1 // SPDX-License-Identifier: GPL-2.0-only
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
25 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
35 NFT_VALIDATE_SKIP = 0,
40 static struct rhltable nft_objname_ht;
42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50 static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
56 .automatic_shrinking = true,
59 static const struct rhashtable_params nft_objname_ht_params = {
60 .head_offset = offsetof(struct nft_object, rhlhead),
61 .key_offset = offsetof(struct nft_object, key),
62 .hashfn = nft_objname_hash,
63 .obj_hashfn = nft_objname_hash_obj,
64 .obj_cmpfn = nft_objname_hash_cmp,
65 .automatic_shrinking = true,
68 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 switch (net->nft.validate_state) {
71 case NFT_VALIDATE_SKIP:
72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 case NFT_VALIDATE_NEED:
77 if (new_validate_state == NFT_VALIDATE_NEED)
81 net->nft.validate_state = new_validate_state;
83 static void nf_tables_trans_destroy_work(struct work_struct *w);
84 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86 static void nft_ctx_init(struct nft_ctx *ctx,
88 const struct sk_buff *skb,
89 const struct nlmsghdr *nlh,
91 struct nft_table *table,
92 struct nft_chain *chain,
93 const struct nlattr * const *nla)
101 ctx->portid = NETLINK_CB(skb).portid;
102 ctx->report = nlmsg_report(nlh);
103 ctx->flags = nlh->nlmsg_flags;
104 ctx->seq = nlh->nlmsg_seq;
107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
108 int msg_type, u32 size, gfp_t gfp)
110 struct nft_trans *trans;
112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
116 trans->msg_type = msg_type;
122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
123 int msg_type, u32 size)
125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
128 static void nft_trans_destroy(struct nft_trans *trans)
130 list_del(&trans->list);
134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 struct net *net = ctx->net;
137 struct nft_trans *trans;
139 if (!nft_set_is_anonymous(set))
142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
143 switch (trans->msg_type) {
145 if (nft_trans_set(trans) == set)
146 nft_trans_set_bound(trans) = true;
148 case NFT_MSG_NEWSETELEM:
149 if (nft_trans_elem_set(trans) == set)
150 nft_trans_elem_set_bound(trans) = true;
156 static int nft_netdev_register_hooks(struct net *net,
157 struct list_head *hook_list)
159 struct nft_hook *hook;
163 list_for_each_entry(hook, hook_list, list) {
164 err = nf_register_net_hook(net, &hook->ops);
173 list_for_each_entry(hook, hook_list, list) {
177 nf_unregister_net_hook(net, &hook->ops);
182 static void nft_netdev_unregister_hooks(struct net *net,
183 struct list_head *hook_list)
185 struct nft_hook *hook;
187 list_for_each_entry(hook, hook_list, list)
188 nf_unregister_net_hook(net, &hook->ops);
191 static int nft_register_basechain_hooks(struct net *net, int family,
192 struct nft_base_chain *basechain)
194 if (family == NFPROTO_NETDEV)
195 return nft_netdev_register_hooks(net, &basechain->hook_list);
197 return nf_register_net_hook(net, &basechain->ops);
200 static void nft_unregister_basechain_hooks(struct net *net, int family,
201 struct nft_base_chain *basechain)
203 if (family == NFPROTO_NETDEV)
204 nft_netdev_unregister_hooks(net, &basechain->hook_list);
206 nf_unregister_net_hook(net, &basechain->ops);
209 static int nf_tables_register_hook(struct net *net,
210 const struct nft_table *table,
211 struct nft_chain *chain)
213 struct nft_base_chain *basechain;
214 const struct nf_hook_ops *ops;
216 if (table->flags & NFT_TABLE_F_DORMANT ||
217 !nft_is_base_chain(chain))
220 basechain = nft_base_chain(chain);
221 ops = &basechain->ops;
223 if (basechain->type->ops_register)
224 return basechain->type->ops_register(net, ops);
226 return nft_register_basechain_hooks(net, table->family, basechain);
229 static void nf_tables_unregister_hook(struct net *net,
230 const struct nft_table *table,
231 struct nft_chain *chain)
233 struct nft_base_chain *basechain;
234 const struct nf_hook_ops *ops;
236 if (table->flags & NFT_TABLE_F_DORMANT ||
237 !nft_is_base_chain(chain))
239 basechain = nft_base_chain(chain);
240 ops = &basechain->ops;
242 if (basechain->type->ops_unregister)
243 return basechain->type->ops_unregister(net, ops);
245 nft_unregister_basechain_hooks(net, table->family, basechain);
248 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
250 struct nft_trans *trans;
252 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
256 if (msg_type == NFT_MSG_NEWTABLE)
257 nft_activate_next(ctx->net, ctx->table);
259 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
263 static int nft_deltable(struct nft_ctx *ctx)
267 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
271 nft_deactivate_next(ctx->net, ctx->table);
275 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
277 struct nft_trans *trans;
279 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
281 return ERR_PTR(-ENOMEM);
283 if (msg_type == NFT_MSG_NEWCHAIN) {
284 nft_activate_next(ctx->net, ctx->chain);
286 if (ctx->nla[NFTA_CHAIN_ID]) {
287 nft_trans_chain_id(trans) =
288 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
292 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
296 static int nft_delchain(struct nft_ctx *ctx)
298 struct nft_trans *trans;
300 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
302 return PTR_ERR(trans);
305 nft_deactivate_next(ctx->net, ctx->chain);
310 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
311 struct nft_rule *rule)
313 struct nft_expr *expr;
315 expr = nft_expr_first(rule);
316 while (expr != nft_expr_last(rule) && expr->ops) {
317 if (expr->ops->activate)
318 expr->ops->activate(ctx, expr);
320 expr = nft_expr_next(expr);
324 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
325 struct nft_rule *rule,
326 enum nft_trans_phase phase)
328 struct nft_expr *expr;
330 expr = nft_expr_first(rule);
331 while (expr != nft_expr_last(rule) && expr->ops) {
332 if (expr->ops->deactivate)
333 expr->ops->deactivate(ctx, expr, phase);
335 expr = nft_expr_next(expr);
340 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
342 /* You cannot delete the same rule twice */
343 if (nft_is_active_next(ctx->net, rule)) {
344 nft_deactivate_next(ctx->net, rule);
351 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
352 struct nft_rule *rule)
354 struct nft_trans *trans;
356 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
360 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
361 nft_trans_rule_id(trans) =
362 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
364 nft_trans_rule(trans) = rule;
365 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
370 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
372 struct nft_flow_rule *flow;
373 struct nft_trans *trans;
376 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
380 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
381 flow = nft_flow_rule_create(ctx->net, rule);
383 nft_trans_destroy(trans);
384 return PTR_ERR(flow);
387 nft_trans_flow_rule(trans) = flow;
390 err = nf_tables_delrule_deactivate(ctx, rule);
392 nft_trans_destroy(trans);
395 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
400 static int nft_delrule_by_chain(struct nft_ctx *ctx)
402 struct nft_rule *rule;
405 list_for_each_entry(rule, &ctx->chain->rules, list) {
406 if (!nft_is_active_next(ctx->net, rule))
409 err = nft_delrule(ctx, rule);
416 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
419 struct nft_trans *trans;
421 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
425 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
426 nft_trans_set_id(trans) =
427 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
428 nft_activate_next(ctx->net, set);
430 nft_trans_set(trans) = set;
431 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
436 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
440 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
444 nft_deactivate_next(ctx->net, set);
450 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
451 struct nft_object *obj)
453 struct nft_trans *trans;
455 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
459 if (msg_type == NFT_MSG_NEWOBJ)
460 nft_activate_next(ctx->net, obj);
462 nft_trans_obj(trans) = obj;
463 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
468 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
472 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
476 nft_deactivate_next(ctx->net, obj);
482 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
483 struct nft_flowtable *flowtable)
485 struct nft_trans *trans;
487 trans = nft_trans_alloc(ctx, msg_type,
488 sizeof(struct nft_trans_flowtable));
492 if (msg_type == NFT_MSG_NEWFLOWTABLE)
493 nft_activate_next(ctx->net, flowtable);
495 nft_trans_flowtable(trans) = flowtable;
496 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
501 static int nft_delflowtable(struct nft_ctx *ctx,
502 struct nft_flowtable *flowtable)
506 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
510 nft_deactivate_next(ctx->net, flowtable);
520 static struct nft_table *nft_table_lookup(const struct net *net,
521 const struct nlattr *nla,
522 u8 family, u8 genmask)
524 struct nft_table *table;
527 return ERR_PTR(-EINVAL);
529 list_for_each_entry_rcu(table, &net->nft.tables, list,
530 lockdep_is_held(&net->nft.commit_mutex)) {
531 if (!nla_strcmp(nla, table->name) &&
532 table->family == family &&
533 nft_active_genmask(table, genmask))
537 return ERR_PTR(-ENOENT);
540 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
541 const struct nlattr *nla,
544 struct nft_table *table;
546 list_for_each_entry(table, &net->nft.tables, list) {
547 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
548 nft_active_genmask(table, genmask))
552 return ERR_PTR(-ENOENT);
555 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
557 return ++table->hgenerator;
560 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
562 static const struct nft_chain_type *
563 __nft_chain_type_get(u8 family, enum nft_chain_types type)
565 if (family >= NFPROTO_NUMPROTO ||
566 type >= NFT_CHAIN_T_MAX)
569 return chain_type[family][type];
572 static const struct nft_chain_type *
573 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
575 const struct nft_chain_type *type;
578 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
579 type = __nft_chain_type_get(family, i);
582 if (!nla_strcmp(nla, type->name))
588 struct nft_module_request {
589 struct list_head list;
590 char module[MODULE_NAME_LEN];
594 #ifdef CONFIG_MODULES
595 static int nft_request_module(struct net *net, const char *fmt, ...)
597 char module_name[MODULE_NAME_LEN];
598 struct nft_module_request *req;
603 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
605 if (ret >= MODULE_NAME_LEN)
608 list_for_each_entry(req, &net->nft.module_list, list) {
609 if (!strcmp(req->module, module_name)) {
613 /* A request to load this module already exists. */
618 req = kmalloc(sizeof(*req), GFP_KERNEL);
623 strlcpy(req->module, module_name, MODULE_NAME_LEN);
624 list_add_tail(&req->list, &net->nft.module_list);
630 static void lockdep_nfnl_nft_mutex_not_held(void)
632 #ifdef CONFIG_PROVE_LOCKING
633 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
637 static const struct nft_chain_type *
638 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
639 u8 family, bool autoload)
641 const struct nft_chain_type *type;
643 type = __nf_tables_chain_type_lookup(nla, family);
647 lockdep_nfnl_nft_mutex_not_held();
648 #ifdef CONFIG_MODULES
650 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
652 (const char *)nla_data(nla)) == -EAGAIN)
653 return ERR_PTR(-EAGAIN);
656 return ERR_PTR(-ENOENT);
659 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
660 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
661 .len = NFT_TABLE_MAXNAMELEN - 1 },
662 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
663 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
666 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
667 u32 portid, u32 seq, int event, u32 flags,
668 int family, const struct nft_table *table)
670 struct nlmsghdr *nlh;
671 struct nfgenmsg *nfmsg;
673 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
674 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
676 goto nla_put_failure;
678 nfmsg = nlmsg_data(nlh);
679 nfmsg->nfgen_family = family;
680 nfmsg->version = NFNETLINK_V0;
681 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
683 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
684 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
685 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
686 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
688 goto nla_put_failure;
694 nlmsg_trim(skb, nlh);
698 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
704 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
707 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
711 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
712 event, 0, ctx->family, ctx->table);
718 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
719 ctx->report, GFP_KERNEL);
722 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
725 static int nf_tables_dump_tables(struct sk_buff *skb,
726 struct netlink_callback *cb)
728 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
729 const struct nft_table *table;
730 unsigned int idx = 0, s_idx = cb->args[0];
731 struct net *net = sock_net(skb->sk);
732 int family = nfmsg->nfgen_family;
735 cb->seq = net->nft.base_seq;
737 list_for_each_entry_rcu(table, &net->nft.tables, list) {
738 if (family != NFPROTO_UNSPEC && family != table->family)
744 memset(&cb->args[1], 0,
745 sizeof(cb->args) - sizeof(cb->args[0]));
746 if (!nft_is_active(net, table))
748 if (nf_tables_fill_table_info(skb, net,
749 NETLINK_CB(cb->skb).portid,
751 NFT_MSG_NEWTABLE, NLM_F_MULTI,
752 table->family, table) < 0)
755 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
765 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
766 const struct nlmsghdr *nlh,
767 struct netlink_dump_control *c)
771 if (!try_module_get(THIS_MODULE))
775 err = netlink_dump_start(nlsk, skb, nlh, c);
777 module_put(THIS_MODULE);
782 /* called with rcu_read_lock held */
783 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
784 struct sk_buff *skb, const struct nlmsghdr *nlh,
785 const struct nlattr * const nla[],
786 struct netlink_ext_ack *extack)
788 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
789 u8 genmask = nft_genmask_cur(net);
790 const struct nft_table *table;
791 struct sk_buff *skb2;
792 int family = nfmsg->nfgen_family;
795 if (nlh->nlmsg_flags & NLM_F_DUMP) {
796 struct netlink_dump_control c = {
797 .dump = nf_tables_dump_tables,
798 .module = THIS_MODULE,
801 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
804 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
806 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
807 return PTR_ERR(table);
810 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
814 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
815 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
820 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
827 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
829 struct nft_chain *chain;
832 list_for_each_entry(chain, &table->chains, list) {
833 if (!nft_is_active_next(net, chain))
835 if (!nft_is_base_chain(chain))
838 if (cnt && i++ == cnt)
841 nft_unregister_basechain_hooks(net, table->family,
842 nft_base_chain(chain));
846 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
848 struct nft_chain *chain;
851 list_for_each_entry(chain, &table->chains, list) {
852 if (!nft_is_active_next(net, chain))
854 if (!nft_is_base_chain(chain))
857 err = nft_register_basechain_hooks(net, table->family,
858 nft_base_chain(chain));
860 goto err_register_hooks;
868 nft_table_disable(net, table, i);
872 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
874 nft_table_disable(net, table, 0);
877 static int nf_tables_updtable(struct nft_ctx *ctx)
879 struct nft_trans *trans;
883 if (!ctx->nla[NFTA_TABLE_FLAGS])
886 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
887 if (flags & ~NFT_TABLE_F_DORMANT)
890 if (flags == ctx->table->flags)
893 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
894 sizeof(struct nft_trans_table));
898 if ((flags & NFT_TABLE_F_DORMANT) &&
899 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
900 nft_trans_table_enable(trans) = false;
901 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
902 ctx->table->flags & NFT_TABLE_F_DORMANT) {
903 ret = nf_tables_table_enable(ctx->net, ctx->table);
905 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
906 nft_trans_table_enable(trans) = true;
912 nft_trans_table_update(trans) = true;
913 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
916 nft_trans_destroy(trans);
920 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
922 const char *name = data;
924 return jhash(name, strlen(name), seed);
927 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
929 const struct nft_chain *chain = data;
931 return nft_chain_hash(chain->name, 0, seed);
934 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
937 const struct nft_chain *chain = ptr;
938 const char *name = arg->key;
940 return strcmp(chain->name, name);
943 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
945 const struct nft_object_hash_key *k = data;
947 seed ^= hash_ptr(k->table, 32);
949 return jhash(k->name, strlen(k->name), seed);
952 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
954 const struct nft_object *obj = data;
956 return nft_objname_hash(&obj->key, 0, seed);
959 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
962 const struct nft_object_hash_key *k = arg->key;
963 const struct nft_object *obj = ptr;
965 if (obj->key.table != k->table)
968 return strcmp(obj->key.name, k->name);
971 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
972 struct sk_buff *skb, const struct nlmsghdr *nlh,
973 const struct nlattr * const nla[],
974 struct netlink_ext_ack *extack)
976 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
977 u8 genmask = nft_genmask_next(net);
978 int family = nfmsg->nfgen_family;
979 const struct nlattr *attr;
980 struct nft_table *table;
985 lockdep_assert_held(&net->nft.commit_mutex);
986 attr = nla[NFTA_TABLE_NAME];
987 table = nft_table_lookup(net, attr, family, genmask);
989 if (PTR_ERR(table) != -ENOENT)
990 return PTR_ERR(table);
992 if (nlh->nlmsg_flags & NLM_F_EXCL) {
993 NL_SET_BAD_ATTR(extack, attr);
996 if (nlh->nlmsg_flags & NLM_F_REPLACE)
999 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1000 return nf_tables_updtable(&ctx);
1003 if (nla[NFTA_TABLE_FLAGS]) {
1004 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1005 if (flags & ~NFT_TABLE_F_DORMANT)
1010 table = kzalloc(sizeof(*table), GFP_KERNEL);
1014 table->name = nla_strdup(attr, GFP_KERNEL);
1015 if (table->name == NULL)
1018 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1022 INIT_LIST_HEAD(&table->chains);
1023 INIT_LIST_HEAD(&table->sets);
1024 INIT_LIST_HEAD(&table->objects);
1025 INIT_LIST_HEAD(&table->flowtables);
1026 table->family = family;
1027 table->flags = flags;
1028 table->handle = ++table_handle;
1030 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1031 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1035 list_add_tail_rcu(&table->list, &net->nft.tables);
1038 rhltable_destroy(&table->chains_ht);
1047 static int nft_flush_table(struct nft_ctx *ctx)
1049 struct nft_flowtable *flowtable, *nft;
1050 struct nft_chain *chain, *nc;
1051 struct nft_object *obj, *ne;
1052 struct nft_set *set, *ns;
1055 list_for_each_entry(chain, &ctx->table->chains, list) {
1056 if (!nft_is_active_next(ctx->net, chain))
1059 if (nft_chain_is_bound(chain))
1064 err = nft_delrule_by_chain(ctx);
1069 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1070 if (!nft_is_active_next(ctx->net, set))
1073 if (nft_set_is_anonymous(set) &&
1074 !list_empty(&set->bindings))
1077 err = nft_delset(ctx, set);
1082 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1083 if (!nft_is_active_next(ctx->net, flowtable))
1086 err = nft_delflowtable(ctx, flowtable);
1091 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1092 if (!nft_is_active_next(ctx->net, obj))
1095 err = nft_delobj(ctx, obj);
1100 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1101 if (!nft_is_active_next(ctx->net, chain))
1104 if (nft_chain_is_bound(chain))
1109 err = nft_delchain(ctx);
1114 err = nft_deltable(ctx);
1119 static int nft_flush(struct nft_ctx *ctx, int family)
1121 struct nft_table *table, *nt;
1122 const struct nlattr * const *nla = ctx->nla;
1125 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1126 if (family != AF_UNSPEC && table->family != family)
1129 ctx->family = table->family;
1131 if (!nft_is_active_next(ctx->net, table))
1134 if (nla[NFTA_TABLE_NAME] &&
1135 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1140 err = nft_flush_table(ctx);
1148 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1149 struct sk_buff *skb, const struct nlmsghdr *nlh,
1150 const struct nlattr * const nla[],
1151 struct netlink_ext_ack *extack)
1153 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1154 u8 genmask = nft_genmask_next(net);
1155 int family = nfmsg->nfgen_family;
1156 const struct nlattr *attr;
1157 struct nft_table *table;
1160 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1161 if (family == AF_UNSPEC ||
1162 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1163 return nft_flush(&ctx, family);
1165 if (nla[NFTA_TABLE_HANDLE]) {
1166 attr = nla[NFTA_TABLE_HANDLE];
1167 table = nft_table_lookup_byhandle(net, attr, genmask);
1169 attr = nla[NFTA_TABLE_NAME];
1170 table = nft_table_lookup(net, attr, family, genmask);
1173 if (IS_ERR(table)) {
1174 NL_SET_BAD_ATTR(extack, attr);
1175 return PTR_ERR(table);
1178 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1182 ctx.family = family;
1185 return nft_flush_table(&ctx);
1188 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1190 if (WARN_ON(ctx->table->use > 0))
1193 rhltable_destroy(&ctx->table->chains_ht);
1194 kfree(ctx->table->name);
1198 void nft_register_chain_type(const struct nft_chain_type *ctype)
1200 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1201 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1202 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1205 chain_type[ctype->family][ctype->type] = ctype;
1206 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1208 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1210 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1212 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1213 chain_type[ctype->family][ctype->type] = NULL;
1214 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1216 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1222 static struct nft_chain *
1223 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1225 struct nft_chain *chain;
1227 list_for_each_entry(chain, &table->chains, list) {
1228 if (chain->handle == handle &&
1229 nft_active_genmask(chain, genmask))
1233 return ERR_PTR(-ENOENT);
1236 static bool lockdep_commit_lock_is_held(const struct net *net)
1238 #ifdef CONFIG_PROVE_LOCKING
1239 return lockdep_is_held(&net->nft.commit_mutex);
