2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/net_namespace.h>
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
29 * nft_register_afinfo - register nf_tables address family info
31 * @afi: address family info to register
33 * Register the address family for use with nf_tables. Returns zero on
34 * success or a negative errno code otherwise.
36 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
38 INIT_LIST_HEAD(&afi->tables);
39 nfnl_lock(NFNL_SUBSYS_NFTABLES);
40 list_add_tail_rcu(&afi->list, &net->nft.af_info);
41 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
44 EXPORT_SYMBOL_GPL(nft_register_afinfo);
46 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
49 * nft_unregister_afinfo - unregister nf_tables address family info
51 * @afi: address family info to unregister
53 * Unregister the address family for use with nf_tables.
55 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
57 nfnl_lock(NFNL_SUBSYS_NFTABLES);
58 __nft_release_afinfo(net, afi);
59 list_del_rcu(&afi->list);
60 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
62 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
64 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
66 struct nft_af_info *afi;
68 list_for_each_entry(afi, &net->nft.af_info, list) {
69 if (afi->family == family)
75 static struct nft_af_info *
76 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
78 struct nft_af_info *afi;
80 afi = nft_afinfo_lookup(net, family);
85 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
86 request_module("nft-afinfo-%u", family);
87 nfnl_lock(NFNL_SUBSYS_NFTABLES);
88 afi = nft_afinfo_lookup(net, family);
90 return ERR_PTR(-EAGAIN);
93 return ERR_PTR(-EAFNOSUPPORT);
96 static void nft_ctx_init(struct nft_ctx *ctx,
98 const struct sk_buff *skb,
99 const struct nlmsghdr *nlh,
100 struct nft_af_info *afi,
101 struct nft_table *table,
102 struct nft_chain *chain,
103 const struct nlattr * const *nla)
110 ctx->portid = NETLINK_CB(skb).portid;
111 ctx->report = nlmsg_report(nlh);
112 ctx->seq = nlh->nlmsg_seq;
115 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
116 int msg_type, u32 size, gfp_t gfp)
118 struct nft_trans *trans;
120 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
124 trans->msg_type = msg_type;
130 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
131 int msg_type, u32 size)
133 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
136 static void nft_trans_destroy(struct nft_trans *trans)
138 list_del(&trans->list);
142 static int nf_tables_register_hooks(struct net *net,
143 const struct nft_table *table,
144 struct nft_chain *chain,
145 unsigned int hook_nops)
147 if (table->flags & NFT_TABLE_F_DORMANT ||
148 !nft_is_base_chain(chain))
151 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
155 static void nf_tables_unregister_hooks(struct net *net,
156 const struct nft_table *table,
157 struct nft_chain *chain,
158 unsigned int hook_nops)
160 if (table->flags & NFT_TABLE_F_DORMANT ||
161 !nft_is_base_chain(chain))
164 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
167 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
169 struct nft_trans *trans;
171 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
175 if (msg_type == NFT_MSG_NEWTABLE)
176 nft_activate_next(ctx->net, ctx->table);
178 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
182 static int nft_deltable(struct nft_ctx *ctx)
186 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
190 nft_deactivate_next(ctx->net, ctx->table);
194 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
196 struct nft_trans *trans;
198 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
202 if (msg_type == NFT_MSG_NEWCHAIN)
203 nft_activate_next(ctx->net, ctx->chain);
205 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
209 static int nft_delchain(struct nft_ctx *ctx)
213 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
218 nft_deactivate_next(ctx->net, ctx->chain);
223 /* either expr ops provide both activate/deactivate, or neither */
224 static bool nft_expr_check_ops(const struct nft_expr_ops *ops)
229 if (WARN_ON_ONCE((!ops->activate ^ !ops->deactivate)))
235 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
236 struct nft_rule *rule)
238 struct nft_expr *expr;
240 expr = nft_expr_first(rule);
241 while (expr != nft_expr_last(rule) && expr->ops) {
242 if (expr->ops->activate)
243 expr->ops->activate(ctx, expr);
245 expr = nft_expr_next(expr);
249 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
250 struct nft_rule *rule)
252 struct nft_expr *expr;
254 expr = nft_expr_first(rule);
255 while (expr != nft_expr_last(rule) && expr->ops) {
256 if (expr->ops->deactivate)
257 expr->ops->deactivate(ctx, expr);
259 expr = nft_expr_next(expr);
264 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
266 /* You cannot delete the same rule twice */
267 if (nft_is_active_next(ctx->net, rule)) {
268 nft_deactivate_next(ctx->net, rule);
275 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
276 struct nft_rule *rule)
278 struct nft_trans *trans;
280 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
284 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
285 nft_trans_rule_id(trans) =
286 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
288 nft_trans_rule(trans) = rule;
289 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
294 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
296 struct nft_trans *trans;
299 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
303 err = nf_tables_delrule_deactivate(ctx, rule);
305 nft_trans_destroy(trans);
308 nft_rule_expr_deactivate(ctx, rule);
313 static int nft_delrule_by_chain(struct nft_ctx *ctx)
315 struct nft_rule *rule;
318 list_for_each_entry(rule, &ctx->chain->rules, list) {
319 if (!nft_is_active_next(ctx->net, rule))
322 err = nft_delrule(ctx, rule);
329 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
332 struct nft_trans *trans;
334 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
338 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
339 nft_trans_set_id(trans) =
340 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
341 nft_activate_next(ctx->net, set);
343 nft_trans_set(trans) = set;
344 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
349 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
353 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
357 nft_deactivate_next(ctx->net, set);
363 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
364 struct nft_object *obj)
366 struct nft_trans *trans;
368 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
372 if (msg_type == NFT_MSG_NEWOBJ)
373 nft_activate_next(ctx->net, obj);
375 nft_trans_obj(trans) = obj;
376 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
381 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
385 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
389 nft_deactivate_next(ctx->net, obj);
399 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
400 const struct nlattr *nla,
403 struct nft_table *table;
405 list_for_each_entry(table, &afi->tables, list) {
406 if (!nla_strcmp(nla, table->name) &&
407 nft_active_genmask(table, genmask))
413 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
414 const struct nlattr *nla,
417 struct nft_table *table;
420 return ERR_PTR(-EINVAL);
422 table = nft_table_lookup(afi, nla, genmask);
426 return ERR_PTR(-ENOENT);
429 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
431 return ++table->hgenerator;
434 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
436 static const struct nf_chain_type *
437 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
441 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
442 if (chain_type[family][i] != NULL &&
443 !nla_strcmp(nla, chain_type[family][i]->name))
444 return chain_type[family][i];
449 static const struct nf_chain_type *
450 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
451 const struct nlattr *nla,
454 const struct nf_chain_type *type;
456 type = __nf_tables_chain_type_lookup(afi->family, nla);
459 #ifdef CONFIG_MODULES
461 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
462 request_module("nft-chain-%u-%.*s", afi->family,
463 nla_len(nla), (const char *)nla_data(nla));
464 nfnl_lock(NFNL_SUBSYS_NFTABLES);
465 type = __nf_tables_chain_type_lookup(afi->family, nla);
467 return ERR_PTR(-EAGAIN);
470 return ERR_PTR(-ENOENT);
473 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
474 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
475 .len = NFT_TABLE_MAXNAMELEN - 1 },
476 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
479 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
480 u32 portid, u32 seq, int event, u32 flags,
481 int family, const struct nft_table *table)
483 struct nlmsghdr *nlh;
484 struct nfgenmsg *nfmsg;
486 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
487 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
489 goto nla_put_failure;
491 nfmsg = nlmsg_data(nlh);
492 nfmsg->nfgen_family = family;
493 nfmsg->version = NFNETLINK_V0;
494 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
496 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
497 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
498 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
499 goto nla_put_failure;
505 nlmsg_trim(skb, nlh);
509 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
515 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
518 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
522 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
523 event, 0, ctx->afi->family, ctx->table);
529 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
530 ctx->report, GFP_KERNEL);
533 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
536 static int nf_tables_dump_tables(struct sk_buff *skb,
537 struct netlink_callback *cb)
539 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
540 const struct nft_af_info *afi;
541 const struct nft_table *table;
542 unsigned int idx = 0, s_idx = cb->args[0];
543 struct net *net = sock_net(skb->sk);
544 int family = nfmsg->nfgen_family;
547 cb->seq = net->nft.base_seq;
549 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
550 if (family != NFPROTO_UNSPEC && family != afi->family)
553 list_for_each_entry_rcu(table, &afi->tables, list) {
557 memset(&cb->args[1], 0,
558 sizeof(cb->args) - sizeof(cb->args[0]));
559 if (!nft_is_active(net, table))
561 if (nf_tables_fill_table_info(skb, net,
562 NETLINK_CB(cb->skb).portid,
566 afi->family, table) < 0)
569 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
580 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
581 struct sk_buff *skb, const struct nlmsghdr *nlh,
582 const struct nlattr * const nla[],
583 struct netlink_ext_ack *extack)
585 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
586 u8 genmask = nft_genmask_cur(net);
587 const struct nft_af_info *afi;
588 const struct nft_table *table;
589 struct sk_buff *skb2;
590 int family = nfmsg->nfgen_family;
593 if (nlh->nlmsg_flags & NLM_F_DUMP) {
594 struct netlink_dump_control c = {
595 .dump = nf_tables_dump_tables,
597 return netlink_dump_start(nlsk, skb, nlh, &c);
600 afi = nf_tables_afinfo_lookup(net, family, false);
604 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
606 return PTR_ERR(table);
608 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
612 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
613 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
618 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
625 static void _nf_tables_table_disable(struct net *net,
626 const struct nft_af_info *afi,
627 struct nft_table *table,
630 struct nft_chain *chain;
633 list_for_each_entry(chain, &table->chains, list) {
634 if (!nft_is_active_next(net, chain))
636 if (!nft_is_base_chain(chain))
639 if (cnt && i++ == cnt)
642 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
647 static int nf_tables_table_enable(struct net *net,
648 const struct nft_af_info *afi,
649 struct nft_table *table)
651 struct nft_chain *chain;
654 list_for_each_entry(chain, &table->chains, list) {
655 if (!nft_is_active_next(net, chain))
657 if (!nft_is_base_chain(chain))
660 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
670 _nf_tables_table_disable(net, afi, table, i);
674 static void nf_tables_table_disable(struct net *net,
675 const struct nft_af_info *afi,
676 struct nft_table *table)
678 _nf_tables_table_disable(net, afi, table, 0);
681 static int nf_tables_updtable(struct nft_ctx *ctx)
683 struct nft_trans *trans;
687 if (!ctx->nla[NFTA_TABLE_FLAGS])
690 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
691 if (flags & ~NFT_TABLE_F_DORMANT)
694 if (flags == ctx->table->flags)
697 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
698 sizeof(struct nft_trans_table));
702 if ((flags & NFT_TABLE_F_DORMANT) &&
703 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
704 nft_trans_table_enable(trans) = false;
705 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
706 ctx->table->flags & NFT_TABLE_F_DORMANT) {
707 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
709 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
710 nft_trans_table_enable(trans) = true;
716 nft_trans_table_update(trans) = true;
717 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
720 nft_trans_destroy(trans);
724 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
725 struct sk_buff *skb, const struct nlmsghdr *nlh,
726 const struct nlattr * const nla[],
727 struct netlink_ext_ack *extack)
729 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
730 u8 genmask = nft_genmask_next(net);
731 const struct nlattr *name;
732 struct nft_af_info *afi;
733 struct nft_table *table;
734 int family = nfmsg->nfgen_family;
739 afi = nf_tables_afinfo_lookup(net, family, true);
743 name = nla[NFTA_TABLE_NAME];
744 table = nf_tables_table_lookup(afi, name, genmask);
746 if (PTR_ERR(table) != -ENOENT)
747 return PTR_ERR(table);
749 if (nlh->nlmsg_flags & NLM_F_EXCL)
751 if (nlh->nlmsg_flags & NLM_F_REPLACE)
754 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
755 return nf_tables_updtable(&ctx);
758 if (nla[NFTA_TABLE_FLAGS]) {
759 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
760 if (flags & ~NFT_TABLE_F_DORMANT)
765 if (!try_module_get(afi->owner))
769 table = kzalloc(sizeof(*table), GFP_KERNEL);
773 table->name = nla_strdup(name, GFP_KERNEL);
774 if (table->name == NULL)
777 INIT_LIST_HEAD(&table->chains);
778 INIT_LIST_HEAD(&table->sets);
779 INIT_LIST_HEAD(&table->objects);
780 table->flags = flags;
782 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
783 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
787 list_add_tail_rcu(&table->list, &afi->tables);
794 module_put(afi->owner);
799 static int nft_flush_table(struct nft_ctx *ctx)
802 struct nft_chain *chain, *nc;
803 struct nft_object *obj, *ne;
804 struct nft_set *set, *ns;
806 list_for_each_entry(chain, &ctx->table->chains, list) {
807 if (!nft_is_active_next(ctx->net, chain))
812 err = nft_delrule_by_chain(ctx);
817 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
818 if (!nft_is_active_next(ctx->net, set))
821 if (set->flags & NFT_SET_ANONYMOUS &&
822 !list_empty(&set->bindings))
825 err = nft_delset(ctx, set);
830 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
831 err = nft_delobj(ctx, obj);
836 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
837 if (!nft_is_active_next(ctx->net, chain))
842 err = nft_delchain(ctx);
847 err = nft_deltable(ctx);
852 static int nft_flush(struct nft_ctx *ctx, int family)
854 struct nft_af_info *afi;
855 struct nft_table *table, *nt;
856 const struct nlattr * const *nla = ctx->nla;
859 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
860 if (family != AF_UNSPEC && afi->family != family)
864 list_for_each_entry_safe(table, nt, &afi->tables, list) {
865 if (!nft_is_active_next(ctx->net, table))
868 if (nla[NFTA_TABLE_NAME] &&
869 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
874 err = nft_flush_table(ctx);
883 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
884 struct sk_buff *skb, const struct nlmsghdr *nlh,
885 const struct nlattr * const nla[],
886 struct netlink_ext_ack *extack)
888 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
889 u8 genmask = nft_genmask_next(net);
890 struct nft_af_info *afi;
891 struct nft_table *table;
892 int family = nfmsg->nfgen_family;
895 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
896 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
897 return nft_flush(&ctx, family);
899 afi = nf_tables_afinfo_lookup(net, family, false);
903 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
905 return PTR_ERR(table);
907 if (nlh->nlmsg_flags & NLM_F_NONREC &&
914 return nft_flush_table(&ctx);
917 static void nf_tables_table_destroy(struct nft_ctx *ctx)
919 BUG_ON(ctx->table->use > 0);
921 kfree(ctx->table->name);
923 module_put(ctx->afi->owner);
