2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions
);
25 static LIST_HEAD(nf_tables_objects
);
28 * nft_register_afinfo - register nf_tables address family info
30 * @afi: address family info to register
32 * Register the address family for use with nf_tables. Returns zero on
33 * success or a negative errno code otherwise.
35 int nft_register_afinfo(struct net
*net
, struct nft_af_info
*afi
)
37 INIT_LIST_HEAD(&afi
->tables
);
38 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
39 list_add_tail_rcu(&afi
->list
, &net
->nft
.af_info
);
40 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
43 EXPORT_SYMBOL_GPL(nft_register_afinfo
);
45 static void __nft_release_afinfo(struct net
*net
, struct nft_af_info
*afi
);
48 * nft_unregister_afinfo - unregister nf_tables address family info
50 * @afi: address family info to unregister
52 * Unregister the address family for use with nf_tables.
54 void nft_unregister_afinfo(struct net
*net
, struct nft_af_info
*afi
)
56 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
57 __nft_release_afinfo(net
, afi
);
58 list_del_rcu(&afi
->list
);
59 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
61 EXPORT_SYMBOL_GPL(nft_unregister_afinfo
);
63 static struct nft_af_info
*nft_afinfo_lookup(struct net
*net
, int family
)
65 struct nft_af_info
*afi
;
67 list_for_each_entry(afi
, &net
->nft
.af_info
, list
) {
68 if (afi
->family
== family
)
74 static struct nft_af_info
*
75 nf_tables_afinfo_lookup(struct net
*net
, int family
, bool autoload
)
77 struct nft_af_info
*afi
;
79 afi
= nft_afinfo_lookup(net
, family
);
84 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
85 request_module("nft-afinfo-%u", family
);
86 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
87 afi
= nft_afinfo_lookup(net
, family
);
89 return ERR_PTR(-EAGAIN
);
92 return ERR_PTR(-EAFNOSUPPORT
);
95 static void nft_ctx_init(struct nft_ctx
*ctx
,
97 const struct sk_buff
*skb
,
98 const struct nlmsghdr
*nlh
,
99 struct nft_af_info
*afi
,
100 struct nft_table
*table
,
101 struct nft_chain
*chain
,
102 const struct nlattr
* const *nla
)
109 ctx
->portid
= NETLINK_CB(skb
).portid
;
110 ctx
->report
= nlmsg_report(nlh
);
111 ctx
->seq
= nlh
->nlmsg_seq
;
114 static struct nft_trans
*nft_trans_alloc_gfp(const struct nft_ctx
*ctx
,
115 int msg_type
, u32 size
, gfp_t gfp
)
117 struct nft_trans
*trans
;
119 trans
= kzalloc(sizeof(struct nft_trans
) + size
, gfp
);
123 trans
->msg_type
= msg_type
;
129 static struct nft_trans
*nft_trans_alloc(const struct nft_ctx
*ctx
,
130 int msg_type
, u32 size
)
132 return nft_trans_alloc_gfp(ctx
, msg_type
, size
, GFP_KERNEL
);
135 static void nft_trans_destroy(struct nft_trans
*trans
)
137 list_del(&trans
->list
);
141 static int nf_tables_register_hooks(struct net
*net
,
142 const struct nft_table
*table
,
143 struct nft_chain
*chain
,
144 unsigned int hook_nops
)
146 if (table
->flags
& NFT_TABLE_F_DORMANT
||
147 !(chain
->flags
& NFT_BASE_CHAIN
))
150 return nf_register_net_hooks(net
, nft_base_chain(chain
)->ops
,
154 static void nf_tables_unregister_hooks(struct net
*net
,
155 const struct nft_table
*table
,
156 struct nft_chain
*chain
,
157 unsigned int hook_nops
)
159 if (table
->flags
& NFT_TABLE_F_DORMANT
||
160 !(chain
->flags
& NFT_BASE_CHAIN
))
163 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
, hook_nops
);
166 static int nft_trans_table_add(struct nft_ctx
*ctx
, int msg_type
)
168 struct nft_trans
*trans
;
170 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_table
));
174 if (msg_type
== NFT_MSG_NEWTABLE
)
175 nft_activate_next(ctx
->net
, ctx
->table
);
177 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
181 static int nft_deltable(struct nft_ctx
*ctx
)
185 err
= nft_trans_table_add(ctx
, NFT_MSG_DELTABLE
);
189 nft_deactivate_next(ctx
->net
, ctx
->table
);
193 static int nft_trans_chain_add(struct nft_ctx
*ctx
, int msg_type
)
195 struct nft_trans
*trans
;
197 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_chain
));
201 if (msg_type
== NFT_MSG_NEWCHAIN
)
202 nft_activate_next(ctx
->net
, ctx
->chain
);
204 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
208 static int nft_delchain(struct nft_ctx
*ctx
)
212 err
= nft_trans_chain_add(ctx
, NFT_MSG_DELCHAIN
);
217 nft_deactivate_next(ctx
->net
, ctx
->chain
);
223 nf_tables_delrule_deactivate(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
225 /* You cannot delete the same rule twice */
226 if (nft_is_active_next(ctx
->net
, rule
)) {
227 nft_deactivate_next(ctx
->net
, rule
);
234 static struct nft_trans
*nft_trans_rule_add(struct nft_ctx
*ctx
, int msg_type
,
235 struct nft_rule
*rule
)
237 struct nft_trans
*trans
;
239 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_rule
));
243 nft_trans_rule(trans
) = rule
;
244 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
249 static int nft_delrule(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
251 struct nft_trans
*trans
;
254 trans
= nft_trans_rule_add(ctx
, NFT_MSG_DELRULE
, rule
);
258 err
= nf_tables_delrule_deactivate(ctx
, rule
);
260 nft_trans_destroy(trans
);
267 static int nft_delrule_by_chain(struct nft_ctx
*ctx
)
269 struct nft_rule
*rule
;
272 list_for_each_entry(rule
, &ctx
->chain
->rules
, list
) {
273 err
= nft_delrule(ctx
, rule
);
280 static int nft_trans_set_add(struct nft_ctx
*ctx
, int msg_type
,
283 struct nft_trans
*trans
;
285 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_set
));
289 if (msg_type
== NFT_MSG_NEWSET
&& ctx
->nla
[NFTA_SET_ID
] != NULL
) {
290 nft_trans_set_id(trans
) =
291 ntohl(nla_get_be32(ctx
->nla
[NFTA_SET_ID
]));
292 nft_activate_next(ctx
->net
, set
);
294 nft_trans_set(trans
) = set
;
295 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
300 static int nft_delset(struct nft_ctx
*ctx
, struct nft_set
*set
)
304 err
= nft_trans_set_add(ctx
, NFT_MSG_DELSET
, set
);
308 nft_deactivate_next(ctx
->net
, set
);
314 static int nft_trans_obj_add(struct nft_ctx
*ctx
, int msg_type
,
315 struct nft_object
*obj
)
317 struct nft_trans
*trans
;
319 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_obj
));
323 if (msg_type
== NFT_MSG_NEWOBJ
)
324 nft_activate_next(ctx
->net
, obj
);
326 nft_trans_obj(trans
) = obj
;
327 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
332 static int nft_delobj(struct nft_ctx
*ctx
, struct nft_object
*obj
)
336 err
= nft_trans_obj_add(ctx
, NFT_MSG_DELOBJ
, obj
);
340 nft_deactivate_next(ctx
->net
, obj
);
350 static struct nft_table
*nft_table_lookup(const struct nft_af_info
*afi
,
351 const struct nlattr
*nla
,
354 struct nft_table
*table
;
356 list_for_each_entry(table
, &afi
->tables
, list
) {
357 if (!nla_strcmp(nla
, table
->name
) &&
358 nft_active_genmask(table
, genmask
))
364 static struct nft_table
*nf_tables_table_lookup(const struct nft_af_info
*afi
,
365 const struct nlattr
*nla
,
368 struct nft_table
*table
;
371 return ERR_PTR(-EINVAL
);
373 table
= nft_table_lookup(afi
, nla
, genmask
);
377 return ERR_PTR(-ENOENT
);
380 static inline u64
nf_tables_alloc_handle(struct nft_table
*table
)
382 return ++table
->hgenerator
;
385 static const struct nf_chain_type
*chain_type
[AF_MAX
][NFT_CHAIN_T_MAX
];
387 static const struct nf_chain_type
*
388 __nf_tables_chain_type_lookup(int family
, const struct nlattr
*nla
)
392 for (i
= 0; i
< NFT_CHAIN_T_MAX
; i
++) {
393 if (chain_type
[family
][i
] != NULL
&&
394 !nla_strcmp(nla
, chain_type
[family
][i
]->name
))
395 return chain_type
[family
][i
];
400 static const struct nf_chain_type
*
401 nf_tables_chain_type_lookup(const struct nft_af_info
*afi
,
402 const struct nlattr
*nla
,
405 const struct nf_chain_type
*type
;
407 type
= __nf_tables_chain_type_lookup(afi
->family
, nla
);
410 #ifdef CONFIG_MODULES
412 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
413 request_module("nft-chain-%u-%.*s", afi
->family
,
414 nla_len(nla
), (const char *)nla_data(nla
));
415 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
416 type
= __nf_tables_chain_type_lookup(afi
->family
, nla
);
418 return ERR_PTR(-EAGAIN
);
421 return ERR_PTR(-ENOENT
);
424 static const struct nla_policy nft_table_policy
[NFTA_TABLE_MAX
+ 1] = {
425 [NFTA_TABLE_NAME
] = { .type
= NLA_STRING
,
426 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
427 [NFTA_TABLE_FLAGS
] = { .type
= NLA_U32
},
430 static int nf_tables_fill_table_info(struct sk_buff
*skb
, struct net
*net
,
431 u32 portid
, u32 seq
, int event
, u32 flags
,
432 int family
, const struct nft_table
*table
)
434 struct nlmsghdr
*nlh
;
435 struct nfgenmsg
*nfmsg
;
437 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
438 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
440 goto nla_put_failure
;
442 nfmsg
= nlmsg_data(nlh
);
443 nfmsg
->nfgen_family
= family
;
444 nfmsg
->version
= NFNETLINK_V0
;
445 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
447 if (nla_put_string(skb
, NFTA_TABLE_NAME
, table
->name
) ||
448 nla_put_be32(skb
, NFTA_TABLE_FLAGS
, htonl(table
->flags
)) ||
449 nla_put_be32(skb
, NFTA_TABLE_USE
, htonl(table
->use
)))
450 goto nla_put_failure
;
456 nlmsg_trim(skb
, nlh
);
460 static int nf_tables_table_notify(const struct nft_ctx
*ctx
, int event
)
466 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
470 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
474 err
= nf_tables_fill_table_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
475 event
, 0, ctx
->afi
->family
, ctx
->table
);
481 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
482 ctx
->report
, GFP_KERNEL
);
485 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
491 static int nf_tables_dump_tables(struct sk_buff
*skb
,
492 struct netlink_callback
*cb
)
494 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
495 const struct nft_af_info
*afi
;
496 const struct nft_table
*table
;
497 unsigned int idx
= 0, s_idx
= cb
->args
[0];
498 struct net
*net
= sock_net(skb
->sk
);
499 int family
= nfmsg
->nfgen_family
;
502 cb
->seq
= net
->nft
.base_seq
;
504 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
505 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
508 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
512 memset(&cb
->args
[1], 0,
513 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
514 if (!nft_is_active(net
, table
))
516 if (nf_tables_fill_table_info(skb
, net
,
517 NETLINK_CB(cb
->skb
).portid
,
521 afi
->family
, table
) < 0)
524 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
535 static int nf_tables_gettable(struct net
*net
, struct sock
*nlsk
,
536 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
537 const struct nlattr
* const nla
[])
539 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
540 u8 genmask
= nft_genmask_cur(net
);
541 const struct nft_af_info
*afi
;
542 const struct nft_table
*table
;
543 struct sk_buff
*skb2
;
544 int family
= nfmsg
->nfgen_family
;
547 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
548 struct netlink_dump_control c
= {
549 .dump
= nf_tables_dump_tables
,
551 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
554 afi
= nf_tables_afinfo_lookup(net
, family
, false);
558 table
= nf_tables_table_lookup(afi
, nla
[NFTA_TABLE_NAME
], genmask
);
560 return PTR_ERR(table
);
562 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
566 err
= nf_tables_fill_table_info(skb2
, net
, NETLINK_CB(skb
).portid
,
567 nlh
->nlmsg_seq
, NFT_MSG_NEWTABLE
, 0,
572 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
579 static int nf_tables_table_enable(struct net
*net
,
580 const struct nft_af_info
*afi
,
581 struct nft_table
*table
)
583 struct nft_chain
*chain
;
586 list_for_each_entry(chain
, &table
->chains
, list
) {
587 if (!nft_is_active_next(net
, chain
))
589 if (!(chain
->flags
& NFT_BASE_CHAIN
))
592 err
= nf_register_net_hooks(net
, nft_base_chain(chain
)->ops
,
601 list_for_each_entry(chain
, &table
->chains
, list
) {
602 if (!nft_is_active_next(net
, chain
))
604 if (!(chain
->flags
& NFT_BASE_CHAIN
))
610 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
,
616 static void nf_tables_table_disable(struct net
*net
,
617 const struct nft_af_info
*afi
,
618 struct nft_table
*table
)
620 struct nft_chain
*chain
;
622 list_for_each_entry(chain
, &table
->chains
, list
) {
623 if (!nft_is_active_next(net
, chain
))
625 if (!(chain
->flags
& NFT_BASE_CHAIN
))
628 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
,
633 static int nf_tables_updtable(struct nft_ctx
*ctx
)
635 struct nft_trans
*trans
;
639 if (!ctx
->nla
[NFTA_TABLE_FLAGS
])
642 flags
= ntohl(nla_get_be32(ctx
->nla
[NFTA_TABLE_FLAGS
]));
643 if (flags
& ~NFT_TABLE_F_DORMANT
)
646 if (flags
== ctx
->table
->flags
)
649 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWTABLE
,
650 sizeof(struct nft_trans_table
));
654 if ((flags
& NFT_TABLE_F_DORMANT
) &&
655 !(ctx
->table
->flags
& NFT_TABLE_F_DORMANT
)) {
656 nft_trans_table_enable(trans
) = false;
657 } else if (!(flags
& NFT_TABLE_F_DORMANT
) &&
658 ctx
->table
->flags
& NFT_TABLE_F_DORMANT
) {
659 ret
= nf_tables_table_enable(ctx
->net
, ctx
->afi
, ctx
->table
);
661 ctx
->table
->flags
&= ~NFT_TABLE_F_DORMANT
;
662 nft_trans_table_enable(trans
) = true;
668 nft_trans_table_update(trans
) = true;
669 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
672 nft_trans_destroy(trans
);
676 static int nf_tables_newtable(struct net
*net
, struct sock
*nlsk
,
677 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
678 const struct nlattr
* const nla
[])
680 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
681 u8 genmask
= nft_genmask_next(net
);
682 const struct nlattr
*name
;
683 struct nft_af_info
*afi
;
684 struct nft_table
*table
;
685 int family
= nfmsg
->nfgen_family
;
690 afi
= nf_tables_afinfo_lookup(net
, family
, true);
694 name
= nla
[NFTA_TABLE_NAME
];
695 table
= nf_tables_table_lookup(afi
, name
, genmask
);
697 if (PTR_ERR(table
) != -ENOENT
)
698 return PTR_ERR(table
);
703 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
705 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
708 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
709 return nf_tables_updtable(&ctx
);
712 if (nla
[NFTA_TABLE_FLAGS
]) {
713 flags
= ntohl(nla_get_be32(nla
[NFTA_TABLE_FLAGS
]));
714 if (flags
& ~NFT_TABLE_F_DORMANT
)
719 if (!try_module_get(afi
->owner
))
723 table
= kzalloc(sizeof(*table
), GFP_KERNEL
);
727 nla_strlcpy(table
->name
, name
, NFT_TABLE_MAXNAMELEN
);
728 INIT_LIST_HEAD(&table
->chains
);
729 INIT_LIST_HEAD(&table
->sets
);
730 INIT_LIST_HEAD(&table
->objects
);
731 table
->flags
= flags
;
733 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
734 err
= nft_trans_table_add(&ctx
, NFT_MSG_NEWTABLE
);
738 list_add_tail_rcu(&table
->list
, &afi
->tables
);
743 module_put(afi
->owner
);
748 static int nft_flush_table(struct nft_ctx
*ctx
)
751 struct nft_chain
*chain
, *nc
;
752 struct nft_object
*obj
, *ne
;
753 struct nft_set
*set
, *ns
;
755 list_for_each_entry(chain
, &ctx
->table
->chains
, list
) {
756 if (!nft_is_active_next(ctx
->net
, chain
))
761 err
= nft_delrule_by_chain(ctx
);
766 list_for_each_entry_safe(set
, ns
, &ctx
->table
->sets
, list
) {
767 if (!nft_is_active_next(ctx
->net
, set
))
770 if (set
->flags
& NFT_SET_ANONYMOUS
&&
771 !list_empty(&set
->bindings
))
774 err
= nft_delset(ctx
, set
);
779 list_for_each_entry_safe(obj
, ne
, &ctx
->table
->objects
, list
) {
780 err
= nft_delobj(ctx
, obj
);
785 list_for_each_entry_safe(chain
, nc
, &ctx
->table
->chains
, list
) {
786 if (!nft_is_active_next(ctx
->net
, chain
))
791 err
= nft_delchain(ctx
);
796 err
= nft_deltable(ctx
);
801 static int nft_flush(struct nft_ctx
*ctx
, int family
)
803 struct nft_af_info
*afi
;
804 struct nft_table
*table
, *nt
;
805 const struct nlattr
* const *nla
= ctx
->nla
;
808 list_for_each_entry(afi
, &ctx
->net
->nft
.af_info
, list
) {
809 if (family
!= AF_UNSPEC
&& afi
->family
!= family
)
813 list_for_each_entry_safe(table
, nt
, &afi
->tables
, list
) {
814 if (!nft_is_active_next(ctx
->net
, table
))
817 if (nla
[NFTA_TABLE_NAME
] &&
818 nla_strcmp(nla
[NFTA_TABLE_NAME
], table
->name
) != 0)
823 err
= nft_flush_table(ctx
);
832 static int nf_tables_deltable(struct net
*net
, struct sock
*nlsk
,
833 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
834 const struct nlattr
* const nla
[])
836 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
837 u8 genmask
= nft_genmask_next(net
);
838 struct nft_af_info
*afi
;
839 struct nft_table
*table
;
840 int family
= nfmsg
->nfgen_family
;
843 nft_ctx_init(&ctx
, net
, skb
, nlh
, NULL
, NULL
, NULL
, nla
);
844 if (family
== AF_UNSPEC
|| nla
[NFTA_TABLE_NAME
] == NULL
)
845 return nft_flush(&ctx
, family
);
847 afi
= nf_tables_afinfo_lookup(net
, family
, false);
851 table
= nf_tables_table_lookup(afi
, nla
[NFTA_TABLE_NAME
], genmask
);
853 return PTR_ERR(table
);
858 return nft_flush_table(&ctx
);
861 static void nf_tables_table_destroy(struct nft_ctx
