2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
44 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
47 * nft_unregister_afinfo - unregister nf_tables address family info
49 * @afi: address family info to unregister
51 * Unregister the address family for use with nf_tables.
53 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
55 nfnl_lock(NFNL_SUBSYS_NFTABLES);
56 __nft_release_afinfo(net, afi);
57 list_del_rcu(&afi->list);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
60 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
62 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
64 struct nft_af_info *afi;
66 list_for_each_entry(afi, &net->nft.af_info, list) {
67 if (afi->family == family)
73 static struct nft_af_info *
74 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
76 struct nft_af_info *afi;
78 afi = nft_afinfo_lookup(net, family);
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
84 request_module("nft-afinfo-%u", family);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES);
86 afi = nft_afinfo_lookup(net, family);
88 return ERR_PTR(-EAGAIN);
91 return ERR_PTR(-EAFNOSUPPORT);
94 static void nft_ctx_init(struct nft_ctx *ctx,
96 const struct sk_buff *skb,
97 const struct nlmsghdr *nlh,
98 struct nft_af_info *afi,
99 struct nft_table *table,
100 struct nft_chain *chain,
101 const struct nlattr * const *nla)
108 ctx->portid = NETLINK_CB(skb).portid;
109 ctx->report = nlmsg_report(nlh);
110 ctx->seq = nlh->nlmsg_seq;
113 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
116 struct nft_trans *trans;
118 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
122 trans->msg_type = msg_type;
128 static void nft_trans_destroy(struct nft_trans *trans)
130 list_del(&trans->list);
134 static int nft_register_basechain(struct nft_base_chain *basechain,
135 unsigned int hook_nops)
137 struct net *net = read_pnet(&basechain->pnet);
139 if (basechain->flags & NFT_BASECHAIN_DISABLED)
142 return nf_register_net_hooks(net, basechain->ops, hook_nops);
145 static void nft_unregister_basechain(struct nft_base_chain *basechain,
146 unsigned int hook_nops)
148 struct net *net = read_pnet(&basechain->pnet);
150 if (basechain->flags & NFT_BASECHAIN_DISABLED)
153 nf_unregister_net_hooks(net, basechain->ops, hook_nops);
156 static int nf_tables_register_hooks(const struct nft_table *table,
157 struct nft_chain *chain,
158 unsigned int hook_nops)
160 if (table->flags & NFT_TABLE_F_DORMANT ||
161 !(chain->flags & NFT_BASE_CHAIN))
164 return nft_register_basechain(nft_base_chain(chain), hook_nops);
167 static void nf_tables_unregister_hooks(const struct nft_table *table,
168 struct nft_chain *chain,
169 unsigned int hook_nops)
171 if (table->flags & NFT_TABLE_F_DORMANT ||
172 !(chain->flags & NFT_BASE_CHAIN))
175 nft_unregister_basechain(nft_base_chain(chain), hook_nops);
178 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
180 struct nft_trans *trans;
182 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
186 if (msg_type == NFT_MSG_NEWTABLE)
187 nft_activate_next(ctx->net, ctx->table);
189 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
193 static int nft_deltable(struct nft_ctx *ctx)
197 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
201 nft_deactivate_next(ctx->net, ctx->table);
205 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
207 struct nft_trans *trans;
209 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
213 if (msg_type == NFT_MSG_NEWCHAIN)
214 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
216 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
220 static int nft_delchain(struct nft_ctx *ctx)
224 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
229 list_del_rcu(&ctx->chain->list);
235 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
237 /* You cannot delete the same rule twice */
238 if (nft_is_active_next(ctx->net, rule)) {
239 nft_deactivate_next(ctx->net, rule);
246 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
247 struct nft_rule *rule)
249 struct nft_trans *trans;
251 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
255 nft_trans_rule(trans) = rule;
256 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
261 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
263 struct nft_trans *trans;
266 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
270 err = nf_tables_delrule_deactivate(ctx, rule);
272 nft_trans_destroy(trans);
279 static int nft_delrule_by_chain(struct nft_ctx *ctx)
281 struct nft_rule *rule;
284 list_for_each_entry(rule, &ctx->chain->rules, list) {
285 err = nft_delrule(ctx, rule);
292 /* Internal set flag */
293 #define NFT_SET_INACTIVE (1 << 15)
295 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
298 struct nft_trans *trans;
300 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
304 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
305 nft_trans_set_id(trans) =
306 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
307 set->flags |= NFT_SET_INACTIVE;
309 nft_trans_set(trans) = set;
310 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
315 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
319 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
323 list_del_rcu(&set->list);
333 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
334 const struct nlattr *nla,
337 struct nft_table *table;
339 list_for_each_entry(table, &afi->tables, list) {
340 if (!nla_strcmp(nla, table->name) &&
341 nft_active_genmask(table, genmask))
347 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
348 const struct nlattr *nla,
351 struct nft_table *table;
354 return ERR_PTR(-EINVAL);
356 table = nft_table_lookup(afi, nla, genmask);
360 return ERR_PTR(-ENOENT);
363 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
365 return ++table->hgenerator;
368 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
370 static const struct nf_chain_type *
371 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
375 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
376 if (chain_type[family][i] != NULL &&
377 !nla_strcmp(nla, chain_type[family][i]->name))
378 return chain_type[family][i];
383 static const struct nf_chain_type *
384 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
385 const struct nlattr *nla,
388 const struct nf_chain_type *type;
390 type = __nf_tables_chain_type_lookup(afi->family, nla);
393 #ifdef CONFIG_MODULES
395 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
396 request_module("nft-chain-%u-%.*s", afi->family,
397 nla_len(nla), (const char *)nla_data(nla));
398 nfnl_lock(NFNL_SUBSYS_NFTABLES);
399 type = __nf_tables_chain_type_lookup(afi->family, nla);
401 return ERR_PTR(-EAGAIN);
404 return ERR_PTR(-ENOENT);
407 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
408 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
409 .len = NFT_TABLE_MAXNAMELEN - 1 },
410 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
413 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
414 u32 portid, u32 seq, int event, u32 flags,
415 int family, const struct nft_table *table)
417 struct nlmsghdr *nlh;
418 struct nfgenmsg *nfmsg;
420 event |= NFNL_SUBSYS_NFTABLES << 8;
421 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
423 goto nla_put_failure;
425 nfmsg = nlmsg_data(nlh);
426 nfmsg->nfgen_family = family;
427 nfmsg->version = NFNETLINK_V0;
428 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
430 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
431 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
432 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
433 goto nla_put_failure;
439 nlmsg_trim(skb, nlh);
443 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
449 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
453 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
457 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
458 event, 0, ctx->afi->family, ctx->table);
464 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
465 ctx->report, GFP_KERNEL);
468 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
474 static int nf_tables_dump_tables(struct sk_buff *skb,
475 struct netlink_callback *cb)
477 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
478 const struct nft_af_info *afi;
479 const struct nft_table *table;
480 unsigned int idx = 0, s_idx = cb->args[0];
481 struct net *net = sock_net(skb->sk);
482 int family = nfmsg->nfgen_family;
485 cb->seq = net->nft.base_seq;
487 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
488 if (family != NFPROTO_UNSPEC && family != afi->family)
491 list_for_each_entry_rcu(table, &afi->tables, list) {
495 memset(&cb->args[1], 0,
496 sizeof(cb->args) - sizeof(cb->args[0]));
497 if (!nft_is_active(net, table))
499 if (nf_tables_fill_table_info(skb, net,
500 NETLINK_CB(cb->skb).portid,
504 afi->family, table) < 0)
507 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
518 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
519 struct sk_buff *skb, const struct nlmsghdr *nlh,
520 const struct nlattr * const nla[])
522 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
523 u8 genmask = nft_genmask_cur(net);
524 const struct nft_af_info *afi;
525 const struct nft_table *table;
526 struct sk_buff *skb2;
527 int family = nfmsg->nfgen_family;
530 if (nlh->nlmsg_flags & NLM_F_DUMP) {
531 struct netlink_dump_control c = {
532 .dump = nf_tables_dump_tables,
534 return netlink_dump_start(nlsk, skb, nlh, &c);
537 afi = nf_tables_afinfo_lookup(net, family, false);
541 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
543 return PTR_ERR(table);
545 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
549 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
550 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
555 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
562 static int nf_tables_table_enable(const struct nft_af_info *afi,
563 struct nft_table *table)
565 struct nft_chain *chain;
568 list_for_each_entry(chain, &table->chains, list) {
569 if (!(chain->flags & NFT_BASE_CHAIN))
572 err = nft_register_basechain(nft_base_chain(chain), afi->nops);
580 list_for_each_entry(chain, &table->chains, list) {
581 if (!(chain->flags & NFT_BASE_CHAIN))
587 nft_unregister_basechain(nft_base_chain(chain), afi->nops);
592 static void nf_tables_table_disable(const struct nft_af_info *afi,
593 struct nft_table *table)
595 struct nft_chain *chain;
597 list_for_each_entry(chain, &table->chains, list) {
598 if (chain->flags & NFT_BASE_CHAIN)
599 nft_unregister_basechain(nft_base_chain(chain),
604 static int nf_tables_updtable(struct nft_ctx *ctx)
606 struct nft_trans *trans;
610 if (!ctx->nla[NFTA_TABLE_FLAGS])
613 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
614 if (flags & ~NFT_TABLE_F_DORMANT)
617 if (flags == ctx->table->flags)
620 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
621 sizeof(struct nft_trans_table));
625 if ((flags & NFT_TABLE_F_DORMANT) &&
626 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
627 nft_trans_table_enable(trans) = false;
628 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
629 ctx->table->flags & NFT_TABLE_F_DORMANT) {
630 ret = nf_tables_table_enable(ctx->afi, ctx->table);
632 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
633 nft_trans_table_enable(trans) = true;
639 nft_trans_table_update(trans) = true;
640 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
643 nft_trans_destroy(trans);
647 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
648 struct sk_buff *skb, const struct nlmsghdr *nlh,
649 const struct nlattr * const nla[])
651 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
652 u8 genmask = nft_genmask_next(net);
653 const struct nlattr *name;
654 struct nft_af_info *afi;
655 struct nft_table *table;
656 int family = nfmsg->nfgen_family;
661 afi = nf_tables_afinfo_lookup(net, family, true);
665 name = nla[NFTA_TABLE_NAME];
666 table = nf_tables_table_lookup(afi, name, genmask);
668 if (PTR_ERR(table) != -ENOENT)
669 return PTR_ERR(table);
674 if (nlh->nlmsg_flags & NLM_F_EXCL)
676 if (nlh->nlmsg_flags & NLM_F_REPLACE)
679 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
680 return nf_tables_updtable(&ctx);
683 if (nla[NFTA_TABLE_FLAGS]) {
684 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
685 if (flags & ~NFT_TABLE_F_DORMANT)
690 if (!try_module_get(afi->owner))
694 table = kzalloc(sizeof(*table), GFP_KERNEL);
698 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
699 INIT_LIST_HEAD(&table->chains);
700 INIT_LIST_HEAD(&table->sets);
701 table->flags = flags;
703 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
704 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
708 list_add_tail_rcu(&table->list, &afi->tables);
713 module_put(afi->owner);
718 static int nft_flush_table(struct nft_ctx *ctx)
721 struct nft_chain *chain, *nc;
722 struct nft_set *set, *ns;
724 list_for_each_entry(chain, &ctx->table->chains, list) {
727 err = nft_delrule_by_chain(ctx);
732 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
