1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
27 static LIST_HEAD(nf_tables_flowtables);
28 static LIST_HEAD(nf_tables_destroy_list);
29 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
30 static u64 table_handle;
33 NFT_VALIDATE_SKIP = 0,
38 static struct rhltable nft_objname_ht;
40 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
41 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
42 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
44 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static const struct rhashtable_params nft_chain_ht_params = {
49 .head_offset = offsetof(struct nft_chain, rhlhead),
50 .key_offset = offsetof(struct nft_chain, name),
51 .hashfn = nft_chain_hash,
52 .obj_hashfn = nft_chain_hash_obj,
53 .obj_cmpfn = nft_chain_hash_cmp,
54 .automatic_shrinking = true,
57 static const struct rhashtable_params nft_objname_ht_params = {
58 .head_offset = offsetof(struct nft_object, rhlhead),
59 .key_offset = offsetof(struct nft_object, key),
60 .hashfn = nft_objname_hash,
61 .obj_hashfn = nft_objname_hash_obj,
62 .obj_cmpfn = nft_objname_hash_cmp,
63 .automatic_shrinking = true,
66 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
68 switch (net->nft.validate_state) {
69 case NFT_VALIDATE_SKIP:
70 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
72 case NFT_VALIDATE_NEED:
75 if (new_validate_state == NFT_VALIDATE_NEED)
79 net->nft.validate_state = new_validate_state;
81 static void nf_tables_trans_destroy_work(struct work_struct *w);
82 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
84 static void nft_ctx_init(struct nft_ctx *ctx,
86 const struct sk_buff *skb,
87 const struct nlmsghdr *nlh,
89 struct nft_table *table,
90 struct nft_chain *chain,
91 const struct nlattr * const *nla)
99 ctx->portid = NETLINK_CB(skb).portid;
100 ctx->report = nlmsg_report(nlh);
101 ctx->flags = nlh->nlmsg_flags;
102 ctx->seq = nlh->nlmsg_seq;
105 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
106 int msg_type, u32 size, gfp_t gfp)
108 struct nft_trans *trans;
110 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 trans->msg_type = msg_type;
120 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
121 int msg_type, u32 size)
123 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
126 static void nft_trans_destroy(struct nft_trans *trans)
128 list_del(&trans->list);
132 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
134 struct net *net = ctx->net;
135 struct nft_trans *trans;
137 if (!nft_set_is_anonymous(set))
140 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
141 switch (trans->msg_type) {
143 if (nft_trans_set(trans) == set)
144 nft_trans_set_bound(trans) = true;
146 case NFT_MSG_NEWSETELEM:
147 if (nft_trans_elem_set(trans) == set)
148 nft_trans_elem_set_bound(trans) = true;
154 static int nft_netdev_register_hooks(struct net *net,
155 struct list_head *hook_list)
157 struct nft_hook *hook;
161 list_for_each_entry(hook, hook_list, list) {
162 err = nf_register_net_hook(net, &hook->ops);
171 list_for_each_entry(hook, hook_list, list) {
175 nf_unregister_net_hook(net, &hook->ops);
180 static void nft_netdev_unregister_hooks(struct net *net,
181 struct list_head *hook_list)
183 struct nft_hook *hook;
185 list_for_each_entry(hook, hook_list, list)
186 nf_unregister_net_hook(net, &hook->ops);
189 static int nft_register_basechain_hooks(struct net *net, int family,
190 struct nft_base_chain *basechain)
192 if (family == NFPROTO_NETDEV)
193 return nft_netdev_register_hooks(net, &basechain->hook_list);
195 return nf_register_net_hook(net, &basechain->ops);
198 static void nft_unregister_basechain_hooks(struct net *net, int family,
199 struct nft_base_chain *basechain)
201 if (family == NFPROTO_NETDEV)
202 nft_netdev_unregister_hooks(net, &basechain->hook_list);
204 nf_unregister_net_hook(net, &basechain->ops);
207 static int nf_tables_register_hook(struct net *net,
208 const struct nft_table *table,
209 struct nft_chain *chain)
211 struct nft_base_chain *basechain;
212 const struct nf_hook_ops *ops;
214 if (table->flags & NFT_TABLE_F_DORMANT ||
215 !nft_is_base_chain(chain))
218 basechain = nft_base_chain(chain);
219 ops = &basechain->ops;
221 if (basechain->type->ops_register)
222 return basechain->type->ops_register(net, ops);
224 return nft_register_basechain_hooks(net, table->family, basechain);
227 static void nf_tables_unregister_hook(struct net *net,
228 const struct nft_table *table,
229 struct nft_chain *chain)
231 struct nft_base_chain *basechain;
232 const struct nf_hook_ops *ops;
234 if (table->flags & NFT_TABLE_F_DORMANT ||
235 !nft_is_base_chain(chain))
237 basechain = nft_base_chain(chain);
238 ops = &basechain->ops;
240 if (basechain->type->ops_unregister)
241 return basechain->type->ops_unregister(net, ops);
243 nft_unregister_basechain_hooks(net, table->family, basechain);
246 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
248 struct nft_trans *trans;
250 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
254 if (msg_type == NFT_MSG_NEWTABLE)
255 nft_activate_next(ctx->net, ctx->table);
257 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
261 static int nft_deltable(struct nft_ctx *ctx)
265 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
269 nft_deactivate_next(ctx->net, ctx->table);
273 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
275 struct nft_trans *trans;
277 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
279 return ERR_PTR(-ENOMEM);
281 if (msg_type == NFT_MSG_NEWCHAIN)
282 nft_activate_next(ctx->net, ctx->chain);
284 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
288 static int nft_delchain(struct nft_ctx *ctx)
290 struct nft_trans *trans;
292 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
294 return PTR_ERR(trans);
297 nft_deactivate_next(ctx->net, ctx->chain);
302 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
303 struct nft_rule *rule)
305 struct nft_expr *expr;
307 expr = nft_expr_first(rule);
308 while (expr != nft_expr_last(rule) && expr->ops) {
309 if (expr->ops->activate)
310 expr->ops->activate(ctx, expr);
312 expr = nft_expr_next(expr);
316 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
317 struct nft_rule *rule,
318 enum nft_trans_phase phase)
320 struct nft_expr *expr;
322 expr = nft_expr_first(rule);
323 while (expr != nft_expr_last(rule) && expr->ops) {
324 if (expr->ops->deactivate)
325 expr->ops->deactivate(ctx, expr, phase);
327 expr = nft_expr_next(expr);
332 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
334 /* You cannot delete the same rule twice */
335 if (nft_is_active_next(ctx->net, rule)) {
336 nft_deactivate_next(ctx->net, rule);
343 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
344 struct nft_rule *rule)
346 struct nft_trans *trans;
348 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
352 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
353 nft_trans_rule_id(trans) =
354 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
356 nft_trans_rule(trans) = rule;
357 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
362 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
364 struct nft_flow_rule *flow;
365 struct nft_trans *trans;
368 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
372 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
373 flow = nft_flow_rule_create(ctx->net, rule);
375 nft_trans_destroy(trans);
376 return PTR_ERR(flow);
379 nft_trans_flow_rule(trans) = flow;
382 err = nf_tables_delrule_deactivate(ctx, rule);
384 nft_trans_destroy(trans);
387 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
392 static int nft_delrule_by_chain(struct nft_ctx *ctx)
394 struct nft_rule *rule;
397 list_for_each_entry(rule, &ctx->chain->rules, list) {
398 if (!nft_is_active_next(ctx->net, rule))
401 err = nft_delrule(ctx, rule);
408 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
411 struct nft_trans *trans;
413 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
417 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
418 nft_trans_set_id(trans) =
419 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
420 nft_activate_next(ctx->net, set);
422 nft_trans_set(trans) = set;
423 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
428 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
432 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
436 nft_deactivate_next(ctx->net, set);
442 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
443 struct nft_object *obj)
445 struct nft_trans *trans;
447 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
451 if (msg_type == NFT_MSG_NEWOBJ)
452 nft_activate_next(ctx->net, obj);
454 nft_trans_obj(trans) = obj;
455 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
460 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
464 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
468 nft_deactivate_next(ctx->net, obj);
474 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
475 struct nft_flowtable *flowtable)
477 struct nft_trans *trans;
479 trans = nft_trans_alloc(ctx, msg_type,
480 sizeof(struct nft_trans_flowtable));
484 if (msg_type == NFT_MSG_NEWFLOWTABLE)
485 nft_activate_next(ctx->net, flowtable);
487 nft_trans_flowtable(trans) = flowtable;
488 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
493 static int nft_delflowtable(struct nft_ctx *ctx,
494 struct nft_flowtable *flowtable)
498 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
502 nft_deactivate_next(ctx->net, flowtable);
512 static struct nft_table *nft_table_lookup(const struct net *net,
513 const struct nlattr *nla,
514 u8 family, u8 genmask)
516 struct nft_table *table;
519 return ERR_PTR(-EINVAL);
521 list_for_each_entry_rcu(table, &net->nft.tables, list) {
522 if (!nla_strcmp(nla, table->name) &&
523 table->family == family &&
524 nft_active_genmask(table, genmask))
528 return ERR_PTR(-ENOENT);
531 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
532 const struct nlattr *nla,
535 struct nft_table *table;
537 list_for_each_entry(table, &net->nft.tables, list) {
538 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
539 nft_active_genmask(table, genmask))
543 return ERR_PTR(-ENOENT);
546 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
548 return ++table->hgenerator;
551 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
553 static const struct nft_chain_type *
554 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
558 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
559 if (chain_type[family][i] != NULL &&
560 !nla_strcmp(nla, chain_type[family][i]->name))
561 return chain_type[family][i];
567 * Loading a module requires dropping mutex that guards the
569 * We first need to abort any pending transactions as once
570 * mutex is unlocked a different client could start a new
571 * transaction. It must not see any 'future generation'
572 * changes * as these changes will never happen.
574 #ifdef CONFIG_MODULES
575 static int __nf_tables_abort(struct net *net);
577 static void nft_request_module(struct net *net, const char *fmt, ...)
579 char module_name[MODULE_NAME_LEN];
583 __nf_tables_abort(net);
586 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
588 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
591 mutex_unlock(&net->nft.commit_mutex);
592 request_module("%s", module_name);
593 mutex_lock(&net->nft.commit_mutex);
597 static void lockdep_nfnl_nft_mutex_not_held(void)
599 #ifdef CONFIG_PROVE_LOCKING
600 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
604 static const struct nft_chain_type *
605 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
606 u8 family, bool autoload)
608 const struct nft_chain_type *type;
610 type = __nf_tables_chain_type_lookup(nla, family);
614 lockdep_nfnl_nft_mutex_not_held();
615 #ifdef CONFIG_MODULES
617 nft_request_module(net, "nft-chain-%u-%.*s", family,
618 nla_len(nla), (const char *)nla_data(nla));
619 type = __nf_tables_chain_type_lookup(nla, family);
621 return ERR_PTR(-EAGAIN);
624 return ERR_PTR(-ENOENT);
627 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
628 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
629 .len = NFT_TABLE_MAXNAMELEN - 1 },
630 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
631 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
634 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
635 u32 portid, u32 seq, int event, u32 flags,
636 int family, const struct nft_table *table)
638 struct nlmsghdr *nlh;
639 struct nfgenmsg *nfmsg;
641 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
642 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
644 goto nla_put_failure;
646 nfmsg = nlmsg_data(nlh);
647 nfmsg->nfgen_family = family;
648 nfmsg->version = NFNETLINK_V0;
649 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
651 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
652 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
653 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
654 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
656 goto nla_put_failure;
662 nlmsg_trim(skb, nlh);
666 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
672 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
675 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
679 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
680 event, 0, ctx->family, ctx->table);
686 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
687 ctx->report, GFP_KERNEL);
690 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
693 static int nf_tables_dump_tables(struct sk_buff *skb,
694 struct netlink_callback *cb)
696 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
697 const struct nft_table *table;
698 unsigned int idx = 0, s_idx = cb->args[0];
699 struct net *net = sock_net(skb->sk);
700 int family = nfmsg->nfgen_family;
703 cb->seq = net->nft.base_seq;
705 list_for_each_entry_rcu(table, &net->nft.tables, list) {
706 if (family != NFPROTO_UNSPEC && family != table->family)
712 memset(&cb->args[1], 0,
713 sizeof(cb->args) - sizeof(cb->args[0]));
714 if (!nft_is_active(net, table))
716 if (nf_tables_fill_table_info(skb, net,
717 NETLINK_CB(cb->skb).portid,
719 NFT_MSG_NEWTABLE, NLM_F_MULTI,
720 table->family, table) < 0)
723 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
733 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
734 const struct nlmsghdr *nlh,
735 struct netlink_dump_control *c)
739 if (!try_module_get(THIS_MODULE))
743 err = netlink_dump_start(nlsk, skb, nlh, c);
745 module_put(THIS_MODULE);
750 /* called with rcu_read_lock held */
751 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
752 struct sk_buff *skb, const struct nlmsghdr *nlh,
753 const struct nlattr * const nla[],
754 struct netlink_ext_ack *extack)
756 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
757 u8 genmask = nft_genmask_cur(net);
758 const struct nft_table *table;
759 struct sk_buff *skb2;
760 int family = nfmsg->nfgen_family;
763 if (nlh->nlmsg_flags & NLM_F_DUMP) {
764 struct netlink_dump_control c = {
765 .dump = nf_tables_dump_tables,
766 .module = THIS_MODULE,
769 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
772 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
774 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
775 return PTR_ERR(table);
778 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
782 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
783 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
788 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
795 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
797 struct nft_chain *chain;
800 list_for_each_entry(chain, &table->chains, list) {
801 if (!nft_is_active_next(net, chain))
803 if (!nft_is_base_chain(chain))
806 if (cnt && i++ == cnt)
809 nft_unregister_basechain_hooks(net, table->family,
810 nft_base_chain(chain));
814 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
816 struct nft_chain *chain;
819 list_for_each_entry(chain, &table->chains, list) {
820 if (!nft_is_active_next(net, chain))
822 if (!nft_is_base_chain(chain))
825 err = nft_register_basechain_hooks(net, table->family,
826 nft_base_chain(chain));
828 goto err_register_hooks;
836 nft_table_disable(net, table, i);
840 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
842 nft_table_disable(net, table, 0);
845 static int nf_tables_updtable(struct nft_ctx *ctx)
847 struct nft_trans *trans;
851 if (!ctx->nla[NFTA_TABLE_FLAGS])
854 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
855 if (flags & ~NFT_TABLE_F_DORMANT)
858 if (flags == ctx->table->flags)
861 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
862 sizeof(struct nft_trans_table));
866 if ((flags & NFT_TABLE_F_DORMANT) &&
867 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
868 nft_trans_table_enable(trans) = false;
869 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
870 ctx->table->flags & NFT_TABLE_F_DORMANT) {
871 ret = nf_tables_table_enable(ctx->net, ctx->table);
873 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
874 nft_trans_table_enable(trans) = true;
880 nft_trans_table_update(trans) = true;
881 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
884 nft_trans_destroy(trans);
888 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
890 const char *name = data;
892 return jhash(name, strlen(name), seed);
895 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
897 const struct nft_chain *chain = data;
899 return nft_chain_hash(chain->name, 0, seed);
902 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
905 const struct nft_chain *chain = ptr;
906 const char *name = arg->key;
908 return strcmp(chain->name, name);
911 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
913 const struct nft_object_hash_key *k = data;
915 seed ^= hash_ptr(k->table, 32);
917 return jhash(k->name, strlen(k->name), seed);
920 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
922 const struct nft_object *obj = data;
924 return nft_objname_hash(&obj->key, 0, seed);
927 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
930 const struct nft_object_hash_key *k = arg->key;
931 const struct nft_object *obj = ptr;
933 if (obj->key.table != k->table)
936 return strcmp(obj->key.name, k->name);
939 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
940 struct sk_buff *skb, const struct nlmsghdr *nlh,
941 const struct nlattr * const nla[],
942 struct netlink_ext_ack *extack)
944 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
945 u8 genmask = nft_genmask_next(net);
946 int family = nfmsg->nfgen_family;
947 const struct nlattr *attr;
948 struct nft_table *table;
953 lockdep_assert_held(&net->nft.commit_mutex);
954 attr = nla[NFTA_TABLE_NAME];
955 table = nft_table_lookup(net, attr, family, genmask);
957 if (PTR_ERR(table) != -ENOENT)
958 return PTR_ERR(table);
960 if (nlh->nlmsg_flags & NLM_F_EXCL) {
961 NL_SET_BAD_ATTR(extack, attr);
964 if (nlh->nlmsg_flags & NLM_F_REPLACE)
967 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
968 return nf_tables_updtable(&ctx);
971 if (nla[NFTA_TABLE_FLAGS]) {
972 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
973 if (flags & ~NFT_TABLE_F_DORMANT)
978 table = kzalloc(sizeof(*table), GFP_KERNEL);
982 table->name = nla_strdup(attr, GFP_KERNEL);
983 if (table->name == NULL)
986 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
990 INIT_LIST_HEAD(&table->chains);
991 INIT_LIST_HEAD(&table->sets);
992 INIT_LIST_HEAD(&table->objects);
993 INIT_LIST_HEAD(&table->flowtables);
994 table->family = family;
995 table->flags = flags;
996 table->handle = ++table_handle;
998 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
999 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1003 list_add_tail_rcu(&table->list, &net->nft.tables);
1006 rhltable_destroy(&table->chains_ht);
1015 static int nft_flush_table(struct nft_ctx *ctx)
1017 struct nft_flowtable *flowtable, *nft;
1018 struct nft_chain *chain, *nc;
1019 struct nft_object *obj, *ne;
1020 struct nft_set *set, *ns;
1023 list_for_each_entry(chain, &ctx->table->chains, list) {
1024 if (!nft_is_active_next(ctx->net, chain))
1029 err = nft_delrule_by_chain(ctx);
1034 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1035 if (!nft_is_active_next(ctx->net, set))
1038 if (nft_set_is_anonymous(set) &&
1039 !list_empty(&set->bindings))
1042 err = nft_delset(ctx, set);
1047 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1048 err = nft_delflowtable(ctx, flowtable);
1053 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1054 err = nft_delobj(ctx, obj);
1059 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1060 if (!nft_is_active_next(ctx->net, chain))
1065 err = nft_delchain(ctx);
1070 err = nft_deltable(ctx);
1075 static int nft_flush(struct nft_ctx *ctx, int family)
1077 struct nft_table *table, *nt;
1078 const struct nlattr * const *nla = ctx->nla;
1081 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1082 if (family != AF_UNSPEC && table->family != family)
1085 ctx->family = table->family;
1087 if (!nft_is_active_next(ctx->net, table))
1090 if (nla[NFTA_TABLE_NAME] &&
1091 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1096 err = nft_flush_table(ctx);
1104 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1105 struct sk_buff *skb, const struct nlmsghdr *nlh,
1106 const struct nlattr * const nla[],
1107 struct netlink_ext_ack *extack)
1109 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1110 u8 genmask = nft_genmask_next(net);
1111 int family = nfmsg->nfgen_family;
1112 const struct nlattr *attr;
1113 struct nft_table *table;
1116 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1117 if (family == AF_UNSPEC ||
1118 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1119 return nft_flush(&ctx, family);
1121 if (nla[NFTA_TABLE_HANDLE]) {
1122 attr = nla[NFTA_TABLE_HANDLE];
1123 table = nft_table_lookup_byhandle(net, attr, genmask);
1125 attr = nla[NFTA_TABLE_NAME];
1126 table = nft_table_lookup(net, attr, family, genmask);
1129 if (IS_ERR(table)) {
1130 NL_SET_BAD_ATTR(extack, attr);
1131 return PTR_ERR(table);
1134 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1138 ctx.family = family;
1141 return nft_flush_table(&ctx);
1144 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1146 if (WARN_ON(ctx->table->use > 0))
1149 rhltable_destroy(&ctx->table->chains_ht);
1150 kfree(ctx->table->name);
1154 void nft_register_chain_type(const struct nft_chain_type *ctype)
1156 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1159 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1160 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1161 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1164 chain_type[ctype->family][ctype->type] = ctype;
1165 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1167 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1169 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1171 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1172 chain_type[ctype->family][ctype->type] = NULL;
