2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
95 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
96 const struct nlattr *nla)
98 struct nft_table *table;
100 list_for_each_entry(table, &afi->tables, list) {
101 if (!nla_strcmp(nla, table->name))
107 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
108 const struct nlattr *nla)
110 struct nft_table *table;
113 return ERR_PTR(-EINVAL);
115 table = nft_table_lookup(afi, nla);
119 return ERR_PTR(-ENOENT);
122 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
124 return ++table->hgenerator;
127 static struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
129 static int __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
133 for (i=0; i<NFT_CHAIN_T_MAX; i++) {
134 if (chain_type[family][i] != NULL &&
135 !nla_strcmp(nla, chain_type[family][i]->name))
141 static int nf_tables_chain_type_lookup(const struct nft_af_info *afi,
142 const struct nlattr *nla,
147 type = __nf_tables_chain_type_lookup(afi->family, nla);
148 #ifdef CONFIG_MODULES
149 if (type < 0 && autoload) {
150 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
151 request_module("nft-chain-%u-%*.s", afi->family,
152 nla_len(nla)-1, (const char *)nla_data(nla));
153 nfnl_lock(NFNL_SUBSYS_NFTABLES);
154 type = __nf_tables_chain_type_lookup(afi->family, nla);
160 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
161 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
162 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
165 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
166 int event, u32 flags, int family,
167 const struct nft_table *table)
169 struct nlmsghdr *nlh;
170 struct nfgenmsg *nfmsg;
172 event |= NFNL_SUBSYS_NFTABLES << 8;
173 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
175 goto nla_put_failure;
177 nfmsg = nlmsg_data(nlh);
178 nfmsg->nfgen_family = family;
179 nfmsg->version = NFNETLINK_V0;
182 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
183 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
184 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
185 goto nla_put_failure;
187 return nlmsg_end(skb, nlh);
190 nlmsg_trim(skb, nlh);
194 static int nf_tables_table_notify(const struct sk_buff *oskb,
195 const struct nlmsghdr *nlh,
196 const struct nft_table *table,
197 int event, int family)
200 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
201 u32 seq = nlh ? nlh->nlmsg_seq : 0;
202 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
206 report = nlh ? nlmsg_report(nlh) : false;
207 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
211 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
215 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
222 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
226 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
230 static int nf_tables_dump_tables(struct sk_buff *skb,
231 struct netlink_callback *cb)
233 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
234 const struct nft_af_info *afi;
235 const struct nft_table *table;
236 unsigned int idx = 0, s_idx = cb->args[0];
237 struct net *net = sock_net(skb->sk);
238 int family = nfmsg->nfgen_family;
240 list_for_each_entry(afi, &net->nft.af_info, list) {
241 if (family != NFPROTO_UNSPEC && family != afi->family)
244 list_for_each_entry(table, &afi->tables, list) {
248 memset(&cb->args[1], 0,
249 sizeof(cb->args) - sizeof(cb->args[0]));
250 if (nf_tables_fill_table_info(skb,
251 NETLINK_CB(cb->skb).portid,
255 afi->family, table) < 0)
266 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
267 const struct nlmsghdr *nlh,
268 const struct nlattr * const nla[])
270 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
271 const struct nft_af_info *afi;
272 const struct nft_table *table;
273 struct sk_buff *skb2;
274 struct net *net = sock_net(skb->sk);
275 int family = nfmsg->nfgen_family;
278 if (nlh->nlmsg_flags & NLM_F_DUMP) {
279 struct netlink_dump_control c = {
280 .dump = nf_tables_dump_tables,
282 return netlink_dump_start(nlsk, skb, nlh, &c);
285 afi = nf_tables_afinfo_lookup(net, family, false);
289 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
291 return PTR_ERR(table);
293 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
297 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
298 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
303 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
310 static int nf_tables_table_enable(struct nft_table *table)
312 struct nft_chain *chain;
315 list_for_each_entry(chain, &table->chains, list) {
316 if (!(chain->flags & NFT_BASE_CHAIN))
319 err = nf_register_hook(&nft_base_chain(chain)->ops);
327 list_for_each_entry(chain, &table->chains, list) {
328 if (!(chain->flags & NFT_BASE_CHAIN))
334 nf_unregister_hook(&nft_base_chain(chain)->ops);
339 static int nf_tables_table_disable(struct nft_table *table)
341 struct nft_chain *chain;
343 list_for_each_entry(chain, &table->chains, list) {
344 if (chain->flags & NFT_BASE_CHAIN)
345 nf_unregister_hook(&nft_base_chain(chain)->ops);
351 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
352 const struct nlmsghdr *nlh,
353 const struct nlattr * const nla[],
354 struct nft_af_info *afi, struct nft_table *table)
356 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
357 int family = nfmsg->nfgen_family, ret = 0;
359 if (nla[NFTA_TABLE_FLAGS]) {
362 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
363 if (flags & ~NFT_TABLE_F_DORMANT)
366 if ((flags & NFT_TABLE_F_DORMANT) &&
367 !(table->flags & NFT_TABLE_F_DORMANT)) {
368 ret = nf_tables_table_disable(table);
370 table->flags |= NFT_TABLE_F_DORMANT;
371 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
372 table->flags & NFT_TABLE_F_DORMANT) {
373 ret = nf_tables_table_enable(table);
375 table->flags &= ~NFT_TABLE_F_DORMANT;
381 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
386 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
387 const struct nlmsghdr *nlh,
388 const struct nlattr * const nla[])
390 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
391 const struct nlattr *name;
392 struct nft_af_info *afi;
393 struct nft_table *table;
394 struct net *net = sock_net(skb->sk);
395 int family = nfmsg->nfgen_family;
397 afi = nf_tables_afinfo_lookup(net, family, true);
401 name = nla[NFTA_TABLE_NAME];
402 table = nf_tables_table_lookup(afi, name);
404 if (PTR_ERR(table) != -ENOENT)
405 return PTR_ERR(table);
410 if (nlh->nlmsg_flags & NLM_F_EXCL)
412 if (nlh->nlmsg_flags & NLM_F_REPLACE)
414 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
417 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
421 nla_strlcpy(table->name, name, nla_len(name));
422 INIT_LIST_HEAD(&table->chains);
423 INIT_LIST_HEAD(&table->sets);
425 if (nla[NFTA_TABLE_FLAGS]) {
428 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
429 if (flags & ~NFT_TABLE_F_DORMANT) {
434 table->flags |= flags;
437 list_add_tail(&table->list, &afi->tables);
438 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
442 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
443 const struct nlmsghdr *nlh,
444 const struct nlattr * const nla[])
446 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
447 struct nft_af_info *afi;
448 struct nft_table *table;
449 struct net *net = sock_net(skb->sk);
450 int family = nfmsg->nfgen_family;
452 afi = nf_tables_afinfo_lookup(net, family, false);
456 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
