1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
27 static LIST_HEAD(nf_tables_flowtables);
28 static LIST_HEAD(nf_tables_destroy_list);
29 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
30 static u64 table_handle;
33 NFT_VALIDATE_SKIP = 0,
38 static struct rhltable nft_objname_ht;
40 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
41 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
42 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
44 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
48 static const struct rhashtable_params nft_chain_ht_params = {
49 .head_offset = offsetof(struct nft_chain, rhlhead),
50 .key_offset = offsetof(struct nft_chain, name),
51 .hashfn = nft_chain_hash,
52 .obj_hashfn = nft_chain_hash_obj,
53 .obj_cmpfn = nft_chain_hash_cmp,
54 .automatic_shrinking = true,
57 static const struct rhashtable_params nft_objname_ht_params = {
58 .head_offset = offsetof(struct nft_object, rhlhead),
59 .key_offset = offsetof(struct nft_object, key),
60 .hashfn = nft_objname_hash,
61 .obj_hashfn = nft_objname_hash_obj,
62 .obj_cmpfn = nft_objname_hash_cmp,
63 .automatic_shrinking = true,
66 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
68 switch (net->nft.validate_state) {
69 case NFT_VALIDATE_SKIP:
70 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
72 case NFT_VALIDATE_NEED:
75 if (new_validate_state == NFT_VALIDATE_NEED)
79 net->nft.validate_state = new_validate_state;
81 static void nf_tables_trans_destroy_work(struct work_struct *w);
82 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
84 static void nft_ctx_init(struct nft_ctx *ctx,
86 const struct sk_buff *skb,
87 const struct nlmsghdr *nlh,
89 struct nft_table *table,
90 struct nft_chain *chain,
91 const struct nlattr * const *nla)
99 ctx->portid = NETLINK_CB(skb).portid;
100 ctx->report = nlmsg_report(nlh);
101 ctx->flags = nlh->nlmsg_flags;
102 ctx->seq = nlh->nlmsg_seq;
105 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
106 int msg_type, u32 size, gfp_t gfp)
108 struct nft_trans *trans;
110 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 trans->msg_type = msg_type;
120 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
121 int msg_type, u32 size)
123 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
126 static void nft_trans_destroy(struct nft_trans *trans)
128 list_del(&trans->list);
132 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
134 struct net *net = ctx->net;
135 struct nft_trans *trans;
137 if (!nft_set_is_anonymous(set))
140 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
141 switch (trans->msg_type) {
143 if (nft_trans_set(trans) == set)
144 nft_trans_set_bound(trans) = true;
146 case NFT_MSG_NEWSETELEM:
147 if (nft_trans_elem_set(trans) == set)
148 nft_trans_elem_set_bound(trans) = true;
154 static int nft_netdev_register_hooks(struct net *net,
155 struct list_head *hook_list)
157 struct nft_hook *hook;
161 list_for_each_entry(hook, hook_list, list) {
162 err = nf_register_net_hook(net, &hook->ops);
171 list_for_each_entry(hook, hook_list, list) {
175 nf_unregister_net_hook(net, &hook->ops);
180 static void nft_netdev_unregister_hooks(struct net *net,
181 struct list_head *hook_list)
183 struct nft_hook *hook;
185 list_for_each_entry(hook, hook_list, list)
186 nf_unregister_net_hook(net, &hook->ops);
189 static int nft_register_basechain_hooks(struct net *net, int family,
190 struct nft_base_chain *basechain)
192 if (family == NFPROTO_NETDEV)
193 return nft_netdev_register_hooks(net, &basechain->hook_list);
195 return nf_register_net_hook(net, &basechain->ops);
198 static void nft_unregister_basechain_hooks(struct net *net, int family,
199 struct nft_base_chain *basechain)
201 if (family == NFPROTO_NETDEV)
202 nft_netdev_unregister_hooks(net, &basechain->hook_list);
204 nf_unregister_net_hook(net, &basechain->ops);
207 static int nf_tables_register_hook(struct net *net,
208 const struct nft_table *table,
209 struct nft_chain *chain)
211 struct nft_base_chain *basechain;
212 const struct nf_hook_ops *ops;
214 if (table->flags & NFT_TABLE_F_DORMANT ||
215 !nft_is_base_chain(chain))
218 basechain = nft_base_chain(chain);
219 ops = &basechain->ops;
221 if (basechain->type->ops_register)
222 return basechain->type->ops_register(net, ops);
224 return nft_register_basechain_hooks(net, table->family, basechain);
227 static void nf_tables_unregister_hook(struct net *net,
228 const struct nft_table *table,
229 struct nft_chain *chain)
231 struct nft_base_chain *basechain;
232 const struct nf_hook_ops *ops;
234 if (table->flags & NFT_TABLE_F_DORMANT ||
235 !nft_is_base_chain(chain))
237 basechain = nft_base_chain(chain);
238 ops = &basechain->ops;
240 if (basechain->type->ops_unregister)
241 return basechain->type->ops_unregister(net, ops);
243 nft_unregister_basechain_hooks(net, table->family, basechain);
246 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
248 struct nft_trans *trans;
250 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
254 if (msg_type == NFT_MSG_NEWTABLE)
255 nft_activate_next(ctx->net, ctx->table);
257 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
261 static int nft_deltable(struct nft_ctx *ctx)
265 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
269 nft_deactivate_next(ctx->net, ctx->table);
273 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
275 struct nft_trans *trans;
277 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
279 return ERR_PTR(-ENOMEM);
281 if (msg_type == NFT_MSG_NEWCHAIN)
282 nft_activate_next(ctx->net, ctx->chain);
284 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
288 static int nft_delchain(struct nft_ctx *ctx)
290 struct nft_trans *trans;
292 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
294 return PTR_ERR(trans);
297 nft_deactivate_next(ctx->net, ctx->chain);
302 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
303 struct nft_rule *rule)
305 struct nft_expr *expr;
307 expr = nft_expr_first(rule);
308 while (expr != nft_expr_last(rule) && expr->ops) {
309 if (expr->ops->activate)
310 expr->ops->activate(ctx, expr);
312 expr = nft_expr_next(expr);
316 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
317 struct nft_rule *rule,
318 enum nft_trans_phase phase)
320 struct nft_expr *expr;
322 expr = nft_expr_first(rule);
323 while (expr != nft_expr_last(rule) && expr->ops) {
324 if (expr->ops->deactivate)
325 expr->ops->deactivate(ctx, expr, phase);
327 expr = nft_expr_next(expr);
332 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
334 /* You cannot delete the same rule twice */
335 if (nft_is_active_next(ctx->net, rule)) {
336 nft_deactivate_next(ctx->net, rule);
343 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
344 struct nft_rule *rule)
346 struct nft_trans *trans;
348 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
352 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
353 nft_trans_rule_id(trans) =
354 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
356 nft_trans_rule(trans) = rule;
357 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
362 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
364 struct nft_flow_rule *flow;
365 struct nft_trans *trans;
368 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
372 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
373 flow = nft_flow_rule_create(ctx->net, rule);
375 nft_trans_destroy(trans);
376 return PTR_ERR(flow);
379 nft_trans_flow_rule(trans) = flow;
382 err = nf_tables_delrule_deactivate(ctx, rule);
384 nft_trans_destroy(trans);
387 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
392 static int nft_delrule_by_chain(struct nft_ctx *ctx)
394 struct nft_rule *rule;
397 list_for_each_entry(rule, &ctx->chain->rules, list) {
398 if (!nft_is_active_next(ctx->net, rule))
401 err = nft_delrule(ctx, rule);
408 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
411 struct nft_trans *trans;
413 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
417 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
418 nft_trans_set_id(trans) =
419 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
420 nft_activate_next(ctx->net, set);
422 nft_trans_set(trans) = set;
423 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
428 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
432 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
436 nft_deactivate_next(ctx->net, set);
442 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
443 struct nft_object *obj)
445 struct nft_trans *trans;
447 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
451 if (msg_type == NFT_MSG_NEWOBJ)
452 nft_activate_next(ctx->net, obj);
454 nft_trans_obj(trans) = obj;
455 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
460 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
464 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
468 nft_deactivate_next(ctx->net, obj);
474 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
475 struct nft_flowtable *flowtable)
477 struct nft_trans *trans;
479 trans = nft_trans_alloc(ctx, msg_type,
480 sizeof(struct nft_trans_flowtable));
484 if (msg_type == NFT_MSG_NEWFLOWTABLE)
485 nft_activate_next(ctx->net, flowtable);
487 nft_trans_flowtable(trans) = flowtable;
488 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
493 static int nft_delflowtable(struct nft_ctx *ctx,
494 struct nft_flowtable *flowtable)
498 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
502 nft_deactivate_next(ctx->net, flowtable);
512 static struct nft_table *nft_table_lookup(const struct net *net,
513 const struct nlattr *nla,
514 u8 family, u8 genmask)
516 struct nft_table *table;
519 return ERR_PTR(-EINVAL);
521 list_for_each_entry_rcu(table, &net->nft.tables, list) {
522 if (!nla_strcmp(nla, table->name) &&
523 table->family == family &&
524 nft_active_genmask(table, genmask))
528 return ERR_PTR(-ENOENT);
531 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
532 const struct nlattr *nla,
535 struct nft_table *table;
537 list_for_each_entry(table, &net->nft.tables, list) {
538 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
539 nft_active_genmask(table, genmask))
543 return ERR_PTR(-ENOENT);
546 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
548 return ++table->hgenerator;
551 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
553 static const struct nft_chain_type *
554 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
558 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
559 if (chain_type[family][i] != NULL &&
560 !nla_strcmp(nla, chain_type[family][i]->name))
561 return chain_type[family][i];
567 * Loading a module requires dropping mutex that guards the
569 * We first need to abort any pending transactions as once
570 * mutex is unlocked a different client could start a new
571 * transaction. It must not see any 'future generation'
572 * changes * as these changes will never happen.
574 #ifdef CONFIG_MODULES
575 static int __nf_tables_abort(struct net *net);
577 static void nft_request_module(struct net *net, const char *fmt, ...)
579 char module_name[MODULE_NAME_LEN];
583 __nf_tables_abort(net);
586 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
588 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
591 mutex_unlock(&net->nft.commit_mutex);
592 request_module("%s", module_name);
593 mutex_lock(&net->nft.commit_mutex);
597 static void lockdep_nfnl_nft_mutex_not_held(void)
599 #ifdef CONFIG_PROVE_LOCKING
600 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
604 static const struct nft_chain_type *
605 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
606 u8 family, bool autoload)
608 const struct nft_chain_type *type;
610 type = __nf_tables_chain_type_lookup(nla, family);
614 lockdep_nfnl_nft_mutex_not_held();
615 #ifdef CONFIG_MODULES
617 nft_request_module(net, "nft-chain-%u-%.*s", family,
618 nla_len(nla), (const char *)nla_data(nla));
619 type = __nf_tables_chain_type_lookup(nla, family);
621 return ERR_PTR(-EAGAIN);
624 return ERR_PTR(-ENOENT);
627 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
628 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
629 .len = NFT_TABLE_MAXNAMELEN - 1 },
630 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
631 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
634 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
635 u32 portid, u32 seq, int event, u32 flags,
636 int family, const struct nft_table *table)
638 struct nlmsghdr *nlh;
639 struct nfgenmsg *nfmsg;
641 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
642 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
644 goto nla_put_failure;
646 nfmsg = nlmsg_data(nlh);
647 nfmsg->nfgen_family = family;
648 nfmsg->version = NFNETLINK_V0;
649 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
651 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
652 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
653 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
654 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
656 goto nla_put_failure;
662 nlmsg_trim(skb, nlh);
666 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
672 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
675 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
679 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
680 event, 0, ctx->family, ctx->table);
686 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
687 ctx->report, GFP_KERNEL);
690 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
693 static int nf_tables_dump_tables(struct sk_buff *skb,
694 struct netlink_callback *cb)
696 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
697 const struct nft_table *table;
698 unsigned int idx = 0, s_idx = cb->args[0];
699 struct net *net = sock_net(skb->sk);
700 int family = nfmsg->nfgen_family;
703 cb->seq = net->nft.base_seq;
705 list_for_each_entry_rcu(table, &net->nft.tables, list) {
706 if (family != NFPROTO_UNSPEC && family != table->family)
712 memset(&cb->args[1], 0,
713 sizeof(cb->args) - sizeof(cb->args[0]));
714 if (!nft_is_active(net, table))
716 if (nf_tables_fill_table_info(skb, net,
717 NETLINK_CB(cb->skb).portid,
719 NFT_MSG_NEWTABLE, NLM_F_MULTI,
720 table->family, table) < 0)
723 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
733 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
734 const struct nlmsghdr *nlh,
735 struct netlink_dump_control *c)
739 if (!try_module_get(THIS_MODULE))
743 err = netlink_dump_start(nlsk, skb, nlh, c);
745 module_put(THIS_MODULE);
750 /* called with rcu_read_lock held */
751 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
752 struct sk_buff *skb, const struct nlmsghdr *nlh,
753 const struct nlattr * const nla[],
754 struct netlink_ext_ack *extack)
756 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
757 u8 genmask = nft_genmask_cur(net);
758 const struct nft_table *table;
759 struct sk_buff *skb2;
760 int family = nfmsg->nfgen_family;
763 if (nlh->nlmsg_flags & NLM_F_DUMP) {
764 struct netlink_dump_control c = {
765 .dump = nf_tables_dump_tables,
766 .module = THIS_MODULE,
769 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
772 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
774 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
775 return PTR_ERR(table);
778 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
782 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
783 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
788 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
795 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
797 struct nft_chain *chain;
800 list_for_each_entry(chain, &table->chains, list) {
801 if (!nft_is_active_next(net, chain))
803 if (!nft_is_base_chain(chain))
806 if (cnt && i++ == cnt)
809 nft_unregister_basechain_hooks(net, table->family,
810 nft_base_chain(chain));
814 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
816 struct nft_chain *chain;
819 list_for_each_entry(chain, &table->chains, list) {
820 if (!nft_is_active_next(net, chain))
822 if (!nft_is_base_chain(chain))
825 err = nft_register_basechain_hooks(net, table->family,
826 nft_base_chain(chain));
828 goto err_register_hooks;
836 nft_table_disable(net, table, i);
840 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
842 nft_table_disable(net, table, 0);
845 static int nf_tables_updtable(struct nft_ctx *ctx)
847 struct nft_trans *trans;
851 if (!ctx->nla[NFTA_TABLE_FLAGS])
854 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
855 if (flags & ~NFT_TABLE_F_DORMANT)
858 if (flags == ctx->table->flags)
861 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
862 sizeof(struct nft_trans_table));
866 if ((flags & NFT_TABLE_F_DORMANT) &&
867 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
868 nft_trans_table_enable(trans) = false;
869 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
870 ctx->table->flags & NFT_TABLE_F_DORMANT) {
871 ret = nf_tables_table_enable(ctx->net, ctx->table);
873 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
874 nft_trans_table_enable(trans) = true;
880 nft_trans_table_update(trans) = true;
881 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
884 nft_trans_destroy(trans);
888 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
890 const char *name = data;
892 return jhash(name, strlen(name), seed);
895 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
897 const struct nft_chain *chain = data;
899 return nft_chain_hash(chain->name, 0, seed);
902 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
905 const struct nft_chain *chain = ptr;
906 const char *name = arg->key;
908 return strcmp(chain->name, name);
911 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
913 const struct nft_object_hash_key *k = data;
915 seed ^= hash_ptr(k->table, 32);
917 return jhash(k->name, strlen(k->name), seed);
920 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
922 const struct nft_object *obj = data;
924 return nft_objname_hash(&obj->key, 0, seed);
927 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
930 const struct nft_object_hash_key *k = arg->key;
931 const struct nft_object *obj = ptr;
933 if (obj->key.table != k->table)
936 return strcmp(obj->key.name, k->name);
939 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
940 struct sk_buff *skb, const struct nlmsghdr *nlh,
941 const struct nlattr * const nla[],
942 struct netlink_ext_ack *extack)
944 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
945 u8 genmask = nft_genmask_next(net);
946 int family = nfmsg->nfgen_family;
947 const struct nlattr *attr;
948 struct nft_table *table;
953 lockdep_assert_held(&net->nft.commit_mutex);
954 attr = nla[NFTA_TABLE_NAME];
955 table = nft_table_lookup(net, attr, family, genmask);
957 if (PTR_ERR(table) != -ENOENT)
958 return PTR_ERR(table);
960 if (nlh->nlmsg_flags & NLM_F_EXCL) {
961 NL_SET_BAD_ATTR(extack, attr);
964 if (nlh->nlmsg_flags & NLM_F_REPLACE)
967 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
968 return nf_tables_updtable(&ctx);
971 if (nla[NFTA_TABLE_FLAGS]) {
972 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
973 if (flags & ~NFT_TABLE_F_DORMANT)
978 table = kzalloc(sizeof(*table), GFP_KERNEL);
982 table->name = nla_strdup(attr, GFP_KERNEL);
983 if (table->name == NULL)
986 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
990 INIT_LIST_HEAD(&table->chains);
991 INIT_LIST_HEAD(&table->sets);
992 INIT_LIST_HEAD(&table->objects);
993 INIT_LIST_HEAD(&table->flowtables);
994 table->family = family;
995 table->flags = flags;
996 table->handle = ++table_handle;
998 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
999 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1003 list_add_tail_rcu(&table->list, &net->nft.tables);
1006 rhltable_destroy(&table->chains_ht);
1015 static int nft_flush_table(struct nft_ctx *ctx)
1017 struct nft_flowtable *flowtable, *nft;
1018 struct nft_chain *chain, *nc;
1019 struct nft_object *obj, *ne;
1020 struct nft_set *set, *ns;
1023 list_for_each_entry(chain, &ctx->table->chains, list) {
1024 if (!nft_is_active_next(ctx->net, chain))
1029 err = nft_delrule_by_chain(ctx);
1034 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1035 if (!nft_is_active_next(ctx->net, set))
1038 if (nft_set_is_anonymous(set) &&
1039 !list_empty(&set->bindings))
1042 err = nft_delset(ctx, set);
1047 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1048 err = nft_delflowtable(ctx, flowtable);
1053 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1054 err = nft_delobj(ctx, obj);
1059 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1060 if (!nft_is_active_next(ctx->net, chain))
1065 err = nft_delchain(ctx);
1070 err = nft_deltable(ctx);
1075 static int nft_flush(struct nft_ctx *ctx, int family)
1077 struct nft_table *table, *nt;
1078 const struct nlattr * const *nla = ctx->nla;
1081 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1082 if (family != AF_UNSPEC && table->family != family)
1085 ctx->family = table->family;
1087 if (!nft_is_active_next(ctx->net, table))
1090 if (nla[NFTA_TABLE_NAME] &&
1091 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1096 err = nft_flush_table(ctx);
1104 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1105 struct sk_buff *skb, const struct nlmsghdr *nlh,
1106 const struct nlattr * const nla[],
1107 struct netlink_ext_ack *extack)
1109 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1110 u8 genmask = nft_genmask_next(net);
1111 int family = nfmsg->nfgen_family;
1112 const struct nlattr *attr;
1113 struct nft_table *table;
1116 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1117 if (family == AF_UNSPEC ||
1118 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1119 return nft_flush(&ctx, family);
1121 if (nla[NFTA_TABLE_HANDLE]) {
1122 attr = nla[NFTA_TABLE_HANDLE];
1123 table = nft_table_lookup_byhandle(net, attr, genmask);
1125 attr = nla[NFTA_TABLE_NAME];
1126 table = nft_table_lookup(net, attr, family, genmask);
1129 if (IS_ERR(table)) {
1130 NL_SET_BAD_ATTR(extack, attr);
1131 return PTR_ERR(table);
1134 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1138 ctx.family = family;
1141 return nft_flush_table(&ctx);
1144 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1146 if (WARN_ON(ctx->table->use > 0))
1149 rhltable_destroy(&ctx->table->chains_ht);
1150 kfree(ctx->table->name);
1154 void nft_register_chain_type(const struct nft_chain_type *ctype)
1156 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1159 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1160 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1161 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1164 chain_type[ctype->family][ctype->type] = ctype;
1165 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1167 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1169 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1171 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1172 chain_type[ctype->family][ctype->type] = NULL;