1173 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1175 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1181 static struct nft_chain *
1182 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1184 struct nft_chain *chain;
1186 list_for_each_entry(chain, &table->chains, list) {
1187 if (chain->handle == handle &&
1188 nft_active_genmask(chain, genmask))
1192 return ERR_PTR(-ENOENT);
1195 static bool lockdep_commit_lock_is_held(const struct net *net)
1197 #ifdef CONFIG_PROVE_LOCKING
1198 return lockdep_is_held(&net->nft.commit_mutex);
1204 static struct nft_chain *nft_chain_lookup(struct net *net,
1205 struct nft_table *table,
1206 const struct nlattr *nla, u8 genmask)
1208 char search[NFT_CHAIN_MAXNAMELEN + 1];
1209 struct rhlist_head *tmp, *list;
1210 struct nft_chain *chain;
1213 return ERR_PTR(-EINVAL);
1215 nla_strlcpy(search, nla, sizeof(search));
1217 WARN_ON(!rcu_read_lock_held() &&
1218 !lockdep_commit_lock_is_held(net));
1220 chain = ERR_PTR(-ENOENT);
1222 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1226 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1227 if (nft_active_genmask(chain, genmask))
1230 chain = ERR_PTR(-ENOENT);
1236 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1237 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1238 .len = NFT_TABLE_MAXNAMELEN - 1 },
1239 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1240 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1241 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1242 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1243 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1244 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1245 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1246 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1249 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1250 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1251 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1252 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1253 .len = IFNAMSIZ - 1 },
1256 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1258 struct nft_stats *cpu_stats, total;
1259 struct nlattr *nest;
1267 memset(&total, 0, sizeof(total));
1268 for_each_possible_cpu(cpu) {
1269 cpu_stats = per_cpu_ptr(stats, cpu);
1271 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1272 pkts = cpu_stats->pkts;
1273 bytes = cpu_stats->bytes;
1274 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1276 total.bytes += bytes;
1278 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1280 goto nla_put_failure;
1282 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1283 NFTA_COUNTER_PAD) ||
1284 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1286 goto nla_put_failure;
1288 nla_nest_end(skb, nest);
1295 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1296 const struct nft_base_chain *basechain)
1298 const struct nf_hook_ops *ops = &basechain->ops;
1299 struct nft_hook *hook, *first = NULL;
1300 struct nlattr *nest, *nest_devs;
1303 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1305 goto nla_put_failure;
1306 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1307 goto nla_put_failure;
1308 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1309 goto nla_put_failure;
1311 if (family == NFPROTO_NETDEV) {
1312 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1313 list_for_each_entry(hook, &basechain->hook_list, list) {
1317 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1318 hook->ops.dev->name))
1319 goto nla_put_failure;
1322 nla_nest_end(skb, nest_devs);
1325 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1326 goto nla_put_failure;
1328 nla_nest_end(skb, nest);
1335 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1336 u32 portid, u32 seq, int event, u32 flags,
1337 int family, const struct nft_table *table,
1338 const struct nft_chain *chain)
1340 struct nlmsghdr *nlh;
1341 struct nfgenmsg *nfmsg;
1343 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1344 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1346 goto nla_put_failure;
1348 nfmsg = nlmsg_data(nlh);
1349 nfmsg->nfgen_family = family;
1350 nfmsg->version = NFNETLINK_V0;
1351 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1353 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1354 goto nla_put_failure;
1355 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1357 goto nla_put_failure;
1358 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1359 goto nla_put_failure;
1361 if (nft_is_base_chain(chain)) {
1362 const struct nft_base_chain *basechain = nft_base_chain(chain);
1363 struct nft_stats __percpu *stats;
1365 if (nft_dump_basechain_hook(skb, family, basechain))
1366 goto nla_put_failure;
1368 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1369 htonl(basechain->policy)))
1370 goto nla_put_failure;
1372 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1373 goto nla_put_failure;
1375 stats = rcu_dereference_check(basechain->stats,
1376 lockdep_commit_lock_is_held(net));
1377 if (nft_dump_stats(skb, stats))
1378 goto nla_put_failure;
1381 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1382 goto nla_put_failure;
1384 nlmsg_end(skb, nlh);
1388 nlmsg_trim(skb, nlh);
1392 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1394 struct sk_buff *skb;
1398 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1401 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1405 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1406 event, 0, ctx->family, ctx->table,
1413 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1414 ctx->report, GFP_KERNEL);
1417 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1420 static int nf_tables_dump_chains(struct sk_buff *skb,
1421 struct netlink_callback *cb)
1423 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1424 const struct nft_table *table;
1425 const struct nft_chain *chain;
1426 unsigned int idx = 0, s_idx = cb->args[0];
1427 struct net *net = sock_net(skb->sk);
1428 int family = nfmsg->nfgen_family;
1431 cb->seq = net->nft.base_seq;
1433 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1434 if (family != NFPROTO_UNSPEC && family != table->family)
1437 list_for_each_entry_rcu(chain, &table->chains, list) {
1441 memset(&cb->args[1], 0,
1442 sizeof(cb->args) - sizeof(cb->args[0]));
1443 if (!nft_is_active(net, chain))
1445 if (nf_tables_fill_chain_info(skb, net,
1446 NETLINK_CB(cb->skb).portid,
1450 table->family, table,
1454 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1465 /* called with rcu_read_lock held */
1466 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1467 struct sk_buff *skb, const struct nlmsghdr *nlh,
1468 const struct nlattr * const nla[],
1469 struct netlink_ext_ack *extack)
1471 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1472 u8 genmask = nft_genmask_cur(net);
1473 const struct nft_chain *chain;
1474 struct nft_table *table;
1475 struct sk_buff *skb2;
1476 int family = nfmsg->nfgen_family;
1479 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1480 struct netlink_dump_control c = {
1481 .dump = nf_tables_dump_chains,
1482 .module = THIS_MODULE,
1485 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1488 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1489 if (IS_ERR(table)) {
1490 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1491 return PTR_ERR(table);
1494 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1495 if (IS_ERR(chain)) {
1496 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1497 return PTR_ERR(chain);
1500 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1504 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1505 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1506 family, table, chain);
1510 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1517 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1518 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1519 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1522 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1524 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1525 struct nft_stats __percpu *newstats;
1526 struct nft_stats *stats;
1529 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1530 nft_counter_policy, NULL);
1532 return ERR_PTR(err);
1534 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1535 return ERR_PTR(-EINVAL);
1537 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1538 if (newstats == NULL)
1539 return ERR_PTR(-ENOMEM);
1541 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1542 * are not exposed to userspace.
1545 stats = this_cpu_ptr(newstats);
1546 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1547 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1553 static void nft_chain_stats_replace(struct nft_trans *trans)
1555 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1557 if (!nft_trans_chain_stats(trans))
1560 rcu_swap_protected(chain->stats, nft_trans_chain_stats(trans),
1561 lockdep_commit_lock_is_held(trans->ctx.net));
1563 if (!nft_trans_chain_stats(trans))
1564 static_branch_inc(&nft_counters_enabled);
1567 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1569 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1570 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1576 /* should be NULL either via abort or via successful commit */
1577 WARN_ON_ONCE(chain->rules_next);
1578 kvfree(chain->rules_next);
1581 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1583 struct nft_chain *chain = ctx->chain;
1584 struct nft_hook *hook, *next;
1586 if (WARN_ON(chain->use > 0))
1589 /* no concurrent access possible anymore */
1590 nf_tables_chain_free_chain_rules(chain);
1592 if (nft_is_base_chain(chain)) {
1593 struct nft_base_chain *basechain = nft_base_chain(chain);
1595 if (ctx->family == NFPROTO_NETDEV) {
1596 list_for_each_entry_safe(hook, next,
1597 &basechain->hook_list, list) {
1598 list_del_rcu(&hook->list);
1599 kfree_rcu(hook, rcu);
1602 module_put(basechain->type->owner);
1603 if (rcu_access_pointer(basechain->stats)) {
1604 static_branch_dec(&nft_counters_enabled);
1605 free_percpu(rcu_dereference_raw(basechain->stats));
1615 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1616 const struct nlattr *attr)
1618 struct net_device *dev;
1619 char ifname[IFNAMSIZ];
1620 struct nft_hook *hook;
1623 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1626 goto err_hook_alloc;
1629 nla_strlcpy(ifname, attr, IFNAMSIZ);
1630 dev = __dev_get_by_name(net, ifname);
1635 hook->ops.dev = dev;
1642 return ERR_PTR(err);
1645 static bool nft_hook_list_find(struct list_head *hook_list,
1646 const struct nft_hook *this)
1648 struct nft_hook *hook;
1650 list_for_each_entry(hook, hook_list, list) {
1651 if (this->ops.dev == hook->ops.dev)
1658 static int nf_tables_parse_netdev_hooks(struct net *net,
1659 const struct nlattr *attr,
1660 struct list_head *hook_list)
1662 struct nft_hook *hook, *next;
1663 const struct nlattr *tmp;
1664 int rem, n = 0, err;
1666 nla_for_each_nested(tmp, attr, rem) {
1667 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1672 hook = nft_netdev_hook_alloc(net, tmp);
1674 err = PTR_ERR(hook);
1677 if (nft_hook_list_find(hook_list, hook)) {
1681 list_add_tail(&hook->list, hook_list);
1684 if (n == NFT_NETDEVICE_MAX) {
1695 list_for_each_entry_safe(hook, next, hook_list, list) {
1696 list_del(&hook->list);
1702 struct nft_chain_hook {
1705 const struct nft_chain_type *type;
1706 struct list_head list;
1709 static int nft_chain_parse_netdev(struct net *net,
1710 struct nlattr *tb[],
1711 struct list_head *hook_list)
1713 struct nft_hook *hook;
1716 if (tb[NFTA_HOOK_DEV]) {
1717 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1719 return PTR_ERR(hook);
1721 list_add_tail(&hook->list, hook_list);
1722 } else if (tb[NFTA_HOOK_DEVS]) {
1723 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1734 static int nft_chain_parse_hook(struct net *net,
1735 const struct nlattr * const nla[],
1736 struct nft_chain_hook *hook, u8 family,
1739 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1740 const struct nft_chain_type *type;
1743 lockdep_assert_held(&net->nft.commit_mutex);
1744 lockdep_nfnl_nft_mutex_not_held();
1746 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1747 nla[NFTA_CHAIN_HOOK],
1748 nft_hook_policy, NULL);
1752 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1753 ha[NFTA_HOOK_PRIORITY] == NULL)
1756 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1757 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1759 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1760 if (nla[NFTA_CHAIN_TYPE]) {
1761 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1764 return PTR_ERR(type);
1766 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1769 if (type->type == NFT_CHAIN_T_NAT &&
1770 hook->priority <= NF_IP_PRI_CONNTRACK)
1773 if (!try_module_get(type->owner))
1778 INIT_LIST_HEAD(&hook->list);
1779 if (family == NFPROTO_NETDEV) {
1780 err = nft_chain_parse_netdev(net, ha, &hook->list);
1782 module_put(type->owner);
1785 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1786 module_put(type->owner);
1793 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1795 struct nft_hook *h, *next;
1797 list_for_each_entry_safe(h, next, &hook->list, list) {
1801 module_put(hook->type->owner);
1804 struct nft_rules_old {
1806 struct nft_rule **start;
1809 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1812 if (alloc > INT_MAX)
1815 alloc += 1; /* NULL, ends rules */
1816 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1819 alloc *= sizeof(struct nft_rule *);
1820 alloc += sizeof(struct nft_rules_old);
1822 return kvmalloc(alloc, GFP_KERNEL);
1825 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1826 const struct nft_chain_hook *hook,
1827 struct nft_chain *chain)
1830 ops->hooknum = hook->num;
1831 ops->priority = hook->priority;
1833 ops->hook = hook->type->hooks[ops->hooknum];
1836 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1837 struct nft_chain_hook *hook, u32 flags)
1839 struct nft_chain *chain;
1842 basechain->type = hook->type;
1843 INIT_LIST_HEAD(&basechain->hook_list);
1844 chain = &basechain->chain;
1846 if (family == NFPROTO_NETDEV) {
1847 list_splice_init(&hook->list, &basechain->hook_list);
1848 list_for_each_entry(h, &basechain->hook_list, list)
1849 nft_basechain_hook_init(&h->ops, family, hook, chain);
1851 basechain->ops.hooknum = hook->num;
1852 basechain->ops.priority = hook->priority;
1854 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1857 chain->flags |= NFT_BASE_CHAIN | flags;
1858 basechain->policy = NF_ACCEPT;
1859 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1860 nft_chain_offload_priority(basechain) < 0)
1863 flow_block_init(&basechain->flow_block);
1868 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1869 u8 policy, u32 flags)
1871 const struct nlattr * const *nla = ctx->nla;
1872 struct nft_table *table = ctx->table;
1873 struct nft_base_chain *basechain;
1874 struct nft_stats __percpu *stats;
1875 struct net *net = ctx->net;
1876 struct nft_trans *trans;
1877 struct nft_chain *chain;
1878 struct nft_rule **rules;
1881 if (table->use == UINT_MAX)
1884 if (nla[NFTA_CHAIN_HOOK]) {
1885 struct nft_chain_hook hook;
1887 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1891 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1892 if (basechain == NULL) {
1893 nft_chain_release_hook(&hook);
1896 chain = &basechain->chain;
1898 if (nla[NFTA_CHAIN_COUNTERS]) {
1899 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1900 if (IS_ERR(stats)) {
1901 nft_chain_release_hook(&hook);
1903 return PTR_ERR(stats);
1905 rcu_assign_pointer(basechain->stats, stats);
1906 static_branch_inc(&nft_counters_enabled);
1909 err = nft_basechain_init(basechain, family, &hook, flags);
1911 nft_chain_release_hook(&hook);
1916 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1922 INIT_LIST_HEAD(&chain->rules);
1923 chain->handle = nf_tables_alloc_handle(table);
1924 chain->table = table;
1925 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1931 rules = nf_tables_chain_alloc_rules(chain, 0);
1938 rcu_assign_pointer(chain->rules_gen_0, rules);
1939 rcu_assign_pointer(chain->rules_gen_1, rules);
1941 err = nf_tables_register_hook(net, table, chain);
1945 err = rhltable_insert_key(&table->chains_ht, chain->name,
1946 &chain->rhlhead, nft_chain_ht_params);
1950 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1951 if (IS_ERR(trans)) {
1952 err = PTR_ERR(trans);
1953 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1954 nft_chain_ht_params);
1958 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1959 if (nft_is_base_chain(chain))
1960 nft_trans_chain_policy(trans) = policy;
1963 list_add_tail_rcu(&chain->list, &table->chains);
1967 nf_tables_unregister_hook(net, table, chain);
1969 nf_tables_chain_destroy(ctx);
1974 static bool nft_hook_list_equal(struct list_head *hook_list1,
1975 struct list_head *hook_list2)
1977 struct nft_hook *hook;
1981 list_for_each_entry(hook, hook_list2, list) {
1982 if (!nft_hook_list_find(hook_list1, hook))
1987 list_for_each_entry(hook, hook_list1, list)
1993 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1996 const struct nlattr * const *nla = ctx->nla;
1997 struct nft_table *table = ctx->table;
1998 struct nft_chain *chain = ctx->chain;
1999 struct nft_base_chain *basechain;
2000 struct nft_stats *stats = NULL;
2001 struct nft_chain_hook hook;
2002 struct nf_hook_ops *ops;
2003 struct nft_trans *trans;
2006 if (chain->flags ^ flags)
2009 if (nla[NFTA_CHAIN_HOOK]) {
2010 if (!nft_is_base_chain(chain))
2013 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2018 basechain = nft_base_chain(chain);
2019 if (basechain->type != hook.type) {
2020 nft_chain_release_hook(&hook);
2024 if (ctx->family == NFPROTO_NETDEV) {
2025 if (!nft_hook_list_equal(&basechain->hook_list,
2027 nft_chain_release_hook(&hook);
2031 ops = &basechain->ops;
2032 if (ops->hooknum != hook.num ||
2033 ops->priority != hook.priority) {
2034 nft_chain_release_hook(&hook);
2038 nft_chain_release_hook(&hook);
2041 if (nla[NFTA_CHAIN_HANDLE] &&
2042 nla[NFTA_CHAIN_NAME]) {
2043 struct nft_chain *chain2;
2045 chain2 = nft_chain_lookup(ctx->net, table,
2046 nla[NFTA_CHAIN_NAME], genmask);
2047 if (!IS_ERR(chain2))
2051 if (nla[NFTA_CHAIN_COUNTERS]) {
2052 if (!nft_is_base_chain(chain))
2055 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2057 return PTR_ERR(stats);
2061 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2062 sizeof(struct nft_trans_chain));
2066 nft_trans_chain_stats(trans) = stats;
2067 nft_trans_chain_update(trans) = true;
2069 if (nla[NFTA_CHAIN_POLICY])
2070 nft_trans_chain_policy(trans) = policy;
2072 nft_trans_chain_policy(trans) = -1;
2074 if (nla[NFTA_CHAIN_HANDLE] &&
2075 nla[NFTA_CHAIN_NAME]) {
2076 struct nft_trans *tmp;
2080 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2085 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2086 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2087 tmp->ctx.table == table &&
2088 nft_trans_chain_update(tmp) &&
2089 nft_trans_chain_name(tmp) &&
2090 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2096 nft_trans_chain_name(trans) = name;
2098 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2107 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2108 struct sk_buff *skb, const struct nlmsghdr *nlh,
2109 const struct nlattr * const nla[],
2110 struct netlink_ext_ack *extack)
2112 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2113 u8 genmask = nft_genmask_next(net);
2114 int family = nfmsg->nfgen_family;
2115 const struct nlattr *attr;
2116 struct nft_table *table;
2117 struct nft_chain *chain;
2118 u8 policy = NF_ACCEPT;
2123 lockdep_assert_held(&net->nft.commit_mutex);
2125 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2126 if (IS_ERR(table)) {
2127 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2128 return PTR_ERR(table);
2132 attr = nla[NFTA_CHAIN_NAME];
2134 if (nla[NFTA_CHAIN_HANDLE]) {
2135 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2136 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2137 if (IS_ERR(chain)) {
2138 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2139 return PTR_ERR(chain);
2141 attr = nla[NFTA_CHAIN_HANDLE];
2143 chain = nft_chain_lookup(net, table, attr, genmask);
2144 if (IS_ERR(chain)) {
2145 if (PTR_ERR(chain) != -ENOENT) {
2146 NL_SET_BAD_ATTR(extack, attr);
2147 return PTR_ERR(chain);
2153 if (nla[NFTA_CHAIN_POLICY]) {
2154 if (chain != NULL &&
2155 !nft_is_base_chain(chain)) {
2156 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2160 if (chain == NULL &&
2161 nla[NFTA_CHAIN_HOOK] == NULL) {
2162 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2166 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2176 if (nla[NFTA_CHAIN_FLAGS])
2177 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2179 flags = chain->flags;
2181 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2183 if (chain != NULL) {
2184 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2185 NL_SET_BAD_ATTR(extack, attr);
2188 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2191 flags |= chain->flags & NFT_BASE_CHAIN;
2192 return nf_tables_updchain(&ctx, genmask, policy, flags);
2195 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2198 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2199 struct sk_buff *skb, const struct nlmsghdr *nlh,
2200 const struct nlattr * const nla[],
2201 struct netlink_ext_ack *extack)
2203 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2204 u8 genmask = nft_genmask_next(net);
2205 int family = nfmsg->nfgen_family;
2206 const struct nlattr *attr;
2207 struct nft_table *table;
2208 struct nft_chain *chain;
2209 struct nft_rule *rule;
2215 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2216 if (IS_ERR(table)) {
2217 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2218 return PTR_ERR(table);
2221 if (nla[NFTA_CHAIN_HANDLE]) {
2222 attr = nla[NFTA_CHAIN_HANDLE];
2223 handle = be64_to_cpu(nla_get_be64(attr));
2224 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2226 attr = nla[NFTA_CHAIN_NAME];
2227 chain = nft_chain_lookup(net, table, attr, genmask);
2229 if (IS_ERR(chain)) {
2230 NL_SET_BAD_ATTR(extack, attr);
2231 return PTR_ERR(chain);
2234 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2238 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2241 list_for_each_entry(rule, &chain->rules, list) {
2242 if (!nft_is_active_next(net, rule))
2246 err = nft_delrule(&ctx, rule);
2251 /* There are rules and elements that are still holding references to us,
2252 * we cannot do a recursive removal in this case.
