2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
108 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
111 struct nft_trans *trans;
113 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
117 trans->msg_type = msg_type;
123 static void nft_trans_destroy(struct nft_trans *trans)
125 list_del(&trans->list);
133 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
134 const struct nlattr *nla)
136 struct nft_table *table;
138 list_for_each_entry(table, &afi->tables, list) {
139 if (!nla_strcmp(nla, table->name))
145 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
146 const struct nlattr *nla)
148 struct nft_table *table;
151 return ERR_PTR(-EINVAL);
153 table = nft_table_lookup(afi, nla);
157 return ERR_PTR(-ENOENT);
160 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
162 return ++table->hgenerator;
165 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
167 static const struct nf_chain_type *
168 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
172 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
173 if (chain_type[family][i] != NULL &&
174 !nla_strcmp(nla, chain_type[family][i]->name))
175 return chain_type[family][i];
180 static const struct nf_chain_type *
181 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
182 const struct nlattr *nla,
185 const struct nf_chain_type *type;
187 type = __nf_tables_chain_type_lookup(afi->family, nla);
190 #ifdef CONFIG_MODULES
192 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
193 request_module("nft-chain-%u-%*.s", afi->family,
194 nla_len(nla)-1, (const char *)nla_data(nla));
195 nfnl_lock(NFNL_SUBSYS_NFTABLES);
196 type = __nf_tables_chain_type_lookup(afi->family, nla);
198 return ERR_PTR(-EAGAIN);
201 return ERR_PTR(-ENOENT);
204 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
205 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
206 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
209 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
210 int event, u32 flags, int family,
211 const struct nft_table *table)
213 struct nlmsghdr *nlh;
214 struct nfgenmsg *nfmsg;
216 event |= NFNL_SUBSYS_NFTABLES << 8;
217 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
219 goto nla_put_failure;
221 nfmsg = nlmsg_data(nlh);
222 nfmsg->nfgen_family = family;
223 nfmsg->version = NFNETLINK_V0;
226 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
227 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
228 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
229 goto nla_put_failure;
231 return nlmsg_end(skb, nlh);
234 nlmsg_trim(skb, nlh);
238 static int nf_tables_table_notify(const struct sk_buff *oskb,
239 const struct nlmsghdr *nlh,
240 const struct nft_table *table,
241 int event, int family)
244 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
245 u32 seq = nlh ? nlh->nlmsg_seq : 0;
246 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
250 report = nlh ? nlmsg_report(nlh) : false;
251 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
255 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
259 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
266 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
270 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
274 static int nf_tables_dump_tables(struct sk_buff *skb,
275 struct netlink_callback *cb)
277 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
278 const struct nft_af_info *afi;
279 const struct nft_table *table;
280 unsigned int idx = 0, s_idx = cb->args[0];
281 struct net *net = sock_net(skb->sk);
282 int family = nfmsg->nfgen_family;
284 list_for_each_entry(afi, &net->nft.af_info, list) {
285 if (family != NFPROTO_UNSPEC && family != afi->family)
288 list_for_each_entry(table, &afi->tables, list) {
292 memset(&cb->args[1], 0,
293 sizeof(cb->args) - sizeof(cb->args[0]));
294 if (nf_tables_fill_table_info(skb,
295 NETLINK_CB(cb->skb).portid,
299 afi->family, table) < 0)
310 /* Internal table flags */
311 #define NFT_TABLE_INACTIVE (1 << 15)
313 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
314 const struct nlmsghdr *nlh,
315 const struct nlattr * const nla[])
317 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
318 const struct nft_af_info *afi;
319 const struct nft_table *table;
320 struct sk_buff *skb2;
321 struct net *net = sock_net(skb->sk);
322 int family = nfmsg->nfgen_family;
325 if (nlh->nlmsg_flags & NLM_F_DUMP) {
326 struct netlink_dump_control c = {
327 .dump = nf_tables_dump_tables,
329 return netlink_dump_start(nlsk, skb, nlh, &c);
332 afi = nf_tables_afinfo_lookup(net, family, false);
336 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
338 return PTR_ERR(table);
339 if (table->flags & NFT_TABLE_INACTIVE)
342 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
346 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
347 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
352 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
359 static int nf_tables_table_enable(const struct nft_af_info *afi,
360 struct nft_table *table)
362 struct nft_chain *chain;
365 list_for_each_entry(chain, &table->chains, list) {
366 if (!(chain->flags & NFT_BASE_CHAIN))
369 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
377 list_for_each_entry(chain, &table->chains, list) {
378 if (!(chain->flags & NFT_BASE_CHAIN))
384 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
389 static void nf_tables_table_disable(const struct nft_af_info *afi,
390 struct nft_table *table)
392 struct nft_chain *chain;
394 list_for_each_entry(chain, &table->chains, list) {
395 if (chain->flags & NFT_BASE_CHAIN)
396 nf_unregister_hooks(nft_base_chain(chain)->ops,
401 static int nf_tables_updtable(struct nft_ctx *ctx)
403 struct nft_trans *trans;
407 if (!ctx->nla[NFTA_TABLE_FLAGS])
410 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
411 if (flags & ~NFT_TABLE_F_DORMANT)
414 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
415 sizeof(struct nft_trans_table));
419 if ((flags & NFT_TABLE_F_DORMANT) &&
420 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
421 nft_trans_table_enable(trans) = false;
422 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
423 ctx->table->flags & NFT_TABLE_F_DORMANT) {
424 ret = nf_tables_table_enable(ctx->afi, ctx->table);
426 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
427 nft_trans_table_enable(trans) = true;
433 nft_trans_table_update(trans) = true;
434 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
437 nft_trans_destroy(trans);
441 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
443 struct nft_trans *trans;
445 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
449 if (msg_type == NFT_MSG_NEWTABLE)
450 ctx->table->flags |= NFT_TABLE_INACTIVE;
452 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
456 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
457 const struct nlmsghdr *nlh,
458 const struct nlattr * const nla[])
460 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
461 const struct nlattr *name;
462 struct nft_af_info *afi;
463 struct nft_table *table;
464 struct net *net = sock_net(skb->sk);
465 int family = nfmsg->nfgen_family;
470 afi = nf_tables_afinfo_lookup(net, family, true);
474 name = nla[NFTA_TABLE_NAME];
475 table = nf_tables_table_lookup(afi, name);
477 if (PTR_ERR(table) != -ENOENT)
478 return PTR_ERR(table);
483 if (table->flags & NFT_TABLE_INACTIVE)
485 if (nlh->nlmsg_flags & NLM_F_EXCL)
487 if (nlh->nlmsg_flags & NLM_F_REPLACE)
490 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
491 return nf_tables_updtable(&ctx);
494 if (nla[NFTA_TABLE_FLAGS]) {
495 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
496 if (flags & ~NFT_TABLE_F_DORMANT)
500 if (!try_module_get(afi->owner))
501 return -EAFNOSUPPORT;
503 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
505 module_put(afi->owner);
509 nla_strlcpy(table->name, name, nla_len(name));
510 INIT_LIST_HEAD(&table->chains);
511 INIT_LIST_HEAD(&table->sets);
512 table->flags = flags;
514 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
515 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
518 module_put(afi->owner);
521 list_add_tail(&table->list, &afi->tables);
525 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
526 const struct nlmsghdr *nlh,
527 const struct nlattr * const nla[])
529 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
530 struct nft_af_info *afi;
531 struct nft_table *table;
532 struct net *net = sock_net(skb->sk);
533 int family = nfmsg->nfgen_family, err;
536 afi = nf_tables_afinfo_lookup(net, family, false);
540 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
542 return PTR_ERR(table);
543 if (table->flags & NFT_TABLE_INACTIVE)
546 if (!list_empty(&table->chains) || !list_empty(&table->sets))
549 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
550 err = nft_trans_table_add(&ctx, NFT_MSG_DELTABLE);
554 list_del(&table->list);
558 static void nf_tables_table_destroy(struct nft_ctx *ctx)
561 module_put(ctx->afi->owner);
564 int nft_register_chain_type(const struct nf_chain_type *ctype)
568 nfnl_lock(NFNL_SUBSYS_NFTABLES);
569 if (chain_type[ctype->family][ctype->type] != NULL) {
573 chain_type[ctype->family][ctype->type] = ctype;
575 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
578 EXPORT_SYMBOL_GPL(nft_register_chain_type);
580 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
582 nfnl_lock(NFNL_SUBSYS_NFTABLES);
583 chain_type[ctype->family][ctype->type] = NULL;
584 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
586 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
592 static struct nft_chain *
593 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
595 struct nft_chain *chain;
597 list_for_each_entry(chain, &table->chains, list) {
598 if (chain->handle == handle)
602 return ERR_PTR(-ENOENT);
605 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
606 const struct nlattr *nla)
608 struct nft_chain *chain;
611 return ERR_PTR(-EINVAL);
613 list_for_each_entry(chain, &table->chains, list) {
614 if (!nla_strcmp(nla, chain->name))
618 return ERR_PTR(-ENOENT);
621 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
622 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
623 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
624 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
625 .len = NFT_CHAIN_MAXNAMELEN - 1 },
626 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
627 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
628 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
629 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
632 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
633 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
634 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
637 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
639 struct nft_stats *cpu_stats, total;
643 memset(&total, 0, sizeof(total));
644 for_each_possible_cpu(cpu) {
645 cpu_stats = per_cpu_ptr(stats, cpu);
646 total.pkts += cpu_stats->pkts;
647 total.bytes += cpu_stats->bytes;
649 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
651 goto nla_put_failure;
653 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
654 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
655 goto nla_put_failure;
657 nla_nest_end(skb, nest);
664 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
665 int event, u32 flags, int family,
666 const struct nft_table *table,
667 const struct nft_chain *chain)
