1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
28 unsigned int nf_tables_net_id __read_mostly
;
30 static LIST_HEAD(nf_tables_expressions
);
31 static LIST_HEAD(nf_tables_objects
);
32 static LIST_HEAD(nf_tables_flowtables
);
33 static LIST_HEAD(nf_tables_destroy_list
);
34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock
);
35 static u64 table_handle
;
38 NFT_VALIDATE_SKIP
= 0,
43 static struct rhltable nft_objname_ht
;
45 static u32
nft_chain_hash(const void *data
, u32 len
, u32 seed
);
46 static u32
nft_chain_hash_obj(const void *data
, u32 len
, u32 seed
);
47 static int nft_chain_hash_cmp(struct rhashtable_compare_arg
*, const void *);
49 static u32
nft_objname_hash(const void *data
, u32 len
, u32 seed
);
50 static u32
nft_objname_hash_obj(const void *data
, u32 len
, u32 seed
);
51 static int nft_objname_hash_cmp(struct rhashtable_compare_arg
*, const void *);
53 static const struct rhashtable_params nft_chain_ht_params
= {
54 .head_offset
= offsetof(struct nft_chain
, rhlhead
),
55 .key_offset
= offsetof(struct nft_chain
, name
),
56 .hashfn
= nft_chain_hash
,
57 .obj_hashfn
= nft_chain_hash_obj
,
58 .obj_cmpfn
= nft_chain_hash_cmp
,
59 .automatic_shrinking
= true,
62 static const struct rhashtable_params nft_objname_ht_params
= {
63 .head_offset
= offsetof(struct nft_object
, rhlhead
),
64 .key_offset
= offsetof(struct nft_object
, key
),
65 .hashfn
= nft_objname_hash
,
66 .obj_hashfn
= nft_objname_hash_obj
,
67 .obj_cmpfn
= nft_objname_hash_cmp
,
68 .automatic_shrinking
= true,
71 struct nft_audit_data
{
72 struct nft_table
*table
;
75 struct list_head list
;
78 static const u8 nft2audit_op
[NFT_MSG_MAX
] = { // enum nf_tables_msg_types
79 [NFT_MSG_NEWTABLE
] = AUDIT_NFT_OP_TABLE_REGISTER
,
80 [NFT_MSG_GETTABLE
] = AUDIT_NFT_OP_INVALID
,
81 [NFT_MSG_DELTABLE
] = AUDIT_NFT_OP_TABLE_UNREGISTER
,
82 [NFT_MSG_NEWCHAIN
] = AUDIT_NFT_OP_CHAIN_REGISTER
,
83 [NFT_MSG_GETCHAIN
] = AUDIT_NFT_OP_INVALID
,
84 [NFT_MSG_DELCHAIN
] = AUDIT_NFT_OP_CHAIN_UNREGISTER
,
85 [NFT_MSG_NEWRULE
] = AUDIT_NFT_OP_RULE_REGISTER
,
86 [NFT_MSG_GETRULE
] = AUDIT_NFT_OP_INVALID
,
87 [NFT_MSG_DELRULE
] = AUDIT_NFT_OP_RULE_UNREGISTER
,
88 [NFT_MSG_NEWSET
] = AUDIT_NFT_OP_SET_REGISTER
,
89 [NFT_MSG_GETSET
] = AUDIT_NFT_OP_INVALID
,
90 [NFT_MSG_DELSET
] = AUDIT_NFT_OP_SET_UNREGISTER
,
91 [NFT_MSG_NEWSETELEM
] = AUDIT_NFT_OP_SETELEM_REGISTER
,
92 [NFT_MSG_GETSETELEM
] = AUDIT_NFT_OP_INVALID
,
93 [NFT_MSG_DELSETELEM
] = AUDIT_NFT_OP_SETELEM_UNREGISTER
,
94 [NFT_MSG_NEWGEN
] = AUDIT_NFT_OP_GEN_REGISTER
,
95 [NFT_MSG_GETGEN
] = AUDIT_NFT_OP_INVALID
,
96 [NFT_MSG_TRACE
] = AUDIT_NFT_OP_INVALID
,
97 [NFT_MSG_NEWOBJ
] = AUDIT_NFT_OP_OBJ_REGISTER
,
98 [NFT_MSG_GETOBJ
] = AUDIT_NFT_OP_INVALID
,
99 [NFT_MSG_DELOBJ
] = AUDIT_NFT_OP_OBJ_UNREGISTER
,
100 [NFT_MSG_GETOBJ_RESET
] = AUDIT_NFT_OP_OBJ_RESET
,
101 [NFT_MSG_NEWFLOWTABLE
] = AUDIT_NFT_OP_FLOWTABLE_REGISTER
,
102 [NFT_MSG_GETFLOWTABLE
] = AUDIT_NFT_OP_INVALID
,
103 [NFT_MSG_DELFLOWTABLE
] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER
,
106 static void nft_validate_state_update(struct net
*net
, u8 new_validate_state
)
108 struct nftables_pernet
*nft_net
= nft_pernet(net
);
110 switch (nft_net
->validate_state
) {
111 case NFT_VALIDATE_SKIP
:
112 WARN_ON_ONCE(new_validate_state
== NFT_VALIDATE_DO
);
114 case NFT_VALIDATE_NEED
:
116 case NFT_VALIDATE_DO
:
117 if (new_validate_state
== NFT_VALIDATE_NEED
)
121 nft_net
->validate_state
= new_validate_state
;
123 static void nf_tables_trans_destroy_work(struct work_struct
*w
);
124 static DECLARE_WORK(trans_destroy_work
, nf_tables_trans_destroy_work
);
126 static void nft_ctx_init(struct nft_ctx
*ctx
,
128 const struct sk_buff
*skb
,
129 const struct nlmsghdr
*nlh
,
131 struct nft_table
*table
,
132 struct nft_chain
*chain
,
133 const struct nlattr
* const *nla
)
136 ctx
->family
= family
;
141 ctx
->portid
= NETLINK_CB(skb
).portid
;
142 ctx
->report
= nlmsg_report(nlh
);
143 ctx
->flags
= nlh
->nlmsg_flags
;
144 ctx
->seq
= nlh
->nlmsg_seq
;
147 static struct nft_trans
*nft_trans_alloc_gfp(const struct nft_ctx
*ctx
,
148 int msg_type
, u32 size
, gfp_t gfp
)
150 struct nft_trans
*trans
;
152 trans
= kzalloc(sizeof(struct nft_trans
) + size
, gfp
);
156 trans
->msg_type
= msg_type
;
162 static struct nft_trans
*nft_trans_alloc(const struct nft_ctx
*ctx
,
163 int msg_type
, u32 size
)
165 return nft_trans_alloc_gfp(ctx
, msg_type
, size
, GFP_KERNEL
);
168 static void nft_trans_destroy(struct nft_trans
*trans
)
170 list_del(&trans
->list
);
174 static void nft_set_trans_bind(const struct nft_ctx
*ctx
, struct nft_set
*set
)
176 struct nftables_pernet
*nft_net
;
177 struct net
*net
= ctx
->net
;
178 struct nft_trans
*trans
;
180 if (!nft_set_is_anonymous(set
))
183 nft_net
= nft_pernet(net
);
184 list_for_each_entry_reverse(trans
, &nft_net
->commit_list
, list
) {
185 switch (trans
->msg_type
) {
187 if (nft_trans_set(trans
) == set
)
188 nft_trans_set_bound(trans
) = true;
190 case NFT_MSG_NEWSETELEM
:
191 if (nft_trans_elem_set(trans
) == set
)
192 nft_trans_elem_set_bound(trans
) = true;
198 static int nft_netdev_register_hooks(struct net
*net
,
199 struct list_head
*hook_list
)
201 struct nft_hook
*hook
;
205 list_for_each_entry(hook
, hook_list
, list
) {
206 err
= nf_register_net_hook(net
, &hook
->ops
);
215 list_for_each_entry(hook
, hook_list
, list
) {
219 nf_unregister_net_hook(net
, &hook
->ops
);
224 static void nft_netdev_unregister_hooks(struct net
*net
,
225 struct list_head
*hook_list
)
227 struct nft_hook
*hook
;
229 list_for_each_entry(hook
, hook_list
, list
)
230 nf_unregister_net_hook(net
, &hook
->ops
);
233 static int nf_tables_register_hook(struct net
*net
,
234 const struct nft_table
*table
,
235 struct nft_chain
*chain
)
237 struct nft_base_chain
*basechain
;
238 const struct nf_hook_ops
*ops
;
240 if (table
->flags
& NFT_TABLE_F_DORMANT
||
241 !nft_is_base_chain(chain
))
244 basechain
= nft_base_chain(chain
);
245 ops
= &basechain
->ops
;
247 if (basechain
->type
->ops_register
)
248 return basechain
->type
->ops_register(net
, ops
);
250 if (nft_base_chain_netdev(table
->family
, basechain
->ops
.hooknum
))
251 return nft_netdev_register_hooks(net
, &basechain
->hook_list
);
253 return nf_register_net_hook(net
, &basechain
->ops
);
256 static void nf_tables_unregister_hook(struct net
*net
,
257 const struct nft_table
*table
,
258 struct nft_chain
*chain
)
260 struct nft_base_chain
*basechain
;
261 const struct nf_hook_ops
*ops
;
263 if (table
->flags
& NFT_TABLE_F_DORMANT
||
264 !nft_is_base_chain(chain
))
266 basechain
= nft_base_chain(chain
);
267 ops
= &basechain
->ops
;
269 if (basechain
->type
->ops_unregister
)
270 return basechain
->type
->ops_unregister(net
, ops
);
272 if (nft_base_chain_netdev(table
->family
, basechain
->ops
.hooknum
))
273 nft_netdev_unregister_hooks(net
, &basechain
->hook_list
);
275 nf_unregister_net_hook(net
, &basechain
->ops
);
278 static void nft_trans_commit_list_add_tail(struct net
*net
, struct nft_trans
*trans
)
280 struct nftables_pernet
*nft_net
= nft_pernet(net
);
282 list_add_tail(&trans
->list
, &nft_net
->commit_list
);
285 static int nft_trans_table_add(struct nft_ctx
*ctx
, int msg_type
)
287 struct nft_trans
*trans
;
289 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_table
));
293 if (msg_type
== NFT_MSG_NEWTABLE
)
294 nft_activate_next(ctx
->net
, ctx
->table
);
296 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
300 static int nft_deltable(struct nft_ctx
*ctx
)
304 err
= nft_trans_table_add(ctx
, NFT_MSG_DELTABLE
);
308 nft_deactivate_next(ctx
->net
, ctx
->table
);
312 static struct nft_trans
*nft_trans_chain_add(struct nft_ctx
*ctx
, int msg_type
)
314 struct nft_trans
*trans
;
316 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_chain
));
318 return ERR_PTR(-ENOMEM
);
320 if (msg_type
== NFT_MSG_NEWCHAIN
) {
321 nft_activate_next(ctx
->net
, ctx
->chain
);
323 if (ctx
->nla
[NFTA_CHAIN_ID
]) {
324 nft_trans_chain_id(trans
) =
325 ntohl(nla_get_be32(ctx
->nla
[NFTA_CHAIN_ID
]));
329 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
333 static int nft_delchain(struct nft_ctx
*ctx
)
335 struct nft_trans
*trans
;
337 trans
= nft_trans_chain_add(ctx
, NFT_MSG_DELCHAIN
);
339 return PTR_ERR(trans
);
342 nft_deactivate_next(ctx
->net
, ctx
->chain
);
347 static void nft_rule_expr_activate(const struct nft_ctx
*ctx
,
348 struct nft_rule
*rule
)
350 struct nft_expr
*expr
;
352 expr
= nft_expr_first(rule
);
353 while (nft_expr_more(rule
, expr
)) {
354 if (expr
->ops
->activate
)
355 expr
->ops
->activate(ctx
, expr
);
357 expr
= nft_expr_next(expr
);
361 static void nft_rule_expr_deactivate(const struct nft_ctx
*ctx
,
362 struct nft_rule
*rule
,
363 enum nft_trans_phase phase
)
365 struct nft_expr
*expr
;
367 expr
= nft_expr_first(rule
);
368 while (nft_expr_more(rule
, expr
)) {
369 if (expr
->ops
->deactivate
)
370 expr
->ops
->deactivate(ctx
, expr
, phase
);
372 expr
= nft_expr_next(expr
);
377 nf_tables_delrule_deactivate(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
379 /* You cannot delete the same rule twice */
380 if (nft_is_active_next(ctx
->net
, rule
)) {
381 nft_deactivate_next(ctx
->net
, rule
);
388 static struct nft_trans
*nft_trans_rule_add(struct nft_ctx
*ctx
, int msg_type
,
389 struct nft_rule
*rule
)
391 struct nft_trans
*trans
;
393 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_rule
));
397 if (msg_type
== NFT_MSG_NEWRULE
&& ctx
->nla
[NFTA_RULE_ID
] != NULL
) {
398 nft_trans_rule_id(trans
) =
399 ntohl(nla_get_be32(ctx
->nla
[NFTA_RULE_ID
]));
401 nft_trans_rule(trans
) = rule
;
402 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
407 static int nft_delrule(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
409 struct nft_flow_rule
*flow
;
410 struct nft_trans
*trans
;
413 trans
= nft_trans_rule_add(ctx
, NFT_MSG_DELRULE
, rule
);
417 if (ctx
->chain
->flags
& NFT_CHAIN_HW_OFFLOAD
) {
418 flow
= nft_flow_rule_create(ctx
->net
, rule
);
420 nft_trans_destroy(trans
);
421 return PTR_ERR(flow
);
424 nft_trans_flow_rule(trans
) = flow
;
427 err
= nf_tables_delrule_deactivate(ctx
, rule
);
429 nft_trans_destroy(trans
);
432 nft_rule_expr_deactivate(ctx
, rule
, NFT_TRANS_PREPARE
);
437 static int nft_delrule_by_chain(struct nft_ctx
*ctx
)
439 struct nft_rule
*rule
;
442 list_for_each_entry(rule
, &ctx
->chain
->rules
, list
) {
443 if (!nft_is_active_next(ctx
->net
, rule
))
446 err
= nft_delrule(ctx
, rule
);
453 static int nft_trans_set_add(const struct nft_ctx
*ctx
, int msg_type
,
456 struct nft_trans
*trans
;
458 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_set
));
462 if (msg_type
== NFT_MSG_NEWSET
&& ctx
->nla
[NFTA_SET_ID
] != NULL
) {
463 nft_trans_set_id(trans
) =
464 ntohl(nla_get_be32(ctx
->nla
[NFTA_SET_ID
]));
465 nft_activate_next(ctx
->net
, set
);
467 nft_trans_set(trans
) = set
;
468 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
473 static int nft_delset(const struct nft_ctx
*ctx
, struct nft_set
*set
)
477 err
= nft_trans_set_add(ctx
, NFT_MSG_DELSET
, set
);
481 nft_deactivate_next(ctx
->net
, set
);
487 static int nft_trans_obj_add(struct nft_ctx
*ctx
, int msg_type
,
488 struct nft_object
*obj
)
490 struct nft_trans
*trans
;
492 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_obj
));
496 if (msg_type
== NFT_MSG_NEWOBJ
)
497 nft_activate_next(ctx
->net
, obj
);
499 nft_trans_obj(trans
) = obj
;
500 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
505 static int nft_delobj(struct nft_ctx
*ctx
, struct nft_object
*obj
)
509 err
= nft_trans_obj_add(ctx
, NFT_MSG_DELOBJ
, obj
);
513 nft_deactivate_next(ctx
->net
, obj
);
519 static int nft_trans_flowtable_add(struct nft_ctx
*ctx
, int msg_type
,
520 struct nft_flowtable
*flowtable
)
522 struct nft_trans
*trans
;
524 trans
= nft_trans_alloc(ctx
, msg_type
,
525 sizeof(struct nft_trans_flowtable
));
529 if (msg_type
== NFT_MSG_NEWFLOWTABLE
)
530 nft_activate_next(ctx
->net
, flowtable
);
532 nft_trans_flowtable(trans
) = flowtable
;
533 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
538 static int nft_delflowtable(struct nft_ctx
*ctx
,
539 struct nft_flowtable
*flowtable
)
543 err
= nft_trans_flowtable_add(ctx
, NFT_MSG_DELFLOWTABLE
, flowtable
);
547 nft_deactivate_next(ctx
->net
, flowtable
);
557 static struct nft_table
*nft_table_lookup(const struct net
*net
,
558 const struct nlattr
*nla
,
559 u8 family
, u8 genmask
, u32 nlpid
)
561 struct nftables_pernet
*nft_net
;
562 struct nft_table
*table
;
565 return ERR_PTR(-EINVAL
);
567 nft_net
= nft_pernet(net
);
568 list_for_each_entry_rcu(table
, &nft_net
->tables
, list
,
569 lockdep_is_held(&nft_net
->commit_mutex
)) {
570 if (!nla_strcmp(nla
, table
->name
) &&
571 table
->family
== family
&&
572 nft_active_genmask(table
, genmask
)) {
573 if (nft_table_has_owner(table
) &&
574 nlpid
&& table
->nlpid
!= nlpid
)
575 return ERR_PTR(-EPERM
);
581 return ERR_PTR(-ENOENT
);
584 static struct nft_table
*nft_table_lookup_byhandle(const struct net
*net
,
585 const struct nlattr
*nla
,
586 u8 genmask
, u32 nlpid
)
588 struct nftables_pernet
*nft_net
;
589 struct nft_table
*table
;
591 nft_net
= nft_pernet(net
);
592 list_for_each_entry(table
, &nft_net
->tables
, list
) {
593 if (be64_to_cpu(nla_get_be64(nla
)) == table
->handle
&&
594 nft_active_genmask(table
, genmask
)) {
595 if (nft_table_has_owner(table
) &&
596 nlpid
&& table
->nlpid
!= nlpid
)
597 return ERR_PTR(-EPERM
);
603 return ERR_PTR(-ENOENT
);
606 static inline u64
nf_tables_alloc_handle(struct nft_table
*table
)
608 return ++table
->hgenerator
;
611 static const struct nft_chain_type
*chain_type
[NFPROTO_NUMPROTO
][NFT_CHAIN_T_MAX
];
613 static const struct nft_chain_type
*
614 __nft_chain_type_get(u8 family
, enum nft_chain_types type
)
616 if (family
>= NFPROTO_NUMPROTO
||
617 type
>= NFT_CHAIN_T_MAX
)
620 return chain_type
[family
][type
];
623 static const struct nft_chain_type
*
624 __nf_tables_chain_type_lookup(const struct nlattr
*nla
, u8 family
)
626 const struct nft_chain_type
*type
;
629 for (i
= 0; i
< NFT_CHAIN_T_MAX
; i
++) {
630 type
= __nft_chain_type_get(family
, i
);
633 if (!nla_strcmp(nla
, type
->name
))
639 struct nft_module_request
{
640 struct list_head list
;
641 char module
[MODULE_NAME_LEN
];
645 #ifdef CONFIG_MODULES
646 __printf(2, 3) int nft_request_module(struct net
*net
, const char *fmt
,
649 char module_name
[MODULE_NAME_LEN
];
650 struct nftables_pernet
*nft_net
;
651 struct nft_module_request
*req
;
656 ret
= vsnprintf(module_name
, MODULE_NAME_LEN
, fmt
, args
);
658 if (ret
>= MODULE_NAME_LEN
)
661 nft_net
= nft_pernet(net
);
662 list_for_each_entry(req
, &nft_net
->module_list
, list
) {
663 if (!strcmp(req
->module
, module_name
)) {
667 /* A request to load this module already exists. */
672 req
= kmalloc(sizeof(*req
), GFP_KERNEL
);
677 strlcpy(req
->module
, module_name
, MODULE_NAME_LEN
);
678 list_add_tail(&req
->list
, &nft_net
->module_list
);
682 EXPORT_SYMBOL_GPL(nft_request_module
);
685 static void lockdep_nfnl_nft_mutex_not_held(void)
687 #ifdef CONFIG_PROVE_LOCKING
689 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES
));
693 static const struct nft_chain_type
*
694 nf_tables_chain_type_lookup(struct net
*net
, const struct nlattr
*nla
,
695 u8 family
, bool autoload
)
697 const struct nft_chain_type
*type
;
699 type
= __nf_tables_chain_type_lookup(nla
, family
);
703 lockdep_nfnl_nft_mutex_not_held();
704 #ifdef CONFIG_MODULES
706 if (nft_request_module(net
, "nft-chain-%u-%.*s", family
,
708 (const char *)nla_data(nla
)) == -EAGAIN
)
709 return ERR_PTR(-EAGAIN
);
712 return ERR_PTR(-ENOENT
);
715 static __be16
nft_base_seq(const struct net
*net
)
717 struct nftables_pernet
*nft_net
= nft_pernet(net
);
719 return htons(nft_net
->base_seq
& 0xffff);
722 static const struct nla_policy nft_table_policy
[NFTA_TABLE_MAX
+ 1] = {
723 [NFTA_TABLE_NAME
] = { .type
= NLA_STRING
,
724 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
725 [NFTA_TABLE_FLAGS
] = { .type
= NLA_U32
},
726 [NFTA_TABLE_HANDLE
] = { .type
= NLA_U64
},
727 [NFTA_TABLE_USERDATA
] = { .type
= NLA_BINARY
,
728 .len
= NFT_USERDATA_MAXLEN
}
731 static int nf_tables_fill_table_info(struct sk_buff
*skb
, struct net
*net
,
732 u32 portid
, u32 seq
, int event
, u32 flags
,
733 int family
, const struct nft_table
*table
)
735 struct nlmsghdr
*nlh
;
737 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
738 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, family
,
739 NFNETLINK_V0
, nft_base_seq(net
));
741 goto nla_put_failure
;
743 if (nla_put_string(skb
, NFTA_TABLE_NAME
, table
->name
) ||
744 nla_put_be32(skb
, NFTA_TABLE_FLAGS
,
745 htonl(table
->flags
& NFT_TABLE_F_MASK
)) ||
746 nla_put_be32(skb
, NFTA_TABLE_USE
, htonl(table
->use
)) ||
747 nla_put_be64(skb
, NFTA_TABLE_HANDLE
, cpu_to_be64(table
->handle
),
749 goto nla_put_failure
;
750 if (nft_table_has_owner(table
) &&
751 nla_put_be32(skb
, NFTA_TABLE_OWNER
, htonl(table
->nlpid
)))
752 goto nla_put_failure
;
755 if (nla_put(skb
, NFTA_TABLE_USERDATA
, table
->udlen
, table
->udata
))
756 goto nla_put_failure
;
763 nlmsg_trim(skb
, nlh
);
767 struct nftnl_skb_parms
{
770 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
772 static void nft_notify_enqueue(struct sk_buff
*skb
, bool report
,
773 struct list_head
*notify_list
)
775 NFT_CB(skb
).report
= report
;
776 list_add_tail(&skb
->list
, notify_list
);
779 static void nf_tables_table_notify(const struct nft_ctx
*ctx
, int event
)
781 struct nftables_pernet
*nft_net
;
787 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
790 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
794 if (ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
))
795 flags
|= ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
);
797 err
= nf_tables_fill_table_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
798 event
, flags
, ctx
->family
, ctx
->table
);
804 nft_net
= nft_pernet(ctx
->net
);
805 nft_notify_enqueue(skb
, ctx
->report
, &nft_net
->notify_list
);
808 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
811 static int nf_tables_dump_tables(struct sk_buff
*skb
,
812 struct netlink_callback
*cb
)
814 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
815 struct nftables_pernet
*nft_net
;
816 const struct nft_table
*table
;
817 unsigned int idx
= 0, s_idx
= cb
->args
[0];
818 struct net
*net
= sock_net(skb
->sk
);
819 int family
= nfmsg
->nfgen_family
;
822 nft_net
= nft_pernet(net
);
823 cb
->seq
= nft_net
->base_seq
;
825 list_for_each_entry_rcu(table
, &nft_net
->tables
, list
) {
826 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
832 memset(&cb
->args
[1], 0,
833 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
834 if (!nft_is_active(net
, table
))
836 if (nf_tables_fill_table_info(skb
, net
,
837 NETLINK_CB(cb
->skb
).portid
,
839 NFT_MSG_NEWTABLE
, NLM_F_MULTI
,
840 table
->family
, table
) < 0)
843 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
853 static int nft_netlink_dump_start_rcu(struct sock
*nlsk
, struct sk_buff
*skb
,
854 const struct nlmsghdr
*nlh
,
855 struct netlink_dump_control
*c
)
859 if (!try_module_get(THIS_MODULE
))
863 err
= netlink_dump_start(nlsk
, skb
, nlh
, c
);
865 module_put(THIS_MODULE
);
870 /* called with rcu_read_lock held */
871 static int nf_tables_gettable(struct sk_buff
*skb
, const struct nfnl_info
*info
,
872 const struct nlattr
* const nla
[])
874 struct netlink_ext_ack
*extack
= info
->extack
;
875 u8 genmask
= nft_genmask_cur(info
->net
);
876 u8 family
= info
->nfmsg
->nfgen_family
;
877 const struct nft_table
*table
;
878 struct net
*net
= info
->net
;
879 struct sk_buff
*skb2
;
882 if (info
->nlh
->nlmsg_flags
& NLM_F_DUMP
) {
883 struct netlink_dump_control c
= {
884 .dump
= nf_tables_dump_tables
,
885 .module
= THIS_MODULE
,
888 return nft_netlink_dump_start_rcu(info
->sk
, skb
, info
->nlh
, &c
);
891 table
= nft_table_lookup(net
, nla
[NFTA_TABLE_NAME
], family
, genmask
, 0);
893 NL_SET_BAD_ATTR(extack
, nla
[NFTA_TABLE_NAME
]);
894 return PTR_ERR(table
);
897 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
901 err
= nf_tables_fill_table_info(skb2
, net
, NETLINK_CB(skb
).portid
,
902 info
->nlh
->nlmsg_seq
, NFT_MSG_NEWTABLE
,
905 goto err_fill_table_info
;
907 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
914 static void nft_table_disable(struct net
*net
, struct nft_table
*table
, u32 cnt
)
916 struct nft_chain
*chain
;
919 list_for_each_entry(chain
, &table
->chains
, list
) {
920 if (!nft_is_active_next(net
, chain
))
922 if (!nft_is_base_chain(chain
))
925 if (cnt
&& i
++ == cnt
)
928 nf_tables_unregister_hook(net
, table
, chain
);
932 static int nf_tables_table_enable(struct net
*net
, struct nft_table
*table
)
934 struct nft_chain
*chain
;
937 list_for_each_entry(chain
, &table
->chains
, list
) {
938 if (!nft_is_active_next(net
, chain
))
940 if (!nft_is_base_chain(chain
))
943 err
= nf_tables_register_hook(net
, table
, chain
);
945 goto err_register_hooks
;
953 nft_table_disable(net
, table
, i
);
957 static void nf_tables_table_disable(struct net
*net
, struct nft_table
*table
)
959 table
->flags
&= ~NFT_TABLE_F_DORMANT
;
960 nft_table_disable(net
, table
, 0);
961 table
->flags
|= NFT_TABLE_F_DORMANT
;
964 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
965 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
966 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
967 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
968 __NFT_TABLE_F_WAS_AWAKEN)
970 static int nf_tables_updtable(struct nft_ctx
*ctx
)
972 struct nft_trans
*trans
;
976 if (!ctx
->nla
[NFTA_TABLE_FLAGS
])
979 flags
= ntohl(nla_get_be32(ctx
->nla
[NFTA_TABLE_FLAGS
]));
980 if (flags
& ~NFT_TABLE_F_MASK
)
983 if (flags
== ctx
->table
->flags
)
986 if ((nft_table_has_owner(ctx
->table
) &&
987 !(flags
& NFT_TABLE_F_OWNER
)) ||
988 (!nft_table_has_owner(ctx
->table
) &&
989 flags
& NFT_TABLE_F_OWNER
))
992 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWTABLE
,
993 sizeof(struct nft_trans_table
));
997 if ((flags
& NFT_TABLE_F_DORMANT
) &&
998 !(ctx
->table
->flags
& NFT_TABLE_F_DORMANT
)) {
999 ctx
->table
->flags
|= NFT_TABLE_F_DORMANT
;
1000 if (!(ctx
->table
->flags
& __NFT_TABLE_F_UPDATE
))
1001 ctx
->table
->flags
|= __NFT_TABLE_F_WAS_AWAKEN
;
1002 } else if (!(flags
& NFT_TABLE_F_DORMANT
) &&
1003 ctx
->table
->flags
& NFT_TABLE_F_DORMANT
) {
1004 ctx
->table
->flags
&= ~NFT_TABLE_F_DORMANT
;
1005 if (!(ctx
->table
->flags
& __NFT_TABLE_F_UPDATE
)) {
1006 ret
= nf_tables_table_enable(ctx
->net
, ctx
->table
);
1008 goto err_register_hooks
;
1010 ctx
->table
->flags
|= __NFT_TABLE_F_WAS_DORMANT
;
1014 nft_trans_table_update(trans
) = true;
1015 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
1020 nft_trans_destroy(trans
);
1024 static u32
nft_chain_hash(const void *data
, u32 len
, u32 seed
)
1026 const char *name
= data
;
1028 return jhash(name
, strlen(name
), seed
);
1031 static u32
nft_chain_hash_obj(const void *data
, u32 len
, u32 seed
)
1033 const struct nft_chain
*chain
= data
;
1035 return nft_chain_hash(chain
->name
, 0, seed
);
1038 static int nft_chain_hash_cmp(struct rhashtable_compare_arg
*arg
,
1041 const struct nft_chain
*chain
= ptr
;
1042 const char *name
= arg
->key
;
1044 return strcmp(chain
->name
, name
);
1047 static u32
nft_objname_hash(const void *data
, u32 len
, u32 seed
)
1049 const struct nft_object_hash_key
*k
= data
;
1051 seed
^= hash_ptr(k
->table
, 32);
1053 return jhash(k
->name
, strlen(k
->name
), seed
);
1056 static u32
nft_objname_hash_obj(const void *data
, u32 len
, u32 seed
)
1058 const struct nft_object
*obj
= data
;
1060 return nft_objname_hash(&obj
->key
, 0, seed
);
1063 static int nft_objname_hash_cmp(struct rhashtable_compare_arg
*arg
,
1066 const struct nft_object_hash_key
*k
= arg
->key
;
1067 const struct nft_object
*obj
= ptr
;
1069 if (obj
->key
.table
!= k
->table
)
1072 return strcmp(obj
->key
.name
, k
->name
);
1075 static int nf_tables_newtable(struct sk_buff
*skb
, const struct nfnl_info
*info
,
1076 const struct nlattr
* const nla
[])
1078 struct nftables_pernet
*nft_net
= nft_pernet(info
->net
);
1079 struct netlink_ext_ack
*extack
= info
->extack
;
1080 u8 genmask
= nft_genmask_next(info
->net
);
1081 u8 family
= info
->nfmsg
->nfgen_family
;
1082 struct net
*net
= info
->net
;
1083 const struct nlattr
*attr
;
1084 struct nft_table
*table
;
1089 lockdep_assert_held(&nft_net
->commit_mutex
);
1090 attr
= nla
[NFTA_TABLE_NAME
];
1091 table
= nft_table_lookup(net
, attr
, family
, genmask
,
1092 NETLINK_CB(skb
).portid
);
1093 if (IS_ERR(table
)) {
1094 if (PTR_ERR(table
) != -ENOENT
)
1095 return PTR_ERR(table
);
1097 if (info
->nlh
->nlmsg_flags
& NLM_F_EXCL
) {
1098 NL_SET_BAD_ATTR(extack
, attr
);
1101 if (info
->nlh
->nlmsg_flags
& NLM_F_REPLACE
)
1104 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
1106 return nf_tables_updtable(&ctx
);
1109 if (nla
[NFTA_TABLE_FLAGS
]) {
1110 flags
= ntohl(nla_get_be32(nla
[NFTA_TABLE_FLAGS
]));
1111 if (flags
& ~NFT_TABLE_F_MASK
)
1116 table
= kzalloc(sizeof(*table
), GFP_KERNEL
);
1120 table
->name
= nla_strdup(attr
, GFP_KERNEL
);
1121 if (table
->name
== NULL
)
1124 if (nla
[NFTA_TABLE_USERDATA
]) {
1125 table
->udata
= nla_memdup(nla
[NFTA_TABLE_USERDATA
], GFP_KERNEL
);
1126 if (table
->udata
== NULL
)
1127 goto err_table_udata
;
1129 table
->udlen
= nla_len(nla
[NFTA_TABLE_USERDATA
]);
1132 err
= rhltable_init(&table
->chains_ht
, &nft_chain_ht_params
);
1136 INIT_LIST_HEAD(&table
->chains
);
1137 INIT_LIST_HEAD(&table
->sets
);
1138 INIT_LIST_HEAD(&table
->objects
);
1139 INIT_LIST_HEAD(&table
->flowtables
);
1140 table
->family
= family
;
1141 table
->flags
= flags
;
1142 table
->handle
= ++table_handle
;
1143 if (table
->flags
& NFT_TABLE_F_OWNER
)
1144 table
->nlpid
= NETLINK_CB(skb
).portid
;
1146 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
1147 err
= nft_trans_table_add(&ctx
, NFT_MSG_NEWTABLE
);
1151 list_add_tail_rcu(&table
->list
, &nft_net
->tables
);
1154 rhltable_destroy(&table
->chains_ht
);
1156 kfree(table
->udata
);
1165 static int nft_flush_table(struct nft_ctx
*ctx
)
1167 struct nft_flowtable
*flowtable
, *nft
;
1168 struct nft_chain
*chain
, *nc
;
1169 struct nft_object
*obj
, *ne
;
1170 struct nft_set
*set
, *ns
;
1173 list_for_each_entry(chain
, &ctx
->table
->chains
, list
) {
1174 if (!nft_is_active_next(ctx
->net
, chain
))
1177 if (nft_chain_is_bound(chain
))
1182 err
= nft_delrule_by_chain(ctx
);
1187 list_for_each_entry_safe(set
, ns
, &ctx
->table
->sets
, list
) {
1188 if (!nft_is_active_next(ctx
->net
, set
))
1191 if (nft_set_is_anonymous(set
) &&
1192 !list_empty(&set
->bindings
))
1195 err
= nft_delset(ctx
, set
);
1200 list_for_each_entry_safe(flowtable
, nft
, &ctx
->table
->flowtables
, list
) {
1201 if (!nft_is_active_next(ctx
->net
, flowtable
))
1204 err
= nft_delflowtable(ctx
, flowtable
);
1209 list_for_each_entry_safe(obj
, ne
, &ctx
->table
->objects
, list
) {
1210 if (!nft_is_active_next(ctx
->net
, obj
))
1213 err
= nft_delobj(ctx
, obj
);
1218 list_for_each_entry_safe(chain
, nc
, &ctx
->table
->chains
, list
) {
1219 if (!nft_is_active_next(ctx
->net
, chain
))
1222 if (nft_chain_is_bound(chain
))
1227 err
= nft_delchain(ctx
);
1232 err
= nft_deltable(ctx
);
1237 static int nft_flush(struct nft_ctx
*ctx
, int family
)
1239 struct nftables_pernet
*nft_net
= nft_pernet(ctx
->net
);
1240 const struct nlattr
* const *nla
= ctx
->nla
;
1241 struct nft_table
*table
, *nt
;
1244 list_for_each_entry_safe(table
, nt
, &nft_net
->tables
, list
) {
1245 if (family
!= AF_UNSPEC
&& table
->family
!= family
)
1248 ctx
->family
= table
->family
;
1250 if (!nft_is_active_next(ctx
->net
, table
))
1253 if (nft_table_has_owner(table
) && table
->nlpid
!= ctx
->portid
)
1256 if (nla
[NFTA_TABLE_NAME
] &&
1257 nla_strcmp(nla
[NFTA_TABLE_NAME
], table
->name
) != 0)
1262 err
= nft_flush_table(ctx
);
1270 static int nf_tables_deltable(struct sk_buff
*skb
, const struct nfnl_info
*info
,
1271 const struct nlattr
* const nla
[])
1273 struct netlink_ext_ack
*extack
= info
->extack
;
1274 u8 genmask
= nft_genmask_next(info
->net
);
1275 u8 family
= info
->nfmsg
->nfgen_family
;
1276 struct net
*net
= info
->net
;
1277 const struct nlattr
*attr
;
1278 struct nft_table
*table
;
1281 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, 0, NULL
, NULL
, nla
);
1282 if (family
== AF_UNSPEC
||
1283 (!nla
[NFTA_TABLE_NAME
] && !nla
[NFTA_TABLE_HANDLE
]))
1284 return nft_flush(&ctx
, family
);
1286 if (nla
[NFTA_TABLE_HANDLE
]) {
1287 attr
= nla
[NFTA_TABLE_HANDLE
];
1288 table
= nft_table_lookup_byhandle(net
, attr
, genmask
,
1289 NETLINK_CB(skb
).portid
);
1291 attr
= nla
[NFTA_TABLE_NAME
];
1292 table
= nft_table_lookup(net
, attr
, family