926 int nft_register_chain_type(const struct nf_chain_type *ctype)
930 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
933 nfnl_lock(NFNL_SUBSYS_NFTABLES);
934 if (chain_type[ctype->family][ctype->type] != NULL) {
938 chain_type[ctype->family][ctype->type] = ctype;
940 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
943 EXPORT_SYMBOL_GPL(nft_register_chain_type);
945 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
947 nfnl_lock(NFNL_SUBSYS_NFTABLES);
948 chain_type[ctype->family][ctype->type] = NULL;
949 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
951 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
957 static struct nft_chain *
958 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
961 struct nft_chain *chain;
963 list_for_each_entry(chain, &table->chains, list) {
964 if (chain->handle == handle &&
965 nft_active_genmask(chain, genmask))
969 return ERR_PTR(-ENOENT);
972 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
973 const struct nlattr *nla,
976 struct nft_chain *chain;
979 return ERR_PTR(-EINVAL);
981 list_for_each_entry(chain, &table->chains, list) {
982 if (!nla_strcmp(nla, chain->name) &&
983 nft_active_genmask(chain, genmask))
987 return ERR_PTR(-ENOENT);
990 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
991 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
992 .len = NFT_TABLE_MAXNAMELEN - 1 },
993 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
994 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
995 .len = NFT_CHAIN_MAXNAMELEN - 1 },
996 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
997 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
998 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
999 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1002 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1003 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1004 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1005 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1006 .len = IFNAMSIZ - 1 },
1009 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1011 struct nft_stats *cpu_stats, total;
1012 struct nlattr *nest;
1017 memset(&total, 0, sizeof(total));
1018 for_each_possible_cpu(cpu) {
1019 cpu_stats = per_cpu_ptr(stats, cpu);
1021 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1022 pkts = cpu_stats->pkts;
1023 bytes = cpu_stats->bytes;
1024 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1026 total.bytes += bytes;
1028 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1030 goto nla_put_failure;
1032 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1033 NFTA_COUNTER_PAD) ||
1034 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1036 goto nla_put_failure;
1038 nla_nest_end(skb, nest);
1045 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1046 u32 portid, u32 seq, int event, u32 flags,
1047 int family, const struct nft_table *table,
1048 const struct nft_chain *chain)
1050 struct nlmsghdr *nlh;
1051 struct nfgenmsg *nfmsg;
1053 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1054 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1056 goto nla_put_failure;
1058 nfmsg = nlmsg_data(nlh);
1059 nfmsg->nfgen_family = family;
1060 nfmsg->version = NFNETLINK_V0;
1061 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1063 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1064 goto nla_put_failure;
1065 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1067 goto nla_put_failure;
1068 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1069 goto nla_put_failure;
1071 if (nft_is_base_chain(chain)) {
1072 const struct nft_base_chain *basechain = nft_base_chain(chain);
1073 const struct nf_hook_ops *ops = &basechain->ops[0];
1074 struct nlattr *nest;
1076 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1078 goto nla_put_failure;
1079 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1080 goto nla_put_failure;
1081 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1082 goto nla_put_failure;
1083 if (basechain->dev_name[0] &&
1084 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1085 goto nla_put_failure;
1086 nla_nest_end(skb, nest);
1088 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1089 htonl(basechain->policy)))
1090 goto nla_put_failure;
1092 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1093 goto nla_put_failure;
1095 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1096 goto nla_put_failure;
1099 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1100 goto nla_put_failure;
1102 nlmsg_end(skb, nlh);
1106 nlmsg_trim(skb, nlh);
1110 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1112 struct sk_buff *skb;
1116 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1119 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1123 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1124 event, 0, ctx->afi->family, ctx->table,
1131 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1132 ctx->report, GFP_KERNEL);
1135 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1138 static int nf_tables_dump_chains(struct sk_buff *skb,
1139 struct netlink_callback *cb)
1141 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1142 const struct nft_af_info *afi;
1143 const struct nft_table *table;
1144 const struct nft_chain *chain;
1145 unsigned int idx = 0, s_idx = cb->args[0];
1146 struct net *net = sock_net(skb->sk);
1147 int family = nfmsg->nfgen_family;
1150 cb->seq = net->nft.base_seq;
1152 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1153 if (family != NFPROTO_UNSPEC && family != afi->family)
1156 list_for_each_entry_rcu(table, &afi->tables, list) {
1157 list_for_each_entry_rcu(chain, &table->chains, list) {
1161 memset(&cb->args[1], 0,
1162 sizeof(cb->args) - sizeof(cb->args[0]));
1163 if (!nft_is_active(net, chain))
1165 if (nf_tables_fill_chain_info(skb, net,
1166 NETLINK_CB(cb->skb).portid,
1170 afi->family, table, chain) < 0)
1173 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1185 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1186 struct sk_buff *skb, const struct nlmsghdr *nlh,
1187 const struct nlattr * const nla[],
1188 struct netlink_ext_ack *extack)
1190 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1191 u8 genmask = nft_genmask_cur(net);
1192 const struct nft_af_info *afi;
1193 const struct nft_table *table;
1194 const struct nft_chain *chain;
1195 struct sk_buff *skb2;
1196 int family = nfmsg->nfgen_family;
1199 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1200 struct netlink_dump_control c = {
1201 .dump = nf_tables_dump_chains,
1203 return netlink_dump_start(nlsk, skb, nlh, &c);
1206 afi = nf_tables_afinfo_lookup(net, family, false);
1208 return PTR_ERR(afi);
1210 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1212 return PTR_ERR(table);
1214 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1216 return PTR_ERR(chain);
1218 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1222 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1223 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1224 family, table, chain);
1228 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1235 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1236 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1237 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1240 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1242 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1243 struct nft_stats __percpu *newstats;
1244 struct nft_stats *stats;
1247 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1250 return ERR_PTR(err);
1252 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1253 return ERR_PTR(-EINVAL);
1255 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1256 if (newstats == NULL)
1257 return ERR_PTR(-ENOMEM);
1259 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1260 * are not exposed to userspace.
1263 stats = this_cpu_ptr(newstats);
1264 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1265 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1271 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1272 struct nft_stats __percpu *newstats)
1274 if (newstats == NULL)
1278 struct nft_stats __percpu *oldstats =
1279 nft_dereference(chain->stats);
1281 rcu_assign_pointer(chain->stats, newstats);
1283 free_percpu(oldstats);
1285 rcu_assign_pointer(chain->stats, newstats);
1286 static_branch_inc(&nft_counters_enabled);
1290 static void nf_tables_chain_destroy(struct nft_chain *chain)
1292 BUG_ON(chain->use > 0);
1294 if (nft_is_base_chain(chain)) {
1295 struct nft_base_chain *basechain = nft_base_chain(chain);
1297 module_put(basechain->type->owner);
1298 free_percpu(basechain->stats);
1299 if (basechain->stats)
1300 static_branch_dec(&nft_counters_enabled);
1301 if (basechain->ops[0].dev != NULL)
1302 dev_put(basechain->ops[0].dev);
1311 struct nft_chain_hook {
1314 const struct nf_chain_type *type;
1315 struct net_device *dev;
1318 static int nft_chain_parse_hook(struct net *net,
1319 const struct nlattr * const nla[],
1320 struct nft_af_info *afi,
1321 struct nft_chain_hook *hook, bool create)
1323 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1324 const struct nf_chain_type *type;
1325 struct net_device *dev;
1328 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1329 nft_hook_policy, NULL);
1333 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1334 ha[NFTA_HOOK_PRIORITY] == NULL)
1337 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1338 if (hook->num >= afi->nhooks)
1341 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1343 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1344 if (nla[NFTA_CHAIN_TYPE]) {
1345 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1348 return PTR_ERR(type);
1350 if (!(type->hook_mask & (1 << hook->num)))
1352 if (!try_module_get(type->owner))
1358 if (afi->flags & NFT_AF_NEEDS_DEV) {
1359 char ifname[IFNAMSIZ];
1361 if (!ha[NFTA_HOOK_DEV]) {
1362 module_put(type->owner);
1366 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1367 dev = dev_get_by_name(net, ifname);
1369 module_put(type->owner);
1373 } else if (ha[NFTA_HOOK_DEV]) {
1374 module_put(type->owner);
1381 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1383 module_put(hook->type->owner);
1384 if (hook->dev != NULL)
1388 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1389 u8 policy, bool create)
1391 const struct nlattr * const *nla = ctx->nla;
1392 struct nft_table *table = ctx->table;
1393 struct nft_af_info *afi = ctx->afi;
1394 struct nft_base_chain *basechain;
1395 struct nft_stats __percpu *stats;
1396 struct net *net = ctx->net;
1397 struct nft_chain *chain;
1401 if (table->use == UINT_MAX)
1404 if (nla[NFTA_CHAIN_HOOK]) {
1405 struct nft_chain_hook hook;
1406 struct nf_hook_ops *ops;
1409 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1413 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1414 if (basechain == NULL) {
1415 nft_chain_release_hook(&hook);
1419 if (hook.dev != NULL)
1420 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1422 if (nla[NFTA_CHAIN_COUNTERS]) {
1423 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1424 if (IS_ERR(stats)) {
1425 nft_chain_release_hook(&hook);
1427 return PTR_ERR(stats);
1429 basechain->stats = stats;
1430 static_branch_inc(&nft_counters_enabled);
1433 hookfn = hook.type->hooks[hook.num];
1434 basechain->type = hook.type;
1435 chain = &basechain->chain;
1437 for (i = 0; i < afi->nops; i++) {
1438 ops = &basechain->ops[i];
1440 ops->hooknum = hook.num;
1441 ops->priority = hook.priority;
1443 ops->hook = afi->hooks[ops->hooknum];
1444 ops->dev = hook.dev;
1447 if (afi->hook_ops_init)
1448 afi->hook_ops_init(ops, i);
1451 chain->flags |= NFT_BASE_CHAIN;
1452 basechain->policy = policy;
1454 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1458 INIT_LIST_HEAD(&chain->rules);
1459 chain->handle = nf_tables_alloc_handle(table);
1460 chain->table = table;
1461 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1467 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1472 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1477 list_add_tail_rcu(&chain->list, &table->chains);
1481 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1483 nf_tables_chain_destroy(chain);
1488 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1491 const struct nlattr * const *nla = ctx->nla;
1492 struct nft_table *table = ctx->table;
1493 struct nft_chain *chain = ctx->chain;
1494 struct nft_af_info *afi = ctx->afi;
1495 struct nft_base_chain *basechain;
1496 struct nft_stats *stats = NULL;
1497 struct nft_chain_hook hook;
1498 struct nf_hook_ops *ops;
1499 struct nft_trans *trans;
1502 if (nla[NFTA_CHAIN_HOOK]) {
1503 if (!nft_is_base_chain(chain))
1506 err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
1511 basechain = nft_base_chain(chain);
1512 if (basechain->type != hook.type) {
1513 nft_chain_release_hook(&hook);
1517 for (i = 0; i < afi->nops; i++) {
1518 ops = &basechain->ops[i];
1519 if (ops->hooknum != hook.num ||
1520 ops->priority != hook.priority ||
1521 ops->dev != hook.dev) {
1522 nft_chain_release_hook(&hook);
1526 nft_chain_release_hook(&hook);
1529 if (nla[NFTA_CHAIN_HANDLE] &&
1530 nla[NFTA_CHAIN_NAME]) {
1531 struct nft_chain *chain2;
1533 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1535 if (!IS_ERR(chain2))
1539 if (nla[NFTA_CHAIN_COUNTERS]) {
1540 if (!nft_is_base_chain(chain))
1543 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1545 return PTR_ERR(stats);
1549 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1550 sizeof(struct nft_trans_chain));
1554 nft_trans_chain_stats(trans) = stats;
1555 nft_trans_chain_update(trans) = true;
1557 if (nla[NFTA_CHAIN_POLICY])
1558 nft_trans_chain_policy(trans) = policy;
1560 nft_trans_chain_policy(trans) = -1;
1562 if (nla[NFTA_CHAIN_HANDLE] &&
1563 nla[NFTA_CHAIN_NAME]) {
1564 struct nft_trans *tmp;
1568 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1573 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1574 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1575 tmp->ctx.table == table &&
1576 nft_trans_chain_update(tmp) &&
1577 nft_trans_chain_name(tmp) &&
1578 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1584 nft_trans_chain_name(trans) = name;
1586 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1595 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1596 struct sk_buff *skb, const struct nlmsghdr *nlh,
1597 const struct nlattr * const nla[],
1598 struct netlink_ext_ack *extack)
1600 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1601 const struct nlattr * uninitialized_var(name);
1602 u8 genmask = nft_genmask_next(net);
1603 int family = nfmsg->nfgen_family;
1604 struct nft_af_info *afi;
1605 struct nft_table *table;
1606 struct nft_chain *chain;
1607 u8 policy = NF_ACCEPT;
1612 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1614 afi = nf_tables_afinfo_lookup(net, family, true);
1616 return PTR_ERR(afi);
1618 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1620 return PTR_ERR(table);
1623 name = nla[NFTA_CHAIN_NAME];
1625 if (nla[NFTA_CHAIN_HANDLE]) {
1626 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1627 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1629 return PTR_ERR(chain);
1631 chain = nf_tables_chain_lookup(table, name, genmask);
1632 if (IS_ERR(chain)) {
1633 if (PTR_ERR(chain) != -ENOENT)
1634 return PTR_ERR(chain);
1639 if (nla[NFTA_CHAIN_POLICY]) {
1640 if (chain != NULL &&
1641 !nft_is_base_chain(chain))
1644 if (chain == NULL &&
1645 nla[NFTA_CHAIN_HOOK] == NULL)
1648 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1658 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1660 if (chain != NULL) {
1661 if (nlh->nlmsg_flags & NLM_F_EXCL)
1663 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1666 return nf_tables_updchain(&ctx, genmask, policy, create);
1669 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1672 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1673 struct sk_buff *skb, const struct nlmsghdr *nlh,
1674 const struct nlattr * const nla[],
1675 struct netlink_ext_ack *extack)
1677 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1678 u8 genmask = nft_genmask_next(net);
1679 struct nft_af_info *afi;
1680 struct nft_table *table;
1681 struct nft_chain *chain;
1682 struct nft_rule *rule;
1683 int family = nfmsg->nfgen_family;
1688 afi = nf_tables_afinfo_lookup(net, family, false);
1690 return PTR_ERR(afi);
1692 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1694 return PTR_ERR(table);
1696 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1698 return PTR_ERR(chain);
1700 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1704 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1707 list_for_each_entry(rule, &chain->rules, list) {
1708 if (!nft_is_active_next(net, rule))
1712 err = nft_delrule(&ctx, rule);
1717 /* There are rules and elements that are still holding references to us,
1718 * we cannot do a recursive removal in this case.
