2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
108 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
111 struct nft_trans *trans;
113 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
117 trans->msg_type = msg_type;
123 static void nft_trans_destroy(struct nft_trans *trans)
125 list_del(&trans->list);
133 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
134 const struct nlattr *nla)
136 struct nft_table *table;
138 list_for_each_entry(table, &afi->tables, list) {
139 if (!nla_strcmp(nla, table->name))
145 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
146 const struct nlattr *nla)
148 struct nft_table *table;
151 return ERR_PTR(-EINVAL);
153 table = nft_table_lookup(afi, nla);
157 return ERR_PTR(-ENOENT);
160 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
162 return ++table->hgenerator;
165 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
167 static const struct nf_chain_type *
168 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
172 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
173 if (chain_type[family][i] != NULL &&
174 !nla_strcmp(nla, chain_type[family][i]->name))
175 return chain_type[family][i];
180 static const struct nf_chain_type *
181 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
182 const struct nlattr *nla,
185 const struct nf_chain_type *type;
187 type = __nf_tables_chain_type_lookup(afi->family, nla);
190 #ifdef CONFIG_MODULES
192 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
193 request_module("nft-chain-%u-%*.s", afi->family,
194 nla_len(nla)-1, (const char *)nla_data(nla));
195 nfnl_lock(NFNL_SUBSYS_NFTABLES);
196 type = __nf_tables_chain_type_lookup(afi->family, nla);
198 return ERR_PTR(-EAGAIN);
201 return ERR_PTR(-ENOENT);
204 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
205 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
206 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
209 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
210 int event, u32 flags, int family,
211 const struct nft_table *table)
213 struct nlmsghdr *nlh;
214 struct nfgenmsg *nfmsg;
216 event |= NFNL_SUBSYS_NFTABLES << 8;
217 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
219 goto nla_put_failure;
221 nfmsg = nlmsg_data(nlh);
222 nfmsg->nfgen_family = family;
223 nfmsg->version = NFNETLINK_V0;
226 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
227 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
228 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
229 goto nla_put_failure;
231 return nlmsg_end(skb, nlh);
234 nlmsg_trim(skb, nlh);
238 static int nf_tables_table_notify(const struct sk_buff *oskb,
239 const struct nlmsghdr *nlh,
240 const struct nft_table *table,
241 int event, int family)
244 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
245 u32 seq = nlh ? nlh->nlmsg_seq : 0;
246 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
250 report = nlh ? nlmsg_report(nlh) : false;
251 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
255 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
259 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
266 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
270 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
274 static int nf_tables_dump_tables(struct sk_buff *skb,
275 struct netlink_callback *cb)
277 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
278 const struct nft_af_info *afi;
279 const struct nft_table *table;
280 unsigned int idx = 0, s_idx = cb->args[0];
281 struct net *net = sock_net(skb->sk);
282 int family = nfmsg->nfgen_family;
284 list_for_each_entry(afi, &net->nft.af_info, list) {
285 if (family != NFPROTO_UNSPEC && family != afi->family)
288 list_for_each_entry(table, &afi->tables, list) {
292 memset(&cb->args[1], 0,
293 sizeof(cb->args) - sizeof(cb->args[0]));
294 if (nf_tables_fill_table_info(skb,
295 NETLINK_CB(cb->skb).portid,
299 afi->family, table) < 0)
310 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
311 const struct nlmsghdr *nlh,
312 const struct nlattr * const nla[])
314 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
315 const struct nft_af_info *afi;
316 const struct nft_table *table;
317 struct sk_buff *skb2;
318 struct net *net = sock_net(skb->sk);
319 int family = nfmsg->nfgen_family;
322 if (nlh->nlmsg_flags & NLM_F_DUMP) {
323 struct netlink_dump_control c = {
324 .dump = nf_tables_dump_tables,
326 return netlink_dump_start(nlsk, skb, nlh, &c);
329 afi = nf_tables_afinfo_lookup(net, family, false);
333 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
335 return PTR_ERR(table);
337 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
341 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
342 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
347 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
354 static int nf_tables_table_enable(const struct nft_af_info *afi,
355 struct nft_table *table)
357 struct nft_chain *chain;
360 list_for_each_entry(chain, &table->chains, list) {
361 if (!(chain->flags & NFT_BASE_CHAIN))
364 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
372 list_for_each_entry(chain, &table->chains, list) {
373 if (!(chain->flags & NFT_BASE_CHAIN))
379 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
384 static void nf_tables_table_disable(const struct nft_af_info *afi,
385 struct nft_table *table)
387 struct nft_chain *chain;
389 list_for_each_entry(chain, &table->chains, list) {
390 if (chain->flags & NFT_BASE_CHAIN)
391 nf_unregister_hooks(nft_base_chain(chain)->ops,
396 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
397 const struct nlmsghdr *nlh,
398 const struct nlattr * const nla[],
399 struct nft_af_info *afi, struct nft_table *table)
401 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
402 int family = nfmsg->nfgen_family, ret = 0;
404 if (nla[NFTA_TABLE_FLAGS]) {
407 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
408 if (flags & ~NFT_TABLE_F_DORMANT)
411 if ((flags & NFT_TABLE_F_DORMANT) &&
412 !(table->flags & NFT_TABLE_F_DORMANT)) {
413 nf_tables_table_disable(afi, table);
414 table->flags |= NFT_TABLE_F_DORMANT;
415 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
416 table->flags & NFT_TABLE_F_DORMANT) {
417 ret = nf_tables_table_enable(afi, table);
419 table->flags &= ~NFT_TABLE_F_DORMANT;
425 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
430 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
431 const struct nlmsghdr *nlh,
432 const struct nlattr * const nla[])
434 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
435 const struct nlattr *name;
436 struct nft_af_info *afi;
437 struct nft_table *table;
438 struct net *net = sock_net(skb->sk);
439 int family = nfmsg->nfgen_family;
442 afi = nf_tables_afinfo_lookup(net, family, true);
446 name = nla[NFTA_TABLE_NAME];
447 table = nf_tables_table_lookup(afi, name);
449 if (PTR_ERR(table) != -ENOENT)
450 return PTR_ERR(table);
455 if (nlh->nlmsg_flags & NLM_F_EXCL)
457 if (nlh->nlmsg_flags & NLM_F_REPLACE)
459 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
462 if (nla[NFTA_TABLE_FLAGS]) {
463 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
464 if (flags & ~NFT_TABLE_F_DORMANT)
468 if (!try_module_get(afi->owner))
469 return -EAFNOSUPPORT;
471 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
473 module_put(afi->owner);
477 nla_strlcpy(table->name, name, nla_len(name));
478 INIT_LIST_HEAD(&table->chains);
479 INIT_LIST_HEAD(&table->sets);
480 table->flags = flags;
482 list_add_tail(&table->list, &afi->tables);
483 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
487 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
488 const struct nlmsghdr *nlh,
489 const struct nlattr * const nla[])
491 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
492 struct nft_af_info *afi;
493 struct nft_table *table;
494 struct net *net = sock_net(skb->sk);
495 int family = nfmsg->nfgen_family;
497 afi = nf_tables_afinfo_lookup(net, family, false);
501 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
503 return PTR_ERR(table);
505 if (!list_empty(&table->chains) || !list_empty(&table->sets))
508 list_del(&table->list);
509 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
511 module_put(afi->owner);
515 int nft_register_chain_type(const struct nf_chain_type *ctype)
519 nfnl_lock(NFNL_SUBSYS_NFTABLES);
520 if (chain_type[ctype->family][ctype->type] != NULL) {
524 chain_type[ctype->family][ctype->type] = ctype;
526 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
529 EXPORT_SYMBOL_GPL(nft_register_chain_type);
531 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
533 nfnl_lock(NFNL_SUBSYS_NFTABLES);
534 chain_type[ctype->family][ctype->type] = NULL;
535 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
537 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
543 static struct nft_chain *
544 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
546 struct nft_chain *chain;
548 list_for_each_entry(chain, &table->chains, list) {
549 if (chain->handle == handle)
553 return ERR_PTR(-ENOENT);
556 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
557 const struct nlattr *nla)
559 struct nft_chain *chain;
562 return ERR_PTR(-EINVAL);
564 list_for_each_entry(chain, &table->chains, list) {
565 if (!nla_strcmp(nla, chain->name))
569 return ERR_PTR(-ENOENT);
572 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
573 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
574 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
575 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
576 .len = NFT_CHAIN_MAXNAMELEN - 1 },
577 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
578 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
579 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
580 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
583 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
584 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
585 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
588 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
590 struct nft_stats *cpu_stats, total;
594 memset(&total, 0, sizeof(total));
595 for_each_possible_cpu(cpu) {
596 cpu_stats = per_cpu_ptr(stats, cpu);
597 total.pkts += cpu_stats->pkts;
598 total.bytes += cpu_stats->bytes;
600 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
602 goto nla_put_failure;
604 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
605 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
606 goto nla_put_failure;
608 nla_nest_end(skb, nest);
615 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
616 int event, u32 flags, int family,
617 const struct nft_table *table,
618 const struct nft_chain *chain)
620 struct nlmsghdr *nlh;
621 struct nfgenmsg *nfmsg;
623 event |= NFNL_SUBSYS_NFTABLES << 8;
624 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
626 goto nla_put_failure;
628 nfmsg = nlmsg_data(nlh);
629 nfmsg->nfgen_family = family;
630 nfmsg->version = NFNETLINK_V0;
633 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
