1 // SPDX-License-Identifier: GPL-2.0-only
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
25 static LIST_HEAD(nf_tables_objects);
26 static LIST_HEAD(nf_tables_flowtables);
27 static LIST_HEAD(nf_tables_destroy_list);
28 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
29 static u64 table_handle;
32 NFT_VALIDATE_SKIP = 0,
37 static struct rhltable nft_objname_ht;
39 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
40 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
41 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
43 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
47 static const struct rhashtable_params nft_chain_ht_params = {
48 .head_offset = offsetof(struct nft_chain, rhlhead),
49 .key_offset = offsetof(struct nft_chain, name),
50 .hashfn = nft_chain_hash,
51 .obj_hashfn = nft_chain_hash_obj,
52 .obj_cmpfn = nft_chain_hash_cmp,
53 .automatic_shrinking = true,
56 static const struct rhashtable_params nft_objname_ht_params = {
57 .head_offset = offsetof(struct nft_object, rhlhead),
58 .key_offset = offsetof(struct nft_object, key),
59 .hashfn = nft_objname_hash,
60 .obj_hashfn = nft_objname_hash_obj,
61 .obj_cmpfn = nft_objname_hash_cmp,
62 .automatic_shrinking = true,
65 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
67 switch (net->nft.validate_state) {
68 case NFT_VALIDATE_SKIP:
69 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
71 case NFT_VALIDATE_NEED:
74 if (new_validate_state == NFT_VALIDATE_NEED)
78 net->nft.validate_state = new_validate_state;
80 static void nf_tables_trans_destroy_work(struct work_struct *w);
81 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
83 static void nft_ctx_init(struct nft_ctx *ctx,
85 const struct sk_buff *skb,
86 const struct nlmsghdr *nlh,
88 struct nft_table *table,
89 struct nft_chain *chain,
90 const struct nlattr * const *nla)
98 ctx->portid = NETLINK_CB(skb).portid;
99 ctx->report = nlmsg_report(nlh);
100 ctx->seq = nlh->nlmsg_seq;
103 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
104 int msg_type, u32 size, gfp_t gfp)
106 struct nft_trans *trans;
108 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
112 trans->msg_type = msg_type;
118 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
119 int msg_type, u32 size)
121 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
124 static void nft_trans_destroy(struct nft_trans *trans)
126 list_del(&trans->list);
130 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
132 struct net *net = ctx->net;
133 struct nft_trans *trans;
135 if (!nft_set_is_anonymous(set))
138 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
139 if (trans->msg_type == NFT_MSG_NEWSET &&
140 nft_trans_set(trans) == set) {
147 static int nf_tables_register_hook(struct net *net,
148 const struct nft_table *table,
149 struct nft_chain *chain)
151 const struct nft_base_chain *basechain;
152 const struct nf_hook_ops *ops;
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !nft_is_base_chain(chain))
158 basechain = nft_base_chain(chain);
159 ops = &basechain->ops;
161 if (basechain->type->ops_register)
162 return basechain->type->ops_register(net, ops);
164 return nf_register_net_hook(net, ops);
167 static void nf_tables_unregister_hook(struct net *net,
168 const struct nft_table *table,
169 struct nft_chain *chain)
171 const struct nft_base_chain *basechain;
172 const struct nf_hook_ops *ops;
174 if (table->flags & NFT_TABLE_F_DORMANT ||
175 !nft_is_base_chain(chain))
177 basechain = nft_base_chain(chain);
178 ops = &basechain->ops;
180 if (basechain->type->ops_unregister)
181 return basechain->type->ops_unregister(net, ops);
183 nf_unregister_net_hook(net, ops);
186 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
188 struct nft_trans *trans;
190 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
194 if (msg_type == NFT_MSG_NEWTABLE)
195 nft_activate_next(ctx->net, ctx->table);
197 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
201 static int nft_deltable(struct nft_ctx *ctx)
205 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
209 nft_deactivate_next(ctx->net, ctx->table);
213 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
215 struct nft_trans *trans;
217 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
219 return ERR_PTR(-ENOMEM);
221 if (msg_type == NFT_MSG_NEWCHAIN)
222 nft_activate_next(ctx->net, ctx->chain);
224 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
228 static int nft_delchain(struct nft_ctx *ctx)
230 struct nft_trans *trans;
232 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
234 return PTR_ERR(trans);
237 nft_deactivate_next(ctx->net, ctx->chain);
242 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
243 struct nft_rule *rule)
245 struct nft_expr *expr;
247 expr = nft_expr_first(rule);
248 while (expr != nft_expr_last(rule) && expr->ops) {
249 if (expr->ops->activate)
250 expr->ops->activate(ctx, expr);
252 expr = nft_expr_next(expr);
256 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
257 struct nft_rule *rule,
258 enum nft_trans_phase phase)
260 struct nft_expr *expr;
262 expr = nft_expr_first(rule);
263 while (expr != nft_expr_last(rule) && expr->ops) {
264 if (expr->ops->deactivate)
265 expr->ops->deactivate(ctx, expr, phase);
267 expr = nft_expr_next(expr);
272 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
274 /* You cannot delete the same rule twice */
275 if (nft_is_active_next(ctx->net, rule)) {
276 nft_deactivate_next(ctx->net, rule);
283 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
284 struct nft_rule *rule)
286 struct nft_trans *trans;
288 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
292 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
293 nft_trans_rule_id(trans) =
294 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
296 nft_trans_rule(trans) = rule;
297 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
302 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
304 struct nft_trans *trans;
307 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
311 err = nf_tables_delrule_deactivate(ctx, rule);
313 nft_trans_destroy(trans);
316 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
321 static int nft_delrule_by_chain(struct nft_ctx *ctx)
323 struct nft_rule *rule;
326 list_for_each_entry(rule, &ctx->chain->rules, list) {
327 if (!nft_is_active_next(ctx->net, rule))
330 err = nft_delrule(ctx, rule);
337 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
340 struct nft_trans *trans;
342 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
346 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
347 nft_trans_set_id(trans) =
348 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
349 nft_activate_next(ctx->net, set);
351 nft_trans_set(trans) = set;
352 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
357 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
361 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
365 nft_deactivate_next(ctx->net, set);
371 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
372 struct nft_object *obj)
374 struct nft_trans *trans;
376 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
380 if (msg_type == NFT_MSG_NEWOBJ)
381 nft_activate_next(ctx->net, obj);
383 nft_trans_obj(trans) = obj;
384 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
389 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
393 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
397 nft_deactivate_next(ctx->net, obj);
403 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
404 struct nft_flowtable *flowtable)
406 struct nft_trans *trans;
408 trans = nft_trans_alloc(ctx, msg_type,
409 sizeof(struct nft_trans_flowtable));
413 if (msg_type == NFT_MSG_NEWFLOWTABLE)
414 nft_activate_next(ctx->net, flowtable);
416 nft_trans_flowtable(trans) = flowtable;
417 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
422 static int nft_delflowtable(struct nft_ctx *ctx,
423 struct nft_flowtable *flowtable)
427 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
431 nft_deactivate_next(ctx->net, flowtable);
441 static struct nft_table *nft_table_lookup(const struct net *net,
442 const struct nlattr *nla,
443 u8 family, u8 genmask)
445 struct nft_table *table;
448 return ERR_PTR(-EINVAL);
450 list_for_each_entry_rcu(table, &net->nft.tables, list) {
451 if (!nla_strcmp(nla, table->name) &&
452 table->family == family &&
453 nft_active_genmask(table, genmask))
457 return ERR_PTR(-ENOENT);
460 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
461 const struct nlattr *nla,
464 struct nft_table *table;
466 list_for_each_entry(table, &net->nft.tables, list) {
467 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
468 nft_active_genmask(table, genmask))
472 return ERR_PTR(-ENOENT);
475 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
477 return ++table->hgenerator;
480 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
482 static const struct nft_chain_type *
483 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
487 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
488 if (chain_type[family][i] != NULL &&
489 !nla_strcmp(nla, chain_type[family][i]->name))
490 return chain_type[family][i];
496 * Loading a module requires dropping mutex that guards the
498 * We first need to abort any pending transactions as once
499 * mutex is unlocked a different client could start a new
500 * transaction. It must not see any 'future generation'
501 * changes * as these changes will never happen.
503 #ifdef CONFIG_MODULES
504 static int __nf_tables_abort(struct net *net);
506 static void nft_request_module(struct net *net, const char *fmt, ...)
508 char module_name[MODULE_NAME_LEN];
512 __nf_tables_abort(net);
515 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
517 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
520 mutex_unlock(&net->nft.commit_mutex);
521 request_module("%s", module_name);
522 mutex_lock(&net->nft.commit_mutex);
526 static void lockdep_nfnl_nft_mutex_not_held(void)
528 #ifdef CONFIG_PROVE_LOCKING
529 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
533 static const struct nft_chain_type *
534 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
535 u8 family, bool autoload)
537 const struct nft_chain_type *type;
539 type = __nf_tables_chain_type_lookup(nla, family);
543 lockdep_nfnl_nft_mutex_not_held();
544 #ifdef CONFIG_MODULES
546 nft_request_module(net, "nft-chain-%u-%.*s", family,
547 nla_len(nla), (const char *)nla_data(nla));
548 type = __nf_tables_chain_type_lookup(nla, family);
550 return ERR_PTR(-EAGAIN);
553 return ERR_PTR(-ENOENT);
556 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
557 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
558 .len = NFT_TABLE_MAXNAMELEN - 1 },
559 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
560 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
563 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
564 u32 portid, u32 seq, int event, u32 flags,
565 int family, const struct nft_table *table)
567 struct nlmsghdr *nlh;
568 struct nfgenmsg *nfmsg;
570 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
571 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
573 goto nla_put_failure;
575 nfmsg = nlmsg_data(nlh);
576 nfmsg->nfgen_family = family;
577 nfmsg->version = NFNETLINK_V0;
578 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
580 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
581 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
582 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
583 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
585 goto nla_put_failure;
591 nlmsg_trim(skb, nlh);
595 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
601 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
604 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
608 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
609 event, 0, ctx->family, ctx->table);
615 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
616 ctx->report, GFP_KERNEL);
619 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
622 static int nf_tables_dump_tables(struct sk_buff *skb,
623 struct netlink_callback *cb)
625 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
626 const struct nft_table *table;
627 unsigned int idx = 0, s_idx = cb->args[0];
628 struct net *net = sock_net(skb->sk);
629 int family = nfmsg->nfgen_family;
632 cb->seq = net->nft.base_seq;
634 list_for_each_entry_rcu(table, &net->nft.tables, list) {
635 if (family != NFPROTO_UNSPEC && family != table->family)
641 memset(&cb->args[1], 0,
642 sizeof(cb->args) - sizeof(cb->args[0]));
643 if (!nft_is_active(net, table))
645 if (nf_tables_fill_table_info(skb, net,
646 NETLINK_CB(cb->skb).portid,
648 NFT_MSG_NEWTABLE, NLM_F_MULTI,
649 table->family, table) < 0)
652 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
662 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
663 const struct nlmsghdr *nlh,
664 struct netlink_dump_control *c)
668 if (!try_module_get(THIS_MODULE))
672 err = netlink_dump_start(nlsk, skb, nlh, c);
674 module_put(THIS_MODULE);
679 /* called with rcu_read_lock held */
680 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
681 struct sk_buff *skb, const struct nlmsghdr *nlh,
682 const struct nlattr * const nla[],
683 struct netlink_ext_ack *extack)
685 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
686 u8 genmask = nft_genmask_cur(net);
687 const struct nft_table *table;
688 struct sk_buff *skb2;
689 int family = nfmsg->nfgen_family;
692 if (nlh->nlmsg_flags & NLM_F_DUMP) {
693 struct netlink_dump_control c = {
694 .dump = nf_tables_dump_tables,
695 .module = THIS_MODULE,
698 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
701 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
703 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
704 return PTR_ERR(table);
707 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
711 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
712 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
717 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
724 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
726 struct nft_chain *chain;
729 list_for_each_entry(chain, &table->chains, list) {
730 if (!nft_is_active_next(net, chain))
732 if (!nft_is_base_chain(chain))
735 if (cnt && i++ == cnt)
738 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
742 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
744 struct nft_chain *chain;
747 list_for_each_entry(chain, &table->chains, list) {
748 if (!nft_is_active_next(net, chain))
750 if (!nft_is_base_chain(chain))
753 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
762 nft_table_disable(net, table, i);
766 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
768 nft_table_disable(net, table, 0);
771 static int nf_tables_updtable(struct nft_ctx *ctx)
773 struct nft_trans *trans;
777 if (!ctx->nla[NFTA_TABLE_FLAGS])
780 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
781 if (flags & ~NFT_TABLE_F_DORMANT)
784 if (flags == ctx->table->flags)
787 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
788 sizeof(struct nft_trans_table));
792 if ((flags & NFT_TABLE_F_DORMANT) &&
793 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
794 nft_trans_table_enable(trans) = false;
795 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
796 ctx->table->flags & NFT_TABLE_F_DORMANT) {
797 ret = nf_tables_table_enable(ctx->net, ctx->table);
799 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
800 nft_trans_table_enable(trans) = true;
806 nft_trans_table_update(trans) = true;
807 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
810 nft_trans_destroy(trans);
814 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
816 const char *name = data;
818 return jhash(name, strlen(name), seed);
821 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
823 const struct nft_chain *chain = data;
825 return nft_chain_hash(chain->name, 0, seed);
828 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
831 const struct nft_chain *chain = ptr;
832 const char *name = arg->key;
834 return strcmp(chain->name, name);
837 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
839 const struct nft_object_hash_key *k = data;
841 seed ^= hash_ptr(k->table, 32);
843 return jhash(k->name, strlen(k->name), seed);
846 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
848 const struct nft_object *obj = data;
850 return nft_objname_hash(&obj->key, 0, seed);
853 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
856 const struct nft_object_hash_key *k = arg->key;
857 const struct nft_object *obj = ptr;
859 if (obj->key.table != k->table)
862 return strcmp(obj->key.name, k->name);
865 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
866 struct sk_buff *skb, const struct nlmsghdr *nlh,
867 const struct nlattr * const nla[],
868 struct netlink_ext_ack *extack)
870 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
871 u8 genmask = nft_genmask_next(net);
872 int family = nfmsg->nfgen_family;
873 const struct nlattr *attr;
874 struct nft_table *table;
879 lockdep_assert_held(&net->nft.commit_mutex);
880 attr = nla[NFTA_TABLE_NAME];
881 table = nft_table_lookup(net, attr, family, genmask);
883 if (PTR_ERR(table) != -ENOENT)
884 return PTR_ERR(table);
886 if (nlh->nlmsg_flags & NLM_F_EXCL) {
887 NL_SET_BAD_ATTR(extack, attr);
890 if (nlh->nlmsg_flags & NLM_F_REPLACE)
893 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
894 return nf_tables_updtable(&ctx);
897 if (nla[NFTA_TABLE_FLAGS]) {
898 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
899 if (flags & ~NFT_TABLE_F_DORMANT)
904 table = kzalloc(sizeof(*table), GFP_KERNEL);
908 table->name = nla_strdup(attr, GFP_KERNEL);
909 if (table->name == NULL)
912 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
916 INIT_LIST_HEAD(&table->chains);
917 INIT_LIST_HEAD(&table->sets);
918 INIT_LIST_HEAD(&table->objects);
919 INIT_LIST_HEAD(&table->flowtables);
920 table->family = family;
921 table->flags = flags;
922 table->handle = ++table_handle;
924 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
925 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
929 list_add_tail_rcu(&table->list, &net->nft.tables);
932 rhltable_destroy(&table->chains_ht);
941 static int nft_flush_table(struct nft_ctx *ctx)
943 struct nft_flowtable *flowtable, *nft;
944 struct nft_chain *chain, *nc;
945 struct nft_object *obj, *ne;
946 struct nft_set *set, *ns;
949 list_for_each_entry(chain, &ctx->table->chains, list) {
950 if (!nft_is_active_next(ctx->net, chain))
955 err = nft_delrule_by_chain(ctx);
960 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
961 if (!nft_is_active_next(ctx->net, set))
964 if (nft_set_is_anonymous(set) &&
965 !list_empty(&set->bindings))
968 err = nft_delset(ctx, set);
973 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
974 err = nft_delflowtable(ctx, flowtable);
979 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
980 err = nft_delobj(ctx, obj);
985 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
986 if (!nft_is_active_next(ctx->net, chain))
991 err = nft_delchain(ctx);
996 err = nft_deltable(ctx);
1001 static int nft_flush(struct nft_ctx *ctx, int family)
1003 struct nft_table *table, *nt;
1004 const struct nlattr * const *nla = ctx->nla;
1007 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1008 if (family != AF_UNSPEC && table->family != family)
1011 ctx->family = table->family;
1013 if (!nft_is_active_next(ctx->net, table))
1016 if (nla[NFTA_TABLE_NAME] &&
1017 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1022 err = nft_flush_table(ctx);
1030 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1031 struct sk_buff *skb, const struct nlmsghdr *nlh,
1032 const struct nlattr * const nla[],
1033 struct netlink_ext_ack *extack)
1035 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1036 u8 genmask = nft_genmask_next(net);
1037 int family = nfmsg->nfgen_family;
1038 const struct nlattr *attr;
1039 struct nft_table *table;
1042 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1043 if (family == AF_UNSPEC ||
1044 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1045 return nft_flush(&ctx, family);
1047 if (nla[NFTA_TABLE_HANDLE]) {