1723 return nft_delchain(&ctx);
1731 * nft_register_expr - register nf_tables expr type
1734 * Registers the expr type for use with nf_tables. Returns zero on
1735 * success or a negative errno code otherwise.
1737 int nft_register_expr(struct nft_expr_type *type)
1739 if (!nft_expr_check_ops(type->ops))
1742 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1743 if (type->family == NFPROTO_UNSPEC)
1744 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1746 list_add_rcu(&type->list, &nf_tables_expressions);
1747 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1750 EXPORT_SYMBOL_GPL(nft_register_expr);
1753 * nft_unregister_expr - unregister nf_tables expr type
1756 * Unregisters the expr typefor use with nf_tables.
1758 void nft_unregister_expr(struct nft_expr_type *type)
1760 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1761 list_del_rcu(&type->list);
1762 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1764 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1766 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1769 const struct nft_expr_type *type;
1771 list_for_each_entry(type, &nf_tables_expressions, list) {
1772 if (!nla_strcmp(nla, type->name) &&
1773 (!type->family || type->family == family))
1779 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1782 const struct nft_expr_type *type;
1785 return ERR_PTR(-EINVAL);
1787 type = __nft_expr_type_get(family, nla);
1788 if (type != NULL && try_module_get(type->owner))
1791 #ifdef CONFIG_MODULES
1793 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1794 request_module("nft-expr-%u-%.*s", family,
1795 nla_len(nla), (char *)nla_data(nla));
1796 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1797 if (__nft_expr_type_get(family, nla))
1798 return ERR_PTR(-EAGAIN);
1800 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1801 request_module("nft-expr-%.*s",
1802 nla_len(nla), (char *)nla_data(nla));
1803 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1804 if (__nft_expr_type_get(family, nla))
1805 return ERR_PTR(-EAGAIN);
1808 return ERR_PTR(-ENOENT);
1811 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1812 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1813 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1816 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1817 const struct nft_expr *expr)
1819 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1820 goto nla_put_failure;
1822 if (expr->ops->dump) {
1823 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1825 goto nla_put_failure;
1826 if (expr->ops->dump(skb, expr) < 0)
1827 goto nla_put_failure;
1828 nla_nest_end(skb, data);
1837 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1838 const struct nft_expr *expr)
1840 struct nlattr *nest;
1842 nest = nla_nest_start(skb, attr);
1844 goto nla_put_failure;
1845 if (nf_tables_fill_expr_info(skb, expr) < 0)
1846 goto nla_put_failure;
1847 nla_nest_end(skb, nest);
1854 struct nft_expr_info {
1855 const struct nft_expr_ops *ops;
1856 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1859 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1860 const struct nlattr *nla,
1861 struct nft_expr_info *info)
1863 const struct nft_expr_type *type;
1864 const struct nft_expr_ops *ops;
1865 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1868 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1872 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1874 return PTR_ERR(type);
1876 if (tb[NFTA_EXPR_DATA]) {
1877 err = nla_parse_nested(info->tb, type->maxattr,
1878 tb[NFTA_EXPR_DATA], type->policy, NULL);
1882 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1884 if (type->select_ops != NULL) {
1885 ops = type->select_ops(ctx,
1886 (const struct nlattr * const *)info->tb);
1891 if (!nft_expr_check_ops(ops)) {
1902 module_put(type->owner);
1906 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1907 const struct nft_expr_info *info,
1908 struct nft_expr *expr)
1910 const struct nft_expr_ops *ops = info->ops;
1915 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1920 if (ops->validate) {
1921 const struct nft_data *data = NULL;
1923 err = ops->validate(ctx, expr, &data);
1932 ops->destroy(ctx, expr);
1938 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1939 struct nft_expr *expr)
1941 if (expr->ops->destroy)
1942 expr->ops->destroy(ctx, expr);
1943 module_put(expr->ops->type->owner);
1946 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1947 const struct nlattr *nla)
1949 struct nft_expr_info info;
1950 struct nft_expr *expr;
1953 err = nf_tables_expr_parse(ctx, nla, &info);
1958 expr = kzalloc(info.ops->size, GFP_KERNEL);
1962 err = nf_tables_newexpr(ctx, &info, expr);
1970 module_put(info.ops->type->owner);
1972 return ERR_PTR(err);
1975 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1977 nf_tables_expr_destroy(ctx, expr);
1985 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1988 struct nft_rule *rule;
1990 // FIXME: this sucks
1991 list_for_each_entry(rule, &chain->rules, list) {
1992 if (handle == rule->handle)
1996 return ERR_PTR(-ENOENT);
1999 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
2000 const struct nlattr *nla)
2003 return ERR_PTR(-EINVAL);
2005 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2008 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2009 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2010 .len = NFT_TABLE_MAXNAMELEN - 1 },
2011 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2012 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2013 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2014 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2015 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2016 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2017 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2018 .len = NFT_USERDATA_MAXLEN },
2019 [NFTA_RULE_ID] = { .type = NLA_U32 },
2022 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2023 u32 portid, u32 seq, int event,
2024 u32 flags, int family,
2025 const struct nft_table *table,
2026 const struct nft_chain *chain,
2027 const struct nft_rule *rule)
2029 struct nlmsghdr *nlh;
2030 struct nfgenmsg *nfmsg;
2031 const struct nft_expr *expr, *next;
2032 struct nlattr *list;
2033 const struct nft_rule *prule;
2034 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2036 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2038 goto nla_put_failure;
2040 nfmsg = nlmsg_data(nlh);
2041 nfmsg->nfgen_family = family;
2042 nfmsg->version = NFNETLINK_V0;
2043 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2045 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2046 goto nla_put_failure;
2047 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2048 goto nla_put_failure;
2049 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2051 goto nla_put_failure;
2053 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2054 prule = list_prev_entry(rule, list);
2055 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2056 cpu_to_be64(prule->handle),
2058 goto nla_put_failure;
2061 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2063 goto nla_put_failure;
2064 nft_rule_for_each_expr(expr, next, rule) {
2065 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2066 goto nla_put_failure;
2068 nla_nest_end(skb, list);
2071 struct nft_userdata *udata = nft_userdata(rule);
2072 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2074 goto nla_put_failure;
2077 nlmsg_end(skb, nlh);
2081 nlmsg_trim(skb, nlh);
2085 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2086 const struct nft_rule *rule, int event)
2088 struct sk_buff *skb;
2092 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2095 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2099 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2100 event, 0, ctx->afi->family, ctx->table,
2107 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2108 ctx->report, GFP_KERNEL);
2111 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2114 struct nft_rule_dump_ctx {
2119 static int nf_tables_dump_rules(struct sk_buff *skb,
2120 struct netlink_callback *cb)
2122 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2123 const struct nft_rule_dump_ctx *ctx = cb->data;
2124 const struct nft_af_info *afi;
2125 const struct nft_table *table;
2126 const struct nft_chain *chain;
2127 const struct nft_rule *rule;
2128 unsigned int idx = 0, s_idx = cb->args[0];
2129 struct net *net = sock_net(skb->sk);
2130 int family = nfmsg->nfgen_family;
2133 cb->seq = net->nft.base_seq;
2135 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2136 if (family != NFPROTO_UNSPEC && family != afi->family)
2139 list_for_each_entry_rcu(table, &afi->tables, list) {
2140 if (ctx && ctx->table &&
2141 strcmp(ctx->table, table->name) != 0)
2144 list_for_each_entry_rcu(chain, &table->chains, list) {
2145 if (ctx && ctx->chain &&
2146 strcmp(ctx->chain, chain->name) != 0)
2149 list_for_each_entry_rcu(rule, &chain->rules, list) {
2150 if (!nft_is_active(net, rule))
2155 memset(&cb->args[1], 0,
2156 sizeof(cb->args) - sizeof(cb->args[0]));
2157 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2160 NLM_F_MULTI | NLM_F_APPEND,
2161 afi->family, table, chain, rule) < 0)
2164 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2178 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2180 struct nft_rule_dump_ctx *ctx = cb->data;
2190 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2191 struct sk_buff *skb, const struct nlmsghdr *nlh,
2192 const struct nlattr * const nla[],
2193 struct netlink_ext_ack *extack)
2195 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2196 u8 genmask = nft_genmask_cur(net);
2197 const struct nft_af_info *afi;
2198 const struct nft_table *table;
2199 const struct nft_chain *chain;
2200 const struct nft_rule *rule;
2201 struct sk_buff *skb2;
2202 int family = nfmsg->nfgen_family;
2205 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2206 struct netlink_dump_control c = {
2207 .dump = nf_tables_dump_rules,
2208 .done = nf_tables_dump_rules_done,
2211 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2212 struct nft_rule_dump_ctx *ctx;
2214 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2218 if (nla[NFTA_RULE_TABLE]) {
2219 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2226 if (nla[NFTA_RULE_CHAIN]) {
2227 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2238 return netlink_dump_start(nlsk, skb, nlh, &c);
2241 afi = nf_tables_afinfo_lookup(net, family, false);
2243 return PTR_ERR(afi);
2245 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2247 return PTR_ERR(table);
2249 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2251 return PTR_ERR(chain);
2253 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2255 return PTR_ERR(rule);
2257 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2261 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2262 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2263 family, table, chain, rule);
2267 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2274 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2275 struct nft_rule *rule)
2277 struct nft_expr *expr, *next;
2280 * Careful: some expressions might not be initialized in case this
2281 * is called on error from nf_tables_newrule().
