 .attr_count = NFTA_SET_MAX,
6638 .policy = nft_set_policy,
6640 [NFT_MSG_NEWSETELEM] = {
6641 .call_batch = nf_tables_newsetelem,
6642 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6643 .policy = nft_set_elem_list_policy,
6645 [NFT_MSG_GETSETELEM] = {
6646 .call_rcu = nf_tables_getsetelem,
6647 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6648 .policy = nft_set_elem_list_policy,
6650 [NFT_MSG_DELSETELEM] = {
6651 .call_batch = nf_tables_delsetelem,
6652 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6653 .policy = nft_set_elem_list_policy,
6655 [NFT_MSG_GETGEN] = {
6656 .call_rcu = nf_tables_getgen,
6658 [NFT_MSG_NEWOBJ] = {
6659 .call_batch = nf_tables_newobj,
6660 .attr_count = NFTA_OBJ_MAX,
6661 .policy = nft_obj_policy,
6663 [NFT_MSG_GETOBJ] = {
6664 .call_rcu = nf_tables_getobj,
6665 .attr_count = NFTA_OBJ_MAX,
6666 .policy = nft_obj_policy,
6668 [NFT_MSG_DELOBJ] = {
6669 .call_batch = nf_tables_delobj,
6670 .attr_count = NFTA_OBJ_MAX,
6671 .policy = nft_obj_policy,
6673 [NFT_MSG_GETOBJ_RESET] = {
6674 .call_rcu = nf_tables_getobj,
6675 .attr_count = NFTA_OBJ_MAX,
6676 .policy = nft_obj_policy,
6678 [NFT_MSG_NEWFLOWTABLE] = {
6679 .call_batch = nf_tables_newflowtable,
6680 .attr_count = NFTA_FLOWTABLE_MAX,
6681 .policy = nft_flowtable_policy,
6683 [NFT_MSG_GETFLOWTABLE] = {
6684 .call_rcu = nf_tables_getflowtable,
6685 .attr_count = NFTA_FLOWTABLE_MAX,
6686 .policy = nft_flowtable_policy,
6688 [NFT_MSG_DELFLOWTABLE] = {
6689 .call_batch = nf_tables_delflowtable,
6690 .attr_count = NFTA_FLOWTABLE_MAX,
6691 .policy = nft_flowtable_policy,
6695 static int nf_tables_validate(struct net *net)
6697 struct nft_table *table;
6699 switch (net->nft.validate_state) {
6700 case NFT_VALIDATE_SKIP:
6702 case NFT_VALIDATE_NEED:
6703 nft_validate_state_update(net, NFT_VALIDATE_DO);
6705 case NFT_VALIDATE_DO:
6706 list_for_each_entry(table, &net->nft.tables, list) {
6707 if (nft_table_validate(net, table) < 0)
6716 /* a drop policy has to be deferred until all rules have been activated,
6717 * otherwise a large ruleset that contains a drop-policy base chain will
6718 * cause all packets to get dropped until the full transaction has been
6721 * We defer the drop policy until the transaction has been finalized.
