1 // SPDX-License-Identifier: GPL-2.0-only
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 #define NFT_SET_MAX_ANONLEN 16
29 /* limit compaction to avoid huge kmalloc/krealloc sizes. */
30 #define NFT_MAX_SET_NELEMS ((2048 - sizeof(struct nft_trans_elem)) / sizeof(struct nft_trans_one_elem))
32 unsigned int nf_tables_net_id __read_mostly;
34 static LIST_HEAD(nf_tables_expressions);
35 static LIST_HEAD(nf_tables_objects);
36 static LIST_HEAD(nf_tables_flowtables);
37 static LIST_HEAD(nf_tables_destroy_list);
38 static LIST_HEAD(nf_tables_gc_list);
39 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
40 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
43 NFT_VALIDATE_SKIP = 0,
48 static struct rhltable nft_objname_ht;
50 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
51 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
52 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
54 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
55 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
56 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
58 static const struct rhashtable_params nft_chain_ht_params = {
59 .head_offset = offsetof(struct nft_chain, rhlhead),
60 .key_offset = offsetof(struct nft_chain, name),
61 .hashfn = nft_chain_hash,
62 .obj_hashfn = nft_chain_hash_obj,
63 .obj_cmpfn = nft_chain_hash_cmp,
64 .automatic_shrinking = true,
67 static const struct rhashtable_params nft_objname_ht_params = {
68 .head_offset = offsetof(struct nft_object, rhlhead),
69 .key_offset = offsetof(struct nft_object, key),
70 .hashfn = nft_objname_hash,
71 .obj_hashfn = nft_objname_hash_obj,
72 .obj_cmpfn = nft_objname_hash_cmp,
73 .automatic_shrinking = true,
76 struct nft_audit_data {
77 struct nft_table *table;
80 struct list_head list;
83 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
84 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
85 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
87 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
88 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
90 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
91 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
93 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
94 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
96 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
97 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
99 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
100 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
102 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
103 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
104 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
105 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
106 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
107 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
108 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
109 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
112 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
114 switch (table->validate_state) {
115 case NFT_VALIDATE_SKIP:
116 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
118 case NFT_VALIDATE_NEED:
120 case NFT_VALIDATE_DO:
121 if (new_validate_state == NFT_VALIDATE_NEED)
125 table->validate_state = new_validate_state;
127 static void nf_tables_trans_destroy_work(struct work_struct *w);
128 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
130 static void nft_trans_gc_work(struct work_struct *work);
131 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
133 static void nft_ctx_init(struct nft_ctx *ctx,
135 const struct sk_buff *skb,
136 const struct nlmsghdr *nlh,
138 struct nft_table *table,
139 struct nft_chain *chain,
140 const struct nlattr * const *nla)
143 ctx->family = family;
148 ctx->portid = NETLINK_CB(skb).portid;
149 ctx->report = nlmsg_report(nlh);
150 ctx->flags = nlh->nlmsg_flags;
151 ctx->seq = nlh->nlmsg_seq;
153 bitmap_zero(ctx->reg_inited, NFT_REG32_NUM);
156 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
157 int msg_type, u32 size, gfp_t gfp)
159 struct nft_trans *trans;
161 trans = kzalloc(size, gfp);
165 INIT_LIST_HEAD(&trans->list);
166 trans->msg_type = msg_type;
168 trans->net = ctx->net;
169 trans->table = ctx->table;
170 trans->seq = ctx->seq;
171 trans->flags = ctx->flags;
172 trans->report = ctx->report;
177 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
178 int msg_type, u32 size)
180 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
183 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans)
185 switch (trans->msg_type) {
186 case NFT_MSG_NEWCHAIN:
188 return container_of(trans, struct nft_trans_binding, nft_trans);
194 static void nft_trans_list_del(struct nft_trans *trans)
196 struct nft_trans_binding *trans_binding;
198 list_del(&trans->list);
200 trans_binding = nft_trans_get_binding(trans);
202 list_del(&trans_binding->binding_list);
205 static void nft_trans_destroy(struct nft_trans *trans)
207 nft_trans_list_del(trans);
211 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
214 struct nftables_pernet *nft_net;
215 struct net *net = ctx->net;
216 struct nft_trans *trans;
218 if (!nft_set_is_anonymous(set))
221 nft_net = nft_pernet(net);
222 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
223 switch (trans->msg_type) {
225 if (nft_trans_set(trans) == set)
226 nft_trans_set_bound(trans) = bind;
228 case NFT_MSG_NEWSETELEM:
229 if (nft_trans_elem_set(trans) == set)
230 nft_trans_elem_set_bound(trans) = bind;
236 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
238 return __nft_set_trans_bind(ctx, set, true);
241 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
243 return __nft_set_trans_bind(ctx, set, false);
246 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
247 struct nft_chain *chain, bool bind)
249 struct nftables_pernet *nft_net;
250 struct net *net = ctx->net;
251 struct nft_trans *trans;
253 if (!nft_chain_binding(chain))
256 nft_net = nft_pernet(net);
257 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
258 switch (trans->msg_type) {
259 case NFT_MSG_NEWCHAIN:
260 if (nft_trans_chain(trans) == chain)
261 nft_trans_chain_bound(trans) = bind;
263 case NFT_MSG_NEWRULE:
264 if (nft_trans_rule_chain(trans) == chain)
265 nft_trans_rule_bound(trans) = bind;
271 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
272 struct nft_chain *chain)
274 __nft_chain_trans_bind(ctx, chain, true);
277 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
279 if (!nft_chain_binding(chain))
282 if (nft_chain_binding(ctx->chain))
288 if (!nft_use_inc(&chain->use))
292 nft_chain_trans_bind(ctx, chain);
297 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
299 __nft_chain_trans_bind(ctx, chain, false);
302 static int nft_netdev_register_hooks(struct net *net,
303 struct list_head *hook_list)
305 struct nft_hook *hook;
309 list_for_each_entry(hook, hook_list, list) {
310 err = nf_register_net_hook(net, &hook->ops);
319 list_for_each_entry(hook, hook_list, list) {
323 nf_unregister_net_hook(net, &hook->ops);
328 static void nft_netdev_unregister_hooks(struct net *net,
329 struct list_head *hook_list,
332 struct nft_hook *hook, *next;
334 list_for_each_entry_safe(hook, next, hook_list, list) {
335 nf_unregister_net_hook(net, &hook->ops);
336 if (release_netdev) {
337 list_del(&hook->list);
338 kfree_rcu(hook, rcu);
343 static int nf_tables_register_hook(struct net *net,
344 const struct nft_table *table,
345 struct nft_chain *chain)
347 struct nft_base_chain *basechain;
348 const struct nf_hook_ops *ops;
350 if (table->flags & NFT_TABLE_F_DORMANT ||
351 !nft_is_base_chain(chain))
354 basechain = nft_base_chain(chain);
355 ops = &basechain->ops;
357 if (basechain->type->ops_register)
358 return basechain->type->ops_register(net, ops);
360 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
361 return nft_netdev_register_hooks(net, &basechain->hook_list);
363 return nf_register_net_hook(net, &basechain->ops);
366 static void __nf_tables_unregister_hook(struct net *net,
367 const struct nft_table *table,
368 struct nft_chain *chain,
371 struct nft_base_chain *basechain;
372 const struct nf_hook_ops *ops;
374 if (table->flags & NFT_TABLE_F_DORMANT ||
375 !nft_is_base_chain(chain))
377 basechain = nft_base_chain(chain);
378 ops = &basechain->ops;
380 if (basechain->type->ops_unregister)
381 return basechain->type->ops_unregister(net, ops);
383 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
384 nft_netdev_unregister_hooks(net, &basechain->hook_list,
387 nf_unregister_net_hook(net, &basechain->ops);
390 static void nf_tables_unregister_hook(struct net *net,
391 const struct nft_table *table,
392 struct nft_chain *chain)
394 return __nf_tables_unregister_hook(net, table, chain, false);
397 static bool nft_trans_collapse_set_elem_allowed(const struct nft_trans_elem *a, const struct nft_trans_elem *b)
399 /* NB: the ->bound equality check is defensive, at this time we only merge
400 * a new nft_trans_elem transaction request with the transaction tail
401 * element, but a->bound != b->bound would imply a NEWRULE transaction
402 * is queued in-between.
404 * The set check is mandatory, the NFT_MAX_SET_NELEMS check prevents
405 * huge krealloc() requests.
407 return a->set == b->set && a->bound == b->bound && a->nelems < NFT_MAX_SET_NELEMS;
410 static bool nft_trans_collapse_set_elem(struct nftables_pernet *nft_net,
411 struct nft_trans_elem *tail,
412 struct nft_trans_elem *trans,
415 unsigned int nelems, old_nelems = tail->nelems;
416 struct nft_trans_elem *new_trans;
418 if (!nft_trans_collapse_set_elem_allowed(tail, trans))
421 /* "cannot happen", at this time userspace element add
422 * requests always allocate a new transaction element.
424 * This serves as a reminder to adjust the list_add_tail
425 * logic below in case this ever changes.
427 if (WARN_ON_ONCE(trans->nelems != 1))
430 if (check_add_overflow(old_nelems, trans->nelems, &nelems))
433 /* krealloc might free tail which invalidates list pointers */
434 list_del_init(&tail->nft_trans.list);
436 new_trans = krealloc(tail, struct_size(tail, elems, nelems), gfp);
438 list_add_tail(&tail->nft_trans.list, &nft_net->commit_list);
443 * new_trans->nft_trans.list contains garbage, but
444 * list_add_tail() doesn't care.
446 new_trans->nelems = nelems;
447 new_trans->elems[old_nelems] = trans->elems[0];
448 list_add_tail(&new_trans->nft_trans.list, &nft_net->commit_list);
453 static bool nft_trans_try_collapse(struct nftables_pernet *nft_net,
454 struct nft_trans *trans, gfp_t gfp)
456 struct nft_trans *tail;
458 if (list_empty(&nft_net->commit_list))
461 tail = list_last_entry(&nft_net->commit_list, struct nft_trans, list);
463 if (tail->msg_type != trans->msg_type)
466 switch (trans->msg_type) {
467 case NFT_MSG_NEWSETELEM:
468 case NFT_MSG_DELSETELEM:
469 return nft_trans_collapse_set_elem(nft_net,
470 nft_trans_container_elem(tail),
471 nft_trans_container_elem(trans), gfp);
477 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
479 struct nftables_pernet *nft_net = nft_pernet(net);
480 struct nft_trans_binding *binding;
481 struct nft_trans_set *trans_set;
483 list_add_tail(&trans->list, &nft_net->commit_list);
485 binding = nft_trans_get_binding(trans);
489 switch (trans->msg_type) {
491 trans_set = nft_trans_container_set(trans);
493 if (!nft_trans_set_update(trans) &&
494 nft_set_is_anonymous(nft_trans_set(trans)))
495 list_add_tail(&binding->binding_list, &nft_net->binding_list);
497 list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list);
499 case NFT_MSG_NEWCHAIN:
500 if (!nft_trans_chain_update(trans) &&
501 nft_chain_binding(nft_trans_chain(trans)))
502 list_add_tail(&binding->binding_list, &nft_net->binding_list);
507 static void nft_trans_commit_list_add_elem(struct net *net, struct nft_trans *trans,
510 struct nftables_pernet *nft_net = nft_pernet(net);
512 WARN_ON_ONCE(trans->msg_type != NFT_MSG_NEWSETELEM &&
513 trans->msg_type != NFT_MSG_DELSETELEM);
517 if (nft_trans_try_collapse(nft_net, trans, gfp)) {
522 nft_trans_commit_list_add_tail(net, trans);
525 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
527 struct nft_trans *trans;
529 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
533 if (msg_type == NFT_MSG_NEWTABLE)
534 nft_activate_next(ctx->net, ctx->table);
536 nft_trans_commit_list_add_tail(ctx->net, trans);
540 static int nft_deltable(struct nft_ctx *ctx)
544 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
548 nft_deactivate_next(ctx->net, ctx->table);
552 static struct nft_trans *
553 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type)
555 struct nft_trans_chain *trans_chain;
556 struct nft_trans *trans;
558 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
562 trans_chain = nft_trans_container_chain(trans);
563 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list);
564 trans_chain->chain = ctx->chain;
569 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
571 struct nft_trans *trans;
573 trans = nft_trans_alloc_chain(ctx, msg_type);
575 return ERR_PTR(-ENOMEM);
577 if (msg_type == NFT_MSG_NEWCHAIN) {
578 nft_activate_next(ctx->net, ctx->chain);
580 if (ctx->nla[NFTA_CHAIN_ID]) {
581 nft_trans_chain_id(trans) =
582 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
585 nft_trans_commit_list_add_tail(ctx->net, trans);
590 static int nft_delchain(struct nft_ctx *ctx)
592 struct nft_trans *trans;
594 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
596 return PTR_ERR(trans);
598 nft_use_dec(&ctx->table->use);
599 nft_deactivate_next(ctx->net, ctx->chain);
604 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
606 struct nft_expr *expr;
608 expr = nft_expr_first(rule);
609 while (nft_expr_more(rule, expr)) {
610 if (expr->ops->activate)
611 expr->ops->activate(ctx, expr);
613 expr = nft_expr_next(expr);
617 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
618 enum nft_trans_phase phase)
620 struct nft_expr *expr;
622 expr = nft_expr_first(rule);
623 while (nft_expr_more(rule, expr)) {
624 if (expr->ops->deactivate)
625 expr->ops->deactivate(ctx, expr, phase);
627 expr = nft_expr_next(expr);
632 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
634 /* You cannot delete the same rule twice */
635 if (nft_is_active_next(ctx->net, rule)) {
636 nft_deactivate_next(ctx->net, rule);
637 nft_use_dec(&ctx->chain->use);
643 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
644 struct nft_rule *rule)
646 struct nft_trans *trans;
648 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
652 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
653 nft_trans_rule_id(trans) =
654 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
656 nft_trans_rule(trans) = rule;
657 nft_trans_rule_chain(trans) = ctx->chain;
658 nft_trans_commit_list_add_tail(ctx->net, trans);
663 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
665 struct nft_flow_rule *flow;
666 struct nft_trans *trans;
669 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
673 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
674 flow = nft_flow_rule_create(ctx->net, rule);
676 nft_trans_destroy(trans);
677 return PTR_ERR(flow);
680 nft_trans_flow_rule(trans) = flow;
683 err = nf_tables_delrule_deactivate(ctx, rule);
685 nft_trans_destroy(trans);
688 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
693 static int nft_delrule_by_chain(struct nft_ctx *ctx)
695 struct nft_rule *rule;
698 list_for_each_entry(rule, &ctx->chain->rules, list) {
699 if (!nft_is_active_next(ctx->net, rule))
702 err = nft_delrule(ctx, rule);
709 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
711 const struct nft_set_desc *desc)
713 struct nft_trans_set *trans_set;
714 struct nft_trans *trans;
716 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
720 trans_set = nft_trans_container_set(trans);
721 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list);
722 INIT_LIST_HEAD(&trans_set->list_trans_newset);
724 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
725 nft_trans_set_id(trans) =
726 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
727 nft_activate_next(ctx->net, set);
729 nft_trans_set(trans) = set;
731 nft_trans_set_update(trans) = true;
732 nft_trans_set_gc_int(trans) = desc->gc_int;
733 nft_trans_set_timeout(trans) = desc->timeout;
734 nft_trans_set_size(trans) = desc->size;
736 nft_trans_commit_list_add_tail(ctx->net, trans);
741 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
744 return __nft_trans_set_add(ctx, msg_type, set, NULL);
747 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
749 const struct nft_set_iter *iter,
750 struct nft_elem_priv *elem_priv)
752 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
754 if (!nft_set_elem_active(ext, iter->genmask))
757 nft_set_elem_change_active(ctx->net, set, ext);
758 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
763 struct nft_set_elem_catchall {
764 struct list_head list;
766 struct nft_elem_priv *elem;
769 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
772 u8 genmask = nft_genmask_next(ctx->net);
773 struct nft_set_elem_catchall *catchall;
774 struct nft_set_ext *ext;
776 list_for_each_entry(catchall, &set->catchall_list, list) {
777 ext = nft_set_elem_ext(set, catchall->elem);
778 if (!nft_set_elem_active(ext, genmask))
781 nft_set_elem_change_active(ctx->net, set, ext);
782 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
787 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
789 struct nft_set_iter iter = {
790 .genmask = nft_genmask_next(ctx->net),
791 .type = NFT_ITER_UPDATE,
792 .fn = nft_mapelem_deactivate,
795 set->ops->walk(ctx, set, &iter);
796 WARN_ON_ONCE(iter.err);
798 nft_map_catchall_deactivate(ctx, set);
801 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
805 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
809 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
810 nft_map_deactivate(ctx, set);
812 nft_deactivate_next(ctx->net, set);
813 nft_use_dec(&ctx->table->use);
818 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
819 struct nft_object *obj)
821 struct nft_trans *trans;
823 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
827 if (msg_type == NFT_MSG_NEWOBJ)
828 nft_activate_next(ctx->net, obj);
830 nft_trans_obj(trans) = obj;
831 nft_trans_commit_list_add_tail(ctx->net, trans);
836 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
840 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
844 nft_deactivate_next(ctx->net, obj);
845 nft_use_dec(&ctx->table->use);
850 static struct nft_trans *
851 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
852 struct nft_flowtable *flowtable)
854 struct nft_trans *trans;
856 trans = nft_trans_alloc(ctx, msg_type,
857 sizeof(struct nft_trans_flowtable));
859 return ERR_PTR(-ENOMEM);
861 if (msg_type == NFT_MSG_NEWFLOWTABLE)
862 nft_activate_next(ctx->net, flowtable);
864 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
865 nft_trans_flowtable(trans) = flowtable;
866 nft_trans_commit_list_add_tail(ctx->net, trans);
871 static int nft_delflowtable(struct nft_ctx *ctx,
872 struct nft_flowtable *flowtable)
874 struct nft_trans *trans;
876 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
878 return PTR_ERR(trans);
880 nft_deactivate_next(ctx->net, flowtable);
881 nft_use_dec(&ctx->table->use);
886 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
890 for (i = track->regs[dreg].num_reg; i > 0; i--)
891 __nft_reg_track_cancel(track, dreg - i);
894 static void __nft_reg_track_update(struct nft_regs_track *track,
895 const struct nft_expr *expr,
898 track->regs[dreg].selector = expr;
899 track->regs[dreg].bitwise = NULL;
900 track->regs[dreg].num_reg = num_reg;
903 void nft_reg_track_update(struct nft_regs_track *track,
904 const struct nft_expr *expr, u8 dreg, u8 len)
906 unsigned int regcount;
909 __nft_reg_track_clobber(track, dreg);
911 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
912 for (i = 0; i < regcount; i++, dreg++)
913 __nft_reg_track_update(track, expr, dreg, i);
915 EXPORT_SYMBOL_GPL(nft_reg_track_update);
917 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
919 unsigned int regcount;
922 __nft_reg_track_clobber(track, dreg);
924 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
925 for (i = 0; i < regcount; i++, dreg++)
926 __nft_reg_track_cancel(track, dreg);
928 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
930 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
932 track->regs[dreg].selector = NULL;
933 track->regs[dreg].bitwise = NULL;
934 track->regs[dreg].num_reg = 0;
936 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
942 static struct nft_table *nft_table_lookup(const struct net *net,
943 const struct nlattr *nla,
944 u8 family, u8 genmask, u32 nlpid)
946 struct nftables_pernet *nft_net;
947 struct nft_table *table;
950 return ERR_PTR(-EINVAL);
952 nft_net = nft_pernet(net);
953 list_for_each_entry_rcu(table, &nft_net->tables, list,
954 lockdep_is_held(&nft_net->commit_mutex)) {
955 if (!nla_strcmp(nla, table->name) &&
956 table->family == family &&
957 nft_active_genmask(table, genmask)) {
958 if (nft_table_has_owner(table) &&
959 nlpid && table->nlpid != nlpid)
960 return ERR_PTR(-EPERM);
966 return ERR_PTR(-ENOENT);
969 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
970 const struct nlattr *nla,
971 int family, u8 genmask, u32 nlpid)
973 struct nftables_pernet *nft_net;
974 struct nft_table *table;
976 nft_net = nft_pernet(net);
977 list_for_each_entry(table, &nft_net->tables, list) {
978 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
979 table->family == family &&
980 nft_active_genmask(table, genmask)) {
981 if (nft_table_has_owner(table) &&
982 nlpid && table->nlpid != nlpid)
983 return ERR_PTR(-EPERM);
989 return ERR_PTR(-ENOENT);
992 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
994 return ++table->hgenerator;
997 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
999 static const struct nft_chain_type *
1000 __nft_chain_type_get(u8 family, enum nft_chain_types type)
1002 if (family >= NFPROTO_NUMPROTO ||
1003 type >= NFT_CHAIN_T_MAX)
1006 return chain_type[family][type];
1009 static const struct nft_chain_type *
1010 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
1012 const struct nft_chain_type *type;
1015 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
1016 type = __nft_chain_type_get(family, i);
1019 if (!nla_strcmp(nla, type->name))
1025 struct nft_module_request {
1026 struct list_head list;
1027 char module[MODULE_NAME_LEN];
1031 #ifdef CONFIG_MODULES
1032 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
1035 char module_name[MODULE_NAME_LEN];
1036 struct nftables_pernet *nft_net;
1037 struct nft_module_request *req;
1041 va_start(args, fmt);
1042 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
1044 if (ret >= MODULE_NAME_LEN)
1047 nft_net = nft_pernet(net);
1048 list_for_each_entry(req, &nft_net->module_list, list) {
1049 if (!strcmp(req->module, module_name)) {
1053 /* A request to load this module already exists. */
1058 req = kmalloc(sizeof(*req), GFP_KERNEL);
1063 strscpy(req->module, module_name, MODULE_NAME_LEN);
1064 list_add_tail(&req->list, &nft_net->module_list);
1068 EXPORT_SYMBOL_GPL(nft_request_module);
1071 static void lockdep_nfnl_nft_mutex_not_held(void)
1073 #ifdef CONFIG_PROVE_LOCKING
1075 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
1079 static const struct nft_chain_type *
1080 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
1081 u8 family, bool autoload)
1083 const struct nft_chain_type *type;
1085 type = __nf_tables_chain_type_lookup(nla, family);
1089 lockdep_nfnl_nft_mutex_not_held();
1090 #ifdef CONFIG_MODULES
1092 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
1094 (const char *)nla_data(nla)) == -EAGAIN)
1095 return ERR_PTR(-EAGAIN);
1098 return ERR_PTR(-ENOENT);
1101 static __be16 nft_base_seq(const struct net *net)
1103 struct nftables_pernet *nft_net = nft_pernet(net);
1105 return htons(nft_net->base_seq & 0xffff);
1108 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
1109 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
1110 .len = NFT_TABLE_MAXNAMELEN - 1 },
1111 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
1112 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
1113 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
1114 .len = NFT_USERDATA_MAXLEN }
1117 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
1118 u32 portid, u32 seq, int event, u32 flags,
1119 int family, const struct nft_table *table)
1121 struct nlmsghdr *nlh;
1123 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1124 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1125 NFNETLINK_V0, nft_base_seq(net));
1127 goto nla_put_failure;
1129 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
1130 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
1131 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
1133 goto nla_put_failure;
1135 if (event == NFT_MSG_DELTABLE) {
1136 nlmsg_end(skb, nlh);
1140 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
1141 htonl(table->flags & NFT_TABLE_F_MASK)))
1142 goto nla_put_failure;
1144 if (nft_table_has_owner(table) &&
1145 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
1146 goto nla_put_failure;
1149 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
1150 goto nla_put_failure;
1153 nlmsg_end(skb, nlh);
1157 nlmsg_trim(skb, nlh);
1161 struct nftnl_skb_parms {
1164 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1166 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1167 struct list_head *notify_list)
1169 NFT_CB(skb).report = report;
1170 list_add_tail(&skb->list, notify_list);
1173 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1175 struct nftables_pernet *nft_net;
1176 struct sk_buff *skb;
1181 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1184 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1188 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1189 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1191 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1192 event, flags, ctx->family, ctx->table);
1198 nft_net = nft_pernet(ctx->net);
1199 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1202 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1205 static int nf_tables_dump_tables(struct sk_buff *skb,
1206 struct netlink_callback *cb)
1208 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1209 struct nftables_pernet *nft_net;
1210 const struct nft_table *table;
1211 unsigned int idx = 0, s_idx = cb->args[0];
1212 struct net *net = sock_net(skb->sk);
1213 int family = nfmsg->nfgen_family;
1216 nft_net = nft_pernet(net);
1217 cb->seq = READ_ONCE(nft_net->base_seq);
1219 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1220 if (family != NFPROTO_UNSPEC && family != table->family)
1226 memset(&cb->args[1], 0,
1227 sizeof(cb->args) - sizeof(cb->args[0]));
1228 if (!nft_is_active(net, table))
1230 if (nf_tables_fill_table_info(skb, net,
1231 NETLINK_CB(cb->skb).portid,
1233 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1234 table->family, table) < 0)
1237 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1247 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1248 const struct nlmsghdr *nlh,
1249 struct netlink_dump_control *c)
1253 if (!try_module_get(THIS_MODULE))
1257 err = netlink_dump_start(nlsk, skb, nlh, c);
1259 module_put(THIS_MODULE);
1264 /* called with rcu_read_lock held */
1265 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1266 const struct nlattr * const nla[])
1268 struct netlink_ext_ack *extack = info->extack;
1269 u8 genmask = nft_genmask_cur(info->net);
1270 u8 family = info->nfmsg->nfgen_family;
1271 const struct nft_table *table;
1272 struct net *net = info->net;
1273 struct sk_buff *skb2;
1276 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1277 struct netlink_dump_control c = {
1278 .dump = nf_tables_dump_tables,
1279 .module = THIS_MODULE,
1282 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1285 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1286 if (IS_ERR(table)) {
1287 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1288 return PTR_ERR(table);
1291 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1295 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1296 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1299 goto err_fill_table_info;
1301 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1303 err_fill_table_info:
1308 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1310 struct nft_chain *chain;
1313 list_for_each_entry(chain, &table->chains, list) {
1314 if (!nft_is_active_next(net, chain))
1316 if (!nft_is_base_chain(chain))
1319 if (cnt && i++ == cnt)
1322 nf_tables_unregister_hook(net, table, chain);
1326 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1328 struct nft_chain *chain;
1331 list_for_each_entry(chain, &table->chains, list) {
1332 if (!nft_is_active_next(net, chain))
1334 if (!nft_is_base_chain(chain))
1337 err = nf_tables_register_hook(net, table, chain);
1339 goto err_register_hooks;
1347 nft_table_disable(net, table, i);
1351 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1353 table->flags &= ~NFT_TABLE_F_DORMANT;
1354 nft_table_disable(net, table, 0);
1355 table->flags |= NFT_TABLE_F_DORMANT;
1358 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1359 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1360 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1361 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
1362 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1363 __NFT_TABLE_F_WAS_AWAKEN | \
1364 __NFT_TABLE_F_WAS_ORPHAN)
1366 static bool nft_table_pending_update(const struct nft_ctx *ctx)
1368 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1369 struct nft_trans *trans;
1371 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1374 list_for_each_entry(trans, &nft_net->commit_list, list) {
1375 if (trans->table == ctx->table &&
1376 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1377 nft_trans_chain_update(trans)) ||
1378 (trans->msg_type == NFT_MSG_DELCHAIN &&
1379 nft_is_base_chain(nft_trans_chain(trans)))))
1386 static int nf_tables_updtable(struct nft_ctx *ctx)
1388 struct nft_trans *trans;
1392 if (!ctx->nla[NFTA_TABLE_FLAGS])
1395 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1396 if (flags & ~NFT_TABLE_F_MASK)
1399 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1402 if ((nft_table_has_owner(ctx->table) &&
1403 !(flags & NFT_TABLE_F_OWNER)) ||
1404 (flags & NFT_TABLE_F_OWNER &&
1405 !nft_table_is_orphan(ctx->table)))
1408 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
1411 /* No dormant off/on/off/on games in single transaction */
1412 if (nft_table_pending_update(ctx))
1415 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1416 sizeof(struct nft_trans_table));
1420 if ((flags & NFT_TABLE_F_DORMANT) &&
1421 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1422 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1423 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1424 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1425 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1426 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1427 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1428 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1429 ret = nf_tables_table_enable(ctx->net, ctx->table);
1431 goto err_register_hooks;
1433 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1437 if ((flags & NFT_TABLE_F_OWNER) &&
1438 !nft_table_has_owner(ctx->table)) {
1439 ctx->table->nlpid = ctx->portid;
1440 ctx->table->flags |= NFT_TABLE_F_OWNER |
1441 __NFT_TABLE_F_WAS_ORPHAN;
1444 nft_trans_table_update(trans) = true;
1445 nft_trans_commit_list_add_tail(ctx->net, trans);
1450 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1451 nft_trans_destroy(trans);
1455 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1457 const char *name = data;
1459 return jhash(name, strlen(name), seed);
1462 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1464 const struct nft_chain *chain = data;
1466 return nft_chain_hash(chain->name, 0, seed);
1469 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1472 const struct nft_chain *chain = ptr;
1473 const char *name = arg->key;
1475 return strcmp(chain->name, name);
1478 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1480 const struct nft_object_hash_key *k = data;
1482 seed ^= hash_ptr(k->table, 32);
1484 return jhash(k->name, strlen(k->name), seed);
1487 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1489 const struct nft_object *obj = data;
1491 return nft_objname_hash(&obj->key, 0, seed);
1494 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1497 const struct nft_object_hash_key *k = arg->key;
1498 const struct nft_object *obj = ptr;
1500 if (obj->key.table != k->table)
1503 return strcmp(obj->key.name, k->name);
1506 static bool nft_supported_family(u8 family)
1509 #ifdef CONFIG_NF_TABLES_INET
1510 || family == NFPROTO_INET
1512 #ifdef CONFIG_NF_TABLES_IPV4
1513 || family == NFPROTO_IPV4
1515 #ifdef CONFIG_NF_TABLES_ARP
1516 || family == NFPROTO_ARP
1518 #ifdef CONFIG_NF_TABLES_NETDEV
1519 || family == NFPROTO_NETDEV
1521 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1522 || family == NFPROTO_BRIDGE
1524 #ifdef CONFIG_NF_TABLES_IPV6
1525 || family == NFPROTO_IPV6
1530 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1531 const struct nlattr * const nla[])
1533 struct nftables_pernet *nft_net = nft_pernet(info->net);
1534 struct netlink_ext_ack *extack = info->extack;
1535 u8 genmask = nft_genmask_next(info->net);
1536 u8 family = info->nfmsg->nfgen_family;
1537 struct net *net = info->net;
1538 const struct nlattr *attr;
1539 struct nft_table *table;
1544 if (!nft_supported_family(family))
1547 lockdep_assert_held(&nft_net->commit_mutex);
1548 attr = nla[NFTA_TABLE_NAME];
1549 table = nft_table_lookup(net, attr, family, genmask,
1550 NETLINK_CB(skb).portid);
1551 if (IS_ERR(table)) {
1552 if (PTR_ERR(table) != -ENOENT)
1553 return PTR_ERR(table);
1555 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1556 NL_SET_BAD_ATTR(extack, attr);
1559 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1562 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1564 return nf_tables_updtable(&ctx);
1567 if (nla[NFTA_TABLE_FLAGS]) {
1568 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1569 if (flags & ~NFT_TABLE_F_MASK)