2255 NL_SET_BAD_ATTR(extack, attr);
2259 return nft_delchain(&ctx);
2267 * nft_register_expr - register nf_tables expr type
2270 * Registers the expr type for use with nf_tables. Returns zero on
2271 * success or a negative errno code otherwise.
2273 int nft_register_expr(struct nft_expr_type *type)
2275 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2276 if (type->family == NFPROTO_UNSPEC)
2277 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2279 list_add_rcu(&type->list, &nf_tables_expressions);
2280 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2283 EXPORT_SYMBOL_GPL(nft_register_expr);
2286 * nft_unregister_expr - unregister nf_tables expr type
2289 * Unregisters the expr typefor use with nf_tables.
2291 void nft_unregister_expr(struct nft_expr_type *type)
2293 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2294 list_del_rcu(&type->list);
2295 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2297 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2299 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2302 const struct nft_expr_type *type, *candidate = NULL;
2304 list_for_each_entry(type, &nf_tables_expressions, list) {
2305 if (!nla_strcmp(nla, type->name)) {
2306 if (!type->family && !candidate)
2308 else if (type->family == family)
2315 #ifdef CONFIG_MODULES
2316 static int nft_expr_type_request_module(struct net *net, u8 family,
2319 nft_request_module(net, "nft-expr-%u-%.*s", family,
2320 nla_len(nla), (char *)nla_data(nla));
2321 if (__nft_expr_type_get(family, nla))
2328 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2332 const struct nft_expr_type *type;
2335 return ERR_PTR(-EINVAL);
2337 type = __nft_expr_type_get(family, nla);
2338 if (type != NULL && try_module_get(type->owner))
2341 lockdep_nfnl_nft_mutex_not_held();
2342 #ifdef CONFIG_MODULES
2344 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2345 return ERR_PTR(-EAGAIN);
2347 nft_request_module(net, "nft-expr-%.*s",
2348 nla_len(nla), (char *)nla_data(nla));
2349 if (__nft_expr_type_get(family, nla))
2350 return ERR_PTR(-EAGAIN);
2353 return ERR_PTR(-ENOENT);
2356 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2357 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2358 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2361 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2362 const struct nft_expr *expr)
2364 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2365 goto nla_put_failure;
2367 if (expr->ops->dump) {
2368 struct nlattr *data = nla_nest_start_noflag(skb,
2371 goto nla_put_failure;
2372 if (expr->ops->dump(skb, expr) < 0)
2373 goto nla_put_failure;
2374 nla_nest_end(skb, data);
2383 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2384 const struct nft_expr *expr)
2386 struct nlattr *nest;
2388 nest = nla_nest_start_noflag(skb, attr);
2390 goto nla_put_failure;
2391 if (nf_tables_fill_expr_info(skb, expr) < 0)
2392 goto nla_put_failure;
2393 nla_nest_end(skb, nest);
2400 struct nft_expr_info {
2401 const struct nft_expr_ops *ops;
2402 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2405 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2406 const struct nlattr *nla,
2407 struct nft_expr_info *info)
2409 const struct nft_expr_type *type;
2410 const struct nft_expr_ops *ops;
2411 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2414 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2415 nft_expr_policy, NULL);
2419 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2421 return PTR_ERR(type);
2423 if (tb[NFTA_EXPR_DATA]) {
2424 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2426 type->policy, NULL);
2430 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2432 if (type->select_ops != NULL) {
2433 ops = type->select_ops(ctx,
2434 (const struct nlattr * const *)info->tb);
2437 #ifdef CONFIG_MODULES
2439 nft_expr_type_request_module(ctx->net,
2441 tb[NFTA_EXPR_NAME]);
2452 module_put(type->owner);
2456 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2457 const struct nft_expr_info *info,
2458 struct nft_expr *expr)
2460 const struct nft_expr_ops *ops = info->ops;
2465 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2476 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2477 struct nft_expr *expr)
2479 const struct nft_expr_type *type = expr->ops->type;
2481 if (expr->ops->destroy)
2482 expr->ops->destroy(ctx, expr);
2483 module_put(type->owner);
2486 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2487 const struct nlattr *nla)
2489 struct nft_expr_info info;
2490 struct nft_expr *expr;
2491 struct module *owner;
2494 err = nf_tables_expr_parse(ctx, nla, &info);
2499 expr = kzalloc(info.ops->size, GFP_KERNEL);
2503 err = nf_tables_newexpr(ctx, &info, expr);
2511 owner = info.ops->type->owner;
2512 if (info.ops->type->release_ops)
2513 info.ops->type->release_ops(info.ops);
2517 return ERR_PTR(err);
2520 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2522 nf_tables_expr_destroy(ctx, expr);
2530 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2533 struct nft_rule *rule;
2535 // FIXME: this sucks
2536 list_for_each_entry_rcu(rule, &chain->rules, list) {
2537 if (handle == rule->handle)
2541 return ERR_PTR(-ENOENT);
2544 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2545 const struct nlattr *nla)
2548 return ERR_PTR(-EINVAL);
2550 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2553 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2554 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2555 .len = NFT_TABLE_MAXNAMELEN - 1 },
2556 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2557 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2558 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2559 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2560 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2561 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2562 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2563 .len = NFT_USERDATA_MAXLEN },
2564 [NFTA_RULE_ID] = { .type = NLA_U32 },
2565 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2568 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2569 u32 portid, u32 seq, int event,
2570 u32 flags, int family,
2571 const struct nft_table *table,
2572 const struct nft_chain *chain,
2573 const struct nft_rule *rule,
2574 const struct nft_rule *prule)
2576 struct nlmsghdr *nlh;
2577 struct nfgenmsg *nfmsg;
2578 const struct nft_expr *expr, *next;
2579 struct nlattr *list;
2580 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2582 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2584 goto nla_put_failure;
2586 nfmsg = nlmsg_data(nlh);
2587 nfmsg->nfgen_family = family;
2588 nfmsg->version = NFNETLINK_V0;
2589 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2591 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2592 goto nla_put_failure;
2593 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2594 goto nla_put_failure;
2595 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2597 goto nla_put_failure;
2599 if (event != NFT_MSG_DELRULE && prule) {
2600 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2601 cpu_to_be64(prule->handle),
2603 goto nla_put_failure;
2606 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2608 goto nla_put_failure;
2609 nft_rule_for_each_expr(expr, next, rule) {
2610 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2611 goto nla_put_failure;
2613 nla_nest_end(skb, list);
2616 struct nft_userdata *udata = nft_userdata(rule);
2617 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2619 goto nla_put_failure;
2622 nlmsg_end(skb, nlh);
2626 nlmsg_trim(skb, nlh);
2630 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2631 const struct nft_rule *rule, int event)
2633 struct sk_buff *skb;
2637 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2640 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2644 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2645 event, 0, ctx->family, ctx->table,
2646 ctx->chain, rule, NULL);
2652 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2653 ctx->report, GFP_KERNEL);
2656 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2659 struct nft_rule_dump_ctx {
2664 static int __nf_tables_dump_rules(struct sk_buff *skb,
2666 struct netlink_callback *cb,
2667 const struct nft_table *table,
2668 const struct nft_chain *chain)
2670 struct net *net = sock_net(skb->sk);
2671 const struct nft_rule *rule, *prule;
2672 unsigned int s_idx = cb->args[0];
2675 list_for_each_entry_rcu(rule, &chain->rules, list) {
2676 if (!nft_is_active(net, rule))
2681 memset(&cb->args[1], 0,
2682 sizeof(cb->args) - sizeof(cb->args[0]));
2684 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2687 NLM_F_MULTI | NLM_F_APPEND,
2689 table, chain, rule, prule) < 0)
2692 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2701 static int nf_tables_dump_rules(struct sk_buff *skb,
2702 struct netlink_callback *cb)
2704 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2705 const struct nft_rule_dump_ctx *ctx = cb->data;
2706 struct nft_table *table;
2707 const struct nft_chain *chain;
2708 unsigned int idx = 0;
2709 struct net *net = sock_net(skb->sk);
2710 int family = nfmsg->nfgen_family;
2713 cb->seq = net->nft.base_seq;
2715 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2716 if (family != NFPROTO_UNSPEC && family != table->family)
2719 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2722 if (ctx && ctx->table && ctx->chain) {
2723 struct rhlist_head *list, *tmp;
2725 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2726 nft_chain_ht_params);
2730 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2731 if (!nft_is_active(net, chain))
2733 __nf_tables_dump_rules(skb, &idx,
2740 list_for_each_entry_rcu(chain, &table->chains, list) {
2741 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2745 if (ctx && ctx->table)
2755 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2757 const struct nlattr * const *nla = cb->data;
2758 struct nft_rule_dump_ctx *ctx = NULL;
2760 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2761 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2765 if (nla[NFTA_RULE_TABLE]) {
2766 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2773 if (nla[NFTA_RULE_CHAIN]) {
2774 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2788 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2790 struct nft_rule_dump_ctx *ctx = cb->data;
2800 /* called with rcu_read_lock held */
2801 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2802 struct sk_buff *skb, const struct nlmsghdr *nlh,
2803 const struct nlattr * const nla[],
2804 struct netlink_ext_ack *extack)
2806 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2807 u8 genmask = nft_genmask_cur(net);
2808 const struct nft_chain *chain;
2809 const struct nft_rule *rule;
2810 struct nft_table *table;
2811 struct sk_buff *skb2;
2812 int family = nfmsg->nfgen_family;
2815 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2816 struct netlink_dump_control c = {
2817 .start= nf_tables_dump_rules_start,
2818 .dump = nf_tables_dump_rules,
2819 .done = nf_tables_dump_rules_done,
2820 .module = THIS_MODULE,
2821 .data = (void *)nla,
2824 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2827 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2828 if (IS_ERR(table)) {
2829 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2830 return PTR_ERR(table);
2833 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2834 if (IS_ERR(chain)) {
2835 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2836 return PTR_ERR(chain);
2839 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2841 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2842 return PTR_ERR(rule);
2845 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2849 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2850 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2851 family, table, chain, rule, NULL);
2855 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2862 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2863 struct nft_rule *rule)
2865 struct nft_expr *expr, *next;
2868 * Careful: some expressions might not be initialized in case this
2869 * is called on error from nf_tables_newrule().
2871 expr = nft_expr_first(rule);
2872 while (expr != nft_expr_last(rule) && expr->ops) {
2873 next = nft_expr_next(expr);
2874 nf_tables_expr_destroy(ctx, expr);
2880 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2881 struct nft_rule *rule)
2883 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2884 nf_tables_rule_destroy(ctx, rule);
2887 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2889 struct nft_expr *expr, *last;
2890 const struct nft_data *data;
2891 struct nft_rule *rule;
2894 if (ctx->level == NFT_JUMP_STACK_SIZE)
2897 list_for_each_entry(rule, &chain->rules, list) {
2898 if (!nft_is_active_next(ctx->net, rule))
2901 nft_rule_for_each_expr(expr, last, rule) {
2902 if (!expr->ops->validate)
2905 err = expr->ops->validate(ctx, expr, &data);
2913 EXPORT_SYMBOL_GPL(nft_chain_validate);
2915 static int nft_table_validate(struct net *net, const struct nft_table *table)
2917 struct nft_chain *chain;
2918 struct nft_ctx ctx = {
2920 .family = table->family,
2924 list_for_each_entry(chain, &table->chains, list) {
2925 if (!nft_is_base_chain(chain))
2929 err = nft_chain_validate(&ctx, chain);
2937 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2938 const struct nlattr *nla);
2940 #define NFT_RULE_MAXEXPRS 128
2942 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2943 struct sk_buff *skb, const struct nlmsghdr *nlh,
2944 const struct nlattr * const nla[],
2945 struct netlink_ext_ack *extack)
2947 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2948 u8 genmask = nft_genmask_next(net);
2949 struct nft_expr_info *info = NULL;
2950 int family = nfmsg->nfgen_family;
2951 struct nft_flow_rule *flow;
2952 struct nft_table *table;
2953 struct nft_chain *chain;
2954 struct nft_rule *rule, *old_rule = NULL;
2955 struct nft_userdata *udata;
2956 struct nft_trans *trans = NULL;
2957 struct nft_expr *expr;
2960 unsigned int size, i, n, ulen = 0, usize = 0;
2962 u64 handle, pos_handle;
2964 lockdep_assert_held(&net->nft.commit_mutex);
2966 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2967 if (IS_ERR(table)) {
2968 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2969 return PTR_ERR(table);
2972 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2973 if (IS_ERR(chain)) {
2974 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2975 return PTR_ERR(chain);
2978 if (nla[NFTA_RULE_HANDLE]) {
2979 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2980 rule = __nft_rule_lookup(chain, handle);
2982 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2983 return PTR_ERR(rule);
2986 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2987 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2990 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2995 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2996 nlh->nlmsg_flags & NLM_F_REPLACE)
2998 handle = nf_tables_alloc_handle(table);
3000 if (chain->use == UINT_MAX)
3003 if (nla[NFTA_RULE_POSITION]) {
3004 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3005 old_rule = __nft_rule_lookup(chain, pos_handle);
3006 if (IS_ERR(old_rule)) {
3007 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3008 return PTR_ERR(old_rule);
3010 } else if (nla[NFTA_RULE_POSITION_ID]) {
3011 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3012 if (IS_ERR(old_rule)) {
3013 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3014 return PTR_ERR(old_rule);
3019 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3023 if (nla[NFTA_RULE_EXPRESSIONS]) {
3024 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3025 sizeof(struct nft_expr_info),
3030 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3032 if (nla_type(tmp) != NFTA_LIST_ELEM)
3034 if (n == NFT_RULE_MAXEXPRS)
3036 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3039 size += info[n].ops->size;
3043 /* Check for overflow of dlen field */
3045 if (size >= 1 << 12)
3048 if (nla[NFTA_RULE_USERDATA]) {
3049 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3051 usize = sizeof(struct nft_userdata) + ulen;
3055 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3059 nft_activate_next(net, rule);
3061 rule->handle = handle;
3063 rule->udata = ulen ? 1 : 0;
3066 udata = nft_userdata(rule);
3067 udata->len = ulen - 1;
3068 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3071 expr = nft_expr_first(rule);
3072 for (i = 0; i < n; i++) {
3073 err = nf_tables_newexpr(&ctx, &info[i], expr);
3077 if (info[i].ops->validate)
3078 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3081 expr = nft_expr_next(expr);
3084 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3085 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3086 if (trans == NULL) {
3090 err = nft_delrule(&ctx, old_rule);
3092 nft_trans_destroy(trans);
3096 list_add_tail_rcu(&rule->list, &old_rule->list);
3098 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3104 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3106 list_add_rcu(&rule->list, &old_rule->list);
3108 list_add_tail_rcu(&rule->list, &chain->rules);
3111 list_add_tail_rcu(&rule->list, &old_rule->list);
3113 list_add_rcu(&rule->list, &chain->rules);
3119 if (net->nft.validate_state == NFT_VALIDATE_DO)
3120 return nft_table_validate(net, table);
3122 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3123 flow = nft_flow_rule_create(net, rule);
3125 return PTR_ERR(flow);
3127 nft_trans_flow_rule(trans) = flow;
3132 nf_tables_rule_release(&ctx, rule);
3134 for (i = 0; i < n; i++) {
3136 module_put(info[i].ops->type->owner);
3137 if (info[i].ops->type->release_ops)
3138 info[i].ops->type->release_ops(info[i].ops);
3145 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3146 const struct nlattr *nla)
3148 u32 id = ntohl(nla_get_be32(nla));
3149 struct nft_trans *trans;
3151 list_for_each_entry(trans, &net->nft.commit_list, list) {
3152 struct nft_rule *rule = nft_trans_rule(trans);
3154 if (trans->msg_type == NFT_MSG_NEWRULE &&
3155 id == nft_trans_rule_id(trans))
3158 return ERR_PTR(-ENOENT);
3161 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3162 struct sk_buff *skb, const struct nlmsghdr *nlh,
3163 const struct nlattr * const nla[],
3164 struct netlink_ext_ack *extack)
3166 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3167 u8 genmask = nft_genmask_next(net);
3168 struct nft_table *table;
3169 struct nft_chain *chain = NULL;
3170 struct nft_rule *rule;
3171 int family = nfmsg->nfgen_family, err = 0;
3174 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3175 if (IS_ERR(table)) {
3176 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3177 return PTR_ERR(table);
3180 if (nla[NFTA_RULE_CHAIN]) {
3181 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3183 if (IS_ERR(chain)) {
3184 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3185 return PTR_ERR(chain);
3189 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3192 if (nla[NFTA_RULE_HANDLE]) {
3193 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3195 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3196 return PTR_ERR(rule);
3199 err = nft_delrule(&ctx, rule);
3200 } else if (nla[NFTA_RULE_ID]) {
3201 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3203 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3204 return PTR_ERR(rule);
3207 err = nft_delrule(&ctx, rule);
3209 err = nft_delrule_by_chain(&ctx);
3212 list_for_each_entry(chain, &table->chains, list) {
3213 if (!nft_is_active_next(net, chain))
3217 err = nft_delrule_by_chain(&ctx);
3230 static LIST_HEAD(nf_tables_set_types);
3232 int nft_register_set(struct nft_set_type *type)
3234 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3235 list_add_tail_rcu(&type->list, &nf_tables_set_types);
3236 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3239 EXPORT_SYMBOL_GPL(nft_register_set);
3241 void nft_unregister_set(struct nft_set_type *type)
3243 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3244 list_del_rcu(&type->list);
3245 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3247 EXPORT_SYMBOL_GPL(nft_unregister_set);
3249 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3250 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3253 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3255 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3259 * Select a set implementation based on the data characteristics and the
3260 * given policy. The total memory use might not be known if no size is
3261 * given, in that case the amount of memory per element is used.
