2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
54 list_del_rcu(&afi->list);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
104 ctx->portid = NETLINK_CB(skb).portid;
105 ctx->report = nlmsg_report(nlh);
106 ctx->seq = nlh->nlmsg_seq;
109 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
112 struct nft_trans *trans;
114 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
118 trans->msg_type = msg_type;
124 static void nft_trans_destroy(struct nft_trans *trans)
126 list_del(&trans->list);
134 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
135 const struct nlattr *nla)
137 struct nft_table *table;
139 list_for_each_entry(table, &afi->tables, list) {
140 if (!nla_strcmp(nla, table->name))
146 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
147 const struct nlattr *nla)
149 struct nft_table *table;
152 return ERR_PTR(-EINVAL);
154 table = nft_table_lookup(afi, nla);
158 return ERR_PTR(-ENOENT);
161 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
163 return ++table->hgenerator;
166 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
168 static const struct nf_chain_type *
169 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
173 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
174 if (chain_type[family][i] != NULL &&
175 !nla_strcmp(nla, chain_type[family][i]->name))
176 return chain_type[family][i];
181 static const struct nf_chain_type *
182 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
183 const struct nlattr *nla,
186 const struct nf_chain_type *type;
188 type = __nf_tables_chain_type_lookup(afi->family, nla);
191 #ifdef CONFIG_MODULES
193 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
194 request_module("nft-chain-%u-%.*s", afi->family,
195 nla_len(nla), (const char *)nla_data(nla));
196 nfnl_lock(NFNL_SUBSYS_NFTABLES);
197 type = __nf_tables_chain_type_lookup(afi->family, nla);
199 return ERR_PTR(-EAGAIN);
202 return ERR_PTR(-ENOENT);
205 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
206 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
207 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
210 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
211 int event, u32 flags, int family,
212 const struct nft_table *table)
214 struct nlmsghdr *nlh;
215 struct nfgenmsg *nfmsg;
217 event |= NFNL_SUBSYS_NFTABLES << 8;
218 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
220 goto nla_put_failure;
222 nfmsg = nlmsg_data(nlh);
223 nfmsg->nfgen_family = family;
224 nfmsg->version = NFNETLINK_V0;
227 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
228 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
229 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
230 goto nla_put_failure;
232 return nlmsg_end(skb, nlh);
235 nlmsg_trim(skb, nlh);
239 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
245 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
249 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
253 err = nf_tables_fill_table_info(skb, ctx->portid, ctx->seq, event, 0,
254 ctx->afi->family, ctx->table);
260 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
261 ctx->report, GFP_KERNEL);
264 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
270 static int nf_tables_dump_tables(struct sk_buff *skb,
271 struct netlink_callback *cb)
273 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
274 const struct nft_af_info *afi;
275 const struct nft_table *table;
276 unsigned int idx = 0, s_idx = cb->args[0];
277 struct net *net = sock_net(skb->sk);
278 int family = nfmsg->nfgen_family;
281 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
282 if (family != NFPROTO_UNSPEC && family != afi->family)
285 list_for_each_entry_rcu(table, &afi->tables, list) {
289 memset(&cb->args[1], 0,
290 sizeof(cb->args) - sizeof(cb->args[0]));
291 if (nf_tables_fill_table_info(skb,
292 NETLINK_CB(cb->skb).portid,
296 afi->family, table) < 0)
308 /* Internal table flags */
309 #define NFT_TABLE_INACTIVE (1 << 15)
311 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
312 const struct nlmsghdr *nlh,
313 const struct nlattr * const nla[])
315 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
316 const struct nft_af_info *afi;
317 const struct nft_table *table;
318 struct sk_buff *skb2;
319 struct net *net = sock_net(skb->sk);
320 int family = nfmsg->nfgen_family;
323 if (nlh->nlmsg_flags & NLM_F_DUMP) {
324 struct netlink_dump_control c = {
325 .dump = nf_tables_dump_tables,
327 return netlink_dump_start(nlsk, skb, nlh, &c);
330 afi = nf_tables_afinfo_lookup(net, family, false);
334 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
336 return PTR_ERR(table);
337 if (table->flags & NFT_TABLE_INACTIVE)
340 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
344 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
345 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
350 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
357 static int nf_tables_table_enable(const struct nft_af_info *afi,
358 struct nft_table *table)
360 struct nft_chain *chain;
363 list_for_each_entry(chain, &table->chains, list) {
364 if (!(chain->flags & NFT_BASE_CHAIN))
367 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
375 list_for_each_entry(chain, &table->chains, list) {
376 if (!(chain->flags & NFT_BASE_CHAIN))
382 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
387 static void nf_tables_table_disable(const struct nft_af_info *afi,
388 struct nft_table *table)
390 struct nft_chain *chain;
392 list_for_each_entry(chain, &table->chains, list) {
393 if (chain->flags & NFT_BASE_CHAIN)
394 nf_unregister_hooks(nft_base_chain(chain)->ops,
399 static int nf_tables_updtable(struct nft_ctx *ctx)
401 struct nft_trans *trans;
405 if (!ctx->nla[NFTA_TABLE_FLAGS])
408 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
409 if (flags & ~NFT_TABLE_F_DORMANT)
412 if (flags == ctx->table->flags)
415 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
416 sizeof(struct nft_trans_table));
420 if ((flags & NFT_TABLE_F_DORMANT) &&
421 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
422 nft_trans_table_enable(trans) = false;
423 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
424 ctx->table->flags & NFT_TABLE_F_DORMANT) {
425 ret = nf_tables_table_enable(ctx->afi, ctx->table);
427 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
428 nft_trans_table_enable(trans) = true;
434 nft_trans_table_update(trans) = true;
435 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
438 nft_trans_destroy(trans);
442 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
444 struct nft_trans *trans;
446 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
450 if (msg_type == NFT_MSG_NEWTABLE)
451 ctx->table->flags |= NFT_TABLE_INACTIVE;
453 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
457 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
458 const struct nlmsghdr *nlh,
459 const struct nlattr * const nla[])
461 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
462 const struct nlattr *name;
463 struct nft_af_info *afi;
464 struct nft_table *table;
465 struct net *net = sock_net(skb->sk);
466 int family = nfmsg->nfgen_family;
471 afi = nf_tables_afinfo_lookup(net, family, true);
475 name = nla[NFTA_TABLE_NAME];
476 table = nf_tables_table_lookup(afi, name);
478 if (PTR_ERR(table) != -ENOENT)
479 return PTR_ERR(table);
484 if (table->flags & NFT_TABLE_INACTIVE)
486 if (nlh->nlmsg_flags & NLM_F_EXCL)
488 if (nlh->nlmsg_flags & NLM_F_REPLACE)
491 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
492 return nf_tables_updtable(&ctx);
495 if (nla[NFTA_TABLE_FLAGS]) {
496 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
497 if (flags & ~NFT_TABLE_F_DORMANT)
501 if (!try_module_get(afi->owner))
502 return -EAFNOSUPPORT;
504 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
506 module_put(afi->owner);
510 nla_strlcpy(table->name, name, nla_len(name));
511 INIT_LIST_HEAD(&table->chains);
512 INIT_LIST_HEAD(&table->sets);
513 table->flags = flags;
515 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
516 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
519 module_put(afi->owner);
522 list_add_tail_rcu(&table->list, &afi->tables);
526 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
527 const struct nlmsghdr *nlh,
528 const struct nlattr * const nla[])
530 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
531 struct nft_af_info *afi;
532 struct nft_table *table;
533 struct net *net = sock_net(skb->sk);
534 int family = nfmsg->nfgen_family, err;
537 afi = nf_tables_afinfo_lookup(net, family, false);
541 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
543 return PTR_ERR(table);
544 if (table->flags & NFT_TABLE_INACTIVE)
549 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
550 err = nft_trans_table_add(&ctx, NFT_MSG_DELTABLE);
554 list_del_rcu(&table->list);
558 static void nf_tables_table_destroy(struct nft_ctx *ctx)
560 BUG_ON(ctx->table->use > 0);
563 module_put(ctx->afi->owner);
566 int nft_register_chain_type(const struct nf_chain_type *ctype)
570 nfnl_lock(NFNL_SUBSYS_NFTABLES);
571 if (chain_type[ctype->family][ctype->type] != NULL) {
575 chain_type[ctype->family][ctype->type] = ctype;
577 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
580 EXPORT_SYMBOL_GPL(nft_register_chain_type);
582 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
584 nfnl_lock(NFNL_SUBSYS_NFTABLES);
585 chain_type[ctype->family][ctype->type] = NULL;
586 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
588 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
594 static struct nft_chain *
595 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
597 struct nft_chain *chain;
599 list_for_each_entry(chain, &table->chains, list) {
600 if (chain->handle == handle)
604 return ERR_PTR(-ENOENT);
607 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
608 const struct nlattr *nla)
610 struct nft_chain *chain;
613 return ERR_PTR(-EINVAL);
615 list_for_each_entry(chain, &table->chains, list) {
616 if (!nla_strcmp(nla, chain->name))
620 return ERR_PTR(-ENOENT);
623 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
624 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
625 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
626 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
627 .len = NFT_CHAIN_MAXNAMELEN - 1 },
628 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
629 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
630 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
631 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
634 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
635 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
636 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
639 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
641 struct nft_stats *cpu_stats, total;
645 memset(&total, 0, sizeof(total));
646 for_each_possible_cpu(cpu) {
647 cpu_stats = per_cpu_ptr(stats, cpu);
648 total.pkts += cpu_stats->pkts;
649 total.bytes += cpu_stats->bytes;
651 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
653 goto nla_put_failure;
655 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
656 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
657 goto nla_put_failure;
659 nla_nest_end(skb, nest);
666 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
