1 // SPDX-License-Identifier: GPL-2.0-only
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 #define NFT_SET_MAX_ANONLEN 16
29 unsigned int nf_tables_net_id __read_mostly;
31 static LIST_HEAD(nf_tables_expressions);
32 static LIST_HEAD(nf_tables_objects);
33 static LIST_HEAD(nf_tables_flowtables);
34 static LIST_HEAD(nf_tables_destroy_list);
35 static LIST_HEAD(nf_tables_gc_list);
36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
40 NFT_VALIDATE_SKIP = 0,
45 static struct rhltable nft_objname_ht;
47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
55 static const struct rhashtable_params nft_chain_ht_params = {
56 .head_offset = offsetof(struct nft_chain, rhlhead),
57 .key_offset = offsetof(struct nft_chain, name),
58 .hashfn = nft_chain_hash,
59 .obj_hashfn = nft_chain_hash_obj,
60 .obj_cmpfn = nft_chain_hash_cmp,
61 .automatic_shrinking = true,
64 static const struct rhashtable_params nft_objname_ht_params = {
65 .head_offset = offsetof(struct nft_object, rhlhead),
66 .key_offset = offsetof(struct nft_object, key),
67 .hashfn = nft_objname_hash,
68 .obj_hashfn = nft_objname_hash_obj,
69 .obj_cmpfn = nft_objname_hash_cmp,
70 .automatic_shrinking = true,
73 struct nft_audit_data {
74 struct nft_table *table;
77 struct list_head list;
80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
111 switch (table->validate_state) {
112 case NFT_VALIDATE_SKIP:
113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
115 case NFT_VALIDATE_NEED:
117 case NFT_VALIDATE_DO:
118 if (new_validate_state == NFT_VALIDATE_NEED)
122 table->validate_state = new_validate_state;
124 static void nf_tables_trans_destroy_work(struct work_struct *w);
125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
127 static void nft_trans_gc_work(struct work_struct *work);
128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
130 static void nft_ctx_init(struct nft_ctx *ctx,
132 const struct sk_buff *skb,
133 const struct nlmsghdr *nlh,
135 struct nft_table *table,
136 struct nft_chain *chain,
137 const struct nlattr * const *nla)
140 ctx->family = family;
145 ctx->portid = NETLINK_CB(skb).portid;
146 ctx->report = nlmsg_report(nlh);
147 ctx->flags = nlh->nlmsg_flags;
148 ctx->seq = nlh->nlmsg_seq;
151 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
152 int msg_type, u32 size, gfp_t gfp)
154 struct nft_trans *trans;
156 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
160 INIT_LIST_HEAD(&trans->list);
161 INIT_LIST_HEAD(&trans->binding_list);
162 trans->msg_type = msg_type;
168 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
169 int msg_type, u32 size)
171 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
174 static void nft_trans_list_del(struct nft_trans *trans)
176 list_del(&trans->list);
177 list_del(&trans->binding_list);
180 static void nft_trans_destroy(struct nft_trans *trans)
182 nft_trans_list_del(trans);
186 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
189 struct nftables_pernet *nft_net;
190 struct net *net = ctx->net;
191 struct nft_trans *trans;
193 if (!nft_set_is_anonymous(set))
196 nft_net = nft_pernet(net);
197 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
198 switch (trans->msg_type) {
200 if (nft_trans_set(trans) == set)
201 nft_trans_set_bound(trans) = bind;
203 case NFT_MSG_NEWSETELEM:
204 if (nft_trans_elem_set(trans) == set)
205 nft_trans_elem_set_bound(trans) = bind;
211 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
213 return __nft_set_trans_bind(ctx, set, true);
216 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
218 return __nft_set_trans_bind(ctx, set, false);
221 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
222 struct nft_chain *chain, bool bind)
224 struct nftables_pernet *nft_net;
225 struct net *net = ctx->net;
226 struct nft_trans *trans;
228 if (!nft_chain_binding(chain))
231 nft_net = nft_pernet(net);
232 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
233 switch (trans->msg_type) {
234 case NFT_MSG_NEWCHAIN:
235 if (nft_trans_chain(trans) == chain)
236 nft_trans_chain_bound(trans) = bind;
238 case NFT_MSG_NEWRULE:
239 if (trans->ctx.chain == chain)
240 nft_trans_rule_bound(trans) = bind;
246 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
247 struct nft_chain *chain)
249 __nft_chain_trans_bind(ctx, chain, true);
252 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
254 if (!nft_chain_binding(chain))
257 if (nft_chain_binding(ctx->chain))
263 if (!nft_use_inc(&chain->use))
267 nft_chain_trans_bind(ctx, chain);
272 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
274 __nft_chain_trans_bind(ctx, chain, false);
277 static int nft_netdev_register_hooks(struct net *net,
278 struct list_head *hook_list)
280 struct nft_hook *hook;
284 list_for_each_entry(hook, hook_list, list) {
285 err = nf_register_net_hook(net, &hook->ops);
294 list_for_each_entry(hook, hook_list, list) {
298 nf_unregister_net_hook(net, &hook->ops);
303 static void nft_netdev_unregister_hooks(struct net *net,
304 struct list_head *hook_list,
307 struct nft_hook *hook, *next;
309 list_for_each_entry_safe(hook, next, hook_list, list) {
310 nf_unregister_net_hook(net, &hook->ops);
311 if (release_netdev) {
312 list_del(&hook->list);
313 kfree_rcu(hook, rcu);
318 static int nf_tables_register_hook(struct net *net,
319 const struct nft_table *table,
320 struct nft_chain *chain)
322 struct nft_base_chain *basechain;
323 const struct nf_hook_ops *ops;
325 if (table->flags & NFT_TABLE_F_DORMANT ||
326 !nft_is_base_chain(chain))
329 basechain = nft_base_chain(chain);
330 ops = &basechain->ops;
332 if (basechain->type->ops_register)
333 return basechain->type->ops_register(net, ops);
335 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
336 return nft_netdev_register_hooks(net, &basechain->hook_list);
338 return nf_register_net_hook(net, &basechain->ops);
341 static void __nf_tables_unregister_hook(struct net *net,
342 const struct nft_table *table,
343 struct nft_chain *chain,
346 struct nft_base_chain *basechain;
347 const struct nf_hook_ops *ops;
349 if (table->flags & NFT_TABLE_F_DORMANT ||
350 !nft_is_base_chain(chain))
352 basechain = nft_base_chain(chain);
353 ops = &basechain->ops;
355 if (basechain->type->ops_unregister)
356 return basechain->type->ops_unregister(net, ops);
358 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
359 nft_netdev_unregister_hooks(net, &basechain->hook_list,
362 nf_unregister_net_hook(net, &basechain->ops);
365 static void nf_tables_unregister_hook(struct net *net,
366 const struct nft_table *table,
367 struct nft_chain *chain)
369 return __nf_tables_unregister_hook(net, table, chain, false);
372 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
374 struct nftables_pernet *nft_net = nft_pernet(net);
376 switch (trans->msg_type) {
378 if (!nft_trans_set_update(trans) &&
379 nft_set_is_anonymous(nft_trans_set(trans)))
380 list_add_tail(&trans->binding_list, &nft_net->binding_list);
382 case NFT_MSG_NEWCHAIN:
383 if (!nft_trans_chain_update(trans) &&
384 nft_chain_binding(nft_trans_chain(trans)))
385 list_add_tail(&trans->binding_list, &nft_net->binding_list);
389 list_add_tail(&trans->list, &nft_net->commit_list);
392 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
394 struct nft_trans *trans;
396 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
400 if (msg_type == NFT_MSG_NEWTABLE)
401 nft_activate_next(ctx->net, ctx->table);
403 nft_trans_commit_list_add_tail(ctx->net, trans);
407 static int nft_deltable(struct nft_ctx *ctx)
411 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
415 nft_deactivate_next(ctx->net, ctx->table);
419 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
421 struct nft_trans *trans;
423 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
425 return ERR_PTR(-ENOMEM);
427 if (msg_type == NFT_MSG_NEWCHAIN) {
428 nft_activate_next(ctx->net, ctx->chain);
430 if (ctx->nla[NFTA_CHAIN_ID]) {
431 nft_trans_chain_id(trans) =
432 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
435 nft_trans_chain(trans) = ctx->chain;
436 nft_trans_commit_list_add_tail(ctx->net, trans);
441 static int nft_delchain(struct nft_ctx *ctx)
443 struct nft_trans *trans;
445 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
447 return PTR_ERR(trans);
449 nft_use_dec(&ctx->table->use);
450 nft_deactivate_next(ctx->net, ctx->chain);
455 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
457 struct nft_expr *expr;
459 expr = nft_expr_first(rule);
460 while (nft_expr_more(rule, expr)) {
461 if (expr->ops->activate)
462 expr->ops->activate(ctx, expr);
464 expr = nft_expr_next(expr);
468 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
469 enum nft_trans_phase phase)
471 struct nft_expr *expr;
473 expr = nft_expr_first(rule);
474 while (nft_expr_more(rule, expr)) {
475 if (expr->ops->deactivate)
476 expr->ops->deactivate(ctx, expr, phase);
478 expr = nft_expr_next(expr);
483 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
485 /* You cannot delete the same rule twice */
486 if (nft_is_active_next(ctx->net, rule)) {
487 nft_deactivate_next(ctx->net, rule);
488 nft_use_dec(&ctx->chain->use);
494 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
495 struct nft_rule *rule)
497 struct nft_trans *trans;
499 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
503 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
504 nft_trans_rule_id(trans) =
505 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
507 nft_trans_rule(trans) = rule;
508 nft_trans_commit_list_add_tail(ctx->net, trans);
513 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
515 struct nft_flow_rule *flow;
516 struct nft_trans *trans;
519 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
523 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
524 flow = nft_flow_rule_create(ctx->net, rule);
526 nft_trans_destroy(trans);
527 return PTR_ERR(flow);
530 nft_trans_flow_rule(trans) = flow;
533 err = nf_tables_delrule_deactivate(ctx, rule);
535 nft_trans_destroy(trans);
538 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
543 static int nft_delrule_by_chain(struct nft_ctx *ctx)
545 struct nft_rule *rule;
548 list_for_each_entry(rule, &ctx->chain->rules, list) {
549 if (!nft_is_active_next(ctx->net, rule))
552 err = nft_delrule(ctx, rule);
559 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
561 const struct nft_set_desc *desc)
563 struct nft_trans *trans;
565 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
569 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
570 nft_trans_set_id(trans) =
571 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
572 nft_activate_next(ctx->net, set);
574 nft_trans_set(trans) = set;
576 nft_trans_set_update(trans) = true;
577 nft_trans_set_gc_int(trans) = desc->gc_int;
578 nft_trans_set_timeout(trans) = desc->timeout;
579 nft_trans_set_size(trans) = desc->size;
581 nft_trans_commit_list_add_tail(ctx->net, trans);
586 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
589 return __nft_trans_set_add(ctx, msg_type, set, NULL);
592 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
594 const struct nft_set_iter *iter,
595 struct nft_elem_priv *elem_priv)
597 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
599 if (!nft_set_elem_active(ext, iter->genmask))
602 nft_set_elem_change_active(ctx->net, set, ext);
603 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
608 struct nft_set_elem_catchall {
609 struct list_head list;
611 struct nft_elem_priv *elem;
614 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
617 u8 genmask = nft_genmask_next(ctx->net);
618 struct nft_set_elem_catchall *catchall;
619 struct nft_set_ext *ext;
621 list_for_each_entry(catchall, &set->catchall_list, list) {
622 ext = nft_set_elem_ext(set, catchall->elem);
623 if (!nft_set_elem_active(ext, genmask))
626 nft_set_elem_change_active(ctx->net, set, ext);
627 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
632 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
634 struct nft_set_iter iter = {
635 .genmask = nft_genmask_next(ctx->net),
636 .type = NFT_ITER_UPDATE,
637 .fn = nft_mapelem_deactivate,
640 set->ops->walk(ctx, set, &iter);
641 WARN_ON_ONCE(iter.err);
643 nft_map_catchall_deactivate(ctx, set);
646 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
650 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
654 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
655 nft_map_deactivate(ctx, set);
657 nft_deactivate_next(ctx->net, set);
658 nft_use_dec(&ctx->table->use);
663 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
664 struct nft_object *obj)
666 struct nft_trans *trans;
668 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
672 if (msg_type == NFT_MSG_NEWOBJ)
673 nft_activate_next(ctx->net, obj);
675 nft_trans_obj(trans) = obj;
676 nft_trans_commit_list_add_tail(ctx->net, trans);
681 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
685 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
689 nft_deactivate_next(ctx->net, obj);
690 nft_use_dec(&ctx->table->use);
695 static struct nft_trans *
696 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
697 struct nft_flowtable *flowtable)
699 struct nft_trans *trans;
701 trans = nft_trans_alloc(ctx, msg_type,
702 sizeof(struct nft_trans_flowtable));
704 return ERR_PTR(-ENOMEM);
706 if (msg_type == NFT_MSG_NEWFLOWTABLE)
707 nft_activate_next(ctx->net, flowtable);
709 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
710 nft_trans_flowtable(trans) = flowtable;
711 nft_trans_commit_list_add_tail(ctx->net, trans);
716 static int nft_delflowtable(struct nft_ctx *ctx,
717 struct nft_flowtable *flowtable)
719 struct nft_trans *trans;
721 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
723 return PTR_ERR(trans);
725 nft_deactivate_next(ctx->net, flowtable);
726 nft_use_dec(&ctx->table->use);
731 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
735 for (i = track->regs[dreg].num_reg; i > 0; i--)
736 __nft_reg_track_cancel(track, dreg - i);
739 static void __nft_reg_track_update(struct nft_regs_track *track,
740 const struct nft_expr *expr,
743 track->regs[dreg].selector = expr;
744 track->regs[dreg].bitwise = NULL;
745 track->regs[dreg].num_reg = num_reg;
748 void nft_reg_track_update(struct nft_regs_track *track,
749 const struct nft_expr *expr, u8 dreg, u8 len)
751 unsigned int regcount;
754 __nft_reg_track_clobber(track, dreg);
756 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
757 for (i = 0; i < regcount; i++, dreg++)
758 __nft_reg_track_update(track, expr, dreg, i);
760 EXPORT_SYMBOL_GPL(nft_reg_track_update);
762 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
764 unsigned int regcount;
767 __nft_reg_track_clobber(track, dreg);
769 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
770 for (i = 0; i < regcount; i++, dreg++)
771 __nft_reg_track_cancel(track, dreg);
773 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
775 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
777 track->regs[dreg].selector = NULL;
778 track->regs[dreg].bitwise = NULL;
779 track->regs[dreg].num_reg = 0;
781 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
787 static struct nft_table *nft_table_lookup(const struct net *net,
788 const struct nlattr *nla,
789 u8 family, u8 genmask, u32 nlpid)
791 struct nftables_pernet *nft_net;
792 struct nft_table *table;
795 return ERR_PTR(-EINVAL);
797 nft_net = nft_pernet(net);
798 list_for_each_entry_rcu(table, &nft_net->tables, list,
799 lockdep_is_held(&nft_net->commit_mutex)) {
800 if (!nla_strcmp(nla, table->name) &&
801 table->family == family &&
802 nft_active_genmask(table, genmask)) {
803 if (nft_table_has_owner(table) &&
804 nlpid && table->nlpid != nlpid)
805 return ERR_PTR(-EPERM);
811 return ERR_PTR(-ENOENT);
814 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
815 const struct nlattr *nla,
816 int family, u8 genmask, u32 nlpid)
818 struct nftables_pernet *nft_net;
819 struct nft_table *table;
821 nft_net = nft_pernet(net);
822 list_for_each_entry(table, &nft_net->tables, list) {
823 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
824 table->family == family &&
825 nft_active_genmask(table, genmask)) {
826 if (nft_table_has_owner(table) &&
827 nlpid && table->nlpid != nlpid)
828 return ERR_PTR(-EPERM);
834 return ERR_PTR(-ENOENT);
837 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
839 return ++table->hgenerator;
842 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
844 static const struct nft_chain_type *
845 __nft_chain_type_get(u8 family, enum nft_chain_types type)
847 if (family >= NFPROTO_NUMPROTO ||
848 type >= NFT_CHAIN_T_MAX)
851 return chain_type[family][type];
854 static const struct nft_chain_type *
855 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
857 const struct nft_chain_type *type;
860 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
861 type = __nft_chain_type_get(family, i);
864 if (!nla_strcmp(nla, type->name))
870 struct nft_module_request {
871 struct list_head list;
872 char module[MODULE_NAME_LEN];
876 #ifdef CONFIG_MODULES
877 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
880 char module_name[MODULE_NAME_LEN];
881 struct nftables_pernet *nft_net;
882 struct nft_module_request *req;
887 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
889 if (ret >= MODULE_NAME_LEN)
892 nft_net = nft_pernet(net);
893 list_for_each_entry(req, &nft_net->module_list, list) {
894 if (!strcmp(req->module, module_name)) {
898 /* A request to load this module already exists. */
903 req = kmalloc(sizeof(*req), GFP_KERNEL);
908 strscpy(req->module, module_name, MODULE_NAME_LEN);
909 list_add_tail(&req->list, &nft_net->module_list);
913 EXPORT_SYMBOL_GPL(nft_request_module);
916 static void lockdep_nfnl_nft_mutex_not_held(void)
918 #ifdef CONFIG_PROVE_LOCKING
920 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
924 static const struct nft_chain_type *
925 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
926 u8 family, bool autoload)
928 const struct nft_chain_type *type;
930 type = __nf_tables_chain_type_lookup(nla, family);
934 lockdep_nfnl_nft_mutex_not_held();
935 #ifdef CONFIG_MODULES
937 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
939 (const char *)nla_data(nla)) == -EAGAIN)
940 return ERR_PTR(-EAGAIN);
943 return ERR_PTR(-ENOENT);
946 static __be16 nft_base_seq(const struct net *net)
948 struct nftables_pernet *nft_net = nft_pernet(net);
950 return htons(nft_net->base_seq & 0xffff);
953 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
954 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
955 .len = NFT_TABLE_MAXNAMELEN - 1 },
956 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
957 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
958 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
959 .len = NFT_USERDATA_MAXLEN }
962 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
963 u32 portid, u32 seq, int event, u32 flags,
964 int family, const struct nft_table *table)
966 struct nlmsghdr *nlh;
968 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
969 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
970 NFNETLINK_V0, nft_base_seq(net));
972 goto nla_put_failure;
974 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
975 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
976 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
978 goto nla_put_failure;
980 if (event == NFT_MSG_DELTABLE) {
985 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
986 htonl(table->flags & NFT_TABLE_F_MASK)))
987 goto nla_put_failure;
989 if (nft_table_has_owner(table) &&
990 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
991 goto nla_put_failure;
994 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
995 goto nla_put_failure;
1002 nlmsg_trim(skb, nlh);
1006 struct nftnl_skb_parms {
1009 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1011 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1012 struct list_head *notify_list)
1014 NFT_CB(skb).report = report;
1015 list_add_tail(&skb->list, notify_list);
1018 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1020 struct nftables_pernet *nft_net;
1021 struct sk_buff *skb;
1026 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1029 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1033 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1034 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1036 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1037 event, flags, ctx->family, ctx->table);
1043 nft_net = nft_pernet(ctx->net);
1044 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1047 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1050 static int nf_tables_dump_tables(struct sk_buff *skb,
1051 struct netlink_callback *cb)
1053 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1054 struct nftables_pernet *nft_net;
1055 const struct nft_table *table;
1056 unsigned int idx = 0, s_idx = cb->args[0];
1057 struct net *net = sock_net(skb->sk);
1058 int family = nfmsg->nfgen_family;
1061 nft_net = nft_pernet(net);
1062 cb->seq = READ_ONCE(nft_net->base_seq);
1064 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1065 if (family != NFPROTO_UNSPEC && family != table->family)
1071 memset(&cb->args[1], 0,
1072 sizeof(cb->args) - sizeof(cb->args[0]));
1073 if (!nft_is_active(net, table))
1075 if (nf_tables_fill_table_info(skb, net,
1076 NETLINK_CB(cb->skb).portid,
1078 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1079 table->family, table) < 0)
1082 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1092 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1093 const struct nlmsghdr *nlh,
1094 struct netlink_dump_control *c)
1098 if (!try_module_get(THIS_MODULE))
1102 err = netlink_dump_start(nlsk, skb, nlh, c);
1104 module_put(THIS_MODULE);
1109 /* called with rcu_read_lock held */
1110 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1111 const struct nlattr * const nla[])
1113 struct netlink_ext_ack *extack = info->extack;
1114 u8 genmask = nft_genmask_cur(info->net);
1115 u8 family = info->nfmsg->nfgen_family;
1116 const struct nft_table *table;
1117 struct net *net = info->net;
1118 struct sk_buff *skb2;
1121 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1122 struct netlink_dump_control c = {
1123 .dump = nf_tables_dump_tables,
1124 .module = THIS_MODULE,
1127 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1130 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1131 if (IS_ERR(table)) {
1132 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1133 return PTR_ERR(table);
1136 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1140 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1141 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1144 goto err_fill_table_info;
1146 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1148 err_fill_table_info:
1153 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1155 struct nft_chain *chain;
1158 list_for_each_entry(chain, &table->chains, list) {
1159 if (!nft_is_active_next(net, chain))
1161 if (!nft_is_base_chain(chain))
1164 if (cnt && i++ == cnt)
1167 nf_tables_unregister_hook(net, table, chain);
1171 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1173 struct nft_chain *chain;
1176 list_for_each_entry(chain, &table->chains, list) {
1177 if (!nft_is_active_next(net, chain))
1179 if (!nft_is_base_chain(chain))
1182 err = nf_tables_register_hook(net, table, chain);
1184 goto err_register_hooks;
1192 nft_table_disable(net, table, i);
1196 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1198 table->flags &= ~NFT_TABLE_F_DORMANT;
1199 nft_table_disable(net, table, 0);
1200 table->flags |= NFT_TABLE_F_DORMANT;
1203 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1204 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1205 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1206 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
1207 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1208 __NFT_TABLE_F_WAS_AWAKEN | \
1209 __NFT_TABLE_F_WAS_ORPHAN)
1211 static bool nft_table_pending_update(const struct nft_ctx *ctx)
1213 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1214 struct nft_trans *trans;
1216 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1219 list_for_each_entry(trans, &nft_net->commit_list, list) {
1220 if (trans->ctx.table == ctx->table &&
1221 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1222 nft_trans_chain_update(trans)) ||
1223 (trans->msg_type == NFT_MSG_DELCHAIN &&
1224 nft_is_base_chain(trans->ctx.chain))))
1231 static int nf_tables_updtable(struct nft_ctx *ctx)
1233 struct nft_trans *trans;
1237 if (!ctx->nla[NFTA_TABLE_FLAGS])
1240 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1241 if (flags & ~NFT_TABLE_F_MASK)
1244 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1247 if ((nft_table_has_owner(ctx->table) &&
1248 !(flags & NFT_TABLE_F_OWNER)) ||
1249 (flags & NFT_TABLE_F_OWNER &&
1250 !nft_table_is_orphan(ctx->table)))
1253 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
1256 /* No dormant off/on/off/on games in single transaction */
1257 if (nft_table_pending_update(ctx))
1260 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1261 sizeof(struct nft_trans_table));
1265 if ((flags & NFT_TABLE_F_DORMANT) &&
1266 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1267 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1268 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1269 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1270 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1271 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1272 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1273 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1274 ret = nf_tables_table_enable(ctx->net, ctx->table);
1276 goto err_register_hooks;
1278 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1282 if ((flags & NFT_TABLE_F_OWNER) &&
1283 !nft_table_has_owner(ctx->table)) {
1284 ctx->table->nlpid = ctx->portid;
1285 ctx->table->flags |= NFT_TABLE_F_OWNER |
1286 __NFT_TABLE_F_WAS_ORPHAN;
1289 nft_trans_table_update(trans) = true;
1290 nft_trans_commit_list_add_tail(ctx->net, trans);
1295 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1296 nft_trans_destroy(trans);
1300 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1302 const char *name = data;
1304 return jhash(name, strlen(name), seed);
1307 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1309 const struct nft_chain *chain = data;
1311 return nft_chain_hash(chain->name, 0, seed);
1314 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1317 const struct nft_chain *chain = ptr;
1318 const char *name = arg->key;
1320 return strcmp(chain->name, name);
1323 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1325 const struct nft_object_hash_key *k = data;
1327 seed ^= hash_ptr(k->table, 32);
1329 return jhash(k->name, strlen(k->name), seed);
1332 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1334 const struct nft_object *obj = data;
1336 return nft_objname_hash(&obj->key, 0, seed);
1339 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1342 const struct nft_object_hash_key *k = arg->key;
1343 const struct nft_object *obj = ptr;
1345 if (obj->key.table != k->table)
1348 return strcmp(obj->key.name, k->name);
1351 static bool nft_supported_family(u8 family)
1354 #ifdef CONFIG_NF_TABLES_INET
1355 || family == NFPROTO_INET
1357 #ifdef CONFIG_NF_TABLES_IPV4
1358 || family == NFPROTO_IPV4
1360 #ifdef CONFIG_NF_TABLES_ARP
1361 || family == NFPROTO_ARP
1363 #ifdef CONFIG_NF_TABLES_NETDEV
1364 || family == NFPROTO_NETDEV
1366 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1367 || family == NFPROTO_BRIDGE
1369 #ifdef CONFIG_NF_TABLES_IPV6
1370 || family == NFPROTO_IPV6
1375 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1376 const struct nlattr * const nla[])
1378 struct nftables_pernet *nft_net = nft_pernet(info->net);
1379 struct netlink_ext_ack *extack = info->extack;
1380 u8 genmask = nft_genmask_next(info->net);
1381 u8 family = info->nfmsg->nfgen_family;
1382 struct net *net = info->net;
1383 const struct nlattr *attr;
1384 struct nft_table *table;
1389 if (!nft_supported_family(family))
1392 lockdep_assert_held(&nft_net->commit_mutex);
1393 attr = nla[NFTA_TABLE_NAME];
1394 table = nft_table_lookup(net, attr, family, genmask,
1395 NETLINK_CB(skb).portid);
1396 if (IS_ERR(table)) {
1397 if (PTR_ERR(table) != -ENOENT)
1398 return PTR_ERR(table);
1400 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1401 NL_SET_BAD_ATTR(extack, attr);
1404 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1407 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1409 return nf_tables_updtable(&ctx);
1412 if (nla[NFTA_TABLE_FLAGS]) {
1413 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1414 if (flags & ~NFT_TABLE_F_MASK)
1419 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1423 table->validate_state = nft_net->validate_state;
1424 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1425 if (table->name == NULL)
1428 if (nla[NFTA_TABLE_USERDATA]) {
1429 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1430 if (table->udata == NULL)
1431 goto err_table_udata;
1433 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1436 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1440 INIT_LIST_HEAD(&table->chains);
1441 INIT_LIST_HEAD(&table->sets);
1442 INIT_LIST_HEAD(&table->objects);
1443 INIT_LIST_HEAD(&table->flowtables);
1444 table->family = family;
1445 table->flags = flags;
1446 table->handle = ++nft_net->table_handle;
1447 if (table->flags & NFT_TABLE_F_OWNER)
1448 table->nlpid = NETLINK_CB(skb).portid;
1450 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1451 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1455 list_add_tail_rcu(&table->list, &nft_net->tables);
1458 rhltable_destroy(&table->chains_ht);
1460 kfree(table->udata);
1469 static int nft_flush_table(struct nft_ctx *ctx)
1471 struct nft_flowtable *flowtable, *nft;
1472 struct nft_chain *chain, *nc;
1473 struct nft_object *obj, *ne;
1474 struct nft_set *set, *ns;
1477 list_for_each_entry(chain, &ctx->table->chains, list) {
1478 if (!nft_is_active_next(ctx->net, chain))
1481 if (nft_chain_binding(chain))
1486 err = nft_delrule_by_chain(ctx);
1491 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1492 if (!nft_is_active_next(ctx->net, set))
1495 if (nft_set_is_anonymous(set))
1498 err = nft_delset(ctx, set);
1503 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1504 if (!nft_is_active_next(ctx->net, flowtable))
1507 err = nft_delflowtable(ctx, flowtable);
1512 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1513 if (!nft_is_active_next(ctx->net, obj))
1516 err = nft_delobj(ctx, obj);
1521 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1522 if (!nft_is_active_next(ctx->net, chain))
1525 if (nft_chain_binding(chain))
1530 err = nft_delchain(ctx);
1535 err = nft_deltable(ctx);
1540 static int nft_flush(struct nft_ctx *ctx, int family)
1542 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1543 const struct nlattr * const *nla = ctx->nla;
1544 struct nft_table *table, *nt;
1547 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1548 if (family != AF_UNSPEC && table->family != family)
1551 ctx->family = table->family;
1553 if (!nft_is_active_next(ctx->net, table))
1556 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1559 if (nla[NFTA_TABLE_NAME] &&
1560 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1565 err = nft_flush_table(ctx);
1573 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1574 const struct nlattr * const nla[])
1576 struct netlink_ext_ack *extack = info->extack;
1577 u8 genmask = nft_genmask_next(info->net);
1578 u8 family = info->nfmsg->nfgen_family;
1579 struct net *net = info->net;
1580 const struct nlattr *attr;
1581 struct nft_table *table;
1584 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1585 if (family == AF_UNSPEC ||
1586 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1587 return nft_flush(&ctx, family);
1589 if (nla[NFTA_TABLE_HANDLE]) {
1590 attr = nla[NFTA_TABLE_HANDLE];
1591 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1592 NETLINK_CB(skb).portid);
1594 attr = nla[NFTA_TABLE_NAME];
1595 table = nft_table_lookup(net, attr, family, genmask,
1596 NETLINK_CB(skb).portid);
1599 if (IS_ERR(table)) {
1600 if (PTR_ERR(table) == -ENOENT &&
1601 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1604 NL_SET_BAD_ATTR(extack, attr);
1605 return PTR_ERR(table);
1608 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1612 ctx.family = family;
1615 return nft_flush_table(&ctx);
1618 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1620 if (WARN_ON(ctx->table->use > 0))
1623 rhltable_destroy(&ctx->table->chains_ht);
1624 kfree(ctx->table->name);
1625 kfree(ctx->table->udata);
1629 void nft_register_chain_type(const struct nft_chain_type *ctype)
1631 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1632 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1633 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1636 chain_type[ctype->family][ctype->type] = ctype;
1637 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1639 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1641 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1643 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1644 chain_type[ctype->family][ctype->type] = NULL;
1645 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1647 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1653 static struct nft_chain *
1654 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1656 struct nft_chain *chain;
1658 list_for_each_entry(chain, &table->chains, list) {
1659 if (chain->handle == handle &&
1660 nft_active_genmask(chain, genmask))
1664 return ERR_PTR(-ENOENT);
1667 static bool lockdep_commit_lock_is_held(const struct net *net)
1669 #ifdef CONFIG_PROVE_LOCKING
1670 struct nftables_pernet *nft_net = nft_pernet(net);
1672 return lockdep_is_held(&nft_net->commit_mutex);
1678 static struct nft_chain *nft_chain_lookup(struct net *net,
1679 struct nft_table *table,
1680 const struct nlattr *nla, u8 genmask)
1682 char search[NFT_CHAIN_MAXNAMELEN + 1];
1683 struct rhlist_head *tmp, *list;
1684 struct nft_chain *chain;
1687 return ERR_PTR(-EINVAL);
1689 nla_strscpy(search, nla, sizeof(search));
1691 WARN_ON(!rcu_read_lock_held() &&
1692 !lockdep_commit_lock_is_held(net));
1694 chain = ERR_PTR(-ENOENT);
1696 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1700 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1701 if (nft_active_genmask(chain, genmask))
1704 chain = ERR_PTR(-ENOENT);
1710 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1711 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1712 .len = NFT_TABLE_MAXNAMELEN - 1 },
1713 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1714 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1715 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1716 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1717 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1718 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1719 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1720 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1721 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1722 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1723 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1724 .len = NFT_USERDATA_MAXLEN },
1727 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1728 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1729 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1730 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1731 .len = IFNAMSIZ - 1 },
1734 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1736 struct nft_stats *cpu_stats, total;
1737 struct nlattr *nest;
1745 memset(&total, 0, sizeof(total));
1746 for_each_possible_cpu(cpu) {
1747 cpu_stats = per_cpu_ptr(stats, cpu);
1749 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1750 pkts = cpu_stats->pkts;
1751 bytes = cpu_stats->bytes;
1752 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1754 total.bytes += bytes;
1756 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1758 goto nla_put_failure;
1760 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1761 NFTA_COUNTER_PAD) ||
1762 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1764 goto nla_put_failure;
1766 nla_nest_end(skb, nest);
1773 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1774 const struct nft_base_chain *basechain,
1775 const struct list_head *hook_list)
1777 const struct nf_hook_ops *ops = &basechain->ops;
1778 struct nft_hook *hook, *first = NULL;
1779 struct nlattr *nest, *nest_devs;
1782 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1784 goto nla_put_failure;
1785 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1786 goto nla_put_failure;
1787 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1788 goto nla_put_failure;
1790 if (nft_base_chain_netdev(family, ops->hooknum)) {
1791 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1793 goto nla_put_failure;
1796 hook_list = &basechain->hook_list;
1798 list_for_each_entry(hook, hook_list, list) {
1802 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1803 hook->ops.dev->name))
1804 goto nla_put_failure;
1807 nla_nest_end(skb, nest_devs);
1810 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1811 goto nla_put_failure;
1813 nla_nest_end(skb, nest);
1820 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1821 u32 portid, u32 seq, int event, u32 flags,
1822 int family, const struct nft_table *table,
1823 const struct nft_chain *chain,
1824 const struct list_head *hook_list)
1826 struct nlmsghdr *nlh;
1828 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1829 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1830 NFNETLINK_V0, nft_base_seq(net));
1832 goto nla_put_failure;
1834 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1835 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1836 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1838 goto nla_put_failure;
1840 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1841 nlmsg_end(skb, nlh);
1845 if (nft_is_base_chain(chain)) {
1846 const struct nft_base_chain *basechain = nft_base_chain(chain);
1847 struct nft_stats __percpu *stats;
1849 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1850 goto nla_put_failure;
1852 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1853 htonl(basechain->policy)))
1854 goto nla_put_failure;
1856 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1857 goto nla_put_failure;
1859 stats = rcu_dereference_check(basechain->stats,
1860 lockdep_commit_lock_is_held(net));
1861 if (nft_dump_stats(skb, stats))
1862 goto nla_put_failure;
1866 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1867 goto nla_put_failure;
1869 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1870 goto nla_put_failure;
1873 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1874 goto nla_put_failure;
1876 nlmsg_end(skb, nlh);
1880 nlmsg_trim(skb, nlh);
1884 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1885 const struct list_head *hook_list)
1887 struct nftables_pernet *nft_net;
1888 struct sk_buff *skb;
1893 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1896 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1900 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1901 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1903 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1904 event, flags, ctx->family, ctx->table,
1905 ctx->chain, hook_list);
1911 nft_net = nft_pernet(ctx->net);
1912 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1915 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1918 static int nf_tables_dump_chains(struct sk_buff *skb,
1919 struct netlink_callback *cb)
1921 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1922 unsigned int idx = 0, s_idx = cb->args[0];
1923 struct net *net = sock_net(skb->sk);
1924 int family = nfmsg->nfgen_family;
1925 struct nftables_pernet *nft_net;
1926 const struct nft_table *table;
1927 const struct nft_chain *chain;
1930 nft_net = nft_pernet(net);
1931 cb->seq = READ_ONCE(nft_net->base_seq);
1933 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1934 if (family != NFPROTO_UNSPEC && family != table->family)
1937 list_for_each_entry_rcu(chain, &table->chains, list) {
1941 memset(&cb->args[1], 0,
1942 sizeof(cb->args) - sizeof(cb->args[0]));
1943 if (!nft_is_active(net, chain))
1945 if (nf_tables_fill_chain_info(skb, net,
1946 NETLINK_CB(cb->skb).portid,
1950 table->family, table,
1954 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1965 /* called with rcu_read_lock held */
1966 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1967 const struct nlattr * const nla[])
1969 struct netlink_ext_ack *extack = info->extack;
1970 u8 genmask = nft_genmask_cur(info->net);
1971 u8 family = info->nfmsg->nfgen_family;
1972 const struct nft_chain *chain;
1973 struct net *net = info->net;
1974 struct nft_table *table;
1975 struct sk_buff *skb2;
1978 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1979 struct netlink_dump_control c = {
1980 .dump = nf_tables_dump_chains,
1981 .module = THIS_MODULE,
1984 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1987 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1988 if (IS_ERR(table)) {
1989 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1990 return PTR_ERR(table);
1993 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1994 if (IS_ERR(chain)) {
1995 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1996 return PTR_ERR(chain);
1999 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2003 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
2004 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
2005 0, family, table, chain, NULL);
2007 goto err_fill_chain_info;
2009 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2011 err_fill_chain_info:
2016 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2017 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2018 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2021 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2023 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2024 struct nft_stats __percpu *newstats;
2025 struct nft_stats *stats;
2028 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
2029 nft_counter_policy, NULL);
2031 return ERR_PTR(err);
2033 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2034 return ERR_PTR(-EINVAL);
2036 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2037 if (newstats == NULL)
2038 return ERR_PTR(-ENOMEM);
2040 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2041 * are not exposed to userspace.