1173 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1175 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1181 static struct nft_chain *
1182 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1184 struct nft_chain *chain;
1186 list_for_each_entry(chain, &table->chains, list) {
1187 if (chain->handle == handle &&
1188 nft_active_genmask(chain, genmask))
1192 return ERR_PTR(-ENOENT);
1195 static bool lockdep_commit_lock_is_held(const struct net *net)
1197 #ifdef CONFIG_PROVE_LOCKING
1198 return lockdep_is_held(&net->nft.commit_mutex);
1204 static struct nft_chain *nft_chain_lookup(struct net *net,
1205 struct nft_table *table,
1206 const struct nlattr *nla, u8 genmask)
1208 char search[NFT_CHAIN_MAXNAMELEN + 1];
1209 struct rhlist_head *tmp, *list;
1210 struct nft_chain *chain;
1213 return ERR_PTR(-EINVAL);
1215 nla_strlcpy(search, nla, sizeof(search));
1217 WARN_ON(!rcu_read_lock_held() &&
1218 !lockdep_commit_lock_is_held(net));
1220 chain = ERR_PTR(-ENOENT);
1222 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1226 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1227 if (nft_active_genmask(chain, genmask))
1230 chain = ERR_PTR(-ENOENT);
1236 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1237 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1238 .len = NFT_TABLE_MAXNAMELEN - 1 },
1239 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1240 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1241 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1242 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1243 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1244 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1245 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1246 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1249 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1250 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1251 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1252 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1253 .len = IFNAMSIZ - 1 },
1256 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1258 struct nft_stats *cpu_stats, total;
1259 struct nlattr *nest;
1267 memset(&total, 0, sizeof(total));
1268 for_each_possible_cpu(cpu) {
1269 cpu_stats = per_cpu_ptr(stats, cpu);
1271 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1272 pkts = cpu_stats->pkts;
1273 bytes = cpu_stats->bytes;
1274 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1276 total.bytes += bytes;
1278 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1280 goto nla_put_failure;
1282 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1283 NFTA_COUNTER_PAD) ||
1284 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1286 goto nla_put_failure;
1288 nla_nest_end(skb, nest);
1295 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1296 const struct nft_base_chain *basechain)
1298 const struct nf_hook_ops *ops = &basechain->ops;
1299 struct nft_hook *hook, *first = NULL;
1300 struct nlattr *nest, *nest_devs;
1303 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1305 goto nla_put_failure;
1306 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1307 goto nla_put_failure;
1308 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1309 goto nla_put_failure;
1311 if (family == NFPROTO_NETDEV) {
1312 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1313 list_for_each_entry(hook, &basechain->hook_list, list) {
1317 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1318 hook->ops.dev->name))
1319 goto nla_put_failure;
1322 nla_nest_end(skb, nest_devs);
1325 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1326 goto nla_put_failure;
1328 nla_nest_end(skb, nest);
1335 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1336 u32 portid, u32 seq, int event, u32 flags,
1337 int family, const struct nft_table *table,
1338 const struct nft_chain *chain)
1340 struct nlmsghdr *nlh;
1341 struct nfgenmsg *nfmsg;
1343 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1344 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1346 goto nla_put_failure;
1348 nfmsg = nlmsg_data(nlh);
1349 nfmsg->nfgen_family = family;
1350 nfmsg->version = NFNETLINK_V0;
1351 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1353 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1354 goto nla_put_failure;
1355 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1357 goto nla_put_failure;
1358 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1359 goto nla_put_failure;
1361 if (nft_is_base_chain(chain)) {
1362 const struct nft_base_chain *basechain = nft_base_chain(chain);
1363 struct nft_stats __percpu *stats;
1365 if (nft_dump_basechain_hook(skb, family, basechain))
1366 goto nla_put_failure;
1368 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1369 htonl(basechain->policy)))
1370 goto nla_put_failure;
1372 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1373 goto nla_put_failure;
1375 stats = rcu_dereference_check(basechain->stats,
1376 lockdep_commit_lock_is_held(net));
1377 if (nft_dump_stats(skb, stats))
1378 goto nla_put_failure;
1381 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1382 goto nla_put_failure;
1384 nlmsg_end(skb, nlh);
1388 nlmsg_trim(skb, nlh);
1392 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1394 struct sk_buff *skb;
1398 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1401 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1405 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1406 event, 0, ctx->family, ctx->table,
1413 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1414 ctx->report, GFP_KERNEL);
1417 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1420 static int nf_tables_dump_chains(struct sk_buff *skb,
1421 struct netlink_callback *cb)
1423 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1424 const struct nft_table *table;
1425 const struct nft_chain *chain;
1426 unsigned int idx = 0, s_idx = cb->args[0];
1427 struct net *net = sock_net(skb->sk);
1428 int family = nfmsg->nfgen_family;
1431 cb->seq = net->nft.base_seq;
1433 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1434 if (family != NFPROTO_UNSPEC && family != table->family)
1437 list_for_each_entry_rcu(chain, &table->chains, list) {
1441 memset(&cb->args[1], 0,
1442 sizeof(cb->args) - sizeof(cb->args[0]));
1443 if (!nft_is_active(net, chain))
1445 if (nf_tables_fill_chain_info(skb, net,
1446 NETLINK_CB(cb->skb).portid,
1450 table->family, table,
1454 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1465 /* called with rcu_read_lock held */
1466 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1467 struct sk_buff *skb, const struct nlmsghdr *nlh,
1468 const struct nlattr * const nla[],
1469 struct netlink_ext_ack *extack)
1471 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1472 u8 genmask = nft_genmask_cur(net);
1473 const struct nft_chain *chain;
1474 struct nft_table *table;
1475 struct sk_buff *skb2;
1476 int family = nfmsg->nfgen_family;
1479 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1480 struct netlink_dump_control c = {
1481 .dump = nf_tables_dump_chains,
1482 .module = THIS_MODULE,
1485 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1488 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1489 if (IS_ERR(table)) {
1490 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1491 return PTR_ERR(table);
1494 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1495 if (IS_ERR(chain)) {
1496 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1497 return PTR_ERR(chain);
1500 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1504 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1505 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1506 family, table, chain);
1510 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1517 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1518 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1519 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1522 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1524 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1525 struct nft_stats __percpu *newstats;
1526 struct nft_stats *stats;
1529 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1530 nft_counter_policy, NULL);
1532 return ERR_PTR(err);
1534 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1535 return ERR_PTR(-EINVAL);
1537 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1538 if (newstats == NULL)
1539 return ERR_PTR(-ENOMEM);
1541 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1542 * are not exposed to userspace.
1545 stats = this_cpu_ptr(newstats);
1546 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1547 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1553 static void nft_chain_stats_replace(struct nft_trans *trans)
1555 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1557 if (!nft_trans_chain_stats(trans))
1560 nft_trans_chain_stats(trans) =
1561 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1562 lockdep_commit_lock_is_held(trans->ctx.net));
1564 if (!nft_trans_chain_stats(trans))
1565 static_branch_inc(&nft_counters_enabled);
1568 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1570 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1571 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1577 /* should be NULL either via abort or via successful commit */
1578 WARN_ON_ONCE(chain->rules_next);
1579 kvfree(chain->rules_next);
1582 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1584 struct nft_chain *chain = ctx->chain;
1585 struct nft_hook *hook, *next;
1587 if (WARN_ON(chain->use > 0))
1590 /* no concurrent access possible anymore */
1591 nf_tables_chain_free_chain_rules(chain);
1593 if (nft_is_base_chain(chain)) {
1594 struct nft_base_chain *basechain = nft_base_chain(chain);
1596 if (ctx->family == NFPROTO_NETDEV) {
1597 list_for_each_entry_safe(hook, next,
1598 &basechain->hook_list, list) {
1599 list_del_rcu(&hook->list);
1600 kfree_rcu(hook, rcu);
1603 module_put(basechain->type->owner);
1604 if (rcu_access_pointer(basechain->stats)) {
1605 static_branch_dec(&nft_counters_enabled);
1606 free_percpu(rcu_dereference_raw(basechain->stats));
1616 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1617 const struct nlattr *attr)
1619 struct net_device *dev;
1620 char ifname[IFNAMSIZ];
1621 struct nft_hook *hook;
1624 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1627 goto err_hook_alloc;
1630 nla_strlcpy(ifname, attr, IFNAMSIZ);
1631 dev = __dev_get_by_name(net, ifname);
1636 hook->ops.dev = dev;
1643 return ERR_PTR(err);
1646 static bool nft_hook_list_find(struct list_head *hook_list,
1647 const struct nft_hook *this)
1649 struct nft_hook *hook;
1651 list_for_each_entry(hook, hook_list, list) {
1652 if (this->ops.dev == hook->ops.dev)
1659 static int nf_tables_parse_netdev_hooks(struct net *net,
1660 const struct nlattr *attr,
1661 struct list_head *hook_list)
1663 struct nft_hook *hook, *next;
1664 const struct nlattr *tmp;
1665 int rem, n = 0, err;
1667 nla_for_each_nested(tmp, attr, rem) {
1668 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1673 hook = nft_netdev_hook_alloc(net, tmp);
1675 err = PTR_ERR(hook);
1678 if (nft_hook_list_find(hook_list, hook)) {
1682 list_add_tail(&hook->list, hook_list);
1685 if (n == NFT_NETDEVICE_MAX) {
1696 list_for_each_entry_safe(hook, next, hook_list, list) {
1697 list_del(&hook->list);
1703 struct nft_chain_hook {
1706 const struct nft_chain_type *type;
1707 struct list_head list;
1710 static int nft_chain_parse_netdev(struct net *net,
1711 struct nlattr *tb[],
1712 struct list_head *hook_list)
1714 struct nft_hook *hook;
1717 if (tb[NFTA_HOOK_DEV]) {
1718 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1720 return PTR_ERR(hook);
1722 list_add_tail(&hook->list, hook_list);
1723 } else if (tb[NFTA_HOOK_DEVS]) {
1724 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1735 static int nft_chain_parse_hook(struct net *net,
1736 const struct nlattr * const nla[],
1737 struct nft_chain_hook *hook, u8 family,
1740 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1741 const struct nft_chain_type *type;
1744 lockdep_assert_held(&net->nft.commit_mutex);
1745 lockdep_nfnl_nft_mutex_not_held();
1747 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1748 nla[NFTA_CHAIN_HOOK],
1749 nft_hook_policy, NULL);
1753 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1754 ha[NFTA_HOOK_PRIORITY] == NULL)
1757 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1758 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1760 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1761 if (nla[NFTA_CHAIN_TYPE]) {
1762 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1765 return PTR_ERR(type);
1767 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1770 if (type->type == NFT_CHAIN_T_NAT &&
1771 hook->priority <= NF_IP_PRI_CONNTRACK)
1774 if (!try_module_get(type->owner))
1779 INIT_LIST_HEAD(&hook->list);
1780 if (family == NFPROTO_NETDEV) {
1781 err = nft_chain_parse_netdev(net, ha, &hook->list);
1783 module_put(type->owner);
1786 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1787 module_put(type->owner);
1794 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1796 struct nft_hook *h, *next;
1798 list_for_each_entry_safe(h, next, &hook->list, list) {
1802 module_put(hook->type->owner);
1805 struct nft_rules_old {
1807 struct nft_rule **start;
1810 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1813 if (alloc > INT_MAX)
1816 alloc += 1; /* NULL, ends rules */
1817 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1820 alloc *= sizeof(struct nft_rule *);
1821 alloc += sizeof(struct nft_rules_old);
1823 return kvmalloc(alloc, GFP_KERNEL);
1826 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1827 const struct nft_chain_hook *hook,
1828 struct nft_chain *chain)
1831 ops->hooknum = hook->num;
1832 ops->priority = hook->priority;
1834 ops->hook = hook->type->hooks[ops->hooknum];
1837 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1838 struct nft_chain_hook *hook, u32 flags)
1840 struct nft_chain *chain;
1843 basechain->type = hook->type;
1844 INIT_LIST_HEAD(&basechain->hook_list);
1845 chain = &basechain->chain;
1847 if (family == NFPROTO_NETDEV) {
1848 list_splice_init(&hook->list, &basechain->hook_list);
1849 list_for_each_entry(h, &basechain->hook_list, list)
1850 nft_basechain_hook_init(&h->ops, family, hook, chain);
1852 basechain->ops.hooknum = hook->num;
1853 basechain->ops.priority = hook->priority;
1855 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1858 chain->flags |= NFT_BASE_CHAIN | flags;
1859 basechain->policy = NF_ACCEPT;
1860 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1861 nft_chain_offload_priority(basechain) < 0)
1864 flow_block_init(&basechain->flow_block);
1869 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1870 u8 policy, u32 flags)
1872 const struct nlattr * const *nla = ctx->nla;
1873 struct nft_table *table = ctx->table;
1874 struct nft_base_chain *basechain;
1875 struct nft_stats __percpu *stats;
1876 struct net *net = ctx->net;
1877 struct nft_trans *trans;
1878 struct nft_chain *chain;
1879 struct nft_rule **rules;
1882 if (table->use == UINT_MAX)
1885 if (nla[NFTA_CHAIN_HOOK]) {
1886 struct nft_chain_hook hook;
1888 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1892 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1893 if (basechain == NULL) {
1894 nft_chain_release_hook(&hook);
1897 chain = &basechain->chain;
1899 if (nla[NFTA_CHAIN_COUNTERS]) {
1900 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1901 if (IS_ERR(stats)) {
1902 nft_chain_release_hook(&hook);
1904 return PTR_ERR(stats);
1906 rcu_assign_pointer(basechain->stats, stats);
1907 static_branch_inc(&nft_counters_enabled);
1910 err = nft_basechain_init(basechain, family, &hook, flags);
1912 nft_chain_release_hook(&hook);
1917 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1923 INIT_LIST_HEAD(&chain->rules);
1924 chain->handle = nf_tables_alloc_handle(table);
1925 chain->table = table;
1926 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1932 rules = nf_tables_chain_alloc_rules(chain, 0);
1939 rcu_assign_pointer(chain->rules_gen_0, rules);
1940 rcu_assign_pointer(chain->rules_gen_1, rules);
1942 err = nf_tables_register_hook(net, table, chain);
1946 err = rhltable_insert_key(&table->chains_ht, chain->name,
1947 &chain->rhlhead, nft_chain_ht_params);
1951 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1952 if (IS_ERR(trans)) {
1953 err = PTR_ERR(trans);
1954 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1955 nft_chain_ht_params);
1959 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1960 if (nft_is_base_chain(chain))
1961 nft_trans_chain_policy(trans) = policy;
1964 list_add_tail_rcu(&chain->list, &table->chains);
1968 nf_tables_unregister_hook(net, table, chain);
1970 nf_tables_chain_destroy(ctx);
1975 static bool nft_hook_list_equal(struct list_head *hook_list1,
1976 struct list_head *hook_list2)
1978 struct nft_hook *hook;
1982 list_for_each_entry(hook, hook_list2, list) {
1983 if (!nft_hook_list_find(hook_list1, hook))
1988 list_for_each_entry(hook, hook_list1, list)
1994 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1997 const struct nlattr * const *nla = ctx->nla;
1998 struct nft_table *table = ctx->table;
1999 struct nft_chain *chain = ctx->chain;
2000 struct nft_base_chain *basechain;
2001 struct nft_stats *stats = NULL;
2002 struct nft_chain_hook hook;
2003 struct nf_hook_ops *ops;
2004 struct nft_trans *trans;
2007 if (chain->flags ^ flags)
2010 if (nla[NFTA_CHAIN_HOOK]) {
2011 if (!nft_is_base_chain(chain))
2014 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2019 basechain = nft_base_chain(chain);
2020 if (basechain->type != hook.type) {
2021 nft_chain_release_hook(&hook);
2025 if (ctx->family == NFPROTO_NETDEV) {
2026 if (!nft_hook_list_equal(&basechain->hook_list,
2028 nft_chain_release_hook(&hook);
2032 ops = &basechain->ops;
2033 if (ops->hooknum != hook.num ||
2034 ops->priority != hook.priority) {
2035 nft_chain_release_hook(&hook);
2039 nft_chain_release_hook(&hook);
2042 if (nla[NFTA_CHAIN_HANDLE] &&
2043 nla[NFTA_CHAIN_NAME]) {
2044 struct nft_chain *chain2;
2046 chain2 = nft_chain_lookup(ctx->net, table,
2047 nla[NFTA_CHAIN_NAME], genmask);
2048 if (!IS_ERR(chain2))
2052 if (nla[NFTA_CHAIN_COUNTERS]) {
2053 if (!nft_is_base_chain(chain))
2056 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2058 return PTR_ERR(stats);
2062 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2063 sizeof(struct nft_trans_chain));
2067 nft_trans_chain_stats(trans) = stats;
2068 nft_trans_chain_update(trans) = true;
2070 if (nla[NFTA_CHAIN_POLICY])
2071 nft_trans_chain_policy(trans) = policy;
2073 nft_trans_chain_policy(trans) = -1;
2075 if (nla[NFTA_CHAIN_HANDLE] &&
2076 nla[NFTA_CHAIN_NAME]) {
2077 struct nft_trans *tmp;
2081 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2086 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2087 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2088 tmp->ctx.table == table &&
2089 nft_trans_chain_update(tmp) &&
2090 nft_trans_chain_name(tmp) &&
2091 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2097 nft_trans_chain_name(trans) = name;
2099 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2108 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2109 struct sk_buff *skb, const struct nlmsghdr *nlh,
2110 const struct nlattr * const nla[],
2111 struct netlink_ext_ack *extack)
2113 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2114 u8 genmask = nft_genmask_next(net);
2115 int family = nfmsg->nfgen_family;
2116 const struct nlattr *attr;
2117 struct nft_table *table;
2118 struct nft_chain *chain;
2119 u8 policy = NF_ACCEPT;
2124 lockdep_assert_held(&net->nft.commit_mutex);
2126 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2127 if (IS_ERR(table)) {
2128 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2129 return PTR_ERR(table);
2133 attr = nla[NFTA_CHAIN_NAME];
2135 if (nla[NFTA_CHAIN_HANDLE]) {
2136 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2137 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2138 if (IS_ERR(chain)) {
2139 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2140 return PTR_ERR(chain);
2142 attr = nla[NFTA_CHAIN_HANDLE];
2144 chain = nft_chain_lookup(net, table, attr, genmask);
2145 if (IS_ERR(chain)) {
2146 if (PTR_ERR(chain) != -ENOENT) {
2147 NL_SET_BAD_ATTR(extack, attr);
2148 return PTR_ERR(chain);
2154 if (nla[NFTA_CHAIN_POLICY]) {
2155 if (chain != NULL &&
2156 !nft_is_base_chain(chain)) {
2157 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2161 if (chain == NULL &&
2162 nla[NFTA_CHAIN_HOOK] == NULL) {
2163 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2167 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2177 if (nla[NFTA_CHAIN_FLAGS])
2178 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2180 flags = chain->flags;
2182 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2184 if (chain != NULL) {
2185 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2186 NL_SET_BAD_ATTR(extack, attr);
2189 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2192 flags |= chain->flags & NFT_BASE_CHAIN;
2193 return nf_tables_updchain(&ctx, genmask, policy, flags);
2196 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2199 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2200 struct sk_buff *skb, const struct nlmsghdr *nlh,
2201 const struct nlattr * const nla[],
2202 struct netlink_ext_ack *extack)
2204 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2205 u8 genmask = nft_genmask_next(net);
2206 int family = nfmsg->nfgen_family;
2207 const struct nlattr *attr;
2208 struct nft_table *table;
2209 struct nft_chain *chain;
2210 struct nft_rule *rule;
2216 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2217 if (IS_ERR(table)) {
2218 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2219 return PTR_ERR(table);
2222 if (nla[NFTA_CHAIN_HANDLE]) {
2223 attr = nla[NFTA_CHAIN_HANDLE];
2224 handle = be64_to_cpu(nla_get_be64(attr));
2225 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2227 attr = nla[NFTA_CHAIN_NAME];
2228 chain = nft_chain_lookup(net, table, attr, genmask);
2230 if (IS_ERR(chain)) {
2231 NL_SET_BAD_ATTR(extack, attr);
2232 return PTR_ERR(chain);
2235 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2239 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2242 list_for_each_entry(rule, &chain->rules, list) {
2243 if (!nft_is_active_next(net, rule))
2247 err = nft_delrule(&ctx, rule);
2252 /* There are rules and elements that are still holding references to us,
2253 * we cannot do a recursive removal in this case.
