2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
44 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
47 * nft_unregister_afinfo - unregister nf_tables address family info
49 * @afi: address family info to unregister
51 * Unregister the address family for use with nf_tables.
53 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
55 nfnl_lock(NFNL_SUBSYS_NFTABLES);
56 __nft_release_afinfo(net, afi);
57 list_del_rcu(&afi->list);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
60 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
62 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
64 struct nft_af_info *afi;
66 list_for_each_entry(afi, &net->nft.af_info, list) {
67 if (afi->family == family)
73 static struct nft_af_info *
74 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
76 struct nft_af_info *afi;
78 afi = nft_afinfo_lookup(net, family);
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
84 request_module("nft-afinfo-%u", family);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES);
86 afi = nft_afinfo_lookup(net, family);
88 return ERR_PTR(-EAGAIN);
91 return ERR_PTR(-EAFNOSUPPORT);
94 static void nft_ctx_init(struct nft_ctx *ctx,
96 const struct sk_buff *skb,
97 const struct nlmsghdr *nlh,
98 struct nft_af_info *afi,
99 struct nft_table *table,
100 struct nft_chain *chain,
101 const struct nlattr * const *nla)
108 ctx->portid = NETLINK_CB(skb).portid;
109 ctx->report = nlmsg_report(nlh);
110 ctx->seq = nlh->nlmsg_seq;
113 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
116 struct nft_trans *trans;
118 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
122 INIT_LIST_HEAD(&trans->list);
123 trans->msg_type = msg_type;
129 static void nft_trans_destroy(struct nft_trans *trans)
131 list_del(&trans->list);
135 static int nf_tables_register_hooks(struct net *net,
136 const struct nft_table *table,
137 struct nft_chain *chain,
138 unsigned int hook_nops)
140 if (table->flags & NFT_TABLE_F_DORMANT ||
141 !(chain->flags & NFT_BASE_CHAIN))
144 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
148 static void nf_tables_unregister_hooks(struct net *net,
149 const struct nft_table *table,
150 struct nft_chain *chain,
151 unsigned int hook_nops)
153 if (table->flags & NFT_TABLE_F_DORMANT ||
154 !(chain->flags & NFT_BASE_CHAIN))
157 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
160 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
162 struct nft_trans *trans;
164 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
168 if (msg_type == NFT_MSG_NEWTABLE)
169 nft_activate_next(ctx->net, ctx->table);
171 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
175 static int nft_deltable(struct nft_ctx *ctx)
179 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
183 nft_deactivate_next(ctx->net, ctx->table);
187 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
189 struct nft_trans *trans;
191 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
195 if (msg_type == NFT_MSG_NEWCHAIN)
196 nft_activate_next(ctx->net, ctx->chain);
198 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
202 static int nft_delchain(struct nft_ctx *ctx)
206 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
211 nft_deactivate_next(ctx->net, ctx->chain);
217 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
219 /* You cannot delete the same rule twice */
220 if (nft_is_active_next(ctx->net, rule)) {
221 nft_deactivate_next(ctx->net, rule);
228 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
229 struct nft_rule *rule)
231 struct nft_trans *trans;
233 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
237 nft_trans_rule(trans) = rule;
238 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
243 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
245 struct nft_trans *trans;
248 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
252 err = nf_tables_delrule_deactivate(ctx, rule);
254 nft_trans_destroy(trans);
261 static int nft_delrule_by_chain(struct nft_ctx *ctx)
263 struct nft_rule *rule;
266 list_for_each_entry(rule, &ctx->chain->rules, list) {
267 if (!nft_is_active_next(ctx->net, rule))
270 err = nft_delrule(ctx, rule);
277 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
280 struct nft_trans *trans;
282 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
286 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
287 nft_trans_set_id(trans) =
288 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
289 nft_activate_next(ctx->net, set);
291 nft_trans_set(trans) = set;
292 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
297 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
301 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
305 nft_deactivate_next(ctx->net, set);
315 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
316 const struct nlattr *nla,
319 struct nft_table *table;
321 list_for_each_entry(table, &afi->tables, list) {
322 if (!nla_strcmp(nla, table->name) &&
323 nft_active_genmask(table, genmask))
329 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
330 const struct nlattr *nla,
333 struct nft_table *table;
336 return ERR_PTR(-EINVAL);
338 table = nft_table_lookup(afi, nla, genmask);
342 return ERR_PTR(-ENOENT);
345 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
347 return ++table->hgenerator;
350 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
352 static const struct nf_chain_type *
353 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
357 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
358 if (chain_type[family][i] != NULL &&
359 !nla_strcmp(nla, chain_type[family][i]->name))
360 return chain_type[family][i];
365 static const struct nf_chain_type *
366 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
367 const struct nlattr *nla,
370 const struct nf_chain_type *type;
372 type = __nf_tables_chain_type_lookup(afi->family, nla);
375 #ifdef CONFIG_MODULES
377 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
378 request_module("nft-chain-%u-%.*s", afi->family,
379 nla_len(nla), (const char *)nla_data(nla));
380 nfnl_lock(NFNL_SUBSYS_NFTABLES);
381 type = __nf_tables_chain_type_lookup(afi->family, nla);
383 return ERR_PTR(-EAGAIN);
386 return ERR_PTR(-ENOENT);
389 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
390 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
391 .len = NFT_TABLE_MAXNAMELEN - 1 },
392 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
395 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
396 u32 portid, u32 seq, int event, u32 flags,
397 int family, const struct nft_table *table)
399 struct nlmsghdr *nlh;
400 struct nfgenmsg *nfmsg;
402 event |= NFNL_SUBSYS_NFTABLES << 8;
403 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
405 goto nla_put_failure;
407 nfmsg = nlmsg_data(nlh);
408 nfmsg->nfgen_family = family;
409 nfmsg->version = NFNETLINK_V0;
410 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
412 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
413 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
414 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
415 goto nla_put_failure;
421 nlmsg_trim(skb, nlh);
425 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
431 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
435 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
439 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
440 event, 0, ctx->afi->family, ctx->table);
446 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
447 ctx->report, GFP_KERNEL);
450 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
456 static int nf_tables_dump_tables(struct sk_buff *skb,
457 struct netlink_callback *cb)
459 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
460 const struct nft_af_info *afi;
461 const struct nft_table *table;
462 unsigned int idx = 0, s_idx = cb->args[0];
463 struct net *net = sock_net(skb->sk);
464 int family = nfmsg->nfgen_family;
467 cb->seq = net->nft.base_seq;
469 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
470 if (family != NFPROTO_UNSPEC && family != afi->family)
473 list_for_each_entry_rcu(table, &afi->tables, list) {
477 memset(&cb->args[1], 0,
478 sizeof(cb->args) - sizeof(cb->args[0]));
479 if (!nft_is_active(net, table))
481 if (nf_tables_fill_table_info(skb, net,
482 NETLINK_CB(cb->skb).portid,
486 afi->family, table) < 0)
489 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
500 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
501 struct sk_buff *skb, const struct nlmsghdr *nlh,
502 const struct nlattr * const nla[])
504 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
505 u8 genmask = nft_genmask_cur(net);
506 const struct nft_af_info *afi;
507 const struct nft_table *table;
508 struct sk_buff *skb2;
509 int family = nfmsg->nfgen_family;
512 if (nlh->nlmsg_flags & NLM_F_DUMP) {
513 struct netlink_dump_control c = {
514 .dump = nf_tables_dump_tables,
516 return netlink_dump_start(nlsk, skb, nlh, &c);
519 afi = nf_tables_afinfo_lookup(net, family, false);
523 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
525 return PTR_ERR(table);
527 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
531 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
532 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
537 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
544 static int nf_tables_table_enable(struct net *net,
545 const struct nft_af_info *afi,
546 struct nft_table *table)
548 struct nft_chain *chain;
551 list_for_each_entry(chain, &table->chains, list) {
552 if (!nft_is_active_next(net, chain))
554 if (!(chain->flags & NFT_BASE_CHAIN))
557 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
566 list_for_each_entry(chain, &table->chains, list) {
567 if (!nft_is_active_next(net, chain))
569 if (!(chain->flags & NFT_BASE_CHAIN))
575 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
581 static void nf_tables_table_disable(struct net *net,
582 const struct nft_af_info *afi,
583 struct nft_table *table)
585 struct nft_chain *chain;
587 list_for_each_entry(chain, &table->chains, list) {
588 if (!nft_is_active_next(net, chain))
590 if (!(chain->flags & NFT_BASE_CHAIN))
593 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
598 static int nf_tables_updtable(struct nft_ctx *ctx)
600 struct nft_trans *trans;
604 if (!ctx->nla[NFTA_TABLE_FLAGS])
607 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
608 if (flags & ~NFT_TABLE_F_DORMANT)
611 if (flags == ctx->table->flags)
614 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
615 sizeof(struct nft_trans_table));
619 if ((flags & NFT_TABLE_F_DORMANT) &&
620 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
621 nft_trans_table_enable(trans) = false;
622 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
623 ctx->table->flags & NFT_TABLE_F_DORMANT) {
624 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
626 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
627 nft_trans_table_enable(trans) = true;
633 nft_trans_table_update(trans) = true;
634 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
637 nft_trans_destroy(trans);
641 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
642 struct sk_buff *skb, const struct nlmsghdr *nlh,
643 const struct nlattr * const nla[])
645 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
646 u8 genmask = nft_genmask_next(net);
647 const struct nlattr *name;
648 struct nft_af_info *afi;
649 struct nft_table *table;
650 int family = nfmsg->nfgen_family;
655 afi = nf_tables_afinfo_lookup(net, family, true);
659 name = nla[NFTA_TABLE_NAME];
660 table = nf_tables_table_lookup(afi, name, genmask);
662 if (PTR_ERR(table) != -ENOENT)
663 return PTR_ERR(table);
668 if (nlh->nlmsg_flags & NLM_F_EXCL)
670 if (nlh->nlmsg_flags & NLM_F_REPLACE)
673 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
674 return nf_tables_updtable(&ctx);
677 if (nla[NFTA_TABLE_FLAGS]) {
678 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
679 if (flags & ~NFT_TABLE_F_DORMANT)
684 if (!try_module_get(afi->owner))
688 table = kzalloc(sizeof(*table), GFP_KERNEL);
692 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
693 INIT_LIST_HEAD(&table->chains);
694 INIT_LIST_HEAD(&table->sets);
695 table->flags = flags;
697 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
698 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
702 list_add_tail_rcu(&table->list, &afi->tables);
707 module_put(afi->owner);
712 static int nft_flush_table(struct nft_ctx *ctx)
715 struct nft_chain *chain, *nc;
716 struct nft_set *set, *ns;
718 list_for_each_entry(chain, &ctx->table->chains, list) {
719 if (!nft_is_active_next(ctx->net, chain))
724 err = nft_delrule_by_chain(ctx);
729 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
730 if (!nft_is_active_next(ctx->net, set))
733 if (set->flags & NFT_SET_ANONYMOUS &&
734 !list_empty(&set->bindings))
737 err = nft_delset(ctx, set);
742 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
743 if (!nft_is_active_next(ctx->net, chain))
748 err = nft_delchain(ctx);
753 err = nft_deltable(ctx);
758 static int nft_flush(struct nft_ctx *ctx, int family)
760 struct nft_af_info *afi;
761 struct nft_table *table, *nt;
762 const struct nlattr * const *nla = ctx->nla;
765 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
766 if (family != AF_UNSPEC && afi->family != family)
770 list_for_each_entry_safe(table, nt, &afi->tables, list) {
771 if (!nft_is_active_next(ctx->net, table))
774 if (nla[NFTA_TABLE_NAME] &&
775 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
780 err = nft_flush_table(ctx);
789 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
790 struct sk_buff *skb, const struct nlmsghdr *nlh,
