2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
108 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, u32 size)
110 struct nft_trans *trans;
112 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
121 static void nft_trans_destroy(struct nft_trans *trans)
123 list_del(&trans->list);
131 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
132 const struct nlattr *nla)
134 struct nft_table *table;
136 list_for_each_entry(table, &afi->tables, list) {
137 if (!nla_strcmp(nla, table->name))
143 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
144 const struct nlattr *nla)
146 struct nft_table *table;
149 return ERR_PTR(-EINVAL);
151 table = nft_table_lookup(afi, nla);
155 return ERR_PTR(-ENOENT);
158 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
160 return ++table->hgenerator;
163 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
165 static const struct nf_chain_type *
166 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
170 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
171 if (chain_type[family][i] != NULL &&
172 !nla_strcmp(nla, chain_type[family][i]->name))
173 return chain_type[family][i];
178 static const struct nf_chain_type *
179 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
180 const struct nlattr *nla,
183 const struct nf_chain_type *type;
185 type = __nf_tables_chain_type_lookup(afi->family, nla);
188 #ifdef CONFIG_MODULES
190 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
191 request_module("nft-chain-%u-%*.s", afi->family,
192 nla_len(nla)-1, (const char *)nla_data(nla));
193 nfnl_lock(NFNL_SUBSYS_NFTABLES);
194 type = __nf_tables_chain_type_lookup(afi->family, nla);
196 return ERR_PTR(-EAGAIN);
199 return ERR_PTR(-ENOENT);
202 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
203 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
204 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
207 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
208 int event, u32 flags, int family,
209 const struct nft_table *table)
211 struct nlmsghdr *nlh;
212 struct nfgenmsg *nfmsg;
214 event |= NFNL_SUBSYS_NFTABLES << 8;
215 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
217 goto nla_put_failure;
219 nfmsg = nlmsg_data(nlh);
220 nfmsg->nfgen_family = family;
221 nfmsg->version = NFNETLINK_V0;
224 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
225 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
226 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
227 goto nla_put_failure;
229 return nlmsg_end(skb, nlh);
232 nlmsg_trim(skb, nlh);
236 static int nf_tables_table_notify(const struct sk_buff *oskb,
237 const struct nlmsghdr *nlh,
238 const struct nft_table *table,
239 int event, int family)
242 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
243 u32 seq = nlh ? nlh->nlmsg_seq : 0;
244 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
248 report = nlh ? nlmsg_report(nlh) : false;
249 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
253 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
257 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
264 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
268 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
272 static int nf_tables_dump_tables(struct sk_buff *skb,
273 struct netlink_callback *cb)
275 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
276 const struct nft_af_info *afi;
277 const struct nft_table *table;
278 unsigned int idx = 0, s_idx = cb->args[0];
279 struct net *net = sock_net(skb->sk);
280 int family = nfmsg->nfgen_family;
282 list_for_each_entry(afi, &net->nft.af_info, list) {
283 if (family != NFPROTO_UNSPEC && family != afi->family)
286 list_for_each_entry(table, &afi->tables, list) {
290 memset(&cb->args[1], 0,
291 sizeof(cb->args) - sizeof(cb->args[0]));
292 if (nf_tables_fill_table_info(skb,
293 NETLINK_CB(cb->skb).portid,
297 afi->family, table) < 0)
308 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
309 const struct nlmsghdr *nlh,
310 const struct nlattr * const nla[])
312 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
313 const struct nft_af_info *afi;
314 const struct nft_table *table;
315 struct sk_buff *skb2;
316 struct net *net = sock_net(skb->sk);
317 int family = nfmsg->nfgen_family;
320 if (nlh->nlmsg_flags & NLM_F_DUMP) {
321 struct netlink_dump_control c = {
322 .dump = nf_tables_dump_tables,
324 return netlink_dump_start(nlsk, skb, nlh, &c);
327 afi = nf_tables_afinfo_lookup(net, family, false);
331 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
333 return PTR_ERR(table);
335 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
339 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
340 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
345 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
352 static int nf_tables_table_enable(const struct nft_af_info *afi,
353 struct nft_table *table)
355 struct nft_chain *chain;
358 list_for_each_entry(chain, &table->chains, list) {
359 if (!(chain->flags & NFT_BASE_CHAIN))
362 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
370 list_for_each_entry(chain, &table->chains, list) {
371 if (!(chain->flags & NFT_BASE_CHAIN))
377 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
382 static int nf_tables_table_disable(const struct nft_af_info *afi,
383 struct nft_table *table)
385 struct nft_chain *chain;
387 list_for_each_entry(chain, &table->chains, list) {
388 if (chain->flags & NFT_BASE_CHAIN)
389 nf_unregister_hooks(nft_base_chain(chain)->ops,
396 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
397 const struct nlmsghdr *nlh,
398 const struct nlattr * const nla[],
399 struct nft_af_info *afi, struct nft_table *table)
401 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
402 int family = nfmsg->nfgen_family, ret = 0;
404 if (nla[NFTA_TABLE_FLAGS]) {
407 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
408 if (flags & ~NFT_TABLE_F_DORMANT)
411 if ((flags & NFT_TABLE_F_DORMANT) &&
412 !(table->flags & NFT_TABLE_F_DORMANT)) {
413 ret = nf_tables_table_disable(afi, table);
415 table->flags |= NFT_TABLE_F_DORMANT;
416 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
417 table->flags & NFT_TABLE_F_DORMANT) {
418 ret = nf_tables_table_enable(afi, table);
420 table->flags &= ~NFT_TABLE_F_DORMANT;
426 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
431 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
432 const struct nlmsghdr *nlh,
433 const struct nlattr * const nla[])
435 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
436 const struct nlattr *name;
437 struct nft_af_info *afi;
438 struct nft_table *table;
439 struct net *net = sock_net(skb->sk);
440 int family = nfmsg->nfgen_family;
443 afi = nf_tables_afinfo_lookup(net, family, true);
447 name = nla[NFTA_TABLE_NAME];
448 table = nf_tables_table_lookup(afi, name);
450 if (PTR_ERR(table) != -ENOENT)
451 return PTR_ERR(table);
456 if (nlh->nlmsg_flags & NLM_F_EXCL)
458 if (nlh->nlmsg_flags & NLM_F_REPLACE)
460 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
463 if (nla[NFTA_TABLE_FLAGS]) {
464 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
465 if (flags & ~NFT_TABLE_F_DORMANT)
469 if (!try_module_get(afi->owner))
470 return -EAFNOSUPPORT;
472 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
474 module_put(afi->owner);
478 nla_strlcpy(table->name, name, nla_len(name));
479 INIT_LIST_HEAD(&table->chains);
480 INIT_LIST_HEAD(&table->sets);
481 table->flags = flags;
483 list_add_tail(&table->list, &afi->tables);
484 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
488 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
489 const struct nlmsghdr *nlh,
490 const struct nlattr * const nla[])
492 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
493 struct nft_af_info *afi;
494 struct nft_table *table;
495 struct net *net = sock_net(skb->sk);
496 int family = nfmsg->nfgen_family;
498 afi = nf_tables_afinfo_lookup(net, family, false);
502 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
504 return PTR_ERR(table);
506 if (!list_empty(&table->chains) || !list_empty(&table->sets))
509 list_del(&table->list);
510 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
512 module_put(afi->owner);
516 int nft_register_chain_type(const struct nf_chain_type *ctype)
520 nfnl_lock(NFNL_SUBSYS_NFTABLES);
521 if (chain_type[ctype->family][ctype->type] != NULL) {
525 chain_type[ctype->family][ctype->type] = ctype;
527 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
530 EXPORT_SYMBOL_GPL(nft_register_chain_type);
532 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
534 nfnl_lock(NFNL_SUBSYS_NFTABLES);
535 chain_type[ctype->family][ctype->type] = NULL;
536 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
538 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
544 static struct nft_chain *
545 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
547 struct nft_chain *chain;
549 list_for_each_entry(chain, &table->chains, list) {
550 if (chain->handle == handle)
554 return ERR_PTR(-ENOENT);
557 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
558 const struct nlattr *nla)
560 struct nft_chain *chain;
563 return ERR_PTR(-EINVAL);
565 list_for_each_entry(chain, &table->chains, list) {
566 if (!nla_strcmp(nla, chain->name))
570 return ERR_PTR(-ENOENT);
