2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
54 list_del_rcu(&afi->list);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
104 ctx->portid = NETLINK_CB(skb).portid;
105 ctx->report = nlmsg_report(nlh);
106 ctx->seq = nlh->nlmsg_seq;
109 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
112 struct nft_trans *trans;
114 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
118 trans->msg_type = msg_type;
124 static void nft_trans_destroy(struct nft_trans *trans)
126 list_del(&trans->list);
134 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
135 const struct nlattr *nla)
137 struct nft_table *table;
139 list_for_each_entry(table, &afi->tables, list) {
140 if (!nla_strcmp(nla, table->name))
146 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
147 const struct nlattr *nla)
149 struct nft_table *table;
152 return ERR_PTR(-EINVAL);
154 table = nft_table_lookup(afi, nla);
158 return ERR_PTR(-ENOENT);
161 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
163 return ++table->hgenerator;
166 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
168 static const struct nf_chain_type *
169 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
173 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
174 if (chain_type[family][i] != NULL &&
175 !nla_strcmp(nla, chain_type[family][i]->name))
176 return chain_type[family][i];
181 static const struct nf_chain_type *
182 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
183 const struct nlattr *nla,
186 const struct nf_chain_type *type;
188 type = __nf_tables_chain_type_lookup(afi->family, nla);
191 #ifdef CONFIG_MODULES
193 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
194 request_module("nft-chain-%u-%.*s", afi->family,
195 nla_len(nla), (const char *)nla_data(nla));
196 nfnl_lock(NFNL_SUBSYS_NFTABLES);
197 type = __nf_tables_chain_type_lookup(afi->family, nla);
199 return ERR_PTR(-EAGAIN);
202 return ERR_PTR(-ENOENT);
205 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
206 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
207 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
210 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
211 int event, u32 flags, int family,
212 const struct nft_table *table)
214 struct nlmsghdr *nlh;
215 struct nfgenmsg *nfmsg;
217 event |= NFNL_SUBSYS_NFTABLES << 8;
218 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
220 goto nla_put_failure;
222 nfmsg = nlmsg_data(nlh);
223 nfmsg->nfgen_family = family;
224 nfmsg->version = NFNETLINK_V0;
227 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
228 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
229 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
230 goto nla_put_failure;
232 return nlmsg_end(skb, nlh);
235 nlmsg_trim(skb, nlh);
239 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
245 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
249 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
253 err = nf_tables_fill_table_info(skb, ctx->portid, ctx->seq, event, 0,
254 ctx->afi->family, ctx->table);
260 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
261 ctx->report, GFP_KERNEL);
264 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
270 static int nf_tables_dump_tables(struct sk_buff *skb,
271 struct netlink_callback *cb)
273 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
274 const struct nft_af_info *afi;
275 const struct nft_table *table;
276 unsigned int idx = 0, s_idx = cb->args[0];
277 struct net *net = sock_net(skb->sk);
278 int family = nfmsg->nfgen_family;
281 cb->seq = net->nft.base_seq;
283 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
284 if (family != NFPROTO_UNSPEC && family != afi->family)
287 list_for_each_entry_rcu(table, &afi->tables, list) {
291 memset(&cb->args[1], 0,
292 sizeof(cb->args) - sizeof(cb->args[0]));
293 if (nf_tables_fill_table_info(skb,
294 NETLINK_CB(cb->skb).portid,
298 afi->family, table) < 0)
301 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
312 /* Internal table flags */
313 #define NFT_TABLE_INACTIVE (1 << 15)
315 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
316 const struct nlmsghdr *nlh,
317 const struct nlattr * const nla[])
319 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
320 const struct nft_af_info *afi;
321 const struct nft_table *table;
322 struct sk_buff *skb2;
323 struct net *net = sock_net(skb->sk);
324 int family = nfmsg->nfgen_family;
327 if (nlh->nlmsg_flags & NLM_F_DUMP) {
328 struct netlink_dump_control c = {
329 .dump = nf_tables_dump_tables,
331 return netlink_dump_start(nlsk, skb, nlh, &c);
334 afi = nf_tables_afinfo_lookup(net, family, false);
338 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
340 return PTR_ERR(table);
341 if (table->flags & NFT_TABLE_INACTIVE)
344 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
348 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
349 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
354 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
361 static int nf_tables_table_enable(const struct nft_af_info *afi,
362 struct nft_table *table)
364 struct nft_chain *chain;
367 list_for_each_entry(chain, &table->chains, list) {
368 if (!(chain->flags & NFT_BASE_CHAIN))
371 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
379 list_for_each_entry(chain, &table->chains, list) {
380 if (!(chain->flags & NFT_BASE_CHAIN))
386 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
391 static void nf_tables_table_disable(const struct nft_af_info *afi,
392 struct nft_table *table)
394 struct nft_chain *chain;
396 list_for_each_entry(chain, &table->chains, list) {
397 if (chain->flags & NFT_BASE_CHAIN)
398 nf_unregister_hooks(nft_base_chain(chain)->ops,
403 static int nf_tables_updtable(struct nft_ctx *ctx)
405 struct nft_trans *trans;
409 if (!ctx->nla[NFTA_TABLE_FLAGS])
412 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
413 if (flags & ~NFT_TABLE_F_DORMANT)
416 if (flags == ctx->table->flags)
419 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
420 sizeof(struct nft_trans_table));
424 if ((flags & NFT_TABLE_F_DORMANT) &&
425 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
426 nft_trans_table_enable(trans) = false;
427 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
428 ctx->table->flags & NFT_TABLE_F_DORMANT) {
429 ret = nf_tables_table_enable(ctx->afi, ctx->table);
431 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
432 nft_trans_table_enable(trans) = true;
438 nft_trans_table_update(trans) = true;
439 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
442 nft_trans_destroy(trans);
446 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
448 struct nft_trans *trans;
450 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
454 if (msg_type == NFT_MSG_NEWTABLE)
455 ctx->table->flags |= NFT_TABLE_INACTIVE;
457 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
461 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
462 const struct nlmsghdr *nlh,
463 const struct nlattr * const nla[])
465 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
466 const struct nlattr *name;
467 struct nft_af_info *afi;
468 struct nft_table *table;
469 struct net *net = sock_net(skb->sk);
470 int family = nfmsg->nfgen_family;
475 afi = nf_tables_afinfo_lookup(net, family, true);
479 name = nla[NFTA_TABLE_NAME];
480 table = nf_tables_table_lookup(afi, name);
482 if (PTR_ERR(table) != -ENOENT)
483 return PTR_ERR(table);
488 if (table->flags & NFT_TABLE_INACTIVE)
490 if (nlh->nlmsg_flags & NLM_F_EXCL)
492 if (nlh->nlmsg_flags & NLM_F_REPLACE)
495 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
496 return nf_tables_updtable(&ctx);
499 if (nla[NFTA_TABLE_FLAGS]) {
500 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
501 if (flags & ~NFT_TABLE_F_DORMANT)
505 if (!try_module_get(afi->owner))
506 return -EAFNOSUPPORT;
508 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
510 module_put(afi->owner);
514 nla_strlcpy(table->name, name, nla_len(name));
515 INIT_LIST_HEAD(&table->chains);
516 INIT_LIST_HEAD(&table->sets);
517 table->flags = flags;
519 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
520 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
523 module_put(afi->owner);
526 list_add_tail_rcu(&table->list, &afi->tables);
530 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
531 const struct nlmsghdr *nlh,
532 const struct nlattr * const nla[])
534 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
535 struct nft_af_info *afi;
536 struct nft_table *table;
537 struct net *net = sock_net(skb->sk);
538 int family = nfmsg->nfgen_family, err;
541 afi = nf_tables_afinfo_lookup(net, family, false);
545 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
547 return PTR_ERR(table);
548 if (table->flags & NFT_TABLE_INACTIVE)
553 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
554 err = nft_trans_table_add(&ctx, NFT_MSG_DELTABLE);
558 list_del_rcu(&table->list);
562 static void nf_tables_table_destroy(struct nft_ctx *ctx)
564 BUG_ON(ctx->table->use > 0);
567 module_put(ctx->afi->owner);
570 int nft_register_chain_type(const struct nf_chain_type *ctype)
574 nfnl_lock(NFNL_SUBSYS_NFTABLES);
575 if (chain_type[ctype->family][ctype->type] != NULL) {
579 chain_type[ctype->family][ctype->type] = ctype;
581 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
584 EXPORT_SYMBOL_GPL(nft_register_chain_type);
586 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
588 nfnl_lock(NFNL_SUBSYS_NFTABLES);
589 chain_type[ctype->family][ctype->type] = NULL;
590 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
592 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
598 static struct nft_chain *
599 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
601 struct nft_chain *chain;
603 list_for_each_entry(chain, &table->chains, list) {
604 if (chain->handle == handle)
608 return ERR_PTR(-ENOENT);
611 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
612 const struct nlattr *nla)
614 struct nft_chain *chain;
617 return ERR_PTR(-EINVAL);
619 list_for_each_entry(chain, &table->chains, list) {
620 if (!nla_strcmp(nla, chain->name))
624 return ERR_PTR(-ENOENT);
627 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
628 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
629 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
630 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
631 .len = NFT_CHAIN_MAXNAMELEN - 1 },
632 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
633 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
634 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
635 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
638 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
639 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
640 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
643 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
645 struct nft_stats *cpu_stats, total;
651 memset(&total, 0, sizeof(total));
652 for_each_possible_cpu(cpu) {
653 cpu_stats = per_cpu_ptr(stats, cpu);
655 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
656 pkts = cpu_stats->pkts;
657 bytes = cpu_stats->bytes;
658 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
660 total.bytes += bytes;
662 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
664 goto nla_put_failure;
666 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
667 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
668 goto nla_put_failure;
670 nla_nest_end(skb, nest);