667 int event, u32 flags, int family,
668 const struct nft_table *table,
669 const struct nft_chain *chain)
671 struct nlmsghdr *nlh;
672 struct nfgenmsg *nfmsg;
674 event |= NFNL_SUBSYS_NFTABLES << 8;
675 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
677 goto nla_put_failure;
679 nfmsg = nlmsg_data(nlh);
680 nfmsg->nfgen_family = family;
681 nfmsg->version = NFNETLINK_V0;
684 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
685 goto nla_put_failure;
686 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
687 goto nla_put_failure;
688 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
689 goto nla_put_failure;
691 if (chain->flags & NFT_BASE_CHAIN) {
692 const struct nft_base_chain *basechain = nft_base_chain(chain);
693 const struct nf_hook_ops *ops = &basechain->ops[0];
696 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
698 goto nla_put_failure;
699 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
700 goto nla_put_failure;
701 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
702 goto nla_put_failure;
703 nla_nest_end(skb, nest);
705 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
706 htonl(basechain->policy)))
707 goto nla_put_failure;
709 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
710 goto nla_put_failure;
712 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
713 goto nla_put_failure;
716 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
717 goto nla_put_failure;
719 return nlmsg_end(skb, nlh);
722 nlmsg_trim(skb, nlh);
726 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
732 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
736 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
740 err = nf_tables_fill_chain_info(skb, ctx->portid, ctx->seq, event, 0,
741 ctx->afi->family, ctx->table,
748 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
749 ctx->report, GFP_KERNEL);
752 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
758 static int nf_tables_dump_chains(struct sk_buff *skb,
759 struct netlink_callback *cb)
761 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
762 const struct nft_af_info *afi;
763 const struct nft_table *table;
764 const struct nft_chain *chain;
765 unsigned int idx = 0, s_idx = cb->args[0];
766 struct net *net = sock_net(skb->sk);
767 int family = nfmsg->nfgen_family;
770 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
771 if (family != NFPROTO_UNSPEC && family != afi->family)
774 list_for_each_entry_rcu(table, &afi->tables, list) {
775 list_for_each_entry_rcu(chain, &table->chains, list) {
779 memset(&cb->args[1], 0,
780 sizeof(cb->args) - sizeof(cb->args[0]));
781 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
785 afi->family, table, chain) < 0)
798 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
799 const struct nlmsghdr *nlh,
800 const struct nlattr * const nla[])
802 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
803 const struct nft_af_info *afi;
804 const struct nft_table *table;
805 const struct nft_chain *chain;
806 struct sk_buff *skb2;
807 struct net *net = sock_net(skb->sk);
808 int family = nfmsg->nfgen_family;
811 if (nlh->nlmsg_flags & NLM_F_DUMP) {
812 struct netlink_dump_control c = {
813 .dump = nf_tables_dump_chains,
815 return netlink_dump_start(nlsk, skb, nlh, &c);
818 afi = nf_tables_afinfo_lookup(net, family, false);
822 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
824 return PTR_ERR(table);
825 if (table->flags & NFT_TABLE_INACTIVE)
828 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
830 return PTR_ERR(chain);
831 if (chain->flags & NFT_CHAIN_INACTIVE)
834 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
838 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
839 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
840 family, table, chain);
844 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
851 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
852 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
853 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
856 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
858 struct nlattr *tb[NFTA_COUNTER_MAX+1];
859 struct nft_stats __percpu *newstats;
860 struct nft_stats *stats;
863 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
867 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
868 return ERR_PTR(-EINVAL);
870 newstats = alloc_percpu(struct nft_stats);
871 if (newstats == NULL)
872 return ERR_PTR(-ENOMEM);
874 /* Restore old counters on this cpu, no problem. Per-cpu statistics
875 * are not exposed to userspace.
877 stats = this_cpu_ptr(newstats);
878 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
879 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
884 static void nft_chain_stats_replace(struct nft_base_chain *chain,
885 struct nft_stats __percpu *newstats)
888 struct nft_stats __percpu *oldstats =
889 nft_dereference(chain->stats);
891 rcu_assign_pointer(chain->stats, newstats);
893 free_percpu(oldstats);
895 rcu_assign_pointer(chain->stats, newstats);
898 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
900 struct nft_trans *trans;
902 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
906 if (msg_type == NFT_MSG_NEWCHAIN)
907 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
909 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
913 static void nf_tables_chain_destroy(struct nft_chain *chain)
915 BUG_ON(chain->use > 0);
917 if (chain->flags & NFT_BASE_CHAIN) {
918 module_put(nft_base_chain(chain)->type->owner);
919 free_percpu(nft_base_chain(chain)->stats);
920 kfree(nft_base_chain(chain));
926 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
927 const struct nlmsghdr *nlh,
928 const struct nlattr * const nla[])
930 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
931 const struct nlattr * uninitialized_var(name);
932 struct nft_af_info *afi;
933 struct nft_table *table;
934 struct nft_chain *chain;
935 struct nft_base_chain *basechain = NULL;
936 struct nlattr *ha[NFTA_HOOK_MAX + 1];
937 struct net *net = sock_net(skb->sk);
938 int family = nfmsg->nfgen_family;
939 u8 policy = NF_ACCEPT;
942 struct nft_stats __percpu *stats;
947 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
949 afi = nf_tables_afinfo_lookup(net, family, true);
953 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
955 return PTR_ERR(table);
958 name = nla[NFTA_CHAIN_NAME];
960 if (nla[NFTA_CHAIN_HANDLE]) {
961 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
962 chain = nf_tables_chain_lookup_byhandle(table, handle);
964 return PTR_ERR(chain);
966 chain = nf_tables_chain_lookup(table, name);
968 if (PTR_ERR(chain) != -ENOENT)
969 return PTR_ERR(chain);
974 if (nla[NFTA_CHAIN_POLICY]) {
975 if ((chain != NULL &&
976 !(chain->flags & NFT_BASE_CHAIN)) ||
977 nla[NFTA_CHAIN_HOOK] == NULL)
980 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
991 struct nft_stats *stats = NULL;
992 struct nft_trans *trans;
994 if (chain->flags & NFT_CHAIN_INACTIVE)
996 if (nlh->nlmsg_flags & NLM_F_EXCL)
998 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1001 if (nla[NFTA_CHAIN_HANDLE] && name &&
1002 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1005 if (nla[NFTA_CHAIN_COUNTERS]) {
1006 if (!(chain->flags & NFT_BASE_CHAIN))
1009 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1011 return PTR_ERR(stats);
1014 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1015 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1016 sizeof(struct nft_trans_chain));
1020 nft_trans_chain_stats(trans) = stats;
1021 nft_trans_chain_update(trans) = true;
1023 if (nla[NFTA_CHAIN_POLICY])
1024 nft_trans_chain_policy(trans) = policy;
1026 nft_trans_chain_policy(trans) = -1;
1028 if (nla[NFTA_CHAIN_HANDLE] && name) {
1029 nla_strlcpy(nft_trans_chain_name(trans), name,
1030 NFT_CHAIN_MAXNAMELEN);
1032 list_add_tail(&trans->list, &net->nft.commit_list);
1036 if (table->use == UINT_MAX)
1039 if (nla[NFTA_CHAIN_HOOK]) {
1040 const struct nf_chain_type *type;
1041 struct nf_hook_ops *ops;
1043 u32 hooknum, priority;
1045 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1046 if (nla[NFTA_CHAIN_TYPE]) {
1047 type = nf_tables_chain_type_lookup(afi,
1048 nla[NFTA_CHAIN_TYPE],
1051 return PTR_ERR(type);
1054 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1058 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1059 ha[NFTA_HOOK_PRIORITY] == NULL)
1062 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1063 if (hooknum >= afi->nhooks)
1065 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1067 if (!(type->hook_mask & (1 << hooknum)))
1069 if (!try_module_get(type->owner))
1071 hookfn = type->hooks[hooknum];
1073 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1074 if (basechain == NULL)
1077 if (nla[NFTA_CHAIN_COUNTERS]) {
1078 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1079 if (IS_ERR(stats)) {
1080 module_put(type->owner);
1082 return PTR_ERR(stats);
1084 basechain->stats = stats;
1086 stats = alloc_percpu(struct nft_stats);
1087 if (IS_ERR(stats)) {
1088 module_put(type->owner);
1090 return PTR_ERR(stats);
1092 rcu_assign_pointer(basechain->stats, stats);
1095 basechain->type = type;
1096 chain = &basechain->chain;
1098 for (i = 0; i < afi->nops; i++) {
1099 ops = &basechain->ops[i];
1101 ops->owner = afi->owner;
1102 ops->hooknum = hooknum;
1103 ops->priority = priority;
1105 ops->hook = afi->hooks[ops->hooknum];
1108 if (afi->hook_ops_init)
1109 afi->hook_ops_init(ops, i);
1112 chain->flags |= NFT_BASE_CHAIN;
1113 basechain->policy = policy;
1115 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1120 INIT_LIST_HEAD(&chain->rules);
1121 chain->handle = nf_tables_alloc_handle(table);
1123 chain->table = table;
1124 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1126 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1127 chain->flags & NFT_BASE_CHAIN) {
1128 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1133 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1134 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1139 list_add_tail_rcu(&chain->list, &table->chains);
1142 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1143 chain->flags & NFT_BASE_CHAIN) {
1144 nf_unregister_hooks(nft_base_chain(chain)->ops,
1148 nf_tables_chain_destroy(chain);
1152 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1153 const struct nlmsghdr *nlh,
1154 const struct nlattr * const nla[])
1156 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1157 struct nft_af_info *afi;
1158 struct nft_table *table;
1159 struct nft_chain *chain;
1160 struct net *net = sock_net(skb->sk);
1161 int family = nfmsg->nfgen_family;
1165 afi = nf_tables_afinfo_lookup(net, family, false);
1167 return PTR_ERR(afi);
1169 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1171 return PTR_ERR(table);
1172 if (table->flags & NFT_TABLE_INACTIVE)
1175 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1177 return PTR_ERR(chain);
1178 if (chain->flags & NFT_CHAIN_INACTIVE)
1183 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1184 err = nft_trans_chain_add(&ctx, NFT_MSG_DELCHAIN);
1189 list_del_rcu(&chain->list);
1198 * nft_register_expr - register nf_tables expr type
1201 * Registers the expr type for use with nf_tables. Returns zero on
1202 * success or a negative errno code otherwise.
