2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
44 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
47 * nft_unregister_afinfo - unregister nf_tables address family info
49 * @afi: address family info to unregister
51 * Unregister the address family for use with nf_tables.
53 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
55 nfnl_lock(NFNL_SUBSYS_NFTABLES);
56 __nft_release_afinfo(net, afi);
57 list_del_rcu(&afi->list);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
60 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
62 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
64 struct nft_af_info *afi;
66 list_for_each_entry(afi, &net->nft.af_info, list) {
67 if (afi->family == family)
73 static struct nft_af_info *
74 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
76 struct nft_af_info *afi;
78 afi = nft_afinfo_lookup(net, family);
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
84 request_module("nft-afinfo-%u", family);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES);
86 afi = nft_afinfo_lookup(net, family);
88 return ERR_PTR(-EAGAIN);
91 return ERR_PTR(-EAFNOSUPPORT);
94 static void nft_ctx_init(struct nft_ctx *ctx,
96 const struct sk_buff *skb,
97 const struct nlmsghdr *nlh,
98 struct nft_af_info *afi,
99 struct nft_table *table,
100 struct nft_chain *chain,
101 const struct nlattr * const *nla)
108 ctx->portid = NETLINK_CB(skb).portid;
109 ctx->report = nlmsg_report(nlh);
110 ctx->seq = nlh->nlmsg_seq;
113 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
116 struct nft_trans *trans;
118 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
122 trans->msg_type = msg_type;
128 static void nft_trans_destroy(struct nft_trans *trans)
130 list_del(&trans->list);
134 static int nft_register_basechain(struct nft_base_chain *basechain,
135 unsigned int hook_nops)
137 struct net *net = read_pnet(&basechain->pnet);
139 if (basechain->flags & NFT_BASECHAIN_DISABLED)
142 return nf_register_net_hooks(net, basechain->ops, hook_nops);
145 static void nft_unregister_basechain(struct nft_base_chain *basechain,
146 unsigned int hook_nops)
148 struct net *net = read_pnet(&basechain->pnet);
150 if (basechain->flags & NFT_BASECHAIN_DISABLED)
153 nf_unregister_net_hooks(net, basechain->ops, hook_nops);
156 static int nf_tables_register_hooks(const struct nft_table *table,
157 struct nft_chain *chain,
158 unsigned int hook_nops)
160 if (table->flags & NFT_TABLE_F_DORMANT ||
161 !(chain->flags & NFT_BASE_CHAIN))
164 return nft_register_basechain(nft_base_chain(chain), hook_nops);
167 static void nf_tables_unregister_hooks(const struct nft_table *table,
168 struct nft_chain *chain,
169 unsigned int hook_nops)
171 if (table->flags & NFT_TABLE_F_DORMANT ||
172 !(chain->flags & NFT_BASE_CHAIN))
175 nft_unregister_basechain(nft_base_chain(chain), hook_nops);
178 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
180 struct nft_trans *trans;
182 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
186 if (msg_type == NFT_MSG_NEWTABLE)
187 nft_activate_next(ctx->net, ctx->table);
189 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
193 static int nft_deltable(struct nft_ctx *ctx)
197 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
201 nft_deactivate_next(ctx->net, ctx->table);
205 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
207 struct nft_trans *trans;
209 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
213 if (msg_type == NFT_MSG_NEWCHAIN)
214 nft_activate_next(ctx->net, ctx->chain);
216 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
220 static int nft_delchain(struct nft_ctx *ctx)
224 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
229 nft_deactivate_next(ctx->net, ctx->chain);
235 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
237 /* You cannot delete the same rule twice */
238 if (nft_is_active_next(ctx->net, rule)) {
239 nft_deactivate_next(ctx->net, rule);
246 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
247 struct nft_rule *rule)
249 struct nft_trans *trans;
251 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
255 nft_trans_rule(trans) = rule;
256 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
261 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
263 struct nft_trans *trans;
266 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
270 err = nf_tables_delrule_deactivate(ctx, rule);
272 nft_trans_destroy(trans);
279 static int nft_delrule_by_chain(struct nft_ctx *ctx)
281 struct nft_rule *rule;
284 list_for_each_entry(rule, &ctx->chain->rules, list) {
285 err = nft_delrule(ctx, rule);
292 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
295 struct nft_trans *trans;
297 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
301 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
302 nft_trans_set_id(trans) =
303 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
304 nft_activate_next(ctx->net, set);
306 nft_trans_set(trans) = set;
307 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
312 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
316 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
320 nft_deactivate_next(ctx->net, set);
330 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
331 const struct nlattr *nla,
334 struct nft_table *table;
336 list_for_each_entry(table, &afi->tables, list) {
337 if (!nla_strcmp(nla, table->name) &&
338 nft_active_genmask(table, genmask))
344 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
345 const struct nlattr *nla,
348 struct nft_table *table;
351 return ERR_PTR(-EINVAL);
353 table = nft_table_lookup(afi, nla, genmask);
357 return ERR_PTR(-ENOENT);
360 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
362 return ++table->hgenerator;
365 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
367 static const struct nf_chain_type *
368 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
372 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
373 if (chain_type[family][i] != NULL &&
374 !nla_strcmp(nla, chain_type[family][i]->name))
375 return chain_type[family][i];
380 static const struct nf_chain_type *
381 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
382 const struct nlattr *nla,
385 const struct nf_chain_type *type;
387 type = __nf_tables_chain_type_lookup(afi->family, nla);
390 #ifdef CONFIG_MODULES
392 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
393 request_module("nft-chain-%u-%.*s", afi->family,
394 nla_len(nla), (const char *)nla_data(nla));
395 nfnl_lock(NFNL_SUBSYS_NFTABLES);
396 type = __nf_tables_chain_type_lookup(afi->family, nla);
398 return ERR_PTR(-EAGAIN);
401 return ERR_PTR(-ENOENT);
404 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
405 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
406 .len = NFT_TABLE_MAXNAMELEN - 1 },
407 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
410 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
411 u32 portid, u32 seq, int event, u32 flags,
412 int family, const struct nft_table *table)
414 struct nlmsghdr *nlh;
415 struct nfgenmsg *nfmsg;
417 event |= NFNL_SUBSYS_NFTABLES << 8;
418 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
420 goto nla_put_failure;
422 nfmsg = nlmsg_data(nlh);
423 nfmsg->nfgen_family = family;
424 nfmsg->version = NFNETLINK_V0;
425 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
427 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
428 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
429 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
430 goto nla_put_failure;
436 nlmsg_trim(skb, nlh);
440 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
446 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
450 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
454 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
455 event, 0, ctx->afi->family, ctx->table);
461 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
462 ctx->report, GFP_KERNEL);
465 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
471 static int nf_tables_dump_tables(struct sk_buff *skb,
472 struct netlink_callback *cb)
474 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
475 const struct nft_af_info *afi;
476 const struct nft_table *table;
477 unsigned int idx = 0, s_idx = cb->args[0];
478 struct net *net = sock_net(skb->sk);
479 int family = nfmsg->nfgen_family;
482 cb->seq = net->nft.base_seq;
484 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
485 if (family != NFPROTO_UNSPEC && family != afi->family)
488 list_for_each_entry_rcu(table, &afi->tables, list) {
492 memset(&cb->args[1], 0,
493 sizeof(cb->args) - sizeof(cb->args[0]));
494 if (!nft_is_active(net, table))
496 if (nf_tables_fill_table_info(skb, net,
497 NETLINK_CB(cb->skb).portid,
501 afi->family, table) < 0)
504 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
515 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
516 struct sk_buff *skb, const struct nlmsghdr *nlh,
517 const struct nlattr * const nla[])
519 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
520 u8 genmask = nft_genmask_cur(net);
521 const struct nft_af_info *afi;
522 const struct nft_table *table;
523 struct sk_buff *skb2;
524 int family = nfmsg->nfgen_family;
527 if (nlh->nlmsg_flags & NLM_F_DUMP) {
528 struct netlink_dump_control c = {
529 .dump = nf_tables_dump_tables,
531 return netlink_dump_start(nlsk, skb, nlh, &c);
534 afi = nf_tables_afinfo_lookup(net, family, false);
538 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
540 return PTR_ERR(table);
542 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
546 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
547 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
552 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
559 static int nf_tables_table_enable(struct net *net,
560 const struct nft_af_info *afi,
561 struct nft_table *table)
563 struct nft_chain *chain;
566 list_for_each_entry(chain, &table->chains, list) {
567 if (!nft_is_active_next(net, chain))
569 if (!(chain->flags & NFT_BASE_CHAIN))
572 err = nft_register_basechain(nft_base_chain(chain), afi->nops);
580 list_for_each_entry(chain, &table->chains, list) {
581 if (!nft_is_active_next(net, chain))
583 if (!(chain->flags & NFT_BASE_CHAIN))
589 nft_unregister_basechain(nft_base_chain(chain), afi->nops);
594 static void nf_tables_table_disable(struct net *net,
595 const struct nft_af_info *afi,
596 struct nft_table *table)
598 struct nft_chain *chain;
600 list_for_each_entry(chain, &table->chains, list) {
601 if (!nft_is_active_next(net, chain))
603 if (chain->flags & NFT_BASE_CHAIN)
604 nft_unregister_basechain(nft_base_chain(chain),
609 static int nf_tables_updtable(struct nft_ctx *ctx)
611 struct nft_trans *trans;
615 if (!ctx->nla[NFTA_TABLE_FLAGS])
618 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
619 if (flags & ~NFT_TABLE_F_DORMANT)
622 if (flags == ctx->table->flags)
625 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
626 sizeof(struct nft_trans_table));
630 if ((flags & NFT_TABLE_F_DORMANT) &&
631 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
632 nft_trans_table_enable(trans) = false;
633 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
634 ctx->table->flags & NFT_TABLE_F_DORMANT) {