3263 static const struct nft_set_ops *
3264 nft_select_set_ops(const struct nft_ctx *ctx,
3265 const struct nlattr * const nla[],
3266 const struct nft_set_desc *desc,
3267 enum nft_set_policies policy)
3269 const struct nft_set_ops *ops, *bops;
3270 struct nft_set_estimate est, best;
3271 const struct nft_set_type *type;
3274 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3275 lockdep_nfnl_nft_mutex_not_held();
3276 #ifdef CONFIG_MODULES
3277 if (list_empty(&nf_tables_set_types)) {
3278 nft_request_module(ctx->net, "nft-set");
3279 if (!list_empty(&nf_tables_set_types))
3280 return ERR_PTR(-EAGAIN);
3283 if (nla[NFTA_SET_FLAGS] != NULL)
3284 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3291 list_for_each_entry(type, &nf_tables_set_types, list) {
3294 if (!nft_set_ops_candidate(type, flags))
3296 if (!ops->estimate(desc, flags, &est))
3300 case NFT_SET_POL_PERFORMANCE:
3301 if (est.lookup < best.lookup)
3303 if (est.lookup == best.lookup &&
3304 est.space < best.space)
3307 case NFT_SET_POL_MEMORY:
3309 if (est.space < best.space)
3311 if (est.space == best.space &&
3312 est.lookup < best.lookup)
3314 } else if (est.size < best.size || !bops) {
3322 if (!try_module_get(type->owner))
3325 module_put(to_set_type(bops)->owner);
3334 return ERR_PTR(-EOPNOTSUPP);
3337 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3338 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3339 .len = NFT_TABLE_MAXNAMELEN - 1 },
3340 [NFTA_SET_NAME] = { .type = NLA_STRING,
3341 .len = NFT_SET_MAXNAMELEN - 1 },
3342 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3343 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3344 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3345 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3346 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3347 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3348 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3349 [NFTA_SET_ID] = { .type = NLA_U32 },
3350 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3351 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3352 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3353 .len = NFT_USERDATA_MAXLEN },
3354 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3355 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3358 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3359 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3362 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3363 const struct sk_buff *skb,
3364 const struct nlmsghdr *nlh,
3365 const struct nlattr * const nla[],
3366 struct netlink_ext_ack *extack,
3369 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3370 int family = nfmsg->nfgen_family;
3371 struct nft_table *table = NULL;
3373 if (nla[NFTA_SET_TABLE] != NULL) {
3374 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3376 if (IS_ERR(table)) {
3377 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3378 return PTR_ERR(table);
3382 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3386 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3387 const struct nlattr *nla, u8 genmask)
3389 struct nft_set *set;
3392 return ERR_PTR(-EINVAL);
3394 list_for_each_entry_rcu(set, &table->sets, list) {
3395 if (!nla_strcmp(nla, set->name) &&
3396 nft_active_genmask(set, genmask))
3399 return ERR_PTR(-ENOENT);
3402 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3403 const struct nlattr *nla,
3406 struct nft_set *set;
3408 list_for_each_entry(set, &table->sets, list) {
3409 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3410 nft_active_genmask(set, genmask))
3413 return ERR_PTR(-ENOENT);
3416 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3417 const struct nlattr *nla, u8 genmask)
3419 struct nft_trans *trans;
3420 u32 id = ntohl(nla_get_be32(nla));
3422 list_for_each_entry(trans, &net->nft.commit_list, list) {
3423 if (trans->msg_type == NFT_MSG_NEWSET) {
3424 struct nft_set *set = nft_trans_set(trans);
3426 if (id == nft_trans_set_id(trans) &&
3427 nft_active_genmask(set, genmask))
3431 return ERR_PTR(-ENOENT);
3434 struct nft_set *nft_set_lookup_global(const struct net *net,
3435 const struct nft_table *table,
3436 const struct nlattr *nla_set_name,
3437 const struct nlattr *nla_set_id,
3440 struct nft_set *set;
3442 set = nft_set_lookup(table, nla_set_name, genmask);
3447 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3451 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3453 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3456 const struct nft_set *i;
3458 unsigned long *inuse;
3459 unsigned int n = 0, min = 0;
3461 p = strchr(name, '%');
3463 if (p[1] != 'd' || strchr(p + 2, '%'))
3466 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3470 list_for_each_entry(i, &ctx->table->sets, list) {
3473 if (!nft_is_active_next(ctx->net, set))
3475 if (!sscanf(i->name, name, &tmp))
3477 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3480 set_bit(tmp - min, inuse);
3483 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3484 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3485 min += BITS_PER_BYTE * PAGE_SIZE;
3486 memset(inuse, 0, PAGE_SIZE);
3489 free_page((unsigned long)inuse);
3492 set->name = kasprintf(GFP_KERNEL, name, min + n);
3496 list_for_each_entry(i, &ctx->table->sets, list) {
3497 if (!nft_is_active_next(ctx->net, i))
3499 if (!strcmp(set->name, i->name)) {
3507 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3509 u64 ms = be64_to_cpu(nla_get_be64(nla));
3510 u64 max = (u64)(~((u64)0));
3512 max = div_u64(max, NSEC_PER_MSEC);
3516 ms *= NSEC_PER_MSEC;
3517 *result = nsecs_to_jiffies64(ms);
3521 static __be64 nf_jiffies64_to_msecs(u64 input)
3523 return cpu_to_be64(jiffies64_to_msecs(input));
3526 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3527 const struct nft_set *set, u16 event, u16 flags)
3529 struct nfgenmsg *nfmsg;
3530 struct nlmsghdr *nlh;
3531 struct nlattr *desc;
3532 u32 portid = ctx->portid;
3535 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3536 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3539 goto nla_put_failure;
3541 nfmsg = nlmsg_data(nlh);
3542 nfmsg->nfgen_family = ctx->family;
3543 nfmsg->version = NFNETLINK_V0;
3544 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3546 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3547 goto nla_put_failure;
3548 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3549 goto nla_put_failure;
3550 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3552 goto nla_put_failure;
3553 if (set->flags != 0)
3554 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3555 goto nla_put_failure;
3557 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3558 goto nla_put_failure;
3559 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3560 goto nla_put_failure;
3561 if (set->flags & NFT_SET_MAP) {
3562 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3563 goto nla_put_failure;
3564 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3565 goto nla_put_failure;
3567 if (set->flags & NFT_SET_OBJECT &&
3568 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3569 goto nla_put_failure;
3572 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3573 nf_jiffies64_to_msecs(set->timeout),
3575 goto nla_put_failure;
3577 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3578 goto nla_put_failure;
3580 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3581 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3582 goto nla_put_failure;
3585 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3586 goto nla_put_failure;
3588 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3590 goto nla_put_failure;
3592 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3593 goto nla_put_failure;
3594 nla_nest_end(skb, desc);
3596 nlmsg_end(skb, nlh);
3600 nlmsg_trim(skb, nlh);
3604 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3605 const struct nft_set *set, int event,
3608 struct sk_buff *skb;
3609 u32 portid = ctx->portid;
3613 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3616 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3620 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3626 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3630 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3633 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3635 const struct nft_set *set;
3636 unsigned int idx, s_idx = cb->args[0];
3637 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3638 struct net *net = sock_net(skb->sk);
3639 struct nft_ctx *ctx = cb->data, ctx_set;
3645 cb->seq = net->nft.base_seq;
3647 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3648 if (ctx->family != NFPROTO_UNSPEC &&
3649 ctx->family != table->family)
3652 if (ctx->table && ctx->table != table)
3656 if (cur_table != table)
3662 list_for_each_entry_rcu(set, &table->sets, list) {
3665 if (!nft_is_active(net, set))
3669 ctx_set.table = table;
3670 ctx_set.family = table->family;
3672 if (nf_tables_fill_set(skb, &ctx_set, set,
3676 cb->args[2] = (unsigned long) table;
3679 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3692 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3694 struct nft_ctx *ctx_dump = NULL;
3696 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3697 if (ctx_dump == NULL)
3700 cb->data = ctx_dump;
3704 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3710 /* called with rcu_read_lock held */
3711 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3712 struct sk_buff *skb, const struct nlmsghdr *nlh,
3713 const struct nlattr * const nla[],
3714 struct netlink_ext_ack *extack)
3716 u8 genmask = nft_genmask_cur(net);
3717 const struct nft_set *set;
3719 struct sk_buff *skb2;
3720 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3723 /* Verify existence before starting dump */
3724 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3729 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3730 struct netlink_dump_control c = {
3731 .start = nf_tables_dump_sets_start,
3732 .dump = nf_tables_dump_sets,
3733 .done = nf_tables_dump_sets_done,
3735 .module = THIS_MODULE,
3738 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3741 /* Only accept unspec with dump */
3742 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3743 return -EAFNOSUPPORT;
3744 if (!nla[NFTA_SET_TABLE])
3747 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3749 return PTR_ERR(set);
3751 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3755 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3759 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3766 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3767 const struct nlattr *nla)
3769 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3772 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3773 nft_set_desc_policy, NULL);
3777 if (da[NFTA_SET_DESC_SIZE] != NULL)
3778 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3783 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3784 struct sk_buff *skb, const struct nlmsghdr *nlh,
3785 const struct nlattr * const nla[],
3786 struct netlink_ext_ack *extack)
3788 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3789 u8 genmask = nft_genmask_next(net);
3790 int family = nfmsg->nfgen_family;
3791 const struct nft_set_ops *ops;
3792 struct nft_table *table;
3793 struct nft_set *set;
3798 u32 ktype, dtype, flags, policy, gc_int, objtype;
3799 struct nft_set_desc desc;
3800 unsigned char *udata;
3804 if (nla[NFTA_SET_TABLE] == NULL ||
3805 nla[NFTA_SET_NAME] == NULL ||
3806 nla[NFTA_SET_KEY_LEN] == NULL ||
3807 nla[NFTA_SET_ID] == NULL)
3810 memset(&desc, 0, sizeof(desc));
3812 ktype = NFT_DATA_VALUE;
3813 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3814 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3815 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3819 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3820 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3824 if (nla[NFTA_SET_FLAGS] != NULL) {
3825 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3826 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3827 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3828 NFT_SET_MAP | NFT_SET_EVAL |
3831 /* Only one of these operations is supported */
3832 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3833 (NFT_SET_MAP | NFT_SET_OBJECT))
3835 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3836 (NFT_SET_EVAL | NFT_SET_OBJECT))
3841 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3842 if (!(flags & NFT_SET_MAP))
3845 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3846 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3847 dtype != NFT_DATA_VERDICT)
3850 if (dtype != NFT_DATA_VERDICT) {
3851 if (nla[NFTA_SET_DATA_LEN] == NULL)
3853 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3854 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3857 desc.dlen = sizeof(struct nft_verdict);
3858 } else if (flags & NFT_SET_MAP)
3861 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3862 if (!(flags & NFT_SET_OBJECT))
3865 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3866 if (objtype == NFT_OBJECT_UNSPEC ||
3867 objtype > NFT_OBJECT_MAX)
3869 } else if (flags & NFT_SET_OBJECT)
3872 objtype = NFT_OBJECT_UNSPEC;
3875 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3876 if (!(flags & NFT_SET_TIMEOUT))
3879 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3884 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3885 if (!(flags & NFT_SET_TIMEOUT))
3887 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3890 policy = NFT_SET_POL_PERFORMANCE;
3891 if (nla[NFTA_SET_POLICY] != NULL)
3892 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3894 if (nla[NFTA_SET_DESC] != NULL) {
3895 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3900 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3901 if (IS_ERR(table)) {
3902 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3903 return PTR_ERR(table);
3906 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3908 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3910 if (PTR_ERR(set) != -ENOENT) {
3911 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3912 return PTR_ERR(set);
3915 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3916 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3919 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3925 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3928 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3930 return PTR_ERR(ops);
3933 if (nla[NFTA_SET_USERDATA])
3934 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3937 if (ops->privsize != NULL)
3938 size = ops->privsize(nla, &desc);
3940 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3946 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3952 err = nf_tables_set_alloc_name(&ctx, set, name);
3959 udata = set->data + size;
3960 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3963 INIT_LIST_HEAD(&set->bindings);
3965 write_pnet(&set->net, net);
3968 set->klen = desc.klen;
3970 set->objtype = objtype;
3971 set->dlen = desc.dlen;
3973 set->size = desc.size;
3974 set->policy = policy;
3977 set->timeout = timeout;
3978 set->gc_int = gc_int;
3979 set->handle = nf_tables_alloc_handle(table);
3981 err = ops->init(set, &desc, nla);
3985 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3989 list_add_tail_rcu(&set->list, &table->sets);
4000 module_put(to_set_type(ops)->owner);
4004 static void nft_set_destroy(struct nft_set *set)
4006 if (WARN_ON(set->use > 0))
4009 set->ops->destroy(set);
4010 module_put(to_set_type(set->ops)->owner);
4015 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4016 struct sk_buff *skb, const struct nlmsghdr *nlh,
4017 const struct nlattr * const nla[],
4018 struct netlink_ext_ack *extack)
4020 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4021 u8 genmask = nft_genmask_next(net);
4022 const struct nlattr *attr;
4023 struct nft_set *set;
4027 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4028 return -EAFNOSUPPORT;
4029 if (nla[NFTA_SET_TABLE] == NULL)
4032 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4037 if (nla[NFTA_SET_HANDLE]) {
4038 attr = nla[NFTA_SET_HANDLE];
4039 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4041 attr = nla[NFTA_SET_NAME];
4042 set = nft_set_lookup(ctx.table, attr, genmask);
4046 NL_SET_BAD_ATTR(extack, attr);
4047 return PTR_ERR(set);
4050 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4051 NL_SET_BAD_ATTR(extack, attr);
4055 return nft_delset(&ctx, set);
4058 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4059 struct nft_set *set,
4060 const struct nft_set_iter *iter,
4061 struct nft_set_elem *elem)
4063 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4064 enum nft_registers dreg;
4066 dreg = nft_type_to_reg(set->dtype);
4067 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4068 set->dtype == NFT_DATA_VERDICT ?
4069 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4073 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4074 struct nft_set_binding *binding)
4076 struct nft_set_binding *i;
4077 struct nft_set_iter iter;
4079 if (set->use == UINT_MAX)
4082 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4085 if (binding->flags & NFT_SET_MAP) {
4086 /* If the set is already bound to the same chain all
4087 * jumps are already validated for that chain.