1204 int nft_register_expr(struct nft_expr_type *type)
1206 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1207 if (type->family == NFPROTO_UNSPEC)
1208 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1210 list_add_rcu(&type->list, &nf_tables_expressions);
1211 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1214 EXPORT_SYMBOL_GPL(nft_register_expr);
1217 * nft_unregister_expr - unregister nf_tables expr type
1220 * Unregisters the expr typefor use with nf_tables.
1222 void nft_unregister_expr(struct nft_expr_type *type)
1224 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1225 list_del_rcu(&type->list);
1226 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1228 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1230 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1233 const struct nft_expr_type *type;
1235 list_for_each_entry(type, &nf_tables_expressions, list) {
1236 if (!nla_strcmp(nla, type->name) &&
1237 (!type->family || type->family == family))
1243 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1246 const struct nft_expr_type *type;
1249 return ERR_PTR(-EINVAL);
1251 type = __nft_expr_type_get(family, nla);
1252 if (type != NULL && try_module_get(type->owner))
1255 #ifdef CONFIG_MODULES
1257 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1258 request_module("nft-expr-%u-%.*s", family,
1259 nla_len(nla), (char *)nla_data(nla));
1260 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1261 if (__nft_expr_type_get(family, nla))
1262 return ERR_PTR(-EAGAIN);
1264 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1265 request_module("nft-expr-%.*s",
1266 nla_len(nla), (char *)nla_data(nla));
1267 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1268 if (__nft_expr_type_get(family, nla))
1269 return ERR_PTR(-EAGAIN);
1272 return ERR_PTR(-ENOENT);
1275 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1276 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1277 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1280 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1281 const struct nft_expr *expr)
1283 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1284 goto nla_put_failure;
1286 if (expr->ops->dump) {
1287 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1289 goto nla_put_failure;
1290 if (expr->ops->dump(skb, expr) < 0)
1291 goto nla_put_failure;
1292 nla_nest_end(skb, data);
1301 struct nft_expr_info {
1302 const struct nft_expr_ops *ops;
1303 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1306 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1307 const struct nlattr *nla,
1308 struct nft_expr_info *info)
1310 const struct nft_expr_type *type;
1311 const struct nft_expr_ops *ops;
1312 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1315 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1319 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1321 return PTR_ERR(type);
1323 if (tb[NFTA_EXPR_DATA]) {
1324 err = nla_parse_nested(info->tb, type->maxattr,
1325 tb[NFTA_EXPR_DATA], type->policy);
1329 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1331 if (type->select_ops != NULL) {
1332 ops = type->select_ops(ctx,
1333 (const struct nlattr * const *)info->tb);
1345 module_put(type->owner);
1349 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1350 const struct nft_expr_info *info,
1351 struct nft_expr *expr)
1353 const struct nft_expr_ops *ops = info->ops;
1358 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1370 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1371 struct nft_expr *expr)
1373 if (expr->ops->destroy)
1374 expr->ops->destroy(ctx, expr);
1375 module_put(expr->ops->type->owner);
1382 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1385 struct nft_rule *rule;
1387 // FIXME: this sucks
1388 list_for_each_entry(rule, &chain->rules, list) {
1389 if (handle == rule->handle)
1393 return ERR_PTR(-ENOENT);
1396 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1397 const struct nlattr *nla)
1400 return ERR_PTR(-EINVAL);
1402 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1405 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1406 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1407 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1408 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1409 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1410 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1411 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1412 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1413 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1414 .len = NFT_USERDATA_MAXLEN },
1417 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1418 int event, u32 flags, int family,
1419 const struct nft_table *table,
1420 const struct nft_chain *chain,
1421 const struct nft_rule *rule)
1423 struct nlmsghdr *nlh;
1424 struct nfgenmsg *nfmsg;
1425 const struct nft_expr *expr, *next;
1426 struct nlattr *list;
1427 const struct nft_rule *prule;
1428 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1430 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1433 goto nla_put_failure;
1435 nfmsg = nlmsg_data(nlh);
1436 nfmsg->nfgen_family = family;
1437 nfmsg->version = NFNETLINK_V0;
1440 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1441 goto nla_put_failure;
1442 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1443 goto nla_put_failure;
1444 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1445 goto nla_put_failure;
1447 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1448 prule = list_entry(rule->list.prev, struct nft_rule, list);
1449 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1450 cpu_to_be64(prule->handle)))
1451 goto nla_put_failure;
1454 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1456 goto nla_put_failure;
1457 nft_rule_for_each_expr(expr, next, rule) {
1458 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1460 goto nla_put_failure;
1461 if (nf_tables_fill_expr_info(skb, expr) < 0)
1462 goto nla_put_failure;
1463 nla_nest_end(skb, elem);
1465 nla_nest_end(skb, list);
1468 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1469 goto nla_put_failure;
1471 return nlmsg_end(skb, nlh);
1474 nlmsg_trim(skb, nlh);
1478 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1479 const struct nft_rule *rule,
1482 struct sk_buff *skb;
1486 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1490 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1494 err = nf_tables_fill_rule_info(skb, ctx->portid, ctx->seq, event, 0,
1495 ctx->afi->family, ctx->table,
1502 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1503 ctx->report, GFP_KERNEL);
1506 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1513 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1515 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1518 static inline int gencursor_next(struct net *net)
1520 return net->nft.gencursor+1 == 1 ? 1 : 0;
1524 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1526 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1530 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1532 /* Now inactive, will be active in the future */
1533 rule->genmask = (1 << net->nft.gencursor);
1537 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1539 rule->genmask = (1 << gencursor_next(net));
1542 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1547 static int nf_tables_dump_rules(struct sk_buff *skb,
1548 struct netlink_callback *cb)
1550 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1551 const struct nft_af_info *afi;
1552 const struct nft_table *table;
1553 const struct nft_chain *chain;
1554 const struct nft_rule *rule;
1555 unsigned int idx = 0, s_idx = cb->args[0];
1556 struct net *net = sock_net(skb->sk);
1557 int family = nfmsg->nfgen_family;
1558 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1559 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1562 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1563 if (family != NFPROTO_UNSPEC && family != afi->family)
1566 list_for_each_entry_rcu(table, &afi->tables, list) {
1567 list_for_each_entry_rcu(chain, &table->chains, list) {
1568 list_for_each_entry_rcu(rule, &chain->rules, list) {
1569 if (!nft_rule_is_active(net, rule))
1574 memset(&cb->args[1], 0,
1575 sizeof(cb->args) - sizeof(cb->args[0]));
1576 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1579 NLM_F_MULTI | NLM_F_APPEND,
1580 afi->family, table, chain, rule) < 0)
1591 /* Invalidate this dump, a transition to the new generation happened */
1592 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1599 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1600 const struct nlmsghdr *nlh,
1601 const struct nlattr * const nla[])
1603 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1604 const struct nft_af_info *afi;
1605 const struct nft_table *table;
1606 const struct nft_chain *chain;
1607 const struct nft_rule *rule;
1608 struct sk_buff *skb2;
1609 struct net *net = sock_net(skb->sk);
1610 int family = nfmsg->nfgen_family;
1613 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1614 struct netlink_dump_control c = {
1615 .dump = nf_tables_dump_rules,
1617 return netlink_dump_start(nlsk, skb, nlh, &c);
1620 afi = nf_tables_afinfo_lookup(net, family, false);
1622 return PTR_ERR(afi);
1624 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1626 return PTR_ERR(table);
1627 if (table->flags & NFT_TABLE_INACTIVE)
1630 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1632 return PTR_ERR(chain);
1633 if (chain->flags & NFT_CHAIN_INACTIVE)
1636 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1638 return PTR_ERR(rule);
1640 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1644 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1645 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1646 family, table, chain, rule);
1650 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1657 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1658 struct nft_rule *rule)
1660 struct nft_expr *expr;
1663 * Careful: some expressions might not be initialized in case this
1664 * is called on error from nf_tables_newrule().