2044 stats = this_cpu_ptr(newstats);
2045 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2046 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2052 static void nft_chain_stats_replace(struct nft_trans *trans)
2054 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
2056 if (!nft_trans_chain_stats(trans))
2059 nft_trans_chain_stats(trans) =
2060 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
2061 lockdep_commit_lock_is_held(trans->ctx.net));
2063 if (!nft_trans_chain_stats(trans))
2064 static_branch_inc(&nft_counters_enabled);
2067 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2069 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2070 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2076 /* should be NULL either via abort or via successful commit */
2077 WARN_ON_ONCE(chain->blob_next);
2078 kvfree(chain->blob_next);
2081 void nf_tables_chain_destroy(struct nft_ctx *ctx)
2083 struct nft_chain *chain = ctx->chain;
2084 struct nft_hook *hook, *next;
2086 if (WARN_ON(chain->use > 0))
2089 /* no concurrent access possible anymore */
2090 nf_tables_chain_free_chain_rules(chain);
2092 if (nft_is_base_chain(chain)) {
2093 struct nft_base_chain *basechain = nft_base_chain(chain);
2095 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2096 list_for_each_entry_safe(hook, next,
2097 &basechain->hook_list, list) {
2098 list_del_rcu(&hook->list);
2099 kfree_rcu(hook, rcu);
2102 module_put(basechain->type->owner);
2103 if (rcu_access_pointer(basechain->stats)) {
2104 static_branch_dec(&nft_counters_enabled);
2105 free_percpu(rcu_dereference_raw(basechain->stats));
2108 kfree(chain->udata);
2112 kfree(chain->udata);
2117 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2118 const struct nlattr *attr)
2120 struct net_device *dev;
2121 char ifname[IFNAMSIZ];
2122 struct nft_hook *hook;
2125 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2128 goto err_hook_alloc;
2131 nla_strscpy(ifname, attr, IFNAMSIZ);
2132 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2133 * indirectly serializing all the other holders of the commit_mutex with
2136 dev = __dev_get_by_name(net, ifname);
2141 hook->ops.dev = dev;
2148 return ERR_PTR(err);
2151 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2152 const struct nft_hook *this)
2154 struct nft_hook *hook;
2156 list_for_each_entry(hook, hook_list, list) {
2157 if (this->ops.dev == hook->ops.dev)
2164 static int nf_tables_parse_netdev_hooks(struct net *net,
2165 const struct nlattr *attr,
2166 struct list_head *hook_list,
2167 struct netlink_ext_ack *extack)
2169 struct nft_hook *hook, *next;
2170 const struct nlattr *tmp;
2171 int rem, n = 0, err;
2173 nla_for_each_nested(tmp, attr, rem) {
2174 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2179 hook = nft_netdev_hook_alloc(net, tmp);
2181 NL_SET_BAD_ATTR(extack, tmp);
2182 err = PTR_ERR(hook);
2185 if (nft_hook_list_find(hook_list, hook)) {
2186 NL_SET_BAD_ATTR(extack, tmp);
2191 list_add_tail(&hook->list, hook_list);
2194 if (n == NFT_NETDEVICE_MAX) {
2203 list_for_each_entry_safe(hook, next, hook_list, list) {
2204 list_del(&hook->list);
2210 struct nft_chain_hook {
2213 const struct nft_chain_type *type;
2214 struct list_head list;
2217 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2218 struct list_head *hook_list,
2219 struct netlink_ext_ack *extack, u32 flags)
2221 struct nft_hook *hook;
2224 if (tb[NFTA_HOOK_DEV]) {
2225 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2227 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2228 return PTR_ERR(hook);
2231 list_add_tail(&hook->list, hook_list);
2232 } else if (tb[NFTA_HOOK_DEVS]) {
2233 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2240 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2241 list_empty(hook_list))
2247 static int nft_chain_parse_hook(struct net *net,
2248 struct nft_base_chain *basechain,
2249 const struct nlattr * const nla[],
2250 struct nft_chain_hook *hook, u8 family,
2251 u32 flags, struct netlink_ext_ack *extack)
2253 struct nftables_pernet *nft_net = nft_pernet(net);
2254 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2255 const struct nft_chain_type *type;
2258 lockdep_assert_held(&nft_net->commit_mutex);
2259 lockdep_nfnl_nft_mutex_not_held();
2261 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2262 nla[NFTA_CHAIN_HOOK],
2263 nft_hook_policy, NULL);
2268 if (!ha[NFTA_HOOK_HOOKNUM] ||
2269 !ha[NFTA_HOOK_PRIORITY]) {
2270 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2274 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2275 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2277 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2281 if (nla[NFTA_CHAIN_TYPE]) {
2282 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2285 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2286 return PTR_ERR(type);
2289 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2292 if (type->type == NFT_CHAIN_T_NAT &&
2293 hook->priority <= NF_IP_PRI_CONNTRACK)
2296 if (ha[NFTA_HOOK_HOOKNUM]) {
2297 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2298 if (hook->num != basechain->ops.hooknum)
2301 if (ha[NFTA_HOOK_PRIORITY]) {
2302 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2303 if (hook->priority != basechain->ops.priority)
2307 if (nla[NFTA_CHAIN_TYPE]) {
2308 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2311 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2315 type = basechain->type;
2319 if (!try_module_get(type->owner)) {
2320 if (nla[NFTA_CHAIN_TYPE])
2321 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2327 INIT_LIST_HEAD(&hook->list);
2328 if (nft_base_chain_netdev(family, hook->num)) {
2329 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2331 module_put(type->owner);
2334 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2335 module_put(type->owner);
2342 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2344 struct nft_hook *h, *next;
2346 list_for_each_entry_safe(h, next, &hook->list, list) {
2350 module_put(hook->type->owner);
2353 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2355 struct nft_rule_dp_last *lrule;
2357 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2359 lrule = (struct nft_rule_dp_last *)ptr;
2360 lrule->end.is_last = 1;
2361 lrule->chain = chain;
2362 /* blob size does not include the trailer rule */
2365 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2368 struct nft_rule_blob *blob;
2373 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2375 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2380 nft_last_rule(chain, blob->data);
2385 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2386 const struct nft_chain_hook *hook,
2387 struct nft_chain *chain)
2390 ops->hooknum = hook->num;
2391 ops->priority = hook->priority;
2393 ops->hook = hook->type->hooks[ops->hooknum];
2394 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2397 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2398 struct nft_chain_hook *hook, u32 flags)
2400 struct nft_chain *chain;
2403 basechain->type = hook->type;
2404 INIT_LIST_HEAD(&basechain->hook_list);
2405 chain = &basechain->chain;
2407 if (nft_base_chain_netdev(family, hook->num)) {
2408 list_splice_init(&hook->list, &basechain->hook_list);
2409 list_for_each_entry(h, &basechain->hook_list, list)
2410 nft_basechain_hook_init(&h->ops, family, hook, chain);
2412 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2414 chain->flags |= NFT_CHAIN_BASE | flags;
2415 basechain->policy = NF_ACCEPT;
2416 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2417 !nft_chain_offload_support(basechain)) {
2418 list_splice_init(&basechain->hook_list, &hook->list);
2422 flow_block_init(&basechain->flow_block);
2427 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2431 err = rhltable_insert_key(&table->chains_ht, chain->name,
2432 &chain->rhlhead, nft_chain_ht_params);
2436 list_add_tail_rcu(&chain->list, &table->chains);
2441 static u64 chain_id;
2443 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2444 u8 policy, u32 flags,
2445 struct netlink_ext_ack *extack)
2447 const struct nlattr * const *nla = ctx->nla;
2448 struct nft_table *table = ctx->table;
2449 struct nft_base_chain *basechain;
2450 struct net *net = ctx->net;
2451 char name[NFT_NAME_MAXLEN];
2452 struct nft_rule_blob *blob;
2453 struct nft_trans *trans;
2454 struct nft_chain *chain;
2457 if (nla[NFTA_CHAIN_HOOK]) {
2458 struct nft_stats __percpu *stats = NULL;
2459 struct nft_chain_hook hook = {};
2461 if (table->flags & __NFT_TABLE_F_UPDATE)
2464 if (flags & NFT_CHAIN_BINDING)
2467 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2472 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2473 if (basechain == NULL) {
2474 nft_chain_release_hook(&hook);
2477 chain = &basechain->chain;
2479 if (nla[NFTA_CHAIN_COUNTERS]) {
2480 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2481 if (IS_ERR(stats)) {
2482 nft_chain_release_hook(&hook);
2484 return PTR_ERR(stats);
2486 rcu_assign_pointer(basechain->stats, stats);
2489 err = nft_basechain_init(basechain, family, &hook, flags);
2491 nft_chain_release_hook(&hook);
2497 static_branch_inc(&nft_counters_enabled);
2499 if (flags & NFT_CHAIN_BASE)
2501 if (flags & NFT_CHAIN_HW_OFFLOAD)
2504 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2508 chain->flags = flags;
2512 INIT_LIST_HEAD(&chain->rules);
2513 chain->handle = nf_tables_alloc_handle(table);
2514 chain->table = table;
2516 if (nla[NFTA_CHAIN_NAME]) {
2517 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2519 if (!(flags & NFT_CHAIN_BINDING)) {
2521 goto err_destroy_chain;
2524 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2525 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2530 goto err_destroy_chain;
2533 if (nla[NFTA_CHAIN_USERDATA]) {
2534 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2535 if (chain->udata == NULL) {
2537 goto err_destroy_chain;
2539 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2542 blob = nf_tables_chain_alloc_rules(chain, 0);
2545 goto err_destroy_chain;
2548 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2549 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2551 if (!nft_use_inc(&table->use)) {
2553 goto err_destroy_chain;
2556 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2557 if (IS_ERR(trans)) {
2558 err = PTR_ERR(trans);
2562 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2563 if (nft_is_base_chain(chain))
2564 nft_trans_chain_policy(trans) = policy;
2566 err = nft_chain_add(table, chain);
2570 /* This must be LAST to ensure no packets are walking over this chain. */
2571 err = nf_tables_register_hook(net, table, chain);
2573 goto err_register_hook;
2578 nft_chain_del(chain);
2580 nft_trans_destroy(trans);
2582 nft_use_dec_restore(&table->use);
2584 nf_tables_chain_destroy(ctx);
2589 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2590 u32 flags, const struct nlattr *attr,
2591 struct netlink_ext_ack *extack)
2593 const struct nlattr * const *nla = ctx->nla;
2594 struct nft_base_chain *basechain = NULL;
2595 struct nft_table *table = ctx->table;
2596 struct nft_chain *chain = ctx->chain;
2597 struct nft_chain_hook hook = {};
2598 struct nft_stats *stats = NULL;
2599 struct nft_hook *h, *next;
2600 struct nf_hook_ops *ops;
2601 struct nft_trans *trans;
2602 bool unregister = false;
2605 if (chain->flags ^ flags)
2608 INIT_LIST_HEAD(&hook.list);
2610 if (nla[NFTA_CHAIN_HOOK]) {
2611 if (!nft_is_base_chain(chain)) {
2612 NL_SET_BAD_ATTR(extack, attr);
2616 basechain = nft_base_chain(chain);
2617 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2618 ctx->family, flags, extack);
2622 if (basechain->type != hook.type) {
2623 nft_chain_release_hook(&hook);
2624 NL_SET_BAD_ATTR(extack, attr);
2628 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2629 list_for_each_entry_safe(h, next, &hook.list, list) {
2630 h->ops.pf = basechain->ops.pf;
2631 h->ops.hooknum = basechain->ops.hooknum;
2632 h->ops.priority = basechain->ops.priority;
2633 h->ops.priv = basechain->ops.priv;
2634 h->ops.hook = basechain->ops.hook;
2636 if (nft_hook_list_find(&basechain->hook_list, h)) {
2642 ops = &basechain->ops;
2643 if (ops->hooknum != hook.num ||
2644 ops->priority != hook.priority) {
2645 nft_chain_release_hook(&hook);
2646 NL_SET_BAD_ATTR(extack, attr);
2652 if (nla[NFTA_CHAIN_HANDLE] &&
2653 nla[NFTA_CHAIN_NAME]) {
2654 struct nft_chain *chain2;
2656 chain2 = nft_chain_lookup(ctx->net, table,
2657 nla[NFTA_CHAIN_NAME], genmask);
2658 if (!IS_ERR(chain2)) {
2659 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2665 if (table->flags & __NFT_TABLE_F_UPDATE &&
2666 !list_empty(&hook.list)) {
2667 NL_SET_BAD_ATTR(extack, attr);
2672 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2673 nft_is_base_chain(chain) &&
2674 !list_empty(&hook.list)) {
2675 basechain = nft_base_chain(chain);
2676 ops = &basechain->ops;
2678 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2679 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2687 if (nla[NFTA_CHAIN_COUNTERS]) {
2688 if (!nft_is_base_chain(chain)) {
2693 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2694 if (IS_ERR(stats)) {
2695 err = PTR_ERR(stats);
2701 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2702 sizeof(struct nft_trans_chain));
2706 nft_trans_chain_stats(trans) = stats;
2707 nft_trans_chain_update(trans) = true;
2709 if (nla[NFTA_CHAIN_POLICY])
2710 nft_trans_chain_policy(trans) = policy;
2712 nft_trans_chain_policy(trans) = -1;
2714 if (nla[NFTA_CHAIN_HANDLE] &&
2715 nla[NFTA_CHAIN_NAME]) {
2716 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2717 struct nft_trans *tmp;
2721 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2726 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2727 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2728 tmp->ctx.table == table &&
2729 nft_trans_chain_update(tmp) &&
2730 nft_trans_chain_name(tmp) &&
2731 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2732 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2738 nft_trans_chain_name(trans) = name;
2741 nft_trans_basechain(trans) = basechain;
2742 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2743 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2744 if (nla[NFTA_CHAIN_HOOK])
2745 module_put(hook.type->owner);
2747 nft_trans_commit_list_add_tail(ctx->net, trans);
2755 if (nla[NFTA_CHAIN_HOOK]) {
2756 list_for_each_entry_safe(h, next, &hook.list, list) {
2758 nf_unregister_net_hook(ctx->net, &h->ops);
2762 module_put(hook.type->owner);
2768 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2769 const struct nft_table *table,
2770 const struct nlattr *nla, u8 genmask)
2772 struct nftables_pernet *nft_net = nft_pernet(net);
2773 u32 id = ntohl(nla_get_be32(nla));
2774 struct nft_trans *trans;
2776 list_for_each_entry(trans, &nft_net->commit_list, list) {
2777 struct nft_chain *chain = trans->ctx.chain;
2779 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2780 chain->table == table &&
2781 id == nft_trans_chain_id(trans) &&
2782 nft_active_genmask(chain, genmask))
2785 return ERR_PTR(-ENOENT);
2788 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2789 const struct nlattr * const nla[])
2791 struct nftables_pernet *nft_net = nft_pernet(info->net);
2792 struct netlink_ext_ack *extack = info->extack;
2793 u8 genmask = nft_genmask_next(info->net);
2794 u8 family = info->nfmsg->nfgen_family;
2795 struct nft_chain *chain = NULL;
2796 struct net *net = info->net;
2797 const struct nlattr *attr;
2798 struct nft_table *table;
2799 u8 policy = NF_ACCEPT;
2804 lockdep_assert_held(&nft_net->commit_mutex);
2806 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2807 NETLINK_CB(skb).portid);
2808 if (IS_ERR(table)) {
2809 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2810 return PTR_ERR(table);
2814 attr = nla[NFTA_CHAIN_NAME];
2816 if (nla[NFTA_CHAIN_HANDLE]) {
2817 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2818 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2819 if (IS_ERR(chain)) {
2820 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2821 return PTR_ERR(chain);
2823 attr = nla[NFTA_CHAIN_HANDLE];
2824 } else if (nla[NFTA_CHAIN_NAME]) {
2825 chain = nft_chain_lookup(net, table, attr, genmask);
2826 if (IS_ERR(chain)) {
2827 if (PTR_ERR(chain) != -ENOENT) {
2828 NL_SET_BAD_ATTR(extack, attr);
2829 return PTR_ERR(chain);
2833 } else if (!nla[NFTA_CHAIN_ID]) {
2837 if (nla[NFTA_CHAIN_POLICY]) {
2838 if (chain != NULL &&
2839 !nft_is_base_chain(chain)) {
2840 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2844 if (chain == NULL &&
2845 nla[NFTA_CHAIN_HOOK] == NULL) {
2846 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2850 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2860 if (nla[NFTA_CHAIN_FLAGS])
2861 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2863 flags = chain->flags;
2865 if (flags & ~NFT_CHAIN_FLAGS)
2868 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2870 if (chain != NULL) {
2871 if (chain->flags & NFT_CHAIN_BINDING)
2874 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2875 NL_SET_BAD_ATTR(extack, attr);
2878 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2881 flags |= chain->flags & NFT_CHAIN_BASE;
2882 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2886 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2889 static int nft_delchain_hook(struct nft_ctx *ctx,
2890 struct nft_base_chain *basechain,
2891 struct netlink_ext_ack *extack)
2893 const struct nft_chain *chain = &basechain->chain;
2894 const struct nlattr * const *nla = ctx->nla;
2895 struct nft_chain_hook chain_hook = {};
2896 struct nft_hook *this, *hook;
2897 LIST_HEAD(chain_del_list);
2898 struct nft_trans *trans;
2901 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
2904 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2905 ctx->family, chain->flags, extack);
2909 list_for_each_entry(this, &chain_hook.list, list) {
2910 hook = nft_hook_list_find(&basechain->hook_list, this);
2913 goto err_chain_del_hook;
2915 list_move(&hook->list, &chain_del_list);
2918 trans = nft_trans_alloc(ctx, NFT_MSG_DELCHAIN,
2919 sizeof(struct nft_trans_chain));
2922 goto err_chain_del_hook;
2925 nft_trans_basechain(trans) = basechain;
2926 nft_trans_chain_update(trans) = true;
2927 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2928 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2929 nft_chain_release_hook(&chain_hook);
2931 nft_trans_commit_list_add_tail(ctx->net, trans);
2936 list_splice(&chain_del_list, &basechain->hook_list);
2937 nft_chain_release_hook(&chain_hook);
2942 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2943 const struct nlattr * const nla[])
2945 struct netlink_ext_ack *extack = info->extack;
2946 u8 genmask = nft_genmask_next(info->net);
2947 u8 family = info->nfmsg->nfgen_family;
2948 struct net *net = info->net;
2949 const struct nlattr *attr;
2950 struct nft_table *table;
2951 struct nft_chain *chain;
2952 struct nft_rule *rule;
2958 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2959 NETLINK_CB(skb).portid);
2960 if (IS_ERR(table)) {
2961 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2962 return PTR_ERR(table);
2965 if (nla[NFTA_CHAIN_HANDLE]) {
2966 attr = nla[NFTA_CHAIN_HANDLE];
2967 handle = be64_to_cpu(nla_get_be64(attr));
2968 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2970 attr = nla[NFTA_CHAIN_NAME];
2971 chain = nft_chain_lookup(net, table, attr, genmask);
2973 if (IS_ERR(chain)) {
2974 if (PTR_ERR(chain) == -ENOENT &&
2975 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2978 NL_SET_BAD_ATTR(extack, attr);
2979 return PTR_ERR(chain);
2982 if (nft_chain_binding(chain))
2985 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2987 if (nla[NFTA_CHAIN_HOOK]) {
2988 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
2989 chain->flags & NFT_CHAIN_HW_OFFLOAD)
2992 if (nft_is_base_chain(chain)) {
2993 struct nft_base_chain *basechain = nft_base_chain(chain);
2995 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
2996 return nft_delchain_hook(&ctx, basechain, extack);
3000 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
3005 list_for_each_entry(rule, &chain->rules, list) {
3006 if (!nft_is_active_next(net, rule))
3010 err = nft_delrule(&ctx, rule);
3015 /* There are rules and elements that are still holding references to us,
3016 * we cannot do a recursive removal in this case.
3019 NL_SET_BAD_ATTR(extack, attr);
3023 return nft_delchain(&ctx);
3031 * nft_register_expr - register nf_tables expr type
3034 * Registers the expr type for use with nf_tables. Returns zero on
3035 * success or a negative errno code otherwise.