6723 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6725 struct nft_base_chain *basechain;
6727 if (nft_trans_chain_policy(trans) != NF_DROP)
6730 if (!nft_is_base_chain(trans->ctx.chain))
6733 basechain = nft_base_chain(trans->ctx.chain);
6734 basechain->policy = NF_DROP;
6737 static void nft_chain_commit_update(struct nft_trans *trans)
6739 struct nft_base_chain *basechain;
6741 if (nft_trans_chain_name(trans)) {
6742 rhltable_remove(&trans->ctx.table->chains_ht,
6743 &trans->ctx.chain->rhlhead,
6744 nft_chain_ht_params);
6745 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6746 rhltable_insert_key(&trans->ctx.table->chains_ht,
6747 trans->ctx.chain->name,
6748 &trans->ctx.chain->rhlhead,
6749 nft_chain_ht_params);
6752 if (!nft_is_base_chain(trans->ctx.chain))
6755 nft_chain_stats_replace(trans);
6757 basechain = nft_base_chain(trans->ctx.chain);
6759 switch (nft_trans_chain_policy(trans)) {
6762 basechain->policy = nft_trans_chain_policy(trans);
6767 static void nft_obj_commit_update(struct nft_trans *trans)
6769 struct nft_object *newobj;
6770 struct nft_object *obj;
6772 obj = nft_trans_obj(trans);
6773 newobj = nft_trans_obj_newobj(trans);
6775 if (obj->ops->update)
6776 obj->ops->update(obj, newobj);
6781 static void nft_commit_release(struct nft_trans *trans)
6783 switch (trans->msg_type) {
6784 case NFT_MSG_DELTABLE:
6785 nf_tables_table_destroy(&trans->ctx);
6787 case NFT_MSG_NEWCHAIN:
6788 free_percpu(nft_trans_chain_stats(trans));
6789 kfree(nft_trans_chain_name(trans));
6791 case NFT_MSG_DELCHAIN:
6792 nf_tables_chain_destroy(&trans->ctx);
6794 case NFT_MSG_DELRULE:
6795 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6797 case NFT_MSG_DELSET:
6798 nft_set_destroy(nft_trans_set(trans));
6800 case NFT_MSG_DELSETELEM:
6801 nf_tables_set_elem_destroy(&trans->ctx,
6802 nft_trans_elem_set(trans),
6803 nft_trans_elem(trans).priv);
6805 case NFT_MSG_DELOBJ:
6806 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6808 case NFT_MSG_DELFLOWTABLE:
6809 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6814 put_net(trans->ctx.net);
6819 static void nf_tables_trans_destroy_work(struct work_struct *w)
6821 struct nft_trans *trans, *next;
6824 spin_lock(&nf_tables_destroy_list_lock);
6825 list_splice_init(&nf_tables_destroy_list, &head);
6826 spin_unlock(&nf_tables_destroy_list_lock);
6828 if (list_empty(&head))
6833 list_for_each_entry_safe(trans, next, &head, list) {
6834 list_del(&trans->list);
6835 nft_commit_release(trans);
6839 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6841 struct nft_rule *rule;
6842 unsigned int alloc = 0;
6845 /* already handled or inactive chain? */
6846 if (chain->rules_next || !nft_is_active_next(net, chain))
6849 rule = list_entry(&chain->rules, struct nft_rule, list);
6852 list_for_each_entry_continue(rule, &chain->rules, list) {
6853 if (nft_is_active_next(net, rule))
6857 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6858 if (!chain->rules_next)
6861 list_for_each_entry_continue(rule, &chain->rules, list) {
6862 if (nft_is_active_next(net, rule))
6863 chain->rules_next[i++] = rule;
6866 chain->rules_next[i] = NULL;
6870 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6872 struct nft_trans *trans, *next;
6874 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6875 struct nft_chain *chain = trans->ctx.chain;
6877 if (trans->msg_type == NFT_MSG_NEWRULE ||
6878 trans->msg_type == NFT_MSG_DELRULE) {
6879 kvfree(chain->rules_next);
6880 chain->rules_next = NULL;
6885 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6887 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6892 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6894 struct nft_rule **r = rules;
6895 struct nft_rules_old *old;
6900 r++; /* rcu_head is after end marker */
6904 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6907 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6909 struct nft_rule **g0, **g1;
6912 next_genbit = nft_gencursor_next(net);
6914 g0 = rcu_dereference_protected(chain->rules_gen_0,
6915 lockdep_commit_lock_is_held(net));
6916 g1 = rcu_dereference_protected(chain->rules_gen_1,
6917 lockdep_commit_lock_is_held(net));
6919 /* No changes to this chain? */
6920 if (chain->rules_next == NULL) {
6921 /* chain had no change in last or next generation */
6925 * chain had no change in this generation; make sure next
6926 * one uses same rules as current generation.
6929 rcu_assign_pointer(chain->rules_gen_1, g0);
6930 nf_tables_commit_chain_free_rules_old(g1);
6932 rcu_assign_pointer(chain->rules_gen_0, g1);
6933 nf_tables_commit_chain_free_rules_old(g0);
6940 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6942 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6944 chain->rules_next = NULL;
6950 nf_tables_commit_chain_free_rules_old(g1);
6952 nf_tables_commit_chain_free_rules_old(g0);
6955 static void nft_obj_del(struct nft_object *obj)
6957 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6958 list_del_rcu(&obj->list);
6961 static void nft_chain_del(struct nft_chain *chain)
6963 struct nft_table *table = chain->table;
6965 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6966 nft_chain_ht_params));
6967 list_del_rcu(&chain->list);
6970 static void nf_tables_commit_release(struct net *net)
6972 struct nft_trans *trans;
6974 /* all side effects have to be made visible.