1048 attr = nla[NFTA_TABLE_HANDLE];
1049 table = nft_table_lookup_byhandle(net, attr, genmask);
1051 attr = nla[NFTA_TABLE_NAME];
1052 table = nft_table_lookup(net, attr, family, genmask);
1055 if (IS_ERR(table)) {
1056 NL_SET_BAD_ATTR(extack, attr);
1057 return PTR_ERR(table);
1060 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1064 ctx.family = family;
1067 return nft_flush_table(&ctx);
1070 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1072 if (WARN_ON(ctx->table->use > 0))
1075 rhltable_destroy(&ctx->table->chains_ht);
1076 kfree(ctx->table->name);
1080 void nft_register_chain_type(const struct nft_chain_type *ctype)
1082 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1085 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1086 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1087 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1090 chain_type[ctype->family][ctype->type] = ctype;
1091 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1093 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1095 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1097 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1098 chain_type[ctype->family][ctype->type] = NULL;
1099 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1101 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1107 static struct nft_chain *
1108 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1110 struct nft_chain *chain;
1112 list_for_each_entry(chain, &table->chains, list) {
1113 if (chain->handle == handle &&
1114 nft_active_genmask(chain, genmask))
1118 return ERR_PTR(-ENOENT);
1121 static bool lockdep_commit_lock_is_held(const struct net *net)
1123 #ifdef CONFIG_PROVE_LOCKING
1124 return lockdep_is_held(&net->nft.commit_mutex);
1130 static struct nft_chain *nft_chain_lookup(struct net *net,
1131 struct nft_table *table,
1132 const struct nlattr *nla, u8 genmask)
1134 char search[NFT_CHAIN_MAXNAMELEN + 1];
1135 struct rhlist_head *tmp, *list;
1136 struct nft_chain *chain;
1139 return ERR_PTR(-EINVAL);
1141 nla_strlcpy(search, nla, sizeof(search));
1143 WARN_ON(!rcu_read_lock_held() &&
1144 !lockdep_commit_lock_is_held(net));
1146 chain = ERR_PTR(-ENOENT);
1148 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1152 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1153 if (nft_active_genmask(chain, genmask))
1156 chain = ERR_PTR(-ENOENT);
1162 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1163 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1164 .len = NFT_TABLE_MAXNAMELEN - 1 },
1165 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1166 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1167 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1168 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1169 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1170 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1171 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1174 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1175 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1176 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1177 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1178 .len = IFNAMSIZ - 1 },
1181 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1183 struct nft_stats *cpu_stats, total;
1184 struct nlattr *nest;
1192 memset(&total, 0, sizeof(total));
1193 for_each_possible_cpu(cpu) {
1194 cpu_stats = per_cpu_ptr(stats, cpu);
1196 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1197 pkts = cpu_stats->pkts;
1198 bytes = cpu_stats->bytes;
1199 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1201 total.bytes += bytes;
1203 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1205 goto nla_put_failure;
1207 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1208 NFTA_COUNTER_PAD) ||
1209 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1211 goto nla_put_failure;
1213 nla_nest_end(skb, nest);
1220 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1221 u32 portid, u32 seq, int event, u32 flags,
1222 int family, const struct nft_table *table,
1223 const struct nft_chain *chain)
1225 struct nlmsghdr *nlh;
1226 struct nfgenmsg *nfmsg;
1228 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1229 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1231 goto nla_put_failure;
1233 nfmsg = nlmsg_data(nlh);
1234 nfmsg->nfgen_family = family;
1235 nfmsg->version = NFNETLINK_V0;
1236 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1238 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1239 goto nla_put_failure;
1240 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1242 goto nla_put_failure;
1243 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1244 goto nla_put_failure;
1246 if (nft_is_base_chain(chain)) {
1247 const struct nft_base_chain *basechain = nft_base_chain(chain);
1248 const struct nf_hook_ops *ops = &basechain->ops;
1249 struct nft_stats __percpu *stats;
1250 struct nlattr *nest;
1252 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1254 goto nla_put_failure;
1255 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1256 goto nla_put_failure;
1257 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1258 goto nla_put_failure;
1259 if (basechain->dev_name[0] &&
1260 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1261 goto nla_put_failure;
1262 nla_nest_end(skb, nest);
1264 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1265 htonl(basechain->policy)))
1266 goto nla_put_failure;
1268 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1269 goto nla_put_failure;
1271 stats = rcu_dereference_check(basechain->stats,
1272 lockdep_commit_lock_is_held(net));
1273 if (nft_dump_stats(skb, stats))
1274 goto nla_put_failure;
1277 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1278 goto nla_put_failure;
1280 nlmsg_end(skb, nlh);
1284 nlmsg_trim(skb, nlh);
1288 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1290 struct sk_buff *skb;
1294 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1297 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1301 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1302 event, 0, ctx->family, ctx->table,
1309 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1310 ctx->report, GFP_KERNEL);
1313 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1316 static int nf_tables_dump_chains(struct sk_buff *skb,
1317 struct netlink_callback *cb)
1319 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1320 const struct nft_table *table;
1321 const struct nft_chain *chain;
1322 unsigned int idx = 0, s_idx = cb->args[0];
1323 struct net *net = sock_net(skb->sk);
1324 int family = nfmsg->nfgen_family;
1327 cb->seq = net->nft.base_seq;
1329 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1330 if (family != NFPROTO_UNSPEC && family != table->family)
1333 list_for_each_entry_rcu(chain, &table->chains, list) {
1337 memset(&cb->args[1], 0,
1338 sizeof(cb->args) - sizeof(cb->args[0]));
1339 if (!nft_is_active(net, chain))
1341 if (nf_tables_fill_chain_info(skb, net,
1342 NETLINK_CB(cb->skb).portid,
1346 table->family, table,
1350 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1361 /* called with rcu_read_lock held */
1362 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1363 struct sk_buff *skb, const struct nlmsghdr *nlh,
1364 const struct nlattr * const nla[],
1365 struct netlink_ext_ack *extack)
1367 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1368 u8 genmask = nft_genmask_cur(net);
1369 const struct nft_chain *chain;
1370 struct nft_table *table;
1371 struct sk_buff *skb2;
1372 int family = nfmsg->nfgen_family;
1375 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1376 struct netlink_dump_control c = {
1377 .dump = nf_tables_dump_chains,
1378 .module = THIS_MODULE,
1381 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1384 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1385 if (IS_ERR(table)) {
1386 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1387 return PTR_ERR(table);
1390 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1391 if (IS_ERR(chain)) {
1392 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1393 return PTR_ERR(chain);
1396 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1400 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1401 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1402 family, table, chain);
1406 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1413 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1414 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1415 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1418 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1420 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1421 struct nft_stats __percpu *newstats;
1422 struct nft_stats *stats;
1425 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1426 nft_counter_policy, NULL);
1428 return ERR_PTR(err);
1430 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1431 return ERR_PTR(-EINVAL);
1433 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1434 if (newstats == NULL)
1435 return ERR_PTR(-ENOMEM);
1437 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1438 * are not exposed to userspace.
1441 stats = this_cpu_ptr(newstats);
1442 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1443 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1449 static void nft_chain_stats_replace(struct net *net,
1450 struct nft_base_chain *chain,
1451 struct nft_stats __percpu *newstats)
1453 struct nft_stats __percpu *oldstats;
1455 if (newstats == NULL)
1458 if (rcu_access_pointer(chain->stats)) {
1459 oldstats = rcu_dereference_protected(chain->stats,
1460 lockdep_commit_lock_is_held(net));
1461 rcu_assign_pointer(chain->stats, newstats);
1463 free_percpu(oldstats);
1465 rcu_assign_pointer(chain->stats, newstats);
1466 static_branch_inc(&nft_counters_enabled);
1470 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1472 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1473 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1479 /* should be NULL either via abort or via successful commit */
1480 WARN_ON_ONCE(chain->rules_next);
1481 kvfree(chain->rules_next);
1484 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1486 struct nft_chain *chain = ctx->chain;
1488 if (WARN_ON(chain->use > 0))
1491 /* no concurrent access possible anymore */
1492 nf_tables_chain_free_chain_rules(chain);
1494 if (nft_is_base_chain(chain)) {
1495 struct nft_base_chain *basechain = nft_base_chain(chain);
1497 module_put(basechain->type->owner);
1498 if (rcu_access_pointer(basechain->stats)) {
1499 static_branch_dec(&nft_counters_enabled);
1500 free_percpu(rcu_dereference_raw(basechain->stats));
1510 struct nft_chain_hook {
1513 const struct nft_chain_type *type;
1514 struct net_device *dev;
1517 static int nft_chain_parse_hook(struct net *net,
1518 const struct nlattr * const nla[],
1519 struct nft_chain_hook *hook, u8 family,
1522 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1523 const struct nft_chain_type *type;
1524 struct net_device *dev;
1527 lockdep_assert_held(&net->nft.commit_mutex);
1528 lockdep_nfnl_nft_mutex_not_held();
1530 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1531 nla[NFTA_CHAIN_HOOK],
1532 nft_hook_policy, NULL);
1536 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1537 ha[NFTA_HOOK_PRIORITY] == NULL)
1540 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1541 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1543 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1544 if (nla[NFTA_CHAIN_TYPE]) {
1545 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1548 return PTR_ERR(type);
1550 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1553 if (type->type == NFT_CHAIN_T_NAT &&
1554 hook->priority <= NF_IP_PRI_CONNTRACK)
1557 if (!try_module_get(type->owner))
1563 if (family == NFPROTO_NETDEV) {
1564 char ifname[IFNAMSIZ];
1566 if (!ha[NFTA_HOOK_DEV]) {
1567 module_put(type->owner);
1571 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1572 dev = __dev_get_by_name(net, ifname);
1574 module_put(type->owner);
1578 } else if (ha[NFTA_HOOK_DEV]) {
1579 module_put(type->owner);
1586 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1588 module_put(hook->type->owner);
1591 struct nft_rules_old {
1593 struct nft_rule **start;
1596 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1599 if (alloc > INT_MAX)
1602 alloc += 1; /* NULL, ends rules */
1603 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1606 alloc *= sizeof(struct nft_rule *);
1607 alloc += sizeof(struct nft_rules_old);
1609 return kvmalloc(alloc, GFP_KERNEL);
1612 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1615 const struct nlattr * const *nla = ctx->nla;
1616 struct nft_table *table = ctx->table;
1617 struct nft_base_chain *basechain;
1618 struct nft_stats __percpu *stats;
1619 struct net *net = ctx->net;
1620 struct nft_trans *trans;
1621 struct nft_chain *chain;
1622 struct nft_rule **rules;
1625 if (table->use == UINT_MAX)
1628 if (nla[NFTA_CHAIN_HOOK]) {
1629 struct nft_chain_hook hook;
1630 struct nf_hook_ops *ops;
1632 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1636 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1637 if (basechain == NULL) {
1638 nft_chain_release_hook(&hook);
1642 if (hook.dev != NULL)
1643 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1645 if (nla[NFTA_CHAIN_COUNTERS]) {
1646 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1647 if (IS_ERR(stats)) {
1648 nft_chain_release_hook(&hook);
1650 return PTR_ERR(stats);
1652 rcu_assign_pointer(basechain->stats, stats);
1653 static_branch_inc(&nft_counters_enabled);
1656 basechain->type = hook.type;
1657 chain = &basechain->chain;
1659 ops = &basechain->ops;
1661 ops->hooknum = hook.num;
1662 ops->priority = hook.priority;
1664 ops->hook = hook.type->hooks[ops->hooknum];
1665 ops->dev = hook.dev;
1667 chain->flags |= NFT_BASE_CHAIN;
1668 basechain->policy = NF_ACCEPT;
1670 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1676 INIT_LIST_HEAD(&chain->rules);
1677 chain->handle = nf_tables_alloc_handle(table);
1678 chain->table = table;
1679 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1685 rules = nf_tables_chain_alloc_rules(chain, 0);
1692 rcu_assign_pointer(chain->rules_gen_0, rules);
1693 rcu_assign_pointer(chain->rules_gen_1, rules);
1695 err = nf_tables_register_hook(net, table, chain);
1699 err = rhltable_insert_key(&table->chains_ht, chain->name,
1700 &chain->rhlhead, nft_chain_ht_params);
1704 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1705 if (IS_ERR(trans)) {
1706 err = PTR_ERR(trans);
1707 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1708 nft_chain_ht_params);
1712 nft_trans_chain_policy(trans) = -1;
1713 if (nft_is_base_chain(chain))
1714 nft_trans_chain_policy(trans) = policy;
1717 list_add_tail_rcu(&chain->list, &table->chains);
1721 nf_tables_unregister_hook(net, table, chain);
1723 nf_tables_chain_destroy(ctx);
1728 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
1730 const struct nlattr * const *nla = ctx->nla;
1731 struct nft_table *table = ctx->table;
1732 struct nft_chain *chain = ctx->chain;
1733 struct nft_base_chain *basechain;
1734 struct nft_stats *stats = NULL;
1735 struct nft_chain_hook hook;
1736 struct nf_hook_ops *ops;
1737 struct nft_trans *trans;
1740 if (nla[NFTA_CHAIN_HOOK]) {
1741 if (!nft_is_base_chain(chain))
1744 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1749 basechain = nft_base_chain(chain);
1750 if (basechain->type != hook.type) {
1751 nft_chain_release_hook(&hook);
1755 ops = &basechain->ops;
1756 if (ops->hooknum != hook.num ||
1757 ops->priority != hook.priority ||
1758 ops->dev != hook.dev) {
1759 nft_chain_release_hook(&hook);
1762 nft_chain_release_hook(&hook);
1765 if (nla[NFTA_CHAIN_HANDLE] &&
1766 nla[NFTA_CHAIN_NAME]) {
1767 struct nft_chain *chain2;
1769 chain2 = nft_chain_lookup(ctx->net, table,
1770 nla[NFTA_CHAIN_NAME], genmask);
1771 if (!IS_ERR(chain2))
1775 if (nla[NFTA_CHAIN_COUNTERS]) {
1776 if (!nft_is_base_chain(chain))
1779 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1781 return PTR_ERR(stats);
1785 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1786 sizeof(struct nft_trans_chain));
1790 nft_trans_chain_stats(trans) = stats;
1791 nft_trans_chain_update(trans) = true;
1793 if (nla[NFTA_CHAIN_POLICY])
1794 nft_trans_chain_policy(trans) = policy;
1796 nft_trans_chain_policy(trans) = -1;
1798 if (nla[NFTA_CHAIN_HANDLE] &&
1799 nla[NFTA_CHAIN_NAME]) {
1800 struct nft_trans *tmp;
1804 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1809 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1810 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1811 tmp->ctx.table == table &&
1812 nft_trans_chain_update(tmp) &&
1813 nft_trans_chain_name(tmp) &&
1814 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1820 nft_trans_chain_name(trans) = name;
1822 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1831 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1832 struct sk_buff *skb, const struct nlmsghdr *nlh,
1833 const struct nlattr * const nla[],
1834 struct netlink_ext_ack *extack)
1836 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1837 u8 genmask = nft_genmask_next(net);
1838 int family = nfmsg->nfgen_family;
1839 const struct nlattr *attr;
1840 struct nft_table *table;
1841 struct nft_chain *chain;
1842 u8 policy = NF_ACCEPT;
1846 lockdep_assert_held(&net->nft.commit_mutex);
1848 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1849 if (IS_ERR(table)) {
1850 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1851 return PTR_ERR(table);
1855 attr = nla[NFTA_CHAIN_NAME];
1857 if (nla[NFTA_CHAIN_HANDLE]) {
1858 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1859 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1860 if (IS_ERR(chain)) {
1861 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1862 return PTR_ERR(chain);
1864 attr = nla[NFTA_CHAIN_HANDLE];
1866 chain = nft_chain_lookup(net, table, attr, genmask);
1867 if (IS_ERR(chain)) {
1868 if (PTR_ERR(chain) != -ENOENT) {
1869 NL_SET_BAD_ATTR(extack, attr);
1870 return PTR_ERR(chain);
1876 if (nla[NFTA_CHAIN_POLICY]) {
1877 if (chain != NULL &&
1878 !nft_is_base_chain(chain)) {
1879 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1883 if (chain == NULL &&
1884 nla[NFTA_CHAIN_HOOK] == NULL) {
1885 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1889 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1899 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1901 if (chain != NULL) {
1902 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1903 NL_SET_BAD_ATTR(extack, attr);
1906 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1909 return nf_tables_updchain(&ctx, genmask, policy);
1912 return nf_tables_addchain(&ctx, family, genmask, policy);
1915 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1916 struct sk_buff *skb, const struct nlmsghdr *nlh,
1917 const struct nlattr * const nla[],
1918 struct netlink_ext_ack *extack)
1920 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1921 u8 genmask = nft_genmask_next(net);
1922 int family = nfmsg->nfgen_family;
1923 const struct nlattr *attr;
1924 struct nft_table *table;
1925 struct nft_chain *chain;
1926 struct nft_rule *rule;
1932 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1933 if (IS_ERR(table)) {
1934 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1935 return PTR_ERR(table);
1938 if (nla[NFTA_CHAIN_HANDLE]) {
1939 attr = nla[NFTA_CHAIN_HANDLE];
1940 handle = be64_to_cpu(nla_get_be64(attr));
1941 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1943 attr = nla[NFTA_CHAIN_NAME];
1944 chain = nft_chain_lookup(net, table, attr, genmask);
1946 if (IS_ERR(chain)) {
1947 NL_SET_BAD_ATTR(extack, attr);
1948 return PTR_ERR(chain);
1951 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1955 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1958 list_for_each_entry(rule, &chain->rules, list) {
1959 if (!nft_is_active_next(net, rule))
1963 err = nft_delrule(&ctx, rule);
1968 /* There are rules and elements that are still holding references to us,
1969 * we cannot do a recursive removal in this case.