*ctx
)
863 BUG_ON(ctx
->table
->use
> 0);
866 module_put(ctx
->afi
->owner
);
869 int nft_register_chain_type(const struct nf_chain_type
*ctype
)
873 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
874 if (chain_type
[ctype
->family
][ctype
->type
] != NULL
) {
878 chain_type
[ctype
->family
][ctype
->type
] = ctype
;
880 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
883 EXPORT_SYMBOL_GPL(nft_register_chain_type
);
885 void nft_unregister_chain_type(const struct nf_chain_type
*ctype
)
887 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
888 chain_type
[ctype
->family
][ctype
->type
] = NULL
;
889 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
891 EXPORT_SYMBOL_GPL(nft_unregister_chain_type
);
897 static struct nft_chain
*
898 nf_tables_chain_lookup_byhandle(const struct nft_table
*table
, u64 handle
,
901 struct nft_chain
*chain
;
903 list_for_each_entry(chain
, &table
->chains
, list
) {
904 if (chain
->handle
== handle
&&
905 nft_active_genmask(chain
, genmask
))
909 return ERR_PTR(-ENOENT
);
912 static struct nft_chain
*nf_tables_chain_lookup(const struct nft_table
*table
,
913 const struct nlattr
*nla
,
916 struct nft_chain
*chain
;
919 return ERR_PTR(-EINVAL
);
921 list_for_each_entry(chain
, &table
->chains
, list
) {
922 if (!nla_strcmp(nla
, chain
->name
) &&
923 nft_active_genmask(chain
, genmask
))
927 return ERR_PTR(-ENOENT
);
930 static const struct nla_policy nft_chain_policy
[NFTA_CHAIN_MAX
+ 1] = {
931 [NFTA_CHAIN_TABLE
] = { .type
= NLA_STRING
,
932 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
933 [NFTA_CHAIN_HANDLE
] = { .type
= NLA_U64
},
934 [NFTA_CHAIN_NAME
] = { .type
= NLA_STRING
,
935 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
936 [NFTA_CHAIN_HOOK
] = { .type
= NLA_NESTED
},
937 [NFTA_CHAIN_POLICY
] = { .type
= NLA_U32
},
938 [NFTA_CHAIN_TYPE
] = { .type
= NLA_STRING
},
939 [NFTA_CHAIN_COUNTERS
] = { .type
= NLA_NESTED
},
942 static const struct nla_policy nft_hook_policy
[NFTA_HOOK_MAX
+ 1] = {
943 [NFTA_HOOK_HOOKNUM
] = { .type
= NLA_U32
},
944 [NFTA_HOOK_PRIORITY
] = { .type
= NLA_U32
},
945 [NFTA_HOOK_DEV
] = { .type
= NLA_STRING
,
946 .len
= IFNAMSIZ
- 1 },
949 static int nft_dump_stats(struct sk_buff
*skb
, struct nft_stats __percpu
*stats
)
951 struct nft_stats
*cpu_stats
, total
;
957 memset(&total
, 0, sizeof(total
));
958 for_each_possible_cpu(cpu
) {
959 cpu_stats
= per_cpu_ptr(stats
, cpu
);
961 seq
= u64_stats_fetch_begin_irq(&cpu_stats
->syncp
);
962 pkts
= cpu_stats
->pkts
;
963 bytes
= cpu_stats
->bytes
;
964 } while (u64_stats_fetch_retry_irq(&cpu_stats
->syncp
, seq
));
966 total
.bytes
+= bytes
;
968 nest
= nla_nest_start(skb
, NFTA_CHAIN_COUNTERS
);
970 goto nla_put_failure
;
972 if (nla_put_be64(skb
, NFTA_COUNTER_PACKETS
, cpu_to_be64(total
.pkts
),
974 nla_put_be64(skb
, NFTA_COUNTER_BYTES
, cpu_to_be64(total
.bytes
),
976 goto nla_put_failure
;
978 nla_nest_end(skb
, nest
);
985 static int nf_tables_fill_chain_info(struct sk_buff
*skb
, struct net
*net
,
986 u32 portid
, u32 seq
, int event
, u32 flags
,
987 int family
, const struct nft_table
*table
,
988 const struct nft_chain
*chain
)
990 struct nlmsghdr
*nlh
;
991 struct nfgenmsg
*nfmsg
;
993 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
994 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
996 goto nla_put_failure
;
998 nfmsg
= nlmsg_data(nlh
);
999 nfmsg
->nfgen_family
= family
;
1000 nfmsg
->version
= NFNETLINK_V0
;
1001 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
1003 if (nla_put_string(skb
, NFTA_CHAIN_TABLE
, table
->name
))
1004 goto nla_put_failure
;
1005 if (nla_put_be64(skb
, NFTA_CHAIN_HANDLE
, cpu_to_be64(chain
->handle
),
1007 goto nla_put_failure
;
1008 if (nla_put_string(skb
, NFTA_CHAIN_NAME
, chain
->name
))
1009 goto nla_put_failure
;
1011 if (chain
->flags
& NFT_BASE_CHAIN
) {
1012 const struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1013 const struct nf_hook_ops
*ops
= &basechain
->ops
[0];
1014 struct nlattr
*nest
;
1016 nest
= nla_nest_start(skb
, NFTA_CHAIN_HOOK
);
1018 goto nla_put_failure
;
1019 if (nla_put_be32(skb
, NFTA_HOOK_HOOKNUM
, htonl(ops
->hooknum
)))
1020 goto nla_put_failure
;
1021 if (nla_put_be32(skb
, NFTA_HOOK_PRIORITY
, htonl(ops
->priority
)))
1022 goto nla_put_failure
;
1023 if (basechain
->dev_name
[0] &&
1024 nla_put_string(skb
, NFTA_HOOK_DEV
, basechain
->dev_name
))
1025 goto nla_put_failure
;
1026 nla_nest_end(skb
, nest
);
1028 if (nla_put_be32(skb
, NFTA_CHAIN_POLICY
,
1029 htonl(basechain
->policy
)))
1030 goto nla_put_failure
;
1032 if (nla_put_string(skb
, NFTA_CHAIN_TYPE
, basechain
->type
->name
))
1033 goto nla_put_failure
;
1035 if (nft_dump_stats(skb
, nft_base_chain(chain
)->stats
))
1036 goto nla_put_failure
;
1039 if (nla_put_be32(skb
, NFTA_CHAIN_USE
, htonl(chain
->use
)))
1040 goto nla_put_failure
;
1042 nlmsg_end(skb
, nlh
);
1046 nlmsg_trim(skb
, nlh
);
1050 static int nf_tables_chain_notify(const struct nft_ctx
*ctx
, int event
)
1052 struct sk_buff
*skb
;
1056 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1060 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1064 err
= nf_tables_fill_chain_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1065 event
, 0, ctx
->afi
->family
, ctx
->table
,
1072 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1073 ctx
->report
, GFP_KERNEL
);
1076 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1082 static int nf_tables_dump_chains(struct sk_buff
*skb
,
1083 struct netlink_callback
*cb
)
1085 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1086 const struct nft_af_info
*afi
;
1087 const struct nft_table
*table
;
1088 const struct nft_chain
*chain
;
1089 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1090 struct net
*net
= sock_net(skb
->sk
);
1091 int family
= nfmsg
->nfgen_family
;
1094 cb
->seq
= net
->nft
.base_seq
;
1096 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
1097 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
1100 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
1101 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1105 memset(&cb
->args
[1], 0,
1106 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1107 if (!nft_is_active(net
, chain
))
1109 if (nf_tables_fill_chain_info(skb
, net
,
1110 NETLINK_CB(cb
->skb
).portid
,
1114 afi
->family
, table
, chain
) < 0)
1117 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
1129 static int nf_tables_getchain(struct net
*net
, struct sock
*nlsk
,
1130 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1131 const struct nlattr
* const nla
[])
1133 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1134 u8 genmask
= nft_genmask_cur(net
);
1135 const struct nft_af_info
*afi
;
1136 const struct nft_table
*table
;
1137 const struct nft_chain
*chain
;
1138 struct sk_buff
*skb2
;
1139 int family
= nfmsg
->nfgen_family
;
1142 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1143 struct netlink_dump_control c
= {
1144 .dump
= nf_tables_dump_chains
,
1146 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
1149 afi
= nf_tables_afinfo_lookup(net
, family
, false);
1151 return PTR_ERR(afi
);
1153 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1155 return PTR_ERR(table
);
1157 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1159 return PTR_ERR(chain
);
1161 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
1165 err
= nf_tables_fill_chain_info(skb2
, net
, NETLINK_CB(skb
).portid
,
1166 nlh
->nlmsg_seq
, NFT_MSG_NEWCHAIN
, 0,
1167 family
, table
, chain
);
1171 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
1178 static const struct nla_policy nft_counter_policy
[NFTA_COUNTER_MAX
+ 1] = {
1179 [NFTA_COUNTER_PACKETS
] = { .type
= NLA_U64
},
1180 [NFTA_COUNTER_BYTES
] = { .type
= NLA_U64
},
1183 static struct nft_stats __percpu
*nft_stats_alloc(const struct nlattr
*attr
)
1185 struct nlattr
*tb
[NFTA_COUNTER_MAX
+1];
1186 struct nft_stats __percpu
*newstats
;
1187 struct nft_stats
*stats
;
1190 err
= nla_parse_nested(tb
, NFTA_COUNTER_MAX
, attr
, nft_counter_policy
);
1192 return ERR_PTR(err
);
1194 if (!tb
[NFTA_COUNTER_BYTES
] || !tb
[NFTA_COUNTER_PACKETS
])
1195 return ERR_PTR(-EINVAL
);
1197 newstats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1198 if (newstats
== NULL
)
1199 return ERR_PTR(-ENOMEM
);
1201 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1202 * are not exposed to userspace.
1205 stats
= this_cpu_ptr(newstats
);
1206 stats
->bytes
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_BYTES
]));
1207 stats
->pkts
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_PACKETS
]));
1213 static void nft_chain_stats_replace(struct nft_base_chain
*chain
,
1214 struct nft_stats __percpu
*newstats
)
1216 if (newstats
== NULL
)
1220 struct nft_stats __percpu
*oldstats
=
1221 nft_dereference(chain
->stats
);
1223 rcu_assign_pointer(chain
->stats
, newstats
);
1225 free_percpu(oldstats
);
1227 rcu_assign_pointer(chain
->stats
, newstats
);
1230 static void nf_tables_chain_destroy(struct nft_chain
*chain
)
1232 BUG_ON(chain
->use
> 0);
1234 if (chain
->flags
& NFT_BASE_CHAIN
) {
1235 struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1237 module_put(basechain
->type
->owner
);
1238 free_percpu(basechain
->stats
);
1239 if (basechain
->ops
[0].dev
!= NULL
)
1240 dev_put(basechain
->ops
[0].dev
);
1247 struct nft_chain_hook
{
1250 const struct nf_chain_type
*type
;
1251 struct net_device
*dev
;
1254 static int nft_chain_parse_hook(struct net
*net
,
1255 const struct nlattr
* const nla
[],
1256 struct nft_af_info
*afi
,
1257 struct nft_chain_hook
*hook
, bool create
)
1259 struct nlattr
*ha
[NFTA_HOOK_MAX
+ 1];
1260 const struct nf_chain_type
*type
;
1261 struct net_device
*dev
;
1264 err
= nla_parse_nested(ha
, NFTA_HOOK_MAX
, nla
[NFTA_CHAIN_HOOK
],
1269 if (ha
[NFTA_HOOK_HOOKNUM
] == NULL
||
1270 ha
[NFTA_HOOK_PRIORITY
] == NULL
)
1273 hook
->num
= ntohl(nla_get_be32(ha
[NFTA_HOOK_HOOKNUM
]));
1274 if (hook
->num
>= afi
->nhooks
)
1277 hook
->priority
= ntohl(nla_get_be32(ha
[NFTA_HOOK_PRIORITY
]));
1279 type
= chain_type
[afi
->family
][NFT_CHAIN_T_DEFAULT
];
1280 if (nla
[NFTA_CHAIN_TYPE
]) {
1281 type
= nf_tables_chain_type_lookup(afi
, nla
[NFTA_CHAIN_TYPE
],
1284 return PTR_ERR(type
);
1286 if (!(type
->hook_mask
& (1 << hook
->num
)))
1288 if (!try_module_get(type
->owner
))
1294 if (afi
->flags
& NFT_AF_NEEDS_DEV
) {
1295 char ifname
[IFNAMSIZ
];
1297 if (!ha
[NFTA_HOOK_DEV
]) {
1298 module_put(type
->owner
);
1302 nla_strlcpy(ifname
, ha
[NFTA_HOOK_DEV
], IFNAMSIZ
);
1303 dev
= dev_get_by_name(net
, ifname
);
1305 module_put(type
->owner
);
1309 } else if (ha
[NFTA_HOOK_DEV
]) {
1310 module_put(type
->owner
);
1317 static void nft_chain_release_hook(struct nft_chain_hook
*hook
)
1319 module_put(hook
->type
->owner
);
1320 if (hook
->dev
!= NULL
)
1324 static int nf_tables_newchain(struct net
*net
, struct sock
*nlsk
,
1325 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1326 const struct nlattr
* const nla
[])
1328 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1329 const struct nlattr
* uninitialized_var(name
);
1330 struct nft_af_info
*afi
;
1331 struct nft_table
*table
;
1332 struct nft_chain
*chain
;
1333 struct nft_base_chain
*basechain
= NULL
;
1334 u8 genmask
= nft_genmask_next(net
);
1335 int family
= nfmsg
->nfgen_family
;
1336 u8 policy
= NF_ACCEPT
;
1339 struct nft_stats __percpu
*stats
;
1344 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
1346 afi
= nf_tables_afinfo_lookup(net
, family
, true);
1348 return PTR_ERR(afi
);
1350 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1352 return PTR_ERR(table
);
1355 name
= nla
[NFTA_CHAIN_NAME
];
1357 if (nla
[NFTA_CHAIN_HANDLE
]) {
1358 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_CHAIN_HANDLE
]));
1359 chain
= nf_tables_chain_lookup_byhandle(table
, handle
, genmask
);
1361 return PTR_ERR(chain
);
1363 chain
= nf_tables_chain_lookup(table
, name
, genmask
);
1364 if (IS_ERR(chain
)) {
1365 if (PTR_ERR(chain
) != -ENOENT
)
1366 return PTR_ERR(chain
);
1371 if (nla
[NFTA_CHAIN_POLICY
]) {
1372 if ((chain
!= NULL
&&
1373 !(chain
->flags
& NFT_BASE_CHAIN
)))
1376 if (chain
== NULL
&&
1377 nla
[NFTA_CHAIN_HOOK
] == NULL
)
1380 policy
= ntohl(nla_get_be32(nla
[NFTA_CHAIN_POLICY
]));
1390 if (chain
!= NULL
) {
1391 struct nft_stats
*stats
= NULL
;
1392 struct nft_trans
*trans
;
1394 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
1396 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
1399 if (nla
[NFTA_CHAIN_HOOK
]) {
1400 struct nft_base_chain
*basechain
;
1401 struct nft_chain_hook hook
;
1402 struct nf_hook_ops
*ops
;
1404 if (!(chain
->flags
& NFT_BASE_CHAIN
))
1407 err
= nft_chain_parse_hook(net
, nla
, afi
, &hook
,
1412 basechain
= nft_base_chain(chain
);
1413 if (basechain
->type
!= hook
.type
) {
1414 nft_chain_release_hook(&hook
);
1418 for (i
= 0; i
< afi
->nops
; i
++) {
1419 ops
= &basechain
->ops
[i
];
1420 if (ops
->hooknum
!= hook
.num
||
1421 ops
->priority
!= hook
.priority
||
1422 ops
->dev
!= hook
.dev
) {
1423 nft_chain_release_hook(&hook
);
1427 nft_chain_release_hook(&hook
);
1430 if (nla
[NFTA_CHAIN_HANDLE
] && name
) {
1431 struct nft_chain
*chain2
;
1433 chain2
= nf_tables_chain_lookup(table
,
1434 nla
[NFTA_CHAIN_NAME
],
1437 return PTR_ERR(chain2
);
1440 if (nla
[NFTA_CHAIN_COUNTERS
]) {
1441 if (!(chain
->flags
& NFT_BASE_CHAIN
))
1444 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
1446 return PTR_ERR(stats
);
1449 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1450 trans
= nft_trans_alloc(&ctx
, NFT_MSG_NEWCHAIN
,
1451 sizeof(struct nft_trans_chain
));
1452 if (trans
== NULL
) {
1457 nft_trans_chain_stats(trans
) = stats
;
1458 nft_trans_chain_update(trans
) = true;
1460 if (nla
[NFTA_CHAIN_POLICY
])
1461 nft_trans_chain_policy(trans
) = policy
;
1463 nft_trans_chain_policy(trans
) = -1;
1465 if (nla
[NFTA_CHAIN_HANDLE
] && name
) {
1466 nla_strlcpy(nft_trans_chain_name(trans
), name
,
1467 NFT_CHAIN_MAXNAMELEN
);
1469 list_add_tail(&trans
->list
, &net
->nft
.commit_list
);
1473 if (table
->use
== UINT_MAX
)
1476 if (nla
[NFTA_CHAIN_HOOK
]) {
1477 struct nft_chain_hook hook
;
1478 struct nf_hook_ops
*ops
;
1481 err
= nft_chain_parse_hook(net
, nla
, afi
, &hook
, create
);
1485 basechain
= kzalloc(sizeof(*basechain
), GFP_KERNEL
);
1486 if (basechain
== NULL
) {
1487 nft_chain_release_hook(&hook
);
1491 if (hook
.dev
!= NULL
)
1492 strncpy(basechain
->dev_name
, hook
.dev
->name
, IFNAMSIZ
);
1494 if (nla
[NFTA_CHAIN_COUNTERS
]) {
1495 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
1496 if (IS_ERR(stats
)) {
1497 nft_chain_release_hook(&hook
);
1499 return PTR_ERR(stats
);
1501 basechain
->stats
= stats
;
1503 stats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1504 if (stats
== NULL
) {
1505 nft_chain_release_hook(&hook
);
1509 rcu_assign_pointer(basechain
->stats
, stats
);
1512 hookfn
= hook
.type
->hooks
[hook
.num
];
1513 basechain
->type
= hook
.type
;
1514 chain
= &basechain
->chain
;
1516 for (i
= 0; i
< afi
->nops
; i
++) {
1517 ops
= &basechain
->ops
[i
];
1519 ops
->hooknum
= hook
.num
;
1520 ops
->priority
= hook
.priority
;
1522 ops
->hook
= afi
->hooks
[ops
->hooknum
];
1523 ops
->dev
= hook
.dev
;
1526 if (afi
->hook_ops_init
)
1527 afi
->hook_ops_init(ops
, i
);
1530 chain
->flags
|= NFT_BASE_CHAIN
;
1531 basechain
->policy
= policy
;
1533 chain
= kzalloc(sizeof(*chain
), GFP_KERNEL
);
1538 INIT_LIST_HEAD(&chain
->rules
);
1539 chain
->handle
= nf_tables_alloc_handle(table
);
1540 chain
->table
= table
;
1541 nla_strlcpy(chain
->name
, name
, NFT_CHAIN_MAXNAMELEN
);
1543 err
= nf_tables_register_hooks(net
, table
, chain
, afi
->nops
);
1547 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1548 err
= nft_trans_chain_add(&ctx
, NFT_MSG_NEWCHAIN
);
1553 list_add_tail_rcu(&chain
->list
, &table
->chains
);
1556 nf_tables_unregister_hooks(net
, table
, chain
, afi
->nops
);
1558 nf_tables_chain_destroy(chain
);
1562 static int nf_tables_delchain(struct net
*net
, struct sock
*nlsk
,
1563 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1564 const struct nlattr
* const nla
[])
1566 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1567 u8 genmask
= nft_genmask_next(net
);
1568 struct nft_af_info
*afi
;
1569 struct nft_table
*table
;
1570 struct nft_chain
*chain
;
1571 int family
= nfmsg
->nfgen_family
;
1574 afi
= nf_tables_afinfo_lookup(net
, family
, false);
1576 return PTR_ERR(afi
);
1578 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1580 return PTR_ERR(table
);
1582 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1584 return PTR_ERR(chain
);
1588 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1590 return nft_delchain(&ctx
);
1598 * nft_register_expr - register nf_tables expr type
1601 * Registers the expr type for use with nf_tables. Returns zero on
1602 * success or a negative errno code otherwise.