6975 * For example, if a chain named 'foo' has been deleted, a
6976 * new transaction must not find it anymore.
6978 * Memory reclaim happens asynchronously from work queue
6979 * to prevent expensive synchronize_rcu() in commit phase.
6981 if (list_empty(&net->nft.commit_list)) {
6982 mutex_unlock(&net->nft.commit_mutex);
6986 trans = list_last_entry(&net->nft.commit_list,
6987 struct nft_trans, list);
6988 get_net(trans->ctx.net);
6989 WARN_ON_ONCE(trans->put_net);
6991 trans->put_net = true;
6992 spin_lock(&nf_tables_destroy_list_lock);
6993 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6994 spin_unlock(&nf_tables_destroy_list_lock);
6996 mutex_unlock(&net->nft.commit_mutex);
6998 schedule_work(&trans_destroy_work);
7001 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7003 struct nft_trans *trans, *next;
7004 struct nft_trans_elem *te;
7005 struct nft_chain *chain;
7006 struct nft_table *table;
7009 if (list_empty(&net->nft.commit_list)) {
7010 mutex_unlock(&net->nft.commit_mutex);
7014 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7015 if (nf_tables_validate(net) < 0)
7018 err = nft_flow_rule_offload_commit(net);
7022 /* 1. Allocate space for next generation rules_gen_X[] */
7023 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7026 if (trans->msg_type == NFT_MSG_NEWRULE ||
7027 trans->msg_type == NFT_MSG_DELRULE) {
7028 chain = trans->ctx.chain;
7030 ret = nf_tables_commit_chain_prepare(net, chain);
7032 nf_tables_commit_chain_prepare_cancel(net);
7038 /* step 2. Make rules_gen_X visible to packet path */
7039 list_for_each_entry(table, &net->nft.tables, list) {
7040 list_for_each_entry(chain, &table->chains, list)
7041 nf_tables_commit_chain(net, chain);
7045 * Bump generation counter, invalidate any dump in progress.
7046 * Cannot fail after this point.
7048 while (++net->nft.base_seq == 0);
7050 /* step 3. Start new generation, rules_gen_X now in use. */
7051 net->nft.gencursor = nft_gencursor_next(net);
7053 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7054 switch (trans->msg_type) {
7055 case NFT_MSG_NEWTABLE:
7056 if (nft_trans_table_update(trans)) {
7057 if (!nft_trans_table_enable(trans)) {
7058 nf_tables_table_disable(net,
7060 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7063 nft_clear(net, trans->ctx.table);
7065 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7066 nft_trans_destroy(trans);
7068 case NFT_MSG_DELTABLE:
7069 list_del_rcu(&trans->ctx.table->list);
7070 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7072 case NFT_MSG_NEWCHAIN:
7073 if (nft_trans_chain_update(trans)) {
7074 nft_chain_commit_update(trans);
7075 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7076 /* trans destroyed after rcu grace period */
7078 nft_chain_commit_drop_policy(trans);
7079 nft_clear(net, trans->ctx.chain);
7080 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7081 nft_trans_destroy(trans);
7084 case NFT_MSG_DELCHAIN:
7085 nft_chain_del(trans->ctx.chain);
7086 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7087 nf_tables_unregister_hook(trans->ctx.net,
7091 case NFT_MSG_NEWRULE:
7092 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7093 nf_tables_rule_notify(&trans->ctx,
7094 nft_trans_rule(trans),
7096 nft_trans_destroy(trans);
7098 case NFT_MSG_DELRULE:
7099 list_del_rcu(&nft_trans_rule(trans)->list);
7100 nf_tables_rule_notify(&trans->ctx,
7101 nft_trans_rule(trans),
7103 nft_rule_expr_deactivate(&trans->ctx,
7104 nft_trans_rule(trans),
7107 case NFT_MSG_NEWSET:
7108 nft_clear(net, nft_trans_set(trans));
7109 /* This avoids hitting -EBUSY when deleting the table
7110 * from the transaction.