669 struct nlmsghdr *nlh;
670 struct nfgenmsg *nfmsg;
672 event |= NFNL_SUBSYS_NFTABLES << 8;
673 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
675 goto nla_put_failure;
677 nfmsg = nlmsg_data(nlh);
678 nfmsg->nfgen_family = family;
679 nfmsg->version = NFNETLINK_V0;
682 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
683 goto nla_put_failure;
684 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
685 goto nla_put_failure;
686 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
687 goto nla_put_failure;
689 if (chain->flags & NFT_BASE_CHAIN) {
690 const struct nft_base_chain *basechain = nft_base_chain(chain);
691 const struct nf_hook_ops *ops = &basechain->ops[0];
694 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
696 goto nla_put_failure;
697 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
698 goto nla_put_failure;
699 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
700 goto nla_put_failure;
701 nla_nest_end(skb, nest);
703 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
704 htonl(basechain->policy)))
705 goto nla_put_failure;
707 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
708 goto nla_put_failure;
710 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
711 goto nla_put_failure;
714 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
715 goto nla_put_failure;
717 return nlmsg_end(skb, nlh);
720 nlmsg_trim(skb, nlh);
724 static int nf_tables_chain_notify(const struct sk_buff *oskb,
725 const struct nlmsghdr *nlh,
726 const struct nft_table *table,
727 const struct nft_chain *chain,
728 int event, int family)
731 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
732 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
733 u32 seq = nlh ? nlh->nlmsg_seq : 0;
737 report = nlh ? nlmsg_report(nlh) : false;
738 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
742 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
746 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
753 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
757 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
761 static int nf_tables_dump_chains(struct sk_buff *skb,
762 struct netlink_callback *cb)
764 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
765 const struct nft_af_info *afi;
766 const struct nft_table *table;
767 const struct nft_chain *chain;
768 unsigned int idx = 0, s_idx = cb->args[0];
769 struct net *net = sock_net(skb->sk);
770 int family = nfmsg->nfgen_family;
772 list_for_each_entry(afi, &net->nft.af_info, list) {
773 if (family != NFPROTO_UNSPEC && family != afi->family)
776 list_for_each_entry(table, &afi->tables, list) {
777 list_for_each_entry(chain, &table->chains, list) {
781 memset(&cb->args[1], 0,
782 sizeof(cb->args) - sizeof(cb->args[0]));
783 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
787 afi->family, table, chain) < 0)
800 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
801 const struct nlmsghdr *nlh,
802 const struct nlattr * const nla[])
804 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
805 const struct nft_af_info *afi;
806 const struct nft_table *table;
807 const struct nft_chain *chain;
808 struct sk_buff *skb2;
809 struct net *net = sock_net(skb->sk);
810 int family = nfmsg->nfgen_family;
813 if (nlh->nlmsg_flags & NLM_F_DUMP) {
814 struct netlink_dump_control c = {
815 .dump = nf_tables_dump_chains,
817 return netlink_dump_start(nlsk, skb, nlh, &c);
820 afi = nf_tables_afinfo_lookup(net, family, false);
824 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
826 return PTR_ERR(table);
827 if (table->flags & NFT_TABLE_INACTIVE)
830 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
832 return PTR_ERR(chain);
833 if (chain->flags & NFT_CHAIN_INACTIVE)
836 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
840 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
841 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
842 family, table, chain);
846 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
853 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
854 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
855 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
858 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
860 struct nlattr *tb[NFTA_COUNTER_MAX+1];
861 struct nft_stats __percpu *newstats;
862 struct nft_stats *stats;
865 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
869 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
870 return ERR_PTR(-EINVAL);
872 newstats = alloc_percpu(struct nft_stats);
873 if (newstats == NULL)
874 return ERR_PTR(-ENOMEM);
876 /* Restore old counters on this cpu, no problem. Per-cpu statistics
877 * are not exposed to userspace.
879 stats = this_cpu_ptr(newstats);
880 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
881 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
886 static void nft_chain_stats_replace(struct nft_base_chain *chain,
887 struct nft_stats __percpu *newstats)
890 struct nft_stats __percpu *oldstats =
891 nft_dereference(chain->stats);
893 rcu_assign_pointer(chain->stats, newstats);
895 free_percpu(oldstats);
897 rcu_assign_pointer(chain->stats, newstats);
900 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
902 struct nft_trans *trans;
904 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
908 if (msg_type == NFT_MSG_NEWCHAIN)
909 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
911 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
915 static void nf_tables_chain_destroy(struct nft_chain *chain)
917 BUG_ON(chain->use > 0);
919 if (chain->flags & NFT_BASE_CHAIN) {
920 module_put(nft_base_chain(chain)->type->owner);
921 free_percpu(nft_base_chain(chain)->stats);
922 kfree(nft_base_chain(chain));
928 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
929 const struct nlmsghdr *nlh,
930 const struct nlattr * const nla[])
932 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
933 const struct nlattr * uninitialized_var(name);
934 struct nft_af_info *afi;
935 struct nft_table *table;
936 struct nft_chain *chain;
937 struct nft_base_chain *basechain = NULL;
938 struct nlattr *ha[NFTA_HOOK_MAX + 1];
939 struct net *net = sock_net(skb->sk);
940 int family = nfmsg->nfgen_family;
941 u8 policy = NF_ACCEPT;
944 struct nft_stats __percpu *stats;
949 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
951 afi = nf_tables_afinfo_lookup(net, family, true);
955 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
957 return PTR_ERR(table);
960 name = nla[NFTA_CHAIN_NAME];
962 if (nla[NFTA_CHAIN_HANDLE]) {
963 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
964 chain = nf_tables_chain_lookup_byhandle(table, handle);
966 return PTR_ERR(chain);
968 chain = nf_tables_chain_lookup(table, name);
970 if (PTR_ERR(chain) != -ENOENT)
971 return PTR_ERR(chain);
976 if (nla[NFTA_CHAIN_POLICY]) {
977 if ((chain != NULL &&
978 !(chain->flags & NFT_BASE_CHAIN)) ||
979 nla[NFTA_CHAIN_HOOK] == NULL)
982 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
993 struct nft_stats *stats = NULL;
994 struct nft_trans *trans;
996 if (chain->flags & NFT_CHAIN_INACTIVE)
998 if (nlh->nlmsg_flags & NLM_F_EXCL)
1000 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1003 if (nla[NFTA_CHAIN_HANDLE] && name &&
1004 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1007 if (nla[NFTA_CHAIN_COUNTERS]) {
1008 if (!(chain->flags & NFT_BASE_CHAIN))
1011 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1013 return PTR_ERR(stats);
1016 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1017 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1018 sizeof(struct nft_trans_chain));
1022 nft_trans_chain_stats(trans) = stats;
1023 nft_trans_chain_update(trans) = true;
1025 if (nla[NFTA_CHAIN_POLICY])
1026 nft_trans_chain_policy(trans) = policy;
1028 nft_trans_chain_policy(trans) = -1;
1030 if (nla[NFTA_CHAIN_HANDLE] && name) {
1031 nla_strlcpy(nft_trans_chain_name(trans), name,
1032 NFT_CHAIN_MAXNAMELEN);
1034 list_add_tail(&trans->list, &net->nft.commit_list);
1038 if (table->use == UINT_MAX)
1041 if (nla[NFTA_CHAIN_HOOK]) {
1042 const struct nf_chain_type *type;
1043 struct nf_hook_ops *ops;
1045 u32 hooknum, priority;
1047 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1048 if (nla[NFTA_CHAIN_TYPE]) {
1049 type = nf_tables_chain_type_lookup(afi,
1050 nla[NFTA_CHAIN_TYPE],
1053 return PTR_ERR(type);
1056 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1060 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1061 ha[NFTA_HOOK_PRIORITY] == NULL)
1064 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1065 if (hooknum >= afi->nhooks)
1067 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1069 if (!(type->hook_mask & (1 << hooknum)))
1071 if (!try_module_get(type->owner))
1073 hookfn = type->hooks[hooknum];
1075 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1076 if (basechain == NULL)
1079 if (nla[NFTA_CHAIN_COUNTERS]) {
1080 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1081 if (IS_ERR(stats)) {
1082 module_put(type->owner);
1084 return PTR_ERR(stats);
1086 basechain->stats = stats;
1088 stats = alloc_percpu(struct nft_stats);
1089 if (IS_ERR(stats)) {
1090 module_put(type->owner);
1092 return PTR_ERR(stats);
1094 rcu_assign_pointer(basechain->stats, stats);
1097 basechain->type = type;
1098 chain = &basechain->chain;
1100 for (i = 0; i < afi->nops; i++) {
1101 ops = &basechain->ops[i];
1103 ops->owner = afi->owner;
1104 ops->hooknum = hooknum;
1105 ops->priority = priority;
1107 ops->hook = afi->hooks[ops->hooknum];
1110 if (afi->hook_ops_init)
1111 afi->hook_ops_init(ops, i);
1114 chain->flags |= NFT_BASE_CHAIN;
1115 basechain->policy = policy;
1117 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1122 INIT_LIST_HEAD(&chain->rules);
1123 chain->handle = nf_tables_alloc_handle(table);
1125 chain->table = table;
1126 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1128 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1129 chain->flags & NFT_BASE_CHAIN) {
1130 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1135 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1136 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1140 list_add_tail(&chain->list, &table->chains);
1143 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1144 chain->flags & NFT_BASE_CHAIN) {
1145 nf_unregister_hooks(nft_base_chain(chain)->ops,
1149 nf_tables_chain_destroy(chain);
1153 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1154 const struct nlmsghdr *nlh,
1155 const struct nlattr * const nla[])
1157 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1158 struct nft_af_info *afi;
1159 struct nft_table *table;
1160 struct nft_chain *chain;
1161 struct net *net = sock_net(skb->sk);
1162 int family = nfmsg->nfgen_family;
1166 afi = nf_tables_afinfo_lookup(net, family, false);
1168 return PTR_ERR(afi);
1170 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1172 return PTR_ERR(table);
1173 if (table->flags & NFT_TABLE_INACTIVE)
1176 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1178 return PTR_ERR(chain);
1179 if (chain->flags & NFT_CHAIN_INACTIVE)
1181 if (!list_empty(&chain->rules) || chain->use > 0)
1184 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1185 err = nft_trans_chain_add(&ctx, NFT_MSG_DELCHAIN);
1189 list_del(&chain->list);
1198 * nft_register_expr - register nf_tables expr type
1201 * Registers the expr type for use with nf_tables. Returns zero on
1202 * success or a negative errno code otherwise.
