1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 static LIST_HEAD(nf_tables_expressions
);
29 static LIST_HEAD(nf_tables_objects
);
30 static LIST_HEAD(nf_tables_flowtables
);
31 static LIST_HEAD(nf_tables_destroy_list
);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock
);
33 static u64 table_handle
;
36 NFT_VALIDATE_SKIP
= 0,
41 static struct rhltable nft_objname_ht
;
43 static u32
nft_chain_hash(const void *data
, u32 len
, u32 seed
);
44 static u32
nft_chain_hash_obj(const void *data
, u32 len
, u32 seed
);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg
*, const void *);
47 static u32
nft_objname_hash(const void *data
, u32 len
, u32 seed
);
48 static u32
nft_objname_hash_obj(const void *data
, u32 len
, u32 seed
);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg
*, const void *);
51 static const struct rhashtable_params nft_chain_ht_params
= {
52 .head_offset
= offsetof(struct nft_chain
, rhlhead
),
53 .key_offset
= offsetof(struct nft_chain
, name
),
54 .hashfn
= nft_chain_hash
,
55 .obj_hashfn
= nft_chain_hash_obj
,
56 .obj_cmpfn
= nft_chain_hash_cmp
,
57 .automatic_shrinking
= true,
60 static const struct rhashtable_params nft_objname_ht_params
= {
61 .head_offset
= offsetof(struct nft_object
, rhlhead
),
62 .key_offset
= offsetof(struct nft_object
, key
),
63 .hashfn
= nft_objname_hash
,
64 .obj_hashfn
= nft_objname_hash_obj
,
65 .obj_cmpfn
= nft_objname_hash_cmp
,
66 .automatic_shrinking
= true,
69 struct nft_audit_data
{
70 struct nft_table
*table
;
73 struct list_head list
;
76 static const u8 nft2audit_op
[NFT_MSG_MAX
] = { // enum nf_tables_msg_types
77 [NFT_MSG_NEWTABLE
] = AUDIT_NFT_OP_TABLE_REGISTER
,
78 [NFT_MSG_GETTABLE
] = AUDIT_NFT_OP_INVALID
,
79 [NFT_MSG_DELTABLE
] = AUDIT_NFT_OP_TABLE_UNREGISTER
,
80 [NFT_MSG_NEWCHAIN
] = AUDIT_NFT_OP_CHAIN_REGISTER
,
81 [NFT_MSG_GETCHAIN
] = AUDIT_NFT_OP_INVALID
,
82 [NFT_MSG_DELCHAIN
] = AUDIT_NFT_OP_CHAIN_UNREGISTER
,
83 [NFT_MSG_NEWRULE
] = AUDIT_NFT_OP_RULE_REGISTER
,
84 [NFT_MSG_GETRULE
] = AUDIT_NFT_OP_INVALID
,
85 [NFT_MSG_DELRULE
] = AUDIT_NFT_OP_RULE_UNREGISTER
,
86 [NFT_MSG_NEWSET
] = AUDIT_NFT_OP_SET_REGISTER
,
87 [NFT_MSG_GETSET
] = AUDIT_NFT_OP_INVALID
,
88 [NFT_MSG_DELSET
] = AUDIT_NFT_OP_SET_UNREGISTER
,
89 [NFT_MSG_NEWSETELEM
] = AUDIT_NFT_OP_SETELEM_REGISTER
,
90 [NFT_MSG_GETSETELEM
] = AUDIT_NFT_OP_INVALID
,
91 [NFT_MSG_DELSETELEM
] = AUDIT_NFT_OP_SETELEM_UNREGISTER
,
92 [NFT_MSG_NEWGEN
] = AUDIT_NFT_OP_GEN_REGISTER
,
93 [NFT_MSG_GETGEN
] = AUDIT_NFT_OP_INVALID
,
94 [NFT_MSG_TRACE
] = AUDIT_NFT_OP_INVALID
,
95 [NFT_MSG_NEWOBJ
] = AUDIT_NFT_OP_OBJ_REGISTER
,
96 [NFT_MSG_GETOBJ
] = AUDIT_NFT_OP_INVALID
,
97 [NFT_MSG_DELOBJ
] = AUDIT_NFT_OP_OBJ_UNREGISTER
,
98 [NFT_MSG_GETOBJ_RESET
] = AUDIT_NFT_OP_OBJ_RESET
,
99 [NFT_MSG_NEWFLOWTABLE
] = AUDIT_NFT_OP_FLOWTABLE_REGISTER
,
100 [NFT_MSG_GETFLOWTABLE
] = AUDIT_NFT_OP_INVALID
,
101 [NFT_MSG_DELFLOWTABLE
] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER
,
104 static void nft_validate_state_update(struct net
*net
, u8 new_validate_state
)
106 switch (net
->nft
.validate_state
) {
107 case NFT_VALIDATE_SKIP
:
108 WARN_ON_ONCE(new_validate_state
== NFT_VALIDATE_DO
);
110 case NFT_VALIDATE_NEED
:
112 case NFT_VALIDATE_DO
:
113 if (new_validate_state
== NFT_VALIDATE_NEED
)
117 net
->nft
.validate_state
= new_validate_state
;
119 static void nf_tables_trans_destroy_work(struct work_struct
*w
);
120 static DECLARE_WORK(trans_destroy_work
, nf_tables_trans_destroy_work
);
122 static void nft_ctx_init(struct nft_ctx
*ctx
,
124 const struct sk_buff
*skb
,
125 const struct nlmsghdr
*nlh
,
127 struct nft_table
*table
,
128 struct nft_chain
*chain
,
129 const struct nlattr
* const *nla
)
132 ctx
->family
= family
;
137 ctx
->portid
= NETLINK_CB(skb
).portid
;
138 ctx
->report
= nlmsg_report(nlh
);
139 ctx
->flags
= nlh
->nlmsg_flags
;
140 ctx
->seq
= nlh
->nlmsg_seq
;
143 static struct nft_trans
*nft_trans_alloc_gfp(const struct nft_ctx
*ctx
,
144 int msg_type
, u32 size
, gfp_t gfp
)
146 struct nft_trans
*trans
;
148 trans
= kzalloc(sizeof(struct nft_trans
) + size
, gfp
);
152 trans
->msg_type
= msg_type
;
158 static struct nft_trans
*nft_trans_alloc(const struct nft_ctx
*ctx
,
159 int msg_type
, u32 size
)
161 return nft_trans_alloc_gfp(ctx
, msg_type
, size
, GFP_KERNEL
);
164 static void nft_trans_destroy(struct nft_trans
*trans
)
166 list_del(&trans
->list
);
170 static void nft_set_trans_bind(const struct nft_ctx
*ctx
, struct nft_set
*set
)
172 struct net
*net
= ctx
->net
;
173 struct nft_trans
*trans
;
175 if (!nft_set_is_anonymous(set
))
178 list_for_each_entry_reverse(trans
, &net
->nft
.commit_list
, list
) {
179 switch (trans
->msg_type
) {
181 if (nft_trans_set(trans
) == set
)
182 nft_trans_set_bound(trans
) = true;
184 case NFT_MSG_NEWSETELEM
:
185 if (nft_trans_elem_set(trans
) == set
)
186 nft_trans_elem_set_bound(trans
) = true;
192 static int nft_netdev_register_hooks(struct net
*net
,
193 struct list_head
*hook_list
)
195 struct nft_hook
*hook
;
199 list_for_each_entry(hook
, hook_list
, list
) {
200 err
= nf_register_net_hook(net
, &hook
->ops
);
209 list_for_each_entry(hook
, hook_list
, list
) {
213 nf_unregister_net_hook(net
, &hook
->ops
);
218 static void nft_netdev_unregister_hooks(struct net
*net
,
219 struct list_head
*hook_list
)
221 struct nft_hook
*hook
;
223 list_for_each_entry(hook
, hook_list
, list
)
224 nf_unregister_net_hook(net
, &hook
->ops
);
227 static int nf_tables_register_hook(struct net
*net
,
228 const struct nft_table
*table
,
229 struct nft_chain
*chain
)
231 struct nft_base_chain
*basechain
;
232 const struct nf_hook_ops
*ops
;
234 if (table
->flags
& NFT_TABLE_F_DORMANT
||
235 !nft_is_base_chain(chain
))
238 basechain
= nft_base_chain(chain
);
239 ops
= &basechain
->ops
;
241 if (basechain
->type
->ops_register
)
242 return basechain
->type
->ops_register(net
, ops
);
244 if (nft_base_chain_netdev(table
->family
, basechain
->ops
.hooknum
))
245 return nft_netdev_register_hooks(net
, &basechain
->hook_list
);
247 return nf_register_net_hook(net
, &basechain
->ops
);
250 static void nf_tables_unregister_hook(struct net
*net
,
251 const struct nft_table
*table
,
252 struct nft_chain
*chain
)
254 struct nft_base_chain
*basechain
;
255 const struct nf_hook_ops
*ops
;
257 if (table
->flags
& NFT_TABLE_F_DORMANT
||
258 !nft_is_base_chain(chain
))
260 basechain
= nft_base_chain(chain
);
261 ops
= &basechain
->ops
;
263 if (basechain
->type
->ops_unregister
)
264 return basechain
->type
->ops_unregister(net
, ops
);
266 if (nft_base_chain_netdev(table
->family
, basechain
->ops
.hooknum
))
267 nft_netdev_unregister_hooks(net
, &basechain
->hook_list
);
269 nf_unregister_net_hook(net
, &basechain
->ops
);
272 static int nft_trans_table_add(struct nft_ctx
*ctx
, int msg_type
)
274 struct nft_trans
*trans
;
276 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_table
));
280 if (msg_type
== NFT_MSG_NEWTABLE
)
281 nft_activate_next(ctx
->net
, ctx
->table
);
283 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
287 static int nft_deltable(struct nft_ctx
*ctx
)
291 err
= nft_trans_table_add(ctx
, NFT_MSG_DELTABLE
);
295 nft_deactivate_next(ctx
->net
, ctx
->table
);
299 static struct nft_trans
*nft_trans_chain_add(struct nft_ctx
*ctx
, int msg_type
)
301 struct nft_trans
*trans
;
303 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_chain
));
305 return ERR_PTR(-ENOMEM
);
307 if (msg_type
== NFT_MSG_NEWCHAIN
) {
308 nft_activate_next(ctx
->net
, ctx
->chain
);
310 if (ctx
->nla
[NFTA_CHAIN_ID
]) {
311 nft_trans_chain_id(trans
) =
312 ntohl(nla_get_be32(ctx
->nla
[NFTA_CHAIN_ID
]));
316 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
320 static int nft_delchain(struct nft_ctx
*ctx
)
322 struct nft_trans
*trans
;
324 trans
= nft_trans_chain_add(ctx
, NFT_MSG_DELCHAIN
);
326 return PTR_ERR(trans
);
329 nft_deactivate_next(ctx
->net
, ctx
->chain
);
334 static void nft_rule_expr_activate(const struct nft_ctx
*ctx
,
335 struct nft_rule
*rule
)
337 struct nft_expr
*expr
;
339 expr
= nft_expr_first(rule
);
340 while (nft_expr_more(rule
, expr
)) {
341 if (expr
->ops
->activate
)
342 expr
->ops
->activate(ctx
, expr
);
344 expr
= nft_expr_next(expr
);
348 static void nft_rule_expr_deactivate(const struct nft_ctx
*ctx
,
349 struct nft_rule
*rule
,
350 enum nft_trans_phase phase
)
352 struct nft_expr
*expr
;
354 expr
= nft_expr_first(rule
);
355 while (nft_expr_more(rule
, expr
)) {
356 if (expr
->ops
->deactivate
)
357 expr
->ops
->deactivate(ctx
, expr
, phase
);
359 expr
= nft_expr_next(expr
);
364 nf_tables_delrule_deactivate(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
366 /* You cannot delete the same rule twice */
367 if (nft_is_active_next(ctx
->net
, rule
)) {
368 nft_deactivate_next(ctx
->net
, rule
);
375 static struct nft_trans
*nft_trans_rule_add(struct nft_ctx
*ctx
, int msg_type
,
376 struct nft_rule
*rule
)
378 struct nft_trans
*trans
;
380 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_rule
));
384 if (msg_type
== NFT_MSG_NEWRULE
&& ctx
->nla
[NFTA_RULE_ID
] != NULL
) {
385 nft_trans_rule_id(trans
) =
386 ntohl(nla_get_be32(ctx
->nla
[NFTA_RULE_ID
]));
388 nft_trans_rule(trans
) = rule
;
389 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
394 static int nft_delrule(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
396 struct nft_flow_rule
*flow
;
397 struct nft_trans
*trans
;
400 trans
= nft_trans_rule_add(ctx
, NFT_MSG_DELRULE
, rule
);
404 if (ctx
->chain
->flags
& NFT_CHAIN_HW_OFFLOAD
) {
405 flow
= nft_flow_rule_create(ctx
->net
, rule
);
407 nft_trans_destroy(trans
);
408 return PTR_ERR(flow
);
411 nft_trans_flow_rule(trans
) = flow
;
414 err
= nf_tables_delrule_deactivate(ctx
, rule
);
416 nft_trans_destroy(trans
);
419 nft_rule_expr_deactivate(ctx
, rule
, NFT_TRANS_PREPARE
);
424 static int nft_delrule_by_chain(struct nft_ctx
*ctx
)
426 struct nft_rule
*rule
;
429 list_for_each_entry(rule
, &ctx
->chain
->rules
, list
) {
430 if (!nft_is_active_next(ctx
->net
, rule
))
433 err
= nft_delrule(ctx
, rule
);
440 static int nft_trans_set_add(const struct nft_ctx
*ctx
, int msg_type
,
443 struct nft_trans
*trans
;
445 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_set
));
449 if (msg_type
== NFT_MSG_NEWSET
&& ctx
->nla
[NFTA_SET_ID
] != NULL
) {
450 nft_trans_set_id(trans
) =
451 ntohl(nla_get_be32(ctx
->nla
[NFTA_SET_ID
]));
452 nft_activate_next(ctx
->net
, set
);
454 nft_trans_set(trans
) = set
;
455 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
460 static int nft_delset(const struct nft_ctx
*ctx
, struct nft_set
*set
)
464 err
= nft_trans_set_add(ctx
, NFT_MSG_DELSET
, set
);
468 nft_deactivate_next(ctx
->net
, set
);
474 static int nft_trans_obj_add(struct nft_ctx
*ctx
, int msg_type
,
475 struct nft_object
*obj
)
477 struct nft_trans
*trans
;
479 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_obj
));
483 if (msg_type
== NFT_MSG_NEWOBJ
)
484 nft_activate_next(ctx
->net
, obj
);
486 nft_trans_obj(trans
) = obj
;
487 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
492 static int nft_delobj(struct nft_ctx
*ctx
, struct nft_object
*obj
)
496 err
= nft_trans_obj_add(ctx
, NFT_MSG_DELOBJ
, obj
);
500 nft_deactivate_next(ctx
->net
, obj
);
506 static int nft_trans_flowtable_add(struct nft_ctx
*ctx
, int msg_type
,
507 struct nft_flowtable
*flowtable
)
509 struct nft_trans
*trans
;
511 trans
= nft_trans_alloc(ctx
, msg_type
,
512 sizeof(struct nft_trans_flowtable
));
516 if (msg_type
== NFT_MSG_NEWFLOWTABLE
)
517 nft_activate_next(ctx
->net
, flowtable
);
519 nft_trans_flowtable(trans
) = flowtable
;
520 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
525 static int nft_delflowtable(struct nft_ctx
*ctx
,
526 struct nft_flowtable
*flowtable
)
530 err
= nft_trans_flowtable_add(ctx
, NFT_MSG_DELFLOWTABLE
, flowtable
);
534 nft_deactivate_next(ctx
->net
, flowtable
);
544 static struct nft_table
*nft_table_lookup(const struct net
*net
,
545 const struct nlattr
*nla
,
546 u8 family
, u8 genmask
, u32 nlpid
)
548 struct nft_table
*table
;
551 return ERR_PTR(-EINVAL
);
553 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
,
554 lockdep_is_held(&net
->nft
.commit_mutex
)) {
555 if (!nla_strcmp(nla
, table
->name
) &&
556 table
->family
== family
&&
557 nft_active_genmask(table
, genmask
)) {
558 if (nft_table_has_owner(table
) &&
559 table
->nlpid
!= nlpid
)
560 return ERR_PTR(-EPERM
);
566 return ERR_PTR(-ENOENT
);
569 static struct nft_table
*nft_table_lookup_byhandle(const struct net
*net
,
570 const struct nlattr
*nla
,
573 struct nft_table
*table
;
575 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
576 if (be64_to_cpu(nla_get_be64(nla
)) == table
->handle
&&
577 nft_active_genmask(table
, genmask
))
581 return ERR_PTR(-ENOENT
);
584 static inline u64
nf_tables_alloc_handle(struct nft_table
*table
)
586 return ++table
->hgenerator
;
589 static const struct nft_chain_type
*chain_type
[NFPROTO_NUMPROTO
][NFT_CHAIN_T_MAX
];
591 static const struct nft_chain_type
*
592 __nft_chain_type_get(u8 family
, enum nft_chain_types type
)
594 if (family
>= NFPROTO_NUMPROTO
||
595 type
>= NFT_CHAIN_T_MAX
)
598 return chain_type
[family
][type
];
601 static const struct nft_chain_type
*
602 __nf_tables_chain_type_lookup(const struct nlattr
*nla
, u8 family
)
604 const struct nft_chain_type
*type
;
607 for (i
= 0; i
< NFT_CHAIN_T_MAX
; i
++) {
608 type
= __nft_chain_type_get(family
, i
);
611 if (!nla_strcmp(nla
, type
->name
))
617 struct nft_module_request
{
618 struct list_head list
;
619 char module
[MODULE_NAME_LEN
];
623 #ifdef CONFIG_MODULES
624 __printf(2, 3) int nft_request_module(struct net
*net
, const char *fmt
,
627 char module_name
[MODULE_NAME_LEN
];
628 struct nft_module_request
*req
;
633 ret
= vsnprintf(module_name
, MODULE_NAME_LEN
, fmt
, args
);
635 if (ret
>= MODULE_NAME_LEN
)
638 list_for_each_entry(req
, &net
->nft
.module_list
, list
) {
639 if (!strcmp(req
->module
, module_name
)) {
643 /* A request to load this module already exists. */
648 req
= kmalloc(sizeof(*req
), GFP_KERNEL
);
653 strlcpy(req
->module
, module_name
, MODULE_NAME_LEN
);
654 list_add_tail(&req
->list
, &net
->nft
.module_list
);
658 EXPORT_SYMBOL_GPL(nft_request_module
);
661 static void lockdep_nfnl_nft_mutex_not_held(void)
663 #ifdef CONFIG_PROVE_LOCKING
665 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES
));
669 static const struct nft_chain_type
*
670 nf_tables_chain_type_lookup(struct net
*net
, const struct nlattr
*nla
,
671 u8 family
, bool autoload
)
673 const struct nft_chain_type
*type
;
675 type
= __nf_tables_chain_type_lookup(nla
, family
);
679 lockdep_nfnl_nft_mutex_not_held();
680 #ifdef CONFIG_MODULES
682 if (nft_request_module(net
, "nft-chain-%u-%.*s", family
,
684 (const char *)nla_data(nla
)) == -EAGAIN
)
685 return ERR_PTR(-EAGAIN
);
688 return ERR_PTR(-ENOENT
);
691 static __be16
nft_base_seq(const struct net
*net
)
693 return htons(net
->nft
.base_seq
& 0xffff);
696 static const struct nla_policy nft_table_policy
[NFTA_TABLE_MAX
+ 1] = {
697 [NFTA_TABLE_NAME
] = { .type
= NLA_STRING
,
698 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
699 [NFTA_TABLE_FLAGS
] = { .type
= NLA_U32
},
700 [NFTA_TABLE_HANDLE
] = { .type
= NLA_U64
},
701 [NFTA_TABLE_USERDATA
] = { .type
= NLA_BINARY
,
702 .len
= NFT_USERDATA_MAXLEN
}
705 static int nf_tables_fill_table_info(struct sk_buff
*skb
, struct net
*net
,
706 u32 portid
, u32 seq
, int event
, u32 flags
,
707 int family
, const struct nft_table
*table
)
709 struct nlmsghdr
*nlh
;
711 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
712 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, family
,
713 NFNETLINK_V0
, nft_base_seq(net
));
715 goto nla_put_failure
;
717 if (nla_put_string(skb
, NFTA_TABLE_NAME
, table
->name
) ||
718 nla_put_be32(skb
, NFTA_TABLE_FLAGS
, htonl(table
->flags
)) ||
719 nla_put_be32(skb
, NFTA_TABLE_USE
, htonl(table
->use
)) ||
720 nla_put_be64(skb
, NFTA_TABLE_HANDLE
, cpu_to_be64(table
->handle
),
722 goto nla_put_failure
;
723 if (nft_table_has_owner(table
) &&
724 nla_put_be32(skb
, NFTA_TABLE_OWNER
, htonl(table
->nlpid
)))
725 goto nla_put_failure
;
728 if (nla_put(skb
, NFTA_TABLE_USERDATA
, table
->udlen
, table
->udata
))
729 goto nla_put_failure
;
736 nlmsg_trim(skb
, nlh
);
740 struct nftnl_skb_parms
{
743 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
745 static void nft_notify_enqueue(struct sk_buff
*skb
, bool report
,
746 struct list_head
*notify_list
)
748 NFT_CB(skb
).report
= report
;
749 list_add_tail(&skb
->list
, notify_list
);
752 static void nf_tables_table_notify(const struct nft_ctx
*ctx
, int event
)
758 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
761 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
765 err
= nf_tables_fill_table_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
766 event
, 0, ctx
->family
, ctx
->table
);
772 nft_notify_enqueue(skb
, ctx
->report
, &ctx
->net
->nft
.notify_list
);
775 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
778 static int nf_tables_dump_tables(struct sk_buff
*skb
,
779 struct netlink_callback
*cb
)
781 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
782 const struct nft_table
*table
;
783 unsigned int idx
= 0, s_idx
= cb
->args
[0];
784 struct net
*net
= sock_net(skb
->sk
);
785 int family
= nfmsg
->nfgen_family
;
788 cb
->seq
= net
->nft
.base_seq
;
790 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
791 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
797 memset(&cb
->args
[1], 0,
798 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
799 if (!nft_is_active(net
, table
))
801 if (nf_tables_fill_table_info(skb
, net
,
802 NETLINK_CB(cb
->skb
).portid
,
804 NFT_MSG_NEWTABLE
, NLM_F_MULTI
,
805 table
->family
, table
) < 0)
808 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
818 static int nft_netlink_dump_start_rcu(struct sock
*nlsk
, struct sk_buff
*skb
,
819 const struct nlmsghdr
*nlh
,
820 struct netlink_dump_control
*c
)
824 if (!try_module_get(THIS_MODULE
))
828 err
= netlink_dump_start(nlsk
, skb
, nlh
, c
);
830 module_put(THIS_MODULE
);
835 /* called with rcu_read_lock held */
836 static int nf_tables_gettable(struct net
*net
, struct sock
*nlsk
,
837 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
838 const struct nlattr
* const nla
[],
839 struct netlink_ext_ack
*extack
)
841 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
842 u8 genmask
= nft_genmask_cur(net
);
843 const struct nft_table
*table
;
844 struct sk_buff
*skb2
;
845 int family
= nfmsg
->nfgen_family
;
848 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
849 struct netlink_dump_control c
= {
850 .dump
= nf_tables_dump_tables
,
851 .module
= THIS_MODULE
,
854 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
857 table
= nft_table_lookup(net
, nla
[NFTA_TABLE_NAME
], family
, genmask
, 0);
859 NL_SET_BAD_ATTR(extack
, nla
[NFTA_TABLE_NAME
]);
860 return PTR_ERR(table
);
863 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
867 err
= nf_tables_fill_table_info(skb2
, net
, NETLINK_CB(skb
).portid
,
868 nlh
->nlmsg_seq
, NFT_MSG_NEWTABLE
, 0,
871 goto err_fill_table_info
;
873 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
880 static void nft_table_disable(struct net
*net
, struct nft_table
*table
, u32 cnt
)
882 struct nft_chain
*chain
;
885 list_for_each_entry(chain
, &table
->chains
, list
) {
886 if (!nft_is_active_next(net
, chain
))
888 if (!nft_is_base_chain(chain
))
891 if (cnt
&& i
++ == cnt
)
894 nf_tables_unregister_hook(net
, table
, chain
);
898 static int nf_tables_table_enable(struct net
*net
, struct nft_table
*table
)
900 struct nft_chain
*chain
;
903 list_for_each_entry(chain
, &table
->chains
, list
) {
904 if (!nft_is_active_next(net
, chain
))
906 if (!nft_is_base_chain(chain
))
909 err
= nf_tables_register_hook(net
, table
, chain
);
911 goto err_register_hooks
;
919 nft_table_disable(net
, table
, i
);
923 static void nf_tables_table_disable(struct net
*net
, struct nft_table
*table
)
925 nft_table_disable(net
, table
, 0);
929 NFT_TABLE_STATE_UNCHANGED
= 0,
930 NFT_TABLE_STATE_DORMANT
,
931 NFT_TABLE_STATE_WAKEUP
934 static int nf_tables_updtable(struct nft_ctx
*ctx
)
936 struct nft_trans
*trans
;
940 if (!ctx
->nla
[NFTA_TABLE_FLAGS
])
943 flags
= ntohl(nla_get_be32(ctx
->nla
[NFTA_TABLE_FLAGS
]));
944 if (flags
& ~NFT_TABLE_F_MASK
)
947 if (flags
== ctx
->table
->flags
)
950 if ((nft_table_has_owner(ctx
->table
) &&
951 !(flags
& NFT_TABLE_F_OWNER
)) ||
952 (!nft_table_has_owner(ctx
->table
) &&
953 flags
& NFT_TABLE_F_OWNER
))
956 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWTABLE
,
957 sizeof(struct nft_trans_table
));
961 if ((flags
& NFT_TABLE_F_DORMANT
) &&
962 !(ctx
->table
->flags
& NFT_TABLE_F_DORMANT
)) {
963 nft_trans_table_state(trans
) = NFT_TABLE_STATE_DORMANT
;
964 } else if (!(flags
& NFT_TABLE_F_DORMANT
) &&
965 ctx
->table
->flags
& NFT_TABLE_F_DORMANT
) {
966 ret
= nf_tables_table_enable(ctx
->net
, ctx
->table
);
968 nft_trans_table_state(trans
) = NFT_TABLE_STATE_WAKEUP
;
973 nft_trans_table_flags(trans
) = flags
;
974 nft_trans_table_update(trans
) = true;
975 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
978 nft_trans_destroy(trans
);
982 static u32
nft_chain_hash(const void *data
, u32 len
, u32 seed
)
984 const char *name
= data
;
986 return jhash(name
, strlen(name
), seed
);
989 static u32
nft_chain_hash_obj(const void *data
, u32 len
, u32 seed
)
991 const struct nft_chain
*chain
= data
;
993 return nft_chain_hash(chain
->name
, 0, seed
);
996 static int nft_chain_hash_cmp(struct rhashtable_compare_arg
*arg
,
999 const struct nft_chain
*chain
= ptr
;
1000 const char *name
= arg
->key
;
1002 return strcmp(chain
->name
, name
);
1005 static u32
nft_objname_hash(const void *data
, u32 len
, u32 seed
)
1007 const struct nft_object_hash_key
*k
= data
;
1009 seed
^= hash_ptr(k
->table
, 32);
1011 return jhash(k
->name
, strlen(k
->name
), seed
);
1014 static u32
nft_objname_hash_obj(const void *data
, u32 len
, u32 seed
)
1016 const struct nft_object
*obj
= data
;
1018 return nft_objname_hash(&obj
->key
, 0, seed
);
1021 static int nft_objname_hash_cmp(struct rhashtable_compare_arg
*arg
,
1024 const struct nft_object_hash_key
*k
= arg
->key
;
1025 const struct nft_object
*obj
= ptr
;
1027 if (obj
->key
.table
!= k
->table
)
1030 return strcmp(obj
->key
.name
, k
->name
);
1033 static int nf_tables_newtable(struct net
*net
, struct sock
*nlsk
,
1034 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1035 const struct nlattr
* const nla
[],
1036 struct netlink_ext_ack
*extack
)
1038 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1039 u8 genmask
= nft_genmask_next(net
);
1040 int family
= nfmsg
->nfgen_family
;
1041 const struct nlattr
*attr
;
1042 struct nft_table
*table
;
1047 lockdep_assert_held(&net
->nft
.commit_mutex
);
1048 attr
= nla
[NFTA_TABLE_NAME
];
1049 table
= nft_table_lookup(net
, attr
, family
, genmask
,
1050 NETLINK_CB(skb
).portid
);
1051 if (IS_ERR(table
)) {
1052 if (PTR_ERR(table
) != -ENOENT
)
1053 return PTR_ERR(table
);
1055 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
1056 NL_SET_BAD_ATTR(extack
, attr
);
1059 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
1062 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
1063 return nf_tables_updtable(&ctx
);
1066 if (nla
[NFTA_TABLE_FLAGS
]) {
1067 flags
= ntohl(nla_get_be32(nla
[NFTA_TABLE_FLAGS
]));
1068 if (flags
& ~NFT_TABLE_F_MASK
)
1073 table
= kzalloc(sizeof(*table
), GFP_KERNEL
);
1077 table
->name
= nla_strdup(attr
, GFP_KERNEL
);
1078 if (table
->name
== NULL
)
1081 if (nla
[NFTA_TABLE_USERDATA
]) {
1082 table
->udata
= nla_memdup(nla
[NFTA_TABLE_USERDATA
], GFP_KERNEL
);
1083 if (table
->udata
== NULL
)
1084 goto err_table_udata
;
1086 table
->udlen
= nla_len(nla
[NFTA_TABLE_USERDATA
]);
1089 err
= rhltable_init(&table
->chains_ht
, &nft_chain_ht_params
);
1093 INIT_LIST_HEAD(&table
->chains
);
1094 INIT_LIST_HEAD(&table
->sets
);
1095 INIT_LIST_HEAD(&table
->objects
);
1096 INIT_LIST_HEAD(&table
->flowtables
);
1097 table
->family
= family
;
1098 table
->flags
= flags
;
1099 table
->handle
= ++table_handle
;
1100 if (table
->flags
& NFT_TABLE_F_OWNER
)
1101 table
->nlpid
= NETLINK_CB(skb
).portid
;
1103 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
1104 err
= nft_trans_table_add(&ctx
, NFT_MSG_NEWTABLE
);
1108 list_add_tail_rcu(&table
->list
, &net
->nft
.tables
);
1111 rhltable_destroy(&table
->chains_ht
);
1113 kfree(table
->udata
);
1122 static int nft_flush_table(struct nft_ctx
*ctx
)
1124 struct nft_flowtable
*flowtable
, *nft
;
1125 struct nft_chain
*chain
, *nc
;
1126 struct nft_object
*obj
, *ne
;
1127 struct nft_set
*set
, *ns
;
1130 list_for_each_entry(chain
, &ctx
->table
->chains
, list
) {
1131 if (!nft_is_active_next(ctx
->net
, chain
))
1134 if (nft_chain_is_bound(chain
))
1139 err
= nft_delrule_by_chain(ctx
);
1144 list_for_each_entry_safe(set
, ns
, &ctx
->table
->sets
, list
) {
1145 if (!nft_is_active_next(ctx
->net
, set
))
1148 if (nft_set_is_anonymous(set
) &&
1149 !list_empty(&set
->bindings
))
1152 err
= nft_delset(ctx
, set
);
1157 list_for_each_entry_safe(flowtable
, nft
, &ctx
->table
->flowtables
, list
) {
1158 if (!nft_is_active_next(ctx
->net
, flowtable
))
1161 err
= nft_delflowtable(ctx
, flowtable
);
1166 list_for_each_entry_safe(obj
, ne
, &ctx
->table
->objects
, list
) {
1167 if (!nft_is_active_next(ctx
->net
, obj
))
1170 err
= nft_delobj(ctx
, obj
);
1175 list_for_each_entry_safe(chain
, nc
, &ctx
->table
->chains
, list
) {
1176 if (!nft_is_active_next(ctx
->net
, chain
))
1179 if (nft_chain_is_bound(chain
))
1184 err
= nft_delchain(ctx
);
1189 err
= nft_deltable(ctx
);
1194 static int nft_flush(struct nft_ctx
*ctx
, int family
)
1196 struct nft_table
*table
, *nt
;
1197 const struct nlattr
* const *nla
= ctx
->nla
;
1200 list_for_each_entry_safe(table
, nt
, &ctx
->net
->nft
.tables
, list
) {
1201 if (family
!= AF_UNSPEC
&& table
->family
!= family
)
1204 ctx
->family
= table
->family
;
1206 if (!nft_is_active_next(ctx
->net
, table
))
1209 if (nft_table_has_owner(table
) && table
->nlpid
!= ctx
->portid
)
1212 if (nla
[NFTA_TABLE_NAME
] &&
1213 nla_strcmp(nla
[NFTA_TABLE_NAME
], table
->name
) != 0)
1218 err
= nft_flush_table(ctx
);
1226 static int nf_tables_deltable(struct net
*net
, struct sock
*nlsk
,
1227 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1228 const struct nlattr
* const nla
[],
1229 struct netlink_ext_ack
*extack
)
1231 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1232 u8 genmask
= nft_genmask_next(net
);
1233 int family
= nfmsg
->nfgen_family
;
1234 const struct nlattr
*attr
;
1235 struct nft_table
*table
;
1238 nft_ctx_init(&ctx
, net
, skb
, nlh
, 0, NULL
, NULL
, nla
);
1239 if (family
== AF_UNSPEC
||
1240 (!nla
[NFTA_TABLE_NAME
] && !nla
[NFTA_TABLE_HANDLE
]))
1241 return nft_flush(&ctx
, family
);
1243 if (nla
[NFTA_TABLE_HANDLE
]) {
1244 attr
= nla
[NFTA_TABLE_HANDLE
];
1245 table
= nft_table_lookup_byhandle(net
, attr
, genmask
);
1247 attr
= nla
[NFTA_TABLE_NAME
];
1248 table
= nft_table_lookup(net
, attr
, family
, genmask
,
1249 NETLINK_CB(skb
).portid
);
1252 if (IS_ERR(table
)) {
1253 NL_SET_BAD_ATTR(extack
, attr
);
1254 return PTR_ERR(table
);
1257 if (nlh
->nlmsg_flags
& NLM_F_NONREC
&&
1261 ctx
.family
= family
;
1264 return nft_flush_table(&ctx
);
1267 static void nf_tables_table_destroy(struct nft_ctx
*ctx
)
1269 if (WARN_ON(ctx
->table
->use
> 0))
1272 rhltable_destroy(&ctx
->table
