2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
54 list_del_rcu(&afi->list);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
104 ctx->portid = NETLINK_CB(skb).portid;
105 ctx->report = nlmsg_report(nlh);
106 ctx->seq = nlh->nlmsg_seq;
109 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
112 struct nft_trans *trans;
114 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
118 trans->msg_type = msg_type;
124 static void nft_trans_destroy(struct nft_trans *trans)
126 list_del(&trans->list);
130 static void nf_tables_unregister_hooks(const struct nft_table *table,
131 const struct nft_chain *chain,
132 unsigned int hook_nops)
134 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
135 chain->flags & NFT_BASE_CHAIN)
136 nf_unregister_hooks(nft_base_chain(chain)->ops, hook_nops);
139 /* Internal table flags */
140 #define NFT_TABLE_INACTIVE (1 << 15)
142 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
144 struct nft_trans *trans;
146 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
150 if (msg_type == NFT_MSG_NEWTABLE)
151 ctx->table->flags |= NFT_TABLE_INACTIVE;
153 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
157 static int nft_deltable(struct nft_ctx *ctx)
161 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
165 list_del_rcu(&ctx->table->list);
169 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
171 struct nft_trans *trans;
173 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
177 if (msg_type == NFT_MSG_NEWCHAIN)
178 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
180 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
184 static int nft_delchain(struct nft_ctx *ctx)
188 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
193 list_del_rcu(&ctx->chain->list);
199 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
201 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
204 static inline int gencursor_next(struct net *net)
206 return net->nft.gencursor+1 == 1 ? 1 : 0;
210 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
212 return (rule->genmask & (1 << gencursor_next(net))) == 0;
216 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
218 /* Now inactive, will be active in the future */
219 rule->genmask = (1 << net->nft.gencursor);
223 nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
225 rule->genmask = (1 << gencursor_next(net));
228 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
230 rule->genmask &= ~(1 << gencursor_next(net));
234 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
236 /* You cannot delete the same rule twice */
237 if (nft_rule_is_active_next(ctx->net, rule)) {
238 nft_rule_deactivate_next(ctx->net, rule);
245 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
246 struct nft_rule *rule)
248 struct nft_trans *trans;
250 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
254 nft_trans_rule(trans) = rule;
255 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
260 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
262 struct nft_trans *trans;
265 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
269 err = nf_tables_delrule_deactivate(ctx, rule);
271 nft_trans_destroy(trans);
278 static int nft_delrule_by_chain(struct nft_ctx *ctx)
280 struct nft_rule *rule;
283 list_for_each_entry(rule, &ctx->chain->rules, list) {
284 err = nft_delrule(ctx, rule);
291 /* Internal set flag */
292 #define NFT_SET_INACTIVE (1 << 15)
294 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
297 struct nft_trans *trans;
299 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
303 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
304 nft_trans_set_id(trans) =
305 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
306 set->flags |= NFT_SET_INACTIVE;
308 nft_trans_set(trans) = set;
309 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
314 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
318 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
322 list_del_rcu(&set->list);
332 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
333 const struct nlattr *nla)
335 struct nft_table *table;
337 list_for_each_entry(table, &afi->tables, list) {
338 if (!nla_strcmp(nla, table->name))
344 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
345 const struct nlattr *nla)
347 struct nft_table *table;
350 return ERR_PTR(-EINVAL);
352 table = nft_table_lookup(afi, nla);
356 return ERR_PTR(-ENOENT);
359 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
361 return ++table->hgenerator;
364 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
366 static const struct nf_chain_type *
367 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
371 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
372 if (chain_type[family][i] != NULL &&
373 !nla_strcmp(nla, chain_type[family][i]->name))
374 return chain_type[family][i];
379 static const struct nf_chain_type *
380 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
381 const struct nlattr *nla,
384 const struct nf_chain_type *type;
386 type = __nf_tables_chain_type_lookup(afi->family, nla);
389 #ifdef CONFIG_MODULES
391 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
392 request_module("nft-chain-%u-%.*s", afi->family,
393 nla_len(nla), (const char *)nla_data(nla));
394 nfnl_lock(NFNL_SUBSYS_NFTABLES);
395 type = __nf_tables_chain_type_lookup(afi->family, nla);
397 return ERR_PTR(-EAGAIN);
400 return ERR_PTR(-ENOENT);
403 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
404 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
405 .len = NFT_TABLE_MAXNAMELEN - 1 },
406 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
409 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
410 u32 portid, u32 seq, int event, u32 flags,
411 int family, const struct nft_table *table)
413 struct nlmsghdr *nlh;
414 struct nfgenmsg *nfmsg;
416 event |= NFNL_SUBSYS_NFTABLES << 8;
417 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
419 goto nla_put_failure;
421 nfmsg = nlmsg_data(nlh);
422 nfmsg->nfgen_family = family;
423 nfmsg->version = NFNETLINK_V0;
424 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
426 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
427 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
428 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
429 goto nla_put_failure;
435 nlmsg_trim(skb, nlh);
439 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
445 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
449 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
453 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
454 event, 0, ctx->afi->family, ctx->table);
460 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
461 ctx->report, GFP_KERNEL);
464 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
470 static int nf_tables_dump_tables(struct sk_buff *skb,
471 struct netlink_callback *cb)
473 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
474 const struct nft_af_info *afi;
475 const struct nft_table *table;
476 unsigned int idx = 0, s_idx = cb->args[0];
477 struct net *net = sock_net(skb->sk);
478 int family = nfmsg->nfgen_family;
481 cb->seq = net->nft.base_seq;
483 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
484 if (family != NFPROTO_UNSPEC && family != afi->family)
487 list_for_each_entry_rcu(table, &afi->tables, list) {
491 memset(&cb->args[1], 0,
492 sizeof(cb->args) - sizeof(cb->args[0]));
493 if (nf_tables_fill_table_info(skb, net,
494 NETLINK_CB(cb->skb).portid,
498 afi->family, table) < 0)
501 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
512 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
513 const struct nlmsghdr *nlh,
514 const struct nlattr * const nla[])
516 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
517 const struct nft_af_info *afi;
518 const struct nft_table *table;
519 struct sk_buff *skb2;
520 struct net *net = sock_net(skb->sk);
521 int family = nfmsg->nfgen_family;
524 if (nlh->nlmsg_flags & NLM_F_DUMP) {
525 struct netlink_dump_control c = {
526 .dump = nf_tables_dump_tables,
528 return netlink_dump_start(nlsk, skb, nlh, &c);
531 afi = nf_tables_afinfo_lookup(net, family, false);
535 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
537 return PTR_ERR(table);
538 if (table->flags & NFT_TABLE_INACTIVE)
541 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
545 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
546 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
551 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
558 static int nf_tables_table_enable(const struct nft_af_info *afi,
559 struct nft_table *table)
561 struct nft_chain *chain;
564 list_for_each_entry(chain, &table->chains, list) {
565 if (!(chain->flags & NFT_BASE_CHAIN))
568 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
576 list_for_each_entry(chain, &table->chains, list) {
577 if (!(chain->flags & NFT_BASE_CHAIN))
583 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
588 static void nf_tables_table_disable(const struct nft_af_info *afi,
589 struct nft_table *table)
591 struct nft_chain *chain;
593 list_for_each_entry(chain, &table->chains, list) {
594 if (chain->flags & NFT_BASE_CHAIN)
595 nf_unregister_hooks(nft_base_chain(chain)->ops,
600 static int nf_tables_updtable(struct nft_ctx *ctx)
602 struct nft_trans *trans;
606 if (!ctx->nla[NFTA_TABLE_FLAGS])
609 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
610 if (flags & ~NFT_TABLE_F_DORMANT)
613 if (flags == ctx->table->flags)
616 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
617 sizeof(struct nft_trans_table));
621 if ((flags & NFT_TABLE_F_DORMANT) &&
622 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
623 nft_trans_table_enable(trans) = false;
624 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
625 ctx->table->flags & NFT_TABLE_F_DORMANT) {
626 ret = nf_tables_table_enable(ctx->afi, ctx->table);
628 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
629 nft_trans_table_enable(trans) = true;
635 nft_trans_table_update(trans) = true;
636 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
639 nft_trans_destroy(trans);
643 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
644 const struct nlmsghdr *nlh,
645 const struct nlattr * const nla[])
647 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
648 const struct nlattr *name;