2283 expr = nft_expr_first(rule);
2284 while (expr != nft_expr_last(rule) && expr->ops) {
2285 next = nft_expr_next(expr);
2286 nf_tables_expr_destroy(ctx, expr);
2292 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2293 struct nft_rule *rule)
2295 nft_rule_expr_deactivate(ctx, rule);
2296 nf_tables_rule_destroy(ctx, rule);
2299 #define NFT_RULE_MAXEXPRS 128
2301 static struct nft_expr_info *info;
2303 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2304 struct sk_buff *skb, const struct nlmsghdr *nlh,
2305 const struct nlattr * const nla[],
2306 struct netlink_ext_ack *extack)
2308 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2309 u8 genmask = nft_genmask_next(net);
2310 struct nft_af_info *afi;
2311 struct nft_table *table;
2312 struct nft_chain *chain;
2313 struct nft_rule *rule, *old_rule = NULL;
2314 struct nft_userdata *udata;
2315 struct nft_trans *trans = NULL;
2316 struct nft_expr *expr;
2319 unsigned int size, i, n, ulen = 0, usize = 0;
2322 u64 handle, pos_handle;
2324 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2326 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2328 return PTR_ERR(afi);
2330 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2332 return PTR_ERR(table);
2334 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2336 return PTR_ERR(chain);
2338 if (nla[NFTA_RULE_HANDLE]) {
2339 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2340 rule = __nf_tables_rule_lookup(chain, handle);
2342 return PTR_ERR(rule);
2344 if (nlh->nlmsg_flags & NLM_F_EXCL)
2346 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2351 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2353 handle = nf_tables_alloc_handle(table);
2355 if (chain->use == UINT_MAX)
2359 if (nla[NFTA_RULE_POSITION]) {
2360 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2363 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2364 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2365 if (IS_ERR(old_rule))
2366 return PTR_ERR(old_rule);
2369 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2373 if (nla[NFTA_RULE_EXPRESSIONS]) {
2374 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2376 if (nla_type(tmp) != NFTA_LIST_ELEM)
2378 if (n == NFT_RULE_MAXEXPRS)
2380 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2383 size += info[n].ops->size;
2387 /* Check for overflow of dlen field */
2389 if (size >= 1 << 12)
2392 if (nla[NFTA_RULE_USERDATA]) {
2393 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2395 usize = sizeof(struct nft_userdata) + ulen;
2399 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2403 nft_activate_next(net, rule);
2405 rule->handle = handle;
2407 rule->udata = ulen ? 1 : 0;
2410 udata = nft_userdata(rule);
2411 udata->len = ulen - 1;
2412 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2415 expr = nft_expr_first(rule);
2416 for (i = 0; i < n; i++) {
2417 err = nf_tables_newexpr(&ctx, &info[i], expr);
2421 expr = nft_expr_next(expr);
2424 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2425 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2426 if (trans == NULL) {
2430 err = nft_delrule(&ctx, old_rule);
2432 nft_trans_destroy(trans);
2436 list_add_tail_rcu(&rule->list, &old_rule->list);
2438 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2443 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2445 list_add_rcu(&rule->list, &old_rule->list);
2447 list_add_tail_rcu(&rule->list, &chain->rules);
2450 list_add_tail_rcu(&rule->list, &old_rule->list);
2452 list_add_rcu(&rule->list, &chain->rules);
2459 nf_tables_rule_release(&ctx, rule);
2461 for (i = 0; i < n; i++) {
2462 if (info[i].ops != NULL)
2463 module_put(info[i].ops->type->owner);
2468 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2469 const struct nlattr *nla)
2471 u32 id = ntohl(nla_get_be32(nla));
2472 struct nft_trans *trans;
2474 list_for_each_entry(trans, &net->nft.commit_list, list) {
2475 struct nft_rule *rule = nft_trans_rule(trans);
2477 if (trans->msg_type == NFT_MSG_NEWRULE &&
2478 id == nft_trans_rule_id(trans))
2481 return ERR_PTR(-ENOENT);
2484 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2485 struct sk_buff *skb, const struct nlmsghdr *nlh,
2486 const struct nlattr * const nla[],
2487 struct netlink_ext_ack *extack)
2489 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2490 u8 genmask = nft_genmask_next(net);
2491 struct nft_af_info *afi;
2492 struct nft_table *table;
2493 struct nft_chain *chain = NULL;
2494 struct nft_rule *rule;
2495 int family = nfmsg->nfgen_family, err = 0;
2498 afi = nf_tables_afinfo_lookup(net, family, false);
2500 return PTR_ERR(afi);
2502 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2504 return PTR_ERR(table);
2506 if (nla[NFTA_RULE_CHAIN]) {
2507 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2510 return PTR_ERR(chain);
2513 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2516 if (nla[NFTA_RULE_HANDLE]) {
2517 rule = nf_tables_rule_lookup(chain,
2518 nla[NFTA_RULE_HANDLE]);
2520 return PTR_ERR(rule);
2522 err = nft_delrule(&ctx, rule);
2523 } else if (nla[NFTA_RULE_ID]) {
2524 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2526 return PTR_ERR(rule);
2528 err = nft_delrule(&ctx, rule);
2530 err = nft_delrule_by_chain(&ctx);
2533 list_for_each_entry(chain, &table->chains, list) {
2534 if (!nft_is_active_next(net, chain))
2538 err = nft_delrule_by_chain(&ctx);
2551 static LIST_HEAD(nf_tables_set_types);
2553 int nft_register_set(struct nft_set_type *type)
2555 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2556 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2557 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2560 EXPORT_SYMBOL_GPL(nft_register_set);
2562 void nft_unregister_set(struct nft_set_type *type)
2564 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2565 list_del_rcu(&type->list);
2566 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2568 EXPORT_SYMBOL_GPL(nft_unregister_set);
2570 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2571 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2573 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2575 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2579 * Select a set implementation based on the data characteristics and the
2580 * given policy. The total memory use might not be known if no size is
2581 * given, in that case the amount of memory per element is used.
2583 static const struct nft_set_ops *
2584 nft_select_set_ops(const struct nft_ctx *ctx,
2585 const struct nlattr * const nla[],
2586 const struct nft_set_desc *desc,
2587 enum nft_set_policies policy)
2589 const struct nft_set_ops *ops, *bops;
2590 struct nft_set_estimate est, best;
2591 const struct nft_set_type *type;
2594 #ifdef CONFIG_MODULES
2595 if (list_empty(&nf_tables_set_types)) {
2596 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2597 request_module("nft-set");
2598 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2599 if (!list_empty(&nf_tables_set_types))
2600 return ERR_PTR(-EAGAIN);
2603 if (nla[NFTA_SET_FLAGS] != NULL)
2604 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2611 list_for_each_entry(type, &nf_tables_set_types, list) {
2612 if (!type->select_ops)
2615 ops = type->select_ops(ctx, desc, flags);
2619 if (!nft_set_ops_candidate(ops, flags))
2621 if (!ops->estimate(desc, flags, &est))
2625 case NFT_SET_POL_PERFORMANCE:
2626 if (est.lookup < best.lookup)
2628 if (est.lookup == best.lookup) {
2630 if (est.space < best.space)
2632 } else if (est.size < best.size) {
2637 case NFT_SET_POL_MEMORY:
2639 if (est.space < best.space)
2641 if (est.space == best.space &&
2642 est.lookup < best.lookup)
2644 } else if (est.size < best.size) {
2652 if (!try_module_get(type->owner))
2655 module_put(bops->type->owner);
2664 return ERR_PTR(-EOPNOTSUPP);
2667 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2668 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2669 .len = NFT_TABLE_MAXNAMELEN - 1 },
2670 [NFTA_SET_NAME] = { .type = NLA_STRING,
2671 .len = NFT_SET_MAXNAMELEN - 1 },
2672 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2673 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2674 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2675 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2676 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2677 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2678 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2679 [NFTA_SET_ID] = { .type = NLA_U32 },
2680 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2681 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2682 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2683 .len = NFT_USERDATA_MAXLEN },
2684 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2687 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2688 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2691 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2692 const struct sk_buff *skb,
2693 const struct nlmsghdr *nlh,
2694 const struct nlattr * const nla[],
2697 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2698 struct nft_af_info *afi = NULL;
2699 struct nft_table *table = NULL;
2701 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2702 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2704 return PTR_ERR(afi);
2707 if (nla[NFTA_SET_TABLE] != NULL) {
2709 return -EAFNOSUPPORT;
2711 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2714 return PTR_ERR(table);
2717 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2721 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2722 const struct nlattr *nla, u8 genmask)
2724 struct nft_set *set;
2727 return ERR_PTR(-EINVAL);
2729 list_for_each_entry(set, &table->sets, list) {
2730 if (!nla_strcmp(nla, set->name) &&
2731 nft_active_genmask(set, genmask))
2734 return ERR_PTR(-ENOENT);
2737 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2738 const struct nlattr *nla,
2741 struct nft_trans *trans;
2742 u32 id = ntohl(nla_get_be32(nla));
2744 list_for_each_entry(trans, &net->nft.commit_list, list) {
2745 if (trans->msg_type == NFT_MSG_NEWSET) {
2746 struct nft_set *set = nft_trans_set(trans);
2748 if (id == nft_trans_set_id(trans) &&
2749 nft_active_genmask(set, genmask))
2753 return ERR_PTR(-ENOENT);
2756 struct nft_set *nft_set_lookup(const struct net *net,
2757 const struct nft_table *table,
2758 const struct nlattr *nla_set_name,
2759 const struct nlattr *nla_set_id,
2762 struct nft_set *set;
2764 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2769 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2773 EXPORT_SYMBOL_GPL(nft_set_lookup);
2775 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2778 const struct nft_set *i;
2780 unsigned long *inuse;
2781 unsigned int n = 0, min = 0;
2783 p = strchr(name, '%');
2785 if (p[1] != 'd' || strchr(p + 2, '%'))
2788 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2792 list_for_each_entry(i, &ctx->table->sets, list) {
2795 if (!nft_is_active_next(ctx->net, set))
2797 if (!sscanf(i->name, name, &tmp))
2799 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2802 set_bit(tmp - min, inuse);
2805 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2806 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2807 min += BITS_PER_BYTE * PAGE_SIZE;
2808 memset(inuse, 0, PAGE_SIZE);
2811 free_page((unsigned long)inuse);
2814 set->name = kasprintf(GFP_KERNEL, name, min + n);
2818 list_for_each_entry(i, &ctx->table->sets, list) {
2819 if (!nft_is_active_next(ctx->net, i))
2821 if (!strcmp(set->name, i->name)) {
2829 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2830 const struct nft_set *set, u16 event, u16 flags)
2832 struct nfgenmsg *nfmsg;
2833 struct nlmsghdr *nlh;
2834 struct nlattr *desc;
2835 u32 portid = ctx->portid;
2838 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2839 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2842 goto nla_put_failure;
2844 nfmsg = nlmsg_data(nlh);
2845 nfmsg->nfgen_family = ctx->afi->family;
2846 nfmsg->version = NFNETLINK_V0;
2847 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2849 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2850 goto nla_put_failure;
2851 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2852 goto nla_put_failure;
2853 if (set->flags != 0)
2854 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2855 goto nla_put_failure;
2857 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2858 goto nla_put_failure;
2859 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2860 goto nla_put_failure;
2861 if (set->flags & NFT_SET_MAP) {
2862 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2863 goto nla_put_failure;
2864 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2865 goto nla_put_failure;
2867 if (set->flags & NFT_SET_OBJECT &&
2868 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2869 goto nla_put_failure;
2872 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2873 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2875 goto nla_put_failure;
2877 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2878 goto nla_put_failure;
2880 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2881 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2882 goto nla_put_failure;
2886 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2887 goto nla_put_failure;
2889 desc = nla_nest_start(skb, NFTA_SET_DESC);
2891 goto nla_put_failure;
2893 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2894 goto nla_put_failure;
2895 nla_nest_end(skb, desc);
2897 nlmsg_end(skb, nlh);
2901 nlmsg_trim(skb, nlh);
2905 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2906 const struct nft_set *set, int event,
2909 struct sk_buff *skb;
2910 u32 portid = ctx->portid;
2914 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2917 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2921 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2927 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2931 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2934 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2936 const struct nft_set *set;
2937 unsigned int idx, s_idx = cb->args[0];
2938 struct nft_af_info *afi;
2939 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2940 struct net *net = sock_net(skb->sk);
2941 int cur_family = cb->args[3];
2942 struct nft_ctx *ctx = cb->data, ctx_set;
2948 cb->seq = net->nft.base_seq;
2950 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2951 if (ctx->afi && ctx->afi != afi)
2955 if (afi->family != cur_family)
2960 list_for_each_entry_rcu(table, &afi->tables, list) {
2961 if (ctx->table && ctx->table != table)
2965 if (cur_table != table)
2971 list_for_each_entry_rcu(set, &table->sets, list) {
2974 if (!nft_is_active(net, set))
2978 ctx_set.table = table;
2980 if (nf_tables_fill_set(skb, &ctx_set, set,
2984 cb->args[2] = (unsigned long) table;
2985 cb->args[3] = afi->family;
2988 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3002 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3008 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3009 struct sk_buff *skb, const struct nlmsghdr *nlh,
3010 const struct nlattr * const nla[],
3011 struct netlink_ext_ack *extack)
3013 u8 genmask = nft_genmask_cur(net);
3014 const struct nft_set *set;
3016 struct sk_buff *skb2;
3017 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3020 /* Verify existence before starting dump */
3021 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3025 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3026 struct netlink_dump_control c = {
3027 .dump = nf_tables_dump_sets,
3028 .done = nf_tables_dump_sets_done,
3030 struct nft_ctx *ctx_dump;
3032 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3033 if (ctx_dump == NULL)
3039 return netlink_dump_start(nlsk, skb, nlh, &c);
3042 /* Only accept unspec with dump */
3043 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3044 return -EAFNOSUPPORT;
3045 if (!nla[NFTA_SET_TABLE])
3048 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3050 return PTR_ERR(set);
3052 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3056 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3060 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3067 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3068 struct nft_set_desc *desc,
3069 const struct nlattr *nla)
3071 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3074 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3075 nft_set_desc_policy, NULL);
3079 if (da[NFTA_SET_DESC_SIZE] != NULL)
3080 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3085 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3086 struct sk_buff *skb, const struct nlmsghdr *nlh,
3087 const struct nlattr * const nla[],
3088 struct netlink_ext_ack *extack)
3090 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3091 u8 genmask = nft_genmask_next(net);
3092 const struct nft_set_ops *ops;
3093 struct nft_af_info *afi;
3094 struct nft_table *table;
3095 struct nft_set *set;
3101 u32 ktype, dtype, flags, policy, gc_int, objtype;
3102 struct nft_set_desc desc;
3103 unsigned char *udata;
3107 if (nla[NFTA_SET_TABLE] == NULL ||
3108 nla[NFTA_SET_NAME] == NULL ||
3109 nla[NFTA_SET_KEY_LEN] == NULL ||
3110 nla[NFTA_SET_ID] == NULL)
3113 memset(&desc, 0, sizeof(desc));
3115 ktype = NFT_DATA_VALUE;
3116 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3117 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3118 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3122 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3123 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3127 if (nla[NFTA_SET_FLAGS] != NULL) {
3128 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3129 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3130 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3131 NFT_SET_MAP | NFT_SET_EVAL |
3134 /* Only one of these operations is supported */
3135 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3136 (NFT_SET_MAP | NFT_SET_OBJECT))
3138 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3139 (NFT_SET_EVAL | NFT_SET_OBJECT))
3144 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3145 if (!(flags & NFT_SET_MAP))
3148 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3149 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3150 dtype != NFT_DATA_VERDICT)
3153 if (dtype != NFT_DATA_VERDICT) {
3154 if (nla[NFTA_SET_DATA_LEN] == NULL)
3156 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3157 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3160 desc.dlen = sizeof(struct nft_verdict);
3161 } else if (flags & NFT_SET_MAP)
3164 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3165 if (!(flags & NFT_SET_OBJECT))
3168 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3169 if (objtype == NFT_OBJECT_UNSPEC ||
3170 objtype > NFT_OBJECT_MAX)
3172 } else if (flags & NFT_SET_OBJECT)
3175 objtype = NFT_OBJECT_UNSPEC;
3178 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3179 if (!(flags & NFT_SET_TIMEOUT))
3181 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3182 nla[NFTA_SET_TIMEOUT])));
3185 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3186 if (!(flags & NFT_SET_TIMEOUT))
3188 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3191 policy = NFT_SET_POL_PERFORMANCE;
3192 if (nla[NFTA_SET_POLICY] != NULL)
3193 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3195 if (nla[NFTA_SET_DESC] != NULL) {
3196 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3201 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3203 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3205 return PTR_ERR(afi);
3207 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
3209 return PTR_ERR(table);
3211 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
3213 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3215 if (PTR_ERR(set) != -ENOENT)
3216 return PTR_ERR(set);
3218 if (nlh->nlmsg_flags & NLM_F_EXCL)
3220 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3225 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3228 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3230 return PTR_ERR(ops);
3233 if (nla[NFTA_SET_USERDATA])
3234 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3237 if (ops->privsize != NULL)
3238 size = ops->privsize(nla, &desc);
3240 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3246 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3252 err = nf_tables_set_alloc_name(&ctx, set, name);
3259 udata = set->data + size;
3260 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3263 INIT_LIST_HEAD(&set->bindings);
3266 set->klen = desc.klen;
3268 set->objtype = objtype;
3269 set->dlen = desc.dlen;
3271 set->size = desc.size;
3272 set->policy = policy;
3275 set->timeout = timeout;
3276 set->gc_int = gc_int;
3278 err = ops->init(set, &desc, nla);
3282 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3286 list_add_tail_rcu(&set->list, &table->sets);
3297 module_put(ops->type->owner);
3301 static void nft_set_destroy(struct nft_set *set)
3303 set->ops->destroy(set);
3304 module_put(set->ops->type->owner);
3309 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3311 list_del_rcu(&set->list);
3312 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3313 nft_set_destroy(set);
3316 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3317 struct sk_buff *skb, const struct nlmsghdr *nlh,
3318 const struct nlattr * const nla[],
3319 struct netlink_ext_ack *extack)
3321 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3322 u8 genmask = nft_genmask_next(net);
3323 struct nft_set *set;
3327 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3328 return -EAFNOSUPPORT;
3329 if (nla[NFTA_SET_TABLE] == NULL)
3332 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3336 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3338 return PTR_ERR(set);
3340 if (!list_empty(&set->bindings) ||
3341 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3344 return nft_delset(&ctx, set);
3347 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3348 struct nft_set *set,
3349 const struct nft_set_iter *iter,
3350 struct nft_set_elem *elem)
3352 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3353 enum nft_registers dreg;
3355 dreg = nft_type_to_reg(set->dtype);
3356 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3357 set->dtype == NFT_DATA_VERDICT ?