458 return PTR_ERR(table);
463 list_del(&table->list);
464 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
469 int nft_register_chain_type(struct nf_chain_type *ctype)
473 nfnl_lock(NFNL_SUBSYS_NFTABLES);
474 if (chain_type[ctype->family][ctype->type] != NULL) {
479 if (!try_module_get(ctype->me))
482 chain_type[ctype->family][ctype->type] = ctype;
484 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
487 EXPORT_SYMBOL_GPL(nft_register_chain_type);
489 void nft_unregister_chain_type(struct nf_chain_type *ctype)
491 nfnl_lock(NFNL_SUBSYS_NFTABLES);
492 chain_type[ctype->family][ctype->type] = NULL;
493 module_put(ctype->me);
494 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
496 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
502 static struct nft_chain *
503 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
505 struct nft_chain *chain;
507 list_for_each_entry(chain, &table->chains, list) {
508 if (chain->handle == handle)
512 return ERR_PTR(-ENOENT);
515 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
516 const struct nlattr *nla)
518 struct nft_chain *chain;
521 return ERR_PTR(-EINVAL);
523 list_for_each_entry(chain, &table->chains, list) {
524 if (!nla_strcmp(nla, chain->name))
528 return ERR_PTR(-ENOENT);
531 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
532 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
533 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
534 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
535 .len = NFT_CHAIN_MAXNAMELEN - 1 },
536 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
537 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
538 [NFTA_CHAIN_TYPE] = { .type = NLA_NUL_STRING },
539 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
542 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
543 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
544 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
547 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
549 struct nft_stats *cpu_stats, total;
553 memset(&total, 0, sizeof(total));
554 for_each_possible_cpu(cpu) {
555 cpu_stats = per_cpu_ptr(stats, cpu);
556 total.pkts += cpu_stats->pkts;
557 total.bytes += cpu_stats->bytes;
559 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
561 goto nla_put_failure;
563 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
564 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
565 goto nla_put_failure;
567 nla_nest_end(skb, nest);
574 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
575 int event, u32 flags, int family,
576 const struct nft_table *table,
577 const struct nft_chain *chain)
579 struct nlmsghdr *nlh;
580 struct nfgenmsg *nfmsg;
582 event |= NFNL_SUBSYS_NFTABLES << 8;
583 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
585 goto nla_put_failure;
587 nfmsg = nlmsg_data(nlh);
588 nfmsg->nfgen_family = family;
589 nfmsg->version = NFNETLINK_V0;
592 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
593 goto nla_put_failure;
594 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
595 goto nla_put_failure;
596 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
597 goto nla_put_failure;
599 if (chain->flags & NFT_BASE_CHAIN) {
600 const struct nft_base_chain *basechain = nft_base_chain(chain);
601 const struct nf_hook_ops *ops = &basechain->ops;
604 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
606 goto nla_put_failure;
607 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
608 goto nla_put_failure;
609 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
610 goto nla_put_failure;
611 nla_nest_end(skb, nest);
613 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
614 htonl(basechain->policy)))
615 goto nla_put_failure;
617 if (nla_put_string(skb, NFTA_CHAIN_TYPE,
618 chain_type[ops->pf][nft_base_chain(chain)->type]->name))
619 goto nla_put_failure;
621 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
622 goto nla_put_failure;
625 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
626 goto nla_put_failure;
628 return nlmsg_end(skb, nlh);
631 nlmsg_trim(skb, nlh);
635 static int nf_tables_chain_notify(const struct sk_buff *oskb,
636 const struct nlmsghdr *nlh,
637 const struct nft_table *table,
638 const struct nft_chain *chain,
639 int event, int family)
642 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
643 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
644 u32 seq = nlh ? nlh->nlmsg_seq : 0;
648 report = nlh ? nlmsg_report(nlh) : false;
649 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
653 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
657 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
664 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
668 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
672 static int nf_tables_dump_chains(struct sk_buff *skb,
673 struct netlink_callback *cb)
675 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
676 const struct nft_af_info *afi;
677 const struct nft_table *table;
678 const struct nft_chain *chain;
679 unsigned int idx = 0, s_idx = cb->args[0];
680 struct net *net = sock_net(skb->sk);
681 int family = nfmsg->nfgen_family;
683 list_for_each_entry(afi, &net->nft.af_info, list) {
684 if (family != NFPROTO_UNSPEC && family != afi->family)
687 list_for_each_entry(table, &afi->tables, list) {
688 list_for_each_entry(chain, &table->chains, list) {
692 memset(&cb->args[1], 0,
693 sizeof(cb->args) - sizeof(cb->args[0]));
694 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
698 afi->family, table, chain) < 0)
711 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
712 const struct nlmsghdr *nlh,
713 const struct nlattr * const nla[])
715 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
716 const struct nft_af_info *afi;
717 const struct nft_table *table;
718 const struct nft_chain *chain;
719 struct sk_buff *skb2;
720 struct net *net = sock_net(skb->sk);
721 int family = nfmsg->nfgen_family;
724 if (nlh->nlmsg_flags & NLM_F_DUMP) {
725 struct netlink_dump_control c = {
726 .dump = nf_tables_dump_chains,
728 return netlink_dump_start(nlsk, skb, nlh, &c);
731 afi = nf_tables_afinfo_lookup(net, family, false);
735 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
737 return PTR_ERR(table);
739 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
741 return PTR_ERR(chain);
743 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
747 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
748 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
749 family, table, chain);
753 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
761 nf_tables_chain_policy(struct nft_base_chain *chain, const struct nlattr *attr)
763 switch (ntohl(nla_get_be32(attr))) {
765 chain->policy = NF_DROP;
768 chain->policy = NF_ACCEPT;
776 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
777 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
778 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
782 nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
784 struct nlattr *tb[NFTA_COUNTER_MAX+1];
785 struct nft_stats __percpu *newstats;
786 struct nft_stats *stats;
789 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
793 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
796 newstats = alloc_percpu(struct nft_stats);
797 if (newstats == NULL)
800 /* Restore old counters on this cpu, no problem. Per-cpu statistics
801 * are not exposed to userspace.