634 goto nla_put_failure;
635 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
636 goto nla_put_failure;
637 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
638 goto nla_put_failure;
640 if (chain->flags & NFT_BASE_CHAIN) {
641 const struct nft_base_chain *basechain = nft_base_chain(chain);
642 const struct nf_hook_ops *ops = &basechain->ops[0];
645 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
647 goto nla_put_failure;
648 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
649 goto nla_put_failure;
650 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
651 goto nla_put_failure;
652 nla_nest_end(skb, nest);
654 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
655 htonl(basechain->policy)))
656 goto nla_put_failure;
658 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
659 goto nla_put_failure;
661 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
662 goto nla_put_failure;
665 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
666 goto nla_put_failure;
668 return nlmsg_end(skb, nlh);
671 nlmsg_trim(skb, nlh);
675 static int nf_tables_chain_notify(const struct sk_buff *oskb,
676 const struct nlmsghdr *nlh,
677 const struct nft_table *table,
678 const struct nft_chain *chain,
679 int event, int family)
682 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
683 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
684 u32 seq = nlh ? nlh->nlmsg_seq : 0;
688 report = nlh ? nlmsg_report(nlh) : false;
689 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
693 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
697 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
704 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
708 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
712 static int nf_tables_dump_chains(struct sk_buff *skb,
713 struct netlink_callback *cb)
715 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
716 const struct nft_af_info *afi;
717 const struct nft_table *table;
718 const struct nft_chain *chain;
719 unsigned int idx = 0, s_idx = cb->args[0];
720 struct net *net = sock_net(skb->sk);
721 int family = nfmsg->nfgen_family;
723 list_for_each_entry(afi, &net->nft.af_info, list) {
724 if (family != NFPROTO_UNSPEC && family != afi->family)
727 list_for_each_entry(table, &afi->tables, list) {
728 list_for_each_entry(chain, &table->chains, list) {
732 memset(&cb->args[1], 0,
733 sizeof(cb->args) - sizeof(cb->args[0]));
734 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
738 afi->family, table, chain) < 0)
751 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
752 const struct nlmsghdr *nlh,
753 const struct nlattr * const nla[])
755 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
756 const struct nft_af_info *afi;
757 const struct nft_table *table;
758 const struct nft_chain *chain;
759 struct sk_buff *skb2;
760 struct net *net = sock_net(skb->sk);
761 int family = nfmsg->nfgen_family;
764 if (nlh->nlmsg_flags & NLM_F_DUMP) {
765 struct netlink_dump_control c = {
766 .dump = nf_tables_dump_chains,
768 return netlink_dump_start(nlsk, skb, nlh, &c);
771 afi = nf_tables_afinfo_lookup(net, family, false);
775 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
777 return PTR_ERR(table);
779 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
781 return PTR_ERR(chain);
782 if (chain->flags & NFT_CHAIN_INACTIVE)
785 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
789 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
790 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
791 family, table, chain);
795 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
802 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
803 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
804 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
807 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
809 struct nlattr *tb[NFTA_COUNTER_MAX+1];
810 struct nft_stats __percpu *newstats;
811 struct nft_stats *stats;
814 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
818 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
819 return ERR_PTR(-EINVAL);
821 newstats = alloc_percpu(struct nft_stats);
822 if (newstats == NULL)
823 return ERR_PTR(-ENOMEM);
825 /* Restore old counters on this cpu, no problem. Per-cpu statistics
826 * are not exposed to userspace.
828 stats = this_cpu_ptr(newstats);
829 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
830 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
835 static void nft_chain_stats_replace(struct nft_base_chain *chain,
836 struct nft_stats __percpu *newstats)
839 struct nft_stats __percpu *oldstats =
840 nft_dereference(chain->stats);
842 rcu_assign_pointer(chain->stats, newstats);
844 free_percpu(oldstats);
846 rcu_assign_pointer(chain->stats, newstats);
849 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
851 struct nft_trans *trans;
853 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
857 if (msg_type == NFT_MSG_NEWCHAIN)
858 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
860 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
864 static void nf_tables_chain_destroy(struct nft_chain *chain)
866 BUG_ON(chain->use > 0);
868 if (chain->flags & NFT_BASE_CHAIN) {
869 module_put(nft_base_chain(chain)->type->owner);
870 free_percpu(nft_base_chain(chain)->stats);
871 kfree(nft_base_chain(chain));
877 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
878 const struct nlmsghdr *nlh,
879 const struct nlattr * const nla[])
881 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
882 const struct nlattr * uninitialized_var(name);
883 struct nft_af_info *afi;
884 struct nft_table *table;
885 struct nft_chain *chain;
886 struct nft_base_chain *basechain = NULL;
887 struct nlattr *ha[NFTA_HOOK_MAX + 1];
888 struct net *net = sock_net(skb->sk);
889 int family = nfmsg->nfgen_family;
890 u8 policy = NF_ACCEPT;
893 struct nft_stats __percpu *stats;
898 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
900 afi = nf_tables_afinfo_lookup(net, family, true);
904 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
906 return PTR_ERR(table);
909 name = nla[NFTA_CHAIN_NAME];
911 if (nla[NFTA_CHAIN_HANDLE]) {
912 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
913 chain = nf_tables_chain_lookup_byhandle(table, handle);
915 return PTR_ERR(chain);
917 chain = nf_tables_chain_lookup(table, name);
919 if (PTR_ERR(chain) != -ENOENT)
920 return PTR_ERR(chain);
925 if (nla[NFTA_CHAIN_POLICY]) {
926 if ((chain != NULL &&
927 !(chain->flags & NFT_BASE_CHAIN)) ||
928 nla[NFTA_CHAIN_HOOK] == NULL)
931 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
942 struct nft_stats *stats = NULL;
943 struct nft_trans *trans;
945 if (chain->flags & NFT_CHAIN_INACTIVE)
947 if (nlh->nlmsg_flags & NLM_F_EXCL)
949 if (nlh->nlmsg_flags & NLM_F_REPLACE)
952 if (nla[NFTA_CHAIN_HANDLE] && name &&
953 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
956 if (nla[NFTA_CHAIN_COUNTERS]) {
957 if (!(chain->flags & NFT_BASE_CHAIN))
960 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
962 return PTR_ERR(stats);
965 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
966 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
967 sizeof(struct nft_trans_chain));
971 nft_trans_chain_stats(trans) = stats;
972 nft_trans_chain_update(trans) = true;
974 if (nla[NFTA_CHAIN_POLICY])
975 nft_trans_chain_policy(trans) = policy;
977 nft_trans_chain_policy(trans) = -1;
979 if (nla[NFTA_CHAIN_HANDLE] && name) {
980 nla_strlcpy(nft_trans_chain_name(trans), name,
981 NFT_CHAIN_MAXNAMELEN);
983 list_add_tail(&trans->list, &net->nft.commit_list);
987 if (table->use == UINT_MAX)
990 if (nla[NFTA_CHAIN_HOOK]) {
991 const struct nf_chain_type *type;
992 struct nf_hook_ops *ops;
994 u32 hooknum, priority;
996 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
997 if (nla[NFTA_CHAIN_TYPE]) {
998 type = nf_tables_chain_type_lookup(afi,
999 nla[NFTA_CHAIN_TYPE],
1002 return PTR_ERR(type);
1005 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1009 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1010 ha[NFTA_HOOK_PRIORITY] == NULL)
1013 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1014 if (hooknum >= afi->nhooks)
1016 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1018 if (!(type->hook_mask & (1 << hooknum)))
1020 if (!try_module_get(type->owner))
1022 hookfn = type->hooks[hooknum];
1024 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1025 if (basechain == NULL)
1028 if (nla[NFTA_CHAIN_COUNTERS]) {
1029 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1030 if (IS_ERR(stats)) {
1031 module_put(type->owner);
1033 return PTR_ERR(stats);
1035 basechain->stats = stats;
1037 stats = alloc_percpu(struct nft_stats);
1038 if (IS_ERR(stats)) {
1039 module_put(type->owner);
1041 return PTR_ERR(stats);
1043 rcu_assign_pointer(basechain->stats, stats);
1046 basechain->type = type;
1047 chain = &basechain->chain;
1049 for (i = 0; i < afi->nops; i++) {
1050 ops = &basechain->ops[i];
1052 ops->owner = afi->owner;
1053 ops->hooknum = hooknum;
1054 ops->priority = priority;
1056 ops->hook = afi->hooks[ops->hooknum];
1059 if (afi->hook_ops_init)
1060 afi->hook_ops_init(ops, i);
1063 chain->flags |= NFT_BASE_CHAIN;
1064 basechain->policy = policy;
1066 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1071 INIT_LIST_HEAD(&chain->rules);
1072 chain->handle = nf_tables_alloc_handle(table);
1074 chain->table = table;
1075 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1077 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1078 chain->flags & NFT_BASE_CHAIN) {
1079 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1084 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1085 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1089 list_add_tail(&chain->list, &table->chains);
1092 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1093 chain->flags & NFT_BASE_CHAIN) {
1094 nf_unregister_hooks(nft_base_chain(chain)->ops,
1098 nf_tables_chain_destroy(chain);
1102 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1103 const struct nlmsghdr *nlh,
1104 const struct nlattr * const nla[])
1106 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1107 struct nft_af_info *afi;
1108 struct nft_table *table;
1109 struct nft_chain *chain;
1110 struct net *net = sock_net(skb->sk);
1111 int family = nfmsg->nfgen_family;
1115 afi = nf_tables_afinfo_lookup(net, family, false);
1117 return PTR_ERR(afi);
1119 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1121 return PTR_ERR(table);
1123 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1125 return PTR_ERR(chain);
1126 if (chain->flags & NFT_CHAIN_INACTIVE)
1128 if (!list_empty(&chain->rules) || chain->use > 0)
1131 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1132 err = nft_trans_chain_add(&ctx, NFT_MSG_DELCHAIN);
1136 list_del(&chain->list);
1145 * nft_register_expr - register nf_tables expr type
1148 * Registers the expr type for use with nf_tables. Returns zero on
1149 * success or a negative errno code otherwise.