791 const struct nlattr * const nla[])
793 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
794 u8 genmask = nft_genmask_next(net);
795 struct nft_af_info *afi;
796 struct nft_table *table;
797 int family = nfmsg->nfgen_family;
800 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
801 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
802 return nft_flush(&ctx, family);
804 afi = nf_tables_afinfo_lookup(net, family, false);
808 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
810 return PTR_ERR(table);
815 return nft_flush_table(&ctx);
818 static void nf_tables_table_destroy(struct nft_ctx *ctx)
820 BUG_ON(ctx->table->use > 0);
823 module_put(ctx->afi->owner);
826 int nft_register_chain_type(const struct nf_chain_type *ctype)
830 nfnl_lock(NFNL_SUBSYS_NFTABLES);
831 if (chain_type[ctype->family][ctype->type] != NULL) {
835 chain_type[ctype->family][ctype->type] = ctype;
837 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
840 EXPORT_SYMBOL_GPL(nft_register_chain_type);
842 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
844 nfnl_lock(NFNL_SUBSYS_NFTABLES);
845 chain_type[ctype->family][ctype->type] = NULL;
846 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
848 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
854 static struct nft_chain *
855 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
858 struct nft_chain *chain;
860 list_for_each_entry(chain, &table->chains, list) {
861 if (chain->handle == handle &&
862 nft_active_genmask(chain, genmask))
866 return ERR_PTR(-ENOENT);
869 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
870 const struct nlattr *nla,
873 struct nft_chain *chain;
876 return ERR_PTR(-EINVAL);
878 list_for_each_entry(chain, &table->chains, list) {
879 if (!nla_strcmp(nla, chain->name) &&
880 nft_active_genmask(chain, genmask))
884 return ERR_PTR(-ENOENT);
887 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
888 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
889 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
890 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
891 .len = NFT_CHAIN_MAXNAMELEN - 1 },
892 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
893 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
894 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
895 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
898 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
899 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
900 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
901 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
902 .len = IFNAMSIZ - 1 },
905 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
907 struct nft_stats *cpu_stats, total;
913 memset(&total, 0, sizeof(total));
914 for_each_possible_cpu(cpu) {
915 cpu_stats = per_cpu_ptr(stats, cpu);
917 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
918 pkts = cpu_stats->pkts;
919 bytes = cpu_stats->bytes;
920 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
922 total.bytes += bytes;
924 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
926 goto nla_put_failure;
928 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
930 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
932 goto nla_put_failure;
934 nla_nest_end(skb, nest);
941 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
942 u32 portid, u32 seq, int event, u32 flags,
943 int family, const struct nft_table *table,
944 const struct nft_chain *chain)
946 struct nlmsghdr *nlh;
947 struct nfgenmsg *nfmsg;
949 event |= NFNL_SUBSYS_NFTABLES << 8;
950 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
952 goto nla_put_failure;
954 nfmsg = nlmsg_data(nlh);
955 nfmsg->nfgen_family = family;
956 nfmsg->version = NFNETLINK_V0;
957 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
959 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
960 goto nla_put_failure;
961 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
963 goto nla_put_failure;
964 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
965 goto nla_put_failure;
967 if (chain->flags & NFT_BASE_CHAIN) {
968 const struct nft_base_chain *basechain = nft_base_chain(chain);
969 const struct nf_hook_ops *ops = &basechain->ops[0];
972 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
974 goto nla_put_failure;
975 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
976 goto nla_put_failure;
977 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
978 goto nla_put_failure;
979 if (basechain->dev_name[0] &&
980 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
981 goto nla_put_failure;
982 nla_nest_end(skb, nest);
984 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
985 htonl(basechain->policy)))
986 goto nla_put_failure;
988 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
989 goto nla_put_failure;
991 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
992 goto nla_put_failure;
995 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
996 goto nla_put_failure;
1002 nlmsg_trim(skb, nlh);
1006 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1008 struct sk_buff *skb;
1012 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1016 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1020 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1021 event, 0, ctx->afi->family, ctx->table,
1028 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1029 ctx->report, GFP_KERNEL);
1032 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1038 static int nf_tables_dump_chains(struct sk_buff *skb,
1039 struct netlink_callback *cb)
1041 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1042 const struct nft_af_info *afi;
1043 const struct nft_table *table;
1044 const struct nft_chain *chain;
1045 unsigned int idx = 0, s_idx = cb->args[0];
1046 struct net *net = sock_net(skb->sk);
1047 int family = nfmsg->nfgen_family;
1050 cb->seq = net->nft.base_seq;
1052 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1053 if (family != NFPROTO_UNSPEC && family != afi->family)
1056 list_for_each_entry_rcu(table, &afi->tables, list) {
1057 list_for_each_entry_rcu(chain, &table->chains, list) {
1061 memset(&cb->args[1], 0,
1062 sizeof(cb->args) - sizeof(cb->args[0]));
1063 if (!nft_is_active(net, chain))
1065 if (nf_tables_fill_chain_info(skb, net,
1066 NETLINK_CB(cb->skb).portid,
1070 afi->family, table, chain) < 0)
1073 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1085 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1086 struct sk_buff *skb, const struct nlmsghdr *nlh,
1087 const struct nlattr * const nla[])
1089 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1090 u8 genmask = nft_genmask_cur(net);
1091 const struct nft_af_info *afi;
1092 const struct nft_table *table;
1093 const struct nft_chain *chain;
1094 struct sk_buff *skb2;
1095 int family = nfmsg->nfgen_family;
1098 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1099 struct netlink_dump_control c = {
1100 .dump = nf_tables_dump_chains,
1102 return netlink_dump_start(nlsk, skb, nlh, &c);
1105 afi = nf_tables_afinfo_lookup(net, family, false);
1107 return PTR_ERR(afi);
1109 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1111 return PTR_ERR(table);
1113 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1115 return PTR_ERR(chain);
1117 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1121 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1122 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1123 family, table, chain);
1127 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1134 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1135 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1136 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1139 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1141 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1142 struct nft_stats __percpu *newstats;
1143 struct nft_stats *stats;
1146 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1148 return ERR_PTR(err);
1150 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1151 return ERR_PTR(-EINVAL);
1153 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1154 if (newstats == NULL)
1155 return ERR_PTR(-ENOMEM);
1157 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1158 * are not exposed to userspace.
1161 stats = this_cpu_ptr(newstats);
1162 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1163 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1169 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1170 struct nft_stats __percpu *newstats)
1172 if (newstats == NULL)
1176 struct nft_stats __percpu *oldstats =
1177 nft_dereference(chain->stats);
1179 rcu_assign_pointer(chain->stats, newstats);
1181 free_percpu(oldstats);
1183 rcu_assign_pointer(chain->stats, newstats);
1186 static void nf_tables_chain_destroy(struct nft_chain *chain)
1188 BUG_ON(chain->use > 0);
1190 if (chain->flags & NFT_BASE_CHAIN) {
1191 struct nft_base_chain *basechain = nft_base_chain(chain);
1193 module_put(basechain->type->owner);
1194 free_percpu(basechain->stats);
1195 if (basechain->ops[0].dev != NULL)
1196 dev_put(basechain->ops[0].dev);
1203 struct nft_chain_hook {
1206 const struct nf_chain_type *type;
1207 struct net_device *dev;
1210 static int nft_chain_parse_hook(struct net *net,
1211 const struct nlattr * const nla[],
1212 struct nft_af_info *afi,
1213 struct nft_chain_hook *hook, bool create)
1215 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1216 const struct nf_chain_type *type;
1217 struct net_device *dev;
1220 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1225 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1226 ha[NFTA_HOOK_PRIORITY] == NULL)
1229 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1230 if (hook->num >= afi->nhooks)
1233 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1235 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1236 if (nla[NFTA_CHAIN_TYPE]) {
1237 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1240 return PTR_ERR(type);
1242 if (!(type->hook_mask & (1 << hook->num)))
1244 if (!try_module_get(type->owner))
1250 if (afi->flags & NFT_AF_NEEDS_DEV) {
1251 char ifname[IFNAMSIZ];
1253 if (!ha[NFTA_HOOK_DEV]) {
1254 module_put(type->owner);
1258 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1259 dev = dev_get_by_name(net, ifname);
1261 module_put(type->owner);
1265 } else if (ha[NFTA_HOOK_DEV]) {
1266 module_put(type->owner);
1273 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1275 module_put(hook->type->owner);
1276 if (hook->dev != NULL)
1280 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1281 struct sk_buff *skb, const struct nlmsghdr *nlh,
1282 const struct nlattr * const nla[])
1284 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1285 const struct nlattr * uninitialized_var(name);
1286 struct nft_af_info *afi;
1287 struct nft_table *table;
1288 struct nft_chain *chain;
1289 struct nft_base_chain *basechain = NULL;
1290 u8 genmask = nft_genmask_next(net);
1291 int family = nfmsg->nfgen_family;
1292 u8 policy = NF_ACCEPT;
1295 struct nft_stats __percpu *stats;
1300 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1302 afi = nf_tables_afinfo_lookup(net, family, true);
1304 return PTR_ERR(afi);
1306 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1308 return PTR_ERR(table);
1311 name = nla[NFTA_CHAIN_NAME];
1313 if (nla[NFTA_CHAIN_HANDLE]) {
1314 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1315 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1317 return PTR_ERR(chain);
1319 chain = nf_tables_chain_lookup(table, name, genmask);
1320 if (IS_ERR(chain)) {
1321 if (PTR_ERR(chain) != -ENOENT)
1322 return PTR_ERR(chain);
1327 if (nla[NFTA_CHAIN_POLICY]) {
1328 if ((chain != NULL &&
1329 !(chain->flags & NFT_BASE_CHAIN)))
1332 if (chain == NULL &&
1333 nla[NFTA_CHAIN_HOOK] == NULL)
1336 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1346 if (chain != NULL) {
1347 struct nft_stats *stats = NULL;
1348 struct nft_trans *trans;
1350 if (nlh->nlmsg_flags & NLM_F_EXCL)
1352 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1355 if (nla[NFTA_CHAIN_HOOK]) {
1356 struct nft_base_chain *basechain;
1357 struct nft_chain_hook hook;
1358 struct nf_hook_ops *ops;
1360 if (!(chain->flags & NFT_BASE_CHAIN))
1363 err = nft_chain_parse_hook(net, nla, afi, &hook,
1368 basechain = nft_base_chain(chain);
1369 if (basechain->type != hook.type) {
1370 nft_chain_release_hook(&hook);
1374 for (i = 0; i < afi->nops; i++) {
1375 ops = &basechain->ops[i];
1376 if (ops->hooknum != hook.num ||
1377 ops->priority != hook.priority ||
1378 ops->dev != hook.dev) {
1379 nft_chain_release_hook(&hook);
1383 nft_chain_release_hook(&hook);
1386 if (nla[NFTA_CHAIN_HANDLE] && name) {
1387 struct nft_chain *chain2;
1389 chain2 = nf_tables_chain_lookup(table,
1390 nla[NFTA_CHAIN_NAME],
1393 return PTR_ERR(chain2);
1396 if (nla[NFTA_CHAIN_COUNTERS]) {
1397 if (!(chain->flags & NFT_BASE_CHAIN))
1400 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1402 return PTR_ERR(stats);
1405 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1406 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1407 sizeof(struct nft_trans_chain));
1408 if (trans == NULL) {
1413 nft_trans_chain_stats(trans) = stats;
1414 nft_trans_chain_update(trans) = true;
1416 if (nla[NFTA_CHAIN_POLICY])
1417 nft_trans_chain_policy(trans) = policy;
1419 nft_trans_chain_policy(trans) = -1;
1421 if (nla[NFTA_CHAIN_HANDLE] && name) {
1422 nla_strlcpy(nft_trans_chain_name(trans), name,
1423 NFT_CHAIN_MAXNAMELEN);
1425 list_add_tail(&trans->list, &net->nft.commit_list);
1429 if (table->use == UINT_MAX)