1245 static struct nft_chain *nft_chain_lookup(struct net *net,
1246 struct nft_table *table,
1247 const struct nlattr *nla, u8 genmask)
1249 char search[NFT_CHAIN_MAXNAMELEN + 1];
1250 struct rhlist_head *tmp, *list;
1251 struct nft_chain *chain;
1254 return ERR_PTR(-EINVAL);
1256 nla_strlcpy(search, nla, sizeof(search));
1258 WARN_ON(!rcu_read_lock_held() &&
1259 !lockdep_commit_lock_is_held(net));
1261 chain = ERR_PTR(-ENOENT);
1263 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1267 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1268 if (nft_active_genmask(chain, genmask))
1271 chain = ERR_PTR(-ENOENT);
1277 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1278 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1279 .len = NFT_TABLE_MAXNAMELEN - 1 },
1280 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1281 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1282 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1283 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1284 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1285 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1286 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1287 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1288 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1289 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1292 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1293 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1294 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1295 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1296 .len = IFNAMSIZ - 1 },
1299 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1301 struct nft_stats *cpu_stats, total;
1302 struct nlattr *nest;
1310 memset(&total, 0, sizeof(total));
1311 for_each_possible_cpu(cpu) {
1312 cpu_stats = per_cpu_ptr(stats, cpu);
1314 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1315 pkts = cpu_stats->pkts;
1316 bytes = cpu_stats->bytes;
1317 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1319 total.bytes += bytes;
1321 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1323 goto nla_put_failure;
1325 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1326 NFTA_COUNTER_PAD) ||
1327 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1329 goto nla_put_failure;
1331 nla_nest_end(skb, nest);
1338 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1339 const struct nft_base_chain *basechain)
1341 const struct nf_hook_ops *ops = &basechain->ops;
1342 struct nft_hook *hook, *first = NULL;
1343 struct nlattr *nest, *nest_devs;
1346 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1348 goto nla_put_failure;
1349 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1350 goto nla_put_failure;
1351 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1352 goto nla_put_failure;
1354 if (family == NFPROTO_NETDEV) {
1355 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1356 list_for_each_entry(hook, &basechain->hook_list, list) {
1360 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1361 hook->ops.dev->name))
1362 goto nla_put_failure;
1365 nla_nest_end(skb, nest_devs);
1368 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1369 goto nla_put_failure;
1371 nla_nest_end(skb, nest);
1378 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1379 u32 portid, u32 seq, int event, u32 flags,
1380 int family, const struct nft_table *table,
1381 const struct nft_chain *chain)
1383 struct nlmsghdr *nlh;
1384 struct nfgenmsg *nfmsg;
1386 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1387 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1389 goto nla_put_failure;
1391 nfmsg = nlmsg_data(nlh);
1392 nfmsg->nfgen_family = family;
1393 nfmsg->version = NFNETLINK_V0;
1394 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1396 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1397 goto nla_put_failure;
1398 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1400 goto nla_put_failure;
1401 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1402 goto nla_put_failure;
1404 if (nft_is_base_chain(chain)) {
1405 const struct nft_base_chain *basechain = nft_base_chain(chain);
1406 struct nft_stats __percpu *stats;
1408 if (nft_dump_basechain_hook(skb, family, basechain))
1409 goto nla_put_failure;
1411 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1412 htonl(basechain->policy)))
1413 goto nla_put_failure;
1415 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1416 goto nla_put_failure;
1418 stats = rcu_dereference_check(basechain->stats,
1419 lockdep_commit_lock_is_held(net));
1420 if (nft_dump_stats(skb, stats))
1421 goto nla_put_failure;
1425 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1426 goto nla_put_failure;
1428 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1429 goto nla_put_failure;
1431 nlmsg_end(skb, nlh);
1435 nlmsg_trim(skb, nlh);
1439 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1441 struct sk_buff *skb;
1445 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1448 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1452 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1453 event, 0, ctx->family, ctx->table,
1460 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1461 ctx->report, GFP_KERNEL);
1464 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1467 static int nf_tables_dump_chains(struct sk_buff *skb,
1468 struct netlink_callback *cb)
1470 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1471 const struct nft_table *table;
1472 const struct nft_chain *chain;
1473 unsigned int idx = 0, s_idx = cb->args[0];
1474 struct net *net = sock_net(skb->sk);
1475 int family = nfmsg->nfgen_family;
1478 cb->seq = net->nft.base_seq;
1480 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1481 if (family != NFPROTO_UNSPEC && family != table->family)
1484 list_for_each_entry_rcu(chain, &table->chains, list) {
1488 memset(&cb->args[1], 0,
1489 sizeof(cb->args) - sizeof(cb->args[0]));
1490 if (!nft_is_active(net, chain))
1492 if (nf_tables_fill_chain_info(skb, net,
1493 NETLINK_CB(cb->skb).portid,
1497 table->family, table,
1501 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1512 /* called with rcu_read_lock held */
1513 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1514 struct sk_buff *skb, const struct nlmsghdr *nlh,
1515 const struct nlattr * const nla[],
1516 struct netlink_ext_ack *extack)
1518 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1519 u8 genmask = nft_genmask_cur(net);
1520 const struct nft_chain *chain;
1521 struct nft_table *table;
1522 struct sk_buff *skb2;
1523 int family = nfmsg->nfgen_family;
1526 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1527 struct netlink_dump_control c = {
1528 .dump = nf_tables_dump_chains,
1529 .module = THIS_MODULE,
1532 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1535 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1536 if (IS_ERR(table)) {
1537 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1538 return PTR_ERR(table);
1541 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1542 if (IS_ERR(chain)) {
1543 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1544 return PTR_ERR(chain);
1547 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1551 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1552 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1553 family, table, chain);
1557 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1564 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1565 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1566 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1569 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1571 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1572 struct nft_stats __percpu *newstats;
1573 struct nft_stats *stats;
1576 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1577 nft_counter_policy, NULL);
1579 return ERR_PTR(err);
1581 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1582 return ERR_PTR(-EINVAL);
1584 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1585 if (newstats == NULL)
1586 return ERR_PTR(-ENOMEM);
1588 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1589 * are not exposed to userspace.
1592 stats = this_cpu_ptr(newstats);
1593 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1594 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1600 static void nft_chain_stats_replace(struct nft_trans *trans)
1602 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1604 if (!nft_trans_chain_stats(trans))
1607 nft_trans_chain_stats(trans) =
1608 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1609 lockdep_commit_lock_is_held(trans->ctx.net));
1611 if (!nft_trans_chain_stats(trans))
1612 static_branch_inc(&nft_counters_enabled);
1615 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1617 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1618 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1624 /* should be NULL either via abort or via successful commit */
1625 WARN_ON_ONCE(chain->rules_next);
1626 kvfree(chain->rules_next);
1629 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1631 struct nft_chain *chain = ctx->chain;
1632 struct nft_hook *hook, *next;
1634 if (WARN_ON(chain->use > 0))
1637 /* no concurrent access possible anymore */
1638 nf_tables_chain_free_chain_rules(chain);
1640 if (nft_is_base_chain(chain)) {
1641 struct nft_base_chain *basechain = nft_base_chain(chain);
1643 if (ctx->family == NFPROTO_NETDEV) {
1644 list_for_each_entry_safe(hook, next,
1645 &basechain->hook_list, list) {
1646 list_del_rcu(&hook->list);
1647 kfree_rcu(hook, rcu);
1650 module_put(basechain->type->owner);
1651 if (rcu_access_pointer(basechain->stats)) {
1652 static_branch_dec(&nft_counters_enabled);
1653 free_percpu(rcu_dereference_raw(basechain->stats));
1663 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1664 const struct nlattr *attr)
1666 struct net_device *dev;
1667 char ifname[IFNAMSIZ];
1668 struct nft_hook *hook;
1671 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1674 goto err_hook_alloc;
1677 nla_strlcpy(ifname, attr, IFNAMSIZ);
1678 dev = __dev_get_by_name(net, ifname);
1683 hook->ops.dev = dev;
1684 hook->inactive = false;
1691 return ERR_PTR(err);
1694 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1695 const struct nft_hook *this)
1697 struct nft_hook *hook;
1699 list_for_each_entry(hook, hook_list, list) {
1700 if (this->ops.dev == hook->ops.dev)
1707 static int nf_tables_parse_netdev_hooks(struct net *net,
1708 const struct nlattr *attr,
1709 struct list_head *hook_list)
1711 struct nft_hook *hook, *next;
1712 const struct nlattr *tmp;
1713 int rem, n = 0, err;
1715 nla_for_each_nested(tmp, attr, rem) {
1716 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1721 hook = nft_netdev_hook_alloc(net, tmp);
1723 err = PTR_ERR(hook);
1726 if (nft_hook_list_find(hook_list, hook)) {
1731 list_add_tail(&hook->list, hook_list);
1734 if (n == NFT_NETDEVICE_MAX) {
1743 list_for_each_entry_safe(hook, next, hook_list, list) {
1744 list_del(&hook->list);
1750 struct nft_chain_hook {
1753 const struct nft_chain_type *type;
1754 struct list_head list;
1757 static int nft_chain_parse_netdev(struct net *net,
1758 struct nlattr *tb[],
1759 struct list_head *hook_list)
1761 struct nft_hook *hook;
1764 if (tb[NFTA_HOOK_DEV]) {
1765 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1767 return PTR_ERR(hook);
1769 list_add_tail(&hook->list, hook_list);
1770 } else if (tb[NFTA_HOOK_DEVS]) {
1771 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1776 if (list_empty(hook_list))
1785 static int nft_chain_parse_hook(struct net *net,
1786 const struct nlattr * const nla[],
1787 struct nft_chain_hook *hook, u8 family,
1790 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1791 const struct nft_chain_type *type;
1794 lockdep_assert_held(&net->nft.commit_mutex);
1795 lockdep_nfnl_nft_mutex_not_held();
1797 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1798 nla[NFTA_CHAIN_HOOK],
1799 nft_hook_policy, NULL);
1803 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1804 ha[NFTA_HOOK_PRIORITY] == NULL)
1807 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1808 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1810 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1814 if (nla[NFTA_CHAIN_TYPE]) {
1815 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1818 return PTR_ERR(type);
1820 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1823 if (type->type == NFT_CHAIN_T_NAT &&
1824 hook->priority <= NF_IP_PRI_CONNTRACK)
1827 if (!try_module_get(type->owner))
1832 INIT_LIST_HEAD(&hook->list);
1833 if (family == NFPROTO_NETDEV) {
1834 err = nft_chain_parse_netdev(net, ha, &hook->list);
1836 module_put(type->owner);
1839 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1840 module_put(type->owner);
1847 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1849 struct nft_hook *h, *next;
1851 list_for_each_entry_safe(h, next, &hook->list, list) {
1855 module_put(hook->type->owner);
1858 struct nft_rules_old {
1860 struct nft_rule **start;
1863 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1866 if (alloc > INT_MAX)
1869 alloc += 1; /* NULL, ends rules */
1870 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1873 alloc *= sizeof(struct nft_rule *);
1874 alloc += sizeof(struct nft_rules_old);
1876 return kvmalloc(alloc, GFP_KERNEL);
1879 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1880 const struct nft_chain_hook *hook,
1881 struct nft_chain *chain)
1884 ops->hooknum = hook->num;
1885 ops->priority = hook->priority;
1887 ops->hook = hook->type->hooks[ops->hooknum];
1890 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1891 struct nft_chain_hook *hook, u32 flags)
1893 struct nft_chain *chain;
1896 basechain->type = hook->type;
1897 INIT_LIST_HEAD(&basechain->hook_list);
1898 chain = &basechain->chain;
1900 if (family == NFPROTO_NETDEV) {
1901 list_splice_init(&hook->list, &basechain->hook_list);
1902 list_for_each_entry(h, &basechain->hook_list, list)
1903 nft_basechain_hook_init(&h->ops, family, hook, chain);
1905 basechain->ops.hooknum = hook->num;
1906 basechain->ops.priority = hook->priority;
1908 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1911 chain->flags |= NFT_CHAIN_BASE | flags;
1912 basechain->policy = NF_ACCEPT;
1913 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1914 nft_chain_offload_priority(basechain) < 0)
1917 flow_block_init(&basechain->flow_block);
1922 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
1926 err = rhltable_insert_key(&table->chains_ht, chain->name,
1927 &chain->rhlhead, nft_chain_ht_params);
1931 list_add_tail_rcu(&chain->list, &table->chains);
1936 static u64 chain_id;
1938 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1939 u8 policy, u32 flags)
1941 const struct nlattr * const *nla = ctx->nla;
1942 struct nft_table *table = ctx->table;
1943 struct nft_base_chain *basechain;
1944 struct nft_stats __percpu *stats;
1945 struct net *net = ctx->net;
1946 char name[NFT_NAME_MAXLEN];
1947 struct nft_trans *trans;
1948 struct nft_chain *chain;
1949 struct nft_rule **rules;
1952 if (table->use == UINT_MAX)
1955 if (nla[NFTA_CHAIN_HOOK]) {
1956 struct nft_chain_hook hook;
1958 if (flags & NFT_CHAIN_BINDING)
1961 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1965 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1966 if (basechain == NULL) {
1967 nft_chain_release_hook(&hook);
1970 chain = &basechain->chain;
1972 if (nla[NFTA_CHAIN_COUNTERS]) {
1973 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1974 if (IS_ERR(stats)) {
1975 nft_chain_release_hook(&hook);
1977 return PTR_ERR(stats);
1979 rcu_assign_pointer(basechain->stats, stats);
1980 static_branch_inc(&nft_counters_enabled);
1983 err = nft_basechain_init(basechain, family, &hook, flags);
1985 nft_chain_release_hook(&hook);
1990 if (flags & NFT_CHAIN_BASE)
1992 if (flags & NFT_CHAIN_HW_OFFLOAD)
1995 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1999 chain->flags = flags;
2003 INIT_LIST_HEAD(&chain->rules);
2004 chain->handle = nf_tables_alloc_handle(table);
2005 chain->table = table;
2007 if (nla[NFTA_CHAIN_NAME]) {
2008 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2010 if (!(flags & NFT_CHAIN_BINDING))
2013 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2014 chain->name = kstrdup(name, GFP_KERNEL);
2022 rules = nf_tables_chain_alloc_rules(chain, 0);
2029 rcu_assign_pointer(chain->rules_gen_0, rules);
2030 rcu_assign_pointer(chain->rules_gen_1, rules);
2032 err = nf_tables_register_hook(net, table, chain);
2036 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2037 if (IS_ERR(trans)) {
2038 err = PTR_ERR(trans);
2042 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2043 if (nft_is_base_chain(chain))
2044 nft_trans_chain_policy(trans) = policy;
2046 err = nft_chain_add(table, chain);
2048 nft_trans_destroy(trans);
2056 nf_tables_unregister_hook(net, table, chain);
2058 nf_tables_chain_destroy(ctx);
2063 static bool nft_hook_list_equal(struct list_head *hook_list1,
2064 struct list_head *hook_list2)
2066 struct nft_hook *hook;
2070 list_for_each_entry(hook, hook_list2, list) {
2071 if (!nft_hook_list_find(hook_list1, hook))
2076 list_for_each_entry(hook, hook_list1, list)
2082 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2085 const struct nlattr * const *nla = ctx->nla;
2086 struct nft_table *table = ctx->table;
2087 struct nft_chain *chain = ctx->chain;
2088 struct nft_base_chain *basechain;
2089 struct nft_stats *stats = NULL;
2090 struct nft_chain_hook hook;
2091 struct nf_hook_ops *ops;
2092 struct nft_trans *trans;
2095 if (chain->flags ^ flags)
2098 if (nla[NFTA_CHAIN_HOOK]) {
2099 if (!nft_is_base_chain(chain))
2102 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2107 basechain = nft_base_chain(chain);
2108 if (basechain->type != hook.type) {
2109 nft_chain_release_hook(&hook);
2113 if (ctx->family == NFPROTO_NETDEV) {
2114 if (!nft_hook_list_equal(&basechain->hook_list,
2116 nft_chain_release_hook(&hook);
2120 ops = &basechain->ops;
2121 if (ops->hooknum != hook.num ||
2122 ops->priority != hook.priority) {
2123 nft_chain_release_hook(&hook);
2127 nft_chain_release_hook(&hook);
2130 if (nla[NFTA_CHAIN_HANDLE] &&
2131 nla[NFTA_CHAIN_NAME]) {
2132 struct nft_chain *chain2;
2134 chain2 = nft_chain_lookup(ctx->net, table,
2135 nla[NFTA_CHAIN_NAME], genmask);
2136 if (!IS_ERR(chain2))
2140 if (nla[NFTA_CHAIN_COUNTERS]) {
2141 if (!nft_is_base_chain(chain))
2144 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2146 return PTR_ERR(stats);
2150 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2151 sizeof(struct nft_trans_chain));
2155 nft_trans_chain_stats(trans) = stats;
2156 nft_trans_chain_update(trans) = true;
2158 if (nla[NFTA_CHAIN_POLICY])
2159 nft_trans_chain_policy(trans) = policy;
2161 nft_trans_chain_policy(trans) = -1;
2163 if (nla[NFTA_CHAIN_HANDLE] &&
2164 nla[NFTA_CHAIN_NAME]) {
2165 struct nft_trans *tmp;
2169 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2174 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2175 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2176 tmp->ctx.table == table &&
2177 nft_trans_chain_update(tmp) &&
2178 nft_trans_chain_name(tmp) &&
2179 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2185 nft_trans_chain_name(trans) = name;
2187 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2196 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2197 const struct nlattr *nla)
2199 u32 id = ntohl(nla_get_be32(nla));
2200 struct nft_trans *trans;
2202 list_for_each_entry(trans, &net->nft.commit_list, list) {
2203 struct nft_chain *chain = trans->ctx.chain;
2205 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2206 id == nft_trans_chain_id(trans))
2209 return ERR_PTR(-ENOENT);
2212 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2213 struct sk_buff *skb, const struct nlmsghdr *nlh,
2214 const struct nlattr * const nla[],
2215 struct netlink_ext_ack *extack)
2217 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2218 u8 genmask = nft_genmask_next(net);
2219 int family = nfmsg->nfgen_family;
2220 struct nft_chain *chain = NULL;
2221 const struct nlattr *attr;
2222 struct nft_table *table;
2223 u8 policy = NF_ACCEPT;
2228 lockdep_assert_held(&net->nft.commit_mutex);
2230 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2231 if (IS_ERR(table)) {
2232 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2233 return PTR_ERR(table);
2237 attr = nla[NFTA_CHAIN_NAME];
2239 if (nla[NFTA_CHAIN_HANDLE]) {
2240 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2241 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2242 if (IS_ERR(chain)) {
2243 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2244 return PTR_ERR(chain);
2246 attr = nla[NFTA_CHAIN_HANDLE];
2247 } else if (nla[NFTA_CHAIN_NAME]) {
2248 chain = nft_chain_lookup(net, table, attr, genmask);
2249 if (IS_ERR(chain)) {
2250 if (PTR_ERR(chain) != -ENOENT) {
2251 NL_SET_BAD_ATTR(extack, attr);
2252 return PTR_ERR(chain);
2256 } else if (!nla[NFTA_CHAIN_ID]) {
2260 if (nla[NFTA_CHAIN_POLICY]) {
2261 if (chain != NULL &&
2262 !nft_is_base_chain(chain)) {
2263 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2267 if (chain == NULL &&
2268 nla[NFTA_CHAIN_HOOK] == NULL) {
2269 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2273 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2283 if (nla[NFTA_CHAIN_FLAGS])
2284 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2286 flags = chain->flags;
2288 if (flags & ~NFT_CHAIN_FLAGS)
2291 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2293 if (chain != NULL) {
2294 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2295 NL_SET_BAD_ATTR(extack, attr);
2298 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2301 flags |= chain->flags & NFT_CHAIN_BASE;
2302 return nf_tables_updchain(&ctx, genmask, policy, flags);
2305 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2308 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2309 struct sk_buff *skb, const struct nlmsghdr *nlh,
2310 const struct nlattr * const nla[],
2311 struct netlink_ext_ack *extack)
2313 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2314 u8 genmask = nft_genmask_next(net);
2315 int family = nfmsg->nfgen_family;
2316 const struct nlattr *attr;
2317 struct nft_table *table;
2318 struct nft_chain *chain;
2319 struct nft_rule *rule;
2325 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2326 if (IS_ERR(table)) {
2327 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2328 return PTR_ERR(table);
2331 if (nla[NFTA_CHAIN_HANDLE]) {
2332 attr = nla[NFTA_CHAIN_HANDLE];
2333 handle = be64_to_cpu(nla_get_be64(attr));
2334 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2336 attr = nla[NFTA_CHAIN_NAME];
2337 chain = nft_chain_lookup(net, table, attr, genmask);
2339 if (IS_ERR(chain)) {
2340 NL_SET_BAD_ATTR(extack, attr);
2341 return PTR_ERR(chain);
2344 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2348 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2351 list_for_each_entry(rule, &chain->rules, list) {
2352 if (!nft_is_active_next(net, rule))
2356 err = nft_delrule(&ctx, rule);
2361 /* There are rules and elements that are still holding references to us,
2362 * we cannot do a recursive removal in this case.