4089 list_for_each_entry(i, &set->bindings, list) {
4090 if (i->flags & NFT_SET_MAP &&
4091 i->chain == binding->chain)
4095 iter.genmask = nft_genmask_next(ctx->net);
4099 iter.fn = nf_tables_bind_check_setelem;
4101 set->ops->walk(ctx, set, &iter);
4106 binding->chain = ctx->chain;
4107 list_add_tail_rcu(&binding->list, &set->bindings);
4108 nft_set_trans_bind(ctx, set);
4113 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4115 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4116 struct nft_set_binding *binding, bool event)
4118 list_del_rcu(&binding->list);
4120 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4121 list_del_rcu(&set->list);
4123 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4128 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4129 struct nft_set_binding *binding,
4130 enum nft_trans_phase phase)
4133 case NFT_TRANS_PREPARE:
4136 case NFT_TRANS_ABORT:
4137 case NFT_TRANS_RELEASE:
4141 nf_tables_unbind_set(ctx, set, binding,
4142 phase == NFT_TRANS_COMMIT);
4145 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4147 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4149 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4150 nft_set_destroy(set);
4152 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4154 const struct nft_set_ext_type nft_set_ext_types[] = {
4155 [NFT_SET_EXT_KEY] = {
4156 .align = __alignof__(u32),
4158 [NFT_SET_EXT_DATA] = {
4159 .align = __alignof__(u32),
4161 [NFT_SET_EXT_EXPR] = {
4162 .align = __alignof__(struct nft_expr),
4164 [NFT_SET_EXT_OBJREF] = {
4165 .len = sizeof(struct nft_object *),
4166 .align = __alignof__(struct nft_object *),
4168 [NFT_SET_EXT_FLAGS] = {
4170 .align = __alignof__(u8),
4172 [NFT_SET_EXT_TIMEOUT] = {
4174 .align = __alignof__(u64),
4176 [NFT_SET_EXT_EXPIRATION] = {
4178 .align = __alignof__(u64),
4180 [NFT_SET_EXT_USERDATA] = {
4181 .len = sizeof(struct nft_userdata),
4182 .align = __alignof__(struct nft_userdata),
4185 EXPORT_SYMBOL_GPL(nft_set_ext_types);
4191 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4192 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4193 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4194 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4195 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4196 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4197 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4198 .len = NFT_USERDATA_MAXLEN },
4199 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4200 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
4203 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4204 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4205 .len = NFT_TABLE_MAXNAMELEN - 1 },
4206 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4207 .len = NFT_SET_MAXNAMELEN - 1 },
4208 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4209 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4212 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4213 const struct sk_buff *skb,
4214 const struct nlmsghdr *nlh,
4215 const struct nlattr * const nla[],
4216 struct netlink_ext_ack *extack,
4219 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4220 int family = nfmsg->nfgen_family;
4221 struct nft_table *table;
4223 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4225 if (IS_ERR(table)) {
4226 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4227 return PTR_ERR(table);
4230 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4234 static int nf_tables_fill_setelem(struct sk_buff *skb,
4235 const struct nft_set *set,
4236 const struct nft_set_elem *elem)
4238 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4239 unsigned char *b = skb_tail_pointer(skb);
4240 struct nlattr *nest;
4242 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4244 goto nla_put_failure;
4246 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4247 NFT_DATA_VALUE, set->klen) < 0)
4248 goto nla_put_failure;
4250 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4251 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4252 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4254 goto nla_put_failure;
4256 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4257 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4258 goto nla_put_failure;
4260 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4261 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4262 (*nft_set_ext_obj(ext))->key.name) < 0)
4263 goto nla_put_failure;
4265 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4266 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4267 htonl(*nft_set_ext_flags(ext))))
4268 goto nla_put_failure;
4270 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4271 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4272 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4274 goto nla_put_failure;
4276 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4277 u64 expires, now = get_jiffies_64();
4279 expires = *nft_set_ext_expiration(ext);
4280 if (time_before64(now, expires))
4285 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4286 nf_jiffies64_to_msecs(expires),
4288 goto nla_put_failure;
4291 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4292 struct nft_userdata *udata;
4294 udata = nft_set_ext_userdata(ext);
4295 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4296 udata->len + 1, udata->data))
4297 goto nla_put_failure;
4300 nla_nest_end(skb, nest);
4308 struct nft_set_dump_args {
4309 const struct netlink_callback *cb;
4310 struct nft_set_iter iter;
4311 struct sk_buff *skb;
4314 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4315 struct nft_set *set,
4316 const struct nft_set_iter *iter,
4317 struct nft_set_elem *elem)
4319 struct nft_set_dump_args *args;
4321 args = container_of(iter, struct nft_set_dump_args, iter);
4322 return nf_tables_fill_setelem(args->skb, set, elem);
4325 struct nft_set_dump_ctx {
4326 const struct nft_set *set;
4330 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4332 struct nft_set_dump_ctx *dump_ctx = cb->data;
4333 struct net *net = sock_net(skb->sk);
4334 struct nft_table *table;
4335 struct nft_set *set;
4336 struct nft_set_dump_args args;
4337 bool set_found = false;
4338 struct nfgenmsg *nfmsg;
4339 struct nlmsghdr *nlh;
4340 struct nlattr *nest;
4345 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4346 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4347 dump_ctx->ctx.family != table->family)
4350 if (table != dump_ctx->ctx.table)
4353 list_for_each_entry_rcu(set, &table->sets, list) {
4354 if (set == dump_ctx->set) {
4367 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4368 portid = NETLINK_CB(cb->skb).portid;
4369 seq = cb->nlh->nlmsg_seq;
4371 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4374 goto nla_put_failure;
4376 nfmsg = nlmsg_data(nlh);
4377 nfmsg->nfgen_family = table->family;
4378 nfmsg->version = NFNETLINK_V0;
4379 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4381 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4382 goto nla_put_failure;
4383 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4384 goto nla_put_failure;
4386 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4388 goto nla_put_failure;
4392 args.iter.genmask = nft_genmask_cur(net);
4393 args.iter.skip = cb->args[0];
4394 args.iter.count = 0;
4396 args.iter.fn = nf_tables_dump_setelem;
4397 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4400 nla_nest_end(skb, nest);
4401 nlmsg_end(skb, nlh);
4403 if (args.iter.err && args.iter.err != -EMSGSIZE)
4404 return args.iter.err;
4405 if (args.iter.count == cb->args[0])
4408 cb->args[0] = args.iter.count;
4416 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4418 struct nft_set_dump_ctx *dump_ctx = cb->data;
4420 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4422 return cb->data ? 0 : -ENOMEM;
4425 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4431 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4432 const struct nft_ctx *ctx, u32 seq,
4433 u32 portid, int event, u16 flags,
4434 const struct nft_set *set,
4435 const struct nft_set_elem *elem)
4437 struct nfgenmsg *nfmsg;
4438 struct nlmsghdr *nlh;
4439 struct nlattr *nest;
4442 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4443 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4446 goto nla_put_failure;
4448 nfmsg = nlmsg_data(nlh);
4449 nfmsg->nfgen_family = ctx->family;
4450 nfmsg->version = NFNETLINK_V0;
4451 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4453 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4454 goto nla_put_failure;
4455 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4456 goto nla_put_failure;
4458 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4460 goto nla_put_failure;
4462 err = nf_tables_fill_setelem(skb, set, elem);
4464 goto nla_put_failure;
4466 nla_nest_end(skb, nest);
4468 nlmsg_end(skb, nlh);
4472 nlmsg_trim(skb, nlh);
4476 static int nft_setelem_parse_flags(const struct nft_set *set,
4477 const struct nlattr *attr, u32 *flags)
4482 *flags = ntohl(nla_get_be32(attr));
4483 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4485 if (!(set->flags & NFT_SET_INTERVAL) &&
4486 *flags & NFT_SET_ELEM_INTERVAL_END)
4492 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4493 const struct nlattr *attr)
4495 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4496 struct nft_data_desc desc;
4497 struct nft_set_elem elem;
4498 struct sk_buff *skb;
4503 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4504 nft_set_elem_policy, NULL);
4508 if (!nla[NFTA_SET_ELEM_KEY])
4511 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4515 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4516 nla[NFTA_SET_ELEM_KEY]);
4521 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4524 priv = set->ops->get(ctx->net, set, &elem, flags);
4526 return PTR_ERR(priv);
4531 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4535 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4536 NFT_MSG_NEWSETELEM, 0, set, &elem);
4540 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4541 /* This avoids a loop in nfnetlink. */
4549 /* this avoids a loop in nfnetlink. */
4550 return err == -EAGAIN ? -ENOBUFS : err;
4553 /* called with rcu_read_lock held */
4554 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4555 struct sk_buff *skb, const struct nlmsghdr *nlh,
4556 const struct nlattr * const nla[],
4557 struct netlink_ext_ack *extack)
4559 u8 genmask = nft_genmask_cur(net);
4560 struct nft_set *set;
4561 struct nlattr *attr;
4565 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4570 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4572 return PTR_ERR(set);
4574 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4575 struct netlink_dump_control c = {
4576 .start = nf_tables_dump_set_start,
4577 .dump = nf_tables_dump_set,
4578 .done = nf_tables_dump_set_done,
4579 .module = THIS_MODULE,
4581 struct nft_set_dump_ctx dump_ctx = {
4587 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4590 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4593 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4594 err = nft_get_set_elem(&ctx, set, attr);
4602 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4603 const struct nft_set *set,
4604 const struct nft_set_elem *elem,
4605 int event, u16 flags)
4607 struct net *net = ctx->net;
4608 u32 portid = ctx->portid;
4609 struct sk_buff *skb;
4612 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4615 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4619 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4626 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4630 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4633 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4635 struct nft_set *set)
4637 struct nft_trans *trans;
4639 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4643 nft_trans_elem_set(trans) = set;
4647 void *nft_set_elem_init(const struct nft_set *set,
4648 const struct nft_set_ext_tmpl *tmpl,
4649 const u32 *key, const u32 *data,
4650 u64 timeout, u64 expiration, gfp_t gfp)
4652 struct nft_set_ext *ext;
4655 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4659 ext = nft_set_elem_ext(set, elem);
4660 nft_set_ext_init(ext, tmpl);
4662 memcpy(nft_set_ext_key(ext), key, set->klen);
4663 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4664 memcpy(nft_set_ext_data(ext), data, set->dlen);
4665 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4666 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4667 if (expiration == 0)
4668 *nft_set_ext_expiration(ext) += timeout;
4670 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4671 *nft_set_ext_timeout(ext) = timeout;
4676 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4679 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4680 struct nft_ctx ctx = {
4681 .net = read_pnet(&set->net),
4682 .family = set->table->family,
4685 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4686 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4687 nft_data_release(nft_set_ext_data(ext), set->dtype);
4688 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4689 struct nft_expr *expr = nft_set_ext_expr(ext);
4691 if (expr->ops->destroy_clone) {
4692 expr->ops->destroy_clone(&ctx, expr);
4693 module_put(expr->ops->type->owner);
4695 nf_tables_expr_destroy(&ctx, expr);
4698 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4699 (*nft_set_ext_obj(ext))->use--;
4702 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4704 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4705 * the refcounting from the preparation phase.
4707 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4708 const struct nft_set *set, void *elem)
4710 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4712 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4713 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4717 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4718 const struct nlattr *attr, u32 nlmsg_flags)
4720 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4721 u8 genmask = nft_genmask_next(ctx->net);
4722 struct nft_data_desc d1, d2;
4723 struct nft_set_ext_tmpl tmpl;
4724 struct nft_set_ext *ext, *ext2;
4725 struct nft_set_elem elem;
4726 struct nft_set_binding *binding;
4727 struct nft_object *obj = NULL;
4728 struct nft_userdata *udata;
4729 struct nft_data data;
4730 enum nft_registers dreg;
4731 struct nft_trans *trans;
4738 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4739 nft_set_elem_policy, NULL);
4743 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4746 nft_set_ext_prepare(&tmpl);
4748 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4752 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4754 if (set->flags & NFT_SET_MAP) {
4755 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4756 !(flags & NFT_SET_ELEM_INTERVAL_END))
4758 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4759 flags & NFT_SET_ELEM_INTERVAL_END)
4762 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4767 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4768 if (!(set->flags & NFT_SET_TIMEOUT))
4770 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4774 } else if (set->flags & NFT_SET_TIMEOUT) {
4775 timeout = set->timeout;
4779 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
4780 if (!(set->flags & NFT_SET_TIMEOUT))
4782 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
4788 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4789 nla[NFTA_SET_ELEM_KEY]);
4793 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4796 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4798 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4799 if (timeout != set->timeout)
4800 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4803 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4804 if (!(set->flags & NFT_SET_OBJECT)) {
4808 obj = nft_obj_lookup(ctx->net, ctx->table,
4809 nla[NFTA_SET_ELEM_OBJREF],
4810 set->objtype, genmask);
4815 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4818 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4819 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4820 nla[NFTA_SET_ELEM_DATA]);
4825 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4828 dreg = nft_type_to_reg(set->dtype);
4829 list_for_each_entry(binding, &set->bindings, list) {
4830 struct nft_ctx bind_ctx = {
4832 .family = ctx->family,
4833 .table = ctx->table,
4834 .chain = (struct nft_chain *)binding->chain,
4837 if (!(binding->flags & NFT_SET_MAP))
4840 err = nft_validate_register_store(&bind_ctx, dreg,
4846 if (d2.type == NFT_DATA_VERDICT &&
4847 (data.verdict.code == NFT_GOTO ||
4848 data.verdict.code == NFT_JUMP))
4849 nft_validate_state_update(ctx->net,
4853 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4856 /* The full maximum length of userdata can exceed the maximum
4857 * offset value (U8_MAX) for following extensions, therefor it
4858 * must be the last extension added.
4861 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4862 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4864 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4869 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4870 timeout, expiration, GFP_KERNEL);
4871 if (elem.priv == NULL)
4874 ext = nft_set_elem_ext(set, elem.priv);
4876 *nft_set_ext_flags(ext) = flags;
4878 udata = nft_set_ext_userdata(ext);
4879 udata->len = ulen - 1;
4880 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4883 *nft_set_ext_obj(ext) = obj;
4887 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4891 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4892 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4894 if (err == -EEXIST) {
4895 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4896 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4897 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4898 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4902 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4903 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4904 memcmp(nft_set_ext_data(ext),
4905 nft_set_ext_data(ext2), set->dlen) != 0) ||
4906 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4907 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4908 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4910 else if (!(nlmsg_flags & NLM_F_EXCL))
4917 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4922 nft_trans_elem(trans) = elem;
4923 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4927 set->ops->remove(ctx->net, set, &elem);
4935 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4936 nft_data_release(&data, d2.type);
4938 nft_data_release(&elem.key.val, d1.type);
4943 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4944 struct sk_buff *skb, const struct nlmsghdr *nlh,
4945 const struct nlattr * const nla[],
4946 struct netlink_ext_ack *extack)
4948 u8 genmask = nft_genmask_next(net);
4949 const struct nlattr *attr;
4950 struct nft_set *set;
4954 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4957 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4962 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4963 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4965 return PTR_ERR(set);
4967 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4970 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4971 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4976 if (net->nft.validate_state == NFT_VALIDATE_DO)
4977 return nft_table_validate(net, ctx.table);
4983 * nft_data_hold - hold a nft_data item
4985 * @data: struct nft_data to release
4986 * @type: type of data
4988 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4989 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4990 * NFT_GOTO verdicts. This function must be called on active data objects
4991 * from the second phase of the commit protocol.
4993 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4995 if (type == NFT_DATA_VERDICT) {
4996 switch (data->verdict.code) {
4999 data->verdict.chain->use++;
5005 static void nft_set_elem_activate(const struct net *net,
5006 const struct nft_set *set,
5007 struct nft_set_elem *elem)
5009 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5011 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5012 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5013 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5014 (*nft_set_ext_obj(ext))->use++;
5017 static void nft_set_elem_deactivate(const struct net *net,
5018 const struct nft_set *set,
5019 struct nft_set_elem *elem)
5021 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5023 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5024 nft_data_release(nft_set_ext_data(ext), set->dtype);
5025 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5026 (*nft_set_ext_obj(ext))->use--;
5029 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5030 const struct nlattr *attr)
5032 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5033 struct nft_set_ext_tmpl tmpl;
5034 struct nft_data_desc desc;
5035 struct nft_set_elem elem;
5036 struct nft_set_ext *ext;
5037 struct nft_trans *trans;
5042 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5043 nft_set_elem_policy, NULL);
5048 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5051 nft_set_ext_prepare(&tmpl);
5053 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5057 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5059 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
5060 nla[NFTA_SET_ELEM_KEY]);
5065 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
5068 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
5071 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
5073 if (elem.priv == NULL)
5076 ext = nft_set_elem_ext(set, elem.priv);
5078 *nft_set_ext_flags(ext) = flags;
5080 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5081 if (trans == NULL) {
5086 priv = set->ops->deactivate(ctx->net, set, &elem);
5094 nft_set_elem_deactivate(ctx->net, set, &elem);
5096 nft_trans_elem(trans) = elem;
5097 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5105 nft_data_release(&elem.key.val, desc.type);
5110 static int nft_flush_set(const struct nft_ctx *ctx,
5111 struct nft_set *set,
5112 const struct nft_set_iter *iter,
5113 struct nft_set_elem *elem)
5115 struct nft_trans *trans;
5118 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5119 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5123 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5129 nft_set_elem_deactivate(ctx->net, set, elem);
5130 nft_trans_elem_set(trans) = set;
5131 nft_trans_elem(trans) = *elem;
5132 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5140 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5141 struct sk_buff *skb, const struct nlmsghdr *nlh,
5142 const struct nlattr * const nla[],
5143 struct netlink_ext_ack *extack)
5145 u8 genmask = nft_genmask_next(net);
5146 const struct nlattr *attr;
5147 struct nft_set *set;
5151 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5156 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5158 return PTR_ERR(set);
5159 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5162 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5163 struct nft_set_iter iter = {
5165 .fn = nft_flush_set,
5167 set->ops->walk(&ctx, set, &iter);
5172 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5173 err = nft_del_setelem(&ctx, set, attr);
5182 void nft_set_gc_batch_release(struct rcu_head *rcu)
5184 struct nft_set_gc_batch *gcb;
5187 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5188 for (i = 0; i < gcb->head.cnt; i++)
5189 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5192 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
5194 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5197 struct nft_set_gc_batch *gcb;
5199 gcb = kzalloc(sizeof(*gcb), gfp);
5202 gcb->head.set = set;
5205 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
5212 * nft_register_obj- register nf_tables stateful object type
5215 * Registers the object type for use with nf_tables. Returns zero on
5216 * success or a negative errno code otherwise.
5218 int nft_register_obj(struct nft_object_type *obj_type)
5220 if (obj_type->type == NFT_OBJECT_UNSPEC)
5223 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5224 list_add_rcu(&obj_type->list, &nf_tables_objects);
5225 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5228 EXPORT_SYMBOL_GPL(nft_register_obj);
5231 * nft_unregister_obj - unregister nf_tables object type
5234 * Unregisters the object type for use with nf_tables.