649 struct nft_af_info *afi;
650 struct nft_table *table;
651 struct net *net = sock_net(skb->sk);
652 int family = nfmsg->nfgen_family;
657 afi = nf_tables_afinfo_lookup(net, family, true);
661 name = nla[NFTA_TABLE_NAME];
662 table = nf_tables_table_lookup(afi, name);
664 if (PTR_ERR(table) != -ENOENT)
665 return PTR_ERR(table);
670 if (table->flags & NFT_TABLE_INACTIVE)
672 if (nlh->nlmsg_flags & NLM_F_EXCL)
674 if (nlh->nlmsg_flags & NLM_F_REPLACE)
677 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
678 return nf_tables_updtable(&ctx);
681 if (nla[NFTA_TABLE_FLAGS]) {
682 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
683 if (flags & ~NFT_TABLE_F_DORMANT)
687 if (!try_module_get(afi->owner))
688 return -EAFNOSUPPORT;
690 table = kzalloc(sizeof(*table), GFP_KERNEL);
692 module_put(afi->owner);
696 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
697 INIT_LIST_HEAD(&table->chains);
698 INIT_LIST_HEAD(&table->sets);
699 table->flags = flags;
701 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
702 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
705 module_put(afi->owner);
708 list_add_tail_rcu(&table->list, &afi->tables);
712 static int nft_flush_table(struct nft_ctx *ctx)
715 struct nft_chain *chain, *nc;
716 struct nft_set *set, *ns;
718 list_for_each_entry(chain, &ctx->table->chains, list) {
721 err = nft_delrule_by_chain(ctx);
726 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
727 if (set->flags & NFT_SET_ANONYMOUS &&
728 !list_empty(&set->bindings))
731 err = nft_delset(ctx, set);
736 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
739 err = nft_delchain(ctx);
744 err = nft_deltable(ctx);
749 static int nft_flush(struct nft_ctx *ctx, int family)
751 struct nft_af_info *afi;
752 struct nft_table *table, *nt;
753 const struct nlattr * const *nla = ctx->nla;
756 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
757 if (family != AF_UNSPEC && afi->family != family)
761 list_for_each_entry_safe(table, nt, &afi->tables, list) {
762 if (nla[NFTA_TABLE_NAME] &&
763 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
768 err = nft_flush_table(ctx);
777 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
778 const struct nlmsghdr *nlh,
779 const struct nlattr * const nla[])
781 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
782 struct nft_af_info *afi;
783 struct nft_table *table;
784 struct net *net = sock_net(skb->sk);
785 int family = nfmsg->nfgen_family;
788 nft_ctx_init(&ctx, skb, nlh, NULL, NULL, NULL, nla);
789 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
790 return nft_flush(&ctx, family);
792 afi = nf_tables_afinfo_lookup(net, family, false);
796 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
798 return PTR_ERR(table);
799 if (table->flags & NFT_TABLE_INACTIVE)
805 return nft_flush_table(&ctx);
808 static void nf_tables_table_destroy(struct nft_ctx *ctx)
810 BUG_ON(ctx->table->use > 0);
813 module_put(ctx->afi->owner);
816 int nft_register_chain_type(const struct nf_chain_type *ctype)
820 nfnl_lock(NFNL_SUBSYS_NFTABLES);
821 if (chain_type[ctype->family][ctype->type] != NULL) {
825 chain_type[ctype->family][ctype->type] = ctype;
827 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
830 EXPORT_SYMBOL_GPL(nft_register_chain_type);
832 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
834 nfnl_lock(NFNL_SUBSYS_NFTABLES);
835 chain_type[ctype->family][ctype->type] = NULL;
836 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
838 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
844 static struct nft_chain *
845 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
847 struct nft_chain *chain;
849 list_for_each_entry(chain, &table->chains, list) {
850 if (chain->handle == handle)
854 return ERR_PTR(-ENOENT);
857 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
858 const struct nlattr *nla)
860 struct nft_chain *chain;
863 return ERR_PTR(-EINVAL);
865 list_for_each_entry(chain, &table->chains, list) {
866 if (!nla_strcmp(nla, chain->name))
870 return ERR_PTR(-ENOENT);
873 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
874 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
875 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
876 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
877 .len = NFT_CHAIN_MAXNAMELEN - 1 },
878 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
879 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
880 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
881 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
884 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
885 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
886 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
889 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
891 struct nft_stats *cpu_stats, total;
897 memset(&total, 0, sizeof(total));
898 for_each_possible_cpu(cpu) {
899 cpu_stats = per_cpu_ptr(stats, cpu);
901 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
902 pkts = cpu_stats->pkts;
903 bytes = cpu_stats->bytes;
904 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
906 total.bytes += bytes;
908 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
910 goto nla_put_failure;
912 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
913 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
914 goto nla_put_failure;
916 nla_nest_end(skb, nest);
923 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
924 u32 portid, u32 seq, int event, u32 flags,
925 int family, const struct nft_table *table,
926 const struct nft_chain *chain)
928 struct nlmsghdr *nlh;
929 struct nfgenmsg *nfmsg;
931 event |= NFNL_SUBSYS_NFTABLES << 8;
932 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
934 goto nla_put_failure;
936 nfmsg = nlmsg_data(nlh);
937 nfmsg->nfgen_family = family;
938 nfmsg->version = NFNETLINK_V0;
939 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
941 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
942 goto nla_put_failure;
943 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
944 goto nla_put_failure;
945 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
946 goto nla_put_failure;
948 if (chain->flags & NFT_BASE_CHAIN) {
949 const struct nft_base_chain *basechain = nft_base_chain(chain);
950 const struct nf_hook_ops *ops = &basechain->ops[0];
953 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
955 goto nla_put_failure;
956 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
957 goto nla_put_failure;
958 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
959 goto nla_put_failure;
960 nla_nest_end(skb, nest);
962 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
963 htonl(basechain->policy)))
964 goto nla_put_failure;
966 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
967 goto nla_put_failure;
969 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
970 goto nla_put_failure;
973 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
974 goto nla_put_failure;
980 nlmsg_trim(skb, nlh);
984 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
990 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
994 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
998 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
999 event, 0, ctx->afi->family, ctx->table,
1006 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1007 ctx->report, GFP_KERNEL);
1010 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1016 static int nf_tables_dump_chains(struct sk_buff *skb,
1017 struct netlink_callback *cb)
1019 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1020 const struct nft_af_info *afi;
1021 const struct nft_table *table;
1022 const struct nft_chain *chain;
1023 unsigned int idx = 0, s_idx = cb->args[0];
1024 struct net *net = sock_net(skb->sk);
1025 int family = nfmsg->nfgen_family;
1028 cb->seq = net->nft.base_seq;
1030 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1031 if (family != NFPROTO_UNSPEC && family != afi->family)
1034 list_for_each_entry_rcu(table, &afi->tables, list) {
1035 list_for_each_entry_rcu(chain, &table->chains, list) {
1039 memset(&cb->args[1], 0,
1040 sizeof(cb->args) - sizeof(cb->args[0]));
1041 if (nf_tables_fill_chain_info(skb, net,
1042 NETLINK_CB(cb->skb).portid,
1046 afi->family, table, chain) < 0)
1049 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1061 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
1062 const struct nlmsghdr *nlh,
1063 const struct nlattr * const nla[])
1065 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1066 const struct nft_af_info *afi;
1067 const struct nft_table *table;
1068 const struct nft_chain *chain;
1069 struct sk_buff *skb2;
1070 struct net *net = sock_net(skb->sk);
1071 int family = nfmsg->nfgen_family;
1074 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1075 struct netlink_dump_control c = {
1076 .dump = nf_tables_dump_chains,
1078 return netlink_dump_start(nlsk, skb, nlh, &c);
1081 afi = nf_tables_afinfo_lookup(net, family, false);
1083 return PTR_ERR(afi);
1085 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1087 return PTR_ERR(table);
1088 if (table->flags & NFT_TABLE_INACTIVE)
1091 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1093 return PTR_ERR(chain);
1094 if (chain->flags & NFT_CHAIN_INACTIVE)
1097 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1101 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1102 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1103 family, table, chain);
1107 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1114 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1115 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1116 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1119 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1121 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1122 struct nft_stats __percpu *newstats;
1123 struct nft_stats *stats;
1126 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1128 return ERR_PTR(err);
1130 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1131 return ERR_PTR(-EINVAL);
1133 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1134 if (newstats == NULL)
1135 return ERR_PTR(-ENOMEM);
1137 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1138 * are not exposed to userspace.