1574 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1578 table->validate_state = nft_net->validate_state;
1579 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1580 if (table->name == NULL)
1583 if (nla[NFTA_TABLE_USERDATA]) {
1584 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1585 if (table->udata == NULL)
1586 goto err_table_udata;
1588 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1591 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1595 INIT_LIST_HEAD(&table->chains);
1596 INIT_LIST_HEAD(&table->sets);
1597 INIT_LIST_HEAD(&table->objects);
1598 INIT_LIST_HEAD(&table->flowtables);
1599 table->family = family;
1600 table->flags = flags;
1601 table->handle = ++nft_net->table_handle;
1602 if (table->flags & NFT_TABLE_F_OWNER)
1603 table->nlpid = NETLINK_CB(skb).portid;
1605 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1606 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1610 list_add_tail_rcu(&table->list, &nft_net->tables);
1613 rhltable_destroy(&table->chains_ht);
1615 kfree(table->udata);
1624 static int nft_flush_table(struct nft_ctx *ctx)
1626 struct nft_flowtable *flowtable, *nft;
1627 struct nft_chain *chain, *nc;
1628 struct nft_object *obj, *ne;
1629 struct nft_set *set, *ns;
1632 list_for_each_entry(chain, &ctx->table->chains, list) {
1633 if (!nft_is_active_next(ctx->net, chain))
1636 if (nft_chain_binding(chain))
1641 err = nft_delrule_by_chain(ctx);
1646 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1647 if (!nft_is_active_next(ctx->net, set))
1650 if (nft_set_is_anonymous(set))
1653 err = nft_delset(ctx, set);
1658 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1659 if (!nft_is_active_next(ctx->net, flowtable))
1662 err = nft_delflowtable(ctx, flowtable);
1667 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1668 if (!nft_is_active_next(ctx->net, obj))
1671 err = nft_delobj(ctx, obj);
1676 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1677 if (!nft_is_active_next(ctx->net, chain))
1680 if (nft_chain_binding(chain))
1685 err = nft_delchain(ctx);
1690 err = nft_deltable(ctx);
1695 static int nft_flush(struct nft_ctx *ctx, int family)
1697 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1698 const struct nlattr * const *nla = ctx->nla;
1699 struct nft_table *table, *nt;
1702 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1703 if (family != AF_UNSPEC && table->family != family)
1706 ctx->family = table->family;
1708 if (!nft_is_active_next(ctx->net, table))
1711 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1714 if (nla[NFTA_TABLE_NAME] &&
1715 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1720 err = nft_flush_table(ctx);
1728 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1729 const struct nlattr * const nla[])
1731 struct netlink_ext_ack *extack = info->extack;
1732 u8 genmask = nft_genmask_next(info->net);
1733 u8 family = info->nfmsg->nfgen_family;
1734 struct net *net = info->net;
1735 const struct nlattr *attr;
1736 struct nft_table *table;
1739 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1740 if (family == AF_UNSPEC ||
1741 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1742 return nft_flush(&ctx, family);
1744 if (nla[NFTA_TABLE_HANDLE]) {
1745 attr = nla[NFTA_TABLE_HANDLE];
1746 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1747 NETLINK_CB(skb).portid);
1749 attr = nla[NFTA_TABLE_NAME];
1750 table = nft_table_lookup(net, attr, family, genmask,
1751 NETLINK_CB(skb).portid);
1754 if (IS_ERR(table)) {
1755 if (PTR_ERR(table) == -ENOENT &&
1756 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1759 NL_SET_BAD_ATTR(extack, attr);
1760 return PTR_ERR(table);
1763 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1767 ctx.family = family;
1770 return nft_flush_table(&ctx);
1773 static void nf_tables_table_destroy(struct nft_table *table)
1775 if (WARN_ON(table->use > 0))
1778 rhltable_destroy(&table->chains_ht);
1780 kfree(table->udata);
1784 void nft_register_chain_type(const struct nft_chain_type *ctype)
1786 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1787 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1788 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1791 chain_type[ctype->family][ctype->type] = ctype;
1792 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1794 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1796 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1798 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1799 chain_type[ctype->family][ctype->type] = NULL;
1800 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1802 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1808 static struct nft_chain *
1809 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1811 struct nft_chain *chain;
1813 list_for_each_entry(chain, &table->chains, list) {
1814 if (chain->handle == handle &&
1815 nft_active_genmask(chain, genmask))
1819 return ERR_PTR(-ENOENT);
1822 static bool lockdep_commit_lock_is_held(const struct net *net)
1824 #ifdef CONFIG_PROVE_LOCKING
1825 struct nftables_pernet *nft_net = nft_pernet(net);
1827 return lockdep_is_held(&nft_net->commit_mutex);
1833 static struct nft_chain *nft_chain_lookup(struct net *net,
1834 struct nft_table *table,
1835 const struct nlattr *nla, u8 genmask)
1837 char search[NFT_CHAIN_MAXNAMELEN + 1];
1838 struct rhlist_head *tmp, *list;
1839 struct nft_chain *chain;
1842 return ERR_PTR(-EINVAL);
1844 nla_strscpy(search, nla, sizeof(search));
1846 WARN_ON(!rcu_read_lock_held() &&
1847 !lockdep_commit_lock_is_held(net));
1849 chain = ERR_PTR(-ENOENT);
1851 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1855 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1856 if (nft_active_genmask(chain, genmask))
1859 chain = ERR_PTR(-ENOENT);
1865 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1866 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1867 .len = NFT_TABLE_MAXNAMELEN - 1 },
1868 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1869 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1870 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1871 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1872 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1873 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1874 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1875 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1876 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1877 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1878 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1879 .len = NFT_USERDATA_MAXLEN },
1882 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1883 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1884 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1885 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1886 .len = IFNAMSIZ - 1 },
1889 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1891 struct nft_stats *cpu_stats, total;
1892 struct nlattr *nest;
1900 memset(&total, 0, sizeof(total));
1901 for_each_possible_cpu(cpu) {
1902 cpu_stats = per_cpu_ptr(stats, cpu);
1904 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1905 pkts = cpu_stats->pkts;
1906 bytes = cpu_stats->bytes;
1907 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1909 total.bytes += bytes;
1911 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1913 goto nla_put_failure;
1915 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1916 NFTA_COUNTER_PAD) ||
1917 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1919 goto nla_put_failure;
1921 nla_nest_end(skb, nest);
1928 static int nft_dump_basechain_hook(struct sk_buff *skb,
1929 const struct net *net, int family,
1930 const struct nft_base_chain *basechain,
1931 const struct list_head *hook_list)
1933 const struct nf_hook_ops *ops = &basechain->ops;
1934 struct nft_hook *hook, *first = NULL;
1935 struct nlattr *nest, *nest_devs;
1938 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1940 goto nla_put_failure;
1941 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1942 goto nla_put_failure;
1943 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1944 goto nla_put_failure;
1946 if (nft_base_chain_netdev(family, ops->hooknum)) {
1947 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1949 goto nla_put_failure;
1952 hook_list = &basechain->hook_list;
1954 list_for_each_entry_rcu(hook, hook_list, list,
1955 lockdep_commit_lock_is_held(net)) {
1959 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1960 hook->ops.dev->name))
1961 goto nla_put_failure;
1964 nla_nest_end(skb, nest_devs);
1967 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1968 goto nla_put_failure;
1970 nla_nest_end(skb, nest);
1977 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1978 u32 portid, u32 seq, int event, u32 flags,
1979 int family, const struct nft_table *table,
1980 const struct nft_chain *chain,
1981 const struct list_head *hook_list)
1983 struct nlmsghdr *nlh;
1985 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1986 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1987 NFNETLINK_V0, nft_base_seq(net));
1989 goto nla_put_failure;
1991 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1992 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1993 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1995 goto nla_put_failure;
1997 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1998 nlmsg_end(skb, nlh);
2002 if (nft_is_base_chain(chain)) {
2003 const struct nft_base_chain *basechain = nft_base_chain(chain);
2004 struct nft_stats __percpu *stats;
2006 if (nft_dump_basechain_hook(skb, net, family, basechain, hook_list))
2007 goto nla_put_failure;
2009 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
2010 htonl(basechain->policy)))
2011 goto nla_put_failure;
2013 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
2014 goto nla_put_failure;
2016 stats = rcu_dereference_check(basechain->stats,
2017 lockdep_commit_lock_is_held(net));
2018 if (nft_dump_stats(skb, stats))
2019 goto nla_put_failure;
2023 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
2024 goto nla_put_failure;
2026 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
2027 goto nla_put_failure;
2030 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
2031 goto nla_put_failure;
2033 nlmsg_end(skb, nlh);
2037 nlmsg_trim(skb, nlh);
2041 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
2042 const struct list_head *hook_list)
2044 struct nftables_pernet *nft_net;
2045 struct sk_buff *skb;
2050 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2053 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2057 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
2058 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
2060 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
2061 event, flags, ctx->family, ctx->table,
2062 ctx->chain, hook_list);
2068 nft_net = nft_pernet(ctx->net);
2069 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
2072 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2075 static int nf_tables_dump_chains(struct sk_buff *skb,
2076 struct netlink_callback *cb)
2078 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2079 unsigned int idx = 0, s_idx = cb->args[0];
2080 struct net *net = sock_net(skb->sk);
2081 int family = nfmsg->nfgen_family;
2082 struct nftables_pernet *nft_net;
2083 const struct nft_table *table;
2084 const struct nft_chain *chain;
2087 nft_net = nft_pernet(net);
2088 cb->seq = READ_ONCE(nft_net->base_seq);
2090 list_for_each_entry_rcu(table, &nft_net->tables, list) {
2091 if (family != NFPROTO_UNSPEC && family != table->family)
2094 list_for_each_entry_rcu(chain, &table->chains, list) {
2098 memset(&cb->args[1], 0,
2099 sizeof(cb->args) - sizeof(cb->args[0]));
2100 if (!nft_is_active(net, chain))
2102 if (nf_tables_fill_chain_info(skb, net,
2103 NETLINK_CB(cb->skb).portid,
2107 table->family, table,
2111 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2122 /* called with rcu_read_lock held */
2123 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
2124 const struct nlattr * const nla[])
2126 struct netlink_ext_ack *extack = info->extack;
2127 u8 genmask = nft_genmask_cur(info->net);
2128 u8 family = info->nfmsg->nfgen_family;
2129 const struct nft_chain *chain;
2130 struct net *net = info->net;
2131 struct nft_table *table;
2132 struct sk_buff *skb2;
2135 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2136 struct netlink_dump_control c = {
2137 .dump = nf_tables_dump_chains,
2138 .module = THIS_MODULE,
2141 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
2144 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
2145 if (IS_ERR(table)) {
2146 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2147 return PTR_ERR(table);
2150 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
2151 if (IS_ERR(chain)) {
2152 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2153 return PTR_ERR(chain);
2156 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2160 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
2161 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
2162 0, family, table, chain, NULL);
2164 goto err_fill_chain_info;
2166 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2168 err_fill_chain_info:
2173 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2174 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2175 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2178 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2180 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2181 struct nft_stats __percpu *newstats;
2182 struct nft_stats *stats;
2185 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
2186 nft_counter_policy, NULL);
2188 return ERR_PTR_PCPU(err);
2190 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2191 return ERR_PTR_PCPU(-EINVAL);
2193 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2194 if (newstats == NULL)
2195 return ERR_PTR_PCPU(-ENOMEM);
2197 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2198 * are not exposed to userspace.
2201 stats = this_cpu_ptr(newstats);
2202 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2203 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2209 static void nft_chain_stats_replace(struct nft_trans_chain *trans)
2211 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans;
2212 struct nft_base_chain *chain = nft_base_chain(trans->chain);
2218 rcu_replace_pointer(chain->stats, trans->stats,
2219 lockdep_commit_lock_is_held(t->net));
2222 static_branch_inc(&nft_counters_enabled);
2225 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2227 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2228 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2234 /* should be NULL either via abort or via successful commit */
2235 WARN_ON_ONCE(chain->blob_next);
2236 kvfree(chain->blob_next);
2239 void nf_tables_chain_destroy(struct nft_chain *chain)
2241 const struct nft_table *table = chain->table;
2242 struct nft_hook *hook, *next;
2244 if (WARN_ON(chain->use > 0))
2247 /* no concurrent access possible anymore */
2248 nf_tables_chain_free_chain_rules(chain);
2250 if (nft_is_base_chain(chain)) {
2251 struct nft_base_chain *basechain = nft_base_chain(chain);
2253 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2254 list_for_each_entry_safe(hook, next,
2255 &basechain->hook_list, list) {
2256 list_del_rcu(&hook->list);
2257 kfree_rcu(hook, rcu);
2260 module_put(basechain->type->owner);
2261 if (rcu_access_pointer(basechain->stats)) {
2262 static_branch_dec(&nft_counters_enabled);
2263 free_percpu(rcu_dereference_raw(basechain->stats));
2266 kfree(chain->udata);
2270 kfree(chain->udata);
2275 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2276 const struct nlattr *attr)
2278 struct net_device *dev;
2279 char ifname[IFNAMSIZ];
2280 struct nft_hook *hook;
2283 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2286 goto err_hook_alloc;
2289 nla_strscpy(ifname, attr, IFNAMSIZ);
2290 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2291 * indirectly serializing all the other holders of the commit_mutex with
2294 dev = __dev_get_by_name(net, ifname);
2299 hook->ops.dev = dev;
2306 return ERR_PTR(err);
2309 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2310 const struct nft_hook *this)
2312 struct nft_hook *hook;
2314 list_for_each_entry(hook, hook_list, list) {
2315 if (this->ops.dev == hook->ops.dev)
2322 static int nf_tables_parse_netdev_hooks(struct net *net,
2323 const struct nlattr *attr,
2324 struct list_head *hook_list,
2325 struct netlink_ext_ack *extack)
2327 struct nft_hook *hook, *next;
2328 const struct nlattr *tmp;
2329 int rem, n = 0, err;
2331 nla_for_each_nested(tmp, attr, rem) {
2332 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2337 hook = nft_netdev_hook_alloc(net, tmp);
2339 NL_SET_BAD_ATTR(extack, tmp);
2340 err = PTR_ERR(hook);
2343 if (nft_hook_list_find(hook_list, hook)) {
2344 NL_SET_BAD_ATTR(extack, tmp);
2349 list_add_tail(&hook->list, hook_list);
2352 if (n == NFT_NETDEVICE_MAX) {
2361 list_for_each_entry_safe(hook, next, hook_list, list) {
2362 list_del(&hook->list);
2368 struct nft_chain_hook {
2371 const struct nft_chain_type *type;
2372 struct list_head list;
2375 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2376 struct list_head *hook_list,
2377 struct netlink_ext_ack *extack, u32 flags)
2379 struct nft_hook *hook;
2382 if (tb[NFTA_HOOK_DEV]) {
2383 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2385 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2386 return PTR_ERR(hook);
2389 list_add_tail(&hook->list, hook_list);
2390 } else if (tb[NFTA_HOOK_DEVS]) {
2391 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2398 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2399 list_empty(hook_list))
2405 static int nft_chain_parse_hook(struct net *net,
2406 struct nft_base_chain *basechain,
2407 const struct nlattr * const nla[],
2408 struct nft_chain_hook *hook, u8 family,
2409 u32 flags, struct netlink_ext_ack *extack)
2411 struct nftables_pernet *nft_net = nft_pernet(net);
2412 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2413 const struct nft_chain_type *type;
2416 lockdep_assert_held(&nft_net->commit_mutex);
2417 lockdep_nfnl_nft_mutex_not_held();
2419 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2420 nla[NFTA_CHAIN_HOOK],
2421 nft_hook_policy, NULL);
2426 if (!ha[NFTA_HOOK_HOOKNUM] ||
2427 !ha[NFTA_HOOK_PRIORITY]) {
2428 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2432 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2433 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2435 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2439 if (nla[NFTA_CHAIN_TYPE]) {
2440 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2443 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2444 return PTR_ERR(type);
2447 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2450 if (type->type == NFT_CHAIN_T_NAT &&
2451 hook->priority <= NF_IP_PRI_CONNTRACK)
2454 if (ha[NFTA_HOOK_HOOKNUM]) {
2455 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2456 if (hook->num != basechain->ops.hooknum)
2459 if (ha[NFTA_HOOK_PRIORITY]) {
2460 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2461 if (hook->priority != basechain->ops.priority)
2465 if (nla[NFTA_CHAIN_TYPE]) {
2466 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2469 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2473 type = basechain->type;
2477 if (!try_module_get(type->owner)) {
2478 if (nla[NFTA_CHAIN_TYPE])
2479 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2485 INIT_LIST_HEAD(&hook->list);
2486 if (nft_base_chain_netdev(family, hook->num)) {
2487 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2489 module_put(type->owner);
2492 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2493 module_put(type->owner);
2500 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2502 struct nft_hook *h, *next;
2504 list_for_each_entry_safe(h, next, &hook->list, list) {
2508 module_put(hook->type->owner);
2511 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2513 struct nft_rule_dp_last *lrule;
2515 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2517 lrule = (struct nft_rule_dp_last *)ptr;
2518 lrule->end.is_last = 1;
2519 lrule->chain = chain;
2520 /* blob size does not include the trailer rule */
2523 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2526 struct nft_rule_blob *blob;
2531 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2533 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2538 nft_last_rule(chain, blob->data);
2543 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2544 const struct nft_chain_hook *hook,
2545 struct nft_chain *chain)
2548 ops->hooknum = hook->num;
2549 ops->priority = hook->priority;
2551 ops->hook = hook->type->hooks[ops->hooknum];
2552 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2555 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2556 struct nft_chain_hook *hook, u32 flags)
2558 struct nft_chain *chain;
2561 basechain->type = hook->type;
2562 INIT_LIST_HEAD(&basechain->hook_list);
2563 chain = &basechain->chain;
2565 if (nft_base_chain_netdev(family, hook->num)) {
2566 list_splice_init(&hook->list, &basechain->hook_list);
2567 list_for_each_entry(h, &basechain->hook_list, list)
2568 nft_basechain_hook_init(&h->ops, family, hook, chain);
2570 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2572 chain->flags |= NFT_CHAIN_BASE | flags;
2573 basechain->policy = NF_ACCEPT;
2574 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2575 !nft_chain_offload_support(basechain)) {
2576 list_splice_init(&basechain->hook_list, &hook->list);
2580 flow_block_init(&basechain->flow_block);
2585 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2589 err = rhltable_insert_key(&table->chains_ht, chain->name,
2590 &chain->rhlhead, nft_chain_ht_params);
2594 list_add_tail_rcu(&chain->list, &table->chains);
2599 static u64 chain_id;
2601 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2602 u8 policy, u32 flags,
2603 struct netlink_ext_ack *extack)
2605 const struct nlattr * const *nla = ctx->nla;
2606 struct nft_table *table = ctx->table;
2607 struct nft_base_chain *basechain;
2608 struct net *net = ctx->net;
2609 char name[NFT_NAME_MAXLEN];
2610 struct nft_rule_blob *blob;
2611 struct nft_trans *trans;
2612 struct nft_chain *chain;
2615 if (nla[NFTA_CHAIN_HOOK]) {
2616 struct nft_stats __percpu *stats = NULL;
2617 struct nft_chain_hook hook = {};
2619 if (table->flags & __NFT_TABLE_F_UPDATE)
2622 if (flags & NFT_CHAIN_BINDING)
2625 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2630 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2631 if (basechain == NULL) {
2632 nft_chain_release_hook(&hook);
2635 chain = &basechain->chain;
2637 if (nla[NFTA_CHAIN_COUNTERS]) {
2638 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2639 if (IS_ERR_PCPU(stats)) {
2640 nft_chain_release_hook(&hook);
2642 return PTR_ERR_PCPU(stats);
2644 rcu_assign_pointer(basechain->stats, stats);
2647 err = nft_basechain_init(basechain, family, &hook, flags);
2649 nft_chain_release_hook(&hook);
2655 static_branch_inc(&nft_counters_enabled);
2657 if (flags & NFT_CHAIN_BASE)
2659 if (flags & NFT_CHAIN_HW_OFFLOAD)
2662 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2666 chain->flags = flags;
2670 INIT_LIST_HEAD(&chain->rules);
2671 chain->handle = nf_tables_alloc_handle(table);
2672 chain->table = table;
2674 if (nla[NFTA_CHAIN_NAME]) {
2675 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2677 if (!(flags & NFT_CHAIN_BINDING)) {
2679 goto err_destroy_chain;
2682 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2683 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2688 goto err_destroy_chain;
2691 if (nla[NFTA_CHAIN_USERDATA]) {
2692 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2693 if (chain->udata == NULL) {
2695 goto err_destroy_chain;
2697 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2700 blob = nf_tables_chain_alloc_rules(chain, 0);
2703 goto err_destroy_chain;
2706 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2707 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2709 if (!nft_use_inc(&table->use)) {
2711 goto err_destroy_chain;
2714 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2715 if (IS_ERR(trans)) {
2716 err = PTR_ERR(trans);
2720 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2721 if (nft_is_base_chain(chain))
2722 nft_trans_chain_policy(trans) = policy;
2724 err = nft_chain_add(table, chain);
2728 /* This must be LAST to ensure no packets are walking over this chain. */
2729 err = nf_tables_register_hook(net, table, chain);
2731 goto err_register_hook;
2736 nft_chain_del(chain);
2738 nft_trans_destroy(trans);
2740 nft_use_dec_restore(&table->use);
2742 nf_tables_chain_destroy(chain);
2747 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2748 u32 flags, const struct nlattr *attr,
2749 struct netlink_ext_ack *extack)
2751 const struct nlattr * const *nla = ctx->nla;
2752 struct nft_base_chain *basechain = NULL;
2753 struct nft_table *table = ctx->table;
2754 struct nft_chain *chain = ctx->chain;
2755 struct nft_chain_hook hook = {};
2756 struct nft_stats __percpu *stats = NULL;
2757 struct nft_hook *h, *next;
2758 struct nf_hook_ops *ops;
2759 struct nft_trans *trans;
2760 bool unregister = false;
2763 if (chain->flags ^ flags)
2766 INIT_LIST_HEAD(&hook.list);
2768 if (nla[NFTA_CHAIN_HOOK]) {
2769 if (!nft_is_base_chain(chain)) {
2770 NL_SET_BAD_ATTR(extack, attr);
2774 basechain = nft_base_chain(chain);
2775 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2776 ctx->family, flags, extack);
2780 if (basechain->type != hook.type) {
2781 nft_chain_release_hook(&hook);
2782 NL_SET_BAD_ATTR(extack, attr);
2786 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2787 list_for_each_entry_safe(h, next, &hook.list, list) {
2788 h->ops.pf = basechain->ops.pf;
2789 h->ops.hooknum = basechain->ops.hooknum;
2790 h->ops.priority = basechain->ops.priority;
2791 h->ops.priv = basechain->ops.priv;
2792 h->ops.hook = basechain->ops.hook;
2794 if (nft_hook_list_find(&basechain->hook_list, h)) {
2800 ops = &basechain->ops;
2801 if (ops->hooknum != hook.num ||
2802 ops->priority != hook.priority) {
2803 nft_chain_release_hook(&hook);
2804 NL_SET_BAD_ATTR(extack, attr);
2810 if (nla[NFTA_CHAIN_HANDLE] &&
2811 nla[NFTA_CHAIN_NAME]) {
2812 struct nft_chain *chain2;
2814 chain2 = nft_chain_lookup(ctx->net, table,
2815 nla[NFTA_CHAIN_NAME], genmask);
2816 if (!IS_ERR(chain2)) {
2817 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2823 if (table->flags & __NFT_TABLE_F_UPDATE &&
2824 !list_empty(&hook.list)) {
2825 NL_SET_BAD_ATTR(extack, attr);
2830 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2831 nft_is_base_chain(chain) &&
2832 !list_empty(&hook.list)) {
2833 basechain = nft_base_chain(chain);
2834 ops = &basechain->ops;
2836 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2837 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2845 if (nla[NFTA_CHAIN_COUNTERS]) {
2846 if (!nft_is_base_chain(chain)) {
2851 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2852 if (IS_ERR_PCPU(stats)) {
2853 err = PTR_ERR_PCPU(stats);
2859 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN);
2863 nft_trans_chain_stats(trans) = stats;
2864 nft_trans_chain_update(trans) = true;
2866 if (nla[NFTA_CHAIN_POLICY])
2867 nft_trans_chain_policy(trans) = policy;
2869 nft_trans_chain_policy(trans) = -1;
2871 if (nla[NFTA_CHAIN_HANDLE] &&
2872 nla[NFTA_CHAIN_NAME]) {
2873 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2874 struct nft_trans *tmp;
2878 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2883 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2884 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2885 tmp->table == table &&
2886 nft_trans_chain_update(tmp) &&
2887 nft_trans_chain_name(tmp) &&
2888 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2889 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2895 nft_trans_chain_name(trans) = name;
2898 nft_trans_basechain(trans) = basechain;
2899 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2900 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2901 if (nla[NFTA_CHAIN_HOOK])
2902 module_put(hook.type->owner);
2904 nft_trans_commit_list_add_tail(ctx->net, trans);
2912 if (nla[NFTA_CHAIN_HOOK]) {
2913 list_for_each_entry_safe(h, next, &hook.list, list) {
2915 nf_unregister_net_hook(ctx->net, &h->ops);
2919 module_put(hook.type->owner);
2925 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2926 const struct nft_table *table,
2927 const struct nlattr *nla, u8 genmask)
2929 struct nftables_pernet *nft_net = nft_pernet(net);
2930 u32 id = ntohl(nla_get_be32(nla));
2931 struct nft_trans *trans;
2933 list_for_each_entry(trans, &nft_net->commit_list, list) {
2934 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2935 nft_trans_chain(trans)->table == table &&
2936 id == nft_trans_chain_id(trans) &&
2937 nft_active_genmask(nft_trans_chain(trans), genmask))
2938 return nft_trans_chain(trans);
2940 return ERR_PTR(-ENOENT);
2943 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2944 const struct nlattr * const nla[])
2946 struct nftables_pernet *nft_net = nft_pernet(info->net);
2947 struct netlink_ext_ack *extack = info->extack;
2948 u8 genmask = nft_genmask_next(info->net);
2949 u8 family = info->nfmsg->nfgen_family;
2950 struct nft_chain *chain = NULL;
2951 struct net *net = info->net;
2952 const struct nlattr *attr;
2953 struct nft_table *table;
2954 u8 policy = NF_ACCEPT;
2959 lockdep_assert_held(&nft_net->commit_mutex);
2961 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2962 NETLINK_CB(skb).portid);
2963 if (IS_ERR(table)) {
2964 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2965 return PTR_ERR(table);
2969 attr = nla[NFTA_CHAIN_NAME];
2971 if (nla[NFTA_CHAIN_HANDLE]) {
2972 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2973 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2974 if (IS_ERR(chain)) {
2975 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2976 return PTR_ERR(chain);
2978 attr = nla[NFTA_CHAIN_HANDLE];
2979 } else if (nla[NFTA_CHAIN_NAME]) {
2980 chain = nft_chain_lookup(net, table, attr, genmask);
2981 if (IS_ERR(chain)) {
2982 if (PTR_ERR(chain) != -ENOENT) {
2983 NL_SET_BAD_ATTR(extack, attr);
2984 return PTR_ERR(chain);
2988 } else if (!nla[NFTA_CHAIN_ID]) {
2992 if (nla[NFTA_CHAIN_POLICY]) {
2993 if (chain != NULL &&
2994 !nft_is_base_chain(chain)) {
2995 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2999 if (chain == NULL &&
3000 nla[NFTA_CHAIN_HOOK] == NULL) {
3001 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
3005 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
3015 if (nla[NFTA_CHAIN_FLAGS])
3016 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
3018 flags = chain->flags;
3020 if (flags & ~NFT_CHAIN_FLAGS)
3023 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3025 if (chain != NULL) {
3026 if (chain->flags & NFT_CHAIN_BINDING)
3029 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3030 NL_SET_BAD_ATTR(extack, attr);
3033 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3036 flags |= chain->flags & NFT_CHAIN_BASE;
3037 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
3041 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
3044 static int nft_delchain_hook(struct nft_ctx *ctx,
3045 struct nft_base_chain *basechain,
3046 struct netlink_ext_ack *extack)
3048 const struct nft_chain *chain = &basechain->chain;
3049 const struct nlattr * const *nla = ctx->nla;
3050 struct nft_chain_hook chain_hook = {};
3051 struct nft_hook *this, *hook;
3052 LIST_HEAD(chain_del_list);
3053 struct nft_trans *trans;
3056 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
3059 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
3060 ctx->family, chain->flags, extack);
3064 list_for_each_entry(this, &chain_hook.list, list) {
3065 hook = nft_hook_list_find(&basechain->hook_list, this);
3068 goto err_chain_del_hook;
3070 list_move(&hook->list, &chain_del_list);
3073 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);
3076 goto err_chain_del_hook;
3079 nft_trans_basechain(trans) = basechain;
3080 nft_trans_chain_update(trans) = true;
3081 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
3082 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
3083 nft_chain_release_hook(&chain_hook);
3085 nft_trans_commit_list_add_tail(ctx->net, trans);
3090 list_splice(&chain_del_list, &basechain->hook_list);
3091 nft_chain_release_hook(&chain_hook);
3096 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
3097 const struct nlattr * const nla[])
3099 struct netlink_ext_ack *extack = info->extack;
3100 u8 genmask = nft_genmask_next(info->net);
3101 u8 family = info->nfmsg->nfgen_family;
3102 struct net *net = info->net;
3103 const struct nlattr *attr;
3104 struct nft_table *table;
3105 struct nft_chain *chain;
3106 struct nft_rule *rule;
3112 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
3113 NETLINK_CB(skb).portid);
3114 if (IS_ERR(table)) {
3115 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
3116 return PTR_ERR(table);
3119 if (nla[NFTA_CHAIN_HANDLE]) {
3120 attr = nla[NFTA_CHAIN_HANDLE];
3121 handle = be64_to_cpu(nla_get_be64(attr));
3122 chain = nft_chain_lookup_byhandle(table, handle, genmask);
3124 attr = nla[NFTA_CHAIN_NAME];
3125 chain = nft_chain_lookup(net, table, attr, genmask);
3127 if (IS_ERR(chain)) {
3128 if (PTR_ERR(chain) == -ENOENT &&
3129 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
3132 NL_SET_BAD_ATTR(extack, attr);
3133 return PTR_ERR(chain);
3136 if (nft_chain_binding(chain))
3139 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3141 if (nla[NFTA_CHAIN_HOOK]) {
3142 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
3143 chain->flags & NFT_CHAIN_HW_OFFLOAD)
3146 if (nft_is_base_chain(chain)) {
3147 struct nft_base_chain *basechain = nft_base_chain(chain);
3149 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
3150 return nft_delchain_hook(&ctx, basechain, extack);
3154 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
3159 list_for_each_entry(rule, &chain->rules, list) {
3160 if (!nft_is_active_next(net, rule))
3164 err = nft_delrule(&ctx, rule);
3169 /* There are rules and elements that are still holding references to us,
3170 * we cannot do a recursive removal in this case.