1666 expr = nft_expr_first(rule);
1667 while (expr->ops && expr != nft_expr_last(rule)) {
1668 nf_tables_expr_destroy(ctx, expr);
1669 expr = nft_expr_next(expr);
1674 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
1675 struct nft_rule *rule)
1677 struct nft_trans *trans;
1679 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
1683 nft_trans_rule(trans) = rule;
1684 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1689 #define NFT_RULE_MAXEXPRS 128
1691 static struct nft_expr_info *info;
1693 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1694 const struct nlmsghdr *nlh,
1695 const struct nlattr * const nla[])
1697 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1698 struct nft_af_info *afi;
1699 struct net *net = sock_net(skb->sk);
1700 struct nft_table *table;
1701 struct nft_chain *chain;
1702 struct nft_rule *rule, *old_rule = NULL;
1703 struct nft_trans *trans = NULL;
1704 struct nft_expr *expr;
1707 unsigned int size, i, n, ulen = 0;
1710 u64 handle, pos_handle;
1712 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1714 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1716 return PTR_ERR(afi);
1718 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1720 return PTR_ERR(table);
1722 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1724 return PTR_ERR(chain);
1726 if (nla[NFTA_RULE_HANDLE]) {
1727 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1728 rule = __nf_tables_rule_lookup(chain, handle);
1730 return PTR_ERR(rule);
1732 if (nlh->nlmsg_flags & NLM_F_EXCL)
1734 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1739 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1741 handle = nf_tables_alloc_handle(table);
1743 if (chain->use == UINT_MAX)
1747 if (nla[NFTA_RULE_POSITION]) {
1748 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1751 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1752 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1753 if (IS_ERR(old_rule))
1754 return PTR_ERR(old_rule);
1757 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1761 if (nla[NFTA_RULE_EXPRESSIONS]) {
1762 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1764 if (nla_type(tmp) != NFTA_LIST_ELEM)
1766 if (n == NFT_RULE_MAXEXPRS)
1768 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1771 size += info[n].ops->size;
1776 if (nla[NFTA_RULE_USERDATA])
1777 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1780 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1784 nft_rule_activate_next(net, rule);
1786 rule->handle = handle;
1791 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1793 expr = nft_expr_first(rule);
1794 for (i = 0; i < n; i++) {
1795 err = nf_tables_newexpr(&ctx, &info[i], expr);
1799 expr = nft_expr_next(expr);
1802 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1803 if (nft_rule_is_active_next(net, old_rule)) {
1804 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
1806 if (trans == NULL) {
1810 nft_rule_disactivate_next(net, old_rule);
1812 list_add_tail_rcu(&rule->list, &old_rule->list);
1817 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1819 list_add_rcu(&rule->list, &old_rule->list);
1821 list_add_tail_rcu(&rule->list, &chain->rules);
1824 list_add_tail_rcu(&rule->list, &old_rule->list);
1826 list_add_rcu(&rule->list, &chain->rules);
1829 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
1837 list_del_rcu(&rule->list);
1839 list_del_rcu(&nft_trans_rule(trans)->list);
1840 nft_rule_clear(net, nft_trans_rule(trans));
1841 nft_trans_destroy(trans);
1845 nf_tables_rule_destroy(&ctx, rule);
1847 for (i = 0; i < n; i++) {
1848 if (info[i].ops != NULL)
1849 module_put(info[i].ops->type->owner);
1855 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1857 /* You cannot delete the same rule twice */
1858 if (nft_rule_is_active_next(ctx->net, rule)) {
1859 if (nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule) == NULL)
1861 nft_rule_disactivate_next(ctx->net, rule);
1868 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1870 struct nft_rule *rule;
1873 list_for_each_entry(rule, &ctx->chain->rules, list) {
1874 err = nf_tables_delrule_one(ctx, rule);
1881 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1882 const struct nlmsghdr *nlh,
1883 const struct nlattr * const nla[])
1885 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1886 struct nft_af_info *afi;
1887 struct net *net = sock_net(skb->sk);
1888 struct nft_table *table;
1889 struct nft_chain *chain = NULL;
1890 struct nft_rule *rule;
1891 int family = nfmsg->nfgen_family, err = 0;
1894 afi = nf_tables_afinfo_lookup(net, family, false);
1896 return PTR_ERR(afi);
1898 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1900 return PTR_ERR(table);
1901 if (table->flags & NFT_TABLE_INACTIVE)
1904 if (nla[NFTA_RULE_CHAIN]) {
1905 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1907 return PTR_ERR(chain);
1910 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1913 if (nla[NFTA_RULE_HANDLE]) {
1914 rule = nf_tables_rule_lookup(chain,
1915 nla[NFTA_RULE_HANDLE]);
1917 return PTR_ERR(rule);
1919 err = nf_tables_delrule_one(&ctx, rule);
1921 err = nf_table_delrule_by_chain(&ctx);
1924 list_for_each_entry(chain, &table->chains, list) {
1926 err = nf_table_delrule_by_chain(&ctx);
1939 static LIST_HEAD(nf_tables_set_ops);
1941 int nft_register_set(struct nft_set_ops *ops)
1943 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1944 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
1945 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1948 EXPORT_SYMBOL_GPL(nft_register_set);
1950 void nft_unregister_set(struct nft_set_ops *ops)
1952 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1953 list_del_rcu(&ops->list);
1954 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1956 EXPORT_SYMBOL_GPL(nft_unregister_set);
1959 * Select a set implementation based on the data characteristics and the
1960 * given policy. The total memory use might not be known if no size is
1961 * given, in that case the amount of memory per element is used.