1972 NL_SET_BAD_ATTR(extack, attr);
1976 return nft_delchain(&ctx);
1984 * nft_register_expr - register nf_tables expr type
1987 * Registers the expr type for use with nf_tables. Returns zero on
1988 * success or a negative errno code otherwise.
1990 int nft_register_expr(struct nft_expr_type *type)
1992 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1993 if (type->family == NFPROTO_UNSPEC)
1994 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1996 list_add_rcu(&type->list, &nf_tables_expressions);
1997 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2000 EXPORT_SYMBOL_GPL(nft_register_expr);
2003 * nft_unregister_expr - unregister nf_tables expr type
2006 * Unregisters the expr typefor use with nf_tables.
2008 void nft_unregister_expr(struct nft_expr_type *type)
2010 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2011 list_del_rcu(&type->list);
2012 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2014 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2016 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2019 const struct nft_expr_type *type;
2021 list_for_each_entry(type, &nf_tables_expressions, list) {
2022 if (!nla_strcmp(nla, type->name) &&
2023 (!type->family || type->family == family))
2029 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2033 const struct nft_expr_type *type;
2036 return ERR_PTR(-EINVAL);
2038 type = __nft_expr_type_get(family, nla);
2039 if (type != NULL && try_module_get(type->owner))
2042 lockdep_nfnl_nft_mutex_not_held();
2043 #ifdef CONFIG_MODULES
2045 nft_request_module(net, "nft-expr-%u-%.*s", family,
2046 nla_len(nla), (char *)nla_data(nla));
2047 if (__nft_expr_type_get(family, nla))
2048 return ERR_PTR(-EAGAIN);
2050 nft_request_module(net, "nft-expr-%.*s",
2051 nla_len(nla), (char *)nla_data(nla));
2052 if (__nft_expr_type_get(family, nla))
2053 return ERR_PTR(-EAGAIN);
2056 return ERR_PTR(-ENOENT);
2059 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2060 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2061 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2064 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2065 const struct nft_expr *expr)
2067 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2068 goto nla_put_failure;
2070 if (expr->ops->dump) {
2071 struct nlattr *data = nla_nest_start_noflag(skb,
2074 goto nla_put_failure;
2075 if (expr->ops->dump(skb, expr) < 0)
2076 goto nla_put_failure;
2077 nla_nest_end(skb, data);
2086 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2087 const struct nft_expr *expr)
2089 struct nlattr *nest;
2091 nest = nla_nest_start_noflag(skb, attr);
2093 goto nla_put_failure;
2094 if (nf_tables_fill_expr_info(skb, expr) < 0)
2095 goto nla_put_failure;
2096 nla_nest_end(skb, nest);
2103 struct nft_expr_info {
2104 const struct nft_expr_ops *ops;
2105 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2108 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2109 const struct nlattr *nla,
2110 struct nft_expr_info *info)
2112 const struct nft_expr_type *type;
2113 const struct nft_expr_ops *ops;
2114 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2117 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2118 nft_expr_policy, NULL);
2122 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2124 return PTR_ERR(type);
2126 if (tb[NFTA_EXPR_DATA]) {
2127 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2129 type->policy, NULL);
2133 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2135 if (type->select_ops != NULL) {
2136 ops = type->select_ops(ctx,
2137 (const struct nlattr * const *)info->tb);
2149 module_put(type->owner);
2153 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2154 const struct nft_expr_info *info,
2155 struct nft_expr *expr)
2157 const struct nft_expr_ops *ops = info->ops;
2162 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2173 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2174 struct nft_expr *expr)
2176 const struct nft_expr_type *type = expr->ops->type;
2178 if (expr->ops->destroy)
2179 expr->ops->destroy(ctx, expr);
2180 module_put(type->owner);
2183 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2184 const struct nlattr *nla)
2186 struct nft_expr_info info;
2187 struct nft_expr *expr;
2188 struct module *owner;
2191 err = nf_tables_expr_parse(ctx, nla, &info);
2196 expr = kzalloc(info.ops->size, GFP_KERNEL);
2200 err = nf_tables_newexpr(ctx, &info, expr);
2208 owner = info.ops->type->owner;
2209 if (info.ops->type->release_ops)
2210 info.ops->type->release_ops(info.ops);
2214 return ERR_PTR(err);
2217 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2219 nf_tables_expr_destroy(ctx, expr);
2227 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2230 struct nft_rule *rule;
2232 // FIXME: this sucks
2233 list_for_each_entry_rcu(rule, &chain->rules, list) {
2234 if (handle == rule->handle)
2238 return ERR_PTR(-ENOENT);
2241 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2242 const struct nlattr *nla)
2245 return ERR_PTR(-EINVAL);
2247 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2250 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2251 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2252 .len = NFT_TABLE_MAXNAMELEN - 1 },
2253 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2254 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2255 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2256 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2257 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2258 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2259 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2260 .len = NFT_USERDATA_MAXLEN },
2261 [NFTA_RULE_ID] = { .type = NLA_U32 },
2262 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2265 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2266 u32 portid, u32 seq, int event,
2267 u32 flags, int family,
2268 const struct nft_table *table,
2269 const struct nft_chain *chain,
2270 const struct nft_rule *rule,
2271 const struct nft_rule *prule)
2273 struct nlmsghdr *nlh;
2274 struct nfgenmsg *nfmsg;
2275 const struct nft_expr *expr, *next;
2276 struct nlattr *list;
2277 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2279 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2281 goto nla_put_failure;
2283 nfmsg = nlmsg_data(nlh);
2284 nfmsg->nfgen_family = family;
2285 nfmsg->version = NFNETLINK_V0;
2286 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2288 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2289 goto nla_put_failure;
2290 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2291 goto nla_put_failure;
2292 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2294 goto nla_put_failure;
2296 if (event != NFT_MSG_DELRULE && prule) {
2297 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2298 cpu_to_be64(prule->handle),
2300 goto nla_put_failure;
2303 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2305 goto nla_put_failure;
2306 nft_rule_for_each_expr(expr, next, rule) {
2307 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2308 goto nla_put_failure;
2310 nla_nest_end(skb, list);
2313 struct nft_userdata *udata = nft_userdata(rule);
2314 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2316 goto nla_put_failure;
2319 nlmsg_end(skb, nlh);
2323 nlmsg_trim(skb, nlh);
2327 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2328 const struct nft_rule *rule, int event)
2330 struct sk_buff *skb;
2334 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2337 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2341 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2342 event, 0, ctx->family, ctx->table,
2343 ctx->chain, rule, NULL);
2349 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2350 ctx->report, GFP_KERNEL);
2353 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2356 struct nft_rule_dump_ctx {
2361 static int __nf_tables_dump_rules(struct sk_buff *skb,
2363 struct netlink_callback *cb,
2364 const struct nft_table *table,
2365 const struct nft_chain *chain)
2367 struct net *net = sock_net(skb->sk);
2368 const struct nft_rule *rule, *prule;
2369 unsigned int s_idx = cb->args[0];
2372 list_for_each_entry_rcu(rule, &chain->rules, list) {
2373 if (!nft_is_active(net, rule))
2378 memset(&cb->args[1], 0,
2379 sizeof(cb->args) - sizeof(cb->args[0]));
2381 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2384 NLM_F_MULTI | NLM_F_APPEND,
2386 table, chain, rule, prule) < 0)
2389 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2398 static int nf_tables_dump_rules(struct sk_buff *skb,
2399 struct netlink_callback *cb)
2401 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2402 const struct nft_rule_dump_ctx *ctx = cb->data;
2403 struct nft_table *table;
2404 const struct nft_chain *chain;
2405 unsigned int idx = 0;
2406 struct net *net = sock_net(skb->sk);
2407 int family = nfmsg->nfgen_family;
2410 cb->seq = net->nft.base_seq;
2412 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2413 if (family != NFPROTO_UNSPEC && family != table->family)
2416 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2419 if (ctx && ctx->table && ctx->chain) {
2420 struct rhlist_head *list, *tmp;
2422 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2423 nft_chain_ht_params);
2427 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2428 if (!nft_is_active(net, chain))
2430 __nf_tables_dump_rules(skb, &idx,
2437 list_for_each_entry_rcu(chain, &table->chains, list) {
2438 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2442 if (ctx && ctx->table)
2452 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2454 const struct nlattr * const *nla = cb->data;
2455 struct nft_rule_dump_ctx *ctx = NULL;
2457 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2458 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2462 if (nla[NFTA_RULE_TABLE]) {
2463 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2470 if (nla[NFTA_RULE_CHAIN]) {
2471 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2485 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2487 struct nft_rule_dump_ctx *ctx = cb->data;
2497 /* called with rcu_read_lock held */
2498 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2499 struct sk_buff *skb, const struct nlmsghdr *nlh,
2500 const struct nlattr * const nla[],
2501 struct netlink_ext_ack *extack)
2503 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2504 u8 genmask = nft_genmask_cur(net);
2505 const struct nft_chain *chain;
2506 const struct nft_rule *rule;
2507 struct nft_table *table;
2508 struct sk_buff *skb2;
2509 int family = nfmsg->nfgen_family;
2512 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2513 struct netlink_dump_control c = {
2514 .start= nf_tables_dump_rules_start,
2515 .dump = nf_tables_dump_rules,
2516 .done = nf_tables_dump_rules_done,
2517 .module = THIS_MODULE,
2518 .data = (void *)nla,
2521 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2524 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2525 if (IS_ERR(table)) {
2526 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2527 return PTR_ERR(table);
2530 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2531 if (IS_ERR(chain)) {
2532 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2533 return PTR_ERR(chain);
2536 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2538 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2539 return PTR_ERR(rule);
2542 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2546 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2547 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2548 family, table, chain, rule, NULL);
2552 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2559 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2560 struct nft_rule *rule)
2562 struct nft_expr *expr, *next;
2565 * Careful: some expressions might not be initialized in case this
2566 * is called on error from nf_tables_newrule().
2568 expr = nft_expr_first(rule);
2569 while (expr != nft_expr_last(rule) && expr->ops) {
2570 next = nft_expr_next(expr);
2571 nf_tables_expr_destroy(ctx, expr);
2577 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2578 struct nft_rule *rule)
2580 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2581 nf_tables_rule_destroy(ctx, rule);
2584 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2586 struct nft_expr *expr, *last;
2587 const struct nft_data *data;
2588 struct nft_rule *rule;
2591 if (ctx->level == NFT_JUMP_STACK_SIZE)
2594 list_for_each_entry(rule, &chain->rules, list) {
2595 if (!nft_is_active_next(ctx->net, rule))
2598 nft_rule_for_each_expr(expr, last, rule) {
2599 if (!expr->ops->validate)
2602 err = expr->ops->validate(ctx, expr, &data);
2610 EXPORT_SYMBOL_GPL(nft_chain_validate);
2612 static int nft_table_validate(struct net *net, const struct nft_table *table)
2614 struct nft_chain *chain;
2615 struct nft_ctx ctx = {
2617 .family = table->family,
2621 list_for_each_entry(chain, &table->chains, list) {
2622 if (!nft_is_base_chain(chain))
2626 err = nft_chain_validate(&ctx, chain);
2634 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2635 const struct nlattr *nla);
2637 #define NFT_RULE_MAXEXPRS 128
2639 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2640 struct sk_buff *skb, const struct nlmsghdr *nlh,
2641 const struct nlattr * const nla[],
2642 struct netlink_ext_ack *extack)
2644 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2645 u8 genmask = nft_genmask_next(net);
2646 struct nft_expr_info *info = NULL;
2647 int family = nfmsg->nfgen_family;
2648 struct nft_table *table;
2649 struct nft_chain *chain;
2650 struct nft_rule *rule, *old_rule = NULL;
2651 struct nft_userdata *udata;
2652 struct nft_trans *trans = NULL;
2653 struct nft_expr *expr;
2656 unsigned int size, i, n, ulen = 0, usize = 0;
2658 u64 handle, pos_handle;
2660 lockdep_assert_held(&net->nft.commit_mutex);
2662 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2663 if (IS_ERR(table)) {
2664 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2665 return PTR_ERR(table);
2668 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2669 if (IS_ERR(chain)) {
2670 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2671 return PTR_ERR(chain);
2674 if (nla[NFTA_RULE_HANDLE]) {
2675 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2676 rule = __nft_rule_lookup(chain, handle);
2678 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2679 return PTR_ERR(rule);
2682 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2683 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2686 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2691 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2692 nlh->nlmsg_flags & NLM_F_REPLACE)
2694 handle = nf_tables_alloc_handle(table);
2696 if (chain->use == UINT_MAX)
2699 if (nla[NFTA_RULE_POSITION]) {
2700 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2701 old_rule = __nft_rule_lookup(chain, pos_handle);
2702 if (IS_ERR(old_rule)) {
2703 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2704 return PTR_ERR(old_rule);
2706 } else if (nla[NFTA_RULE_POSITION_ID]) {
2707 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
2708 if (IS_ERR(old_rule)) {
2709 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2710 return PTR_ERR(old_rule);
2715 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2719 if (nla[NFTA_RULE_EXPRESSIONS]) {
2720 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2721 sizeof(struct nft_expr_info),
2726 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2728 if (nla_type(tmp) != NFTA_LIST_ELEM)
2730 if (n == NFT_RULE_MAXEXPRS)
2732 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2735 size += info[n].ops->size;
2739 /* Check for overflow of dlen field */
2741 if (size >= 1 << 12)
2744 if (nla[NFTA_RULE_USERDATA]) {
2745 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2747 usize = sizeof(struct nft_userdata) + ulen;
2751 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2755 nft_activate_next(net, rule);
2757 rule->handle = handle;
2759 rule->udata = ulen ? 1 : 0;
2762 udata = nft_userdata(rule);
2763 udata->len = ulen - 1;
2764 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2767 expr = nft_expr_first(rule);
2768 for (i = 0; i < n; i++) {
2769 err = nf_tables_newexpr(&ctx, &info[i], expr);
2773 if (info[i].ops->validate)
2774 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2777 expr = nft_expr_next(expr);
2780 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2781 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2782 if (trans == NULL) {
2786 err = nft_delrule(&ctx, old_rule);
2788 nft_trans_destroy(trans);
2792 list_add_tail_rcu(&rule->list, &old_rule->list);
2794 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2799 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2801 list_add_rcu(&rule->list, &old_rule->list);
2803 list_add_tail_rcu(&rule->list, &chain->rules);
2806 list_add_tail_rcu(&rule->list, &old_rule->list);
2808 list_add_rcu(&rule->list, &chain->rules);
2814 if (net->nft.validate_state == NFT_VALIDATE_DO)
2815 return nft_table_validate(net, table);
2819 nf_tables_rule_release(&ctx, rule);
2821 for (i = 0; i < n; i++) {
2823 module_put(info[i].ops->type->owner);
2824 if (info[i].ops->type->release_ops)
2825 info[i].ops->type->release_ops(info[i].ops);
2832 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2833 const struct nlattr *nla)
2835 u32 id = ntohl(nla_get_be32(nla));
2836 struct nft_trans *trans;
2838 list_for_each_entry(trans, &net->nft.commit_list, list) {
2839 struct nft_rule *rule = nft_trans_rule(trans);
2841 if (trans->msg_type == NFT_MSG_NEWRULE &&
2842 id == nft_trans_rule_id(trans))
2845 return ERR_PTR(-ENOENT);
2848 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2849 struct sk_buff *skb, const struct nlmsghdr *nlh,
2850 const struct nlattr * const nla[],
2851 struct netlink_ext_ack *extack)
2853 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2854 u8 genmask = nft_genmask_next(net);
2855 struct nft_table *table;
2856 struct nft_chain *chain = NULL;
2857 struct nft_rule *rule;
2858 int family = nfmsg->nfgen_family, err = 0;
2861 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2862 if (IS_ERR(table)) {
2863 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2864 return PTR_ERR(table);
2867 if (nla[NFTA_RULE_CHAIN]) {
2868 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2870 if (IS_ERR(chain)) {
2871 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2872 return PTR_ERR(chain);
2876 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2879 if (nla[NFTA_RULE_HANDLE]) {
2880 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2882 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2883 return PTR_ERR(rule);
2886 err = nft_delrule(&ctx, rule);
2887 } else if (nla[NFTA_RULE_ID]) {
2888 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2890 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2891 return PTR_ERR(rule);
2894 err = nft_delrule(&ctx, rule);
2896 err = nft_delrule_by_chain(&ctx);
2899 list_for_each_entry(chain, &table->chains, list) {
2900 if (!nft_is_active_next(net, chain))
2904 err = nft_delrule_by_chain(&ctx);
2917 static LIST_HEAD(nf_tables_set_types);
2919 int nft_register_set(struct nft_set_type *type)
2921 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2922 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2923 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2926 EXPORT_SYMBOL_GPL(nft_register_set);
2928 void nft_unregister_set(struct nft_set_type *type)
2930 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2931 list_del_rcu(&type->list);
2932 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2934 EXPORT_SYMBOL_GPL(nft_unregister_set);
2936 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2937 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2940 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2942 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2946 * Select a set implementation based on the data characteristics and the
2947 * given policy. The total memory use might not be known if no size is
2948 * given, in that case the amount of memory per element is used.