635 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
637 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
638 nft_trans_table_enable(trans) = true;
644 nft_trans_table_update(trans) = true;
645 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
648 nft_trans_destroy(trans);
652 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
653 struct sk_buff *skb, const struct nlmsghdr *nlh,
654 const struct nlattr * const nla[])
656 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
657 u8 genmask = nft_genmask_next(net);
658 const struct nlattr *name;
659 struct nft_af_info *afi;
660 struct nft_table *table;
661 int family = nfmsg->nfgen_family;
666 afi = nf_tables_afinfo_lookup(net, family, true);
670 name = nla[NFTA_TABLE_NAME];
671 table = nf_tables_table_lookup(afi, name, genmask);
673 if (PTR_ERR(table) != -ENOENT)
674 return PTR_ERR(table);
679 if (nlh->nlmsg_flags & NLM_F_EXCL)
681 if (nlh->nlmsg_flags & NLM_F_REPLACE)
684 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
685 return nf_tables_updtable(&ctx);
688 if (nla[NFTA_TABLE_FLAGS]) {
689 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
690 if (flags & ~NFT_TABLE_F_DORMANT)
695 if (!try_module_get(afi->owner))
699 table = kzalloc(sizeof(*table), GFP_KERNEL);
703 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
704 INIT_LIST_HEAD(&table->chains);
705 INIT_LIST_HEAD(&table->sets);
706 table->flags = flags;
708 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
709 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
713 list_add_tail_rcu(&table->list, &afi->tables);
718 module_put(afi->owner);
723 static int nft_flush_table(struct nft_ctx *ctx)
726 struct nft_chain *chain, *nc;
727 struct nft_set *set, *ns;
729 list_for_each_entry(chain, &ctx->table->chains, list) {
730 if (!nft_is_active_next(ctx->net, chain))
735 err = nft_delrule_by_chain(ctx);
740 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
741 if (!nft_is_active_next(ctx->net, set))
744 if (set->flags & NFT_SET_ANONYMOUS &&
745 !list_empty(&set->bindings))
748 err = nft_delset(ctx, set);
753 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
754 if (!nft_is_active_next(ctx->net, chain))
759 err = nft_delchain(ctx);
764 err = nft_deltable(ctx);
769 static int nft_flush(struct nft_ctx *ctx, int family)
771 struct nft_af_info *afi;
772 struct nft_table *table, *nt;
773 const struct nlattr * const *nla = ctx->nla;
776 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
777 if (family != AF_UNSPEC && afi->family != family)
781 list_for_each_entry_safe(table, nt, &afi->tables, list) {
782 if (!nft_is_active_next(ctx->net, table))
785 if (nla[NFTA_TABLE_NAME] &&
786 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
791 err = nft_flush_table(ctx);
800 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
801 struct sk_buff *skb, const struct nlmsghdr *nlh,
802 const struct nlattr * const nla[])
804 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
805 u8 genmask = nft_genmask_next(net);
806 struct nft_af_info *afi;
807 struct nft_table *table;
808 int family = nfmsg->nfgen_family;
811 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
812 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
813 return nft_flush(&ctx, family);
815 afi = nf_tables_afinfo_lookup(net, family, false);
819 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
821 return PTR_ERR(table);
826 return nft_flush_table(&ctx);
829 static void nf_tables_table_destroy(struct nft_ctx *ctx)
831 BUG_ON(ctx->table->use > 0);
834 module_put(ctx->afi->owner);
837 int nft_register_chain_type(const struct nf_chain_type *ctype)
841 nfnl_lock(NFNL_SUBSYS_NFTABLES);
842 if (chain_type[ctype->family][ctype->type] != NULL) {
846 chain_type[ctype->family][ctype->type] = ctype;
848 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
851 EXPORT_SYMBOL_GPL(nft_register_chain_type);
853 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
855 nfnl_lock(NFNL_SUBSYS_NFTABLES);
856 chain_type[ctype->family][ctype->type] = NULL;
857 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
859 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
865 static struct nft_chain *
866 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
869 struct nft_chain *chain;
871 list_for_each_entry(chain, &table->chains, list) {
872 if (chain->handle == handle &&
873 nft_active_genmask(chain, genmask))
877 return ERR_PTR(-ENOENT);
880 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
881 const struct nlattr *nla,
884 struct nft_chain *chain;
887 return ERR_PTR(-EINVAL);
889 list_for_each_entry(chain, &table->chains, list) {
890 if (!nla_strcmp(nla, chain->name) &&
891 nft_active_genmask(chain, genmask))
895 return ERR_PTR(-ENOENT);
898 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
899 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
900 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
901 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
902 .len = NFT_CHAIN_MAXNAMELEN - 1 },
903 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
904 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
905 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
906 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
909 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
910 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
911 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
912 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
913 .len = IFNAMSIZ - 1 },
916 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
918 struct nft_stats *cpu_stats, total;
924 memset(&total, 0, sizeof(total));
925 for_each_possible_cpu(cpu) {
926 cpu_stats = per_cpu_ptr(stats, cpu);
928 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
929 pkts = cpu_stats->pkts;
930 bytes = cpu_stats->bytes;
931 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
933 total.bytes += bytes;
935 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
937 goto nla_put_failure;
939 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
941 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
943 goto nla_put_failure;
945 nla_nest_end(skb, nest);
952 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
953 u32 portid, u32 seq, int event, u32 flags,
954 int family, const struct nft_table *table,
955 const struct nft_chain *chain)
957 struct nlmsghdr *nlh;
958 struct nfgenmsg *nfmsg;
960 event |= NFNL_SUBSYS_NFTABLES << 8;
961 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
963 goto nla_put_failure;
965 nfmsg = nlmsg_data(nlh);
966 nfmsg->nfgen_family = family;
967 nfmsg->version = NFNETLINK_V0;
968 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
970 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
971 goto nla_put_failure;
972 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
974 goto nla_put_failure;
975 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
976 goto nla_put_failure;
978 if (chain->flags & NFT_BASE_CHAIN) {
979 const struct nft_base_chain *basechain = nft_base_chain(chain);
980 const struct nf_hook_ops *ops = &basechain->ops[0];
983 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
985 goto nla_put_failure;
986 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
987 goto nla_put_failure;
988 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
989 goto nla_put_failure;
990 if (basechain->dev_name[0] &&
991 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
992 goto nla_put_failure;
993 nla_nest_end(skb, nest);
995 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
996 htonl(basechain->policy)))
997 goto nla_put_failure;
999 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1000 goto nla_put_failure;
1002 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
1003 goto nla_put_failure;
1006 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1007 goto nla_put_failure;
1009 nlmsg_end(skb, nlh);
1013 nlmsg_trim(skb, nlh);
1017 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1019 struct sk_buff *skb;
1023 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1027 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1031 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1032 event, 0, ctx->afi->family, ctx->table,
1039 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1040 ctx->report, GFP_KERNEL);
1043 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1049 static int nf_tables_dump_chains(struct sk_buff *skb,
1050 struct netlink_callback *cb)
1052 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1053 const struct nft_af_info *afi;
1054 const struct nft_table *table;
1055 const struct nft_chain *chain;
1056 unsigned int idx = 0, s_idx = cb->args[0];
1057 struct net *net = sock_net(skb->sk);
1058 int family = nfmsg->nfgen_family;
1061 cb->seq = net->nft.base_seq;
1063 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1064 if (family != NFPROTO_UNSPEC && family != afi->family)
1067 list_for_each_entry_rcu(table, &afi->tables, list) {
1068 list_for_each_entry_rcu(chain, &table->chains, list) {
1072 memset(&cb->args[1], 0,
1073 sizeof(cb->args) - sizeof(cb->args[0]));
1074 if (!nft_is_active(net, chain))
1076 if (nf_tables_fill_chain_info(skb, net,
1077 NETLINK_CB(cb->skb).portid,
1081 afi->family, table, chain) < 0)
1084 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1096 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1097 struct sk_buff *skb, const struct nlmsghdr *nlh,
1098 const struct nlattr * const nla[])
1100 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1101 u8 genmask = nft_genmask_cur(net);
1102 const struct nft_af_info *afi;
1103 const struct nft_table *table;
1104 const struct nft_chain *chain;
1105 struct sk_buff *skb2;
1106 int family = nfmsg->nfgen_family;
1109 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1110 struct netlink_dump_control c = {
1111 .dump = nf_tables_dump_chains,
1113 return netlink_dump_start(nlsk, skb, nlh, &c);
1116 afi = nf_tables_afinfo_lookup(net, family, false);
1118 return PTR_ERR(afi);
1120 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1122 return PTR_ERR(table);
1124 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1126 return PTR_ERR(chain);
1128 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1132 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1133 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1134 family, table, chain);
1138 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1145 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1146 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1147 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1150 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1152 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1153 struct nft_stats __percpu *newstats;
1154 struct nft_stats *stats;
1157 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1159 return ERR_PTR(err);
1161 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1162 return ERR_PTR(-EINVAL);
1164 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1165 if (newstats == NULL)
1166 return ERR_PTR(-ENOMEM);
1168 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1169 * are not exposed to userspace.
