2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions
);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net
*net
, struct nft_af_info
*afi
)
36 INIT_LIST_HEAD(&afi
->tables
);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
38 list_add_tail_rcu(&afi
->list
, &net
->nft
.af_info
);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo
);
44 static void __nft_release_afinfo(struct net
*net
, struct nft_af_info
*afi
);
47 * nft_unregister_afinfo - unregister nf_tables address family info
49 * @afi: address family info to unregister
51 * Unregister the address family for use with nf_tables.
53 void nft_unregister_afinfo(struct net
*net
, struct nft_af_info
*afi
)
55 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
56 __nft_release_afinfo(net
, afi
);
57 list_del_rcu(&afi
->list
);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
60 EXPORT_SYMBOL_GPL(nft_unregister_afinfo
);
62 static struct nft_af_info
*nft_afinfo_lookup(struct net
*net
, int family
)
64 struct nft_af_info
*afi
;
66 list_for_each_entry(afi
, &net
->nft
.af_info
, list
) {
67 if (afi
->family
== family
)
73 static struct nft_af_info
*
74 nf_tables_afinfo_lookup(struct net
*net
, int family
, bool autoload
)
76 struct nft_af_info
*afi
;
78 afi
= nft_afinfo_lookup(net
, family
);
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
84 request_module("nft-afinfo-%u", family
);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
86 afi
= nft_afinfo_lookup(net
, family
);
88 return ERR_PTR(-EAGAIN
);
91 return ERR_PTR(-EAFNOSUPPORT
);
94 static void nft_ctx_init(struct nft_ctx
*ctx
,
96 const struct sk_buff
*skb
,
97 const struct nlmsghdr
*nlh
,
98 struct nft_af_info
*afi
,
99 struct nft_table
*table
,
100 struct nft_chain
*chain
,
101 const struct nlattr
* const *nla
)
108 ctx
->portid
= NETLINK_CB(skb
).portid
;
109 ctx
->report
= nlmsg_report(nlh
);
110 ctx
->seq
= nlh
->nlmsg_seq
;
113 static struct nft_trans
*nft_trans_alloc(struct nft_ctx
*ctx
, int msg_type
,
116 struct nft_trans
*trans
;
118 trans
= kzalloc(sizeof(struct nft_trans
) + size
, GFP_KERNEL
);
122 trans
->msg_type
= msg_type
;
128 static void nft_trans_destroy(struct nft_trans
*trans
)
130 list_del(&trans
->list
);
134 static int nf_tables_register_hooks(struct net
*net
,
135 const struct nft_table
*table
,
136 struct nft_chain
*chain
,
137 unsigned int hook_nops
)
139 if (table
->flags
& NFT_TABLE_F_DORMANT
||
140 !(chain
->flags
& NFT_BASE_CHAIN
))
143 return nf_register_net_hooks(net
, nft_base_chain(chain
)->ops
,
147 static void nf_tables_unregister_hooks(struct net
*net
,
148 const struct nft_table
*table
,
149 struct nft_chain
*chain
,
150 unsigned int hook_nops
)
152 if (table
->flags
& NFT_TABLE_F_DORMANT
||
153 !(chain
->flags
& NFT_BASE_CHAIN
))
156 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
, hook_nops
);
159 static int nft_trans_table_add(struct nft_ctx
*ctx
, int msg_type
)
161 struct nft_trans
*trans
;
163 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_table
));
167 if (msg_type
== NFT_MSG_NEWTABLE
)
168 nft_activate_next(ctx
->net
, ctx
->table
);
170 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
174 static int nft_deltable(struct nft_ctx
*ctx
)
178 err
= nft_trans_table_add(ctx
, NFT_MSG_DELTABLE
);
182 nft_deactivate_next(ctx
->net
, ctx
->table
);
186 static int nft_trans_chain_add(struct nft_ctx
*ctx
, int msg_type
)
188 struct nft_trans
*trans
;
190 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_chain
));
194 if (msg_type
== NFT_MSG_NEWCHAIN
)
195 nft_activate_next(ctx
->net
, ctx
->chain
);
197 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
201 static int nft_delchain(struct nft_ctx
*ctx
)
205 err
= nft_trans_chain_add(ctx
, NFT_MSG_DELCHAIN
);
210 nft_deactivate_next(ctx
->net
, ctx
->chain
);
216 nf_tables_delrule_deactivate(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
218 /* You cannot delete the same rule twice */
219 if (nft_is_active_next(ctx
->net
, rule
)) {
220 nft_deactivate_next(ctx
->net
, rule
);
227 static struct nft_trans
*nft_trans_rule_add(struct nft_ctx
*ctx
, int msg_type
,
228 struct nft_rule
*rule
)
230 struct nft_trans
*trans
;
232 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_rule
));
236 nft_trans_rule(trans
) = rule
;
237 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
242 static int nft_delrule(struct nft_ctx
*ctx
, struct nft_rule
*rule
)
244 struct nft_trans
*trans
;
247 trans
= nft_trans_rule_add(ctx
, NFT_MSG_DELRULE
, rule
);
251 err
= nf_tables_delrule_deactivate(ctx
, rule
);
253 nft_trans_destroy(trans
);
260 static int nft_delrule_by_chain(struct nft_ctx
*ctx
)
262 struct nft_rule
*rule
;
265 list_for_each_entry(rule
, &ctx
->chain
->rules
, list
) {
266 err
= nft_delrule(ctx
, rule
);
273 static int nft_trans_set_add(struct nft_ctx
*ctx
, int msg_type
,
276 struct nft_trans
*trans
;
278 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_set
));
282 if (msg_type
== NFT_MSG_NEWSET
&& ctx
->nla
[NFTA_SET_ID
] != NULL
) {
283 nft_trans_set_id(trans
) =
284 ntohl(nla_get_be32(ctx
->nla
[NFTA_SET_ID
]));
285 nft_activate_next(ctx
->net
, set
);
287 nft_trans_set(trans
) = set
;
288 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
293 static int nft_delset(struct nft_ctx
*ctx
, struct nft_set
*set
)
297 err
= nft_trans_set_add(ctx
, NFT_MSG_DELSET
, set
);
301 nft_deactivate_next(ctx
->net
, set
);
311 static struct nft_table
*nft_table_lookup(const struct nft_af_info
*afi
,
312 const struct nlattr
*nla
,
315 struct nft_table
*table
;
317 list_for_each_entry(table
, &afi
->tables
, list
) {
318 if (!nla_strcmp(nla
, table
->name
) &&
319 nft_active_genmask(table
, genmask
))
325 static struct nft_table
*nf_tables_table_lookup(const struct nft_af_info
*afi
,
326 const struct nlattr
*nla
,
329 struct nft_table
*table
;
332 return ERR_PTR(-EINVAL
);
334 table
= nft_table_lookup(afi
, nla
, genmask
);
338 return ERR_PTR(-ENOENT
);
341 static inline u64
nf_tables_alloc_handle(struct nft_table
*table
)
343 return ++table
->hgenerator
;
346 static const struct nf_chain_type
*chain_type
[AF_MAX
][NFT_CHAIN_T_MAX
];
348 static const struct nf_chain_type
*
349 __nf_tables_chain_type_lookup(int family
, const struct nlattr
*nla
)
353 for (i
= 0; i
< NFT_CHAIN_T_MAX
; i
++) {
354 if (chain_type
[family
][i
] != NULL
&&
355 !nla_strcmp(nla
, chain_type
[family
][i
]->name
))
356 return chain_type
[family
][i
];
361 static const struct nf_chain_type
*
362 nf_tables_chain_type_lookup(const struct nft_af_info
*afi
,
363 const struct nlattr
*nla
,
366 const struct nf_chain_type
*type
;
368 type
= __nf_tables_chain_type_lookup(afi
->family
, nla
);
371 #ifdef CONFIG_MODULES
373 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
374 request_module("nft-chain-%u-%.*s", afi
->family
,
375 nla_len(nla
), (const char *)nla_data(nla
));
376 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
377 type
= __nf_tables_chain_type_lookup(afi
->family
, nla
);
379 return ERR_PTR(-EAGAIN
);
382 return ERR_PTR(-ENOENT
);
385 static const struct nla_policy nft_table_policy
[NFTA_TABLE_MAX
+ 1] = {
386 [NFTA_TABLE_NAME
] = { .type
= NLA_STRING
,
387 .len
= NFT_TABLE_MAXNAMELEN
- 1 },
388 [NFTA_TABLE_FLAGS
] = { .type
= NLA_U32
},
391 static int nf_tables_fill_table_info(struct sk_buff
*skb
, struct net
*net
,
392 u32 portid
, u32 seq
, int event
, u32 flags
,
393 int family
, const struct nft_table
*table
)
395 struct nlmsghdr
*nlh
;
396 struct nfgenmsg
*nfmsg
;
398 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
399 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
401 goto nla_put_failure
;
403 nfmsg
= nlmsg_data(nlh
);
404 nfmsg
->nfgen_family
= family
;
405 nfmsg
->version
= NFNETLINK_V0
;
406 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
408 if (nla_put_string(skb
, NFTA_TABLE_NAME
, table
->name
) ||
409 nla_put_be32(skb
, NFTA_TABLE_FLAGS
, htonl(table
->flags
)) ||
410 nla_put_be32(skb
, NFTA_TABLE_USE
, htonl(table
->use
)))
411 goto nla_put_failure
;
417 nlmsg_trim(skb
, nlh
);
421 static int nf_tables_table_notify(const struct nft_ctx
*ctx
, int event
)
427 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
431 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
435 err
= nf_tables_fill_table_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
436 event
, 0, ctx
->afi
->family
, ctx
->table
);
442 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
443 ctx
->report
, GFP_KERNEL
);
446 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
452 static int nf_tables_dump_tables(struct sk_buff
*skb
,
453 struct netlink_callback
*cb
)
455 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
456 const struct nft_af_info
*afi
;
457 const struct nft_table
*table
;
458 unsigned int idx
= 0, s_idx
= cb
->args
[0];
459 struct net
*net
= sock_net(skb
->sk
);
460 int family
= nfmsg
->nfgen_family
;
463 cb
->seq
= net
->nft
.base_seq
;
465 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
466 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
469 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
473 memset(&cb
->args
[1], 0,
474 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
475 if (!nft_is_active(net
, table
))
477 if (nf_tables_fill_table_info(skb
, net
,
478 NETLINK_CB(cb
->skb
).portid
,
482 afi
->family
, table
) < 0)
485 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
496 static int nf_tables_gettable(struct net
*net
, struct sock
*nlsk
,
497 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
498 const struct nlattr
* const nla
[])
500 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
501 u8 genmask
= nft_genmask_cur(net
);
502 const struct nft_af_info
*afi
;
503 const struct nft_table
*table
;
504 struct sk_buff
*skb2
;
505 int family
= nfmsg
->nfgen_family
;
508 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
509 struct netlink_dump_control c
= {
510 .dump
= nf_tables_dump_tables
,
512 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
515 afi
= nf_tables_afinfo_lookup(net
, family
, false);
519 table
= nf_tables_table_lookup(afi
, nla
[NFTA_TABLE_NAME
], genmask
);
521 return PTR_ERR(table
);
523 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
527 err
= nf_tables_fill_table_info(skb2
, net
, NETLINK_CB(skb
).portid
,
528 nlh
->nlmsg_seq
, NFT_MSG_NEWTABLE
, 0,
533 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
540 static int nf_tables_table_enable(struct net
*net
,
541 const struct nft_af_info
*afi
,
542 struct nft_table
*table
)
544 struct nft_chain
*chain
;
547 list_for_each_entry(chain
, &table
->chains
, list
) {
548 if (!nft_is_active_next(net
, chain
))
550 if (!(chain
->flags
& NFT_BASE_CHAIN
))
553 err
= nf_register_net_hooks(net
, nft_base_chain(chain
)->ops
,
562 list_for_each_entry(chain
, &table
->chains
, list
) {
563 if (!nft_is_active_next(net
, chain
))
565 if (!(chain
->flags
& NFT_BASE_CHAIN
))
571 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
,
577 static void nf_tables_table_disable(struct net
*net
,
578 const struct nft_af_info
*afi
,
579 struct nft_table
*table
)
581 struct nft_chain
*chain
;
583 list_for_each_entry(chain
, &table
->chains
, list
) {
584 if (!nft_is_active_next(net
, chain
))
586 if (!(chain
->flags
& NFT_BASE_CHAIN
))
589 nf_unregister_net_hooks(net
, nft_base_chain(chain
)->ops
,
594 static int nf_tables_updtable(struct nft_ctx
*ctx
)
596 struct nft_trans
*trans
;
600 if (!ctx
->nla
[NFTA_TABLE_FLAGS
])
603 flags
= ntohl(nla_get_be32(ctx
->nla
[NFTA_TABLE_FLAGS
]));
604 if (flags
& ~NFT_TABLE_F_DORMANT
)
607 if (flags
== ctx
->table
->flags
)
610 trans
= nft_trans_alloc(ctx
, NFT_MSG_NEWTABLE
,
611 sizeof(struct nft_trans_table
));
615 if ((flags
& NFT_TABLE_F_DORMANT
) &&
616 !(ctx
->table
->flags
& NFT_TABLE_F_DORMANT
)) {
617 nft_trans_table_enable(trans
) = false;
618 } else if (!(flags
& NFT_TABLE_F_DORMANT
) &&
619 ctx
->table
->flags
& NFT_TABLE_F_DORMANT
) {
620 ret
= nf_tables_table_enable(ctx
->net
, ctx
->afi
, ctx
->table
);
622 ctx
->table
->flags
&= ~NFT_TABLE_F_DORMANT
;
623 nft_trans_table_enable(trans
) = true;
629 nft_trans_table_update(trans
) = true;
630 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
633 nft_trans_destroy(trans
);
637 static int nf_tables_newtable(struct net
*net
, struct sock
*nlsk
,
638 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
639 const struct nlattr
* const nla
[])
641 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
642 u8 genmask
= nft_genmask_next(net
);
643 const struct nlattr
*name
;
644 struct nft_af_info
*afi
;
645 struct nft_table
*table
;
646 int family
= nfmsg
->nfgen_family
;
651 afi
= nf_tables_afinfo_lookup(net
, family
, true);
655 name
= nla
[NFTA_TABLE_NAME
];
656 table
= nf_tables_table_lookup(afi
, name
, genmask
);
658 if (PTR_ERR(table
) != -ENOENT
)
659 return PTR_ERR(table
);
664 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
666 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
669 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
670 return nf_tables_updtable(&ctx
);
673 if (nla
[NFTA_TABLE_FLAGS
]) {
674 flags
= ntohl(nla_get_be32(nla
[NFTA_TABLE_FLAGS
]));
675 if (flags
& ~NFT_TABLE_F_DORMANT
)
680 if (!try_module_get(afi
->owner
))
684 table
= kzalloc(sizeof(*table
), GFP_KERNEL
);
688 nla_strlcpy(table
->name
, name
, NFT_TABLE_MAXNAMELEN
);
689 INIT_LIST_HEAD(&table
->chains
);
690 INIT_LIST_HEAD(&table
->sets
);
691 table
->flags
= flags
;
693 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
694 err
= nft_trans_table_add(&ctx
, NFT_MSG_NEWTABLE
);
698 list_add_tail_rcu(&table
->list
, &afi
->tables
);
703 module_put(afi
->owner
);
708 static int nft_flush_table(struct nft_ctx
*ctx
)
711 struct nft_chain
*chain
, *nc
;
712 struct nft_set
*set
, *ns
;
714 list_for_each_entry(chain
, &ctx
->table
->chains
, list
) {
715 if (!nft_is_active_next(ctx
->net
, chain
))
720 err
= nft_delrule_by_chain(ctx
);
725 list_for_each_entry_safe(set
, ns
, &ctx
->table
->sets
, list
) {
726 if (!nft_is_active_next(ctx
->net
, set
))
729 if (set
->flags
& NFT_SET_ANONYMOUS
&&
730 !list_empty(&set
->bindings
))
733 err
= nft_delset(ctx
, set
);
738 list_for_each_entry_safe(chain
, nc
, &ctx
->table
->chains
, list
) {
739 if (!nft_is_active_next(ctx
->net
, chain
))
744 err
= nft_delchain(ctx
);
749 err
= nft_deltable(ctx
);
754 static int nft_flush(struct nft_ctx
*ctx
, int family
)
756 struct nft_af_info
*afi
;
757 struct nft_table
*table
, *nt
;
758 const struct nlattr
* const *nla
= ctx
->nla
;
761 list_for_each_entry(afi
, &ctx
->net
->nft
.af_info
, list
) {
762 if (family
!= AF_UNSPEC
&& afi
->family
!= family
)
766 list_for_each_entry_safe(table
, nt
, &afi
->tables
, list
) {
767 if (!nft_is_active_next(ctx
->net
, table
))
770 if (nla
[NFTA_TABLE_NAME
] &&
771 nla_strcmp(nla
[NFTA_TABLE_NAME
], table
->name
) != 0)
776 err
= nft_flush_table(ctx
);
785 static int nf_tables_deltable(struct net
*net
, struct sock
*nlsk
,
786 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
787 const struct nlattr
* const nla
[])
789 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
790 u8 genmask
= nft_genmask_next(net
);
791 struct nft_af_info
*afi
;
792 struct nft_table
*table
;
793 int family
= nfmsg
->nfgen_family
;
796 nft_ctx_init(&ctx
, net
, skb
, nlh
, NULL
, NULL
, NULL
, nla
);
797 if (family
== AF_UNSPEC
|| nla
[NFTA_TABLE_NAME
] == NULL
)
798 return nft_flush(&ctx
, family
);
800 afi
= nf_tables_afinfo_lookup(net
, family
, false);
804 table
= nf_tables_table_lookup(afi
, nla
[NFTA_TABLE_NAME
], genmask
);
806 return PTR_ERR(table
);
811 return nft_flush_table(&ctx
);
814 static void nf_tables_table_destroy(struct nft_ctx
*ctx
)
816 BUG_ON(ctx
->table
->use
> 0);
819 module_put(ctx
->afi
->owner
);
822 int nft_register_chain_type(const struct nf_chain_type
*ctype
)
826 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
827 if (chain_type
[ctype
->family
][ctype
->type
] != NULL
) {
831 chain_type
[ctype
->family
][ctype
->type
] = ctype
;
833 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
836 EXPORT_SYMBOL_GPL(nft_register_chain_type
);
838 void nft_unregister_chain_type(const struct nf_chain_type
*ctype
)
840 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
841 chain_type
