2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
54 list_del_rcu(&afi->list);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
104 ctx->portid = NETLINK_CB(skb).portid;
105 ctx->report = nlmsg_report(nlh);
106 ctx->seq = nlh->nlmsg_seq;
109 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
112 struct nft_trans *trans;
114 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
118 trans->msg_type = msg_type;
124 static void nft_trans_destroy(struct nft_trans *trans)
126 list_del(&trans->list);
130 static void nf_tables_unregister_hooks(const struct nft_table *table,
131 const struct nft_chain *chain,
132 unsigned int hook_nops)
134 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
135 chain->flags & NFT_BASE_CHAIN)
136 nf_unregister_hooks(nft_base_chain(chain)->ops, hook_nops);
139 /* Internal table flags */
140 #define NFT_TABLE_INACTIVE (1 << 15)
142 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
144 struct nft_trans *trans;
146 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
150 if (msg_type == NFT_MSG_NEWTABLE)
151 ctx->table->flags |= NFT_TABLE_INACTIVE;
153 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
157 static int nft_deltable(struct nft_ctx *ctx)
161 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
165 list_del_rcu(&ctx->table->list);
169 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
171 struct nft_trans *trans;
173 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
177 if (msg_type == NFT_MSG_NEWCHAIN)
178 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
180 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
184 static int nft_delchain(struct nft_ctx *ctx)
188 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
193 list_del_rcu(&ctx->chain->list);
199 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
201 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
204 static inline int gencursor_next(struct net *net)
206 return net->nft.gencursor+1 == 1 ? 1 : 0;
210 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
212 return (rule->genmask & (1 << gencursor_next(net))) == 0;
216 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
218 /* Now inactive, will be active in the future */
219 rule->genmask = (1 << net->nft.gencursor);
223 nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
225 rule->genmask = (1 << gencursor_next(net));
228 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
234 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
236 /* You cannot delete the same rule twice */
237 if (nft_rule_is_active_next(ctx->net, rule)) {
238 nft_rule_deactivate_next(ctx->net, rule);
245 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
246 struct nft_rule *rule)
248 struct nft_trans *trans;
250 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
254 nft_trans_rule(trans) = rule;
255 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
260 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
262 struct nft_trans *trans;
265 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
269 err = nf_tables_delrule_deactivate(ctx, rule);
271 nft_trans_destroy(trans);
278 static int nft_delrule_by_chain(struct nft_ctx *ctx)
280 struct nft_rule *rule;
283 list_for_each_entry(rule, &ctx->chain->rules, list) {
284 err = nft_delrule(ctx, rule);
291 /* Internal set flag */
292 #define NFT_SET_INACTIVE (1 << 15)
294 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
297 struct nft_trans *trans;
299 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
303 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
304 nft_trans_set_id(trans) =
305 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
306 set->flags |= NFT_SET_INACTIVE;
308 nft_trans_set(trans) = set;
309 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
314 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
318 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
322 list_del_rcu(&set->list);
332 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
333 const struct nlattr *nla)
335 struct nft_table *table;
337 list_for_each_entry(table, &afi->tables, list) {
338 if (!nla_strcmp(nla, table->name))
344 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
345 const struct nlattr *nla)
347 struct nft_table *table;
350 return ERR_PTR(-EINVAL);
352 table = nft_table_lookup(afi, nla);
356 return ERR_PTR(-ENOENT);
359 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
361 return ++table->hgenerator;
364 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
366 static const struct nf_chain_type *
367 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
371 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
372 if (chain_type[family][i] != NULL &&
373 !nla_strcmp(nla, chain_type[family][i]->name))
374 return chain_type[family][i];
379 static const struct nf_chain_type *
380 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
381 const struct nlattr *nla,
384 const struct nf_chain_type *type;
386 type = __nf_tables_chain_type_lookup(afi->family, nla);
389 #ifdef CONFIG_MODULES
391 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
392 request_module("nft-chain-%u-%.*s", afi->family,
393 nla_len(nla), (const char *)nla_data(nla));
394 nfnl_lock(NFNL_SUBSYS_NFTABLES);
395 type = __nf_tables_chain_type_lookup(afi->family, nla);
397 return ERR_PTR(-EAGAIN);
400 return ERR_PTR(-ENOENT);
403 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
404 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
405 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
408 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
409 int event, u32 flags, int family,
410 const struct nft_table *table)
412 struct nlmsghdr *nlh;
413 struct nfgenmsg *nfmsg;
415 event |= NFNL_SUBSYS_NFTABLES << 8;
416 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
418 goto nla_put_failure;
420 nfmsg = nlmsg_data(nlh);
421 nfmsg->nfgen_family = family;
422 nfmsg->version = NFNETLINK_V0;
425 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
426 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
427 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
428 goto nla_put_failure;
430 return nlmsg_end(skb, nlh);
433 nlmsg_trim(skb, nlh);
437 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
443 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
447 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
451 err = nf_tables_fill_table_info(skb, ctx->portid, ctx->seq, event, 0,
452 ctx->afi->family, ctx->table);
458 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
459 ctx->report, GFP_KERNEL);
462 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
468 static int nf_tables_dump_tables(struct sk_buff *skb,
469 struct netlink_callback *cb)
471 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
472 const struct nft_af_info *afi;
473 const struct nft_table *table;
474 unsigned int idx = 0, s_idx = cb->args[0];
475 struct net *net = sock_net(skb->sk);
476 int family = nfmsg->nfgen_family;
479 cb->seq = net->nft.base_seq;
481 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
482 if (family != NFPROTO_UNSPEC && family != afi->family)
485 list_for_each_entry_rcu(table, &afi->tables, list) {
489 memset(&cb->args[1], 0,
490 sizeof(cb->args) - sizeof(cb->args[0]));
491 if (nf_tables_fill_table_info(skb,
492 NETLINK_CB(cb->skb).portid,
496 afi->family, table) < 0)
499 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
510 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
511 const struct nlmsghdr *nlh,
512 const struct nlattr * const nla[])
514 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
515 const struct nft_af_info *afi;
516 const struct nft_table *table;
517 struct sk_buff *skb2;
518 struct net *net = sock_net(skb->sk);
519 int family = nfmsg->nfgen_family;
522 if (nlh->nlmsg_flags & NLM_F_DUMP) {
523 struct netlink_dump_control c = {
524 .dump = nf_tables_dump_tables,
526 return netlink_dump_start(nlsk, skb, nlh, &c);
529 afi = nf_tables_afinfo_lookup(net, family, false);
533 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
535 return PTR_ERR(table);
536 if (table->flags & NFT_TABLE_INACTIVE)
539 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
543 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
544 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
549 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
556 static int nf_tables_table_enable(const struct nft_af_info *afi,
557 struct nft_table *table)
559 struct nft_chain *chain;
562 list_for_each_entry(chain, &table->chains, list) {
563 if (!(chain->flags & NFT_BASE_CHAIN))
566 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
574 list_for_each_entry(chain, &table->chains, list) {
575 if (!(chain->flags & NFT_BASE_CHAIN))
581 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
586 static void nf_tables_table_disable(const struct nft_af_info *afi,
587 struct nft_table *table)
589 struct nft_chain *chain;
591 list_for_each_entry(chain, &table->chains, list) {
592 if (chain->flags & NFT_BASE_CHAIN)
593 nf_unregister_hooks(nft_base_chain(chain)->ops,
598 static int nf_tables_updtable(struct nft_ctx *ctx)
600 struct nft_trans *trans;
604 if (!ctx->nla[NFTA_TABLE_FLAGS])
607 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
608 if (flags & ~NFT_TABLE_F_DORMANT)
611 if (flags == ctx->table->flags)
614 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
615 sizeof(struct nft_trans_table));
619 if ((flags & NFT_TABLE_F_DORMANT) &&
620 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
621 nft_trans_table_enable(trans) = false;
622 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
623 ctx->table->flags & NFT_TABLE_F_DORMANT) {