->chains_ht
);
1273 kfree(ctx
->table
->name
);
1274 kfree(ctx
->table
->udata
);
1278 void nft_register_chain_type(const struct nft_chain_type
*ctype
)
1280 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1281 if (WARN_ON(__nft_chain_type_get(ctype
->family
, ctype
->type
))) {
1282 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1285 chain_type
[ctype
->family
][ctype
->type
] = ctype
;
1286 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1288 EXPORT_SYMBOL_GPL(nft_register_chain_type
);
1290 void nft_unregister_chain_type(const struct nft_chain_type
*ctype
)
1292 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1293 chain_type
[ctype
->family
][ctype
->type
] = NULL
;
1294 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1296 EXPORT_SYMBOL_GPL(nft_unregister_chain_type
);
1302 static struct nft_chain
*
1303 nft_chain_lookup_byhandle(const struct nft_table
*table
, u64 handle
, u8 genmask
)
1305 struct nft_chain
*chain
;
1307 list_for_each_entry(chain
, &table
->chains
, list
) {
1308 if (chain
->handle
== handle
&&
1309 nft_active_genmask(chain
, genmask
))
1313 return ERR_PTR(-ENOENT
);
1316 static bool lockdep_commit_lock_is_held(const struct net
*net
)
1318 #ifdef CONFIG_PROVE_LOCKING
1319 return lockdep_is_held(&net
->nft
.commit_mutex
);
1325 static struct nft_chain
*nft_chain_lookup(struct net
*net
,
1326 struct nft_table
*table
,
1327 const struct nlattr
*nla
, u8 genmask
)
1329 char search
[NFT_CHAIN_MAXNAMELEN
+ 1];
1330 struct rhlist_head
*tmp
, *list
;
1331 struct nft_chain
*chain
;
1334 return ERR_PTR(-EINVAL
);
1336 nla_strscpy(search
, nla
, sizeof(search
));
1338 WARN_ON(!rcu_read_lock_held() &&
1339 !lockdep_commit_lock_is_held(net
));
1341 chain
= ERR_PTR(-ENOENT
);
1343 list
= rhltable_lookup(&table
->chains_ht
, search
, nft_chain_ht_params
);
1347 rhl_for_each_entry_rcu(chain
, tmp
, list
, rhlhead
) {
1348 if (nft_active_genmask(chain
, genmask
))
1351 chain
= ERR_PTR(-ENOENT
);
1357 static const struct nla_policy nft_chain_policy
[NFTA_CHAIN_MAX
+ 1] = {
1358 [NFTA_CHAIN_TABLE
] = { .type
= NLA_STRING
,
1359 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
1360 [NFTA_CHAIN_HANDLE
] = { .type
= NLA_U64
},
1361 [NFTA_CHAIN_NAME
] = { .type
= NLA_STRING
,
1362 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
1363 [NFTA_CHAIN_HOOK
] = { .type
= NLA_NESTED
},
1364 [NFTA_CHAIN_POLICY
] = { .type
= NLA_U32
},
1365 [NFTA_CHAIN_TYPE
] = { .type
= NLA_STRING
,
1366 .len
= NFT_MODULE_AUTOLOAD_LIMIT
},
1367 [NFTA_CHAIN_COUNTERS
] = { .type
= NLA_NESTED
},
1368 [NFTA_CHAIN_FLAGS
] = { .type
= NLA_U32
},
1369 [NFTA_CHAIN_ID
] = { .type
= NLA_U32
},
1370 [NFTA_CHAIN_USERDATA
] = { .type
= NLA_BINARY
,
1371 .len
= NFT_USERDATA_MAXLEN
},
1374 static const struct nla_policy nft_hook_policy
[NFTA_HOOK_MAX
+ 1] = {
1375 [NFTA_HOOK_HOOKNUM
] = { .type
= NLA_U32
},
1376 [NFTA_HOOK_PRIORITY
] = { .type
= NLA_U32
},
1377 [NFTA_HOOK_DEV
] = { .type
= NLA_STRING
,
1378 .len
= IFNAMSIZ
- 1 },
1381 static int nft_dump_stats(struct sk_buff
*skb
, struct nft_stats __percpu
*stats
)
1383 struct nft_stats
*cpu_stats
, total
;
1384 struct nlattr
*nest
;
1392 memset(&total
, 0, sizeof(total
));
1393 for_each_possible_cpu(cpu
) {
1394 cpu_stats
= per_cpu_ptr(stats
, cpu
);
1396 seq
= u64_stats_fetch_begin_irq(&cpu_stats
->syncp
);
1397 pkts
= cpu_stats
->pkts
;
1398 bytes
= cpu_stats
->bytes
;
1399 } while (u64_stats_fetch_retry_irq(&cpu_stats
->syncp
, seq
));
1401 total
.bytes
+= bytes
;
1403 nest
= nla_nest_start_noflag(skb
, NFTA_CHAIN_COUNTERS
);
1405 goto nla_put_failure
;
1407 if (nla_put_be64(skb
, NFTA_COUNTER_PACKETS
, cpu_to_be64(total
.pkts
),
1408 NFTA_COUNTER_PAD
) ||
1409 nla_put_be64(skb
, NFTA_COUNTER_BYTES
, cpu_to_be64(total
.bytes
),
1411 goto nla_put_failure
;
1413 nla_nest_end(skb
, nest
);
1420 static int nft_dump_basechain_hook(struct sk_buff
*skb
, int family
,
1421 const struct nft_base_chain
*basechain
)
1423 const struct nf_hook_ops
*ops
= &basechain
->ops
;
1424 struct nft_hook
*hook
, *first
= NULL
;
1425 struct nlattr
*nest
, *nest_devs
;
1428 nest
= nla_nest_start_noflag(skb
, NFTA_CHAIN_HOOK
);
1430 goto nla_put_failure
;
1431 if (nla_put_be32(skb
, NFTA_HOOK_HOOKNUM
, htonl(ops
->hooknum
)))
1432 goto nla_put_failure
;
1433 if (nla_put_be32(skb
, NFTA_HOOK_PRIORITY
, htonl(ops
->priority
)))
1434 goto nla_put_failure
;
1436 if (nft_base_chain_netdev(family
, ops
->hooknum
)) {
1437 nest_devs
= nla_nest_start_noflag(skb
, NFTA_HOOK_DEVS
);
1438 list_for_each_entry(hook
, &basechain
->hook_list
, list
) {
1442 if (nla_put_string(skb
, NFTA_DEVICE_NAME
,
1443 hook
->ops
.dev
->name
))
1444 goto nla_put_failure
;
1447 nla_nest_end(skb
, nest_devs
);
1450 nla_put_string(skb
, NFTA_HOOK_DEV
, first
->ops
.dev
->name
))
1451 goto nla_put_failure
;
1453 nla_nest_end(skb
, nest
);
1460 static int nf_tables_fill_chain_info(struct sk_buff
*skb
, struct net
*net
,
1461 u32 portid
, u32 seq
, int event
, u32 flags
,
1462 int family
, const struct nft_table
*table
,
1463 const struct nft_chain
*chain
)
1465 struct nlmsghdr
*nlh
;
1467 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
1468 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, family
,
1469 NFNETLINK_V0
, nft_base_seq(net
));
1471 goto nla_put_failure
;
1473 if (nla_put_string(skb
, NFTA_CHAIN_TABLE
, table
->name
))
1474 goto nla_put_failure
;
1475 if (nla_put_be64(skb
, NFTA_CHAIN_HANDLE
, cpu_to_be64(chain
->handle
),
1477 goto nla_put_failure
;
1478 if (nla_put_string(skb
, NFTA_CHAIN_NAME
, chain
->name
))
1479 goto nla_put_failure
;
1481 if (nft_is_base_chain(chain
)) {
1482 const struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1483 struct nft_stats __percpu
*stats
;
1485 if (nft_dump_basechain_hook(skb
, family
, basechain
))
1486 goto nla_put_failure
;
1488 if (nla_put_be32(skb
, NFTA_CHAIN_POLICY
,
1489 htonl(basechain
->policy
)))
1490 goto nla_put_failure
;
1492 if (nla_put_string(skb
, NFTA_CHAIN_TYPE
, basechain
->type
->name
))
1493 goto nla_put_failure
;
1495 stats
= rcu_dereference_check(basechain
->stats
,
1496 lockdep_commit_lock_is_held(net
));
1497 if (nft_dump_stats(skb
, stats
))
1498 goto nla_put_failure
;
1502 nla_put_be32(skb
, NFTA_CHAIN_FLAGS
, htonl(chain
->flags
)))
1503 goto nla_put_failure
;
1505 if (nla_put_be32(skb
, NFTA_CHAIN_USE
, htonl(chain
->use
)))
1506 goto nla_put_failure
;
1509 nla_put(skb
, NFTA_CHAIN_USERDATA
, chain
->udlen
, chain
->udata
))
1510 goto nla_put_failure
;
1512 nlmsg_end(skb
, nlh
);
1516 nlmsg_trim(skb
, nlh
);
1520 static void nf_tables_chain_notify(const struct nft_ctx
*ctx
, int event
)
1522 struct sk_buff
*skb
;
1526 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1529 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1533 err
= nf_tables_fill_chain_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1534 event
, 0, ctx
->family
, ctx
->table
,
1541 nft_notify_enqueue(skb
, ctx
->report
, &ctx
->net
->nft
.notify_list
);
1544 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
1547 static int nf_tables_dump_chains(struct sk_buff
*skb
,
1548 struct netlink_callback
*cb
)
1550 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1551 const struct nft_table
*table
;
1552 const struct nft_chain
*chain
;
1553 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1554 struct net
*net
= sock_net(skb
->sk
);
1555 int family
= nfmsg
->nfgen_family
;
1558 cb
->seq
= net
->nft
.base_seq
;
1560 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
1561 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
1564 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1568 memset(&cb
->args
[1], 0,
1569 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1570 if (!nft_is_active(net
, chain
))
1572 if (nf_tables_fill_chain_info(skb
, net
,
1573 NETLINK_CB(cb
->skb
).portid
,
1577 table
->family
, table
,
1581 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
1592 /* called with rcu_read_lock held */
1593 static int nf_tables_getchain(struct net
*net
, struct sock
*nlsk
,
1594 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1595 const struct nlattr
* const nla
[],
1596 struct netlink_ext_ack
*extack
)
1598 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1599 u8 genmask
= nft_genmask_cur(net
);
1600 const struct nft_chain
*chain
;
1601 struct nft_table
*table
;
1602 struct sk_buff
*skb2
;
1603 int family
= nfmsg
->nfgen_family
;
1606 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1607 struct netlink_dump_control c
= {
1608 .dump
= nf_tables_dump_chains
,
1609 .module
= THIS_MODULE
,
1612 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
1615 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
, 0);
1616 if (IS_ERR(table
)) {
1617 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
1618 return PTR_ERR(table
);
1621 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1622 if (IS_ERR(chain
)) {
1623 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_NAME
]);
1624 return PTR_ERR(chain
);
1627 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
1631 err
= nf_tables_fill_chain_info(skb2
, net
, NETLINK_CB(skb
).portid
,
1632 nlh
->nlmsg_seq
, NFT_MSG_NEWCHAIN
, 0,
1633 family
, table
, chain
);
1635 goto err_fill_chain_info
;
1637 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
1639 err_fill_chain_info
:
1644 static const struct nla_policy nft_counter_policy
[NFTA_COUNTER_MAX
+ 1] = {
1645 [NFTA_COUNTER_PACKETS
] = { .type
= NLA_U64
},
1646 [NFTA_COUNTER_BYTES
] = { .type
= NLA_U64
},
1649 static struct nft_stats __percpu
*nft_stats_alloc(const struct nlattr
*attr
)
1651 struct nlattr
*tb
[NFTA_COUNTER_MAX
+1];
1652 struct nft_stats __percpu
*newstats
;
1653 struct nft_stats
*stats
;
1656 err
= nla_parse_nested_deprecated(tb
, NFTA_COUNTER_MAX
, attr
,
1657 nft_counter_policy
, NULL
);
1659 return ERR_PTR(err
);
1661 if (!tb
[NFTA_COUNTER_BYTES
] || !tb
[NFTA_COUNTER_PACKETS
])
1662 return ERR_PTR(-EINVAL
);
1664 newstats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1665 if (newstats
== NULL
)
1666 return ERR_PTR(-ENOMEM
);
1668 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1669 * are not exposed to userspace.
1672 stats
= this_cpu_ptr(newstats
);
1673 stats
->bytes
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_BYTES
]));
1674 stats
->pkts
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_PACKETS
]));
1680 static void nft_chain_stats_replace(struct nft_trans
*trans
)
1682 struct nft_base_chain
*chain
= nft_base_chain(trans
->ctx
.chain
);
1684 if (!nft_trans_chain_stats(trans
))
1687 nft_trans_chain_stats(trans
) =
1688 rcu_replace_pointer(chain
->stats
, nft_trans_chain_stats(trans
),
1689 lockdep_commit_lock_is_held(trans
->ctx
.net
));
1691 if (!nft_trans_chain_stats(trans
))
1692 static_branch_inc(&nft_counters_enabled
);
1695 static void nf_tables_chain_free_chain_rules(struct nft_chain
*chain
)
1697 struct nft_rule
**g0
= rcu_dereference_raw(chain
->rules_gen_0
);
1698 struct nft_rule
**g1
= rcu_dereference_raw(chain
->rules_gen_1
);
1704 /* should be NULL either via abort or via successful commit */
1705 WARN_ON_ONCE(chain
->rules_next
);
1706 kvfree(chain
->rules_next
);
1709 void nf_tables_chain_destroy(struct nft_ctx
*ctx
)
1711 struct nft_chain
*chain
= ctx
->chain
;
1712 struct nft_hook
*hook
, *next
;
1714 if (WARN_ON(chain
->use
> 0))
1717 /* no concurrent access possible anymore */
1718 nf_tables_chain_free_chain_rules(chain
);
1720 if (nft_is_base_chain(chain
)) {
1721 struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1723 if (nft_base_chain_netdev(ctx
->family
, basechain
->ops
.hooknum
)) {
1724 list_for_each_entry_safe(hook
, next
,
1725 &basechain
->hook_list
, list
) {
1726 list_del_rcu(&hook
->list
);
1727 kfree_rcu(hook
, rcu
);
1730 module_put(basechain
->type
->owner
);
1731 if (rcu_access_pointer(basechain
->stats
)) {
1732 static_branch_dec(&nft_counters_enabled
);
1733 free_percpu(rcu_dereference_raw(basechain
->stats
));
1736 kfree(chain
->udata
);
1740 kfree(chain
->udata
);
1745 static struct nft_hook
*nft_netdev_hook_alloc(struct net
*net
,
1746 const struct nlattr
*attr
)
1748 struct net_device
*dev
;
1749 char ifname
[IFNAMSIZ
];
1750 struct nft_hook
*hook
;
1753 hook
= kmalloc(sizeof(struct nft_hook
), GFP_KERNEL
);
1756 goto err_hook_alloc
;
1759 nla_strscpy(ifname
, attr
, IFNAMSIZ
);
1760 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1761 * indirectly serializing all the other holders of the commit_mutex with
1764 dev
= __dev_get_by_name(net
, ifname
);
1769 hook
->ops
.dev
= dev
;
1770 hook
->inactive
= false;
1777 return ERR_PTR(err
);
1780 static struct nft_hook
*nft_hook_list_find(struct list_head
*hook_list
,
1781 const struct nft_hook
*this)
1783 struct nft_hook
*hook
;
1785 list_for_each_entry(hook
, hook_list
, list
) {
1786 if (this->ops
.dev
== hook
->ops
.dev
)
1793 static int nf_tables_parse_netdev_hooks(struct net
*net
,
1794 const struct nlattr
*attr
,
1795 struct list_head
*hook_list
)
1797 struct nft_hook
*hook
, *next
;
1798 const struct nlattr
*tmp
;
1799 int rem
, n
= 0, err
;
1801 nla_for_each_nested(tmp
, attr
, rem
) {
1802 if (nla_type(tmp
) != NFTA_DEVICE_NAME
) {
1807 hook
= nft_netdev_hook_alloc(net
, tmp
);
1809 err
= PTR_ERR(hook
);
1812 if (nft_hook_list_find(hook_list
, hook
)) {
1817 list_add_tail(&hook
->list
, hook_list
);
1820 if (n
== NFT_NETDEVICE_MAX
) {
1829 list_for_each_entry_safe(hook
, next
, hook_list
, list
) {
1830 list_del(&hook
->list
);
1836 struct nft_chain_hook
{
1839 const struct nft_chain_type
*type
;
1840 struct list_head list
;
1843 static int nft_chain_parse_netdev(struct net
*net
,
1844 struct nlattr
*tb
[],
1845 struct list_head
*hook_list
)
1847 struct nft_hook
*hook
;
1850 if (tb
[NFTA_HOOK_DEV
]) {
1851 hook
= nft_netdev_hook_alloc(net
, tb
[NFTA_HOOK_DEV
]);
1853 return PTR_ERR(hook
);
1855 list_add_tail(&hook
->list
, hook_list
);
1856 } else if (tb
[NFTA_HOOK_DEVS
]) {
1857 err
= nf_tables_parse_netdev_hooks(net
, tb
[NFTA_HOOK_DEVS
],
1862 if (list_empty(hook_list
))
1871 static int nft_chain_parse_hook(struct net
*net
,
1872 const struct nlattr
* const nla
[],
1873 struct nft_chain_hook
*hook
, u8 family
,
1876 struct nlattr
*ha
[NFTA_HOOK_MAX
+ 1];
1877 const struct nft_chain_type
*type
;
1880 lockdep_assert_held(&net
->nft
.commit_mutex
);
1881 lockdep_nfnl_nft_mutex_not_held();
1883 err
= nla_parse_nested_deprecated(ha
, NFTA_HOOK_MAX
,
1884 nla
[NFTA_CHAIN_HOOK
],
1885 nft_hook_policy
, NULL
);
1889 if (ha
[NFTA_HOOK_HOOKNUM
] == NULL
||
1890 ha
[NFTA_HOOK_PRIORITY
] == NULL
)
1893 hook
->num
= ntohl(nla_get_be32(ha
[NFTA_HOOK_HOOKNUM
]));
1894 hook
->priority
= ntohl(nla_get_be32(ha
[NFTA_HOOK_PRIORITY
]));
1896 type
= __nft_chain_type_get(family
, NFT_CHAIN_T_DEFAULT
);
1900 if (nla
[NFTA_CHAIN_TYPE
]) {
1901 type
= nf_tables_chain_type_lookup(net
, nla
[NFTA_CHAIN_TYPE
],
1904 return PTR_ERR(type
);
1906 if (hook
->num
>= NFT_MAX_HOOKS
|| !(type
->hook_mask
& (1 << hook
->num
)))
1909 if (type
->type
== NFT_CHAIN_T_NAT
&&
1910 hook
->priority
<= NF_IP_PRI_CONNTRACK
)
1913 if (!try_module_get(type
->owner
))
1918 INIT_LIST_HEAD(&hook
->list
);
1919 if (nft_base_chain_netdev(family
, hook
->num
)) {
1920 err
= nft_chain_parse_netdev(net
, ha
, &hook
->list
);
1922 module_put(type
->owner
);
1925 } else if (ha
[NFTA_HOOK_DEV
] || ha
[NFTA_HOOK_DEVS
]) {
1926 module_put(type
->owner
);
1933 static void nft_chain_release_hook(struct nft_chain_hook
*hook
)
1935 struct nft_hook
*h
, *next
;
1937 list_for_each_entry_safe(h
, next
, &hook
->list
, list
) {
1941 module_put(hook
->type
->owner
);
1944 struct nft_rules_old
{
1946 struct nft_rule
**start
;
1949 static struct nft_rule
**nf_tables_chain_alloc_rules(const struct nft_chain
*chain
,
1952 if (alloc
> INT_MAX
)
1955 alloc
+= 1; /* NULL, ends rules */
1956 if (sizeof(struct nft_rule
*) > INT_MAX
/ alloc
)
1959 alloc
*= sizeof(struct nft_rule
*);
1960 alloc
+= sizeof(struct nft_rules_old
);
1962 return kvmalloc(alloc
, GFP_KERNEL
);
1965 static void nft_basechain_hook_init(struct nf_hook_ops
*ops
, u8 family
,
1966 const struct nft_chain_hook
*hook
,
1967 struct nft_chain
*chain
)
1970 ops
->hooknum
= hook
->num
;
1971 ops
->priority
= hook
->priority
;
1973 ops
->hook
= hook
->type
->hooks
[ops
->hooknum
];
1976 static int nft_basechain_init(struct nft_base_chain
*basechain
, u8 family
,
1977 struct nft_chain_hook
*hook
, u32 flags
)
1979 struct nft_chain
*chain
;
1982 basechain
->type
= hook
->type
;
1983 INIT_LIST_HEAD(&basechain
->hook_list
);
1984 chain
= &basechain
->chain
;
1986 if (nft_base_chain_netdev(family
, hook
->num
)) {
1987 list_splice_init(&hook
->list
, &basechain
->hook_list
);
1988 list_for_each_entry(h
, &basechain
->hook_list
, list
)
1989 nft_basechain_hook_init(&h
->ops
, family
, hook
, chain
);
1991 basechain
->ops
.hooknum
= hook
->num
;
1992 basechain
->ops
.priority
= hook
->priority
;
1994 nft_basechain_hook_init(&basechain
->ops
, family
, hook
, chain
);
1997 chain
->flags
|= NFT_CHAIN_BASE
| flags
;
1998 basechain
->policy
= NF_ACCEPT
;
1999 if (chain
->flags
& NFT_CHAIN_HW_OFFLOAD
&&
2000 nft_chain_offload_priority(basechain
) < 0)
2003 flow_block_init(&basechain
->flow_block
);
2008 static int nft_chain_add(struct nft_table
*table
, struct nft_chain
*chain
)
2012 err
= rhltable_insert_key(&table
->chains_ht
, chain
->name
,
2013 &chain
->rhlhead
, nft_chain_ht_params
);
2017 list_add_tail_rcu(&chain
->list
, &table
->chains
);
2022 static u64 chain_id
;
2024 static int nf_tables_addchain(struct nft_ctx
*ctx
, u8 family
, u8 genmask
,
2025 u8 policy
, u32 flags
)
2027 const struct nlattr
* const *nla
= ctx
->nla
;
2028 struct nft_table
*table
= ctx
->table
;
2029 struct nft_base_chain
*basechain
;
2030 struct nft_stats __percpu
*stats
;
2031 struct net
*net
= ctx
->net
;
2032 char name
[NFT_NAME_MAXLEN
];
2033 struct nft_trans
*trans
;
2034 struct nft_chain
*chain
;
2035 struct nft_rule
**rules
;
2038 if (table
->use
== UINT_MAX
)
2041 if (nla
[NFTA_CHAIN_HOOK
]) {
2042 struct nft_chain_hook hook
;
2044 if (flags
& NFT_CHAIN_BINDING
)
2047 err
= nft_chain_parse_hook(net
, nla
, &hook
, family
, true);
2051 basechain
= kzalloc(sizeof(*basechain
), GFP_KERNEL
);
2052 if (basechain
== NULL
) {
2053 nft_chain_release_hook(&hook
);
2056 chain
= &basechain
->chain
;
2058 if (nla
[NFTA_CHAIN_COUNTERS
]) {
2059 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
2060 if (IS_ERR(stats
)) {
2061 nft_chain_release_hook(&hook
);
2063 return PTR_ERR(stats
);
2065 rcu_assign_pointer(basechain
->stats
, stats
);
2066 static_branch_inc(&nft_counters_enabled
);
2069 err
= nft_basechain_init(basechain
, family
, &hook
, flags
);
2071 nft_chain_release_hook(&hook
);
2076 if (flags
& NFT_CHAIN_BASE
)
2078 if (flags
& NFT_CHAIN_HW_OFFLOAD
)
2081 chain
= kzalloc(sizeof(*chain
), GFP_KERNEL
);
2085 chain
->flags
= flags
;
2089 INIT_LIST_HEAD(&chain
->rules
);
2090 chain
->handle
= nf_tables_alloc_handle(table
);
2091 chain
->table
= table
;
2093 if (nla
[NFTA_CHAIN_NAME
]) {
2094 chain
->name
= nla_strdup(nla
[NFTA_CHAIN_NAME
], GFP_KERNEL
);
2096 if (!(flags
& NFT_CHAIN_BINDING
)) {
2098 goto err_destroy_chain
;
2101 snprintf(name
, sizeof(name
), "__chain%llu", ++chain_id
);
2102 chain
->name
= kstrdup(name
, GFP_KERNEL
);
2107 goto err_destroy_chain
;
2110 if (nla
[NFTA_CHAIN_USERDATA
]) {
2111 chain
->udata
= nla_memdup(nla
[NFTA_CHAIN_USERDATA
], GFP_KERNEL
);
2112 if (chain
->udata
== NULL
) {
2114 goto err_destroy_chain
;
2116 chain
->udlen
= nla_len(nla
[NFTA_CHAIN_USERDATA
]);
2119 rules
= nf_tables_chain_alloc_rules(chain
, 0);
2122 goto err_destroy_chain
;
2126 rcu_assign_pointer(chain
->rules_gen_0
, rules
);
2127 rcu_assign_pointer(chain
->rules_gen_1
, rules
);
2129 err
= nf_tables_register_hook(net
, table
, chain
);
2131 goto err_destroy_chain
;
2133 trans
= nft_trans_chain_add(ctx
, NFT_MSG_NEWCHAIN
);
2134 if (IS_ERR(trans
)) {
2135 err
= PTR_ERR(trans
);
2136 goto err_unregister_hook
;
2139 nft_trans_chain_policy(trans
) = NFT_CHAIN_POLICY_UNSET
;
2140 if (nft_is_base_chain(chain
))
2141 nft_trans_chain_policy(trans
) = policy
;
2143 err
= nft_chain_add(table
, chain
);
2145 nft_trans_destroy(trans
);
2146 goto err_unregister_hook
;
2152 err_unregister_hook
:
2153 nf_tables_unregister_hook(net
, table
, chain
);
2155 nf_tables_chain_destroy(ctx
);
2160 static bool nft_hook_list_equal(struct list_head
*hook_list1
,
2161 struct list_head
*hook_list2
)
2163 struct nft_hook
*hook
;
2167 list_for_each_entry(hook
, hook_list2
, list
) {
2168 if (!nft_hook_list_find(hook_list1
, hook
))
2173 list_for_each_entry(hook
, hook_list1
, list
)
2179 static int nf_tables_updchain(struct nft_ctx
*ctx
, u8 genmask
, u8 policy
,
2180 u32 flags
, const struct nlattr
*attr
,
2181 struct netlink_ext_ack
*extack
)
2183 const struct nlattr
* const *nla
= ctx
->nla
;
2184 struct nft_table
*table
= ctx
->table
;
2185 struct nft_chain
*chain
= ctx
->chain
;
2186 struct nft_base_chain
*basechain
;
2187 struct nft_stats
*stats
= NULL
;
2188 struct nft_chain_hook hook
;
2189 struct nf_hook_ops
*ops
;
2190 struct nft_trans
*trans
;
2193 if (chain
->flags
^ flags
)
2196 if (nla
[NFTA_CHAIN_HOOK
]) {
2197 if (!nft_is_base_chain(chain
)) {
2198 NL_SET_BAD_ATTR(extack
, attr
);
2201 err
= nft_chain_parse_hook(ctx
->net
, nla
, &hook
, ctx
->family
,
2206 basechain
= nft_base_chain(chain
);
2207 if (basechain
->type
!= hook
.type
) {
2208 nft_chain_release_hook(&hook
);
2209 NL_SET_BAD_ATTR(extack
, attr
);
2213 if (nft_base_chain_netdev(ctx
->family
, hook
.num
)) {
2214 if (!nft_hook_list_equal(&basechain
->hook_list
,
2216 nft_chain_release_hook(&hook
);
2217 NL_SET_BAD_ATTR(extack
, attr
);
2221 ops
= &basechain
->ops
;
2222 if (ops
->hooknum
!= hook
.num
||
2223 ops
->priority
!= hook
.priority
) {
2224 nft_chain_release_hook(&hook
);
2225 NL_SET_BAD_ATTR(extack
, attr
);
2229 nft_chain_release_hook(&hook
);
2232 if (nla
[NFTA_CHAIN_HANDLE
] &&
2233 nla
[NFTA_CHAIN_NAME
]) {
2234 struct nft_chain
*chain2
;
2236 chain2
= nft_chain_lookup(ctx
->net
, table
,
2237 nla
[NFTA_CHAIN_NAME
], genmask
);
2238 if (!IS_ERR(chain2
)) {
2239 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_NAME
]);
2244 if (nla
[NFTA_CHAIN_COUNTERS
]) {
2245 if (!nft_is_base_chain(chain
))
2248 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
2250 return PTR_ERR(stats
);
2254 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWCHAIN
,
2255 sizeof(struct nft_trans_chain
));
2259 nft_trans_chain_stats(trans
) = stats
;
2260 nft_trans_chain_update(trans
) = true;
2262 if (nla
[NFTA_CHAIN_POLICY
])
2263 nft_trans_chain_policy(trans
) = policy
;
2265 nft_trans_chain_policy(trans
) = -1;
2267 if (nla
[NFTA_CHAIN_HANDLE
] &&
2268 nla
[NFTA_CHAIN_NAME
]) {
2269 struct nft_trans
*tmp
;
2273 name
= nla_strdup(nla
[NFTA_CHAIN_NAME
], GFP_KERNEL
);
2278 list_for_each_entry(tmp
, &ctx
->net
->nft
.commit_list
, list
) {
2279 if (tmp
->msg_type
== NFT_MSG_NEWCHAIN
&&
2280 tmp
->ctx
.table
== table
&&
2281 nft_trans_chain_update(tmp
) &&
2282 nft_trans_chain_name(tmp
) &&
2283 strcmp(name
, nft_trans_chain_name(tmp
)) == 0) {
2284 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_NAME
]);
2290 nft_trans_chain_name(trans
) = name
;
2292 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
2301 static struct nft_chain
*nft_chain_lookup_byid(const struct net
*net
,
2302 const struct nlattr
*nla
)
2304 u32 id
= ntohl(nla_get_be32(nla
));
2305 struct nft_trans
*trans
;
2307 list_for_each_entry(trans
, &net
->nft
.commit_list
, list
) {
2308 struct nft_chain
*chain
= trans
->ctx
.chain
;
2310 if (trans
->msg_type
== NFT_MSG_NEWCHAIN
&&
2311 id
== nft_trans_chain_id(trans
))
2314 return ERR_PTR(-ENOENT
);
2317 static int nf_tables_newchain(struct net
*net
, struct sock
*nlsk
,
2318 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2319 const struct nlattr
* const nla
[],
2320 struct netlink_ext_ack
*extack
)
2322 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2323 u8 genmask
= nft_genmask_next(net
);
2324 int family
= nfmsg
->nfgen_family
;
2325 struct nft_chain
*chain
= NULL
;
2326 const struct nlattr
*attr
;
2327 struct nft_table
*table
;
2328 u8 policy
= NF_ACCEPT
;
2333 lockdep_assert_held(&net
->nft
.commit_mutex
);
2335 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
,
2336 NETLINK_CB(skb
).portid
);
2337 if (IS_ERR(table
)) {
2338 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
2339 return PTR_ERR(table
);
2343 attr
= nla
[NFTA_CHAIN_NAME
];
2345 if (nla
[NFTA_CHAIN_HANDLE
]) {
2346 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_CHAIN_HANDLE
]));
2347 chain
= nft_chain_lookup_byhandle(table
, handle
, genmask
);
2348 if (IS_ERR(chain
)) {
2349 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_HANDLE
]);
2350 return PTR_ERR(chain
);
2352 attr
= nla
[NFTA_CHAIN_HANDLE
];
2353 } else if (nla
[NFTA_CHAIN_NAME
]) {
2354 chain
= nft_chain_lookup(net
, table
, attr
, genmask
);
2355 if (IS_ERR(chain
)) {
2356 if (PTR_ERR(chain
) != -ENOENT
) {
2357 NL_SET_BAD_ATTR(extack
, attr
);
2358 return PTR_ERR(chain
);
2362 } else if (!nla
[NFTA_CHAIN_ID
]) {
2366 if (nla
[NFTA_CHAIN_POLICY
]) {
2367 if (chain
!= NULL
&&
2368 !nft_is_base_chain(chain
)) {
2369 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_POLICY
]);
2373 if (chain
== NULL
&&
2374 nla
[NFTA_CHAIN_HOOK
] == NULL
) {
2375 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_POLICY
]);
2379 policy
= ntohl(nla_get_be32(nla
[NFTA_CHAIN_POLICY
]));
2389 if (nla
[NFTA_CHAIN_FLAGS
])
2390 flags
= ntohl(nla_get_be32(nla
[NFTA_CHAIN_FLAGS
]));
2392 flags
= chain
->flags
;
2394 if (flags
& ~NFT_CHAIN_FLAGS
)
2397 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, chain
, nla
);
2399 if (chain
!= NULL
) {
2400 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
2401 NL_SET_BAD_ATTR(extack
, attr
);
2404 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2407 flags
|= chain
->flags
& NFT_CHAIN_BASE
;
2408 return nf_tables_updchain(&ctx
, genmask
, policy
, flags
, attr
,
2412 return nf_tables_addchain(&ctx
, family
, genmask
, policy
, flags
);
2415 static int nf_tables_delchain(struct net
*net
, struct sock
*nlsk
,
2416 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2417 const struct nlattr
* const nla
[],
2418 struct netlink_ext_ack
*extack
)
2420 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2421 u8 genmask
= nft_genmask_next(net
);
2422 int family
= nfmsg
->nfgen_family
;
2423 const struct nlattr
*attr
;
2424 struct nft_table
*table
;
2425 struct nft_chain
*chain
;
2426 struct nft_rule
*rule
;
2432 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
,
2433 NETLINK_CB(skb
).portid
);
2434 if (IS_ERR(table
)) {
2435 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
2436 return PTR_ERR(table
);
2439 if (nla
[NFTA_CHAIN_HANDLE
]) {
2440 attr
= nla
[NFTA_CHAIN_HANDLE
];
2441 handle
= be64_to_cpu(nla_get_be64(attr
));
2442 chain
= nft_chain_lookup_byhandle(table
, handle
, genmask
);
2444 attr
= nla
[NFTA_CHAIN_NAME
];
2445 chain
= nft_chain_lookup(net
, table
, attr
, genmask
);
2447 if (IS_ERR(chain
)) {
2448 NL_SET_BAD_ATTR(extack
, attr
);
2449 return PTR_ERR(chain
);
2452 if (nlh
->nlmsg_flags
& NLM_F_NONREC
&&
2456 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, chain
, nla
);
2459 list_for_each_entry(rule
, &chain
->rules
, list
) {
2460 if (!nft_is_active_next(net
, rule
))
2464 err
= nft_delrule(&ctx
, rule
);
2469 /* There are rules and elements that are still holding references to us,
2470 * we cannot do a recursive removal in this case.