2950 static const struct nft_set_ops *
2951 nft_select_set_ops(const struct nft_ctx *ctx,
2952 const struct nlattr * const nla[],
2953 const struct nft_set_desc *desc,
2954 enum nft_set_policies policy)
2956 const struct nft_set_ops *ops, *bops;
2957 struct nft_set_estimate est, best;
2958 const struct nft_set_type *type;
2961 lockdep_assert_held(&ctx->net->nft.commit_mutex);
2962 lockdep_nfnl_nft_mutex_not_held();
2963 #ifdef CONFIG_MODULES
2964 if (list_empty(&nf_tables_set_types)) {
2965 nft_request_module(ctx->net, "nft-set");
2966 if (!list_empty(&nf_tables_set_types))
2967 return ERR_PTR(-EAGAIN);
2970 if (nla[NFTA_SET_FLAGS] != NULL)
2971 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2978 list_for_each_entry(type, &nf_tables_set_types, list) {
2981 if (!nft_set_ops_candidate(type, flags))
2983 if (!ops->estimate(desc, flags, &est))
2987 case NFT_SET_POL_PERFORMANCE:
2988 if (est.lookup < best.lookup)
2990 if (est.lookup == best.lookup &&
2991 est.space < best.space)
2994 case NFT_SET_POL_MEMORY:
2996 if (est.space < best.space)
2998 if (est.space == best.space &&
2999 est.lookup < best.lookup)
3001 } else if (est.size < best.size || !bops) {
3009 if (!try_module_get(type->owner))
3012 module_put(to_set_type(bops)->owner);
3021 return ERR_PTR(-EOPNOTSUPP);
3024 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3025 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3026 .len = NFT_TABLE_MAXNAMELEN - 1 },
3027 [NFTA_SET_NAME] = { .type = NLA_STRING,
3028 .len = NFT_SET_MAXNAMELEN - 1 },
3029 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3030 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3031 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3032 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3033 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3034 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3035 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3036 [NFTA_SET_ID] = { .type = NLA_U32 },
3037 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3038 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3039 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3040 .len = NFT_USERDATA_MAXLEN },
3041 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3042 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3045 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3046 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3049 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3050 const struct sk_buff *skb,
3051 const struct nlmsghdr *nlh,
3052 const struct nlattr * const nla[],
3053 struct netlink_ext_ack *extack,
3056 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3057 int family = nfmsg->nfgen_family;
3058 struct nft_table *table = NULL;
3060 if (nla[NFTA_SET_TABLE] != NULL) {
3061 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3063 if (IS_ERR(table)) {
3064 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3065 return PTR_ERR(table);
3069 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3073 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3074 const struct nlattr *nla, u8 genmask)
3076 struct nft_set *set;
3079 return ERR_PTR(-EINVAL);
3081 list_for_each_entry_rcu(set, &table->sets, list) {
3082 if (!nla_strcmp(nla, set->name) &&
3083 nft_active_genmask(set, genmask))
3086 return ERR_PTR(-ENOENT);
3089 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3090 const struct nlattr *nla,
3093 struct nft_set *set;
3095 list_for_each_entry(set, &table->sets, list) {
3096 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3097 nft_active_genmask(set, genmask))
3100 return ERR_PTR(-ENOENT);
3103 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3104 const struct nlattr *nla, u8 genmask)
3106 struct nft_trans *trans;
3107 u32 id = ntohl(nla_get_be32(nla));
3109 list_for_each_entry(trans, &net->nft.commit_list, list) {
3110 if (trans->msg_type == NFT_MSG_NEWSET) {
3111 struct nft_set *set = nft_trans_set(trans);
3113 if (id == nft_trans_set_id(trans) &&
3114 nft_active_genmask(set, genmask))
3118 return ERR_PTR(-ENOENT);
3121 struct nft_set *nft_set_lookup_global(const struct net *net,
3122 const struct nft_table *table,
3123 const struct nlattr *nla_set_name,
3124 const struct nlattr *nla_set_id,
3127 struct nft_set *set;
3129 set = nft_set_lookup(table, nla_set_name, genmask);
3134 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3138 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3140 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3143 const struct nft_set *i;
3145 unsigned long *inuse;
3146 unsigned int n = 0, min = 0;
3148 p = strchr(name, '%');
3150 if (p[1] != 'd' || strchr(p + 2, '%'))
3153 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3157 list_for_each_entry(i, &ctx->table->sets, list) {
3160 if (!nft_is_active_next(ctx->net, set))
3162 if (!sscanf(i->name, name, &tmp))
3164 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3167 set_bit(tmp - min, inuse);
3170 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3171 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3172 min += BITS_PER_BYTE * PAGE_SIZE;
3173 memset(inuse, 0, PAGE_SIZE);
3176 free_page((unsigned long)inuse);
3179 set->name = kasprintf(GFP_KERNEL, name, min + n);
3183 list_for_each_entry(i, &ctx->table->sets, list) {
3184 if (!nft_is_active_next(ctx->net, i))
3186 if (!strcmp(set->name, i->name)) {
3194 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3196 u64 ms = be64_to_cpu(nla_get_be64(nla));
3197 u64 max = (u64)(~((u64)0));
3199 max = div_u64(max, NSEC_PER_MSEC);
3203 ms *= NSEC_PER_MSEC;
3204 *result = nsecs_to_jiffies64(ms);
3208 static __be64 nf_jiffies64_to_msecs(u64 input)
3210 return cpu_to_be64(jiffies64_to_msecs(input));
3213 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3214 const struct nft_set *set, u16 event, u16 flags)
3216 struct nfgenmsg *nfmsg;
3217 struct nlmsghdr *nlh;
3218 struct nlattr *desc;
3219 u32 portid = ctx->portid;
3222 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3223 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3226 goto nla_put_failure;
3228 nfmsg = nlmsg_data(nlh);
3229 nfmsg->nfgen_family = ctx->family;
3230 nfmsg->version = NFNETLINK_V0;
3231 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3233 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3234 goto nla_put_failure;
3235 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3236 goto nla_put_failure;
3237 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3239 goto nla_put_failure;
3240 if (set->flags != 0)
3241 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3242 goto nla_put_failure;
3244 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3245 goto nla_put_failure;
3246 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3247 goto nla_put_failure;
3248 if (set->flags & NFT_SET_MAP) {
3249 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3250 goto nla_put_failure;
3251 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3252 goto nla_put_failure;
3254 if (set->flags & NFT_SET_OBJECT &&
3255 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3256 goto nla_put_failure;
3259 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3260 nf_jiffies64_to_msecs(set->timeout),
3262 goto nla_put_failure;
3264 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3265 goto nla_put_failure;
3267 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3268 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3269 goto nla_put_failure;
3272 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3273 goto nla_put_failure;
3275 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3277 goto nla_put_failure;
3279 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3280 goto nla_put_failure;
3281 nla_nest_end(skb, desc);
3283 nlmsg_end(skb, nlh);
3287 nlmsg_trim(skb, nlh);
3291 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3292 const struct nft_set *set, int event,
3295 struct sk_buff *skb;
3296 u32 portid = ctx->portid;
3300 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3303 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3307 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3313 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3317 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3320 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3322 const struct nft_set *set;
3323 unsigned int idx, s_idx = cb->args[0];
3324 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3325 struct net *net = sock_net(skb->sk);
3326 struct nft_ctx *ctx = cb->data, ctx_set;
3332 cb->seq = net->nft.base_seq;
3334 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3335 if (ctx->family != NFPROTO_UNSPEC &&
3336 ctx->family != table->family)
3339 if (ctx->table && ctx->table != table)
3343 if (cur_table != table)
3349 list_for_each_entry_rcu(set, &table->sets, list) {
3352 if (!nft_is_active(net, set))
3356 ctx_set.table = table;
3357 ctx_set.family = table->family;
3359 if (nf_tables_fill_set(skb, &ctx_set, set,
3363 cb->args[2] = (unsigned long) table;
3366 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3379 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3381 struct nft_ctx *ctx_dump = NULL;
3383 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3384 if (ctx_dump == NULL)
3387 cb->data = ctx_dump;
3391 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3397 /* called with rcu_read_lock held */
3398 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3399 struct sk_buff *skb, const struct nlmsghdr *nlh,
3400 const struct nlattr * const nla[],
3401 struct netlink_ext_ack *extack)
3403 u8 genmask = nft_genmask_cur(net);
3404 const struct nft_set *set;
3406 struct sk_buff *skb2;
3407 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3410 /* Verify existence before starting dump */
3411 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3416 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3417 struct netlink_dump_control c = {
3418 .start = nf_tables_dump_sets_start,
3419 .dump = nf_tables_dump_sets,
3420 .done = nf_tables_dump_sets_done,
3422 .module = THIS_MODULE,
3425 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3428 /* Only accept unspec with dump */
3429 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3430 return -EAFNOSUPPORT;
3431 if (!nla[NFTA_SET_TABLE])
3434 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3436 return PTR_ERR(set);
3438 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3442 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3446 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3453 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3454 const struct nlattr *nla)
3456 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3459 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3460 nft_set_desc_policy, NULL);
3464 if (da[NFTA_SET_DESC_SIZE] != NULL)
3465 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3470 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3471 struct sk_buff *skb, const struct nlmsghdr *nlh,
3472 const struct nlattr * const nla[],
3473 struct netlink_ext_ack *extack)
3475 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3476 u8 genmask = nft_genmask_next(net);
3477 int family = nfmsg->nfgen_family;
3478 const struct nft_set_ops *ops;
3479 struct nft_table *table;
3480 struct nft_set *set;
3485 u32 ktype, dtype, flags, policy, gc_int, objtype;
3486 struct nft_set_desc desc;
3487 unsigned char *udata;
3491 if (nla[NFTA_SET_TABLE] == NULL ||
3492 nla[NFTA_SET_NAME] == NULL ||
3493 nla[NFTA_SET_KEY_LEN] == NULL ||
3494 nla[NFTA_SET_ID] == NULL)
3497 memset(&desc, 0, sizeof(desc));
3499 ktype = NFT_DATA_VALUE;
3500 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3501 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3502 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3506 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3507 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3511 if (nla[NFTA_SET_FLAGS] != NULL) {
3512 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3513 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3514 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3515 NFT_SET_MAP | NFT_SET_EVAL |
3518 /* Only one of these operations is supported */
3519 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3520 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3525 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3526 if (!(flags & NFT_SET_MAP))
3529 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3530 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3531 dtype != NFT_DATA_VERDICT)
3534 if (dtype != NFT_DATA_VERDICT) {
3535 if (nla[NFTA_SET_DATA_LEN] == NULL)
3537 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3538 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3541 desc.dlen = sizeof(struct nft_verdict);
3542 } else if (flags & NFT_SET_MAP)
3545 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3546 if (!(flags & NFT_SET_OBJECT))
3549 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3550 if (objtype == NFT_OBJECT_UNSPEC ||
3551 objtype > NFT_OBJECT_MAX)
3553 } else if (flags & NFT_SET_OBJECT)
3556 objtype = NFT_OBJECT_UNSPEC;
3559 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3560 if (!(flags & NFT_SET_TIMEOUT))
3563 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3568 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3569 if (!(flags & NFT_SET_TIMEOUT))
3571 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3574 policy = NFT_SET_POL_PERFORMANCE;
3575 if (nla[NFTA_SET_POLICY] != NULL)
3576 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3578 if (nla[NFTA_SET_DESC] != NULL) {
3579 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3584 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3585 if (IS_ERR(table)) {
3586 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3587 return PTR_ERR(table);
3590 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3592 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3594 if (PTR_ERR(set) != -ENOENT) {
3595 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3596 return PTR_ERR(set);
3599 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3600 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3603 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3609 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3612 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3614 return PTR_ERR(ops);
3617 if (nla[NFTA_SET_USERDATA])
3618 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3621 if (ops->privsize != NULL)
3622 size = ops->privsize(nla, &desc);
3624 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3630 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3636 err = nf_tables_set_alloc_name(&ctx, set, name);
3643 udata = set->data + size;
3644 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3647 INIT_LIST_HEAD(&set->bindings);
3649 write_pnet(&set->net, net);
3652 set->klen = desc.klen;
3654 set->objtype = objtype;
3655 set->dlen = desc.dlen;
3657 set->size = desc.size;
3658 set->policy = policy;
3661 set->timeout = timeout;
3662 set->gc_int = gc_int;
3663 set->handle = nf_tables_alloc_handle(table);
3665 err = ops->init(set, &desc, nla);
3669 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3673 list_add_tail_rcu(&set->list, &table->sets);
3684 module_put(to_set_type(ops)->owner);
3688 static void nft_set_destroy(struct nft_set *set)
3690 if (WARN_ON(set->use > 0))
3693 set->ops->destroy(set);
3694 module_put(to_set_type(set->ops)->owner);
3699 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3700 struct sk_buff *skb, const struct nlmsghdr *nlh,
3701 const struct nlattr * const nla[],
3702 struct netlink_ext_ack *extack)
3704 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3705 u8 genmask = nft_genmask_next(net);
3706 const struct nlattr *attr;
3707 struct nft_set *set;
3711 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3712 return -EAFNOSUPPORT;
3713 if (nla[NFTA_SET_TABLE] == NULL)
3716 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3721 if (nla[NFTA_SET_HANDLE]) {
3722 attr = nla[NFTA_SET_HANDLE];
3723 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3725 attr = nla[NFTA_SET_NAME];
3726 set = nft_set_lookup(ctx.table, attr, genmask);
3730 NL_SET_BAD_ATTR(extack, attr);
3731 return PTR_ERR(set);
3734 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3735 NL_SET_BAD_ATTR(extack, attr);
3739 return nft_delset(&ctx, set);
3742 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3743 struct nft_set *set,
3744 const struct nft_set_iter *iter,
3745 struct nft_set_elem *elem)
3747 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3748 enum nft_registers dreg;
3750 dreg = nft_type_to_reg(set->dtype);
3751 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3752 set->dtype == NFT_DATA_VERDICT ?
3753 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3757 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3758 struct nft_set_binding *binding)
3760 struct nft_set_binding *i;
3761 struct nft_set_iter iter;
3763 if (set->use == UINT_MAX)
3766 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3769 if (binding->flags & NFT_SET_MAP) {
3770 /* If the set is already bound to the same chain all
3771 * jumps are already validated for that chain.