573 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
574 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
575 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
576 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
577 .len = NFT_CHAIN_MAXNAMELEN - 1 },
578 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
579 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
580 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
581 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
584 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
585 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
586 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
589 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
591 struct nft_stats *cpu_stats, total;
595 memset(&total, 0, sizeof(total));
596 for_each_possible_cpu(cpu) {
597 cpu_stats = per_cpu_ptr(stats, cpu);
598 total.pkts += cpu_stats->pkts;
599 total.bytes += cpu_stats->bytes;
601 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
603 goto nla_put_failure;
605 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
606 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
607 goto nla_put_failure;
609 nla_nest_end(skb, nest);
616 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
617 int event, u32 flags, int family,
618 const struct nft_table *table,
619 const struct nft_chain *chain)
621 struct nlmsghdr *nlh;
622 struct nfgenmsg *nfmsg;
624 event |= NFNL_SUBSYS_NFTABLES << 8;
625 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
627 goto nla_put_failure;
629 nfmsg = nlmsg_data(nlh);
630 nfmsg->nfgen_family = family;
631 nfmsg->version = NFNETLINK_V0;
634 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
635 goto nla_put_failure;
636 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
637 goto nla_put_failure;
638 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
639 goto nla_put_failure;
641 if (chain->flags & NFT_BASE_CHAIN) {
642 const struct nft_base_chain *basechain = nft_base_chain(chain);
643 const struct nf_hook_ops *ops = &basechain->ops[0];
646 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
648 goto nla_put_failure;
649 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
650 goto nla_put_failure;
651 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
652 goto nla_put_failure;
653 nla_nest_end(skb, nest);
655 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
656 htonl(basechain->policy)))
657 goto nla_put_failure;
659 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
660 goto nla_put_failure;
662 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
663 goto nla_put_failure;
666 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
667 goto nla_put_failure;
669 return nlmsg_end(skb, nlh);
672 nlmsg_trim(skb, nlh);
676 static int nf_tables_chain_notify(const struct sk_buff *oskb,
677 const struct nlmsghdr *nlh,
678 const struct nft_table *table,
679 const struct nft_chain *chain,
680 int event, int family)
683 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
684 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
685 u32 seq = nlh ? nlh->nlmsg_seq : 0;
689 report = nlh ? nlmsg_report(nlh) : false;
690 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
694 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
698 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
705 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
709 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
713 static int nf_tables_dump_chains(struct sk_buff *skb,
714 struct netlink_callback *cb)
716 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
717 const struct nft_af_info *afi;
718 const struct nft_table *table;
719 const struct nft_chain *chain;
720 unsigned int idx = 0, s_idx = cb->args[0];
721 struct net *net = sock_net(skb->sk);
722 int family = nfmsg->nfgen_family;
724 list_for_each_entry(afi, &net->nft.af_info, list) {
725 if (family != NFPROTO_UNSPEC && family != afi->family)
728 list_for_each_entry(table, &afi->tables, list) {
729 list_for_each_entry(chain, &table->chains, list) {
733 memset(&cb->args[1], 0,
734 sizeof(cb->args) - sizeof(cb->args[0]));
735 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
739 afi->family, table, chain) < 0)
752 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
753 const struct nlmsghdr *nlh,
754 const struct nlattr * const nla[])
756 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
757 const struct nft_af_info *afi;
758 const struct nft_table *table;
759 const struct nft_chain *chain;
760 struct sk_buff *skb2;
761 struct net *net = sock_net(skb->sk);
762 int family = nfmsg->nfgen_family;
765 if (nlh->nlmsg_flags & NLM_F_DUMP) {
766 struct netlink_dump_control c = {
767 .dump = nf_tables_dump_chains,
769 return netlink_dump_start(nlsk, skb, nlh, &c);
772 afi = nf_tables_afinfo_lookup(net, family, false);
776 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
778 return PTR_ERR(table);
780 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
782 return PTR_ERR(chain);
784 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
788 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
789 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
790 family, table, chain);
794 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
801 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
802 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
803 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
807 nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
809 struct nlattr *tb[NFTA_COUNTER_MAX+1];
810 struct nft_stats __percpu *newstats;
811 struct nft_stats *stats;
814 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
818 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
821 newstats = alloc_percpu(struct nft_stats);
822 if (newstats == NULL)
825 /* Restore old counters on this cpu, no problem. Per-cpu statistics
826 * are not exposed to userspace.
828 stats = this_cpu_ptr(newstats);
829 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
830 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
833 struct nft_stats __percpu *oldstats =
834 nft_dereference(chain->stats);
836 rcu_assign_pointer(chain->stats, newstats);
838 free_percpu(oldstats);
840 rcu_assign_pointer(chain->stats, newstats);
845 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
846 const struct nlmsghdr *nlh,
847 const struct nlattr * const nla[])
849 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
850 const struct nlattr * uninitialized_var(name);
851 struct nft_af_info *afi;
852 struct nft_table *table;
853 struct nft_chain *chain;
854 struct nft_base_chain *basechain = NULL;
855 struct nlattr *ha[NFTA_HOOK_MAX + 1];
856 struct net *net = sock_net(skb->sk);
857 int family = nfmsg->nfgen_family;
858 u8 policy = NF_ACCEPT;
864 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
866 afi = nf_tables_afinfo_lookup(net, family, true);
870 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
872 return PTR_ERR(table);
875 name = nla[NFTA_CHAIN_NAME];
877 if (nla[NFTA_CHAIN_HANDLE]) {
878 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
879 chain = nf_tables_chain_lookup_byhandle(table, handle);
881 return PTR_ERR(chain);
883 chain = nf_tables_chain_lookup(table, name);
885 if (PTR_ERR(chain) != -ENOENT)
886 return PTR_ERR(chain);
891 if (nla[NFTA_CHAIN_POLICY]) {
892 if ((chain != NULL &&
893 !(chain->flags & NFT_BASE_CHAIN)) ||
894 nla[NFTA_CHAIN_HOOK] == NULL)
897 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
908 if (nlh->nlmsg_flags & NLM_F_EXCL)
910 if (nlh->nlmsg_flags & NLM_F_REPLACE)
913 if (nla[NFTA_CHAIN_HANDLE] && name &&
914 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
917 if (nla[NFTA_CHAIN_COUNTERS]) {
918 if (!(chain->flags & NFT_BASE_CHAIN))
921 err = nf_tables_counters(nft_base_chain(chain),
922 nla[NFTA_CHAIN_COUNTERS]);
927 if (nla[NFTA_CHAIN_POLICY])
928 nft_base_chain(chain)->policy = policy;
930 if (nla[NFTA_CHAIN_HANDLE] && name)
931 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
936 if (table->use == UINT_MAX)
939 if (nla[NFTA_CHAIN_HOOK]) {
940 const struct nf_chain_type *type;
941 struct nf_hook_ops *ops;
943 u32 hooknum, priority;
945 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
946 if (nla[NFTA_CHAIN_TYPE]) {
947 type = nf_tables_chain_type_lookup(afi,
948 nla[NFTA_CHAIN_TYPE],
951 return PTR_ERR(type);
954 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
958 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
959 ha[NFTA_HOOK_PRIORITY] == NULL)
962 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
963 if (hooknum >= afi->nhooks)
965 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
967 if (!(type->hook_mask & (1 << hooknum)))
969 if (!try_module_get(type->owner))
971 hookfn = type->hooks[hooknum];
973 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
974 if (basechain == NULL)
977 if (nla[NFTA_CHAIN_COUNTERS]) {
978 err = nf_tables_counters(basechain,
979 nla[NFTA_CHAIN_COUNTERS]);
981 module_put(type->owner);
986 struct nft_stats __percpu *newstats;
988 newstats = alloc_percpu(struct nft_stats);
989 if (newstats == NULL) {
990 module_put(type->owner);
994 rcu_assign_pointer(basechain->stats, newstats);
997 basechain->type = type;
998 chain = &basechain->chain;