1604 int nft_register_expr(struct nft_expr_type
*type
)
1606 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1607 if (type
->family
== NFPROTO_UNSPEC
)
1608 list_add_tail_rcu(&type
->list
, &nf_tables_expressions
);
1610 list_add_rcu(&type
->list
, &nf_tables_expressions
);
1611 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1614 EXPORT_SYMBOL_GPL(nft_register_expr
);
1617 * nft_unregister_expr - unregister nf_tables expr type
1620 * Unregisters the expr typefor use with nf_tables.
1622 void nft_unregister_expr(struct nft_expr_type
*type
)
1624 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1625 list_del_rcu(&type
->list
);
1626 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1628 EXPORT_SYMBOL_GPL(nft_unregister_expr
);
1630 static const struct nft_expr_type
*__nft_expr_type_get(u8 family
,
1633 const struct nft_expr_type
*type
;
1635 list_for_each_entry(type
, &nf_tables_expressions
, list
) {
1636 if (!nla_strcmp(nla
, type
->name
) &&
1637 (!type
->family
|| type
->family
== family
))
1643 static const struct nft_expr_type
*nft_expr_type_get(u8 family
,
1646 const struct nft_expr_type
*type
;
1649 return ERR_PTR(-EINVAL
);
1651 type
= __nft_expr_type_get(family
, nla
);
1652 if (type
!= NULL
&& try_module_get(type
->owner
))
1655 #ifdef CONFIG_MODULES
1657 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1658 request_module("nft-expr-%u-%.*s", family
,
1659 nla_len(nla
), (char *)nla_data(nla
));
1660 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1661 if (__nft_expr_type_get(family
, nla
))
1662 return ERR_PTR(-EAGAIN
);
1664 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1665 request_module("nft-expr-%.*s",
1666 nla_len(nla
), (char *)nla_data(nla
));
1667 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1668 if (__nft_expr_type_get(family
, nla
))
1669 return ERR_PTR(-EAGAIN
);
1672 return ERR_PTR(-ENOENT
);
1675 static const struct nla_policy nft_expr_policy
[NFTA_EXPR_MAX
+ 1] = {
1676 [NFTA_EXPR_NAME
] = { .type
= NLA_STRING
},
1677 [NFTA_EXPR_DATA
] = { .type
= NLA_NESTED
},
1680 static int nf_tables_fill_expr_info(struct sk_buff
*skb
,
1681 const struct nft_expr
*expr
)
1683 if (nla_put_string(skb
, NFTA_EXPR_NAME
, expr
->ops
->type
->name
))
1684 goto nla_put_failure
;
1686 if (expr
->ops
->dump
) {
1687 struct nlattr
*data
= nla_nest_start(skb
, NFTA_EXPR_DATA
);
1689 goto nla_put_failure
;
1690 if (expr
->ops
->dump(skb
, expr
) < 0)
1691 goto nla_put_failure
;
1692 nla_nest_end(skb
, data
);
1701 int nft_expr_dump(struct sk_buff
*skb
, unsigned int attr
,
1702 const struct nft_expr
*expr
)
1704 struct nlattr
*nest
;
1706 nest
= nla_nest_start(skb
, attr
);
1708 goto nla_put_failure
;
1709 if (nf_tables_fill_expr_info(skb
, expr
) < 0)
1710 goto nla_put_failure
;
1711 nla_nest_end(skb
, nest
);
1718 struct nft_expr_info
{
1719 const struct nft_expr_ops
*ops
;
1720 struct nlattr
*tb
[NFT_EXPR_MAXATTR
+ 1];
1723 static int nf_tables_expr_parse(const struct nft_ctx
*ctx
,
1724 const struct nlattr
*nla
,
1725 struct nft_expr_info
*info
)
1727 const struct nft_expr_type
*type
;
1728 const struct nft_expr_ops
*ops
;
1729 struct nlattr
*tb
[NFTA_EXPR_MAX
+ 1];
1732 err
= nla_parse_nested(tb
, NFTA_EXPR_MAX
, nla
, nft_expr_policy
);
1736 type
= nft_expr_type_get(ctx
->afi
->family
, tb
[NFTA_EXPR_NAME
]);
1738 return PTR_ERR(type
);
1740 if (tb
[NFTA_EXPR_DATA
]) {
1741 err
= nla_parse_nested(info
->tb
, type
->maxattr
,
1742 tb
[NFTA_EXPR_DATA
], type
->policy
);
1746 memset(info
->tb
, 0, sizeof(info
->tb
[0]) * (type
->maxattr
+ 1));
1748 if (type
->select_ops
!= NULL
) {
1749 ops
= type
->select_ops(ctx
,
1750 (const struct nlattr
* const *)info
->tb
);
1762 module_put(type
->owner
);
1766 static int nf_tables_newexpr(const struct nft_ctx
*ctx
,
1767 const struct nft_expr_info
*info
,
1768 struct nft_expr
*expr
)
1770 const struct nft_expr_ops
*ops
= info
->ops
;
1775 err
= ops
->init(ctx
, expr
, (const struct nlattr
**)info
->tb
);
1787 static void nf_tables_expr_destroy(const struct nft_ctx
*ctx
,
1788 struct nft_expr
*expr
)
1790 if (expr
->ops
->destroy
)
1791 expr
->ops
->destroy(ctx
, expr
);
1792 module_put(expr
->ops
->type
->owner
);
1795 struct nft_expr
*nft_expr_init(const struct nft_ctx
*ctx
,
1796 const struct nlattr
*nla
)
1798 struct nft_expr_info info
;
1799 struct nft_expr
*expr
;
1802 err
= nf_tables_expr_parse(ctx
, nla
, &info
);
1807 expr
= kzalloc(info
.ops
->size
, GFP_KERNEL
);
1811 err
= nf_tables_newexpr(ctx
, &info
, expr
);
1819 module_put(info
.ops
->type
->owner
);
1821 return ERR_PTR(err
);
1824 void nft_expr_destroy(const struct nft_ctx
*ctx
, struct nft_expr
*expr
)
1826 nf_tables_expr_destroy(ctx
, expr
);
1834 static struct nft_rule
*__nf_tables_rule_lookup(const struct nft_chain
*chain
,
1837 struct nft_rule
*rule
;
1839 // FIXME: this sucks
1840 list_for_each_entry(rule
, &chain
->rules
, list
) {
1841 if (handle
== rule
->handle
)
1845 return ERR_PTR(-ENOENT
);
1848 static struct nft_rule
*nf_tables_rule_lookup(const struct nft_chain
*chain
,
1849 const struct nlattr
*nla
)
1852 return ERR_PTR(-EINVAL
);
1854 return __nf_tables_rule_lookup(chain
, be64_to_cpu(nla_get_be64(nla
)));
1857 static const struct nla_policy nft_rule_policy
[NFTA_RULE_MAX
+ 1] = {
1858 [NFTA_RULE_TABLE
] = { .type
= NLA_STRING
,
1859 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
1860 [NFTA_RULE_CHAIN
] = { .type
= NLA_STRING
,
1861 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
1862 [NFTA_RULE_HANDLE
] = { .type
= NLA_U64
},
1863 [NFTA_RULE_EXPRESSIONS
] = { .type
= NLA_NESTED
},
1864 [NFTA_RULE_COMPAT
] = { .type
= NLA_NESTED
},
1865 [NFTA_RULE_POSITION
] = { .type
= NLA_U64
},
1866 [NFTA_RULE_USERDATA
] = { .type
= NLA_BINARY
,
1867 .len
= NFT_USERDATA_MAXLEN
},
1870 static int nf_tables_fill_rule_info(struct sk_buff
*skb
, struct net
*net
,
1871 u32 portid
, u32 seq
, int event
,
1872 u32 flags
, int family
,
1873 const struct nft_table
*table
,
1874 const struct nft_chain
*chain
,
1875 const struct nft_rule
*rule
)
1877 struct nlmsghdr
*nlh
;
1878 struct nfgenmsg
*nfmsg
;
1879 const struct nft_expr
*expr
, *next
;
1880 struct nlattr
*list
;
1881 const struct nft_rule
*prule
;
1882 int type
= event
| NFNL_SUBSYS_NFTABLES
<< 8;
1884 nlh
= nlmsg_put(skb
, portid
, seq
, type
, sizeof(struct nfgenmsg
),
1887 goto nla_put_failure
;
1889 nfmsg
= nlmsg_data(nlh
);
1890 nfmsg
->nfgen_family
= family
;
1891 nfmsg
->version
= NFNETLINK_V0
;
1892 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
1894 if (nla_put_string(skb
, NFTA_RULE_TABLE
, table
->name
))
1895 goto nla_put_failure
;
1896 if (nla_put_string(skb
, NFTA_RULE_CHAIN
, chain
->name
))
1897 goto nla_put_failure
;
1898 if (nla_put_be64(skb
, NFTA_RULE_HANDLE
, cpu_to_be64(rule
->handle
),
1900 goto nla_put_failure
;
1902 if ((event
!= NFT_MSG_DELRULE
) && (rule
->list
.prev
!= &chain
->rules
)) {
1903 prule
= list_entry(rule
->list
.prev
, struct nft_rule
, list
);
1904 if (nla_put_be64(skb
, NFTA_RULE_POSITION
,
1905 cpu_to_be64(prule
->handle
),
1907 goto nla_put_failure
;
1910 list
= nla_nest_start(skb
, NFTA_RULE_EXPRESSIONS
);
1912 goto nla_put_failure
;
1913 nft_rule_for_each_expr(expr
, next
, rule
) {
1914 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
, expr
) < 0)
1915 goto nla_put_failure
;
1917 nla_nest_end(skb
, list
);
1920 struct nft_userdata
*udata
= nft_userdata(rule
);
1921 if (nla_put(skb
, NFTA_RULE_USERDATA
, udata
->len
+ 1,
1923 goto nla_put_failure
;
1926 nlmsg_end(skb
, nlh
);
1930 nlmsg_trim(skb
, nlh
);
1934 static int nf_tables_rule_notify(const struct nft_ctx
*ctx
,
1935 const struct nft_rule
*rule
,
1938 struct sk_buff
*skb
;
1942 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1946 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1950 err
= nf_tables_fill_rule_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1951 event
, 0, ctx
->afi
->family
, ctx
->table
,
1958 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1959 ctx
->report
, GFP_KERNEL
);
1962 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1968 struct nft_rule_dump_ctx
{
1969 char table
[NFT_TABLE_MAXNAMELEN
];
1970 char chain
[NFT_CHAIN_MAXNAMELEN
];
1973 static int nf_tables_dump_rules(struct sk_buff
*skb
,
1974 struct netlink_callback
*cb
)
1976 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1977 const struct nft_rule_dump_ctx
*ctx
= cb
->data
;
1978 const struct nft_af_info
*afi
;
1979 const struct nft_table
*table
;
1980 const struct nft_chain
*chain
;
1981 const struct nft_rule
*rule
;
1982 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1983 struct net
*net
= sock_net(skb
->sk
);
1984 int family
= nfmsg
->nfgen_family
;
1987 cb
->seq
= net
->nft
.base_seq
;
1989 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
1990 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
1993 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
1994 if (ctx
&& ctx
->table
[0] &&
1995 strcmp(ctx
->table
, table
->name
) != 0)
1998 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1999 if (ctx
&& ctx
->chain
[0] &&
2000 strcmp(ctx
->chain
, chain
->name
) != 0)
2003 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
2004 if (!nft_is_active(net
, rule
))
2009 memset(&cb
->args
[1], 0,
2010 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
2011 if (nf_tables_fill_rule_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
2014 NLM_F_MULTI
| NLM_F_APPEND
,
2015 afi
->family
, table
, chain
, rule
) < 0)
2018 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
2032 static int nf_tables_dump_rules_done(struct netlink_callback
*cb
)
2038 static int nf_tables_getrule(struct net
*net
, struct sock
*nlsk
,
2039 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2040 const struct nlattr
* const nla
[])
2042 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2043 u8 genmask
= nft_genmask_cur(net
);
2044 const struct nft_af_info
*afi
;
2045 const struct nft_table
*table
;
2046 const struct nft_chain
*chain
;
2047 const struct nft_rule
*rule
;
2048 struct sk_buff
*skb2
;
2049 int family
= nfmsg
->nfgen_family
;
2052 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
2053 struct netlink_dump_control c
= {
2054 .dump
= nf_tables_dump_rules
,
2055 .done
= nf_tables_dump_rules_done
,
2058 if (nla
[NFTA_RULE_TABLE
] || nla
[NFTA_RULE_CHAIN
]) {
2059 struct nft_rule_dump_ctx
*ctx
;
2061 ctx
= kzalloc(sizeof(*ctx
), GFP_KERNEL
);
2065 if (nla
[NFTA_RULE_TABLE
])
2066 nla_strlcpy(ctx
->table
, nla
[NFTA_RULE_TABLE
],
2067 sizeof(ctx
->table
));
2068 if (nla
[NFTA_RULE_CHAIN
])
2069 nla_strlcpy(ctx
->chain
, nla
[NFTA_RULE_CHAIN
],
2070 sizeof(ctx
->chain
));
2074 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
2077 afi
= nf_tables_afinfo_lookup(net
, family
, false);
2079 return PTR_ERR(afi
);
2081 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2083 return PTR_ERR(table
);
2085 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
], genmask
);
2087 return PTR_ERR(chain
);
2089 rule
= nf_tables_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
2091 return PTR_ERR(rule
);
2093 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
2097 err
= nf_tables_fill_rule_info(skb2
, net
, NETLINK_CB(skb
).portid
,
2098 nlh
->nlmsg_seq
, NFT_MSG_NEWRULE
, 0,
2099 family
, table
, chain
, rule
);
2103 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
2110 static void nf_tables_rule_destroy(const struct nft_ctx
*ctx
,
2111 struct nft_rule
*rule
)
2113 struct nft_expr
*expr
;
2116 * Careful: some expressions might not be initialized in case this
2117 * is called on error from nf_tables_newrule().