3773 list_for_each_entry(i, &set->bindings, list) {
3774 if (i->flags & NFT_SET_MAP &&
3775 i->chain == binding->chain)
3779 iter.genmask = nft_genmask_next(ctx->net);
3783 iter.fn = nf_tables_bind_check_setelem;
3785 set->ops->walk(ctx, set, &iter);
3790 binding->chain = ctx->chain;
3791 list_add_tail_rcu(&binding->list, &set->bindings);
3792 nft_set_trans_bind(ctx, set);
3797 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3799 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3800 struct nft_set_binding *binding, bool event)
3802 list_del_rcu(&binding->list);
3804 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3805 list_del_rcu(&set->list);
3807 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3812 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3813 struct nft_set_binding *binding,
3814 enum nft_trans_phase phase)
3817 case NFT_TRANS_PREPARE:
3820 case NFT_TRANS_ABORT:
3821 case NFT_TRANS_RELEASE:
3825 nf_tables_unbind_set(ctx, set, binding,
3826 phase == NFT_TRANS_COMMIT);
3829 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3831 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3833 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3834 nft_set_destroy(set);
3836 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3838 const struct nft_set_ext_type nft_set_ext_types[] = {
3839 [NFT_SET_EXT_KEY] = {
3840 .align = __alignof__(u32),
3842 [NFT_SET_EXT_DATA] = {
3843 .align = __alignof__(u32),
3845 [NFT_SET_EXT_EXPR] = {
3846 .align = __alignof__(struct nft_expr),
3848 [NFT_SET_EXT_OBJREF] = {
3849 .len = sizeof(struct nft_object *),
3850 .align = __alignof__(struct nft_object *),
3852 [NFT_SET_EXT_FLAGS] = {
3854 .align = __alignof__(u8),
3856 [NFT_SET_EXT_TIMEOUT] = {
3858 .align = __alignof__(u64),
3860 [NFT_SET_EXT_EXPIRATION] = {
3862 .align = __alignof__(u64),
3864 [NFT_SET_EXT_USERDATA] = {
3865 .len = sizeof(struct nft_userdata),
3866 .align = __alignof__(struct nft_userdata),
3869 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3875 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3876 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3877 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3878 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3879 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3880 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3881 .len = NFT_USERDATA_MAXLEN },
3882 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3883 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3886 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3887 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3888 .len = NFT_TABLE_MAXNAMELEN - 1 },
3889 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3890 .len = NFT_SET_MAXNAMELEN - 1 },
3891 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3892 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3895 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3896 const struct sk_buff *skb,
3897 const struct nlmsghdr *nlh,
3898 const struct nlattr * const nla[],
3899 struct netlink_ext_ack *extack,
3902 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3903 int family = nfmsg->nfgen_family;
3904 struct nft_table *table;
3906 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3908 if (IS_ERR(table)) {
3909 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3910 return PTR_ERR(table);
3913 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3917 static int nf_tables_fill_setelem(struct sk_buff *skb,
3918 const struct nft_set *set,
3919 const struct nft_set_elem *elem)
3921 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3922 unsigned char *b = skb_tail_pointer(skb);
3923 struct nlattr *nest;
3925 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3927 goto nla_put_failure;
3929 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3930 NFT_DATA_VALUE, set->klen) < 0)
3931 goto nla_put_failure;
3933 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3934 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3935 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3937 goto nla_put_failure;
3939 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3940 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3941 goto nla_put_failure;
3943 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3944 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3945 (*nft_set_ext_obj(ext))->key.name) < 0)
3946 goto nla_put_failure;
3948 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3949 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3950 htonl(*nft_set_ext_flags(ext))))
3951 goto nla_put_failure;
3953 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3954 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3955 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3957 goto nla_put_failure;
3959 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3960 u64 expires, now = get_jiffies_64();
3962 expires = *nft_set_ext_expiration(ext);
3963 if (time_before64(now, expires))
3968 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3969 nf_jiffies64_to_msecs(expires),
3971 goto nla_put_failure;
3974 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3975 struct nft_userdata *udata;
3977 udata = nft_set_ext_userdata(ext);
3978 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3979 udata->len + 1, udata->data))
3980 goto nla_put_failure;
3983 nla_nest_end(skb, nest);
3991 struct nft_set_dump_args {
3992 const struct netlink_callback *cb;
3993 struct nft_set_iter iter;
3994 struct sk_buff *skb;
3997 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3998 struct nft_set *set,
3999 const struct nft_set_iter *iter,
4000 struct nft_set_elem *elem)
4002 struct nft_set_dump_args *args;
4004 args = container_of(iter, struct nft_set_dump_args, iter);
4005 return nf_tables_fill_setelem(args->skb, set, elem);
4008 struct nft_set_dump_ctx {
4009 const struct nft_set *set;
4013 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4015 struct nft_set_dump_ctx *dump_ctx = cb->data;
4016 struct net *net = sock_net(skb->sk);
4017 struct nft_table *table;
4018 struct nft_set *set;
4019 struct nft_set_dump_args args;
4020 bool set_found = false;
4021 struct nfgenmsg *nfmsg;
4022 struct nlmsghdr *nlh;
4023 struct nlattr *nest;
4028 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4029 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4030 dump_ctx->ctx.family != table->family)
4033 if (table != dump_ctx->ctx.table)
4036 list_for_each_entry_rcu(set, &table->sets, list) {
4037 if (set == dump_ctx->set) {
4050 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4051 portid = NETLINK_CB(cb->skb).portid;
4052 seq = cb->nlh->nlmsg_seq;
4054 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4057 goto nla_put_failure;
4059 nfmsg = nlmsg_data(nlh);
4060 nfmsg->nfgen_family = table->family;
4061 nfmsg->version = NFNETLINK_V0;
4062 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4064 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4065 goto nla_put_failure;
4066 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4067 goto nla_put_failure;
4069 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4071 goto nla_put_failure;
4075 args.iter.genmask = nft_genmask_cur(net);
4076 args.iter.skip = cb->args[0];
4077 args.iter.count = 0;
4079 args.iter.fn = nf_tables_dump_setelem;
4080 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4083 nla_nest_end(skb, nest);
4084 nlmsg_end(skb, nlh);
4086 if (args.iter.err && args.iter.err != -EMSGSIZE)
4087 return args.iter.err;
4088 if (args.iter.count == cb->args[0])
4091 cb->args[0] = args.iter.count;
4099 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4101 struct nft_set_dump_ctx *dump_ctx = cb->data;
4103 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4105 return cb->data ? 0 : -ENOMEM;
4108 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4114 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4115 const struct nft_ctx *ctx, u32 seq,
4116 u32 portid, int event, u16 flags,
4117 const struct nft_set *set,
4118 const struct nft_set_elem *elem)
4120 struct nfgenmsg *nfmsg;
4121 struct nlmsghdr *nlh;
4122 struct nlattr *nest;
4125 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4126 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4129 goto nla_put_failure;
4131 nfmsg = nlmsg_data(nlh);
4132 nfmsg->nfgen_family = ctx->family;
4133 nfmsg->version = NFNETLINK_V0;
4134 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4136 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4137 goto nla_put_failure;
4138 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4139 goto nla_put_failure;
4141 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4143 goto nla_put_failure;
4145 err = nf_tables_fill_setelem(skb, set, elem);
4147 goto nla_put_failure;
4149 nla_nest_end(skb, nest);
4151 nlmsg_end(skb, nlh);
4155 nlmsg_trim(skb, nlh);
4159 static int nft_setelem_parse_flags(const struct nft_set *set,
4160 const struct nlattr *attr, u32 *flags)
4165 *flags = ntohl(nla_get_be32(attr));
4166 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4168 if (!(set->flags & NFT_SET_INTERVAL) &&
4169 *flags & NFT_SET_ELEM_INTERVAL_END)
4175 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4176 const struct nlattr *attr)
4178 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4179 struct nft_data_desc desc;
4180 struct nft_set_elem elem;
4181 struct sk_buff *skb;
4186 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4187 nft_set_elem_policy, NULL);
4191 if (!nla[NFTA_SET_ELEM_KEY])
4194 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4198 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4199 nla[NFTA_SET_ELEM_KEY]);
4204 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4207 priv = set->ops->get(ctx->net, set, &elem, flags);
4209 return PTR_ERR(priv);
4214 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4218 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4219 NFT_MSG_NEWSETELEM, 0, set, &elem);
4223 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4224 /* This avoids a loop in nfnetlink. */
4232 /* this avoids a loop in nfnetlink. */
4233 return err == -EAGAIN ? -ENOBUFS : err;
4236 /* called with rcu_read_lock held */
4237 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4238 struct sk_buff *skb, const struct nlmsghdr *nlh,
4239 const struct nlattr * const nla[],
4240 struct netlink_ext_ack *extack)
4242 u8 genmask = nft_genmask_cur(net);
4243 struct nft_set *set;
4244 struct nlattr *attr;
4248 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4253 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4255 return PTR_ERR(set);
4257 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4258 struct netlink_dump_control c = {
4259 .start = nf_tables_dump_set_start,
4260 .dump = nf_tables_dump_set,
4261 .done = nf_tables_dump_set_done,
4262 .module = THIS_MODULE,
4264 struct nft_set_dump_ctx dump_ctx = {
4270 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4273 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4276 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4277 err = nft_get_set_elem(&ctx, set, attr);
4285 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4286 const struct nft_set *set,
4287 const struct nft_set_elem *elem,
4288 int event, u16 flags)
4290 struct net *net = ctx->net;
4291 u32 portid = ctx->portid;
4292 struct sk_buff *skb;
4295 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4298 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4302 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4309 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4313 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4316 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4318 struct nft_set *set)
4320 struct nft_trans *trans;
4322 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4326 nft_trans_elem_set(trans) = set;
4330 void *nft_set_elem_init(const struct nft_set *set,
4331 const struct nft_set_ext_tmpl *tmpl,
4332 const u32 *key, const u32 *data,
4333 u64 timeout, gfp_t gfp)
4335 struct nft_set_ext *ext;
4338 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4342 ext = nft_set_elem_ext(set, elem);
4343 nft_set_ext_init(ext, tmpl);
4345 memcpy(nft_set_ext_key(ext), key, set->klen);
4346 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4347 memcpy(nft_set_ext_data(ext), data, set->dlen);
4348 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4349 *nft_set_ext_expiration(ext) =
4350 get_jiffies_64() + timeout;
4351 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4352 *nft_set_ext_timeout(ext) = timeout;
4357 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4360 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4361 struct nft_ctx ctx = {
4362 .net = read_pnet(&set->net),
4363 .family = set->table->family,
4366 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4367 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4368 nft_data_release(nft_set_ext_data(ext), set->dtype);
4369 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4370 struct nft_expr *expr = nft_set_ext_expr(ext);
4372 if (expr->ops->destroy_clone) {
4373 expr->ops->destroy_clone(&ctx, expr);
4374 module_put(expr->ops->type->owner);
4376 nf_tables_expr_destroy(&ctx, expr);
4379 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4380 (*nft_set_ext_obj(ext))->use--;
4383 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4385 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4386 * the refcounting from the preparation phase.
4388 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4389 const struct nft_set *set, void *elem)
4391 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4393 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4394 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4398 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4399 const struct nlattr *attr, u32 nlmsg_flags)
4401 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4402 u8 genmask = nft_genmask_next(ctx->net);
4403 struct nft_data_desc d1, d2;
4404 struct nft_set_ext_tmpl tmpl;
4405 struct nft_set_ext *ext, *ext2;
4406 struct nft_set_elem elem;
4407 struct nft_set_binding *binding;
4408 struct nft_object *obj = NULL;
4409 struct nft_userdata *udata;
4410 struct nft_data data;
4411 enum nft_registers dreg;
4412 struct nft_trans *trans;
4418 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4419 nft_set_elem_policy, NULL);
4423 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4426 nft_set_ext_prepare(&tmpl);
4428 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4432 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4434 if (set->flags & NFT_SET_MAP) {
4435 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4436 !(flags & NFT_SET_ELEM_INTERVAL_END))
4438 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4439 flags & NFT_SET_ELEM_INTERVAL_END)
4442 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4447 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4448 if (!(set->flags & NFT_SET_TIMEOUT))
4450 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4454 } else if (set->flags & NFT_SET_TIMEOUT) {
4455 timeout = set->timeout;
4458 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4459 nla[NFTA_SET_ELEM_KEY]);
4463 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4466 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4468 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4469 if (timeout != set->timeout)
4470 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4473 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4474 if (!(set->flags & NFT_SET_OBJECT)) {
4478 obj = nft_obj_lookup(ctx->net, ctx->table,
4479 nla[NFTA_SET_ELEM_OBJREF],
4480 set->objtype, genmask);
4485 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4488 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4489 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4490 nla[NFTA_SET_ELEM_DATA]);
4495 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4498 dreg = nft_type_to_reg(set->dtype);
4499 list_for_each_entry(binding, &set->bindings, list) {
4500 struct nft_ctx bind_ctx = {
4502 .family = ctx->family,
4503 .table = ctx->table,
4504 .chain = (struct nft_chain *)binding->chain,
4507 if (!(binding->flags & NFT_SET_MAP))
4510 err = nft_validate_register_store(&bind_ctx, dreg,
4516 if (d2.type == NFT_DATA_VERDICT &&
4517 (data.verdict.code == NFT_GOTO ||
4518 data.verdict.code == NFT_JUMP))
4519 nft_validate_state_update(ctx->net,
4523 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4526 /* The full maximum length of userdata can exceed the maximum
4527 * offset value (U8_MAX) for following extensions, therefor it
4528 * must be the last extension added.
4531 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4532 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4534 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4539 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4540 timeout, GFP_KERNEL);
4541 if (elem.priv == NULL)
4544 ext = nft_set_elem_ext(set, elem.priv);
4546 *nft_set_ext_flags(ext) = flags;
4548 udata = nft_set_ext_userdata(ext);
4549 udata->len = ulen - 1;
4550 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4553 *nft_set_ext_obj(ext) = obj;
4557 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4561 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4562 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4564 if (err == -EEXIST) {
4565 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4566 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4567 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4568 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4572 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4573 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4574 memcmp(nft_set_ext_data(ext),
4575 nft_set_ext_data(ext2), set->dlen) != 0) ||
4576 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4577 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4578 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4580 else if (!(nlmsg_flags & NLM_F_EXCL))
4587 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4592 nft_trans_elem(trans) = elem;
4593 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4597 set->ops->remove(ctx->net, set, &elem);
4605 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4606 nft_data_release(&data, d2.type);
4608 nft_data_release(&elem.key.val, d1.type);
4613 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4614 struct sk_buff *skb, const struct nlmsghdr *nlh,
4615 const struct nlattr * const nla[],
4616 struct netlink_ext_ack *extack)
4618 u8 genmask = nft_genmask_next(net);
4619 const struct nlattr *attr;
4620 struct nft_set *set;
4624 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4627 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4632 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4633 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4635 return PTR_ERR(set);
4637 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4640 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4641 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4646 if (net->nft.validate_state == NFT_VALIDATE_DO)
4647 return nft_table_validate(net, ctx.table);
4653 * nft_data_hold - hold a nft_data item
4655 * @data: struct nft_data to release
4656 * @type: type of data
4658 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4659 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4660 * NFT_GOTO verdicts. This function must be called on active data objects
4661 * from the second phase of the commit protocol.
4663 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4665 if (type == NFT_DATA_VERDICT) {
4666 switch (data->verdict.code) {
4669 data->verdict.chain->use++;
4675 static void nft_set_elem_activate(const struct net *net,
4676 const struct nft_set *set,
4677 struct nft_set_elem *elem)
4679 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4681 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4682 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4683 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4684 (*nft_set_ext_obj(ext))->use++;
4687 static void nft_set_elem_deactivate(const struct net *net,
4688 const struct nft_set *set,
4689 struct nft_set_elem *elem)
4691 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4693 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4694 nft_data_release(nft_set_ext_data(ext), set->dtype);
4695 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4696 (*nft_set_ext_obj(ext))->use--;
4699 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4700 const struct nlattr *attr)
4702 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4703 struct nft_set_ext_tmpl tmpl;
4704 struct nft_data_desc desc;
4705 struct nft_set_elem elem;
4706 struct nft_set_ext *ext;
4707 struct nft_trans *trans;
4712 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4713 nft_set_elem_policy, NULL);
4718 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4721 nft_set_ext_prepare(&tmpl);
4723 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4727 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4729 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4730 nla[NFTA_SET_ELEM_KEY]);
4735 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4738 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4741 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4743 if (elem.priv == NULL)
4746 ext = nft_set_elem_ext(set, elem.priv);
4748 *nft_set_ext_flags(ext) = flags;
4750 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4751 if (trans == NULL) {
4756 priv = set->ops->deactivate(ctx->net, set, &elem);
4764 nft_set_elem_deactivate(ctx->net, set, &elem);
4766 nft_trans_elem(trans) = elem;
4767 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4775 nft_data_release(&elem.key.val, desc.type);
4780 static int nft_flush_set(const struct nft_ctx *ctx,
4781 struct nft_set *set,
4782 const struct nft_set_iter *iter,
4783 struct nft_set_elem *elem)
4785 struct nft_trans *trans;
4788 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4789 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4793 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4799 nft_set_elem_deactivate(ctx->net, set, elem);
4800 nft_trans_elem_set(trans) = set;
4801 nft_trans_elem(trans) = *elem;
4802 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4810 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4811 struct sk_buff *skb, const struct nlmsghdr *nlh,
4812 const struct nlattr * const nla[],
4813 struct netlink_ext_ack *extack)
4815 u8 genmask = nft_genmask_next(net);
4816 const struct nlattr *attr;
4817 struct nft_set *set;
4821 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4826 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4828 return PTR_ERR(set);
4829 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4832 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4833 struct nft_set_iter iter = {
4835 .fn = nft_flush_set,
4837 set->ops->walk(&ctx, set, &iter);
4842 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4843 err = nft_del_setelem(&ctx, set, attr);
4852 void nft_set_gc_batch_release(struct rcu_head *rcu)
4854 struct nft_set_gc_batch *gcb;
4857 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4858 for (i = 0; i < gcb->head.cnt; i++)
4859 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4862 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4864 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4867 struct nft_set_gc_batch *gcb;
4869 gcb = kzalloc(sizeof(*gcb), gfp);
4872 gcb->head.set = set;
4875 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4882 * nft_register_obj- register nf_tables stateful object type
4885 * Registers the object type for use with nf_tables. Returns zero on
4886 * success or a negative errno code otherwise.
4888 int nft_register_obj(struct nft_object_type *obj_type)
4890 if (obj_type->type == NFT_OBJECT_UNSPEC)
4893 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4894 list_add_rcu(&obj_type->list, &nf_tables_objects);
4895 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4898 EXPORT_SYMBOL_GPL(nft_register_obj);
4901 * nft_unregister_obj - unregister nf_tables object type
4904 * Unregisters the object type for use with nf_tables.