7112 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7113 !list_empty(&nft_trans_set(trans)->bindings))
7114 trans->ctx.table->use--;
7116 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7117 NFT_MSG_NEWSET, GFP_KERNEL);
7118 nft_trans_destroy(trans);
7120 case NFT_MSG_DELSET:
7121 list_del_rcu(&nft_trans_set(trans)->list);
7122 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7123 NFT_MSG_DELSET, GFP_KERNEL);
7125 case NFT_MSG_NEWSETELEM:
7126 te = (struct nft_trans_elem *)trans->data;
7128 te->set->ops->activate(net, te->set, &te->elem);
7129 nf_tables_setelem_notify(&trans->ctx, te->set,
7131 NFT_MSG_NEWSETELEM, 0);
7132 nft_trans_destroy(trans);
7134 case NFT_MSG_DELSETELEM:
7135 te = (struct nft_trans_elem *)trans->data;
7137 nf_tables_setelem_notify(&trans->ctx, te->set,
7139 NFT_MSG_DELSETELEM, 0);
7140 te->set->ops->remove(net, te->set, &te->elem);
7141 atomic_dec(&te->set->nelems);
7144 case NFT_MSG_NEWOBJ:
7145 if (nft_trans_obj_update(trans)) {
7146 nft_obj_commit_update(trans);
7147 nf_tables_obj_notify(&trans->ctx,
7148 nft_trans_obj(trans),
7151 nft_clear(net, nft_trans_obj(trans));
7152 nf_tables_obj_notify(&trans->ctx,
7153 nft_trans_obj(trans),
7155 nft_trans_destroy(trans);
7158 case NFT_MSG_DELOBJ:
7159 nft_obj_del(nft_trans_obj(trans));
7160 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7163 case NFT_MSG_NEWFLOWTABLE:
7164 nft_clear(net, nft_trans_flowtable(trans));
7165 nf_tables_flowtable_notify(&trans->ctx,
7166 nft_trans_flowtable(trans),
7167 NFT_MSG_NEWFLOWTABLE);
7168 nft_trans_destroy(trans);
7170 case NFT_MSG_DELFLOWTABLE:
7171 list_del_rcu(&nft_trans_flowtable(trans)->list);
7172 nf_tables_flowtable_notify(&trans->ctx,
7173 nft_trans_flowtable(trans),
7174 NFT_MSG_DELFLOWTABLE);
7175 nft_unregister_flowtable_net_hooks(net,
7176 nft_trans_flowtable(trans));
7181 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7182 nf_tables_commit_release(net);
7187 static void nf_tables_abort_release(struct nft_trans *trans)
7189 switch (trans->msg_type) {
7190 case NFT_MSG_NEWTABLE:
7191 nf_tables_table_destroy(&trans->ctx);
7193 case NFT_MSG_NEWCHAIN:
7194 nf_tables_chain_destroy(&trans->ctx);
7196 case NFT_MSG_NEWRULE:
7197 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7199 case NFT_MSG_NEWSET:
7200 nft_set_destroy(nft_trans_set(trans));
7202 case NFT_MSG_NEWSETELEM:
7203 nft_set_elem_destroy(nft_trans_elem_set(trans),
7204 nft_trans_elem(trans).priv, true);
7206 case NFT_MSG_NEWOBJ:
7207 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7209 case NFT_MSG_NEWFLOWTABLE:
7210 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7216 static int __nf_tables_abort(struct net *net)
7218 struct nft_trans *trans, *next;
7219 struct nft_trans_elem *te;
7221 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7223 switch (trans->msg_type) {
7224 case NFT_MSG_NEWTABLE:
7225 if (nft_trans_table_update(trans)) {
7226 if (nft_trans_table_enable(trans)) {
7227 nf_tables_table_disable(net,
7229 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7231 nft_trans_destroy(trans);
7233 list_del_rcu(&trans->ctx.table->list);
7236 case NFT_MSG_DELTABLE:
7237 nft_clear(trans->ctx.net, trans->ctx.table);
7238 nft_trans_destroy(trans);
7240 case NFT_MSG_NEWCHAIN:
7241 if (nft_trans_chain_update(trans)) {
7242 free_percpu(nft_trans_chain_stats(trans));
7243 kfree(nft_trans_chain_name(trans));
7244 nft_trans_destroy(trans);
7246 trans->ctx.table->use--;
7247 nft_chain_del(trans->ctx.chain);
7248 nf_tables_unregister_hook(trans->ctx.net,
7253 case NFT_MSG_DELCHAIN:
7254 trans->ctx.table->use++;
7255 nft_clear(trans->ctx.net, trans->ctx.chain);
7256 nft_trans_destroy(trans);
7258 case NFT_MSG_NEWRULE:
7259 trans->ctx.chain->use--;
7260 list_del_rcu(&nft_trans_rule(trans)->list);
7261 nft_rule_expr_deactivate(&trans->ctx,
7262 nft_trans_rule(trans),
7265 case NFT_MSG_DELRULE:
7266 trans->ctx.chain->use++;
7267 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7268 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7269 nft_trans_destroy(trans);
7271 case NFT_MSG_NEWSET:
7272 trans->ctx.table->use--;
7273 if (nft_trans_set_bound(trans)) {
7274 nft_trans_destroy(trans);
7277 list_del_rcu(&nft_trans_set(trans)->list);
7279 case NFT_MSG_DELSET:
7280 trans->ctx.table->use++;
7281 nft_clear(trans->ctx.net, nft_trans_set(trans));
7282 nft_trans_destroy(trans);
7284 case NFT_MSG_NEWSETELEM:
7285 if (nft_trans_elem_set_bound(trans)) {
7286 nft_trans_destroy(trans);
7289 te = (struct nft_trans_elem *)trans->data;
7290 te->set->ops->remove(net, te->set, &te->elem);
7291 atomic_dec(&te->set->nelems);
7293 case NFT_MSG_DELSETELEM:
7294 te = (struct nft_trans_elem *)trans->data;
7296 nft_set_elem_activate(net, te->set, &te->elem);
7297 te->set->ops->activate(net, te->set, &te->elem);
7300 nft_trans_destroy(trans);
7302 case NFT_MSG_NEWOBJ:
7303 if (nft_trans_obj_update(trans)) {
7304 kfree(nft_trans_obj_newobj(trans));
7305 nft_trans_destroy(trans);
7307 trans->ctx.table->use--;
7308 nft_obj_del(nft_trans_obj(trans));
7311 case NFT_MSG_DELOBJ:
7312 trans->ctx.table->use++;
7313 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7314 nft_trans_destroy(trans);
7316 case NFT_MSG_NEWFLOWTABLE:
7317 trans->ctx.table->use--;
7318 list_del_rcu(&nft_trans_flowtable(trans)->list);
7319 nft_unregister_flowtable_net_hooks(net,
7320 nft_trans_flowtable(trans));
7322 case NFT_MSG_DELFLOWTABLE:
7323 trans->ctx.table->use++;
7324 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7325 nft_trans_destroy(trans);
7332 list_for_each_entry_safe_reverse(trans, next,
7333 &net->nft.commit_list, list) {
7334 list_del(&trans->list);
7335 nf_tables_abort_release(trans);
7341 static void nf_tables_cleanup(struct net *net)
7343 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7346 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
7348 int ret = __nf_tables_abort(net);
7350 mutex_unlock(&net->nft.commit_mutex);
7355 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7359 mutex_lock(&net->nft.commit_mutex);
7361 genid_ok = genid == 0 || net->nft.base_seq == genid;
7363 mutex_unlock(&net->nft.commit_mutex);
7365 /* else, commit mutex has to be released by commit or abort function */
7369 static const struct nfnetlink_subsystem nf_tables_subsys = {
7370 .name = "nf_tables",
7371 .subsys_id = NFNL_SUBSYS_NFTABLES,
7372 .cb_count = NFT_MSG_MAX,
7374 .commit = nf_tables_commit,
7375 .abort = nf_tables_abort,
7376 .cleanup = nf_tables_cleanup,
7377 .valid_genid = nf_tables_valid_genid,
7378 .owner = THIS_MODULE,
7381 int nft_chain_validate_dependency(const struct nft_chain *chain,
7382 enum nft_chain_types type)
7384 const struct nft_base_chain *basechain;
7386 if (nft_is_base_chain(chain)) {
7387 basechain = nft_base_chain(chain);
7388 if (basechain->type->type != type)
7393 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7395 int nft_chain_validate_hooks(const struct nft_chain *chain,
7396 unsigned int hook_flags)
7398 struct nft_base_chain *basechain;
7400 if (nft_is_base_chain(chain)) {
7401 basechain = nft_base_chain(chain);
7403 if ((1 << basechain->ops.hooknum) & hook_flags)
7411 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7414 * Loop detection - walk through the ruleset beginning at the destination chain
7415 * of a new jump until either the source chain is reached (loop) or all
7416 * reachable chains have been traversed.