3037 int nft_register_expr(struct nft_expr_type *type)
3039 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
3042 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3043 if (type->family == NFPROTO_UNSPEC)
3044 list_add_tail_rcu(&type->list, &nf_tables_expressions);
3046 list_add_rcu(&type->list, &nf_tables_expressions);
3047 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3050 EXPORT_SYMBOL_GPL(nft_register_expr);
3053 * nft_unregister_expr - unregister nf_tables expr type
3056 * Unregisters the expr typefor use with nf_tables.
3058 void nft_unregister_expr(struct nft_expr_type *type)
3060 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3061 list_del_rcu(&type->list);
3062 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3064 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3066 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3069 const struct nft_expr_type *type, *candidate = NULL;
3071 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3072 if (!nla_strcmp(nla, type->name)) {
3073 if (!type->family && !candidate)
3075 else if (type->family == family)
3082 #ifdef CONFIG_MODULES
3083 static int nft_expr_type_request_module(struct net *net, u8 family,
3086 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3087 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3094 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3098 const struct nft_expr_type *type;
3101 return ERR_PTR(-EINVAL);
3104 type = __nft_expr_type_get(family, nla);
3105 if (type != NULL && try_module_get(type->owner)) {
3111 lockdep_nfnl_nft_mutex_not_held();
3112 #ifdef CONFIG_MODULES
3114 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3115 return ERR_PTR(-EAGAIN);
3117 if (nft_request_module(net, "nft-expr-%.*s",
3119 (char *)nla_data(nla)) == -EAGAIN)
3120 return ERR_PTR(-EAGAIN);
3123 return ERR_PTR(-ENOENT);
3126 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3127 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3128 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3129 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3132 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3133 const struct nft_expr *expr, bool reset)
3135 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3136 goto nla_put_failure;
3138 if (expr->ops->dump) {
3139 struct nlattr *data = nla_nest_start_noflag(skb,
3142 goto nla_put_failure;
3143 if (expr->ops->dump(skb, expr, reset) < 0)
3144 goto nla_put_failure;
3145 nla_nest_end(skb, data);
3154 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3155 const struct nft_expr *expr, bool reset)
3157 struct nlattr *nest;
3159 nest = nla_nest_start_noflag(skb, attr);
3161 goto nla_put_failure;
3162 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3163 goto nla_put_failure;
3164 nla_nest_end(skb, nest);
3171 struct nft_expr_info {
3172 const struct nft_expr_ops *ops;
3173 const struct nlattr *attr;
3174 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3177 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3178 const struct nlattr *nla,
3179 struct nft_expr_info *info)
3181 const struct nft_expr_type *type;
3182 const struct nft_expr_ops *ops;
3183 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3186 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3187 nft_expr_policy, NULL);
3191 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3193 return PTR_ERR(type);
3195 if (tb[NFTA_EXPR_DATA]) {
3196 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3198 type->policy, NULL);
3202 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3204 if (type->select_ops != NULL) {
3205 ops = type->select_ops(ctx,
3206 (const struct nlattr * const *)info->tb);
3209 #ifdef CONFIG_MODULES
3211 if (nft_expr_type_request_module(ctx->net,
3213 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3227 module_put(type->owner);
3231 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3232 struct nft_expr_info *info)
3234 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3235 const struct nft_expr_type *type;
3238 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3239 nft_expr_policy, NULL);
3243 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3246 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3250 if (!type->inner_ops)
3253 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3255 type->policy, NULL);
3260 info->ops = type->inner_ops;
3268 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3269 const struct nft_expr_info *expr_info,
3270 struct nft_expr *expr)
3272 const struct nft_expr_ops *ops = expr_info->ops;
3277 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3288 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3289 struct nft_expr *expr)
3291 const struct nft_expr_type *type = expr->ops->type;
3293 if (expr->ops->destroy)
3294 expr->ops->destroy(ctx, expr);
3295 module_put(type->owner);
3298 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3299 const struct nlattr *nla)
3301 struct nft_expr_info expr_info;
3302 struct nft_expr *expr;
3303 struct module *owner;
3306 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3308 goto err_expr_parse;
3311 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3312 goto err_expr_stateful;
3315 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3317 goto err_expr_stateful;
3319 err = nf_tables_newexpr(ctx, &expr_info, expr);
3327 owner = expr_info.ops->type->owner;
3328 if (expr_info.ops->type->release_ops)
3329 expr_info.ops->type->release_ops(expr_info.ops);
3333 return ERR_PTR(err);
3336 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
3340 if (WARN_ON_ONCE(!src->ops->clone))
3343 dst->ops = src->ops;
3344 err = src->ops->clone(dst, src, gfp);
3348 __module_get(src->ops->type->owner);
3353 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3355 nf_tables_expr_destroy(ctx, expr);
3363 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3366 struct nft_rule *rule;
3368 // FIXME: this sucks
3369 list_for_each_entry_rcu(rule, &chain->rules, list) {
3370 if (handle == rule->handle)
3374 return ERR_PTR(-ENOENT);
3377 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3378 const struct nlattr *nla)
3381 return ERR_PTR(-EINVAL);
3383 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3386 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3387 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3388 .len = NFT_TABLE_MAXNAMELEN - 1 },
3389 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3390 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3391 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3392 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3393 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3394 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3395 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3396 .len = NFT_USERDATA_MAXLEN },
3397 [NFTA_RULE_ID] = { .type = NLA_U32 },
3398 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3399 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3402 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3403 u32 portid, u32 seq, int event,
3404 u32 flags, int family,
3405 const struct nft_table *table,
3406 const struct nft_chain *chain,
3407 const struct nft_rule *rule, u64 handle,
3410 struct nlmsghdr *nlh;
3411 const struct nft_expr *expr, *next;
3412 struct nlattr *list;
3413 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3415 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3418 goto nla_put_failure;
3420 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3421 goto nla_put_failure;
3422 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3423 goto nla_put_failure;
3424 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3426 goto nla_put_failure;
3428 if (event != NFT_MSG_DELRULE && handle) {
3429 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3431 goto nla_put_failure;
3434 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3435 nft_flow_rule_stats(chain, rule);
3437 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3439 goto nla_put_failure;
3440 nft_rule_for_each_expr(expr, next, rule) {
3441 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3442 goto nla_put_failure;
3444 nla_nest_end(skb, list);
3447 struct nft_userdata *udata = nft_userdata(rule);
3448 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3450 goto nla_put_failure;
3453 nlmsg_end(skb, nlh);
3457 nlmsg_trim(skb, nlh);
3461 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3462 const struct nft_rule *rule, int event)
3464 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3465 const struct nft_rule *prule;
3466 struct sk_buff *skb;
3472 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3475 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3479 if (event == NFT_MSG_NEWRULE &&
3480 !list_is_first(&rule->list, &ctx->chain->rules) &&
3481 !list_is_last(&rule->list, &ctx->chain->rules)) {
3482 prule = list_prev_entry(rule, list);
3483 handle = prule->handle;
3485 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3486 flags |= NLM_F_APPEND;
3487 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3488 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3490 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3491 event, flags, ctx->family, ctx->table,
3492 ctx->chain, rule, handle, false);
3498 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3501 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3504 static void audit_log_rule_reset(const struct nft_table *table,
3505 unsigned int base_seq,
3506 unsigned int nentries)
3508 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3509 table->name, base_seq);
3511 audit_log_nfcfg(buf, table->family, nentries,
3512 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3516 struct nft_rule_dump_ctx {
3523 static int __nf_tables_dump_rules(struct sk_buff *skb,
3525 struct netlink_callback *cb,
3526 const struct nft_table *table,
3527 const struct nft_chain *chain)
3529 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3530 struct net *net = sock_net(skb->sk);
3531 const struct nft_rule *rule, *prule;
3532 unsigned int entries = 0;
3537 list_for_each_entry_rcu(rule, &chain->rules, list) {
3538 if (!nft_is_active(net, rule))
3540 if (*idx < ctx->s_idx)
3543 handle = prule->handle;
3547 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3550 NLM_F_MULTI | NLM_F_APPEND,
3552 table, chain, rule, handle, ctx->reset) < 0) {
3557 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3564 if (ctx->reset && entries)
3565 audit_log_rule_reset(table, cb->seq, entries);
3570 static int nf_tables_dump_rules(struct sk_buff *skb,
3571 struct netlink_callback *cb)
3573 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3574 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3575 struct nft_table *table;
3576 const struct nft_chain *chain;
3577 unsigned int idx = 0;
3578 struct net *net = sock_net(skb->sk);
3579 int family = nfmsg->nfgen_family;
3580 struct nftables_pernet *nft_net;
3583 nft_net = nft_pernet(net);
3584 cb->seq = READ_ONCE(nft_net->base_seq);
3586 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3587 if (family != NFPROTO_UNSPEC && family != table->family)
3590 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3593 if (ctx->table && ctx->chain) {
3594 struct rhlist_head *list, *tmp;
3596 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3597 nft_chain_ht_params);
3601 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3602 if (!nft_is_active(net, chain))
3604 __nf_tables_dump_rules(skb, &idx,
3611 list_for_each_entry_rcu(chain, &table->chains, list) {
3612 if (__nf_tables_dump_rules(skb, &idx,
3627 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3628 struct netlink_callback *cb)
3630 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3633 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3634 * do not underrun counters and quotas. The commit_mutex is used for
3635 * the lack a better lock, this is not transaction path.
3637 mutex_lock(&nft_net->commit_mutex);
3638 ret = nf_tables_dump_rules(skb, cb);
3639 mutex_unlock(&nft_net->commit_mutex);
3644 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3646 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3647 const struct nlattr * const *nla = cb->data;
3649 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3651 if (nla[NFTA_RULE_TABLE]) {
3652 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3656 if (nla[NFTA_RULE_CHAIN]) {
3657 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3666 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3668 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3672 return nf_tables_dump_rules_start(cb);
3675 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3677 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3684 /* called with rcu_read_lock held */
3685 static struct sk_buff *
3686 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3687 const struct nlattr * const nla[], bool reset)
3689 struct netlink_ext_ack *extack = info->extack;
3690 u8 genmask = nft_genmask_cur(info->net);
3691 u8 family = info->nfmsg->nfgen_family;
3692 const struct nft_chain *chain;
3693 const struct nft_rule *rule;
3694 struct net *net = info->net;
3695 struct nft_table *table;
3696 struct sk_buff *skb2;
3699 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3700 if (IS_ERR(table)) {
3701 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3702 return ERR_CAST(table);
3705 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3706 if (IS_ERR(chain)) {
3707 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3708 return ERR_CAST(chain);
3711 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3713 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3714 return ERR_CAST(rule);
3717 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3719 return ERR_PTR(-ENOMEM);
3721 err = nf_tables_fill_rule_info(skb2, net, portid,
3722 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3723 family, table, chain, rule, 0, reset);
3726 return ERR_PTR(err);
3732 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3733 const struct nlattr * const nla[])
3735 u32 portid = NETLINK_CB(skb).portid;
3736 struct net *net = info->net;
3737 struct sk_buff *skb2;
3739 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3740 struct netlink_dump_control c = {
3741 .start= nf_tables_dump_rules_start,
3742 .dump = nf_tables_dump_rules,
3743 .done = nf_tables_dump_rules_done,
3744 .module = THIS_MODULE,
3745 .data = (void *)nla,
3748 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3751 skb2 = nf_tables_getrule_single(portid, info, nla, false);
3753 return PTR_ERR(skb2);
3755 return nfnetlink_unicast(skb2, net, portid);
3758 static int nf_tables_getrule_reset(struct sk_buff *skb,
3759 const struct nfnl_info *info,
3760 const struct nlattr * const nla[])
3762 struct nftables_pernet *nft_net = nft_pernet(info->net);
3763 u32 portid = NETLINK_CB(skb).portid;
3764 struct net *net = info->net;
3765 struct sk_buff *skb2;
3768 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3769 struct netlink_dump_control c = {
3770 .start= nf_tables_dumpreset_rules_start,
3771 .dump = nf_tables_dumpreset_rules,
3772 .done = nf_tables_dump_rules_done,
3773 .module = THIS_MODULE,
3774 .data = (void *)nla,
3777 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3780 if (!try_module_get(THIS_MODULE))
3783 mutex_lock(&nft_net->commit_mutex);
3784 skb2 = nf_tables_getrule_single(portid, info, nla, true);
3785 mutex_unlock(&nft_net->commit_mutex);
3787 module_put(THIS_MODULE);
3790 return PTR_ERR(skb2);
3792 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3793 nla_len(nla[NFTA_RULE_TABLE]),
3794 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3796 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3797 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3800 return nfnetlink_unicast(skb2, net, portid);
3803 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3805 struct nft_expr *expr, *next;
3808 * Careful: some expressions might not be initialized in case this
3809 * is called on error from nf_tables_newrule().
3811 expr = nft_expr_first(rule);
3812 while (nft_expr_more(rule, expr)) {
3813 next = nft_expr_next(expr);
3814 nf_tables_expr_destroy(ctx, expr);
3820 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3822 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3823 nf_tables_rule_destroy(ctx, rule);
3826 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3828 struct nft_expr *expr, *last;
3829 const struct nft_data *data;
3830 struct nft_rule *rule;
3833 if (ctx->level == NFT_JUMP_STACK_SIZE)
3836 list_for_each_entry(rule, &chain->rules, list) {
3837 if (fatal_signal_pending(current))
3840 if (!nft_is_active_next(ctx->net, rule))
3843 nft_rule_for_each_expr(expr, last, rule) {
3844 if (!expr->ops->validate)
3847 err = expr->ops->validate(ctx, expr, &data);
3855 EXPORT_SYMBOL_GPL(nft_chain_validate);
3857 static int nft_table_validate(struct net *net, const struct nft_table *table)
3859 struct nft_chain *chain;
3860 struct nft_ctx ctx = {
3862 .family = table->family,
3866 list_for_each_entry(chain, &table->chains, list) {
3867 if (!nft_is_base_chain(chain))
3871 err = nft_chain_validate(&ctx, chain);
3881 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3882 const struct nft_set_iter *iter,
3883 struct nft_elem_priv *elem_priv)
3885 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
3886 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3887 const struct nft_data *data;
3890 if (!nft_set_elem_active(ext, iter->genmask))
3893 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3894 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3897 data = nft_set_ext_data(ext);
3898 switch (data->verdict.code) {
3902 err = nft_chain_validate(ctx, data->verdict.chain);
3914 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3916 struct nft_set_iter dummy_iter = {
3917 .genmask = nft_genmask_next(ctx->net),
3919 struct nft_set_elem_catchall *catchall;
3921 struct nft_set_ext *ext;
3924 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3925 ext = nft_set_elem_ext(set, catchall->elem);
3926 if (!nft_set_elem_active(ext, dummy_iter.genmask))
3929 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
3937 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3938 const struct nft_chain *chain,
3939 const struct nlattr *nla);
3941 #define NFT_RULE_MAXEXPRS 128
3943 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3944 const struct nlattr * const nla[])
3946 struct nftables_pernet *nft_net = nft_pernet(info->net);
3947 struct netlink_ext_ack *extack = info->extack;
3948 unsigned int size, i, n, ulen = 0, usize = 0;
3949 u8 genmask = nft_genmask_next(info->net);
3950 struct nft_rule *rule, *old_rule = NULL;
3951 struct nft_expr_info *expr_info = NULL;
3952 u8 family = info->nfmsg->nfgen_family;
3953 struct nft_flow_rule *flow = NULL;
3954 struct net *net = info->net;
3955 struct nft_userdata *udata;
3956 struct nft_table *table;
3957 struct nft_chain *chain;
3958 struct nft_trans *trans;
3959 u64 handle, pos_handle;
3960 struct nft_expr *expr;
3965 lockdep_assert_held(&nft_net->commit_mutex);
3967 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3968 NETLINK_CB(skb).portid);
3969 if (IS_ERR(table)) {
3970 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3971 return PTR_ERR(table);
3974 if (nla[NFTA_RULE_CHAIN]) {
3975 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3977 if (IS_ERR(chain)) {
3978 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3979 return PTR_ERR(chain);
3982 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3983 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
3985 if (IS_ERR(chain)) {
3986 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3987 return PTR_ERR(chain);
3993 if (nft_chain_is_bound(chain))
3996 if (nla[NFTA_RULE_HANDLE]) {
3997 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3998 rule = __nft_rule_lookup(chain, handle);
4000 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4001 return PTR_ERR(rule);
4004 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4005 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4008 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4013 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
4014 info->nlh->nlmsg_flags & NLM_F_REPLACE)
4016 handle = nf_tables_alloc_handle(table);
4018 if (nla[NFTA_RULE_POSITION]) {
4019 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4020 old_rule = __nft_rule_lookup(chain, pos_handle);
4021 if (IS_ERR(old_rule)) {
4022 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4023 return PTR_ERR(old_rule);
4025 } else if (nla[NFTA_RULE_POSITION_ID]) {
4026 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
4027 if (IS_ERR(old_rule)) {
4028 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4029 return PTR_ERR(old_rule);
4034 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4038 if (nla[NFTA_RULE_EXPRESSIONS]) {
4039 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
4040 sizeof(struct nft_expr_info),
4045 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4047 if (nla_type(tmp) != NFTA_LIST_ELEM)
4048 goto err_release_expr;
4049 if (n == NFT_RULE_MAXEXPRS)
4050 goto err_release_expr;
4051 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
4053 NL_SET_BAD_ATTR(extack, tmp);
4054 goto err_release_expr;
4056 size += expr_info[n].ops->size;
4060 /* Check for overflow of dlen field */
4062 if (size >= 1 << 12)
4063 goto err_release_expr;
4065 if (nla[NFTA_RULE_USERDATA]) {
4066 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4068 usize = sizeof(struct nft_userdata) + ulen;
4072 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4074 goto err_release_expr;
4076 nft_activate_next(net, rule);
4078 rule->handle = handle;
4080 rule->udata = ulen ? 1 : 0;
4083 udata = nft_userdata(rule);
4084 udata->len = ulen - 1;
4085 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4088 expr = nft_expr_first(rule);
4089 for (i = 0; i < n; i++) {
4090 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4092 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4093 goto err_release_rule;
4096 if (expr_info[i].ops->validate)
4097 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4099 expr_info[i].ops = NULL;
4100 expr = nft_expr_next(expr);
4103 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4104 flow = nft_flow_rule_create(net, rule);
4106 err = PTR_ERR(flow);
4107 goto err_release_rule;
4111 if (!nft_use_inc(&chain->use)) {
4113 goto err_release_rule;
4116 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4117 if (nft_chain_binding(chain)) {
4119 goto err_destroy_flow_rule;
4122 err = nft_delrule(&ctx, old_rule);
4124 goto err_destroy_flow_rule;
4126 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4127 if (trans == NULL) {
4129 goto err_destroy_flow_rule;
4131 list_add_tail_rcu(&rule->list, &old_rule->list);
4133 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4136 goto err_destroy_flow_rule;
4139 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4141 list_add_rcu(&rule->list, &old_rule->list);
4143 list_add_tail_rcu(&rule->list, &chain->rules);
4146 list_add_tail_rcu(&rule->list, &old_rule->list);
4148 list_add_rcu(&rule->list, &chain->rules);
4154 nft_trans_flow_rule(trans) = flow;
4156 if (table->validate_state == NFT_VALIDATE_DO)
4157 return nft_table_validate(net, table);
4161 err_destroy_flow_rule:
4162 nft_use_dec_restore(&chain->use);
4164 nft_flow_rule_destroy(flow);
4166 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4167 nf_tables_rule_destroy(&ctx, rule);
4169 for (i = 0; i < n; i++) {
4170 if (expr_info[i].ops) {
4171 module_put(expr_info[i].ops->type->owner);
4172 if (expr_info[i].ops->type->release_ops)
4173 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4181 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4182 const struct nft_chain *chain,
4183 const struct nlattr *nla)
4185 struct nftables_pernet *nft_net = nft_pernet(net);
4186 u32 id = ntohl(nla_get_be32(nla));
4187 struct nft_trans *trans;
4189 list_for_each_entry(trans, &nft_net->commit_list, list) {
4190 if (trans->msg_type == NFT_MSG_NEWRULE &&
4191 trans->ctx.chain == chain &&
4192 id == nft_trans_rule_id(trans))
4193 return nft_trans_rule(trans);
4195 return ERR_PTR(-ENOENT);
4198 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4199 const struct nlattr * const nla[])
4201 struct netlink_ext_ack *extack = info->extack;
4202 u8 genmask = nft_genmask_next(info->net);
4203 u8 family = info->nfmsg->nfgen_family;
4204 struct nft_chain *chain = NULL;
4205 struct net *net = info->net;
4206 struct nft_table *table;
4207 struct nft_rule *rule;
4211 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4212 NETLINK_CB(skb).portid);
4213 if (IS_ERR(table)) {
4214 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4215 return PTR_ERR(table);
4218 if (nla[NFTA_RULE_CHAIN]) {
4219 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4221 if (IS_ERR(chain)) {
4222 if (PTR_ERR(chain) == -ENOENT &&
4223 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4226 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4227 return PTR_ERR(chain);
4229 if (nft_chain_binding(chain))
4233 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4236 if (nla[NFTA_RULE_HANDLE]) {
4237 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
4239 if (PTR_ERR(rule) == -ENOENT &&
4240 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4243 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4244 return PTR_ERR(rule);
4247 err = nft_delrule(&ctx, rule);
4248 } else if (nla[NFTA_RULE_ID]) {
4249 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4251 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4252 return PTR_ERR(rule);
4255 err = nft_delrule(&ctx, rule);
4257 err = nft_delrule_by_chain(&ctx);
4260 list_for_each_entry(chain, &table->chains, list) {
4261 if (!nft_is_active_next(net, chain))
4263 if (nft_chain_binding(chain))
4267 err = nft_delrule_by_chain(&ctx);
4279 static const struct nft_set_type *nft_set_types[] = {
4280 &nft_set_hash_fast_type,
4282 &nft_set_rhash_type,
4283 &nft_set_bitmap_type,
4284 &nft_set_rbtree_type,
4285 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4286 &nft_set_pipapo_avx2_type,
4288 &nft_set_pipapo_type,
4291 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4292 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4295 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4297 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4301 * Select a set implementation based on the data characteristics and the
4302 * given policy. The total memory use might not be known if no size is
4303 * given, in that case the amount of memory per element is used.