677 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
678 int event, u32 flags, int family,
679 const struct nft_table *table,
680 const struct nft_chain *chain)
682 struct nlmsghdr *nlh;
683 struct nfgenmsg *nfmsg;
685 event |= NFNL_SUBSYS_NFTABLES << 8;
686 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
688 goto nla_put_failure;
690 nfmsg = nlmsg_data(nlh);
691 nfmsg->nfgen_family = family;
692 nfmsg->version = NFNETLINK_V0;
695 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
696 goto nla_put_failure;
697 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
698 goto nla_put_failure;
699 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
700 goto nla_put_failure;
702 if (chain->flags & NFT_BASE_CHAIN) {
703 const struct nft_base_chain *basechain = nft_base_chain(chain);
704 const struct nf_hook_ops *ops = &basechain->ops[0];
707 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
709 goto nla_put_failure;
710 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
711 goto nla_put_failure;
712 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
713 goto nla_put_failure;
714 nla_nest_end(skb, nest);
716 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
717 htonl(basechain->policy)))
718 goto nla_put_failure;
720 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
721 goto nla_put_failure;
723 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
724 goto nla_put_failure;
727 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
728 goto nla_put_failure;
730 return nlmsg_end(skb, nlh);
733 nlmsg_trim(skb, nlh);
737 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
743 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
747 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
751 err = nf_tables_fill_chain_info(skb, ctx->portid, ctx->seq, event, 0,
752 ctx->afi->family, ctx->table,
759 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
760 ctx->report, GFP_KERNEL);
763 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
769 static int nf_tables_dump_chains(struct sk_buff *skb,
770 struct netlink_callback *cb)
772 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
773 const struct nft_af_info *afi;
774 const struct nft_table *table;
775 const struct nft_chain *chain;
776 unsigned int idx = 0, s_idx = cb->args[0];
777 struct net *net = sock_net(skb->sk);
778 int family = nfmsg->nfgen_family;
781 cb->seq = net->nft.base_seq;
783 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
784 if (family != NFPROTO_UNSPEC && family != afi->family)
787 list_for_each_entry_rcu(table, &afi->tables, list) {
788 list_for_each_entry_rcu(chain, &table->chains, list) {
792 memset(&cb->args[1], 0,
793 sizeof(cb->args) - sizeof(cb->args[0]));
794 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
798 afi->family, table, chain) < 0)
801 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
813 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
814 const struct nlmsghdr *nlh,
815 const struct nlattr * const nla[])
817 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
818 const struct nft_af_info *afi;
819 const struct nft_table *table;
820 const struct nft_chain *chain;
821 struct sk_buff *skb2;
822 struct net *net = sock_net(skb->sk);
823 int family = nfmsg->nfgen_family;
826 if (nlh->nlmsg_flags & NLM_F_DUMP) {
827 struct netlink_dump_control c = {
828 .dump = nf_tables_dump_chains,
830 return netlink_dump_start(nlsk, skb, nlh, &c);
833 afi = nf_tables_afinfo_lookup(net, family, false);
837 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
839 return PTR_ERR(table);
840 if (table->flags & NFT_TABLE_INACTIVE)
843 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
845 return PTR_ERR(chain);
846 if (chain->flags & NFT_CHAIN_INACTIVE)
849 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
853 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
854 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
855 family, table, chain);
859 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
866 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
867 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
868 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
871 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
873 struct nlattr *tb[NFTA_COUNTER_MAX+1];
874 struct nft_stats __percpu *newstats;
875 struct nft_stats *stats;
878 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
882 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
883 return ERR_PTR(-EINVAL);
885 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
886 if (newstats == NULL)
887 return ERR_PTR(-ENOMEM);
889 /* Restore old counters on this cpu, no problem. Per-cpu statistics
890 * are not exposed to userspace.
892 stats = this_cpu_ptr(newstats);
893 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
894 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
899 static void nft_chain_stats_replace(struct nft_base_chain *chain,
900 struct nft_stats __percpu *newstats)
902 if (newstats == NULL)
906 struct nft_stats __percpu *oldstats =
907 nft_dereference(chain->stats);
909 rcu_assign_pointer(chain->stats, newstats);
911 free_percpu(oldstats);
913 rcu_assign_pointer(chain->stats, newstats);
916 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
918 struct nft_trans *trans;
920 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
924 if (msg_type == NFT_MSG_NEWCHAIN)
925 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
927 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
931 static void nf_tables_chain_destroy(struct nft_chain *chain)
933 BUG_ON(chain->use > 0);
935 if (chain->flags & NFT_BASE_CHAIN) {
936 module_put(nft_base_chain(chain)->type->owner);
937 free_percpu(nft_base_chain(chain)->stats);
938 kfree(nft_base_chain(chain));
944 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
945 const struct nlmsghdr *nlh,
946 const struct nlattr * const nla[])
948 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
949 const struct nlattr * uninitialized_var(name);
950 struct nft_af_info *afi;
951 struct nft_table *table;
952 struct nft_chain *chain;
953 struct nft_base_chain *basechain = NULL;
954 struct nlattr *ha[NFTA_HOOK_MAX + 1];
955 struct net *net = sock_net(skb->sk);
956 int family = nfmsg->nfgen_family;
957 u8 policy = NF_ACCEPT;
960 struct nft_stats __percpu *stats;
965 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
967 afi = nf_tables_afinfo_lookup(net, family, true);
971 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
973 return PTR_ERR(table);
976 name = nla[NFTA_CHAIN_NAME];
978 if (nla[NFTA_CHAIN_HANDLE]) {
979 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
980 chain = nf_tables_chain_lookup_byhandle(table, handle);
982 return PTR_ERR(chain);
984 chain = nf_tables_chain_lookup(table, name);
986 if (PTR_ERR(chain) != -ENOENT)
987 return PTR_ERR(chain);
992 if (nla[NFTA_CHAIN_POLICY]) {
993 if ((chain != NULL &&
994 !(chain->flags & NFT_BASE_CHAIN)) ||
995 nla[NFTA_CHAIN_HOOK] == NULL)
998 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1008 if (chain != NULL) {
1009 struct nft_stats *stats = NULL;
1010 struct nft_trans *trans;
1012 if (chain->flags & NFT_CHAIN_INACTIVE)
1014 if (nlh->nlmsg_flags & NLM_F_EXCL)
1016 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1019 if (nla[NFTA_CHAIN_HANDLE] && name &&
1020 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1023 if (nla[NFTA_CHAIN_COUNTERS]) {
1024 if (!(chain->flags & NFT_BASE_CHAIN))
1027 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1029 return PTR_ERR(stats);
1032 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1033 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1034 sizeof(struct nft_trans_chain));
1038 nft_trans_chain_stats(trans) = stats;
1039 nft_trans_chain_update(trans) = true;
1041 if (nla[NFTA_CHAIN_POLICY])
1042 nft_trans_chain_policy(trans) = policy;
1044 nft_trans_chain_policy(trans) = -1;
1046 if (nla[NFTA_CHAIN_HANDLE] && name) {
1047 nla_strlcpy(nft_trans_chain_name(trans), name,
1048 NFT_CHAIN_MAXNAMELEN);
1050 list_add_tail(&trans->list, &net->nft.commit_list);
1054 if (table->use == UINT_MAX)
1057 if (nla[NFTA_CHAIN_HOOK]) {
1058 const struct nf_chain_type *type;
1059 struct nf_hook_ops *ops;
1061 u32 hooknum, priority;
1063 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1064 if (nla[NFTA_CHAIN_TYPE]) {
1065 type = nf_tables_chain_type_lookup(afi,
1066 nla[NFTA_CHAIN_TYPE],
1069 return PTR_ERR(type);
1072 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1076 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1077 ha[NFTA_HOOK_PRIORITY] == NULL)
1080 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1081 if (hooknum >= afi->nhooks)
1083 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1085 if (!(type->hook_mask & (1 << hooknum)))
1087 if (!try_module_get(type->owner))
1089 hookfn = type->hooks[hooknum];
1091 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1092 if (basechain == NULL)
1095 if (nla[NFTA_CHAIN_COUNTERS]) {
1096 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1097 if (IS_ERR(stats)) {
1098 module_put(type->owner);
1100 return PTR_ERR(stats);
1102 basechain->stats = stats;
1104 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1105 if (IS_ERR(stats)) {
1106 module_put(type->owner);
1108 return PTR_ERR(stats);
1110 rcu_assign_pointer(basechain->stats, stats);
1113 basechain->type = type;
1114 chain = &basechain->chain;
1116 for (i = 0; i < afi->nops; i++) {
1117 ops = &basechain->ops[i];
1119 ops->owner = afi->owner;
1120 ops->hooknum = hooknum;
1121 ops->priority = priority;
1123 ops->hook = afi->hooks[ops->hooknum];
1126 if (afi->hook_ops_init)
1127 afi->hook_ops_init(ops, i);
1130 chain->flags |= NFT_BASE_CHAIN;
1131 basechain->policy = policy;
1133 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1138 INIT_LIST_HEAD(&chain->rules);
1139 chain->handle = nf_tables_alloc_handle(table);
1141 chain->table = table;
1142 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1144 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1145 chain->flags & NFT_BASE_CHAIN) {
1146 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1151 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1152 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1157 list_add_tail_rcu(&chain->list, &table->chains);
1160 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1161 chain->flags & NFT_BASE_CHAIN) {
1162 nf_unregister_hooks(nft_base_chain(chain)->ops,
1166 nf_tables_chain_destroy(chain);
1170 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1171 const struct nlmsghdr *nlh,
1172 const struct nlattr * const nla[])
1174 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1175 struct nft_af_info *afi;
1176 struct nft_table *table;
1177 struct nft_chain *chain;
1178 struct net *net = sock_net(skb->sk);
1179 int family = nfmsg->nfgen_family;
1183 afi = nf_tables_afinfo_lookup(net, family, false);
1185 return PTR_ERR(afi);
1187 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1189 return PTR_ERR(table);
1190 if (table->flags & NFT_TABLE_INACTIVE)
1193 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1195 return PTR_ERR(chain);
1196 if (chain->flags & NFT_CHAIN_INACTIVE)
1201 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1202 err = nft_trans_chain_add(&ctx, NFT_MSG_DELCHAIN);
1207 list_del_rcu(&chain->list);
1216 * nft_register_expr - register nf_tables expr type
1219 * Registers the expr type for use with nf_tables. Returns zero on
1220 * success or a negative errno code otherwise.