2119 expr
= nft_expr_first(rule
);
2120 while (expr
!= nft_expr_last(rule
) && expr
->ops
) {
2121 nf_tables_expr_destroy(ctx
, expr
);
2122 expr
= nft_expr_next(expr
);
2127 #define NFT_RULE_MAXEXPRS 128
2129 static struct nft_expr_info
*info
;
2131 static int nf_tables_newrule(struct net
*net
, struct sock
*nlsk
,
2132 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2133 const struct nlattr
* const nla
[])
2135 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2136 u8 genmask
= nft_genmask_next(net
);
2137 struct nft_af_info
*afi
;
2138 struct nft_table
*table
;
2139 struct nft_chain
*chain
;
2140 struct nft_rule
*rule
, *old_rule
= NULL
;
2141 struct nft_userdata
*udata
;
2142 struct nft_trans
*trans
= NULL
;
2143 struct nft_expr
*expr
;
2146 unsigned int size
, i
, n
, ulen
= 0, usize
= 0;
2149 u64 handle
, pos_handle
;
2151 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
2153 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, create
);
2155 return PTR_ERR(afi
);
2157 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2159 return PTR_ERR(table
);
2161 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
], genmask
);
2163 return PTR_ERR(chain
);
2165 if (nla
[NFTA_RULE_HANDLE
]) {
2166 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_HANDLE
]));
2167 rule
= __nf_tables_rule_lookup(chain
, handle
);
2169 return PTR_ERR(rule
);
2171 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
2173 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2178 if (!create
|| nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2180 handle
= nf_tables_alloc_handle(table
);
2182 if (chain
->use
== UINT_MAX
)
2186 if (nla
[NFTA_RULE_POSITION
]) {
2187 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
2190 pos_handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_POSITION
]));
2191 old_rule
= __nf_tables_rule_lookup(chain
, pos_handle
);
2192 if (IS_ERR(old_rule
))
2193 return PTR_ERR(old_rule
);
2196 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
2200 if (nla
[NFTA_RULE_EXPRESSIONS
]) {
2201 nla_for_each_nested(tmp
, nla
[NFTA_RULE_EXPRESSIONS
], rem
) {
2203 if (nla_type(tmp
) != NFTA_LIST_ELEM
)
2205 if (n
== NFT_RULE_MAXEXPRS
)
2207 err
= nf_tables_expr_parse(&ctx
, tmp
, &info
[n
]);
2210 size
+= info
[n
].ops
->size
;
2214 /* Check for overflow of dlen field */
2216 if (size
>= 1 << 12)
2219 if (nla
[NFTA_RULE_USERDATA
]) {
2220 ulen
= nla_len(nla
[NFTA_RULE_USERDATA
]);
2222 usize
= sizeof(struct nft_userdata
) + ulen
;
2226 rule
= kzalloc(sizeof(*rule
) + size
+ usize
, GFP_KERNEL
);
2230 nft_activate_next(net
, rule
);
2232 rule
->handle
= handle
;
2234 rule
->udata
= ulen
? 1 : 0;
2237 udata
= nft_userdata(rule
);
2238 udata
->len
= ulen
- 1;
2239 nla_memcpy(udata
->data
, nla
[NFTA_RULE_USERDATA
], ulen
);
2242 expr
= nft_expr_first(rule
);
2243 for (i
= 0; i
< n
; i
++) {
2244 err
= nf_tables_newexpr(&ctx
, &info
[i
], expr
);
2248 expr
= nft_expr_next(expr
);
2251 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
) {
2252 if (nft_is_active_next(net
, old_rule
)) {
2253 trans
= nft_trans_rule_add(&ctx
, NFT_MSG_DELRULE
,
2255 if (trans
== NULL
) {
2259 nft_deactivate_next(net
, old_rule
);
2261 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
2266 } else if (nlh
->nlmsg_flags
& NLM_F_APPEND
)
2268 list_add_rcu(&rule
->list
, &old_rule
->list
);
2270 list_add_tail_rcu(&rule
->list
, &chain
->rules
);
2273 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
2275 list_add_rcu(&rule
->list
, &chain
->rules
);
2278 if (nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
) == NULL
) {
2286 list_del_rcu(&rule
->list
);
2288 nf_tables_rule_destroy(&ctx
, rule
);
2290 for (i
= 0; i
< n
; i
++) {
2291 if (info
[i
].ops
!= NULL
)
2292 module_put(info
[i
].ops
->type
->owner
);
2297 static int nf_tables_delrule(struct net
*net
, struct sock
*nlsk
,
2298 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2299 const struct nlattr
* const nla
[])
2301 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2302 u8 genmask
= nft_genmask_next(net
);
2303 struct nft_af_info
*afi
;
2304 struct nft_table
*table
;
2305 struct nft_chain
*chain
= NULL
;
2306 struct nft_rule
*rule
;
2307 int family
= nfmsg
->nfgen_family
, err
= 0;
2310 afi
= nf_tables_afinfo_lookup(net
, family
, false);
2312 return PTR_ERR(afi
);
2314 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2316 return PTR_ERR(table
);
2318 if (nla
[NFTA_RULE_CHAIN
]) {
2319 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
],
2322 return PTR_ERR(chain
);
2325 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
2328 if (nla
[NFTA_RULE_HANDLE
]) {
2329 rule
= nf_tables_rule_lookup(chain
,
2330 nla
[NFTA_RULE_HANDLE
]);
2332 return PTR_ERR(rule
);
2334 err
= nft_delrule(&ctx
, rule
);
2336 err
= nft_delrule_by_chain(&ctx
);
2339 list_for_each_entry(chain
, &table
->chains
, list
) {
2340 if (!nft_is_active_next(net
, chain
))
2344 err
= nft_delrule_by_chain(&ctx
);
2357 static LIST_HEAD(nf_tables_set_ops
);
2359 int nft_register_set(struct nft_set_ops
*ops
)
2361 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2362 list_add_tail_rcu(&ops
->list
, &nf_tables_set_ops
);
2363 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2366 EXPORT_SYMBOL_GPL(nft_register_set
);
2368 void nft_unregister_set(struct nft_set_ops
*ops
)
2370 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2371 list_del_rcu(&ops
->list
);
2372 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2374 EXPORT_SYMBOL_GPL(nft_unregister_set
);
2377 * Select a set implementation based on the data characteristics and the
2378 * given policy. The total memory use might not be known if no size is
2379 * given, in that case the amount of memory per element is used.
2381 static const struct nft_set_ops
*
2382 nft_select_set_ops(const struct nlattr
* const nla
[],
2383 const struct nft_set_desc
*desc
,
2384 enum nft_set_policies policy
)
2386 const struct nft_set_ops
*ops
, *bops
;
2387 struct nft_set_estimate est
, best
;
2390 #ifdef CONFIG_MODULES
2391 if (list_empty(&nf_tables_set_ops
)) {
2392 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2393 request_module("nft-set");
2394 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2395 if (!list_empty(&nf_tables_set_ops
))
2396 return ERR_PTR(-EAGAIN
);
2400 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
2401 features
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
2402 features
&= NFT_SET_INTERVAL
| NFT_SET_MAP
| NFT_SET_TIMEOUT
;
2409 list_for_each_entry(ops
, &nf_tables_set_ops
, list
) {
2410 if ((ops
->features
& features
) != features
)
2412 if (!ops
->estimate(desc
, features
, &est
))
2416 case NFT_SET_POL_PERFORMANCE
:
2417 if (est
.class < best
.class)
2419 if (est
.class == best
.class && est
.size
< best
.size
)
2422 case NFT_SET_POL_MEMORY
:
2423 if (est
.size
< best
.size
)
2425 if (est
.size
== best
.size
&& est
.class < best
.class)
2432 if (!try_module_get(ops
->owner
))
2435 module_put(bops
->owner
);
2444 return ERR_PTR(-EOPNOTSUPP
);
2447 static const struct nla_policy nft_set_policy
[NFTA_SET_MAX
+ 1] = {
2448 [NFTA_SET_TABLE
] = { .type
= NLA_STRING
,
2449 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
2450 [NFTA_SET_NAME
] = { .type
= NLA_STRING
,
2451 .len
= NFT_SET_MAXNAMELEN
- 1 },
2452 [NFTA_SET_FLAGS
] = { .type
= NLA_U32
},
2453 [NFTA_SET_KEY_TYPE
] = { .type
= NLA_U32
},
2454 [NFTA_SET_KEY_LEN
] = { .type
= NLA_U32
},
2455 [NFTA_SET_DATA_TYPE
] = { .type
= NLA_U32
},
2456 [NFTA_SET_DATA_LEN
] = { .type
= NLA_U32
},
2457 [NFTA_SET_POLICY
] = { .type
= NLA_U32
},
2458 [NFTA_SET_DESC
] = { .type
= NLA_NESTED
},
2459 [NFTA_SET_ID
] = { .type
= NLA_U32
},
2460 [NFTA_SET_TIMEOUT
] = { .type
= NLA_U64
},
2461 [NFTA_SET_GC_INTERVAL
] = { .type
= NLA_U32
},
2462 [NFTA_SET_USERDATA
] = { .type
= NLA_BINARY
,
2463 .len
= NFT_USERDATA_MAXLEN
},
2464 [NFTA_SET_OBJ_TYPE
] = { .type
= NLA_U32
},
2467 static const struct nla_policy nft_set_desc_policy
[NFTA_SET_DESC_MAX
+ 1] = {
2468 [NFTA_SET_DESC_SIZE
] = { .type
= NLA_U32
},
2471 static int nft_ctx_init_from_setattr(struct nft_ctx
*ctx
, struct net
*net
,
2472 const struct sk_buff
*skb
,
2473 const struct nlmsghdr
*nlh
,
2474 const struct nlattr
* const nla
[],
2477 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2478 struct nft_af_info
*afi
= NULL
;
2479 struct nft_table
*table
= NULL
;
2481 if (nfmsg
->nfgen_family
!= NFPROTO_UNSPEC
) {
2482 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, false);
2484 return PTR_ERR(afi
);
2487 if (nla
[NFTA_SET_TABLE
] != NULL
) {
2489 return -EAFNOSUPPORT
;
2491 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_TABLE
],
2494 return PTR_ERR(table
);
2497 nft_ctx_init(ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
2501 struct nft_set
*nf_tables_set_lookup(const struct nft_table
*table
,
2502 const struct nlattr
*nla
, u8 genmask
)
2504 struct nft_set
*set
;
2507 return ERR_PTR(-EINVAL
);
2509 list_for_each_entry(set
, &table
->sets
, list
) {
2510 if (!nla_strcmp(nla
, set
->name
) &&
2511 nft_active_genmask(set
, genmask
))
2514 return ERR_PTR(-ENOENT
);
2516 EXPORT_SYMBOL_GPL(nf_tables_set_lookup
);
2518 struct nft_set
*nf_tables_set_lookup_byid(const struct net
*net
,
2519 const struct nlattr
*nla
,
2522 struct nft_trans
*trans
;
2523 u32 id
= ntohl(nla_get_be32(nla
));
2525 list_for_each_entry(trans
, &net
->nft
.commit_list
, list
) {
2526 struct nft_set
*set
= nft_trans_set(trans
);
2528 if (trans
->msg_type
== NFT_MSG_NEWSET
&&
2529 id
== nft_trans_set_id(trans
) &&
2530 nft_active_genmask(set
, genmask
))
2533 return ERR_PTR(-ENOENT
);
2535 EXPORT_SYMBOL_GPL(nf_tables_set_lookup_byid
);
2537 static int nf_tables_set_alloc_name(struct nft_ctx
*ctx
, struct nft_set
*set
,
2540 const struct nft_set
*i
;
2542 unsigned long *inuse
;
2543 unsigned int n
= 0, min
= 0;
2545 p
= strnchr(name
, NFT_SET_MAXNAMELEN
, '%');
2547 if (p
[1] != 'd' || strchr(p
+ 2, '%'))
2550 inuse
= (unsigned long *)get_zeroed_page(GFP_KERNEL
);
2554 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
2557 if (!nft_is_active_next(ctx
->net
, set
))
2559 if (!sscanf(i
->name
, name
, &tmp
))
2561 if (tmp
< min
|| tmp
>= min
+ BITS_PER_BYTE
* PAGE_SIZE
)
2564 set_bit(tmp
- min
, inuse
);
2567 n
= find_first_zero_bit(inuse
, BITS_PER_BYTE
* PAGE_SIZE
);
2568 if (n
>= BITS_PER_BYTE
* PAGE_SIZE
) {
2569 min
+= BITS_PER_BYTE
* PAGE_SIZE
;
2570 memset(inuse
, 0, PAGE_SIZE
);
2573 free_page((unsigned long)inuse
);
2576 snprintf(set
->name
, sizeof(set
->name
), name
, min
+ n
);
2577 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
2578 if (!nft_is_active_next(ctx
->net
, i
))
2580 if (!strcmp(set
->name
, i
->name
))
2586 static int nf_tables_fill_set(struct sk_buff
*skb
, const struct nft_ctx
*ctx
,
2587 const struct nft_set
*set
, u16 event
, u16 flags
)
2589 struct nfgenmsg
*nfmsg
;
2590 struct nlmsghdr
*nlh
;
2591 struct nlattr
*desc
;
2592 u32 portid
= ctx
->portid
;
2595 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
2596 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
2599 goto nla_put_failure
;
2601 nfmsg
= nlmsg_data(nlh
);
2602 nfmsg
->nfgen_family
= ctx
->afi
->family
;
2603 nfmsg
->version
= NFNETLINK_V0
;
2604 nfmsg
->res_id
= htons(ctx
->net
->nft
.base_seq
& 0xffff);
2606 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
2607 goto nla_put_failure
;
2608 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
2609 goto nla_put_failure
;
2610 if (set
->flags
!= 0)
2611 if (nla_put_be32(skb
, NFTA_SET_FLAGS
, htonl(set
->flags
)))
2612 goto nla_put_failure
;
2614 if (nla_put_be32(skb
, NFTA_SET_KEY_TYPE
, htonl(set
->ktype
)))
2615 goto nla_put_failure
;
2616 if (nla_put_be32(skb
, NFTA_SET_KEY_LEN
, htonl(set
->klen
)))
2617 goto nla_put_failure
;
2618 if (set
->flags
& NFT_SET_MAP
) {
2619 if (nla_put_be32(skb
, NFTA_SET_DATA_TYPE
, htonl(set
->dtype
)))
2620 goto nla_put_failure
;
2621 if (nla_put_be32(skb
, NFTA_SET_DATA_LEN
, htonl(set
->dlen
)))
2622 goto nla_put_failure
;
2624 if (set
->flags
& NFT_SET_OBJECT
&&
2625 nla_put_be32(skb
, NFTA_SET_OBJ_TYPE
, htonl(set
->objtype
)))
2626 goto nla_put_failure
;
2629 nla_put_be64(skb
, NFTA_SET_TIMEOUT
,
2630 cpu_to_be64(jiffies_to_msecs(set
->timeout
)),
2632 goto nla_put_failure
;
2634 nla_put_be32(skb
, NFTA_SET_GC_INTERVAL
, htonl(set
->gc_int
)))
2635 goto nla_put_failure
;
2637 if (set
->policy
!= NFT_SET_POL_PERFORMANCE
) {
2638 if (nla_put_be32(skb
, NFTA_SET_POLICY
, htonl(set
->policy
)))
2639 goto nla_put_failure
;
2642 if (nla_put(skb
, NFTA_SET_USERDATA
, set
->udlen
, set
->udata
))
2643 goto nla_put_failure
;
2645 desc
= nla_nest_start(skb
, NFTA_SET_DESC
);
2647 goto nla_put_failure
;
2649 nla_put_be32(skb
, NFTA_SET_DESC_SIZE
, htonl(set
->size
)))
2650 goto nla_put_failure
;
2651 nla_nest_end(skb
, desc
);
2653 nlmsg_end(skb
, nlh
);
2657 nlmsg_trim(skb
, nlh
);
2661 static int nf_tables_set_notify(const struct nft_ctx
*ctx
,
2662 const struct nft_set
*set
,
2663 int event
, gfp_t gfp_flags
)
2665 struct sk_buff
*skb
;
2666 u32 portid
= ctx
->portid
;
2670 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
2674 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp_flags
);
2678 err
= nf_tables_fill_set(skb
, ctx
, set
, event
, 0);
2684 err
= nfnetlink_send(skb
, ctx
->net
, portid
, NFNLGRP_NFTABLES
,
2685 ctx
->report
, gfp_flags
);
2688 nfnetlink_set_err(ctx
->net
, portid
, NFNLGRP_NFTABLES
, err
);
2692 static int nf_tables_dump_sets(struct sk_buff
*skb
, struct netlink_callback
*cb
)
2694 const struct nft_set
*set
;
2695 unsigned int idx
, s_idx
= cb
->args
[0];
2696 struct nft_af_info
*afi
;
2697 struct nft_table
*table
, *cur_table
= (struct nft_table
*)cb
->args
[2];
2698 struct net
*net
= sock_net(skb
->sk
);
2699 int cur_family
= cb
->args
[3];
2700 struct nft_ctx
*ctx
= cb
->data
, ctx_set
;
2706 cb
->seq
= net
->nft
.base_seq
;
2708 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
2709 if (ctx
->afi
&& ctx
->afi
!= afi
)
2713 if (afi
->family
!= cur_family
)
2718 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
2719 if (ctx
->table
&& ctx
->table
!= table
)
2723 if (cur_table
!= table
)
2729 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
2732 if (!nft_is_active(net
, set
))
2736 ctx_set
.table
= table
;
2738 if (nf_tables_fill_set(skb
, &ctx_set
, set
,
2742 cb
->args
[2] = (unsigned long) table
;
2743 cb
->args
[3] = afi
->family
;
2746 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
2760 static int nf_tables_dump_sets_done(struct netlink_callback
*cb
)
2766 static int nf_tables_getset(struct net
*net
, struct sock
*nlsk
,
2767 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2768 const struct nlattr
* const nla
[])
2770 u8 genmask
= nft_genmask_cur(net
);
2771 const struct nft_set
*set
;
2773 struct sk_buff
*skb2
;
2774 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2777 /* Verify existence before starting dump */
2778 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
2782 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
2783 struct netlink_dump_control c
= {
2784 .dump
= nf_tables_dump_sets
,
2785 .done
= nf_tables_dump_sets_done
,
2787 struct nft_ctx
*ctx_dump
;
2789 ctx_dump
= kmalloc(sizeof(*ctx_dump
), GFP_KERNEL
);
2790 if (ctx_dump
== NULL
)
2796 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
2799 /* Only accept unspec with dump */
2800 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
2801 return -EAFNOSUPPORT
;
2802 if (!nla
[NFTA_SET_TABLE
])
2805 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_NAME
], genmask
);
2807 return PTR_ERR(set
);
2809 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
2813 err
= nf_tables_fill_set(skb2
, &ctx
, set
, NFT_MSG_NEWSET
, 0);
2817 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
2824 static int nf_tables_set_desc_parse(const struct nft_ctx
*ctx
,
2825 struct nft_set_desc
*desc
,
2826 const struct nlattr
*nla
)
2828 struct nlattr
*da
[NFTA_SET_DESC_MAX
+ 1];
2831 err
= nla_parse_nested(da
, NFTA_SET_DESC_MAX
, nla
, nft_set_desc_policy
);
2835 if (da
[NFTA_SET_DESC_SIZE
] != NULL
)
2836 desc
->size
= ntohl(nla_get_be32(da
[NFTA_SET_DESC_SIZE
]));
2841 static int nf_tables_newset(struct net
*net
, struct sock
*nlsk
,
2842 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2843 const struct nlattr
* const nla
[])
2845 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2846 u8 genmask
= nft_genmask_next(net
);
2847 const struct nft_set_ops
*ops
;
2848 struct nft_af_info
*afi
;
2849 struct nft_table
*table
;
2850 struct nft_set
*set
;
2852 char name
[NFT_SET_MAXNAMELEN
];
2856 u32 ktype
, dtype
, flags
, policy
, gc_int
, objtype
;
2857 struct nft_set_desc desc
;
2858 unsigned char *udata
;
2862 if (nla
[NFTA_SET_TABLE
] == NULL
||
2863 nla
[NFTA_SET_NAME
] == NULL
||
2864 nla
[NFTA_SET_KEY_LEN
] == NULL
||
2865 nla
[NFTA_SET_ID
] == NULL
)
2868 memset(&desc
, 0, sizeof(desc
));
2870 ktype
= NFT_DATA_VALUE
;
2871 if (nla
[NFTA_SET_KEY_TYPE
] != NULL
) {
2872 ktype
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_TYPE
]));
2873 if ((ktype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
)
2877 desc
.klen
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_LEN
]));
2878 if (desc
.klen
== 0 || desc
.klen
> NFT_DATA_VALUE_MAXLEN
)
2882 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
2883 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
2884 if (flags
& ~(NFT_SET_ANONYMOUS
| NFT_SET_CONSTANT
|
2885 NFT_SET_INTERVAL
| NFT_SET_TIMEOUT
|
2886 NFT_SET_MAP
| NFT_SET_EVAL
|
2889 /* Only one of these operations is supported */
2890 if ((flags
& (NFT_SET_MAP
| NFT_SET_EVAL
| NFT_SET_OBJECT
)) ==
2891 (NFT_SET_MAP
| NFT_SET_EVAL
| NFT_SET_OBJECT
))
2896 if (nla
[NFTA_SET_DATA_TYPE
] != NULL
) {
2897 if (!(flags
& NFT_SET_MAP
))
2900 dtype
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_TYPE
]));
2901 if ((dtype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
&&
2902 dtype
!= NFT_DATA_VERDICT
)
2905 if (dtype
!= NFT_DATA_VERDICT
) {
2906 if (nla
[NFTA_SET_DATA_LEN
] == NULL
)
2908 desc
.dlen
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_LEN
]));
2909 if (desc
.dlen
== 0 || desc
.dlen
> NFT_DATA_VALUE_MAXLEN
)
2912 desc
.dlen
= sizeof(struct nft_verdict
);
2913 } else if (flags
& NFT_SET_MAP
)
2916 if (nla
[NFTA_SET_OBJ_TYPE
] != NULL
) {
2917 if (!(flags
& NFT_SET_OBJECT
))
2920 objtype
= ntohl(nla_get_be32(nla
[NFTA_SET_OBJ_TYPE
]));
2921 if (objtype
== NFT_OBJECT_UNSPEC
||
2922 objtype
> NFT_OBJECT_MAX
)
2924 } else if (flags
& NFT_SET_OBJECT
)
2927 objtype