3358 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3362 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3363 struct nft_set_binding *binding)
3365 struct nft_set_binding *i;
3366 struct nft_set_iter iter;
3368 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3371 if (binding->flags & NFT_SET_MAP) {
3372 /* If the set is already bound to the same chain all
3373 * jumps are already validated for that chain.
3375 list_for_each_entry(i, &set->bindings, list) {
3376 if (i->flags & NFT_SET_MAP &&
3377 i->chain == binding->chain)
3381 iter.genmask = nft_genmask_next(ctx->net);
3385 iter.fn = nf_tables_bind_check_setelem;
3387 set->ops->walk(ctx, set, &iter);
3392 binding->chain = ctx->chain;
3393 list_add_tail_rcu(&binding->list, &set->bindings);
3396 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3398 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3399 struct nft_set_binding *binding)
3401 list_del_rcu(&binding->list);
3403 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3404 nft_is_active(ctx->net, set))
3405 nf_tables_set_destroy(ctx, set);
3407 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3409 const struct nft_set_ext_type nft_set_ext_types[] = {
3410 [NFT_SET_EXT_KEY] = {
3411 .align = __alignof__(u32),
3413 [NFT_SET_EXT_DATA] = {
3414 .align = __alignof__(u32),
3416 [NFT_SET_EXT_EXPR] = {
3417 .align = __alignof__(struct nft_expr),
3419 [NFT_SET_EXT_OBJREF] = {
3420 .len = sizeof(struct nft_object *),
3421 .align = __alignof__(struct nft_object *),
3423 [NFT_SET_EXT_FLAGS] = {
3425 .align = __alignof__(u8),
3427 [NFT_SET_EXT_TIMEOUT] = {
3429 .align = __alignof__(u64),
3431 [NFT_SET_EXT_EXPIRATION] = {
3432 .len = sizeof(unsigned long),
3433 .align = __alignof__(unsigned long),
3435 [NFT_SET_EXT_USERDATA] = {
3436 .len = sizeof(struct nft_userdata),
3437 .align = __alignof__(struct nft_userdata),
3440 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3446 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3447 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3448 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3449 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3450 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3451 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3452 .len = NFT_USERDATA_MAXLEN },
3453 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3454 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3457 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3458 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3459 .len = NFT_TABLE_MAXNAMELEN - 1 },
3460 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3461 .len = NFT_SET_MAXNAMELEN - 1 },
3462 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3463 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3466 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3467 const struct sk_buff *skb,
3468 const struct nlmsghdr *nlh,
3469 const struct nlattr * const nla[],
3472 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3473 struct nft_af_info *afi;
3474 struct nft_table *table;
3476 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3478 return PTR_ERR(afi);
3480 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3483 return PTR_ERR(table);
3485 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3489 static int nf_tables_fill_setelem(struct sk_buff *skb,
3490 const struct nft_set *set,
3491 const struct nft_set_elem *elem)
3493 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3494 unsigned char *b = skb_tail_pointer(skb);
3495 struct nlattr *nest;
3497 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3499 goto nla_put_failure;
3501 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3502 NFT_DATA_VALUE, set->klen) < 0)
3503 goto nla_put_failure;
3505 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3506 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3507 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3509 goto nla_put_failure;
3511 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3512 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3513 goto nla_put_failure;
3515 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3516 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3517 (*nft_set_ext_obj(ext))->name) < 0)
3518 goto nla_put_failure;
3520 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3521 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3522 htonl(*nft_set_ext_flags(ext))))
3523 goto nla_put_failure;
3525 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3526 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3527 cpu_to_be64(jiffies_to_msecs(
3528 *nft_set_ext_timeout(ext))),
3530 goto nla_put_failure;
3532 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3533 unsigned long expires, now = jiffies;
3535 expires = *nft_set_ext_expiration(ext);
3536 if (time_before(now, expires))
3541 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3542 cpu_to_be64(jiffies_to_msecs(expires)),
3544 goto nla_put_failure;
3547 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3548 struct nft_userdata *udata;
3550 udata = nft_set_ext_userdata(ext);
3551 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3552 udata->len + 1, udata->data))
3553 goto nla_put_failure;
3556 nla_nest_end(skb, nest);
3564 struct nft_set_dump_args {
3565 const struct netlink_callback *cb;
3566 struct nft_set_iter iter;
3567 struct sk_buff *skb;
3570 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3571 struct nft_set *set,
3572 const struct nft_set_iter *iter,
3573 struct nft_set_elem *elem)
3575 struct nft_set_dump_args *args;
3577 args = container_of(iter, struct nft_set_dump_args, iter);
3578 return nf_tables_fill_setelem(args->skb, set, elem);
3581 struct nft_set_dump_ctx {
3582 const struct nft_set *set;
3586 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3588 struct nft_set_dump_ctx *dump_ctx = cb->data;
3589 struct net *net = sock_net(skb->sk);
3590 struct nft_af_info *afi;
3591 struct nft_table *table;
3592 struct nft_set *set;
3593 struct nft_set_dump_args args;
3594 bool set_found = false;
3595 struct nfgenmsg *nfmsg;
3596 struct nlmsghdr *nlh;
3597 struct nlattr *nest;
3602 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
3603 if (afi != dump_ctx->ctx.afi)
3606 list_for_each_entry_rcu(table, &afi->tables, list) {
3607 if (table != dump_ctx->ctx.table)
3610 list_for_each_entry_rcu(set, &table->sets, list) {
3611 if (set == dump_ctx->set) {
3626 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3627 portid = NETLINK_CB(cb->skb).portid;
3628 seq = cb->nlh->nlmsg_seq;
3630 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3633 goto nla_put_failure;
3635 nfmsg = nlmsg_data(nlh);
3636 nfmsg->nfgen_family = afi->family;
3637 nfmsg->version = NFNETLINK_V0;
3638 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3640 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3641 goto nla_put_failure;
3642 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3643 goto nla_put_failure;
3645 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3647 goto nla_put_failure;
3651 args.iter.genmask = nft_genmask_cur(net);
3652 args.iter.skip = cb->args[0];
3653 args.iter.count = 0;
3655 args.iter.fn = nf_tables_dump_setelem;
3656 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3659 nla_nest_end(skb, nest);
3660 nlmsg_end(skb, nlh);
3662 if (args.iter.err && args.iter.err != -EMSGSIZE)
3663 return args.iter.err;
3664 if (args.iter.count == cb->args[0])
3667 cb->args[0] = args.iter.count;
3675 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3681 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3682 struct sk_buff *skb, const struct nlmsghdr *nlh,
3683 const struct nlattr * const nla[],
3684 struct netlink_ext_ack *extack)
3686 u8 genmask = nft_genmask_cur(net);
3687 const struct nft_set *set;
3691 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3695 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3698 return PTR_ERR(set);
3700 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3701 struct netlink_dump_control c = {
3702 .dump = nf_tables_dump_set,
3703 .done = nf_tables_dump_set_done,
3705 struct nft_set_dump_ctx *dump_ctx;
3707 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3711 dump_ctx->set = set;
3712 dump_ctx->ctx = ctx;
3715 return netlink_dump_start(nlsk, skb, nlh, &c);
3720 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3721 const struct nft_ctx *ctx, u32 seq,
3722 u32 portid, int event, u16 flags,
3723 const struct nft_set *set,
3724 const struct nft_set_elem *elem)
3726 struct nfgenmsg *nfmsg;
3727 struct nlmsghdr *nlh;
3728 struct nlattr *nest;
3731 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3732 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3735 goto nla_put_failure;
3737 nfmsg = nlmsg_data(nlh);
3738 nfmsg->nfgen_family = ctx->afi->family;
3739 nfmsg->version = NFNETLINK_V0;
3740 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3742 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3743 goto nla_put_failure;
3744 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3745 goto nla_put_failure;
3747 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3749 goto nla_put_failure;
3751 err = nf_tables_fill_setelem(skb, set, elem);
3753 goto nla_put_failure;
3755 nla_nest_end(skb, nest);
3757 nlmsg_end(skb, nlh);
3761 nlmsg_trim(skb, nlh);
3765 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3766 const struct nft_set *set,
3767 const struct nft_set_elem *elem,
3768 int event, u16 flags)
3770 struct net *net = ctx->net;
3771 u32 portid = ctx->portid;
3772 struct sk_buff *skb;
3775 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3778 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3782 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3789 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3793 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3796 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3798 struct nft_set *set)
3800 struct nft_trans *trans;
3802 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3806 nft_trans_elem_set(trans) = set;
3810 void *nft_set_elem_init(const struct nft_set *set,
3811 const struct nft_set_ext_tmpl *tmpl,
3812 const u32 *key, const u32 *data,
3813 u64 timeout, gfp_t gfp)
3815 struct nft_set_ext *ext;
3818 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3822 ext = nft_set_elem_ext(set, elem);
3823 nft_set_ext_init(ext, tmpl);
3825 memcpy(nft_set_ext_key(ext), key, set->klen);
3826 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3827 memcpy(nft_set_ext_data(ext), data, set->dlen);
3828 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3829 *nft_set_ext_expiration(ext) =
3831 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3832 *nft_set_ext_timeout(ext) = timeout;
3837 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3840 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3842 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3843 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3844 nft_data_release(nft_set_ext_data(ext), set->dtype);
3845 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3846 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3847 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3848 (*nft_set_ext_obj(ext))->use--;
3851 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3853 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3854 * the refcounting from the preparation phase.