1141 stats = this_cpu_ptr(newstats);
1142 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1143 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1149 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1150 struct nft_stats __percpu *newstats)
1152 if (newstats == NULL)
1156 struct nft_stats __percpu *oldstats =
1157 nft_dereference(chain->stats);
1159 rcu_assign_pointer(chain->stats, newstats);
1161 free_percpu(oldstats);
1163 rcu_assign_pointer(chain->stats, newstats);
1166 static void nf_tables_chain_destroy(struct nft_chain *chain)
1168 BUG_ON(chain->use > 0);
1170 if (chain->flags & NFT_BASE_CHAIN) {
1171 module_put(nft_base_chain(chain)->type->owner);
1172 free_percpu(nft_base_chain(chain)->stats);
1173 kfree(nft_base_chain(chain));
1179 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
1180 const struct nlmsghdr *nlh,
1181 const struct nlattr * const nla[])
1183 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1184 const struct nlattr * uninitialized_var(name);
1185 struct nft_af_info *afi;
1186 struct nft_table *table;
1187 struct nft_chain *chain;
1188 struct nft_base_chain *basechain = NULL;
1189 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1190 struct net *net = sock_net(skb->sk);
1191 int family = nfmsg->nfgen_family;
1192 u8 policy = NF_ACCEPT;
1195 struct nft_stats __percpu *stats;
1200 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1202 afi = nf_tables_afinfo_lookup(net, family, true);
1204 return PTR_ERR(afi);
1206 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1208 return PTR_ERR(table);
1211 name = nla[NFTA_CHAIN_NAME];
1213 if (nla[NFTA_CHAIN_HANDLE]) {
1214 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1215 chain = nf_tables_chain_lookup_byhandle(table, handle);
1217 return PTR_ERR(chain);
1219 chain = nf_tables_chain_lookup(table, name);
1220 if (IS_ERR(chain)) {
1221 if (PTR_ERR(chain) != -ENOENT)
1222 return PTR_ERR(chain);
1227 if (nla[NFTA_CHAIN_POLICY]) {
1228 if ((chain != NULL &&
1229 !(chain->flags & NFT_BASE_CHAIN)) ||
1230 nla[NFTA_CHAIN_HOOK] == NULL)
1233 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1243 if (chain != NULL) {
1244 struct nft_stats *stats = NULL;
1245 struct nft_trans *trans;
1247 if (chain->flags & NFT_CHAIN_INACTIVE)
1249 if (nlh->nlmsg_flags & NLM_F_EXCL)
1251 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1254 if (nla[NFTA_CHAIN_HANDLE] && name &&
1255 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1258 if (nla[NFTA_CHAIN_COUNTERS]) {
1259 if (!(chain->flags & NFT_BASE_CHAIN))
1262 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1264 return PTR_ERR(stats);
1267 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1268 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1269 sizeof(struct nft_trans_chain));
1270 if (trans == NULL) {
1275 nft_trans_chain_stats(trans) = stats;
1276 nft_trans_chain_update(trans) = true;
1278 if (nla[NFTA_CHAIN_POLICY])
1279 nft_trans_chain_policy(trans) = policy;
1281 nft_trans_chain_policy(trans) = -1;
1283 if (nla[NFTA_CHAIN_HANDLE] && name) {
1284 nla_strlcpy(nft_trans_chain_name(trans), name,
1285 NFT_CHAIN_MAXNAMELEN);
1287 list_add_tail(&trans->list, &net->nft.commit_list);
1291 if (table->use == UINT_MAX)
1294 if (nla[NFTA_CHAIN_HOOK]) {
1295 const struct nf_chain_type *type;
1296 struct nf_hook_ops *ops;
1298 u32 hooknum, priority;
1300 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1301 if (nla[NFTA_CHAIN_TYPE]) {
1302 type = nf_tables_chain_type_lookup(afi,
1303 nla[NFTA_CHAIN_TYPE],
1306 return PTR_ERR(type);
1309 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1313 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1314 ha[NFTA_HOOK_PRIORITY] == NULL)
1317 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1318 if (hooknum >= afi->nhooks)
1320 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1322 if (!(type->hook_mask & (1 << hooknum)))
1324 if (!try_module_get(type->owner))
1326 hookfn = type->hooks[hooknum];
1328 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1329 if (basechain == NULL) {
1330 module_put(type->owner);
1334 if (nla[NFTA_CHAIN_COUNTERS]) {
1335 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1336 if (IS_ERR(stats)) {
1337 module_put(type->owner);
1339 return PTR_ERR(stats);
1341 basechain->stats = stats;
1343 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1344 if (stats == NULL) {
1345 module_put(type->owner);
1349 rcu_assign_pointer(basechain->stats, stats);
1352 basechain->type = type;
1353 chain = &basechain->chain;
1355 for (i = 0; i < afi->nops; i++) {
1356 ops = &basechain->ops[i];
1358 ops->owner = afi->owner;
1359 ops->hooknum = hooknum;
1360 ops->priority = priority;
1362 ops->hook = afi->hooks[ops->hooknum];
1365 if (afi->hook_ops_init)
1366 afi->hook_ops_init(ops, i);
1369 chain->flags |= NFT_BASE_CHAIN;
1370 basechain->policy = policy;
1372 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1377 INIT_LIST_HEAD(&chain->rules);
1378 chain->handle = nf_tables_alloc_handle(table);
1380 chain->table = table;
1381 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1383 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1384 chain->flags & NFT_BASE_CHAIN) {
1385 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1390 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1391 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1396 list_add_tail_rcu(&chain->list, &table->chains);
1399 nf_tables_unregister_hooks(table, chain, afi->nops);
1401 nf_tables_chain_destroy(chain);
1405 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1406 const struct nlmsghdr *nlh,
1407 const struct nlattr * const nla[])
1409 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1410 struct nft_af_info *afi;
1411 struct nft_table *table;
1412 struct nft_chain *chain;
1413 struct net *net = sock_net(skb->sk);
1414 int family = nfmsg->nfgen_family;
1417 afi = nf_tables_afinfo_lookup(net, family, false);
1419 return PTR_ERR(afi);
1421 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1423 return PTR_ERR(table);
1424 if (table->flags & NFT_TABLE_INACTIVE)
1427 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1429 return PTR_ERR(chain);
1430 if (chain->flags & NFT_CHAIN_INACTIVE)
1435 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1437 return nft_delchain(&ctx);
1445 * nft_register_expr - register nf_tables expr type
1448 * Registers the expr type for use with nf_tables. Returns zero on
1449 * success or a negative errno code otherwise.
1451 int nft_register_expr(struct nft_expr_type *type)
1453 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1454 if (type->family == NFPROTO_UNSPEC)
1455 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1457 list_add_rcu(&type->list, &nf_tables_expressions);
1458 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1461 EXPORT_SYMBOL_GPL(nft_register_expr);
1464 * nft_unregister_expr - unregister nf_tables expr type
1467 * Unregisters the expr typefor use with nf_tables.