2473 NL_SET_BAD_ATTR(extack
, attr
);
2477 return nft_delchain(&ctx
);
2485 * nft_register_expr - register nf_tables expr type
2488 * Registers the expr type for use with nf_tables. Returns zero on
2489 * success or a negative errno code otherwise.
2491 int nft_register_expr(struct nft_expr_type
*type
)
2493 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2494 if (type
->family
== NFPROTO_UNSPEC
)
2495 list_add_tail_rcu(&type
->list
, &nf_tables_expressions
);
2497 list_add_rcu(&type
->list
, &nf_tables_expressions
);
2498 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2501 EXPORT_SYMBOL_GPL(nft_register_expr
);
2504 * nft_unregister_expr - unregister nf_tables expr type
2507 * Unregisters the expr typefor use with nf_tables.
2509 void nft_unregister_expr(struct nft_expr_type
*type
)
2511 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2512 list_del_rcu(&type
->list
);
2513 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2515 EXPORT_SYMBOL_GPL(nft_unregister_expr
);
2517 static const struct nft_expr_type
*__nft_expr_type_get(u8 family
,
2520 const struct nft_expr_type
*type
, *candidate
= NULL
;
2522 list_for_each_entry(type
, &nf_tables_expressions
, list
) {
2523 if (!nla_strcmp(nla
, type
->name
)) {
2524 if (!type
->family
&& !candidate
)
2526 else if (type
->family
== family
)
2533 #ifdef CONFIG_MODULES
2534 static int nft_expr_type_request_module(struct net
*net
, u8 family
,
2537 if (nft_request_module(net
, "nft-expr-%u-%.*s", family
,
2538 nla_len(nla
), (char *)nla_data(nla
)) == -EAGAIN
)
2545 static const struct nft_expr_type
*nft_expr_type_get(struct net
*net
,
2549 const struct nft_expr_type
*type
;
2552 return ERR_PTR(-EINVAL
);
2554 type
= __nft_expr_type_get(family
, nla
);
2555 if (type
!= NULL
&& try_module_get(type
->owner
))
2558 lockdep_nfnl_nft_mutex_not_held();
2559 #ifdef CONFIG_MODULES
2561 if (nft_expr_type_request_module(net
, family
, nla
) == -EAGAIN
)
2562 return ERR_PTR(-EAGAIN
);
2564 if (nft_request_module(net
, "nft-expr-%.*s",
2566 (char *)nla_data(nla
)) == -EAGAIN
)
2567 return ERR_PTR(-EAGAIN
);
2570 return ERR_PTR(-ENOENT
);
2573 static const struct nla_policy nft_expr_policy
[NFTA_EXPR_MAX
+ 1] = {
2574 [NFTA_EXPR_NAME
] = { .type
= NLA_STRING
,
2575 .len
= NFT_MODULE_AUTOLOAD_LIMIT
},
2576 [NFTA_EXPR_DATA
] = { .type
= NLA_NESTED
},
2579 static int nf_tables_fill_expr_info(struct sk_buff
*skb
,
2580 const struct nft_expr
*expr
)
2582 if (nla_put_string(skb
, NFTA_EXPR_NAME
, expr
->ops
->type
->name
))
2583 goto nla_put_failure
;
2585 if (expr
->ops
->dump
) {
2586 struct nlattr
*data
= nla_nest_start_noflag(skb
,
2589 goto nla_put_failure
;
2590 if (expr
->ops
->dump(skb
, expr
) < 0)
2591 goto nla_put_failure
;
2592 nla_nest_end(skb
, data
);
2601 int nft_expr_dump(struct sk_buff
*skb
, unsigned int attr
,
2602 const struct nft_expr
*expr
)
2604 struct nlattr
*nest
;
2606 nest
= nla_nest_start_noflag(skb
, attr
);
2608 goto nla_put_failure
;
2609 if (nf_tables_fill_expr_info(skb
, expr
) < 0)
2610 goto nla_put_failure
;
2611 nla_nest_end(skb
, nest
);
2618 struct nft_expr_info
{
2619 const struct nft_expr_ops
*ops
;
2620 const struct nlattr
*attr
;
2621 struct nlattr
*tb
[NFT_EXPR_MAXATTR
+ 1];
2624 static int nf_tables_expr_parse(const struct nft_ctx
*ctx
,
2625 const struct nlattr
*nla
,
2626 struct nft_expr_info
*info
)
2628 const struct nft_expr_type
*type
;
2629 const struct nft_expr_ops
*ops
;
2630 struct nlattr
*tb
[NFTA_EXPR_MAX
+ 1];
2633 err
= nla_parse_nested_deprecated(tb
, NFTA_EXPR_MAX
, nla
,
2634 nft_expr_policy
, NULL
);
2638 type
= nft_expr_type_get(ctx
->net
, ctx
->family
, tb
[NFTA_EXPR_NAME
]);
2640 return PTR_ERR(type
);
2642 if (tb
[NFTA_EXPR_DATA
]) {
2643 err
= nla_parse_nested_deprecated(info
->tb
, type
->maxattr
,
2645 type
->policy
, NULL
);
2649 memset(info
->tb
, 0, sizeof(info
->tb
[0]) * (type
->maxattr
+ 1));
2651 if (type
->select_ops
!= NULL
) {
2652 ops
= type
->select_ops(ctx
,
2653 (const struct nlattr
* const *)info
->tb
);
2656 #ifdef CONFIG_MODULES
2658 if (nft_expr_type_request_module(ctx
->net
,
2660 tb
[NFTA_EXPR_NAME
]) != -EAGAIN
)
2674 module_put(type
->owner
);
2678 static int nf_tables_newexpr(const struct nft_ctx
*ctx
,
2679 const struct nft_expr_info
*info
,
2680 struct nft_expr
*expr
)
2682 const struct nft_expr_ops
*ops
= info
->ops
;
2687 err
= ops
->init(ctx
, expr
, (const struct nlattr
**)info
->tb
);
2698 static void nf_tables_expr_destroy(const struct nft_ctx
*ctx
,
2699 struct nft_expr
*expr
)
2701 const struct nft_expr_type
*type
= expr
->ops
->type
;
2703 if (expr
->ops
->destroy
)
2704 expr
->ops
->destroy(ctx
, expr
);
2705 module_put(type
->owner
);
2708 static struct nft_expr
*nft_expr_init(const struct nft_ctx
*ctx
,
2709 const struct nlattr
*nla
)
2711 struct nft_expr_info info
;
2712 struct nft_expr
*expr
;
2713 struct module
*owner
;
2716 err
= nf_tables_expr_parse(ctx
, nla
, &info
);
2721 expr
= kzalloc(info
.ops
->size
, GFP_KERNEL
);
2725 err
= nf_tables_newexpr(ctx
, &info
, expr
);
2733 owner
= info
.ops
->type
->owner
;
2734 if (info
.ops
->type
->release_ops
)
2735 info
.ops
->type
->release_ops(info
.ops
);
2739 return ERR_PTR(err
);
2742 int nft_expr_clone(struct nft_expr
*dst
, struct nft_expr
*src
)
2746 if (src
->ops
->clone
) {
2747 dst
->ops
= src
->ops
;
2748 err
= src
->ops
->clone(dst
, src
);
2752 memcpy(dst
, src
, src
->ops
->size
);
2755 __module_get(src
->ops
->type
->owner
);
2760 void nft_expr_destroy(const struct nft_ctx
*ctx
, struct nft_expr
*expr
)
2762 nf_tables_expr_destroy(ctx
, expr
);
2770 static struct nft_rule
*__nft_rule_lookup(const struct nft_chain
*chain
,
2773 struct nft_rule
*rule
;
2775 // FIXME: this sucks
2776 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
2777 if (handle
== rule
->handle
)
2781 return ERR_PTR(-ENOENT
);
2784 static struct nft_rule
*nft_rule_lookup(const struct nft_chain
*chain
,
2785 const struct nlattr
*nla
)
2788 return ERR_PTR(-EINVAL
);
2790 return __nft_rule_lookup(chain
, be64_to_cpu(nla_get_be64(nla
)));
2793 static const struct nla_policy nft_rule_policy
[NFTA_RULE_MAX
+ 1] = {
2794 [NFTA_RULE_TABLE
] = { .type
= NLA_STRING
,
2795 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
2796 [NFTA_RULE_CHAIN
] = { .type
= NLA_STRING
,
2797 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
2798 [NFTA_RULE_HANDLE
] = { .type
= NLA_U64
},
2799 [NFTA_RULE_EXPRESSIONS
] = { .type
= NLA_NESTED
},
2800 [NFTA_RULE_COMPAT
] = { .type
= NLA_NESTED
},
2801 [NFTA_RULE_POSITION
] = { .type
= NLA_U64
},
2802 [NFTA_RULE_USERDATA
] = { .type
= NLA_BINARY
,
2803 .len
= NFT_USERDATA_MAXLEN
},
2804 [NFTA_RULE_ID
] = { .type
= NLA_U32
},
2805 [NFTA_RULE_POSITION_ID
] = { .type
= NLA_U32
},
2806 [NFTA_RULE_CHAIN_ID
] = { .type
= NLA_U32
},
2809 static int nf_tables_fill_rule_info(struct sk_buff
*skb
, struct net
*net
,
2810 u32 portid
, u32 seq
, int event
,
2811 u32 flags
, int family
,
2812 const struct nft_table
*table
,
2813 const struct nft_chain
*chain
,
2814 const struct nft_rule
*rule
,
2815 const struct nft_rule
*prule
)
2817 struct nlmsghdr
*nlh
;
2818 const struct nft_expr
*expr
, *next
;
2819 struct nlattr
*list
;
2820 u16 type
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
2822 nlh
= nfnl_msg_put(skb
, portid
, seq
, type
, flags
, family
, NFNETLINK_V0
,
2825 goto nla_put_failure
;
2827 if (nla_put_string(skb
, NFTA_RULE_TABLE
, table
->name
))
2828 goto nla_put_failure
;
2829 if (nla_put_string(skb
, NFTA_RULE_CHAIN
, chain
->name
))
2830 goto nla_put_failure
;
2831 if (nla_put_be64(skb
, NFTA_RULE_HANDLE
, cpu_to_be64(rule
->handle
),
2833 goto nla_put_failure
;
2835 if (event
!= NFT_MSG_DELRULE
&& prule
) {
2836 if (nla_put_be64(skb
, NFTA_RULE_POSITION
,
2837 cpu_to_be64(prule
->handle
),
2839 goto nla_put_failure
;
2842 list
= nla_nest_start_noflag(skb
, NFTA_RULE_EXPRESSIONS
);
2844 goto nla_put_failure
;
2845 nft_rule_for_each_expr(expr
, next
, rule
) {
2846 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
, expr
) < 0)
2847 goto nla_put_failure
;
2849 nla_nest_end(skb
, list
);
2852 struct nft_userdata
*udata
= nft_userdata(rule
);
2853 if (nla_put(skb
, NFTA_RULE_USERDATA
, udata
->len
+ 1,
2855 goto nla_put_failure
;
2858 nlmsg_end(skb
, nlh
);
2862 nlmsg_trim(skb
, nlh
);
2866 static void nf_tables_rule_notify(const struct nft_ctx
*ctx
,
2867 const struct nft_rule
*rule
, int event
)
2869 struct sk_buff
*skb
;
2873 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
2876 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
2880 err
= nf_tables_fill_rule_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
2881 event
, 0, ctx
->family
, ctx
->table
,
2882 ctx
->chain
, rule
, NULL
);
2888 nft_notify_enqueue(skb
, ctx
->report
, &ctx
->net
->nft
.notify_list
);
2891 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
2894 struct nft_rule_dump_ctx
{
2899 static int __nf_tables_dump_rules(struct sk_buff
*skb
,
2901 struct netlink_callback
*cb
,
2902 const struct nft_table
*table
,
2903 const struct nft_chain
*chain
)
2905 struct net
*net
= sock_net(skb
->sk
);
2906 const struct nft_rule
*rule
, *prule
;
2907 unsigned int s_idx
= cb
->args
[0];
2910 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
2911 if (!nft_is_active(net
, rule
))
2916 memset(&cb
->args
[1], 0,
2917 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
2919 if (nf_tables_fill_rule_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
2922 NLM_F_MULTI
| NLM_F_APPEND
,
2924 table
, chain
, rule
, prule
) < 0)
2927 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
2936 static int nf_tables_dump_rules(struct sk_buff
*skb
,
2937 struct netlink_callback
*cb
)
2939 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
2940 const struct nft_rule_dump_ctx
*ctx
= cb
->data
;
2941 struct nft_table
*table
;
2942 const struct nft_chain
*chain
;
2943 unsigned int idx
= 0;
2944 struct net
*net
= sock_net(skb
->sk
);
2945 int family
= nfmsg
->nfgen_family
;
2948 cb
->seq
= net
->nft
.base_seq
;
2950 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
2951 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
2954 if (ctx
&& ctx
->table
&& strcmp(ctx
->table
, table
->name
) != 0)
2957 if (ctx
&& ctx
->table
&& ctx
->chain
) {
2958 struct rhlist_head
*list
, *tmp
;
2960 list
= rhltable_lookup(&table
->chains_ht
, ctx
->chain
,
2961 nft_chain_ht_params
);
2965 rhl_for_each_entry_rcu(chain
, tmp
, list
, rhlhead
) {
2966 if (!nft_is_active(net
, chain
))
2968 __nf_tables_dump_rules(skb
, &idx
,
2975 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
2976 if (__nf_tables_dump_rules(skb
, &idx
, cb
, table
, chain
))
2980 if (ctx
&& ctx
->table
)
2990 static int nf_tables_dump_rules_start(struct netlink_callback
*cb
)
2992 const struct nlattr
* const *nla
= cb
->data
;
2993 struct nft_rule_dump_ctx
*ctx
= NULL
;
2995 if (nla
[NFTA_RULE_TABLE
] || nla
[NFTA_RULE_CHAIN
]) {
2996 ctx
= kzalloc(sizeof(*ctx
), GFP_ATOMIC
);
3000 if (nla
[NFTA_RULE_TABLE
]) {
3001 ctx
->table
= nla_strdup(nla
[NFTA_RULE_TABLE
],
3008 if (nla
[NFTA_RULE_CHAIN
]) {
3009 ctx
->chain
= nla_strdup(nla
[NFTA_RULE_CHAIN
],
3023 static int nf_tables_dump_rules_done(struct netlink_callback
*cb
)
3025 struct nft_rule_dump_ctx
*ctx
= cb
->data
;
3035 /* called with rcu_read_lock held */
3036 static int nf_tables_getrule(struct net
*net
, struct sock
*nlsk
,
3037 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3038 const struct nlattr
* const nla
[],
3039 struct netlink_ext_ack
*extack
)
3041 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3042 u8 genmask
= nft_genmask_cur(net
);
3043 const struct nft_chain
*chain
;
3044 const struct nft_rule
*rule
;
3045 struct nft_table
*table
;
3046 struct sk_buff
*skb2
;
3047 int family
= nfmsg
->nfgen_family
;
3050 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
3051 struct netlink_dump_control c
= {
3052 .start
= nf_tables_dump_rules_start
,
3053 .dump
= nf_tables_dump_rules
,
3054 .done
= nf_tables_dump_rules_done
,
3055 .module
= THIS_MODULE
,
3056 .data
= (void *)nla
,
3059 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
3062 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
, 0);
3063 if (IS_ERR(table
)) {
3064 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
3065 return PTR_ERR(table
);
3068 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
], genmask
);
3069 if (IS_ERR(chain
)) {
3070 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
3071 return PTR_ERR(chain
);
3074 rule
= nft_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
3076 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
3077 return PTR_ERR(rule
);
3080 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
3084 err
= nf_tables_fill_rule_info(skb2
, net
, NETLINK_CB(skb
).portid
,
3085 nlh
->nlmsg_seq
, NFT_MSG_NEWRULE
, 0,
3086 family
, table
, chain
, rule
, NULL
);
3088 goto err_fill_rule_info
;
3090 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
3097 static void nf_tables_rule_destroy(const struct nft_ctx
*ctx
,
3098 struct nft_rule
*rule
)
3100 struct nft_expr
*expr
, *next
;
3103 * Careful: some expressions might not be initialized in case this
3104 * is called on error from nf_tables_newrule().
3106 expr
= nft_expr_first(rule
);
3107 while (nft_expr_more(rule
, expr
)) {
3108 next
= nft_expr_next(expr
);
3109 nf_tables_expr_destroy(ctx
, expr
);
3115 void nf_tables_rule_release(const struct nft_ctx
*ctx
, struct nft_rule
*rule
)
3117 nft_rule_expr_deactivate(ctx
, rule
, NFT_TRANS_RELEASE
);
3118 nf_tables_rule_destroy(ctx
, rule
);
3121 int nft_chain_validate(const struct nft_ctx
*ctx
, const struct nft_chain
*chain
)
3123 struct nft_expr
*expr
, *last
;
3124 const struct nft_data
*data
;
3125 struct nft_rule
*rule
;
3128 if (ctx
->level
== NFT_JUMP_STACK_SIZE
)
3131 list_for_each_entry(rule
, &chain
->rules
, list
) {
3132 if (!nft_is_active_next(ctx
->net
, rule
))
3135 nft_rule_for_each_expr(expr
, last
, rule
) {
3136 if (!expr
->ops
->validate
)
3139 err
= expr
->ops
->validate(ctx
, expr
, &data
);
3147 EXPORT_SYMBOL_GPL(nft_chain_validate
);
3149 static int nft_table_validate(struct net
*net
, const struct nft_table
*table
)
3151 struct nft_chain
*chain
;
3152 struct nft_ctx ctx
= {
3154 .family
= table
->family
,
3158 list_for_each_entry(chain
, &table
->chains
, list
) {
3159 if (!nft_is_base_chain(chain
))
3163 err
= nft_chain_validate(&ctx
, chain
);
3171 static struct nft_rule
*nft_rule_lookup_byid(const struct net
*net
,
3172 const struct nlattr
*nla
);
3174 #define NFT_RULE_MAXEXPRS 128
3176 static int nf_tables_newrule(struct net
*net
, struct sock
*nlsk
,
3177 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3178 const struct nlattr
* const nla
[],
3179 struct netlink_ext_ack
*extack
)
3181 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3182 u8 genmask
= nft_genmask_next(net
);
3183 struct nft_expr_info
*info
= NULL
;
3184 int family
= nfmsg
->nfgen_family
;
3185 struct nft_flow_rule
*flow
;
3186 struct nft_table
*table
;
3187 struct nft_chain
*chain
;
3188 struct nft_rule
*rule
, *old_rule
= NULL
;
3189 struct nft_userdata
*udata
;
3190 struct nft_trans
*trans
= NULL
;
3191 struct nft_expr
*expr
;
3194 unsigned int size
, i
, n
, ulen
= 0, usize
= 0;
3196 u64 handle
, pos_handle
;
3198 lockdep_assert_held(&net
->nft
.commit_mutex
);
3200 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
,
3201 NETLINK_CB(skb
).portid
);
3202 if (IS_ERR(table
)) {
3203 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
3204 return PTR_ERR(table
);
3207 if (nla
[NFTA_RULE_CHAIN
]) {
3208 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
],
3210 if (IS_ERR(chain
)) {
3211 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
3212 return PTR_ERR(chain
);
3214 if (nft_chain_is_bound(chain
))
3217 } else if (nla
[NFTA_RULE_CHAIN_ID
]) {
3218 chain
= nft_chain_lookup_byid(net
, nla
[NFTA_RULE_CHAIN_ID
]);
3219 if (IS_ERR(chain
)) {
3220 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN_ID
]);
3221 return PTR_ERR(chain
);
3227 if (nla
[NFTA_RULE_HANDLE
]) {
3228 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_HANDLE
]));
3229 rule
= __nft_rule_lookup(chain
, handle
);
3231 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
3232 return PTR_ERR(rule
);
3235 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
3236 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
3239 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
3244 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
) ||
3245 nlh
->nlmsg_flags
& NLM_F_REPLACE
)
3247 handle
= nf_tables_alloc_handle(table
);
3249 if (chain
->use
== UINT_MAX
)
3252 if (nla
[NFTA_RULE_POSITION
]) {
3253 pos_handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_POSITION
]));
3254 old_rule
= __nft_rule_lookup(chain
, pos_handle
);
3255 if (IS_ERR(old_rule
)) {
3256 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_POSITION
]);
3257 return PTR_ERR(old_rule
);
3259 } else if (nla
[NFTA_RULE_POSITION_ID
]) {
3260 old_rule
= nft_rule_lookup_byid(net
, nla
[NFTA_RULE_POSITION_ID
]);
3261 if (IS_ERR(old_rule
)) {
3262 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_POSITION_ID
]);
3263 return PTR_ERR(old_rule
);
3268 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, chain
, nla
);
3272 if (nla
[NFTA_RULE_EXPRESSIONS
]) {
3273 info
= kvmalloc_array(NFT_RULE_MAXEXPRS
,
3274 sizeof(struct nft_expr_info
),
3279 nla_for_each_nested(tmp
, nla
[NFTA_RULE_EXPRESSIONS
], rem
) {
3281 if (nla_type(tmp
) != NFTA_LIST_ELEM
)
3283 if (n
== NFT_RULE_MAXEXPRS
)
3285 err
= nf_tables_expr_parse(&ctx
, tmp
, &info
[n
]);
3288 size
+= info
[n
].ops
->size
;
3292 /* Check for overflow of dlen field */
3294 if (size
>= 1 << 12)
3297 if (nla
[NFTA_RULE_USERDATA
]) {
3298 ulen
= nla_len(nla
[NFTA_RULE_USERDATA
]);
3300 usize
= sizeof(struct nft_userdata
) + ulen
;
3304 rule
= kzalloc(sizeof(*rule
) + size
+ usize
, GFP_KERNEL
);
3308 nft_activate_next(net
, rule
);
3310 rule
->handle
= handle
;
3312 rule
->udata
= ulen
? 1 : 0;
3315 udata
= nft_userdata(rule
);
3316 udata
->len
= ulen
- 1;
3317 nla_memcpy(udata
->data
, nla
[NFTA_RULE_USERDATA
], ulen
);
3320 expr
= nft_expr_first(rule
);
3321 for (i
= 0; i
< n
; i
++) {
3322 err
= nf_tables_newexpr(&ctx
, &info
[i
], expr
);
3324 NL_SET_BAD_ATTR(extack
, info
[i
].attr
);
3328 if (info
[i
].ops
->validate
)
3329 nft_validate_state_update(net
, NFT_VALIDATE_NEED
);
3332 expr
= nft_expr_next(expr
);
3335 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
) {
3336 trans
= nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
);
3337 if (trans
== NULL
) {
3341 err
= nft_delrule(&ctx
, old_rule
);
3343 nft_trans_destroy(trans
);
3347 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
3349 trans
= nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
);
3355 if (nlh
->nlmsg_flags
& NLM_F_APPEND
) {
3357 list_add_rcu(&rule
->list
, &old_rule
->list
);
3359 list_add_tail_rcu(&rule
->list
, &chain
->rules
);
3362 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
3364 list_add_rcu(&rule
->list
, &chain
->rules
);
3370 if (net
->nft
.validate_state
== NFT_VALIDATE_DO
)
3371 return nft_table_validate(net
, table
);
3373 if (chain
->flags
& NFT_CHAIN_HW_OFFLOAD
) {
3374 flow
= nft_flow_rule_create(net
, rule
);
3376 return PTR_ERR(flow
);
3378 nft_trans_flow_rule(trans
) = flow
;
3383 nf_tables_rule_release(&ctx
, rule
);
3385 for (i
= 0; i
< n
; i
++) {
3387 module_put(info
[i
].ops
->type
->owner
);
3388 if (info
[i
].ops
->type
->release_ops
)
3389 info
[i
].ops
->type
->release_ops(info
[i
].ops
);
3396 static struct nft_rule
*nft_rule_lookup_byid(const struct net
*net
,
3397 const struct nlattr
*nla
)
3399 u32 id
= ntohl(nla_get_be32(nla
));
3400 struct nft_trans
*trans
;
3402 list_for_each_entry(trans
, &net
->nft
.commit_list
, list
) {
3403 struct nft_rule
*rule
= nft_trans_rule(trans
);
3405 if (trans
->msg_type
== NFT_MSG_NEWRULE
&&
3406 id
== nft_trans_rule_id(trans
))
3409 return ERR_PTR(-ENOENT
);
3412 static int nf_tables_delrule(struct net
*net
, struct sock
*nlsk
,
3413 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3414 const struct nlattr
* const nla
[],
3415 struct netlink_ext_ack
*extack
)
3417 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3418 u8 genmask
= nft_genmask_next(net
);
3419 struct nft_table
*table
;
3420 struct nft_chain
*chain
= NULL
;
3421 struct nft_rule
*rule
;
3422 int family
= nfmsg
->nfgen_family
, err
= 0;
3425 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
,
3426 NETLINK_CB(skb
).portid
);
3427 if (IS_ERR(table
)) {
3428 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
3429 return PTR_ERR(table
);
3432 if (nla
[NFTA_RULE_CHAIN
]) {
3433 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
],
3435 if (IS_ERR(chain
)) {
3436 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
3437 return PTR_ERR(chain
);
3439 if (nft_chain_is_bound(chain
))
3443 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, chain
, nla
);
3446 if (nla
[NFTA_RULE_HANDLE
]) {
3447 rule
= nft_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
3449 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
3450 return PTR_ERR(rule
);
3453 err
= nft_delrule(&ctx
, rule
);
3454 } else if (nla
[NFTA_RULE_ID
]) {
3455 rule
= nft_rule_lookup_byid(net
, nla
[NFTA_RULE_ID
]);
3457 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_ID
]);
3458 return PTR_ERR(rule
);
3461 err
= nft_delrule(&ctx
, rule
);
3463 err
= nft_delrule_by_chain(&ctx
);
3466 list_for_each_entry(chain
, &table
->chains
, list
) {
3467 if (!nft_is_active_next(net
, chain
))
3471 err
= nft_delrule_by_chain(&ctx
);
3483 static const struct nft_set_type
*nft_set_types
[] = {
3484 &nft_set_hash_fast_type
,
3486 &nft_set_rhash_type
,
3487 &nft_set_bitmap_type
,
3488 &nft_set_rbtree_type
,
3489 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3490 &nft_set_pipapo_avx2_type
,
3492 &nft_set_pipapo_type
,
3495 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3496 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3499 static bool nft_set_ops_candidate(const struct nft_set_type
*type
, u32 flags
)
3501 return (flags
& type
->features
) == (flags
& NFT_SET_FEATURES
);
3505 * Select a set implementation based on the data characteristics and the
3506 * given policy. The total memory use might not be known if no size is
3507 * given, in that case the amount of memory per element is used.