1963 static const struct nft_set_ops *
1964 nft_select_set_ops(const struct nlattr * const nla[],
1965 const struct nft_set_desc *desc,
1966 enum nft_set_policies policy)
1968 const struct nft_set_ops *ops, *bops;
1969 struct nft_set_estimate est, best;
1972 #ifdef CONFIG_MODULES
1973 if (list_empty(&nf_tables_set_ops)) {
1974 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1975 request_module("nft-set");
1976 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1977 if (!list_empty(&nf_tables_set_ops))
1978 return ERR_PTR(-EAGAIN);
1982 if (nla[NFTA_SET_FLAGS] != NULL) {
1983 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1984 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1991 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1992 if ((ops->features & features) != features)
1994 if (!ops->estimate(desc, features, &est))
1998 case NFT_SET_POL_PERFORMANCE:
1999 if (est.class < best.class)
2001 if (est.class == best.class && est.size < best.size)
2004 case NFT_SET_POL_MEMORY:
2005 if (est.size < best.size)
2007 if (est.size == best.size && est.class < best.class)
2014 if (!try_module_get(ops->owner))
2017 module_put(bops->owner);
2026 return ERR_PTR(-EOPNOTSUPP);
2029 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2030 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2031 [NFTA_SET_NAME] = { .type = NLA_STRING,
2032 .len = IFNAMSIZ - 1 },
2033 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2034 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2035 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2036 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2037 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2038 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2039 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2040 [NFTA_SET_ID] = { .type = NLA_U32 },
2043 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2044 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2047 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
2048 const struct sk_buff *skb,
2049 const struct nlmsghdr *nlh,
2050 const struct nlattr * const nla[])
2052 struct net *net = sock_net(skb->sk);
2053 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2054 struct nft_af_info *afi = NULL;
2055 struct nft_table *table = NULL;
2057 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2058 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2060 return PTR_ERR(afi);
2063 if (nla[NFTA_SET_TABLE] != NULL) {
2065 return -EAFNOSUPPORT;
2067 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2069 return PTR_ERR(table);
2070 if (table->flags & NFT_TABLE_INACTIVE)
2074 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2078 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2079 const struct nlattr *nla)
2081 struct nft_set *set;
2084 return ERR_PTR(-EINVAL);
2086 list_for_each_entry(set, &table->sets, list) {
2087 if (!nla_strcmp(nla, set->name))
2090 return ERR_PTR(-ENOENT);
2093 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2094 const struct nlattr *nla)
2096 struct nft_trans *trans;
2097 u32 id = ntohl(nla_get_be32(nla));
2099 list_for_each_entry(trans, &net->nft.commit_list, list) {
2100 if (trans->msg_type == NFT_MSG_NEWSET &&
2101 id == nft_trans_set_id(trans))
2102 return nft_trans_set(trans);
2104 return ERR_PTR(-ENOENT);
2107 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2110 const struct nft_set *i;
2112 unsigned long *inuse;
2113 unsigned int n = 0, min = 0;
2115 p = strnchr(name, IFNAMSIZ, '%');
2117 if (p[1] != 'd' || strchr(p + 2, '%'))
2120 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2124 list_for_each_entry(i, &ctx->table->sets, list) {
2127 if (!sscanf(i->name, name, &tmp))
2129 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2132 set_bit(tmp - min, inuse);
2135 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2136 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2137 min += BITS_PER_BYTE * PAGE_SIZE;
2138 memset(inuse, 0, PAGE_SIZE);
2141 free_page((unsigned long)inuse);
2144 snprintf(set->name, sizeof(set->name), name, min + n);
2145 list_for_each_entry(i, &ctx->table->sets, list) {
2146 if (!strcmp(set->name, i->name))
2152 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2153 const struct nft_set *set, u16 event, u16 flags)
2155 struct nfgenmsg *nfmsg;
2156 struct nlmsghdr *nlh;
2157 struct nlattr *desc;
2158 u32 portid = ctx->portid;
2161 event |= NFNL_SUBSYS_NFTABLES << 8;
2162 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2165 goto nla_put_failure;
2167 nfmsg = nlmsg_data(nlh);
2168 nfmsg->nfgen_family = ctx->afi->family;
2169 nfmsg->version = NFNETLINK_V0;
2172 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2173 goto nla_put_failure;
2174 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2175 goto nla_put_failure;
2176 if (set->flags != 0)
2177 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2178 goto nla_put_failure;
2180 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2181 goto nla_put_failure;
2182 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2183 goto nla_put_failure;
2184 if (set->flags & NFT_SET_MAP) {
2185 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2186 goto nla_put_failure;
2187 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2188 goto nla_put_failure;
2191 desc = nla_nest_start(skb, NFTA_SET_DESC);
2193 goto nla_put_failure;
2195 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2196 goto nla_put_failure;
2197 nla_nest_end(skb, desc);
2199 return nlmsg_end(skb, nlh);
2202 nlmsg_trim(skb, nlh);
2206 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2207 const struct nft_set *set,
2208 int event, gfp_t gfp_flags)
2210 struct sk_buff *skb;
2211 u32 portid = ctx->portid;
2215 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2219 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2223 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2229 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2230 ctx->report, gfp_flags);
2233 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2237 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2238 struct netlink_callback *cb)
2240 const struct nft_set *set;
2241 unsigned int idx = 0, s_idx = cb->args[0];
2247 list_for_each_entry_rcu(set, &ctx->table->sets, list) {
2250 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2264 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2265 struct netlink_callback *cb)
2267 const struct nft_set *set;
2268 unsigned int idx, s_idx = cb->args[0];
2269 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2275 list_for_each_entry_rcu(table, &ctx->afi->tables, list) {
2277 if (cur_table != table)
2284 list_for_each_entry_rcu(set, &ctx->table->sets, list) {
2287 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2290 cb->args[2] = (unsigned long) table;
2303 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2304 struct netlink_callback *cb)
2306 const struct nft_set *set;
2307 unsigned int idx, s_idx = cb->args[0];
2308 struct nft_af_info *afi;
2309 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2310 struct net *net = sock_net(skb->sk);
2311 int cur_family = cb->args[3];
2317 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2319 if (afi->family != cur_family)
2325 list_for_each_entry_rcu(table, &afi->tables, list) {
2327 if (cur_table != table)
2336 list_for_each_entry_rcu(set, &ctx->table->sets, list) {
2339 if (nf_tables_fill_set(skb, ctx, set,
2343 cb->args[2] = (unsigned long) table;
2344 cb->args[3] = afi->family;
2360 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2362 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2363 struct nlattr *nla[NFTA_SET_MAX + 1];
2367 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2372 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2376 if (ctx.table == NULL) {
2377 if (ctx.afi == NULL)
2378 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2380 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2382 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2387 #define NFT_SET_INACTIVE (1 << 15) /* Internal set flag */
2389 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2390 const struct nlmsghdr *nlh,
2391 const struct nlattr * const nla[])
2393 const struct nft_set *set;
2395 struct sk_buff *skb2;
2396 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2399 /* Verify existance before starting dump */
2400 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2404 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2405 struct netlink_dump_control c = {
2406 .dump = nf_tables_dump_sets,
2408 return netlink_dump_start(nlsk, skb, nlh, &c);
2411 /* Only accept unspec with dump */
2412 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2413 return -EAFNOSUPPORT;
2415 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2417 return PTR_ERR(set);
2418 if (set->flags & NFT_SET_INACTIVE)
2421 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2425 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2429 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2436 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2437 struct nft_set_desc *desc,
2438 const struct nlattr *nla)
2440 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2443 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2447 if (da[NFTA_SET_DESC_SIZE] != NULL)
2448 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2453 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
2454 struct nft_set *set)
2456 struct nft_trans *trans;
2458 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
2462 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
2463 nft_trans_set_id(trans) =
2464 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
2465 set->flags |= NFT_SET_INACTIVE;
2467 nft_trans_set(trans) = set;
2468 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2473 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2474 const struct nlmsghdr *nlh,
2475 const struct nlattr * const nla[])
2477 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2478 const struct nft_set_ops *ops;
2479 struct nft_af_info *afi;
2480 struct net *net = sock_net(skb->sk);
2481 struct nft_table *table;
2482 struct nft_set *set;
2484 char name[IFNAMSIZ];
2487 u32 ktype, dtype, flags, policy;
2488 struct nft_set_desc desc;
2491 if (nla[NFTA_SET_TABLE] == NULL ||
2492 nla[NFTA_SET_NAME] == NULL ||
2493 nla[NFTA_SET_KEY_LEN] == NULL ||
2494 nla[NFTA_SET_ID] == NULL)
2497 memset(&desc, 0, sizeof(desc));
2499 ktype = NFT_DATA_VALUE;
2500 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2501 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2502 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2506 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2507 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2511 if (nla[NFTA_SET_FLAGS] != NULL) {
2512 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2513 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2514 NFT_SET_INTERVAL | NFT_SET_MAP))
2519 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2520 if (!(flags & NFT_SET_MAP))
2523 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2524 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2525 dtype != NFT_DATA_VERDICT)
2528 if (dtype != NFT_DATA_VERDICT) {
2529 if (nla[NFTA_SET_DATA_LEN] == NULL)
2531 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2532 if (desc.dlen == 0 ||
2533 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2536 desc.dlen = sizeof(struct nft_data);
2537 } else if (flags & NFT_SET_MAP)
2540 policy = NFT_SET_POL_PERFORMANCE;
2541 if (nla[NFTA_SET_POLICY] != NULL)
2542 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2544 if (nla[NFTA_SET_DESC] != NULL) {
2545 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2550 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2552 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2554 return PTR_ERR(afi);
2556 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2558 return PTR_ERR(table);
2560 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2562 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2564 if (PTR_ERR(set) != -ENOENT)
2565 return PTR_ERR(set);
2570 if (nlh->nlmsg_flags & NLM_F_EXCL)
2572 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2577 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2580 ops = nft_select_set_ops(nla, &desc, policy);
2582 return PTR_ERR(ops);
2585 if (ops->privsize != NULL)
2586 size = ops->privsize(nla);
2589 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2593 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2594 err = nf_tables_set_alloc_name(&ctx, set, name);
2598 INIT_LIST_HEAD(&set->bindings);
2601 set->klen = desc.klen;
2603 set->dlen = desc.dlen;
2605 set->size = desc.size;
2607 err = ops->init(set, &desc, nla);
2611 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2615 list_add_tail_rcu(&set->list, &table->sets);
2622 module_put(ops->owner);
2626 static void nft_set_destroy(struct nft_set *set)
2628 set->ops->destroy(set);
2629 module_put(set->ops->owner);
2633 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2635 list_del_rcu(&set->list);
2636 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2637 nft_set_destroy(set);
2640 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2641 const struct nlmsghdr *nlh,
2642 const struct nlattr * const nla[])
2644 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2645 struct nft_set *set;
2649 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2650 return -EAFNOSUPPORT;
2651 if (nla[NFTA_SET_TABLE] == NULL)
2654 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2658 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2660 return PTR_ERR(set);
2661 if (set->flags & NFT_SET_INACTIVE)
2663 if (!list_empty(&set->bindings))
2666 err = nft_trans_set_add(&ctx, NFT_MSG_DELSET, set);
2670 list_del_rcu(&set->list);
2675 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2676 const struct nft_set *set,
2677 const struct nft_set_iter *iter,
2678 const struct nft_set_elem *elem)
2680 enum nft_registers dreg;
2682 dreg = nft_type_to_reg(set->dtype);
2683 return nft_validate_data_load(ctx, dreg, &elem->data,
2684 set->dtype == NFT_DATA_VERDICT ?
