2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions
);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net
*net
, struct nft_af_info
*afi
)
36 INIT_LIST_HEAD(&afi
->tables
);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
38 list_add_tail_rcu(&afi
->list
, &net
->nft
.af_info
);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo
);
44 static void __nft_release_afinfo(struct net
*net
, struct nft_af_info
*afi
);
47 * nft_unregister_afinfo - unregister nf_tables address family info
49 * @afi: address family info to unregister
51 * Unregister the address family for use with nf_tables.
53 void nft_unregister_afinfo(struct net
*net
, struct nft_af_info
*afi
)
55 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
56 __nft_release_afinfo(net
, afi
);
57 list_del_rcu(&afi
->list
);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
60 EXPORT_SYMBOL_GPL(nft_unregister_afinfo
);
62 static struct nft_af_info
*nft_afinfo_lookup(struct net
*net
, int family
)
64 struct nft_af_info
*afi
;
66 list_for_each_entry(afi
, &net
->nft
.af_info
, list
) {
67 if (afi
->family
== family
)
73 static struct nft_af_info
*
74 nf_tables_afinfo_lookup(struct net
*net
, int family
, bool autoload
)
76 struct nft_af_info
*afi
;
78 afi
= nft_afinfo_lookup(net
, family
);
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
84 request_module("nft-afinfo-%u", family
);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
86 afi
= nft_afinfo_lookup(net
, family
);
88 return ERR_PTR(-EAGAIN
);
91 return ERR_PTR(-EAFNOSUPPORT
);
94 static void nft_ctx_init(struct nft_ctx
*ctx
,
96 const struct sk_buff
*skb
,
97 const struct nlmsghdr
*nlh
,
98 struct nft_af_info
*afi
,
99 struct nft_table
*table
,
100 struct nft_chain
*chain
,
101 const struct nlattr
* const *nla
)
108 ctx
->portid
= NETLINK_CB(skb
).portid
;
109 ctx
->report
= nlmsg_report(nlh
);
110 ctx
->seq
= nlh
->nlmsg_seq
;
113 static struct nft_trans
*nft_trans_alloc(struct nft_ctx
*ctx
, int msg_type
,
116 struct nft_trans
*trans
;
118 trans
= kzalloc(sizeof(struct nft_trans
) + size
, GFP_KERNEL
);
122 trans
->msg_type
= msg_type
;
128 static void nft_trans_destroy(struct nft_trans
*trans
)
130 list_del(&trans
->list
);
134 static int nf_tables_register_hooks(struct net
*net
,
135 const struct nft_table
*table
,
136 struct nft_chain
*chain
,
137 unsigned int hook_nops
)
139 if (table
->flags
& NFT_TABLE_F_DORMANT
||
140 !(chain
->flags
& NFT_BASE_CHAIN
))
143 return nf_register_net_hooks(net
, nft_base_chain(chain
)->ops
,
147 static void nf_tables_unregister_hooks(struct net
*net
,
148 const struct nft_table
*table
,
149 struct nft_chain
*chain
,
150 unsigned int hook_nops
)
152 if (table
->flags
& NFT_TABLE_F_DORMANT
||
153 !(chain
->flags
& NFT_BASE_CHAIN
))
156 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
, hook_nops
);
159 static int nft_trans_table_add(struct nft_ctx
*ctx
, int msg_type
)
161 struct nft_trans
*trans
;
163 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_table
));
167 if (msg_type
== NFT_MSG_NEWTABLE
)
168 nft_activate_next(ctx
->net
, ctx
->table
);
170 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
174 static int nft_deltable(struct nft_ctx
*ctx
)
178 err
= nft_trans_table_add(ctx
, NFT_MSG_DELTABLE
);
182 nft_deactivate_next(ctx
->net
, ctx
->table
);
186 static int nft_trans_chain_add(struct nft_ctx
*ctx
, int msg_type
)
188 struct nft_trans
*trans
;
190 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_chain
));
194 if (msg_type
== NFT_MSG_NEWCHAIN
)
195 nft_activate_next(ctx
->net
, ctx
->chain
);
197 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
201 static int nft_delchain(struct nft_ctx
*ctx
)
205 err
= nft_trans_chain_add(ctx
, NFT_MSG_DELCHAIN
);
210 nft_deactivate_next(ctx
->net
, ctx
->chain
);
216 nf_tables_delrule_deactivate(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
218 /* You cannot delete the same rule twice */
219 if (nft_is_active_next(ctx
->net
, rule
)) {
220 nft_deactivate_next(ctx
->net
, rule
);
227 static struct nft_trans
*nft_trans_rule_add(struct nft_ctx
*ctx
, int msg_type
,
228 struct nft_rule
*rule
)
230 struct nft_trans
*trans
;
232 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_rule
));
236 nft_trans_rule(trans
) = rule
;
237 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
242 static int nft_delrule(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
244 struct nft_trans
*trans
;
247 trans
= nft_trans_rule_add(ctx
, NFT_MSG_DELRULE
, rule
);
251 err
= nf_tables_delrule_deactivate(ctx
, rule
);
253 nft_trans_destroy(trans
);
260 static int nft_delrule_by_chain(struct nft_ctx
*ctx
)
262 struct nft_rule
*rule
;
265 list_for_each_entry(rule
, &ctx
->chain
->rules
, list
) {
266 err
= nft_delrule(ctx
, rule
);
273 static int nft_trans_set_add(struct nft_ctx
*ctx
, int msg_type
,
276 struct nft_trans
*trans
;
278 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_set
));
282 if (msg_type
== NFT_MSG_NEWSET
&& ctx
->nla
[NFTA_SET_ID
] != NULL
) {
283 nft_trans_set_id(trans
) =
284 ntohl(nla_get_be32(ctx
->nla
[NFTA_SET_ID
]));
285 nft_activate_next(ctx
->net
, set
);
287 nft_trans_set(trans
) = set
;
288 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
293 static int nft_delset(struct nft_ctx
*ctx
, struct nft_set
*set
)
297 err
= nft_trans_set_add(ctx
, NFT_MSG_DELSET
, set
);
301 nft_deactivate_next(ctx
->net
, set
);
311 static struct nft_table
*nft_table_lookup(const struct nft_af_info
*afi
,
312 const struct nlattr
*nla
,
315 struct nft_table
*table
;
317 list_for_each_entry(table
, &afi
->tables
, list
) {
318 if (!nla_strcmp(nla
, table
->name
) &&
319 nft_active_genmask(table
, genmask
))
325 static struct nft_table
*nf_tables_table_lookup(const struct nft_af_info
*afi
,
326 const struct nlattr
*nla
,
329 struct nft_table
*table
;
332 return ERR_PTR(-EINVAL
);
334 table
= nft_table_lookup(afi
, nla
, genmask
);
338 return ERR_PTR(-ENOENT
);
341 static inline u64
nf_tables_alloc_handle(struct nft_table
*table
)
343 return ++table
->hgenerator
;
346 static const struct nf_chain_type
*chain_type
[AF_MAX
][NFT_CHAIN_T_MAX
];
348 static const struct nf_chain_type
*
349 __nf_tables_chain_type_lookup(int family
, const struct nlattr
*nla
)
353 for (i
= 0; i
< NFT_CHAIN_T_MAX
; i
++) {
354 if (chain_type
[family
][i
] != NULL
&&
355 !nla_strcmp(nla
, chain_type
[family
][i
]->name
))
356 return chain_type
[family
][i
];
361 static const struct nf_chain_type
*
362 nf_tables_chain_type_lookup(const struct nft_af_info
*afi
,
363 const struct nlattr
*nla
,
366 const struct nf_chain_type
*type
;
368 type
= __nf_tables_chain_type_lookup(afi
->family
, nla
);
371 #ifdef CONFIG_MODULES
373 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
374 request_module("nft-chain-%u-%.*s", afi
->family
,
375 nla_len(nla
), (const char *)nla_data(nla
));
376 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
377 type
= __nf_tables_chain_type_lookup(afi
->family
, nla
);
379 return ERR_PTR(-EAGAIN
);
382 return ERR_PTR(-ENOENT
);
385 static const struct nla_policy nft_table_policy
[NFTA_TABLE_MAX
+ 1] = {
386 [NFTA_TABLE_NAME
] = { .type
= NLA_STRING
,
387 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
388 [NFTA_TABLE_FLAGS
] = { .type
= NLA_U32
},
391 static int nf_tables_fill_table_info(struct sk_buff
*skb
, struct net
*net
,
392 u32 portid
, u32 seq
, int event
, u32 flags
,
393 int family
, const struct nft_table
*table
)
395 struct nlmsghdr
*nlh
;
396 struct nfgenmsg
*nfmsg
;
398 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
399 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
401 goto nla_put_failure
;
403 nfmsg
= nlmsg_data(nlh
);
404 nfmsg
->nfgen_family
= family
;
405 nfmsg
->version
= NFNETLINK_V0
;
406 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
408 if (nla_put_string(skb
, NFTA_TABLE_NAME
, table
->name
) ||
409 nla_put_be32(skb
, NFTA_TABLE_FLAGS
, htonl(table
->flags
)) ||
410 nla_put_be32(skb
, NFTA_TABLE_USE
, htonl(table
->use
)))
411 goto nla_put_failure
;
417 nlmsg_trim(skb
, nlh
);
421 static int nf_tables_table_notify(const struct nft_ctx
*ctx
, int event
)
427 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
431 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
435 err
= nf_tables_fill_table_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
436 event
, 0, ctx
->afi
->family
, ctx
->table
);
442 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
443 ctx
->report
, GFP_KERNEL
);
446 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
452 static int nf_tables_dump_tables(struct sk_buff
*skb
,
453 struct netlink_callback
*cb
)
455 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
456 const struct nft_af_info
*afi
;
457 const struct nft_table
*table
;
458 unsigned int idx
= 0, s_idx
= cb
->args
[0];
459 struct net
*net
= sock_net(skb
->sk
);
460 int family
= nfmsg
->nfgen_family
;
463 cb
->seq
= net
->nft
.base_seq
;
465 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
466 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
469 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
473 memset(&cb
->args
[1], 0,
474 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
475 if (!nft_is_active(net
, table
))
477 if (nf_tables_fill_table_info(skb
, net
,
478 NETLINK_CB(cb
->skb
).portid
,
482 afi
->family
, table
) < 0)
485 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
496 static int nf_tables_gettable(struct net
*net
, struct sock
*nlsk
,
497 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
498 const struct nlattr
* const nla
[])
500 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
501 u8 genmask
= nft_genmask_cur(net
);
502 const struct nft_af_info
*afi
;
503 const struct nft_table
*table
;
504 struct sk_buff
*skb2
;
505 int family
= nfmsg
->nfgen_family
;
508 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
509 struct netlink_dump_control c
= {
510 .dump
= nf_tables_dump_tables
,
512 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
515 afi
= nf_tables_afinfo_lookup(net
, family
, false);
519 table
= nf_tables_table_lookup(afi
, nla
[NFTA_TABLE_NAME
], genmask
);
521 return PTR_ERR(table
);
523 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
527 err
= nf_tables_fill_table_info(skb2
, net
, NETLINK_CB(skb
).portid
,
528 nlh
->nlmsg_seq
, NFT_MSG_NEWTABLE
, 0,
533 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
540 static int nf_tables_table_enable(struct net
*net
,
541 const struct nft_af_info
*afi
,
542 struct nft_table
*table
)
544 struct nft_chain
*chain
;
547 list_for_each_entry(chain
, &table
->chains
, list
) {
548 if (!nft_is_active_next(net
, chain
))
550 if (!(chain
->flags
& NFT_BASE_CHAIN
))
553 err
= nf_register_net_hooks(net
, nft_base_chain(chain
)->ops
,
562 list_for_each_entry(chain
, &table
->chains
, list
) {
563 if (!nft_is_active_next(net
, chain
))
565 if (!(chain
->flags
& NFT_BASE_CHAIN
))
571 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
,
577 static void nf_tables_table_disable(struct net
*net
,
578 const struct nft_af_info
*afi
,
579 struct nft_table
*table
)
581 struct nft_chain
*chain
;
583 list_for_each_entry(chain
, &table
->chains
, list
) {
584 if (!nft_is_active_next(net
, chain
))
586 if (!(chain
->flags
& NFT_BASE_CHAIN
))
589 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
,
594 static int nf_tables_updtable(struct nft_ctx
*ctx
)
596 struct nft_trans
*trans
;
600 if (!ctx
->nla
[NFTA_TABLE_FLAGS
])
603 flags
= ntohl(nla_get_be32(ctx
->nla
[NFTA_TABLE_FLAGS
]));
604 if (flags
& ~NFT_TABLE_F_DORMANT
)
607 if (flags
== ctx
->table
->flags
)
610 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWTABLE
,
611 sizeof(struct nft_trans_table
));
615 if ((flags
& NFT_TABLE_F_DORMANT
) &&
616 !(ctx
->table
->flags
& NFT_TABLE_F_DORMANT
)) {
617 nft_trans_table_enable(trans
) = false;
618 } else if (!(flags
& NFT_TABLE_F_DORMANT
) &&
619 ctx
->table
->flags
& NFT_TABLE_F_DORMANT
) {
620 ret
= nf_tables_table_enable(ctx
->net
, ctx
->afi
, ctx
->table
);
622 ctx
->table
->flags
&= ~NFT_TABLE_F_DORMANT
;
623 nft_trans_table_enable(trans
) = true;
629 nft_trans_table_update(trans
) = true;
630 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
633 nft_trans_destroy(trans
);
637 static int nf_tables_newtable(struct net
*net
, struct sock
*nlsk
,
638 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
639 const struct nlattr
* const nla
[])
641 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
642 u8 genmask
= nft_genmask_next(net
);
643 const struct nlattr
*name
;
644 struct nft_af_info
*afi
;
645 struct nft_table
*table
;
646 int family
= nfmsg
->nfgen_family
;
651 afi
= nf_tables_afinfo_lookup(net
, family
, true);
655 name
= nla
[NFTA_TABLE_NAME
];
656 table
= nf_tables_table_lookup(afi
, name
, genmask
);
658 if (PTR_ERR(table
) != -ENOENT
)
659 return PTR_ERR(table
);
664 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
666 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
669 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
670 return nf_tables_updtable(&ctx
);
673 if (nla
[NFTA_TABLE_FLAGS
]) {
674 flags
= ntohl(nla_get_be32(nla
[NFTA_TABLE_FLAGS
]));
675 if (flags
& ~NFT_TABLE_F_DORMANT
)
680 if (!try_module_get(afi
->owner
))
684 table
= kzalloc(sizeof(*table
), GFP_KERNEL
);
688 nla_strlcpy(table
->name
, name
, NFT_TABLE_MAXNAMELEN
);
689 INIT_LIST_HEAD(&table
->chains
);
690 INIT_LIST_HEAD(&table
->sets
);
691 table
->flags
= flags
;
693 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
694 err
= nft_trans_table_add(&ctx
, NFT_MSG_NEWTABLE
);
698 list_add_tail_rcu(&table
->list
, &afi
->tables
);
703 module_put(afi
->owner
);
708 static int nft_flush_table(struct nft_ctx
*ctx
)
711 struct nft_chain
*chain
, *nc
;
712 struct nft_set
*set
, *ns
;
714 list_for_each_entry(chain
, &ctx
->table
->chains
, list
) {
715 if (!nft_is_active_next(ctx
->net
, chain
))
720 err
= nft_delrule_by_chain(ctx
);
725 list_for_each_entry_safe(set
, ns
, &ctx
->table
->sets
, list
) {
726 if (!nft_is_active_next(ctx
->net
, set
))
729 if (set
->flags
& NFT_SET_ANONYMOUS
&&
730 !list_empty(&set
->bindings
))
733 err
= nft_delset(ctx
, set
);
738 list_for_each_entry_safe(chain
, nc
, &ctx
->table
->chains
, list
) {
739 if (!nft_is_active_next(ctx
->net
, chain
))
744 err
= nft_delchain(ctx
);
749 err
= nft_deltable(ctx
);
754 static int nft_flush(struct nft_ctx
*ctx
, int family
)
756 struct nft_af_info
*afi
;
757 struct nft_table
*table
, *nt
;
758 const struct nlattr
* const *nla
= ctx
->nla
;
761 list_for_each_entry(afi
, &ctx
->net
->nft
.af_info
, list
) {
762 if (family
!= AF_UNSPEC
&& afi
->family
!= family
)
766 list_for_each_entry_safe(table