733 if (set->flags & NFT_SET_ANONYMOUS &&
734 !list_empty(&set->bindings))
737 err = nft_delset(ctx, set);
742 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
745 err = nft_delchain(ctx);
750 err = nft_deltable(ctx);
755 static int nft_flush(struct nft_ctx *ctx, int family)
757 struct nft_af_info *afi;
758 struct nft_table *table, *nt;
759 const struct nlattr * const *nla = ctx->nla;
762 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
763 if (family != AF_UNSPEC && afi->family != family)
767 list_for_each_entry_safe(table, nt, &afi->tables, list) {
768 if (!nft_is_active_next(ctx->net, table))
771 if (nla[NFTA_TABLE_NAME] &&
772 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
777 err = nft_flush_table(ctx);
786 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
787 struct sk_buff *skb, const struct nlmsghdr *nlh,
788 const struct nlattr * const nla[])
790 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
791 u8 genmask = nft_genmask_next(net);
792 struct nft_af_info *afi;
793 struct nft_table *table;
794 int family = nfmsg->nfgen_family;
797 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
798 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
799 return nft_flush(&ctx, family);
801 afi = nf_tables_afinfo_lookup(net, family, false);
805 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
807 return PTR_ERR(table);
812 return nft_flush_table(&ctx);
815 static void nf_tables_table_destroy(struct nft_ctx *ctx)
817 BUG_ON(ctx->table->use > 0);
820 module_put(ctx->afi->owner);
823 int nft_register_chain_type(const struct nf_chain_type *ctype)
827 nfnl_lock(NFNL_SUBSYS_NFTABLES);
828 if (chain_type[ctype->family][ctype->type] != NULL) {
832 chain_type[ctype->family][ctype->type] = ctype;
834 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
837 EXPORT_SYMBOL_GPL(nft_register_chain_type);
839 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
841 nfnl_lock(NFNL_SUBSYS_NFTABLES);
842 chain_type[ctype->family][ctype->type] = NULL;
843 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
845 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
851 static struct nft_chain *
852 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
854 struct nft_chain *chain;
856 list_for_each_entry(chain, &table->chains, list) {
857 if (chain->handle == handle)
861 return ERR_PTR(-ENOENT);
864 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
865 const struct nlattr *nla)
867 struct nft_chain *chain;
870 return ERR_PTR(-EINVAL);
872 list_for_each_entry(chain, &table->chains, list) {
873 if (!nla_strcmp(nla, chain->name))
877 return ERR_PTR(-ENOENT);
880 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
881 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
882 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
883 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
884 .len = NFT_CHAIN_MAXNAMELEN - 1 },
885 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
886 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
887 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
888 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
891 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
892 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
893 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
894 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
895 .len = IFNAMSIZ - 1 },
898 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
900 struct nft_stats *cpu_stats, total;
906 memset(&total, 0, sizeof(total));
907 for_each_possible_cpu(cpu) {
908 cpu_stats = per_cpu_ptr(stats, cpu);
910 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
911 pkts = cpu_stats->pkts;
912 bytes = cpu_stats->bytes;
913 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
915 total.bytes += bytes;
917 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
919 goto nla_put_failure;
921 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
923 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
925 goto nla_put_failure;
927 nla_nest_end(skb, nest);
934 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
935 u32 portid, u32 seq, int event, u32 flags,
936 int family, const struct nft_table *table,
937 const struct nft_chain *chain)
939 struct nlmsghdr *nlh;
940 struct nfgenmsg *nfmsg;
942 event |= NFNL_SUBSYS_NFTABLES << 8;
943 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
945 goto nla_put_failure;
947 nfmsg = nlmsg_data(nlh);
948 nfmsg->nfgen_family = family;
949 nfmsg->version = NFNETLINK_V0;
950 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
952 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
953 goto nla_put_failure;
954 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
956 goto nla_put_failure;
957 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
958 goto nla_put_failure;
960 if (chain->flags & NFT_BASE_CHAIN) {
961 const struct nft_base_chain *basechain = nft_base_chain(chain);
962 const struct nf_hook_ops *ops = &basechain->ops[0];
965 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
967 goto nla_put_failure;
968 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
969 goto nla_put_failure;
970 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
971 goto nla_put_failure;
972 if (basechain->dev_name[0] &&
973 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
974 goto nla_put_failure;
975 nla_nest_end(skb, nest);
977 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
978 htonl(basechain->policy)))
979 goto nla_put_failure;
981 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
982 goto nla_put_failure;
984 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
985 goto nla_put_failure;
988 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
989 goto nla_put_failure;
995 nlmsg_trim(skb, nlh);
999 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1001 struct sk_buff *skb;
1005 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1009 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1013 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1014 event, 0, ctx->afi->family, ctx->table,
1021 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1022 ctx->report, GFP_KERNEL);
1025 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1031 static int nf_tables_dump_chains(struct sk_buff *skb,
1032 struct netlink_callback *cb)
1034 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1035 const struct nft_af_info *afi;
1036 const struct nft_table *table;
1037 const struct nft_chain *chain;
1038 unsigned int idx = 0, s_idx = cb->args[0];
1039 struct net *net = sock_net(skb->sk);
1040 int family = nfmsg->nfgen_family;
1043 cb->seq = net->nft.base_seq;
1045 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1046 if (family != NFPROTO_UNSPEC && family != afi->family)
1049 list_for_each_entry_rcu(table, &afi->tables, list) {
1050 list_for_each_entry_rcu(chain, &table->chains, list) {
1054 memset(&cb->args[1], 0,
1055 sizeof(cb->args) - sizeof(cb->args[0]));
1056 if (nf_tables_fill_chain_info(skb, net,
1057 NETLINK_CB(cb->skb).portid,
1061 afi->family, table, chain) < 0)
1064 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1076 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1077 struct sk_buff *skb, const struct nlmsghdr *nlh,
1078 const struct nlattr * const nla[])
1080 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1081 u8 genmask = nft_genmask_cur(net);
1082 const struct nft_af_info *afi;
1083 const struct nft_table *table;
1084 const struct nft_chain *chain;
1085 struct sk_buff *skb2;
1086 int family = nfmsg->nfgen_family;
1089 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1090 struct netlink_dump_control c = {
1091 .dump = nf_tables_dump_chains,
1093 return netlink_dump_start(nlsk, skb, nlh, &c);
1096 afi = nf_tables_afinfo_lookup(net, family, false);
1098 return PTR_ERR(afi);
1100 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1102 return PTR_ERR(table);
1104 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1106 return PTR_ERR(chain);
1107 if (chain->flags & NFT_CHAIN_INACTIVE)
1110 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1114 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1115 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1116 family, table, chain);
1120 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1127 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1128 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1129 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1132 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1134 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1135 struct nft_stats __percpu *newstats;
1136 struct nft_stats *stats;
1139 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1141 return ERR_PTR(err);
1143 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1144 return ERR_PTR(-EINVAL);
1146 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1147 if (newstats == NULL)
1148 return ERR_PTR(-ENOMEM);
1150 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1151 * are not exposed to userspace.
1154 stats = this_cpu_ptr(newstats);
1155 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1156 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1162 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1163 struct nft_stats __percpu *newstats)
1165 if (newstats == NULL)
1169 struct nft_stats __percpu *oldstats =
1170 nft_dereference(chain->stats);
1172 rcu_assign_pointer(chain->stats, newstats);
1174 free_percpu(oldstats);
1176 rcu_assign_pointer(chain->stats, newstats);
1179 static void nf_tables_chain_destroy(struct nft_chain *chain)
1181 BUG_ON(chain->use > 0);
1183 if (chain->flags & NFT_BASE_CHAIN) {
1184 struct nft_base_chain *basechain = nft_base_chain(chain);
1186 module_put(basechain->type->owner);
1187 free_percpu(basechain->stats);
1188 if (basechain->ops[0].dev != NULL)
1189 dev_put(basechain->ops[0].dev);
1196 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1197 struct sk_buff *skb, const struct nlmsghdr *nlh,
1198 const struct nlattr * const nla[])
1200 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1201 const struct nlattr * uninitialized_var(name);
1202 struct nft_af_info *afi;
1203 struct nft_table *table;
1204 struct nft_chain *chain;
1205 struct nft_base_chain *basechain = NULL;
1206 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1207 u8 genmask = nft_genmask_next(net);
1208 int family = nfmsg->nfgen_family;
1209 struct net_device *dev = NULL;
1210 u8 policy = NF_ACCEPT;
1213 struct nft_stats __percpu *stats;
1218 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1220 afi = nf_tables_afinfo_lookup(net, family, true);
1222 return PTR_ERR(afi);
1224 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1226 return PTR_ERR(table);
1229 name = nla[NFTA_CHAIN_NAME];
1231 if (nla[NFTA_CHAIN_HANDLE]) {
1232 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1233 chain = nf_tables_chain_lookup_byhandle(table, handle);
1235 return PTR_ERR(chain);
1237 chain = nf_tables_chain_lookup(table, name);
1238 if (IS_ERR(chain)) {
1239 if (PTR_ERR(chain) != -ENOENT)
1240 return PTR_ERR(chain);
1245 if (nla[NFTA_CHAIN_POLICY]) {
1246 if ((chain != NULL &&
1247 !(chain->flags & NFT_BASE_CHAIN)))
1250 if (chain == NULL &&
1251 nla[NFTA_CHAIN_HOOK] == NULL)
1254 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1264 if (chain != NULL) {
1265 struct nft_stats *stats = NULL;
1266 struct nft_trans *trans;
1268 if (chain->flags & NFT_CHAIN_INACTIVE)
1270 if (nlh->nlmsg_flags & NLM_F_EXCL)
1272 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1275 if (nla[NFTA_CHAIN_HANDLE] && name &&
1276 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1279 if (nla[NFTA_CHAIN_COUNTERS]) {
1280 if (!(chain->flags & NFT_BASE_CHAIN))
1283 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1285 return PTR_ERR(stats);
1288 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1289 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1290 sizeof(struct nft_trans_chain));
1291 if (trans == NULL) {
1296 nft_trans_chain_stats(trans) = stats;
1297 nft_trans_chain_update(trans) = true;
1299 if (nla[NFTA_CHAIN_POLICY])
1300 nft_trans_chain_policy(trans) = policy;
1302 nft_trans_chain_policy(trans) = -1;
1304 if (nla[NFTA_CHAIN_HANDLE] && name) {
1305 nla_strlcpy(nft_trans_chain_name(trans), name,
1306 NFT_CHAIN_MAXNAMELEN);
1308 list_add_tail(&trans->list, &net->nft.commit_list);
1312 if (table->use == UINT_MAX)
1315 if (nla[NFTA_CHAIN_HOOK]) {
1316 const struct nf_chain_type *type;
1317 struct nf_hook_ops *ops;
1319 u32 hooknum, priority;
1321 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1322 if (nla[NFTA_CHAIN_TYPE]) {
1323 type = nf_tables_chain_type_lookup(afi,
1324 nla[NFTA_CHAIN_TYPE],
1327 return PTR_ERR(type);
1330 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1334 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1335 ha[NFTA_HOOK_PRIORITY] == NULL)
1338 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1339 if (hooknum >= afi->nhooks)