[ctype
->family
][ctype
->type
] = NULL
;
842 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
844 EXPORT_SYMBOL_GPL(nft_unregister_chain_type
);
850 static struct nft_chain
*
851 nf_tables_chain_lookup_byhandle(const struct nft_table
*table
, u64 handle
,
854 struct nft_chain
*chain
;
856 list_for_each_entry(chain
, &table
->chains
, list
) {
857 if (chain
->handle
== handle
&&
858 nft_active_genmask(chain
, genmask
))
862 return ERR_PTR(-ENOENT
);
865 static struct nft_chain
*nf_tables_chain_lookup(const struct nft_table
*table
,
866 const struct nlattr
*nla
,
869 struct nft_chain
*chain
;
872 return ERR_PTR(-EINVAL
);
874 list_for_each_entry(chain
, &table
->chains
, list
) {
875 if (!nla_strcmp(nla
, chain
->name
) &&
876 nft_active_genmask(chain
, genmask
))
880 return ERR_PTR(-ENOENT
);
883 static const struct nla_policy nft_chain_policy
[NFTA_CHAIN_MAX
+ 1] = {
884 [NFTA_CHAIN_TABLE
] = { .type
= NLA_STRING
},
885 [NFTA_CHAIN_HANDLE
] = { .type
= NLA_U64
},
886 [NFTA_CHAIN_NAME
] = { .type
= NLA_STRING
,
887 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
888 [NFTA_CHAIN_HOOK
] = { .type
= NLA_NESTED
},
889 [NFTA_CHAIN_POLICY
] = { .type
= NLA_U32
},
890 [NFTA_CHAIN_TYPE
] = { .type
= NLA_STRING
},
891 [NFTA_CHAIN_COUNTERS
] = { .type
= NLA_NESTED
},
894 static const struct nla_policy nft_hook_policy
[NFTA_HOOK_MAX
+ 1] = {
895 [NFTA_HOOK_HOOKNUM
] = { .type
= NLA_U32
},
896 [NFTA_HOOK_PRIORITY
] = { .type
= NLA_U32
},
897 [NFTA_HOOK_DEV
] = { .type
= NLA_STRING
,
898 .len
= IFNAMSIZ
- 1 },
901 static int nft_dump_stats(struct sk_buff
*skb
, struct nft_stats __percpu
*stats
)
903 struct nft_stats
*cpu_stats
, total
;
909 memset(&total
, 0, sizeof(total
));
910 for_each_possible_cpu(cpu
) {
911 cpu_stats
= per_cpu_ptr(stats
, cpu
);
913 seq
= u64_stats_fetch_begin_irq(&cpu_stats
->syncp
);
914 pkts
= cpu_stats
->pkts
;
915 bytes
= cpu_stats
->bytes
;
916 } while (u64_stats_fetch_retry_irq(&cpu_stats
->syncp
, seq
));
918 total
.bytes
+= bytes
;
920 nest
= nla_nest_start(skb
, NFTA_CHAIN_COUNTERS
);
922 goto nla_put_failure
;
924 if (nla_put_be64(skb
, NFTA_COUNTER_PACKETS
, cpu_to_be64(total
.pkts
),
926 nla_put_be64(skb
, NFTA_COUNTER_BYTES
, cpu_to_be64(total
.bytes
),
928 goto nla_put_failure
;
930 nla_nest_end(skb
, nest
);
937 static int nf_tables_fill_chain_info(struct sk_buff
*skb
, struct net
*net
,
938 u32 portid
, u32 seq
, int event
, u32 flags
,
939 int family
, const struct nft_table
*table
,
940 const struct nft_chain
*chain
)
942 struct nlmsghdr
*nlh
;
943 struct nfgenmsg
*nfmsg
;
945 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
946 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), flags
);
948 goto nla_put_failure
;
950 nfmsg
= nlmsg_data(nlh
);
951 nfmsg
->nfgen_family
= family
;
952 nfmsg
->version
= NFNETLINK_V0
;
953 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
955 if (nla_put_string(skb
, NFTA_CHAIN_TABLE
, table
->name
))
956 goto nla_put_failure
;
957 if (nla_put_be64(skb
, NFTA_CHAIN_HANDLE
, cpu_to_be64(chain
->handle
),
959 goto nla_put_failure
;
960 if (nla_put_string(skb
, NFTA_CHAIN_NAME
, chain
->name
))
961 goto nla_put_failure
;
963 if (chain
->flags
& NFT_BASE_CHAIN
) {
964 const struct nft_base_chain
*basechain
= nft_base_chain(chain
);
965 const struct nf_hook_ops
*ops
= &basechain
->ops
[0];
968 nest
= nla_nest_start(skb
, NFTA_CHAIN_HOOK
);
970 goto nla_put_failure
;
971 if (nla_put_be32(skb
, NFTA_HOOK_HOOKNUM
, htonl(ops
->hooknum
)))
972 goto nla_put_failure
;
973 if (nla_put_be32(skb
, NFTA_HOOK_PRIORITY
, htonl(ops
->priority
)))
974 goto nla_put_failure
;
975 if (basechain
->dev_name
[0] &&
976 nla_put_string(skb
, NFTA_HOOK_DEV
, basechain
->dev_name
))
977 goto nla_put_failure
;
978 nla_nest_end(skb
, nest
);
980 if (nla_put_be32(skb
, NFTA_CHAIN_POLICY
,
981 htonl(basechain
->policy
)))
982 goto nla_put_failure
;
984 if (nla_put_string(skb
, NFTA_CHAIN_TYPE
, basechain
->type
->name
))
985 goto nla_put_failure
;
987 if (nft_dump_stats(skb
, nft_base_chain(chain
)->stats
))
988 goto nla_put_failure
;
991 if (nla_put_be32(skb
, NFTA_CHAIN_USE
, htonl(chain
->use
)))
992 goto nla_put_failure
;
998 nlmsg_trim(skb
, nlh
);
1002 static int nf_tables_chain_notify(const struct nft_ctx
*ctx
, int event
)
1004 struct sk_buff
*skb
;
1008 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1012 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1016 err
= nf_tables_fill_chain_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1017 event
, 0, ctx
->afi
->family
, ctx
->table
,
1024 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1025 ctx
->report
, GFP_KERNEL
);
1028 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1034 static int nf_tables_dump_chains(struct sk_buff
*skb
,
1035 struct netlink_callback
*cb
)
1037 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1038 const struct nft_af_info
*afi
;
1039 const struct nft_table
*table
;
1040 const struct nft_chain
*chain
;
1041 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1042 struct net
*net
= sock_net(skb
->sk
);
1043 int family
= nfmsg
->nfgen_family
;
1046 cb
->seq
= net
->nft
.base_seq
;
1048 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
1049 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
1052 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
1053 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1057 memset(&cb
->args
[1], 0,
1058 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1059 if (!nft_is_active(net
, chain
))
1061 if (nf_tables_fill_chain_info(skb
, net
,
1062 NETLINK_CB(cb
->skb
).portid
,
1066 afi
->family
, table
, chain
) < 0)
1069 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
1081 static int nf_tables_getchain(struct net
*net
, struct sock
*nlsk
,
1082 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1083 const struct nlattr
* const nla
[])
1085 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1086 u8 genmask
= nft_genmask_cur(net
);
1087 const struct nft_af_info
*afi
;
1088 const struct nft_table
*table
;
1089 const struct nft_chain
*chain
;
1090 struct sk_buff
*skb2
;
1091 int family
= nfmsg
->nfgen_family
;
1094 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1095 struct netlink_dump_control c
= {
1096 .dump
= nf_tables_dump_chains
,
1098 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
1101 afi
= nf_tables_afinfo_lookup(net
, family
, false);
1103 return PTR_ERR(afi
);
1105 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1107 return PTR_ERR(table
);
1109 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1111 return PTR_ERR(chain
);
1113 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
1117 err
= nf_tables_fill_chain_info(skb2
, net
, NETLINK_CB(skb
).portid
,
1118 nlh
->nlmsg_seq
, NFT_MSG_NEWCHAIN
, 0,
1119 family
, table
, chain
);
1123 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
1130 static const struct nla_policy nft_counter_policy
[NFTA_COUNTER_MAX
+ 1] = {
1131 [NFTA_COUNTER_PACKETS
] = { .type
= NLA_U64
},
1132 [NFTA_COUNTER_BYTES
] = { .type
= NLA_U64
},
1135 static struct nft_stats __percpu
*nft_stats_alloc(const struct nlattr
*attr
)
1137 struct nlattr
*tb
[NFTA_COUNTER_MAX
+1];
1138 struct nft_stats __percpu
*newstats
;
1139 struct nft_stats
*stats
;
1142 err
= nla_parse_nested(tb
, NFTA_COUNTER_MAX
, attr
, nft_counter_policy
);
1144 return ERR_PTR(err
);
1146 if (!tb
[NFTA_COUNTER_BYTES
] || !tb
[NFTA_COUNTER_PACKETS
])
1147 return ERR_PTR(-EINVAL
);
1149 newstats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1150 if (newstats
== NULL
)
1151 return ERR_PTR(-ENOMEM
);
1153 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1154 * are not exposed to userspace.
1157 stats
= this_cpu_ptr(newstats
);
1158 stats
->bytes
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_BYTES
]));
1159 stats
->pkts
= be64_to_cpu(nla_get_be64(tb
[NFTA_COUNTER_PACKETS
]));
1165 static void nft_chain_stats_replace(struct nft_base_chain
*chain
,
1166 struct nft_stats __percpu
*newstats
)
1168 if (newstats
== NULL
)
1172 struct nft_stats __percpu
*oldstats
=
1173 nft_dereference(chain
->stats
);
1175 rcu_assign_pointer(chain
->stats
, newstats
);
1177 free_percpu(oldstats
);
1179 rcu_assign_pointer(chain
->stats
, newstats
);
1182 static void nf_tables_chain_destroy(struct nft_chain
*chain
)
1184 BUG_ON(chain
->use
> 0);
1186 if (chain
->flags
& NFT_BASE_CHAIN
) {
1187 struct nft_base_chain
*basechain
= nft_base_chain(chain
);
1189 module_put(basechain
->type
->owner
);
1190 free_percpu(basechain
->stats
);
1191 if (basechain
->ops
[0].dev
!= NULL
)
1192 dev_put(basechain
->ops
[0].dev
);
1199 struct nft_chain_hook
{
1202 const struct nf_chain_type
*type
;
1203 struct net_device
*dev
;
1206 static int nft_chain_parse_hook(struct net
*net
,
1207 const struct nlattr
* const nla
[],
1208 struct nft_af_info
*afi
,
1209 struct nft_chain_hook
*hook
, bool create
)
1211 struct nlattr
*ha
[NFTA_HOOK_MAX
+ 1];
1212 const struct nf_chain_type
*type
;
1213 struct net_device
*dev
;
1216 err
= nla_parse_nested(ha
, NFTA_HOOK_MAX
, nla
[NFTA_CHAIN_HOOK
],
1221 if (ha
[NFTA_HOOK_HOOKNUM
] == NULL
||
1222 ha
[NFTA_HOOK_PRIORITY
] == NULL
)
1225 hook
->num
= ntohl(nla_get_be32(ha
[NFTA_HOOK_HOOKNUM
]));
1226 if (hook
->num
>= afi
->nhooks
)
1229 hook
->priority
= ntohl(nla_get_be32(ha
[NFTA_HOOK_PRIORITY
]));
1231 type
= chain_type
[afi
->family
][NFT_CHAIN_T_DEFAULT
];
1232 if (nla
[NFTA_CHAIN_TYPE
]) {
1233 type
= nf_tables_chain_type_lookup(afi
, nla
[NFTA_CHAIN_TYPE
],
1236 return PTR_ERR(type
);
1238 if (!(type
->hook_mask
& (1 << hook
->num
)))
1240 if (!try_module_get(type
->owner
))
1246 if (afi
->flags
& NFT_AF_NEEDS_DEV
) {
1247 char ifname
[IFNAMSIZ
];
1249 if (!ha
[NFTA_HOOK_DEV
]) {
1250 module_put(type
->owner
);
1254 nla_strlcpy(ifname
, ha
[NFTA_HOOK_DEV
], IFNAMSIZ
);
1255 dev
= dev_get_by_name(net
, ifname
);
1257 module_put(type
->owner
);
1261 } else if (ha
[NFTA_HOOK_DEV
]) {
1262 module_put(type
->owner
);
1269 static void nft_chain_release_hook(struct nft_chain_hook
*hook
)
1271 module_put(hook
->type
->owner
);
1272 if (hook
->dev
!= NULL
)
1276 static int nf_tables_newchain(struct net
*net
, struct sock
*nlsk
,
1277 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1278 const struct nlattr
* const nla
[])
1280 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1281 const struct nlattr
* uninitialized_var(name
);
1282 struct nft_af_info
*afi
;
1283 struct nft_table
*table
;
1284 struct nft_chain
*chain
;
1285 struct nft_base_chain
*basechain
= NULL
;
1286 u8 genmask
= nft_genmask_next(net
);
1287 int family
= nfmsg
->nfgen_family
;
1288 u8 policy
= NF_ACCEPT
;
1291 struct nft_stats __percpu
*stats
;
1296 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
1298 afi
= nf_tables_afinfo_lookup(net
, family
, true);
1300 return PTR_ERR(afi
);
1302 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1304 return PTR_ERR(table
);
1307 name
= nla
[NFTA_CHAIN_NAME
];
1309 if (nla
[NFTA_CHAIN_HANDLE
]) {
1310 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_CHAIN_HANDLE
]));
1311 chain
= nf_tables_chain_lookup_byhandle(table
, handle
, genmask
);
1313 return PTR_ERR(chain
);
1315 chain
= nf_tables_chain_lookup(table
, name
, genmask
);
1316 if (IS_ERR(chain
)) {
1317 if (PTR_ERR(chain
) != -ENOENT
)
1318 return PTR_ERR(chain
);
1323 if (nla
[NFTA_CHAIN_POLICY
]) {
1324 if ((chain
!= NULL
&&
1325 !(chain
->flags
& NFT_BASE_CHAIN
)))
1328 if (chain
== NULL
&&
1329 nla
[NFTA_CHAIN_HOOK
] == NULL
)
1332 policy
= ntohl(nla_get_be32(nla
[NFTA_CHAIN_POLICY
]));
1342 if (chain
!= NULL
) {
1343 struct nft_stats
*stats
= NULL
;
1344 struct nft_trans
*trans
;
1346 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
1348 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
1351 if (nla
[NFTA_CHAIN_HOOK
]) {
1352 struct nft_base_chain
*basechain
;
1353 struct nft_chain_hook hook
;
1354 struct nf_hook_ops
*ops
;
1356 if (!(chain
->flags
& NFT_BASE_CHAIN
))
1359 err
= nft_chain_parse_hook(net
, nla
, afi
, &hook
,
1364 basechain
= nft_base_chain(chain
);
1365 if (basechain
->type
!= hook
.type
) {
1366 nft_chain_release_hook(&hook
);
1370 for (i
= 0; i
< afi
->nops
; i
++) {
1371 ops
= &basechain
->ops
[i
];
1372 if (ops
->hooknum
!= hook
.num
||
1373 ops
->priority
!= hook
.priority
||
1374 ops
->dev
!= hook
.dev
) {
1375 nft_chain_release_hook(&hook
);
1379 nft_chain_release_hook(&hook
);
1382 if (nla
[NFTA_CHAIN_HANDLE
] && name
) {
1383 struct nft_chain
*chain2
;
1385 chain2
= nf_tables_chain_lookup(table
,
1386 nla
[NFTA_CHAIN_NAME
],
1389 return PTR_ERR(chain2
);
1392 if (nla
[NFTA_CHAIN_COUNTERS
]) {
1393 if (!(chain
->flags
& NFT_BASE_CHAIN
))
1396 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
1398 return PTR_ERR(stats
);
1401 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1402 trans
= nft_trans_alloc(&ctx
, NFT_MSG_NEWCHAIN
,
1403 sizeof(struct nft_trans_chain
));
1404 if (trans
== NULL
) {
1409 nft_trans_chain_stats(trans
) = stats
;
1410 nft_trans_chain_update(trans
) = true;
1412 if (nla
[NFTA_CHAIN_POLICY
])
1413 nft_trans_chain_policy(trans
) = policy
;
1415 nft_trans_chain_policy(trans
) = -1;
1417 if (nla
[NFTA_CHAIN_HANDLE
] && name
) {
1418 nla_strlcpy(nft_trans_chain_name(trans
), name
,
1419 NFT_CHAIN_MAXNAMELEN
);
1421 list_add_tail(&trans
->list
, &net
->nft
.commit_list
);
1425 if (table
->use
== UINT_MAX
)
1428 if (nla
[NFTA_CHAIN_HOOK
]) {
1429 struct nft_chain_hook hook
;
1430 struct nf_hook_ops
*ops
;
1433 err
= nft_chain_parse_hook(net
, nla
, afi
, &hook
, create
);
1437 basechain
= kzalloc(sizeof(*basechain
), GFP_KERNEL
);
1438 if (basechain
== NULL
) {
1439 nft_chain_release_hook(&hook
);
1443 if (hook
.dev
!= NULL
)
1444 strncpy(basechain
->dev_name
, hook
.dev
->name
, IFNAMSIZ
);
1446 if (nla
[NFTA_CHAIN_COUNTERS
]) {
1447 stats
= nft_stats_alloc(nla
[NFTA_CHAIN_COUNTERS
]);
1448 if (IS_ERR(stats
)) {
1449 nft_chain_release_hook(&hook
);
1451 return PTR_ERR(stats
);
1453 basechain
->stats
= stats
;
1455 stats
= netdev_alloc_pcpu_stats(struct nft_stats
);
1456 if (stats
== NULL
) {
1457 nft_chain_release_hook(&hook
);
1461 rcu_assign_pointer(basechain
->stats
, stats
);
1464 hookfn
= hook
.type
->hooks
[hook
.num
];
1465 basechain
->type
= hook
.type
;
1466 chain
= &basechain
->chain
;
1468 for (i
= 0; i
< afi
->nops
; i
++) {
1469 ops
= &basechain
->ops
[i
];
1471 ops
->hooknum
= hook
.num
;
1472 ops
->priority
= hook
.priority
;
1474 ops
->hook
= afi
->hooks
[ops
->hooknum
];
1475 ops
->dev
= hook
.dev
;
1478 if (afi
->hook_ops_init
)
1479 afi
->hook_ops_init(ops
, i
);
1482 chain
->flags
|= NFT_BASE_CHAIN
;
1483 basechain
->policy
= policy
;
1485 chain
= kzalloc(sizeof(*chain
), GFP_KERNEL
);
1490 INIT_LIST_HEAD(&chain
->rules
);
1491 chain
->handle
= nf_tables_alloc_handle(table
);
1492 chain
->table
= table
;
1493 nla_strlcpy(chain
->name
, name
, NFT_CHAIN_MAXNAMELEN
);
1495 err
= nf_tables_register_hooks(net
, table
, chain
, afi
->nops
);
1499 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1500 err
= nft_trans_chain_add(&ctx
, NFT_MSG_NEWCHAIN
);
1505 list_add_tail_rcu(&chain
->list
, &table
->chains
);
1508 nf_tables_unregister_hooks(net
, table
, chain
, afi
->nops
);
1510 nf_tables_chain_destroy(chain
);
1514 static int nf_tables_delchain(struct net
*net
, struct sock
*nlsk
,
1515 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1516 const struct nlattr
* const nla
[])
1518 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1519 u8 genmask
= nft_genmask_next(net
);
1520 struct nft_af_info
*afi
;
1521 struct nft_table
*table
;
1522 struct nft_chain
*chain
;
1523 int family
= nfmsg
->nfgen_family
;
1526 afi
= nf_tables_afinfo_lookup(net
, family
, false);
1528 return PTR_ERR(afi
);
1530 table
= nf_tables_table_lookup(afi
, nla
[NFTA_CHAIN_TABLE
], genmask
);
1532 return PTR_ERR(table
);
1534 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_CHAIN_NAME
], genmask
);
1536 return PTR_ERR(chain
);
1540 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
1542 return nft_delchain(&ctx
);
1550 * nft_register_expr - register nf_tables expr type
1553 * Registers the expr type for use with nf_tables. Returns zero on
1554 * success or a negative errno code otherwise.