4906 void nft_unregister_obj(struct nft_object_type *obj_type)
4908 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4909 list_del_rcu(&obj_type->list);
4910 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4912 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4914 struct nft_object *nft_obj_lookup(const struct net *net,
4915 const struct nft_table *table,
4916 const struct nlattr *nla, u32 objtype,
4919 struct nft_object_hash_key k = { .table = table };
4920 char search[NFT_OBJ_MAXNAMELEN];
4921 struct rhlist_head *tmp, *list;
4922 struct nft_object *obj;
4924 nla_strlcpy(search, nla, sizeof(search));
4927 WARN_ON_ONCE(!rcu_read_lock_held() &&
4928 !lockdep_commit_lock_is_held(net));
4931 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
4935 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
4936 if (objtype == obj->ops->type->type &&
4937 nft_active_genmask(obj, genmask)) {
4944 return ERR_PTR(-ENOENT);
4946 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4948 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4949 const struct nlattr *nla,
4950 u32 objtype, u8 genmask)
4952 struct nft_object *obj;
4954 list_for_each_entry(obj, &table->objects, list) {
4955 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4956 objtype == obj->ops->type->type &&
4957 nft_active_genmask(obj, genmask))
4960 return ERR_PTR(-ENOENT);
4963 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4964 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4965 .len = NFT_TABLE_MAXNAMELEN - 1 },
4966 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4967 .len = NFT_OBJ_MAXNAMELEN - 1 },
4968 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4969 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4970 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4973 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4974 const struct nft_object_type *type,
4975 const struct nlattr *attr)
4978 const struct nft_object_ops *ops;
4979 struct nft_object *obj;
4982 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4987 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
4988 type->policy, NULL);
4992 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4995 if (type->select_ops) {
4996 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5006 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5010 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5023 return ERR_PTR(err);
5026 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5027 struct nft_object *obj, bool reset)
5029 struct nlattr *nest;
5031 nest = nla_nest_start_noflag(skb, attr);
5033 goto nla_put_failure;
5034 if (obj->ops->dump(skb, obj, reset) < 0)
5035 goto nla_put_failure;
5036 nla_nest_end(skb, nest);
5043 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5045 const struct nft_object_type *type;
5047 list_for_each_entry(type, &nf_tables_objects, list) {
5048 if (objtype == type->type)
5054 static const struct nft_object_type *
5055 nft_obj_type_get(struct net *net, u32 objtype)
5057 const struct nft_object_type *type;
5059 type = __nft_obj_type_get(objtype);
5060 if (type != NULL && try_module_get(type->owner))
5063 lockdep_nfnl_nft_mutex_not_held();
5064 #ifdef CONFIG_MODULES
5066 nft_request_module(net, "nft-obj-%u", objtype);
5067 if (__nft_obj_type_get(objtype))
5068 return ERR_PTR(-EAGAIN);
5071 return ERR_PTR(-ENOENT);
5074 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5075 struct sk_buff *skb, const struct nlmsghdr *nlh,
5076 const struct nlattr * const nla[],
5077 struct netlink_ext_ack *extack)
5079 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5080 const struct nft_object_type *type;
5081 u8 genmask = nft_genmask_next(net);
5082 int family = nfmsg->nfgen_family;
5083 struct nft_table *table;
5084 struct nft_object *obj;
5089 if (!nla[NFTA_OBJ_TYPE] ||
5090 !nla[NFTA_OBJ_NAME] ||
5091 !nla[NFTA_OBJ_DATA])
5094 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5095 if (IS_ERR(table)) {
5096 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5097 return PTR_ERR(table);
5100 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5101 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5104 if (err != -ENOENT) {
5105 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5109 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5110 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5116 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5118 type = nft_obj_type_get(net, objtype);
5120 return PTR_ERR(type);
5122 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5127 obj->key.table = table;
5128 obj->handle = nf_tables_alloc_handle(table);
5130 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5131 if (!obj->key.name) {
5136 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5140 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5141 nft_objname_ht_params);
5145 list_add_tail_rcu(&obj->list, &table->objects);
5149 /* queued in transaction log */
5150 INIT_LIST_HEAD(&obj->list);
5153 kfree(obj->key.name);
5155 if (obj->ops->destroy)
5156 obj->ops->destroy(&ctx, obj);
5159 module_put(type->owner);
5163 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5164 u32 portid, u32 seq, int event, u32 flags,
5165 int family, const struct nft_table *table,
5166 struct nft_object *obj, bool reset)
5168 struct nfgenmsg *nfmsg;
5169 struct nlmsghdr *nlh;
5171 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5172 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5174 goto nla_put_failure;
5176 nfmsg = nlmsg_data(nlh);
5177 nfmsg->nfgen_family = family;
5178 nfmsg->version = NFNETLINK_V0;
5179 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5181 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5182 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5183 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5184 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5185 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5186 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5188 goto nla_put_failure;
5190 nlmsg_end(skb, nlh);
5194 nlmsg_trim(skb, nlh);
5198 struct nft_obj_filter {
5203 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5205 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5206 const struct nft_table *table;
5207 unsigned int idx = 0, s_idx = cb->args[0];
5208 struct nft_obj_filter *filter = cb->data;
5209 struct net *net = sock_net(skb->sk);
5210 int family = nfmsg->nfgen_family;
5211 struct nft_object *obj;
5214 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5218 cb->seq = net->nft.base_seq;
5220 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5221 if (family != NFPROTO_UNSPEC && family != table->family)
5224 list_for_each_entry_rcu(obj, &table->objects, list) {
5225 if (!nft_is_active(net, obj))
5230 memset(&cb->args[1], 0,
5231 sizeof(cb->args) - sizeof(cb->args[0]));
5232 if (filter && filter->table &&
5233 strcmp(filter->table, table->name))
5236 filter->type != NFT_OBJECT_UNSPEC &&
5237 obj->ops->type->type != filter->type)
5240 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5243 NLM_F_MULTI | NLM_F_APPEND,
5244 table->family, table,
5248 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5260 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5262 const struct nlattr * const *nla = cb->data;
5263 struct nft_obj_filter *filter = NULL;
5265 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5266 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5270 if (nla[NFTA_OBJ_TABLE]) {
5271 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5272 if (!filter->table) {
5278 if (nla[NFTA_OBJ_TYPE])
5279 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5286 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5288 struct nft_obj_filter *filter = cb->data;
5291 kfree(filter->table);
5298 /* called with rcu_read_lock held */
5299 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5300 struct sk_buff *skb, const struct nlmsghdr *nlh,
5301 const struct nlattr * const nla[],
5302 struct netlink_ext_ack *extack)
5304 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5305 u8 genmask = nft_genmask_cur(net);
5306 int family = nfmsg->nfgen_family;
5307 const struct nft_table *table;
5308 struct nft_object *obj;
5309 struct sk_buff *skb2;
5314 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5315 struct netlink_dump_control c = {
5316 .start = nf_tables_dump_obj_start,
5317 .dump = nf_tables_dump_obj,
5318 .done = nf_tables_dump_obj_done,
5319 .module = THIS_MODULE,
5320 .data = (void *)nla,
5323 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5326 if (!nla[NFTA_OBJ_NAME] ||
5327 !nla[NFTA_OBJ_TYPE])
5330 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5331 if (IS_ERR(table)) {
5332 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5333 return PTR_ERR(table);
5336 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5337 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5339 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5340 return PTR_ERR(obj);
5343 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5347 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5350 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5351 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5352 family, table, obj, reset);
5356 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5362 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5364 if (obj->ops->destroy)
5365 obj->ops->destroy(ctx, obj);
5367 module_put(obj->ops->type->owner);
5368 kfree(obj->key.name);
5372 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5373 struct sk_buff *skb, const struct nlmsghdr *nlh,
5374 const struct nlattr * const nla[],
5375 struct netlink_ext_ack *extack)
5377 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5378 u8 genmask = nft_genmask_next(net);
5379 int family = nfmsg->nfgen_family;
5380 const struct nlattr *attr;
5381 struct nft_table *table;
5382 struct nft_object *obj;
5386 if (!nla[NFTA_OBJ_TYPE] ||
5387 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5390 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5391 if (IS_ERR(table)) {
5392 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5393 return PTR_ERR(table);
5396 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5397 if (nla[NFTA_OBJ_HANDLE]) {
5398 attr = nla[NFTA_OBJ_HANDLE];
5399 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5401 attr = nla[NFTA_OBJ_NAME];
5402 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5406 NL_SET_BAD_ATTR(extack, attr);
5407 return PTR_ERR(obj);
5410 NL_SET_BAD_ATTR(extack, attr);
5414 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5416 return nft_delobj(&ctx, obj);
5419 void nft_obj_notify(struct net *net, const struct nft_table *table,
5420 struct nft_object *obj, u32 portid, u32 seq, int event,
5421 int family, int report, gfp_t gfp)
5423 struct sk_buff *skb;
5427 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5430 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5434 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5441 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5444 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5446 EXPORT_SYMBOL_GPL(nft_obj_notify);
5448 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5449 struct nft_object *obj, int event)
5451 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5452 ctx->family, ctx->report, GFP_KERNEL);
5458 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5460 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5461 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5462 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5464 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5466 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5468 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5469 list_del_rcu(&type->list);
5470 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5472 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5474 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5475 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5476 .len = NFT_NAME_MAXLEN - 1 },
5477 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5478 .len = NFT_NAME_MAXLEN - 1 },
5479 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5480 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5483 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5484 const struct nlattr *nla, u8 genmask)
5486 struct nft_flowtable *flowtable;
5488 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5489 if (!nla_strcmp(nla, flowtable->name) &&
5490 nft_active_genmask(flowtable, genmask))
5493 return ERR_PTR(-ENOENT);
5495 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5497 static struct nft_flowtable *
5498 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5499 const struct nlattr *nla, u8 genmask)
5501 struct nft_flowtable *flowtable;
5503 list_for_each_entry(flowtable, &table->flowtables, list) {
5504 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5505 nft_active_genmask(flowtable, genmask))
5508 return ERR_PTR(-ENOENT);
5511 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5512 const struct nlattr *attr,
5513 struct net_device *dev_array[], int *len)
5515 const struct nlattr *tmp;
5516 struct net_device *dev;
5517 char ifname[IFNAMSIZ];
5518 int rem, n = 0, err;
5520 nla_for_each_nested(tmp, attr, rem) {
5521 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5526 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5527 dev = __dev_get_by_name(ctx->net, ifname);
5533 dev_array[n++] = dev;
5534 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5548 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5549 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5550 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5551 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5554 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5555 const struct nlattr *attr,
5556 struct nft_flowtable *flowtable)
5558 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5559 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5560 struct nf_hook_ops *ops;
5561 int hooknum, priority;
5564 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5565 nft_flowtable_hook_policy, NULL);
5569 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5570 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5571 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5574 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5575 if (hooknum != NF_NETDEV_INGRESS)
5578 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5580 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5585 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5589 flowtable->hooknum = hooknum;
5590 flowtable->priority = priority;
5591 flowtable->ops = ops;
5592 flowtable->ops_len = n;
5594 for (i = 0; i < n; i++) {
5595 flowtable->ops[i].pf = NFPROTO_NETDEV;
5596 flowtable->ops[i].hooknum = hooknum;
5597 flowtable->ops[i].priority = priority;
5598 flowtable->ops[i].priv = &flowtable->data;
5599 flowtable->ops[i].hook = flowtable->data.type->hook;
5600 flowtable->ops[i].dev = dev_array[i];
5606 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5608 const struct nf_flowtable_type *type;
5610 list_for_each_entry(type, &nf_tables_flowtables, list) {
5611 if (family == type->family)
5617 static const struct nf_flowtable_type *
5618 nft_flowtable_type_get(struct net *net, u8 family)
5620 const struct nf_flowtable_type *type;
5622 type = __nft_flowtable_type_get(family);
5623 if (type != NULL && try_module_get(type->owner))
5626 lockdep_nfnl_nft_mutex_not_held();
5627 #ifdef CONFIG_MODULES
5629 nft_request_module(net, "nf-flowtable-%u", family);
5630 if (__nft_flowtable_type_get(family))
5631 return ERR_PTR(-EAGAIN);
5634 return ERR_PTR(-ENOENT);
5637 static void nft_unregister_flowtable_net_hooks(struct net *net,
5638 struct nft_flowtable *flowtable)
5642 for (i = 0; i < flowtable->ops_len; i++) {
5643 if (!flowtable->ops[i].dev)
5646 nf_unregister_net_hook(net, &flowtable->ops[i]);
5650 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5651 struct sk_buff *skb,
5652 const struct nlmsghdr *nlh,
5653 const struct nlattr * const nla[],
5654 struct netlink_ext_ack *extack)
5656 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5657 const struct nf_flowtable_type *type;
5658 struct nft_flowtable *flowtable, *ft;
5659 u8 genmask = nft_genmask_next(net);
5660 int family = nfmsg->nfgen_family;
5661 struct nft_table *table;
5665 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5666 !nla[NFTA_FLOWTABLE_NAME] ||
5667 !nla[NFTA_FLOWTABLE_HOOK])
5670 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5672 if (IS_ERR(table)) {
5673 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5674 return PTR_ERR(table);
5677 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5679 if (IS_ERR(flowtable)) {
5680 err = PTR_ERR(flowtable);
5681 if (err != -ENOENT) {
5682 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5686 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5687 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5694 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5696 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5700 flowtable->table = table;
5701 flowtable->handle = nf_tables_alloc_handle(table);
5703 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5704 if (!flowtable->name) {
5709 type = nft_flowtable_type_get(net, family);
5711 err = PTR_ERR(type);
5715 flowtable->data.type = type;
5716 err = type->init(&flowtable->data);
5720 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5725 for (i = 0; i < flowtable->ops_len; i++) {
5726 if (!flowtable->ops[i].dev)
5729 list_for_each_entry(ft, &table->flowtables, list) {
5730 for (k = 0; k < ft->ops_len; k++) {
5731 if (!ft->ops[k].dev)
5734 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5735 flowtable->ops[i].pf == ft->ops[k].pf) {
5742 err = nf_register_net_hook(net, &flowtable->ops[i]);
5747 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5751 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5756 i = flowtable->ops_len;
5758 for (k = i - 1; k >= 0; k--)
5759 nf_unregister_net_hook(net, &flowtable->ops[k]);
5761 kfree(flowtable->ops);
5763 flowtable->data.type->free(&flowtable->data);
5765 module_put(type->owner);
5767 kfree(flowtable->name);
5773 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5774 struct sk_buff *skb,
5775 const struct nlmsghdr *nlh,
5776 const struct nlattr * const nla[],
5777 struct netlink_ext_ack *extack)
5779 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5780 u8 genmask = nft_genmask_next(net);
5781 int family = nfmsg->nfgen_family;
5782 struct nft_flowtable *flowtable;
5783 const struct nlattr *attr;
5784 struct nft_table *table;
5787 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5788 (!nla[NFTA_FLOWTABLE_NAME] &&
5789 !nla[NFTA_FLOWTABLE_HANDLE]))
5792 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5794 if (IS_ERR(table)) {
5795 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5796 return PTR_ERR(table);
5799 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5800 attr = nla[NFTA_FLOWTABLE_HANDLE];
5801 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5803 attr = nla[NFTA_FLOWTABLE_NAME];
5804 flowtable = nft_flowtable_lookup(table, attr, genmask);
5807 if (IS_ERR(flowtable)) {
5808 NL_SET_BAD_ATTR(extack, attr);
5809 return PTR_ERR(flowtable);
5811 if (flowtable->use > 0) {
5812 NL_SET_BAD_ATTR(extack, attr);
5816 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5818 return nft_delflowtable(&ctx, flowtable);
5821 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5822 u32 portid, u32 seq, int event,
5823 u32 flags, int family,
5824 struct nft_flowtable *flowtable)
5826 struct nlattr *nest, *nest_devs;
5827 struct nfgenmsg *nfmsg;