1341 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1343 if (!(type->hook_mask & (1 << hooknum)))
1345 if (!try_module_get(type->owner))
1347 hookfn = type->hooks[hooknum];
1349 if (afi->flags & NFT_AF_NEEDS_DEV) {
1350 char ifname[IFNAMSIZ];
1352 if (!ha[NFTA_HOOK_DEV]) {
1353 module_put(type->owner);
1357 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1358 dev = dev_get_by_name(net, ifname);
1360 module_put(type->owner);
1363 } else if (ha[NFTA_HOOK_DEV]) {
1364 module_put(type->owner);
1368 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1369 if (basechain == NULL) {
1370 module_put(type->owner);
1377 strncpy(basechain->dev_name, dev->name, IFNAMSIZ);
1379 if (nla[NFTA_CHAIN_COUNTERS]) {
1380 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1381 if (IS_ERR(stats)) {
1382 module_put(type->owner);
1386 return PTR_ERR(stats);
1388 basechain->stats = stats;
1390 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1391 if (stats == NULL) {
1392 module_put(type->owner);
1398 rcu_assign_pointer(basechain->stats, stats);
1401 write_pnet(&basechain->pnet, net);
1402 basechain->type = type;
1403 chain = &basechain->chain;
1405 for (i = 0; i < afi->nops; i++) {
1406 ops = &basechain->ops[i];
1408 ops->hooknum = hooknum;
1409 ops->priority = priority;
1411 ops->hook = afi->hooks[ops->hooknum];
1415 if (afi->hook_ops_init)
1416 afi->hook_ops_init(ops, i);
1419 chain->flags |= NFT_BASE_CHAIN;
1420 basechain->policy = policy;
1422 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1427 INIT_LIST_HEAD(&chain->rules);
1428 chain->handle = nf_tables_alloc_handle(table);
1429 chain->table = table;
1430 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1432 err = nf_tables_register_hooks(table, chain, afi->nops);
1436 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1437 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1442 list_add_tail_rcu(&chain->list, &table->chains);
1445 nf_tables_unregister_hooks(table, chain, afi->nops);
1447 nf_tables_chain_destroy(chain);
1451 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1452 struct sk_buff *skb, const struct nlmsghdr *nlh,
1453 const struct nlattr * const nla[])
1455 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1456 u8 genmask = nft_genmask_next(net);
1457 struct nft_af_info *afi;
1458 struct nft_table *table;
1459 struct nft_chain *chain;
1460 int family = nfmsg->nfgen_family;
1463 afi = nf_tables_afinfo_lookup(net, family, false);
1465 return PTR_ERR(afi);
1467 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1469 return PTR_ERR(table);
1471 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1473 return PTR_ERR(chain);
1477 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1479 return nft_delchain(&ctx);
1487 * nft_register_expr - register nf_tables expr type
1490 * Registers the expr type for use with nf_tables. Returns zero on
1491 * success or a negative errno code otherwise.
1493 int nft_register_expr(struct nft_expr_type *type)
1495 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1496 if (type->family == NFPROTO_UNSPEC)
1497 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1499 list_add_rcu(&type->list, &nf_tables_expressions);
1500 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1503 EXPORT_SYMBOL_GPL(nft_register_expr);
1506 * nft_unregister_expr - unregister nf_tables expr type
1509 * Unregisters the expr typefor use with nf_tables.
1511 void nft_unregister_expr(struct nft_expr_type *type)
1513 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1514 list_del_rcu(&type->list);
1515 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1517 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1519 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1522 const struct nft_expr_type *type;
1524 list_for_each_entry(type, &nf_tables_expressions, list) {
1525 if (!nla_strcmp(nla, type->name) &&
1526 (!type->family || type->family == family))
1532 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1535 const struct nft_expr_type *type;
1538 return ERR_PTR(-EINVAL);
1540 type = __nft_expr_type_get(family, nla);
1541 if (type != NULL && try_module_get(type->owner))
1544 #ifdef CONFIG_MODULES
1546 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1547 request_module("nft-expr-%u-%.*s", family,
1548 nla_len(nla), (char *)nla_data(nla));
1549 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1550 if (__nft_expr_type_get(family, nla))
1551 return ERR_PTR(-EAGAIN);
1553 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1554 request_module("nft-expr-%.*s",
1555 nla_len(nla), (char *)nla_data(nla));
1556 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1557 if (__nft_expr_type_get(family, nla))
1558 return ERR_PTR(-EAGAIN);
1561 return ERR_PTR(-ENOENT);
1564 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1565 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1566 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1569 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1570 const struct nft_expr *expr)
1572 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1573 goto nla_put_failure;
1575 if (expr->ops->dump) {
1576 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1578 goto nla_put_failure;
1579 if (expr->ops->dump(skb, expr) < 0)
1580 goto nla_put_failure;
1581 nla_nest_end(skb, data);
1590 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1591 const struct nft_expr *expr)
1593 struct nlattr *nest;
1595 nest = nla_nest_start(skb, attr);
1597 goto nla_put_failure;
1598 if (nf_tables_fill_expr_info(skb, expr) < 0)
1599 goto nla_put_failure;
1600 nla_nest_end(skb, nest);
1607 struct nft_expr_info {
1608 const struct nft_expr_ops *ops;
1609 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1612 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1613 const struct nlattr *nla,
1614 struct nft_expr_info *info)
1616 const struct nft_expr_type *type;
1617 const struct nft_expr_ops *ops;
1618 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1621 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1625 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1627 return PTR_ERR(type);
1629 if (tb[NFTA_EXPR_DATA]) {
1630 err = nla_parse_nested(info->tb, type->maxattr,
1631 tb[NFTA_EXPR_DATA], type->policy);
1635 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1637 if (type->select_ops != NULL) {
1638 ops = type->select_ops(ctx,
1639 (const struct nlattr * const *)info->tb);
1651 module_put(type->owner);
1655 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1656 const struct nft_expr_info *info,
1657 struct nft_expr *expr)
1659 const struct nft_expr_ops *ops = info->ops;
1664 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1676 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1677 struct nft_expr *expr)
1679 if (expr->ops->destroy)
1680 expr->ops->destroy(ctx, expr);
1681 module_put(expr->ops->type->owner);
1684 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1685 const struct nlattr *nla)
1687 struct nft_expr_info info;
1688 struct nft_expr *expr;
1691 err = nf_tables_expr_parse(ctx, nla, &info);
1696 expr = kzalloc(info.ops->size, GFP_KERNEL);
1700 err = nf_tables_newexpr(ctx, &info, expr);
1706 module_put(info.ops->type->owner);
1708 return ERR_PTR(err);
1711 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1713 nf_tables_expr_destroy(ctx, expr);
1721 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1724 struct nft_rule *rule;
1726 // FIXME: this sucks
1727 list_for_each_entry(rule, &chain->rules, list) {
1728 if (handle == rule->handle)
1732 return ERR_PTR(-ENOENT);
1735 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1736 const struct nlattr *nla)
1739 return ERR_PTR(-EINVAL);
1741 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1744 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1745 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1746 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1747 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1748 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1749 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1750 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1751 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1752 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1753 .len = NFT_USERDATA_MAXLEN },
1756 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1757 u32 portid, u32 seq, int event,
1758 u32 flags, int family,
1759 const struct nft_table *table,
1760 const struct nft_chain *chain,
1761 const struct nft_rule *rule)
1763 struct nlmsghdr *nlh;
1764 struct nfgenmsg *nfmsg;
1765 const struct nft_expr *expr, *next;
1766 struct nlattr *list;
1767 const struct nft_rule *prule;
1768 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1770 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1773 goto nla_put_failure;
1775 nfmsg = nlmsg_data(nlh);
1776 nfmsg->nfgen_family = family;
1777 nfmsg->version = NFNETLINK_V0;
1778 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1780 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1781 goto nla_put_failure;
1782 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1783 goto nla_put_failure;
1784 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1786 goto nla_put_failure;
1788 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1789 prule = list_entry(rule->list.prev, struct nft_rule, list);
1790 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1791 cpu_to_be64(prule->handle),
1793 goto nla_put_failure;
1796 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1798 goto nla_put_failure;
1799 nft_rule_for_each_expr(expr, next, rule) {
1800 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1801 goto nla_put_failure;
1803 nla_nest_end(skb, list);
1806 struct nft_userdata *udata = nft_userdata(rule);
1807 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1809 goto nla_put_failure;
1812 nlmsg_end(skb, nlh);
1816 nlmsg_trim(skb, nlh);
1820 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1821 const struct nft_rule *rule,
1824 struct sk_buff *skb;
1828 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1832 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1836 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1837 event, 0, ctx->afi->family, ctx->table,
1844 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1845 ctx->report, GFP_KERNEL);
1848 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1854 static int nf_tables_dump_rules(struct sk_buff *skb,
1855 struct netlink_callback *cb)
1857 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1858 const struct nft_af_info *afi;
1859 const struct nft_table *table;
1860 const struct nft_chain *chain;
1861 const struct nft_rule *rule;
1862 unsigned int idx = 0, s_idx = cb->args[0];
1863 struct net *net = sock_net(skb->sk);
1864 int family = nfmsg->nfgen_family;
1867 cb->seq = net->nft.base_seq;
1869 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1870 if (family != NFPROTO_UNSPEC && family != afi->family)
1873 list_for_each_entry_rcu(table, &afi->tables, list) {
1874 list_for_each_entry_rcu(chain, &table->chains, list) {
1875 list_for_each_entry_rcu(rule, &chain->rules, list) {
1876 if (!nft_is_active(net, rule))
1881 memset(&cb->args[1], 0,
1882 sizeof(cb->args) - sizeof(cb->args[0]));
1883 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1886 NLM_F_MULTI | NLM_F_APPEND,
1887 afi->family, table, chain, rule) < 0)
1890 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1904 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
1905 struct sk_buff *skb, const struct nlmsghdr *nlh,
1906 const struct nlattr * const nla[])
1908 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1909 u8 genmask = nft_genmask_cur(net);
1910 const struct nft_af_info *afi;
1911 const struct nft_table *table;
1912 const struct nft_chain *chain;
1913 const struct nft_rule *rule;
1914 struct sk_buff *skb2;
1915 int family = nfmsg->nfgen_family;
1918 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1919 struct netlink_dump_control c = {
1920 .dump = nf_tables_dump_rules,
1922 return netlink_dump_start(nlsk, skb, nlh, &c);
1925 afi = nf_tables_afinfo_lookup(net, family, false);
1927 return PTR_ERR(afi);
1929 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
1931 return PTR_ERR(table);
1933 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1935 return PTR_ERR(chain);
1936 if (chain->flags & NFT_CHAIN_INACTIVE)
1939 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1941 return PTR_ERR(rule);
1943 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1947 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
1948 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1949 family, table, chain, rule);
1953 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1960 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1961 struct nft_rule *rule)
1963 struct nft_expr *expr;
1966 * Careful: some expressions might not be initialized in case this
1967 * is called on error from nf_tables_newrule().