1432 if (nla[NFTA_CHAIN_HOOK]) {
1433 struct nft_chain_hook hook;
1434 struct nf_hook_ops *ops;
1437 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1441 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1442 if (basechain == NULL) {
1443 nft_chain_release_hook(&hook);
1447 if (hook.dev != NULL)
1448 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1450 if (nla[NFTA_CHAIN_COUNTERS]) {
1451 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1452 if (IS_ERR(stats)) {
1453 nft_chain_release_hook(&hook);
1455 return PTR_ERR(stats);
1457 basechain->stats = stats;
1459 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1460 if (stats == NULL) {
1461 nft_chain_release_hook(&hook);
1465 rcu_assign_pointer(basechain->stats, stats);
1468 hookfn = hook.type->hooks[hook.num];
1469 basechain->type = hook.type;
1470 chain = &basechain->chain;
1472 for (i = 0; i < afi->nops; i++) {
1473 ops = &basechain->ops[i];
1475 ops->hooknum = hook.num;
1476 ops->priority = hook.priority;
1478 ops->hook = afi->hooks[ops->hooknum];
1479 ops->dev = hook.dev;
1482 if (afi->hook_ops_init)
1483 afi->hook_ops_init(ops, i);
1486 chain->flags |= NFT_BASE_CHAIN;
1487 basechain->policy = policy;
1489 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1494 INIT_LIST_HEAD(&chain->rules);
1495 chain->handle = nf_tables_alloc_handle(table);
1496 chain->table = table;
1497 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1499 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1503 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1504 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1509 list_add_tail_rcu(&chain->list, &table->chains);
1512 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1514 nf_tables_chain_destroy(chain);
1518 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1519 struct sk_buff *skb, const struct nlmsghdr *nlh,
1520 const struct nlattr * const nla[])
1522 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1523 u8 genmask = nft_genmask_next(net);
1524 struct nft_af_info *afi;
1525 struct nft_table *table;
1526 struct nft_chain *chain;
1527 int family = nfmsg->nfgen_family;
1530 afi = nf_tables_afinfo_lookup(net, family, false);
1532 return PTR_ERR(afi);
1534 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1536 return PTR_ERR(table);
1538 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1540 return PTR_ERR(chain);
1544 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1546 return nft_delchain(&ctx);
1554 * nft_register_expr - register nf_tables expr type
1557 * Registers the expr type for use with nf_tables. Returns zero on
1558 * success or a negative errno code otherwise.
1560 int nft_register_expr(struct nft_expr_type *type)
1562 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1563 if (type->family == NFPROTO_UNSPEC)
1564 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1566 list_add_rcu(&type->list, &nf_tables_expressions);
1567 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1570 EXPORT_SYMBOL_GPL(nft_register_expr);
1573 * nft_unregister_expr - unregister nf_tables expr type
1576 * Unregisters the expr typefor use with nf_tables.
1578 void nft_unregister_expr(struct nft_expr_type *type)
1580 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1581 list_del_rcu(&type->list);
1582 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1584 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1586 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1589 const struct nft_expr_type *type;
1591 list_for_each_entry(type, &nf_tables_expressions, list) {
1592 if (!nla_strcmp(nla, type->name) &&
1593 (!type->family || type->family == family))
1599 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1602 const struct nft_expr_type *type;
1605 return ERR_PTR(-EINVAL);
1607 type = __nft_expr_type_get(family, nla);
1608 if (type != NULL && try_module_get(type->owner))
1611 #ifdef CONFIG_MODULES
1613 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1614 request_module("nft-expr-%u-%.*s", family,
1615 nla_len(nla), (char *)nla_data(nla));
1616 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1617 if (__nft_expr_type_get(family, nla))
1618 return ERR_PTR(-EAGAIN);
1620 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1621 request_module("nft-expr-%.*s",
1622 nla_len(nla), (char *)nla_data(nla));
1623 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1624 if (__nft_expr_type_get(family, nla))
1625 return ERR_PTR(-EAGAIN);
1628 return ERR_PTR(-ENOENT);
1631 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1632 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1633 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1636 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1637 const struct nft_expr *expr)
1639 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1640 goto nla_put_failure;
1642 if (expr->ops->dump) {
1643 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1645 goto nla_put_failure;
1646 if (expr->ops->dump(skb, expr) < 0)
1647 goto nla_put_failure;
1648 nla_nest_end(skb, data);
1657 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1658 const struct nft_expr *expr)
1660 struct nlattr *nest;
1662 nest = nla_nest_start(skb, attr);
1664 goto nla_put_failure;
1665 if (nf_tables_fill_expr_info(skb, expr) < 0)
1666 goto nla_put_failure;
1667 nla_nest_end(skb, nest);
1674 struct nft_expr_info {
1675 const struct nft_expr_ops *ops;
1676 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1679 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1680 const struct nlattr *nla,
1681 struct nft_expr_info *info)
1683 const struct nft_expr_type *type;
1684 const struct nft_expr_ops *ops;
1685 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1688 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1692 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1694 return PTR_ERR(type);
1696 if (tb[NFTA_EXPR_DATA]) {
1697 err = nla_parse_nested(info->tb, type->maxattr,
1698 tb[NFTA_EXPR_DATA], type->policy);
1702 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1704 if (type->select_ops != NULL) {
1705 ops = type->select_ops(ctx,
1706 (const struct nlattr * const *)info->tb);
1718 module_put(type->owner);
1722 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1723 const struct nft_expr_info *info,
1724 struct nft_expr *expr)
1726 const struct nft_expr_ops *ops = info->ops;
1731 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1743 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1744 struct nft_expr *expr)
1746 if (expr->ops->destroy)
1747 expr->ops->destroy(ctx, expr);
1748 module_put(expr->ops->type->owner);
1751 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1752 const struct nlattr *nla)
1754 struct nft_expr_info info;
1755 struct nft_expr *expr;
1758 err = nf_tables_expr_parse(ctx, nla, &info);
1760 goto err_expr_parse;
1763 if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
1764 goto err_expr_stateful;
1767 expr = kzalloc(info.ops->size, GFP_KERNEL);
1769 goto err_expr_stateful;
1771 err = nf_tables_newexpr(ctx, &info, expr);
1779 module_put(info.ops->type->owner);
1781 return ERR_PTR(err);
1784 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1786 nf_tables_expr_destroy(ctx, expr);
1794 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1797 struct nft_rule *rule;
1799 // FIXME: this sucks
1800 list_for_each_entry(rule, &chain->rules, list) {
1801 if (handle == rule->handle)
1805 return ERR_PTR(-ENOENT);
1808 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1809 const struct nlattr *nla)
1812 return ERR_PTR(-EINVAL);
1814 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1817 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1818 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1819 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1820 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1821 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1822 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1823 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1824 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1825 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1826 .len = NFT_USERDATA_MAXLEN },
1829 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1830 u32 portid, u32 seq, int event,
1831 u32 flags, int family,
1832 const struct nft_table *table,
1833 const struct nft_chain *chain,
1834 const struct nft_rule *rule)
1836 struct nlmsghdr *nlh;
1837 struct nfgenmsg *nfmsg;
1838 const struct nft_expr *expr, *next;
1839 struct nlattr *list;
1840 const struct nft_rule *prule;
1841 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1843 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1846 goto nla_put_failure;
1848 nfmsg = nlmsg_data(nlh);
1849 nfmsg->nfgen_family = family;
1850 nfmsg->version = NFNETLINK_V0;
1851 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1853 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1854 goto nla_put_failure;
1855 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1856 goto nla_put_failure;
1857 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1859 goto nla_put_failure;
1861 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1862 prule = list_entry(rule->list.prev, struct nft_rule, list);
1863 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1864 cpu_to_be64(prule->handle),
1866 goto nla_put_failure;
1869 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1871 goto nla_put_failure;
1872 nft_rule_for_each_expr(expr, next, rule) {
1873 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1874 goto nla_put_failure;
1876 nla_nest_end(skb, list);
1879 struct nft_userdata *udata = nft_userdata(rule);
1880 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1882 goto nla_put_failure;
1885 nlmsg_end(skb, nlh);
1889 nlmsg_trim(skb, nlh);
1893 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1894 const struct nft_rule *rule,
1897 struct sk_buff *skb;
1901 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1905 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1909 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1910 event, 0, ctx->afi->family, ctx->table,
1917 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1918 ctx->report, GFP_KERNEL);
1921 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1927 struct nft_rule_dump_ctx {
1928 char table[NFT_TABLE_MAXNAMELEN];
1929 char chain[NFT_CHAIN_MAXNAMELEN];
1932 static int nf_tables_dump_rules(struct sk_buff *skb,
1933 struct netlink_callback *cb)
1935 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1936 const struct nft_rule_dump_ctx *ctx = cb->data;
1937 const struct nft_af_info *afi;
1938 const struct nft_table *table;
1939 const struct nft_chain *chain;
1940 const struct nft_rule *rule;
1941 unsigned int idx = 0, s_idx = cb->args[0];
1942 struct net *net = sock_net(skb->sk);
1943 int family = nfmsg->nfgen_family;
1946 cb->seq = net->nft.base_seq;
1948 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1949 if (family != NFPROTO_UNSPEC && family != afi->family)
1952 list_for_each_entry_rcu(table, &afi->tables, list) {
1953 if (ctx && ctx->table[0] &&
1954 strcmp(ctx->table, table->name) != 0)
1957 list_for_each_entry_rcu(chain, &table->chains, list) {
1958 if (ctx && ctx->chain[0] &&
1959 strcmp(ctx->chain, chain->name) != 0)
1962 list_for_each_entry_rcu(rule, &chain->rules, list) {
1963 if (!nft_is_active(net, rule))
1968 memset(&cb->args[1], 0,
1969 sizeof(cb->args) - sizeof(cb->args[0]));
1970 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1973 NLM_F_MULTI | NLM_F_APPEND,
1974 afi->family, table, chain, rule) < 0)
1977 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1991 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
1997 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
1998 struct sk_buff *skb, const struct nlmsghdr *nlh,
1999 const struct nlattr * const nla[])
2001 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2002 u8 genmask = nft_genmask_cur(net);
2003 const struct nft_af_info *afi;
2004 const struct nft_table *table;
2005 const struct nft_chain *chain;
2006 const struct nft_rule *rule;
2007 struct sk_buff *skb2;
2008 int family = nfmsg->nfgen_family;
2011 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2012 struct netlink_dump_control c = {
2013 .dump = nf_tables_dump_rules,
2014 .done = nf_tables_dump_rules_done,
2017 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2018 struct nft_rule_dump_ctx *ctx;
2020 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2024 if (nla[NFTA_RULE_TABLE])
2025 nla_strlcpy(ctx->table, nla[NFTA_RULE_TABLE],
2026 sizeof(ctx->table));
2027 if (nla[NFTA_RULE_CHAIN])
2028 nla_strlcpy(ctx->chain, nla[NFTA_RULE_CHAIN],
2029 sizeof(ctx->chain));
2033 return netlink_dump_start(nlsk, skb, nlh, &c);
2036 afi = nf_tables_afinfo_lookup(net, family, false);
2038 return PTR_ERR(afi);
2040 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2042 return PTR_ERR(table);
2044 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2046 return PTR_ERR(chain);
2048 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2050 return PTR_ERR(rule);
2052 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2056 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2057 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2058 family, table, chain, rule);
2062 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2069 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2070 struct nft_rule *rule)
2072 struct nft_expr *expr;
2075 * Careful: some expressions might not be initialized in case this
2076 * is called on error from nf_tables_newrule().