2365 NL_SET_BAD_ATTR(extack, attr);
2369 return nft_delchain(&ctx);
2377 * nft_register_expr - register nf_tables expr type
2380 * Registers the expr type for use with nf_tables. Returns zero on
2381 * success or a negative errno code otherwise.
2383 int nft_register_expr(struct nft_expr_type *type)
2385 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2386 if (type->family == NFPROTO_UNSPEC)
2387 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2389 list_add_rcu(&type->list, &nf_tables_expressions);
2390 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2393 EXPORT_SYMBOL_GPL(nft_register_expr);
2396 * nft_unregister_expr - unregister nf_tables expr type
2399 * Unregisters the expr typefor use with nf_tables.
2401 void nft_unregister_expr(struct nft_expr_type *type)
2403 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2404 list_del_rcu(&type->list);
2405 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2407 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2409 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2412 const struct nft_expr_type *type, *candidate = NULL;
2414 list_for_each_entry(type, &nf_tables_expressions, list) {
2415 if (!nla_strcmp(nla, type->name)) {
2416 if (!type->family && !candidate)
2418 else if (type->family == family)
2425 #ifdef CONFIG_MODULES
2426 static int nft_expr_type_request_module(struct net *net, u8 family,
2429 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2430 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2437 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2441 const struct nft_expr_type *type;
2444 return ERR_PTR(-EINVAL);
2446 type = __nft_expr_type_get(family, nla);
2447 if (type != NULL && try_module_get(type->owner))
2450 lockdep_nfnl_nft_mutex_not_held();
2451 #ifdef CONFIG_MODULES
2453 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2454 return ERR_PTR(-EAGAIN);
2456 if (nft_request_module(net, "nft-expr-%.*s",
2458 (char *)nla_data(nla)) == -EAGAIN)
2459 return ERR_PTR(-EAGAIN);
2462 return ERR_PTR(-ENOENT);
2465 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2466 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2467 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2468 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2471 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2472 const struct nft_expr *expr)
2474 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2475 goto nla_put_failure;
2477 if (expr->ops->dump) {
2478 struct nlattr *data = nla_nest_start_noflag(skb,
2481 goto nla_put_failure;
2482 if (expr->ops->dump(skb, expr) < 0)
2483 goto nla_put_failure;
2484 nla_nest_end(skb, data);
2493 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2494 const struct nft_expr *expr)
2496 struct nlattr *nest;
2498 nest = nla_nest_start_noflag(skb, attr);
2500 goto nla_put_failure;
2501 if (nf_tables_fill_expr_info(skb, expr) < 0)
2502 goto nla_put_failure;
2503 nla_nest_end(skb, nest);
2510 struct nft_expr_info {
2511 const struct nft_expr_ops *ops;
2512 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2515 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2516 const struct nlattr *nla,
2517 struct nft_expr_info *info)
2519 const struct nft_expr_type *type;
2520 const struct nft_expr_ops *ops;
2521 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2524 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2525 nft_expr_policy, NULL);
2529 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2531 return PTR_ERR(type);
2533 if (tb[NFTA_EXPR_DATA]) {
2534 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2536 type->policy, NULL);
2540 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2542 if (type->select_ops != NULL) {
2543 ops = type->select_ops(ctx,
2544 (const struct nlattr * const *)info->tb);
2547 #ifdef CONFIG_MODULES
2549 if (nft_expr_type_request_module(ctx->net,
2551 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2563 module_put(type->owner);
2567 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2568 const struct nft_expr_info *info,
2569 struct nft_expr *expr)
2571 const struct nft_expr_ops *ops = info->ops;
2576 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2587 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2588 struct nft_expr *expr)
2590 const struct nft_expr_type *type = expr->ops->type;
2592 if (expr->ops->destroy)
2593 expr->ops->destroy(ctx, expr);
2594 module_put(type->owner);
2597 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2598 const struct nlattr *nla)
2600 struct nft_expr_info info;
2601 struct nft_expr *expr;
2602 struct module *owner;
2605 err = nf_tables_expr_parse(ctx, nla, &info);
2610 expr = kzalloc(info.ops->size, GFP_KERNEL);
2614 err = nf_tables_newexpr(ctx, &info, expr);
2622 owner = info.ops->type->owner;
2623 if (info.ops->type->release_ops)
2624 info.ops->type->release_ops(info.ops);
2628 return ERR_PTR(err);
2631 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2635 if (src->ops->clone) {
2636 dst->ops = src->ops;
2637 err = src->ops->clone(dst, src);
2641 memcpy(dst, src, src->ops->size);
2644 __module_get(src->ops->type->owner);
2649 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2651 nf_tables_expr_destroy(ctx, expr);
2659 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2662 struct nft_rule *rule;
2664 // FIXME: this sucks
2665 list_for_each_entry_rcu(rule, &chain->rules, list) {
2666 if (handle == rule->handle)
2670 return ERR_PTR(-ENOENT);
2673 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2674 const struct nlattr *nla)
2677 return ERR_PTR(-EINVAL);
2679 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2682 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2683 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2684 .len = NFT_TABLE_MAXNAMELEN - 1 },
2685 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2686 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2687 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2688 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2689 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2690 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2691 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2692 .len = NFT_USERDATA_MAXLEN },
2693 [NFTA_RULE_ID] = { .type = NLA_U32 },
2694 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2695 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2698 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2699 u32 portid, u32 seq, int event,
2700 u32 flags, int family,
2701 const struct nft_table *table,
2702 const struct nft_chain *chain,
2703 const struct nft_rule *rule,
2704 const struct nft_rule *prule)
2706 struct nlmsghdr *nlh;
2707 struct nfgenmsg *nfmsg;
2708 const struct nft_expr *expr, *next;
2709 struct nlattr *list;
2710 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2712 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2714 goto nla_put_failure;
2716 nfmsg = nlmsg_data(nlh);
2717 nfmsg->nfgen_family = family;
2718 nfmsg->version = NFNETLINK_V0;
2719 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2721 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2722 goto nla_put_failure;
2723 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2724 goto nla_put_failure;
2725 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2727 goto nla_put_failure;
2729 if (event != NFT_MSG_DELRULE && prule) {
2730 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2731 cpu_to_be64(prule->handle),
2733 goto nla_put_failure;
2736 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2738 goto nla_put_failure;
2739 nft_rule_for_each_expr(expr, next, rule) {
2740 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2741 goto nla_put_failure;
2743 nla_nest_end(skb, list);
2746 struct nft_userdata *udata = nft_userdata(rule);
2747 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2749 goto nla_put_failure;
2752 nlmsg_end(skb, nlh);
2756 nlmsg_trim(skb, nlh);
2760 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2761 const struct nft_rule *rule, int event)
2763 struct sk_buff *skb;
2767 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2770 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2774 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2775 event, 0, ctx->family, ctx->table,
2776 ctx->chain, rule, NULL);
2782 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2783 ctx->report, GFP_KERNEL);
2786 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2789 struct nft_rule_dump_ctx {
2794 static int __nf_tables_dump_rules(struct sk_buff *skb,
2796 struct netlink_callback *cb,
2797 const struct nft_table *table,
2798 const struct nft_chain *chain)
2800 struct net *net = sock_net(skb->sk);
2801 const struct nft_rule *rule, *prule;
2802 unsigned int s_idx = cb->args[0];
2805 list_for_each_entry_rcu(rule, &chain->rules, list) {
2806 if (!nft_is_active(net, rule))
2811 memset(&cb->args[1], 0,
2812 sizeof(cb->args) - sizeof(cb->args[0]));
2814 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2817 NLM_F_MULTI | NLM_F_APPEND,
2819 table, chain, rule, prule) < 0)
2822 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2831 static int nf_tables_dump_rules(struct sk_buff *skb,
2832 struct netlink_callback *cb)
2834 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2835 const struct nft_rule_dump_ctx *ctx = cb->data;
2836 struct nft_table *table;
2837 const struct nft_chain *chain;
2838 unsigned int idx = 0;
2839 struct net *net = sock_net(skb->sk);
2840 int family = nfmsg->nfgen_family;
2843 cb->seq = net->nft.base_seq;
2845 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2846 if (family != NFPROTO_UNSPEC && family != table->family)
2849 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2852 if (ctx && ctx->table && ctx->chain) {
2853 struct rhlist_head *list, *tmp;
2855 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2856 nft_chain_ht_params);
2860 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2861 if (!nft_is_active(net, chain))
2863 __nf_tables_dump_rules(skb, &idx,
2870 list_for_each_entry_rcu(chain, &table->chains, list) {
2871 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2875 if (ctx && ctx->table)
2885 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2887 const struct nlattr * const *nla = cb->data;
2888 struct nft_rule_dump_ctx *ctx = NULL;
2890 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2891 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2895 if (nla[NFTA_RULE_TABLE]) {
2896 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2903 if (nla[NFTA_RULE_CHAIN]) {
2904 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2918 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2920 struct nft_rule_dump_ctx *ctx = cb->data;
2930 /* called with rcu_read_lock held */
2931 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2932 struct sk_buff *skb, const struct nlmsghdr *nlh,
2933 const struct nlattr * const nla[],
2934 struct netlink_ext_ack *extack)
2936 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2937 u8 genmask = nft_genmask_cur(net);
2938 const struct nft_chain *chain;
2939 const struct nft_rule *rule;
2940 struct nft_table *table;
2941 struct sk_buff *skb2;
2942 int family = nfmsg->nfgen_family;
2945 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2946 struct netlink_dump_control c = {
2947 .start= nf_tables_dump_rules_start,
2948 .dump = nf_tables_dump_rules,
2949 .done = nf_tables_dump_rules_done,
2950 .module = THIS_MODULE,
2951 .data = (void *)nla,
2954 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2957 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2958 if (IS_ERR(table)) {
2959 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2960 return PTR_ERR(table);
2963 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2964 if (IS_ERR(chain)) {
2965 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2966 return PTR_ERR(chain);
2969 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2971 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2972 return PTR_ERR(rule);
2975 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2979 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2980 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2981 family, table, chain, rule, NULL);
2985 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2992 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2993 struct nft_rule *rule)
2995 struct nft_expr *expr, *next;
2998 * Careful: some expressions might not be initialized in case this
2999 * is called on error from nf_tables_newrule().
3001 expr = nft_expr_first(rule);
3002 while (expr != nft_expr_last(rule) && expr->ops) {
3003 next = nft_expr_next(expr);
3004 nf_tables_expr_destroy(ctx, expr);
3010 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3012 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3013 nf_tables_rule_destroy(ctx, rule);
3016 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3018 struct nft_expr *expr, *last;
3019 const struct nft_data *data;
3020 struct nft_rule *rule;
3023 if (ctx->level == NFT_JUMP_STACK_SIZE)
3026 list_for_each_entry(rule, &chain->rules, list) {
3027 if (!nft_is_active_next(ctx->net, rule))
3030 nft_rule_for_each_expr(expr, last, rule) {
3031 if (!expr->ops->validate)
3034 err = expr->ops->validate(ctx, expr, &data);
3042 EXPORT_SYMBOL_GPL(nft_chain_validate);
3044 static int nft_table_validate(struct net *net, const struct nft_table *table)
3046 struct nft_chain *chain;
3047 struct nft_ctx ctx = {
3049 .family = table->family,
3053 list_for_each_entry(chain, &table->chains, list) {
3054 if (!nft_is_base_chain(chain))
3058 err = nft_chain_validate(&ctx, chain);
3066 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3067 const struct nlattr *nla);
3069 #define NFT_RULE_MAXEXPRS 128
3071 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3072 struct sk_buff *skb, const struct nlmsghdr *nlh,
3073 const struct nlattr * const nla[],
3074 struct netlink_ext_ack *extack)
3076 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3077 u8 genmask = nft_genmask_next(net);
3078 struct nft_expr_info *info = NULL;
3079 int family = nfmsg->nfgen_family;
3080 struct nft_flow_rule *flow;
3081 struct nft_table *table;
3082 struct nft_chain *chain;
3083 struct nft_rule *rule, *old_rule = NULL;
3084 struct nft_userdata *udata;
3085 struct nft_trans *trans = NULL;
3086 struct nft_expr *expr;
3089 unsigned int size, i, n, ulen = 0, usize = 0;
3091 u64 handle, pos_handle;
3093 lockdep_assert_held(&net->nft.commit_mutex);
3095 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3096 if (IS_ERR(table)) {
3097 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3098 return PTR_ERR(table);
3101 if (nla[NFTA_RULE_CHAIN]) {
3102 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3104 if (IS_ERR(chain)) {
3105 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3106 return PTR_ERR(chain);
3108 if (nft_chain_is_bound(chain))
3111 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3112 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3113 if (IS_ERR(chain)) {
3114 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3115 return PTR_ERR(chain);
3121 if (nla[NFTA_RULE_HANDLE]) {
3122 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3123 rule = __nft_rule_lookup(chain, handle);
3125 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3126 return PTR_ERR(rule);
3129 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3130 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3133 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3138 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3139 nlh->nlmsg_flags & NLM_F_REPLACE)
3141 handle = nf_tables_alloc_handle(table);
3143 if (chain->use == UINT_MAX)
3146 if (nla[NFTA_RULE_POSITION]) {
3147 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3148 old_rule = __nft_rule_lookup(chain, pos_handle);
3149 if (IS_ERR(old_rule)) {
3150 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3151 return PTR_ERR(old_rule);
3153 } else if (nla[NFTA_RULE_POSITION_ID]) {
3154 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3155 if (IS_ERR(old_rule)) {
3156 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3157 return PTR_ERR(old_rule);
3162 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3166 if (nla[NFTA_RULE_EXPRESSIONS]) {
3167 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3168 sizeof(struct nft_expr_info),
3173 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3175 if (nla_type(tmp) != NFTA_LIST_ELEM)
3177 if (n == NFT_RULE_MAXEXPRS)
3179 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3182 size += info[n].ops->size;
3186 /* Check for overflow of dlen field */
3188 if (size >= 1 << 12)
3191 if (nla[NFTA_RULE_USERDATA]) {
3192 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3194 usize = sizeof(struct nft_userdata) + ulen;
3198 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3202 nft_activate_next(net, rule);
3204 rule->handle = handle;
3206 rule->udata = ulen ? 1 : 0;
3209 udata = nft_userdata(rule);
3210 udata->len = ulen - 1;
3211 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3214 expr = nft_expr_first(rule);
3215 for (i = 0; i < n; i++) {
3216 err = nf_tables_newexpr(&ctx, &info[i], expr);
3220 if (info[i].ops->validate)
3221 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3224 expr = nft_expr_next(expr);
3227 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3228 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3229 if (trans == NULL) {
3233 err = nft_delrule(&ctx, old_rule);
3235 nft_trans_destroy(trans);
3239 list_add_tail_rcu(&rule->list, &old_rule->list);
3241 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3247 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3249 list_add_rcu(&rule->list, &old_rule->list);
3251 list_add_tail_rcu(&rule->list, &chain->rules);
3254 list_add_tail_rcu(&rule->list, &old_rule->list);
3256 list_add_rcu(&rule->list, &chain->rules);
3262 if (net->nft.validate_state == NFT_VALIDATE_DO)
3263 return nft_table_validate(net, table);
3265 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3266 flow = nft_flow_rule_create(net, rule);
3268 return PTR_ERR(flow);
3270 nft_trans_flow_rule(trans) = flow;
3275 nf_tables_rule_release(&ctx, rule);
3277 for (i = 0; i < n; i++) {
3279 module_put(info[i].ops->type->owner);
3280 if (info[i].ops->type->release_ops)
3281 info[i].ops->type->release_ops(info[i].ops);
3288 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3289 const struct nlattr *nla)
3291 u32 id = ntohl(nla_get_be32(nla));
3292 struct nft_trans *trans;
3294 list_for_each_entry(trans, &net->nft.commit_list, list) {
3295 struct nft_rule *rule = nft_trans_rule(trans);
3297 if (trans->msg_type == NFT_MSG_NEWRULE &&
3298 id == nft_trans_rule_id(trans))
3301 return ERR_PTR(-ENOENT);
3304 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3305 struct sk_buff *skb, const struct nlmsghdr *nlh,
3306 const struct nlattr * const nla[],
3307 struct netlink_ext_ack *extack)
3309 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3310 u8 genmask = nft_genmask_next(net);
3311 struct nft_table *table;
3312 struct nft_chain *chain = NULL;
3313 struct nft_rule *rule;
3314 int family = nfmsg->nfgen_family, err = 0;
3317 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3318 if (IS_ERR(table)) {
3319 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3320 return PTR_ERR(table);
3323 if (nla[NFTA_RULE_CHAIN]) {
3324 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3326 if (IS_ERR(chain)) {
3327 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3328 return PTR_ERR(chain);
3330 if (nft_chain_is_bound(chain))
3334 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3337 if (nla[NFTA_RULE_HANDLE]) {
3338 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3340 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3341 return PTR_ERR(rule);
3344 err = nft_delrule(&ctx, rule);
3345 } else if (nla[NFTA_RULE_ID]) {
3346 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3348 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3349 return PTR_ERR(rule);
3352 err = nft_delrule(&ctx, rule);
3354 err = nft_delrule_by_chain(&ctx);
3357 list_for_each_entry(chain, &table->chains, list) {
3358 if (!nft_is_active_next(net, chain))
3362 err = nft_delrule_by_chain(&ctx);
3374 static const struct nft_set_type *nft_set_types[] = {
3375 &nft_set_hash_fast_type,
3377 &nft_set_rhash_type,
3378 &nft_set_bitmap_type,
3379 &nft_set_rbtree_type,
3380 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3381 &nft_set_pipapo_avx2_type,
3383 &nft_set_pipapo_type,
3386 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3387 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3390 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3392 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3396 * Select a set implementation based on the data characteristics and the
3397 * given policy. The total memory use might not be known if no size is
3398 * given, in that case the amount of memory per element is used.