1969 expr = nft_expr_first(rule);
1970 while (expr->ops && expr != nft_expr_last(rule)) {
1971 nf_tables_expr_destroy(ctx, expr);
1972 expr = nft_expr_next(expr);
1977 #define NFT_RULE_MAXEXPRS 128
1979 static struct nft_expr_info *info;
1981 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
1982 struct sk_buff *skb, const struct nlmsghdr *nlh,
1983 const struct nlattr * const nla[])
1985 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1986 u8 genmask = nft_genmask_next(net);
1987 struct nft_af_info *afi;
1988 struct nft_table *table;
1989 struct nft_chain *chain;
1990 struct nft_rule *rule, *old_rule = NULL;
1991 struct nft_userdata *udata;
1992 struct nft_trans *trans = NULL;
1993 struct nft_expr *expr;
1996 unsigned int size, i, n, ulen = 0, usize = 0;
1999 u64 handle, pos_handle;
2001 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2003 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2005 return PTR_ERR(afi);
2007 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2009 return PTR_ERR(table);
2011 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2013 return PTR_ERR(chain);
2015 if (nla[NFTA_RULE_HANDLE]) {
2016 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2017 rule = __nf_tables_rule_lookup(chain, handle);
2019 return PTR_ERR(rule);
2021 if (nlh->nlmsg_flags & NLM_F_EXCL)
2023 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2028 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2030 handle = nf_tables_alloc_handle(table);
2032 if (chain->use == UINT_MAX)
2036 if (nla[NFTA_RULE_POSITION]) {
2037 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2040 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2041 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2042 if (IS_ERR(old_rule))
2043 return PTR_ERR(old_rule);
2046 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2050 if (nla[NFTA_RULE_EXPRESSIONS]) {
2051 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2053 if (nla_type(tmp) != NFTA_LIST_ELEM)
2055 if (n == NFT_RULE_MAXEXPRS)
2057 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2060 size += info[n].ops->size;
2064 /* Check for overflow of dlen field */
2066 if (size >= 1 << 12)
2069 if (nla[NFTA_RULE_USERDATA]) {
2070 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2072 usize = sizeof(struct nft_userdata) + ulen;
2076 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2080 nft_activate_next(net, rule);
2082 rule->handle = handle;
2084 rule->udata = ulen ? 1 : 0;
2087 udata = nft_userdata(rule);
2088 udata->len = ulen - 1;
2089 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2092 expr = nft_expr_first(rule);
2093 for (i = 0; i < n; i++) {
2094 err = nf_tables_newexpr(&ctx, &info[i], expr);
2098 expr = nft_expr_next(expr);
2101 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2102 if (nft_is_active_next(net, old_rule)) {
2103 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2105 if (trans == NULL) {
2109 nft_deactivate_next(net, old_rule);
2111 list_add_tail_rcu(&rule->list, &old_rule->list);
2116 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2118 list_add_rcu(&rule->list, &old_rule->list);
2120 list_add_tail_rcu(&rule->list, &chain->rules);
2123 list_add_tail_rcu(&rule->list, &old_rule->list);
2125 list_add_rcu(&rule->list, &chain->rules);
2128 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2136 list_del_rcu(&rule->list);
2138 nf_tables_rule_destroy(&ctx, rule);
2140 for (i = 0; i < n; i++) {
2141 if (info[i].ops != NULL)
2142 module_put(info[i].ops->type->owner);
2147 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2148 struct sk_buff *skb, const struct nlmsghdr *nlh,
2149 const struct nlattr * const nla[])
2151 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2152 u8 genmask = nft_genmask_next(net);
2153 struct nft_af_info *afi;
2154 struct nft_table *table;
2155 struct nft_chain *chain = NULL;
2156 struct nft_rule *rule;
2157 int family = nfmsg->nfgen_family, err = 0;
2160 afi = nf_tables_afinfo_lookup(net, family, false);
2162 return PTR_ERR(afi);
2164 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2166 return PTR_ERR(table);
2168 if (nla[NFTA_RULE_CHAIN]) {
2169 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2171 return PTR_ERR(chain);
2174 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2177 if (nla[NFTA_RULE_HANDLE]) {
2178 rule = nf_tables_rule_lookup(chain,
2179 nla[NFTA_RULE_HANDLE]);
2181 return PTR_ERR(rule);
2183 err = nft_delrule(&ctx, rule);
2185 err = nft_delrule_by_chain(&ctx);
2188 list_for_each_entry(chain, &table->chains, list) {
2190 err = nft_delrule_by_chain(&ctx);
2203 static LIST_HEAD(nf_tables_set_ops);
2205 int nft_register_set(struct nft_set_ops *ops)
2207 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2208 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2209 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2212 EXPORT_SYMBOL_GPL(nft_register_set);
2214 void nft_unregister_set(struct nft_set_ops *ops)
2216 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2217 list_del_rcu(&ops->list);
2218 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2220 EXPORT_SYMBOL_GPL(nft_unregister_set);
2223 * Select a set implementation based on the data characteristics and the
2224 * given policy. The total memory use might not be known if no size is
2225 * given, in that case the amount of memory per element is used.
2227 static const struct nft_set_ops *
2228 nft_select_set_ops(const struct nlattr * const nla[],
2229 const struct nft_set_desc *desc,
2230 enum nft_set_policies policy)
2232 const struct nft_set_ops *ops, *bops;
2233 struct nft_set_estimate est, best;
2236 #ifdef CONFIG_MODULES
2237 if (list_empty(&nf_tables_set_ops)) {
2238 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2239 request_module("nft-set");
2240 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2241 if (!list_empty(&nf_tables_set_ops))
2242 return ERR_PTR(-EAGAIN);
2246 if (nla[NFTA_SET_FLAGS] != NULL) {
2247 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2248 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2255 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2256 if ((ops->features & features) != features)
2258 if (!ops->estimate(desc, features, &est))
2262 case NFT_SET_POL_PERFORMANCE:
2263 if (est.class < best.class)
2265 if (est.class == best.class && est.size < best.size)
2268 case NFT_SET_POL_MEMORY:
2269 if (est.size < best.size)
2271 if (est.size == best.size && est.class < best.class)
2278 if (!try_module_get(ops->owner))
2281 module_put(bops->owner);
2290 return ERR_PTR(-EOPNOTSUPP);
2293 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2294 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2295 [NFTA_SET_NAME] = { .type = NLA_STRING,
2296 .len = NFT_SET_MAXNAMELEN - 1 },
2297 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2298 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2299 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2300 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2301 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2302 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2303 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2304 [NFTA_SET_ID] = { .type = NLA_U32 },
2305 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2306 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2307 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2308 .len = NFT_USERDATA_MAXLEN },
2311 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2312 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2315 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2316 const struct sk_buff *skb,
2317 const struct nlmsghdr *nlh,
2318 const struct nlattr * const nla[],
2321 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2322 struct nft_af_info *afi = NULL;
2323 struct nft_table *table = NULL;
2325 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2326 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2328 return PTR_ERR(afi);
2331 if (nla[NFTA_SET_TABLE] != NULL) {
2333 return -EAFNOSUPPORT;
2335 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2338 return PTR_ERR(table);
2341 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2345 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2346 const struct nlattr *nla)
2348 struct nft_set *set;
2351 return ERR_PTR(-EINVAL);
2353 list_for_each_entry(set, &table->sets, list) {
2354 if (!nla_strcmp(nla, set->name))
2357 return ERR_PTR(-ENOENT);
2360 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2361 const struct nlattr *nla)
2363 struct nft_trans *trans;
2364 u32 id = ntohl(nla_get_be32(nla));
2366 list_for_each_entry(trans, &net->nft.commit_list, list) {
2367 if (trans->msg_type == NFT_MSG_NEWSET &&
2368 id == nft_trans_set_id(trans))
2369 return nft_trans_set(trans);
2371 return ERR_PTR(-ENOENT);
2374 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2377 const struct nft_set *i;
2379 unsigned long *inuse;
2380 unsigned int n = 0, min = 0;
2382 p = strnchr(name, NFT_SET_MAXNAMELEN, '%');
2384 if (p[1] != 'd' || strchr(p + 2, '%'))
2387 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2391 list_for_each_entry(i, &ctx->table->sets, list) {
2394 if (!sscanf(i->name, name, &tmp))
2396 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2399 set_bit(tmp - min, inuse);
2402 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2403 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2404 min += BITS_PER_BYTE * PAGE_SIZE;
2405 memset(inuse, 0, PAGE_SIZE);
2408 free_page((unsigned long)inuse);
2411 snprintf(set->name, sizeof(set->name), name, min + n);
2412 list_for_each_entry(i, &ctx->table->sets, list) {
2413 if (!strcmp(set->name, i->name))
2419 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2420 const struct nft_set *set, u16 event, u16 flags)
2422 struct nfgenmsg *nfmsg;
2423 struct nlmsghdr *nlh;
2424 struct nlattr *desc;
2425 u32 portid = ctx->portid;
2428 event |= NFNL_SUBSYS_NFTABLES << 8;
2429 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2432 goto nla_put_failure;
2434 nfmsg = nlmsg_data(nlh);
2435 nfmsg->nfgen_family = ctx->afi->family;
2436 nfmsg->version = NFNETLINK_V0;
2437 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2439 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2440 goto nla_put_failure;
2441 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2442 goto nla_put_failure;
2443 if (set->flags != 0)
2444 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2445 goto nla_put_failure;
2447 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2448 goto nla_put_failure;
2449 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2450 goto nla_put_failure;
2451 if (set->flags & NFT_SET_MAP) {
2452 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2453 goto nla_put_failure;
2454 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2455 goto nla_put_failure;
2459 nla_put_be64(skb, NFTA_SET_TIMEOUT, cpu_to_be64(set->timeout),
2461 goto nla_put_failure;
2463 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2464 goto nla_put_failure;
2466 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2467 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2468 goto nla_put_failure;
2471 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2472 goto nla_put_failure;
2474 desc = nla_nest_start(skb, NFTA_SET_DESC);
2476 goto nla_put_failure;
2478 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2479 goto nla_put_failure;
2480 nla_nest_end(skb, desc);
2482 nlmsg_end(skb, nlh);
2486 nlmsg_trim(skb, nlh);
2490 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2491 const struct nft_set *set,
2492 int event, gfp_t gfp_flags)
2494 struct sk_buff *skb;
2495 u32 portid = ctx->portid;
2499 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2503 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2507 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2513 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2514 ctx->report, gfp_flags);
2517 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2521 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2523 const struct nft_set *set;