1172 stats = this_cpu_ptr(newstats);
1173 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1174 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1180 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1181 struct nft_stats __percpu *newstats)
1183 if (newstats == NULL)
1187 struct nft_stats __percpu *oldstats =
1188 nft_dereference(chain->stats);
1190 rcu_assign_pointer(chain->stats, newstats);
1192 free_percpu(oldstats);
1194 rcu_assign_pointer(chain->stats, newstats);
1197 static void nf_tables_chain_destroy(struct nft_chain *chain)
1199 BUG_ON(chain->use > 0);
1201 if (chain->flags & NFT_BASE_CHAIN) {
1202 struct nft_base_chain *basechain = nft_base_chain(chain);
1204 module_put(basechain->type->owner);
1205 free_percpu(basechain->stats);
1206 if (basechain->ops[0].dev != NULL)
1207 dev_put(basechain->ops[0].dev);
1214 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1215 struct sk_buff *skb, const struct nlmsghdr *nlh,
1216 const struct nlattr * const nla[])
1218 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1219 const struct nlattr * uninitialized_var(name);
1220 struct nft_af_info *afi;
1221 struct nft_table *table;
1222 struct nft_chain *chain;
1223 struct nft_base_chain *basechain = NULL;
1224 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1225 u8 genmask = nft_genmask_next(net);
1226 int family = nfmsg->nfgen_family;
1227 struct net_device *dev = NULL;
1228 u8 policy = NF_ACCEPT;
1231 struct nft_stats __percpu *stats;
1236 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1238 afi = nf_tables_afinfo_lookup(net, family, true);
1240 return PTR_ERR(afi);
1242 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1244 return PTR_ERR(table);
1247 name = nla[NFTA_CHAIN_NAME];
1249 if (nla[NFTA_CHAIN_HANDLE]) {
1250 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1251 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1253 return PTR_ERR(chain);
1255 chain = nf_tables_chain_lookup(table, name, genmask);
1256 if (IS_ERR(chain)) {
1257 if (PTR_ERR(chain) != -ENOENT)
1258 return PTR_ERR(chain);
1263 if (nla[NFTA_CHAIN_POLICY]) {
1264 if ((chain != NULL &&
1265 !(chain->flags & NFT_BASE_CHAIN)))
1268 if (chain == NULL &&
1269 nla[NFTA_CHAIN_HOOK] == NULL)
1272 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1282 if (chain != NULL) {
1283 struct nft_stats *stats = NULL;
1284 struct nft_trans *trans;
1286 if (nlh->nlmsg_flags & NLM_F_EXCL)
1288 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1291 if (nla[NFTA_CHAIN_HANDLE] && name) {
1292 struct nft_chain *chain2;
1294 chain2 = nf_tables_chain_lookup(table,
1295 nla[NFTA_CHAIN_NAME],
1298 return PTR_ERR(chain2);
1301 if (nla[NFTA_CHAIN_COUNTERS]) {
1302 if (!(chain->flags & NFT_BASE_CHAIN))
1305 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1307 return PTR_ERR(stats);
1310 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1311 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1312 sizeof(struct nft_trans_chain));
1313 if (trans == NULL) {
1318 nft_trans_chain_stats(trans) = stats;
1319 nft_trans_chain_update(trans) = true;
1321 if (nla[NFTA_CHAIN_POLICY])
1322 nft_trans_chain_policy(trans) = policy;
1324 nft_trans_chain_policy(trans) = -1;
1326 if (nla[NFTA_CHAIN_HANDLE] && name) {
1327 nla_strlcpy(nft_trans_chain_name(trans), name,
1328 NFT_CHAIN_MAXNAMELEN);
1330 list_add_tail(&trans->list, &net->nft.commit_list);
1334 if (table->use == UINT_MAX)
1337 if (nla[NFTA_CHAIN_HOOK]) {
1338 const struct nf_chain_type *type;
1339 struct nf_hook_ops *ops;
1341 u32 hooknum, priority;
1343 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1344 if (nla[NFTA_CHAIN_TYPE]) {
1345 type = nf_tables_chain_type_lookup(afi,
1346 nla[NFTA_CHAIN_TYPE],
1349 return PTR_ERR(type);
1352 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1356 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1357 ha[NFTA_HOOK_PRIORITY] == NULL)
1360 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1361 if (hooknum >= afi->nhooks)
1363 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1365 if (!(type->hook_mask & (1 << hooknum)))
1367 if (!try_module_get(type->owner))
1369 hookfn = type->hooks[hooknum];
1371 if (afi->flags & NFT_AF_NEEDS_DEV) {
1372 char ifname[IFNAMSIZ];
1374 if (!ha[NFTA_HOOK_DEV]) {
1375 module_put(type->owner);
1379 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1380 dev = dev_get_by_name(net, ifname);
1382 module_put(type->owner);
1385 } else if (ha[NFTA_HOOK_DEV]) {
1386 module_put(type->owner);
1390 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1391 if (basechain == NULL) {
1392 module_put(type->owner);
1399 strncpy(basechain->dev_name, dev->name, IFNAMSIZ);
1401 if (nla[NFTA_CHAIN_COUNTERS]) {
1402 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1403 if (IS_ERR(stats)) {
1404 module_put(type->owner);
1408 return PTR_ERR(stats);
1410 basechain->stats = stats;
1412 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1413 if (stats == NULL) {
1414 module_put(type->owner);
1420 rcu_assign_pointer(basechain->stats, stats);
1423 write_pnet(&basechain->pnet, net);
1424 basechain->type = type;
1425 chain = &basechain->chain;
1427 for (i = 0; i < afi->nops; i++) {
1428 ops = &basechain->ops[i];
1430 ops->hooknum = hooknum;
1431 ops->priority = priority;
1433 ops->hook = afi->hooks[ops->hooknum];
1437 if (afi->hook_ops_init)
1438 afi->hook_ops_init(ops, i);
1441 chain->flags |= NFT_BASE_CHAIN;
1442 basechain->policy = policy;
1444 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1449 INIT_LIST_HEAD(&chain->rules);
1450 chain->handle = nf_tables_alloc_handle(table);
1451 chain->table = table;
1452 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1454 err = nf_tables_register_hooks(table, chain, afi->nops);
1458 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1459 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1464 list_add_tail_rcu(&chain->list, &table->chains);
1467 nf_tables_unregister_hooks(table, chain, afi->nops);
1469 nf_tables_chain_destroy(chain);
1473 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1474 struct sk_buff *skb, const struct nlmsghdr *nlh,
1475 const struct nlattr * const nla[])
1477 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1478 u8 genmask = nft_genmask_next(net);
1479 struct nft_af_info *afi;
1480 struct nft_table *table;
1481 struct nft_chain *chain;
1482 int family = nfmsg->nfgen_family;
1485 afi = nf_tables_afinfo_lookup(net, family, false);
1487 return PTR_ERR(afi);
1489 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1491 return PTR_ERR(table);
1493 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1495 return PTR_ERR(chain);
1499 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1501 return nft_delchain(&ctx);
1509 * nft_register_expr - register nf_tables expr type
1512 * Registers the expr type for use with nf_tables. Returns zero on
1513 * success or a negative errno code otherwise.
1515 int nft_register_expr(struct nft_expr_type *type)
1517 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1518 if (type->family == NFPROTO_UNSPEC)
1519 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1521 list_add_rcu(&type->list, &nf_tables_expressions);
1522 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1525 EXPORT_SYMBOL_GPL(nft_register_expr);
1528 * nft_unregister_expr - unregister nf_tables expr type
1531 * Unregisters the expr typefor use with nf_tables.
1533 void nft_unregister_expr(struct nft_expr_type *type)
1535 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1536 list_del_rcu(&type->list);
1537 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1539 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1541 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1544 const struct nft_expr_type *type;
1546 list_for_each_entry(type, &nf_tables_expressions, list) {
1547 if (!nla_strcmp(nla, type->name) &&
1548 (!type->family || type->family == family))
1554 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1557 const struct nft_expr_type *type;
1560 return ERR_PTR(-EINVAL);
1562 type = __nft_expr_type_get(family, nla);
1563 if (type != NULL && try_module_get(type->owner))
1566 #ifdef CONFIG_MODULES
1568 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1569 request_module("nft-expr-%u-%.*s", family,
1570 nla_len(nla), (char *)nla_data(nla));
1571 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1572 if (__nft_expr_type_get(family, nla))
1573 return ERR_PTR(-EAGAIN);
1575 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1576 request_module("nft-expr-%.*s",
1577 nla_len(nla), (char *)nla_data(nla));
1578 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1579 if (__nft_expr_type_get(family, nla))
1580 return ERR_PTR(-EAGAIN);
1583 return ERR_PTR(-ENOENT);
1586 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1587 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1588 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1591 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1592 const struct nft_expr *expr)
1594 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1595 goto nla_put_failure;
1597 if (expr->ops->dump) {
1598 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1600 goto nla_put_failure;
1601 if (expr->ops->dump(skb, expr) < 0)
1602 goto nla_put_failure;
1603 nla_nest_end(skb, data);
1612 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1613 const struct nft_expr *expr)
1615 struct nlattr *nest;
1617 nest = nla_nest_start(skb, attr);
1619 goto nla_put_failure;
1620 if (nf_tables_fill_expr_info(skb, expr) < 0)
1621 goto nla_put_failure;
1622 nla_nest_end(skb, nest);
1629 struct nft_expr_info {
1630 const struct nft_expr_ops *ops;
1631 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1634 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1635 const struct nlattr *nla,
1636 struct nft_expr_info *info)
1638 const struct nft_expr_type *type;
1639 const struct nft_expr_ops *ops;
1640 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1643 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1647 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1649 return PTR_ERR(type);
1651 if (tb[NFTA_EXPR_DATA]) {
1652 err = nla_parse_nested(info->tb, type->maxattr,
1653 tb[NFTA_EXPR_DATA], type->policy);
1657 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1659 if (type->select_ops != NULL) {
1660 ops = type->select_ops(ctx,
1661 (const struct nlattr * const *)info->tb);
1673 module_put(type->owner);
1677 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1678 const struct nft_expr_info *info,
1679 struct nft_expr *expr)
1681 const struct nft_expr_ops *ops = info->ops;
1686 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1698 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1699 struct nft_expr *expr)
1701 if (expr->ops->destroy)
1702 expr->ops->destroy(ctx, expr);
1703 module_put(expr->ops->type->owner);
1706 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1707 const struct nlattr *nla)
1709 struct nft_expr_info info;
1710 struct nft_expr *expr;
1713 err = nf_tables_expr_parse(ctx, nla, &info);
1718 expr = kzalloc(info.ops->size, GFP_KERNEL);
1722 err = nf_tables_newexpr(ctx, &info, expr);
1728 module_put(info.ops->type->owner);
1730 return ERR_PTR(err);
1733 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1735 nf_tables_expr_destroy(ctx, expr);
1743 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1746 struct nft_rule *rule;
1748 // FIXME: this sucks
1749 list_for_each_entry(rule, &chain->rules, list) {
1750 if (handle == rule->handle)
1754 return ERR_PTR(-ENOENT);
1757 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1758 const struct nlattr *nla)
1761 return ERR_PTR(-EINVAL);
1763 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1766 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1767 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1768 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1769 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1770 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1771 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1772 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1773 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1774 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1775 .len = NFT_USERDATA_MAXLEN },
1778 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1779 u32 portid, u32 seq, int event,
1780 u32 flags, int family,
1781 const struct nft_table *table,
1782 const struct nft_chain *chain,
1783 const struct nft_rule *rule)
1785 struct nlmsghdr *nlh;
1786 struct nfgenmsg *nfmsg;
1787 const struct nft_expr *expr, *next;
1788 struct nlattr *list;
1789 const struct nft_rule *prule;
1790 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1792 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1795 goto nla_put_failure;
1797 nfmsg = nlmsg_data(nlh);
1798 nfmsg->nfgen_family = family;
1799 nfmsg->version = NFNETLINK_V0;
1800 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1802 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1803 goto nla_put_failure;
1804 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1805 goto nla_put_failure;
1806 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1808 goto nla_put_failure;
1810 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1811 prule = list_entry(rule->list.prev, struct nft_rule, list);
1812 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1813 cpu_to_be64(prule->handle),
1815 goto nla_put_failure;
1818 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1820 goto nla_put_failure;
1821 nft_rule_for_each_expr(expr, next, rule) {
1822 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1823 goto nla_put_failure;
1825 nla_nest_end(skb, list);
1828 struct nft_userdata *udata = nft_userdata(rule);
1829 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1831 goto nla_put_failure;
1834 nlmsg_end(skb, nlh);
1838 nlmsg_trim(skb, nlh);
1842 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1843 const struct nft_rule *rule,
1846 struct sk_buff *skb;
1850 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1854 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1858 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1859 event, 0, ctx->afi->family, ctx->table,
1866 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1867 ctx->report, GFP_KERNEL);
1870 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1876 static int nf_tables_dump_rules(struct sk_buff *skb,
1877 struct netlink_callback *cb)
1879 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1880 const struct nft_af_info *afi;
1881 const struct nft_table *table;
1882 const struct nft_chain *chain;
1883 const struct nft_rule *rule;
1884 unsigned int idx = 0, s_idx = cb->args[0];
1885 struct net *net = sock_net(skb->sk);
1886 int family = nfmsg->nfgen_family;
1889 cb->seq = net->nft.base_seq;
1891 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1892 if (family != NFPROTO_UNSPEC && family != afi->family)
1895 list_for_each_entry_rcu(table, &afi->tables, list) {
1896 list_for_each_entry_rcu(chain, &table->chains, list) {
1897 list_for_each_entry_rcu(rule, &chain->rules, list) {
1898 if (!nft_is_active(net, rule))
1903 memset(&cb->args[1], 0,
1904 sizeof(cb->args) - sizeof(cb->args[0]));
1905 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1908 NLM_F_MULTI | NLM_F_APPEND,
1909 afi->family, table, chain, rule) < 0)
1912 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1926 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
1927 struct sk_buff *skb, const struct nlmsghdr *nlh,
1928 const struct nlattr * const nla[])
1930 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1931 u8 genmask = nft_genmask_cur(net);
1932 const struct nft_af_info *afi;
1933 const struct nft_table *table;
1934 const struct nft_chain *chain;
1935 const struct nft_rule *rule;
1936 struct sk_buff *skb2;
1937 int family = nfmsg->nfgen_family;
1940 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1941 struct netlink_dump_control c = {
1942 .dump = nf_tables_dump_rules,
1944 return netlink_dump_start(nlsk, skb, nlh, &c);
1947 afi = nf_tables_afinfo_lookup(net, family, false);
1949 return PTR_ERR(afi);
1951 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
1953 return PTR_ERR(table);
1955 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
1957 return PTR_ERR(chain);
1959 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1961 return PTR_ERR(rule);
1963 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1967 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
1968 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1969 family, table, chain, rule);
1973 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1980 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1981 struct nft_rule *rule)
1983 struct nft_expr *expr;
1986 * Careful: some expressions might not be initialized in case this
1987 * is called on error from nf_tables_newrule().