1222 int nft_register_expr(struct nft_expr_type *type)
1224 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1225 if (type->family == NFPROTO_UNSPEC)
1226 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1228 list_add_rcu(&type->list, &nf_tables_expressions);
1229 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1232 EXPORT_SYMBOL_GPL(nft_register_expr);
1235 * nft_unregister_expr - unregister nf_tables expr type
1238 * Unregisters the expr typefor use with nf_tables.
1240 void nft_unregister_expr(struct nft_expr_type *type)
1242 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1243 list_del_rcu(&type->list);
1244 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1246 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1248 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1251 const struct nft_expr_type *type;
1253 list_for_each_entry(type, &nf_tables_expressions, list) {
1254 if (!nla_strcmp(nla, type->name) &&
1255 (!type->family || type->family == family))
1261 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1264 const struct nft_expr_type *type;
1267 return ERR_PTR(-EINVAL);
1269 type = __nft_expr_type_get(family, nla);
1270 if (type != NULL && try_module_get(type->owner))
1273 #ifdef CONFIG_MODULES
1275 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1276 request_module("nft-expr-%u-%.*s", family,
1277 nla_len(nla), (char *)nla_data(nla));
1278 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1279 if (__nft_expr_type_get(family, nla))
1280 return ERR_PTR(-EAGAIN);
1282 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1283 request_module("nft-expr-%.*s",
1284 nla_len(nla), (char *)nla_data(nla));
1285 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1286 if (__nft_expr_type_get(family, nla))
1287 return ERR_PTR(-EAGAIN);
1290 return ERR_PTR(-ENOENT);
1293 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1294 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1295 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1298 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1299 const struct nft_expr *expr)
1301 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1302 goto nla_put_failure;
1304 if (expr->ops->dump) {
1305 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1307 goto nla_put_failure;
1308 if (expr->ops->dump(skb, expr) < 0)
1309 goto nla_put_failure;
1310 nla_nest_end(skb, data);
1319 struct nft_expr_info {
1320 const struct nft_expr_ops *ops;
1321 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1324 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1325 const struct nlattr *nla,
1326 struct nft_expr_info *info)
1328 const struct nft_expr_type *type;
1329 const struct nft_expr_ops *ops;
1330 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1333 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1337 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1339 return PTR_ERR(type);
1341 if (tb[NFTA_EXPR_DATA]) {
1342 err = nla_parse_nested(info->tb, type->maxattr,
1343 tb[NFTA_EXPR_DATA], type->policy);
1347 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1349 if (type->select_ops != NULL) {
1350 ops = type->select_ops(ctx,
1351 (const struct nlattr * const *)info->tb);
1363 module_put(type->owner);
1367 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1368 const struct nft_expr_info *info,
1369 struct nft_expr *expr)
1371 const struct nft_expr_ops *ops = info->ops;
1376 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1388 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1389 struct nft_expr *expr)
1391 if (expr->ops->destroy)
1392 expr->ops->destroy(ctx, expr);
1393 module_put(expr->ops->type->owner);
1400 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1403 struct nft_rule *rule;
1405 // FIXME: this sucks
1406 list_for_each_entry(rule, &chain->rules, list) {
1407 if (handle == rule->handle)
1411 return ERR_PTR(-ENOENT);
1414 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1415 const struct nlattr *nla)
1418 return ERR_PTR(-EINVAL);
1420 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1423 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1424 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1425 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1426 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1427 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1428 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1429 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1430 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1431 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1432 .len = NFT_USERDATA_MAXLEN },
1435 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1436 int event, u32 flags, int family,
1437 const struct nft_table *table,
1438 const struct nft_chain *chain,
1439 const struct nft_rule *rule)
1441 struct nlmsghdr *nlh;
1442 struct nfgenmsg *nfmsg;
1443 const struct nft_expr *expr, *next;
1444 struct nlattr *list;
1445 const struct nft_rule *prule;
1446 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1448 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1451 goto nla_put_failure;
1453 nfmsg = nlmsg_data(nlh);
1454 nfmsg->nfgen_family = family;
1455 nfmsg->version = NFNETLINK_V0;
1458 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1459 goto nla_put_failure;
1460 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1461 goto nla_put_failure;
1462 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1463 goto nla_put_failure;
1465 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1466 prule = list_entry(rule->list.prev, struct nft_rule, list);
1467 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1468 cpu_to_be64(prule->handle)))
1469 goto nla_put_failure;
1472 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1474 goto nla_put_failure;
1475 nft_rule_for_each_expr(expr, next, rule) {
1476 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1478 goto nla_put_failure;
1479 if (nf_tables_fill_expr_info(skb, expr) < 0)
1480 goto nla_put_failure;
1481 nla_nest_end(skb, elem);
1483 nla_nest_end(skb, list);
1486 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1487 goto nla_put_failure;
1489 return nlmsg_end(skb, nlh);
1492 nlmsg_trim(skb, nlh);
1496 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1497 const struct nft_rule *rule,
1500 struct sk_buff *skb;
1504 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1508 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1512 err = nf_tables_fill_rule_info(skb, ctx->portid, ctx->seq, event, 0,
1513 ctx->afi->family, ctx->table,
1520 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1521 ctx->report, GFP_KERNEL);
1524 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1531 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1533 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1536 static inline int gencursor_next(struct net *net)
1538 return net->nft.gencursor+1 == 1 ? 1 : 0;
1542 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1544 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1548 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1550 /* Now inactive, will be active in the future */
1551 rule->genmask = (1 << net->nft.gencursor);
1555 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1557 rule->genmask = (1 << gencursor_next(net));
1560 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1565 static int nf_tables_dump_rules(struct sk_buff *skb,
1566 struct netlink_callback *cb)
1568 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1569 const struct nft_af_info *afi;
1570 const struct nft_table *table;
1571 const struct nft_chain *chain;
1572 const struct nft_rule *rule;
1573 unsigned int idx = 0, s_idx = cb->args[0];
1574 struct net *net = sock_net(skb->sk);
1575 int family = nfmsg->nfgen_family;
1578 cb->seq = net->nft.base_seq;
1580 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1581 if (family != NFPROTO_UNSPEC && family != afi->family)
1584 list_for_each_entry_rcu(table, &afi->tables, list) {
1585 list_for_each_entry_rcu(chain, &table->chains, list) {
1586 list_for_each_entry_rcu(rule, &chain->rules, list) {
1587 if (!nft_rule_is_active(net, rule))
1592 memset(&cb->args[1], 0,
1593 sizeof(cb->args) - sizeof(cb->args[0]));
1594 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1597 NLM_F_MULTI | NLM_F_APPEND,
1598 afi->family, table, chain, rule) < 0)
1601 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1615 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1616 const struct nlmsghdr *nlh,
1617 const struct nlattr * const nla[])
1619 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1620 const struct nft_af_info *afi;
1621 const struct nft_table *table;
1622 const struct nft_chain *chain;
1623 const struct nft_rule *rule;
1624 struct sk_buff *skb2;
1625 struct net *net = sock_net(skb->sk);
1626 int family = nfmsg->nfgen_family;
1629 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1630 struct netlink_dump_control c = {
1631 .dump = nf_tables_dump_rules,
1633 return netlink_dump_start(nlsk, skb, nlh, &c);
1636 afi = nf_tables_afinfo_lookup(net, family, false);
1638 return PTR_ERR(afi);
1640 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1642 return PTR_ERR(table);
1643 if (table->flags & NFT_TABLE_INACTIVE)
1646 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1648 return PTR_ERR(chain);
1649 if (chain->flags & NFT_CHAIN_INACTIVE)
1652 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1654 return PTR_ERR(rule);
1656 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1660 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1661 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1662 family, table, chain, rule);
1666 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1673 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1674 struct nft_rule *rule)
1676 struct nft_expr *expr;
1679 * Careful: some expressions might not be initialized in case this
1680 * is called on error from nf_tables_newrule().