2524 unsigned int idx, s_idx = cb->args[0];
2525 struct nft_af_info *afi;
2526 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2527 struct net *net = sock_net(skb->sk);
2528 int cur_family = cb->args[3];
2529 struct nft_ctx *ctx = cb->data, ctx_set;
2535 cb->seq = net->nft.base_seq;
2537 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2538 if (ctx->afi && ctx->afi != afi)
2542 if (afi->family != cur_family)
2547 list_for_each_entry_rcu(table, &afi->tables, list) {
2548 if (ctx->table && ctx->table != table)
2552 if (cur_table != table)
2558 list_for_each_entry_rcu(set, &table->sets, list) {
2563 ctx_set.table = table;
2565 if (nf_tables_fill_set(skb, &ctx_set, set,
2569 cb->args[2] = (unsigned long) table;
2570 cb->args[3] = afi->family;
2573 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2587 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2593 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2594 struct sk_buff *skb, const struct nlmsghdr *nlh,
2595 const struct nlattr * const nla[])
2597 u8 genmask = nft_genmask_cur(net);
2598 const struct nft_set *set;
2600 struct sk_buff *skb2;
2601 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2604 /* Verify existence before starting dump */
2605 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2609 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2610 struct netlink_dump_control c = {
2611 .dump = nf_tables_dump_sets,
2612 .done = nf_tables_dump_sets_done,
2614 struct nft_ctx *ctx_dump;
2616 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2617 if (ctx_dump == NULL)
2623 return netlink_dump_start(nlsk, skb, nlh, &c);
2626 /* Only accept unspec with dump */
2627 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2628 return -EAFNOSUPPORT;
2630 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2632 return PTR_ERR(set);
2633 if (set->flags & NFT_SET_INACTIVE)
2636 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2640 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2644 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2651 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2652 struct nft_set_desc *desc,
2653 const struct nlattr *nla)
2655 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2658 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2662 if (da[NFTA_SET_DESC_SIZE] != NULL)
2663 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2668 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2669 struct sk_buff *skb, const struct nlmsghdr *nlh,
2670 const struct nlattr * const nla[])
2672 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2673 u8 genmask = nft_genmask_next(net);
2674 const struct nft_set_ops *ops;
2675 struct nft_af_info *afi;
2676 struct nft_table *table;
2677 struct nft_set *set;
2679 char name[NFT_SET_MAXNAMELEN];
2683 u32 ktype, dtype, flags, policy, gc_int;
2684 struct nft_set_desc desc;
2685 unsigned char *udata;
2689 if (nla[NFTA_SET_TABLE] == NULL ||
2690 nla[NFTA_SET_NAME] == NULL ||
2691 nla[NFTA_SET_KEY_LEN] == NULL ||
2692 nla[NFTA_SET_ID] == NULL)
2695 memset(&desc, 0, sizeof(desc));
2697 ktype = NFT_DATA_VALUE;
2698 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2699 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2700 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2704 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2705 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2709 if (nla[NFTA_SET_FLAGS] != NULL) {
2710 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2711 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2712 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2713 NFT_SET_MAP | NFT_SET_EVAL))
2715 /* Only one of both operations is supported */
2716 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2717 (NFT_SET_MAP | NFT_SET_EVAL))
2722 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2723 if (!(flags & NFT_SET_MAP))
2726 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2727 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2728 dtype != NFT_DATA_VERDICT)
2731 if (dtype != NFT_DATA_VERDICT) {
2732 if (nla[NFTA_SET_DATA_LEN] == NULL)
2734 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2735 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2738 desc.dlen = sizeof(struct nft_verdict);
2739 } else if (flags & NFT_SET_MAP)
2743 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2744 if (!(flags & NFT_SET_TIMEOUT))
2746 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_TIMEOUT]));
2749 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2750 if (!(flags & NFT_SET_TIMEOUT))
2752 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2755 policy = NFT_SET_POL_PERFORMANCE;
2756 if (nla[NFTA_SET_POLICY] != NULL)
2757 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2759 if (nla[NFTA_SET_DESC] != NULL) {
2760 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2765 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2767 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2769 return PTR_ERR(afi);
2771 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
2773 return PTR_ERR(table);
2775 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2777 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2779 if (PTR_ERR(set) != -ENOENT)
2780 return PTR_ERR(set);
2785 if (nlh->nlmsg_flags & NLM_F_EXCL)
2787 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2792 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2795 ops = nft_select_set_ops(nla, &desc, policy);
2797 return PTR_ERR(ops);
2800 if (nla[NFTA_SET_USERDATA])
2801 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2804 if (ops->privsize != NULL)
2805 size = ops->privsize(nla);
2808 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2812 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2813 err = nf_tables_set_alloc_name(&ctx, set, name);
2819 udata = set->data + size;
2820 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2823 INIT_LIST_HEAD(&set->bindings);
2824 write_pnet(&set->pnet, net);
2827 set->klen = desc.klen;
2829 set->dlen = desc.dlen;
2831 set->size = desc.size;
2832 set->policy = policy;
2835 set->timeout = timeout;
2836 set->gc_int = gc_int;
2838 err = ops->init(set, &desc, nla);
2842 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2846 list_add_tail_rcu(&set->list, &table->sets);
2853 module_put(ops->owner);
2857 static void nft_set_destroy(struct nft_set *set)
2859 set->ops->destroy(set);
2860 module_put(set->ops->owner);
2864 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2866 list_del_rcu(&set->list);
2867 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2868 nft_set_destroy(set);
2871 static int nf_tables_delset(struct net *net, struct sock *nlsk,
2872 struct sk_buff *skb, const struct nlmsghdr *nlh,
2873 const struct nlattr * const nla[])
2875 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2876 u8 genmask = nft_genmask_next(net);
2877 struct nft_set *set;
2881 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2882 return -EAFNOSUPPORT;
2883 if (nla[NFTA_SET_TABLE] == NULL)
2886 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2890 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2892 return PTR_ERR(set);
2893 if (!list_empty(&set->bindings))
2896 return nft_delset(&ctx, set);
2899 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2900 const struct nft_set *set,
2901 const struct nft_set_iter *iter,
2902 const struct nft_set_elem *elem)
2904 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
2905 enum nft_registers dreg;
2907 dreg = nft_type_to_reg(set->dtype);
2908 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
2909 set->dtype == NFT_DATA_VERDICT ?
2910 NFT_DATA_VERDICT : NFT_DATA_VALUE,
2914 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2915 struct nft_set_binding *binding)
2917 struct nft_set_binding *i;
2918 struct nft_set_iter iter;
2920 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2923 if (binding->flags & NFT_SET_MAP) {
2924 /* If the set is already bound to the same chain all
2925 * jumps are already validated for that chain.
2927 list_for_each_entry(i, &set->bindings, list) {
2928 if (binding->flags & NFT_SET_MAP &&
2929 i->chain == binding->chain)
2936 iter.fn = nf_tables_bind_check_setelem;
2938 set->ops->walk(ctx, set, &iter);
2940 /* Destroy anonymous sets if binding fails */
2941 if (set->flags & NFT_SET_ANONYMOUS)
2942 nf_tables_set_destroy(ctx, set);
2948 binding->chain = ctx->chain;
2949 list_add_tail_rcu(&binding->list, &set->bindings);
2953 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2954 struct nft_set_binding *binding)
2956 list_del_rcu(&binding->list);
2958 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2959 !(set->flags & NFT_SET_INACTIVE))
2960 nf_tables_set_destroy(ctx, set);
2963 const struct nft_set_ext_type nft_set_ext_types[] = {
2964 [NFT_SET_EXT_KEY] = {
2965 .align = __alignof__(u32),
2967 [NFT_SET_EXT_DATA] = {
2968 .align = __alignof__(u32),
2970 [NFT_SET_EXT_EXPR] = {
2971 .align = __alignof__(struct nft_expr),
2973 [NFT_SET_EXT_FLAGS] = {
2975 .align = __alignof__(u8),
2977 [NFT_SET_EXT_TIMEOUT] = {
2979 .align = __alignof__(u64),
2981 [NFT_SET_EXT_EXPIRATION] = {
2982 .len = sizeof(unsigned long),
2983 .align = __alignof__(unsigned long),
2985 [NFT_SET_EXT_USERDATA] = {
2986 .len = sizeof(struct nft_userdata),
2987 .align = __alignof__(struct nft_userdata),
2990 EXPORT_SYMBOL_GPL(nft_set_ext_types);
2996 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2997 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2998 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2999 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3000 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3001 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3002 .len = NFT_USERDATA_MAXLEN },
3005 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3006 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3007 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3008 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3009 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3012 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3013 const struct sk_buff *skb,
3014 const struct nlmsghdr *nlh,
3015 const struct nlattr * const nla[],
3018 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3019 struct nft_af_info *afi;
3020 struct nft_table *table;
3022 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3024 return PTR_ERR(afi);
3026 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3029 return PTR_ERR(table);
3031 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3035 static int nf_tables_fill_setelem(struct sk_buff *skb,
3036 const struct nft_set *set,
3037 const struct nft_set_elem *elem)
3039 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3040 unsigned char *b = skb_tail_pointer(skb);
3041 struct nlattr *nest;
3043 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3045 goto nla_put_failure;
3047 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3048 NFT_DATA_VALUE, set->klen) < 0)
3049 goto nla_put_failure;
3051 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3052 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3053 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3055 goto nla_put_failure;
3057 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3058 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3059 goto nla_put_failure;
3061 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3062 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3063 htonl(*nft_set_ext_flags(ext))))
3064 goto nla_put_failure;
3066 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3067 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3068 cpu_to_be64(*nft_set_ext_timeout(ext)),
3070 goto nla_put_failure;
3072 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3073 unsigned long expires, now = jiffies;
3075 expires = *nft_set_ext_expiration(ext);
3076 if (time_before(now, expires))
3081 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3082 cpu_to_be64(jiffies_to_msecs(expires)),