4305 static const struct nft_set_ops *
4306 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
4307 const struct nft_set_desc *desc)
4309 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4310 const struct nft_set_ops *ops, *bops;
4311 struct nft_set_estimate est, best;
4312 const struct nft_set_type *type;
4315 lockdep_assert_held(&nft_net->commit_mutex);
4316 lockdep_nfnl_nft_mutex_not_held();
4323 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4324 type = nft_set_types[i];
4327 if (!nft_set_ops_candidate(type, flags))
4329 if (!ops->estimate(desc, flags, &est))
4332 switch (desc->policy) {
4333 case NFT_SET_POL_PERFORMANCE:
4334 if (est.lookup < best.lookup)
4336 if (est.lookup == best.lookup &&
4337 est.space < best.space)
4340 case NFT_SET_POL_MEMORY:
4342 if (est.space < best.space)
4344 if (est.space == best.space &&
4345 est.lookup < best.lookup)
4347 } else if (est.size < best.size || !bops) {
4362 return ERR_PTR(-EOPNOTSUPP);
4365 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4366 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4367 .len = NFT_TABLE_MAXNAMELEN - 1 },
4368 [NFTA_SET_NAME] = { .type = NLA_STRING,
4369 .len = NFT_SET_MAXNAMELEN - 1 },
4370 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4371 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4372 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4373 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4374 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4375 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4376 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4377 [NFTA_SET_ID] = { .type = NLA_U32 },
4378 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4379 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4380 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4381 .len = NFT_USERDATA_MAXLEN },
4382 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4383 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4384 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4385 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4388 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4389 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4392 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4393 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4394 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4397 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4398 const struct nlattr *nla, u8 genmask)
4400 struct nft_set *set;
4403 return ERR_PTR(-EINVAL);
4405 list_for_each_entry_rcu(set, &table->sets, list) {
4406 if (!nla_strcmp(nla, set->name) &&
4407 nft_active_genmask(set, genmask))
4410 return ERR_PTR(-ENOENT);
4413 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4414 const struct nlattr *nla,
4417 struct nft_set *set;
4419 list_for_each_entry(set, &table->sets, list) {
4420 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4421 nft_active_genmask(set, genmask))
4424 return ERR_PTR(-ENOENT);
4427 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4428 const struct nft_table *table,
4429 const struct nlattr *nla, u8 genmask)
4431 struct nftables_pernet *nft_net = nft_pernet(net);
4432 u32 id = ntohl(nla_get_be32(nla));
4433 struct nft_trans *trans;
4435 list_for_each_entry(trans, &nft_net->commit_list, list) {
4436 if (trans->msg_type == NFT_MSG_NEWSET) {
4437 struct nft_set *set = nft_trans_set(trans);
4439 if (id == nft_trans_set_id(trans) &&
4440 set->table == table &&
4441 nft_active_genmask(set, genmask))
4445 return ERR_PTR(-ENOENT);
4448 struct nft_set *nft_set_lookup_global(const struct net *net,
4449 const struct nft_table *table,
4450 const struct nlattr *nla_set_name,
4451 const struct nlattr *nla_set_id,
4454 struct nft_set *set;
4456 set = nft_set_lookup(table, nla_set_name, genmask);
4461 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4465 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4467 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4470 const struct nft_set *i;
4472 unsigned long *inuse;
4473 unsigned int n = 0, min = 0;
4475 p = strchr(name, '%');
4477 if (p[1] != 'd' || strchr(p + 2, '%'))
4480 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4483 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4487 list_for_each_entry(i, &ctx->table->sets, list) {
4490 if (!nft_is_active_next(ctx->net, i))
4492 if (!sscanf(i->name, name, &tmp))
4494 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4497 set_bit(tmp - min, inuse);
4500 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4501 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4502 min += BITS_PER_BYTE * PAGE_SIZE;
4503 memset(inuse, 0, PAGE_SIZE);
4506 free_page((unsigned long)inuse);
4509 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4513 list_for_each_entry(i, &ctx->table->sets, list) {
4514 if (!nft_is_active_next(ctx->net, i))
4516 if (!strcmp(set->name, i->name)) {
4525 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4527 u64 ms = be64_to_cpu(nla_get_be64(nla));
4528 u64 max = (u64)(~((u64)0));
4530 max = div_u64(max, NSEC_PER_MSEC);
4534 ms *= NSEC_PER_MSEC;
4535 *result = nsecs_to_jiffies64(ms);
4539 __be64 nf_jiffies64_to_msecs(u64 input)
4541 return cpu_to_be64(jiffies64_to_msecs(input));
4544 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4545 const struct nft_set *set)
4547 struct nlattr *concat, *field;
4550 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4554 for (i = 0; i < set->field_count; i++) {
4555 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4559 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4560 htonl(set->field_len[i])))
4563 nla_nest_end(skb, field);
4566 nla_nest_end(skb, concat);
4571 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4572 const struct nft_set *set, u16 event, u16 flags)
4574 u64 timeout = READ_ONCE(set->timeout);
4575 u32 gc_int = READ_ONCE(set->gc_int);
4576 u32 portid = ctx->portid;
4577 struct nlmsghdr *nlh;
4578 struct nlattr *nest;
4582 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4583 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4584 NFNETLINK_V0, nft_base_seq(ctx->net));
4586 goto nla_put_failure;
4588 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4589 goto nla_put_failure;
4590 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4591 goto nla_put_failure;
4592 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4594 goto nla_put_failure;
4596 if (event == NFT_MSG_DELSET) {
4597 nlmsg_end(skb, nlh);
4601 if (set->flags != 0)
4602 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4603 goto nla_put_failure;
4605 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4606 goto nla_put_failure;
4607 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4608 goto nla_put_failure;
4609 if (set->flags & NFT_SET_MAP) {
4610 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4611 goto nla_put_failure;
4612 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4613 goto nla_put_failure;
4615 if (set->flags & NFT_SET_OBJECT &&
4616 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4617 goto nla_put_failure;
4620 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4621 nf_jiffies64_to_msecs(timeout),
4623 goto nla_put_failure;
4625 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4626 goto nla_put_failure;
4628 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4629 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4630 goto nla_put_failure;
4634 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4635 goto nla_put_failure;
4637 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4639 goto nla_put_failure;
4641 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4642 goto nla_put_failure;
4644 if (set->field_count > 1 &&
4645 nf_tables_fill_set_concat(skb, set))
4646 goto nla_put_failure;
4648 nla_nest_end(skb, nest);
4650 if (set->num_exprs == 1) {
4651 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4652 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4653 goto nla_put_failure;
4655 nla_nest_end(skb, nest);
4656 } else if (set->num_exprs > 1) {
4657 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4659 goto nla_put_failure;
4661 for (i = 0; i < set->num_exprs; i++) {
4662 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4663 set->exprs[i], false) < 0)
4664 goto nla_put_failure;
4666 nla_nest_end(skb, nest);
4669 nlmsg_end(skb, nlh);
4673 nlmsg_trim(skb, nlh);
4677 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4678 const struct nft_set *set, int event,
4681 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4682 u32 portid = ctx->portid;
4683 struct sk_buff *skb;
4688 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4691 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4695 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4696 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4698 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4704 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4707 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4710 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4712 const struct nft_set *set;
4713 unsigned int idx, s_idx = cb->args[0];
4714 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4715 struct net *net = sock_net(skb->sk);
4716 struct nft_ctx *ctx = cb->data, ctx_set;
4717 struct nftables_pernet *nft_net;
4723 nft_net = nft_pernet(net);
4724 cb->seq = READ_ONCE(nft_net->base_seq);
4726 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4727 if (ctx->family != NFPROTO_UNSPEC &&
4728 ctx->family != table->family)
4731 if (ctx->table && ctx->table != table)
4735 if (cur_table != table)
4741 list_for_each_entry_rcu(set, &table->sets, list) {
4744 if (!nft_is_active(net, set))
4748 ctx_set.table = table;
4749 ctx_set.family = table->family;
4751 if (nf_tables_fill_set(skb, &ctx_set, set,
4755 cb->args[2] = (unsigned long) table;
4758 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4771 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4773 struct nft_ctx *ctx_dump = NULL;
4775 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4776 if (ctx_dump == NULL)
4779 cb->data = ctx_dump;
4783 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4789 /* called with rcu_read_lock held */
4790 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4791 const struct nlattr * const nla[])
4793 struct netlink_ext_ack *extack = info->extack;
4794 u8 genmask = nft_genmask_cur(info->net);
4795 u8 family = info->nfmsg->nfgen_family;
4796 struct nft_table *table = NULL;
4797 struct net *net = info->net;
4798 const struct nft_set *set;
4799 struct sk_buff *skb2;
4803 if (nla[NFTA_SET_TABLE]) {
4804 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4806 if (IS_ERR(table)) {
4807 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4808 return PTR_ERR(table);
4812 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4814 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4815 struct netlink_dump_control c = {
4816 .start = nf_tables_dump_sets_start,
4817 .dump = nf_tables_dump_sets,
4818 .done = nf_tables_dump_sets_done,
4820 .module = THIS_MODULE,
4823 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4826 /* Only accept unspec with dump */
4827 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4828 return -EAFNOSUPPORT;
4829 if (!nla[NFTA_SET_TABLE])
4832 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4834 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4835 return PTR_ERR(set);
4838 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4842 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4844 goto err_fill_set_info;
4846 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4853 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4854 struct nft_set_desc *desc)
4856 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4860 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4863 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4864 nft_concat_policy, NULL);
4868 if (!tb[NFTA_SET_FIELD_LEN])
4871 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4872 if (!len || len > U8_MAX)
4875 desc->field_len[desc->field_count++] = len;
4880 static int nft_set_desc_concat(struct nft_set_desc *desc,
4881 const struct nlattr *nla)
4883 u32 num_regs = 0, key_num_regs = 0;
4884 struct nlattr *attr;
4887 nla_for_each_nested(attr, nla, rem) {
4888 if (nla_type(attr) != NFTA_LIST_ELEM)
4891 err = nft_set_desc_concat_parse(attr, desc);
4896 for (i = 0; i < desc->field_count; i++)
4897 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4899 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
4900 if (key_num_regs != num_regs)
4903 if (num_regs > NFT_REG32_COUNT)
4909 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4910 const struct nlattr *nla)
4912 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4915 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4916 nft_set_desc_policy, NULL);
4920 if (da[NFTA_SET_DESC_SIZE] != NULL)
4921 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4922 if (da[NFTA_SET_DESC_CONCAT])
4923 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4928 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4929 const struct nlattr * const *nla,
4930 struct nft_expr **exprs, int *num_exprs,
4933 struct nft_expr *expr;
4936 if (nla[NFTA_SET_EXPR]) {
4937 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4939 err = PTR_ERR(expr);
4940 goto err_set_expr_alloc;
4944 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4948 if (!(flags & NFT_SET_EXPR)) {
4950 goto err_set_expr_alloc;
4953 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4954 if (i == NFT_SET_EXPR_MAX) {
4956 goto err_set_expr_alloc;
4958 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4960 goto err_set_expr_alloc;
4962 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4964 err = PTR_ERR(expr);
4965 goto err_set_expr_alloc;
4975 for (i = 0; i < *num_exprs; i++)
4976 nft_expr_destroy(ctx, exprs[i]);
4981 static bool nft_set_is_same(const struct nft_set *set,
4982 const struct nft_set_desc *desc,
4983 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4987 if (set->ktype != desc->ktype ||
4988 set->dtype != desc->dtype ||
4989 set->flags != flags ||
4990 set->klen != desc->klen ||
4991 set->dlen != desc->dlen ||
4992 set->field_count != desc->field_count ||
4993 set->num_exprs != num_exprs)
4996 for (i = 0; i < desc->field_count; i++) {
4997 if (set->field_len[i] != desc->field_len[i])
5001 for (i = 0; i < num_exprs; i++) {
5002 if (set->exprs[i]->ops != exprs[i]->ops)
5009 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5010 const struct nlattr * const nla[])
5012 struct netlink_ext_ack *extack = info->extack;
5013 u8 genmask = nft_genmask_next(info->net);
5014 u8 family = info->nfmsg->nfgen_family;
5015 const struct nft_set_ops *ops;
5016 struct net *net = info->net;
5017 struct nft_set_desc desc;
5018 struct nft_table *table;
5019 unsigned char *udata;
5020 struct nft_set *set;
5030 if (nla[NFTA_SET_TABLE] == NULL ||
5031 nla[NFTA_SET_NAME] == NULL ||
5032 nla[NFTA_SET_KEY_LEN] == NULL ||
5033 nla[NFTA_SET_ID] == NULL)
5036 memset(&desc, 0, sizeof(desc));
5038 desc.ktype = NFT_DATA_VALUE;
5039 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5040 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5041 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5045 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5046 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5050 if (nla[NFTA_SET_FLAGS] != NULL) {
5051 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5052 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5053 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5054 NFT_SET_MAP | NFT_SET_EVAL |
5055 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5057 /* Only one of these operations is supported */
5058 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5059 (NFT_SET_MAP | NFT_SET_OBJECT))
5061 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5062 (NFT_SET_EVAL | NFT_SET_OBJECT))
5064 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5065 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5067 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5068 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5073 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5074 if (!(flags & NFT_SET_MAP))
5077 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5078 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5079 desc.dtype != NFT_DATA_VERDICT)
5082 if (desc.dtype != NFT_DATA_VERDICT) {
5083 if (nla[NFTA_SET_DATA_LEN] == NULL)
5085 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5086 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5089 desc.dlen = sizeof(struct nft_verdict);
5090 } else if (flags & NFT_SET_MAP)
5093 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5094 if (!(flags & NFT_SET_OBJECT))
5097 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5098 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5099 desc.objtype > NFT_OBJECT_MAX)
5101 } else if (flags & NFT_SET_OBJECT)
5104 desc.objtype = NFT_OBJECT_UNSPEC;
5107 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5108 if (!(flags & NFT_SET_TIMEOUT))
5111 if (flags & NFT_SET_ANONYMOUS)
5114 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5119 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5120 if (!(flags & NFT_SET_TIMEOUT))
5123 if (flags & NFT_SET_ANONYMOUS)
5126 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5129 desc.policy = NFT_SET_POL_PERFORMANCE;
5130 if (nla[NFTA_SET_POLICY] != NULL) {
5131 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5132 switch (desc.policy) {
5133 case NFT_SET_POL_PERFORMANCE:
5134 case NFT_SET_POL_MEMORY:
5141 if (nla[NFTA_SET_DESC] != NULL) {
5142 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5146 if (desc.field_count > 1) {
5147 if (!(flags & NFT_SET_CONCAT))
5149 } else if (flags & NFT_SET_CONCAT) {
5152 } else if (flags & NFT_SET_CONCAT) {
5156 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5159 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5160 NETLINK_CB(skb).portid);
5161 if (IS_ERR(table)) {
5162 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5163 return PTR_ERR(table);
5166 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5168 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
5170 if (PTR_ERR(set) != -ENOENT) {
5171 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5172 return PTR_ERR(set);
5175 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5177 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5178 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5181 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5184 if (nft_set_is_anonymous(set))
5187 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5192 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5193 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5197 for (i = 0; i < num_exprs; i++)
5198 nft_expr_destroy(&ctx, exprs[i]);
5203 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5206 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5209 ops = nft_select_set_ops(&ctx, flags, &desc);
5211 return PTR_ERR(ops);
5214 if (nla[NFTA_SET_USERDATA])
5215 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5218 if (ops->privsize != NULL)
5219 size = ops->privsize(nla, &desc);
5220 alloc_size = sizeof(*set) + size + udlen;
5221 if (alloc_size < size || alloc_size > INT_MAX)
5224 if (!nft_use_inc(&table->use))
5227 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5233 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5239 err = nf_tables_set_alloc_name(&ctx, set, name);
5246 udata = set->data + size;
5247 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5250 INIT_LIST_HEAD(&set->bindings);
5251 INIT_LIST_HEAD(&set->catchall_list);
5252 refcount_set(&set->refs, 1);
5254 write_pnet(&set->net, net);
5256 set->ktype = desc.ktype;
5257 set->klen = desc.klen;
5258 set->dtype = desc.dtype;
5259 set->objtype = desc.objtype;
5260 set->dlen = desc.dlen;
5262 set->size = desc.size;
5263 set->policy = desc.policy;
5266 set->timeout = desc.timeout;
5267 set->gc_int = desc.gc_int;
5269 set->field_count = desc.field_count;
5270 for (i = 0; i < desc.field_count; i++)
5271 set->field_len[i] = desc.field_len[i];
5273 err = ops->init(set, &desc, nla);
5277 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5279 goto err_set_destroy;
5281 set->num_exprs = num_exprs;
5282 set->handle = nf_tables_alloc_handle(table);
5283 INIT_LIST_HEAD(&set->pending_update);
5285 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5287 goto err_set_expr_alloc;
5289 list_add_tail_rcu(&set->list, &table->sets);
5294 for (i = 0; i < set->num_exprs; i++)
5295 nft_expr_destroy(&ctx, set->exprs[i]);
5297 ops->destroy(&ctx, set);
5303 nft_use_dec_restore(&table->use);
5308 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5309 struct nft_set *set)
5311 struct nft_set_elem_catchall *next, *catchall;
5313 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5314 list_del_rcu(&catchall->list);
5315 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5316 kfree_rcu(catchall, rcu);
5320 static void nft_set_put(struct nft_set *set)
5322 if (refcount_dec_and_test(&set->refs)) {
5328 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5332 if (WARN_ON(set->use > 0))
5335 for (i = 0; i < set->num_exprs; i++)
5336 nft_expr_destroy(ctx, set->exprs[i]);
5338 set->ops->destroy(ctx, set);
5339 nft_set_catchall_destroy(ctx, set);
5343 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5344 const struct nlattr * const nla[])
5346 struct netlink_ext_ack *extack = info->extack;
5347 u8 genmask = nft_genmask_next(info->net);
5348 u8 family = info->nfmsg->nfgen_family;
5349 struct net *net = info->net;
5350 const struct nlattr *attr;
5351 struct nft_table *table;
5352 struct nft_set *set;
5355 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5356 return -EAFNOSUPPORT;
5358 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5359 genmask, NETLINK_CB(skb).portid);
5360 if (IS_ERR(table)) {
5361 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5362 return PTR_ERR(table);
5365 if (nla[NFTA_SET_HANDLE]) {
5366 attr = nla[NFTA_SET_HANDLE];
5367 set = nft_set_lookup_byhandle(table, attr, genmask);
5369 attr = nla[NFTA_SET_NAME];
5370 set = nft_set_lookup(table, attr, genmask);
5374 if (PTR_ERR(set) == -ENOENT &&
5375 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5378 NL_SET_BAD_ATTR(extack, attr);
5379 return PTR_ERR(set);
5382 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5383 atomic_read(&set->nelems) > 0)) {
5384 NL_SET_BAD_ATTR(extack, attr);
5388 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5390 return nft_delset(&ctx, set);
5393 static int nft_validate_register_store(const struct nft_ctx *ctx,
5394 enum nft_registers reg,
5395 const struct nft_data *data,
5396 enum nft_data_types type,
5399 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5400 struct nft_set *set,
5401 struct nft_elem_priv *elem_priv)
5403 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5404 enum nft_registers dreg;
5406 dreg = nft_type_to_reg(set->dtype);
5407 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5408 set->dtype == NFT_DATA_VERDICT ?
5409 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5413 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5414 struct nft_set *set,
5415 const struct nft_set_iter *iter,
5416 struct nft_elem_priv *elem_priv)
5418 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5420 if (!nft_set_elem_active(ext, iter->genmask))
5423 return nft_setelem_data_validate(ctx, set, elem_priv);
5426 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5427 struct nft_set *set)
5429 u8 genmask = nft_genmask_next(ctx->net);
5430 struct nft_set_elem_catchall *catchall;
5431 struct nft_set_ext *ext;
5434 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5435 ext = nft_set_elem_ext(set, catchall->elem);
5436 if (!nft_set_elem_active(ext, genmask))
5439 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5447 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5448 struct nft_set_binding *binding)
5450 struct nft_set_binding *i;
5451 struct nft_set_iter iter;
5453 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5456 if (binding->flags & NFT_SET_MAP) {
5457 /* If the set is already bound to the same chain all
5458 * jumps are already validated for that chain.
5460 list_for_each_entry(i, &set->bindings, list) {
5461 if (i->flags & NFT_SET_MAP &&
5462 i->chain == binding->chain)
5466 iter.genmask = nft_genmask_next(ctx->net);
5467 iter.type = NFT_ITER_UPDATE;
5471 iter.fn = nf_tables_bind_check_setelem;
5473 set->ops->walk(ctx, set, &iter);
5475 iter.err = nft_set_catchall_bind_check(ctx, set);
5481 if (!nft_use_inc(&set->use))
5484 binding->chain = ctx->chain;
5485 list_add_tail_rcu(&binding->list, &set->bindings);
5486 nft_set_trans_bind(ctx, set);
5490 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5492 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5493 struct nft_set_binding *binding, bool event)
5495 list_del_rcu(&binding->list);
5497 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5498 list_del_rcu(&set->list);
5501 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5506 static void nft_setelem_data_activate(const struct net *net,
5507 const struct nft_set *set,
5508 struct nft_elem_priv *elem_priv);
5510 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5511 struct nft_set *set,
5512 const struct nft_set_iter *iter,
5513 struct nft_elem_priv *elem_priv)
5515 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5517 /* called from abort path, reverse check to undo changes. */
5518 if (nft_set_elem_active(ext, iter->genmask))
5521 nft_clear(ctx->net, ext);
5522 nft_setelem_data_activate(ctx->net, set, elem_priv);
5527 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5528 struct nft_set *set)
5530 u8 genmask = nft_genmask_next(ctx->net);
5531 struct nft_set_elem_catchall *catchall;
5532 struct nft_set_ext *ext;
5534 list_for_each_entry(catchall, &set->catchall_list, list) {
5535 ext = nft_set_elem_ext(set, catchall->elem);
5536 if (!nft_set_elem_active(ext, genmask))
5539 nft_clear(ctx->net, ext);
5540 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5545 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5547 struct nft_set_iter iter = {
5548 .genmask = nft_genmask_next(ctx->net),
5549 .type = NFT_ITER_UPDATE,
5550 .fn = nft_mapelem_activate,
5553 set->ops->walk(ctx, set, &iter);
5554 WARN_ON_ONCE(iter.err);
5556 nft_map_catchall_activate(ctx, set);
5559 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5561 if (nft_set_is_anonymous(set)) {
5562 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5563 nft_map_activate(ctx, set);
5565 nft_clear(ctx->net, set);
5568 nft_use_inc_restore(&set->use);
5570 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5572 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5573 struct nft_set_binding *binding,
5574 enum nft_trans_phase phase)
5577 case NFT_TRANS_PREPARE_ERROR:
5578 nft_set_trans_unbind(ctx, set);
5579 if (nft_set_is_anonymous(set))
5580 nft_deactivate_next(ctx->net, set);
5582 list_del_rcu(&binding->list);
5584 nft_use_dec(&set->use);
5586 case NFT_TRANS_PREPARE:
5587 if (nft_set_is_anonymous(set)) {
5588 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5589 nft_map_deactivate(ctx, set);
5591 nft_deactivate_next(ctx->net, set);
5593 nft_use_dec(&set->use);
5595 case NFT_TRANS_ABORT:
5596 case NFT_TRANS_RELEASE:
5597 if (nft_set_is_anonymous(set) &&
5598 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5599 nft_map_deactivate(ctx, set);
5601 nft_use_dec(&set->use);
5604 nf_tables_unbind_set(ctx, set, binding,
5605 phase == NFT_TRANS_COMMIT);
5608 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5610 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5612 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5613 nft_set_destroy(ctx, set);
5615 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5617 const struct nft_set_ext_type nft_set_ext_types[] = {
5618 [NFT_SET_EXT_KEY] = {
5619 .align = __alignof__(u32),
5621 [NFT_SET_EXT_DATA] = {
5622 .align = __alignof__(u32),
5624 [NFT_SET_EXT_EXPRESSIONS] = {
5625 .align = __alignof__(struct nft_set_elem_expr),
5627 [NFT_SET_EXT_OBJREF] = {
5628 .len = sizeof(struct nft_object *),
5629 .align = __alignof__(struct nft_object *),
5631 [NFT_SET_EXT_FLAGS] = {
5633 .align = __alignof__(u8),
5635 [NFT_SET_EXT_TIMEOUT] = {
5637 .align = __alignof__(u64),
5639 [NFT_SET_EXT_EXPIRATION] = {
5641 .align = __alignof__(u64),
5643 [NFT_SET_EXT_USERDATA] = {
5644 .len = sizeof(struct nft_userdata),
5645 .align = __alignof__(struct nft_userdata),
5647 [NFT_SET_EXT_KEY_END] = {
5648 .align = __alignof__(u32),
5656 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5657 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5658 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5659 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5660 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5661 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5662 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5663 .len = NFT_USERDATA_MAXLEN },
5664 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5665 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5666 .len = NFT_OBJ_MAXNAMELEN - 1 },
5667 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5668 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5671 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5672 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5673 .len = NFT_TABLE_MAXNAMELEN - 1 },
5674 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5675 .len = NFT_SET_MAXNAMELEN - 1 },
5676 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5677 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5680 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5681 const struct nft_set *set,
5682 const struct nft_set_ext *ext,
5685 struct nft_set_elem_expr *elem_expr;
5686 u32 size, num_exprs = 0;
5687 struct nft_expr *expr;
5688 struct nlattr *nest;
5690 elem_expr = nft_set_ext_expr(ext);
5691 nft_setelem_expr_foreach(expr, elem_expr, size)
5694 if (num_exprs == 1) {
5695 expr = nft_setelem_expr_at(elem_expr, 0);
5696 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5700 } else if (num_exprs > 1) {
5701 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5703 goto nla_put_failure;
5705 nft_setelem_expr_foreach(expr, elem_expr, size) {
5706 expr = nft_setelem_expr_at(elem_expr, size);
5707 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5708 goto nla_put_failure;
5710 nla_nest_end(skb, nest);
5718 static int nf_tables_fill_setelem(struct sk_buff *skb,
5719 const struct nft_set *set,
5720 const struct nft_elem_priv *elem_priv,
5723 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5724 unsigned char *b = skb_tail_pointer(skb);
5725 struct nlattr *nest;
5727 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5729 goto nla_put_failure;
5731 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5732 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5733 NFT_DATA_VALUE, set->klen) < 0)
5734 goto nla_put_failure;
5736 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5737 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5738 NFT_DATA_VALUE, set->klen) < 0)
5739 goto nla_put_failure;
5741 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5742 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5743 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
5745 goto nla_put_failure;
5747 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5748 nft_set_elem_expr_dump(skb, set, ext, reset))
5749 goto nla_put_failure;
5751 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5752 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5753 (*nft_set_ext_obj(ext))->key.name) < 0)
5754 goto nla_put_failure;
5756 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5757 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5758 htonl(*nft_set_ext_flags(ext))))
5759 goto nla_put_failure;
5761 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5762 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5763 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5765 goto nla_put_failure;
5767 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5768 u64 expires, now = get_jiffies_64();
5770 expires = *nft_set_ext_expiration(ext);
5771 if (time_before64(now, expires))
5776 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5777 nf_jiffies64_to_msecs(expires),
5779 goto nla_put_failure;
5782 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5783 struct nft_userdata *udata;
5785 udata = nft_set_ext_userdata(ext);
5786 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5787 udata->len + 1, udata->data))
5788 goto nla_put_failure;
5791 nla_nest_end(skb, nest);
5799 struct nft_set_dump_args {
5800 const struct netlink_callback *cb;
5801 struct nft_set_iter iter;
5802 struct sk_buff *skb;
5806 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5807 struct nft_set *set,
5808 const struct nft_set_iter *iter,
5809 struct nft_elem_priv *elem_priv)
5811 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5812 struct nft_set_dump_args *args;
5814 if (!nft_set_elem_active(ext, iter->genmask))
5817 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
5820 args = container_of(iter, struct nft_set_dump_args, iter);
5821 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
5824 static void audit_log_nft_set_reset(const struct nft_table *table,
5825 unsigned int base_seq,
5826 unsigned int nentries)
5828 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
5830 audit_log_nfcfg(buf, table->family, nentries,
5831 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5835 struct nft_set_dump_ctx {
5836 const struct nft_set *set;
5841 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5842 const struct nft_set *set, bool reset,
5843 unsigned int base_seq)
5845 struct nft_set_elem_catchall *catchall;
5846 u8 genmask = nft_genmask_cur(net);
5847 struct nft_set_ext *ext;
5850 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5851 ext = nft_set_elem_ext(set, catchall->elem);
5852 if (!nft_set_elem_active(ext, genmask) ||
5853 nft_set_elem_expired(ext))
5856 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
5858 audit_log_nft_set_reset(set->table, base_seq, 1);
5865 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5867 struct nft_set_dump_ctx *dump_ctx = cb->data;
5868 struct net *net = sock_net(skb->sk);
5869 struct nftables_pernet *nft_net;
5870 struct nft_table *table;
5871 struct nft_set *set;
5872 struct nft_set_dump_args args;
5873 bool set_found = false;
5874 struct nlmsghdr *nlh;
5875 struct nlattr *nest;
5880 nft_net = nft_pernet(net);
5881 cb->seq = READ_ONCE(nft_net->base_seq);
5883 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5884 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5885 dump_ctx->ctx.family != table->family)
5888 if (table != dump_ctx->ctx.table)
5891 list_for_each_entry_rcu(set, &table->sets, list) {
5892 if (set == dump_ctx->set) {
5905 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5906 portid = NETLINK_CB(cb->skb).portid;
5907 seq = cb->nlh->nlmsg_seq;
5909 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5910 table->family, NFNETLINK_V0, nft_base_seq(net));
5912 goto nla_put_failure;
5914 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5915 goto nla_put_failure;
5916 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5917 goto nla_put_failure;
5919 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5921 goto nla_put_failure;
5925 args.reset = dump_ctx->reset;
5926 args.iter.genmask = nft_genmask_cur(net);
5927 args.iter.type = NFT_ITER_READ;
5928 args.iter.skip = cb->args[0];
5929 args.iter.count = 0;
5931 args.iter.fn = nf_tables_dump_setelem;
5932 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5934 if (!args.iter.err && args.iter.count == cb->args[0])
5935 args.iter.err = nft_set_catchall_dump(net, skb, set,
5936 dump_ctx->reset, cb->seq);
5937 nla_nest_end(skb, nest);
5938 nlmsg_end(skb, nlh);
5942 if (args.iter.err && args.iter.err != -EMSGSIZE)
5943 return args.iter.err;
5944 if (args.iter.count == cb->args[0])
5947 cb->args[0] = args.iter.count;
5955 static int nf_tables_dumpreset_set(struct sk_buff *skb,
5956 struct netlink_callback *cb)
5958 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
5959 struct nft_set_dump_ctx *dump_ctx = cb->data;
5960 int ret, skip = cb->args[0];
5962 mutex_lock(&nft_net->commit_mutex);
5964 ret = nf_tables_dump_set(skb, cb);
5966 if (cb->args[0] > skip)
5967 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
5968 cb->args[0] - skip);
5970 mutex_unlock(&nft_net->commit_mutex);
5975 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5977 struct nft_set_dump_ctx *dump_ctx = cb->data;
5979 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5981 return cb->data ? 0 : -ENOMEM;
5984 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5990 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5991 const struct nft_ctx *ctx, u32 seq,
5992 u32 portid, int event, u16 flags,
5993 const struct nft_set *set,
5994 const struct nft_elem_priv *elem_priv,
5997 struct nlmsghdr *nlh;
5998 struct nlattr *nest;
6001 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6002 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
6003 NFNETLINK_V0, nft_base_seq(ctx->net));
6005 goto nla_put_failure;
6007 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
6008 goto nla_put_failure;
6009 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
6010 goto nla_put_failure;
6012 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6014 goto nla_put_failure;
6016 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
6018 goto nla_put_failure;
6020 nla_nest_end(skb, nest);
6022 nlmsg_end(skb, nlh);
6026 nlmsg_trim(skb, nlh);
6030 static int nft_setelem_parse_flags(const struct nft_set *set,
6031 const struct nlattr *attr, u32 *flags)
6036 *flags = ntohl(nla_get_be32(attr));
6037 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6039 if (!(set->flags & NFT_SET_INTERVAL) &&
6040 *flags & NFT_SET_ELEM_INTERVAL_END)
6042 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6043 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6049 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
6050 struct nft_data *key, struct nlattr *attr)
6052 struct nft_data_desc desc = {
6053 .type = NFT_DATA_VALUE,
6054 .size = NFT_DATA_VALUE_MAXLEN,
6058 return nft_data_init(ctx, key, &desc, attr);
6061 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6062 struct nft_data_desc *desc,
6063 struct nft_data *data,
6064 struct nlattr *attr)
6068 if (set->dtype == NFT_DATA_VERDICT)
6069 dtype = NFT_DATA_VERDICT;
6071 dtype = NFT_DATA_VALUE;
6074 desc->size = NFT_DATA_VALUE_MAXLEN;
6075 desc->len = set->dlen;
6076 desc->flags = NFT_DATA_DESC_SETELEM;
6078 return nft_data_init(ctx, data, desc, attr);
6081 static void *nft_setelem_catchall_get(const struct net *net,
6082 const struct nft_set *set)
6084 struct nft_set_elem_catchall *catchall;
6085 u8 genmask = nft_genmask_cur(net);
6086 struct nft_set_ext *ext;
6089 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6090 ext = nft_set_elem_ext(set, catchall->elem);
6091 if (!nft_set_elem_active(ext, genmask) ||
6092 nft_set_elem_expired(ext))
6095 priv = catchall->elem;
6102 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6103 struct nft_set_elem *elem, u32 flags)
6107 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6108 priv = set->ops->get(ctx->net, set, elem, flags);
6110 return PTR_ERR(priv);
6112 priv = nft_setelem_catchall_get(ctx->net, set);
6121 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6122 const struct nlattr *attr, bool reset)
6124 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6125 struct nft_set_elem elem;
6126 struct sk_buff *skb;
6130 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6131 nft_set_elem_policy, NULL);
6135 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6139 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6142 if (nla[NFTA_SET_ELEM_KEY]) {
6143 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6144 nla[NFTA_SET_ELEM_KEY]);
6149 if (nla[NFTA_SET_ELEM_KEY_END]) {
6150 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6151 nla[NFTA_SET_ELEM_KEY_END]);
6156 err = nft_setelem_get(ctx, set, &elem, flags);
6161 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6165 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6166 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6169 goto err_fill_setelem;
6171 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6178 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6179 const struct sk_buff *skb,
6180 const struct nfnl_info *info,
6181 const struct nlattr * const nla[],
6184 struct netlink_ext_ack *extack = info->extack;
6185 u8 genmask = nft_genmask_cur(info->net);
6186 u8 family = info->nfmsg->nfgen_family;
6187 struct net *net = info->net;
6188 struct nft_table *table;
6189 struct nft_set *set;
6191 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6193 if (IS_ERR(table)) {
6194 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6195 return PTR_ERR(table);
6198 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6200 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6201 return PTR_ERR(set);
6204 nft_ctx_init(&dump_ctx->ctx, net, skb,
6205 info->nlh, family, table, NULL, nla);
6206 dump_ctx->set = set;
6207 dump_ctx->reset = reset;
6211 /* called with rcu_read_lock held */
6212 static int nf_tables_getsetelem(struct sk_buff *skb,
6213 const struct nfnl_info *info,
6214 const struct nlattr * const nla[])
6216 struct netlink_ext_ack *extack = info->extack;
6217 struct nft_set_dump_ctx dump_ctx;
6218 struct nlattr *attr;
6221 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6222 struct netlink_dump_control c = {
6223 .start = nf_tables_dump_set_start,
6224 .dump = nf_tables_dump_set,
6225 .done = nf_tables_dump_set_done,
6226 .module = THIS_MODULE,
6229 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6234 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6237 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6240 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6244 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6245 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false);
6247 NL_SET_BAD_ATTR(extack, attr);
6255 static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6256 const struct nfnl_info *info,
6257 const struct nlattr * const nla[])
6259 struct nftables_pernet *nft_net = nft_pernet(info->net);
6260 struct netlink_ext_ack *extack = info->extack;
6261 struct nft_set_dump_ctx dump_ctx;
6262 int rem, err = 0, nelems = 0;
6263 struct nlattr *attr;
6265 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6266 struct netlink_dump_control c = {
6267 .start = nf_tables_dump_set_start,
6268 .dump = nf_tables_dumpreset_set,
6269 .done = nf_tables_dump_set_done,
6270 .module = THIS_MODULE,
6273 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6278 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6281 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6284 if (!try_module_get(THIS_MODULE))
6287 mutex_lock(&nft_net->commit_mutex);
6290 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6294 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6295 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true);
6297 NL_SET_BAD_ATTR(extack, attr);
6302 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems);
6306 mutex_unlock(&nft_net->commit_mutex);
6308 module_put(THIS_MODULE);
6313 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6314 const struct nft_set *set,
6315 const struct nft_elem_priv *elem_priv,
6318 struct nftables_pernet *nft_net;
6319 struct net *net = ctx->net;
6320 u32 portid = ctx->portid;
6321 struct sk_buff *skb;
6325 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6328 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6332 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6333 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6335 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6336 set, elem_priv, false);
6342 nft_net = nft_pernet(net);
6343 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6346 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6349 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6351 struct nft_set *set)
6353 struct nft_trans *trans;
6355 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
6359 nft_trans_elem_set(trans) = set;
6363 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6364 const struct nft_set *set,
6365 const struct nlattr *attr)
6367 struct nft_expr *expr;
6370 expr = nft_expr_init(ctx, attr);
6375 if (expr->ops->type->flags & NFT_EXPR_GC) {
6376 if (set->flags & NFT_SET_TIMEOUT)
6377 goto err_set_elem_expr;
6378 if (!set->ops->gc_init)
6379 goto err_set_elem_expr;
6380 set->ops->gc_init(set);
6386 nft_expr_destroy(ctx, expr);
6387 return ERR_PTR(err);
6390 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6392 len += nft_set_ext_types[id].len;
6393 if (len > tmpl->ext_len[id] ||
6400 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6401 void *to, const void *from, u32 len)
6403 if (nft_set_ext_check(tmpl, id, len) < 0)
6406 memcpy(to, from, len);
6411 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6412 const struct nft_set_ext_tmpl *tmpl,
6413 const u32 *key, const u32 *key_end,
6415 u64 timeout, u64 expiration, gfp_t gfp)
6417 struct nft_set_ext *ext;
6420 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6422 return ERR_PTR(-ENOMEM);
6424 ext = nft_set_elem_ext(set, elem);
6425 nft_set_ext_init(ext, tmpl);
6427 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6428 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6429 nft_set_ext_key(ext), key, set->klen) < 0)
6432 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6433 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6434 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6437 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6438 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6439 nft_set_ext_data(ext), data, set->dlen) < 0)
6442 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
6443 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
6444 if (expiration == 0)
6445 *nft_set_ext_expiration(ext) += timeout;
6447 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
6448 *nft_set_ext_timeout(ext) = timeout;
6455 return ERR_PTR(-EINVAL);
6458 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6459 struct nft_expr *expr)
6461 if (expr->ops->destroy_clone) {
6462 expr->ops->destroy_clone(ctx, expr);
6463 module_put(expr->ops->type->owner);
6465 nf_tables_expr_destroy(ctx, expr);
6469 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6470 struct nft_set_elem_expr *elem_expr)
6472 struct nft_expr *expr;
6475 nft_setelem_expr_foreach(expr, elem_expr, size)
6476 __nft_set_elem_expr_destroy(ctx, expr);
6479 /* Drop references and destroy. Called from gc, dynset and abort path. */
6480 void nft_set_elem_destroy(const struct nft_set *set,
6481 const struct nft_elem_priv *elem_priv,
6484 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6485 struct nft_ctx ctx = {
6486 .net = read_pnet(&set->net),
6487 .family = set->table->family,
6490 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6491 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6492 nft_data_release(nft_set_ext_data(ext), set->dtype);
6493 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6494 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
6495 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6496 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6500 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6502 /* Destroy element. References have been already dropped in the preparation
6503 * path via nft_setelem_data_deactivate().