1204 int nft_register_expr(struct nft_expr_type *type)
1206 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1207 if (type->family == NFPROTO_UNSPEC)
1208 list_add_tail(&type->list, &nf_tables_expressions);
1210 list_add(&type->list, &nf_tables_expressions);
1211 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1214 EXPORT_SYMBOL_GPL(nft_register_expr);
1217 * nft_unregister_expr - unregister nf_tables expr type
1220 * Unregisters the expr typefor use with nf_tables.
1222 void nft_unregister_expr(struct nft_expr_type *type)
1224 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1225 list_del(&type->list);
1226 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1228 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1230 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1233 const struct nft_expr_type *type;
1235 list_for_each_entry(type, &nf_tables_expressions, list) {
1236 if (!nla_strcmp(nla, type->name) &&
1237 (!type->family || type->family == family))
1243 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1246 const struct nft_expr_type *type;
1249 return ERR_PTR(-EINVAL);
1251 type = __nft_expr_type_get(family, nla);
1252 if (type != NULL && try_module_get(type->owner))
1255 #ifdef CONFIG_MODULES
1257 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1258 request_module("nft-expr-%u-%.*s", family,
1259 nla_len(nla), (char *)nla_data(nla));
1260 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1261 if (__nft_expr_type_get(family, nla))
1262 return ERR_PTR(-EAGAIN);
1264 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1265 request_module("nft-expr-%.*s",
1266 nla_len(nla), (char *)nla_data(nla));
1267 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1268 if (__nft_expr_type_get(family, nla))
1269 return ERR_PTR(-EAGAIN);
1272 return ERR_PTR(-ENOENT);
1275 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1276 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1277 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1280 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1281 const struct nft_expr *expr)
1283 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1284 goto nla_put_failure;
1286 if (expr->ops->dump) {
1287 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1289 goto nla_put_failure;
1290 if (expr->ops->dump(skb, expr) < 0)
1291 goto nla_put_failure;
1292 nla_nest_end(skb, data);
1301 struct nft_expr_info {
1302 const struct nft_expr_ops *ops;
1303 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1306 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1307 const struct nlattr *nla,
1308 struct nft_expr_info *info)
1310 const struct nft_expr_type *type;
1311 const struct nft_expr_ops *ops;
1312 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1315 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1319 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1321 return PTR_ERR(type);
1323 if (tb[NFTA_EXPR_DATA]) {
1324 err = nla_parse_nested(info->tb, type->maxattr,
1325 tb[NFTA_EXPR_DATA], type->policy);
1329 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1331 if (type->select_ops != NULL) {
1332 ops = type->select_ops(ctx,
1333 (const struct nlattr * const *)info->tb);
1345 module_put(type->owner);
1349 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1350 const struct nft_expr_info *info,
1351 struct nft_expr *expr)
1353 const struct nft_expr_ops *ops = info->ops;
1358 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1370 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1371 struct nft_expr *expr)
1373 if (expr->ops->destroy)
1374 expr->ops->destroy(ctx, expr);
1375 module_put(expr->ops->type->owner);
1382 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1385 struct nft_rule *rule;
1387 // FIXME: this sucks
1388 list_for_each_entry(rule, &chain->rules, list) {
1389 if (handle == rule->handle)
1393 return ERR_PTR(-ENOENT);
1396 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1397 const struct nlattr *nla)
1400 return ERR_PTR(-EINVAL);
1402 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1405 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1406 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1407 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1408 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1409 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1410 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1411 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1412 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1413 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1414 .len = NFT_USERDATA_MAXLEN },
1417 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1418 int event, u32 flags, int family,
1419 const struct nft_table *table,
1420 const struct nft_chain *chain,
1421 const struct nft_rule *rule)
1423 struct nlmsghdr *nlh;
1424 struct nfgenmsg *nfmsg;
1425 const struct nft_expr *expr, *next;
1426 struct nlattr *list;
1427 const struct nft_rule *prule;
1428 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1430 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1433 goto nla_put_failure;
1435 nfmsg = nlmsg_data(nlh);
1436 nfmsg->nfgen_family = family;
1437 nfmsg->version = NFNETLINK_V0;
1440 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1441 goto nla_put_failure;
1442 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1443 goto nla_put_failure;
1444 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1445 goto nla_put_failure;
1447 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1448 prule = list_entry(rule->list.prev, struct nft_rule, list);
1449 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1450 cpu_to_be64(prule->handle)))
1451 goto nla_put_failure;
1454 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1456 goto nla_put_failure;
1457 nft_rule_for_each_expr(expr, next, rule) {
1458 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1460 goto nla_put_failure;
1461 if (nf_tables_fill_expr_info(skb, expr) < 0)
1462 goto nla_put_failure;
1463 nla_nest_end(skb, elem);
1465 nla_nest_end(skb, list);
1468 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1469 goto nla_put_failure;
1471 return nlmsg_end(skb, nlh);
1474 nlmsg_trim(skb, nlh);
1478 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1479 const struct nlmsghdr *nlh,
1480 const struct nft_table *table,
1481 const struct nft_chain *chain,
1482 const struct nft_rule *rule,
1483 int event, u32 flags, int family)
1485 struct sk_buff *skb;
1486 u32 portid = NETLINK_CB(oskb).portid;
1487 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1488 u32 seq = nlh->nlmsg_seq;
1492 report = nlmsg_report(nlh);
1493 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1497 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1501 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1502 family, table, chain, rule);
1508 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1512 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1517 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1519 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1522 static inline int gencursor_next(struct net *net)
1524 return net->nft.gencursor+1 == 1 ? 1 : 0;
1528 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1530 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1534 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1536 /* Now inactive, will be active in the future */
1537 rule->genmask = (1 << net->nft.gencursor);
1541 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1543 rule->genmask = (1 << gencursor_next(net));
1546 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1551 static int nf_tables_dump_rules(struct sk_buff *skb,
1552 struct netlink_callback *cb)
1554 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1555 const struct nft_af_info *afi;
1556 const struct nft_table *table;
1557 const struct nft_chain *chain;
1558 const struct nft_rule *rule;
1559 unsigned int idx = 0, s_idx = cb->args[0];
1560 struct net *net = sock_net(skb->sk);
1561 int family = nfmsg->nfgen_family;
1562 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1563 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1565 list_for_each_entry(afi, &net->nft.af_info, list) {
1566 if (family != NFPROTO_UNSPEC && family != afi->family)
1569 list_for_each_entry(table, &afi->tables, list) {
1570 list_for_each_entry(chain, &table->chains, list) {
1571 list_for_each_entry(rule, &chain->rules, list) {
1572 if (!nft_rule_is_active(net, rule))
1577 memset(&cb->args[1], 0,
1578 sizeof(cb->args) - sizeof(cb->args[0]));
1579 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1582 NLM_F_MULTI | NLM_F_APPEND,
1583 afi->family, table, chain, rule) < 0)
1592 /* Invalidate this dump, a transition to the new generation happened */
1593 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1600 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1601 const struct nlmsghdr *nlh,
1602 const struct nlattr * const nla[])
1604 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1605 const struct nft_af_info *afi;
1606 const struct nft_table *table;
1607 const struct nft_chain *chain;
1608 const struct nft_rule *rule;
1609 struct sk_buff *skb2;
1610 struct net *net = sock_net(skb->sk);
1611 int family = nfmsg->nfgen_family;
1614 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1615 struct netlink_dump_control c = {
1616 .dump = nf_tables_dump_rules,
1618 return netlink_dump_start(nlsk, skb, nlh, &c);
1621 afi = nf_tables_afinfo_lookup(net, family, false);
1623 return PTR_ERR(afi);
1625 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1627 return PTR_ERR(table);
1628 if (table->flags & NFT_TABLE_INACTIVE)
1631 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1633 return PTR_ERR(chain);
1634 if (chain->flags & NFT_CHAIN_INACTIVE)
1637 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1639 return PTR_ERR(rule);
1641 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1645 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1646 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1647 family, table, chain, rule);
1651 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1658 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1659 struct nft_rule *rule)
1661 struct nft_expr *expr;
1664 * Careful: some expressions might not be initialized in case this
1665 * is called on error from nf_tables_newrule().