1151 int nft_register_expr(struct nft_expr_type *type)
1153 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1154 if (type->family == NFPROTO_UNSPEC)
1155 list_add_tail(&type->list, &nf_tables_expressions);
1157 list_add(&type->list, &nf_tables_expressions);
1158 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1161 EXPORT_SYMBOL_GPL(nft_register_expr);
1164 * nft_unregister_expr - unregister nf_tables expr type
1167 * Unregisters the expr typefor use with nf_tables.
1169 void nft_unregister_expr(struct nft_expr_type *type)
1171 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1172 list_del(&type->list);
1173 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1175 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1177 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1180 const struct nft_expr_type *type;
1182 list_for_each_entry(type, &nf_tables_expressions, list) {
1183 if (!nla_strcmp(nla, type->name) &&
1184 (!type->family || type->family == family))
1190 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1193 const struct nft_expr_type *type;
1196 return ERR_PTR(-EINVAL);
1198 type = __nft_expr_type_get(family, nla);
1199 if (type != NULL && try_module_get(type->owner))
1202 #ifdef CONFIG_MODULES
1204 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1205 request_module("nft-expr-%u-%.*s", family,
1206 nla_len(nla), (char *)nla_data(nla));
1207 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1208 if (__nft_expr_type_get(family, nla))
1209 return ERR_PTR(-EAGAIN);
1211 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1212 request_module("nft-expr-%.*s",
1213 nla_len(nla), (char *)nla_data(nla));
1214 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1215 if (__nft_expr_type_get(family, nla))
1216 return ERR_PTR(-EAGAIN);
1219 return ERR_PTR(-ENOENT);
1222 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1223 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1224 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1227 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1228 const struct nft_expr *expr)
1230 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1231 goto nla_put_failure;
1233 if (expr->ops->dump) {
1234 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1236 goto nla_put_failure;
1237 if (expr->ops->dump(skb, expr) < 0)
1238 goto nla_put_failure;
1239 nla_nest_end(skb, data);
1248 struct nft_expr_info {
1249 const struct nft_expr_ops *ops;
1250 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1253 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1254 const struct nlattr *nla,
1255 struct nft_expr_info *info)
1257 const struct nft_expr_type *type;
1258 const struct nft_expr_ops *ops;
1259 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1262 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1266 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1268 return PTR_ERR(type);
1270 if (tb[NFTA_EXPR_DATA]) {
1271 err = nla_parse_nested(info->tb, type->maxattr,
1272 tb[NFTA_EXPR_DATA], type->policy);
1276 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1278 if (type->select_ops != NULL) {
1279 ops = type->select_ops(ctx,
1280 (const struct nlattr * const *)info->tb);
1292 module_put(type->owner);
1296 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1297 const struct nft_expr_info *info,
1298 struct nft_expr *expr)
1300 const struct nft_expr_ops *ops = info->ops;
1305 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1317 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1318 struct nft_expr *expr)
1320 if (expr->ops->destroy)
1321 expr->ops->destroy(ctx, expr);
1322 module_put(expr->ops->type->owner);
1329 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1332 struct nft_rule *rule;
1334 // FIXME: this sucks
1335 list_for_each_entry(rule, &chain->rules, list) {
1336 if (handle == rule->handle)
1340 return ERR_PTR(-ENOENT);
1343 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1344 const struct nlattr *nla)
1347 return ERR_PTR(-EINVAL);
1349 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1352 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1353 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1354 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1355 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1356 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1357 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1358 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1359 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1360 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1361 .len = NFT_USERDATA_MAXLEN },
1364 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1365 int event, u32 flags, int family,
1366 const struct nft_table *table,
1367 const struct nft_chain *chain,
1368 const struct nft_rule *rule)
1370 struct nlmsghdr *nlh;
1371 struct nfgenmsg *nfmsg;
1372 const struct nft_expr *expr, *next;
1373 struct nlattr *list;
1374 const struct nft_rule *prule;
1375 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1377 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1380 goto nla_put_failure;
1382 nfmsg = nlmsg_data(nlh);
1383 nfmsg->nfgen_family = family;
1384 nfmsg->version = NFNETLINK_V0;
1387 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1388 goto nla_put_failure;
1389 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1390 goto nla_put_failure;
1391 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1392 goto nla_put_failure;
1394 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1395 prule = list_entry(rule->list.prev, struct nft_rule, list);
1396 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1397 cpu_to_be64(prule->handle)))
1398 goto nla_put_failure;
1401 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1403 goto nla_put_failure;
1404 nft_rule_for_each_expr(expr, next, rule) {
1405 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1407 goto nla_put_failure;
1408 if (nf_tables_fill_expr_info(skb, expr) < 0)
1409 goto nla_put_failure;
1410 nla_nest_end(skb, elem);
1412 nla_nest_end(skb, list);
1415 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1416 goto nla_put_failure;
1418 return nlmsg_end(skb, nlh);
1421 nlmsg_trim(skb, nlh);
1425 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1426 const struct nlmsghdr *nlh,
1427 const struct nft_table *table,
1428 const struct nft_chain *chain,
1429 const struct nft_rule *rule,
1430 int event, u32 flags, int family)
1432 struct sk_buff *skb;
1433 u32 portid = NETLINK_CB(oskb).portid;
1434 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1435 u32 seq = nlh->nlmsg_seq;
1439 report = nlmsg_report(nlh);
1440 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1444 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1448 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1449 family, table, chain, rule);
1455 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1459 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1464 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1466 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1469 static inline int gencursor_next(struct net *net)
1471 return net->nft.gencursor+1 == 1 ? 1 : 0;
1475 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1477 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1481 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1483 /* Now inactive, will be active in the future */
1484 rule->genmask = (1 << net->nft.gencursor);
1488 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1490 rule->genmask = (1 << gencursor_next(net));
1493 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1498 static int nf_tables_dump_rules(struct sk_buff *skb,
1499 struct netlink_callback *cb)
1501 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1502 const struct nft_af_info *afi;
1503 const struct nft_table *table;
1504 const struct nft_chain *chain;
1505 const struct nft_rule *rule;
1506 unsigned int idx = 0, s_idx = cb->args[0];
1507 struct net *net = sock_net(skb->sk);
1508 int family = nfmsg->nfgen_family;
1509 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1510 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1512 list_for_each_entry(afi, &net->nft.af_info, list) {
1513 if (family != NFPROTO_UNSPEC && family != afi->family)
1516 list_for_each_entry(table, &afi->tables, list) {
1517 list_for_each_entry(chain, &table->chains, list) {
1518 list_for_each_entry(rule, &chain->rules, list) {
1519 if (!nft_rule_is_active(net, rule))
1524 memset(&cb->args[1], 0,
1525 sizeof(cb->args) - sizeof(cb->args[0]));
1526 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1529 NLM_F_MULTI | NLM_F_APPEND,
1530 afi->family, table, chain, rule) < 0)
1539 /* Invalidate this dump, a transition to the new generation happened */
1540 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1547 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1548 const struct nlmsghdr *nlh,
1549 const struct nlattr * const nla[])
1551 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1552 const struct nft_af_info *afi;
1553 const struct nft_table *table;
1554 const struct nft_chain *chain;
1555 const struct nft_rule *rule;
1556 struct sk_buff *skb2;
1557 struct net *net = sock_net(skb->sk);
1558 int family = nfmsg->nfgen_family;
1561 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1562 struct netlink_dump_control c = {
1563 .dump = nf_tables_dump_rules,
1565 return netlink_dump_start(nlsk, skb, nlh, &c);
1568 afi = nf_tables_afinfo_lookup(net, family, false);
1570 return PTR_ERR(afi);
1572 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1574 return PTR_ERR(table);
1576 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1578 return PTR_ERR(chain);
1579 if (chain->flags & NFT_CHAIN_INACTIVE)
1582 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1584 return PTR_ERR(rule);
1586 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1590 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1591 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1592 family, table, chain, rule);
1596 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1603 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1604 struct nft_rule *rule)
1606 struct nft_expr *expr;
1609 * Careful: some expressions might not be initialized in case this
1610 * is called on error from nf_tables_newrule().