, nt
, &afi
->tables
, list
) {
767 if (!nft_is_active_next(ctx
->net
, table
))
770 if (nla
[NFTA_TABLE_NAME
] &&
771 nla_strcmp(nla
[NFTA_TABLE_NAME
], table
->name
) != 0)
776 err
= nft_flush_table(ctx
);
785 static int nf_tables_deltable(struct net
*net
, struct sock
*nlsk
,
786 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
787 const struct nlattr
* const nla
[])
789 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
790 u8 genmask
= nft_genmask_next(net
);
791 struct nft_af_info
*afi
;
792 struct nft_table
*table
;
793 int family
= nfmsg
->nfgen_family
;
796 nft_ctx_init(&ctx
, net
, skb
, nlh
, NULL
, NULL
, NULL
, nla
);
797 if (family
== AF_UNSPEC
|| nla
[NFTA_TABLE_NAME
] == NULL
)
798 return nft_flush(&ctx
, family
);
800 afi
= nf_tables_afinfo_lookup(net
, family
, false);
804 table
= nf_tables_table_lookup(afi
, nla
[NFTA_TABLE_NAME
], genmask
);
806 return PTR_ERR(table
);
811 return nft_flush_table(&ctx
);
814 static void nf_tables_table_destroy(struct nft_ctx
*ctx
)
816 BUG_ON(ctx
->table
->use
> 0);
819 module_put(ctx
->afi
->owner
);
822 int nft_register_chain_type(const struct nf_chain_type
*ctype
)
826 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
827 if (chain_type
[ctype
->family
][ctype
->type
] != NULL
) {
831 chain_type
[ctype
->family
][ctype
->type
] = ctype
;
833 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
836 EXPORT_SYMBOL_GPL(nft_register_chain_type
);
838 void nft_unregister_chain_type(const struct nf_chain_type
*ctype
)
840 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
841 chain_type
[ctype
->family
][ctype
->type
] = NULL
;
842 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
844 EXPORT_SYMBOL_GPL(nft_unregister_chain_type
);
850 static struct nft_chain
*
851 nf_tables_chain_lookup_byhandle(const struct nft_table
*table
, u64 handle
,
854 struct nft_chain
*chain
;
856 list_for_each_entry(chain
, &table
->chains
, list
) {
857 if (chain
->handle
== handle
&&
858 nft_active_genmask(chain
, genmask
))
862 return ERR_PTR(-ENOENT
);
865 static struct nft_chain
*nf_tables_chain_lookup(const struct nft_table
*table
,
866 const struct nlattr
*nla
,
869 struct nft_chain
*chain
;
872 return ERR_PTR(-EINVAL
);
874 list_for_each_entry(chain
, &table
->chains
, list
) {
875 if (!nla_strcmp(nla
, chain
->name
) &&
876 nft_active_genmask(chain
, genmask
))
880 return ERR_PTR(-ENOENT
);
883 static const struct nla_policy nft_chain_policy
[NFTA_CHAIN_MAX
+ 1] = {
884 [NFTA_CHAIN_TABLE
] = { .type
= NLA_STRING
},
885 [NFTA_CHAIN_HANDLE
] = { .type
= NLA_U64
},
886 [NFTA_CHAIN_NAME
] = { .type
= NLA_STRING
,
887 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
888 [NFTA_CHAIN_HOOK
] = { .type
= NLA_NESTED
},
889 [NFTA_CHAIN_POLICY
] = { .type
= NLA_U32
},
890 [NFTA_CHAIN_TYPE
] = { .type
= NLA_STRING
},
891 [NFTA_CHAIN_COUNTERS
] = { .type
= NLA_NESTED
},
894 static const struct nla_policy nft_hook_policy
[NFTA_HOOK_MAX
+ 1] = {
895 [NFTA_HOOK_HOOKNUM
] = { .type
= NLA_U32
},
896 [NFTA_HOOK_PRIORITY
] = { .type
= NLA_U32
},
897 [NFTA_HOOK_DEV
] = { .type
= NLA_STRING
,
898 .len
= IFNAMSIZ
- 1 },
901 static int nft_dump_stats(struct sk_buff
*skb
, struct nft_stats __percpu
*stats
)
903 struct nft_stats
*cpu_stats
, total
;
909 memset(&total
, 0, sizeof(total
));
910 for_each_possible_cpu(cpu
) {
911 cpu_stats
= per_cpu_ptr(stats
, cpu
);
913 seq
= u64_stats_fetch_begin_irq(&cpu_stats
->syncp
);
914 pkts
= cpu_stats
->pkts
;
915 bytes
= cpu_stats
->bytes
;
916 } while (u64_stats_fetch_retry_irq(&cpu_stats
->syncp
, seq
));
918 total
.bytes
+= bytes
;
920 nest
= nla_nest_start(skb
, NFTA_CHAIN_COUNTERS
);
922 goto nla_put_failure
;
924 if (nla_put_be64(skb
, NFTA_COUNTER_PACKETS
, cpu_to_be64(total
.pkts
),
926 nla_put_be64(skb
, NFTA_COUNTER_BYTES
, cpu_to_be64(total
.bytes
),
928 goto nla_put_failure
;
930 nla_nest_end(skb
, nest
);
937 static int nf_tables_fill_chain_info(struct sk_buff
*skb
, struct net
*net
,
938 u32 portid
, u32 seq
, int event
, u32 flags
,
939 int family
, const struct nft_table
*table
,
940 const struct nft_chain
*chain
)
942 struct nlmsghdr
*nlh
;
943 struct nfgenmsg
*nfmsg
;
945 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
946 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
948 goto nla_put_failure
;
950 nfmsg
= nlmsg_data(nlh
);
951 nfmsg
->nfgen_family
= family
;
952 nfmsg
->version
= NFNETLINK_V0
;
953 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
955 if (nla_put_string(skb
, NFTA_CHAIN_TABLE
, table
->name
))
956 goto nla_put_failure
;
957 if (nla_put_be64(skb
, NFTA_CHAIN_HANDLE
, cpu_to_be64(chain
->handle
),
959 goto nla_put_failure
;
960 if (nla_put_string(skb
, NFTA_CHAIN_NAME
, chain
->name
))
961 goto nla_put_failure
;
963 if (chain
->flags
& NFT_BASE_CHAIN
) {
964 const struct nft_base_chain
*basechain
= nft_base_chain(chain
);
965 const struct nf_hook_ops
*ops
= &basechain
->ops
[0];
968 nest
= nla_nest_start(skb
, NFTA_CHAIN_HOOK
);
970 goto nla_put_failure
;
971 if (nla_put_be32(skb
, NFTA_HOOK_HOOKNUM
, htonl(ops
->hooknum
)))
972 goto nla_put_failure
;
973 if (nla_put_be32(skb
, NFTA_HOOK_PRIORITY
, htonl(ops
->priority
)))
974 goto nla_put_failure
;
975 if (basechain
->dev_name
[0] &&
976 nla_put_string(skb
, NFTA_HOOK_DEV
, basechain
->dev_name
))
977 goto nla_put_failure
;
978 nla_nest_end(skb
, nest
);
980 if (nla_put_be32(skb
, NFTA_CHAIN_POLICY
,
981 htonl(basechain
->policy
)))
982 goto nla_put_failure
;
984 if (nla_put_string(skb
, NFTA_CHAIN_TYPE
, basechain
->type
->name
))
985 goto nla_put_failure
;
987 if (nft_dump_stats(skb
, nft_base_chain(chain
)->stats
))
988 goto nla_put_failure
;
991 if (nla_put_be32(skb
, NFTA_CHAIN_USE
, htonl(chain
->use
)))
992 goto nla_put_failure
;
998 nlmsg_trim(skb
, nlh
);
1002 static int nf_tables_chain_notify(const struct nft_ctx
*ctx
, int event
)
1004 struct sk_buff
*skb
;
1008 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1012 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1016 err
= nf_tables_fill_chain_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1017 event
, 0, ctx
->afi
->family
, ctx
->table
,
1024 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1025 ctx
->report
, GFP_KERNEL
);
1028 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1034 static int nf_tables_dump_chains(struct sk_buff
*skb
,
1035 struct netlink_callback
*cb
)
1037 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1038 const struct nft_af_info
*afi
;
1039 const struct nft_table
*table
;
1040 const struct nft_chain
*chain
;
1041 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1042 struct net
*net
= sock_net(skb
->sk
);
1043 int family
= nfmsg
->nfgen_family
;
1046 cb
->seq
= net
->nft
.base_seq
;
1048 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
1049 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
1052 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
1053 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1057 memset(&cb
->args
[1], 0,
1058 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1059 if (!nft_is_active(net
, chain
))
1061 if (nf_tables_fill_chain_info(skb
, net
,
1062 NETLINK_CB(cb
->skb
).portid
,
1066 afi
->family
, table
, chain
) < 0)
1069 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
1081 static int nf_tables_getchain(struct net
*net
, struct sock
*nlsk
,
1082 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1083 const struct nlattr
* const nla
[])
1085 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1086 u8 genmask
= nft_genmask_cur(net
);
1087 const struct nft_af_info
*afi
;
1088 const struct nft_table
*table
;
1089 const struct nft_chain
*chain
;
1090 struct sk_buff
*skb2
;
1091 int family
= nfmsg
->nfgen_family
;
1094 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1095 struct netlink_dump_control c
= {
1096 .dump
= nf_tables_dump_chains
,
1098 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
1101 afi
= nf_tables_afinfo_lookup(net
, family
, false);
1103 return PTR_ERR(afi
);
1105 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1107 return PTR_ERR(table
);
1109 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1111 return PTR_ERR(chain
);
1113 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
1117 err
= nf_tables_fill_chain_info(skb2
, net
, NETLINK_CB(skb
).portid
,
1118 nlh
->nlmsg_seq
, NFT_MSG_NEWCHAIN
, 0,
1119 family
, table
, chain
);
1123 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
1130 static const struct nla_policy nft_counter_policy
[NFTA_COUNTER_MAX
+ 1] = {
1131 [NFTA_COUNTER_PACKETS
] = { .type
= NLA_U64
},
1132 [NFTA_COUNTER_BYTES
] = { .type
= NLA_U64
},
1135 static struct nft_stats __percpu
*nft_stats_alloc(const struct nlattr
*attr
)
1137 struct nlattr
*tb
[NFTA_COUNTER_MAX
+1];
1138 struct nft_stats __percpu
*newstats
;
1139 struct nft_stats
*stats
;
1142 err
= nla_parse_nested(tb
, NFTA_COUNTER_MAX
, attr
, nft_counter_policy
);
1144 return ERR_PTR(err
);
1146 if (!tb
[NFTA_COUNTER_BYTES
] || !tb
[NFTA_COUNTER_PACKETS
])
1147 return ERR_PTR(-EINVAL
);
1149 newstats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1150 if (newstats
== NULL
)
1151 return ERR_PTR(-ENOMEM
);
1153 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1154 * are not exposed to userspace.
1157 stats
= this_cpu_ptr(newstats
);
1158 stats
->bytes
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_BYTES
]));
1159 stats
->pkts
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_PACKETS
]));
1165 static void nft_chain_stats_replace(struct nft_base_chain
*chain
,
1166 struct nft_stats __percpu
*newstats
)
1168 if (newstats
== NULL
)
1172 struct nft_stats __percpu
*oldstats
=
1173 nft_dereference(chain
->stats
);
1175 rcu_assign_pointer(chain
->stats
, newstats
);
1177 free_percpu(oldstats
);
1179 rcu_assign_pointer(chain
->stats
, newstats
);
1182 static void nf_tables_chain_destroy(struct nft_chain
*chain
)
1184 BUG_ON(chain
->use
> 0);
1186 if (chain
->flags
& NFT_BASE_CHAIN
) {
1187 struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1189 module_put(basechain
->type
->owner
);
1190 free_percpu(basechain
->stats
);
1191 if (basechain
->ops
[0].dev
!= NULL
)
1192 dev_put(basechain
->ops
[0].dev
);
1199 struct nft_chain_hook
{
1202 const struct nf_chain_type
*type
;
1203 struct net_device
*dev
;
1206 static int nft_chain_parse_hook(struct net
*net
,
1207 const struct nlattr
* const nla
[],
1208 struct nft_af_info
*afi
,
1209 struct nft_chain_hook
*hook
, bool create
)
1211 struct nlattr
*ha
[NFTA_HOOK_MAX
+ 1];
1212 const struct nf_chain_type
*type
;
1213 struct net_device
*dev
;
1216 err
= nla_parse_nested(ha
, NFTA_HOOK_MAX
, nla
[NFTA_CHAIN_HOOK
],
1221 if (ha
[NFTA_HOOK_HOOKNUM
] == NULL
||
1222 ha
[NFTA_HOOK_PRIORITY
] == NULL
)
1225 hook
->num
= ntohl(nla_get_be32(ha
[NFTA_HOOK_HOOKNUM
]));
1226 if (hook
->num
>= afi
->nhooks
)
1229 hook
->priority
= ntohl(nla_get_be32(ha
[NFTA_HOOK_PRIORITY
]));
1231 type
= chain_type
[afi
->family
][NFT_CHAIN_T_DEFAULT
];
1232 if (nla
[NFTA_CHAIN_TYPE
]) {
1233 type
= nf_tables_chain_type_lookup(afi
, nla
[NFTA_CHAIN_TYPE
],
1236 return PTR_ERR(type
);
1238 if (!(type
->hook_mask
& (1 << hook
->num
)))
1240 if (!try_module_get(type
->owner
))
1246 if (afi
->flags
& NFT_AF_NEEDS_DEV
) {
1247 char ifname
[IFNAMSIZ
];
1249 if (!ha
[NFTA_HOOK_DEV
]) {
1250 module_put(type
->owner
);
1254 nla_strlcpy(ifname
, ha
[NFTA_HOOK_DEV
], IFNAMSIZ
);
1255 dev
= dev_get_by_name(net
, ifname
);
1257 module_put(type
->owner
);
1261 } else if (ha
[NFTA_HOOK_DEV
]) {
1262 module_put(type
->owner
);
1269 static void nft_chain_release_hook(struct nft_chain_hook
*hook
)
1271 module_put(hook
->type
->owner
);
1272 if (hook
->dev
!= NULL
)
1276 static int nf_tables_newchain(struct net
*net
, struct sock
*nlsk
,
1277 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1278 const struct nlattr
* const nla
[])
1280 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1281 const struct nlattr
* uninitialized_var(name
);
1282 struct nft_af_info
*afi
;
1283 struct nft_table
*table
;
1284 struct nft_chain
*chain
;
1285 struct nft_base_chain
*basechain
= NULL
;
1286 u8 genmask
= nft_genmask_next(net
);
1287 int family
= nfmsg
->nfgen_family
;
1288 u8 policy
= NF_ACCEPT
;
1291 struct nft_stats __percpu
*stats
;
1296 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
1298 afi
= nf_tables_afinfo_lookup(net
, family
, true);
1300 return PTR_ERR(afi
);
1302 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1304 return PTR_ERR(table
);
1307 name
= nla
[NFTA_CHAIN_NAME
];
1309 if (nla
[NFTA_CHAIN_HANDLE
]) {
1310 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_CHAIN_HANDLE
]));
1311 chain
= nf_tables_chain_lookup_byhandle(table
, handle
, genmask
);
1313 return PTR_ERR(chain
);
1315 chain
= nf_tables_chain_lookup(table
, name
, genmask
);
1316 if (IS_ERR(chain
)) {
1317 if (PTR_ERR(chain
) != -ENOENT
)
1318 return PTR_ERR(chain
);
1323 if (nla
[NFTA_CHAIN_POLICY
]) {
1324 if ((chain
!= NULL
&&
1325 !(chain
->flags
& NFT_BASE_CHAIN
)))
1328 if (chain
== NULL
&&
1329 nla
[NFTA_CHAIN_HOOK
] == NULL
)
1332 policy
= ntohl(nla_get_be32(nla
[NFTA_CHAIN_POLICY
]));
1342 if (chain
!= NULL
) {
1343 struct nft_stats
*stats
= NULL
;
1344 struct nft_trans
*trans
;
1346 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
1348 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
1351 if (nla
[NFTA_CHAIN_HOOK
]) {
1352 struct nft_base_chain
*basechain
;
1353 struct nft_chain_hook hook
;
1354 struct nf_hook_ops
*ops
;
1356 if (!(chain
->flags
& NFT_BASE_CHAIN
))
1359 err
= nft_chain_parse_hook(net
, nla
, afi
, &hook
,
1364 basechain
= nft_base_chain(chain
);
1365 if (basechain
->type
!= hook
.type
) {
1366 nft_chain_release_hook(&hook
);
1370 for (i
= 0; i
< afi
->nops
; i
++) {
1371 ops
= &basechain
->ops
[i
];
1372 if (ops
->hooknum
!= hook
.num
||
1373 ops
->priority
!= hook
.priority
||
1374 ops
->dev
!= hook
.dev
) {
1375 nft_chain_release_hook(&hook
);
1379 nft_chain_release_hook(&hook
);
1382 if (nla
[NFTA_CHAIN_HANDLE
] && name
) {
1383 struct nft_chain
*chain2
;
1385 chain2
= nf_tables_chain_lookup(table
,
1386 nla
[NFTA_CHAIN_NAME
],
1389 return PTR_ERR(chain2
);
1392 if (nla
[NFTA_CHAIN_COUNTERS
]) {
1393 if (!(chain
->flags
& NFT_BASE_CHAIN
))
1396 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
1398 return PTR_ERR(stats
);
1401 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1402 trans
= nft_trans_alloc(&ctx
, NFT_MSG_NEWCHAIN
,
1403 sizeof(struct nft_trans_chain
));
1404 if (trans
== NULL
) {
1409 nft_trans_chain_stats(trans
) = stats
;
1410 nft_trans_chain_update(trans
) = true;
1412 if (nla
[NFTA_CHAIN_POLICY
])