1000 for (i = 0; i < afi->nops; i++) {
1001 ops = &basechain->ops[i];
1003 ops->owner = afi->owner;
1004 ops->hooknum = hooknum;
1005 ops->priority = priority;
1007 ops->hook = afi->hooks[ops->hooknum];
1010 if (afi->hook_ops_init)
1011 afi->hook_ops_init(ops, i);
1014 chain->flags |= NFT_BASE_CHAIN;
1015 basechain->policy = policy;
1017 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1022 INIT_LIST_HEAD(&chain->rules);
1023 chain->handle = nf_tables_alloc_handle(table);
1025 chain->table = table;
1026 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1028 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1029 chain->flags & NFT_BASE_CHAIN) {
1030 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1032 module_put(basechain->type->owner);
1033 free_percpu(basechain->stats);
1038 list_add_tail(&chain->list, &table->chains);
1041 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
1046 static void nf_tables_chain_destroy(struct nft_chain *chain)
1048 BUG_ON(chain->use > 0);
1050 if (chain->flags & NFT_BASE_CHAIN) {
1051 module_put(nft_base_chain(chain)->type->owner);
1052 free_percpu(nft_base_chain(chain)->stats);
1053 kfree(nft_base_chain(chain));
1058 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1059 const struct nlmsghdr *nlh,
1060 const struct nlattr * const nla[])
1062 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1063 struct nft_af_info *afi;
1064 struct nft_table *table;
1065 struct nft_chain *chain;
1066 struct net *net = sock_net(skb->sk);
1067 int family = nfmsg->nfgen_family;
1069 afi = nf_tables_afinfo_lookup(net, family, false);
1071 return PTR_ERR(afi);
1073 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1075 return PTR_ERR(table);
1077 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1079 return PTR_ERR(chain);
1081 if (!list_empty(&chain->rules) || chain->use > 0)
1084 list_del(&chain->list);
1087 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1088 chain->flags & NFT_BASE_CHAIN)
1089 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
1091 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1094 /* Make sure all rule references are gone before this is released */
1097 nf_tables_chain_destroy(chain);
1106 * nft_register_expr - register nf_tables expr type
1109 * Registers the expr type for use with nf_tables. Returns zero on
1110 * success or a negative errno code otherwise.
1112 int nft_register_expr(struct nft_expr_type *type)
1114 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1115 if (type->family == NFPROTO_UNSPEC)
1116 list_add_tail(&type->list, &nf_tables_expressions);
1118 list_add(&type->list, &nf_tables_expressions);
1119 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1122 EXPORT_SYMBOL_GPL(nft_register_expr);
1125 * nft_unregister_expr - unregister nf_tables expr type
1128 * Unregisters the expr typefor use with nf_tables.
1130 void nft_unregister_expr(struct nft_expr_type *type)
1132 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1133 list_del(&type->list);
1134 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1136 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1138 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1141 const struct nft_expr_type *type;
1143 list_for_each_entry(type, &nf_tables_expressions, list) {
1144 if (!nla_strcmp(nla, type->name) &&
1145 (!type->family || type->family == family))
1151 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1154 const struct nft_expr_type *type;
1157 return ERR_PTR(-EINVAL);
1159 type = __nft_expr_type_get(family, nla);
1160 if (type != NULL && try_module_get(type->owner))
1163 #ifdef CONFIG_MODULES
1165 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1166 request_module("nft-expr-%u-%.*s", family,
1167 nla_len(nla), (char *)nla_data(nla));
1168 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1169 if (__nft_expr_type_get(family, nla))
1170 return ERR_PTR(-EAGAIN);
1172 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1173 request_module("nft-expr-%.*s",
1174 nla_len(nla), (char *)nla_data(nla));
1175 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1176 if (__nft_expr_type_get(family, nla))
1177 return ERR_PTR(-EAGAIN);
1180 return ERR_PTR(-ENOENT);
1183 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1184 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1185 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1188 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1189 const struct nft_expr *expr)
1191 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1192 goto nla_put_failure;
1194 if (expr->ops->dump) {
1195 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1197 goto nla_put_failure;
1198 if (expr->ops->dump(skb, expr) < 0)
1199 goto nla_put_failure;
1200 nla_nest_end(skb, data);
1209 struct nft_expr_info {
1210 const struct nft_expr_ops *ops;
1211 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1214 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1215 const struct nlattr *nla,
1216 struct nft_expr_info *info)
1218 const struct nft_expr_type *type;
1219 const struct nft_expr_ops *ops;
1220 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1223 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1227 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1229 return PTR_ERR(type);
1231 if (tb[NFTA_EXPR_DATA]) {
1232 err = nla_parse_nested(info->tb, type->maxattr,
1233 tb[NFTA_EXPR_DATA], type->policy);
1237 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1239 if (type->select_ops != NULL) {
1240 ops = type->select_ops(ctx,
1241 (const struct nlattr * const *)info->tb);
1253 module_put(type->owner);
1257 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1258 const struct nft_expr_info *info,
1259 struct nft_expr *expr)
1261 const struct nft_expr_ops *ops = info->ops;
1266 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1278 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1279 struct nft_expr *expr)
1281 if (expr->ops->destroy)
1282 expr->ops->destroy(ctx, expr);
1283 module_put(expr->ops->type->owner);
1290 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1293 struct nft_rule *rule;
1295 // FIXME: this sucks
1296 list_for_each_entry(rule, &chain->rules, list) {
1297 if (handle == rule->handle)
1301 return ERR_PTR(-ENOENT);
1304 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1305 const struct nlattr *nla)
1308 return ERR_PTR(-EINVAL);
1310 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1313 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1314 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1315 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1316 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1317 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1318 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1319 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1320 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1321 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1322 .len = NFT_USERDATA_MAXLEN },
1325 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1326 int event, u32 flags, int family,
1327 const struct nft_table *table,
1328 const struct nft_chain *chain,
1329 const struct nft_rule *rule)
1331 struct nlmsghdr *nlh;
1332 struct nfgenmsg *nfmsg;
1333 const struct nft_expr *expr, *next;
1334 struct nlattr *list;
1335 const struct nft_rule *prule;
1336 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1338 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1341 goto nla_put_failure;
1343 nfmsg = nlmsg_data(nlh);
1344 nfmsg->nfgen_family = family;
1345 nfmsg->version = NFNETLINK_V0;
1348 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1349 goto nla_put_failure;
1350 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1351 goto nla_put_failure;
1352 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1353 goto nla_put_failure;
1355 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1356 prule = list_entry(rule->list.prev, struct nft_rule, list);
1357 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1358 cpu_to_be64(prule->handle)))
1359 goto nla_put_failure;
1362 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1364 goto nla_put_failure;
1365 nft_rule_for_each_expr(expr, next, rule) {
1366 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1368 goto nla_put_failure;
1369 if (nf_tables_fill_expr_info(skb, expr) < 0)
1370 goto nla_put_failure;
1371 nla_nest_end(skb, elem);
1373 nla_nest_end(skb, list);
1376 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1377 goto nla_put_failure;
1379 return nlmsg_end(skb, nlh);
1382 nlmsg_trim(skb, nlh);
1386 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1387 const struct nlmsghdr *nlh,
1388 const struct nft_table *table,
1389 const struct nft_chain *chain,
1390 const struct nft_rule *rule,
1391 int event, u32 flags, int family)
1393 struct sk_buff *skb;
1394 u32 portid = NETLINK_CB(oskb).portid;
1395 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1396 u32 seq = nlh->nlmsg_seq;
1400 report = nlmsg_report(nlh);
1401 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1405 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1409 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1410 family, table, chain, rule);