6505 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6506 const struct nft_set *set,
6507 const struct nft_elem_priv *elem_priv)
6509 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6511 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6512 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6517 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6518 struct nft_expr *expr_array[])
6520 struct nft_expr *expr;
6523 for (i = 0; i < set->num_exprs; i++) {
6524 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6528 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT);
6533 expr_array[i] = expr;
6539 for (k = i - 1; k >= 0; k--)
6540 nft_expr_destroy(ctx, expr_array[k]);
6545 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6546 const struct nft_set_ext_tmpl *tmpl,
6547 const struct nft_set_ext *ext,
6548 struct nft_expr *expr_array[],
6551 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6552 u32 len = sizeof(struct nft_set_elem_expr);
6553 struct nft_expr *expr;
6559 for (i = 0; i < num_exprs; i++)
6560 len += expr_array[i]->ops->size;
6562 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6565 for (i = 0; i < num_exprs; i++) {
6566 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6567 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT);
6569 goto err_elem_expr_setup;
6571 elem_expr->size += expr_array[i]->ops->size;
6572 nft_expr_destroy(ctx, expr_array[i]);
6573 expr_array[i] = NULL;
6578 err_elem_expr_setup:
6579 for (; i < num_exprs; i++) {
6580 nft_expr_destroy(ctx, expr_array[i]);
6581 expr_array[i] = NULL;
6587 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6588 const struct nft_set *set)
6590 struct nft_set_elem_catchall *catchall;
6591 u8 genmask = nft_genmask_cur(net);
6592 struct nft_set_ext *ext;
6594 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6595 ext = nft_set_elem_ext(set, catchall->elem);
6596 if (nft_set_elem_active(ext, genmask) &&
6597 !nft_set_elem_expired(ext) &&
6598 !nft_set_elem_is_dead(ext))
6604 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6606 static int nft_setelem_catchall_insert(const struct net *net,
6607 struct nft_set *set,
6608 const struct nft_set_elem *elem,
6609 struct nft_elem_priv **priv)
6611 struct nft_set_elem_catchall *catchall;
6612 u8 genmask = nft_genmask_next(net);
6613 struct nft_set_ext *ext;
6615 list_for_each_entry(catchall, &set->catchall_list, list) {
6616 ext = nft_set_elem_ext(set, catchall->elem);
6617 if (nft_set_elem_active(ext, genmask)) {
6618 *priv = catchall->elem;
6623 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6627 catchall->elem = elem->priv;
6628 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6633 static int nft_setelem_insert(const struct net *net,
6634 struct nft_set *set,
6635 const struct nft_set_elem *elem,
6636 struct nft_elem_priv **elem_priv,
6641 if (flags & NFT_SET_ELEM_CATCHALL)
6642 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6644 ret = set->ops->insert(net, set, elem, elem_priv);
6649 static bool nft_setelem_is_catchall(const struct nft_set *set,
6650 const struct nft_elem_priv *elem_priv)
6652 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6654 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6655 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6661 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6662 struct nft_elem_priv *elem_priv)
6664 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6666 if (nft_setelem_is_catchall(set, elem_priv)) {
6667 nft_clear(net, ext);
6669 set->ops->activate(net, set, elem_priv);
6673 static int nft_setelem_catchall_deactivate(const struct net *net,
6674 struct nft_set *set,
6675 struct nft_set_elem *elem)
6677 struct nft_set_elem_catchall *catchall;
6678 struct nft_set_ext *ext;
6680 list_for_each_entry(catchall, &set->catchall_list, list) {
6681 ext = nft_set_elem_ext(set, catchall->elem);
6682 if (!nft_is_active_next(net, ext))
6686 elem->priv = catchall->elem;
6687 nft_set_elem_change_active(net, set, ext);
6694 static int __nft_setelem_deactivate(const struct net *net,
6695 struct nft_set *set,
6696 struct nft_set_elem *elem)
6700 priv = set->ops->deactivate(net, set, elem);
6711 static int nft_setelem_deactivate(const struct net *net,
6712 struct nft_set *set,
6713 struct nft_set_elem *elem, u32 flags)
6717 if (flags & NFT_SET_ELEM_CATCHALL)
6718 ret = nft_setelem_catchall_deactivate(net, set, elem);
6720 ret = __nft_setelem_deactivate(net, set, elem);
6725 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6727 list_del_rcu(&catchall->list);
6728 kfree_rcu(catchall, rcu);
6731 static void nft_setelem_catchall_remove(const struct net *net,
6732 const struct nft_set *set,
6733 struct nft_elem_priv *elem_priv)
6735 struct nft_set_elem_catchall *catchall, *next;
6737 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6738 if (catchall->elem == elem_priv) {
6739 nft_setelem_catchall_destroy(catchall);
6745 static void nft_setelem_remove(const struct net *net,
6746 const struct nft_set *set,
6747 struct nft_elem_priv *elem_priv)
6749 if (nft_setelem_is_catchall(set, elem_priv))
6750 nft_setelem_catchall_remove(net, set, elem_priv);
6752 set->ops->remove(net, set, elem_priv);
6755 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6756 struct nlattr **nla, u32 flags)
6758 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6759 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6760 if (flags & NFT_SET_ELEM_INTERVAL_END)
6763 if (nla[NFTA_SET_ELEM_KEY_END] &&
6764 flags & NFT_SET_ELEM_CATCHALL)
6767 if (nla[NFTA_SET_ELEM_KEY_END])
6774 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6775 const struct nlattr *attr, u32 nlmsg_flags)
6777 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6778 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6779 u8 genmask = nft_genmask_next(ctx->net);
6780 u32 flags = 0, size = 0, num_exprs = 0;
6781 struct nft_set_ext_tmpl tmpl;
6782 struct nft_set_ext *ext, *ext2;
6783 struct nft_set_elem elem;
6784 struct nft_set_binding *binding;
6785 struct nft_elem_priv *elem_priv;
6786 struct nft_object *obj = NULL;
6787 struct nft_userdata *udata;
6788 struct nft_data_desc desc;
6789 enum nft_registers dreg;
6790 struct nft_trans *trans;
6796 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6797 nft_set_elem_policy, NULL);
6801 nft_set_ext_prepare(&tmpl);
6803 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6807 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6808 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6812 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6817 if (set->flags & NFT_SET_MAP) {
6818 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6819 !(flags & NFT_SET_ELEM_INTERVAL_END))
6822 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6826 if (set->flags & NFT_SET_OBJECT) {
6827 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6828 !(flags & NFT_SET_ELEM_INTERVAL_END))
6831 if (nla[NFTA_SET_ELEM_OBJREF])
6835 if (!nft_setelem_valid_key_end(set, nla, flags))
6838 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6839 (nla[NFTA_SET_ELEM_DATA] ||
6840 nla[NFTA_SET_ELEM_OBJREF] ||
6841 nla[NFTA_SET_ELEM_TIMEOUT] ||
6842 nla[NFTA_SET_ELEM_EXPIRATION] ||
6843 nla[NFTA_SET_ELEM_USERDATA] ||
6844 nla[NFTA_SET_ELEM_EXPR] ||
6845 nla[NFTA_SET_ELEM_KEY_END] ||
6846 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6850 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6851 if (!(set->flags & NFT_SET_TIMEOUT))
6853 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6857 } else if (set->flags & NFT_SET_TIMEOUT &&
6858 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6859 timeout = READ_ONCE(set->timeout);
6863 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6864 if (!(set->flags & NFT_SET_TIMEOUT))
6866 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6872 if (nla[NFTA_SET_ELEM_EXPR]) {
6873 struct nft_expr *expr;
6875 if (set->num_exprs && set->num_exprs != 1)
6878 expr = nft_set_elem_expr_alloc(ctx, set,
6879 nla[NFTA_SET_ELEM_EXPR]);
6881 return PTR_ERR(expr);
6883 expr_array[0] = expr;
6886 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6888 goto err_set_elem_expr;
6890 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6891 struct nft_expr *expr;
6896 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6897 if (i == NFT_SET_EXPR_MAX ||
6898 (set->num_exprs && set->num_exprs == i)) {
6900 goto err_set_elem_expr;
6902 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6904 goto err_set_elem_expr;
6906 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6908 err = PTR_ERR(expr);
6909 goto err_set_elem_expr;
6911 expr_array[i] = expr;
6914 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6916 goto err_set_elem_expr;
6920 if (set->num_exprs && set->num_exprs != i) {
6922 goto err_set_elem_expr;
6924 } else if (set->num_exprs > 0 &&
6925 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6926 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6928 goto err_set_elem_expr_clone;
6930 num_exprs = set->num_exprs;
6933 if (nla[NFTA_SET_ELEM_KEY]) {
6934 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6935 nla[NFTA_SET_ELEM_KEY]);
6937 goto err_set_elem_expr;
6939 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6944 if (nla[NFTA_SET_ELEM_KEY_END]) {
6945 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6946 nla[NFTA_SET_ELEM_KEY_END]);
6950 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6952 goto err_parse_key_end;
6956 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6958 goto err_parse_key_end;
6960 if (timeout != READ_ONCE(set->timeout)) {
6961 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6963 goto err_parse_key_end;
6968 for (i = 0; i < num_exprs; i++)
6969 size += expr_array[i]->ops->size;
6971 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6972 sizeof(struct nft_set_elem_expr) + size);
6974 goto err_parse_key_end;
6977 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6978 obj = nft_obj_lookup(ctx->net, ctx->table,
6979 nla[NFTA_SET_ELEM_OBJREF],
6980 set->objtype, genmask);
6984 goto err_parse_key_end;
6987 if (!nft_use_inc(&obj->use)) {
6990 goto err_parse_key_end;
6993 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6995 goto err_parse_key_end;
6998 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6999 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
7000 nla[NFTA_SET_ELEM_DATA]);
7002 goto err_parse_key_end;
7004 dreg = nft_type_to_reg(set->dtype);
7005 list_for_each_entry(binding, &set->bindings, list) {
7006 struct nft_ctx bind_ctx = {
7008 .family = ctx->family,
7009 .table = ctx->table,
7010 .chain = (struct nft_chain *)binding->chain,
7013 if (!(binding->flags & NFT_SET_MAP))
7016 err = nft_validate_register_store(&bind_ctx, dreg,
7018 desc.type, desc.len);
7020 goto err_parse_data;
7022 if (desc.type == NFT_DATA_VERDICT &&
7023 (elem.data.val.verdict.code == NFT_GOTO ||
7024 elem.data.val.verdict.code == NFT_JUMP))
7025 nft_validate_state_update(ctx->table,
7029 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
7031 goto err_parse_data;
7034 /* The full maximum length of userdata can exceed the maximum
7035 * offset value (U8_MAX) for following extensions, therefor it
7036 * must be the last extension added.
7039 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
7040 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
7042 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
7045 goto err_parse_data;
7049 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7050 elem.key_end.val.data, elem.data.val.data,
7051 timeout, expiration, GFP_KERNEL_ACCOUNT);
7052 if (IS_ERR(elem.priv)) {
7053 err = PTR_ERR(elem.priv);
7054 goto err_parse_data;
7057 ext = nft_set_elem_ext(set, elem.priv);
7059 *nft_set_ext_flags(ext) = flags;
7062 *nft_set_ext_obj(ext) = obj;
7065 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
7069 udata = nft_set_ext_userdata(ext);
7070 udata->len = ulen - 1;
7071 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
7073 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
7077 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
7078 if (trans == NULL) {
7083 ext->genmask = nft_genmask_cur(ctx->net);
7085 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
7087 if (err == -EEXIST) {
7088 ext2 = nft_set_elem_ext(set, elem_priv);
7089 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7090 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7091 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7092 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7093 goto err_element_clash;
7094 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7095 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7096 memcmp(nft_set_ext_data(ext),
7097 nft_set_ext_data(ext2), set->dlen) != 0) ||
7098 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7099 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7100 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7101 goto err_element_clash;
7102 else if (!(nlmsg_flags & NLM_F_EXCL))
7104 } else if (err == -ENOTEMPTY) {
7105 /* ENOTEMPTY reports overlapping between this element
7106 * and an existing one.
7110 goto err_element_clash;
7113 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7114 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
7116 if (!atomic_add_unless(&set->nelems, 1, max)) {
7122 nft_trans_elem_priv(trans) = elem.priv;
7123 nft_trans_commit_list_add_tail(ctx->net, trans);
7127 nft_setelem_remove(ctx->net, set, elem.priv);
7131 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7133 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7134 nft_data_release(&elem.data.val, desc.type);
7137 nft_use_dec_restore(&obj->use);
7139 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7141 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7143 for (i = 0; i < num_exprs && expr_array[i]; i++)
7144 nft_expr_destroy(ctx, expr_array[i]);
7145 err_set_elem_expr_clone:
7149 static int nf_tables_newsetelem(struct sk_buff *skb,
7150 const struct nfnl_info *info,
7151 const struct nlattr * const nla[])
7153 struct netlink_ext_ack *extack = info->extack;
7154 u8 genmask = nft_genmask_next(info->net);
7155 u8 family = info->nfmsg->nfgen_family;
7156 struct net *net = info->net;
7157 const struct nlattr *attr;
7158 struct nft_table *table;
7159 struct nft_set *set;
7163 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7166 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7167 genmask, NETLINK_CB(skb).portid);
7168 if (IS_ERR(table)) {
7169 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7170 return PTR_ERR(table);
7173 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7174 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7176 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7177 return PTR_ERR(set);
7180 if (!list_empty(&set->bindings) &&
7181 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7184 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7186 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7187 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7189 NL_SET_BAD_ATTR(extack, attr);
7194 if (table->validate_state == NFT_VALIDATE_DO)
7195 return nft_table_validate(net, table);
7201 * nft_data_hold - hold a nft_data item
7203 * @data: struct nft_data to release
7204 * @type: type of data
7206 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7207 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7208 * NFT_GOTO verdicts. This function must be called on active data objects
7209 * from the second phase of the commit protocol.
7211 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7213 struct nft_chain *chain;
7215 if (type == NFT_DATA_VERDICT) {
7216 switch (data->verdict.code) {
7219 chain = data->verdict.chain;
7220 nft_use_inc_restore(&chain->use);
7226 static int nft_setelem_active_next(const struct net *net,
7227 const struct nft_set *set,
7228 struct nft_elem_priv *elem_priv)
7230 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7231 u8 genmask = nft_genmask_next(net);
7233 return nft_set_elem_active(ext, genmask);
7236 static void nft_setelem_data_activate(const struct net *net,
7237 const struct nft_set *set,
7238 struct nft_elem_priv *elem_priv)
7240 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7242 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7243 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7244 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7245 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7248 void nft_setelem_data_deactivate(const struct net *net,
7249 const struct nft_set *set,
7250 struct nft_elem_priv *elem_priv)
7252 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7254 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7255 nft_data_release(nft_set_ext_data(ext), set->dtype);
7256 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7257 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7260 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7261 const struct nlattr *attr)
7263 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7264 struct nft_set_ext_tmpl tmpl;
7265 struct nft_set_elem elem;
7266 struct nft_set_ext *ext;
7267 struct nft_trans *trans;
7271 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7272 nft_set_elem_policy, NULL);
7276 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7280 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7283 if (!nft_setelem_valid_key_end(set, nla, flags))
7286 nft_set_ext_prepare(&tmpl);
7289 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7294 if (nla[NFTA_SET_ELEM_KEY]) {
7295 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7296 nla[NFTA_SET_ELEM_KEY]);
7300 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7305 if (nla[NFTA_SET_ELEM_KEY_END]) {
7306 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7307 nla[NFTA_SET_ELEM_KEY_END]);
7311 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7313 goto fail_elem_key_end;
7317 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7318 elem.key_end.val.data, NULL, 0, 0,
7319 GFP_KERNEL_ACCOUNT);
7320 if (IS_ERR(elem.priv)) {
7321 err = PTR_ERR(elem.priv);
7322 goto fail_elem_key_end;
7325 ext = nft_set_elem_ext(set, elem.priv);
7327 *nft_set_ext_flags(ext) = flags;
7329 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7333 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7337 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7339 nft_trans_elem_priv(trans) = elem.priv;
7340 nft_trans_commit_list_add_tail(ctx->net, trans);
7348 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7350 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7354 static int nft_setelem_flush(const struct nft_ctx *ctx,
7355 struct nft_set *set,
7356 const struct nft_set_iter *iter,
7357 struct nft_elem_priv *elem_priv)
7359 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7360 struct nft_trans *trans;
7362 if (!nft_set_elem_active(ext, iter->genmask))
7365 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7366 sizeof(struct nft_trans_elem), GFP_ATOMIC);
7370 set->ops->flush(ctx->net, set, elem_priv);
7373 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7374 nft_trans_elem_set(trans) = set;
7375 nft_trans_elem_priv(trans) = elem_priv;
7376 nft_trans_commit_list_add_tail(ctx->net, trans);
7381 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7382 struct nft_set *set,
7383 struct nft_elem_priv *elem_priv)
7385 struct nft_trans *trans;
7387 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7388 sizeof(struct nft_trans_elem), GFP_KERNEL);
7392 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7393 nft_trans_elem_set(trans) = set;
7394 nft_trans_elem_priv(trans) = elem_priv;
7395 nft_trans_commit_list_add_tail(ctx->net, trans);
7400 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7401 struct nft_set *set)
7403 u8 genmask = nft_genmask_next(ctx->net);
7404 struct nft_set_elem_catchall *catchall;
7405 struct nft_set_ext *ext;
7408 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7409 ext = nft_set_elem_ext(set, catchall->elem);
7410 if (!nft_set_elem_active(ext, genmask))
7413 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7416 nft_set_elem_change_active(ctx->net, set, ext);
7422 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7424 struct nft_set_iter iter = {
7426 .type = NFT_ITER_UPDATE,
7427 .fn = nft_setelem_flush,
7430 set->ops->walk(ctx, set, &iter);
7432 iter.err = nft_set_catchall_flush(ctx, set);
7437 static int nf_tables_delsetelem(struct sk_buff *skb,
7438 const struct nfnl_info *info,
7439 const struct nlattr * const nla[])
7441 struct netlink_ext_ack *extack = info->extack;
7442 u8 genmask = nft_genmask_next(info->net);
7443 u8 family = info->nfmsg->nfgen_family;
7444 struct net *net = info->net;
7445 const struct nlattr *attr;
7446 struct nft_table *table;
7447 struct nft_set *set;
7451 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7452 genmask, NETLINK_CB(skb).portid);
7453 if (IS_ERR(table)) {
7454 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7455 return PTR_ERR(table);
7458 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7460 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7461 return PTR_ERR(set);
7464 if (nft_set_is_anonymous(set))
7467 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7470 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7472 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7473 return nft_set_flush(&ctx, set, genmask);
7475 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7476 err = nft_del_setelem(&ctx, set, attr);
7477 if (err == -ENOENT &&
7478 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7482 NL_SET_BAD_ATTR(extack, attr);
7495 * nft_register_obj- register nf_tables stateful object type
7496 * @obj_type: object type
7498 * Registers the object type for use with nf_tables. Returns zero on
7499 * success or a negative errno code otherwise.
7501 int nft_register_obj(struct nft_object_type *obj_type)
7503 if (obj_type->type == NFT_OBJECT_UNSPEC)
7506 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7507 list_add_rcu(&obj_type->list, &nf_tables_objects);
7508 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7511 EXPORT_SYMBOL_GPL(nft_register_obj);
7514 * nft_unregister_obj - unregister nf_tables object type
7515 * @obj_type: object type
7517 * Unregisters the object type for use with nf_tables.