3173 NL_SET_BAD_ATTR(extack, attr);
3177 return nft_delchain(&ctx);
3185 * nft_register_expr - register nf_tables expr type
3188 * Registers the expr type for use with nf_tables. Returns zero on
3189 * success or a negative errno code otherwise.
3191 int nft_register_expr(struct nft_expr_type *type)
3193 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
3196 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3197 if (type->family == NFPROTO_UNSPEC)
3198 list_add_tail_rcu(&type->list, &nf_tables_expressions);
3200 list_add_rcu(&type->list, &nf_tables_expressions);
3201 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3204 EXPORT_SYMBOL_GPL(nft_register_expr);
3207 * nft_unregister_expr - unregister nf_tables expr type
3210 * Unregisters the expr typefor use with nf_tables.
3212 void nft_unregister_expr(struct nft_expr_type *type)
3214 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3215 list_del_rcu(&type->list);
3216 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3218 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3220 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3223 const struct nft_expr_type *type, *candidate = NULL;
3225 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3226 if (!nla_strcmp(nla, type->name)) {
3227 if (!type->family && !candidate)
3229 else if (type->family == family)
3236 #ifdef CONFIG_MODULES
3237 static int nft_expr_type_request_module(struct net *net, u8 family,
3240 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3241 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3248 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3252 const struct nft_expr_type *type;
3255 return ERR_PTR(-EINVAL);
3258 type = __nft_expr_type_get(family, nla);
3259 if (type != NULL && try_module_get(type->owner)) {
3265 lockdep_nfnl_nft_mutex_not_held();
3266 #ifdef CONFIG_MODULES
3268 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3269 return ERR_PTR(-EAGAIN);
3271 if (nft_request_module(net, "nft-expr-%.*s",
3273 (char *)nla_data(nla)) == -EAGAIN)
3274 return ERR_PTR(-EAGAIN);
3277 return ERR_PTR(-ENOENT);
3280 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3281 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3282 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3283 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3286 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3287 const struct nft_expr *expr, bool reset)
3289 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3290 goto nla_put_failure;
3292 if (expr->ops->dump) {
3293 struct nlattr *data = nla_nest_start_noflag(skb,
3296 goto nla_put_failure;
3297 if (expr->ops->dump(skb, expr, reset) < 0)
3298 goto nla_put_failure;
3299 nla_nest_end(skb, data);
3308 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3309 const struct nft_expr *expr, bool reset)
3311 struct nlattr *nest;
3313 nest = nla_nest_start_noflag(skb, attr);
3315 goto nla_put_failure;
3316 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3317 goto nla_put_failure;
3318 nla_nest_end(skb, nest);
3325 struct nft_expr_info {
3326 const struct nft_expr_ops *ops;
3327 const struct nlattr *attr;
3328 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3331 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3332 const struct nlattr *nla,
3333 struct nft_expr_info *info)
3335 const struct nft_expr_type *type;
3336 const struct nft_expr_ops *ops;
3337 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3340 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3341 nft_expr_policy, NULL);
3345 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3347 return PTR_ERR(type);
3349 if (tb[NFTA_EXPR_DATA]) {
3350 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3352 type->policy, NULL);
3356 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3358 if (type->select_ops != NULL) {
3359 ops = type->select_ops(ctx,
3360 (const struct nlattr * const *)info->tb);
3363 #ifdef CONFIG_MODULES
3365 if (nft_expr_type_request_module(ctx->net,
3367 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3381 module_put(type->owner);
3385 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3386 struct nft_expr_info *info)
3388 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3389 const struct nft_expr_type *type;
3392 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3393 nft_expr_policy, NULL);
3397 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3402 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3408 if (!type->inner_ops) {
3413 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3415 type->policy, NULL);
3420 info->ops = type->inner_ops;
3422 /* No module reference will be taken on type->owner.
3423 * Presence of type->inner_ops implies that the expression
3424 * is builtin, so it cannot go away.
3434 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3435 const struct nft_expr_info *expr_info,
3436 struct nft_expr *expr)
3438 const struct nft_expr_ops *ops = expr_info->ops;
3443 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3454 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3455 struct nft_expr *expr)
3457 const struct nft_expr_type *type = expr->ops->type;
3459 if (expr->ops->destroy)
3460 expr->ops->destroy(ctx, expr);
3461 module_put(type->owner);
3464 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3465 const struct nlattr *nla)
3467 struct nft_expr_info expr_info;
3468 struct nft_expr *expr;
3469 struct module *owner;
3472 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3474 goto err_expr_parse;
3477 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3478 goto err_expr_stateful;
3481 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3483 goto err_expr_stateful;
3485 err = nf_tables_newexpr(ctx, &expr_info, expr);
3493 owner = expr_info.ops->type->owner;
3494 if (expr_info.ops->type->release_ops)
3495 expr_info.ops->type->release_ops(expr_info.ops);
3499 return ERR_PTR(err);
3502 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
3506 if (WARN_ON_ONCE(!src->ops->clone))
3509 dst->ops = src->ops;
3510 err = src->ops->clone(dst, src, gfp);
3514 __module_get(src->ops->type->owner);
3519 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3521 nf_tables_expr_destroy(ctx, expr);
3529 static struct nft_rule *__nft_rule_lookup(const struct net *net,
3530 const struct nft_chain *chain,
3533 struct nft_rule *rule;
3535 // FIXME: this sucks
3536 list_for_each_entry_rcu(rule, &chain->rules, list,
3537 lockdep_commit_lock_is_held(net)) {
3538 if (handle == rule->handle)
3542 return ERR_PTR(-ENOENT);
3545 static struct nft_rule *nft_rule_lookup(const struct net *net,
3546 const struct nft_chain *chain,
3547 const struct nlattr *nla)
3550 return ERR_PTR(-EINVAL);
3552 return __nft_rule_lookup(net, chain, be64_to_cpu(nla_get_be64(nla)));
3555 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3556 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3557 .len = NFT_TABLE_MAXNAMELEN - 1 },
3558 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3559 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3560 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3561 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3562 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3563 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3564 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3565 .len = NFT_USERDATA_MAXLEN },
3566 [NFTA_RULE_ID] = { .type = NLA_U32 },
3567 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3568 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3571 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3572 u32 portid, u32 seq, int event,
3573 u32 flags, int family,
3574 const struct nft_table *table,
3575 const struct nft_chain *chain,
3576 const struct nft_rule *rule, u64 handle,
3579 struct nlmsghdr *nlh;
3580 const struct nft_expr *expr, *next;
3581 struct nlattr *list;
3582 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3584 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3587 goto nla_put_failure;
3589 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3590 goto nla_put_failure;
3591 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3592 goto nla_put_failure;
3593 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3595 goto nla_put_failure;
3597 if (event != NFT_MSG_DELRULE && handle) {
3598 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3600 goto nla_put_failure;
3603 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3604 nft_flow_rule_stats(chain, rule);
3606 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3608 goto nla_put_failure;
3609 nft_rule_for_each_expr(expr, next, rule) {
3610 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3611 goto nla_put_failure;
3613 nla_nest_end(skb, list);
3616 struct nft_userdata *udata = nft_userdata(rule);
3617 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3619 goto nla_put_failure;
3622 nlmsg_end(skb, nlh);
3626 nlmsg_trim(skb, nlh);
3630 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3631 const struct nft_rule *rule, int event)
3633 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3634 const struct nft_rule *prule;
3635 struct sk_buff *skb;
3641 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3644 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3648 if (event == NFT_MSG_NEWRULE &&
3649 !list_is_first(&rule->list, &ctx->chain->rules) &&
3650 !list_is_last(&rule->list, &ctx->chain->rules)) {
3651 prule = list_prev_entry(rule, list);
3652 handle = prule->handle;
3654 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3655 flags |= NLM_F_APPEND;
3656 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3657 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3659 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3660 event, flags, ctx->family, ctx->table,
3661 ctx->chain, rule, handle, false);
3667 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3670 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3673 static void audit_log_rule_reset(const struct nft_table *table,
3674 unsigned int base_seq,
3675 unsigned int nentries)
3677 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3678 table->name, base_seq);
3680 audit_log_nfcfg(buf, table->family, nentries,
3681 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3685 struct nft_rule_dump_ctx {
3692 static int __nf_tables_dump_rules(struct sk_buff *skb,
3694 struct netlink_callback *cb,
3695 const struct nft_table *table,
3696 const struct nft_chain *chain)
3698 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3699 struct net *net = sock_net(skb->sk);
3700 const struct nft_rule *rule, *prule;
3701 unsigned int entries = 0;
3706 list_for_each_entry_rcu(rule, &chain->rules, list) {
3707 if (!nft_is_active(net, rule))
3709 if (*idx < ctx->s_idx)
3712 handle = prule->handle;
3716 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3719 NLM_F_MULTI | NLM_F_APPEND,
3721 table, chain, rule, handle, ctx->reset) < 0) {
3726 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3733 if (ctx->reset && entries)
3734 audit_log_rule_reset(table, cb->seq, entries);
3739 static int nf_tables_dump_rules(struct sk_buff *skb,
3740 struct netlink_callback *cb)
3742 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3743 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3744 struct nft_table *table;
3745 const struct nft_chain *chain;
3746 unsigned int idx = 0;
3747 struct net *net = sock_net(skb->sk);
3748 int family = nfmsg->nfgen_family;
3749 struct nftables_pernet *nft_net;
3752 nft_net = nft_pernet(net);
3753 cb->seq = READ_ONCE(nft_net->base_seq);
3755 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3756 if (family != NFPROTO_UNSPEC && family != table->family)
3759 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3762 if (ctx->table && ctx->chain) {
3763 struct rhlist_head *list, *tmp;
3765 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3766 nft_chain_ht_params);
3770 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3771 if (!nft_is_active(net, chain))
3773 __nf_tables_dump_rules(skb, &idx,
3780 list_for_each_entry_rcu(chain, &table->chains, list) {
3781 if (__nf_tables_dump_rules(skb, &idx,
3796 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3797 struct netlink_callback *cb)
3799 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3802 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3803 * do not underrun counters and quotas. The commit_mutex is used for
3804 * the lack a better lock, this is not transaction path.
3806 mutex_lock(&nft_net->commit_mutex);
3807 ret = nf_tables_dump_rules(skb, cb);
3808 mutex_unlock(&nft_net->commit_mutex);
3813 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3815 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3816 const struct nlattr * const *nla = cb->data;
3818 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3820 if (nla[NFTA_RULE_TABLE]) {
3821 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3825 if (nla[NFTA_RULE_CHAIN]) {
3826 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3835 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3837 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3841 return nf_tables_dump_rules_start(cb);
3844 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3846 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3853 /* Caller must hold rcu read lock or transaction mutex */
3854 static struct sk_buff *
3855 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3856 const struct nlattr * const nla[], bool reset)
3858 struct netlink_ext_ack *extack = info->extack;
3859 u8 genmask = nft_genmask_cur(info->net);
3860 u8 family = info->nfmsg->nfgen_family;
3861 const struct nft_chain *chain;
3862 const struct nft_rule *rule;
3863 struct net *net = info->net;
3864 struct nft_table *table;
3865 struct sk_buff *skb2;
3868 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3869 if (IS_ERR(table)) {
3870 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3871 return ERR_CAST(table);
3874 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3875 if (IS_ERR(chain)) {
3876 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3877 return ERR_CAST(chain);
3880 rule = nft_rule_lookup(net, chain, nla[NFTA_RULE_HANDLE]);
3882 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3883 return ERR_CAST(rule);
3886 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3888 return ERR_PTR(-ENOMEM);
3890 err = nf_tables_fill_rule_info(skb2, net, portid,
3891 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3892 family, table, chain, rule, 0, reset);
3895 return ERR_PTR(err);
3901 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3902 const struct nlattr * const nla[])
3904 u32 portid = NETLINK_CB(skb).portid;
3905 struct net *net = info->net;
3906 struct sk_buff *skb2;
3908 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3909 struct netlink_dump_control c = {
3910 .start= nf_tables_dump_rules_start,
3911 .dump = nf_tables_dump_rules,
3912 .done = nf_tables_dump_rules_done,
3913 .module = THIS_MODULE,
3914 .data = (void *)nla,
3917 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3920 skb2 = nf_tables_getrule_single(portid, info, nla, false);
3922 return PTR_ERR(skb2);
3924 return nfnetlink_unicast(skb2, net, portid);
3927 static int nf_tables_getrule_reset(struct sk_buff *skb,
3928 const struct nfnl_info *info,
3929 const struct nlattr * const nla[])
3931 struct nftables_pernet *nft_net = nft_pernet(info->net);
3932 u32 portid = NETLINK_CB(skb).portid;
3933 struct net *net = info->net;
3934 struct sk_buff *skb2;
3937 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3938 struct netlink_dump_control c = {
3939 .start= nf_tables_dumpreset_rules_start,
3940 .dump = nf_tables_dumpreset_rules,
3941 .done = nf_tables_dump_rules_done,
3942 .module = THIS_MODULE,
3943 .data = (void *)nla,
3946 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3949 if (!try_module_get(THIS_MODULE))
3952 mutex_lock(&nft_net->commit_mutex);
3953 skb2 = nf_tables_getrule_single(portid, info, nla, true);
3954 mutex_unlock(&nft_net->commit_mutex);
3956 module_put(THIS_MODULE);
3959 return PTR_ERR(skb2);
3961 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3962 nla_len(nla[NFTA_RULE_TABLE]),
3963 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3965 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3966 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3969 return nfnetlink_unicast(skb2, net, portid);
3972 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3974 struct nft_expr *expr, *next;
3977 * Careful: some expressions might not be initialized in case this
3978 * is called on error from nf_tables_newrule().
3980 expr = nft_expr_first(rule);
3981 while (nft_expr_more(rule, expr)) {
3982 next = nft_expr_next(expr);
3983 nf_tables_expr_destroy(ctx, expr);
3989 /* can only be used if rule is no longer visible to dumps */
3990 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3992 lockdep_commit_lock_is_held(ctx->net);
3994 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3995 nf_tables_rule_destroy(ctx, rule);
3998 /** nft_chain_validate - loop detection and hook validation
4000 * @ctx: context containing call depth and base chain
4001 * @chain: chain to validate
4003 * Walk through the rules of the given chain and chase all jumps/gotos
4004 * and set lookups until either the jump limit is hit or all reachable
4005 * chains have been validated.
4007 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
4009 struct nft_expr *expr, *last;
4010 struct nft_rule *rule;
4013 if (ctx->level == NFT_JUMP_STACK_SIZE)
4016 list_for_each_entry(rule, &chain->rules, list) {
4017 if (fatal_signal_pending(current))
4020 if (!nft_is_active_next(ctx->net, rule))
4023 nft_rule_for_each_expr(expr, last, rule) {
4024 if (!expr->ops->validate)
4027 /* This may call nft_chain_validate() recursively,
4028 * callers that do so must increment ctx->level.
4030 err = expr->ops->validate(ctx, expr);
4038 EXPORT_SYMBOL_GPL(nft_chain_validate);
4040 static int nft_table_validate(struct net *net, const struct nft_table *table)
4042 struct nft_chain *chain;
4043 struct nft_ctx ctx = {
4045 .family = table->family,
4049 list_for_each_entry(chain, &table->chains, list) {
4050 if (!nft_is_base_chain(chain))
4054 err = nft_chain_validate(&ctx, chain);
4064 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
4065 const struct nft_set_iter *iter,
4066 struct nft_elem_priv *elem_priv)
4068 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
4069 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
4070 const struct nft_data *data;
4073 if (!nft_set_elem_active(ext, iter->genmask))
4076 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4077 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4080 data = nft_set_ext_data(ext);
4081 switch (data->verdict.code) {
4085 err = nft_chain_validate(ctx, data->verdict.chain);
4097 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
4099 struct nft_set_iter dummy_iter = {
4100 .genmask = nft_genmask_next(ctx->net),
4102 struct nft_set_elem_catchall *catchall;
4104 struct nft_set_ext *ext;
4107 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
4108 lockdep_commit_lock_is_held(ctx->net)) {
4109 ext = nft_set_elem_ext(set, catchall->elem);
4110 if (!nft_set_elem_active(ext, dummy_iter.genmask))
4113 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
4121 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4122 const struct nft_chain *chain,
4123 const struct nlattr *nla);
4125 #define NFT_RULE_MAXEXPRS 128
4127 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
4128 const struct nlattr * const nla[])
4130 struct nftables_pernet *nft_net = nft_pernet(info->net);
4131 struct netlink_ext_ack *extack = info->extack;
4132 unsigned int size, i, n, ulen = 0, usize = 0;
4133 u8 genmask = nft_genmask_next(info->net);
4134 struct nft_rule *rule, *old_rule = NULL;
4135 struct nft_expr_info *expr_info = NULL;
4136 u8 family = info->nfmsg->nfgen_family;
4137 struct nft_flow_rule *flow = NULL;
4138 struct net *net = info->net;
4139 struct nft_userdata *udata;
4140 struct nft_table *table;
4141 struct nft_chain *chain;
4142 struct nft_trans *trans;
4143 u64 handle, pos_handle;
4144 struct nft_expr *expr;
4149 lockdep_assert_held(&nft_net->commit_mutex);
4151 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4152 NETLINK_CB(skb).portid);
4153 if (IS_ERR(table)) {
4154 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4155 return PTR_ERR(table);
4158 if (nla[NFTA_RULE_CHAIN]) {
4159 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4161 if (IS_ERR(chain)) {
4162 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4163 return PTR_ERR(chain);
4166 } else if (nla[NFTA_RULE_CHAIN_ID]) {
4167 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
4169 if (IS_ERR(chain)) {
4170 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
4171 return PTR_ERR(chain);
4177 if (nft_chain_is_bound(chain))
4180 if (nla[NFTA_RULE_HANDLE]) {
4181 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
4182 rule = __nft_rule_lookup(net, chain, handle);
4184 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4185 return PTR_ERR(rule);
4188 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4189 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4192 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4197 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
4198 info->nlh->nlmsg_flags & NLM_F_REPLACE)
4200 handle = nf_tables_alloc_handle(table);
4202 if (nla[NFTA_RULE_POSITION]) {
4203 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4204 old_rule = __nft_rule_lookup(net, chain, pos_handle);
4205 if (IS_ERR(old_rule)) {
4206 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4207 return PTR_ERR(old_rule);
4209 } else if (nla[NFTA_RULE_POSITION_ID]) {
4210 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
4211 if (IS_ERR(old_rule)) {
4212 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4213 return PTR_ERR(old_rule);
4218 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4222 if (nla[NFTA_RULE_EXPRESSIONS]) {
4223 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
4224 sizeof(struct nft_expr_info),
4229 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4231 if (nla_type(tmp) != NFTA_LIST_ELEM)
4232 goto err_release_expr;
4233 if (n == NFT_RULE_MAXEXPRS)
4234 goto err_release_expr;
4235 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
4237 NL_SET_BAD_ATTR(extack, tmp);
4238 goto err_release_expr;
4240 size += expr_info[n].ops->size;
4244 /* Check for overflow of dlen field */
4246 if (size >= 1 << 12)
4247 goto err_release_expr;
4249 if (nla[NFTA_RULE_USERDATA]) {
4250 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4252 usize = sizeof(struct nft_userdata) + ulen;
4256 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4258 goto err_release_expr;
4260 nft_activate_next(net, rule);
4262 rule->handle = handle;
4264 rule->udata = ulen ? 1 : 0;
4267 udata = nft_userdata(rule);
4268 udata->len = ulen - 1;
4269 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4272 expr = nft_expr_first(rule);
4273 for (i = 0; i < n; i++) {
4274 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4276 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4277 goto err_release_rule;
4280 if (expr_info[i].ops->validate)
4281 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4283 expr_info[i].ops = NULL;
4284 expr = nft_expr_next(expr);
4287 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4288 flow = nft_flow_rule_create(net, rule);
4290 err = PTR_ERR(flow);
4291 goto err_release_rule;
4295 if (!nft_use_inc(&chain->use)) {
4297 goto err_release_rule;
4300 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4301 if (nft_chain_binding(chain)) {
4303 goto err_destroy_flow_rule;
4306 err = nft_delrule(&ctx, old_rule);
4308 goto err_destroy_flow_rule;
4310 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4311 if (trans == NULL) {
4313 goto err_destroy_flow_rule;
4315 list_add_tail_rcu(&rule->list, &old_rule->list);
4317 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4320 goto err_destroy_flow_rule;
4323 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4325 list_add_rcu(&rule->list, &old_rule->list);
4327 list_add_tail_rcu(&rule->list, &chain->rules);
4330 list_add_tail_rcu(&rule->list, &old_rule->list);
4332 list_add_rcu(&rule->list, &chain->rules);
4338 nft_trans_flow_rule(trans) = flow;
4340 if (table->validate_state == NFT_VALIDATE_DO)
4341 return nft_table_validate(net, table);
4345 err_destroy_flow_rule:
4346 nft_use_dec_restore(&chain->use);
4348 nft_flow_rule_destroy(flow);
4350 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4351 nf_tables_rule_destroy(&ctx, rule);
4353 for (i = 0; i < n; i++) {
4354 if (expr_info[i].ops) {
4355 module_put(expr_info[i].ops->type->owner);
4356 if (expr_info[i].ops->type->release_ops)
4357 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4365 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4366 const struct nft_chain *chain,
4367 const struct nlattr *nla)
4369 struct nftables_pernet *nft_net = nft_pernet(net);
4370 u32 id = ntohl(nla_get_be32(nla));
4371 struct nft_trans *trans;
4373 list_for_each_entry(trans, &nft_net->commit_list, list) {
4374 if (trans->msg_type == NFT_MSG_NEWRULE &&
4375 nft_trans_rule_chain(trans) == chain &&
4376 id == nft_trans_rule_id(trans))
4377 return nft_trans_rule(trans);
4379 return ERR_PTR(-ENOENT);
4382 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4383 const struct nlattr * const nla[])
4385 struct netlink_ext_ack *extack = info->extack;
4386 u8 genmask = nft_genmask_next(info->net);
4387 u8 family = info->nfmsg->nfgen_family;
4388 struct nft_chain *chain = NULL;
4389 struct net *net = info->net;
4390 struct nft_table *table;
4391 struct nft_rule *rule;
4395 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4396 NETLINK_CB(skb).portid);
4397 if (IS_ERR(table)) {
4398 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4399 return PTR_ERR(table);
4402 if (nla[NFTA_RULE_CHAIN]) {
4403 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4405 if (IS_ERR(chain)) {
4406 if (PTR_ERR(chain) == -ENOENT &&
4407 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4410 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4411 return PTR_ERR(chain);
4413 if (nft_chain_binding(chain))
4417 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4420 if (nla[NFTA_RULE_HANDLE]) {
4421 rule = nft_rule_lookup(info->net, chain, nla[NFTA_RULE_HANDLE]);
4423 if (PTR_ERR(rule) == -ENOENT &&
4424 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4427 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4428 return PTR_ERR(rule);
4431 err = nft_delrule(&ctx, rule);
4432 } else if (nla[NFTA_RULE_ID]) {
4433 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4435 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4436 return PTR_ERR(rule);
4439 err = nft_delrule(&ctx, rule);
4441 err = nft_delrule_by_chain(&ctx);
4444 list_for_each_entry(chain, &table->chains, list) {
4445 if (!nft_is_active_next(net, chain))
4447 if (nft_chain_binding(chain))
4451 err = nft_delrule_by_chain(&ctx);
4463 static const struct nft_set_type *nft_set_types[] = {
4464 &nft_set_hash_fast_type,
4466 &nft_set_rhash_type,
4467 &nft_set_bitmap_type,
4468 &nft_set_rbtree_type,
4469 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4470 &nft_set_pipapo_avx2_type,
4472 &nft_set_pipapo_type,
4475 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4476 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4479 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4481 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4485 * Select a set implementation based on the data characteristics and the
4486 * given policy. The total memory use might not be known if no size is
4487 * given, in that case the amount of memory per element is used.