, genmask
,
1293 NETLINK_CB(skb
).portid
);
1296 if (IS_ERR(table
)) {
1297 NL_SET_BAD_ATTR(extack
, attr
);
1298 return PTR_ERR(table
);
1301 if (info
->nlh
->nlmsg_flags
& NLM_F_NONREC
&&
1305 ctx
.family
= family
;
1308 return nft_flush_table(&ctx
);
1311 static void nf_tables_table_destroy(struct nft_ctx
*ctx
)
1313 if (WARN_ON(ctx
->table
->use
> 0))
1316 rhltable_destroy(&ctx
->table
->chains_ht
);
1317 kfree(ctx
->table
->name
);
1318 kfree(ctx
->table
->udata
);
1322 void nft_register_chain_type(const struct nft_chain_type
*ctype
)
1324 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1325 if (WARN_ON(__nft_chain_type_get(ctype
->family
, ctype
->type
))) {
1326 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1329 chain_type
[ctype
->family
][ctype
->type
] = ctype
;
1330 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1332 EXPORT_SYMBOL_GPL(nft_register_chain_type
);
1334 void nft_unregister_chain_type(const struct nft_chain_type
*ctype
)
1336 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1337 chain_type
[ctype
->family
][ctype
->type
] = NULL
;
1338 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1340 EXPORT_SYMBOL_GPL(nft_unregister_chain_type
);
1346 static struct nft_chain
*
1347 nft_chain_lookup_byhandle(const struct nft_table
*table
, u64 handle
, u8 genmask
)
1349 struct nft_chain
*chain
;
1351 list_for_each_entry(chain
, &table
->chains
, list
) {
1352 if (chain
->handle
== handle
&&
1353 nft_active_genmask(chain
, genmask
))
1357 return ERR_PTR(-ENOENT
);
1360 static bool lockdep_commit_lock_is_held(const struct net
*net
)
1362 #ifdef CONFIG_PROVE_LOCKING
1363 struct nftables_pernet
*nft_net
= nft_pernet(net
);
1365 return lockdep_is_held(&nft_net
->commit_mutex
);
1371 static struct nft_chain
*nft_chain_lookup(struct net
*net
,
1372 struct nft_table
*table
,
1373 const struct nlattr
*nla
, u8 genmask
)
1375 char search
[NFT_CHAIN_MAXNAMELEN
+ 1];
1376 struct rhlist_head
*tmp
, *list
;
1377 struct nft_chain
*chain
;
1380 return ERR_PTR(-EINVAL
);
1382 nla_strscpy(search
, nla
, sizeof(search
));
1384 WARN_ON(!rcu_read_lock_held() &&
1385 !lockdep_commit_lock_is_held(net
));
1387 chain
= ERR_PTR(-ENOENT
);
1389 list
= rhltable_lookup(&table
->chains_ht
, search
, nft_chain_ht_params
);
1393 rhl_for_each_entry_rcu(chain
, tmp
, list
, rhlhead
) {
1394 if (nft_active_genmask(chain
, genmask
))
1397 chain
= ERR_PTR(-ENOENT
);
1403 static const struct nla_policy nft_chain_policy
[NFTA_CHAIN_MAX
+ 1] = {
1404 [NFTA_CHAIN_TABLE
] = { .type
= NLA_STRING
,
1405 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
1406 [NFTA_CHAIN_HANDLE
] = { .type
= NLA_U64
},
1407 [NFTA_CHAIN_NAME
] = { .type
= NLA_STRING
,
1408 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
1409 [NFTA_CHAIN_HOOK
] = { .type
= NLA_NESTED
},
1410 [NFTA_CHAIN_POLICY
] = { .type
= NLA_U32
},
1411 [NFTA_CHAIN_TYPE
] = { .type
= NLA_STRING
,
1412 .len
= NFT_MODULE_AUTOLOAD_LIMIT
},
1413 [NFTA_CHAIN_COUNTERS
] = { .type
= NLA_NESTED
},
1414 [NFTA_CHAIN_FLAGS
] = { .type
= NLA_U32
},
1415 [NFTA_CHAIN_ID
] = { .type
= NLA_U32
},
1416 [NFTA_CHAIN_USERDATA
] = { .type
= NLA_BINARY
,
1417 .len
= NFT_USERDATA_MAXLEN
},
1420 static const struct nla_policy nft_hook_policy
[NFTA_HOOK_MAX
+ 1] = {
1421 [NFTA_HOOK_HOOKNUM
] = { .type
= NLA_U32
},
1422 [NFTA_HOOK_PRIORITY
] = { .type
= NLA_U32
},
1423 [NFTA_HOOK_DEV
] = { .type
= NLA_STRING
,
1424 .len
= IFNAMSIZ
- 1 },
1427 static int nft_dump_stats(struct sk_buff
*skb
, struct nft_stats __percpu
*stats
)
1429 struct nft_stats
*cpu_stats
, total
;
1430 struct nlattr
*nest
;
1438 memset(&total
, 0, sizeof(total
));
1439 for_each_possible_cpu(cpu
) {
1440 cpu_stats
= per_cpu_ptr(stats
, cpu
);
1442 seq
= u64_stats_fetch_begin_irq(&cpu_stats
->syncp
);
1443 pkts
= cpu_stats
->pkts
;
1444 bytes
= cpu_stats
->bytes
;
1445 } while (u64_stats_fetch_retry_irq(&cpu_stats
->syncp
, seq
));
1447 total
.bytes
+= bytes
;
1449 nest
= nla_nest_start_noflag(skb
, NFTA_CHAIN_COUNTERS
);
1451 goto nla_put_failure
;
1453 if (nla_put_be64(skb
, NFTA_COUNTER_PACKETS
, cpu_to_be64(total
.pkts
),
1454 NFTA_COUNTER_PAD
) ||
1455 nla_put_be64(skb
, NFTA_COUNTER_BYTES
, cpu_to_be64(total
.bytes
),
1457 goto nla_put_failure
;
1459 nla_nest_end(skb
, nest
);
1466 static int nft_dump_basechain_hook(struct sk_buff
*skb
, int family
,
1467 const struct nft_base_chain
*basechain
)
1469 const struct nf_hook_ops
*ops
= &basechain
->ops
;
1470 struct nft_hook
*hook
, *first
= NULL
;
1471 struct nlattr
*nest
, *nest_devs
;
1474 nest
= nla_nest_start_noflag(skb
, NFTA_CHAIN_HOOK
);
1476 goto nla_put_failure
;
1477 if (nla_put_be32(skb
, NFTA_HOOK_HOOKNUM
, htonl(ops
->hooknum
)))
1478 goto nla_put_failure
;
1479 if (nla_put_be32(skb
, NFTA_HOOK_PRIORITY
, htonl(ops
->priority
)))
1480 goto nla_put_failure
;
1482 if (nft_base_chain_netdev(family
, ops
->hooknum
)) {
1483 nest_devs
= nla_nest_start_noflag(skb
, NFTA_HOOK_DEVS
);
1484 list_for_each_entry(hook
, &basechain
->hook_list
, list
) {
1488 if (nla_put_string(skb
, NFTA_DEVICE_NAME
,
1489 hook
->ops
.dev
->name
))
1490 goto nla_put_failure
;
1493 nla_nest_end(skb
, nest_devs
);
1496 nla_put_string(skb
, NFTA_HOOK_DEV
, first
->ops
.dev
->name
))
1497 goto nla_put_failure
;
1499 nla_nest_end(skb
, nest
);
1506 static int nf_tables_fill_chain_info(struct sk_buff
*skb
, struct net
*net
,
1507 u32 portid
, u32 seq
, int event
, u32 flags
,
1508 int family
, const struct nft_table
*table
,
1509 const struct nft_chain
*chain
)
1511 struct nlmsghdr
*nlh
;
1513 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
1514 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, family
,
1515 NFNETLINK_V0
, nft_base_seq(net
));
1517 goto nla_put_failure
;
1519 if (nla_put_string(skb
, NFTA_CHAIN_TABLE
, table
->name
))
1520 goto nla_put_failure
;
1521 if (nla_put_be64(skb
, NFTA_CHAIN_HANDLE
, cpu_to_be64(chain
->handle
),
1523 goto nla_put_failure
;
1524 if (nla_put_string(skb
, NFTA_CHAIN_NAME
, chain
->name
))
1525 goto nla_put_failure
;
1527 if (nft_is_base_chain(chain
)) {
1528 const struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1529 struct nft_stats __percpu
*stats
;
1531 if (nft_dump_basechain_hook(skb
, family
, basechain
))
1532 goto nla_put_failure
;
1534 if (nla_put_be32(skb
, NFTA_CHAIN_POLICY
,
1535 htonl(basechain
->policy
)))
1536 goto nla_put_failure
;
1538 if (nla_put_string(skb
, NFTA_CHAIN_TYPE
, basechain
->type
->name
))
1539 goto nla_put_failure
;
1541 stats
= rcu_dereference_check(basechain
->stats
,
1542 lockdep_commit_lock_is_held(net
));
1543 if (nft_dump_stats(skb
, stats
))
1544 goto nla_put_failure
;
1548 nla_put_be32(skb
, NFTA_CHAIN_FLAGS
, htonl(chain
->flags
)))
1549 goto nla_put_failure
;
1551 if (nla_put_be32(skb
, NFTA_CHAIN_USE
, htonl(chain
->use
)))
1552 goto nla_put_failure
;
1555 nla_put(skb
, NFTA_CHAIN_USERDATA
, chain
->udlen
, chain
->udata
))
1556 goto nla_put_failure
;
1558 nlmsg_end(skb
, nlh
);
1562 nlmsg_trim(skb
, nlh
);
1566 static void nf_tables_chain_notify(const struct nft_ctx
*ctx
, int event
)
1568 struct nftables_pernet
*nft_net
;
1569 struct sk_buff
*skb
;
1574 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1577 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1581 if (ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
))
1582 flags
|= ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
);
1584 err
= nf_tables_fill_chain_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1585 event
, flags
, ctx
->family
, ctx
->table
,
1592 nft_net
= nft_pernet(ctx
->net
);
1593 nft_notify_enqueue(skb
, ctx
->report
, &nft_net
->notify_list
);
1596 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
1599 static int nf_tables_dump_chains(struct sk_buff
*skb
,
1600 struct netlink_callback
*cb
)
1602 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1603 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1604 struct net
*net
= sock_net(skb
->sk
);
1605 int family
= nfmsg
->nfgen_family
;
1606 struct nftables_pernet
*nft_net
;
1607 const struct nft_table
*table
;
1608 const struct nft_chain
*chain
;
1611 nft_net
= nft_pernet(net
);
1612 cb
->seq
= nft_net
->base_seq
;
1614 list_for_each_entry_rcu(table
, &nft_net
->tables
, list
) {
1615 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
1618 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1622 memset(&cb
->args
[1], 0,
1623 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1624 if (!nft_is_active(net
, chain
))
1626 if (nf_tables_fill_chain_info(skb
, net
,
1627 NETLINK_CB(cb
->skb
).portid
,
1631 table
->family
, table
,
1635 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
1646 /* called with rcu_read_lock held */
1647 static int nf_tables_getchain(struct sk_buff
*skb
, const struct nfnl_info
*info
,
1648 const struct nlattr
* const nla
[])
1650 struct netlink_ext_ack
*extack
= info
->extack
;
1651 u8 genmask
= nft_genmask_cur(info
->net
);
1652 u8 family
= info
->nfmsg
->nfgen_family
;
1653 const struct nft_chain
*chain
;
1654 struct net
*net
= info
->net
;
1655 struct nft_table
*table
;
1656 struct sk_buff
*skb2
;
1659 if (info
->nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1660 struct netlink_dump_control c
= {
1661 .dump
= nf_tables_dump_chains
,
1662 .module
= THIS_MODULE
,
1665 return nft_netlink_dump_start_rcu(info
->sk
, skb
, info
->nlh
, &c
);
1668 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
, 0);
1669 if (IS_ERR(table
)) {
1670 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
1671 return PTR_ERR(table
);
1674 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1675 if (IS_ERR(chain
)) {
1676 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_NAME
]);
1677 return PTR_ERR(chain
);
1680 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
1684 err
= nf_tables_fill_chain_info(skb2
, net
, NETLINK_CB(skb
).portid
,
1685 info
->nlh
->nlmsg_seq
, NFT_MSG_NEWCHAIN
,
1686 0, family
, table
, chain
);
1688 goto err_fill_chain_info
;
1690 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
1692 err_fill_chain_info
:
1697 static const struct nla_policy nft_counter_policy
[NFTA_COUNTER_MAX
+ 1] = {
1698 [NFTA_COUNTER_PACKETS
] = { .type
= NLA_U64
},
1699 [NFTA_COUNTER_BYTES
] = { .type
= NLA_U64
},
1702 static struct nft_stats __percpu
*nft_stats_alloc(const struct nlattr
*attr
)
1704 struct nlattr
*tb
[NFTA_COUNTER_MAX
+1];
1705 struct nft_stats __percpu
*newstats
;
1706 struct nft_stats
*stats
;
1709 err
= nla_parse_nested_deprecated(tb
, NFTA_COUNTER_MAX
, attr
,
1710 nft_counter_policy
, NULL
);
1712 return ERR_PTR(err
);
1714 if (!tb
[NFTA_COUNTER_BYTES
] || !tb
[NFTA_COUNTER_PACKETS
])
1715 return ERR_PTR(-EINVAL
);
1717 newstats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1718 if (newstats
== NULL
)
1719 return ERR_PTR(-ENOMEM
);
1721 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1722 * are not exposed to userspace.
1725 stats
= this_cpu_ptr(newstats
);
1726 stats
->bytes
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_BYTES
]));
1727 stats
->pkts
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_PACKETS
]));
1733 static void nft_chain_stats_replace(struct nft_trans
*trans
)
1735 struct nft_base_chain
*chain
= nft_base_chain(trans
->ctx
.chain
);
1737 if (!nft_trans_chain_stats(trans
))
1740 nft_trans_chain_stats(trans
) =
1741 rcu_replace_pointer(chain
->stats
, nft_trans_chain_stats(trans
),
1742 lockdep_commit_lock_is_held(trans
->ctx
.net
));
1744 if (!nft_trans_chain_stats(trans
))
1745 static_branch_inc(&nft_counters_enabled
);
1748 static void nf_tables_chain_free_chain_rules(struct nft_chain
*chain
)
1750 struct nft_rule
**g0
= rcu_dereference_raw(chain
->rules_gen_0
);
1751 struct nft_rule
**g1
= rcu_dereference_raw(chain
->rules_gen_1
);
1757 /* should be NULL either via abort or via successful commit */
1758 WARN_ON_ONCE(chain
->rules_next
);
1759 kvfree(chain
->rules_next
);
1762 void nf_tables_chain_destroy(struct nft_ctx
*ctx
)
1764 struct nft_chain
*chain
= ctx
->chain
;
1765 struct nft_hook
*hook
, *next
;
1767 if (WARN_ON(chain
->use
> 0))
1770 /* no concurrent access possible anymore */
1771 nf_tables_chain_free_chain_rules(chain
);
1773 if (nft_is_base_chain(chain
)) {
1774 struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1776 if (nft_base_chain_netdev(ctx
->family
, basechain
->ops
.hooknum
)) {
1777 list_for_each_entry_safe(hook
, next
,
1778 &basechain
->hook_list
, list
) {
1779 list_del_rcu(&hook
->list
);
1780 kfree_rcu(hook
, rcu
);
1783 module_put(basechain
->type
->owner
);
1784 if (rcu_access_pointer(basechain
->stats
)) {
1785 static_branch_dec(&nft_counters_enabled
);
1786 free_percpu(rcu_dereference_raw(basechain
->stats
));
1789 kfree(chain
->udata
);
1793 kfree(chain
->udata
);
1798 static struct nft_hook
*nft_netdev_hook_alloc(struct net
*net
,
1799 const struct nlattr
*attr
)
1801 struct net_device
*dev
;
1802 char ifname
[IFNAMSIZ
];
1803 struct nft_hook
*hook
;
1806 hook
= kmalloc(sizeof(struct nft_hook
), GFP_KERNEL
);
1809 goto err_hook_alloc
;
1812 nla_strscpy(ifname
, attr
, IFNAMSIZ
);
1813 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1814 * indirectly serializing all the other holders of the commit_mutex with
1817 dev
= __dev_get_by_name(net
, ifname
);
1822 hook
->ops
.dev
= dev
;
1823 hook
->inactive
= false;
1830 return ERR_PTR(err
);
1833 static struct nft_hook
*nft_hook_list_find(struct list_head
*hook_list
,
1834 const struct nft_hook
*this)
1836 struct nft_hook
*hook
;
1838 list_for_each_entry(hook
, hook_list
, list
) {
1839 if (this->ops
.dev
== hook
->ops
.dev
)
1846 static int nf_tables_parse_netdev_hooks(struct net
*net
,
1847 const struct nlattr
*attr
,
1848 struct list_head
*hook_list
)
1850 struct nft_hook
*hook
, *next
;
1851 const struct nlattr
*tmp
;
1852 int rem
, n
= 0, err
;
1854 nla_for_each_nested(tmp
, attr
, rem
) {
1855 if (nla_type(tmp
) != NFTA_DEVICE_NAME
) {
1860 hook
= nft_netdev_hook_alloc(net
, tmp
);
1862 err
= PTR_ERR(hook
);
1865 if (nft_hook_list_find(hook_list
, hook
)) {
1870 list_add_tail(&hook
->list
, hook_list
);
1873 if (n
== NFT_NETDEVICE_MAX
) {
1882 list_for_each_entry_safe(hook
, next
, hook_list
, list
) {
1883 list_del(&hook
->list
);
1889 struct nft_chain_hook
{
1892 const struct nft_chain_type
*type
;
1893 struct list_head list
;
1896 static int nft_chain_parse_netdev(struct net
*net
,
1897 struct nlattr
*tb
[],
1898 struct list_head
*hook_list
)
1900 struct nft_hook
*hook
;
1903 if (tb
[NFTA_HOOK_DEV
]) {
1904 hook
= nft_netdev_hook_alloc(net
, tb
[NFTA_HOOK_DEV
]);
1906 return PTR_ERR(hook
);
1908 list_add_tail(&hook
->list
, hook_list
);
1909 } else if (tb
[NFTA_HOOK_DEVS
]) {
1910 err
= nf_tables_parse_netdev_hooks(net
, tb
[NFTA_HOOK_DEVS
],
1915 if (list_empty(hook_list
))
1924 static int nft_chain_parse_hook(struct net
*net
,
1925 const struct nlattr
* const nla
[],
1926 struct nft_chain_hook
*hook
, u8 family
,
1927 struct netlink_ext_ack
*extack
, bool autoload
)
1929 struct nftables_pernet
*nft_net
= nft_pernet(net
);
1930 struct nlattr
*ha
[NFTA_HOOK_MAX
+ 1];
1931 const struct nft_chain_type
*type
;
1934 lockdep_assert_held(&nft_net
->commit_mutex
);
1935 lockdep_nfnl_nft_mutex_not_held();
1937 err
= nla_parse_nested_deprecated(ha
, NFTA_HOOK_MAX
,
1938 nla
[NFTA_CHAIN_HOOK
],
1939 nft_hook_policy
, NULL
);
1943 if (ha
[NFTA_HOOK_HOOKNUM
] == NULL
||
1944 ha
[NFTA_HOOK_PRIORITY
] == NULL
)
1947 hook
->num
= ntohl(nla_get_be32(ha
[NFTA_HOOK_HOOKNUM
]));
1948 hook
->priority
= ntohl(nla_get_be32(ha
[NFTA_HOOK_PRIORITY
]));
1950 type
= __nft_chain_type_get(family
, NFT_CHAIN_T_DEFAULT
);
1954 if (nla
[NFTA_CHAIN_TYPE
]) {
1955 type
= nf_tables_chain_type_lookup(net
, nla
[NFTA_CHAIN_TYPE
],
1958 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TYPE
]);
1959 return PTR_ERR(type
);
1962 if (hook
->num
>= NFT_MAX_HOOKS
|| !(type
->hook_mask
& (1 << hook
->num
)))
1965 if (type
->type
== NFT_CHAIN_T_NAT
&&
1966 hook
->priority
<= NF_IP_PRI_CONNTRACK
)
1969 if (!try_module_get(type
->owner
)) {
1970 if (nla
[NFTA_CHAIN_TYPE
])
1971 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TYPE
]);
1977 INIT_LIST_HEAD(&hook
->list
);
1978 if (nft_base_chain_netdev(family
, hook
->num
)) {
1979 err
= nft_chain_parse_netdev(net
, ha
, &hook
->list
);
1981 module_put(type
->owner
);
1984 } else if (ha
[NFTA_HOOK_DEV
] || ha
[NFTA_HOOK_DEVS
]) {
1985 module_put(type
->owner
);
1992 static void nft_chain_release_hook(struct nft_chain_hook
*hook
)
1994 struct nft_hook
*h
, *next
;
1996 list_for_each_entry_safe(h
, next
, &hook
->list
, list
) {
2000 module_put(hook
->type
->owner
);
2003 struct nft_rules_old
{
2005 struct nft_rule
**start
;
2008 static struct nft_rule
**nf_tables_chain_alloc_rules(const struct nft_chain
*chain
,
2011 if (alloc
> INT_MAX
)
2014 alloc
+= 1; /* NULL, ends rules */
2015 if (sizeof(struct nft_rule
*) > INT_MAX
/ alloc
)
2018 alloc
*= sizeof(struct nft_rule
*);
2019 alloc
+= sizeof(struct nft_rules_old
);
2021 return kvmalloc(alloc
, GFP_KERNEL
);
2024 static void nft_basechain_hook_init(struct nf_hook_ops
*ops
, u8 family
,
2025 const struct nft_chain_hook
*hook
,
2026 struct nft_chain
*chain
)
2029 ops
->hooknum
= hook
->num
;
2030 ops
->priority
= hook
->priority
;
2032 ops
->hook
= hook
->type
->hooks
[ops
->hooknum
];
2033 ops
->hook_ops_type
= NF_HOOK_OP_NF_TABLES
;
2036 static int nft_basechain_init(struct nft_base_chain
*basechain
, u8 family
,
2037 struct nft_chain_hook
*hook
, u32 flags
)
2039 struct nft_chain
*chain
;
2042 basechain
->type
= hook
->type
;
2043 INIT_LIST_HEAD(&basechain
->hook_list
);
2044 chain
= &basechain
->chain
;
2046 if (nft_base_chain_netdev(family
, hook
->num
)) {
2047 list_splice_init(&hook
->list
, &basechain
->hook_list
);
2048 list_for_each_entry(h
, &basechain
->hook_list
, list
)
2049 nft_basechain_hook_init(&h
->ops
, family
, hook
, chain
);
2051 basechain
->ops
.hooknum
= hook
->num
;
2052 basechain
->ops
.priority
= hook
->priority
;
2054 nft_basechain_hook_init(&basechain
->ops
, family
, hook
, chain
);
2057 chain
->flags
|= NFT_CHAIN_BASE
| flags
;
2058 basechain
->policy
= NF_ACCEPT
;
2059 if (chain
->flags
& NFT_CHAIN_HW_OFFLOAD
&&
2060 nft_chain_offload_priority(basechain
) < 0)
2063 flow_block_init(&basechain
->flow_block
);
2068 static int nft_chain_add(struct nft_table
*table
, struct nft_chain
*chain
)
2072 err
= rhltable_insert_key(&table
->chains_ht
, chain
->name
,
2073 &chain
->rhlhead
, nft_chain_ht_params
);
2077 list_add_tail_rcu(&chain
->list
, &table
->chains
);
2082 static u64 chain_id
;
2084 static int nf_tables_addchain(struct nft_ctx
*ctx
, u8 family
, u8 genmask
,
2085 u8 policy
, u32 flags
,
2086 struct netlink_ext_ack
*extack
)
2088 const struct nlattr
* const *nla
= ctx
->nla
;
2089 struct nft_table
*table
= ctx
->table
;
2090 struct nft_base_chain
*basechain
;
2091 struct nft_stats __percpu
*stats
;
2092 struct net
*net
= ctx
->net
;
2093 char name
[NFT_NAME_MAXLEN
];
2094 struct nft_trans
*trans
;
2095 struct nft_chain
*chain
;
2096 struct nft_rule
**rules
;
2099 if (table
->use
== UINT_MAX
)
2102 if (nla
[NFTA_CHAIN_HOOK
]) {
2103 struct nft_chain_hook hook
;
2105 if (flags
& NFT_CHAIN_BINDING
)
2108 err
= nft_chain_parse_hook(net
, nla
, &hook
, family
, extack
,
2113 basechain
= kzalloc(sizeof(*basechain
), GFP_KERNEL
);
2114 if (basechain
== NULL
) {
2115 nft_chain_release_hook(&hook
);
2118 chain
= &basechain
->chain
;
2120 if (nla
[NFTA_CHAIN_COUNTERS
]) {
2121 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
2122 if (IS_ERR(stats
)) {
2123 nft_chain_release_hook(&hook
);
2125 return PTR_ERR(stats
);
2127 rcu_assign_pointer(basechain
->stats
, stats
);
2128 static_branch_inc(&nft_counters_enabled
);
2131 err
= nft_basechain_init(basechain
, family
, &hook
, flags
);
2133 nft_chain_release_hook(&hook
);
2138 if (flags
& NFT_CHAIN_BASE
)
2140 if (flags
& NFT_CHAIN_HW_OFFLOAD
)
2143 chain
= kzalloc(sizeof(*chain
), GFP_KERNEL
);
2147 chain
->flags
= flags
;
2151 INIT_LIST_HEAD(&chain
->rules
);
2152 chain
->handle
= nf_tables_alloc_handle(table
);
2153 chain
->table
= table
;
2155 if (nla
[NFTA_CHAIN_NAME
]) {
2156 chain
->name
= nla_strdup(nla
[NFTA_CHAIN_NAME
], GFP_KERNEL
);
2158 if (!(flags
& NFT_CHAIN_BINDING
)) {
2160 goto err_destroy_chain
;
2163 snprintf(name
, sizeof(name
), "__chain%llu", ++chain_id
);
2164 chain
->name
= kstrdup(name
, GFP_KERNEL
);
2169 goto err_destroy_chain
;
2172 if (nla
[NFTA_CHAIN_USERDATA
]) {
2173 chain
->udata
= nla_memdup(nla
[NFTA_CHAIN_USERDATA
], GFP_KERNEL
);
2174 if (chain
->udata
== NULL
) {
2176 goto err_destroy_chain
;
2178 chain
->udlen
= nla_len(nla
[NFTA_CHAIN_USERDATA
]);
2181 rules
= nf_tables_chain_alloc_rules(chain
, 0);
2184 goto err_destroy_chain
;
2188 rcu_assign_pointer(chain
->rules_gen_0
, rules
);
2189 rcu_assign_pointer(chain
->rules_gen_1
, rules
);
2191 err
= nf_tables_register_hook(net
, table
, chain
);
2193 goto err_destroy_chain
;
2195 trans
= nft_trans_chain_add(ctx
, NFT_MSG_NEWCHAIN
);
2196 if (IS_ERR(trans
)) {
2197 err
= PTR_ERR(trans
);
2198 goto err_unregister_hook
;
2201 nft_trans_chain_policy(trans
) = NFT_CHAIN_POLICY_UNSET
;
2202 if (nft_is_base_chain(chain
))
2203 nft_trans_chain_policy(trans
) = policy
;
2205 err
= nft_chain_add(table
, chain
);
2207 nft_trans_destroy(trans
);
2208 goto err_unregister_hook
;
2214 err_unregister_hook
:
2215 nf_tables_unregister_hook(net
, table
, chain
);
2217 nf_tables_chain_destroy(ctx
);
2222 static bool nft_hook_list_equal(struct list_head
*hook_list1
,
2223 struct list_head
*hook_list2
)
2225 struct nft_hook
*hook
;
2229 list_for_each_entry(hook
, hook_list2
, list
) {
2230 if (!nft_hook_list_find(hook_list1
, hook
))
2235 list_for_each_entry(hook
, hook_list1
, list
)
2241 static int nf_tables_updchain(struct nft_ctx
*ctx
, u8 genmask
, u8 policy
,
2242 u32 flags
, const struct nlattr
*attr
,
2243 struct netlink_ext_ack
*extack
)
2245 const struct nlattr
* const *nla
= ctx
->nla
;
2246 struct nft_table
*table
= ctx
->table
;
2247 struct nft_chain
*chain
= ctx
->chain
;
2248 struct nft_base_chain
*basechain
;
2249 struct nft_stats
*stats
= NULL
;
2250 struct nft_chain_hook hook
;
2251 struct nf_hook_ops
*ops
;
2252 struct nft_trans
*trans
;
2255 if (chain
->flags
^ flags
)
2258 if (nla
[NFTA_CHAIN_HOOK
]) {
2259 if (!nft_is_base_chain(chain
)) {
2260 NL_SET_BAD_ATTR(extack
, attr
);
2263 err
= nft_chain_parse_hook(ctx
->net
, nla
, &hook
, ctx
->family
,
2268 basechain
= nft_base_chain(chain
);
2269 if (basechain
->type
!= hook
.type
) {
2270 nft_chain_release_hook(&hook
);
2271 NL_SET_BAD_ATTR(extack
, attr
);
2275 if (nft_base_chain_netdev(ctx
->family
, hook
.num
)) {
2276 if (!nft_hook_list_equal(&basechain
->hook_list
,
2278 nft_chain_release_hook(&hook
);
2279 NL_SET_BAD_ATTR(extack
, attr
);
2283 ops
= &basechain
->ops
;
2284 if (ops
->hooknum
!= hook
.num
||
2285 ops
->priority
!= hook
.priority
) {
2286 nft_chain_release_hook(&hook
);
2287 NL_SET_BAD_ATTR(extack
, attr
);
2291 nft_chain_release_hook(&hook
);
2294 if (nla
[NFTA_CHAIN_HANDLE
] &&
2295 nla
[NFTA_CHAIN_NAME
]) {
2296 struct nft_chain
*chain2
;
2298 chain2
= nft_chain_lookup(ctx
->net
, table
,
2299 nla
[NFTA_CHAIN_NAME
], genmask
);
2300 if (!IS_ERR(chain2
)) {
2301 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_NAME
]);
2306 if (nla
[NFTA_CHAIN_COUNTERS
]) {
2307 if (!nft_is_base_chain(chain
))
2310 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
2312 return PTR_ERR(stats
);
2316 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWCHAIN
,
2317 sizeof(struct nft_trans_chain
));
2321 nft_trans_chain_stats(trans
) = stats
;
2322 nft_trans_chain_update(trans
) = true;
2324 if (nla
[NFTA_CHAIN_POLICY
])
2325 nft_trans_chain_policy(trans
) = policy
;
2327 nft_trans_chain_policy(trans
) = -1;
2329 if (nla
[NFTA_CHAIN_HANDLE
] &&
2330 nla
[NFTA_CHAIN_NAME
]) {
2331 struct nftables_pernet
*nft_net
= nft_pernet(ctx
->net
);
2332 struct nft_trans
*tmp
;
2336 name
= nla_strdup(nla
[NFTA_CHAIN_NAME
], GFP_KERNEL
);
2341 list_for_each_entry(tmp
, &nft_net
->commit_list
, list
) {
2342 if (tmp
->msg_type
== NFT_MSG_NEWCHAIN
&&
2343 tmp
->ctx
.table
== table
&&
2344 nft_trans_chain_update(tmp
) &&
2345 nft_trans_chain_name(tmp
) &&
2346 strcmp(name
, nft_trans_chain_name(tmp
)) == 0) {
2347 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_NAME
]);
2353 nft_trans_chain_name(trans
) = name
;
2355 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
2364 static struct nft_chain
*nft_chain_lookup_byid(const struct net
*net
,
2365 const struct nlattr
*nla
)
2367 struct nftables_pernet
*nft_net
= nft_pernet(net
);
2368 u32 id
= ntohl(nla_get_be32(nla
));
2369 struct nft_trans
*trans
;
2371 list_for_each_entry(trans
, &nft_net
->commit_list
, list
) {
2372 struct nft_chain
*chain
= trans
->ctx
.chain
;
2374 if (trans
->msg_type
== NFT_MSG_NEWCHAIN
&&
2375 id
== nft_trans_chain_id(trans
))
2378 return ERR_PTR(-ENOENT
);
2381 static int nf_tables_newchain(struct sk_buff
*skb
, const struct nfnl_info
*info
,
2382 const struct nlattr
* const nla
[])
2384 struct nftables_pernet
*nft_net
= nft_pernet(info
->net
);
2385 struct netlink_ext_ack
*extack
= info
->extack
;
2386 u8 genmask
= nft_genmask_next(info
->net
);
2387 u8 family
= info
->nfmsg
->nfgen_family
;
2388 struct nft_chain
*chain
= NULL
;
2389 struct net
*net
= info
->net
;
2390 const struct nlattr
*attr
;
2391 struct nft_table
*table
;
2392 u8 policy
= NF_ACCEPT
;
2397 lockdep_assert_held(&nft_net
->commit_mutex
);
2399 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
,
2400 NETLINK_CB(skb
).portid
);
2401 if (IS_ERR(table
)) {
2402 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
2403 return PTR_ERR(table
);
2407 attr
= nla
[NFTA_CHAIN_NAME
];
2409 if (nla
[NFTA_CHAIN_HANDLE
]) {
2410 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_CHAIN_HANDLE
]));
2411 chain
= nft_chain_lookup_byhandle(table
, handle
, genmask
);
2412 if (IS_ERR(chain
)) {
2413 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_HANDLE
]);
2414 return PTR_ERR(chain
);
2416 attr
= nla
[NFTA_CHAIN_HANDLE
];
2417 } else if (nla
[NFTA_CHAIN_NAME
]) {
2418 chain
= nft_chain_lookup(net
, table
, attr
, genmask
);
2419 if (IS_ERR(chain
)) {
2420 if (PTR_ERR(chain
) != -ENOENT
) {
2421 NL_SET_BAD_ATTR(extack
, attr
);
2422 return PTR_ERR(chain
);
2426 } else if (!nla
[NFTA_CHAIN_ID
]) {
2430 if (nla
[NFTA_CHAIN_POLICY
]) {
2431 if (chain
!= NULL
&&
2432 !nft_is_base_chain(chain
)) {
2433 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_POLICY
]);
2437 if (chain
== NULL
&&
2438 nla
[NFTA_CHAIN_HOOK
] == NULL
) {
2439 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_POLICY
]);
2443 policy
= ntohl(nla_get_be32(nla
[NFTA_CHAIN_POLICY
]));
2453 if (nla
[NFTA_CHAIN_FLAGS
])
2454 flags
= ntohl(nla_get_be32(nla
[NFTA_CHAIN_FLAGS
]));
2456 flags
= chain
->flags
;
2458 if (flags
& ~NFT_CHAIN_FLAGS
)
2461 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, chain
, nla
);
2463 if (chain
!= NULL
) {
2464 if (info
->nlh
->nlmsg_flags
& NLM_F_EXCL
) {
2465 NL_SET_BAD_ATTR(extack
, attr
);
2468 if (info
->nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2471 flags
|= chain
->flags
& NFT_CHAIN_BASE
;
2472 return nf_tables_updchain(&ctx
, genmask
, policy
, flags
, attr
,
2476 return nf_tables_addchain(&ctx
, family
, genmask
, policy
, flags
, extack
);
2479 static int nf_tables_delchain(struct sk_buff
*skb
, const struct nfnl_info
*info
,
2480 const struct nlattr
* const nla
[])
2482 struct netlink_ext_ack
*extack
= info
->extack
;
2483 u8 genmask
= nft_genmask_next(info
->net
);
2484 u8 family
= info
->nfmsg
->nfgen_family
;
2485 struct net
*net
= info
->net
;
2486 const struct nlattr
*attr
;
2487 struct nft_table
*table
;
2488 struct nft_chain
*chain
;
2489 struct nft_rule
*rule
;
2495 table
= nft_table_lookup(net
, nla
[NFTA_CHAIN_TABLE
], family
, genmask
,
2496 NETLINK_CB(skb
).portid
);
2497 if (IS_ERR(table
)) {
2498 NL_SET_BAD_ATTR(extack
, nla
[NFTA_CHAIN_TABLE
]);
2499 return PTR_ERR(table
);
2502 if (nla
[NFTA_CHAIN_HANDLE
]) {
2503 attr
= nla
[NFTA_CHAIN_HANDLE
];
2504 handle
= be64_to_cpu(nla_get_be64(attr
));
2505 chain
= nft_chain_lookup_byhandle(table
, handle
, genmask
);
2507 attr
= nla
[NFTA_CHAIN_NAME
];
2508 chain
= nft_chain_lookup(net
, table
, attr
, genmask
);
2510 if (IS_ERR(chain
)) {
2511 NL_SET_BAD_ATTR(extack
, attr
);
2512 return PTR_ERR(chain
);
2515 if (info
->nlh
->nlmsg_flags
& NLM_F_NONREC
&&
2519 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, chain
, nla
);
2522 list_for_each_entry(rule
, &chain
->rules
, list
) {
2523 if (!nft_is_active_next(net
, rule
))
2527 err
= nft_delrule(&ctx
, rule
);
2532 /* There are rules and elements that are still holding references to us,
2533 * we cannot do a recursive removal in this case.
