#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_offload.h>
#include <net/net_namespace.h>
-#include <net/netns/generic.h>
#include <net/sock.h>
#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
static void nft_validate_state_update(struct net *net, u8 new_validate_state)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
switch (nft_net->validate_state) {
case NFT_VALIDATE_SKIP:
if (!nft_set_is_anonymous(set))
return;
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
switch (trans->msg_type) {
case NFT_MSG_NEWSET:
static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
{
- struct nftables_pernet *nft_net;
+ struct nftables_pernet *nft_net = nft_pernet(net);
- nft_net = net_generic(net, nf_tables_net_id);
list_add_tail(&trans->list, &nft_net->commit_list);
}
if (nla == NULL)
return ERR_PTR(-EINVAL);
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
list_for_each_entry_rcu(table, &nft_net->tables, list,
lockdep_is_held(&nft_net->commit_mutex)) {
if (!nla_strcmp(nla, table->name) &&
struct nftables_pernet *nft_net;
struct nft_table *table;
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
list_for_each_entry(table, &nft_net->tables, list) {
if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
nft_active_genmask(table, genmask))
if (ret >= MODULE_NAME_LEN)
return 0;
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
list_for_each_entry(req, &nft_net->module_list, list) {
if (!strcmp(req->module, module_name)) {
if (req->done)
static __be16 nft_base_seq(const struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
return htons(nft_net->base_seq & 0xffff);
}
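Review bot: Several of the converted call sites pass a `const struct net *` — nft_base_seq here, and lockdep_commit_lock_is_held, nft_chain_lookup_byid, nft_rule_lookup_byid and nft_set_lookup_byid further down — so the new helper must take a const-qualified pointer, `static inline struct nftables_pernet *nft_pernet(const struct net *net)`, matching the `const struct net *` parameter of `net_generic()` it replaces; a non-const parameter would make these sites discard a qualifier. The helper's definition is not in this view, so this is a request to confirm rather than a defect observed. Dropping `#include <net/netns/generic.h>` in the first hunk is consistent only if the header that defines nft_pernet() includes it itself, since after this change that header holds the file's only remaining `net_generic()` call.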
goto err;
}
- nft_net = net_generic(ctx->net, nf_tables_net_id);
+ nft_net = nft_pernet(ctx->net);
nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
return;
err:
int family = nfmsg->nfgen_family;
rcu_read_lock();
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
cb->seq = nft_net->base_seq;
list_for_each_entry_rcu(table, &nft_net->tables, list) {
const struct nlattr * const nla[],
struct netlink_ext_ack *extack)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
u8 genmask = nft_genmask_next(net);
int family = nfmsg->nfgen_family;
static int nft_flush(struct nft_ctx *ctx, int family)
{
- struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
- struct nft_table *table, *nt;
+ struct nftables_pernet *nft_net = nft_pernet(ctx->net);
const struct nlattr * const *nla = ctx->nla;
+ struct nft_table *table, *nt;
int err = 0;
list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
static bool lockdep_commit_lock_is_held(const struct net *net)
{
#ifdef CONFIG_PROVE_LOCKING
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
return lockdep_is_held(&nft_net->commit_mutex);
#else
goto err;
}
- nft_net = net_generic(ctx->net, nf_tables_net_id);
+ nft_net = nft_pernet(ctx->net);
nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
return;
err:
struct netlink_callback *cb)
{
const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
- const struct nft_table *table;
- const struct nft_chain *chain;
unsigned int idx = 0, s_idx = cb->args[0];
struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
struct nftables_pernet *nft_net;
+ const struct nft_table *table;
+ const struct nft_chain *chain;
rcu_read_lock();
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
cb->seq = nft_net->base_seq;
list_for_each_entry_rcu(table, &nft_net->tables, list) {
struct nft_chain_hook *hook, u8 family,
bool autoload)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nlattr *ha[NFTA_HOOK_MAX + 1];
const struct nft_chain_type *type;
int err;
if (nla[NFTA_CHAIN_HANDLE] &&
nla[NFTA_CHAIN_NAME]) {
- struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(ctx->net);
struct nft_trans *tmp;
char *name;
static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
const struct nlattr *nla)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
u32 id = ntohl(nla_get_be32(nla));
struct nft_trans *trans;
const struct nlattr * const nla[],
struct netlink_ext_ack *extack)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
u8 genmask = nft_genmask_next(net);
int family = nfmsg->nfgen_family;
static void nf_tables_rule_notify(const struct nft_ctx *ctx,
const struct nft_rule *rule, int event)
{
- struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(ctx->net);
struct sk_buff *skb;
int err;
struct nftables_pernet *nft_net;
rcu_read_lock();
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
cb->seq = nft_net->base_seq;
list_for_each_entry_rcu(table, &nft_net->tables, list) {
const struct nlattr * const nla[],
struct netlink_ext_ack *extack)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
u8 genmask = nft_genmask_next(net);
struct nft_expr_info *info = NULL;
static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
const struct nlattr *nla)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
u32 id = ntohl(nla_get_be32(nla));
struct nft_trans *trans;
const struct nft_set_desc *desc,
enum nft_set_policies policy)
{
- struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(ctx->net);
const struct nft_set_ops *ops, *bops;
struct nft_set_estimate est, best;
const struct nft_set_type *type;
static struct nft_set *nft_set_lookup_byid(const struct net *net,
const struct nlattr *nla, u8 genmask)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nft_trans *trans;
+ struct nftables_pernet *nft_net = nft_pernet(net);
u32 id = ntohl(nla_get_be32(nla));
+ struct nft_trans *trans;
list_for_each_entry(trans, &nft_net->commit_list, list) {
if (trans->msg_type == NFT_MSG_NEWSET) {
const struct nft_set *set, int event,
gfp_t gfp_flags)
{
- struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(ctx->net);
struct sk_buff *skb;
u32 portid = ctx->portid;
int err;
return skb->len;
rcu_read_lock();
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
cb->seq = nft_net->base_seq;
list_for_each_entry_rcu(table, &nft_net->tables, list) {
int event;
rcu_read_lock();
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
list_for_each_entry_rcu(table, &nft_net->tables, list) {
if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
dump_ctx->ctx.family != table->family)
goto err;
}
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
return;
err:
const struct nlattr * const nla[],
struct netlink_ext_ack *extack)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
u8 genmask = nft_genmask_next(net);
const struct nlattr *attr;
struct nft_set *set;
reset = true;
rcu_read_lock();
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
cb->seq = nft_net->base_seq;
list_for_each_entry_rcu(table, &nft_net->tables, list) {
const struct nftables_pernet *nft_net;
char *buf;
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
audit_log_nfcfg(buf,
struct nft_object *obj, u32 portid, u32 seq, int event,
int family, int report, gfp_t gfp)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct sk_buff *skb;
int err;
char *buf = kasprintf(gfp, "%s:%u",
const struct nft_table *table;
rcu_read_lock();
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
cb->seq = nft_net->base_seq;
list_for_each_entry_rcu(table, &nft_net->tables, list) {
struct list_head *hook_list,
int event)
{
- struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(ctx->net);
struct sk_buff *skb;
int err;
static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
u32 portid, u32 seq)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nlmsghdr *nlh;
char buf[TASK_COMM_LEN];
int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
return 0;
net = dev_net(dev);
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
list_for_each_entry(flowtable, &table->flowtables, list) {
static int nf_tables_validate(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_table *table;
switch (nft_net->validate_state) {
static void nf_tables_commit_chain_prepare_cancel(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_trans *trans, *next;
list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
static void nf_tables_module_autoload_cleanup(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_module_request *req, *next;
WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
static void nf_tables_commit_release(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_trans *trans;
/* all side effects have to be made visible.
static void nft_commit_notify(struct net *net, u32 portid)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct sk_buff *batch_skb = NULL, *nskb, *skb;
unsigned char *data;
int len;
static int nf_tables_commit(struct net *net, struct sk_buff *skb)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_trans *trans, *next;
struct nft_trans_elem *te;
struct nft_chain *chain;
static void nf_tables_module_autoload(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_module_request *req, *next;
LIST_HEAD(module_list);
static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_trans *trans, *next;
struct nft_trans_elem *te;
struct nft_hook *hook;
static int nf_tables_abort(struct net *net, struct sk_buff *skb,
enum nfnl_abort_action action)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
int ret = __nf_tables_abort(net, action);
mutex_unlock(&nft_net->commit_mutex);
static bool nf_tables_valid_genid(struct net *net, u32 genid)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
bool genid_ok;
mutex_lock(&nft_net->commit_mutex);
static void __nft_release_hooks(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_table *table;
list_for_each_entry(table, &nft_net->tables, list) {
static void __nft_release_tables(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
struct nft_table *table, *nt;
list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
return NOTIFY_DONE;
- nft_net = net_generic(net, nf_tables_net_id);
+ nft_net = nft_pernet(net);
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
if (nft_table_has_owner(table) &&
static int __net_init nf_tables_init_net(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
INIT_LIST_HEAD(&nft_net->tables);
INIT_LIST_HEAD(&nft_net->commit_list);
static void __net_exit nf_tables_exit_net(struct net *net)
{
- struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nftables_pernet *nft_net = nft_pernet(net);
mutex_lock(&nft_net->commit_mutex);
if (!list_empty(&nft_net->commit_list))