1667 expr = nft_expr_first(rule);
1668 while (expr->ops && expr != nft_expr_last(rule)) {
1669 nf_tables_expr_destroy(ctx, expr);
1670 expr = nft_expr_next(expr);
1675 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
1676 struct nft_rule *rule)
1678 struct nft_trans *trans;
1680 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
1684 nft_trans_rule(trans) = rule;
1685 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1690 #define NFT_RULE_MAXEXPRS 128
1692 static struct nft_expr_info *info;
1694 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1695 const struct nlmsghdr *nlh,
1696 const struct nlattr * const nla[])
1698 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1699 struct nft_af_info *afi;
1700 struct net *net = sock_net(skb->sk);
1701 struct nft_table *table;
1702 struct nft_chain *chain;
1703 struct nft_rule *rule, *old_rule = NULL;
1704 struct nft_trans *trans = NULL;
1705 struct nft_expr *expr;
1708 unsigned int size, i, n, ulen = 0;
1711 u64 handle, pos_handle;
1713 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1715 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1717 return PTR_ERR(afi);
1719 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1721 return PTR_ERR(table);
1723 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1725 return PTR_ERR(chain);
1727 if (nla[NFTA_RULE_HANDLE]) {
1728 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1729 rule = __nf_tables_rule_lookup(chain, handle);
1731 return PTR_ERR(rule);
1733 if (nlh->nlmsg_flags & NLM_F_EXCL)
1735 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1740 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1742 handle = nf_tables_alloc_handle(table);
1745 if (nla[NFTA_RULE_POSITION]) {
1746 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1749 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1750 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1751 if (IS_ERR(old_rule))
1752 return PTR_ERR(old_rule);
1755 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1759 if (nla[NFTA_RULE_EXPRESSIONS]) {
1760 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1762 if (nla_type(tmp) != NFTA_LIST_ELEM)
1764 if (n == NFT_RULE_MAXEXPRS)
1766 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1769 size += info[n].ops->size;
1774 if (nla[NFTA_RULE_USERDATA])
1775 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1778 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1782 nft_rule_activate_next(net, rule);
1784 rule->handle = handle;
1789 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1791 expr = nft_expr_first(rule);
1792 for (i = 0; i < n; i++) {
1793 err = nf_tables_newexpr(&ctx, &info[i], expr);
1797 expr = nft_expr_next(expr);
1800 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1801 if (nft_rule_is_active_next(net, old_rule)) {
1802 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE,
1804 if (trans == NULL) {
1808 nft_rule_disactivate_next(net, old_rule);
1809 list_add_tail(&rule->list, &old_rule->list);
1814 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1816 list_add_rcu(&rule->list, &old_rule->list);
1818 list_add_tail_rcu(&rule->list, &chain->rules);
1821 list_add_tail_rcu(&rule->list, &old_rule->list);
1823 list_add_rcu(&rule->list, &chain->rules);
1826 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
1833 list_del_rcu(&rule->list);
1835 list_del_rcu(&nft_trans_rule(trans)->list);
1836 nft_rule_clear(net, nft_trans_rule(trans));
1837 nft_trans_destroy(trans);
1840 nf_tables_rule_destroy(&ctx, rule);
1842 for (i = 0; i < n; i++) {
1843 if (info[i].ops != NULL)
1844 module_put(info[i].ops->type->owner);
1850 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1852 /* You cannot delete the same rule twice */
1853 if (nft_rule_is_active_next(ctx->net, rule)) {
1854 if (nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule) == NULL)
1856 nft_rule_disactivate_next(ctx->net, rule);
1862 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1864 struct nft_rule *rule;
1867 list_for_each_entry(rule, &ctx->chain->rules, list) {
1868 err = nf_tables_delrule_one(ctx, rule);
1875 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1876 const struct nlmsghdr *nlh,
1877 const struct nlattr * const nla[])
1879 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1880 struct nft_af_info *afi;
1881 struct net *net = sock_net(skb->sk);
1882 struct nft_table *table;
1883 struct nft_chain *chain = NULL;
1884 struct nft_rule *rule;
1885 int family = nfmsg->nfgen_family, err = 0;
1888 afi = nf_tables_afinfo_lookup(net, family, false);
1890 return PTR_ERR(afi);
1892 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1894 return PTR_ERR(table);
1895 if (table->flags & NFT_TABLE_INACTIVE)
1898 if (nla[NFTA_RULE_CHAIN]) {
1899 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1901 return PTR_ERR(chain);
1904 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1907 if (nla[NFTA_RULE_HANDLE]) {
1908 rule = nf_tables_rule_lookup(chain,
1909 nla[NFTA_RULE_HANDLE]);
1911 return PTR_ERR(rule);
1913 err = nf_tables_delrule_one(&ctx, rule);
1915 err = nf_table_delrule_by_chain(&ctx);
1918 list_for_each_entry(chain, &table->chains, list) {
1920 err = nf_table_delrule_by_chain(&ctx);
1933 static LIST_HEAD(nf_tables_set_ops);
1935 int nft_register_set(struct nft_set_ops *ops)
1937 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1938 list_add_tail(&ops->list, &nf_tables_set_ops);
1939 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1942 EXPORT_SYMBOL_GPL(nft_register_set);
1944 void nft_unregister_set(struct nft_set_ops *ops)
1946 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1947 list_del(&ops->list);
1948 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1950 EXPORT_SYMBOL_GPL(nft_unregister_set);
1953 * Select a set implementation based on the data characteristics and the
1954 * given policy. The total memory use might not be known if no size is
1955 * given, in that case the amount of memory per element is used.