803 stats = this_cpu_ptr(newstats);
804 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
805 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
808 /* nfnl_lock is held, add some nfnl function for this, later */
809 struct nft_stats __percpu *oldstats =
810 rcu_dereference_protected(chain->stats, 1);
812 rcu_assign_pointer(chain->stats, newstats);
814 free_percpu(oldstats);
816 rcu_assign_pointer(chain->stats, newstats);
821 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
822 const struct nlmsghdr *nlh,
823 const struct nlattr * const nla[])
825 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
826 const struct nlattr * uninitialized_var(name);
827 const struct nft_af_info *afi;
828 struct nft_table *table;
829 struct nft_chain *chain;
830 struct nft_base_chain *basechain = NULL;
831 struct nlattr *ha[NFTA_HOOK_MAX + 1];
832 struct net *net = sock_net(skb->sk);
833 int family = nfmsg->nfgen_family;
838 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
840 afi = nf_tables_afinfo_lookup(net, family, true);
844 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
846 return PTR_ERR(table);
848 if (table->use == UINT_MAX)
852 name = nla[NFTA_CHAIN_NAME];
854 if (nla[NFTA_CHAIN_HANDLE]) {
855 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
856 chain = nf_tables_chain_lookup_byhandle(table, handle);
858 return PTR_ERR(chain);
860 chain = nf_tables_chain_lookup(table, name);
862 if (PTR_ERR(chain) != -ENOENT)
863 return PTR_ERR(chain);
869 if (nlh->nlmsg_flags & NLM_F_EXCL)
871 if (nlh->nlmsg_flags & NLM_F_REPLACE)
874 if (nla[NFTA_CHAIN_HANDLE] && name &&
875 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
878 if (nla[NFTA_CHAIN_POLICY]) {
879 if (!(chain->flags & NFT_BASE_CHAIN))
882 err = nf_tables_chain_policy(nft_base_chain(chain),
883 nla[NFTA_CHAIN_POLICY]);
888 if (nla[NFTA_CHAIN_COUNTERS]) {
889 if (!(chain->flags & NFT_BASE_CHAIN))
892 err = nf_tables_counters(nft_base_chain(chain),
893 nla[NFTA_CHAIN_COUNTERS]);
898 if (nla[NFTA_CHAIN_HANDLE] && name)
899 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
904 if (nla[NFTA_CHAIN_HOOK]) {
905 struct nf_hook_ops *ops;
908 int type = NFT_CHAIN_T_DEFAULT;
910 if (nla[NFTA_CHAIN_TYPE]) {
911 type = nf_tables_chain_type_lookup(afi,
912 nla[NFTA_CHAIN_TYPE],
918 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
922 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
923 ha[NFTA_HOOK_PRIORITY] == NULL)
926 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
927 if (hooknum >= afi->nhooks)
930 hookfn = chain_type[family][type]->fn[hooknum];
934 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
935 if (basechain == NULL)
938 basechain->type = type;
939 chain = &basechain->chain;
941 ops = &basechain->ops;
943 ops->owner = afi->owner;
944 ops->hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
945 ops->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
948 if (afi->hooks[ops->hooknum])
949 ops->hook = afi->hooks[ops->hooknum];
951 chain->flags |= NFT_BASE_CHAIN;
953 if (nla[NFTA_CHAIN_POLICY]) {
954 err = nf_tables_chain_policy(basechain,
955 nla[NFTA_CHAIN_POLICY]);
957 free_percpu(basechain->stats);
962 basechain->policy = NF_ACCEPT;
964 if (nla[NFTA_CHAIN_COUNTERS]) {
965 err = nf_tables_counters(basechain,
966 nla[NFTA_CHAIN_COUNTERS]);
968 free_percpu(basechain->stats);
973 struct nft_stats __percpu *newstats;
975 newstats = alloc_percpu(struct nft_stats);
976 if (newstats == NULL)
979 rcu_assign_pointer(nft_base_chain(chain)->stats,
983 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
988 INIT_LIST_HEAD(&chain->rules);
989 chain->handle = nf_tables_alloc_handle(table);
991 chain->table = table;
992 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
994 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
995 chain->flags & NFT_BASE_CHAIN) {
996 err = nf_register_hook(&nft_base_chain(chain)->ops);
998 free_percpu(basechain->stats);
1003 list_add_tail(&chain->list, &table->chains);
1006 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
1011 static void nf_tables_rcu_chain_destroy(struct rcu_head *head)
1013 struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head);
1015 BUG_ON(chain->use > 0);
1017 if (chain->flags & NFT_BASE_CHAIN) {
1018 free_percpu(nft_base_chain(chain)->stats);
1019 kfree(nft_base_chain(chain));
1024 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1025 const struct nlmsghdr *nlh,
1026 const struct nlattr * const nla[])
1028 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1029 const struct nft_af_info *afi;
1030 struct nft_table *table;
1031 struct nft_chain *chain;
1032 struct net *net = sock_net(skb->sk);
1033 int family = nfmsg->nfgen_family;
1035 afi = nf_tables_afinfo_lookup(net, family, false);
1037 return PTR_ERR(afi);
1039 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1041 return PTR_ERR(table);
1043 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1045 return PTR_ERR(chain);
1047 if (!list_empty(&chain->rules))
1050 list_del(&chain->list);
1053 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1054 chain->flags & NFT_BASE_CHAIN)
1055 nf_unregister_hook(&nft_base_chain(chain)->ops);
1057 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1060 /* Make sure all rule references are gone before this is released */
1061 call_rcu(&chain->rcu_head, nf_tables_rcu_chain_destroy);
1065 static void nft_ctx_init(struct nft_ctx *ctx,
1066 const struct sk_buff *skb,
1067 const struct nlmsghdr *nlh,
1068 const struct nft_af_info *afi,
1069 const struct nft_table *table,
1070 const struct nft_chain *chain,
1071 const struct nlattr * const *nla)
1073 ctx->net = sock_net(skb->sk);
1087 * nft_register_expr - register nf_tables expr type
1090 * Registers the expr type for use with nf_tables. Returns zero on
1091 * success or a negative errno code otherwise.
1093 int nft_register_expr(struct nft_expr_type *type)
1095 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1096 list_add_tail(&type->list, &nf_tables_expressions);
1097 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1100 EXPORT_SYMBOL_GPL(nft_register_expr);
1103 * nft_unregister_expr - unregister nf_tables expr type
1106 * Unregisters the expr typefor use with nf_tables.
1108 void nft_unregister_expr(struct nft_expr_type *type)
1110 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1111 list_del(&type->list);
1112 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1114 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1116 static const struct nft_expr_type *__nft_expr_type_get(struct nlattr *nla)
1118 const struct nft_expr_type *type;
1120 list_for_each_entry(type, &nf_tables_expressions, list) {
1121 if (!nla_strcmp(nla, type->name))
1127 static const struct nft_expr_type *nft_expr_type_get(struct nlattr *nla)
1129 const struct nft_expr_type *type;
1132 return ERR_PTR(-EINVAL);
1134 type = __nft_expr_type_get(nla);
1135 if (type != NULL && try_module_get(type->owner))
1138 #ifdef CONFIG_MODULES
1140 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1141 request_module("nft-expr-%.*s",
1142 nla_len(nla), (char *)nla_data(nla));
1143 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1144 if (__nft_expr_type_get(nla))
1145 return ERR_PTR(-EAGAIN);
1148 return ERR_PTR(-ENOENT);
1151 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1152 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1153 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1156 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1157 const struct nft_expr *expr)
1159 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1160 goto nla_put_failure;
1162 if (expr->ops->dump) {
1163 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1165 goto nla_put_failure;
1166 if (expr->ops->dump(skb, expr) < 0)
1167 goto nla_put_failure;
1168 nla_nest_end(skb, data);
1177 struct nft_expr_info {
1178 const struct nft_expr_ops *ops;
1179 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1182 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1183 const struct nlattr *nla,
1184 struct nft_expr_info *info)
1186 const struct nft_expr_type *type;
1187 const struct nft_expr_ops *ops;
1188 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1191 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1195 type = nft_expr_type_get(tb[NFTA_EXPR_NAME]);
1197 return PTR_ERR(type);
1199 if (tb[NFTA_EXPR_DATA]) {
1200 err = nla_parse_nested(info->tb, type->maxattr,
1201 tb[NFTA_EXPR_DATA], type->policy);
1205 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1207 if (type->select_ops != NULL) {
1208 ops = type->select_ops(ctx,
1209 (const struct nlattr * const *)info->tb);