624 ret = nf_tables_table_enable(ctx->afi, ctx->table);
626 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
627 nft_trans_table_enable(trans) = true;
633 nft_trans_table_update(trans) = true;
634 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
637 nft_trans_destroy(trans);
641 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
642 const struct nlmsghdr *nlh,
643 const struct nlattr * const nla[])
645 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
646 const struct nlattr *name;
647 struct nft_af_info *afi;
648 struct nft_table *table;
649 struct net *net = sock_net(skb->sk);
650 int family = nfmsg->nfgen_family;
655 afi = nf_tables_afinfo_lookup(net, family, true);
659 name = nla[NFTA_TABLE_NAME];
660 table = nf_tables_table_lookup(afi, name);
662 if (PTR_ERR(table) != -ENOENT)
663 return PTR_ERR(table);
668 if (table->flags & NFT_TABLE_INACTIVE)
670 if (nlh->nlmsg_flags & NLM_F_EXCL)
672 if (nlh->nlmsg_flags & NLM_F_REPLACE)
675 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
676 return nf_tables_updtable(&ctx);
679 if (nla[NFTA_TABLE_FLAGS]) {
680 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
681 if (flags & ~NFT_TABLE_F_DORMANT)
685 if (!try_module_get(afi->owner))
686 return -EAFNOSUPPORT;
688 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
690 module_put(afi->owner);
694 nla_strlcpy(table->name, name, nla_len(name));
695 INIT_LIST_HEAD(&table->chains);
696 INIT_LIST_HEAD(&table->sets);
697 table->flags = flags;
699 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
700 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
703 module_put(afi->owner);
706 list_add_tail_rcu(&table->list, &afi->tables);
710 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
711 const struct nlmsghdr *nlh,
712 const struct nlattr * const nla[])
714 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
715 struct nft_af_info *afi;
716 struct nft_table *table;
717 struct net *net = sock_net(skb->sk);
718 int family = nfmsg->nfgen_family;
721 afi = nf_tables_afinfo_lookup(net, family, false);
725 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
727 return PTR_ERR(table);
728 if (table->flags & NFT_TABLE_INACTIVE)
733 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
735 return nft_deltable(&ctx);
738 static void nf_tables_table_destroy(struct nft_ctx *ctx)
740 BUG_ON(ctx->table->use > 0);
743 module_put(ctx->afi->owner);
746 int nft_register_chain_type(const struct nf_chain_type *ctype)
750 nfnl_lock(NFNL_SUBSYS_NFTABLES);
751 if (chain_type[ctype->family][ctype->type] != NULL) {
755 chain_type[ctype->family][ctype->type] = ctype;
757 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
760 EXPORT_SYMBOL_GPL(nft_register_chain_type);
762 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
764 nfnl_lock(NFNL_SUBSYS_NFTABLES);
765 chain_type[ctype->family][ctype->type] = NULL;
766 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
768 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
774 static struct nft_chain *
775 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
777 struct nft_chain *chain;
779 list_for_each_entry(chain, &table->chains, list) {
780 if (chain->handle == handle)
784 return ERR_PTR(-ENOENT);
787 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
788 const struct nlattr *nla)
790 struct nft_chain *chain;
793 return ERR_PTR(-EINVAL);
795 list_for_each_entry(chain, &table->chains, list) {
796 if (!nla_strcmp(nla, chain->name))
800 return ERR_PTR(-ENOENT);
803 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
804 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
805 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
806 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
807 .len = NFT_CHAIN_MAXNAMELEN - 1 },
808 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
809 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
810 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
811 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
814 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
815 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
816 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
819 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
821 struct nft_stats *cpu_stats, total;
827 memset(&total, 0, sizeof(total));
828 for_each_possible_cpu(cpu) {
829 cpu_stats = per_cpu_ptr(stats, cpu);
831 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
832 pkts = cpu_stats->pkts;
833 bytes = cpu_stats->bytes;
834 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
836 total.bytes += bytes;
838 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
840 goto nla_put_failure;
842 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
843 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
844 goto nla_put_failure;
846 nla_nest_end(skb, nest);
853 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
854 int event, u32 flags, int family,
855 const struct nft_table *table,
856 const struct nft_chain *chain)
858 struct nlmsghdr *nlh;
859 struct nfgenmsg *nfmsg;
861 event |= NFNL_SUBSYS_NFTABLES << 8;
862 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
864 goto nla_put_failure;
866 nfmsg = nlmsg_data(nlh);
867 nfmsg->nfgen_family = family;
868 nfmsg->version = NFNETLINK_V0;
871 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
872 goto nla_put_failure;
873 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
874 goto nla_put_failure;
875 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
876 goto nla_put_failure;
878 if (chain->flags & NFT_BASE_CHAIN) {
879 const struct nft_base_chain *basechain = nft_base_chain(chain);
880 const struct nf_hook_ops *ops = &basechain->ops[0];
883 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
885 goto nla_put_failure;
886 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
887 goto nla_put_failure;
888 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
889 goto nla_put_failure;
890 nla_nest_end(skb, nest);
892 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
893 htonl(basechain->policy)))
894 goto nla_put_failure;
896 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
897 goto nla_put_failure;
899 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
900 goto nla_put_failure;
903 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
904 goto nla_put_failure;
906 return nlmsg_end(skb, nlh);
909 nlmsg_trim(skb, nlh);
913 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
919 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
923 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
927 err = nf_tables_fill_chain_info(skb, ctx->portid, ctx->seq, event, 0,
928 ctx->afi->family, ctx->table,
935 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
936 ctx->report, GFP_KERNEL);
939 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
945 static int nf_tables_dump_chains(struct sk_buff *skb,
946 struct netlink_callback *cb)
948 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
949 const struct nft_af_info *afi;
950 const struct nft_table *table;
951 const struct nft_chain *chain;
952 unsigned int idx = 0, s_idx = cb->args[0];
953 struct net *net = sock_net(skb->sk);
954 int family = nfmsg->nfgen_family;
957 cb->seq = net->nft.base_seq;
959 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
960 if (family != NFPROTO_UNSPEC && family != afi->family)
963 list_for_each_entry_rcu(table, &afi->tables, list) {
964 list_for_each_entry_rcu(chain, &table->chains, list) {
968 memset(&cb->args[1], 0,
969 sizeof(cb->args) - sizeof(cb->args[0]));
970 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
974 afi->family, table, chain) < 0)
977 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
989 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
990 const struct nlmsghdr *nlh,
991 const struct nlattr * const nla[])
993 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
994 const struct nft_af_info *afi;
995 const struct nft_table *table;
996 const struct nft_chain *chain;
997 struct sk_buff *skb2;
998 struct net *net = sock_net(skb->sk);
999 int family = nfmsg->nfgen_family;
1002 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1003 struct netlink_dump_control c = {
1004 .dump = nf_tables_dump_chains,
1006 return netlink_dump_start(nlsk, skb, nlh, &c);
1009 afi = nf_tables_afinfo_lookup(net, family, false);
1011 return PTR_ERR(afi);
1013 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1015 return PTR_ERR(table);
1016 if (table->flags & NFT_TABLE_INACTIVE)
1019 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1021 return PTR_ERR(chain);
1022 if (chain->flags & NFT_CHAIN_INACTIVE)
1025 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1029 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
1030 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1031 family, table, chain);
1035 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1042 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1043 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1044 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1047 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1049 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1050 struct nft_stats __percpu *newstats;
1051 struct nft_stats *stats;
1054 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1056 return ERR_PTR(err);
1058 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1059 return ERR_PTR(-EINVAL);
1061 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1062 if (newstats == NULL)
1063 return ERR_PTR(-ENOMEM);
1065 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1066 * are not exposed to userspace.