1957 static const struct nft_set_ops *
1958 nft_select_set_ops(const struct nlattr * const nla[],
1959 const struct nft_set_desc *desc,
1960 enum nft_set_policies policy)
1962 const struct nft_set_ops *ops, *bops;
1963 struct nft_set_estimate est, best;
1966 #ifdef CONFIG_MODULES
1967 if (list_empty(&nf_tables_set_ops)) {
1968 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1969 request_module("nft-set");
1970 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1971 if (!list_empty(&nf_tables_set_ops))
1972 return ERR_PTR(-EAGAIN);
1976 if (nla[NFTA_SET_FLAGS] != NULL) {
1977 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1978 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1985 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1986 if ((ops->features & features) != features)
1988 if (!ops->estimate(desc, features, &est))
1992 case NFT_SET_POL_PERFORMANCE:
1993 if (est.class < best.class)
1995 if (est.class == best.class && est.size < best.size)
1998 case NFT_SET_POL_MEMORY:
1999 if (est.size < best.size)
2001 if (est.size == best.size && est.class < best.class)
2008 if (!try_module_get(ops->owner))
2011 module_put(bops->owner);
2020 return ERR_PTR(-EOPNOTSUPP);
2023 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2024 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2025 [NFTA_SET_NAME] = { .type = NLA_STRING },
2026 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2027 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2028 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2029 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2030 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2031 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2032 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2033 [NFTA_SET_ID] = { .type = NLA_U32 },
2036 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2037 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2040 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
2041 const struct sk_buff *skb,
2042 const struct nlmsghdr *nlh,
2043 const struct nlattr * const nla[])
2045 struct net *net = sock_net(skb->sk);
2046 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2047 struct nft_af_info *afi = NULL;
2048 struct nft_table *table = NULL;
2050 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2051 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2053 return PTR_ERR(afi);
2056 if (nla[NFTA_SET_TABLE] != NULL) {
2058 return -EAFNOSUPPORT;
2060 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2062 return PTR_ERR(table);
2063 if (table->flags & NFT_TABLE_INACTIVE)
2067 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2071 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2072 const struct nlattr *nla)
2074 struct nft_set *set;
2077 return ERR_PTR(-EINVAL);
2079 list_for_each_entry(set, &table->sets, list) {
2080 if (!nla_strcmp(nla, set->name))
2083 return ERR_PTR(-ENOENT);
2086 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2087 const struct nlattr *nla)
2089 struct nft_trans *trans;
2090 u32 id = ntohl(nla_get_be32(nla));
2092 list_for_each_entry(trans, &net->nft.commit_list, list) {
2093 if (trans->msg_type == NFT_MSG_NEWSET &&
2094 id == nft_trans_set_id(trans))
2095 return nft_trans_set(trans);
2097 return ERR_PTR(-ENOENT);
2100 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2103 const struct nft_set *i;
2105 unsigned long *inuse;
2106 unsigned int n = 0, min = 0;
2108 p = strnchr(name, IFNAMSIZ, '%');
2110 if (p[1] != 'd' || strchr(p + 2, '%'))
2113 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2117 list_for_each_entry(i, &ctx->table->sets, list) {
2120 if (!sscanf(i->name, name, &tmp))
2122 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2125 set_bit(tmp - min, inuse);
2128 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2129 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2130 min += BITS_PER_BYTE * PAGE_SIZE;
2131 memset(inuse, 0, PAGE_SIZE);
2134 free_page((unsigned long)inuse);
2137 snprintf(set->name, sizeof(set->name), name, min + n);
2138 list_for_each_entry(i, &ctx->table->sets, list) {
2139 if (!strcmp(set->name, i->name))
2145 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2146 const struct nft_set *set, u16 event, u16 flags)
2148 struct nfgenmsg *nfmsg;
2149 struct nlmsghdr *nlh;
2150 struct nlattr *desc;
2151 u32 portid = NETLINK_CB(ctx->skb).portid;
2152 u32 seq = ctx->nlh->nlmsg_seq;
2154 event |= NFNL_SUBSYS_NFTABLES << 8;
2155 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2158 goto nla_put_failure;
2160 nfmsg = nlmsg_data(nlh);
2161 nfmsg->nfgen_family = ctx->afi->family;
2162 nfmsg->version = NFNETLINK_V0;
2165 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2166 goto nla_put_failure;
2167 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2168 goto nla_put_failure;
2169 if (set->flags != 0)
2170 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2171 goto nla_put_failure;
2173 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2174 goto nla_put_failure;
2175 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2176 goto nla_put_failure;
2177 if (set->flags & NFT_SET_MAP) {
2178 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2179 goto nla_put_failure;
2180 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2181 goto nla_put_failure;
2184 desc = nla_nest_start(skb, NFTA_SET_DESC);
2186 goto nla_put_failure;
2188 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2189 goto nla_put_failure;
2190 nla_nest_end(skb, desc);
2192 return nlmsg_end(skb, nlh);
2195 nlmsg_trim(skb, nlh);
2199 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2200 const struct nft_set *set,
2203 struct sk_buff *skb;
2204 u32 portid = NETLINK_CB(ctx->skb).portid;
2208 report = nlmsg_report(ctx->nlh);
2209 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2213 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2217 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2223 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2227 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2231 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2232 struct netlink_callback *cb)
2234 const struct nft_set *set;
2235 unsigned int idx = 0, s_idx = cb->args[0];
2240 list_for_each_entry(set, &ctx->table->sets, list) {
2243 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2256 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2257 struct netlink_callback *cb)
2259 const struct nft_set *set;
2260 unsigned int idx, s_idx = cb->args[0];
2261 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2266 list_for_each_entry(table, &ctx->afi->tables, list) {
2268 if (cur_table != table)
2275 list_for_each_entry(set, &ctx->table->sets, list) {
2278 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2281 cb->args[2] = (unsigned long) table;
2293 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2294 struct netlink_callback *cb)
2296 const struct nft_set *set;
2297 unsigned int idx, s_idx = cb->args[0];
2298 struct nft_af_info *afi;
2299 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2300 struct net *net = sock_net(skb->sk);
2301 int cur_family = cb->args[3];
2306 list_for_each_entry(afi, &net->nft.af_info, list) {
2308 if (afi->family != cur_family)
2314 list_for_each_entry(table, &afi->tables, list) {
2316 if (cur_table != table)
2325 list_for_each_entry(set, &ctx->table->sets, list) {
2328 if (nf_tables_fill_set(skb, ctx, set,
2332 cb->args[2] = (unsigned long) table;
2333 cb->args[3] = afi->family;
2348 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2350 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2351 struct nlattr *nla[NFTA_SET_MAX + 1];
2355 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2360 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2364 if (ctx.table == NULL) {
2365 if (ctx.afi == NULL)
2366 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2368 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2370 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2375 #define NFT_SET_INACTIVE (1 << 15) /* Internal set flag */
2377 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2378 const struct nlmsghdr *nlh,
2379 const struct nlattr * const nla[])
2381 const struct nft_set *set;
2383 struct sk_buff *skb2;
2384 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2387 /* Verify existance before starting dump */
2388 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2392 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2393 struct netlink_dump_control c = {
2394 .dump = nf_tables_dump_sets,
2396 return netlink_dump_start(nlsk, skb, nlh, &c);
2399 /* Only accept unspec with dump */
2400 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2401 return -EAFNOSUPPORT;
2403 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2405 return PTR_ERR(set);
2406 if (set->flags & NFT_SET_INACTIVE)
2409 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2413 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2417 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2424 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2425 struct nft_set_desc *desc,
2426 const struct nlattr *nla)
2428 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2431 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2435 if (da[NFTA_SET_DESC_SIZE] != NULL)
2436 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2441 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
2442 struct nft_set *set)
2444 struct nft_trans *trans;
2446 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
2450 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
2451 nft_trans_set_id(trans) =
2452 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
2453 set->flags |= NFT_SET_INACTIVE;
2455 nft_trans_set(trans) = set;
2456 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2461 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2462 const struct nlmsghdr *nlh,
2463 const struct nlattr * const nla[])
2465 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2466 const struct nft_set_ops *ops;
2467 struct nft_af_info *afi;
2468 struct net *net = sock_net(skb->sk);
2469 struct nft_table *table;
2470 struct nft_set *set;
2472 char name[IFNAMSIZ];
2475 u32 ktype, dtype, flags, policy;
2476 struct nft_set_desc desc;
2479 if (nla[NFTA_SET_TABLE] == NULL ||
2480 nla[NFTA_SET_NAME] == NULL ||
2481 nla[NFTA_SET_KEY_LEN] == NULL ||
2482 nla[NFTA_SET_ID] == NULL)
2485 memset(&desc, 0, sizeof(desc));
2487 ktype = NFT_DATA_VALUE;
2488 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2489 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2490 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2494 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2495 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2499 if (nla[NFTA_SET_FLAGS] != NULL) {
2500 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2501 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2502 NFT_SET_INTERVAL | NFT_SET_MAP))
2507 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2508 if (!(flags & NFT_SET_MAP))
2511 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2512 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2513 dtype != NFT_DATA_VERDICT)
2516 if (dtype != NFT_DATA_VERDICT) {
2517 if (nla[NFTA_SET_DATA_LEN] == NULL)
2519 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2520 if (desc.dlen == 0 ||
2521 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2524 desc.dlen = sizeof(struct nft_data);
2525 } else if (flags & NFT_SET_MAP)
2528 policy = NFT_SET_POL_PERFORMANCE;
2529 if (nla[NFTA_SET_POLICY] != NULL)
2530 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2532 if (nla[NFTA_SET_DESC] != NULL) {
2533 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2538 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2540 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2542 return PTR_ERR(afi);
2544 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2546 return PTR_ERR(table);
2548 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2550 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2552 if (PTR_ERR(set) != -ENOENT)
2553 return PTR_ERR(set);
2558 if (nlh->nlmsg_flags & NLM_F_EXCL)
2560 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2565 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2568 ops = nft_select_set_ops(nla, &desc, policy);
2570 return PTR_ERR(ops);
2573 if (ops->privsize != NULL)
2574 size = ops->privsize(nla);
2577 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2581 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2582 err = nf_tables_set_alloc_name(&ctx, set, name);
2586 INIT_LIST_HEAD(&set->bindings);
2589 set->klen = desc.klen;
2591 set->dlen = desc.dlen;
2593 set->size = desc.size;
2595 err = ops->init(set, &desc, nla);
2599 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2603 list_add_tail(&set->list, &table->sets);
2609 module_put(ops->owner);
2613 static void nft_set_destroy(struct nft_set *set)
2615 set->ops->destroy(set);
2616 module_put(set->ops->owner);
2620 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2622 list_del(&set->list);
2623 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2624 nft_set_destroy(set);
2627 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2628 const struct nlmsghdr *nlh,
2629 const struct nlattr * const nla[])
2631 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2632 struct nft_set *set;
2636 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2637 return -EAFNOSUPPORT;
2638 if (nla[NFTA_SET_TABLE] == NULL)
2641 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2645 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2647 return PTR_ERR(set);
2648 if (set->flags & NFT_SET_INACTIVE)
2650 if (!list_empty(&set->bindings))
2653 err = nft_trans_set_add(&ctx, NFT_MSG_DELSET, set);
2657 list_del(&set->list);
2661 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2662 const struct nft_set *set,
2663 const struct nft_set_iter *iter,
2664 const struct nft_set_elem *elem)
2666 enum nft_registers dreg;
2668 dreg = nft_type_to_reg(set->dtype);
2669 return nft_validate_data_load(ctx, dreg, &elem->data,
2670 set->dtype == NFT_DATA_VERDICT ?