3400 static const struct nft_set_ops *
3401 nft_select_set_ops(const struct nft_ctx *ctx,
3402 const struct nlattr * const nla[],
3403 const struct nft_set_desc *desc,
3404 enum nft_set_policies policy)
3406 const struct nft_set_ops *ops, *bops;
3407 struct nft_set_estimate est, best;
3408 const struct nft_set_type *type;
3412 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3413 lockdep_nfnl_nft_mutex_not_held();
3415 if (nla[NFTA_SET_FLAGS] != NULL)
3416 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3423 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3424 type = nft_set_types[i];
3427 if (!nft_set_ops_candidate(type, flags))
3429 if (!ops->estimate(desc, flags, &est))
3433 case NFT_SET_POL_PERFORMANCE:
3434 if (est.lookup < best.lookup)
3436 if (est.lookup == best.lookup &&
3437 est.space < best.space)
3440 case NFT_SET_POL_MEMORY:
3442 if (est.space < best.space)
3444 if (est.space == best.space &&
3445 est.lookup < best.lookup)
3447 } else if (est.size < best.size || !bops) {
3462 return ERR_PTR(-EOPNOTSUPP);
3465 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3466 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3467 .len = NFT_TABLE_MAXNAMELEN - 1 },
3468 [NFTA_SET_NAME] = { .type = NLA_STRING,
3469 .len = NFT_SET_MAXNAMELEN - 1 },
3470 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3471 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3472 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3473 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3474 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3475 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3476 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3477 [NFTA_SET_ID] = { .type = NLA_U32 },
3478 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3479 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3480 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3481 .len = NFT_USERDATA_MAXLEN },
3482 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3483 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3484 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3487 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3488 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3489 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3492 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3493 const struct sk_buff *skb,
3494 const struct nlmsghdr *nlh,
3495 const struct nlattr * const nla[],
3496 struct netlink_ext_ack *extack,
3499 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3500 int family = nfmsg->nfgen_family;
3501 struct nft_table *table = NULL;
3503 if (nla[NFTA_SET_TABLE] != NULL) {
3504 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3506 if (IS_ERR(table)) {
3507 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3508 return PTR_ERR(table);
3512 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3516 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3517 const struct nlattr *nla, u8 genmask)
3519 struct nft_set *set;
3522 return ERR_PTR(-EINVAL);
3524 list_for_each_entry_rcu(set, &table->sets, list) {
3525 if (!nla_strcmp(nla, set->name) &&
3526 nft_active_genmask(set, genmask))
3529 return ERR_PTR(-ENOENT);
3532 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3533 const struct nlattr *nla,
3536 struct nft_set *set;
3538 list_for_each_entry(set, &table->sets, list) {
3539 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3540 nft_active_genmask(set, genmask))
3543 return ERR_PTR(-ENOENT);
3546 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3547 const struct nlattr *nla, u8 genmask)
3549 struct nft_trans *trans;
3550 u32 id = ntohl(nla_get_be32(nla));
3552 list_for_each_entry(trans, &net->nft.commit_list, list) {
3553 if (trans->msg_type == NFT_MSG_NEWSET) {
3554 struct nft_set *set = nft_trans_set(trans);
3556 if (id == nft_trans_set_id(trans) &&
3557 nft_active_genmask(set, genmask))
3561 return ERR_PTR(-ENOENT);
3564 struct nft_set *nft_set_lookup_global(const struct net *net,
3565 const struct nft_table *table,
3566 const struct nlattr *nla_set_name,
3567 const struct nlattr *nla_set_id,
3570 struct nft_set *set;
3572 set = nft_set_lookup(table, nla_set_name, genmask);
3577 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3581 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3583 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3586 const struct nft_set *i;
3588 unsigned long *inuse;
3589 unsigned int n = 0, min = 0;
3591 p = strchr(name, '%');
3593 if (p[1] != 'd' || strchr(p + 2, '%'))
3596 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3600 list_for_each_entry(i, &ctx->table->sets, list) {
3603 if (!nft_is_active_next(ctx->net, set))
3605 if (!sscanf(i->name, name, &tmp))
3607 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3610 set_bit(tmp - min, inuse);
3613 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3614 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3615 min += BITS_PER_BYTE * PAGE_SIZE;
3616 memset(inuse, 0, PAGE_SIZE);
3619 free_page((unsigned long)inuse);
3622 set->name = kasprintf(GFP_KERNEL, name, min + n);
3626 list_for_each_entry(i, &ctx->table->sets, list) {
3627 if (!nft_is_active_next(ctx->net, i))
3629 if (!strcmp(set->name, i->name)) {
3638 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3640 u64 ms = be64_to_cpu(nla_get_be64(nla));
3641 u64 max = (u64)(~((u64)0));
3643 max = div_u64(max, NSEC_PER_MSEC);
3647 ms *= NSEC_PER_MSEC;
3648 *result = nsecs_to_jiffies64(ms);
3652 static __be64 nf_jiffies64_to_msecs(u64 input)
3654 return cpu_to_be64(jiffies64_to_msecs(input));
3657 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3658 const struct nft_set *set)
3660 struct nlattr *concat, *field;
3663 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3667 for (i = 0; i < set->field_count; i++) {
3668 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3672 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3673 htonl(set->field_len[i])))
3676 nla_nest_end(skb, field);
3679 nla_nest_end(skb, concat);
3684 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3685 const struct nft_set *set, u16 event, u16 flags)
3687 struct nfgenmsg *nfmsg;
3688 struct nlmsghdr *nlh;
3689 u32 portid = ctx->portid;
3690 struct nlattr *nest;
3693 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3694 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3697 goto nla_put_failure;
3699 nfmsg = nlmsg_data(nlh);
3700 nfmsg->nfgen_family = ctx->family;
3701 nfmsg->version = NFNETLINK_V0;
3702 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3704 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3705 goto nla_put_failure;
3706 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3707 goto nla_put_failure;
3708 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3710 goto nla_put_failure;
3711 if (set->flags != 0)
3712 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3713 goto nla_put_failure;
3715 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3716 goto nla_put_failure;
3717 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3718 goto nla_put_failure;
3719 if (set->flags & NFT_SET_MAP) {
3720 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3721 goto nla_put_failure;
3722 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3723 goto nla_put_failure;
3725 if (set->flags & NFT_SET_OBJECT &&
3726 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3727 goto nla_put_failure;
3730 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3731 nf_jiffies64_to_msecs(set->timeout),
3733 goto nla_put_failure;
3735 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3736 goto nla_put_failure;
3738 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3739 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3740 goto nla_put_failure;
3743 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3744 goto nla_put_failure;
3746 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3748 goto nla_put_failure;
3750 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3751 goto nla_put_failure;
3753 if (set->field_count > 1 &&
3754 nf_tables_fill_set_concat(skb, set))
3755 goto nla_put_failure;
3757 nla_nest_end(skb, nest);
3760 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3761 if (nf_tables_fill_expr_info(skb, set->expr) < 0)
3762 goto nla_put_failure;
3764 nla_nest_end(skb, nest);
3767 nlmsg_end(skb, nlh);
3771 nlmsg_trim(skb, nlh);
3775 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3776 const struct nft_set *set, int event,
3779 struct sk_buff *skb;
3780 u32 portid = ctx->portid;
3784 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3787 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3791 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3797 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3801 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3804 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3806 const struct nft_set *set;
3807 unsigned int idx, s_idx = cb->args[0];
3808 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3809 struct net *net = sock_net(skb->sk);
3810 struct nft_ctx *ctx = cb->data, ctx_set;
3816 cb->seq = net->nft.base_seq;
3818 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3819 if (ctx->family != NFPROTO_UNSPEC &&
3820 ctx->family != table->family)
3823 if (ctx->table && ctx->table != table)
3827 if (cur_table != table)
3833 list_for_each_entry_rcu(set, &table->sets, list) {
3836 if (!nft_is_active(net, set))
3840 ctx_set.table = table;
3841 ctx_set.family = table->family;
3843 if (nf_tables_fill_set(skb, &ctx_set, set,
3847 cb->args[2] = (unsigned long) table;
3850 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3863 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3865 struct nft_ctx *ctx_dump = NULL;
3867 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3868 if (ctx_dump == NULL)
3871 cb->data = ctx_dump;
3875 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3881 /* called with rcu_read_lock held */
3882 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3883 struct sk_buff *skb, const struct nlmsghdr *nlh,
3884 const struct nlattr * const nla[],
3885 struct netlink_ext_ack *extack)
3887 u8 genmask = nft_genmask_cur(net);
3888 const struct nft_set *set;
3890 struct sk_buff *skb2;
3891 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3894 /* Verify existence before starting dump */
3895 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3900 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3901 struct netlink_dump_control c = {
3902 .start = nf_tables_dump_sets_start,
3903 .dump = nf_tables_dump_sets,
3904 .done = nf_tables_dump_sets_done,
3906 .module = THIS_MODULE,
3909 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3912 /* Only accept unspec with dump */
3913 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3914 return -EAFNOSUPPORT;
3915 if (!nla[NFTA_SET_TABLE])
3918 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3920 return PTR_ERR(set);
3922 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3926 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3930 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3937 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
3938 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
3941 static int nft_set_desc_concat_parse(const struct nlattr *attr,
3942 struct nft_set_desc *desc)
3944 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
3948 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
3949 nft_concat_policy, NULL);
3953 if (!tb[NFTA_SET_FIELD_LEN])
3956 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
3958 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
3961 desc->field_len[desc->field_count++] = len;
3966 static int nft_set_desc_concat(struct nft_set_desc *desc,
3967 const struct nlattr *nla)
3969 struct nlattr *attr;
3972 nla_for_each_nested(attr, nla, rem) {
3973 if (nla_type(attr) != NFTA_LIST_ELEM)
3976 err = nft_set_desc_concat_parse(attr, desc);
3984 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3985 const struct nlattr *nla)
3987 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3990 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3991 nft_set_desc_policy, NULL);
3995 if (da[NFTA_SET_DESC_SIZE] != NULL)
3996 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3997 if (da[NFTA_SET_DESC_CONCAT])
3998 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4003 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4004 struct sk_buff *skb, const struct nlmsghdr *nlh,
4005 const struct nlattr * const nla[],
4006 struct netlink_ext_ack *extack)
4008 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4009 u8 genmask = nft_genmask_next(net);
4010 int family = nfmsg->nfgen_family;
4011 const struct nft_set_ops *ops;
4012 struct nft_expr *expr = NULL;
4013 struct nft_table *table;
4014 struct nft_set *set;
4019 u32 ktype, dtype, flags, policy, gc_int, objtype;
4020 struct nft_set_desc desc;
4021 unsigned char *udata;
4026 if (nla[NFTA_SET_TABLE] == NULL ||
4027 nla[NFTA_SET_NAME] == NULL ||
4028 nla[NFTA_SET_KEY_LEN] == NULL ||
4029 nla[NFTA_SET_ID] == NULL)
4032 memset(&desc, 0, sizeof(desc));
4034 ktype = NFT_DATA_VALUE;
4035 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4036 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4037 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4041 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4042 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4046 if (nla[NFTA_SET_FLAGS] != NULL) {
4047 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4048 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4049 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4050 NFT_SET_MAP | NFT_SET_EVAL |
4051 NFT_SET_OBJECT | NFT_SET_CONCAT))
4053 /* Only one of these operations is supported */
4054 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4055 (NFT_SET_MAP | NFT_SET_OBJECT))
4057 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4058 (NFT_SET_EVAL | NFT_SET_OBJECT))
4063 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4064 if (!(flags & NFT_SET_MAP))
4067 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4068 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4069 dtype != NFT_DATA_VERDICT)
4072 if (dtype != NFT_DATA_VERDICT) {
4073 if (nla[NFTA_SET_DATA_LEN] == NULL)
4075 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4076 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4079 desc.dlen = sizeof(struct nft_verdict);
4080 } else if (flags & NFT_SET_MAP)
4083 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4084 if (!(flags & NFT_SET_OBJECT))
4087 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4088 if (objtype == NFT_OBJECT_UNSPEC ||
4089 objtype > NFT_OBJECT_MAX)
4091 } else if (flags & NFT_SET_OBJECT)
4094 objtype = NFT_OBJECT_UNSPEC;
4097 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4098 if (!(flags & NFT_SET_TIMEOUT))
4101 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4106 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4107 if (!(flags & NFT_SET_TIMEOUT))
4109 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4112 policy = NFT_SET_POL_PERFORMANCE;
4113 if (nla[NFTA_SET_POLICY] != NULL)
4114 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4116 if (nla[NFTA_SET_DESC] != NULL) {
4117 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4122 if (nla[NFTA_SET_EXPR])
4125 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4126 if (IS_ERR(table)) {
4127 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4128 return PTR_ERR(table);
4131 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4133 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4135 if (PTR_ERR(set) != -ENOENT) {
4136 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4137 return PTR_ERR(set);
4140 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4141 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4144 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4150 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4153 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4155 return PTR_ERR(ops);
4158 if (nla[NFTA_SET_USERDATA])
4159 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4162 if (ops->privsize != NULL)
4163 size = ops->privsize(nla, &desc);
4165 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4169 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4175 err = nf_tables_set_alloc_name(&ctx, set, name);
4178 goto err_set_alloc_name;
4180 if (nla[NFTA_SET_EXPR]) {
4181 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4183 err = PTR_ERR(expr);
4184 goto err_set_alloc_name;
4190 udata = set->data + size;
4191 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4194 INIT_LIST_HEAD(&set->bindings);
4196 write_pnet(&set->net, net);
4199 set->klen = desc.klen;
4201 set->objtype = objtype;
4202 set->dlen = desc.dlen;
4205 set->size = desc.size;
4206 set->policy = policy;
4209 set->timeout = timeout;
4210 set->gc_int = gc_int;
4211 set->handle = nf_tables_alloc_handle(table);
4213 set->field_count = desc.field_count;
4214 for (i = 0; i < desc.field_count; i++)
4215 set->field_len[i] = desc.field_len[i];
4217 err = ops->init(set, &desc, nla);
4221 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4225 list_add_tail_rcu(&set->list, &table->sets);
4233 nft_expr_destroy(&ctx, expr);
4241 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4243 if (WARN_ON(set->use > 0))
4247 nft_expr_destroy(ctx, set->expr);
4249 set->ops->destroy(set);
4254 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4255 struct sk_buff *skb, const struct nlmsghdr *nlh,
4256 const struct nlattr * const nla[],
4257 struct netlink_ext_ack *extack)
4259 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4260 u8 genmask = nft_genmask_next(net);
4261 const struct nlattr *attr;
4262 struct nft_set *set;
4266 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4267 return -EAFNOSUPPORT;
4268 if (nla[NFTA_SET_TABLE] == NULL)
4271 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4276 if (nla[NFTA_SET_HANDLE]) {
4277 attr = nla[NFTA_SET_HANDLE];
4278 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4280 attr = nla[NFTA_SET_NAME];
4281 set = nft_set_lookup(ctx.table, attr, genmask);
4285 NL_SET_BAD_ATTR(extack, attr);
4286 return PTR_ERR(set);
4289 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4290 NL_SET_BAD_ATTR(extack, attr);
4294 return nft_delset(&ctx, set);
4297 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4298 struct nft_set *set,
4299 const struct nft_set_iter *iter,
4300 struct nft_set_elem *elem)
4302 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4303 enum nft_registers dreg;
4305 dreg = nft_type_to_reg(set->dtype);
4306 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4307 set->dtype == NFT_DATA_VERDICT ?
4308 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4312 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4313 struct nft_set_binding *binding)
4315 struct nft_set_binding *i;
4316 struct nft_set_iter iter;
4318 if (set->use == UINT_MAX)
4321 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4324 if (binding->flags & NFT_SET_MAP) {
4325 /* If the set is already bound to the same chain all
4326 * jumps are already validated for that chain.