1068 stats = this_cpu_ptr(newstats);
1069 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1070 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1075 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1076 struct nft_stats __percpu *newstats)
1078 if (newstats == NULL)
1082 struct nft_stats __percpu *oldstats =
1083 nft_dereference(chain->stats);
1085 rcu_assign_pointer(chain->stats, newstats);
1087 free_percpu(oldstats);
1089 rcu_assign_pointer(chain->stats, newstats);
1092 static void nf_tables_chain_destroy(struct nft_chain *chain)
1094 BUG_ON(chain->use > 0);
1096 if (chain->flags & NFT_BASE_CHAIN) {
1097 module_put(nft_base_chain(chain)->type->owner);
1098 free_percpu(nft_base_chain(chain)->stats);
1099 kfree(nft_base_chain(chain));
1105 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
1106 const struct nlmsghdr *nlh,
1107 const struct nlattr * const nla[])
1109 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1110 const struct nlattr * uninitialized_var(name);
1111 struct nft_af_info *afi;
1112 struct nft_table *table;
1113 struct nft_chain *chain;
1114 struct nft_base_chain *basechain = NULL;
1115 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1116 struct net *net = sock_net(skb->sk);
1117 int family = nfmsg->nfgen_family;
1118 u8 policy = NF_ACCEPT;
1121 struct nft_stats __percpu *stats;
1126 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1128 afi = nf_tables_afinfo_lookup(net, family, true);
1130 return PTR_ERR(afi);
1132 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1134 return PTR_ERR(table);
1137 name = nla[NFTA_CHAIN_NAME];
1139 if (nla[NFTA_CHAIN_HANDLE]) {
1140 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1141 chain = nf_tables_chain_lookup_byhandle(table, handle);
1143 return PTR_ERR(chain);
1145 chain = nf_tables_chain_lookup(table, name);
1146 if (IS_ERR(chain)) {
1147 if (PTR_ERR(chain) != -ENOENT)
1148 return PTR_ERR(chain);
1153 if (nla[NFTA_CHAIN_POLICY]) {
1154 if ((chain != NULL &&
1155 !(chain->flags & NFT_BASE_CHAIN)) ||
1156 nla[NFTA_CHAIN_HOOK] == NULL)
1159 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1169 if (chain != NULL) {
1170 struct nft_stats *stats = NULL;
1171 struct nft_trans *trans;
1173 if (chain->flags & NFT_CHAIN_INACTIVE)
1175 if (nlh->nlmsg_flags & NLM_F_EXCL)
1177 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1180 if (nla[NFTA_CHAIN_HANDLE] && name &&
1181 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1184 if (nla[NFTA_CHAIN_COUNTERS]) {
1185 if (!(chain->flags & NFT_BASE_CHAIN))
1188 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1190 return PTR_ERR(stats);
1193 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1194 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1195 sizeof(struct nft_trans_chain));
1199 nft_trans_chain_stats(trans) = stats;
1200 nft_trans_chain_update(trans) = true;
1202 if (nla[NFTA_CHAIN_POLICY])
1203 nft_trans_chain_policy(trans) = policy;
1205 nft_trans_chain_policy(trans) = -1;
1207 if (nla[NFTA_CHAIN_HANDLE] && name) {
1208 nla_strlcpy(nft_trans_chain_name(trans), name,
1209 NFT_CHAIN_MAXNAMELEN);
1211 list_add_tail(&trans->list, &net->nft.commit_list);
1215 if (table->use == UINT_MAX)
1218 if (nla[NFTA_CHAIN_HOOK]) {
1219 const struct nf_chain_type *type;
1220 struct nf_hook_ops *ops;
1222 u32 hooknum, priority;
1224 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1225 if (nla[NFTA_CHAIN_TYPE]) {
1226 type = nf_tables_chain_type_lookup(afi,
1227 nla[NFTA_CHAIN_TYPE],
1230 return PTR_ERR(type);
1233 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1237 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1238 ha[NFTA_HOOK_PRIORITY] == NULL)
1241 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1242 if (hooknum >= afi->nhooks)
1244 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1246 if (!(type->hook_mask & (1 << hooknum)))
1248 if (!try_module_get(type->owner))
1250 hookfn = type->hooks[hooknum];
1252 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1253 if (basechain == NULL)
1256 if (nla[NFTA_CHAIN_COUNTERS]) {
1257 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1258 if (IS_ERR(stats)) {
1259 module_put(type->owner);
1261 return PTR_ERR(stats);
1263 basechain->stats = stats;
1265 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1266 if (IS_ERR(stats)) {
1267 module_put(type->owner);
1269 return PTR_ERR(stats);
1271 rcu_assign_pointer(basechain->stats, stats);
1274 basechain->type = type;
1275 chain = &basechain->chain;
1277 for (i = 0; i < afi->nops; i++) {
1278 ops = &basechain->ops[i];
1280 ops->owner = afi->owner;
1281 ops->hooknum = hooknum;
1282 ops->priority = priority;
1284 ops->hook = afi->hooks[ops->hooknum];
1287 if (afi->hook_ops_init)
1288 afi->hook_ops_init(ops, i);
1291 chain->flags |= NFT_BASE_CHAIN;
1292 basechain->policy = policy;
1294 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1299 INIT_LIST_HEAD(&chain->rules);
1300 chain->handle = nf_tables_alloc_handle(table);
1302 chain->table = table;
1303 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1305 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1306 chain->flags & NFT_BASE_CHAIN) {
1307 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1312 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1313 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1318 list_add_tail_rcu(&chain->list, &table->chains);
1321 nf_tables_unregister_hooks(table, chain, afi->nops);
1323 nf_tables_chain_destroy(chain);
1327 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1328 const struct nlmsghdr *nlh,
1329 const struct nlattr * const nla[])
1331 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1332 struct nft_af_info *afi;
1333 struct nft_table *table;
1334 struct nft_chain *chain;
1335 struct net *net = sock_net(skb->sk);
1336 int family = nfmsg->nfgen_family;
1339 afi = nf_tables_afinfo_lookup(net, family, false);
1341 return PTR_ERR(afi);
1343 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1345 return PTR_ERR(table);
1346 if (table->flags & NFT_TABLE_INACTIVE)
1349 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1351 return PTR_ERR(chain);
1352 if (chain->flags & NFT_CHAIN_INACTIVE)
1357 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1359 return nft_delchain(&ctx);
1367 * nft_register_expr - register nf_tables expr type
1370 * Registers the expr type for use with nf_tables. Returns zero on
1371 * success or a negative errno code otherwise.
1373 int nft_register_expr(struct nft_expr_type *type)
1375 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1376 if (type->family == NFPROTO_UNSPEC)
1377 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1379 list_add_rcu(&type->list, &nf_tables_expressions);
1380 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1383 EXPORT_SYMBOL_GPL(nft_register_expr);
1386 * nft_unregister_expr - unregister nf_tables expr type
1389 * Unregisters the expr typefor use with nf_tables.
1391 void nft_unregister_expr(struct nft_expr_type *type)
1393 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1394 list_del_rcu(&type->list);
1395 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1397 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1399 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1402 const struct nft_expr_type *type;
1404 list_for_each_entry(type, &nf_tables_expressions, list) {
1405 if (!nla_strcmp(nla, type->name) &&
1406 (!type->family || type->family == family))
1412 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1415 const struct nft_expr_type *type;
1418 return ERR_PTR(-EINVAL);
1420 type = __nft_expr_type_get(family, nla);
1421 if (type != NULL && try_module_get(type->owner))
1424 #ifdef CONFIG_MODULES
1426 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1427 request_module("nft-expr-%u-%.*s", family,
1428 nla_len(nla), (char *)nla_data(nla));
1429 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1430 if (__nft_expr_type_get(family, nla))
1431 return ERR_PTR(-EAGAIN);
1433 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1434 request_module("nft-expr-%.*s",
1435 nla_len(nla), (char *)nla_data(nla));
1436 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1437 if (__nft_expr_type_get(family, nla))
1438 return ERR_PTR(-EAGAIN);
1441 return ERR_PTR(-ENOENT);
1444 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1445 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1446 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1449 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1450 const struct nft_expr *expr)
1452 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1453 goto nla_put_failure;
1455 if (expr->ops->dump) {
1456 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1458 goto nla_put_failure;
1459 if (expr->ops->dump(skb, expr) < 0)
1460 goto nla_put_failure;
1461 nla_nest_end(skb, data);
1470 struct nft_expr_info {
1471 const struct nft_expr_ops *ops;
1472 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1475 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1476 const struct nlattr *nla,
1477 struct nft_expr_info *info)
1479 const struct nft_expr_type *type;
1480 const struct nft_expr_ops *ops;
1481 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1484 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1488 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1490 return PTR_ERR(type);
1492 if (tb[NFTA_EXPR_DATA]) {
1493 err = nla_parse_nested(info->tb, type->maxattr,
1494 tb[NFTA_EXPR_DATA], type->policy);
1498 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1500 if (type->select_ops != NULL) {
1501 ops = type->select_ops(ctx,
1502 (const struct nlattr * const *)info->tb);
1514 module_put(type->owner);
1518 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1519 const struct nft_expr_info *info,
1520 struct nft_expr *expr)
1522 const struct nft_expr_ops *ops = info->ops;
1527 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1539 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1540 struct nft_expr *expr)
1542 if (expr->ops->destroy)
1543 expr->ops->destroy(ctx, expr);
1544 module_put(expr->ops->type->owner);
1551 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1554 struct nft_rule *rule;
1556 // FIXME: this sucks
1557 list_for_each_entry(rule, &chain->rules, list) {
1558 if (handle == rule->handle)
1562 return ERR_PTR(-ENOENT);
1565 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1566 const struct nlattr *nla)
1569 return ERR_PTR(-EINVAL);
1571 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1574 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1575 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1576 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1577 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1578 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1579 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1580 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1581 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1582 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1583 .len = NFT_USERDATA_MAXLEN },
1586 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1587 int event, u32 flags, int family,
1588 const struct nft_table *table,
1589 const struct nft_chain *chain,
1590 const struct nft_rule *rule)
1592 struct nlmsghdr *nlh;
1593 struct nfgenmsg *nfmsg;
1594 const struct nft_expr *expr, *next;
1595 struct nlattr *list;
1596 const struct nft_rule *prule;
1597 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1599 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1602 goto nla_put_failure;
1604 nfmsg = nlmsg_data(nlh);
1605 nfmsg->nfgen_family = family;
1606 nfmsg->version = NFNETLINK_V0;
1609 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1610 goto nla_put_failure;
1611 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1612 goto nla_put_failure;
1613 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1614 goto nla_put_failure;
1616 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1617 prule = list_entry(rule->list.prev, struct nft_rule, list);
1618 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1619 cpu_to_be64(prule->handle)))
1620 goto nla_put_failure;
1623 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1625 goto nla_put_failure;
1626 nft_rule_for_each_expr(expr, next, rule) {
1627 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1629 goto nla_put_failure;
1630 if (nf_tables_fill_expr_info(skb, expr) < 0)
1631 goto nla_put_failure;
1632 nla_nest_end(skb, elem);
1634 nla_nest_end(skb, list);
1637 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1638 goto nla_put_failure;
1640 return nlmsg_end(skb, nlh);
1643 nlmsg_trim(skb, nlh);
1647 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1648 const struct nft_rule *rule,
1651 struct sk_buff *skb;
1655 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1659 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1663 err = nf_tables_fill_rule_info(skb, ctx->portid, ctx->seq, event, 0,
1664 ctx->afi->family, ctx->table,
1671 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1672 ctx->report, GFP_KERNEL);
1675 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1681 static int nf_tables_dump_rules(struct sk_buff *skb,
1682 struct netlink_callback *cb)
1684 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1685 const struct nft_af_info *afi;
1686 const struct nft_table *table;
1687 const struct nft_chain *chain;
1688 const struct nft_rule *rule;
1689 unsigned int idx = 0, s_idx = cb->args[0];
1690 struct net *net = sock_net(skb->sk);
1691 int family = nfmsg->nfgen_family;
1694 cb->seq = net->nft.base_seq;
1696 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1697 if (family != NFPROTO_UNSPEC && family != afi->family)
1700 list_for_each_entry_rcu(table, &afi->tables, list) {
1701 list_for_each_entry_rcu(chain, &table->chains, list) {
1702 list_for_each_entry_rcu(rule, &chain->rules, list) {
1703 if (!nft_rule_is_active(net, rule))
1708 memset(&cb->args[1], 0,
1709 sizeof(cb->args) - sizeof(cb->args[0]));
1710 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1713 NLM_F_MULTI | NLM_F_APPEND,
1714 afi->family, table, chain, rule) < 0)
1717 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1731 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1732 const struct nlmsghdr *nlh,
1733 const struct nlattr * const nla[])
1735 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1736 const struct nft_af_info *afi;
1737 const struct nft_table *table;
1738 const struct nft_chain *chain;
1739 const struct nft_rule *rule;
1740 struct sk_buff *skb2;
1741 struct net *net = sock_net(skb->sk);
1742 int family = nfmsg->nfgen_family;
1745 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1746 struct netlink_dump_control c = {
1747 .dump = nf_tables_dump_rules,
1749 return netlink_dump_start(nlsk, skb, nlh, &c);
1752 afi = nf_tables_afinfo_lookup(net, family, false);
1754 return PTR_ERR(afi);
1756 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1758 return PTR_ERR(table);
1759 if (table->flags & NFT_TABLE_INACTIVE)
1762 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1764 return PTR_ERR(chain);
1765 if (chain->flags & NFT_CHAIN_INACTIVE)
1768 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1770 return PTR_ERR(rule);
1772 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1776 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1777 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1778 family, table, chain, rule);
1782 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1789 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1790 struct nft_rule *rule)
1792 struct nft_expr *expr;
1795 * Careful: some expressions might not be initialized in case this
1796 * is called on error from nf_tables_newrule().