4489 static const struct nft_set_ops *
4490 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
4491 const struct nft_set_desc *desc)
4493 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4494 const struct nft_set_ops *ops, *bops;
4495 struct nft_set_estimate est, best;
4496 const struct nft_set_type *type;
4499 lockdep_assert_held(&nft_net->commit_mutex);
4500 lockdep_nfnl_nft_mutex_not_held();
4507 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4508 type = nft_set_types[i];
4511 if (!nft_set_ops_candidate(type, flags))
4513 if (!ops->estimate(desc, flags, &est))
4516 switch (desc->policy) {
4517 case NFT_SET_POL_PERFORMANCE:
4518 if (est.lookup < best.lookup)
4520 if (est.lookup == best.lookup &&
4521 est.space < best.space)
4524 case NFT_SET_POL_MEMORY:
4526 if (est.space < best.space)
4528 if (est.space == best.space &&
4529 est.lookup < best.lookup)
4531 } else if (est.size < best.size || !bops) {
4546 return ERR_PTR(-EOPNOTSUPP);
4549 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4550 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4551 .len = NFT_TABLE_MAXNAMELEN - 1 },
4552 [NFTA_SET_NAME] = { .type = NLA_STRING,
4553 .len = NFT_SET_MAXNAMELEN - 1 },
4554 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4555 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4556 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4557 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4558 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4559 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4560 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4561 [NFTA_SET_ID] = { .type = NLA_U32 },
4562 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4563 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4564 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4565 .len = NFT_USERDATA_MAXLEN },
4566 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4567 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4568 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4569 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4572 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4573 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4576 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4577 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4578 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4581 static struct nft_set *nft_set_lookup(const struct net *net,
4582 const struct nft_table *table,
4583 const struct nlattr *nla, u8 genmask)
4585 struct nft_set *set;
4588 return ERR_PTR(-EINVAL);
4590 list_for_each_entry_rcu(set, &table->sets, list,
4591 lockdep_commit_lock_is_held(net)) {
4592 if (!nla_strcmp(nla, set->name) &&
4593 nft_active_genmask(set, genmask))
4596 return ERR_PTR(-ENOENT);
4599 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4600 const struct nlattr *nla,
4603 struct nft_set *set;
4605 list_for_each_entry(set, &table->sets, list) {
4606 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4607 nft_active_genmask(set, genmask))
4610 return ERR_PTR(-ENOENT);
4613 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4614 const struct nft_table *table,
4615 const struct nlattr *nla, u8 genmask)
4617 struct nftables_pernet *nft_net = nft_pernet(net);
4618 u32 id = ntohl(nla_get_be32(nla));
4619 struct nft_trans_set *trans;
4621 /* its likely the id we need is at the tail, not at start */
4622 list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) {
4623 struct nft_set *set = trans->set;
4625 if (id == trans->set_id &&
4626 set->table == table &&
4627 nft_active_genmask(set, genmask))
4630 return ERR_PTR(-ENOENT);
4633 struct nft_set *nft_set_lookup_global(const struct net *net,
4634 const struct nft_table *table,
4635 const struct nlattr *nla_set_name,
4636 const struct nlattr *nla_set_id,
4639 struct nft_set *set;
4641 set = nft_set_lookup(net, table, nla_set_name, genmask);
4646 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4650 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4652 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4655 const struct nft_set *i;
4657 unsigned long *inuse;
4658 unsigned int n = 0, min = 0;
4660 p = strchr(name, '%');
4662 if (p[1] != 'd' || strchr(p + 2, '%'))
4665 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4668 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4672 list_for_each_entry(i, &ctx->table->sets, list) {
4675 if (!nft_is_active_next(ctx->net, i))
4677 if (!sscanf(i->name, name, &tmp))
4679 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4682 set_bit(tmp - min, inuse);
4685 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4686 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4687 min += BITS_PER_BYTE * PAGE_SIZE;
4688 memset(inuse, 0, PAGE_SIZE);
4691 free_page((unsigned long)inuse);
4694 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4698 list_for_each_entry(i, &ctx->table->sets, list) {
4699 if (!nft_is_active_next(ctx->net, i))
4701 if (!strcmp(set->name, i->name)) {
4710 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4712 u64 ms = be64_to_cpu(nla_get_be64(nla));
4713 u64 max = (u64)(~((u64)0));
4715 max = div_u64(max, NSEC_PER_MSEC);
4719 ms *= NSEC_PER_MSEC;
4720 *result = nsecs_to_jiffies64(ms) ? : !!ms;
4724 __be64 nf_jiffies64_to_msecs(u64 input)
4726 return cpu_to_be64(jiffies64_to_msecs(input));
4729 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4730 const struct nft_set *set)
4732 struct nlattr *concat, *field;
4735 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4739 for (i = 0; i < set->field_count; i++) {
4740 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4744 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4745 htonl(set->field_len[i])))
4748 nla_nest_end(skb, field);
4751 nla_nest_end(skb, concat);
4756 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4757 const struct nft_set *set, u16 event, u16 flags)
4759 u64 timeout = READ_ONCE(set->timeout);
4760 u32 gc_int = READ_ONCE(set->gc_int);
4761 u32 portid = ctx->portid;
4762 struct nlmsghdr *nlh;
4763 struct nlattr *nest;
4767 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4768 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4769 NFNETLINK_V0, nft_base_seq(ctx->net));
4771 goto nla_put_failure;
4773 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4774 goto nla_put_failure;
4775 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4776 goto nla_put_failure;
4777 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4779 goto nla_put_failure;
4781 if (event == NFT_MSG_DELSET) {
4782 nlmsg_end(skb, nlh);
4786 if (set->flags != 0)
4787 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4788 goto nla_put_failure;
4790 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4791 goto nla_put_failure;
4792 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4793 goto nla_put_failure;
4794 if (set->flags & NFT_SET_MAP) {
4795 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4796 goto nla_put_failure;
4797 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4798 goto nla_put_failure;
4800 if (set->flags & NFT_SET_OBJECT &&
4801 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4802 goto nla_put_failure;
4805 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4806 nf_jiffies64_to_msecs(timeout),
4808 goto nla_put_failure;
4810 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4811 goto nla_put_failure;
4813 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4814 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4815 goto nla_put_failure;
4819 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4820 goto nla_put_failure;
4822 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4824 goto nla_put_failure;
4826 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4827 goto nla_put_failure;
4829 if (set->field_count > 1 &&
4830 nf_tables_fill_set_concat(skb, set))
4831 goto nla_put_failure;
4833 nla_nest_end(skb, nest);
4835 if (set->num_exprs == 1) {
4836 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4837 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4838 goto nla_put_failure;
4840 nla_nest_end(skb, nest);
4841 } else if (set->num_exprs > 1) {
4842 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4844 goto nla_put_failure;
4846 for (i = 0; i < set->num_exprs; i++) {
4847 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4848 set->exprs[i], false) < 0)
4849 goto nla_put_failure;
4851 nla_nest_end(skb, nest);
4854 nlmsg_end(skb, nlh);
4858 nlmsg_trim(skb, nlh);
4862 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4863 const struct nft_set *set, int event,
4866 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4867 u32 portid = ctx->portid;
4868 struct sk_buff *skb;
4873 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4876 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4880 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4881 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4883 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4889 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4892 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4895 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4897 const struct nft_set *set;
4898 unsigned int idx, s_idx = cb->args[0];
4899 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4900 struct net *net = sock_net(skb->sk);
4901 struct nft_ctx *ctx = cb->data, ctx_set;
4902 struct nftables_pernet *nft_net;
4908 nft_net = nft_pernet(net);
4909 cb->seq = READ_ONCE(nft_net->base_seq);
4911 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4912 if (ctx->family != NFPROTO_UNSPEC &&
4913 ctx->family != table->family)
4916 if (ctx->table && ctx->table != table)
4920 if (cur_table != table)
4926 list_for_each_entry_rcu(set, &table->sets, list) {
4929 if (!nft_is_active(net, set))
4933 ctx_set.table = table;
4934 ctx_set.family = table->family;
4936 if (nf_tables_fill_set(skb, &ctx_set, set,
4940 cb->args[2] = (unsigned long) table;
4943 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4956 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4958 struct nft_ctx *ctx_dump = NULL;
4960 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4961 if (ctx_dump == NULL)
4964 cb->data = ctx_dump;
4968 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4974 /* called with rcu_read_lock held */
4975 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4976 const struct nlattr * const nla[])
4978 struct netlink_ext_ack *extack = info->extack;
4979 u8 genmask = nft_genmask_cur(info->net);
4980 u8 family = info->nfmsg->nfgen_family;
4981 struct nft_table *table = NULL;
4982 struct net *net = info->net;
4983 const struct nft_set *set;
4984 struct sk_buff *skb2;
4988 if (nla[NFTA_SET_TABLE]) {
4989 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4991 if (IS_ERR(table)) {
4992 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4993 return PTR_ERR(table);
4997 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4999 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5000 struct netlink_dump_control c = {
5001 .start = nf_tables_dump_sets_start,
5002 .dump = nf_tables_dump_sets,
5003 .done = nf_tables_dump_sets_done,
5005 .module = THIS_MODULE,
5008 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5011 /* Only accept unspec with dump */
5012 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5013 return -EAFNOSUPPORT;
5014 if (!nla[NFTA_SET_TABLE])
5017 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask);
5019 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5020 return PTR_ERR(set);
5023 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5027 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
5029 goto err_fill_set_info;
5031 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
5038 static int nft_set_desc_concat_parse(const struct nlattr *attr,
5039 struct nft_set_desc *desc)
5041 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
5045 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
5048 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
5049 nft_concat_policy, NULL);
5053 if (!tb[NFTA_SET_FIELD_LEN])
5056 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
5057 if (!len || len > U8_MAX)
5060 desc->field_len[desc->field_count++] = len;
5065 static int nft_set_desc_concat(struct nft_set_desc *desc,
5066 const struct nlattr *nla)
5068 u32 num_regs = 0, key_num_regs = 0;
5069 struct nlattr *attr;
5072 nla_for_each_nested(attr, nla, rem) {
5073 if (nla_type(attr) != NFTA_LIST_ELEM)
5076 err = nft_set_desc_concat_parse(attr, desc);
5081 for (i = 0; i < desc->field_count; i++)
5082 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
5084 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
5085 if (key_num_regs != num_regs)
5088 if (num_regs > NFT_REG32_COUNT)
5094 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
5095 const struct nlattr *nla)
5097 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
5100 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
5101 nft_set_desc_policy, NULL);
5105 if (da[NFTA_SET_DESC_SIZE] != NULL)
5106 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
5107 if (da[NFTA_SET_DESC_CONCAT])
5108 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
5113 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
5114 const struct nlattr * const *nla,
5115 struct nft_expr **exprs, int *num_exprs,
5118 struct nft_expr *expr;
5121 if (nla[NFTA_SET_EXPR]) {
5122 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
5124 err = PTR_ERR(expr);
5125 goto err_set_expr_alloc;
5129 } else if (nla[NFTA_SET_EXPRESSIONS]) {
5133 if (!(flags & NFT_SET_EXPR)) {
5135 goto err_set_expr_alloc;
5138 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
5139 if (i == NFT_SET_EXPR_MAX) {
5141 goto err_set_expr_alloc;
5143 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5145 goto err_set_expr_alloc;
5147 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5149 err = PTR_ERR(expr);
5150 goto err_set_expr_alloc;
5160 for (i = 0; i < *num_exprs; i++)
5161 nft_expr_destroy(ctx, exprs[i]);
5166 static bool nft_set_is_same(const struct nft_set *set,
5167 const struct nft_set_desc *desc,
5168 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
5172 if (set->ktype != desc->ktype ||
5173 set->dtype != desc->dtype ||
5174 set->flags != flags ||
5175 set->klen != desc->klen ||
5176 set->dlen != desc->dlen ||
5177 set->field_count != desc->field_count ||
5178 set->num_exprs != num_exprs)
5181 for (i = 0; i < desc->field_count; i++) {
5182 if (set->field_len[i] != desc->field_len[i])
5186 for (i = 0; i < num_exprs; i++) {
5187 if (set->exprs[i]->ops != exprs[i]->ops)
5194 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5195 const struct nlattr * const nla[])
5197 struct netlink_ext_ack *extack = info->extack;
5198 u8 genmask = nft_genmask_next(info->net);
5199 u8 family = info->nfmsg->nfgen_family;
5200 const struct nft_set_ops *ops;
5201 struct net *net = info->net;
5202 struct nft_set_desc desc;
5203 struct nft_table *table;
5204 unsigned char *udata;
5205 struct nft_set *set;
5215 if (nla[NFTA_SET_TABLE] == NULL ||
5216 nla[NFTA_SET_NAME] == NULL ||
5217 nla[NFTA_SET_KEY_LEN] == NULL ||
5218 nla[NFTA_SET_ID] == NULL)
5221 memset(&desc, 0, sizeof(desc));
5223 desc.ktype = NFT_DATA_VALUE;
5224 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5225 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5226 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5230 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5231 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5235 if (nla[NFTA_SET_FLAGS] != NULL) {
5236 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5237 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5238 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5239 NFT_SET_MAP | NFT_SET_EVAL |
5240 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5242 /* Only one of these operations is supported */
5243 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5244 (NFT_SET_MAP | NFT_SET_OBJECT))
5246 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5247 (NFT_SET_EVAL | NFT_SET_OBJECT))
5249 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5250 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5252 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5253 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5258 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5259 if (!(flags & NFT_SET_MAP))
5262 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5263 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5264 desc.dtype != NFT_DATA_VERDICT)
5267 if (desc.dtype != NFT_DATA_VERDICT) {
5268 if (nla[NFTA_SET_DATA_LEN] == NULL)
5270 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5271 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5274 desc.dlen = sizeof(struct nft_verdict);
5275 } else if (flags & NFT_SET_MAP)
5278 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5279 if (!(flags & NFT_SET_OBJECT))
5282 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5283 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5284 desc.objtype > NFT_OBJECT_MAX)
5286 } else if (flags & NFT_SET_OBJECT)
5289 desc.objtype = NFT_OBJECT_UNSPEC;
5292 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5293 if (!(flags & NFT_SET_TIMEOUT))
5296 if (flags & NFT_SET_ANONYMOUS)
5299 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5304 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5305 if (!(flags & NFT_SET_TIMEOUT))
5308 if (flags & NFT_SET_ANONYMOUS)
5311 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5314 desc.policy = NFT_SET_POL_PERFORMANCE;
5315 if (nla[NFTA_SET_POLICY] != NULL) {
5316 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5317 switch (desc.policy) {
5318 case NFT_SET_POL_PERFORMANCE:
5319 case NFT_SET_POL_MEMORY:
5326 if (nla[NFTA_SET_DESC] != NULL) {
5327 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5331 if (desc.field_count > 1) {
5332 if (!(flags & NFT_SET_CONCAT))
5334 } else if (flags & NFT_SET_CONCAT) {
5337 } else if (flags & NFT_SET_CONCAT) {
5341 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5344 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5345 NETLINK_CB(skb).portid);
5346 if (IS_ERR(table)) {
5347 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5348 return PTR_ERR(table);
5351 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5353 set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask);
5355 if (PTR_ERR(set) != -ENOENT) {
5356 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5357 return PTR_ERR(set);
5360 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5362 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5363 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5366 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5369 if (nft_set_is_anonymous(set))
5372 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5377 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5378 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5382 for (i = 0; i < num_exprs; i++)
5383 nft_expr_destroy(&ctx, exprs[i]);
5388 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5391 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5394 ops = nft_select_set_ops(&ctx, flags, &desc);
5396 return PTR_ERR(ops);
5399 if (nla[NFTA_SET_USERDATA])
5400 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5403 if (ops->privsize != NULL)
5404 size = ops->privsize(nla, &desc);
5405 alloc_size = sizeof(*set) + size + udlen;
5406 if (alloc_size < size || alloc_size > INT_MAX)
5409 if (!nft_use_inc(&table->use))
5412 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5418 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5424 err = nf_tables_set_alloc_name(&ctx, set, name);
5431 udata = set->data + size;
5432 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5435 INIT_LIST_HEAD(&set->bindings);
5436 INIT_LIST_HEAD(&set->catchall_list);
5437 refcount_set(&set->refs, 1);
5439 write_pnet(&set->net, net);
5441 set->ktype = desc.ktype;
5442 set->klen = desc.klen;
5443 set->dtype = desc.dtype;
5444 set->objtype = desc.objtype;
5445 set->dlen = desc.dlen;
5447 set->size = desc.size;
5448 set->policy = desc.policy;
5451 set->timeout = desc.timeout;
5452 set->gc_int = desc.gc_int;
5454 set->field_count = desc.field_count;
5455 for (i = 0; i < desc.field_count; i++)
5456 set->field_len[i] = desc.field_len[i];
5458 err = ops->init(set, &desc, nla);
5462 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5464 goto err_set_destroy;
5466 set->num_exprs = num_exprs;
5467 set->handle = nf_tables_alloc_handle(table);
5468 INIT_LIST_HEAD(&set->pending_update);
5470 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5472 goto err_set_expr_alloc;
5474 list_add_tail_rcu(&set->list, &table->sets);
5479 for (i = 0; i < set->num_exprs; i++)
5480 nft_expr_destroy(&ctx, set->exprs[i]);
5482 ops->destroy(&ctx, set);
5488 nft_use_dec_restore(&table->use);
5493 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5494 struct nft_set *set)
5496 struct nft_set_elem_catchall *next, *catchall;
5498 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5499 list_del_rcu(&catchall->list);
5500 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5501 kfree_rcu(catchall, rcu);
5505 static void nft_set_put(struct nft_set *set)
5507 if (refcount_dec_and_test(&set->refs)) {
5513 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5517 if (WARN_ON(set->use > 0))
5520 for (i = 0; i < set->num_exprs; i++)
5521 nft_expr_destroy(ctx, set->exprs[i]);
5523 set->ops->destroy(ctx, set);
5524 nft_set_catchall_destroy(ctx, set);
5528 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5529 const struct nlattr * const nla[])
5531 struct netlink_ext_ack *extack = info->extack;
5532 u8 genmask = nft_genmask_next(info->net);
5533 u8 family = info->nfmsg->nfgen_family;
5534 struct net *net = info->net;
5535 const struct nlattr *attr;
5536 struct nft_table *table;
5537 struct nft_set *set;
5540 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5541 return -EAFNOSUPPORT;
5543 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5544 genmask, NETLINK_CB(skb).portid);
5545 if (IS_ERR(table)) {
5546 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5547 return PTR_ERR(table);
5550 if (nla[NFTA_SET_HANDLE]) {
5551 attr = nla[NFTA_SET_HANDLE];
5552 set = nft_set_lookup_byhandle(table, attr, genmask);
5554 attr = nla[NFTA_SET_NAME];
5555 set = nft_set_lookup(net, table, attr, genmask);
5559 if (PTR_ERR(set) == -ENOENT &&
5560 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5563 NL_SET_BAD_ATTR(extack, attr);
5564 return PTR_ERR(set);
5567 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5568 atomic_read(&set->nelems) > 0)) {
5569 NL_SET_BAD_ATTR(extack, attr);
5573 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5575 return nft_delset(&ctx, set);
5578 static int nft_validate_register_store(const struct nft_ctx *ctx,
5579 enum nft_registers reg,
5580 const struct nft_data *data,
5581 enum nft_data_types type,
5584 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5585 struct nft_set *set,
5586 struct nft_elem_priv *elem_priv)
5588 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5589 enum nft_registers dreg;
5591 dreg = nft_type_to_reg(set->dtype);
5592 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5593 set->dtype == NFT_DATA_VERDICT ?
5594 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5598 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5599 struct nft_set *set,
5600 const struct nft_set_iter *iter,
5601 struct nft_elem_priv *elem_priv)
5603 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5605 if (!nft_set_elem_active(ext, iter->genmask))
5608 return nft_setelem_data_validate(ctx, set, elem_priv);
5611 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5612 struct nft_set *set)
5614 u8 genmask = nft_genmask_next(ctx->net);
5615 struct nft_set_elem_catchall *catchall;
5616 struct nft_set_ext *ext;
5619 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
5620 lockdep_commit_lock_is_held(ctx->net)) {
5621 ext = nft_set_elem_ext(set, catchall->elem);
5622 if (!nft_set_elem_active(ext, genmask))
5625 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5633 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5634 struct nft_set_binding *binding)
5636 struct nft_set_binding *i;
5637 struct nft_set_iter iter;
5639 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5642 if (binding->flags & NFT_SET_MAP) {
5643 /* If the set is already bound to the same chain all
5644 * jumps are already validated for that chain.
5646 list_for_each_entry(i, &set->bindings, list) {
5647 if (i->flags & NFT_SET_MAP &&
5648 i->chain == binding->chain)
5652 iter.genmask = nft_genmask_next(ctx->net);
5653 iter.type = NFT_ITER_UPDATE;
5657 iter.fn = nf_tables_bind_check_setelem;
5659 set->ops->walk(ctx, set, &iter);
5661 iter.err = nft_set_catchall_bind_check(ctx, set);
5667 if (!nft_use_inc(&set->use))
5670 binding->chain = ctx->chain;
5671 list_add_tail_rcu(&binding->list, &set->bindings);
5672 nft_set_trans_bind(ctx, set);
5676 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5678 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5679 struct nft_set_binding *binding, bool event)
5681 list_del_rcu(&binding->list);
5683 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5684 list_del_rcu(&set->list);
5687 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5692 static void nft_setelem_data_activate(const struct net *net,
5693 const struct nft_set *set,
5694 struct nft_elem_priv *elem_priv);
5696 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5697 struct nft_set *set,
5698 const struct nft_set_iter *iter,
5699 struct nft_elem_priv *elem_priv)
5701 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5703 /* called from abort path, reverse check to undo changes. */
5704 if (nft_set_elem_active(ext, iter->genmask))
5707 nft_clear(ctx->net, ext);
5708 nft_setelem_data_activate(ctx->net, set, elem_priv);
5713 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5714 struct nft_set *set)
5716 u8 genmask = nft_genmask_next(ctx->net);
5717 struct nft_set_elem_catchall *catchall;
5718 struct nft_set_ext *ext;
5720 list_for_each_entry(catchall, &set->catchall_list, list) {
5721 ext = nft_set_elem_ext(set, catchall->elem);
5722 if (!nft_set_elem_active(ext, genmask))
5725 nft_clear(ctx->net, ext);
5726 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5731 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5733 struct nft_set_iter iter = {
5734 .genmask = nft_genmask_next(ctx->net),
5735 .type = NFT_ITER_UPDATE,
5736 .fn = nft_mapelem_activate,
5739 set->ops->walk(ctx, set, &iter);
5740 WARN_ON_ONCE(iter.err);
5742 nft_map_catchall_activate(ctx, set);
5745 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5747 if (nft_set_is_anonymous(set)) {
5748 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5749 nft_map_activate(ctx, set);
5751 nft_clear(ctx->net, set);
5754 nft_use_inc_restore(&set->use);
5756 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5758 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5759 struct nft_set_binding *binding,
5760 enum nft_trans_phase phase)
5762 lockdep_commit_lock_is_held(ctx->net);
5765 case NFT_TRANS_PREPARE_ERROR:
5766 nft_set_trans_unbind(ctx, set);
5767 if (nft_set_is_anonymous(set))
5768 nft_deactivate_next(ctx->net, set);
5770 list_del_rcu(&binding->list);
5772 nft_use_dec(&set->use);
5774 case NFT_TRANS_PREPARE:
5775 if (nft_set_is_anonymous(set)) {
5776 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5777 nft_map_deactivate(ctx, set);
5779 nft_deactivate_next(ctx->net, set);
5781 nft_use_dec(&set->use);
5783 case NFT_TRANS_ABORT:
5784 case NFT_TRANS_RELEASE:
5785 if (nft_set_is_anonymous(set) &&
5786 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5787 nft_map_deactivate(ctx, set);
5789 nft_use_dec(&set->use);
5792 nf_tables_unbind_set(ctx, set, binding,
5793 phase == NFT_TRANS_COMMIT);
5796 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5798 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5800 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5801 nft_set_destroy(ctx, set);
5803 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5805 const struct nft_set_ext_type nft_set_ext_types[] = {
5806 [NFT_SET_EXT_KEY] = {
5807 .align = __alignof__(u32),
5809 [NFT_SET_EXT_DATA] = {
5810 .align = __alignof__(u32),
5812 [NFT_SET_EXT_EXPRESSIONS] = {
5813 .align = __alignof__(struct nft_set_elem_expr),
5815 [NFT_SET_EXT_OBJREF] = {
5816 .len = sizeof(struct nft_object *),
5817 .align = __alignof__(struct nft_object *),
5819 [NFT_SET_EXT_FLAGS] = {
5821 .align = __alignof__(u8),
5823 [NFT_SET_EXT_TIMEOUT] = {
5824 .len = sizeof(struct nft_timeout),
5825 .align = __alignof__(struct nft_timeout),
5827 [NFT_SET_EXT_USERDATA] = {
5828 .len = sizeof(struct nft_userdata),
5829 .align = __alignof__(struct nft_userdata),
5831 [NFT_SET_EXT_KEY_END] = {
5832 .align = __alignof__(u32),
5840 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5841 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5842 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5843 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5844 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5845 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5846 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5847 .len = NFT_USERDATA_MAXLEN },
5848 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5849 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5850 .len = NFT_OBJ_MAXNAMELEN - 1 },
5851 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5852 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5855 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5856 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5857 .len = NFT_TABLE_MAXNAMELEN - 1 },
5858 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5859 .len = NFT_SET_MAXNAMELEN - 1 },
5860 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5861 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5864 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5865 const struct nft_set *set,
5866 const struct nft_set_ext *ext,
5869 struct nft_set_elem_expr *elem_expr;
5870 u32 size, num_exprs = 0;
5871 struct nft_expr *expr;
5872 struct nlattr *nest;
5874 elem_expr = nft_set_ext_expr(ext);
5875 nft_setelem_expr_foreach(expr, elem_expr, size)
5878 if (num_exprs == 1) {
5879 expr = nft_setelem_expr_at(elem_expr, 0);
5880 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5884 } else if (num_exprs > 1) {
5885 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5887 goto nla_put_failure;
5889 nft_setelem_expr_foreach(expr, elem_expr, size) {
5890 expr = nft_setelem_expr_at(elem_expr, size);
5891 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5892 goto nla_put_failure;
5894 nla_nest_end(skb, nest);
5902 static int nf_tables_fill_setelem(struct sk_buff *skb,
5903 const struct nft_set *set,
5904 const struct nft_elem_priv *elem_priv,
5907 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5908 unsigned char *b = skb_tail_pointer(skb);
5909 struct nlattr *nest;
5911 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5913 goto nla_put_failure;
5915 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5916 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5917 NFT_DATA_VALUE, set->klen) < 0)
5918 goto nla_put_failure;
5920 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5921 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5922 NFT_DATA_VALUE, set->klen) < 0)
5923 goto nla_put_failure;
5925 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5926 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5927 nft_set_datatype(set), set->dlen) < 0)
5928 goto nla_put_failure;
5930 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5931 nft_set_elem_expr_dump(skb, set, ext, reset))
5932 goto nla_put_failure;
5934 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5935 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5936 (*nft_set_ext_obj(ext))->key.name) < 0)
5937 goto nla_put_failure;
5939 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5940 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5941 htonl(*nft_set_ext_flags(ext))))
5942 goto nla_put_failure;
5944 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
5945 u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout);
5946 u64 set_timeout = READ_ONCE(set->timeout);
5949 if (set_timeout != timeout) {
5950 msecs = nf_jiffies64_to_msecs(timeout);
5951 if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs,
5953 goto nla_put_failure;
5957 u64 expires, now = get_jiffies_64();
5959 expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration);
5960 if (time_before64(now, expires))
5965 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5966 nf_jiffies64_to_msecs(expires),
5968 goto nla_put_failure;
5972 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5973 struct nft_userdata *udata;
5975 udata = nft_set_ext_userdata(ext);
5976 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5977 udata->len + 1, udata->data))
5978 goto nla_put_failure;
5981 nla_nest_end(skb, nest);
5989 struct nft_set_dump_args {
5990 const struct netlink_callback *cb;
5991 struct nft_set_iter iter;
5992 struct sk_buff *skb;
5996 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5997 struct nft_set *set,
5998 const struct nft_set_iter *iter,
5999 struct nft_elem_priv *elem_priv)
6001 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6002 struct nft_set_dump_args *args;
6004 if (!nft_set_elem_active(ext, iter->genmask))
6007 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
6010 args = container_of(iter, struct nft_set_dump_args, iter);
6011 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
6014 static void audit_log_nft_set_reset(const struct nft_table *table,
6015 unsigned int base_seq,
6016 unsigned int nentries)
6018 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
6020 audit_log_nfcfg(buf, table->family, nentries,
6021 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
6025 struct nft_set_dump_ctx {
6026 const struct nft_set *set;
6031 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
6032 const struct nft_set *set, bool reset,
6033 unsigned int base_seq)
6035 struct nft_set_elem_catchall *catchall;
6036 u8 genmask = nft_genmask_cur(net);
6037 struct nft_set_ext *ext;
6040 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6041 ext = nft_set_elem_ext(set, catchall->elem);
6042 if (!nft_set_elem_active(ext, genmask) ||
6043 nft_set_elem_expired(ext))
6046 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
6048 audit_log_nft_set_reset(set->table, base_seq, 1);
6055 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
6057 struct nft_set_dump_ctx *dump_ctx = cb->data;
6058 struct net *net = sock_net(skb->sk);
6059 struct nftables_pernet *nft_net;
6060 struct nft_table *table;
6061 struct nft_set *set;
6062 struct nft_set_dump_args args;
6063 bool set_found = false;
6064 struct nlmsghdr *nlh;
6065 struct nlattr *nest;
6070 nft_net = nft_pernet(net);
6071 cb->seq = READ_ONCE(nft_net->base_seq);
6073 list_for_each_entry_rcu(table, &nft_net->tables, list) {
6074 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
6075 dump_ctx->ctx.family != table->family)
6078 if (table != dump_ctx->ctx.table)
6081 list_for_each_entry_rcu(set, &table->sets, list) {
6082 if (set == dump_ctx->set) {
6095 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
6096 portid = NETLINK_CB(cb->skb).portid;
6097 seq = cb->nlh->nlmsg_seq;
6099 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
6100 table->family, NFNETLINK_V0, nft_base_seq(net));
6102 goto nla_put_failure;
6104 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
6105 goto nla_put_failure;
6106 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
6107 goto nla_put_failure;
6109 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6111 goto nla_put_failure;
6115 args.reset = dump_ctx->reset;
6116 args.iter.genmask = nft_genmask_cur(net);
6117 args.iter.type = NFT_ITER_READ;
6118 args.iter.skip = cb->args[0];
6119 args.iter.count = 0;
6121 args.iter.fn = nf_tables_dump_setelem;
6122 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
6124 if (!args.iter.err && args.iter.count == cb->args[0])
6125 args.iter.err = nft_set_catchall_dump(net, skb, set,
6126 dump_ctx->reset, cb->seq);
6127 nla_nest_end(skb, nest);
6128 nlmsg_end(skb, nlh);
6132 if (args.iter.err && args.iter.err != -EMSGSIZE)
6133 return args.iter.err;
6134 if (args.iter.count == cb->args[0])
6137 cb->args[0] = args.iter.count;
6145 static int nf_tables_dumpreset_set(struct sk_buff *skb,
6146 struct netlink_callback *cb)
6148 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
6149 struct nft_set_dump_ctx *dump_ctx = cb->data;
6150 int ret, skip = cb->args[0];
6152 mutex_lock(&nft_net->commit_mutex);
6154 ret = nf_tables_dump_set(skb, cb);
6156 if (cb->args[0] > skip)
6157 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
6158 cb->args[0] - skip);
6160 mutex_unlock(&nft_net->commit_mutex);
6165 static int nf_tables_dump_set_start(struct netlink_callback *cb)
6167 struct nft_set_dump_ctx *dump_ctx = cb->data;
6169 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
6171 return cb->data ? 0 : -ENOMEM;
6174 static int nf_tables_dump_set_done(struct netlink_callback *cb)
6180 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
6181 const struct nft_ctx *ctx, u32 seq,
6182 u32 portid, int event, u16 flags,
6183 const struct nft_set *set,
6184 const struct nft_elem_priv *elem_priv,
6187 struct nlmsghdr *nlh;
6188 struct nlattr *nest;
6191 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6192 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
6193 NFNETLINK_V0, nft_base_seq(ctx->net));
6195 goto nla_put_failure;
6197 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
6198 goto nla_put_failure;
6199 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
6200 goto nla_put_failure;
6202 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6204 goto nla_put_failure;
6206 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
6208 goto nla_put_failure;
6210 nla_nest_end(skb, nest);
6212 nlmsg_end(skb, nlh);
6216 nlmsg_trim(skb, nlh);
6220 static int nft_setelem_parse_flags(const struct nft_set *set,
6221 const struct nlattr *attr, u32 *flags)
6226 *flags = ntohl(nla_get_be32(attr));
6227 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6229 if (!(set->flags & NFT_SET_INTERVAL) &&
6230 *flags & NFT_SET_ELEM_INTERVAL_END)
6232 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6233 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6239 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
6240 struct nft_data *key, struct nlattr *attr)
6242 struct nft_data_desc desc = {
6243 .type = NFT_DATA_VALUE,
6244 .size = NFT_DATA_VALUE_MAXLEN,
6248 return nft_data_init(ctx, key, &desc, attr);
6251 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6252 struct nft_data_desc *desc,
6253 struct nft_data *data,
6254 struct nlattr *attr)
6258 if (set->dtype == NFT_DATA_VERDICT)
6259 dtype = NFT_DATA_VERDICT;
6261 dtype = NFT_DATA_VALUE;
6264 desc->size = NFT_DATA_VALUE_MAXLEN;
6265 desc->len = set->dlen;
6266 desc->flags = NFT_DATA_DESC_SETELEM;
6268 return nft_data_init(ctx, data, desc, attr);
6271 static void *nft_setelem_catchall_get(const struct net *net,
6272 const struct nft_set *set)
6274 struct nft_set_elem_catchall *catchall;
6275 u8 genmask = nft_genmask_cur(net);
6276 struct nft_set_ext *ext;
6279 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6280 ext = nft_set_elem_ext(set, catchall->elem);
6281 if (!nft_set_elem_active(ext, genmask) ||
6282 nft_set_elem_expired(ext))
6285 priv = catchall->elem;
6292 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6293 struct nft_set_elem *elem, u32 flags)
6297 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6298 priv = set->ops->get(ctx->net, set, elem, flags);
6300 return PTR_ERR(priv);
6302 priv = nft_setelem_catchall_get(ctx->net, set);
6311 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6312 const struct nlattr *attr, bool reset)
6314 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6315 struct nft_set_elem elem;
6316 struct sk_buff *skb;
6320 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6321 nft_set_elem_policy, NULL);
6325 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6329 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6332 if (nla[NFTA_SET_ELEM_KEY]) {
6333 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6334 nla[NFTA_SET_ELEM_KEY]);
6339 if (nla[NFTA_SET_ELEM_KEY_END]) {
6340 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6341 nla[NFTA_SET_ELEM_KEY_END]);
6346 err = nft_setelem_get(ctx, set, &elem, flags);
6351 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6355 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6356 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6359 goto err_fill_setelem;
6361 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6368 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6369 const struct sk_buff *skb,
6370 const struct nfnl_info *info,
6371 const struct nlattr * const nla[],
6374 struct netlink_ext_ack *extack = info->extack;
6375 u8 genmask = nft_genmask_cur(info->net);
6376 u8 family = info->nfmsg->nfgen_family;
6377 struct net *net = info->net;
6378 struct nft_table *table;
6379 struct nft_set *set;
6381 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6383 if (IS_ERR(table)) {
6384 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6385 return PTR_ERR(table);
6388 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6390 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6391 return PTR_ERR(set);
6394 nft_ctx_init(&dump_ctx->ctx, net, skb,
6395 info->nlh, family, table, NULL, nla);
6396 dump_ctx->set = set;
6397 dump_ctx->reset = reset;
6401 /* called with rcu_read_lock held */
6402 static int nf_tables_getsetelem(struct sk_buff *skb,
6403 const struct nfnl_info *info,
6404 const struct nlattr * const nla[])
6406 struct netlink_ext_ack *extack = info->extack;
6407 struct nft_set_dump_ctx dump_ctx;
6408 struct nlattr *attr;
6411 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6412 struct netlink_dump_control c = {
6413 .start = nf_tables_dump_set_start,
6414 .dump = nf_tables_dump_set,
6415 .done = nf_tables_dump_set_done,
6416 .module = THIS_MODULE,
6419 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6424 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6427 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6430 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6434 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6435 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false);
6437 NL_SET_BAD_ATTR(extack, attr);
6445 static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6446 const struct nfnl_info *info,
6447 const struct nlattr * const nla[])
6449 struct nftables_pernet *nft_net = nft_pernet(info->net);
6450 struct netlink_ext_ack *extack = info->extack;
6451 struct nft_set_dump_ctx dump_ctx;
6452 int rem, err = 0, nelems = 0;
6453 struct nlattr *attr;
6455 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6456 struct netlink_dump_control c = {
6457 .start = nf_tables_dump_set_start,
6458 .dump = nf_tables_dumpreset_set,
6459 .done = nf_tables_dump_set_done,
6460 .module = THIS_MODULE,
6463 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6468 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6471 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6474 if (!try_module_get(THIS_MODULE))
6477 mutex_lock(&nft_net->commit_mutex);
6480 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6484 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6485 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true);
6487 NL_SET_BAD_ATTR(extack, attr);
6492 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems);
6496 mutex_unlock(&nft_net->commit_mutex);
6498 module_put(THIS_MODULE);
6503 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6504 const struct nft_set *set,
6505 const struct nft_elem_priv *elem_priv,
6508 struct nftables_pernet *nft_net;
6509 struct net *net = ctx->net;
6510 u32 portid = ctx->portid;
6511 struct sk_buff *skb;
6515 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6518 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6522 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6523 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6525 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6526 set, elem_priv, false);
6532 nft_net = nft_pernet(net);
6533 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6536 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6539 static struct nft_trans *nft_trans_elem_alloc(const struct nft_ctx *ctx,
6541 struct nft_set *set)
6543 struct nft_trans_elem *te;
6544 struct nft_trans *trans;
6546 trans = nft_trans_alloc(ctx, msg_type, struct_size(te, elems, 1));
6550 te = nft_trans_container_elem(trans);
6557 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6558 const struct nft_set *set,
6559 const struct nlattr *attr)
6561 struct nft_expr *expr;
6564 expr = nft_expr_init(ctx, attr);
6569 if (expr->ops->type->flags & NFT_EXPR_GC) {
6570 if (set->flags & NFT_SET_TIMEOUT)
6571 goto err_set_elem_expr;
6572 if (!set->ops->gc_init)
6573 goto err_set_elem_expr;
6574 set->ops->gc_init(set);
6580 nft_expr_destroy(ctx, expr);
6581 return ERR_PTR(err);
6584 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6586 len += nft_set_ext_types[id].len;
6587 if (len > tmpl->ext_len[id] ||
6594 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6595 void *to, const void *from, u32 len)
6597 if (nft_set_ext_check(tmpl, id, len) < 0)
6600 memcpy(to, from, len);
6605 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6606 const struct nft_set_ext_tmpl *tmpl,
6607 const u32 *key, const u32 *key_end,
6609 u64 timeout, u64 expiration, gfp_t gfp)
6611 struct nft_set_ext *ext;
6614 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6616 return ERR_PTR(-ENOMEM);
6618 ext = nft_set_elem_ext(set, elem);
6619 nft_set_ext_init(ext, tmpl);
6621 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6622 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6623 nft_set_ext_key(ext), key, set->klen) < 0)
6626 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6627 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6628 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6631 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6632 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6633 nft_set_ext_data(ext), data, set->dlen) < 0)
6636 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
6637 nft_set_ext_timeout(ext)->timeout = timeout;
6639 if (expiration == 0)
6640 expiration = timeout;
6642 nft_set_ext_timeout(ext)->expiration = get_jiffies_64() + expiration;
6650 return ERR_PTR(-EINVAL);
6653 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6654 struct nft_expr *expr)
6656 if (expr->ops->destroy_clone) {
6657 expr->ops->destroy_clone(ctx, expr);
6658 module_put(expr->ops->type->owner);
6660 nf_tables_expr_destroy(ctx, expr);
6664 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6665 struct nft_set_elem_expr *elem_expr)
6667 struct nft_expr *expr;
6670 nft_setelem_expr_foreach(expr, elem_expr, size)
6671 __nft_set_elem_expr_destroy(ctx, expr);
6674 /* Drop references and destroy. Called from gc, dynset and abort path. */
6675 static void __nft_set_elem_destroy(const struct nft_ctx *ctx,
6676 const struct nft_set *set,
6677 const struct nft_elem_priv *elem_priv,
6680 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6682 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6683 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6684 nft_data_release(nft_set_ext_data(ext), set->dtype);
6685 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6686 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6687 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6688 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6693 /* Drop references and destroy. Called from gc and dynset. */
6694 void nft_set_elem_destroy(const struct nft_set *set,
6695 const struct nft_elem_priv *elem_priv,
6698 struct nft_ctx ctx = {
6699 .net = read_pnet(&set->net),
6700 .family = set->table->family,
6703 __nft_set_elem_destroy(&ctx, set, elem_priv, destroy_expr);
6705 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6707 /* Drop references and destroy. Called from abort path. */
6708 static void nft_trans_set_elem_destroy(const struct nft_ctx *ctx, struct nft_trans_elem *te)
6712 for (i = 0; i < te->nelems; i++) {
6713 /* skip update request, see nft_trans_elems_new_abort() */
6714 if (!te->elems[i].priv)
6717 __nft_set_elem_destroy(ctx, te->set, te->elems[i].priv, true);
6721 /* Destroy element. References have been already dropped in the preparation
6722 * path via nft_setelem_data_deactivate().