4328 list_for_each_entry(i, &set->bindings, list) {
4329 if (i->flags & NFT_SET_MAP &&
4330 i->chain == binding->chain)
4334 iter.genmask = nft_genmask_next(ctx->net);
4338 iter.fn = nf_tables_bind_check_setelem;
4340 set->ops->walk(ctx, set, &iter);
4345 binding->chain = ctx->chain;
4346 list_add_tail_rcu(&binding->list, &set->bindings);
4347 nft_set_trans_bind(ctx, set);
4352 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4354 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4355 struct nft_set_binding *binding, bool event)
4357 list_del_rcu(&binding->list);
4359 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4360 list_del_rcu(&set->list);
4362 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4367 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4368 struct nft_set_binding *binding,
4369 enum nft_trans_phase phase)
4372 case NFT_TRANS_PREPARE:
4375 case NFT_TRANS_ABORT:
4376 case NFT_TRANS_RELEASE:
4380 nf_tables_unbind_set(ctx, set, binding,
4381 phase == NFT_TRANS_COMMIT);
4384 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4386 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4388 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4389 nft_set_destroy(ctx, set);
4391 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4393 const struct nft_set_ext_type nft_set_ext_types[] = {
4394 [NFT_SET_EXT_KEY] = {
4395 .align = __alignof__(u32),
4397 [NFT_SET_EXT_DATA] = {
4398 .align = __alignof__(u32),
4400 [NFT_SET_EXT_EXPR] = {
4401 .align = __alignof__(struct nft_expr),
4403 [NFT_SET_EXT_OBJREF] = {
4404 .len = sizeof(struct nft_object *),
4405 .align = __alignof__(struct nft_object *),
4407 [NFT_SET_EXT_FLAGS] = {
4409 .align = __alignof__(u8),
4411 [NFT_SET_EXT_TIMEOUT] = {
4413 .align = __alignof__(u64),
4415 [NFT_SET_EXT_EXPIRATION] = {
4417 .align = __alignof__(u64),
4419 [NFT_SET_EXT_USERDATA] = {
4420 .len = sizeof(struct nft_userdata),
4421 .align = __alignof__(struct nft_userdata),
4423 [NFT_SET_EXT_KEY_END] = {
4424 .align = __alignof__(u32),
4432 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4433 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4434 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4435 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4436 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4437 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4438 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4439 .len = NFT_USERDATA_MAXLEN },
4440 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4441 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4442 .len = NFT_OBJ_MAXNAMELEN - 1 },
4443 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4446 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4447 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4448 .len = NFT_TABLE_MAXNAMELEN - 1 },
4449 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4450 .len = NFT_SET_MAXNAMELEN - 1 },
4451 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4452 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4455 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4456 const struct sk_buff *skb,
4457 const struct nlmsghdr *nlh,
4458 const struct nlattr * const nla[],
4459 struct netlink_ext_ack *extack,
4462 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4463 int family = nfmsg->nfgen_family;
4464 struct nft_table *table;
4466 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4468 if (IS_ERR(table)) {
4469 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4470 return PTR_ERR(table);
4473 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4477 static int nf_tables_fill_setelem(struct sk_buff *skb,
4478 const struct nft_set *set,
4479 const struct nft_set_elem *elem)
4481 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4482 unsigned char *b = skb_tail_pointer(skb);
4483 struct nlattr *nest;
4485 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4487 goto nla_put_failure;
4489 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4490 NFT_DATA_VALUE, set->klen) < 0)
4491 goto nla_put_failure;
4493 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4494 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4495 NFT_DATA_VALUE, set->klen) < 0)
4496 goto nla_put_failure;
4498 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4499 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4500 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4502 goto nla_put_failure;
4504 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4505 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4506 goto nla_put_failure;
4508 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4509 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4510 (*nft_set_ext_obj(ext))->key.name) < 0)
4511 goto nla_put_failure;
4513 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4514 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4515 htonl(*nft_set_ext_flags(ext))))
4516 goto nla_put_failure;
4518 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4519 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4520 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4522 goto nla_put_failure;
4524 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4525 u64 expires, now = get_jiffies_64();
4527 expires = *nft_set_ext_expiration(ext);
4528 if (time_before64(now, expires))
4533 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4534 nf_jiffies64_to_msecs(expires),
4536 goto nla_put_failure;
4539 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4540 struct nft_userdata *udata;
4542 udata = nft_set_ext_userdata(ext);
4543 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4544 udata->len + 1, udata->data))
4545 goto nla_put_failure;
4548 nla_nest_end(skb, nest);
4556 struct nft_set_dump_args {
4557 const struct netlink_callback *cb;
4558 struct nft_set_iter iter;
4559 struct sk_buff *skb;
4562 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4563 struct nft_set *set,
4564 const struct nft_set_iter *iter,
4565 struct nft_set_elem *elem)
4567 struct nft_set_dump_args *args;
4569 args = container_of(iter, struct nft_set_dump_args, iter);
4570 return nf_tables_fill_setelem(args->skb, set, elem);
4573 struct nft_set_dump_ctx {
4574 const struct nft_set *set;
4578 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4580 struct nft_set_dump_ctx *dump_ctx = cb->data;
4581 struct net *net = sock_net(skb->sk);
4582 struct nft_table *table;
4583 struct nft_set *set;
4584 struct nft_set_dump_args args;
4585 bool set_found = false;
4586 struct nfgenmsg *nfmsg;
4587 struct nlmsghdr *nlh;
4588 struct nlattr *nest;
4593 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4594 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4595 dump_ctx->ctx.family != table->family)
4598 if (table != dump_ctx->ctx.table)
4601 list_for_each_entry_rcu(set, &table->sets, list) {
4602 if (set == dump_ctx->set) {
4615 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4616 portid = NETLINK_CB(cb->skb).portid;
4617 seq = cb->nlh->nlmsg_seq;
4619 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4622 goto nla_put_failure;
4624 nfmsg = nlmsg_data(nlh);
4625 nfmsg->nfgen_family = table->family;
4626 nfmsg->version = NFNETLINK_V0;
4627 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4629 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4630 goto nla_put_failure;
4631 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4632 goto nla_put_failure;
4634 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4636 goto nla_put_failure;
4640 args.iter.genmask = nft_genmask_cur(net);
4641 args.iter.skip = cb->args[0];
4642 args.iter.count = 0;
4644 args.iter.fn = nf_tables_dump_setelem;
4645 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4648 nla_nest_end(skb, nest);
4649 nlmsg_end(skb, nlh);
4651 if (args.iter.err && args.iter.err != -EMSGSIZE)
4652 return args.iter.err;
4653 if (args.iter.count == cb->args[0])
4656 cb->args[0] = args.iter.count;
4664 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4666 struct nft_set_dump_ctx *dump_ctx = cb->data;
4668 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4670 return cb->data ? 0 : -ENOMEM;
4673 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4679 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4680 const struct nft_ctx *ctx, u32 seq,
4681 u32 portid, int event, u16 flags,
4682 const struct nft_set *set,
4683 const struct nft_set_elem *elem)
4685 struct nfgenmsg *nfmsg;
4686 struct nlmsghdr *nlh;
4687 struct nlattr *nest;
4690 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4691 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4694 goto nla_put_failure;
4696 nfmsg = nlmsg_data(nlh);
4697 nfmsg->nfgen_family = ctx->family;
4698 nfmsg->version = NFNETLINK_V0;
4699 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4701 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4702 goto nla_put_failure;
4703 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4704 goto nla_put_failure;
4706 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4708 goto nla_put_failure;
4710 err = nf_tables_fill_setelem(skb, set, elem);
4712 goto nla_put_failure;
4714 nla_nest_end(skb, nest);
4716 nlmsg_end(skb, nlh);
4720 nlmsg_trim(skb, nlh);
4724 static int nft_setelem_parse_flags(const struct nft_set *set,
4725 const struct nlattr *attr, u32 *flags)
4730 *flags = ntohl(nla_get_be32(attr));
4731 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4733 if (!(set->flags & NFT_SET_INTERVAL) &&
4734 *flags & NFT_SET_ELEM_INTERVAL_END)
4740 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4741 struct nft_data *key, struct nlattr *attr)
4743 struct nft_data_desc desc;
4746 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4750 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4751 nft_data_release(key, desc.type);
4758 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4759 struct nft_data_desc *desc,
4760 struct nft_data *data,
4761 struct nlattr *attr)
4765 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4769 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4770 nft_data_release(data, desc->type);
4777 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4778 const struct nlattr *attr)
4780 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4781 struct nft_set_elem elem;
4782 struct sk_buff *skb;
4787 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4788 nft_set_elem_policy, NULL);
4792 if (!nla[NFTA_SET_ELEM_KEY])
4795 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4799 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4800 nla[NFTA_SET_ELEM_KEY]);
4804 if (nla[NFTA_SET_ELEM_KEY_END]) {
4805 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4806 nla[NFTA_SET_ELEM_KEY_END]);
4811 priv = set->ops->get(ctx->net, set, &elem, flags);
4813 return PTR_ERR(priv);
4818 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4822 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4823 NFT_MSG_NEWSETELEM, 0, set, &elem);
4827 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4828 /* This avoids a loop in nfnetlink. */
4836 /* this avoids a loop in nfnetlink. */
4837 return err == -EAGAIN ? -ENOBUFS : err;
4840 /* called with rcu_read_lock held */
4841 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4842 struct sk_buff *skb, const struct nlmsghdr *nlh,
4843 const struct nlattr * const nla[],
4844 struct netlink_ext_ack *extack)
4846 u8 genmask = nft_genmask_cur(net);
4847 struct nft_set *set;
4848 struct nlattr *attr;
4852 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4857 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4859 return PTR_ERR(set);
4861 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4862 struct netlink_dump_control c = {
4863 .start = nf_tables_dump_set_start,
4864 .dump = nf_tables_dump_set,
4865 .done = nf_tables_dump_set_done,
4866 .module = THIS_MODULE,
4868 struct nft_set_dump_ctx dump_ctx = {
4874 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4877 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4880 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4881 err = nft_get_set_elem(&ctx, set, attr);
4889 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4890 const struct nft_set *set,
4891 const struct nft_set_elem *elem,
4892 int event, u16 flags)
4894 struct net *net = ctx->net;
4895 u32 portid = ctx->portid;
4896 struct sk_buff *skb;
4899 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4902 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4906 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4913 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4917 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4920 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4922 struct nft_set *set)
4924 struct nft_trans *trans;
4926 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4930 nft_trans_elem_set(trans) = set;
4934 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
4935 const struct nft_set *set,
4936 const struct nlattr *attr)
4938 struct nft_expr *expr;
4941 expr = nft_expr_init(ctx, attr);
4946 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
4947 goto err_set_elem_expr;
4949 if (expr->ops->type->flags & NFT_EXPR_GC) {
4950 if (set->flags & NFT_SET_TIMEOUT)
4951 goto err_set_elem_expr;
4952 if (!set->ops->gc_init)
4953 goto err_set_elem_expr;
4954 set->ops->gc_init(set);
4960 nft_expr_destroy(ctx, expr);
4961 return ERR_PTR(err);
4964 void *nft_set_elem_init(const struct nft_set *set,
4965 const struct nft_set_ext_tmpl *tmpl,
4966 const u32 *key, const u32 *key_end,
4967 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
4969 struct nft_set_ext *ext;
4972 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4976 ext = nft_set_elem_ext(set, elem);
4977 nft_set_ext_init(ext, tmpl);
4979 memcpy(nft_set_ext_key(ext), key, set->klen);
4980 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
4981 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
4982 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4983 memcpy(nft_set_ext_data(ext), data, set->dlen);
4984 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4985 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4986 if (expiration == 0)
4987 *nft_set_ext_expiration(ext) += timeout;
4989 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4990 *nft_set_ext_timeout(ext) = timeout;
4995 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
4996 struct nft_expr *expr)
4998 if (expr->ops->destroy_clone) {
4999 expr->ops->destroy_clone(ctx, expr);
5000 module_put(expr->ops->type->owner);
5002 nf_tables_expr_destroy(ctx, expr);
5006 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5009 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5010 struct nft_ctx ctx = {
5011 .net = read_pnet(&set->net),
5012 .family = set->table->family,
5015 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5016 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5017 nft_data_release(nft_set_ext_data(ext), set->dtype);
5018 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5019 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5021 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5022 (*nft_set_ext_obj(ext))->use--;
5025 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5027 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5028 * the refcounting from the preparation phase.
5030 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5031 const struct nft_set *set, void *elem)
5033 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5035 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5036 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5041 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5042 const struct nlattr *attr, u32 nlmsg_flags)
5044 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5045 u8 genmask = nft_genmask_next(ctx->net);
5046 struct nft_set_ext_tmpl tmpl;
5047 struct nft_set_ext *ext, *ext2;
5048 struct nft_set_elem elem;
5049 struct nft_set_binding *binding;
5050 struct nft_object *obj = NULL;
5051 struct nft_expr *expr = NULL;
5052 struct nft_userdata *udata;
5053 struct nft_data_desc desc;
5054 enum nft_registers dreg;
5055 struct nft_trans *trans;
5062 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5063 nft_set_elem_policy, NULL);
5067 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5070 nft_set_ext_prepare(&tmpl);
5072 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5076 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5078 if (set->flags & NFT_SET_MAP) {
5079 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5080 !(flags & NFT_SET_ELEM_INTERVAL_END))
5083 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5087 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5088 (nla[NFTA_SET_ELEM_DATA] ||
5089 nla[NFTA_SET_ELEM_OBJREF] ||
5090 nla[NFTA_SET_ELEM_TIMEOUT] ||
5091 nla[NFTA_SET_ELEM_EXPIRATION] ||
5092 nla[NFTA_SET_ELEM_USERDATA] ||
5093 nla[NFTA_SET_ELEM_EXPR]))
5097 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5098 if (!(set->flags & NFT_SET_TIMEOUT))
5100 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5104 } else if (set->flags & NFT_SET_TIMEOUT) {
5105 timeout = set->timeout;
5109 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5110 if (!(set->flags & NFT_SET_TIMEOUT))
5112 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5118 if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
5119 expr = nft_set_elem_expr_alloc(ctx, set,
5120 nla[NFTA_SET_ELEM_EXPR]);
5122 return PTR_ERR(expr);
5125 if (set->expr && set->expr->ops != expr->ops)
5126 goto err_set_elem_expr;
5127 } else if (set->expr) {
5128 expr = kzalloc(set->expr->ops->size, GFP_KERNEL);
5132 err = nft_expr_clone(expr, set->expr);
5134 goto err_set_elem_expr;
5137 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5138 nla[NFTA_SET_ELEM_KEY]);
5140 goto err_set_elem_expr;
5142 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5144 if (nla[NFTA_SET_ELEM_KEY_END]) {
5145 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5146 nla[NFTA_SET_ELEM_KEY_END]);
5150 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5154 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5155 if (timeout != set->timeout)
5156 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5160 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
5163 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5164 if (!(set->flags & NFT_SET_OBJECT)) {
5166 goto err_parse_key_end;
5168 obj = nft_obj_lookup(ctx->net, ctx->table,
5169 nla[NFTA_SET_ELEM_OBJREF],
5170 set->objtype, genmask);
5173 goto err_parse_key_end;
5175 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5178 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5179 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5180 nla[NFTA_SET_ELEM_DATA]);
5182 goto err_parse_key_end;
5184 dreg = nft_type_to_reg(set->dtype);
5185 list_for_each_entry(binding, &set->bindings, list) {
5186 struct nft_ctx bind_ctx = {
5188 .family = ctx->family,
5189 .table = ctx->table,
5190 .chain = (struct nft_chain *)binding->chain,
5193 if (!(binding->flags & NFT_SET_MAP))
5196 err = nft_validate_register_store(&bind_ctx, dreg,
5198 desc.type, desc.len);
5200 goto err_parse_data;
5202 if (desc.type == NFT_DATA_VERDICT &&
5203 (elem.data.val.verdict.code == NFT_GOTO ||
5204 elem.data.val.verdict.code == NFT_JUMP))
5205 nft_validate_state_update(ctx->net,
5209 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5212 /* The full maximum length of userdata can exceed the maximum
5213 * offset value (U8_MAX) for following extensions, therefor it
5214 * must be the last extension added.
5217 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5218 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5220 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5225 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5226 elem.key_end.val.data, elem.data.val.data,
5227 timeout, expiration, GFP_KERNEL);
5228 if (elem.priv == NULL)
5229 goto err_parse_data;
5231 ext = nft_set_elem_ext(set, elem.priv);
5233 *nft_set_ext_flags(ext) = flags;
5235 udata = nft_set_ext_userdata(ext);
5236 udata->len = ulen - 1;
5237 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5240 *nft_set_ext_obj(ext) = obj;
5244 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
5249 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5253 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5254 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5256 if (err == -EEXIST) {
5257 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5258 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5259 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5260 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
5262 goto err_element_clash;
5264 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5265 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5266 memcmp(nft_set_ext_data(ext),
5267 nft_set_ext_data(ext2), set->dlen) != 0) ||
5268 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5269 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5270 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5272 else if (!(nlmsg_flags & NLM_F_EXCL))
5274 } else if (err == -ENOTEMPTY) {
5275 /* ENOTEMPTY reports overlapping between this element
5276 * and an existing one.
5280 goto err_element_clash;
5284 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5289 nft_trans_elem(trans) = elem;
5290 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5294 set->ops->remove(ctx->net, set, &elem);
5301 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5303 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5304 nft_data_release(&elem.data.val, desc.type);
5306 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5308 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5311 nft_expr_destroy(ctx, expr);
5316 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5317 struct sk_buff *skb, const struct nlmsghdr *nlh,
5318 const struct nlattr * const nla[],
5319 struct netlink_ext_ack *extack)
5321 u8 genmask = nft_genmask_next(net);
5322 const struct nlattr *attr;
5323 struct nft_set *set;
5327 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5330 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5335 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5336 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5338 return PTR_ERR(set);
5340 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5343 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5344 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5349 if (net->nft.validate_state == NFT_VALIDATE_DO)
5350 return nft_table_validate(net, ctx.table);
5356 * nft_data_hold - hold a nft_data item
5358 * @data: struct nft_data to release
5359 * @type: type of data
5361 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5362 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5363 * NFT_GOTO verdicts. This function must be called on active data objects
5364 * from the second phase of the commit protocol.
5366 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5368 struct nft_chain *chain;
5369 struct nft_rule *rule;
5371 if (type == NFT_DATA_VERDICT) {
5372 switch (data->verdict.code) {
5375 chain = data->verdict.chain;
5378 if (!nft_chain_is_bound(chain))
5381 chain->table->use++;
5382 list_for_each_entry(rule, &chain->rules, list)
5385 nft_chain_add(chain->table, chain);
5391 static void nft_set_elem_activate(const struct net *net,
5392 const struct nft_set *set,
5393 struct nft_set_elem *elem)
5395 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5397 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5398 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5399 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5400 (*nft_set_ext_obj(ext))->use++;
5403 static void nft_set_elem_deactivate(const struct net *net,
5404 const struct nft_set *set,
5405 struct nft_set_elem *elem)
5407 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5409 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5410 nft_data_release(nft_set_ext_data(ext), set->dtype);
5411 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5412 (*nft_set_ext_obj(ext))->use--;
5415 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5416 const struct nlattr *attr)
5418 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5419 struct nft_set_ext_tmpl tmpl;
5420 struct nft_set_elem elem;
5421 struct nft_set_ext *ext;
5422 struct nft_trans *trans;
5427 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5428 nft_set_elem_policy, NULL);
5432 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5435 nft_set_ext_prepare(&tmpl);
5437 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5441 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5443 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5444 nla[NFTA_SET_ELEM_KEY]);
5448 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5450 if (nla[NFTA_SET_ELEM_KEY_END]) {
5451 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5452 nla[NFTA_SET_ELEM_KEY_END]);
5456 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5460 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5461 elem.key_end.val.data, NULL, 0, 0,
5463 if (elem.priv == NULL)
5466 ext = nft_set_elem_ext(set, elem.priv);
5468 *nft_set_ext_flags(ext) = flags;
5470 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5474 priv = set->ops->deactivate(ctx->net, set, &elem);
5482 nft_set_elem_deactivate(ctx->net, set, &elem);
5484 nft_trans_elem(trans) = elem;
5485 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5493 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5497 static int nft_flush_set(const struct nft_ctx *ctx,
5498 struct nft_set *set,
5499 const struct nft_set_iter *iter,
5500 struct nft_set_elem *elem)
5502 struct nft_trans *trans;
5505 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5506 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5510 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5516 nft_set_elem_deactivate(ctx->net, set, elem);
5517 nft_trans_elem_set(trans) = set;
5518 nft_trans_elem(trans) = *elem;
5519 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5527 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5528 struct sk_buff *skb, const struct nlmsghdr *nlh,
5529 const struct nlattr * const nla[],
5530 struct netlink_ext_ack *extack)
5532 u8 genmask = nft_genmask_next(net);
5533 const struct nlattr *attr;
5534 struct nft_set *set;
5538 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5543 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5545 return PTR_ERR(set);
5546 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5549 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5550 struct nft_set_iter iter = {
5552 .fn = nft_flush_set,
5554 set->ops->walk(&ctx, set, &iter);
5559 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5560 err = nft_del_setelem(&ctx, set, attr);
5569 void nft_set_gc_batch_release(struct rcu_head *rcu)
5571 struct nft_set_gc_batch *gcb;
5574 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5575 for (i = 0; i < gcb->head.cnt; i++)
5576 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5580 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5583 struct nft_set_gc_batch *gcb;
5585 gcb = kzalloc(sizeof(*gcb), gfp);
5588 gcb->head.set = set;
5597 * nft_register_obj- register nf_tables stateful object type
5598 * @obj_type: object type
5600 * Registers the object type for use with nf_tables. Returns zero on
5601 * success or a negative errno code otherwise.
5603 int nft_register_obj(struct nft_object_type *obj_type)
5605 if (obj_type->type == NFT_OBJECT_UNSPEC)
5608 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5609 list_add_rcu(&obj_type->list, &nf_tables_objects);
5610 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5613 EXPORT_SYMBOL_GPL(nft_register_obj);
5616 * nft_unregister_obj - unregister nf_tables object type
5617 * @obj_type: object type
5619 * Unregisters the object type for use with nf_tables.