1989 expr = nft_expr_first(rule);
1990 while (expr->ops && expr != nft_expr_last(rule)) {
1991 nf_tables_expr_destroy(ctx, expr);
1992 expr = nft_expr_next(expr);
1997 #define NFT_RULE_MAXEXPRS 128
1999 static struct nft_expr_info *info;
2001 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2002 struct sk_buff *skb, const struct nlmsghdr *nlh,
2003 const struct nlattr * const nla[])
2005 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2006 u8 genmask = nft_genmask_next(net);
2007 struct nft_af_info *afi;
2008 struct nft_table *table;
2009 struct nft_chain *chain;
2010 struct nft_rule *rule, *old_rule = NULL;
2011 struct nft_userdata *udata;
2012 struct nft_trans *trans = NULL;
2013 struct nft_expr *expr;
2016 unsigned int size, i, n, ulen = 0, usize = 0;
2019 u64 handle, pos_handle;
2021 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2023 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2025 return PTR_ERR(afi);
2027 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2029 return PTR_ERR(table);
2031 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2033 return PTR_ERR(chain);
2035 if (nla[NFTA_RULE_HANDLE]) {
2036 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2037 rule = __nf_tables_rule_lookup(chain, handle);
2039 return PTR_ERR(rule);
2041 if (nlh->nlmsg_flags & NLM_F_EXCL)
2043 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2048 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2050 handle = nf_tables_alloc_handle(table);
2052 if (chain->use == UINT_MAX)
2056 if (nla[NFTA_RULE_POSITION]) {
2057 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2060 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2061 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2062 if (IS_ERR(old_rule))
2063 return PTR_ERR(old_rule);
2066 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2070 if (nla[NFTA_RULE_EXPRESSIONS]) {
2071 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2073 if (nla_type(tmp) != NFTA_LIST_ELEM)
2075 if (n == NFT_RULE_MAXEXPRS)
2077 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2080 size += info[n].ops->size;
2084 /* Check for overflow of dlen field */
2086 if (size >= 1 << 12)
2089 if (nla[NFTA_RULE_USERDATA]) {
2090 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2092 usize = sizeof(struct nft_userdata) + ulen;
2096 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2100 nft_activate_next(net, rule);
2102 rule->handle = handle;
2104 rule->udata = ulen ? 1 : 0;
2107 udata = nft_userdata(rule);
2108 udata->len = ulen - 1;
2109 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2112 expr = nft_expr_first(rule);
2113 for (i = 0; i < n; i++) {
2114 err = nf_tables_newexpr(&ctx, &info[i], expr);
2118 expr = nft_expr_next(expr);
2121 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2122 if (nft_is_active_next(net, old_rule)) {
2123 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2125 if (trans == NULL) {
2129 nft_deactivate_next(net, old_rule);
2131 list_add_tail_rcu(&rule->list, &old_rule->list);
2136 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2138 list_add_rcu(&rule->list, &old_rule->list);
2140 list_add_tail_rcu(&rule->list, &chain->rules);
2143 list_add_tail_rcu(&rule->list, &old_rule->list);
2145 list_add_rcu(&rule->list, &chain->rules);
2148 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2156 list_del_rcu(&rule->list);
2158 nf_tables_rule_destroy(&ctx, rule);
2160 for (i = 0; i < n; i++) {
2161 if (info[i].ops != NULL)
2162 module_put(info[i].ops->type->owner);
2167 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2168 struct sk_buff *skb, const struct nlmsghdr *nlh,
2169 const struct nlattr * const nla[])
2171 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2172 u8 genmask = nft_genmask_next(net);
2173 struct nft_af_info *afi;
2174 struct nft_table *table;
2175 struct nft_chain *chain = NULL;
2176 struct nft_rule *rule;
2177 int family = nfmsg->nfgen_family, err = 0;
2180 afi = nf_tables_afinfo_lookup(net, family, false);
2182 return PTR_ERR(afi);
2184 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2186 return PTR_ERR(table);
2188 if (nla[NFTA_RULE_CHAIN]) {
2189 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2192 return PTR_ERR(chain);
2195 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2198 if (nla[NFTA_RULE_HANDLE]) {
2199 rule = nf_tables_rule_lookup(chain,
2200 nla[NFTA_RULE_HANDLE]);
2202 return PTR_ERR(rule);
2204 err = nft_delrule(&ctx, rule);
2206 err = nft_delrule_by_chain(&ctx);
2209 list_for_each_entry(chain, &table->chains, list) {
2210 if (!nft_is_active_next(net, chain))
2214 err = nft_delrule_by_chain(&ctx);
2227 static LIST_HEAD(nf_tables_set_ops);
2229 int nft_register_set(struct nft_set_ops *ops)
2231 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2232 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2233 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2236 EXPORT_SYMBOL_GPL(nft_register_set);
2238 void nft_unregister_set(struct nft_set_ops *ops)
2240 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2241 list_del_rcu(&ops->list);
2242 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2244 EXPORT_SYMBOL_GPL(nft_unregister_set);
2247 * Select a set implementation based on the data characteristics and the
2248 * given policy. The total memory use might not be known if no size is
2249 * given, in that case the amount of memory per element is used.
2251 static const struct nft_set_ops *
2252 nft_select_set_ops(const struct nlattr * const nla[],
2253 const struct nft_set_desc *desc,
2254 enum nft_set_policies policy)
2256 const struct nft_set_ops *ops, *bops;
2257 struct nft_set_estimate est, best;
2260 #ifdef CONFIG_MODULES
2261 if (list_empty(&nf_tables_set_ops)) {
2262 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2263 request_module("nft-set");
2264 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2265 if (!list_empty(&nf_tables_set_ops))
2266 return ERR_PTR(-EAGAIN);
2270 if (nla[NFTA_SET_FLAGS] != NULL) {
2271 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2272 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2279 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2280 if ((ops->features & features) != features)
2282 if (!ops->estimate(desc, features, &est))
2286 case NFT_SET_POL_PERFORMANCE:
2287 if (est.class < best.class)
2289 if (est.class == best.class && est.size < best.size)
2292 case NFT_SET_POL_MEMORY:
2293 if (est.size < best.size)
2295 if (est.size == best.size && est.class < best.class)
2302 if (!try_module_get(ops->owner))
2305 module_put(bops->owner);
2314 return ERR_PTR(-EOPNOTSUPP);
2317 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2318 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2319 [NFTA_SET_NAME] = { .type = NLA_STRING,
2320 .len = NFT_SET_MAXNAMELEN - 1 },
2321 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2322 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2323 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2324 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2325 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2326 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2327 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2328 [NFTA_SET_ID] = { .type = NLA_U32 },
2329 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2330 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2331 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2332 .len = NFT_USERDATA_MAXLEN },
2335 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2336 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2339 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2340 const struct sk_buff *skb,
2341 const struct nlmsghdr *nlh,
2342 const struct nlattr * const nla[],
2345 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2346 struct nft_af_info *afi = NULL;
2347 struct nft_table *table = NULL;
2349 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2350 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2352 return PTR_ERR(afi);
2355 if (nla[NFTA_SET_TABLE] != NULL) {
2357 return -EAFNOSUPPORT;
2359 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2362 return PTR_ERR(table);
2365 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2369 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2370 const struct nlattr *nla, u8 genmask)
2372 struct nft_set *set;
2375 return ERR_PTR(-EINVAL);
2377 list_for_each_entry(set, &table->sets, list) {
2378 if (!nla_strcmp(nla, set->name) &&
2379 nft_active_genmask(set, genmask))
2382 return ERR_PTR(-ENOENT);
2385 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2386 const struct nlattr *nla,
2389 struct nft_trans *trans;
2390 u32 id = ntohl(nla_get_be32(nla));
2392 list_for_each_entry(trans, &net->nft.commit_list, list) {
2393 struct nft_set *set = nft_trans_set(trans);
2395 if (trans->msg_type == NFT_MSG_NEWSET &&
2396 id == nft_trans_set_id(trans) &&
2397 nft_active_genmask(set, genmask))
2400 return ERR_PTR(-ENOENT);
2403 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2406 const struct nft_set *i;
2408 unsigned long *inuse;
2409 unsigned int n = 0, min = 0;
2411 p = strnchr(name, NFT_SET_MAXNAMELEN, '%');
2413 if (p[1] != 'd' || strchr(p + 2, '%'))
2416 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2420 list_for_each_entry(i, &ctx->table->sets, list) {
2423 if (!nft_is_active_next(ctx->net, set))
2425 if (!sscanf(i->name, name, &tmp))
2427 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2430 set_bit(tmp - min, inuse);
2433 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2434 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2435 min += BITS_PER_BYTE * PAGE_SIZE;
2436 memset(inuse, 0, PAGE_SIZE);
2439 free_page((unsigned long)inuse);
2442 snprintf(set->name, sizeof(set->name), name, min + n);
2443 list_for_each_entry(i, &ctx->table->sets, list) {
2444 if (!nft_is_active_next(ctx->net, i))
2446 if (!strcmp(set->name, i->name))
2452 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2453 const struct nft_set *set, u16 event, u16 flags)
2455 struct nfgenmsg *nfmsg;
2456 struct nlmsghdr *nlh;
2457 struct nlattr *desc;
2458 u32 portid = ctx->portid;
2461 event |= NFNL_SUBSYS_NFTABLES << 8;
2462 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2465 goto nla_put_failure;
2467 nfmsg = nlmsg_data(nlh);
2468 nfmsg->nfgen_family = ctx->afi->family;
2469 nfmsg->version = NFNETLINK_V0;
2470 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2472 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2473 goto nla_put_failure;
2474 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2475 goto nla_put_failure;
2476 if (set->flags != 0)
2477 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2478 goto nla_put_failure;
2480 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2481 goto nla_put_failure;
2482 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2483 goto nla_put_failure;
2484 if (set->flags & NFT_SET_MAP) {
2485 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2486 goto nla_put_failure;
2487 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2488 goto nla_put_failure;
2492 nla_put_be64(skb, NFTA_SET_TIMEOUT, cpu_to_be64(set->timeout),
2494 goto nla_put_failure;
2496 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2497 goto nla_put_failure;
2499 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2500 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2501 goto nla_put_failure;
2504 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2505 goto nla_put_failure;
2507 desc = nla_nest_start(skb, NFTA_SET_DESC);
2509 goto nla_put_failure;
2511 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2512 goto nla_put_failure;
2513 nla_nest_end(skb, desc);
2515 nlmsg_end(skb, nlh);
2519 nlmsg_trim(skb, nlh);
2523 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2524 const struct nft_set *set,
2525 int event, gfp_t gfp_flags)
2527 struct sk_buff *skb;
2528 u32 portid = ctx->portid;
2532 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2536 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2540 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2546 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2547 ctx->report, gfp_flags);