= NFT_OBJECT_UNSPEC
;
2930 if (nla
[NFTA_SET_TIMEOUT
] != NULL
) {
2931 if (!(flags
& NFT_SET_TIMEOUT
))
2933 timeout
= msecs_to_jiffies(be64_to_cpu(nla_get_be64(
2934 nla
[NFTA_SET_TIMEOUT
])));
2937 if (nla
[NFTA_SET_GC_INTERVAL
] != NULL
) {
2938 if (!(flags
& NFT_SET_TIMEOUT
))
2940 gc_int
= ntohl(nla_get_be32(nla
[NFTA_SET_GC_INTERVAL
]));
2943 policy
= NFT_SET_POL_PERFORMANCE
;
2944 if (nla
[NFTA_SET_POLICY
] != NULL
)
2945 policy
= ntohl(nla_get_be32(nla
[NFTA_SET_POLICY
]));
2947 if (nla
[NFTA_SET_DESC
] != NULL
) {
2948 err
= nf_tables_set_desc_parse(&ctx
, &desc
, nla
[NFTA_SET_DESC
]);
2953 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
2955 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, create
);
2957 return PTR_ERR(afi
);
2959 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_TABLE
], genmask
);
2961 return PTR_ERR(table
);
2963 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
2965 set
= nf_tables_set_lookup(table
, nla
[NFTA_SET_NAME
], genmask
);
2967 if (PTR_ERR(set
) != -ENOENT
)
2968 return PTR_ERR(set
);
2973 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
2975 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2980 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
2983 ops
= nft_select_set_ops(nla
, &desc
, policy
);
2985 return PTR_ERR(ops
);
2988 if (nla
[NFTA_SET_USERDATA
])
2989 udlen
= nla_len(nla
[NFTA_SET_USERDATA
]);
2992 if (ops
->privsize
!= NULL
)
2993 size
= ops
->privsize(nla
);
2996 set
= kzalloc(sizeof(*set
) + size
+ udlen
, GFP_KERNEL
);
3000 nla_strlcpy(name
, nla
[NFTA_SET_NAME
], sizeof(set
->name
));
3001 err
= nf_tables_set_alloc_name(&ctx
, set
, name
);
3007 udata
= set
->data
+ size
;
3008 nla_memcpy(udata
, nla
[NFTA_SET_USERDATA
], udlen
);
3011 INIT_LIST_HEAD(&set
->bindings
);
3014 set
->klen
= desc
.klen
;
3016 set
->objtype
= objtype
;
3017 set
->dlen
= desc
.dlen
;
3019 set
->size
= desc
.size
;
3020 set
->policy
= policy
;
3023 set
->timeout
= timeout
;
3024 set
->gc_int
= gc_int
;
3026 err
= ops
->init(set
, &desc
, nla
);
3030 err
= nft_trans_set_add(&ctx
, NFT_MSG_NEWSET
, set
);
3034 list_add_tail_rcu(&set
->list
, &table
->sets
);
3043 module_put(ops
->owner
);
3047 static void nft_set_destroy(struct nft_set
*set
)
3049 set
->ops
->destroy(set
);
3050 module_put(set
->ops
->owner
);
3054 static void nf_tables_set_destroy(const struct nft_ctx
*ctx
, struct nft_set
*set
)
3056 list_del_rcu(&set
->list
);
3057 nf_tables_set_notify(ctx
, set
, NFT_MSG_DELSET
, GFP_ATOMIC
);
3058 nft_set_destroy(set
);
3061 static int nf_tables_delset(struct net
*net
, struct sock
*nlsk
,
3062 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3063 const struct nlattr
* const nla
[])
3065 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3066 u8 genmask
= nft_genmask_next(net
);
3067 struct nft_set
*set
;
3071 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
3072 return -EAFNOSUPPORT
;
3073 if (nla
[NFTA_SET_TABLE
] == NULL
)
3076 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3080 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_NAME
], genmask
);
3082 return PTR_ERR(set
);
3083 if (!list_empty(&set
->bindings
))
3086 return nft_delset(&ctx
, set
);
3089 static int nf_tables_bind_check_setelem(const struct nft_ctx
*ctx
,
3090 struct nft_set
*set
,
3091 const struct nft_set_iter
*iter
,
3092 struct nft_set_elem
*elem
)
3094 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
3095 enum nft_registers dreg
;
3097 dreg
= nft_type_to_reg(set
->dtype
);
3098 return nft_validate_register_store(ctx
, dreg
, nft_set_ext_data(ext
),
3099 set
->dtype
== NFT_DATA_VERDICT
?
3100 NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
3104 int nf_tables_bind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
3105 struct nft_set_binding
*binding
)
3107 struct nft_set_binding
*i
;
3108 struct nft_set_iter iter
;
3110 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_ANONYMOUS
)
3113 if (binding
->flags
& NFT_SET_MAP
) {
3114 /* If the set is already bound to the same chain all
3115 * jumps are already validated for that chain.
3117 list_for_each_entry(i
, &set
->bindings
, list
) {
3118 if (i
->flags
& NFT_SET_MAP
&&
3119 i
->chain
== binding
->chain
)
3123 iter
.genmask
= nft_genmask_next(ctx
->net
);
3127 iter
.fn
= nf_tables_bind_check_setelem
;
3129 set
->ops
->walk(ctx
, set
, &iter
);
3134 binding
->chain
= ctx
->chain
;
3135 list_add_tail_rcu(&binding
->list
, &set
->bindings
);
3138 EXPORT_SYMBOL_GPL(nf_tables_bind_set
);
3140 void nf_tables_unbind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
3141 struct nft_set_binding
*binding
)
3143 list_del_rcu(&binding
->list
);
3145 if (list_empty(&set
->bindings
) && set
->flags
& NFT_SET_ANONYMOUS
&&
3146 nft_is_active(ctx
->net
, set
))
3147 nf_tables_set_destroy(ctx
, set
);
3149 EXPORT_SYMBOL_GPL(nf_tables_unbind_set
);
3151 const struct nft_set_ext_type nft_set_ext_types
[] = {
3152 [NFT_SET_EXT_KEY
] = {
3153 .align
= __alignof__(u32
),
3155 [NFT_SET_EXT_DATA
] = {
3156 .align
= __alignof__(u32
),
3158 [NFT_SET_EXT_EXPR
] = {
3159 .align
= __alignof__(struct nft_expr
),
3161 [NFT_SET_EXT_OBJREF
] = {
3162 .len
= sizeof(struct nft_object
*),
3163 .align
= __alignof__(struct nft_object
*),
3165 [NFT_SET_EXT_FLAGS
] = {
3167 .align
= __alignof__(u8
),
3169 [NFT_SET_EXT_TIMEOUT
] = {
3171 .align
= __alignof__(u64
),
3173 [NFT_SET_EXT_EXPIRATION
] = {
3174 .len
= sizeof(unsigned long),
3175 .align
= __alignof__(unsigned long),
3177 [NFT_SET_EXT_USERDATA
] = {
3178 .len
= sizeof(struct nft_userdata
),
3179 .align
= __alignof__(struct nft_userdata
),
3182 EXPORT_SYMBOL_GPL(nft_set_ext_types
);
3188 static const struct nla_policy nft_set_elem_policy
[NFTA_SET_ELEM_MAX
+ 1] = {
3189 [NFTA_SET_ELEM_KEY
] = { .type
= NLA_NESTED
},
3190 [NFTA_SET_ELEM_DATA
] = { .type
= NLA_NESTED
},
3191 [NFTA_SET_ELEM_FLAGS
] = { .type
= NLA_U32
},
3192 [NFTA_SET_ELEM_TIMEOUT
] = { .type
= NLA_U64
},
3193 [NFTA_SET_ELEM_USERDATA
] = { .type
= NLA_BINARY
,
3194 .len
= NFT_USERDATA_MAXLEN
},
3197 static const struct nla_policy nft_set_elem_list_policy
[NFTA_SET_ELEM_LIST_MAX
+ 1] = {
3198 [NFTA_SET_ELEM_LIST_TABLE
] = { .type
= NLA_STRING
,
3199 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
3200 [NFTA_SET_ELEM_LIST_SET
] = { .type
= NLA_STRING
,
3201 .len
= NFT_SET_MAXNAMELEN
- 1 },
3202 [NFTA_SET_ELEM_LIST_ELEMENTS
] = { .type
= NLA_NESTED
},
3203 [NFTA_SET_ELEM_LIST_SET_ID
] = { .type
= NLA_U32
},
3206 static int nft_ctx_init_from_elemattr(struct nft_ctx
*ctx
, struct net
*net
,
3207 const struct sk_buff
*skb
,
3208 const struct nlmsghdr
*nlh
,
3209 const struct nlattr
* const nla
[],
3212 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3213 struct nft_af_info
*afi
;
3214 struct nft_table
*table
;
3216 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, false);
3218 return PTR_ERR(afi
);
3220 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_ELEM_LIST_TABLE
],
3223 return PTR_ERR(table
);
3225 nft_ctx_init(ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
3229 static int nf_tables_fill_setelem(struct sk_buff
*skb
,
3230 const struct nft_set
*set
,
3231 const struct nft_set_elem
*elem
)
3233 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
3234 unsigned char *b
= skb_tail_pointer(skb
);
3235 struct nlattr
*nest
;
3237 nest
= nla_nest_start(skb
, NFTA_LIST_ELEM
);
3239 goto nla_put_failure
;
3241 if (nft_data_dump(skb
, NFTA_SET_ELEM_KEY
, nft_set_ext_key(ext
),
3242 NFT_DATA_VALUE
, set
->klen
) < 0)
3243 goto nla_put_failure
;
3245 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
3246 nft_data_dump(skb
, NFTA_SET_ELEM_DATA
, nft_set_ext_data(ext
),
3247 set
->dtype
== NFT_DATA_VERDICT
? NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
3249 goto nla_put_failure
;
3251 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
) &&
3252 nft_expr_dump(skb
, NFTA_SET_ELEM_EXPR
, nft_set_ext_expr(ext
)) < 0)
3253 goto nla_put_failure
;
3255 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) &&
3256 nla_put_string(skb
, NFTA_SET_ELEM_OBJREF
,
3257 (*nft_set_ext_obj(ext
))->name
) < 0)
3258 goto nla_put_failure
;
3260 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
3261 nla_put_be32(skb
, NFTA_SET_ELEM_FLAGS
,
3262 htonl(*nft_set_ext_flags(ext
))))
3263 goto nla_put_failure
;
3265 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
) &&
3266 nla_put_be64(skb
, NFTA_SET_ELEM_TIMEOUT
,
3267 cpu_to_be64(jiffies_to_msecs(
3268 *nft_set_ext_timeout(ext
))),
3270 goto nla_put_failure
;
3272 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
)) {
3273 unsigned long expires
, now
= jiffies
;
3275 expires
= *nft_set_ext_expiration(ext
);
3276 if (time_before(now
, expires
))
3281 if (nla_put_be64(skb
, NFTA_SET_ELEM_EXPIRATION
,
3282 cpu_to_be64(jiffies_to_msecs(expires
)),
3284 goto nla_put_failure
;
3287 if (nft_set_ext_exists(ext
, NFT_SET_EXT_USERDATA
)) {
3288 struct nft_userdata
*udata
;
3290 udata
= nft_set_ext_userdata(ext
);
3291 if (nla_put(skb
, NFTA_SET_ELEM_USERDATA
,
3292 udata
->len
+ 1, udata
->data
))
3293 goto nla_put_failure
;
3296 nla_nest_end(skb
, nest
);
3304 struct nft_set_dump_args
{
3305 const struct netlink_callback
*cb
;
3306 struct nft_set_iter iter
;
3307 struct sk_buff
*skb
;
3310 static int nf_tables_dump_setelem(const struct nft_ctx
*ctx
,
3311 struct nft_set
*set
,
3312 const struct nft_set_iter
*iter
,
3313 struct nft_set_elem
*elem
)
3315 struct nft_set_dump_args
*args
;
3317 args
= container_of(iter
, struct nft_set_dump_args
, iter
);
3318 return nf_tables_fill_setelem(args
->skb
, set
, elem
);
3321 static int nf_tables_dump_set(struct sk_buff
*skb
, struct netlink_callback
*cb
)
3323 struct net
*net
= sock_net(skb
->sk
);
3324 u8 genmask
= nft_genmask_cur(net
);
3325 struct nft_set
*set
;
3326 struct nft_set_dump_args args
;
3328 struct nlattr
*nla
[NFTA_SET_ELEM_LIST_MAX
+ 1];
3329 struct nfgenmsg
*nfmsg
;
3330 struct nlmsghdr
*nlh
;
3331 struct nlattr
*nest
;
3335 err
= nlmsg_parse(cb
->nlh
, sizeof(struct nfgenmsg
), nla
,
3336 NFTA_SET_ELEM_LIST_MAX
, nft_set_elem_list_policy
);
3340 err
= nft_ctx_init_from_elemattr(&ctx
, net
, cb
->skb
, cb
->nlh
,
3341 (void *)nla
, genmask
);
3345 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3348 return PTR_ERR(set
);
3350 event
= NFT_MSG_NEWSETELEM
;
3351 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
3352 portid
= NETLINK_CB(cb
->skb
).portid
;
3353 seq
= cb
->nlh
->nlmsg_seq
;
3355 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3358 goto nla_put_failure
;
3360 nfmsg
= nlmsg_data(nlh
);
3361 nfmsg
->nfgen_family
= ctx
.afi
->family
;
3362 nfmsg
->version
= NFNETLINK_V0
;
3363 nfmsg
->res_id
= htons(ctx
.net
->nft
.base_seq
& 0xffff);
3365 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_TABLE
, ctx
.table
->name
))
3366 goto nla_put_failure
;
3367 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_SET
, set
->name
))
3368 goto nla_put_failure
;
3370 nest
= nla_nest_start(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
3372 goto nla_put_failure
;
3376 args
.iter
.genmask
= nft_genmask_cur(ctx
.net
);
3377 args
.iter
.skip
= cb
->args
[0];
3378 args
.iter
.count
= 0;
3380 args
.iter
.fn
= nf_tables_dump_setelem
;
3381 set
->ops
->walk(&ctx
, set
, &args
.iter
);
3383 nla_nest_end(skb
, nest
);
3384 nlmsg_end(skb
, nlh
);
3386 if (args
.iter
.err
&& args
.iter
.err
!= -EMSGSIZE
)
3387 return args
.iter
.err
;
3388 if (args
.iter
.count
== cb
->args
[0])
3391 cb
->args
[0] = args
.iter
.count
;
3398 static int nf_tables_getsetelem(struct net
*net
, struct sock
*nlsk
,
3399 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3400 const struct nlattr
* const nla
[])
3402 u8 genmask
= nft_genmask_cur(net
);
3403 const struct nft_set
*set
;
3407 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3411 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3414 return PTR_ERR(set
);
3416 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
3417 struct netlink_dump_control c
= {
3418 .dump
= nf_tables_dump_set
,
3420 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
3425 static int nf_tables_fill_setelem_info(struct sk_buff
*skb
,
3426 const struct nft_ctx
*ctx
, u32 seq
,
3427 u32 portid
, int event
, u16 flags
,
3428 const struct nft_set
*set
,
3429 const struct nft_set_elem
*elem
)
3431 struct nfgenmsg
*nfmsg
;
3432 struct nlmsghdr
*nlh
;
3433 struct nlattr
*nest
;
3436 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
3437 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3440 goto nla_put_failure
;
3442 nfmsg
= nlmsg_data(nlh
);
3443 nfmsg
->nfgen_family
= ctx
->afi
->family
;
3444 nfmsg
->version
= NFNETLINK_V0
;
3445 nfmsg
->res_id
= htons(ctx
->net
->nft
.base_seq
& 0xffff);
3447 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
3448 goto nla_put_failure
;
3449 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
3450 goto nla_put_failure
;
3452 nest
= nla_nest_start(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
3454 goto nla_put_failure
;
3456 err
= nf_tables_fill_setelem(skb
, set
, elem
);
3458 goto nla_put_failure
;
3460 nla_nest_end(skb
, nest
);
3462 nlmsg_end(skb
, nlh
);
3466 nlmsg_trim(skb
, nlh
);
3470 static int nf_tables_setelem_notify(const struct nft_ctx
*ctx
,
3471 const struct nft_set
*set
,
3472 const struct nft_set_elem
*elem
,
3473 int event
, u16 flags
)
3475 struct net
*net
= ctx
->net
;
3476 u32 portid
= ctx
->portid
;
3477 struct sk_buff
*skb
;
3480 if (!ctx
->report
&& !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
3484 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
3488 err
= nf_tables_fill_setelem_info(skb
, ctx
, 0, portid
, event
, flags
,
3495 err
= nfnetlink_send(skb
, net
, portid
, NFNLGRP_NFTABLES
, ctx
->report
,
3499 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, err
);
3503 static struct nft_trans
*nft_trans_elem_alloc(struct nft_ctx
*ctx
,
3505 struct nft_set
*set
)
3507 struct nft_trans
*trans
;
3509 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_elem
));
3513 nft_trans_elem_set(trans
) = set
;
3517 void *nft_set_elem_init(const struct nft_set
*set
,
3518 const struct nft_set_ext_tmpl
*tmpl
,
3519 const u32
*key
, const u32
*data
,
3520 u64 timeout
, gfp_t gfp
)
3522 struct nft_set_ext
*ext
;
3525 elem
= kzalloc(set
->ops
->elemsize
+ tmpl
->len
, gfp
);
3529 ext
= nft_set_elem_ext(set
, elem
);
3530 nft_set_ext_init(ext
, tmpl
);
3532 memcpy(nft_set_ext_key(ext
), key
, set
->klen
);
3533 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
3534 memcpy(nft_set_ext_data(ext
), data
, set
->dlen
);
3535 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
))
3536 *nft_set_ext_expiration(ext
) =
3538 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
))
3539 *nft_set_ext_timeout(ext
) = timeout
;
3544 void nft_set_elem_destroy(const struct nft_set
*set
, void *elem
,
3547 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
3549 nft_data_uninit(nft_set_ext_key(ext
), NFT_DATA_VALUE
);
3550 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
3551 nft_data_uninit(nft_set_ext_data(ext
), set
->dtype
);
3552 if (destroy_expr
&& nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
))
3553 nf_tables_expr_destroy(NULL
, nft_set_ext_expr(ext
));
3554 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
3555 (*nft_set_ext_obj(ext
))->use
--;
3558 EXPORT_SYMBOL_GPL(nft_set_elem_destroy
);
3560 static int nft_setelem_parse_flags(const struct nft_set
*set
,
3561 const struct nlattr
*attr
, u32
*flags
)
3566 *flags
= ntohl(nla_get_be32(attr
));
3567 if (*flags
& ~NFT_SET_ELEM_INTERVAL_END
)
3569 if (!(set
->flags
& NFT_SET_INTERVAL
) &&
3570 *flags
& NFT_SET_ELEM_INTERVAL_END
)
3576 static int nft_add_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
3577 const struct nlattr
*attr
, u32 nlmsg_flags
)
3579 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
3580 u8 genmask
= nft_genmask_next(ctx
->net
);
3581 struct nft_data_desc d1
, d2
;
3582 struct nft_set_ext_tmpl tmpl
;
3583 struct nft_set_ext
*ext
, *ext2
;
3584 struct nft_set_elem elem
;
3585 struct nft_set_binding
*binding
;
3586 struct nft_object
*obj
= NULL
;
3587 struct nft_userdata
*udata
;
3588 struct nft_data data
;
3589 enum nft_registers dreg
;
3590 struct nft_trans
*trans
;
3596 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
3597 nft_set_elem_policy
);
3601 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
3604 nft_set_ext_prepare(&tmpl
);
3606 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
3610 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
3612 if (set
->flags
& NFT_SET_MAP
) {
3613 if (nla
[NFTA_SET_ELEM_DATA
] == NULL
&&
3614 !(flags
& NFT_SET_ELEM_INTERVAL_END
))
3616 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
&&
3617 flags
& NFT_SET_ELEM_INTERVAL_END
)
3620 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
3625 if (nla
[NFTA_SET_ELEM_TIMEOUT
] != NULL
) {
3626 if (!(set
->flags
& NFT_SET_TIMEOUT
))
3628 timeout
= msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3629 nla
[NFTA_SET_ELEM_TIMEOUT
])));
3630 } else if (set
->flags
& NFT_SET_TIMEOUT
) {
3631 timeout
= set
->timeout
;
3634 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &d1
,
3635 nla
[NFTA_SET_ELEM_KEY
]);
3639 if (d1
.type
!= NFT_DATA_VALUE
|| d1
.len
!= set
->klen
)
3642 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, d1
.len
);
3644 nft_set_ext_add(&tmpl
, NFT_SET_EXT_EXPIRATION
);
3645 if (timeout
!= set
->timeout
)
3646 nft_set_ext_add(&tmpl
, NFT_SET_EXT_TIMEOUT
);
3649 if (nla
[NFTA_SET_ELEM_OBJREF
] != NULL
) {
3650 if (!(set
->flags
& NFT_SET_OBJECT
)) {
3654 obj
= nf_tables_obj_lookup(ctx
->table
, nla
[NFTA_SET_ELEM_OBJREF
],
3655 set
->objtype
, genmask
);
3660 nft_set_ext_add(&tmpl
, NFT_SET_EXT_OBJREF
);
3663 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
) {
3664 err
= nft_data_init(ctx
, &data
, sizeof(data
), &d2
,
3665 nla
[NFTA_SET_ELEM_DATA
]);
3670 if (set
->dtype
!= NFT_DATA_VERDICT
&& d2
.len
!= set
->dlen
)
3673 dreg
= nft_type_to_reg(set
->dtype
);
3674 list_for_each_entry(binding
, &set
->bindings
, list
) {
3675 struct nft_ctx bind_ctx
= {
3678 .table
= ctx
->table
,
3679 .chain
= (struct nft_chain
*)binding
->chain
,
3682 if (!(binding
->flags
& NFT_SET_MAP
))
3685 err
= nft_validate_register_store(&bind_ctx
, dreg
,
3692 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_DATA
, d2
.len
);
3695 /* The full maximum length of userdata can exceed the maximum
3696 * offset value (U8_MAX) for following extensions, therefor it
3697 * must be the last extension added.