5621 void nft_unregister_obj(struct nft_object_type *obj_type)
5623 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5624 list_del_rcu(&obj_type->list);
5625 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5627 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5629 struct nft_object *nft_obj_lookup(const struct net *net,
5630 const struct nft_table *table,
5631 const struct nlattr *nla, u32 objtype,
5634 struct nft_object_hash_key k = { .table = table };
5635 char search[NFT_OBJ_MAXNAMELEN];
5636 struct rhlist_head *tmp, *list;
5637 struct nft_object *obj;
5639 nla_strlcpy(search, nla, sizeof(search));
5642 WARN_ON_ONCE(!rcu_read_lock_held() &&
5643 !lockdep_commit_lock_is_held(net));
5646 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5650 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5651 if (objtype == obj->ops->type->type &&
5652 nft_active_genmask(obj, genmask)) {
5659 return ERR_PTR(-ENOENT);
5661 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5663 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5664 const struct nlattr *nla,
5665 u32 objtype, u8 genmask)
5667 struct nft_object *obj;
5669 list_for_each_entry(obj, &table->objects, list) {
5670 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5671 objtype == obj->ops->type->type &&
5672 nft_active_genmask(obj, genmask))
5675 return ERR_PTR(-ENOENT);
5678 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5679 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5680 .len = NFT_TABLE_MAXNAMELEN - 1 },
5681 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5682 .len = NFT_OBJ_MAXNAMELEN - 1 },
5683 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5684 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5685 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5688 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5689 const struct nft_object_type *type,
5690 const struct nlattr *attr)
5693 const struct nft_object_ops *ops;
5694 struct nft_object *obj;
5697 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5702 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5703 type->policy, NULL);
5707 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5710 if (type->select_ops) {
5711 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5721 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5725 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5738 return ERR_PTR(err);
5741 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5742 struct nft_object *obj, bool reset)
5744 struct nlattr *nest;
5746 nest = nla_nest_start_noflag(skb, attr);
5748 goto nla_put_failure;
5749 if (obj->ops->dump(skb, obj, reset) < 0)
5750 goto nla_put_failure;
5751 nla_nest_end(skb, nest);
5758 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5760 const struct nft_object_type *type;
5762 list_for_each_entry(type, &nf_tables_objects, list) {
5763 if (objtype == type->type)
5769 static const struct nft_object_type *
5770 nft_obj_type_get(struct net *net, u32 objtype)
5772 const struct nft_object_type *type;
5774 type = __nft_obj_type_get(objtype);
5775 if (type != NULL && try_module_get(type->owner))
5778 lockdep_nfnl_nft_mutex_not_held();
5779 #ifdef CONFIG_MODULES
5781 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5782 return ERR_PTR(-EAGAIN);
5785 return ERR_PTR(-ENOENT);
5788 static int nf_tables_updobj(const struct nft_ctx *ctx,
5789 const struct nft_object_type *type,
5790 const struct nlattr *attr,
5791 struct nft_object *obj)
5793 struct nft_object *newobj;
5794 struct nft_trans *trans;
5797 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5798 sizeof(struct nft_trans_obj));
5802 newobj = nft_obj_init(ctx, type, attr);
5803 if (IS_ERR(newobj)) {
5804 err = PTR_ERR(newobj);
5805 goto err_free_trans;
5808 nft_trans_obj(trans) = obj;
5809 nft_trans_obj_update(trans) = true;
5810 nft_trans_obj_newobj(trans) = newobj;
5811 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5820 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5821 struct sk_buff *skb, const struct nlmsghdr *nlh,
5822 const struct nlattr * const nla[],
5823 struct netlink_ext_ack *extack)
5825 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5826 const struct nft_object_type *type;
5827 u8 genmask = nft_genmask_next(net);
5828 int family = nfmsg->nfgen_family;
5829 struct nft_table *table;
5830 struct nft_object *obj;
5835 if (!nla[NFTA_OBJ_TYPE] ||
5836 !nla[NFTA_OBJ_NAME] ||
5837 !nla[NFTA_OBJ_DATA])
5840 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5841 if (IS_ERR(table)) {
5842 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5843 return PTR_ERR(table);
5846 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5847 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5850 if (err != -ENOENT) {
5851 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5855 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5856 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5859 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5862 type = __nft_obj_type_get(objtype);
5863 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5865 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5868 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5870 type = nft_obj_type_get(net, objtype);
5872 return PTR_ERR(type);
5874 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5879 obj->key.table = table;
5880 obj->handle = nf_tables_alloc_handle(table);
5882 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5883 if (!obj->key.name) {
5888 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5892 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5893 nft_objname_ht_params);
5897 list_add_tail_rcu(&obj->list, &table->objects);
5901 /* queued in transaction log */
5902 INIT_LIST_HEAD(&obj->list);
5905 kfree(obj->key.name);
5907 if (obj->ops->destroy)
5908 obj->ops->destroy(&ctx, obj);
5911 module_put(type->owner);
5915 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5916 u32 portid, u32 seq, int event, u32 flags,
5917 int family, const struct nft_table *table,
5918 struct nft_object *obj, bool reset)
5920 struct nfgenmsg *nfmsg;
5921 struct nlmsghdr *nlh;
5923 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5924 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5926 goto nla_put_failure;
5928 nfmsg = nlmsg_data(nlh);
5929 nfmsg->nfgen_family = family;
5930 nfmsg->version = NFNETLINK_V0;
5931 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5933 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5934 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5935 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5936 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5937 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5938 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5940 goto nla_put_failure;
5942 nlmsg_end(skb, nlh);
5946 nlmsg_trim(skb, nlh);
5950 struct nft_obj_filter {
5955 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5957 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5958 const struct nft_table *table;
5959 unsigned int idx = 0, s_idx = cb->args[0];
5960 struct nft_obj_filter *filter = cb->data;
5961 struct net *net = sock_net(skb->sk);
5962 int family = nfmsg->nfgen_family;
5963 struct nft_object *obj;
5966 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5970 cb->seq = net->nft.base_seq;
5972 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5973 if (family != NFPROTO_UNSPEC && family != table->family)
5976 list_for_each_entry_rcu(obj, &table->objects, list) {
5977 if (!nft_is_active(net, obj))
5982 memset(&cb->args[1], 0,
5983 sizeof(cb->args) - sizeof(cb->args[0]));
5984 if (filter && filter->table &&
5985 strcmp(filter->table, table->name))
5988 filter->type != NFT_OBJECT_UNSPEC &&
5989 obj->ops->type->type != filter->type)
5992 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5995 NLM_F_MULTI | NLM_F_APPEND,
5996 table->family, table,
6000 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6012 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6014 const struct nlattr * const *nla = cb->data;
6015 struct nft_obj_filter *filter = NULL;
6017 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6018 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6022 if (nla[NFTA_OBJ_TABLE]) {
6023 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6024 if (!filter->table) {
6030 if (nla[NFTA_OBJ_TYPE])
6031 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6038 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6040 struct nft_obj_filter *filter = cb->data;
6043 kfree(filter->table);
6050 /* called with rcu_read_lock held */
6051 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6052 struct sk_buff *skb, const struct nlmsghdr *nlh,
6053 const struct nlattr * const nla[],
6054 struct netlink_ext_ack *extack)
6056 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6057 u8 genmask = nft_genmask_cur(net);
6058 int family = nfmsg->nfgen_family;
6059 const struct nft_table *table;
6060 struct nft_object *obj;
6061 struct sk_buff *skb2;
6066 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6067 struct netlink_dump_control c = {
6068 .start = nf_tables_dump_obj_start,
6069 .dump = nf_tables_dump_obj,
6070 .done = nf_tables_dump_obj_done,
6071 .module = THIS_MODULE,
6072 .data = (void *)nla,
6075 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6078 if (!nla[NFTA_OBJ_NAME] ||
6079 !nla[NFTA_OBJ_TYPE])
6082 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6083 if (IS_ERR(table)) {
6084 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6085 return PTR_ERR(table);
6088 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6089 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6091 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6092 return PTR_ERR(obj);
6095 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6099 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6102 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6103 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6104 family, table, obj, reset);
6108 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6114 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6116 if (obj->ops->destroy)
6117 obj->ops->destroy(ctx, obj);
6119 module_put(obj->ops->type->owner);
6120 kfree(obj->key.name);
6124 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6125 struct sk_buff *skb, const struct nlmsghdr *nlh,
6126 const struct nlattr * const nla[],
6127 struct netlink_ext_ack *extack)
6129 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6130 u8 genmask = nft_genmask_next(net);
6131 int family = nfmsg->nfgen_family;
6132 const struct nlattr *attr;
6133 struct nft_table *table;
6134 struct nft_object *obj;
6138 if (!nla[NFTA_OBJ_TYPE] ||
6139 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6142 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6143 if (IS_ERR(table)) {
6144 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6145 return PTR_ERR(table);
6148 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6149 if (nla[NFTA_OBJ_HANDLE]) {
6150 attr = nla[NFTA_OBJ_HANDLE];
6151 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6153 attr = nla[NFTA_OBJ_NAME];
6154 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6158 NL_SET_BAD_ATTR(extack, attr);
6159 return PTR_ERR(obj);
6162 NL_SET_BAD_ATTR(extack, attr);
6166 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6168 return nft_delobj(&ctx, obj);
6171 void nft_obj_notify(struct net *net, const struct nft_table *table,
6172 struct nft_object *obj, u32 portid, u32 seq, int event,
6173 int family, int report, gfp_t gfp)
6175 struct sk_buff *skb;
6179 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6182 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6186 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6193 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
6196 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6198 EXPORT_SYMBOL_GPL(nft_obj_notify);
6200 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6201 struct nft_object *obj, int event)
6203 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6204 ctx->family, ctx->report, GFP_KERNEL);
6210 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6212 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6213 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6214 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6216 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6218 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6220 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6221 list_del_rcu(&type->list);
6222 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6224 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6226 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6227 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6228 .len = NFT_NAME_MAXLEN - 1 },
6229 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6230 .len = NFT_NAME_MAXLEN - 1 },
6231 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6232 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6233 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6236 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6237 const struct nlattr *nla, u8 genmask)
6239 struct nft_flowtable *flowtable;
6241 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6242 if (!nla_strcmp(nla, flowtable->name) &&
6243 nft_active_genmask(flowtable, genmask))
6246 return ERR_PTR(-ENOENT);
6248 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6250 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6251 struct nft_flowtable *flowtable,
6252 enum nft_trans_phase phase)
6255 case NFT_TRANS_PREPARE:
6256 case NFT_TRANS_ABORT:
6257 case NFT_TRANS_RELEASE:
6264 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6266 static struct nft_flowtable *
6267 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6268 const struct nlattr *nla, u8 genmask)
6270 struct nft_flowtable *flowtable;
6272 list_for_each_entry(flowtable, &table->flowtables, list) {
6273 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6274 nft_active_genmask(flowtable, genmask))
6277 return ERR_PTR(-ENOENT);
6280 struct nft_flowtable_hook {
6283 struct list_head list;
6286 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6287 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6288 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6289 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6292 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6293 const struct nlattr *attr,
6294 struct nft_flowtable_hook *flowtable_hook,
6295 struct nft_flowtable *flowtable, bool add)
6297 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6298 struct nft_hook *hook;
6299 int hooknum, priority;
6302 INIT_LIST_HEAD(&flowtable_hook->list);
6304 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6305 nft_flowtable_hook_policy, NULL);
6310 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6311 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6314 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6315 if (hooknum != NF_NETDEV_INGRESS)
6318 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6320 flowtable_hook->priority = priority;
6321 flowtable_hook->num = hooknum;
6323 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6324 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6325 if (hooknum != flowtable->hooknum)
6329 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6330 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6331 if (priority != flowtable->data.priority)
6335 flowtable_hook->priority = flowtable->data.priority;
6336 flowtable_hook->num = flowtable->hooknum;
6339 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6340 err = nf_tables_parse_netdev_hooks(ctx->net,
6341 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6342 &flowtable_hook->list);
6347 list_for_each_entry(hook, &flowtable_hook->list, list) {
6348 hook->ops.pf = NFPROTO_NETDEV;
6349 hook->ops.hooknum = flowtable_hook->num;
6350 hook->ops.priority = flowtable_hook->priority;
6351 hook->ops.priv = &flowtable->data;
6352 hook->ops.hook = flowtable->data.type->hook;
6358 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6360 const struct nf_flowtable_type *type;
6362 list_for_each_entry(type, &nf_tables_flowtables, list) {
6363 if (family == type->family)
6369 static const struct nf_flowtable_type *
6370 nft_flowtable_type_get(struct net *net, u8 family)
6372 const struct nf_flowtable_type *type;
6374 type = __nft_flowtable_type_get(family);
6375 if (type != NULL && try_module_get(type->owner))
6378 lockdep_nfnl_nft_mutex_not_held();
6379 #ifdef CONFIG_MODULES
6381 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6382 return ERR_PTR(-EAGAIN);
6385 return ERR_PTR(-ENOENT);
6388 /* Only called from error and netdev event paths. */
6389 static void nft_unregister_flowtable_hook(struct net *net,
6390 struct nft_flowtable *flowtable,
6391 struct nft_hook *hook)
6393 nf_unregister_net_hook(net, &hook->ops);
6394 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6398 static void nft_unregister_flowtable_net_hooks(struct net *net,
6399 struct list_head *hook_list)
6401 struct nft_hook *hook;
6403 list_for_each_entry(hook, hook_list, list)
6404 nf_unregister_net_hook(net, &hook->ops);
6407 static int nft_register_flowtable_net_hooks(struct net *net,
6408 struct nft_table *table,
6409 struct list_head *hook_list,
6410 struct nft_flowtable *flowtable)
6412 struct nft_hook *hook, *hook2, *next;
6413 struct nft_flowtable *ft;
6416 list_for_each_entry(hook, hook_list, list) {
6417 list_for_each_entry(ft, &table->flowtables, list) {
6418 list_for_each_entry(hook2, &ft->hook_list, list) {
6419 if (hook->ops.dev == hook2->ops.dev &&
6420 hook->ops.pf == hook2->ops.pf) {
6422 goto err_unregister_net_hooks;
6427 err = flowtable->data.type->setup(&flowtable->data,
6431 goto err_unregister_net_hooks;
6433 err = nf_register_net_hook(net, &hook->ops);
6435 flowtable->data.type->setup(&flowtable->data,
6438 goto err_unregister_net_hooks;
6446 err_unregister_net_hooks:
6447 list_for_each_entry_safe(hook, next, hook_list, list) {
6451 nft_unregister_flowtable_hook(net, flowtable, hook);
6452 list_del_rcu(&hook->list);
6453 kfree_rcu(hook, rcu);
6459 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6461 struct nft_hook *hook, *next;
6463 list_for_each_entry_safe(hook, next, hook_list, list) {
6464 list_del_rcu(&hook->list);
6465 kfree_rcu(hook, rcu);
6469 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6470 struct nft_flowtable *flowtable)
6472 const struct nlattr * const *nla = ctx->nla;
6473 struct nft_flowtable_hook flowtable_hook;
6474 struct nft_hook *hook, *next;
6475 struct nft_trans *trans;
6476 bool unregister = false;
6479 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6480 &flowtable_hook, flowtable, false);
6484 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6485 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6486 list_del(&hook->list);
6491 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6492 &flowtable_hook.list, flowtable);
6494 goto err_flowtable_update_hook;
6496 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6497 sizeof(struct nft_trans_flowtable));
6501 goto err_flowtable_update_hook;
6504 nft_trans_flowtable(trans) = flowtable;
6505 nft_trans_flowtable_update(trans) = true;
6506 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6507 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6509 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6513 err_flowtable_update_hook:
6514 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6516 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6517 list_del_rcu(&hook->list);
6518 kfree_rcu(hook, rcu);
6525 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6526 struct sk_buff *skb,
6527 const struct nlmsghdr *nlh,
6528 const struct nlattr * const nla[],
6529 struct netlink_ext_ack *extack)
6531 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6532 struct nft_flowtable_hook flowtable_hook;
6533 const struct nf_flowtable_type *type;
6534 u8 genmask = nft_genmask_next(net);
6535 int family = nfmsg->nfgen_family;
6536 struct nft_flowtable *flowtable;
6537 struct nft_hook *hook, *next;
6538 struct nft_table *table;
6542 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6543 !nla[NFTA_FLOWTABLE_NAME] ||
6544 !nla[NFTA_FLOWTABLE_HOOK])
6547 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6549 if (IS_ERR(table)) {
6550 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6551 return PTR_ERR(table);
6554 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6556 if (IS_ERR(flowtable)) {
6557 err = PTR_ERR(flowtable);
6558 if (err != -ENOENT) {
6559 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6563 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6564 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6568 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6570 return nft_flowtable_update(&ctx, nlh, flowtable);
6573 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6575 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6579 flowtable->table = table;
6580 flowtable->handle = nf_tables_alloc_handle(table);
6581 INIT_LIST_HEAD(&flowtable->hook_list);
6583 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6584 if (!flowtable->name) {
6589 type = nft_flowtable_type_get(net, family);
6591 err = PTR_ERR(type);
6595 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6596 flowtable->data.flags =
6597 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6598 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6602 write_pnet(&flowtable->data.net, net);
6603 flowtable->data.type = type;
6604 err = type->init(&flowtable->data);
6608 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6609 &flowtable_hook, flowtable, true);
6613 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6614 flowtable->data.priority = flowtable_hook.priority;
6615 flowtable->hooknum = flowtable_hook.num;
6617 err = nft_register_flowtable_net_hooks(ctx.net, table,
6618 &flowtable->hook_list,
6621 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6625 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6629 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6634 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6635 nft_unregister_flowtable_hook(net, flowtable, hook);
6636 list_del_rcu(&hook->list);
6637 kfree_rcu(hook, rcu);
6640 flowtable->data.type->free(&flowtable->data);
6642 module_put(type->owner);
6644 kfree(flowtable->name);
6650 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
6652 struct nft_hook *this, *next;
6654 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
6655 list_del(&this->list);
6660 static int nft_delflowtable_hook(struct nft_ctx *ctx,
6661 struct nft_flowtable *flowtable)
6663 const struct nlattr * const *nla = ctx->nla;
6664 struct nft_flowtable_hook flowtable_hook;
6665 struct nft_hook *this, *hook;
6666 struct nft_trans *trans;
6669 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6670 &flowtable_hook, flowtable, false);
6674 list_for_each_entry(this, &flowtable_hook.list, list) {
6675 hook = nft_hook_list_find(&flowtable->hook_list, this);
6678 goto err_flowtable_del_hook;
6680 hook->inactive = true;
6683 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