2256 NL_SET_BAD_ATTR(extack, attr);
2260 return nft_delchain(&ctx);
2268 * nft_register_expr - register nf_tables expr type
2271 * Registers the expr type for use with nf_tables. Returns zero on
2272 * success or a negative errno code otherwise.
2274 int nft_register_expr(struct nft_expr_type *type)
2276 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2277 if (type->family == NFPROTO_UNSPEC)
2278 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2280 list_add_rcu(&type->list, &nf_tables_expressions);
2281 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2284 EXPORT_SYMBOL_GPL(nft_register_expr);
2287 * nft_unregister_expr - unregister nf_tables expr type
2290 * Unregisters the expr typefor use with nf_tables.
2292 void nft_unregister_expr(struct nft_expr_type *type)
2294 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2295 list_del_rcu(&type->list);
2296 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2298 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2300 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2303 const struct nft_expr_type *type, *candidate = NULL;
2305 list_for_each_entry(type, &nf_tables_expressions, list) {
2306 if (!nla_strcmp(nla, type->name)) {
2307 if (!type->family && !candidate)
2309 else if (type->family == family)
2316 #ifdef CONFIG_MODULES
2317 static int nft_expr_type_request_module(struct net *net, u8 family,
2320 nft_request_module(net, "nft-expr-%u-%.*s", family,
2321 nla_len(nla), (char *)nla_data(nla));
2322 if (__nft_expr_type_get(family, nla))
2329 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2333 const struct nft_expr_type *type;
2336 return ERR_PTR(-EINVAL);
2338 type = __nft_expr_type_get(family, nla);
2339 if (type != NULL && try_module_get(type->owner))
2342 lockdep_nfnl_nft_mutex_not_held();
2343 #ifdef CONFIG_MODULES
2345 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2346 return ERR_PTR(-EAGAIN);
2348 nft_request_module(net, "nft-expr-%.*s",
2349 nla_len(nla), (char *)nla_data(nla));
2350 if (__nft_expr_type_get(family, nla))
2351 return ERR_PTR(-EAGAIN);
2354 return ERR_PTR(-ENOENT);
2357 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2358 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2359 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2362 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2363 const struct nft_expr *expr)
2365 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2366 goto nla_put_failure;
2368 if (expr->ops->dump) {
2369 struct nlattr *data = nla_nest_start_noflag(skb,
2372 goto nla_put_failure;
2373 if (expr->ops->dump(skb, expr) < 0)
2374 goto nla_put_failure;
2375 nla_nest_end(skb, data);
2384 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2385 const struct nft_expr *expr)
2387 struct nlattr *nest;
2389 nest = nla_nest_start_noflag(skb, attr);
2391 goto nla_put_failure;
2392 if (nf_tables_fill_expr_info(skb, expr) < 0)
2393 goto nla_put_failure;
2394 nla_nest_end(skb, nest);
2401 struct nft_expr_info {
2402 const struct nft_expr_ops *ops;
2403 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2406 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2407 const struct nlattr *nla,
2408 struct nft_expr_info *info)
2410 const struct nft_expr_type *type;
2411 const struct nft_expr_ops *ops;
2412 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2415 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2416 nft_expr_policy, NULL);
2420 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2422 return PTR_ERR(type);
2424 if (tb[NFTA_EXPR_DATA]) {
2425 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2427 type->policy, NULL);
2431 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2433 if (type->select_ops != NULL) {
2434 ops = type->select_ops(ctx,
2435 (const struct nlattr * const *)info->tb);
2438 #ifdef CONFIG_MODULES
2440 nft_expr_type_request_module(ctx->net,
2442 tb[NFTA_EXPR_NAME]);
2453 module_put(type->owner);
2457 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2458 const struct nft_expr_info *info,
2459 struct nft_expr *expr)
2461 const struct nft_expr_ops *ops = info->ops;
2466 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2477 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2478 struct nft_expr *expr)
2480 const struct nft_expr_type *type = expr->ops->type;
2482 if (expr->ops->destroy)
2483 expr->ops->destroy(ctx, expr);
2484 module_put(type->owner);
2487 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2488 const struct nlattr *nla)
2490 struct nft_expr_info info;
2491 struct nft_expr *expr;
2492 struct module *owner;
2495 err = nf_tables_expr_parse(ctx, nla, &info);
2500 expr = kzalloc(info.ops->size, GFP_KERNEL);
2504 err = nf_tables_newexpr(ctx, &info, expr);
2512 owner = info.ops->type->owner;
2513 if (info.ops->type->release_ops)
2514 info.ops->type->release_ops(info.ops);
2518 return ERR_PTR(err);
2521 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2523 nf_tables_expr_destroy(ctx, expr);
2531 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2534 struct nft_rule *rule;
2536 // FIXME: this sucks
2537 list_for_each_entry_rcu(rule, &chain->rules, list) {
2538 if (handle == rule->handle)
2542 return ERR_PTR(-ENOENT);
2545 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2546 const struct nlattr *nla)
2549 return ERR_PTR(-EINVAL);
2551 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2554 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2555 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2556 .len = NFT_TABLE_MAXNAMELEN - 1 },
2557 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2558 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2559 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2560 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2561 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2562 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2563 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2564 .len = NFT_USERDATA_MAXLEN },
2565 [NFTA_RULE_ID] = { .type = NLA_U32 },
2566 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2569 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2570 u32 portid, u32 seq, int event,
2571 u32 flags, int family,
2572 const struct nft_table *table,
2573 const struct nft_chain *chain,
2574 const struct nft_rule *rule,
2575 const struct nft_rule *prule)
2577 struct nlmsghdr *nlh;
2578 struct nfgenmsg *nfmsg;
2579 const struct nft_expr *expr, *next;
2580 struct nlattr *list;
2581 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2583 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2585 goto nla_put_failure;
2587 nfmsg = nlmsg_data(nlh);
2588 nfmsg->nfgen_family = family;
2589 nfmsg->version = NFNETLINK_V0;
2590 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2592 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2593 goto nla_put_failure;
2594 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2595 goto nla_put_failure;
2596 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2598 goto nla_put_failure;
2600 if (event != NFT_MSG_DELRULE && prule) {
2601 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2602 cpu_to_be64(prule->handle),
2604 goto nla_put_failure;
2607 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2609 goto nla_put_failure;
2610 nft_rule_for_each_expr(expr, next, rule) {
2611 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2612 goto nla_put_failure;
2614 nla_nest_end(skb, list);
2617 struct nft_userdata *udata = nft_userdata(rule);
2618 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2620 goto nla_put_failure;
2623 nlmsg_end(skb, nlh);
2627 nlmsg_trim(skb, nlh);
2631 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2632 const struct nft_rule *rule, int event)
2634 struct sk_buff *skb;
2638 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2641 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2645 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2646 event, 0, ctx->family, ctx->table,
2647 ctx->chain, rule, NULL);
2653 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2654 ctx->report, GFP_KERNEL);
2657 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2660 struct nft_rule_dump_ctx {
2665 static int __nf_tables_dump_rules(struct sk_buff *skb,
2667 struct netlink_callback *cb,
2668 const struct nft_table *table,
2669 const struct nft_chain *chain)
2671 struct net *net = sock_net(skb->sk);
2672 const struct nft_rule *rule, *prule;
2673 unsigned int s_idx = cb->args[0];
2676 list_for_each_entry_rcu(rule, &chain->rules, list) {
2677 if (!nft_is_active(net, rule))
2682 memset(&cb->args[1], 0,
2683 sizeof(cb->args) - sizeof(cb->args[0]));
2685 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2688 NLM_F_MULTI | NLM_F_APPEND,
2690 table, chain, rule, prule) < 0)
2693 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2702 static int nf_tables_dump_rules(struct sk_buff *skb,
2703 struct netlink_callback *cb)
2705 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2706 const struct nft_rule_dump_ctx *ctx = cb->data;
2707 struct nft_table *table;
2708 const struct nft_chain *chain;
2709 unsigned int idx = 0;
2710 struct net *net = sock_net(skb->sk);
2711 int family = nfmsg->nfgen_family;
2714 cb->seq = net->nft.base_seq;
2716 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2717 if (family != NFPROTO_UNSPEC && family != table->family)
2720 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2723 if (ctx && ctx->table && ctx->chain) {
2724 struct rhlist_head *list, *tmp;
2726 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2727 nft_chain_ht_params);
2731 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2732 if (!nft_is_active(net, chain))
2734 __nf_tables_dump_rules(skb, &idx,
2741 list_for_each_entry_rcu(chain, &table->chains, list) {
2742 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2746 if (ctx && ctx->table)
2756 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2758 const struct nlattr * const *nla = cb->data;
2759 struct nft_rule_dump_ctx *ctx = NULL;
2761 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2762 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2766 if (nla[NFTA_RULE_TABLE]) {
2767 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2774 if (nla[NFTA_RULE_CHAIN]) {
2775 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2789 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2791 struct nft_rule_dump_ctx *ctx = cb->data;
2801 /* called with rcu_read_lock held */
2802 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2803 struct sk_buff *skb, const struct nlmsghdr *nlh,
2804 const struct nlattr * const nla[],
2805 struct netlink_ext_ack *extack)
2807 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2808 u8 genmask = nft_genmask_cur(net);
2809 const struct nft_chain *chain;
2810 const struct nft_rule *rule;
2811 struct nft_table *table;
2812 struct sk_buff *skb2;
2813 int family = nfmsg->nfgen_family;
2816 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2817 struct netlink_dump_control c = {
2818 .start= nf_tables_dump_rules_start,
2819 .dump = nf_tables_dump_rules,
2820 .done = nf_tables_dump_rules_done,
2821 .module = THIS_MODULE,
2822 .data = (void *)nla,
2825 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2828 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2829 if (IS_ERR(table)) {
2830 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2831 return PTR_ERR(table);
2834 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2835 if (IS_ERR(chain)) {
2836 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2837 return PTR_ERR(chain);
2840 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2842 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2843 return PTR_ERR(rule);
2846 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2850 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2851 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2852 family, table, chain, rule, NULL);
2856 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2863 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2864 struct nft_rule *rule)
2866 struct nft_expr *expr, *next;
2869 * Careful: some expressions might not be initialized in case this
2870 * is called on error from nf_tables_newrule().
2872 expr = nft_expr_first(rule);
2873 while (expr != nft_expr_last(rule) && expr->ops) {
2874 next = nft_expr_next(expr);
2875 nf_tables_expr_destroy(ctx, expr);
2881 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2882 struct nft_rule *rule)
2884 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2885 nf_tables_rule_destroy(ctx, rule);
2888 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2890 struct nft_expr *expr, *last;
2891 const struct nft_data *data;
2892 struct nft_rule *rule;
2895 if (ctx->level == NFT_JUMP_STACK_SIZE)
2898 list_for_each_entry(rule, &chain->rules, list) {
2899 if (!nft_is_active_next(ctx->net, rule))
2902 nft_rule_for_each_expr(expr, last, rule) {
2903 if (!expr->ops->validate)
2906 err = expr->ops->validate(ctx, expr, &data);
2914 EXPORT_SYMBOL_GPL(nft_chain_validate);
2916 static int nft_table_validate(struct net *net, const struct nft_table *table)
2918 struct nft_chain *chain;
2919 struct nft_ctx ctx = {
2921 .family = table->family,
2925 list_for_each_entry(chain, &table->chains, list) {
2926 if (!nft_is_base_chain(chain))
2930 err = nft_chain_validate(&ctx, chain);
2938 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2939 const struct nlattr *nla);
2941 #define NFT_RULE_MAXEXPRS 128
2943 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2944 struct sk_buff *skb, const struct nlmsghdr *nlh,
2945 const struct nlattr * const nla[],
2946 struct netlink_ext_ack *extack)
2948 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2949 u8 genmask = nft_genmask_next(net);
2950 struct nft_expr_info *info = NULL;
2951 int family = nfmsg->nfgen_family;
2952 struct nft_flow_rule *flow;
2953 struct nft_table *table;
2954 struct nft_chain *chain;
2955 struct nft_rule *rule, *old_rule = NULL;
2956 struct nft_userdata *udata;
2957 struct nft_trans *trans = NULL;
2958 struct nft_expr *expr;
2961 unsigned int size, i, n, ulen = 0, usize = 0;
2963 u64 handle, pos_handle;
2965 lockdep_assert_held(&net->nft.commit_mutex);
2967 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2968 if (IS_ERR(table)) {
2969 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2970 return PTR_ERR(table);
2973 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2974 if (IS_ERR(chain)) {
2975 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2976 return PTR_ERR(chain);
2979 if (nla[NFTA_RULE_HANDLE]) {
2980 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2981 rule = __nft_rule_lookup(chain, handle);
2983 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2984 return PTR_ERR(rule);
2987 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2988 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2991 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2996 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2997 nlh->nlmsg_flags & NLM_F_REPLACE)
2999 handle = nf_tables_alloc_handle(table);
3001 if (chain->use == UINT_MAX)
3004 if (nla[NFTA_RULE_POSITION]) {
3005 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3006 old_rule = __nft_rule_lookup(chain, pos_handle);
3007 if (IS_ERR(old_rule)) {
3008 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3009 return PTR_ERR(old_rule);
3011 } else if (nla[NFTA_RULE_POSITION_ID]) {
3012 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3013 if (IS_ERR(old_rule)) {
3014 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3015 return PTR_ERR(old_rule);
3020 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3024 if (nla[NFTA_RULE_EXPRESSIONS]) {
3025 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3026 sizeof(struct nft_expr_info),
3031 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3033 if (nla_type(tmp) != NFTA_LIST_ELEM)
3035 if (n == NFT_RULE_MAXEXPRS)
3037 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3040 size += info[n].ops->size;
3044 /* Check for overflow of dlen field */
3046 if (size >= 1 << 12)
3049 if (nla[NFTA_RULE_USERDATA]) {
3050 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3052 usize = sizeof(struct nft_userdata) + ulen;
3056 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3060 nft_activate_next(net, rule);
3062 rule->handle = handle;
3064 rule->udata = ulen ? 1 : 0;
3067 udata = nft_userdata(rule);
3068 udata->len = ulen - 1;
3069 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3072 expr = nft_expr_first(rule);
3073 for (i = 0; i < n; i++) {
3074 err = nf_tables_newexpr(&ctx, &info[i], expr);
3078 if (info[i].ops->validate)
3079 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3082 expr = nft_expr_next(expr);
3085 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3086 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3087 if (trans == NULL) {
3091 err = nft_delrule(&ctx, old_rule);
3093 nft_trans_destroy(trans);
3097 list_add_tail_rcu(&rule->list, &old_rule->list);
3099 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3105 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3107 list_add_rcu(&rule->list, &old_rule->list);
3109 list_add_tail_rcu(&rule->list, &chain->rules);
3112 list_add_tail_rcu(&rule->list, &old_rule->list);
3114 list_add_rcu(&rule->list, &chain->rules);
3120 if (net->nft.validate_state == NFT_VALIDATE_DO)
3121 return nft_table_validate(net, table);
3123 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3124 flow = nft_flow_rule_create(net, rule);
3126 return PTR_ERR(flow);
3128 nft_trans_flow_rule(trans) = flow;
3133 nf_tables_rule_release(&ctx, rule);
3135 for (i = 0; i < n; i++) {
3137 module_put(info[i].ops->type->owner);
3138 if (info[i].ops->type->release_ops)
3139 info[i].ops->type->release_ops(info[i].ops);
3146 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3147 const struct nlattr *nla)
3149 u32 id = ntohl(nla_get_be32(nla));
3150 struct nft_trans *trans;
3152 list_for_each_entry(trans, &net->nft.commit_list, list) {
3153 struct nft_rule *rule = nft_trans_rule(trans);
3155 if (trans->msg_type == NFT_MSG_NEWRULE &&
3156 id == nft_trans_rule_id(trans))
3159 return ERR_PTR(-ENOENT);
3162 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3163 struct sk_buff *skb, const struct nlmsghdr *nlh,
3164 const struct nlattr * const nla[],
3165 struct netlink_ext_ack *extack)
3167 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3168 u8 genmask = nft_genmask_next(net);
3169 struct nft_table *table;
3170 struct nft_chain *chain = NULL;
3171 struct nft_rule *rule;
3172 int family = nfmsg->nfgen_family, err = 0;
3175 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3176 if (IS_ERR(table)) {
3177 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3178 return PTR_ERR(table);
3181 if (nla[NFTA_RULE_CHAIN]) {
3182 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3184 if (IS_ERR(chain)) {
3185 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3186 return PTR_ERR(chain);
3190 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3193 if (nla[NFTA_RULE_HANDLE]) {
3194 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3196 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3197 return PTR_ERR(rule);
3200 err = nft_delrule(&ctx, rule);
3201 } else if (nla[NFTA_RULE_ID]) {
3202 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3204 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3205 return PTR_ERR(rule);
3208 err = nft_delrule(&ctx, rule);
3210 err = nft_delrule_by_chain(&ctx);
3213 list_for_each_entry(chain, &table->chains, list) {
3214 if (!nft_is_active_next(net, chain))
3218 err = nft_delrule_by_chain(&ctx);
3231 static LIST_HEAD(nf_tables_set_types);
3233 int nft_register_set(struct nft_set_type *type)
3235 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3236 list_add_tail_rcu(&type->list, &nf_tables_set_types);
3237 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3240 EXPORT_SYMBOL_GPL(nft_register_set);
3242 void nft_unregister_set(struct nft_set_type *type)
3244 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3245 list_del_rcu(&type->list);
3246 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3248 EXPORT_SYMBOL_GPL(nft_unregister_set);
3250 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3251 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3254 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3256 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3260 * Select a set implementation based on the data characteristics and the
3261 * given policy. The total memory use might not be known if no size is
3262 * given, in that case the amount of memory per element is used.