7418 * The loop check is performed whenever a new jump verdict is added to an
7419 * expression or verdict map or a verdict map is bound to a new chain.
7422 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7423 const struct nft_chain *chain);
7425 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7426 struct nft_set *set,
7427 const struct nft_set_iter *iter,
7428 struct nft_set_elem *elem)
7430 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7431 const struct nft_data *data;
7433 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7434 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7437 data = nft_set_ext_data(ext);
7438 switch (data->verdict.code) {
7441 return nf_tables_check_loops(ctx, data->verdict.chain);
7447 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7448 const struct nft_chain *chain)
7450 const struct nft_rule *rule;
7451 const struct nft_expr *expr, *last;
7452 struct nft_set *set;
7453 struct nft_set_binding *binding;
7454 struct nft_set_iter iter;
7456 if (ctx->chain == chain)
7459 list_for_each_entry(rule, &chain->rules, list) {
7460 nft_rule_for_each_expr(expr, last, rule) {
7461 struct nft_immediate_expr *priv;
7462 const struct nft_data *data;
7465 if (strcmp(expr->ops->type->name, "immediate"))
7468 priv = nft_expr_priv(expr);
7469 if (priv->dreg != NFT_REG_VERDICT)
7473 switch (data->verdict.code) {
7476 err = nf_tables_check_loops(ctx,
7477 data->verdict.chain);
7486 list_for_each_entry(set, &ctx->table->sets, list) {
7487 if (!nft_is_active_next(ctx->net, set))
7489 if (!(set->flags & NFT_SET_MAP) ||
7490 set->dtype != NFT_DATA_VERDICT)
7493 list_for_each_entry(binding, &set->bindings, list) {
7494 if (!(binding->flags & NFT_SET_MAP) ||
7495 binding->chain != chain)
7498 iter.genmask = nft_genmask_next(ctx->net);
7502 iter.fn = nf_tables_loop_check_setelem;
7504 set->ops->walk(ctx, set, &iter);
7514 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7516 * @attr: netlink attribute to fetch value from
7517 * @max: maximum value to be stored in dest
7518 * @dest: pointer to the variable
7520 * Parse, check and store a given u32 netlink attribute into variable.
7521 * This function returns -ERANGE if the value goes over maximum value.
7522 * Otherwise a 0 is returned and the attribute value is stored in the
7523 * destination variable.
7525 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7529 val = ntohl(nla_get_be32(attr));
7536 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7539 * nft_parse_register - parse a register value from a netlink attribute
7541 * @attr: netlink attribute
7543 * Parse and translate a register value from a netlink attribute.
7544 * Registers used to be 128 bit wide, these register numbers will be
7545 * mapped to the corresponding 32 bit register numbers.
7547 unsigned int nft_parse_register(const struct nlattr *attr)
7551 reg = ntohl(nla_get_be32(attr));
7553 case NFT_REG_VERDICT...NFT_REG_4:
7554 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7556 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7559 EXPORT_SYMBOL_GPL(nft_parse_register);
7562 * nft_dump_register - dump a register value to a netlink attribute
7564 * @skb: socket buffer
7565 * @attr: attribute number
7566 * @reg: register number
7568 * Construct a netlink attribute containing the register number. For
7569 * compatibility reasons, register numbers being a multiple of 4 are
7570 * translated to the corresponding 128 bit register numbers.
7572 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7574 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7575 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7577 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7579 return nla_put_be32(skb, attr, htonl(reg));
7581 EXPORT_SYMBOL_GPL(nft_dump_register);
7584 * nft_validate_register_load - validate a load from a register
7586 * @reg: the register number
7587 * @len: the length of the data
7589 * Validate that the input register is one of the general purpose
7590 * registers and that the length of the load is within the bounds.