3700 if (nla
[NFTA_SET_ELEM_USERDATA
] != NULL
) {
3701 ulen
= nla_len(nla
[NFTA_SET_ELEM_USERDATA
]);
3703 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_USERDATA
,
3708 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
, data
.data
,
3709 timeout
, GFP_KERNEL
);
3710 if (elem
.priv
== NULL
)
3713 ext
= nft_set_elem_ext(set
, elem
.priv
);
3715 *nft_set_ext_flags(ext
) = flags
;
3717 udata
= nft_set_ext_userdata(ext
);
3718 udata
->len
= ulen
- 1;
3719 nla_memcpy(&udata
->data
, nla
[NFTA_SET_ELEM_USERDATA
], ulen
);
3722 *nft_set_ext_obj(ext
) = obj
;
3726 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_NEWSETELEM
, set
);
3730 ext
->genmask
= nft_genmask_cur(ctx
->net
) | NFT_SET_ELEM_BUSY_MASK
;
3731 err
= set
->ops
->insert(ctx
->net
, set
, &elem
, &ext2
);
3733 if (err
== -EEXIST
) {
3734 if ((nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
3735 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) &&
3736 memcmp(nft_set_ext_data(ext
),
3737 nft_set_ext_data(ext2
), set
->dlen
) != 0) ||
3738 (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) &&
3739 nft_set_ext_exists(ext2
, NFT_SET_EXT_OBJREF
) &&
3740 *nft_set_ext_obj(ext
) != *nft_set_ext_obj(ext2
)))
3742 else if (!(nlmsg_flags
& NLM_F_EXCL
))
3749 !atomic_add_unless(&set
->nelems
, 1, set
->size
+ set
->ndeact
)) {
3754 nft_trans_elem(trans
) = elem
;
3755 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
3759 set
->ops
->remove(set
, &elem
);
3765 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
3766 nft_data_uninit(&data
, d2
.type
);
3768 nft_data_uninit(&elem
.key
.val
, d1
.type
);
3773 static int nf_tables_newsetelem(struct net
*net
, struct sock
*nlsk
,
3774 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3775 const struct nlattr
* const nla
[])
3777 u8 genmask
= nft_genmask_next(net
);
3778 const struct nlattr
*attr
;
3779 struct nft_set
*set
;
3783 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
)
3786 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3790 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3793 if (nla
[NFTA_SET_ELEM_LIST_SET_ID
]) {
3794 set
= nf_tables_set_lookup_byid(net
,
3795 nla
[NFTA_SET_ELEM_LIST_SET_ID
],
3799 return PTR_ERR(set
);
3802 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
3805 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
3806 err
= nft_add_set_elem(&ctx
, set
, attr
, nlh
->nlmsg_flags
);
3813 static int nft_del_setelem(struct nft_ctx
*ctx
, struct nft_set
*set
,
3814 const struct nlattr
*attr
)
3816 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
3817 struct nft_set_ext_tmpl tmpl
;
3818 struct nft_data_desc desc
;
3819 struct nft_set_elem elem
;
3820 struct nft_set_ext
*ext
;
3821 struct nft_trans
*trans
;
3826 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
3827 nft_set_elem_policy
);
3832 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
3835 nft_set_ext_prepare(&tmpl
);
3837 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
3841 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
3843 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &desc
,
3844 nla
[NFTA_SET_ELEM_KEY
]);
3849 if (desc
.type
!= NFT_DATA_VALUE
|| desc
.len
!= set
->klen
)
3852 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, desc
.len
);
3855 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
, NULL
, 0,
3857 if (elem
.priv
== NULL
)
3860 ext
= nft_set_elem_ext(set
, elem
.priv
);
3862 *nft_set_ext_flags(ext
) = flags
;
3864 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_DELSETELEM
, set
);
3865 if (trans
== NULL
) {
3870 priv
= set
->ops
->deactivate(ctx
->net
, set
, &elem
);
3878 nft_trans_elem(trans
) = elem
;
3879 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
3887 nft_data_uninit(&elem
.key
.val
, desc
.type
);
3892 static int nft_flush_set(const struct nft_ctx
*ctx
,
3893 struct nft_set
*set
,
3894 const struct nft_set_iter
*iter
,
3895 struct nft_set_elem
*elem
)
3897 struct nft_trans
*trans
;
3900 trans
= nft_trans_alloc_gfp(ctx
, NFT_MSG_DELSETELEM
,
3901 sizeof(struct nft_trans_elem
), GFP_ATOMIC
);
3905 if (!set
->ops
->deactivate_one(ctx
->net
, set
, elem
->priv
)) {
3911 nft_trans_elem_set(trans
) = set
;
3912 nft_trans_elem(trans
) = *elem
;
3913 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
3921 static int nf_tables_delsetelem(struct net
*net
, struct sock
*nlsk
,
3922 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3923 const struct nlattr
* const nla
[])
3925 u8 genmask
= nft_genmask_next(net
);
3926 const struct nlattr
*attr
;
3927 struct nft_set
*set
;
3931 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3935 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3938 return PTR_ERR(set
);
3939 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
3942 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
) {
3943 struct nft_set_dump_args args
= {
3946 .fn
= nft_flush_set
,
3949 set
->ops
->walk(&ctx
, set
, &args
.iter
);
3951 return args
.iter
.err
;
3954 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
3955 err
= nft_del_setelem(&ctx
, set
, attr
);
3964 void nft_set_gc_batch_release(struct rcu_head
*rcu
)
3966 struct nft_set_gc_batch
*gcb
;
3969 gcb
= container_of(rcu
, struct nft_set_gc_batch
, head
.rcu
);
3970 for (i
= 0; i
< gcb
->head
.cnt
; i
++)
3971 nft_set_elem_destroy(gcb
->head
.set
, gcb
->elems
[i
], true);
3974 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release
);
3976 struct nft_set_gc_batch
*nft_set_gc_batch_alloc(const struct nft_set
*set
,
3979 struct nft_set_gc_batch
*gcb
;
3981 gcb
= kzalloc(sizeof(*gcb
), gfp
);
3984 gcb
->head
.set
= set
;
3987 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc
);
3994 * nft_register_obj- register nf_tables stateful object type
3997 * Registers the object type for use with nf_tables. Returns zero on
3998 * success or a negative errno code otherwise.
4000 int nft_register_obj(struct nft_object_type
*obj_type
)
4002 if (obj_type
->type
== NFT_OBJECT_UNSPEC
)
4005 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
4006 list_add_rcu(&obj_type
->list
, &nf_tables_objects
);
4007 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
4010 EXPORT_SYMBOL_GPL(nft_register_obj
);
4013 * nft_unregister_obj - unregister nf_tables object type
4016 * Unregisters the object type for use with nf_tables.
4018 void nft_unregister_obj(struct nft_object_type
*obj_type
)
4020 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
4021 list_del_rcu(&obj_type
->list
);
4022 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
4024 EXPORT_SYMBOL_GPL(nft_unregister_obj
);
4026 struct nft_object
*nf_tables_obj_lookup(const struct nft_table
*table
,
4027 const struct nlattr
*nla
,
4028 u32 objtype
, u8 genmask
)
4030 struct nft_object
*obj
;
4032 list_for_each_entry(obj
, &table
->objects
, list
) {
4033 if (!nla_strcmp(nla
, obj
->name
) &&
4034 objtype
== obj
->type
->type
&&
4035 nft_active_genmask(obj
, genmask
))
4038 return ERR_PTR(-ENOENT
);
4040 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup
);
4042 static const struct nla_policy nft_obj_policy
[NFTA_OBJ_MAX
+ 1] = {
4043 [NFTA_OBJ_TABLE
] = { .type
= NLA_STRING
,
4044 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
4045 [NFTA_OBJ_NAME
] = { .type
= NLA_STRING
,
4046 .len
= NFT_OBJ_MAXNAMELEN
- 1 },
4047 [NFTA_OBJ_TYPE
] = { .type
= NLA_U32
},
4048 [NFTA_OBJ_DATA
] = { .type
= NLA_NESTED
},
4051 static struct nft_object
*nft_obj_init(const struct nft_object_type
*type
,
4052 const struct nlattr
*attr
)
4054 struct nlattr
*tb
[type
->maxattr
+ 1];
4055 struct nft_object
*obj
;
4059 err
= nla_parse_nested(tb
, type
->maxattr
, attr
, type
->policy
);
4063 memset(tb
, 0, sizeof(tb
[0]) * (type
->maxattr
+ 1));
4067 obj
= kzalloc(sizeof(struct nft_object
) + type
->size
, GFP_KERNEL
);
4071 err
= type
->init((const struct nlattr
* const *)tb
, obj
);
4080 return ERR_PTR(err
);
4083 static int nft_object_dump(struct sk_buff
*skb
, unsigned int attr
,
4084 struct nft_object
*obj
, bool reset
)
4086 struct nlattr
*nest
;
4088 nest
= nla_nest_start(skb
, attr
);
4090 goto nla_put_failure
;
4091 if (obj
->type
->dump(skb
, obj
, reset
) < 0)
4092 goto nla_put_failure
;
4093 nla_nest_end(skb
, nest
);
4100 static const struct nft_object_type
*__nft_obj_type_get(u32 objtype
)
4102 const struct nft_object_type
*type
;
4104 list_for_each_entry(type
, &nf_tables_objects
, list
) {
4105 if (objtype
== type
->type
)
4111 static const struct nft_object_type
*nft_obj_type_get(u32 objtype
)
4113 const struct nft_object_type
*type
;
4115 type
= __nft_obj_type_get(objtype
);
4116 if (type
!= NULL
&& try_module_get(type
->owner
))
4119 #ifdef CONFIG_MODULES
4121 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
4122 request_module("nft-obj-%u", objtype
);
4123 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
4124 if (__nft_obj_type_get(objtype
))
4125 return ERR_PTR(-EAGAIN
);
4128 return ERR_PTR(-ENOENT
);
4131 static int nf_tables_newobj(struct net
*net
, struct sock
*nlsk
,
4132 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4133 const struct nlattr
* const nla
[])
4135 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
4136 const struct nft_object_type
*type
;
4137 u8 genmask
= nft_genmask_next(net
);
4138 int family
= nfmsg
->nfgen_family
;
4139 struct nft_af_info
*afi
;
4140 struct nft_table
*table
;
4141 struct nft_object
*obj
;
4146 if (!nla
[NFTA_OBJ_TYPE
] ||
4147 !nla
[NFTA_OBJ_NAME
] ||
4148 !nla
[NFTA_OBJ_DATA
])
4151 afi
= nf_tables_afinfo_lookup(net
, family
, true);
4153 return PTR_ERR(afi
);
4155 table
= nf_tables_table_lookup(afi
, nla
[NFTA_OBJ_TABLE
], genmask
);
4157 return PTR_ERR(table
);
4159 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
4160 obj
= nf_tables_obj_lookup(table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
4170 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
4176 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
4178 type
= nft_obj_type_get(objtype
);
4180 return PTR_ERR(type
);
4182 obj
= nft_obj_init(type
, nla
[NFTA_OBJ_DATA
]);
4188 nla_strlcpy(obj
->name
, nla
[NFTA_OBJ_NAME
], NFT_OBJ_MAXNAMELEN
);
4190 err
= nft_trans_obj_add(&ctx
, NFT_MSG_NEWOBJ
, obj
);
4194 list_add_tail_rcu(&obj
->list
, &table
->objects
);
4198 if (obj
->type
->destroy
)
4199 obj
->type
->destroy(obj
);
4202 module_put(type
->owner
);
4206 static int nf_tables_fill_obj_info(struct sk_buff
*skb
, struct net
*net
,
4207 u32 portid
, u32 seq
, int event
, u32 flags
,
4208 int family
, const struct nft_table
*table
,
4209 struct nft_object
*obj
, bool reset
)
4211 struct nfgenmsg
*nfmsg
;
4212 struct nlmsghdr
*nlh
;
4214 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
4215 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
4217 goto nla_put_failure
;
4219 nfmsg
= nlmsg_data(nlh
);
4220 nfmsg
->nfgen_family
= family
;
4221 nfmsg
->version
= NFNETLINK_V0
;
4222 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
4224 if (nla_put_string(skb
, NFTA_OBJ_TABLE
, table
->name
) ||
4225 nla_put_string(skb
, NFTA_OBJ_NAME
, obj
->name
) ||
4226 nla_put_be32(skb
, NFTA_OBJ_TYPE
, htonl(obj
->type
->type
)) ||
4227 nla_put_be32(skb
, NFTA_OBJ_USE
, htonl(obj
->use
)) ||
4228 nft_object_dump(skb
, NFTA_OBJ_DATA
, obj
, reset
))
4229 goto nla_put_failure
;
4231 nlmsg_end(skb
, nlh
);
4235 nlmsg_trim(skb
, nlh
);
4239 struct nft_obj_filter
{
4240 char table
[NFT_OBJ_MAXNAMELEN
];
4244 static int nf_tables_dump_obj(struct sk_buff
*skb
, struct netlink_callback
*cb
)
4246 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
4247 const struct nft_af_info
*afi
;
4248 const struct nft_table
*table
;
4249 unsigned int idx
= 0, s_idx
= cb
->args
[0];
4250 struct nft_obj_filter
*filter
= cb
->data
;
4251 struct net
*net
= sock_net(skb
->sk
);
4252 int family
= nfmsg
->nfgen_family
;
4253 struct nft_object
*obj
;
4256 if (NFNL_MSG_TYPE(cb
->nlh
->nlmsg_type
) == NFT_MSG_GETOBJ_RESET
)
4260 cb
->seq
= net
->nft
.base_seq
;
4262 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
4263 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
4266 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
4267 list_for_each_entry_rcu(obj
, &table
->objects
, list
) {
4268 if (!nft_is_active(net
, obj
))
4273 memset(&cb
->args
[1], 0,
4274 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
4275 if (filter
&& filter
->table
[0] &&
4276 strcmp(filter
->table
, table
->name
))
4279 filter
->type
!= NFT_OBJECT_UNSPEC
&&
4280 obj
->type
->type
!= filter
->type
)
4283 if (nf_tables_fill_obj_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
4286 NLM_F_MULTI
| NLM_F_APPEND
,
4287 afi
->family
, table
, obj
, reset
) < 0)
4290 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
4303 static int nf_tables_dump_obj_done(struct netlink_callback
*cb
)
4310 static struct nft_obj_filter
*
4311 nft_obj_filter_alloc(const struct nlattr
* const nla
[])
4313 struct nft_obj_filter
*filter
;
4315 filter
= kzalloc(sizeof(*filter
), GFP_KERNEL
);
4317 return ERR_PTR(-ENOMEM
);
4319 if (nla
[NFTA_OBJ_TABLE
])
4320 nla_strlcpy(filter
->table
, nla
[NFTA_OBJ_TABLE
],
4321 NFT_TABLE_MAXNAMELEN
);
4322 if (nla
[NFTA_OBJ_TYPE
])
4323 filter
->type
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
4328 static int nf_tables_getobj(struct net
*net
, struct sock
*nlsk
,
4329 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4330 const struct nlattr
* const nla
[])
4332 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
4333 u8 genmask
= nft_genmask_cur(net
);
4334 int family
= nfmsg
->nfgen_family
;
4335 const struct nft_af_info
*afi
;
4336 const struct nft_table
*table
;
4337 struct nft_object
*obj
;
4338 struct sk_buff
*skb2
;
4343 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
4344 struct netlink_dump_control c
= {
4345 .dump
= nf_tables_dump_obj
,
4346 .done
= nf_tables_dump_obj_done
,
4349 if (nla
[NFTA_OBJ_TABLE
] ||
4350 nla
[NFTA_OBJ_TYPE
]) {
4351 struct nft_obj_filter
*filter
;
4353 filter
= nft_obj_filter_alloc(nla
);
4359 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
4362 if (!nla
[NFTA_OBJ_NAME
] ||
4363 !nla
[NFTA_OBJ_TYPE
])
4366 afi
= nf_tables_afinfo_lookup(net
, family
, false);
4368 return PTR_ERR(afi
);
4370 table
= nf_tables_table_lookup(afi
, nla
[NFTA_OBJ_TABLE
], genmask
);
4372 return PTR_ERR(table
);
4374 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
4375 obj
= nf_tables_obj_lookup(table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
4377 return PTR_ERR(obj
);
4379 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
4383 if (NFNL_MSG_TYPE(nlh
->nlmsg_type
) == NFT_MSG_GETOBJ_RESET
)
4386 err
= nf_tables_fill_obj_info(skb2
, net
, NETLINK_CB(skb
).portid
,
4387 nlh
->nlmsg_seq
, NFT_MSG_NEWOBJ
, 0,
4388 family
, table
, obj
, reset
);
4392 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
4400 static void nft_obj_destroy(struct nft_object
*obj
)
4402 if (obj
->type
->destroy
)
4403 obj
->type
->destroy(obj
);
4405 module_put(obj