2685 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2688 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2689 struct nft_set_binding *binding)
2691 struct nft_set_binding *i;
2692 struct nft_set_iter iter;
2694 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2697 if (set->flags & NFT_SET_MAP) {
2698 /* If the set is already bound to the same chain all
2699 * jumps are already validated for that chain.
2701 list_for_each_entry(i, &set->bindings, list) {
2702 if (i->chain == binding->chain)
2709 iter.fn = nf_tables_bind_check_setelem;
2711 set->ops->walk(ctx, set, &iter);
2713 /* Destroy anonymous sets if binding fails */
2714 if (set->flags & NFT_SET_ANONYMOUS)
2715 nf_tables_set_destroy(ctx, set);
2721 binding->chain = ctx->chain;
2722 list_add_tail_rcu(&binding->list, &set->bindings);
2726 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2727 struct nft_set_binding *binding)
2729 list_del_rcu(&binding->list);
2731 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2732 !(set->flags & NFT_SET_INACTIVE))
2733 nf_tables_set_destroy(ctx, set);
2740 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2741 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2742 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2743 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2746 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2747 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2748 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2749 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2750 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
2753 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2754 const struct sk_buff *skb,
2755 const struct nlmsghdr *nlh,
2756 const struct nlattr * const nla[],
2759 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2760 struct nft_af_info *afi;
2761 struct nft_table *table;
2762 struct net *net = sock_net(skb->sk);
2764 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2766 return PTR_ERR(afi);
2768 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2770 return PTR_ERR(table);
2771 if (!trans && (table->flags & NFT_TABLE_INACTIVE))
2774 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2778 static int nf_tables_fill_setelem(struct sk_buff *skb,
2779 const struct nft_set *set,
2780 const struct nft_set_elem *elem)
2782 unsigned char *b = skb_tail_pointer(skb);
2783 struct nlattr *nest;
2785 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2787 goto nla_put_failure;
2789 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2791 goto nla_put_failure;
2793 if (set->flags & NFT_SET_MAP &&
2794 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2795 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2796 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2798 goto nla_put_failure;
2800 if (elem->flags != 0)
2801 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2802 goto nla_put_failure;
2804 nla_nest_end(skb, nest);
2812 struct nft_set_dump_args {
2813 const struct netlink_callback *cb;
2814 struct nft_set_iter iter;
2815 struct sk_buff *skb;
2818 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2819 const struct nft_set *set,
2820 const struct nft_set_iter *iter,
2821 const struct nft_set_elem *elem)
2823 struct nft_set_dump_args *args;
2825 args = container_of(iter, struct nft_set_dump_args, iter);
2826 return nf_tables_fill_setelem(args->skb, set, elem);
2829 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2831 const struct nft_set *set;
2832 struct nft_set_dump_args args;
2834 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2835 struct nfgenmsg *nfmsg;
2836 struct nlmsghdr *nlh;
2837 struct nlattr *nest;
2841 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2842 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2846 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
2851 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2853 return PTR_ERR(set);
2854 if (set->flags & NFT_SET_INACTIVE)
2857 event = NFT_MSG_NEWSETELEM;
2858 event |= NFNL_SUBSYS_NFTABLES << 8;
2859 portid = NETLINK_CB(cb->skb).portid;
2860 seq = cb->nlh->nlmsg_seq;
2862 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2865 goto nla_put_failure;
2867 nfmsg = nlmsg_data(nlh);
2868 nfmsg->nfgen_family = ctx.afi->family;
2869 nfmsg->version = NFNETLINK_V0;
2872 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2873 goto nla_put_failure;
2874 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2875 goto nla_put_failure;
2877 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2879 goto nla_put_failure;
2883 args.iter.skip = cb->args[0];
2884 args.iter.count = 0;
2886 args.iter.fn = nf_tables_dump_setelem;
2887 set->ops->walk(&ctx, set, &args.iter);
2889 nla_nest_end(skb, nest);
2890 nlmsg_end(skb, nlh);
2892 if (args.iter.err && args.iter.err != -EMSGSIZE)
2893 return args.iter.err;
2894 if (args.iter.count == cb->args[0])
2897 cb->args[0] = args.iter.count;
2904 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2905 const struct nlmsghdr *nlh,
2906 const struct nlattr * const nla[])
2908 const struct nft_set *set;
2912 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
2916 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2918 return PTR_ERR(set);
2919 if (set->flags & NFT_SET_INACTIVE)
2922 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2923 struct netlink_dump_control c = {
2924 .dump = nf_tables_dump_set,
2926 return netlink_dump_start(nlsk, skb, nlh, &c);
2931 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
2932 const struct nft_ctx *ctx, u32 seq,
2933 u32 portid, int event, u16 flags,
2934 const struct nft_set *set,
2935 const struct nft_set_elem *elem)
2937 struct nfgenmsg *nfmsg;
2938 struct nlmsghdr *nlh;
2939 struct nlattr *nest;
2942 event |= NFNL_SUBSYS_NFTABLES << 8;
2943 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2946 goto nla_put_failure;
2948 nfmsg = nlmsg_data(nlh);
2949 nfmsg->nfgen_family = ctx->afi->family;
2950 nfmsg->version = NFNETLINK_V0;
2953 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2954 goto nla_put_failure;
2955 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2956 goto nla_put_failure;
2958 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2960 goto nla_put_failure;
2962 err = nf_tables_fill_setelem(skb, set, elem);
2964 goto nla_put_failure;
2966 nla_nest_end(skb, nest);
2968 return nlmsg_end(skb, nlh);
2971 nlmsg_trim(skb, nlh);
2975 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
2976 const struct nft_set *set,
2977 const struct nft_set_elem *elem,
2978 int event, u16 flags)
2980 struct net *net = ctx->net;
2981 u32 portid = ctx->portid;
2982 struct sk_buff *skb;
2985 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
2989 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2993 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3000 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3004 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3008 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3010 struct nft_set *set)
3012 struct nft_trans *trans;
3014 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3018 nft_trans_elem_set(trans) = set;
3022 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3023 const struct nlattr *attr)
3025 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3026 struct nft_data_desc d1, d2;
3027 struct nft_set_elem elem;
3028 struct nft_set_binding *binding;
3029 enum nft_registers dreg;
3030 struct nft_trans *trans;
3033 if (set->size && set->nelems == set->size)
3036 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3037 nft_set_elem_policy);
3041 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3045 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
3046 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
3047 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
3051 if (set->flags & NFT_SET_MAP) {
3052 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3053 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
3055 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3056 elem.flags & NFT_SET_ELEM_INTERVAL_END)
3059 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3063 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
3067 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3071 if (set->ops->get(set, &elem) == 0)
3074 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3075 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
3080 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3083 dreg = nft_type_to_reg(set->dtype);
3084 list_for_each_entry(binding, &set->bindings, list) {
3085 struct nft_ctx bind_ctx = {
3087 .table = ctx->table,
3088 .chain = (struct nft_chain *)binding->chain,
3091 err = nft_validate_data_load(&bind_ctx, dreg,
3092 &elem.data, d2.type);
3098 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3102 err = set->ops->insert(set, &elem);
3106 nft_trans_elem(trans) = elem;
3107 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3113 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3114 nft_data_uninit(&elem.data, d2.type);
3116 nft_data_uninit(&elem.key, d1.type);
3121 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
3122 const struct nlmsghdr *nlh,
3123 const struct nlattr * const nla[])
3125 struct net *net = sock_net(skb->sk);
3126 const struct nlattr *attr;
3127 struct nft_set *set;
3131 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
3135 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3137 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3138 set = nf_tables_set_lookup_byid(net,
3139 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3142 return PTR_ERR(set);
3145 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3148 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3149 err = nft_add_set_elem(&ctx, set, attr);
3158 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3159 const struct nlattr *attr)
3161 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3162 struct nft_data_desc desc;
3163 struct nft_set_elem elem;
3164 struct nft_trans *trans;
3167 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3168 nft_set_elem_policy);
3173 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3176 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
3181 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3184 err = set->ops->get(set, &elem);