2078 expr = nft_expr_first(rule);
2079 while (expr != nft_expr_last(rule) && expr->ops) {
2080 nf_tables_expr_destroy(ctx, expr);
2081 expr = nft_expr_next(expr);
2086 #define NFT_RULE_MAXEXPRS 128
2088 static struct nft_expr_info *info;
2090 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2091 struct sk_buff *skb, const struct nlmsghdr *nlh,
2092 const struct nlattr * const nla[])
2094 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2095 u8 genmask = nft_genmask_next(net);
2096 struct nft_af_info *afi;
2097 struct nft_table *table;
2098 struct nft_chain *chain;
2099 struct nft_rule *rule, *old_rule = NULL;
2100 struct nft_userdata *udata;
2101 struct nft_trans *trans = NULL;
2102 struct nft_expr *expr;
2105 unsigned int size, i, n, ulen = 0, usize = 0;
2108 u64 handle, pos_handle;
2110 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2112 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2114 return PTR_ERR(afi);
2116 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2118 return PTR_ERR(table);
2120 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2122 return PTR_ERR(chain);
2124 if (nla[NFTA_RULE_HANDLE]) {
2125 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2126 rule = __nf_tables_rule_lookup(chain, handle);
2128 return PTR_ERR(rule);
2130 if (nlh->nlmsg_flags & NLM_F_EXCL)
2132 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2137 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2139 handle = nf_tables_alloc_handle(table);
2141 if (chain->use == UINT_MAX)
2145 if (nla[NFTA_RULE_POSITION]) {
2146 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2149 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2150 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2151 if (IS_ERR(old_rule))
2152 return PTR_ERR(old_rule);
2155 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2159 if (nla[NFTA_RULE_EXPRESSIONS]) {
2160 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2162 if (nla_type(tmp) != NFTA_LIST_ELEM)
2164 if (n == NFT_RULE_MAXEXPRS)
2166 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2169 size += info[n].ops->size;
2173 /* Check for overflow of dlen field */
2175 if (size >= 1 << 12)
2178 if (nla[NFTA_RULE_USERDATA]) {
2179 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2181 usize = sizeof(struct nft_userdata) + ulen;
2185 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2189 nft_activate_next(net, rule);
2191 rule->handle = handle;
2193 rule->udata = ulen ? 1 : 0;
2196 udata = nft_userdata(rule);
2197 udata->len = ulen - 1;
2198 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2201 expr = nft_expr_first(rule);
2202 for (i = 0; i < n; i++) {
2203 err = nf_tables_newexpr(&ctx, &info[i], expr);
2207 expr = nft_expr_next(expr);
2210 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2211 if (!nft_is_active_next(net, old_rule)) {
2215 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2217 if (trans == NULL) {
2221 nft_deactivate_next(net, old_rule);
2224 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2229 list_add_tail_rcu(&rule->list, &old_rule->list);
2231 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2236 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2238 list_add_rcu(&rule->list, &old_rule->list);
2240 list_add_tail_rcu(&rule->list, &chain->rules);
2243 list_add_tail_rcu(&rule->list, &old_rule->list);
2245 list_add_rcu(&rule->list, &chain->rules);
2252 nf_tables_rule_destroy(&ctx, rule);
2254 for (i = 0; i < n; i++) {
2255 if (info[i].ops != NULL)
2256 module_put(info[i].ops->type->owner);
2261 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2262 struct sk_buff *skb, const struct nlmsghdr *nlh,
2263 const struct nlattr * const nla[])
2265 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2266 u8 genmask = nft_genmask_next(net);
2267 struct nft_af_info *afi;
2268 struct nft_table *table;
2269 struct nft_chain *chain = NULL;
2270 struct nft_rule *rule;
2271 int family = nfmsg->nfgen_family, err = 0;
2274 afi = nf_tables_afinfo_lookup(net, family, false);
2276 return PTR_ERR(afi);
2278 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2280 return PTR_ERR(table);
2282 if (nla[NFTA_RULE_CHAIN]) {
2283 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2286 return PTR_ERR(chain);
2289 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2292 if (nla[NFTA_RULE_HANDLE]) {
2293 rule = nf_tables_rule_lookup(chain,
2294 nla[NFTA_RULE_HANDLE]);
2296 return PTR_ERR(rule);
2298 err = nft_delrule(&ctx, rule);
2300 err = nft_delrule_by_chain(&ctx);
2303 list_for_each_entry(chain, &table->chains, list) {
2304 if (!nft_is_active_next(net, chain))
2308 err = nft_delrule_by_chain(&ctx);
2321 static LIST_HEAD(nf_tables_set_ops);
2323 int nft_register_set(struct nft_set_ops *ops)
2325 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2326 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2327 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2330 EXPORT_SYMBOL_GPL(nft_register_set);
2332 void nft_unregister_set(struct nft_set_ops *ops)
2334 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2335 list_del_rcu(&ops->list);
2336 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2338 EXPORT_SYMBOL_GPL(nft_unregister_set);
2341 * Select a set implementation based on the data characteristics and the
2342 * given policy. The total memory use might not be known if no size is
2343 * given, in that case the amount of memory per element is used.
2345 static const struct nft_set_ops *
2346 nft_select_set_ops(const struct nlattr * const nla[],
2347 const struct nft_set_desc *desc,
2348 enum nft_set_policies policy)
2350 const struct nft_set_ops *ops, *bops;
2351 struct nft_set_estimate est, best;
2354 #ifdef CONFIG_MODULES
2355 if (list_empty(&nf_tables_set_ops)) {
2356 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2357 request_module("nft-set");
2358 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2359 if (!list_empty(&nf_tables_set_ops))
2360 return ERR_PTR(-EAGAIN);
2364 if (nla[NFTA_SET_FLAGS] != NULL) {
2365 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2366 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2373 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2374 if ((ops->features & features) != features)
2376 if (!ops->estimate(desc, features, &est))
2380 case NFT_SET_POL_PERFORMANCE:
2381 if (est.class < best.class)
2383 if (est.class == best.class && est.size < best.size)
2386 case NFT_SET_POL_MEMORY:
2387 if (est.size < best.size)
2389 if (est.size == best.size && est.class < best.class)
2396 if (!try_module_get(ops->owner))
2399 module_put(bops->owner);
2408 return ERR_PTR(-EOPNOTSUPP);
2411 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2412 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2413 [NFTA_SET_NAME] = { .type = NLA_STRING,
2414 .len = NFT_SET_MAXNAMELEN - 1 },
2415 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2416 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2417 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2418 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2419 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2420 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2421 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2422 [NFTA_SET_ID] = { .type = NLA_U32 },
2423 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2424 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2425 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2426 .len = NFT_USERDATA_MAXLEN },
2429 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2430 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2433 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2434 const struct sk_buff *skb,
2435 const struct nlmsghdr *nlh,
2436 const struct nlattr * const nla[],
2439 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2440 struct nft_af_info *afi = NULL;
2441 struct nft_table *table = NULL;
2443 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2444 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2446 return PTR_ERR(afi);
2449 if (nla[NFTA_SET_TABLE] != NULL) {
2451 return -EAFNOSUPPORT;
2453 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2456 return PTR_ERR(table);
2459 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2463 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2464 const struct nlattr *nla, u8 genmask)
2466 struct nft_set *set;
2469 return ERR_PTR(-EINVAL);
2471 list_for_each_entry(set, &table->sets, list) {
2472 if (!nla_strcmp(nla, set->name) &&
2473 nft_active_genmask(set, genmask))
2476 return ERR_PTR(-ENOENT);
2479 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2480 const struct nlattr *nla,
2483 struct nft_trans *trans;
2484 u32 id = ntohl(nla_get_be32(nla));
2486 list_for_each_entry(trans, &net->nft.commit_list, list) {
2487 if (trans->msg_type == NFT_MSG_NEWSET) {
2488 struct nft_set *set = nft_trans_set(trans);
2490 if (id == nft_trans_set_id(trans) &&
2491 nft_active_genmask(set, genmask))
2495 return ERR_PTR(-ENOENT);
2498 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2501 const struct nft_set *i;
2503 unsigned long *inuse;
2504 unsigned int n = 0, min = 0;
2506 p = strnchr(name, NFT_SET_MAXNAMELEN, '%');
2508 if (p[1] != 'd' || strchr(p + 2, '%'))
2511 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2515 list_for_each_entry(i, &ctx->table->sets, list) {
2518 if (!nft_is_active_next(ctx->net, i))
2520 if (!sscanf(i->name, name, &tmp))
2522 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2525 set_bit(tmp - min, inuse);
2528 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2529 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2530 min += BITS_PER_BYTE * PAGE_SIZE;
2531 memset(inuse, 0, PAGE_SIZE);
2534 free_page((unsigned long)inuse);
2537 snprintf(set->name, sizeof(set->name), name, min + n);
2538 list_for_each_entry(i, &ctx->table->sets, list) {
2539 if (!nft_is_active_next(ctx->net, i))
2541 if (!strcmp(set->name, i->name))
2547 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2548 const struct nft_set *set, u16 event, u16 flags)
2550 struct nfgenmsg *nfmsg;
2551 struct nlmsghdr *nlh;
2552 struct nlattr *desc;
2553 u32 portid = ctx->portid;
2556 event |= NFNL_SUBSYS_NFTABLES << 8;