3509 static const struct nft_set_ops
*
3510 nft_select_set_ops(const struct nft_ctx
*ctx
,
3511 const struct nlattr
* const nla
[],
3512 const struct nft_set_desc
*desc
,
3513 enum nft_set_policies policy
)
3515 const struct nft_set_ops
*ops
, *bops
;
3516 struct nft_set_estimate est
, best
;
3517 const struct nft_set_type
*type
;
3521 lockdep_assert_held(&ctx
->net
->nft
.commit_mutex
);
3522 lockdep_nfnl_nft_mutex_not_held();
3524 if (nla
[NFTA_SET_FLAGS
] != NULL
)
3525 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
3532 for (i
= 0; i
< ARRAY_SIZE(nft_set_types
); i
++) {
3533 type
= nft_set_types
[i
];
3536 if (!nft_set_ops_candidate(type
, flags
))
3538 if (!ops
->estimate(desc
, flags
, &est
))
3542 case NFT_SET_POL_PERFORMANCE
:
3543 if (est
.lookup
< best
.lookup
)
3545 if (est
.lookup
== best
.lookup
&&
3546 est
.space
< best
.space
)
3549 case NFT_SET_POL_MEMORY
:
3551 if (est
.space
< best
.space
)
3553 if (est
.space
== best
.space
&&
3554 est
.lookup
< best
.lookup
)
3556 } else if (est
.size
< best
.size
|| !bops
) {
3571 return ERR_PTR(-EOPNOTSUPP
);
3574 static const struct nla_policy nft_set_policy
[NFTA_SET_MAX
+ 1] = {
3575 [NFTA_SET_TABLE
] = { .type
= NLA_STRING
,
3576 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
3577 [NFTA_SET_NAME
] = { .type
= NLA_STRING
,
3578 .len
= NFT_SET_MAXNAMELEN
- 1 },
3579 [NFTA_SET_FLAGS
] = { .type
= NLA_U32
},
3580 [NFTA_SET_KEY_TYPE
] = { .type
= NLA_U32
},
3581 [NFTA_SET_KEY_LEN
] = { .type
= NLA_U32
},
3582 [NFTA_SET_DATA_TYPE
] = { .type
= NLA_U32
},
3583 [NFTA_SET_DATA_LEN
] = { .type
= NLA_U32
},
3584 [NFTA_SET_POLICY
] = { .type
= NLA_U32
},
3585 [NFTA_SET_DESC
] = { .type
= NLA_NESTED
},
3586 [NFTA_SET_ID
] = { .type
= NLA_U32
},
3587 [NFTA_SET_TIMEOUT
] = { .type
= NLA_U64
},
3588 [NFTA_SET_GC_INTERVAL
] = { .type
= NLA_U32
},
3589 [NFTA_SET_USERDATA
] = { .type
= NLA_BINARY
,
3590 .len
= NFT_USERDATA_MAXLEN
},
3591 [NFTA_SET_OBJ_TYPE
] = { .type
= NLA_U32
},
3592 [NFTA_SET_HANDLE
] = { .type
= NLA_U64
},
3593 [NFTA_SET_EXPR
] = { .type
= NLA_NESTED
},
3594 [NFTA_SET_EXPRESSIONS
] = { .type
= NLA_NESTED
},
3597 static const struct nla_policy nft_set_desc_policy
[NFTA_SET_DESC_MAX
+ 1] = {
3598 [NFTA_SET_DESC_SIZE
] = { .type
= NLA_U32
},
3599 [NFTA_SET_DESC_CONCAT
] = { .type
= NLA_NESTED
},
3602 static int nft_ctx_init_from_setattr(struct nft_ctx
*ctx
, struct net
*net
,
3603 const struct sk_buff
*skb
,
3604 const struct nlmsghdr
*nlh
,
3605 const struct nlattr
* const nla
[],
3606 struct netlink_ext_ack
*extack
,
3607 u8 genmask
, u32 nlpid
)
3609 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3610 int family
= nfmsg
->nfgen_family
;
3611 struct nft_table
*table
= NULL
;
3613 if (nla
[NFTA_SET_TABLE
] != NULL
) {
3614 table
= nft_table_lookup(net
, nla
[NFTA_SET_TABLE
], family
,
3616 if (IS_ERR(table
)) {
3617 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_TABLE
]);
3618 return PTR_ERR(table
);
3622 nft_ctx_init(ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
3626 static struct nft_set
*nft_set_lookup(const struct nft_table
*table
,
3627 const struct nlattr
*nla
, u8 genmask
)
3629 struct nft_set
*set
;
3632 return ERR_PTR(-EINVAL
);
3634 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
3635 if (!nla_strcmp(nla
, set
->name
) &&
3636 nft_active_genmask(set
, genmask
))
3639 return ERR_PTR(-ENOENT
);
3642 static struct nft_set
*nft_set_lookup_byhandle(const struct nft_table
*table
,
3643 const struct nlattr
*nla
,
3646 struct nft_set
*set
;
3648 list_for_each_entry(set
, &table
->sets
, list
) {
3649 if (be64_to_cpu(nla_get_be64(nla
)) == set
->handle
&&
3650 nft_active_genmask(set
, genmask
))
3653 return ERR_PTR(-ENOENT
);
3656 static struct nft_set
*nft_set_lookup_byid(const struct net
*net
,
3657 const struct nlattr
*nla
, u8 genmask
)
3659 struct nft_trans
*trans
;
3660 u32 id
= ntohl(nla_get_be32(nla
));
3662 list_for_each_entry(trans
, &net
->nft
.commit_list
, list
) {
3663 if (trans
->msg_type
== NFT_MSG_NEWSET
) {
3664 struct nft_set
*set
= nft_trans_set(trans
);
3666 if (id
== nft_trans_set_id(trans
) &&
3667 nft_active_genmask(set
, genmask
))
3671 return ERR_PTR(-ENOENT
);
3674 struct nft_set
*nft_set_lookup_global(const struct net
*net
,
3675 const struct nft_table
*table
,
3676 const struct nlattr
*nla_set_name
,
3677 const struct nlattr
*nla_set_id
,
3680 struct nft_set
*set
;
3682 set
= nft_set_lookup(table
, nla_set_name
, genmask
);
3687 set
= nft_set_lookup_byid(net
, nla_set_id
, genmask
);
3691 EXPORT_SYMBOL_GPL(nft_set_lookup_global
);
3693 static int nf_tables_set_alloc_name(struct nft_ctx
*ctx
, struct nft_set
*set
,
3696 const struct nft_set
*i
;
3698 unsigned long *inuse
;
3699 unsigned int n
= 0, min
= 0;
3701 p
= strchr(name
, '%');
3703 if (p
[1] != 'd' || strchr(p
+ 2, '%'))
3706 inuse
= (unsigned long *)get_zeroed_page(GFP_KERNEL
);
3710 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
3713 if (!nft_is_active_next(ctx
->net
, set
))
3715 if (!sscanf(i
->name
, name
, &tmp
))
3717 if (tmp
< min
|| tmp
>= min
+ BITS_PER_BYTE
* PAGE_SIZE
)
3720 set_bit(tmp
- min
, inuse
);
3723 n
= find_first_zero_bit(inuse
, BITS_PER_BYTE
* PAGE_SIZE
);
3724 if (n
>= BITS_PER_BYTE
* PAGE_SIZE
) {
3725 min
+= BITS_PER_BYTE
* PAGE_SIZE
;
3726 memset(inuse
, 0, PAGE_SIZE
);
3729 free_page((unsigned long)inuse
);
3732 set
->name
= kasprintf(GFP_KERNEL
, name
, min
+ n
);
3736 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
3737 if (!nft_is_active_next(ctx
->net
, i
))
3739 if (!strcmp(set
->name
, i
->name
)) {
3748 int nf_msecs_to_jiffies64(const struct nlattr
*nla
, u64
*result
)
3750 u64 ms
= be64_to_cpu(nla_get_be64(nla
));
3751 u64 max
= (u64
)(~((u64
)0));
3753 max
= div_u64(max
, NSEC_PER_MSEC
);
3757 ms
*= NSEC_PER_MSEC
;
3758 *result
= nsecs_to_jiffies64(ms
);
3762 __be64
nf_jiffies64_to_msecs(u64 input
)
3764 return cpu_to_be64(jiffies64_to_msecs(input
));
3767 static int nf_tables_fill_set_concat(struct sk_buff
*skb
,
3768 const struct nft_set
*set
)
3770 struct nlattr
*concat
, *field
;
3773 concat
= nla_nest_start_noflag(skb
, NFTA_SET_DESC_CONCAT
);
3777 for (i
= 0; i
< set
->field_count
; i
++) {
3778 field
= nla_nest_start_noflag(skb
, NFTA_LIST_ELEM
);
3782 if (nla_put_be32(skb
, NFTA_SET_FIELD_LEN
,
3783 htonl(set
->field_len
[i
])))
3786 nla_nest_end(skb
, field
);
3789 nla_nest_end(skb
, concat
);
3794 static int nf_tables_fill_set(struct sk_buff
*skb
, const struct nft_ctx
*ctx
,
3795 const struct nft_set
*set
, u16 event
, u16 flags
)
3797 struct nlmsghdr
*nlh
;
3798 u32 portid
= ctx
->portid
;
3799 struct nlattr
*nest
;
3803 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
3804 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, ctx
->family
,
3805 NFNETLINK_V0
, nft_base_seq(ctx
->net
));
3807 goto nla_put_failure
;
3809 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
3810 goto nla_put_failure
;
3811 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
3812 goto nla_put_failure
;
3813 if (nla_put_be64(skb
, NFTA_SET_HANDLE
, cpu_to_be64(set
->handle
),
3815 goto nla_put_failure
;
3816 if (set
->flags
!= 0)
3817 if (nla_put_be32(skb
, NFTA_SET_FLAGS
, htonl(set
->flags
)))
3818 goto nla_put_failure
;
3820 if (nla_put_be32(skb
, NFTA_SET_KEY_TYPE
, htonl(set
->ktype
)))
3821 goto nla_put_failure
;
3822 if (nla_put_be32(skb
, NFTA_SET_KEY_LEN
, htonl(set
->klen
)))
3823 goto nla_put_failure
;
3824 if (set
->flags
& NFT_SET_MAP
) {
3825 if (nla_put_be32(skb
, NFTA_SET_DATA_TYPE
, htonl(set
->dtype
)))
3826 goto nla_put_failure
;
3827 if (nla_put_be32(skb
, NFTA_SET_DATA_LEN
, htonl(set
->dlen
)))
3828 goto nla_put_failure
;
3830 if (set
->flags
& NFT_SET_OBJECT
&&
3831 nla_put_be32(skb
, NFTA_SET_OBJ_TYPE
, htonl(set
->objtype
)))
3832 goto nla_put_failure
;
3835 nla_put_be64(skb
, NFTA_SET_TIMEOUT
,
3836 nf_jiffies64_to_msecs(set
->timeout
),
3838 goto nla_put_failure
;
3840 nla_put_be32(skb
, NFTA_SET_GC_INTERVAL
, htonl(set
->gc_int
)))
3841 goto nla_put_failure
;
3843 if (set
->policy
!= NFT_SET_POL_PERFORMANCE
) {
3844 if (nla_put_be32(skb
, NFTA_SET_POLICY
, htonl(set
->policy
)))
3845 goto nla_put_failure
;
3849 nla_put(skb
, NFTA_SET_USERDATA
, set
->udlen
, set
->udata
))
3850 goto nla_put_failure
;
3852 nest
= nla_nest_start_noflag(skb
, NFTA_SET_DESC
);
3854 goto nla_put_failure
;
3856 nla_put_be32(skb
, NFTA_SET_DESC_SIZE
, htonl(set
->size
)))
3857 goto nla_put_failure
;
3859 if (set
->field_count
> 1 &&
3860 nf_tables_fill_set_concat(skb
, set
))
3861 goto nla_put_failure
;
3863 nla_nest_end(skb
, nest
);
3865 if (set
->num_exprs
== 1) {
3866 nest
= nla_nest_start_noflag(skb
, NFTA_SET_EXPR
);
3867 if (nf_tables_fill_expr_info(skb
, set
->exprs
[0]) < 0)
3868 goto nla_put_failure
;
3870 nla_nest_end(skb
, nest
);
3871 } else if (set
->num_exprs
> 1) {
3872 nest
= nla_nest_start_noflag(skb
, NFTA_SET_EXPRESSIONS
);
3874 goto nla_put_failure
;
3876 for (i
= 0; i
< set
->num_exprs
; i
++) {
3877 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
,
3879 goto nla_put_failure
;
3881 nla_nest_end(skb
, nest
);
3884 nlmsg_end(skb
, nlh
);
3888 nlmsg_trim(skb
, nlh
);
3892 static void nf_tables_set_notify(const struct nft_ctx
*ctx
,
3893 const struct nft_set
*set
, int event
,
3896 struct sk_buff
*skb
;
3897 u32 portid
= ctx
->portid
;
3901 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
3904 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp_flags
);
3908 err
= nf_tables_fill_set(skb
, ctx
, set
, event
, 0);
3914 nft_notify_enqueue(skb
, ctx
->report
, &ctx
->net
->nft
.notify_list
);
3917 nfnetlink_set_err(ctx
->net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
3920 static int nf_tables_dump_sets(struct sk_buff
*skb
, struct netlink_callback
*cb
)
3922 const struct nft_set
*set
;
3923 unsigned int idx
, s_idx
= cb
->args
[0];
3924 struct nft_table
*table
, *cur_table
= (struct nft_table
*)cb
->args
[2];
3925 struct net
*net
= sock_net(skb
->sk
);
3926 struct nft_ctx
*ctx
= cb
->data
, ctx_set
;
3932 cb
->seq
= net
->nft
.base_seq
;
3934 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
3935 if (ctx
->family
!= NFPROTO_UNSPEC
&&
3936 ctx
->family
!= table
->family
)
3939 if (ctx
->table
&& ctx
->table
!= table
)
3943 if (cur_table
!= table
)
3949 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
3952 if (!nft_is_active(net
, set
))
3956 ctx_set
.table
= table
;
3957 ctx_set
.family
= table
->family
;
3959 if (nf_tables_fill_set(skb
, &ctx_set
, set
,
3963 cb
->args
[2] = (unsigned long) table
;
3966 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
3979 static int nf_tables_dump_sets_start(struct netlink_callback
*cb
)
3981 struct nft_ctx
*ctx_dump
= NULL
;
3983 ctx_dump
= kmemdup(cb
->data
, sizeof(*ctx_dump
), GFP_ATOMIC
);
3984 if (ctx_dump
== NULL
)
3987 cb
->data
= ctx_dump
;
3991 static int nf_tables_dump_sets_done(struct netlink_callback
*cb
)
3997 /* called with rcu_read_lock held */
3998 static int nf_tables_getset(struct net
*net
, struct sock
*nlsk
,
3999 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4000 const struct nlattr
* const nla
[],
4001 struct netlink_ext_ack
*extack
)
4003 u8 genmask
= nft_genmask_cur(net
);
4004 const struct nft_set
*set
;
4006 struct sk_buff
*skb2
;
4007 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
4010 /* Verify existence before starting dump */
4011 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
4016 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
4017 struct netlink_dump_control c
= {
4018 .start
= nf_tables_dump_sets_start
,
4019 .dump
= nf_tables_dump_sets
,
4020 .done
= nf_tables_dump_sets_done
,
4022 .module
= THIS_MODULE
,
4025 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
4028 /* Only accept unspec with dump */
4029 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
4030 return -EAFNOSUPPORT
;
4031 if (!nla
[NFTA_SET_TABLE
])
4034 set
= nft_set_lookup(ctx
.table
, nla
[NFTA_SET_NAME
], genmask
);
4036 return PTR_ERR(set
);
4038 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
4042 err
= nf_tables_fill_set(skb2
, &ctx
, set
, NFT_MSG_NEWSET
, 0);
4044 goto err_fill_set_info
;
4046 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
4053 static const struct nla_policy nft_concat_policy
[NFTA_SET_FIELD_MAX
+ 1] = {
4054 [NFTA_SET_FIELD_LEN
] = { .type
= NLA_U32
},
4057 static int nft_set_desc_concat_parse(const struct nlattr
*attr
,
4058 struct nft_set_desc
*desc
)
4060 struct nlattr
*tb
[NFTA_SET_FIELD_MAX
+ 1];
4064 err
= nla_parse_nested_deprecated(tb
, NFTA_SET_FIELD_MAX
, attr
,
4065 nft_concat_policy
, NULL
);
4069 if (!tb
[NFTA_SET_FIELD_LEN
])
4072 len
= ntohl(nla_get_be32(tb
[NFTA_SET_FIELD_LEN
]));
4074 if (len
* BITS_PER_BYTE
/ 32 > NFT_REG32_COUNT
)
4077 desc
->field_len
[desc
->field_count
++] = len
;
4082 static int nft_set_desc_concat(struct nft_set_desc
*desc
,
4083 const struct nlattr
*nla
)
4085 struct nlattr
*attr
;
4088 nla_for_each_nested(attr
, nla
, rem
) {
4089 if (nla_type(attr
) != NFTA_LIST_ELEM
)
4092 err
= nft_set_desc_concat_parse(attr
, desc
);
4100 static int nf_tables_set_desc_parse(struct nft_set_desc
*desc
,
4101 const struct nlattr
*nla
)
4103 struct nlattr
*da
[NFTA_SET_DESC_MAX
+ 1];
4106 err
= nla_parse_nested_deprecated(da
, NFTA_SET_DESC_MAX
, nla
,
4107 nft_set_desc_policy
, NULL
);
4111 if (da
[NFTA_SET_DESC_SIZE
] != NULL
)
4112 desc
->size
= ntohl(nla_get_be32(da
[NFTA_SET_DESC_SIZE
]));
4113 if (da
[NFTA_SET_DESC_CONCAT
])
4114 err
= nft_set_desc_concat(desc
, da
[NFTA_SET_DESC_CONCAT
]);
4119 static int nf_tables_newset(struct net
*net
, struct sock
*nlsk
,
4120 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4121 const struct nlattr
* const nla
[],
4122 struct netlink_ext_ack
*extack
)
4124 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
4125 u8 genmask
= nft_genmask_next(net
);
4126 int family
= nfmsg
->nfgen_family
;
4127 const struct nft_set_ops
*ops
;
4128 struct nft_expr
*expr
= NULL
;
4129 struct nft_table
*table
;
4130 struct nft_set
*set
;
4135 u32 ktype
, dtype
, flags
, policy
, gc_int
, objtype
;
4136 struct nft_set_desc desc
;
4137 unsigned char *udata
;
4142 if (nla
[NFTA_SET_TABLE
] == NULL
||
4143 nla
[NFTA_SET_NAME
] == NULL
||
4144 nla
[NFTA_SET_KEY_LEN
] == NULL
||
4145 nla
[NFTA_SET_ID
] == NULL
)
4148 memset(&desc
, 0, sizeof(desc
));
4150 ktype
= NFT_DATA_VALUE
;
4151 if (nla
[NFTA_SET_KEY_TYPE
] != NULL
) {
4152 ktype
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_TYPE
]));
4153 if ((ktype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
)
4157 desc
.klen
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_LEN
]));
4158 if (desc
.klen
== 0 || desc
.klen
> NFT_DATA_VALUE_MAXLEN
)
4162 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
4163 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
4164 if (flags
& ~(NFT_SET_ANONYMOUS
| NFT_SET_CONSTANT
|
4165 NFT_SET_INTERVAL
| NFT_SET_TIMEOUT
|
4166 NFT_SET_MAP
| NFT_SET_EVAL
|
4167 NFT_SET_OBJECT
| NFT_SET_CONCAT
| NFT_SET_EXPR
))
4169 /* Only one of these operations is supported */
4170 if ((flags
& (NFT_SET_MAP
| NFT_SET_OBJECT
)) ==
4171 (NFT_SET_MAP
| NFT_SET_OBJECT
))
4173 if ((flags
& (NFT_SET_EVAL
| NFT_SET_OBJECT
)) ==
4174 (NFT_SET_EVAL
| NFT_SET_OBJECT
))
4179 if (nla
[NFTA_SET_DATA_TYPE
] != NULL
) {
4180 if (!(flags
& NFT_SET_MAP
))
4183 dtype
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_TYPE
]));
4184 if ((dtype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
&&
4185 dtype
!= NFT_DATA_VERDICT
)
4188 if (dtype
!= NFT_DATA_VERDICT
) {
4189 if (nla
[NFTA_SET_DATA_LEN
] == NULL
)
4191 desc
.dlen
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_LEN
]));
4192 if (desc
.dlen
== 0 || desc
.dlen
> NFT_DATA_VALUE_MAXLEN
)
4195 desc
.dlen
= sizeof(struct nft_verdict
);
4196 } else if (flags
& NFT_SET_MAP
)
4199 if (nla
[NFTA_SET_OBJ_TYPE
] != NULL
) {
4200 if (!(flags
& NFT_SET_OBJECT
))
4203 objtype
= ntohl(nla_get_be32(nla
[NFTA_SET_OBJ_TYPE
]));
4204 if (objtype
== NFT_OBJECT_UNSPEC
||
4205 objtype
> NFT_OBJECT_MAX
)
4207 } else if (flags
& NFT_SET_OBJECT
)
4210 objtype
= NFT_OBJECT_UNSPEC
;
4213 if (nla
[NFTA_SET_TIMEOUT
] != NULL
) {
4214 if (!(flags
& NFT_SET_TIMEOUT
))
4217 err
= nf_msecs_to_jiffies64(nla
[NFTA_SET_TIMEOUT
], &timeout
);
4222 if (nla
[NFTA_SET_GC_INTERVAL
] != NULL
) {
4223 if (!(flags
& NFT_SET_TIMEOUT
))
4225 gc_int
= ntohl(nla_get_be32(nla
[NFTA_SET_GC_INTERVAL
]));
4228 policy
= NFT_SET_POL_PERFORMANCE
;
4229 if (nla
[NFTA_SET_POLICY
] != NULL
)
4230 policy
= ntohl(nla_get_be32(nla
[NFTA_SET_POLICY
]));
4232 if (nla
[NFTA_SET_DESC
] != NULL
) {
4233 err
= nf_tables_set_desc_parse(&desc
, nla
[NFTA_SET_DESC
]);
4238 if (nla
[NFTA_SET_EXPR
] || nla
[NFTA_SET_EXPRESSIONS
])
4241 table
= nft_table_lookup(net
, nla
[NFTA_SET_TABLE
], family
, genmask
,
4242 NETLINK_CB(skb
).portid
);
4243 if (IS_ERR(table
)) {
4244 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_TABLE
]);
4245 return PTR_ERR(table
);
4248 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
4250 set
= nft_set_lookup(table
, nla
[NFTA_SET_NAME
], genmask
);
4252 if (PTR_ERR(set
) != -ENOENT
) {
4253 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_NAME
]);
4254 return PTR_ERR(set
);
4257 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
4258 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_NAME
]);
4261 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
4267 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
4270 ops
= nft_select_set_ops(&ctx
, nla
, &desc
, policy
);
4272 return PTR_ERR(ops
);
4275 if (nla
[NFTA_SET_USERDATA
])
4276 udlen
= nla_len(nla
[NFTA_SET_USERDATA
]);
4279 if (ops
->privsize
!= NULL
)
4280 size
= ops
->privsize(nla
, &desc
);
4282 set
= kvzalloc(sizeof(*set
) + size
+ udlen
, GFP_KERNEL
);
4286 name
= nla_strdup(nla
[NFTA_SET_NAME
], GFP_KERNEL
);
4292 err
= nf_tables_set_alloc_name(&ctx
, set
, name
);
4295 goto err_set_alloc_name
;
4297 if (nla
[NFTA_SET_EXPR
]) {
4298 expr
= nft_set_elem_expr_alloc(&ctx
, set
, nla
[NFTA_SET_EXPR
]);
4300 err
= PTR_ERR(expr
);
4301 goto err_set_alloc_name
;
4303 set
->exprs
[0] = expr
;
4305 } else if (nla
[NFTA_SET_EXPRESSIONS
]) {
4306 struct nft_expr
*expr
;
4310 if (!(flags
& NFT_SET_EXPR
)) {
4312 goto err_set_alloc_name
;
4315 nla_for_each_nested(tmp
, nla
[NFTA_SET_EXPRESSIONS
], left
) {
4316 if (i
== NFT_SET_EXPR_MAX
) {
4320 if (nla_type(tmp
) != NFTA_LIST_ELEM
) {
4324 expr
= nft_set_elem_expr_alloc(&ctx
, set
, tmp
);
4326 err
= PTR_ERR(expr
);
4329 set
->exprs
[i
++] = expr
;
4336 udata
= set
->data
+ size
;
4337 nla_memcpy(udata
, nla
[NFTA_SET_USERDATA
], udlen
);
4340 INIT_LIST_HEAD(&set
->bindings
);
4342 write_pnet(&set
->net
, net
);
4345 set
->klen
= desc
.klen
;
4347 set
->objtype
= objtype
;
4348 set
->dlen
= desc
.dlen
;
4350 set
->size
= desc
.size
;
4351 set
->policy
= policy
;
4354 set
->timeout
= timeout
;
4355 set
->gc_int
= gc_int
;
4356 set
->handle
= nf_tables_alloc_handle(table
);
4358 set
->field_count
= desc
.field_count
;
4359 for (i
= 0; i
< desc
.field_count
; i
++)
4360 set
->field_len
[i
] = desc
.field_len
[i
];
4362 err
= ops
->init(set
, &desc
, nla
);
4366 err
= nft_trans_set_add(&ctx
, NFT_MSG_NEWSET
, set
);
4370 list_add_tail_rcu(&set
->list
, &table
->sets
);
4377 for (i
= 0; i
< set
->num_exprs
; i
++)
4378 nft_expr_destroy(&ctx
, set
->exprs
[i
]);
4386 static void nft_set_destroy(const struct nft_ctx
*ctx
, struct nft_set
*set
)
4390 if (WARN_ON(set
->use
> 0))
4393 for (i
= 0; i
< set
->num_exprs
; i
++)
4394 nft_expr_destroy(ctx
, set
->exprs
[i
]);
4396 set
->ops
->destroy(set
);
4401 static int nf_tables_delset(struct net
*net
, struct sock
*nlsk
,
4402 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
4403 const struct nlattr
* const nla
[],
4404 struct netlink_ext_ack
*extack
)
4406 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
4407 u8 genmask
= nft_genmask_next(net
);
4408 const struct nlattr
*attr
;
4409 struct nft_set
*set
;
4413 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
4414 return -EAFNOSUPPORT
;
4415 if (nla
[NFTA_SET_TABLE
] == NULL
)
4418 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
4419 genmask
, NETLINK_CB(skb
).portid
);
4423 if (nla
[NFTA_SET_HANDLE
]) {
4424 attr
= nla
[NFTA_SET_HANDLE
];
4425 set
= nft_set_lookup_byhandle(ctx
.table
, attr
, genmask
);
4427 attr
= nla
[NFTA_SET_NAME
];
4428 set
= nft_set_lookup(ctx
.table
, attr
, genmask
);
4432 NL_SET_BAD_ATTR(extack
, attr
);
4433 return PTR_ERR(set
);
4436 (nlh
->nlmsg_flags
& NLM_F_NONREC
&& atomic_read(&set
->nelems
) > 0)) {
4437 NL_SET_BAD_ATTR(extack
, attr
);
4441 return nft_delset(&ctx
, set
);
4444 static int nft_validate_register_store(const struct nft_ctx
*ctx
,
4445 enum nft_registers reg
,
4446 const struct nft_data
*data
,
4447 enum nft_data_types type
,
4450 static int nf_tables_bind_check_setelem(const struct nft_ctx
*ctx
,
4451 struct nft_set
*set
,
4452 const struct nft_set_iter
*iter
,
4453 struct nft_set_elem
*elem
)
4455 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
4456 enum nft_registers dreg
;
4458 dreg
= nft_type_to_reg(set
->dtype
);
4459 return nft_validate_register_store(ctx
, dreg
, nft_set_ext_data(ext
),
4460 set
->dtype
== NFT_DATA_VERDICT
?
4461 NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
4465 int nf_tables_bind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
4466 struct nft_set_binding
*binding
)
4468 struct nft_set_binding
*i
;
4469 struct nft_set_iter iter
;
4471 if (set
->use
== UINT_MAX
)
4474 if (!list_empty(&set
->bindings
) && nft_set_is_anonymous(set
))
4477 if (binding
->flags
& NFT_SET_MAP
) {
4478 /* If the set is already bound to the same chain all
4479 * jumps are already validated for that chain.