1612 expr = nft_expr_first(rule);
1613 while (expr->ops && expr != nft_expr_last(rule)) {
1614 nf_tables_expr_destroy(ctx, expr);
1615 expr = nft_expr_next(expr);
1620 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
1621 struct nft_rule *rule)
1623 struct nft_trans *trans;
1625 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
1629 nft_trans_rule(trans) = rule;
1630 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1635 #define NFT_RULE_MAXEXPRS 128
1637 static struct nft_expr_info *info;
1639 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1640 const struct nlmsghdr *nlh,
1641 const struct nlattr * const nla[])
1643 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1644 struct nft_af_info *afi;
1645 struct net *net = sock_net(skb->sk);
1646 struct nft_table *table;
1647 struct nft_chain *chain;
1648 struct nft_rule *rule, *old_rule = NULL;
1649 struct nft_trans *trans = NULL;
1650 struct nft_expr *expr;
1653 unsigned int size, i, n, ulen = 0;
1656 u64 handle, pos_handle;
1658 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1660 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1662 return PTR_ERR(afi);
1664 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1666 return PTR_ERR(table);
1668 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1670 return PTR_ERR(chain);
1672 if (nla[NFTA_RULE_HANDLE]) {
1673 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1674 rule = __nf_tables_rule_lookup(chain, handle);
1676 return PTR_ERR(rule);
1678 if (nlh->nlmsg_flags & NLM_F_EXCL)
1680 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1685 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1687 handle = nf_tables_alloc_handle(table);
1690 if (nla[NFTA_RULE_POSITION]) {
1691 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1694 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1695 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1696 if (IS_ERR(old_rule))
1697 return PTR_ERR(old_rule);
1700 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1704 if (nla[NFTA_RULE_EXPRESSIONS]) {
1705 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1707 if (nla_type(tmp) != NFTA_LIST_ELEM)
1709 if (n == NFT_RULE_MAXEXPRS)
1711 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1714 size += info[n].ops->size;
1719 if (nla[NFTA_RULE_USERDATA])
1720 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1723 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1727 nft_rule_activate_next(net, rule);
1729 rule->handle = handle;
1734 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1736 expr = nft_expr_first(rule);
1737 for (i = 0; i < n; i++) {
1738 err = nf_tables_newexpr(&ctx, &info[i], expr);
1742 expr = nft_expr_next(expr);
1745 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1746 if (nft_rule_is_active_next(net, old_rule)) {
1747 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE,
1749 if (trans == NULL) {
1753 nft_rule_disactivate_next(net, old_rule);
1754 list_add_tail(&rule->list, &old_rule->list);
1759 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1761 list_add_rcu(&rule->list, &old_rule->list);
1763 list_add_tail_rcu(&rule->list, &chain->rules);
1766 list_add_tail_rcu(&rule->list, &old_rule->list);
1768 list_add_rcu(&rule->list, &chain->rules);
1771 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
1778 list_del_rcu(&rule->list);
1780 list_del_rcu(&nft_trans_rule(trans)->list);
1781 nft_rule_clear(net, nft_trans_rule(trans));
1782 nft_trans_destroy(trans);
1785 nf_tables_rule_destroy(&ctx, rule);
1787 for (i = 0; i < n; i++) {
1788 if (info[i].ops != NULL)
1789 module_put(info[i].ops->type->owner);
1795 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1797 /* You cannot delete the same rule twice */
1798 if (nft_rule_is_active_next(ctx->net, rule)) {
1799 if (nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule) == NULL)
1801 nft_rule_disactivate_next(ctx->net, rule);
1807 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1809 struct nft_rule *rule;
1812 list_for_each_entry(rule, &ctx->chain->rules, list) {
1813 err = nf_tables_delrule_one(ctx, rule);
1820 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1821 const struct nlmsghdr *nlh,
1822 const struct nlattr * const nla[])
1824 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1825 struct nft_af_info *afi;
1826 struct net *net = sock_net(skb->sk);
1827 struct nft_table *table;
1828 struct nft_chain *chain = NULL;
1829 struct nft_rule *rule;
1830 int family = nfmsg->nfgen_family, err = 0;
1833 afi = nf_tables_afinfo_lookup(net, family, false);
1835 return PTR_ERR(afi);
1837 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1839 return PTR_ERR(table);
1841 if (nla[NFTA_RULE_CHAIN]) {
1842 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1844 return PTR_ERR(chain);
1847 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1850 if (nla[NFTA_RULE_HANDLE]) {
1851 rule = nf_tables_rule_lookup(chain,
1852 nla[NFTA_RULE_HANDLE]);
1854 return PTR_ERR(rule);
1856 err = nf_tables_delrule_one(&ctx, rule);
1858 err = nf_table_delrule_by_chain(&ctx);
1861 list_for_each_entry(chain, &table->chains, list) {
1863 err = nf_table_delrule_by_chain(&ctx);
1876 static LIST_HEAD(nf_tables_set_ops);
1878 int nft_register_set(struct nft_set_ops *ops)
1880 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1881 list_add_tail(&ops->list, &nf_tables_set_ops);
1882 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1885 EXPORT_SYMBOL_GPL(nft_register_set);
1887 void nft_unregister_set(struct nft_set_ops *ops)
1889 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1890 list_del(&ops->list);
1891 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1893 EXPORT_SYMBOL_GPL(nft_unregister_set);
1896 * Select a set implementation based on the data characteristics and the
1897 * given policy. The total memory use might not be known if no size is
1898 * given, in that case the amount of memory per element is used.