1556 int nft_register_expr(struct nft_expr_type
*type
)
1558 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1559 if (type
->family
== NFPROTO_UNSPEC
)
1560 list_add_tail_rcu(&type
->list
, &nf_tables_expressions
);
1562 list_add_rcu(&type
->list
, &nf_tables_expressions
);
1563 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1566 EXPORT_SYMBOL_GPL(nft_register_expr
);
1569 * nft_unregister_expr - unregister nf_tables expr type
1572 * Unregisters the expr typefor use with nf_tables.
1574 void nft_unregister_expr(struct nft_expr_type
*type
)
1576 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1577 list_del_rcu(&type
->list
);
1578 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1580 EXPORT_SYMBOL_GPL(nft_unregister_expr
);
1582 static const struct nft_expr_type
*__nft_expr_type_get(u8 family
,
1585 const struct nft_expr_type
*type
;
1587 list_for_each_entry(type
, &nf_tables_expressions
, list
) {
1588 if (!nla_strcmp(nla
, type
->name
) &&
1589 (!type
->family
|| type
->family
== family
))
1595 static const struct nft_expr_type
*nft_expr_type_get(u8 family
,
1598 const struct nft_expr_type
*type
;
1601 return ERR_PTR(-EINVAL
);
1603 type
= __nft_expr_type_get(family
, nla
);
1604 if (type
!= NULL
&& try_module_get(type
->owner
))
1607 #ifdef CONFIG_MODULES
1609 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1610 request_module("nft-expr-%u-%.*s", family
,
1611 nla_len(nla
), (char *)nla_data(nla
));
1612 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1613 if (__nft_expr_type_get(family
, nla
))
1614 return ERR_PTR(-EAGAIN
);
1616 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
1617 request_module("nft-expr-%.*s",
1618 nla_len(nla
), (char *)nla_data(nla
));
1619 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
1620 if (__nft_expr_type_get(family
, nla
))
1621 return ERR_PTR(-EAGAIN
);
1624 return ERR_PTR(-ENOENT
);
1627 static const struct nla_policy nft_expr_policy
[NFTA_EXPR_MAX
+ 1] = {
1628 [NFTA_EXPR_NAME
] = { .type
= NLA_STRING
},
1629 [NFTA_EXPR_DATA
] = { .type
= NLA_NESTED
},
1632 static int nf_tables_fill_expr_info(struct sk_buff
*skb
,
1633 const struct nft_expr
*expr
)
1635 if (nla_put_string(skb
, NFTA_EXPR_NAME
, expr
->ops
->type
->name
))
1636 goto nla_put_failure
;
1638 if (expr
->ops
->dump
) {
1639 struct nlattr
*data
= nla_nest_start(skb
, NFTA_EXPR_DATA
);
1641 goto nla_put_failure
;
1642 if (expr
->ops
->dump(skb
, expr
) < 0)
1643 goto nla_put_failure
;
1644 nla_nest_end(skb
, data
);
1653 int nft_expr_dump(struct sk_buff
*skb
, unsigned int attr
,
1654 const struct nft_expr
*expr
)
1656 struct nlattr
*nest
;
1658 nest
= nla_nest_start(skb
, attr
);
1660 goto nla_put_failure
;
1661 if (nf_tables_fill_expr_info(skb
, expr
) < 0)
1662 goto nla_put_failure
;
1663 nla_nest_end(skb
, nest
);
1670 struct nft_expr_info
{
1671 const struct nft_expr_ops
*ops
;
1672 struct nlattr
*tb
[NFT_EXPR_MAXATTR
+ 1];
1675 static int nf_tables_expr_parse(const struct nft_ctx
*ctx
,
1676 const struct nlattr
*nla
,
1677 struct nft_expr_info
*info
)
1679 const struct nft_expr_type
*type
;
1680 const struct nft_expr_ops
*ops
;
1681 struct nlattr
*tb
[NFTA_EXPR_MAX
+ 1];
1684 err
= nla_parse_nested(tb
, NFTA_EXPR_MAX
, nla
, nft_expr_policy
);
1688 type
= nft_expr_type_get(ctx
->afi
->family
, tb
[NFTA_EXPR_NAME
]);
1690 return PTR_ERR(type
);
1692 if (tb
[NFTA_EXPR_DATA
]) {
1693 err
= nla_parse_nested(info
->tb
, type
->maxattr
,
1694 tb
[NFTA_EXPR_DATA
], type
->policy
);
1698 memset(info
->tb
, 0, sizeof(info
->tb
[0]) * (type
->maxattr
+ 1));
1700 if (type
->select_ops
!= NULL
) {
1701 ops
= type
->select_ops(ctx
,
1702 (const struct nlattr
* const *)info
->tb
);
1714 module_put(type
->owner
);
1718 static int nf_tables_newexpr(const struct nft_ctx
*ctx
,
1719 const struct nft_expr_info
*info
,
1720 struct nft_expr
*expr
)
1722 const struct nft_expr_ops
*ops
= info
->ops
;
1727 err
= ops
->init(ctx
, expr
, (const struct nlattr
**)info
->tb
);
1739 static void nf_tables_expr_destroy(const struct nft_ctx
*ctx
,
1740 struct nft_expr
*expr
)
1742 if (expr
->ops
->destroy
)
1743 expr
->ops
->destroy(ctx
, expr
);
1744 module_put(expr
->ops
->type
->owner
);
1747 struct nft_expr
*nft_expr_init(const struct nft_ctx
*ctx
,
1748 const struct nlattr
*nla
)
1750 struct nft_expr_info info
;
1751 struct nft_expr
*expr
;
1754 err
= nf_tables_expr_parse(ctx
, nla
, &info
);
1759 expr
= kzalloc(info
.ops
->size
, GFP_KERNEL
);
1763 err
= nf_tables_newexpr(ctx
, &info
, expr
);
1771 module_put(info
.ops
->type
->owner
);
1773 return ERR_PTR(err
);
1776 void nft_expr_destroy(const struct nft_ctx
*ctx
, struct nft_expr
*expr
)
1778 nf_tables_expr_destroy(ctx
, expr
);
1786 static struct nft_rule
*__nf_tables_rule_lookup(const struct nft_chain
*chain
,
1789 struct nft_rule
*rule
;
1791 // FIXME: this sucks
1792 list_for_each_entry(rule
, &chain
->rules
, list
) {
1793 if (handle
== rule
->handle
)
1797 return ERR_PTR(-ENOENT
);
1800 static struct nft_rule
*nf_tables_rule_lookup(const struct nft_chain
*chain
,
1801 const struct nlattr
*nla
)
1804 return ERR_PTR(-EINVAL
);
1806 return __nf_tables_rule_lookup(chain
, be64_to_cpu(nla_get_be64(nla
)));
1809 static const struct nla_policy nft_rule_policy
[NFTA_RULE_MAX
+ 1] = {
1810 [NFTA_RULE_TABLE
] = { .type
= NLA_STRING
},
1811 [NFTA_RULE_CHAIN
] = { .type
= NLA_STRING
,
1812 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
1813 [NFTA_RULE_HANDLE
] = { .type
= NLA_U64
},
1814 [NFTA_RULE_EXPRESSIONS
] = { .type
= NLA_NESTED
},
1815 [NFTA_RULE_COMPAT
] = { .type
= NLA_NESTED
},
1816 [NFTA_RULE_POSITION
] = { .type
= NLA_U64
},
1817 [NFTA_RULE_USERDATA
] = { .type
= NLA_BINARY
,
1818 .len
= NFT_USERDATA_MAXLEN
},
1821 static int nf_tables_fill_rule_info(struct sk_buff
*skb
, struct net
*net
,
1822 u32 portid
, u32 seq
, int event
,
1823 u32 flags
, int family
,
1824 const struct nft_table
*table
,
1825 const struct nft_chain
*chain
,
1826 const struct nft_rule
*rule
)
1828 struct nlmsghdr
*nlh
;
1829 struct nfgenmsg
*nfmsg
;
1830 const struct nft_expr
*expr
, *next
;
1831 struct nlattr
*list
;
1832 const struct nft_rule
*prule
;
1833 int type
= event
| NFNL_SUBSYS_NFTABLES
<< 8;
1835 nlh
= nlmsg_put(skb
, portid
, seq
, type
, sizeof(struct nfgenmsg
),
1838 goto nla_put_failure
;
1840 nfmsg
= nlmsg_data(nlh
);
1841 nfmsg
->nfgen_family
= family
;
1842 nfmsg
->version
= NFNETLINK_V0
;
1843 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
1845 if (nla_put_string(skb
, NFTA_RULE_TABLE
, table
->name
))
1846 goto nla_put_failure
;
1847 if (nla_put_string(skb
, NFTA_RULE_CHAIN
, chain
->name
))
1848 goto nla_put_failure
;
1849 if (nla_put_be64(skb
, NFTA_RULE_HANDLE
, cpu_to_be64(rule
->handle
),
1851 goto nla_put_failure
;
1853 if ((event
!= NFT_MSG_DELRULE
) && (rule
->list
.prev
!= &chain
->rules
)) {
1854 prule
= list_entry(rule
->list
.prev
, struct nft_rule
, list
);
1855 if (nla_put_be64(skb
, NFTA_RULE_POSITION
,
1856 cpu_to_be64(prule
->handle
),
1858 goto nla_put_failure
;
1861 list
= nla_nest_start(skb
, NFTA_RULE_EXPRESSIONS
);
1863 goto nla_put_failure
;
1864 nft_rule_for_each_expr(expr
, next
, rule
) {
1865 if (nft_expr_dump(skb
, NFTA_LIST_ELEM
, expr
) < 0)
1866 goto nla_put_failure
;
1868 nla_nest_end(skb
, list
);
1871 struct nft_userdata
*udata
= nft_userdata(rule
);
1872 if (nla_put(skb
, NFTA_RULE_USERDATA
, udata
->len
+ 1,
1874 goto nla_put_failure
;
1877 nlmsg_end(skb
, nlh
);
1881 nlmsg_trim(skb
, nlh
);
1885 static int nf_tables_rule_notify(const struct nft_ctx
*ctx
,
1886 const struct nft_rule
*rule
,
1889 struct sk_buff
*skb
;
1893 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
1897 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
1901 err
= nf_tables_fill_rule_info(skb
, ctx
->net
, ctx
->portid
, ctx
->seq
,
1902 event
, 0, ctx
->afi
->family
, ctx
->table
,
1909 err
= nfnetlink_send(skb
, ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1910 ctx
->report
, GFP_KERNEL
);
1913 nfnetlink_set_err(ctx
->net
, ctx
->portid
, NFNLGRP_NFTABLES
,
1919 struct nft_rule_dump_ctx
{
1920 char table
[NFT_TABLE_MAXNAMELEN
];
1921 char chain
[NFT_CHAIN_MAXNAMELEN
];
1924 static int nf_tables_dump_rules(struct sk_buff
*skb
,
1925 struct netlink_callback
*cb
)
1927 const struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1928 const struct nft_rule_dump_ctx
*ctx
= cb
->data
;
1929 const struct nft_af_info
*afi
;
1930 const struct nft_table
*table
;
1931 const struct nft_chain
*chain
;
1932 const struct nft_rule
*rule
;
1933 unsigned int idx
= 0, s_idx
= cb
->args
[0];
1934 struct net
*net
= sock_net(skb
->sk
);
1935 int family
= nfmsg
->nfgen_family
;
1938 cb
->seq
= net
->nft
.base_seq
;
1940 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
1941 if (family
!= NFPROTO_UNSPEC
&& family
!= afi
->family
)
1944 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
1945 if (ctx
&& ctx
->table
[0] &&
1946 strcmp(ctx
->table
, table
->name
) != 0)
1949 list_for_each_entry_rcu(chain
, &table
->chains
, list
) {
1950 if (ctx
&& ctx
->chain
[0] &&
1951 strcmp(ctx
->chain
, chain
->name
) != 0)
1954 list_for_each_entry_rcu(rule
, &chain
->rules
, list
) {
1955 if (!nft_is_active(net
, rule
))
1960 memset(&cb
->args
[1], 0,
1961 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1962 if (nf_tables_fill_rule_info(skb
, net
, NETLINK_CB(cb
->skb
).portid
,
1965 NLM_F_MULTI
| NLM_F_APPEND
,
1966 afi
->family
, table
, chain
, rule
) < 0)
1969 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
1983 static int nf_tables_dump_rules_done(struct netlink_callback
*cb
)
1989 static int nf_tables_getrule(struct net
*net
, struct sock
*nlsk
,
1990 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
1991 const struct nlattr
* const nla
[])
1993 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1994 u8 genmask
= nft_genmask_cur(net
);
1995 const struct nft_af_info
*afi
;
1996 const struct nft_table
*table
;
1997 const struct nft_chain
*chain
;
1998 const struct nft_rule
*rule
;
1999 struct sk_buff
*skb2
;
2000 int family
= nfmsg
->nfgen_family
;
2003 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
2004 struct netlink_dump_control c
= {
2005 .dump
= nf_tables_dump_rules
,
2006 .done
= nf_tables_dump_rules_done
,
2009 if (nla
[NFTA_RULE_TABLE
] || nla
[NFTA_RULE_CHAIN
]) {
2010 struct nft_rule_dump_ctx
*ctx
;
2012 ctx
= kzalloc(sizeof(*ctx
), GFP_KERNEL
);
2016 if (nla
[NFTA_RULE_TABLE
])
2017 nla_strlcpy(ctx
->table
, nla
[NFTA_RULE_TABLE
],
2018 sizeof(ctx
->table
));
2019 if (nla
[NFTA_RULE_CHAIN
])
2020 nla_strlcpy(ctx
->chain
, nla
[NFTA_RULE_CHAIN
],
2021 sizeof(ctx
->chain
));
2025 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
2028 afi
= nf_tables_afinfo_lookup(net
, family
, false);
2030 return PTR_ERR(afi
);
2032 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2034 return PTR_ERR(table
);
2036 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
], genmask
);
2038 return PTR_ERR(chain
);
2040 rule
= nf_tables_rule_lookup(chain
, nla
[NFTA_RULE_HANDLE
]);
2042 return PTR_ERR(rule
);
2044 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
2048 err
= nf_tables_fill_rule_info(skb2
, net
, NETLINK_CB(skb
).portid
,
2049 nlh
->nlmsg_seq
, NFT_MSG_NEWRULE
, 0,
2050 family
, table
, chain
, rule
);
2054 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
2061 static void nf_tables_rule_destroy(const struct nft_ctx
*ctx
,
2062 struct nft_rule
*rule
)
2064 struct nft_expr
*expr
;
2067 * Careful: some expressions might not be initialized in case this
2068 * is called on error from nf_tables_newrule().