1221 module_put(type->owner);
1225 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1226 const struct nft_expr_info *info,
1227 struct nft_expr *expr)
1229 const struct nft_expr_ops *ops = info->ops;
1234 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1246 static void nf_tables_expr_destroy(struct nft_expr *expr)
1248 if (expr->ops->destroy)
1249 expr->ops->destroy(expr);
1250 module_put(expr->ops->type->owner);
1257 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1260 struct nft_rule *rule;
1262 // FIXME: this sucks
1263 list_for_each_entry(rule, &chain->rules, list) {
1264 if (handle == rule->handle)
1268 return ERR_PTR(-ENOENT);
1271 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1272 const struct nlattr *nla)
1275 return ERR_PTR(-EINVAL);
1277 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1280 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1281 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1282 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1283 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1284 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1285 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1286 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1287 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1290 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1291 int event, u32 flags, int family,
1292 const struct nft_table *table,
1293 const struct nft_chain *chain,
1294 const struct nft_rule *rule)
1296 struct nlmsghdr *nlh;
1297 struct nfgenmsg *nfmsg;
1298 const struct nft_expr *expr, *next;
1299 struct nlattr *list;
1300 const struct nft_rule *prule;
1301 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1303 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1306 goto nla_put_failure;
1308 nfmsg = nlmsg_data(nlh);
1309 nfmsg->nfgen_family = family;
1310 nfmsg->version = NFNETLINK_V0;
1313 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1314 goto nla_put_failure;
1315 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1316 goto nla_put_failure;
1317 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1318 goto nla_put_failure;
1320 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1321 prule = list_entry(rule->list.prev, struct nft_rule, list);
1322 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1323 cpu_to_be64(prule->handle)))
1324 goto nla_put_failure;
1327 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1329 goto nla_put_failure;
1330 nft_rule_for_each_expr(expr, next, rule) {
1331 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1333 goto nla_put_failure;
1334 if (nf_tables_fill_expr_info(skb, expr) < 0)
1335 goto nla_put_failure;
1336 nla_nest_end(skb, elem);
1338 nla_nest_end(skb, list);
1340 return nlmsg_end(skb, nlh);
1343 nlmsg_trim(skb, nlh);
1347 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1348 const struct nlmsghdr *nlh,
1349 const struct nft_table *table,
1350 const struct nft_chain *chain,
1351 const struct nft_rule *rule,
1352 int event, u32 flags, int family)
1354 struct sk_buff *skb;
1355 u32 portid = NETLINK_CB(oskb).portid;
1356 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1357 u32 seq = nlh->nlmsg_seq;
1361 report = nlmsg_report(nlh);
1362 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1366 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1370 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1371 family, table, chain, rule);
1377 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1381 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1386 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1388 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1391 static inline int gencursor_next(struct net *net)
1393 return net->nft.gencursor+1 == 1 ? 1 : 0;
1397 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1399 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1403 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1405 /* Now inactive, will be active in the future */
1406 rule->genmask = (1 << net->nft.gencursor);
1410 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1412 rule->genmask = (1 << gencursor_next(net));
1415 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1420 static int nf_tables_dump_rules(struct sk_buff *skb,
1421 struct netlink_callback *cb)
1423 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1424 const struct nft_af_info *afi;
1425 const struct nft_table *table;
1426 const struct nft_chain *chain;
1427 const struct nft_rule *rule;
1428 unsigned int idx = 0, s_idx = cb->args[0];
1429 struct net *net = sock_net(skb->sk);
1430 int family = nfmsg->nfgen_family;
1431 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1432 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1434 list_for_each_entry(afi, &net->nft.af_info, list) {
1435 if (family != NFPROTO_UNSPEC && family != afi->family)
1438 list_for_each_entry(table, &afi->tables, list) {
1439 list_for_each_entry(chain, &table->chains, list) {
1440 list_for_each_entry(rule, &chain->rules, list) {
1441 if (!nft_rule_is_active(net, rule))
1446 memset(&cb->args[1], 0,
1447 sizeof(cb->args) - sizeof(cb->args[0]));
1448 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1451 NLM_F_MULTI | NLM_F_APPEND,
1452 afi->family, table, chain, rule) < 0)
1461 /* Invalidate this dump, a transition to the new generation happened */
1462 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1469 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1470 const struct nlmsghdr *nlh,
1471 const struct nlattr * const nla[])
1473 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1474 const struct nft_af_info *afi;
1475 const struct nft_table *table;
1476 const struct nft_chain *chain;
1477 const struct nft_rule *rule;
1478 struct sk_buff *skb2;
1479 struct net *net = sock_net(skb->sk);
1480 int family = nfmsg->nfgen_family;
1483 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1484 struct netlink_dump_control c = {
1485 .dump = nf_tables_dump_rules,
1487 return netlink_dump_start(nlsk, skb, nlh, &c);
1490 afi = nf_tables_afinfo_lookup(net, family, false);
1492 return PTR_ERR(afi);
1494 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1496 return PTR_ERR(table);
1498 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1500 return PTR_ERR(chain);
1502 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1504 return PTR_ERR(rule);
1506 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1510 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1511 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1512 family, table, chain, rule);
1516 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1523 static void nf_tables_rcu_rule_destroy(struct rcu_head *head)
1525 struct nft_rule *rule = container_of(head, struct nft_rule, rcu_head);
1526 struct nft_expr *expr;
1529 * Careful: some expressions might not be initialized in case this
1530 * is called on error from nf_tables_newrule().
1532 expr = nft_expr_first(rule);
1533 while (expr->ops && expr != nft_expr_last(rule)) {
1534 nf_tables_expr_destroy(expr);
1535 expr = nft_expr_next(expr);
1540 static void nf_tables_rule_destroy(struct nft_rule *rule)
1542 call_rcu(&rule->rcu_head, nf_tables_rcu_rule_destroy);
1545 #define NFT_RULE_MAXEXPRS 128
1547 static struct nft_expr_info *info;
1549 static struct nft_rule_trans *
1550 nf_tables_trans_add(struct nft_rule *rule, const struct nft_ctx *ctx)
1552 struct nft_rule_trans *rupd;
1554 rupd = kmalloc(sizeof(struct nft_rule_trans), GFP_KERNEL);
1558 rupd->chain = ctx->chain;
1559 rupd->table = ctx->table;
1561 rupd->family = ctx->afi->family;
1562 rupd->nlh = ctx->nlh;
1563 list_add_tail(&rupd->list, &ctx->net->nft.commit_list);
1568 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1569 const struct nlmsghdr *nlh,
1570 const struct nlattr * const nla[])
1572 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1573 const struct nft_af_info *afi;
1574 struct net *net = sock_net(skb->sk);
1575 struct nft_table *table;
1576 struct nft_chain *chain;
1577 struct nft_rule *rule, *old_rule = NULL;
1578 struct nft_rule_trans *repl = NULL;
1579 struct nft_expr *expr;
1582 unsigned int size, i, n;
1585 u64 handle, pos_handle;
1587 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1589 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1591 return PTR_ERR(afi);
1593 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1595 return PTR_ERR(table);
1597 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1599 return PTR_ERR(chain);
1601 if (nla[NFTA_RULE_HANDLE]) {
1602 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1603 rule = __nf_tables_rule_lookup(chain, handle);