2550 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2554 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2556 const struct nft_set *set;
2557 unsigned int idx, s_idx = cb->args[0];
2558 struct nft_af_info *afi;
2559 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2560 struct net *net = sock_net(skb->sk);
2561 int cur_family = cb->args[3];
2562 struct nft_ctx *ctx = cb->data, ctx_set;
2568 cb->seq = net->nft.base_seq;
2570 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2571 if (ctx->afi && ctx->afi != afi)
2575 if (afi->family != cur_family)
2580 list_for_each_entry_rcu(table, &afi->tables, list) {
2581 if (ctx->table && ctx->table != table)
2585 if (cur_table != table)
2591 list_for_each_entry_rcu(set, &table->sets, list) {
2594 if (!nft_is_active(net, set))
2598 ctx_set.table = table;
2600 if (nf_tables_fill_set(skb, &ctx_set, set,
2604 cb->args[2] = (unsigned long) table;
2605 cb->args[3] = afi->family;
2608 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2622 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2628 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2629 struct sk_buff *skb, const struct nlmsghdr *nlh,
2630 const struct nlattr * const nla[])
2632 u8 genmask = nft_genmask_cur(net);
2633 const struct nft_set *set;
2635 struct sk_buff *skb2;
2636 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2639 /* Verify existence before starting dump */
2640 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2644 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2645 struct netlink_dump_control c = {
2646 .dump = nf_tables_dump_sets,
2647 .done = nf_tables_dump_sets_done,
2649 struct nft_ctx *ctx_dump;
2651 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2652 if (ctx_dump == NULL)
2658 return netlink_dump_start(nlsk, skb, nlh, &c);
2661 /* Only accept unspec with dump */
2662 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2663 return -EAFNOSUPPORT;
2665 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2667 return PTR_ERR(set);
2669 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2673 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2677 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2684 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2685 struct nft_set_desc *desc,
2686 const struct nlattr *nla)
2688 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2691 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2695 if (da[NFTA_SET_DESC_SIZE] != NULL)
2696 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2701 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2702 struct sk_buff *skb, const struct nlmsghdr *nlh,
2703 const struct nlattr * const nla[])
2705 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2706 u8 genmask = nft_genmask_next(net);
2707 const struct nft_set_ops *ops;
2708 struct nft_af_info *afi;
2709 struct nft_table *table;
2710 struct nft_set *set;
2712 char name[NFT_SET_MAXNAMELEN];
2716 u32 ktype, dtype, flags, policy, gc_int;
2717 struct nft_set_desc desc;
2718 unsigned char *udata;
2722 if (nla[NFTA_SET_TABLE] == NULL ||
2723 nla[NFTA_SET_NAME] == NULL ||
2724 nla[NFTA_SET_KEY_LEN] == NULL ||
2725 nla[NFTA_SET_ID] == NULL)
2728 memset(&desc, 0, sizeof(desc));
2730 ktype = NFT_DATA_VALUE;
2731 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2732 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2733 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2737 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2738 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2742 if (nla[NFTA_SET_FLAGS] != NULL) {
2743 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2744 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2745 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2746 NFT_SET_MAP | NFT_SET_EVAL))
2748 /* Only one of both operations is supported */
2749 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2750 (NFT_SET_MAP | NFT_SET_EVAL))
2755 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2756 if (!(flags & NFT_SET_MAP))
2759 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2760 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2761 dtype != NFT_DATA_VERDICT)
2764 if (dtype != NFT_DATA_VERDICT) {
2765 if (nla[NFTA_SET_DATA_LEN] == NULL)
2767 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2768 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2771 desc.dlen = sizeof(struct nft_verdict);
2772 } else if (flags & NFT_SET_MAP)
2776 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2777 if (!(flags & NFT_SET_TIMEOUT))
2779 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_TIMEOUT]));
2782 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2783 if (!(flags & NFT_SET_TIMEOUT))
2785 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2788 policy = NFT_SET_POL_PERFORMANCE;
2789 if (nla[NFTA_SET_POLICY] != NULL)
2790 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2792 if (nla[NFTA_SET_DESC] != NULL) {
2793 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2798 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2800 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2802 return PTR_ERR(afi);
2804 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
2806 return PTR_ERR(table);
2808 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2810 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
2812 if (PTR_ERR(set) != -ENOENT)
2813 return PTR_ERR(set);
2818 if (nlh->nlmsg_flags & NLM_F_EXCL)
2820 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2825 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2828 ops = nft_select_set_ops(nla, &desc, policy);
2830 return PTR_ERR(ops);
2833 if (nla[NFTA_SET_USERDATA])
2834 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2837 if (ops->privsize != NULL)
2838 size = ops->privsize(nla);
2841 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2845 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2846 err = nf_tables_set_alloc_name(&ctx, set, name);
2852 udata = set->data + size;
2853 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2856 INIT_LIST_HEAD(&set->bindings);
2857 write_pnet(&set->pnet, net);
2860 set->klen = desc.klen;
2862 set->dlen = desc.dlen;
2864 set->size = desc.size;
2865 set->policy = policy;
2868 set->timeout = timeout;
2869 set->gc_int = gc_int;
2871 err = ops->init(set, &desc, nla);
2875 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2879 list_add_tail_rcu(&set->list, &table->sets);
2886 module_put(ops->owner);
2890 static void nft_set_destroy(struct nft_set *set)
2892 set->ops->destroy(set);
2893 module_put(set->ops->owner);
2897 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2899 list_del_rcu(&set->list);
2900 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2901 nft_set_destroy(set);
2904 static int nf_tables_delset(struct net *net, struct sock *nlsk,
2905 struct sk_buff *skb, const struct nlmsghdr *nlh,
2906 const struct nlattr * const nla[])
2908 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2909 u8 genmask = nft_genmask_next(net);
2910 struct nft_set *set;
2914 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2915 return -EAFNOSUPPORT;
2916 if (nla[NFTA_SET_TABLE] == NULL)
2919 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2923 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2925 return PTR_ERR(set);
2926 if (!list_empty(&set->bindings))
2929 return nft_delset(&ctx, set);
2932 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2933 const struct nft_set *set,
2934 const struct nft_set_iter *iter,
2935 const struct nft_set_elem *elem)
2937 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
2938 enum nft_registers dreg;
2940 dreg = nft_type_to_reg(set->dtype);
2941 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
2942 set->dtype == NFT_DATA_VERDICT ?
2943 NFT_DATA_VERDICT : NFT_DATA_VALUE,
2947 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2948 struct nft_set_binding *binding)
2950 struct nft_set_binding *i;
2951 struct nft_set_iter iter;
2953 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2956 if (binding->flags & NFT_SET_MAP) {
2957 /* If the set is already bound to the same chain all
2958 * jumps are already validated for that chain.
2960 list_for_each_entry(i, &set->bindings, list) {
2961 if (binding->flags & NFT_SET_MAP &&
2962 i->chain == binding->chain)
2969 iter.fn = nf_tables_bind_check_setelem;
2971 set->ops->walk(ctx, set, &iter);
2973 /* Destroy anonymous sets if binding fails */
2974 if (set->flags & NFT_SET_ANONYMOUS)
2975 nf_tables_set_destroy(ctx, set);
2981 binding->chain = ctx->chain;
2982 list_add_tail_rcu(&binding->list, &set->bindings);
2986 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2987 struct nft_set_binding *binding)
2989 list_del_rcu(&binding->list);
2991 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2992 nft_is_active(ctx->net, set))
2993 nf_tables_set_destroy(ctx, set);
2996 const struct nft_set_ext_type nft_set_ext_types[] = {
2997 [NFT_SET_EXT_KEY] = {
2998 .align = __alignof__(u32),
3000 [NFT_SET_EXT_DATA] = {
3001 .align = __alignof__(u32),
3003 [NFT_SET_EXT_EXPR] = {
3004 .align = __alignof__(struct nft_expr),
3006 [NFT_SET_EXT_FLAGS] = {
3008 .align = __alignof__(u8),
3010 [NFT_SET_EXT_TIMEOUT] = {
3012 .align = __alignof__(u64),
3014 [NFT_SET_EXT_EXPIRATION] = {
3015 .len = sizeof(unsigned long),
3016 .align = __alignof__(unsigned long),
3018 [NFT_SET_EXT_USERDATA] = {
3019 .len = sizeof(struct nft_userdata),
3020 .align = __alignof__(struct nft_userdata),
3023 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3029 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3030 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3031 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3032 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3033 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3034 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3035 .len = NFT_USERDATA_MAXLEN },
3038 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3039 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3040 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3041 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3042 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3045 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3046 const struct sk_buff *skb,
3047 const struct nlmsghdr *nlh,
3048 const struct nlattr * const nla[],
3051 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3052 struct nft_af_info *afi;
3053 struct nft_table *table;
3055 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3057 return PTR_ERR(afi);
3059 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3062 return PTR_ERR(table);
3064 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3068 static int nf_tables_fill_setelem(struct sk_buff *skb,
3069 const struct nft_set *set,
3070 const struct nft_set_elem *elem)
3072 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3073 unsigned char *b = skb_tail_pointer(skb);
3074 struct nlattr *nest;
3076 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3078 goto nla_put_failure;
3080 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3081 NFT_DATA_VALUE, set->klen) < 0)
3082 goto nla_put_failure;
3084 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3085 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3086 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3088 goto nla_put_failure;
3090 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3091 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3092 goto nla_put_failure;
3094 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3095 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3096 htonl(*nft_set_ext_flags(ext))))
3097 goto nla_put_failure;
3099 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3100 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3101 cpu_to_be64(*nft_set_ext_timeout(ext)),
3103 goto nla_put_failure;
3105 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3106 unsigned long expires, now = jiffies;