1798 expr = nft_expr_first(rule);
1799 while (expr->ops && expr != nft_expr_last(rule)) {
1800 nf_tables_expr_destroy(ctx, expr);
1801 expr = nft_expr_next(expr);
1806 #define NFT_RULE_MAXEXPRS 128
1808 static struct nft_expr_info *info;
1810 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1811 const struct nlmsghdr *nlh,
1812 const struct nlattr * const nla[])
1814 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1815 struct nft_af_info *afi;
1816 struct net *net = sock_net(skb->sk);
1817 struct nft_table *table;
1818 struct nft_chain *chain;
1819 struct nft_rule *rule, *old_rule = NULL;
1820 struct nft_trans *trans = NULL;
1821 struct nft_expr *expr;
1824 unsigned int size, i, n, ulen = 0;
1827 u64 handle, pos_handle;
1829 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1831 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1833 return PTR_ERR(afi);
1835 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1837 return PTR_ERR(table);
1839 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1841 return PTR_ERR(chain);
1843 if (nla[NFTA_RULE_HANDLE]) {
1844 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1845 rule = __nf_tables_rule_lookup(chain, handle);
1847 return PTR_ERR(rule);
1849 if (nlh->nlmsg_flags & NLM_F_EXCL)
1851 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1856 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1858 handle = nf_tables_alloc_handle(table);
1860 if (chain->use == UINT_MAX)
1864 if (nla[NFTA_RULE_POSITION]) {
1865 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1868 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1869 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1870 if (IS_ERR(old_rule))
1871 return PTR_ERR(old_rule);
1874 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1878 if (nla[NFTA_RULE_EXPRESSIONS]) {
1879 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1881 if (nla_type(tmp) != NFTA_LIST_ELEM)
1883 if (n == NFT_RULE_MAXEXPRS)
1885 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1888 size += info[n].ops->size;
1893 if (nla[NFTA_RULE_USERDATA])
1894 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1897 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1901 nft_rule_activate_next(net, rule);
1903 rule->handle = handle;
1908 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1910 expr = nft_expr_first(rule);
1911 for (i = 0; i < n; i++) {
1912 err = nf_tables_newexpr(&ctx, &info[i], expr);
1916 expr = nft_expr_next(expr);
1919 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1920 if (nft_rule_is_active_next(net, old_rule)) {
1921 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
1923 if (trans == NULL) {
1927 nft_rule_deactivate_next(net, old_rule);
1929 list_add_tail_rcu(&rule->list, &old_rule->list);
1934 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1936 list_add_rcu(&rule->list, &old_rule->list);
1938 list_add_tail_rcu(&rule->list, &chain->rules);
1941 list_add_tail_rcu(&rule->list, &old_rule->list);
1943 list_add_rcu(&rule->list, &chain->rules);
1946 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
1954 list_del_rcu(&rule->list);
1956 list_del_rcu(&nft_trans_rule(trans)->list);
1957 nft_rule_clear(net, nft_trans_rule(trans));
1958 nft_trans_destroy(trans);
1962 nf_tables_rule_destroy(&ctx, rule);
1964 for (i = 0; i < n; i++) {
1965 if (info[i].ops != NULL)
1966 module_put(info[i].ops->type->owner);
1971 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1972 const struct nlmsghdr *nlh,
1973 const struct nlattr * const nla[])
1975 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1976 struct nft_af_info *afi;
1977 struct net *net = sock_net(skb->sk);
1978 struct nft_table *table;
1979 struct nft_chain *chain = NULL;
1980 struct nft_rule *rule;
1981 int family = nfmsg->nfgen_family, err = 0;
1984 afi = nf_tables_afinfo_lookup(net, family, false);
1986 return PTR_ERR(afi);
1988 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1990 return PTR_ERR(table);
1991 if (table->flags & NFT_TABLE_INACTIVE)
1994 if (nla[NFTA_RULE_CHAIN]) {
1995 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1997 return PTR_ERR(chain);
2000 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
2003 if (nla[NFTA_RULE_HANDLE]) {
2004 rule = nf_tables_rule_lookup(chain,
2005 nla[NFTA_RULE_HANDLE]);
2007 return PTR_ERR(rule);
2009 err = nft_delrule(&ctx, rule);
2011 err = nft_delrule_by_chain(&ctx);
2014 list_for_each_entry(chain, &table->chains, list) {
2016 err = nft_delrule_by_chain(&ctx);
2029 static LIST_HEAD(nf_tables_set_ops);
2031 int nft_register_set(struct nft_set_ops *ops)
2033 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2034 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2035 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2038 EXPORT_SYMBOL_GPL(nft_register_set);
2040 void nft_unregister_set(struct nft_set_ops *ops)
2042 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2043 list_del_rcu(&ops->list);
2044 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2046 EXPORT_SYMBOL_GPL(nft_unregister_set);
2049 * Select a set implementation based on the data characteristics and the
2050 * given policy. The total memory use might not be known if no size is
2051 * given, in that case the amount of memory per element is used.