1605 return PTR_ERR(rule);
1607 if (nlh->nlmsg_flags & NLM_F_EXCL)
1609 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1614 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1616 handle = nf_tables_alloc_handle(table);
1619 if (nla[NFTA_RULE_POSITION]) {
1620 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1623 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1624 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1625 if (IS_ERR(old_rule))
1626 return PTR_ERR(old_rule);
1629 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1633 if (nla[NFTA_RULE_EXPRESSIONS]) {
1634 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1636 if (nla_type(tmp) != NFTA_LIST_ELEM)
1638 if (n == NFT_RULE_MAXEXPRS)
1640 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1643 size += info[n].ops->size;
1649 rule = kzalloc(sizeof(*rule) + size, GFP_KERNEL);
1653 nft_rule_activate_next(net, rule);
1655 rule->handle = handle;
1658 expr = nft_expr_first(rule);
1659 for (i = 0; i < n; i++) {
1660 err = nf_tables_newexpr(&ctx, &info[i], expr);
1664 expr = nft_expr_next(expr);
1667 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1668 if (nft_rule_is_active_next(net, old_rule)) {
1669 repl = nf_tables_trans_add(old_rule, &ctx);
1674 nft_rule_disactivate_next(net, old_rule);
1675 list_add_tail(&rule->list, &old_rule->list);
1680 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1682 list_add_rcu(&rule->list, &old_rule->list);
1684 list_add_tail_rcu(&rule->list, &chain->rules);
1687 list_add_tail_rcu(&rule->list, &old_rule->list);
1689 list_add_rcu(&rule->list, &chain->rules);
1692 if (nf_tables_trans_add(rule, &ctx) == NULL) {
1699 list_del_rcu(&rule->list);
1701 list_del_rcu(&repl->rule->list);
1702 list_del(&repl->list);
1703 nft_rule_clear(net, repl->rule);
1707 nf_tables_rule_destroy(rule);
1709 for (i = 0; i < n; i++) {
1710 if (info[i].ops != NULL)
1711 module_put(info[i].ops->type->owner);
1717 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1719 /* You cannot delete the same rule twice */
1720 if (nft_rule_is_active_next(ctx->net, rule)) {
1721 if (nf_tables_trans_add(rule, ctx) == NULL)
1723 nft_rule_disactivate_next(ctx->net, rule);
1729 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1731 struct nft_rule *rule;
1734 list_for_each_entry(rule, &ctx->chain->rules, list) {
1735 err = nf_tables_delrule_one(ctx, rule);
1742 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1743 const struct nlmsghdr *nlh,
1744 const struct nlattr * const nla[])
1746 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1747 const struct nft_af_info *afi;
1748 struct net *net = sock_net(skb->sk);
1749 const struct nft_table *table;
1750 struct nft_chain *chain = NULL;
1751 struct nft_rule *rule;
1752 int family = nfmsg->nfgen_family, err = 0;
1755 afi = nf_tables_afinfo_lookup(net, family, false);
1757 return PTR_ERR(afi);
1759 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1761 return PTR_ERR(table);
1763 if (nla[NFTA_RULE_CHAIN]) {
1764 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1766 return PTR_ERR(chain);
1769 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1772 if (nla[NFTA_RULE_HANDLE]) {
1773 rule = nf_tables_rule_lookup(chain,
1774 nla[NFTA_RULE_HANDLE]);
1776 return PTR_ERR(rule);
1778 err = nf_tables_delrule_one(&ctx, rule);
1780 err = nf_table_delrule_by_chain(&ctx);
1783 list_for_each_entry(chain, &table->chains, list) {
1785 err = nf_table_delrule_by_chain(&ctx);
1794 static int nf_tables_commit(struct sk_buff *skb)
1796 struct net *net = sock_net(skb->sk);
1797 struct nft_rule_trans *rupd, *tmp;
1799 /* Bump generation counter, invalidate any dump in progress */
1802 /* A new generation has just started */
1803 net->nft.gencursor = gencursor_next(net);
1805 /* Make sure all packets have left the previous generation before
1806 * purging old rules.
1810 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1811 /* Delete this rule from the dirty list */
1812 list_del(&rupd->list);
1814 /* This rule was inactive in the past and just became active.
1815 * Clear the next bit of the genmask since its meaning has
1816 * changed, now it is the future.
1818 if (nft_rule_is_active(net, rupd->rule)) {
1819 nft_rule_clear(net, rupd->rule);
1820 nf_tables_rule_notify(skb, rupd->nlh, rupd->table,
1821 rupd->chain, rupd->rule,
1828 /* This rule is in the past, get rid of it */
1829 list_del_rcu(&rupd->rule->list);
1830 nf_tables_rule_notify(skb, rupd->nlh, rupd->table, rupd->chain,
1831 rupd->rule, NFT_MSG_DELRULE, 0,
1833 nf_tables_rule_destroy(rupd->rule);
1840 static int nf_tables_abort(struct sk_buff *skb)
1842 struct net *net = sock_net(skb->sk);
1843 struct nft_rule_trans *rupd, *tmp;
1845 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1846 /* Delete all rules from the dirty list */
1847 list_del(&rupd->list);
1849 if (!nft_rule_is_active_next(net, rupd->rule)) {
1850 nft_rule_clear(net, rupd->rule);
1855 /* This rule is inactive, get rid of it */
1856 list_del_rcu(&rupd->rule->list);
1857 nf_tables_rule_destroy(rupd->rule);
1867 static LIST_HEAD(nf_tables_set_ops);
1869 int nft_register_set(struct nft_set_ops *ops)
1871 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1872 list_add_tail(&ops->list, &nf_tables_set_ops);
1873 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1876 EXPORT_SYMBOL_GPL(nft_register_set);
1878 void nft_unregister_set(struct nft_set_ops *ops)
1880 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1881 list_del(&ops->list);
1882 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1884 EXPORT_SYMBOL_GPL(nft_unregister_set);
1886 static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const nla[])
1888 const struct nft_set_ops *ops;
1891 #ifdef CONFIG_MODULES
1892 if (list_empty(&nf_tables_set_ops)) {
1893 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1894 request_module("nft-set");
1895 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1896 if (!list_empty(&nf_tables_set_ops))
1897 return ERR_PTR(-EAGAIN);
1901 if (nla[NFTA_SET_FLAGS] != NULL) {
1902 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1903 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1906 // FIXME: implement selection properly
1907 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1908 if ((ops->features & features) != features)
1910 if (!try_module_get(ops->owner))
1915 return ERR_PTR(-EOPNOTSUPP);
1918 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1919 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1920 [NFTA_SET_NAME] = { .type = NLA_STRING },
1921 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1922 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1923 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1924 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1925 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1928 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1929 const struct sk_buff *skb,
1930 const struct nlmsghdr *nlh,
1931 const struct nlattr * const nla[])
1933 struct net *net = sock_net(skb->sk);
1934 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1935 const struct nft_af_info *afi = NULL;
1936 const struct nft_table *table = NULL;
1938 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
1939 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1941 return PTR_ERR(afi);
1944 if (nla[NFTA_SET_TABLE] != NULL) {
1945 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
1947 return PTR_ERR(table);
1950 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
1954 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1955 const struct nlattr *nla)
1957 struct nft_set *set;
1960 return ERR_PTR(-EINVAL);
1962 list_for_each_entry(set, &table->sets, list) {
1963 if (!nla_strcmp(nla, set->name))
1966 return ERR_PTR(-ENOENT);
1969 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
1972 const struct nft_set *i;
1974 unsigned long *inuse;
1977 p = strnchr(name, IFNAMSIZ, '%');
1979 if (p[1] != 'd' || strchr(p + 2, '%'))
1982 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
1986 list_for_each_entry(i, &ctx->table->sets, list) {
1989 if (!sscanf(i->name, name, &tmp))
1991 if (tmp < 0 || tmp > BITS_PER_LONG * PAGE_SIZE)
1994 set_bit(tmp, inuse);
1997 n = find_first_zero_bit(inuse, BITS_PER_LONG * PAGE_SIZE);
1998 free_page((unsigned long)inuse);
2001 snprintf(set->name, sizeof(set->name), name, n);
2002 list_for_each_entry(i, &ctx->table->sets, list) {
2003 if (!strcmp(set->name, i->name))
2009 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2010 const struct nft_set *set, u16 event, u16 flags)
2012 struct nfgenmsg *nfmsg;