5236 void nft_unregister_obj(struct nft_object_type *obj_type)
5238 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5239 list_del_rcu(&obj_type->list);
5240 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5242 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5244 struct nft_object *nft_obj_lookup(const struct net *net,
5245 const struct nft_table *table,
5246 const struct nlattr *nla, u32 objtype,
5249 struct nft_object_hash_key k = { .table = table };
5250 char search[NFT_OBJ_MAXNAMELEN];
5251 struct rhlist_head *tmp, *list;
5252 struct nft_object *obj;
5254 nla_strlcpy(search, nla, sizeof(search));
5257 WARN_ON_ONCE(!rcu_read_lock_held() &&
5258 !lockdep_commit_lock_is_held(net));
5261 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5265 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5266 if (objtype == obj->ops->type->type &&
5267 nft_active_genmask(obj, genmask)) {
5274 return ERR_PTR(-ENOENT);
5276 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5278 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5279 const struct nlattr *nla,
5280 u32 objtype, u8 genmask)
5282 struct nft_object *obj;
5284 list_for_each_entry(obj, &table->objects, list) {
5285 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5286 objtype == obj->ops->type->type &&
5287 nft_active_genmask(obj, genmask))
5290 return ERR_PTR(-ENOENT);
5293 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5294 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5295 .len = NFT_TABLE_MAXNAMELEN - 1 },
5296 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5297 .len = NFT_OBJ_MAXNAMELEN - 1 },
5298 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5299 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5300 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5303 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5304 const struct nft_object_type *type,
5305 const struct nlattr *attr)
5308 const struct nft_object_ops *ops;
5309 struct nft_object *obj;
5312 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5317 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5318 type->policy, NULL);
5322 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5325 if (type->select_ops) {
5326 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5336 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5340 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5353 return ERR_PTR(err);
5356 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5357 struct nft_object *obj, bool reset)
5359 struct nlattr *nest;
5361 nest = nla_nest_start_noflag(skb, attr);
5363 goto nla_put_failure;
5364 if (obj->ops->dump(skb, obj, reset) < 0)
5365 goto nla_put_failure;
5366 nla_nest_end(skb, nest);
5373 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5375 const struct nft_object_type *type;
5377 list_for_each_entry(type, &nf_tables_objects, list) {
5378 if (objtype == type->type)
5384 static const struct nft_object_type *
5385 nft_obj_type_get(struct net *net, u32 objtype)
5387 const struct nft_object_type *type;
5389 type = __nft_obj_type_get(objtype);
5390 if (type != NULL && try_module_get(type->owner))
5393 lockdep_nfnl_nft_mutex_not_held();
5394 #ifdef CONFIG_MODULES
5396 nft_request_module(net, "nft-obj-%u", objtype);
5397 if (__nft_obj_type_get(objtype))
5398 return ERR_PTR(-EAGAIN);
5401 return ERR_PTR(-ENOENT);
5404 static int nf_tables_updobj(const struct nft_ctx *ctx,
5405 const struct nft_object_type *type,
5406 const struct nlattr *attr,
5407 struct nft_object *obj)
5409 struct nft_object *newobj;
5410 struct nft_trans *trans;
5413 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5414 sizeof(struct nft_trans_obj));
5418 newobj = nft_obj_init(ctx, type, attr);
5419 if (IS_ERR(newobj)) {
5420 err = PTR_ERR(newobj);
5421 goto err_free_trans;
5424 nft_trans_obj(trans) = obj;
5425 nft_trans_obj_update(trans) = true;
5426 nft_trans_obj_newobj(trans) = newobj;
5427 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5436 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5437 struct sk_buff *skb, const struct nlmsghdr *nlh,
5438 const struct nlattr * const nla[],
5439 struct netlink_ext_ack *extack)
5441 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5442 const struct nft_object_type *type;
5443 u8 genmask = nft_genmask_next(net);
5444 int family = nfmsg->nfgen_family;
5445 struct nft_table *table;
5446 struct nft_object *obj;
5451 if (!nla[NFTA_OBJ_TYPE] ||
5452 !nla[NFTA_OBJ_NAME] ||
5453 !nla[NFTA_OBJ_DATA])
5456 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5457 if (IS_ERR(table)) {
5458 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5459 return PTR_ERR(table);
5462 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5463 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5466 if (err != -ENOENT) {
5467 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5471 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5472 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5475 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5478 type = nft_obj_type_get(net, objtype);
5479 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5481 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5484 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5486 type = nft_obj_type_get(net, objtype);
5488 return PTR_ERR(type);
5490 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5495 obj->key.table = table;
5496 obj->handle = nf_tables_alloc_handle(table);
5498 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5499 if (!obj->key.name) {
5504 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5508 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5509 nft_objname_ht_params);
5513 list_add_tail_rcu(&obj->list, &table->objects);
5517 /* queued in transaction log */
5518 INIT_LIST_HEAD(&obj->list);
5521 kfree(obj->key.name);
5523 if (obj->ops->destroy)
5524 obj->ops->destroy(&ctx, obj);
5527 module_put(type->owner);
5531 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5532 u32 portid, u32 seq, int event, u32 flags,
5533 int family, const struct nft_table *table,
5534 struct nft_object *obj, bool reset)
5536 struct nfgenmsg *nfmsg;
5537 struct nlmsghdr *nlh;
5539 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5540 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5542 goto nla_put_failure;
5544 nfmsg = nlmsg_data(nlh);
5545 nfmsg->nfgen_family = family;
5546 nfmsg->version = NFNETLINK_V0;
5547 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5549 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5550 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5551 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5552 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5553 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5554 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5556 goto nla_put_failure;
5558 nlmsg_end(skb, nlh);
5562 nlmsg_trim(skb, nlh);
5566 struct nft_obj_filter {
5571 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5573 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5574 const struct nft_table *table;
5575 unsigned int idx = 0, s_idx = cb->args[0];
5576 struct nft_obj_filter *filter = cb->data;
5577 struct net *net = sock_net(skb->sk);
5578 int family = nfmsg->nfgen_family;
5579 struct nft_object *obj;
5582 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5586 cb->seq = net->nft.base_seq;
5588 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5589 if (family != NFPROTO_UNSPEC && family != table->family)
5592 list_for_each_entry_rcu(obj, &table->objects, list) {
5593 if (!nft_is_active(net, obj))
5598 memset(&cb->args[1], 0,
5599 sizeof(cb->args) - sizeof(cb->args[0]));
5600 if (filter && filter->table &&
5601 strcmp(filter->table, table->name))
5604 filter->type != NFT_OBJECT_UNSPEC &&
5605 obj->ops->type->type != filter->type)
5608 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5611 NLM_F_MULTI | NLM_F_APPEND,
5612 table->family, table,
5616 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5628 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5630 const struct nlattr * const *nla = cb->data;
5631 struct nft_obj_filter *filter = NULL;
5633 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5634 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5638 if (nla[NFTA_OBJ_TABLE]) {
5639 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5640 if (!filter->table) {
5646 if (nla[NFTA_OBJ_TYPE])
5647 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5654 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5656 struct nft_obj_filter *filter = cb->data;
5659 kfree(filter->table);
5666 /* called with rcu_read_lock held */
5667 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5668 struct sk_buff *skb, const struct nlmsghdr *nlh,
5669 const struct nlattr * const nla[],
5670 struct netlink_ext_ack *extack)
5672 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5673 u8 genmask = nft_genmask_cur(net);
5674 int family = nfmsg->nfgen_family;
5675 const struct nft_table *table;
5676 struct nft_object *obj;
5677 struct sk_buff *skb2;
5682 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5683 struct netlink_dump_control c = {
5684 .start = nf_tables_dump_obj_start,
5685 .dump = nf_tables_dump_obj,
5686 .done = nf_tables_dump_obj_done,
5687 .module = THIS_MODULE,
5688 .data = (void *)nla,
5691 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5694 if (!nla[NFTA_OBJ_NAME] ||
5695 !nla[NFTA_OBJ_TYPE])
5698 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5699 if (IS_ERR(table)) {
5700 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5701 return PTR_ERR(table);
5704 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5705 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5707 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5708 return PTR_ERR(obj);
5711 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5715 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5718 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5719 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5720 family, table, obj, reset);
5724 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5730 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5732 if (obj->ops->destroy)
5733 obj->ops->destroy(ctx, obj);
5735 module_put(obj->ops->type->owner);
5736 kfree(obj->key.name);
5740 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5741 struct sk_buff *skb, const struct nlmsghdr *nlh,
5742 const struct nlattr * const nla[],
5743 struct netlink_ext_ack *extack)
5745 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5746 u8 genmask = nft_genmask_next(net);
5747 int family = nfmsg->nfgen_family;
5748 const struct nlattr *attr;
5749 struct nft_table *table;
5750 struct nft_object *obj;
5754 if (!nla[NFTA_OBJ_TYPE] ||
5755 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5758 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5759 if (IS_ERR(table)) {
5760 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5761 return PTR_ERR(table);
5764 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5765 if (nla[NFTA_OBJ_HANDLE]) {
5766 attr = nla[NFTA_OBJ_HANDLE];
5767 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5769 attr = nla[NFTA_OBJ_NAME];
5770 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5774 NL_SET_BAD_ATTR(extack, attr);
5775 return PTR_ERR(obj);
5778 NL_SET_BAD_ATTR(extack, attr);
5782 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5784 return nft_delobj(&ctx, obj);
5787 void nft_obj_notify(struct net *net, const struct nft_table *table,
5788 struct nft_object *obj, u32 portid, u32 seq, int event,
5789 int family, int report, gfp_t gfp)
5791 struct sk_buff *skb;
5795 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5798 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5802 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5809 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5812 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5814 EXPORT_SYMBOL_GPL(nft_obj_notify);
5816 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5817 struct nft_object *obj, int event)
5819 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5820 ctx->family, ctx->report, GFP_KERNEL);
5826 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5828 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5829 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5830 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5832 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5834 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5836 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5837 list_del_rcu(&type->list);
5838 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5840 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5842 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5843 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5844 .len = NFT_NAME_MAXLEN - 1 },
5845 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5846 .len = NFT_NAME_MAXLEN - 1 },
5847 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5848 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5849 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
5852 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5853 const struct nlattr *nla, u8 genmask)
5855 struct nft_flowtable *flowtable;
5857 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5858 if (!nla_strcmp(nla, flowtable->name) &&
5859 nft_active_genmask(flowtable, genmask))
5862 return ERR_PTR(-ENOENT);
5864 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5866 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
5867 struct nft_flowtable *flowtable,
5868 enum nft_trans_phase phase)
5871 case NFT_TRANS_PREPARE:
5872 case NFT_TRANS_ABORT:
5873 case NFT_TRANS_RELEASE:
5880 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
5882 static struct nft_flowtable *
5883 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5884 const struct nlattr *nla, u8 genmask)
5886 struct nft_flowtable *flowtable;
5888 list_for_each_entry(flowtable, &table->flowtables, list) {
5889 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5890 nft_active_genmask(flowtable, genmask))
5893 return ERR_PTR(-ENOENT);
5896 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5897 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5898 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5899 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5902 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5903 const struct nlattr *attr,
5904 struct nft_flowtable *flowtable)
5906 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5907 struct nft_hook *hook;
5908 int hooknum, priority;
5911 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5912 nft_flowtable_hook_policy, NULL);
5916 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5917 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5918 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5921 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5922 if (hooknum != NF_NETDEV_INGRESS)
5925 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5927 err = nf_tables_parse_netdev_hooks(ctx->net,
5928 tb[NFTA_FLOWTABLE_HOOK_DEVS],
5929 &flowtable->hook_list);
5933 flowtable->hooknum = hooknum;
5934 flowtable->data.priority = priority;
5936 list_for_each_entry(hook, &flowtable->hook_list, list) {
5937 hook->ops.pf = NFPROTO_NETDEV;
5938 hook->ops.hooknum = hooknum;
5939 hook->ops.priority = priority;
5940 hook->ops.priv = &flowtable->data;
5941 hook->ops.hook = flowtable->data.type->hook;
5947 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5949 const struct nf_flowtable_type *type;
5951 list_for_each_entry(type, &nf_tables_flowtables, list) {
5952 if (family == type->family)
5958 static const struct nf_flowtable_type *
5959 nft_flowtable_type_get(struct net *net, u8 family)
5961 const struct nf_flowtable_type *type;
5963 type = __nft_flowtable_type_get(family);
5964 if (type != NULL && try_module_get(type->owner))
5967 lockdep_nfnl_nft_mutex_not_held();
5968 #ifdef CONFIG_MODULES
5970 nft_request_module(net, "nf-flowtable-%u", family);
5971 if (__nft_flowtable_type_get(family))
5972 return ERR_PTR(-EAGAIN);
5975 return ERR_PTR(-ENOENT);
5978 static void nft_unregister_flowtable_hook(struct net *net,
5979 struct nft_flowtable *flowtable,
5980 struct nft_hook *hook)
5982 nf_unregister_net_hook(net, &hook->ops);
5983 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
5987 static void nft_unregister_flowtable_net_hooks(struct net *net,
5988 struct nft_flowtable *flowtable)
5990 struct nft_hook *hook;
5992 list_for_each_entry(hook, &flowtable->hook_list, list)
5993 nft_unregister_flowtable_hook(net, flowtable, hook);
5996 static int nft_register_flowtable_net_hooks(struct net *net,
5997 struct nft_table *table,
5998 struct nft_flowtable *flowtable)
6000 struct nft_hook *hook, *hook2, *next;
6001 struct nft_flowtable *ft;
6004 list_for_each_entry(hook, &flowtable->hook_list, list) {
6005 list_for_each_entry(ft, &table->flowtables, list) {
6006 list_for_each_entry(hook2, &ft->hook_list, list) {
6007 if (hook->ops.dev == hook2->ops.dev &&
6008 hook->ops.pf == hook2->ops.pf) {
6010 goto err_unregister_net_hooks;
6015 err = flowtable->data.type->setup(&flowtable->data,
6019 goto err_unregister_net_hooks;
6021 err = nf_register_net_hook(net, &hook->ops);
6023 flowtable->data.type->setup(&flowtable->data,
6026 goto err_unregister_net_hooks;
6034 err_unregister_net_hooks:
6035 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6039 nft_unregister_flowtable_hook(net, flowtable, hook);
6040 list_del_rcu(&hook->list);
6041 kfree_rcu(hook, rcu);
6047 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6048 struct sk_buff *skb,
6049 const struct nlmsghdr *nlh,
6050 const struct nlattr * const nla[],
6051 struct netlink_ext_ack *extack)
6053 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6054 const struct nf_flowtable_type *type;
6055 u8 genmask = nft_genmask_next(net);
6056 int family = nfmsg->nfgen_family;
6057 struct nft_flowtable *flowtable;
6058 struct nft_hook *hook, *next;
6059 struct nft_table *table;
6063 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6064 !nla[NFTA_FLOWTABLE_NAME] ||
6065 !nla[NFTA_FLOWTABLE_HOOK])
6068 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6070 if (IS_ERR(table)) {
6071 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6072 return PTR_ERR(table);
6075 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6077 if (IS_ERR(flowtable)) {
6078 err = PTR_ERR(flowtable);
6079 if (err != -ENOENT) {
6080 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6084 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6085 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6092 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6094 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6098 flowtable->table = table;
6099 flowtable->handle = nf_tables_alloc_handle(table);
6100 INIT_LIST_HEAD(&flowtable->hook_list);
6102 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6103 if (!flowtable->name) {
6108 type = nft_flowtable_type_get(net, family);
6110 err = PTR_ERR(type);
6114 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6115 flowtable->data.flags =
6116 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6117 if (flowtable->data.flags & ~NF_FLOWTABLE_HW_OFFLOAD)
6121 write_pnet(&flowtable->data.net, net);
6122 flowtable->data.type = type;
6123 err = type->init(&flowtable->data);
6127 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6132 err = nft_register_flowtable_net_hooks(ctx.net, table, flowtable);
6136 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6140 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6145 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6146 nft_unregister_flowtable_hook(net, flowtable, hook);
6147 list_del_rcu(&hook->list);
6148 kfree_rcu(hook, rcu);
6151 flowtable->data.type->free(&flowtable->data);
6153 module_put(type->owner);
6155 kfree(flowtable->name);
6161 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6162 struct sk_buff *skb,
6163 const struct nlmsghdr *nlh,
6164 const struct nlattr * const nla[],
6165 struct netlink_ext_ack *extack)
6167 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6168 u8 genmask = nft_genmask_next(net);
6169 int family = nfmsg->nfgen_family;
6170 struct nft_flowtable *flowtable;
6171 const struct nlattr *attr;
6172 struct nft_table *table;
6175 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6176 (!nla[NFTA_FLOWTABLE_NAME] &&
6177 !nla[NFTA_FLOWTABLE_HANDLE]))
6180 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6182 if (IS_ERR(table)) {
6183 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6184 return PTR_ERR(table);
6187 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6188 attr = nla[NFTA_FLOWTABLE_HANDLE];
6189 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6191 attr = nla[NFTA_FLOWTABLE_NAME];