3264 static const struct nft_set_ops *
3265 nft_select_set_ops(const struct nft_ctx *ctx,
3266 const struct nlattr * const nla[],
3267 const struct nft_set_desc *desc,
3268 enum nft_set_policies policy)
3270 const struct nft_set_ops *ops, *bops;
3271 struct nft_set_estimate est, best;
3272 const struct nft_set_type *type;
3275 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3276 lockdep_nfnl_nft_mutex_not_held();
3277 #ifdef CONFIG_MODULES
3278 if (list_empty(&nf_tables_set_types)) {
3279 nft_request_module(ctx->net, "nft-set");
3280 if (!list_empty(&nf_tables_set_types))
3281 return ERR_PTR(-EAGAIN);
3284 if (nla[NFTA_SET_FLAGS] != NULL)
3285 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3292 list_for_each_entry(type, &nf_tables_set_types, list) {
3295 if (!nft_set_ops_candidate(type, flags))
3297 if (!ops->estimate(desc, flags, &est))
3301 case NFT_SET_POL_PERFORMANCE:
3302 if (est.lookup < best.lookup)
3304 if (est.lookup == best.lookup &&
3305 est.space < best.space)
3308 case NFT_SET_POL_MEMORY:
3310 if (est.space < best.space)
3312 if (est.space == best.space &&
3313 est.lookup < best.lookup)
3315 } else if (est.size < best.size || !bops) {
3323 if (!try_module_get(type->owner))
3326 module_put(to_set_type(bops)->owner);
3335 return ERR_PTR(-EOPNOTSUPP);
3338 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3339 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3340 .len = NFT_TABLE_MAXNAMELEN - 1 },
3341 [NFTA_SET_NAME] = { .type = NLA_STRING,
3342 .len = NFT_SET_MAXNAMELEN - 1 },
3343 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3344 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3345 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3346 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3347 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3348 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3349 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3350 [NFTA_SET_ID] = { .type = NLA_U32 },
3351 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3352 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3353 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3354 .len = NFT_USERDATA_MAXLEN },
3355 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3356 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3359 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3360 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3363 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3364 const struct sk_buff *skb,
3365 const struct nlmsghdr *nlh,
3366 const struct nlattr * const nla[],
3367 struct netlink_ext_ack *extack,
3370 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3371 int family = nfmsg->nfgen_family;
3372 struct nft_table *table = NULL;
3374 if (nla[NFTA_SET_TABLE] != NULL) {
3375 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3377 if (IS_ERR(table)) {
3378 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3379 return PTR_ERR(table);
3383 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3387 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3388 const struct nlattr *nla, u8 genmask)
3390 struct nft_set *set;
3393 return ERR_PTR(-EINVAL);
3395 list_for_each_entry_rcu(set, &table->sets, list) {
3396 if (!nla_strcmp(nla, set->name) &&
3397 nft_active_genmask(set, genmask))
3400 return ERR_PTR(-ENOENT);
3403 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3404 const struct nlattr *nla,
3407 struct nft_set *set;
3409 list_for_each_entry(set, &table->sets, list) {
3410 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3411 nft_active_genmask(set, genmask))
3414 return ERR_PTR(-ENOENT);
3417 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3418 const struct nlattr *nla, u8 genmask)
3420 struct nft_trans *trans;
3421 u32 id = ntohl(nla_get_be32(nla));
3423 list_for_each_entry(trans, &net->nft.commit_list, list) {
3424 if (trans->msg_type == NFT_MSG_NEWSET) {
3425 struct nft_set *set = nft_trans_set(trans);
3427 if (id == nft_trans_set_id(trans) &&
3428 nft_active_genmask(set, genmask))
3432 return ERR_PTR(-ENOENT);
3435 struct nft_set *nft_set_lookup_global(const struct net *net,
3436 const struct nft_table *table,
3437 const struct nlattr *nla_set_name,
3438 const struct nlattr *nla_set_id,
3441 struct nft_set *set;
3443 set = nft_set_lookup(table, nla_set_name, genmask);
3448 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3452 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3454 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3457 const struct nft_set *i;
3459 unsigned long *inuse;
3460 unsigned int n = 0, min = 0;
3462 p = strchr(name, '%');
3464 if (p[1] != 'd' || strchr(p + 2, '%'))
3467 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3471 list_for_each_entry(i, &ctx->table->sets, list) {
3474 if (!nft_is_active_next(ctx->net, set))
3476 if (!sscanf(i->name, name, &tmp))
3478 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3481 set_bit(tmp - min, inuse);
3484 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3485 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3486 min += BITS_PER_BYTE * PAGE_SIZE;
3487 memset(inuse, 0, PAGE_SIZE);
3490 free_page((unsigned long)inuse);
3493 set->name = kasprintf(GFP_KERNEL, name, min + n);
3497 list_for_each_entry(i, &ctx->table->sets, list) {
3498 if (!nft_is_active_next(ctx->net, i))
3500 if (!strcmp(set->name, i->name)) {
3508 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3510 u64 ms = be64_to_cpu(nla_get_be64(nla));
3511 u64 max = (u64)(~((u64)0));
3513 max = div_u64(max, NSEC_PER_MSEC);
3517 ms *= NSEC_PER_MSEC;
3518 *result = nsecs_to_jiffies64(ms);
3522 static __be64 nf_jiffies64_to_msecs(u64 input)
3524 return cpu_to_be64(jiffies64_to_msecs(input));
3527 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3528 const struct nft_set *set, u16 event, u16 flags)
3530 struct nfgenmsg *nfmsg;
3531 struct nlmsghdr *nlh;
3532 struct nlattr *desc;
3533 u32 portid = ctx->portid;
3536 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3537 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3540 goto nla_put_failure;
3542 nfmsg = nlmsg_data(nlh);
3543 nfmsg->nfgen_family = ctx->family;
3544 nfmsg->version = NFNETLINK_V0;
3545 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3547 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3548 goto nla_put_failure;
3549 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3550 goto nla_put_failure;
3551 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3553 goto nla_put_failure;
3554 if (set->flags != 0)
3555 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3556 goto nla_put_failure;
3558 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3559 goto nla_put_failure;
3560 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3561 goto nla_put_failure;
3562 if (set->flags & NFT_SET_MAP) {
3563 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3564 goto nla_put_failure;
3565 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3566 goto nla_put_failure;
3568 if (set->flags & NFT_SET_OBJECT &&
3569 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3570 goto nla_put_failure;
3573 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3574 nf_jiffies64_to_msecs(set->timeout),
3576 goto nla_put_failure;
3578 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3579 goto nla_put_failure;
3581 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3582 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3583 goto nla_put_failure;
3586 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3587 goto nla_put_failure;
3589 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3591 goto nla_put_failure;
3593 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3594 goto nla_put_failure;
3595 nla_nest_end(skb, desc);
3597 nlmsg_end(skb, nlh);
3601 nlmsg_trim(skb, nlh);
3605 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3606 const struct nft_set *set, int event,
3609 struct sk_buff *skb;
3610 u32 portid = ctx->portid;
3614 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3617 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3621 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3627 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3631 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3634 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3636 const struct nft_set *set;
3637 unsigned int idx, s_idx = cb->args[0];
3638 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3639 struct net *net = sock_net(skb->sk);
3640 struct nft_ctx *ctx = cb->data, ctx_set;
3646 cb->seq = net->nft.base_seq;
3648 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3649 if (ctx->family != NFPROTO_UNSPEC &&
3650 ctx->family != table->family)
3653 if (ctx->table && ctx->table != table)
3657 if (cur_table != table)
3663 list_for_each_entry_rcu(set, &table->sets, list) {
3666 if (!nft_is_active(net, set))
3670 ctx_set.table = table;
3671 ctx_set.family = table->family;
3673 if (nf_tables_fill_set(skb, &ctx_set, set,
3677 cb->args[2] = (unsigned long) table;
3680 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3693 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3695 struct nft_ctx *ctx_dump = NULL;
3697 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3698 if (ctx_dump == NULL)
3701 cb->data = ctx_dump;
3705 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3711 /* called with rcu_read_lock held */
3712 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3713 struct sk_buff *skb, const struct nlmsghdr *nlh,
3714 const struct nlattr * const nla[],
3715 struct netlink_ext_ack *extack)
3717 u8 genmask = nft_genmask_cur(net);
3718 const struct nft_set *set;
3720 struct sk_buff *skb2;
3721 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3724 /* Verify existence before starting dump */
3725 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3730 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3731 struct netlink_dump_control c = {
3732 .start = nf_tables_dump_sets_start,
3733 .dump = nf_tables_dump_sets,
3734 .done = nf_tables_dump_sets_done,
3736 .module = THIS_MODULE,
3739 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3742 /* Only accept unspec with dump */
3743 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3744 return -EAFNOSUPPORT;
3745 if (!nla[NFTA_SET_TABLE])
3748 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3750 return PTR_ERR(set);
3752 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3756 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3760 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3767 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3768 const struct nlattr *nla)
3770 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3773 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3774 nft_set_desc_policy, NULL);
3778 if (da[NFTA_SET_DESC_SIZE] != NULL)
3779 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3784 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3785 struct sk_buff *skb, const struct nlmsghdr *nlh,
3786 const struct nlattr * const nla[],
3787 struct netlink_ext_ack *extack)
3789 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3790 u8 genmask = nft_genmask_next(net);
3791 int family = nfmsg->nfgen_family;
3792 const struct nft_set_ops *ops;
3793 struct nft_table *table;
3794 struct nft_set *set;
3799 u32 ktype, dtype, flags, policy, gc_int, objtype;
3800 struct nft_set_desc desc;
3801 unsigned char *udata;
3805 if (nla[NFTA_SET_TABLE] == NULL ||
3806 nla[NFTA_SET_NAME] == NULL ||
3807 nla[NFTA_SET_KEY_LEN] == NULL ||
3808 nla[NFTA_SET_ID] == NULL)
3811 memset(&desc, 0, sizeof(desc));
3813 ktype = NFT_DATA_VALUE;
3814 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3815 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3816 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3820 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3821 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3825 if (nla[NFTA_SET_FLAGS] != NULL) {
3826 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3827 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3828 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3829 NFT_SET_MAP | NFT_SET_EVAL |
3832 /* Only one of these operations is supported */
3833 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3834 (NFT_SET_MAP | NFT_SET_OBJECT))
3836 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3837 (NFT_SET_EVAL | NFT_SET_OBJECT))
3842 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3843 if (!(flags & NFT_SET_MAP))
3846 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3847 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3848 dtype != NFT_DATA_VERDICT)
3851 if (dtype != NFT_DATA_VERDICT) {
3852 if (nla[NFTA_SET_DATA_LEN] == NULL)
3854 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3855 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3858 desc.dlen = sizeof(struct nft_verdict);
3859 } else if (flags & NFT_SET_MAP)
3862 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3863 if (!(flags & NFT_SET_OBJECT))
3866 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3867 if (objtype == NFT_OBJECT_UNSPEC ||
3868 objtype > NFT_OBJECT_MAX)
3870 } else if (flags & NFT_SET_OBJECT)
3873 objtype = NFT_OBJECT_UNSPEC;
3876 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3877 if (!(flags & NFT_SET_TIMEOUT))
3880 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3885 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3886 if (!(flags & NFT_SET_TIMEOUT))
3888 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3891 policy = NFT_SET_POL_PERFORMANCE;
3892 if (nla[NFTA_SET_POLICY] != NULL)
3893 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3895 if (nla[NFTA_SET_DESC] != NULL) {
3896 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3901 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3902 if (IS_ERR(table)) {
3903 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3904 return PTR_ERR(table);
3907 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3909 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3911 if (PTR_ERR(set) != -ENOENT) {
3912 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3913 return PTR_ERR(set);
3916 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3917 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3920 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3926 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3929 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3931 return PTR_ERR(ops);
3934 if (nla[NFTA_SET_USERDATA])
3935 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3938 if (ops->privsize != NULL)
3939 size = ops->privsize(nla, &desc);
3941 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3947 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3953 err = nf_tables_set_alloc_name(&ctx, set, name);
3960 udata = set->data + size;
3961 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3964 INIT_LIST_HEAD(&set->bindings);
3966 write_pnet(&set->net, net);
3969 set->klen = desc.klen;
3971 set->objtype = objtype;
3972 set->dlen = desc.dlen;
3974 set->size = desc.size;
3975 set->policy = policy;
3978 set->timeout = timeout;
3979 set->gc_int = gc_int;
3980 set->handle = nf_tables_alloc_handle(table);
3982 err = ops->init(set, &desc, nla);
3986 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3990 list_add_tail_rcu(&set->list, &table->sets);
4001 module_put(to_set_type(ops)->owner);
4005 static void nft_set_destroy(struct nft_set *set)
4007 if (WARN_ON(set->use > 0))
4010 set->ops->destroy(set);
4011 module_put(to_set_type(set->ops)->owner);
4016 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4017 struct sk_buff *skb, const struct nlmsghdr *nlh,
4018 const struct nlattr * const nla[],
4019 struct netlink_ext_ack *extack)
4021 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4022 u8 genmask = nft_genmask_next(net);
4023 const struct nlattr *attr;
4024 struct nft_set *set;
4028 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4029 return -EAFNOSUPPORT;
4030 if (nla[NFTA_SET_TABLE] == NULL)
4033 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4038 if (nla[NFTA_SET_HANDLE]) {
4039 attr = nla[NFTA_SET_HANDLE];
4040 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4042 attr = nla[NFTA_SET_NAME];
4043 set = nft_set_lookup(ctx.table, attr, genmask);
4047 NL_SET_BAD_ATTR(extack, attr);
4048 return PTR_ERR(set);
4051 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4052 NL_SET_BAD_ATTR(extack, attr);
4056 return nft_delset(&ctx, set);
4059 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4060 struct nft_set *set,
4061 const struct nft_set_iter *iter,
4062 struct nft_set_elem *elem)
4064 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4065 enum nft_registers dreg;
4067 dreg = nft_type_to_reg(set->dtype);
4068 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4069 set->dtype == NFT_DATA_VERDICT ?
4070 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4074 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4075 struct nft_set_binding *binding)
4077 struct nft_set_binding *i;
4078 struct nft_set_iter iter;
4080 if (set->use == UINT_MAX)
4083 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4086 if (binding->flags & NFT_SET_MAP) {
4087 /* If the set is already bound to the same chain all
4088 * jumps are already validated for that chain.