4481 list_for_each_entry(i
, &set
->bindings
, list
) {
4482 if (i
->flags
& NFT_SET_MAP
&&
4483 i
->chain
== binding
->chain
)
4487 iter
.genmask
= nft_genmask_next(ctx
->net
);
4491 iter
.fn
= nf_tables_bind_check_setelem
;
4493 set
->ops
->walk(ctx
, set
, &iter
);
4498 binding
->chain
= ctx
->chain
;
4499 list_add_tail_rcu(&binding
->list
, &set
->bindings
);
4500 nft_set_trans_bind(ctx
, set
);
4505 EXPORT_SYMBOL_GPL(nf_tables_bind_set
);
4507 static void nf_tables_unbind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
4508 struct nft_set_binding
*binding
, bool event
)
4510 list_del_rcu(&binding
->list
);
4512 if (list_empty(&set
->bindings
) && nft_set_is_anonymous(set
)) {
4513 list_del_rcu(&set
->list
);
4515 nf_tables_set_notify(ctx
, set
, NFT_MSG_DELSET
,
4520 void nf_tables_deactivate_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
4521 struct nft_set_binding
*binding
,
4522 enum nft_trans_phase phase
)
4525 case NFT_TRANS_PREPARE
:
4528 case NFT_TRANS_ABORT
:
4529 case NFT_TRANS_RELEASE
:
4533 nf_tables_unbind_set(ctx
, set
, binding
,
4534 phase
== NFT_TRANS_COMMIT
);
4537 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set
);
4539 void nf_tables_destroy_set(const struct nft_ctx
*ctx
, struct nft_set
*set
)
4541 if (list_empty(&set
->bindings
) && nft_set_is_anonymous(set
))
4542 nft_set_destroy(ctx
, set
);
4544 EXPORT_SYMBOL_GPL(nf_tables_destroy_set
);
4546 const struct nft_set_ext_type nft_set_ext_types
[] = {
4547 [NFT_SET_EXT_KEY
] = {
4548 .align
= __alignof__(u32
),
4550 [NFT_SET_EXT_DATA
] = {
4551 .align
= __alignof__(u32
),
4553 [NFT_SET_EXT_EXPRESSIONS
] = {
4554 .align
= __alignof__(struct nft_set_elem_expr
),
4556 [NFT_SET_EXT_OBJREF
] = {
4557 .len
= sizeof(struct nft_object
*),
4558 .align
= __alignof__(struct nft_object
*),
4560 [NFT_SET_EXT_FLAGS
] = {
4562 .align
= __alignof__(u8
),
4564 [NFT_SET_EXT_TIMEOUT
] = {
4566 .align
= __alignof__(u64
),
4568 [NFT_SET_EXT_EXPIRATION
] = {
4570 .align
= __alignof__(u64
),
4572 [NFT_SET_EXT_USERDATA
] = {
4573 .len
= sizeof(struct nft_userdata
),
4574 .align
= __alignof__(struct nft_userdata
),
4576 [NFT_SET_EXT_KEY_END
] = {
4577 .align
= __alignof__(u32
),
4585 static const struct nla_policy nft_set_elem_policy
[NFTA_SET_ELEM_MAX
+ 1] = {
4586 [NFTA_SET_ELEM_KEY
] = { .type
= NLA_NESTED
},
4587 [NFTA_SET_ELEM_DATA
] = { .type
= NLA_NESTED
},
4588 [NFTA_SET_ELEM_FLAGS
] = { .type
= NLA_U32
},
4589 [NFTA_SET_ELEM_TIMEOUT
] = { .type
= NLA_U64
},
4590 [NFTA_SET_ELEM_EXPIRATION
] = { .type
= NLA_U64
},
4591 [NFTA_SET_ELEM_USERDATA
] = { .type
= NLA_BINARY
,
4592 .len
= NFT_USERDATA_MAXLEN
},
4593 [NFTA_SET_ELEM_EXPR
] = { .type
= NLA_NESTED
},
4594 [NFTA_SET_ELEM_OBJREF
] = { .type
= NLA_STRING
,
4595 .len
= NFT_OBJ_MAXNAMELEN
- 1 },
4596 [NFTA_SET_ELEM_KEY_END
] = { .type
= NLA_NESTED
},
4597 [NFTA_SET_ELEM_EXPRESSIONS
] = { .type
= NLA_NESTED
},
4600 static const struct nla_policy nft_set_elem_list_policy
[NFTA_SET_ELEM_LIST_MAX
+ 1] = {
4601 [NFTA_SET_ELEM_LIST_TABLE
] = { .type
= NLA_STRING
,
4602 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
4603 [NFTA_SET_ELEM_LIST_SET
] = { .type
= NLA_STRING
,
4604 .len
= NFT_SET_MAXNAMELEN
- 1 },
4605 [NFTA_SET_ELEM_LIST_ELEMENTS
] = { .type
= NLA_NESTED
},
4606 [NFTA_SET_ELEM_LIST_SET_ID
] = { .type
= NLA_U32
},
4609 static int nft_ctx_init_from_elemattr(struct nft_ctx
*ctx
, struct net
*net
,
4610 const struct sk_buff
*skb
,
4611 const struct nlmsghdr
*nlh
,
4612 const struct nlattr
* const nla
[],
4613 struct netlink_ext_ack
*extack
,
4614 u8 genmask
, u32 nlpid
)
4616 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
4617 int family
= nfmsg
->nfgen_family
;
4618 struct nft_table
*table
;
4620 table
= nft_table_lookup(net
, nla
[NFTA_SET_ELEM_LIST_TABLE
], family
,
4622 if (IS_ERR(table
)) {
4623 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_ELEM_LIST_TABLE
]);
4624 return PTR_ERR(table
);
4627 nft_ctx_init(ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
4631 static int nft_set_elem_expr_dump(struct sk_buff
*skb
,
4632 const struct nft_set
*set
,
4633 const struct nft_set_ext
*ext
)
4635 struct nft_set_elem_expr
*elem_expr
;
4636 u32 size
, num_exprs
= 0;
4637 struct nft_expr
*expr
;
4638 struct nlattr
*nest
;
4640 elem_expr
= nft_set_ext_expr(ext
);
4641 nft_setelem_expr_foreach(expr
, elem_expr
, size
)
4644 if (num_exprs
== 1) {
4645 expr
= nft_setelem_expr_at(elem_expr
, 0);
4646 if (nft_expr_dump(skb
, NFTA_SET_ELEM_EXPR
, expr
) < 0)
4650 } else if (num_exprs
> 1) {
4651 nest
= nla_nest_start_noflag(skb
, NFTA_SET_ELEM_EXPRESSIONS
);
4653 goto nla_put_failure
;
4655 nft_setelem_expr_foreach(expr
, elem_expr
, size
) {
4656 expr
= nft_setelem_expr_at(elem_expr
, size
);
4657 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
, expr
) < 0)
4658 goto nla_put_failure
;
4660 nla_nest_end(skb
, nest
);
4668 static int nf_tables_fill_setelem(struct sk_buff
*skb
,
4669 const struct nft_set
*set
,
4670 const struct nft_set_elem
*elem
)
4672 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
4673 unsigned char *b
= skb_tail_pointer(skb
);
4674 struct nlattr
*nest
;
4676 nest
= nla_nest_start_noflag(skb
, NFTA_LIST_ELEM
);
4678 goto nla_put_failure
;
4680 if (nft_data_dump(skb
, NFTA_SET_ELEM_KEY
, nft_set_ext_key(ext
),
4681 NFT_DATA_VALUE
, set
->klen
) < 0)
4682 goto nla_put_failure
;
4684 if (nft_set_ext_exists(ext
, NFT_SET_EXT_KEY_END
) &&
4685 nft_data_dump(skb
, NFTA_SET_ELEM_KEY_END
, nft_set_ext_key_end(ext
),
4686 NFT_DATA_VALUE
, set
->klen
) < 0)
4687 goto nla_put_failure
;
4689 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
4690 nft_data_dump(skb
, NFTA_SET_ELEM_DATA
, nft_set_ext_data(ext
),
4691 set
->dtype
== NFT_DATA_VERDICT
? NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
4693 goto nla_put_failure
;
4695 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPRESSIONS
) &&
4696 nft_set_elem_expr_dump(skb
, set
, ext
))
4697 goto nla_put_failure
;
4699 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) &&
4700 nla_put_string(skb
, NFTA_SET_ELEM_OBJREF
,
4701 (*nft_set_ext_obj(ext
))->key
.name
) < 0)
4702 goto nla_put_failure
;
4704 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
4705 nla_put_be32(skb
, NFTA_SET_ELEM_FLAGS
,
4706 htonl(*nft_set_ext_flags(ext
))))
4707 goto nla_put_failure
;
4709 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
) &&
4710 nla_put_be64(skb
, NFTA_SET_ELEM_TIMEOUT
,
4711 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext
)),
4713 goto nla_put_failure
;
4715 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
)) {
4716 u64 expires
, now
= get_jiffies_64();
4718 expires
= *nft_set_ext_expiration(ext
);
4719 if (time_before64(now
, expires
))
4724 if (nla_put_be64(skb
, NFTA_SET_ELEM_EXPIRATION
,
4725 nf_jiffies64_to_msecs(expires
),
4727 goto nla_put_failure
;
4730 if (nft_set_ext_exists(ext
, NFT_SET_EXT_USERDATA
)) {
4731 struct nft_userdata
*udata
;
4733 udata
= nft_set_ext_userdata(ext
);
4734 if (nla_put(skb
, NFTA_SET_ELEM_USERDATA
,
4735 udata
->len
+ 1, udata
->data
))
4736 goto nla_put_failure
;
4739 nla_nest_end(skb
, nest
);
4747 struct nft_set_dump_args
{
4748 const struct netlink_callback
*cb
;
4749 struct nft_set_iter iter
;
4750 struct sk_buff
*skb
;
4753 static int nf_tables_dump_setelem(const struct nft_ctx
*ctx
,
4754 struct nft_set
*set
,
4755 const struct nft_set_iter
*iter
,
4756 struct nft_set_elem
*elem
)
4758 struct nft_set_dump_args
*args
;
4760 args
= container_of(iter
, struct nft_set_dump_args
, iter
);
4761 return nf_tables_fill_setelem(args
->skb
, set
, elem
);
4764 struct nft_set_dump_ctx
{
4765 const struct nft_set
*set
;
4769 static int nf_tables_dump_set(struct sk_buff
*skb
, struct netlink_callback
*cb
)
4771 struct nft_set_dump_ctx
*dump_ctx
= cb
->data
;
4772 struct net
*net
= sock_net(skb
->sk
);
4773 struct nft_table
*table
;
4774 struct nft_set
*set
;
4775 struct nft_set_dump_args args
;
4776 bool set_found
= false;
4777 struct nlmsghdr
*nlh
;
4778 struct nlattr
*nest
;
4783 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
4784 if (dump_ctx
->ctx
.family
!= NFPROTO_UNSPEC
&&
4785 dump_ctx
->ctx
.family
!= table
->family
)
4788 if (table
!= dump_ctx
->ctx
.table
)
4791 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
4792 if (set
== dump_ctx
->set
) {
4805 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, NFT_MSG_NEWSETELEM
);
4806 portid
= NETLINK_CB(cb
->skb
).portid
;
4807 seq
= cb
->nlh
->nlmsg_seq
;
4809 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, NLM_F_MULTI
,
4810 table
->family
, NFNETLINK_V0
, nft_base_seq(net
));
4812 goto nla_put_failure
;
4814 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_TABLE
, table
->name
))
4815 goto nla_put_failure
;
4816 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_SET
, set
->name
))
4817 goto nla_put_failure
;
4819 nest
= nla_nest_start_noflag(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
4821 goto nla_put_failure
;
4825 args
.iter
.genmask
= nft_genmask_cur(net
);
4826 args
.iter
.skip
= cb
->args
[0];
4827 args
.iter
.count
= 0;
4829 args
.iter
.fn
= nf_tables_dump_setelem
;
4830 set
->ops
->walk(&dump_ctx
->ctx
, set
, &args
.iter
);
4833 nla_nest_end(skb
, nest
);
4834 nlmsg_end(skb
, nlh
);
4836 if (args
.iter
.err
&& args
.iter
.err
!= -EMSGSIZE
)
4837 return args
.iter
.err
;
4838 if (args
.iter
.count
== cb
->args
[0])
4841 cb
->args
[0] = args
.iter
.count
;
4849 static int nf_tables_dump_set_start(struct netlink_callback
*cb
)
4851 struct nft_set_dump_ctx
*dump_ctx
= cb
->data
;
4853 cb
->data
= kmemdup(dump_ctx
, sizeof(*dump_ctx
), GFP_ATOMIC
);
4855 return cb
->data
? 0 : -ENOMEM
;
4858 static int nf_tables_dump_set_done(struct netlink_callback
*cb
)
4864 static int nf_tables_fill_setelem_info(struct sk_buff
*skb
,
4865 const struct nft_ctx
*ctx
, u32 seq
,
4866 u32 portid
, int event
, u16 flags
,
4867 const struct nft_set
*set
,
4868 const struct nft_set_elem
*elem
)
4870 struct nlmsghdr
*nlh
;
4871 struct nlattr
*nest
;
4874 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
4875 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, ctx
->family
,
4876 NFNETLINK_V0
, nft_base_seq(ctx
->net
));
4878 goto nla_put_failure
;
4880 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
4881 goto nla_put_failure
;
4882 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
4883 goto nla_put_failure
;
4885 nest
= nla_nest_start_noflag(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
4887 goto nla_put_failure
;
4889 err
= nf_tables_fill_setelem(skb
, set
, elem
);
4891 goto nla_put_failure
;
4893 nla_nest_end(skb
, nest
);
4895 nlmsg_end(skb
, nlh
);
4899 nlmsg_trim(skb
, nlh
);
4903 static int nft_setelem_parse_flags(const struct nft_set
*set
,
4904 const struct nlattr
*attr
, u32
*flags
)
4909 *flags
= ntohl(nla_get_be32(attr
));
4910 if (*flags
& ~NFT_SET_ELEM_INTERVAL_END
)
4912 if (!(set
->flags
& NFT_SET_INTERVAL
) &&
4913 *flags
& NFT_SET_ELEM_INTERVAL_END
)
4919 static int nft_setelem_parse_key(struct nft_ctx
*ctx
, struct nft_set
*set
,
4920 struct nft_data
*key
, struct nlattr
*attr
)
4922 struct nft_data_desc desc
;
4925 err
= nft_data_init(ctx
, key
, NFT_DATA_VALUE_MAXLEN
, &desc
, attr
);
4929 if (desc
.type
!= NFT_DATA_VALUE
|| desc
.len
!= set
->klen
) {
4930 nft_data_release(key
, desc
.type
);
4937 static int nft_setelem_parse_data(struct nft_ctx
*ctx
, struct nft_set
*set
,
4938 struct nft_data_desc
*desc
,
4939 struct nft_data
*data
,
4940 struct nlattr
*attr
)
4944 err
= nft_data_init(ctx
, data
, NFT_DATA_VALUE_MAXLEN
, desc
, attr
);
4948 if (desc
->type
!= NFT_DATA_VERDICT
&& desc
->len
!= set
->dlen
) {
4949 nft_data_release(data
, desc
->type
);
4956 static int nft_get_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
4957 const struct nlattr
*attr
)
4959 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
4960 struct nft_set_elem elem
;
4961 struct sk_buff
*skb
;
4966 err
= nla_parse_nested_deprecated(nla
, NFTA_SET_ELEM_MAX
, attr
,
4967 nft_set_elem_policy
, NULL
);
4971 if (!nla
[NFTA_SET_ELEM_KEY
])
4974 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
4978 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key
.val
,
4979 nla
[NFTA_SET_ELEM_KEY
]);
4983 if (nla
[NFTA_SET_ELEM_KEY_END
]) {
4984 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key_end
.val
,
4985 nla
[NFTA_SET_ELEM_KEY_END
]);
4990 priv
= set
->ops
->get(ctx
->net
, set
, &elem
, flags
);
4992 return PTR_ERR(priv
);
4997 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_ATOMIC
);
5001 err
= nf_tables_fill_setelem_info(skb
, ctx
, ctx
->seq
, ctx
->portid
,
5002 NFT_MSG_NEWSETELEM
, 0, set
, &elem
);
5004 goto err_fill_setelem
;
5006 return nfnetlink_unicast(skb
, ctx
->net
, ctx
->portid
);
5013 /* called with rcu_read_lock held */
5014 static int nf_tables_getsetelem(struct net
*net
, struct sock
*nlsk
,
5015 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
5016 const struct nlattr
* const nla
[],
5017 struct netlink_ext_ack
*extack
)
5019 u8 genmask
= nft_genmask_cur(net
);
5020 struct nft_set
*set
;
5021 struct nlattr
*attr
;
5025 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
5026 genmask
, NETLINK_CB(skb
).portid
);
5030 set
= nft_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
], genmask
);
5032 return PTR_ERR(set
);
5034 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
5035 struct netlink_dump_control c
= {
5036 .start
= nf_tables_dump_set_start
,
5037 .dump
= nf_tables_dump_set
,
5038 .done
= nf_tables_dump_set_done
,
5039 .module
= THIS_MODULE
,
5041 struct nft_set_dump_ctx dump_ctx
= {
5047 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
5050 if (!nla
[NFTA_SET_ELEM_LIST_ELEMENTS
])
5053 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
5054 err
= nft_get_set_elem(&ctx
, set
, attr
);
5062 static void nf_tables_setelem_notify(const struct nft_ctx
*ctx
,
5063 const struct nft_set
*set
,
5064 const struct nft_set_elem
*elem
,
5065 int event
, u16 flags
)
5067 struct net
*net
= ctx
->net
;
5068 u32 portid
= ctx
->portid
;
5069 struct sk_buff
*skb
;
5072 if (!ctx
->report
&& !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
5075 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
5079 err
= nf_tables_fill_setelem_info(skb
, ctx
, 0, portid
, event
, flags
,
5086 nft_notify_enqueue(skb
, ctx
->report
, &ctx
->net
->nft
.notify_list
);
5089 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
5092 static struct nft_trans
*nft_trans_elem_alloc(struct nft_ctx
*ctx
,
5094 struct nft_set
*set
)
5096 struct nft_trans
*trans
;
5098 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_elem
));
5102 nft_trans_elem_set(trans
) = set
;
5106 struct nft_expr
*nft_set_elem_expr_alloc(const struct nft_ctx
*ctx
,
5107 const struct nft_set
*set
,
5108 const struct nlattr
*attr
)
5110 struct nft_expr
*expr
;
5113 expr
= nft_expr_init(ctx
, attr
);
5118 if (!(expr
->ops
->type
->flags
& NFT_EXPR_STATEFUL
))
5119 goto err_set_elem_expr
;
5121 if (expr
->ops
->type
->flags
& NFT_EXPR_GC
) {
5122 if (set
->flags
& NFT_SET_TIMEOUT
)
5123 goto err_set_elem_expr
;
5124 if (!set
->ops
->gc_init
)
5125 goto err_set_elem_expr
;
5126 set
->ops
->gc_init(set
);
5132 nft_expr_destroy(ctx
, expr
);
5133 return ERR_PTR(err
);
5136 void *nft_set_elem_init(const struct nft_set
*set
,
5137 const struct nft_set_ext_tmpl
*tmpl
,
5138 const u32
*key
, const u32
*key_end
,
5139 const u32
*data
, u64 timeout
, u64 expiration
, gfp_t gfp
)
5141 struct nft_set_ext
*ext
;
5144 elem
= kzalloc(set
->ops
->elemsize
+ tmpl
->len
, gfp
);
5148 ext
= nft_set_elem_ext(set
, elem
);
5149 nft_set_ext_init(ext
, tmpl
);
5151 memcpy(nft_set_ext_key(ext
), key
, set
->klen
);
5152 if (nft_set_ext_exists(ext
, NFT_SET_EXT_KEY_END
))
5153 memcpy(nft_set_ext_key_end(ext
), key_end
, set
->klen
);
5154 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
5155 memcpy(nft_set_ext_data(ext
), data
, set
->dlen
);
5156 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
)) {
5157 *nft_set_ext_expiration(ext
) = get_jiffies_64() + expiration
;
5158 if (expiration
== 0)
5159 *nft_set_ext_expiration(ext
) += timeout
;
5161 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
))
5162 *nft_set_ext_timeout(ext
) = timeout
;
5167 static void __nft_set_elem_expr_destroy(const struct nft_ctx
*ctx
,
5168 struct nft_expr
*expr
)
5170 if (expr
->ops
->destroy_clone
) {
5171 expr
->ops
->destroy_clone(ctx
, expr
);
5172 module_put(expr
->ops
->type
->owner
);
5174 nf_tables_expr_destroy(ctx
, expr
);
5178 static void nft_set_elem_expr_destroy(const struct nft_ctx
*ctx
,
5179 struct nft_set_elem_expr
*elem_expr
)
5181 struct nft_expr
*expr
;
5184 nft_setelem_expr_foreach(expr
, elem_expr
, size
)
5185 __nft_set_elem_expr_destroy(ctx
, expr
);
5188 void nft_set_elem_destroy(const struct nft_set
*set
, void *elem
,
5191 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
5192 struct nft_ctx ctx
= {
5193 .net
= read_pnet(&set
->net
),
5194 .family
= set
->table
->family
,
5197 nft_data_release(nft_set_ext_key(ext
), NFT_DATA_VALUE
);
5198 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
5199 nft_data_release(nft_set_ext_data(ext
), set
->dtype
);
5200 if (destroy_expr
&& nft_set_ext_exists(ext
, NFT_SET_EXT_EXPRESSIONS
))
5201 nft_set_elem_expr_destroy(&ctx
, nft_set_ext_expr(ext
));
5203 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
5204 (*nft_set_ext_obj(ext
))->use
--;
5207 EXPORT_SYMBOL_GPL(nft_set_elem_destroy
);
5209 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5210 * the refcounting from the preparation phase.
5212 static void nf_tables_set_elem_destroy(const struct nft_ctx
*ctx
,
5213 const struct nft_set
*set
, void *elem
)
5215 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
5217 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPRESSIONS
))
5218 nft_set_elem_expr_destroy(ctx
, nft_set_ext_expr(ext
));
5223 int nft_set_elem_expr_clone(const struct nft_ctx
*ctx
, struct nft_set
*set
,
5224 struct nft_expr
*expr_array
[])
5226 struct nft_expr
*expr
;
5229 for (i
= 0; i
< set
->num_exprs
; i
++) {
5230 expr
= kzalloc(set
->exprs
[i
]->ops
->size
, GFP_KERNEL
);
5234 err
= nft_expr_clone(expr
, set
->exprs
[i
]);
5236 nft_expr_destroy(ctx
, expr
);
5239 expr_array
[i
] = expr
;
5245 for (k
= i
- 1; k
>= 0; k
--)
5246 nft_expr_destroy(ctx
, expr_array
[k
]);
5251 static void nft_set_elem_expr_setup(const struct nft_set_ext
*ext
, int i
,
5252 struct nft_expr
*expr_array
[])
5254 struct nft_set_elem_expr
*elem_expr
= nft_set_ext_expr(ext
);
5255 struct nft_expr
*expr
= nft_setelem_expr_at(elem_expr
, elem_expr
->size
);
5257 memcpy(expr
, expr_array
[i
], expr_array
[i
]->ops
->size
);
5258 elem_expr
->size
+= expr_array
[i
]->ops
->size
;
5259 kfree(expr_array
[i
]);
5260 expr_array
[i
] = NULL
;
5263 static int nft_add_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
5264 const struct nlattr
*attr
, u32 nlmsg_flags
)
5266 struct nft_expr
*expr_array
[NFT_SET_EXPR_MAX
] = {};
5267 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
5268 u8 genmask
= nft_genmask_next(ctx
->net
);
5269 u32 flags
= 0, size
= 0, num_exprs
= 0;
5270 struct nft_set_ext_tmpl tmpl
;
5271 struct nft_set_ext
*ext
, *ext2
;
5272 struct nft_set_elem elem
;
5273 struct nft_set_binding
*binding
;
5274 struct nft_object
*obj
= NULL
;
5275 struct nft_userdata
*udata
;
5276 struct nft_data_desc desc
;
5277 enum nft_registers dreg
;
5278 struct nft_trans
*trans
;
5284 err
= nla_parse_nested_deprecated(nla
, NFTA_SET_ELEM_MAX
, attr
,
5285 nft_set_elem_policy
, NULL
);
5289 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
5292 nft_set_ext_prepare(&tmpl
);
5294 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
5298 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
5300 if (set
->flags
& NFT_SET_MAP
) {
5301 if (nla
[NFTA_SET_ELEM_DATA
] == NULL
&&
5302 !(flags
& NFT_SET_ELEM_INTERVAL_END
))
5305 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
5309 if ((flags
& NFT_SET_ELEM_INTERVAL_END
) &&
5310 (nla
[NFTA_SET_ELEM_DATA
] ||
5311 nla
[NFTA_SET_ELEM_OBJREF
] ||
5312 nla
[NFTA_SET_ELEM_TIMEOUT
] ||
5313 nla
[NFTA_SET_ELEM_EXPIRATION
] ||
5314 nla
[NFTA_SET_ELEM_USERDATA
] ||
5315 nla
[NFTA_SET_ELEM_EXPR
] ||
5316 nla
[NFTA_SET_ELEM_EXPRESSIONS
]))
5320 if (nla
[NFTA_SET_ELEM_TIMEOUT
] != NULL
) {
5321 if (!(set
->flags
& NFT_SET_TIMEOUT
))
5323 err
= nf_msecs_to_jiffies64(nla
[NFTA_SET_ELEM_TIMEOUT
],
5327 } else if (set
->flags
& NFT_SET_TIMEOUT
) {
5328 timeout
= set
->timeout
;
5332 if (nla
[NFTA_SET_ELEM_EXPIRATION
] != NULL
) {
5333 if (!(set
->flags
& NFT_SET_TIMEOUT
))
5335 err
= nf_msecs_to_jiffies64(nla
[NFTA_SET_ELEM_EXPIRATION
],
5341 if (nla
[NFTA_SET_ELEM_EXPR
]) {
5342 struct nft_expr
*expr
;
5344 if (set
->num_exprs
&& set
->num_exprs
!= 1)
5347 expr
= nft_set_elem_expr_alloc(ctx
, set
,
5348 nla
[NFTA_SET_ELEM_EXPR
]);
5350 return PTR_ERR(expr
);
5352 expr_array
[0] = expr
;
5355 if (set
->num_exprs
&& set
->exprs
[0]->ops
!= expr
->ops
) {
5357 goto err_set_elem_expr
;
5359 } else if (nla
[NFTA_SET_ELEM_EXPRESSIONS
]) {
5360 struct nft_expr
*expr
;
5365 nla_for_each_nested(tmp
, nla
[NFTA_SET_ELEM_EXPRESSIONS
], left
) {
5366 if (i
== NFT_SET_EXPR_MAX
||
5367 (set
->num_exprs
&& set
->num_exprs
== i
)) {
5369 goto err_set_elem_expr
;
5371 if (nla_type(tmp
) != NFTA_LIST_ELEM
) {
5373 goto err_set_elem_expr
;
5375 expr
= nft_set_elem_expr_alloc(ctx
, set
, tmp
);
5377 err
= PTR_ERR(expr
);
5378 goto err_set_elem_expr
;
5380 expr_array
[i
] = expr
;
5383 if (set
->num_exprs
&& expr
->ops
!= set
->exprs
[i
]->ops
) {
5385 goto err_set_elem_expr
;
5389 if (set
->num_exprs
&& set
->num_exprs
!= i
) {
5391 goto err_set_elem_expr
;
5393 } else if (set
->num_exprs
> 0) {
5394 err
= nft_set_elem_expr_clone(ctx
, set
, expr_array
);
5396 goto err_set_elem_expr_clone
;
5398 num_exprs
= set
->num_exprs
;
5401 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key
.val
,
5402 nla
[NFTA_SET_ELEM_KEY
]);
5404 goto err_set_elem_expr
;
5406 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, set
->klen
);
5408 if (nla
[NFTA_SET_ELEM_KEY_END
]) {
5409 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key_end
.val
,
5410 nla
[NFTA_SET_ELEM_KEY_END
]);
5414 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY_END
, set
->klen
);
5418 nft_set_ext_add(&tmpl
, NFT_SET_EXT_EXPIRATION
);
5419 if (timeout
!= set
->timeout
)
5420 nft_set_ext_add(&tmpl
, NFT_SET_EXT_TIMEOUT
);
5424 for (i
= 0; i
< num_exprs
; i
++)
5425 size
+= expr_array
[i
]->ops
->size
;
5427 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_EXPRESSIONS
,
5428 sizeof(struct nft_set_elem_expr
) +
5432 if (nla
[NFTA_SET_ELEM_OBJREF
] != NULL
) {
5433 if (!(set
->flags
& NFT_SET_OBJECT
)) {
5435 goto err_parse_key_end
;
5437 obj
= nft_obj_lookup(ctx
->net
, ctx
->table
,
5438 nla
[NFTA_SET_ELEM_OBJREF
],
5439 set
->objtype
, genmask
);
5442 goto err_parse_key_end
;
5444 nft_set_ext_add(&tmpl
, NFT_SET_EXT_OBJREF
);
5447 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
) {
5448 err
= nft_setelem_parse_data(ctx
, set
, &desc
, &elem
.data
.val
,
5449 nla
[NFTA_SET_ELEM_DATA
]);
5451 goto err_parse_key_end
;
5453 dreg
= nft_type_to_reg(set
->dtype
);
5454 list_for_each_entry(binding
, &set
->bindings
, list
) {
5455 struct nft_ctx bind_ctx
= {
5457 .family
= ctx
->family
,
5458 .table
= ctx
->table
,
5459 .chain
= (struct nft_chain
*)binding
->chain
,
5462 if (!(binding
->flags
& NFT_SET_MAP
))
5465 err
= nft_validate_register_store(&bind_ctx
, dreg
,
5467 desc
.type
, desc
.len
);
5469 goto err_parse_data
;
5471 if (desc
.type
== NFT_DATA_VERDICT
&&
5472 (elem
.data
.val
.verdict
.code
== NFT_GOTO
||
5473 elem
.data
.val
.verdict
.code
== NFT_JUMP
))
5474 nft_validate_state_update(ctx
->net
,
5478 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_DATA
, desc
.len
);
5481 /* The full maximum length of userdata can exceed the maximum
5482 * offset value (U8_MAX) for following extensions, therefor it
5483 * must be the last extension added.
5486 if (nla
[NFTA_SET_ELEM_USERDATA
] != NULL
) {
5487 ulen
= nla_len(nla
[NFTA_SET_ELEM_USERDATA
]);
5489 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_USERDATA
,
5494 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
,
5495 elem
.key_end
.val
.data
, elem
.data
.val
.data
,
5496 timeout
, expiration
, GFP_KERNEL
);
5497 if (elem
.priv
== NULL
)
5498 goto err_parse_data
;
5500 ext
= nft_set_elem_ext(set
, elem
.priv
);
5502 *nft_set_ext_flags(ext
) = flags
;
5504 udata
= nft_set_ext_userdata(ext
);
5505 udata
->len
= ulen
- 1;
5506 nla_memcpy(&udata
->data
, nla
[NFTA_SET_ELEM_USERDATA
], ulen
);
5509 *nft_set_ext_obj(ext
) = obj
;
5512 for (i
= 0; i
< num_exprs
; i
++)
5513 nft_set_elem_expr_setup(ext
, i
, expr_array
);
5515 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_NEWSETELEM
, set
);
5519 ext
->genmask
= nft_genmask_cur(ctx
->net
) | NFT_SET_ELEM_BUSY_MASK
;
5520 err
= set
->ops
->insert(ctx
->net
, set
, &elem
, &ext2
);
5522 if (err
== -EEXIST
) {
5523 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) ^
5524 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) ||
5525 nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) ^
5526 nft_set_ext_exists(ext2
, NFT_SET_EXT_OBJREF
))
5527 goto err_element_clash
;
5528 if ((nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
5529 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) &&
5530 memcmp(nft_set_ext_data(ext
),
5531 nft_set_ext_data(ext2
), set
->dlen
) != 0) ||
5532 (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) &&
5533 nft_set_ext_exists(ext2
, NFT_SET_EXT_OBJREF
) &&
5534 *nft_set_ext_obj(ext
) != *nft_set_ext_obj(ext2
)))
5535 goto err_element_clash
;
5536 else if (!(nlmsg_flags
& NLM_F_EXCL
))
5538 } else if (err
== -ENOTEMPTY
) {
5539 /* ENOTEMPTY reports overlapping between this element
5540 * and an existing one.
5544 goto err_element_clash
;
5548 !atomic_add_unless(&set
->nelems
, 1, set
->size
+ set
->ndeact
)) {
5553 nft_trans_elem(trans
) = elem
;
5554 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
5558 set
->ops
->remove(ctx
->net
, set
, &elem
);
5565 nf_tables_set_elem_destroy(ctx
, set
, elem
.priv
);
5567 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
5568 nft_data_release(&elem
.data
.val
, desc
.type
);
5570 nft_data_release(&elem
.key_end
.val
, NFT_DATA_VALUE
);
5572 nft_data_release(&elem
.key
.val
, NFT_DATA_VALUE
);
5574 for (i
= 0; i
< num_exprs
&& expr_array
[i
]; i
++)
5575 nft_expr_destroy(ctx
, expr_array
[i
]);
5576 err_set_elem_expr_clone
:
5580 static int nf_tables_newsetelem(struct net
*net
, struct sock
*nlsk
,
5581 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
5582 const struct nlattr
* const nla
[],
5583 struct netlink_ext_ack
*extack
)
5585 u8 genmask
= nft_genmask_next(net
);
5586 const struct nlattr
*attr
;
5587 struct nft_set
*set
;
5591 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
)
5594 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
5595 genmask
, NETLINK_CB(skb
).portid
);
5599 set
= nft_set_lookup_global(net
, ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
5600 nla
[NFTA_SET_ELEM_LIST_SET_ID
], genmask
);
5602 return PTR_ERR(set
);
5604 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
5607 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
5608 err
= nft_add_set_elem(&ctx
, set
, attr
, nlh
->nlmsg_flags
);
5613 if (net
->nft
.validate_state
== NFT_VALIDATE_DO
)
5614 return nft_table_validate(net
, ctx
.table
);
5620 * nft_data_hold - hold a nft_data item
5622 * @data: struct nft_data to release
5623 * @type: type of data
5625 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5626 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5627 * NFT_GOTO verdicts. This function must be called on active data objects
5628 * from the second phase of the commit protocol.
5630 void nft_data_hold(const struct nft_data
*data
, enum nft_data_types type
)
5632 struct nft_chain
*chain
;
5633 struct nft_rule
*rule
;
5635 if (type
== NFT_DATA_VERDICT
) {
5636 switch (data
->verdict
.code
) {
5639 chain
= data
->verdict
.chain
;
5642 if (!nft_chain_is_bound(chain
))
5645 chain
->table
->use
++;
5646 list_for_each_entry(rule
, &chain
->rules
, list
)
5649 nft_chain_add(chain
->table
, chain
);
5655 static void nft_set_elem_activate(const struct net
*net
,
5656 const struct nft_set
*set
,
5657 struct nft_set_elem
*elem
)
5659 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
5661 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
5662 nft_data_hold(nft_set_ext_data(ext
), set
->dtype
);
5663 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
5664 (*nft_set_ext_obj(ext
))->use
++;
5667 static void nft_set_elem_deactivate(const struct net
*net
,
5668 const struct nft_set
*set
,
5669 struct nft_set_elem
*elem
)
5671 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
5673 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
5674 nft_data_release(nft_set_ext_data(ext
), set
->dtype
);
5675 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
5676 (*nft_set_ext_obj(ext
))->use
--;
5679 static int nft_del_setelem(struct nft_ctx
*ctx
, struct nft_set
*set
,
5680 const struct nlattr
*attr
)
5682 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
5683 struct nft_set_ext_tmpl tmpl
;
5684 struct nft_set_elem elem
;
5685 struct nft_set_ext
*ext
;
5686 struct nft_trans
*trans
;
5691 err
= nla_parse_nested_deprecated(nla
, NFTA_SET_ELEM_MAX
, attr
,
5692 nft_set_elem_policy
, NULL
);
5696 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
5699 nft_set_ext_prepare(&tmpl
);
5701 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
5705 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
5707 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key
.val
,
5708 nla
[NFTA_SET_ELEM_KEY
]);
5712 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, set
->klen
);
5714 if (nla
[NFTA_SET_ELEM_KEY_END
]) {
5715 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key_end
.val
,
5716 nla
[NFTA_SET_ELEM_KEY_END
]);
5720 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY_END
, set
->klen
);
5724 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
,
5725 elem
.key_end
.val
.data
, NULL
, 0, 0,
5727 if (elem
.priv
== NULL
)
5730 ext
= nft_set_elem_ext(set
, elem
.priv
);
5732 *nft_set_ext_flags(ext
) = flags
;
5734 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_DELSETELEM
, set
);
5738 priv
= set
->ops
->deactivate(ctx
->net
, set
, &elem
);
5746 nft_set_elem_deactivate(ctx
->net
, set
, &elem
);
5748 nft_trans_elem(trans
) = elem
;
5749 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
5757 nft_data_release(&elem
.key
.val
, NFT_DATA_VALUE
);
5761 static int nft_flush_set(const struct nft_ctx
*ctx
,
5762 struct nft_set
*set
,
5763 const struct nft_set_iter
*iter
,
5764 struct nft_set_elem
*elem
)
5766 struct nft_trans
*trans
;
5769 trans
= nft_trans_alloc_gfp(ctx
, NFT_MSG_DELSETELEM
,
5770 sizeof(struct nft_trans_elem
), GFP_ATOMIC
);
5774 if (!set
->ops
->flush(ctx
->net
, set
, elem
->priv
)) {
5780 nft_set_elem_deactivate(ctx
->net
, set
, elem
);
5781 nft_trans_elem_set(trans
) = set
;
5782 nft_trans_elem(trans
) = *elem
;
5783 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
5791 static int nf_tables_delsetelem(struct net
*net
, struct sock
*nlsk
,
5792 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
5793 const struct nlattr
* const nla
[],
5794 struct netlink_ext_ack
*extack
)
5796 u8 genmask
= nft_genmask_next(net
);
5797 const struct nlattr
*attr
;
5798 struct nft_set
*set
;
5802 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, extack
,
5803 genmask
, NETLINK_CB(skb
).portid
);
5807 set
= nft_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
], genmask
);
5809 return PTR_ERR(set
);
5810 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
5813 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
) {
5814 struct nft_set_iter iter
= {
5816 .fn
= nft_flush_set
,
5818 set
->ops
->walk(&ctx
, set
, &iter
);
5823 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
5824 err
= nft_del_setelem(&ctx
, set
, attr
);
5833 void nft_set_gc_batch_release(struct rcu_head
*rcu
)
5835 struct nft_set_gc_batch
*gcb
;
5838 gcb
= container_of(rcu
, struct nft_set_gc_batch
, head
.rcu
);
5839 for (i
= 0; i
< gcb
->head
.cnt
; i
++)
5840 nft_set_elem_destroy(gcb
->head
.set
, gcb
->elems
[i
], true);
5844 struct nft_set_gc_batch
*nft_set_gc_batch_alloc(const struct nft_set
*set
,
5847 struct nft_set_gc_batch
*gcb
;
5849 gcb
= kzalloc(sizeof(*gcb
), gfp
);
5852 gcb
->head
.set
= set
;
5861 * nft_register_obj- register nf_tables stateful object type
5862 * @obj_type: object type
5864 * Registers the object type for use with nf_tables. Returns zero on
5865 * success or a negative errno code otherwise.
5867 int nft_register_obj(struct nft_object_type
*obj_type
)
5869 if (obj_type
->type
== NFT_OBJECT_UNSPEC
)
5872 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
5873 list_add_rcu(&obj_type
->list
, &nf_tables_objects
);
5874 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
5877 EXPORT_SYMBOL_GPL(nft_register_obj
);
5880 * nft_unregister_obj - unregister nf_tables object type
5881 * @obj_type: object type
5883 * Unregisters the object type for use with nf_tables.