2557 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2560 goto nla_put_failure;
2562 nfmsg = nlmsg_data(nlh);
2563 nfmsg->nfgen_family = ctx->afi->family;
2564 nfmsg->version = NFNETLINK_V0;
2565 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2567 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2568 goto nla_put_failure;
2569 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2570 goto nla_put_failure;
2571 if (set->flags != 0)
2572 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2573 goto nla_put_failure;
2575 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2576 goto nla_put_failure;
2577 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2578 goto nla_put_failure;
2579 if (set->flags & NFT_SET_MAP) {
2580 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2581 goto nla_put_failure;
2582 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2583 goto nla_put_failure;
2587 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2588 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2590 goto nla_put_failure;
2592 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2593 goto nla_put_failure;
2595 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2596 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2597 goto nla_put_failure;
2601 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2602 goto nla_put_failure;
2604 desc = nla_nest_start(skb, NFTA_SET_DESC);
2606 goto nla_put_failure;
2608 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2609 goto nla_put_failure;
2610 nla_nest_end(skb, desc);
2612 nlmsg_end(skb, nlh);
2616 nlmsg_trim(skb, nlh);
2620 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2621 const struct nft_set *set,
2622 int event, gfp_t gfp_flags)
2624 struct sk_buff *skb;
2625 u32 portid = ctx->portid;
2629 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2633 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2637 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2643 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2644 ctx->report, gfp_flags);
2647 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2651 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2653 const struct nft_set *set;
2654 unsigned int idx, s_idx = cb->args[0];
2655 struct nft_af_info *afi;
2656 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2657 struct net *net = sock_net(skb->sk);
2658 int cur_family = cb->args[3];
2659 struct nft_ctx *ctx = cb->data, ctx_set;
2665 cb->seq = net->nft.base_seq;
2667 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2668 if (ctx->afi && ctx->afi != afi)
2672 if (afi->family != cur_family)
2677 list_for_each_entry_rcu(table, &afi->tables, list) {
2678 if (ctx->table && ctx->table != table)
2682 if (cur_table != table)
2688 list_for_each_entry_rcu(set, &table->sets, list) {
2691 if (!nft_is_active(net, set))
2695 ctx_set.table = table;
2697 if (nf_tables_fill_set(skb, &ctx_set, set,
2701 cb->args[2] = (unsigned long) table;
2702 cb->args[3] = afi->family;
2705 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2719 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2725 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2726 struct sk_buff *skb, const struct nlmsghdr *nlh,
2727 const struct nlattr * const nla[])
2729 u8 genmask = nft_genmask_cur(net);
2730 const struct nft_set *set;
2732 struct sk_buff *skb2;
2733 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2736 /* Verify existence before starting dump */
2737 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2741 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2742 struct netlink_dump_control c = {
2743 .dump = nf_tables_dump_sets,
2744 .done = nf_tables_dump_sets_done,
2746 struct nft_ctx *ctx_dump;
2748 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2749 if (ctx_dump == NULL)
2755 return netlink_dump_start(nlsk, skb, nlh, &c);
2758 /* Only accept unspec with dump */
2759 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2760 return -EAFNOSUPPORT;
2761 if (!nla[NFTA_SET_TABLE])
2764 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2766 return PTR_ERR(set);
2768 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2772 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2776 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2783 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2784 struct nft_set_desc *desc,
2785 const struct nlattr *nla)
2787 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2790 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2794 if (da[NFTA_SET_DESC_SIZE] != NULL)
2795 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2800 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2801 struct sk_buff *skb, const struct nlmsghdr *nlh,
2802 const struct nlattr * const nla[])
2804 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2805 u8 genmask = nft_genmask_next(net);
2806 const struct nft_set_ops *ops;
2807 struct nft_af_info *afi;
2808 struct nft_table *table;
2809 struct nft_set *set;
2811 char name[NFT_SET_MAXNAMELEN];
2815 u32 ktype, dtype, flags, policy, gc_int;
2816 struct nft_set_desc desc;
2817 unsigned char *udata;
2821 if (nla[NFTA_SET_TABLE] == NULL ||
2822 nla[NFTA_SET_NAME] == NULL ||
2823 nla[NFTA_SET_KEY_LEN] == NULL ||
2824 nla[NFTA_SET_ID] == NULL)
2827 memset(&desc, 0, sizeof(desc));
2829 ktype = NFT_DATA_VALUE;
2830 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2831 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2832 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2836 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2837 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2841 if (nla[NFTA_SET_FLAGS] != NULL) {
2842 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2843 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2844 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2845 NFT_SET_MAP | NFT_SET_EVAL))
2847 /* Only one of both operations is supported */
2848 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2849 (NFT_SET_MAP | NFT_SET_EVAL))
2854 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2855 if (!(flags & NFT_SET_MAP))
2858 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2859 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2860 dtype != NFT_DATA_VERDICT)
2863 if (dtype != NFT_DATA_VERDICT) {
2864 if (nla[NFTA_SET_DATA_LEN] == NULL)
2866 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2867 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2870 desc.dlen = sizeof(struct nft_verdict);
2871 } else if (flags & NFT_SET_MAP)
2875 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2876 if (!(flags & NFT_SET_TIMEOUT))
2878 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
2879 nla[NFTA_SET_TIMEOUT])));
2882 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2883 if (!(flags & NFT_SET_TIMEOUT))
2885 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2888 policy = NFT_SET_POL_PERFORMANCE;
2889 if (nla[NFTA_SET_POLICY] != NULL)
2890 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2892 if (nla[NFTA_SET_DESC] != NULL) {
2893 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2898 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2900 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2902 return PTR_ERR(afi);
2904 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
2906 return PTR_ERR(table);
2908 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2910 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
2912 if (PTR_ERR(set) != -ENOENT)
2913 return PTR_ERR(set);
2918 if (nlh->nlmsg_flags & NLM_F_EXCL)
2920 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2925 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2928 ops = nft_select_set_ops(nla, &desc, policy);
2930 return PTR_ERR(ops);
2933 if (nla[NFTA_SET_USERDATA])
2934 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2937 if (ops->privsize != NULL)
2938 size = ops->privsize(nla);
2941 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2945 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2946 err = nf_tables_set_alloc_name(&ctx, set, name);
2952 udata = set->data + size;
2953 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2956 INIT_LIST_HEAD(&set->bindings);
2959 set->klen = desc.klen;
2961 set->dlen = desc.dlen;
2963 set->size = desc.size;
2964 set->policy = policy;
2967 set->timeout = timeout;
2968 set->gc_int = gc_int;
2970 err = ops->init(set, &desc, nla);
2974 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2978 list_add_tail_rcu(&set->list, &table->sets);
2987 module_put(ops->owner);
2991 static void nft_set_destroy(struct nft_set *set)
2993 set->ops->destroy(set);
2994 module_put(set->ops->owner);
2998 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3000 list_del_rcu(&set->list);
3001 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3002 nft_set_destroy(set);
3005 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3006 struct sk_buff *skb, const struct nlmsghdr *nlh,
3007 const struct nlattr * const nla[])
3009 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3010 u8 genmask = nft_genmask_next(net);
3011 struct nft_set *set;
3015 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3016 return -EAFNOSUPPORT;
3017 if (nla[NFTA_SET_TABLE] == NULL)
3020 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3024 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3026 return PTR_ERR(set);
3027 if (!list_empty(&set->bindings))
3030 return nft_delset(&ctx, set);
3033 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3034 const struct nft_set *set,
3035 const struct nft_set_iter *iter,
3036 const struct nft_set_elem *elem)
3038 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3039 enum nft_registers dreg;
3041 dreg = nft_type_to_reg(set->dtype);
3042 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3043 set->dtype == NFT_DATA_VERDICT ?
3044 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3048 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3049 struct nft_set_binding *binding)
3051 struct nft_set_binding *i;
3052 struct nft_set_iter iter;
3054 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3057 if (binding->flags & NFT_SET_MAP) {
3058 /* If the set is already bound to the same chain all
3059 * jumps are already validated for that chain.