4090 list_for_each_entry(i, &set->bindings, list) {
4091 if (i->flags & NFT_SET_MAP &&
4092 i->chain == binding->chain)
4096 iter.genmask = nft_genmask_next(ctx->net);
4100 iter.fn = nf_tables_bind_check_setelem;
4102 set->ops->walk(ctx, set, &iter);
4107 binding->chain = ctx->chain;
4108 list_add_tail_rcu(&binding->list, &set->bindings);
4109 nft_set_trans_bind(ctx, set);
4114 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4116 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4117 struct nft_set_binding *binding, bool event)
4119 list_del_rcu(&binding->list);
4121 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4122 list_del_rcu(&set->list);
4124 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4129 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4130 struct nft_set_binding *binding,
4131 enum nft_trans_phase phase)
4134 case NFT_TRANS_PREPARE:
4137 case NFT_TRANS_ABORT:
4138 case NFT_TRANS_RELEASE:
4142 nf_tables_unbind_set(ctx, set, binding,
4143 phase == NFT_TRANS_COMMIT);
4146 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4148 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4150 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4151 nft_set_destroy(set);
4153 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4155 const struct nft_set_ext_type nft_set_ext_types[] = {
4156 [NFT_SET_EXT_KEY] = {
4157 .align = __alignof__(u32),
4159 [NFT_SET_EXT_DATA] = {
4160 .align = __alignof__(u32),
4162 [NFT_SET_EXT_EXPR] = {
4163 .align = __alignof__(struct nft_expr),
4165 [NFT_SET_EXT_OBJREF] = {
4166 .len = sizeof(struct nft_object *),
4167 .align = __alignof__(struct nft_object *),
4169 [NFT_SET_EXT_FLAGS] = {
4171 .align = __alignof__(u8),
4173 [NFT_SET_EXT_TIMEOUT] = {
4175 .align = __alignof__(u64),
4177 [NFT_SET_EXT_EXPIRATION] = {
4179 .align = __alignof__(u64),
4181 [NFT_SET_EXT_USERDATA] = {
4182 .len = sizeof(struct nft_userdata),
4183 .align = __alignof__(struct nft_userdata),
4186 EXPORT_SYMBOL_GPL(nft_set_ext_types);
4192 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4193 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4194 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4195 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4196 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4197 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4198 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4199 .len = NFT_USERDATA_MAXLEN },
4200 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4201 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
4204 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4205 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4206 .len = NFT_TABLE_MAXNAMELEN - 1 },
4207 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4208 .len = NFT_SET_MAXNAMELEN - 1 },
4209 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4210 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4213 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4214 const struct sk_buff *skb,
4215 const struct nlmsghdr *nlh,
4216 const struct nlattr * const nla[],
4217 struct netlink_ext_ack *extack,
4220 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4221 int family = nfmsg->nfgen_family;
4222 struct nft_table *table;
4224 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4226 if (IS_ERR(table)) {
4227 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4228 return PTR_ERR(table);
4231 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4235 static int nf_tables_fill_setelem(struct sk_buff *skb,
4236 const struct nft_set *set,
4237 const struct nft_set_elem *elem)
4239 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4240 unsigned char *b = skb_tail_pointer(skb);
4241 struct nlattr *nest;
4243 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4245 goto nla_put_failure;
4247 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4248 NFT_DATA_VALUE, set->klen) < 0)
4249 goto nla_put_failure;
4251 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4252 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4253 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4255 goto nla_put_failure;
4257 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4258 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4259 goto nla_put_failure;
4261 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4262 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4263 (*nft_set_ext_obj(ext))->key.name) < 0)
4264 goto nla_put_failure;
4266 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4267 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4268 htonl(*nft_set_ext_flags(ext))))
4269 goto nla_put_failure;
4271 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4272 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4273 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4275 goto nla_put_failure;
4277 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4278 u64 expires, now = get_jiffies_64();
4280 expires = *nft_set_ext_expiration(ext);
4281 if (time_before64(now, expires))
4286 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4287 nf_jiffies64_to_msecs(expires),
4289 goto nla_put_failure;
4292 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4293 struct nft_userdata *udata;
4295 udata = nft_set_ext_userdata(ext);
4296 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4297 udata->len + 1, udata->data))
4298 goto nla_put_failure;
4301 nla_nest_end(skb, nest);
4309 struct nft_set_dump_args {
4310 const struct netlink_callback *cb;
4311 struct nft_set_iter iter;
4312 struct sk_buff *skb;
4315 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4316 struct nft_set *set,
4317 const struct nft_set_iter *iter,
4318 struct nft_set_elem *elem)
4320 struct nft_set_dump_args *args;
4322 args = container_of(iter, struct nft_set_dump_args, iter);
4323 return nf_tables_fill_setelem(args->skb, set, elem);
4326 struct nft_set_dump_ctx {
4327 const struct nft_set *set;
4331 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4333 struct nft_set_dump_ctx *dump_ctx = cb->data;
4334 struct net *net = sock_net(skb->sk);
4335 struct nft_table *table;
4336 struct nft_set *set;
4337 struct nft_set_dump_args args;
4338 bool set_found = false;
4339 struct nfgenmsg *nfmsg;
4340 struct nlmsghdr *nlh;
4341 struct nlattr *nest;
4346 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4347 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4348 dump_ctx->ctx.family != table->family)
4351 if (table != dump_ctx->ctx.table)
4354 list_for_each_entry_rcu(set, &table->sets, list) {
4355 if (set == dump_ctx->set) {
4368 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4369 portid = NETLINK_CB(cb->skb).portid;
4370 seq = cb->nlh->nlmsg_seq;
4372 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4375 goto nla_put_failure;
4377 nfmsg = nlmsg_data(nlh);
4378 nfmsg->nfgen_family = table->family;
4379 nfmsg->version = NFNETLINK_V0;
4380 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4382 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4383 goto nla_put_failure;
4384 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4385 goto nla_put_failure;
4387 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4389 goto nla_put_failure;
4393 args.iter.genmask = nft_genmask_cur(net);
4394 args.iter.skip = cb->args[0];
4395 args.iter.count = 0;
4397 args.iter.fn = nf_tables_dump_setelem;
4398 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4401 nla_nest_end(skb, nest);
4402 nlmsg_end(skb, nlh);
4404 if (args.iter.err && args.iter.err != -EMSGSIZE)
4405 return args.iter.err;
4406 if (args.iter.count == cb->args[0])
4409 cb->args[0] = args.iter.count;
4417 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4419 struct nft_set_dump_ctx *dump_ctx = cb->data;
4421 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4423 return cb->data ? 0 : -ENOMEM;
4426 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4432 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4433 const struct nft_ctx *ctx, u32 seq,
4434 u32 portid, int event, u16 flags,
4435 const struct nft_set *set,
4436 const struct nft_set_elem *elem)
4438 struct nfgenmsg *nfmsg;
4439 struct nlmsghdr *nlh;
4440 struct nlattr *nest;
4443 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4444 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4447 goto nla_put_failure;
4449 nfmsg = nlmsg_data(nlh);
4450 nfmsg->nfgen_family = ctx->family;
4451 nfmsg->version = NFNETLINK_V0;
4452 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4454 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4455 goto nla_put_failure;
4456 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4457 goto nla_put_failure;
4459 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4461 goto nla_put_failure;
4463 err = nf_tables_fill_setelem(skb, set, elem);
4465 goto nla_put_failure;
4467 nla_nest_end(skb, nest);
4469 nlmsg_end(skb, nlh);
4473 nlmsg_trim(skb, nlh);
4477 static int nft_setelem_parse_flags(const struct nft_set *set,
4478 const struct nlattr *attr, u32 *flags)
4483 *flags = ntohl(nla_get_be32(attr));
4484 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4486 if (!(set->flags & NFT_SET_INTERVAL) &&
4487 *flags & NFT_SET_ELEM_INTERVAL_END)
4493 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4494 const struct nlattr *attr)
4496 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4497 struct nft_data_desc desc;
4498 struct nft_set_elem elem;
4499 struct sk_buff *skb;
4504 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4505 nft_set_elem_policy, NULL);
4509 if (!nla[NFTA_SET_ELEM_KEY])
4512 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4516 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4517 nla[NFTA_SET_ELEM_KEY]);
4522 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4523 nft_data_release(&elem.key.val, desc.type);
4527 priv = set->ops->get(ctx->net, set, &elem, flags);
4529 return PTR_ERR(priv);
4534 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4538 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4539 NFT_MSG_NEWSETELEM, 0, set, &elem);
4543 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4544 /* This avoids a loop in nfnetlink. */
4552 /* this avoids a loop in nfnetlink. */
4553 return err == -EAGAIN ? -ENOBUFS : err;
4556 /* called with rcu_read_lock held */
4557 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4558 struct sk_buff *skb, const struct nlmsghdr *nlh,
4559 const struct nlattr * const nla[],
4560 struct netlink_ext_ack *extack)
4562 u8 genmask = nft_genmask_cur(net);
4563 struct nft_set *set;
4564 struct nlattr *attr;
4568 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4573 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4575 return PTR_ERR(set);
4577 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4578 struct netlink_dump_control c = {
4579 .start = nf_tables_dump_set_start,
4580 .dump = nf_tables_dump_set,
4581 .done = nf_tables_dump_set_done,
4582 .module = THIS_MODULE,
4584 struct nft_set_dump_ctx dump_ctx = {
4590 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4593 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4596 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4597 err = nft_get_set_elem(&ctx, set, attr);
4605 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4606 const struct nft_set *set,
4607 const struct nft_set_elem *elem,
4608 int event, u16 flags)
4610 struct net *net = ctx->net;
4611 u32 portid = ctx->portid;
4612 struct sk_buff *skb;
4615 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4618 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4622 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4629 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4633 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4636 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4638 struct nft_set *set)
4640 struct nft_trans *trans;
4642 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4646 nft_trans_elem_set(trans) = set;
4650 void *nft_set_elem_init(const struct nft_set *set,
4651 const struct nft_set_ext_tmpl *tmpl,
4652 const u32 *key, const u32 *data,
4653 u64 timeout, u64 expiration, gfp_t gfp)
4655 struct nft_set_ext *ext;
4658 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4662 ext = nft_set_elem_ext(set, elem);
4663 nft_set_ext_init(ext, tmpl);
4665 memcpy(nft_set_ext_key(ext), key, set->klen);
4666 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4667 memcpy(nft_set_ext_data(ext), data, set->dlen);
4668 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4669 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4670 if (expiration == 0)
4671 *nft_set_ext_expiration(ext) += timeout;
4673 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4674 *nft_set_ext_timeout(ext) = timeout;
4679 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4682 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4683 struct nft_ctx ctx = {
4684 .net = read_pnet(&set->net),
4685 .family = set->table->family,
4688 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4689 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4690 nft_data_release(nft_set_ext_data(ext), set->dtype);
4691 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4692 struct nft_expr *expr = nft_set_ext_expr(ext);
4694 if (expr->ops->destroy_clone) {
4695 expr->ops->destroy_clone(&ctx, expr);
4696 module_put(expr->ops->type->owner);
4698 nf_tables_expr_destroy(&ctx, expr);
4701 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4702 (*nft_set_ext_obj(ext))->use--;
4705 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4707 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4708 * the refcounting from the preparation phase.
4710 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4711 const struct nft_set *set, void *elem)
4713 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4715 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4716 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4720 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4721 const struct nlattr *attr, u32 nlmsg_flags)
4723 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4724 u8 genmask = nft_genmask_next(ctx->net);
4725 struct nft_data_desc d1, d2;
4726 struct nft_set_ext_tmpl tmpl;
4727 struct nft_set_ext *ext, *ext2;
4728 struct nft_set_elem elem;
4729 struct nft_set_binding *binding;
4730 struct nft_object *obj = NULL;
4731 struct nft_userdata *udata;
4732 struct nft_data data;
4733 enum nft_registers dreg;
4734 struct nft_trans *trans;
4741 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4742 nft_set_elem_policy, NULL);
4746 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4749 nft_set_ext_prepare(&tmpl);
4751 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4755 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4757 if (set->flags & NFT_SET_MAP) {
4758 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4759 !(flags & NFT_SET_ELEM_INTERVAL_END))
4762 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4766 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
4767 (nla[NFTA_SET_ELEM_DATA] ||
4768 nla[NFTA_SET_ELEM_OBJREF] ||
4769 nla[NFTA_SET_ELEM_TIMEOUT] ||
4770 nla[NFTA_SET_ELEM_EXPIRATION] ||
4771 nla[NFTA_SET_ELEM_USERDATA] ||
4772 nla[NFTA_SET_ELEM_EXPR]))
4776 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4777 if (!(set->flags & NFT_SET_TIMEOUT))
4779 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4783 } else if (set->flags & NFT_SET_TIMEOUT) {
4784 timeout = set->timeout;
4788 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
4789 if (!(set->flags & NFT_SET_TIMEOUT))
4791 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
4797 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4798 nla[NFTA_SET_ELEM_KEY]);
4802 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4805 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4807 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4808 if (timeout != set->timeout)
4809 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4812 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4813 if (!(set->flags & NFT_SET_OBJECT)) {
4817 obj = nft_obj_lookup(ctx->net, ctx->table,
4818 nla[NFTA_SET_ELEM_OBJREF],
4819 set->objtype, genmask);
4824 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4827 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4828 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4829 nla[NFTA_SET_ELEM_DATA]);
4834 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4837 dreg = nft_type_to_reg(set->dtype);
4838 list_for_each_entry(binding, &set->bindings, list) {
4839 struct nft_ctx bind_ctx = {
4841 .family = ctx->family,
4842 .table = ctx->table,
4843 .chain = (struct nft_chain *)binding->chain,
4846 if (!(binding->flags & NFT_SET_MAP))
4849 err = nft_validate_register_store(&bind_ctx, dreg,
4855 if (d2.type == NFT_DATA_VERDICT &&
4856 (data.verdict.code == NFT_GOTO ||
4857 data.verdict.code == NFT_JUMP))
4858 nft_validate_state_update(ctx->net,
4862 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4865 /* The full maximum length of userdata can exceed the maximum
4866 * offset value (U8_MAX) for following extensions, therefor it
4867 * must be the last extension added.
4870 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4871 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4873 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4878 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4879 timeout, expiration, GFP_KERNEL);
4880 if (elem.priv == NULL)
4883 ext = nft_set_elem_ext(set, elem.priv);
4885 *nft_set_ext_flags(ext) = flags;
4887 udata = nft_set_ext_userdata(ext);
4888 udata->len = ulen - 1;
4889 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4892 *nft_set_ext_obj(ext) = obj;
4896 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4900 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4901 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4903 if (err == -EEXIST) {
4904 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4905 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4906 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4907 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4911 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4912 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4913 memcmp(nft_set_ext_data(ext),
4914 nft_set_ext_data(ext2), set->dlen) != 0) ||
4915 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4916 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4917 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4919 else if (!(nlmsg_flags & NLM_F_EXCL))
4926 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4931 nft_trans_elem(trans) = elem;
4932 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4936 set->ops->remove(ctx->net, set, &elem);
4944 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4945 nft_data_release(&data, d2.type);
4947 nft_data_release(&elem.key.val, d1.type);
4952 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4953 struct sk_buff *skb, const struct nlmsghdr *nlh,
4954 const struct nlattr * const nla[],
4955 struct netlink_ext_ack *extack)
4957 u8 genmask = nft_genmask_next(net);
4958 const struct nlattr *attr;
4959 struct nft_set *set;
4963 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4966 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4971 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4972 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4974 return PTR_ERR(set);
4976 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4979 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4980 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4985 if (net->nft.validate_state == NFT_VALIDATE_DO)
4986 return nft_table_validate(net, ctx.table);
4992 * nft_data_hold - hold a nft_data item
4994 * @data: struct nft_data to release
4995 * @type: type of data
4997 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4998 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4999 * NFT_GOTO verdicts. This function must be called on active data objects
5000 * from the second phase of the commit protocol.
5002 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5004 if (type == NFT_DATA_VERDICT) {
5005 switch (data->verdict.code) {
5008 data->verdict.chain->use++;
5014 static void nft_set_elem_activate(const struct net *net,
5015 const struct nft_set *set,
5016 struct nft_set_elem *elem)
5018 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5020 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5021 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5022 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5023 (*nft_set_ext_obj(ext))->use++;
5026 static void nft_set_elem_deactivate(const struct net *net,
5027 const struct nft_set *set,
5028 struct nft_set_elem *elem)
5030 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5032 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5033 nft_data_release(nft_set_ext_data(ext), set->dtype);
5034 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5035 (*nft_set_ext_obj(ext))->use--;
5038 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5039 const struct nlattr *attr)
5041 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5042 struct nft_set_ext_tmpl tmpl;
5043 struct nft_data_desc desc;
5044 struct nft_set_elem elem;
5045 struct nft_set_ext *ext;
5046 struct nft_trans *trans;
5051 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5052 nft_set_elem_policy, NULL);
5057 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5060 nft_set_ext_prepare(&tmpl);
5062 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5066 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5068 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
5069 nla[NFTA_SET_ELEM_KEY]);
5074 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
5077 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
5080 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
5082 if (elem.priv == NULL)
5085 ext = nft_set_elem_ext(set, elem.priv);
5087 *nft_set_ext_flags(ext) = flags;
5089 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5090 if (trans == NULL) {
5095 priv = set->ops->deactivate(ctx->net, set, &elem);
5103 nft_set_elem_deactivate(ctx->net, set, &elem);
5105 nft_trans_elem(trans) = elem;
5106 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5114 nft_data_release(&elem.key.val, desc.type);
5119 static int nft_flush_set(const struct nft_ctx *ctx,
5120 struct nft_set *set,
5121 const struct nft_set_iter *iter,
5122 struct nft_set_elem *elem)
5124 struct nft_trans *trans;
5127 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5128 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5132 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5138 nft_set_elem_deactivate(ctx->net, set, elem);
5139 nft_trans_elem_set(trans) = set;
5140 nft_trans_elem(trans) = *elem;
5141 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5149 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5150 struct sk_buff *skb, const struct nlmsghdr *nlh,
5151 const struct nlattr * const nla[],
5152 struct netlink_ext_ack *extack)
5154 u8 genmask = nft_genmask_next(net);
5155 const struct nlattr *attr;
5156 struct nft_set *set;
5160 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5165 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5167 return PTR_ERR(set);
5168 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5171 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5172 struct nft_set_iter iter = {
5174 .fn = nft_flush_set,
5176 set->ops->walk(&ctx, set, &iter);
5181 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5182 err = nft_del_setelem(&ctx, set, attr);
5191 void nft_set_gc_batch_release(struct rcu_head *rcu)
5193 struct nft_set_gc_batch *gcb;
5196 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5197 for (i = 0; i < gcb->head.cnt; i++)
5198 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5201 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
5203 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5206 struct nft_set_gc_batch *gcb;
5208 gcb = kzalloc(sizeof(*gcb), gfp);
5211 gcb->head.set = set;
5214 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
5221 * nft_register_obj- register nf_tables stateful object type
5224 * Registers the object type for use with nf_tables. Returns zero on
5225 * success or a negative errno code otherwise.
5227 int nft_register_obj(struct nft_object_type *obj_type)
5229 if (obj_type->type == NFT_OBJECT_UNSPEC)
5232 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5233 list_add_rcu(&obj_type->list, &nf_tables_objects);
5234 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5237 EXPORT_SYMBOL_GPL(nft_register_obj);
5240 * nft_unregister_obj - unregister nf_tables object type
5243 * Unregisters the object type for use with nf_tables.