3856 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3858 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3860 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3861 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3865 static int nft_setelem_parse_flags(const struct nft_set *set,
3866 const struct nlattr *attr, u32 *flags)
3871 *flags = ntohl(nla_get_be32(attr));
3872 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3874 if (!(set->flags & NFT_SET_INTERVAL) &&
3875 *flags & NFT_SET_ELEM_INTERVAL_END)
3881 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3882 const struct nlattr *attr, u32 nlmsg_flags)
3884 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3885 u8 genmask = nft_genmask_next(ctx->net);
3886 struct nft_data_desc d1, d2;
3887 struct nft_set_ext_tmpl tmpl;
3888 struct nft_set_ext *ext, *ext2;
3889 struct nft_set_elem elem;
3890 struct nft_set_binding *binding;
3891 struct nft_object *obj = NULL;
3892 struct nft_userdata *udata;
3893 struct nft_data data;
3894 enum nft_registers dreg;
3895 struct nft_trans *trans;
3901 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3902 nft_set_elem_policy, NULL);
3906 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3909 nft_set_ext_prepare(&tmpl);
3911 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3915 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3917 if (set->flags & NFT_SET_MAP) {
3918 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3919 !(flags & NFT_SET_ELEM_INTERVAL_END))
3922 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3926 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
3927 (nla[NFTA_SET_ELEM_DATA] ||
3928 nla[NFTA_SET_ELEM_OBJREF] ||
3929 nla[NFTA_SET_ELEM_TIMEOUT] ||
3930 nla[NFTA_SET_ELEM_EXPIRATION] ||
3931 nla[NFTA_SET_ELEM_USERDATA] ||
3932 nla[NFTA_SET_ELEM_EXPR]))
3936 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3937 if (!(set->flags & NFT_SET_TIMEOUT))
3939 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3940 nla[NFTA_SET_ELEM_TIMEOUT])));
3941 } else if (set->flags & NFT_SET_TIMEOUT) {
3942 timeout = set->timeout;
3945 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3946 nla[NFTA_SET_ELEM_KEY]);
3950 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3953 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3955 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3956 if (timeout != set->timeout)
3957 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3960 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3961 if (!(set->flags & NFT_SET_OBJECT)) {
3965 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3966 set->objtype, genmask);
3971 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3974 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3975 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3976 nla[NFTA_SET_ELEM_DATA]);
3981 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3984 dreg = nft_type_to_reg(set->dtype);
3985 list_for_each_entry(binding, &set->bindings, list) {
3986 struct nft_ctx bind_ctx = {
3989 .table = ctx->table,
3990 .chain = (struct nft_chain *)binding->chain,
3993 if (!(binding->flags & NFT_SET_MAP))
3996 err = nft_validate_register_store(&bind_ctx, dreg,
4003 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4006 /* The full maximum length of userdata can exceed the maximum
4007 * offset value (U8_MAX) for following extensions, therefor it
4008 * must be the last extension added.
4011 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4012 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4014 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4019 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4020 timeout, GFP_KERNEL);
4021 if (elem.priv == NULL)
4024 ext = nft_set_elem_ext(set, elem.priv);
4026 *nft_set_ext_flags(ext) = flags;
4028 udata = nft_set_ext_userdata(ext);
4029 udata->len = ulen - 1;
4030 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4033 *nft_set_ext_obj(ext) = obj;
4037 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4041 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4042 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4044 if (err == -EEXIST) {
4045 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4046 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4047 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4048 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4052 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4053 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4054 memcmp(nft_set_ext_data(ext),
4055 nft_set_ext_data(ext2), set->dlen) != 0) ||
4056 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4057 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4058 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4060 else if (!(nlmsg_flags & NLM_F_EXCL))
4067 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4072 nft_trans_elem(trans) = elem;
4073 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4077 set->ops->remove(ctx->net, set, &elem);
4085 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4086 nft_data_release(&data, d2.type);
4088 nft_data_release(&elem.key.val, d1.type);
4093 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4094 struct sk_buff *skb, const struct nlmsghdr *nlh,
4095 const struct nlattr * const nla[],
4096 struct netlink_ext_ack *extack)
4098 u8 genmask = nft_genmask_next(net);
4099 const struct nlattr *attr;
4100 struct nft_set *set;
4104 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4107 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4111 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4114 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4115 set = nf_tables_set_lookup_byid(net,
4116 nla[NFTA_SET_ELEM_LIST_SET_ID],
4120 return PTR_ERR(set);
4123 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4126 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4127 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4135 * nft_data_hold - hold a nft_data item
4137 * @data: struct nft_data to release
4138 * @type: type of data
4140 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4141 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4142 * NFT_GOTO verdicts. This function must be called on active data objects
4143 * from the second phase of the commit protocol.
4145 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4147 if (type == NFT_DATA_VERDICT) {
4148 switch (data->verdict.code) {
4151 data->verdict.chain->use++;
4157 static void nft_set_elem_activate(const struct net *net,
4158 const struct nft_set *set,
4159 struct nft_set_elem *elem)
4161 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4163 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4164 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4165 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4166 (*nft_set_ext_obj(ext))->use++;
4169 static void nft_set_elem_deactivate(const struct net *net,
4170 const struct nft_set *set,
4171 struct nft_set_elem *elem)
4173 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4175 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4176 nft_data_release(nft_set_ext_data(ext), set->dtype);
4177 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4178 (*nft_set_ext_obj(ext))->use--;
4181 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4182 const struct nlattr *attr)
4184 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4185 struct nft_set_ext_tmpl tmpl;
4186 struct nft_data_desc desc;
4187 struct nft_set_elem elem;
4188 struct nft_set_ext *ext;
4189 struct nft_trans *trans;
4194 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4195 nft_set_elem_policy, NULL);
4200 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4203 nft_set_ext_prepare(&tmpl);
4205 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4209 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4211 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4212 nla[NFTA_SET_ELEM_KEY]);
4217 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4220 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4223 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4225 if (elem.priv == NULL)
4228 ext = nft_set_elem_ext(set, elem.priv);
4230 *nft_set_ext_flags(ext) = flags;
4232 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4233 if (trans == NULL) {
4238 priv = set->ops->deactivate(ctx->net, set, &elem);
4246 nft_set_elem_deactivate(ctx->net, set, &elem);
4248 nft_trans_elem(trans) = elem;
4249 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4257 nft_data_release(&elem.key.val, desc.type);
4262 static int nft_flush_set(const struct nft_ctx *ctx,
4263 struct nft_set *set,
4264 const struct nft_set_iter *iter,
4265 struct nft_set_elem *elem)
4267 struct nft_trans *trans;
4270 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4271 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4275 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4281 nft_set_elem_deactivate(ctx->net, set, elem);
4282 nft_trans_elem_set(trans) = set;
4283 nft_trans_elem(trans) = *elem;
4284 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4292 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4293 struct sk_buff *skb, const struct nlmsghdr *nlh,
4294 const struct nlattr * const nla[],
4295 struct netlink_ext_ack *extack)
4297 u8 genmask = nft_genmask_next(net);
4298 const struct nlattr *attr;
4299 struct nft_set *set;
4303 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4307 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4310 return PTR_ERR(set);
4311 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4314 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4315 struct nft_set_iter iter = {
4317 .fn = nft_flush_set,
4319 set->ops->walk(&ctx, set, &iter);
4324 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4325 err = nft_del_setelem(&ctx, set, attr);
4334 void nft_set_gc_batch_release(struct rcu_head *rcu)
4336 struct nft_set_gc_batch *gcb;
4339 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4340 for (i = 0; i < gcb->head.cnt; i++)
4341 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4344 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4346 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4349 struct nft_set_gc_batch *gcb;
4351 gcb = kzalloc(sizeof(*gcb), gfp);
4354 gcb->head.set = set;
4357 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4364 * nft_register_obj- register nf_tables stateful object type
4367 * Registers the object type for use with nf_tables. Returns zero on
4368 * success or a negative errno code otherwise.
4370 int nft_register_obj(struct nft_object_type *obj_type)
4372 if (obj_type->type == NFT_OBJECT_UNSPEC)
4375 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4376 list_add_rcu(&obj_type->list, &nf_tables_objects);
4377 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4380 EXPORT_SYMBOL_GPL(nft_register_obj);
4383 * nft_unregister_obj - unregister nf_tables object type
4386 * Unregisters the object type for use with nf_tables.
4388 void nft_unregister_obj(struct nft_object_type *obj_type)
4390 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4391 list_del_rcu(&obj_type->list);
4392 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4394 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4396 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4397 const struct nlattr *nla,
4398 u32 objtype, u8 genmask)
4400 struct nft_object *obj;
4402 list_for_each_entry(obj, &table->objects, list) {
4403 if (!nla_strcmp(nla, obj->name) &&
4404 objtype == obj->ops->type->type &&
4405 nft_active_genmask(obj, genmask))
4408 return ERR_PTR(-ENOENT);
4410 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4412 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4413 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4414 .len = NFT_TABLE_MAXNAMELEN - 1 },
4415 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4416 .len = NFT_OBJ_MAXNAMELEN - 1 },
4417 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4418 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4421 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4422 const struct nft_object_type *type,
4423 const struct nlattr *attr)
4425 struct nlattr *tb[type->maxattr + 1];
4426 const struct nft_object_ops *ops;
4427 struct nft_object *obj;
4431 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4436 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4439 if (type->select_ops) {
4440 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4450 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4454 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4464 return ERR_PTR(err);
4467 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4468 struct nft_object *obj, bool reset)
4470 struct nlattr *nest;
4472 nest = nla_nest_start(skb, attr);
4474 goto nla_put_failure;
4475 if (obj->ops->dump(skb, obj, reset) < 0)
4476 goto nla_put_failure;
4477 nla_nest_end(skb, nest);
4484 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4486 const struct nft_object_type *type;
4488 list_for_each_entry(type, &nf_tables_objects, list) {
4489 if (objtype == type->type)
4495 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4497 const struct nft_object_type *type;
4499 type = __nft_obj_type_get(objtype);
4500 if (type != NULL && try_module_get(type->owner))
4503 #ifdef CONFIG_MODULES
4505 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4506 request_module("nft-obj-%u", objtype);
4507 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4508 if (__nft_obj_type_get(objtype))
4509 return ERR_PTR(-EAGAIN);
4512 return ERR_PTR(-ENOENT);
4515 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4516 struct sk_buff *skb, const struct nlmsghdr *nlh,
4517 const struct nlattr * const nla[],
4518 struct netlink_ext_ack *extack)
4520 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4521 const struct nft_object_type *type;
4522 u8 genmask = nft_genmask_next(net);
4523 int family = nfmsg->nfgen_family;
4524 struct nft_af_info *afi;
4525 struct nft_table *table;
4526 struct nft_object *obj;
4531 if (!nla[NFTA_OBJ_TYPE] ||
4532 !nla[NFTA_OBJ_NAME] ||
4533 !nla[NFTA_OBJ_DATA])
4536 afi = nf_tables_afinfo_lookup(net, family, true);
4538 return PTR_ERR(afi);
4540 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4542 return PTR_ERR(table);
4544 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4545 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4552 if (nlh->nlmsg_flags & NLM_F_EXCL)
4558 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4560 type = nft_obj_type_get(objtype);
4562 return PTR_ERR(type);
4564 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4570 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4576 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4580 list_add_tail_rcu(&obj->list, &table->objects);
4586 if (obj->ops->destroy)
4587 obj->ops->destroy(obj);
4590 module_put(type->owner);
4594 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4595 u32 portid, u32 seq, int event, u32 flags,
4596 int family, const struct nft_table *table,
4597 struct nft_object *obj, bool reset)
4599 struct nfgenmsg *nfmsg;
4600 struct nlmsghdr *nlh;
4602 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4603 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4605 goto nla_put_failure;
4607 nfmsg = nlmsg_data(nlh);
4608 nfmsg->nfgen_family = family;
4609 nfmsg->version = NFNETLINK_V0;
4610 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4612 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4613 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4614 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4615 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4616 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4617 goto nla_put_failure;
4619 nlmsg_end(skb, nlh);
4623 nlmsg_trim(skb, nlh);
4627 struct nft_obj_filter {
4632 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4634 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4635 const struct nft_af_info *afi;
4636 const struct nft_table *table;
4637 unsigned int idx = 0, s_idx = cb->args[0];
4638 struct nft_obj_filter *filter = cb->data;
4639 struct net *net = sock_net(skb->sk);
4640 int family = nfmsg->nfgen_family;
4641 struct nft_object *obj;
4644 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4648 cb->seq = net->nft.base_seq;
4650 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4651 if (family != NFPROTO_UNSPEC && family != afi->family)
4654 list_for_each_entry_rcu(table, &afi->tables, list) {
4655 list_for_each_entry_rcu(obj, &table->objects, list) {
4656 if (!nft_is_active(net, obj))
4661 memset(&cb->args[1], 0,
4662 sizeof(cb->args) - sizeof(cb->args[0]));
4663 if (filter && filter->table &&
4664 strcmp(filter->table, table->name))
4667 filter->type != NFT_OBJECT_UNSPEC &&
4668 obj->ops->type->type != filter->type)
4671 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4674 NLM_F_MULTI | NLM_F_APPEND,
4675 afi->family, table, obj, reset) < 0)