2671 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2674 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2675 struct nft_set_binding *binding)
2677 struct nft_set_binding *i;
2678 struct nft_set_iter iter;
2680 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2683 if (set->flags & NFT_SET_MAP) {
2684 /* If the set is already bound to the same chain all
2685 * jumps are already validated for that chain.
2687 list_for_each_entry(i, &set->bindings, list) {
2688 if (i->chain == binding->chain)
2695 iter.fn = nf_tables_bind_check_setelem;
2697 set->ops->walk(ctx, set, &iter);
2699 /* Destroy anonymous sets if binding fails */
2700 if (set->flags & NFT_SET_ANONYMOUS)
2701 nf_tables_set_destroy(ctx, set);
2707 binding->chain = ctx->chain;
2708 list_add_tail(&binding->list, &set->bindings);
2712 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2713 struct nft_set_binding *binding)
2715 list_del(&binding->list);
2717 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2718 !(set->flags & NFT_SET_INACTIVE))
2719 nf_tables_set_destroy(ctx, set);
2726 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2727 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2728 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2729 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2732 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2733 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2734 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2735 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2736 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
2739 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2740 const struct sk_buff *skb,
2741 const struct nlmsghdr *nlh,
2742 const struct nlattr * const nla[],
2745 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2746 struct nft_af_info *afi;
2747 struct nft_table *table;
2748 struct net *net = sock_net(skb->sk);
2750 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2752 return PTR_ERR(afi);
2754 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2756 return PTR_ERR(table);
2757 if (!trans && (table->flags & NFT_TABLE_INACTIVE))
2760 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2764 static int nf_tables_fill_setelem(struct sk_buff *skb,
2765 const struct nft_set *set,
2766 const struct nft_set_elem *elem)
2768 unsigned char *b = skb_tail_pointer(skb);
2769 struct nlattr *nest;
2771 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2773 goto nla_put_failure;
2775 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2777 goto nla_put_failure;
2779 if (set->flags & NFT_SET_MAP &&
2780 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2781 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2782 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2784 goto nla_put_failure;
2786 if (elem->flags != 0)
2787 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2788 goto nla_put_failure;
2790 nla_nest_end(skb, nest);
2798 struct nft_set_dump_args {
2799 const struct netlink_callback *cb;
2800 struct nft_set_iter iter;
2801 struct sk_buff *skb;
2804 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2805 const struct nft_set *set,
2806 const struct nft_set_iter *iter,
2807 const struct nft_set_elem *elem)
2809 struct nft_set_dump_args *args;
2811 args = container_of(iter, struct nft_set_dump_args, iter);
2812 return nf_tables_fill_setelem(args->skb, set, elem);
2815 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2817 const struct nft_set *set;
2818 struct nft_set_dump_args args;
2820 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2821 struct nfgenmsg *nfmsg;
2822 struct nlmsghdr *nlh;
2823 struct nlattr *nest;
2827 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2828 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2832 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
2837 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2839 return PTR_ERR(set);
2840 if (set->flags & NFT_SET_INACTIVE)
2843 event = NFT_MSG_NEWSETELEM;
2844 event |= NFNL_SUBSYS_NFTABLES << 8;
2845 portid = NETLINK_CB(cb->skb).portid;
2846 seq = cb->nlh->nlmsg_seq;
2848 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2851 goto nla_put_failure;
2853 nfmsg = nlmsg_data(nlh);
2854 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2855 nfmsg->version = NFNETLINK_V0;
2858 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2859 goto nla_put_failure;
2860 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2861 goto nla_put_failure;
2863 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2865 goto nla_put_failure;
2869 args.iter.skip = cb->args[0];
2870 args.iter.count = 0;
2872 args.iter.fn = nf_tables_dump_setelem;
2873 set->ops->walk(&ctx, set, &args.iter);
2875 nla_nest_end(skb, nest);
2876 nlmsg_end(skb, nlh);
2878 if (args.iter.err && args.iter.err != -EMSGSIZE)
2879 return args.iter.err;
2880 if (args.iter.count == cb->args[0])
2883 cb->args[0] = args.iter.count;
2890 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2891 const struct nlmsghdr *nlh,
2892 const struct nlattr * const nla[])
2894 const struct nft_set *set;
2898 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
2902 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2904 return PTR_ERR(set);
2905 if (set->flags & NFT_SET_INACTIVE)
2908 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2909 struct netlink_dump_control c = {
2910 .dump = nf_tables_dump_set,
2912 return netlink_dump_start(nlsk, skb, nlh, &c);
2917 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
2918 const struct nft_ctx *ctx, u32 seq,
2919 u32 portid, int event, u16 flags,
2920 const struct nft_set *set,
2921 const struct nft_set_elem *elem)
2923 struct nfgenmsg *nfmsg;
2924 struct nlmsghdr *nlh;
2925 struct nlattr *nest;
2928 event |= NFNL_SUBSYS_NFTABLES << 8;
2929 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2932 goto nla_put_failure;
2934 nfmsg = nlmsg_data(nlh);
2935 nfmsg->nfgen_family = ctx->afi->family;
2936 nfmsg->version = NFNETLINK_V0;
2939 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2940 goto nla_put_failure;
2941 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2942 goto nla_put_failure;
2944 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2946 goto nla_put_failure;
2948 err = nf_tables_fill_setelem(skb, set, elem);
2950 goto nla_put_failure;
2952 nla_nest_end(skb, nest);
2954 return nlmsg_end(skb, nlh);
2957 nlmsg_trim(skb, nlh);
2961 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
2962 const struct nft_set *set,
2963 const struct nft_set_elem *elem,
2964 int event, u16 flags)
2966 const struct sk_buff *oskb = ctx->skb;
2967 struct net *net = sock_net(oskb->sk);
2968 u32 portid = NETLINK_CB(oskb).portid;
2969 bool report = nlmsg_report(ctx->nlh);
2970 struct sk_buff *skb;
2973 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
2977 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2981 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
2988 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
2992 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
2996 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
2998 struct nft_set *set)
3000 struct nft_trans *trans;
3002 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3006 nft_trans_elem_set(trans) = set;
3010 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3011 const struct nlattr *attr)
3013 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3014 struct nft_data_desc d1, d2;
3015 struct nft_set_elem elem;
3016 struct nft_set_binding *binding;
3017 enum nft_registers dreg;
3018 struct nft_trans *trans;
3021 if (set->size && set->nelems == set->size)
3024 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3025 nft_set_elem_policy);
3029 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3033 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
3034 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
3035 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
3039 if (set->flags & NFT_SET_MAP) {
3040 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3041 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
3043 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3044 elem.flags & NFT_SET_ELEM_INTERVAL_END)
3047 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3051 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
3055 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3059 if (set->ops->get(set, &elem) == 0)
3062 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3063 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
3068 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3071 dreg = nft_type_to_reg(set->dtype);
3072 list_for_each_entry(binding, &set->bindings, list) {
3073 struct nft_ctx bind_ctx = {
3075 .table = ctx->table,
3076 .chain = (struct nft_chain *)binding->chain,
3079 err = nft_validate_data_load(&bind_ctx, dreg,
3080 &elem.data, d2.type);
3086 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3090 err = set->ops->insert(set, &elem);
3094 nft_trans_elem(trans) = elem;
3095 list_add(&trans->list, &ctx->net->nft.commit_list);
3101 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3102 nft_data_uninit(&elem.data, d2.type);
3104 nft_data_uninit(&elem.key, d1.type);
3109 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
3110 const struct nlmsghdr *nlh,
3111 const struct nlattr * const nla[])
3113 struct net *net = sock_net(skb->sk);
3114 const struct nlattr *attr;
3115 struct nft_set *set;
3119 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
3123 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3125 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3126 set = nf_tables_set_lookup_byid(net,
3127 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3130 return PTR_ERR(set);
3133 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3136 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3137 err = nft_add_set_elem(&ctx, set, attr);
3144 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3145 const struct nlattr *attr)
3147 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3148 struct nft_data_desc desc;
3149 struct nft_set_elem elem;