5885 void nft_unregister_obj(struct nft_object_type
*obj_type
)
5887 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
5888 list_del_rcu(&obj_type
->list
);
5889 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
5891 EXPORT_SYMBOL_GPL(nft_unregister_obj
);
5893 struct nft_object
*nft_obj_lookup(const struct net
*net
,
5894 const struct nft_table
*table
,
5895 const struct nlattr
*nla
, u32 objtype
,
5898 struct nft_object_hash_key k
= { .table
= table
};
5899 char search
[NFT_OBJ_MAXNAMELEN
];
5900 struct rhlist_head
*tmp
, *list
;
5901 struct nft_object
*obj
;
5903 nla_strscpy(search
, nla
, sizeof(search
));
5906 WARN_ON_ONCE(!rcu_read_lock_held() &&
5907 !lockdep_commit_lock_is_held(net
));
5910 list
= rhltable_lookup(&nft_objname_ht
, &k
, nft_objname_ht_params
);
5914 rhl_for_each_entry_rcu(obj
, tmp
, list
, rhlhead
) {
5915 if (objtype
== obj
->ops
->type
->type
&&
5916 nft_active_genmask(obj
, genmask
)) {
5923 return ERR_PTR(-ENOENT
);
5925 EXPORT_SYMBOL_GPL(nft_obj_lookup
);
5927 static struct nft_object
*nft_obj_lookup_byhandle(const struct nft_table
*table
,
5928 const struct nlattr
*nla
,
5929 u32 objtype
, u8 genmask
)
5931 struct nft_object
*obj
;
5933 list_for_each_entry(obj
, &table
->objects
, list
) {
5934 if (be64_to_cpu(nla_get_be64(nla
)) == obj
->handle
&&
5935 objtype
== obj
->ops
->type
->type
&&
5936 nft_active_genmask(obj
, genmask
))
5939 return ERR_PTR(-ENOENT
);
5942 static const struct nla_policy nft_obj_policy
[NFTA_OBJ_MAX
+ 1] = {
5943 [NFTA_OBJ_TABLE
] = { .type
= NLA_STRING
,
5944 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
5945 [NFTA_OBJ_NAME
] = { .type
= NLA_STRING
,
5946 .len
= NFT_OBJ_MAXNAMELEN
- 1 },
5947 [NFTA_OBJ_TYPE
] = { .type
= NLA_U32
},
5948 [NFTA_OBJ_DATA
] = { .type
= NLA_NESTED
},
5949 [NFTA_OBJ_HANDLE
] = { .type
= NLA_U64
},
5950 [NFTA_OBJ_USERDATA
] = { .type
= NLA_BINARY
,
5951 .len
= NFT_USERDATA_MAXLEN
},
5954 static struct nft_object
*nft_obj_init(const struct nft_ctx
*ctx
,
5955 const struct nft_object_type
*type
,
5956 const struct nlattr
*attr
)
5959 const struct nft_object_ops
*ops
;
5960 struct nft_object
*obj
;
5963 tb
= kmalloc_array(type
->maxattr
+ 1, sizeof(*tb
), GFP_KERNEL
);
5968 err
= nla_parse_nested_deprecated(tb
, type
->maxattr
, attr
,
5969 type
->policy
, NULL
);
5973 memset(tb
, 0, sizeof(tb
[0]) * (type
->maxattr
+ 1));
5976 if (type
->select_ops
) {
5977 ops
= type
->select_ops(ctx
, (const struct nlattr
* const *)tb
);
5987 obj
= kzalloc(sizeof(*obj
) + ops
->size
, GFP_KERNEL
);
5991 err
= ops
->init(ctx
, (const struct nlattr
* const *)tb
, obj
);
6004 return ERR_PTR(err
);
6007 static int nft_object_dump(struct sk_buff
*skb
, unsigned int attr
,
6008 struct nft_object
*obj
, bool reset
)
6010 struct nlattr
*nest
;
6012 nest
= nla_nest_start_noflag(skb
, attr
);
6014 goto nla_put_failure
;
6015 if (obj
->ops
->dump(skb
, obj
, reset
) < 0)
6016 goto nla_put_failure
;
6017 nla_nest_end(skb
, nest
);
6024 static const struct nft_object_type
*__nft_obj_type_get(u32 objtype
)
6026 const struct nft_object_type
*type
;
6028 list_for_each_entry(type
, &nf_tables_objects
, list
) {
6029 if (objtype
== type
->type
)
6035 static const struct nft_object_type
*
6036 nft_obj_type_get(struct net
*net
, u32 objtype
)
6038 const struct nft_object_type
*type
;
6040 type
= __nft_obj_type_get(objtype
);
6041 if (type
!= NULL
&& try_module_get(type
->owner
))
6044 lockdep_nfnl_nft_mutex_not_held();
6045 #ifdef CONFIG_MODULES
6047 if (nft_request_module(net
, "nft-obj-%u", objtype
) == -EAGAIN
)
6048 return ERR_PTR(-EAGAIN
);
6051 return ERR_PTR(-ENOENT
);
6054 static int nf_tables_updobj(const struct nft_ctx
*ctx
,
6055 const struct nft_object_type
*type
,
6056 const struct nlattr
*attr
,
6057 struct nft_object
*obj
)
6059 struct nft_object
*newobj
;
6060 struct nft_trans
*trans
;
6063 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWOBJ
,
6064 sizeof(struct nft_trans_obj
));
6068 newobj
= nft_obj_init(ctx
, type
, attr
);
6069 if (IS_ERR(newobj
)) {
6070 err
= PTR_ERR(newobj
);
6071 goto err_free_trans
;
6074 nft_trans_obj(trans
) = obj
;
6075 nft_trans_obj_update(trans
) = true;
6076 nft_trans_obj_newobj(trans
) = newobj
;
6077 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
6086 static int nf_tables_newobj(struct net
*net
, struct sock
*nlsk
,
6087 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
6088 const struct nlattr
* const nla
[],
6089 struct netlink_ext_ack
*extack
)
6091 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
6092 const struct nft_object_type
*type
;
6093 u8 genmask
= nft_genmask_next(net
);
6094 int family
= nfmsg
->nfgen_family
;
6095 struct nft_table
*table
;
6096 struct nft_object
*obj
;
6101 if (!nla
[NFTA_OBJ_TYPE
] ||
6102 !nla
[NFTA_OBJ_NAME
] ||
6103 !nla
[NFTA_OBJ_DATA
])
6106 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
,
6107 NETLINK_CB(skb
).portid
);
6108 if (IS_ERR(table
)) {
6109 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
6110 return PTR_ERR(table
);
6113 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
6114 obj
= nft_obj_lookup(net
, table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
6117 if (err
!= -ENOENT
) {
6118 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
6122 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
6123 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
6126 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
6129 type
= __nft_obj_type_get(objtype
);
6130 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
6132 return nf_tables_updobj(&ctx
, type
, nla
[NFTA_OBJ_DATA
], obj
);
6135 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
6137 type
= nft_obj_type_get(net
, objtype
);
6139 return PTR_ERR(type
);
6141 obj
= nft_obj_init(&ctx
, type
, nla
[NFTA_OBJ_DATA
]);
6146 obj
->key
.table
= table
;
6147 obj
->handle
= nf_tables_alloc_handle(table
);
6149 obj
->key
.name
= nla_strdup(nla
[NFTA_OBJ_NAME
], GFP_KERNEL
);
6150 if (!obj
->key
.name
) {
6155 if (nla
[NFTA_OBJ_USERDATA
]) {
6156 obj
->udata
= nla_memdup(nla
[NFTA_OBJ_USERDATA
], GFP_KERNEL
);
6157 if (obj
->udata
== NULL
)
6160 obj
->udlen
= nla_len(nla
[NFTA_OBJ_USERDATA
]);
6163 err
= nft_trans_obj_add(&ctx
, NFT_MSG_NEWOBJ
, obj
);
6167 err
= rhltable_insert(&nft_objname_ht
, &obj
->rhlhead
,
6168 nft_objname_ht_params
);
6172 list_add_tail_rcu(&obj
->list
, &table
->objects
);
6176 /* queued in transaction log */
6177 INIT_LIST_HEAD(&obj
->list
);
6180 kfree(obj
->key
.name
);
6184 if (obj
->ops
->destroy
)
6185 obj
->ops
->destroy(&ctx
, obj
);
6188 module_put(type
->owner
);
6192 static int nf_tables_fill_obj_info(struct sk_buff
*skb
, struct net
*net
,
6193 u32 portid
, u32 seq
, int event
, u32 flags
,
6194 int family
, const struct nft_table
*table
,
6195 struct nft_object
*obj
, bool reset
)
6197 struct nlmsghdr
*nlh
;
6199 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
6200 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, family
,
6201 NFNETLINK_V0
, nft_base_seq(net
));
6203 goto nla_put_failure
;
6205 if (nla_put_string(skb
, NFTA_OBJ_TABLE
, table
->name
) ||
6206 nla_put_string(skb
, NFTA_OBJ_NAME
, obj
->key
.name
) ||
6207 nla_put_be32(skb
, NFTA_OBJ_TYPE
, htonl(obj
->ops
->type
->type
)) ||
6208 nla_put_be32(skb
, NFTA_OBJ_USE
, htonl(obj
->use
)) ||
6209 nft_object_dump(skb
, NFTA_OBJ_DATA
, obj
, reset
) ||
6210 nla_put_be64(skb
, NFTA_OBJ_HANDLE
, cpu_to_be64(obj
->handle
),
6212 goto nla_put_failure
;
6215 nla_put(skb
, NFTA_OBJ_USERDATA
, obj
->udlen
, obj
->udata
))
6216 goto nla_put_failure
;
6218 nlmsg_end(skb
, nlh
);
6222 nlmsg_trim(skb
, nlh
);
6226 struct nft_obj_filter
{
6231 static int nf_tables_dump_obj(struct sk_buff
*skb
, struct netlink_callback
*cb
)
6233 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
6234 const struct nft_table
*table
;
6235 unsigned int idx
= 0, s_idx
= cb
->args
[0];
6236 struct nft_obj_filter
*filter
= cb
->data
;
6237 struct net
*net
= sock_net(skb
->sk
);
6238 int family
= nfmsg
->nfgen_family
;
6239 struct nft_object
*obj
;
6242 if (NFNL_MSG_TYPE(cb
->nlh
->nlmsg_type
) == NFT_MSG_GETOBJ_RESET
)
6246 cb
->seq
= net
->nft
.base_seq
;
6248 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
6249 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
6252 list_for_each_entry_rcu(obj
, &table
->objects
, list
) {
6253 if (!nft_is_active(net
, obj
))
6258 memset(&cb
->args
[1], 0,
6259 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
6260 if (filter
&& filter
->table
&&
6261 strcmp(filter
->table
, table
->name
))
6264 filter
->type
!= NFT_OBJECT_UNSPEC
&&
6265 obj
->ops
->type
->type
!= filter
->type
)
6268 char *buf
= kasprintf(GFP_ATOMIC
,
6273 audit_log_nfcfg(buf
,
6276 AUDIT_NFT_OP_OBJ_RESET
,
6281 if (nf_tables_fill_obj_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
6284 NLM_F_MULTI
| NLM_F_APPEND
,
6285 table
->family
, table
,
6289 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
6301 static int nf_tables_dump_obj_start(struct netlink_callback
*cb
)
6303 const struct nlattr
* const *nla
= cb
->data
;
6304 struct nft_obj_filter
*filter
= NULL
;
6306 if (nla
[NFTA_OBJ_TABLE
] || nla
[NFTA_OBJ_TYPE
]) {
6307 filter
= kzalloc(sizeof(*filter
), GFP_ATOMIC
);
6311 if (nla
[NFTA_OBJ_TABLE
]) {
6312 filter
->table
= nla_strdup(nla
[NFTA_OBJ_TABLE
], GFP_ATOMIC
);
6313 if (!filter
->table
) {
6319 if (nla
[NFTA_OBJ_TYPE
])
6320 filter
->type
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
6327 static int nf_tables_dump_obj_done(struct netlink_callback
*cb
)
6329 struct nft_obj_filter
*filter
= cb
->data
;
6332 kfree(filter
->table
);
6339 /* called with rcu_read_lock held */
6340 static int nf_tables_getobj(struct net
*net
, struct sock
*nlsk
,
6341 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
6342 const struct nlattr
* const nla
[],
6343 struct netlink_ext_ack
*extack
)
6345 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
6346 u8 genmask
= nft_genmask_cur(net
);
6347 int family
= nfmsg
->nfgen_family
;
6348 const struct nft_table
*table
;
6349 struct nft_object
*obj
;
6350 struct sk_buff
*skb2
;
6355 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
6356 struct netlink_dump_control c
= {
6357 .start
= nf_tables_dump_obj_start
,
6358 .dump
= nf_tables_dump_obj
,
6359 .done
= nf_tables_dump_obj_done
,
6360 .module
= THIS_MODULE
,
6361 .data
= (void *)nla
,
6364 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
6367 if (!nla
[NFTA_OBJ_NAME
] ||
6368 !nla
[NFTA_OBJ_TYPE
])
6371 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
, 0);
6372 if (IS_ERR(table
)) {
6373 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
6374 return PTR_ERR(table
);
6377 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
6378 obj
= nft_obj_lookup(net
, table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
6380 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
6381 return PTR_ERR(obj
);
6384 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
6388 if (NFNL_MSG_TYPE(nlh
->nlmsg_type
) == NFT_MSG_GETOBJ_RESET
)
6392 char *buf
= kasprintf(GFP_ATOMIC
, "%s:%u",
6393 table
->name
, net
->nft
.base_seq
);
6395 audit_log_nfcfg(buf
,
6398 AUDIT_NFT_OP_OBJ_RESET
,
6403 err
= nf_tables_fill_obj_info(skb2
, net
, NETLINK_CB(skb
).portid
,
6404 nlh
->nlmsg_seq
, NFT_MSG_NEWOBJ
, 0,
6405 family
, table
, obj
, reset
);
6407 goto err_fill_obj_info
;
6409 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
6416 static void nft_obj_destroy(const struct nft_ctx
*ctx
, struct nft_object
*obj
)
6418 if (obj
->ops
->destroy
)
6419 obj
->ops
->destroy(ctx
, obj
);
6421 module_put(obj
->ops
->type
->owner
);
6422 kfree(obj
->key
.name
);
6427 static int nf_tables_delobj(struct net
*net
, struct sock
*nlsk
,
6428 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
6429 const struct nlattr
* const nla
[],
6430 struct netlink_ext_ack
*extack
)
6432 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
6433 u8 genmask
= nft_genmask_next(net
);
6434 int family
= nfmsg
->nfgen_family
;
6435 const struct nlattr
*attr
;
6436 struct nft_table
*table
;
6437 struct nft_object
*obj
;
6441 if (!nla
[NFTA_OBJ_TYPE
] ||
6442 (!nla
[NFTA_OBJ_NAME
] && !nla
[NFTA_OBJ_HANDLE
]))
6445 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
,
6446 NETLINK_CB(skb
).portid
);
6447 if (IS_ERR(table
)) {
6448 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
6449 return PTR_ERR(table
);
6452 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
6453 if (nla
[NFTA_OBJ_HANDLE
]) {
6454 attr
= nla
[NFTA_OBJ_HANDLE
];
6455 obj
= nft_obj_lookup_byhandle(table
, attr
, objtype
, genmask
);
6457 attr
= nla
[NFTA_OBJ_NAME
];
6458 obj
= nft_obj_lookup(net
, table
, attr
, objtype
, genmask
);
6462 NL_SET_BAD_ATTR(extack
, attr
);
6463 return PTR_ERR(obj
);
6466 NL_SET_BAD_ATTR(extack
, attr
);
6470 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
6472 return nft_delobj(&ctx
, obj
);
6475 void nft_obj_notify(struct net
*net
, const struct nft_table
*table
,
6476 struct nft_object
*obj
, u32 portid
, u32 seq
, int event
,
6477 int family
, int report
, gfp_t gfp
)
6479 struct sk_buff
*skb
;
6481 char *buf
= kasprintf(gfp
, "%s:%u",
6482 table
->name
, net
->nft
.base_seq
);
6484 audit_log_nfcfg(buf
,
6487 event
== NFT_MSG_NEWOBJ
?
6488 AUDIT_NFT_OP_OBJ_REGISTER
:
6489 AUDIT_NFT_OP_OBJ_UNREGISTER
,
6494 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
6497 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp
);
6501 err
= nf_tables_fill_obj_info(skb
, net
, portid
, seq
, event
, 0, family
,
6508 nft_notify_enqueue(skb
, report
, &net
->nft
.notify_list
);
6511 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
6513 EXPORT_SYMBOL_GPL(nft_obj_notify
);
6515 static void nf_tables_obj_notify(const struct nft_ctx
*ctx
,
6516 struct nft_object
*obj
, int event
)
6518 nft_obj_notify(ctx
->net
, ctx
->table
, obj
, ctx
->portid
, ctx
->seq
, event
,
6519 ctx
->family
, ctx
->report
, GFP_KERNEL
);
6525 void nft_register_flowtable_type(struct nf_flowtable_type
*type
)
6527 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
6528 list_add_tail_rcu(&type
->list
, &nf_tables_flowtables
);
6529 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
6531 EXPORT_SYMBOL_GPL(nft_register_flowtable_type
);
6533 void nft_unregister_flowtable_type(struct nf_flowtable_type
*type
)
6535 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
6536 list_del_rcu(&type
->list
);
6537 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
6539 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type
);
6541 static const struct nla_policy nft_flowtable_policy
[NFTA_FLOWTABLE_MAX
+ 1] = {
6542 [NFTA_FLOWTABLE_TABLE
] = { .type
= NLA_STRING
,
6543 .len
= NFT_NAME_MAXLEN
- 1 },
6544 [NFTA_FLOWTABLE_NAME
] = { .type
= NLA_STRING
,
6545 .len
= NFT_NAME_MAXLEN
- 1 },
6546 [NFTA_FLOWTABLE_HOOK
] = { .type
= NLA_NESTED
},
6547 [NFTA_FLOWTABLE_HANDLE
] = { .type
= NLA_U64
},
6548 [NFTA_FLOWTABLE_FLAGS
] = { .type
= NLA_U32
},
6551 struct nft_flowtable
*nft_flowtable_lookup(const struct nft_table
*table
,
6552 const struct nlattr
*nla
, u8 genmask
)
6554 struct nft_flowtable
*flowtable
;
6556 list_for_each_entry_rcu(flowtable
, &table
->flowtables
, list
) {
6557 if (!nla_strcmp(nla
, flowtable
->name
) &&
6558 nft_active_genmask(flowtable
, genmask
))
6561 return ERR_PTR(-ENOENT
);
6563 EXPORT_SYMBOL_GPL(nft_flowtable_lookup
);
6565 void nf_tables_deactivate_flowtable(const struct nft_ctx
*ctx
,
6566 struct nft_flowtable
*flowtable
,
6567 enum nft_trans_phase phase
)
6570 case NFT_TRANS_PREPARE
:
6571 case NFT_TRANS_ABORT
:
6572 case NFT_TRANS_RELEASE
:
6579 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable
);
6581 static struct nft_flowtable
*
6582 nft_flowtable_lookup_byhandle(const struct nft_table
*table
,
6583 const struct nlattr
*nla
, u8 genmask
)
6585 struct nft_flowtable
*flowtable
;
6587 list_for_each_entry(flowtable
, &table
->flowtables
, list
) {
6588 if (be64_to_cpu(nla_get_be64(nla
)) == flowtable
->handle
&&
6589 nft_active_genmask(flowtable
, genmask
))
6592 return ERR_PTR(-ENOENT
);
6595 struct nft_flowtable_hook
{
6598 struct list_head list
;
6601 static const struct nla_policy nft_flowtable_hook_policy
[NFTA_FLOWTABLE_HOOK_MAX
+ 1] = {
6602 [NFTA_FLOWTABLE_HOOK_NUM
] = { .type
= NLA_U32
},
6603 [NFTA_FLOWTABLE_HOOK_PRIORITY
] = { .type
= NLA_U32
},
6604 [NFTA_FLOWTABLE_HOOK_DEVS
] = { .type
= NLA_NESTED
},
6607 static int nft_flowtable_parse_hook(const struct nft_ctx
*ctx
,
6608 const struct nlattr
*attr
,
6609 struct nft_flowtable_hook
*flowtable_hook
,
6610 struct nft_flowtable
*flowtable
, bool add
)
6612 struct nlattr
*tb
[NFTA_FLOWTABLE_HOOK_MAX
+ 1];
6613 struct nft_hook
*hook
;
6614 int hooknum
, priority
;
6617 INIT_LIST_HEAD(&flowtable_hook
->list
);
6619 err
= nla_parse_nested_deprecated(tb
, NFTA_FLOWTABLE_HOOK_MAX
, attr
,
6620 nft_flowtable_hook_policy
, NULL
);
6625 if (!tb
[NFTA_FLOWTABLE_HOOK_NUM
] ||
6626 !tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
])
6629 hooknum
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_NUM
]));
6630 if (hooknum
!= NF_NETDEV_INGRESS
)
6633 priority
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
]));
6635 flowtable_hook
->priority
= priority
;
6636 flowtable_hook
->num
= hooknum
;
6638 if (tb
[NFTA_FLOWTABLE_HOOK_NUM
]) {
6639 hooknum
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_NUM
]));
6640 if (hooknum
!= flowtable
->hooknum
)
6644 if (tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
]) {
6645 priority
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
]));
6646 if (priority
!= flowtable
->data
.priority
)
6650 flowtable_hook
->priority
= flowtable
->data
.priority
;
6651 flowtable_hook
->num
= flowtable
->hooknum
;
6654 if (tb
[NFTA_FLOWTABLE_HOOK_DEVS
]) {
6655 err
= nf_tables_parse_netdev_hooks(ctx
->net
,
6656 tb
[NFTA_FLOWTABLE_HOOK_DEVS
],
6657 &flowtable_hook
->list
);
6662 list_for_each_entry(hook
, &flowtable_hook
->list
, list
) {
6663 hook
->ops
.pf
= NFPROTO_NETDEV
;
6664 hook
->ops
.hooknum
= flowtable_hook
->num
;
6665 hook
->ops
.priority
= flowtable_hook
->priority
;
6666 hook
->ops
.priv
= &flowtable
->data
;
6667 hook
->ops
.hook
= flowtable
->data
.type
->hook
;
6673 static const struct nf_flowtable_type
*__nft_flowtable_type_get(u8 family
)
6675 const struct nf_flowtable_type
*type
;
6677 list_for_each_entry(type
, &nf_tables_flowtables
, list
) {
6678 if (family
== type
->family
)
6684 static const struct nf_flowtable_type
*
6685 nft_flowtable_type_get(struct net
*net
, u8 family
)
6687 const struct nf_flowtable_type
*type
;
6689 type
= __nft_flowtable_type_get(family
);
6690 if (type
!= NULL
&& try_module_get(type
->owner
))
6693 lockdep_nfnl_nft_mutex_not_held();
6694 #ifdef CONFIG_MODULES
6696 if (nft_request_module(net
, "nf-flowtable-%u", family
) == -EAGAIN
)
6697 return ERR_PTR(-EAGAIN
);
6700 return ERR_PTR(-ENOENT
);
6703 /* Only called from error and netdev event paths. */
6704 static void nft_unregister_flowtable_hook(struct net
*net
,
6705 struct nft_flowtable
*flowtable
,
6706 struct nft_hook
*hook
)
6708 nf_unregister_net_hook(net
, &hook
->ops
);
6709 flowtable
->data
.type
->setup(&flowtable
->data
, hook
->ops
.dev
,
6713 static void nft_unregister_flowtable_net_hooks(struct net
*net
,
6714 struct list_head
*hook_list
)
6716 struct nft_hook
*hook
;
6718 list_for_each_entry(hook
, hook_list
, list
)
6719 nf_unregister_net_hook(net
, &hook
->ops
);
6722 static int nft_register_flowtable_net_hooks(struct net
*net
,
6723 struct nft_table
*table
,
6724 struct list_head
*hook_list
,
6725 struct nft_flowtable
*flowtable
)
6727 struct nft_hook
*hook
, *hook2
, *next
;
6728 struct nft_flowtable
*ft
;
6731 list_for_each_entry(hook
, hook_list
, list
) {
6732 list_for_each_entry(ft
, &table
->flowtables
, list
) {
6733 if (!nft_is_active_next(net
, ft
))
6736 list_for_each_entry(hook2
, &ft
->hook_list
, list
) {
6737 if (hook
->ops
.dev
== hook2
->ops
.dev
&&
6738 hook
->ops
.pf
== hook2
->ops
.pf
) {
6740 goto err_unregister_net_hooks
;
6745 err
= flowtable
->data
.type
->setup(&flowtable
->data
,
6749 goto err_unregister_net_hooks
;
6751 err
= nf_register_net_hook(net
, &hook
->ops
);
6753 flowtable
->data
.type
->setup(&flowtable
->data
,
6756 goto err_unregister_net_hooks
;
6764 err_unregister_net_hooks
:
6765 list_for_each_entry_safe(hook
, next
, hook_list
, list
) {
6769 nft_unregister_flowtable_hook(net
, flowtable
, hook
);
6770 list_del_rcu(&hook
->list
);
6771 kfree_rcu(hook
, rcu
);
6777 static void nft_flowtable_hooks_destroy(struct list_head
*hook_list
)
6779 struct nft_hook
*hook
, *next
;
6781 list_for_each_entry_safe(hook
, next
, hook_list
, list
) {
6782 list_del_rcu(&hook
->list
);
6783 kfree_rcu(hook
, rcu
);
6787 static int nft_flowtable_update(struct nft_ctx
*ctx
, const struct nlmsghdr
*nlh
,
6788 struct nft_flowtable
*flowtable
)
6790 const struct nlattr
* const *nla
= ctx
->nla
;
6791 struct nft_flowtable_hook flowtable_hook
;
6792 struct nft_hook
*hook
, *next
;
6793 struct nft_trans
*trans
;
6794 bool unregister
= false;
6798 err
= nft_flowtable_parse_hook(ctx
, nla
[NFTA_FLOWTABLE_HOOK
],
6799 &flowtable_hook
, flowtable
, false);
6803 list_for_each_entry_safe(hook
, next
, &flowtable_hook
.list
, list
) {
6804 if (nft_hook_list_find(&flowtable
->hook_list
, hook
)) {
6805 list_del(&hook
->list
);
6810 if (nla
[NFTA_FLOWTABLE_FLAGS
]) {
6811 flags
= ntohl(nla_get_be32(nla
[NFTA_FLOWTABLE_FLAGS
]));
6812 if (flags
& ~NFT_FLOWTABLE_MASK
)
6814 if ((flowtable
->data
.flags
& NFT_FLOWTABLE_HW_OFFLOAD
) ^
6815 (flags
& NFT_FLOWTABLE_HW_OFFLOAD
))
6818 flags
= flowtable
->data
.flags
;
6821 err
= nft_register_flowtable_net_hooks(ctx
->net
, ctx
->table
,
6822 &flowtable_hook
.list
, flowtable
);
6824 goto err_flowtable_update_hook
;
6826 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWFLOWTABLE
,
6827 sizeof(struct nft_trans_flowtable
));
6831 goto err_flowtable_update_hook
;
6834 nft_trans_flowtable_flags(trans
) = flags
;
6835 nft_trans_flowtable(trans
) = flowtable
;
6836 nft_trans_flowtable_update(trans
) = true;
6837 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans
));
6838 list_splice(&flowtable_hook
.list
, &nft_trans_flowtable_hooks(trans
));
6840 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
6844 err_flowtable_update_hook
:
6845 list_for_each_entry_safe(hook
, next
, &flowtable_hook
.list
, list
) {
6847 nft_unregister_flowtable_hook(ctx
->net
, flowtable
, hook
);
6848 list_del_rcu(&hook
->list
);
6849 kfree_rcu(hook
, rcu
);
6856 static int nf_tables_newflowtable(struct net
*net
, struct sock
*nlsk
,
6857 struct sk_buff
*skb
,
6858 const struct nlmsghdr
*nlh
,
6859 const struct nlattr
* const nla
[],
6860 struct netlink_ext_ack
*extack
)
6862 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
6863 struct nft_flowtable_hook flowtable_hook
;
6864 const struct nf_flowtable_type
*type
;
6865 u8 genmask
= nft_genmask_next(net
);
6866 int family
= nfmsg
->nfgen_family
;
6867 struct nft_flowtable
*flowtable
;
6868 struct nft_hook
*hook
, *next
;
6869 struct nft_table
*table
;
6873 if (!nla
[NFTA_FLOWTABLE_TABLE
] ||
6874 !nla
[NFTA_FLOWTABLE_NAME
] ||
6875 !nla
[NFTA_FLOWTABLE_HOOK
])
6878 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
6879 genmask
, NETLINK_CB(skb
).portid
);
6880 if (IS_ERR(table
)) {
6881 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_TABLE
]);
6882 return PTR_ERR(table
);
6885 flowtable
= nft_flowtable_lookup(table
, nla
[NFTA_FLOWTABLE_NAME
],
6887 if (IS_ERR(flowtable
)) {
6888 err
= PTR_ERR(flowtable
);
6889 if (err
!= -ENOENT
) {
6890 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_NAME
]);
6894 if (nlh
->nlmsg_flags
& NLM_F_EXCL
) {
6895 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_NAME
]);
6899 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
6901 return nft_flowtable_update(&ctx
, nlh
, flowtable
);
6904 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
6906 flowtable
= kzalloc(sizeof(*flowtable
), GFP_KERNEL
);
6910 flowtable
->table
= table
;
6911 flowtable
->handle
= nf_tables_alloc_handle(table
);
6912 INIT_LIST_HEAD(&flowtable
->hook_list
);
6914 flowtable
->name
= nla_strdup(nla
[NFTA_FLOWTABLE_NAME
], GFP_KERNEL
);
6915 if (!flowtable
->name
) {
6920 type
= nft_flowtable_type_get(net
, family
);
6922 err
= PTR_ERR(type
);
6926 if (nla
[NFTA_FLOWTABLE_FLAGS
]) {
6927 flowtable
->data
.flags
=
6928 ntohl(nla_get_be32(nla
[NFTA_FLOWTABLE_FLAGS
]));
6929 if (flowtable
->data
.flags
& ~NFT_FLOWTABLE_MASK
) {
6935 write_pnet(&flowtable
->data
.net
, net
);
6936 flowtable
->data
.type
= type
;
6937 err
= type
->init(&flowtable
->data
);
6941 err
= nft_flowtable_parse_hook(&ctx
, nla
[NFTA_FLOWTABLE_HOOK
],
6942 &flowtable_hook
, flowtable
, true);
6946 list_splice(&flowtable_hook
.list
, &flowtable
->hook_list
);
6947 flowtable
->data
.priority
= flowtable_hook
.priority
;
6948 flowtable
->hooknum
= flowtable_hook
.num
;
6950 err
= nft_register_flowtable_net_hooks(ctx
.net
, table
,
6951 &flowtable
->hook_list
,
6954 nft_flowtable_hooks_destroy(&flowtable
->hook_list
);
6958 err
= nft_trans_flowtable_add(&ctx
, NFT_MSG_NEWFLOWTABLE
, flowtable
);
6962 list_add_tail_rcu(&flowtable
->list
, &table
->flowtables
);
6967 list_for_each_entry_safe(hook
, next
, &flowtable
->hook_list
, list
) {
6968 nft_unregister_flowtable_hook(net
, flowtable
, hook
);
6969 list_del_rcu(&hook
->list
);
6970 kfree_rcu(hook
, rcu
);
6973 flowtable
->data
.type
->free(&flowtable
->data
);
6975 module_put(type
->owner
);
6977 kfree(flowtable
->name
);
6983 static void nft_flowtable_hook_release(struct nft_flowtable_hook
*flowtable_hook
)
6985 struct nft_hook
*this, *next
;
6987 list_for_each_entry_safe(this, next
, &flowtable_hook
->list
, list
) {
6988 list_del(&this->list
);
6993 static int nft_delflowtable_hook(struct nft_ctx
*ctx
,
6994 struct nft_flowtable
*flowtable
)
6996 const struct nlattr
* const *nla
= ctx
->nla
;
6997 struct nft_flowtable_hook flowtable_hook
;
6998 struct nft_hook
*this, *hook
;
6999 struct nft_trans
*trans
;
7002 err
= nft_flowtable_parse_hook(ctx
, nla
[NFTA_FLOWTABLE_HOOK
],
7003 &flowtable_hook
, flowtable
, false);
7007 list_for_each_entry(this, &flowtable_hook
.list
, list
) {
7008 hook
= nft_hook_list_find(&flowtable
->hook_list
, this);
7011 goto err_flowtable_del_hook
;
7013 hook
->inactive
= true;
7016 trans
= nft_trans_alloc(ctx
, NFT_MSG_DELFLOWTABLE
,
7017 sizeof(struct nft_trans_flowtable
));
7020 goto err_flowtable_del_hook
;
7023 nft_trans_flowtable(trans
) = flowtable
;
7024 nft_trans_flowtable_update(trans
) = true;
7025 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans
));
7026 nft_flowtable_hook_release(&flowtable_hook
);
7028 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
7032 err_flowtable_del_hook
:
7033 list_for_each_entry(this, &flowtable_hook
.list
, list
) {
7034 hook
= nft_hook_list_find(&flowtable