2536 NL_SET_BAD_ATTR(extack
, attr
);
2540 return nft_delchain(&ctx
);
2548 * nft_register_expr - register nf_tables expr type
2551 * Registers the expr type for use with nf_tables. Returns zero on
2552 * success or a negative errno code otherwise.
2554 int nft_register_expr(struct nft_expr_type
*type
)
2556 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2557 if (type
->family
== NFPROTO_UNSPEC
)
2558 list_add_tail_rcu(&type
->list
, &nf_tables_expressions
);
2560 list_add_rcu(&type
->list
, &nf_tables_expressions
);
2561 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2564 EXPORT_SYMBOL_GPL(nft_register_expr
);
2567 * nft_unregister_expr - unregister nf_tables expr type
2570 * Unregisters the expr typefor use with nf_tables.
2572 void nft_unregister_expr(struct nft_expr_type
*type
)
2574 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2575 list_del_rcu(&type
->list
);
2576 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2578 EXPORT_SYMBOL_GPL(nft_unregister_expr
);
2580 static const struct nft_expr_type
*__nft_expr_type_get(u8 family
,
2583 const struct nft_expr_type
*type
, *candidate
= NULL
;
2585 list_for_each_entry(type
, &nf_tables_expressions
, list
) {
2586 if (!nla_strcmp(nla
, type
->name
)) {
2587 if (!type
->family
&& !candidate
)
2589 else if (type
->family
== family
)
2596 #ifdef CONFIG_MODULES
2597 static int nft_expr_type_request_module(struct net
*net
, u8 family
,
2600 if (nft_request_module(net
, "nft-expr-%u-%.*s", family
,
2601 nla_len(nla
), (char *)nla_data(nla
)) == -EAGAIN
)
2608 static const struct nft_expr_type
*nft_expr_type_get(struct net
*net
,
2612 const struct nft_expr_type
*type
;
2615 return ERR_PTR(-EINVAL
);
2617 type
= __nft_expr_type_get(family
, nla
);
2618 if (type
!= NULL
&& try_module_get(type
->owner
))
2621 lockdep_nfnl_nft_mutex_not_held();
2622 #ifdef CONFIG_MODULES
2624 if (nft_expr_type_request_module(net
, family
, nla
) == -EAGAIN
)
2625 return ERR_PTR(-EAGAIN
);
2627 if (nft_request_module(net
, "nft-expr-%.*s",
2629 (char *)nla_data(nla
)) == -EAGAIN
)
2630 return ERR_PTR(-EAGAIN
);
2633 return ERR_PTR(-ENOENT
);
2636 static const struct nla_policy nft_expr_policy
[NFTA_EXPR_MAX
+ 1] = {
2637 [NFTA_EXPR_NAME
] = { .type
= NLA_STRING
,
2638 .len
= NFT_MODULE_AUTOLOAD_LIMIT
},
2639 [NFTA_EXPR_DATA
] = { .type
= NLA_NESTED
},
2642 static int nf_tables_fill_expr_info(struct sk_buff
*skb
,
2643 const struct nft_expr
*expr
)
2645 if (nla_put_string(skb
, NFTA_EXPR_NAME
, expr
->ops
->type
->name
))
2646 goto nla_put_failure
;
2648 if (expr
->ops
->dump
) {
2649 struct nlattr
*data
= nla_nest_start_noflag(skb
,
2652 goto nla_put_failure
;
2653 if (expr
->ops
->dump(skb
, expr
) < 0)
2654 goto nla_put_failure
;
2655 nla_nest_end(skb
, data
);
2664 int nft_expr_dump(struct sk_buff
*skb
, unsigned int attr
,
2665 const struct nft_expr
*expr
)
2667 struct nlattr
*nest
;
2669 nest
= nla_nest_start_noflag(skb
, attr
);
2671 goto nla_put_failure
;
2672 if (nf_tables_fill_expr_info(skb
, expr
) < 0)
2673 goto nla_put_failure
;
2674 nla_nest_end(skb
, nest
);
2681 struct nft_expr_info
{
2682 const struct nft_expr_ops
*ops
;
2683 const struct nlattr
*attr
;
2684 struct nlattr
*tb
[NFT_EXPR_MAXATTR
+ 1];
2687 static int nf_tables_expr_parse(const struct nft_ctx
*ctx
,
2688 const struct nlattr
*nla
,
2689 struct nft_expr_info
*info
)
2691 const struct nft_expr_type
*type
;
2692 const struct nft_expr_ops
*ops
;
2693 struct nlattr
*tb
[NFTA_EXPR_MAX
+ 1];
2696 err
= nla_parse_nested_deprecated(tb
, NFTA_EXPR_MAX
, nla
,
2697 nft_expr_policy
, NULL
);
2701 type
= nft_expr_type_get(ctx
->net
, ctx
->family
, tb
[NFTA_EXPR_NAME
]);
2703 return PTR_ERR(type
);
2705 if (tb
[NFTA_EXPR_DATA
]) {
2706 err
= nla_parse_nested_deprecated(info
->tb
, type
->maxattr
,
2708 type
->policy
, NULL
);
2712 memset(info
->tb
, 0, sizeof(info
->tb
[0]) * (type
->maxattr
+ 1));
2714 if (type
->select_ops
!= NULL
) {
2715 ops
= type
->select_ops(ctx
,
2716 (const struct nlattr
* const *)info
->tb
);
2719 #ifdef CONFIG_MODULES
2721 if (nft_expr_type_request_module(ctx
->net
,
2723 tb
[NFTA_EXPR_NAME
]) != -EAGAIN
)
2737 module_put(type
->owner
);
2741 static int nf_tables_newexpr(const struct nft_ctx
*ctx
,
2742 const struct nft_expr_info
*expr_info
,
2743 struct nft_expr
*expr
)
2745 const struct nft_expr_ops
*ops
= expr_info
->ops
;
2750 err
= ops
->init(ctx
, expr
, (const struct nlattr
**)expr_info
->tb
);
2761 static void nf_tables_expr_destroy(const struct nft_ctx
*ctx
,
2762 struct nft_expr
*expr
)
2764 const struct nft_expr_type
*type
= expr
->ops
->type
;
2766 if (expr
->ops
->destroy
)
2767 expr
->ops
->destroy(ctx
, expr
);
2768 module_put(type
->owner
);
2771 static struct nft_expr
*nft_expr_init(const struct nft_ctx
*ctx
,
2772 const struct nlattr
*nla
)
2774 struct nft_expr_info expr_info
;
2775 struct nft_expr
*expr
;
2776 struct module
*owner
;
2779 err
= nf_tables_expr_parse(ctx
, nla
, &expr_info
);
2784 expr
= kzalloc(expr_info
.ops
->size
, GFP_KERNEL
);
2788 err
= nf_tables_newexpr(ctx
, &expr_info
, expr
);
2796 owner
= expr_info
.ops
->type
->owner
;
2797 if (expr_info
.ops
->type
->release_ops
)
2798 expr_info
.ops
->type
->release_ops(expr_info
.ops
);
2802 return ERR_PTR(err
);
2805 int nft_expr_clone(struct nft_expr
*dst
, struct nft_expr
*src
)
2809 if (src
->ops
->clone
) {
2810 dst
->ops
= src
->ops
;
2811 err
= src
->ops
->clone(dst
, src
);
2815 memcpy(dst
, src
, src
->ops
->size
);
2818 __module_get(src
->ops
->type
->owner
);
2823 void nft_expr_destroy(const struct nft_ctx
*ctx
, struct nft_expr
*expr
)
2825 nf_tables_expr_destroy(ctx
, expr
);
2833 static struct nft_rule
*__nft_rule_lookup(const struct nft_chain
*chain
,
2836 struct nft_rule
*rule
;
2838 // FIXME: this sucks
2839 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
2840 if (handle
== rule
->handle
)
2844 return ERR_PTR(-ENOENT
);
2847 static struct nft_rule
*nft_rule_lookup(const struct nft_chain
*chain
,
2848 const struct nlattr
*nla
)
2851 return ERR_PTR(-EINVAL
);
2853 return __nft_rule_lookup(chain
, be64_to_cpu(nla_get_be64(nla
)));
2856 static const struct nla_policy nft_rule_policy
[NFTA_RULE_MAX
+ 1] = {
2857 [NFTA_RULE_TABLE
] = { .type
= NLA_STRING
,
2858 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
2859 [NFTA_RULE_CHAIN
] = { .type
= NLA_STRING
,
2860 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
2861 [NFTA_RULE_HANDLE
] = { .type
= NLA_U64
},
2862 [NFTA_RULE_EXPRESSIONS
] = { .type
= NLA_NESTED
},
2863 [NFTA_RULE_COMPAT
] = { .type
= NLA_NESTED
},
2864 [NFTA_RULE_POSITION
] = { .type
= NLA_U64
},
2865 [NFTA_RULE_USERDATA
] = { .type
= NLA_BINARY
,
2866 .len
= NFT_USERDATA_MAXLEN
},
2867 [NFTA_RULE_ID
] = { .type
= NLA_U32
},
2868 [NFTA_RULE_POSITION_ID
] = { .type
= NLA_U32
},
2869 [NFTA_RULE_CHAIN_ID
] = { .type
= NLA_U32
},
2872 static int nf_tables_fill_rule_info(struct sk_buff
*skb
, struct net
*net
,
2873 u32 portid
, u32 seq
, int event
,
2874 u32 flags
, int family
,
2875 const struct nft_table
*table
,
2876 const struct nft_chain
*chain
,
2877 const struct nft_rule
*rule
, u64 handle
)
2879 struct nlmsghdr
*nlh
;
2880 const struct nft_expr
*expr
, *next
;
2881 struct nlattr
*list
;
2882 u16 type
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
2884 nlh
= nfnl_msg_put(skb
, portid
, seq
, type
, flags
, family
, NFNETLINK_V0
,
2887 goto nla_put_failure
;
2889 if (nla_put_string(skb
, NFTA_RULE_TABLE
, table
->name
))
2890 goto nla_put_failure
;
2891 if (nla_put_string(skb
, NFTA_RULE_CHAIN
, chain
->name
))
2892 goto nla_put_failure
;
2893 if (nla_put_be64(skb
, NFTA_RULE_HANDLE
, cpu_to_be64(rule
->handle
),
2895 goto nla_put_failure
;
2897 if (event
!= NFT_MSG_DELRULE
&& handle
) {
2898 if (nla_put_be64(skb
, NFTA_RULE_POSITION
, cpu_to_be64(handle
),
2900 goto nla_put_failure
;
2903 if (chain
->flags
& NFT_CHAIN_HW_OFFLOAD
)
2904 nft_flow_rule_stats(chain
, rule
);
2906 list
= nla_nest_start_noflag(skb
, NFTA_RULE_EXPRESSIONS
);
2908 goto nla_put_failure
;
2909 nft_rule_for_each_expr(expr
, next
, rule
) {
2910 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
, expr
) < 0)
2911 goto nla_put_failure
;
2913 nla_nest_end(skb
, list
);
2916 struct nft_userdata
*udata
= nft_userdata(rule
);
2917 if (nla_put(skb
, NFTA_RULE_USERDATA
, udata
->len
+ 1,
2919 goto nla_put_failure
;
2922 nlmsg_end(skb
, nlh
);
2926 nlmsg_trim(skb
, nlh
);
2930 static void nf_tables_rule_notify(const struct nft_ctx
*ctx
,
2931 const struct nft_rule
*rule
, int event
)
2933 struct nftables_pernet
*nft_net
= nft_pernet(ctx
->net
);
2934 const struct nft_rule
*prule
;
2935 struct sk_buff
*skb
;
2941 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
2944 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
2948 if (event
== NFT_MSG_NEWRULE
&&
2949 !list_is_first(&rule
->list
, &ctx
->chain
->rules
) &&
2950 !list_is_last(&rule
->list
, &ctx
->chain
->rules
)) {
2951 prule
= list_prev_entry(rule
, list
);
2952 handle
= prule
->handle
;
2954 if (ctx
->flags
& (NLM_F_APPEND
| NLM_F_REPLACE
))
2955 flags
|= NLM_F_APPEND
;
2956 if (ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
))
2957 flags
|= ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
);
2959 err
= nf_tables_fill_rule_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
2960 event
, flags
, ctx
->family
, ctx
->table
,
2961 ctx
->chain
, rule
, handle
);
2967 nft_notify_enqueue(skb
, ctx
->report
, &nft_net
->notify_list
);
2970 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
2973 struct nft_rule_dump_ctx
{
2978 static int __nf_tables_dump_rules(struct sk_buff
*skb
,
2980 struct netlink_callback
*cb
,
2981 const struct nft_table
*table
,
2982 const struct nft_chain
*chain
)
2984 struct net
*net
= sock_net(skb
->sk
);
2985 const struct nft_rule
*rule
, *prule
;
2986 unsigned int s_idx
= cb
->args
[0];
2990 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
2991 if (!nft_is_active(net
, rule
))
2996 memset(&cb
->args
[1], 0,
2997 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
3000 handle
= prule
->handle
;
3004 if (nf_tables_fill_rule_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
3007 NLM_F_MULTI
| NLM_F_APPEND
,
3009 table
, chain
, rule
, handle
) < 0)
3012 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
3021 static int nf_tables_dump_rules(struct sk_buff
*skb
,
3022 struct netlink_callback
*cb
)
3024 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
3025 const struct nft_rule_dump_ctx
*ctx
= cb
->data
;
3026 struct nft_table
*table
;
3027 const struct nft_chain
*chain
;
3028 unsigned int idx
= 0;
3029 struct net
*net
= sock_net(skb
->sk
);
3030 int family
= nfmsg
->nfgen_family
;
3031 struct nftables_pernet
*nft_net
;
3034 nft_net
= nft_pernet(net
);
3035 cb
->seq
= nft_net
->base_seq
;
3037 list_for_each_entry_rcu(table
, &nft_net
->tables
, list
) {
3038 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
3041 if (ctx
&& ctx
->table
&& strcmp(ctx
->table
, table
->name
) != 0)
3044 if (ctx
&& ctx
->table
&& ctx
->chain
) {
3045 struct rhlist_head
*list
, *tmp
;
3047 list
= rhltable_lookup(&table
->chains_ht
, ctx
->chain
,
3048 nft_chain_ht_params
);
3052 rhl_for_each_entry_rcu(chain
, tmp
, list
, rhlhead
) {
3053 if (!nft_is_active(net
, chain
))
3055 __nf_tables_dump_rules(skb
, &idx
,
3062 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
3063 if (__nf_tables_dump_rules(skb
, &idx
, cb
, table
, chain
))
3067 if (ctx
&& ctx
->table
)
3077 static int nf_tables_dump_rules_start(struct netlink_callback
*cb
)
3079 const struct nlattr
* const *nla
= cb
->data
;
3080 struct nft_rule_dump_ctx
*ctx
= NULL
;
3082 if (nla
[NFTA_RULE_TABLE
] || nla
[NFTA_RULE_CHAIN
]) {
3083 ctx
= kzalloc(sizeof(*ctx
), GFP_ATOMIC
);
3087 if (nla
[NFTA_RULE_TABLE
]) {
3088 ctx
->table
= nla_strdup(nla
[NFTA_RULE_TABLE
],
3095 if (nla
[NFTA_RULE_CHAIN
]) {
3096 ctx
->chain
= nla_strdup(nla
[NFTA_RULE_CHAIN
],
3110 static int nf_tables_dump_rules_done(struct netlink_callback
*cb
)
3112 struct nft_rule_dump_ctx
*ctx
= cb
->data
;
3122 /* called with rcu_read_lock held */
3123 static int nf_tables_getrule(struct sk_buff
*skb
, const struct nfnl_info
*info
,
3124 const struct nlattr
* const nla
[])
3126 struct netlink_ext_ack
*extack
= info
->extack
;
3127 u8 genmask
= nft_genmask_cur(info
->net
);
3128 u8 family
= info
->nfmsg
->nfgen_family
;
3129 const struct nft_chain
*chain
;
3130 const struct nft_rule
*rule
;
3131 struct net
*net
= info
->net
;
3132 struct nft_table
*table
;
3133 struct sk_buff
*skb2
;
3136 if (info
->nlh
->nlmsg_flags
& NLM_F_DUMP
) {
3137 struct netlink_dump_control c
= {
3138 .start
= nf_tables_dump_rules_start
,
3139 .dump
= nf_tables_dump_rules
,
3140 .done
= nf_tables_dump_rules_done
,
3141 .module
= THIS_MODULE
,
3142 .data
= (void *)nla
,
3145 return nft_netlink_dump_start_rcu(info
->sk
, skb
, info
->nlh
, &c
);
3148 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
, 0);
3149 if (IS_ERR(table
)) {
3150 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
3151 return PTR_ERR(table
);
3154 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
], genmask
);
3155 if (IS_ERR(chain
)) {
3156 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
3157 return PTR_ERR(chain
);
3160 rule
= nft_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
3162 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
3163 return PTR_ERR(rule
);
3166 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
3170 err
= nf_tables_fill_rule_info(skb2
, net
, NETLINK_CB(skb
).portid
,
3171 info
->nlh
->nlmsg_seq
, NFT_MSG_NEWRULE
, 0,
3172 family
, table
, chain
, rule
, 0);
3174 goto err_fill_rule_info
;
3176 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
3183 static void nf_tables_rule_destroy(const struct nft_ctx
*ctx
,
3184 struct nft_rule
*rule
)
3186 struct nft_expr
*expr
, *next
;
3189 * Careful: some expressions might not be initialized in case this
3190 * is called on error from nf_tables_newrule().
3192 expr
= nft_expr_first(rule
);
3193 while (nft_expr_more(rule
, expr
)) {
3194 next
= nft_expr_next(expr
);
3195 nf_tables_expr_destroy(ctx
, expr
);
3201 void nf_tables_rule_release(const struct nft_ctx
*ctx
, struct nft_rule
*rule
)
3203 nft_rule_expr_deactivate(ctx
, rule
, NFT_TRANS_RELEASE
);
3204 nf_tables_rule_destroy(ctx
, rule
);
3207 int nft_chain_validate(const struct nft_ctx
*ctx
, const struct nft_chain
*chain
)
3209 struct nft_expr
*expr
, *last
;
3210 const struct nft_data
*data
;
3211 struct nft_rule
*rule
;
3214 if (ctx
->level
== NFT_JUMP_STACK_SIZE
)
3217 list_for_each_entry(rule
, &chain
->rules
, list
) {
3218 if (!nft_is_active_next(ctx
->net
, rule
))
3221 nft_rule_for_each_expr(expr
, last
, rule
) {
3222 if (!expr
->ops
->validate
)
3225 err
= expr
->ops
->validate(ctx
, expr
, &data
);
3233 EXPORT_SYMBOL_GPL(nft_chain_validate
);
3235 static int nft_table_validate(struct net
*net
, const struct nft_table
*table
)
3237 struct nft_chain
*chain
;
3238 struct nft_ctx ctx
= {
3240 .family
= table
->family
,
3244 list_for_each_entry(chain
, &table
->chains
, list
) {
3245 if (!nft_is_base_chain(chain
))
3249 err
= nft_chain_validate(&ctx
, chain
);
3257 static struct nft_rule
*nft_rule_lookup_byid(const struct net
*net
,
3258 const struct nlattr
*nla
);
3260 #define NFT_RULE_MAXEXPRS 128
3262 static int nf_tables_newrule(struct sk_buff
*skb
, const struct nfnl_info
*info
,
3263 const struct nlattr
* const nla
[])
3265 struct nftables_pernet
*nft_net
= nft_pernet(info
->net
);
3266 struct netlink_ext_ack
*extack
= info
->extack
;
3267 unsigned int size
, i
, n
, ulen
= 0, usize
= 0;
3268 u8 genmask
= nft_genmask_next(info
->net
);
3269 struct nft_rule
*rule
, *old_rule
= NULL
;
3270 struct nft_expr_info
*expr_info
= NULL
;
3271 u8 family
= info
->nfmsg
->nfgen_family
;
3272 struct nft_flow_rule
*flow
= NULL
;
3273 struct net
*net
= info
->net
;
3274 struct nft_userdata
*udata
;
3275 struct nft_table
*table
;
3276 struct nft_chain
*chain
;
3277 struct nft_trans
*trans
;
3278 u64 handle
, pos_handle
;
3279 struct nft_expr
*expr
;
3284 lockdep_assert_held(&nft_net
->commit_mutex
);
3286 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
,
3287 NETLINK_CB(skb
).portid
);
3288 if (IS_ERR(table
)) {
3289 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
3290 return PTR_ERR(table
);
3293 if (nla
[NFTA_RULE_CHAIN
]) {
3294 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
],
3296 if (IS_ERR(chain
)) {
3297 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
3298 return PTR_ERR(chain
);
3300 if (nft_chain_is_bound(chain
))
3303 } else if (nla
[NFTA_RULE_CHAIN_ID
]) {
3304 chain
= nft_chain_lookup_byid(net
, nla
[NFTA_RULE_CHAIN_ID
]);
3305 if (IS_ERR(chain
)) {
3306 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN_ID
]);
3307 return PTR_ERR(chain
);
3313 if (nla
[NFTA_RULE_HANDLE
]) {
3314 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_HANDLE
]));
3315 rule
= __nft_rule_lookup(chain
, handle
);
3317 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
3318 return PTR_ERR(rule
);
3321 if (info
->nlh
->nlmsg_flags
& NLM_F_EXCL
) {
3322 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
3325 if (info
->nlh
->nlmsg_flags
& NLM_F_REPLACE
)
3330 if (!(info
->nlh
->nlmsg_flags
& NLM_F_CREATE
) ||
3331 info
->nlh
->nlmsg_flags
& NLM_F_REPLACE
)
3333 handle
= nf_tables_alloc_handle(table
);
3335 if (chain
->use
== UINT_MAX
)
3338 if (nla
[NFTA_RULE_POSITION
]) {
3339 pos_handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_POSITION
]));
3340 old_rule
= __nft_rule_lookup(chain
, pos_handle
);
3341 if (IS_ERR(old_rule
)) {
3342 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_POSITION
]);
3343 return PTR_ERR(old_rule
);
3345 } else if (nla
[NFTA_RULE_POSITION_ID
]) {
3346 old_rule
= nft_rule_lookup_byid(net
, nla
[NFTA_RULE_POSITION_ID
]);
3347 if (IS_ERR(old_rule
)) {
3348 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_POSITION_ID
]);
3349 return PTR_ERR(old_rule
);
3354 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, chain
, nla
);
3358 if (nla
[NFTA_RULE_EXPRESSIONS
]) {
3359 expr_info
= kvmalloc_array(NFT_RULE_MAXEXPRS
,
3360 sizeof(struct nft_expr_info
),
3365 nla_for_each_nested(tmp
, nla
[NFTA_RULE_EXPRESSIONS
], rem
) {
3367 if (nla_type(tmp
) != NFTA_LIST_ELEM
)
3368 goto err_release_expr
;
3369 if (n
== NFT_RULE_MAXEXPRS
)
3370 goto err_release_expr
;
3371 err
= nf_tables_expr_parse(&ctx
, tmp
, &expr_info
[n
]);
3373 NL_SET_BAD_ATTR(extack
, tmp
);
3374 goto err_release_expr
;
3376 size
+= expr_info
[n
].ops
->size
;
3380 /* Check for overflow of dlen field */
3382 if (size
>= 1 << 12)
3383 goto err_release_expr
;
3385 if (nla
[NFTA_RULE_USERDATA
]) {
3386 ulen
= nla_len(nla
[NFTA_RULE_USERDATA
]);
3388 usize
= sizeof(struct nft_userdata
) + ulen
;
3392 rule
= kzalloc(sizeof(*rule
) + size
+ usize
, GFP_KERNEL
);
3394 goto err_release_expr
;
3396 nft_activate_next(net
, rule
);
3398 rule
->handle
= handle
;
3400 rule
->udata
= ulen
? 1 : 0;
3403 udata
= nft_userdata(rule
);
3404 udata
->len
= ulen
- 1;
3405 nla_memcpy(udata
->data
, nla
[NFTA_RULE_USERDATA
], ulen
);
3408 expr
= nft_expr_first(rule
);
3409 for (i
= 0; i
< n
; i
++) {
3410 err
= nf_tables_newexpr(&ctx
, &expr_info
[i
], expr
);
3412 NL_SET_BAD_ATTR(extack
, expr_info
[i
].attr
);
3413 goto err_release_rule
;
3416 if (expr_info
[i
].ops
->validate
)
3417 nft_validate_state_update(net
, NFT_VALIDATE_NEED
);
3419 expr_info
[i
].ops
= NULL
;
3420 expr
= nft_expr_next(expr
);
3423 if (chain
->flags
& NFT_CHAIN_HW_OFFLOAD
) {
3424 flow
= nft_flow_rule_create(net
, rule
);
3426 err
= PTR_ERR(flow
);
3427 goto err_release_rule
;
3431 if (info
->nlh
->nlmsg_flags
& NLM_F_REPLACE
) {
3432 err
= nft_delrule(&ctx
, old_rule
);
3434 goto err_destroy_flow_rule
;
3436 trans
= nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
);
3437 if (trans
== NULL
) {
3439 goto err_destroy_flow_rule
;
3441 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
3443 trans
= nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
);
3446 goto err_destroy_flow_rule
;
3449 if (info
->nlh
->nlmsg_flags
& NLM_F_APPEND
) {
3451 list_add_rcu(&rule
->list
, &old_rule
->list
);
3453 list_add_tail_rcu(&rule
->list
, &chain
->rules
);
3456 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
3458 list_add_rcu(&rule
->list
, &chain
->rules
);
3465 nft_trans_flow_rule(trans
) = flow
;
3467 if (nft_net
->validate_state
== NFT_VALIDATE_DO
)
3468 return nft_table_validate(net
, table
);
3472 err_destroy_flow_rule
:
3474 nft_flow_rule_destroy(flow
);
3476 nf_tables_rule_release(&ctx
, rule
);
3478 for (i
= 0; i
< n
; i
++) {
3479 if (expr_info
[i
].ops
) {
3480 module_put(expr_info
[i
].ops
->type
->owner
);
3481 if (expr_info
[i
].ops
->type
->release_ops
)
3482 expr_info
[i
].ops
->type
->release_ops(expr_info
[i
].ops
);
3490 static struct nft_rule
*nft_rule_lookup_byid(const struct net
*net
,
3491 const struct nlattr
*nla
)
3493 struct nftables_pernet
*nft_net
= nft_pernet(net
);
3494 u32 id
= ntohl(nla_get_be32(nla
));
3495 struct nft_trans
*trans
;
3497 list_for_each_entry(trans
, &nft_net
->commit_list
, list
) {
3498 struct nft_rule
*rule
= nft_trans_rule(trans
);
3500 if (trans
->msg_type
== NFT_MSG_NEWRULE
&&
3501 id
== nft_trans_rule_id(trans
))
3504 return ERR_PTR(-ENOENT
);
3507 static int nf_tables_delrule(struct sk_buff
*skb
, const struct nfnl_info
*info
,
3508 const struct nlattr
* const nla
[])
3510 struct netlink_ext_ack
*extack
= info
->extack
;
3511 u8 genmask
= nft_genmask_next(info
->net
);
3512 u8 family
= info
->nfmsg
->nfgen_family
;
3513 struct nft_chain
*chain
= NULL
;
3514 struct net
*net
= info
->net
;
3515 struct nft_table
*table
;
3516 struct nft_rule
*rule
;
3520 table
= nft_table_lookup(net
, nla
[NFTA_RULE_TABLE
], family
, genmask
,
3521 NETLINK_CB(skb
).portid
);
3522 if (IS_ERR(table
)) {
3523 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_TABLE
]);
3524 return PTR_ERR(table
);
3527 if (nla
[NFTA_RULE_CHAIN
]) {
3528 chain
= nft_chain_lookup(net
, table
, nla
[NFTA_RULE_CHAIN
],
3530 if (IS_ERR(chain
)) {
3531 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_CHAIN
]);
3532 return PTR_ERR(chain
);
3534 if (nft_chain_is_bound(chain
))
3538 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, chain
, nla
);
3541 if (nla
[NFTA_RULE_HANDLE
]) {
3542 rule
= nft_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
3544 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_HANDLE
]);
3545 return PTR_ERR(rule
);
3548 err
= nft_delrule(&ctx
, rule
);
3549 } else if (nla
[NFTA_RULE_ID
]) {
3550 rule
= nft_rule_lookup_byid(net
, nla
[NFTA_RULE_ID
]);
3552 NL_SET_BAD_ATTR(extack
, nla
[NFTA_RULE_ID
]);
3553 return PTR_ERR(rule
);
3556 err
= nft_delrule(&ctx
, rule
);
3558 err
= nft_delrule_by_chain(&ctx
);
3561 list_for_each_entry(chain
, &table
->chains
, list
) {
3562 if (!nft_is_active_next(net
, chain
))
3566 err
= nft_delrule_by_chain(&ctx
);
3578 static const struct nft_set_type
*nft_set_types
[] = {
3579 &nft_set_hash_fast_type
,
3581 &nft_set_rhash_type
,
3582 &nft_set_bitmap_type
,
3583 &nft_set_rbtree_type
,
3584 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3585 &nft_set_pipapo_avx2_type
,
3587 &nft_set_pipapo_type
,
3590 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3591 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3594 static bool nft_set_ops_candidate(const struct nft_set_type
*type
, u32 flags
)
3596 return (flags
& type
->features
) == (flags
& NFT_SET_FEATURES
);
3600 * Select a set implementation based on the data characteristics and the
3601 * given policy. The total memory use might not be known if no size is
3602 * given, in that case the amount of memory per element is used.