6684 sizeof(struct nft_trans_flowtable));
6687 goto err_flowtable_del_hook;
6690 nft_trans_flowtable(trans) = flowtable;
6691 nft_trans_flowtable_update(trans) = true;
6692 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6693 nft_flowtable_hook_release(&flowtable_hook);
6695 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6699 err_flowtable_del_hook:
6700 list_for_each_entry(this, &flowtable_hook.list, list) {
6701 hook = nft_hook_list_find(&flowtable->hook_list, this);
6705 hook->inactive = false;
6707 nft_flowtable_hook_release(&flowtable_hook);
6712 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6713 struct sk_buff *skb,
6714 const struct nlmsghdr *nlh,
6715 const struct nlattr * const nla[],
6716 struct netlink_ext_ack *extack)
6718 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6719 u8 genmask = nft_genmask_next(net);
6720 int family = nfmsg->nfgen_family;
6721 struct nft_flowtable *flowtable;
6722 const struct nlattr *attr;
6723 struct nft_table *table;
6726 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6727 (!nla[NFTA_FLOWTABLE_NAME] &&
6728 !nla[NFTA_FLOWTABLE_HANDLE]))
6731 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6733 if (IS_ERR(table)) {
6734 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6735 return PTR_ERR(table);
6738 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6739 attr = nla[NFTA_FLOWTABLE_HANDLE];
6740 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6742 attr = nla[NFTA_FLOWTABLE_NAME];
6743 flowtable = nft_flowtable_lookup(table, attr, genmask);
6746 if (IS_ERR(flowtable)) {
6747 NL_SET_BAD_ATTR(extack, attr);
6748 return PTR_ERR(flowtable);
6751 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6753 if (nla[NFTA_FLOWTABLE_HOOK])
6754 return nft_delflowtable_hook(&ctx, flowtable);
6756 if (flowtable->use > 0) {
6757 NL_SET_BAD_ATTR(extack, attr);
6761 return nft_delflowtable(&ctx, flowtable);
6764 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6765 u32 portid, u32 seq, int event,
6766 u32 flags, int family,
6767 struct nft_flowtable *flowtable,
6768 struct list_head *hook_list)
6770 struct nlattr *nest, *nest_devs;
6771 struct nfgenmsg *nfmsg;
6772 struct nft_hook *hook;
6773 struct nlmsghdr *nlh;
6775 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6776 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6778 goto nla_put_failure;
6780 nfmsg = nlmsg_data(nlh);
6781 nfmsg->nfgen_family = family;
6782 nfmsg->version = NFNETLINK_V0;
6783 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6785 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6786 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6787 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6788 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6789 NFTA_FLOWTABLE_PAD) ||
6790 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6791 goto nla_put_failure;
6793 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6795 goto nla_put_failure;
6796 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6797 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6798 goto nla_put_failure;
6800 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6802 goto nla_put_failure;
6804 list_for_each_entry_rcu(hook, hook_list, list) {
6805 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6806 goto nla_put_failure;
6808 nla_nest_end(skb, nest_devs);
6809 nla_nest_end(skb, nest);
6811 nlmsg_end(skb, nlh);
6815 nlmsg_trim(skb, nlh);
6819 struct nft_flowtable_filter {
6823 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6824 struct netlink_callback *cb)
6826 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6827 struct nft_flowtable_filter *filter = cb->data;
6828 unsigned int idx = 0, s_idx = cb->args[0];
6829 struct net *net = sock_net(skb->sk);
6830 int family = nfmsg->nfgen_family;
6831 struct nft_flowtable *flowtable;
6832 const struct nft_table *table;
6835 cb->seq = net->nft.base_seq;
6837 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6838 if (family != NFPROTO_UNSPEC && family != table->family)
6841 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6842 if (!nft_is_active(net, flowtable))
6847 memset(&cb->args[1], 0,
6848 sizeof(cb->args) - sizeof(cb->args[0]));
6849 if (filter && filter->table &&
6850 strcmp(filter->table, table->name))
6853 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6855 NFT_MSG_NEWFLOWTABLE,
6856 NLM_F_MULTI | NLM_F_APPEND,
6859 &flowtable->hook_list) < 0)
6862 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6874 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6876 const struct nlattr * const *nla = cb->data;
6877 struct nft_flowtable_filter *filter = NULL;
6879 if (nla[NFTA_FLOWTABLE_TABLE]) {
6880 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6884 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6886 if (!filter->table) {
6896 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6898 struct nft_flowtable_filter *filter = cb->data;
6903 kfree(filter->table);
6909 /* called with rcu_read_lock held */
6910 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6911 struct sk_buff *skb,
6912 const struct nlmsghdr *nlh,
6913 const struct nlattr * const nla[],
6914 struct netlink_ext_ack *extack)
6916 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6917 u8 genmask = nft_genmask_cur(net);
6918 int family = nfmsg->nfgen_family;
6919 struct nft_flowtable *flowtable;
6920 const struct nft_table *table;
6921 struct sk_buff *skb2;
6924 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6925 struct netlink_dump_control c = {
6926 .start = nf_tables_dump_flowtable_start,
6927 .dump = nf_tables_dump_flowtable,
6928 .done = nf_tables_dump_flowtable_done,
6929 .module = THIS_MODULE,
6930 .data = (void *)nla,
6933 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6936 if (!nla[NFTA_FLOWTABLE_NAME])
6939 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6942 return PTR_ERR(table);
6944 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6946 if (IS_ERR(flowtable))
6947 return PTR_ERR(flowtable);
6949 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6953 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6955 NFT_MSG_NEWFLOWTABLE, 0, family,
6956 flowtable, &flowtable->hook_list);
6960 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6966 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6967 struct nft_flowtable *flowtable,
6968 struct list_head *hook_list,
6971 struct sk_buff *skb;
6975 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6978 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6982 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6984 ctx->family, flowtable, hook_list);
6990 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6991 ctx->report, GFP_KERNEL);
6994 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6997 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6999 struct nft_hook *hook, *next;
7001 flowtable->data.type->free(&flowtable->data);
7002 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7003 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7005 list_del_rcu(&hook->list);
7008 kfree(flowtable->name);
7009 module_put(flowtable->data.type->owner);
7013 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7014 u32 portid, u32 seq)
7016 struct nlmsghdr *nlh;
7017 struct nfgenmsg *nfmsg;
7018 char buf[TASK_COMM_LEN];
7019 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7021 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7023 goto nla_put_failure;
7025 nfmsg = nlmsg_data(nlh);
7026 nfmsg->nfgen_family = AF_UNSPEC;
7027 nfmsg->version = NFNETLINK_V0;
7028 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7030 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7031 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7032 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7033 goto nla_put_failure;
7035 nlmsg_end(skb, nlh);
7039 nlmsg_trim(skb, nlh);
7043 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7044 struct nft_flowtable *flowtable)
7046 struct nft_hook *hook;
7048 list_for_each_entry(hook, &flowtable->hook_list, list) {
7049 if (hook->ops.dev != dev)
7052 /* flow_offload_netdev_event() cleans up entries for us. */
7053 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7054 list_del_rcu(&hook->list);
7055 kfree_rcu(hook, rcu);
7060 static int nf_tables_flowtable_event(struct notifier_block *this,
7061 unsigned long event, void *ptr)
7063 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7064 struct nft_flowtable *flowtable;
7065 struct nft_table *table;
7068 if (event != NETDEV_UNREGISTER)
7072 mutex_lock(&net->nft.commit_mutex);
7073 list_for_each_entry(table, &net->nft.tables, list) {
7074 list_for_each_entry(flowtable, &table->flowtables, list) {
7075 nft_flowtable_event(event, dev, flowtable);
7078 mutex_unlock(&net->nft.commit_mutex);
7083 static struct notifier_block nf_tables_flowtable_notifier = {
7084 .notifier_call = nf_tables_flowtable_event,
7087 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7090 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7091 struct sk_buff *skb2;
7094 if (nlmsg_report(nlh) &&
7095 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7098 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7102 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7109 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7110 nlmsg_report(nlh), GFP_KERNEL);
7113 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7117 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7118 struct sk_buff *skb, const struct nlmsghdr *nlh,
7119 const struct nlattr * const nla[],
7120 struct netlink_ext_ack *extack)
7122 struct sk_buff *skb2;
7125 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7129 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7134 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
7140 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7141 [NFT_MSG_NEWTABLE] = {
7142 .call_batch = nf_tables_newtable,
7143 .attr_count = NFTA_TABLE_MAX,
7144 .policy = nft_table_policy,
7146 [NFT_MSG_GETTABLE] = {
7147 .call_rcu = nf_tables_gettable,
7148 .attr_count = NFTA_TABLE_MAX,
7149 .policy = nft_table_policy,
7151 [NFT_MSG_DELTABLE] = {
7152 .call_batch = nf_tables_deltable,
7153 .attr_count = NFTA_TABLE_MAX,
7154 .policy = nft_table_policy,
7156 [NFT_MSG_NEWCHAIN] = {
7157 .call_batch = nf_tables_newchain,
7158 .attr_count = NFTA_CHAIN_MAX,
7159 .policy = nft_chain_policy,
7161 [NFT_MSG_GETCHAIN] = {
7162 .call_rcu = nf_tables_getchain,
7163 .attr_count = NFTA_CHAIN_MAX,
7164 .policy = nft_chain_policy,
7166 [NFT_MSG_DELCHAIN] = {
7167 .call_batch = nf_tables_delchain,
7168 .attr_count = NFTA_CHAIN_MAX,
7169 .policy = nft_chain_policy,
7171 [NFT_MSG_NEWRULE] = {
7172 .call_batch = nf_tables_newrule,
7173 .attr_count = NFTA_RULE_MAX,
7174 .policy = nft_rule_policy,
7176 [NFT_MSG_GETRULE] = {
7177 .call_rcu = nf_tables_getrule,
7178 .attr_count = NFTA_RULE_MAX,
7179 .policy = nft_rule_policy,
7181 [NFT_MSG_DELRULE] = {
7182 .call_batch = nf_tables_delrule,
7183 .attr_count = NFTA_RULE_MAX,
7184 .policy = nft_rule_policy,
7186 [NFT_MSG_NEWSET] = {
7187 .call_batch = nf_tables_newset,
7188 .attr_count = NFTA_SET_MAX,
7189 .policy = nft_set_policy,
7191 [NFT_MSG_GETSET] = {
7192 .call_rcu = nf_tables_getset,
7193 .attr_count = NFTA_SET_MAX,
7194 .policy = nft_set_policy,
7196 [NFT_MSG_DELSET] = {
7197 .call_batch = nf_tables_delset,
7198 .attr_count = NFTA_SET_MAX,
7199 .policy = nft_set_policy,
7201 [NFT_MSG_NEWSETELEM] = {
7202 .call_batch = nf_tables_newsetelem,
7203 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7204 .policy = nft_set_elem_list_policy,
7206 [NFT_MSG_GETSETELEM] = {
7207 .call_rcu = nf_tables_getsetelem,
7208 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7209 .policy = nft_set_elem_list_policy,
7211 [NFT_MSG_DELSETELEM] = {
7212 .call_batch = nf_tables_delsetelem,
7213 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7214 .policy = nft_set_elem_list_policy,
7216 [NFT_MSG_GETGEN] = {
7217 .call_rcu = nf_tables_getgen,
7219 [NFT_MSG_NEWOBJ] = {
7220 .call_batch = nf_tables_newobj,
7221 .attr_count = NFTA_OBJ_MAX,
7222 .policy = nft_obj_policy,
7224 [NFT_MSG_GETOBJ] = {
7225 .call_rcu = nf_tables_getobj,
7226 .attr_count = NFTA_OBJ_MAX,
7227 .policy = nft_obj_policy,
7229 [NFT_MSG_DELOBJ] = {
7230 .call_batch = nf_tables_delobj,
7231 .attr_count = NFTA_OBJ_MAX,
7232 .policy = nft_obj_policy,
7234 [NFT_MSG_GETOBJ_RESET] = {
7235 .call_rcu = nf_tables_getobj,
7236 .attr_count = NFTA_OBJ_MAX,
7237 .policy = nft_obj_policy,
7239 [NFT_MSG_NEWFLOWTABLE] = {
7240 .call_batch = nf_tables_newflowtable,
7241 .attr_count = NFTA_FLOWTABLE_MAX,
7242 .policy = nft_flowtable_policy,
7244 [NFT_MSG_GETFLOWTABLE] = {
7245 .call_rcu = nf_tables_getflowtable,
7246 .attr_count = NFTA_FLOWTABLE_MAX,
7247 .policy = nft_flowtable_policy,
7249 [NFT_MSG_DELFLOWTABLE] = {
7250 .call_batch = nf_tables_delflowtable,
7251 .attr_count = NFTA_FLOWTABLE_MAX,
7252 .policy = nft_flowtable_policy,
7256 static int nf_tables_validate(struct net *net)
7258 struct nft_table *table;
7260 switch (net->nft.validate_state) {
7261 case NFT_VALIDATE_SKIP:
7263 case NFT_VALIDATE_NEED:
7264 nft_validate_state_update(net, NFT_VALIDATE_DO);
7266 case NFT_VALIDATE_DO:
7267 list_for_each_entry(table, &net->nft.tables, list) {
7268 if (nft_table_validate(net, table) < 0)
7277 /* a drop policy has to be deferred until all rules have been activated,
7278 * otherwise a large ruleset that contains a drop-policy base chain will
7279 * cause all packets to get dropped until the full transaction has been
7282 * We defer the drop policy until the transaction has been finalized.
7284 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7286 struct nft_base_chain *basechain;
7288 if (nft_trans_chain_policy(trans) != NF_DROP)
7291 if (!nft_is_base_chain(trans->ctx.chain))
7294 basechain = nft_base_chain(trans->ctx.chain);
7295 basechain->policy = NF_DROP;
7298 static void nft_chain_commit_update(struct nft_trans *trans)
7300 struct nft_base_chain *basechain;
7302 if (nft_trans_chain_name(trans)) {
7303 rhltable_remove(&trans->ctx.table->chains_ht,
7304 &trans->ctx.chain->rhlhead,
7305 nft_chain_ht_params);
7306 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7307 rhltable_insert_key(&trans->ctx.table->chains_ht,
7308 trans->ctx.chain->name,
7309 &trans->ctx.chain->rhlhead,
7310 nft_chain_ht_params);
7313 if (!nft_is_base_chain(trans->ctx.chain))
7316 nft_chain_stats_replace(trans);
7318 basechain = nft_base_chain(trans->ctx.chain);
7320 switch (nft_trans_chain_policy(trans)) {
7323 basechain->policy = nft_trans_chain_policy(trans);
7328 static void nft_obj_commit_update(struct nft_trans *trans)
7330 struct nft_object *newobj;
7331 struct nft_object *obj;
7333 obj = nft_trans_obj(trans);
7334 newobj = nft_trans_obj_newobj(trans);
7336 if (obj->ops->update)
7337 obj->ops->update(obj, newobj);
7342 static void nft_commit_release(struct nft_trans *trans)
7344 switch (trans->msg_type) {
7345 case NFT_MSG_DELTABLE:
7346 nf_tables_table_destroy(&trans->ctx);
7348 case NFT_MSG_NEWCHAIN:
7349 free_percpu(nft_trans_chain_stats(trans));
7350 kfree(nft_trans_chain_name(trans));
7352 case NFT_MSG_DELCHAIN:
7353 nf_tables_chain_destroy(&trans->ctx);
7355 case NFT_MSG_DELRULE:
7356 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7358 case NFT_MSG_DELSET:
7359 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7361 case NFT_MSG_DELSETELEM:
7362 nf_tables_set_elem_destroy(&trans->ctx,
7363 nft_trans_elem_set(trans),
7364 nft_trans_elem(trans).priv);
7366 case NFT_MSG_DELOBJ:
7367 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7369 case NFT_MSG_DELFLOWTABLE:
7370 if (nft_trans_flowtable_update(trans))
7371 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7373 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7378 put_net(trans->ctx.net);
7383 static void nf_tables_trans_destroy_work(struct work_struct *w)
7385 struct nft_trans *trans, *next;
7388 spin_lock(&nf_tables_destroy_list_lock);
7389 list_splice_init(&nf_tables_destroy_list, &head);
7390 spin_unlock(&nf_tables_destroy_list_lock);
7392 if (list_empty(&head))
7397 list_for_each_entry_safe(trans, next, &head, list) {
7398 list_del(&trans->list);
7399 nft_commit_release(trans);
7403 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7405 struct nft_rule *rule;
7406 unsigned int alloc = 0;
7409 /* already handled or inactive chain? */
7410 if (chain->rules_next || !nft_is_active_next(net, chain))
7413 rule = list_entry(&chain->rules, struct nft_rule, list);
7416 list_for_each_entry_continue(rule, &chain->rules, list) {
7417 if (nft_is_active_next(net, rule))
7421 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7422 if (!chain->rules_next)
7425 list_for_each_entry_continue(rule, &chain->rules, list) {
7426 if (nft_is_active_next(net, rule))
7427 chain->rules_next[i++] = rule;
7430 chain->rules_next[i] = NULL;
7434 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7436 struct nft_trans *trans, *next;
7438 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7439 struct nft_chain *chain = trans->ctx.chain;
7441 if (trans->msg_type == NFT_MSG_NEWRULE ||
7442 trans->msg_type == NFT_MSG_DELRULE) {
7443 kvfree(chain->rules_next);
7444 chain->rules_next = NULL;
7449 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7451 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7456 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7458 struct nft_rule **r = rules;
7459 struct nft_rules_old *old;
7464 r++; /* rcu_head is after end marker */
7468 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7471 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7473 struct nft_rule **g0, **g1;
7476 next_genbit = nft_gencursor_next(net);
7478 g0 = rcu_dereference_protected(chain->rules_gen_0,
7479 lockdep_commit_lock_is_held(net));
7480 g1 = rcu_dereference_protected(chain->rules_gen_1,
7481 lockdep_commit_lock_is_held(net));
7483 /* No changes to this chain? */
7484 if (chain->rules_next == NULL) {
7485 /* chain had no change in last or next generation */
7489 * chain had no change in this generation; make sure next
7490 * one uses same rules as current generation.
7493 rcu_assign_pointer(chain->rules_gen_1, g0);
7494 nf_tables_commit_chain_free_rules_old(g1);
7496 rcu_assign_pointer(chain->rules_gen_0, g1);
7497 nf_tables_commit_chain_free_rules_old(g0);
7504 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7506 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7508 chain->rules_next = NULL;
7514 nf_tables_commit_chain_free_rules_old(g1);
7516 nf_tables_commit_chain_free_rules_old(g0);
7519 static void nft_obj_del(struct nft_object *obj)
7521 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7522 list_del_rcu(&obj->list);
7525 void nft_chain_del(struct nft_chain *chain)
7527 struct nft_table *table = chain->table;
7529 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7530 nft_chain_ht_params));
7531 list_del_rcu(&chain->list);
7534 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7535 struct list_head *hook_list)
7537 struct nft_hook *hook, *next;
7539 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7541 list_move(&hook->list, hook_list);
7545 static void nf_tables_module_autoload_cleanup(struct net *net)
7547 struct nft_module_request *req, *next;
7549 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7550 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7551 WARN_ON_ONCE(!req->done);
7552 list_del(&req->list);
7557 static void nf_tables_commit_release(struct net *net)
7559 struct nft_trans *trans;
7561 /* all side effects have to be made visible.
7562 * For example, if a chain named 'foo' has been deleted, a
7563 * new transaction must not find it anymore.
7565 * Memory reclaim happens asynchronously from work queue
7566 * to prevent expensive synchronize_rcu() in commit phase.
7568 if (list_empty(&net->nft.commit_list)) {
7569 nf_tables_module_autoload_cleanup(net);
7570 mutex_unlock(&net->nft.commit_mutex);
7574 trans = list_last_entry(&net->nft.commit_list,
7575 struct nft_trans, list);
7576 get_net(trans->ctx.net);
7577 WARN_ON_ONCE(trans->put_net);
7579 trans->put_net = true;
7580 spin_lock(&nf_tables_destroy_list_lock);
7581 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7582 spin_unlock(&nf_tables_destroy_list_lock);
7584 nf_tables_module_autoload_cleanup(net);
7585 mutex_unlock(&net->nft.commit_mutex);
7587 schedule_work(&trans_destroy_work);
7590 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7592 struct nft_trans *trans, *next;
7593 struct nft_trans_elem *te;
7594 struct nft_chain *chain;
7595 struct nft_table *table;
7598 if (list_empty(&net->nft.commit_list)) {
7599 mutex_unlock(&net->nft.commit_mutex);
7603 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7604 if (nf_tables_validate(net) < 0)
7607 err = nft_flow_rule_offload_commit(net);
7611 /* 1. Allocate space for next generation rules_gen_X[] */
7612 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7615 if (trans->msg_type == NFT_MSG_NEWRULE ||
7616 trans->msg_type == NFT_MSG_DELRULE) {
7617 chain = trans->ctx.chain;
7619 ret = nf_tables_commit_chain_prepare(net, chain);
7621 nf_tables_commit_chain_prepare_cancel(net);
7627 /* step 2. Make rules_gen_X visible to packet path */
7628 list_for_each_entry(table, &net->nft.tables, list) {
7629 list_for_each_entry(chain, &table->chains, list)
7630 nf_tables_commit_chain(net, chain);
7634 * Bump generation counter, invalidate any dump in progress.
7635 * Cannot fail after this point.
7637 while (++net->nft.base_seq == 0);
7639 /* step 3. Start new generation, rules_gen_X now in use. */
7640 net->nft.gencursor = nft_gencursor_next(net);
7642 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7643 switch (trans->msg_type) {
7644 case NFT_MSG_NEWTABLE:
7645 if (nft_trans_table_update(trans)) {
7646 if (!nft_trans_table_enable(trans)) {
7647 nf_tables_table_disable(net,
7649 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7652 nft_clear(net, trans->ctx.table);
7654 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7655 nft_trans_destroy(trans);
7657 case NFT_MSG_DELTABLE:
7658 list_del_rcu(&trans->ctx.table->list);
7659 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7661 case NFT_MSG_NEWCHAIN:
7662 if (nft_trans_chain_update(trans)) {
7663 nft_chain_commit_update(trans);
7664 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7665 /* trans destroyed after rcu grace period */
7667 nft_chain_commit_drop_policy(trans);
7668 nft_clear(net, trans->ctx.chain);
7669 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7670 nft_trans_destroy(trans);
7673 case NFT_MSG_DELCHAIN:
7674 nft_chain_del(trans->ctx.chain);
7675 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7676 nf_tables_unregister_hook(trans->ctx.net,
7680 case NFT_MSG_NEWRULE:
7681 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7682 nf_tables_rule_notify(&trans->ctx,
7683 nft_trans_rule(trans),
7685 nft_trans_destroy(trans);
7687 case NFT_MSG_DELRULE:
7688 list_del_rcu(&nft_trans_rule(trans)->list);
7689 nf_tables_rule_notify(&trans->ctx,
7690 nft_trans_rule(trans),
7692 nft_rule_expr_deactivate(&trans->ctx,
7693 nft_trans_rule(trans),
7696 case NFT_MSG_NEWSET:
7697 nft_clear(net, nft_trans_set(trans));
7698 /* This avoids hitting -EBUSY when deleting the table
7699 * from the transaction.