1469 void nft_unregister_expr(struct nft_expr_type *type)
1471 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1472 list_del_rcu(&type->list);
1473 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1475 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1477 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1480 const struct nft_expr_type *type;
1482 list_for_each_entry(type, &nf_tables_expressions, list) {
1483 if (!nla_strcmp(nla, type->name) &&
1484 (!type->family || type->family == family))
1490 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1493 const struct nft_expr_type *type;
1496 return ERR_PTR(-EINVAL);
1498 type = __nft_expr_type_get(family, nla);
1499 if (type != NULL && try_module_get(type->owner))
1502 #ifdef CONFIG_MODULES
1504 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1505 request_module("nft-expr-%u-%.*s", family,
1506 nla_len(nla), (char *)nla_data(nla));
1507 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1508 if (__nft_expr_type_get(family, nla))
1509 return ERR_PTR(-EAGAIN);
1511 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1512 request_module("nft-expr-%.*s",
1513 nla_len(nla), (char *)nla_data(nla));
1514 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1515 if (__nft_expr_type_get(family, nla))
1516 return ERR_PTR(-EAGAIN);
1519 return ERR_PTR(-ENOENT);
1522 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1523 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1524 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1527 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1528 const struct nft_expr *expr)
1530 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1531 goto nla_put_failure;
1533 if (expr->ops->dump) {
1534 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1536 goto nla_put_failure;
1537 if (expr->ops->dump(skb, expr) < 0)
1538 goto nla_put_failure;
1539 nla_nest_end(skb, data);
1548 struct nft_expr_info {
1549 const struct nft_expr_ops *ops;
1550 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1553 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1554 const struct nlattr *nla,
1555 struct nft_expr_info *info)
1557 const struct nft_expr_type *type;
1558 const struct nft_expr_ops *ops;
1559 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1562 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1566 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1568 return PTR_ERR(type);
1570 if (tb[NFTA_EXPR_DATA]) {
1571 err = nla_parse_nested(info->tb, type->maxattr,
1572 tb[NFTA_EXPR_DATA], type->policy);
1576 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1578 if (type->select_ops != NULL) {
1579 ops = type->select_ops(ctx,
1580 (const struct nlattr * const *)info->tb);
1592 module_put(type->owner);
1596 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1597 const struct nft_expr_info *info,
1598 struct nft_expr *expr)
1600 const struct nft_expr_ops *ops = info->ops;
1605 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1617 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1618 struct nft_expr *expr)
1620 if (expr->ops->destroy)
1621 expr->ops->destroy(ctx, expr);
1622 module_put(expr->ops->type->owner);
1629 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1632 struct nft_rule *rule;
1634 // FIXME: this sucks
1635 list_for_each_entry(rule, &chain->rules, list) {
1636 if (handle == rule->handle)
1640 return ERR_PTR(-ENOENT);
1643 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1644 const struct nlattr *nla)
1647 return ERR_PTR(-EINVAL);
1649 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1652 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1653 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1654 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1655 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1656 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1657 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1658 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1659 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1660 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1661 .len = NFT_USERDATA_MAXLEN },
1664 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1665 u32 portid, u32 seq, int event,
1666 u32 flags, int family,
1667 const struct nft_table *table,
1668 const struct nft_chain *chain,
1669 const struct nft_rule *rule)
1671 struct nlmsghdr *nlh;
1672 struct nfgenmsg *nfmsg;
1673 const struct nft_expr *expr, *next;
1674 struct nlattr *list;
1675 const struct nft_rule *prule;
1676 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1678 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1681 goto nla_put_failure;
1683 nfmsg = nlmsg_data(nlh);
1684 nfmsg->nfgen_family = family;
1685 nfmsg->version = NFNETLINK_V0;
1686 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1688 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1689 goto nla_put_failure;
1690 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1691 goto nla_put_failure;
1692 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1693 goto nla_put_failure;
1695 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1696 prule = list_entry(rule->list.prev, struct nft_rule, list);
1697 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1698 cpu_to_be64(prule->handle)))
1699 goto nla_put_failure;
1702 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1704 goto nla_put_failure;
1705 nft_rule_for_each_expr(expr, next, rule) {
1706 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1708 goto nla_put_failure;
1709 if (nf_tables_fill_expr_info(skb, expr) < 0)
1710 goto nla_put_failure;
1711 nla_nest_end(skb, elem);
1713 nla_nest_end(skb, list);
1716 struct nft_userdata *udata = nft_userdata(rule);
1717 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1719 goto nla_put_failure;
1722 nlmsg_end(skb, nlh);
1726 nlmsg_trim(skb, nlh);
1730 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1731 const struct nft_rule *rule,
1734 struct sk_buff *skb;
1738 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1742 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1746 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1747 event, 0, ctx->afi->family, ctx->table,
1754 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1755 ctx->report, GFP_KERNEL);
1758 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1764 static int nf_tables_dump_rules(struct sk_buff *skb,
1765 struct netlink_callback *cb)
1767 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1768 const struct nft_af_info *afi;
1769 const struct nft_table *table;
1770 const struct nft_chain *chain;
1771 const struct nft_rule *rule;
1772 unsigned int idx = 0, s_idx = cb->args[0];
1773 struct net *net = sock_net(skb->sk);
1774 int family = nfmsg->nfgen_family;
1777 cb->seq = net->nft.base_seq;
1779 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1780 if (family != NFPROTO_UNSPEC && family != afi->family)
1783 list_for_each_entry_rcu(table, &afi->tables, list) {
1784 list_for_each_entry_rcu(chain, &table->chains, list) {
1785 list_for_each_entry_rcu(rule, &chain->rules, list) {
1786 if (!nft_rule_is_active(net, rule))
1791 memset(&cb->args[1], 0,
1792 sizeof(cb->args) - sizeof(cb->args[0]));
1793 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1796 NLM_F_MULTI | NLM_F_APPEND,
1797 afi->family, table, chain, rule) < 0)
1800 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1814 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1815 const struct nlmsghdr *nlh,
1816 const struct nlattr * const nla[])
1818 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1819 const struct nft_af_info *afi;
1820 const struct nft_table *table;
1821 const struct nft_chain *chain;
1822 const struct nft_rule *rule;
1823 struct sk_buff *skb2;
1824 struct net *net = sock_net(skb->sk);
1825 int family = nfmsg->nfgen_family;
1828 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1829 struct netlink_dump_control c = {
1830 .dump = nf_tables_dump_rules,
1832 return netlink_dump_start(nlsk, skb, nlh, &c);
1835 afi = nf_tables_afinfo_lookup(net, family, false);
1837 return PTR_ERR(afi);
1839 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1841 return PTR_ERR(table);
1842 if (table->flags & NFT_TABLE_INACTIVE)
1845 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1847 return PTR_ERR(chain);
1848 if (chain->flags & NFT_CHAIN_INACTIVE)
1851 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1853 return PTR_ERR(rule);
1855 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1859 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
1860 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1861 family, table, chain, rule);
1865 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1872 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1873 struct nft_rule *rule)
1875 struct nft_expr *expr;
1878 * Careful: some expressions might not be initialized in case this
1879 * is called on error from nf_tables_newrule().