3604 static const struct nft_set_ops
*
3605 nft_select_set_ops(const struct nft_ctx
*ctx
,
3606 const struct nlattr
* const nla
[],
3607 const struct nft_set_desc
*desc
,
3608 enum nft_set_policies policy
)
3610 struct nftables_pernet
*nft_net
= nft_pernet(ctx
->net
);
3611 const struct nft_set_ops
*ops
, *bops
;
3612 struct nft_set_estimate est
, best
;
3613 const struct nft_set_type
*type
;
3617 lockdep_assert_held(&nft_net
->commit_mutex
);
3618 lockdep_nfnl_nft_mutex_not_held();
3620 if (nla
[NFTA_SET_FLAGS
] != NULL
)
3621 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
3628 for (i
= 0; i
< ARRAY_SIZE(nft_set_types
); i
++) {
3629 type
= nft_set_types
[i
];
3632 if (!nft_set_ops_candidate(type
, flags
))
3634 if (!ops
->estimate(desc
, flags
, &est
))
3638 case NFT_SET_POL_PERFORMANCE
:
3639 if (est
.lookup
< best
.lookup
)
3641 if (est
.lookup
== best
.lookup
&&
3642 est
.space
< best
.space
)
3645 case NFT_SET_POL_MEMORY
:
3647 if (est
.space
< best
.space
)
3649 if (est
.space
== best
.space
&&
3650 est
.lookup
< best
.lookup
)
3652 } else if (est
.size
< best
.size
|| !bops
) {
3667 return ERR_PTR(-EOPNOTSUPP
);
3670 static const struct nla_policy nft_set_policy
[NFTA_SET_MAX
+ 1] = {
3671 [NFTA_SET_TABLE
] = { .type
= NLA_STRING
,
3672 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
3673 [NFTA_SET_NAME
] = { .type
= NLA_STRING
,
3674 .len
= NFT_SET_MAXNAMELEN
- 1 },
3675 [NFTA_SET_FLAGS
] = { .type
= NLA_U32
},
3676 [NFTA_SET_KEY_TYPE
] = { .type
= NLA_U32
},
3677 [NFTA_SET_KEY_LEN
] = { .type
= NLA_U32
},
3678 [NFTA_SET_DATA_TYPE
] = { .type
= NLA_U32
},
3679 [NFTA_SET_DATA_LEN
] = { .type
= NLA_U32
},
3680 [NFTA_SET_POLICY
] = { .type
= NLA_U32
},
3681 [NFTA_SET_DESC
] = { .type
= NLA_NESTED
},
3682 [NFTA_SET_ID
] = { .type
= NLA_U32
},
3683 [NFTA_SET_TIMEOUT
] = { .type
= NLA_U64
},
3684 [NFTA_SET_GC_INTERVAL
] = { .type
= NLA_U32
},
3685 [NFTA_SET_USERDATA
] = { .type
= NLA_BINARY
,
3686 .len
= NFT_USERDATA_MAXLEN
},
3687 [NFTA_SET_OBJ_TYPE
] = { .type
= NLA_U32
},
3688 [NFTA_SET_HANDLE
] = { .type
= NLA_U64
},
3689 [NFTA_SET_EXPR
] = { .type
= NLA_NESTED
},
3690 [NFTA_SET_EXPRESSIONS
] = { .type
= NLA_NESTED
},
3693 static const struct nla_policy nft_set_desc_policy
[NFTA_SET_DESC_MAX
+ 1] = {
3694 [NFTA_SET_DESC_SIZE
] = { .type
= NLA_U32
},
3695 [NFTA_SET_DESC_CONCAT
] = { .type
= NLA_NESTED
},
3698 static struct nft_set
*nft_set_lookup(const struct nft_table
*table
,
3699 const struct nlattr
*nla
, u8 genmask
)
3701 struct nft_set
*set
;
3704 return ERR_PTR(-EINVAL
);
3706 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
3707 if (!nla_strcmp(nla
, set
->name
) &&
3708 nft_active_genmask(set
, genmask
))
3711 return ERR_PTR(-ENOENT
);
3714 static struct nft_set
*nft_set_lookup_byhandle(const struct nft_table
*table
,
3715 const struct nlattr
*nla
,
3718 struct nft_set
*set
;
3720 list_for_each_entry(set
, &table
->sets
, list
) {
3721 if (be64_to_cpu(nla_get_be64(nla
)) == set
->handle
&&
3722 nft_active_genmask(set
, genmask
))
3725 return ERR_PTR(-ENOENT
);
3728 static struct nft_set
*nft_set_lookup_byid(const struct net
*net
,
3729 const struct nlattr
*nla
, u8 genmask
)
3731 struct nftables_pernet
*nft_net
= nft_pernet(net
);
3732 u32 id
= ntohl(nla_get_be32(nla
));
3733 struct nft_trans
*trans
;
3735 list_for_each_entry(trans
, &nft_net
->commit_list
, list
) {
3736 if (trans
->msg_type
== NFT_MSG_NEWSET
) {
3737 struct nft_set
*set
= nft_trans_set(trans
);
3739 if (id
== nft_trans_set_id(trans
) &&
3740 nft_active_genmask(set
, genmask
))
3744 return ERR_PTR(-ENOENT
);
3747 struct nft_set
*nft_set_lookup_global(const struct net
*net
,
3748 const struct nft_table
*table
,
3749 const struct nlattr
*nla_set_name
,
3750 const struct nlattr
*nla_set_id
,
3753 struct nft_set
*set
;
3755 set
= nft_set_lookup(table
, nla_set_name
, genmask
);
3760 set
= nft_set_lookup_byid(net
, nla_set_id
, genmask
);
3764 EXPORT_SYMBOL_GPL(nft_set_lookup_global
);
3766 static int nf_tables_set_alloc_name(struct nft_ctx
*ctx
, struct nft_set
*set
,
3769 const struct nft_set
*i
;
3771 unsigned long *inuse
;
3772 unsigned int n
= 0, min
= 0;
3774 p
= strchr(name
, '%');
3776 if (p
[1] != 'd' || strchr(p
+ 2, '%'))
3779 inuse
= (unsigned long *)get_zeroed_page(GFP_KERNEL
);
3783 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
3786 if (!nft_is_active_next(ctx
->net
, set
))
3788 if (!sscanf(i
->name
, name
, &tmp
))
3790 if (tmp
< min
|| tmp
>= min
+ BITS_PER_BYTE
* PAGE_SIZE
)
3793 set_bit(tmp
- min
, inuse
);
3796 n
= find_first_zero_bit(inuse
, BITS_PER_BYTE
* PAGE_SIZE
);
3797 if (n
>= BITS_PER_BYTE
* PAGE_SIZE
) {
3798 min
+= BITS_PER_BYTE
* PAGE_SIZE
;
3799 memset(inuse
, 0, PAGE_SIZE
);
3802 free_page((unsigned long)inuse
);
3805 set
->name
= kasprintf(GFP_KERNEL
, name
, min
+ n
);
3809 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
3810 if (!nft_is_active_next(ctx
->net
, i
))
3812 if (!strcmp(set
->name
, i
->name
)) {
3821 int nf_msecs_to_jiffies64(const struct nlattr
*nla
, u64
*result
)
3823 u64 ms
= be64_to_cpu(nla_get_be64(nla
));
3824 u64 max
= (u64
)(~((u64
)0));
3826 max
= div_u64(max
, NSEC_PER_MSEC
);
3830 ms
*= NSEC_PER_MSEC
;
3831 *result
= nsecs_to_jiffies64(ms
);
3835 __be64
nf_jiffies64_to_msecs(u64 input
)
3837 return cpu_to_be64(jiffies64_to_msecs(input
));
3840 static int nf_tables_fill_set_concat(struct sk_buff
*skb
,
3841 const struct nft_set
*set
)
3843 struct nlattr
*concat
, *field
;
3846 concat
= nla_nest_start_noflag(skb
, NFTA_SET_DESC_CONCAT
);
3850 for (i
= 0; i
< set
->field_count
; i
++) {
3851 field
= nla_nest_start_noflag(skb
, NFTA_LIST_ELEM
);
3855 if (nla_put_be32(skb
, NFTA_SET_FIELD_LEN
,
3856 htonl(set
->field_len
[i
])))
3859 nla_nest_end(skb
, field
);
3862 nla_nest_end(skb
, concat
);
3867 static int nf_tables_fill_set(struct sk_buff
*skb
, const struct nft_ctx
*ctx
,
3868 const struct nft_set
*set
, u16 event
, u16 flags
)
3870 struct nlmsghdr
*nlh
;
3871 u32 portid
= ctx
->portid
;
3872 struct nlattr
*nest
;
3876 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
3877 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, ctx
->family
,
3878 NFNETLINK_V0
, nft_base_seq(ctx
->net
));
3880 goto nla_put_failure
;
3882 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
3883 goto nla_put_failure
;
3884 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
3885 goto nla_put_failure
;
3886 if (nla_put_be64(skb
, NFTA_SET_HANDLE
, cpu_to_be64(set
->handle
),
3888 goto nla_put_failure
;
3889 if (set
->flags
!= 0)
3890 if (nla_put_be32(skb
, NFTA_SET_FLAGS
, htonl(set
->flags
)))
3891 goto nla_put_failure
;
3893 if (nla_put_be32(skb
, NFTA_SET_KEY_TYPE
, htonl(set
->ktype
)))
3894 goto nla_put_failure
;
3895 if (nla_put_be32(skb
, NFTA_SET_KEY_LEN
, htonl(set
->klen
)))
3896 goto nla_put_failure
;
3897 if (set
->flags
& NFT_SET_MAP
) {
3898 if (nla_put_be32(skb
, NFTA_SET_DATA_TYPE
, htonl(set
->dtype
)))
3899 goto nla_put_failure
;
3900 if (nla_put_be32(skb
, NFTA_SET_DATA_LEN
, htonl(set
->dlen
)))
3901 goto nla_put_failure
;
3903 if (set
->flags
& NFT_SET_OBJECT
&&
3904 nla_put_be32(skb
, NFTA_SET_OBJ_TYPE
, htonl(set
->objtype
)))
3905 goto nla_put_failure
;
3908 nla_put_be64(skb
, NFTA_SET_TIMEOUT
,
3909 nf_jiffies64_to_msecs(set
->timeout
),
3911 goto nla_put_failure
;
3913 nla_put_be32(skb
, NFTA_SET_GC_INTERVAL
, htonl(set
->gc_int
)))
3914 goto nla_put_failure
;
3916 if (set
->policy
!= NFT_SET_POL_PERFORMANCE
) {
3917 if (nla_put_be32(skb
, NFTA_SET_POLICY
, htonl(set
->policy
)))
3918 goto nla_put_failure
;
3922 nla_put(skb
, NFTA_SET_USERDATA
, set
->udlen
, set
->udata
))
3923 goto nla_put_failure
;
3925 nest
= nla_nest_start_noflag(skb
, NFTA_SET_DESC
);
3927 goto nla_put_failure
;
3929 nla_put_be32(skb
, NFTA_SET_DESC_SIZE
, htonl(set
->size
)))
3930 goto nla_put_failure
;
3932 if (set
->field_count
> 1 &&
3933 nf_tables_fill_set_concat(skb
, set
))
3934 goto nla_put_failure
;
3936 nla_nest_end(skb
, nest
);
3938 if (set
->num_exprs
== 1) {
3939 nest
= nla_nest_start_noflag(skb
, NFTA_SET_EXPR
);
3940 if (nf_tables_fill_expr_info(skb
, set
->exprs
[0]) < 0)
3941 goto nla_put_failure
;
3943 nla_nest_end(skb
, nest
);
3944 } else if (set
->num_exprs
> 1) {
3945 nest
= nla_nest_start_noflag(skb
, NFTA_SET_EXPRESSIONS
);
3947 goto nla_put_failure
;
3949 for (i
= 0; i
< set
->num_exprs
; i
++) {
3950 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
,
3952 goto nla_put_failure
;
3954 nla_nest_end(skb
, nest
);
3957 nlmsg_end(skb
, nlh
);
3961 nlmsg_trim(skb
, nlh
);
3965 static void nf_tables_set_notify(const struct nft_ctx
*ctx
,
3966 const struct nft_set
*set
, int event
,
3969 struct nftables_pernet
*nft_net
= nft_pernet(ctx
->net
);
3970 u32 portid
= ctx
->portid
;
3971 struct sk_buff
*skb
;
3976 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
3979 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp_flags
);
3983 if (ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
))
3984 flags
|= ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
);
3986 err
= nf_tables_fill_set(skb
, ctx
, set
, event
, flags
);
3992 nft_notify_enqueue(skb
, ctx
->report
, &nft_net
->notify_list
);
3995 nfnetlink_set_err(ctx
->net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
3998 static int nf_tables_dump_sets(struct sk_buff
*skb
, struct netlink_callback
*cb
)
4000 const struct nft_set
*set
;
4001 unsigned int idx
, s_idx
= cb
->args
[0];
4002 struct nft_table
*table
, *cur_table
= (struct nft_table
*)cb
->args
[2];
4003 struct net
*net
= sock_net(skb
->sk
);
4004 struct nft_ctx
*ctx
= cb
->data
, ctx_set
;
4005 struct nftables_pernet
*nft_net
;
4011 nft_net
= nft_pernet(net
);
4012 cb
->seq
= nft_net
->base_seq
;
4014 list_for_each_entry_rcu(table
, &nft_net
->tables
, list
) {
4015 if (ctx
->family
!= NFPROTO_UNSPEC
&&
4016 ctx
->family
!= table
->family
)
4019 if (ctx
->table
&& ctx
->table
!= table
)
4023 if (cur_table
!= table
)
4029 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
4032 if (!nft_is_active(net
, set
))
4036 ctx_set
.table
= table
;
4037 ctx_set
.family
= table
->family
;
4039 if (nf_tables_fill_set(skb
, &ctx_set
, set
,
4043 cb
->args
[2] = (unsigned long) table
;
4046 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
4059 static int nf_tables_dump_sets_start(struct netlink_callback
*cb
)
4061 struct nft_ctx
*ctx_dump
= NULL
;
4063 ctx_dump
= kmemdup(cb
->data
, sizeof(*ctx_dump
), GFP_ATOMIC
);
4064 if (ctx_dump
== NULL
)
4067 cb
->data
= ctx_dump
;
4071 static int nf_tables_dump_sets_done(struct netlink_callback
*cb
)
4077 /* called with rcu_read_lock held */
4078 static int nf_tables_getset(struct sk_buff
*skb
, const struct nfnl_info
*info
,
4079 const struct nlattr
* const nla
[])
4081 struct netlink_ext_ack
*extack
= info
->extack
;
4082 u8 genmask
= nft_genmask_cur(info
->net
);
4083 u8 family
= info
->nfmsg
->nfgen_family
;
4084 struct nft_table
*table
= NULL
;
4085 struct net
*net
= info
->net
;
4086 const struct nft_set
*set
;
4087 struct sk_buff
*skb2
;
4091 if (nla
[NFTA_SET_TABLE
]) {
4092 table
= nft_table_lookup(net
, nla
[NFTA_SET_TABLE
], family
,
4094 if (IS_ERR(table
)) {
4095 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_TABLE
]);
4096 return PTR_ERR(table
);
4100 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
4102 if (info
->nlh
->nlmsg_flags
& NLM_F_DUMP
) {
4103 struct netlink_dump_control c
= {
4104 .start
= nf_tables_dump_sets_start
,
4105 .dump
= nf_tables_dump_sets
,
4106 .done
= nf_tables_dump_sets_done
,
4108 .module
= THIS_MODULE
,
4111 return nft_netlink_dump_start_rcu(info
->sk
, skb
, info
->nlh
, &c
);
4114 /* Only accept unspec with dump */
4115 if (info
->nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
4116 return -EAFNOSUPPORT
;
4117 if (!nla
[NFTA_SET_TABLE
])
4120 set
= nft_set_lookup(table
, nla
[NFTA_SET_NAME
], genmask
);
4122 return PTR_ERR(set
);
4124 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
4128 err
= nf_tables_fill_set(skb2
, &ctx
, set
, NFT_MSG_NEWSET
, 0);
4130 goto err_fill_set_info
;
4132 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
4139 static const struct nla_policy nft_concat_policy
[NFTA_SET_FIELD_MAX
+ 1] = {
4140 [NFTA_SET_FIELD_LEN
] = { .type
= NLA_U32
},
4143 static int nft_set_desc_concat_parse(const struct nlattr
*attr
,
4144 struct nft_set_desc
*desc
)
4146 struct nlattr
*tb
[NFTA_SET_FIELD_MAX
+ 1];
4150 err
= nla_parse_nested_deprecated(tb
, NFTA_SET_FIELD_MAX
, attr
,
4151 nft_concat_policy
, NULL
);
4155 if (!tb
[NFTA_SET_FIELD_LEN
])
4158 len
= ntohl(nla_get_be32(tb
[NFTA_SET_FIELD_LEN
]));
4160 if (len
* BITS_PER_BYTE
/ 32 > NFT_REG32_COUNT
)
4163 desc
->field_len
[desc
->field_count
++] = len
;
4168 static int nft_set_desc_concat(struct nft_set_desc
*desc
,
4169 const struct nlattr
*nla
)
4171 struct nlattr
*attr
;
4174 nla_for_each_nested(attr
, nla
, rem
) {
4175 if (nla_type(attr
) != NFTA_LIST_ELEM
)
4178 err
= nft_set_desc_concat_parse(attr
, desc
);
4186 static int nf_tables_set_desc_parse(struct nft_set_desc
*desc
,
4187 const struct nlattr
*nla
)
4189 struct nlattr
*da
[NFTA_SET_DESC_MAX
+ 1];
4192 err
= nla_parse_nested_deprecated(da
, NFTA_SET_DESC_MAX
, nla
,
4193 nft_set_desc_policy
, NULL
);
4197 if (da
[NFTA_SET_DESC_SIZE
] != NULL
)
4198 desc
->size
= ntohl(nla_get_be32(da
[NFTA_SET_DESC_SIZE
]));
4199 if (da
[NFTA_SET_DESC_CONCAT
])
4200 err
= nft_set_desc_concat(desc
, da
[NFTA_SET_DESC_CONCAT
]);
4205 static int nf_tables_newset(struct sk_buff
*skb
, const struct nfnl_info
*info
,
4206 const struct nlattr
* const nla
[])
4208 u32 ktype
, dtype
, flags
, policy
, gc_int
, objtype
;
4209 struct netlink_ext_ack
*extack
= info
->extack
;
4210 u8 genmask
= nft_genmask_next(info
->net
);
4211 u8 family
= info
->nfmsg
->nfgen_family
;
4212 const struct nft_set_ops
*ops
;
4213 struct nft_expr
*expr
= NULL
;
4214 struct net
*net
= info
->net
;
4215 struct nft_set_desc desc
;
4216 struct nft_table
*table
;
4217 unsigned char *udata
;
4218 struct nft_set
*set
;
4227 if (nla
[NFTA_SET_TABLE
] == NULL
||
4228 nla
[NFTA_SET_NAME
] == NULL
||
4229 nla
[NFTA_SET_KEY_LEN
] == NULL
||
4230 nla
[NFTA_SET_ID
] == NULL
)
4233 memset(&desc
, 0, sizeof(desc
));
4235 ktype
= NFT_DATA_VALUE
;
4236 if (nla
[NFTA_SET_KEY_TYPE
] != NULL
) {
4237 ktype
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_TYPE
]));
4238 if ((ktype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
)
4242 desc
.klen
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_LEN
]));
4243 if (desc
.klen
== 0 || desc
.klen
> NFT_DATA_VALUE_MAXLEN
)
4247 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
4248 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
4249 if (flags
& ~(NFT_SET_ANONYMOUS
| NFT_SET_CONSTANT
|
4250 NFT_SET_INTERVAL
| NFT_SET_TIMEOUT
|
4251 NFT_SET_MAP
| NFT_SET_EVAL
|
4252 NFT_SET_OBJECT
| NFT_SET_CONCAT
| NFT_SET_EXPR
))
4254 /* Only one of these operations is supported */
4255 if ((flags
& (NFT_SET_MAP
| NFT_SET_OBJECT
)) ==
4256 (NFT_SET_MAP
| NFT_SET_OBJECT
))
4258 if ((flags
& (NFT_SET_EVAL
| NFT_SET_OBJECT
)) ==
4259 (NFT_SET_EVAL
| NFT_SET_OBJECT
))
4264 if (nla
[NFTA_SET_DATA_TYPE
] != NULL
) {
4265 if (!(flags
& NFT_SET_MAP
))
4268 dtype
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_TYPE
]));
4269 if ((dtype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
&&
4270 dtype
!= NFT_DATA_VERDICT
)
4273 if (dtype
!= NFT_DATA_VERDICT
) {
4274 if (nla
[NFTA_SET_DATA_LEN
] == NULL
)
4276 desc
.dlen
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_LEN
]));
4277 if (desc
.dlen
== 0 || desc
.dlen
> NFT_DATA_VALUE_MAXLEN
)
4280 desc
.dlen
= sizeof(struct nft_verdict
);
4281 } else if (flags
& NFT_SET_MAP
)
4284 if (nla
[NFTA_SET_OBJ_TYPE
] != NULL
) {
4285 if (!(flags
& NFT_SET_OBJECT
))
4288 objtype
= ntohl(nla_get_be32(nla
[NFTA_SET_OBJ_TYPE
]));
4289 if (objtype
== NFT_OBJECT_UNSPEC
||
4290 objtype
> NFT_OBJECT_MAX
)
4292 } else if (flags
& NFT_SET_OBJECT
)
4295 objtype
= NFT_OBJECT_UNSPEC
;
4298 if (nla
[NFTA_SET_TIMEOUT
] != NULL
) {
4299 if (!(flags
& NFT_SET_TIMEOUT
))
4302 err
= nf_msecs_to_jiffies64(nla
[NFTA_SET_TIMEOUT
], &timeout
);
4307 if (nla
[NFTA_SET_GC_INTERVAL
] != NULL
) {
4308 if (!(flags
& NFT_SET_TIMEOUT
))
4310 gc_int
= ntohl(nla_get_be32(nla
[NFTA_SET_GC_INTERVAL
]));
4313 policy
= NFT_SET_POL_PERFORMANCE
;
4314 if (nla
[NFTA_SET_POLICY
] != NULL
)
4315 policy
= ntohl(nla_get_be32(nla
[NFTA_SET_POLICY
]));
4317 if (nla
[NFTA_SET_DESC
] != NULL
) {
4318 err
= nf_tables_set_desc_parse(&desc
, nla
[NFTA_SET_DESC
]);
4323 if (nla
[NFTA_SET_EXPR
] || nla
[NFTA_SET_EXPRESSIONS
])
4326 table
= nft_table_lookup(net
, nla
[NFTA_SET_TABLE
], family
, genmask
,
4327 NETLINK_CB(skb
).portid
);
4328 if (IS_ERR(table
)) {
4329 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_TABLE
]);
4330 return PTR_ERR(table
);
4333 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
4335 set
= nft_set_lookup(table
, nla
[NFTA_SET_NAME
], genmask
);
4337 if (PTR_ERR(set
) != -ENOENT
) {
4338 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_NAME
]);
4339 return PTR_ERR(set
);
4342 if (info
->nlh
->nlmsg_flags
& NLM_F_EXCL
) {
4343 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_NAME
]);
4346 if (info
->nlh
->nlmsg_flags
& NLM_F_REPLACE
)
4352 if (!(info
->nlh
->nlmsg_flags
& NLM_F_CREATE
))
4355 ops
= nft_select_set_ops(&ctx
, nla
, &desc
, policy
);
4357 return PTR_ERR(ops
);
4360 if (nla
[NFTA_SET_USERDATA
])
4361 udlen
= nla_len(nla
[NFTA_SET_USERDATA
]);
4364 if (ops
->privsize
!= NULL
)
4365 size
= ops
->privsize(nla
, &desc
);
4366 alloc_size
= sizeof(*set
) + size
+ udlen
;
4367 if (alloc_size
< size
|| alloc_size
> INT_MAX
)
4369 set
= kvzalloc(alloc_size
, GFP_KERNEL
);
4373 name
= nla_strdup(nla
[NFTA_SET_NAME
], GFP_KERNEL
);
4379 err
= nf_tables_set_alloc_name(&ctx
, set
, name
);
4386 udata
= set
->data
+ size
;
4387 nla_memcpy(udata
, nla
[NFTA_SET_USERDATA
], udlen
);
4390 INIT_LIST_HEAD(&set
->bindings
);
4391 INIT_LIST_HEAD(&set
->catchall_list
);
4393 write_pnet(&set
->net
, net
);
4396 set
->klen
= desc
.klen
;
4398 set
->objtype
= objtype
;
4399 set
->dlen
= desc
.dlen
;
4401 set
->size
= desc
.size
;
4402 set
->policy
= policy
;
4405 set
->timeout
= timeout
;
4406 set
->gc_int
= gc_int
;
4408 set
->field_count
= desc
.field_count
;
4409 for (i
= 0; i
< desc
.field_count
; i
++)
4410 set
->field_len
[i
] = desc
.field_len
[i
];
4412 err
= ops
->init(set
, &desc
, nla
);
4416 if (nla
[NFTA_SET_EXPR
]) {
4417 expr
= nft_set_elem_expr_alloc(&ctx
, set
, nla
[NFTA_SET_EXPR
]);
4419 err
= PTR_ERR(expr
);
4420 goto err_set_expr_alloc
;
4422 set
->exprs
[0] = expr
;
4424 } else if (nla
[NFTA_SET_EXPRESSIONS
]) {
4425 struct nft_expr
*expr
;
4429 if (!(flags
& NFT_SET_EXPR
)) {
4431 goto err_set_expr_alloc
;
4434 nla_for_each_nested(tmp
, nla
[NFTA_SET_EXPRESSIONS
], left
) {
4435 if (i
== NFT_SET_EXPR_MAX
) {
4437 goto err_set_expr_alloc
;
4439 if (nla_type(tmp
) != NFTA_LIST_ELEM
) {
4441 goto err_set_expr_alloc
;
4443 expr
= nft_set_elem_expr_alloc(&ctx
, set
, tmp
);
4445 err
= PTR_ERR(expr
);
4446 goto err_set_expr_alloc
;
4448 set
->exprs
[i
++] = expr
;
4453 set
->handle
= nf_tables_alloc_handle(table
);
4455 err
= nft_trans_set_add(&ctx
, NFT_MSG_NEWSET
, set
);
4457 goto err_set_expr_alloc
;
4459 list_add_tail_rcu(&set
->list
, &table
->sets
);
4464 for (i
= 0; i
< set
->num_exprs
; i
++)
4465 nft_expr_destroy(&ctx
, set
->exprs
[i
]);
4475 struct nft_set_elem_catchall
{
4476 struct list_head list
;
4477 struct rcu_head rcu
;
4481 static void nft_set_catchall_destroy(const struct nft_ctx
*ctx
,
4482 struct nft_set
*set
)
4484 struct nft_set_elem_catchall
*catchall
;
4486 list_for_each_entry_rcu(catchall
, &set
->catchall_list
, list
) {
4487 list_del_rcu(&catchall
->list
);
4488 nft_set_elem_destroy(set
, catchall
->elem
, true);
4489 kfree_rcu(catchall
);
4493 static void nft_set_destroy(const struct nft_ctx
*ctx
, struct nft_set
*set
)
4497 if (WARN_ON(set
->use
> 0))
4500 for (i
= 0; i
< set
->num_exprs
; i
++)
4501 nft_expr_destroy(ctx
, set
->exprs
[i
]);
4503 set
->ops
->destroy(set
);
4504 nft_set_catchall_destroy(ctx
, set
);
4509 static int nf_tables_delset(struct sk_buff
*skb
, const struct nfnl_info
*info
,
4510 const struct nlattr
* const nla
[])
4512 struct netlink_ext_ack
*extack
= info
->extack
;
4513 u8 genmask
= nft_genmask_next(info
->net
);
4514 u8 family
= info
->nfmsg
->nfgen_family
;
4515 struct net
*net
= info
->net
;
4516 const struct nlattr
*attr
;
4517 struct nft_table
*table
;
4518 struct nft_set
*set
;
4521 if (info
->nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
4522 return -EAFNOSUPPORT
;
4524 table
= nft_table_lookup(net
, nla
[NFTA_SET_TABLE
], family
,
4525 genmask
, NETLINK_CB(skb
).portid
);
4526 if (IS_ERR(table
)) {
4527 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_TABLE
]);
4528 return PTR_ERR(table
);
4531 if (nla
[NFTA_SET_HANDLE
]) {
4532 attr
= nla
[NFTA_SET_HANDLE
];
4533 set
= nft_set_lookup_byhandle(table
, attr
, genmask
);
4535 attr
= nla
[NFTA_SET_NAME
];
4536 set
= nft_set_lookup(table
, attr
, genmask
);
4540 NL_SET_BAD_ATTR(extack
, attr
);
4541 return PTR_ERR(set
);
4544 (info
->nlh
->nlmsg_flags
& NLM_F_NONREC
&&
4545 atomic_read(&set
->nelems
) > 0)) {
4546 NL_SET_BAD_ATTR(extack
, attr
);
4550 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
4552 return nft_delset(&ctx
, set
);
4555 static int nft_validate_register_store(const struct nft_ctx
*ctx
,
4556 enum nft_registers reg
,
4557 const struct nft_data
*data
,
4558 enum nft_data_types type
,
4561 static int nft_setelem_data_validate(const struct nft_ctx
*ctx
,
4562 struct nft_set
*set
,
4563 struct nft_set_elem
*elem
)
4565 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
4566 enum nft_registers dreg
;
4568 dreg
= nft_type_to_reg(set
->dtype
);
4569 return nft_validate_register_store(ctx
, dreg
, nft_set_ext_data(ext
),
4570 set
->dtype
== NFT_DATA_VERDICT
?
4571 NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
4575 static int nf_tables_bind_check_setelem(const struct nft_ctx
*ctx
,
4576 struct nft_set
*set
,
4577 const struct nft_set_iter
*iter
,
4578 struct nft_set_elem
*elem
)
4580 return nft_setelem_data_validate(ctx
, set
, elem
);
4583 static int nft_set_catchall_bind_check(const struct nft_ctx
*ctx
,
4584 struct nft_set
*set
)
4586 u8 genmask
= nft_genmask_next(ctx
->net
);
4587 struct nft_set_elem_catchall
*catchall
;
4588 struct nft_set_elem elem
;
4589 struct nft_set_ext
*ext
;
4592 list_for_each_entry_rcu(catchall
, &set
->catchall_list
, list
) {
4593 ext
= nft_set_elem_ext(set
, catchall
->elem
);
4594 if (!nft_set_elem_active(ext
, genmask
))
4597 elem
.priv
= catchall
->elem
;
4598 ret
= nft_setelem_data_validate(ctx
, set
, &elem
);
4606 int nf_tables_bind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
4607 struct nft_set_binding
*binding
)
4609 struct nft_set_binding
*i
;
4610 struct nft_set_iter iter
;
4612 if (set
->use
== UINT_MAX
)
4615 if (!list_empty(&set
->bindings
) && nft_set_is_anonymous(set
))
4618 if (binding
->flags
& NFT_SET_MAP
) {
4619 /* If the set is already bound to the same chain all
4620 * jumps are already validated for that chain.
4622 list_for_each_entry(i
, &set
->bindings
, list
) {
4623 if (i
->flags
& NFT_SET_MAP
&&
4624 i
->chain
== binding
->chain
)
4628 iter
.genmask
= nft_genmask_next(ctx
->net
);
4632 iter
.fn
= nf_tables_bind_check_setelem
;
4634 set
->ops
->walk(ctx
, set
, &iter
);
4636 iter
.err
= nft_set_catchall_bind_check(ctx
, set
);
4642 binding
->chain
= ctx
->chain
;
4643 list_add_tail_rcu(&binding
->list
, &set
->bindings
);
4644 nft_set_trans_bind(ctx
, set
);
4649 EXPORT_SYMBOL_GPL(nf_tables_bind_set
);
4651 static void nf_tables_unbind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
4652 struct nft_set_binding
*binding
, bool event
)
4654 list_del_rcu(&binding
->list
);
4656 if (list_empty(&set
->bindings
) && nft_set_is_anonymous(set
)) {
4657 list_del_rcu(&set
->list
);
4659 nf_tables_set_notify(ctx
, set
, NFT_MSG_DELSET
,
4664 void nf_tables_deactivate_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
4665 struct nft_set_binding
*binding
,
4666 enum nft_trans_phase phase
)
4669 case NFT_TRANS_PREPARE
:
4672 case NFT_TRANS_ABORT
:
4673 case NFT_TRANS_RELEASE
:
4677 nf_tables_unbind_set(ctx
, set
, binding
,
4678 phase
== NFT_TRANS_COMMIT
);
4681 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set
);
4683 void nf_tables_destroy_set(const struct nft_ctx
*ctx
, struct nft_set
*set
)
4685 if (list_empty(&set
->bindings
) && nft_set_is_anonymous(set
))
4686 nft_set_destroy(ctx
, set
);
4688 EXPORT_SYMBOL_GPL(nf_tables_destroy_set
);
4690 const struct nft_set_ext_type nft_set_ext_types
[] = {
4691 [NFT_SET_EXT_KEY
] = {
4692 .align
= __alignof__(u32
),
4694 [NFT_SET_EXT_DATA
] = {
4695 .align
= __alignof__(u32
),
4697 [NFT_SET_EXT_EXPRESSIONS
] = {
4698 .align
= __alignof__(struct nft_set_elem_expr
),
4700 [NFT_SET_EXT_OBJREF
] = {
4701 .len
= sizeof(struct nft_object
*),
4702 .align
= __alignof__(struct nft_object
*),
4704 [NFT_SET_EXT_FLAGS
] = {
4706 .align
= __alignof__(u8
),
4708 [NFT_SET_EXT_TIMEOUT
] = {
4710 .align
= __alignof__(u64
),
4712 [NFT_SET_EXT_EXPIRATION
] = {
4714 .align
= __alignof__(u64
),
4716 [NFT_SET_EXT_USERDATA
] = {
4717 .len
= sizeof(struct nft_userdata
),
4718 .align
= __alignof__(struct nft_userdata
),
4720 [NFT_SET_EXT_KEY_END
] = {
4721 .align
= __alignof__(u32
),
4729 static const struct nla_policy nft_set_elem_policy
[NFTA_SET_ELEM_MAX
+ 1] = {
4730 [NFTA_SET_ELEM_KEY
] = { .type
= NLA_NESTED
},
4731 [NFTA_SET_ELEM_DATA
] = { .type
= NLA_NESTED
},
4732 [NFTA_SET_ELEM_FLAGS
] = { .type
= NLA_U32
},
4733 [NFTA_SET_ELEM_TIMEOUT
] = { .type
= NLA_U64
},
4734 [NFTA_SET_ELEM_EXPIRATION
] = { .type
= NLA_U64
},
4735 [NFTA_SET_ELEM_USERDATA
] = { .type
= NLA_BINARY
,
4736 .len
= NFT_USERDATA_MAXLEN
},
4737 [NFTA_SET_ELEM_EXPR
] = { .type
= NLA_NESTED
},
4738 [NFTA_SET_ELEM_OBJREF
] = { .type
= NLA_STRING
,
4739 .len
= NFT_OBJ_MAXNAMELEN
- 1 },
4740 [NFTA_SET_ELEM_KEY_END
] = { .type
= NLA_NESTED
},
4741 [NFTA_SET_ELEM_EXPRESSIONS
] = { .type
= NLA_NESTED
},
4744 static const struct nla_policy nft_set_elem_list_policy
[NFTA_SET_ELEM_LIST_MAX
+ 1] = {
4745 [NFTA_SET_ELEM_LIST_TABLE
] = { .type
= NLA_STRING
,
4746 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
4747 [NFTA_SET_ELEM_LIST_SET
] = { .type
= NLA_STRING
,
4748 .len
= NFT_SET_MAXNAMELEN
- 1 },
4749 [NFTA_SET_ELEM_LIST_ELEMENTS
] = { .type
= NLA_NESTED
},
4750 [NFTA_SET_ELEM_LIST_SET_ID
] = { .type
= NLA_U32
},
4753 static int nft_set_elem_expr_dump(struct sk_buff
*skb
,
4754 const struct nft_set
*set
,
4755 const struct nft_set_ext
*ext
)
4757 struct nft_set_elem_expr
*elem_expr
;
4758 u32 size
, num_exprs
= 0;
4759 struct nft_expr
*expr
;
4760 struct nlattr
*nest
;
4762 elem_expr
= nft_set_ext_expr(ext
);
4763 nft_setelem_expr_foreach(expr
, elem_expr
, size
)
4766 if (num_exprs
== 1) {
4767 expr
= nft_setelem_expr_at(elem_expr
, 0);
4768 if (nft_expr_dump(skb
, NFTA_SET_ELEM_EXPR
, expr
) < 0)
4772 } else if (num_exprs
> 1) {
4773 nest
= nla_nest_start_noflag(skb
, NFTA_SET_ELEM_EXPRESSIONS
);
4775 goto nla_put_failure
;
4777 nft_setelem_expr_foreach(expr
, elem_expr
, size
) {
4778 expr
= nft_setelem_expr_at(elem_expr
, size
);
4779 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
, expr
) < 0)
4780 goto nla_put_failure
;
4782 nla_nest_end(skb
, nest
);
4790 static int nf_tables_fill_setelem(struct sk_buff
*skb
,
4791 const struct nft_set
*set
,
4792 const struct nft_set_elem
*elem
)
4794 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
4795 unsigned char *b
= skb_tail_pointer(skb
);
4796 struct nlattr
*nest
;
4798 nest
= nla_nest_start_noflag(skb
, NFTA_LIST_ELEM
);
4800 goto nla_put_failure
;
4802 if (nft_set_ext_exists(ext
, NFT_SET_EXT_KEY
) &&
4803 nft_data_dump(skb
, NFTA_SET_ELEM_KEY
, nft_set_ext_key(ext
),
4804 NFT_DATA_VALUE
, set
->klen
) < 0)
4805 goto nla_put_failure
;
4807 if (nft_set_ext_exists(ext
, NFT_SET_EXT_KEY_END
) &&
4808 nft_data_dump(skb
, NFTA_SET_ELEM_KEY_END
, nft_set_ext_key_end(ext
),
4809 NFT_DATA_VALUE
, set
->klen
) < 0)
4810 goto nla_put_failure
;
4812 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
4813 nft_data_dump(skb
, NFTA_SET_ELEM_DATA
, nft_set_ext_data(ext
),
4814 set
->dtype
== NFT_DATA_VERDICT
? NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
4816 goto nla_put_failure
;
4818 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPRESSIONS
) &&
4819 nft_set_elem_expr_dump(skb
, set
, ext
))
4820 goto nla_put_failure
;
4822 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) &&
4823 nla_put_string(skb
, NFTA_SET_ELEM_OBJREF
,
4824 (*nft_set_ext_obj(ext
))->key
.name
) < 0)
4825 goto nla_put_failure
;
4827 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
4828 nla_put_be32(skb
, NFTA_SET_ELEM_FLAGS
,
4829 htonl(*nft_set_ext_flags(ext
))))
4830 goto nla_put_failure
;
4832 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
) &&
4833 nla_put_be64(skb
, NFTA_SET_ELEM_TIMEOUT
,
4834 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext
)),
4836 goto nla_put_failure
;
4838 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
)) {
4839 u64 expires
, now
= get_jiffies_64();
4841 expires
= *nft_set_ext_expiration(ext
);
4842 if (time_before64(now
, expires
))
4847 if (nla_put_be64(skb
, NFTA_SET_ELEM_EXPIRATION
,
4848 nf_jiffies64_to_msecs(expires
),
4850 goto nla_put_failure
;
4853 if (nft_set_ext_exists(ext
, NFT_SET_EXT_USERDATA
)) {
4854 struct nft_userdata
*udata
;
4856 udata
= nft_set_ext_userdata(ext
);
4857 if (nla_put(skb
, NFTA_SET_ELEM_USERDATA
,
4858 udata
->len
+ 1, udata
->data
))
4859 goto nla_put_failure
;
4862 nla_nest_end(skb
, nest
);
4870 struct nft_set_dump_args
{
4871 const struct netlink_callback
*cb
;
4872 struct nft_set_iter iter
;
4873 struct sk_buff
*skb
;
4876 static int nf_tables_dump_setelem(const struct nft_ctx
*ctx
,
4877 struct nft_set
*set
,
4878 const struct nft_set_iter
*iter
,
4879 struct nft_set_elem
*elem
)
4881 struct nft_set_dump_args
*args
;
4883 args
= container_of(iter
, struct nft_set_dump_args
, iter
);
4884 return nf_tables_fill_setelem(args
->skb
, set
, elem
);
4887 struct nft_set_dump_ctx
{
4888 const struct nft_set
*set
;
4892 static int nft_set_catchall_dump(struct net
*net
, struct sk_buff
*skb
,
4893 const struct nft_set
*set
)
4895 struct nft_set_elem_catchall
*catchall
;
4896 u8 genmask
= nft_genmask_cur(net
);
4897 struct nft_set_elem elem
;
4898 struct nft_set_ext
*ext
;
4901 list_for_each_entry_rcu(catchall
, &set
->catchall_list
, list
) {
4902 ext
= nft_set_elem_ext(set
, catchall
->elem
);
4903 if (!nft_set_elem_active(ext
, genmask
) ||
4904 nft_set_elem_expired(ext
))
4907 elem
.priv
= catchall
->elem
;
4908 ret
= nf_tables_fill_setelem(skb
, set
, &elem
);
4915 static int nf_tables_dump_set(struct sk_buff
*skb
, struct netlink_callback
*cb
)
4917 struct nft_set_dump_ctx
*dump_ctx
= cb
->data
;
4918 struct net
*net
= sock_net(skb
->sk
);
4919 struct nftables_pernet
*nft_net
;
4920 struct nft_table
*table
;
4921 struct nft_set
*set
;
4922 struct nft_set_dump_args args
;
4923 bool set_found
= false;
4924 struct nlmsghdr
*nlh
;
4925 struct nlattr
*nest
;
4930 nft_net
= nft_pernet(net
);
4931 list_for_each_entry_rcu(table
, &nft_net
->tables
, list
) {
4932 if (dump_ctx
->ctx
.family
!= NFPROTO_UNSPEC
&&
4933 dump_ctx
->ctx
.family
!= table
->family
)
4936 if (table
!= dump_ctx
->ctx
.table
)
4939 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
4940 if (set
== dump_ctx
->set
) {
4953 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, NFT_MSG_NEWSETELEM
);
4954 portid
= NETLINK_CB(cb
->skb
).portid
;
4955 seq
= cb
->nlh
->nlmsg_seq
;
4957 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, NLM_F_MULTI
,
4958 table
->family
, NFNETLINK_V0
, nft_base_seq(net
));
4960 goto nla_put_failure
;
4962 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_TABLE
, table
->name
))
4963 goto nla_put_failure
;
4964 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_SET