2070 expr
= nft_expr_first(rule
);
2071 while (expr
->ops
&& expr
!= nft_expr_last(rule
)) {
2072 nf_tables_expr_destroy(ctx
, expr
);
2073 expr
= nft_expr_next(expr
);
2078 #define NFT_RULE_MAXEXPRS 128
2080 static struct nft_expr_info
*info
;
2082 static int nf_tables_newrule(struct net
*net
, struct sock
*nlsk
,
2083 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2084 const struct nlattr
* const nla
[])
2086 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2087 u8 genmask
= nft_genmask_next(net
);
2088 struct nft_af_info
*afi
;
2089 struct nft_table
*table
;
2090 struct nft_chain
*chain
;
2091 struct nft_rule
*rule
, *old_rule
= NULL
;
2092 struct nft_userdata
*udata
;
2093 struct nft_trans
*trans
= NULL
;
2094 struct nft_expr
*expr
;
2097 unsigned int size
, i
, n
, ulen
= 0, usize
= 0;
2100 u64 handle
, pos_handle
;
2102 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
2104 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, create
);
2106 return PTR_ERR(afi
);
2108 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2110 return PTR_ERR(table
);
2112 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
], genmask
);
2114 return PTR_ERR(chain
);
2116 if (nla
[NFTA_RULE_HANDLE
]) {
2117 handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_HANDLE
]));
2118 rule
= __nf_tables_rule_lookup(chain
, handle
);
2120 return PTR_ERR(rule
);
2122 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
2124 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2129 if (!create
|| nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2131 handle
= nf_tables_alloc_handle(table
);
2133 if (chain
->use
== UINT_MAX
)
2137 if (nla
[NFTA_RULE_POSITION
]) {
2138 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
2141 pos_handle
= be64_to_cpu(nla_get_be64(nla
[NFTA_RULE_POSITION
]));
2142 old_rule
= __nf_tables_rule_lookup(chain
, pos_handle
);
2143 if (IS_ERR(old_rule
))
2144 return PTR_ERR(old_rule
);
2147 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
2151 if (nla
[NFTA_RULE_EXPRESSIONS
]) {
2152 nla_for_each_nested(tmp
, nla
[NFTA_RULE_EXPRESSIONS
], rem
) {
2154 if (nla_type(tmp
) != NFTA_LIST_ELEM
)
2156 if (n
== NFT_RULE_MAXEXPRS
)
2158 err
= nf_tables_expr_parse(&ctx
, tmp
, &info
[n
]);
2161 size
+= info
[n
].ops
->size
;
2165 /* Check for overflow of dlen field */
2167 if (size
>= 1 << 12)
2170 if (nla
[NFTA_RULE_USERDATA
]) {
2171 ulen
= nla_len(nla
[NFTA_RULE_USERDATA
]);
2173 usize
= sizeof(struct nft_userdata
) + ulen
;
2177 rule
= kzalloc(sizeof(*rule
) + size
+ usize
, GFP_KERNEL
);
2181 nft_activate_next(net
, rule
);
2183 rule
->handle
= handle
;
2185 rule
->udata
= ulen
? 1 : 0;
2188 udata
= nft_userdata(rule
);
2189 udata
->len
= ulen
- 1;
2190 nla_memcpy(udata
->data
, nla
[NFTA_RULE_USERDATA
], ulen
);
2193 expr
= nft_expr_first(rule
);
2194 for (i
= 0; i
< n
; i
++) {
2195 err
= nf_tables_newexpr(&ctx
, &info
[i
], expr
);
2199 expr
= nft_expr_next(expr
);
2202 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
) {
2203 if (nft_is_active_next(net
, old_rule
)) {
2204 trans
= nft_trans_rule_add(&ctx
, NFT_MSG_DELRULE
,
2206 if (trans
== NULL
) {
2210 nft_deactivate_next(net
, old_rule
);
2212 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
2217 } else if (nlh
->nlmsg_flags
& NLM_F_APPEND
)
2219 list_add_rcu(&rule
->list
, &old_rule
->list
);
2221 list_add_tail_rcu(&rule
->list
, &chain
->rules
);
2224 list_add_tail_rcu(&rule
->list
, &old_rule
->list
);
2226 list_add_rcu(&rule
->list
, &chain
->rules
);
2229 if (nft_trans_rule_add(&ctx
, NFT_MSG_NEWRULE
, rule
) == NULL
) {
2237 list_del_rcu(&rule
->list
);
2239 nf_tables_rule_destroy(&ctx
, rule
);
2241 for (i
= 0; i
< n
; i
++) {
2242 if (info
[i
].ops
!= NULL
)
2243 module_put(info
[i
].ops
->type
->owner
);
2248 static int nf_tables_delrule(struct net
*net
, struct sock
*nlsk
,
2249 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2250 const struct nlattr
* const nla
[])
2252 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2253 u8 genmask
= nft_genmask_next(net
);
2254 struct nft_af_info
*afi
;
2255 struct nft_table
*table
;
2256 struct nft_chain
*chain
= NULL
;
2257 struct nft_rule
*rule
;
2258 int family
= nfmsg
->nfgen_family
, err
= 0;
2261 afi
= nf_tables_afinfo_lookup(net
, family
, false);
2263 return PTR_ERR(afi
);
2265 table
= nf_tables_table_lookup(afi
, nla
[NFTA_RULE_TABLE
], genmask
);
2267 return PTR_ERR(table
);
2269 if (nla
[NFTA_RULE_CHAIN
]) {
2270 chain
= nf_tables_chain_lookup(table
, nla
[NFTA_RULE_CHAIN
],
2273 return PTR_ERR(chain
);
2276 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, chain
, nla
);
2279 if (nla
[NFTA_RULE_HANDLE
]) {
2280 rule
= nf_tables_rule_lookup(chain
,
2281 nla
[NFTA_RULE_HANDLE
]);
2283 return PTR_ERR(rule
);
2285 err
= nft_delrule(&ctx
, rule
);
2287 err
= nft_delrule_by_chain(&ctx
);
2290 list_for_each_entry(chain
, &table
->chains
, list
) {
2291 if (!nft_is_active_next(net
, chain
))
2295 err
= nft_delrule_by_chain(&ctx
);
2308 static LIST_HEAD(nf_tables_set_ops
);
2310 int nft_register_set(struct nft_set_ops
*ops
)
2312 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2313 list_add_tail_rcu(&ops
->list
, &nf_tables_set_ops
);
2314 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2317 EXPORT_SYMBOL_GPL(nft_register_set
);
2319 void nft_unregister_set(struct nft_set_ops
*ops
)
2321 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2322 list_del_rcu(&ops
->list
);
2323 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2325 EXPORT_SYMBOL_GPL(nft_unregister_set
);
2328 * Select a set implementation based on the data characteristics and the
2329 * given policy. The total memory use might not be known if no size is
2330 * given, in that case the amount of memory per element is used.
2332 static const struct nft_set_ops
*
2333 nft_select_set_ops(const struct nlattr
* const nla
[],
2334 const struct nft_set_desc
*desc
,
2335 enum nft_set_policies policy
)
2337 const struct nft_set_ops
*ops
, *bops
;
2338 struct nft_set_estimate est
, best
;
2341 #ifdef CONFIG_MODULES
2342 if (list_empty(&nf_tables_set_ops
)) {
2343 nfnl_unlock(NFNL_SUBSYS_NFTABLES
);
2344 request_module("nft-set");
2345 nfnl_lock(NFNL_SUBSYS_NFTABLES
);
2346 if (!list_empty(&nf_tables_set_ops
))
2347 return ERR_PTR(-EAGAIN
);
2351 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
2352 features
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
2353 features
&= NFT_SET_INTERVAL
| NFT_SET_MAP
| NFT_SET_TIMEOUT
;
2360 list_for_each_entry(ops
, &nf_tables_set_ops
, list
) {
2361 if ((ops
->features
& features
) != features
)
2363 if (!ops
->estimate(desc
, features
, &est
))
2367 case NFT_SET_POL_PERFORMANCE
:
2368 if (est
.class < best
.class)
2370 if (est
.class == best
.class && est
.size
< best
.size
)
2373 case NFT_SET_POL_MEMORY
:
2374 if (est
.size
< best
.size
)
2376 if (est
.size
== best
.size
&& est
.class < best
.class)
2383 if (!try_module_get(ops
->owner
))
2386 module_put(bops
->owner
);
2395 return ERR_PTR(-EOPNOTSUPP
);
2398 static const struct nla_policy nft_set_policy
[NFTA_SET_MAX
+ 1] = {
2399 [NFTA_SET_TABLE
] = { .type
= NLA_STRING
},
2400 [NFTA_SET_NAME
] = { .type
= NLA_STRING
,
2401 .len
= NFT_SET_MAXNAMELEN
- 1 },
2402 [NFTA_SET_FLAGS
] = { .type
= NLA_U32
},
2403 [NFTA_SET_KEY_TYPE
] = { .type
= NLA_U32
},
2404 [NFTA_SET_KEY_LEN
] = { .type
= NLA_U32
},
2405 [NFTA_SET_DATA_TYPE
] = { .type
= NLA_U32
},
2406 [NFTA_SET_DATA_LEN
] = { .type
= NLA_U32
},
2407 [NFTA_SET_POLICY
] = { .type
= NLA_U32
},
2408 [NFTA_SET_DESC
] = { .type
= NLA_NESTED
},
2409 [NFTA_SET_ID
] = { .type
= NLA_U32
},
2410 [NFTA_SET_TIMEOUT
] = { .type
= NLA_U64
},
2411 [NFTA_SET_GC_INTERVAL
] = { .type
= NLA_U32
},
2412 [NFTA_SET_USERDATA
] = { .type
= NLA_BINARY
,
2413 .len
= NFT_USERDATA_MAXLEN
},
2416 static const struct nla_policy nft_set_desc_policy
[NFTA_SET_DESC_MAX
+ 1] = {
2417 [NFTA_SET_DESC_SIZE
] = { .type
= NLA_U32
},
2420 static int nft_ctx_init_from_setattr(struct nft_ctx
*ctx
, struct net
*net
,
2421 const struct sk_buff
*skb
,
2422 const struct nlmsghdr
*nlh
,
2423 const struct nlattr
* const nla
[],
2426 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2427 struct nft_af_info
*afi
= NULL
;
2428 struct nft_table
*table
= NULL
;
2430 if (nfmsg
->nfgen_family
!= NFPROTO_UNSPEC
) {
2431 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, false);
2433 return PTR_ERR(afi
);
2436 if (nla
[NFTA_SET_TABLE
] != NULL
) {
2438 return -EAFNOSUPPORT
;
2440 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_TABLE
],
2443 return PTR_ERR(table
);
2446 nft_ctx_init(ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
2450 struct nft_set
*nf_tables_set_lookup(const struct nft_table
*table
,
2451 const struct nlattr
*nla
, u8 genmask
)
2453 struct nft_set
*set
;
2456 return ERR_PTR(-EINVAL
);
2458 list_for_each_entry(set
, &table
->sets
, list
) {
2459 if (!nla_strcmp(nla
, set
->name
) &&
2460 nft_active_genmask(set
, genmask
))
2463 return ERR_PTR(-ENOENT
);
2466 struct nft_set
*nf_tables_set_lookup_byid(const struct net
*net
,
2467 const struct nlattr
*nla
,
2470 struct nft_trans
*trans
;
2471 u32 id
= ntohl(nla_get_be32(nla
));
2473 list_for_each_entry(trans
, &net
->nft
.commit_list
, list
) {
2474 struct nft_set
*set
= nft_trans_set(trans
);
2476 if (trans
->msg_type
== NFT_MSG_NEWSET
&&
2477 id
== nft_trans_set_id(trans
) &&
2478 nft_active_genmask(set
, genmask
))
2481 return ERR_PTR(-ENOENT
);
2484 static int nf_tables_set_alloc_name(struct nft_ctx
*ctx
, struct nft_set
*set
,
2487 const struct nft_set
*i
;
2489 unsigned long *inuse
;
2490 unsigned int n
= 0, min
= 0;
2492 p
= strnchr(name
, NFT_SET_MAXNAMELEN
, '%');
2494 if (p
[1] != 'd' || strchr(p
+ 2, '%'))
2497 inuse
= (unsigned long *)get_zeroed_page(GFP_KERNEL
);
2501 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
2504 if (!nft_is_active_next(ctx
->net
, set
))
2506 if (!sscanf(i
->name
, name
, &tmp
))
2508 if (tmp
< min
|| tmp
>= min
+ BITS_PER_BYTE
* PAGE_SIZE
)
2511 set_bit(tmp
- min
, inuse
);
2514 n
= find_first_zero_bit(inuse
, BITS_PER_BYTE
* PAGE_SIZE
);
2515 if (n
>= BITS_PER_BYTE
* PAGE_SIZE
) {
2516 min
+= BITS_PER_BYTE
* PAGE_SIZE
;
2517 memset(inuse
, 0, PAGE_SIZE
);
2520 free_page((unsigned long)inuse
);
2523 snprintf(set
->name
, sizeof(set
->name
), name
, min
+ n
);
2524 list_for_each_entry(i
, &ctx
->table
->sets
, list
) {
2525 if (!nft_is_active_next(ctx
->net
, i
))
2527 if (!strcmp(set
->name
, i
->name
))
2533 static int nf_tables_fill_set(struct sk_buff
*skb
, const struct nft_ctx
*ctx
,
2534 const struct nft_set
*set
, u16 event
, u16 flags
)
2536 struct nfgenmsg
*nfmsg
;
2537 struct nlmsghdr
*nlh
;
2538 struct nlattr
*desc
;
2539 u32 portid
= ctx
->portid
;
2542 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
2543 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
2546 goto nla_put_failure
;
2548 nfmsg
= nlmsg_data(nlh
);
2549 nfmsg
->nfgen_family
= ctx
->afi
->family