6192 flowtable = nft_flowtable_lookup(table, attr, genmask);
6195 if (IS_ERR(flowtable)) {
6196 NL_SET_BAD_ATTR(extack, attr);
6197 return PTR_ERR(flowtable);
6199 if (flowtable->use > 0) {
6200 NL_SET_BAD_ATTR(extack, attr);
6204 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6206 return nft_delflowtable(&ctx, flowtable);
6209 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6210 u32 portid, u32 seq, int event,
6211 u32 flags, int family,
6212 struct nft_flowtable *flowtable)
6214 struct nlattr *nest, *nest_devs;
6215 struct nfgenmsg *nfmsg;
6216 struct nft_hook *hook;
6217 struct nlmsghdr *nlh;
6219 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6220 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6222 goto nla_put_failure;
6224 nfmsg = nlmsg_data(nlh);
6225 nfmsg->nfgen_family = family;
6226 nfmsg->version = NFNETLINK_V0;
6227 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6229 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6230 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6231 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6232 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6233 NFTA_FLOWTABLE_PAD) ||
6234 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6235 goto nla_put_failure;
6237 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6239 goto nla_put_failure;
6240 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6241 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6242 goto nla_put_failure;
6244 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6246 goto nla_put_failure;
6248 list_for_each_entry_rcu(hook, &flowtable->hook_list, list) {
6249 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6250 goto nla_put_failure;
6252 nla_nest_end(skb, nest_devs);
6253 nla_nest_end(skb, nest);
6255 nlmsg_end(skb, nlh);
6259 nlmsg_trim(skb, nlh);
6263 struct nft_flowtable_filter {
6267 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6268 struct netlink_callback *cb)
6270 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6271 struct nft_flowtable_filter *filter = cb->data;
6272 unsigned int idx = 0, s_idx = cb->args[0];
6273 struct net *net = sock_net(skb->sk);
6274 int family = nfmsg->nfgen_family;
6275 struct nft_flowtable *flowtable;
6276 const struct nft_table *table;
6279 cb->seq = net->nft.base_seq;
6281 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6282 if (family != NFPROTO_UNSPEC && family != table->family)
6285 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6286 if (!nft_is_active(net, flowtable))
6291 memset(&cb->args[1], 0,
6292 sizeof(cb->args) - sizeof(cb->args[0]));
6293 if (filter && filter->table &&
6294 strcmp(filter->table, table->name))
6297 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6299 NFT_MSG_NEWFLOWTABLE,
6300 NLM_F_MULTI | NLM_F_APPEND,
6301 table->family, flowtable) < 0)
6304 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6316 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6318 const struct nlattr * const *nla = cb->data;
6319 struct nft_flowtable_filter *filter = NULL;
6321 if (nla[NFTA_FLOWTABLE_TABLE]) {
6322 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6326 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6328 if (!filter->table) {
6338 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6340 struct nft_flowtable_filter *filter = cb->data;
6345 kfree(filter->table);
6351 /* called with rcu_read_lock held */
6352 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6353 struct sk_buff *skb,
6354 const struct nlmsghdr *nlh,
6355 const struct nlattr * const nla[],
6356 struct netlink_ext_ack *extack)
6358 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6359 u8 genmask = nft_genmask_cur(net);
6360 int family = nfmsg->nfgen_family;
6361 struct nft_flowtable *flowtable;
6362 const struct nft_table *table;
6363 struct sk_buff *skb2;
6366 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6367 struct netlink_dump_control c = {
6368 .start = nf_tables_dump_flowtable_start,
6369 .dump = nf_tables_dump_flowtable,
6370 .done = nf_tables_dump_flowtable_done,
6371 .module = THIS_MODULE,
6372 .data = (void *)nla,
6375 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6378 if (!nla[NFTA_FLOWTABLE_NAME])
6381 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6384 return PTR_ERR(table);
6386 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6388 if (IS_ERR(flowtable))
6389 return PTR_ERR(flowtable);
6391 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6395 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6397 NFT_MSG_NEWFLOWTABLE, 0, family,
6402 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6408 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6409 struct nft_flowtable *flowtable,
6412 struct sk_buff *skb;
6416 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6419 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6423 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6425 ctx->family, flowtable);
6431 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6432 ctx->report, GFP_KERNEL);
6435 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6438 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6440 struct nft_hook *hook, *next;
6442 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6443 list_del_rcu(&hook->list);
6446 kfree(flowtable->name);
6447 flowtable->data.type->free(&flowtable->data);
6448 module_put(flowtable->data.type->owner);
6452 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6453 u32 portid, u32 seq)
6455 struct nlmsghdr *nlh;
6456 struct nfgenmsg *nfmsg;
6457 char buf[TASK_COMM_LEN];
6458 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6460 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6462 goto nla_put_failure;
6464 nfmsg = nlmsg_data(nlh);
6465 nfmsg->nfgen_family = AF_UNSPEC;
6466 nfmsg->version = NFNETLINK_V0;
6467 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6469 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6470 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6471 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6472 goto nla_put_failure;
6474 nlmsg_end(skb, nlh);
6478 nlmsg_trim(skb, nlh);
6482 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6483 struct nft_flowtable *flowtable)
6485 struct nft_hook *hook;
6487 list_for_each_entry(hook, &flowtable->hook_list, list) {
6488 if (hook->ops.dev != dev)
6491 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
6492 list_del_rcu(&hook->list);
6493 kfree_rcu(hook, rcu);
6498 static int nf_tables_flowtable_event(struct notifier_block *this,
6499 unsigned long event, void *ptr)
6501 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6502 struct nft_flowtable *flowtable;
6503 struct nft_table *table;
6506 if (event != NETDEV_UNREGISTER)
6510 mutex_lock(&net->nft.commit_mutex);
6511 list_for_each_entry(table, &net->nft.tables, list) {
6512 list_for_each_entry(flowtable, &table->flowtables, list) {
6513 nft_flowtable_event(event, dev, flowtable);
6516 mutex_unlock(&net->nft.commit_mutex);
6521 static struct notifier_block nf_tables_flowtable_notifier = {
6522 .notifier_call = nf_tables_flowtable_event,
6525 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6528 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6529 struct sk_buff *skb2;
6532 if (nlmsg_report(nlh) &&
6533 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6536 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6540 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6547 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6548 nlmsg_report(nlh), GFP_KERNEL);
6551 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6555 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6556 struct sk_buff *skb, const struct nlmsghdr *nlh,
6557 const struct nlattr * const nla[],
6558 struct netlink_ext_ack *extack)
6560 struct sk_buff *skb2;
6563 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6567 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6572 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6578 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6579 [NFT_MSG_NEWTABLE] = {
6580 .call_batch = nf_tables_newtable,
6581 .attr_count = NFTA_TABLE_MAX,
6582 .policy = nft_table_policy,
6584 [NFT_MSG_GETTABLE] = {
6585 .call_rcu = nf_tables_gettable,
6586 .attr_count = NFTA_TABLE_MAX,
6587 .policy = nft_table_policy,
6589 [NFT_MSG_DELTABLE] = {
6590 .call_batch = nf_tables_deltable,
6591 .attr_count = NFTA_TABLE_MAX,
6592 .policy = nft_table_policy,
6594 [NFT_MSG_NEWCHAIN] = {
6595 .call_batch = nf_tables_newchain,
6596 .attr_count = NFTA_CHAIN_MAX,
6597 .policy = nft_chain_policy,
6599 [NFT_MSG_GETCHAIN] = {
6600 .call_rcu = nf_tables_getchain,
6601 .attr_count = NFTA_CHAIN_MAX,
6602 .policy = nft_chain_policy,
6604 [NFT_MSG_DELCHAIN] = {
6605 .call_batch = nf_tables_delchain,
6606 .attr_count = NFTA_CHAIN_MAX,
6607 .policy = nft_chain_policy,
6609 [NFT_MSG_NEWRULE] = {
6610 .call_batch = nf_tables_newrule,
6611 .attr_count = NFTA_RULE_MAX,
6612 .policy = nft_rule_policy,
6614 [NFT_MSG_GETRULE] = {
6615 .call_rcu = nf_tables_getrule,
6616 .attr_count = NFTA_RULE_MAX,
6617 .policy = nft_rule_policy,
6619 [NFT_MSG_DELRULE] = {
6620 .call_batch = nf_tables_delrule,
6621 .attr_count = NFTA_RULE_MAX,
6622 .policy = nft_rule_policy,
6624 [NFT_MSG_NEWSET] = {
6625 .call_batch = nf_tables_newset,
6626 .attr_count = NFTA_SET_MAX,
6627 .policy = nft_set_policy,
6629 [NFT_MSG_GETSET] = {
6630 .call_rcu = nf_tables_getset,
6631 .attr_count = NFTA_SET_MAX,
6632 .policy = nft_set_policy,
6634 [NFT_MSG_DELSET] = {
6635 .call_batch = nf_tables_delset,
6636 .attr_count = NFTA_SET_MAX,
6637 .policy = nft_set_policy,
6639 [NFT_MSG_NEWSETELEM] = {
6640 .call_batch = nf_tables_newsetelem,
6641 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6642 .policy = nft_set_elem_list_policy,
6644 [NFT_MSG_GETSETELEM] = {
6645 .call_rcu = nf_tables_getsetelem,
6646 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6647 .policy = nft_set_elem_list_policy,
6649 [NFT_MSG_DELSETELEM] = {
6650 .call_batch = nf_tables_delsetelem,
6651 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6652 .policy = nft_set_elem_list_policy,
6654 [NFT_MSG_GETGEN] = {
6655 .call_rcu = nf_tables_getgen,
6657 [NFT_MSG_NEWOBJ] = {
6658 .call_batch = nf_tables_newobj,
6659 .attr_count = NFTA_OBJ_MAX,
6660 .policy = nft_obj_policy,
6662 [NFT_MSG_GETOBJ] = {
6663 .call_rcu = nf_tables_getobj,
6664 .attr_count = NFTA_OBJ_MAX,
6665 .policy = nft_obj_policy,
6667 [NFT_MSG_DELOBJ] = {
6668 .call_batch = nf_tables_delobj,
6669 .attr_count = NFTA_OBJ_MAX,
6670 .policy = nft_obj_policy,
6672 [NFT_MSG_GETOBJ_RESET] = {
6673 .call_rcu = nf_tables_getobj,
6674 .attr_count = NFTA_OBJ_MAX,
6675 .policy = nft_obj_policy,
6677 [NFT_MSG_NEWFLOWTABLE] = {
6678 .call_batch = nf_tables_newflowtable,
6679 .attr_count = NFTA_FLOWTABLE_MAX,
6680 .policy = nft_flowtable_policy,
6682 [NFT_MSG_GETFLOWTABLE] = {
6683 .call_rcu = nf_tables_getflowtable,
6684 .attr_count = NFTA_FLOWTABLE_MAX,
6685 .policy = nft_flowtable_policy,
6687 [NFT_MSG_DELFLOWTABLE] = {
6688 .call_batch = nf_tables_delflowtable,
6689 .attr_count = NFTA_FLOWTABLE_MAX,
6690 .policy = nft_flowtable_policy,
6694 static int nf_tables_validate(struct net *net)
6696 struct nft_table *table;
6698 switch (net->nft.validate_state) {
6699 case NFT_VALIDATE_SKIP:
6701 case NFT_VALIDATE_NEED:
6702 nft_validate_state_update(net, NFT_VALIDATE_DO);
6704 case NFT_VALIDATE_DO:
6705 list_for_each_entry(table, &net->nft.tables, list) {
6706 if (nft_table_validate(net, table) < 0)
6715 /* a drop policy has to be deferred until all rules have been activated,
6716 * otherwise a large ruleset that contains a drop-policy base chain will
6717 * cause all packets to get dropped until the full transaction has been
6720 * We defer the drop policy until the transaction has been finalized.
6722 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6724 struct nft_base_chain *basechain;
6726 if (nft_trans_chain_policy(trans) != NF_DROP)
6729 if (!nft_is_base_chain(trans->ctx.chain))
6732 basechain = nft_base_chain(trans->ctx.chain);
6733 basechain->policy = NF_DROP;
6736 static void nft_chain_commit_update(struct nft_trans *trans)
6738 struct nft_base_chain *basechain;
6740 if (nft_trans_chain_name(trans)) {
6741 rhltable_remove(&trans->ctx.table->chains_ht,
6742 &trans->ctx.chain->rhlhead,
6743 nft_chain_ht_params);
6744 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6745 rhltable_insert_key(&trans->ctx.table->chains_ht,
6746 trans->ctx.chain->name,
6747 &trans->ctx.chain->rhlhead,
6748 nft_chain_ht_params);
6751 if (!nft_is_base_chain(trans->ctx.chain))
6754 nft_chain_stats_replace(trans);
6756 basechain = nft_base_chain(trans->ctx.chain);
6758 switch (nft_trans_chain_policy(trans)) {
6761 basechain->policy = nft_trans_chain_policy(trans);
6766 static void nft_obj_commit_update(struct nft_trans *trans)
6768 struct nft_object *newobj;
6769 struct nft_object *obj;
6771 obj = nft_trans_obj(trans);
6772 newobj = nft_trans_obj_newobj(trans);
6774 if (obj->ops->update)
6775 obj->ops->update(obj, newobj);
6780 static void nft_commit_release(struct nft_trans *trans)
6782 switch (trans->msg_type) {
6783 case NFT_MSG_DELTABLE:
6784 nf_tables_table_destroy(&trans->ctx);
6786 case NFT_MSG_NEWCHAIN:
6787 free_percpu(nft_trans_chain_stats(trans));
6788 kfree(nft_trans_chain_name(trans));
6790 case NFT_MSG_DELCHAIN:
6791 nf_tables_chain_destroy(&trans->ctx);
6793 case NFT_MSG_DELRULE:
6794 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6796 case NFT_MSG_DELSET:
6797 nft_set_destroy(nft_trans_set(trans));
6799 case NFT_MSG_DELSETELEM:
6800 nf_tables_set_elem_destroy(&trans->ctx,
6801 nft_trans_elem_set(trans),
6802 nft_trans_elem(trans).priv);
6804 case NFT_MSG_DELOBJ:
6805 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6807 case NFT_MSG_DELFLOWTABLE:
6808 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6813 put_net(trans->ctx.net);
6818 static void nf_tables_trans_destroy_work(struct work_struct *w)
6820 struct nft_trans *trans, *next;
6823 spin_lock(&nf_tables_destroy_list_lock);
6824 list_splice_init(&nf_tables_destroy_list, &head);
6825 spin_unlock(&nf_tables_destroy_list_lock);
6827 if (list_empty(&head))
6832 list_for_each_entry_safe(trans, next, &head, list) {
6833 list_del(&trans->list);
6834 nft_commit_release(trans);
6838 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6840 struct nft_rule *rule;
6841 unsigned int alloc = 0;
6844 /* already handled or inactive chain? */
6845 if (chain->rules_next || !nft_is_active_next(net, chain))
6848 rule = list_entry(&chain->rules, struct nft_rule, list);
6851 list_for_each_entry_continue(rule, &chain->rules, list) {
6852 if (nft_is_active_next(net, rule))
6856 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6857 if (!chain->rules_next)
6860 list_for_each_entry_continue(rule, &chain->rules, list) {
6861 if (nft_is_active_next(net, rule))
6862 chain->rules_next[i++] = rule;
6865 chain->rules_next[i] = NULL;
6869 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6871 struct nft_trans *trans, *next;
6873 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6874 struct nft_chain *chain = trans->ctx.chain;
6876 if (trans->msg_type == NFT_MSG_NEWRULE ||
6877 trans->msg_type == NFT_MSG_DELRULE) {
6878 kvfree(chain->rules_next);
6879 chain->rules_next = NULL;
6884 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6886 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6891 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6893 struct nft_rule **r = rules;
6894 struct nft_rules_old *old;
6899 r++; /* rcu_head is after end marker */
6903 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6906 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6908 struct nft_rule **g0, **g1;
6911 next_genbit = nft_gencursor_next(net);
6913 g0 = rcu_dereference_protected(chain->rules_gen_0,
6914 lockdep_commit_lock_is_held(net));
6915 g1 = rcu_dereference_protected(chain->rules_gen_1,
6916 lockdep_commit_lock_is_held(net));
6918 /* No changes to this chain? */
6919 if (chain->rules_next == NULL) {
6920 /* chain had no change in last or next generation */
6924 * chain had no change in this generation; make sure next
6925 * one uses same rules as current generation.
6928 rcu_assign_pointer(chain->rules_gen_1, g0);
6929 nf_tables_commit_chain_free_rules_old(g1);
6931 rcu_assign_pointer(chain->rules_gen_0, g1);
6932 nf_tables_commit_chain_free_rules_old(g0);
6939 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6941 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6943 chain->rules_next = NULL;
6949 nf_tables_commit_chain_free_rules_old(g1);
6951 nf_tables_commit_chain_free_rules_old(g0);
6954 static void nft_obj_del(struct nft_object *obj)
6956 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6957 list_del_rcu(&obj->list);
6960 static void nft_chain_del(struct nft_chain *chain)
6962 struct nft_table *table = chain->table;
6964 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6965 nft_chain_ht_params));
6966 list_del_rcu(&chain->list);
6969 static void nf_tables_commit_release(struct net *net)
6971 struct nft_trans *trans;
6973 /* all side effects have to be made visible.
6974 * For example, if a chain named 'foo' has been deleted, a
6975 * new transaction must not find it anymore.
6977 * Memory reclaim happens asynchronously from work queue
6978 * to prevent expensive synchronize_rcu() in commit phase.
6980 if (list_empty(&net->nft.commit_list)) {
6981 mutex_unlock(&net->nft.commit_mutex);
6985 trans = list_last_entry(&net->nft.commit_list,
6986 struct nft_trans, list);
6987 get_net(trans->ctx.net);
6988 WARN_ON_ONCE(trans->put_net);
6990 trans->put_net = true;
6991 spin_lock(&nf_tables_destroy_list_lock);
6992 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6993 spin_unlock(&nf_tables_destroy_list_lock);
6995 mutex_unlock(&net->nft.commit_mutex);
6997 schedule_work(&trans_destroy_work);
7000 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7002 struct nft_trans *trans, *next;
7003 struct nft_trans_elem *te;
7004 struct nft_chain *chain;
7005 struct nft_table *table;
7008 if (list_empty(&net->nft.commit_list)) {
7009 mutex_unlock(&net->nft.commit_mutex);
7013 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7014 if (nf_tables_validate(net) < 0)
7017 err = nft_flow_rule_offload_commit(net);
7021 /* 1. Allocate space for next generation rules_gen_X[] */
7022 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7025 if (trans->msg_type == NFT_MSG_NEWRULE ||
7026 trans->msg_type == NFT_MSG_DELRULE) {
7027 chain = trans->ctx.chain;
7029 ret = nf_tables_commit_chain_prepare(net, chain);
7031 nf_tables_commit_chain_prepare_cancel(net);
7037 /* step 2. Make rules_gen_X visible to packet path */
7038 list_for_each_entry(table, &net->nft.tables, list) {
7039 list_for_each_entry(chain, &table->chains, list)
7040 nf_tables_commit_chain(net, chain);
7044 * Bump generation counter, invalidate any dump in progress.
7045 * Cannot fail after this point.
7047 while (++net->nft.base_seq == 0);
7049 /* step 3. Start new generation, rules_gen_X now in use. */
7050 net->nft.gencursor = nft_gencursor_next(net);
7052 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7053 switch (trans->msg_type) {
7054 case NFT_MSG_NEWTABLE:
7055 if (nft_trans_table_update(trans)) {
7056 if (!nft_trans_table_enable(trans)) {
7057 nf_tables_table_disable(net,
7059 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7062 nft_clear(net, trans->ctx.table);
7064 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7065 nft_trans_destroy(trans);
7067 case NFT_MSG_DELTABLE:
7068 list_del_rcu(&trans->ctx.table->list);
7069 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7071 case NFT_MSG_NEWCHAIN:
7072 if (nft_trans_chain_update(trans)) {
7073 nft_chain_commit_update(trans);
7074 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7075 /* trans destroyed after rcu grace period */
7077 nft_chain_commit_drop_policy(trans);
7078 nft_clear(net, trans->ctx.chain);
7079 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7080 nft_trans_destroy(trans);
7083 case NFT_MSG_DELCHAIN:
7084 nft_chain_del(trans->ctx.chain);
7085 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7086 nf_tables_unregister_hook(trans->ctx.net,
7090 case NFT_MSG_NEWRULE:
7091 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7092 nf_tables_rule_notify(&trans->ctx,
7093 nft_trans_rule(trans),
7095 nft_trans_destroy(trans);
7097 case NFT_MSG_DELRULE:
7098 list_del_rcu(&nft_trans_rule(trans)->list);
7099 nf_tables_rule_notify(&trans->ctx,
7100 nft_trans_rule(trans),
7102 nft_rule_expr_deactivate(&trans->ctx,
7103 nft_trans_rule(trans),
7106 case NFT_MSG_NEWSET:
7107 nft_clear(net, nft_trans_set(trans));
7108 /* This avoids hitting -EBUSY when deleting the table
7109 * from the transaction.