3084 goto nla_put_failure;
3087 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3088 struct nft_userdata *udata;
3090 udata = nft_set_ext_userdata(ext);
3091 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3092 udata->len + 1, udata->data))
3093 goto nla_put_failure;
3096 nla_nest_end(skb, nest);
3104 struct nft_set_dump_args {
3105 const struct netlink_callback *cb;
3106 struct nft_set_iter iter;
3107 struct sk_buff *skb;
3110 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3111 const struct nft_set *set,
3112 const struct nft_set_iter *iter,
3113 const struct nft_set_elem *elem)
3115 struct nft_set_dump_args *args;
3117 args = container_of(iter, struct nft_set_dump_args, iter);
3118 return nf_tables_fill_setelem(args->skb, set, elem);
3121 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3123 struct net *net = sock_net(skb->sk);
3124 u8 genmask = nft_genmask_cur(net);
3125 const struct nft_set *set;
3126 struct nft_set_dump_args args;
3128 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3129 struct nfgenmsg *nfmsg;
3130 struct nlmsghdr *nlh;
3131 struct nlattr *nest;
3135 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3136 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3140 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3141 (void *)nla, genmask);
3145 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3147 return PTR_ERR(set);
3148 if (set->flags & NFT_SET_INACTIVE)
3151 event = NFT_MSG_NEWSETELEM;
3152 event |= NFNL_SUBSYS_NFTABLES << 8;
3153 portid = NETLINK_CB(cb->skb).portid;
3154 seq = cb->nlh->nlmsg_seq;
3156 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3159 goto nla_put_failure;
3161 nfmsg = nlmsg_data(nlh);
3162 nfmsg->nfgen_family = ctx.afi->family;
3163 nfmsg->version = NFNETLINK_V0;
3164 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3166 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3167 goto nla_put_failure;
3168 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3169 goto nla_put_failure;
3171 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3173 goto nla_put_failure;
3177 args.iter.skip = cb->args[0];
3178 args.iter.count = 0;
3180 args.iter.fn = nf_tables_dump_setelem;
3181 set->ops->walk(&ctx, set, &args.iter);
3183 nla_nest_end(skb, nest);
3184 nlmsg_end(skb, nlh);
3186 if (args.iter.err && args.iter.err != -EMSGSIZE)
3187 return args.iter.err;
3188 if (args.iter.count == cb->args[0])
3191 cb->args[0] = args.iter.count;
3198 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3199 struct sk_buff *skb, const struct nlmsghdr *nlh,
3200 const struct nlattr * const nla[])
3202 u8 genmask = nft_genmask_cur(net);
3203 const struct nft_set *set;
3207 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3211 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3213 return PTR_ERR(set);
3214 if (set->flags & NFT_SET_INACTIVE)
3217 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3218 struct netlink_dump_control c = {
3219 .dump = nf_tables_dump_set,
3221 return netlink_dump_start(nlsk, skb, nlh, &c);
3226 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3227 const struct nft_ctx *ctx, u32 seq,
3228 u32 portid, int event, u16 flags,
3229 const struct nft_set *set,
3230 const struct nft_set_elem *elem)
3232 struct nfgenmsg *nfmsg;
3233 struct nlmsghdr *nlh;
3234 struct nlattr *nest;
3237 event |= NFNL_SUBSYS_NFTABLES << 8;
3238 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3241 goto nla_put_failure;
3243 nfmsg = nlmsg_data(nlh);
3244 nfmsg->nfgen_family = ctx->afi->family;
3245 nfmsg->version = NFNETLINK_V0;
3246 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3248 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3249 goto nla_put_failure;
3250 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3251 goto nla_put_failure;
3253 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3255 goto nla_put_failure;
3257 err = nf_tables_fill_setelem(skb, set, elem);
3259 goto nla_put_failure;
3261 nla_nest_end(skb, nest);
3263 nlmsg_end(skb, nlh);
3267 nlmsg_trim(skb, nlh);
3271 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3272 const struct nft_set *set,
3273 const struct nft_set_elem *elem,
3274 int event, u16 flags)
3276 struct net *net = ctx->net;
3277 u32 portid = ctx->portid;
3278 struct sk_buff *skb;
3281 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3285 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3289 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3296 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3300 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3304 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3306 struct nft_set *set)
3308 struct nft_trans *trans;
3310 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3314 nft_trans_elem_set(trans) = set;
3318 void *nft_set_elem_init(const struct nft_set *set,
3319 const struct nft_set_ext_tmpl *tmpl,
3320 const u32 *key, const u32 *data,
3321 u64 timeout, gfp_t gfp)
3323 struct nft_set_ext *ext;
3326 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3330 ext = nft_set_elem_ext(set, elem);
3331 nft_set_ext_init(ext, tmpl);
3333 memcpy(nft_set_ext_key(ext), key, set->klen);
3334 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3335 memcpy(nft_set_ext_data(ext), data, set->dlen);
3336 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3337 *nft_set_ext_expiration(ext) =
3338 jiffies + msecs_to_jiffies(timeout);
3339 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3340 *nft_set_ext_timeout(ext) = timeout;
3345 void nft_set_elem_destroy(const struct nft_set *set, void *elem)
3347 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3349 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3350 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3351 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3352 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3353 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3357 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3359 static int nft_setelem_parse_flags(const struct nft_set *set,
3360 const struct nlattr *attr, u32 *flags)
3365 *flags = ntohl(nla_get_be32(attr));
3366 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3368 if (!(set->flags & NFT_SET_INTERVAL) &&
3369 *flags & NFT_SET_ELEM_INTERVAL_END)
3375 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3376 const struct nlattr *attr)
3378 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3379 struct nft_data_desc d1, d2;
3380 struct nft_set_ext_tmpl tmpl;
3381 struct nft_set_ext *ext;
3382 struct nft_set_elem elem;
3383 struct nft_set_binding *binding;
3384 struct nft_userdata *udata;
3385 struct nft_data data;
3386 enum nft_registers dreg;
3387 struct nft_trans *trans;
3393 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3394 nft_set_elem_policy);
3398 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3401 nft_set_ext_prepare(&tmpl);
3403 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3407 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3409 if (set->flags & NFT_SET_MAP) {
3410 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3411 !(flags & NFT_SET_ELEM_INTERVAL_END))
3413 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3414 flags & NFT_SET_ELEM_INTERVAL_END)
3417 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3422 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3423 if (!(set->flags & NFT_SET_TIMEOUT))
3425 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_ELEM_TIMEOUT]));
3426 } else if (set->flags & NFT_SET_TIMEOUT) {
3427 timeout = set->timeout;
3430 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3431 nla[NFTA_SET_ELEM_KEY]);
3435 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3438 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3440 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3441 if (timeout != set->timeout)
3442 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3445 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3446 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3447 nla[NFTA_SET_ELEM_DATA]);
3452 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3455 dreg = nft_type_to_reg(set->dtype);
3456 list_for_each_entry(binding, &set->bindings, list) {
3457 struct nft_ctx bind_ctx = {
3459 .table = ctx->table,
3460 .chain = (struct nft_chain *)binding->chain,
3463 if (!(binding->flags & NFT_SET_MAP))
3466 err = nft_validate_register_store(&bind_ctx, dreg,
3473 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3476 /* The full maximum length of userdata can exceed the maximum
3477 * offset value (U8_MAX) for following extensions, therefor it
3478 * must be the last extension added.
3481 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3482 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3484 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3489 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3490 timeout, GFP_KERNEL);
3491 if (elem.priv == NULL)
3494 ext = nft_set_elem_ext(set, elem.priv);
3496 *nft_set_ext_flags(ext) = flags;
3498 udata = nft_set_ext_userdata(ext);
3499 udata->len = ulen - 1;
3500 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3503 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3507 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3508 err = set->ops->insert(set, &elem);
3512 nft_trans_elem(trans) = elem;
3513 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3521 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3522 nft_data_uninit(&data, d2.type);
3524 nft_data_uninit(&elem.key.val, d1.type);
3529 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3530 struct sk_buff *skb, const struct nlmsghdr *nlh,
3531 const struct nlattr * const nla[])
3533 u8 genmask = nft_genmask_next(net);
3534 const struct nlattr *attr;
3535 struct nft_set *set;
3539 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3542 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3546 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3548 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3549 set = nf_tables_set_lookup_byid(net,
3550 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3553 return PTR_ERR(set);
3556 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3559 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3561 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3564 err = nft_add_set_elem(&ctx, set, attr);
3566 atomic_dec(&set->nelems);
3573 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3574 const struct nlattr *attr)
3576 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3577 struct nft_set_ext_tmpl tmpl;
3578 struct nft_data_desc desc;
3579 struct nft_set_elem elem;
3580 struct nft_set_ext *ext;
3581 struct nft_trans *trans;
3586 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3587 nft_set_elem_policy);
3592 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3595 nft_set_ext_prepare(&tmpl);
3597 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3601 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3603 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3604 nla[NFTA_SET_ELEM_KEY]);
3609 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3612 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
3615 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
3617 if (elem.priv == NULL)
3620 ext = nft_set_elem_ext(set, elem.priv);
3622 *nft_set_ext_flags(ext) = flags;
3624 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3625 if (trans == NULL) {
3630 priv = set->ops->deactivate(set, &elem);
3638 nft_trans_elem(trans) = elem;
3639 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3647 nft_data_uninit(&elem.key.val, desc.type);
3652 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3653 struct sk_buff *skb, const struct nlmsghdr *nlh,
3654 const struct nlattr * const nla[])
3656 u8 genmask = nft_genmask_next(net);
3657 const struct nlattr *attr;
3658 struct nft_set *set;
3662 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3665 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3669 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3671 return PTR_ERR(set);