6724 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6725 const struct nft_set *set,
6726 const struct nft_elem_priv *elem_priv)
6728 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6730 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6731 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6736 static void nft_trans_elems_destroy(const struct nft_ctx *ctx,
6737 const struct nft_trans_elem *te)
6741 for (i = 0; i < te->nelems; i++)
6742 nf_tables_set_elem_destroy(ctx, te->set, te->elems[i].priv);
6745 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6746 struct nft_expr *expr_array[])
6748 struct nft_expr *expr;
6751 for (i = 0; i < set->num_exprs; i++) {
6752 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6756 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT);
6761 expr_array[i] = expr;
6767 for (k = i - 1; k >= 0; k--)
6768 nft_expr_destroy(ctx, expr_array[k]);
6773 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6774 const struct nft_set_ext_tmpl *tmpl,
6775 const struct nft_set_ext *ext,
6776 struct nft_expr *expr_array[],
6779 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6780 u32 len = sizeof(struct nft_set_elem_expr);
6781 struct nft_expr *expr;
6787 for (i = 0; i < num_exprs; i++)
6788 len += expr_array[i]->ops->size;
6790 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6793 for (i = 0; i < num_exprs; i++) {
6794 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6795 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT);
6797 goto err_elem_expr_setup;
6799 elem_expr->size += expr_array[i]->ops->size;
6800 nft_expr_destroy(ctx, expr_array[i]);
6801 expr_array[i] = NULL;
6806 err_elem_expr_setup:
6807 for (; i < num_exprs; i++) {
6808 nft_expr_destroy(ctx, expr_array[i]);
6809 expr_array[i] = NULL;
6815 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6816 const struct nft_set *set)
6818 struct nft_set_elem_catchall *catchall;
6819 u8 genmask = nft_genmask_cur(net);
6820 struct nft_set_ext *ext;
6822 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6823 ext = nft_set_elem_ext(set, catchall->elem);
6824 if (nft_set_elem_active(ext, genmask) &&
6825 !nft_set_elem_expired(ext) &&
6826 !nft_set_elem_is_dead(ext))
6832 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6834 static int nft_setelem_catchall_insert(const struct net *net,
6835 struct nft_set *set,
6836 const struct nft_set_elem *elem,
6837 struct nft_elem_priv **priv)
6839 struct nft_set_elem_catchall *catchall;
6840 u8 genmask = nft_genmask_next(net);
6841 struct nft_set_ext *ext;
6843 list_for_each_entry(catchall, &set->catchall_list, list) {
6844 ext = nft_set_elem_ext(set, catchall->elem);
6845 if (nft_set_elem_active(ext, genmask)) {
6846 *priv = catchall->elem;
6851 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT);
6855 catchall->elem = elem->priv;
6856 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6861 static int nft_setelem_insert(const struct net *net,
6862 struct nft_set *set,
6863 const struct nft_set_elem *elem,
6864 struct nft_elem_priv **elem_priv,
6869 if (flags & NFT_SET_ELEM_CATCHALL)
6870 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6872 ret = set->ops->insert(net, set, elem, elem_priv);
6877 static bool nft_setelem_is_catchall(const struct nft_set *set,
6878 const struct nft_elem_priv *elem_priv)
6880 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6882 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6883 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6889 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6890 struct nft_elem_priv *elem_priv)
6892 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6894 if (nft_setelem_is_catchall(set, elem_priv)) {
6895 nft_clear(net, ext);
6897 set->ops->activate(net, set, elem_priv);
6901 static void nft_trans_elem_update(const struct nft_set *set,
6902 const struct nft_trans_one_elem *elem)
6904 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6905 const struct nft_elem_update *update = elem->update;
6907 if (update->flags & NFT_TRANS_UPD_TIMEOUT)
6908 WRITE_ONCE(nft_set_ext_timeout(ext)->timeout, update->timeout);
6910 if (update->flags & NFT_TRANS_UPD_EXPIRATION)
6911 WRITE_ONCE(nft_set_ext_timeout(ext)->expiration, get_jiffies_64() + update->expiration);
6914 static void nft_trans_elems_add(const struct nft_ctx *ctx,
6915 struct nft_trans_elem *te)
6919 for (i = 0; i < te->nelems; i++) {
6920 struct nft_trans_one_elem *elem = &te->elems[i];
6923 nft_trans_elem_update(te->set, elem);
6925 nft_setelem_activate(ctx->net, te->set, elem->priv);
6927 nf_tables_setelem_notify(ctx, te->set, elem->priv,
6928 NFT_MSG_NEWSETELEM);
6929 kfree(elem->update);
6933 static int nft_setelem_catchall_deactivate(const struct net *net,
6934 struct nft_set *set,
6935 struct nft_set_elem *elem)
6937 struct nft_set_elem_catchall *catchall;
6938 struct nft_set_ext *ext;
6940 list_for_each_entry(catchall, &set->catchall_list, list) {
6941 ext = nft_set_elem_ext(set, catchall->elem);
6942 if (!nft_is_active_next(net, ext))
6946 elem->priv = catchall->elem;
6947 nft_set_elem_change_active(net, set, ext);
6954 static int __nft_setelem_deactivate(const struct net *net,
6955 struct nft_set *set,
6956 struct nft_set_elem *elem)
6960 priv = set->ops->deactivate(net, set, elem);
6971 static int nft_setelem_deactivate(const struct net *net,
6972 struct nft_set *set,
6973 struct nft_set_elem *elem, u32 flags)
6977 if (flags & NFT_SET_ELEM_CATCHALL)
6978 ret = nft_setelem_catchall_deactivate(net, set, elem);
6980 ret = __nft_setelem_deactivate(net, set, elem);
6985 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6987 list_del_rcu(&catchall->list);
6988 kfree_rcu(catchall, rcu);
6991 static void nft_setelem_catchall_remove(const struct net *net,
6992 const struct nft_set *set,
6993 struct nft_elem_priv *elem_priv)
6995 struct nft_set_elem_catchall *catchall, *next;
6997 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6998 if (catchall->elem == elem_priv) {
6999 nft_setelem_catchall_destroy(catchall);
7005 static void nft_setelem_remove(const struct net *net,
7006 const struct nft_set *set,
7007 struct nft_elem_priv *elem_priv)
7009 if (nft_setelem_is_catchall(set, elem_priv))
7010 nft_setelem_catchall_remove(net, set, elem_priv);
7012 set->ops->remove(net, set, elem_priv);
7015 static void nft_trans_elems_remove(const struct nft_ctx *ctx,
7016 const struct nft_trans_elem *te)
7020 for (i = 0; i < te->nelems; i++) {
7021 WARN_ON_ONCE(te->elems[i].update);
7023 nf_tables_setelem_notify(ctx, te->set,
7025 te->nft_trans.msg_type);
7027 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv);
7028 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv)) {
7029 atomic_dec(&te->set->nelems);
7035 static bool nft_setelem_valid_key_end(const struct nft_set *set,
7036 struct nlattr **nla, u32 flags)
7038 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
7039 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
7040 if (flags & NFT_SET_ELEM_INTERVAL_END)
7043 if (nla[NFTA_SET_ELEM_KEY_END] &&
7044 flags & NFT_SET_ELEM_CATCHALL)
7047 if (nla[NFTA_SET_ELEM_KEY_END])
7054 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
7055 const struct nlattr *attr, u32 nlmsg_flags)
7057 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
7058 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7059 u8 genmask = nft_genmask_next(ctx->net);
7060 u32 flags = 0, size = 0, num_exprs = 0;
7061 struct nft_set_ext_tmpl tmpl;
7062 struct nft_set_ext *ext, *ext2;
7063 struct nft_set_elem elem;
7064 struct nft_set_binding *binding;
7065 struct nft_elem_priv *elem_priv;
7066 struct nft_object *obj = NULL;
7067 struct nft_userdata *udata;
7068 struct nft_data_desc desc;
7069 enum nft_registers dreg;
7070 struct nft_trans *trans;
7076 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7077 nft_set_elem_policy, NULL);
7081 nft_set_ext_prepare(&tmpl);
7083 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7087 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
7088 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
7092 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7097 if (set->flags & NFT_SET_MAP) {
7098 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
7099 !(flags & NFT_SET_ELEM_INTERVAL_END))
7102 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7106 if (set->flags & NFT_SET_OBJECT) {
7107 if (!nla[NFTA_SET_ELEM_OBJREF] &&
7108 !(flags & NFT_SET_ELEM_INTERVAL_END))
7111 if (nla[NFTA_SET_ELEM_OBJREF])
7115 if (!nft_setelem_valid_key_end(set, nla, flags))
7118 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
7119 (nla[NFTA_SET_ELEM_DATA] ||
7120 nla[NFTA_SET_ELEM_OBJREF] ||
7121 nla[NFTA_SET_ELEM_TIMEOUT] ||
7122 nla[NFTA_SET_ELEM_EXPIRATION] ||
7123 nla[NFTA_SET_ELEM_USERDATA] ||
7124 nla[NFTA_SET_ELEM_EXPR] ||
7125 nla[NFTA_SET_ELEM_KEY_END] ||
7126 nla[NFTA_SET_ELEM_EXPRESSIONS]))
7130 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
7131 if (!(set->flags & NFT_SET_TIMEOUT))
7133 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
7137 } else if (set->flags & NFT_SET_TIMEOUT &&
7138 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
7139 timeout = set->timeout;
7143 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
7144 if (!(set->flags & NFT_SET_TIMEOUT))
7149 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
7154 if (expiration > timeout)
7158 if (nla[NFTA_SET_ELEM_EXPR]) {
7159 struct nft_expr *expr;
7161 if (set->num_exprs && set->num_exprs != 1)
7164 expr = nft_set_elem_expr_alloc(ctx, set,
7165 nla[NFTA_SET_ELEM_EXPR]);
7167 return PTR_ERR(expr);
7169 expr_array[0] = expr;
7172 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
7174 goto err_set_elem_expr;
7176 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
7177 struct nft_expr *expr;
7182 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
7183 if (i == NFT_SET_EXPR_MAX ||
7184 (set->num_exprs && set->num_exprs == i)) {
7186 goto err_set_elem_expr;
7188 if (nla_type(tmp) != NFTA_LIST_ELEM) {
7190 goto err_set_elem_expr;
7192 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
7194 err = PTR_ERR(expr);
7195 goto err_set_elem_expr;
7197 expr_array[i] = expr;
7200 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
7202 goto err_set_elem_expr;
7206 if (set->num_exprs && set->num_exprs != i) {
7208 goto err_set_elem_expr;
7210 } else if (set->num_exprs > 0 &&
7211 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
7212 err = nft_set_elem_expr_clone(ctx, set, expr_array);
7214 goto err_set_elem_expr_clone;
7216 num_exprs = set->num_exprs;
7219 if (nla[NFTA_SET_ELEM_KEY]) {
7220 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7221 nla[NFTA_SET_ELEM_KEY]);
7223 goto err_set_elem_expr;
7225 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7230 if (nla[NFTA_SET_ELEM_KEY_END]) {
7231 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7232 nla[NFTA_SET_ELEM_KEY_END]);
7236 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7238 goto err_parse_key_end;
7241 if (set->flags & NFT_SET_TIMEOUT) {
7242 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
7244 goto err_parse_key_end;
7248 for (i = 0; i < num_exprs; i++)
7249 size += expr_array[i]->ops->size;
7251 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
7252 sizeof(struct nft_set_elem_expr) + size);
7254 goto err_parse_key_end;
7257 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
7258 obj = nft_obj_lookup(ctx->net, ctx->table,
7259 nla[NFTA_SET_ELEM_OBJREF],
7260 set->objtype, genmask);
7264 goto err_parse_key_end;
7267 if (!nft_use_inc(&obj->use)) {
7270 goto err_parse_key_end;
7273 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
7275 goto err_parse_key_end;
7278 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
7279 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
7280 nla[NFTA_SET_ELEM_DATA]);
7282 goto err_parse_key_end;
7284 dreg = nft_type_to_reg(set->dtype);
7285 list_for_each_entry(binding, &set->bindings, list) {
7286 struct nft_ctx bind_ctx = {
7288 .family = ctx->family,
7289 .table = ctx->table,
7290 .chain = (struct nft_chain *)binding->chain,
7293 if (!(binding->flags & NFT_SET_MAP))
7296 err = nft_validate_register_store(&bind_ctx, dreg,
7298 desc.type, desc.len);
7300 goto err_parse_data;
7302 if (desc.type == NFT_DATA_VERDICT &&
7303 (elem.data.val.verdict.code == NFT_GOTO ||
7304 elem.data.val.verdict.code == NFT_JUMP))
7305 nft_validate_state_update(ctx->table,
7309 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
7311 goto err_parse_data;
7314 /* The full maximum length of userdata can exceed the maximum
7315 * offset value (U8_MAX) for following extensions, therefor it
7316 * must be the last extension added.
7319 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
7320 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
7322 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
7325 goto err_parse_data;
7329 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7330 elem.key_end.val.data, elem.data.val.data,
7331 timeout, expiration, GFP_KERNEL_ACCOUNT);
7332 if (IS_ERR(elem.priv)) {
7333 err = PTR_ERR(elem.priv);
7334 goto err_parse_data;
7337 ext = nft_set_elem_ext(set, elem.priv);
7339 *nft_set_ext_flags(ext) = flags;
7342 *nft_set_ext_obj(ext) = obj;
7345 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
7349 udata = nft_set_ext_userdata(ext);
7350 udata->len = ulen - 1;
7351 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
7353 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
7357 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
7358 if (trans == NULL) {
7363 ext->genmask = nft_genmask_cur(ctx->net);
7365 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
7367 if (err == -EEXIST) {
7368 ext2 = nft_set_elem_ext(set, elem_priv);
7369 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7370 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7371 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7372 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7373 goto err_element_clash;
7374 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7375 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7376 memcmp(nft_set_ext_data(ext),
7377 nft_set_ext_data(ext2), set->dlen) != 0) ||
7378 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7379 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7380 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7381 goto err_element_clash;
7382 else if (!(nlmsg_flags & NLM_F_EXCL)) {
7384 if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) {
7385 struct nft_elem_update update = { };
7387 if (timeout != nft_set_ext_timeout(ext2)->timeout) {
7388 update.timeout = timeout;
7389 if (expiration == 0)
7390 expiration = timeout;
7392 update.flags |= NFT_TRANS_UPD_TIMEOUT;
7395 update.expiration = expiration;
7396 update.flags |= NFT_TRANS_UPD_EXPIRATION;
7400 struct nft_trans_one_elem *ue;
7402 ue = &nft_trans_container_elem(trans)->elems[0];
7404 ue->update = kmemdup(&update, sizeof(update), GFP_KERNEL);
7407 goto err_element_clash;
7410 ue->priv = elem_priv;
7411 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_KERNEL);
7416 } else if (err == -ENOTEMPTY) {
7417 /* ENOTEMPTY reports overlapping between this element
7418 * and an existing one.
7422 goto err_element_clash;
7425 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7426 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
7428 if (!atomic_add_unless(&set->nelems, 1, max)) {
7434 nft_trans_container_elem(trans)->elems[0].priv = elem.priv;
7435 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_KERNEL);
7439 nft_setelem_remove(ctx->net, set, elem.priv);
7443 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7445 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7446 nft_data_release(&elem.data.val, desc.type);
7449 nft_use_dec_restore(&obj->use);
7451 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7453 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7455 for (i = 0; i < num_exprs && expr_array[i]; i++)
7456 nft_expr_destroy(ctx, expr_array[i]);
7457 err_set_elem_expr_clone:
7461 static int nf_tables_newsetelem(struct sk_buff *skb,
7462 const struct nfnl_info *info,
7463 const struct nlattr * const nla[])
7465 struct netlink_ext_ack *extack = info->extack;
7466 u8 genmask = nft_genmask_next(info->net);
7467 u8 family = info->nfmsg->nfgen_family;
7468 struct net *net = info->net;
7469 const struct nlattr *attr;
7470 struct nft_table *table;
7471 struct nft_set *set;
7475 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7478 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7479 genmask, NETLINK_CB(skb).portid);
7480 if (IS_ERR(table)) {
7481 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7482 return PTR_ERR(table);
7485 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7486 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7488 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7489 return PTR_ERR(set);
7492 if (!list_empty(&set->bindings) &&
7493 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7496 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7498 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7499 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7501 NL_SET_BAD_ATTR(extack, attr);
7506 if (table->validate_state == NFT_VALIDATE_DO)
7507 return nft_table_validate(net, table);
7513 * nft_data_hold - hold a nft_data item
7515 * @data: struct nft_data to release
7516 * @type: type of data
7518 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7519 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7520 * NFT_GOTO verdicts. This function must be called on active data objects
7521 * from the second phase of the commit protocol.
7523 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7525 struct nft_chain *chain;
7527 if (type == NFT_DATA_VERDICT) {
7528 switch (data->verdict.code) {
7531 chain = data->verdict.chain;
7532 nft_use_inc_restore(&chain->use);
7538 static int nft_setelem_active_next(const struct net *net,
7539 const struct nft_set *set,
7540 struct nft_elem_priv *elem_priv)
7542 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7543 u8 genmask = nft_genmask_next(net);
7545 return nft_set_elem_active(ext, genmask);
7548 static void nft_setelem_data_activate(const struct net *net,
7549 const struct nft_set *set,
7550 struct nft_elem_priv *elem_priv)
7552 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7554 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7555 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7556 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7557 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7560 void nft_setelem_data_deactivate(const struct net *net,
7561 const struct nft_set *set,
7562 struct nft_elem_priv *elem_priv)
7564 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7566 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7567 nft_data_release(nft_set_ext_data(ext), set->dtype);
7568 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7569 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7572 /* similar to nft_trans_elems_remove, but called from abort path to undo newsetelem.
7573 * No notifications and no ndeact changes.
7575 * Returns true if set had been added to (i.e., elements need to be removed again).
7577 static bool nft_trans_elems_new_abort(const struct nft_ctx *ctx,
7578 struct nft_trans_elem *te)
7580 bool removed = false;
7583 for (i = 0; i < te->nelems; i++) {
7584 if (te->elems[i].update) {
7585 kfree(te->elems[i].update);
7586 te->elems[i].update = NULL;
7587 /* Update request, so do not release this element */
7588 te->elems[i].priv = NULL;
7592 if (!te->set->ops->abort || nft_setelem_is_catchall(te->set, te->elems[i].priv))
7593 nft_setelem_remove(ctx->net, te->set, te->elems[i].priv);
7595 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv))
7596 atomic_dec(&te->set->nelems);
7604 /* Called from abort path to undo DELSETELEM/DESTROYSETELEM. */
7605 static void nft_trans_elems_destroy_abort(const struct nft_ctx *ctx,
7606 const struct nft_trans_elem *te)
7610 for (i = 0; i < te->nelems; i++) {
7611 if (!nft_setelem_active_next(ctx->net, te->set, te->elems[i].priv)) {
7612 nft_setelem_data_activate(ctx->net, te->set, te->elems[i].priv);
7613 nft_setelem_activate(ctx->net, te->set, te->elems[i].priv);
7616 if (!nft_setelem_is_catchall(te->set, te->elems[i].priv))
7621 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7622 const struct nlattr *attr)
7624 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7625 struct nft_set_ext_tmpl tmpl;
7626 struct nft_set_elem elem;
7627 struct nft_set_ext *ext;
7628 struct nft_trans *trans;
7632 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7633 nft_set_elem_policy, NULL);
7637 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7641 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7644 if (!nft_setelem_valid_key_end(set, nla, flags))
7647 nft_set_ext_prepare(&tmpl);
7650 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7655 if (nla[NFTA_SET_ELEM_KEY]) {
7656 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7657 nla[NFTA_SET_ELEM_KEY]);
7661 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7666 if (nla[NFTA_SET_ELEM_KEY_END]) {
7667 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7668 nla[NFTA_SET_ELEM_KEY_END]);
7672 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7674 goto fail_elem_key_end;
7678 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7679 elem.key_end.val.data, NULL, 0, 0,
7680 GFP_KERNEL_ACCOUNT);
7681 if (IS_ERR(elem.priv)) {
7682 err = PTR_ERR(elem.priv);
7683 goto fail_elem_key_end;
7686 ext = nft_set_elem_ext(set, elem.priv);
7688 *nft_set_ext_flags(ext) = flags;
7690 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7694 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7698 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7700 nft_trans_container_elem(trans)->elems[0].priv = elem.priv;
7701 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_KERNEL);
7709 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7711 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7715 static int nft_setelem_flush(const struct nft_ctx *ctx,
7716 struct nft_set *set,
7717 const struct nft_set_iter *iter,
7718 struct nft_elem_priv *elem_priv)
7720 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7721 struct nft_trans *trans;
7723 if (!nft_set_elem_active(ext, iter->genmask))
7726 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7727 struct_size_t(struct nft_trans_elem, elems, 1),
7732 set->ops->flush(ctx->net, set, elem_priv);
7735 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7736 nft_trans_elem_set(trans) = set;
7737 nft_trans_container_elem(trans)->nelems = 1;
7738 nft_trans_container_elem(trans)->elems[0].priv = elem_priv;
7739 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_ATOMIC);
7744 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7745 struct nft_set *set,
7746 struct nft_elem_priv *elem_priv)
7748 struct nft_trans *trans;
7750 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7754 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7755 nft_trans_container_elem(trans)->elems[0].priv = elem_priv;
7756 nft_trans_commit_list_add_elem(ctx->net, trans, GFP_KERNEL);
7761 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7762 struct nft_set *set)
7764 u8 genmask = nft_genmask_next(ctx->net);
7765 struct nft_set_elem_catchall *catchall;
7766 struct nft_set_ext *ext;
7769 list_for_each_entry_rcu(catchall, &set->catchall_list, list,
7770 lockdep_commit_lock_is_held(ctx->net)) {
7771 ext = nft_set_elem_ext(set, catchall->elem);
7772 if (!nft_set_elem_active(ext, genmask))
7775 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7778 nft_set_elem_change_active(ctx->net, set, ext);
7784 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7786 struct nft_set_iter iter = {
7788 .type = NFT_ITER_UPDATE,
7789 .fn = nft_setelem_flush,
7792 set->ops->walk(ctx, set, &iter);
7794 iter.err = nft_set_catchall_flush(ctx, set);
7799 static int nf_tables_delsetelem(struct sk_buff *skb,
7800 const struct nfnl_info *info,
7801 const struct nlattr * const nla[])
7803 struct netlink_ext_ack *extack = info->extack;
7804 u8 genmask = nft_genmask_next(info->net);
7805 u8 family = info->nfmsg->nfgen_family;
7806 struct net *net = info->net;
7807 const struct nlattr *attr;
7808 struct nft_table *table;
7809 struct nft_set *set;
7813 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7814 genmask, NETLINK_CB(skb).portid);
7815 if (IS_ERR(table)) {
7816 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7817 return PTR_ERR(table);
7820 set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7822 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7823 return PTR_ERR(set);
7826 if (nft_set_is_anonymous(set))
7829 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7832 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7834 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7835 return nft_set_flush(&ctx, set, genmask);
7837 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7838 err = nft_del_setelem(&ctx, set, attr);
7839 if (err == -ENOENT &&
7840 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7844 NL_SET_BAD_ATTR(extack, attr);
7857 * nft_register_obj- register nf_tables stateful object type
7858 * @obj_type: object type
7860 * Registers the object type for use with nf_tables. Returns zero on
7861 * success or a negative errno code otherwise.
7863 int nft_register_obj(struct nft_object_type *obj_type)
7865 if (obj_type->type == NFT_OBJECT_UNSPEC)
7868 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7869 list_add_rcu(&obj_type->list, &nf_tables_objects);
7870 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7873 EXPORT_SYMBOL_GPL(nft_register_obj);
7876 * nft_unregister_obj - unregister nf_tables object type
7877 * @obj_type: object type
7879 * Unregisters the object type for use with nf_tables.