1416 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1420 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1425 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1427 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1430 static inline int gencursor_next(struct net *net)
1432 return net->nft.gencursor+1 == 1 ? 1 : 0;
1436 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1438 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1442 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1444 /* Now inactive, will be active in the future */
1445 rule->genmask = (1 << net->nft.gencursor);
1449 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1451 rule->genmask = (1 << gencursor_next(net));
1454 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1459 static int nf_tables_dump_rules(struct sk_buff *skb,
1460 struct netlink_callback *cb)
1462 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1463 const struct nft_af_info *afi;
1464 const struct nft_table *table;
1465 const struct nft_chain *chain;
1466 const struct nft_rule *rule;
1467 unsigned int idx = 0, s_idx = cb->args[0];
1468 struct net *net = sock_net(skb->sk);
1469 int family = nfmsg->nfgen_family;
1470 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1471 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1473 list_for_each_entry(afi, &net->nft.af_info, list) {
1474 if (family != NFPROTO_UNSPEC && family != afi->family)
1477 list_for_each_entry(table, &afi->tables, list) {
1478 list_for_each_entry(chain, &table->chains, list) {
1479 list_for_each_entry(rule, &chain->rules, list) {
1480 if (!nft_rule_is_active(net, rule))
1485 memset(&cb->args[1], 0,
1486 sizeof(cb->args) - sizeof(cb->args[0]));
1487 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1490 NLM_F_MULTI | NLM_F_APPEND,
1491 afi->family, table, chain, rule) < 0)
1500 /* Invalidate this dump, a transition to the new generation happened */
1501 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1508 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1509 const struct nlmsghdr *nlh,
1510 const struct nlattr * const nla[])
1512 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1513 const struct nft_af_info *afi;
1514 const struct nft_table *table;
1515 const struct nft_chain *chain;
1516 const struct nft_rule *rule;
1517 struct sk_buff *skb2;
1518 struct net *net = sock_net(skb->sk);
1519 int family = nfmsg->nfgen_family;
1522 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1523 struct netlink_dump_control c = {
1524 .dump = nf_tables_dump_rules,
1526 return netlink_dump_start(nlsk, skb, nlh, &c);
1529 afi = nf_tables_afinfo_lookup(net, family, false);
1531 return PTR_ERR(afi);
1533 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1535 return PTR_ERR(table);
1537 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1539 return PTR_ERR(chain);
1541 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1543 return PTR_ERR(rule);
1545 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1549 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1550 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1551 family, table, chain, rule);
1555 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1562 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1563 struct nft_rule *rule)
1565 struct nft_expr *expr;
1568 * Careful: some expressions might not be initialized in case this
1569 * is called on error from nf_tables_newrule().
1571 expr = nft_expr_first(rule);
1572 while (expr->ops && expr != nft_expr_last(rule)) {
1573 nf_tables_expr_destroy(ctx, expr);
1574 expr = nft_expr_next(expr);
1579 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx,
1580 struct nft_rule *rule)
1582 struct nft_trans *trans;
1584 trans = nft_trans_alloc(ctx, sizeof(struct nft_trans_rule));
1588 nft_trans_rule(trans) = rule;
1589 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1594 #define NFT_RULE_MAXEXPRS 128
1596 static struct nft_expr_info *info;
1598 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1599 const struct nlmsghdr *nlh,
1600 const struct nlattr * const nla[])
1602 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1603 struct nft_af_info *afi;
1604 struct net *net = sock_net(skb->sk);
1605 struct nft_table *table;
1606 struct nft_chain *chain;
1607 struct nft_rule *rule, *old_rule = NULL;
1608 struct nft_trans *trans = NULL;
1609 struct nft_expr *expr;
1612 unsigned int size, i, n, ulen = 0;
1615 u64 handle, pos_handle;
1617 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1619 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1621 return PTR_ERR(afi);
1623 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1625 return PTR_ERR(table);
1627 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1629 return PTR_ERR(chain);
1631 if (nla[NFTA_RULE_HANDLE]) {
1632 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1633 rule = __nf_tables_rule_lookup(chain, handle);
1635 return PTR_ERR(rule);
1637 if (nlh->nlmsg_flags & NLM_F_EXCL)
1639 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1644 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1646 handle = nf_tables_alloc_handle(table);
1649 if (nla[NFTA_RULE_POSITION]) {
1650 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1653 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1654 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1655 if (IS_ERR(old_rule))
1656 return PTR_ERR(old_rule);
1659 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1663 if (nla[NFTA_RULE_EXPRESSIONS]) {
1664 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1666 if (nla_type(tmp) != NFTA_LIST_ELEM)
1668 if (n == NFT_RULE_MAXEXPRS)
1670 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1673 size += info[n].ops->size;
1678 if (nla[NFTA_RULE_USERDATA])
1679 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1682 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1686 nft_rule_activate_next(net, rule);
1688 rule->handle = handle;
1693 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1695 expr = nft_expr_first(rule);
1696 for (i = 0; i < n; i++) {
1697 err = nf_tables_newexpr(&ctx, &info[i], expr);
1701 expr = nft_expr_next(expr);
1704 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1705 if (nft_rule_is_active_next(net, old_rule)) {
1706 trans = nft_trans_rule_add(&ctx, old_rule);
1707 if (trans == NULL) {
1711 nft_rule_disactivate_next(net, old_rule);
1712 list_add_tail(&rule->list, &old_rule->list);
1717 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1719 list_add_rcu(&rule->list, &old_rule->list);
1721 list_add_tail_rcu(&rule->list, &chain->rules);
1724 list_add_tail_rcu(&rule->list, &old_rule->list);
1726 list_add_rcu(&rule->list, &chain->rules);
1729 if (nft_trans_rule_add(&ctx, rule) == NULL) {
1736 list_del_rcu(&rule->list);
1738 list_del_rcu(&nft_trans_rule(trans)->list);
1739 nft_rule_clear(net, nft_trans_rule(trans));
1740 nft_trans_destroy(trans);
1743 nf_tables_rule_destroy(&ctx, rule);
1745 for (i = 0; i < n; i++) {
1746 if (info[i].ops != NULL)
1747 module_put(info[i].ops->type->owner);
1753 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1755 /* You cannot delete the same rule twice */
1756 if (nft_rule_is_active_next(ctx->net, rule)) {
1757 if (nft_trans_rule_add(ctx, rule) == NULL)
1759 nft_rule_disactivate_next(ctx->net, rule);
1765 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1767 struct nft_rule *rule;
1770 list_for_each_entry(rule, &ctx->chain->rules, list) {
1771 err = nf_tables_delrule_one(ctx, rule);
1778 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1779 const struct nlmsghdr *nlh,
1780 const struct nlattr * const nla[])
1782 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1783 struct nft_af_info *afi;
1784 struct net *net = sock_net(skb->sk);
1785 struct nft_table *table;
1786 struct nft_chain *chain = NULL;
1787 struct nft_rule *rule;
1788 int family = nfmsg->nfgen_family, err = 0;
1791 afi = nf_tables_afinfo_lookup(net, family, false);
1793 return PTR_ERR(afi);
1795 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1797 return PTR_ERR(table);
1799 if (nla[NFTA_RULE_CHAIN]) {
1800 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1802 return PTR_ERR(chain);
1805 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1808 if (nla[NFTA_RULE_HANDLE]) {
1809 rule = nf_tables_rule_lookup(chain,
1810 nla[NFTA_RULE_HANDLE]);
1812 return PTR_ERR(rule);
1814 err = nf_tables_delrule_one(&ctx, rule);
1816 err = nf_table_delrule_by_chain(&ctx);
1819 list_for_each_entry(chain, &table->chains, list) {
1821 err = nf_table_delrule_by_chain(&ctx);
1834 static LIST_HEAD(nf_tables_set_ops);
1836 int nft_register_set(struct nft_set_ops *ops)
1838 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1839 list_add_tail(&ops->list, &nf_tables_set_ops);
1840 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1843 EXPORT_SYMBOL_GPL(nft_register_set);
1845 void nft_unregister_set(struct nft_set_ops *ops)
1847 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1848 list_del(&ops->list);
1849 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1851 EXPORT_SYMBOL_GPL(nft_unregister_set);
1854 * Select a set implementation based on the data characteristics and the
1855 * given policy. The total memory use might not be known if no size is
1856 * given, in that case the amount of memory per element is used.