3061 list_for_each_entry(i, &set->bindings, list) {
3062 if (i->flags & NFT_SET_MAP &&
3063 i->chain == binding->chain)
3067 iter.genmask = nft_genmask_next(ctx->net);
3071 iter.fn = nf_tables_bind_check_setelem;
3073 set->ops->walk(ctx, set, &iter);
3078 binding->chain = ctx->chain;
3079 list_add_tail_rcu(&binding->list, &set->bindings);
3083 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3084 struct nft_set_binding *binding)
3086 list_del_rcu(&binding->list);
3088 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3089 nft_is_active(ctx->net, set))
3090 nf_tables_set_destroy(ctx, set);
3093 const struct nft_set_ext_type nft_set_ext_types[] = {
3094 [NFT_SET_EXT_KEY] = {
3095 .align = __alignof__(u32),
3097 [NFT_SET_EXT_DATA] = {
3098 .align = __alignof__(u32),
3100 [NFT_SET_EXT_EXPR] = {
3101 .align = __alignof__(struct nft_expr),
3103 [NFT_SET_EXT_FLAGS] = {
3105 .align = __alignof__(u8),
3107 [NFT_SET_EXT_TIMEOUT] = {
3109 .align = __alignof__(u64),
3111 [NFT_SET_EXT_EXPIRATION] = {
3112 .len = sizeof(unsigned long),
3113 .align = __alignof__(unsigned long),
3115 [NFT_SET_EXT_USERDATA] = {
3116 .len = sizeof(struct nft_userdata),
3117 .align = __alignof__(struct nft_userdata),
3120 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3126 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3127 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3128 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3129 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3130 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3131 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3132 .len = NFT_USERDATA_MAXLEN },
3135 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3136 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3137 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3138 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3139 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3142 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3143 const struct sk_buff *skb,
3144 const struct nlmsghdr *nlh,
3145 const struct nlattr * const nla[],
3148 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3149 struct nft_af_info *afi;
3150 struct nft_table *table;
3152 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3154 return PTR_ERR(afi);
3156 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3159 return PTR_ERR(table);
3161 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3165 static int nf_tables_fill_setelem(struct sk_buff *skb,
3166 const struct nft_set *set,
3167 const struct nft_set_elem *elem)
3169 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3170 unsigned char *b = skb_tail_pointer(skb);
3171 struct nlattr *nest;
3173 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3175 goto nla_put_failure;
3177 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3178 NFT_DATA_VALUE, set->klen) < 0)
3179 goto nla_put_failure;
3181 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3182 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3183 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3185 goto nla_put_failure;
3187 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3188 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3189 goto nla_put_failure;
3191 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3192 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3193 htonl(*nft_set_ext_flags(ext))))
3194 goto nla_put_failure;
3196 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3197 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3198 cpu_to_be64(jiffies_to_msecs(
3199 *nft_set_ext_timeout(ext))),
3201 goto nla_put_failure;
3203 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3204 unsigned long expires, now = jiffies;
3206 expires = *nft_set_ext_expiration(ext);
3207 if (time_before(now, expires))
3212 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3213 cpu_to_be64(jiffies_to_msecs(expires)),
3215 goto nla_put_failure;
3218 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3219 struct nft_userdata *udata;
3221 udata = nft_set_ext_userdata(ext);
3222 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3223 udata->len + 1, udata->data))
3224 goto nla_put_failure;
3227 nla_nest_end(skb, nest);
3235 struct nft_set_dump_args {
3236 const struct netlink_callback *cb;
3237 struct nft_set_iter iter;
3238 struct sk_buff *skb;
3241 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3242 const struct nft_set *set,
3243 const struct nft_set_iter *iter,
3244 const struct nft_set_elem *elem)
3246 struct nft_set_dump_args *args;
3248 args = container_of(iter, struct nft_set_dump_args, iter);
3249 return nf_tables_fill_setelem(args->skb, set, elem);
3252 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3254 struct net *net = sock_net(skb->sk);
3255 u8 genmask = nft_genmask_cur(net);
3256 const struct nft_set *set;
3257 struct nft_set_dump_args args;
3259 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3260 struct nfgenmsg *nfmsg;
3261 struct nlmsghdr *nlh;
3262 struct nlattr *nest;
3266 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3267 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3271 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3272 (void *)nla, genmask);
3276 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3279 return PTR_ERR(set);
3281 event = NFT_MSG_NEWSETELEM;
3282 event |= NFNL_SUBSYS_NFTABLES << 8;
3283 portid = NETLINK_CB(cb->skb).portid;
3284 seq = cb->nlh->nlmsg_seq;
3286 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3289 goto nla_put_failure;
3291 nfmsg = nlmsg_data(nlh);
3292 nfmsg->nfgen_family = ctx.afi->family;
3293 nfmsg->version = NFNETLINK_V0;
3294 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3296 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3297 goto nla_put_failure;
3298 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3299 goto nla_put_failure;
3301 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3303 goto nla_put_failure;
3307 args.iter.genmask = nft_genmask_cur(ctx.net);
3308 args.iter.skip = cb->args[0];
3309 args.iter.count = 0;
3311 args.iter.fn = nf_tables_dump_setelem;
3312 set->ops->walk(&ctx, set, &args.iter);
3314 nla_nest_end(skb, nest);
3315 nlmsg_end(skb, nlh);
3317 if (args.iter.err && args.iter.err != -EMSGSIZE)
3318 return args.iter.err;
3319 if (args.iter.count == cb->args[0])
3322 cb->args[0] = args.iter.count;
3329 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3330 struct sk_buff *skb, const struct nlmsghdr *nlh,
3331 const struct nlattr * const nla[])
3333 u8 genmask = nft_genmask_cur(net);
3334 const struct nft_set *set;
3338 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3342 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3345 return PTR_ERR(set);
3347 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3348 struct netlink_dump_control c = {
3349 .dump = nf_tables_dump_set,
3351 return netlink_dump_start(nlsk, skb, nlh, &c);
3356 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3357 const struct nft_ctx *ctx, u32 seq,
3358 u32 portid, int event, u16 flags,
3359 const struct nft_set *set,
3360 const struct nft_set_elem *elem)
3362 struct nfgenmsg *nfmsg;
3363 struct nlmsghdr *nlh;
3364 struct nlattr *nest;
3367 event |= NFNL_SUBSYS_NFTABLES << 8;
3368 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3371 goto nla_put_failure;
3373 nfmsg = nlmsg_data(nlh);
3374 nfmsg->nfgen_family = ctx->afi->family;
3375 nfmsg->version = NFNETLINK_V0;
3376 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3378 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3379 goto nla_put_failure;
3380 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3381 goto nla_put_failure;
3383 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3385 goto nla_put_failure;
3387 err = nf_tables_fill_setelem(skb, set, elem);
3389 goto nla_put_failure;
3391 nla_nest_end(skb, nest);
3393 nlmsg_end(skb, nlh);
3397 nlmsg_trim(skb, nlh);
3401 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3402 const struct nft_set *set,
3403 const struct nft_set_elem *elem,
3404 int event, u16 flags)
3406 struct net *net = ctx->net;
3407 u32 portid = ctx->portid;
3408 struct sk_buff *skb;
3411 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3415 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3419 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3426 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3430 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3434 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3436 struct nft_set *set)
3438 struct nft_trans *trans;
3440 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3444 nft_trans_elem_set(trans) = set;
3448 void *nft_set_elem_init(const struct nft_set *set,
3449 const struct nft_set_ext_tmpl *tmpl,
3450 const u32 *key, const u32 *data,
3451 u64 timeout, gfp_t gfp)
3453 struct nft_set_ext *ext;
3456 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3460 ext = nft_set_elem_ext(set, elem);
3461 nft_set_ext_init(ext, tmpl);
3463 memcpy(nft_set_ext_key(ext), key, set->klen);
3464 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3465 memcpy(nft_set_ext_data(ext), data, set->dlen);
3466 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3467 *nft_set_ext_expiration(ext) =
3469 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3470 *nft_set_ext_timeout(ext) = timeout;
3475 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3478 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3480 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3481 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3482 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3483 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3484 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3488 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3490 static int nft_setelem_parse_flags(const struct nft_set *set,
3491 const struct nlattr *attr, u32 *flags)
3496 *flags = ntohl(nla_get_be32(attr));
3497 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3499 if (!(set->flags & NFT_SET_INTERVAL) &&
3500 *flags & NFT_SET_ELEM_INTERVAL_END)
3506 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3507 const struct nlattr *attr, u32 nlmsg_flags)
3509 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3510 struct nft_data_desc d1, d2;
3511 struct nft_set_ext_tmpl tmpl;
3512 struct nft_set_ext *ext, *ext2;
3513 struct nft_set_elem elem;
3514 struct nft_set_binding *binding;
3515 struct nft_userdata *udata;
3516 struct nft_data data;
3517 enum nft_registers dreg;
3518 struct nft_trans *trans;
3524 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3525 nft_set_elem_policy);
3529 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3532 nft_set_ext_prepare(&tmpl);
3534 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3538 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3540 if (set->flags & NFT_SET_MAP) {
3541 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3542 !(flags & NFT_SET_ELEM_INTERVAL_END))
3544 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3545 flags & NFT_SET_ELEM_INTERVAL_END)
3548 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3553 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3554 if (!(set->flags & NFT_SET_TIMEOUT))
3556 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3557 nla[NFTA_SET_ELEM_TIMEOUT])));
3558 } else if (set->flags & NFT_SET_TIMEOUT) {
3559 timeout = set->timeout;
3562 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3563 nla[NFTA_SET_ELEM_KEY]);
3567 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3570 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3572 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3573 if (timeout != set->timeout)
3574 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3577 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3578 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3579 nla[NFTA_SET_ELEM_DATA]);
3584 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3587 dreg = nft_type_to_reg(set->dtype);
3588 list_for_each_entry(binding, &set->bindings, list) {
3589 struct nft_ctx bind_ctx = {
3592 .table = ctx->table,
3593 .chain = (struct nft_chain *)binding->chain,
3596 if (!(binding->flags & NFT_SET_MAP))
3599 err = nft_validate_register_store(&bind_ctx, dreg,
3606 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3609 /* The full maximum length of userdata can exceed the maximum
3610 * offset value (U8_MAX) for following extensions, therefor it
3611 * must be the last extension added.
3614 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3615 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3617 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3622 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3623 timeout, GFP_KERNEL);
3624 if (elem.priv == NULL)
3627 ext = nft_set_elem_ext(set, elem.priv);
3629 *nft_set_ext_flags(ext) = flags;
3631 udata = nft_set_ext_userdata(ext);
3632 udata->len = ulen - 1;
3633 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3636 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3640 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3641 err = set->ops->insert(ctx->net, set, &elem, &ext2);
3643 if (err == -EEXIST) {
3644 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3645 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
3646 memcmp(nft_set_ext_data(ext),
3647 nft_set_ext_data(ext2), set->dlen) != 0)
3649 else if (!(nlmsg_flags & NLM_F_EXCL))
3656 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
3661 nft_trans_elem(trans) = elem;
3662 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3666 set->ops->remove(set, &elem);
3672 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3673 nft_data_uninit(&data, d2.type);
3675 nft_data_uninit(&elem.key.val, d1.type);
3680 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3681 struct sk_buff *skb, const struct nlmsghdr *nlh,
3682 const struct nlattr * const nla[])
3684 u8 genmask = nft_genmask_next(net);
3685 const struct nlattr *attr;
3686 struct nft_set *set;