7881 void nft_unregister_obj(struct nft_object_type *obj_type)
7883 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7884 list_del_rcu(&obj_type->list);
7885 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7887 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7889 struct nft_object *nft_obj_lookup(const struct net *net,
7890 const struct nft_table *table,
7891 const struct nlattr *nla, u32 objtype,
7894 struct nft_object_hash_key k = { .table = table };
7895 char search[NFT_OBJ_MAXNAMELEN];
7896 struct rhlist_head *tmp, *list;
7897 struct nft_object *obj;
7899 nla_strscpy(search, nla, sizeof(search));
7902 WARN_ON_ONCE(!rcu_read_lock_held() &&
7903 !lockdep_commit_lock_is_held(net));
7906 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7910 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7911 if (objtype == obj->ops->type->type &&
7912 nft_active_genmask(obj, genmask)) {
7919 return ERR_PTR(-ENOENT);
7921 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7923 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7924 const struct nlattr *nla,
7925 u32 objtype, u8 genmask)
7927 struct nft_object *obj;
7929 list_for_each_entry(obj, &table->objects, list) {
7930 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7931 objtype == obj->ops->type->type &&
7932 nft_active_genmask(obj, genmask))
7935 return ERR_PTR(-ENOENT);
7938 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7939 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7940 .len = NFT_TABLE_MAXNAMELEN - 1 },
7941 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7942 .len = NFT_OBJ_MAXNAMELEN - 1 },
7943 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7944 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7945 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7946 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7947 .len = NFT_USERDATA_MAXLEN },
7950 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7951 const struct nft_object_type *type,
7952 const struct nlattr *attr)
7955 const struct nft_object_ops *ops;
7956 struct nft_object *obj;
7959 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7964 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7965 type->policy, NULL);
7969 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7972 if (type->select_ops) {
7973 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7983 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7987 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
8000 return ERR_PTR(err);
8003 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
8004 struct nft_object *obj, bool reset)
8006 struct nlattr *nest;
8008 nest = nla_nest_start_noflag(skb, attr);
8010 goto nla_put_failure;
8011 if (obj->ops->dump(skb, obj, reset) < 0)
8012 goto nla_put_failure;
8013 nla_nest_end(skb, nest);
8020 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
8022 const struct nft_object_type *type;
8024 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
8025 if (type->family != NFPROTO_UNSPEC &&
8026 type->family != family)
8029 if (objtype == type->type)
8035 static const struct nft_object_type *
8036 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
8038 const struct nft_object_type *type;
8041 type = __nft_obj_type_get(objtype, family);
8042 if (type != NULL && try_module_get(type->owner)) {
8048 lockdep_nfnl_nft_mutex_not_held();
8049 #ifdef CONFIG_MODULES
8051 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
8052 return ERR_PTR(-EAGAIN);
8055 return ERR_PTR(-ENOENT);
8058 static int nf_tables_updobj(const struct nft_ctx *ctx,
8059 const struct nft_object_type *type,
8060 const struct nlattr *attr,
8061 struct nft_object *obj)
8063 struct nft_object *newobj;
8064 struct nft_trans *trans;
8067 /* caller must have obtained type->owner reference. */
8068 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
8069 sizeof(struct nft_trans_obj));
8073 newobj = nft_obj_init(ctx, type, attr);
8074 if (IS_ERR(newobj)) {
8075 err = PTR_ERR(newobj);
8076 goto err_free_trans;
8079 nft_trans_obj(trans) = obj;
8080 nft_trans_obj_update(trans) = true;
8081 nft_trans_obj_newobj(trans) = newobj;
8082 nft_trans_commit_list_add_tail(ctx->net, trans);
8089 module_put(type->owner);
8093 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
8094 const struct nlattr * const nla[])
8096 struct netlink_ext_ack *extack = info->extack;
8097 u8 genmask = nft_genmask_next(info->net);
8098 u8 family = info->nfmsg->nfgen_family;
8099 const struct nft_object_type *type;
8100 struct net *net = info->net;
8101 struct nft_table *table;
8102 struct nft_object *obj;
8107 if (!nla[NFTA_OBJ_TYPE] ||
8108 !nla[NFTA_OBJ_NAME] ||
8109 !nla[NFTA_OBJ_DATA])
8112 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8113 NETLINK_CB(skb).portid);
8114 if (IS_ERR(table)) {
8115 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8116 return PTR_ERR(table);
8119 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8120 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8123 if (err != -ENOENT) {
8124 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8128 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8129 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8132 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
8135 if (!obj->ops->update)
8138 type = nft_obj_type_get(net, objtype, family);
8139 if (WARN_ON_ONCE(IS_ERR(type)))
8140 return PTR_ERR(type);
8142 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8144 /* type->owner reference is put when transaction object is released. */
8145 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
8148 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8150 if (!nft_use_inc(&table->use))
8153 type = nft_obj_type_get(net, objtype, family);
8155 err = PTR_ERR(type);
8159 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
8164 obj->key.table = table;
8165 obj->handle = nf_tables_alloc_handle(table);
8167 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
8168 if (!obj->key.name) {
8173 if (nla[NFTA_OBJ_USERDATA]) {
8174 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
8175 if (obj->udata == NULL)
8178 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
8181 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
8185 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
8186 nft_objname_ht_params);
8190 list_add_tail_rcu(&obj->list, &table->objects);
8194 /* queued in transaction log */
8195 INIT_LIST_HEAD(&obj->list);
8200 kfree(obj->key.name);
8202 if (obj->ops->destroy)
8203 obj->ops->destroy(&ctx, obj);
8206 module_put(type->owner);
8208 nft_use_dec_restore(&table->use);
8213 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
8214 u32 portid, u32 seq, int event, u32 flags,
8215 int family, const struct nft_table *table,
8216 struct nft_object *obj, bool reset)
8218 struct nlmsghdr *nlh;
8220 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8221 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8222 NFNETLINK_V0, nft_base_seq(net));
8224 goto nla_put_failure;
8226 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
8227 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
8228 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
8230 goto nla_put_failure;
8232 if (event == NFT_MSG_DELOBJ) {
8233 nlmsg_end(skb, nlh);
8237 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
8238 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
8239 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
8240 goto nla_put_failure;
8243 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
8244 goto nla_put_failure;
8246 nlmsg_end(skb, nlh);
8250 nlmsg_trim(skb, nlh);
8254 static void audit_log_obj_reset(const struct nft_table *table,
8255 unsigned int base_seq, unsigned int nentries)
8257 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
8259 audit_log_nfcfg(buf, table->family, nentries,
8260 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8264 struct nft_obj_dump_ctx {
8271 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
8273 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8274 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8275 struct net *net = sock_net(skb->sk);
8276 int family = nfmsg->nfgen_family;
8277 struct nftables_pernet *nft_net;
8278 const struct nft_table *table;
8279 unsigned int entries = 0;
8280 struct nft_object *obj;
8281 unsigned int idx = 0;
8285 nft_net = nft_pernet(net);
8286 cb->seq = READ_ONCE(nft_net->base_seq);
8288 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8289 if (family != NFPROTO_UNSPEC && family != table->family)
8293 list_for_each_entry_rcu(obj, &table->objects, list) {
8294 if (!nft_is_active(net, obj))
8296 if (idx < ctx->s_idx)
8298 if (ctx->table && strcmp(ctx->table, table->name))
8300 if (ctx->type != NFT_OBJECT_UNSPEC &&
8301 obj->ops->type->type != ctx->type)
8304 rc = nf_tables_fill_obj_info(skb, net,
8305 NETLINK_CB(cb->skb).portid,
8308 NLM_F_MULTI | NLM_F_APPEND,
8309 table->family, table,
8315 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8319 if (ctx->reset && entries)
8320 audit_log_obj_reset(table, nft_net->base_seq, entries);
8330 static int nf_tables_dumpreset_obj(struct sk_buff *skb,
8331 struct netlink_callback *cb)
8333 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
8336 mutex_lock(&nft_net->commit_mutex);
8337 ret = nf_tables_dump_obj(skb, cb);
8338 mutex_unlock(&nft_net->commit_mutex);
8343 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
8345 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8346 const struct nlattr * const *nla = cb->data;
8348 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
8350 if (nla[NFTA_OBJ_TABLE]) {
8351 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
8356 if (nla[NFTA_OBJ_TYPE])
8357 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8362 static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb)
8364 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8368 return nf_tables_dump_obj_start(cb);
8371 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
8373 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8380 /* Caller must hold rcu read lock or transaction mutex */
8381 static struct sk_buff *
8382 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
8383 const struct nlattr * const nla[], bool reset)
8385 struct netlink_ext_ack *extack = info->extack;
8386 u8 genmask = nft_genmask_cur(info->net);
8387 u8 family = info->nfmsg->nfgen_family;
8388 const struct nft_table *table;
8389 struct net *net = info->net;
8390 struct nft_object *obj;
8391 struct sk_buff *skb2;
8395 if (!nla[NFTA_OBJ_NAME] ||
8396 !nla[NFTA_OBJ_TYPE])
8397 return ERR_PTR(-EINVAL);
8399 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
8400 if (IS_ERR(table)) {
8401 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8402 return ERR_CAST(table);
8405 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8406 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8408 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8409 return ERR_CAST(obj);
8412 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8414 return ERR_PTR(-ENOMEM);
8416 err = nf_tables_fill_obj_info(skb2, net, portid,
8417 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
8418 family, table, obj, reset);
8421 return ERR_PTR(err);
8427 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
8428 const struct nlattr * const nla[])
8430 u32 portid = NETLINK_CB(skb).portid;
8431 struct sk_buff *skb2;
8433 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8434 struct netlink_dump_control c = {
8435 .start = nf_tables_dump_obj_start,
8436 .dump = nf_tables_dump_obj,
8437 .done = nf_tables_dump_obj_done,
8438 .module = THIS_MODULE,
8439 .data = (void *)nla,
8442 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8445 skb2 = nf_tables_getobj_single(portid, info, nla, false);
8447 return PTR_ERR(skb2);
8449 return nfnetlink_unicast(skb2, info->net, portid);
8452 static int nf_tables_getobj_reset(struct sk_buff *skb,
8453 const struct nfnl_info *info,
8454 const struct nlattr * const nla[])
8456 struct nftables_pernet *nft_net = nft_pernet(info->net);
8457 u32 portid = NETLINK_CB(skb).portid;
8458 struct net *net = info->net;
8459 struct sk_buff *skb2;
8462 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8463 struct netlink_dump_control c = {
8464 .start = nf_tables_dumpreset_obj_start,
8465 .dump = nf_tables_dumpreset_obj,
8466 .done = nf_tables_dump_obj_done,
8467 .module = THIS_MODULE,
8468 .data = (void *)nla,
8471 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8474 if (!try_module_get(THIS_MODULE))
8477 mutex_lock(&nft_net->commit_mutex);
8478 skb2 = nf_tables_getobj_single(portid, info, nla, true);
8479 mutex_unlock(&nft_net->commit_mutex);
8481 module_put(THIS_MODULE);
8484 return PTR_ERR(skb2);
8486 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
8487 nla_len(nla[NFTA_OBJ_TABLE]),
8488 (char *)nla_data(nla[NFTA_OBJ_TABLE]),
8490 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
8491 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8494 return nfnetlink_unicast(skb2, net, portid);
8497 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8499 if (obj->ops->destroy)
8500 obj->ops->destroy(ctx, obj);
8502 module_put(obj->ops->type->owner);
8503 kfree(obj->key.name);
8508 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8509 const struct nlattr * const nla[])
8511 struct netlink_ext_ack *extack = info->extack;
8512 u8 genmask = nft_genmask_next(info->net);
8513 u8 family = info->nfmsg->nfgen_family;
8514 struct net *net = info->net;
8515 const struct nlattr *attr;
8516 struct nft_table *table;
8517 struct nft_object *obj;
8521 if (!nla[NFTA_OBJ_TYPE] ||
8522 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8525 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8526 NETLINK_CB(skb).portid);
8527 if (IS_ERR(table)) {
8528 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8529 return PTR_ERR(table);
8532 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8533 if (nla[NFTA_OBJ_HANDLE]) {
8534 attr = nla[NFTA_OBJ_HANDLE];
8535 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8537 attr = nla[NFTA_OBJ_NAME];
8538 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8542 if (PTR_ERR(obj) == -ENOENT &&
8543 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8546 NL_SET_BAD_ATTR(extack, attr);
8547 return PTR_ERR(obj);
8550 NL_SET_BAD_ATTR(extack, attr);
8554 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8556 return nft_delobj(&ctx, obj);
8560 __nft_obj_notify(struct net *net, const struct nft_table *table,
8561 struct nft_object *obj, u32 portid, u32 seq, int event,
8562 u16 flags, int family, int report, gfp_t gfp)
8564 struct nftables_pernet *nft_net = nft_pernet(net);
8565 struct sk_buff *skb;
8569 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8572 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8576 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8577 flags & (NLM_F_CREATE | NLM_F_EXCL),
8578 family, table, obj, false);
8584 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8587 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8590 void nft_obj_notify(struct net *net, const struct nft_table *table,
8591 struct nft_object *obj, u32 portid, u32 seq, int event,
8592 u16 flags, int family, int report, gfp_t gfp)
8594 struct nftables_pernet *nft_net = nft_pernet(net);
8595 char *buf = kasprintf(gfp, "%s:%u",
8596 table->name, nft_net->base_seq);
8598 audit_log_nfcfg(buf,
8601 event == NFT_MSG_NEWOBJ ?
8602 AUDIT_NFT_OP_OBJ_REGISTER :
8603 AUDIT_NFT_OP_OBJ_UNREGISTER,
8607 __nft_obj_notify(net, table, obj, portid, seq, event,
8608 flags, family, report, gfp);
8610 EXPORT_SYMBOL_GPL(nft_obj_notify);
8612 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8613 struct nft_object *obj, int event)
8615 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8616 ctx->seq, event, ctx->flags, ctx->family,
8617 ctx->report, GFP_KERNEL);
8623 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8625 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8626 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8627 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8629 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8631 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8633 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8634 list_del_rcu(&type->list);
8635 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8637 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8639 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8640 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8641 .len = NFT_NAME_MAXLEN - 1 },
8642 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8643 .len = NFT_NAME_MAXLEN - 1 },
8644 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8645 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8646 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8649 struct nft_flowtable *nft_flowtable_lookup(const struct net *net,
8650 const struct nft_table *table,
8651 const struct nlattr *nla, u8 genmask)
8653 struct nft_flowtable *flowtable;
8655 list_for_each_entry_rcu(flowtable, &table->flowtables, list,
8656 lockdep_commit_lock_is_held(net)) {
8657 if (!nla_strcmp(nla, flowtable->name) &&
8658 nft_active_genmask(flowtable, genmask))
8661 return ERR_PTR(-ENOENT);
8663 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8665 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8666 struct nft_flowtable *flowtable,
8667 enum nft_trans_phase phase)
8670 case NFT_TRANS_PREPARE_ERROR:
8671 case NFT_TRANS_PREPARE:
8672 case NFT_TRANS_ABORT:
8673 case NFT_TRANS_RELEASE:
8674 nft_use_dec(&flowtable->use);
8680 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8682 static struct nft_flowtable *
8683 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8684 const struct nlattr *nla, u8 genmask)
8686 struct nft_flowtable *flowtable;
8688 list_for_each_entry(flowtable, &table->flowtables, list) {
8689 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8690 nft_active_genmask(flowtable, genmask))
8693 return ERR_PTR(-ENOENT);
8696 struct nft_flowtable_hook {
8699 struct list_head list;
8702 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8703 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8704 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8705 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8708 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8709 const struct nlattr * const nla[],
8710 struct nft_flowtable_hook *flowtable_hook,
8711 struct nft_flowtable *flowtable,
8712 struct netlink_ext_ack *extack, bool add)
8714 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8715 struct nft_hook *hook;
8716 int hooknum, priority;
8719 INIT_LIST_HEAD(&flowtable_hook->list);
8721 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8722 nla[NFTA_FLOWTABLE_HOOK],
8723 nft_flowtable_hook_policy, NULL);
8728 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8729 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8730 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8734 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8735 if (hooknum != NF_NETDEV_INGRESS)
8738 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8740 flowtable_hook->priority = priority;
8741 flowtable_hook->num = hooknum;
8743 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8744 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8745 if (hooknum != flowtable->hooknum)
8749 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8750 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8751 if (priority != flowtable->data.priority)
8755 flowtable_hook->priority = flowtable->data.priority;
8756 flowtable_hook->num = flowtable->hooknum;
8759 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8760 err = nf_tables_parse_netdev_hooks(ctx->net,
8761 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8762 &flowtable_hook->list,
8768 list_for_each_entry(hook, &flowtable_hook->list, list) {
8769 hook->ops.pf = NFPROTO_NETDEV;
8770 hook->ops.hooknum = flowtable_hook->num;
8771 hook->ops.priority = flowtable_hook->priority;
8772 hook->ops.priv = &flowtable->data;
8773 hook->ops.hook = flowtable->data.type->hook;
8779 /* call under rcu_read_lock */
8780 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8782 const struct nf_flowtable_type *type;
8784 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
8785 if (family == type->family)
8791 static const struct nf_flowtable_type *
8792 nft_flowtable_type_get(struct net *net, u8 family)
8794 const struct nf_flowtable_type *type;
8797 type = __nft_flowtable_type_get(family);
8798 if (type != NULL && try_module_get(type->owner)) {
8804 lockdep_nfnl_nft_mutex_not_held();
8805 #ifdef CONFIG_MODULES
8807 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8808 return ERR_PTR(-EAGAIN);
8811 return ERR_PTR(-ENOENT);
8814 /* Only called from error and netdev event paths. */
8815 static void nft_unregister_flowtable_hook(struct net *net,
8816 struct nft_flowtable *flowtable,
8817 struct nft_hook *hook)
8819 nf_unregister_net_hook(net, &hook->ops);
8820 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8824 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8825 struct list_head *hook_list,
8826 bool release_netdev)
8828 struct nft_hook *hook, *next;
8830 list_for_each_entry_safe(hook, next, hook_list, list) {
8831 nf_unregister_net_hook(net, &hook->ops);
8832 if (release_netdev) {
8833 list_del(&hook->list);
8834 kfree_rcu(hook, rcu);
8839 static void nft_unregister_flowtable_net_hooks(struct net *net,
8840 struct list_head *hook_list)
8842 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
8845 static int nft_register_flowtable_net_hooks(struct net *net,
8846 struct nft_table *table,
8847 struct list_head *hook_list,
8848 struct nft_flowtable *flowtable)
8850 struct nft_hook *hook, *hook2, *next;
8851 struct nft_flowtable *ft;
8854 list_for_each_entry(hook, hook_list, list) {
8855 list_for_each_entry(ft, &table->flowtables, list) {
8856 if (!nft_is_active_next(net, ft))
8859 list_for_each_entry(hook2, &ft->hook_list, list) {
8860 if (hook->ops.dev == hook2->ops.dev &&
8861 hook->ops.pf == hook2->ops.pf) {
8863 goto err_unregister_net_hooks;
8868 err = flowtable->data.type->setup(&flowtable->data,
8872 goto err_unregister_net_hooks;
8874 err = nf_register_net_hook(net, &hook->ops);
8876 flowtable->data.type->setup(&flowtable->data,
8879 goto err_unregister_net_hooks;
8887 err_unregister_net_hooks:
8888 list_for_each_entry_safe(hook, next, hook_list, list) {
8892 nft_unregister_flowtable_hook(net, flowtable, hook);
8893 list_del_rcu(&hook->list);
8894 kfree_rcu(hook, rcu);
8900 static void nft_hooks_destroy(struct list_head *hook_list)
8902 struct nft_hook *hook, *next;
8904 list_for_each_entry_safe(hook, next, hook_list, list) {
8905 list_del_rcu(&hook->list);
8906 kfree_rcu(hook, rcu);
8910 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8911 struct nft_flowtable *flowtable,
8912 struct netlink_ext_ack *extack)
8914 const struct nlattr * const *nla = ctx->nla;
8915 struct nft_flowtable_hook flowtable_hook;
8916 struct nft_hook *hook, *next;
8917 struct nft_trans *trans;
8918 bool unregister = false;
8922 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8927 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8928 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8929 list_del(&hook->list);
8934 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8935 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8936 if (flags & ~NFT_FLOWTABLE_MASK) {
8938 goto err_flowtable_update_hook;
8940 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8941 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8943 goto err_flowtable_update_hook;
8946 flags = flowtable->data.flags;
8949 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8950 &flowtable_hook.list, flowtable);
8952 goto err_flowtable_update_hook;
8954 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8955 sizeof(struct nft_trans_flowtable));
8959 goto err_flowtable_update_hook;
8962 nft_trans_flowtable_flags(trans) = flags;
8963 nft_trans_flowtable(trans) = flowtable;
8964 nft_trans_flowtable_update(trans) = true;
8965 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8966 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8968 nft_trans_commit_list_add_tail(ctx->net, trans);
8972 err_flowtable_update_hook:
8973 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8975 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8976 list_del_rcu(&hook->list);
8977 kfree_rcu(hook, rcu);
8984 static int nf_tables_newflowtable(struct sk_buff *skb,
8985 const struct nfnl_info *info,
8986 const struct nlattr * const nla[])
8988 struct netlink_ext_ack *extack = info->extack;
8989 struct nft_flowtable_hook flowtable_hook;
8990 u8 genmask = nft_genmask_next(info->net);
8991 u8 family = info->nfmsg->nfgen_family;
8992 const struct nf_flowtable_type *type;
8993 struct nft_flowtable *flowtable;
8994 struct net *net = info->net;
8995 struct nft_table *table;
8996 struct nft_trans *trans;
9000 if (!nla[NFTA_FLOWTABLE_TABLE] ||
9001 !nla[NFTA_FLOWTABLE_NAME] ||
9002 !nla[NFTA_FLOWTABLE_HOOK])
9005 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9006 genmask, NETLINK_CB(skb).portid);
9007 if (IS_ERR(table)) {
9008 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9009 return PTR_ERR(table);
9012 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME],
9014 if (IS_ERR(flowtable)) {
9015 err = PTR_ERR(flowtable);
9016 if (err != -ENOENT) {
9017 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9021 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
9022 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9026 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9028 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
9031 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9033 if (!nft_use_inc(&table->use))
9036 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
9039 goto flowtable_alloc;
9042 flowtable->table = table;
9043 flowtable->handle = nf_tables_alloc_handle(table);
9044 INIT_LIST_HEAD(&flowtable->hook_list);
9046 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
9047 if (!flowtable->name) {
9052 type = nft_flowtable_type_get(net, family);
9054 err = PTR_ERR(type);
9058 if (nla[NFTA_FLOWTABLE_FLAGS]) {
9059 flowtable->data.flags =
9060 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
9061 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
9067 write_pnet(&flowtable->data.net, net);
9068 flowtable->data.type = type;
9069 err = type->init(&flowtable->data);
9073 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
9076 goto err_flowtable_parse_hooks;
9078 list_splice(&flowtable_hook.list, &flowtable->hook_list);
9079 flowtable->data.priority = flowtable_hook.priority;
9080 flowtable->hooknum = flowtable_hook.num;
9082 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
9083 if (IS_ERR(trans)) {
9084 err = PTR_ERR(trans);
9085 goto err_flowtable_trans;
9088 /* This must be LAST to ensure no packets are walking over this flowtable. */
9089 err = nft_register_flowtable_net_hooks(ctx.net, table,
9090 &flowtable->hook_list,
9093 goto err_flowtable_hooks;
9095 list_add_tail_rcu(&flowtable->list, &table->flowtables);
9099 err_flowtable_hooks:
9100 nft_trans_destroy(trans);
9101 err_flowtable_trans:
9102 nft_hooks_destroy(&flowtable->hook_list);
9103 err_flowtable_parse_hooks:
9104 flowtable->data.type->free(&flowtable->data);
9106 module_put(type->owner);
9108 kfree(flowtable->name);
9112 nft_use_dec_restore(&table->use);
9117 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
9119 struct nft_hook *this, *next;
9121 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
9122 list_del(&this->list);
9127 static int nft_delflowtable_hook(struct nft_ctx *ctx,
9128 struct nft_flowtable *flowtable,
9129 struct netlink_ext_ack *extack)
9131 const struct nlattr * const *nla = ctx->nla;
9132 struct nft_flowtable_hook flowtable_hook;
9133 LIST_HEAD(flowtable_del_list);
9134 struct nft_hook *this, *hook;
9135 struct nft_trans *trans;
9138 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
9143 list_for_each_entry(this, &flowtable_hook.list, list) {
9144 hook = nft_hook_list_find(&flowtable->hook_list, this);
9147 goto err_flowtable_del_hook;
9149 list_move(&hook->list, &flowtable_del_list);
9152 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
9153 sizeof(struct nft_trans_flowtable));
9156 goto err_flowtable_del_hook;
9159 nft_trans_flowtable(trans) = flowtable;
9160 nft_trans_flowtable_update(trans) = true;
9161 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
9162 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
9163 nft_flowtable_hook_release(&flowtable_hook);
9165 nft_trans_commit_list_add_tail(ctx->net, trans);
9169 err_flowtable_del_hook:
9170 list_splice(&flowtable_del_list, &flowtable->hook_list);
9171 nft_flowtable_hook_release(&flowtable_hook);
9176 static int nf_tables_delflowtable(struct sk_buff *skb,
9177 const struct nfnl_info *info,
9178 const struct nlattr * const nla[])
9180 struct netlink_ext_ack *extack = info->extack;
9181 u8 genmask = nft_genmask_next(info->net);
9182 u8 family = info->nfmsg->nfgen_family;
9183 struct nft_flowtable *flowtable;
9184 struct net *net = info->net;
9185 const struct nlattr *attr;
9186 struct nft_table *table;
9189 if (!nla[NFTA_FLOWTABLE_TABLE] ||
9190 (!nla[NFTA_FLOWTABLE_NAME] &&
9191 !nla[NFTA_FLOWTABLE_HANDLE]))
9194 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9195 genmask, NETLINK_CB(skb).portid);
9196 if (IS_ERR(table)) {
9197 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9198 return PTR_ERR(table);
9201 if (nla[NFTA_FLOWTABLE_HANDLE]) {
9202 attr = nla[NFTA_FLOWTABLE_HANDLE];
9203 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
9205 attr = nla[NFTA_FLOWTABLE_NAME];
9206 flowtable = nft_flowtable_lookup(net, table, attr, genmask);
9209 if (IS_ERR(flowtable)) {
9210 if (PTR_ERR(flowtable) == -ENOENT &&
9211 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
9214 NL_SET_BAD_ATTR(extack, attr);
9215 return PTR_ERR(flowtable);
9218 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
9220 if (nla[NFTA_FLOWTABLE_HOOK])
9221 return nft_delflowtable_hook(&ctx, flowtable, extack);
9223 if (flowtable->use > 0) {
9224 NL_SET_BAD_ATTR(extack, attr);
9228 return nft_delflowtable(&ctx, flowtable);
9231 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
9232 u32 portid, u32 seq, int event,
9233 u32 flags, int family,
9234 struct nft_flowtable *flowtable,
9235 struct list_head *hook_list)
9237 struct nlattr *nest, *nest_devs;
9238 struct nft_hook *hook;
9239 struct nlmsghdr *nlh;
9241 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
9242 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
9243 NFNETLINK_V0, nft_base_seq(net));
9245 goto nla_put_failure;
9247 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
9248 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
9249 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
9250 NFTA_FLOWTABLE_PAD))
9251 goto nla_put_failure;
9253 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
9254 nlmsg_end(skb, nlh);
9258 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
9259 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
9260 goto nla_put_failure;
9262 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
9264 goto nla_put_failure;
9265 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
9266 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
9267 goto nla_put_failure;
9269 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
9271 goto nla_put_failure;
9274 hook_list = &flowtable->hook_list;
9276 list_for_each_entry_rcu(hook, hook_list, list,
9277 lockdep_commit_lock_is_held(net)) {
9278 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
9279 goto nla_put_failure;
9281 nla_nest_end(skb, nest_devs);
9282 nla_nest_end(skb, nest);
9284 nlmsg_end(skb, nlh);
9288 nlmsg_trim(skb, nlh);
9292 struct nft_flowtable_filter {
9296 static int nf_tables_dump_flowtable(struct sk_buff *skb,
9297 struct netlink_callback *cb)
9299 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
9300 struct nft_flowtable_filter *filter = cb->data;
9301 unsigned int idx = 0, s_idx = cb->args[0];
9302 struct net *net = sock_net(skb->sk);
9303 int family = nfmsg->nfgen_family;
9304 struct nft_flowtable *flowtable;
9305 struct nftables_pernet *nft_net;
9306 const struct nft_table *table;
9309 nft_net = nft_pernet(net);
9310 cb->seq = READ_ONCE(nft_net->base_seq);
9312 list_for_each_entry_rcu(table, &nft_net->tables, list) {
9313 if (family != NFPROTO_UNSPEC && family != table->family)
9316 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
9317 if (!nft_is_active(net, flowtable))
9322 memset(&cb->args[1], 0,
9323 sizeof(cb->args) - sizeof(cb->args[0]));
9324 if (filter && filter->table &&
9325 strcmp(filter->table, table->name))
9328 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
9330 NFT_MSG_NEWFLOWTABLE,
9331 NLM_F_MULTI | NLM_F_APPEND,
9333 flowtable, NULL) < 0)
9336 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
9348 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
9350 const struct nlattr * const *nla = cb->data;
9351 struct nft_flowtable_filter *filter = NULL;
9353 if (nla[NFTA_FLOWTABLE_TABLE]) {
9354 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
9358 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
9360 if (!filter->table) {
9370 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
9372 struct nft_flowtable_filter *filter = cb->data;
9377 kfree(filter->table);
9383 /* called with rcu_read_lock held */