7592 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7594 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7598 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7603 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7606 * nft_validate_register_store - validate an expressions' register store
7608 * @ctx: context of the expression performing the load
7609 * @reg: the destination register number
7610 * @data: the data to load
7611 * @type: the data type
7612 * @len: the length of the data
7614 * Validate that a data load uses the appropriate data type for
7615 * the destination register and the length is within the bounds.
7616 * A value of NULL for the data means that its runtime gathered
7619 int nft_validate_register_store(const struct nft_ctx *ctx,
7620 enum nft_registers reg,
7621 const struct nft_data *data,
7622 enum nft_data_types type, unsigned int len)
7627 case NFT_REG_VERDICT:
7628 if (type != NFT_DATA_VERDICT)
7632 (data->verdict.code == NFT_GOTO ||
7633 data->verdict.code == NFT_JUMP)) {
7634 err = nf_tables_check_loops(ctx, data->verdict.chain);
7641 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7645 if (reg * NFT_REG32_SIZE + len >
7646 FIELD_SIZEOF(struct nft_regs, data))
7649 if (data != NULL && type != NFT_DATA_VALUE)
7654 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7656 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7657 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7658 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7659 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7662 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7663 struct nft_data_desc *desc, const struct nlattr *nla)
7665 u8 genmask = nft_genmask_next(ctx->net);
7666 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7667 struct nft_chain *chain;
7670 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7671 nft_verdict_policy, NULL);
7675 if (!tb[NFTA_VERDICT_CODE])
7677 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7679 switch (data->verdict.code) {
7681 switch (data->verdict.code & NF_VERDICT_MASK) {
7696 if (!tb[NFTA_VERDICT_CHAIN])
7698 chain = nft_chain_lookup(ctx->net, ctx->table,
7699 tb[NFTA_VERDICT_CHAIN], genmask);
7701 return PTR_ERR(chain);
7702 if (nft_is_base_chain(chain))
7706 data->verdict.chain = chain;
7710 desc->len = sizeof(data->verdict);
7711 desc->type = NFT_DATA_VERDICT;
7715 static void nft_verdict_uninit(const struct nft_data *data)
7717 switch (data->verdict.code) {
7720 data->verdict.chain->use--;
7725 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7727 struct nlattr *nest;
7729 nest = nla_nest_start_noflag(skb, type);
7731 goto nla_put_failure;
7733 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7734 goto nla_put_failure;
7739 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7741 goto nla_put_failure;
7743 nla_nest_end(skb, nest);
7750 static int nft_value_init(const struct nft_ctx *ctx,
7751 struct nft_data *data, unsigned int size,
7752 struct nft_data_desc *desc, const struct nlattr *nla)
7762 nla_memcpy(data->data, nla, len);
7763 desc->type = NFT_DATA_VALUE;
7768 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7771 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7774 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7775 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7776 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7780 * nft_data_init - parse nf_tables data netlink attributes
7782 * @ctx: context of the expression using the data
7783 * @data: destination struct nft_data
7784 * @size: maximum data length
7785 * @desc: data description
7786 * @nla: netlink attribute containing data
7788 * Parse the netlink data attributes and initialize a struct nft_data.
7789 * The type and length of data are returned in the data description.
7791 * The caller can indicate that it only wants to accept data of type
7792 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7794 int nft_data_init(const struct nft_ctx *ctx,
7795 struct nft_data *data, unsigned int size,
7796 struct nft_data_desc *desc, const struct nlattr *nla)
7798 struct nlattr *tb[NFTA_DATA_MAX + 1];
7801 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7802 nft_data_policy, NULL);
7806 if (tb[NFTA_DATA_VALUE])
7807 return nft_value_init(ctx, data, size, desc,
7808 tb[NFTA_DATA_VALUE]);
7809 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7810 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7813 EXPORT_SYMBOL_GPL(nft_data_init);
7816 * nft_data_release - release a nft_data item
7818 * @data: struct nft_data to release
7819 * @type: type of data
7821 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7822 * all others need to be released by calling this function.