2013 struct nlmsghdr *nlh;
2014 u32 portid = NETLINK_CB(ctx->skb).portid;
2015 u32 seq = ctx->nlh->nlmsg_seq;
2017 event |= NFNL_SUBSYS_NFTABLES << 8;
2018 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2021 goto nla_put_failure;
2023 nfmsg = nlmsg_data(nlh);
2024 nfmsg->nfgen_family = ctx->afi->family;
2025 nfmsg->version = NFNETLINK_V0;
2028 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2029 goto nla_put_failure;
2030 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2031 goto nla_put_failure;
2032 if (set->flags != 0)
2033 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2034 goto nla_put_failure;
2036 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2037 goto nla_put_failure;
2038 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2039 goto nla_put_failure;
2040 if (set->flags & NFT_SET_MAP) {
2041 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2042 goto nla_put_failure;
2043 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2044 goto nla_put_failure;
2047 return nlmsg_end(skb, nlh);
2050 nlmsg_trim(skb, nlh);
2054 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2055 const struct nft_set *set,
2058 struct sk_buff *skb;
2059 u32 portid = NETLINK_CB(ctx->skb).portid;
2063 report = nlmsg_report(ctx->nlh);
2064 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2068 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2072 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2078 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2082 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2086 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2087 struct netlink_callback *cb)
2089 const struct nft_set *set;
2090 unsigned int idx = 0, s_idx = cb->args[0];
2095 list_for_each_entry(set, &ctx->table->sets, list) {
2098 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2111 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2112 struct netlink_callback *cb)
2114 const struct nft_set *set;
2115 unsigned int idx, s_idx = cb->args[0];
2116 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2121 list_for_each_entry(table, &ctx->afi->tables, list) {
2123 if (cur_table != table)
2130 list_for_each_entry(set, &ctx->table->sets, list) {
2133 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2136 cb->args[2] = (unsigned long) table;
2148 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2149 struct netlink_callback *cb)
2151 const struct nft_set *set;
2152 unsigned int idx, s_idx = cb->args[0];
2153 const struct nft_af_info *afi;
2154 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2155 struct net *net = sock_net(skb->sk);
2156 int cur_family = cb->args[3];
2161 list_for_each_entry(afi, &net->nft.af_info, list) {
2163 if (afi->family != cur_family)
2169 list_for_each_entry(table, &afi->tables, list) {
2171 if (cur_table != table)
2180 list_for_each_entry(set, &ctx->table->sets, list) {
2183 if (nf_tables_fill_set(skb, ctx, set,
2187 cb->args[2] = (unsigned long) table;
2188 cb->args[3] = afi->family;
2203 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2205 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2206 struct nlattr *nla[NFTA_SET_MAX + 1];
2210 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2215 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2219 if (ctx.table == NULL) {
2220 if (ctx.afi == NULL)
2221 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2223 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2225 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2230 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2231 const struct nlmsghdr *nlh,
2232 const struct nlattr * const nla[])
2234 const struct nft_set *set;
2236 struct sk_buff *skb2;
2237 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2240 /* Verify existance before starting dump */
2241 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2245 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2246 struct netlink_dump_control c = {
2247 .dump = nf_tables_dump_sets,
2249 return netlink_dump_start(nlsk, skb, nlh, &c);
2252 /* Only accept unspec with dump */
2253 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2254 return -EAFNOSUPPORT;
2256 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2258 return PTR_ERR(set);
2260 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2264 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2268 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2275 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2276 const struct nlmsghdr *nlh,
2277 const struct nlattr * const nla[])
2279 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2280 const struct nft_set_ops *ops;
2281 const struct nft_af_info *afi;
2282 struct net *net = sock_net(skb->sk);
2283 struct nft_table *table;
2284 struct nft_set *set;
2286 char name[IFNAMSIZ];
2289 u32 ktype, klen, dlen, dtype, flags;
2292 if (nla[NFTA_SET_TABLE] == NULL ||
2293 nla[NFTA_SET_NAME] == NULL ||
2294 nla[NFTA_SET_KEY_LEN] == NULL)
2297 ktype = NFT_DATA_VALUE;
2298 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2299 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2300 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2304 klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2305 if (klen == 0 || klen > FIELD_SIZEOF(struct nft_data, data))
2309 if (nla[NFTA_SET_FLAGS] != NULL) {
2310 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2311 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2312 NFT_SET_INTERVAL | NFT_SET_MAP))
2318 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2319 if (!(flags & NFT_SET_MAP))
2322 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2323 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2324 dtype != NFT_DATA_VERDICT)
2327 if (dtype != NFT_DATA_VERDICT) {
2328 if (nla[NFTA_SET_DATA_LEN] == NULL)
2330 dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2332 dlen > FIELD_SIZEOF(struct nft_data, data))
2335 dlen = sizeof(struct nft_data);
2336 } else if (flags & NFT_SET_MAP)
2339 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2341 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2343 return PTR_ERR(afi);
2345 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2347 return PTR_ERR(table);
2349 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2351 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2353 if (PTR_ERR(set) != -ENOENT)
2354 return PTR_ERR(set);
2359 if (nlh->nlmsg_flags & NLM_F_EXCL)
2361 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2366 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2369 ops = nft_select_set_ops(nla);
2371 return PTR_ERR(ops);
2374 if (ops->privsize != NULL)
2375 size = ops->privsize(nla);
2378 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2382 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2383 err = nf_tables_set_alloc_name(&ctx, set, name);
2387 INIT_LIST_HEAD(&set->bindings);
2395 err = ops->init(set, nla);
2399 list_add_tail(&set->list, &table->sets);
2400 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2406 module_put(ops->owner);
2410 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2412 list_del(&set->list);
2413 if (!(set->flags & NFT_SET_ANONYMOUS))
2414 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2416 set->ops->destroy(set);
2417 module_put(set->ops->owner);
2421 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2422 const struct nlmsghdr *nlh,
2423 const struct nlattr * const nla[])
2425 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2426 struct nft_set *set;
2430 if (nla[NFTA_SET_TABLE] == NULL)
2433 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2437 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2438 return -EAFNOSUPPORT;
2440 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2442 return PTR_ERR(set);
2443 if (!list_empty(&set->bindings))
2446 nf_tables_set_destroy(&ctx, set);
2450 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2451 const struct nft_set *set,
2452 const struct nft_set_iter *iter,
2453 const struct nft_set_elem *elem)
2455 enum nft_registers dreg;
2457 dreg = nft_type_to_reg(set->dtype);
2458 return nft_validate_data_load(ctx, dreg, &elem->data,
2459 set->dtype == NFT_DATA_VERDICT ?
2460 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2463 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2464 struct nft_set_binding *binding)
2466 struct nft_set_binding *i;
2467 struct nft_set_iter iter;
2469 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2472 if (set->flags & NFT_SET_MAP) {
2473 /* If the set is already bound to the same chain all
2474 * jumps are already validated for that chain.