1881 expr = nft_expr_first(rule);
1882 while (expr->ops && expr != nft_expr_last(rule)) {
1883 nf_tables_expr_destroy(ctx, expr);
1884 expr = nft_expr_next(expr);
1889 #define NFT_RULE_MAXEXPRS 128
1891 static struct nft_expr_info *info;
1893 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1894 const struct nlmsghdr *nlh,
1895 const struct nlattr * const nla[])
1897 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1898 struct nft_af_info *afi;
1899 struct net *net = sock_net(skb->sk);
1900 struct nft_table *table;
1901 struct nft_chain *chain;
1902 struct nft_rule *rule, *old_rule = NULL;
1903 struct nft_userdata *udata;
1904 struct nft_trans *trans = NULL;
1905 struct nft_expr *expr;
1908 unsigned int size, i, n, ulen = 0, usize = 0;
1911 u64 handle, pos_handle;
1913 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1915 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1917 return PTR_ERR(afi);
1919 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1921 return PTR_ERR(table);
1923 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1925 return PTR_ERR(chain);
1927 if (nla[NFTA_RULE_HANDLE]) {
1928 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1929 rule = __nf_tables_rule_lookup(chain, handle);
1931 return PTR_ERR(rule);
1933 if (nlh->nlmsg_flags & NLM_F_EXCL)
1935 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1940 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1942 handle = nf_tables_alloc_handle(table);
1944 if (chain->use == UINT_MAX)
1948 if (nla[NFTA_RULE_POSITION]) {
1949 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1952 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1953 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1954 if (IS_ERR(old_rule))
1955 return PTR_ERR(old_rule);
1958 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1962 if (nla[NFTA_RULE_EXPRESSIONS]) {
1963 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1965 if (nla_type(tmp) != NFTA_LIST_ELEM)
1967 if (n == NFT_RULE_MAXEXPRS)
1969 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1972 size += info[n].ops->size;
1976 /* Check for overflow of dlen field */
1978 if (size >= 1 << 12)
1981 if (nla[NFTA_RULE_USERDATA]) {
1982 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1984 usize = sizeof(struct nft_userdata) + ulen;
1988 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
1992 nft_rule_activate_next(net, rule);
1994 rule->handle = handle;
1996 rule->udata = ulen ? 1 : 0;
1999 udata = nft_userdata(rule);
2000 udata->len = ulen - 1;
2001 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2004 expr = nft_expr_first(rule);
2005 for (i = 0; i < n; i++) {
2006 err = nf_tables_newexpr(&ctx, &info[i], expr);
2010 expr = nft_expr_next(expr);
2013 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2014 if (nft_rule_is_active_next(net, old_rule)) {
2015 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2017 if (trans == NULL) {
2021 nft_rule_deactivate_next(net, old_rule);
2023 list_add_tail_rcu(&rule->list, &old_rule->list);
2028 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2030 list_add_rcu(&rule->list, &old_rule->list);
2032 list_add_tail_rcu(&rule->list, &chain->rules);
2035 list_add_tail_rcu(&rule->list, &old_rule->list);
2037 list_add_rcu(&rule->list, &chain->rules);
2040 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2048 list_del_rcu(&rule->list);
2050 nf_tables_rule_destroy(&ctx, rule);
2052 for (i = 0; i < n; i++) {
2053 if (info[i].ops != NULL)
2054 module_put(info[i].ops->type->owner);
2059 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
2060 const struct nlmsghdr *nlh,
2061 const struct nlattr * const nla[])
2063 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2064 struct nft_af_info *afi;
2065 struct net *net = sock_net(skb->sk);
2066 struct nft_table *table;
2067 struct nft_chain *chain = NULL;
2068 struct nft_rule *rule;
2069 int family = nfmsg->nfgen_family, err = 0;
2072 afi = nf_tables_afinfo_lookup(net, family, false);
2074 return PTR_ERR(afi);
2076 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2078 return PTR_ERR(table);
2079 if (table->flags & NFT_TABLE_INACTIVE)
2082 if (nla[NFTA_RULE_CHAIN]) {
2083 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2085 return PTR_ERR(chain);
2088 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
2091 if (nla[NFTA_RULE_HANDLE]) {
2092 rule = nf_tables_rule_lookup(chain,
2093 nla[NFTA_RULE_HANDLE]);
2095 return PTR_ERR(rule);
2097 err = nft_delrule(&ctx, rule);
2099 err = nft_delrule_by_chain(&ctx);
2102 list_for_each_entry(chain, &table->chains, list) {
2104 err = nft_delrule_by_chain(&ctx);
2117 static LIST_HEAD(nf_tables_set_ops);
2119 int nft_register_set(struct nft_set_ops *ops)
2121 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2122 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2123 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2126 EXPORT_SYMBOL_GPL(nft_register_set);
2128 void nft_unregister_set(struct nft_set_ops *ops)
2130 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2131 list_del_rcu(&ops->list);
2132 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2134 EXPORT_SYMBOL_GPL(nft_unregister_set);
2137 * Select a set implementation based on the data characteristics and the
2138 * given policy. The total memory use might not be known if no size is
2139 * given, in that case the amount of memory per element is used.
2141 static const struct nft_set_ops *
2142 nft_select_set_ops(const struct nlattr * const nla[],
2143 const struct nft_set_desc *desc,
2144 enum nft_set_policies policy)
2146 const struct nft_set_ops *ops, *bops;
2147 struct nft_set_estimate est, best;
2150 #ifdef CONFIG_MODULES
2151 if (list_empty(&nf_tables_set_ops)) {
2152 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2153 request_module("nft-set");
2154 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2155 if (!list_empty(&nf_tables_set_ops))
2156 return ERR_PTR(-EAGAIN);
2160 if (nla[NFTA_SET_FLAGS] != NULL) {
2161 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2162 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
2169 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2170 if ((ops->features & features) != features)
2172 if (!ops->estimate(desc, features, &est))
2176 case NFT_SET_POL_PERFORMANCE:
2177 if (est.class < best.class)
2179 if (est.class == best.class && est.size < best.size)
2182 case NFT_SET_POL_MEMORY:
2183 if (est.size < best.size)
2185 if (est.size == best.size && est.class < best.class)
2192 if (!try_module_get(ops->owner))
2195 module_put(bops->owner);
2204 return ERR_PTR(-EOPNOTSUPP);
2207 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2208 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2209 [NFTA_SET_NAME] = { .type = NLA_STRING,
2210 .len = IFNAMSIZ - 1 },
2211 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2212 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2213 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2214 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2215 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2216 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2217 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2218 [NFTA_SET_ID] = { .type = NLA_U32 },
2221 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2222 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2225 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
2226 const struct sk_buff *skb,
2227 const struct nlmsghdr *nlh,
2228 const struct nlattr * const nla[])
2230 struct net *net = sock_net(skb->sk);
2231 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2232 struct nft_af_info *afi = NULL;
2233 struct nft_table *table = NULL;
2235 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2236 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2238 return PTR_ERR(afi);
2241 if (nla[NFTA_SET_TABLE] != NULL) {
2243 return -EAFNOSUPPORT;
2245 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2247 return PTR_ERR(table);
2248 if (table->flags & NFT_TABLE_INACTIVE)
2252 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2256 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2257 const struct nlattr *nla)
2259 struct nft_set *set;
2262 return ERR_PTR(-EINVAL);
2264 list_for_each_entry(set, &table->sets, list) {
2265 if (!nla_strcmp(nla, set->name))
2268 return ERR_PTR(-ENOENT);
2271 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2272 const struct nlattr *nla)
2274 struct nft_trans *trans;
2275 u32 id = ntohl(nla_get_be32(nla));
2277 list_for_each_entry(trans, &net->nft.commit_list, list) {
2278 if (trans->msg_type == NFT_MSG_NEWSET &&
2279 id == nft_trans_set_id(trans))
2280 return nft_trans_set(trans);
2282 return ERR_PTR(-ENOENT);
2285 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2288 const struct nft_set *i;
2290 unsigned long *inuse;
2291 unsigned int n = 0, min = 0;
2293 p = strnchr(name, IFNAMSIZ, '%');
2295 if (p[1] != 'd' || strchr(p + 2, '%'))
2298 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2302 list_for_each_entry(i, &ctx->table->sets, list) {
2305 if (!sscanf(i->name, name, &tmp))
2307 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2310 set_bit(tmp - min, inuse);
2313 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2314 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2315 min += BITS_PER_BYTE * PAGE_SIZE;
2316 memset(inuse, 0, PAGE_SIZE);
2319 free_page((unsigned long)inuse);