7824 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7826 if (type < NFT_DATA_VERDICT)
7829 case NFT_DATA_VERDICT:
7830 return nft_verdict_uninit(data);
7835 EXPORT_SYMBOL_GPL(nft_data_release);
7837 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7838 enum nft_data_types type, unsigned int len)
7840 struct nlattr *nest;
7843 nest = nla_nest_start_noflag(skb, attr);
7848 case NFT_DATA_VALUE:
7849 err = nft_value_dump(skb, data, len);
7851 case NFT_DATA_VERDICT:
7852 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7859 nla_nest_end(skb, nest);
7862 EXPORT_SYMBOL_GPL(nft_data_dump);
7864 int __nft_release_basechain(struct nft_ctx *ctx)
7866 struct nft_rule *rule, *nr;
7868 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7871 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7872 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7873 list_del(&rule->list);
7875 nf_tables_rule_release(ctx, rule);
7877 nft_chain_del(ctx->chain);
7879 nf_tables_chain_destroy(ctx);
7883 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7885 static void __nft_release_tables(struct net *net)
7887 struct nft_flowtable *flowtable, *nf;
7888 struct nft_table *table, *nt;
7889 struct nft_chain *chain, *nc;
7890 struct nft_object *obj, *ne;
7891 struct nft_rule *rule, *nr;
7892 struct nft_set *set, *ns;
7893 struct nft_ctx ctx = {
7895 .family = NFPROTO_NETDEV,
7898 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7899 ctx.family = table->family;
7901 list_for_each_entry(chain, &table->chains, list)
7902 nf_tables_unregister_hook(net, table, chain);
7903 /* No packets are walking on these chains anymore. */
7905 list_for_each_entry(chain, &table->chains, list) {
7907 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7908 list_del(&rule->list);
7910 nf_tables_rule_release(&ctx, rule);
7913 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7914 list_del(&flowtable->list);
7916 nf_tables_flowtable_destroy(flowtable);
7918 list_for_each_entry_safe(set, ns, &table->sets, list) {
7919 list_del(&set->list);
7921 nft_set_destroy(set);
7923 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7926 nft_obj_destroy(&ctx, obj);
7928 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7930 nft_chain_del(chain);
7932 nf_tables_chain_destroy(&ctx);
7934 list_del(&table->list);
7935 nf_tables_table_destroy(&ctx);
7939 static int __net_init nf_tables_init_net(struct net *net)
7941 INIT_LIST_HEAD(&net->nft.tables);
7942 INIT_LIST_HEAD(&net->nft.commit_list);
7943 mutex_init(&net->nft.commit_mutex);
7944 net->nft.base_seq = 1;
7945 net->nft.validate_state = NFT_VALIDATE_SKIP;
7950 static void __net_exit nf_tables_exit_net(struct net *net)
7952 mutex_lock(&net->nft.commit_mutex);
7953 if (!list_empty(&net->nft.commit_list))
7954 __nf_tables_abort(net);
7955 __nft_release_tables(net);
7956 mutex_unlock(&net->nft.commit_mutex);
7957 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7960 static struct pernet_operations nf_tables_net_ops = {
7961 .init = nf_tables_init_net,
7962 .exit = nf_tables_exit_net,
7965 static int __init nf_tables_module_init(void)
7969 spin_lock_init(&nf_tables_destroy_list_lock);
7970 err = register_pernet_subsys(&nf_tables_net_ops);
7974 err = nft_chain_filter_init();
7978 err = nf_tables_core_module_init();
7982 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7986 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7990 err = nft_offload_init();
7995 err = nfnetlink_subsys_register(&nf_tables_subsys);
7999 nft_chain_route_init();
8005 rhltable_destroy(&nft_objname_ht);
8007 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8009 nf_tables_core_module_exit();
8011 nft_chain_filter_fini();
8013 unregister_pernet_subsys(&nf_tables_net_ops);
8017 static void __exit nf_tables_module_exit(void)
8019 nfnetlink_subsys_unregister(&nf_tables_subsys);
8021 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8022 nft_chain_filter_fini();
8023 nft_chain_route_fini();
8024 unregister_pernet_subsys(&nf_tables_net_ops);
8025 cancel_work_sync(&trans_destroy_work);
8027 rhltable_destroy(&nft_objname_ht);
8028 nf_tables_core_module_exit();
8031 module_init(nf_tables_module_init);
8032 module_exit(nf_tables_module_exit);
8034 MODULE_LICENSE("GPL");
8035 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8036 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);