5245 void nft_unregister_obj(struct nft_object_type *obj_type)
5247 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5248 list_del_rcu(&obj_type->list);
5249 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5251 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5253 struct nft_object *nft_obj_lookup(const struct net *net,
5254 const struct nft_table *table,
5255 const struct nlattr *nla, u32 objtype,
5258 struct nft_object_hash_key k = { .table = table };
5259 char search[NFT_OBJ_MAXNAMELEN];
5260 struct rhlist_head *tmp, *list;
5261 struct nft_object *obj;
5263 nla_strlcpy(search, nla, sizeof(search));
5266 WARN_ON_ONCE(!rcu_read_lock_held() &&
5267 !lockdep_commit_lock_is_held(net));
5270 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5274 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5275 if (objtype == obj->ops->type->type &&
5276 nft_active_genmask(obj, genmask)) {
5283 return ERR_PTR(-ENOENT);
5285 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5287 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5288 const struct nlattr *nla,
5289 u32 objtype, u8 genmask)
5291 struct nft_object *obj;
5293 list_for_each_entry(obj, &table->objects, list) {
5294 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5295 objtype == obj->ops->type->type &&
5296 nft_active_genmask(obj, genmask))
5299 return ERR_PTR(-ENOENT);
5302 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5303 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5304 .len = NFT_TABLE_MAXNAMELEN - 1 },
5305 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5306 .len = NFT_OBJ_MAXNAMELEN - 1 },
5307 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5308 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5309 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5312 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5313 const struct nft_object_type *type,
5314 const struct nlattr *attr)
5317 const struct nft_object_ops *ops;
5318 struct nft_object *obj;
5321 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5326 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5327 type->policy, NULL);
5331 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5334 if (type->select_ops) {
5335 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5345 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5349 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5362 return ERR_PTR(err);
5365 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5366 struct nft_object *obj, bool reset)
5368 struct nlattr *nest;
5370 nest = nla_nest_start_noflag(skb, attr);
5372 goto nla_put_failure;
5373 if (obj->ops->dump(skb, obj, reset) < 0)
5374 goto nla_put_failure;
5375 nla_nest_end(skb, nest);
5382 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5384 const struct nft_object_type *type;
5386 list_for_each_entry(type, &nf_tables_objects, list) {
5387 if (objtype == type->type)
5393 static const struct nft_object_type *
5394 nft_obj_type_get(struct net *net, u32 objtype)
5396 const struct nft_object_type *type;
5398 type = __nft_obj_type_get(objtype);
5399 if (type != NULL && try_module_get(type->owner))
5402 lockdep_nfnl_nft_mutex_not_held();
5403 #ifdef CONFIG_MODULES
5405 nft_request_module(net, "nft-obj-%u", objtype);
5406 if (__nft_obj_type_get(objtype))
5407 return ERR_PTR(-EAGAIN);
5410 return ERR_PTR(-ENOENT);
5413 static int nf_tables_updobj(const struct nft_ctx *ctx,
5414 const struct nft_object_type *type,
5415 const struct nlattr *attr,
5416 struct nft_object *obj)
5418 struct nft_object *newobj;
5419 struct nft_trans *trans;
5422 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5423 sizeof(struct nft_trans_obj));
5427 newobj = nft_obj_init(ctx, type, attr);
5428 if (IS_ERR(newobj)) {
5429 err = PTR_ERR(newobj);
5430 goto err_free_trans;
5433 nft_trans_obj(trans) = obj;
5434 nft_trans_obj_update(trans) = true;
5435 nft_trans_obj_newobj(trans) = newobj;
5436 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5445 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5446 struct sk_buff *skb, const struct nlmsghdr *nlh,
5447 const struct nlattr * const nla[],
5448 struct netlink_ext_ack *extack)
5450 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5451 const struct nft_object_type *type;
5452 u8 genmask = nft_genmask_next(net);
5453 int family = nfmsg->nfgen_family;
5454 struct nft_table *table;
5455 struct nft_object *obj;
5460 if (!nla[NFTA_OBJ_TYPE] ||
5461 !nla[NFTA_OBJ_NAME] ||
5462 !nla[NFTA_OBJ_DATA])
5465 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5466 if (IS_ERR(table)) {
5467 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5468 return PTR_ERR(table);
5471 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5472 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5475 if (err != -ENOENT) {
5476 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5480 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5481 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5484 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5487 type = __nft_obj_type_get(objtype);
5488 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5490 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5493 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5495 type = nft_obj_type_get(net, objtype);
5497 return PTR_ERR(type);
5499 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5504 obj->key.table = table;
5505 obj->handle = nf_tables_alloc_handle(table);
5507 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5508 if (!obj->key.name) {
5513 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5517 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5518 nft_objname_ht_params);
5522 list_add_tail_rcu(&obj->list, &table->objects);
5526 /* queued in transaction log */
5527 INIT_LIST_HEAD(&obj->list);
5530 kfree(obj->key.name);
5532 if (obj->ops->destroy)
5533 obj->ops->destroy(&ctx, obj);
5536 module_put(type->owner);
5540 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5541 u32 portid, u32 seq, int event, u32 flags,
5542 int family, const struct nft_table *table,
5543 struct nft_object *obj, bool reset)
5545 struct nfgenmsg *nfmsg;
5546 struct nlmsghdr *nlh;
5548 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5549 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5551 goto nla_put_failure;
5553 nfmsg = nlmsg_data(nlh);
5554 nfmsg->nfgen_family = family;
5555 nfmsg->version = NFNETLINK_V0;
5556 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5558 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5559 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5560 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5561 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5562 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5563 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5565 goto nla_put_failure;
5567 nlmsg_end(skb, nlh);
5571 nlmsg_trim(skb, nlh);
5575 struct nft_obj_filter {
5580 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5582 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5583 const struct nft_table *table;
5584 unsigned int idx = 0, s_idx = cb->args[0];
5585 struct nft_obj_filter *filter = cb->data;
5586 struct net *net = sock_net(skb->sk);
5587 int family = nfmsg->nfgen_family;
5588 struct nft_object *obj;
5591 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5595 cb->seq = net->nft.base_seq;
5597 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5598 if (family != NFPROTO_UNSPEC && family != table->family)
5601 list_for_each_entry_rcu(obj, &table->objects, list) {
5602 if (!nft_is_active(net, obj))
5607 memset(&cb->args[1], 0,
5608 sizeof(cb->args) - sizeof(cb->args[0]));
5609 if (filter && filter->table &&
5610 strcmp(filter->table, table->name))
5613 filter->type != NFT_OBJECT_UNSPEC &&
5614 obj->ops->type->type != filter->type)
5617 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5620 NLM_F_MULTI | NLM_F_APPEND,
5621 table->family, table,
5625 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5637 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5639 const struct nlattr * const *nla = cb->data;
5640 struct nft_obj_filter *filter = NULL;
5642 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5643 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5647 if (nla[NFTA_OBJ_TABLE]) {
5648 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5649 if (!filter->table) {
5655 if (nla[NFTA_OBJ_TYPE])
5656 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5663 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5665 struct nft_obj_filter *filter = cb->data;
5668 kfree(filter->table);
5675 /* called with rcu_read_lock held */
5676 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5677 struct sk_buff *skb, const struct nlmsghdr *nlh,
5678 const struct nlattr * const nla[],
5679 struct netlink_ext_ack *extack)
5681 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5682 u8 genmask = nft_genmask_cur(net);
5683 int family = nfmsg->nfgen_family;
5684 const struct nft_table *table;
5685 struct nft_object *obj;
5686 struct sk_buff *skb2;
5691 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5692 struct netlink_dump_control c = {
5693 .start = nf_tables_dump_obj_start,
5694 .dump = nf_tables_dump_obj,
5695 .done = nf_tables_dump_obj_done,
5696 .module = THIS_MODULE,
5697 .data = (void *)nla,
5700 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5703 if (!nla[NFTA_OBJ_NAME] ||
5704 !nla[NFTA_OBJ_TYPE])
5707 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5708 if (IS_ERR(table)) {
5709 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5710 return PTR_ERR(table);
5713 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5714 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5716 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5717 return PTR_ERR(obj);
5720 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5724 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5727 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5728 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5729 family, table, obj, reset);
5733 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5739 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5741 if (obj->ops->destroy)
5742 obj->ops->destroy(ctx, obj);
5744 module_put(obj->ops->type->owner);
5745 kfree(obj->key.name);
5749 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5750 struct sk_buff *skb, const struct nlmsghdr *nlh,
5751 const struct nlattr * const nla[],
5752 struct netlink_ext_ack *extack)
5754 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5755 u8 genmask = nft_genmask_next(net);
5756 int family = nfmsg->nfgen_family;
5757 const struct nlattr *attr;
5758 struct nft_table *table;
5759 struct nft_object *obj;
5763 if (!nla[NFTA_OBJ_TYPE] ||
5764 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5767 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5768 if (IS_ERR(table)) {
5769 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5770 return PTR_ERR(table);
5773 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5774 if (nla[NFTA_OBJ_HANDLE]) {
5775 attr = nla[NFTA_OBJ_HANDLE];
5776 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5778 attr = nla[NFTA_OBJ_NAME];
5779 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5783 NL_SET_BAD_ATTR(extack, attr);
5784 return PTR_ERR(obj);
5787 NL_SET_BAD_ATTR(extack, attr);
5791 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5793 return nft_delobj(&ctx, obj);
5796 void nft_obj_notify(struct net *net, const struct nft_table *table,
5797 struct nft_object *obj, u32 portid, u32 seq, int event,
5798 int family, int report, gfp_t gfp)
5800 struct sk_buff *skb;
5804 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5807 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5811 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5818 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5821 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5823 EXPORT_SYMBOL_GPL(nft_obj_notify);
5825 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5826 struct nft_object *obj, int event)
5828 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5829 ctx->family, ctx->report, GFP_KERNEL);
5835 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5837 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5838 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5839 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5841 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5843 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5845 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5846 list_del_rcu(&type->list);
5847 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5849 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5851 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5852 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5853 .len = NFT_NAME_MAXLEN - 1 },
5854 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5855 .len = NFT_NAME_MAXLEN - 1 },
5856 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5857 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5858 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
5861 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5862 const struct nlattr *nla, u8 genmask)
5864 struct nft_flowtable *flowtable;
5866 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5867 if (!nla_strcmp(nla, flowtable->name) &&
5868 nft_active_genmask(flowtable, genmask))
5871 return ERR_PTR(-ENOENT);
5873 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5875 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
5876 struct nft_flowtable *flowtable,
5877 enum nft_trans_phase phase)
5880 case NFT_TRANS_PREPARE:
5881 case NFT_TRANS_ABORT:
5882 case NFT_TRANS_RELEASE:
5889 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
5891 static struct nft_flowtable *
5892 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5893 const struct nlattr *nla, u8 genmask)
5895 struct nft_flowtable *flowtable;
5897 list_for_each_entry(flowtable, &table->flowtables, list) {
5898 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5899 nft_active_genmask(flowtable, genmask))
5902 return ERR_PTR(-ENOENT);
5905 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5906 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5907 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5908 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5911 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5912 const struct nlattr *attr,
5913 struct nft_flowtable *flowtable)
5915 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5916 struct nft_hook *hook;
5917 int hooknum, priority;
5920 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5921 nft_flowtable_hook_policy, NULL);
5925 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5926 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5927 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5930 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5931 if (hooknum != NF_NETDEV_INGRESS)
5934 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5936 err = nf_tables_parse_netdev_hooks(ctx->net,
5937 tb[NFTA_FLOWTABLE_HOOK_DEVS],
5938 &flowtable->hook_list);
5942 flowtable->hooknum = hooknum;
5943 flowtable->data.priority = priority;
5945 list_for_each_entry(hook, &flowtable->hook_list, list) {
5946 hook->ops.pf = NFPROTO_NETDEV;
5947 hook->ops.hooknum = hooknum;
5948 hook->ops.priority = priority;
5949 hook->ops.priv = &flowtable->data;
5950 hook->ops.hook = flowtable->data.type->hook;
5956 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5958 const struct nf_flowtable_type *type;
5960 list_for_each_entry(type, &nf_tables_flowtables, list) {
5961 if (family == type->family)
5967 static const struct nf_flowtable_type *
5968 nft_flowtable_type_get(struct net *net, u8 family)
5970 const struct nf_flowtable_type *type;
5972 type = __nft_flowtable_type_get(family);
5973 if (type != NULL && try_module_get(type->owner))
5976 lockdep_nfnl_nft_mutex_not_held();
5977 #ifdef CONFIG_MODULES
5979 nft_request_module(net, "nf-flowtable-%u", family);
5980 if (__nft_flowtable_type_get(family))
5981 return ERR_PTR(-EAGAIN);
5984 return ERR_PTR(-ENOENT);
5987 /* Only called from error and netdev event paths. */
5988 static void nft_unregister_flowtable_hook(struct net *net,
5989 struct nft_flowtable *flowtable,
5990 struct nft_hook *hook)
5992 nf_unregister_net_hook(net, &hook->ops);
5993 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
5997 static void nft_unregister_flowtable_net_hooks(struct net *net,
5998 struct nft_flowtable *flowtable)
6000 struct nft_hook *hook;
6002 list_for_each_entry(hook, &flowtable->hook_list, list)
6003 nf_unregister_net_hook(net, &hook->ops);
6006 static int nft_register_flowtable_net_hooks(struct net *net,
6007 struct nft_table *table,
6008 struct nft_flowtable *flowtable)
6010 struct nft_hook *hook, *hook2, *next;
6011 struct nft_flowtable *ft;
6014 list_for_each_entry(hook, &flowtable->hook_list, list) {
6015 list_for_each_entry(ft, &table->flowtables, list) {
6016 list_for_each_entry(hook2, &ft->hook_list, list) {
6017 if (hook->ops.dev == hook2->ops.dev &&
6018 hook->ops.pf == hook2->ops.pf) {
6020 goto err_unregister_net_hooks;
6025 err = flowtable->data.type->setup(&flowtable->data,
6029 goto err_unregister_net_hooks;
6031 err = nf_register_net_hook(net, &hook->ops);
6033 flowtable->data.type->setup(&flowtable->data,
6036 goto err_unregister_net_hooks;
6044 err_unregister_net_hooks:
6045 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6049 nft_unregister_flowtable_hook(net, flowtable, hook);
6050 list_del_rcu(&hook->list);
6051 kfree_rcu(hook, rcu);
6057 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6058 struct sk_buff *skb,
6059 const struct nlmsghdr *nlh,
6060 const struct nlattr * const nla[],
6061 struct netlink_ext_ack *extack)
6063 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6064 const struct nf_flowtable_type *type;
6065 u8 genmask = nft_genmask_next(net);
6066 int family = nfmsg->nfgen_family;
6067 struct nft_flowtable *flowtable;
6068 struct nft_hook *hook, *next;
6069 struct nft_table *table;
6073 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6074 !nla[NFTA_FLOWTABLE_NAME] ||
6075 !nla[NFTA_FLOWTABLE_HOOK])
6078 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6080 if (IS_ERR(table)) {
6081 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6082 return PTR_ERR(table);
6085 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6087 if (IS_ERR(flowtable)) {
6088 err = PTR_ERR(flowtable);
6089 if (err != -ENOENT) {
6090 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6094 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6095 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6102 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6104 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6108 flowtable->table = table;
6109 flowtable->handle = nf_tables_alloc_handle(table);
6110 INIT_LIST_HEAD(&flowtable->hook_list);
6112 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6113 if (!flowtable->name) {
6118 type = nft_flowtable_type_get(net, family);
6120 err = PTR_ERR(type);
6124 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6125 flowtable->data.flags =
6126 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6127 if (flowtable->data.flags & ~NF_FLOWTABLE_HW_OFFLOAD)
6131 write_pnet(&flowtable->data.net, net);
6132 flowtable->data.type = type;
6133 err = type->init(&flowtable->data);
6137 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6142 err = nft_register_flowtable_net_hooks(ctx.net, table, flowtable);
6146 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6150 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6155 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6156 nft_unregister_flowtable_hook(net, flowtable, hook);
6157 list_del_rcu(&hook->list);
6158 kfree_rcu(hook, rcu);
6161 flowtable->data.type->free(&flowtable->data);
6163 module_put(type->owner);
6165 kfree(flowtable->name);
6171 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6172 struct sk_buff *skb,
6173 const struct nlmsghdr *nlh,
6174 const struct nlattr * const nla[],
6175 struct netlink_ext_ack *extack)
6177 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6178 u8 genmask = nft_genmask_next(net);
6179 int family = nfmsg->nfgen_family;
6180 struct nft_flowtable *flowtable;
6181 const struct nlattr *attr;
6182 struct nft_table *table;
6185 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6186 (!nla[NFTA_FLOWTABLE_NAME] &&
6187 !nla[NFTA_FLOWTABLE_HANDLE]))
6190 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6192 if (IS_ERR(table)) {
6193 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6194 return PTR_ERR(table);
6197 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6198 attr = nla[NFTA_FLOWTABLE_HANDLE];
6199 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6201 attr = nla[NFTA_FLOWTABLE_NAME];