2053 static const struct nft_set_ops *
2054 nft_select_set_ops(const struct nlattr * const nla[],
2055 const struct nft_set_desc *desc,
2056 enum nft_set_policies policy)
2058 const struct nft_set_ops *ops, *bops;
2059 struct nft_set_estimate est, best;
2062 #ifdef CONFIG_MODULES
2063 if (list_empty(&nf_tables_set_ops)) {
2064 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2065 request_module("nft-set");
2066 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2067 if (!list_empty(&nf_tables_set_ops))
2068 return ERR_PTR(-EAGAIN);
2072 if (nla[NFTA_SET_FLAGS] != NULL) {
2073 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2074 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
2081 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2082 if ((ops->features & features) != features)
2084 if (!ops->estimate(desc, features, &est))
2088 case NFT_SET_POL_PERFORMANCE:
2089 if (est.class < best.class)
2091 if (est.class == best.class && est.size < best.size)
2094 case NFT_SET_POL_MEMORY:
2095 if (est.size < best.size)
2097 if (est.size == best.size && est.class < best.class)
2104 if (!try_module_get(ops->owner))
2107 module_put(bops->owner);
2116 return ERR_PTR(-EOPNOTSUPP);
2119 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2120 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2121 [NFTA_SET_NAME] = { .type = NLA_STRING,
2122 .len = IFNAMSIZ - 1 },
2123 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2124 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2125 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2126 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2127 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2128 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2129 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2130 [NFTA_SET_ID] = { .type = NLA_U32 },
2133 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2134 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2137 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
2138 const struct sk_buff *skb,
2139 const struct nlmsghdr *nlh,
2140 const struct nlattr * const nla[])
2142 struct net *net = sock_net(skb->sk);
2143 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2144 struct nft_af_info *afi = NULL;
2145 struct nft_table *table = NULL;
2147 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2148 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2150 return PTR_ERR(afi);
2153 if (nla[NFTA_SET_TABLE] != NULL) {
2155 return -EAFNOSUPPORT;
2157 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2159 return PTR_ERR(table);
2160 if (table->flags & NFT_TABLE_INACTIVE)
2164 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2168 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2169 const struct nlattr *nla)
2171 struct nft_set *set;
2174 return ERR_PTR(-EINVAL);
2176 list_for_each_entry(set, &table->sets, list) {
2177 if (!nla_strcmp(nla, set->name))
2180 return ERR_PTR(-ENOENT);
2183 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2184 const struct nlattr *nla)
2186 struct nft_trans *trans;
2187 u32 id = ntohl(nla_get_be32(nla));
2189 list_for_each_entry(trans, &net->nft.commit_list, list) {
2190 if (trans->msg_type == NFT_MSG_NEWSET &&
2191 id == nft_trans_set_id(trans))
2192 return nft_trans_set(trans);
2194 return ERR_PTR(-ENOENT);
2197 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2200 const struct nft_set *i;
2202 unsigned long *inuse;
2203 unsigned int n = 0, min = 0;
2205 p = strnchr(name, IFNAMSIZ, '%');
2207 if (p[1] != 'd' || strchr(p + 2, '%'))
2210 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2214 list_for_each_entry(i, &ctx->table->sets, list) {
2217 if (!sscanf(i->name, name, &tmp))
2219 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2222 set_bit(tmp - min, inuse);
2225 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2226 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2227 min += BITS_PER_BYTE * PAGE_SIZE;
2228 memset(inuse, 0, PAGE_SIZE);
2231 free_page((unsigned long)inuse);
2234 snprintf(set->name, sizeof(set->name), name, min + n);
2235 list_for_each_entry(i, &ctx->table->sets, list) {
2236 if (!strcmp(set->name, i->name))
2242 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2243 const struct nft_set *set, u16 event, u16 flags)
2245 struct nfgenmsg *nfmsg;
2246 struct nlmsghdr *nlh;
2247 struct nlattr *desc;
2248 u32 portid = ctx->portid;
2251 event |= NFNL_SUBSYS_NFTABLES << 8;
2252 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2255 goto nla_put_failure;
2257 nfmsg = nlmsg_data(nlh);
2258 nfmsg->nfgen_family = ctx->afi->family;
2259 nfmsg->version = NFNETLINK_V0;
2262 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2263 goto nla_put_failure;
2264 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2265 goto nla_put_failure;
2266 if (set->flags != 0)
2267 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2268 goto nla_put_failure;
2270 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2271 goto nla_put_failure;
2272 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2273 goto nla_put_failure;
2274 if (set->flags & NFT_SET_MAP) {
2275 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2276 goto nla_put_failure;
2277 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2278 goto nla_put_failure;
2281 desc = nla_nest_start(skb, NFTA_SET_DESC);
2283 goto nla_put_failure;
2285 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2286 goto nla_put_failure;
2287 nla_nest_end(skb, desc);
2289 return nlmsg_end(skb, nlh);
2292 nlmsg_trim(skb, nlh);
2296 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2297 const struct nft_set *set,
2298 int event, gfp_t gfp_flags)
2300 struct sk_buff *skb;
2301 u32 portid = ctx->portid;
2305 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2309 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2313 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2319 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2320 ctx->report, gfp_flags);
2323 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2327 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2329 const struct nft_set *set;
2330 unsigned int idx, s_idx = cb->args[0];
2331 struct nft_af_info *afi;
2332 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2333 struct net *net = sock_net(skb->sk);
2334 int cur_family = cb->args[3];
2335 struct nft_ctx *ctx = cb->data, ctx_set;
2341 cb->seq = net->nft.base_seq;
2343 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2344 if (ctx->afi && ctx->afi != afi)
2348 if (afi->family != cur_family)
2353 list_for_each_entry_rcu(table, &afi->tables, list) {
2354 if (ctx->table && ctx->table != table)
2358 if (cur_table != table)
2364 list_for_each_entry_rcu(set, &table->sets, list) {
2369 ctx_set.table = table;
2371 if (nf_tables_fill_set(skb, &ctx_set, set,
2375 cb->args[2] = (unsigned long) table;
2376 cb->args[3] = afi->family;
2379 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2393 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2399 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2400 const struct nlmsghdr *nlh,
2401 const struct nlattr * const nla[])
2403 const struct nft_set *set;
2405 struct sk_buff *skb2;
2406 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2409 /* Verify existance before starting dump */
2410 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2414 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2415 struct netlink_dump_control c = {
2416 .dump = nf_tables_dump_sets,
2417 .done = nf_tables_dump_sets_done,
2419 struct nft_ctx *ctx_dump;
2421 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2422 if (ctx_dump == NULL)
2428 return netlink_dump_start(nlsk, skb, nlh, &c);
2431 /* Only accept unspec with dump */
2432 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2433 return -EAFNOSUPPORT;
2435 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2437 return PTR_ERR(set);
2438 if (set->flags & NFT_SET_INACTIVE)
2441 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2445 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2449 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2456 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2457 struct nft_set_desc *desc,
2458 const struct nlattr *nla)
2460 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2463 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2467 if (da[NFTA_SET_DESC_SIZE] != NULL)
2468 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2473 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2474 const struct nlmsghdr *nlh,
2475 const struct nlattr * const nla[])
2477 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2478 const struct nft_set_ops *ops;
2479 struct nft_af_info *afi;
2480 struct net *net = sock_net(skb->sk);
2481 struct nft_table *table;
2482 struct nft_set *set;
2484 char name[IFNAMSIZ];
2487 u32 ktype, dtype, flags, policy;
2488 struct nft_set_desc desc;
2491 if (nla[NFTA_SET_TABLE] == NULL ||
2492 nla[NFTA_SET_NAME] == NULL ||
2493 nla[NFTA_SET_KEY_LEN] == NULL ||
2494 nla[NFTA_SET_ID] == NULL)
2497 memset(&desc, 0, sizeof(desc));
2499 ktype = NFT_DATA_VALUE;
2500 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2501 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2502 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2506 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2507 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2511 if (nla[NFTA_SET_FLAGS] != NULL) {
2512 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2513 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2514 NFT_SET_INTERVAL | NFT_SET_MAP))
2519 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2520 if (!(flags & NFT_SET_MAP))
2523 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2524 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2525 dtype != NFT_DATA_VERDICT)
2528 if (dtype != NFT_DATA_VERDICT) {
2529 if (nla[NFTA_SET_DATA_LEN] == NULL)
2531 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2532 if (desc.dlen == 0 ||
2533 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2536 desc.dlen = sizeof(struct nft_data);
2537 } else if (flags & NFT_SET_MAP)
2540 policy = NFT_SET_POL_PERFORMANCE;
2541 if (nla[NFTA_SET_POLICY] != NULL)
2542 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2544 if (nla[NFTA_SET_DESC] != NULL) {
2545 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2550 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2552 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2554 return PTR_ERR(afi);
2556 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2558 return PTR_ERR(table);
2560 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2562 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2564 if (PTR_ERR(set) != -ENOENT)
2565 return PTR_ERR(set);
2570 if (nlh->nlmsg_flags & NLM_F_EXCL)
2572 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2577 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2580 ops = nft_select_set_ops(nla, &desc, policy);
2582 return PTR_ERR(ops);
2585 if (ops->privsize != NULL)
2586 size = ops->privsize(nla);
2589 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2593 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2594 err = nf_tables_set_alloc_name(&ctx, set, name);
2598 INIT_LIST_HEAD(&set->bindings);
2601 set->klen = desc.klen;
2603 set->dlen = desc.dlen;
2605 set->size = desc.size;
2607 err = ops->init(set, &desc, nla);
2611 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2615 list_add_tail_rcu(&set->list, &table->sets);
2622 module_put(ops->owner);
2626 static void nft_set_destroy(struct nft_set *set)
2628 set->ops->destroy(set);
2629 module_put(set->ops->owner);
2633 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2635 list_del_rcu(&set->list);
2636 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2637 nft_set_destroy(set);
2640 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2641 const struct nlmsghdr *nlh,
2642 const struct nlattr * const nla[])
2644 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2645 struct nft_set *set;
2649 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2650 return -EAFNOSUPPORT;
2651 if (nla[NFTA_SET_TABLE] == NULL)
2654 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2658 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2660 return PTR_ERR(set);
2661 if (set->flags & NFT_SET_INACTIVE)
2663 if (!list_empty(&set->bindings))
2666 return nft_delset(&ctx, set);
2669 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2670 const struct nft_set *set,
2671 const struct nft_set_iter *iter,
2672 const struct nft_set_elem *elem)
2674 enum nft_registers dreg;
2676 dreg = nft_type_to_reg(set->dtype);
2677 return nft_validate_data_load(ctx, dreg, &elem->data,
2678 set->dtype == NFT_DATA_VERDICT ?