3108 expires = *nft_set_ext_expiration(ext);
3109 if (time_before(now, expires))
3114 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3115 cpu_to_be64(jiffies_to_msecs(expires)),
3117 goto nla_put_failure;
3120 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3121 struct nft_userdata *udata;
3123 udata = nft_set_ext_userdata(ext);
3124 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3125 udata->len + 1, udata->data))
3126 goto nla_put_failure;
3129 nla_nest_end(skb, nest);
3137 struct nft_set_dump_args {
3138 const struct netlink_callback *cb;
3139 struct nft_set_iter iter;
3140 struct sk_buff *skb;
3143 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3144 const struct nft_set *set,
3145 const struct nft_set_iter *iter,
3146 const struct nft_set_elem *elem)
3148 struct nft_set_dump_args *args;
3150 args = container_of(iter, struct nft_set_dump_args, iter);
3151 return nf_tables_fill_setelem(args->skb, set, elem);
3154 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3156 struct net *net = sock_net(skb->sk);
3157 u8 genmask = nft_genmask_cur(net);
3158 const struct nft_set *set;
3159 struct nft_set_dump_args args;
3161 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3162 struct nfgenmsg *nfmsg;
3163 struct nlmsghdr *nlh;
3164 struct nlattr *nest;
3168 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3169 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3173 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3174 (void *)nla, genmask);
3178 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3181 return PTR_ERR(set);
3183 event = NFT_MSG_NEWSETELEM;
3184 event |= NFNL_SUBSYS_NFTABLES << 8;
3185 portid = NETLINK_CB(cb->skb).portid;
3186 seq = cb->nlh->nlmsg_seq;
3188 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3191 goto nla_put_failure;
3193 nfmsg = nlmsg_data(nlh);
3194 nfmsg->nfgen_family = ctx.afi->family;
3195 nfmsg->version = NFNETLINK_V0;
3196 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3198 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3199 goto nla_put_failure;
3200 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3201 goto nla_put_failure;
3203 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3205 goto nla_put_failure;
3209 args.iter.skip = cb->args[0];
3210 args.iter.count = 0;
3212 args.iter.fn = nf_tables_dump_setelem;
3213 set->ops->walk(&ctx, set, &args.iter);
3215 nla_nest_end(skb, nest);
3216 nlmsg_end(skb, nlh);
3218 if (args.iter.err && args.iter.err != -EMSGSIZE)
3219 return args.iter.err;
3220 if (args.iter.count == cb->args[0])
3223 cb->args[0] = args.iter.count;
3230 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3231 struct sk_buff *skb, const struct nlmsghdr *nlh,
3232 const struct nlattr * const nla[])
3234 u8 genmask = nft_genmask_cur(net);
3235 const struct nft_set *set;
3239 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3243 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3246 return PTR_ERR(set);
3248 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3249 struct netlink_dump_control c = {
3250 .dump = nf_tables_dump_set,
3252 return netlink_dump_start(nlsk, skb, nlh, &c);
3257 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3258 const struct nft_ctx *ctx, u32 seq,
3259 u32 portid, int event, u16 flags,
3260 const struct nft_set *set,
3261 const struct nft_set_elem *elem)
3263 struct nfgenmsg *nfmsg;
3264 struct nlmsghdr *nlh;
3265 struct nlattr *nest;
3268 event |= NFNL_SUBSYS_NFTABLES << 8;
3269 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3272 goto nla_put_failure;
3274 nfmsg = nlmsg_data(nlh);
3275 nfmsg->nfgen_family = ctx->afi->family;
3276 nfmsg->version = NFNETLINK_V0;
3277 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3279 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3280 goto nla_put_failure;
3281 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3282 goto nla_put_failure;
3284 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3286 goto nla_put_failure;
3288 err = nf_tables_fill_setelem(skb, set, elem);
3290 goto nla_put_failure;
3292 nla_nest_end(skb, nest);
3294 nlmsg_end(skb, nlh);
3298 nlmsg_trim(skb, nlh);
3302 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3303 const struct nft_set *set,
3304 const struct nft_set_elem *elem,
3305 int event, u16 flags)
3307 struct net *net = ctx->net;
3308 u32 portid = ctx->portid;
3309 struct sk_buff *skb;
3312 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3316 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3320 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3327 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3331 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3335 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3337 struct nft_set *set)
3339 struct nft_trans *trans;
3341 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3345 nft_trans_elem_set(trans) = set;
3349 void *nft_set_elem_init(const struct nft_set *set,
3350 const struct nft_set_ext_tmpl *tmpl,
3351 const u32 *key, const u32 *data,
3352 u64 timeout, gfp_t gfp)
3354 struct nft_set_ext *ext;
3357 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3361 ext = nft_set_elem_ext(set, elem);
3362 nft_set_ext_init(ext, tmpl);
3364 memcpy(nft_set_ext_key(ext), key, set->klen);
3365 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3366 memcpy(nft_set_ext_data(ext), data, set->dlen);
3367 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3368 *nft_set_ext_expiration(ext) =
3369 jiffies + msecs_to_jiffies(timeout);
3370 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3371 *nft_set_ext_timeout(ext) = timeout;
3376 void nft_set_elem_destroy(const struct nft_set *set, void *elem)
3378 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3380 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3381 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3382 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3383 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3384 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3388 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3390 static int nft_setelem_parse_flags(const struct nft_set *set,
3391 const struct nlattr *attr, u32 *flags)
3396 *flags = ntohl(nla_get_be32(attr));
3397 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3399 if (!(set->flags & NFT_SET_INTERVAL) &&
3400 *flags & NFT_SET_ELEM_INTERVAL_END)
3406 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3407 const struct nlattr *attr)
3409 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3410 struct nft_data_desc d1, d2;
3411 struct nft_set_ext_tmpl tmpl;
3412 struct nft_set_ext *ext;
3413 struct nft_set_elem elem;
3414 struct nft_set_binding *binding;
3415 struct nft_userdata *udata;
3416 struct nft_data data;
3417 enum nft_registers dreg;
3418 struct nft_trans *trans;
3424 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3425 nft_set_elem_policy);
3429 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3432 nft_set_ext_prepare(&tmpl);
3434 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3438 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3440 if (set->flags & NFT_SET_MAP) {
3441 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3442 !(flags & NFT_SET_ELEM_INTERVAL_END))
3444 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3445 flags & NFT_SET_ELEM_INTERVAL_END)
3448 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3453 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3454 if (!(set->flags & NFT_SET_TIMEOUT))
3456 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_ELEM_TIMEOUT]));
3457 } else if (set->flags & NFT_SET_TIMEOUT) {
3458 timeout = set->timeout;
3461 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3462 nla[NFTA_SET_ELEM_KEY]);
3466 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3469 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3471 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3472 if (timeout != set->timeout)
3473 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3476 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3477 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3478 nla[NFTA_SET_ELEM_DATA]);
3483 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3486 dreg = nft_type_to_reg(set->dtype);
3487 list_for_each_entry(binding, &set->bindings, list) {
3488 struct nft_ctx bind_ctx = {
3490 .table = ctx->table,
3491 .chain = (struct nft_chain *)binding->chain,
3494 if (!(binding->flags & NFT_SET_MAP))
3497 err = nft_validate_register_store(&bind_ctx, dreg,
3504 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3507 /* The full maximum length of userdata can exceed the maximum
3508 * offset value (U8_MAX) for following extensions, therefor it
3509 * must be the last extension added.
3512 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3513 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3515 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3520 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3521 timeout, GFP_KERNEL);
3522 if (elem.priv == NULL)
3525 ext = nft_set_elem_ext(set, elem.priv);
3527 *nft_set_ext_flags(ext) = flags;
3529 udata = nft_set_ext_userdata(ext);
3530 udata->len = ulen - 1;
3531 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3534 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3538 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3539 err = set->ops->insert(set, &elem);
3543 nft_trans_elem(trans) = elem;
3544 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3552 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3553 nft_data_uninit(&data, d2.type);
3555 nft_data_uninit(&elem.key.val, d1.type);
3560 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3561 struct sk_buff *skb, const struct nlmsghdr *nlh,
3562 const struct nlattr * const nla[])
3564 u8 genmask = nft_genmask_next(net);
3565 const struct nlattr *attr;
3566 struct nft_set *set;
3570 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3573 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3577 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3580 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3581 set = nf_tables_set_lookup_byid(net,
3582 nla[NFTA_SET_ELEM_LIST_SET_ID],
3586 return PTR_ERR(set);
3589 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3592 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3594 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3597 err = nft_add_set_elem(&ctx, set, attr);
3599 atomic_dec(&set->nelems);
3606 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3607 const struct nlattr *attr)
3609 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3610 struct nft_set_ext_tmpl tmpl;
3611 struct nft_data_desc desc;
3612 struct nft_set_elem elem;
3613 struct nft_set_ext *ext;
3614 struct nft_trans *trans;
3619 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3620 nft_set_elem_policy);
3625 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3628 nft_set_ext_prepare(&tmpl);
3630 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3634 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3636 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3637 nla[NFTA_SET_ELEM_KEY]);
3642 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3645 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
3648 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
3650 if (elem.priv == NULL)
3653 ext = nft_set_elem_ext(set, elem.priv);
3655 *nft_set_ext_flags(ext) = flags;
3657 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3658 if (trans == NULL) {
3663 priv = set->ops->deactivate(set, &elem);
3671 nft_trans_elem(trans) = elem;
3672 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3680 nft_data_uninit(&elem.key.val, desc.type);
3685 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3686 struct sk_buff *skb, const struct nlmsghdr *nlh,
3687 const struct nlattr * const nla[])
3689 u8 genmask = nft_genmask_next(net);
3690 const struct nlattr *attr;
3691 struct nft_set *set;