;
2550 nfmsg
->version
= NFNETLINK_V0
;
2551 nfmsg
->res_id
= htons(ctx
->net
->nft
.base_seq
& 0xffff);
2553 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
2554 goto nla_put_failure
;
2555 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
2556 goto nla_put_failure
;
2557 if (set
->flags
!= 0)
2558 if (nla_put_be32(skb
, NFTA_SET_FLAGS
, htonl(set
->flags
)))
2559 goto nla_put_failure
;
2561 if (nla_put_be32(skb
, NFTA_SET_KEY_TYPE
, htonl(set
->ktype
)))
2562 goto nla_put_failure
;
2563 if (nla_put_be32(skb
, NFTA_SET_KEY_LEN
, htonl(set
->klen
)))
2564 goto nla_put_failure
;
2565 if (set
->flags
& NFT_SET_MAP
) {
2566 if (nla_put_be32(skb
, NFTA_SET_DATA_TYPE
, htonl(set
->dtype
)))
2567 goto nla_put_failure
;
2568 if (nla_put_be32(skb
, NFTA_SET_DATA_LEN
, htonl(set
->dlen
)))
2569 goto nla_put_failure
;
2573 nla_put_be64(skb
, NFTA_SET_TIMEOUT
,
2574 cpu_to_be64(jiffies_to_msecs(set
->timeout
)),
2576 goto nla_put_failure
;
2578 nla_put_be32(skb
, NFTA_SET_GC_INTERVAL
, htonl(set
->gc_int
)))
2579 goto nla_put_failure
;
2581 if (set
->policy
!= NFT_SET_POL_PERFORMANCE
) {
2582 if (nla_put_be32(skb
, NFTA_SET_POLICY
, htonl(set
->policy
)))
2583 goto nla_put_failure
;
2586 if (nla_put(skb
, NFTA_SET_USERDATA
, set
->udlen
, set
->udata
))
2587 goto nla_put_failure
;
2589 desc
= nla_nest_start(skb
, NFTA_SET_DESC
);
2591 goto nla_put_failure
;
2593 nla_put_be32(skb
, NFTA_SET_DESC_SIZE
, htonl(set
->size
)))
2594 goto nla_put_failure
;
2595 nla_nest_end(skb
, desc
);
2597 nlmsg_end(skb
, nlh
);
2601 nlmsg_trim(skb
, nlh
);
2605 static int nf_tables_set_notify(const struct nft_ctx
*ctx
,
2606 const struct nft_set
*set
,
2607 int event
, gfp_t gfp_flags
)
2609 struct sk_buff
*skb
;
2610 u32 portid
= ctx
->portid
;
2614 !nfnetlink_has_listeners(ctx
->net
, NFNLGRP_NFTABLES
))
2618 skb
= nlmsg_new(NLMSG_GOODSIZE
, gfp_flags
);
2622 err
= nf_tables_fill_set(skb
, ctx
, set
, event
, 0);
2628 err
= nfnetlink_send(skb
, ctx
->net
, portid
, NFNLGRP_NFTABLES
,
2629 ctx
->report
, gfp_flags
);
2632 nfnetlink_set_err(ctx
->net
, portid
, NFNLGRP_NFTABLES
, err
);
2636 static int nf_tables_dump_sets(struct sk_buff
*skb
, struct netlink_callback
*cb
)
2638 const struct nft_set
*set
;
2639 unsigned int idx
, s_idx
= cb
->args
[0];
2640 struct nft_af_info
*afi
;
2641 struct nft_table
*table
, *cur_table
= (struct nft_table
*)cb
->args
[2];
2642 struct net
*net
= sock_net(skb
->sk
);
2643 int cur_family
= cb
->args
[3];
2644 struct nft_ctx
*ctx
= cb
->data
, ctx_set
;
2650 cb
->seq
= net
->nft
.base_seq
;
2652 list_for_each_entry_rcu(afi
, &net
->nft
.af_info
, list
) {
2653 if (ctx
->afi
&& ctx
->afi
!= afi
)
2657 if (afi
->family
!= cur_family
)
2662 list_for_each_entry_rcu(table
, &afi
->tables
, list
) {
2663 if (ctx
->table
&& ctx
->table
!= table
)
2667 if (cur_table
!= table
)
2673 list_for_each_entry_rcu(set
, &table
->sets
, list
) {
2676 if (!nft_is_active(net
, set
))
2680 ctx_set
.table
= table
;
2682 if (nf_tables_fill_set(skb
, &ctx_set
, set
,
2686 cb
->args
[2] = (unsigned long) table
;
2687 cb
->args
[3] = afi
->family
;
2690 nl_dump_check_consistent(cb
, nlmsg_hdr(skb
));
2704 static int nf_tables_dump_sets_done(struct netlink_callback
*cb
)
2710 static int nf_tables_getset(struct net
*net
, struct sock
*nlsk
,
2711 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2712 const struct nlattr
* const nla
[])
2714 u8 genmask
= nft_genmask_cur(net
);
2715 const struct nft_set
*set
;
2717 struct sk_buff
*skb2
;
2718 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2721 /* Verify existence before starting dump */
2722 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
2726 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
2727 struct netlink_dump_control c
= {
2728 .dump
= nf_tables_dump_sets
,
2729 .done
= nf_tables_dump_sets_done
,
2731 struct nft_ctx
*ctx_dump
;
2733 ctx_dump
= kmalloc(sizeof(*ctx_dump
), GFP_KERNEL
);
2734 if (ctx_dump
== NULL
)
2740 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
2743 /* Only accept unspec with dump */
2744 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
2745 return -EAFNOSUPPORT
;
2746 if (!nla
[NFTA_SET_TABLE
])
2749 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_NAME
], genmask
);
2751 return PTR_ERR(set
);
2753 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
2757 err
= nf_tables_fill_set(skb2
, &ctx
, set
, NFT_MSG_NEWSET
, 0);
2761 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
2768 static int nf_tables_set_desc_parse(const struct nft_ctx
*ctx
,
2769 struct nft_set_desc
*desc
,
2770 const struct nlattr
*nla
)
2772 struct nlattr
*da
[NFTA_SET_DESC_MAX
+ 1];
2775 err
= nla_parse_nested(da
, NFTA_SET_DESC_MAX
, nla
, nft_set_desc_policy
);
2779 if (da
[NFTA_SET_DESC_SIZE
] != NULL
)
2780 desc
->size
= ntohl(nla_get_be32(da
[NFTA_SET_DESC_SIZE
]));
2785 static int nf_tables_newset(struct net
*net
, struct sock
*nlsk
,
2786 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2787 const struct nlattr
* const nla
[])
2789 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2790 u8 genmask
= nft_genmask_next(net
);
2791 const struct nft_set_ops
*ops
;
2792 struct nft_af_info
*afi
;
2793 struct nft_table
*table
;
2794 struct nft_set
*set
;
2796 char name
[NFT_SET_MAXNAMELEN
];
2800 u32 ktype
, dtype
, flags
, policy
, gc_int
;
2801 struct nft_set_desc desc
;
2802 unsigned char *udata
;
2806 if (nla
[NFTA_SET_TABLE
] == NULL
||
2807 nla
[NFTA_SET_NAME
] == NULL
||
2808 nla
[NFTA_SET_KEY_LEN
] == NULL
||
2809 nla
[NFTA_SET_ID
] == NULL
)
2812 memset(&desc
, 0, sizeof(desc
));
2814 ktype
= NFT_DATA_VALUE
;
2815 if (nla
[NFTA_SET_KEY_TYPE
] != NULL
) {
2816 ktype
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_TYPE
]));
2817 if ((ktype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
)
2821 desc
.klen
= ntohl(nla_get_be32(nla
[NFTA_SET_KEY_LEN
]));
2822 if (desc
.klen
== 0 || desc
.klen
> NFT_DATA_VALUE_MAXLEN
)
2826 if (nla
[NFTA_SET_FLAGS
] != NULL
) {
2827 flags
= ntohl(nla_get_be32(nla
[NFTA_SET_FLAGS
]));
2828 if (flags
& ~(NFT_SET_ANONYMOUS
| NFT_SET_CONSTANT
|
2829 NFT_SET_INTERVAL
| NFT_SET_TIMEOUT
|
2830 NFT_SET_MAP
| NFT_SET_EVAL
))
2832 /* Only one of both operations is supported */
2833 if ((flags
& (NFT_SET_MAP
| NFT_SET_EVAL
)) ==
2834 (NFT_SET_MAP
| NFT_SET_EVAL
))
2839 if (nla
[NFTA_SET_DATA_TYPE
] != NULL
) {
2840 if (!(flags
& NFT_SET_MAP
))
2843 dtype
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_TYPE
]));
2844 if ((dtype
& NFT_DATA_RESERVED_MASK
) == NFT_DATA_RESERVED_MASK
&&
2845 dtype
!= NFT_DATA_VERDICT
)
2848 if (dtype
!= NFT_DATA_VERDICT
) {
2849 if (nla
[NFTA_SET_DATA_LEN
] == NULL
)
2851 desc
.dlen
= ntohl(nla_get_be32(nla
[NFTA_SET_DATA_LEN
]));
2852 if (desc
.dlen
== 0 || desc
.dlen
> NFT_DATA_VALUE_MAXLEN
)
2855 desc
.dlen
= sizeof(struct nft_verdict
);
2856 } else if (flags
& NFT_SET_MAP
)
2860 if (nla
[NFTA_SET_TIMEOUT
] != NULL
) {
2861 if (!(flags
& NFT_SET_TIMEOUT
))
2863 timeout
= msecs_to_jiffies(be64_to_cpu(nla_get_be64(
2864 nla
[NFTA_SET_TIMEOUT
])));
2867 if (nla
[NFTA_SET_GC_INTERVAL
] != NULL
) {
2868 if (!(flags
& NFT_SET_TIMEOUT
))
2870 gc_int
= ntohl(nla_get_be32(nla
[NFTA_SET_GC_INTERVAL
]));
2873 policy
= NFT_SET_POL_PERFORMANCE
;
2874 if (nla
[NFTA_SET_POLICY
] != NULL
)
2875 policy
= ntohl(nla_get_be32(nla
[NFTA_SET_POLICY
]));
2877 if (nla
[NFTA_SET_DESC
] != NULL
) {
2878 err
= nf_tables_set_desc_parse(&ctx
, &desc
, nla
[NFTA_SET_DESC
]);
2883 create
= nlh
->nlmsg_flags
& NLM_F_CREATE
? true : false;
2885 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, create
);
2887 return PTR_ERR(afi
);
2889 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_TABLE
], genmask
);
2891 return PTR_ERR(table
);
2893 nft_ctx_init(&ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
2895 set
= nf_tables_set_lookup(table
, nla
[NFTA_SET_NAME
], genmask
);
2897 if (PTR_ERR(set
) != -ENOENT
)
2898 return PTR_ERR(set
);
2903 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
2905 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
)
2910 if (!(nlh
->nlmsg_flags
& NLM_F_CREATE
))
2913 ops
= nft_select_set_ops(nla
, &desc
, policy
);
2915 return PTR_ERR(ops
);
2918 if (nla
[NFTA_SET_USERDATA
])
2919 udlen
= nla_len(nla
[NFTA_SET_USERDATA
]);
2922 if (ops
->privsize
!= NULL
)
2923 size
= ops
->privsize(nla
);
2926 set
= kzalloc(sizeof(*set
) + size
+ udlen
, GFP_KERNEL
);
2930 nla_strlcpy(name
, nla
[NFTA_SET_NAME
], sizeof(set
->name
));
2931 err
= nf_tables_set_alloc_name(&ctx
, set
, name
);
2937 udata
= set
->data
+ size
;
2938 nla_memcpy(udata
, nla
[NFTA_SET_USERDATA
], udlen
);
2941 INIT_LIST_HEAD(&set
->bindings
);
2944 set
->klen
= desc
.klen
;
2946 set
->dlen
= desc
.dlen
;
2948 set
->size
= desc
.size
;
2949 set
->policy
= policy
;
2952 set
->timeout
= timeout
;
2953 set
->gc_int
= gc_int
;
2955 err
= ops
->init(set
, &desc
, nla
);
2959 err
= nft_trans_set_add(&ctx
, NFT_MSG_NEWSET
, set
);
2963 list_add_tail_rcu(&set
->list
, &table
->sets
);
2972 module_put(ops
->owner
);
2976 static void nft_set_destroy(struct nft_set
*set
)
2978 set
->ops
->destroy(set
);
2979 module_put(set
->ops
->owner
);
2983 static void nf_tables_set_destroy(const struct nft_ctx
*ctx
, struct nft_set
*set
)
2985 list_del_rcu(&set
->list
);
2986 nf_tables_set_notify(ctx
, set
, NFT_MSG_DELSET
, GFP_ATOMIC
);
2987 nft_set_destroy(set
);
2990 static int nf_tables_delset(struct net
*net
, struct sock
*nlsk
,
2991 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
2992 const struct nlattr
* const nla
[])
2994 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2995 u8 genmask
= nft_genmask_next(net
);
2996 struct nft_set
*set
;
3000 if (nfmsg
->nfgen_family
== NFPROTO_UNSPEC
)
3001 return -EAFNOSUPPORT
;
3002 if (nla
[NFTA_SET_TABLE
] == NULL
)
3005 err
= nft_ctx_init_from_setattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3009 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_NAME
], genmask
);
3011 return PTR_ERR(set
);
3012 if (!list_empty(&set
->bindings
))
3015 return nft_delset(&ctx
, set
);
3018 static int nf_tables_bind_check_setelem(const struct nft_ctx
*ctx
,
3019 const struct nft_set
*set
,
3020 const struct nft_set_iter
*iter
,
3021 const struct nft_set_elem
*elem
)
3023 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
3024 enum nft_registers dreg
;
3026 dreg
= nft_type_to_reg(set
->dtype
);
3027 return nft_validate_register_store(ctx
, dreg
, nft_set_ext_data(ext
),
3028 set
->dtype
== NFT_DATA_VERDICT
?
3029 NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
3033 int nf_tables_bind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
3034 struct nft_set_binding
*binding
)
3036 struct nft_set_binding
*i
;
3037 struct nft_set_iter iter
;
3039 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_ANONYMOUS
)
3042 if (binding
->flags
& NFT_SET_MAP
) {
3043 /* If the set is already bound to the same chain all
3044 * jumps are already validated for that chain.