1413 nft_trans_chain_policy(trans
) = policy
;
1415 nft_trans_chain_policy(trans
) = -1;
1417 if (nla
[NFTA_CHAIN_HANDLE
] && name
) {
1418 nla_strlcpy(nft_trans_chain_name(trans
), name
,
1419 NFT_CHAIN_MAXNAMELEN
);
1421 list_add_tail(&trans
->list
, &net
->nft
.commit_list
);
1425 if (table
->use
== UINT_MAX
)
1428 if (nla
[NFTA_CHAIN_HOOK
]) {
1429 struct nft_chain_hook hook
;
1430 struct nf_hook_ops
*ops
;
1433 err
= nft_chain_parse_hook(net
, nla
, afi
, &hook
, create
);
1437 basechain
= kzalloc(sizeof(*basechain
), GFP_KERNEL
);
1438 if (basechain
== NULL
) {
1439 nft_chain_release_hook(&hook
);
1443 if (hook
.dev
!= NULL
)
1444 strncpy(basechain
->dev_name
, hook
.dev
->name
, IFNAMSIZ
);
1446 if (nla
[NFTA_CHAIN_COUNTERS
]) {
1447 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
1448 if (IS_ERR(stats
)) {
1449 nft_chain_release_hook(&hook
);
1451 return PTR_ERR(stats
);
1453 basechain
->stats
= stats
;
1455 stats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1456 if (stats
== NULL
) {
1457 nft_chain_release_hook(&hook
);
1461 rcu_assign_pointer(basechain
->stats
, stats
);
1464 hookfn
= hook
.type
->hooks
[hook
.num
];
1465 basechain
->type
= hook
.type
;
1466 chain
= &basechain
->chain
;
1468 for (i
= 0; i
< afi
->nops
; i
++) {
1469 ops
= &basechain
->ops
[i
];
1471 ops
->hooknum
= hook
.num
;
1472 ops
->priority
= hook
.priority
;
1474 ops
->hook
= afi
->hooks
[ops
->hooknum
];
1475 ops
->dev
= hook
.dev
;
1478 if (afi
->hook_ops_init
)
1479 afi
->hook_ops_init(ops
, i
);
1482 chain
->flags
|= NFT_BASE_CHAIN
;
1483 basechain
->policy
= policy
;
1485 chain
= kzalloc(sizeof(*chain
), GFP_KERNEL
);
1490 INIT_LIST_HEAD(&chain
->rules
);
1491 chain
->handle
= nf_tables_alloc_handle(table
);
1492 chain
->table
= table
;
1493 nla_strlcpy(chain
->name
, name
, NFT_CHAIN_MAXNAMELEN
);
1495 err
= nf_tables_register_hooks(net
, table
, chain
, afi
->nops
);
1499 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1500 err
= nft_trans_chain_add(&ctx
, NFT_MSG_NEWCHAIN
);
1505 list_add_tail_rcu(&chain
->list
, &table
->chains
);
1508 nf_tables_unregister_hooks(net
, table
, chain
, afi
->nops
);
1510 nf_tables_chain_destroy(chain
);
1514 static int nf_tables_delchain(struct net
*net
, struct sock
*nlsk
,
1515 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1516 const struct nlattr
* const nla
[])
1518 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1519 u8 genmask
= nft_genmask_next(net
);
1520 struct nft_af_info
*afi
;
1521 struct nft_table
*table
;
1522 struct nft_chain
*chain
;
1523 int family
= nfmsg
->nfgen_family
;
1526 afi
= nf_tables_afinfo_lookup(net
, family
, false);
1528 return PTR_ERR(afi
);
1530 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1532 return PTR_ERR(table
);
1534 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1536 return PTR_ERR(chain
);
1540 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1542 return nft_delchain(&ctx
);
1550 * nft_register_expr - register nf_tables expr type
1553 * Registers the expr type for use with nf_tables. Returns zero on
1554 * success or a negative errno code otherwise.
1556 int nft_register_expr(struct nft_expr_type
*type
)
1558 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1559 if (type
->family
== NFPROTO_UNSPEC
)
1560 list_add_tail_rcu(&type
->list
, &nf_tables_expressions
);
1562 list_add_rcu(&type
->list
, &nf_tables_expressions
);
1563 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1566 EXPORT_SYMBOL_GPL(nft_register_expr
);
1569 * nft_unregister_expr - unregister nf_tables expr type
1572 * Unregisters the expr typefor use with nf_tables.
1574 void nft_unregister_expr(struct nft_expr_type
*type
)
1576 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1577 list_del_rcu(&type
->list
);
1578 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1580 EXPORT_SYMBOL_GPL(nft_unregister_expr
);
1582 static const struct nft_expr_type
*__nft_expr_type_get(u8 family
,
1585 const struct nft_expr_type
*type
;
1587 list_for_each_entry(type
, &nf_tables_expressions
, list
) {
1588 if (!nla_strcmp(nla
, type
->name
) &&
1589 (!type
->family
|| type
->family
== family
))
1595 static const struct nft_expr_type
*nft_expr_type_get(u8 family
,
1598 const struct nft_expr_type
*type
;
1601 return ERR_PTR(-EINVAL
);
1603 type
= __nft_expr_type_get(family
, nla
);
1604 if (type
!= NULL
&& try_module_get(type
->owner
))
1607 #ifdef CONFIG_MODULES
1609 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1610 request_module("nft-expr-%u-%.*s", family
,
1611 nla_len(nla
), (char *)nla_data(nla
));
1612 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1613 if (__nft_expr_type_get(family
, nla
))
1614 return ERR_PTR(-EAGAIN
);
1616 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1617 request_module("nft-expr-%.*s",
1618 nla_len(nla
), (char *)nla_data(nla
));
1619 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1620 if (__nft_expr_type_get(family
, nla
))
1621 return ERR_PTR(-EAGAIN
);
1624 return ERR_PTR(-ENOENT
);
1627 static const struct nla_policy nft_expr_policy
[NFTA_EXPR_MAX
+ 1] = {
1628 [NFTA_EXPR_NAME
] = { .type
= NLA_STRING
},
1629 [NFTA_EXPR_DATA
] = { .type
= NLA_NESTED
},
1632 static int nf_tables_fill_expr_info(struct sk_buff
*skb
,
1633 const struct nft_expr
*expr
)
1635 if (nla_put_string(skb
, NFTA_EXPR_NAME
, expr
->ops
->type
->name
))
1636 goto nla_put_failure
;
1638 if (expr
->ops
->dump
) {
1639 struct nlattr
*data
= nla_nest_start(skb
, NFTA_EXPR_DATA
);
1641 goto nla_put_failure
;
1642 if (expr
->ops
->dump(skb
, expr
) < 0)
1643 goto nla_put_failure
;
1644 nla_nest_end(skb
, data
);
1653 int nft_expr_dump(struct sk_buff
*skb
, unsigned int attr
,
1654 const struct nft_expr
*expr
)
1656 struct nlattr
*nest
;
1658 nest
= nla_nest_start(skb
, attr
);
1660 goto nla_put_failure
;
1661 if (nf_tables_fill_expr_info(skb
, expr
) < 0)
1662 goto nla_put_failure
;
1663 nla_nest_end(skb
, nest
);
1670 struct nft_expr_info
{
1671 const struct nft_expr_ops
*ops
;
1672 struct nlattr
*tb
[NFT_EXPR_MAXATTR
+ 1];
1675 static int nf_tables_expr_parse(const struct nft_ctx
*ctx
,
1676 const struct nlattr
*nla
,
1677 struct nft_expr_info
*info
)
1679 const struct nft_expr_type
*type
;
1680 const struct nft_expr_ops
*ops
;
1681 struct nlattr
*tb
[NFTA_EXPR_MAX
+ 1];
1684 err
= nla_parse_nested(tb
, NFTA_EXPR_MAX
, nla
, nft_expr_policy
);
1688 type
= nft_expr_type_get(ctx
->afi
->family
, tb
[NFTA_EXPR_NAME
]);
1690 return PTR_ERR(type
);
1692 if (tb
[NFTA_EXPR_DATA
]) {
1693 err
= nla_parse_nested(info
->tb
, type
->maxattr
,
1694 tb
[NFTA_EXPR_DATA
], type
->policy
);
1698 memset(info
->tb
, 0, sizeof(info
->tb
[0]) * (type
->maxattr
+ 1));
1700 if (type
->select_ops
!= NULL
) {
1701 ops
= type
->select_ops(ctx
,
1702 (const struct nlattr
* const *)info
->tb
);
1714 module_put(type
->owner
);
1718 static int nf_tables_newexpr(const struct nft_ctx
*ctx
,
1719 const struct nft_expr_info
*info
,
1720 struct nft_expr
*expr
)
1722 const struct nft_expr_ops
*ops
= info
->ops
;
1727 err
= ops
->init(ctx
, expr
, (const struct nlattr
**)info
->tb
);
1739 static void nf_tables_expr_destroy(const struct nft_ctx
*ctx
,
1740 struct nft_expr
*expr
)
1742 if (expr
->ops
->destroy
)
1743 expr
->ops
->destroy(ctx
, expr
);
1744 module_put(expr
->ops
->type
->owner
);
1747 struct nft_expr
*nft_expr_init(const struct nft_ctx
*ctx
,
1748 const struct nlattr
*nla
)
1750 struct nft_expr_info info
;
1751 struct nft_expr
*expr
;
1754 err
= nf_tables_expr_parse(ctx
, nla
, &info
);
1759 expr
= kzalloc(info
.ops
->size
, GFP_KERNEL
);
1763 err
= nf_tables_newexpr(ctx
, &info
, expr
);
1771 module_put(info
.ops
->type
->owner
);
1773 return ERR_PTR(err
);
1776 void nft_expr_destroy(const struct nft_ctx
*ctx
, struct nft_expr
*expr
)
1778 nf_tables_expr_destroy(ctx
, expr
);
1786 static struct nft_rule
*__nf_tables_rule_lookup(const struct nft_chain
*chain
,
1789 struct nft_rule
*rule
;
1791 // FIXME: this sucks
1792 list_for_each_entry(rule
, &chain
->rules
, list
) {
1793 if (handle
== rule
->handle
)
1797 return ERR_PTR(-ENOENT
);
1800 static struct nft_rule
*nf_tables_rule_lookup(const struct nft_chain
*chain
,
1801 const struct nlattr
*nla
)
1804 return ERR_PTR(-EINVAL
);
1806 return __nf_tables_rule_lookup(chain
, be64_to_cpu(nla_get_be64(nla
)));
1809 static const struct nla_policy nft_rule_policy
[NFTA_RULE_MAX
+ 1] = {
1810 [NFTA_RULE_TABLE
] = { .type
= NLA_STRING
},
1811 [NFTA_RULE_CHAIN
] = { .type
= NLA_STRING
,
1812 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
1813 [NFTA_RULE_HANDLE
] = { .type
= NLA_U64
},
1814 [NFTA_RULE_EXPRESSIONS
] = { .type
= NLA_NESTED
},
1815 [NFTA_RULE_COMPAT
] = { .type
= NLA_NESTED
},
1816 [NFTA_RULE_POSITION
] = { .type
= NLA_U64
},
1817 [NFTA_RULE_USERDATA
] = { .type
= NLA_BINARY
,
1818 .len
= NFT_USERDATA_MAXLEN
},
1821 static int nf_tables_fill_rule_info(struct sk_buff
*skb
, struct net
*net
,
1822 u32 portid
, u32 seq
, int event
,
1823 u32 flags
, int family
,
1824 const struct nft_table
*table
,
1825 const struct nft_chain
*chain
,
1826 const struct nft_rule
*rule
)
1828 struct nlmsghdr
*nlh
;
1829 struct nfgenmsg
*nfmsg
;
1830 const struct nft_expr
*expr
, *next
;
1831 struct nlattr
*list
;
1832 const struct nft_rule
*prule
;
1833 int type
= event
| NFNL_SUBSYS_NFTABLES
<< 8;
1835 nlh
= nlmsg_put(skb
, portid
, seq
, type
, sizeof(struct nfgenmsg
),
1838 goto nla_put_failure
;
1840 nfmsg
= nlmsg_data(nlh
);
1841 nfmsg
->nfgen_family
= family
;
1842 nfmsg
->version
= NFNETLINK_V0
;
1843 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
1845 if (nla_put_string(skb
, NFTA_RULE_TABLE
, table
->name
))
1846 goto nla_put_failure
;
1847 if (nla_put_string(skb
, NFTA_RULE_CHAIN
, chain
->name
))
1848 goto nla_put_failure
;
1849 if (nla_put_be64(skb
, NFTA_RULE_HANDLE
, cpu_to_be64(rule
->handle
),
1851 goto nla_put_failure
;
1853 if ((event
!= NFT_MSG_DELRULE
) && (rule
->list
.prev
!= &chain
->rules
)) {
1854 prule
= list_entry(rule
->list
.prev
, struct nft_rule
, list
);
1855 if (nla_put_be64(skb
, NFTA_RULE_POSITION
,
1856 cpu_to_be64(prule
->handle
),
1858 goto nla_put_failure
;
1861 list
= nla_nest_start(skb
, NFTA_RULE_EXPRESSIONS
);
1863 goto nla_put_failure
;
1864 nft_rule_for_each_expr(expr
, next
, rule
) {
1865 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
, expr
) < 0)
1866 goto nla_put_failure
;
1868 nla_nest_end(skb
, list
);
1871 struct nft_userdata
*udata
= nft_userdata(rule
);
1872 if (nla_put(skb
, NFTA_RULE_USERDATA
, udata
->len
+ 1,
1874 goto nla_put_failure
;
1877 nlmsg_end(skb
, nlh
);
1881 nlmsg_trim(skb
, nlh
);
1885 static int nf_tables_rule_notify(const struct nft_ctx
*ctx
,
1886 const struct nft_rule
*rule
,
1889 struct sk_buff
*skb
;
1893 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1897 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1901 err
= nf_tables_fill_rule_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1902 event
, 0, ctx
->afi
->family
, ctx
->table
,
1909 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1910 ctx
->report
, GFP_KERNEL
);
1913 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1919 struct nft_rule_dump_ctx
{
1920 char table
[NFT_TABLE_MAXNAMELEN
];
1921 char chain
[NFT_CHAIN_MAXNAMELEN
];
1924 static int nf_tables_dump_rules(struct sk_buff
*skb
,
1925 struct netlink_callback
*cb
)
1927 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1928 const struct nft_rule_dump_ctx
*ctx
= cb
->data
;
1929 const struct nft_af_info
*afi
;
1930 const struct nft_table
*table
;
1931 const struct nft_chain
*chain
;
1932 const struct nft_rule
*rule
;
1933 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1934 struct net
*net
= sock_net(skb
->sk
);
1935 int family
= nfmsg
->nfgen_family
;
1938 cb
->seq
= net
->nft
.base_seq
;
1940 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
1941 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
1944 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
1945 if (ctx
&& ctx
->table
[0] &&
1946 strcmp(ctx
->table
, table
->name
) != 0)
1949 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1950 if (ctx
&& ctx
->chain
[0] &&
1951 strcmp(ctx
->chain
, chain
->name
) != 0)
1954 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
1955 if (!nft_is_active(net
, rule
))
1960 memset(&cb
->args
[1], 0,
1961 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1962 if (nf_tables_fill_rule_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
1965 NLM_F_MULTI
| NLM_F_APPEND
,
1966 afi
->family
, table
, chain
, rule
) < 0)
1969 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
1983 static int nf_tables_dump_rules_done(struct netlink_callback
*cb
)
1989 static int nf_tables_getrule(struct net
*net
, struct sock
*nlsk
,
1990 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1991 const struct nlattr
* const nla
[])
1993 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1994 u8 genmask
= nft_genmask_cur(net
);
1995 const struct nft_af_info
*afi
;
1996 const struct nft_table
*table
;
1997 const struct nft_chain
*chain
;
1998 const struct nft_rule
*rule
;
1999 struct sk_buff
*skb2
;
2000 int family
= nfmsg
->nfgen_family
;
2003 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
2004 struct netlink_dump_control c
= {
2005 .dump
= nf_tables_dump_rules
,
2006 .done
= nf_tables_dump_rules_done
,
2009 if (nla
[NFTA_RULE_TABLE
] || nla
[NFTA_RULE_CHAIN
]) {
2010 struct nft_rule_dump_ctx
*ctx
;
2012 ctx
= kzalloc(sizeof(*ctx
), GFP_KERNEL
);
2016 if (nla
[NFTA_RULE_TABLE
])
2017 nla_strlcpy(ctx
->table
, nla
[NFTA_RULE_TABLE
],
2018 sizeof(ctx
->table
));
2019 if (nla
[NFTA_RULE_CHAIN
])
2020 nla_strlcpy(ctx
->chain
, nla
[NFTA_RULE_CHAIN
],
2021 sizeof(ctx
->chain
));
2025 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
2028 afi
= nf_tables_afinfo_lookup(net
, family
, false);
2030 return PTR_ERR(afi
);
2032 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2034 return PTR_ERR(table
);
2036 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
], genmask
);
2038 return PTR_ERR(chain
);
2040 rule
= nf_tables_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
2042 return PTR_ERR(rule
);
2044 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
2048 err
= nf_tables_fill_rule_info(skb2
, net
, NETLINK_CB(skb
).portid
,
2049 nlh
->nlmsg_seq
, NFT_MSG_NEWRULE
, 0,
2050 family
, table
, chain
, rule
);
2054 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
2061 static void nf_tables_rule_destroy(const struct nft_ctx
*ctx
,
2062 struct nft_rule
*rule
)
2064 struct nft_expr
*expr
;
2067 * Careful: some expressions might not be initialized in case this
2068 * is called on error from nf_tables_newrule().