3672 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3675 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3676 err = nft_del_setelem(&ctx, set, attr);
3685 void nft_set_gc_batch_release(struct rcu_head *rcu)
3687 struct nft_set_gc_batch *gcb;
3690 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3691 for (i = 0; i < gcb->head.cnt; i++)
3692 nft_set_elem_destroy(gcb->head.set, gcb->elems[i]);
3695 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3697 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3700 struct nft_set_gc_batch *gcb;
3702 gcb = kzalloc(sizeof(*gcb), gfp);
3705 gcb->head.set = set;
3708 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3710 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3711 u32 portid, u32 seq)
3713 struct nlmsghdr *nlh;
3714 struct nfgenmsg *nfmsg;
3715 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3717 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3719 goto nla_put_failure;
3721 nfmsg = nlmsg_data(nlh);
3722 nfmsg->nfgen_family = AF_UNSPEC;
3723 nfmsg->version = NFNETLINK_V0;
3724 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3726 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3727 goto nla_put_failure;
3729 nlmsg_end(skb, nlh);
3733 nlmsg_trim(skb, nlh);
3737 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3739 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3740 struct sk_buff *skb2;
3743 if (nlmsg_report(nlh) &&
3744 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3748 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3752 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3759 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3760 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3763 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3769 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3770 struct sk_buff *skb, const struct nlmsghdr *nlh,
3771 const struct nlattr * const nla[])
3773 struct sk_buff *skb2;
3776 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3780 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3785 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3791 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3792 [NFT_MSG_NEWTABLE] = {
3793 .call_batch = nf_tables_newtable,
3794 .attr_count = NFTA_TABLE_MAX,
3795 .policy = nft_table_policy,
3797 [NFT_MSG_GETTABLE] = {
3798 .call = nf_tables_gettable,
3799 .attr_count = NFTA_TABLE_MAX,
3800 .policy = nft_table_policy,
3802 [NFT_MSG_DELTABLE] = {
3803 .call_batch = nf_tables_deltable,
3804 .attr_count = NFTA_TABLE_MAX,
3805 .policy = nft_table_policy,
3807 [NFT_MSG_NEWCHAIN] = {
3808 .call_batch = nf_tables_newchain,
3809 .attr_count = NFTA_CHAIN_MAX,
3810 .policy = nft_chain_policy,
3812 [NFT_MSG_GETCHAIN] = {
3813 .call = nf_tables_getchain,
3814 .attr_count = NFTA_CHAIN_MAX,
3815 .policy = nft_chain_policy,
3817 [NFT_MSG_DELCHAIN] = {
3818 .call_batch = nf_tables_delchain,
3819 .attr_count = NFTA_CHAIN_MAX,
3820 .policy = nft_chain_policy,
3822 [NFT_MSG_NEWRULE] = {
3823 .call_batch = nf_tables_newrule,
3824 .attr_count = NFTA_RULE_MAX,
3825 .policy = nft_rule_policy,
3827 [NFT_MSG_GETRULE] = {
3828 .call = nf_tables_getrule,
3829 .attr_count = NFTA_RULE_MAX,
3830 .policy = nft_rule_policy,
3832 [NFT_MSG_DELRULE] = {
3833 .call_batch = nf_tables_delrule,
3834 .attr_count = NFTA_RULE_MAX,
3835 .policy = nft_rule_policy,
3837 [NFT_MSG_NEWSET] = {
3838 .call_batch = nf_tables_newset,
3839 .attr_count = NFTA_SET_MAX,
3840 .policy = nft_set_policy,
3842 [NFT_MSG_GETSET] = {
3843 .call = nf_tables_getset,
3844 .attr_count = NFTA_SET_MAX,
3845 .policy = nft_set_policy,
3847 [NFT_MSG_DELSET] = {
3848 .call_batch = nf_tables_delset,
3849 .attr_count = NFTA_SET_MAX,
3850 .policy = nft_set_policy,
3852 [NFT_MSG_NEWSETELEM] = {
3853 .call_batch = nf_tables_newsetelem,
3854 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3855 .policy = nft_set_elem_list_policy,
3857 [NFT_MSG_GETSETELEM] = {
3858 .call = nf_tables_getsetelem,
3859 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3860 .policy = nft_set_elem_list_policy,
3862 [NFT_MSG_DELSETELEM] = {
3863 .call_batch = nf_tables_delsetelem,
3864 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3865 .policy = nft_set_elem_list_policy,
3867 [NFT_MSG_GETGEN] = {
3868 .call = nf_tables_getgen,
3872 static void nft_chain_commit_update(struct nft_trans *trans)
3874 struct nft_base_chain *basechain;
3876 if (nft_trans_chain_name(trans)[0])
3877 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3879 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3882 basechain = nft_base_chain(trans->ctx.chain);
3883 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3885 switch (nft_trans_chain_policy(trans)) {
3888 basechain->policy = nft_trans_chain_policy(trans);
3893 static void nf_tables_commit_release(struct nft_trans *trans)
3895 switch (trans->msg_type) {
3896 case NFT_MSG_DELTABLE:
3897 nf_tables_table_destroy(&trans->ctx);
3899 case NFT_MSG_DELCHAIN:
3900 nf_tables_chain_destroy(trans->ctx.chain);
3902 case NFT_MSG_DELRULE:
3903 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3905 case NFT_MSG_DELSET:
3906 nft_set_destroy(nft_trans_set(trans));
3908 case NFT_MSG_DELSETELEM:
3909 nft_set_elem_destroy(nft_trans_elem_set(trans),
3910 nft_trans_elem(trans).priv);
3916 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
3918 struct nft_trans *trans, *next;
3919 struct nft_trans_elem *te;
3921 /* Bump generation counter, invalidate any dump in progress */
3922 while (++net->nft.base_seq == 0);
3924 /* A new generation has just started */
3925 net->nft.gencursor = nft_gencursor_next(net);
3927 /* Make sure all packets have left the previous generation before
3928 * purging old rules.
3932 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3933 switch (trans->msg_type) {
3934 case NFT_MSG_NEWTABLE:
3935 if (nft_trans_table_update(trans)) {
3936 if (!nft_trans_table_enable(trans)) {
3937 nf_tables_table_disable(trans->ctx.afi,
3939 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3942 nft_clear(net, trans->ctx.table);
3944 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3945 nft_trans_destroy(trans);
3947 case NFT_MSG_DELTABLE:
3948 list_del_rcu(&trans->ctx.table->list);
3949 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3951 case NFT_MSG_NEWCHAIN:
3952 if (nft_trans_chain_update(trans))
3953 nft_chain_commit_update(trans);
3955 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3957 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3958 nft_trans_destroy(trans);
3960 case NFT_MSG_DELCHAIN:
3961 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3962 nf_tables_unregister_hooks(trans->ctx.table,
3964 trans->ctx.afi->nops);
3966 case NFT_MSG_NEWRULE:
3967 nft_clear(trans->ctx.net, nft_trans_rule(trans));
3968 nf_tables_rule_notify(&trans->ctx,
3969 nft_trans_rule(trans),
3971 nft_trans_destroy(trans);
3973 case NFT_MSG_DELRULE:
3974 list_del_rcu(&nft_trans_rule(trans)->list);
3975 nf_tables_rule_notify(&trans->ctx,
3976 nft_trans_rule(trans),
3979 case NFT_MSG_NEWSET:
3980 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3981 /* This avoids hitting -EBUSY when deleting the table
3982 * from the transaction.
3984 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
3985 !list_empty(&nft_trans_set(trans)->bindings))
3986 trans->ctx.table->use--;
3988 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3989 NFT_MSG_NEWSET, GFP_KERNEL);
3990 nft_trans_destroy(trans);
3992 case NFT_MSG_DELSET:
3993 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3994 NFT_MSG_DELSET, GFP_KERNEL);
3996 case NFT_MSG_NEWSETELEM:
3997 te = (struct nft_trans_elem *)trans->data;
3999 te->set->ops->activate(te->set, &te->elem);
4000 nf_tables_setelem_notify(&trans->ctx, te->set,
4002 NFT_MSG_NEWSETELEM, 0);
4003 nft_trans_destroy(trans);
4005 case NFT_MSG_DELSETELEM:
4006 te = (struct nft_trans_elem *)trans->data;
4008 nf_tables_setelem_notify(&trans->ctx, te->set,
4010 NFT_MSG_DELSETELEM, 0);
4011 te->set->ops->remove(te->set, &te->elem);
4012 atomic_dec(&te->set->nelems);
4020 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4021 list_del(&trans->list);
4022 nf_tables_commit_release(trans);
4025 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
4030 static void nf_tables_abort_release(struct nft_trans *trans)
4032 switch (trans->msg_type) {
4033 case NFT_MSG_NEWTABLE:
4034 nf_tables_table_destroy(&trans->ctx);
4036 case NFT_MSG_NEWCHAIN:
4037 nf_tables_chain_destroy(trans->ctx.chain);
4039 case NFT_MSG_NEWRULE:
4040 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4042 case NFT_MSG_NEWSET:
4043 nft_set_destroy(nft_trans_set(trans));
4045 case NFT_MSG_NEWSETELEM:
4046 nft_set_elem_destroy(nft_trans_elem_set(trans),
4047 nft_trans_elem(trans).priv);
4053 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4055 struct nft_trans *trans, *next;
4056 struct nft_trans_elem *te;
4058 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4060 switch (trans->msg_type) {
4061 case NFT_MSG_NEWTABLE:
4062 if (nft_trans_table_update(trans)) {
4063 if (nft_trans_table_enable(trans)) {
4064 nf_tables_table_disable(trans->ctx.afi,
4066 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4068 nft_trans_destroy(trans);
4070 list_del_rcu(&trans->ctx.table->list);
4073 case NFT_MSG_DELTABLE:
4074 nft_clear(trans->ctx.net, trans->ctx.table);
4075 nft_trans_destroy(trans);
4077 case NFT_MSG_NEWCHAIN:
4078 if (nft_trans_chain_update(trans)) {
4079 free_percpu(nft_trans_chain_stats(trans));
4081 nft_trans_destroy(trans);
4083 trans->ctx.table->use--;
4084 list_del_rcu(&trans->ctx.chain->list);
4085 nf_tables_unregister_hooks(trans->ctx.table,
4087 trans->ctx.afi->nops);
4090 case NFT_MSG_DELCHAIN:
4091 trans->ctx.table->use++;
4092 list_add_tail_rcu(&trans->ctx.chain->list,
4093 &trans->ctx.table->chains);
4094 nft_trans_destroy(trans);
4096 case NFT_MSG_NEWRULE:
4097 trans->ctx.chain->use--;
4098 list_del_rcu(&nft_trans_rule(trans)->list);
4100 case NFT_MSG_DELRULE:
4101 trans->ctx.chain->use++;
4102 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4103 nft_trans_destroy(trans);
4105 case NFT_MSG_NEWSET:
4106 trans->ctx.table->use--;
4107 list_del_rcu(&nft_trans_set(trans)->list);
4109 case NFT_MSG_DELSET:
4110 trans->ctx.table->use++;
4111 list_add_tail_rcu(&nft_trans_set(trans)->list,
4112 &trans->ctx.table->sets);
4113 nft_trans_destroy(trans);
4115 case NFT_MSG_NEWSETELEM:
4116 te = (struct nft_trans_elem *)trans->data;
4118 te->set->ops->remove(te->set, &te->elem);
4119 atomic_dec(&te->set->nelems);
4121 case NFT_MSG_DELSETELEM:
4122 te = (struct nft_trans_elem *)trans->data;
4124 te->set->ops->activate(te->set, &te->elem);
4127 nft_trans_destroy(trans);
4134 list_for_each_entry_safe_reverse(trans, next,
4135 &net->nft.commit_list, list) {
4136 list_del(&trans->list);
4137 nf_tables_abort_release(trans);
4143 static const struct nfnetlink_subsystem nf_tables_subsys = {
4144 .name = "nf_tables",
4145 .subsys_id = NFNL_SUBSYS_NFTABLES,
4146 .cb_count = NFT_MSG_MAX,
4148 .commit = nf_tables_commit,
4149 .abort = nf_tables_abort,
4152 int nft_chain_validate_dependency(const struct nft_chain *chain,
4153 enum nft_chain_type type)
4155 const struct nft_base_chain *basechain;
4157 if (chain->flags & NFT_BASE_CHAIN) {
4158 basechain = nft_base_chain(chain);
4159 if (basechain->type->type != type)
4164 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4166 int nft_chain_validate_hooks(const struct nft_chain *chain,
4167 unsigned int hook_flags)
4169 struct nft_base_chain *basechain;
4171 if (chain->flags & NFT_BASE_CHAIN) {
4172 basechain = nft_base_chain(chain);
4174 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4182 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4185 * Loop detection - walk through the ruleset beginning at the destination chain
4186 * of a new jump until either the source chain is reached (loop) or all
4187 * reachable chains have been traversed.