3046 list_for_each_entry(i
, &set
->bindings
, list
) {
3047 if (i
->flags
& NFT_SET_MAP
&&
3048 i
->chain
== binding
->chain
)
3052 iter
.genmask
= nft_genmask_next(ctx
->net
);
3056 iter
.fn
= nf_tables_bind_check_setelem
;
3058 set
->ops
->walk(ctx
, set
, &iter
);
3063 binding
->chain
= ctx
->chain
;
3064 list_add_tail_rcu(&binding
->list
, &set
->bindings
);
3068 void nf_tables_unbind_set(const struct nft_ctx
*ctx
, struct nft_set
*set
,
3069 struct nft_set_binding
*binding
)
3071 list_del_rcu(&binding
->list
);
3073 if (list_empty(&set
->bindings
) && set
->flags
& NFT_SET_ANONYMOUS
&&
3074 nft_is_active(ctx
->net
, set
))
3075 nf_tables_set_destroy(ctx
, set
);
3078 const struct nft_set_ext_type nft_set_ext_types
[] = {
3079 [NFT_SET_EXT_KEY
] = {
3080 .align
= __alignof__(u32
),
3082 [NFT_SET_EXT_DATA
] = {
3083 .align
= __alignof__(u32
),
3085 [NFT_SET_EXT_EXPR
] = {
3086 .align
= __alignof__(struct nft_expr
),
3088 [NFT_SET_EXT_FLAGS
] = {
3090 .align
= __alignof__(u8
),
3092 [NFT_SET_EXT_TIMEOUT
] = {
3094 .align
= __alignof__(u64
),
3096 [NFT_SET_EXT_EXPIRATION
] = {
3097 .len
= sizeof(unsigned long),
3098 .align
= __alignof__(unsigned long),
3100 [NFT_SET_EXT_USERDATA
] = {
3101 .len
= sizeof(struct nft_userdata
),
3102 .align
= __alignof__(struct nft_userdata
),
3105 EXPORT_SYMBOL_GPL(nft_set_ext_types
);
3111 static const struct nla_policy nft_set_elem_policy
[NFTA_SET_ELEM_MAX
+ 1] = {
3112 [NFTA_SET_ELEM_KEY
] = { .type
= NLA_NESTED
},
3113 [NFTA_SET_ELEM_DATA
] = { .type
= NLA_NESTED
},
3114 [NFTA_SET_ELEM_FLAGS
] = { .type
= NLA_U32
},
3115 [NFTA_SET_ELEM_TIMEOUT
] = { .type
= NLA_U64
},
3116 [NFTA_SET_ELEM_USERDATA
] = { .type
= NLA_BINARY
,
3117 .len
= NFT_USERDATA_MAXLEN
},
3120 static const struct nla_policy nft_set_elem_list_policy
[NFTA_SET_ELEM_LIST_MAX
+ 1] = {
3121 [NFTA_SET_ELEM_LIST_TABLE
] = { .type
= NLA_STRING
},
3122 [NFTA_SET_ELEM_LIST_SET
] = { .type
= NLA_STRING
},
3123 [NFTA_SET_ELEM_LIST_ELEMENTS
] = { .type
= NLA_NESTED
},
3124 [NFTA_SET_ELEM_LIST_SET_ID
] = { .type
= NLA_U32
},
3127 static int nft_ctx_init_from_elemattr(struct nft_ctx
*ctx
, struct net
*net
,
3128 const struct sk_buff
*skb
,
3129 const struct nlmsghdr
*nlh
,
3130 const struct nlattr
* const nla
[],
3133 const struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
3134 struct nft_af_info
*afi
;
3135 struct nft_table
*table
;
3137 afi
= nf_tables_afinfo_lookup(net
, nfmsg
->nfgen_family
, false);
3139 return PTR_ERR(afi
);
3141 table
= nf_tables_table_lookup(afi
, nla
[NFTA_SET_ELEM_LIST_TABLE
],
3144 return PTR_ERR(table
);
3146 nft_ctx_init(ctx
, net
, skb
, nlh
, afi
, table
, NULL
, nla
);
3150 static int nf_tables_fill_setelem(struct sk_buff
*skb
,
3151 const struct nft_set
*set
,
3152 const struct nft_set_elem
*elem
)
3154 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
3155 unsigned char *b
= skb_tail_pointer(skb
);
3156 struct nlattr
*nest
;
3158 nest
= nla_nest_start(skb
, NFTA_LIST_ELEM
);
3160 goto nla_put_failure
;
3162 if (nft_data_dump(skb
, NFTA_SET_ELEM_KEY
, nft_set_ext_key(ext
),
3163 NFT_DATA_VALUE
, set
->klen
) < 0)
3164 goto nla_put_failure
;
3166 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
3167 nft_data_dump(skb
, NFTA_SET_ELEM_DATA
, nft_set_ext_data(ext
),
3168 set
->dtype
== NFT_DATA_VERDICT
? NFT_DATA_VERDICT
: NFT_DATA_VALUE
,
3170 goto nla_put_failure
;
3172 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
) &&
3173 nft_expr_dump(skb
, NFTA_SET_ELEM_EXPR
, nft_set_ext_expr(ext
)) < 0)
3174 goto nla_put_failure
;
3176 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
3177 nla_put_be32(skb
, NFTA_SET_ELEM_FLAGS
,
3178 htonl(*nft_set_ext_flags(ext
))))
3179 goto nla_put_failure
;
3181 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
) &&
3182 nla_put_be64(skb
, NFTA_SET_ELEM_TIMEOUT
,
3183 cpu_to_be64(jiffies_to_msecs(
3184 *nft_set_ext_timeout(ext
))),
3186 goto nla_put_failure
;
3188 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
)) {
3189 unsigned long expires
, now
= jiffies
;
3191 expires
= *nft_set_ext_expiration(ext
);
3192 if (time_before(now
, expires
))
3197 if (nla_put_be64(skb
, NFTA_SET_ELEM_EXPIRATION
,
3198 cpu_to_be64(jiffies_to_msecs(expires
)),
3200 goto nla_put_failure
;
3203 if (nft_set_ext_exists(ext
, NFT_SET_EXT_USERDATA
)) {
3204 struct nft_userdata
*udata
;
3206 udata
= nft_set_ext_userdata(ext
);
3207 if (nla_put(skb
, NFTA_SET_ELEM_USERDATA
,
3208 udata
->len
+ 1, udata
->data
))
3209 goto nla_put_failure
;
3212 nla_nest_end(skb
, nest
);
3220 struct nft_set_dump_args
{
3221 const struct netlink_callback
*cb
;
3222 struct nft_set_iter iter
;
3223 struct sk_buff
*skb
;
3226 static int nf_tables_dump_setelem(const struct nft_ctx
*ctx
,
3227 const struct nft_set
*set
,
3228 const struct nft_set_iter
*iter
,
3229 const struct nft_set_elem
*elem
)
3231 struct nft_set_dump_args
*args
;
3233 args
= container_of(iter
, struct nft_set_dump_args
, iter
);
3234 return nf_tables_fill_setelem(args
->skb
, set
, elem
);
3237 static int nf_tables_dump_set(struct sk_buff
*skb
, struct netlink_callback
*cb
)
3239 struct net
*net
= sock_net(skb
->sk
);
3240 u8 genmask
= nft_genmask_cur(net
);
3241 const struct nft_set
*set
;
3242 struct nft_set_dump_args args
;
3244 struct nlattr
*nla
[NFTA_SET_ELEM_LIST_MAX
+ 1];
3245 struct nfgenmsg
*nfmsg
;
3246 struct nlmsghdr
*nlh
;
3247 struct nlattr
*nest
;
3251 err
= nlmsg_parse(cb
->nlh
, sizeof(struct nfgenmsg
), nla
,
3252 NFTA_SET_ELEM_LIST_MAX
, nft_set_elem_list_policy
);
3256 err
= nft_ctx_init_from_elemattr(&ctx
, net
, cb
->skb
, cb
->nlh
,
3257 (void *)nla
, genmask
);
3261 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3264 return PTR_ERR(set
);
3266 event
= NFT_MSG_NEWSETELEM
;
3267 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
3268 portid
= NETLINK_CB(cb
->skb
).portid
;
3269 seq
= cb
->nlh
->nlmsg_seq
;
3271 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3274 goto nla_put_failure
;
3276 nfmsg
= nlmsg_data(nlh
);
3277 nfmsg
->nfgen_family
= ctx
.afi
->family
;
3278 nfmsg
->version
= NFNETLINK_V0
;
3279 nfmsg
->res_id
= htons(ctx
.net
->nft
.base_seq
& 0xffff);
3281 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_TABLE
, ctx
.table
->name
))
3282 goto nla_put_failure
;
3283 if (nla_put_string(skb
, NFTA_SET_ELEM_LIST_SET
, set
->name
))
3284 goto nla_put_failure
;
3286 nest
= nla_nest_start(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
3288 goto nla_put_failure
;
3292 args
.iter
.genmask
= nft_genmask_cur(ctx
.net
);
3293 args
.iter
.skip
= cb
->args
[0];
3294 args
.iter
.count
= 0;
3296 args
.iter
.fn
= nf_tables_dump_setelem
;
3297 set
->ops
->walk(&ctx
, set
, &args
.iter
);
3299 nla_nest_end(skb
, nest
);
3300 nlmsg_end(skb
, nlh
);
3302 if (args
.iter
.err
&& args
.iter
.err
!= -EMSGSIZE
)
3303 return args
.iter
.err
;
3304 if (args
.iter
.count
== cb
->args
[0])
3307 cb
->args
[0] = args
.iter
.count
;
3314 static int nf_tables_getsetelem(struct net
*net
, struct sock
*nlsk
,
3315 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3316 const struct nlattr
* const nla
[])
3318 u8 genmask
= nft_genmask_cur(net
);
3319 const struct nft_set
*set
;
3323 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3327 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3330 return PTR_ERR(set
);
3332 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
3333 struct netlink_dump_control c
= {
3334 .dump
= nf_tables_dump_set
,
3336 return netlink_dump_start(nlsk
, skb
, nlh
, &c
);
3341 static int nf_tables_fill_setelem_info(struct sk_buff
*skb
,
3342 const struct nft_ctx
*ctx
, u32 seq
,
3343 u32 portid
, int event
, u16 flags
,
3344 const struct nft_set
*set
,
3345 const struct nft_set_elem
*elem
)
3347 struct nfgenmsg
*nfmsg
;
3348 struct nlmsghdr
*nlh
;
3349 struct nlattr
*nest
;
3352 event
|= NFNL_SUBSYS_NFTABLES
<< 8;
3353 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
),
3356 goto nla_put_failure
;
3358 nfmsg
= nlmsg_data(nlh
);
3359 nfmsg
->nfgen_family
= ctx
->afi
->family
;
3360 nfmsg
->version
= NFNETLINK_V0
;
3361 nfmsg
->res_id
= htons(ctx
->net
->nft
.base_seq
& 0xffff);
3363 if (nla_put_string(skb
, NFTA_SET_TABLE
, ctx
->table
->name
))
3364 goto nla_put_failure
;
3365 if (nla_put_string(skb
, NFTA_SET_NAME
, set
->name
))
3366 goto nla_put_failure
;
3368 nest
= nla_nest_start(skb
, NFTA_SET_ELEM_LIST_ELEMENTS
);
3370 goto nla_put_failure
;
3372 err
= nf_tables_fill_setelem(skb
, set
, elem
);
3374 goto nla_put_failure
;
3376 nla_nest_end(skb
, nest
);
3378 nlmsg_end(skb
, nlh
);
3382 nlmsg_trim(skb
, nlh
);
3386 static int nf_tables_setelem_notify(const struct nft_ctx
*ctx
,
3387 const struct nft_set
*set
,
3388 const struct nft_set_elem
*elem
,
3389 int event
, u16 flags
)
3391 struct net
*net
= ctx
->net
;
3392 u32 portid
= ctx
->portid
;
3393 struct sk_buff
*skb
;
3396 if (!ctx
->report
&& !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
3400 skb
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
3404 err
= nf_tables_fill_setelem_info(skb
, ctx
, 0, portid
, event
, flags
,
3411 err
= nfnetlink_send(skb
, net
, portid
, NFNLGRP_NFTABLES
, ctx
->report
,
3415 nfnetlink_set_err(net
, portid
, NFNLGRP_NFTABLES
, err
);
3419 static struct nft_trans
*nft_trans_elem_alloc(struct nft_ctx
*ctx
,
3421 struct nft_set
*set
)
3423 struct nft_trans
*trans
;
3425 trans
= nft_trans_alloc(ctx
, msg_type
, sizeof(struct nft_trans_elem
));
3429 nft_trans_elem_set(trans
) = set
;
3433 void *nft_set_elem_init(const struct nft_set
*set
,
3434 const struct nft_set_ext_tmpl
*tmpl
,
3435 const u32
*key
, const u32
*data
,
3436 u64 timeout
, gfp_t gfp
)
3438 struct nft_set_ext
*ext
;
3441 elem
= kzalloc(set
->ops
->elemsize
+ tmpl
->len
, gfp
);
3445 ext
= nft_set_elem_ext(set
, elem
);
3446 nft_set_ext_init(ext
, tmpl
);
3448 memcpy(nft_set_ext_key(ext
), key
, set
->klen
);
3449 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
3450 memcpy(nft_set_ext_data(ext
), data
, set
->dlen
);
3451 if (nft_set_ext_exists(ext
, NFT_SET_EXT_EXPIRATION
))
3452 *nft_set_ext_expiration(ext
) =
3454 if (nft_set_ext_exists(ext
, NFT_SET_EXT_TIMEOUT
))
3455 *nft_set_ext_timeout(ext
) = timeout
;
3460 void nft_set_elem_destroy(const struct nft_set
*set
, void *elem
,
3463 struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
);
3465 nft_data_uninit(nft_set_ext_key(ext
), NFT_DATA_VALUE
);
3466 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
))
3467 nft_data_uninit(nft_set_ext_data(ext
), set
->dtype
);
3468 if (destroy_expr
&& nft_set_ext_exists(ext
, NFT_SET_EXT_EXPR
))
3469 nf_tables_expr_destroy(NULL
, nft_set_ext_expr(ext
));
3473 EXPORT_SYMBOL_GPL(nft_set_elem_destroy
);
3475 static int nft_setelem_parse_flags(const struct nft_set
*set
,
3476 const struct nlattr
*attr
, u32
*flags
)
3481 *flags
= ntohl(nla_get_be32(attr
));
3482 if (*flags
& ~NFT_SET_ELEM_INTERVAL_END
)
3484 if (!(set
->flags
& NFT_SET_INTERVAL
) &&
3485 *flags
& NFT_SET_ELEM_INTERVAL_END
)
3491 static int nft_add_set_elem(struct nft_ctx
*ctx
, struct nft_set
*set
,
3492 const struct nlattr
*attr
, u32 nlmsg_flags
)
3494 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
3495 struct nft_data_desc d1
, d2
;
3496 struct nft_set_ext_tmpl tmpl
;
3497 struct nft_set_ext
*ext
, *ext2
;
3498 struct nft_set_elem elem
;
3499 struct nft_set_binding
*binding
;
3500 struct nft_userdata
*udata
;
3501 struct nft_data data
;
3502 enum nft_registers dreg
;
3503 struct nft_trans
*trans
;
3509 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
3510 nft_set_elem_policy
);
3514 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
3517 nft_set_ext_prepare(&tmpl
);
3519 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
3523 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
3525 if (set
->flags
& NFT_SET_MAP
) {
3526 if (nla
[NFTA_SET_ELEM_DATA
] == NULL
&&
3527 !(flags
& NFT_SET_ELEM_INTERVAL_END
))
3529 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
&&
3530 flags
& NFT_SET_ELEM_INTERVAL_END
)
3533 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
3538 if (nla
[NFTA_SET_ELEM_TIMEOUT
] != NULL
) {
3539 if (!(set
->flags
& NFT_SET_TIMEOUT
))
3541 timeout
= msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3542 nla
[NFTA_SET_ELEM_TIMEOUT
])));
3543 } else if (set
->flags
& NFT_SET_TIMEOUT
) {
3544 timeout
= set
->timeout
;
3547 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &d1
,
3548 nla
[NFTA_SET_ELEM_KEY
]);
3552 if (d1
.type
!= NFT_DATA_VALUE
|| d1
.len
!= set
->klen
)
3555 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, d1
.len
);
3557 nft_set_ext_add(&tmpl
, NFT_SET_EXT_EXPIRATION
);
3558 if (timeout
!= set
->timeout
)
3559 nft_set_ext_add(&tmpl
, NFT_SET_EXT_TIMEOUT
);
3562 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
) {
3563 err
= nft_data_init(ctx
, &data
, sizeof(data
), &d2
,
3564 nla
[NFTA_SET_ELEM_DATA
]);
3569 if (set
->dtype
!= NFT_DATA_VERDICT
&& d2
.len
!= set
->dlen
)
3572 dreg
= nft_type_to_reg(set
->dtype
);
3573 list_for_each_entry(binding
, &set
->bindings
, list
) {
3574 struct nft_ctx bind_ctx
= {
3577 .table
= ctx
->table
,
3578 .chain
= (struct nft_chain
*)binding
->chain
,
3581 if (!(binding
->flags
& NFT_SET_MAP
))
3584 err
= nft_validate_register_store(&bind_ctx
, dreg
,
3591 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_DATA
, d2
.len
);
3594 /* The full maximum length of userdata can exceed the maximum
3595 * offset value (U8_MAX) for following extensions, therefor it
3596 * must be the last extension added.