1682 expr = nft_expr_first(rule);
1683 while (expr->ops && expr != nft_expr_last(rule)) {
1684 nf_tables_expr_destroy(ctx, expr);
1685 expr = nft_expr_next(expr);
1690 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
1691 struct nft_rule *rule)
1693 struct nft_trans *trans;
1695 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
1699 nft_trans_rule(trans) = rule;
1700 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1705 #define NFT_RULE_MAXEXPRS 128
1707 static struct nft_expr_info *info;
1709 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1710 const struct nlmsghdr *nlh,
1711 const struct nlattr * const nla[])
1713 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1714 struct nft_af_info *afi;
1715 struct net *net = sock_net(skb->sk);
1716 struct nft_table *table;
1717 struct nft_chain *chain;
1718 struct nft_rule *rule, *old_rule = NULL;
1719 struct nft_trans *trans = NULL;
1720 struct nft_expr *expr;
1723 unsigned int size, i, n, ulen = 0;
1726 u64 handle, pos_handle;
1728 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1730 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1732 return PTR_ERR(afi);
1734 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1736 return PTR_ERR(table);
1738 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1740 return PTR_ERR(chain);
1742 if (nla[NFTA_RULE_HANDLE]) {
1743 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1744 rule = __nf_tables_rule_lookup(chain, handle);
1746 return PTR_ERR(rule);
1748 if (nlh->nlmsg_flags & NLM_F_EXCL)
1750 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1755 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1757 handle = nf_tables_alloc_handle(table);
1759 if (chain->use == UINT_MAX)
1763 if (nla[NFTA_RULE_POSITION]) {
1764 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1767 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1768 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1769 if (IS_ERR(old_rule))
1770 return PTR_ERR(old_rule);
1773 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1777 if (nla[NFTA_RULE_EXPRESSIONS]) {
1778 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1780 if (nla_type(tmp) != NFTA_LIST_ELEM)
1782 if (n == NFT_RULE_MAXEXPRS)
1784 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1787 size += info[n].ops->size;
1792 if (nla[NFTA_RULE_USERDATA])
1793 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1796 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1800 nft_rule_activate_next(net, rule);
1802 rule->handle = handle;
1807 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1809 expr = nft_expr_first(rule);
1810 for (i = 0; i < n; i++) {
1811 err = nf_tables_newexpr(&ctx, &info[i], expr);
1815 expr = nft_expr_next(expr);
1818 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1819 if (nft_rule_is_active_next(net, old_rule)) {
1820 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
1822 if (trans == NULL) {
1826 nft_rule_disactivate_next(net, old_rule);
1828 list_add_tail_rcu(&rule->list, &old_rule->list);
1833 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1835 list_add_rcu(&rule->list, &old_rule->list);
1837 list_add_tail_rcu(&rule->list, &chain->rules);
1840 list_add_tail_rcu(&rule->list, &old_rule->list);
1842 list_add_rcu(&rule->list, &chain->rules);
1845 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
1853 list_del_rcu(&rule->list);
1855 list_del_rcu(&nft_trans_rule(trans)->list);
1856 nft_rule_clear(net, nft_trans_rule(trans));
1857 nft_trans_destroy(trans);
1861 nf_tables_rule_destroy(&ctx, rule);
1863 for (i = 0; i < n; i++) {
1864 if (info[i].ops != NULL)
1865 module_put(info[i].ops->type->owner);
1871 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1873 /* You cannot delete the same rule twice */
1874 if (nft_rule_is_active_next(ctx->net, rule)) {
1875 if (nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule) == NULL)
1877 nft_rule_disactivate_next(ctx->net, rule);
1884 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1886 struct nft_rule *rule;
1889 list_for_each_entry(rule, &ctx->chain->rules, list) {
1890 err = nf_tables_delrule_one(ctx, rule);
1897 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1898 const struct nlmsghdr *nlh,
1899 const struct nlattr * const nla[])
1901 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1902 struct nft_af_info *afi;
1903 struct net *net = sock_net(skb->sk);
1904 struct nft_table *table;
1905 struct nft_chain *chain = NULL;
1906 struct nft_rule *rule;
1907 int family = nfmsg->nfgen_family, err = 0;
1910 afi = nf_tables_afinfo_lookup(net, family, false);
1912 return PTR_ERR(afi);
1914 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1916 return PTR_ERR(table);
1917 if (table->flags & NFT_TABLE_INACTIVE)
1920 if (nla[NFTA_RULE_CHAIN]) {
1921 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1923 return PTR_ERR(chain);
1926 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1929 if (nla[NFTA_RULE_HANDLE]) {
1930 rule = nf_tables_rule_lookup(chain,
1931 nla[NFTA_RULE_HANDLE]);
1933 return PTR_ERR(rule);
1935 err = nf_tables_delrule_one(&ctx, rule);
1937 err = nf_table_delrule_by_chain(&ctx);
1940 list_for_each_entry(chain, &table->chains, list) {
1942 err = nf_table_delrule_by_chain(&ctx);
1955 static LIST_HEAD(nf_tables_set_ops);
1957 int nft_register_set(struct nft_set_ops *ops)
1959 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1960 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
1961 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1964 EXPORT_SYMBOL_GPL(nft_register_set);
1966 void nft_unregister_set(struct nft_set_ops *ops)
1968 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1969 list_del_rcu(&ops->list);
1970 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1972 EXPORT_SYMBOL_GPL(nft_unregister_set);
1975 * Select a set implementation based on the data characteristics and the
1976 * given policy. The total memory use might not be known if no size is
1977 * given, in that case the amount of memory per element is used.