2070 expr
= nft_expr_first(rule
);
2071 while (expr
->ops
&& expr
!= nft_expr_last(rule
)) {
2072 nf_tables_expr_destroy(ctx
, expr
);
2073 expr
= nft_expr_next(expr
);
2078 #define NFT_RULE_MAXEXPRS 128
2080 static struct nft_expr_info
*info
;
2082 static int nf_tables_newrule(struct net
*net
, struct sock
*nlsk
,
2083 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2084 const struct nlattr
* const nla
[])
2086 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2087 u8 genmask
= nft_genmask_next(net
);
2088 struct nft_af_info
*afi
;
2089 struct nft_table
*table
;
2090 struct nft_chain
*chain
;
2091 struct nft_rule
*rule
, *old_rule
= NULL
;
2092 struct nft_userdata
*udata
;
2093 struct nft_trans
*trans
= NULL
;
2094 struct nft_expr
*expr
;
2097 unsigned int size
, i
, n
, ulen
= 0, usize
= 0;
2100 u64 handle
, pos_handle
;
2102 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
2104 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, create
);
2106 return PTR_ERR(afi
);
2108 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2110 return PTR_ERR(table
);
2112 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
], genmask
);
2114 return PTR_ERR(chain
);
2116 if (nla
[NFTA_RULE_HANDLE
]) {
2117 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_HANDLE
]));
2118 rule
= __nf_tables_rule_lookup(chain
, handle
);
2120 return PTR_ERR(rule
);
2122 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
2124 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2129 if (!create
|| nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2131 handle
= nf_tables_alloc_handle(table
);
2133 if (chain
->use
== UINT_MAX
)
2137 if (nla
[NFTA_RULE_POSITION
]) {
2138 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
2141 pos_handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_POSITION
]));
2142 old_rule
= __nf_tables_rule_lookup(chain
, pos_handle
);
2143 if (IS_ERR(old_rule
))
2144 return PTR_ERR(old_rule
);
2147 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
2151 if (nla
[NFTA_RULE_EXPRESSIONS
]) {
2152 nla_for_each_nested(tmp
, nla
[NFTA_RULE_EXPRESSIONS
], rem
) {
2154 if (nla_type(tmp
) != NFTA_LIST_ELEM
)
2156 if (n
== NFT_RULE_MAXEXPRS
)
2158 err
= nf_tables_expr_parse(&ctx
, tmp
, &info
[n
]);
2161 size
+= info
[n
].ops
->size
;
2165 /* Check for overflow of dlen field */
2167 if (size
>= 1 << 12)
2170 if (nla
[NFTA_RULE_USERDATA
]) {
2171 ulen
= nla_len(nla
[NFTA_RULE_USERDATA
]);
2173 usize
= sizeof(struct nft_userdata
) + ulen
;
2177 rule
= kzalloc(sizeof(*rule
) + size
+ usize
, GFP_KERNEL
);
2181 nft_activate_next(net
, rule
);
2183 rule
->handle
= handle
;
2185 rule
->udata
= ulen
? 1 : 0;
2188 udata
= nft_userdata(rule
);
2189 udata
->len
= ulen
- 1;
2190 nla_memcpy(udata
->data
, nla
[NFTA_RULE_USERDATA
], ulen
);
2193 expr
= nft_expr_first(rule
);
2194 for (i
= 0; i
< n
; i
++) {
2195 err
= nf_tables_newexpr(&ctx
, &info
[i
], expr
);
2199 expr
= nft_expr_next(expr
);
2202 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
) {
2203 if (nft_is_active_next(net
, old_rule
)) {
2204 trans
= nft_trans_rule_add(&ctx
, NFT_MSG_DELRULE
,
2206 if (trans
== NULL
) {
2210 nft_deactivate_next(net
, old_rule
);
2212 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
2217 } else if (nlh
->nlmsg_flags
& NLM_F_APPEND
)
2219 list_add_rcu(&rule
->list
, &old_rule
->list
);
2221 list_add_tail_rcu(&rule
->list
, &chain
->rules
);
2224 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
2226 list_add_rcu(&rule
->list
, &chain
->rules
);
2229 if (nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
) == NULL
) {
2237 list_del_rcu(&rule
->list
);
2239 nf_tables_rule_destroy(&ctx
, rule
);
2241 for (i
= 0; i
< n
; i
++) {
2242 if (info
[i
].ops
!= NULL
)
2243 module_put(info
[i
].ops
->type
->owner
);
2248 static int nf_tables_delrule(struct net
*net
, struct sock
*nlsk
,
2249 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2250 const struct nlattr
* const nla
[])
2252 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2253 u8 genmask
= nft_genmask_next(net
);
2254 struct nft_af_info
*afi
;
2255 struct nft_table
*table
;
2256 struct nft_chain
*chain
= NULL
;
2257 struct nft_rule
*rule
;
2258 int family
= nfmsg
->nfgen_family
, err
= 0;
2261 afi
= nf_tables_afinfo_lookup(net
, family
, false);
2263 return PTR_ERR(afi
);
2265 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2267 return PTR_ERR(table
);
2269 if (nla
[NFTA_RULE_CHAIN
]) {
2270 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
],
2273 return PTR_ERR(chain
);
2276 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
2279 if (nla
[NFTA_RULE_HANDLE
]) {
2280 rule
= nf_tables_rule_lookup(chain
,
2281 nla
[NFTA_RULE_HANDLE
]);
2283 return PTR_ERR(rule
);
2285 err
= nft_delrule(&ctx
, rule
);
2287 err
= nft_delrule_by_chain(&ctx
);
2290 list_for_each_entry(chain
, &table
->chains
, list
) {
2291 if (!nft_is_active_next(net
, chain
))
2295 err
= nft_delrule_by_chain(&ctx
);
2308 static LIST_HEAD(nf_tables_set_ops
);
2310 int nft_register_set(struct nft_set_ops
*ops
)
2312 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2313 list_add_tail_rcu(&ops
->list
, &nf_tables_set_ops
);
2314 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2317 EXPORT_SYMBOL_GPL(nft_register_set
);
2319 void nft_unregister_set(struct nft_set_ops
*ops
)
2321 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2322 list_del_rcu(&ops
->list
);
2323 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2325 EXPORT_SYMBOL_GPL(nft_unregister_set
);
2328 * Select a set implementation based on the data characteristics and the
2329 * given policy. The total memory use might not be known if no size is
2330 * given, in that case the amount of memory per element is used.
2332 static const struct nft_set_ops
*
2333 nft_select_set_ops(const struct nlattr
* const nla
[],
2334 const struct nft_set_desc
*desc
,
2335 enum nft_set_policies policy
)
2337 const struct nft_set_ops
*ops
, *bops
;
2338 struct nft_set_estimate est
, best
;
2341 #ifdef CONFIG_MODULES
2342 if (list_empty(&nf_tables_set_ops
)) {
2343 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2344 request_module("nft-set");
2345 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2346 if (!list_empty(&nf_tables_set_ops
))
2347 return ERR_PTR(-EAGAIN
);
2351 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
2352 features
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
2353 features
&= NFT_SET_INTERVAL
| NFT_SET_MAP
| NFT_SET_TIMEOUT
;
2360 list_for_each_entry(ops
, &nf_tables_set_ops
, list
) {
2361 if ((ops
->features
& features
) != features
)
2363 if (!ops
->estimate(desc
, features
, &est
))
2367 case NFT_SET_POL_PERFORMANCE
:
2368 if (est
.class < best
.class)
2370 if (est
.class == best
.class && est
.size
< best
.size
)
2373 case NFT_SET_POL_MEMORY
:
2374 if (est
.size
< best
.size
)
2376 if (est
.size
== best
.size
&& est
.class < best
.class)
2383 if (!try_module_get(ops
->owner
))
2386 module_put(bops
->owner
);
2395 return ERR_PTR(-EOPNOTSUPP
);
2398 static const struct nla_policy nft_set_policy
[NFTA_SET_MAX
+ 1] = {
2399 [NFTA_SET_TABLE
] = { .type
= NLA_STRING
},
2400 [NFTA_SET_NAME
] = { .type
= NLA_STRING
,
2401 .len
= NFT_SET_MAXNAMELEN
- 1 },
2402 [NFTA_SET_FLAGS
] = { .type
= NLA_U32
},
2403 [NFTA_SET_KEY_TYPE
] = { .type
= NLA_U32
},
2404 [NFTA_SET_KEY_LEN
] = { .type
= NLA_U32
},
2405 [NFTA_SET_DATA_TYPE
] = { .type
= NLA_U32
},
2406 [NFTA_SET_DATA_LEN
] = { .type
= NLA_U32
},
2407 [NFTA_SET_POLICY
] = { .type
= NLA_U32
},
2408 [NFTA_SET_DESC
] = { .type
= NLA_NESTED
},
2409 [NFTA_SET_ID
] = { .type
= NLA_U32
},
2410 [NFTA_SET_TIMEOUT
] = { .type
= NLA_U64
},
2411 [NFTA_SET_GC_INTERVAL
] = { .type
= NLA_U32
},
2412 [NFTA_SET_USERDATA
] = { .type
= NLA_BINARY
,
2413 .len
= NFT_USERDATA_MAXLEN
},
2416 static const struct nla_policy nft_set_desc_policy
[NFTA_SET_DESC_MAX
+ 1] = {
2417 [NFTA_SET_DESC_SIZE
] = { .type
= NLA_U32
},
2420 static int nft_ctx_init_from_setattr(struct nft_ctx
*ctx
, struct net
*net
,
2421 const struct sk_buff
*skb
,
2422 const struct nlmsghdr
*nlh
,
2423 const struct nlattr
* const nla
[],
2426 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2427 struct nft_af_info
*afi
= NULL
;
2428 struct nft_table
*table
= NULL
;
2430 if (nfmsg
->nfgen_family
!= NFPROTO_UNSPEC
) {
2431 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, false);
2433 return PTR_ERR(afi
);
2436 if (nla
[NFTA_SET_TABLE
] != NULL
) {
2438 return -EAFNOSUPPORT
;
2440 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_TABLE
],
2443 return PTR_ERR(table
);
2446 nft_ctx_init(ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
2450 struct nft_set
*nf_tables_set_lookup(const struct nft_table
*table
,
2451 const struct nlattr
*nla
, u8 genmask
)
2453 struct nft_set
*set
;
2456 return ERR_PTR(-EINVAL
);
2458 list_for_each_entry(set
, &table
->sets
, list
) {
2459 if (!nla_strcmp(nla
, set
->name
) &&
2460 nft_active_genmask(set
, genmask
))
2463 return ERR_PTR(-ENOENT
);
2466 struct nft_set
*nf_tables_set_lookup_byid(const struct net
*net
,
2467 const struct nlattr
*nla
,
2470 struct nft_trans
*trans
;
2471 u32 id
= ntohl(nla_get_be32(nla
));
2473 list_for_each_entry(trans
, &net
->nft
.commit_list
, list
) {
2474 struct nft_set
*set
= nft_trans_set(trans
);
2476 if (trans
->msg_type
== NFT_MSG_NEWSET
&&
2477 id
== nft_trans_set_id(trans
) &&
2478 nft_active_genmask(set
, genmask
))
2481 return ERR_PTR(-ENOENT
);
2484 static int nf_tables_set_alloc_name(struct nft_ctx
*ctx
, struct nft_set
*set
,
2487 const struct nft_set
*i
;
2489 unsigned long *inuse
;
2490 unsigned int n
= 0, min
= 0;
2492 p
= strnchr(name
, NFT_SET_MAXNAMELEN
, '%');
2494 if (p
[1] != 'd' || strchr(p
+ 2, '%'))
2497 inuse
= (unsigned long *)get_zeroed_page(GFP_KERNEL
);
2501 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
2504 if (!nft_is_active_next(ctx
->net
, set
))
2506 if (!sscanf(i
->name
, name
, &tmp
))
2508 if (tmp
< min
|| tmp
>= min
+ BITS_PER_BYTE
* PAGE_SIZE
)
2511 set_bit(tmp
- min
, inuse
);
2514 n
= find_first_zero_bit(inuse
, BITS_PER_BYTE
* PAGE_SIZE
);
2515 if (n
>= BITS_PER_BYTE
* PAGE_SIZE
) {
2516 min
+= BITS_PER_BYTE
* PAGE_SIZE
;
2517 memset(inuse
, 0, PAGE_SIZE
);
2520 free_page((unsigned long)inuse
);
2523 snprintf(set
->name
, sizeof(set
->name
), name
, min
+ n
);
2524 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
2525 if (!nft_is_active_next(ctx
->net
, i
))
2527 if (!strcmp(set
->name
, i
->name
))
2533 static int nf_tables_fill_set(struct sk_buff
*skb
, const struct nft_ctx
*ctx
,
2534 const struct nft_set
*set
, u16 event
, u16 flags
)
2536 struct nfgenmsg
*nfmsg
;
2537 struct nlmsghdr
*nlh
;
2538 struct nlattr
*desc
;
2539 u32 portid
= ctx
->portid
;
2542 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
2543 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
2546 goto nla_put_failure
;
2548 nfmsg
= nlmsg_data(nlh
);
2549 nfmsg
->nfgen_family
= ctx