7519 void nft_unregister_obj(struct nft_object_type *obj_type)
7521 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7522 list_del_rcu(&obj_type->list);
7523 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7525 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7527 struct nft_object *nft_obj_lookup(const struct net *net,
7528 const struct nft_table *table,
7529 const struct nlattr *nla, u32 objtype,
7532 struct nft_object_hash_key k = { .table = table };
7533 char search[NFT_OBJ_MAXNAMELEN];
7534 struct rhlist_head *tmp, *list;
7535 struct nft_object *obj;
7537 nla_strscpy(search, nla, sizeof(search));
7540 WARN_ON_ONCE(!rcu_read_lock_held() &&
7541 !lockdep_commit_lock_is_held(net));
7544 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7548 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7549 if (objtype == obj->ops->type->type &&
7550 nft_active_genmask(obj, genmask)) {
7557 return ERR_PTR(-ENOENT);
7559 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7561 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7562 const struct nlattr *nla,
7563 u32 objtype, u8 genmask)
7565 struct nft_object *obj;
7567 list_for_each_entry(obj, &table->objects, list) {
7568 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7569 objtype == obj->ops->type->type &&
7570 nft_active_genmask(obj, genmask))
7573 return ERR_PTR(-ENOENT);
7576 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7577 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7578 .len = NFT_TABLE_MAXNAMELEN - 1 },
7579 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7580 .len = NFT_OBJ_MAXNAMELEN - 1 },
7581 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7582 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7583 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7584 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7585 .len = NFT_USERDATA_MAXLEN },
7588 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7589 const struct nft_object_type *type,
7590 const struct nlattr *attr)
7593 const struct nft_object_ops *ops;
7594 struct nft_object *obj;
7597 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7602 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7603 type->policy, NULL);
7607 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7610 if (type->select_ops) {
7611 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7621 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7625 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7638 return ERR_PTR(err);
7641 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7642 struct nft_object *obj, bool reset)
7644 struct nlattr *nest;
7646 nest = nla_nest_start_noflag(skb, attr);
7648 goto nla_put_failure;
7649 if (obj->ops->dump(skb, obj, reset) < 0)
7650 goto nla_put_failure;
7651 nla_nest_end(skb, nest);
7658 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
7660 const struct nft_object_type *type;
7662 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
7663 if (type->family != NFPROTO_UNSPEC &&
7664 type->family != family)
7667 if (objtype == type->type)
7673 static const struct nft_object_type *
7674 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
7676 const struct nft_object_type *type;
7679 type = __nft_obj_type_get(objtype, family);
7680 if (type != NULL && try_module_get(type->owner)) {
7686 lockdep_nfnl_nft_mutex_not_held();
7687 #ifdef CONFIG_MODULES
7689 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7690 return ERR_PTR(-EAGAIN);
7693 return ERR_PTR(-ENOENT);
7696 static int nf_tables_updobj(const struct nft_ctx *ctx,
7697 const struct nft_object_type *type,
7698 const struct nlattr *attr,
7699 struct nft_object *obj)
7701 struct nft_object *newobj;
7702 struct nft_trans *trans;
7705 if (!try_module_get(type->owner))
7708 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7709 sizeof(struct nft_trans_obj));
7713 newobj = nft_obj_init(ctx, type, attr);
7714 if (IS_ERR(newobj)) {
7715 err = PTR_ERR(newobj);
7716 goto err_free_trans;
7719 nft_trans_obj(trans) = obj;
7720 nft_trans_obj_update(trans) = true;
7721 nft_trans_obj_newobj(trans) = newobj;
7722 nft_trans_commit_list_add_tail(ctx->net, trans);
7729 module_put(type->owner);
7733 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7734 const struct nlattr * const nla[])
7736 struct netlink_ext_ack *extack = info->extack;
7737 u8 genmask = nft_genmask_next(info->net);
7738 u8 family = info->nfmsg->nfgen_family;
7739 const struct nft_object_type *type;
7740 struct net *net = info->net;
7741 struct nft_table *table;
7742 struct nft_object *obj;
7747 if (!nla[NFTA_OBJ_TYPE] ||
7748 !nla[NFTA_OBJ_NAME] ||
7749 !nla[NFTA_OBJ_DATA])
7752 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7753 NETLINK_CB(skb).portid);
7754 if (IS_ERR(table)) {
7755 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7756 return PTR_ERR(table);
7759 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7760 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7763 if (err != -ENOENT) {
7764 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7768 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7769 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7772 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7775 type = __nft_obj_type_get(objtype, family);
7776 if (WARN_ON_ONCE(!type))
7779 if (!obj->ops->update)
7782 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7784 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7787 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7789 if (!nft_use_inc(&table->use))
7792 type = nft_obj_type_get(net, objtype, family);
7794 err = PTR_ERR(type);
7798 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7803 obj->key.table = table;
7804 obj->handle = nf_tables_alloc_handle(table);
7806 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7807 if (!obj->key.name) {
7812 if (nla[NFTA_OBJ_USERDATA]) {
7813 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7814 if (obj->udata == NULL)
7817 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7820 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7824 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7825 nft_objname_ht_params);
7829 list_add_tail_rcu(&obj->list, &table->objects);
7833 /* queued in transaction log */
7834 INIT_LIST_HEAD(&obj->list);
7839 kfree(obj->key.name);
7841 if (obj->ops->destroy)
7842 obj->ops->destroy(&ctx, obj);
7845 module_put(type->owner);
7847 nft_use_dec_restore(&table->use);
7852 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7853 u32 portid, u32 seq, int event, u32 flags,
7854 int family, const struct nft_table *table,
7855 struct nft_object *obj, bool reset)
7857 struct nlmsghdr *nlh;
7859 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7860 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7861 NFNETLINK_V0, nft_base_seq(net));
7863 goto nla_put_failure;
7865 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7866 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7867 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7869 goto nla_put_failure;
7871 if (event == NFT_MSG_DELOBJ) {
7872 nlmsg_end(skb, nlh);
7876 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7877 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7878 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7879 goto nla_put_failure;
7882 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7883 goto nla_put_failure;
7885 nlmsg_end(skb, nlh);
7889 nlmsg_trim(skb, nlh);
7893 static void audit_log_obj_reset(const struct nft_table *table,
7894 unsigned int base_seq, unsigned int nentries)
7896 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
7898 audit_log_nfcfg(buf, table->family, nentries,
7899 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7903 struct nft_obj_dump_ctx {
7910 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7912 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7913 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7914 struct net *net = sock_net(skb->sk);
7915 int family = nfmsg->nfgen_family;
7916 struct nftables_pernet *nft_net;
7917 const struct nft_table *table;
7918 unsigned int entries = 0;
7919 struct nft_object *obj;
7920 unsigned int idx = 0;
7924 nft_net = nft_pernet(net);
7925 cb->seq = READ_ONCE(nft_net->base_seq);
7927 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7928 if (family != NFPROTO_UNSPEC && family != table->family)
7932 list_for_each_entry_rcu(obj, &table->objects, list) {
7933 if (!nft_is_active(net, obj))
7935 if (idx < ctx->s_idx)
7937 if (ctx->table && strcmp(ctx->table, table->name))
7939 if (ctx->type != NFT_OBJECT_UNSPEC &&
7940 obj->ops->type->type != ctx->type)
7943 rc = nf_tables_fill_obj_info(skb, net,
7944 NETLINK_CB(cb->skb).portid,
7947 NLM_F_MULTI | NLM_F_APPEND,
7948 table->family, table,
7954 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7958 if (ctx->reset && entries)
7959 audit_log_obj_reset(table, nft_net->base_seq, entries);
7969 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7971 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7972 const struct nlattr * const *nla = cb->data;
7974 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
7976 if (nla[NFTA_OBJ_TABLE]) {
7977 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7982 if (nla[NFTA_OBJ_TYPE])
7983 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7985 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
7991 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7993 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8000 /* called with rcu_read_lock held */
8001 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
8002 const struct nlattr * const nla[])
8004 struct netlink_ext_ack *extack = info->extack;
8005 u8 genmask = nft_genmask_cur(info->net);
8006 u8 family = info->nfmsg->nfgen_family;
8007 const struct nft_table *table;
8008 struct net *net = info->net;
8009 struct nft_object *obj;
8010 struct sk_buff *skb2;
8015 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8016 struct netlink_dump_control c = {
8017 .start = nf_tables_dump_obj_start,
8018 .dump = nf_tables_dump_obj,
8019 .done = nf_tables_dump_obj_done,
8020 .module = THIS_MODULE,
8021 .data = (void *)nla,
8024 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8027 if (!nla[NFTA_OBJ_NAME] ||
8028 !nla[NFTA_OBJ_TYPE])
8031 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
8032 if (IS_ERR(table)) {
8033 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8034 return PTR_ERR(table);
8037 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8038 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8040 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8041 return PTR_ERR(obj);
8044 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8048 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
8052 const struct nftables_pernet *nft_net;
8055 nft_net = nft_pernet(net);
8056 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
8058 audit_log_nfcfg(buf,
8061 AUDIT_NFT_OP_OBJ_RESET,
8066 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
8067 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
8068 family, table, obj, reset);
8070 goto err_fill_obj_info;
8072 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
8079 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8081 if (obj->ops->destroy)
8082 obj->ops->destroy(ctx, obj);
8084 module_put(obj->ops->type->owner);
8085 kfree(obj->key.name);
8090 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8091 const struct nlattr * const nla[])
8093 struct netlink_ext_ack *extack = info->extack;
8094 u8 genmask = nft_genmask_next(info->net);
8095 u8 family = info->nfmsg->nfgen_family;
8096 struct net *net = info->net;
8097 const struct nlattr *attr;
8098 struct nft_table *table;
8099 struct nft_object *obj;
8103 if (!nla[NFTA_OBJ_TYPE] ||
8104 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8107 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8108 NETLINK_CB(skb).portid);
8109 if (IS_ERR(table)) {
8110 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8111 return PTR_ERR(table);
8114 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8115 if (nla[NFTA_OBJ_HANDLE]) {
8116 attr = nla[NFTA_OBJ_HANDLE];
8117 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8119 attr = nla[NFTA_OBJ_NAME];
8120 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8124 if (PTR_ERR(obj) == -ENOENT &&
8125 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8128 NL_SET_BAD_ATTR(extack, attr);
8129 return PTR_ERR(obj);
8132 NL_SET_BAD_ATTR(extack, attr);
8136 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8138 return nft_delobj(&ctx, obj);
8142 __nft_obj_notify(struct net *net, const struct nft_table *table,
8143 struct nft_object *obj, u32 portid, u32 seq, int event,
8144 u16 flags, int family, int report, gfp_t gfp)
8146 struct nftables_pernet *nft_net = nft_pernet(net);
8147 struct sk_buff *skb;
8151 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8154 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8158 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8159 flags & (NLM_F_CREATE | NLM_F_EXCL),
8160 family, table, obj, false);
8166 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8169 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8172 void nft_obj_notify(struct net *net, const struct nft_table *table,
8173 struct nft_object *obj, u32 portid, u32 seq, int event,
8174 u16 flags, int family, int report, gfp_t gfp)
8176 struct nftables_pernet *nft_net = nft_pernet(net);
8177 char *buf = kasprintf(gfp, "%s:%u",
8178 table->name, nft_net->base_seq);
8180 audit_log_nfcfg(buf,
8183 event == NFT_MSG_NEWOBJ ?
8184 AUDIT_NFT_OP_OBJ_REGISTER :
8185 AUDIT_NFT_OP_OBJ_UNREGISTER,
8189 __nft_obj_notify(net, table, obj, portid, seq, event,
8190 flags, family, report, gfp);
8192 EXPORT_SYMBOL_GPL(nft_obj_notify);
8194 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8195 struct nft_object *obj, int event)
8197 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8198 ctx->seq, event, ctx->flags, ctx->family,
8199 ctx->report, GFP_KERNEL);
8205 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8207 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8208 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8209 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8211 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8213 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8215 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8216 list_del_rcu(&type->list);
8217 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8219 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8221 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8222 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8223 .len = NFT_NAME_MAXLEN - 1 },
8224 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8225 .len = NFT_NAME_MAXLEN - 1 },
8226 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8227 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8228 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8231 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8232 const struct nlattr *nla, u8 genmask)
8234 struct nft_flowtable *flowtable;
8236 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8237 if (!nla_strcmp(nla, flowtable->name) &&
8238 nft_active_genmask(flowtable, genmask))
8241 return ERR_PTR(-ENOENT);
8243 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8245 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8246 struct nft_flowtable *flowtable,
8247 enum nft_trans_phase phase)
8250 case NFT_TRANS_PREPARE_ERROR:
8251 case NFT_TRANS_PREPARE:
8252 case NFT_TRANS_ABORT:
8253 case NFT_TRANS_RELEASE:
8254 nft_use_dec(&flowtable->use);
8260 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8262 static struct nft_flowtable *
8263 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8264 const struct nlattr *nla, u8 genmask)
8266 struct nft_flowtable *flowtable;
8268 list_for_each_entry(flowtable, &table->flowtables, list) {
8269 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8270 nft_active_genmask(flowtable, genmask))
8273 return ERR_PTR(-ENOENT);
8276 struct nft_flowtable_hook {
8279 struct list_head list;
8282 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8283 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8284 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8285 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8288 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8289 const struct nlattr * const nla[],
8290 struct nft_flowtable_hook *flowtable_hook,
8291 struct nft_flowtable *flowtable,
8292 struct netlink_ext_ack *extack, bool add)
8294 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8295 struct nft_hook *hook;
8296 int hooknum, priority;
8299 INIT_LIST_HEAD(&flowtable_hook->list);
8301 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8302 nla[NFTA_FLOWTABLE_HOOK],
8303 nft_flowtable_hook_policy, NULL);
8308 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8309 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8310 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8314 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8315 if (hooknum != NF_NETDEV_INGRESS)
8318 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8320 flowtable_hook->priority = priority;
8321 flowtable_hook->num = hooknum;
8323 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8324 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8325 if (hooknum != flowtable->hooknum)
8329 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8330 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8331 if (priority != flowtable->data.priority)
8335 flowtable_hook->priority = flowtable->data.priority;
8336 flowtable_hook->num = flowtable->hooknum;
8339 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8340 err = nf_tables_parse_netdev_hooks(ctx->net,
8341 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8342 &flowtable_hook->list,
8348 list_for_each_entry(hook, &flowtable_hook->list, list) {
8349 hook->ops.pf = NFPROTO_NETDEV;
8350 hook->ops.hooknum = flowtable_hook->num;
8351 hook->ops.priority = flowtable_hook->priority;
8352 hook->ops.priv = &flowtable->data;
8353 hook->ops.hook = flowtable->data.type->hook;
8359 /* call under rcu_read_lock */
8360 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8362 const struct nf_flowtable_type *type;
8364 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
8365 if (family == type->family)
8371 static const struct nf_flowtable_type *
8372 nft_flowtable_type_get(struct net *net, u8 family)
8374 const struct nf_flowtable_type *type;
8377 type = __nft_flowtable_type_get(family);
8378 if (type != NULL && try_module_get(type->owner)) {
8384 lockdep_nfnl_nft_mutex_not_held();
8385 #ifdef CONFIG_MODULES
8387 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8388 return ERR_PTR(-EAGAIN);
8391 return ERR_PTR(-ENOENT);
8394 /* Only called from error and netdev event paths. */
8395 static void nft_unregister_flowtable_hook(struct net *net,
8396 struct nft_flowtable *flowtable,
8397 struct nft_hook *hook)
8399 nf_unregister_net_hook(net, &hook->ops);
8400 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8404 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8405 struct list_head *hook_list,
8406 bool release_netdev)
8408 struct nft_hook *hook, *next;
8410 list_for_each_entry_safe(hook, next, hook_list, list) {
8411 nf_unregister_net_hook(net, &hook->ops);
8412 if (release_netdev) {
8413 list_del(&hook->list);
8414 kfree_rcu(hook, rcu);
8419 static void nft_unregister_flowtable_net_hooks(struct net *net,
8420 struct list_head *hook_list)
8422 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
8425 static int nft_register_flowtable_net_hooks(struct net *net,
8426 struct nft_table *table,
8427 struct list_head *hook_list,
8428 struct nft_flowtable *flowtable)
8430 struct nft_hook *hook, *hook2, *next;
8431 struct nft_flowtable *ft;
8434 list_for_each_entry(hook, hook_list, list) {
8435 list_for_each_entry(ft, &table->flowtables, list) {
8436 if (!nft_is_active_next(net, ft))
8439 list_for_each_entry(hook2, &ft->hook_list, list) {
8440 if (hook->ops.dev == hook2->ops.dev &&
8441 hook->ops.pf == hook2->ops.pf) {
8443 goto err_unregister_net_hooks;
8448 err = flowtable->data.type->setup(&flowtable->data,
8452 goto err_unregister_net_hooks;
8454 err = nf_register_net_hook(net, &hook->ops);
8456 flowtable->data.type->setup(&flowtable->data,
8459 goto err_unregister_net_hooks;
8467 err_unregister_net_hooks:
8468 list_for_each_entry_safe(hook, next, hook_list, list) {
8472 nft_unregister_flowtable_hook(net, flowtable, hook);
8473 list_del_rcu(&hook->list);
8474 kfree_rcu(hook, rcu);
8480 static void nft_hooks_destroy(struct list_head *hook_list)
8482 struct nft_hook *hook, *next;
8484 list_for_each_entry_safe(hook, next, hook_list, list) {
8485 list_del_rcu(&hook->list);
8486 kfree_rcu(hook, rcu);
8490 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8491 struct nft_flowtable *flowtable,
8492 struct netlink_ext_ack *extack)
8494 const struct nlattr * const *nla = ctx->nla;
8495 struct nft_flowtable_hook flowtable_hook;
8496 struct nft_hook *hook, *next;
8497 struct nft_trans *trans;
8498 bool unregister = false;
8502 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8507 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8508 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8509 list_del(&hook->list);
8514 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8515 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8516 if (flags & ~NFT_FLOWTABLE_MASK) {
8518 goto err_flowtable_update_hook;
8520 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8521 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8523 goto err_flowtable_update_hook;
8526 flags = flowtable->data.flags;
8529 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8530 &flowtable_hook.list, flowtable);
8532 goto err_flowtable_update_hook;
8534 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8535 sizeof(struct nft_trans_flowtable));
8539 goto err_flowtable_update_hook;
8542 nft_trans_flowtable_flags(trans) = flags;
8543 nft_trans_flowtable(trans) = flowtable;
8544 nft_trans_flowtable_update(trans) = true;
8545 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8546 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8548 nft_trans_commit_list_add_tail(ctx->net, trans);
8552 err_flowtable_update_hook:
8553 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8555 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8556 list_del_rcu(&hook->list);
8557 kfree_rcu(hook, rcu);
8564 static int nf_tables_newflowtable(struct sk_buff *skb,
8565 const struct nfnl_info *info,
8566 const struct nlattr * const nla[])
8568 struct netlink_ext_ack *extack = info->extack;
8569 struct nft_flowtable_hook flowtable_hook;
8570 u8 genmask = nft_genmask_next(info->net);
8571 u8 family = info->nfmsg->nfgen_family;
8572 const struct nf_flowtable_type *type;
8573 struct nft_flowtable *flowtable;
8574 struct net *net = info->net;
8575 struct nft_table *table;
8576 struct nft_trans *trans;
8580 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8581 !nla[NFTA_FLOWTABLE_NAME] ||
8582 !nla[NFTA_FLOWTABLE_HOOK])
8585 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8586 genmask, NETLINK_CB(skb).portid);
8587 if (IS_ERR(table)) {
8588 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8589 return PTR_ERR(table);
8592 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8594 if (IS_ERR(flowtable)) {
8595 err = PTR_ERR(flowtable);
8596 if (err != -ENOENT) {
8597 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8601 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8602 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8606 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8608 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8611 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8613 if (!nft_use_inc(&table->use))
8616 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8619 goto flowtable_alloc;
8622 flowtable->table = table;
8623 flowtable->handle = nf_tables_alloc_handle(table);
8624 INIT_LIST_HEAD(&flowtable->hook_list);
8626 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8627 if (!flowtable->name) {
8632 type = nft_flowtable_type_get(net, family);
8634 err = PTR_ERR(type);
8638 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8639 flowtable->data.flags =
8640 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8641 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8647 write_pnet(&flowtable->data.net, net);
8648 flowtable->data.type = type;
8649 err = type->init(&flowtable->data);
8653 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8656 goto err_flowtable_parse_hooks;
8658 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8659 flowtable->data.priority = flowtable_hook.priority;
8660 flowtable->hooknum = flowtable_hook.num;
8662 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8663 if (IS_ERR(trans)) {
8664 err = PTR_ERR(trans);
8665 goto err_flowtable_trans;
8668 /* This must be LAST to ensure no packets are walking over this flowtable. */
8669 err = nft_register_flowtable_net_hooks(ctx.net, table,
8670 &flowtable->hook_list,
8673 goto err_flowtable_hooks;
8675 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8679 err_flowtable_hooks:
8680 nft_trans_destroy(trans);
8681 err_flowtable_trans:
8682 nft_hooks_destroy(&flowtable->hook_list);
8683 err_flowtable_parse_hooks:
8684 flowtable->data.type->free(&flowtable->data);
8686 module_put(type->owner);
8688 kfree(flowtable->name);
8692 nft_use_dec_restore(&table->use);
8697 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8699 struct nft_hook *this, *next;
8701 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8702 list_del(&this->list);
8707 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8708 struct nft_flowtable *flowtable,
8709 struct netlink_ext_ack *extack)
8711 const struct nlattr * const *nla = ctx->nla;
8712 struct nft_flowtable_hook flowtable_hook;
8713 LIST_HEAD(flowtable_del_list);
8714 struct nft_hook *this, *hook;
8715 struct nft_trans *trans;
8718 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8723 list_for_each_entry(this, &flowtable_hook.list, list) {
8724 hook = nft_hook_list_find(&flowtable->hook_list, this);
8727 goto err_flowtable_del_hook;
8729 list_move(&hook->list, &flowtable_del_list);
8732 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8733 sizeof(struct nft_trans_flowtable));
8736 goto err_flowtable_del_hook;
8739 nft_trans_flowtable(trans) = flowtable;
8740 nft_trans_flowtable_update(trans) = true;
8741 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8742 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8743 nft_flowtable_hook_release(&flowtable_hook);
8745 nft_trans_commit_list_add_tail(ctx->net, trans);
8749 err_flowtable_del_hook:
8750 list_splice(&flowtable_del_list, &flowtable->hook_list);
8751 nft_flowtable_hook_release(&flowtable_hook);
8756 static int nf_tables_delflowtable(struct sk_buff *skb,
8757 const struct nfnl_info *info,
8758 const struct nlattr * const nla[])
8760 struct netlink_ext_ack *extack = info->extack;
8761 u8 genmask = nft_genmask_next(info->net);
8762 u8 family = info->nfmsg->nfgen_family;
8763 struct nft_flowtable *flowtable;
8764 struct net *net = info->net;
8765 const struct nlattr *attr;
8766 struct nft_table *table;
8769 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8770 (!nla[NFTA_FLOWTABLE_NAME] &&
8771 !nla[NFTA_FLOWTABLE_HANDLE]))
8774 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8775 genmask, NETLINK_CB(skb).portid);
8776 if (IS_ERR(table)) {
8777 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8778 return PTR_ERR(table);
8781 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8782 attr = nla[NFTA_FLOWTABLE_HANDLE];
8783 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8785 attr = nla[NFTA_FLOWTABLE_NAME];
8786 flowtable = nft_flowtable_lookup(table, attr, genmask);
8789 if (IS_ERR(flowtable)) {
8790 if (PTR_ERR(flowtable) == -ENOENT &&
8791 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8794 NL_SET_BAD_ATTR(extack, attr);
8795 return PTR_ERR(flowtable);
8798 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8800 if (nla[NFTA_FLOWTABLE_HOOK])
8801 return nft_delflowtable_hook(&ctx, flowtable, extack);
8803 if (flowtable->use > 0) {
8804 NL_SET_BAD_ATTR(extack, attr);
8808 return nft_delflowtable(&ctx, flowtable);
8811 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8812 u32 portid, u32 seq, int event,
8813 u32 flags, int family,
8814 struct nft_flowtable *flowtable,
8815 struct list_head *hook_list)
8817 struct nlattr *nest, *nest_devs;
8818 struct nft_hook *hook;
8819 struct nlmsghdr *nlh;
8821 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8822 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8823 NFNETLINK_V0, nft_base_seq(net));
8825 goto nla_put_failure;
8827 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8828 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8829 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8830 NFTA_FLOWTABLE_PAD))
8831 goto nla_put_failure;
8833 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8834 nlmsg_end(skb, nlh);
8838 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8839 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8840 goto nla_put_failure;
8842 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8844 goto nla_put_failure;
8845 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8846 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8847 goto nla_put_failure;
8849 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8851 goto nla_put_failure;
8854 hook_list = &flowtable->hook_list;
8856 list_for_each_entry_rcu(hook, hook_list, list) {
8857 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8858 goto nla_put_failure;
8860 nla_nest_end(skb, nest_devs);
8861 nla_nest_end(skb, nest);
8863 nlmsg_end(skb, nlh);
8867 nlmsg_trim(skb, nlh);
8871 struct nft_flowtable_filter {
8875 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8876 struct netlink_callback *cb)
8878 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8879 struct nft_flowtable_filter *filter = cb->data;
8880 unsigned int idx = 0, s_idx = cb->args[0];
8881 struct net *net = sock_net(skb->sk);
8882 int family = nfmsg->nfgen_family;
8883 struct nft_flowtable *flowtable;
8884 struct nftables_pernet *nft_net;
8885 const struct nft_table *table;
8888 nft_net = nft_pernet(net);
8889 cb->seq = READ_ONCE(nft_net->base_seq);
8891 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8892 if (family != NFPROTO_UNSPEC && family != table->family)
8895 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8896 if (!nft_is_active(net, flowtable))
8901 memset(&cb->args[1], 0,
8902 sizeof(cb->args) - sizeof(cb->args[0]));
8903 if (filter && filter->table &&
8904 strcmp(filter->table, table->name))
8907 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8909 NFT_MSG_NEWFLOWTABLE,
8910 NLM_F_MULTI | NLM_F_APPEND,
8912 flowtable, NULL) < 0)
8915 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8927 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8929 const struct nlattr * const *nla = cb->data;
8930 struct nft_flowtable_filter *filter = NULL;
8932 if (nla[NFTA_FLOWTABLE_TABLE]) {
8933 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8937 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8939 if (!filter->table) {
8949 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8951 struct nft_flowtable_filter *filter = cb->data;
8956 kfree(filter->table);
8962 /* called with rcu_read_lock held */
8963 static int nf_tables_getflowtable(struct sk_buff *skb,
8964 const struct nfnl_info *info,
8965 const struct nlattr * const nla[])
8967 struct netlink_ext_ack *extack = info->extack;
8968 u8 genmask = nft_genmask_cur(info->net);
8969 u8 family = info->nfmsg->nfgen_family;
8970 struct nft_flowtable *flowtable;
8971 const struct nft_table *table;
8972 struct net *net = info->net;
8973 struct sk_buff *skb2;
8976 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8977 struct netlink_dump_control c = {
8978 .start = nf_tables_dump_flowtable_start,
8979 .dump = nf_tables_dump_flowtable,
8980 .done = nf_tables_dump_flowtable_done,
8981 .module = THIS_MODULE,
8982 .data = (void *)nla,
8985 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8988 if (!nla[NFTA_FLOWTABLE_NAME])
8991 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8993 if (IS_ERR(table)) {
8994 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8995 return PTR_ERR(table);
8998 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
9000 if (IS_ERR(flowtable)) {
9001 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9002 return PTR_ERR(flowtable);
9005 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9009 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
9010 info->nlh->nlmsg_seq,
9011 NFT_MSG_NEWFLOWTABLE, 0, family,
9014 goto err_fill_flowtable_info;
9016 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
9018 err_fill_flowtable_info:
9023 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9024 struct nft_flowtable *flowtable,
9025 struct list_head *hook_list, int event)
9027 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
9028 struct sk_buff *skb;
9033 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
9036 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9040 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9041 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9043 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
9044 ctx->seq, event, flags,
9045 ctx->family, flowtable, hook_list);
9051 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
9054 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
9057 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9059 struct nft_hook *hook, *next;
9061 flowtable->data.type->free(&flowtable->data);
9062 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9063 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
9065 list_del_rcu(&hook->list);
9068 kfree(flowtable->name);
9069 module_put(flowtable->data.type->owner);
9073 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9074 u32 portid, u32 seq)
9076 struct nftables_pernet *nft_net = nft_pernet(net);
9077 struct nlmsghdr *nlh;
9078 char buf[TASK_COMM_LEN];
9079 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
9081 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
9082 NFNETLINK_V0, nft_base_seq(net));
9084 goto nla_put_failure;
9086 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
9087 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9088 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9089 goto nla_put_failure;
9091 nlmsg_end(skb, nlh);
9095 nlmsg_trim(skb, nlh);
9099 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
9100 struct nft_flowtable *flowtable)
9102 struct nft_hook *hook;
9104 list_for_each_entry(hook, &flowtable->hook_list, list) {
9105 if (hook->ops.dev != dev)
9108 /* flow_offload_netdev_event() cleans up entries for us. */
9109 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
9110 list_del_rcu(&hook->list);
9111 kfree_rcu(hook, rcu);
9116 static int nf_tables_flowtable_event(struct notifier_block *this,
9117 unsigned long event, void *ptr)
9119 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9120 struct nft_flowtable *flowtable;
9121 struct nftables_pernet *nft_net;
9122 struct nft_table *table;
9125 if (event != NETDEV_UNREGISTER)
9129 nft_net = nft_pernet(net);
9130 mutex_lock(&nft_net->commit_mutex);
9131 list_for_each_entry(table, &nft_net->tables, list) {
9132 list_for_each_entry(flowtable, &table->flowtables, list) {
9133 nft_flowtable_event(event, dev, flowtable);
9136 mutex_unlock(&nft_net->commit_mutex);
9141 static struct notifier_block nf_tables_flowtable_notifier = {
9142 .notifier_call = nf_tables_flowtable_event,
9145 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9148 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9149 struct sk_buff *skb2;
9152 if (!nlmsg_report(nlh) &&
9153 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9156 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9160 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9167 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9168 nlmsg_report(nlh), GFP_KERNEL);
9171 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9175 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9176 const struct nlattr * const nla[])
9178 struct sk_buff *skb2;
9181 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9185 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9186 info->nlh->nlmsg_seq);
9188 goto err_fill_gen_info;
9190 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9197 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9198 [NFT_MSG_NEWTABLE] = {
9199 .call = nf_tables_newtable,
9200 .type = NFNL_CB_BATCH,
9201 .attr_count = NFTA_TABLE_MAX,
9202 .policy = nft_table_policy,
9204 [NFT_MSG_GETTABLE] = {
9205 .call = nf_tables_gettable,
9206 .type = NFNL_CB_RCU,
9207 .attr_count = NFTA_TABLE_MAX,
9208 .policy = nft_table_policy,
9210 [NFT_MSG_DELTABLE] = {
9211 .call = nf_tables_deltable,
9212 .type = NFNL_CB_BATCH,
9213 .attr_count = NFTA_TABLE_MAX,
9214 .policy = nft_table_policy,
9216 [NFT_MSG_DESTROYTABLE] = {
9217 .call = nf_tables_deltable,
9218 .type = NFNL_CB_BATCH,
9219 .attr_count = NFTA_TABLE_MAX,
9220 .policy = nft_table_policy,
9222 [NFT_MSG_NEWCHAIN] = {
9223 .call = nf_tables_newchain,
9224 .type = NFNL_CB_BATCH,
9225 .attr_count = NFTA_CHAIN_MAX,
9226 .policy = nft_chain_policy,
9228 [NFT_MSG_GETCHAIN] = {
9229 .call = nf_tables_getchain,
9230 .type = NFNL_CB_RCU,
9231 .attr_count = NFTA_CHAIN_MAX,
9232 .policy = nft_chain_policy,
9234 [NFT_MSG_DELCHAIN] = {
9235 .call = nf_tables_delchain,
9236 .type = NFNL_CB_BATCH,
9237 .attr_count = NFTA_CHAIN_MAX,
9238 .policy = nft_chain_policy,
9240 [NFT_MSG_DESTROYCHAIN] = {
9241 .call = nf_tables_delchain,
9242 .type = NFNL_CB_BATCH,
9243 .attr_count = NFTA_CHAIN_MAX,
9244 .policy = nft_chain_policy,
9246 [NFT_MSG_NEWRULE] = {
9247 .call = nf_tables_newrule,
9248 .type = NFNL_CB_BATCH,
9249 .attr_count = NFTA_RULE_MAX,
9250 .policy = nft_rule_policy,
9252 [NFT_MSG_GETRULE] = {
9253 .call = nf_tables_getrule,
9254 .type = NFNL_CB_RCU,
9255 .attr_count = NFTA_RULE_MAX,
9256 .policy = nft_rule_policy,
9258 [NFT_MSG_GETRULE_RESET] = {
9259 .call = nf_tables_getrule_reset,
9260 .type = NFNL_CB_RCU,
9261 .attr_count = NFTA_RULE_MAX,
9262 .policy = nft_rule_policy,
9264 [NFT_MSG_DELRULE] = {
9265 .call = nf_tables_delrule,
9266 .type = NFNL_CB_BATCH,
9267 .attr_count = NFTA_RULE_MAX,
9268 .policy = nft_rule_policy,
9270 [NFT_MSG_DESTROYRULE] = {
9271 .call = nf_tables_delrule,
9272 .type = NFNL_CB_BATCH,
9273 .attr_count = NFTA_RULE_MAX,
9274 .policy = nft_rule_policy,
9276 [NFT_MSG_NEWSET] = {
9277 .call = nf_tables_newset,
9278 .type = NFNL_CB_BATCH,
9279 .attr_count = NFTA_SET_MAX,
9280 .policy = nft_set_policy,
9282 [NFT_MSG_GETSET] = {
9283 .call = nf_tables_getset,
9284 .type = NFNL_CB_RCU,
9285 .attr_count = NFTA_SET_MAX,
9286 .policy = nft_set_policy,
9288 [NFT_MSG_DELSET] = {
9289 .call = nf_tables_delset,
9290 .type = NFNL_CB_BATCH,
9291 .attr_count = NFTA_SET_MAX,
9292 .policy = nft_set_policy,
9294 [NFT_MSG_DESTROYSET] = {
9295 .call = nf_tables_delset,
9296 .type = NFNL_CB_BATCH,
9297 .attr_count = NFTA_SET_MAX,
9298 .policy = nft_set_policy,
9300 [NFT_MSG_NEWSETELEM] = {
9301 .call = nf_tables_newsetelem,
9302 .type = NFNL_CB_BATCH,
9303 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9304 .policy = nft_set_elem_list_policy,
9306 [NFT_MSG_GETSETELEM] = {
9307 .call = nf_tables_getsetelem,
9308 .type = NFNL_CB_RCU,
9309 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9310 .policy = nft_set_elem_list_policy,
9312 [NFT_MSG_GETSETELEM_RESET] = {
9313 .call = nf_tables_getsetelem_reset,
9314 .type = NFNL_CB_RCU,
9315 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9316 .policy = nft_set_elem_list_policy,
9318 [NFT_MSG_DELSETELEM] = {
9319 .call = nf_tables_delsetelem,
9320 .type = NFNL_CB_BATCH,
9321 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9322 .policy = nft_set_elem_list_policy,
9324 [NFT_MSG_DESTROYSETELEM] = {
9325 .call = nf_tables_delsetelem,
9326 .type = NFNL_CB_BATCH,
9327 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9328 .policy = nft_set_elem_list_policy,
9330 [NFT_MSG_GETGEN] = {
9331 .call = nf_tables_getgen,
9332 .type = NFNL_CB_RCU,
9334 [NFT_MSG_NEWOBJ] = {
9335 .call = nf_tables_newobj,
9336 .type = NFNL_CB_BATCH,
9337 .attr_count = NFTA_OBJ_MAX,
9338 .policy = nft_obj_policy,
9340 [NFT_MSG_GETOBJ] = {
9341 .call = nf_tables_getobj,
9342 .type = NFNL_CB_RCU,
9343 .attr_count = NFTA_OBJ_MAX,
9344 .policy = nft_obj_policy,
9346 [NFT_MSG_DELOBJ] = {
9347 .call = nf_tables_delobj,
9348 .type = NFNL_CB_BATCH,
9349 .attr_count = NFTA_OBJ_MAX,
9350 .policy = nft_obj_policy,
9352 [NFT_MSG_DESTROYOBJ] = {
9353 .call = nf_tables_delobj,
9354 .type = NFNL_CB_BATCH,
9355 .attr_count = NFTA_OBJ_MAX,
9356 .policy = nft_obj_policy,
9358 [NFT_MSG_GETOBJ_RESET] = {
9359 .call = nf_tables_getobj,
9360 .type = NFNL_CB_RCU,
9361 .attr_count = NFTA_OBJ_MAX,
9362 .policy = nft_obj_policy,
9364 [NFT_MSG_NEWFLOWTABLE] = {
9365 .call = nf_tables_newflowtable,
9366 .type = NFNL_CB_BATCH,
9367 .attr_count = NFTA_FLOWTABLE_MAX,
9368 .policy = nft_flowtable_policy,
9370 [NFT_MSG_GETFLOWTABLE] = {
9371 .call = nf_tables_getflowtable,
9372 .type = NFNL_CB_RCU,
9373 .attr_count = NFTA_FLOWTABLE_MAX,
9374 .policy = nft_flowtable_policy,
9376 [NFT_MSG_DELFLOWTABLE] = {
9377 .call = nf_tables_delflowtable,
9378 .type = NFNL_CB_BATCH,
9379 .attr_count = NFTA_FLOWTABLE_MAX,
9380 .policy = nft_flowtable_policy,
9382 [NFT_MSG_DESTROYFLOWTABLE] = {
9383 .call = nf_tables_delflowtable,
9384 .type = NFNL_CB_BATCH,
9385 .attr_count = NFTA_FLOWTABLE_MAX,
9386 .policy = nft_flowtable_policy,
9390 static int nf_tables_validate(struct net *net)
9392 struct nftables_pernet *nft_net = nft_pernet(net);
9393 struct nft_table *table;
9395 list_for_each_entry(table, &nft_net->tables, list) {
9396 switch (table->validate_state) {
9397 case NFT_VALIDATE_SKIP:
9399 case NFT_VALIDATE_NEED:
9400 nft_validate_state_update(table, NFT_VALIDATE_DO);
9402 case NFT_VALIDATE_DO:
9403 if (nft_table_validate(net, table) < 0)
9406 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9414 /* a drop policy has to be deferred until all rules have been activated,
9415 * otherwise a large ruleset that contains a drop-policy base chain will
9416 * cause all packets to get dropped until the full transaction has been
9419 * We defer the drop policy until the transaction has been finalized.