->type
->owner
);
4409 static int nf_tables_delobj(struct net
*net
, struct sock
*nlsk
,
4410 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4411 const struct nlattr
* const nla
[])
4413 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
4414 u8 genmask
= nft_genmask_next(net
);
4415 int family
= nfmsg
->nfgen_family
;
4416 struct nft_af_info
*afi
;
4417 struct nft_table
*table
;
4418 struct nft_object
*obj
;
4422 if (!nla
[NFTA_OBJ_TYPE
] ||
4423 !nla
[NFTA_OBJ_NAME
])
4426 afi
= nf_tables_afinfo_lookup(net
, family
, true);
4428 return PTR_ERR(afi
);
4430 table
= nf_tables_table_lookup(afi
, nla
[NFTA_OBJ_TABLE
], genmask
);
4432 return PTR_ERR(table
);
4434 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
4435 obj
= nf_tables_obj_lookup(table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
4437 return PTR_ERR(obj
);
4441 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
4443 return nft_delobj(&ctx
, obj
);
4446 int nft_obj_notify(struct net
*net
, struct nft_table
*table
,
4447 struct nft_object
*obj
, u32 portid
, u32 seq
, int event
,
4448 int family
, int report
, gfp_t gfp
)
4450 struct sk_buff
*skb
;
4454 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
4458 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp
);
4462 err
= nf_tables_fill_obj_info(skb
, net
, portid
, seq
, event
, 0, family
,
4469 err
= nfnetlink_send(skb
, net
, portid
, NFNLGRP_NFTABLES
, report
, gfp
);
4472 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, err
);
4476 EXPORT_SYMBOL_GPL(nft_obj_notify
);
4478 static int nf_tables_obj_notify(const struct nft_ctx
*ctx
,
4479 struct nft_object
*obj
, int event
)
4481 return nft_obj_notify(ctx
->net
, ctx
->table
, obj
, ctx
->portid
,
4482 ctx
->seq
, event
, ctx
->afi
->family
, ctx
->report
,
4486 static int nf_tables_fill_gen_info(struct sk_buff
*skb
, struct net
*net
,
4487 u32 portid
, u32 seq
)
4489 struct nlmsghdr
*nlh
;
4490 struct nfgenmsg
*nfmsg
;
4491 int event
= (NFNL_SUBSYS_NFTABLES
<< 8) | NFT_MSG_NEWGEN
;
4493 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), 0);
4495 goto nla_put_failure
;
4497 nfmsg
= nlmsg_data(nlh
);
4498 nfmsg
->nfgen_family
= AF_UNSPEC
;
4499 nfmsg
->version
= NFNETLINK_V0
;
4500 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
4502 if (nla_put_be32(skb
, NFTA_GEN_ID
, htonl(net
->nft
.base_seq
)))
4503 goto nla_put_failure
;
4505 nlmsg_end(skb
, nlh
);
4509 nlmsg_trim(skb
, nlh
);
4513 static int nf_tables_gen_notify(struct net
*net
, struct sk_buff
*skb
, int event
)
4515 struct nlmsghdr
*nlh
= nlmsg_hdr(skb
);
4516 struct sk_buff
*skb2
;
4519 if (nlmsg_report(nlh
) &&
4520 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
4524 skb2
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
4528 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
4535 err
= nfnetlink_send(skb2
, net
, NETLINK_CB(skb
).portid
,
4536 NFNLGRP_NFTABLES
, nlmsg_report(nlh
), GFP_KERNEL
);
4539 nfnetlink_set_err(net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
4545 static int nf_tables_getgen(struct net
*net
, struct sock
*nlsk
,
4546 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4547 const struct nlattr
* const nla
[])
4549 struct sk_buff
*skb2
;
4552 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
4556 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
4561 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
4567 static const struct nfnl_callback nf_tables_cb
[NFT_MSG_MAX
] = {
4568 [NFT_MSG_NEWTABLE
] = {
4569 .call_batch
= nf_tables_newtable
,
4570 .attr_count
= NFTA_TABLE_MAX
,
4571 .policy
= nft_table_policy
,
4573 [NFT_MSG_GETTABLE
] = {
4574 .call
= nf_tables_gettable
,
4575 .attr_count
= NFTA_TABLE_MAX
,
4576 .policy
= nft_table_policy
,
4578 [NFT_MSG_DELTABLE
] = {
4579 .call_batch
= nf_tables_deltable
,
4580 .attr_count
= NFTA_TABLE_MAX
,
4581 .policy
= nft_table_policy
,
4583 [NFT_MSG_NEWCHAIN
] = {
4584 .call_batch
= nf_tables_newchain
,
4585 .attr_count
= NFTA_CHAIN_MAX
,
4586 .policy
= nft_chain_policy
,
4588 [NFT_MSG_GETCHAIN
] = {
4589 .call
= nf_tables_getchain
,
4590 .attr_count
= NFTA_CHAIN_MAX
,
4591 .policy
= nft_chain_policy
,
4593 [NFT_MSG_DELCHAIN
] = {
4594 .call_batch
= nf_tables_delchain
,
4595 .attr_count
= NFTA_CHAIN_MAX
,
4596 .policy
= nft_chain_policy
,
4598 [NFT_MSG_NEWRULE
] = {
4599 .call_batch
= nf_tables_newrule
,
4600 .attr_count
= NFTA_RULE_MAX
,
4601 .policy
= nft_rule_policy
,
4603 [NFT_MSG_GETRULE
] = {
4604 .call
= nf_tables_getrule
,
4605 .attr_count
= NFTA_RULE_MAX
,
4606 .policy
= nft_rule_policy
,
4608 [NFT_MSG_DELRULE
] = {
4609 .call_batch
= nf_tables_delrule
,
4610 .attr_count
= NFTA_RULE_MAX
,
4611 .policy
= nft_rule_policy
,
4613 [NFT_MSG_NEWSET
] = {
4614 .call_batch
= nf_tables_newset
,
4615 .attr_count
= NFTA_SET_MAX
,
4616 .policy
= nft_set_policy
,
4618 [NFT_MSG_GETSET
] = {
4619 .call
= nf_tables_getset
,
4620 .attr_count
= NFTA_SET_MAX
,
4621 .policy
= nft_set_policy
,
4623 [NFT_MSG_DELSET
] = {
4624 .call_batch
= nf_tables_delset
,
4625 .attr_count
= NFTA_SET_MAX
,
4626 .policy
= nft_set_policy
,
4628 [NFT_MSG_NEWSETELEM
] = {
4629 .call_batch
= nf_tables_newsetelem
,
4630 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
4631 .policy
= nft_set_elem_list_policy
,
4633 [NFT_MSG_GETSETELEM
] = {
4634 .call
= nf_tables_getsetelem
,
4635 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
4636 .policy
= nft_set_elem_list_policy
,
4638 [NFT_MSG_DELSETELEM
] = {
4639 .call_batch
= nf_tables_delsetelem
,
4640 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
4641 .policy
= nft_set_elem_list_policy
,
4643 [NFT_MSG_GETGEN
] = {
4644 .call
= nf_tables_getgen
,
4646 [NFT_MSG_NEWOBJ
] = {
4647 .call_batch
= nf_tables_newobj
,
4648 .attr_count
= NFTA_OBJ_MAX
,
4649 .policy
= nft_obj_policy
,
4651 [NFT_MSG_GETOBJ
] = {
4652 .call
= nf_tables_getobj
,
4653 .attr_count
= NFTA_OBJ_MAX
,
4654 .policy
= nft_obj_policy
,
4656 [NFT_MSG_DELOBJ
] = {
4657 .call_batch
= nf_tables_delobj
,
4658 .attr_count
= NFTA_OBJ_MAX
,
4659 .policy
= nft_obj_policy
,
4661 [NFT_MSG_GETOBJ_RESET
] = {
4662 .call
= nf_tables_getobj
,
4663 .attr_count
= NFTA_OBJ_MAX
,
4664 .policy
= nft_obj_policy
,
4668 static void nft_chain_commit_update(struct nft_trans
*trans
)
4670 struct nft_base_chain
*basechain
;
4672 if (nft_trans_chain_name(trans
)[0])
4673 strcpy(trans
->ctx
.chain
->name
, nft_trans_chain_name(trans
));
4675 if (!(trans
->ctx
.chain
->flags
& NFT_BASE_CHAIN
))
4678 basechain
= nft_base_chain(trans
->ctx
.chain
);
4679 nft_chain_stats_replace(basechain
, nft_trans_chain_stats(trans
));
4681 switch (nft_trans_chain_policy(trans
)) {
4684 basechain
->policy
= nft_trans_chain_policy(trans
);
4689 static void nf_tables_commit_release(struct nft_trans
*trans
)
4691 switch (trans
->msg_type
) {
4692 case NFT_MSG_DELTABLE
:
4693 nf_tables_table_destroy(&trans
->ctx
);
4695 case NFT_MSG_DELCHAIN
:
4696 nf_tables_chain_destroy(trans
->ctx
.chain
);
4698 case NFT_MSG_DELRULE
:
4699 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
4701 case NFT_MSG_DELSET
:
4702 nft_set_destroy(nft_trans_set(trans
));
4704 case NFT_MSG_DELSETELEM
:
4705 nft_set_elem_destroy(nft_trans_elem_set(trans
),
4706 nft_trans_elem(trans
).priv
, true);
4708 case NFT_MSG_DELOBJ
:
4709 nft_obj_destroy(nft_trans_obj(trans
));
4715 static int nf_tables_commit(struct net
*net
, struct sk_buff
*skb
)
4717 struct nft_trans
*trans
, *next
;
4718 struct nft_trans_elem
*te
;
4720 /* Bump generation counter, invalidate any dump in progress */
4721 while (++net
->nft
.base_seq
== 0);
4723 /* A new generation has just started */
4724 net
->nft
.gencursor
= nft_gencursor_next(net
);
4726 /* Make sure all packets have left the previous generation before
4727 * purging old rules.
4731 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
4732 switch (trans
->msg_type
) {
4733 case NFT_MSG_NEWTABLE
:
4734 if (nft_trans_table_update(trans
)) {
4735 if (!nft_trans_table_enable(trans
)) {
4736 nf_tables_table_disable(net
,
4739 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
4742 nft_clear(net
, trans
->ctx
.table
);
4744 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_NEWTABLE
);
4745 nft_trans_destroy(trans
);
4747 case NFT_MSG_DELTABLE
:
4748 list_del_rcu(&trans
->ctx
.table
->list
);
4749 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_DELTABLE
);
4751 case NFT_MSG_NEWCHAIN
:
4752 if (nft_trans_chain_update(trans
))
4753 nft_chain_commit_update(trans
);
4755 nft_clear(net
, trans
->ctx
.chain
);
4757 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
4758 nft_trans_destroy(trans
);
4760 case NFT_MSG_DELCHAIN
:
4761 list_del_rcu(&trans
->ctx
.chain
->list
);
4762 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_DELCHAIN
);
4763 nf_tables_unregister_hooks(trans
->ctx
.net
,
4766 trans
->ctx
.afi
->nops
);
4768 case NFT_MSG_NEWRULE
:
4769 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
4770 nf_tables_rule_notify(&trans
->ctx
,
4771 nft_trans_rule(trans
),
4773 nft_trans_destroy(trans
);
4775 case NFT_MSG_DELRULE
:
4776 list_del_rcu(&nft_trans_rule(trans
)->list
);
4777 nf_tables_rule_notify(&trans
->ctx
,
4778 nft_trans_rule(trans
),
4781 case NFT_MSG_NEWSET
:
4782 nft_clear(net
, nft_trans_set(trans
));
4783 /* This avoids hitting -EBUSY when deleting the table
4784 * from the transaction.
4786 if (nft_trans_set(trans
)->flags
& NFT_SET_ANONYMOUS
&&
4787 !list_empty(&nft_trans_set(trans
)->bindings
))
4788 trans
->ctx
.table
->use
--;
4790 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
4791 NFT_MSG_NEWSET
, GFP_KERNEL
);
4792 nft_trans_destroy(trans
);
4794 case NFT_MSG_DELSET
:
4795 list_del_rcu(&nft_trans_set(trans
)->list
);
4796 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
4797 NFT_MSG_DELSET
, GFP_KERNEL
);
4799 case NFT_MSG_NEWSETELEM
:
4800 te
= (struct nft_trans_elem
*)trans
->data
;
4802 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
4803 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
4805 NFT_MSG_NEWSETELEM
, 0);
4806 nft_trans_destroy(trans
);
4808 case NFT_MSG_DELSETELEM
:
4809 te
= (struct nft_trans_elem
*)trans
->data
;
4811 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
4813 NFT_MSG_DELSETELEM
, 0);
4814 te
->set
->ops
->remove(te
->set
, &te
->elem
);
4815 atomic_dec(&te
->set
->nelems
);
4818 case NFT_MSG_NEWOBJ
:
4819 nft_clear(net
, nft_trans_obj(trans
));
4820 nf_tables_obj_notify(&trans
->ctx
, nft_trans_obj(trans
),
4822 nft_trans_destroy(trans
);
4824 case NFT_MSG_DELOBJ
:
4825 list_del_rcu(&nft_trans_obj(trans
)->list
);
4826 nf_tables_obj_notify(&trans
->ctx
, nft_trans_obj(trans
),
4834 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
4835 list_del(&trans
->list
);
4836 nf_tables_commit_release(trans
);
4839 nf_tables_gen_notify(net
, skb
, NFT_MSG_NEWGEN
);
4844 static void nf_tables_abort_release(struct nft_trans
*trans
)
4846 switch (trans
->msg_type
) {
4847 case NFT_MSG_NEWTABLE
:
4848 nf_tables_table_destroy(&trans
->ctx
);
4850 case NFT_MSG_NEWCHAIN
:
4851 nf_tables_chain_destroy(trans
->ctx
.chain
);
4853 case NFT_MSG_NEWRULE
:
4854 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
4856 case NFT_MSG_NEWSET
:
4857 nft_set_destroy(nft_trans_set(trans
));
4859 case NFT_MSG_NEWSETELEM
:
4860 nft_set_elem_destroy(nft_trans_elem_set(trans
),
4861 nft_trans_elem(trans
).priv
, true);
4863 case NFT_MSG_NEWOBJ
:
4864 nft_obj_destroy(nft_trans_obj(trans
));
4870 static int nf_tables_abort(struct net
*net
, struct sk_buff
*skb
)
4872 struct nft_trans
*trans
, *next
;
4873 struct nft_trans_elem
*te
;
4875 list_for_each_entry_safe_reverse(trans
, next
, &net
->nft
.commit_list
,
4877 switch (trans
->msg_type
) {
4878 case NFT_MSG_NEWTABLE
:
4879 if (nft_trans_table_update(trans
)) {
4880 if (nft_trans_table_enable(trans
)) {
4881 nf_tables_table_disable(net
,
4884 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
4886 nft_trans_destroy(trans
);
4888 list_del_rcu(&trans
->ctx
.table
->list
);
4891 case NFT_MSG_DELTABLE
:
4892 nft_clear(trans
->ctx
.net
, trans
->ctx
.table
);
4893 nft_trans_destroy(trans
);
4895 case NFT_MSG_NEWCHAIN
:
4896 if (nft_trans_chain_update(trans
)) {
4897 free_percpu(nft_trans_chain_stats(trans
));
4899 nft_trans_destroy(trans
);
4901 trans
->ctx
.table
->use
--;
4902 list_del_rcu(&trans
->ctx
.chain
->list
);
4903 nf_tables_unregister_hooks(trans
->ctx
.net
,
4906 trans
->ctx
.afi
->nops
);
4909 case NFT_MSG_DELCHAIN
:
4910 trans
->ctx
.table
->use
++;
4911 nft_clear(trans
->ctx
.net
, trans
->ctx
.chain
);
4912 nft_trans_destroy(trans
);
4914 case NFT_MSG_NEWRULE
:
4915 trans
->ctx
.chain
->use
--;
4916 list_del_rcu(&nft_trans_rule(trans
)->list
);
4918 case NFT_MSG_DELRULE
:
4919 trans
->ctx
.chain
->use
++;
4920 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
4921 nft_trans_destroy(trans
);
4923 case NFT_MSG_NEWSET
:
4924 trans
->ctx
.table
->use
--;
4925 list_del_rcu(&nft_trans_set(trans
)->list
);
4927 case NFT_MSG_DELSET
:
4928 trans
->ctx
.table
->use
++;
4929 nft_clear(trans
->ctx
.net
, nft_trans_set(trans
));
4930 nft_trans_destroy(trans
);
4932 case NFT_MSG_NEWSETELEM
:
4933 te
= (struct nft_trans_elem
*)trans
->data
;
4935 te
->set
->ops
->remove(te
->set
, &te
->elem
);
4936 atomic_dec(&te
->set
->nelems
);
4938 case NFT_MSG_DELSETELEM
:
4939 te
= (struct nft_trans_elem
*)trans
->data
;
4941 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
4944 nft_trans_destroy(trans
);
4946 case NFT_MSG_NEWOBJ
:
4947 trans
->ctx
.table
->use
--;
4948 list_del_rcu(&nft_trans_obj(trans
)->list
);
4950 case NFT_MSG_DELOBJ
:
4951 trans
->ctx
.table
->use
++;
4952 nft_clear(trans
->ctx
.net
, nft_trans_obj(trans
));
4953 nft_trans_destroy(trans
);
4960 list_for_each_entry_safe_reverse(trans
, next
,
4961 &net
->nft
.commit_list
, list
) {
4962 list_del(&trans
->list
);
4963 nf_tables_abort_release(trans
);
4969 static const struct nfnetlink_subsystem nf_tables_subsys
= {
4970 .name
= "nf_tables",
4971 .subsys_id
= NFNL_SUBSYS_NFTABLES
,
4972 .cb_count
= NFT_MSG_MAX
,
4974 .commit
= nf_tables_commit
,
4975 .abort
= nf_tables_abort
,
4978 int nft_chain_validate_dependency(const struct nft_chain
*chain
,
4979 enum nft_chain_type type
)
4981 const struct nft_base_chain
*basechain
;
4983 if (chain
->flags
& NFT_BASE_CHAIN
) {
4984 basechain
= nft_base_chain(chain
);
4985 if (basechain
->type
->type
!= type
)
4990 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency
);
4992 int nft_chain_validate_hooks(const struct nft_chain
*chain
,
4993 unsigned int hook_flags
)
4995 struct nft_base_chain
*basechain
;
4997 if (chain
->flags
& NFT_BASE_CHAIN
) {
4998 basechain
= nft_base_chain(chain
);
5000 if ((1 << basechain
->ops
[0].hooknum
) & hook_flags
)
5008 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks
);
5011 * Loop detection - walk through the ruleset beginning at the destination chain
5012 * of a new jump until either the source chain is reached (loop) or all
5013 * reachable chains have been traversed.