5828 struct nlmsghdr *nlh;
5831 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5832 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5834 goto nla_put_failure;
5836 nfmsg = nlmsg_data(nlh);
5837 nfmsg->nfgen_family = family;
5838 nfmsg->version = NFNETLINK_V0;
5839 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5841 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5842 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5843 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5844 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5845 NFTA_FLOWTABLE_PAD))
5846 goto nla_put_failure;
5848 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
5850 goto nla_put_failure;
5851 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5852 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5853 goto nla_put_failure;
5855 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5857 goto nla_put_failure;
5859 for (i = 0; i < flowtable->ops_len; i++) {
5860 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5863 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5864 goto nla_put_failure;
5866 nla_nest_end(skb, nest_devs);
5867 nla_nest_end(skb, nest);
5869 nlmsg_end(skb, nlh);
5873 nlmsg_trim(skb, nlh);
5877 struct nft_flowtable_filter {
5881 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5882 struct netlink_callback *cb)
5884 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5885 struct nft_flowtable_filter *filter = cb->data;
5886 unsigned int idx = 0, s_idx = cb->args[0];
5887 struct net *net = sock_net(skb->sk);
5888 int family = nfmsg->nfgen_family;
5889 struct nft_flowtable *flowtable;
5890 const struct nft_table *table;
5893 cb->seq = net->nft.base_seq;
5895 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5896 if (family != NFPROTO_UNSPEC && family != table->family)
5899 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5900 if (!nft_is_active(net, flowtable))
5905 memset(&cb->args[1], 0,
5906 sizeof(cb->args) - sizeof(cb->args[0]));
5907 if (filter && filter->table &&
5908 strcmp(filter->table, table->name))
5911 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5913 NFT_MSG_NEWFLOWTABLE,
5914 NLM_F_MULTI | NLM_F_APPEND,
5915 table->family, flowtable) < 0)
5918 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5930 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5932 const struct nlattr * const *nla = cb->data;
5933 struct nft_flowtable_filter *filter = NULL;
5935 if (nla[NFTA_FLOWTABLE_TABLE]) {
5936 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5940 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5942 if (!filter->table) {
5952 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5954 struct nft_flowtable_filter *filter = cb->data;
5959 kfree(filter->table);
5965 /* called with rcu_read_lock held */
5966 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5967 struct sk_buff *skb,
5968 const struct nlmsghdr *nlh,
5969 const struct nlattr * const nla[],
5970 struct netlink_ext_ack *extack)
5972 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5973 u8 genmask = nft_genmask_cur(net);
5974 int family = nfmsg->nfgen_family;
5975 struct nft_flowtable *flowtable;
5976 const struct nft_table *table;
5977 struct sk_buff *skb2;
5980 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5981 struct netlink_dump_control c = {
5982 .start = nf_tables_dump_flowtable_start,
5983 .dump = nf_tables_dump_flowtable,
5984 .done = nf_tables_dump_flowtable_done,
5985 .module = THIS_MODULE,
5986 .data = (void *)nla,
5989 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5992 if (!nla[NFTA_FLOWTABLE_NAME])
5995 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5998 return PTR_ERR(table);
6000 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6002 if (IS_ERR(flowtable))
6003 return PTR_ERR(flowtable);
6005 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6009 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6011 NFT_MSG_NEWFLOWTABLE, 0, family,
6016 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6022 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6023 struct nft_flowtable *flowtable,
6026 struct sk_buff *skb;
6030 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6033 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6037 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6039 ctx->family, flowtable);
6045 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6046 ctx->report, GFP_KERNEL);
6049 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6052 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6054 kfree(flowtable->ops);
6055 kfree(flowtable->name);
6056 flowtable->data.type->free(&flowtable->data);
6057 module_put(flowtable->data.type->owner);
6061 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6062 u32 portid, u32 seq)
6064 struct nlmsghdr *nlh;
6065 struct nfgenmsg *nfmsg;
6066 char buf[TASK_COMM_LEN];
6067 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6069 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6071 goto nla_put_failure;
6073 nfmsg = nlmsg_data(nlh);
6074 nfmsg->nfgen_family = AF_UNSPEC;
6075 nfmsg->version = NFNETLINK_V0;
6076 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6078 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6079 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6080 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6081 goto nla_put_failure;
6083 nlmsg_end(skb, nlh);
6087 nlmsg_trim(skb, nlh);
6091 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6092 struct nft_flowtable *flowtable)
6096 for (i = 0; i < flowtable->ops_len; i++) {
6097 if (flowtable->ops[i].dev != dev)
6100 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6101 flowtable->ops[i].dev = NULL;
6106 static int nf_tables_flowtable_event(struct notifier_block *this,
6107 unsigned long event, void *ptr)
6109 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6110 struct nft_flowtable *flowtable;
6111 struct nft_table *table;
6114 if (event != NETDEV_UNREGISTER)
6118 mutex_lock(&net->nft.commit_mutex);
6119 list_for_each_entry(table, &net->nft.tables, list) {
6120 list_for_each_entry(flowtable, &table->flowtables, list) {
6121 nft_flowtable_event(event, dev, flowtable);
6124 mutex_unlock(&net->nft.commit_mutex);
6129 static struct notifier_block nf_tables_flowtable_notifier = {
6130 .notifier_call = nf_tables_flowtable_event,
6133 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6136 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6137 struct sk_buff *skb2;
6140 if (nlmsg_report(nlh) &&
6141 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6144 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6148 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6155 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6156 nlmsg_report(nlh), GFP_KERNEL);
6159 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6163 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6164 struct sk_buff *skb, const struct nlmsghdr *nlh,
6165 const struct nlattr * const nla[],
6166 struct netlink_ext_ack *extack)
6168 struct sk_buff *skb2;
6171 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6175 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6180 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6186 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6187 [NFT_MSG_NEWTABLE] = {
6188 .call_batch = nf_tables_newtable,
6189 .attr_count = NFTA_TABLE_MAX,
6190 .policy = nft_table_policy,
6192 [NFT_MSG_GETTABLE] = {
6193 .call_rcu = nf_tables_gettable,
6194 .attr_count = NFTA_TABLE_MAX,
6195 .policy = nft_table_policy,
6197 [NFT_MSG_DELTABLE] = {
6198 .call_batch = nf_tables_deltable,
6199 .attr_count = NFTA_TABLE_MAX,
6200 .policy = nft_table_policy,
6202 [NFT_MSG_NEWCHAIN] = {
6203 .call_batch = nf_tables_newchain,
6204 .attr_count = NFTA_CHAIN_MAX,
6205 .policy = nft_chain_policy,
6207 [NFT_MSG_GETCHAIN] = {
6208 .call_rcu = nf_tables_getchain,
6209 .attr_count = NFTA_CHAIN_MAX,
6210 .policy = nft_chain_policy,
6212 [NFT_MSG_DELCHAIN] = {
6213 .call_batch = nf_tables_delchain,
6214 .attr_count = NFTA_CHAIN_MAX,
6215 .policy = nft_chain_policy,
6217 [NFT_MSG_NEWRULE] = {
6218 .call_batch = nf_tables_newrule,
6219 .attr_count = NFTA_RULE_MAX,
6220 .policy = nft_rule_policy,
6222 [NFT_MSG_GETRULE] = {
6223 .call_rcu = nf_tables_getrule,
6224 .attr_count = NFTA_RULE_MAX,
6225 .policy = nft_rule_policy,
6227 [NFT_MSG_DELRULE] = {
6228 .call_batch = nf_tables_delrule,
6229 .attr_count = NFTA_RULE_MAX,
6230 .policy = nft_rule_policy,
6232 [NFT_MSG_NEWSET] = {
6233 .call_batch = nf_tables_newset,
6234 .attr_count = NFTA_SET_MAX,
6235 .policy = nft_set_policy,
6237 [NFT_MSG_GETSET] = {
6238 .call_rcu = nf_tables_getset,
6239 .attr_count = NFTA_SET_MAX,
6240 .policy = nft_set_policy,
6242 [NFT_MSG_DELSET] = {
6243 .call_batch = nf_tables_delset,
6244 .attr_count = NFTA_SET_MAX,
6245 .policy = nft_set_policy,
6247 [NFT_MSG_NEWSETELEM] = {
6248 .call_batch = nf_tables_newsetelem,
6249 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6250 .policy = nft_set_elem_list_policy,
6252 [NFT_MSG_GETSETELEM] = {
6253 .call_rcu = nf_tables_getsetelem,
6254 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6255 .policy = nft_set_elem_list_policy,
6257 [NFT_MSG_DELSETELEM] = {
6258 .call_batch = nf_tables_delsetelem,
6259 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6260 .policy = nft_set_elem_list_policy,
6262 [NFT_MSG_GETGEN] = {
6263 .call_rcu = nf_tables_getgen,
6265 [NFT_MSG_NEWOBJ] = {
6266 .call_batch = nf_tables_newobj,
6267 .attr_count = NFTA_OBJ_MAX,
6268 .policy = nft_obj_policy,
6270 [NFT_MSG_GETOBJ] = {
6271 .call_rcu = nf_tables_getobj,
6272 .attr_count = NFTA_OBJ_MAX,
6273 .policy = nft_obj_policy,
6275 [NFT_MSG_DELOBJ] = {
6276 .call_batch = nf_tables_delobj,
6277 .attr_count = NFTA_OBJ_MAX,
6278 .policy = nft_obj_policy,
6280 [NFT_MSG_GETOBJ_RESET] = {
6281 .call_rcu = nf_tables_getobj,
6282 .attr_count = NFTA_OBJ_MAX,
6283 .policy = nft_obj_policy,
6285 [NFT_MSG_NEWFLOWTABLE] = {
6286 .call_batch = nf_tables_newflowtable,
6287 .attr_count = NFTA_FLOWTABLE_MAX,
6288 .policy = nft_flowtable_policy,
6290 [NFT_MSG_GETFLOWTABLE] = {
6291 .call_rcu = nf_tables_getflowtable,
6292 .attr_count = NFTA_FLOWTABLE_MAX,
6293 .policy = nft_flowtable_policy,
6295 [NFT_MSG_DELFLOWTABLE] = {
6296 .call_batch = nf_tables_delflowtable,
6297 .attr_count = NFTA_FLOWTABLE_MAX,
6298 .policy = nft_flowtable_policy,
6302 static int nf_tables_validate(struct net *net)
6304 struct nft_table *table;
6306 switch (net->nft.validate_state) {
6307 case NFT_VALIDATE_SKIP:
6309 case NFT_VALIDATE_NEED:
6310 nft_validate_state_update(net, NFT_VALIDATE_DO);
6312 case NFT_VALIDATE_DO:
6313 list_for_each_entry(table, &net->nft.tables, list) {
6314 if (nft_table_validate(net, table) < 0)
6323 /* a drop policy has to be deferred until all rules have been activated,
6324 * otherwise a large ruleset that contains a drop-policy base chain will
6325 * cause all packets to get dropped until the full transaction has been
6328 * We defer the drop policy until the transaction has been finalized.
6330 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6332 struct nft_base_chain *basechain;
6334 if (nft_trans_chain_policy(trans) != NF_DROP)
6337 if (!nft_is_base_chain(trans->ctx.chain))
6340 basechain = nft_base_chain(trans->ctx.chain);
6341 basechain->policy = NF_DROP;
6344 static void nft_chain_commit_update(struct nft_trans *trans)
6346 struct nft_base_chain *basechain;
6348 if (nft_trans_chain_name(trans)) {
6349 rhltable_remove(&trans->ctx.table->chains_ht,
6350 &trans->ctx.chain->rhlhead,
6351 nft_chain_ht_params);
6352 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6353 rhltable_insert_key(&trans->ctx.table->chains_ht,
6354 trans->ctx.chain->name,
6355 &trans->ctx.chain->rhlhead,
6356 nft_chain_ht_params);
6359 if (!nft_is_base_chain(trans->ctx.chain))
6362 basechain = nft_base_chain(trans->ctx.chain);
6363 nft_chain_stats_replace(trans->ctx.net, basechain,
6364 nft_trans_chain_stats(trans));
6366 switch (nft_trans_chain_policy(trans)) {
6369 basechain->policy = nft_trans_chain_policy(trans);
6374 static void nft_commit_release(struct nft_trans *trans)
6376 switch (trans->msg_type) {
6377 case NFT_MSG_DELTABLE:
6378 nf_tables_table_destroy(&trans->ctx);
6380 case NFT_MSG_NEWCHAIN:
6381 kfree(nft_trans_chain_name(trans));
6383 case NFT_MSG_DELCHAIN:
6384 nf_tables_chain_destroy(&trans->ctx);
6386 case NFT_MSG_DELRULE:
6387 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6389 case NFT_MSG_DELSET:
6390 nft_set_destroy(nft_trans_set(trans));
6392 case NFT_MSG_DELSETELEM:
6393 nf_tables_set_elem_destroy(&trans->ctx,
6394 nft_trans_elem_set(trans),
6395 nft_trans_elem(trans).priv);
6397 case NFT_MSG_DELOBJ:
6398 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6400 case NFT_MSG_DELFLOWTABLE:
6401 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6406 put_net(trans->ctx.net);
6411 static void nf_tables_trans_destroy_work(struct work_struct *w)
6413 struct nft_trans *trans, *next;
6416 spin_lock(&nf_tables_destroy_list_lock);
6417 list_splice_init(&nf_tables_destroy_list, &head);
6418 spin_unlock(&nf_tables_destroy_list_lock);
6420 if (list_empty(&head))
6425 list_for_each_entry_safe(trans, next, &head, list) {
6426 list_del(&trans->list);
6427 nft_commit_release(trans);
6431 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6433 struct nft_rule *rule;
6434 unsigned int alloc = 0;
6437 /* already handled or inactive chain? */
6438 if (chain->rules_next || !nft_is_active_next(net, chain))
6441 rule = list_entry(&chain->rules, struct nft_rule, list);
6444 list_for_each_entry_continue(rule, &chain->rules, list) {
6445 if (nft_is_active_next(net, rule))
6449 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6450 if (!chain->rules_next)
6453 list_for_each_entry_continue(rule, &chain->rules, list) {
6454 if (nft_is_active_next(net, rule))
6455 chain->rules_next[i++] = rule;
6458 chain->rules_next[i] = NULL;
6462 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6464 struct nft_trans *trans, *next;
6466 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6467 struct nft_chain *chain = trans->ctx.chain;
6469 if (trans->msg_type == NFT_MSG_NEWRULE ||
6470 trans->msg_type == NFT_MSG_DELRULE) {
6471 kvfree(chain->rules_next);
6472 chain->rules_next = NULL;
6477 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6479 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6484 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6486 struct nft_rule **r = rules;
6487 struct nft_rules_old *old;
6492 r++; /* rcu_head is after end marker */
6496 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6499 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6501 struct nft_rule **g0, **g1;
6504 next_genbit = nft_gencursor_next(net);
6506 g0 = rcu_dereference_protected(chain->rules_gen_0,
6507 lockdep_commit_lock_is_held(net));
6508 g1 = rcu_dereference_protected(chain->rules_gen_1,
6509 lockdep_commit_lock_is_held(net));
6511 /* No changes to this chain? */
6512 if (chain->rules_next == NULL) {
6513 /* chain had no change in last or next generation */
6517 * chain had no change in this generation; make sure next
6518 * one uses same rules as current generation.
6521 rcu_assign_pointer(chain->rules_gen_1, g0);
6522 nf_tables_commit_chain_free_rules_old(g1);
6524 rcu_assign_pointer(chain->rules_gen_0, g1);
6525 nf_tables_commit_chain_free_rules_old(g0);
6532 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6534 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6536 chain->rules_next = NULL;
6542 nf_tables_commit_chain_free_rules_old(g1);
6544 nf_tables_commit_chain_free_rules_old(g0);
6547 static void nft_obj_del(struct nft_object *obj)
6549 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6550 list_del_rcu(&obj->list);
6553 static void nft_chain_del(struct nft_chain *chain)
6555 struct nft_table *table = chain->table;
6557 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6558 nft_chain_ht_params));
6559 list_del_rcu(&chain->list);
6562 static void nf_tables_commit_release(struct net *net)
6564 struct nft_trans *trans;
6566 /* all side effects have to be made visible.
6567 * For example, if a chain named 'foo' has been deleted, a
6568 * new transaction must not find it anymore.
6570 * Memory reclaim happens asynchronously from work queue
6571 * to prevent expensive synchronize_rcu() in commit phase.
6573 if (list_empty(&net->nft.commit_list)) {
6574 mutex_unlock(&net->nft.commit_mutex);
6578 trans = list_last_entry(&net->nft.commit_list,
6579 struct nft_trans, list);
6580 get_net(trans->ctx.net);
6581 WARN_ON_ONCE(trans->put_net);
6583 trans->put_net = true;
6584 spin_lock(&nf_tables_destroy_list_lock);
6585 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6586 spin_unlock(&nf_tables_destroy_list_lock);
6588 mutex_unlock(&net->nft.commit_mutex);
6590 schedule_work(&trans_destroy_work);
6593 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6595 struct nft_trans *trans, *next;
6596 struct nft_trans_elem *te;
6597 struct nft_chain *chain;
6598 struct nft_table *table;
6600 if (list_empty(&net->nft.commit_list)) {
6601 mutex_unlock(&net->nft.commit_mutex);
6605 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6606 if (nf_tables_validate(net) < 0)
6609 /* 1. Allocate space for next generation rules_gen_X[] */
6610 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6613 if (trans->msg_type == NFT_MSG_NEWRULE ||
6614 trans->msg_type == NFT_MSG_DELRULE) {
6615 chain = trans->ctx.chain;
6617 ret = nf_tables_commit_chain_prepare(net, chain);
6619 nf_tables_commit_chain_prepare_cancel(net);
6625 /* step 2. Make rules_gen_X visible to packet path */
6626 list_for_each_entry(table, &net->nft.tables, list) {
6627 list_for_each_entry(chain, &table->chains, list)
6628 nf_tables_commit_chain(net, chain);
6632 * Bump generation counter, invalidate any dump in progress.
6633 * Cannot fail after this point.
6635 while (++net->nft.base_seq == 0);
6637 /* step 3. Start new generation, rules_gen_X now in use. */
6638 net->nft.gencursor = nft_gencursor_next(net);
6640 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6641 switch (trans->msg_type) {
6642 case NFT_MSG_NEWTABLE:
6643 if (nft_trans_table_update(trans)) {
6644 if (!nft_trans_table_enable(trans)) {
6645 nf_tables_table_disable(net,
6647 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6650 nft_clear(net, trans->ctx.table);
6652 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6653 nft_trans_destroy(trans);
6655 case NFT_MSG_DELTABLE:
6656 list_del_rcu(&trans->ctx.table->list);
6657 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6659 case NFT_MSG_NEWCHAIN:
6660 if (nft_trans_chain_update(trans)) {
6661 nft_chain_commit_update(trans);
6662 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6663 /* trans destroyed after rcu grace period */
6665 nft_chain_commit_drop_policy(trans);
6666 nft_clear(net, trans->ctx.chain);
6667 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6668 nft_trans_destroy(trans);
6671 case NFT_MSG_DELCHAIN:
6672 nft_chain_del(trans->ctx.chain);
6673 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6674 nf_tables_unregister_hook(trans->ctx.net,
6678 case NFT_MSG_NEWRULE:
6679 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6680 nf_tables_rule_notify(&trans->ctx,
6681 nft_trans_rule(trans),
6683 nft_trans_destroy(trans);
6685 case NFT_MSG_DELRULE:
6686 list_del_rcu(&nft_trans_rule(trans)->list);
6687 nf_tables_rule_notify(&trans->ctx,
6688 nft_trans_rule(trans),
6690 nft_rule_expr_deactivate(&trans->ctx,
6691 nft_trans_rule(trans),
6694 case NFT_MSG_NEWSET:
6695 nft_clear(net, nft_trans_set(trans));
6696 /* This avoids hitting -EBUSY when deleting the table
6697 * from the transaction.