6202 flowtable = nft_flowtable_lookup(table, attr, genmask);
6205 if (IS_ERR(flowtable)) {
6206 NL_SET_BAD_ATTR(extack, attr);
6207 return PTR_ERR(flowtable);
6209 if (flowtable->use > 0) {
6210 NL_SET_BAD_ATTR(extack, attr);
6214 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6216 return nft_delflowtable(&ctx, flowtable);
6219 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6220 u32 portid, u32 seq, int event,
6221 u32 flags, int family,
6222 struct nft_flowtable *flowtable)
6224 struct nlattr *nest, *nest_devs;
6225 struct nfgenmsg *nfmsg;
6226 struct nft_hook *hook;
6227 struct nlmsghdr *nlh;
6229 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6230 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6232 goto nla_put_failure;
6234 nfmsg = nlmsg_data(nlh);
6235 nfmsg->nfgen_family = family;
6236 nfmsg->version = NFNETLINK_V0;
6237 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6239 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6240 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6241 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6242 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6243 NFTA_FLOWTABLE_PAD) ||
6244 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6245 goto nla_put_failure;
6247 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6249 goto nla_put_failure;
6250 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6251 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6252 goto nla_put_failure;
6254 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6256 goto nla_put_failure;
6258 list_for_each_entry_rcu(hook, &flowtable->hook_list, list) {
6259 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6260 goto nla_put_failure;
6262 nla_nest_end(skb, nest_devs);
6263 nla_nest_end(skb, nest);
6265 nlmsg_end(skb, nlh);
6269 nlmsg_trim(skb, nlh);
6273 struct nft_flowtable_filter {
6277 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6278 struct netlink_callback *cb)
6280 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6281 struct nft_flowtable_filter *filter = cb->data;
6282 unsigned int idx = 0, s_idx = cb->args[0];
6283 struct net *net = sock_net(skb->sk);
6284 int family = nfmsg->nfgen_family;
6285 struct nft_flowtable *flowtable;
6286 const struct nft_table *table;
6289 cb->seq = net->nft.base_seq;
6291 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6292 if (family != NFPROTO_UNSPEC && family != table->family)
6295 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6296 if (!nft_is_active(net, flowtable))
6301 memset(&cb->args[1], 0,
6302 sizeof(cb->args) - sizeof(cb->args[0]));
6303 if (filter && filter->table &&
6304 strcmp(filter->table, table->name))
6307 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6309 NFT_MSG_NEWFLOWTABLE,
6310 NLM_F_MULTI | NLM_F_APPEND,
6311 table->family, flowtable) < 0)
6314 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6326 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6328 const struct nlattr * const *nla = cb->data;
6329 struct nft_flowtable_filter *filter = NULL;
6331 if (nla[NFTA_FLOWTABLE_TABLE]) {
6332 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6336 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6338 if (!filter->table) {
6348 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6350 struct nft_flowtable_filter *filter = cb->data;
6355 kfree(filter->table);
6361 /* called with rcu_read_lock held */
6362 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6363 struct sk_buff *skb,
6364 const struct nlmsghdr *nlh,
6365 const struct nlattr * const nla[],
6366 struct netlink_ext_ack *extack)
6368 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6369 u8 genmask = nft_genmask_cur(net);
6370 int family = nfmsg->nfgen_family;
6371 struct nft_flowtable *flowtable;
6372 const struct nft_table *table;
6373 struct sk_buff *skb2;
6376 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6377 struct netlink_dump_control c = {
6378 .start = nf_tables_dump_flowtable_start,
6379 .dump = nf_tables_dump_flowtable,
6380 .done = nf_tables_dump_flowtable_done,
6381 .module = THIS_MODULE,
6382 .data = (void *)nla,
6385 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6388 if (!nla[NFTA_FLOWTABLE_NAME])
6391 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6394 return PTR_ERR(table);
6396 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6398 if (IS_ERR(flowtable))
6399 return PTR_ERR(flowtable);
6401 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6405 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6407 NFT_MSG_NEWFLOWTABLE, 0, family,
6412 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6418 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6419 struct nft_flowtable *flowtable,
6422 struct sk_buff *skb;
6426 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6429 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6433 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6435 ctx->family, flowtable);
6441 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6442 ctx->report, GFP_KERNEL);
6445 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6448 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6450 struct nft_hook *hook, *next;
6452 flowtable->data.type->free(&flowtable->data);
6453 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6454 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6456 list_del_rcu(&hook->list);
6459 kfree(flowtable->name);
6460 module_put(flowtable->data.type->owner);
6464 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6465 u32 portid, u32 seq)
6467 struct nlmsghdr *nlh;
6468 struct nfgenmsg *nfmsg;
6469 char buf[TASK_COMM_LEN];
6470 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6472 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6474 goto nla_put_failure;
6476 nfmsg = nlmsg_data(nlh);
6477 nfmsg->nfgen_family = AF_UNSPEC;
6478 nfmsg->version = NFNETLINK_V0;
6479 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6481 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6482 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6483 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6484 goto nla_put_failure;
6486 nlmsg_end(skb, nlh);
6490 nlmsg_trim(skb, nlh);
6494 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6495 struct nft_flowtable *flowtable)
6497 struct nft_hook *hook;
6499 list_for_each_entry(hook, &flowtable->hook_list, list) {
6500 if (hook->ops.dev != dev)
6503 /* flow_offload_netdev_event() cleans up entries for us. */
6504 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
6505 list_del_rcu(&hook->list);
6506 kfree_rcu(hook, rcu);
6511 static int nf_tables_flowtable_event(struct notifier_block *this,
6512 unsigned long event, void *ptr)
6514 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6515 struct nft_flowtable *flowtable;
6516 struct nft_table *table;
6519 if (event != NETDEV_UNREGISTER)
6523 mutex_lock(&net->nft.commit_mutex);
6524 list_for_each_entry(table, &net->nft.tables, list) {
6525 list_for_each_entry(flowtable, &table->flowtables, list) {
6526 nft_flowtable_event(event, dev, flowtable);
6529 mutex_unlock(&net->nft.commit_mutex);
6534 static struct notifier_block nf_tables_flowtable_notifier = {
6535 .notifier_call = nf_tables_flowtable_event,
6538 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6541 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6542 struct sk_buff *skb2;
6545 if (nlmsg_report(nlh) &&
6546 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6549 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6553 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6560 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6561 nlmsg_report(nlh), GFP_KERNEL);
6564 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6568 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6569 struct sk_buff *skb, const struct nlmsghdr *nlh,
6570 const struct nlattr * const nla[],
6571 struct netlink_ext_ack *extack)
6573 struct sk_buff *skb2;
6576 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6580 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6585 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6591 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6592 [NFT_MSG_NEWTABLE] = {
6593 .call_batch = nf_tables_newtable,
6594 .attr_count = NFTA_TABLE_MAX,
6595 .policy = nft_table_policy,
6597 [NFT_MSG_GETTABLE] = {
6598 .call_rcu = nf_tables_gettable,
6599 .attr_count = NFTA_TABLE_MAX,
6600 .policy = nft_table_policy,
6602 [NFT_MSG_DELTABLE] = {
6603 .call_batch = nf_tables_deltable,
6604 .attr_count = NFTA_TABLE_MAX,
6605 .policy = nft_table_policy,
6607 [NFT_MSG_NEWCHAIN] = {
6608 .call_batch = nf_tables_newchain,
6609 .attr_count = NFTA_CHAIN_MAX,
6610 .policy = nft_chain_policy,
6612 [NFT_MSG_GETCHAIN] = {
6613 .call_rcu = nf_tables_getchain,
6614 .attr_count = NFTA_CHAIN_MAX,
6615 .policy = nft_chain_policy,
6617 [NFT_MSG_DELCHAIN] = {
6618 .call_batch = nf_tables_delchain,
6619 .attr_count = NFTA_CHAIN_MAX,
6620 .policy = nft_chain_policy,
6622 [NFT_MSG_NEWRULE] = {
6623 .call_batch = nf_tables_newrule,
6624 .attr_count = NFTA_RULE_MAX,
6625 .policy = nft_rule_policy,
6627 [NFT_MSG_GETRULE] = {
6628 .call_rcu = nf_tables_getrule,
6629 .attr_count = NFTA_RULE_MAX,
6630 .policy = nft_rule_policy,
6632 [NFT_MSG_DELRULE] = {
6633 .call_batch = nf_tables_delrule,
6634 .attr_count = NFTA_RULE_MAX,
6635 .policy = nft_rule_policy,
6637 [NFT_MSG_NEWSET] = {
6638 .call_batch = nf_tables_newset,
6639 .attr_count = NFTA_SET_MAX,
6640 .policy = nft_set_policy,
6642 [NFT_MSG_GETSET] = {
6643 .call_rcu = nf_tables_getset,
6644 .attr_count = NFTA_SET_MAX,
6645 .policy = nft_set_policy,
6647 [NFT_MSG_DELSET] = {
6648 .call_batch = nf_tables_delset,
6649 .attr_count = NFTA_SET_MAX,
6650 .policy = nft_set_policy,
6652 [NFT_MSG_NEWSETELEM] = {
6653 .call_batch = nf_tables_newsetelem,
6654 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6655 .policy = nft_set_elem_list_policy,
6657 [NFT_MSG_GETSETELEM] = {
6658 .call_rcu = nf_tables_getsetelem,
6659 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6660 .policy = nft_set_elem_list_policy,
6662 [NFT_MSG_DELSETELEM] = {
6663 .call_batch = nf_tables_delsetelem,
6664 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6665 .policy = nft_set_elem_list_policy,
6667 [NFT_MSG_GETGEN] = {
6668 .call_rcu = nf_tables_getgen,
6670 [NFT_MSG_NEWOBJ] = {
6671 .call_batch = nf_tables_newobj,
6672 .attr_count = NFTA_OBJ_MAX,
6673 .policy = nft_obj_policy,
6675 [NFT_MSG_GETOBJ] = {
6676 .call_rcu = nf_tables_getobj,
6677 .attr_count = NFTA_OBJ_MAX,
6678 .policy = nft_obj_policy,
6680 [NFT_MSG_DELOBJ] = {
6681 .call_batch = nf_tables_delobj,
6682 .attr_count = NFTA_OBJ_MAX,
6683 .policy = nft_obj_policy,
6685 [NFT_MSG_GETOBJ_RESET] = {
6686 .call_rcu = nf_tables_getobj,
6687 .attr_count = NFTA_OBJ_MAX,
6688 .policy = nft_obj_policy,
6690 [NFT_MSG_NEWFLOWTABLE] = {
6691 .call_batch = nf_tables_newflowtable,
6692 .attr_count = NFTA_FLOWTABLE_MAX,
6693 .policy = nft_flowtable_policy,
6695 [NFT_MSG_GETFLOWTABLE] = {
6696 .call_rcu = nf_tables_getflowtable,
6697 .attr_count = NFTA_FLOWTABLE_MAX,
6698 .policy = nft_flowtable_policy,
6700 [NFT_MSG_DELFLOWTABLE] = {
6701 .call_batch = nf_tables_delflowtable,
6702 .attr_count = NFTA_FLOWTABLE_MAX,
6703 .policy = nft_flowtable_policy,
6707 static int nf_tables_validate(struct net *net)
6709 struct nft_table *table;
6711 switch (net->nft.validate_state) {
6712 case NFT_VALIDATE_SKIP:
6714 case NFT_VALIDATE_NEED:
6715 nft_validate_state_update(net, NFT_VALIDATE_DO);
6717 case NFT_VALIDATE_DO:
6718 list_for_each_entry(table, &net->nft.tables, list) {
6719 if (nft_table_validate(net, table) < 0)
6728 /* a drop policy has to be deferred until all rules have been activated,
6729 * otherwise a large ruleset that contains a drop-policy base chain will
6730 * cause all packets to get dropped until the full transaction has been
6733 * We defer the drop policy until the transaction has been finalized.
6735 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6737 struct nft_base_chain *basechain;
6739 if (nft_trans_chain_policy(trans) != NF_DROP)
6742 if (!nft_is_base_chain(trans->ctx.chain))
6745 basechain = nft_base_chain(trans->ctx.chain);
6746 basechain->policy = NF_DROP;
6749 static void nft_chain_commit_update(struct nft_trans *trans)
6751 struct nft_base_chain *basechain;
6753 if (nft_trans_chain_name(trans)) {
6754 rhltable_remove(&trans->ctx.table->chains_ht,
6755 &trans->ctx.chain->rhlhead,
6756 nft_chain_ht_params);
6757 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6758 rhltable_insert_key(&trans->ctx.table->chains_ht,
6759 trans->ctx.chain->name,
6760 &trans->ctx.chain->rhlhead,
6761 nft_chain_ht_params);
6764 if (!nft_is_base_chain(trans->ctx.chain))
6767 nft_chain_stats_replace(trans);
6769 basechain = nft_base_chain(trans->ctx.chain);
6771 switch (nft_trans_chain_policy(trans)) {
6774 basechain->policy = nft_trans_chain_policy(trans);
6779 static void nft_obj_commit_update(struct nft_trans *trans)
6781 struct nft_object *newobj;
6782 struct nft_object *obj;
6784 obj = nft_trans_obj(trans);
6785 newobj = nft_trans_obj_newobj(trans);
6787 if (obj->ops->update)
6788 obj->ops->update(obj, newobj);
6793 static void nft_commit_release(struct nft_trans *trans)
6795 switch (trans->msg_type) {
6796 case NFT_MSG_DELTABLE:
6797 nf_tables_table_destroy(&trans->ctx);
6799 case NFT_MSG_NEWCHAIN:
6800 free_percpu(nft_trans_chain_stats(trans));
6801 kfree(nft_trans_chain_name(trans));
6803 case NFT_MSG_DELCHAIN:
6804 nf_tables_chain_destroy(&trans->ctx);
6806 case NFT_MSG_DELRULE:
6807 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6809 case NFT_MSG_DELSET:
6810 nft_set_destroy(nft_trans_set(trans));
6812 case NFT_MSG_DELSETELEM:
6813 nf_tables_set_elem_destroy(&trans->ctx,
6814 nft_trans_elem_set(trans),
6815 nft_trans_elem(trans).priv);
6817 case NFT_MSG_DELOBJ:
6818 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6820 case NFT_MSG_DELFLOWTABLE:
6821 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6826 put_net(trans->ctx.net);
6831 static void nf_tables_trans_destroy_work(struct work_struct *w)
6833 struct nft_trans *trans, *next;
6836 spin_lock(&nf_tables_destroy_list_lock);
6837 list_splice_init(&nf_tables_destroy_list, &head);
6838 spin_unlock(&nf_tables_destroy_list_lock);
6840 if (list_empty(&head))
6845 list_for_each_entry_safe(trans, next, &head, list) {
6846 list_del(&trans->list);
6847 nft_commit_release(trans);
6851 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6853 struct nft_rule *rule;
6854 unsigned int alloc = 0;
6857 /* already handled or inactive chain? */
6858 if (chain->rules_next || !nft_is_active_next(net, chain))
6861 rule = list_entry(&chain->rules, struct nft_rule, list);
6864 list_for_each_entry_continue(rule, &chain->rules, list) {
6865 if (nft_is_active_next(net, rule))
6869 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6870 if (!chain->rules_next)
6873 list_for_each_entry_continue(rule, &chain->rules, list) {
6874 if (nft_is_active_next(net, rule))
6875 chain->rules_next[i++] = rule;
6878 chain->rules_next[i] = NULL;
6882 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6884 struct nft_trans *trans, *next;
6886 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6887 struct nft_chain *chain = trans->ctx.chain;
6889 if (trans->msg_type == NFT_MSG_NEWRULE ||
6890 trans->msg_type == NFT_MSG_DELRULE) {
6891 kvfree(chain->rules_next);
6892 chain->rules_next = NULL;
6897 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6899 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6904 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6906 struct nft_rule **r = rules;
6907 struct nft_rules_old *old;
6912 r++; /* rcu_head is after end marker */
6916 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6919 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6921 struct nft_rule **g0, **g1;
6924 next_genbit = nft_gencursor_next(net);
6926 g0 = rcu_dereference_protected(chain->rules_gen_0,
6927 lockdep_commit_lock_is_held(net));
6928 g1 = rcu_dereference_protected(chain->rules_gen_1,
6929 lockdep_commit_lock_is_held(net));
6931 /* No changes to this chain? */
6932 if (chain->rules_next == NULL) {
6933 /* chain had no change in last or next generation */
6937 * chain had no change in this generation; make sure next
6938 * one uses same rules as current generation.
6941 rcu_assign_pointer(chain->rules_gen_1, g0);
6942 nf_tables_commit_chain_free_rules_old(g1);
6944 rcu_assign_pointer(chain->rules_gen_0, g1);
6945 nf_tables_commit_chain_free_rules_old(g0);
6952 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6954 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6956 chain->rules_next = NULL;
6962 nf_tables_commit_chain_free_rules_old(g1);
6964 nf_tables_commit_chain_free_rules_old(g0);
6967 static void nft_obj_del(struct nft_object *obj)
6969 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6970 list_del_rcu(&obj->list);
6973 static void nft_chain_del(struct nft_chain *chain)
6975 struct nft_table *table = chain->table;
6977 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6978 nft_chain_ht_params));
6979 list_del_rcu(&chain->list);
6982 static void nf_tables_commit_release(struct net *net)
6984 struct nft_trans *trans;
6986 /* all side effects have to be made visible.
6987 * For example, if a chain named 'foo' has been deleted, a
6988 * new transaction must not find it anymore.
6990 * Memory reclaim happens asynchronously from work queue
6991 * to prevent expensive synchronize_rcu() in commit phase.
6993 if (list_empty(&net->nft.commit_list)) {
6994 mutex_unlock(&net->nft.commit_mutex);
6998 trans = list_last_entry(&net->nft.commit_list,
6999 struct nft_trans, list);
7000 get_net(trans->ctx.net);
7001 WARN_ON_ONCE(trans->put_net);
7003 trans->put_net = true;
7004 spin_lock(&nf_tables_destroy_list_lock);
7005 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7006 spin_unlock(&nf_tables_destroy_list_lock);
7008 mutex_unlock(&net->nft.commit_mutex);
7010 schedule_work(&trans_destroy_work);
7013 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7015 struct nft_trans *trans, *next;
7016 struct nft_trans_elem *te;
7017 struct nft_chain *chain;
7018 struct nft_table *table;
7021 if (list_empty(&net->nft.commit_list)) {
7022 mutex_unlock(&net->nft.commit_mutex);
7026 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7027 if (nf_tables_validate(net) < 0)
7030 err = nft_flow_rule_offload_commit(net);
7034 /* 1. Allocate space for next generation rules_gen_X[] */
7035 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7038 if (trans->msg_type == NFT_MSG_NEWRULE ||
7039 trans->msg_type == NFT_MSG_DELRULE) {
7040 chain = trans->ctx.chain;
7042 ret = nf_tables_commit_chain_prepare(net, chain);
7044 nf_tables_commit_chain_prepare_cancel(net);
7050 /* step 2. Make rules_gen_X visible to packet path */
7051 list_for_each_entry(table, &net->nft.tables, list) {
7052 list_for_each_entry(chain, &table->chains, list)
7053 nf_tables_commit_chain(net, chain);
7057 * Bump generation counter, invalidate any dump in progress.
7058 * Cannot fail after this point.
7060 while (++net->nft.base_seq == 0);
7062 /* step 3. Start new generation, rules_gen_X now in use. */
7063 net->nft.gencursor = nft_gencursor_next(net);
7065 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7066 switch (trans->msg_type) {
7067 case NFT_MSG_NEWTABLE:
7068 if (nft_trans_table_update(trans)) {
7069 if (!nft_trans_table_enable(trans)) {
7070 nf_tables_table_disable(net,
7072 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7075 nft_clear(net, trans->ctx.table);
7077 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7078 nft_trans_destroy(trans);
7080 case NFT_MSG_DELTABLE:
7081 list_del_rcu(&trans->ctx.table->list);
7082 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7084 case NFT_MSG_NEWCHAIN:
7085 if (nft_trans_chain_update(trans)) {
7086 nft_chain_commit_update(trans);
7087 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7088 /* trans destroyed after rcu grace period */
7090 nft_chain_commit_drop_policy(trans);
7091 nft_clear(net, trans->ctx.chain);
7092 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7093 nft_trans_destroy(trans);
7096 case NFT_MSG_DELCHAIN:
7097 nft_chain_del(trans->ctx.chain);
7098 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7099 nf_tables_unregister_hook(trans->ctx.net,
7103 case NFT_MSG_NEWRULE:
7104 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7105 nf_tables_rule_notify(&trans->ctx,
7106 nft_trans_rule(trans),
7108 nft_trans_destroy(trans);
7110 case NFT_MSG_DELRULE:
7111 list_del_rcu(&nft_trans_rule(trans)->list);
7112 nf_tables_rule_notify(&trans->ctx,
7113 nft_trans_rule(trans),
7115 nft_rule_expr_deactivate(&trans->ctx,
7116 nft_trans_rule(trans),
7119 case NFT_MSG_NEWSET:
7120 nft_clear(net, nft_trans_set(trans));
7121 /* This avoids hitting -EBUSY when deleting the table
7122 * from the transaction.