1900 static const struct nft_set_ops *
1901 nft_select_set_ops(const struct nlattr * const nla[],
1902 const struct nft_set_desc *desc,
1903 enum nft_set_policies policy)
1905 const struct nft_set_ops *ops, *bops;
1906 struct nft_set_estimate est, best;
1909 #ifdef CONFIG_MODULES
1910 if (list_empty(&nf_tables_set_ops)) {
1911 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1912 request_module("nft-set");
1913 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1914 if (!list_empty(&nf_tables_set_ops))
1915 return ERR_PTR(-EAGAIN);
1919 if (nla[NFTA_SET_FLAGS] != NULL) {
1920 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1921 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1928 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1929 if ((ops->features & features) != features)
1931 if (!ops->estimate(desc, features, &est))
1935 case NFT_SET_POL_PERFORMANCE:
1936 if (est.class < best.class)
1938 if (est.class == best.class && est.size < best.size)
1941 case NFT_SET_POL_MEMORY:
1942 if (est.size < best.size)
1944 if (est.size == best.size && est.class < best.class)
1951 if (!try_module_get(ops->owner))
1954 module_put(bops->owner);
1963 return ERR_PTR(-EOPNOTSUPP);
1966 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1967 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1968 [NFTA_SET_NAME] = { .type = NLA_STRING },
1969 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1970 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1971 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1972 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1973 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1974 [NFTA_SET_POLICY] = { .type = NLA_U32 },
1975 [NFTA_SET_DESC] = { .type = NLA_NESTED },
1976 [NFTA_SET_ID] = { .type = NLA_U32 },
1979 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
1980 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
1983 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1984 const struct sk_buff *skb,
1985 const struct nlmsghdr *nlh,
1986 const struct nlattr * const nla[])
1988 struct net *net = sock_net(skb->sk);
1989 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1990 struct nft_af_info *afi = NULL;
1991 struct nft_table *table = NULL;
1993 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
1994 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1996 return PTR_ERR(afi);
1999 if (nla[NFTA_SET_TABLE] != NULL) {
2001 return -EAFNOSUPPORT;
2003 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2005 return PTR_ERR(table);
2008 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2012 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2013 const struct nlattr *nla)
2015 struct nft_set *set;
2018 return ERR_PTR(-EINVAL);
2020 list_for_each_entry(set, &table->sets, list) {
2021 if (!nla_strcmp(nla, set->name))
2024 return ERR_PTR(-ENOENT);
2027 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2028 const struct nlattr *nla)
2030 struct nft_trans *trans;
2031 u32 id = ntohl(nla_get_be32(nla));
2033 list_for_each_entry(trans, &net->nft.commit_list, list) {
2034 if (trans->msg_type == NFT_MSG_NEWSET &&
2035 id == nft_trans_set_id(trans))
2036 return nft_trans_set(trans);
2038 return ERR_PTR(-ENOENT);
2041 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2044 const struct nft_set *i;
2046 unsigned long *inuse;
2047 unsigned int n = 0, min = 0;
2049 p = strnchr(name, IFNAMSIZ, '%');
2051 if (p[1] != 'd' || strchr(p + 2, '%'))
2054 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2058 list_for_each_entry(i, &ctx->table->sets, list) {
2061 if (!sscanf(i->name, name, &tmp))
2063 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2066 set_bit(tmp - min, inuse);
2069 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2070 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2071 min += BITS_PER_BYTE * PAGE_SIZE;
2072 memset(inuse, 0, PAGE_SIZE);
2075 free_page((unsigned long)inuse);
2078 snprintf(set->name, sizeof(set->name), name, min + n);
2079 list_for_each_entry(i, &ctx->table->sets, list) {
2080 if (!strcmp(set->name, i->name))
2086 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2087 const struct nft_set *set, u16 event, u16 flags)
2089 struct nfgenmsg *nfmsg;
2090 struct nlmsghdr *nlh;
2091 struct nlattr *desc;
2092 u32 portid = NETLINK_CB(ctx->skb).portid;
2093 u32 seq = ctx->nlh->nlmsg_seq;
2095 event |= NFNL_SUBSYS_NFTABLES << 8;
2096 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2099 goto nla_put_failure;
2101 nfmsg = nlmsg_data(nlh);
2102 nfmsg->nfgen_family = ctx->afi->family;
2103 nfmsg->version = NFNETLINK_V0;
2106 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2107 goto nla_put_failure;
2108 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2109 goto nla_put_failure;
2110 if (set->flags != 0)
2111 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2112 goto nla_put_failure;
2114 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2115 goto nla_put_failure;
2116 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2117 goto nla_put_failure;
2118 if (set->flags & NFT_SET_MAP) {
2119 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2120 goto nla_put_failure;
2121 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2122 goto nla_put_failure;
2125 desc = nla_nest_start(skb, NFTA_SET_DESC);
2127 goto nla_put_failure;
2129 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2130 goto nla_put_failure;
2131 nla_nest_end(skb, desc);
2133 return nlmsg_end(skb, nlh);
2136 nlmsg_trim(skb, nlh);
2140 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2141 const struct nft_set *set,
2144 struct sk_buff *skb;
2145 u32 portid = NETLINK_CB(ctx->skb).portid;
2149 report = nlmsg_report(ctx->nlh);
2150 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2154 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2158 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2164 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2168 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2172 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2173 struct netlink_callback *cb)
2175 const struct nft_set *set;
2176 unsigned int idx = 0, s_idx = cb->args[0];
2181 list_for_each_entry(set, &ctx->table->sets, list) {
2184 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2197 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2198 struct netlink_callback *cb)
2200 const struct nft_set *set;
2201 unsigned int idx, s_idx = cb->args[0];
2202 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2207 list_for_each_entry(table, &ctx->afi->tables, list) {
2209 if (cur_table != table)
2216 list_for_each_entry(set, &ctx->table->sets, list) {
2219 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2222 cb->args[2] = (unsigned long) table;
2234 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2235 struct netlink_callback *cb)
2237 const struct nft_set *set;
2238 unsigned int idx, s_idx = cb->args[0];
2239 struct nft_af_info *afi;
2240 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2241 struct net *net = sock_net(skb->sk);
2242 int cur_family = cb->args[3];
2247 list_for_each_entry(afi, &net->nft.af_info, list) {
2249 if (afi->family != cur_family)
2255 list_for_each_entry(table, &afi->tables, list) {
2257 if (cur_table != table)
2266 list_for_each_entry(set, &ctx->table->sets, list) {
2269 if (nf_tables_fill_set(skb, ctx, set,
2273 cb->args[2] = (unsigned long) table;
2274 cb->args[3] = afi->family;
2289 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2291 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2292 struct nlattr *nla[NFTA_SET_MAX + 1];
2296 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2301 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2305 if (ctx.table == NULL) {
2306 if (ctx.afi == NULL)
2307 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2309 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2311 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2316 #define NFT_SET_INACTIVE (1 << 15) /* Internal set flag */
2318 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2319 const struct nlmsghdr *nlh,
2320 const struct nlattr * const nla[])
2322 const struct nft_set *set;
2324 struct sk_buff *skb2;
2325 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2328 /* Verify existance before starting dump */
2329 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2333 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2334 struct netlink_dump_control c = {
2335 .dump = nf_tables_dump_sets,
2337 return netlink_dump_start(nlsk, skb, nlh, &c);
2340 /* Only accept unspec with dump */
2341 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2342 return -EAFNOSUPPORT;
2344 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2346 return PTR_ERR(set);
2347 if (set->flags & NFT_SET_INACTIVE)
2350 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2354 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2358 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2365 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2366 struct nft_set_desc *desc,
2367 const struct nlattr *nla)
2369 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2372 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2376 if (da[NFTA_SET_DESC_SIZE] != NULL)
2377 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2382 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
2383 struct nft_set *set)
2385 struct nft_trans *trans;
2387 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
2391 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
2392 nft_trans_set_id(trans) =
2393 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
2394 set->flags |= NFT_SET_INACTIVE;
2396 nft_trans_set(trans) = set;
2397 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2402 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2403 const struct nlmsghdr *nlh,
2404 const struct nlattr * const nla[])
2406 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2407 const struct nft_set_ops *ops;
2408 struct nft_af_info *afi;
2409 struct net *net = sock_net(skb->sk);
2410 struct nft_table *table;
2411 struct nft_set *set;
2413 char name[IFNAMSIZ];
2416 u32 ktype, dtype, flags, policy;
2417 struct nft_set_desc desc;
2420 if (nla[NFTA_SET_TABLE] == NULL ||
2421 nla[NFTA_SET_NAME] == NULL ||
2422 nla[NFTA_SET_KEY_LEN] == NULL ||
2423 nla[NFTA_SET_ID] == NULL)
2426 memset(&desc, 0, sizeof(desc));
2428 ktype = NFT_DATA_VALUE;
2429 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2430 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2431 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2435 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2436 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2440 if (nla[NFTA_SET_FLAGS] != NULL) {
2441 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2442 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2443 NFT_SET_INTERVAL | NFT_SET_MAP))
2448 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2449 if (!(flags & NFT_SET_MAP))
2452 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2453 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2454 dtype != NFT_DATA_VERDICT)
2457 if (dtype != NFT_DATA_VERDICT) {
2458 if (nla[NFTA_SET_DATA_LEN] == NULL)
2460 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2461 if (desc.dlen == 0 ||
2462 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2465 desc.dlen = sizeof(struct nft_data);
2466 } else if (flags & NFT_SET_MAP)
2469 policy = NFT_SET_POL_PERFORMANCE;
2470 if (nla[NFTA_SET_POLICY] != NULL)
2471 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2473 if (nla[NFTA_SET_DESC] != NULL) {
2474 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2479 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2481 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2483 return PTR_ERR(afi);
2485 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2487 return PTR_ERR(table);
2489 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2491 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2493 if (PTR_ERR(set) != -ENOENT)
2494 return PTR_ERR(set);
2499 if (nlh->nlmsg_flags & NLM_F_EXCL)
2501 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2506 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2509 ops = nft_select_set_ops(nla, &desc, policy);
2511 return PTR_ERR(ops);
2514 if (ops->privsize != NULL)
2515 size = ops->privsize(nla);
2518 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2522 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2523 err = nf_tables_set_alloc_name(&ctx, set, name);
2527 INIT_LIST_HEAD(&set->bindings);
2530 set->klen = desc.klen;
2532 set->dlen = desc.dlen;
2534 set->size = desc.size;
2536 err = ops->init(set, &desc, nla);
2540 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2544 list_add_tail(&set->list, &table->sets);
2550 module_put(ops->owner);
2554 static void nft_set_destroy(struct nft_set *set)
2556 set->ops->destroy(set);
2557 module_put(set->ops->owner);
2561 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2563 list_del(&set->list);
2564 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2565 nft_set_destroy(set);
2568 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2569 const struct nlmsghdr *nlh,
2570 const struct nlattr * const nla[])
2572 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2573 struct nft_set *set;
2577 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2578 return -EAFNOSUPPORT;
2579 if (nla[NFTA_SET_TABLE] == NULL)
2582 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2586 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2588 return PTR_ERR(set);
2589 if (set->flags & NFT_SET_INACTIVE)
2591 if (!list_empty(&set->bindings))
2594 err = nft_trans_set_add(&ctx, NFT_MSG_DELSET, set);
2598 list_del(&set->list);
2602 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2603 const struct nft_set *set,
2604 const struct nft_set_iter *iter,
2605 const struct nft_set_elem *elem)
2607 enum nft_registers dreg;
2609 dreg = nft_type_to_reg(set->dtype);
2610 return nft_validate_data_load(ctx, dreg, &elem->data,
2611 set->dtype == NFT_DATA_VERDICT ?