1858 static const struct nft_set_ops *
1859 nft_select_set_ops(const struct nlattr * const nla[],
1860 const struct nft_set_desc *desc,
1861 enum nft_set_policies policy)
1863 const struct nft_set_ops *ops, *bops;
1864 struct nft_set_estimate est, best;
1867 #ifdef CONFIG_MODULES
1868 if (list_empty(&nf_tables_set_ops)) {
1869 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1870 request_module("nft-set");
1871 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1872 if (!list_empty(&nf_tables_set_ops))
1873 return ERR_PTR(-EAGAIN);
1877 if (nla[NFTA_SET_FLAGS] != NULL) {
1878 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1879 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1886 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1887 if ((ops->features & features) != features)
1889 if (!ops->estimate(desc, features, &est))
1893 case NFT_SET_POL_PERFORMANCE:
1894 if (est.class < best.class)
1896 if (est.class == best.class && est.size < best.size)
1899 case NFT_SET_POL_MEMORY:
1900 if (est.size < best.size)
1902 if (est.size == best.size && est.class < best.class)
1909 if (!try_module_get(ops->owner))
1912 module_put(bops->owner);
1921 return ERR_PTR(-EOPNOTSUPP);
1924 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1925 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1926 [NFTA_SET_NAME] = { .type = NLA_STRING },
1927 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1928 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1929 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1930 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1931 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1932 [NFTA_SET_POLICY] = { .type = NLA_U32 },
1933 [NFTA_SET_DESC] = { .type = NLA_NESTED },
1936 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
1937 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
1940 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1941 const struct sk_buff *skb,
1942 const struct nlmsghdr *nlh,
1943 const struct nlattr * const nla[])
1945 struct net *net = sock_net(skb->sk);
1946 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1947 struct nft_af_info *afi = NULL;
1948 struct nft_table *table = NULL;
1950 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
1951 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1953 return PTR_ERR(afi);
1956 if (nla[NFTA_SET_TABLE] != NULL) {
1958 return -EAFNOSUPPORT;
1960 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
1962 return PTR_ERR(table);
1965 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
1969 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1970 const struct nlattr *nla)
1972 struct nft_set *set;
1975 return ERR_PTR(-EINVAL);
1977 list_for_each_entry(set, &table->sets, list) {
1978 if (!nla_strcmp(nla, set->name))
1981 return ERR_PTR(-ENOENT);
1984 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
1987 const struct nft_set *i;
1989 unsigned long *inuse;
1990 unsigned int n = 0, min = 0;
1992 p = strnchr(name, IFNAMSIZ, '%');
1994 if (p[1] != 'd' || strchr(p + 2, '%'))
1997 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2001 list_for_each_entry(i, &ctx->table->sets, list) {
2004 if (!sscanf(i->name, name, &tmp))
2006 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2009 set_bit(tmp - min, inuse);
2012 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2013 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2014 min += BITS_PER_BYTE * PAGE_SIZE;
2015 memset(inuse, 0, PAGE_SIZE);
2018 free_page((unsigned long)inuse);
2021 snprintf(set->name, sizeof(set->name), name, min + n);
2022 list_for_each_entry(i, &ctx->table->sets, list) {
2023 if (!strcmp(set->name, i->name))
2029 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2030 const struct nft_set *set, u16 event, u16 flags)
2032 struct nfgenmsg *nfmsg;
2033 struct nlmsghdr *nlh;
2034 struct nlattr *desc;
2035 u32 portid = NETLINK_CB(ctx->skb).portid;
2036 u32 seq = ctx->nlh->nlmsg_seq;
2038 event |= NFNL_SUBSYS_NFTABLES << 8;
2039 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2042 goto nla_put_failure;
2044 nfmsg = nlmsg_data(nlh);
2045 nfmsg->nfgen_family = ctx->afi->family;
2046 nfmsg->version = NFNETLINK_V0;
2049 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2050 goto nla_put_failure;
2051 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2052 goto nla_put_failure;
2053 if (set->flags != 0)
2054 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2055 goto nla_put_failure;
2057 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2058 goto nla_put_failure;
2059 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2060 goto nla_put_failure;
2061 if (set->flags & NFT_SET_MAP) {
2062 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2063 goto nla_put_failure;
2064 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2065 goto nla_put_failure;
2068 desc = nla_nest_start(skb, NFTA_SET_DESC);
2070 goto nla_put_failure;
2072 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2073 goto nla_put_failure;
2074 nla_nest_end(skb, desc);
2076 return nlmsg_end(skb, nlh);
2079 nlmsg_trim(skb, nlh);
2083 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2084 const struct nft_set *set,
2087 struct sk_buff *skb;
2088 u32 portid = NETLINK_CB(ctx->skb).portid;
2092 report = nlmsg_report(ctx->nlh);
2093 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2097 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2101 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2107 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2111 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2115 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2116 struct netlink_callback *cb)
2118 const struct nft_set *set;
2119 unsigned int idx = 0, s_idx = cb->args[0];
2124 list_for_each_entry(set, &ctx->table->sets, list) {
2127 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2140 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2141 struct netlink_callback *cb)
2143 const struct nft_set *set;
2144 unsigned int idx, s_idx = cb->args[0];
2145 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2150 list_for_each_entry(table, &ctx->afi->tables, list) {
2152 if (cur_table != table)
2159 list_for_each_entry(set, &ctx->table->sets, list) {
2162 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2165 cb->args[2] = (unsigned long) table;
2177 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2178 struct netlink_callback *cb)
2180 const struct nft_set *set;
2181 unsigned int idx, s_idx = cb->args[0];
2182 struct nft_af_info *afi;
2183 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2184 struct net *net = sock_net(skb->sk);
2185 int cur_family = cb->args[3];
2190 list_for_each_entry(afi, &net->nft.af_info, list) {
2192 if (afi->family != cur_family)
2198 list_for_each_entry(table, &afi->tables, list) {
2200 if (cur_table != table)
2209 list_for_each_entry(set, &ctx->table->sets, list) {
2212 if (nf_tables_fill_set(skb, ctx, set,
2216 cb->args[2] = (unsigned long) table;
2217 cb->args[3] = afi->family;
2232 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2234 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2235 struct nlattr *nla[NFTA_SET_MAX + 1];
2239 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2244 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2248 if (ctx.table == NULL) {
2249 if (ctx.afi == NULL)
2250 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2252 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2254 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2259 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2260 const struct nlmsghdr *nlh,
2261 const struct nlattr * const nla[])
2263 const struct nft_set *set;
2265 struct sk_buff *skb2;
2266 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2269 /* Verify existance before starting dump */
2270 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2274 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2275 struct netlink_dump_control c = {
2276 .dump = nf_tables_dump_sets,
2278 return netlink_dump_start(nlsk, skb, nlh, &c);
2281 /* Only accept unspec with dump */
2282 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2283 return -EAFNOSUPPORT;
2285 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2287 return PTR_ERR(set);
2289 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2293 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2297 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2304 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2305 struct nft_set_desc *desc,
2306 const struct nlattr *nla)
2308 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2311 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2315 if (da[NFTA_SET_DESC_SIZE] != NULL)
2316 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2321 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2322 const struct nlmsghdr *nlh,
2323 const struct nlattr * const nla[])
2325 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2326 const struct nft_set_ops *ops;
2327 struct nft_af_info *afi;
2328 struct net *net = sock_net(skb->sk);
2329 struct nft_table *table;
2330 struct nft_set *set;
2332 char name[IFNAMSIZ];
2335 u32 ktype, dtype, flags, policy;
2336 struct nft_set_desc desc;
2339 if (nla[NFTA_SET_TABLE] == NULL ||
2340 nla[NFTA_SET_NAME] == NULL ||