3599 if (nla
[NFTA_SET_ELEM_USERDATA
] != NULL
) {
3600 ulen
= nla_len(nla
[NFTA_SET_ELEM_USERDATA
]);
3602 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_USERDATA
,
3607 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
, data
.data
,
3608 timeout
, GFP_KERNEL
);
3609 if (elem
.priv
== NULL
)
3612 ext
= nft_set_elem_ext(set
, elem
.priv
);
3614 *nft_set_ext_flags(ext
) = flags
;
3616 udata
= nft_set_ext_userdata(ext
);
3617 udata
->len
= ulen
- 1;
3618 nla_memcpy(&udata
->data
, nla
[NFTA_SET_ELEM_USERDATA
], ulen
);
3621 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_NEWSETELEM
, set
);
3625 ext
->genmask
= nft_genmask_cur(ctx
->net
) | NFT_SET_ELEM_BUSY_MASK
;
3626 err
= set
->ops
->insert(ctx
->net
, set
, &elem
, &ext2
);
3628 if (err
== -EEXIST
) {
3629 if (nft_set_ext_exists(ext
, NFT_SET_EXT_DATA
) &&
3630 nft_set_ext_exists(ext2
, NFT_SET_EXT_DATA
) &&
3631 memcmp(nft_set_ext_data(ext
),
3632 nft_set_ext_data(ext2
), set
->dlen
) != 0)
3634 else if (!(nlmsg_flags
& NLM_F_EXCL
))
3640 nft_trans_elem(trans
) = elem
;
3641 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
3649 if (nla
[NFTA_SET_ELEM_DATA
] != NULL
)
3650 nft_data_uninit(&data
, d2
.type
);
3652 nft_data_uninit(&elem
.key
.val
, d1
.type
);
3657 static int nf_tables_newsetelem(struct net
*net
, struct sock
*nlsk
,
3658 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3659 const struct nlattr
* const nla
[])
3661 u8 genmask
= nft_genmask_next(net
);
3662 const struct nlattr
*attr
;
3663 struct nft_set
*set
;
3667 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
)
3670 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3674 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3677 if (nla
[NFTA_SET_ELEM_LIST_SET_ID
]) {
3678 set
= nf_tables_set_lookup_byid(net
,
3679 nla
[NFTA_SET_ELEM_LIST_SET_ID
],
3683 return PTR_ERR(set
);
3686 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
3689 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
3691 !atomic_add_unless(&set
->nelems
, 1, set
->size
+ set
->ndeact
))
3694 err
= nft_add_set_elem(&ctx
, set
, attr
, nlh
->nlmsg_flags
);
3696 atomic_dec(&set
->nelems
);
3703 static int nft_del_setelem(struct nft_ctx
*ctx
, struct nft_set
*set
,
3704 const struct nlattr
*attr
)
3706 struct nlattr
*nla
[NFTA_SET_ELEM_MAX
+ 1];
3707 struct nft_set_ext_tmpl tmpl
;
3708 struct nft_data_desc desc
;
3709 struct nft_set_elem elem
;
3710 struct nft_set_ext
*ext
;
3711 struct nft_trans
*trans
;
3716 err
= nla_parse_nested(nla
, NFTA_SET_ELEM_MAX
, attr
,
3717 nft_set_elem_policy
);
3722 if (nla
[NFTA_SET_ELEM_KEY
] == NULL
)
3725 nft_set_ext_prepare(&tmpl
);
3727 err
= nft_setelem_parse_flags(set
, nla
[NFTA_SET_ELEM_FLAGS
], &flags
);
3731 nft_set_ext_add(&tmpl
, NFT_SET_EXT_FLAGS
);
3733 err
= nft_data_init(ctx
, &elem
.key
.val
, sizeof(elem
.key
), &desc
,
3734 nla
[NFTA_SET_ELEM_KEY
]);
3739 if (desc
.type
!= NFT_DATA_VALUE
|| desc
.len
!= set
->klen
)
3742 nft_set_ext_add_length(&tmpl
, NFT_SET_EXT_KEY
, desc
.len
);
3745 elem
.priv
= nft_set_elem_init(set
, &tmpl
, elem
.key
.val
.data
, NULL
, 0,
3747 if (elem
.priv
== NULL
)
3750 ext
= nft_set_elem_ext(set
, elem
.priv
);
3752 *nft_set_ext_flags(ext
) = flags
;
3754 trans
= nft_trans_elem_alloc(ctx
, NFT_MSG_DELSETELEM
, set
);
3755 if (trans
== NULL
) {
3760 priv
= set
->ops
->deactivate(ctx
->net
, set
, &elem
);
3768 nft_trans_elem(trans
) = elem
;
3769 list_add_tail(&trans
->list
, &ctx
->net
->nft
.commit_list
);
3777 nft_data_uninit(&elem
.key
.val
, desc
.type
);
3782 static int nf_tables_delsetelem(struct net
*net
, struct sock
*nlsk
,
3783 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3784 const struct nlattr
* const nla
[])
3786 u8 genmask
= nft_genmask_next(net
);
3787 const struct nlattr
*attr
;
3788 struct nft_set
*set
;
3792 if (nla
[NFTA_SET_ELEM_LIST_ELEMENTS
] == NULL
)
3795 err
= nft_ctx_init_from_elemattr(&ctx
, net
, skb
, nlh
, nla
, genmask
);
3799 set
= nf_tables_set_lookup(ctx
.table
, nla
[NFTA_SET_ELEM_LIST_SET
],
3802 return PTR_ERR(set
);
3803 if (!list_empty(&set
->bindings
) && set
->flags
& NFT_SET_CONSTANT
)
3806 nla_for_each_nested(attr
, nla
[NFTA_SET_ELEM_LIST_ELEMENTS
], rem
) {
3807 err
= nft_del_setelem(&ctx
, set
, attr
);
3816 void nft_set_gc_batch_release(struct rcu_head
*rcu
)
3818 struct nft_set_gc_batch
*gcb
;
3821 gcb
= container_of(rcu
, struct nft_set_gc_batch
, head
.rcu
);
3822 for (i
= 0; i
< gcb
->head
.cnt
; i
++)
3823 nft_set_elem_destroy(gcb
->head
.set
, gcb
->elems
[i
], true);
3826 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release
);
3828 struct nft_set_gc_batch
*nft_set_gc_batch_alloc(const struct nft_set
*set
,
3831 struct nft_set_gc_batch
*gcb
;
3833 gcb
= kzalloc(sizeof(*gcb
), gfp
);
3836 gcb
->head
.set
= set
;
3839 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc
);
3841 static int nf_tables_fill_gen_info(struct sk_buff
*skb
, struct net
*net
,
3842 u32 portid
, u32 seq
)
3844 struct nlmsghdr
*nlh
;
3845 struct nfgenmsg
*nfmsg
;
3846 int event
= (NFNL_SUBSYS_NFTABLES
<< 8) | NFT_MSG_NEWGEN
;
3848 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(struct nfgenmsg
), 0);
3850 goto nla_put_failure
;
3852 nfmsg
= nlmsg_data(nlh
);
3853 nfmsg
->nfgen_family
= AF_UNSPEC
;
3854 nfmsg
->version
= NFNETLINK_V0
;
3855 nfmsg
->res_id
= htons(net
->nft
.base_seq
& 0xffff);
3857 if (nla_put_be32(skb
, NFTA_GEN_ID
, htonl(net
->nft
.base_seq
)))
3858 goto nla_put_failure
;
3860 nlmsg_end(skb
, nlh
);
3864 nlmsg_trim(skb
, nlh
);
3868 static int nf_tables_gen_notify(struct net
*net
, struct sk_buff
*skb
, int event
)
3870 struct nlmsghdr
*nlh
= nlmsg_hdr(skb
);
3871 struct sk_buff
*skb2
;
3874 if (nlmsg_report(nlh
) &&
3875 !nfnetlink_has_listeners(net
, NFNLGRP_NFTABLES
))
3879 skb2
= nlmsg_new(NLMSG_GOODSIZE
, GFP_KERNEL
);
3883 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
3890 err
= nfnetlink_send(skb2
, net
, NETLINK_CB(skb
).portid
,
3891 NFNLGRP_NFTABLES
, nlmsg_report(nlh
), GFP_KERNEL
);
3894 nfnetlink_set_err(net
, NETLINK_CB(skb
).portid
, NFNLGRP_NFTABLES
,
3900 static int nf_tables_getgen(struct net
*net
, struct sock
*nlsk
,
3901 struct sk_buff
*skb
, const struct nlmsghdr
*nlh
,
3902 const struct nlattr
* const nla
[])
3904 struct sk_buff
*skb2
;
3907 skb2
= alloc_skb(NLMSG_GOODSIZE
, GFP_KERNEL
);
3911 err
= nf_tables_fill_gen_info(skb2
, net
, NETLINK_CB(skb
).portid
,
3916 return nlmsg_unicast(nlsk
, skb2
, NETLINK_CB(skb
).portid
);
3922 static const struct nfnl_callback nf_tables_cb
[NFT_MSG_MAX
] = {
3923 [NFT_MSG_NEWTABLE
] = {
3924 .call_batch
= nf_tables_newtable
,
3925 .attr_count
= NFTA_TABLE_MAX
,
3926 .policy
= nft_table_policy
,
3928 [NFT_MSG_GETTABLE
] = {
3929 .call
= nf_tables_gettable
,
3930 .attr_count
= NFTA_TABLE_MAX
,
3931 .policy
= nft_table_policy
,
3933 [NFT_MSG_DELTABLE
] = {
3934 .call_batch
= nf_tables_deltable
,
3935 .attr_count
= NFTA_TABLE_MAX
,
3936 .policy
= nft_table_policy
,
3938 [NFT_MSG_NEWCHAIN
] = {
3939 .call_batch
= nf_tables_newchain
,
3940 .attr_count
= NFTA_CHAIN_MAX
,
3941 .policy
= nft_chain_policy
,
3943 [NFT_MSG_GETCHAIN
] = {
3944 .call
= nf_tables_getchain
,
3945 .attr_count
= NFTA_CHAIN_MAX
,
3946 .policy
= nft_chain_policy
,
3948 [NFT_MSG_DELCHAIN
] = {
3949 .call_batch
= nf_tables_delchain
,
3950 .attr_count
= NFTA_CHAIN_MAX
,
3951 .policy
= nft_chain_policy
,
3953 [NFT_MSG_NEWRULE
] = {
3954 .call_batch
= nf_tables_newrule
,
3955 .attr_count
= NFTA_RULE_MAX
,
3956 .policy
= nft_rule_policy
,
3958 [NFT_MSG_GETRULE
] = {
3959 .call
= nf_tables_getrule
,
3960 .attr_count
= NFTA_RULE_MAX
,
3961 .policy
= nft_rule_policy
,
3963 [NFT_MSG_DELRULE
] = {
3964 .call_batch
= nf_tables_delrule
,
3965 .attr_count
= NFTA_RULE_MAX
,
3966 .policy
= nft_rule_policy
,
3968 [NFT_MSG_NEWSET
] = {
3969 .call_batch
= nf_tables_newset
,
3970 .attr_count
= NFTA_SET_MAX
,
3971 .policy
= nft_set_policy
,
3973 [NFT_MSG_GETSET
] = {
3974 .call
= nf_tables_getset
,
3975 .attr_count
= NFTA_SET_MAX
,
3976 .policy
= nft_set_policy
,
3978 [NFT_MSG_DELSET
] = {
3979 .call_batch
= nf_tables_delset
,
3980 .attr_count
= NFTA_SET_MAX
,
3981 .policy
= nft_set_policy
,
3983 [NFT_MSG_NEWSETELEM
] = {
3984 .call_batch
= nf_tables_newsetelem
,
3985 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
3986 .policy
= nft_set_elem_list_policy
,
3988 [NFT_MSG_GETSETELEM
] = {
3989 .call
= nf_tables_getsetelem
,
3990 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
3991 .policy
= nft_set_elem_list_policy
,
3993 [NFT_MSG_DELSETELEM
] = {
3994 .call_batch
= nf_tables_delsetelem
,
3995 .attr_count
= NFTA_SET_ELEM_LIST_MAX
,
3996 .policy
= nft_set_elem_list_policy
,
3998 [NFT_MSG_GETGEN
] = {
3999 .call
= nf_tables_getgen
,
4003 static void nft_chain_commit_update(struct nft_trans
*trans
)
4005 struct nft_base_chain
*basechain
;
4007 if (nft_trans_chain_name(trans
)[0])
4008 strcpy(trans
->ctx
.chain
->name
, nft_trans_chain_name(trans
));
4010 if (!(trans
->ctx
.chain
->flags
& NFT_BASE_CHAIN
))
4013 basechain
= nft_base_chain(trans
->ctx
.chain
);
4014 nft_chain_stats_replace(basechain
, nft_trans_chain_stats(trans
));
4016 switch (nft_trans_chain_policy(trans
)) {
4019 basechain
->policy
= nft_trans_chain_policy(trans
);
4024 static void nf_tables_commit_release(struct nft_trans
*trans
)
4026 switch (trans
->msg_type
) {
4027 case NFT_MSG_DELTABLE
:
4028 nf_tables_table_destroy(&trans
->ctx
);
4030 case NFT_MSG_DELCHAIN
:
4031 nf_tables_chain_destroy(trans
->ctx
.chain
);
4033 case NFT_MSG_DELRULE
:
4034 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
4036 case NFT_MSG_DELSET
:
4037 nft_set_destroy(nft_trans_set(trans
));
4039 case NFT_MSG_DELSETELEM
:
4040 nft_set_elem_destroy(nft_trans_elem_set(trans
),
4041 nft_trans_elem(trans
).priv
, true);
4047 static int nf_tables_commit(struct net
*net
, struct sk_buff
*skb
)
4049 struct nft_trans
*trans
, *next
;
4050 struct nft_trans_elem
*te
;
4052 /* Bump generation counter, invalidate any dump in progress */
4053 while (++net
->nft
.base_seq
== 0);
4055 /* A new generation has just started */
4056 net
->nft
.gencursor
= nft_gencursor_next(net
);
4058 /* Make sure all packets have left the previous generation before
4059 * purging old rules.
4063 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
4064 switch (trans
->msg_type
) {
4065 case NFT_MSG_NEWTABLE
:
4066 if (nft_trans_table_update(trans
)) {
4067 if (!nft_trans_table_enable(trans
)) {
4068 nf_tables_table_disable(net
,
4071 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
4074 nft_clear(net
, trans
->ctx
.table
);
4076 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_NEWTABLE
);
4077 nft_trans_destroy(trans
);
4079 case NFT_MSG_DELTABLE
:
4080 list_del_rcu(&trans
->ctx
.table
->list
);
4081 nf_tables_table_notify(&trans
->ctx
, NFT_MSG_DELTABLE
);
4083 case NFT_MSG_NEWCHAIN
:
4084 if (nft_trans_chain_update(trans
))
4085 nft_chain_commit_update(trans
);
4087 nft_clear(net
, trans
->ctx
.chain
);
4089 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_NEWCHAIN
);
4090 nft_trans_destroy(trans
);
4092 case NFT_MSG_DELCHAIN
:
4093 list_del_rcu(&trans
->ctx
.chain
->list
);
4094 nf_tables_chain_notify(&trans
->ctx
, NFT_MSG_DELCHAIN
);
4095 nf_tables_unregister_hooks(trans
->ctx
.net
,
4098 trans
->ctx
.afi
->nops
);
4100 case NFT_MSG_NEWRULE
:
4101 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
4102 nf_tables_rule_notify(&trans
->ctx
,
4103 nft_trans_rule(trans
),
4105 nft_trans_destroy(trans
);
4107 case NFT_MSG_DELRULE
:
4108 list_del_rcu(&nft_trans_rule(trans
)->list
);
4109 nf_tables_rule_notify(&trans
->ctx
,
4110 nft_trans_rule(trans
),
4113 case NFT_MSG_NEWSET
:
4114 nft_clear(net
, nft_trans_set(trans
));
4115 /* This avoids hitting -EBUSY when deleting the table
4116 * from the transaction.
4118 if (nft_trans_set(trans
)->flags
& NFT_SET_ANONYMOUS
&&
4119 !list_empty(&nft_trans_set(trans
)->bindings
))
4120 trans
->ctx
.table
->use
--;
4122 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
4123 NFT_MSG_NEWSET
, GFP_KERNEL
);
4124 nft_trans_destroy(trans
);
4126 case NFT_MSG_DELSET
:
4127 list_del_rcu(&nft_trans_set(trans
)->list
);
4128 nf_tables_set_notify(&trans
->ctx
, nft_trans_set(trans
),
4129 NFT_MSG_DELSET
, GFP_KERNEL
);
4131 case NFT_MSG_NEWSETELEM
:
4132 te
= (struct nft_trans_elem
*)trans
->data
;
4134 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
4135 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
4137 NFT_MSG_NEWSETELEM
, 0);
4138 nft_trans_destroy(trans
);
4140 case NFT_MSG_DELSETELEM
:
4141 te
= (struct nft_trans_elem
*)trans
->data
;
4143 nf_tables_setelem_notify(&trans
->ctx
, te
->set
,
4145 NFT_MSG_DELSETELEM
, 0);
4146 te
->set
->ops
->remove(te
->set
, &te
->elem
);
4147 atomic_dec(&te
->set
->nelems
);
4155 list_for_each_entry_safe(trans
, next
, &net
->nft
.commit_list
, list
) {
4156 list_del(&trans
->list
);
4157 nf_tables_commit_release(trans
);
4160 nf_tables_gen_notify(net
, skb
, NFT_MSG_NEWGEN
);
4165 static void nf_tables_abort_release(struct nft_trans
*trans
)
4167 switch (trans
->msg_type
) {
4168 case NFT_MSG_NEWTABLE
:
4169 nf_tables_table_destroy(&trans
->ctx
);
4171 case NFT_MSG_NEWCHAIN
:
4172 nf_tables_chain_destroy(trans
->ctx
.chain
);
4174 case NFT_MSG_NEWRULE
:
4175 nf_tables_rule_destroy(&trans
->ctx
, nft_trans_rule(trans
));
4177 case NFT_MSG_NEWSET
:
4178 nft_set_destroy(nft_trans_set(trans
));
4180 case NFT_MSG_NEWSETELEM
:
4181 nft_set_elem_destroy(nft_trans_elem_set(trans
),
4182 nft_trans_elem(trans
).priv
, true);
4188 static int nf_tables_abort(struct net
*net
, struct sk_buff
*skb
)
4190 struct nft_trans
*trans
, *next
;
4191 struct nft_trans_elem
*te
;
4193 list_for_each_entry_safe_reverse(trans
, next
, &net
->nft
.commit_list
,
4195 switch (trans
->msg_type
) {
4196 case NFT_MSG_NEWTABLE
:
4197 if (nft_trans_table_update(trans
)) {
4198 if (nft_trans_table_enable(trans
)) {
4199 nf_tables_table_disable(net
,
4202 trans
->ctx
.table
->flags
|= NFT_TABLE_F_DORMANT
;
4204 nft_trans_destroy(trans
);
4206 list_del_rcu(&trans
->ctx
.table
->list
);
4209 case NFT_MSG_DELTABLE
:
4210 nft_clear(trans
->ctx
.net
, trans
->ctx
.table
);
4211 nft_trans_destroy(trans
);
4213 case NFT_MSG_NEWCHAIN
:
4214 if (nft_trans_chain_update(trans
)) {
4215 free_percpu(nft_trans_chain_stats(trans
));
4217 nft_trans_destroy(trans
);
4219 trans
->ctx
.table
->use
--;
4220 list_del_rcu(&trans
->ctx
.chain
->list
);
4221 nf_tables_unregister_hooks(trans
->ctx
.net
,
4224 trans
->ctx
.afi
->nops
);
4227 case NFT_MSG_DELCHAIN
:
4228 trans
->ctx
.table
->use
++;
4229 nft_clear(trans
->ctx
.net
, trans
->ctx
.chain
);
4230 nft_trans_destroy(trans
);
4232 case NFT_MSG_NEWRULE
:
4233 trans
->ctx
.chain
->use
--;
4234 list_del_rcu(&nft_trans_rule(trans
)->list
);
4236 case NFT_MSG_DELRULE
:
4237 trans
->ctx
.chain
->use
++;
4238 nft_clear(trans
->ctx
.net
, nft_trans_rule(trans
));
4239 nft_trans_destroy(trans
);
4241 case NFT_MSG_NEWSET
:
4242 trans
->ctx
.table
->use
--;
4243 list_del_rcu(&nft_trans_set(trans
)->list
);
4245 case NFT_MSG_DELSET
:
4246 trans
->ctx
.table
->use
++;
4247 nft_clear(trans
->ctx
.net
, nft_trans_set(trans
));
4248 nft_trans_destroy(trans
);
4250 case NFT_MSG_NEWSETELEM
:
4251 te
= (struct nft_trans_elem
*)trans
->data
;
4253 te
->set
->ops
->remove(te
->set
, &te
->elem
);
4254 atomic_dec(&te
->set
->nelems
);
4256 case NFT_MSG_DELSETELEM
:
4257 te
= (struct nft_trans_elem
*)trans
->data
;
4259 te
->set
->ops
->activate(net
, te
->set
, &te
->elem
);
4262 nft_trans_destroy(trans
);
4269 list_for_each_entry_safe_reverse(trans
, next
,
4270 &net
->nft
.commit_list
, list
) {
4271 list_del(&trans
->list
);
4272 nf_tables_abort_release(trans
);
4278 static const struct nfnetlink_subsystem nf_tables_subsys
= {
4279 .name
= "nf_tables",
4280 .subsys_id
= NFNL_SUBSYS_NFTABLES
,
4281 .cb_count
= NFT_MSG_MAX
,
4283 .commit
= nf_tables_commit
,
4284 .abort
= nf_tables_abort
,
4287 int nft_chain_validate_dependency(const struct nft_chain
*chain
,
4288 enum nft_chain_type type
)
4290 const struct nft_base_chain
*basechain
;
4292 if (chain
->flags
& NFT_BASE_CHAIN
) {
4293 basechain
= nft_base_chain(chain
);
4294 if (basechain
->type
->type
!= type
)
4299 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency
);
4301 int nft_chain_validate_hooks(const struct nft_chain
*chain
,
4302 unsigned int hook_flags
)
4304 struct nft_base_chain
*basechain
;
4306 if (chain
->flags
& NFT_BASE_CHAIN
) {
4307 basechain
= nft_base_chain(chain
);
4309 if ((1 << basechain
->ops
[0].hooknum
) & hook_flags
)
4317 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks
);
4320 * Loop detection - walk through the ruleset beginning at the destination chain
4321 * of a new jump until either the source chain is reached (loop) or all
4322 * reachable chains have been traversed.