2322 snprintf(set->name, sizeof(set->name), name, min + n);
2323 list_for_each_entry(i, &ctx->table->sets, list) {
2324 if (!strcmp(set->name, i->name))
2330 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2331 const struct nft_set *set, u16 event, u16 flags)
2333 struct nfgenmsg *nfmsg;
2334 struct nlmsghdr *nlh;
2335 struct nlattr *desc;
2336 u32 portid = ctx->portid;
2339 event |= NFNL_SUBSYS_NFTABLES << 8;
2340 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2343 goto nla_put_failure;
2345 nfmsg = nlmsg_data(nlh);
2346 nfmsg->nfgen_family = ctx->afi->family;
2347 nfmsg->version = NFNETLINK_V0;
2348 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2350 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2351 goto nla_put_failure;
2352 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2353 goto nla_put_failure;
2354 if (set->flags != 0)
2355 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2356 goto nla_put_failure;
2358 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2359 goto nla_put_failure;
2360 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2361 goto nla_put_failure;
2362 if (set->flags & NFT_SET_MAP) {
2363 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2364 goto nla_put_failure;
2365 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2366 goto nla_put_failure;
2369 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2370 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2371 goto nla_put_failure;
2374 desc = nla_nest_start(skb, NFTA_SET_DESC);
2376 goto nla_put_failure;
2378 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2379 goto nla_put_failure;
2380 nla_nest_end(skb, desc);
2382 nlmsg_end(skb, nlh);
2386 nlmsg_trim(skb, nlh);
2390 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2391 const struct nft_set *set,
2392 int event, gfp_t gfp_flags)
2394 struct sk_buff *skb;
2395 u32 portid = ctx->portid;
2399 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2403 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2407 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2413 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2414 ctx->report, gfp_flags);
2417 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2421 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2423 const struct nft_set *set;
2424 unsigned int idx, s_idx = cb->args[0];
2425 struct nft_af_info *afi;
2426 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2427 struct net *net = sock_net(skb->sk);
2428 int cur_family = cb->args[3];
2429 struct nft_ctx *ctx = cb->data, ctx_set;
2435 cb->seq = net->nft.base_seq;
2437 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2438 if (ctx->afi && ctx->afi != afi)
2442 if (afi->family != cur_family)
2447 list_for_each_entry_rcu(table, &afi->tables, list) {
2448 if (ctx->table && ctx->table != table)
2452 if (cur_table != table)
2458 list_for_each_entry_rcu(set, &table->sets, list) {
2463 ctx_set.table = table;
2465 if (nf_tables_fill_set(skb, &ctx_set, set,
2469 cb->args[2] = (unsigned long) table;
2470 cb->args[3] = afi->family;
2473 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2487 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2493 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2494 const struct nlmsghdr *nlh,
2495 const struct nlattr * const nla[])
2497 const struct nft_set *set;
2499 struct sk_buff *skb2;
2500 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2503 /* Verify existence before starting dump */
2504 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2508 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2509 struct netlink_dump_control c = {
2510 .dump = nf_tables_dump_sets,
2511 .done = nf_tables_dump_sets_done,
2513 struct nft_ctx *ctx_dump;
2515 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2516 if (ctx_dump == NULL)
2522 return netlink_dump_start(nlsk, skb, nlh, &c);
2525 /* Only accept unspec with dump */
2526 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2527 return -EAFNOSUPPORT;
2529 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2531 return PTR_ERR(set);
2532 if (set->flags & NFT_SET_INACTIVE)
2535 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2539 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2543 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2550 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2551 struct nft_set_desc *desc,
2552 const struct nlattr *nla)
2554 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2557 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2561 if (da[NFTA_SET_DESC_SIZE] != NULL)
2562 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2567 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2568 const struct nlmsghdr *nlh,
2569 const struct nlattr * const nla[])
2571 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2572 const struct nft_set_ops *ops;
2573 struct nft_af_info *afi;
2574 struct net *net = sock_net(skb->sk);
2575 struct nft_table *table;
2576 struct nft_set *set;
2578 char name[IFNAMSIZ];
2581 u32 ktype, dtype, flags, policy;
2582 struct nft_set_desc desc;
2585 if (nla[NFTA_SET_TABLE] == NULL ||
2586 nla[NFTA_SET_NAME] == NULL ||
2587 nla[NFTA_SET_KEY_LEN] == NULL ||
2588 nla[NFTA_SET_ID] == NULL)
2591 memset(&desc, 0, sizeof(desc));
2593 ktype = NFT_DATA_VALUE;
2594 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2595 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2596 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2600 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2601 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2605 if (nla[NFTA_SET_FLAGS] != NULL) {
2606 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2607 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2608 NFT_SET_INTERVAL | NFT_SET_MAP))
2613 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2614 if (!(flags & NFT_SET_MAP))
2617 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2618 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2619 dtype != NFT_DATA_VERDICT)
2622 if (dtype != NFT_DATA_VERDICT) {
2623 if (nla[NFTA_SET_DATA_LEN] == NULL)
2625 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2626 if (desc.dlen == 0 ||
2627 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2630 desc.dlen = sizeof(struct nft_data);
2631 } else if (flags & NFT_SET_MAP)
2634 policy = NFT_SET_POL_PERFORMANCE;
2635 if (nla[NFTA_SET_POLICY] != NULL)
2636 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2638 if (nla[NFTA_SET_DESC] != NULL) {
2639 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2644 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2646 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2648 return PTR_ERR(afi);
2650 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2652 return PTR_ERR(table);
2654 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2656 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2658 if (PTR_ERR(set) != -ENOENT)
2659 return PTR_ERR(set);
2664 if (nlh->nlmsg_flags & NLM_F_EXCL)
2666 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2671 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2674 ops = nft_select_set_ops(nla, &desc, policy);
2676 return PTR_ERR(ops);
2679 if (ops->privsize != NULL)
2680 size = ops->privsize(nla);
2683 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2687 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2688 err = nf_tables_set_alloc_name(&ctx, set, name);
2692 INIT_LIST_HEAD(&set->bindings);
2695 set->klen = desc.klen;
2697 set->dlen = desc.dlen;
2699 set->size = desc.size;
2700 set->policy = policy;
2702 err = ops->init(set, &desc, nla);
2706 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2710 list_add_tail_rcu(&set->list, &table->sets);
2717 module_put(ops->owner);
2721 static void nft_set_destroy(struct nft_set *set)
2723 set->ops->destroy(set);
2724 module_put(set->ops->owner);
2728 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2730 list_del_rcu(&set->list);
2731 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2732 nft_set_destroy(set);
2735 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2736 const struct nlmsghdr *nlh,
2737 const struct nlattr * const nla[])
2739 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2740 struct nft_set *set;
2744 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2745 return -EAFNOSUPPORT;
2746 if (nla[NFTA_SET_TABLE] == NULL)
2749 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2753 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2755 return PTR_ERR(set);
2756 if (set->flags & NFT_SET_INACTIVE)
2758 if (!list_empty(&set->bindings))
2761 return nft_delset(&ctx, set);
2764 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2765 const struct nft_set *set,
2766 const struct nft_set_iter *iter,
2767 const struct nft_set_elem *elem)
2769 enum nft_registers dreg;
2771 dreg = nft_type_to_reg(set->dtype);
2772 return nft_validate_data_load(ctx, dreg, &elem->data,
2773 set->dtype == NFT_DATA_VERDICT ?
2774 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2777 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2778 struct nft_set_binding *binding)
2780 struct nft_set_binding *i;
2781 struct nft_set_iter iter;
2783 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2786 if (set->flags & NFT_SET_MAP) {
2787 /* If the set is already bound to the same chain all
2788 * jumps are already validated for that chain.