3150 struct nft_trans *trans;
3153 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3154 nft_set_elem_policy);
3159 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3162 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
3167 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3170 err = set->ops->get(set, &elem);
3174 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3178 nft_trans_elem(trans) = elem;
3179 list_add(&trans->list, &ctx->net->nft.commit_list);
3181 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
3182 if (set->flags & NFT_SET_MAP)
3183 nft_data_uninit(&elem.data, set->dtype);
3186 nft_data_uninit(&elem.key, desc.type);
3191 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3192 const struct nlmsghdr *nlh,
3193 const struct nlattr * const nla[])
3195 const struct nlattr *attr;
3196 struct nft_set *set;
3200 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
3204 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3206 return PTR_ERR(set);
3207 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3210 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3211 err = nft_del_setelem(&ctx, set, attr);
3218 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3219 [NFT_MSG_NEWTABLE] = {
3220 .call_batch = nf_tables_newtable,
3221 .attr_count = NFTA_TABLE_MAX,
3222 .policy = nft_table_policy,
3224 [NFT_MSG_GETTABLE] = {
3225 .call = nf_tables_gettable,
3226 .attr_count = NFTA_TABLE_MAX,
3227 .policy = nft_table_policy,
3229 [NFT_MSG_DELTABLE] = {
3230 .call_batch = nf_tables_deltable,
3231 .attr_count = NFTA_TABLE_MAX,
3232 .policy = nft_table_policy,
3234 [NFT_MSG_NEWCHAIN] = {
3235 .call_batch = nf_tables_newchain,
3236 .attr_count = NFTA_CHAIN_MAX,
3237 .policy = nft_chain_policy,
3239 [NFT_MSG_GETCHAIN] = {
3240 .call = nf_tables_getchain,
3241 .attr_count = NFTA_CHAIN_MAX,
3242 .policy = nft_chain_policy,
3244 [NFT_MSG_DELCHAIN] = {
3245 .call_batch = nf_tables_delchain,
3246 .attr_count = NFTA_CHAIN_MAX,
3247 .policy = nft_chain_policy,
3249 [NFT_MSG_NEWRULE] = {
3250 .call_batch = nf_tables_newrule,
3251 .attr_count = NFTA_RULE_MAX,
3252 .policy = nft_rule_policy,
3254 [NFT_MSG_GETRULE] = {
3255 .call = nf_tables_getrule,
3256 .attr_count = NFTA_RULE_MAX,
3257 .policy = nft_rule_policy,
3259 [NFT_MSG_DELRULE] = {
3260 .call_batch = nf_tables_delrule,
3261 .attr_count = NFTA_RULE_MAX,
3262 .policy = nft_rule_policy,
3264 [NFT_MSG_NEWSET] = {
3265 .call_batch = nf_tables_newset,
3266 .attr_count = NFTA_SET_MAX,
3267 .policy = nft_set_policy,
3269 [NFT_MSG_GETSET] = {
3270 .call = nf_tables_getset,
3271 .attr_count = NFTA_SET_MAX,
3272 .policy = nft_set_policy,
3274 [NFT_MSG_DELSET] = {
3275 .call_batch = nf_tables_delset,
3276 .attr_count = NFTA_SET_MAX,
3277 .policy = nft_set_policy,
3279 [NFT_MSG_NEWSETELEM] = {
3280 .call_batch = nf_tables_newsetelem,
3281 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3282 .policy = nft_set_elem_list_policy,
3284 [NFT_MSG_GETSETELEM] = {
3285 .call = nf_tables_getsetelem,
3286 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3287 .policy = nft_set_elem_list_policy,
3289 [NFT_MSG_DELSETELEM] = {
3290 .call_batch = nf_tables_delsetelem,
3291 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3292 .policy = nft_set_elem_list_policy,
3296 static void nft_chain_commit_update(struct nft_trans *trans)
3298 struct nft_base_chain *basechain;
3300 if (nft_trans_chain_name(trans)[0])
3301 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3303 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3306 basechain = nft_base_chain(trans->ctx.chain);
3307 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3309 switch (nft_trans_chain_policy(trans)) {
3312 basechain->policy = nft_trans_chain_policy(trans);
3317 static int nf_tables_commit(struct sk_buff *skb)
3319 struct net *net = sock_net(skb->sk);
3320 struct nft_trans *trans, *next;
3321 struct nft_set *set;
3323 /* Bump generation counter, invalidate any dump in progress */
3326 /* A new generation has just started */
3327 net->nft.gencursor = gencursor_next(net);
3329 /* Make sure all packets have left the previous generation before
3330 * purging old rules.
3334 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3335 switch (trans->msg_type) {
3336 case NFT_MSG_NEWTABLE:
3337 if (nft_trans_table_update(trans)) {
3338 if (!nft_trans_table_enable(trans)) {
3339 nf_tables_table_disable(trans->ctx.afi,
3341 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3344 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3346 nf_tables_table_notify(trans->ctx.skb, trans->ctx.nlh,
3349 trans->ctx.afi->family);
3350 nft_trans_destroy(trans);
3352 case NFT_MSG_DELTABLE:
3353 nf_tables_table_notify(trans->ctx.skb, trans->ctx.nlh,
3356 trans->ctx.afi->family);
3358 case NFT_MSG_NEWCHAIN:
3359 if (nft_trans_chain_update(trans))
3360 nft_chain_commit_update(trans);
3362 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3363 trans->ctx.table->use++;
3365 nf_tables_chain_notify(trans->ctx.skb, trans->ctx.nlh,
3369 trans->ctx.afi->family);
3370 nft_trans_destroy(trans);
3372 case NFT_MSG_DELCHAIN:
3373 trans->ctx.table->use--;
3374 nf_tables_chain_notify(trans->ctx.skb, trans->ctx.nlh,
3378 trans->ctx.afi->family);
3379 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3380 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3381 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3382 trans->ctx.afi->nops);
3385 case NFT_MSG_NEWRULE:
3386 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3387 nf_tables_rule_notify(trans->ctx.skb, trans->ctx.nlh,
3390 nft_trans_rule(trans),
3392 trans->ctx.afi->family);
3393 nft_trans_destroy(trans);
3395 case NFT_MSG_DELRULE:
3396 list_del_rcu(&nft_trans_rule(trans)->list);
3397 nf_tables_rule_notify(trans->ctx.skb, trans->ctx.nlh,
3400 nft_trans_rule(trans), NFT_MSG_DELRULE, 0,
3401 trans->ctx.afi->family);
3403 case NFT_MSG_NEWSET:
3404 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3405 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3407 nft_trans_destroy(trans);
3409 case NFT_MSG_DELSET:
3410 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3413 case NFT_MSG_NEWSETELEM:
3414 nft_trans_elem_set(trans)->nelems++;
3415 nf_tables_setelem_notify(&trans->ctx,
3416 nft_trans_elem_set(trans),
3417 &nft_trans_elem(trans),
3418 NFT_MSG_NEWSETELEM, 0);
3419 nft_trans_destroy(trans);
3421 case NFT_MSG_DELSETELEM:
3422 nft_trans_elem_set(trans)->nelems--;
3423 nf_tables_setelem_notify(&trans->ctx,
3424 nft_trans_elem_set(trans),
3425 &nft_trans_elem(trans),
3426 NFT_MSG_DELSETELEM, 0);
3427 set = nft_trans_elem_set(trans);
3428 set->ops->get(set, &nft_trans_elem(trans));
3429 set->ops->remove(set, &nft_trans_elem(trans));
3430 nft_trans_destroy(trans);
3435 /* Make sure we don't see any packet traversing old rules */
3438 /* Now we can safely release unused old rules */
3439 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3440 switch (trans->msg_type) {
3441 case NFT_MSG_DELTABLE:
3442 nf_tables_table_destroy(&trans->ctx);
3444 case NFT_MSG_DELCHAIN:
3445 nf_tables_chain_destroy(trans->ctx.chain);
3447 case NFT_MSG_DELRULE:
3448 nf_tables_rule_destroy(&trans->ctx,
3449 nft_trans_rule(trans));
3451 case NFT_MSG_DELSET:
3452 nft_set_destroy(nft_trans_set(trans));
3455 nft_trans_destroy(trans);
3461 static int nf_tables_abort(struct sk_buff *skb)
3463 struct net *net = sock_net(skb->sk);
3464 struct nft_trans *trans, *next;
3465 struct nft_set *set;
3467 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3468 switch (trans->msg_type) {
3469 case NFT_MSG_NEWTABLE:
3470 if (nft_trans_table_update(trans)) {
3471 if (nft_trans_table_enable(trans)) {
3472 nf_tables_table_disable(trans->ctx.afi,
3474 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3476 nft_trans_destroy(trans);
3478 list_del(&trans->ctx.table->list);
3481 case NFT_MSG_DELTABLE:
3482 list_add_tail(&trans->ctx.table->list,
3483 &trans->ctx.afi->tables);
3484 nft_trans_destroy(trans);
3486 case NFT_MSG_NEWCHAIN:
3487 if (nft_trans_chain_update(trans)) {
3488 if (nft_trans_chain_stats(trans))
3489 free_percpu(nft_trans_chain_stats(trans));
3491 nft_trans_destroy(trans);
3493 list_del(&trans->ctx.chain->list);
3494 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3495 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3496 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3497 trans->ctx.afi->nops);
3501 case NFT_MSG_DELCHAIN:
3502 list_add_tail(&trans->ctx.chain->list,
3503 &trans->ctx.table->chains);
3504 nft_trans_destroy(trans);
3506 case NFT_MSG_NEWRULE:
3507 list_del_rcu(&nft_trans_rule(trans)->list);
3509 case NFT_MSG_DELRULE:
3510 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3511 nft_trans_destroy(trans);
3513 case NFT_MSG_NEWSET:
3514 list_del(&nft_trans_set(trans)->list);
3516 case NFT_MSG_DELSET:
3517 list_add_tail(&nft_trans_set(trans)->list,
3518 &trans->ctx.table->sets);
3519 nft_trans_destroy(trans);
3521 case NFT_MSG_NEWSETELEM:
3522 set = nft_trans_elem_set(trans);
3523 set->ops->get(set, &nft_trans_elem(trans));
3524 set->ops->remove(set, &nft_trans_elem(trans));
3525 nft_trans_destroy(trans);
3527 case NFT_MSG_DELSETELEM:
3528 nft_trans_destroy(trans);
3533 /* Make sure we don't see any packet accessing aborted rules */
3536 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3537 switch (trans->msg_type) {
3538 case NFT_MSG_NEWTABLE:
3539 nf_tables_table_destroy(&trans->ctx);
3541 case NFT_MSG_NEWCHAIN:
3542 nf_tables_chain_destroy(trans->ctx.chain);
3544 case NFT_MSG_NEWRULE:
3545 nf_tables_rule_destroy(&trans->ctx,
3546 nft_trans_rule(trans));
3548 case NFT_MSG_NEWSET:
3549 nft_set_destroy(nft_trans_set(trans));
3552 nft_trans_destroy(trans);
3558 static const struct nfnetlink_subsystem nf_tables_subsys = {
3559 .name = "nf_tables",
3560 .subsys_id = NFNL_SUBSYS_NFTABLES,
3561 .cb_count = NFT_MSG_MAX,
3563 .commit = nf_tables_commit,
3564 .abort = nf_tables_abort,
3568 * Loop detection - walk through the ruleset beginning at the destination chain
3569 * of a new jump until either the source chain is reached (loop) or all
3570 * reachable chains have been traversed.