7111 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7112 !list_empty(&nft_trans_set(trans)->bindings))
7113 trans->ctx.table->use--;
7115 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7116 NFT_MSG_NEWSET, GFP_KERNEL);
7117 nft_trans_destroy(trans);
7119 case NFT_MSG_DELSET:
7120 list_del_rcu(&nft_trans_set(trans)->list);
7121 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7122 NFT_MSG_DELSET, GFP_KERNEL);
7124 case NFT_MSG_NEWSETELEM:
7125 te = (struct nft_trans_elem *)trans->data;
7127 te->set->ops->activate(net, te->set, &te->elem);
7128 nf_tables_setelem_notify(&trans->ctx, te->set,
7130 NFT_MSG_NEWSETELEM, 0);
7131 nft_trans_destroy(trans);
7133 case NFT_MSG_DELSETELEM:
7134 te = (struct nft_trans_elem *)trans->data;
7136 nf_tables_setelem_notify(&trans->ctx, te->set,
7138 NFT_MSG_DELSETELEM, 0);
7139 te->set->ops->remove(net, te->set, &te->elem);
7140 atomic_dec(&te->set->nelems);
7143 case NFT_MSG_NEWOBJ:
7144 if (nft_trans_obj_update(trans)) {
7145 nft_obj_commit_update(trans);
7146 nf_tables_obj_notify(&trans->ctx,
7147 nft_trans_obj(trans),
7150 nft_clear(net, nft_trans_obj(trans));
7151 nf_tables_obj_notify(&trans->ctx,
7152 nft_trans_obj(trans),
7154 nft_trans_destroy(trans);
7157 case NFT_MSG_DELOBJ:
7158 nft_obj_del(nft_trans_obj(trans));
7159 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7162 case NFT_MSG_NEWFLOWTABLE:
7163 nft_clear(net, nft_trans_flowtable(trans));
7164 nf_tables_flowtable_notify(&trans->ctx,
7165 nft_trans_flowtable(trans),
7166 NFT_MSG_NEWFLOWTABLE);
7167 nft_trans_destroy(trans);
7169 case NFT_MSG_DELFLOWTABLE:
7170 list_del_rcu(&nft_trans_flowtable(trans)->list);
7171 nf_tables_flowtable_notify(&trans->ctx,
7172 nft_trans_flowtable(trans),
7173 NFT_MSG_DELFLOWTABLE);
7174 nft_unregister_flowtable_net_hooks(net,
7175 nft_trans_flowtable(trans));
7180 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7181 nf_tables_commit_release(net);
7186 static void nf_tables_abort_release(struct nft_trans *trans)
7188 switch (trans->msg_type) {
7189 case NFT_MSG_NEWTABLE:
7190 nf_tables_table_destroy(&trans->ctx);
7192 case NFT_MSG_NEWCHAIN:
7193 nf_tables_chain_destroy(&trans->ctx);
7195 case NFT_MSG_NEWRULE:
7196 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7198 case NFT_MSG_NEWSET:
7199 nft_set_destroy(nft_trans_set(trans));
7201 case NFT_MSG_NEWSETELEM:
7202 nft_set_elem_destroy(nft_trans_elem_set(trans),
7203 nft_trans_elem(trans).priv, true);
7205 case NFT_MSG_NEWOBJ:
7206 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7208 case NFT_MSG_NEWFLOWTABLE:
7209 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7215 static int __nf_tables_abort(struct net *net)
7217 struct nft_trans *trans, *next;
7218 struct nft_trans_elem *te;
7220 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7222 switch (trans->msg_type) {
7223 case NFT_MSG_NEWTABLE:
7224 if (nft_trans_table_update(trans)) {
7225 if (nft_trans_table_enable(trans)) {
7226 nf_tables_table_disable(net,
7228 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7230 nft_trans_destroy(trans);
7232 list_del_rcu(&trans->ctx.table->list);
7235 case NFT_MSG_DELTABLE:
7236 nft_clear(trans->ctx.net, trans->ctx.table);
7237 nft_trans_destroy(trans);
7239 case NFT_MSG_NEWCHAIN:
7240 if (nft_trans_chain_update(trans)) {
7241 free_percpu(nft_trans_chain_stats(trans));
7242 kfree(nft_trans_chain_name(trans));
7243 nft_trans_destroy(trans);
7245 trans->ctx.table->use--;
7246 nft_chain_del(trans->ctx.chain);
7247 nf_tables_unregister_hook(trans->ctx.net,
7252 case NFT_MSG_DELCHAIN:
7253 trans->ctx.table->use++;
7254 nft_clear(trans->ctx.net, trans->ctx.chain);
7255 nft_trans_destroy(trans);
7257 case NFT_MSG_NEWRULE:
7258 trans->ctx.chain->use--;
7259 list_del_rcu(&nft_trans_rule(trans)->list);
7260 nft_rule_expr_deactivate(&trans->ctx,
7261 nft_trans_rule(trans),
7264 case NFT_MSG_DELRULE:
7265 trans->ctx.chain->use++;
7266 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7267 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7268 nft_trans_destroy(trans);
7270 case NFT_MSG_NEWSET:
7271 trans->ctx.table->use--;
7272 if (nft_trans_set_bound(trans)) {
7273 nft_trans_destroy(trans);
7276 list_del_rcu(&nft_trans_set(trans)->list);
7278 case NFT_MSG_DELSET:
7279 trans->ctx.table->use++;
7280 nft_clear(trans->ctx.net, nft_trans_set(trans));
7281 nft_trans_destroy(trans);
7283 case NFT_MSG_NEWSETELEM:
7284 if (nft_trans_elem_set_bound(trans)) {
7285 nft_trans_destroy(trans);
7288 te = (struct nft_trans_elem *)trans->data;
7289 te->set->ops->remove(net, te->set, &te->elem);
7290 atomic_dec(&te->set->nelems);
7292 case NFT_MSG_DELSETELEM:
7293 te = (struct nft_trans_elem *)trans->data;
7295 nft_set_elem_activate(net, te->set, &te->elem);
7296 te->set->ops->activate(net, te->set, &te->elem);
7299 nft_trans_destroy(trans);
7301 case NFT_MSG_NEWOBJ:
7302 if (nft_trans_obj_update(trans)) {
7303 kfree(nft_trans_obj_newobj(trans));
7304 nft_trans_destroy(trans);
7306 trans->ctx.table->use--;
7307 nft_obj_del(nft_trans_obj(trans));
7310 case NFT_MSG_DELOBJ:
7311 trans->ctx.table->use++;
7312 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7313 nft_trans_destroy(trans);
7315 case NFT_MSG_NEWFLOWTABLE:
7316 trans->ctx.table->use--;
7317 list_del_rcu(&nft_trans_flowtable(trans)->list);
7318 nft_unregister_flowtable_net_hooks(net,
7319 nft_trans_flowtable(trans));
7321 case NFT_MSG_DELFLOWTABLE:
7322 trans->ctx.table->use++;
7323 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7324 nft_trans_destroy(trans);
7331 list_for_each_entry_safe_reverse(trans, next,
7332 &net->nft.commit_list, list) {
7333 list_del(&trans->list);
7334 nf_tables_abort_release(trans);
7340 static void nf_tables_cleanup(struct net *net)
7342 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7345 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
7347 int ret = __nf_tables_abort(net);
7349 mutex_unlock(&net->nft.commit_mutex);
7354 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7358 mutex_lock(&net->nft.commit_mutex);
7360 genid_ok = genid == 0 || net->nft.base_seq == genid;
7362 mutex_unlock(&net->nft.commit_mutex);
7364 /* else, commit mutex has to be released by commit or abort function */
7368 static const struct nfnetlink_subsystem nf_tables_subsys = {
7369 .name = "nf_tables",
7370 .subsys_id = NFNL_SUBSYS_NFTABLES,
7371 .cb_count = NFT_MSG_MAX,
7373 .commit = nf_tables_commit,
7374 .abort = nf_tables_abort,
7375 .cleanup = nf_tables_cleanup,
7376 .valid_genid = nf_tables_valid_genid,
7377 .owner = THIS_MODULE,
7380 int nft_chain_validate_dependency(const struct nft_chain *chain,
7381 enum nft_chain_types type)
7383 const struct nft_base_chain *basechain;
7385 if (nft_is_base_chain(chain)) {
7386 basechain = nft_base_chain(chain);
7387 if (basechain->type->type != type)
7392 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7394 int nft_chain_validate_hooks(const struct nft_chain *chain,
7395 unsigned int hook_flags)
7397 struct nft_base_chain *basechain;
7399 if (nft_is_base_chain(chain)) {
7400 basechain = nft_base_chain(chain);
7402 if ((1 << basechain->ops.hooknum) & hook_flags)
7410 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7413 * Loop detection - walk through the ruleset beginning at the destination chain
7414 * of a new jump until either the source chain is reached (loop) or all
7415 * reachable chains have been traversed.
7417 * The loop check is performed whenever a new jump verdict is added to an
7418 * expression or verdict map or a verdict map is bound to a new chain.
7421 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7422 const struct nft_chain *chain);
7424 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7425 struct nft_set *set,
7426 const struct nft_set_iter *iter,
7427 struct nft_set_elem *elem)
7429 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7430 const struct nft_data *data;
7432 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7433 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7436 data = nft_set_ext_data(ext);
7437 switch (data->verdict.code) {
7440 return nf_tables_check_loops(ctx, data->verdict.chain);
7446 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7447 const struct nft_chain *chain)
7449 const struct nft_rule *rule;
7450 const struct nft_expr *expr, *last;
7451 struct nft_set *set;
7452 struct nft_set_binding *binding;
7453 struct nft_set_iter iter;
7455 if (ctx->chain == chain)
7458 list_for_each_entry(rule, &chain->rules, list) {
7459 nft_rule_for_each_expr(expr, last, rule) {
7460 struct nft_immediate_expr *priv;
7461 const struct nft_data *data;
7464 if (strcmp(expr->ops->type->name, "immediate"))
7467 priv = nft_expr_priv(expr);
7468 if (priv->dreg != NFT_REG_VERDICT)
7472 switch (data->verdict.code) {
7475 err = nf_tables_check_loops(ctx,
7476 data->verdict.chain);
7485 list_for_each_entry(set, &ctx->table->sets, list) {
7486 if (!nft_is_active_next(ctx->net, set))
7488 if (!(set->flags & NFT_SET_MAP) ||
7489 set->dtype != NFT_DATA_VERDICT)
7492 list_for_each_entry(binding, &set->bindings, list) {
7493 if (!(binding->flags & NFT_SET_MAP) ||
7494 binding->chain != chain)
7497 iter.genmask = nft_genmask_next(ctx->net);
7501 iter.fn = nf_tables_loop_check_setelem;
7503 set->ops->walk(ctx, set, &iter);
7513 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7515 * @attr: netlink attribute to fetch value from
7516 * @max: maximum value to be stored in dest
7517 * @dest: pointer to the variable
7519 * Parse, check and store a given u32 netlink attribute into variable.
7520 * This function returns -ERANGE if the value goes over maximum value.
7521 * Otherwise a 0 is returned and the attribute value is stored in the
7522 * destination variable.
7524 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7528 val = ntohl(nla_get_be32(attr));
7535 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7538 * nft_parse_register - parse a register value from a netlink attribute
7540 * @attr: netlink attribute
7542 * Parse and translate a register value from a netlink attribute.
7543 * Registers used to be 128 bit wide, these register numbers will be
7544 * mapped to the corresponding 32 bit register numbers.
7546 unsigned int nft_parse_register(const struct nlattr *attr)
7550 reg = ntohl(nla_get_be32(attr));
7552 case NFT_REG_VERDICT...NFT_REG_4:
7553 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7555 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7558 EXPORT_SYMBOL_GPL(nft_parse_register);
7561 * nft_dump_register - dump a register value to a netlink attribute
7563 * @skb: socket buffer
7564 * @attr: attribute number
7565 * @reg: register number
7567 * Construct a netlink attribute containing the register number. For
7568 * compatibility reasons, register numbers being a multiple of 4 are
7569 * translated to the corresponding 128 bit register numbers.
7571 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7573 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7574 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7576 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7578 return nla_put_be32(skb, attr, htonl(reg));
7580 EXPORT_SYMBOL_GPL(nft_dump_register);
7583 * nft_validate_register_load - validate a load from a register
7585 * @reg: the register number
7586 * @len: the length of the data
7588 * Validate that the input register is one of the general purpose
7589 * registers and that the length of the load is within the bounds.
7591 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7593 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7597 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7602 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7605 * nft_validate_register_store - validate an expressions' register store
7607 * @ctx: context of the expression performing the load
7608 * @reg: the destination register number
7609 * @data: the data to load
7610 * @type: the data type
7611 * @len: the length of the data
7613 * Validate that a data load uses the appropriate data type for
7614 * the destination register and the length is within the bounds.
7615 * A value of NULL for the data means that its runtime gathered
7618 int nft_validate_register_store(const struct nft_ctx *ctx,
7619 enum nft_registers reg,
7620 const struct nft_data *data,
7621 enum nft_data_types type, unsigned int len)
7626 case NFT_REG_VERDICT:
7627 if (type != NFT_DATA_VERDICT)
7631 (data->verdict.code == NFT_GOTO ||
7632 data->verdict.code == NFT_JUMP)) {
7633 err = nf_tables_check_loops(ctx, data->verdict.chain);
7640 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7644 if (reg * NFT_REG32_SIZE + len >
7645 FIELD_SIZEOF(struct nft_regs, data))
7648 if (data != NULL && type != NFT_DATA_VALUE)
7653 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7655 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7656 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7657 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7658 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7661 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7662 struct nft_data_desc *desc, const struct nlattr *nla)
7664 u8 genmask = nft_genmask_next(ctx->net);
7665 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7666 struct nft_chain *chain;
7669 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7670 nft_verdict_policy, NULL);
7674 if (!tb[NFTA_VERDICT_CODE])
7676 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7678 switch (data->verdict.code) {
7680 switch (data->verdict.code & NF_VERDICT_MASK) {
7695 if (!tb[NFTA_VERDICT_CHAIN])
7697 chain = nft_chain_lookup(ctx->net, ctx->table,
7698 tb[NFTA_VERDICT_CHAIN], genmask);
7700 return PTR_ERR(chain);
7701 if (nft_is_base_chain(chain))
7705 data->verdict.chain = chain;
7709 desc->len = sizeof(data->verdict);
7710 desc->type = NFT_DATA_VERDICT;
7714 static void nft_verdict_uninit(const struct nft_data *data)
7716 switch (data->verdict.code) {
7719 data->verdict.chain->use--;
7724 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7726 struct nlattr *nest;
7728 nest = nla_nest_start_noflag(skb, type);
7730 goto nla_put_failure;
7732 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7733 goto nla_put_failure;
7738 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7740 goto nla_put_failure;
7742 nla_nest_end(skb, nest);
7749 static int nft_value_init(const struct nft_ctx *ctx,
7750 struct nft_data *data, unsigned int size,
7751 struct nft_data_desc *desc, const struct nlattr *nla)
7761 nla_memcpy(data->data, nla, len);
7762 desc->type = NFT_DATA_VALUE;
7767 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7770 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7773 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7774 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7775 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7779 * nft_data_init - parse nf_tables data netlink attributes
7781 * @ctx: context of the expression using the data
7782 * @data: destination struct nft_data
7783 * @size: maximum data length
7784 * @desc: data description
7785 * @nla: netlink attribute containing data
7787 * Parse the netlink data attributes and initialize a struct nft_data.
7788 * The type and length of data are returned in the data description.
7790 * The caller can indicate that it only wants to accept data of type
7791 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7793 int nft_data_init(const struct nft_ctx *ctx,
7794 struct nft_data *data, unsigned int size,
7795 struct nft_data_desc *desc, const struct nlattr *nla)
7797 struct nlattr *tb[NFTA_DATA_MAX + 1];
7800 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7801 nft_data_policy, NULL);
7805 if (tb[NFTA_DATA_VALUE])
7806 return nft_value_init(ctx, data, size, desc,
7807 tb[NFTA_DATA_VALUE]);
7808 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7809 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7812 EXPORT_SYMBOL_GPL(nft_data_init);
7815 * nft_data_release - release a nft_data item
7817 * @data: struct nft_data to release
7818 * @type: type of data
7820 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7821 * all others need to be released by calling this function.
7823 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7825 if (type < NFT_DATA_VERDICT)
7828 case NFT_DATA_VERDICT:
7829 return nft_verdict_uninit(data);
7834 EXPORT_SYMBOL_GPL(nft_data_release);
7836 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7837 enum nft_data_types type, unsigned int len)
7839 struct nlattr *nest;
7842 nest = nla_nest_start_noflag(skb, attr);
7847 case NFT_DATA_VALUE:
7848 err = nft_value_dump(skb, data, len);
7850 case NFT_DATA_VERDICT:
7851 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7858 nla_nest_end(skb, nest);
7861 EXPORT_SYMBOL_GPL(nft_data_dump);
7863 int __nft_release_basechain(struct nft_ctx *ctx)
7865 struct nft_rule *rule, *nr;
7867 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7870 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7871 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7872 list_del(&rule->list);
7874 nf_tables_rule_release(ctx, rule);
7876 nft_chain_del(ctx->chain);
7878 nf_tables_chain_destroy(ctx);
7882 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7884 static void __nft_release_tables(struct net *net)
7886 struct nft_flowtable *flowtable, *nf;
7887 struct nft_table *table, *nt;
7888 struct nft_chain *chain, *nc;
7889 struct nft_object *obj, *ne;
7890 struct nft_rule *rule, *nr;
7891 struct nft_set *set, *ns;
7892 struct nft_ctx ctx = {
7894 .family = NFPROTO_NETDEV,
7897 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7898 ctx.family = table->family;
7900 list_for_each_entry(chain, &table->chains, list)
7901 nf_tables_unregister_hook(net, table, chain);
7902 /* No packets are walking on these chains anymore. */
7904 list_for_each_entry(chain, &table->chains, list) {
7906 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7907 list_del(&rule->list);
7909 nf_tables_rule_release(&ctx, rule);
7912 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7913 list_del(&flowtable->list);
7915 nf_tables_flowtable_destroy(flowtable);
7917 list_for_each_entry_safe(set, ns, &table->sets, list) {
7918 list_del(&set->list);
7920 nft_set_destroy(set);
7922 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7925 nft_obj_destroy(&ctx, obj);
7927 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7929 nft_chain_del(chain);
7931 nf_tables_chain_destroy(&ctx);
7933 list_del(&table->list);
7934 nf_tables_table_destroy(&ctx);
7938 static int __net_init nf_tables_init_net(struct net *net)
7940 INIT_LIST_HEAD(&net->nft.tables);
7941 INIT_LIST_HEAD(&net->nft.commit_list);
7942 mutex_init(&net->nft.commit_mutex);
7943 net->nft.base_seq = 1;
7944 net->nft.validate_state = NFT_VALIDATE_SKIP;
7949 static void __net_exit nf_tables_exit_net(struct net *net)
7951 mutex_lock(&net->nft.commit_mutex);
7952 if (!list_empty(&net->nft.commit_list))
7953 __nf_tables_abort(net);
7954 __nft_release_tables(net);
7955 mutex_unlock(&net->nft.commit_mutex);
7956 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7959 static struct pernet_operations nf_tables_net_ops = {
7960 .init = nf_tables_init_net,
7961 .exit = nf_tables_exit_net,
7964 static int __init nf_tables_module_init(void)
7968 spin_lock_init(&nf_tables_destroy_list_lock);
7969 err = register_pernet_subsys(&nf_tables_net_ops);
7973 err = nft_chain_filter_init();
7977 err = nf_tables_core_module_init();
7981 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7985 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7989 err = nft_offload_init();
7994 err = nfnetlink_subsys_register(&nf_tables_subsys);
7998 nft_chain_route_init();
8004 rhltable_destroy(&nft_objname_ht);
8006 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8008 nf_tables_core_module_exit();
8010 nft_chain_filter_fini();
8012 unregister_pernet_subsys(&nf_tables_net_ops);
8016 static void __exit nf_tables_module_exit(void)
8018 nfnetlink_subsys_unregister(&nf_tables_subsys);
8020 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8021 nft_chain_filter_fini();
8022 nft_chain_route_fini();
8023 unregister_pernet_subsys(&nf_tables_net_ops);
8024 cancel_work_sync(&trans_destroy_work);
8026 rhltable_destroy(&nft_objname_ht);
8027 nf_tables_core_module_exit();
8030 module_init(nf_tables_module_init);
8031 module_exit(nf_tables_module_exit);
8033 MODULE_LICENSE("GPL");
8034 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8035 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);