2790 list_for_each_entry(i, &set->bindings, list) {
2791 if (i->chain == binding->chain)
2798 iter.fn = nf_tables_bind_check_setelem;
2800 set->ops->walk(ctx, set, &iter);
2802 /* Destroy anonymous sets if binding fails */
2803 if (set->flags & NFT_SET_ANONYMOUS)
2804 nf_tables_set_destroy(ctx, set);
2810 binding->chain = ctx->chain;
2811 list_add_tail_rcu(&binding->list, &set->bindings);
2815 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2816 struct nft_set_binding *binding)
2818 list_del_rcu(&binding->list);
2820 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2821 !(set->flags & NFT_SET_INACTIVE))
2822 nf_tables_set_destroy(ctx, set);
2829 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2830 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2831 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2832 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2835 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2836 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2837 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2838 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2839 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
2842 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2843 const struct sk_buff *skb,
2844 const struct nlmsghdr *nlh,
2845 const struct nlattr * const nla[],
2848 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2849 struct nft_af_info *afi;
2850 struct nft_table *table;
2851 struct net *net = sock_net(skb->sk);
2853 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2855 return PTR_ERR(afi);
2857 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2859 return PTR_ERR(table);
2860 if (!trans && (table->flags & NFT_TABLE_INACTIVE))
2863 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2867 static int nf_tables_fill_setelem(struct sk_buff *skb,
2868 const struct nft_set *set,
2869 const struct nft_set_elem *elem)
2871 unsigned char *b = skb_tail_pointer(skb);
2872 struct nlattr *nest;
2874 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2876 goto nla_put_failure;
2878 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2880 goto nla_put_failure;
2882 if (set->flags & NFT_SET_MAP &&
2883 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2884 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2885 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2887 goto nla_put_failure;
2889 if (elem->flags != 0)
2890 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2891 goto nla_put_failure;
2893 nla_nest_end(skb, nest);
2901 struct nft_set_dump_args {
2902 const struct netlink_callback *cb;
2903 struct nft_set_iter iter;
2904 struct sk_buff *skb;
2907 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2908 const struct nft_set *set,
2909 const struct nft_set_iter *iter,
2910 const struct nft_set_elem *elem)
2912 struct nft_set_dump_args *args;
2914 args = container_of(iter, struct nft_set_dump_args, iter);
2915 return nf_tables_fill_setelem(args->skb, set, elem);
2918 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2920 const struct nft_set *set;
2921 struct nft_set_dump_args args;
2923 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2924 struct nfgenmsg *nfmsg;
2925 struct nlmsghdr *nlh;
2926 struct nlattr *nest;
2930 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2931 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2935 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
2940 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2942 return PTR_ERR(set);
2943 if (set->flags & NFT_SET_INACTIVE)
2946 event = NFT_MSG_NEWSETELEM;
2947 event |= NFNL_SUBSYS_NFTABLES << 8;
2948 portid = NETLINK_CB(cb->skb).portid;
2949 seq = cb->nlh->nlmsg_seq;
2951 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2954 goto nla_put_failure;
2956 nfmsg = nlmsg_data(nlh);
2957 nfmsg->nfgen_family = ctx.afi->family;
2958 nfmsg->version = NFNETLINK_V0;
2959 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
2961 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2962 goto nla_put_failure;
2963 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2964 goto nla_put_failure;
2966 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2968 goto nla_put_failure;
2972 args.iter.skip = cb->args[0];
2973 args.iter.count = 0;
2975 args.iter.fn = nf_tables_dump_setelem;
2976 set->ops->walk(&ctx, set, &args.iter);
2978 nla_nest_end(skb, nest);
2979 nlmsg_end(skb, nlh);
2981 if (args.iter.err && args.iter.err != -EMSGSIZE)
2982 return args.iter.err;
2983 if (args.iter.count == cb->args[0])
2986 cb->args[0] = args.iter.count;
2993 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2994 const struct nlmsghdr *nlh,
2995 const struct nlattr * const nla[])
2997 const struct nft_set *set;
3001 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
3005 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3007 return PTR_ERR(set);
3008 if (set->flags & NFT_SET_INACTIVE)
3011 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3012 struct netlink_dump_control c = {
3013 .dump = nf_tables_dump_set,
3015 return netlink_dump_start(nlsk, skb, nlh, &c);
3020 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3021 const struct nft_ctx *ctx, u32 seq,
3022 u32 portid, int event, u16 flags,
3023 const struct nft_set *set,
3024 const struct nft_set_elem *elem)
3026 struct nfgenmsg *nfmsg;
3027 struct nlmsghdr *nlh;
3028 struct nlattr *nest;
3031 event |= NFNL_SUBSYS_NFTABLES << 8;
3032 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3035 goto nla_put_failure;
3037 nfmsg = nlmsg_data(nlh);
3038 nfmsg->nfgen_family = ctx->afi->family;
3039 nfmsg->version = NFNETLINK_V0;
3040 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3042 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3043 goto nla_put_failure;
3044 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3045 goto nla_put_failure;
3047 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3049 goto nla_put_failure;
3051 err = nf_tables_fill_setelem(skb, set, elem);
3053 goto nla_put_failure;
3055 nla_nest_end(skb, nest);
3057 nlmsg_end(skb, nlh);
3061 nlmsg_trim(skb, nlh);
3065 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3066 const struct nft_set *set,
3067 const struct nft_set_elem *elem,
3068 int event, u16 flags)
3070 struct net *net = ctx->net;
3071 u32 portid = ctx->portid;
3072 struct sk_buff *skb;
3075 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3079 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3083 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3090 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3094 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3098 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3100 struct nft_set *set)
3102 struct nft_trans *trans;
3104 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3108 nft_trans_elem_set(trans) = set;
3112 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3113 const struct nlattr *attr)
3115 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3116 struct nft_data_desc d1, d2;
3117 struct nft_set_elem elem;
3118 struct nft_set_binding *binding;
3119 enum nft_registers dreg;
3120 struct nft_trans *trans;
3123 if (set->size && set->nelems == set->size)
3126 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3127 nft_set_elem_policy);
3131 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3135 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
3136 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
3137 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
3141 if (set->flags & NFT_SET_MAP) {
3142 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3143 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
3145 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3146 elem.flags & NFT_SET_ELEM_INTERVAL_END)
3149 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3153 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
3157 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3161 if (set->ops->get(set, &elem) == 0)
3164 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3165 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
3170 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3173 dreg = nft_type_to_reg(set->dtype);
3174 list_for_each_entry(binding, &set->bindings, list) {
3175 struct nft_ctx bind_ctx = {
3177 .table = ctx->table,
3178 .chain = (struct nft_chain *)binding->chain,
3181 err = nft_validate_data_load(&bind_ctx, dreg,
3182 &elem.data, d2.type);
3188 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3192 err = set->ops->insert(set, &elem);
3196 nft_trans_elem(trans) = elem;
3197 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3203 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3204 nft_data_uninit(&elem.data, d2.type);
3206 nft_data_uninit(&elem.key, d1.type);
3211 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
3212 const struct nlmsghdr *nlh,
3213 const struct nlattr * const nla[])
3215 struct net *net = sock_net(skb->sk);
3216 const struct nlattr *attr;
3217 struct nft_set *set;
3221 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3224 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
3228 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3230 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3231 set = nf_tables_set_lookup_byid(net,
3232 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3235 return PTR_ERR(set);