2341 nla[NFTA_SET_KEY_LEN] == NULL)
2344 memset(&desc, 0, sizeof(desc));
2346 ktype = NFT_DATA_VALUE;
2347 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2348 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2349 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2353 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2354 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2358 if (nla[NFTA_SET_FLAGS] != NULL) {
2359 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2360 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2361 NFT_SET_INTERVAL | NFT_SET_MAP))
2366 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2367 if (!(flags & NFT_SET_MAP))
2370 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2371 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2372 dtype != NFT_DATA_VERDICT)
2375 if (dtype != NFT_DATA_VERDICT) {
2376 if (nla[NFTA_SET_DATA_LEN] == NULL)
2378 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2379 if (desc.dlen == 0 ||
2380 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2383 desc.dlen = sizeof(struct nft_data);
2384 } else if (flags & NFT_SET_MAP)
2387 policy = NFT_SET_POL_PERFORMANCE;
2388 if (nla[NFTA_SET_POLICY] != NULL)
2389 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2391 if (nla[NFTA_SET_DESC] != NULL) {
2392 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2397 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2399 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2401 return PTR_ERR(afi);
2403 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2405 return PTR_ERR(table);
2407 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2409 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2411 if (PTR_ERR(set) != -ENOENT)
2412 return PTR_ERR(set);
2417 if (nlh->nlmsg_flags & NLM_F_EXCL)
2419 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2424 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2427 ops = nft_select_set_ops(nla, &desc, policy);
2429 return PTR_ERR(ops);
2432 if (ops->privsize != NULL)
2433 size = ops->privsize(nla);
2436 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2440 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2441 err = nf_tables_set_alloc_name(&ctx, set, name);
2445 INIT_LIST_HEAD(&set->bindings);
2448 set->klen = desc.klen;
2450 set->dlen = desc.dlen;
2452 set->size = desc.size;
2454 err = ops->init(set, &desc, nla);
2458 list_add_tail(&set->list, &table->sets);
2459 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2465 module_put(ops->owner);
2469 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2471 list_del(&set->list);
2472 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2474 set->ops->destroy(set);
2475 module_put(set->ops->owner);
2479 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2480 const struct nlmsghdr *nlh,
2481 const struct nlattr * const nla[])
2483 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2484 struct nft_set *set;
2488 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2489 return -EAFNOSUPPORT;
2490 if (nla[NFTA_SET_TABLE] == NULL)
2493 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2497 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2499 return PTR_ERR(set);
2500 if (!list_empty(&set->bindings))
2503 nf_tables_set_destroy(&ctx, set);
2507 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2508 const struct nft_set *set,
2509 const struct nft_set_iter *iter,
2510 const struct nft_set_elem *elem)
2512 enum nft_registers dreg;
2514 dreg = nft_type_to_reg(set->dtype);
2515 return nft_validate_data_load(ctx, dreg, &elem->data,
2516 set->dtype == NFT_DATA_VERDICT ?
2517 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2520 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2521 struct nft_set_binding *binding)
2523 struct nft_set_binding *i;
2524 struct nft_set_iter iter;
2526 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2529 if (set->flags & NFT_SET_MAP) {
2530 /* If the set is already bound to the same chain all
2531 * jumps are already validated for that chain.
2533 list_for_each_entry(i, &set->bindings, list) {
2534 if (i->chain == binding->chain)
2541 iter.fn = nf_tables_bind_check_setelem;
2543 set->ops->walk(ctx, set, &iter);
2545 /* Destroy anonymous sets if binding fails */
2546 if (set->flags & NFT_SET_ANONYMOUS)
2547 nf_tables_set_destroy(ctx, set);
2553 binding->chain = ctx->chain;
2554 list_add_tail(&binding->list, &set->bindings);
2558 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2559 struct nft_set_binding *binding)
2561 list_del(&binding->list);
2563 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2564 nf_tables_set_destroy(ctx, set);
2571 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2572 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2573 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2574 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2577 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2578 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2579 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2580 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2583 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2584 const struct sk_buff *skb,
2585 const struct nlmsghdr *nlh,
2586 const struct nlattr * const nla[])
2588 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2589 struct nft_af_info *afi;
2590 struct nft_table *table;
2591 struct net *net = sock_net(skb->sk);
2593 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2595 return PTR_ERR(afi);
2597 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2599 return PTR_ERR(table);
2601 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2605 static int nf_tables_fill_setelem(struct sk_buff *skb,
2606 const struct nft_set *set,
2607 const struct nft_set_elem *elem)
2609 unsigned char *b = skb_tail_pointer(skb);
2610 struct nlattr *nest;
2612 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2614 goto nla_put_failure;
2616 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2618 goto nla_put_failure;
2620 if (set->flags & NFT_SET_MAP &&
2621 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2622 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2623 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2625 goto nla_put_failure;
2627 if (elem->flags != 0)
2628 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2629 goto nla_put_failure;
2631 nla_nest_end(skb, nest);
2639 struct nft_set_dump_args {
2640 const struct netlink_callback *cb;
2641 struct nft_set_iter iter;
2642 struct sk_buff *skb;
2645 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2646 const struct nft_set *set,
2647 const struct nft_set_iter *iter,
2648 const struct nft_set_elem *elem)
2650 struct nft_set_dump_args *args;
2652 args = container_of(iter, struct nft_set_dump_args, iter);
2653 return nf_tables_fill_setelem(args->skb, set, elem);
2656 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2658 const struct nft_set *set;
2659 struct nft_set_dump_args args;
2661 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2662 struct nfgenmsg *nfmsg;
2663 struct nlmsghdr *nlh;
2664 struct nlattr *nest;
2668 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2669 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2673 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2677 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2679 return PTR_ERR(set);
2681 event = NFT_MSG_NEWSETELEM;
2682 event |= NFNL_SUBSYS_NFTABLES << 8;
2683 portid = NETLINK_CB(cb->skb).portid;
2684 seq = cb->nlh->nlmsg_seq;
2686 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2689 goto nla_put_failure;
2691 nfmsg = nlmsg_data(nlh);
2692 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2693 nfmsg->version = NFNETLINK_V0;
2696 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2697 goto nla_put_failure;
2698 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2699 goto nla_put_failure;
2701 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2703 goto nla_put_failure;
2707 args.iter.skip = cb->args[0];
2708 args.iter.count = 0;
2710 args.iter.fn = nf_tables_dump_setelem;
2711 set->ops->walk(&ctx, set, &args.iter);
2713 nla_nest_end(skb, nest);
2714 nlmsg_end(skb, nlh);
2716 if (args.iter.err && args.iter.err != -EMSGSIZE)
2717 return args.iter.err;
2718 if (args.iter.count == cb->args[0])
2721 cb->args[0] = args.iter.count;
2728 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2729 const struct nlmsghdr *nlh,
2730 const struct nlattr * const nla[])
2732 const struct nft_set *set;
2736 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2740 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2742 return PTR_ERR(set);
2744 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2745 struct netlink_dump_control c = {
2746 .dump = nf_tables_dump_set,
2748 return netlink_dump_start(nlsk, skb, nlh, &c);
2753 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
2754 const struct nft_ctx *ctx, u32 seq,
2755 u32 portid, int event, u16 flags,
2756 const struct nft_set *set,
2757 const struct nft_set_elem *elem)
2759 struct nfgenmsg *nfmsg;
2760 struct nlmsghdr *nlh;
2761 struct nlattr *nest;
2764 event |= NFNL_SUBSYS_NFTABLES << 8;
2765 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2768 goto nla_put_failure;
2770 nfmsg = nlmsg_data(nlh);