3188 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3192 nft_trans_elem(trans) = elem;
3193 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3195 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
3196 if (set->flags & NFT_SET_MAP)
3197 nft_data_uninit(&elem.data, set->dtype);
3200 nft_data_uninit(&elem.key, desc.type);
3205 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3206 const struct nlmsghdr *nlh,
3207 const struct nlattr * const nla[])
3209 const struct nlattr *attr;
3210 struct nft_set *set;
3214 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
3218 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3220 return PTR_ERR(set);
3221 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3224 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3225 err = nft_del_setelem(&ctx, set, attr);
3234 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3235 [NFT_MSG_NEWTABLE] = {
3236 .call_batch = nf_tables_newtable,
3237 .attr_count = NFTA_TABLE_MAX,
3238 .policy = nft_table_policy,
3240 [NFT_MSG_GETTABLE] = {
3241 .call = nf_tables_gettable,
3242 .attr_count = NFTA_TABLE_MAX,
3243 .policy = nft_table_policy,
3245 [NFT_MSG_DELTABLE] = {
3246 .call_batch = nf_tables_deltable,
3247 .attr_count = NFTA_TABLE_MAX,
3248 .policy = nft_table_policy,
3250 [NFT_MSG_NEWCHAIN] = {
3251 .call_batch = nf_tables_newchain,
3252 .attr_count = NFTA_CHAIN_MAX,
3253 .policy = nft_chain_policy,
3255 [NFT_MSG_GETCHAIN] = {
3256 .call = nf_tables_getchain,
3257 .attr_count = NFTA_CHAIN_MAX,
3258 .policy = nft_chain_policy,
3260 [NFT_MSG_DELCHAIN] = {
3261 .call_batch = nf_tables_delchain,
3262 .attr_count = NFTA_CHAIN_MAX,
3263 .policy = nft_chain_policy,
3265 [NFT_MSG_NEWRULE] = {
3266 .call_batch = nf_tables_newrule,
3267 .attr_count = NFTA_RULE_MAX,
3268 .policy = nft_rule_policy,
3270 [NFT_MSG_GETRULE] = {
3271 .call = nf_tables_getrule,
3272 .attr_count = NFTA_RULE_MAX,
3273 .policy = nft_rule_policy,
3275 [NFT_MSG_DELRULE] = {
3276 .call_batch = nf_tables_delrule,
3277 .attr_count = NFTA_RULE_MAX,
3278 .policy = nft_rule_policy,
3280 [NFT_MSG_NEWSET] = {
3281 .call_batch = nf_tables_newset,
3282 .attr_count = NFTA_SET_MAX,
3283 .policy = nft_set_policy,
3285 [NFT_MSG_GETSET] = {
3286 .call = nf_tables_getset,
3287 .attr_count = NFTA_SET_MAX,
3288 .policy = nft_set_policy,
3290 [NFT_MSG_DELSET] = {
3291 .call_batch = nf_tables_delset,
3292 .attr_count = NFTA_SET_MAX,
3293 .policy = nft_set_policy,
3295 [NFT_MSG_NEWSETELEM] = {
3296 .call_batch = nf_tables_newsetelem,
3297 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3298 .policy = nft_set_elem_list_policy,
3300 [NFT_MSG_GETSETELEM] = {
3301 .call = nf_tables_getsetelem,
3302 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3303 .policy = nft_set_elem_list_policy,
3305 [NFT_MSG_DELSETELEM] = {
3306 .call_batch = nf_tables_delsetelem,
3307 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3308 .policy = nft_set_elem_list_policy,
3312 static void nft_chain_commit_update(struct nft_trans *trans)
3314 struct nft_base_chain *basechain;
3316 if (nft_trans_chain_name(trans)[0])
3317 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3319 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3322 basechain = nft_base_chain(trans->ctx.chain);
3323 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3325 switch (nft_trans_chain_policy(trans)) {
3328 basechain->policy = nft_trans_chain_policy(trans);
3333 /* Schedule objects for release via rcu to make sure no packets are accesing
3336 static void nf_tables_commit_release_rcu(struct rcu_head *rt)
3338 struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
3340 switch (trans->msg_type) {
3341 case NFT_MSG_DELTABLE:
3342 nf_tables_table_destroy(&trans->ctx);
3344 case NFT_MSG_DELCHAIN:
3345 nf_tables_chain_destroy(trans->ctx.chain);
3347 case NFT_MSG_DELRULE:
3348 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3350 case NFT_MSG_DELSET:
3351 nft_set_destroy(nft_trans_set(trans));
3357 static int nf_tables_commit(struct sk_buff *skb)
3359 struct net *net = sock_net(skb->sk);
3360 struct nft_trans *trans, *next;
3361 struct nft_set *set;
3363 /* Bump generation counter, invalidate any dump in progress */
3366 /* A new generation has just started */
3367 net->nft.gencursor = gencursor_next(net);
3369 /* Make sure all packets have left the previous generation before
3370 * purging old rules.
3374 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3375 switch (trans->msg_type) {
3376 case NFT_MSG_NEWTABLE:
3377 if (nft_trans_table_update(trans)) {
3378 if (!nft_trans_table_enable(trans)) {
3379 nf_tables_table_disable(trans->ctx.afi,
3381 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3384 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3386 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3387 nft_trans_destroy(trans);
3389 case NFT_MSG_DELTABLE:
3390 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3392 case NFT_MSG_NEWCHAIN:
3393 if (nft_trans_chain_update(trans))
3394 nft_chain_commit_update(trans);
3396 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3398 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3399 nft_trans_destroy(trans);
3401 case NFT_MSG_DELCHAIN:
3402 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3403 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3404 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3405 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3406 trans->ctx.afi->nops);
3409 case NFT_MSG_NEWRULE:
3410 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3411 nf_tables_rule_notify(&trans->ctx,
3412 nft_trans_rule(trans),
3414 nft_trans_destroy(trans);
3416 case NFT_MSG_DELRULE:
3417 list_del_rcu(&nft_trans_rule(trans)->list);
3418 nf_tables_rule_notify(&trans->ctx,
3419 nft_trans_rule(trans),
3422 case NFT_MSG_NEWSET:
3423 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3424 /* This avoids hitting -EBUSY when deleting the table
3425 * from the transaction.
3427 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
3428 !list_empty(&nft_trans_set(trans)->bindings))
3429 trans->ctx.table->use--;
3431 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3432 NFT_MSG_NEWSET, GFP_KERNEL);
3433 nft_trans_destroy(trans);
3435 case NFT_MSG_DELSET:
3436 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3437 NFT_MSG_DELSET, GFP_KERNEL);
3439 case NFT_MSG_NEWSETELEM:
3440 nf_tables_setelem_notify(&trans->ctx,
3441 nft_trans_elem_set(trans),
3442 &nft_trans_elem(trans),
3443 NFT_MSG_NEWSETELEM, 0);
3444 nft_trans_destroy(trans);
3446 case NFT_MSG_DELSETELEM:
3447 nf_tables_setelem_notify(&trans->ctx,
3448 nft_trans_elem_set(trans),
3449 &nft_trans_elem(trans),
3450 NFT_MSG_DELSETELEM, 0);
3451 set = nft_trans_elem_set(trans);
3452 set->ops->get(set, &nft_trans_elem(trans));
3453 set->ops->remove(set, &nft_trans_elem(trans));
3454 nft_trans_destroy(trans);
3459 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3460 list_del(&trans->list);
3461 trans->ctx.nla = NULL;
3462 call_rcu(&trans->rcu_head, nf_tables_commit_release_rcu);
3468 /* Schedule objects for release via rcu to make sure no packets are accesing
3471 static void nf_tables_abort_release_rcu(struct rcu_head *rt)
3473 struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
3475 switch (trans->msg_type) {
3476 case NFT_MSG_NEWTABLE:
3477 nf_tables_table_destroy(&trans->ctx);
3479 case NFT_MSG_NEWCHAIN:
3480 nf_tables_chain_destroy(trans->ctx.chain);
3482 case NFT_MSG_NEWRULE:
3483 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3485 case NFT_MSG_NEWSET:
3486 nft_set_destroy(nft_trans_set(trans));
3492 static int nf_tables_abort(struct sk_buff *skb)
3494 struct net *net = sock_net(skb->sk);
3495 struct nft_trans *trans, *next;
3496 struct nft_set *set;
3498 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3499 switch (trans->msg_type) {
3500 case NFT_MSG_NEWTABLE:
3501 if (nft_trans_table_update(trans)) {
3502 if (nft_trans_table_enable(trans)) {
3503 nf_tables_table_disable(trans->ctx.afi,
3505 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3507 nft_trans_destroy(trans);
3509 list_del_rcu(&trans->ctx.table->list);
3512 case NFT_MSG_DELTABLE:
3513 list_add_tail_rcu(&trans->ctx.table->list,
3514 &trans->ctx.afi->tables);
3515 nft_trans_destroy(trans);
3517 case NFT_MSG_NEWCHAIN:
3518 if (nft_trans_chain_update(trans)) {
3519 if (nft_trans_chain_stats(trans))
3520 free_percpu(nft_trans_chain_stats(trans));
3522 nft_trans_destroy(trans);
3524 trans->ctx.table->use--;
3525 list_del_rcu(&trans->ctx.chain->list);
3526 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3527 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3528 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3529 trans->ctx.afi->nops);
3533 case NFT_MSG_DELCHAIN:
3534 trans->ctx.table->use++;
3535 list_add_tail_rcu(&trans->ctx.chain->list,
3536 &trans->ctx.table->chains);
3537 nft_trans_destroy(trans);
3539 case NFT_MSG_NEWRULE:
3540 trans->ctx.chain->use--;
3541 list_del_rcu(&nft_trans_rule(trans)->list);
3543 case NFT_MSG_DELRULE:
3544 trans->ctx.chain->use++;
3545 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3546 nft_trans_destroy(trans);
3548 case NFT_MSG_NEWSET:
3549 trans->ctx.table->use--;
3550 list_del_rcu(&nft_trans_set(trans)->list);
3552 case NFT_MSG_DELSET:
3553 trans->ctx.table->use++;
3554 list_add_tail_rcu(&nft_trans_set(trans)->list,
3555 &trans->ctx.table->sets);
3556 nft_trans_destroy(trans);
3558 case NFT_MSG_NEWSETELEM:
3559 nft_trans_elem_set(trans)->nelems--;
3560 set = nft_trans_elem_set(trans);
3561 set->ops->get(set, &nft_trans_elem(trans));
3562 set->ops->remove(set, &nft_trans_elem(trans));
3563 nft_trans_destroy(trans);
3565 case NFT_MSG_DELSETELEM:
3566 nft_trans_elem_set(trans)->nelems++;
3567 nft_trans_destroy(trans);
3572 list_for_each_entry_safe_reverse(trans, next,
3573 &net->nft.commit_list, list) {
3574 list_del(&trans->list);
3575 trans->ctx.nla = NULL;
3576 call_rcu(&trans->rcu_head, nf_tables_abort_release_rcu);
3582 static const struct nfnetlink_subsystem nf_tables_subsys = {
3583 .name = "nf_tables",
3584 .subsys_id = NFNL_SUBSYS_NFTABLES,
3585 .cb_count = NFT_MSG_MAX,
3587 .commit = nf_tables_commit,
3588 .abort = nf_tables_abort,
3592 * Loop detection - walk through the ruleset beginning at the destination chain
3593 * of a new jump until either the source chain is reached (loop) or all
3594 * reachable chains have been traversed.