2612 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2615 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2616 struct nft_set_binding *binding)
2618 struct nft_set_binding *i;
2619 struct nft_set_iter iter;
2621 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2624 if (set->flags & NFT_SET_MAP) {
2625 /* If the set is already bound to the same chain all
2626 * jumps are already validated for that chain.
2628 list_for_each_entry(i, &set->bindings, list) {
2629 if (i->chain == binding->chain)
2636 iter.fn = nf_tables_bind_check_setelem;
2638 set->ops->walk(ctx, set, &iter);
2640 /* Destroy anonymous sets if binding fails */
2641 if (set->flags & NFT_SET_ANONYMOUS)
2642 nf_tables_set_destroy(ctx, set);
2648 binding->chain = ctx->chain;
2649 list_add_tail(&binding->list, &set->bindings);
2653 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2654 struct nft_set_binding *binding)
2656 list_del(&binding->list);
2658 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2659 !(set->flags & NFT_SET_INACTIVE))
2660 nf_tables_set_destroy(ctx, set);
2667 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2668 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2669 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2670 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2673 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2674 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2675 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2676 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2677 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
2680 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2681 const struct sk_buff *skb,
2682 const struct nlmsghdr *nlh,
2683 const struct nlattr * const nla[])
2685 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2686 struct nft_af_info *afi;
2687 struct nft_table *table;
2688 struct net *net = sock_net(skb->sk);
2690 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2692 return PTR_ERR(afi);
2694 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2696 return PTR_ERR(table);
2698 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2702 static int nf_tables_fill_setelem(struct sk_buff *skb,
2703 const struct nft_set *set,
2704 const struct nft_set_elem *elem)
2706 unsigned char *b = skb_tail_pointer(skb);
2707 struct nlattr *nest;
2709 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2711 goto nla_put_failure;
2713 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2715 goto nla_put_failure;
2717 if (set->flags & NFT_SET_MAP &&
2718 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2719 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2720 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2722 goto nla_put_failure;
2724 if (elem->flags != 0)
2725 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2726 goto nla_put_failure;
2728 nla_nest_end(skb, nest);
2736 struct nft_set_dump_args {
2737 const struct netlink_callback *cb;
2738 struct nft_set_iter iter;
2739 struct sk_buff *skb;
2742 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2743 const struct nft_set *set,
2744 const struct nft_set_iter *iter,
2745 const struct nft_set_elem *elem)
2747 struct nft_set_dump_args *args;
2749 args = container_of(iter, struct nft_set_dump_args, iter);
2750 return nf_tables_fill_setelem(args->skb, set, elem);
2753 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2755 const struct nft_set *set;
2756 struct nft_set_dump_args args;
2758 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2759 struct nfgenmsg *nfmsg;
2760 struct nlmsghdr *nlh;
2761 struct nlattr *nest;
2765 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2766 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2770 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2774 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2776 return PTR_ERR(set);
2777 if (set->flags & NFT_SET_INACTIVE)
2780 event = NFT_MSG_NEWSETELEM;
2781 event |= NFNL_SUBSYS_NFTABLES << 8;
2782 portid = NETLINK_CB(cb->skb).portid;
2783 seq = cb->nlh->nlmsg_seq;
2785 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2788 goto nla_put_failure;
2790 nfmsg = nlmsg_data(nlh);
2791 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2792 nfmsg->version = NFNETLINK_V0;
2795 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2796 goto nla_put_failure;
2797 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2798 goto nla_put_failure;
2800 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2802 goto nla_put_failure;
2806 args.iter.skip = cb->args[0];
2807 args.iter.count = 0;
2809 args.iter.fn = nf_tables_dump_setelem;
2810 set->ops->walk(&ctx, set, &args.iter);
2812 nla_nest_end(skb, nest);
2813 nlmsg_end(skb, nlh);
2815 if (args.iter.err && args.iter.err != -EMSGSIZE)
2816 return args.iter.err;
2817 if (args.iter.count == cb->args[0])
2820 cb->args[0] = args.iter.count;
2827 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2828 const struct nlmsghdr *nlh,
2829 const struct nlattr * const nla[])
2831 const struct nft_set *set;
2835 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2839 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2841 return PTR_ERR(set);
2842 if (set->flags & NFT_SET_INACTIVE)
2845 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2846 struct netlink_dump_control c = {
2847 .dump = nf_tables_dump_set,
2849 return netlink_dump_start(nlsk, skb, nlh, &c);
2854 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
2855 const struct nft_ctx *ctx, u32 seq,
2856 u32 portid, int event, u16 flags,
2857 const struct nft_set *set,
2858 const struct nft_set_elem *elem)
2860 struct nfgenmsg *nfmsg;
2861 struct nlmsghdr *nlh;
2862 struct nlattr *nest;
2865 event |= NFNL_SUBSYS_NFTABLES << 8;
2866 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2869 goto nla_put_failure;
2871 nfmsg = nlmsg_data(nlh);
2872 nfmsg->nfgen_family = ctx->afi->family;
2873 nfmsg->version = NFNETLINK_V0;
2876 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2877 goto nla_put_failure;
2878 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2879 goto nla_put_failure;
2881 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2883 goto nla_put_failure;
2885 err = nf_tables_fill_setelem(skb, set, elem);
2887 goto nla_put_failure;
2889 nla_nest_end(skb, nest);
2891 return nlmsg_end(skb, nlh);
2894 nlmsg_trim(skb, nlh);
2898 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
2899 const struct nft_set *set,
2900 const struct nft_set_elem *elem,
2901 int event, u16 flags)
2903 const struct sk_buff *oskb = ctx->skb;
2904 struct net *net = sock_net(oskb->sk);
2905 u32 portid = NETLINK_CB(oskb).portid;
2906 bool report = nlmsg_report(ctx->nlh);
2907 struct sk_buff *skb;
2910 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
2914 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2918 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
2925 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
2929 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
2933 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2934 const struct nlattr *attr)
2936 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2937 struct nft_data_desc d1, d2;
2938 struct nft_set_elem elem;
2939 struct nft_set_binding *binding;
2940 enum nft_registers dreg;
2943 if (set->size && set->nelems == set->size)
2946 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2947 nft_set_elem_policy);
2951 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2955 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2956 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2957 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2961 if (set->flags & NFT_SET_MAP) {
2962 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2963 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2965 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
2966 elem.flags & NFT_SET_ELEM_INTERVAL_END)
2969 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2973 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2977 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2981 if (set->ops->get(set, &elem) == 0)
2984 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2985 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2990 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2993 dreg = nft_type_to_reg(set->dtype);
2994 list_for_each_entry(binding, &set->bindings, list) {
2995 struct nft_ctx bind_ctx = {
2997 .table = ctx->table,
2998 .chain = (struct nft_chain *)binding->chain,
3001 err = nft_validate_data_load(&bind_ctx, dreg,
3002 &elem.data, d2.type);
3008 err = set->ops->insert(set, &elem);
3013 nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_NEWSETELEM, 0);
3017 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3018 nft_data_uninit(&elem.data, d2.type);
3020 nft_data_uninit(&elem.key, d1.type);
3025 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