9421 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
9423 struct nft_base_chain *basechain;
9425 if (nft_trans_chain_policy(trans) != NF_DROP)
9428 if (!nft_is_base_chain(trans->ctx.chain))
9431 basechain = nft_base_chain(trans->ctx.chain);
9432 basechain->policy = NF_DROP;
9435 static void nft_chain_commit_update(struct nft_trans *trans)
9437 struct nft_base_chain *basechain;
9439 if (nft_trans_chain_name(trans)) {
9440 rhltable_remove(&trans->ctx.table->chains_ht,
9441 &trans->ctx.chain->rhlhead,
9442 nft_chain_ht_params);
9443 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
9444 rhltable_insert_key(&trans->ctx.table->chains_ht,
9445 trans->ctx.chain->name,
9446 &trans->ctx.chain->rhlhead,
9447 nft_chain_ht_params);
9450 if (!nft_is_base_chain(trans->ctx.chain))
9453 nft_chain_stats_replace(trans);
9455 basechain = nft_base_chain(trans->ctx.chain);
9457 switch (nft_trans_chain_policy(trans)) {
9460 basechain->policy = nft_trans_chain_policy(trans);
9465 static void nft_obj_commit_update(struct nft_trans *trans)
9467 struct nft_object *newobj;
9468 struct nft_object *obj;
9470 obj = nft_trans_obj(trans);
9471 newobj = nft_trans_obj_newobj(trans);
9473 if (WARN_ON_ONCE(!obj->ops->update))
9476 obj->ops->update(obj, newobj);
9477 nft_obj_destroy(&trans->ctx, newobj);
9480 static void nft_commit_release(struct nft_trans *trans)
9482 switch (trans->msg_type) {
9483 case NFT_MSG_DELTABLE:
9484 case NFT_MSG_DESTROYTABLE:
9485 nf_tables_table_destroy(&trans->ctx);
9487 case NFT_MSG_NEWCHAIN:
9488 free_percpu(nft_trans_chain_stats(trans));
9489 kfree(nft_trans_chain_name(trans));
9491 case NFT_MSG_DELCHAIN:
9492 case NFT_MSG_DESTROYCHAIN:
9493 if (nft_trans_chain_update(trans))
9494 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9496 nf_tables_chain_destroy(&trans->ctx);
9498 case NFT_MSG_DELRULE:
9499 case NFT_MSG_DESTROYRULE:
9500 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9502 case NFT_MSG_DELSET:
9503 case NFT_MSG_DESTROYSET:
9504 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9506 case NFT_MSG_DELSETELEM:
9507 case NFT_MSG_DESTROYSETELEM:
9508 nf_tables_set_elem_destroy(&trans->ctx,
9509 nft_trans_elem_set(trans),
9510 nft_trans_elem_priv(trans));
9512 case NFT_MSG_DELOBJ:
9513 case NFT_MSG_DESTROYOBJ:
9514 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9516 case NFT_MSG_DELFLOWTABLE:
9517 case NFT_MSG_DESTROYFLOWTABLE:
9518 if (nft_trans_flowtable_update(trans))
9519 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9521 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9526 put_net(trans->ctx.net);
9531 static void nf_tables_trans_destroy_work(struct work_struct *w)
9533 struct nft_trans *trans, *next;
9536 spin_lock(&nf_tables_destroy_list_lock);
9537 list_splice_init(&nf_tables_destroy_list, &head);
9538 spin_unlock(&nf_tables_destroy_list_lock);
9540 if (list_empty(&head))
9545 list_for_each_entry_safe(trans, next, &head, list) {
9546 nft_trans_list_del(trans);
9547 nft_commit_release(trans);
9551 void nf_tables_trans_destroy_flush_work(void)
9553 flush_work(&trans_destroy_work);
9555 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9557 static bool nft_expr_reduce(struct nft_regs_track *track,
9558 const struct nft_expr *expr)
9563 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9565 const struct nft_expr *expr, *last;
9566 struct nft_regs_track track = {};
9567 unsigned int size, data_size;
9568 void *data, *data_boundary;
9569 struct nft_rule_dp *prule;
9570 struct nft_rule *rule;
9572 /* already handled or inactive chain? */
9573 if (chain->blob_next || !nft_is_active_next(net, chain))
9577 list_for_each_entry(rule, &chain->rules, list) {
9578 if (nft_is_active_next(net, rule)) {
9579 data_size += sizeof(*prule) + rule->dlen;
9580 if (data_size > INT_MAX)
9585 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9586 if (!chain->blob_next)
9589 data = (void *)chain->blob_next->data;
9590 data_boundary = data + data_size;
9593 list_for_each_entry(rule, &chain->rules, list) {
9594 if (!nft_is_active_next(net, rule))
9597 prule = (struct nft_rule_dp *)data;
9598 data += offsetof(struct nft_rule_dp, data);
9599 if (WARN_ON_ONCE(data > data_boundary))
9603 track.last = nft_expr_last(rule);
9604 nft_rule_for_each_expr(expr, last, rule) {
9607 if (nft_expr_reduce(&track, expr)) {
9612 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9615 memcpy(data + size, expr, expr->ops->size);
9616 size += expr->ops->size;
9618 if (WARN_ON_ONCE(size >= 1 << 12))
9621 prule->handle = rule->handle;
9627 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9630 if (WARN_ON_ONCE(data > data_boundary))
9633 prule = (struct nft_rule_dp *)data;
9634 nft_last_rule(chain, prule);
9639 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9641 struct nftables_pernet *nft_net = nft_pernet(net);
9642 struct nft_trans *trans, *next;
9644 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9645 struct nft_chain *chain = trans->ctx.chain;
9647 if (trans->msg_type == NFT_MSG_NEWRULE ||
9648 trans->msg_type == NFT_MSG_DELRULE) {
9649 kvfree(chain->blob_next);
9650 chain->blob_next = NULL;
9655 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9657 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9662 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9664 struct nft_rule_dp_last *last;
9666 /* last rule trailer is after end marker */
9667 last = (void *)blob + sizeof(*blob) + blob->size;
9670 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9673 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9675 struct nft_rule_blob *g0, *g1;
9678 next_genbit = nft_gencursor_next(net);
9680 g0 = rcu_dereference_protected(chain->blob_gen_0,
9681 lockdep_commit_lock_is_held(net));
9682 g1 = rcu_dereference_protected(chain->blob_gen_1,
9683 lockdep_commit_lock_is_held(net));
9685 /* No changes to this chain? */
9686 if (chain->blob_next == NULL) {
9687 /* chain had no change in last or next generation */
9691 * chain had no change in this generation; make sure next
9692 * one uses same rules as current generation.
9695 rcu_assign_pointer(chain->blob_gen_1, g0);
9696 nf_tables_commit_chain_free_rules_old(g1);
9698 rcu_assign_pointer(chain->blob_gen_0, g1);
9699 nf_tables_commit_chain_free_rules_old(g0);
9706 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9708 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9710 chain->blob_next = NULL;
9716 nf_tables_commit_chain_free_rules_old(g1);
9718 nf_tables_commit_chain_free_rules_old(g0);
9721 static void nft_obj_del(struct nft_object *obj)
9723 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9724 list_del_rcu(&obj->list);
9727 void nft_chain_del(struct nft_chain *chain)
9729 struct nft_table *table = chain->table;
9731 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9732 nft_chain_ht_params));
9733 list_del_rcu(&chain->list);
9736 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9737 struct nft_trans_gc *trans)
9739 struct nft_elem_priv **priv = trans->priv;
9742 for (i = 0; i < trans->count; i++) {
9743 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
9744 nft_setelem_remove(ctx->net, trans->set, priv[i]);
9748 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9750 nft_set_put(trans->set);
9751 put_net(trans->net);
9755 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9757 struct nft_elem_priv *elem_priv;
9758 struct nft_trans_gc *trans;
9759 struct nft_ctx ctx = {};
9762 trans = container_of(rcu, struct nft_trans_gc, rcu);
9763 ctx.net = read_pnet(&trans->set->net);
9765 for (i = 0; i < trans->count; i++) {
9766 elem_priv = trans->priv[i];
9767 if (!nft_setelem_is_catchall(trans->set, elem_priv))
9768 atomic_dec(&trans->set->nelems);
9770 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
9773 nft_trans_gc_destroy(trans);
9776 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9778 struct nftables_pernet *nft_net;
9779 struct nft_ctx ctx = {};
9781 nft_net = nft_pernet(trans->net);
9783 mutex_lock(&nft_net->commit_mutex);
9785 /* Check for race with transaction, otherwise this batch refers to
9786 * stale objects that might not be there anymore. Skip transaction if
9787 * set has been destroyed from control plane transaction in case gc
9788 * worker loses race.
9790 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9791 mutex_unlock(&nft_net->commit_mutex);
9795 ctx.net = trans->net;
9796 ctx.table = trans->set->table;
9798 nft_trans_gc_setelem_remove(&ctx, trans);
9799 mutex_unlock(&nft_net->commit_mutex);
9804 static void nft_trans_gc_work(struct work_struct *work)
9806 struct nft_trans_gc *trans, *next;
9807 LIST_HEAD(trans_gc_list);
9809 spin_lock(&nf_tables_gc_list_lock);
9810 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
9811 spin_unlock(&nf_tables_gc_list_lock);
9813 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9814 list_del(&trans->list);
9815 if (!nft_trans_gc_work_done(trans)) {
9816 nft_trans_gc_destroy(trans);
9819 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9823 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9824 unsigned int gc_seq, gfp_t gfp)
9826 struct net *net = read_pnet(&set->net);
9827 struct nft_trans_gc *trans;
9829 trans = kzalloc(sizeof(*trans), gfp);
9833 trans->net = maybe_get_net(net);
9839 refcount_inc(&set->refs);
9841 trans->seq = gc_seq;
9846 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
9848 trans->priv[trans->count++] = priv;
9851 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
9853 spin_lock(&nf_tables_gc_list_lock);
9854 list_add_tail(&trans->list, &nf_tables_gc_list);
9855 spin_unlock(&nf_tables_gc_list_lock);
9857 schedule_work(&trans_gc_work);
9860 static int nft_trans_gc_space(struct nft_trans_gc *trans)
9862 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
9865 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
9866 unsigned int gc_seq, gfp_t gfp)
9868 struct nft_set *set;
9870 if (nft_trans_gc_space(gc))
9874 nft_trans_gc_queue_work(gc);
9876 return nft_trans_gc_alloc(set, gc_seq, gfp);
9879 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
9881 if (trans->count == 0) {
9882 nft_trans_gc_destroy(trans);
9886 nft_trans_gc_queue_work(trans);
9889 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
9891 struct nft_set *set;
9893 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
9896 if (nft_trans_gc_space(gc))
9900 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
9902 return nft_trans_gc_alloc(set, 0, gfp);
9905 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
9907 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
9909 if (trans->count == 0) {
9910 nft_trans_gc_destroy(trans);
9914 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9917 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
9918 unsigned int gc_seq)
9920 struct nft_set_elem_catchall *catchall;
9921 const struct nft_set *set = gc->set;
9922 struct nft_set_ext *ext;
9924 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9925 ext = nft_set_elem_ext(set, catchall->elem);
9927 if (!nft_set_elem_expired(ext))
9929 if (nft_set_elem_is_dead(ext))
9932 nft_set_elem_dead(ext);
9934 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
9938 nft_trans_gc_elem_add(gc, catchall->elem);
9944 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
9946 struct nft_set_elem_catchall *catchall, *next;
9947 u64 tstamp = nft_net_tstamp(gc->net);
9948 const struct nft_set *set = gc->set;
9949 struct nft_elem_priv *elem_priv;
9950 struct nft_set_ext *ext;
9952 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
9954 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
9955 ext = nft_set_elem_ext(set, catchall->elem);
9957 if (!__nft_set_elem_expired(ext, tstamp))
9960 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
9964 elem_priv = catchall->elem;
9965 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
9966 nft_setelem_catchall_destroy(catchall);
9967 nft_trans_gc_elem_add(gc, elem_priv);
9973 static void nf_tables_module_autoload_cleanup(struct net *net)
9975 struct nftables_pernet *nft_net = nft_pernet(net);
9976 struct nft_module_request *req, *next;
9978 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9979 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
9980 WARN_ON_ONCE(!req->done);
9981 list_del(&req->list);
9986 static void nf_tables_commit_release(struct net *net)
9988 struct nftables_pernet *nft_net = nft_pernet(net);
9989 struct nft_trans *trans;
9991 /* all side effects have to be made visible.
9992 * For example, if a chain named 'foo' has been deleted, a
9993 * new transaction must not find it anymore.
9995 * Memory reclaim happens asynchronously from work queue
9996 * to prevent expensive synchronize_rcu() in commit phase.
9998 if (list_empty(&nft_net->commit_list)) {
9999 nf_tables_module_autoload_cleanup(net);
10000 mutex_unlock(&nft_net->commit_mutex);
10004 trans = list_last_entry(&nft_net->commit_list,
10005 struct nft_trans, list);
10006 get_net(trans->ctx.net);
10007 WARN_ON_ONCE(trans->put_net);
10009 trans->put_net = true;
10010 spin_lock(&nf_tables_destroy_list_lock);
10011 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
10012 spin_unlock(&nf_tables_destroy_list_lock);
10014 nf_tables_module_autoload_cleanup(net);
10015 schedule_work(&trans_destroy_work);
10017 mutex_unlock(&nft_net->commit_mutex);
10020 static void nft_commit_notify(struct net *net, u32 portid)
10022 struct nftables_pernet *nft_net = nft_pernet(net);
10023 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10024 unsigned char *data;
10027 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10031 len = NLMSG_GOODSIZE - skb->len;
10032 list_del(&skb->list);
10036 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10037 data = skb_put(batch_skb, skb->len);
10038 memcpy(data, skb->data, skb->len);
10039 list_del(&skb->list);
10043 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10044 NFT_CB(batch_skb).report, GFP_KERNEL);
10049 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10050 NFT_CB(batch_skb).report, GFP_KERNEL);
10053 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10056 static int nf_tables_commit_audit_alloc(struct list_head *adl,
10057 struct nft_table *table)
10059 struct nft_audit_data *adp;
10061 list_for_each_entry(adp, adl, list) {
10062 if (adp->table == table)
10065 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
10068 adp->table = table;
10069 list_add(&adp->list, adl);
10073 static void nf_tables_commit_audit_free(struct list_head *adl)
10075 struct nft_audit_data *adp, *adn;
10077 list_for_each_entry_safe(adp, adn, adl, list) {
10078 list_del(&adp->list);
10083 static void nf_tables_commit_audit_collect(struct list_head *adl,
10084 struct nft_table *table, u32 op)
10086 struct nft_audit_data *adp;
10088 list_for_each_entry(adp, adl, list) {
10089 if (adp->table == table)
10092 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10096 if (!adp->op || adp->op > op)
10100 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10102 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10104 struct nft_audit_data *adp, *adn;
10105 char aubuf[AUNFTABLENAMELEN];
10107 list_for_each_entry_safe(adp, adn, adl, list) {
10108 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10110 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10111 nft2audit_op[adp->op], GFP_KERNEL);
10112 list_del(&adp->list);
10117 static void nft_set_commit_update(struct list_head *set_update_list)
10119 struct nft_set *set, *next;
10121 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10122 list_del_init(&set->pending_update);
10124 if (!set->ops->commit || set->dead)
10127 set->ops->commit(set);
10131 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10133 unsigned int gc_seq;
10135 /* Bump gc counter, it becomes odd, this is the busy mark. */
10136 gc_seq = READ_ONCE(nft_net->gc_seq);
10137 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10142 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10144 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10147 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10149 struct nftables_pernet *nft_net = nft_pernet(net);
10150 struct nft_trans *trans, *next;
10151 unsigned int base_seq, gc_seq;
10152 LIST_HEAD(set_update_list);
10153 struct nft_trans_elem *te;
10154 struct nft_chain *chain;
10155 struct nft_table *table;
10159 if (list_empty(&nft_net->commit_list)) {
10160 mutex_unlock(&nft_net->commit_mutex);
10164 list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
10165 switch (trans->msg_type) {
10166 case NFT_MSG_NEWSET:
10167 if (!nft_trans_set_update(trans) &&
10168 nft_set_is_anonymous(nft_trans_set(trans)) &&
10169 !nft_trans_set_bound(trans)) {
10170 pr_warn_once("nftables ruleset with unbound set\n");
10174 case NFT_MSG_NEWCHAIN:
10175 if (!nft_trans_chain_update(trans) &&
10176 nft_chain_binding(nft_trans_chain(trans)) &&
10177 !nft_trans_chain_bound(trans)) {
10178 pr_warn_once("nftables ruleset with unbound chain\n");
10185 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10186 if (nf_tables_validate(net) < 0) {
10187 nft_net->validate_state = NFT_VALIDATE_DO;
10191 err = nft_flow_rule_offload_commit(net);
10195 /* 1. Allocate space for next generation rules_gen_X[] */
10196 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10199 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
10201 nf_tables_commit_chain_prepare_cancel(net);
10202 nf_tables_commit_audit_free(&adl);
10205 if (trans->msg_type == NFT_MSG_NEWRULE ||
10206 trans->msg_type == NFT_MSG_DELRULE) {
10207 chain = trans->ctx.chain;
10209 ret = nf_tables_commit_chain_prepare(net, chain);
10211 nf_tables_commit_chain_prepare_cancel(net);
10212 nf_tables_commit_audit_free(&adl);
10218 /* step 2. Make rules_gen_X visible to packet path */
10219 list_for_each_entry(table, &nft_net->tables, list) {
10220 list_for_each_entry(chain, &table->chains, list)
10221 nf_tables_commit_chain(net, chain);
10225 * Bump generation counter, invalidate any dump in progress.
10226 * Cannot fail after this point.
10228 base_seq = READ_ONCE(nft_net->base_seq);
10229 while (++base_seq == 0)
10232 WRITE_ONCE(nft_net->base_seq, base_seq);
10234 gc_seq = nft_gc_seq_begin(nft_net);
10236 /* step 3. Start new generation, rules_gen_X now in use. */
10237 net->nft.gencursor = nft_gencursor_next(net);
10239 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10240 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
10242 switch (trans->msg_type) {
10243 case NFT_MSG_NEWTABLE:
10244 if (nft_trans_table_update(trans)) {
10245 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10246 nft_trans_destroy(trans);
10249 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
10250 nf_tables_table_disable(net, trans->ctx.table);
10252 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10254 nft_clear(net, trans->ctx.table);
10256 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
10257 nft_trans_destroy(trans);
10259 case NFT_MSG_DELTABLE:
10260 case NFT_MSG_DESTROYTABLE:
10261 list_del_rcu(&trans->ctx.table->list);
10262 nf_tables_table_notify(&trans->ctx, trans->msg_type);
10264 case NFT_MSG_NEWCHAIN:
10265 if (nft_trans_chain_update(trans)) {
10266 nft_chain_commit_update(trans);
10267 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN,
10268 &nft_trans_chain_hooks(trans));
10269 list_splice(&nft_trans_chain_hooks(trans),
10270 &nft_trans_basechain(trans)->hook_list);
10271 /* trans destroyed after rcu grace period */
10273 nft_chain_commit_drop_policy(trans);
10274 nft_clear(net, trans->ctx.chain);
10275 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
10276 nft_trans_destroy(trans);
10279 case NFT_MSG_DELCHAIN:
10280 case NFT_MSG_DESTROYCHAIN:
10281 if (nft_trans_chain_update(trans)) {
10282 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10283 &nft_trans_chain_hooks(trans));
10284 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) {
10285 nft_netdev_unregister_hooks(net,
10286 &nft_trans_chain_hooks(trans),
10290 nft_chain_del(trans->ctx.chain);
10291 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10293 nf_tables_unregister_hook(trans->ctx.net,
10298 case NFT_MSG_NEWRULE:
10299 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10300 nf_tables_rule_notify(&trans->ctx,
10301 nft_trans_rule(trans),
10303 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10304 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10306 nft_trans_destroy(trans);
10308 case NFT_MSG_DELRULE:
10309 case NFT_MSG_DESTROYRULE:
10310 list_del_rcu(&nft_trans_rule(trans)->list);
10311 nf_tables_rule_notify(&trans->ctx,
10312 nft_trans_rule(trans),
10314 nft_rule_expr_deactivate(&trans->ctx,
10315 nft_trans_rule(trans),
10318 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10319 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10321 case NFT_MSG_NEWSET:
10322 if (nft_trans_set_update(trans)) {
10323 struct nft_set *set = nft_trans_set(trans);
10325 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10326 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10328 if (nft_trans_set_size(trans))
10329 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10331 nft_clear(net, nft_trans_set(trans));
10332 /* This avoids hitting -EBUSY when deleting the table
10333 * from the transaction.