3596 * The loop check is performed whenever a new jump verdict is added to an
3597 * expression or verdict map or a verdict map is bound to a new chain.
3600 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3601 const struct nft_chain *chain);
3603 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3604 const struct nft_set *set,
3605 const struct nft_set_iter *iter,
3606 const struct nft_set_elem *elem)
3608 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3611 switch (elem->data.verdict) {
3614 return nf_tables_check_loops(ctx, elem->data.chain);
3620 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3621 const struct nft_chain *chain)
3623 const struct nft_rule *rule;
3624 const struct nft_expr *expr, *last;
3625 const struct nft_set *set;
3626 struct nft_set_binding *binding;
3627 struct nft_set_iter iter;
3629 if (ctx->chain == chain)
3632 list_for_each_entry(rule, &chain->rules, list) {
3633 nft_rule_for_each_expr(expr, last, rule) {
3634 const struct nft_data *data = NULL;
3637 if (!expr->ops->validate)
3640 err = expr->ops->validate(ctx, expr, &data);
3647 switch (data->verdict) {
3650 err = nf_tables_check_loops(ctx, data->chain);
3659 list_for_each_entry(set, &ctx->table->sets, list) {
3660 if (!(set->flags & NFT_SET_MAP) ||
3661 set->dtype != NFT_DATA_VERDICT)
3664 list_for_each_entry(binding, &set->bindings, list) {
3665 if (binding->chain != chain)
3671 iter.fn = nf_tables_loop_check_setelem;
3673 set->ops->walk(ctx, set, &iter);
3683 * nft_validate_input_register - validate an expressions' input register
3685 * @reg: the register number
3687 * Validate that the input register is one of the general purpose
3690 int nft_validate_input_register(enum nft_registers reg)
3692 if (reg <= NFT_REG_VERDICT)
3694 if (reg > NFT_REG_MAX)
3698 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3701 * nft_validate_output_register - validate an expressions' output register
3703 * @reg: the register number
3705 * Validate that the output register is one of the general purpose
3706 * registers or the verdict register.
3708 int nft_validate_output_register(enum nft_registers reg)
3710 if (reg < NFT_REG_VERDICT)
3712 if (reg > NFT_REG_MAX)
3716 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3719 * nft_validate_data_load - validate an expressions' data load
3721 * @ctx: context of the expression performing the load
3722 * @reg: the destination register number
3723 * @data: the data to load
3724 * @type: the data type
3726 * Validate that a data load uses the appropriate data type for
3727 * the destination register. A value of NULL for the data means
3728 * that its runtime gathered data, which is always of type
3731 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3732 const struct nft_data *data,
3733 enum nft_data_types type)
3738 case NFT_REG_VERDICT:
3739 if (data == NULL || type != NFT_DATA_VERDICT)
3742 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3743 err = nf_tables_check_loops(ctx, data->chain);
3747 if (ctx->chain->level + 1 > data->chain->level) {
3748 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3750 data->chain->level = ctx->chain->level + 1;
3756 if (data != NULL && type != NFT_DATA_VALUE)
3761 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3763 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3764 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3765 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3766 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3769 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3770 struct nft_data_desc *desc, const struct nlattr *nla)
3772 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3773 struct nft_chain *chain;
3776 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3780 if (!tb[NFTA_VERDICT_CODE])
3782 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3784 switch (data->verdict) {
3786 switch (data->verdict & NF_VERDICT_MASK) {
3798 desc->len = sizeof(data->verdict);
3802 if (!tb[NFTA_VERDICT_CHAIN])
3804 chain = nf_tables_chain_lookup(ctx->table,
3805 tb[NFTA_VERDICT_CHAIN]);
3807 return PTR_ERR(chain);
3808 if (chain->flags & NFT_BASE_CHAIN)
3812 data->chain = chain;
3813 desc->len = sizeof(data);
3817 desc->type = NFT_DATA_VERDICT;
3821 static void nft_verdict_uninit(const struct nft_data *data)
3823 switch (data->verdict) {
3831 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3833 struct nlattr *nest;
3835 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3837 goto nla_put_failure;
3839 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3840 goto nla_put_failure;
3842 switch (data->verdict) {
3845 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3846 goto nla_put_failure;
3848 nla_nest_end(skb, nest);
3855 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3856 struct nft_data_desc *desc, const struct nlattr *nla)
3863 if (len > sizeof(data->data))
3866 nla_memcpy(data->data, nla, sizeof(data->data));
3867 desc->type = NFT_DATA_VALUE;
3872 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3875 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3878 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3879 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3880 .len = FIELD_SIZEOF(struct nft_data, data) },
3881 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3885 * nft_data_init - parse nf_tables data netlink attributes
3887 * @ctx: context of the expression using the data
3888 * @data: destination struct nft_data
3889 * @desc: data description
3890 * @nla: netlink attribute containing data
3892 * Parse the netlink data attributes and initialize a struct nft_data.
3893 * The type and length of data are returned in the data description.
3895 * The caller can indicate that it only wants to accept data of type
3896 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3898 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3899 struct nft_data_desc *desc, const struct nlattr *nla)
3901 struct nlattr *tb[NFTA_DATA_MAX + 1];
3904 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3908 if (tb[NFTA_DATA_VALUE])
3909 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3910 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3911 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3914 EXPORT_SYMBOL_GPL(nft_data_init);
3917 * nft_data_uninit - release a nft_data item
3919 * @data: struct nft_data to release
3920 * @type: type of data
3922 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3923 * all others need to be released by calling this function.
3925 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3928 case NFT_DATA_VALUE:
3930 case NFT_DATA_VERDICT:
3931 return nft_verdict_uninit(data);
3936 EXPORT_SYMBOL_GPL(nft_data_uninit);
3938 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3939 enum nft_data_types type, unsigned int len)
3941 struct nlattr *nest;
3944 nest = nla_nest_start(skb, attr);
3949 case NFT_DATA_VALUE:
3950 err = nft_value_dump(skb, data, len);
3952 case NFT_DATA_VERDICT:
3953 err = nft_verdict_dump(skb, data);
3960 nla_nest_end(skb, nest);
3963 EXPORT_SYMBOL_GPL(nft_data_dump);
3965 static int nf_tables_init_net(struct net *net)
3967 INIT_LIST_HEAD(&net->nft.af_info);
3968 INIT_LIST_HEAD(&net->nft.commit_list);
3972 static struct pernet_operations nf_tables_net_ops = {
3973 .init = nf_tables_init_net,
3976 static int __init nf_tables_module_init(void)
3980 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3987 err = nf_tables_core_module_init();
3991 err = nfnetlink_subsys_register(&nf_tables_subsys);
3995 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3996 return register_pernet_subsys(&nf_tables_net_ops);
3998 nf_tables_core_module_exit();
4005 static void __exit nf_tables_module_exit(void)
4007 unregister_pernet_subsys(&nf_tables_net_ops);
4008 nfnetlink_subsys_unregister(&nf_tables_subsys);
4009 nf_tables_core_module_exit();
4013 module_init(nf_tables_module_init);
4014 module_exit(nf_tables_module_exit);
4016 MODULE_LICENSE("GPL");
4017 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4018 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / karo-tx-linux.git / blob