->hook_list
, this);
7038 hook
->inactive
= false;
7040 nft_flowtable_hook_release(&flowtable_hook
);
7045 static int nf_tables_delflowtable(struct net
*net
, struct sock
*nlsk
,
7046 struct sk_buff
*skb
,
7047 const struct nlmsghdr
*nlh
,
7048 const struct nlattr
* const nla
[],
7049 struct netlink_ext_ack
*extack
)
7051 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
7052 u8 genmask
= nft_genmask_next(net
);
7053 int family
= nfmsg
->nfgen_family
;
7054 struct nft_flowtable
*flowtable
;
7055 const struct nlattr
*attr
;
7056 struct nft_table
*table
;
7059 if (!nla
[NFTA_FLOWTABLE_TABLE
] ||
7060 (!nla
[NFTA_FLOWTABLE_NAME
] &&
7061 !nla
[NFTA_FLOWTABLE_HANDLE
]))
7064 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
7065 genmask
, NETLINK_CB(skb
).portid
);
7066 if (IS_ERR(table
)) {
7067 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_TABLE
]);
7068 return PTR_ERR(table
);
7071 if (nla
[NFTA_FLOWTABLE_HANDLE
]) {
7072 attr
= nla
[NFTA_FLOWTABLE_HANDLE
];
7073 flowtable
= nft_flowtable_lookup_byhandle(table
, attr
, genmask
);
7075 attr
= nla
[NFTA_FLOWTABLE_NAME
];
7076 flowtable
= nft_flowtable_lookup(table
, attr
, genmask
);
7079 if (IS_ERR(flowtable
)) {
7080 NL_SET_BAD_ATTR(extack
, attr
);
7081 return PTR_ERR(flowtable
);
7084 nft_ctx_init(&ctx
, net
, skb
, nlh
, family
, table
, NULL
, nla
);
7086 if (nla
[NFTA_FLOWTABLE_HOOK
])
7087 return nft_delflowtable_hook(&ctx
, flowtable
);
7089 if (flowtable
->use
> 0) {
7090 NL_SET_BAD_ATTR(extack
, attr
);
7094 return nft_delflowtable(&ctx
, flowtable
);
7097 static int nf_tables_fill_flowtable_info(struct sk_buff
*skb
, struct net
*net
,
7098 u32 portid
, u32 seq
, int event
,
7099 u32 flags
, int family
,
7100 struct nft_flowtable
*flowtable
,
7101 struct list_head
*hook_list
)
7103 struct nlattr
*nest
, *nest_devs
;
7104 struct nft_hook
*hook
;
7105 struct nlmsghdr
*nlh
;
7107 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
7108 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, family
,
7109 NFNETLINK_V0
, nft_base_seq(net
));
7111 goto nla_put_failure
;
7113 if (nla_put_string(skb
, NFTA_FLOWTABLE_TABLE
, flowtable
->table
->name
) ||
7114 nla_put_string(skb
, NFTA_FLOWTABLE_NAME
, flowtable
->name
) ||
7115 nla_put_be32(skb
, NFTA_FLOWTABLE_USE
, htonl(flowtable
->use
)) ||
7116 nla_put_be64(skb
, NFTA_FLOWTABLE_HANDLE
, cpu_to_be64(flowtable
->handle
),
7117 NFTA_FLOWTABLE_PAD
) ||
7118 nla_put_be32(skb
, NFTA_FLOWTABLE_FLAGS
, htonl(flowtable
->data
.flags
)))
7119 goto nla_put_failure
;
7121 nest
= nla_nest_start_noflag(skb
, NFTA_FLOWTABLE_HOOK
);
7123 goto nla_put_failure
;
7124 if (nla_put_be32(skb
, NFTA_FLOWTABLE_HOOK_NUM
, htonl(flowtable
->hooknum
)) ||
7125 nla_put_be32(skb
, NFTA_FLOWTABLE_HOOK_PRIORITY
, htonl(flowtable
->data
.priority
)))
7126 goto nla_put_failure
;
7128 nest_devs
= nla_nest_start_noflag(skb
, NFTA_FLOWTABLE_HOOK_DEVS
);
7130 goto nla_put_failure
;
7132 list_for_each_entry_rcu(hook
, hook_list
, list
) {
7133 if (nla_put_string(skb
, NFTA_DEVICE_NAME
, hook
->ops
.dev
->name
))
7134 goto nla_put_failure
;
7136 nla_nest_end(skb
, nest_devs
);
7137 nla_nest_end(skb
, nest
);
7139 nlmsg_end(skb
, nlh
);
7143 nlmsg_trim(skb
, nlh
);
7147 struct nft_flowtable_filter
{
7151 static int nf_tables_dump_flowtable(struct sk_buff
*skb
,
7152 struct netlink_callback
*cb
)
7154 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
7155 struct nft_flowtable_filter
*filter
= cb
->data
;
7156 unsigned int idx
= 0, s_idx
= cb
->args
[0];
7157 struct net
*net
= sock_net(skb
->sk
);
7158 int family
= nfmsg
->nfgen_family
;
7159 struct nft_flowtable
*flowtable
;
7160 const struct nft_table
*table
;
7163 cb
->seq
= net
->nft
.base_seq
;
7165 list_for_each_entry_rcu(table
, &net
->nft
.tables
, list
) {
7166 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
7169 list_for_each_entry_rcu(flowtable
, &table
->flowtables
, list
) {
7170 if (!nft_is_active(net
, flowtable
))
7175 memset(&cb
->args
[1], 0,
7176 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
7177 if (filter
&& filter
->table
&&
7178 strcmp(filter
->table
, table
->name
))
7181 if (nf_tables_fill_flowtable_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
7183 NFT_MSG_NEWFLOWTABLE
,
7184 NLM_F_MULTI
| NLM_F_APPEND
,
7187 &flowtable
->hook_list
) < 0)
7190 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
7202 static int nf_tables_dump_flowtable_start(struct netlink_callback
*cb
)
7204 const struct nlattr
* const *nla
= cb
->data
;
7205 struct nft_flowtable_filter
*filter
= NULL
;
7207 if (nla
[NFTA_FLOWTABLE_TABLE
]) {
7208 filter
= kzalloc(sizeof(*filter
), GFP_ATOMIC
);
7212 filter
->table
= nla_strdup(nla
[NFTA_FLOWTABLE_TABLE
],
7214 if (!filter
->table
) {
7224 static int nf_tables_dump_flowtable_done(struct netlink_callback
*cb
)
7226 struct nft_flowtable_filter
*filter
= cb
->data
;
7231 kfree(filter
->table
);
7237 /* called with rcu_read_lock held */
7238 static int nf_tables_getflowtable(struct net
*net
, struct sock
*nlsk
,
7239 struct sk_buff
*skb
,
7240 const struct nlmsghdr
*nlh
,
7241 const struct nlattr
* const nla
[],
7242 struct netlink_ext_ack
*extack
)
7244 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
7245 u8 genmask
= nft_genmask_cur(net
);
7246 int family
= nfmsg
->nfgen_family
;
7247 struct nft_flowtable
*flowtable
;
7248 const struct nft_table
*table
;
7249 struct sk_buff
*skb2
;
7252 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
7253 struct netlink_dump_control c
= {
7254 .start
= nf_tables_dump_flowtable_start
,
7255 .dump
= nf_tables_dump_flowtable
,
7256 .done
= nf_tables_dump_flowtable_done
,
7257 .module
= THIS_MODULE
,
7258 .data
= (void *)nla
,
7261 return nft_netlink_dump_start_rcu(nlsk
, skb
, nlh
, &c
);
7264 if (!nla
[NFTA_FLOWTABLE_NAME
])
7267 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
7270 return PTR_ERR(table
);
7272 flowtable
= nft_flowtable_lookup(table
, nla
[NFTA_FLOWTABLE_NAME
],
7274 if (IS_ERR(flowtable
))
7275 return PTR_ERR(flowtable
);
7277 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
7281 err
= nf_tables_fill_flowtable_info(skb2
, net
, NETLINK_CB(skb
).portid
,
7283 NFT_MSG_NEWFLOWTABLE
, 0, family
,
7284 flowtable
, &flowtable
->hook_list
);
7286 goto err_fill_flowtable_info
;
7288 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
7290 err_fill_flowtable_info
:
7295 static void nf_tables_flowtable_notify(struct nft_ctx
*ctx
,
7296 struct nft_flowtable
*flowtable
,
7297 struct list_head
*hook_list
,
7300 struct sk_buff
*skb
;
7304 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
7307 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
7311 err
= nf_tables_fill_flowtable_info(skb
, ctx
->net
, ctx
->portid
,
7313 ctx
->family
, flowtable
, hook_list
);
7319 nft_notify_enqueue(skb
, ctx
->report
, &ctx
->net
->nft
.notify_list
);
7322 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
7325 static void nf_tables_flowtable_destroy(struct nft_flowtable
*flowtable
)
7327 struct nft_hook
*hook
, *next
;
7329 flowtable
->data
.type
->free(&flowtable
->data
);
7330 list_for_each_entry_safe(hook
, next
, &flowtable
->hook_list
, list
) {
7331 flowtable
->data
.type
->setup(&flowtable
->data
, hook
->ops
.dev
,
7333 list_del_rcu(&hook
->list
);
7336 kfree(flowtable
->name
);
7337 module_put(flowtable
->data
.type
->owner
);
7341 static int nf_tables_fill_gen_info(struct sk_buff
*skb
, struct net
*net
,
7342 u32 portid
, u32 seq
)
7344 struct nlmsghdr
*nlh
;
7345 char buf
[TASK_COMM_LEN
];
7346 int event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, NFT_MSG_NEWGEN
);
7348 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, 0, AF_UNSPEC
,
7349 NFNETLINK_V0
, nft_base_seq(net
));
7351 goto nla_put_failure
;
7353 if (nla_put_be32(skb
, NFTA_GEN_ID
, htonl(net
->nft
.base_seq
)) ||
7354 nla_put_be32(skb
, NFTA_GEN_PROC_PID
, htonl(task_pid_nr(current
))) ||
7355 nla_put_string(skb
, NFTA_GEN_PROC_NAME
, get_task_comm(buf
, current
)))
7356 goto nla_put_failure
;
7358 nlmsg_end(skb
, nlh
);
7362 nlmsg_trim(skb
, nlh
);
7366 static void nft_flowtable_event(unsigned long event
, struct net_device
*dev
,
7367 struct nft_flowtable
*flowtable
)
7369 struct nft_hook
*hook
;
7371 list_for_each_entry(hook
, &flowtable
->hook_list
, list
) {
7372 if (hook
->ops
.dev
!= dev
)
7375 /* flow_offload_netdev_event() cleans up entries for us. */
7376 nft_unregister_flowtable_hook(dev_net(dev
), flowtable
, hook
);
7377 list_del_rcu(&hook
->list
);
7378 kfree_rcu(hook
, rcu
);
7383 static int nf_tables_flowtable_event(struct notifier_block
*this,
7384 unsigned long event
, void *ptr
)
7386 struct net_device
*dev
= netdev_notifier_info_to_dev(ptr
);
7387 struct nft_flowtable
*flowtable
;
7388 struct nft_table
*table
;
7391 if (event
!= NETDEV_UNREGISTER
)
7395 mutex_lock(&net
->nft
.commit_mutex
);
7396 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
7397 list_for_each_entry(flowtable
, &table
->flowtables
, list
) {
7398 nft_flowtable_event(event
, dev
, flowtable
);
7401 mutex_unlock(&net
->nft
.commit_mutex
);
7406 static struct notifier_block nf_tables_flowtable_notifier
= {
7407 .notifier_call
= nf_tables_flowtable_event
,
7410 static void nf_tables_gen_notify(struct net
*net
, struct sk_buff
*skb
,
7413 struct nlmsghdr
*nlh
= nlmsg_hdr(skb
);
7414 struct sk_buff
*skb2
;
7417 if (!nlmsg_report(nlh
) &&
7418 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
7421 skb2
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
7425 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
7432 nfnetlink_send(skb2
, net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
7433 nlmsg_report(nlh
), GFP_KERNEL
);
7436 nfnetlink_set_err(net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
7440 static int nf_tables_getgen(struct net
*net
, struct sock
*nlsk
,
7441 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
7442 const struct nlattr
* const nla
[],
7443 struct netlink_ext_ack
*extack
)
7445 struct sk_buff
*skb2
;
7448 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
7452 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
7455 goto err_fill_gen_info
;
7457 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
7464 static const struct nfnl_callback nf_tables_cb
[NFT_MSG_MAX
] = {
7465 [NFT_MSG_NEWTABLE
] = {
7466 .call_batch
= nf_tables_newtable
,
7467 .attr_count
= NFTA_TABLE_MAX
,
7468 .policy
= nft_table_policy
,
7470 [NFT_MSG_GETTABLE
] = {
7471 .call_rcu
= nf_tables_gettable
,
7472 .attr_count
= NFTA_TABLE_MAX
,
7473 .policy
= nft_table_policy
,
7475 [NFT_MSG_DELTABLE
] = {
7476 .call_batch
= nf_tables_deltable
,
7477 .attr_count
= NFTA_TABLE_MAX
,
7478 .policy
= nft_table_policy
,
7480 [NFT_MSG_NEWCHAIN
] = {
7481 .call_batch
= nf_tables_newchain
,
7482 .attr_count
= NFTA_CHAIN_MAX
,
7483 .policy
= nft_chain_policy
,
7485 [NFT_MSG_GETCHAIN
] = {
7486 .call_rcu
= nf_tables_getchain
,
7487 .attr_count
= NFTA_CHAIN_MAX
,
7488 .policy
= nft_chain_policy
,
7490 [NFT_MSG_DELCHAIN
] = {
7491 .call_batch
= nf_tables_delchain
,
7492 .attr_count
= NFTA_CHAIN_MAX
,
7493 .policy
= nft_chain_policy
,
7495 [NFT_MSG_NEWRULE
] = {
7496 .call_batch
= nf_tables_newrule
,
7497 .attr_count
= NFTA_RULE_MAX
,
7498 .policy
= nft_rule_policy
,
7500 [NFT_MSG_GETRULE
] = {
7501 .call_rcu
= nf_tables_getrule
,
7502 .attr_count
= NFTA_RULE_MAX
,
7503 .policy
= nft_rule_policy
,
7505 [NFT_MSG_DELRULE
] = {
7506 .call_batch
= nf_tables_delrule
,
7507 .attr_count
= NFTA_RULE_MAX
,
7508 .policy
= nft_rule_policy
,
7510 [NFT_MSG_NEWSET
] = {
7511 .call_batch
= nf_tables_newset
,
7512 .attr_count
= NFTA_SET_MAX
,
7513 .policy
= nft_set_policy
,
7515 [NFT_MSG_GETSET
] = {
7516 .call_rcu
= nf_tables_getset
,
7517 .attr_count
= NFTA_SET_MAX
,
7518 .policy
= nft_set_policy
,
7520 [NFT_MSG_DELSET
] = {
7521 .call_batch
= nf_tables_delset
,
7522 .attr_count
= NFTA_SET_MAX
,
7523 .policy
= nft_set_policy
,
7525 [NFT_MSG_NEWSETELEM
] = {
7526 .call_batch
= nf_tables_newsetelem
,
7527 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
7528 .policy
= nft_set_elem_list_policy
,
7530 [NFT_MSG_GETSETELEM
] = {
7531 .call_rcu
= nf_tables_getsetelem
,
7532 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
7533 .policy
= nft_set_elem_list_policy
,
7535 [NFT_MSG_DELSETELEM
] = {
7536 .call_batch
= nf_tables_delsetelem
,
7537 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
7538 .policy
= nft_set_elem_list_policy
,
7540 [NFT_MSG_GETGEN
] = {
7541 .call_rcu
= nf_tables_getgen
,
7543 [NFT_MSG_NEWOBJ
] = {
7544 .call_batch
= nf_tables_newobj
,
7545 .attr_count
= NFTA_OBJ_MAX
,
7546 .policy
= nft_obj_policy
,
7548 [NFT_MSG_GETOBJ
] = {
7549 .call_rcu
= nf_tables_getobj
,
7550 .attr_count
= NFTA_OBJ_MAX
,
7551 .policy
= nft_obj_policy
,
7553 [NFT_MSG_DELOBJ
] = {
7554 .call_batch
= nf_tables_delobj
,
7555 .attr_count
= NFTA_OBJ_MAX
,
7556 .policy
= nft_obj_policy
,
7558 [NFT_MSG_GETOBJ_RESET
] = {
7559 .call_rcu
= nf_tables_getobj
,
7560 .attr_count
= NFTA_OBJ_MAX
,
7561 .policy
= nft_obj_policy
,
7563 [NFT_MSG_NEWFLOWTABLE
] = {
7564 .call_batch
= nf_tables_newflowtable
,
7565 .attr_count
= NFTA_FLOWTABLE_MAX
,
7566 .policy
= nft_flowtable_policy
,
7568 [NFT_MSG_GETFLOWTABLE
] = {
7569 .call_rcu
= nf_tables_getflowtable
,
7570 .attr_count
= NFTA_FLOWTABLE_MAX
,
7571 .policy
= nft_flowtable_policy
,
7573 [NFT_MSG_DELFLOWTABLE
] = {
7574 .call_batch
= nf_tables_delflowtable
,
7575 .attr_count
= NFTA_FLOWTABLE_MAX
,
7576 .policy
= nft_flowtable_policy
,
7580 static int nf_tables_validate(struct net
*net
)
7582 struct nft_table
*table
;
7584 switch (net
->nft
.validate_state
) {
7585 case NFT_VALIDATE_SKIP
:
7587 case NFT_VALIDATE_NEED
:
7588 nft_validate_state_update(net
, NFT_VALIDATE_DO
);
7590 case NFT_VALIDATE_DO
:
7591 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
7592 if (nft_table_validate(net
, table
) < 0)
7601 /* a drop policy has to be deferred until all rules have been activated,
7602 * otherwise a large ruleset that contains a drop-policy base chain will
7603 * cause all packets to get dropped until the full transaction has been
7606 * We defer the drop policy until the transaction has been finalized.
7608 static void nft_chain_commit_drop_policy(struct nft_trans
*trans
)
7610 struct nft_base_chain
*basechain
;
7612 if (nft_trans_chain_policy(trans
) != NF_DROP
)
7615 if (!nft_is_base_chain(trans
->ctx
.chain
))
7618 basechain
= nft_base_chain(trans
->ctx
.chain
);
7619 basechain
->policy
= NF_DROP
;
7622 static void nft_chain_commit_update(struct nft_trans
*trans
)
7624 struct nft_base_chain
*basechain
;
7626 if (nft_trans_chain_name(trans
)) {
7627 rhltable_remove(&trans
->ctx
.table
->chains_ht
,
7628 &trans
->ctx
.chain
->rhlhead
,
7629 nft_chain_ht_params
);
7630 swap(trans
->ctx
.chain
->name
, nft_trans_chain_name(trans
));
7631 rhltable_insert_key(&trans
->ctx
.table
->chains_ht
,
7632 trans
->ctx
.chain
->name
,
7633 &trans
->ctx
.chain
->rhlhead
,
7634 nft_chain_ht_params
);
7637 if (!nft_is_base_chain(trans
->ctx
.chain
))
7640 nft_chain_stats_replace(trans
);
7642 basechain
= nft_base_chain(trans
->ctx
.chain
);
7644 switch (nft_trans_chain_policy(trans
)) {
7647 basechain
->policy
= nft_trans_chain_policy(trans
);
7652 static void nft_obj_commit_update(struct nft_trans
*trans
)
7654 struct nft_object
*newobj
;
7655 struct nft_object
*obj
;
7657 obj
= nft_trans_obj(trans
);
7658 newobj
= nft_trans_obj_newobj(trans
);
7660 if (obj
->ops
->update
)
7661 obj
->ops
->update(obj
, newobj
);
7666 static void nft_commit_release(struct nft_trans
*trans
)
7668 switch (trans
->msg_type
) {
7669 case NFT_MSG_DELTABLE
:
7670 nf_tables_table_destroy(&trans
->ctx
);
7672 case NFT_MSG_NEWCHAIN
:
7673 free_percpu(nft_trans_chain_stats(trans
));
7674 kfree(nft_trans_chain_name(trans
));
7676 case NFT_MSG_DELCHAIN
:
7677 nf_tables_chain_destroy(&trans
->ctx
);
7679 case NFT_MSG_DELRULE
:
7680 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
7682 case NFT_MSG_DELSET
:
7683 nft_set_destroy(&trans
->ctx
, nft_trans_set(trans
));
7685 case NFT_MSG_DELSETELEM
:
7686 nf_tables_set_elem_destroy(&trans
->ctx
,
7687 nft_trans_elem_set(trans
),
7688 nft_trans_elem(trans
).priv
);
7690 case NFT_MSG_DELOBJ
:
7691 nft_obj_destroy(&trans
->ctx
, nft_trans_obj(trans
));
7693 case NFT_MSG_DELFLOWTABLE
:
7694 if (nft_trans_flowtable_update(trans
))
7695 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans
));
7697 nf_tables_flowtable_destroy(nft_trans_flowtable(trans
));
7702 put_net(trans
->ctx
.net
);
7707 static void nf_tables_trans_destroy_work(struct work_struct
*w
)
7709 struct nft_trans
*trans
, *next
;
7712 spin_lock(&nf_tables_destroy_list_lock
);
7713 list_splice_init(&nf_tables_destroy_list
, &head
);
7714 spin_unlock(&nf_tables_destroy_list_lock
);
7716 if (list_empty(&head
))
7721 list_for_each_entry_safe(trans
, next
, &head
, list
) {
7722 list_del(&trans
->list
);
7723 nft_commit_release(trans
);
7727 void nf_tables_trans_destroy_flush_work(void)
7729 flush_work(&trans_destroy_work
);
7731 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work
);
7733 static int nf_tables_commit_chain_prepare(struct net
*net
, struct nft_chain
*chain
)
7735 struct nft_rule
*rule
;
7736 unsigned int alloc
= 0;
7739 /* already handled or inactive chain? */
7740 if (chain
->rules_next
|| !nft_is_active_next(net
, chain
))
7743 rule
= list_entry(&chain
->rules
, struct nft_rule
, list
);
7746 list_for_each_entry_continue(rule
, &chain
->rules
, list
) {
7747 if (nft_is_active_next(net
, rule
))
7751 chain
->rules_next
= nf_tables_chain_alloc_rules(chain
, alloc
);
7752 if (!chain
->rules_next
)
7755 list_for_each_entry_continue(rule
, &chain
->rules
, list
) {
7756 if (nft_is_active_next(net
, rule
))
7757 chain
->rules_next
[i
++] = rule
;
7760 chain
->rules_next
[i
] = NULL
;
7764 static void nf_tables_commit_chain_prepare_cancel(struct net
*net
)
7766 struct nft_trans
*trans
, *next
;
7768 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
7769 struct nft_chain
*chain
= trans
->ctx
.chain
;
7771 if (trans
->msg_type
== NFT_MSG_NEWRULE
||
7772 trans
->msg_type
== NFT_MSG_DELRULE
) {
7773 kvfree(chain
->rules_next
);
7774 chain
->rules_next
= NULL
;
7779 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head
*h
)
7781 struct nft_rules_old
*o
= container_of(h
, struct nft_rules_old
, h
);
7786 static void nf_tables_commit_chain_free_rules_old(struct nft_rule
**rules
)
7788 struct nft_rule
**r
= rules
;
7789 struct nft_rules_old
*old
;
7794 r
++; /* rcu_head is after end marker */
7798 call_rcu(&old
->h
, __nf_tables_commit_chain_free_rules_old
);
7801 static void nf_tables_commit_chain(struct net
*net
, struct nft_chain
*chain
)
7803 struct nft_rule
**g0
, **g1
;
7806 next_genbit
= nft_gencursor_next(net
);
7808 g0
= rcu_dereference_protected(chain
->rules_gen_0
,
7809 lockdep_commit_lock_is_held(net
));
7810 g1
= rcu_dereference_protected(chain
->rules_gen_1
,
7811 lockdep_commit_lock_is_held(net
));
7813 /* No changes to this chain? */
7814 if (chain
->rules_next
== NULL
) {
7815 /* chain had no change in last or next generation */
7819 * chain had no change in this generation; make sure next
7820 * one uses same rules as current generation.
7823 rcu_assign_pointer(chain
->rules_gen_1
, g0
);
7824 nf_tables_commit_chain_free_rules_old(g1
);
7826 rcu_assign_pointer(chain
->rules_gen_0
, g1
);
7827 nf_tables_commit_chain_free_rules_old(g0
);
7834 rcu_assign_pointer(chain
->rules_gen_1
, chain
->rules_next
);
7836 rcu_assign_pointer(chain
->rules_gen_0
, chain
->rules_next
);
7838 chain
->rules_next
= NULL
;
7844 nf_tables_commit_chain_free_rules_old(g1
);
7846 nf_tables_commit_chain_free_rules_old(g0
);
7849 static void nft_obj_del(struct nft_object
*obj
)
7851 rhltable_remove(&nft_objname_ht
, &obj
->rhlhead
, nft_objname_ht_params
);
7852 list_del_rcu(&obj
->list
);
7855 void nft_chain_del(struct nft_chain
*chain
)
7857 struct nft_table
*table
= chain
->table
;
7859 WARN_ON_ONCE(rhltable_remove(&table
->chains_ht
, &chain
->rhlhead
,
7860 nft_chain_ht_params
));
7861 list_del_rcu(&chain
->list
);
7864 static void nft_flowtable_hooks_del(struct nft_flowtable
*flowtable
,
7865 struct list_head
*hook_list
)
7867 struct nft_hook
*hook
, *next
;
7869 list_for_each_entry_safe(hook
, next
, &flowtable
->hook_list
, list
) {
7871 list_move(&hook
->list
, hook_list
);
7875 static void nf_tables_module_autoload_cleanup(struct net
*net
)
7877 struct nft_module_request
*req
, *next
;
7879 WARN_ON_ONCE(!list_empty(&net
->nft
.commit_list
));
7880 list_for_each_entry_safe(req
, next
, &net
->nft
.module_list
, list
) {
7881 WARN_ON_ONCE(!req
->done
);
7882 list_del(&req
->list
);
7887 static void nf_tables_commit_release(struct net
*net
)
7889 struct nft_trans
*trans
;
7891 /* all side effects have to be made visible.
7892 * For example, if a chain named 'foo' has been deleted, a
7893 * new transaction must not find it anymore.
7895 * Memory reclaim happens asynchronously from work queue
7896 * to prevent expensive synchronize_rcu() in commit phase.
7898 if (list_empty(&net
->nft
.commit_list
)) {
7899 nf_tables_module_autoload_cleanup(net
);
7900 mutex_unlock(&net
->nft
.commit_mutex
);
7904 trans
= list_last_entry(&net
->nft
.commit_list
,
7905 struct nft_trans
, list
);
7906 get_net(trans
->ctx
.net
);
7907 WARN_ON_ONCE(trans
->put_net
);
7909 trans
->put_net
= true;
7910 spin_lock(&nf_tables_destroy_list_lock
);
7911 list_splice_tail_init(&net
->nft
.commit_list
, &nf_tables_destroy_list
);
7912 spin_unlock(&nf_tables_destroy_list_lock
);
7914 nf_tables_module_autoload_cleanup(net
);
7915 schedule_work(&trans_destroy_work
);
7917 mutex_unlock(&net
->nft
.commit_mutex
);
7920 static void nft_commit_notify(struct net
*net
, u32 portid
)
7922 struct sk_buff
*batch_skb
= NULL
, *nskb
, *skb
;
7923 unsigned char *data
;
7926 list_for_each_entry_safe(skb
, nskb
, &net
->nft
.notify_list
, list
) {
7930 len
= NLMSG_GOODSIZE
- skb
->len
;
7931 list_del(&skb
->list
);
7935 if (len
> 0 && NFT_CB(skb
).report
== NFT_CB(batch_skb
).report
) {
7936 data
= skb_put(batch_skb
, skb
->len
);
7937 memcpy(data
, skb
->data
, skb
->len
);
7938 list_del(&skb
->list
);
7942 nfnetlink_send(batch_skb
, net
, portid
, NFNLGRP_NFTABLES
,
7943 NFT_CB(batch_skb
).report
, GFP_KERNEL
);
7948 nfnetlink_send(batch_skb
, net
, portid
, NFNLGRP_NFTABLES
,
7949 NFT_CB(batch_skb
).report
, GFP_KERNEL
);
7952 WARN_ON_ONCE(!list_empty(&net
->nft
.notify_list
));
7955 static int nf_tables_commit_audit_alloc(struct list_head
*adl
,
7956 struct nft_table
*table
)
7958 struct nft_audit_data
*adp
;
7960 list_for_each_entry(adp
, adl
, list
) {
7961 if (adp
->table
== table
)
7964 adp
= kzalloc(sizeof(*adp
), GFP_KERNEL
);
7968 list_add(&adp
->list
, adl
);
7972 static void nf_tables_commit_audit_collect(struct list_head
*adl
,
7973 struct nft_table
*table
, u32 op
)
7975 struct nft_audit_data
*adp
;
7977 list_for_each_entry(adp
, adl
, list
) {
7978 if (adp
->table
== table
)
7981 WARN_ONCE("table=%s not expected in commit list", table
->name
);
7985 if (!adp
->op
|| adp
->op
> op
)
7989 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
7991 static void nf_tables_commit_audit_log(struct list_head
*adl
, u32 generation
)
7993 struct nft_audit_data
*adp
, *adn
;
7994 char aubuf
[AUNFTABLENAMELEN
];
7996 list_for_each_entry_safe(adp
, adn
, adl
, list
) {
7997 snprintf(aubuf
, AUNFTABLENAMELEN
, "%s:%u", adp
->table
->name
,
7999 audit_log_nfcfg(aubuf
, adp
->table
->family
, adp
->entries
,
8000 nft2audit_op
[adp
->op
], GFP_KERNEL
);
8001 list_del(&adp
->list
);
8006 static int nf_tables_commit(struct net
*net
, struct sk_buff
*skb
)
8008 struct nft_trans
*trans
, *next
;
8009 struct nft_trans_elem
*te
;
8010 struct nft_chain
*chain
;
8011 struct nft_table
*table
;
8015 if (list_empty(&net
->nft
.commit_list
)) {
8016 mutex_unlock(&net
->nft
.commit_mutex
);
8020 /* 0. Validate ruleset, otherwise roll back for error reporting. */
8021 if (nf_tables_validate(net
) < 0)
8024 err
= nft_flow_rule_offload_commit(net
);
8028 /* 1. Allocate space for next generation rules_gen_X[] */
8029 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
8032 ret
= nf_tables_commit_audit_alloc(&adl
, trans
->ctx
.table
);
8034 nf_tables_commit_chain_prepare_cancel(net
);
8037 if (trans
->msg_type
== NFT_MSG_NEWRULE
||
8038 trans
->msg_type
== NFT_MSG_DELRULE
) {
8039 chain
= trans
->ctx
.chain
;
8041 ret
= nf_tables_commit_chain_prepare(net
, chain
);
8043 nf_tables_commit_chain_prepare_cancel(net
);
8049 /* step 2. Make rules_gen_X visible to packet path */
8050 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
8051 list_for_each_entry(chain
, &table
->chains
, list
)
8052 nf_tables_commit_chain(net
, chain
);
8056 * Bump generation counter, invalidate any dump in progress.
8057 * Cannot fail after this point.
8059 while (++net
->nft
.base_seq
== 0);
8061 /* step 3. Start new generation, rules_gen_X now in use. */
8062 net
->nft
.gencursor
= nft_gencursor_next(net
);
8064 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
8065 nf_tables_commit_audit_collect(&adl
, trans
->ctx
.table
,
8067 switch (trans
->msg_type
) {
8068 case NFT_MSG_NEWTABLE
:
8069 if (nft_trans_table_update(trans
)) {
8070 if (nft_trans_table_state(trans
) == NFT_TABLE_STATE_DORMANT
)
8071 nf_tables_table_disable(net
, trans
->ctx
.table
);
8073 trans
->ctx
.table
->flags
= nft_trans_table_flags(trans
);
8075 nft_clear(net
, trans
->ctx
.table
);
8077 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_NEWTABLE
);
8078 nft_trans_destroy(trans
);
8080 case NFT_MSG_DELTABLE
:
8081 list_del_rcu(&trans
->ctx
.table
->list
);
8082 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_DELTABLE
);
8084 case NFT_MSG_NEWCHAIN
:
8085 if (nft_trans_chain_update(trans
)) {
8086 nft_chain_commit_update(trans
);
8087 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
8088 /* trans destroyed after rcu grace period */
8090 nft_chain_commit_drop_policy(trans
);
8091 nft_clear(net
, trans
->ctx
.chain
);
8092 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
8093 nft_trans_destroy(trans
);
8096 case NFT_MSG_DELCHAIN
:
8097 nft_chain_del(trans
->ctx
.chain
);
8098 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_DELCHAIN
);
8099 nf_tables_unregister_hook(trans
->ctx
.net
,
8103 case NFT_MSG_NEWRULE
:
8104 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
8105 nf_tables_rule_notify(&trans
->ctx
,
8106 nft_trans_rule(trans
),
8108 nft_trans_destroy(trans
);
8110 case NFT_MSG_DELRULE
:
8111 list_del_rcu(&nft_trans_rule(trans
)->list
);
8112 nf_tables_rule_notify(&trans
->ctx
,
8113 nft_trans_rule(trans
),
8115 nft_rule_expr_deactivate(&trans
->ctx
,
8116 nft_trans_rule(trans
),
8119 case NFT_MSG_NEWSET
:
8120 nft_clear(net
, nft_trans_set(trans
));
8121 /* This avoids hitting -EBUSY when deleting the table
8122 * from the transaction.