6699 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6700 !list_empty(&nft_trans_set(trans)->bindings))
6701 trans->ctx.table->use--;
6703 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6704 NFT_MSG_NEWSET, GFP_KERNEL);
6705 nft_trans_destroy(trans);
6707 case NFT_MSG_DELSET:
6708 list_del_rcu(&nft_trans_set(trans)->list);
6709 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6710 NFT_MSG_DELSET, GFP_KERNEL);
6712 case NFT_MSG_NEWSETELEM:
6713 te = (struct nft_trans_elem *)trans->data;
6715 te->set->ops->activate(net, te->set, &te->elem);
6716 nf_tables_setelem_notify(&trans->ctx, te->set,
6718 NFT_MSG_NEWSETELEM, 0);
6719 nft_trans_destroy(trans);
6721 case NFT_MSG_DELSETELEM:
6722 te = (struct nft_trans_elem *)trans->data;
6724 nf_tables_setelem_notify(&trans->ctx, te->set,
6726 NFT_MSG_DELSETELEM, 0);
6727 te->set->ops->remove(net, te->set, &te->elem);
6728 atomic_dec(&te->set->nelems);
6731 case NFT_MSG_NEWOBJ:
6732 nft_clear(net, nft_trans_obj(trans));
6733 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6735 nft_trans_destroy(trans);
6737 case NFT_MSG_DELOBJ:
6738 nft_obj_del(nft_trans_obj(trans));
6739 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6742 case NFT_MSG_NEWFLOWTABLE:
6743 nft_clear(net, nft_trans_flowtable(trans));
6744 nf_tables_flowtable_notify(&trans->ctx,
6745 nft_trans_flowtable(trans),
6746 NFT_MSG_NEWFLOWTABLE);
6747 nft_trans_destroy(trans);
6749 case NFT_MSG_DELFLOWTABLE:
6750 list_del_rcu(&nft_trans_flowtable(trans)->list);
6751 nf_tables_flowtable_notify(&trans->ctx,
6752 nft_trans_flowtable(trans),
6753 NFT_MSG_DELFLOWTABLE);
6754 nft_unregister_flowtable_net_hooks(net,
6755 nft_trans_flowtable(trans));
6760 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6761 nf_tables_commit_release(net);
6766 static void nf_tables_abort_release(struct nft_trans *trans)
6768 switch (trans->msg_type) {
6769 case NFT_MSG_NEWTABLE:
6770 nf_tables_table_destroy(&trans->ctx);
6772 case NFT_MSG_NEWCHAIN:
6773 nf_tables_chain_destroy(&trans->ctx);
6775 case NFT_MSG_NEWRULE:
6776 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6778 case NFT_MSG_NEWSET:
6779 nft_set_destroy(nft_trans_set(trans));
6781 case NFT_MSG_NEWSETELEM:
6782 nft_set_elem_destroy(nft_trans_elem_set(trans),
6783 nft_trans_elem(trans).priv, true);
6785 case NFT_MSG_NEWOBJ:
6786 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6788 case NFT_MSG_NEWFLOWTABLE:
6789 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6795 static int __nf_tables_abort(struct net *net)
6797 struct nft_trans *trans, *next;
6798 struct nft_trans_elem *te;
6800 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6802 switch (trans->msg_type) {
6803 case NFT_MSG_NEWTABLE:
6804 if (nft_trans_table_update(trans)) {
6805 if (nft_trans_table_enable(trans)) {
6806 nf_tables_table_disable(net,
6808 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6810 nft_trans_destroy(trans);
6812 list_del_rcu(&trans->ctx.table->list);
6815 case NFT_MSG_DELTABLE:
6816 nft_clear(trans->ctx.net, trans->ctx.table);
6817 nft_trans_destroy(trans);
6819 case NFT_MSG_NEWCHAIN:
6820 if (nft_trans_chain_update(trans)) {
6821 free_percpu(nft_trans_chain_stats(trans));
6822 kfree(nft_trans_chain_name(trans));
6823 nft_trans_destroy(trans);
6825 trans->ctx.table->use--;
6826 nft_chain_del(trans->ctx.chain);
6827 nf_tables_unregister_hook(trans->ctx.net,
6832 case NFT_MSG_DELCHAIN:
6833 trans->ctx.table->use++;
6834 nft_clear(trans->ctx.net, trans->ctx.chain);
6835 nft_trans_destroy(trans);
6837 case NFT_MSG_NEWRULE:
6838 trans->ctx.chain->use--;
6839 list_del_rcu(&nft_trans_rule(trans)->list);
6840 nft_rule_expr_deactivate(&trans->ctx,
6841 nft_trans_rule(trans),
6844 case NFT_MSG_DELRULE:
6845 trans->ctx.chain->use++;
6846 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6847 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6848 nft_trans_destroy(trans);
6850 case NFT_MSG_NEWSET:
6851 trans->ctx.table->use--;
6852 if (nft_trans_set(trans)->bound) {
6853 nft_trans_destroy(trans);
6856 list_del_rcu(&nft_trans_set(trans)->list);
6858 case NFT_MSG_DELSET:
6859 trans->ctx.table->use++;
6860 nft_clear(trans->ctx.net, nft_trans_set(trans));
6861 nft_trans_destroy(trans);
6863 case NFT_MSG_NEWSETELEM:
6864 if (nft_trans_elem_set(trans)->bound) {
6865 nft_trans_destroy(trans);
6868 te = (struct nft_trans_elem *)trans->data;
6869 te->set->ops->remove(net, te->set, &te->elem);
6870 atomic_dec(&te->set->nelems);
6872 case NFT_MSG_DELSETELEM:
6873 te = (struct nft_trans_elem *)trans->data;
6875 nft_set_elem_activate(net, te->set, &te->elem);
6876 te->set->ops->activate(net, te->set, &te->elem);
6879 nft_trans_destroy(trans);
6881 case NFT_MSG_NEWOBJ:
6882 trans->ctx.table->use--;
6883 nft_obj_del(nft_trans_obj(trans));
6885 case NFT_MSG_DELOBJ:
6886 trans->ctx.table->use++;
6887 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6888 nft_trans_destroy(trans);
6890 case NFT_MSG_NEWFLOWTABLE:
6891 trans->ctx.table->use--;
6892 list_del_rcu(&nft_trans_flowtable(trans)->list);
6893 nft_unregister_flowtable_net_hooks(net,
6894 nft_trans_flowtable(trans));
6896 case NFT_MSG_DELFLOWTABLE:
6897 trans->ctx.table->use++;
6898 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6899 nft_trans_destroy(trans);
6906 list_for_each_entry_safe_reverse(trans, next,
6907 &net->nft.commit_list, list) {
6908 list_del(&trans->list);
6909 nf_tables_abort_release(trans);
6915 static void nf_tables_cleanup(struct net *net)
6917 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6920 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6922 int ret = __nf_tables_abort(net);
6924 mutex_unlock(&net->nft.commit_mutex);
6929 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6933 mutex_lock(&net->nft.commit_mutex);
6935 genid_ok = genid == 0 || net->nft.base_seq == genid;
6937 mutex_unlock(&net->nft.commit_mutex);
6939 /* else, commit mutex has to be released by commit or abort function */
6943 static const struct nfnetlink_subsystem nf_tables_subsys = {
6944 .name = "nf_tables",
6945 .subsys_id = NFNL_SUBSYS_NFTABLES,
6946 .cb_count = NFT_MSG_MAX,
6948 .commit = nf_tables_commit,
6949 .abort = nf_tables_abort,
6950 .cleanup = nf_tables_cleanup,
6951 .valid_genid = nf_tables_valid_genid,
6952 .owner = THIS_MODULE,
6955 int nft_chain_validate_dependency(const struct nft_chain *chain,
6956 enum nft_chain_types type)
6958 const struct nft_base_chain *basechain;
6960 if (nft_is_base_chain(chain)) {
6961 basechain = nft_base_chain(chain);
6962 if (basechain->type->type != type)
6967 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6969 int nft_chain_validate_hooks(const struct nft_chain *chain,
6970 unsigned int hook_flags)
6972 struct nft_base_chain *basechain;
6974 if (nft_is_base_chain(chain)) {
6975 basechain = nft_base_chain(chain);
6977 if ((1 << basechain->ops.hooknum) & hook_flags)
6985 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6988 * Loop detection - walk through the ruleset beginning at the destination chain
6989 * of a new jump until either the source chain is reached (loop) or all
6990 * reachable chains have been traversed.
6992 * The loop check is performed whenever a new jump verdict is added to an
6993 * expression or verdict map or a verdict map is bound to a new chain.
6996 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6997 const struct nft_chain *chain);
6999 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7000 struct nft_set *set,
7001 const struct nft_set_iter *iter,
7002 struct nft_set_elem *elem)
7004 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7005 const struct nft_data *data;
7007 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7008 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7011 data = nft_set_ext_data(ext);
7012 switch (data->verdict.code) {
7015 return nf_tables_check_loops(ctx, data->verdict.chain);
7021 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7022 const struct nft_chain *chain)
7024 const struct nft_rule *rule;
7025 const struct nft_expr *expr, *last;
7026 struct nft_set *set;
7027 struct nft_set_binding *binding;
7028 struct nft_set_iter iter;
7030 if (ctx->chain == chain)
7033 list_for_each_entry(rule, &chain->rules, list) {
7034 nft_rule_for_each_expr(expr, last, rule) {
7035 struct nft_immediate_expr *priv;
7036 const struct nft_data *data;
7039 if (strcmp(expr->ops->type->name, "immediate"))
7042 priv = nft_expr_priv(expr);
7043 if (priv->dreg != NFT_REG_VERDICT)
7047 switch (data->verdict.code) {
7050 err = nf_tables_check_loops(ctx,
7051 data->verdict.chain);
7060 list_for_each_entry(set, &ctx->table->sets, list) {
7061 if (!nft_is_active_next(ctx->net, set))
7063 if (!(set->flags & NFT_SET_MAP) ||
7064 set->dtype != NFT_DATA_VERDICT)
7067 list_for_each_entry(binding, &set->bindings, list) {
7068 if (!(binding->flags & NFT_SET_MAP) ||
7069 binding->chain != chain)
7072 iter.genmask = nft_genmask_next(ctx->net);
7076 iter.fn = nf_tables_loop_check_setelem;
7078 set->ops->walk(ctx, set, &iter);
7088 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7090 * @attr: netlink attribute to fetch value from
7091 * @max: maximum value to be stored in dest
7092 * @dest: pointer to the variable
7094 * Parse, check and store a given u32 netlink attribute into variable.
7095 * This function returns -ERANGE if the value goes over maximum value.
7096 * Otherwise a 0 is returned and the attribute value is stored in the
7097 * destination variable.
7099 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7103 val = ntohl(nla_get_be32(attr));
7110 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7113 * nft_parse_register - parse a register value from a netlink attribute
7115 * @attr: netlink attribute
7117 * Parse and translate a register value from a netlink attribute.
7118 * Registers used to be 128 bit wide, these register numbers will be
7119 * mapped to the corresponding 32 bit register numbers.
7121 unsigned int nft_parse_register(const struct nlattr *attr)
7125 reg = ntohl(nla_get_be32(attr));
7127 case NFT_REG_VERDICT...NFT_REG_4:
7128 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7130 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7133 EXPORT_SYMBOL_GPL(nft_parse_register);
7136 * nft_dump_register - dump a register value to a netlink attribute
7138 * @skb: socket buffer
7139 * @attr: attribute number
7140 * @reg: register number
7142 * Construct a netlink attribute containing the register number. For
7143 * compatibility reasons, register numbers being a multiple of 4 are
7144 * translated to the corresponding 128 bit register numbers.
7146 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7148 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7149 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7151 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7153 return nla_put_be32(skb, attr, htonl(reg));
7155 EXPORT_SYMBOL_GPL(nft_dump_register);
7158 * nft_validate_register_load - validate a load from a register
7160 * @reg: the register number
7161 * @len: the length of the data
7163 * Validate that the input register is one of the general purpose
7164 * registers and that the length of the load is within the bounds.
7166 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7168 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7172 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7177 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7180 * nft_validate_register_store - validate an expressions' register store
7182 * @ctx: context of the expression performing the load
7183 * @reg: the destination register number
7184 * @data: the data to load
7185 * @type: the data type
7186 * @len: the length of the data
7188 * Validate that a data load uses the appropriate data type for
7189 * the destination register and the length is within the bounds.
7190 * A value of NULL for the data means that its runtime gathered
7193 int nft_validate_register_store(const struct nft_ctx *ctx,
7194 enum nft_registers reg,
7195 const struct nft_data *data,
7196 enum nft_data_types type, unsigned int len)
7201 case NFT_REG_VERDICT:
7202 if (type != NFT_DATA_VERDICT)
7206 (data->verdict.code == NFT_GOTO ||
7207 data->verdict.code == NFT_JUMP)) {
7208 err = nf_tables_check_loops(ctx, data->verdict.chain);
7215 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7219 if (reg * NFT_REG32_SIZE + len >
7220 FIELD_SIZEOF(struct nft_regs, data))
7223 if (data != NULL && type != NFT_DATA_VALUE)
7228 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7230 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7231 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7232 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7233 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7236 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7237 struct nft_data_desc *desc, const struct nlattr *nla)
7239 u8 genmask = nft_genmask_next(ctx->net);
7240 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7241 struct nft_chain *chain;
7244 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7245 nft_verdict_policy, NULL);
7249 if (!tb[NFTA_VERDICT_CODE])
7251 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7253 switch (data->verdict.code) {
7255 switch (data->verdict.code & NF_VERDICT_MASK) {
7270 if (!tb[NFTA_VERDICT_CHAIN])
7272 chain = nft_chain_lookup(ctx->net, ctx->table,
7273 tb[NFTA_VERDICT_CHAIN], genmask);
7275 return PTR_ERR(chain);
7276 if (nft_is_base_chain(chain))
7280 data->verdict.chain = chain;
7284 desc->len = sizeof(data->verdict);
7285 desc->type = NFT_DATA_VERDICT;
7289 static void nft_verdict_uninit(const struct nft_data *data)
7291 switch (data->verdict.code) {
7294 data->verdict.chain->use--;
7299 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7301 struct nlattr *nest;
7303 nest = nla_nest_start_noflag(skb, type);
7305 goto nla_put_failure;
7307 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7308 goto nla_put_failure;
7313 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7315 goto nla_put_failure;
7317 nla_nest_end(skb, nest);
7324 static int nft_value_init(const struct nft_ctx *ctx,
7325 struct nft_data *data, unsigned int size,
7326 struct nft_data_desc *desc, const struct nlattr *nla)
7336 nla_memcpy(data->data, nla, len);
7337 desc->type = NFT_DATA_VALUE;
7342 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7345 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7348 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7349 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7350 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7354 * nft_data_init - parse nf_tables data netlink attributes
7356 * @ctx: context of the expression using the data
7357 * @data: destination struct nft_data
7358 * @size: maximum data length
7359 * @desc: data description
7360 * @nla: netlink attribute containing data
7362 * Parse the netlink data attributes and initialize a struct nft_data.
7363 * The type and length of data are returned in the data description.
7365 * The caller can indicate that it only wants to accept data of type
7366 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7368 int nft_data_init(const struct nft_ctx *ctx,
7369 struct nft_data *data, unsigned int size,
7370 struct nft_data_desc *desc, const struct nlattr *nla)
7372 struct nlattr *tb[NFTA_DATA_MAX + 1];
7375 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7376 nft_data_policy, NULL);
7380 if (tb[NFTA_DATA_VALUE])
7381 return nft_value_init(ctx, data, size, desc,
7382 tb[NFTA_DATA_VALUE]);
7383 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7384 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7387 EXPORT_SYMBOL_GPL(nft_data_init);
7390 * nft_data_release - release a nft_data item
7392 * @data: struct nft_data to release
7393 * @type: type of data
7395 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7396 * all others need to be released by calling this function.
7398 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7400 if (type < NFT_DATA_VERDICT)
7403 case NFT_DATA_VERDICT:
7404 return nft_verdict_uninit(data);
7409 EXPORT_SYMBOL_GPL(nft_data_release);
7411 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7412 enum nft_data_types type, unsigned int len)
7414 struct nlattr *nest;
7417 nest = nla_nest_start_noflag(skb, attr);
7422 case NFT_DATA_VALUE:
7423 err = nft_value_dump(skb, data, len);
7425 case NFT_DATA_VERDICT:
7426 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7433 nla_nest_end(skb, nest);
7436 EXPORT_SYMBOL_GPL(nft_data_dump);
7438 int __nft_release_basechain(struct nft_ctx *ctx)
7440 struct nft_rule *rule, *nr;
7442 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7445 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7446 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7447 list_del(&rule->list);
7449 nf_tables_rule_release(ctx, rule);
7451 nft_chain_del(ctx->chain);
7453 nf_tables_chain_destroy(ctx);
7457 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7459 static void __nft_release_tables(struct net *net)
7461 struct nft_flowtable *flowtable, *nf;
7462 struct nft_table *table, *nt;
7463 struct nft_chain *chain, *nc;
7464 struct nft_object *obj, *ne;
7465 struct nft_rule *rule, *nr;
7466 struct nft_set *set, *ns;
7467 struct nft_ctx ctx = {
7469 .family = NFPROTO_NETDEV,
7472 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7473 ctx.family = table->family;
7475 list_for_each_entry(chain, &table->chains, list)
7476 nf_tables_unregister_hook(net, table, chain);
7477 /* No packets are walking on these chains anymore. */
7479 list_for_each_entry(chain, &table->chains, list) {
7481 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7482 list_del(&rule->list);
7484 nf_tables_rule_release(&ctx, rule);
7487 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7488 list_del(&flowtable->list);
7490 nf_tables_flowtable_destroy(flowtable);
7492 list_for_each_entry_safe(set, ns, &table->sets, list) {
7493 list_del(&set->list);
7495 nft_set_destroy(set);
7497 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7500 nft_obj_destroy(&ctx, obj);
7502 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7504 nft_chain_del(chain);
7506 nf_tables_chain_destroy(&ctx);
7508 list_del(&table->list);
7509 nf_tables_table_destroy(&ctx);
7513 static int __net_init nf_tables_init_net(struct net *net)
7515 INIT_LIST_HEAD(&net->nft.tables);
7516 INIT_LIST_HEAD(&net->nft.commit_list);
7517 mutex_init(&net->nft.commit_mutex);
7518 net->nft.base_seq = 1;
7519 net->nft.validate_state = NFT_VALIDATE_SKIP;
7524 static void __net_exit nf_tables_exit_net(struct net *net)
7526 mutex_lock(&net->nft.commit_mutex);
7527 if (!list_empty(&net->nft.commit_list))
7528 __nf_tables_abort(net);
7529 __nft_release_tables(net);
7530 mutex_unlock(&net->nft.commit_mutex);
7531 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7534 static struct pernet_operations nf_tables_net_ops = {
7535 .init = nf_tables_init_net,
7536 .exit = nf_tables_exit_net,
7539 static int __init nf_tables_module_init(void)
7543 spin_lock_init(&nf_tables_destroy_list_lock);
7544 err = register_pernet_subsys(&nf_tables_net_ops);
7548 err = nft_chain_filter_init();
7552 err = nf_tables_core_module_init();
7556 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7560 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7565 err = nfnetlink_subsys_register(&nf_tables_subsys);
7569 nft_chain_route_init();
7572 rhltable_destroy(&nft_objname_ht);
7574 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7576 nf_tables_core_module_exit();
7578 nft_chain_filter_fini();
7580 unregister_pernet_subsys(&nf_tables_net_ops);
7584 static void __exit nf_tables_module_exit(void)
7586 nfnetlink_subsys_unregister(&nf_tables_subsys);
7587 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7588 nft_chain_filter_fini();
7589 nft_chain_route_fini();
7590 unregister_pernet_subsys(&nf_tables_net_ops);
7591 cancel_work_sync(&trans_destroy_work);
7593 rhltable_destroy(&nft_objname_ht);
7594 nf_tables_core_module_exit();
7597 module_init(nf_tables_module_init);
7598 module_exit(nf_tables_module_exit);
7600 MODULE_LICENSE("GPL");
7602 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux.git / blob