3695 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3698 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3702 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3705 return PTR_ERR(set);
3706 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3709 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3710 err = nft_del_setelem(&ctx, set, attr);
3719 void nft_set_gc_batch_release(struct rcu_head *rcu)
3721 struct nft_set_gc_batch *gcb;
3724 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3725 for (i = 0; i < gcb->head.cnt; i++)
3726 nft_set_elem_destroy(gcb->head.set, gcb->elems[i]);
3729 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3731 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3734 struct nft_set_gc_batch *gcb;
3736 gcb = kzalloc(sizeof(*gcb), gfp);
3739 gcb->head.set = set;
3742 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3744 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3745 u32 portid, u32 seq)
3747 struct nlmsghdr *nlh;
3748 struct nfgenmsg *nfmsg;
3749 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3751 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3753 goto nla_put_failure;
3755 nfmsg = nlmsg_data(nlh);
3756 nfmsg->nfgen_family = AF_UNSPEC;
3757 nfmsg->version = NFNETLINK_V0;
3758 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3760 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3761 goto nla_put_failure;
3763 nlmsg_end(skb, nlh);
3767 nlmsg_trim(skb, nlh);
3771 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3773 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3774 struct sk_buff *skb2;
3777 if (nlmsg_report(nlh) &&
3778 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3782 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3786 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3793 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3794 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3797 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3803 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3804 struct sk_buff *skb, const struct nlmsghdr *nlh,
3805 const struct nlattr * const nla[])
3807 struct sk_buff *skb2;
3810 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3814 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3819 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3825 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3826 [NFT_MSG_NEWTABLE] = {
3827 .call_batch = nf_tables_newtable,
3828 .attr_count = NFTA_TABLE_MAX,
3829 .policy = nft_table_policy,
3831 [NFT_MSG_GETTABLE] = {
3832 .call = nf_tables_gettable,
3833 .attr_count = NFTA_TABLE_MAX,
3834 .policy = nft_table_policy,
3836 [NFT_MSG_DELTABLE] = {
3837 .call_batch = nf_tables_deltable,
3838 .attr_count = NFTA_TABLE_MAX,
3839 .policy = nft_table_policy,
3841 [NFT_MSG_NEWCHAIN] = {
3842 .call_batch = nf_tables_newchain,
3843 .attr_count = NFTA_CHAIN_MAX,
3844 .policy = nft_chain_policy,
3846 [NFT_MSG_GETCHAIN] = {
3847 .call = nf_tables_getchain,
3848 .attr_count = NFTA_CHAIN_MAX,
3849 .policy = nft_chain_policy,
3851 [NFT_MSG_DELCHAIN] = {
3852 .call_batch = nf_tables_delchain,
3853 .attr_count = NFTA_CHAIN_MAX,
3854 .policy = nft_chain_policy,
3856 [NFT_MSG_NEWRULE] = {
3857 .call_batch = nf_tables_newrule,
3858 .attr_count = NFTA_RULE_MAX,
3859 .policy = nft_rule_policy,
3861 [NFT_MSG_GETRULE] = {
3862 .call = nf_tables_getrule,
3863 .attr_count = NFTA_RULE_MAX,
3864 .policy = nft_rule_policy,
3866 [NFT_MSG_DELRULE] = {
3867 .call_batch = nf_tables_delrule,
3868 .attr_count = NFTA_RULE_MAX,
3869 .policy = nft_rule_policy,
3871 [NFT_MSG_NEWSET] = {
3872 .call_batch = nf_tables_newset,
3873 .attr_count = NFTA_SET_MAX,
3874 .policy = nft_set_policy,
3876 [NFT_MSG_GETSET] = {
3877 .call = nf_tables_getset,
3878 .attr_count = NFTA_SET_MAX,
3879 .policy = nft_set_policy,
3881 [NFT_MSG_DELSET] = {
3882 .call_batch = nf_tables_delset,
3883 .attr_count = NFTA_SET_MAX,
3884 .policy = nft_set_policy,
3886 [NFT_MSG_NEWSETELEM] = {
3887 .call_batch = nf_tables_newsetelem,
3888 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3889 .policy = nft_set_elem_list_policy,
3891 [NFT_MSG_GETSETELEM] = {
3892 .call = nf_tables_getsetelem,
3893 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3894 .policy = nft_set_elem_list_policy,
3896 [NFT_MSG_DELSETELEM] = {
3897 .call_batch = nf_tables_delsetelem,
3898 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3899 .policy = nft_set_elem_list_policy,
3901 [NFT_MSG_GETGEN] = {
3902 .call = nf_tables_getgen,
3906 static void nft_chain_commit_update(struct nft_trans *trans)
3908 struct nft_base_chain *basechain;
3910 if (nft_trans_chain_name(trans)[0])
3911 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3913 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3916 basechain = nft_base_chain(trans->ctx.chain);
3917 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3919 switch (nft_trans_chain_policy(trans)) {
3922 basechain->policy = nft_trans_chain_policy(trans);
3927 static void nf_tables_commit_release(struct nft_trans *trans)
3929 switch (trans->msg_type) {
3930 case NFT_MSG_DELTABLE:
3931 nf_tables_table_destroy(&trans->ctx);
3933 case NFT_MSG_DELCHAIN:
3934 nf_tables_chain_destroy(trans->ctx.chain);
3936 case NFT_MSG_DELRULE:
3937 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3939 case NFT_MSG_DELSET:
3940 nft_set_destroy(nft_trans_set(trans));
3942 case NFT_MSG_DELSETELEM:
3943 nft_set_elem_destroy(nft_trans_elem_set(trans),
3944 nft_trans_elem(trans).priv);
3950 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
3952 struct nft_trans *trans, *next;
3953 struct nft_trans_elem *te;
3955 /* Bump generation counter, invalidate any dump in progress */
3956 while (++net->nft.base_seq == 0);
3958 /* A new generation has just started */
3959 net->nft.gencursor = nft_gencursor_next(net);
3961 /* Make sure all packets have left the previous generation before
3962 * purging old rules.
3966 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3967 switch (trans->msg_type) {
3968 case NFT_MSG_NEWTABLE:
3969 if (nft_trans_table_update(trans)) {
3970 if (!nft_trans_table_enable(trans)) {
3971 nf_tables_table_disable(net,
3974 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3977 nft_clear(net, trans->ctx.table);
3979 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3980 nft_trans_destroy(trans);
3982 case NFT_MSG_DELTABLE:
3983 list_del_rcu(&trans->ctx.table->list);
3984 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3986 case NFT_MSG_NEWCHAIN:
3987 if (nft_trans_chain_update(trans))
3988 nft_chain_commit_update(trans);
3990 nft_clear(net, trans->ctx.chain);
3992 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3993 nft_trans_destroy(trans);
3995 case NFT_MSG_DELCHAIN:
3996 list_del_rcu(&trans->ctx.chain->list);
3997 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3998 nf_tables_unregister_hooks(trans->ctx.table,
4000 trans->ctx.afi->nops);
4002 case NFT_MSG_NEWRULE:
4003 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4004 nf_tables_rule_notify(&trans->ctx,
4005 nft_trans_rule(trans),
4007 nft_trans_destroy(trans);
4009 case NFT_MSG_DELRULE:
4010 list_del_rcu(&nft_trans_rule(trans)->list);
4011 nf_tables_rule_notify(&trans->ctx,
4012 nft_trans_rule(trans),
4015 case NFT_MSG_NEWSET:
4016 nft_clear(net, nft_trans_set(trans));
4017 /* This avoids hitting -EBUSY when deleting the table
4018 * from the transaction.
4020 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
4021 !list_empty(&nft_trans_set(trans)->bindings))
4022 trans->ctx.table->use--;
4024 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4025 NFT_MSG_NEWSET, GFP_KERNEL);
4026 nft_trans_destroy(trans);
4028 case NFT_MSG_DELSET:
4029 list_del_rcu(&nft_trans_set(trans)->list);
4030 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4031 NFT_MSG_DELSET, GFP_KERNEL);
4033 case NFT_MSG_NEWSETELEM:
4034 te = (struct nft_trans_elem *)trans->data;
4036 te->set->ops->activate(te->set, &te->elem);
4037 nf_tables_setelem_notify(&trans->ctx, te->set,
4039 NFT_MSG_NEWSETELEM, 0);
4040 nft_trans_destroy(trans);
4042 case NFT_MSG_DELSETELEM:
4043 te = (struct nft_trans_elem *)trans->data;
4045 nf_tables_setelem_notify(&trans->ctx, te->set,
4047 NFT_MSG_DELSETELEM, 0);
4048 te->set->ops->remove(te->set, &te->elem);
4049 atomic_dec(&te->set->nelems);
4057 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4058 list_del(&trans->list);
4059 nf_tables_commit_release(trans);
4062 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
4067 static void nf_tables_abort_release(struct nft_trans *trans)
4069 switch (trans->msg_type) {
4070 case NFT_MSG_NEWTABLE:
4071 nf_tables_table_destroy(&trans->ctx);
4073 case NFT_MSG_NEWCHAIN:
4074 nf_tables_chain_destroy(trans->ctx.chain);
4076 case NFT_MSG_NEWRULE:
4077 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4079 case NFT_MSG_NEWSET:
4080 nft_set_destroy(nft_trans_set(trans));
4082 case NFT_MSG_NEWSETELEM:
4083 nft_set_elem_destroy(nft_trans_elem_set(trans),
4084 nft_trans_elem(trans).priv);
4090 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4092 struct nft_trans *trans, *next;
4093 struct nft_trans_elem *te;
4095 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4097 switch (trans->msg_type) {
4098 case NFT_MSG_NEWTABLE:
4099 if (nft_trans_table_update(trans)) {
4100 if (nft_trans_table_enable(trans)) {
4101 nf_tables_table_disable(net,
4104 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4106 nft_trans_destroy(trans);
4108 list_del_rcu(&trans->ctx.table->list);
4111 case NFT_MSG_DELTABLE:
4112 nft_clear(trans->ctx.net, trans->ctx.table);
4113 nft_trans_destroy(trans);
4115 case NFT_MSG_NEWCHAIN:
4116 if (nft_trans_chain_update(trans)) {
4117 free_percpu(nft_trans_chain_stats(trans));
4119 nft_trans_destroy(trans);
4121 trans->ctx.table->use--;
4122 list_del_rcu(&trans->ctx.chain->list);
4123 nf_tables_unregister_hooks(trans->ctx.table,
4125 trans->ctx.afi->nops);
4128 case NFT_MSG_DELCHAIN:
4129 trans->ctx.table->use++;
4130 nft_clear(trans->ctx.net, trans->ctx.chain);
4131 nft_trans_destroy(trans);
4133 case NFT_MSG_NEWRULE:
4134 trans->ctx.chain->use--;
4135 list_del_rcu(&nft_trans_rule(trans)->list);
4137 case NFT_MSG_DELRULE:
4138 trans->ctx.chain->use++;
4139 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4140 nft_trans_destroy(trans);
4142 case NFT_MSG_NEWSET:
4143 trans->ctx.table->use--;
4144 list_del_rcu(&nft_trans_set(trans)->list);
4146 case NFT_MSG_DELSET:
4147 trans->ctx.table->use++;
4148 nft_clear(trans->ctx.net, nft_trans_set(trans));
4149 nft_trans_destroy(trans);
4151 case NFT_MSG_NEWSETELEM:
4152 te = (struct nft_trans_elem *)trans->data;
4154 te->set->ops->remove(te->set, &te->elem);
4155 atomic_dec(&te->set->nelems);
4157 case NFT_MSG_DELSETELEM:
4158 te = (struct nft_trans_elem *)trans->data;
4160 te->set->ops->activate(te->set, &te->elem);
4163 nft_trans_destroy(trans);
4170 list_for_each_entry_safe_reverse(trans, next,
4171 &net->nft.commit_list, list) {
4172 list_del(&trans->list);
4173 nf_tables_abort_release(trans);
4179 static const struct nfnetlink_subsystem nf_tables_subsys = {
4180 .name = "nf_tables",
4181 .subsys_id = NFNL_SUBSYS_NFTABLES,
4182 .cb_count = NFT_MSG_MAX,
4184 .commit = nf_tables_commit,
4185 .abort = nf_tables_abort,
4188 int nft_chain_validate_dependency(const struct nft_chain *chain,
4189 enum nft_chain_type type)
4191 const struct nft_base_chain *basechain;
4193 if (chain->flags & NFT_BASE_CHAIN) {
4194 basechain = nft_base_chain(chain);
4195 if (basechain->type->type != type)
4200 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4202 int nft_chain_validate_hooks(const struct nft_chain *chain,
4203 unsigned int hook_flags)
4205 struct nft_base_chain *basechain;
4207 if (chain->flags & NFT_BASE_CHAIN) {
4208 basechain = nft_base_chain(chain);
4210 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4218 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4221 * Loop detection - walk through the ruleset beginning at the destination chain
4222 * of a new jump until either the source chain is reached (loop) or all
4223 * reachable chains have been traversed.