->afi
->family
;
2550 nfmsg
->version
= NFNETLINK_V0
;
2551 nfmsg
->res_id
= htons(ctx
->net
->nft
.base_seq
& 0xffff);
2553 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
2554 goto nla_put_failure
;
2555 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
2556 goto nla_put_failure
;
2557 if (set
->flags
!= 0)
2558 if (nla_put_be32(skb
, NFTA_SET_FLAGS
, htonl(set
->flags
)))
2559 goto nla_put_failure
;
2561 if (nla_put_be32(skb
, NFTA_SET_KEY_TYPE
, htonl(set
->ktype
)))
2562 goto nla_put_failure
;
2563 if (nla_put_be32(skb
, NFTA_SET_KEY_LEN
, htonl(set
->klen
)))
2564 goto nla_put_failure
;
2565 if (set
->flags
& NFT_SET_MAP
) {
2566 if (nla_put_be32(skb
, NFTA_SET_DATA_TYPE
, htonl(set
->dtype
)))
2567 goto nla_put_failure
;
2568 if (nla_put_be32(skb
, NFTA_SET_DATA_LEN
, htonl(set
->dlen
)))
2569 goto nla_put_failure
;
2573 nla_put_be64(skb
, NFTA_SET_TIMEOUT
, cpu_to_be64(set
->timeout
),
2575 goto nla_put_failure
;
2577 nla_put_be32(skb
, NFTA_SET_GC_INTERVAL
, htonl(set
->gc_int
)))
2578 goto nla_put_failure
;
2580 if (set
->policy
!= NFT_SET_POL_PERFORMANCE
) {
2581 if (nla_put_be32(skb
, NFTA_SET_POLICY
, htonl(set
->policy
)))
2582 goto nla_put_failure
;
2585 if (nla_put(skb
, NFTA_SET_USERDATA
, set
->udlen
, set
->udata
))
2586 goto nla_put_failure
;
2588 desc
= nla_nest_start(skb
, NFTA_SET_DESC
);
2590 goto nla_put_failure
;
2592 nla_put_be32(skb
, NFTA_SET_DESC_SIZE
, htonl(set
->size
)))
2593 goto nla_put_failure
;
2594 nla_nest_end(skb
, desc
);
2596 nlmsg_end(skb
, nlh
);
2600 nlmsg_trim(skb
, nlh
);
2604 static int nf_tables_set_notify(const struct nft_ctx
*ctx
,
2605 const struct nft_set
*set
,
2606 int event
, gfp_t gfp_flags
)
2608 struct sk_buff
*skb
;
2609 u32 portid
= ctx
->portid
;
2613 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
2617 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp_flags
);
2621 err
= nf_tables_fill_set(skb
, ctx
, set
, event
, 0);
2627 err
= nfnetlink_send(skb
, ctx
->net
, portid
, NFNLGRP_NFTABLES
,
2628 ctx
->report
, gfp_flags
);
2631 nfnetlink_set_err(ctx
->net
, portid
, NFNLGRP_NFTABLES
, err
);
2635 static int nf_tables_dump_sets(struct sk_buff
*skb
, struct netlink_callback
*cb
)
2637 const struct nft_set
*set
;
2638 unsigned int idx
, s_idx
= cb
->args
[0];
2639 struct nft_af_info
*afi
;
2640 struct nft_table
*table
, *cur_table
= (struct nft_table
*)cb
->args
[2];
2641 struct net
*net
= sock_net(skb
->sk
);
2642 int cur_family
= cb
->args
[3];
2643 struct nft_ctx
*ctx
= cb
->data
, ctx_set
;
2649 cb
->seq
= net
->nft
.base_seq
;
2651 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
2652 if (ctx
->afi
&& ctx
->afi
!= afi
)
2656 if (afi
->family
!= cur_family
)
2661 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
2662 if (ctx
->table
&& ctx
->table
!= table
)
2666 if (cur_table
!= table
)
2672 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
2675 if (!nft_is_active(net
, set
))
2679 ctx_set
.table
= table
;
2681 if (nf_tables_fill_set(skb
, &ctx_set
, set
,
2685 cb
->args
[2] = (unsigned long) table
;
2686 cb
->args
[3] = afi
->family
;
2689 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
2703 static int nf_tables_dump_sets_done(struct netlink_callback
*cb
)
2709 static int nf_tables_getset(struct net
*net
, struct sock
*nlsk
,
2710 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2711 const struct nlattr
* const nla
[])
2713 u8 genmask
= nft_genmask_cur(net
);
2714 const struct nft_set
*set
;
2716 struct sk_buff
*skb2
;
2717 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2720 /* Verify existence before starting dump */
2721 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
2725 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
2726 struct netlink_dump_control c
= {
2727 .dump
= nf_tables_dump_sets
,
2728 .done
= nf_tables_dump_sets_done
,
2730 struct nft_ctx
*ctx_dump
;
2732 ctx_dump
= kmalloc(sizeof(*ctx_dump
), GFP_KERNEL
);
2733 if (ctx_dump
== NULL
)
2739 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
2742 /* Only accept unspec with dump */
2743 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
2744 return -EAFNOSUPPORT
;
2745 if (!nla
[NFTA_SET_TABLE
])
2748 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_NAME
], genmask
);
2750 return PTR_ERR(set
);
2752 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
2756 err
= nf_tables_fill_set(skb2
, &ctx
, set
, NFT_MSG_NEWSET
, 0);
2760 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
2767 static int nf_tables_set_desc_parse(const struct nft_ctx
*ctx
,
2768 struct nft_set_desc
*desc
,
2769 const struct nlattr
*nla
)
2771 struct nlattr
*da
[NFTA_SET_DESC_MAX
+ 1];
2774 err
= nla_parse_nested(da
, NFTA_SET_DESC_MAX
, nla
, nft_set_desc_policy
);
2778 if (da
[NFTA_SET_DESC_SIZE
] != NULL
)
2779 desc
->size
= ntohl(nla_get_be32(da
[NFTA_SET_DESC_SIZE
]));
2784 static int nf_tables_newset(struct net
*net
, struct sock
*nlsk
,
2785 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2786 const struct nlattr
* const nla
[])
2788 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2789 u8 genmask
= nft_genmask_next(net
);
2790 const struct nft_set_ops
*ops
;
2791 struct nft_af_info
*afi
;
2792 struct nft_table
*table
;
2793 struct nft_set
*set
;
2795 char name
[NFT_SET_MAXNAMELEN
];
2799 u32 ktype
, dtype
, flags
, policy
, gc_int
;
2800 struct nft_set_desc desc
;
2801 unsigned char *udata
;
2805 if (nla
[NFTA_SET_TABLE
] == NULL
||
2806 nla
[NFTA_SET_NAME
] == NULL
||
2807 nla
[NFTA_SET_KEY_LEN
] == NULL
||
2808 nla
[NFTA_SET_ID
] == NULL
)
2811 memset(&desc
, 0, sizeof(desc
));
2813 ktype
= NFT_DATA_VALUE
;
2814 if (nla
[NFTA_SET_KEY_TYPE
] != NULL
) {
2815 ktype
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_TYPE
]));
2816 if ((ktype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
)
2820 desc
.klen
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_LEN
]));
2821 if (desc
.klen
== 0 || desc
.klen
> NFT_DATA_VALUE_MAXLEN
)
2825 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
2826 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
2827 if (flags
& ~(NFT_SET_ANONYMOUS
| NFT_SET_CONSTANT
|
2828 NFT_SET_INTERVAL
| NFT_SET_TIMEOUT
|
2829 NFT_SET_MAP
| NFT_SET_EVAL
))
2831 /* Only one of both operations is supported */
2832 if ((flags
& (NFT_SET_MAP
| NFT_SET_EVAL
)) ==
2833 (NFT_SET_MAP
| NFT_SET_EVAL
))
2838 if (nla
[NFTA_SET_DATA_TYPE
] != NULL
) {
2839 if (!(flags
& NFT_SET_MAP
))
2842 dtype
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_TYPE
]));
2843 if ((dtype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
&&
2844 dtype
!= NFT_DATA_VERDICT
)
2847 if (dtype
!= NFT_DATA_VERDICT
) {
2848 if (nla
[NFTA_SET_DATA_LEN
] == NULL
)
2850 desc
.dlen
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_LEN
]));
2851 if (desc
.dlen
== 0 || desc
.dlen
> NFT_DATA_VALUE_MAXLEN
)
2854 desc
.dlen
= sizeof(struct nft_verdict
);
2855 } else if (flags
& NFT_SET_MAP
)
2859 if (nla
[NFTA_SET_TIMEOUT
] != NULL
) {
2860 if (!(flags
& NFT_SET_TIMEOUT
))
2862 timeout
= be64_to_cpu(nla_get_be64(nla
[NFTA_SET_TIMEOUT
]));
2865 if (nla
[NFTA_SET_GC_INTERVAL
] != NULL
) {
2866 if (!(flags
& NFT_SET_TIMEOUT
))
2868 gc_int
= ntohl(nla_get_be32(nla
[NFTA_SET_GC_INTERVAL
]));
2871 policy
= NFT_SET_POL_PERFORMANCE
;
2872 if (nla
[NFTA_SET_POLICY
] != NULL
)
2873 policy
= ntohl(nla_get_be32(nla
[NFTA_SET_POLICY
]));
2875 if (nla
[NFTA_SET_DESC
] != NULL
) {
2876 err
= nf_tables_set_desc_parse(&ctx
, &desc
, nla
[NFTA_SET_DESC
]);
2881 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
2883 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, create
);
2885 return PTR_ERR(afi
);
2887 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_TABLE
], genmask
);
2889 return PTR_ERR(table
);
2891 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
2893 set
= nf_tables_set_lookup(table
, nla
[NFTA_SET_NAME
], genmask
);
2895 if (PTR_ERR(set
) != -ENOENT
)
2896 return PTR_ERR(set
);
2901 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
2903 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2908 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
2911 ops
= nft_select_set_ops(nla
, &desc
, policy
);
2913 return PTR_ERR(ops
);
2916 if (nla
[NFTA_SET_USERDATA
])
2917 udlen
= nla_len(nla
[NFTA_SET_USERDATA
]);
2920 if (ops
->privsize
!= NULL
)
2921 size
= ops
->privsize(nla
);
2924 set
= kzalloc(sizeof(*set
) + size
+ udlen
, GFP_KERNEL
);
2928 nla_strlcpy(name
, nla
[NFTA_SET_NAME
], sizeof(set
->name
));
2929 err
= nf_tables_set_alloc_name(&ctx
, set
, name
);
2935 udata
= set
->data
+ size
;
2936 nla_memcpy(udata
, nla
[NFTA_SET_USERDATA
], udlen
);
2939 INIT_LIST_HEAD(&set
->bindings
);
2942 set
->klen
= desc
.klen
;
2944 set
->dlen
= desc
.dlen
;
2946 set
->size
= desc
.size
;
2947 set
->policy
= policy
;
2950 set
->timeout
= timeout
;
2951 set
->gc_int
= gc_int
;
2953 err
= ops
->init(set
, &desc
, nla
);
2957 err
= nft_trans_set_add(&ctx
, NFT_MSG_NEWSET
, set
);
2961 list_add_tail_rcu(&set
->list
, &table
->sets
);
2970 module_put(ops
->owner
);
2974 static void nft_set_destroy(struct nft_set
*set
)
2976 set
->ops
->destroy(set
);
2977 module_put(set
->ops
->owner
);
2981 static void nf_tables_set_destroy(const struct nft_ctx
*ctx
, struct nft_set
*set
)
2983 list_del_rcu(&set
->list
);
2984 nf_tables_set_notify(ctx
, set
, NFT_MSG_DELSET
, GFP_ATOMIC
);
2985 nft_set_destroy(set
);
2988 static int nf_tables_delset(struct net
*net
, struct sock
*nlsk
,
2989 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2990 const struct nlattr
* const nla
[])
2992 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2993 u8 genmask
= nft_genmask_next(net
);
2994 struct nft_set
*set
;
2998 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
2999 return -EAFNOSUPPORT
;
3000 if (nla
[NFTA_SET_TABLE
] == NULL
)
3003 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3007 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_NAME
], genmask
);
3009 return PTR_ERR(set
);
3010 if (!list_empty(&set
->bindings
))
3013 return nft_delset(&ctx
, set
);
3016 static int nf_tables_bind_check_setelem(const struct nft_ctx
*ctx
,
3017 const struct nft_set
*set
,
3018 const struct nft_set_iter
*iter
,
3019 const struct nft_set_elem
*elem
)
3021 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
3022 enum nft_registers dreg
;
3024 dreg
= nft_type_to_reg(set
->dtype
);
3025 return nft_validate_register_store(ctx
, dreg
, nft_set_ext_data(ext
),
3026 set
->dtype
== NFT_DATA_VERDICT
?
3027 NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
3031 int nf_tables_bind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
3032 struct nft_set_binding
*binding
)
3034 struct nft_set_binding
*i
;
3035 struct nft_set_iter iter
;
3037 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_ANONYMOUS
)
3040 if (binding
->flags
& NFT_SET_MAP
) {
3041 /* If the set is already bound to the same chain all
3042 * jumps are already validated for that chain.