1979 static const struct nft_set_ops *
1980 nft_select_set_ops(const struct nlattr * const nla[],
1981 const struct nft_set_desc *desc,
1982 enum nft_set_policies policy)
1984 const struct nft_set_ops *ops, *bops;
1985 struct nft_set_estimate est, best;
1988 #ifdef CONFIG_MODULES
1989 if (list_empty(&nf_tables_set_ops)) {
1990 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1991 request_module("nft-set");
1992 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1993 if (!list_empty(&nf_tables_set_ops))
1994 return ERR_PTR(-EAGAIN);
1998 if (nla[NFTA_SET_FLAGS] != NULL) {
1999 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2000 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
2007 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2008 if ((ops->features & features) != features)
2010 if (!ops->estimate(desc, features, &est))
2014 case NFT_SET_POL_PERFORMANCE:
2015 if (est.class < best.class)
2017 if (est.class == best.class && est.size < best.size)
2020 case NFT_SET_POL_MEMORY:
2021 if (est.size < best.size)
2023 if (est.size == best.size && est.class < best.class)
2030 if (!try_module_get(ops->owner))
2033 module_put(bops->owner);
2042 return ERR_PTR(-EOPNOTSUPP);
2045 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2046 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2047 [NFTA_SET_NAME] = { .type = NLA_STRING,
2048 .len = IFNAMSIZ - 1 },
2049 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2050 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2051 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2052 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2053 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2054 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2055 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2056 [NFTA_SET_ID] = { .type = NLA_U32 },
2059 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2060 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2063 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
2064 const struct sk_buff *skb,
2065 const struct nlmsghdr *nlh,
2066 const struct nlattr * const nla[])
2068 struct net *net = sock_net(skb->sk);
2069 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2070 struct nft_af_info *afi = NULL;
2071 struct nft_table *table = NULL;
2073 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2074 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2076 return PTR_ERR(afi);
2079 if (nla[NFTA_SET_TABLE] != NULL) {
2081 return -EAFNOSUPPORT;
2083 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2085 return PTR_ERR(table);
2086 if (table->flags & NFT_TABLE_INACTIVE)
2090 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2094 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2095 const struct nlattr *nla)
2097 struct nft_set *set;
2100 return ERR_PTR(-EINVAL);
2102 list_for_each_entry(set, &table->sets, list) {
2103 if (!nla_strcmp(nla, set->name))
2106 return ERR_PTR(-ENOENT);
2109 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2110 const struct nlattr *nla)
2112 struct nft_trans *trans;
2113 u32 id = ntohl(nla_get_be32(nla));
2115 list_for_each_entry(trans, &net->nft.commit_list, list) {
2116 if (trans->msg_type == NFT_MSG_NEWSET &&
2117 id == nft_trans_set_id(trans))
2118 return nft_trans_set(trans);
2120 return ERR_PTR(-ENOENT);
2123 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2126 const struct nft_set *i;
2128 unsigned long *inuse;
2129 unsigned int n = 0, min = 0;
2131 p = strnchr(name, IFNAMSIZ, '%');
2133 if (p[1] != 'd' || strchr(p + 2, '%'))
2136 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2140 list_for_each_entry(i, &ctx->table->sets, list) {
2143 if (!sscanf(i->name, name, &tmp))
2145 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2148 set_bit(tmp - min, inuse);
2151 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2152 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2153 min += BITS_PER_BYTE * PAGE_SIZE;
2154 memset(inuse, 0, PAGE_SIZE);
2157 free_page((unsigned long)inuse);
2160 snprintf(set->name, sizeof(set->name), name, min + n);
2161 list_for_each_entry(i, &ctx->table->sets, list) {
2162 if (!strcmp(set->name, i->name))
2168 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2169 const struct nft_set *set, u16 event, u16 flags)
2171 struct nfgenmsg *nfmsg;
2172 struct nlmsghdr *nlh;
2173 struct nlattr *desc;
2174 u32 portid = ctx->portid;
2177 event |= NFNL_SUBSYS_NFTABLES << 8;
2178 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2181 goto nla_put_failure;
2183 nfmsg = nlmsg_data(nlh);
2184 nfmsg->nfgen_family = ctx->afi->family;
2185 nfmsg->version = NFNETLINK_V0;
2188 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2189 goto nla_put_failure;
2190 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2191 goto nla_put_failure;
2192 if (set->flags != 0)
2193 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2194 goto nla_put_failure;
2196 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2197 goto nla_put_failure;
2198 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2199 goto nla_put_failure;
2200 if (set->flags & NFT_SET_MAP) {
2201 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2202 goto nla_put_failure;
2203 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2204 goto nla_put_failure;
2207 desc = nla_nest_start(skb, NFTA_SET_DESC);
2209 goto nla_put_failure;
2211 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2212 goto nla_put_failure;
2213 nla_nest_end(skb, desc);
2215 return nlmsg_end(skb, nlh);
2218 nlmsg_trim(skb, nlh);
2222 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2223 const struct nft_set *set,
2224 int event, gfp_t gfp_flags)
2226 struct sk_buff *skb;
2227 u32 portid = ctx->portid;
2231 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2235 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2239 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2245 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2246 ctx->report, gfp_flags);
2249 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2253 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2255 const struct nft_set *set;
2256 unsigned int idx, s_idx = cb->args[0];
2257 struct nft_af_info *afi;
2258 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2259 struct net *net = sock_net(skb->sk);
2260 int cur_family = cb->args[3];
2261 struct nft_ctx *ctx = cb->data, ctx_set;
2267 cb->seq = net->nft.base_seq;
2269 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2270 if (ctx->afi && ctx->afi != afi)
2274 if (afi->family != cur_family)
2279 list_for_each_entry_rcu(table, &afi->tables, list) {
2280 if (ctx->table && ctx->table != table)
2284 if (cur_table != table)
2290 list_for_each_entry_rcu(set, &table->sets, list) {
2295 ctx_set.table = table;
2297 if (nf_tables_fill_set(skb, &ctx_set, set,
2301 cb->args[2] = (unsigned long) table;
2302 cb->args[3] = afi->family;
2305 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2319 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2325 #define NFT_SET_INACTIVE (1 << 15) /* Internal set flag */
2327 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2328 const struct nlmsghdr *nlh,
2329 const struct nlattr * const nla[])
2331 const struct nft_set *set;
2333 struct sk_buff *skb2;
2334 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2337 /* Verify existance before starting dump */
2338 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2342 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2343 struct netlink_dump_control c = {
2344 .dump = nf_tables_dump_sets,
2345 .done = nf_tables_dump_sets_done,
2347 struct nft_ctx *ctx_dump;
2349 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2350 if (ctx_dump == NULL)
2356 return netlink_dump_start(nlsk, skb, nlh, &c);
2359 /* Only accept unspec with dump */
2360 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2361 return -EAFNOSUPPORT;
2363 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2365 return PTR_ERR(set);
2366 if (set->flags & NFT_SET_INACTIVE)
2369 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2373 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2377 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2384 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2385 struct nft_set_desc *desc,
2386 const struct nlattr *nla)
2388 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2391 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2395 if (da[NFTA_SET_DESC_SIZE] != NULL)
2396 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2401 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
2402 struct nft_set *set)
2404 struct nft_trans *trans;
2406 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
2410 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
2411 nft_trans_set_id(trans) =
2412 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
2413 set->flags |= NFT_SET_INACTIVE;
2415 nft_trans_set(trans) = set;
2416 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2421 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2422 const struct nlmsghdr *nlh,
2423 const struct nlattr * const nla[])
2425 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2426 const struct nft_set_ops *ops;
2427 struct nft_af_info *afi;
2428 struct net *net = sock_net(skb->sk);
2429 struct nft_table *table;
2430 struct nft_set *set;
2432 char name[IFNAMSIZ];
2435 u32 ktype, dtype, flags, policy;
2436 struct nft_set_desc desc;
2439 if (nla[NFTA_SET_TABLE] == NULL ||
2440 nla[NFTA_SET_NAME] == NULL ||
2441 nla[NFTA_SET_KEY_LEN] == NULL ||
2442 nla[NFTA_SET_ID] == NULL)
2445 memset(&desc, 0, sizeof(desc));
2447 ktype = NFT_DATA_VALUE;
2448 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2449 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2450 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2454 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2455 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2459 if (nla[NFTA_SET_FLAGS] != NULL) {
2460 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2461 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2462 NFT_SET_INTERVAL | NFT_SET_MAP))
2467 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2468 if (!(flags & NFT_SET_MAP))
2471 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2472 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2473 dtype != NFT_DATA_VERDICT)
2476 if (dtype != NFT_DATA_VERDICT) {
2477 if (nla[NFTA_SET_DATA_LEN] == NULL)
2479 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2480 if (desc.dlen == 0 ||
2481 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2484 desc.dlen = sizeof(struct nft_data);
2485 } else if (flags & NFT_SET_MAP)
2488 policy = NFT_SET_POL_PERFORMANCE;
2489 if (nla[NFTA_SET_POLICY] != NULL)
2490 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2492 if (nla[NFTA_SET_DESC] != NULL) {
2493 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2498 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2500 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2502 return PTR_ERR(afi);
2504 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2506 return PTR_ERR(table);
2508 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2510 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2512 if (PTR_ERR(set) != -ENOENT)
2513 return PTR_ERR(set);
2518 if (nlh->nlmsg_flags & NLM_F_EXCL)
2520 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2525 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2528 ops = nft_select_set_ops(nla, &desc, policy);
2530 return PTR_ERR(ops);
2533 if (ops->privsize != NULL)
2534 size = ops->privsize(nla);
2537 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2541 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2542 err = nf_tables_set_alloc_name(&ctx, set, name);
2546 INIT_LIST_HEAD(&set->bindings);
2549 set->klen = desc.klen;
2551 set->dlen = desc.dlen;
2553 set->size = desc.size;
2555 err = ops->init(set, &desc, nla);
2559 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2563 list_add_tail_rcu(&set->list, &table->sets);
2570 module_put(ops->owner);
2574 static void nft_set_destroy(struct nft_set *set)
2576 set->ops->destroy(set);
2577 module_put(set->ops->owner);
2581 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2583 list_del_rcu(&set->list);
2584 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2585 nft_set_destroy(set);
2588 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2589 const struct nlmsghdr *nlh,
2590 const struct nlattr * const nla[])
2592 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2593 struct nft_set *set;
2597 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2598 return -EAFNOSUPPORT;
2599 if (nla[NFTA_SET_TABLE] == NULL)
2602 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2606 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2608 return PTR_ERR(set);
2609 if (set->flags & NFT_SET_INACTIVE)
2611 if (!list_empty(&set->bindings))
2614 err = nft_trans_set_add(&ctx, NFT_MSG_DELSET, set);
2618 list_del_rcu(&set->list);
2623 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2624 const struct nft_set *set,
2625 const struct nft_set_iter *iter,
2626 const struct nft_set_elem *elem)
2628 enum nft_registers dreg;
2630 dreg = nft_type_to_reg(set->dtype);
2631 return nft_validate_data_load(ctx, dreg, &elem->data,
2632 set->dtype == NFT_DATA_VERDICT ?