9384 static int nf_tables_getflowtable(struct sk_buff *skb,
9385 const struct nfnl_info *info,
9386 const struct nlattr * const nla[])
9388 struct netlink_ext_ack *extack = info->extack;
9389 u8 genmask = nft_genmask_cur(info->net);
9390 u8 family = info->nfmsg->nfgen_family;
9391 struct nft_flowtable *flowtable;
9392 const struct nft_table *table;
9393 struct net *net = info->net;
9394 struct sk_buff *skb2;
9397 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
9398 struct netlink_dump_control c = {
9399 .start = nf_tables_dump_flowtable_start,
9400 .dump = nf_tables_dump_flowtable,
9401 .done = nf_tables_dump_flowtable_done,
9402 .module = THIS_MODULE,
9403 .data = (void *)nla,
9406 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
9409 if (!nla[NFTA_FLOWTABLE_NAME])
9412 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9414 if (IS_ERR(table)) {
9415 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9416 return PTR_ERR(table);
9419 flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME],
9421 if (IS_ERR(flowtable)) {
9422 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9423 return PTR_ERR(flowtable);
9426 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9430 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
9431 info->nlh->nlmsg_seq,
9432 NFT_MSG_NEWFLOWTABLE, 0, family,
9435 goto err_fill_flowtable_info;
9437 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
9439 err_fill_flowtable_info:
9444 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9445 struct nft_flowtable *flowtable,
9446 struct list_head *hook_list, int event)
9448 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
9449 struct sk_buff *skb;
9454 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
9457 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9461 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9462 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9464 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
9465 ctx->seq, event, flags,
9466 ctx->family, flowtable, hook_list);
9472 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
9475 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
9478 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9480 struct nft_hook *hook, *next;
9482 flowtable->data.type->free(&flowtable->data);
9483 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9484 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
9486 list_del_rcu(&hook->list);
9487 kfree_rcu(hook, rcu);
9489 kfree(flowtable->name);
9490 module_put(flowtable->data.type->owner);
9494 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9495 u32 portid, u32 seq)
9497 struct nftables_pernet *nft_net = nft_pernet(net);
9498 struct nlmsghdr *nlh;
9499 char buf[TASK_COMM_LEN];
9500 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
9502 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
9503 NFNETLINK_V0, nft_base_seq(net));
9505 goto nla_put_failure;
9507 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
9508 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9509 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9510 goto nla_put_failure;
9512 nlmsg_end(skb, nlh);
9516 nlmsg_trim(skb, nlh);
9520 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
9521 struct nft_flowtable *flowtable)
9523 struct nft_hook *hook;
9525 list_for_each_entry(hook, &flowtable->hook_list, list) {
9526 if (hook->ops.dev != dev)
9529 /* flow_offload_netdev_event() cleans up entries for us. */
9530 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
9531 list_del_rcu(&hook->list);
9532 kfree_rcu(hook, rcu);
9537 static int nf_tables_flowtable_event(struct notifier_block *this,
9538 unsigned long event, void *ptr)
9540 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9541 struct nft_flowtable *flowtable;
9542 struct nftables_pernet *nft_net;
9543 struct nft_table *table;
9546 if (event != NETDEV_UNREGISTER)
9550 nft_net = nft_pernet(net);
9551 mutex_lock(&nft_net->commit_mutex);
9552 list_for_each_entry(table, &nft_net->tables, list) {
9553 list_for_each_entry(flowtable, &table->flowtables, list) {
9554 nft_flowtable_event(event, dev, flowtable);
9557 mutex_unlock(&nft_net->commit_mutex);
9562 static struct notifier_block nf_tables_flowtable_notifier = {
9563 .notifier_call = nf_tables_flowtable_event,
9566 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9569 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9570 struct sk_buff *skb2;
9573 if (!nlmsg_report(nlh) &&
9574 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9577 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9581 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9588 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9589 nlmsg_report(nlh), GFP_KERNEL);
9592 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9596 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9597 const struct nlattr * const nla[])
9599 struct sk_buff *skb2;
9602 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9606 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9607 info->nlh->nlmsg_seq);
9609 goto err_fill_gen_info;
9611 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9618 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9619 [NFT_MSG_NEWTABLE] = {
9620 .call = nf_tables_newtable,
9621 .type = NFNL_CB_BATCH,
9622 .attr_count = NFTA_TABLE_MAX,
9623 .policy = nft_table_policy,
9625 [NFT_MSG_GETTABLE] = {
9626 .call = nf_tables_gettable,
9627 .type = NFNL_CB_RCU,
9628 .attr_count = NFTA_TABLE_MAX,
9629 .policy = nft_table_policy,
9631 [NFT_MSG_DELTABLE] = {
9632 .call = nf_tables_deltable,
9633 .type = NFNL_CB_BATCH,
9634 .attr_count = NFTA_TABLE_MAX,
9635 .policy = nft_table_policy,
9637 [NFT_MSG_DESTROYTABLE] = {
9638 .call = nf_tables_deltable,
9639 .type = NFNL_CB_BATCH,
9640 .attr_count = NFTA_TABLE_MAX,
9641 .policy = nft_table_policy,
9643 [NFT_MSG_NEWCHAIN] = {
9644 .call = nf_tables_newchain,
9645 .type = NFNL_CB_BATCH,
9646 .attr_count = NFTA_CHAIN_MAX,
9647 .policy = nft_chain_policy,
9649 [NFT_MSG_GETCHAIN] = {
9650 .call = nf_tables_getchain,
9651 .type = NFNL_CB_RCU,
9652 .attr_count = NFTA_CHAIN_MAX,
9653 .policy = nft_chain_policy,
9655 [NFT_MSG_DELCHAIN] = {
9656 .call = nf_tables_delchain,
9657 .type = NFNL_CB_BATCH,
9658 .attr_count = NFTA_CHAIN_MAX,
9659 .policy = nft_chain_policy,
9661 [NFT_MSG_DESTROYCHAIN] = {
9662 .call = nf_tables_delchain,
9663 .type = NFNL_CB_BATCH,
9664 .attr_count = NFTA_CHAIN_MAX,
9665 .policy = nft_chain_policy,
9667 [NFT_MSG_NEWRULE] = {
9668 .call = nf_tables_newrule,
9669 .type = NFNL_CB_BATCH,
9670 .attr_count = NFTA_RULE_MAX,
9671 .policy = nft_rule_policy,
9673 [NFT_MSG_GETRULE] = {
9674 .call = nf_tables_getrule,
9675 .type = NFNL_CB_RCU,
9676 .attr_count = NFTA_RULE_MAX,
9677 .policy = nft_rule_policy,
9679 [NFT_MSG_GETRULE_RESET] = {
9680 .call = nf_tables_getrule_reset,
9681 .type = NFNL_CB_RCU,
9682 .attr_count = NFTA_RULE_MAX,
9683 .policy = nft_rule_policy,
9685 [NFT_MSG_DELRULE] = {
9686 .call = nf_tables_delrule,
9687 .type = NFNL_CB_BATCH,
9688 .attr_count = NFTA_RULE_MAX,
9689 .policy = nft_rule_policy,
9691 [NFT_MSG_DESTROYRULE] = {
9692 .call = nf_tables_delrule,
9693 .type = NFNL_CB_BATCH,
9694 .attr_count = NFTA_RULE_MAX,
9695 .policy = nft_rule_policy,
9697 [NFT_MSG_NEWSET] = {
9698 .call = nf_tables_newset,
9699 .type = NFNL_CB_BATCH,
9700 .attr_count = NFTA_SET_MAX,
9701 .policy = nft_set_policy,
9703 [NFT_MSG_GETSET] = {
9704 .call = nf_tables_getset,
9705 .type = NFNL_CB_RCU,
9706 .attr_count = NFTA_SET_MAX,
9707 .policy = nft_set_policy,
9709 [NFT_MSG_DELSET] = {
9710 .call = nf_tables_delset,
9711 .type = NFNL_CB_BATCH,
9712 .attr_count = NFTA_SET_MAX,
9713 .policy = nft_set_policy,
9715 [NFT_MSG_DESTROYSET] = {
9716 .call = nf_tables_delset,
9717 .type = NFNL_CB_BATCH,
9718 .attr_count = NFTA_SET_MAX,
9719 .policy = nft_set_policy,
9721 [NFT_MSG_NEWSETELEM] = {
9722 .call = nf_tables_newsetelem,
9723 .type = NFNL_CB_BATCH,
9724 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9725 .policy = nft_set_elem_list_policy,
9727 [NFT_MSG_GETSETELEM] = {
9728 .call = nf_tables_getsetelem,
9729 .type = NFNL_CB_RCU,
9730 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9731 .policy = nft_set_elem_list_policy,
9733 [NFT_MSG_GETSETELEM_RESET] = {
9734 .call = nf_tables_getsetelem_reset,
9735 .type = NFNL_CB_RCU,
9736 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9737 .policy = nft_set_elem_list_policy,
9739 [NFT_MSG_DELSETELEM] = {
9740 .call = nf_tables_delsetelem,
9741 .type = NFNL_CB_BATCH,
9742 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9743 .policy = nft_set_elem_list_policy,
9745 [NFT_MSG_DESTROYSETELEM] = {
9746 .call = nf_tables_delsetelem,
9747 .type = NFNL_CB_BATCH,
9748 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9749 .policy = nft_set_elem_list_policy,
9751 [NFT_MSG_GETGEN] = {
9752 .call = nf_tables_getgen,
9753 .type = NFNL_CB_RCU,
9755 [NFT_MSG_NEWOBJ] = {
9756 .call = nf_tables_newobj,
9757 .type = NFNL_CB_BATCH,
9758 .attr_count = NFTA_OBJ_MAX,
9759 .policy = nft_obj_policy,
9761 [NFT_MSG_GETOBJ] = {
9762 .call = nf_tables_getobj,
9763 .type = NFNL_CB_RCU,
9764 .attr_count = NFTA_OBJ_MAX,
9765 .policy = nft_obj_policy,
9767 [NFT_MSG_DELOBJ] = {
9768 .call = nf_tables_delobj,
9769 .type = NFNL_CB_BATCH,
9770 .attr_count = NFTA_OBJ_MAX,
9771 .policy = nft_obj_policy,
9773 [NFT_MSG_DESTROYOBJ] = {
9774 .call = nf_tables_delobj,
9775 .type = NFNL_CB_BATCH,
9776 .attr_count = NFTA_OBJ_MAX,
9777 .policy = nft_obj_policy,
9779 [NFT_MSG_GETOBJ_RESET] = {
9780 .call = nf_tables_getobj_reset,
9781 .type = NFNL_CB_RCU,
9782 .attr_count = NFTA_OBJ_MAX,
9783 .policy = nft_obj_policy,
9785 [NFT_MSG_NEWFLOWTABLE] = {
9786 .call = nf_tables_newflowtable,
9787 .type = NFNL_CB_BATCH,
9788 .attr_count = NFTA_FLOWTABLE_MAX,
9789 .policy = nft_flowtable_policy,
9791 [NFT_MSG_GETFLOWTABLE] = {
9792 .call = nf_tables_getflowtable,
9793 .type = NFNL_CB_RCU,
9794 .attr_count = NFTA_FLOWTABLE_MAX,
9795 .policy = nft_flowtable_policy,
9797 [NFT_MSG_DELFLOWTABLE] = {
9798 .call = nf_tables_delflowtable,
9799 .type = NFNL_CB_BATCH,
9800 .attr_count = NFTA_FLOWTABLE_MAX,
9801 .policy = nft_flowtable_policy,
9803 [NFT_MSG_DESTROYFLOWTABLE] = {
9804 .call = nf_tables_delflowtable,
9805 .type = NFNL_CB_BATCH,
9806 .attr_count = NFTA_FLOWTABLE_MAX,
9807 .policy = nft_flowtable_policy,
9811 static int nf_tables_validate(struct net *net)
9813 struct nftables_pernet *nft_net = nft_pernet(net);
9814 struct nft_table *table;
9816 list_for_each_entry(table, &nft_net->tables, list) {
9817 switch (table->validate_state) {
9818 case NFT_VALIDATE_SKIP:
9820 case NFT_VALIDATE_NEED:
9821 nft_validate_state_update(table, NFT_VALIDATE_DO);
9823 case NFT_VALIDATE_DO:
9824 if (nft_table_validate(net, table) < 0)
9827 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9835 /* a drop policy has to be deferred until all rules have been activated,
9836 * otherwise a large ruleset that contains a drop-policy base chain will
9837 * cause all packets to get dropped until the full transaction has been
9840 * We defer the drop policy until the transaction has been finalized.
9842 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans)
9844 struct nft_base_chain *basechain;
9846 if (trans->policy != NF_DROP)
9849 if (!nft_is_base_chain(trans->chain))
9852 basechain = nft_base_chain(trans->chain);
9853 basechain->policy = NF_DROP;
9856 static void nft_chain_commit_update(struct nft_trans_chain *trans)
9858 struct nft_table *table = trans->nft_trans_binding.nft_trans.table;
9859 struct nft_base_chain *basechain;
9862 rhltable_remove(&table->chains_ht,
9863 &trans->chain->rhlhead,
9864 nft_chain_ht_params);
9865 swap(trans->chain->name, trans->name);
9866 rhltable_insert_key(&table->chains_ht,
9868 &trans->chain->rhlhead,
9869 nft_chain_ht_params);
9872 if (!nft_is_base_chain(trans->chain))
9875 nft_chain_stats_replace(trans);
9877 basechain = nft_base_chain(trans->chain);
9879 switch (trans->policy) {
9882 basechain->policy = trans->policy;
9887 static void nft_obj_commit_update(const struct nft_ctx *ctx,
9888 struct nft_trans *trans)
9890 struct nft_object *newobj;
9891 struct nft_object *obj;
9893 obj = nft_trans_obj(trans);
9894 newobj = nft_trans_obj_newobj(trans);
9896 if (WARN_ON_ONCE(!obj->ops->update))
9899 obj->ops->update(obj, newobj);
9900 nft_obj_destroy(ctx, newobj);
9903 static void nft_commit_release(struct nft_trans *trans)
9905 struct nft_ctx ctx = {
9909 nft_ctx_update(&ctx, trans);
9911 switch (trans->msg_type) {
9912 case NFT_MSG_DELTABLE:
9913 case NFT_MSG_DESTROYTABLE:
9914 nf_tables_table_destroy(trans->table);
9916 case NFT_MSG_NEWCHAIN:
9917 free_percpu(nft_trans_chain_stats(trans));
9918 kfree(nft_trans_chain_name(trans));
9920 case NFT_MSG_DELCHAIN:
9921 case NFT_MSG_DESTROYCHAIN:
9922 if (nft_trans_chain_update(trans))
9923 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9925 nf_tables_chain_destroy(nft_trans_chain(trans));
9927 case NFT_MSG_DELRULE:
9928 case NFT_MSG_DESTROYRULE:
9929 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
9931 case NFT_MSG_DELSET:
9932 case NFT_MSG_DESTROYSET:
9933 nft_set_destroy(&ctx, nft_trans_set(trans));
9935 case NFT_MSG_DELSETELEM:
9936 case NFT_MSG_DESTROYSETELEM:
9937 nft_trans_elems_destroy(&ctx, nft_trans_container_elem(trans));
9939 case NFT_MSG_DELOBJ:
9940 case NFT_MSG_DESTROYOBJ:
9941 nft_obj_destroy(&ctx, nft_trans_obj(trans));
9943 case NFT_MSG_DELFLOWTABLE:
9944 case NFT_MSG_DESTROYFLOWTABLE:
9945 if (nft_trans_flowtable_update(trans))
9946 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9948 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9953 put_net(trans->net);
9958 static void nf_tables_trans_destroy_work(struct work_struct *w)
9960 struct nft_trans *trans, *next;
9963 spin_lock(&nf_tables_destroy_list_lock);
9964 list_splice_init(&nf_tables_destroy_list, &head);
9965 spin_unlock(&nf_tables_destroy_list_lock);
9967 if (list_empty(&head))
9972 list_for_each_entry_safe(trans, next, &head, list) {
9973 nft_trans_list_del(trans);
9974 nft_commit_release(trans);
9978 void nf_tables_trans_destroy_flush_work(void)
9980 flush_work(&trans_destroy_work);
9982 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9984 static bool nft_expr_reduce(struct nft_regs_track *track,
9985 const struct nft_expr *expr)
9990 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9992 const struct nft_expr *expr, *last;
9993 struct nft_regs_track track = {};
9994 unsigned int size, data_size;
9995 void *data, *data_boundary;
9996 struct nft_rule_dp *prule;
9997 struct nft_rule *rule;
9999 /* already handled or inactive chain? */
10000 if (chain->blob_next || !nft_is_active_next(net, chain))
10004 list_for_each_entry(rule, &chain->rules, list) {
10005 if (nft_is_active_next(net, rule)) {
10006 data_size += sizeof(*prule) + rule->dlen;
10007 if (data_size > INT_MAX)
10012 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
10013 if (!chain->blob_next)
10016 data = (void *)chain->blob_next->data;
10017 data_boundary = data + data_size;
10020 list_for_each_entry(rule, &chain->rules, list) {
10021 if (!nft_is_active_next(net, rule))
10024 prule = (struct nft_rule_dp *)data;
10025 data += offsetof(struct nft_rule_dp, data);
10026 if (WARN_ON_ONCE(data > data_boundary))
10030 track.last = nft_expr_last(rule);
10031 nft_rule_for_each_expr(expr, last, rule) {
10034 if (nft_expr_reduce(&track, expr)) {
10039 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
10042 memcpy(data + size, expr, expr->ops->size);
10043 size += expr->ops->size;
10045 if (WARN_ON_ONCE(size >= 1 << 12))
10048 prule->handle = rule->handle;
10049 prule->dlen = size;
10050 prule->is_last = 0;
10054 chain->blob_next->size += (unsigned long)(data - (void *)prule);
10057 if (WARN_ON_ONCE(data > data_boundary))
10060 prule = (struct nft_rule_dp *)data;
10061 nft_last_rule(chain, prule);
10066 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
10068 struct nftables_pernet *nft_net = nft_pernet(net);
10069 struct nft_trans *trans, *next;
10071 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10072 if (trans->msg_type == NFT_MSG_NEWRULE ||
10073 trans->msg_type == NFT_MSG_DELRULE) {
10074 struct nft_chain *chain = nft_trans_rule_chain(trans);
10076 kvfree(chain->blob_next);
10077 chain->blob_next = NULL;
10082 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
10084 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
10089 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
10091 struct nft_rule_dp_last *last;
10093 /* last rule trailer is after end marker */
10094 last = (void *)blob + sizeof(*blob) + blob->size;
10097 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
10100 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
10102 struct nft_rule_blob *g0, *g1;
10105 next_genbit = nft_gencursor_next(net);
10107 g0 = rcu_dereference_protected(chain->blob_gen_0,
10108 lockdep_commit_lock_is_held(net));
10109 g1 = rcu_dereference_protected(chain->blob_gen_1,
10110 lockdep_commit_lock_is_held(net));
10112 /* No changes to this chain? */
10113 if (chain->blob_next == NULL) {
10114 /* chain had no change in last or next generation */
10118 * chain had no change in this generation; make sure next
10119 * one uses same rules as current generation.
10122 rcu_assign_pointer(chain->blob_gen_1, g0);
10123 nf_tables_commit_chain_free_rules_old(g1);
10125 rcu_assign_pointer(chain->blob_gen_0, g1);
10126 nf_tables_commit_chain_free_rules_old(g0);
10133 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
10135 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
10137 chain->blob_next = NULL;
10143 nf_tables_commit_chain_free_rules_old(g1);
10145 nf_tables_commit_chain_free_rules_old(g0);
10148 static void nft_obj_del(struct nft_object *obj)
10150 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
10151 list_del_rcu(&obj->list);
10154 void nft_chain_del(struct nft_chain *chain)
10156 struct nft_table *table = chain->table;
10158 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
10159 nft_chain_ht_params));
10160 list_del_rcu(&chain->list);
10163 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
10164 struct nft_trans_gc *trans)
10166 struct nft_elem_priv **priv = trans->priv;
10169 for (i = 0; i < trans->count; i++) {
10170 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
10171 nft_setelem_remove(ctx->net, trans->set, priv[i]);
10175 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
10177 nft_set_put(trans->set);
10178 put_net(trans->net);
10182 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
10184 struct nft_elem_priv *elem_priv;
10185 struct nft_trans_gc *trans;
10186 struct nft_ctx ctx = {};
10189 trans = container_of(rcu, struct nft_trans_gc, rcu);
10190 ctx.net = read_pnet(&trans->set->net);
10192 for (i = 0; i < trans->count; i++) {
10193 elem_priv = trans->priv[i];
10194 if (!nft_setelem_is_catchall(trans->set, elem_priv))
10195 atomic_dec(&trans->set->nelems);
10197 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
10200 nft_trans_gc_destroy(trans);
10203 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
10205 struct nftables_pernet *nft_net;
10206 struct nft_ctx ctx = {};
10208 nft_net = nft_pernet(trans->net);
10210 mutex_lock(&nft_net->commit_mutex);
10212 /* Check for race with transaction, otherwise this batch refers to
10213 * stale objects that might not be there anymore. Skip transaction if
10214 * set has been destroyed from control plane transaction in case gc
10215 * worker loses race.
10217 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
10218 mutex_unlock(&nft_net->commit_mutex);
10222 ctx.net = trans->net;
10223 ctx.table = trans->set->table;
10225 nft_trans_gc_setelem_remove(&ctx, trans);
10226 mutex_unlock(&nft_net->commit_mutex);
10231 static void nft_trans_gc_work(struct work_struct *work)
10233 struct nft_trans_gc *trans, *next;
10234 LIST_HEAD(trans_gc_list);
10236 spin_lock(&nf_tables_gc_list_lock);
10237 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
10238 spin_unlock(&nf_tables_gc_list_lock);
10240 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
10241 list_del(&trans->list);
10242 if (!nft_trans_gc_work_done(trans)) {
10243 nft_trans_gc_destroy(trans);
10246 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
10250 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
10251 unsigned int gc_seq, gfp_t gfp)
10253 struct net *net = read_pnet(&set->net);
10254 struct nft_trans_gc *trans;
10256 trans = kzalloc(sizeof(*trans), gfp);
10260 trans->net = maybe_get_net(net);
10266 refcount_inc(&set->refs);
10268 trans->seq = gc_seq;
10273 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
10275 trans->priv[trans->count++] = priv;
10278 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
10280 spin_lock(&nf_tables_gc_list_lock);
10281 list_add_tail(&trans->list, &nf_tables_gc_list);
10282 spin_unlock(&nf_tables_gc_list_lock);
10284 schedule_work(&trans_gc_work);
10287 static int nft_trans_gc_space(struct nft_trans_gc *trans)
10289 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
10292 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
10293 unsigned int gc_seq, gfp_t gfp)
10295 struct nft_set *set;
10297 if (nft_trans_gc_space(gc))
10301 nft_trans_gc_queue_work(gc);
10303 return nft_trans_gc_alloc(set, gc_seq, gfp);
10306 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
10308 if (trans->count == 0) {
10309 nft_trans_gc_destroy(trans);
10313 nft_trans_gc_queue_work(trans);
10316 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
10318 struct nft_set *set;
10320 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
10323 if (nft_trans_gc_space(gc))
10327 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
10329 return nft_trans_gc_alloc(set, 0, gfp);
10332 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
10334 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
10336 if (trans->count == 0) {
10337 nft_trans_gc_destroy(trans);
10341 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
10344 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
10345 unsigned int gc_seq)
10347 struct nft_set_elem_catchall *catchall;
10348 const struct nft_set *set = gc->set;
10349 struct nft_set_ext *ext;
10351 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10352 ext = nft_set_elem_ext(set, catchall->elem);
10354 if (!nft_set_elem_expired(ext))
10356 if (nft_set_elem_is_dead(ext))
10359 nft_set_elem_dead(ext);
10361 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
10365 nft_trans_gc_elem_add(gc, catchall->elem);
10371 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
10373 struct nft_set_elem_catchall *catchall, *next;
10374 u64 tstamp = nft_net_tstamp(gc->net);
10375 const struct nft_set *set = gc->set;
10376 struct nft_elem_priv *elem_priv;
10377 struct nft_set_ext *ext;
10379 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
10381 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
10382 ext = nft_set_elem_ext(set, catchall->elem);
10384 if (!__nft_set_elem_expired(ext, tstamp))
10387 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
10391 elem_priv = catchall->elem;
10392 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
10393 nft_setelem_catchall_destroy(catchall);
10394 nft_trans_gc_elem_add(gc, elem_priv);
10400 static void nf_tables_module_autoload_cleanup(struct net *net)
10402 struct nftables_pernet *nft_net = nft_pernet(net);
10403 struct nft_module_request *req, *next;
10405 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10406 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
10407 WARN_ON_ONCE(!req->done);
10408 list_del(&req->list);
10413 static void nf_tables_commit_release(struct net *net)
10415 struct nftables_pernet *nft_net = nft_pernet(net);
10416 struct nft_trans *trans;
10418 /* all side effects have to be made visible.
10419 * For example, if a chain named 'foo' has been deleted, a
10420 * new transaction must not find it anymore.
10422 * Memory reclaim happens asynchronously from work queue
10423 * to prevent expensive synchronize_rcu() in commit phase.
10425 if (list_empty(&nft_net->commit_list)) {
10426 nf_tables_module_autoload_cleanup(net);
10427 mutex_unlock(&nft_net->commit_mutex);
10431 trans = list_last_entry(&nft_net->commit_list,
10432 struct nft_trans, list);
10433 get_net(trans->net);
10434 WARN_ON_ONCE(trans->put_net);
10436 trans->put_net = true;
10437 spin_lock(&nf_tables_destroy_list_lock);
10438 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
10439 spin_unlock(&nf_tables_destroy_list_lock);
10441 nf_tables_module_autoload_cleanup(net);
10442 schedule_work(&trans_destroy_work);
10444 mutex_unlock(&nft_net->commit_mutex);
10447 static void nft_commit_notify(struct net *net, u32 portid)
10449 struct nftables_pernet *nft_net = nft_pernet(net);
10450 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10451 unsigned char *data;
10454 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10458 len = NLMSG_GOODSIZE - skb->len;
10459 list_del(&skb->list);
10463 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10464 data = skb_put(batch_skb, skb->len);
10465 memcpy(data, skb->data, skb->len);
10466 list_del(&skb->list);
10470 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10471 NFT_CB(batch_skb).report, GFP_KERNEL);
10476 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10477 NFT_CB(batch_skb).report, GFP_KERNEL);
10480 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10483 static int nf_tables_commit_audit_alloc(struct list_head *adl,
10484 struct nft_table *table)
10486 struct nft_audit_data *adp;
10488 list_for_each_entry(adp, adl, list) {
10489 if (adp->table == table)
10492 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
10495 adp->table = table;
10496 list_add(&adp->list, adl);
10500 static void nf_tables_commit_audit_free(struct list_head *adl)
10502 struct nft_audit_data *adp, *adn;
10504 list_for_each_entry_safe(adp, adn, adl, list) {
10505 list_del(&adp->list);
10510 /* nft audit emits the number of elements that get added/removed/updated,
10511 * so NEW/DELSETELEM needs to increment based on the total elem count.
10513 static unsigned int nf_tables_commit_audit_entrycount(const struct nft_trans *trans)
10515 switch (trans->msg_type) {
10516 case NFT_MSG_NEWSETELEM:
10517 case NFT_MSG_DELSETELEM:
10518 return nft_trans_container_elem(trans)->nelems;
10524 static void nf_tables_commit_audit_collect(struct list_head *adl,
10525 const struct nft_trans *trans, u32 op)
10527 const struct nft_table *table = trans->table;
10528 struct nft_audit_data *adp;
10530 list_for_each_entry(adp, adl, list) {
10531 if (adp->table == table)
10534 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10537 adp->entries += nf_tables_commit_audit_entrycount(trans);
10538 if (!adp->op || adp->op > op)
10542 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10544 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10546 struct nft_audit_data *adp, *adn;
10547 char aubuf[AUNFTABLENAMELEN];
10549 list_for_each_entry_safe(adp, adn, adl, list) {
10550 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10552 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10553 nft2audit_op[adp->op], GFP_KERNEL);
10554 list_del(&adp->list);
10559 static void nft_set_commit_update(struct list_head *set_update_list)
10561 struct nft_set *set, *next;
10563 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10564 list_del_init(&set->pending_update);
10566 if (!set->ops->commit || set->dead)
10569 set->ops->commit(set);
10573 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10575 unsigned int gc_seq;
10577 /* Bump gc counter, it becomes odd, this is the busy mark. */
10578 gc_seq = READ_ONCE(nft_net->gc_seq);
10579 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10584 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10586 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10589 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10591 struct nftables_pernet *nft_net = nft_pernet(net);
10592 const struct nlmsghdr *nlh = nlmsg_hdr(skb);
10593 struct nft_trans_binding *trans_binding;
10594 struct nft_trans *trans, *next;
10595 unsigned int base_seq, gc_seq;
10596 LIST_HEAD(set_update_list);
10597 struct nft_trans_elem *te;
10598 struct nft_chain *chain;
10599 struct nft_table *table;
10600 struct nft_ctx ctx;
10604 if (list_empty(&nft_net->commit_list)) {
10605 mutex_unlock(&nft_net->commit_mutex);
10609 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL);
10611 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) {
10612 trans = &trans_binding->nft_trans;
10613 switch (trans->msg_type) {
10614 case NFT_MSG_NEWSET:
10615 if (!nft_trans_set_update(trans) &&
10616 nft_set_is_anonymous(nft_trans_set(trans)) &&
10617 !nft_trans_set_bound(trans)) {
10618 pr_warn_once("nftables ruleset with unbound set\n");
10622 case NFT_MSG_NEWCHAIN:
10623 if (!nft_trans_chain_update(trans) &&
10624 nft_chain_binding(nft_trans_chain(trans)) &&
10625 !nft_trans_chain_bound(trans)) {
10626 pr_warn_once("nftables ruleset with unbound chain\n");
10631 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type);
10636 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10637 if (nf_tables_validate(net) < 0) {
10638 nft_net->validate_state = NFT_VALIDATE_DO;
10642 err = nft_flow_rule_offload_commit(net);
10646 /* 1. Allocate space for next generation rules_gen_X[] */
10647 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10648 struct nft_table *table = trans->table;
10651 ret = nf_tables_commit_audit_alloc(&adl, table);
10653 nf_tables_commit_chain_prepare_cancel(net);
10654 nf_tables_commit_audit_free(&adl);
10657 if (trans->msg_type == NFT_MSG_NEWRULE ||
10658 trans->msg_type == NFT_MSG_DELRULE) {
10659 chain = nft_trans_rule_chain(trans);
10661 ret = nf_tables_commit_chain_prepare(net, chain);
10663 nf_tables_commit_chain_prepare_cancel(net);
10664 nf_tables_commit_audit_free(&adl);
10670 /* step 2. Make rules_gen_X visible to packet path */
10671 list_for_each_entry(table, &nft_net->tables, list) {
10672 list_for_each_entry(chain, &table->chains, list)
10673 nf_tables_commit_chain(net, chain);
10677 * Bump generation counter, invalidate any dump in progress.
10678 * Cannot fail after this point.
10680 base_seq = READ_ONCE(nft_net->base_seq);
10681 while (++base_seq == 0)
10684 WRITE_ONCE(nft_net->base_seq, base_seq);
10686 gc_seq = nft_gc_seq_begin(nft_net);
10688 /* step 3. Start new generation, rules_gen_X now in use. */
10689 net->nft.gencursor = nft_gencursor_next(net);
10691 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10692 struct nft_table *table = trans->table;
10694 nft_ctx_update(&ctx, trans);
10696 nf_tables_commit_audit_collect(&adl, trans, trans->msg_type);
10697 switch (trans->msg_type) {
10698 case NFT_MSG_NEWTABLE:
10699 if (nft_trans_table_update(trans)) {
10700 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10701 nft_trans_destroy(trans);
10704 if (table->flags & NFT_TABLE_F_DORMANT)
10705 nf_tables_table_disable(net, table);
10707 table->flags &= ~__NFT_TABLE_F_UPDATE;
10709 nft_clear(net, table);
10711 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE);
10712 nft_trans_destroy(trans);
10714 case NFT_MSG_DELTABLE:
10715 case NFT_MSG_DESTROYTABLE:
10716 list_del_rcu(&table->list);
10717 nf_tables_table_notify(&ctx, trans->msg_type);
10719 case NFT_MSG_NEWCHAIN:
10720 if (nft_trans_chain_update(trans)) {
10721 nft_chain_commit_update(nft_trans_container_chain(trans));
10722 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN,
10723 &nft_trans_chain_hooks(trans));
10724 list_splice(&nft_trans_chain_hooks(trans),
10725 &nft_trans_basechain(trans)->hook_list);
10726 /* trans destroyed after rcu grace period */
10728 nft_chain_commit_drop_policy(nft_trans_container_chain(trans));
10729 nft_clear(net, nft_trans_chain(trans));
10730 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL);
10731 nft_trans_destroy(trans);
10734 case NFT_MSG_DELCHAIN:
10735 case NFT_MSG_DESTROYCHAIN:
10736 if (nft_trans_chain_update(trans)) {
10737 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10738 &nft_trans_chain_hooks(trans));
10739 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
10740 nft_netdev_unregister_hooks(net,
10741 &nft_trans_chain_hooks(trans),
10745 nft_chain_del(nft_trans_chain(trans));
10746 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10748 nf_tables_unregister_hook(ctx.net, ctx.table,
10749 nft_trans_chain(trans));
10752 case NFT_MSG_NEWRULE:
10753 nft_clear(net, nft_trans_rule(trans));
10754 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10756 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10757 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10759 nft_trans_destroy(trans);
10761 case NFT_MSG_DELRULE:
10762 case NFT_MSG_DESTROYRULE:
10763 list_del_rcu(&nft_trans_rule(trans)->list);
10764 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10766 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans),
10769 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10770 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10772 case NFT_MSG_NEWSET:
10773 list_del(&nft_trans_container_set(trans)->list_trans_newset);
10774 if (nft_trans_set_update(trans)) {
10775 struct nft_set *set = nft_trans_set(trans);
10777 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10778 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10780 if (nft_trans_set_size(trans))
10781 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10783 nft_clear(net, nft_trans_set(trans));
10784 /* This avoids hitting -EBUSY when deleting the table
10785 * from the transaction.