2679 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2682 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2683 struct nft_set_binding *binding)
2685 struct nft_set_binding *i;
2686 struct nft_set_iter iter;
2688 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2691 if (set->flags & NFT_SET_MAP) {
2692 /* If the set is already bound to the same chain all
2693 * jumps are already validated for that chain.
2695 list_for_each_entry(i, &set->bindings, list) {
2696 if (i->chain == binding->chain)
2703 iter.fn = nf_tables_bind_check_setelem;
2705 set->ops->walk(ctx, set, &iter);
2707 /* Destroy anonymous sets if binding fails */
2708 if (set->flags & NFT_SET_ANONYMOUS)
2709 nf_tables_set_destroy(ctx, set);
2715 binding->chain = ctx->chain;
2716 list_add_tail_rcu(&binding->list, &set->bindings);
2720 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2721 struct nft_set_binding *binding)
2723 list_del_rcu(&binding->list);
2725 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2726 !(set->flags & NFT_SET_INACTIVE))
2727 nf_tables_set_destroy(ctx, set);
2734 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2735 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2736 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2737 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2740 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2741 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2742 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2743 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2744 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
2747 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2748 const struct sk_buff *skb,
2749 const struct nlmsghdr *nlh,
2750 const struct nlattr * const nla[],
2753 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2754 struct nft_af_info *afi;
2755 struct nft_table *table;
2756 struct net *net = sock_net(skb->sk);
2758 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2760 return PTR_ERR(afi);
2762 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2764 return PTR_ERR(table);
2765 if (!trans && (table->flags & NFT_TABLE_INACTIVE))
2768 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2772 static int nf_tables_fill_setelem(struct sk_buff *skb,
2773 const struct nft_set *set,
2774 const struct nft_set_elem *elem)
2776 unsigned char *b = skb_tail_pointer(skb);
2777 struct nlattr *nest;
2779 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2781 goto nla_put_failure;
2783 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2785 goto nla_put_failure;
2787 if (set->flags & NFT_SET_MAP &&
2788 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2789 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2790 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2792 goto nla_put_failure;
2794 if (elem->flags != 0)
2795 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2796 goto nla_put_failure;
2798 nla_nest_end(skb, nest);
2806 struct nft_set_dump_args {
2807 const struct netlink_callback *cb;
2808 struct nft_set_iter iter;
2809 struct sk_buff *skb;
2812 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2813 const struct nft_set *set,
2814 const struct nft_set_iter *iter,
2815 const struct nft_set_elem *elem)
2817 struct nft_set_dump_args *args;
2819 args = container_of(iter, struct nft_set_dump_args, iter);
2820 return nf_tables_fill_setelem(args->skb, set, elem);
2823 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2825 const struct nft_set *set;
2826 struct nft_set_dump_args args;
2828 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2829 struct nfgenmsg *nfmsg;
2830 struct nlmsghdr *nlh;
2831 struct nlattr *nest;
2835 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2836 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2840 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
2845 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2847 return PTR_ERR(set);
2848 if (set->flags & NFT_SET_INACTIVE)
2851 event = NFT_MSG_NEWSETELEM;
2852 event |= NFNL_SUBSYS_NFTABLES << 8;
2853 portid = NETLINK_CB(cb->skb).portid;
2854 seq = cb->nlh->nlmsg_seq;
2856 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2859 goto nla_put_failure;
2861 nfmsg = nlmsg_data(nlh);
2862 nfmsg->nfgen_family = ctx.afi->family;
2863 nfmsg->version = NFNETLINK_V0;
2866 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2867 goto nla_put_failure;
2868 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2869 goto nla_put_failure;
2871 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2873 goto nla_put_failure;
2877 args.iter.skip = cb->args[0];
2878 args.iter.count = 0;
2880 args.iter.fn = nf_tables_dump_setelem;
2881 set->ops->walk(&ctx, set, &args.iter);
2883 nla_nest_end(skb, nest);
2884 nlmsg_end(skb, nlh);
2886 if (args.iter.err && args.iter.err != -EMSGSIZE)
2887 return args.iter.err;
2888 if (args.iter.count == cb->args[0])
2891 cb->args[0] = args.iter.count;
2898 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2899 const struct nlmsghdr *nlh,
2900 const struct nlattr * const nla[])
2902 const struct nft_set *set;
2906 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
2910 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2912 return PTR_ERR(set);
2913 if (set->flags & NFT_SET_INACTIVE)
2916 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2917 struct netlink_dump_control c = {
2918 .dump = nf_tables_dump_set,
2920 return netlink_dump_start(nlsk, skb, nlh, &c);
2925 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
2926 const struct nft_ctx *ctx, u32 seq,
2927 u32 portid, int event, u16 flags,
2928 const struct nft_set *set,
2929 const struct nft_set_elem *elem)
2931 struct nfgenmsg *nfmsg;
2932 struct nlmsghdr *nlh;
2933 struct nlattr *nest;
2936 event |= NFNL_SUBSYS_NFTABLES << 8;
2937 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2940 goto nla_put_failure;
2942 nfmsg = nlmsg_data(nlh);
2943 nfmsg->nfgen_family = ctx->afi->family;
2944 nfmsg->version = NFNETLINK_V0;
2947 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2948 goto nla_put_failure;
2949 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2950 goto nla_put_failure;
2952 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2954 goto nla_put_failure;
2956 err = nf_tables_fill_setelem(skb, set, elem);
2958 goto nla_put_failure;
2960 nla_nest_end(skb, nest);
2962 return nlmsg_end(skb, nlh);
2965 nlmsg_trim(skb, nlh);
2969 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
2970 const struct nft_set *set,
2971 const struct nft_set_elem *elem,
2972 int event, u16 flags)
2974 struct net *net = ctx->net;
2975 u32 portid = ctx->portid;
2976 struct sk_buff *skb;
2979 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
2983 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2987 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
2994 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
2998 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3002 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3004 struct nft_set *set)
3006 struct nft_trans *trans;
3008 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3012 nft_trans_elem_set(trans) = set;
3016 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3017 const struct nlattr *attr)
3019 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3020 struct nft_data_desc d1, d2;
3021 struct nft_set_elem elem;
3022 struct nft_set_binding *binding;
3023 enum nft_registers dreg;
3024 struct nft_trans *trans;
3027 if (set->size && set->nelems == set->size)
3030 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3031 nft_set_elem_policy);
3035 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3039 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
3040 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
3041 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
3045 if (set->flags & NFT_SET_MAP) {
3046 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3047 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
3049 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3050 elem.flags & NFT_SET_ELEM_INTERVAL_END)
3053 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3057 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
3061 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3065 if (set->ops->get(set, &elem) == 0)
3068 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3069 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
3074 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3077 dreg = nft_type_to_reg(set->dtype);
3078 list_for_each_entry(binding, &set->bindings, list) {
3079 struct nft_ctx bind_ctx = {
3081 .table = ctx->table,
3082 .chain = (struct nft_chain *)binding->chain,
3085 err = nft_validate_data_load(&bind_ctx, dreg,
3086 &elem.data, d2.type);
3092 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3096 err = set->ops->insert(set, &elem);
3100 nft_trans_elem(trans) = elem;
3101 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3107 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3108 nft_data_uninit(&elem.data, d2.type);
3110 nft_data_uninit(&elem.key, d1.type);
3115 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
3116 const struct nlmsghdr *nlh,
3117 const struct nlattr * const nla[])
3119 struct net *net = sock_net(skb->sk);
3120 const struct nlattr *attr;
3121 struct nft_set *set;
3125 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3128 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
3132 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3134 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3135 set = nf_tables_set_lookup_byid(net,
3136 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3139 return PTR_ERR(set);
3142 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3145 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3146 err = nft_add_set_elem(&ctx, set, attr);
3155 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3156 const struct nlattr *attr)
3158 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3159 struct nft_data_desc desc;
3160 struct nft_set_elem elem;
3161 struct nft_trans *trans;
3164 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3165 nft_set_elem_policy);
3170 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3173 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