2633 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2636 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2637 struct nft_set_binding *binding)
2639 struct nft_set_binding *i;
2640 struct nft_set_iter iter;
2642 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2645 if (set->flags & NFT_SET_MAP) {
2646 /* If the set is already bound to the same chain all
2647 * jumps are already validated for that chain.
2649 list_for_each_entry(i, &set->bindings, list) {
2650 if (i->chain == binding->chain)
2657 iter.fn = nf_tables_bind_check_setelem;
2659 set->ops->walk(ctx, set, &iter);
2661 /* Destroy anonymous sets if binding fails */
2662 if (set->flags & NFT_SET_ANONYMOUS)
2663 nf_tables_set_destroy(ctx, set);
2669 binding->chain = ctx->chain;
2670 list_add_tail_rcu(&binding->list, &set->bindings);
2674 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2675 struct nft_set_binding *binding)
2677 list_del_rcu(&binding->list);
2679 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2680 !(set->flags & NFT_SET_INACTIVE))
2681 nf_tables_set_destroy(ctx, set);
2688 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2689 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2690 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2691 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2694 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2695 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2696 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2697 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2698 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
2701 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2702 const struct sk_buff *skb,
2703 const struct nlmsghdr *nlh,
2704 const struct nlattr * const nla[],
2707 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2708 struct nft_af_info *afi;
2709 struct nft_table *table;
2710 struct net *net = sock_net(skb->sk);
2712 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2714 return PTR_ERR(afi);
2716 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2718 return PTR_ERR(table);
2719 if (!trans && (table->flags & NFT_TABLE_INACTIVE))
2722 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2726 static int nf_tables_fill_setelem(struct sk_buff *skb,
2727 const struct nft_set *set,
2728 const struct nft_set_elem *elem)
2730 unsigned char *b = skb_tail_pointer(skb);
2731 struct nlattr *nest;
2733 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2735 goto nla_put_failure;
2737 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2739 goto nla_put_failure;
2741 if (set->flags & NFT_SET_MAP &&
2742 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2743 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2744 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2746 goto nla_put_failure;
2748 if (elem->flags != 0)
2749 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2750 goto nla_put_failure;
2752 nla_nest_end(skb, nest);
2760 struct nft_set_dump_args {
2761 const struct netlink_callback *cb;
2762 struct nft_set_iter iter;
2763 struct sk_buff *skb;
2766 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2767 const struct nft_set *set,
2768 const struct nft_set_iter *iter,
2769 const struct nft_set_elem *elem)
2771 struct nft_set_dump_args *args;
2773 args = container_of(iter, struct nft_set_dump_args, iter);
2774 return nf_tables_fill_setelem(args->skb, set, elem);
2777 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2779 const struct nft_set *set;
2780 struct nft_set_dump_args args;
2782 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2783 struct nfgenmsg *nfmsg;
2784 struct nlmsghdr *nlh;
2785 struct nlattr *nest;
2789 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2790 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2794 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
2799 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2801 return PTR_ERR(set);
2802 if (set->flags & NFT_SET_INACTIVE)
2805 event = NFT_MSG_NEWSETELEM;
2806 event |= NFNL_SUBSYS_NFTABLES << 8;
2807 portid = NETLINK_CB(cb->skb).portid;
2808 seq = cb->nlh->nlmsg_seq;
2810 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2813 goto nla_put_failure;
2815 nfmsg = nlmsg_data(nlh);
2816 nfmsg->nfgen_family = ctx.afi->family;
2817 nfmsg->version = NFNETLINK_V0;
2820 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2821 goto nla_put_failure;
2822 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2823 goto nla_put_failure;
2825 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2827 goto nla_put_failure;
2831 args.iter.skip = cb->args[0];
2832 args.iter.count = 0;
2834 args.iter.fn = nf_tables_dump_setelem;
2835 set->ops->walk(&ctx, set, &args.iter);
2837 nla_nest_end(skb, nest);
2838 nlmsg_end(skb, nlh);
2840 if (args.iter.err && args.iter.err != -EMSGSIZE)
2841 return args.iter.err;
2842 if (args.iter.count == cb->args[0])
2845 cb->args[0] = args.iter.count;
2852 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2853 const struct nlmsghdr *nlh,
2854 const struct nlattr * const nla[])
2856 const struct nft_set *set;
2860 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
2864 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2866 return PTR_ERR(set);
2867 if (set->flags & NFT_SET_INACTIVE)
2870 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2871 struct netlink_dump_control c = {
2872 .dump = nf_tables_dump_set,
2874 return netlink_dump_start(nlsk, skb, nlh, &c);
2879 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
2880 const struct nft_ctx *ctx, u32 seq,
2881 u32 portid, int event, u16 flags,
2882 const struct nft_set *set,
2883 const struct nft_set_elem *elem)
2885 struct nfgenmsg *nfmsg;
2886 struct nlmsghdr *nlh;
2887 struct nlattr *nest;
2890 event |= NFNL_SUBSYS_NFTABLES << 8;
2891 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2894 goto nla_put_failure;
2896 nfmsg = nlmsg_data(nlh);
2897 nfmsg->nfgen_family = ctx->afi->family;
2898 nfmsg->version = NFNETLINK_V0;
2901 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2902 goto nla_put_failure;
2903 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2904 goto nla_put_failure;
2906 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2908 goto nla_put_failure;
2910 err = nf_tables_fill_setelem(skb, set, elem);
2912 goto nla_put_failure;
2914 nla_nest_end(skb, nest);
2916 return nlmsg_end(skb, nlh);
2919 nlmsg_trim(skb, nlh);
2923 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
2924 const struct nft_set *set,
2925 const struct nft_set_elem *elem,
2926 int event, u16 flags)
2928 struct net *net = ctx->net;
2929 u32 portid = ctx->portid;
2930 struct sk_buff *skb;
2933 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
2937 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2941 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
2948 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
2952 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
2956 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
2958 struct nft_set *set)
2960 struct nft_trans *trans;
2962 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
2966 nft_trans_elem_set(trans) = set;
2970 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
2971 const struct nlattr *attr)
2973 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2974 struct nft_data_desc d1, d2;
2975 struct nft_set_elem elem;
2976 struct nft_set_binding *binding;
2977 enum nft_registers dreg;
2978 struct nft_trans *trans;
2981 if (set->size && set->nelems == set->size)
2984 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2985 nft_set_elem_policy);
2989 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2993 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2994 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2995 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2999 if (set->flags & NFT_SET_MAP) {
3000 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3001 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
3003 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3004 elem.flags & NFT_SET_ELEM_INTERVAL_END)
3007 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3011 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
3015 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3019 if (set->ops->get(set, &elem) == 0)
3022 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3023 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
3028 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3031 dreg = nft_type_to_reg(set->dtype);
3032 list_for_each_entry(binding, &set->bindings, list) {
3033 struct nft_ctx bind_ctx = {
3035 .table = ctx->table,
3036 .chain = (struct nft_chain *)binding->chain,
3039 err = nft_validate_data_load(&bind_ctx, dreg,
3040 &elem.data, d2.type);
3046 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3050 err = set->ops->insert(set, &elem);
3054 nft_trans_elem(trans) = elem;
3055 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3061 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3062 nft_data_uninit(&elem.data, d2.type);
3064 nft_data_uninit(&elem.key, d1.type);
3069 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
3070 const struct nlmsghdr *nlh,
3071 const struct nlattr * const nla[])
3073 struct net *net = sock_net(skb->sk);
3074 const struct nlattr *attr;
3075 struct nft_set *set;
3079 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3082 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
3086 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3088 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3089 set = nf_tables_set_lookup_byid(net,
3090 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3093 return PTR_ERR(set);
3096 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3099 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3100 err = nft_add_set_elem(&ctx, set, attr);
3109 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3110 const struct nlattr *attr)
3112 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3113 struct nft_data_desc desc;
3114 struct nft_set_elem elem;
3115 struct nft_trans *trans;
3118 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3119 nft_set_elem_policy);
3124 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3127 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
3132 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3135 err = set->ops->get(set, &elem);