, set
->name
))
4965 goto nla_put_failure
;
4967 nest
= nla_nest_start_noflag(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
4969 goto nla_put_failure
;
4973 args
.iter
.genmask
= nft_genmask_cur(net
);
4974 args
.iter
.skip
= cb
->args
[0];
4975 args
.iter
.count
= 0;
4977 args
.iter
.fn
= nf_tables_dump_setelem
;
4978 set
->ops
->walk(&dump_ctx
->ctx
, set
, &args
.iter
);
4980 if (!args
.iter
.err
&& args
.iter
.count
== cb
->args
[0])
4981 args
.iter
.err
= nft_set_catchall_dump(net
, skb
, set
);
4984 nla_nest_end(skb
, nest
);
4985 nlmsg_end(skb
, nlh
);
4987 if (args
.iter
.err
&& args
.iter
.err
!= -EMSGSIZE
)
4988 return args
.iter
.err
;
4989 if (args
.iter
.count
== cb
->args
[0])
4992 cb
->args
[0] = args
.iter
.count
;
5000 static int nf_tables_dump_set_start(struct netlink_callback
*cb
)
5002 struct nft_set_dump_ctx
*dump_ctx
= cb
->data
;
5004 cb
->data
= kmemdup(dump_ctx
, sizeof(*dump_ctx
), GFP_ATOMIC
);
5006 return cb
->data
? 0 : -ENOMEM
;
5009 static int nf_tables_dump_set_done(struct netlink_callback
*cb
)
5015 static int nf_tables_fill_setelem_info(struct sk_buff
*skb
,
5016 const struct nft_ctx
*ctx
, u32 seq
,
5017 u32 portid
, int event
, u16 flags
,
5018 const struct nft_set
*set
,
5019 const struct nft_set_elem
*elem
)
5021 struct nlmsghdr
*nlh
;
5022 struct nlattr
*nest
;
5025 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
5026 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, ctx
->family
,
5027 NFNETLINK_V0
, nft_base_seq(ctx
->net
));
5029 goto nla_put_failure
;
5031 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
5032 goto nla_put_failure
;
5033 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
5034 goto nla_put_failure
;
5036 nest
= nla_nest_start_noflag(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
5038 goto nla_put_failure
;
5040 err
= nf_tables_fill_setelem(skb
, set
, elem
);
5042 goto nla_put_failure
;
5044 nla_nest_end(skb
, nest
);
5046 nlmsg_end(skb
, nlh
);
5050 nlmsg_trim(skb
, nlh
);
5054 static int nft_setelem_parse_flags(const struct nft_set
*set
,
5055 const struct nlattr
*attr
, u32
*flags
)
5060 *flags
= ntohl(nla_get_be32(attr
));
5061 if (*flags
& ~(NFT_SET_ELEM_INTERVAL_END
| NFT_SET_ELEM_CATCHALL
))
5063 if (!(set
->flags
& NFT_SET_INTERVAL
) &&
5064 *flags
& NFT_SET_ELEM_INTERVAL_END
)
5070 static int nft_setelem_parse_key(struct nft_ctx
*ctx
, struct nft_set
*set
,
5071 struct nft_data
*key
, struct nlattr
*attr
)
5073 struct nft_data_desc desc
;
5076 err
= nft_data_init(ctx
, key
, NFT_DATA_VALUE_MAXLEN
, &desc
, attr
);
5080 if (desc
.type
!= NFT_DATA_VALUE
|| desc
.len
!= set
->klen
) {
5081 nft_data_release(key
, desc
.type
);
5088 static int nft_setelem_parse_data(struct nft_ctx
*ctx
, struct nft_set
*set
,
5089 struct nft_data_desc
*desc
,
5090 struct nft_data
*data
,
5091 struct nlattr
*attr
)
5095 err
= nft_data_init(ctx
, data
, NFT_DATA_VALUE_MAXLEN
, desc
, attr
);
5099 if (desc
->type
!= NFT_DATA_VERDICT
&& desc
->len
!= set
->dlen
) {
5100 nft_data_release(data
, desc
->type
);
5107 static void *nft_setelem_catchall_get(const struct net
*net
,
5108 const struct nft_set
*set
)
5110 struct nft_set_elem_catchall
*catchall
;
5111 u8 genmask
= nft_genmask_cur(net
);
5112 struct nft_set_ext
*ext
;
5115 list_for_each_entry_rcu(catchall
, &set
->catchall_list
, list
) {
5116 ext
= nft_set_elem_ext(set
, catchall
->elem
);
5117 if (!nft_set_elem_active(ext
, genmask
) ||
5118 nft_set_elem_expired(ext
))
5121 priv
= catchall
->elem
;
5128 static int nft_setelem_get(struct nft_ctx
*ctx
, struct nft_set
*set
,
5129 struct nft_set_elem
*elem
, u32 flags
)
5133 if (!(flags
& NFT_SET_ELEM_CATCHALL
)) {
5134 priv
= set
->ops
->get(ctx
->net
, set
, elem
, flags
);
5136 return PTR_ERR(priv
);
5138 priv
= nft_setelem_catchall_get(ctx
->net
, set
);
5147 static int nft_get_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
5148 const struct nlattr
*attr
)
5150 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
5151 struct nft_set_elem elem
;
5152 struct sk_buff
*skb
;
5156 err
= nla_parse_nested_deprecated(nla
, NFTA_SET_ELEM_MAX
, attr
,
5157 nft_set_elem_policy
, NULL
);
5161 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
5165 if (!nla
[NFTA_SET_ELEM_KEY
] && !(flags
& NFT_SET_ELEM_CATCHALL
))
5168 if (nla
[NFTA_SET_ELEM_KEY
]) {
5169 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key
.val
,
5170 nla
[NFTA_SET_ELEM_KEY
]);
5175 if (nla
[NFTA_SET_ELEM_KEY_END
]) {
5176 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key_end
.val
,
5177 nla
[NFTA_SET_ELEM_KEY_END
]);
5182 err
= nft_setelem_get(ctx
, set
, &elem
, flags
);
5187 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_ATOMIC
);
5191 err
= nf_tables_fill_setelem_info(skb
, ctx
, ctx
->seq
, ctx
->portid
,
5192 NFT_MSG_NEWSETELEM
, 0, set
, &elem
);
5194 goto err_fill_setelem
;
5196 return nfnetlink_unicast(skb
, ctx
->net
, ctx
->portid
);
5203 /* called with rcu_read_lock held */
5204 static int nf_tables_getsetelem(struct sk_buff
*skb
,
5205 const struct nfnl_info
*info
,
5206 const struct nlattr
* const nla
[])
5208 struct netlink_ext_ack
*extack
= info
->extack
;
5209 u8 genmask
= nft_genmask_cur(info
->net
);
5210 u8 family
= info
->nfmsg
->nfgen_family
;
5211 struct net
*net
= info
->net
;
5212 struct nft_table
*table
;
5213 struct nft_set
*set
;
5214 struct nlattr
*attr
;
5218 table
= nft_table_lookup(net
, nla
[NFTA_SET_ELEM_LIST_TABLE
], family
,
5219 genmask
, NETLINK_CB(skb
).portid
);
5220 if (IS_ERR(table
)) {
5221 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_ELEM_LIST_TABLE
]);
5222 return PTR_ERR(table
);
5225 set
= nft_set_lookup(table
, nla
[NFTA_SET_ELEM_LIST_SET
], genmask
);
5227 return PTR_ERR(set
);
5229 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
5231 if (info
->nlh
->nlmsg_flags
& NLM_F_DUMP
) {
5232 struct netlink_dump_control c
= {
5233 .start
= nf_tables_dump_set_start
,
5234 .dump
= nf_tables_dump_set
,
5235 .done
= nf_tables_dump_set_done
,
5236 .module
= THIS_MODULE
,
5238 struct nft_set_dump_ctx dump_ctx
= {
5244 return nft_netlink_dump_start_rcu(info
->sk
, skb
, info
->nlh
, &c
);
5247 if (!nla
[NFTA_SET_ELEM_LIST_ELEMENTS
])
5250 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
5251 err
= nft_get_set_elem(&ctx
, set
, attr
);
5259 static void nf_tables_setelem_notify(const struct nft_ctx
*ctx
,
5260 const struct nft_set
*set
,
5261 const struct nft_set_elem
*elem
,
5264 struct nftables_pernet
*nft_net
;
5265 struct net
*net
= ctx
->net
;
5266 u32 portid
= ctx
->portid
;
5267 struct sk_buff
*skb
;
5271 if (!ctx
->report
&& !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
5274 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
5278 if (ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
))
5279 flags
|= ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
);
5281 err
= nf_tables_fill_setelem_info(skb
, ctx
, 0, portid
, event
, flags
,
5288 nft_net
= nft_pernet(net
);
5289 nft_notify_enqueue(skb
, ctx
->report
, &nft_net
->notify_list
);
5292 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
5295 static struct nft_trans
*nft_trans_elem_alloc(struct nft_ctx
*ctx
,
5297 struct nft_set
*set
)
5299 struct nft_trans
*trans
;
5301 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_elem
));
5305 nft_trans_elem_set(trans
) = set
;
5309 struct nft_expr
*nft_set_elem_expr_alloc(const struct nft_ctx
*ctx
,
5310 const struct nft_set
*set
,
5311 const struct nlattr
*attr
)
5313 struct nft_expr
*expr
;
5316 expr
= nft_expr_init(ctx
, attr
);
5321 if (!(expr
->ops
->type
->flags
& NFT_EXPR_STATEFUL
))
5322 goto err_set_elem_expr
;
5324 if (expr
->ops
->type
->flags
& NFT_EXPR_GC
) {
5325 if (set
->flags
& NFT_SET_TIMEOUT
)
5326 goto err_set_elem_expr
;
5327 if (!set
->ops
->gc_init
)
5328 goto err_set_elem_expr
;
5329 set
->ops
->gc_init(set
);
5335 nft_expr_destroy(ctx
, expr
);
5336 return ERR_PTR(err
);
5339 void *nft_set_elem_init(const struct nft_set
*set
,
5340 const struct nft_set_ext_tmpl
*tmpl
,
5341 const u32
*key
, const u32
*key_end
,
5342 const u32
*data
, u64 timeout
, u64 expiration
, gfp_t gfp
)
5344 struct nft_set_ext
*ext
;
5347 elem
= kzalloc(set
->ops
->elemsize
+ tmpl
->len
, gfp
);
5351 ext
= nft_set_elem_ext(set
, elem
);
5352 nft_set_ext_init(ext
, tmpl
);
5354 if (nft_set_ext_exists(ext
, NFT_SET_EXT_KEY
))
5355 memcpy(nft_set_ext_key(ext
), key
, set
->klen
);
5356 if (nft_set_ext_exists(ext
, NFT_SET_EXT_KEY_END
))
5357 memcpy(nft_set_ext_key_end(ext
), key_end
, set
->klen
);
5358 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
5359 memcpy(nft_set_ext_data(ext
), data
, set
->dlen
);
5360 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
)) {
5361 *nft_set_ext_expiration(ext
) = get_jiffies_64() + expiration
;
5362 if (expiration
== 0)
5363 *nft_set_ext_expiration(ext
) += timeout
;
5365 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
))
5366 *nft_set_ext_timeout(ext
) = timeout
;
5371 static void __nft_set_elem_expr_destroy(const struct nft_ctx
*ctx
,
5372 struct nft_expr
*expr
)
5374 if (expr
->ops
->destroy_clone
) {
5375 expr
->ops
->destroy_clone(ctx
, expr
);
5376 module_put(expr
->ops
->type
->owner
);
5378 nf_tables_expr_destroy(ctx
, expr
);
5382 static void nft_set_elem_expr_destroy(const struct nft_ctx
*ctx
,
5383 struct nft_set_elem_expr
*elem_expr
)
5385 struct nft_expr
*expr
;
5388 nft_setelem_expr_foreach(expr
, elem_expr
, size
)
5389 __nft_set_elem_expr_destroy(ctx
, expr
);
5392 void nft_set_elem_destroy(const struct nft_set
*set
, void *elem
,
5395 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
5396 struct nft_ctx ctx
= {
5397 .net
= read_pnet(&set
->net
),
5398 .family
= set
->table
->family
,
5401 nft_data_release(nft_set_ext_key(ext
), NFT_DATA_VALUE
);
5402 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
5403 nft_data_release(nft_set_ext_data(ext
), set
->dtype
);
5404 if (destroy_expr
&& nft_set_ext_exists(ext
, NFT_SET_EXT_EXPRESSIONS
))
5405 nft_set_elem_expr_destroy(&ctx
, nft_set_ext_expr(ext
));
5407 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
5408 (*nft_set_ext_obj(ext
))->use
--;
5411 EXPORT_SYMBOL_GPL(nft_set_elem_destroy
);
5413 /* Only called from commit path, nft_setelem_data_deactivate() already deals
5414 * with the refcounting from the preparation phase.
5416 static void nf_tables_set_elem_destroy(const struct nft_ctx
*ctx
,
5417 const struct nft_set
*set
, void *elem
)
5419 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
5421 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPRESSIONS
))
5422 nft_set_elem_expr_destroy(ctx
, nft_set_ext_expr(ext
));
5427 int nft_set_elem_expr_clone(const struct nft_ctx
*ctx
, struct nft_set
*set
,
5428 struct nft_expr
*expr_array
[])
5430 struct nft_expr
*expr
;
5433 for (i
= 0; i
< set
->num_exprs
; i
++) {
5434 expr
= kzalloc(set
->exprs
[i
]->ops
->size
, GFP_KERNEL
);
5438 err
= nft_expr_clone(expr
, set
->exprs
[i
]);
5440 nft_expr_destroy(ctx
, expr
);
5443 expr_array
[i
] = expr
;
5449 for (k
= i
- 1; k
>= 0; k
--)
5450 nft_expr_destroy(ctx
, expr_array
[k
]);
5455 static int nft_set_elem_expr_setup(struct nft_ctx
*ctx
,
5456 const struct nft_set_ext
*ext
,
5457 struct nft_expr
*expr_array
[],
5460 struct nft_set_elem_expr
*elem_expr
= nft_set_ext_expr(ext
);
5461 struct nft_expr
*expr
;
5464 for (i
= 0; i
< num_exprs
; i
++) {
5465 expr
= nft_setelem_expr_at(elem_expr
, elem_expr
->size
);
5466 err
= nft_expr_clone(expr
, expr_array
[i
]);
5468 goto err_elem_expr_setup
;
5470 elem_expr
->size
+= expr_array
[i
]->ops
->size
;
5471 nft_expr_destroy(ctx
, expr_array
[i
]);
5472 expr_array
[i
] = NULL
;
5477 err_elem_expr_setup
:
5478 for (; i
< num_exprs
; i
++) {
5479 nft_expr_destroy(ctx
, expr_array
[i
]);
5480 expr_array
[i
] = NULL
;
5486 struct nft_set_ext
*nft_set_catchall_lookup(const struct net
*net
,
5487 const struct nft_set
*set
)
5489 struct nft_set_elem_catchall
*catchall
;
5490 u8 genmask
= nft_genmask_cur(net
);
5491 struct nft_set_ext
*ext
;
5493 list_for_each_entry_rcu(catchall
, &set
->catchall_list
, list
) {
5494 ext
= nft_set_elem_ext(set
, catchall
->elem
);
5495 if (nft_set_elem_active(ext
, genmask
) &&
5496 !nft_set_elem_expired(ext
))
5502 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup
);
5504 void *nft_set_catchall_gc(const struct nft_set
*set
)
5506 struct nft_set_elem_catchall
*catchall
, *next
;
5507 struct nft_set_ext
*ext
;
5510 list_for_each_entry_safe(catchall
, next
, &set
->catchall_list
, list
) {
5511 ext
= nft_set_elem_ext(set
, catchall
->elem
);
5513 if (!nft_set_elem_expired(ext
) ||
5514 nft_set_elem_mark_busy(ext
))
5517 elem
= catchall
->elem
;
5518 list_del_rcu(&catchall
->list
);
5519 kfree_rcu(catchall
, rcu
);
5525 EXPORT_SYMBOL_GPL(nft_set_catchall_gc
);
5527 static int nft_setelem_catchall_insert(const struct net
*net
,
5528 struct nft_set
*set
,
5529 const struct nft_set_elem
*elem
,
5530 struct nft_set_ext
**pext
)
5532 struct nft_set_elem_catchall
*catchall
;
5533 u8 genmask
= nft_genmask_next(net
);
5534 struct nft_set_ext
*ext
;
5536 list_for_each_entry(catchall
, &set
->catchall_list
, list
) {
5537 ext
= nft_set_elem_ext(set
, catchall
->elem
);
5538 if (nft_set_elem_active(ext
, genmask
)) {
5544 catchall
= kmalloc(sizeof(*catchall
), GFP_KERNEL
);
5548 catchall
->elem
= elem
->priv
;
5549 list_add_tail_rcu(&catchall
->list
, &set
->catchall_list
);
5554 static int nft_setelem_insert(const struct net
*net
,
5555 struct nft_set
*set
,
5556 const struct nft_set_elem
*elem
,
5557 struct nft_set_ext
**ext
, unsigned int flags
)
5561 if (flags
& NFT_SET_ELEM_CATCHALL
)
5562 ret
= nft_setelem_catchall_insert(net
, set
, elem
, ext
);
5564 ret
= set
->ops
->insert(net
, set
, elem
, ext
);
5569 static bool nft_setelem_is_catchall(const struct nft_set
*set
,
5570 const struct nft_set_elem
*elem
)
5572 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
5574 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
5575 *nft_set_ext_flags(ext
) & NFT_SET_ELEM_CATCHALL
)
5581 static void nft_setelem_activate(struct net
*net
, struct nft_set
*set
,
5582 struct nft_set_elem
*elem
)
5584 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
5586 if (nft_setelem_is_catchall(set
, elem
)) {
5587 nft_set_elem_change_active(net
, set
, ext
);
5588 nft_set_elem_clear_busy(ext
);
5590 set
->ops
->activate(net
, set
, elem
);
5594 static int nft_setelem_catchall_deactivate(const struct net
*net
,
5595 struct nft_set
*set
,
5596 struct nft_set_elem
*elem
)
5598 struct nft_set_elem_catchall
*catchall
;
5599 struct nft_set_ext
*ext
;
5601 list_for_each_entry(catchall
, &set
->catchall_list
, list
) {
5602 ext
= nft_set_elem_ext(set
, catchall
->elem
);
5603 if (!nft_is_active(net
, ext
) ||
5604 nft_set_elem_mark_busy(ext
))
5608 elem
->priv
= catchall
->elem
;
5609 nft_set_elem_change_active(net
, set
, ext
);
5616 static int __nft_setelem_deactivate(const struct net
*net
,
5617 struct nft_set
*set
,
5618 struct nft_set_elem
*elem
)
5622 priv
= set
->ops
->deactivate(net
, set
, elem
);
5633 static int nft_setelem_deactivate(const struct net
*net
,
5634 struct nft_set
*set
,
5635 struct nft_set_elem
*elem
, u32 flags
)
5639 if (flags
& NFT_SET_ELEM_CATCHALL
)
5640 ret
= nft_setelem_catchall_deactivate(net
, set
, elem
);
5642 ret
= __nft_setelem_deactivate(net
, set
, elem
);
5647 static void nft_setelem_catchall_remove(const struct net
*net
,
5648 const struct nft_set
*set
,
5649 const struct nft_set_elem
*elem
)
5651 struct nft_set_elem_catchall
*catchall
, *next
;
5653 list_for_each_entry_safe(catchall
, next
, &set
->catchall_list
, list
) {
5654 if (catchall
->elem
== elem
->priv
) {
5655 list_del_rcu(&catchall
->list
);
5656 kfree_rcu(catchall
);
5662 static void nft_setelem_remove(const struct net
*net
,
5663 const struct nft_set
*set
,
5664 const struct nft_set_elem
*elem
)
5666 if (nft_setelem_is_catchall(set
, elem
))
5667 nft_setelem_catchall_remove(net
, set
, elem
);
5669 set
->ops
->remove(net
, set
, elem
);
5672 static int nft_add_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
5673 const struct nlattr
*attr
, u32 nlmsg_flags
)
5675 struct nft_expr
*expr_array
[NFT_SET_EXPR_MAX
] = {};
5676 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
5677 u8 genmask
= nft_genmask_next(ctx
->net
);
5678 u32 flags
= 0, size
= 0, num_exprs
= 0;
5679 struct nft_set_ext_tmpl tmpl
;
5680 struct nft_set_ext
*ext
, *ext2
;
5681 struct nft_set_elem elem
;
5682 struct nft_set_binding
*binding
;
5683 struct nft_object
*obj
= NULL
;
5684 struct nft_userdata
*udata
;
5685 struct nft_data_desc desc
;
5686 enum nft_registers dreg
;
5687 struct nft_trans
*trans
;
5693 err
= nla_parse_nested_deprecated(nla
, NFTA_SET_ELEM_MAX
, attr
,
5694 nft_set_elem_policy
, NULL
);
5698 nft_set_ext_prepare(&tmpl
);
5700 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
5704 if (!nla
[NFTA_SET_ELEM_KEY
] && !(flags
& NFT_SET_ELEM_CATCHALL
))
5708 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
5710 if (set
->flags
& NFT_SET_MAP
) {
5711 if (nla
[NFTA_SET_ELEM_DATA
] == NULL
&&
5712 !(flags
& NFT_SET_ELEM_INTERVAL_END
))
5715 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
5719 if ((flags
& NFT_SET_ELEM_INTERVAL_END
) &&
5720 (nla
[NFTA_SET_ELEM_DATA
] ||
5721 nla
[NFTA_SET_ELEM_OBJREF
] ||
5722 nla
[NFTA_SET_ELEM_TIMEOUT
] ||
5723 nla
[NFTA_SET_ELEM_EXPIRATION
] ||
5724 nla
[NFTA_SET_ELEM_USERDATA
] ||
5725 nla
[NFTA_SET_ELEM_EXPR
] ||
5726 nla
[NFTA_SET_ELEM_EXPRESSIONS
]))
5730 if (nla
[NFTA_SET_ELEM_TIMEOUT
] != NULL
) {
5731 if (!(set
->flags
& NFT_SET_TIMEOUT
))
5733 err
= nf_msecs_to_jiffies64(nla
[NFTA_SET_ELEM_TIMEOUT
],
5737 } else if (set
->flags
& NFT_SET_TIMEOUT
) {
5738 timeout
= set
->timeout
;
5742 if (nla
[NFTA_SET_ELEM_EXPIRATION
] != NULL
) {
5743 if (!(set
->flags
& NFT_SET_TIMEOUT
))
5745 err
= nf_msecs_to_jiffies64(nla
[NFTA_SET_ELEM_EXPIRATION
],
5751 if (nla
[NFTA_SET_ELEM_EXPR
]) {
5752 struct nft_expr
*expr
;
5754 if (set
->num_exprs
&& set
->num_exprs
!= 1)
5757 expr
= nft_set_elem_expr_alloc(ctx
, set
,
5758 nla
[NFTA_SET_ELEM_EXPR
]);
5760 return PTR_ERR(expr
);
5762 expr_array
[0] = expr
;
5765 if (set
->num_exprs
&& set
->exprs
[0]->ops
!= expr
->ops
) {
5767 goto err_set_elem_expr
;
5769 } else if (nla
[NFTA_SET_ELEM_EXPRESSIONS
]) {
5770 struct nft_expr
*expr
;
5775 nla_for_each_nested(tmp
, nla
[NFTA_SET_ELEM_EXPRESSIONS
], left
) {
5776 if (i
== NFT_SET_EXPR_MAX
||
5777 (set
->num_exprs
&& set
->num_exprs
== i
)) {
5779 goto err_set_elem_expr
;
5781 if (nla_type(tmp
) != NFTA_LIST_ELEM
) {
5783 goto err_set_elem_expr
;
5785 expr
= nft_set_elem_expr_alloc(ctx
, set
, tmp
);
5787 err
= PTR_ERR(expr
);
5788 goto err_set_elem_expr
;
5790 expr_array
[i
] = expr
;
5793 if (set
->num_exprs
&& expr
->ops
!= set
->exprs
[i
]->ops
) {
5795 goto err_set_elem_expr
;
5799 if (set
->num_exprs
&& set
->num_exprs
!= i
) {
5801 goto err_set_elem_expr
;
5803 } else if (set
->num_exprs
> 0) {
5804 err
= nft_set_elem_expr_clone(ctx
, set
, expr_array
);
5806 goto err_set_elem_expr_clone
;
5808 num_exprs
= set
->num_exprs
;
5811 if (nla
[NFTA_SET_ELEM_KEY
]) {
5812 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key
.val
,
5813 nla
[NFTA_SET_ELEM_KEY
]);
5815 goto err_set_elem_expr
;
5817 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, set
->klen
);
5820 if (nla
[NFTA_SET_ELEM_KEY_END
]) {
5821 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key_end
.val
,
5822 nla
[NFTA_SET_ELEM_KEY_END
]);
5826 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY_END
, set
->klen
);
5830 nft_set_ext_add(&tmpl
, NFT_SET_EXT_EXPIRATION
);
5831 if (timeout
!= set
->timeout
)
5832 nft_set_ext_add(&tmpl
, NFT_SET_EXT_TIMEOUT
);
5836 for (i
= 0; i
< num_exprs
; i
++)
5837 size
+= expr_array
[i
]->ops
->size
;
5839 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_EXPRESSIONS
,
5840 sizeof(struct nft_set_elem_expr
) +
5844 if (nla
[NFTA_SET_ELEM_OBJREF
] != NULL
) {
5845 if (!(set
->flags
& NFT_SET_OBJECT
)) {
5847 goto err_parse_key_end
;
5849 obj
= nft_obj_lookup(ctx
->net
, ctx
->table
,
5850 nla
[NFTA_SET_ELEM_OBJREF
],
5851 set
->objtype
, genmask
);
5854 goto err_parse_key_end
;
5856 nft_set_ext_add(&tmpl
, NFT_SET_EXT_OBJREF
);
5859 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
) {
5860 err
= nft_setelem_parse_data(ctx
, set
, &desc
, &elem
.data
.val
,
5861 nla
[NFTA_SET_ELEM_DATA
]);
5863 goto err_parse_key_end
;
5865 dreg
= nft_type_to_reg(set
->dtype
);
5866 list_for_each_entry(binding
, &set
->bindings
, list
) {
5867 struct nft_ctx bind_ctx
= {
5869 .family
= ctx
->family
,
5870 .table
= ctx
->table
,
5871 .chain
= (struct nft_chain
*)binding
->chain
,
5874 if (!(binding
->flags
& NFT_SET_MAP
))
5877 err
= nft_validate_register_store(&bind_ctx
, dreg
,
5879 desc
.type
, desc
.len
);
5881 goto err_parse_data
;
5883 if (desc
.type
== NFT_DATA_VERDICT
&&
5884 (elem
.data
.val
.verdict
.code
== NFT_GOTO
||
5885 elem
.data
.val
.verdict
.code
== NFT_JUMP
))
5886 nft_validate_state_update(ctx
->net
,
5890 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_DATA
, desc
.len
);
5893 /* The full maximum length of userdata can exceed the maximum
5894 * offset value (U8_MAX) for following extensions, therefor it
5895 * must be the last extension added.
5898 if (nla
[NFTA_SET_ELEM_USERDATA
] != NULL
) {
5899 ulen
= nla_len(nla
[NFTA_SET_ELEM_USERDATA
]);
5901 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_USERDATA
,
5906 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
,
5907 elem
.key_end
.val
.data
, elem
.data
.val
.data
,
5908 timeout
, expiration
, GFP_KERNEL
);
5909 if (elem
.priv
== NULL
)
5910 goto err_parse_data
;
5912 ext
= nft_set_elem_ext(set
, elem
.priv
);
5914 *nft_set_ext_flags(ext
) = flags
;
5916 udata
= nft_set_ext_userdata(ext
);
5917 udata
->len
= ulen
- 1;
5918 nla_memcpy(&udata
->data
, nla
[NFTA_SET_ELEM_USERDATA
], ulen
);
5921 *nft_set_ext_obj(ext
) = obj
;
5924 err
= nft_set_elem_expr_setup(ctx
, ext
, expr_array
, num_exprs
);
5928 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_NEWSETELEM
, set
);
5929 if (trans
== NULL
) {
5934 ext
->genmask
= nft_genmask_cur(ctx
->net
) | NFT_SET_ELEM_BUSY_MASK
;
5936 err
= nft_setelem_insert(ctx
->net
, set
, &elem
, &ext2
, flags
);
5938 if (err
== -EEXIST
) {
5939 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) ^
5940 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) ||
5941 nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) ^
5942 nft_set_ext_exists(ext2
, NFT_SET_EXT_OBJREF
))
5943 goto err_element_clash
;
5944 if ((nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
5945 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) &&
5946 memcmp(nft_set_ext_data(ext
),
5947 nft_set_ext_data(ext2
), set
->dlen
) != 0) ||
5948 (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
) &&
5949 nft_set_ext_exists(ext2
, NFT_SET_EXT_OBJREF
) &&
5950 *nft_set_ext_obj(ext
) != *nft_set_ext_obj(ext2
)))
5951 goto err_element_clash
;
5952 else if (!(nlmsg_flags
& NLM_F_EXCL
))
5954 } else if (err
== -ENOTEMPTY
) {
5955 /* ENOTEMPTY reports overlapping between this element
5956 * and an existing one.
5960 goto err_element_clash
;
5963 if (!(flags
& NFT_SET_ELEM_CATCHALL
) && set
->size
&&
5964 !atomic_add_unless(&set
->nelems
, 1, set
->size
+ set
->ndeact
)) {
5969 nft_trans_elem(trans
) = elem
;
5970 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
5974 nft_setelem_remove(ctx
->net
, set
, &elem
);
5981 nf_tables_set_elem_destroy(ctx
, set
, elem
.priv
);
5983 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
5984 nft_data_release(&elem
.data
.val
, desc
.type
);
5986 nft_data_release(&elem
.key_end
.val
, NFT_DATA_VALUE
);
5988 nft_data_release(&elem
.key
.val
, NFT_DATA_VALUE
);
5990 for (i
= 0; i
< num_exprs
&& expr_array
[i
]; i
++)
5991 nft_expr_destroy(ctx
, expr_array
[i
]);
5992 err_set_elem_expr_clone
:
5996 static int nf_tables_newsetelem(struct sk_buff
*skb
,
5997 const struct nfnl_info
*info
,
5998 const struct nlattr
* const nla
[])
6000 struct nftables_pernet
*nft_net
= nft_pernet(info
->net
);
6001 struct netlink_ext_ack
*extack
= info
->extack
;
6002 u8 genmask
= nft_genmask_next(info
->net
);
6003 u8 family
= info
->nfmsg
->nfgen_family
;
6004 struct net
*net
= info
->net
;
6005 const struct nlattr
*attr
;
6006 struct nft_table
*table
;
6007 struct nft_set
*set
;
6011 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
)
6014 table
= nft_table_lookup(net
, nla
[NFTA_SET_ELEM_LIST_TABLE
], family
,
6015 genmask
, NETLINK_CB(skb
).portid
);
6016 if (IS_ERR(table
)) {
6017 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_ELEM_LIST_TABLE
]);
6018 return PTR_ERR(table
);
6021 set
= nft_set_lookup_global(net
, table
, nla
[NFTA_SET_ELEM_LIST_SET
],
6022 nla
[NFTA_SET_ELEM_LIST_SET_ID
], genmask
);
6024 return PTR_ERR(set
);
6026 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
6029 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
6031 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
6032 err
= nft_add_set_elem(&ctx
, set
, attr
, info
->nlh
->nlmsg_flags
);
6037 if (nft_net
->validate_state
== NFT_VALIDATE_DO
)
6038 return nft_table_validate(net
, table
);
6044 * nft_data_hold - hold a nft_data item
6046 * @data: struct nft_data to release
6047 * @type: type of data
6049 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6050 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
6051 * NFT_GOTO verdicts. This function must be called on active data objects
6052 * from the second phase of the commit protocol.
6054 void nft_data_hold(const struct nft_data
*data
, enum nft_data_types type
)
6056 struct nft_chain
*chain
;
6057 struct nft_rule
*rule
;
6059 if (type
== NFT_DATA_VERDICT
) {
6060 switch (data
->verdict
.code
) {
6063 chain
= data
->verdict
.chain
;
6066 if (!nft_chain_is_bound(chain
))
6069 chain
->table
->use
++;
6070 list_for_each_entry(rule
, &chain
->rules
, list
)
6073 nft_chain_add(chain
->table
, chain
);
6079 static void nft_setelem_data_activate(const struct net
*net
,
6080 const struct nft_set
*set
,
6081 struct nft_set_elem
*elem
)
6083 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
6085 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
6086 nft_data_hold(nft_set_ext_data(ext
), set
->dtype
);
6087 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
6088 (*nft_set_ext_obj(ext
))->use
++;
6091 static void nft_setelem_data_deactivate(const struct net
*net
,
6092 const struct nft_set
*set
,
6093 struct nft_set_elem
*elem
)
6095 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
6097 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
6098 nft_data_release(nft_set_ext_data(ext
), set
->dtype
);
6099 if (nft_set_ext_exists(ext
, NFT_SET_EXT_OBJREF
))
6100 (*nft_set_ext_obj(ext
))->use
--;
6103 static int nft_del_setelem(struct nft_ctx
*ctx
, struct nft_set
*set
,
6104 const struct nlattr
*attr
)
6106 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
6107 struct nft_set_ext_tmpl tmpl
;
6108 struct nft_set_elem elem
;
6109 struct nft_set_ext
*ext
;
6110 struct nft_trans
*trans
;
6114 err
= nla_parse_nested_deprecated(nla
, NFTA_SET_ELEM_MAX
, attr
,
6115 nft_set_elem_policy
, NULL
);
6119 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
6123 if (!nla
[NFTA_SET_ELEM_KEY
] && !(flags
& NFT_SET_ELEM_CATCHALL
))
6126 nft_set_ext_prepare(&tmpl
);
6129 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
6131 if (nla
[NFTA_SET_ELEM_KEY
]) {
6132 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key
.val
,
6133 nla
[NFTA_SET_ELEM_KEY
]);
6137 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, set
->klen
);
6140 if (nla
[NFTA_SET_ELEM_KEY_END
]) {
6141 err
= nft_setelem_parse_key(ctx
, set
, &elem
.key_end
.val
,
6142 nla
[NFTA_SET_ELEM_KEY_END
]);
6146 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY_END
, set
->klen
);
6150 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
,
6151 elem
.key_end
.val
.data
, NULL
, 0, 0,
6153 if (elem
.priv
== NULL
)
6156 ext
= nft_set_elem_ext(set
, elem
.priv
);
6158 *nft_set_ext_flags(ext
) = flags
;
6160 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_DELSETELEM
, set
);
6164 err
= nft_setelem_deactivate(ctx
->net
, set
, &elem
, flags
);
6168 nft_setelem_data_deactivate(ctx
->net
, set
, &elem
);
6170 nft_trans_elem(trans
) = elem
;
6171 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
6179 nft_data_release(&elem
.key
.val
, NFT_DATA_VALUE
);
6183 static int nft_setelem_flush(const struct nft_ctx
*ctx
,
6184 struct nft_set
*set
,
6185 const struct nft_set_iter
*iter
,
6186 struct nft_set_elem
*elem
)
6188 struct nft_trans
*trans
;
6191 trans
= nft_trans_alloc_gfp(ctx
, NFT_MSG_DELSETELEM
,
6192 sizeof(struct nft_trans_elem
), GFP_ATOMIC
);
6196 if (!set
->ops
->flush(ctx
->net
, set
, elem
->priv
)) {
6202 nft_setelem_data_deactivate(ctx
->net
, set
, elem
);
6203 nft_trans_elem_set(trans
) = set
;
6204 nft_trans_elem(trans
) = *elem
;
6205 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
6213 static int __nft_set_catchall_flush(const struct nft_ctx
*ctx
,
6214 struct nft_set
*set
,
6215 struct nft_set_elem
*elem
)
6217 struct nft_trans
*trans
;
6219 trans
= nft_trans_alloc_gfp(ctx
, NFT_MSG_DELSETELEM
,
6220 sizeof(struct nft_trans_elem
), GFP_KERNEL
);
6224 nft_setelem_data_deactivate(ctx
->net
, set
, elem
);
6225 nft_trans_elem_set(trans
) = set
;
6226 nft_trans_elem(trans
) = *elem
;
6227 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
6232 static int nft_set_catchall_flush(const struct nft_ctx
*ctx
,
6233 struct nft_set
*set
)
6235 u8 genmask
= nft_genmask_next(ctx
->net
);
6236 struct nft_set_elem_catchall
*catchall
;
6237 struct nft_set_elem elem
;
6238 struct nft_set_ext
*ext
;
6241 list_for_each_entry_rcu(catchall
, &set
->catchall_list
, list
) {
6242 ext
= nft_set_elem_ext(set
, catchall
->elem
);
6243 if (!nft_set_elem_active(ext
, genmask
) ||
6244 nft_set_elem_mark_busy(ext
))
6247 elem
.priv
= catchall
->elem
;
6248 ret
= __nft_set_catchall_flush(ctx
, set
, &elem
);
6256 static int nft_set_flush(struct nft_ctx
*ctx
, struct nft_set
*set
, u8 genmask
)
6258 struct nft_set_iter iter
= {
6260 .fn
= nft_setelem_flush
,
6263 set
->ops
->walk(ctx
, set
, &iter
);
6265 iter
.err
= nft_set_catchall_flush(ctx
, set
);
6270 static int nf_tables_delsetelem(struct sk_buff
*skb
,
6271 const struct nfnl_info
*info
,
6272 const struct nlattr
* const nla
[])
6274 struct netlink_ext_ack
*extack
= info
->extack
;
6275 u8 genmask
= nft_genmask_next(info
->net
);
6276 u8 family
= info
->nfmsg
->nfgen_family
;
6277 struct net
*net
= info
->net
;
6278 const struct nlattr
*attr
;
6279 struct nft_table
*table
;
6280 struct nft_set
*set
;
6284 table
= nft_table_lookup(net
, nla
[NFTA_SET_ELEM_LIST_TABLE
], family
,
6285 genmask
, NETLINK_CB(skb
).portid
);
6286 if (IS_ERR(table
)) {
6287 NL_SET_BAD_ATTR(extack
, nla
[NFTA_SET_ELEM_LIST_TABLE
]);
6288 return PTR_ERR(table
);
6291 set
= nft_set_lookup(table
, nla
[NFTA_SET_ELEM_LIST_SET
], genmask
);
6293 return PTR_ERR(set
);
6294 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
6297 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
6299 if (!nla
[NFTA_SET_ELEM_LIST_ELEMENTS
])
6300 return nft_set_flush(&ctx
, set
, genmask
);
6302 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
6303 err
= nft_del_setelem(&ctx
, set
, attr
);
6310 void nft_set_gc_batch_release(struct rcu_head
*rcu
)
6312 struct nft_set_gc_batch
*gcb
;
6315 gcb
= container_of(rcu
, struct nft_set_gc_batch
, head
.rcu
);
6316 for (i
= 0; i
< gcb
->head
.cnt
; i
++)
6317 nft_set_elem_destroy(gcb
->head
.set
, gcb
->elems
[i
], true);
6321 struct nft_set_gc_batch
*nft_set_gc_batch_alloc(const struct nft_set
*set
,
6324 struct nft_set_gc_batch
*gcb
;
6326 gcb
= kzalloc(sizeof(*gcb
), gfp
);
6329 gcb
->head
.set
= set
;
6338 * nft_register_obj- register nf_tables stateful object type
6339 * @obj_type: object type
6341 * Registers the object type for use with nf_tables. Returns zero on
6342 * success or a negative errno code otherwise.