3572 * The loop check is performed whenever a new jump verdict is added to an
3573 * expression or verdict map or a verdict map is bound to a new chain.
3576 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3577 const struct nft_chain *chain);
3579 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3580 const struct nft_set *set,
3581 const struct nft_set_iter *iter,
3582 const struct nft_set_elem *elem)
3584 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3587 switch (elem->data.verdict) {
3590 return nf_tables_check_loops(ctx, elem->data.chain);
3596 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3597 const struct nft_chain *chain)
3599 const struct nft_rule *rule;
3600 const struct nft_expr *expr, *last;
3601 const struct nft_set *set;
3602 struct nft_set_binding *binding;
3603 struct nft_set_iter iter;
3605 if (ctx->chain == chain)
3608 list_for_each_entry(rule, &chain->rules, list) {
3609 nft_rule_for_each_expr(expr, last, rule) {
3610 const struct nft_data *data = NULL;
3613 if (!expr->ops->validate)
3616 err = expr->ops->validate(ctx, expr, &data);
3623 switch (data->verdict) {
3626 err = nf_tables_check_loops(ctx, data->chain);
3635 list_for_each_entry(set, &ctx->table->sets, list) {
3636 if (!(set->flags & NFT_SET_MAP) ||
3637 set->dtype != NFT_DATA_VERDICT)
3640 list_for_each_entry(binding, &set->bindings, list) {
3641 if (binding->chain != chain)
3647 iter.fn = nf_tables_loop_check_setelem;
3649 set->ops->walk(ctx, set, &iter);
3659 * nft_validate_input_register - validate an expressions' input register
3661 * @reg: the register number
3663 * Validate that the input register is one of the general purpose
3666 int nft_validate_input_register(enum nft_registers reg)
3668 if (reg <= NFT_REG_VERDICT)
3670 if (reg > NFT_REG_MAX)
3674 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3677 * nft_validate_output_register - validate an expressions' output register
3679 * @reg: the register number
3681 * Validate that the output register is one of the general purpose
3682 * registers or the verdict register.
3684 int nft_validate_output_register(enum nft_registers reg)
3686 if (reg < NFT_REG_VERDICT)
3688 if (reg > NFT_REG_MAX)
3692 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3695 * nft_validate_data_load - validate an expressions' data load
3697 * @ctx: context of the expression performing the load
3698 * @reg: the destination register number
3699 * @data: the data to load
3700 * @type: the data type
3702 * Validate that a data load uses the appropriate data type for
3703 * the destination register. A value of NULL for the data means
3704 * that its runtime gathered data, which is always of type
3707 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3708 const struct nft_data *data,
3709 enum nft_data_types type)
3714 case NFT_REG_VERDICT:
3715 if (data == NULL || type != NFT_DATA_VERDICT)
3718 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3719 err = nf_tables_check_loops(ctx, data->chain);
3723 if (ctx->chain->level + 1 > data->chain->level) {
3724 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3726 data->chain->level = ctx->chain->level + 1;
3732 if (data != NULL && type != NFT_DATA_VALUE)
3737 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3739 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3740 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3741 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3742 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3745 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3746 struct nft_data_desc *desc, const struct nlattr *nla)
3748 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3749 struct nft_chain *chain;
3752 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3756 if (!tb[NFTA_VERDICT_CODE])
3758 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3760 switch (data->verdict) {
3762 switch (data->verdict & NF_VERDICT_MASK) {
3774 desc->len = sizeof(data->verdict);
3778 if (!tb[NFTA_VERDICT_CHAIN])
3780 chain = nf_tables_chain_lookup(ctx->table,
3781 tb[NFTA_VERDICT_CHAIN]);
3783 return PTR_ERR(chain);
3784 if (chain->flags & NFT_BASE_CHAIN)
3788 data->chain = chain;
3789 desc->len = sizeof(data);
3793 desc->type = NFT_DATA_VERDICT;
3797 static void nft_verdict_uninit(const struct nft_data *data)
3799 switch (data->verdict) {
3807 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3809 struct nlattr *nest;
3811 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3813 goto nla_put_failure;
3815 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3816 goto nla_put_failure;
3818 switch (data->verdict) {
3821 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3822 goto nla_put_failure;
3824 nla_nest_end(skb, nest);
3831 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3832 struct nft_data_desc *desc, const struct nlattr *nla)
3839 if (len > sizeof(data->data))
3842 nla_memcpy(data->data, nla, sizeof(data->data));
3843 desc->type = NFT_DATA_VALUE;
3848 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3851 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3854 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3855 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3856 .len = FIELD_SIZEOF(struct nft_data, data) },
3857 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3861 * nft_data_init - parse nf_tables data netlink attributes
3863 * @ctx: context of the expression using the data
3864 * @data: destination struct nft_data
3865 * @desc: data description
3866 * @nla: netlink attribute containing data
3868 * Parse the netlink data attributes and initialize a struct nft_data.
3869 * The type and length of data are returned in the data description.
3871 * The caller can indicate that it only wants to accept data of type
3872 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3874 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3875 struct nft_data_desc *desc, const struct nlattr *nla)
3877 struct nlattr *tb[NFTA_DATA_MAX + 1];
3880 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3884 if (tb[NFTA_DATA_VALUE])
3885 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3886 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3887 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3890 EXPORT_SYMBOL_GPL(nft_data_init);
3893 * nft_data_uninit - release a nft_data item
3895 * @data: struct nft_data to release
3896 * @type: type of data
3898 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3899 * all others need to be released by calling this function.
3901 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3904 case NFT_DATA_VALUE:
3906 case NFT_DATA_VERDICT:
3907 return nft_verdict_uninit(data);
3912 EXPORT_SYMBOL_GPL(nft_data_uninit);
3914 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3915 enum nft_data_types type, unsigned int len)
3917 struct nlattr *nest;
3920 nest = nla_nest_start(skb, attr);
3925 case NFT_DATA_VALUE:
3926 err = nft_value_dump(skb, data, len);
3928 case NFT_DATA_VERDICT:
3929 err = nft_verdict_dump(skb, data);
3936 nla_nest_end(skb, nest);
3939 EXPORT_SYMBOL_GPL(nft_data_dump);
3941 static int nf_tables_init_net(struct net *net)
3943 INIT_LIST_HEAD(&net->nft.af_info);
3944 INIT_LIST_HEAD(&net->nft.commit_list);
3948 static struct pernet_operations nf_tables_net_ops = {
3949 .init = nf_tables_init_net,
3952 static int __init nf_tables_module_init(void)
3956 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3963 err = nf_tables_core_module_init();
3967 err = nfnetlink_subsys_register(&nf_tables_subsys);
3971 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3972 return register_pernet_subsys(&nf_tables_net_ops);
3974 nf_tables_core_module_exit();
3981 static void __exit nf_tables_module_exit(void)
3983 unregister_pernet_subsys(&nf_tables_net_ops);
3984 nfnetlink_subsys_unregister(&nf_tables_subsys);
3985 nf_tables_core_module_exit();
3989 module_init(nf_tables_module_init);
3990 module_exit(nf_tables_module_exit);
3992 MODULE_LICENSE("GPL");
3993 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3994 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
git.openpandora.org / pandora-kernel.git / blob