4678 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4691 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4693 struct nft_obj_filter *filter = cb->data;
4696 kfree(filter->table);
4703 static struct nft_obj_filter *
4704 nft_obj_filter_alloc(const struct nlattr * const nla[])
4706 struct nft_obj_filter *filter;
4708 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4710 return ERR_PTR(-ENOMEM);
4712 if (nla[NFTA_OBJ_TABLE]) {
4713 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4714 if (!filter->table) {
4716 return ERR_PTR(-ENOMEM);
4719 if (nla[NFTA_OBJ_TYPE])
4720 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4725 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4726 struct sk_buff *skb, const struct nlmsghdr *nlh,
4727 const struct nlattr * const nla[],
4728 struct netlink_ext_ack *extack)
4730 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4731 u8 genmask = nft_genmask_cur(net);
4732 int family = nfmsg->nfgen_family;
4733 const struct nft_af_info *afi;
4734 const struct nft_table *table;
4735 struct nft_object *obj;
4736 struct sk_buff *skb2;
4741 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4742 struct netlink_dump_control c = {
4743 .dump = nf_tables_dump_obj,
4744 .done = nf_tables_dump_obj_done,
4747 if (nla[NFTA_OBJ_TABLE] ||
4748 nla[NFTA_OBJ_TYPE]) {
4749 struct nft_obj_filter *filter;
4751 filter = nft_obj_filter_alloc(nla);
4757 return netlink_dump_start(nlsk, skb, nlh, &c);
4760 if (!nla[NFTA_OBJ_NAME] ||
4761 !nla[NFTA_OBJ_TYPE])
4764 afi = nf_tables_afinfo_lookup(net, family, false);
4766 return PTR_ERR(afi);
4768 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4770 return PTR_ERR(table);
4772 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4773 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4775 return PTR_ERR(obj);
4777 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4781 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4784 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4785 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4786 family, table, obj, reset);
4790 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4796 static void nft_obj_destroy(struct nft_object *obj)
4798 if (obj->ops->destroy)
4799 obj->ops->destroy(obj);
4801 module_put(obj->ops->type->owner);
4806 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4807 struct sk_buff *skb, const struct nlmsghdr *nlh,
4808 const struct nlattr * const nla[],
4809 struct netlink_ext_ack *extack)
4811 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4812 u8 genmask = nft_genmask_next(net);
4813 int family = nfmsg->nfgen_family;
4814 struct nft_af_info *afi;
4815 struct nft_table *table;
4816 struct nft_object *obj;
4820 if (!nla[NFTA_OBJ_TYPE] ||
4821 !nla[NFTA_OBJ_NAME])
4824 afi = nf_tables_afinfo_lookup(net, family, true);
4826 return PTR_ERR(afi);
4828 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4830 return PTR_ERR(table);
4832 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4833 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4835 return PTR_ERR(obj);
4839 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4841 return nft_delobj(&ctx, obj);
4844 void nft_obj_notify(struct net *net, struct nft_table *table,
4845 struct nft_object *obj, u32 portid, u32 seq, int event,
4846 int family, int report, gfp_t gfp)
4848 struct sk_buff *skb;
4852 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4855 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4859 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4866 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4869 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4871 EXPORT_SYMBOL_GPL(nft_obj_notify);
4873 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4874 struct nft_object *obj, int event)
4876 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4877 ctx->afi->family, ctx->report, GFP_KERNEL);
4880 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
4881 u32 portid, u32 seq)
4883 struct nlmsghdr *nlh;
4884 struct nfgenmsg *nfmsg;
4885 char buf[TASK_COMM_LEN];
4886 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
4888 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
4890 goto nla_put_failure;
4892 nfmsg = nlmsg_data(nlh);
4893 nfmsg->nfgen_family = AF_UNSPEC;
4894 nfmsg->version = NFNETLINK_V0;
4895 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4897 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
4898 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
4899 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
4900 goto nla_put_failure;
4902 nlmsg_end(skb, nlh);
4906 nlmsg_trim(skb, nlh);
4910 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
4913 struct nlmsghdr *nlh = nlmsg_hdr(skb);
4914 struct sk_buff *skb2;
4917 if (nlmsg_report(nlh) &&
4918 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4921 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4925 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4932 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4933 nlmsg_report(nlh), GFP_KERNEL);
4936 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4940 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
4941 struct sk_buff *skb, const struct nlmsghdr *nlh,
4942 const struct nlattr * const nla[],
4943 struct netlink_ext_ack *extack)
4945 struct sk_buff *skb2;
4948 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4952 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4957 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4963 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
4964 [NFT_MSG_NEWTABLE] = {
4965 .call_batch = nf_tables_newtable,
4966 .attr_count = NFTA_TABLE_MAX,
4967 .policy = nft_table_policy,
4969 [NFT_MSG_GETTABLE] = {
4970 .call = nf_tables_gettable,
4971 .attr_count = NFTA_TABLE_MAX,
4972 .policy = nft_table_policy,
4974 [NFT_MSG_DELTABLE] = {
4975 .call_batch = nf_tables_deltable,
4976 .attr_count = NFTA_TABLE_MAX,
4977 .policy = nft_table_policy,
4979 [NFT_MSG_NEWCHAIN] = {
4980 .call_batch = nf_tables_newchain,
4981 .attr_count = NFTA_CHAIN_MAX,
4982 .policy = nft_chain_policy,
4984 [NFT_MSG_GETCHAIN] = {
4985 .call = nf_tables_getchain,
4986 .attr_count = NFTA_CHAIN_MAX,
4987 .policy = nft_chain_policy,
4989 [NFT_MSG_DELCHAIN] = {
4990 .call_batch = nf_tables_delchain,
4991 .attr_count = NFTA_CHAIN_MAX,
4992 .policy = nft_chain_policy,
4994 [NFT_MSG_NEWRULE] = {
4995 .call_batch = nf_tables_newrule,
4996 .attr_count = NFTA_RULE_MAX,
4997 .policy = nft_rule_policy,
4999 [NFT_MSG_GETRULE] = {
5000 .call = nf_tables_getrule,
5001 .attr_count = NFTA_RULE_MAX,
5002 .policy = nft_rule_policy,
5004 [NFT_MSG_DELRULE] = {
5005 .call_batch = nf_tables_delrule,
5006 .attr_count = NFTA_RULE_MAX,
5007 .policy = nft_rule_policy,
5009 [NFT_MSG_NEWSET] = {
5010 .call_batch = nf_tables_newset,
5011 .attr_count = NFTA_SET_MAX,
5012 .policy = nft_set_policy,
5014 [NFT_MSG_GETSET] = {
5015 .call = nf_tables_getset,
5016 .attr_count = NFTA_SET_MAX,
5017 .policy = nft_set_policy,
5019 [NFT_MSG_DELSET] = {
5020 .call_batch = nf_tables_delset,
5021 .attr_count = NFTA_SET_MAX,
5022 .policy = nft_set_policy,
5024 [NFT_MSG_NEWSETELEM] = {
5025 .call_batch = nf_tables_newsetelem,
5026 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5027 .policy = nft_set_elem_list_policy,
5029 [NFT_MSG_GETSETELEM] = {
5030 .call = nf_tables_getsetelem,
5031 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5032 .policy = nft_set_elem_list_policy,
5034 [NFT_MSG_DELSETELEM] = {
5035 .call_batch = nf_tables_delsetelem,
5036 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5037 .policy = nft_set_elem_list_policy,
5039 [NFT_MSG_GETGEN] = {
5040 .call = nf_tables_getgen,
5042 [NFT_MSG_NEWOBJ] = {
5043 .call_batch = nf_tables_newobj,
5044 .attr_count = NFTA_OBJ_MAX,
5045 .policy = nft_obj_policy,
5047 [NFT_MSG_GETOBJ] = {
5048 .call = nf_tables_getobj,
5049 .attr_count = NFTA_OBJ_MAX,
5050 .policy = nft_obj_policy,
5052 [NFT_MSG_DELOBJ] = {
5053 .call_batch = nf_tables_delobj,
5054 .attr_count = NFTA_OBJ_MAX,
5055 .policy = nft_obj_policy,
5057 [NFT_MSG_GETOBJ_RESET] = {
5058 .call = nf_tables_getobj,
5059 .attr_count = NFTA_OBJ_MAX,
5060 .policy = nft_obj_policy,
5064 static void nft_chain_commit_update(struct nft_trans *trans)
5066 struct nft_base_chain *basechain;
5068 if (nft_trans_chain_name(trans))
5069 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5071 if (!nft_is_base_chain(trans->ctx.chain))
5074 basechain = nft_base_chain(trans->ctx.chain);
5075 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5077 switch (nft_trans_chain_policy(trans)) {
5080 basechain->policy = nft_trans_chain_policy(trans);
5085 static void nf_tables_commit_release(struct nft_trans *trans)
5087 switch (trans->msg_type) {
5088 case NFT_MSG_DELTABLE:
5089 nf_tables_table_destroy(&trans->ctx);
5091 case NFT_MSG_NEWCHAIN:
5092 kfree(nft_trans_chain_name(trans));
5094 case NFT_MSG_DELCHAIN:
5095 nf_tables_chain_destroy(trans->ctx.chain);
5097 case NFT_MSG_DELRULE:
5098 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5100 case NFT_MSG_DELSET:
5101 nft_set_destroy(nft_trans_set(trans));
5103 case NFT_MSG_DELSETELEM:
5104 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5105 nft_trans_elem(trans).priv);
5107 case NFT_MSG_DELOBJ:
5108 nft_obj_destroy(nft_trans_obj(trans));
5114 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5116 struct nft_trans *trans, *next;
5117 struct nft_trans_elem *te;
5119 /* Bump generation counter, invalidate any dump in progress */
5120 while (++net->nft.base_seq == 0);
5122 /* A new generation has just started */
5123 net->nft.gencursor = nft_gencursor_next(net);
5125 /* Make sure all packets have left the previous generation before
5126 * purging old rules.
5130 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5131 switch (trans->msg_type) {
5132 case NFT_MSG_NEWTABLE:
5133 if (nft_trans_table_update(trans)) {
5134 if (!nft_trans_table_enable(trans)) {
5135 nf_tables_table_disable(net,
5138 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5141 nft_clear(net, trans->ctx.table);
5143 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5144 nft_trans_destroy(trans);
5146 case NFT_MSG_DELTABLE:
5147 list_del_rcu(&trans->ctx.table->list);
5148 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5150 case NFT_MSG_NEWCHAIN:
5151 if (nft_trans_chain_update(trans)) {
5152 nft_chain_commit_update(trans);
5153 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5154 /* trans destroyed after rcu grace period */
5156 nft_clear(net, trans->ctx.chain);
5157 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5158 nft_trans_destroy(trans);
5161 case NFT_MSG_DELCHAIN:
5162 list_del_rcu(&trans->ctx.chain->list);
5163 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5164 nf_tables_unregister_hooks(trans->ctx.net,
5167 trans->ctx.afi->nops);
5169 case NFT_MSG_NEWRULE:
5170 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5171 nf_tables_rule_notify(&trans->ctx,
5172 nft_trans_rule(trans),
5174 nft_trans_destroy(trans);
5176 case NFT_MSG_DELRULE:
5177 list_del_rcu(&nft_trans_rule(trans)->list);
5178 nf_tables_rule_notify(&trans->ctx,
5179 nft_trans_rule(trans),
5182 case NFT_MSG_NEWSET:
5183 nft_clear(net, nft_trans_set(trans));
5184 /* This avoids hitting -EBUSY when deleting the table
5185 * from the transaction.
5187 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
5188 !list_empty(&nft_trans_set(trans)->bindings))
5189 trans->ctx.table->use--;
5191 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5192 NFT_MSG_NEWSET, GFP_KERNEL);
5193 nft_trans_destroy(trans);
5195 case NFT_MSG_DELSET:
5196 list_del_rcu(&nft_trans_set(trans)->list);
5197 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5198 NFT_MSG_DELSET, GFP_KERNEL);
5200 case NFT_MSG_NEWSETELEM:
5201 te = (struct nft_trans_elem *)trans->data;
5203 te->set->ops->activate(net, te->set, &te->elem);
5204 nf_tables_setelem_notify(&trans->ctx, te->set,
5206 NFT_MSG_NEWSETELEM, 0);
5207 nft_trans_destroy(trans);
5209 case NFT_MSG_DELSETELEM:
5210 te = (struct nft_trans_elem *)trans->data;
5212 nf_tables_setelem_notify(&trans->ctx, te->set,
5214 NFT_MSG_DELSETELEM, 0);
5215 te->set->ops->remove(net, te->set, &te->elem);
5216 atomic_dec(&te->set->nelems);
5219 case NFT_MSG_NEWOBJ:
5220 nft_clear(net, nft_trans_obj(trans));
5221 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5223 nft_trans_destroy(trans);
5225 case NFT_MSG_DELOBJ:
5226 list_del_rcu(&nft_trans_obj(trans)->list);
5227 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5235 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5236 list_del(&trans->list);
5237 nf_tables_commit_release(trans);
5240 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5245 static void nf_tables_abort_release(struct nft_trans *trans)
5247 switch (trans->msg_type) {
5248 case NFT_MSG_NEWTABLE:
5249 nf_tables_table_destroy(&trans->ctx);
5251 case NFT_MSG_NEWCHAIN:
5252 nf_tables_chain_destroy(trans->ctx.chain);
5254 case NFT_MSG_NEWRULE:
5255 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5257 case NFT_MSG_NEWSET:
5258 nft_set_destroy(nft_trans_set(trans));
5260 case NFT_MSG_NEWSETELEM:
5261 nft_set_elem_destroy(nft_trans_elem_set(trans),
5262 nft_trans_elem(trans).priv, true);
5264 case NFT_MSG_NEWOBJ:
5265 nft_obj_destroy(nft_trans_obj(trans));
5271 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5273 struct nft_trans *trans, *next;
5274 struct nft_trans_elem *te;
5276 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5278 switch (trans->msg_type) {
5279 case NFT_MSG_NEWTABLE:
5280 if (nft_trans_table_update(trans)) {
5281 if (nft_trans_table_enable(trans)) {
5282 nf_tables_table_disable(net,
5285 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5287 nft_trans_destroy(trans);
5289 list_del_rcu(&trans->ctx.table->list);
5292 case NFT_MSG_DELTABLE:
5293 nft_clear(trans->ctx.net, trans->ctx.table);
5294 nft_trans_destroy(trans);
5296 case NFT_MSG_NEWCHAIN:
5297 if (nft_trans_chain_update(trans)) {
5298 free_percpu(nft_trans_chain_stats(trans));
5299 kfree(nft_trans_chain_name(trans));
5300 nft_trans_destroy(trans);
5302 trans->ctx.table->use--;
5303 list_del_rcu(&trans->ctx.chain->list);
5304 nf_tables_unregister_hooks(trans->ctx.net,
5307 trans->ctx.afi->nops);
5310 case NFT_MSG_DELCHAIN:
5311 trans->ctx.table->use++;
5312 nft_clear(trans->ctx.net, trans->ctx.chain);
5313 nft_trans_destroy(trans);
5315 case NFT_MSG_NEWRULE:
5316 trans->ctx.chain->use--;
5317 list_del_rcu(&nft_trans_rule(trans)->list);
5318 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
5320 case NFT_MSG_DELRULE:
5321 trans->ctx.chain->use++;
5322 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5323 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
5324 nft_trans_destroy(trans);
5326 case NFT_MSG_NEWSET:
5327 trans->ctx.table->use--;
5328 list_del_rcu(&nft_trans_set(trans)->list);
5330 case NFT_MSG_DELSET:
5331 trans->ctx.table->use++;
5332 nft_clear(trans->ctx.net, nft_trans_set(trans));
5333 nft_trans_destroy(trans);
5335 case NFT_MSG_NEWSETELEM:
5336 te = (struct nft_trans_elem *)trans->data;
5338 te->set->ops->remove(net, te->set, &te->elem);
5339 atomic_dec(&te->set->nelems);
5341 case NFT_MSG_DELSETELEM:
5342 te = (struct nft_trans_elem *)trans->data;
5344 nft_set_elem_activate(net, te->set, &te->elem);
5345 te->set->ops->activate(net, te->set, &te->elem);
5348 nft_trans_destroy(trans);
5350 case NFT_MSG_NEWOBJ:
5351 trans->ctx.table->use--;
5352 list_del_rcu(&nft_trans_obj(trans)->list);
5354 case NFT_MSG_DELOBJ:
5355 trans->ctx.table->use++;
5356 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5357 nft_trans_destroy(trans);
5364 list_for_each_entry_safe_reverse(trans, next,
5365 &net->nft.commit_list, list) {
5366 list_del(&trans->list);
5367 nf_tables_abort_release(trans);
5373 static bool nf_tables_valid_genid(struct net *net, u32 genid)
5375 return net->nft.base_seq == genid;
5378 static const struct nfnetlink_subsystem nf_tables_subsys = {
5379 .name = "nf_tables",
5380 .subsys_id = NFNL_SUBSYS_NFTABLES,
5381 .cb_count = NFT_MSG_MAX,
5383 .commit = nf_tables_commit,
5384 .abort = nf_tables_abort,
5385 .valid_genid = nf_tables_valid_genid,
5388 int nft_chain_validate_dependency(const struct nft_chain *chain,
5389 enum nft_chain_type type)
5391 const struct nft_base_chain *basechain;
5393 if (nft_is_base_chain(chain)) {
5394 basechain = nft_base_chain(chain);
5395 if (basechain->type->type != type)
5400 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
5402 int nft_chain_validate_hooks(const struct nft_chain *chain,
5403 unsigned int hook_flags)
5405 struct nft_base_chain *basechain;
5407 if (nft_is_base_chain(chain)) {
5408 basechain = nft_base_chain(chain);
5410 if ((1 << basechain->ops[0].hooknum) & hook_flags)
5418 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
5421 * Loop detection - walk through the ruleset beginning at the destination chain
5422 * of a new jump until either the source chain is reached (loop) or all
5423 * reachable chains have been traversed.