6344 int nft_register_obj(struct nft_object_type
*obj_type
)
6346 if (obj_type
->type
== NFT_OBJECT_UNSPEC
)
6349 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
6350 list_add_rcu(&obj_type
->list
, &nf_tables_objects
);
6351 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
6354 EXPORT_SYMBOL_GPL(nft_register_obj
);
6357 * nft_unregister_obj - unregister nf_tables object type
6358 * @obj_type: object type
6360 * Unregisters the object type for use with nf_tables.
6362 void nft_unregister_obj(struct nft_object_type
*obj_type
)
6364 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
6365 list_del_rcu(&obj_type
->list
);
6366 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
6368 EXPORT_SYMBOL_GPL(nft_unregister_obj
);
6370 struct nft_object
*nft_obj_lookup(const struct net
*net
,
6371 const struct nft_table
*table
,
6372 const struct nlattr
*nla
, u32 objtype
,
6375 struct nft_object_hash_key k
= { .table
= table
};
6376 char search
[NFT_OBJ_MAXNAMELEN
];
6377 struct rhlist_head
*tmp
, *list
;
6378 struct nft_object
*obj
;
6380 nla_strscpy(search
, nla
, sizeof(search
));
6383 WARN_ON_ONCE(!rcu_read_lock_held() &&
6384 !lockdep_commit_lock_is_held(net
));
6387 list
= rhltable_lookup(&nft_objname_ht
, &k
, nft_objname_ht_params
);
6391 rhl_for_each_entry_rcu(obj
, tmp
, list
, rhlhead
) {
6392 if (objtype
== obj
->ops
->type
->type
&&
6393 nft_active_genmask(obj
, genmask
)) {
6400 return ERR_PTR(-ENOENT
);
6402 EXPORT_SYMBOL_GPL(nft_obj_lookup
);
6404 static struct nft_object
*nft_obj_lookup_byhandle(const struct nft_table
*table
,
6405 const struct nlattr
*nla
,
6406 u32 objtype
, u8 genmask
)
6408 struct nft_object
*obj
;
6410 list_for_each_entry(obj
, &table
->objects
, list
) {
6411 if (be64_to_cpu(nla_get_be64(nla
)) == obj
->handle
&&
6412 objtype
== obj
->ops
->type
->type
&&
6413 nft_active_genmask(obj
, genmask
))
6416 return ERR_PTR(-ENOENT
);
6419 static const struct nla_policy nft_obj_policy
[NFTA_OBJ_MAX
+ 1] = {
6420 [NFTA_OBJ_TABLE
] = { .type
= NLA_STRING
,
6421 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
6422 [NFTA_OBJ_NAME
] = { .type
= NLA_STRING
,
6423 .len
= NFT_OBJ_MAXNAMELEN
- 1 },
6424 [NFTA_OBJ_TYPE
] = { .type
= NLA_U32
},
6425 [NFTA_OBJ_DATA
] = { .type
= NLA_NESTED
},
6426 [NFTA_OBJ_HANDLE
] = { .type
= NLA_U64
},
6427 [NFTA_OBJ_USERDATA
] = { .type
= NLA_BINARY
,
6428 .len
= NFT_USERDATA_MAXLEN
},
6431 static struct nft_object
*nft_obj_init(const struct nft_ctx
*ctx
,
6432 const struct nft_object_type
*type
,
6433 const struct nlattr
*attr
)
6436 const struct nft_object_ops
*ops
;
6437 struct nft_object
*obj
;
6440 tb
= kmalloc_array(type
->maxattr
+ 1, sizeof(*tb
), GFP_KERNEL
);
6445 err
= nla_parse_nested_deprecated(tb
, type
->maxattr
, attr
,
6446 type
->policy
, NULL
);
6450 memset(tb
, 0, sizeof(tb
[0]) * (type
->maxattr
+ 1));
6453 if (type
->select_ops
) {
6454 ops
= type
->select_ops(ctx
, (const struct nlattr
* const *)tb
);
6464 obj
= kzalloc(sizeof(*obj
) + ops
->size
, GFP_KERNEL
);
6468 err
= ops
->init(ctx
, (const struct nlattr
* const *)tb
, obj
);
6481 return ERR_PTR(err
);
6484 static int nft_object_dump(struct sk_buff
*skb
, unsigned int attr
,
6485 struct nft_object
*obj
, bool reset
)
6487 struct nlattr
*nest
;
6489 nest
= nla_nest_start_noflag(skb
, attr
);
6491 goto nla_put_failure
;
6492 if (obj
->ops
->dump(skb
, obj
, reset
) < 0)
6493 goto nla_put_failure
;
6494 nla_nest_end(skb
, nest
);
6501 static const struct nft_object_type
*__nft_obj_type_get(u32 objtype
)
6503 const struct nft_object_type
*type
;
6505 list_for_each_entry(type
, &nf_tables_objects
, list
) {
6506 if (objtype
== type
->type
)
6512 static const struct nft_object_type
*
6513 nft_obj_type_get(struct net
*net
, u32 objtype
)
6515 const struct nft_object_type
*type
;
6517 type
= __nft_obj_type_get(objtype
);
6518 if (type
!= NULL
&& try_module_get(type
->owner
))
6521 lockdep_nfnl_nft_mutex_not_held();
6522 #ifdef CONFIG_MODULES
6524 if (nft_request_module(net
, "nft-obj-%u", objtype
) == -EAGAIN
)
6525 return ERR_PTR(-EAGAIN
);
6528 return ERR_PTR(-ENOENT
);
6531 static int nf_tables_updobj(const struct nft_ctx
*ctx
,
6532 const struct nft_object_type
*type
,
6533 const struct nlattr
*attr
,
6534 struct nft_object
*obj
)
6536 struct nft_object
*newobj
;
6537 struct nft_trans
*trans
;
6540 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWOBJ
,
6541 sizeof(struct nft_trans_obj
));
6545 newobj
= nft_obj_init(ctx
, type
, attr
);
6546 if (IS_ERR(newobj
)) {
6547 err
= PTR_ERR(newobj
);
6548 goto err_free_trans
;
6551 nft_trans_obj(trans
) = obj
;
6552 nft_trans_obj_update(trans
) = true;
6553 nft_trans_obj_newobj(trans
) = newobj
;
6554 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
6563 static int nf_tables_newobj(struct sk_buff
*skb
, const struct nfnl_info
*info
,
6564 const struct nlattr
* const nla
[])
6566 struct netlink_ext_ack
*extack
= info
->extack
;
6567 u8 genmask
= nft_genmask_next(info
->net
);
6568 u8 family
= info
->nfmsg
->nfgen_family
;
6569 const struct nft_object_type
*type
;
6570 struct net
*net
= info
->net
;
6571 struct nft_table
*table
;
6572 struct nft_object
*obj
;
6577 if (!nla
[NFTA_OBJ_TYPE
] ||
6578 !nla
[NFTA_OBJ_NAME
] ||
6579 !nla
[NFTA_OBJ_DATA
])
6582 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
,
6583 NETLINK_CB(skb
).portid
);
6584 if (IS_ERR(table
)) {
6585 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
6586 return PTR_ERR(table
);
6589 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
6590 obj
= nft_obj_lookup(net
, table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
6593 if (err
!= -ENOENT
) {
6594 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
6598 if (info
->nlh
->nlmsg_flags
& NLM_F_EXCL
) {
6599 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
6602 if (info
->nlh
->nlmsg_flags
& NLM_F_REPLACE
)
6605 type
= __nft_obj_type_get(objtype
);
6606 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
6608 return nf_tables_updobj(&ctx
, type
, nla
[NFTA_OBJ_DATA
], obj
);
6611 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
6613 type
= nft_obj_type_get(net
, objtype
);
6615 return PTR_ERR(type
);
6617 obj
= nft_obj_init(&ctx
, type
, nla
[NFTA_OBJ_DATA
]);
6622 obj
->key
.table
= table
;
6623 obj
->handle
= nf_tables_alloc_handle(table
);
6625 obj
->key
.name
= nla_strdup(nla
[NFTA_OBJ_NAME
], GFP_KERNEL
);
6626 if (!obj
->key
.name
) {
6631 if (nla
[NFTA_OBJ_USERDATA
]) {
6632 obj
->udata
= nla_memdup(nla
[NFTA_OBJ_USERDATA
], GFP_KERNEL
);
6633 if (obj
->udata
== NULL
)
6636 obj
->udlen
= nla_len(nla
[NFTA_OBJ_USERDATA
]);
6639 err
= nft_trans_obj_add(&ctx
, NFT_MSG_NEWOBJ
, obj
);
6643 err
= rhltable_insert(&nft_objname_ht
, &obj
->rhlhead
,
6644 nft_objname_ht_params
);
6648 list_add_tail_rcu(&obj
->list
, &table
->objects
);
6652 /* queued in transaction log */
6653 INIT_LIST_HEAD(&obj
->list
);
6658 kfree(obj
->key
.name
);
6660 if (obj
->ops
->destroy
)
6661 obj
->ops
->destroy(&ctx
, obj
);
6664 module_put(type
->owner
);
6668 static int nf_tables_fill_obj_info(struct sk_buff
*skb
, struct net
*net
,
6669 u32 portid
, u32 seq
, int event
, u32 flags
,
6670 int family
, const struct nft_table
*table
,
6671 struct nft_object
*obj
, bool reset
)
6673 struct nlmsghdr
*nlh
;
6675 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
6676 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, family
,
6677 NFNETLINK_V0
, nft_base_seq(net
));
6679 goto nla_put_failure
;
6681 if (nla_put_string(skb
, NFTA_OBJ_TABLE
, table
->name
) ||
6682 nla_put_string(skb
, NFTA_OBJ_NAME
, obj
->key
.name
) ||
6683 nla_put_be32(skb
, NFTA_OBJ_TYPE
, htonl(obj
->ops
->type
->type
)) ||
6684 nla_put_be32(skb
, NFTA_OBJ_USE
, htonl(obj
->use
)) ||
6685 nft_object_dump(skb
, NFTA_OBJ_DATA
, obj
, reset
) ||
6686 nla_put_be64(skb
, NFTA_OBJ_HANDLE
, cpu_to_be64(obj
->handle
),
6688 goto nla_put_failure
;
6691 nla_put(skb
, NFTA_OBJ_USERDATA
, obj
->udlen
, obj
->udata
))
6692 goto nla_put_failure
;
6694 nlmsg_end(skb
, nlh
);
6698 nlmsg_trim(skb
, nlh
);
6702 struct nft_obj_filter
{
6707 static int nf_tables_dump_obj(struct sk_buff
*skb
, struct netlink_callback
*cb
)
6709 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
6710 const struct nft_table
*table
;
6711 unsigned int idx
= 0, s_idx
= cb
->args
[0];
6712 struct nft_obj_filter
*filter
= cb
->data
;
6713 struct net
*net
= sock_net(skb
->sk
);
6714 int family
= nfmsg
->nfgen_family
;
6715 struct nftables_pernet
*nft_net
;
6716 struct nft_object
*obj
;
6719 if (NFNL_MSG_TYPE(cb
->nlh
->nlmsg_type
) == NFT_MSG_GETOBJ_RESET
)
6723 nft_net
= nft_pernet(net
);
6724 cb
->seq
= nft_net
->base_seq
;
6726 list_for_each_entry_rcu(table
, &nft_net
->tables
, list
) {
6727 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
6730 list_for_each_entry_rcu(obj
, &table
->objects
, list
) {
6731 if (!nft_is_active(net
, obj
))
6736 memset(&cb
->args
[1], 0,
6737 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
6738 if (filter
&& filter
->table
&&
6739 strcmp(filter
->table
, table
->name
))
6742 filter
->type
!= NFT_OBJECT_UNSPEC
&&
6743 obj
->ops
->type
->type
!= filter
->type
)
6746 char *buf
= kasprintf(GFP_ATOMIC
,
6751 audit_log_nfcfg(buf
,
6754 AUDIT_NFT_OP_OBJ_RESET
,
6759 if (nf_tables_fill_obj_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
6762 NLM_F_MULTI
| NLM_F_APPEND
,
6763 table
->family
, table
,
6767 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
6779 static int nf_tables_dump_obj_start(struct netlink_callback
*cb
)
6781 const struct nlattr
* const *nla
= cb
->data
;
6782 struct nft_obj_filter
*filter
= NULL
;
6784 if (nla
[NFTA_OBJ_TABLE
] || nla
[NFTA_OBJ_TYPE
]) {
6785 filter
= kzalloc(sizeof(*filter
), GFP_ATOMIC
);
6789 if (nla
[NFTA_OBJ_TABLE
]) {
6790 filter
->table
= nla_strdup(nla
[NFTA_OBJ_TABLE
], GFP_ATOMIC
);
6791 if (!filter
->table
) {
6797 if (nla
[NFTA_OBJ_TYPE
])
6798 filter
->type
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
6805 static int nf_tables_dump_obj_done(struct netlink_callback
*cb
)
6807 struct nft_obj_filter
*filter
= cb
->data
;
6810 kfree(filter
->table
);
6817 /* called with rcu_read_lock held */
6818 static int nf_tables_getobj(struct sk_buff
*skb
, const struct nfnl_info
*info
,
6819 const struct nlattr
* const nla
[])
6821 struct netlink_ext_ack
*extack
= info
->extack
;
6822 u8 genmask
= nft_genmask_cur(info
->net
);
6823 u8 family
= info
->nfmsg
->nfgen_family
;
6824 const struct nft_table
*table
;
6825 struct net
*net
= info
->net
;
6826 struct nft_object
*obj
;
6827 struct sk_buff
*skb2
;
6832 if (info
->nlh
->nlmsg_flags
& NLM_F_DUMP
) {
6833 struct netlink_dump_control c
= {
6834 .start
= nf_tables_dump_obj_start
,
6835 .dump
= nf_tables_dump_obj
,
6836 .done
= nf_tables_dump_obj_done
,
6837 .module
= THIS_MODULE
,
6838 .data
= (void *)nla
,
6841 return nft_netlink_dump_start_rcu(info
->sk
, skb
, info
->nlh
, &c
);
6844 if (!nla
[NFTA_OBJ_NAME
] ||
6845 !nla
[NFTA_OBJ_TYPE
])
6848 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
, 0);
6849 if (IS_ERR(table
)) {
6850 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
6851 return PTR_ERR(table
);
6854 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
6855 obj
= nft_obj_lookup(net
, table
, nla
[NFTA_OBJ_NAME
], objtype
, genmask
);
6857 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_NAME
]);
6858 return PTR_ERR(obj
);
6861 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
6865 if (NFNL_MSG_TYPE(info
->nlh
->nlmsg_type
) == NFT_MSG_GETOBJ_RESET
)
6869 const struct nftables_pernet
*nft_net
;
6872 nft_net
= nft_pernet(net
);
6873 buf
= kasprintf(GFP_ATOMIC
, "%s:%u", table
->name
, nft_net
->base_seq
);
6875 audit_log_nfcfg(buf
,
6878 AUDIT_NFT_OP_OBJ_RESET
,
6883 err
= nf_tables_fill_obj_info(skb2
, net
, NETLINK_CB(skb
).portid
,
6884 info
->nlh
->nlmsg_seq
, NFT_MSG_NEWOBJ
, 0,
6885 family
, table
, obj
, reset
);
6887 goto err_fill_obj_info
;
6889 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
6896 static void nft_obj_destroy(const struct nft_ctx
*ctx
, struct nft_object
*obj
)
6898 if (obj
->ops
->destroy
)
6899 obj
->ops
->destroy(ctx
, obj
);
6901 module_put(obj
->ops
->type
->owner
);
6902 kfree(obj
->key
.name
);
6907 static int nf_tables_delobj(struct sk_buff
*skb
, const struct nfnl_info
*info
,
6908 const struct nlattr
* const nla
[])
6910 struct netlink_ext_ack
*extack
= info
->extack
;
6911 u8 genmask
= nft_genmask_next(info
->net
);
6912 u8 family
= info
->nfmsg
->nfgen_family
;
6913 struct net
*net
= info
->net
;
6914 const struct nlattr
*attr
;
6915 struct nft_table
*table
;
6916 struct nft_object
*obj
;
6920 if (!nla
[NFTA_OBJ_TYPE
] ||
6921 (!nla
[NFTA_OBJ_NAME
] && !nla
[NFTA_OBJ_HANDLE
]))
6924 table
= nft_table_lookup(net
, nla
[NFTA_OBJ_TABLE
], family
, genmask
,
6925 NETLINK_CB(skb
).portid
);
6926 if (IS_ERR(table
)) {
6927 NL_SET_BAD_ATTR(extack
, nla
[NFTA_OBJ_TABLE
]);
6928 return PTR_ERR(table
);
6931 objtype
= ntohl(nla_get_be32(nla
[NFTA_OBJ_TYPE
]));
6932 if (nla
[NFTA_OBJ_HANDLE
]) {
6933 attr
= nla
[NFTA_OBJ_HANDLE
];
6934 obj
= nft_obj_lookup_byhandle(table
, attr
, objtype
, genmask
);
6936 attr
= nla
[NFTA_OBJ_NAME
];
6937 obj
= nft_obj_lookup(net
, table
, attr
, objtype
, genmask
);
6941 NL_SET_BAD_ATTR(extack
, attr
);
6942 return PTR_ERR(obj
);
6945 NL_SET_BAD_ATTR(extack
, attr
);
6949 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
6951 return nft_delobj(&ctx
, obj
);
6954 void nft_obj_notify(struct net
*net
, const struct nft_table
*table
,
6955 struct nft_object
*obj
, u32 portid
, u32 seq
, int event
,
6956 u16 flags
, int family
, int report
, gfp_t gfp
)
6958 struct nftables_pernet
*nft_net
= nft_pernet(net
);
6959 struct sk_buff
*skb
;
6961 char *buf
= kasprintf(gfp
, "%s:%u",
6962 table
->name
, nft_net
->base_seq
);
6964 audit_log_nfcfg(buf
,
6967 event
== NFT_MSG_NEWOBJ
?
6968 AUDIT_NFT_OP_OBJ_REGISTER
:
6969 AUDIT_NFT_OP_OBJ_UNREGISTER
,
6974 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
6977 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp
);
6981 err
= nf_tables_fill_obj_info(skb
, net
, portid
, seq
, event
,
6982 flags
& (NLM_F_CREATE
| NLM_F_EXCL
),
6983 family
, table
, obj
, false);
6989 nft_notify_enqueue(skb
, report
, &nft_net
->notify_list
);
6992 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
6994 EXPORT_SYMBOL_GPL(nft_obj_notify
);
6996 static void nf_tables_obj_notify(const struct nft_ctx
*ctx
,
6997 struct nft_object
*obj
, int event
)
6999 nft_obj_notify(ctx
->net
, ctx
->table
, obj
, ctx
->portid
, ctx
->seq
, event
,
7000 ctx
->flags
, ctx
->family
, ctx
->report
, GFP_KERNEL
);
7006 void nft_register_flowtable_type(struct nf_flowtable_type
*type
)
7008 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
7009 list_add_tail_rcu(&type
->list
, &nf_tables_flowtables
);
7010 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
7012 EXPORT_SYMBOL_GPL(nft_register_flowtable_type
);
7014 void nft_unregister_flowtable_type(struct nf_flowtable_type
*type
)
7016 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
7017 list_del_rcu(&type
->list
);
7018 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
7020 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type
);
7022 static const struct nla_policy nft_flowtable_policy
[NFTA_FLOWTABLE_MAX
+ 1] = {
7023 [NFTA_FLOWTABLE_TABLE
] = { .type
= NLA_STRING
,
7024 .len
= NFT_NAME_MAXLEN
- 1 },
7025 [NFTA_FLOWTABLE_NAME
] = { .type
= NLA_STRING
,
7026 .len
= NFT_NAME_MAXLEN
- 1 },
7027 [NFTA_FLOWTABLE_HOOK
] = { .type
= NLA_NESTED
},
7028 [NFTA_FLOWTABLE_HANDLE
] = { .type
= NLA_U64
},
7029 [NFTA_FLOWTABLE_FLAGS
] = { .type
= NLA_U32
},
7032 struct nft_flowtable
*nft_flowtable_lookup(const struct nft_table
*table
,
7033 const struct nlattr
*nla
, u8 genmask
)
7035 struct nft_flowtable
*flowtable
;
7037 list_for_each_entry_rcu(flowtable
, &table
->flowtables
, list
) {
7038 if (!nla_strcmp(nla
, flowtable
->name
) &&
7039 nft_active_genmask(flowtable
, genmask
))
7042 return ERR_PTR(-ENOENT
);
7044 EXPORT_SYMBOL_GPL(nft_flowtable_lookup
);
7046 void nf_tables_deactivate_flowtable(const struct nft_ctx
*ctx
,
7047 struct nft_flowtable
*flowtable
,
7048 enum nft_trans_phase phase
)
7051 case NFT_TRANS_PREPARE
:
7052 case NFT_TRANS_ABORT
:
7053 case NFT_TRANS_RELEASE
:
7060 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable
);
7062 static struct nft_flowtable
*
7063 nft_flowtable_lookup_byhandle(const struct nft_table
*table
,
7064 const struct nlattr
*nla
, u8 genmask
)
7066 struct nft_flowtable
*flowtable
;
7068 list_for_each_entry(flowtable
, &table
->flowtables
, list
) {
7069 if (be64_to_cpu(nla_get_be64(nla
)) == flowtable
->handle
&&
7070 nft_active_genmask(flowtable
, genmask
))
7073 return ERR_PTR(-ENOENT
);
7076 struct nft_flowtable_hook
{
7079 struct list_head list
;
7082 static const struct nla_policy nft_flowtable_hook_policy
[NFTA_FLOWTABLE_HOOK_MAX
+ 1] = {
7083 [NFTA_FLOWTABLE_HOOK_NUM
] = { .type
= NLA_U32
},
7084 [NFTA_FLOWTABLE_HOOK_PRIORITY
] = { .type
= NLA_U32
},
7085 [NFTA_FLOWTABLE_HOOK_DEVS
] = { .type
= NLA_NESTED
},
7088 static int nft_flowtable_parse_hook(const struct nft_ctx
*ctx
,
7089 const struct nlattr
*attr
,
7090 struct nft_flowtable_hook
*flowtable_hook
,
7091 struct nft_flowtable
*flowtable
, bool add
)
7093 struct nlattr
*tb
[NFTA_FLOWTABLE_HOOK_MAX
+ 1];
7094 struct nft_hook
*hook
;
7095 int hooknum
, priority
;
7098 INIT_LIST_HEAD(&flowtable_hook
->list
);
7100 err
= nla_parse_nested_deprecated(tb
, NFTA_FLOWTABLE_HOOK_MAX
, attr
,
7101 nft_flowtable_hook_policy
, NULL
);
7106 if (!tb
[NFTA_FLOWTABLE_HOOK_NUM
] ||
7107 !tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
])
7110 hooknum
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_NUM
]));
7111 if (hooknum
!= NF_NETDEV_INGRESS
)
7114 priority
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
]));
7116 flowtable_hook
->priority
= priority
;
7117 flowtable_hook
->num
= hooknum
;
7119 if (tb
[NFTA_FLOWTABLE_HOOK_NUM
]) {
7120 hooknum
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_NUM
]));
7121 if (hooknum
!= flowtable
->hooknum
)
7125 if (tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
]) {
7126 priority
= ntohl(nla_get_be32(tb
[NFTA_FLOWTABLE_HOOK_PRIORITY
]));
7127 if (priority
!= flowtable
->data
.priority
)
7131 flowtable_hook
->priority
= flowtable
->data
.priority
;
7132 flowtable_hook
->num
= flowtable
->hooknum
;
7135 if (tb
[NFTA_FLOWTABLE_HOOK_DEVS
]) {
7136 err
= nf_tables_parse_netdev_hooks(ctx
->net
,
7137 tb
[NFTA_FLOWTABLE_HOOK_DEVS
],
7138 &flowtable_hook
->list
);
7143 list_for_each_entry(hook
, &flowtable_hook
->list
, list
) {
7144 hook
->ops
.pf
= NFPROTO_NETDEV
;
7145 hook
->ops
.hooknum
= flowtable_hook
->num
;
7146 hook
->ops
.priority
= flowtable_hook
->priority
;
7147 hook
->ops
.priv
= &flowtable
->data
;
7148 hook
->ops
.hook
= flowtable
->data
.type
->hook
;
7154 static const struct nf_flowtable_type
*__nft_flowtable_type_get(u8 family
)
7156 const struct nf_flowtable_type
*type
;
7158 list_for_each_entry(type
, &nf_tables_flowtables
, list
) {
7159 if (family
== type
->family
)
7165 static const struct nf_flowtable_type
*
7166 nft_flowtable_type_get(struct net
*net
, u8 family
)
7168 const struct nf_flowtable_type
*type
;
7170 type
= __nft_flowtable_type_get(family
);
7171 if (type
!= NULL
&& try_module_get(type
->owner
))
7174 lockdep_nfnl_nft_mutex_not_held();
7175 #ifdef CONFIG_MODULES
7177 if (nft_request_module(net
, "nf-flowtable-%u", family
) == -EAGAIN
)
7178 return ERR_PTR(-EAGAIN
);
7181 return ERR_PTR(-ENOENT
);
7184 /* Only called from error and netdev event paths. */
7185 static void nft_unregister_flowtable_hook(struct net
*net
,
7186 struct nft_flowtable
*flowtable
,
7187 struct nft_hook
*hook
)
7189 nf_unregister_net_hook(net
, &hook
->ops
);
7190 flowtable
->data
.type
->setup(&flowtable
->data
, hook
->ops
.dev
,
7194 static void nft_unregister_flowtable_net_hooks(struct net
*net
,
7195 struct list_head
*hook_list
)
7197 struct nft_hook
*hook
;
7199 list_for_each_entry(hook
, hook_list
, list
)
7200 nf_unregister_net_hook(net
, &hook
->ops
);
7203 static int nft_register_flowtable_net_hooks(struct net
*net
,
7204 struct nft_table
*table
,
7205 struct list_head
*hook_list
,
7206 struct nft_flowtable
*flowtable
)
7208 struct nft_hook
*hook
, *hook2
, *next
;
7209 struct nft_flowtable
*ft
;
7212 list_for_each_entry(hook
, hook_list
, list
) {
7213 list_for_each_entry(ft
, &table
->flowtables
, list
) {
7214 if (!nft_is_active_next(net
, ft
))
7217 list_for_each_entry(hook2
, &ft
->hook_list
, list
) {
7218 if (hook
->ops
.dev
== hook2
->ops
.dev
&&
7219 hook
->ops
.pf
== hook2
->ops
.pf
) {
7221 goto err_unregister_net_hooks
;
7226 err
= flowtable
->data
.type
->setup(&flowtable
->data
,
7230 goto err_unregister_net_hooks
;
7232 err
= nf_register_net_hook(net
, &hook
->ops
);
7234 flowtable
->data
.type
->setup(&flowtable
->data
,
7237 goto err_unregister_net_hooks
;
7245 err_unregister_net_hooks
:
7246 list_for_each_entry_safe(hook
, next
, hook_list
, list
) {
7250 nft_unregister_flowtable_hook(net
, flowtable
, hook
);
7251 list_del_rcu(&hook
->list
);
7252 kfree_rcu(hook
, rcu
);
7258 static void nft_flowtable_hooks_destroy(struct list_head
*hook_list
)
7260 struct nft_hook
*hook
, *next
;
7262 list_for_each_entry_safe(hook
, next
, hook_list
, list
) {
7263 list_del_rcu(&hook
->list
);
7264 kfree_rcu(hook
, rcu
);
7268 static int nft_flowtable_update(struct nft_ctx
*ctx
, const struct nlmsghdr
*nlh
,
7269 struct nft_flowtable
*flowtable
)
7271 const struct nlattr
* const *nla
= ctx
->nla
;
7272 struct nft_flowtable_hook flowtable_hook
;
7273 struct nft_hook
*hook
, *next
;
7274 struct nft_trans
*trans
;
7275 bool unregister
= false;
7279 err
= nft_flowtable_parse_hook(ctx
, nla
[NFTA_FLOWTABLE_HOOK
],
7280 &flowtable_hook
, flowtable
, false);
7284 list_for_each_entry_safe(hook
, next
, &flowtable_hook
.list
, list
) {
7285 if (nft_hook_list_find(&flowtable
->hook_list
, hook
)) {
7286 list_del(&hook
->list
);
7291 if (nla
[NFTA_FLOWTABLE_FLAGS
]) {
7292 flags
= ntohl(nla_get_be32(nla
[NFTA_FLOWTABLE_FLAGS
]));
7293 if (flags
& ~NFT_FLOWTABLE_MASK
)
7295 if ((flowtable
->data
.flags
& NFT_FLOWTABLE_HW_OFFLOAD
) ^
7296 (flags
& NFT_FLOWTABLE_HW_OFFLOAD
))
7299 flags
= flowtable
->data
.flags
;
7302 err
= nft_register_flowtable_net_hooks(ctx
->net
, ctx
->table
,
7303 &flowtable_hook
.list
, flowtable
);
7305 goto err_flowtable_update_hook
;
7307 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWFLOWTABLE
,
7308 sizeof(struct nft_trans_flowtable
));
7312 goto err_flowtable_update_hook
;
7315 nft_trans_flowtable_flags(trans
) = flags
;
7316 nft_trans_flowtable(trans
) = flowtable
;
7317 nft_trans_flowtable_update(trans
) = true;
7318 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans
));
7319 list_splice(&flowtable_hook
.list
, &nft_trans_flowtable_hooks(trans
));
7321 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
7325 err_flowtable_update_hook
:
7326 list_for_each_entry_safe(hook
, next
, &flowtable_hook
.list
, list
) {
7328 nft_unregister_flowtable_hook(ctx
->net
, flowtable
, hook
);
7329 list_del_rcu(&hook
->list
);
7330 kfree_rcu(hook
, rcu
);
7337 static int nf_tables_newflowtable(struct sk_buff
*skb
,
7338 const struct nfnl_info
*info
,
7339 const struct nlattr
* const nla
[])
7341 struct netlink_ext_ack
*extack
= info
->extack
;
7342 struct nft_flowtable_hook flowtable_hook
;
7343 u8 genmask
= nft_genmask_next(info
->net
);
7344 u8 family
= info
->nfmsg
->nfgen_family
;
7345 const struct nf_flowtable_type
*type
;
7346 struct nft_flowtable
*flowtable
;
7347 struct nft_hook
*hook
, *next
;
7348 struct net
*net
= info
->net
;
7349 struct nft_table
*table
;
7353 if (!nla
[NFTA_FLOWTABLE_TABLE
] ||
7354 !nla
[NFTA_FLOWTABLE_NAME
] ||
7355 !nla
[NFTA_FLOWTABLE_HOOK
])
7358 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
7359 genmask
, NETLINK_CB(skb
).portid
);
7360 if (IS_ERR(table
)) {
7361 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_TABLE
]);
7362 return PTR_ERR(table
);
7365 flowtable
= nft_flowtable_lookup(table
, nla
[NFTA_FLOWTABLE_NAME
],
7367 if (IS_ERR(flowtable
)) {
7368 err
= PTR_ERR(flowtable
);
7369 if (err
!= -ENOENT
) {
7370 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_NAME
]);
7374 if (info
->nlh
->nlmsg_flags
& NLM_F_EXCL
) {
7375 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_NAME
]);
7379 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
7381 return nft_flowtable_update(&ctx
, info
->nlh
, flowtable
);
7384 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
7386 flowtable
= kzalloc(sizeof(*flowtable
), GFP_KERNEL
);
7390 flowtable
->table
= table
;
7391 flowtable
->handle
= nf_tables_alloc_handle(table
);
7392 INIT_LIST_HEAD(&flowtable
->hook_list
);
7394 flowtable
->name
= nla_strdup(nla
[NFTA_FLOWTABLE_NAME
], GFP_KERNEL
);
7395 if (!flowtable
->name
) {
7400 type
= nft_flowtable_type_get(net
, family
);
7402 err
= PTR_ERR(type
);
7406 if (nla
[NFTA_FLOWTABLE_FLAGS
]) {
7407 flowtable
->data
.flags
=
7408 ntohl(nla_get_be32(nla
[NFTA_FLOWTABLE_FLAGS
]));
7409 if (flowtable
->data
.flags
& ~NFT_FLOWTABLE_MASK
) {
7415 write_pnet(&flowtable
->data
.net
, net
);
7416 flowtable
->data
.type
= type
;
7417 err
= type
->init(&flowtable
->data
);
7421 err
= nft_flowtable_parse_hook(&ctx
, nla
[NFTA_FLOWTABLE_HOOK
],
7422 &flowtable_hook
, flowtable
, true);
7426 list_splice(&flowtable_hook
.list
, &flowtable
->hook_list
);
7427 flowtable
->data
.priority
= flowtable_hook
.priority
;
7428 flowtable
->hooknum
= flowtable_hook
.num
;
7430 err
= nft_register_flowtable_net_hooks(ctx
.net
, table
,
7431 &flowtable
->hook_list
,
7434 nft_flowtable_hooks_destroy(&flowtable
->hook_list
);
7438 err
= nft_trans_flowtable_add(&ctx
, NFT_MSG_NEWFLOWTABLE
, flowtable
);
7442 list_add_tail_rcu(&flowtable
->list
, &table
->flowtables
);
7447 list_for_each_entry_safe(hook
, next
, &flowtable
->hook_list
, list
) {
7448 nft_unregister_flowtable_hook(net
, flowtable
, hook
);
7449 list_del_rcu(&hook
->list
);
7450 kfree_rcu(hook
, rcu
);
7453 flowtable
->data
.type
->free(&flowtable
->data
);
7455 module_put(type
->owner
);
7457 kfree(flowtable
->name
);
7463 static void nft_flowtable_hook_release(struct nft_flowtable_hook
*flowtable_hook
)
7465 struct nft_hook
*this, *next
;
7467 list_for_each_entry_safe(this, next
, &flowtable_hook
->list
, list
) {
7468 list_del(&this->list
);
7473 static int nft_delflowtable_hook(struct nft_ctx
*ctx
,
7474 struct nft_flowtable
*flowtable
)
7476 const struct nlattr
* const *nla
= ctx
->nla
;
7477 struct nft_flowtable_hook flowtable_hook
;
7478 struct nft_hook
*this, *hook
;
7479 struct nft_trans
*trans
;
7482 err
= nft_flowtable_parse_hook(ctx
, nla
[NFTA_FLOWTABLE_HOOK
],
7483 &flowtable_hook
, flowtable
, false);
7487 list_for_each_entry(this, &flowtable_hook
.list
, list
) {
7488 hook
= nft_hook_list_find(&flowtable
->hook_list
, this);
7491 goto err_flowtable_del_hook
;
7493 hook
->inactive
= true;
7496 trans
= nft_trans_alloc(ctx
, NFT_MSG_DELFLOWTABLE
,
7497 sizeof(struct nft_trans_flowtable
));
7500 goto err_flowtable_del_hook
;
7503 nft_trans_flowtable(trans
) = flowtable
;
7504 nft_trans_flowtable_update(trans
) = true;
7505 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans
));
7506 nft_flowtable_hook_release(&flowtable_hook
);
7508 nft_trans_commit_list_add_tail(ctx
->net
, trans
);
7512 err_flowtable_del_hook
:
7513 list_for_each_entry(this, &flowtable_hook
.list
, list
) {
7514 hook
= nft_hook_list_find(&flowtable
->hook_list
, this);
7518 hook
->inactive
= false;
7520 nft_flowtable_hook_release(&flowtable_hook
);
7525 static int nf_tables_delflowtable(struct sk_buff
*skb
,
7526 const struct nfnl_info
*info
,
7527 const struct nlattr
* const nla
[])
7529 struct netlink_ext_ack
*extack
= info
->extack
;
7530 u8 genmask
= nft_genmask_next(info
->net
);
7531 u8 family
= info
->nfmsg
->nfgen_family
;
7532 struct nft_flowtable
*flowtable
;
7533 struct net
*net
= info
->net
;
7534 const struct nlattr