7124 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7125 !list_empty(&nft_trans_set(trans)->bindings))
7126 trans->ctx.table->use--;
7128 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7129 NFT_MSG_NEWSET, GFP_KERNEL);
7130 nft_trans_destroy(trans);
7132 case NFT_MSG_DELSET:
7133 list_del_rcu(&nft_trans_set(trans)->list);
7134 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7135 NFT_MSG_DELSET, GFP_KERNEL);
7137 case NFT_MSG_NEWSETELEM:
7138 te = (struct nft_trans_elem *)trans->data;
7140 te->set->ops->activate(net, te->set, &te->elem);
7141 nf_tables_setelem_notify(&trans->ctx, te->set,
7143 NFT_MSG_NEWSETELEM, 0);
7144 nft_trans_destroy(trans);
7146 case NFT_MSG_DELSETELEM:
7147 te = (struct nft_trans_elem *)trans->data;
7149 nf_tables_setelem_notify(&trans->ctx, te->set,
7151 NFT_MSG_DELSETELEM, 0);
7152 te->set->ops->remove(net, te->set, &te->elem);
7153 atomic_dec(&te->set->nelems);
7156 case NFT_MSG_NEWOBJ:
7157 if (nft_trans_obj_update(trans)) {
7158 nft_obj_commit_update(trans);
7159 nf_tables_obj_notify(&trans->ctx,
7160 nft_trans_obj(trans),
7163 nft_clear(net, nft_trans_obj(trans));
7164 nf_tables_obj_notify(&trans->ctx,
7165 nft_trans_obj(trans),
7167 nft_trans_destroy(trans);
7170 case NFT_MSG_DELOBJ:
7171 nft_obj_del(nft_trans_obj(trans));
7172 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7175 case NFT_MSG_NEWFLOWTABLE:
7176 nft_clear(net, nft_trans_flowtable(trans));
7177 nf_tables_flowtable_notify(&trans->ctx,
7178 nft_trans_flowtable(trans),
7179 NFT_MSG_NEWFLOWTABLE);
7180 nft_trans_destroy(trans);
7182 case NFT_MSG_DELFLOWTABLE:
7183 list_del_rcu(&nft_trans_flowtable(trans)->list);
7184 nf_tables_flowtable_notify(&trans->ctx,
7185 nft_trans_flowtable(trans),
7186 NFT_MSG_DELFLOWTABLE);
7187 nft_unregister_flowtable_net_hooks(net,
7188 nft_trans_flowtable(trans));
7193 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7194 nf_tables_commit_release(net);
7199 static void nf_tables_abort_release(struct nft_trans *trans)
7201 switch (trans->msg_type) {
7202 case NFT_MSG_NEWTABLE:
7203 nf_tables_table_destroy(&trans->ctx);
7205 case NFT_MSG_NEWCHAIN:
7206 nf_tables_chain_destroy(&trans->ctx);
7208 case NFT_MSG_NEWRULE:
7209 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7211 case NFT_MSG_NEWSET:
7212 nft_set_destroy(nft_trans_set(trans));
7214 case NFT_MSG_NEWSETELEM:
7215 nft_set_elem_destroy(nft_trans_elem_set(trans),
7216 nft_trans_elem(trans).priv, true);
7218 case NFT_MSG_NEWOBJ:
7219 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7221 case NFT_MSG_NEWFLOWTABLE:
7222 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7228 static int __nf_tables_abort(struct net *net)
7230 struct nft_trans *trans, *next;
7231 struct nft_trans_elem *te;
7233 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7235 switch (trans->msg_type) {
7236 case NFT_MSG_NEWTABLE:
7237 if (nft_trans_table_update(trans)) {
7238 if (nft_trans_table_enable(trans)) {
7239 nf_tables_table_disable(net,
7241 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7243 nft_trans_destroy(trans);
7245 list_del_rcu(&trans->ctx.table->list);
7248 case NFT_MSG_DELTABLE:
7249 nft_clear(trans->ctx.net, trans->ctx.table);
7250 nft_trans_destroy(trans);
7252 case NFT_MSG_NEWCHAIN:
7253 if (nft_trans_chain_update(trans)) {
7254 free_percpu(nft_trans_chain_stats(trans));
7255 kfree(nft_trans_chain_name(trans));
7256 nft_trans_destroy(trans);
7258 trans->ctx.table->use--;
7259 nft_chain_del(trans->ctx.chain);
7260 nf_tables_unregister_hook(trans->ctx.net,
7265 case NFT_MSG_DELCHAIN:
7266 trans->ctx.table->use++;
7267 nft_clear(trans->ctx.net, trans->ctx.chain);
7268 nft_trans_destroy(trans);
7270 case NFT_MSG_NEWRULE:
7271 trans->ctx.chain->use--;
7272 list_del_rcu(&nft_trans_rule(trans)->list);
7273 nft_rule_expr_deactivate(&trans->ctx,
7274 nft_trans_rule(trans),
7277 case NFT_MSG_DELRULE:
7278 trans->ctx.chain->use++;
7279 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7280 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7281 nft_trans_destroy(trans);
7283 case NFT_MSG_NEWSET:
7284 trans->ctx.table->use--;
7285 if (nft_trans_set_bound(trans)) {
7286 nft_trans_destroy(trans);
7289 list_del_rcu(&nft_trans_set(trans)->list);
7291 case NFT_MSG_DELSET:
7292 trans->ctx.table->use++;
7293 nft_clear(trans->ctx.net, nft_trans_set(trans));
7294 nft_trans_destroy(trans);
7296 case NFT_MSG_NEWSETELEM:
7297 if (nft_trans_elem_set_bound(trans)) {
7298 nft_trans_destroy(trans);
7301 te = (struct nft_trans_elem *)trans->data;
7302 te->set->ops->remove(net, te->set, &te->elem);
7303 atomic_dec(&te->set->nelems);
7305 case NFT_MSG_DELSETELEM:
7306 te = (struct nft_trans_elem *)trans->data;
7308 nft_set_elem_activate(net, te->set, &te->elem);
7309 te->set->ops->activate(net, te->set, &te->elem);
7312 nft_trans_destroy(trans);
7314 case NFT_MSG_NEWOBJ:
7315 if (nft_trans_obj_update(trans)) {
7316 kfree(nft_trans_obj_newobj(trans));
7317 nft_trans_destroy(trans);
7319 trans->ctx.table->use--;
7320 nft_obj_del(nft_trans_obj(trans));
7323 case NFT_MSG_DELOBJ:
7324 trans->ctx.table->use++;
7325 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7326 nft_trans_destroy(trans);
7328 case NFT_MSG_NEWFLOWTABLE:
7329 trans->ctx.table->use--;
7330 list_del_rcu(&nft_trans_flowtable(trans)->list);
7331 nft_unregister_flowtable_net_hooks(net,
7332 nft_trans_flowtable(trans));
7334 case NFT_MSG_DELFLOWTABLE:
7335 trans->ctx.table->use++;
7336 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7337 nft_trans_destroy(trans);
7344 list_for_each_entry_safe_reverse(trans, next,
7345 &net->nft.commit_list, list) {
7346 list_del(&trans->list);
7347 nf_tables_abort_release(trans);
7353 static void nf_tables_cleanup(struct net *net)
7355 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7358 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
7360 int ret = __nf_tables_abort(net);
7362 mutex_unlock(&net->nft.commit_mutex);
7367 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7371 mutex_lock(&net->nft.commit_mutex);
7373 genid_ok = genid == 0 || net->nft.base_seq == genid;
7375 mutex_unlock(&net->nft.commit_mutex);
7377 /* else, commit mutex has to be released by commit or abort function */
7381 static const struct nfnetlink_subsystem nf_tables_subsys = {
7382 .name = "nf_tables",
7383 .subsys_id = NFNL_SUBSYS_NFTABLES,
7384 .cb_count = NFT_MSG_MAX,
7386 .commit = nf_tables_commit,
7387 .abort = nf_tables_abort,
7388 .cleanup = nf_tables_cleanup,
7389 .valid_genid = nf_tables_valid_genid,
7390 .owner = THIS_MODULE,
7393 int nft_chain_validate_dependency(const struct nft_chain *chain,
7394 enum nft_chain_types type)
7396 const struct nft_base_chain *basechain;
7398 if (nft_is_base_chain(chain)) {
7399 basechain = nft_base_chain(chain);
7400 if (basechain->type->type != type)
7405 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7407 int nft_chain_validate_hooks(const struct nft_chain *chain,
7408 unsigned int hook_flags)
7410 struct nft_base_chain *basechain;
7412 if (nft_is_base_chain(chain)) {
7413 basechain = nft_base_chain(chain);
7415 if ((1 << basechain->ops.hooknum) & hook_flags)
7423 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7426 * Loop detection - walk through the ruleset beginning at the destination chain
7427 * of a new jump until either the source chain is reached (loop) or all
7428 * reachable chains have been traversed.
7430 * The loop check is performed whenever a new jump verdict is added to an
7431 * expression or verdict map or a verdict map is bound to a new chain.
7434 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7435 const struct nft_chain *chain);
7437 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7438 struct nft_set *set,
7439 const struct nft_set_iter *iter,
7440 struct nft_set_elem *elem)
7442 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7443 const struct nft_data *data;
7445 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7446 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7449 data = nft_set_ext_data(ext);
7450 switch (data->verdict.code) {
7453 return nf_tables_check_loops(ctx, data->verdict.chain);
7459 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7460 const struct nft_chain *chain)
7462 const struct nft_rule *rule;
7463 const struct nft_expr *expr, *last;
7464 struct nft_set *set;
7465 struct nft_set_binding *binding;
7466 struct nft_set_iter iter;
7468 if (ctx->chain == chain)
7471 list_for_each_entry(rule, &chain->rules, list) {
7472 nft_rule_for_each_expr(expr, last, rule) {
7473 struct nft_immediate_expr *priv;
7474 const struct nft_data *data;
7477 if (strcmp(expr->ops->type->name, "immediate"))
7480 priv = nft_expr_priv(expr);
7481 if (priv->dreg != NFT_REG_VERDICT)
7485 switch (data->verdict.code) {
7488 err = nf_tables_check_loops(ctx,
7489 data->verdict.chain);
7498 list_for_each_entry(set, &ctx->table->sets, list) {
7499 if (!nft_is_active_next(ctx->net, set))
7501 if (!(set->flags & NFT_SET_MAP) ||
7502 set->dtype != NFT_DATA_VERDICT)
7505 list_for_each_entry(binding, &set->bindings, list) {
7506 if (!(binding->flags & NFT_SET_MAP) ||
7507 binding->chain != chain)
7510 iter.genmask = nft_genmask_next(ctx->net);
7514 iter.fn = nf_tables_loop_check_setelem;
7516 set->ops->walk(ctx, set, &iter);
7526 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7528 * @attr: netlink attribute to fetch value from
7529 * @max: maximum value to be stored in dest
7530 * @dest: pointer to the variable
7532 * Parse, check and store a given u32 netlink attribute into variable.
7533 * This function returns -ERANGE if the value goes over maximum value.
7534 * Otherwise a 0 is returned and the attribute value is stored in the
7535 * destination variable.
7537 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7541 val = ntohl(nla_get_be32(attr));
7548 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7551 * nft_parse_register - parse a register value from a netlink attribute
7553 * @attr: netlink attribute
7555 * Parse and translate a register value from a netlink attribute.
7556 * Registers used to be 128 bit wide, these register numbers will be
7557 * mapped to the corresponding 32 bit register numbers.
7559 unsigned int nft_parse_register(const struct nlattr *attr)
7563 reg = ntohl(nla_get_be32(attr));
7565 case NFT_REG_VERDICT...NFT_REG_4:
7566 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7568 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7571 EXPORT_SYMBOL_GPL(nft_parse_register);
7574 * nft_dump_register - dump a register value to a netlink attribute
7576 * @skb: socket buffer
7577 * @attr: attribute number
7578 * @reg: register number
7580 * Construct a netlink attribute containing the register number. For
7581 * compatibility reasons, register numbers being a multiple of 4 are
7582 * translated to the corresponding 128 bit register numbers.
7584 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7586 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7587 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7589 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7591 return nla_put_be32(skb, attr, htonl(reg));
7593 EXPORT_SYMBOL_GPL(nft_dump_register);
7596 * nft_validate_register_load - validate a load from a register
7598 * @reg: the register number
7599 * @len: the length of the data
7601 * Validate that the input register is one of the general purpose
7602 * registers and that the length of the load is within the bounds.
7604 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7606 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7610 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
7615 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7618 * nft_validate_register_store - validate an expressions' register store
7620 * @ctx: context of the expression performing the load
7621 * @reg: the destination register number
7622 * @data: the data to load
7623 * @type: the data type
7624 * @len: the length of the data
7626 * Validate that a data load uses the appropriate data type for
7627 * the destination register and the length is within the bounds.
7628 * A value of NULL for the data means that its runtime gathered
7631 int nft_validate_register_store(const struct nft_ctx *ctx,
7632 enum nft_registers reg,
7633 const struct nft_data *data,
7634 enum nft_data_types type, unsigned int len)
7639 case NFT_REG_VERDICT:
7640 if (type != NFT_DATA_VERDICT)
7644 (data->verdict.code == NFT_GOTO ||
7645 data->verdict.code == NFT_JUMP)) {
7646 err = nf_tables_check_loops(ctx, data->verdict.chain);
7653 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7657 if (reg * NFT_REG32_SIZE + len >
7658 sizeof_field(struct nft_regs, data))
7661 if (data != NULL && type != NFT_DATA_VALUE)
7666 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7668 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7669 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7670 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7671 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7674 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7675 struct nft_data_desc *desc, const struct nlattr *nla)
7677 u8 genmask = nft_genmask_next(ctx->net);
7678 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7679 struct nft_chain *chain;
7682 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7683 nft_verdict_policy, NULL);
7687 if (!tb[NFTA_VERDICT_CODE])
7689 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7691 switch (data->verdict.code) {
7693 switch (data->verdict.code & NF_VERDICT_MASK) {
7708 if (!tb[NFTA_VERDICT_CHAIN])
7710 chain = nft_chain_lookup(ctx->net, ctx->table,
7711 tb[NFTA_VERDICT_CHAIN], genmask);
7713 return PTR_ERR(chain);
7714 if (nft_is_base_chain(chain))
7718 data->verdict.chain = chain;
7722 desc->len = sizeof(data->verdict);
7723 desc->type = NFT_DATA_VERDICT;
7727 static void nft_verdict_uninit(const struct nft_data *data)
7729 switch (data->verdict.code) {
7732 data->verdict.chain->use--;
7737 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7739 struct nlattr *nest;
7741 nest = nla_nest_start_noflag(skb, type);
7743 goto nla_put_failure;
7745 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7746 goto nla_put_failure;
7751 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7753 goto nla_put_failure;
7755 nla_nest_end(skb, nest);
7762 static int nft_value_init(const struct nft_ctx *ctx,
7763 struct nft_data *data, unsigned int size,
7764 struct nft_data_desc *desc, const struct nlattr *nla)
7774 nla_memcpy(data->data, nla, len);
7775 desc->type = NFT_DATA_VALUE;
7780 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7783 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7786 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7787 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7788 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7792 * nft_data_init - parse nf_tables data netlink attributes
7794 * @ctx: context of the expression using the data
7795 * @data: destination struct nft_data
7796 * @size: maximum data length
7797 * @desc: data description
7798 * @nla: netlink attribute containing data
7800 * Parse the netlink data attributes and initialize a struct nft_data.
7801 * The type and length of data are returned in the data description.
7803 * The caller can indicate that it only wants to accept data of type
7804 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7806 int nft_data_init(const struct nft_ctx *ctx,
7807 struct nft_data *data, unsigned int size,
7808 struct nft_data_desc *desc, const struct nlattr *nla)
7810 struct nlattr *tb[NFTA_DATA_MAX + 1];
7813 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7814 nft_data_policy, NULL);
7818 if (tb[NFTA_DATA_VALUE])
7819 return nft_value_init(ctx, data, size, desc,
7820 tb[NFTA_DATA_VALUE]);
7821 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7822 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7825 EXPORT_SYMBOL_GPL(nft_data_init);
7828 * nft_data_release - release a nft_data item
7830 * @data: struct nft_data to release
7831 * @type: type of data
7833 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7834 * all others need to be released by calling this function.
7836 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7838 if (type < NFT_DATA_VERDICT)
7841 case NFT_DATA_VERDICT:
7842 return nft_verdict_uninit(data);
7847 EXPORT_SYMBOL_GPL(nft_data_release);
7849 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7850 enum nft_data_types type, unsigned int len)
7852 struct nlattr *nest;
7855 nest = nla_nest_start_noflag(skb, attr);
7860 case NFT_DATA_VALUE:
7861 err = nft_value_dump(skb, data, len);
7863 case NFT_DATA_VERDICT:
7864 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7871 nla_nest_end(skb, nest);
7874 EXPORT_SYMBOL_GPL(nft_data_dump);
7876 int __nft_release_basechain(struct nft_ctx *ctx)
7878 struct nft_rule *rule, *nr;
7880 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7883 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7884 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7885 list_del(&rule->list);
7887 nf_tables_rule_release(ctx, rule);
7889 nft_chain_del(ctx->chain);
7891 nf_tables_chain_destroy(ctx);
7895 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7897 static void __nft_release_tables(struct net *net)
7899 struct nft_flowtable *flowtable, *nf;
7900 struct nft_table *table, *nt;
7901 struct nft_chain *chain, *nc;
7902 struct nft_object *obj, *ne;
7903 struct nft_rule *rule, *nr;
7904 struct nft_set *set, *ns;
7905 struct nft_ctx ctx = {
7907 .family = NFPROTO_NETDEV,
7910 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7911 ctx.family = table->family;
7913 list_for_each_entry(chain, &table->chains, list)
7914 nf_tables_unregister_hook(net, table, chain);
7915 /* No packets are walking on these chains anymore. */
7917 list_for_each_entry(chain, &table->chains, list) {
7919 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7920 list_del(&rule->list);
7922 nf_tables_rule_release(&ctx, rule);
7925 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7926 list_del(&flowtable->list);
7928 nf_tables_flowtable_destroy(flowtable);
7930 list_for_each_entry_safe(set, ns, &table->sets, list) {
7931 list_del(&set->list);
7933 nft_set_destroy(set);
7935 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7938 nft_obj_destroy(&ctx, obj);
7940 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7942 nft_chain_del(chain);
7944 nf_tables_chain_destroy(&ctx);
7946 list_del(&table->list);
7947 nf_tables_table_destroy(&ctx);
7951 static int __net_init nf_tables_init_net(struct net *net)
7953 INIT_LIST_HEAD(&net->nft.tables);
7954 INIT_LIST_HEAD(&net->nft.commit_list);
7955 mutex_init(&net->nft.commit_mutex);
7956 net->nft.base_seq = 1;
7957 net->nft.validate_state = NFT_VALIDATE_SKIP;
7962 static void __net_exit nf_tables_exit_net(struct net *net)
7964 mutex_lock(&net->nft.commit_mutex);
7965 if (!list_empty(&net->nft.commit_list))
7966 __nf_tables_abort(net);
7967 __nft_release_tables(net);
7968 mutex_unlock(&net->nft.commit_mutex);
7969 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7972 static struct pernet_operations nf_tables_net_ops = {
7973 .init = nf_tables_init_net,
7974 .exit = nf_tables_exit_net,
7977 static int __init nf_tables_module_init(void)
7981 spin_lock_init(&nf_tables_destroy_list_lock);
7982 err = register_pernet_subsys(&nf_tables_net_ops);
7986 err = nft_chain_filter_init();
7990 err = nf_tables_core_module_init();
7994 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7998 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8002 err = nft_offload_init();
8007 err = nfnetlink_subsys_register(&nf_tables_subsys);
8011 nft_chain_route_init();
8017 rhltable_destroy(&nft_objname_ht);
8019 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8021 nf_tables_core_module_exit();
8023 nft_chain_filter_fini();
8025 unregister_pernet_subsys(&nf_tables_net_ops);
8029 static void __exit nf_tables_module_exit(void)
8031 nfnetlink_subsys_unregister(&nf_tables_subsys);
8033 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8034 nft_chain_filter_fini();
8035 nft_chain_route_fini();
8036 unregister_pernet_subsys(&nf_tables_net_ops);
8037 cancel_work_sync(&trans_destroy_work);
8039 rhltable_destroy(&nft_objname_ht);
8040 nf_tables_core_module_exit();
8043 module_init(nf_tables_module_init);
8044 module_exit(nf_tables_module_exit);
8046 MODULE_LICENSE("GPL");
8047 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8048 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux.git / blob