3044 list_for_each_entry(i
, &set
->bindings
, list
) {
3045 if (i
->flags
& NFT_SET_MAP
&&
3046 i
->chain
== binding
->chain
)
3050 iter
.genmask
= nft_genmask_next(ctx
->net
);
3054 iter
.fn
= nf_tables_bind_check_setelem
;
3056 set
->ops
->walk(ctx
, set
, &iter
);
3061 binding
->chain
= ctx
->chain
;
3062 list_add_tail_rcu(&binding
->list
, &set
->bindings
);
3066 void nf_tables_unbind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
3067 struct nft_set_binding
*binding
)
3069 list_del_rcu(&binding
->list
);
3071 if (list_empty(&set
->bindings
) && set
->flags
& NFT_SET_ANONYMOUS
&&
3072 nft_is_active(ctx
->net
, set
))
3073 nf_tables_set_destroy(ctx
, set
);
3076 const struct nft_set_ext_type nft_set_ext_types
[] = {
3077 [NFT_SET_EXT_KEY
] = {
3078 .align
= __alignof__(u32
),
3080 [NFT_SET_EXT_DATA
] = {
3081 .align
= __alignof__(u32
),
3083 [NFT_SET_EXT_EXPR
] = {
3084 .align
= __alignof__(struct nft_expr
),
3086 [NFT_SET_EXT_FLAGS
] = {
3088 .align
= __alignof__(u8
),
3090 [NFT_SET_EXT_TIMEOUT
] = {
3092 .align
= __alignof__(u64
),
3094 [NFT_SET_EXT_EXPIRATION
] = {
3095 .len
= sizeof(unsigned long),
3096 .align
= __alignof__(unsigned long),
3098 [NFT_SET_EXT_USERDATA
] = {
3099 .len
= sizeof(struct nft_userdata
),
3100 .align
= __alignof__(struct nft_userdata
),
3103 EXPORT_SYMBOL_GPL(nft_set_ext_types
);
3109 static const struct nla_policy nft_set_elem_policy
[NFTA_SET_ELEM_MAX
+ 1] = {
3110 [NFTA_SET_ELEM_KEY
] = { .type
= NLA_NESTED
},
3111 [NFTA_SET_ELEM_DATA
] = { .type
= NLA_NESTED
},
3112 [NFTA_SET_ELEM_FLAGS
] = { .type
= NLA_U32
},
3113 [NFTA_SET_ELEM_TIMEOUT
] = { .type
= NLA_U64
},
3114 [NFTA_SET_ELEM_USERDATA
] = { .type
= NLA_BINARY
,
3115 .len
= NFT_USERDATA_MAXLEN
},
3118 static const struct nla_policy nft_set_elem_list_policy
[NFTA_SET_ELEM_LIST_MAX
+ 1] = {
3119 [NFTA_SET_ELEM_LIST_TABLE
] = { .type
= NLA_STRING
},
3120 [NFTA_SET_ELEM_LIST_SET
] = { .type
= NLA_STRING
},
3121 [NFTA_SET_ELEM_LIST_ELEMENTS
] = { .type
= NLA_NESTED
},
3122 [NFTA_SET_ELEM_LIST_SET_ID
] = { .type
= NLA_U32
},
3125 static int nft_ctx_init_from_elemattr(struct nft_ctx
*ctx
, struct net
*net
,
3126 const struct sk_buff
*skb
,
3127 const struct nlmsghdr
*nlh
,
3128 const struct nlattr
* const nla
[],
3131 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3132 struct nft_af_info
*afi
;
3133 struct nft_table
*table
;
3135 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, false);
3137 return PTR_ERR(afi
);
3139 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_ELEM_LIST_TABLE
],
3142 return PTR_ERR(table
);
3144 nft_ctx_init(ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
3148 static int nf_tables_fill_setelem(struct sk_buff
*skb
,
3149 const struct nft_set
*set
,
3150 const struct nft_set_elem
*elem
)
3152 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
3153 unsigned char *b
= skb_tail_pointer(skb
);
3154 struct nlattr
*nest
;
3156 nest
= nla_nest_start(skb
, NFTA_LIST_ELEM
);
3158 goto nla_put_failure
;
3160 if (nft_data_dump(skb
, NFTA_SET_ELEM_KEY
, nft_set_ext_key(ext
),
3161 NFT_DATA_VALUE
, set
->klen
) < 0)
3162 goto nla_put_failure
;
3164 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
3165 nft_data_dump(skb
, NFTA_SET_ELEM_DATA
, nft_set_ext_data(ext
),
3166 set
->dtype
== NFT_DATA_VERDICT
? NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
3168 goto nla_put_failure
;
3170 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
) &&
3171 nft_expr_dump(skb
, NFTA_SET_ELEM_EXPR
, nft_set_ext_expr(ext
)) < 0)
3172 goto nla_put_failure
;
3174 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
3175 nla_put_be32(skb
, NFTA_SET_ELEM_FLAGS
,
3176 htonl(*nft_set_ext_flags(ext
))))
3177 goto nla_put_failure
;
3179 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
) &&
3180 nla_put_be64(skb
, NFTA_SET_ELEM_TIMEOUT
,
3181 cpu_to_be64(*nft_set_ext_timeout(ext
)),
3183 goto nla_put_failure
;
3185 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
)) {
3186 unsigned long expires
, now
= jiffies
;
3188 expires
= *nft_set_ext_expiration(ext
);
3189 if (time_before(now
, expires
))
3194 if (nla_put_be64(skb
, NFTA_SET_ELEM_EXPIRATION
,
3195 cpu_to_be64(jiffies_to_msecs(expires
)),
3197 goto nla_put_failure
;
3200 if (nft_set_ext_exists(ext
, NFT_SET_EXT_USERDATA
)) {
3201 struct nft_userdata
*udata
;
3203 udata
= nft_set_ext_userdata(ext
);
3204 if (nla_put(skb
, NFTA_SET_ELEM_USERDATA
,
3205 udata
->len
+ 1, udata
->data
))
3206 goto nla_put_failure
;
3209 nla_nest_end(skb
, nest
);
3217 struct nft_set_dump_args
{
3218 const struct netlink_callback
*cb
;
3219 struct nft_set_iter iter
;
3220 struct sk_buff
*skb
;
3223 static int nf_tables_dump_setelem(const struct nft_ctx
*ctx
,
3224 const struct nft_set
*set
,
3225 const struct nft_set_iter
*iter
,
3226 const struct nft_set_elem
*elem
)
3228 struct nft_set_dump_args
*args
;
3230 args
= container_of(iter
, struct nft_set_dump_args
, iter
);
3231 return nf_tables_fill_setelem(args
->skb
, set
, elem
);
3234 static int nf_tables_dump_set(struct sk_buff
*skb
, struct netlink_callback
*cb
)
3236 struct net
*net
= sock_net(skb
->sk
);
3237 u8 genmask
= nft_genmask_cur(net
);
3238 const struct nft_set
*set
;
3239 struct nft_set_dump_args args
;
3241 struct nlattr
*nla
[NFTA_SET_ELEM_LIST_MAX
+ 1];
3242 struct nfgenmsg
*nfmsg
;
3243 struct nlmsghdr
*nlh
;
3244 struct nlattr
*nest
;
3248 err
= nlmsg_parse(cb
->nlh
, sizeof(struct nfgenmsg
), nla
,
3249 NFTA_SET_ELEM_LIST_MAX
, nft_set_elem_list_policy
);
3253 err
= nft_ctx_init_from_elemattr(&ctx
, net
, cb
->skb
, cb
->nlh
,
3254 (void *)nla
, genmask
);
3258 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3261 return PTR_ERR(set
);
3263 event
= NFT_MSG_NEWSETELEM
;
3264 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
3265 portid
= NETLINK_CB(cb
->skb
).portid
;
3266 seq
= cb
->nlh
->nlmsg_seq
;
3268 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3271 goto nla_put_failure
;
3273 nfmsg
= nlmsg_data(nlh
);
3274 nfmsg
->nfgen_family
= ctx
.afi
->family
;
3275 nfmsg
->version
= NFNETLINK_V0
;
3276 nfmsg
->res_id
= htons(ctx
.net
->nft
.base_seq
& 0xffff);
3278 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_TABLE
, ctx
.table
->name
))
3279 goto nla_put_failure
;
3280 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_SET
, set
->name
))
3281 goto nla_put_failure
;
3283 nest
= nla_nest_start(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
3285 goto nla_put_failure
;
3289 args
.iter
.genmask
= nft_genmask_cur(ctx
.net
);
3290 args
.iter
.skip
= cb
->args
[0];
3291 args
.iter
.count
= 0;
3293 args
.iter
.fn
= nf_tables_dump_setelem
;
3294 set
->ops
->walk(&ctx
, set
, &args
.iter
);
3296 nla_nest_end(skb
, nest
);
3297 nlmsg_end(skb
, nlh
);
3299 if (args
.iter
.err
&& args
.iter
.err
!= -EMSGSIZE
)
3300 return args
.iter
.err
;
3301 if (args
.iter
.count
== cb
->args
[0])
3304 cb
->args
[0] = args
.iter
.count
;
3311 static int nf_tables_getsetelem(struct net
*net
, struct sock
*nlsk
,
3312 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3313 const struct nlattr
* const nla
[])
3315 u8 genmask
= nft_genmask_cur(net
);
3316 const struct nft_set
*set
;
3320 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3324 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3327 return PTR_ERR(set
);
3329 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
3330 struct netlink_dump_control c
= {
3331 .dump
= nf_tables_dump_set
,
3333 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
3338 static int nf_tables_fill_setelem_info(struct sk_buff
*skb
,
3339 const struct nft_ctx
*ctx
, u32 seq
,
3340 u32 portid
, int event
, u16 flags
,
3341 const struct nft_set
*set
,
3342 const struct nft_set_elem
*elem
)
3344 struct nfgenmsg
*nfmsg
;
3345 struct nlmsghdr
*nlh
;
3346 struct nlattr
*nest
;
3349 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
3350 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3353 goto nla_put_failure
;
3355 nfmsg
= nlmsg_data(nlh
);
3356 nfmsg
->nfgen_family
= ctx
->afi
->family
;
3357 nfmsg
->version
= NFNETLINK_V0
;
3358 nfmsg
->res_id
= htons(ctx
->net
->nft
.base_seq
& 0xffff);
3360 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
3361 goto nla_put_failure
;
3362 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
3363 goto nla_put_failure
;
3365 nest
= nla_nest_start(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
3367 goto nla_put_failure
;
3369 err
= nf_tables_fill_setelem(skb
, set
, elem
);
3371 goto nla_put_failure
;
3373 nla_nest_end(skb
, nest
);
3375 nlmsg_end(skb
, nlh
);
3379 nlmsg_trim(skb
, nlh
);
3383 static int nf_tables_setelem_notify(const struct nft_ctx
*ctx
,
3384 const struct nft_set
*set
,
3385 const struct nft_set_elem
*elem
,
3386 int event
, u16 flags
)
3388 struct net
*net
= ctx
->net
;
3389 u32 portid
= ctx
->portid
;
3390 struct sk_buff
*skb
;
3393 if (!ctx
->report
&& !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
3397 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
3401 err
= nf_tables_fill_setelem_info(skb
, ctx
, 0, portid
, event
, flags
,
3408 err
= nfnetlink_send(skb
, net
, portid
, NFNLGRP_NFTABLES
, ctx
->report
,
3412 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, err
);
3416 static struct nft_trans
*nft_trans_elem_alloc(struct nft_ctx
*ctx
,
3418 struct nft_set
*set
)
3420 struct nft_trans
*trans
;
3422 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_elem
));
3426 nft_trans_elem_set(trans
) = set
;
3430 void *nft_set_elem_init(const struct nft_set
*set
,
3431 const struct nft_set_ext_tmpl
*tmpl
,
3432 const u32
*key
, const u32
*data
,
3433 u64 timeout
, gfp_t gfp
)
3435 struct nft_set_ext
*ext
;
3438 elem
= kzalloc(set
->ops
->elemsize
+ tmpl
->len
, gfp
);
3442 ext
= nft_set_elem_ext(set
, elem
);
3443 nft_set_ext_init(ext
, tmpl
);
3445 memcpy(nft_set_ext_key(ext
), key
, set
->klen
);
3446 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
3447 memcpy(nft_set_ext_data(ext
), data
, set
->dlen
);
3448 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
))
3449 *nft_set_ext_expiration(ext
) =
3450 jiffies
+ msecs_to_jiffies(timeout
);
3451 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
))
3452 *nft_set_ext_timeout(ext
) = timeout
;
3457 void nft_set_elem_destroy(const struct nft_set
*set
, void *elem
,
3460 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
3462 nft_data_uninit(nft_set_ext_key(ext
), NFT_DATA_VALUE
);
3463 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
3464 nft_data_uninit(nft_set_ext_data(ext
), set
->dtype
);
3465 if (destroy_expr
&& nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
))
3466 nf_tables_expr_destroy(NULL
, nft_set_ext_expr(ext
));
3470 EXPORT_SYMBOL_GPL(nft_set_elem_destroy
);
3472 static int nft_setelem_parse_flags(const struct nft_set
*set
,
3473 const struct nlattr
*attr
, u32
*flags
)
3478 *flags
= ntohl(nla_get_be32(attr
));
3479 if (*flags
& ~NFT_SET_ELEM_INTERVAL_END
)
3481 if (!(set
->flags
& NFT_SET_INTERVAL
) &&
3482 *flags
& NFT_SET_ELEM_INTERVAL_END
)
3488 static int nft_add_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
3489 const struct nlattr
*attr
, u32 nlmsg_flags
)
3491 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
3492 struct nft_data_desc d1
, d2
;
3493 struct nft_set_ext_tmpl tmpl
;
3494 struct nft_set_ext
*ext
, *ext2
;
3495 struct nft_set_elem elem
;
3496 struct nft_set_binding
*binding
;
3497 struct nft_userdata
*udata
;
3498 struct nft_data data
;
3499 enum nft_registers dreg
;
3500 struct nft_trans
*trans
;
3506 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
3507 nft_set_elem_policy
);
3511 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
3514 nft_set_ext_prepare(&tmpl
);
3516 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
3520 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
3522 if (set
->flags
& NFT_SET_MAP
) {
3523 if (nla
[NFTA_SET_ELEM_DATA
] == NULL
&&
3524 !(flags
& NFT_SET_ELEM_INTERVAL_END
))
3526 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
&&
3527 flags
& NFT_SET_ELEM_INTERVAL_END
)
3530 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
3535 if (nla
[NFTA_SET_ELEM_TIMEOUT
] != NULL
) {
3536 if (!(set
->flags
& NFT_SET_TIMEOUT
))
3538 timeout
= be64_to_cpu(nla_get_be64(nla
[NFTA_SET_ELEM_TIMEOUT
]));
3539 } else if (set
->flags
& NFT_SET_TIMEOUT
) {
3540 timeout
= set
->timeout
;
3543 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &d1
,
3544 nla
[NFTA_SET_ELEM_KEY
]);
3548 if (d1
.type
!= NFT_DATA_VALUE
|| d1
.len
!= set
->klen
)
3551 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, d1
.len
);
3553 nft_set_ext_add(&tmpl
, NFT_SET_EXT_EXPIRATION
);
3554 if (timeout
!= set
->timeout
)
3555 nft_set_ext_add(&tmpl
, NFT_SET_EXT_TIMEOUT
);
3558 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
) {
3559 err
= nft_data_init(ctx
, &data
, sizeof(data
), &d2
,
3560 nla
[NFTA_SET_ELEM_DATA
]);
3565 if (set
->dtype
!= NFT_DATA_VERDICT
&& d2
.len
!= set
->dlen
)
3568 dreg
= nft_type_to_reg(set
->dtype
);
3569 list_for_each_entry(binding
, &set
->bindings
, list
) {
3570 struct nft_ctx bind_ctx
= {
3572 .table
= ctx
->table
,
3573 .chain
= (struct nft_chain
*)binding
->chain
,
3576 if (!(binding
->flags
& NFT_SET_MAP
))
3579 err
= nft_validate_register_store(&bind_ctx
, dreg
,
3586 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_DATA
, d2
.len
);
3589 /* The full maximum length of userdata can exceed the maximum
3590 * offset value (U8_MAX) for following extensions, therefor it
3591 * must be the last extension added.