*attr
;
7535 struct nft_table
*table
;
7538 if (!nla
[NFTA_FLOWTABLE_TABLE
] ||
7539 (!nla
[NFTA_FLOWTABLE_NAME
] &&
7540 !nla
[NFTA_FLOWTABLE_HANDLE
]))
7543 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
7544 genmask
, NETLINK_CB(skb
).portid
);
7545 if (IS_ERR(table
)) {
7546 NL_SET_BAD_ATTR(extack
, nla
[NFTA_FLOWTABLE_TABLE
]);
7547 return PTR_ERR(table
);
7550 if (nla
[NFTA_FLOWTABLE_HANDLE
]) {
7551 attr
= nla
[NFTA_FLOWTABLE_HANDLE
];
7552 flowtable
= nft_flowtable_lookup_byhandle(table
, attr
, genmask
);
7554 attr
= nla
[NFTA_FLOWTABLE_NAME
];
7555 flowtable
= nft_flowtable_lookup(table
, attr
, genmask
);
7558 if (IS_ERR(flowtable
)) {
7559 NL_SET_BAD_ATTR(extack
, attr
);
7560 return PTR_ERR(flowtable
);
7563 nft_ctx_init(&ctx
, net
, skb
, info
->nlh
, family
, table
, NULL
, nla
);
7565 if (nla
[NFTA_FLOWTABLE_HOOK
])
7566 return nft_delflowtable_hook(&ctx
, flowtable
);
7568 if (flowtable
->use
> 0) {
7569 NL_SET_BAD_ATTR(extack
, attr
);
7573 return nft_delflowtable(&ctx
, flowtable
);
7576 static int nf_tables_fill_flowtable_info(struct sk_buff
*skb
, struct net
*net
,
7577 u32 portid
, u32 seq
, int event
,
7578 u32 flags
, int family
,
7579 struct nft_flowtable
*flowtable
,
7580 struct list_head
*hook_list
)
7582 struct nlattr
*nest
, *nest_devs
;
7583 struct nft_hook
*hook
;
7584 struct nlmsghdr
*nlh
;
7586 event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, event
);
7587 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, flags
, family
,
7588 NFNETLINK_V0
, nft_base_seq(net
));
7590 goto nla_put_failure
;
7592 if (nla_put_string(skb
, NFTA_FLOWTABLE_TABLE
, flowtable
->table
->name
) ||
7593 nla_put_string(skb
, NFTA_FLOWTABLE_NAME
, flowtable
->name
) ||
7594 nla_put_be32(skb
, NFTA_FLOWTABLE_USE
, htonl(flowtable
->use
)) ||
7595 nla_put_be64(skb
, NFTA_FLOWTABLE_HANDLE
, cpu_to_be64(flowtable
->handle
),
7596 NFTA_FLOWTABLE_PAD
) ||
7597 nla_put_be32(skb
, NFTA_FLOWTABLE_FLAGS
, htonl(flowtable
->data
.flags
)))
7598 goto nla_put_failure
;
7600 nest
= nla_nest_start_noflag(skb
, NFTA_FLOWTABLE_HOOK
);
7602 goto nla_put_failure
;
7603 if (nla_put_be32(skb
, NFTA_FLOWTABLE_HOOK_NUM
, htonl(flowtable
->hooknum
)) ||
7604 nla_put_be32(skb
, NFTA_FLOWTABLE_HOOK_PRIORITY
, htonl(flowtable
->data
.priority
)))
7605 goto nla_put_failure
;
7607 nest_devs
= nla_nest_start_noflag(skb
, NFTA_FLOWTABLE_HOOK_DEVS
);
7609 goto nla_put_failure
;
7611 list_for_each_entry_rcu(hook
, hook_list
, list
) {
7612 if (nla_put_string(skb
, NFTA_DEVICE_NAME
, hook
->ops
.dev
->name
))
7613 goto nla_put_failure
;
7615 nla_nest_end(skb
, nest_devs
);
7616 nla_nest_end(skb
, nest
);
7618 nlmsg_end(skb
, nlh
);
7622 nlmsg_trim(skb
, nlh
);
7626 struct nft_flowtable_filter
{
7630 static int nf_tables_dump_flowtable(struct sk_buff
*skb
,
7631 struct netlink_callback
*cb
)
7633 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
7634 struct nft_flowtable_filter
*filter
= cb
->data
;
7635 unsigned int idx
= 0, s_idx
= cb
->args
[0];
7636 struct net
*net
= sock_net(skb
->sk
);
7637 int family
= nfmsg
->nfgen_family
;
7638 struct nft_flowtable
*flowtable
;
7639 struct nftables_pernet
*nft_net
;
7640 const struct nft_table
*table
;
7643 nft_net
= nft_pernet(net
);
7644 cb
->seq
= nft_net
->base_seq
;
7646 list_for_each_entry_rcu(table
, &nft_net
->tables
, list
) {
7647 if (family
!= NFPROTO_UNSPEC
&& family
!= table
->family
)
7650 list_for_each_entry_rcu(flowtable
, &table
->flowtables
, list
) {
7651 if (!nft_is_active(net
, flowtable
))
7656 memset(&cb
->args
[1], 0,
7657 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
7658 if (filter
&& filter
->table
&&
7659 strcmp(filter
->table
, table
->name
))
7662 if (nf_tables_fill_flowtable_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
7664 NFT_MSG_NEWFLOWTABLE
,
7665 NLM_F_MULTI
| NLM_F_APPEND
,
7668 &flowtable
->hook_list
) < 0)
7671 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
7683 static int nf_tables_dump_flowtable_start(struct netlink_callback
*cb
)
7685 const struct nlattr
* const *nla
= cb
->data
;
7686 struct nft_flowtable_filter
*filter
= NULL
;
7688 if (nla
[NFTA_FLOWTABLE_TABLE
]) {
7689 filter
= kzalloc(sizeof(*filter
), GFP_ATOMIC
);
7693 filter
->table
= nla_strdup(nla
[NFTA_FLOWTABLE_TABLE
],
7695 if (!filter
->table
) {
7705 static int nf_tables_dump_flowtable_done(struct netlink_callback
*cb
)
7707 struct nft_flowtable_filter
*filter
= cb
->data
;
7712 kfree(filter
->table
);
7718 /* called with rcu_read_lock held */
7719 static int nf_tables_getflowtable(struct sk_buff
*skb
,
7720 const struct nfnl_info
*info
,
7721 const struct nlattr
* const nla
[])
7723 u8 genmask
= nft_genmask_cur(info
->net
);
7724 u8 family
= info
->nfmsg
->nfgen_family
;
7725 struct nft_flowtable
*flowtable
;
7726 const struct nft_table
*table
;
7727 struct net
*net
= info
->net
;
7728 struct sk_buff
*skb2
;
7731 if (info
->nlh
->nlmsg_flags
& NLM_F_DUMP
) {
7732 struct netlink_dump_control c
= {
7733 .start
= nf_tables_dump_flowtable_start
,
7734 .dump
= nf_tables_dump_flowtable
,
7735 .done
= nf_tables_dump_flowtable_done
,
7736 .module
= THIS_MODULE
,
7737 .data
= (void *)nla
,
7740 return nft_netlink_dump_start_rcu(info
->sk
, skb
, info
->nlh
, &c
);
7743 if (!nla
[NFTA_FLOWTABLE_NAME
])
7746 table
= nft_table_lookup(net
, nla
[NFTA_FLOWTABLE_TABLE
], family
,
7749 return PTR_ERR(table
);
7751 flowtable
= nft_flowtable_lookup(table
, nla
[NFTA_FLOWTABLE_NAME
],
7753 if (IS_ERR(flowtable
))
7754 return PTR_ERR(flowtable
);
7756 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
7760 err
= nf_tables_fill_flowtable_info(skb2
, net
, NETLINK_CB(skb
).portid
,
7761 info
->nlh
->nlmsg_seq
,
7762 NFT_MSG_NEWFLOWTABLE
, 0, family
,
7763 flowtable
, &flowtable
->hook_list
);
7765 goto err_fill_flowtable_info
;
7767 return nfnetlink_unicast(skb2
, net
, NETLINK_CB(skb
).portid
);
7769 err_fill_flowtable_info
:
7774 static void nf_tables_flowtable_notify(struct nft_ctx
*ctx
,
7775 struct nft_flowtable
*flowtable
,
7776 struct list_head
*hook_list
,
7779 struct nftables_pernet
*nft_net
= nft_pernet(ctx
->net
);
7780 struct sk_buff
*skb
;
7785 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
7788 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
7792 if (ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
))
7793 flags
|= ctx
->flags
& (NLM_F_CREATE
| NLM_F_EXCL
);
7795 err
= nf_tables_fill_flowtable_info(skb
, ctx
->net
, ctx
->portid
,
7796 ctx
->seq
, event
, flags
,
7797 ctx
->family
, flowtable
, hook_list
);
7803 nft_notify_enqueue(skb
, ctx
->report
, &nft_net
->notify_list
);
7806 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
, -ENOBUFS
);
7809 static void nf_tables_flowtable_destroy(struct nft_flowtable
*flowtable
)
7811 struct nft_hook
*hook
, *next
;
7813 flowtable
->data
.type
->free(&flowtable
->data
);
7814 list_for_each_entry_safe(hook
, next
, &flowtable
->hook_list
, list
) {
7815 flowtable
->data
.type
->setup(&flowtable
->data
, hook
->ops
.dev
,
7817 list_del_rcu(&hook
->list
);
7820 kfree(flowtable
->name
);
7821 module_put(flowtable
->data
.type
->owner
);
7825 static int nf_tables_fill_gen_info(struct sk_buff
*skb
, struct net
*net
,
7826 u32 portid
, u32 seq
)
7828 struct nftables_pernet
*nft_net
= nft_pernet(net
);
7829 struct nlmsghdr
*nlh
;
7830 char buf
[TASK_COMM_LEN
];
7831 int event
= nfnl_msg_type(NFNL_SUBSYS_NFTABLES
, NFT_MSG_NEWGEN
);
7833 nlh
= nfnl_msg_put(skb
, portid
, seq
, event
, 0, AF_UNSPEC
,
7834 NFNETLINK_V0
, nft_base_seq(net
));
7836 goto nla_put_failure
;
7838 if (nla_put_be32(skb
, NFTA_GEN_ID
, htonl(nft_net
->base_seq
)) ||
7839 nla_put_be32(skb
, NFTA_GEN_PROC_PID
, htonl(task_pid_nr(current
))) ||
7840 nla_put_string(skb
, NFTA_GEN_PROC_NAME
, get_task_comm(buf
, current
)))
7841 goto nla_put_failure
;
7843 nlmsg_end(skb
, nlh
);
7847 nlmsg_trim(skb
, nlh
);
7851 static void nft_flowtable_event(unsigned long event
, struct net_device
*dev
,
7852 struct nft_flowtable
*flowtable
)
7854 struct nft_hook
*hook
;
7856 list_for_each_entry(hook
, &flowtable
->hook_list
, list
) {
7857 if (hook
->ops
.dev
!= dev
)
7860 /* flow_offload_netdev_event() cleans up entries for us. */
7861 nft_unregister_flowtable_hook(dev_net(dev
), flowtable
, hook
);
7862 list_del_rcu(&hook
->list
);
7863 kfree_rcu(hook
, rcu
);
7868 static int nf_tables_flowtable_event(struct notifier_block
*this,
7869 unsigned long event
, void *ptr
)
7871 struct net_device
*dev
= netdev_notifier_info_to_dev(ptr
);
7872 struct nft_flowtable
*flowtable
;
7873 struct nftables_pernet
*nft_net
;
7874 struct nft_table
*table
;
7877 if (event
!= NETDEV_UNREGISTER
)
7881 nft_net
= nft_pernet(net
);
7882 mutex_lock(&nft_net
->commit_mutex
);
7883 list_for_each_entry(table
, &nft_net
->tables
, list
) {
7884 list_for_each_entry(flowtable
, &table
->flowtables
, list
) {
7885 nft_flowtable_event(event
, dev
, flowtable
);
7888 mutex_unlock(&nft_net
->commit_mutex
);
7893 static struct notifier_block nf_tables_flowtable_notifier
= {
7894 .notifier_call
= nf_tables_flowtable_event
,
7897 static void nf_tables_gen_notify(struct net
*net
, struct sk_buff
*skb
,
7900 struct nlmsghdr
*nlh
= nlmsg_hdr(skb
);
7901 struct sk_buff
*skb2
;
7904 if (!nlmsg_report(nlh
) &&
7905 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
7908 skb2
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
7912 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
7919 nfnetlink_send(skb2
, net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
7920 nlmsg_report(nlh
), GFP_KERNEL
);
7923 nfnetlink_set_err(net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
7927 static int nf_tables_getgen(struct sk_buff
*skb
, const struct nfnl_info
*info
,
7928 const struct nlattr
* const nla
[])
7930 struct sk_buff
*skb2
;
7933 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_ATOMIC
);
7937 err
= nf_tables_fill_gen_info(skb2
, info
->net
, NETLINK_CB(skb
).portid
,
7938 info
->nlh
->nlmsg_seq
);
7940 goto err_fill_gen_info
;
7942 return nfnetlink_unicast(skb2
, info
->net
, NETLINK_CB(skb
).portid
);
7949 static const struct nfnl_callback nf_tables_cb
[NFT_MSG_MAX
] = {
7950 [NFT_MSG_NEWTABLE
] = {
7951 .call
= nf_tables_newtable
,
7952 .type
= NFNL_CB_BATCH
,
7953 .attr_count
= NFTA_TABLE_MAX
,
7954 .policy
= nft_table_policy
,
7956 [NFT_MSG_GETTABLE
] = {
7957 .call
= nf_tables_gettable
,
7958 .type
= NFNL_CB_RCU
,
7959 .attr_count
= NFTA_TABLE_MAX
,
7960 .policy
= nft_table_policy
,
7962 [NFT_MSG_DELTABLE
] = {
7963 .call
= nf_tables_deltable
,
7964 .type
= NFNL_CB_BATCH
,
7965 .attr_count
= NFTA_TABLE_MAX
,
7966 .policy
= nft_table_policy
,
7968 [NFT_MSG_NEWCHAIN
] = {
7969 .call
= nf_tables_newchain
,
7970 .type
= NFNL_CB_BATCH
,
7971 .attr_count
= NFTA_CHAIN_MAX
,
7972 .policy
= nft_chain_policy
,
7974 [NFT_MSG_GETCHAIN
] = {
7975 .call
= nf_tables_getchain
,
7976 .type
= NFNL_CB_RCU
,
7977 .attr_count
= NFTA_CHAIN_MAX
,
7978 .policy
= nft_chain_policy
,
7980 [NFT_MSG_DELCHAIN
] = {
7981 .call
= nf_tables_delchain
,
7982 .type
= NFNL_CB_BATCH
,
7983 .attr_count
= NFTA_CHAIN_MAX
,
7984 .policy
= nft_chain_policy
,
7986 [NFT_MSG_NEWRULE
] = {
7987 .call
= nf_tables_newrule
,
7988 .type
= NFNL_CB_BATCH
,
7989 .attr_count
= NFTA_RULE_MAX
,
7990 .policy
= nft_rule_policy
,
7992 [NFT_MSG_GETRULE
] = {
7993 .call
= nf_tables_getrule
,
7994 .type
= NFNL_CB_RCU
,
7995 .attr_count
= NFTA_RULE_MAX
,
7996 .policy
= nft_rule_policy
,
7998 [NFT_MSG_DELRULE
] = {
7999 .call
= nf_tables_delrule
,
8000 .type
= NFNL_CB_BATCH
,
8001 .attr_count
= NFTA_RULE_MAX
,
8002 .policy
= nft_rule_policy
,
8004 [NFT_MSG_NEWSET
] = {
8005 .call
= nf_tables_newset
,
8006 .type
= NFNL_CB_BATCH
,
8007 .attr_count
= NFTA_SET_MAX
,
8008 .policy
= nft_set_policy
,
8010 [NFT_MSG_GETSET
] = {
8011 .call
= nf_tables_getset
,
8012 .type
= NFNL_CB_RCU
,
8013 .attr_count
= NFTA_SET_MAX
,
8014 .policy
= nft_set_policy
,
8016 [NFT_MSG_DELSET
] = {
8017 .call
= nf_tables_delset
,
8018 .type
= NFNL_CB_BATCH
,
8019 .attr_count
= NFTA_SET_MAX
,
8020 .policy
= nft_set_policy
,
8022 [NFT_MSG_NEWSETELEM
] = {
8023 .call
= nf_tables_newsetelem
,
8024 .type
= NFNL_CB_BATCH
,
8025 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
8026 .policy
= nft_set_elem_list_policy
,
8028 [NFT_MSG_GETSETELEM
] = {
8029 .call
= nf_tables_getsetelem
,
8030 .type
= NFNL_CB_RCU
,
8031 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
8032 .policy
= nft_set_elem_list_policy
,
8034 [NFT_MSG_DELSETELEM
] = {
8035 .call
= nf_tables_delsetelem
,
8036 .type
= NFNL_CB_BATCH
,
8037 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
8038 .policy
= nft_set_elem_list_policy
,
8040 [NFT_MSG_GETGEN
] = {
8041 .call
= nf_tables_getgen
,
8042 .type
= NFNL_CB_RCU
,
8044 [NFT_MSG_NEWOBJ
] = {
8045 .call
= nf_tables_newobj
,
8046 .type
= NFNL_CB_BATCH
,
8047 .attr_count
= NFTA_OBJ_MAX
,
8048 .policy
= nft_obj_policy
,
8050 [NFT_MSG_GETOBJ
] = {
8051 .call
= nf_tables_getobj
,
8052 .type
= NFNL_CB_RCU
,
8053 .attr_count
= NFTA_OBJ_MAX
,
8054 .policy
= nft_obj_policy
,
8056 [NFT_MSG_DELOBJ
] = {
8057 .call
= nf_tables_delobj
,
8058 .type
= NFNL_CB_BATCH
,
8059 .attr_count
= NFTA_OBJ_MAX
,
8060 .policy
= nft_obj_policy
,
8062 [NFT_MSG_GETOBJ_RESET
] = {
8063 .call
= nf_tables_getobj
,
8064 .type
= NFNL_CB_RCU
,
8065 .attr_count
= NFTA_OBJ_MAX
,
8066 .policy
= nft_obj_policy
,
8068 [NFT_MSG_NEWFLOWTABLE
] = {
8069 .call
= nf_tables_newflowtable
,
8070 .type
= NFNL_CB_BATCH
,
8071 .attr_count
= NFTA_FLOWTABLE_MAX
,
8072 .policy
= nft_flowtable_policy
,
8074 [NFT_MSG_GETFLOWTABLE
] = {
8075 .call
= nf_tables_getflowtable
,
8076 .type
= NFNL_CB_RCU
,
8077 .attr_count
= NFTA_FLOWTABLE_MAX
,
8078 .policy
= nft_flowtable_policy
,
8080 [NFT_MSG_DELFLOWTABLE
] = {
8081 .call
= nf_tables_delflowtable
,
8082 .type
= NFNL_CB_BATCH
,
8083 .attr_count
= NFTA_FLOWTABLE_MAX
,
8084 .policy
= nft_flowtable_policy
,
8088 static int nf_tables_validate(struct net
*net
)
8090 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8091 struct nft_table
*table
;
8093 switch (nft_net
->validate_state
) {
8094 case NFT_VALIDATE_SKIP
:
8096 case NFT_VALIDATE_NEED
:
8097 nft_validate_state_update(net
, NFT_VALIDATE_DO
);
8099 case NFT_VALIDATE_DO
:
8100 list_for_each_entry(table
, &nft_net
->tables
, list
) {
8101 if (nft_table_validate(net
, table
) < 0)
8110 /* a drop policy has to be deferred until all rules have been activated,
8111 * otherwise a large ruleset that contains a drop-policy base chain will
8112 * cause all packets to get dropped until the full transaction has been
8115 * We defer the drop policy until the transaction has been finalized.
8117 static void nft_chain_commit_drop_policy(struct nft_trans
*trans
)
8119 struct nft_base_chain
*basechain
;
8121 if (nft_trans_chain_policy(trans
) != NF_DROP
)
8124 if (!nft_is_base_chain(trans
->ctx
.chain
))
8127 basechain
= nft_base_chain(trans
->ctx
.chain
);
8128 basechain
->policy
= NF_DROP
;
8131 static void nft_chain_commit_update(struct nft_trans
*trans
)
8133 struct nft_base_chain
*basechain
;
8135 if (nft_trans_chain_name(trans
)) {
8136 rhltable_remove(&trans
->ctx
.table
->chains_ht
,
8137 &trans
->ctx
.chain
->rhlhead
,
8138 nft_chain_ht_params
);
8139 swap(trans
->ctx
.chain
->name
, nft_trans_chain_name(trans
));
8140 rhltable_insert_key(&trans
->ctx
.table
->chains_ht
,
8141 trans
->ctx
.chain
->name
,
8142 &trans
->ctx
.chain
->rhlhead
,
8143 nft_chain_ht_params
);
8146 if (!nft_is_base_chain(trans
->ctx
.chain
))
8149 nft_chain_stats_replace(trans
);
8151 basechain
= nft_base_chain(trans
->ctx
.chain
);
8153 switch (nft_trans_chain_policy(trans
)) {
8156 basechain
->policy
= nft_trans_chain_policy(trans
);
8161 static void nft_obj_commit_update(struct nft_trans
*trans
)
8163 struct nft_object
*newobj
;
8164 struct nft_object
*obj
;
8166 obj
= nft_trans_obj(trans
);
8167 newobj
= nft_trans_obj_newobj(trans
);
8169 if (obj
->ops
->update
)
8170 obj
->ops
->update(obj
, newobj
);
8175 static void nft_commit_release(struct nft_trans
*trans
)
8177 switch (trans
->msg_type
) {
8178 case NFT_MSG_DELTABLE
:
8179 nf_tables_table_destroy(&trans
->ctx
);
8181 case NFT_MSG_NEWCHAIN
:
8182 free_percpu(nft_trans_chain_stats(trans
));
8183 kfree(nft_trans_chain_name(trans
));
8185 case NFT_MSG_DELCHAIN
:
8186 nf_tables_chain_destroy(&trans
->ctx
);
8188 case NFT_MSG_DELRULE
:
8189 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
8191 case NFT_MSG_DELSET
:
8192 nft_set_destroy(&trans
->ctx
, nft_trans_set(trans
));
8194 case NFT_MSG_DELSETELEM
:
8195 nf_tables_set_elem_destroy(&trans
->ctx
,
8196 nft_trans_elem_set(trans
),
8197 nft_trans_elem(trans
).priv
);
8199 case NFT_MSG_DELOBJ
:
8200 nft_obj_destroy(&trans
->ctx
, nft_trans_obj(trans
));
8202 case NFT_MSG_DELFLOWTABLE
:
8203 if (nft_trans_flowtable_update(trans
))
8204 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans
));
8206 nf_tables_flowtable_destroy(nft_trans_flowtable(trans
));
8211 put_net(trans
->ctx
.net
);
8216 static void nf_tables_trans_destroy_work(struct work_struct
*w
)
8218 struct nft_trans
*trans
, *next
;
8221 spin_lock(&nf_tables_destroy_list_lock
);
8222 list_splice_init(&nf_tables_destroy_list
, &head
);
8223 spin_unlock(&nf_tables_destroy_list_lock
);
8225 if (list_empty(&head
))
8230 list_for_each_entry_safe(trans
, next
, &head
, list
) {
8231 list_del(&trans
->list
);
8232 nft_commit_release(trans
);
8236 void nf_tables_trans_destroy_flush_work(void)
8238 flush_work(&trans_destroy_work
);
8240 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work
);
8242 static int nf_tables_commit_chain_prepare(struct net
*net
, struct nft_chain
*chain
)
8244 struct nft_rule
*rule
;
8245 unsigned int alloc
= 0;
8248 /* already handled or inactive chain? */
8249 if (chain
->rules_next
|| !nft_is_active_next(net
, chain
))
8252 rule
= list_entry(&chain
->rules
, struct nft_rule
, list
);
8255 list_for_each_entry_continue(rule
, &chain
->rules
, list
) {
8256 if (nft_is_active_next(net
, rule
))
8260 chain
->rules_next
= nf_tables_chain_alloc_rules(chain
, alloc
);
8261 if (!chain
->rules_next
)
8264 list_for_each_entry_continue(rule
, &chain
->rules
, list
) {
8265 if (nft_is_active_next(net
, rule
))
8266 chain
->rules_next
[i
++] = rule
;
8269 chain
->rules_next
[i
] = NULL
;
8273 static void nf_tables_commit_chain_prepare_cancel(struct net
*net
)
8275 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8276 struct nft_trans
*trans
, *next
;
8278 list_for_each_entry_safe(trans
, next
, &nft_net
->commit_list
, list
) {
8279 struct nft_chain
*chain
= trans
->ctx
.chain
;
8281 if (trans
->msg_type
== NFT_MSG_NEWRULE
||
8282 trans
->msg_type
== NFT_MSG_DELRULE
) {
8283 kvfree(chain
->rules_next
);
8284 chain
->rules_next
= NULL
;
8289 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head
*h
)
8291 struct nft_rules_old
*o
= container_of(h
, struct nft_rules_old
, h
);
8296 static void nf_tables_commit_chain_free_rules_old(struct nft_rule
**rules
)
8298 struct nft_rule
**r
= rules
;
8299 struct nft_rules_old
*old
;
8304 r
++; /* rcu_head is after end marker */
8308 call_rcu(&old
->h
, __nf_tables_commit_chain_free_rules_old
);
8311 static void nf_tables_commit_chain(struct net
*net
, struct nft_chain
*chain
)
8313 struct nft_rule
**g0
, **g1
;
8316 next_genbit
= nft_gencursor_next(net
);
8318 g0
= rcu_dereference_protected(chain
->rules_gen_0
,
8319 lockdep_commit_lock_is_held(net
));
8320 g1
= rcu_dereference_protected(chain
->rules_gen_1
,
8321 lockdep_commit_lock_is_held(net
));
8323 /* No changes to this chain? */
8324 if (chain
->rules_next
== NULL
) {
8325 /* chain had no change in last or next generation */
8329 * chain had no change in this generation; make sure next
8330 * one uses same rules as current generation.
8333 rcu_assign_pointer(chain
->rules_gen_1
, g0
);
8334 nf_tables_commit_chain_free_rules_old(g1
);
8336 rcu_assign_pointer(chain
->rules_gen_0
, g1
);
8337 nf_tables_commit_chain_free_rules_old(g0
);
8344 rcu_assign_pointer(chain
->rules_gen_1
, chain
->rules_next
);
8346 rcu_assign_pointer(chain
->rules_gen_0
, chain
->rules_next
);
8348 chain
->rules_next
= NULL
;
8354 nf_tables_commit_chain_free_rules_old(g1
);
8356 nf_tables_commit_chain_free_rules_old(g0
);
8359 static void nft_obj_del(struct nft_object
*obj
)
8361 rhltable_remove(&nft_objname_ht
, &obj
->rhlhead
, nft_objname_ht_params
);
8362 list_del_rcu(&obj
->list
);
8365 void nft_chain_del(struct nft_chain
*chain
)
8367 struct nft_table
*table
= chain
->table
;
8369 WARN_ON_ONCE(rhltable_remove(&table
->chains_ht
, &chain
->rhlhead
,
8370 nft_chain_ht_params
));
8371 list_del_rcu(&chain
->list
);
8374 static void nft_flowtable_hooks_del(struct nft_flowtable
*flowtable
,
8375 struct list_head
*hook_list
)
8377 struct nft_hook
*hook
, *next
;
8379 list_for_each_entry_safe(hook
, next
, &flowtable
->hook_list
, list
) {
8381 list_move(&hook
->list
, hook_list
);
8385 static void nf_tables_module_autoload_cleanup(struct net
*net
)
8387 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8388 struct nft_module_request
*req
, *next
;
8390 WARN_ON_ONCE(!list_empty(&nft_net
->commit_list
));
8391 list_for_each_entry_safe(req
, next
, &nft_net
->module_list
, list
) {
8392 WARN_ON_ONCE(!req
->done
);
8393 list_del(&req
->list
);
8398 static void nf_tables_commit_release(struct net
*net
)
8400 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8401 struct nft_trans
*trans
;
8403 /* all side effects have to be made visible.
8404 * For example, if a chain named 'foo' has been deleted, a
8405 * new transaction must not find it anymore.
8407 * Memory reclaim happens asynchronously from work queue
8408 * to prevent expensive synchronize_rcu() in commit phase.
8410 if (list_empty(&nft_net
->commit_list
)) {
8411 nf_tables_module_autoload_cleanup(net
);
8412 mutex_unlock(&nft_net
->commit_mutex
);
8416 trans
= list_last_entry(&nft_net
->commit_list
,
8417 struct nft_trans
, list
);
8418 get_net(trans
->ctx
.net
);
8419 WARN_ON_ONCE(trans
->put_net
);
8421 trans
->put_net
= true;
8422 spin_lock(&nf_tables_destroy_list_lock
);
8423 list_splice_tail_init(&nft_net
->commit_list
, &nf_tables_destroy_list
);
8424 spin_unlock(&nf_tables_destroy_list_lock
);
8426 nf_tables_module_autoload_cleanup(net
);
8427 schedule_work(&trans_destroy_work
);
8429 mutex_unlock(&nft_net
->commit_mutex
);
8432 static void nft_commit_notify(struct net
*net
, u32 portid
)
8434 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8435 struct sk_buff
*batch_skb
= NULL
, *nskb
, *skb
;
8436 unsigned char *data
;
8439 list_for_each_entry_safe(skb
, nskb
, &nft_net
->notify_list
, list
) {
8443 len
= NLMSG_GOODSIZE
- skb
->len
;
8444 list_del(&skb
->list
);
8448 if (len
> 0 && NFT_CB(skb
).report
== NFT_CB(batch_skb
).report
) {
8449 data
= skb_put(batch_skb
, skb
->len
);
8450 memcpy(data
, skb
->data
, skb
->len
);
8451 list_del(&skb
->list
);
8455 nfnetlink_send(batch_skb
, net
, portid
, NFNLGRP_NFTABLES
,
8456 NFT_CB(batch_skb
).report
, GFP_KERNEL
);
8461 nfnetlink_send(batch_skb
, net
, portid
, NFNLGRP_NFTABLES
,
8462 NFT_CB(batch_skb
).report
, GFP_KERNEL
);
8465 WARN_ON_ONCE(!list_empty(&nft_net
->notify_list
));
8468 static int nf_tables_commit_audit_alloc(struct list_head
*adl
,
8469 struct nft_table
*table
)
8471 struct nft_audit_data
*adp
;
8473 list_for_each_entry(adp
, adl
, list
) {
8474 if (adp
->table
== table
)
8477 adp
= kzalloc(sizeof(*adp
), GFP_KERNEL
);
8481 list_add(&adp
->list
, adl
);
8485 static void nf_tables_commit_audit_free(struct list_head
*adl
)
8487 struct nft_audit_data
*adp
, *adn
;
8489 list_for_each_entry_safe(adp
, adn
, adl
, list
) {
8490 list_del(&adp
->list
);
8495 static void nf_tables_commit_audit_collect(struct list_head
*adl
,
8496 struct nft_table
*table
, u32 op
)
8498 struct nft_audit_data
*adp
;
8500 list_for_each_entry(adp
, adl
, list
) {
8501 if (adp
->table
== table
)
8504 WARN_ONCE(1, "table=%s not expected in commit list", table
->name
);
8508 if (!adp
->op
|| adp
->op
> op
)
8512 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
8514 static void nf_tables_commit_audit_log(struct list_head
*adl
, u32 generation
)
8516 struct nft_audit_data
*adp
, *adn
;
8517 char aubuf
[AUNFTABLENAMELEN
];
8519 list_for_each_entry_safe(adp
, adn
, adl
, list
) {
8520 snprintf(aubuf
, AUNFTABLENAMELEN
, "%s:%u", adp
->table
->name
,
8522 audit_log_nfcfg(aubuf
, adp
->table
->family
, adp
->entries
,
8523 nft2audit_op
[adp
->op
], GFP_KERNEL
);
8524 list_del(&adp
->list
);
8529 static int nf_tables_commit(struct net
*net
, struct sk_buff
*skb
)
8531 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8532 struct nft_trans
*trans
, *next
;
8533 struct nft_trans_elem
*te
;
8534 struct nft_chain
*chain
;
8535 struct nft_table
*table
;
8539 if (list_empty(&nft_net
->commit_list
)) {
8540 mutex_unlock(&nft_net
->commit_mutex
);
8544 /* 0. Validate ruleset, otherwise roll back for error reporting. */
8545 if (nf_tables_validate(net
) < 0)
8548 err
= nft_flow_rule_offload_commit(net
);
8552 /* 1. Allocate space for next generation rules_gen_X[] */
8553 list_for_each_entry_safe(trans
, next
, &nft_net
->commit_list
, list
) {
8556 ret
= nf_tables_commit_audit_alloc(&adl
, trans
->ctx
.table
);
8558 nf_tables_commit_chain_prepare_cancel(net
);
8559 nf_tables_commit_audit_free(&adl
);
8562 if (trans
->msg_type
== NFT_MSG_NEWRULE
||
8563 trans
->msg_type
== NFT_MSG_DELRULE
) {
8564 chain
= trans
->ctx
.chain
;
8566 ret
= nf_tables_commit_chain_prepare(net
, chain
);
8568 nf_tables_commit_chain_prepare_cancel(net
);
8569 nf_tables_commit_audit_free(&adl
);
8575 /* step 2. Make rules_gen_X visible to packet path */
8576 list_for_each_entry(table
, &nft_net
->tables
, list
) {
8577 list_for_each_entry(chain
, &table
->chains
, list
)
8578 nf_tables_commit_chain(net
, chain
);
8582 * Bump generation counter, invalidate any dump in progress.
8583 * Cannot fail after this point.
8585 while (++nft_net
->base_seq
== 0)
8588 /* step 3. Start new generation, rules_gen_X now in use. */
8589 net
->nft
.gencursor
= nft_gencursor_next(net
);
8591 list_for_each_entry_safe(trans
, next
, &nft_net
->commit_list
, list
) {
8592 nf_tables_commit_audit_collect(&adl
, trans
->ctx
.table
,
8594 switch (trans
->msg_type
) {
8595 case NFT_MSG_NEWTABLE
:
8596 if (nft_trans_table_update(trans
)) {
8597 if (!(trans
->ctx
.table
->flags
& __NFT_TABLE_F_UPDATE
)) {
8598 nft_trans_destroy(trans
);
8601 if (trans
->ctx
.table
->flags
& NFT_TABLE_F_DORMANT
)
8602 nf_tables_table_disable(net
, trans
->ctx
.table
);
8604 trans
->ctx
.table
->flags
&= ~__NFT_TABLE_F_UPDATE
;
8606 nft_clear(net
, trans
->ctx
.table
);
8608 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_NEWTABLE
);
8609 nft_trans_destroy(trans
);
8611 case NFT_MSG_DELTABLE
:
8612 list_del_rcu(&trans
->ctx
.table
->list
);
8613 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_DELTABLE
);
8615 case NFT_MSG_NEWCHAIN
:
8616 if (nft_trans_chain_update(trans
)) {
8617 nft_chain_commit_update(trans
);
8618 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
8619 /* trans destroyed after rcu grace period */
8621 nft_chain_commit_drop_policy(trans
);
8622 nft_clear(net
, trans
->ctx
.chain
);
8623 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
8624 nft_trans_destroy(trans
);
8627 case NFT_MSG_DELCHAIN
:
8628 nft_chain_del(trans
->ctx
.chain
);
8629 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_DELCHAIN
);
8630 nf_tables_unregister_hook(trans
->ctx
.net
,
8634 case NFT_MSG_NEWRULE
:
8635 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
8636 nf_tables_rule_notify(&trans
->ctx
,
8637 nft_trans_rule(trans
),
8639 nft_trans_destroy(trans
);
8641 case NFT_MSG_DELRULE
:
8642 list_del_rcu(&nft_trans_rule(trans
)->list
);
8643 nf_tables_rule_notify(&trans
->ctx
,
8644 nft_trans_rule(trans
),
8646 nft_rule_expr_deactivate(&trans
->ctx
,
8647 nft_trans_rule(trans
),
8650 case NFT_MSG_NEWSET
:
8651 nft_clear(net
, nft_trans_set(trans
));
8652 /* This avoids hitting -EBUSY when deleting the table
8653 * from the transaction.