10335 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10336 !list_empty(&nft_trans_set(trans)->bindings))
10337 nft_use_dec(&trans->ctx.table->use);
10339 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10340 NFT_MSG_NEWSET, GFP_KERNEL);
10341 nft_trans_destroy(trans);
10343 case NFT_MSG_DELSET:
10344 case NFT_MSG_DESTROYSET:
10345 nft_trans_set(trans)->dead = 1;
10346 list_del_rcu(&nft_trans_set(trans)->list);
10347 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10348 trans->msg_type, GFP_KERNEL);
10350 case NFT_MSG_NEWSETELEM:
10351 te = (struct nft_trans_elem *)trans->data;
10353 nft_setelem_activate(net, te->set, te->elem_priv);
10354 nf_tables_setelem_notify(&trans->ctx, te->set,
10356 NFT_MSG_NEWSETELEM);
10357 if (te->set->ops->commit &&
10358 list_empty(&te->set->pending_update)) {
10359 list_add_tail(&te->set->pending_update,
10362 nft_trans_destroy(trans);
10364 case NFT_MSG_DELSETELEM:
10365 case NFT_MSG_DESTROYSETELEM:
10366 te = (struct nft_trans_elem *)trans->data;
10368 nf_tables_setelem_notify(&trans->ctx, te->set,
10371 nft_setelem_remove(net, te->set, te->elem_priv);
10372 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) {
10373 atomic_dec(&te->set->nelems);
10376 if (te->set->ops->commit &&
10377 list_empty(&te->set->pending_update)) {
10378 list_add_tail(&te->set->pending_update,
10382 case NFT_MSG_NEWOBJ:
10383 if (nft_trans_obj_update(trans)) {
10384 nft_obj_commit_update(trans);
10385 nf_tables_obj_notify(&trans->ctx,
10386 nft_trans_obj(trans),
10389 nft_clear(net, nft_trans_obj(trans));
10390 nf_tables_obj_notify(&trans->ctx,
10391 nft_trans_obj(trans),
10393 nft_trans_destroy(trans);
10396 case NFT_MSG_DELOBJ:
10397 case NFT_MSG_DESTROYOBJ:
10398 nft_obj_del(nft_trans_obj(trans));
10399 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
10402 case NFT_MSG_NEWFLOWTABLE:
10403 if (nft_trans_flowtable_update(trans)) {
10404 nft_trans_flowtable(trans)->data.flags =
10405 nft_trans_flowtable_flags(trans);
10406 nf_tables_flowtable_notify(&trans->ctx,
10407 nft_trans_flowtable(trans),
10408 &nft_trans_flowtable_hooks(trans),
10409 NFT_MSG_NEWFLOWTABLE);
10410 list_splice(&nft_trans_flowtable_hooks(trans),
10411 &nft_trans_flowtable(trans)->hook_list);
10413 nft_clear(net, nft_trans_flowtable(trans));
10414 nf_tables_flowtable_notify(&trans->ctx,
10415 nft_trans_flowtable(trans),
10417 NFT_MSG_NEWFLOWTABLE);
10419 nft_trans_destroy(trans);
10421 case NFT_MSG_DELFLOWTABLE:
10422 case NFT_MSG_DESTROYFLOWTABLE:
10423 if (nft_trans_flowtable_update(trans)) {
10424 nf_tables_flowtable_notify(&trans->ctx,
10425 nft_trans_flowtable(trans),
10426 &nft_trans_flowtable_hooks(trans),
10428 nft_unregister_flowtable_net_hooks(net,
10429 &nft_trans_flowtable_hooks(trans));
10431 list_del_rcu(&nft_trans_flowtable(trans)->list);
10432 nf_tables_flowtable_notify(&trans->ctx,
10433 nft_trans_flowtable(trans),
10436 nft_unregister_flowtable_net_hooks(net,
10437 &nft_trans_flowtable(trans)->hook_list);
10443 nft_set_commit_update(&set_update_list);
10445 nft_commit_notify(net, NETLINK_CB(skb).portid);
10446 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10447 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10449 nft_gc_seq_end(nft_net, gc_seq);
10450 nft_net->validate_state = NFT_VALIDATE_SKIP;
10451 nf_tables_commit_release(net);
10456 static void nf_tables_module_autoload(struct net *net)
10458 struct nftables_pernet *nft_net = nft_pernet(net);
10459 struct nft_module_request *req, *next;
10460 LIST_HEAD(module_list);
10462 list_splice_init(&nft_net->module_list, &module_list);
10463 mutex_unlock(&nft_net->commit_mutex);
10464 list_for_each_entry_safe(req, next, &module_list, list) {
10465 request_module("%s", req->module);
10468 mutex_lock(&nft_net->commit_mutex);
10469 list_splice(&module_list, &nft_net->module_list);
10472 static void nf_tables_abort_release(struct nft_trans *trans)
10474 switch (trans->msg_type) {
10475 case NFT_MSG_NEWTABLE:
10476 nf_tables_table_destroy(&trans->ctx);
10478 case NFT_MSG_NEWCHAIN:
10479 if (nft_trans_chain_update(trans))
10480 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10482 nf_tables_chain_destroy(&trans->ctx);
10484 case NFT_MSG_NEWRULE:
10485 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
10487 case NFT_MSG_NEWSET:
10488 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
10490 case NFT_MSG_NEWSETELEM:
10491 nft_set_elem_destroy(nft_trans_elem_set(trans),
10492 nft_trans_elem_priv(trans), true);
10494 case NFT_MSG_NEWOBJ:
10495 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
10497 case NFT_MSG_NEWFLOWTABLE:
10498 if (nft_trans_flowtable_update(trans))
10499 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10501 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10507 static void nft_set_abort_update(struct list_head *set_update_list)
10509 struct nft_set *set, *next;
10511 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10512 list_del_init(&set->pending_update);
10514 if (!set->ops->abort)
10517 set->ops->abort(set);
10521 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10523 struct nftables_pernet *nft_net = nft_pernet(net);
10524 struct nft_trans *trans, *next;
10525 LIST_HEAD(set_update_list);
10526 struct nft_trans_elem *te;
10529 if (action == NFNL_ABORT_VALIDATE &&
10530 nf_tables_validate(net) < 0)
10533 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10535 switch (trans->msg_type) {
10536 case NFT_MSG_NEWTABLE:
10537 if (nft_trans_table_update(trans)) {
10538 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10539 nft_trans_destroy(trans);
10542 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10543 nf_tables_table_disable(net, trans->ctx.table);
10544 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
10545 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10546 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
10548 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
10549 trans->ctx.table->flags &= ~NFT_TABLE_F_OWNER;
10550 trans->ctx.table->nlpid = 0;
10552 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10553 nft_trans_destroy(trans);
10555 list_del_rcu(&trans->ctx.table->list);
10558 case NFT_MSG_DELTABLE:
10559 case NFT_MSG_DESTROYTABLE:
10560 nft_clear(trans->ctx.net, trans->ctx.table);
10561 nft_trans_destroy(trans);
10563 case NFT_MSG_NEWCHAIN:
10564 if (nft_trans_chain_update(trans)) {
10565 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) {
10566 nft_netdev_unregister_hooks(net,
10567 &nft_trans_chain_hooks(trans),
10570 free_percpu(nft_trans_chain_stats(trans));
10571 kfree(nft_trans_chain_name(trans));
10572 nft_trans_destroy(trans);
10574 if (nft_trans_chain_bound(trans)) {
10575 nft_trans_destroy(trans);
10578 nft_use_dec_restore(&trans->ctx.table->use);
10579 nft_chain_del(trans->ctx.chain);
10580 nf_tables_unregister_hook(trans->ctx.net,
10585 case NFT_MSG_DELCHAIN:
10586 case NFT_MSG_DESTROYCHAIN:
10587 if (nft_trans_chain_update(trans)) {
10588 list_splice(&nft_trans_chain_hooks(trans),
10589 &nft_trans_basechain(trans)->hook_list);
10591 nft_use_inc_restore(&trans->ctx.table->use);
10592 nft_clear(trans->ctx.net, trans->ctx.chain);
10594 nft_trans_destroy(trans);
10596 case NFT_MSG_NEWRULE:
10597 if (nft_trans_rule_bound(trans)) {
10598 nft_trans_destroy(trans);
10601 nft_use_dec_restore(&trans->ctx.chain->use);
10602 list_del_rcu(&nft_trans_rule(trans)->list);
10603 nft_rule_expr_deactivate(&trans->ctx,
10604 nft_trans_rule(trans),
10606 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10607 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10609 case NFT_MSG_DELRULE:
10610 case NFT_MSG_DESTROYRULE:
10611 nft_use_inc_restore(&trans->ctx.chain->use);
10612 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10613 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
10614 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10615 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10617 nft_trans_destroy(trans);
10619 case NFT_MSG_NEWSET:
10620 if (nft_trans_set_update(trans)) {
10621 nft_trans_destroy(trans);
10624 nft_use_dec_restore(&trans->ctx.table->use);
10625 if (nft_trans_set_bound(trans)) {
10626 nft_trans_destroy(trans);
10629 nft_trans_set(trans)->dead = 1;
10630 list_del_rcu(&nft_trans_set(trans)->list);
10632 case NFT_MSG_DELSET:
10633 case NFT_MSG_DESTROYSET:
10634 nft_use_inc_restore(&trans->ctx.table->use);
10635 nft_clear(trans->ctx.net, nft_trans_set(trans));
10636 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10637 nft_map_activate(&trans->ctx, nft_trans_set(trans));
10639 nft_trans_destroy(trans);
10641 case NFT_MSG_NEWSETELEM:
10642 if (nft_trans_elem_set_bound(trans)) {
10643 nft_trans_destroy(trans);
10646 te = (struct nft_trans_elem *)trans->data;
10647 nft_setelem_remove(net, te->set, te->elem_priv);
10648 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10649 atomic_dec(&te->set->nelems);
10651 if (te->set->ops->abort &&
10652 list_empty(&te->set->pending_update)) {
10653 list_add_tail(&te->set->pending_update,
10657 case NFT_MSG_DELSETELEM:
10658 case NFT_MSG_DESTROYSETELEM:
10659 te = (struct nft_trans_elem *)trans->data;
10661 if (!nft_setelem_active_next(net, te->set, te->elem_priv)) {
10662 nft_setelem_data_activate(net, te->set, te->elem_priv);
10663 nft_setelem_activate(net, te->set, te->elem_priv);
10665 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10668 if (te->set->ops->abort &&
10669 list_empty(&te->set->pending_update)) {
10670 list_add_tail(&te->set->pending_update,
10673 nft_trans_destroy(trans);
10675 case NFT_MSG_NEWOBJ:
10676 if (nft_trans_obj_update(trans)) {
10677 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
10678 nft_trans_destroy(trans);
10680 nft_use_dec_restore(&trans->ctx.table->use);
10681 nft_obj_del(nft_trans_obj(trans));
10684 case NFT_MSG_DELOBJ:
10685 case NFT_MSG_DESTROYOBJ:
10686 nft_use_inc_restore(&trans->ctx.table->use);
10687 nft_clear(trans->ctx.net, nft_trans_obj(trans));
10688 nft_trans_destroy(trans);
10690 case NFT_MSG_NEWFLOWTABLE:
10691 if (nft_trans_flowtable_update(trans)) {
10692 nft_unregister_flowtable_net_hooks(net,
10693 &nft_trans_flowtable_hooks(trans));
10695 nft_use_dec_restore(&trans->ctx.table->use);
10696 list_del_rcu(&nft_trans_flowtable(trans)->list);
10697 nft_unregister_flowtable_net_hooks(net,
10698 &nft_trans_flowtable(trans)->hook_list);
10701 case NFT_MSG_DELFLOWTABLE:
10702 case NFT_MSG_DESTROYFLOWTABLE:
10703 if (nft_trans_flowtable_update(trans)) {
10704 list_splice(&nft_trans_flowtable_hooks(trans),
10705 &nft_trans_flowtable(trans)->hook_list);
10707 nft_use_inc_restore(&trans->ctx.table->use);
10708 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
10710 nft_trans_destroy(trans);
10715 nft_set_abort_update(&set_update_list);
10719 list_for_each_entry_safe_reverse(trans, next,
10720 &nft_net->commit_list, list) {
10721 nft_trans_list_del(trans);
10722 nf_tables_abort_release(trans);
10728 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10729 enum nfnl_abort_action action)
10731 struct nftables_pernet *nft_net = nft_pernet(net);
10732 unsigned int gc_seq;
10735 gc_seq = nft_gc_seq_begin(nft_net);
10736 ret = __nf_tables_abort(net, action);
10737 nft_gc_seq_end(nft_net, gc_seq);
10739 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10741 /* module autoload needs to happen after GC sequence update because it
10742 * temporarily releases and grabs mutex again.
10744 if (action == NFNL_ABORT_AUTOLOAD)
10745 nf_tables_module_autoload(net);
10747 nf_tables_module_autoload_cleanup(net);
10749 mutex_unlock(&nft_net->commit_mutex);
10754 static bool nf_tables_valid_genid(struct net *net, u32 genid)
10756 struct nftables_pernet *nft_net = nft_pernet(net);
10759 mutex_lock(&nft_net->commit_mutex);
10760 nft_net->tstamp = get_jiffies_64();
10762 genid_ok = genid == 0 || nft_net->base_seq == genid;
10764 mutex_unlock(&nft_net->commit_mutex);
10766 /* else, commit mutex has to be released by commit or abort function */
10770 static const struct nfnetlink_subsystem nf_tables_subsys = {
10771 .name = "nf_tables",
10772 .subsys_id = NFNL_SUBSYS_NFTABLES,
10773 .cb_count = NFT_MSG_MAX,
10774 .cb = nf_tables_cb,
10775 .commit = nf_tables_commit,
10776 .abort = nf_tables_abort,
10777 .valid_genid = nf_tables_valid_genid,
10778 .owner = THIS_MODULE,
10781 int nft_chain_validate_dependency(const struct nft_chain *chain,
10782 enum nft_chain_types type)
10784 const struct nft_base_chain *basechain;
10786 if (nft_is_base_chain(chain)) {
10787 basechain = nft_base_chain(chain);
10788 if (basechain->type->type != type)
10789 return -EOPNOTSUPP;
10793 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10795 int nft_chain_validate_hooks(const struct nft_chain *chain,
10796 unsigned int hook_flags)
10798 struct nft_base_chain *basechain;
10800 if (nft_is_base_chain(chain)) {
10801 basechain = nft_base_chain(chain);
10803 if ((1 << basechain->ops.hooknum) & hook_flags)
10806 return -EOPNOTSUPP;
10811 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
10814 * Loop detection - walk through the ruleset beginning at the destination chain
10815 * of a new jump until either the source chain is reached (loop) or all
10816 * reachable chains have been traversed.
10818 * The loop check is performed whenever a new jump verdict is added to an
10819 * expression or verdict map or a verdict map is bound to a new chain.
10822 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10823 const struct nft_chain *chain);
10825 static int nft_check_loops(const struct nft_ctx *ctx,
10826 const struct nft_set_ext *ext)
10828 const struct nft_data *data;
10831 data = nft_set_ext_data(ext);
10832 switch (data->verdict.code) {
10835 ret = nf_tables_check_loops(ctx, data->verdict.chain);
10845 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
10846 struct nft_set *set,
10847 const struct nft_set_iter *iter,
10848 struct nft_elem_priv *elem_priv)
10850 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
10852 if (!nft_set_elem_active(ext, iter->genmask))
10855 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
10856 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
10859 return nft_check_loops(ctx, ext);
10862 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
10863 struct nft_set *set)
10865 u8 genmask = nft_genmask_next(ctx->net);
10866 struct nft_set_elem_catchall *catchall;
10867 struct nft_set_ext *ext;
10870 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10871 ext = nft_set_elem_ext(set, catchall->elem);
10872 if (!nft_set_elem_active(ext, genmask))
10875 ret = nft_check_loops(ctx, ext);
10883 static int nf_tables_check_loops(const struct nft_ctx *ctx,
10884 const struct nft_chain *chain)
10886 const struct nft_rule *rule;
10887 const struct nft_expr *expr, *last;
10888 struct nft_set *set;
10889 struct nft_set_binding *binding;
10890 struct nft_set_iter iter;
10892 if (ctx->chain == chain)
10895 if (fatal_signal_pending(current))
10898 list_for_each_entry(rule, &chain->rules, list) {
10899 nft_rule_for_each_expr(expr, last, rule) {
10900 struct nft_immediate_expr *priv;
10901 const struct nft_data *data;
10904 if (strcmp(expr->ops->type->name, "immediate"))
10907 priv = nft_expr_priv(expr);
10908 if (priv->dreg != NFT_REG_VERDICT)
10911 data = &priv->data;
10912 switch (data->verdict.code) {
10915 err = nf_tables_check_loops(ctx,
10916 data->verdict.chain);
10926 list_for_each_entry(set, &ctx->table->sets, list) {
10927 if (!nft_is_active_next(ctx->net, set))
10929 if (!(set->flags & NFT_SET_MAP) ||
10930 set->dtype != NFT_DATA_VERDICT)
10933 list_for_each_entry(binding, &set->bindings, list) {
10934 if (!(binding->flags & NFT_SET_MAP) ||
10935 binding->chain != chain)
10938 iter.genmask = nft_genmask_next(ctx->net);
10939 iter.type = NFT_ITER_UPDATE;
10943 iter.fn = nf_tables_loop_check_setelem;
10945 set->ops->walk(ctx, set, &iter);
10947 iter.err = nft_set_catchall_loops(ctx, set);
10958 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10960 * @attr: netlink attribute to fetch value from
10961 * @max: maximum value to be stored in dest
10962 * @dest: pointer to the variable
10964 * Parse, check and store a given u32 netlink attribute into variable.
10965 * This function returns -ERANGE if the value goes over maximum value.
10966 * Otherwise a 0 is returned and the attribute value is stored in the
10967 * destination variable.
10969 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10973 val = ntohl(nla_get_be32(attr));
10980 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10982 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10986 reg = ntohl(nla_get_be32(attr));
10988 case NFT_REG_VERDICT...NFT_REG_4:
10989 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10991 case NFT_REG32_00...NFT_REG32_15:
10992 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
11002 * nft_dump_register - dump a register value to a netlink attribute
11004 * @skb: socket buffer
11005 * @attr: attribute number
11006 * @reg: register number
11008 * Construct a netlink attribute containing the register number. For
11009 * compatibility reasons, register numbers being a multiple of 4 are
11010 * translated to the corresponding 128 bit register numbers.
11012 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
11014 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
11015 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
11017 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
11019 return nla_put_be32(skb, attr, htonl(reg));
11021 EXPORT_SYMBOL_GPL(nft_dump_register);
11023 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
11025 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11029 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
11035 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
11040 err = nft_parse_register(attr, ®);
11044 err = nft_validate_register_load(reg, len);
11051 EXPORT_SYMBOL_GPL(nft_parse_register_load);
11053 static int nft_validate_register_store(const struct nft_ctx *ctx,
11054 enum nft_registers reg,
11055 const struct nft_data *data,
11056 enum nft_data_types type,
11062 case NFT_REG_VERDICT:
11063 if (type != NFT_DATA_VERDICT)
11066 if (data != NULL &&
11067 (data->verdict.code == NFT_GOTO ||
11068 data->verdict.code == NFT_JUMP)) {
11069 err = nf_tables_check_loops(ctx, data->verdict.chain);
11076 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11080 if (reg * NFT_REG32_SIZE + len >
11081 sizeof_field(struct nft_regs, data))
11084 if (data != NULL && type != NFT_DATA_VALUE)
11090 int nft_parse_register_store(const struct nft_ctx *ctx,
11091 const struct nlattr *attr, u8 *dreg,
11092 const struct nft_data *data,
11093 enum nft_data_types type, unsigned int len)
11098 err = nft_parse_register(attr, ®);
11102 err = nft_validate_register_store(ctx, reg, data, type, len);
11109 EXPORT_SYMBOL_GPL(nft_parse_register_store);
11111 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
11112 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
11113 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
11114 .len = NFT_CHAIN_MAXNAMELEN - 1 },
11115 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
11118 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
11119 struct nft_data_desc *desc, const struct nlattr *nla)
11121 u8 genmask = nft_genmask_next(ctx->net);
11122 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
11123 struct nft_chain *chain;
11126 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11127 nft_verdict_policy, NULL);
11131 if (!tb[NFTA_VERDICT_CODE])
11134 /* zero padding hole for memcmp */
11135 memset(data, 0, sizeof(*data));
11136 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11138 switch (data->verdict.code) {
11149 if (tb[NFTA_VERDICT_CHAIN]) {
11150 chain = nft_chain_lookup(ctx->net, ctx->table,
11151 tb[NFTA_VERDICT_CHAIN],
11153 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11154 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11155 tb[NFTA_VERDICT_CHAIN_ID],
11158 return PTR_ERR(chain);
11164 return PTR_ERR(chain);
11165 if (nft_is_base_chain(chain))
11166 return -EOPNOTSUPP;
11167 if (nft_chain_is_bound(chain))
11169 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11170 chain->flags & NFT_CHAIN_BINDING)
11172 if (!nft_use_inc(&chain->use))
11175 data->verdict.chain = chain;
11181 desc->len = sizeof(data->verdict);
11186 static void nft_verdict_uninit(const struct nft_data *data)
11188 struct nft_chain *chain;
11190 switch (data->verdict.code) {
11193 chain = data->verdict.chain;
11194 nft_use_dec(&chain->use);
11199 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11201 struct nlattr *nest;
11203 nest = nla_nest_start_noflag(skb, type);
11205 goto nla_put_failure;
11207 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11208 goto nla_put_failure;
11213 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11215 goto nla_put_failure;
11217 nla_nest_end(skb, nest);
11224 static int nft_value_init(const struct nft_ctx *ctx,
11225 struct nft_data *data, struct nft_data_desc *desc,
11226 const struct nlattr *nla)
11230 len = nla_len(nla);
11233 if (len > desc->size)
11236 if (len != desc->len)
11242 nla_memcpy(data->data, nla, len);
11247 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11250 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11253 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11254 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11255 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11259 * nft_data_init - parse nf_tables data netlink attributes
11261 * @ctx: context of the expression using the data
11262 * @data: destination struct nft_data
11263 * @desc: data description
11264 * @nla: netlink attribute containing data
11266 * Parse the netlink data attributes and initialize a struct nft_data.
11267 * The type and length of data are returned in the data description.
11269 * The caller can indicate that it only wants to accept data of type
11270 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11272 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11273 struct nft_data_desc *desc, const struct nlattr *nla)
11275 struct nlattr *tb[NFTA_DATA_MAX + 1];
11278 if (WARN_ON_ONCE(!desc->size))
11281 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11282 nft_data_policy, NULL);
11286 if (tb[NFTA_DATA_VALUE]) {
11287 if (desc->type != NFT_DATA_VALUE)
11290 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11291 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11292 if (desc->type != NFT_DATA_VERDICT)
11295 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11302 EXPORT_SYMBOL_GPL(nft_data_init);
11305 * nft_data_release - release a nft_data item
11307 * @data: struct nft_data to release
11308 * @type: type of data
11310 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11311 * all others need to be released by calling this function.
11313 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11315 if (type < NFT_DATA_VERDICT)
11318 case NFT_DATA_VERDICT:
11319 return nft_verdict_uninit(data);
11324 EXPORT_SYMBOL_GPL(nft_data_release);
11326 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11327 enum nft_data_types type, unsigned int len)
11329 struct nlattr *nest;
11332 nest = nla_nest_start_noflag(skb, attr);
11337 case NFT_DATA_VALUE:
11338 err = nft_value_dump(skb, data, len);
11340 case NFT_DATA_VERDICT:
11341 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11348 nla_nest_end(skb, nest);
11351 EXPORT_SYMBOL_GPL(nft_data_dump);
11353 int __nft_release_basechain(struct nft_ctx *ctx)
11355 struct nft_rule *rule, *nr;
11357 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
11360 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11361 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11362 list_del(&rule->list);
11363 nft_use_dec(&ctx->chain->use);
11364 nf_tables_rule_release(ctx, rule);
11366 nft_chain_del(ctx->chain);
11367 nft_use_dec(&ctx->table->use);
11368 nf_tables_chain_destroy(ctx);
11372 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11374 static void __nft_release_hook(struct net *net, struct nft_table *table)
11376 struct nft_flowtable *flowtable;
11377 struct nft_chain *chain;
11379 list_for_each_entry(chain, &table->chains, list)
11380 __nf_tables_unregister_hook(net, table, chain, true);
11381 list_for_each_entry(flowtable, &table->flowtables, list)
11382 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
11386 static void __nft_release_hooks(struct net *net)
11388 struct nftables_pernet *nft_net = nft_pernet(net);
11389 struct nft_table *table;
11391 list_for_each_entry(table, &nft_net->tables, list) {
11392 if (nft_table_has_owner(table))
11395 __nft_release_hook(net, table);
11399 static void __nft_release_table(struct net *net, struct nft_table *table)
11401 struct nft_flowtable *flowtable, *nf;
11402 struct nft_chain *chain, *nc;
11403 struct nft_object *obj, *ne;
11404 struct nft_rule *rule, *nr;
11405 struct nft_set *set, *ns;
11406 struct nft_ctx ctx = {
11408 .family = NFPROTO_NETDEV,
11411 ctx.family = table->family;
11413 list_for_each_entry(chain, &table->chains, list) {
11414 if (nft_chain_binding(chain))
11418 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11419 list_del(&rule->list);
11420 nft_use_dec(&chain->use);
11421 nf_tables_rule_release(&ctx, rule);
11424 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11425 list_del(&flowtable->list);
11426 nft_use_dec(&table->use);
11427 nf_tables_flowtable_destroy(flowtable);
11429 list_for_each_entry_safe(set, ns, &table->sets, list) {
11430 list_del(&set->list);
11431 nft_use_dec(&table->use);
11432 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11433 nft_map_deactivate(&ctx, set);
11435 nft_set_destroy(&ctx, set);
11437 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11439 nft_use_dec(&table->use);
11440 nft_obj_destroy(&ctx, obj);
11442 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11444 nft_chain_del(chain);
11445 nft_use_dec(&table->use);
11446 nf_tables_chain_destroy(&ctx);
11448 nf_tables_table_destroy(&ctx);
11451 static void __nft_release_tables(struct net *net)
11453 struct nftables_pernet *nft_net = nft_pernet(net);
11454 struct nft_table *table, *nt;
11456 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11457 if (nft_table_has_owner(table))
11460 list_del(&table->list);
11462 __nft_release_table(net, table);
11466 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11469 struct nft_table *table, *to_delete[8];
11470 struct nftables_pernet *nft_net;
11471 struct netlink_notify *n = ptr;
11472 struct net *net = n->net;
11473 unsigned int deleted;
11474 bool restart = false;
11475 unsigned int gc_seq;
11477 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11478 return NOTIFY_DONE;
11480 nft_net = nft_pernet(net);
11482 mutex_lock(&nft_net->commit_mutex);
11484 gc_seq = nft_gc_seq_begin(nft_net);
11486 if (!list_empty(&nf_tables_destroy_list))
11487 nf_tables_trans_destroy_flush_work();
11489 list_for_each_entry(table, &nft_net->tables, list) {
11490 if (nft_table_has_owner(table) &&
11491 n->portid == table->nlpid) {
11492 if (table->flags & NFT_TABLE_F_PERSIST) {
11493 table->flags &= ~NFT_TABLE_F_OWNER;
11496 __nft_release_hook(net, table);
11497 list_del_rcu(&table->list);
11498 to_delete[deleted++] = table;
11499 if (deleted >= ARRAY_SIZE(to_delete))
11504 restart = deleted >= ARRAY_SIZE(to_delete);
11507 __nft_release_table(net, to_delete[--deleted]);
11512 nft_gc_seq_end(nft_net, gc_seq);
11514 mutex_unlock(&nft_net->commit_mutex);
11516 return NOTIFY_DONE;
11519 static struct notifier_block nft_nl_notifier = {
11520 .notifier_call = nft_rcv_nl_event,
11523 static int __net_init nf_tables_init_net(struct net *net)
11525 struct nftables_pernet *nft_net = nft_pernet(net);
11527 INIT_LIST_HEAD(&nft_net->tables);
11528 INIT_LIST_HEAD(&nft_net->commit_list);
11529 INIT_LIST_HEAD(&nft_net->binding_list);
11530 INIT_LIST_HEAD(&nft_net->module_list);
11531 INIT_LIST_HEAD(&nft_net->notify_list);
11532 mutex_init(&nft_net->commit_mutex);
11533 nft_net->base_seq = 1;
11534 nft_net->gc_seq = 0;
11535 nft_net->validate_state = NFT_VALIDATE_SKIP;
11540 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11542 struct nftables_pernet *nft_net = nft_pernet(net);
11544 mutex_lock(&nft_net->commit_mutex);
11545 __nft_release_hooks(net);
11546 mutex_unlock(&nft_net->commit_mutex);
11549 static void __net_exit nf_tables_exit_net(struct net *net)
11551 struct nftables_pernet *nft_net = nft_pernet(net);
11552 unsigned int gc_seq;
11554 mutex_lock(&nft_net->commit_mutex);
11556 gc_seq = nft_gc_seq_begin(nft_net);
11558 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11560 if (!list_empty(&nft_net->module_list))
11561 nf_tables_module_autoload_cleanup(net);
11563 __nft_release_tables(net);
11565 nft_gc_seq_end(nft_net, gc_seq);
11567 mutex_unlock(&nft_net->commit_mutex);
11568 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11569 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11570 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11573 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11575 flush_work(&trans_gc_work);
11578 static struct pernet_operations nf_tables_net_ops = {
11579 .init = nf_tables_init_net,
11580 .pre_exit = nf_tables_pre_exit_net,
11581 .exit = nf_tables_exit_net,
11582 .exit_batch = nf_tables_exit_batch,
11583 .id = &nf_tables_net_id,
11584 .size = sizeof(struct nftables_pernet),
11587 static int __init nf_tables_module_init(void)
11591 err = register_pernet_subsys(&nf_tables_net_ops);
11595 err = nft_chain_filter_init();
11597 goto err_chain_filter;
11599 err = nf_tables_core_module_init();
11601 goto err_core_module;
11603 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11605 goto err_netdev_notifier;
11607 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11609 goto err_rht_objname;
11611 err = nft_offload_init();
11615 err = netlink_register_notifier(&nft_nl_notifier);
11617 goto err_netlink_notifier;
11620 err = nfnetlink_subsys_register(&nf_tables_subsys);
11622 goto err_nfnl_subsys;
11624 nft_chain_route_init();
11629 netlink_unregister_notifier(&nft_nl_notifier);
11630 err_netlink_notifier:
11631 nft_offload_exit();
11633 rhltable_destroy(&nft_objname_ht);
11635 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11636 err_netdev_notifier:
11637 nf_tables_core_module_exit();
11639 nft_chain_filter_fini();
11641 unregister_pernet_subsys(&nf_tables_net_ops);
11645 static void __exit nf_tables_module_exit(void)
11647 nfnetlink_subsys_unregister(&nf_tables_subsys);
11648 netlink_unregister_notifier(&nft_nl_notifier);
11649 nft_offload_exit();
11650 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11651 nft_chain_filter_fini();
11652 nft_chain_route_fini();
11653 nf_tables_trans_destroy_flush_work();
11654 unregister_pernet_subsys(&nf_tables_net_ops);
11655 cancel_work_sync(&trans_gc_work);
11656 cancel_work_sync(&trans_destroy_work);
11658 rhltable_destroy(&nft_objname_ht);
11659 nf_tables_core_module_exit();
11662 module_init(nf_tables_module_init);
11663 module_exit(nf_tables_module_exit);
11665 MODULE_LICENSE("GPL");
11667 MODULE_DESCRIPTION("Framework for packet filtering and classification");
11668 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / J-linux.git / blob