3026 const struct nlmsghdr *nlh,
3027 const struct nlattr * const nla[])
3029 struct net *net = sock_net(skb->sk);
3030 const struct nlattr *attr;
3031 struct nft_set *set;
3035 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
3039 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3041 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3042 set = nf_tables_set_lookup_byid(net,
3043 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3046 return PTR_ERR(set);
3049 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3052 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3053 err = nft_add_set_elem(&ctx, set, attr);
3060 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
3061 const struct nlattr *attr)
3063 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3064 struct nft_data_desc desc;
3065 struct nft_set_elem elem;
3068 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3069 nft_set_elem_policy);
3074 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3077 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
3082 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3085 err = set->ops->get(set, &elem);
3089 set->ops->remove(set, &elem);
3092 nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_DELSETELEM, 0);
3094 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
3095 if (set->flags & NFT_SET_MAP)
3096 nft_data_uninit(&elem.data, set->dtype);
3099 nft_data_uninit(&elem.key, desc.type);
3104 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3105 const struct nlmsghdr *nlh,
3106 const struct nlattr * const nla[])
3108 const struct nlattr *attr;
3109 struct nft_set *set;
3113 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
3117 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3119 return PTR_ERR(set);
3120 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3123 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3124 err = nft_del_setelem(&ctx, set, attr);
3131 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3132 [NFT_MSG_NEWTABLE] = {
3133 .call = nf_tables_newtable,
3134 .attr_count = NFTA_TABLE_MAX,
3135 .policy = nft_table_policy,
3137 [NFT_MSG_GETTABLE] = {
3138 .call = nf_tables_gettable,
3139 .attr_count = NFTA_TABLE_MAX,
3140 .policy = nft_table_policy,
3142 [NFT_MSG_DELTABLE] = {
3143 .call = nf_tables_deltable,
3144 .attr_count = NFTA_TABLE_MAX,
3145 .policy = nft_table_policy,
3147 [NFT_MSG_NEWCHAIN] = {
3148 .call_batch = nf_tables_newchain,
3149 .attr_count = NFTA_CHAIN_MAX,
3150 .policy = nft_chain_policy,
3152 [NFT_MSG_GETCHAIN] = {
3153 .call = nf_tables_getchain,
3154 .attr_count = NFTA_CHAIN_MAX,
3155 .policy = nft_chain_policy,
3157 [NFT_MSG_DELCHAIN] = {
3158 .call_batch = nf_tables_delchain,
3159 .attr_count = NFTA_CHAIN_MAX,
3160 .policy = nft_chain_policy,
3162 [NFT_MSG_NEWRULE] = {
3163 .call_batch = nf_tables_newrule,
3164 .attr_count = NFTA_RULE_MAX,
3165 .policy = nft_rule_policy,
3167 [NFT_MSG_GETRULE] = {
3168 .call = nf_tables_getrule,
3169 .attr_count = NFTA_RULE_MAX,
3170 .policy = nft_rule_policy,
3172 [NFT_MSG_DELRULE] = {
3173 .call_batch = nf_tables_delrule,
3174 .attr_count = NFTA_RULE_MAX,
3175 .policy = nft_rule_policy,
3177 [NFT_MSG_NEWSET] = {
3178 .call_batch = nf_tables_newset,
3179 .attr_count = NFTA_SET_MAX,
3180 .policy = nft_set_policy,
3182 [NFT_MSG_GETSET] = {
3183 .call = nf_tables_getset,
3184 .attr_count = NFTA_SET_MAX,
3185 .policy = nft_set_policy,
3187 [NFT_MSG_DELSET] = {
3188 .call_batch = nf_tables_delset,
3189 .attr_count = NFTA_SET_MAX,
3190 .policy = nft_set_policy,
3192 [NFT_MSG_NEWSETELEM] = {
3193 .call_batch = nf_tables_newsetelem,
3194 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3195 .policy = nft_set_elem_list_policy,
3197 [NFT_MSG_GETSETELEM] = {
3198 .call = nf_tables_getsetelem,
3199 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3200 .policy = nft_set_elem_list_policy,
3202 [NFT_MSG_DELSETELEM] = {
3203 .call_batch = nf_tables_delsetelem,
3204 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3205 .policy = nft_set_elem_list_policy,
3209 static void nft_chain_commit_update(struct nft_trans *trans)
3211 struct nft_base_chain *basechain;
3213 if (nft_trans_chain_name(trans)[0])
3214 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3216 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3219 basechain = nft_base_chain(trans->ctx.chain);
3220 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3222 switch (nft_trans_chain_policy(trans)) {
3225 basechain->policy = nft_trans_chain_policy(trans);
3230 static int nf_tables_commit(struct sk_buff *skb)
3232 struct net *net = sock_net(skb->sk);
3233 struct nft_trans *trans, *next;
3235 /* Bump generation counter, invalidate any dump in progress */
3238 /* A new generation has just started */
3239 net->nft.gencursor = gencursor_next(net);
3241 /* Make sure all packets have left the previous generation before
3242 * purging old rules.
3246 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3247 switch (trans->msg_type) {
3248 case NFT_MSG_NEWCHAIN:
3249 if (nft_trans_chain_update(trans))
3250 nft_chain_commit_update(trans);
3252 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3253 trans->ctx.table->use++;
3255 nf_tables_chain_notify(trans->ctx.skb, trans->ctx.nlh,
3259 trans->ctx.afi->family);
3260 nft_trans_destroy(trans);
3262 case NFT_MSG_DELCHAIN:
3263 trans->ctx.table->use--;
3264 nf_tables_chain_notify(trans->ctx.skb, trans->ctx.nlh,
3268 trans->ctx.afi->family);
3269 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3270 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3271 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3272 trans->ctx.afi->nops);
3275 case NFT_MSG_NEWRULE:
3276 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3277 nf_tables_rule_notify(trans->ctx.skb, trans->ctx.nlh,
3280 nft_trans_rule(trans),
3282 trans->ctx.afi->family);
3283 nft_trans_destroy(trans);
3285 case NFT_MSG_DELRULE:
3286 list_del_rcu(&nft_trans_rule(trans)->list);
3287 nf_tables_rule_notify(trans->ctx.skb, trans->ctx.nlh,
3290 nft_trans_rule(trans), NFT_MSG_DELRULE, 0,
3291 trans->ctx.afi->family);
3293 case NFT_MSG_NEWSET:
3294 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3295 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3297 nft_trans_destroy(trans);
3299 case NFT_MSG_DELSET:
3300 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3306 /* Make sure we don't see any packet traversing old rules */
3309 /* Now we can safely release unused old rules */
3310 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3311 switch (trans->msg_type) {
3312 case NFT_MSG_DELCHAIN:
3313 nf_tables_chain_destroy(trans->ctx.chain);
3315 case NFT_MSG_DELRULE:
3316 nf_tables_rule_destroy(&trans->ctx,
3317 nft_trans_rule(trans));
3319 case NFT_MSG_DELSET:
3320 nft_set_destroy(nft_trans_set(trans));
3323 nft_trans_destroy(trans);
3329 static int nf_tables_abort(struct sk_buff *skb)
3331 struct net *net = sock_net(skb->sk);
3332 struct nft_trans *trans, *next;
3334 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3335 switch (trans->msg_type) {
3336 case NFT_MSG_NEWCHAIN:
3337 if (nft_trans_chain_update(trans)) {
3338 if (nft_trans_chain_stats(trans))
3339 free_percpu(nft_trans_chain_stats(trans));
3341 nft_trans_destroy(trans);
3343 list_del(&trans->ctx.chain->list);
3344 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3345 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3346 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3347 trans->ctx.afi->nops);
3351 case NFT_MSG_DELCHAIN:
3352 list_add_tail(&trans->ctx.chain->list,
3353 &trans->ctx.table->chains);
3354 nft_trans_destroy(trans);
3356 case NFT_MSG_NEWRULE:
3357 list_del_rcu(&nft_trans_rule(trans)->list);
3359 case NFT_MSG_DELRULE:
3360 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3361 nft_trans_destroy(trans);
3363 case NFT_MSG_NEWSET:
3364 list_del(&nft_trans_set(trans)->list);
3366 case NFT_MSG_DELSET:
3367 list_add_tail(&nft_trans_set(trans)->list,
3368 &trans->ctx.table->sets);
3369 nft_trans_destroy(trans);
3374 /* Make sure we don't see any packet accessing aborted rules */
3377 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3378 switch (trans->msg_type) {
3379 case NFT_MSG_NEWCHAIN:
3380 nf_tables_chain_destroy(trans->ctx.chain);
3382 case NFT_MSG_NEWRULE:
3383 nf_tables_rule_destroy(&trans->ctx,
3384 nft_trans_rule(trans));
3386 case NFT_MSG_NEWSET:
3387 nft_set_destroy(nft_trans_set(trans));
3390 nft_trans_destroy(trans);
3396 static const struct nfnetlink_subsystem nf_tables_subsys = {
3397 .name = "nf_tables",
3398 .subsys_id = NFNL_SUBSYS_NFTABLES,
3399 .cb_count = NFT_MSG_MAX,
3401 .commit = nf_tables_commit,
3402 .abort = nf_tables_abort,
3406 * Loop detection - walk through the ruleset beginning at the destination chain
3407 * of a new jump until either the source chain is reached (loop) or all
3408 * reachable chains have been traversed.