3594 if (nla
[NFTA_SET_ELEM_USERDATA
] != NULL
) {
3595 ulen
= nla_len(nla
[NFTA_SET_ELEM_USERDATA
]);
3597 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_USERDATA
,
3602 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
, data
.data
,
3603 timeout
, GFP_KERNEL
);
3604 if (elem
.priv
== NULL
)
3607 ext
= nft_set_elem_ext(set
, elem
.priv
);
3609 *nft_set_ext_flags(ext
) = flags
;
3611 udata
= nft_set_ext_userdata(ext
);
3612 udata
->len
= ulen
- 1;
3613 nla_memcpy(&udata
->data
, nla
[NFTA_SET_ELEM_USERDATA
], ulen
);
3616 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_NEWSETELEM
, set
);
3620 ext
->genmask
= nft_genmask_cur(ctx
->net
) | NFT_SET_ELEM_BUSY_MASK
;
3621 err
= set
->ops
->insert(ctx
->net
, set
, &elem
, &ext2
);
3623 if (err
== -EEXIST
) {
3624 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
3625 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) &&
3626 memcmp(nft_set_ext_data(ext
),
3627 nft_set_ext_data(ext2
), set
->dlen
) != 0)
3629 else if (!(nlmsg_flags
& NLM_F_EXCL
))
3635 nft_trans_elem(trans
) = elem
;
3636 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
3644 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
3645 nft_data_uninit(&data
, d2
.type
);
3647 nft_data_uninit(&elem
.key
.val
, d1
.type
);
3652 static int nf_tables_newsetelem(struct net
*net
, struct sock
*nlsk
,
3653 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3654 const struct nlattr
* const nla
[])
3656 u8 genmask
= nft_genmask_next(net
);
3657 const struct nlattr
*attr
;
3658 struct nft_set
*set
;
3662 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
)
3665 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3669 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3672 if (nla
[NFTA_SET_ELEM_LIST_SET_ID
]) {
3673 set
= nf_tables_set_lookup_byid(net
,
3674 nla
[NFTA_SET_ELEM_LIST_SET_ID
],
3678 return PTR_ERR(set
);
3681 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
3684 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
3686 !atomic_add_unless(&set
->nelems
, 1, set
->size
+ set
->ndeact
))
3689 err
= nft_add_set_elem(&ctx
, set
, attr
, nlh
->nlmsg_flags
);
3691 atomic_dec(&set
->nelems
);
3698 static int nft_del_setelem(struct nft_ctx
*ctx
, struct nft_set
*set
,
3699 const struct nlattr
*attr
)
3701 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
3702 struct nft_set_ext_tmpl tmpl
;
3703 struct nft_data_desc desc
;
3704 struct nft_set_elem elem
;
3705 struct nft_set_ext
*ext
;
3706 struct nft_trans
*trans
;
3711 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
3712 nft_set_elem_policy
);
3717 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
3720 nft_set_ext_prepare(&tmpl
);
3722 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
3726 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
3728 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &desc
,
3729 nla
[NFTA_SET_ELEM_KEY
]);
3734 if (desc
.type
!= NFT_DATA_VALUE
|| desc
.len
!= set
->klen
)
3737 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, desc
.len
);
3740 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
, NULL
, 0,
3742 if (elem
.priv
== NULL
)
3745 ext
= nft_set_elem_ext(set
, elem
.priv
);
3747 *nft_set_ext_flags(ext
) = flags
;
3749 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_DELSETELEM
, set
);
3750 if (trans
== NULL
) {
3755 priv
= set
->ops
->deactivate(ctx
->net
, set
, &elem
);
3763 nft_trans_elem(trans
) = elem
;
3764 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
3772 nft_data_uninit(&elem
.key
.val
, desc
.type
);
3777 static int nf_tables_delsetelem(struct net
*net
, struct sock
*nlsk
,
3778 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3779 const struct nlattr
* const nla
[])
3781 u8 genmask
= nft_genmask_next(net
);
3782 const struct nlattr
*attr
;
3783 struct nft_set
*set
;
3787 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
)
3790 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3794 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3797 return PTR_ERR(set
);
3798 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
3801 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
3802 err
= nft_del_setelem(&ctx
, set
, attr
);
3811 void nft_set_gc_batch_release(struct rcu_head
*rcu
)
3813 struct nft_set_gc_batch
*gcb
;
3816 gcb
= container_of(rcu
, struct nft_set_gc_batch
, head
.rcu
);
3817 for (i
= 0; i
< gcb
->head
.cnt
; i
++)
3818 nft_set_elem_destroy(gcb
->head
.set
, gcb
->elems
[i
], true);
3821 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release
);
3823 struct nft_set_gc_batch
*nft_set_gc_batch_alloc(const struct nft_set
*set
,
3826 struct nft_set_gc_batch
*gcb
;
3828 gcb
= kzalloc(sizeof(*gcb
), gfp
);
3831 gcb
->head
.set
= set
;
3834 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc
);
3836 static int nf_tables_fill_gen_info(struct sk_buff
*skb
, struct net
*net
,
3837 u32 portid
, u32 seq
)
3839 struct nlmsghdr
*nlh
;
3840 struct nfgenmsg
*nfmsg
;
3841 int event
= (NFNL_SUBSYS_NFTABLES
<< 8) | NFT_MSG_NEWGEN
;
3843 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), 0);
3845 goto nla_put_failure
;
3847 nfmsg
= nlmsg_data(nlh
);
3848 nfmsg
->nfgen_family
= AF_UNSPEC
;
3849 nfmsg
->version
= NFNETLINK_V0
;
3850 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
3852 if (nla_put_be32(skb
, NFTA_GEN_ID
, htonl(net
->nft
.base_seq
)))
3853 goto nla_put_failure
;
3855 nlmsg_end(skb
, nlh
);
3859 nlmsg_trim(skb
, nlh
);
3863 static int nf_tables_gen_notify(struct net
*net
, struct sk_buff
*skb
, int event
)
3865 struct nlmsghdr
*nlh
= nlmsg_hdr(skb
);
3866 struct sk_buff
*skb2
;
3869 if (nlmsg_report(nlh
) &&
3870 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
3874 skb2
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
3878 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
3885 err
= nfnetlink_send(skb2
, net
, NETLINK_CB(skb
).portid
,
3886 NFNLGRP_NFTABLES
, nlmsg_report(nlh
), GFP_KERNEL
);
3889 nfnetlink_set_err(net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
3895 static int nf_tables_getgen(struct net
*net
, struct sock
*nlsk
,
3896 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3897 const struct nlattr
* const nla
[])
3899 struct sk_buff
*skb2
;
3902 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
3906 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
3911 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
3917 static const struct nfnl_callback nf_tables_cb
[NFT_MSG_MAX
] = {
3918 [NFT_MSG_NEWTABLE
] = {
3919 .call_batch
= nf_tables_newtable
,
3920 .attr_count
= NFTA_TABLE_MAX
,
3921 .policy
= nft_table_policy
,
3923 [NFT_MSG_GETTABLE
] = {
3924 .call
= nf_tables_gettable
,
3925 .attr_count
= NFTA_TABLE_MAX
,
3926 .policy
= nft_table_policy
,
3928 [NFT_MSG_DELTABLE
] = {
3929 .call_batch
= nf_tables_deltable
,
3930 .attr_count
= NFTA_TABLE_MAX
,
3931 .policy
= nft_table_policy
,
3933 [NFT_MSG_NEWCHAIN
] = {
3934 .call_batch
= nf_tables_newchain
,
3935 .attr_count
= NFTA_CHAIN_MAX
,
3936 .policy
= nft_chain_policy
,
3938 [NFT_MSG_GETCHAIN
] = {
3939 .call
= nf_tables_getchain
,
3940 .attr_count
= NFTA_CHAIN_MAX
,
3941 .policy
= nft_chain_policy
,
3943 [NFT_MSG_DELCHAIN
] = {
3944 .call_batch
= nf_tables_delchain
,
3945 .attr_count
= NFTA_CHAIN_MAX
,
3946 .policy
= nft_chain_policy
,
3948 [NFT_MSG_NEWRULE
] = {
3949 .call_batch
= nf_tables_newrule
,
3950 .attr_count
= NFTA_RULE_MAX
,
3951 .policy
= nft_rule_policy
,
3953 [NFT_MSG_GETRULE
] = {
3954 .call
= nf_tables_getrule
,
3955 .attr_count
= NFTA_RULE_MAX
,
3956 .policy
= nft_rule_policy
,
3958 [NFT_MSG_DELRULE
] = {
3959 .call_batch
= nf_tables_delrule
,
3960 .attr_count
= NFTA_RULE_MAX
,
3961 .policy
= nft_rule_policy
,
3963 [NFT_MSG_NEWSET
] = {
3964 .call_batch
= nf_tables_newset
,
3965 .attr_count
= NFTA_SET_MAX
,
3966 .policy
= nft_set_policy
,
3968 [NFT_MSG_GETSET
] = {
3969 .call
= nf_tables_getset
,
3970 .attr_count
= NFTA_SET_MAX
,
3971 .policy
= nft_set_policy
,
3973 [NFT_MSG_DELSET
] = {
3974 .call_batch
= nf_tables_delset
,
3975 .attr_count
= NFTA_SET_MAX
,
3976 .policy
= nft_set_policy
,
3978 [NFT_MSG_NEWSETELEM
] = {
3979 .call_batch
= nf_tables_newsetelem
,
3980 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
3981 .policy
= nft_set_elem_list_policy
,
3983 [NFT_MSG_GETSETELEM
] = {
3984 .call
= nf_tables_getsetelem
,
3985 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
3986 .policy
= nft_set_elem_list_policy
,
3988 [NFT_MSG_DELSETELEM
] = {
3989 .call_batch
= nf_tables_delsetelem
,
3990 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
3991 .policy
= nft_set_elem_list_policy
,
3993 [NFT_MSG_GETGEN
] = {
3994 .call
= nf_tables_getgen
,
3998 static void nft_chain_commit_update(struct nft_trans
*trans
)
4000 struct nft_base_chain
*basechain
;
4002 if (nft_trans_chain_name(trans
)[0])
4003 strcpy(trans
->ctx
.chain
->name
, nft_trans_chain_name(trans
));
4005 if (!(trans
->ctx
.chain
->flags
& NFT_BASE_CHAIN
))
4008 basechain
= nft_base_chain(trans
->ctx
.chain
);
4009 nft_chain_stats_replace(basechain
, nft_trans_chain_stats(trans
));
4011 switch (nft_trans_chain_policy(trans
)) {
4014 basechain
->policy
= nft_trans_chain_policy(trans
);
4019 static void nf_tables_commit_release(struct nft_trans
*trans
)
4021 switch (trans
->msg_type
) {
4022 case NFT_MSG_DELTABLE
:
4023 nf_tables_table_destroy(&trans
->ctx
);
4025 case NFT_MSG_DELCHAIN
:
4026 nf_tables_chain_destroy(trans
->ctx
.chain
);
4028 case NFT_MSG_DELRULE
:
4029 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
4031 case NFT_MSG_DELSET
:
4032 nft_set_destroy(nft_trans_set(trans
));
4034 case NFT_MSG_DELSETELEM
:
4035 nft_set_elem_destroy(nft_trans_elem_set(trans
),
4036 nft_trans_elem(trans
).priv
, true);
4042 static int nf_tables_commit(struct net
*net
, struct sk_buff
*skb
)
4044 struct nft_trans
*trans
, *next
;
4045 struct nft_trans_elem
*te
;
4047 /* Bump generation counter, invalidate any dump in progress */
4048 while (++net
->nft
.base_seq
== 0);
4050 /* A new generation has just started */
4051 net
->nft
.gencursor
= nft_gencursor_next(net
);
4053 /* Make sure all packets have left the previous generation before
4054 * purging old rules.
4058 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
4059 switch (trans
->msg_type
) {
4060 case NFT_MSG_NEWTABLE
:
4061 if (nft_trans_table_update(trans
)) {
4062 if (!nft_trans_table_enable(trans
)) {
4063 nf_tables_table_disable(net
,
4066 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
4069 nft_clear(net
, trans
->ctx
.table
);
4071 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_NEWTABLE
);
4072 nft_trans_destroy(trans
);
4074 case NFT_MSG_DELTABLE
:
4075 list_del_rcu(&trans
->ctx
.table
->list
);
4076 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_DELTABLE
);
4078 case NFT_MSG_NEWCHAIN
:
4079 if (nft_trans_chain_update(trans
))
4080 nft_chain_commit_update(trans
);
4082 nft_clear(net
, trans
->ctx
.chain
);
4084 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
4085 nft_trans_destroy(trans
);
4087 case NFT_MSG_DELCHAIN
:
4088 list_del_rcu(&trans
->ctx
.chain
->list
);
4089 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_DELCHAIN
);
4090 nf_tables_unregister_hooks(trans
->ctx
.net
,
4093 trans
->ctx
.afi
->nops
);
4095 case NFT_MSG_NEWRULE
:
4096 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
4097 nf_tables_rule_notify(&trans
->ctx
,
4098 nft_trans_rule(trans
),
4100 nft_trans_destroy(trans
);
4102 case NFT_MSG_DELRULE
:
4103 list_del_rcu(&nft_trans_rule(trans
)->list
);
4104 nf_tables_rule_notify(&trans
->ctx
,
4105 nft_trans_rule(trans
),
4108 case NFT_MSG_NEWSET
:
4109 nft_clear(net
, nft_trans_set(trans
));
4110 /* This avoids hitting -EBUSY when deleting the table
4111 * from the transaction.
4113 if (nft_trans_set(trans
)->flags
& NFT_SET_ANONYMOUS
&&
4114 !list_empty(&nft_trans_set(trans
)->bindings
))
4115 trans
->ctx
.table
->use
--;
4117 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
4118 NFT_MSG_NEWSET
, GFP_KERNEL
);
4119 nft_trans_destroy(trans
);
4121 case NFT_MSG_DELSET
:
4122 list_del_rcu(&nft_trans_set(trans
)->list
);
4123 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
4124 NFT_MSG_DELSET
, GFP_KERNEL
);
4126 case NFT_MSG_NEWSETELEM
:
4127 te
= (struct nft_trans_elem
*)trans
->data
;
4129 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
4130 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
4132 NFT_MSG_NEWSETELEM
, 0);
4133 nft_trans_destroy(trans
);
4135 case NFT_MSG_DELSETELEM
:
4136 te
= (struct nft_trans_elem
*)trans
->data
;
4138 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
4140 NFT_MSG_DELSETELEM
, 0);
4141 te
->set
->ops
->remove(te
->set
, &te
->elem
);
4142 atomic_dec(&te
->set
->nelems
);
4150 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
4151 list_del(&trans
->list
);
4152 nf_tables_commit_release(trans
);
4155 nf_tables_gen_notify(net
, skb
, NFT_MSG_NEWGEN
);
4160 static void nf_tables_abort_release(struct nft_trans
*trans
)
4162 switch (trans
->msg_type
) {
4163 case NFT_MSG_NEWTABLE
:
4164 nf_tables_table_destroy(&trans
->ctx
);
4166 case NFT_MSG_NEWCHAIN
:
4167 nf_tables_chain_destroy(trans
->ctx
.chain
);
4169 case NFT_MSG_NEWRULE
:
4170 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
4172 case NFT_MSG_NEWSET
:
4173 nft_set_destroy(nft_trans_set(trans
));
4175 case NFT_MSG_NEWSETELEM
:
4176 nft_set_elem_destroy(nft_trans_elem_set(trans
),
4177 nft_trans_elem(trans
).priv
, true);
4183 static int nf_tables_abort(struct net
*net
, struct sk_buff
*skb
)
4185 struct nft_trans
*trans
, *next
;
4186 struct nft_trans_elem
*te
;
4188 list_for_each_entry_safe_reverse(trans
, next
, &net
->nft
.commit_list
,
4190 switch (trans
->msg_type
) {
4191 case NFT_MSG_NEWTABLE
:
4192 if (nft_trans_table_update(trans
)) {
4193 if (nft_trans_table_enable(trans
)) {
4194 nf_tables_table_disable(net
,
4197 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
4199 nft_trans_destroy(trans
);
4201 list_del_rcu(&trans
->ctx
.table
->list
);
4204 case NFT_MSG_DELTABLE
:
4205 nft_clear(trans
->ctx
.net
, trans
->ctx
.table
);
4206 nft_trans_destroy(trans
);
4208 case NFT_MSG_NEWCHAIN
:
4209 if (nft_trans_chain_update(trans
)) {
4210 free_percpu(nft_trans_chain_stats(trans
));
4212 nft_trans_destroy(trans
);
4214 trans
->ctx
.table
->use
--;
4215 list_del_rcu(&trans
->ctx
.chain
->list
);
4216 nf_tables_unregister_hooks(trans
->ctx
.net
,
4219 trans
->ctx
.afi
->nops
);
4222 case NFT_MSG_DELCHAIN
:
4223 trans
->ctx
.table
->use
++;
4224 nft_clear(trans
->ctx
.net
, trans
->ctx
.chain
);
4225 nft_trans_destroy(trans
);
4227 case NFT_MSG_NEWRULE
:
4228 trans
->ctx
.chain
->use
--;
4229 list_del_rcu(&nft_trans_rule(trans
)->list
);
4231 case NFT_MSG_DELRULE
:
4232 trans
->ctx
.chain
->use
++;
4233 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
4234 nft_trans_destroy(trans
);
4236 case NFT_MSG_NEWSET
:
4237 trans
->ctx
.table
->use
--;
4238 list_del_rcu(&nft_trans_set(trans
)->list
);
4240 case NFT_MSG_DELSET
:
4241 trans
->ctx
.table
->use
++;
4242 nft_clear(trans
->ctx
.net
, nft_trans_set(trans
));
4243 nft_trans_destroy(trans
);
4245 case NFT_MSG_NEWSETELEM
:
4246 te
= (struct nft_trans_elem
*)trans
->data
;
4248 te
->set
->ops
->remove(te
->set
, &te
->elem
);
4249 atomic_dec(&te
->set
->nelems
);
4251 case NFT_MSG_DELSETELEM
:
4252 te
= (struct nft_trans_elem
*)trans
->data
;
4254 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
4257 nft_trans_destroy(trans
);
4264 list_for_each_entry_safe_reverse(trans
, next
,
4265 &net
->nft
.commit_list
, list
) {
4266 list_del(&trans
->list
);
4267 nf_tables_abort_release(trans
);
4273 static const struct nfnetlink_subsystem nf_tables_subsys
= {
4274 .name
= "nf_tables",
4275 .subsys_id
= NFNL_SUBSYS_NFTABLES
,
4276 .cb_count
= NFT_MSG_MAX
,
4278 .commit
= nf_tables_commit
,
4279 .abort
= nf_tables_abort
,
4282 int nft_chain_validate_dependency(const struct nft_chain
*chain
,
4283 enum nft_chain_type type
)
4285 const struct nft_base_chain
*basechain
;
4287 if (chain
->flags
& NFT_BASE_CHAIN
) {
4288 basechain
= nft_base_chain(chain
);
4289 if (basechain
->type
->type
!= type
)
4294 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency
);
4296 int nft_chain_validate_hooks(const struct nft_chain
*chain
,
4297 unsigned int hook_flags
)
4299 struct nft_base_chain
*basechain
;
4301 if (chain
->flags
& NFT_BASE_CHAIN
) {
4302 basechain
= nft_base_chain(chain
);
4304 if ((1 << basechain
->ops
[0].hooknum
) & hook_flags
)
4312 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks
);
4315 * Loop detection - walk through the ruleset beginning at the destination chain
4316 * of a new jump until either the source chain is reached (loop) or all
4317 * reachable chains have been traversed.