3139 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3140 if (trans == NULL) {
3145 nft_trans_elem(trans) = elem;
3146 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3149 nft_data_uninit(&elem.key, desc.type);
3154 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3155 const struct nlmsghdr *nlh,
3156 const struct nlattr * const nla[])
3158 const struct nlattr *attr;
3159 struct nft_set *set;
3163 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3166 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
3170 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3172 return PTR_ERR(set);
3173 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3176 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3177 err = nft_del_setelem(&ctx, set, attr);
3186 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3187 [NFT_MSG_NEWTABLE] = {
3188 .call_batch = nf_tables_newtable,
3189 .attr_count = NFTA_TABLE_MAX,
3190 .policy = nft_table_policy,
3192 [NFT_MSG_GETTABLE] = {
3193 .call = nf_tables_gettable,
3194 .attr_count = NFTA_TABLE_MAX,
3195 .policy = nft_table_policy,
3197 [NFT_MSG_DELTABLE] = {
3198 .call_batch = nf_tables_deltable,
3199 .attr_count = NFTA_TABLE_MAX,
3200 .policy = nft_table_policy,
3202 [NFT_MSG_NEWCHAIN] = {
3203 .call_batch = nf_tables_newchain,
3204 .attr_count = NFTA_CHAIN_MAX,
3205 .policy = nft_chain_policy,
3207 [NFT_MSG_GETCHAIN] = {
3208 .call = nf_tables_getchain,
3209 .attr_count = NFTA_CHAIN_MAX,
3210 .policy = nft_chain_policy,
3212 [NFT_MSG_DELCHAIN] = {
3213 .call_batch = nf_tables_delchain,
3214 .attr_count = NFTA_CHAIN_MAX,
3215 .policy = nft_chain_policy,
3217 [NFT_MSG_NEWRULE] = {
3218 .call_batch = nf_tables_newrule,
3219 .attr_count = NFTA_RULE_MAX,
3220 .policy = nft_rule_policy,
3222 [NFT_MSG_GETRULE] = {
3223 .call = nf_tables_getrule,
3224 .attr_count = NFTA_RULE_MAX,
3225 .policy = nft_rule_policy,
3227 [NFT_MSG_DELRULE] = {
3228 .call_batch = nf_tables_delrule,
3229 .attr_count = NFTA_RULE_MAX,
3230 .policy = nft_rule_policy,
3232 [NFT_MSG_NEWSET] = {
3233 .call_batch = nf_tables_newset,
3234 .attr_count = NFTA_SET_MAX,
3235 .policy = nft_set_policy,
3237 [NFT_MSG_GETSET] = {
3238 .call = nf_tables_getset,
3239 .attr_count = NFTA_SET_MAX,
3240 .policy = nft_set_policy,
3242 [NFT_MSG_DELSET] = {
3243 .call_batch = nf_tables_delset,
3244 .attr_count = NFTA_SET_MAX,
3245 .policy = nft_set_policy,
3247 [NFT_MSG_NEWSETELEM] = {
3248 .call_batch = nf_tables_newsetelem,
3249 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3250 .policy = nft_set_elem_list_policy,
3252 [NFT_MSG_GETSETELEM] = {
3253 .call = nf_tables_getsetelem,
3254 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3255 .policy = nft_set_elem_list_policy,
3257 [NFT_MSG_DELSETELEM] = {
3258 .call_batch = nf_tables_delsetelem,
3259 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3260 .policy = nft_set_elem_list_policy,
3264 static void nft_chain_commit_update(struct nft_trans *trans)
3266 struct nft_base_chain *basechain;
3268 if (nft_trans_chain_name(trans)[0])
3269 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3271 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3274 basechain = nft_base_chain(trans->ctx.chain);
3275 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3277 switch (nft_trans_chain_policy(trans)) {
3280 basechain->policy = nft_trans_chain_policy(trans);
3285 /* Schedule objects for release via rcu to make sure no packets are accesing
3288 static void nf_tables_commit_release_rcu(struct rcu_head *rt)
3290 struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
3292 switch (trans->msg_type) {
3293 case NFT_MSG_DELTABLE:
3294 nf_tables_table_destroy(&trans->ctx);
3296 case NFT_MSG_DELCHAIN:
3297 nf_tables_chain_destroy(trans->ctx.chain);
3299 case NFT_MSG_DELRULE:
3300 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3302 case NFT_MSG_DELSET:
3303 nft_set_destroy(nft_trans_set(trans));
3309 static int nf_tables_commit(struct sk_buff *skb)
3311 struct net *net = sock_net(skb->sk);
3312 struct nft_trans *trans, *next;
3313 struct nft_trans_elem *te;
3315 /* Bump generation counter, invalidate any dump in progress */
3316 while (++net->nft.base_seq == 0);
3318 /* A new generation has just started */
3319 net->nft.gencursor = gencursor_next(net);
3321 /* Make sure all packets have left the previous generation before
3322 * purging old rules.
3326 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3327 switch (trans->msg_type) {
3328 case NFT_MSG_NEWTABLE:
3329 if (nft_trans_table_update(trans)) {
3330 if (!nft_trans_table_enable(trans)) {
3331 nf_tables_table_disable(trans->ctx.afi,
3333 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3336 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3338 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3339 nft_trans_destroy(trans);
3341 case NFT_MSG_DELTABLE:
3342 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3344 case NFT_MSG_NEWCHAIN:
3345 if (nft_trans_chain_update(trans))
3346 nft_chain_commit_update(trans);
3348 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3350 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3351 nft_trans_destroy(trans);
3353 case NFT_MSG_DELCHAIN:
3354 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3355 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3356 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3357 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3358 trans->ctx.afi->nops);
3361 case NFT_MSG_NEWRULE:
3362 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3363 nf_tables_rule_notify(&trans->ctx,
3364 nft_trans_rule(trans),
3366 nft_trans_destroy(trans);
3368 case NFT_MSG_DELRULE:
3369 list_del_rcu(&nft_trans_rule(trans)->list);
3370 nf_tables_rule_notify(&trans->ctx,
3371 nft_trans_rule(trans),
3374 case NFT_MSG_NEWSET:
3375 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3376 /* This avoids hitting -EBUSY when deleting the table
3377 * from the transaction.
3379 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
3380 !list_empty(&nft_trans_set(trans)->bindings))
3381 trans->ctx.table->use--;
3383 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3384 NFT_MSG_NEWSET, GFP_KERNEL);
3385 nft_trans_destroy(trans);
3387 case NFT_MSG_DELSET:
3388 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3389 NFT_MSG_DELSET, GFP_KERNEL);
3391 case NFT_MSG_NEWSETELEM:
3392 nf_tables_setelem_notify(&trans->ctx,
3393 nft_trans_elem_set(trans),
3394 &nft_trans_elem(trans),
3395 NFT_MSG_NEWSETELEM, 0);
3396 nft_trans_destroy(trans);
3398 case NFT_MSG_DELSETELEM:
3399 te = (struct nft_trans_elem *)trans->data;
3400 nf_tables_setelem_notify(&trans->ctx, te->set,
3402 NFT_MSG_DELSETELEM, 0);
3403 te->set->ops->get(te->set, &te->elem);
3404 te->set->ops->remove(te->set, &te->elem);
3405 nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
3406 if (te->elem.flags & NFT_SET_MAP) {
3407 nft_data_uninit(&te->elem.data,
3410 nft_trans_destroy(trans);
3415 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3416 list_del(&trans->list);
3417 trans->ctx.nla = NULL;
3418 call_rcu(&trans->rcu_head, nf_tables_commit_release_rcu);
3424 /* Schedule objects for release via rcu to make sure no packets are accesing
3427 static void nf_tables_abort_release_rcu(struct rcu_head *rt)
3429 struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
3431 switch (trans->msg_type) {
3432 case NFT_MSG_NEWTABLE:
3433 nf_tables_table_destroy(&trans->ctx);
3435 case NFT_MSG_NEWCHAIN:
3436 nf_tables_chain_destroy(trans->ctx.chain);
3438 case NFT_MSG_NEWRULE:
3439 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3441 case NFT_MSG_NEWSET:
3442 nft_set_destroy(nft_trans_set(trans));
3448 static int nf_tables_abort(struct sk_buff *skb)
3450 struct net *net = sock_net(skb->sk);
3451 struct nft_trans *trans, *next;
3452 struct nft_set *set;
3454 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3455 switch (trans->msg_type) {
3456 case NFT_MSG_NEWTABLE:
3457 if (nft_trans_table_update(trans)) {
3458 if (nft_trans_table_enable(trans)) {
3459 nf_tables_table_disable(trans->ctx.afi,
3461 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3463 nft_trans_destroy(trans);
3465 list_del_rcu(&trans->ctx.table->list);
3468 case NFT_MSG_DELTABLE:
3469 list_add_tail_rcu(&trans->ctx.table->list,
3470 &trans->ctx.afi->tables);
3471 nft_trans_destroy(trans);
3473 case NFT_MSG_NEWCHAIN:
3474 if (nft_trans_chain_update(trans)) {
3475 if (nft_trans_chain_stats(trans))
3476 free_percpu(nft_trans_chain_stats(trans));
3478 nft_trans_destroy(trans);
3480 trans->ctx.table->use--;
3481 list_del_rcu(&trans->ctx.chain->list);
3482 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3483 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3484 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3485 trans->ctx.afi->nops);
3489 case NFT_MSG_DELCHAIN:
3490 trans->ctx.table->use++;
3491 list_add_tail_rcu(&trans->ctx.chain->list,
3492 &trans->ctx.table->chains);
3493 nft_trans_destroy(trans);
3495 case NFT_MSG_NEWRULE:
3496 trans->ctx.chain->use--;
3497 list_del_rcu(&nft_trans_rule(trans)->list);
3499 case NFT_MSG_DELRULE:
3500 trans->ctx.chain->use++;
3501 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3502 nft_trans_destroy(trans);
3504 case NFT_MSG_NEWSET:
3505 trans->ctx.table->use--;
3506 list_del_rcu(&nft_trans_set(trans)->list);
3508 case NFT_MSG_DELSET:
3509 trans->ctx.table->use++;
3510 list_add_tail_rcu(&nft_trans_set(trans)->list,
3511 &trans->ctx.table->sets);
3512 nft_trans_destroy(trans);
3514 case NFT_MSG_NEWSETELEM:
3515 nft_trans_elem_set(trans)->nelems--;
3516 set = nft_trans_elem_set(trans);
3517 set->ops->get(set, &nft_trans_elem(trans));
3518 set->ops->remove(set, &nft_trans_elem(trans));
3519 nft_trans_destroy(trans);
3521 case NFT_MSG_DELSETELEM:
3522 nft_trans_elem_set(trans)->nelems++;
3523 nft_trans_destroy(trans);
3528 list_for_each_entry_safe_reverse(trans, next,
3529 &net->nft.commit_list, list) {
3530 list_del(&trans->list);
3531 trans->ctx.nla = NULL;
3532 call_rcu(&trans->rcu_head, nf_tables_abort_release_rcu);
3538 static const struct nfnetlink_subsystem nf_tables_subsys = {
3539 .name = "nf_tables",
3540 .subsys_id = NFNL_SUBSYS_NFTABLES,
3541 .cb_count = NFT_MSG_MAX,
3543 .commit = nf_tables_commit,
3544 .abort = nf_tables_abort,
3548 * Loop detection - walk through the ruleset beginning at the destination chain
3549 * of a new jump until either the source chain is reached (loop) or all
3550 * reachable chains have been traversed.