3178 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3181 err = set->ops->get(set, &elem);
3185 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3186 if (trans == NULL) {
3191 nft_trans_elem(trans) = elem;
3192 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3195 nft_data_uninit(&elem.key, desc.type);
3200 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3201 const struct nlmsghdr *nlh,
3202 const struct nlattr * const nla[])
3204 const struct nlattr *attr;
3205 struct nft_set *set;
3209 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3212 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
3216 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3218 return PTR_ERR(set);
3219 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3222 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3223 err = nft_del_setelem(&ctx, set, attr);
3232 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3233 [NFT_MSG_NEWTABLE] = {
3234 .call_batch = nf_tables_newtable,
3235 .attr_count = NFTA_TABLE_MAX,
3236 .policy = nft_table_policy,
3238 [NFT_MSG_GETTABLE] = {
3239 .call = nf_tables_gettable,
3240 .attr_count = NFTA_TABLE_MAX,
3241 .policy = nft_table_policy,
3243 [NFT_MSG_DELTABLE] = {
3244 .call_batch = nf_tables_deltable,
3245 .attr_count = NFTA_TABLE_MAX,
3246 .policy = nft_table_policy,
3248 [NFT_MSG_NEWCHAIN] = {
3249 .call_batch = nf_tables_newchain,
3250 .attr_count = NFTA_CHAIN_MAX,
3251 .policy = nft_chain_policy,
3253 [NFT_MSG_GETCHAIN] = {
3254 .call = nf_tables_getchain,
3255 .attr_count = NFTA_CHAIN_MAX,
3256 .policy = nft_chain_policy,
3258 [NFT_MSG_DELCHAIN] = {
3259 .call_batch = nf_tables_delchain,
3260 .attr_count = NFTA_CHAIN_MAX,
3261 .policy = nft_chain_policy,
3263 [NFT_MSG_NEWRULE] = {
3264 .call_batch = nf_tables_newrule,
3265 .attr_count = NFTA_RULE_MAX,
3266 .policy = nft_rule_policy,
3268 [NFT_MSG_GETRULE] = {
3269 .call = nf_tables_getrule,
3270 .attr_count = NFTA_RULE_MAX,
3271 .policy = nft_rule_policy,
3273 [NFT_MSG_DELRULE] = {
3274 .call_batch = nf_tables_delrule,
3275 .attr_count = NFTA_RULE_MAX,
3276 .policy = nft_rule_policy,
3278 [NFT_MSG_NEWSET] = {
3279 .call_batch = nf_tables_newset,
3280 .attr_count = NFTA_SET_MAX,
3281 .policy = nft_set_policy,
3283 [NFT_MSG_GETSET] = {
3284 .call = nf_tables_getset,
3285 .attr_count = NFTA_SET_MAX,
3286 .policy = nft_set_policy,
3288 [NFT_MSG_DELSET] = {
3289 .call_batch = nf_tables_delset,
3290 .attr_count = NFTA_SET_MAX,
3291 .policy = nft_set_policy,
3293 [NFT_MSG_NEWSETELEM] = {
3294 .call_batch = nf_tables_newsetelem,
3295 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3296 .policy = nft_set_elem_list_policy,
3298 [NFT_MSG_GETSETELEM] = {
3299 .call = nf_tables_getsetelem,
3300 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3301 .policy = nft_set_elem_list_policy,
3303 [NFT_MSG_DELSETELEM] = {
3304 .call_batch = nf_tables_delsetelem,
3305 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3306 .policy = nft_set_elem_list_policy,
3310 static void nft_chain_commit_update(struct nft_trans *trans)
3312 struct nft_base_chain *basechain;
3314 if (nft_trans_chain_name(trans)[0])
3315 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3317 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3320 basechain = nft_base_chain(trans->ctx.chain);
3321 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3323 switch (nft_trans_chain_policy(trans)) {
3326 basechain->policy = nft_trans_chain_policy(trans);
3331 /* Schedule objects for release via rcu to make sure no packets are accesing
3334 static void nf_tables_commit_release_rcu(struct rcu_head *rt)
3336 struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
3338 switch (trans->msg_type) {
3339 case NFT_MSG_DELTABLE:
3340 nf_tables_table_destroy(&trans->ctx);
3342 case NFT_MSG_DELCHAIN:
3343 nf_tables_chain_destroy(trans->ctx.chain);
3345 case NFT_MSG_DELRULE:
3346 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3348 case NFT_MSG_DELSET:
3349 nft_set_destroy(nft_trans_set(trans));
3355 static int nf_tables_commit(struct sk_buff *skb)
3357 struct net *net = sock_net(skb->sk);
3358 struct nft_trans *trans, *next;
3359 struct nft_trans_elem *te;
3361 /* Bump generation counter, invalidate any dump in progress */
3362 while (++net->nft.base_seq == 0);
3364 /* A new generation has just started */
3365 net->nft.gencursor = gencursor_next(net);
3367 /* Make sure all packets have left the previous generation before
3368 * purging old rules.
3372 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3373 switch (trans->msg_type) {
3374 case NFT_MSG_NEWTABLE:
3375 if (nft_trans_table_update(trans)) {
3376 if (!nft_trans_table_enable(trans)) {
3377 nf_tables_table_disable(trans->ctx.afi,
3379 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3382 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3384 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3385 nft_trans_destroy(trans);
3387 case NFT_MSG_DELTABLE:
3388 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3390 case NFT_MSG_NEWCHAIN:
3391 if (nft_trans_chain_update(trans))
3392 nft_chain_commit_update(trans);
3394 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3396 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3397 nft_trans_destroy(trans);
3399 case NFT_MSG_DELCHAIN:
3400 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3401 nf_tables_unregister_hooks(trans->ctx.table,
3403 trans->ctx.afi->nops);
3405 case NFT_MSG_NEWRULE:
3406 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3407 nf_tables_rule_notify(&trans->ctx,
3408 nft_trans_rule(trans),
3410 nft_trans_destroy(trans);
3412 case NFT_MSG_DELRULE:
3413 list_del_rcu(&nft_trans_rule(trans)->list);
3414 nf_tables_rule_notify(&trans->ctx,
3415 nft_trans_rule(trans),
3418 case NFT_MSG_NEWSET:
3419 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3420 /* This avoids hitting -EBUSY when deleting the table
3421 * from the transaction.
3423 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
3424 !list_empty(&nft_trans_set(trans)->bindings))
3425 trans->ctx.table->use--;
3427 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3428 NFT_MSG_NEWSET, GFP_KERNEL);
3429 nft_trans_destroy(trans);
3431 case NFT_MSG_DELSET:
3432 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3433 NFT_MSG_DELSET, GFP_KERNEL);
3435 case NFT_MSG_NEWSETELEM:
3436 nf_tables_setelem_notify(&trans->ctx,
3437 nft_trans_elem_set(trans),
3438 &nft_trans_elem(trans),
3439 NFT_MSG_NEWSETELEM, 0);
3440 nft_trans_destroy(trans);
3442 case NFT_MSG_DELSETELEM:
3443 te = (struct nft_trans_elem *)trans->data;
3444 nf_tables_setelem_notify(&trans->ctx, te->set,
3446 NFT_MSG_DELSETELEM, 0);
3447 te->set->ops->get(te->set, &te->elem);
3448 te->set->ops->remove(te->set, &te->elem);
3449 nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
3450 if (te->elem.flags & NFT_SET_MAP) {
3451 nft_data_uninit(&te->elem.data,
3454 nft_trans_destroy(trans);
3459 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3460 list_del(&trans->list);
3461 trans->ctx.nla = NULL;
3462 call_rcu(&trans->rcu_head, nf_tables_commit_release_rcu);
3468 /* Schedule objects for release via rcu to make sure no packets are accesing
3471 static void nf_tables_abort_release_rcu(struct rcu_head *rt)
3473 struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
3475 switch (trans->msg_type) {
3476 case NFT_MSG_NEWTABLE:
3477 nf_tables_table_destroy(&trans->ctx);
3479 case NFT_MSG_NEWCHAIN:
3480 nf_tables_chain_destroy(trans->ctx.chain);
3482 case NFT_MSG_NEWRULE:
3483 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3485 case NFT_MSG_NEWSET:
3486 nft_set_destroy(nft_trans_set(trans));
3492 static int nf_tables_abort(struct sk_buff *skb)
3494 struct net *net = sock_net(skb->sk);
3495 struct nft_trans *trans, *next;
3496 struct nft_set *set;
3498 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3499 switch (trans->msg_type) {
3500 case NFT_MSG_NEWTABLE:
3501 if (nft_trans_table_update(trans)) {
3502 if (nft_trans_table_enable(trans)) {
3503 nf_tables_table_disable(trans->ctx.afi,
3505 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3507 nft_trans_destroy(trans);
3509 list_del_rcu(&trans->ctx.table->list);
3512 case NFT_MSG_DELTABLE:
3513 list_add_tail_rcu(&trans->ctx.table->list,
3514 &trans->ctx.afi->tables);
3515 nft_trans_destroy(trans);
3517 case NFT_MSG_NEWCHAIN:
3518 if (nft_trans_chain_update(trans)) {
3519 if (nft_trans_chain_stats(trans))
3520 free_percpu(nft_trans_chain_stats(trans));
3522 nft_trans_destroy(trans);
3524 trans->ctx.table->use--;
3525 list_del_rcu(&trans->ctx.chain->list);
3526 nf_tables_unregister_hooks(trans->ctx.table,
3528 trans->ctx.afi->nops);
3531 case NFT_MSG_DELCHAIN:
3532 trans->ctx.table->use++;
3533 list_add_tail_rcu(&trans->ctx.chain->list,
3534 &trans->ctx.table->chains);
3535 nft_trans_destroy(trans);
3537 case NFT_MSG_NEWRULE:
3538 trans->ctx.chain->use--;
3539 list_del_rcu(&nft_trans_rule(trans)->list);
3541 case NFT_MSG_DELRULE:
3542 trans->ctx.chain->use++;
3543 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3544 nft_trans_destroy(trans);
3546 case NFT_MSG_NEWSET:
3547 trans->ctx.table->use--;
3548 list_del_rcu(&nft_trans_set(trans)->list);
3550 case NFT_MSG_DELSET:
3551 trans->ctx.table->use++;
3552 list_add_tail_rcu(&nft_trans_set(trans)->list,
3553 &trans->ctx.table->sets);
3554 nft_trans_destroy(trans);
3556 case NFT_MSG_NEWSETELEM:
3557 nft_trans_elem_set(trans)->nelems--;
3558 set = nft_trans_elem_set(trans);
3559 set->ops->get(set, &nft_trans_elem(trans));
3560 set->ops->remove(set, &nft_trans_elem(trans));
3561 nft_trans_destroy(trans);
3563 case NFT_MSG_DELSETELEM:
3564 nft_trans_elem_set(trans)->nelems++;
3565 nft_trans_destroy(trans);
3570 list_for_each_entry_safe_reverse(trans, next,
3571 &net->nft.commit_list, list) {
3572 list_del(&trans->list);
3573 trans->ctx.nla = NULL;
3574 call_rcu(&trans->rcu_head, nf_tables_abort_release_rcu);
3580 static const struct nfnetlink_subsystem nf_tables_subsys = {
3581 .name = "nf_tables",
3582 .subsys_id = NFNL_SUBSYS_NFTABLES,
3583 .cb_count = NFT_MSG_MAX,
3585 .commit = nf_tables_commit,
3586 .abort = nf_tables_abort,
3590 * Loop detection - walk through the ruleset beginning at the destination chain
3591 * of a new jump until either the source chain is reached (loop) or all
3592 * reachable chains have been traversed.