8124 if (nft_set_is_anonymous(nft_trans_set(trans
)) &&
8125 !list_empty(&nft_trans_set(trans
)->bindings
))
8126 trans
->ctx
.table
->use
--;
8128 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
8129 NFT_MSG_NEWSET
, GFP_KERNEL
);
8130 nft_trans_destroy(trans
);
8132 case NFT_MSG_DELSET
:
8133 list_del_rcu(&nft_trans_set(trans
)->list
);
8134 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
8135 NFT_MSG_DELSET
, GFP_KERNEL
);
8137 case NFT_MSG_NEWSETELEM
:
8138 te
= (struct nft_trans_elem
*)trans
->data
;
8140 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
8141 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
8143 NFT_MSG_NEWSETELEM
, 0);
8144 nft_trans_destroy(trans
);
8146 case NFT_MSG_DELSETELEM
:
8147 te
= (struct nft_trans_elem
*)trans
->data
;
8149 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
8151 NFT_MSG_DELSETELEM
, 0);
8152 te
->set
->ops
->remove(net
, te
->set
, &te
->elem
);
8153 atomic_dec(&te
->set
->nelems
);
8156 case NFT_MSG_NEWOBJ
:
8157 if (nft_trans_obj_update(trans
)) {
8158 nft_obj_commit_update(trans
);
8159 nf_tables_obj_notify(&trans
->ctx
,
8160 nft_trans_obj(trans
),
8163 nft_clear(net
, nft_trans_obj(trans
));
8164 nf_tables_obj_notify(&trans
->ctx
,
8165 nft_trans_obj(trans
),
8167 nft_trans_destroy(trans
);
8170 case NFT_MSG_DELOBJ
:
8171 nft_obj_del(nft_trans_obj(trans
));
8172 nf_tables_obj_notify(&trans
->ctx
, nft_trans_obj(trans
),
8175 case NFT_MSG_NEWFLOWTABLE
:
8176 if (nft_trans_flowtable_update(trans
)) {
8177 nft_trans_flowtable(trans
)->data
.flags
=
8178 nft_trans_flowtable_flags(trans
);
8179 nf_tables_flowtable_notify(&trans
->ctx
,
8180 nft_trans_flowtable(trans
),
8181 &nft_trans_flowtable_hooks(trans
),
8182 NFT_MSG_NEWFLOWTABLE
);
8183 list_splice(&nft_trans_flowtable_hooks(trans
),
8184 &nft_trans_flowtable(trans
)->hook_list
);
8186 nft_clear(net
, nft_trans_flowtable(trans
));
8187 nf_tables_flowtable_notify(&trans
->ctx
,
8188 nft_trans_flowtable(trans
),
8189 &nft_trans_flowtable(trans
)->hook_list
,
8190 NFT_MSG_NEWFLOWTABLE
);
8192 nft_trans_destroy(trans
);
8194 case NFT_MSG_DELFLOWTABLE
:
8195 if (nft_trans_flowtable_update(trans
)) {
8196 nft_flowtable_hooks_del(nft_trans_flowtable(trans
),
8197 &nft_trans_flowtable_hooks(trans
));
8198 nf_tables_flowtable_notify(&trans
->ctx
,
8199 nft_trans_flowtable(trans
),
8200 &nft_trans_flowtable_hooks(trans
),
8201 NFT_MSG_DELFLOWTABLE
);
8202 nft_unregister_flowtable_net_hooks(net
,
8203 &nft_trans_flowtable_hooks(trans
));
8205 list_del_rcu(&nft_trans_flowtable(trans
)->list
);
8206 nf_tables_flowtable_notify(&trans
->ctx
,
8207 nft_trans_flowtable(trans
),
8208 &nft_trans_flowtable(trans
)->hook_list
,
8209 NFT_MSG_DELFLOWTABLE
);
8210 nft_unregister_flowtable_net_hooks(net
,
8211 &nft_trans_flowtable(trans
)->hook_list
);
8217 nft_commit_notify(net
, NETLINK_CB(skb
).portid
);
8218 nf_tables_gen_notify(net
, skb
, NFT_MSG_NEWGEN
);
8219 nf_tables_commit_audit_log(&adl
, net
->nft
.base_seq
);
8220 nf_tables_commit_release(net
);
8225 static void nf_tables_module_autoload(struct net
*net
)
8227 struct nft_module_request
*req
, *next
;
8228 LIST_HEAD(module_list
);
8230 list_splice_init(&net
->nft
.module_list
, &module_list
);
8231 mutex_unlock(&net
->nft
.commit_mutex
);
8232 list_for_each_entry_safe(req
, next
, &module_list
, list
) {
8233 request_module("%s", req
->module
);
8236 mutex_lock(&net
->nft
.commit_mutex
);
8237 list_splice(&module_list
, &net
->nft
.module_list
);
8240 static void nf_tables_abort_release(struct nft_trans
*trans
)
8242 switch (trans
->msg_type
) {
8243 case NFT_MSG_NEWTABLE
:
8244 nf_tables_table_destroy(&trans
->ctx
);
8246 case NFT_MSG_NEWCHAIN
:
8247 nf_tables_chain_destroy(&trans
->ctx
);
8249 case NFT_MSG_NEWRULE
:
8250 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
8252 case NFT_MSG_NEWSET
:
8253 nft_set_destroy(&trans
->ctx
, nft_trans_set(trans
));
8255 case NFT_MSG_NEWSETELEM
:
8256 nft_set_elem_destroy(nft_trans_elem_set(trans
),
8257 nft_trans_elem(trans
).priv
, true);
8259 case NFT_MSG_NEWOBJ
:
8260 nft_obj_destroy(&trans
->ctx
, nft_trans_obj(trans
));
8262 case NFT_MSG_NEWFLOWTABLE
:
8263 if (nft_trans_flowtable_update(trans
))
8264 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans
));
8266 nf_tables_flowtable_destroy(nft_trans_flowtable(trans
));
8272 static int __nf_tables_abort(struct net
*net
, enum nfnl_abort_action action
)
8274 struct nft_trans
*trans
, *next
;
8275 struct nft_trans_elem
*te
;
8276 struct nft_hook
*hook
;
8278 if (action
== NFNL_ABORT_VALIDATE
&&
8279 nf_tables_validate(net
) < 0)
8282 list_for_each_entry_safe_reverse(trans
, next
, &net
->nft
.commit_list
,
8284 switch (trans
->msg_type
) {
8285 case NFT_MSG_NEWTABLE
:
8286 if (nft_trans_table_update(trans
)) {
8287 if (nft_trans_table_state(trans
) == NFT_TABLE_STATE_WAKEUP
)
8288 nf_tables_table_disable(net
, trans
->ctx
.table
);
8290 nft_trans_destroy(trans
);
8292 list_del_rcu(&trans
->ctx
.table
->list
);
8295 case NFT_MSG_DELTABLE
:
8296 nft_clear(trans
->ctx
.net
, trans
->ctx
.table
);
8297 nft_trans_destroy(trans
);
8299 case NFT_MSG_NEWCHAIN
:
8300 if (nft_trans_chain_update(trans
)) {
8301 free_percpu(nft_trans_chain_stats(trans
));
8302 kfree(nft_trans_chain_name(trans
));
8303 nft_trans_destroy(trans
);
8305 if (nft_chain_is_bound(trans
->ctx
.chain
)) {
8306 nft_trans_destroy(trans
);
8309 trans
->ctx
.table
->use
--;
8310 nft_chain_del(trans
->ctx
.chain
);
8311 nf_tables_unregister_hook(trans
->ctx
.net
,
8316 case NFT_MSG_DELCHAIN
:
8317 trans
->ctx
.table
->use
++;
8318 nft_clear(trans
->ctx
.net
, trans
->ctx
.chain
);
8319 nft_trans_destroy(trans
);
8321 case NFT_MSG_NEWRULE
:
8322 trans
->ctx
.chain
->use
--;
8323 list_del_rcu(&nft_trans_rule(trans
)->list
);
8324 nft_rule_expr_deactivate(&trans
->ctx
,
8325 nft_trans_rule(trans
),
8328 case NFT_MSG_DELRULE
:
8329 trans
->ctx
.chain
->use
++;
8330 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
8331 nft_rule_expr_activate(&trans
->ctx
, nft_trans_rule(trans
));
8332 nft_trans_destroy(trans
);
8334 case NFT_MSG_NEWSET
:
8335 trans
->ctx
.table
->use
--;
8336 if (nft_trans_set_bound(trans
)) {
8337 nft_trans_destroy(trans
);
8340 list_del_rcu(&nft_trans_set(trans
)->list
);
8342 case NFT_MSG_DELSET
:
8343 trans
->ctx
.table
->use
++;
8344 nft_clear(trans
->ctx
.net
, nft_trans_set(trans
));
8345 nft_trans_destroy(trans
);
8347 case NFT_MSG_NEWSETELEM
:
8348 if (nft_trans_elem_set_bound(trans
)) {
8349 nft_trans_destroy(trans
);
8352 te
= (struct nft_trans_elem
*)trans
->data
;
8353 te
->set
->ops
->remove(net
, te
->set
, &te
->elem
);
8354 atomic_dec(&te
->set
->nelems
);
8356 case NFT_MSG_DELSETELEM
:
8357 te
= (struct nft_trans_elem
*)trans
->data
;
8359 nft_set_elem_activate(net
, te
->set
, &te
->elem
);
8360 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
8363 nft_trans_destroy(trans
);
8365 case NFT_MSG_NEWOBJ
:
8366 if (nft_trans_obj_update(trans
)) {
8367 kfree(nft_trans_obj_newobj(trans
));
8368 nft_trans_destroy(trans
);
8370 trans
->ctx
.table
->use
--;
8371 nft_obj_del(nft_trans_obj(trans
));
8374 case NFT_MSG_DELOBJ
:
8375 trans
->ctx
.table
->use
++;
8376 nft_clear(trans
->ctx
.net
, nft_trans_obj(trans
));
8377 nft_trans_destroy(trans
);
8379 case NFT_MSG_NEWFLOWTABLE
:
8380 if (nft_trans_flowtable_update(trans
)) {
8381 nft_unregister_flowtable_net_hooks(net
,
8382 &nft_trans_flowtable_hooks(trans
));
8384 trans
->ctx
.table
->use
--;
8385 list_del_rcu(&nft_trans_flowtable(trans
)->list
);
8386 nft_unregister_flowtable_net_hooks(net
,
8387 &nft_trans_flowtable(trans
)->hook_list
);
8390 case NFT_MSG_DELFLOWTABLE
:
8391 if (nft_trans_flowtable_update(trans
)) {
8392 list_for_each_entry(hook
, &nft_trans_flowtable(trans
)->hook_list
, list
)
8393 hook
->inactive
= false;
8395 trans
->ctx
.table
->use
++;
8396 nft_clear(trans
->ctx
.net
, nft_trans_flowtable(trans
));
8398 nft_trans_destroy(trans
);
8405 list_for_each_entry_safe_reverse(trans
, next
,
8406 &net
->nft
.commit_list
, list
) {
8407 list_del(&trans
->list
);
8408 nf_tables_abort_release(trans
);
8411 if (action
== NFNL_ABORT_AUTOLOAD
)
8412 nf_tables_module_autoload(net
);
8414 nf_tables_module_autoload_cleanup(net
);
8419 static void nf_tables_cleanup(struct net
*net
)
8421 nft_validate_state_update(net
, NFT_VALIDATE_SKIP
);
8424 static int nf_tables_abort(struct net
*net
, struct sk_buff
*skb
,
8425 enum nfnl_abort_action action
)
8427 int ret
= __nf_tables_abort(net
, action
);
8429 mutex_unlock(&net
->nft
.commit_mutex
);
8434 static bool nf_tables_valid_genid(struct net
*net
, u32 genid
)
8438 mutex_lock(&net
->nft
.commit_mutex
);
8440 genid_ok
= genid
== 0 || net
->nft
.base_seq
== genid
;
8442 mutex_unlock(&net
->nft
.commit_mutex
);
8444 /* else, commit mutex has to be released by commit or abort function */
8448 static const struct nfnetlink_subsystem nf_tables_subsys
= {
8449 .name
= "nf_tables",
8450 .subsys_id
= NFNL_SUBSYS_NFTABLES
,
8451 .cb_count
= NFT_MSG_MAX
,
8453 .commit
= nf_tables_commit
,
8454 .abort
= nf_tables_abort
,
8455 .cleanup
= nf_tables_cleanup
,
8456 .valid_genid
= nf_tables_valid_genid
,
8457 .owner
= THIS_MODULE
,
8460 int nft_chain_validate_dependency(const struct nft_chain
*chain
,
8461 enum nft_chain_types type
)
8463 const struct nft_base_chain
*basechain
;
8465 if (nft_is_base_chain(chain
)) {
8466 basechain
= nft_base_chain(chain
);
8467 if (basechain
->type
->type
!= type
)
8472 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency
);
8474 int nft_chain_validate_hooks(const struct nft_chain
*chain
,
8475 unsigned int hook_flags
)
8477 struct nft_base_chain
*basechain
;
8479 if (nft_is_base_chain(chain
)) {
8480 basechain
= nft_base_chain(chain
);
8482 if ((1 << basechain
->ops
.hooknum
) & hook_flags
)
8490 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks
);
8493 * Loop detection - walk through the ruleset beginning at the destination chain
8494 * of a new jump until either the source chain is reached (loop) or all
8495 * reachable chains have been traversed.
8497 * The loop check is performed whenever a new jump verdict is added to an
8498 * expression or verdict map or a verdict map is bound to a new chain.
8501 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
8502 const struct nft_chain
*chain
);
8504 static int nf_tables_loop_check_setelem(const struct nft_ctx
*ctx
,
8505 struct nft_set
*set
,
8506 const struct nft_set_iter
*iter
,
8507 struct nft_set_elem
*elem
)
8509 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
8510 const struct nft_data
*data
;
8512 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
8513 *nft_set_ext_flags(ext
) & NFT_SET_ELEM_INTERVAL_END
)
8516 data
= nft_set_ext_data(ext
);
8517 switch (data
->verdict
.code
) {
8520 return nf_tables_check_loops(ctx
, data
->verdict
.chain
);
8526 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
8527 const struct nft_chain
*chain
)
8529 const struct nft_rule
*rule
;
8530 const struct nft_expr
*expr
, *last
;
8531 struct nft_set
*set
;
8532 struct nft_set_binding
*binding
;
8533 struct nft_set_iter iter
;
8535 if (ctx
->chain
== chain
)
8538 list_for_each_entry(rule
, &chain
->rules
, list
) {
8539 nft_rule_for_each_expr(expr
, last
, rule
) {
8540 struct nft_immediate_expr
*priv
;
8541 const struct nft_data
*data
;
8544 if (strcmp(expr
->ops
->type
->name
, "immediate"))
8547 priv
= nft_expr_priv(expr
);
8548 if (priv
->dreg
!= NFT_REG_VERDICT
)
8552 switch (data
->verdict
.code
) {
8555 err
= nf_tables_check_loops(ctx
,
8556 data
->verdict
.chain
);
8566 list_for_each_entry(set
, &ctx
->table
->sets
, list
) {
8567 if (!nft_is_active_next(ctx
->net
, set
))
8569 if (!(set
->flags
& NFT_SET_MAP
) ||
8570 set
->dtype
!= NFT_DATA_VERDICT
)
8573 list_for_each_entry(binding
, &set
->bindings
, list
) {
8574 if (!(binding
->flags
& NFT_SET_MAP
) ||
8575 binding
->chain
!= chain
)
8578 iter
.genmask
= nft_genmask_next(ctx
->net
);
8582 iter
.fn
= nf_tables_loop_check_setelem
;
8584 set
->ops
->walk(ctx
, set
, &iter
);
8594 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8596 * @attr: netlink attribute to fetch value from
8597 * @max: maximum value to be stored in dest
8598 * @dest: pointer to the variable
8600 * Parse, check and store a given u32 netlink attribute into variable.
8601 * This function returns -ERANGE if the value goes over maximum value.
8602 * Otherwise a 0 is returned and the attribute value is stored in the
8603 * destination variable.
8605 int nft_parse_u32_check(const struct nlattr
*attr
, int max
, u32
*dest
)
8609 val
= ntohl(nla_get_be32(attr
));
8616 EXPORT_SYMBOL_GPL(nft_parse_u32_check
);
8619 * nft_parse_register - parse a register value from a netlink attribute
8621 * @attr: netlink attribute
8623 * Parse and translate a register value from a netlink attribute.
8624 * Registers used to be 128 bit wide, these register numbers will be
8625 * mapped to the corresponding 32 bit register numbers.
8627 static unsigned int nft_parse_register(const struct nlattr
*attr
)
8631 reg
= ntohl(nla_get_be32(attr
));
8633 case NFT_REG_VERDICT
...NFT_REG_4
:
8634 return reg
* NFT_REG_SIZE
/ NFT_REG32_SIZE
;
8636 return reg
+ NFT_REG_SIZE
/ NFT_REG32_SIZE
- NFT_REG32_00
;
8641 * nft_dump_register - dump a register value to a netlink attribute
8643 * @skb: socket buffer
8644 * @attr: attribute number
8645 * @reg: register number
8647 * Construct a netlink attribute containing the register number. For
8648 * compatibility reasons, register numbers being a multiple of 4 are
8649 * translated to the corresponding 128 bit register numbers.
8651 int nft_dump_register(struct sk_buff
*skb
, unsigned int attr
, unsigned int reg
)
8653 if (reg
% (NFT_REG_SIZE
/ NFT_REG32_SIZE
) == 0)
8654 reg
= reg
/ (NFT_REG_SIZE
/ NFT_REG32_SIZE
);
8656 reg
= reg
- NFT_REG_SIZE
/ NFT_REG32_SIZE
+ NFT_REG32_00
;
8658 return nla_put_be32(skb
, attr
, htonl(reg
));
8660 EXPORT_SYMBOL_GPL(nft_dump_register
);
8663 * nft_validate_register_load - validate a load from a register
8665 * @reg: the register number
8666 * @len: the length of the data
8668 * Validate that the input register is one of the general purpose
8669 * registers and that the length of the load is within the bounds.
8671 static int nft_validate_register_load(enum nft_registers reg
, unsigned int len
)
8673 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
8677 if (reg
* NFT_REG32_SIZE
+ len
> sizeof_field(struct nft_regs
, data
))
8683 int nft_parse_register_load(const struct nlattr
*attr
, u8
*sreg
, u32 len
)
8688 reg
= nft_parse_register(attr
);
8689 err
= nft_validate_register_load(reg
, len
);
8696 EXPORT_SYMBOL_GPL(nft_parse_register_load
);
8699 * nft_validate_register_store - validate an expressions' register store
8701 * @ctx: context of the expression performing the load
8702 * @reg: the destination register number
8703 * @data: the data to load
8704 * @type: the data type
8705 * @len: the length of the data
8707 * Validate that a data load uses the appropriate data type for
8708 * the destination register and the length is within the bounds.
8709 * A value of NULL for the data means that its runtime gathered
8712 static int nft_validate_register_store(const struct nft_ctx
*ctx
,
8713 enum nft_registers reg
,
8714 const struct nft_data
*data
,
8715 enum nft_data_types type
,
8721 case NFT_REG_VERDICT
:
8722 if (type
!= NFT_DATA_VERDICT
)
8726 (data
->verdict
.code
== NFT_GOTO
||
8727 data
->verdict
.code
== NFT_JUMP
)) {
8728 err
= nf_tables_check_loops(ctx
, data
->verdict
.chain
);
8735 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
8739 if (reg
* NFT_REG32_SIZE
+ len
>
8740 sizeof_field(struct nft_regs
, data
))
8743 if (data
!= NULL
&& type
!= NFT_DATA_VALUE
)
8749 int nft_parse_register_store(const struct nft_ctx
*ctx
,
8750 const struct nlattr
*attr
, u8
*dreg
,
8751 const struct nft_data
*data
,
8752 enum nft_data_types type
, unsigned int len
)
8757 reg
= nft_parse_register(attr
);
8758 err
= nft_validate_register_store(ctx
, reg
, data
, type
, len
);
8765 EXPORT_SYMBOL_GPL(nft_parse_register_store
);
8767 static const struct nla_policy nft_verdict_policy
[NFTA_VERDICT_MAX
+ 1] = {
8768 [NFTA_VERDICT_CODE
] = { .type
= NLA_U32
},
8769 [NFTA_VERDICT_CHAIN
] = { .type
= NLA_STRING
,
8770 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
8771 [NFTA_VERDICT_CHAIN_ID
] = { .type
= NLA_U32
},
8774 static int nft_verdict_init(const struct nft_ctx
*ctx
, struct nft_data
*data
,
8775 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
8777 u8 genmask
= nft_genmask_next(ctx
->net
);
8778 struct nlattr
*tb
[NFTA_VERDICT_MAX
+ 1];
8779 struct nft_chain
*chain
;
8782 err
= nla_parse_nested_deprecated(tb
, NFTA_VERDICT_MAX
, nla
,
8783 nft_verdict_policy
, NULL
);
8787 if (!tb
[NFTA_VERDICT_CODE
])
8789 data
->verdict
.code
= ntohl(nla_get_be32(tb
[NFTA_VERDICT_CODE
]));
8791 switch (data
->verdict
.code
) {
8793 switch (data
->verdict
.code
& NF_VERDICT_MASK
) {
8808 if (tb
[NFTA_VERDICT_CHAIN
]) {
8809 chain
= nft_chain_lookup(ctx
->net
, ctx
->table
,
8810 tb
[NFTA_VERDICT_CHAIN
],
8812 } else if (tb
[NFTA_VERDICT_CHAIN_ID
]) {
8813 chain
= nft_chain_lookup_byid(ctx
->net
,
8814 tb
[NFTA_VERDICT_CHAIN_ID
]);
8816 return PTR_ERR(chain
);
8822 return PTR_ERR(chain
);
8823 if (nft_is_base_chain(chain
))
8827 data
->verdict
.chain
= chain
;
8831 desc
->len
= sizeof(data
->verdict
);
8832 desc
->type
= NFT_DATA_VERDICT
;
8836 static void nft_verdict_uninit(const struct nft_data
*data
)
8838 struct nft_chain
*chain
;
8839 struct nft_rule
*rule
;
8841 switch (data
->verdict
.code
) {
8844 chain
= data
->verdict
.chain
;
8847 if (!nft_chain_is_bound(chain
))
8850 chain
->table
->use
--;
8851 list_for_each_entry(rule
, &chain
->rules
, list
)
8854 nft_chain_del(chain
);
8859 int nft_verdict_dump(struct sk_buff
*skb
, int type
, const struct nft_verdict
*v
)
8861 struct nlattr
*nest
;
8863 nest
= nla_nest_start_noflag(skb
, type
);
8865 goto nla_put_failure
;
8867 if (nla_put_be32(skb
, NFTA_VERDICT_CODE
, htonl(v
->code
)))
8868 goto nla_put_failure
;
8873 if (nla_put_string(skb
, NFTA_VERDICT_CHAIN
,
8875 goto nla_put_failure
;
8877 nla_nest_end(skb
, nest
);
8884 static int nft_value_init(const struct nft_ctx
*ctx
,
8885 struct nft_data
*data
, unsigned int size
,
8886 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
8896 nla_memcpy(data
->data
, nla
, len
);
8897 desc
->type
= NFT_DATA_VALUE
;
8902 static int nft_value_dump(struct sk_buff
*skb
, const struct nft_data
*data
,
8905 return nla_put(skb
, NFTA_DATA_VALUE
, len
, data
->data
);
8908 static const struct nla_policy nft_data_policy
[NFTA_DATA_MAX
+ 1] = {
8909 [NFTA_DATA_VALUE
] = { .type
= NLA_BINARY
},
8910 [NFTA_DATA_VERDICT
] = { .type
= NLA_NESTED
},
8914 * nft_data_init - parse nf_tables data netlink attributes
8916 * @ctx: context of the expression using the data
8917 * @data: destination struct nft_data
8918 * @size: maximum data length
8919 * @desc: data description
8920 * @nla: netlink attribute containing data
8922 * Parse the netlink data attributes and initialize a struct nft_data.
8923 * The type and length of data are returned in the data description.
8925 * The caller can indicate that it only wants to accept data of type
8926 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8928 int nft_data_init(const struct nft_ctx
*ctx
,
8929 struct nft_data
*data
, unsigned int size
,
8930 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
8932 struct nlattr
*tb
[NFTA_DATA_MAX
+ 1];
8935 err
= nla_parse_nested_deprecated(tb
, NFTA_DATA_MAX
, nla
,
8936 nft_data_policy
, NULL
);
8940 if (tb
[NFTA_DATA_VALUE
])
8941 return nft_value_init(ctx
, data
, size
, desc
,
8942 tb
[NFTA_DATA_VALUE
]);
8943 if (tb
[NFTA_DATA_VERDICT
] && ctx
!= NULL
)
8944 return nft_verdict_init(ctx
, data
, desc
, tb
[NFTA_DATA_VERDICT
]);
8947 EXPORT_SYMBOL_GPL(nft_data_init
);
8950 * nft_data_release - release a nft_data item
8952 * @data: struct nft_data to release
8953 * @type: type of data
8955 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8956 * all others need to be released by calling this function.
8958 void nft_data_release(const struct nft_data
*data
, enum nft_data_types type
)
8960 if (type
< NFT_DATA_VERDICT
)
8963 case NFT_DATA_VERDICT
:
8964 return nft_verdict_uninit(data
);
8969 EXPORT_SYMBOL_GPL(nft_data_release
);
8971 int nft_data_dump(struct sk_buff
*skb
, int attr
, const struct nft_data
*data
,
8972 enum nft_data_types type
, unsigned int len
)
8974 struct nlattr
*nest
;
8977 nest
= nla_nest_start_noflag(skb
, attr
);
8982 case NFT_DATA_VALUE
:
8983 err
= nft_value_dump(skb
, data
, len
);
8985 case NFT_DATA_VERDICT
:
8986 err
= nft_verdict_dump(skb
, NFTA_DATA_VERDICT
, &data
->verdict
);
8993 nla_nest_end(skb
, nest
);
8996 EXPORT_SYMBOL_GPL(nft_data_dump
);
8998 int __nft_release_basechain(struct nft_ctx
*ctx
)
9000 struct nft_rule
*rule
, *nr
;
9002 if (WARN_ON(!nft_is_base_chain(ctx
->chain
)))
9005 nf_tables_unregister_hook(ctx
->net
, ctx
->chain
->table
, ctx
->chain
);
9006 list_for_each_entry_safe(rule
, nr
, &ctx
->chain
->rules
, list
) {
9007 list_del(&rule
->list
);
9009 nf_tables_rule_release(ctx
, rule
);
9011 nft_chain_del(ctx
->chain
);
9013 nf_tables_chain_destroy(ctx
);
9017 EXPORT_SYMBOL_GPL(__nft_release_basechain
);
9019 static void __nft_release_hook(struct net
*net
, struct nft_table
*table
)
9021 struct nft_chain
*chain
;
9023 list_for_each_entry(chain
, &table
->chains
, list
)
9024 nf_tables_unregister_hook(net
, table
, chain
);
9027 static void __nft_release_hooks(struct net
*net
)
9029 struct nft_table
*table
;
9031 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
9032 if (nft_table_has_owner(table
))
9035 __nft_release_hook(net
, table
);
9039 static void __nft_release_table(struct net
*net
, struct nft_table
*table
)
9041 struct nft_flowtable
*flowtable
, *nf
;
9042 struct nft_chain
*chain
, *nc
;
9043 struct nft_object
*obj
, *ne
;
9044 struct nft_rule
*rule
, *nr
;
9045 struct nft_set
*set
, *ns
;
9046 struct nft_ctx ctx
= {
9048 .family
= NFPROTO_NETDEV
,
9051 ctx
.family
= table
->family
;
9053 list_for_each_entry(chain
, &table
->chains
, list
) {
9055 list_for_each_entry_safe(rule
, nr
, &chain
->rules
, list
) {
9056 list_del(&rule
->list
);
9058 nf_tables_rule_release(&ctx
, rule
);
9061 list_for_each_entry_safe(flowtable
, nf
, &table
->flowtables
, list
) {
9062 list_del(&flowtable
->list
);
9064 nf_tables_flowtable_destroy(flowtable
);
9066 list_for_each_entry_safe(set
, ns
, &table
->sets
, list
) {
9067 list_del(&set
->list
);
9069 nft_set_destroy(&ctx
, set
);
9071 list_for_each_entry_safe(obj
, ne
, &table
->objects
, list
) {
9074 nft_obj_destroy(&ctx
, obj
);
9076 list_for_each_entry_safe(chain
, nc
, &table
->chains
, list
) {
9078 nft_chain_del(chain
);
9080 nf_tables_chain_destroy(&ctx
);
9082 list_del(&table
->list
);
9083 nf_tables_table_destroy(&ctx
);
9086 static void __nft_release_tables(struct net
*net
)
9088 struct nft_table
*table
, *nt
;
9090 list_for_each_entry_safe(table
, nt
, &net
->nft
.tables
, list
) {
9091 if (nft_table_has_owner(table
))
9094 __nft_release_table(net
, table
);
9098 static int nft_rcv_nl_event(struct notifier_block
*this, unsigned long event
,
9101 struct netlink_notify
*n
= ptr
;
9102 struct nft_table
*table
, *nt
;
9103 struct net
*net
= n
->net
;
9104 bool release
= false;
9106 if (event
!= NETLINK_URELEASE
|| n
->protocol
!= NETLINK_NETFILTER
)
9109 mutex_lock(&net
->nft
.commit_mutex
);
9110 list_for_each_entry(table
, &net
->nft
.tables
, list
) {
9111 if (nft_table_has_owner(table
) &&
9112 n
->portid
== table
->nlpid
) {
9113 __nft_release_hook(net
, table
);
9119 list_for_each_entry_safe(table
, nt
, &net
->nft
.tables
, list
) {
9120 if (nft_table_has_owner(table
) &&
9121 n
->portid
== table
->nlpid
)
9122 __nft_release_table(net
, table
);
9125 mutex_unlock(&net
->nft
.commit_mutex
);
9130 static struct notifier_block nft_nl_notifier
= {
9131 .notifier_call
= nft_rcv_nl_event
,
9134 static int __net_init
nf_tables_init_net(struct net
*net
)
9136 INIT_LIST_HEAD(&net
->nft
.tables
);
9137 INIT_LIST_HEAD(&net
->nft
.commit_list
);
9138 INIT_LIST_HEAD(&net
->nft
.module_list
);
9139 INIT_LIST_HEAD(&net
->nft
.notify_list
);
9140 mutex_init(&net
->nft
.commit_mutex
);
9141 net
->nft
.base_seq
= 1;
9142 net
->nft
.validate_state
= NFT_VALIDATE_SKIP
;
9147 static void __net_exit
nf_tables_pre_exit_net(struct net
*net
)
9149 __nft_release_hooks(net
);
9152 static void __net_exit
nf_tables_exit_net(struct net
*net
)
9154 mutex_lock(&net
->nft
.commit_mutex
);
9155 if (!list_empty(&net
->nft
.commit_list
))
9156 __nf_tables_abort(net
, NFNL_ABORT_NONE
);
9157 __nft_release_tables(net
);
9158 mutex_unlock(&net
->nft
.commit_mutex
);
9159 WARN_ON_ONCE(!list_empty(&net
->nft
.tables
));
9160 WARN_ON_ONCE(!list_empty(&net
->nft
.module_list
));
9161 WARN_ON_ONCE(!list_empty(&net
->nft
.notify_list
));
9164 static struct pernet_operations nf_tables_net_ops
= {
9165 .init
= nf_tables_init_net
,
9166 .pre_exit
= nf_tables_pre_exit_net
,
9167 .exit
= nf_tables_exit_net
,
9170 static int __init
nf_tables_module_init(void)
9174 err
= register_pernet_subsys(&nf_tables_net_ops
);
9178 err
= nft_chain_filter_init();
9180 goto err_chain_filter
;
9182 err
= nf_tables_core_module_init();
9184 goto err_core_module
;
9186 err
= register_netdevice_notifier(&nf_tables_flowtable_notifier
);
9188 goto err_netdev_notifier
;
9190 err
= rhltable_init(&nft_objname_ht
, &nft_objname_ht_params
);
9192 goto err_rht_objname
;
9194 err
= nft_offload_init();
9198 err
= netlink_register_notifier(&nft_nl_notifier
);
9200 goto err_netlink_notifier
;
9203 err
= nfnetlink_subsys_register(&nf_tables_subsys
);
9205 goto err_nfnl_subsys
;
9207 nft_chain_route_init();
9212 netlink_unregister_notifier(&nft_nl_notifier
);
9213 err_netlink_notifier
:
9216 rhltable_destroy(&nft_objname_ht
);
9218 unregister_netdevice_notifier(&nf_tables_flowtable_notifier
);
9219 err_netdev_notifier
:
9220 nf_tables_core_module_exit();
9222 nft_chain_filter_fini();
9224 unregister_pernet_subsys(&nf_tables_net_ops
);
9228 static void __exit
nf_tables_module_exit(void)
9230 nfnetlink_subsys_unregister(&nf_tables_subsys
);
9231 netlink_unregister_notifier(&nft_nl_notifier
);
9233 unregister_netdevice_notifier(&nf_tables_flowtable_notifier
);
9234 nft_chain_filter_fini();
9235 nft_chain_route_fini();
9236 unregister_pernet_subsys(&nf_tables_net_ops
);
9237 cancel_work_sync(&trans_destroy_work
);
9239 rhltable_destroy(&nft_objname_ht
);
9240 nf_tables_core_module_exit();
9243 module_init(nf_tables_module_init
);
9244 module_exit(nf_tables_module_exit
);
9246 MODULE_LICENSE("GPL");
9247 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9248 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES
);