2771 nfmsg->nfgen_family = ctx->afi->family;
2772 nfmsg->version = NFNETLINK_V0;
2775 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2776 goto nla_put_failure;
2777 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2778 goto nla_put_failure;
2780 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2782 goto nla_put_failure;
2784 err = nf_tables_fill_setelem(skb, set, elem);
2786 goto nla_put_failure;
2788 nla_nest_end(skb, nest);
2790 return nlmsg_end(skb, nlh);
2793 nlmsg_trim(skb, nlh);
2797 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
2798 const struct nft_set *set,
2799 const struct nft_set_elem *elem,
2800 int event, u16 flags)
2802 const struct sk_buff *oskb = ctx->skb;
2803 struct net *net = sock_net(oskb->sk);
2804 u32 portid = NETLINK_CB(oskb).portid;
2805 bool report = nlmsg_report(ctx->nlh);
2806 struct sk_buff *skb;
2809 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
2813 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2817 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
2824 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
2828 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
2832 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2833 const struct nlattr *attr)
2835 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2836 struct nft_data_desc d1, d2;
2837 struct nft_set_elem elem;
2838 struct nft_set_binding *binding;
2839 enum nft_registers dreg;
2842 if (set->size && set->nelems == set->size)
2845 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2846 nft_set_elem_policy);
2850 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2854 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2855 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2856 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2860 if (set->flags & NFT_SET_MAP) {
2861 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2862 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2864 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
2865 elem.flags & NFT_SET_ELEM_INTERVAL_END)
2868 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2872 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2876 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2880 if (set->ops->get(set, &elem) == 0)
2883 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2884 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2889 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2892 dreg = nft_type_to_reg(set->dtype);
2893 list_for_each_entry(binding, &set->bindings, list) {
2894 struct nft_ctx bind_ctx = {
2896 .table = ctx->table,
2897 .chain = (struct nft_chain *)binding->chain,
2900 err = nft_validate_data_load(&bind_ctx, dreg,
2901 &elem.data, d2.type);
2907 err = set->ops->insert(set, &elem);
2912 nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_NEWSETELEM, 0);
2916 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2917 nft_data_uninit(&elem.data, d2.type);
2919 nft_data_uninit(&elem.key, d1.type);
2924 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2925 const struct nlmsghdr *nlh,
2926 const struct nlattr * const nla[])
2928 const struct nlattr *attr;
2929 struct nft_set *set;
2933 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2937 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2939 return PTR_ERR(set);
2940 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2943 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2944 err = nft_add_set_elem(&ctx, set, attr);
2951 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2952 const struct nlattr *attr)
2954 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2955 struct nft_data_desc desc;
2956 struct nft_set_elem elem;
2959 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2960 nft_set_elem_policy);
2965 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2968 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2973 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2976 err = set->ops->get(set, &elem);
2980 set->ops->remove(set, &elem);
2983 nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_DELSETELEM, 0);
2985 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2986 if (set->flags & NFT_SET_MAP)
2987 nft_data_uninit(&elem.data, set->dtype);
2990 nft_data_uninit(&elem.key, desc.type);
2995 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2996 const struct nlmsghdr *nlh,
2997 const struct nlattr * const nla[])
2999 const struct nlattr *attr;
3000 struct nft_set *set;
3004 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
3008 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3010 return PTR_ERR(set);
3011 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3014 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3015 err = nft_del_setelem(&ctx, set, attr);
3022 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3023 [NFT_MSG_NEWTABLE] = {
3024 .call = nf_tables_newtable,
3025 .attr_count = NFTA_TABLE_MAX,
3026 .policy = nft_table_policy,
3028 [NFT_MSG_GETTABLE] = {
3029 .call = nf_tables_gettable,
3030 .attr_count = NFTA_TABLE_MAX,
3031 .policy = nft_table_policy,
3033 [NFT_MSG_DELTABLE] = {
3034 .call = nf_tables_deltable,
3035 .attr_count = NFTA_TABLE_MAX,
3036 .policy = nft_table_policy,
3038 [NFT_MSG_NEWCHAIN] = {
3039 .call = nf_tables_newchain,
3040 .attr_count = NFTA_CHAIN_MAX,
3041 .policy = nft_chain_policy,
3043 [NFT_MSG_GETCHAIN] = {
3044 .call = nf_tables_getchain,
3045 .attr_count = NFTA_CHAIN_MAX,
3046 .policy = nft_chain_policy,
3048 [NFT_MSG_DELCHAIN] = {
3049 .call = nf_tables_delchain,
3050 .attr_count = NFTA_CHAIN_MAX,
3051 .policy = nft_chain_policy,
3053 [NFT_MSG_NEWRULE] = {
3054 .call_batch = nf_tables_newrule,
3055 .attr_count = NFTA_RULE_MAX,
3056 .policy = nft_rule_policy,
3058 [NFT_MSG_GETRULE] = {
3059 .call = nf_tables_getrule,
3060 .attr_count = NFTA_RULE_MAX,
3061 .policy = nft_rule_policy,
3063 [NFT_MSG_DELRULE] = {
3064 .call_batch = nf_tables_delrule,
3065 .attr_count = NFTA_RULE_MAX,
3066 .policy = nft_rule_policy,
3068 [NFT_MSG_NEWSET] = {
3069 .call = nf_tables_newset,
3070 .attr_count = NFTA_SET_MAX,
3071 .policy = nft_set_policy,
3073 [NFT_MSG_GETSET] = {
3074 .call = nf_tables_getset,
3075 .attr_count = NFTA_SET_MAX,
3076 .policy = nft_set_policy,
3078 [NFT_MSG_DELSET] = {
3079 .call = nf_tables_delset,
3080 .attr_count = NFTA_SET_MAX,
3081 .policy = nft_set_policy,
3083 [NFT_MSG_NEWSETELEM] = {
3084 .call = nf_tables_newsetelem,
3085 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3086 .policy = nft_set_elem_list_policy,
3088 [NFT_MSG_GETSETELEM] = {
3089 .call = nf_tables_getsetelem,
3090 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3091 .policy = nft_set_elem_list_policy,
3093 [NFT_MSG_DELSETELEM] = {
3094 .call = nf_tables_delsetelem,
3095 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3096 .policy = nft_set_elem_list_policy,
3100 static int nf_tables_commit(struct sk_buff *skb)
3102 struct net *net = sock_net(skb->sk);
3103 struct nft_trans *trans, *next;
3105 /* Bump generation counter, invalidate any dump in progress */
3108 /* A new generation has just started */
3109 net->nft.gencursor = gencursor_next(net);
3111 /* Make sure all packets have left the previous generation before
3112 * purging old rules.
3116 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3117 /* This rule was inactive in the past and just became active.
3118 * Clear the next bit of the genmask since its meaning has
3119 * changed, now it is the future.
3121 if (nft_rule_is_active(net, nft_trans_rule(trans))) {
3122 nft_rule_clear(net, nft_trans_rule(trans));
3123 nf_tables_rule_notify(skb, trans->ctx.nlh,
3126 nft_trans_rule(trans),
3128 trans->ctx.afi->family);
3129 nft_trans_destroy(trans);
3133 /* This rule is in the past, get rid of it */
3134 list_del_rcu(&nft_trans_rule(trans)->list);
3135 nf_tables_rule_notify(skb, trans->ctx.nlh,
3136 trans->ctx.table, trans->ctx.chain,
3137 nft_trans_rule(trans), NFT_MSG_DELRULE,
3138 0, trans->ctx.afi->family);
3141 /* Make sure we don't see any packet traversing old rules */
3144 /* Now we can safely release unused old rules */
3145 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3146 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3147 nft_trans_destroy(trans);
3153 static int nf_tables_abort(struct sk_buff *skb)
3155 struct net *net = sock_net(skb->sk);
3156 struct nft_trans *trans, *next;
3158 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3159 if (!nft_rule_is_active_next(net, nft_trans_rule(trans))) {
3160 nft_rule_clear(net, nft_trans_rule(trans));
3161 nft_trans_destroy(trans);
3165 /* This rule is inactive, get rid of it */
3166 list_del_rcu(&nft_trans_rule(trans)->list);
3169 /* Make sure we don't see any packet accessing aborted rules */
3172 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3173 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3174 nft_trans_destroy(trans);
3180 static const struct nfnetlink_subsystem nf_tables_subsys = {
3181 .name = "nf_tables",
3182 .subsys_id = NFNL_SUBSYS_NFTABLES,
3183 .cb_count = NFT_MSG_MAX,
3185 .commit = nf_tables_commit,
3186 .abort = nf_tables_abort,
3190 * Loop detection - walk through the ruleset beginning at the destination chain
3191 * of a new jump until either the source chain is reached (loop) or all
3192 * reachable chains have been traversed.