4324 * The loop check is performed whenever a new jump verdict is added to an
4325 * expression or verdict map or a verdict map is bound to a new chain.
4328 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
4329 const struct nft_chain
*chain
);
4331 static int nf_tables_loop_check_setelem(const struct nft_ctx
*ctx
,
4332 const struct nft_set
*set
,
4333 const struct nft_set_iter
*iter
,
4334 const struct nft_set_elem
*elem
)
4336 const struct nft_set_ext
*ext
= nft_set_elem_ext(set
, elem
->priv
);
4337 const struct nft_data
*data
;
4339 if (nft_set_ext_exists(ext
, NFT_SET_EXT_FLAGS
) &&
4340 *nft_set_ext_flags(ext
) & NFT_SET_ELEM_INTERVAL_END
)
4343 data
= nft_set_ext_data(ext
);
4344 switch (data
->verdict
.code
) {
4347 return nf_tables_check_loops(ctx
, data
->verdict
.chain
);
4353 static int nf_tables_check_loops(const struct nft_ctx
*ctx
,
4354 const struct nft_chain
*chain
)
4356 const struct nft_rule
*rule
;
4357 const struct nft_expr
*expr
, *last
;
4358 const struct nft_set
*set
;
4359 struct nft_set_binding
*binding
;
4360 struct nft_set_iter iter
;
4362 if (ctx
->chain
== chain
)
4365 list_for_each_entry(rule
, &chain
->rules
, list
) {
4366 nft_rule_for_each_expr(expr
, last
, rule
) {
4367 const struct nft_data
*data
= NULL
;
4370 if (!expr
->ops
->validate
)
4373 err
= expr
->ops
->validate(ctx
, expr
, &data
);
4380 switch (data
->verdict
.code
) {
4383 err
= nf_tables_check_loops(ctx
,
4384 data
->verdict
.chain
);
4393 list_for_each_entry(set
, &ctx
->table
->sets
, list
) {
4394 if (!nft_is_active_next(ctx
->net
, set
))
4396 if (!(set
->flags
& NFT_SET_MAP
) ||
4397 set
->dtype
!= NFT_DATA_VERDICT
)
4400 list_for_each_entry(binding
, &set
->bindings
, list
) {
4401 if (!(binding
->flags
& NFT_SET_MAP
) ||
4402 binding
->chain
!= chain
)
4405 iter
.genmask
= nft_genmask_next(ctx
->net
);
4409 iter
.fn
= nf_tables_loop_check_setelem
;
4411 set
->ops
->walk(ctx
, set
, &iter
);
4421 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
4423 * @attr: netlink attribute to fetch value from
4424 * @max: maximum value to be stored in dest
4425 * @dest: pointer to the variable
4427 * Parse, check and store a given u32 netlink attribute into variable.
4428 * This function returns -ERANGE if the value goes over maximum value.
4429 * Otherwise a 0 is returned and the attribute value is stored in the
4430 * destination variable.
4432 int nft_parse_u32_check(const struct nlattr
*attr
, int max
, u32
*dest
)
4436 val
= ntohl(nla_get_be32(attr
));
4443 EXPORT_SYMBOL_GPL(nft_parse_u32_check
);
4446 * nft_parse_register - parse a register value from a netlink attribute
4448 * @attr: netlink attribute
4450 * Parse and translate a register value from a netlink attribute.
4451 * Registers used to be 128 bit wide, these register numbers will be
4452 * mapped to the corresponding 32 bit register numbers.
4454 unsigned int nft_parse_register(const struct nlattr
*attr
)
4458 reg
= ntohl(nla_get_be32(attr
));
4460 case NFT_REG_VERDICT
...NFT_REG_4
:
4461 return reg
* NFT_REG_SIZE
/ NFT_REG32_SIZE
;
4463 return reg
+ NFT_REG_SIZE
/ NFT_REG32_SIZE
- NFT_REG32_00
;
4466 EXPORT_SYMBOL_GPL(nft_parse_register
);
4469 * nft_dump_register - dump a register value to a netlink attribute
4471 * @skb: socket buffer
4472 * @attr: attribute number
4473 * @reg: register number
4475 * Construct a netlink attribute containing the register number. For
4476 * compatibility reasons, register numbers being a multiple of 4 are
4477 * translated to the corresponding 128 bit register numbers.
4479 int nft_dump_register(struct sk_buff
*skb
, unsigned int attr
, unsigned int reg
)
4481 if (reg
% (NFT_REG_SIZE
/ NFT_REG32_SIZE
) == 0)
4482 reg
= reg
/ (NFT_REG_SIZE
/ NFT_REG32_SIZE
);
4484 reg
= reg
- NFT_REG_SIZE
/ NFT_REG32_SIZE
+ NFT_REG32_00
;
4486 return nla_put_be32(skb
, attr
, htonl(reg
));
4488 EXPORT_SYMBOL_GPL(nft_dump_register
);
4491 * nft_validate_register_load - validate a load from a register
4493 * @reg: the register number
4494 * @len: the length of the data
4496 * Validate that the input register is one of the general purpose
4497 * registers and that the length of the load is within the bounds.
4499 int nft_validate_register_load(enum nft_registers reg
, unsigned int len
)
4501 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
4505 if (reg
* NFT_REG32_SIZE
+ len
> FIELD_SIZEOF(struct nft_regs
, data
))
4510 EXPORT_SYMBOL_GPL(nft_validate_register_load
);
4513 * nft_validate_register_store - validate an expressions' register store
4515 * @ctx: context of the expression performing the load
4516 * @reg: the destination register number
4517 * @data: the data to load
4518 * @type: the data type
4519 * @len: the length of the data
4521 * Validate that a data load uses the appropriate data type for
4522 * the destination register and the length is within the bounds.
4523 * A value of NULL for the data means that its runtime gathered
4526 int nft_validate_register_store(const struct nft_ctx
*ctx
,
4527 enum nft_registers reg
,
4528 const struct nft_data
*data
,
4529 enum nft_data_types type
, unsigned int len
)
4534 case NFT_REG_VERDICT
:
4535 if (type
!= NFT_DATA_VERDICT
)
4539 (data
->verdict
.code
== NFT_GOTO
||
4540 data
->verdict
.code
== NFT_JUMP
)) {
4541 err
= nf_tables_check_loops(ctx
, data
->verdict
.chain
);
4545 if (ctx
->chain
->level
+ 1 >
4546 data
->verdict
.chain
->level
) {
4547 if (ctx
->chain
->level
+ 1 == NFT_JUMP_STACK_SIZE
)
4549 data
->verdict
.chain
->level
= ctx
->chain
->level
+ 1;
4555 if (reg
< NFT_REG_1
* NFT_REG_SIZE
/ NFT_REG32_SIZE
)
4559 if (reg
* NFT_REG32_SIZE
+ len
>
4560 FIELD_SIZEOF(struct nft_regs
, data
))
4563 if (data
!= NULL
&& type
!= NFT_DATA_VALUE
)
4568 EXPORT_SYMBOL_GPL(nft_validate_register_store
);
4570 static const struct nla_policy nft_verdict_policy
[NFTA_VERDICT_MAX
+ 1] = {
4571 [NFTA_VERDICT_CODE
] = { .type
= NLA_U32
},
4572 [NFTA_VERDICT_CHAIN
] = { .type
= NLA_STRING
,
4573 .len
= NFT_CHAIN_MAXNAMELEN
- 1 },
4576 static int nft_verdict_init(const struct nft_ctx
*ctx
, struct nft_data
*data
,
4577 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
4579 u8 genmask
= nft_genmask_next(ctx
->net
);
4580 struct nlattr
*tb
[NFTA_VERDICT_MAX
+ 1];
4581 struct nft_chain
*chain
;
4584 err
= nla_parse_nested(tb
, NFTA_VERDICT_MAX
, nla
, nft_verdict_policy
);
4588 if (!tb
[NFTA_VERDICT_CODE
])
4590 data
->verdict
.code
= ntohl(nla_get_be32(tb
[NFTA_VERDICT_CODE
]));
4592 switch (data
->verdict
.code
) {
4594 switch (data
->verdict
.code
& NF_VERDICT_MASK
) {
4609 if (!tb
[NFTA_VERDICT_CHAIN
])
4611 chain
= nf_tables_chain_lookup(ctx
->table
,
4612 tb
[NFTA_VERDICT_CHAIN
], genmask
);
4614 return PTR_ERR(chain
);
4615 if (chain
->flags
& NFT_BASE_CHAIN
)
4619 data
->verdict
.chain
= chain
;
4623 desc
->len
= sizeof(data
->verdict
);
4624 desc
->type
= NFT_DATA_VERDICT
;
4628 static void nft_verdict_uninit(const struct nft_data
*data
)
4630 switch (data
->verdict
.code
) {
4633 data
->verdict
.chain
->use
--;
4638 int nft_verdict_dump(struct sk_buff
*skb
, int type
, const struct nft_verdict
*v
)
4640 struct nlattr
*nest
;
4642 nest
= nla_nest_start(skb
, type
);
4644 goto nla_put_failure
;
4646 if (nla_put_be32(skb
, NFTA_VERDICT_CODE
, htonl(v
->code
)))
4647 goto nla_put_failure
;
4652 if (nla_put_string(skb
, NFTA_VERDICT_CHAIN
,
4654 goto nla_put_failure
;
4656 nla_nest_end(skb
, nest
);
4663 static int nft_value_init(const struct nft_ctx
*ctx
,
4664 struct nft_data
*data
, unsigned int size
,
4665 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
4675 nla_memcpy(data
->data
, nla
, len
);
4676 desc
->type
= NFT_DATA_VALUE
;
4681 static int nft_value_dump(struct sk_buff
*skb
, const struct nft_data
*data
,
4684 return nla_put(skb
, NFTA_DATA_VALUE
, len
, data
->data
);
4687 static const struct nla_policy nft_data_policy
[NFTA_DATA_MAX
+ 1] = {
4688 [NFTA_DATA_VALUE
] = { .type
= NLA_BINARY
},
4689 [NFTA_DATA_VERDICT
] = { .type
= NLA_NESTED
},
4693 * nft_data_init - parse nf_tables data netlink attributes
4695 * @ctx: context of the expression using the data
4696 * @data: destination struct nft_data
4697 * @size: maximum data length
4698 * @desc: data description
4699 * @nla: netlink attribute containing data
4701 * Parse the netlink data attributes and initialize a struct nft_data.
4702 * The type and length of data are returned in the data description.
4704 * The caller can indicate that it only wants to accept data of type
4705 * NFT_DATA_VALUE by passing NULL for the ctx argument.
4707 int nft_data_init(const struct nft_ctx
*ctx
,
4708 struct nft_data
*data
, unsigned int size
,
4709 struct nft_data_desc
*desc
, const struct nlattr
*nla
)
4711 struct nlattr
*tb
[NFTA_DATA_MAX
+ 1];
4714 err
= nla_parse_nested(tb
, NFTA_DATA_MAX
, nla
, nft_data_policy
);
4718 if (tb
[NFTA_DATA_VALUE
])
4719 return nft_value_init(ctx
, data
, size
, desc
,
4720 tb
[NFTA_DATA_VALUE
]);
4721 if (tb
[NFTA_DATA_VERDICT
] && ctx
!= NULL
)
4722 return nft_verdict_init(ctx
, data
, desc
, tb
[NFTA_DATA_VERDICT
]);
4725 EXPORT_SYMBOL_GPL(nft_data_init
);
4728 * nft_data_uninit - release a nft_data item
4730 * @data: struct nft_data to release
4731 * @type: type of data
4733 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4734 * all others need to be released by calling this function.
4736 void nft_data_uninit(const struct nft_data
*data
, enum nft_data_types type
)
4738 if (type
< NFT_DATA_VERDICT
)
4741 case NFT_DATA_VERDICT
:
4742 return nft_verdict_uninit(data
);
4747 EXPORT_SYMBOL_GPL(nft_data_uninit
);
4749 int nft_data_dump(struct sk_buff
*skb
, int attr
, const struct nft_data
*data
,
4750 enum nft_data_types type
, unsigned int len
)
4752 struct nlattr
*nest
;
4755 nest
= nla_nest_start(skb
, attr
);
4760 case NFT_DATA_VALUE
:
4761 err
= nft_value_dump(skb
, data
, len
);
4763 case NFT_DATA_VERDICT
:
4764 err
= nft_verdict_dump(skb
, NFTA_DATA_VERDICT
, &data
->verdict
);
4771 nla_nest_end(skb
, nest
);
4774 EXPORT_SYMBOL_GPL(nft_data_dump
);
4776 static int __net_init
nf_tables_init_net(struct net
*net
)
4778 INIT_LIST_HEAD(&net
->nft
.af_info
);
4779 INIT_LIST_HEAD(&net
->nft
.commit_list
);
4780 net
->nft
.base_seq
= 1;
4784 int __nft_release_basechain(struct nft_ctx
*ctx
)
4786 struct nft_rule
*rule
, *nr
;
4788 BUG_ON(!(ctx
->chain
->flags
& NFT_BASE_CHAIN
));
4790 nf_tables_unregister_hooks(ctx
->net
, ctx
->chain
->table
, ctx
->chain
,
4792 list_for_each_entry_safe(rule
, nr
, &ctx
->chain
->rules
, list
) {
4793 list_del(&rule
->list
);
4795 nf_tables_rule_destroy(ctx
, rule
);
4797 list_del(&ctx
->chain
->list
);
4799 nf_tables_chain_destroy(ctx
->chain
);
4803 EXPORT_SYMBOL_GPL(__nft_release_basechain
);
4805 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
4806 static void __nft_release_afinfo(struct net
*net
, struct nft_af_info
*afi
)
4808 struct nft_table
*table
, *nt
;
4809 struct nft_chain
*chain
, *nc
;
4810 struct nft_rule
*rule
, *nr
;
4811 struct nft_set
*set
, *ns
;
4812 struct nft_ctx ctx
= {
4817 list_for_each_entry_safe(table
, nt
, &afi
->tables
, list
) {
4818 list_for_each_entry(chain
, &table
->chains
, list
)
4819 nf_tables_unregister_hooks(net
, table
, chain
,
4821 /* No packets are walking on these chains anymore. */
4823 list_for_each_entry(chain
, &table
->chains
, list
) {
4825 list_for_each_entry_safe(rule
, nr
, &chain
->rules
, list
) {
4826 list_del(&rule
->list
);
4828 nf_tables_rule_destroy(&ctx
, rule
);
4831 list_for_each_entry_safe(set
, ns
, &table
->sets
, list
) {
4832 list_del(&set
->list
);
4834 nft_set_destroy(set
);
4836 list_for_each_entry_safe(chain
, nc
, &table
->chains
, list
) {
4837 list_del(&chain
->list
);
4839 nf_tables_chain_destroy(chain
);
4841 list_del(&table
->list
);
4842 nf_tables_table_destroy(&ctx
);
4846 static struct pernet_operations nf_tables_net_ops
= {
4847 .init
= nf_tables_init_net
,
4850 static int __init
nf_tables_module_init(void)
4854 info
= kmalloc(sizeof(struct nft_expr_info
) * NFT_RULE_MAXEXPRS
,
4861 err
= nf_tables_core_module_init();
4865 err
= nfnetlink_subsys_register(&nf_tables_subsys
);
4869 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4870 return register_pernet_subsys(&nf_tables_net_ops
);
4872 nf_tables_core_module_exit();
4879 static void __exit
nf_tables_module_exit(void)
4881 unregister_pernet_subsys(&nf_tables_net_ops
);
4882 nfnetlink_subsys_unregister(&nf_tables_subsys
);
4884 nf_tables_core_module_exit();
4888 module_init(nf_tables_module_init
);
4889 module_exit(nf_tables_module_exit
);
4891 MODULE_LICENSE("GPL");
4892 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4893 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES
);
projects / mirror_ubuntu-artful-kernel.git / blob