7701 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7702 !list_empty(&nft_trans_set(trans)->bindings))
7703 trans->ctx.table->use--;
7705 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7706 NFT_MSG_NEWSET, GFP_KERNEL);
7707 nft_trans_destroy(trans);
7709 case NFT_MSG_DELSET:
7710 list_del_rcu(&nft_trans_set(trans)->list);
7711 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7712 NFT_MSG_DELSET, GFP_KERNEL);
7714 case NFT_MSG_NEWSETELEM:
7715 te = (struct nft_trans_elem *)trans->data;
7717 te->set->ops->activate(net, te->set, &te->elem);
7718 nf_tables_setelem_notify(&trans->ctx, te->set,
7720 NFT_MSG_NEWSETELEM, 0);
7721 nft_trans_destroy(trans);
7723 case NFT_MSG_DELSETELEM:
7724 te = (struct nft_trans_elem *)trans->data;
7726 nf_tables_setelem_notify(&trans->ctx, te->set,
7728 NFT_MSG_DELSETELEM, 0);
7729 te->set->ops->remove(net, te->set, &te->elem);
7730 atomic_dec(&te->set->nelems);
7733 case NFT_MSG_NEWOBJ:
7734 if (nft_trans_obj_update(trans)) {
7735 nft_obj_commit_update(trans);
7736 nf_tables_obj_notify(&trans->ctx,
7737 nft_trans_obj(trans),
7740 nft_clear(net, nft_trans_obj(trans));
7741 nf_tables_obj_notify(&trans->ctx,
7742 nft_trans_obj(trans),
7744 nft_trans_destroy(trans);
7747 case NFT_MSG_DELOBJ:
7748 nft_obj_del(nft_trans_obj(trans));
7749 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7752 case NFT_MSG_NEWFLOWTABLE:
7753 if (nft_trans_flowtable_update(trans)) {
7754 nf_tables_flowtable_notify(&trans->ctx,
7755 nft_trans_flowtable(trans),
7756 &nft_trans_flowtable_hooks(trans),
7757 NFT_MSG_NEWFLOWTABLE);
7758 list_splice(&nft_trans_flowtable_hooks(trans),
7759 &nft_trans_flowtable(trans)->hook_list);
7761 nft_clear(net, nft_trans_flowtable(trans));
7762 nf_tables_flowtable_notify(&trans->ctx,
7763 nft_trans_flowtable(trans),
7764 &nft_trans_flowtable(trans)->hook_list,
7765 NFT_MSG_NEWFLOWTABLE);
7767 nft_trans_destroy(trans);
7769 case NFT_MSG_DELFLOWTABLE:
7770 if (nft_trans_flowtable_update(trans)) {
7771 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
7772 &nft_trans_flowtable_hooks(trans));
7773 nf_tables_flowtable_notify(&trans->ctx,
7774 nft_trans_flowtable(trans),
7775 &nft_trans_flowtable_hooks(trans),
7776 NFT_MSG_DELFLOWTABLE);
7777 nft_unregister_flowtable_net_hooks(net,
7778 &nft_trans_flowtable_hooks(trans));
7780 list_del_rcu(&nft_trans_flowtable(trans)->list);
7781 nf_tables_flowtable_notify(&trans->ctx,
7782 nft_trans_flowtable(trans),
7783 &nft_trans_flowtable(trans)->hook_list,
7784 NFT_MSG_DELFLOWTABLE);
7785 nft_unregister_flowtable_net_hooks(net,
7786 &nft_trans_flowtable(trans)->hook_list);
7792 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7793 nf_tables_commit_release(net);
7798 static void nf_tables_module_autoload(struct net *net)
7800 struct nft_module_request *req, *next;
7801 LIST_HEAD(module_list);
7803 list_splice_init(&net->nft.module_list, &module_list);
7804 mutex_unlock(&net->nft.commit_mutex);
7805 list_for_each_entry_safe(req, next, &module_list, list) {
7806 request_module("%s", req->module);
7809 mutex_lock(&net->nft.commit_mutex);
7810 list_splice(&module_list, &net->nft.module_list);
7813 static void nf_tables_abort_release(struct nft_trans *trans)
7815 switch (trans->msg_type) {
7816 case NFT_MSG_NEWTABLE:
7817 nf_tables_table_destroy(&trans->ctx);
7819 case NFT_MSG_NEWCHAIN:
7820 nf_tables_chain_destroy(&trans->ctx);
7822 case NFT_MSG_NEWRULE:
7823 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7825 case NFT_MSG_NEWSET:
7826 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7828 case NFT_MSG_NEWSETELEM:
7829 nft_set_elem_destroy(nft_trans_elem_set(trans),
7830 nft_trans_elem(trans).priv, true);
7832 case NFT_MSG_NEWOBJ:
7833 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7835 case NFT_MSG_NEWFLOWTABLE:
7836 if (nft_trans_flowtable_update(trans))
7837 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7839 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7845 static int __nf_tables_abort(struct net *net, bool autoload)
7847 struct nft_trans *trans, *next;
7848 struct nft_trans_elem *te;
7849 struct nft_hook *hook;
7851 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7853 switch (trans->msg_type) {
7854 case NFT_MSG_NEWTABLE:
7855 if (nft_trans_table_update(trans)) {
7856 if (nft_trans_table_enable(trans)) {
7857 nf_tables_table_disable(net,
7859 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7861 nft_trans_destroy(trans);
7863 list_del_rcu(&trans->ctx.table->list);
7866 case NFT_MSG_DELTABLE:
7867 nft_clear(trans->ctx.net, trans->ctx.table);
7868 nft_trans_destroy(trans);
7870 case NFT_MSG_NEWCHAIN:
7871 if (nft_trans_chain_update(trans)) {
7872 free_percpu(nft_trans_chain_stats(trans));
7873 kfree(nft_trans_chain_name(trans));
7874 nft_trans_destroy(trans);
7876 if (nft_chain_is_bound(trans->ctx.chain)) {
7877 nft_trans_destroy(trans);
7880 trans->ctx.table->use--;
7881 nft_chain_del(trans->ctx.chain);
7882 nf_tables_unregister_hook(trans->ctx.net,
7887 case NFT_MSG_DELCHAIN:
7888 trans->ctx.table->use++;
7889 nft_clear(trans->ctx.net, trans->ctx.chain);
7890 nft_trans_destroy(trans);
7892 case NFT_MSG_NEWRULE:
7893 trans->ctx.chain->use--;
7894 list_del_rcu(&nft_trans_rule(trans)->list);
7895 nft_rule_expr_deactivate(&trans->ctx,
7896 nft_trans_rule(trans),
7899 case NFT_MSG_DELRULE:
7900 trans->ctx.chain->use++;
7901 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7902 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7903 nft_trans_destroy(trans);
7905 case NFT_MSG_NEWSET:
7906 trans->ctx.table->use--;
7907 if (nft_trans_set_bound(trans)) {
7908 nft_trans_destroy(trans);
7911 list_del_rcu(&nft_trans_set(trans)->list);
7913 case NFT_MSG_DELSET:
7914 trans->ctx.table->use++;
7915 nft_clear(trans->ctx.net, nft_trans_set(trans));
7916 nft_trans_destroy(trans);
7918 case NFT_MSG_NEWSETELEM:
7919 if (nft_trans_elem_set_bound(trans)) {
7920 nft_trans_destroy(trans);
7923 te = (struct nft_trans_elem *)trans->data;
7924 te->set->ops->remove(net, te->set, &te->elem);
7925 atomic_dec(&te->set->nelems);
7927 case NFT_MSG_DELSETELEM:
7928 te = (struct nft_trans_elem *)trans->data;
7930 nft_set_elem_activate(net, te->set, &te->elem);
7931 te->set->ops->activate(net, te->set, &te->elem);
7934 nft_trans_destroy(trans);
7936 case NFT_MSG_NEWOBJ:
7937 if (nft_trans_obj_update(trans)) {
7938 kfree(nft_trans_obj_newobj(trans));
7939 nft_trans_destroy(trans);
7941 trans->ctx.table->use--;
7942 nft_obj_del(nft_trans_obj(trans));
7945 case NFT_MSG_DELOBJ:
7946 trans->ctx.table->use++;
7947 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7948 nft_trans_destroy(trans);
7950 case NFT_MSG_NEWFLOWTABLE:
7951 if (nft_trans_flowtable_update(trans)) {
7952 nft_unregister_flowtable_net_hooks(net,
7953 &nft_trans_flowtable_hooks(trans));
7955 trans->ctx.table->use--;
7956 list_del_rcu(&nft_trans_flowtable(trans)->list);
7957 nft_unregister_flowtable_net_hooks(net,
7958 &nft_trans_flowtable(trans)->hook_list);
7961 case NFT_MSG_DELFLOWTABLE:
7962 if (nft_trans_flowtable_update(trans)) {
7963 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
7964 hook->inactive = false;
7966 trans->ctx.table->use++;
7967 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7969 nft_trans_destroy(trans);
7976 list_for_each_entry_safe_reverse(trans, next,
7977 &net->nft.commit_list, list) {
7978 list_del(&trans->list);
7979 nf_tables_abort_release(trans);
7983 nf_tables_module_autoload(net);
7985 nf_tables_module_autoload_cleanup(net);
7990 static void nf_tables_cleanup(struct net *net)
7992 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7995 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
7997 int ret = __nf_tables_abort(net, autoload);
7999 mutex_unlock(&net->nft.commit_mutex);
8004 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8008 mutex_lock(&net->nft.commit_mutex);
8010 genid_ok = genid == 0 || net->nft.base_seq == genid;
8012 mutex_unlock(&net->nft.commit_mutex);
8014 /* else, commit mutex has to be released by commit or abort function */
8018 static const struct nfnetlink_subsystem nf_tables_subsys = {
8019 .name = "nf_tables",
8020 .subsys_id = NFNL_SUBSYS_NFTABLES,
8021 .cb_count = NFT_MSG_MAX,
8023 .commit = nf_tables_commit,
8024 .abort = nf_tables_abort,
8025 .cleanup = nf_tables_cleanup,
8026 .valid_genid = nf_tables_valid_genid,
8027 .owner = THIS_MODULE,
8030 int nft_chain_validate_dependency(const struct nft_chain *chain,
8031 enum nft_chain_types type)
8033 const struct nft_base_chain *basechain;
8035 if (nft_is_base_chain(chain)) {
8036 basechain = nft_base_chain(chain);
8037 if (basechain->type->type != type)
8042 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8044 int nft_chain_validate_hooks(const struct nft_chain *chain,
8045 unsigned int hook_flags)
8047 struct nft_base_chain *basechain;
8049 if (nft_is_base_chain(chain)) {
8050 basechain = nft_base_chain(chain);
8052 if ((1 << basechain->ops.hooknum) & hook_flags)
8060 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8063 * Loop detection - walk through the ruleset beginning at the destination chain
8064 * of a new jump until either the source chain is reached (loop) or all
8065 * reachable chains have been traversed.
8067 * The loop check is performed whenever a new jump verdict is added to an
8068 * expression or verdict map or a verdict map is bound to a new chain.
8071 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8072 const struct nft_chain *chain);
8074 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8075 struct nft_set *set,
8076 const struct nft_set_iter *iter,
8077 struct nft_set_elem *elem)
8079 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8080 const struct nft_data *data;
8082 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8083 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8086 data = nft_set_ext_data(ext);
8087 switch (data->verdict.code) {
8090 return nf_tables_check_loops(ctx, data->verdict.chain);
8096 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8097 const struct nft_chain *chain)
8099 const struct nft_rule *rule;
8100 const struct nft_expr *expr, *last;
8101 struct nft_set *set;
8102 struct nft_set_binding *binding;
8103 struct nft_set_iter iter;
8105 if (ctx->chain == chain)
8108 list_for_each_entry(rule, &chain->rules, list) {
8109 nft_rule_for_each_expr(expr, last, rule) {
8110 struct nft_immediate_expr *priv;
8111 const struct nft_data *data;
8114 if (strcmp(expr->ops->type->name, "immediate"))
8117 priv = nft_expr_priv(expr);
8118 if (priv->dreg != NFT_REG_VERDICT)
8122 switch (data->verdict.code) {
8125 err = nf_tables_check_loops(ctx,
8126 data->verdict.chain);
8135 list_for_each_entry(set, &ctx->table->sets, list) {
8136 if (!nft_is_active_next(ctx->net, set))
8138 if (!(set->flags & NFT_SET_MAP) ||
8139 set->dtype != NFT_DATA_VERDICT)
8142 list_for_each_entry(binding, &set->bindings, list) {
8143 if (!(binding->flags & NFT_SET_MAP) ||
8144 binding->chain != chain)
8147 iter.genmask = nft_genmask_next(ctx->net);
8151 iter.fn = nf_tables_loop_check_setelem;
8153 set->ops->walk(ctx, set, &iter);
8163 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8165 * @attr: netlink attribute to fetch value from
8166 * @max: maximum value to be stored in dest
8167 * @dest: pointer to the variable
8169 * Parse, check and store a given u32 netlink attribute into variable.
8170 * This function returns -ERANGE if the value goes over maximum value.
8171 * Otherwise a 0 is returned and the attribute value is stored in the
8172 * destination variable.
8174 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8178 val = ntohl(nla_get_be32(attr));
8185 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8188 * nft_parse_register - parse a register value from a netlink attribute
8190 * @attr: netlink attribute
8192 * Parse and translate a register value from a netlink attribute.
8193 * Registers used to be 128 bit wide, these register numbers will be
8194 * mapped to the corresponding 32 bit register numbers.
8196 unsigned int nft_parse_register(const struct nlattr *attr)
8200 reg = ntohl(nla_get_be32(attr));
8202 case NFT_REG_VERDICT...NFT_REG_4:
8203 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8205 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8208 EXPORT_SYMBOL_GPL(nft_parse_register);
8211 * nft_dump_register - dump a register value to a netlink attribute
8213 * @skb: socket buffer
8214 * @attr: attribute number
8215 * @reg: register number
8217 * Construct a netlink attribute containing the register number. For
8218 * compatibility reasons, register numbers being a multiple of 4 are
8219 * translated to the corresponding 128 bit register numbers.
8221 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8223 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8224 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8226 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8228 return nla_put_be32(skb, attr, htonl(reg));
8230 EXPORT_SYMBOL_GPL(nft_dump_register);
8233 * nft_validate_register_load - validate a load from a register
8235 * @reg: the register number
8236 * @len: the length of the data
8238 * Validate that the input register is one of the general purpose
8239 * registers and that the length of the load is within the bounds.
8241 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8243 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8247 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8252 EXPORT_SYMBOL_GPL(nft_validate_register_load);
8255 * nft_validate_register_store - validate an expressions' register store
8257 * @ctx: context of the expression performing the load
8258 * @reg: the destination register number
8259 * @data: the data to load
8260 * @type: the data type
8261 * @len: the length of the data
8263 * Validate that a data load uses the appropriate data type for
8264 * the destination register and the length is within the bounds.
8265 * A value of NULL for the data means that its runtime gathered
8268 int nft_validate_register_store(const struct nft_ctx *ctx,
8269 enum nft_registers reg,
8270 const struct nft_data *data,
8271 enum nft_data_types type, unsigned int len)
8276 case NFT_REG_VERDICT:
8277 if (type != NFT_DATA_VERDICT)
8281 (data->verdict.code == NFT_GOTO ||
8282 data->verdict.code == NFT_JUMP)) {
8283 err = nf_tables_check_loops(ctx, data->verdict.chain);
8290 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8294 if (reg * NFT_REG32_SIZE + len >
8295 sizeof_field(struct nft_regs, data))
8298 if (data != NULL && type != NFT_DATA_VALUE)
8303 EXPORT_SYMBOL_GPL(nft_validate_register_store);
8305 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8306 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8307 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8308 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8309 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8312 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8313 struct nft_data_desc *desc, const struct nlattr *nla)
8315 u8 genmask = nft_genmask_next(ctx->net);
8316 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8317 struct nft_chain *chain;
8320 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8321 nft_verdict_policy, NULL);
8325 if (!tb[NFTA_VERDICT_CODE])
8327 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8329 switch (data->verdict.code) {
8331 switch (data->verdict.code & NF_VERDICT_MASK) {
8346 if (tb[NFTA_VERDICT_CHAIN]) {
8347 chain = nft_chain_lookup(ctx->net, ctx->table,
8348 tb[NFTA_VERDICT_CHAIN],
8350 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8351 chain = nft_chain_lookup_byid(ctx->net,
8352 tb[NFTA_VERDICT_CHAIN_ID]);
8354 return PTR_ERR(chain);
8360 return PTR_ERR(chain);
8361 if (nft_is_base_chain(chain))
8365 data->verdict.chain = chain;
8369 desc->len = sizeof(data->verdict);
8370 desc->type = NFT_DATA_VERDICT;
8374 static void nft_verdict_uninit(const struct nft_data *data)
8376 struct nft_chain *chain;
8377 struct nft_rule *rule;
8379 switch (data->verdict.code) {
8382 chain = data->verdict.chain;
8385 if (!nft_chain_is_bound(chain))
8388 chain->table->use--;
8389 list_for_each_entry(rule, &chain->rules, list)
8392 nft_chain_del(chain);
8397 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8399 struct nlattr *nest;
8401 nest = nla_nest_start_noflag(skb, type);
8403 goto nla_put_failure;
8405 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8406 goto nla_put_failure;
8411 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8413 goto nla_put_failure;
8415 nla_nest_end(skb, nest);
8422 static int nft_value_init(const struct nft_ctx *ctx,
8423 struct nft_data *data, unsigned int size,
8424 struct nft_data_desc *desc, const struct nlattr *nla)
8434 nla_memcpy(data->data, nla, len);
8435 desc->type = NFT_DATA_VALUE;
8440 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8443 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8446 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8447 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8448 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8452 * nft_data_init - parse nf_tables data netlink attributes
8454 * @ctx: context of the expression using the data
8455 * @data: destination struct nft_data
8456 * @size: maximum data length
8457 * @desc: data description
8458 * @nla: netlink attribute containing data
8460 * Parse the netlink data attributes and initialize a struct nft_data.
8461 * The type and length of data are returned in the data description.
8463 * The caller can indicate that it only wants to accept data of type
8464 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8466 int nft_data_init(const struct nft_ctx *ctx,
8467 struct nft_data *data, unsigned int size,
8468 struct nft_data_desc *desc, const struct nlattr *nla)
8470 struct nlattr *tb[NFTA_DATA_MAX + 1];
8473 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8474 nft_data_policy, NULL);
8478 if (tb[NFTA_DATA_VALUE])
8479 return nft_value_init(ctx, data, size, desc,
8480 tb[NFTA_DATA_VALUE]);
8481 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8482 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8485 EXPORT_SYMBOL_GPL(nft_data_init);
8488 * nft_data_release - release a nft_data item
8490 * @data: struct nft_data to release
8491 * @type: type of data
8493 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8494 * all others need to be released by calling this function.
8496 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8498 if (type < NFT_DATA_VERDICT)
8501 case NFT_DATA_VERDICT:
8502 return nft_verdict_uninit(data);
8507 EXPORT_SYMBOL_GPL(nft_data_release);
8509 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8510 enum nft_data_types type, unsigned int len)
8512 struct nlattr *nest;
8515 nest = nla_nest_start_noflag(skb, attr);
8520 case NFT_DATA_VALUE:
8521 err = nft_value_dump(skb, data, len);
8523 case NFT_DATA_VERDICT:
8524 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8531 nla_nest_end(skb, nest);
8534 EXPORT_SYMBOL_GPL(nft_data_dump);
8536 int __nft_release_basechain(struct nft_ctx *ctx)
8538 struct nft_rule *rule, *nr;
8540 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8543 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8544 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8545 list_del(&rule->list);
8547 nf_tables_rule_release(ctx, rule);
8549 nft_chain_del(ctx->chain);
8551 nf_tables_chain_destroy(ctx);
8555 EXPORT_SYMBOL_GPL(__nft_release_basechain);
8557 static void __nft_release_tables(struct net *net)
8559 struct nft_flowtable *flowtable, *nf;
8560 struct nft_table *table, *nt;
8561 struct nft_chain *chain, *nc;
8562 struct nft_object *obj, *ne;
8563 struct nft_rule *rule, *nr;
8564 struct nft_set *set, *ns;
8565 struct nft_ctx ctx = {
8567 .family = NFPROTO_NETDEV,
8570 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8571 ctx.family = table->family;
8573 list_for_each_entry(chain, &table->chains, list)
8574 nf_tables_unregister_hook(net, table, chain);
8575 /* No packets are walking on these chains anymore. */
8577 list_for_each_entry(chain, &table->chains, list) {
8579 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8580 list_del(&rule->list);
8582 nf_tables_rule_release(&ctx, rule);
8585 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8586 list_del(&flowtable->list);
8588 nf_tables_flowtable_destroy(flowtable);
8590 list_for_each_entry_safe(set, ns, &table->sets, list) {
8591 list_del(&set->list);
8593 nft_set_destroy(&ctx, set);
8595 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8598 nft_obj_destroy(&ctx, obj);
8600 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8602 nft_chain_del(chain);
8604 nf_tables_chain_destroy(&ctx);
8606 list_del(&table->list);
8607 nf_tables_table_destroy(&ctx);
8611 static int __net_init nf_tables_init_net(struct net *net)
8613 INIT_LIST_HEAD(&net->nft.tables);
8614 INIT_LIST_HEAD(&net->nft.commit_list);
8615 INIT_LIST_HEAD(&net->nft.module_list);
8616 mutex_init(&net->nft.commit_mutex);
8617 net->nft.base_seq = 1;
8618 net->nft.validate_state = NFT_VALIDATE_SKIP;
8623 static void __net_exit nf_tables_exit_net(struct net *net)
8625 mutex_lock(&net->nft.commit_mutex);
8626 if (!list_empty(&net->nft.commit_list))
8627 __nf_tables_abort(net, false);
8628 __nft_release_tables(net);
8629 mutex_unlock(&net->nft.commit_mutex);
8630 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8631 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
8634 static struct pernet_operations nf_tables_net_ops = {
8635 .init = nf_tables_init_net,
8636 .exit = nf_tables_exit_net,
8639 static int __init nf_tables_module_init(void)
8643 spin_lock_init(&nf_tables_destroy_list_lock);
8644 err = register_pernet_subsys(&nf_tables_net_ops);
8648 err = nft_chain_filter_init();
8652 err = nf_tables_core_module_init();
8656 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8660 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8664 err = nft_offload_init();
8669 err = nfnetlink_subsys_register(&nf_tables_subsys);
8673 nft_chain_route_init();
8679 rhltable_destroy(&nft_objname_ht);
8681 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8683 nf_tables_core_module_exit();
8685 nft_chain_filter_fini();
8687 unregister_pernet_subsys(&nf_tables_net_ops);
8691 static void __exit nf_tables_module_exit(void)
8693 nfnetlink_subsys_unregister(&nf_tables_subsys);
8695 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8696 nft_chain_filter_fini();
8697 nft_chain_route_fini();
8698 unregister_pernet_subsys(&nf_tables_net_ops);
8699 cancel_work_sync(&trans_destroy_work);
8701 rhltable_destroy(&nft_objname_ht);
8702 nf_tables_core_module_exit();
8705 module_init(nf_tables_module_init);
8706 module_exit(nf_tables_module_exit);
8708 MODULE_LICENSE("GPL");
8710 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux.git / blob