4225 * The loop check is performed whenever a new jump verdict is added to an
4226 * expression or verdict map or a verdict map is bound to a new chain.
4229 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4230 const struct nft_chain *chain);
4232 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4233 const struct nft_set *set,
4234 const struct nft_set_iter *iter,
4235 const struct nft_set_elem *elem)
4237 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4238 const struct nft_data *data;
4240 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4241 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4244 data = nft_set_ext_data(ext);
4245 switch (data->verdict.code) {
4248 return nf_tables_check_loops(ctx, data->verdict.chain);
4254 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4255 const struct nft_chain *chain)
4257 const struct nft_rule *rule;
4258 const struct nft_expr *expr, *last;
4259 const struct nft_set *set;
4260 struct nft_set_binding *binding;
4261 struct nft_set_iter iter;
4263 if (ctx->chain == chain)
4266 list_for_each_entry(rule, &chain->rules, list) {
4267 nft_rule_for_each_expr(expr, last, rule) {
4268 const struct nft_data *data = NULL;
4271 if (!expr->ops->validate)
4274 err = expr->ops->validate(ctx, expr, &data);
4281 switch (data->verdict.code) {
4284 err = nf_tables_check_loops(ctx,
4285 data->verdict.chain);
4294 list_for_each_entry(set, &ctx->table->sets, list) {
4295 if (!nft_is_active_next(ctx->net, set))
4297 if (!(set->flags & NFT_SET_MAP) ||
4298 set->dtype != NFT_DATA_VERDICT)
4301 list_for_each_entry(binding, &set->bindings, list) {
4302 if (!(binding->flags & NFT_SET_MAP) ||
4303 binding->chain != chain)
4309 iter.fn = nf_tables_loop_check_setelem;
4311 set->ops->walk(ctx, set, &iter);
4321 * nft_parse_register - parse a register value from a netlink attribute
4323 * @attr: netlink attribute
4325 * Parse and translate a register value from a netlink attribute.
4326 * Registers used to be 128 bit wide, these register numbers will be
4327 * mapped to the corresponding 32 bit register numbers.
4329 unsigned int nft_parse_register(const struct nlattr *attr)
4333 reg = ntohl(nla_get_be32(attr));
4335 case NFT_REG_VERDICT...NFT_REG_4:
4336 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4338 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4341 EXPORT_SYMBOL_GPL(nft_parse_register);
4344 * nft_dump_register - dump a register value to a netlink attribute
4346 * @skb: socket buffer
4347 * @attr: attribute number
4348 * @reg: register number
4350 * Construct a netlink attribute containing the register number. For
4351 * compatibility reasons, register numbers being a multiple of 4 are
4352 * translated to the corresponding 128 bit register numbers.
4354 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4356 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4357 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4359 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4361 return nla_put_be32(skb, attr, htonl(reg));
4363 EXPORT_SYMBOL_GPL(nft_dump_register);
4366 * nft_validate_register_load - validate a load from a register
4368 * @reg: the register number
4369 * @len: the length of the data
4371 * Validate that the input register is one of the general purpose
4372 * registers and that the length of the load is within the bounds.
4374 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4376 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4380 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4385 EXPORT_SYMBOL_GPL(nft_validate_register_load);
4388 * nft_validate_register_store - validate an expressions' register store
4390 * @ctx: context of the expression performing the load
4391 * @reg: the destination register number
4392 * @data: the data to load
4393 * @type: the data type
4394 * @len: the length of the data
4396 * Validate that a data load uses the appropriate data type for
4397 * the destination register and the length is within the bounds.
4398 * A value of NULL for the data means that its runtime gathered
4401 int nft_validate_register_store(const struct nft_ctx *ctx,
4402 enum nft_registers reg,
4403 const struct nft_data *data,
4404 enum nft_data_types type, unsigned int len)
4409 case NFT_REG_VERDICT:
4410 if (type != NFT_DATA_VERDICT)
4414 (data->verdict.code == NFT_GOTO ||
4415 data->verdict.code == NFT_JUMP)) {
4416 err = nf_tables_check_loops(ctx, data->verdict.chain);
4420 if (ctx->chain->level + 1 >
4421 data->verdict.chain->level) {
4422 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4424 data->verdict.chain->level = ctx->chain->level + 1;
4430 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4434 if (reg * NFT_REG32_SIZE + len >
4435 FIELD_SIZEOF(struct nft_regs, data))
4438 if (data != NULL && type != NFT_DATA_VALUE)
4443 EXPORT_SYMBOL_GPL(nft_validate_register_store);
4445 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4446 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4447 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4448 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4451 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4452 struct nft_data_desc *desc, const struct nlattr *nla)
4454 u8 genmask = nft_genmask_next(ctx->net);
4455 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4456 struct nft_chain *chain;
4459 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4463 if (!tb[NFTA_VERDICT_CODE])
4465 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4467 switch (data->verdict.code) {
4469 switch (data->verdict.code & NF_VERDICT_MASK) {
4484 if (!tb[NFTA_VERDICT_CHAIN])
4486 chain = nf_tables_chain_lookup(ctx->table,
4487 tb[NFTA_VERDICT_CHAIN], genmask);
4489 return PTR_ERR(chain);
4490 if (chain->flags & NFT_BASE_CHAIN)
4494 data->verdict.chain = chain;
4498 desc->len = sizeof(data->verdict);
4499 desc->type = NFT_DATA_VERDICT;
4503 static void nft_verdict_uninit(const struct nft_data *data)
4505 switch (data->verdict.code) {
4508 data->verdict.chain->use--;
4513 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4515 struct nlattr *nest;
4517 nest = nla_nest_start(skb, type);
4519 goto nla_put_failure;
4521 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4522 goto nla_put_failure;
4527 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4529 goto nla_put_failure;
4531 nla_nest_end(skb, nest);
4538 static int nft_value_init(const struct nft_ctx *ctx,
4539 struct nft_data *data, unsigned int size,
4540 struct nft_data_desc *desc, const struct nlattr *nla)
4550 nla_memcpy(data->data, nla, len);
4551 desc->type = NFT_DATA_VALUE;
4556 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4559 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4562 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4563 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4564 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4568 * nft_data_init - parse nf_tables data netlink attributes
4570 * @ctx: context of the expression using the data
4571 * @data: destination struct nft_data
4572 * @size: maximum data length
4573 * @desc: data description
4574 * @nla: netlink attribute containing data
4576 * Parse the netlink data attributes and initialize a struct nft_data.
4577 * The type and length of data are returned in the data description.
4579 * The caller can indicate that it only wants to accept data of type
4580 * NFT_DATA_VALUE by passing NULL for the ctx argument.
4582 int nft_data_init(const struct nft_ctx *ctx,
4583 struct nft_data *data, unsigned int size,
4584 struct nft_data_desc *desc, const struct nlattr *nla)
4586 struct nlattr *tb[NFTA_DATA_MAX + 1];
4589 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4593 if (tb[NFTA_DATA_VALUE])
4594 return nft_value_init(ctx, data, size, desc,
4595 tb[NFTA_DATA_VALUE]);
4596 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4597 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4600 EXPORT_SYMBOL_GPL(nft_data_init);
4603 * nft_data_uninit - release a nft_data item
4605 * @data: struct nft_data to release
4606 * @type: type of data
4608 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4609 * all others need to be released by calling this function.
4611 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4613 if (type < NFT_DATA_VERDICT)
4616 case NFT_DATA_VERDICT:
4617 return nft_verdict_uninit(data);
4622 EXPORT_SYMBOL_GPL(nft_data_uninit);
4624 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4625 enum nft_data_types type, unsigned int len)
4627 struct nlattr *nest;
4630 nest = nla_nest_start(skb, attr);
4635 case NFT_DATA_VALUE:
4636 err = nft_value_dump(skb, data, len);
4638 case NFT_DATA_VERDICT:
4639 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4646 nla_nest_end(skb, nest);
4649 EXPORT_SYMBOL_GPL(nft_data_dump);
4651 static int __net_init nf_tables_init_net(struct net *net)
4653 INIT_LIST_HEAD(&net->nft.af_info);
4654 INIT_LIST_HEAD(&net->nft.commit_list);
4655 net->nft.base_seq = 1;
4659 int __nft_release_basechain(struct nft_ctx *ctx)
4661 struct nft_rule *rule, *nr;
4663 BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4665 nf_tables_unregister_hooks(ctx->chain->table, ctx->chain,
4667 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4668 list_del(&rule->list);
4670 nf_tables_rule_destroy(ctx, rule);
4672 list_del(&ctx->chain->list);
4674 nf_tables_chain_destroy(ctx->chain);
4678 EXPORT_SYMBOL_GPL(__nft_release_basechain);
4680 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
4681 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4683 struct nft_table *table, *nt;
4684 struct nft_chain *chain, *nc;
4685 struct nft_rule *rule, *nr;
4686 struct nft_set *set, *ns;
4687 struct nft_ctx ctx = {
4692 list_for_each_entry_safe(table, nt, &afi->tables, list) {
4693 list_for_each_entry(chain, &table->chains, list)
4694 nf_tables_unregister_hooks(table, chain, afi->nops);
4695 /* No packets are walking on these chains anymore. */
4697 list_for_each_entry(chain, &table->chains, list) {
4699 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4700 list_del(&rule->list);
4702 nf_tables_rule_destroy(&ctx, rule);
4705 list_for_each_entry_safe(set, ns, &table->sets, list) {
4706 list_del(&set->list);
4708 nft_set_destroy(set);
4710 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4711 list_del(&chain->list);
4713 nf_tables_chain_destroy(chain);
4715 list_del(&table->list);
4716 nf_tables_table_destroy(&ctx);
4720 static struct pernet_operations nf_tables_net_ops = {
4721 .init = nf_tables_init_net,
4724 static int __init nf_tables_module_init(void)
4728 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4735 err = nf_tables_core_module_init();
4739 err = nfnetlink_subsys_register(&nf_tables_subsys);
4743 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4744 return register_pernet_subsys(&nf_tables_net_ops);
4746 nf_tables_core_module_exit();
4753 static void __exit nf_tables_module_exit(void)
4755 unregister_pernet_subsys(&nf_tables_net_ops);
4756 nfnetlink_subsys_unregister(&nf_tables_subsys);
4758 nf_tables_core_module_exit();
4762 module_init(nf_tables_module_init);
4763 module_exit(nf_tables_module_exit);
4765 MODULE_LICENSE("GPL");
4766 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4767 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / cascardo / linux.git / blob