3194 * The loop check is performed whenever a new jump verdict is added to an
3195 * expression or verdict map or a verdict map is bound to a new chain.
3198 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3199 const struct nft_chain *chain);
3201 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3202 const struct nft_set *set,
3203 const struct nft_set_iter *iter,
3204 const struct nft_set_elem *elem)
3206 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3209 switch (elem->data.verdict) {
3212 return nf_tables_check_loops(ctx, elem->data.chain);
3218 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3219 const struct nft_chain *chain)
3221 const struct nft_rule *rule;
3222 const struct nft_expr *expr, *last;
3223 const struct nft_set *set;
3224 struct nft_set_binding *binding;
3225 struct nft_set_iter iter;
3227 if (ctx->chain == chain)
3230 list_for_each_entry(rule, &chain->rules, list) {
3231 nft_rule_for_each_expr(expr, last, rule) {
3232 const struct nft_data *data = NULL;
3235 if (!expr->ops->validate)
3238 err = expr->ops->validate(ctx, expr, &data);
3245 switch (data->verdict) {
3248 err = nf_tables_check_loops(ctx, data->chain);
3257 list_for_each_entry(set, &ctx->table->sets, list) {
3258 if (!(set->flags & NFT_SET_MAP) ||
3259 set->dtype != NFT_DATA_VERDICT)
3262 list_for_each_entry(binding, &set->bindings, list) {
3263 if (binding->chain != chain)
3269 iter.fn = nf_tables_loop_check_setelem;
3271 set->ops->walk(ctx, set, &iter);
3281 * nft_validate_input_register - validate an expressions' input register
3283 * @reg: the register number
3285 * Validate that the input register is one of the general purpose
3288 int nft_validate_input_register(enum nft_registers reg)
3290 if (reg <= NFT_REG_VERDICT)
3292 if (reg > NFT_REG_MAX)
3296 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3299 * nft_validate_output_register - validate an expressions' output register
3301 * @reg: the register number
3303 * Validate that the output register is one of the general purpose
3304 * registers or the verdict register.
3306 int nft_validate_output_register(enum nft_registers reg)
3308 if (reg < NFT_REG_VERDICT)
3310 if (reg > NFT_REG_MAX)
3314 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3317 * nft_validate_data_load - validate an expressions' data load
3319 * @ctx: context of the expression performing the load
3320 * @reg: the destination register number
3321 * @data: the data to load
3322 * @type: the data type
3324 * Validate that a data load uses the appropriate data type for
3325 * the destination register. A value of NULL for the data means
3326 * that its runtime gathered data, which is always of type
3329 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3330 const struct nft_data *data,
3331 enum nft_data_types type)
3336 case NFT_REG_VERDICT:
3337 if (data == NULL || type != NFT_DATA_VERDICT)
3340 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3341 err = nf_tables_check_loops(ctx, data->chain);
3345 if (ctx->chain->level + 1 > data->chain->level) {
3346 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3348 data->chain->level = ctx->chain->level + 1;
3354 if (data != NULL && type != NFT_DATA_VALUE)
3359 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3361 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3362 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3363 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3364 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3367 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3368 struct nft_data_desc *desc, const struct nlattr *nla)
3370 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3371 struct nft_chain *chain;
3374 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3378 if (!tb[NFTA_VERDICT_CODE])
3380 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3382 switch (data->verdict) {
3384 switch (data->verdict & NF_VERDICT_MASK) {
3396 desc->len = sizeof(data->verdict);
3400 if (!tb[NFTA_VERDICT_CHAIN])
3402 chain = nf_tables_chain_lookup(ctx->table,
3403 tb[NFTA_VERDICT_CHAIN]);
3405 return PTR_ERR(chain);
3406 if (chain->flags & NFT_BASE_CHAIN)
3410 data->chain = chain;
3411 desc->len = sizeof(data);
3415 desc->type = NFT_DATA_VERDICT;
3419 static void nft_verdict_uninit(const struct nft_data *data)
3421 switch (data->verdict) {
3429 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3431 struct nlattr *nest;
3433 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3435 goto nla_put_failure;
3437 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3438 goto nla_put_failure;
3440 switch (data->verdict) {
3443 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3444 goto nla_put_failure;
3446 nla_nest_end(skb, nest);
3453 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3454 struct nft_data_desc *desc, const struct nlattr *nla)
3461 if (len > sizeof(data->data))
3464 nla_memcpy(data->data, nla, sizeof(data->data));
3465 desc->type = NFT_DATA_VALUE;
3470 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3473 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3476 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3477 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3478 .len = FIELD_SIZEOF(struct nft_data, data) },
3479 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3483 * nft_data_init - parse nf_tables data netlink attributes
3485 * @ctx: context of the expression using the data
3486 * @data: destination struct nft_data
3487 * @desc: data description
3488 * @nla: netlink attribute containing data
3490 * Parse the netlink data attributes and initialize a struct nft_data.
3491 * The type and length of data are returned in the data description.
3493 * The caller can indicate that it only wants to accept data of type
3494 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3496 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3497 struct nft_data_desc *desc, const struct nlattr *nla)
3499 struct nlattr *tb[NFTA_DATA_MAX + 1];
3502 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3506 if (tb[NFTA_DATA_VALUE])
3507 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3508 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3509 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3512 EXPORT_SYMBOL_GPL(nft_data_init);
3515 * nft_data_uninit - release a nft_data item
3517 * @data: struct nft_data to release
3518 * @type: type of data
3520 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3521 * all others need to be released by calling this function.
3523 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3526 case NFT_DATA_VALUE:
3528 case NFT_DATA_VERDICT:
3529 return nft_verdict_uninit(data);
3534 EXPORT_SYMBOL_GPL(nft_data_uninit);
3536 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3537 enum nft_data_types type, unsigned int len)
3539 struct nlattr *nest;
3542 nest = nla_nest_start(skb, attr);
3547 case NFT_DATA_VALUE:
3548 err = nft_value_dump(skb, data, len);
3550 case NFT_DATA_VERDICT:
3551 err = nft_verdict_dump(skb, data);
3558 nla_nest_end(skb, nest);
3561 EXPORT_SYMBOL_GPL(nft_data_dump);
3563 static int nf_tables_init_net(struct net *net)
3565 INIT_LIST_HEAD(&net->nft.af_info);
3566 INIT_LIST_HEAD(&net->nft.commit_list);
3570 static struct pernet_operations nf_tables_net_ops = {
3571 .init = nf_tables_init_net,
3574 static int __init nf_tables_module_init(void)
3578 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3585 err = nf_tables_core_module_init();
3589 err = nfnetlink_subsys_register(&nf_tables_subsys);
3593 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3594 return register_pernet_subsys(&nf_tables_net_ops);
3596 nf_tables_core_module_exit();
3603 static void __exit nf_tables_module_exit(void)
3605 unregister_pernet_subsys(&nf_tables_net_ops);
3606 nfnetlink_subsys_unregister(&nf_tables_subsys);
3607 nf_tables_core_module_exit();
3611 module_init(nf_tables_module_init);
3612 module_exit(nf_tables_module_exit);
3614 MODULE_LICENSE("GPL");
3615 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3616 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
git.openpandora.org / pandora-kernel.git / blob