3690 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3693 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3697 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3700 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3701 set = nf_tables_set_lookup_byid(net,
3702 nla[NFTA_SET_ELEM_LIST_SET_ID],
3706 return PTR_ERR(set);
3709 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3712 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3713 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
3720 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3721 const struct nlattr *attr)
3723 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3724 struct nft_set_ext_tmpl tmpl;
3725 struct nft_data_desc desc;
3726 struct nft_set_elem elem;
3727 struct nft_set_ext *ext;
3728 struct nft_trans *trans;
3733 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3734 nft_set_elem_policy);
3739 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3742 nft_set_ext_prepare(&tmpl);
3744 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3748 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3750 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3751 nla[NFTA_SET_ELEM_KEY]);
3756 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3759 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
3762 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
3764 if (elem.priv == NULL)
3767 ext = nft_set_elem_ext(set, elem.priv);
3769 *nft_set_ext_flags(ext) = flags;
3771 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3772 if (trans == NULL) {
3777 priv = set->ops->deactivate(ctx->net, set, &elem);
3785 nft_trans_elem(trans) = elem;
3786 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3794 nft_data_uninit(&elem.key.val, desc.type);
3799 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3800 struct sk_buff *skb, const struct nlmsghdr *nlh,
3801 const struct nlattr * const nla[])
3803 u8 genmask = nft_genmask_next(net);
3804 const struct nlattr *attr;
3805 struct nft_set *set;
3809 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3812 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3816 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3819 return PTR_ERR(set);
3820 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3823 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3824 err = nft_del_setelem(&ctx, set, attr);
3833 void nft_set_gc_batch_release(struct rcu_head *rcu)
3835 struct nft_set_gc_batch *gcb;
3838 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3839 for (i = 0; i < gcb->head.cnt; i++)
3840 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
3843 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3845 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3848 struct nft_set_gc_batch *gcb;
3850 gcb = kzalloc(sizeof(*gcb), gfp);
3853 gcb->head.set = set;
3856 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3858 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3859 u32 portid, u32 seq)
3861 struct nlmsghdr *nlh;
3862 struct nfgenmsg *nfmsg;
3863 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3865 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3867 goto nla_put_failure;
3869 nfmsg = nlmsg_data(nlh);
3870 nfmsg->nfgen_family = AF_UNSPEC;
3871 nfmsg->version = NFNETLINK_V0;
3872 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3874 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3875 goto nla_put_failure;
3877 nlmsg_end(skb, nlh);
3881 nlmsg_trim(skb, nlh);
3885 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3887 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3888 struct sk_buff *skb2;
3891 if (nlmsg_report(nlh) &&
3892 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3896 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3900 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3907 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3908 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3911 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3917 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3918 struct sk_buff *skb, const struct nlmsghdr *nlh,
3919 const struct nlattr * const nla[])
3921 struct sk_buff *skb2;
3924 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3928 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3933 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3939 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3940 [NFT_MSG_NEWTABLE] = {
3941 .call_batch = nf_tables_newtable,
3942 .attr_count = NFTA_TABLE_MAX,
3943 .policy = nft_table_policy,
3945 [NFT_MSG_GETTABLE] = {
3946 .call = nf_tables_gettable,
3947 .attr_count = NFTA_TABLE_MAX,
3948 .policy = nft_table_policy,
3950 [NFT_MSG_DELTABLE] = {
3951 .call_batch = nf_tables_deltable,
3952 .attr_count = NFTA_TABLE_MAX,
3953 .policy = nft_table_policy,
3955 [NFT_MSG_NEWCHAIN] = {
3956 .call_batch = nf_tables_newchain,
3957 .attr_count = NFTA_CHAIN_MAX,
3958 .policy = nft_chain_policy,
3960 [NFT_MSG_GETCHAIN] = {
3961 .call = nf_tables_getchain,
3962 .attr_count = NFTA_CHAIN_MAX,
3963 .policy = nft_chain_policy,
3965 [NFT_MSG_DELCHAIN] = {
3966 .call_batch = nf_tables_delchain,
3967 .attr_count = NFTA_CHAIN_MAX,
3968 .policy = nft_chain_policy,
3970 [NFT_MSG_NEWRULE] = {
3971 .call_batch = nf_tables_newrule,
3972 .attr_count = NFTA_RULE_MAX,
3973 .policy = nft_rule_policy,
3975 [NFT_MSG_GETRULE] = {
3976 .call = nf_tables_getrule,
3977 .attr_count = NFTA_RULE_MAX,
3978 .policy = nft_rule_policy,
3980 [NFT_MSG_DELRULE] = {
3981 .call_batch = nf_tables_delrule,
3982 .attr_count = NFTA_RULE_MAX,
3983 .policy = nft_rule_policy,
3985 [NFT_MSG_NEWSET] = {
3986 .call_batch = nf_tables_newset,
3987 .attr_count = NFTA_SET_MAX,
3988 .policy = nft_set_policy,
3990 [NFT_MSG_GETSET] = {
3991 .call = nf_tables_getset,
3992 .attr_count = NFTA_SET_MAX,
3993 .policy = nft_set_policy,
3995 [NFT_MSG_DELSET] = {
3996 .call_batch = nf_tables_delset,
3997 .attr_count = NFTA_SET_MAX,
3998 .policy = nft_set_policy,
4000 [NFT_MSG_NEWSETELEM] = {
4001 .call_batch = nf_tables_newsetelem,
4002 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4003 .policy = nft_set_elem_list_policy,
4005 [NFT_MSG_GETSETELEM] = {
4006 .call = nf_tables_getsetelem,
4007 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4008 .policy = nft_set_elem_list_policy,
4010 [NFT_MSG_DELSETELEM] = {
4011 .call_batch = nf_tables_delsetelem,
4012 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4013 .policy = nft_set_elem_list_policy,
4015 [NFT_MSG_GETGEN] = {
4016 .call = nf_tables_getgen,
4020 static void nft_chain_commit_update(struct nft_trans *trans)
4022 struct nft_base_chain *basechain;
4024 if (nft_trans_chain_name(trans)[0])
4025 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
4027 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
4030 basechain = nft_base_chain(trans->ctx.chain);
4031 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
4033 switch (nft_trans_chain_policy(trans)) {
4036 basechain->policy = nft_trans_chain_policy(trans);
4041 static void nf_tables_commit_release(struct nft_trans *trans)
4043 switch (trans->msg_type) {
4044 case NFT_MSG_DELTABLE:
4045 nf_tables_table_destroy(&trans->ctx);
4047 case NFT_MSG_DELCHAIN:
4048 nf_tables_chain_destroy(trans->ctx.chain);
4050 case NFT_MSG_DELRULE:
4051 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4053 case NFT_MSG_DELSET:
4054 nft_set_destroy(nft_trans_set(trans));
4056 case NFT_MSG_DELSETELEM:
4057 nft_set_elem_destroy(nft_trans_elem_set(trans),
4058 nft_trans_elem(trans).priv, true);
4064 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
4066 struct nft_trans *trans, *next;
4067 struct nft_trans_elem *te;
4069 /* Bump generation counter, invalidate any dump in progress */
4070 while (++net->nft.base_seq == 0);
4072 /* A new generation has just started */
4073 net->nft.gencursor = nft_gencursor_next(net);
4075 /* Make sure all packets have left the previous generation before
4076 * purging old rules.
4080 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4081 switch (trans->msg_type) {
4082 case NFT_MSG_NEWTABLE:
4083 if (nft_trans_table_update(trans)) {
4084 if (!nft_trans_table_enable(trans)) {
4085 nf_tables_table_disable(net,
4088 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4091 nft_clear(net, trans->ctx.table);
4093 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
4094 nft_trans_destroy(trans);
4096 case NFT_MSG_DELTABLE:
4097 list_del_rcu(&trans->ctx.table->list);
4098 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
4100 case NFT_MSG_NEWCHAIN:
4101 if (nft_trans_chain_update(trans))
4102 nft_chain_commit_update(trans);
4104 nft_clear(net, trans->ctx.chain);
4106 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
4107 nft_trans_destroy(trans);
4109 case NFT_MSG_DELCHAIN:
4110 list_del_rcu(&trans->ctx.chain->list);
4111 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
4112 nf_tables_unregister_hooks(trans->ctx.net,
4115 trans->ctx.afi->nops);
4117 case NFT_MSG_NEWRULE:
4118 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4119 nf_tables_rule_notify(&trans->ctx,
4120 nft_trans_rule(trans),
4122 nft_trans_destroy(trans);
4124 case NFT_MSG_DELRULE:
4125 list_del_rcu(&nft_trans_rule(trans)->list);
4126 nf_tables_rule_notify(&trans->ctx,
4127 nft_trans_rule(trans),
4130 case NFT_MSG_NEWSET:
4131 nft_clear(net, nft_trans_set(trans));
4132 /* This avoids hitting -EBUSY when deleting the table
4133 * from the transaction.
4135 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
4136 !list_empty(&nft_trans_set(trans)->bindings))
4137 trans->ctx.table->use--;
4139 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4140 NFT_MSG_NEWSET, GFP_KERNEL);
4141 nft_trans_destroy(trans);
4143 case NFT_MSG_DELSET:
4144 list_del_rcu(&nft_trans_set(trans)->list);
4145 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4146 NFT_MSG_DELSET, GFP_KERNEL);
4148 case NFT_MSG_NEWSETELEM:
4149 te = (struct nft_trans_elem *)trans->data;
4151 te->set->ops->activate(net, te->set, &te->elem);
4152 nf_tables_setelem_notify(&trans->ctx, te->set,
4154 NFT_MSG_NEWSETELEM, 0);
4155 nft_trans_destroy(trans);
4157 case NFT_MSG_DELSETELEM:
4158 te = (struct nft_trans_elem *)trans->data;
4160 nf_tables_setelem_notify(&trans->ctx, te->set,
4162 NFT_MSG_DELSETELEM, 0);
4163 te->set->ops->remove(te->set, &te->elem);
4164 atomic_dec(&te->set->nelems);
4172 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4173 list_del(&trans->list);
4174 nf_tables_commit_release(trans);
4177 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
4182 static void nf_tables_abort_release(struct nft_trans *trans)
4184 switch (trans->msg_type) {
4185 case NFT_MSG_NEWTABLE:
4186 nf_tables_table_destroy(&trans->ctx);
4188 case NFT_MSG_NEWCHAIN:
4189 nf_tables_chain_destroy(trans->ctx.chain);
4191 case NFT_MSG_NEWRULE:
4192 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4194 case NFT_MSG_NEWSET:
4195 nft_set_destroy(nft_trans_set(trans));
4197 case NFT_MSG_NEWSETELEM:
4198 nft_set_elem_destroy(nft_trans_elem_set(trans),
4199 nft_trans_elem(trans).priv, true);
4205 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4207 struct nft_trans *trans, *next;
4208 struct nft_trans_elem *te;
4210 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4212 switch (trans->msg_type) {
4213 case NFT_MSG_NEWTABLE:
4214 if (nft_trans_table_update(trans)) {
4215 if (nft_trans_table_enable(trans)) {
4216 nf_tables_table_disable(net,
4219 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4221 nft_trans_destroy(trans);
4223 list_del_rcu(&trans->ctx.table->list);
4226 case NFT_MSG_DELTABLE:
4227 nft_clear(trans->ctx.net, trans->ctx.table);
4228 nft_trans_destroy(trans);
4230 case NFT_MSG_NEWCHAIN:
4231 if (nft_trans_chain_update(trans)) {
4232 free_percpu(nft_trans_chain_stats(trans));
4234 nft_trans_destroy(trans);
4236 trans->ctx.table->use--;
4237 list_del_rcu(&trans->ctx.chain->list);
4238 nf_tables_unregister_hooks(trans->ctx.net,
4241 trans->ctx.afi->nops);
4244 case NFT_MSG_DELCHAIN:
4245 trans->ctx.table->use++;
4246 nft_clear(trans->ctx.net, trans->ctx.chain);
4247 nft_trans_destroy(trans);
4249 case NFT_MSG_NEWRULE:
4250 trans->ctx.chain->use--;
4251 list_del_rcu(&nft_trans_rule(trans)->list);
4253 case NFT_MSG_DELRULE:
4254 trans->ctx.chain->use++;
4255 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4256 nft_trans_destroy(trans);
4258 case NFT_MSG_NEWSET:
4259 trans->ctx.table->use--;
4260 list_del_rcu(&nft_trans_set(trans)->list);
4262 case NFT_MSG_DELSET:
4263 trans->ctx.table->use++;
4264 nft_clear(trans->ctx.net, nft_trans_set(trans));
4265 nft_trans_destroy(trans);
4267 case NFT_MSG_NEWSETELEM:
4268 te = (struct nft_trans_elem *)trans->data;
4270 te->set->ops->remove(te->set, &te->elem);
4271 atomic_dec(&te->set->nelems);
4273 case NFT_MSG_DELSETELEM:
4274 te = (struct nft_trans_elem *)trans->data;
4276 te->set->ops->activate(net, te->set, &te->elem);
4279 nft_trans_destroy(trans);
4286 list_for_each_entry_safe_reverse(trans, next,
4287 &net->nft.commit_list, list) {
4288 list_del(&trans->list);
4289 nf_tables_abort_release(trans);
4295 static const struct nfnetlink_subsystem nf_tables_subsys = {
4296 .name = "nf_tables",
4297 .subsys_id = NFNL_SUBSYS_NFTABLES,
4298 .cb_count = NFT_MSG_MAX,
4300 .commit = nf_tables_commit,
4301 .abort = nf_tables_abort,
4304 int nft_chain_validate_dependency(const struct nft_chain *chain,
4305 enum nft_chain_type type)
4307 const struct nft_base_chain *basechain;
4309 if (chain->flags & NFT_BASE_CHAIN) {
4310 basechain = nft_base_chain(chain);
4311 if (basechain->type->type != type)
4316 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4318 int nft_chain_validate_hooks(const struct nft_chain *chain,
4319 unsigned int hook_flags)
4321 struct nft_base_chain *basechain;
4323 if (chain->flags & NFT_BASE_CHAIN) {
4324 basechain = nft_base_chain(chain);
4326 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4334 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4337 * Loop detection - walk through the ruleset beginning at the destination chain
4338 * of a new jump until either the source chain is reached (loop) or all
4339 * reachable chains have been traversed.