4189 * The loop check is performed whenever a new jump verdict is added to an
4190 * expression or verdict map or a verdict map is bound to a new chain.
4193 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4194 const struct nft_chain *chain);
4196 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4197 const struct nft_set *set,
4198 const struct nft_set_iter *iter,
4199 const struct nft_set_elem *elem)
4201 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4202 const struct nft_data *data;
4204 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4205 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4208 data = nft_set_ext_data(ext);
4209 switch (data->verdict.code) {
4212 return nf_tables_check_loops(ctx, data->verdict.chain);
4218 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4219 const struct nft_chain *chain)
4221 const struct nft_rule *rule;
4222 const struct nft_expr *expr, *last;
4223 const struct nft_set *set;
4224 struct nft_set_binding *binding;
4225 struct nft_set_iter iter;
4227 if (ctx->chain == chain)
4230 list_for_each_entry(rule, &chain->rules, list) {
4231 nft_rule_for_each_expr(expr, last, rule) {
4232 const struct nft_data *data = NULL;
4235 if (!expr->ops->validate)
4238 err = expr->ops->validate(ctx, expr, &data);
4245 switch (data->verdict.code) {
4248 err = nf_tables_check_loops(ctx,
4249 data->verdict.chain);
4258 list_for_each_entry(set, &ctx->table->sets, list) {
4259 if (!(set->flags & NFT_SET_MAP) ||
4260 set->dtype != NFT_DATA_VERDICT)
4263 list_for_each_entry(binding, &set->bindings, list) {
4264 if (!(binding->flags & NFT_SET_MAP) ||
4265 binding->chain != chain)
4271 iter.fn = nf_tables_loop_check_setelem;
4273 set->ops->walk(ctx, set, &iter);
4283 * nft_parse_register - parse a register value from a netlink attribute
4285 * @attr: netlink attribute
4287 * Parse and translate a register value from a netlink attribute.
4288 * Registers used to be 128 bit wide, these register numbers will be
4289 * mapped to the corresponding 32 bit register numbers.
4291 unsigned int nft_parse_register(const struct nlattr *attr)
4295 reg = ntohl(nla_get_be32(attr));
4297 case NFT_REG_VERDICT...NFT_REG_4:
4298 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4300 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4303 EXPORT_SYMBOL_GPL(nft_parse_register);
4306 * nft_dump_register - dump a register value to a netlink attribute
4308 * @skb: socket buffer
4309 * @attr: attribute number
4310 * @reg: register number
4312 * Construct a netlink attribute containing the register number. For
4313 * compatibility reasons, register numbers being a multiple of 4 are
4314 * translated to the corresponding 128 bit register numbers.
4316 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4318 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4319 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4321 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4323 return nla_put_be32(skb, attr, htonl(reg));
4325 EXPORT_SYMBOL_GPL(nft_dump_register);
4328 * nft_validate_register_load - validate a load from a register
4330 * @reg: the register number
4331 * @len: the length of the data
4333 * Validate that the input register is one of the general purpose
4334 * registers and that the length of the load is within the bounds.
4336 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4338 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4342 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4347 EXPORT_SYMBOL_GPL(nft_validate_register_load);
4350 * nft_validate_register_store - validate an expressions' register store
4352 * @ctx: context of the expression performing the load
4353 * @reg: the destination register number
4354 * @data: the data to load
4355 * @type: the data type
4356 * @len: the length of the data
4358 * Validate that a data load uses the appropriate data type for
4359 * the destination register and the length is within the bounds.
4360 * A value of NULL for the data means that its runtime gathered
4363 int nft_validate_register_store(const struct nft_ctx *ctx,
4364 enum nft_registers reg,
4365 const struct nft_data *data,
4366 enum nft_data_types type, unsigned int len)
4371 case NFT_REG_VERDICT:
4372 if (type != NFT_DATA_VERDICT)
4376 (data->verdict.code == NFT_GOTO ||
4377 data->verdict.code == NFT_JUMP)) {
4378 err = nf_tables_check_loops(ctx, data->verdict.chain);
4382 if (ctx->chain->level + 1 >
4383 data->verdict.chain->level) {
4384 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4386 data->verdict.chain->level = ctx->chain->level + 1;
4392 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4396 if (reg * NFT_REG32_SIZE + len >
4397 FIELD_SIZEOF(struct nft_regs, data))
4400 if (data != NULL && type != NFT_DATA_VALUE)
4405 EXPORT_SYMBOL_GPL(nft_validate_register_store);
4407 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4408 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4409 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4410 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4413 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4414 struct nft_data_desc *desc, const struct nlattr *nla)
4416 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4417 struct nft_chain *chain;
4420 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4424 if (!tb[NFTA_VERDICT_CODE])
4426 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4428 switch (data->verdict.code) {
4430 switch (data->verdict.code & NF_VERDICT_MASK) {
4445 if (!tb[NFTA_VERDICT_CHAIN])
4447 chain = nf_tables_chain_lookup(ctx->table,
4448 tb[NFTA_VERDICT_CHAIN]);
4450 return PTR_ERR(chain);
4451 if (chain->flags & NFT_BASE_CHAIN)
4455 data->verdict.chain = chain;
4459 desc->len = sizeof(data->verdict);
4460 desc->type = NFT_DATA_VERDICT;
4464 static void nft_verdict_uninit(const struct nft_data *data)
4466 switch (data->verdict.code) {
4469 data->verdict.chain->use--;
4474 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4476 struct nlattr *nest;
4478 nest = nla_nest_start(skb, type);
4480 goto nla_put_failure;
4482 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4483 goto nla_put_failure;
4488 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4490 goto nla_put_failure;
4492 nla_nest_end(skb, nest);
4499 static int nft_value_init(const struct nft_ctx *ctx,
4500 struct nft_data *data, unsigned int size,
4501 struct nft_data_desc *desc, const struct nlattr *nla)
4511 nla_memcpy(data->data, nla, len);
4512 desc->type = NFT_DATA_VALUE;
4517 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4520 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4523 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4524 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4525 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4529 * nft_data_init - parse nf_tables data netlink attributes
4531 * @ctx: context of the expression using the data
4532 * @data: destination struct nft_data
4533 * @size: maximum data length
4534 * @desc: data description
4535 * @nla: netlink attribute containing data
4537 * Parse the netlink data attributes and initialize a struct nft_data.
4538 * The type and length of data are returned in the data description.
4540 * The caller can indicate that it only wants to accept data of type
4541 * NFT_DATA_VALUE by passing NULL for the ctx argument.
4543 int nft_data_init(const struct nft_ctx *ctx,
4544 struct nft_data *data, unsigned int size,
4545 struct nft_data_desc *desc, const struct nlattr *nla)
4547 struct nlattr *tb[NFTA_DATA_MAX + 1];
4550 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4554 if (tb[NFTA_DATA_VALUE])
4555 return nft_value_init(ctx, data, size, desc,
4556 tb[NFTA_DATA_VALUE]);
4557 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4558 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4561 EXPORT_SYMBOL_GPL(nft_data_init);
4564 * nft_data_uninit - release a nft_data item
4566 * @data: struct nft_data to release
4567 * @type: type of data
4569 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4570 * all others need to be released by calling this function.
4572 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4574 if (type < NFT_DATA_VERDICT)
4577 case NFT_DATA_VERDICT:
4578 return nft_verdict_uninit(data);
4583 EXPORT_SYMBOL_GPL(nft_data_uninit);
4585 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4586 enum nft_data_types type, unsigned int len)
4588 struct nlattr *nest;
4591 nest = nla_nest_start(skb, attr);
4596 case NFT_DATA_VALUE:
4597 err = nft_value_dump(skb, data, len);
4599 case NFT_DATA_VERDICT:
4600 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4607 nla_nest_end(skb, nest);
4610 EXPORT_SYMBOL_GPL(nft_data_dump);
4612 static int __net_init nf_tables_init_net(struct net *net)
4614 INIT_LIST_HEAD(&net->nft.af_info);
4615 INIT_LIST_HEAD(&net->nft.commit_list);
4616 net->nft.base_seq = 1;
4620 int __nft_release_basechain(struct nft_ctx *ctx)
4622 struct nft_rule *rule, *nr;
4624 BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4626 nf_tables_unregister_hooks(ctx->chain->table, ctx->chain,
4628 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4629 list_del(&rule->list);
4631 nf_tables_rule_destroy(ctx, rule);
4633 list_del(&ctx->chain->list);
4635 nf_tables_chain_destroy(ctx->chain);
4639 EXPORT_SYMBOL_GPL(__nft_release_basechain);
4641 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
4642 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4644 struct nft_table *table, *nt;
4645 struct nft_chain *chain, *nc;
4646 struct nft_rule *rule, *nr;
4647 struct nft_set *set, *ns;
4648 struct nft_ctx ctx = {
4653 list_for_each_entry_safe(table, nt, &afi->tables, list) {
4654 list_for_each_entry(chain, &table->chains, list)
4655 nf_tables_unregister_hooks(table, chain, afi->nops);
4656 /* No packets are walking on these chains anymore. */
4658 list_for_each_entry(chain, &table->chains, list) {
4660 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4661 list_del(&rule->list);
4663 nf_tables_rule_destroy(&ctx, rule);
4666 list_for_each_entry_safe(set, ns, &table->sets, list) {
4667 list_del(&set->list);
4669 nft_set_destroy(set);
4671 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4672 list_del(&chain->list);
4674 nf_tables_chain_destroy(chain);
4676 list_del(&table->list);
4677 nf_tables_table_destroy(&ctx);
4681 static struct pernet_operations nf_tables_net_ops = {
4682 .init = nf_tables_init_net,
4685 static int __init nf_tables_module_init(void)
4689 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4696 err = nf_tables_core_module_init();
4700 err = nfnetlink_subsys_register(&nf_tables_subsys);
4704 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4705 return register_pernet_subsys(&nf_tables_net_ops);
4707 nf_tables_core_module_exit();
4714 static void __exit nf_tables_module_exit(void)
4716 unregister_pernet_subsys(&nf_tables_net_ops);
4717 nfnetlink_subsys_unregister(&nf_tables_subsys);
4719 nf_tables_core_module_exit();
4723 module_init(nf_tables_module_init);
4724 module_exit(nf_tables_module_exit);
4726 MODULE_LICENSE("GPL");
4727 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4728 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / cascardo / linux.git / blob