5015 * The loop check is performed whenever a new jump verdict is added to an
5016 * expression or verdict map or a verdict map is bound to a new chain.
5019 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
5020 const struct nft_chain
*chain
);
5022 static int nf_tables_loop_check_setelem(const struct nft_ctx
*ctx
,
5023 struct nft_set
*set
,
5024 const struct nft_set_iter
*iter
,
5025 struct nft_set_elem
*elem
)
5027 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
5028 const struct nft_data
*data
;
5030 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
5031 *nft_set_ext_flags(ext
) & NFT_SET_ELEM_INTERVAL_END
)
5034 data
= nft_set_ext_data(ext
);
5035 switch (data
->verdict
.code
) {
5038 return nf_tables_check_loops(ctx
, data
->verdict
.chain
);
5044 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
5045 const struct nft_chain
*chain
)
5047 const struct nft_rule
*rule
;
5048 const struct nft_expr
*expr
, *last
;
5049 struct nft_set
*set
;
5050 struct nft_set_binding
*binding
;
5051 struct nft_set_iter iter
;
5053 if (ctx
->chain
== chain
)
5056 list_for_each_entry(rule
, &chain
->rules
, list
) {
5057 nft_rule_for_each_expr(expr
, last
, rule
) {
5058 const struct nft_data
*data
= NULL
;
5061 if (!expr
->ops
->validate
)
5064 err
= expr
->ops
->validate(ctx
, expr
, &data
);
5071 switch (data
->verdict
.code
) {
5074 err
= nf_tables_check_loops(ctx
,
5075 data
->verdict
.chain
);
5084 list_for_each_entry(set
, &ctx
->table
->sets
, list
) {
5085 if (!nft_is_active_next(ctx
->net
, set
))
5087 if (!(set
->flags
& NFT_SET_MAP
) ||
5088 set
->dtype
!= NFT_DATA_VERDICT
)
5091 list_for_each_entry(binding
, &set
->bindings
, list
) {
5092 if (!(binding
->flags
& NFT_SET_MAP
) ||
5093 binding
->chain
!= chain
)
5096 iter
.genmask
= nft_genmask_next(ctx
->net
);
5100 iter
.fn
= nf_tables_loop_check_setelem
;
5102 set
->ops
->walk(ctx
, set
, &iter
);
5112 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
5114 * @attr: netlink attribute to fetch value from
5115 * @max: maximum value to be stored in dest
5116 * @dest: pointer to the variable
5118 * Parse, check and store a given u32 netlink attribute into variable.
5119 * This function returns -ERANGE if the value goes over maximum value.
5120 * Otherwise a 0 is returned and the attribute value is stored in the
5121 * destination variable.
5123 int nft_parse_u32_check(const struct nlattr
*attr
, int max
, u32
*dest
)
5127 val
= ntohl(nla_get_be32(attr
));
5134 EXPORT_SYMBOL_GPL(nft_parse_u32_check
);
5137 * nft_parse_register - parse a register value from a netlink attribute
5139 * @attr: netlink attribute
5141 * Parse and translate a register value from a netlink attribute.
5142 * Registers used to be 128 bit wide, these register numbers will be
5143 * mapped to the corresponding 32 bit register numbers.
5145 unsigned int nft_parse_register(const struct nlattr
*attr
)
5149 reg
= ntohl(nla_get_be32(attr
));
5151 case NFT_REG_VERDICT
...NFT_REG_4
:
5152 return reg
* NFT_REG_SIZE
/ NFT_REG32_SIZE
;
5154 return reg
+ NFT_REG_SIZE
/ NFT_REG32_SIZE
- NFT_REG32_00
;
5157 EXPORT_SYMBOL_GPL(nft_parse_register
);
5160 * nft_dump_register - dump a register value to a netlink attribute
5162 * @skb: socket buffer
5163 * @attr: attribute number
5164 * @reg: register number
5166 * Construct a netlink attribute containing the register number. For
5167 * compatibility reasons, register numbers being a multiple of 4 are
5168 * translated to the corresponding 128 bit register numbers.
5170 int nft_dump_register(struct sk_buff
*skb
, unsigned int attr
, unsigned int reg
)
5172 if (reg
% (NFT_REG_SIZE
/ NFT_REG32_SIZE
) == 0)
5173 reg
= reg
/ (NFT_REG_SIZE
/ NFT_REG32_SIZE
);
5175 reg
= reg
- NFT_REG_SIZE
/ NFT_REG32_SIZE
+ NFT_REG32_00
;
5177 return nla_put_be32(skb
, attr
, htonl(reg
));
5179 EXPORT_SYMBOL_GPL(nft_dump_register
);
5182 * nft_validate_register_load - validate a load from a register
5184 * @reg: the register number
5185 * @len: the length of the data
5187 * Validate that the input register is one of the general purpose
5188 * registers and that the length of the load is within the bounds.
5190 int nft_validate_register_load(enum nft_registers reg
, unsigned int len
)
5192 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
5196 if (reg
* NFT_REG32_SIZE
+ len
> FIELD_SIZEOF(struct nft_regs
, data
))
5201 EXPORT_SYMBOL_GPL(nft_validate_register_load
);
5204 * nft_validate_register_store - validate an expressions' register store
5206 * @ctx: context of the expression performing the load
5207 * @reg: the destination register number
5208 * @data: the data to load
5209 * @type: the data type
5210 * @len: the length of the data
5212 * Validate that a data load uses the appropriate data type for
5213 * the destination register and the length is within the bounds.
5214 * A value of NULL for the data means that its runtime gathered
5217 int nft_validate_register_store(const struct nft_ctx
*ctx
,
5218 enum nft_registers reg
,
5219 const struct nft_data
*data
,
5220 enum nft_data_types type
, unsigned int len
)
5225 case NFT_REG_VERDICT
:
5226 if (type
!= NFT_DATA_VERDICT
)
5230 (data
->verdict
.code
== NFT_GOTO
||
5231 data
->verdict
.code
== NFT_JUMP
)) {
5232 err
= nf_tables_check_loops(ctx
, data
->verdict
.chain
);
5236 if (ctx
->chain
->level
+ 1 >
5237 data
->verdict
.chain
->level
) {
5238 if (ctx
->chain
->level
+ 1 == NFT_JUMP_STACK_SIZE
)
5240 data
->verdict
.chain
->level
= ctx
->chain
->level
+ 1;
5246 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
5250 if (reg
* NFT_REG32_SIZE
+ len
>
5251 FIELD_SIZEOF(struct nft_regs
, data
))
5254 if (data
!= NULL
&& type
!= NFT_DATA_VALUE
)
5259 EXPORT_SYMBOL_GPL(nft_validate_register_store
);
5261 static const struct nla_policy nft_verdict_policy
[NFTA_VERDICT_MAX
+ 1] = {
5262 [NFTA_VERDICT_CODE
] = { .type
= NLA_U32
},
5263 [NFTA_VERDICT_CHAIN
] = { .type
= NLA_STRING
,
5264 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
5267 static int nft_verdict_init(const struct nft_ctx
*ctx
, struct nft_data
*data
,
5268 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
5270 u8 genmask
= nft_genmask_next(ctx
->net
);
5271 struct nlattr
*tb
[NFTA_VERDICT_MAX
+ 1];
5272 struct nft_chain
*chain
;
5275 err
= nla_parse_nested(tb
, NFTA_VERDICT_MAX
, nla
, nft_verdict_policy
);
5279 if (!tb
[NFTA_VERDICT_CODE
])
5281 data
->verdict
.code
= ntohl(nla_get_be32(tb
[NFTA_VERDICT_CODE
]));
5283 switch (data
->verdict
.code
) {
5285 switch (data
->verdict
.code
& NF_VERDICT_MASK
) {
5300 if (!tb
[NFTA_VERDICT_CHAIN
])
5302 chain
= nf_tables_chain_lookup(ctx
->table
,
5303 tb
[NFTA_VERDICT_CHAIN
], genmask
);
5305 return PTR_ERR(chain
);
5306 if (chain
->flags
& NFT_BASE_CHAIN
)
5310 data
->verdict
.chain
= chain
;
5314 desc
->len
= sizeof(data
->verdict
);
5315 desc
->type
= NFT_DATA_VERDICT
;
5319 static void nft_verdict_uninit(const struct nft_data
*data
)
5321 switch (data
->verdict
.code
) {
5324 data
->verdict
.chain
->use
--;
5329 int nft_verdict_dump(struct sk_buff
*skb
, int type
, const struct nft_verdict
*v
)
5331 struct nlattr
*nest
;
5333 nest
= nla_nest_start(skb
, type
);
5335 goto nla_put_failure
;
5337 if (nla_put_be32(skb
, NFTA_VERDICT_CODE
, htonl(v
->code
)))
5338 goto nla_put_failure
;
5343 if (nla_put_string(skb
, NFTA_VERDICT_CHAIN
,
5345 goto nla_put_failure
;
5347 nla_nest_end(skb
, nest
);
5354 static int nft_value_init(const struct nft_ctx
*ctx
,
5355 struct nft_data
*data
, unsigned int size
,
5356 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
5366 nla_memcpy(data
->data
, nla
, len
);
5367 desc
->type
= NFT_DATA_VALUE
;
5372 static int nft_value_dump(struct sk_buff
*skb
, const struct nft_data
*data
,
5375 return nla_put(skb
, NFTA_DATA_VALUE
, len
, data
->data
);
5378 static const struct nla_policy nft_data_policy
[NFTA_DATA_MAX
+ 1] = {
5379 [NFTA_DATA_VALUE
] = { .type
= NLA_BINARY
},
5380 [NFTA_DATA_VERDICT
] = { .type
= NLA_NESTED
},
5384 * nft_data_init - parse nf_tables data netlink attributes
5386 * @ctx: context of the expression using the data
5387 * @data: destination struct nft_data
5388 * @size: maximum data length
5389 * @desc: data description
5390 * @nla: netlink attribute containing data
5392 * Parse the netlink data attributes and initialize a struct nft_data.
5393 * The type and length of data are returned in the data description.
5395 * The caller can indicate that it only wants to accept data of type
5396 * NFT_DATA_VALUE by passing NULL for the ctx argument.
5398 int nft_data_init(const struct nft_ctx
*ctx
,
5399 struct nft_data
*data
, unsigned int size
,
5400 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
5402 struct nlattr
*tb
[NFTA_DATA_MAX
+ 1];
5405 err
= nla_parse_nested(tb
, NFTA_DATA_MAX
, nla
, nft_data_policy
);
5409 if (tb
[NFTA_DATA_VALUE
])
5410 return nft_value_init(ctx
, data
, size
, desc
,
5411 tb
[NFTA_DATA_VALUE
]);
5412 if (tb
[NFTA_DATA_VERDICT
] && ctx
!= NULL
)
5413 return nft_verdict_init(ctx
, data
, desc
, tb
[NFTA_DATA_VERDICT
]);
5416 EXPORT_SYMBOL_GPL(nft_data_init
);
5419 * nft_data_uninit - release a nft_data item
5421 * @data: struct nft_data to release
5422 * @type: type of data
5424 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5425 * all others need to be released by calling this function.
5427 void nft_data_uninit(const struct nft_data
*data
, enum nft_data_types type
)
5429 if (type
< NFT_DATA_VERDICT
)
5432 case NFT_DATA_VERDICT
:
5433 return nft_verdict_uninit(data
);
5438 EXPORT_SYMBOL_GPL(nft_data_uninit
);
5440 int nft_data_dump(struct sk_buff
*skb
, int attr
, const struct nft_data
*data
,
5441 enum nft_data_types type
, unsigned int len
)
5443 struct nlattr
*nest
;
5446 nest
= nla_nest_start(skb
, attr
);
5451 case NFT_DATA_VALUE
:
5452 err
= nft_value_dump(skb
, data
, len
);
5454 case NFT_DATA_VERDICT
:
5455 err
= nft_verdict_dump(skb
, NFTA_DATA_VERDICT
, &data
->verdict
);
5462 nla_nest_end(skb
, nest
);
5465 EXPORT_SYMBOL_GPL(nft_data_dump
);
5467 static int __net_init
nf_tables_init_net(struct net
*net
)
5469 INIT_LIST_HEAD(&net
->nft
.af_info
);
5470 INIT_LIST_HEAD(&net
->nft
.commit_list
);
5471 net
->nft
.base_seq
= 1;
5475 int __nft_release_basechain(struct nft_ctx
*ctx
)
5477 struct nft_rule
*rule
, *nr
;
5479 BUG_ON(!(ctx
->chain
->flags
& NFT_BASE_CHAIN
));
5481 nf_tables_unregister_hooks(ctx
->net
, ctx
->chain
->table
, ctx
->chain
,
5483 list_for_each_entry_safe(rule
, nr
, &ctx
->chain
->rules
, list
) {
5484 list_del(&rule
->list
);
5486 nf_tables_rule_destroy(ctx
, rule
);
5488 list_del(&ctx
->chain
->list
);
5490 nf_tables_chain_destroy(ctx
->chain
);
5494 EXPORT_SYMBOL_GPL(__nft_release_basechain
);
5496 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
5497 static void __nft_release_afinfo(struct net
*net
, struct nft_af_info
*afi
)
5499 struct nft_table
*table
, *nt
;
5500 struct nft_chain
*chain
, *nc
;
5501 struct nft_object
*obj
, *ne
;
5502 struct nft_rule
*rule
, *nr
;
5503 struct nft_set
*set
, *ns
;
5504 struct nft_ctx ctx
= {
5509 list_for_each_entry_safe(table
, nt
, &afi
->tables
, list
) {
5510 list_for_each_entry(chain
, &table
->chains
, list
)
5511 nf_tables_unregister_hooks(net
, table
, chain
,
5513 /* No packets are walking on these chains anymore. */
5515 list_for_each_entry(chain
, &table
->chains
, list
) {
5517 list_for_each_entry_safe(rule
, nr
, &chain
->rules
, list
) {
5518 list_del(&rule
->list
);
5520 nf_tables_rule_destroy(&ctx
, rule
);
5523 list_for_each_entry_safe(set
, ns
, &table
->sets
, list
) {
5524 list_del(&set
->list
);
5526 nft_set_destroy(set
);
5528 list_for_each_entry_safe(obj
, ne
, &table
->objects
, list
) {
5529 list_del(&obj
->list
);
5531 nft_obj_destroy(obj
);
5533 list_for_each_entry_safe(chain
, nc
, &table
->chains
, list
) {
5534 list_del(&chain
->list
);
5536 nf_tables_chain_destroy(chain
);
5538 list_del(&table
->list
);
5539 nf_tables_table_destroy(&ctx
);
5543 static struct pernet_operations nf_tables_net_ops
= {
5544 .init
= nf_tables_init_net
,
5547 static int __init
nf_tables_module_init(void)
5551 info
= kmalloc(sizeof(struct nft_expr_info
) * NFT_RULE_MAXEXPRS
,
5558 err
= nf_tables_core_module_init();
5562 err
= nfnetlink_subsys_register(&nf_tables_subsys
);
5566 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
5567 return register_pernet_subsys(&nf_tables_net_ops
);
5569 nf_tables_core_module_exit();
5576 static void __exit
nf_tables_module_exit(void)
5578 unregister_pernet_subsys(&nf_tables_net_ops
);
5579 nfnetlink_subsys_unregister(&nf_tables_subsys
);
5581 nf_tables_core_module_exit();
5585 module_init(nf_tables_module_init
);
5586 module_exit(nf_tables_module_exit
);
5588 MODULE_LICENSE("GPL");
5589 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
5590 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES
);