4341 * The loop check is performed whenever a new jump verdict is added to an
4342 * expression or verdict map or a verdict map is bound to a new chain.
4345 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4346 const struct nft_chain *chain);
4348 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4349 const struct nft_set *set,
4350 const struct nft_set_iter *iter,
4351 const struct nft_set_elem *elem)
4353 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4354 const struct nft_data *data;
4356 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4357 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4360 data = nft_set_ext_data(ext);
4361 switch (data->verdict.code) {
4364 return nf_tables_check_loops(ctx, data->verdict.chain);
4370 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4371 const struct nft_chain *chain)
4373 const struct nft_rule *rule;
4374 const struct nft_expr *expr, *last;
4375 const struct nft_set *set;
4376 struct nft_set_binding *binding;
4377 struct nft_set_iter iter;
4379 if (ctx->chain == chain)
4382 list_for_each_entry(rule, &chain->rules, list) {
4383 nft_rule_for_each_expr(expr, last, rule) {
4384 const struct nft_data *data = NULL;
4387 if (!expr->ops->validate)
4390 err = expr->ops->validate(ctx, expr, &data);
4397 switch (data->verdict.code) {
4400 err = nf_tables_check_loops(ctx,
4401 data->verdict.chain);
4410 list_for_each_entry(set, &ctx->table->sets, list) {
4411 if (!nft_is_active_next(ctx->net, set))
4413 if (!(set->flags & NFT_SET_MAP) ||
4414 set->dtype != NFT_DATA_VERDICT)
4417 list_for_each_entry(binding, &set->bindings, list) {
4418 if (!(binding->flags & NFT_SET_MAP) ||
4419 binding->chain != chain)
4422 iter.genmask = nft_genmask_next(ctx->net);
4426 iter.fn = nf_tables_loop_check_setelem;
4428 set->ops->walk(ctx, set, &iter);
4438 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
4440 * @attr: netlink attribute to fetch value from
4441 * @max: maximum value to be stored in dest
4442 * @dest: pointer to the variable
4444 * Parse, check and store a given u32 netlink attribute into variable.
4445 * This function returns -ERANGE if the value goes over maximum value.
4446 * Otherwise a 0 is returned and the attribute value is stored in the
4447 * destination variable.
4449 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
4453 val = ntohl(nla_get_be32(attr));
4460 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
4463 * nft_parse_register - parse a register value from a netlink attribute
4465 * @attr: netlink attribute
4467 * Parse and translate a register value from a netlink attribute.
4468 * Registers used to be 128 bit wide, these register numbers will be
4469 * mapped to the corresponding 32 bit register numbers.
4471 unsigned int nft_parse_register(const struct nlattr *attr)
4475 reg = ntohl(nla_get_be32(attr));
4477 case NFT_REG_VERDICT...NFT_REG_4:
4478 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4480 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4483 EXPORT_SYMBOL_GPL(nft_parse_register);
4486 * nft_dump_register - dump a register value to a netlink attribute
4488 * @skb: socket buffer
4489 * @attr: attribute number
4490 * @reg: register number
4492 * Construct a netlink attribute containing the register number. For
4493 * compatibility reasons, register numbers being a multiple of 4 are
4494 * translated to the corresponding 128 bit register numbers.
4496 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4498 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4499 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4501 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4503 return nla_put_be32(skb, attr, htonl(reg));
4505 EXPORT_SYMBOL_GPL(nft_dump_register);
4508 * nft_validate_register_load - validate a load from a register
4510 * @reg: the register number
4511 * @len: the length of the data
4513 * Validate that the input register is one of the general purpose
4514 * registers and that the length of the load is within the bounds.
4516 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4518 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4522 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4527 EXPORT_SYMBOL_GPL(nft_validate_register_load);
4530 * nft_validate_register_store - validate an expressions' register store
4532 * @ctx: context of the expression performing the load
4533 * @reg: the destination register number
4534 * @data: the data to load
4535 * @type: the data type
4536 * @len: the length of the data
4538 * Validate that a data load uses the appropriate data type for
4539 * the destination register and the length is within the bounds.
4540 * A value of NULL for the data means that its runtime gathered
4543 int nft_validate_register_store(const struct nft_ctx *ctx,
4544 enum nft_registers reg,
4545 const struct nft_data *data,
4546 enum nft_data_types type, unsigned int len)
4551 case NFT_REG_VERDICT:
4552 if (type != NFT_DATA_VERDICT)
4556 (data->verdict.code == NFT_GOTO ||
4557 data->verdict.code == NFT_JUMP)) {
4558 err = nf_tables_check_loops(ctx, data->verdict.chain);
4562 if (ctx->chain->level + 1 >
4563 data->verdict.chain->level) {
4564 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4566 data->verdict.chain->level = ctx->chain->level + 1;
4572 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4576 if (reg * NFT_REG32_SIZE + len >
4577 FIELD_SIZEOF(struct nft_regs, data))
4580 if (data != NULL && type != NFT_DATA_VALUE)
4585 EXPORT_SYMBOL_GPL(nft_validate_register_store);
4587 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4588 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4589 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4590 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4593 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4594 struct nft_data_desc *desc, const struct nlattr *nla)
4596 u8 genmask = nft_genmask_next(ctx->net);
4597 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4598 struct nft_chain *chain;
4601 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4605 if (!tb[NFTA_VERDICT_CODE])
4607 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4609 switch (data->verdict.code) {
4611 switch (data->verdict.code & NF_VERDICT_MASK) {
4626 if (!tb[NFTA_VERDICT_CHAIN])
4628 chain = nf_tables_chain_lookup(ctx->table,
4629 tb[NFTA_VERDICT_CHAIN], genmask);
4631 return PTR_ERR(chain);
4632 if (chain->flags & NFT_BASE_CHAIN)
4636 data->verdict.chain = chain;
4640 desc->len = sizeof(data->verdict);
4641 desc->type = NFT_DATA_VERDICT;
4645 static void nft_verdict_uninit(const struct nft_data *data)
4647 switch (data->verdict.code) {
4650 data->verdict.chain->use--;
4655 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4657 struct nlattr *nest;
4659 nest = nla_nest_start(skb, type);
4661 goto nla_put_failure;
4663 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4664 goto nla_put_failure;
4669 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4671 goto nla_put_failure;
4673 nla_nest_end(skb, nest);
4680 static int nft_value_init(const struct nft_ctx *ctx,
4681 struct nft_data *data, unsigned int size,
4682 struct nft_data_desc *desc, const struct nlattr *nla)
4692 nla_memcpy(data->data, nla, len);
4693 desc->type = NFT_DATA_VALUE;
4698 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4701 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4704 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4705 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4706 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4710 * nft_data_init - parse nf_tables data netlink attributes
4712 * @ctx: context of the expression using the data
4713 * @data: destination struct nft_data
4714 * @size: maximum data length
4715 * @desc: data description
4716 * @nla: netlink attribute containing data
4718 * Parse the netlink data attributes and initialize a struct nft_data.
4719 * The type and length of data are returned in the data description.
4721 * The caller can indicate that it only wants to accept data of type
4722 * NFT_DATA_VALUE by passing NULL for the ctx argument.
4724 int nft_data_init(const struct nft_ctx *ctx,
4725 struct nft_data *data, unsigned int size,
4726 struct nft_data_desc *desc, const struct nlattr *nla)
4728 struct nlattr *tb[NFTA_DATA_MAX + 1];
4731 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4735 if (tb[NFTA_DATA_VALUE])
4736 return nft_value_init(ctx, data, size, desc,
4737 tb[NFTA_DATA_VALUE]);
4738 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4739 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4742 EXPORT_SYMBOL_GPL(nft_data_init);
4745 * nft_data_uninit - release a nft_data item
4747 * @data: struct nft_data to release
4748 * @type: type of data
4750 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4751 * all others need to be released by calling this function.
4753 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4755 if (type < NFT_DATA_VERDICT)
4758 case NFT_DATA_VERDICT:
4759 return nft_verdict_uninit(data);
4764 EXPORT_SYMBOL_GPL(nft_data_uninit);
4766 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4767 enum nft_data_types type, unsigned int len)
4769 struct nlattr *nest;
4772 nest = nla_nest_start(skb, attr);
4777 case NFT_DATA_VALUE:
4778 err = nft_value_dump(skb, data, len);
4780 case NFT_DATA_VERDICT:
4781 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4788 nla_nest_end(skb, nest);
4791 EXPORT_SYMBOL_GPL(nft_data_dump);
4793 static int __net_init nf_tables_init_net(struct net *net)
4795 INIT_LIST_HEAD(&net->nft.af_info);
4796 INIT_LIST_HEAD(&net->nft.commit_list);
4797 net->nft.base_seq = 1;
4801 int __nft_release_basechain(struct nft_ctx *ctx)
4803 struct nft_rule *rule, *nr;
4805 BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4807 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
4809 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4810 list_del(&rule->list);
4812 nf_tables_rule_destroy(ctx, rule);
4814 list_del(&ctx->chain->list);
4816 nf_tables_chain_destroy(ctx->chain);
4820 EXPORT_SYMBOL_GPL(__nft_release_basechain);
4822 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
4823 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4825 struct nft_table *table, *nt;
4826 struct nft_chain *chain, *nc;
4827 struct nft_rule *rule, *nr;
4828 struct nft_set *set, *ns;
4829 struct nft_ctx ctx = {
4834 list_for_each_entry_safe(table, nt, &afi->tables, list) {
4835 list_for_each_entry(chain, &table->chains, list)
4836 nf_tables_unregister_hooks(net, table, chain,
4838 /* No packets are walking on these chains anymore. */
4840 list_for_each_entry(chain, &table->chains, list) {
4842 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4843 list_del(&rule->list);
4845 nf_tables_rule_destroy(&ctx, rule);
4848 list_for_each_entry_safe(set, ns, &table->sets, list) {
4849 list_del(&set->list);
4851 nft_set_destroy(set);
4853 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4854 list_del(&chain->list);
4856 nf_tables_chain_destroy(chain);
4858 list_del(&table->list);
4859 nf_tables_table_destroy(&ctx);
4863 static struct pernet_operations nf_tables_net_ops = {
4864 .init = nf_tables_init_net,
4867 static int __init nf_tables_module_init(void)
4871 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4878 err = nf_tables_core_module_init();
4882 err = nfnetlink_subsys_register(&nf_tables_subsys);
4886 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4887 return register_pernet_subsys(&nf_tables_net_ops);
4889 nf_tables_core_module_exit();
4896 static void __exit nf_tables_module_exit(void)
4898 unregister_pernet_subsys(&nf_tables_net_ops);
4899 nfnetlink_subsys_unregister(&nf_tables_subsys);
4901 nf_tables_core_module_exit();
4905 module_init(nf_tables_module_init);
4906 module_exit(nf_tables_module_exit);
4908 MODULE_LICENSE("GPL");
4909 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4910 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / releases.git / blob