2476 list_for_each_entry(i, &set->bindings, list) {
2477 if (i->chain == binding->chain)
2484 iter.fn = nf_tables_bind_check_setelem;
2486 set->ops->walk(ctx, set, &iter);
2488 /* Destroy anonymous sets if binding fails */
2489 if (set->flags & NFT_SET_ANONYMOUS)
2490 nf_tables_set_destroy(ctx, set);
2496 binding->chain = ctx->chain;
2497 list_add_tail(&binding->list, &set->bindings);
2501 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2502 struct nft_set_binding *binding)
2504 list_del(&binding->list);
2506 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2507 nf_tables_set_destroy(ctx, set);
2514 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2515 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2516 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2517 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2520 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2521 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2522 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2523 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2526 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2527 const struct sk_buff *skb,
2528 const struct nlmsghdr *nlh,
2529 const struct nlattr * const nla[])
2531 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2532 const struct nft_af_info *afi;
2533 const struct nft_table *table;
2534 struct net *net = sock_net(skb->sk);
2536 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2538 return PTR_ERR(afi);
2540 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2542 return PTR_ERR(table);
2544 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2548 static int nf_tables_fill_setelem(struct sk_buff *skb,
2549 const struct nft_set *set,
2550 const struct nft_set_elem *elem)
2552 unsigned char *b = skb_tail_pointer(skb);
2553 struct nlattr *nest;
2555 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2557 goto nla_put_failure;
2559 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2561 goto nla_put_failure;
2563 if (set->flags & NFT_SET_MAP &&
2564 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2565 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2566 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2568 goto nla_put_failure;
2570 if (elem->flags != 0)
2571 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2572 goto nla_put_failure;
2574 nla_nest_end(skb, nest);
2582 struct nft_set_dump_args {
2583 const struct netlink_callback *cb;
2584 struct nft_set_iter iter;
2585 struct sk_buff *skb;
2588 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2589 const struct nft_set *set,
2590 const struct nft_set_iter *iter,
2591 const struct nft_set_elem *elem)
2593 struct nft_set_dump_args *args;
2595 args = container_of(iter, struct nft_set_dump_args, iter);
2596 return nf_tables_fill_setelem(args->skb, set, elem);
2599 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2601 const struct nft_set *set;
2602 struct nft_set_dump_args args;
2604 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2605 struct nfgenmsg *nfmsg;
2606 struct nlmsghdr *nlh;
2607 struct nlattr *nest;
2611 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2612 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2616 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2620 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2622 return PTR_ERR(set);
2624 event = NFT_MSG_NEWSETELEM;
2625 event |= NFNL_SUBSYS_NFTABLES << 8;
2626 portid = NETLINK_CB(cb->skb).portid;
2627 seq = cb->nlh->nlmsg_seq;
2629 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2632 goto nla_put_failure;
2634 nfmsg = nlmsg_data(nlh);
2635 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2636 nfmsg->version = NFNETLINK_V0;
2639 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2640 goto nla_put_failure;
2641 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2642 goto nla_put_failure;
2644 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2646 goto nla_put_failure;
2650 args.iter.skip = cb->args[0];
2651 args.iter.count = 0;
2653 args.iter.fn = nf_tables_dump_setelem;
2654 set->ops->walk(&ctx, set, &args.iter);
2656 nla_nest_end(skb, nest);
2657 nlmsg_end(skb, nlh);
2659 if (args.iter.err && args.iter.err != -EMSGSIZE)
2660 return args.iter.err;
2661 if (args.iter.count == cb->args[0])
2664 cb->args[0] = args.iter.count;
2671 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2672 const struct nlmsghdr *nlh,
2673 const struct nlattr * const nla[])
2675 const struct nft_set *set;
2679 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2683 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2685 return PTR_ERR(set);
2687 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2688 struct netlink_dump_control c = {
2689 .dump = nf_tables_dump_set,
2691 return netlink_dump_start(nlsk, skb, nlh, &c);
2696 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2697 const struct nlattr *attr)
2699 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2700 struct nft_data_desc d1, d2;
2701 struct nft_set_elem elem;
2702 struct nft_set_binding *binding;
2703 enum nft_registers dreg;
2706 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2707 nft_set_elem_policy);
2711 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2715 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2716 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2717 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2721 if (set->flags & NFT_SET_MAP) {
2722 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2723 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2726 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2730 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2734 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2738 if (set->ops->get(set, &elem) == 0)
2741 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2742 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2747 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2750 dreg = nft_type_to_reg(set->dtype);
2751 list_for_each_entry(binding, &set->bindings, list) {
2752 struct nft_ctx bind_ctx = {
2754 .table = ctx->table,
2755 .chain = binding->chain,
2758 err = nft_validate_data_load(&bind_ctx, dreg,
2759 &elem.data, d2.type);
2765 err = set->ops->insert(set, &elem);
2772 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2773 nft_data_uninit(&elem.data, d2.type);
2775 nft_data_uninit(&elem.key, d1.type);
2780 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2781 const struct nlmsghdr *nlh,
2782 const struct nlattr * const nla[])
2784 const struct nlattr *attr;
2785 struct nft_set *set;
2789 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2793 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2795 return PTR_ERR(set);
2796 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2799 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2800 err = nft_add_set_elem(&ctx, set, attr);
2807 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2808 const struct nlattr *attr)
2810 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2811 struct nft_data_desc desc;
2812 struct nft_set_elem elem;
2815 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2816 nft_set_elem_policy);
2821 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2824 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2829 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2832 err = set->ops->get(set, &elem);
2836 set->ops->remove(set, &elem);
2838 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2839 if (set->flags & NFT_SET_MAP)
2840 nft_data_uninit(&elem.data, set->dtype);
2843 nft_data_uninit(&elem.key, desc.type);
2848 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2849 const struct nlmsghdr *nlh,
2850 const struct nlattr * const nla[])
2852 const struct nlattr *attr;
2853 struct nft_set *set;
2857 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2861 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2863 return PTR_ERR(set);
2864 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2867 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2868 err = nft_del_setelem(&ctx, set, attr);
2875 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
2876 [NFT_MSG_NEWTABLE] = {
2877 .call = nf_tables_newtable,
2878 .attr_count = NFTA_TABLE_MAX,
2879 .policy = nft_table_policy,
2881 [NFT_MSG_GETTABLE] = {
2882 .call = nf_tables_gettable,
2883 .attr_count = NFTA_TABLE_MAX,
2884 .policy = nft_table_policy,
2886 [NFT_MSG_DELTABLE] = {
2887 .call = nf_tables_deltable,
2888 .attr_count = NFTA_TABLE_MAX,
2889 .policy = nft_table_policy,
2891 [NFT_MSG_NEWCHAIN] = {
2892 .call = nf_tables_newchain,
2893 .attr_count = NFTA_CHAIN_MAX,
2894 .policy = nft_chain_policy,
2896 [NFT_MSG_GETCHAIN] = {
2897 .call = nf_tables_getchain,
2898 .attr_count = NFTA_CHAIN_MAX,
2899 .policy = nft_chain_policy,
2901 [NFT_MSG_DELCHAIN] = {
2902 .call = nf_tables_delchain,
2903 .attr_count = NFTA_CHAIN_MAX,
2904 .policy = nft_chain_policy,
2906 [NFT_MSG_NEWRULE] = {
2907 .call_batch = nf_tables_newrule,
2908 .attr_count = NFTA_RULE_MAX,
2909 .policy = nft_rule_policy,
2911 [NFT_MSG_GETRULE] = {
2912 .call = nf_tables_getrule,
2913 .attr_count = NFTA_RULE_MAX,
2914 .policy = nft_rule_policy,
2916 [NFT_MSG_DELRULE] = {
2917 .call_batch = nf_tables_delrule,
2918 .attr_count = NFTA_RULE_MAX,
2919 .policy = nft_rule_policy,
2921 [NFT_MSG_NEWSET] = {
2922 .call = nf_tables_newset,
2923 .attr_count = NFTA_SET_MAX,
2924 .policy = nft_set_policy,
2926 [NFT_MSG_GETSET] = {
2927 .call = nf_tables_getset,
2928 .attr_count = NFTA_SET_MAX,
2929 .policy = nft_set_policy,
2931 [NFT_MSG_DELSET] = {
2932 .call = nf_tables_delset,
2933 .attr_count = NFTA_SET_MAX,
2934 .policy = nft_set_policy,
2936 [NFT_MSG_NEWSETELEM] = {
2937 .call = nf_tables_newsetelem,
2938 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2939 .policy = nft_set_elem_list_policy,
2941 [NFT_MSG_GETSETELEM] = {
2942 .call = nf_tables_getsetelem,
2943 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2944 .policy = nft_set_elem_list_policy,
2946 [NFT_MSG_DELSETELEM] = {
2947 .call = nf_tables_delsetelem,
2948 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2949 .policy = nft_set_elem_list_policy,
2953 static const struct nfnetlink_subsystem nf_tables_subsys = {
2954 .name = "nf_tables",
2955 .subsys_id = NFNL_SUBSYS_NFTABLES,
2956 .cb_count = NFT_MSG_MAX,
2958 .commit = nf_tables_commit,
2959 .abort = nf_tables_abort,
2963 * Loop detection - walk through the ruleset beginning at the destination chain
2964 * of a new jump until either the source chain is reached (loop) or all
2965 * reachable chains have been traversed.