10787 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10788 !list_empty(&nft_trans_set(trans)->bindings))
10789 nft_use_dec(&table->use);
10791 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10792 NFT_MSG_NEWSET, GFP_KERNEL);
10793 nft_trans_destroy(trans);
10795 case NFT_MSG_DELSET:
10796 case NFT_MSG_DESTROYSET:
10797 nft_trans_set(trans)->dead = 1;
10798 list_del_rcu(&nft_trans_set(trans)->list);
10799 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10800 trans->msg_type, GFP_KERNEL);
10802 case NFT_MSG_NEWSETELEM:
10803 te = nft_trans_container_elem(trans);
10805 nft_trans_elems_add(&ctx, te);
10807 if (te->set->ops->commit &&
10808 list_empty(&te->set->pending_update)) {
10809 list_add_tail(&te->set->pending_update,
10812 nft_trans_destroy(trans);
10814 case NFT_MSG_DELSETELEM:
10815 case NFT_MSG_DESTROYSETELEM:
10816 te = nft_trans_container_elem(trans);
10818 nft_trans_elems_remove(&ctx, te);
10820 if (te->set->ops->commit &&
10821 list_empty(&te->set->pending_update)) {
10822 list_add_tail(&te->set->pending_update,
10826 case NFT_MSG_NEWOBJ:
10827 if (nft_trans_obj_update(trans)) {
10828 nft_obj_commit_update(&ctx, trans);
10829 nf_tables_obj_notify(&ctx,
10830 nft_trans_obj(trans),
10833 nft_clear(net, nft_trans_obj(trans));
10834 nf_tables_obj_notify(&ctx,
10835 nft_trans_obj(trans),
10837 nft_trans_destroy(trans);
10840 case NFT_MSG_DELOBJ:
10841 case NFT_MSG_DESTROYOBJ:
10842 nft_obj_del(nft_trans_obj(trans));
10843 nf_tables_obj_notify(&ctx, nft_trans_obj(trans),
10846 case NFT_MSG_NEWFLOWTABLE:
10847 if (nft_trans_flowtable_update(trans)) {
10848 nft_trans_flowtable(trans)->data.flags =
10849 nft_trans_flowtable_flags(trans);
10850 nf_tables_flowtable_notify(&ctx,
10851 nft_trans_flowtable(trans),
10852 &nft_trans_flowtable_hooks(trans),
10853 NFT_MSG_NEWFLOWTABLE);
10854 list_splice(&nft_trans_flowtable_hooks(trans),
10855 &nft_trans_flowtable(trans)->hook_list);
10857 nft_clear(net, nft_trans_flowtable(trans));
10858 nf_tables_flowtable_notify(&ctx,
10859 nft_trans_flowtable(trans),
10861 NFT_MSG_NEWFLOWTABLE);
10863 nft_trans_destroy(trans);
10865 case NFT_MSG_DELFLOWTABLE:
10866 case NFT_MSG_DESTROYFLOWTABLE:
10867 if (nft_trans_flowtable_update(trans)) {
10868 nf_tables_flowtable_notify(&ctx,
10869 nft_trans_flowtable(trans),
10870 &nft_trans_flowtable_hooks(trans),
10872 nft_unregister_flowtable_net_hooks(net,
10873 &nft_trans_flowtable_hooks(trans));
10875 list_del_rcu(&nft_trans_flowtable(trans)->list);
10876 nf_tables_flowtable_notify(&ctx,
10877 nft_trans_flowtable(trans),
10880 nft_unregister_flowtable_net_hooks(net,
10881 &nft_trans_flowtable(trans)->hook_list);
10887 nft_set_commit_update(&set_update_list);
10889 nft_commit_notify(net, NETLINK_CB(skb).portid);
10890 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10891 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10893 nft_gc_seq_end(nft_net, gc_seq);
10894 nft_net->validate_state = NFT_VALIDATE_SKIP;
10895 nf_tables_commit_release(net);
10900 static void nf_tables_module_autoload(struct net *net)
10902 struct nftables_pernet *nft_net = nft_pernet(net);
10903 struct nft_module_request *req, *next;
10904 LIST_HEAD(module_list);
10906 list_splice_init(&nft_net->module_list, &module_list);
10907 mutex_unlock(&nft_net->commit_mutex);
10908 list_for_each_entry_safe(req, next, &module_list, list) {
10909 request_module("%s", req->module);
10912 mutex_lock(&nft_net->commit_mutex);
10913 list_splice(&module_list, &nft_net->module_list);
10916 static void nf_tables_abort_release(struct nft_trans *trans)
10918 struct nft_ctx ctx = { };
10920 nft_ctx_update(&ctx, trans);
10922 switch (trans->msg_type) {
10923 case NFT_MSG_NEWTABLE:
10924 nf_tables_table_destroy(trans->table);
10926 case NFT_MSG_NEWCHAIN:
10927 if (nft_trans_chain_update(trans))
10928 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10930 nf_tables_chain_destroy(nft_trans_chain(trans));
10932 case NFT_MSG_NEWRULE:
10933 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
10935 case NFT_MSG_NEWSET:
10936 nft_set_destroy(&ctx, nft_trans_set(trans));
10938 case NFT_MSG_NEWSETELEM:
10939 nft_trans_set_elem_destroy(&ctx, nft_trans_container_elem(trans));
10941 case NFT_MSG_NEWOBJ:
10942 nft_obj_destroy(&ctx, nft_trans_obj(trans));
10944 case NFT_MSG_NEWFLOWTABLE:
10945 if (nft_trans_flowtable_update(trans))
10946 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10948 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10954 static void nft_set_abort_update(struct list_head *set_update_list)
10956 struct nft_set *set, *next;
10958 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10959 list_del_init(&set->pending_update);
10961 if (!set->ops->abort)
10964 set->ops->abort(set);
10968 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10970 struct nftables_pernet *nft_net = nft_pernet(net);
10971 struct nft_trans *trans, *next;
10972 LIST_HEAD(set_update_list);
10973 struct nft_trans_elem *te;
10974 struct nft_ctx ctx = {
10979 if (action == NFNL_ABORT_VALIDATE &&
10980 nf_tables_validate(net) < 0)
10983 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10985 struct nft_table *table = trans->table;
10987 nft_ctx_update(&ctx, trans);
10989 switch (trans->msg_type) {
10990 case NFT_MSG_NEWTABLE:
10991 if (nft_trans_table_update(trans)) {
10992 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10993 nft_trans_destroy(trans);
10996 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10997 nf_tables_table_disable(net, table);
10998 table->flags |= NFT_TABLE_F_DORMANT;
10999 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
11000 table->flags &= ~NFT_TABLE_F_DORMANT;
11002 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
11003 table->flags &= ~NFT_TABLE_F_OWNER;
11006 table->flags &= ~__NFT_TABLE_F_UPDATE;
11007 nft_trans_destroy(trans);
11009 list_del_rcu(&table->list);
11012 case NFT_MSG_DELTABLE:
11013 case NFT_MSG_DESTROYTABLE:
11014 nft_clear(trans->net, table);
11015 nft_trans_destroy(trans);
11017 case NFT_MSG_NEWCHAIN:
11018 if (nft_trans_chain_update(trans)) {
11019 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
11020 nft_netdev_unregister_hooks(net,
11021 &nft_trans_chain_hooks(trans),
11024 free_percpu(nft_trans_chain_stats(trans));
11025 kfree(nft_trans_chain_name(trans));
11026 nft_trans_destroy(trans);
11028 if (nft_trans_chain_bound(trans)) {
11029 nft_trans_destroy(trans);
11032 nft_use_dec_restore(&table->use);
11033 nft_chain_del(nft_trans_chain(trans));
11034 nf_tables_unregister_hook(trans->net, table,
11035 nft_trans_chain(trans));
11038 case NFT_MSG_DELCHAIN:
11039 case NFT_MSG_DESTROYCHAIN:
11040 if (nft_trans_chain_update(trans)) {
11041 list_splice(&nft_trans_chain_hooks(trans),
11042 &nft_trans_basechain(trans)->hook_list);
11044 nft_use_inc_restore(&table->use);
11045 nft_clear(trans->net, nft_trans_chain(trans));
11047 nft_trans_destroy(trans);
11049 case NFT_MSG_NEWRULE:
11050 if (nft_trans_rule_bound(trans)) {
11051 nft_trans_destroy(trans);
11054 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use);
11055 list_del_rcu(&nft_trans_rule(trans)->list);
11056 nft_rule_expr_deactivate(&ctx,
11057 nft_trans_rule(trans),
11059 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
11060 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
11062 case NFT_MSG_DELRULE:
11063 case NFT_MSG_DESTROYRULE:
11064 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use);
11065 nft_clear(trans->net, nft_trans_rule(trans));
11066 nft_rule_expr_activate(&ctx, nft_trans_rule(trans));
11067 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
11068 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
11070 nft_trans_destroy(trans);
11072 case NFT_MSG_NEWSET:
11073 list_del(&nft_trans_container_set(trans)->list_trans_newset);
11074 if (nft_trans_set_update(trans)) {
11075 nft_trans_destroy(trans);
11078 nft_use_dec_restore(&table->use);
11079 if (nft_trans_set_bound(trans)) {
11080 nft_trans_destroy(trans);
11083 nft_trans_set(trans)->dead = 1;
11084 list_del_rcu(&nft_trans_set(trans)->list);
11086 case NFT_MSG_DELSET:
11087 case NFT_MSG_DESTROYSET:
11088 nft_use_inc_restore(&table->use);
11089 nft_clear(trans->net, nft_trans_set(trans));
11090 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11091 nft_map_activate(&ctx, nft_trans_set(trans));
11093 nft_trans_destroy(trans);
11095 case NFT_MSG_NEWSETELEM:
11096 if (nft_trans_elem_set_bound(trans)) {
11097 nft_trans_destroy(trans);
11100 te = nft_trans_container_elem(trans);
11101 if (!nft_trans_elems_new_abort(&ctx, te)) {
11102 nft_trans_destroy(trans);
11106 if (te->set->ops->abort &&
11107 list_empty(&te->set->pending_update)) {
11108 list_add_tail(&te->set->pending_update,
11112 case NFT_MSG_DELSETELEM:
11113 case NFT_MSG_DESTROYSETELEM:
11114 te = nft_trans_container_elem(trans);
11116 nft_trans_elems_destroy_abort(&ctx, te);
11118 if (te->set->ops->abort &&
11119 list_empty(&te->set->pending_update)) {
11120 list_add_tail(&te->set->pending_update,
11123 nft_trans_destroy(trans);
11125 case NFT_MSG_NEWOBJ:
11126 if (nft_trans_obj_update(trans)) {
11127 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans));
11128 nft_trans_destroy(trans);
11130 nft_use_dec_restore(&table->use);
11131 nft_obj_del(nft_trans_obj(trans));
11134 case NFT_MSG_DELOBJ:
11135 case NFT_MSG_DESTROYOBJ:
11136 nft_use_inc_restore(&table->use);
11137 nft_clear(trans->net, nft_trans_obj(trans));
11138 nft_trans_destroy(trans);
11140 case NFT_MSG_NEWFLOWTABLE:
11141 if (nft_trans_flowtable_update(trans)) {
11142 nft_unregister_flowtable_net_hooks(net,
11143 &nft_trans_flowtable_hooks(trans));
11145 nft_use_dec_restore(&table->use);
11146 list_del_rcu(&nft_trans_flowtable(trans)->list);
11147 nft_unregister_flowtable_net_hooks(net,
11148 &nft_trans_flowtable(trans)->hook_list);
11151 case NFT_MSG_DELFLOWTABLE:
11152 case NFT_MSG_DESTROYFLOWTABLE:
11153 if (nft_trans_flowtable_update(trans)) {
11154 list_splice(&nft_trans_flowtable_hooks(trans),
11155 &nft_trans_flowtable(trans)->hook_list);
11157 nft_use_inc_restore(&table->use);
11158 nft_clear(trans->net, nft_trans_flowtable(trans));
11160 nft_trans_destroy(trans);
11165 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
11167 nft_set_abort_update(&set_update_list);
11171 list_for_each_entry_safe_reverse(trans, next,
11172 &nft_net->commit_list, list) {
11173 nft_trans_list_del(trans);
11174 nf_tables_abort_release(trans);
11180 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
11181 enum nfnl_abort_action action)
11183 struct nftables_pernet *nft_net = nft_pernet(net);
11184 unsigned int gc_seq;
11187 gc_seq = nft_gc_seq_begin(nft_net);
11188 ret = __nf_tables_abort(net, action);
11189 nft_gc_seq_end(nft_net, gc_seq);
11191 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11193 /* module autoload needs to happen after GC sequence update because it
11194 * temporarily releases and grabs mutex again.
11196 if (action == NFNL_ABORT_AUTOLOAD)
11197 nf_tables_module_autoload(net);
11199 nf_tables_module_autoload_cleanup(net);
11201 mutex_unlock(&nft_net->commit_mutex);
11206 static bool nf_tables_valid_genid(struct net *net, u32 genid)
11208 struct nftables_pernet *nft_net = nft_pernet(net);
11211 mutex_lock(&nft_net->commit_mutex);
11212 nft_net->tstamp = get_jiffies_64();
11214 genid_ok = genid == 0 || nft_net->base_seq == genid;
11216 mutex_unlock(&nft_net->commit_mutex);
11218 /* else, commit mutex has to be released by commit or abort function */
11222 static const struct nfnetlink_subsystem nf_tables_subsys = {
11223 .name = "nf_tables",
11224 .subsys_id = NFNL_SUBSYS_NFTABLES,
11225 .cb_count = NFT_MSG_MAX,
11226 .cb = nf_tables_cb,
11227 .commit = nf_tables_commit,
11228 .abort = nf_tables_abort,
11229 .valid_genid = nf_tables_valid_genid,
11230 .owner = THIS_MODULE,
11233 int nft_chain_validate_dependency(const struct nft_chain *chain,
11234 enum nft_chain_types type)
11236 const struct nft_base_chain *basechain;
11238 if (nft_is_base_chain(chain)) {
11239 basechain = nft_base_chain(chain);
11240 if (basechain->type->type != type)
11241 return -EOPNOTSUPP;
11245 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
11247 int nft_chain_validate_hooks(const struct nft_chain *chain,
11248 unsigned int hook_flags)
11250 struct nft_base_chain *basechain;
11252 if (nft_is_base_chain(chain)) {
11253 basechain = nft_base_chain(chain);
11255 if ((1 << basechain->ops.hooknum) & hook_flags)
11258 return -EOPNOTSUPP;
11263 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
11266 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
11268 * @attr: netlink attribute to fetch value from
11269 * @max: maximum value to be stored in dest
11270 * @dest: pointer to the variable
11272 * Parse, check and store a given u32 netlink attribute into variable.
11273 * This function returns -ERANGE if the value goes over maximum value.
11274 * Otherwise a 0 is returned and the attribute value is stored in the
11275 * destination variable.
11277 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
11281 val = ntohl(nla_get_be32(attr));
11288 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
11290 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
11294 reg = ntohl(nla_get_be32(attr));
11296 case NFT_REG_VERDICT...NFT_REG_4:
11297 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
11299 case NFT_REG32_00...NFT_REG32_15:
11300 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
11310 * nft_dump_register - dump a register value to a netlink attribute
11312 * @skb: socket buffer
11313 * @attr: attribute number
11314 * @reg: register number
11316 * Construct a netlink attribute containing the register number. For
11317 * compatibility reasons, register numbers being a multiple of 4 are
11318 * translated to the corresponding 128 bit register numbers.
11320 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
11322 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
11323 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
11325 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
11327 return nla_put_be32(skb, attr, htonl(reg));
11329 EXPORT_SYMBOL_GPL(nft_dump_register);
11331 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
11333 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11337 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
11343 int nft_parse_register_load(const struct nft_ctx *ctx,
11344 const struct nlattr *attr, u8 *sreg, u32 len)
11346 int err, invalid_reg;
11347 u32 reg, next_register;
11349 err = nft_parse_register(attr, ®);
11353 err = nft_validate_register_load(reg, len);
11357 next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;
11359 /* Can't happen: nft_validate_register_load() should have failed */
11360 if (WARN_ON_ONCE(next_register > NFT_REG32_NUM))
11363 /* find first register that did not see an earlier store. */
11364 invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);
11366 /* invalid register within the range that we're loading from? */
11367 if (invalid_reg < next_register)
11373 EXPORT_SYMBOL_GPL(nft_parse_register_load);
11375 static void nft_saw_register_store(const struct nft_ctx *__ctx,
11376 int reg, unsigned int len)
11378 unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE);
11379 struct nft_ctx *ctx = (struct nft_ctx *)__ctx;
11381 if (WARN_ON_ONCE(len == 0 || reg < 0))
11384 bitmap_set(ctx->reg_inited, reg, registers);
11387 static int nft_validate_register_store(const struct nft_ctx *ctx,
11388 enum nft_registers reg,
11389 const struct nft_data *data,
11390 enum nft_data_types type,
11396 case NFT_REG_VERDICT:
11397 if (type != NFT_DATA_VERDICT)
11400 if (data != NULL &&
11401 (data->verdict.code == NFT_GOTO ||
11402 data->verdict.code == NFT_JUMP)) {
11403 err = nft_chain_validate(ctx, data->verdict.chain);
11410 if (type != NFT_DATA_VALUE)
11413 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11417 if (reg * NFT_REG32_SIZE + len >
11418 sizeof_field(struct nft_regs, data))
11424 nft_saw_register_store(ctx, reg, len);
11428 int nft_parse_register_store(const struct nft_ctx *ctx,
11429 const struct nlattr *attr, u8 *dreg,
11430 const struct nft_data *data,
11431 enum nft_data_types type, unsigned int len)
11436 err = nft_parse_register(attr, ®);
11440 err = nft_validate_register_store(ctx, reg, data, type, len);
11447 EXPORT_SYMBOL_GPL(nft_parse_register_store);
11449 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
11450 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
11451 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
11452 .len = NFT_CHAIN_MAXNAMELEN - 1 },
11453 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
11456 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
11457 struct nft_data_desc *desc, const struct nlattr *nla)
11459 u8 genmask = nft_genmask_next(ctx->net);
11460 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
11461 struct nft_chain *chain;
11464 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11465 nft_verdict_policy, NULL);
11469 if (!tb[NFTA_VERDICT_CODE])
11472 /* zero padding hole for memcmp */
11473 memset(data, 0, sizeof(*data));
11474 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11476 switch (data->verdict.code) {
11487 if (tb[NFTA_VERDICT_CHAIN]) {
11488 chain = nft_chain_lookup(ctx->net, ctx->table,
11489 tb[NFTA_VERDICT_CHAIN],
11491 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11492 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11493 tb[NFTA_VERDICT_CHAIN_ID],
11496 return PTR_ERR(chain);
11502 return PTR_ERR(chain);
11503 if (nft_is_base_chain(chain))
11504 return -EOPNOTSUPP;
11505 if (nft_chain_is_bound(chain))
11507 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11508 chain->flags & NFT_CHAIN_BINDING)
11510 if (!nft_use_inc(&chain->use))
11513 data->verdict.chain = chain;
11519 desc->len = sizeof(data->verdict);
11524 static void nft_verdict_uninit(const struct nft_data *data)
11526 struct nft_chain *chain;
11528 switch (data->verdict.code) {
11531 chain = data->verdict.chain;
11532 nft_use_dec(&chain->use);
11537 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11539 struct nlattr *nest;
11541 nest = nla_nest_start_noflag(skb, type);
11543 goto nla_put_failure;
11545 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11546 goto nla_put_failure;
11551 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11553 goto nla_put_failure;
11555 nla_nest_end(skb, nest);
11562 static int nft_value_init(const struct nft_ctx *ctx,
11563 struct nft_data *data, struct nft_data_desc *desc,
11564 const struct nlattr *nla)
11568 len = nla_len(nla);
11571 if (len > desc->size)
11574 if (len != desc->len)
11580 nla_memcpy(data->data, nla, len);
11585 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11588 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11591 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11592 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11593 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11597 * nft_data_init - parse nf_tables data netlink attributes
11599 * @ctx: context of the expression using the data
11600 * @data: destination struct nft_data
11601 * @desc: data description
11602 * @nla: netlink attribute containing data
11604 * Parse the netlink data attributes and initialize a struct nft_data.
11605 * The type and length of data are returned in the data description.
11607 * The caller can indicate that it only wants to accept data of type
11608 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11610 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11611 struct nft_data_desc *desc, const struct nlattr *nla)
11613 struct nlattr *tb[NFTA_DATA_MAX + 1];
11616 if (WARN_ON_ONCE(!desc->size))
11619 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11620 nft_data_policy, NULL);
11624 if (tb[NFTA_DATA_VALUE]) {
11625 if (desc->type != NFT_DATA_VALUE)
11628 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11629 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11630 if (desc->type != NFT_DATA_VERDICT)
11633 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11640 EXPORT_SYMBOL_GPL(nft_data_init);
11643 * nft_data_release - release a nft_data item
11645 * @data: struct nft_data to release
11646 * @type: type of data
11648 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11649 * all others need to be released by calling this function.
11651 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11653 if (type < NFT_DATA_VERDICT)
11656 case NFT_DATA_VERDICT:
11657 return nft_verdict_uninit(data);
11662 EXPORT_SYMBOL_GPL(nft_data_release);
11664 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11665 enum nft_data_types type, unsigned int len)
11667 struct nlattr *nest;
11670 nest = nla_nest_start_noflag(skb, attr);
11675 case NFT_DATA_VALUE:
11676 err = nft_value_dump(skb, data, len);
11678 case NFT_DATA_VERDICT:
11679 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11686 nla_nest_end(skb, nest);
11689 EXPORT_SYMBOL_GPL(nft_data_dump);
11691 static void __nft_release_basechain_now(struct nft_ctx *ctx)
11693 struct nft_rule *rule, *nr;
11695 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11696 list_del(&rule->list);
11697 nf_tables_rule_release(ctx, rule);
11699 nf_tables_chain_destroy(ctx->chain);
11702 int __nft_release_basechain(struct nft_ctx *ctx)
11704 struct nft_rule *rule;
11706 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain)))
11709 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11710 list_for_each_entry(rule, &ctx->chain->rules, list)
11711 nft_use_dec(&ctx->chain->use);
11713 nft_chain_del(ctx->chain);
11714 nft_use_dec(&ctx->table->use);
11716 if (!maybe_get_net(ctx->net)) {
11717 __nft_release_basechain_now(ctx);
11721 /* wait for ruleset dumps to complete. Owning chain is no longer in
11722 * lists, so new dumps can't find any of these rules anymore.
11726 __nft_release_basechain_now(ctx);
11730 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11732 static void __nft_release_hook(struct net *net, struct nft_table *table)
11734 struct nft_flowtable *flowtable;
11735 struct nft_chain *chain;
11737 list_for_each_entry(chain, &table->chains, list)
11738 __nf_tables_unregister_hook(net, table, chain, true);
11739 list_for_each_entry(flowtable, &table->flowtables, list)
11740 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
11744 static void __nft_release_hooks(struct net *net)
11746 struct nftables_pernet *nft_net = nft_pernet(net);
11747 struct nft_table *table;
11749 list_for_each_entry(table, &nft_net->tables, list) {
11750 if (nft_table_has_owner(table))
11753 __nft_release_hook(net, table);
11757 static void __nft_release_table(struct net *net, struct nft_table *table)
11759 struct nft_flowtable *flowtable, *nf;
11760 struct nft_chain *chain, *nc;
11761 struct nft_object *obj, *ne;
11762 struct nft_rule *rule, *nr;
11763 struct nft_set *set, *ns;
11764 struct nft_ctx ctx = {
11766 .family = NFPROTO_NETDEV,
11769 ctx.family = table->family;
11771 list_for_each_entry(chain, &table->chains, list) {
11772 if (nft_chain_binding(chain))
11776 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11777 list_del(&rule->list);
11778 nft_use_dec(&chain->use);
11779 nf_tables_rule_release(&ctx, rule);
11782 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11783 list_del(&flowtable->list);
11784 nft_use_dec(&table->use);
11785 nf_tables_flowtable_destroy(flowtable);
11787 list_for_each_entry_safe(set, ns, &table->sets, list) {
11788 list_del(&set->list);
11789 nft_use_dec(&table->use);
11790 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11791 nft_map_deactivate(&ctx, set);
11793 nft_set_destroy(&ctx, set);
11795 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11797 nft_use_dec(&table->use);
11798 nft_obj_destroy(&ctx, obj);
11800 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11801 nft_chain_del(chain);
11802 nft_use_dec(&table->use);
11803 nf_tables_chain_destroy(chain);
11805 nf_tables_table_destroy(table);
11808 static void __nft_release_tables(struct net *net)
11810 struct nftables_pernet *nft_net = nft_pernet(net);
11811 struct nft_table *table, *nt;
11813 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11814 if (nft_table_has_owner(table))
11817 list_del(&table->list);
11819 __nft_release_table(net, table);
11823 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11826 struct nft_table *table, *to_delete[8];
11827 struct nftables_pernet *nft_net;
11828 struct netlink_notify *n = ptr;
11829 struct net *net = n->net;
11830 unsigned int deleted;
11831 bool restart = false;
11832 unsigned int gc_seq;
11834 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11835 return NOTIFY_DONE;
11837 nft_net = nft_pernet(net);
11839 mutex_lock(&nft_net->commit_mutex);
11841 gc_seq = nft_gc_seq_begin(nft_net);
11843 nf_tables_trans_destroy_flush_work();
11845 list_for_each_entry(table, &nft_net->tables, list) {
11846 if (nft_table_has_owner(table) &&
11847 n->portid == table->nlpid) {
11848 if (table->flags & NFT_TABLE_F_PERSIST) {
11849 table->flags &= ~NFT_TABLE_F_OWNER;
11852 __nft_release_hook(net, table);
11853 list_del_rcu(&table->list);
11854 to_delete[deleted++] = table;
11855 if (deleted >= ARRAY_SIZE(to_delete))
11860 restart = deleted >= ARRAY_SIZE(to_delete);
11863 __nft_release_table(net, to_delete[--deleted]);
11868 nft_gc_seq_end(nft_net, gc_seq);
11870 mutex_unlock(&nft_net->commit_mutex);
11872 return NOTIFY_DONE;
11875 static struct notifier_block nft_nl_notifier = {
11876 .notifier_call = nft_rcv_nl_event,
11879 static int __net_init nf_tables_init_net(struct net *net)
11881 struct nftables_pernet *nft_net = nft_pernet(net);
11883 INIT_LIST_HEAD(&nft_net->tables);
11884 INIT_LIST_HEAD(&nft_net->commit_list);
11885 INIT_LIST_HEAD(&nft_net->commit_set_list);
11886 INIT_LIST_HEAD(&nft_net->binding_list);
11887 INIT_LIST_HEAD(&nft_net->module_list);
11888 INIT_LIST_HEAD(&nft_net->notify_list);
11889 mutex_init(&nft_net->commit_mutex);
11890 nft_net->base_seq = 1;
11891 nft_net->gc_seq = 0;
11892 nft_net->validate_state = NFT_VALIDATE_SKIP;
11897 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11899 struct nftables_pernet *nft_net = nft_pernet(net);
11901 mutex_lock(&nft_net->commit_mutex);
11902 __nft_release_hooks(net);
11903 mutex_unlock(&nft_net->commit_mutex);
11906 static void __net_exit nf_tables_exit_net(struct net *net)
11908 struct nftables_pernet *nft_net = nft_pernet(net);
11909 unsigned int gc_seq;
11911 mutex_lock(&nft_net->commit_mutex);
11913 gc_seq = nft_gc_seq_begin(nft_net);
11915 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11916 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
11918 if (!list_empty(&nft_net->module_list))
11919 nf_tables_module_autoload_cleanup(net);
11921 __nft_release_tables(net);
11923 nft_gc_seq_end(nft_net, gc_seq);
11925 mutex_unlock(&nft_net->commit_mutex);
11926 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11927 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11928 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11931 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11933 flush_work(&trans_gc_work);
11936 static struct pernet_operations nf_tables_net_ops = {
11937 .init = nf_tables_init_net,
11938 .pre_exit = nf_tables_pre_exit_net,
11939 .exit = nf_tables_exit_net,
11940 .exit_batch = nf_tables_exit_batch,
11941 .id = &nf_tables_net_id,
11942 .size = sizeof(struct nftables_pernet),
11945 static int __init nf_tables_module_init(void)
11949 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0);
11950 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0);
11951 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0);
11952 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0);
11953 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0);
11954 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0);
11955 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0);
11957 err = register_pernet_subsys(&nf_tables_net_ops);
11961 err = nft_chain_filter_init();
11963 goto err_chain_filter;
11965 err = nf_tables_core_module_init();
11967 goto err_core_module;
11969 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11971 goto err_netdev_notifier;
11973 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11975 goto err_rht_objname;
11977 err = nft_offload_init();
11981 err = netlink_register_notifier(&nft_nl_notifier);
11983 goto err_netlink_notifier;
11986 err = nfnetlink_subsys_register(&nf_tables_subsys);
11988 goto err_nfnl_subsys;
11990 nft_chain_route_init();
11995 netlink_unregister_notifier(&nft_nl_notifier);
11996 err_netlink_notifier:
11997 nft_offload_exit();
11999 rhltable_destroy(&nft_objname_ht);
12001 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
12002 err_netdev_notifier:
12003 nf_tables_core_module_exit();
12005 nft_chain_filter_fini();
12007 unregister_pernet_subsys(&nf_tables_net_ops);
12011 static void __exit nf_tables_module_exit(void)
12013 nfnetlink_subsys_unregister(&nf_tables_subsys);
12014 netlink_unregister_notifier(&nft_nl_notifier);
12015 nft_offload_exit();
12016 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
12017 nft_chain_filter_fini();
12018 nft_chain_route_fini();
12019 nf_tables_trans_destroy_flush_work();
12020 unregister_pernet_subsys(&nf_tables_net_ops);
12021 cancel_work_sync(&trans_gc_work);
12022 cancel_work_sync(&trans_destroy_work);
12024 rhltable_destroy(&nft_objname_ht);
12025 nf_tables_core_module_exit();
12028 module_init(nf_tables_module_init);
12029 module_exit(nf_tables_module_exit);
12031 MODULE_LICENSE("GPL");
12033 MODULE_DESCRIPTION("Framework for packet filtering and classification");
12034 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / J-linux.git / blob