5425 * The loop check is performed whenever a new jump verdict is added to an
5426 * expression or verdict map or a verdict map is bound to a new chain.
5429 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5430 const struct nft_chain *chain);
5432 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
5433 struct nft_set *set,
5434 const struct nft_set_iter *iter,
5435 struct nft_set_elem *elem)
5437 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5438 const struct nft_data *data;
5440 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5441 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
5444 data = nft_set_ext_data(ext);
5445 switch (data->verdict.code) {
5448 return nf_tables_check_loops(ctx, data->verdict.chain);
5454 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5455 const struct nft_chain *chain)
5457 const struct nft_rule *rule;
5458 const struct nft_expr *expr, *last;
5459 struct nft_set *set;
5460 struct nft_set_binding *binding;
5461 struct nft_set_iter iter;
5463 if (ctx->chain == chain)
5466 list_for_each_entry(rule, &chain->rules, list) {
5467 nft_rule_for_each_expr(expr, last, rule) {
5468 const struct nft_data *data = NULL;
5471 if (!expr->ops->validate)
5474 err = expr->ops->validate(ctx, expr, &data);
5481 switch (data->verdict.code) {
5484 err = nf_tables_check_loops(ctx,
5485 data->verdict.chain);
5494 list_for_each_entry(set, &ctx->table->sets, list) {
5495 if (!nft_is_active_next(ctx->net, set))
5497 if (!(set->flags & NFT_SET_MAP) ||
5498 set->dtype != NFT_DATA_VERDICT)
5501 list_for_each_entry(binding, &set->bindings, list) {
5502 if (!(binding->flags & NFT_SET_MAP) ||
5503 binding->chain != chain)
5506 iter.genmask = nft_genmask_next(ctx->net);
5510 iter.fn = nf_tables_loop_check_setelem;
5512 set->ops->walk(ctx, set, &iter);
5522 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
5524 * @attr: netlink attribute to fetch value from
5525 * @max: maximum value to be stored in dest
5526 * @dest: pointer to the variable
5528 * Parse, check and store a given u32 netlink attribute into variable.
5529 * This function returns -ERANGE if the value goes over maximum value.
5530 * Otherwise a 0 is returned and the attribute value is stored in the
5531 * destination variable.
5533 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
5537 val = ntohl(nla_get_be32(attr));
5544 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
5547 * nft_parse_register - parse a register value from a netlink attribute
5549 * @attr: netlink attribute
5551 * Parse and translate a register value from a netlink attribute.
5552 * Registers used to be 128 bit wide, these register numbers will be
5553 * mapped to the corresponding 32 bit register numbers.
5555 unsigned int nft_parse_register(const struct nlattr *attr)
5559 reg = ntohl(nla_get_be32(attr));
5561 case NFT_REG_VERDICT...NFT_REG_4:
5562 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
5564 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
5567 EXPORT_SYMBOL_GPL(nft_parse_register);
5570 * nft_dump_register - dump a register value to a netlink attribute
5572 * @skb: socket buffer
5573 * @attr: attribute number
5574 * @reg: register number
5576 * Construct a netlink attribute containing the register number. For
5577 * compatibility reasons, register numbers being a multiple of 4 are
5578 * translated to the corresponding 128 bit register numbers.
5580 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
5582 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
5583 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
5585 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
5587 return nla_put_be32(skb, attr, htonl(reg));
5589 EXPORT_SYMBOL_GPL(nft_dump_register);
5592 * nft_validate_register_load - validate a load from a register
5594 * @reg: the register number
5595 * @len: the length of the data
5597 * Validate that the input register is one of the general purpose
5598 * registers and that the length of the load is within the bounds.
5600 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
5602 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5606 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
5611 EXPORT_SYMBOL_GPL(nft_validate_register_load);
5614 * nft_validate_register_store - validate an expressions' register store
5616 * @ctx: context of the expression performing the load
5617 * @reg: the destination register number
5618 * @data: the data to load
5619 * @type: the data type
5620 * @len: the length of the data
5622 * Validate that a data load uses the appropriate data type for
5623 * the destination register and the length is within the bounds.
5624 * A value of NULL for the data means that its runtime gathered
5627 int nft_validate_register_store(const struct nft_ctx *ctx,
5628 enum nft_registers reg,
5629 const struct nft_data *data,
5630 enum nft_data_types type, unsigned int len)
5635 case NFT_REG_VERDICT:
5636 if (type != NFT_DATA_VERDICT)
5640 (data->verdict.code == NFT_GOTO ||
5641 data->verdict.code == NFT_JUMP)) {
5642 err = nf_tables_check_loops(ctx, data->verdict.chain);
5646 if (ctx->chain->level + 1 >
5647 data->verdict.chain->level) {
5648 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
5650 data->verdict.chain->level = ctx->chain->level + 1;
5656 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5660 if (reg * NFT_REG32_SIZE + len >
5661 FIELD_SIZEOF(struct nft_regs, data))
5664 if (data != NULL && type != NFT_DATA_VALUE)
5669 EXPORT_SYMBOL_GPL(nft_validate_register_store);
5671 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
5672 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
5673 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
5674 .len = NFT_CHAIN_MAXNAMELEN - 1 },
5677 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
5678 struct nft_data_desc *desc, const struct nlattr *nla)
5680 u8 genmask = nft_genmask_next(ctx->net);
5681 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
5682 struct nft_chain *chain;
5685 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
5690 if (!tb[NFTA_VERDICT_CODE])
5692 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
5694 switch (data->verdict.code) {
5696 switch (data->verdict.code & NF_VERDICT_MASK) {
5711 if (!tb[NFTA_VERDICT_CHAIN])
5713 chain = nf_tables_chain_lookup(ctx->table,
5714 tb[NFTA_VERDICT_CHAIN], genmask);
5716 return PTR_ERR(chain);
5717 if (nft_is_base_chain(chain))
5721 data->verdict.chain = chain;
5725 desc->len = sizeof(data->verdict);
5726 desc->type = NFT_DATA_VERDICT;
5730 static void nft_verdict_uninit(const struct nft_data *data)
5732 switch (data->verdict.code) {
5735 data->verdict.chain->use--;
5740 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
5742 struct nlattr *nest;
5744 nest = nla_nest_start(skb, type);
5746 goto nla_put_failure;
5748 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
5749 goto nla_put_failure;
5754 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
5756 goto nla_put_failure;
5758 nla_nest_end(skb, nest);
5765 static int nft_value_init(const struct nft_ctx *ctx,
5766 struct nft_data *data, unsigned int size,
5767 struct nft_data_desc *desc, const struct nlattr *nla)
5777 nla_memcpy(data->data, nla, len);
5778 desc->type = NFT_DATA_VALUE;
5783 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
5786 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
5789 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
5790 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
5791 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
5795 * nft_data_init - parse nf_tables data netlink attributes
5797 * @ctx: context of the expression using the data
5798 * @data: destination struct nft_data
5799 * @size: maximum data length
5800 * @desc: data description
5801 * @nla: netlink attribute containing data
5803 * Parse the netlink data attributes and initialize a struct nft_data.
5804 * The type and length of data are returned in the data description.
5806 * The caller can indicate that it only wants to accept data of type
5807 * NFT_DATA_VALUE by passing NULL for the ctx argument.
5809 int nft_data_init(const struct nft_ctx *ctx,
5810 struct nft_data *data, unsigned int size,
5811 struct nft_data_desc *desc, const struct nlattr *nla)
5813 struct nlattr *tb[NFTA_DATA_MAX + 1];
5816 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
5820 if (tb[NFTA_DATA_VALUE])
5821 return nft_value_init(ctx, data, size, desc,
5822 tb[NFTA_DATA_VALUE]);
5823 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
5824 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
5827 EXPORT_SYMBOL_GPL(nft_data_init);
5830 * nft_data_release - release a nft_data item
5832 * @data: struct nft_data to release
5833 * @type: type of data
5835 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5836 * all others need to be released by calling this function.
5838 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
5840 if (type < NFT_DATA_VERDICT)
5843 case NFT_DATA_VERDICT:
5844 return nft_verdict_uninit(data);
5849 EXPORT_SYMBOL_GPL(nft_data_release);
5851 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
5852 enum nft_data_types type, unsigned int len)
5854 struct nlattr *nest;
5857 nest = nla_nest_start(skb, attr);
5862 case NFT_DATA_VALUE:
5863 err = nft_value_dump(skb, data, len);
5865 case NFT_DATA_VERDICT:
5866 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
5873 nla_nest_end(skb, nest);
5876 EXPORT_SYMBOL_GPL(nft_data_dump);
5878 static int __net_init nf_tables_init_net(struct net *net)
5880 INIT_LIST_HEAD(&net->nft.af_info);
5881 INIT_LIST_HEAD(&net->nft.commit_list);
5882 net->nft.base_seq = 1;
5886 int __nft_release_basechain(struct nft_ctx *ctx)
5888 struct nft_rule *rule, *nr;
5890 BUG_ON(!nft_is_base_chain(ctx->chain));
5892 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
5894 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
5895 list_del(&rule->list);
5897 nf_tables_rule_release(ctx, rule);
5899 list_del(&ctx->chain->list);
5901 nf_tables_chain_destroy(ctx->chain);
5905 EXPORT_SYMBOL_GPL(__nft_release_basechain);
5907 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
5908 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
5910 struct nft_table *table, *nt;
5911 struct nft_chain *chain, *nc;
5912 struct nft_object *obj, *ne;
5913 struct nft_rule *rule, *nr;
5914 struct nft_set *set, *ns;
5915 struct nft_ctx ctx = {
5920 list_for_each_entry_safe(table, nt, &afi->tables, list) {
5921 list_for_each_entry(chain, &table->chains, list)
5922 nf_tables_unregister_hooks(net, table, chain,
5924 /* No packets are walking on these chains anymore. */
5926 list_for_each_entry(chain, &table->chains, list) {
5928 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
5929 list_del(&rule->list);
5931 nf_tables_rule_release(&ctx, rule);
5934 list_for_each_entry_safe(set, ns, &table->sets, list) {
5935 list_del(&set->list);
5937 nft_set_destroy(set);
5939 list_for_each_entry_safe(obj, ne, &table->objects, list) {
5940 list_del(&obj->list);
5942 nft_obj_destroy(obj);
5944 list_for_each_entry_safe(chain, nc, &table->chains, list) {
5945 list_del(&chain->list);
5947 nf_tables_chain_destroy(chain);
5949 list_del(&table->list);
5950 nf_tables_table_destroy(&ctx);
5954 static struct pernet_operations nf_tables_net_ops = {
5955 .init = nf_tables_init_net,
5958 static int __init nf_tables_module_init(void)
5962 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
5969 err = nf_tables_core_module_init();
5973 err = nfnetlink_subsys_register(&nf_tables_subsys);
5977 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
5978 return register_pernet_subsys(&nf_tables_net_ops);
5980 nf_tables_core_module_exit();
5987 static void __exit nf_tables_module_exit(void)
5989 unregister_pernet_subsys(&nf_tables_net_ops);
5990 nfnetlink_subsys_unregister(&nf_tables_subsys);
5992 nf_tables_core_module_exit();
5996 module_init(nf_tables_module_init);
5997 module_exit(nf_tables_module_exit);
5999 MODULE_LICENSE("GPL");
6000 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6001 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / releases.git / blob