3552 * The loop check is performed whenever a new jump verdict is added to an
3553 * expression or verdict map or a verdict map is bound to a new chain.
3556 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3557 const struct nft_chain *chain);
3559 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3560 const struct nft_set *set,
3561 const struct nft_set_iter *iter,
3562 const struct nft_set_elem *elem)
3564 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3567 switch (elem->data.verdict) {
3570 return nf_tables_check_loops(ctx, elem->data.chain);
3576 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3577 const struct nft_chain *chain)
3579 const struct nft_rule *rule;
3580 const struct nft_expr *expr, *last;
3581 const struct nft_set *set;
3582 struct nft_set_binding *binding;
3583 struct nft_set_iter iter;
3585 if (ctx->chain == chain)
3588 list_for_each_entry(rule, &chain->rules, list) {
3589 nft_rule_for_each_expr(expr, last, rule) {
3590 const struct nft_data *data = NULL;
3593 if (!expr->ops->validate)
3596 err = expr->ops->validate(ctx, expr, &data);
3603 switch (data->verdict) {
3606 err = nf_tables_check_loops(ctx, data->chain);
3615 list_for_each_entry(set, &ctx->table->sets, list) {
3616 if (!(set->flags & NFT_SET_MAP) ||
3617 set->dtype != NFT_DATA_VERDICT)
3620 list_for_each_entry(binding, &set->bindings, list) {
3621 if (binding->chain != chain)
3627 iter.fn = nf_tables_loop_check_setelem;
3629 set->ops->walk(ctx, set, &iter);
3639 * nft_validate_input_register - validate an expressions' input register
3641 * @reg: the register number
3643 * Validate that the input register is one of the general purpose
3646 int nft_validate_input_register(enum nft_registers reg)
3648 if (reg <= NFT_REG_VERDICT)
3650 if (reg > NFT_REG_MAX)
3654 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3657 * nft_validate_output_register - validate an expressions' output register
3659 * @reg: the register number
3661 * Validate that the output register is one of the general purpose
3662 * registers or the verdict register.
3664 int nft_validate_output_register(enum nft_registers reg)
3666 if (reg < NFT_REG_VERDICT)
3668 if (reg > NFT_REG_MAX)
3672 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3675 * nft_validate_data_load - validate an expressions' data load
3677 * @ctx: context of the expression performing the load
3678 * @reg: the destination register number
3679 * @data: the data to load
3680 * @type: the data type
3682 * Validate that a data load uses the appropriate data type for
3683 * the destination register. A value of NULL for the data means
3684 * that its runtime gathered data, which is always of type
3687 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3688 const struct nft_data *data,
3689 enum nft_data_types type)
3694 case NFT_REG_VERDICT:
3695 if (data == NULL || type != NFT_DATA_VERDICT)
3698 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3699 err = nf_tables_check_loops(ctx, data->chain);
3703 if (ctx->chain->level + 1 > data->chain->level) {
3704 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3706 data->chain->level = ctx->chain->level + 1;
3712 if (data != NULL && type != NFT_DATA_VALUE)
3717 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3719 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3720 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3721 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3722 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3725 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3726 struct nft_data_desc *desc, const struct nlattr *nla)
3728 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3729 struct nft_chain *chain;
3732 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3736 if (!tb[NFTA_VERDICT_CODE])
3738 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3740 switch (data->verdict) {
3742 switch (data->verdict & NF_VERDICT_MASK) {
3754 desc->len = sizeof(data->verdict);
3758 if (!tb[NFTA_VERDICT_CHAIN])
3760 chain = nf_tables_chain_lookup(ctx->table,
3761 tb[NFTA_VERDICT_CHAIN]);
3763 return PTR_ERR(chain);
3764 if (chain->flags & NFT_BASE_CHAIN)
3768 data->chain = chain;
3769 desc->len = sizeof(data);
3773 desc->type = NFT_DATA_VERDICT;
3777 static void nft_verdict_uninit(const struct nft_data *data)
3779 switch (data->verdict) {
3787 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3789 struct nlattr *nest;
3791 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3793 goto nla_put_failure;
3795 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3796 goto nla_put_failure;
3798 switch (data->verdict) {
3801 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3802 goto nla_put_failure;
3804 nla_nest_end(skb, nest);
3811 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3812 struct nft_data_desc *desc, const struct nlattr *nla)
3819 if (len > sizeof(data->data))
3822 nla_memcpy(data->data, nla, sizeof(data->data));
3823 desc->type = NFT_DATA_VALUE;
3828 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3831 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3834 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3835 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3836 .len = FIELD_SIZEOF(struct nft_data, data) },
3837 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3841 * nft_data_init - parse nf_tables data netlink attributes
3843 * @ctx: context of the expression using the data
3844 * @data: destination struct nft_data
3845 * @desc: data description
3846 * @nla: netlink attribute containing data
3848 * Parse the netlink data attributes and initialize a struct nft_data.
3849 * The type and length of data are returned in the data description.
3851 * The caller can indicate that it only wants to accept data of type
3852 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3854 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3855 struct nft_data_desc *desc, const struct nlattr *nla)
3857 struct nlattr *tb[NFTA_DATA_MAX + 1];
3860 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3864 if (tb[NFTA_DATA_VALUE])
3865 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3866 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3867 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3870 EXPORT_SYMBOL_GPL(nft_data_init);
3873 * nft_data_uninit - release a nft_data item
3875 * @data: struct nft_data to release
3876 * @type: type of data
3878 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3879 * all others need to be released by calling this function.
3881 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3884 case NFT_DATA_VALUE:
3886 case NFT_DATA_VERDICT:
3887 return nft_verdict_uninit(data);
3892 EXPORT_SYMBOL_GPL(nft_data_uninit);
3894 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3895 enum nft_data_types type, unsigned int len)
3897 struct nlattr *nest;
3900 nest = nla_nest_start(skb, attr);
3905 case NFT_DATA_VALUE:
3906 err = nft_value_dump(skb, data, len);
3908 case NFT_DATA_VERDICT:
3909 err = nft_verdict_dump(skb, data);
3916 nla_nest_end(skb, nest);
3919 EXPORT_SYMBOL_GPL(nft_data_dump);
3921 static int nf_tables_init_net(struct net *net)
3923 INIT_LIST_HEAD(&net->nft.af_info);
3924 INIT_LIST_HEAD(&net->nft.commit_list);
3925 net->nft.base_seq = 1;
3929 static struct pernet_operations nf_tables_net_ops = {
3930 .init = nf_tables_init_net,
3933 static int __init nf_tables_module_init(void)
3937 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3944 err = nf_tables_core_module_init();
3948 err = nfnetlink_subsys_register(&nf_tables_subsys);
3952 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3953 return register_pernet_subsys(&nf_tables_net_ops);
3955 nf_tables_core_module_exit();
3962 static void __exit nf_tables_module_exit(void)
3964 unregister_pernet_subsys(&nf_tables_net_ops);
3965 nfnetlink_subsys_unregister(&nf_tables_subsys);
3966 nf_tables_core_module_exit();
3970 module_init(nf_tables_module_init);
3971 module_exit(nf_tables_module_exit);
3973 MODULE_LICENSE("GPL");
3974 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3975 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
git.openpandora.org / pandora-kernel.git / blob