2967 * The loop check is performed whenever a new jump verdict is added to an
2968 * expression or verdict map or a verdict map is bound to a new chain.
2971 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2972 const struct nft_chain *chain);
2974 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
2975 const struct nft_set *set,
2976 const struct nft_set_iter *iter,
2977 const struct nft_set_elem *elem)
2979 switch (elem->data.verdict) {
2982 return nf_tables_check_loops(ctx, elem->data.chain);
2988 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2989 const struct nft_chain *chain)
2991 const struct nft_rule *rule;
2992 const struct nft_expr *expr, *last;
2993 const struct nft_set *set;
2994 struct nft_set_binding *binding;
2995 struct nft_set_iter iter;
2997 if (ctx->chain == chain)
3000 list_for_each_entry(rule, &chain->rules, list) {
3001 nft_rule_for_each_expr(expr, last, rule) {
3002 const struct nft_data *data = NULL;
3005 if (!expr->ops->validate)
3008 err = expr->ops->validate(ctx, expr, &data);
3015 switch (data->verdict) {
3018 err = nf_tables_check_loops(ctx, data->chain);
3027 list_for_each_entry(set, &ctx->table->sets, list) {
3028 if (!(set->flags & NFT_SET_MAP) ||
3029 set->dtype != NFT_DATA_VERDICT)
3032 list_for_each_entry(binding, &set->bindings, list) {
3033 if (binding->chain != chain)
3039 iter.fn = nf_tables_loop_check_setelem;
3041 set->ops->walk(ctx, set, &iter);
3051 * nft_validate_input_register - validate an expressions' input register
3053 * @reg: the register number
3055 * Validate that the input register is one of the general purpose
3058 int nft_validate_input_register(enum nft_registers reg)
3060 if (reg <= NFT_REG_VERDICT)
3062 if (reg > NFT_REG_MAX)
3066 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3069 * nft_validate_output_register - validate an expressions' output register
3071 * @reg: the register number
3073 * Validate that the output register is one of the general purpose
3074 * registers or the verdict register.
3076 int nft_validate_output_register(enum nft_registers reg)
3078 if (reg < NFT_REG_VERDICT)
3080 if (reg > NFT_REG_MAX)
3084 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3087 * nft_validate_data_load - validate an expressions' data load
3089 * @ctx: context of the expression performing the load
3090 * @reg: the destination register number
3091 * @data: the data to load
3092 * @type: the data type
3094 * Validate that a data load uses the appropriate data type for
3095 * the destination register. A value of NULL for the data means
3096 * that its runtime gathered data, which is always of type
3099 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3100 const struct nft_data *data,
3101 enum nft_data_types type)
3106 case NFT_REG_VERDICT:
3107 if (data == NULL || type != NFT_DATA_VERDICT)
3110 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3111 err = nf_tables_check_loops(ctx, data->chain);
3115 if (ctx->chain->level + 1 > data->chain->level) {
3116 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3118 data->chain->level = ctx->chain->level + 1;
3124 if (data != NULL && type != NFT_DATA_VALUE)
3129 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3131 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3132 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3133 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3134 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3137 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3138 struct nft_data_desc *desc, const struct nlattr *nla)
3140 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3141 struct nft_chain *chain;
3144 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3148 if (!tb[NFTA_VERDICT_CODE])
3150 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3152 switch (data->verdict) {
3159 desc->len = sizeof(data->verdict);
3163 if (!tb[NFTA_VERDICT_CHAIN])
3165 chain = nf_tables_chain_lookup(ctx->table,
3166 tb[NFTA_VERDICT_CHAIN]);
3168 return PTR_ERR(chain);
3169 if (chain->flags & NFT_BASE_CHAIN)
3173 data->chain = chain;
3174 desc->len = sizeof(data);
3180 desc->type = NFT_DATA_VERDICT;
3184 static void nft_verdict_uninit(const struct nft_data *data)
3186 switch (data->verdict) {
3194 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3196 struct nlattr *nest;
3198 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3200 goto nla_put_failure;
3202 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3203 goto nla_put_failure;
3205 switch (data->verdict) {
3208 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3209 goto nla_put_failure;
3211 nla_nest_end(skb, nest);
3218 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3219 struct nft_data_desc *desc, const struct nlattr *nla)
3226 if (len > sizeof(data->data))
3229 nla_memcpy(data->data, nla, sizeof(data->data));
3230 desc->type = NFT_DATA_VALUE;
3235 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3238 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3241 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3242 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3243 .len = FIELD_SIZEOF(struct nft_data, data) },
3244 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3248 * nft_data_init - parse nf_tables data netlink attributes
3250 * @ctx: context of the expression using the data
3251 * @data: destination struct nft_data
3252 * @desc: data description
3253 * @nla: netlink attribute containing data
3255 * Parse the netlink data attributes and initialize a struct nft_data.
3256 * The type and length of data are returned in the data description.
3258 * The caller can indicate that it only wants to accept data of type
3259 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3261 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3262 struct nft_data_desc *desc, const struct nlattr *nla)
3264 struct nlattr *tb[NFTA_DATA_MAX + 1];
3267 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3271 if (tb[NFTA_DATA_VALUE])
3272 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3273 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3274 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3277 EXPORT_SYMBOL_GPL(nft_data_init);
3280 * nft_data_uninit - release a nft_data item
3282 * @data: struct nft_data to release
3283 * @type: type of data
3285 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3286 * all others need to be released by calling this function.
3288 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3291 case NFT_DATA_VALUE:
3293 case NFT_DATA_VERDICT:
3294 return nft_verdict_uninit(data);
3299 EXPORT_SYMBOL_GPL(nft_data_uninit);
3301 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3302 enum nft_data_types type, unsigned int len)
3304 struct nlattr *nest;
3307 nest = nla_nest_start(skb, attr);
3312 case NFT_DATA_VALUE:
3313 err = nft_value_dump(skb, data, len);
3315 case NFT_DATA_VERDICT:
3316 err = nft_verdict_dump(skb, data);
3323 nla_nest_end(skb, nest);
3326 EXPORT_SYMBOL_GPL(nft_data_dump);
3328 static int nf_tables_init_net(struct net *net)
3330 INIT_LIST_HEAD(&net->nft.af_info);
3331 INIT_LIST_HEAD(&net->nft.commit_list);
3335 static struct pernet_operations nf_tables_net_ops = {
3336 .init = nf_tables_init_net,
3339 static int __init nf_tables_module_init(void)
3343 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3350 err = nf_tables_core_module_init();
3354 err = nfnetlink_subsys_register(&nf_tables_subsys);
3358 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3359 return register_pernet_subsys(&nf_tables_net_ops);
3361 nf_tables_core_module_exit();
3368 static void __exit nf_tables_module_exit(void)
3370 unregister_pernet_subsys(&nf_tables_net_ops);
3371 nfnetlink_subsys_unregister(&nf_tables_subsys);
3372 nf_tables_core_module_exit();
3376 module_init(nf_tables_module_init);
3377 module_exit(nf_tables_module_exit);
3379 MODULE_LICENSE("GPL");
3380 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3381 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / karo-tx-linux.git / blob