4319 * The loop check is performed whenever a new jump verdict is added to an
4320 * expression or verdict map or a verdict map is bound to a new chain.
4323 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
4324 const struct nft_chain
*chain
);
4326 static int nf_tables_loop_check_setelem(const struct nft_ctx
*ctx
,
4327 const struct nft_set
*set
,
4328 const struct nft_set_iter
*iter
,
4329 const struct nft_set_elem
*elem
)
4331 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
4332 const struct nft_data
*data
;
4334 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
4335 *nft_set_ext_flags(ext
) & NFT_SET_ELEM_INTERVAL_END
)
4338 data
= nft_set_ext_data(ext
);
4339 switch (data
->verdict
.code
) {
4342 return nf_tables_check_loops(ctx
, data
->verdict
.chain
);
4348 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
4349 const struct nft_chain
*chain
)
4351 const struct nft_rule
*rule
;
4352 const struct nft_expr
*expr
, *last
;
4353 const struct nft_set
*set
;
4354 struct nft_set_binding
*binding
;
4355 struct nft_set_iter iter
;
4357 if (ctx
->chain
== chain
)
4360 list_for_each_entry(rule
, &chain
->rules
, list
) {
4361 nft_rule_for_each_expr(expr
, last
, rule
) {
4362 const struct nft_data
*data
= NULL
;
4365 if (!expr
->ops
->validate
)
4368 err
= expr
->ops
->validate(ctx
, expr
, &data
);
4375 switch (data
->verdict
.code
) {
4378 err
= nf_tables_check_loops(ctx
,
4379 data
->verdict
.chain
);
4388 list_for_each_entry(set
, &ctx
->table
->sets
, list
) {
4389 if (!nft_is_active_next(ctx
->net
, set
))
4391 if (!(set
->flags
& NFT_SET_MAP
) ||
4392 set
->dtype
!= NFT_DATA_VERDICT
)
4395 list_for_each_entry(binding
, &set
->bindings
, list
) {
4396 if (!(binding
->flags
& NFT_SET_MAP
) ||
4397 binding
->chain
!= chain
)
4400 iter
.genmask
= nft_genmask_next(ctx
->net
);
4404 iter
.fn
= nf_tables_loop_check_setelem
;
4406 set
->ops
->walk(ctx
, set
, &iter
);
4416 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
4418 * @attr: netlink attribute to fetch value from
4419 * @max: maximum value to be stored in dest
4420 * @dest: pointer to the variable
4422 * Parse, check and store a given u32 netlink attribute into variable.
4423 * This function returns -ERANGE if the value goes over maximum value.
4424 * Otherwise a 0 is returned and the attribute value is stored in the
4425 * destination variable.
4427 int nft_parse_u32_check(const struct nlattr
*attr
, int max
, u32
*dest
)
4431 val
= ntohl(nla_get_be32(attr
));
4438 EXPORT_SYMBOL_GPL(nft_parse_u32_check
);
4441 * nft_parse_register - parse a register value from a netlink attribute
4443 * @attr: netlink attribute
4445 * Parse and translate a register value from a netlink attribute.
4446 * Registers used to be 128 bit wide, these register numbers will be
4447 * mapped to the corresponding 32 bit register numbers.
4449 unsigned int nft_parse_register(const struct nlattr
*attr
)
4453 reg
= ntohl(nla_get_be32(attr
));
4455 case NFT_REG_VERDICT
...NFT_REG_4
:
4456 return reg
* NFT_REG_SIZE
/ NFT_REG32_SIZE
;
4458 return reg
+ NFT_REG_SIZE
/ NFT_REG32_SIZE
- NFT_REG32_00
;
4461 EXPORT_SYMBOL_GPL(nft_parse_register
);
4464 * nft_dump_register - dump a register value to a netlink attribute
4466 * @skb: socket buffer
4467 * @attr: attribute number
4468 * @reg: register number
4470 * Construct a netlink attribute containing the register number. For
4471 * compatibility reasons, register numbers being a multiple of 4 are
4472 * translated to the corresponding 128 bit register numbers.
4474 int nft_dump_register(struct sk_buff
*skb
, unsigned int attr
, unsigned int reg
)
4476 if (reg
% (NFT_REG_SIZE
/ NFT_REG32_SIZE
) == 0)
4477 reg
= reg
/ (NFT_REG_SIZE
/ NFT_REG32_SIZE
);
4479 reg
= reg
- NFT_REG_SIZE
/ NFT_REG32_SIZE
+ NFT_REG32_00
;
4481 return nla_put_be32(skb
, attr
, htonl(reg
));
4483 EXPORT_SYMBOL_GPL(nft_dump_register
);
4486 * nft_validate_register_load - validate a load from a register
4488 * @reg: the register number
4489 * @len: the length of the data
4491 * Validate that the input register is one of the general purpose
4492 * registers and that the length of the load is within the bounds.
4494 int nft_validate_register_load(enum nft_registers reg
, unsigned int len
)
4496 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
4500 if (reg
* NFT_REG32_SIZE
+ len
> FIELD_SIZEOF(struct nft_regs
, data
))
4505 EXPORT_SYMBOL_GPL(nft_validate_register_load
);
4508 * nft_validate_register_store - validate an expressions' register store
4510 * @ctx: context of the expression performing the load
4511 * @reg: the destination register number
4512 * @data: the data to load
4513 * @type: the data type
4514 * @len: the length of the data
4516 * Validate that a data load uses the appropriate data type for
4517 * the destination register and the length is within the bounds.
4518 * A value of NULL for the data means that its runtime gathered
4521 int nft_validate_register_store(const struct nft_ctx
*ctx
,
4522 enum nft_registers reg
,
4523 const struct nft_data
*data
,
4524 enum nft_data_types type
, unsigned int len
)
4529 case NFT_REG_VERDICT
:
4530 if (type
!= NFT_DATA_VERDICT
)
4534 (data
->verdict
.code
== NFT_GOTO
||
4535 data
->verdict
.code
== NFT_JUMP
)) {
4536 err
= nf_tables_check_loops(ctx
, data
->verdict
.chain
);
4540 if (ctx
->chain
->level
+ 1 >
4541 data
->verdict
.chain
->level
) {
4542 if (ctx
->chain
->level
+ 1 == NFT_JUMP_STACK_SIZE
)
4544 data
->verdict
.chain
->level
= ctx
->chain
->level
+ 1;
4550 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
4554 if (reg
* NFT_REG32_SIZE
+ len
>
4555 FIELD_SIZEOF(struct nft_regs
, data
))
4558 if (data
!= NULL
&& type
!= NFT_DATA_VALUE
)
4563 EXPORT_SYMBOL_GPL(nft_validate_register_store
);
4565 static const struct nla_policy nft_verdict_policy
[NFTA_VERDICT_MAX
+ 1] = {
4566 [NFTA_VERDICT_CODE
] = { .type
= NLA_U32
},
4567 [NFTA_VERDICT_CHAIN
] = { .type
= NLA_STRING
,
4568 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
4571 static int nft_verdict_init(const struct nft_ctx
*ctx
, struct nft_data
*data
,
4572 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
4574 u8 genmask
= nft_genmask_next(ctx
->net
);
4575 struct nlattr
*tb
[NFTA_VERDICT_MAX
+ 1];
4576 struct nft_chain
*chain
;
4579 err
= nla_parse_nested(tb
, NFTA_VERDICT_MAX
, nla
, nft_verdict_policy
);
4583 if (!tb
[NFTA_VERDICT_CODE
])
4585 data
->verdict
.code
= ntohl(nla_get_be32(tb
[NFTA_VERDICT_CODE
]));
4587 switch (data
->verdict
.code
) {
4589 switch (data
->verdict
.code
& NF_VERDICT_MASK
) {
4604 if (!tb
[NFTA_VERDICT_CHAIN
])
4606 chain
= nf_tables_chain_lookup(ctx
->table
,
4607 tb
[NFTA_VERDICT_CHAIN
], genmask
);
4609 return PTR_ERR(chain
);
4610 if (chain
->flags
& NFT_BASE_CHAIN
)
4614 data
->verdict
.chain
= chain
;
4618 desc
->len
= sizeof(data
->verdict
);
4619 desc
->type
= NFT_DATA_VERDICT
;
4623 static void nft_verdict_uninit(const struct nft_data
*data
)
4625 switch (data
->verdict
.code
) {
4628 data
->verdict
.chain
->use
--;
4633 int nft_verdict_dump(struct sk_buff
*skb
, int type
, const struct nft_verdict
*v
)
4635 struct nlattr
*nest
;
4637 nest
= nla_nest_start(skb
, type
);
4639 goto nla_put_failure
;
4641 if (nla_put_be32(skb
, NFTA_VERDICT_CODE
, htonl(v
->code
)))
4642 goto nla_put_failure
;
4647 if (nla_put_string(skb
, NFTA_VERDICT_CHAIN
,
4649 goto nla_put_failure
;
4651 nla_nest_end(skb
, nest
);
4658 static int nft_value_init(const struct nft_ctx
*ctx
,
4659 struct nft_data
*data
, unsigned int size
,
4660 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
4670 nla_memcpy(data
->data
, nla
, len
);
4671 desc
->type
= NFT_DATA_VALUE
;
4676 static int nft_value_dump(struct sk_buff
*skb
, const struct nft_data
*data
,
4679 return nla_put(skb
, NFTA_DATA_VALUE
, len
, data
->data
);
4682 static const struct nla_policy nft_data_policy
[NFTA_DATA_MAX
+ 1] = {
4683 [NFTA_DATA_VALUE
] = { .type
= NLA_BINARY
},
4684 [NFTA_DATA_VERDICT
] = { .type
= NLA_NESTED
},
4688 * nft_data_init - parse nf_tables data netlink attributes
4690 * @ctx: context of the expression using the data
4691 * @data: destination struct nft_data
4692 * @size: maximum data length
4693 * @desc: data description
4694 * @nla: netlink attribute containing data
4696 * Parse the netlink data attributes and initialize a struct nft_data.
4697 * The type and length of data are returned in the data description.
4699 * The caller can indicate that it only wants to accept data of type
4700 * NFT_DATA_VALUE by passing NULL for the ctx argument.
4702 int nft_data_init(const struct nft_ctx
*ctx
,
4703 struct nft_data
*data
, unsigned int size
,
4704 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
4706 struct nlattr
*tb
[NFTA_DATA_MAX
+ 1];
4709 err
= nla_parse_nested(tb
, NFTA_DATA_MAX
, nla
, nft_data_policy
);
4713 if (tb
[NFTA_DATA_VALUE
])
4714 return nft_value_init(ctx
, data
, size
, desc
,
4715 tb
[NFTA_DATA_VALUE
]);
4716 if (tb
[NFTA_DATA_VERDICT
] && ctx
!= NULL
)
4717 return nft_verdict_init(ctx
, data
, desc
, tb
[NFTA_DATA_VERDICT
]);
4720 EXPORT_SYMBOL_GPL(nft_data_init
);
4723 * nft_data_uninit - release a nft_data item
4725 * @data: struct nft_data to release
4726 * @type: type of data
4728 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4729 * all others need to be released by calling this function.
4731 void nft_data_uninit(const struct nft_data
*data
, enum nft_data_types type
)
4733 if (type
< NFT_DATA_VERDICT
)
4736 case NFT_DATA_VERDICT
:
4737 return nft_verdict_uninit(data
);
4742 EXPORT_SYMBOL_GPL(nft_data_uninit
);
4744 int nft_data_dump(struct sk_buff
*skb
, int attr
, const struct nft_data
*data
,
4745 enum nft_data_types type
, unsigned int len
)
4747 struct nlattr
*nest
;
4750 nest
= nla_nest_start(skb
, attr
);
4755 case NFT_DATA_VALUE
:
4756 err
= nft_value_dump(skb
, data
, len
);
4758 case NFT_DATA_VERDICT
:
4759 err
= nft_verdict_dump(skb
, NFTA_DATA_VERDICT
, &data
->verdict
);
4766 nla_nest_end(skb
, nest
);
4769 EXPORT_SYMBOL_GPL(nft_data_dump
);
4771 static int __net_init
nf_tables_init_net(struct net
*net
)
4773 INIT_LIST_HEAD(&net
->nft
.af_info
);
4774 INIT_LIST_HEAD(&net
->nft
.commit_list
);
4775 net
->nft
.base_seq
= 1;
4779 int __nft_release_basechain(struct nft_ctx
*ctx
)
4781 struct nft_rule
*rule
, *nr
;
4783 BUG_ON(!(ctx
->chain
->flags
& NFT_BASE_CHAIN
));
4785 nf_tables_unregister_hooks(ctx
->net
, ctx
->chain
->table
, ctx
->chain
,
4787 list_for_each_entry_safe(rule
, nr
, &ctx
->chain
->rules
, list
) {
4788 list_del(&rule
->list
);
4790 nf_tables_rule_destroy(ctx
, rule
);
4792 list_del(&ctx
->chain
->list
);
4794 nf_tables_chain_destroy(ctx
->chain
);
4798 EXPORT_SYMBOL_GPL(__nft_release_basechain
);
4800 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
4801 static void __nft_release_afinfo(struct net
*net
, struct nft_af_info
*afi
)
4803 struct nft_table
*table
, *nt
;
4804 struct nft_chain
*chain
, *nc
;
4805 struct nft_rule
*rule
, *nr
;
4806 struct nft_set
*set
, *ns
;
4807 struct nft_ctx ctx
= {
4812 list_for_each_entry_safe(table
, nt
, &afi
->tables
, list
) {
4813 list_for_each_entry(chain
, &table
->chains
, list
)
4814 nf_tables_unregister_hooks(net
, table
, chain
,
4816 /* No packets are walking on these chains anymore. */
4818 list_for_each_entry(chain
, &table
->chains
, list
) {
4820 list_for_each_entry_safe(rule
, nr
, &chain
->rules
, list
) {
4821 list_del(&rule
->list
);
4823 nf_tables_rule_destroy(&ctx
, rule
);
4826 list_for_each_entry_safe(set
, ns
, &table
->sets
, list
) {
4827 list_del(&set
->list
);
4829 nft_set_destroy(set
);
4831 list_for_each_entry_safe(chain
, nc
, &table
->chains
, list
) {
4832 list_del(&chain
->list
);
4834 nf_tables_chain_destroy(chain
);
4836 list_del(&table
->list
);
4837 nf_tables_table_destroy(&ctx
);
4841 static struct pernet_operations nf_tables_net_ops
= {
4842 .init
= nf_tables_init_net
,
4845 static int __init
nf_tables_module_init(void)
4849 info
= kmalloc(sizeof(struct nft_expr_info
) * NFT_RULE_MAXEXPRS
,
4856 err
= nf_tables_core_module_init();
4860 err
= nfnetlink_subsys_register(&nf_tables_subsys
);
4864 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4865 return register_pernet_subsys(&nf_tables_net_ops
);
4867 nf_tables_core_module_exit();
4874 static void __exit
nf_tables_module_exit(void)
4876 unregister_pernet_subsys(&nf_tables_net_ops
);
4877 nfnetlink_subsys_unregister(&nf_tables_subsys
);
4879 nf_tables_core_module_exit();
4883 module_init(nf_tables_module_init
);
4884 module_exit(nf_tables_module_exit
);
4886 MODULE_LICENSE("GPL");
4887 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4888 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES
);
projects / mirror_ubuntu-artful-kernel.git / blob