3410 * The loop check is performed whenever a new jump verdict is added to an
3411 * expression or verdict map or a verdict map is bound to a new chain.
3414 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3415 const struct nft_chain *chain);
3417 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3418 const struct nft_set *set,
3419 const struct nft_set_iter *iter,
3420 const struct nft_set_elem *elem)
3422 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3425 switch (elem->data.verdict) {
3428 return nf_tables_check_loops(ctx, elem->data.chain);
3434 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3435 const struct nft_chain *chain)
3437 const struct nft_rule *rule;
3438 const struct nft_expr *expr, *last;
3439 const struct nft_set *set;
3440 struct nft_set_binding *binding;
3441 struct nft_set_iter iter;
3443 if (ctx->chain == chain)
3446 list_for_each_entry(rule, &chain->rules, list) {
3447 nft_rule_for_each_expr(expr, last, rule) {
3448 const struct nft_data *data = NULL;
3451 if (!expr->ops->validate)
3454 err = expr->ops->validate(ctx, expr, &data);
3461 switch (data->verdict) {
3464 err = nf_tables_check_loops(ctx, data->chain);
3473 list_for_each_entry(set, &ctx->table->sets, list) {
3474 if (!(set->flags & NFT_SET_MAP) ||
3475 set->dtype != NFT_DATA_VERDICT)
3478 list_for_each_entry(binding, &set->bindings, list) {
3479 if (binding->chain != chain)
3485 iter.fn = nf_tables_loop_check_setelem;
3487 set->ops->walk(ctx, set, &iter);
3497 * nft_validate_input_register - validate an expressions' input register
3499 * @reg: the register number
3501 * Validate that the input register is one of the general purpose
3504 int nft_validate_input_register(enum nft_registers reg)
3506 if (reg <= NFT_REG_VERDICT)
3508 if (reg > NFT_REG_MAX)
3512 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3515 * nft_validate_output_register - validate an expressions' output register
3517 * @reg: the register number
3519 * Validate that the output register is one of the general purpose
3520 * registers or the verdict register.
3522 int nft_validate_output_register(enum nft_registers reg)
3524 if (reg < NFT_REG_VERDICT)
3526 if (reg > NFT_REG_MAX)
3530 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3533 * nft_validate_data_load - validate an expressions' data load
3535 * @ctx: context of the expression performing the load
3536 * @reg: the destination register number
3537 * @data: the data to load
3538 * @type: the data type
3540 * Validate that a data load uses the appropriate data type for
3541 * the destination register. A value of NULL for the data means
3542 * that its runtime gathered data, which is always of type
3545 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3546 const struct nft_data *data,
3547 enum nft_data_types type)
3552 case NFT_REG_VERDICT:
3553 if (data == NULL || type != NFT_DATA_VERDICT)
3556 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3557 err = nf_tables_check_loops(ctx, data->chain);
3561 if (ctx->chain->level + 1 > data->chain->level) {
3562 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3564 data->chain->level = ctx->chain->level + 1;
3570 if (data != NULL && type != NFT_DATA_VALUE)
3575 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3577 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3578 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3579 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3580 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3583 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3584 struct nft_data_desc *desc, const struct nlattr *nla)
3586 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3587 struct nft_chain *chain;
3590 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3594 if (!tb[NFTA_VERDICT_CODE])
3596 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3598 switch (data->verdict) {
3600 switch (data->verdict & NF_VERDICT_MASK) {
3612 desc->len = sizeof(data->verdict);
3616 if (!tb[NFTA_VERDICT_CHAIN])
3618 chain = nf_tables_chain_lookup(ctx->table,
3619 tb[NFTA_VERDICT_CHAIN]);
3621 return PTR_ERR(chain);
3622 if (chain->flags & NFT_BASE_CHAIN)
3626 data->chain = chain;
3627 desc->len = sizeof(data);
3631 desc->type = NFT_DATA_VERDICT;
3635 static void nft_verdict_uninit(const struct nft_data *data)
3637 switch (data->verdict) {
3645 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3647 struct nlattr *nest;
3649 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3651 goto nla_put_failure;
3653 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3654 goto nla_put_failure;
3656 switch (data->verdict) {
3659 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3660 goto nla_put_failure;
3662 nla_nest_end(skb, nest);
3669 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3670 struct nft_data_desc *desc, const struct nlattr *nla)
3677 if (len > sizeof(data->data))
3680 nla_memcpy(data->data, nla, sizeof(data->data));
3681 desc->type = NFT_DATA_VALUE;
3686 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3689 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3692 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3693 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3694 .len = FIELD_SIZEOF(struct nft_data, data) },
3695 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3699 * nft_data_init - parse nf_tables data netlink attributes
3701 * @ctx: context of the expression using the data
3702 * @data: destination struct nft_data
3703 * @desc: data description
3704 * @nla: netlink attribute containing data
3706 * Parse the netlink data attributes and initialize a struct nft_data.
3707 * The type and length of data are returned in the data description.
3709 * The caller can indicate that it only wants to accept data of type
3710 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3712 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3713 struct nft_data_desc *desc, const struct nlattr *nla)
3715 struct nlattr *tb[NFTA_DATA_MAX + 1];
3718 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3722 if (tb[NFTA_DATA_VALUE])
3723 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3724 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3725 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3728 EXPORT_SYMBOL_GPL(nft_data_init);
3731 * nft_data_uninit - release a nft_data item
3733 * @data: struct nft_data to release
3734 * @type: type of data
3736 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3737 * all others need to be released by calling this function.
3739 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3742 case NFT_DATA_VALUE:
3744 case NFT_DATA_VERDICT:
3745 return nft_verdict_uninit(data);
3750 EXPORT_SYMBOL_GPL(nft_data_uninit);
3752 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3753 enum nft_data_types type, unsigned int len)
3755 struct nlattr *nest;
3758 nest = nla_nest_start(skb, attr);
3763 case NFT_DATA_VALUE:
3764 err = nft_value_dump(skb, data, len);
3766 case NFT_DATA_VERDICT:
3767 err = nft_verdict_dump(skb, data);
3774 nla_nest_end(skb, nest);
3777 EXPORT_SYMBOL_GPL(nft_data_dump);
3779 static int nf_tables_init_net(struct net *net)
3781 INIT_LIST_HEAD(&net->nft.af_info);
3782 INIT_LIST_HEAD(&net->nft.commit_list);
3786 static struct pernet_operations nf_tables_net_ops = {
3787 .init = nf_tables_init_net,
3790 static int __init nf_tables_module_init(void)
3794 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3801 err = nf_tables_core_module_init();
3805 err = nfnetlink_subsys_register(&nf_tables_subsys);
3809 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3810 return register_pernet_subsys(&nf_tables_net_ops);
3812 nf_tables_core_module_exit();
3819 static void __exit nf_tables_module_exit(void)
3821 unregister_pernet_subsys(&nf_tables_net_ops);
3822 nfnetlink_subsys_unregister(&nf_tables_subsys);
3823 nf_tables_core_module_exit();
3827 module_init(nf_tables_module_init);
3828 module_exit(nf_tables_module_exit);
3830 MODULE_LICENSE("GPL");
3831 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3832 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
git.openpandora.org / pandora-kernel.git / blob