3594 * The loop check is performed whenever a new jump verdict is added to an
3595 * expression or verdict map or a verdict map is bound to a new chain.
3598 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3599 const struct nft_chain *chain);
3601 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3602 const struct nft_set *set,
3603 const struct nft_set_iter *iter,
3604 const struct nft_set_elem *elem)
3606 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3609 switch (elem->data.verdict) {
3612 return nf_tables_check_loops(ctx, elem->data.chain);
3618 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3619 const struct nft_chain *chain)
3621 const struct nft_rule *rule;
3622 const struct nft_expr *expr, *last;
3623 const struct nft_set *set;
3624 struct nft_set_binding *binding;
3625 struct nft_set_iter iter;
3627 if (ctx->chain == chain)
3630 list_for_each_entry(rule, &chain->rules, list) {
3631 nft_rule_for_each_expr(expr, last, rule) {
3632 const struct nft_data *data = NULL;
3635 if (!expr->ops->validate)
3638 err = expr->ops->validate(ctx, expr, &data);
3645 switch (data->verdict) {
3648 err = nf_tables_check_loops(ctx, data->chain);
3657 list_for_each_entry(set, &ctx->table->sets, list) {
3658 if (!(set->flags & NFT_SET_MAP) ||
3659 set->dtype != NFT_DATA_VERDICT)
3662 list_for_each_entry(binding, &set->bindings, list) {
3663 if (binding->chain != chain)
3669 iter.fn = nf_tables_loop_check_setelem;
3671 set->ops->walk(ctx, set, &iter);
3681 * nft_validate_input_register - validate an expressions' input register
3683 * @reg: the register number
3685 * Validate that the input register is one of the general purpose
3688 int nft_validate_input_register(enum nft_registers reg)
3690 if (reg <= NFT_REG_VERDICT)
3692 if (reg > NFT_REG_MAX)
3696 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3699 * nft_validate_output_register - validate an expressions' output register
3701 * @reg: the register number
3703 * Validate that the output register is one of the general purpose
3704 * registers or the verdict register.
3706 int nft_validate_output_register(enum nft_registers reg)
3708 if (reg < NFT_REG_VERDICT)
3710 if (reg > NFT_REG_MAX)
3714 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3717 * nft_validate_data_load - validate an expressions' data load
3719 * @ctx: context of the expression performing the load
3720 * @reg: the destination register number
3721 * @data: the data to load
3722 * @type: the data type
3724 * Validate that a data load uses the appropriate data type for
3725 * the destination register. A value of NULL for the data means
3726 * that its runtime gathered data, which is always of type
3729 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3730 const struct nft_data *data,
3731 enum nft_data_types type)
3736 case NFT_REG_VERDICT:
3737 if (data == NULL || type != NFT_DATA_VERDICT)
3740 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3741 err = nf_tables_check_loops(ctx, data->chain);
3745 if (ctx->chain->level + 1 > data->chain->level) {
3746 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3748 data->chain->level = ctx->chain->level + 1;
3754 if (data != NULL && type != NFT_DATA_VALUE)
3759 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3761 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3762 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3763 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3764 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3767 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3768 struct nft_data_desc *desc, const struct nlattr *nla)
3770 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3771 struct nft_chain *chain;
3774 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3778 if (!tb[NFTA_VERDICT_CODE])
3780 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3782 switch (data->verdict) {
3784 switch (data->verdict & NF_VERDICT_MASK) {
3796 desc->len = sizeof(data->verdict);
3800 if (!tb[NFTA_VERDICT_CHAIN])
3802 chain = nf_tables_chain_lookup(ctx->table,
3803 tb[NFTA_VERDICT_CHAIN]);
3805 return PTR_ERR(chain);
3806 if (chain->flags & NFT_BASE_CHAIN)
3810 data->chain = chain;
3811 desc->len = sizeof(data);
3815 desc->type = NFT_DATA_VERDICT;
3819 static void nft_verdict_uninit(const struct nft_data *data)
3821 switch (data->verdict) {
3829 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3831 struct nlattr *nest;
3833 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3835 goto nla_put_failure;
3837 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3838 goto nla_put_failure;
3840 switch (data->verdict) {
3843 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3844 goto nla_put_failure;
3846 nla_nest_end(skb, nest);
3853 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3854 struct nft_data_desc *desc, const struct nlattr *nla)
3861 if (len > sizeof(data->data))
3864 nla_memcpy(data->data, nla, sizeof(data->data));
3865 desc->type = NFT_DATA_VALUE;
3870 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3873 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3876 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3877 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3878 .len = FIELD_SIZEOF(struct nft_data, data) },
3879 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3883 * nft_data_init - parse nf_tables data netlink attributes
3885 * @ctx: context of the expression using the data
3886 * @data: destination struct nft_data
3887 * @desc: data description
3888 * @nla: netlink attribute containing data
3890 * Parse the netlink data attributes and initialize a struct nft_data.
3891 * The type and length of data are returned in the data description.
3893 * The caller can indicate that it only wants to accept data of type
3894 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3896 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3897 struct nft_data_desc *desc, const struct nlattr *nla)
3899 struct nlattr *tb[NFTA_DATA_MAX + 1];
3902 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3906 if (tb[NFTA_DATA_VALUE])
3907 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3908 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3909 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3912 EXPORT_SYMBOL_GPL(nft_data_init);
3915 * nft_data_uninit - release a nft_data item
3917 * @data: struct nft_data to release
3918 * @type: type of data
3920 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3921 * all others need to be released by calling this function.
3923 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3926 case NFT_DATA_VALUE:
3928 case NFT_DATA_VERDICT:
3929 return nft_verdict_uninit(data);
3934 EXPORT_SYMBOL_GPL(nft_data_uninit);
3936 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3937 enum nft_data_types type, unsigned int len)
3939 struct nlattr *nest;
3942 nest = nla_nest_start(skb, attr);
3947 case NFT_DATA_VALUE:
3948 err = nft_value_dump(skb, data, len);
3950 case NFT_DATA_VERDICT:
3951 err = nft_verdict_dump(skb, data);
3958 nla_nest_end(skb, nest);
3961 EXPORT_SYMBOL_GPL(nft_data_dump);
3963 static int nf_tables_init_net(struct net *net)
3965 INIT_LIST_HEAD(&net->nft.af_info);
3966 INIT_LIST_HEAD(&net->nft.commit_list);
3967 net->nft.base_seq = 1;
3971 static struct pernet_operations nf_tables_net_ops = {
3972 .init = nf_tables_init_net,
3975 static int __init nf_tables_module_init(void)
3979 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3986 err = nf_tables_core_module_init();
3990 err = nfnetlink_subsys_register(&nf_tables_subsys);
3994 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3995 return register_pernet_subsys(&nf_tables_net_ops);
3997 nf_tables_core_module_exit();
4004 static void __exit nf_tables_module_exit(void)
4006 unregister_pernet_subsys(&nf_tables_net_ops);
4007 nfnetlink_subsys_unregister(&nf_tables_subsys);
4008 nf_tables_core_module_exit();
4012 module_init(nf_tables_module_init);
4013 module_exit(nf_tables_module_exit);
4015 MODULE_LICENSE("GPL");
4016 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4017 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / karo-tx-linux.git / blob