8655 if (nft_set_is_anonymous(nft_trans_set(trans
)) &&
8656 !list_empty(&nft_trans_set(trans
)->bindings
))
8657 trans
->ctx
.table
->use
--;
8659 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
8660 NFT_MSG_NEWSET
, GFP_KERNEL
);
8661 nft_trans_destroy(trans
);
8663 case NFT_MSG_DELSET
:
8664 list_del_rcu(&nft_trans_set(trans
)->list
);
8665 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
8666 NFT_MSG_DELSET
, GFP_KERNEL
);
8668 case NFT_MSG_NEWSETELEM
:
8669 te
= (struct nft_trans_elem
*)trans
->data
;
8671 nft_setelem_activate(net
, te
->set
, &te
->elem
);
8672 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
8674 NFT_MSG_NEWSETELEM
);
8675 nft_trans_destroy(trans
);
8677 case NFT_MSG_DELSETELEM
:
8678 te
= (struct nft_trans_elem
*)trans
->data
;
8680 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
8682 NFT_MSG_DELSETELEM
);
8683 nft_setelem_remove(net
, te
->set
, &te
->elem
);
8684 if (!nft_setelem_is_catchall(te
->set
, &te
->elem
)) {
8685 atomic_dec(&te
->set
->nelems
);
8689 case NFT_MSG_NEWOBJ
:
8690 if (nft_trans_obj_update(trans
)) {
8691 nft_obj_commit_update(trans
);
8692 nf_tables_obj_notify(&trans
->ctx
,
8693 nft_trans_obj(trans
),
8696 nft_clear(net
, nft_trans_obj(trans
));
8697 nf_tables_obj_notify(&trans
->ctx
,
8698 nft_trans_obj(trans
),
8700 nft_trans_destroy(trans
);
8703 case NFT_MSG_DELOBJ
:
8704 nft_obj_del(nft_trans_obj(trans
));
8705 nf_tables_obj_notify(&trans
->ctx
, nft_trans_obj(trans
),
8708 case NFT_MSG_NEWFLOWTABLE
:
8709 if (nft_trans_flowtable_update(trans
)) {
8710 nft_trans_flowtable(trans
)->data
.flags
=
8711 nft_trans_flowtable_flags(trans
);
8712 nf_tables_flowtable_notify(&trans
->ctx
,
8713 nft_trans_flowtable(trans
),
8714 &nft_trans_flowtable_hooks(trans
),
8715 NFT_MSG_NEWFLOWTABLE
);
8716 list_splice(&nft_trans_flowtable_hooks(trans
),
8717 &nft_trans_flowtable(trans
)->hook_list
);
8719 nft_clear(net
, nft_trans_flowtable(trans
));
8720 nf_tables_flowtable_notify(&trans
->ctx
,
8721 nft_trans_flowtable(trans
),
8722 &nft_trans_flowtable(trans
)->hook_list
,
8723 NFT_MSG_NEWFLOWTABLE
);
8725 nft_trans_destroy(trans
);
8727 case NFT_MSG_DELFLOWTABLE
:
8728 if (nft_trans_flowtable_update(trans
)) {
8729 nft_flowtable_hooks_del(nft_trans_flowtable(trans
),
8730 &nft_trans_flowtable_hooks(trans
));
8731 nf_tables_flowtable_notify(&trans
->ctx
,
8732 nft_trans_flowtable(trans
),
8733 &nft_trans_flowtable_hooks(trans
),
8734 NFT_MSG_DELFLOWTABLE
);
8735 nft_unregister_flowtable_net_hooks(net
,
8736 &nft_trans_flowtable_hooks(trans
));
8738 list_del_rcu(&nft_trans_flowtable(trans
)->list
);
8739 nf_tables_flowtable_notify(&trans
->ctx
,
8740 nft_trans_flowtable(trans
),
8741 &nft_trans_flowtable(trans
)->hook_list
,
8742 NFT_MSG_DELFLOWTABLE
);
8743 nft_unregister_flowtable_net_hooks(net
,
8744 &nft_trans_flowtable(trans
)->hook_list
);
8750 nft_commit_notify(net
, NETLINK_CB(skb
).portid
);
8751 nf_tables_gen_notify(net
, skb
, NFT_MSG_NEWGEN
);
8752 nf_tables_commit_audit_log(&adl
, nft_net
->base_seq
);
8753 nf_tables_commit_release(net
);
8758 static void nf_tables_module_autoload(struct net
*net
)
8760 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8761 struct nft_module_request
*req
, *next
;
8762 LIST_HEAD(module_list
);
8764 list_splice_init(&nft_net
->module_list
, &module_list
);
8765 mutex_unlock(&nft_net
->commit_mutex
);
8766 list_for_each_entry_safe(req
, next
, &module_list
, list
) {
8767 request_module("%s", req
->module
);
8770 mutex_lock(&nft_net
->commit_mutex
);
8771 list_splice(&module_list
, &nft_net
->module_list
);
8774 static void nf_tables_abort_release(struct nft_trans
*trans
)
8776 switch (trans
->msg_type
) {
8777 case NFT_MSG_NEWTABLE
:
8778 nf_tables_table_destroy(&trans
->ctx
);
8780 case NFT_MSG_NEWCHAIN
:
8781 nf_tables_chain_destroy(&trans
->ctx
);
8783 case NFT_MSG_NEWRULE
:
8784 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
8786 case NFT_MSG_NEWSET
:
8787 nft_set_destroy(&trans
->ctx
, nft_trans_set(trans
));
8789 case NFT_MSG_NEWSETELEM
:
8790 nft_set_elem_destroy(nft_trans_elem_set(trans
),
8791 nft_trans_elem(trans
).priv
, true);
8793 case NFT_MSG_NEWOBJ
:
8794 nft_obj_destroy(&trans
->ctx
, nft_trans_obj(trans
));
8796 case NFT_MSG_NEWFLOWTABLE
:
8797 if (nft_trans_flowtable_update(trans
))
8798 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans
));
8800 nf_tables_flowtable_destroy(nft_trans_flowtable(trans
));
8806 static int __nf_tables_abort(struct net
*net
, enum nfnl_abort_action action
)
8808 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8809 struct nft_trans
*trans
, *next
;
8810 struct nft_trans_elem
*te
;
8811 struct nft_hook
*hook
;
8813 if (action
== NFNL_ABORT_VALIDATE
&&
8814 nf_tables_validate(net
) < 0)
8817 list_for_each_entry_safe_reverse(trans
, next
, &nft_net
->commit_list
,
8819 switch (trans
->msg_type
) {
8820 case NFT_MSG_NEWTABLE
:
8821 if (nft_trans_table_update(trans
)) {
8822 if (!(trans
->ctx
.table
->flags
& __NFT_TABLE_F_UPDATE
)) {
8823 nft_trans_destroy(trans
);
8826 if (trans
->ctx
.table
->flags
& __NFT_TABLE_F_WAS_DORMANT
) {
8827 nf_tables_table_disable(net
, trans
->ctx
.table
);
8828 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
8829 } else if (trans
->ctx
.table
->flags
& __NFT_TABLE_F_WAS_AWAKEN
) {
8830 trans
->ctx
.table
->flags
&= ~NFT_TABLE_F_DORMANT
;
8832 trans
->ctx
.table
->flags
&= ~__NFT_TABLE_F_UPDATE
;
8833 nft_trans_destroy(trans
);
8835 list_del_rcu(&trans
->ctx
.table
->list
);
8838 case NFT_MSG_DELTABLE
:
8839 nft_clear(trans
->ctx
.net
, trans
->ctx
.table
);
8840 nft_trans_destroy(trans
);
8842 case NFT_MSG_NEWCHAIN
:
8843 if (nft_trans_chain_update(trans
)) {
8844 free_percpu(nft_trans_chain_stats(trans
));
8845 kfree(nft_trans_chain_name(trans
));
8846 nft_trans_destroy(trans
);
8848 if (nft_chain_is_bound(trans
->ctx
.chain
)) {
8849 nft_trans_destroy(trans
);
8852 trans
->ctx
.table
->use
--;
8853 nft_chain_del(trans
->ctx
.chain
);
8854 nf_tables_unregister_hook(trans
->ctx
.net
,
8859 case NFT_MSG_DELCHAIN
:
8860 trans
->ctx
.table
->use
++;
8861 nft_clear(trans
->ctx
.net
, trans
->ctx
.chain
);
8862 nft_trans_destroy(trans
);
8864 case NFT_MSG_NEWRULE
:
8865 trans
->ctx
.chain
->use
--;
8866 list_del_rcu(&nft_trans_rule(trans
)->list
);
8867 nft_rule_expr_deactivate(&trans
->ctx
,
8868 nft_trans_rule(trans
),
8870 if (trans
->ctx
.chain
->flags
& NFT_CHAIN_HW_OFFLOAD
)
8871 nft_flow_rule_destroy(nft_trans_flow_rule(trans
));
8873 case NFT_MSG_DELRULE
:
8874 trans
->ctx
.chain
->use
++;
8875 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
8876 nft_rule_expr_activate(&trans
->ctx
, nft_trans_rule(trans
));
8877 if (trans
->ctx
.chain
->flags
& NFT_CHAIN_HW_OFFLOAD
)
8878 nft_flow_rule_destroy(nft_trans_flow_rule(trans
));
8880 nft_trans_destroy(trans
);
8882 case NFT_MSG_NEWSET
:
8883 trans
->ctx
.table
->use
--;
8884 if (nft_trans_set_bound(trans
)) {
8885 nft_trans_destroy(trans
);
8888 list_del_rcu(&nft_trans_set(trans
)->list
);
8890 case NFT_MSG_DELSET
:
8891 trans
->ctx
.table
->use
++;
8892 nft_clear(trans
->ctx
.net
, nft_trans_set(trans
));
8893 nft_trans_destroy(trans
);
8895 case NFT_MSG_NEWSETELEM
:
8896 if (nft_trans_elem_set_bound(trans
)) {
8897 nft_trans_destroy(trans
);
8900 te
= (struct nft_trans_elem
*)trans
->data
;
8901 nft_setelem_remove(net
, te
->set
, &te
->elem
);
8902 if (!nft_setelem_is_catchall(te
->set
, &te
->elem
))
8903 atomic_dec(&te
->set
->nelems
);
8905 case NFT_MSG_DELSETELEM
:
8906 te
= (struct nft_trans_elem
*)trans
->data
;
8908 nft_setelem_data_activate(net
, te
->set
, &te
->elem
);
8909 nft_setelem_activate(net
, te
->set
, &te
->elem
);
8910 if (!nft_setelem_is_catchall(te
->set
, &te
->elem
))
8913 nft_trans_destroy(trans
);
8915 case NFT_MSG_NEWOBJ
:
8916 if (nft_trans_obj_update(trans
)) {
8917 kfree(nft_trans_obj_newobj(trans
));
8918 nft_trans_destroy(trans
);
8920 trans
->ctx
.table
->use
--;
8921 nft_obj_del(nft_trans_obj(trans
));
8924 case NFT_MSG_DELOBJ
:
8925 trans
->ctx
.table
->use
++;
8926 nft_clear(trans
->ctx
.net
, nft_trans_obj(trans
));
8927 nft_trans_destroy(trans
);
8929 case NFT_MSG_NEWFLOWTABLE
:
8930 if (nft_trans_flowtable_update(trans
)) {
8931 nft_unregister_flowtable_net_hooks(net
,
8932 &nft_trans_flowtable_hooks(trans
));
8934 trans
->ctx
.table
->use
--;
8935 list_del_rcu(&nft_trans_flowtable(trans
)->list
);
8936 nft_unregister_flowtable_net_hooks(net
,
8937 &nft_trans_flowtable(trans
)->hook_list
);
8940 case NFT_MSG_DELFLOWTABLE
:
8941 if (nft_trans_flowtable_update(trans
)) {
8942 list_for_each_entry(hook
, &nft_trans_flowtable(trans
)->hook_list
, list
)
8943 hook
->inactive
= false;
8945 trans
->ctx
.table
->use
++;
8946 nft_clear(trans
->ctx
.net
, nft_trans_flowtable(trans
));
8948 nft_trans_destroy(trans
);
8955 list_for_each_entry_safe_reverse(trans
, next
,
8956 &nft_net
->commit_list
, list
) {
8957 list_del(&trans
->list
);
8958 nf_tables_abort_release(trans
);
8961 if (action
== NFNL_ABORT_AUTOLOAD
)
8962 nf_tables_module_autoload(net
);
8964 nf_tables_module_autoload_cleanup(net
);
8969 static void nf_tables_cleanup(struct net
*net
)
8971 nft_validate_state_update(net
, NFT_VALIDATE_SKIP
);
8974 static int nf_tables_abort(struct net
*net
, struct sk_buff
*skb
,
8975 enum nfnl_abort_action action
)
8977 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8978 int ret
= __nf_tables_abort(net
, action
);
8980 mutex_unlock(&nft_net
->commit_mutex
);
8985 static bool nf_tables_valid_genid(struct net
*net
, u32 genid
)
8987 struct nftables_pernet
*nft_net
= nft_pernet(net
);
8990 mutex_lock(&nft_net
->commit_mutex
);
8992 genid_ok
= genid
== 0 || nft_net
->base_seq
== genid
;
8994 mutex_unlock(&nft_net
->commit_mutex
);
8996 /* else, commit mutex has to be released by commit or abort function */
9000 static const struct nfnetlink_subsystem nf_tables_subsys
= {
9001 .name
= "nf_tables",
9002 .subsys_id
= NFNL_SUBSYS_NFTABLES
,
9003 .cb_count
= NFT_MSG_MAX
,
9005 .commit
= nf_tables_commit
,
9006 .abort
= nf_tables_abort
,
9007 .cleanup
= nf_tables_cleanup
,
9008 .valid_genid
= nf_tables_valid_genid
,
9009 .owner
= THIS_MODULE
,
9012 int nft_chain_validate_dependency(const struct nft_chain
*chain
,
9013 enum nft_chain_types type
)
9015 const struct nft_base_chain
*basechain
;
9017 if (nft_is_base_chain(chain
)) {
9018 basechain
= nft_base_chain(chain
);
9019 if (basechain
->type
->type
!= type
)
9024 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency
);
9026 int nft_chain_validate_hooks(const struct nft_chain
*chain
,
9027 unsigned int hook_flags
)
9029 struct nft_base_chain
*basechain
;
9031 if (nft_is_base_chain(chain
)) {
9032 basechain
= nft_base_chain(chain
);
9034 if ((1 << basechain
->ops
.hooknum
) & hook_flags
)
9042 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks
);
9045 * Loop detection - walk through the ruleset beginning at the destination chain
9046 * of a new jump until either the source chain is reached (loop) or all
9047 * reachable chains have been traversed.
9049 * The loop check is performed whenever a new jump verdict is added to an
9050 * expression or verdict map or a verdict map is bound to a new chain.
9053 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
9054 const struct nft_chain
*chain
);
9056 static int nft_check_loops(const struct nft_ctx
*ctx
,
9057 const struct nft_set_ext
*ext
)
9059 const struct nft_data
*data
;
9062 data
= nft_set_ext_data(ext
);
9063 switch (data
->verdict
.code
) {
9066 ret
= nf_tables_check_loops(ctx
, data
->verdict
.chain
);
9076 static int nf_tables_loop_check_setelem(const struct nft_ctx
*ctx
,
9077 struct nft_set
*set
,
9078 const struct nft_set_iter
*iter
,
9079 struct nft_set_elem
*elem
)
9081 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
9083 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
9084 *nft_set_ext_flags(ext
) & NFT_SET_ELEM_INTERVAL_END
)
9087 return nft_check_loops(ctx
, ext
);
9090 static int nft_set_catchall_loops(const struct nft_ctx
*ctx
,
9091 struct nft_set
*set
)
9093 u8 genmask
= nft_genmask_next(ctx
->net
);
9094 struct nft_set_elem_catchall
*catchall
;
9095 struct nft_set_ext
*ext
;
9098 list_for_each_entry_rcu(catchall
, &set
->catchall_list
, list
) {
9099 ext
= nft_set_elem_ext(set
, catchall
->elem
);
9100 if (!nft_set_elem_active(ext
, genmask
))
9103 ret
= nft_check_loops(ctx
, ext
);
9111 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
9112 const struct nft_chain
*chain
)
9114 const struct nft_rule
*rule
;
9115 const struct nft_expr
*expr
, *last
;
9116 struct nft_set
*set
;
9117 struct nft_set_binding
*binding
;
9118 struct nft_set_iter iter
;
9120 if (ctx
->chain
== chain
)
9123 list_for_each_entry(rule
, &chain
->rules
, list
) {
9124 nft_rule_for_each_expr(expr
, last
, rule
) {
9125 struct nft_immediate_expr
*priv
;
9126 const struct nft_data
*data
;
9129 if (strcmp(expr
->ops
->type
->name
, "immediate"))
9132 priv
= nft_expr_priv(expr
);
9133 if (priv
->dreg
!= NFT_REG_VERDICT
)
9137 switch (data
->verdict
.code
) {
9140 err
= nf_tables_check_loops(ctx
,
9141 data
->verdict
.chain
);
9151 list_for_each_entry(set
, &ctx
->table
->sets
, list
) {
9152 if (!nft_is_active_next(ctx
->net
, set
))
9154 if (!(set
->flags
& NFT_SET_MAP
) ||
9155 set
->dtype
!= NFT_DATA_VERDICT
)
9158 list_for_each_entry(binding
, &set
->bindings
, list
) {
9159 if (!(binding
->flags
& NFT_SET_MAP
) ||
9160 binding
->chain
!= chain
)
9163 iter
.genmask
= nft_genmask_next(ctx
->net
);
9167 iter
.fn
= nf_tables_loop_check_setelem
;
9169 set
->ops
->walk(ctx
, set
, &iter
);
9171 iter
.err
= nft_set_catchall_loops(ctx
, set
);
9182 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
9184 * @attr: netlink attribute to fetch value from
9185 * @max: maximum value to be stored in dest
9186 * @dest: pointer to the variable
9188 * Parse, check and store a given u32 netlink attribute into variable.
9189 * This function returns -ERANGE if the value goes over maximum value.
9190 * Otherwise a 0 is returned and the attribute value is stored in the
9191 * destination variable.
9193 int nft_parse_u32_check(const struct nlattr
*attr
, int max
, u32
*dest
)
9197 val
= ntohl(nla_get_be32(attr
));
9204 EXPORT_SYMBOL_GPL(nft_parse_u32_check
);
9206 static unsigned int nft_parse_register(const struct nlattr
*attr
)
9210 reg
= ntohl(nla_get_be32(attr
));
9212 case NFT_REG_VERDICT
...NFT_REG_4
:
9213 return reg
* NFT_REG_SIZE
/ NFT_REG32_SIZE
;
9215 return reg
+ NFT_REG_SIZE
/ NFT_REG32_SIZE
- NFT_REG32_00
;
9220 * nft_dump_register - dump a register value to a netlink attribute
9222 * @skb: socket buffer
9223 * @attr: attribute number
9224 * @reg: register number
9226 * Construct a netlink attribute containing the register number. For
9227 * compatibility reasons, register numbers being a multiple of 4 are
9228 * translated to the corresponding 128 bit register numbers.
9230 int nft_dump_register(struct sk_buff
*skb
, unsigned int attr
, unsigned int reg
)
9232 if (reg
% (NFT_REG_SIZE
/ NFT_REG32_SIZE
) == 0)
9233 reg
= reg
/ (NFT_REG_SIZE
/ NFT_REG32_SIZE
);
9235 reg
= reg
- NFT_REG_SIZE
/ NFT_REG32_SIZE
+ NFT_REG32_00
;
9237 return nla_put_be32(skb
, attr
, htonl(reg
));
9239 EXPORT_SYMBOL_GPL(nft_dump_register
);
9241 static int nft_validate_register_load(enum nft_registers reg
, unsigned int len
)
9243 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
9247 if (reg
* NFT_REG32_SIZE
+ len
> sizeof_field(struct nft_regs
, data
))
9253 int nft_parse_register_load(const struct nlattr
*attr
, u8
*sreg
, u32 len
)
9258 reg
= nft_parse_register(attr
);
9259 err
= nft_validate_register_load(reg
, len
);
9266 EXPORT_SYMBOL_GPL(nft_parse_register_load
);
9268 static int nft_validate_register_store(const struct nft_ctx
*ctx
,
9269 enum nft_registers reg
,
9270 const struct nft_data
*data
,
9271 enum nft_data_types type
,
9277 case NFT_REG_VERDICT
:
9278 if (type
!= NFT_DATA_VERDICT
)
9282 (data
->verdict
.code
== NFT_GOTO
||
9283 data
->verdict
.code
== NFT_JUMP
)) {
9284 err
= nf_tables_check_loops(ctx
, data
->verdict
.chain
);
9291 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
9295 if (reg
* NFT_REG32_SIZE
+ len
>
9296 sizeof_field(struct nft_regs
, data
))
9299 if (data
!= NULL
&& type
!= NFT_DATA_VALUE
)
9305 int nft_parse_register_store(const struct nft_ctx
*ctx
,
9306 const struct nlattr
*attr
, u8
*dreg
,
9307 const struct nft_data
*data
,
9308 enum nft_data_types type
, unsigned int len
)
9313 reg
= nft_parse_register(attr
);
9314 err
= nft_validate_register_store(ctx
, reg
, data
, type
, len
);
9321 EXPORT_SYMBOL_GPL(nft_parse_register_store
);
9323 static const struct nla_policy nft_verdict_policy
[NFTA_VERDICT_MAX
+ 1] = {
9324 [NFTA_VERDICT_CODE
] = { .type
= NLA_U32
},
9325 [NFTA_VERDICT_CHAIN
] = { .type
= NLA_STRING
,
9326 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
9327 [NFTA_VERDICT_CHAIN_ID
] = { .type
= NLA_U32
},
9330 static int nft_verdict_init(const struct nft_ctx
*ctx
, struct nft_data
*data
,
9331 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
9333 u8 genmask
= nft_genmask_next(ctx
->net
);
9334 struct nlattr
*tb
[NFTA_VERDICT_MAX
+ 1];
9335 struct nft_chain
*chain
;
9338 err
= nla_parse_nested_deprecated(tb
, NFTA_VERDICT_MAX
, nla
,
9339 nft_verdict_policy
, NULL
);
9343 if (!tb
[NFTA_VERDICT_CODE
])
9345 data
->verdict
.code
= ntohl(nla_get_be32(tb
[NFTA_VERDICT_CODE
]));
9347 switch (data
->verdict
.code
) {
9349 switch (data
->verdict
.code
& NF_VERDICT_MASK
) {
9364 if (tb
[NFTA_VERDICT_CHAIN
]) {
9365 chain
= nft_chain_lookup(ctx
->net
, ctx
->table
,
9366 tb
[NFTA_VERDICT_CHAIN
],
9368 } else if (tb
[NFTA_VERDICT_CHAIN_ID
]) {
9369 chain
= nft_chain_lookup_byid(ctx
->net
,
9370 tb
[NFTA_VERDICT_CHAIN_ID
]);
9372 return PTR_ERR(chain
);
9378 return PTR_ERR(chain
);
9379 if (nft_is_base_chain(chain
))
9383 data
->verdict
.chain
= chain
;
9387 desc
->len
= sizeof(data
->verdict
);
9388 desc
->type
= NFT_DATA_VERDICT
;
9392 static void nft_verdict_uninit(const struct nft_data
*data
)
9394 struct nft_chain
*chain
;
9395 struct nft_rule
*rule
;
9397 switch (data
->verdict
.code
) {
9400 chain
= data
->verdict
.chain
;
9403 if (!nft_chain_is_bound(chain
))
9406 chain
->table
->use
--;
9407 list_for_each_entry(rule
, &chain
->rules
, list
)
9410 nft_chain_del(chain
);
9415 int nft_verdict_dump(struct sk_buff
*skb
, int type
, const struct nft_verdict
*v
)
9417 struct nlattr
*nest
;
9419 nest
= nla_nest_start_noflag(skb
, type
);
9421 goto nla_put_failure
;
9423 if (nla_put_be32(skb
, NFTA_VERDICT_CODE
, htonl(v
->code
)))
9424 goto nla_put_failure
;
9429 if (nla_put_string(skb
, NFTA_VERDICT_CHAIN
,
9431 goto nla_put_failure
;
9433 nla_nest_end(skb
, nest
);
9440 static int nft_value_init(const struct nft_ctx
*ctx
,
9441 struct nft_data
*data
, unsigned int size
,
9442 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
9452 nla_memcpy(data
->data
, nla
, len
);
9453 desc
->type
= NFT_DATA_VALUE
;
9458 static int nft_value_dump(struct sk_buff
*skb
, const struct nft_data
*data
,
9461 return nla_put(skb
, NFTA_DATA_VALUE
, len
, data
->data
);
9464 static const struct nla_policy nft_data_policy
[NFTA_DATA_MAX
+ 1] = {
9465 [NFTA_DATA_VALUE
] = { .type
= NLA_BINARY
},
9466 [NFTA_DATA_VERDICT
] = { .type
= NLA_NESTED
},
9470 * nft_data_init - parse nf_tables data netlink attributes
9472 * @ctx: context of the expression using the data
9473 * @data: destination struct nft_data
9474 * @size: maximum data length
9475 * @desc: data description
9476 * @nla: netlink attribute containing data
9478 * Parse the netlink data attributes and initialize a struct nft_data.
9479 * The type and length of data are returned in the data description.
9481 * The caller can indicate that it only wants to accept data of type
9482 * NFT_DATA_VALUE by passing NULL for the ctx argument.
9484 int nft_data_init(const struct nft_ctx
*ctx
,
9485 struct nft_data
*data
, unsigned int size
,
9486 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
9488 struct nlattr
*tb
[NFTA_DATA_MAX
+ 1];
9491 err
= nla_parse_nested_deprecated(tb
, NFTA_DATA_MAX
, nla
,
9492 nft_data_policy
, NULL
);
9496 if (tb
[NFTA_DATA_VALUE
])
9497 return nft_value_init(ctx
, data
, size
, desc
,
9498 tb
[NFTA_DATA_VALUE
]);
9499 if (tb
[NFTA_DATA_VERDICT
] && ctx
!= NULL
)
9500 return nft_verdict_init(ctx
, data
, desc
, tb
[NFTA_DATA_VERDICT
]);
9503 EXPORT_SYMBOL_GPL(nft_data_init
);
9506 * nft_data_release - release a nft_data item
9508 * @data: struct nft_data to release
9509 * @type: type of data
9511 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
9512 * all others need to be released by calling this function.
9514 void nft_data_release(const struct nft_data
*data
, enum nft_data_types type
)
9516 if (type
< NFT_DATA_VERDICT
)
9519 case NFT_DATA_VERDICT
:
9520 return nft_verdict_uninit(data
);
9525 EXPORT_SYMBOL_GPL(nft_data_release
);
9527 int nft_data_dump(struct sk_buff
*skb
, int attr
, const struct nft_data
*data
,
9528 enum nft_data_types type
, unsigned int len
)
9530 struct nlattr
*nest
;
9533 nest
= nla_nest_start_noflag(skb
, attr
);
9538 case NFT_DATA_VALUE
:
9539 err
= nft_value_dump(skb
, data
, len
);
9541 case NFT_DATA_VERDICT
:
9542 err
= nft_verdict_dump(skb
, NFTA_DATA_VERDICT
, &data
->verdict
);
9549 nla_nest_end(skb
, nest
);
9552 EXPORT_SYMBOL_GPL(nft_data_dump
);
9554 int __nft_release_basechain(struct nft_ctx
*ctx
)
9556 struct nft_rule
*rule
, *nr
;
9558 if (WARN_ON(!nft_is_base_chain(ctx
->chain
)))
9561 nf_tables_unregister_hook(ctx
->net
, ctx
->chain
->table
, ctx
->chain
);
9562 list_for_each_entry_safe(rule
, nr
, &ctx
->chain
->rules
, list
) {
9563 list_del(&rule
->list
);
9565 nf_tables_rule_release(ctx
, rule
);
9567 nft_chain_del(ctx
->chain
);
9569 nf_tables_chain_destroy(ctx
);
9573 EXPORT_SYMBOL_GPL(__nft_release_basechain
);
9575 static void __nft_release_hook(struct net
*net
, struct nft_table
*table
)
9577 struct nft_chain
*chain
;
9579 list_for_each_entry(chain
, &table
->chains
, list
)
9580 nf_tables_unregister_hook(net
, table
, chain
);
9583 static void __nft_release_hooks(struct net
*net
)
9585 struct nftables_pernet
*nft_net
= nft_pernet(net
);
9586 struct nft_table
*table
;
9588 list_for_each_entry(table
, &nft_net
->tables
, list
) {
9589 if (nft_table_has_owner(table
))
9592 __nft_release_hook(net
, table
);
9596 static void __nft_release_table(struct net
*net
, struct nft_table
*table
)
9598 struct nft_flowtable
*flowtable
, *nf
;
9599 struct nft_chain
*chain
, *nc
;
9600 struct nft_object
*obj
, *ne
;
9601 struct nft_rule
*rule
, *nr
;
9602 struct nft_set
*set
, *ns
;
9603 struct nft_ctx ctx
= {
9605 .family
= NFPROTO_NETDEV
,
9608 ctx
.family
= table
->family
;
9610 list_for_each_entry(chain
, &table
->chains
, list
) {
9612 list_for_each_entry_safe(rule
, nr
, &chain
->rules
, list
) {
9613 list_del(&rule
->list
);
9615 nf_tables_rule_release(&ctx
, rule
);
9618 list_for_each_entry_safe(flowtable
, nf
, &table
->flowtables
, list
) {
9619 list_del(&flowtable
->list
);
9621 nf_tables_flowtable_destroy(flowtable
);
9623 list_for_each_entry_safe(set
, ns
, &table
->sets
, list
) {
9624 list_del(&set
->list
);
9626 nft_set_destroy(&ctx
, set
);
9628 list_for_each_entry_safe(obj
, ne
, &table
->objects
, list
) {
9631 nft_obj_destroy(&ctx
, obj
);
9633 list_for_each_entry_safe(chain
, nc
, &table
->chains
, list
) {
9635 nft_chain_del(chain
);
9637 nf_tables_chain_destroy(&ctx
);
9639 nf_tables_table_destroy(&ctx
);
9642 static void __nft_release_tables(struct net
*net
)
9644 struct nftables_pernet
*nft_net
= nft_pernet(net
);
9645 struct nft_table
*table
, *nt
;
9647 list_for_each_entry_safe(table
, nt
, &nft_net
->tables
, list
) {
9648 if (nft_table_has_owner(table
))
9651 list_del(&table
->list
);
9653 __nft_release_table(net
, table
);
9657 static int nft_rcv_nl_event(struct notifier_block
*this, unsigned long event
,
9660 struct nft_table
*table
, *to_delete
[8];
9661 struct nftables_pernet
*nft_net
;
9662 struct netlink_notify
*n
= ptr
;
9663 struct net
*net
= n
->net
;
9664 unsigned int deleted
;
9665 bool restart
= false;
9667 if (event
!= NETLINK_URELEASE
|| n
->protocol
!= NETLINK_NETFILTER
)
9670 nft_net
= nft_pernet(net
);
9672 mutex_lock(&nft_net
->commit_mutex
);
9674 list_for_each_entry(table
, &nft_net
->tables
, list
) {
9675 if (nft_table_has_owner(table
) &&
9676 n
->portid
== table
->nlpid
) {
9677 __nft_release_hook(net
, table
);
9678 list_del_rcu(&table
->list
);
9679 to_delete
[deleted
++] = table
;
9680 if (deleted
>= ARRAY_SIZE(to_delete
))
9685 restart
= deleted
>= ARRAY_SIZE(to_delete
);
9688 __nft_release_table(net
, to_delete
[--deleted
]);
9693 mutex_unlock(&nft_net
->commit_mutex
);
9698 static struct notifier_block nft_nl_notifier
= {
9699 .notifier_call
= nft_rcv_nl_event
,
9702 static int __net_init
nf_tables_init_net(struct net
*net
)
9704 struct nftables_pernet
*nft_net
= nft_pernet(net
);
9706 INIT_LIST_HEAD(&nft_net
->tables
);
9707 INIT_LIST_HEAD(&nft_net
->commit_list
);
9708 INIT_LIST_HEAD(&nft_net
->module_list
);
9709 INIT_LIST_HEAD(&nft_net
->notify_list
);
9710 mutex_init(&nft_net
->commit_mutex
);
9711 nft_net
->base_seq
= 1;
9712 nft_net
->validate_state
= NFT_VALIDATE_SKIP
;
9717 static void __net_exit
nf_tables_pre_exit_net(struct net
*net
)
9719 __nft_release_hooks(net
);
9722 static void __net_exit
nf_tables_exit_net(struct net
*net
)
9724 struct nftables_pernet
*nft_net
= nft_pernet(net
);
9726 mutex_lock(&nft_net
->commit_mutex
);
9727 if (!list_empty(&nft_net
->commit_list
))
9728 __nf_tables_abort(net
, NFNL_ABORT_NONE
);
9729 __nft_release_tables(net
);
9730 mutex_unlock(&nft_net
->commit_mutex
);
9731 WARN_ON_ONCE(!list_empty(&nft_net
->tables
));
9732 WARN_ON_ONCE(!list_empty(&nft_net
->module_list
));
9733 WARN_ON_ONCE(!list_empty(&nft_net
->notify_list
));
9736 static struct pernet_operations nf_tables_net_ops
= {
9737 .init
= nf_tables_init_net
,
9738 .pre_exit
= nf_tables_pre_exit_net
,
9739 .exit
= nf_tables_exit_net
,
9740 .id
= &nf_tables_net_id
,
9741 .size
= sizeof(struct nftables_pernet
),
9744 static int __init
nf_tables_module_init(void)
9748 err
= register_pernet_subsys(&nf_tables_net_ops
);
9752 err
= nft_chain_filter_init();
9754 goto err_chain_filter
;
9756 err
= nf_tables_core_module_init();
9758 goto err_core_module
;
9760 err
= register_netdevice_notifier(&nf_tables_flowtable_notifier
);
9762 goto err_netdev_notifier
;
9764 err
= rhltable_init(&nft_objname_ht
, &nft_objname_ht_params
);
9766 goto err_rht_objname
;
9768 err
= nft_offload_init();
9772 err
= netlink_register_notifier(&nft_nl_notifier
);
9774 goto err_netlink_notifier
;
9777 err
= nfnetlink_subsys_register(&nf_tables_subsys
);
9779 goto err_nfnl_subsys
;
9781 nft_chain_route_init();
9786 netlink_unregister_notifier(&nft_nl_notifier
);
9787 err_netlink_notifier
:
9790 rhltable_destroy(&nft_objname_ht
);
9792 unregister_netdevice_notifier(&nf_tables_flowtable_notifier
);
9793 err_netdev_notifier
:
9794 nf_tables_core_module_exit();
9796 nft_chain_filter_fini();
9798 unregister_pernet_subsys(&nf_tables_net_ops
);
9802 static void __exit
nf_tables_module_exit(void)
9804 nfnetlink_subsys_unregister(&nf_tables_subsys
);
9805 netlink_unregister_notifier(&nft_nl_notifier
);
9807 unregister_netdevice_notifier(&nf_tables_flowtable_notifier
);
9808 nft_chain_filter_fini();
9809 nft_chain_route_fini();
9810 unregister_pernet_subsys(&nf_tables_net_ops
);
9811 cancel_work_sync(&trans_destroy_work
);
9813 rhltable_destroy(&nft_objname_ht
);
9814 nf_tables_core_module_exit();
9817 module_init(nf_tables_module_init
);
9818 module_exit(nf_tables_module_exit
);
9820 MODULE_LICENSE("GPL");
9821 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9822 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES
);