3238 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3241 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3242 err = nft_add_set_elem(&ctx, set, attr);
3251 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3252 const struct nlattr *attr)
3254 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3255 struct nft_data_desc desc;
3256 struct nft_set_elem elem;
3257 struct nft_trans *trans;
3260 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3261 nft_set_elem_policy);
3266 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3269 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
3274 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3277 err = set->ops->get(set, &elem);
3281 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3282 if (trans == NULL) {
3287 nft_trans_elem(trans) = elem;
3288 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3291 nft_data_uninit(&elem.key, desc.type);
3296 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3297 const struct nlmsghdr *nlh,
3298 const struct nlattr * const nla[])
3300 const struct nlattr *attr;
3301 struct nft_set *set;
3305 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3308 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
3312 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3314 return PTR_ERR(set);
3315 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3318 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3319 err = nft_del_setelem(&ctx, set, attr);
3328 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3329 u32 portid, u32 seq)
3331 struct nlmsghdr *nlh;
3332 struct nfgenmsg *nfmsg;
3333 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3335 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3337 goto nla_put_failure;
3339 nfmsg = nlmsg_data(nlh);
3340 nfmsg->nfgen_family = AF_UNSPEC;
3341 nfmsg->version = NFNETLINK_V0;
3342 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3344 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3345 goto nla_put_failure;
3347 nlmsg_end(skb, nlh);
3351 nlmsg_trim(skb, nlh);
3355 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3357 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3358 struct sk_buff *skb2;
3361 if (nlmsg_report(nlh) &&
3362 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3366 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3370 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3377 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3378 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3381 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3387 static int nf_tables_getgen(struct sock *nlsk, struct sk_buff *skb,
3388 const struct nlmsghdr *nlh,
3389 const struct nlattr * const nla[])
3391 struct net *net = sock_net(skb->sk);
3392 struct sk_buff *skb2;
3395 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3399 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3404 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3410 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3411 [NFT_MSG_NEWTABLE] = {
3412 .call_batch = nf_tables_newtable,
3413 .attr_count = NFTA_TABLE_MAX,
3414 .policy = nft_table_policy,
3416 [NFT_MSG_GETTABLE] = {
3417 .call = nf_tables_gettable,
3418 .attr_count = NFTA_TABLE_MAX,
3419 .policy = nft_table_policy,
3421 [NFT_MSG_DELTABLE] = {
3422 .call_batch = nf_tables_deltable,
3423 .attr_count = NFTA_TABLE_MAX,
3424 .policy = nft_table_policy,
3426 [NFT_MSG_NEWCHAIN] = {
3427 .call_batch = nf_tables_newchain,
3428 .attr_count = NFTA_CHAIN_MAX,
3429 .policy = nft_chain_policy,
3431 [NFT_MSG_GETCHAIN] = {
3432 .call = nf_tables_getchain,
3433 .attr_count = NFTA_CHAIN_MAX,
3434 .policy = nft_chain_policy,
3436 [NFT_MSG_DELCHAIN] = {
3437 .call_batch = nf_tables_delchain,
3438 .attr_count = NFTA_CHAIN_MAX,
3439 .policy = nft_chain_policy,
3441 [NFT_MSG_NEWRULE] = {
3442 .call_batch = nf_tables_newrule,
3443 .attr_count = NFTA_RULE_MAX,
3444 .policy = nft_rule_policy,
3446 [NFT_MSG_GETRULE] = {
3447 .call = nf_tables_getrule,
3448 .attr_count = NFTA_RULE_MAX,
3449 .policy = nft_rule_policy,
3451 [NFT_MSG_DELRULE] = {
3452 .call_batch = nf_tables_delrule,
3453 .attr_count = NFTA_RULE_MAX,
3454 .policy = nft_rule_policy,
3456 [NFT_MSG_NEWSET] = {
3457 .call_batch = nf_tables_newset,
3458 .attr_count = NFTA_SET_MAX,
3459 .policy = nft_set_policy,
3461 [NFT_MSG_GETSET] = {
3462 .call = nf_tables_getset,
3463 .attr_count = NFTA_SET_MAX,
3464 .policy = nft_set_policy,
3466 [NFT_MSG_DELSET] = {
3467 .call_batch = nf_tables_delset,
3468 .attr_count = NFTA_SET_MAX,
3469 .policy = nft_set_policy,
3471 [NFT_MSG_NEWSETELEM] = {
3472 .call_batch = nf_tables_newsetelem,
3473 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3474 .policy = nft_set_elem_list_policy,
3476 [NFT_MSG_GETSETELEM] = {
3477 .call = nf_tables_getsetelem,
3478 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3479 .policy = nft_set_elem_list_policy,
3481 [NFT_MSG_DELSETELEM] = {
3482 .call_batch = nf_tables_delsetelem,
3483 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3484 .policy = nft_set_elem_list_policy,
3486 [NFT_MSG_GETGEN] = {
3487 .call = nf_tables_getgen,
3491 static void nft_chain_commit_update(struct nft_trans *trans)
3493 struct nft_base_chain *basechain;
3495 if (nft_trans_chain_name(trans)[0])
3496 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3498 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3501 basechain = nft_base_chain(trans->ctx.chain);
3502 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3504 switch (nft_trans_chain_policy(trans)) {
3507 basechain->policy = nft_trans_chain_policy(trans);
3512 static void nf_tables_commit_release(struct nft_trans *trans)
3514 switch (trans->msg_type) {
3515 case NFT_MSG_DELTABLE:
3516 nf_tables_table_destroy(&trans->ctx);
3518 case NFT_MSG_DELCHAIN:
3519 nf_tables_chain_destroy(trans->ctx.chain);
3521 case NFT_MSG_DELRULE:
3522 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3524 case NFT_MSG_DELSET:
3525 nft_set_destroy(nft_trans_set(trans));
3531 static int nf_tables_commit(struct sk_buff *skb)
3533 struct net *net = sock_net(skb->sk);
3534 struct nft_trans *trans, *next;
3535 struct nft_trans_elem *te;
3537 /* Bump generation counter, invalidate any dump in progress */
3538 while (++net->nft.base_seq == 0);
3540 /* A new generation has just started */
3541 net->nft.gencursor = gencursor_next(net);
3543 /* Make sure all packets have left the previous generation before
3544 * purging old rules.
3548 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3549 switch (trans->msg_type) {
3550 case NFT_MSG_NEWTABLE:
3551 if (nft_trans_table_update(trans)) {
3552 if (!nft_trans_table_enable(trans)) {
3553 nf_tables_table_disable(trans->ctx.afi,
3555 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3558 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3560 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3561 nft_trans_destroy(trans);
3563 case NFT_MSG_DELTABLE:
3564 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3566 case NFT_MSG_NEWCHAIN:
3567 if (nft_trans_chain_update(trans))
3568 nft_chain_commit_update(trans);
3570 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3572 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3573 nft_trans_destroy(trans);
3575 case NFT_MSG_DELCHAIN:
3576 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3577 nf_tables_unregister_hooks(trans->ctx.table,
3579 trans->ctx.afi->nops);
3581 case NFT_MSG_NEWRULE:
3582 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3583 nf_tables_rule_notify(&trans->ctx,
3584 nft_trans_rule(trans),
3586 nft_trans_destroy(trans);
3588 case NFT_MSG_DELRULE:
3589 list_del_rcu(&nft_trans_rule(trans)->list);
3590 nf_tables_rule_notify(&trans->ctx,
3591 nft_trans_rule(trans),
3594 case NFT_MSG_NEWSET:
3595 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3596 /* This avoids hitting -EBUSY when deleting the table
3597 * from the transaction.
3599 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
3600 !list_empty(&nft_trans_set(trans)->bindings))
3601 trans->ctx.table->use--;
3603 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3604 NFT_MSG_NEWSET, GFP_KERNEL);
3605 nft_trans_destroy(trans);
3607 case NFT_MSG_DELSET:
3608 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3609 NFT_MSG_DELSET, GFP_KERNEL);
3611 case NFT_MSG_NEWSETELEM:
3612 nf_tables_setelem_notify(&trans->ctx,
3613 nft_trans_elem_set(trans),
3614 &nft_trans_elem(trans),
3615 NFT_MSG_NEWSETELEM, 0);
3616 nft_trans_destroy(trans);
3618 case NFT_MSG_DELSETELEM:
3619 te = (struct nft_trans_elem *)trans->data;
3620 nf_tables_setelem_notify(&trans->ctx, te->set,
3622 NFT_MSG_DELSETELEM, 0);
3623 te->set->ops->get(te->set, &te->elem);
3624 nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
3625 if (te->set->flags & NFT_SET_MAP &&
3626 !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
3627 nft_data_uninit(&te->elem.data, te->set->dtype);
3628 te->set->ops->remove(te->set, &te->elem);
3629 nft_trans_destroy(trans);
3636 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3637 list_del(&trans->list);
3638 nf_tables_commit_release(trans);
3641 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
3646 static void nf_tables_abort_release(struct nft_trans *trans)
3648 switch (trans->msg_type) {
3649 case NFT_MSG_NEWTABLE:
3650 nf_tables_table_destroy(&trans->ctx);
3652 case NFT_MSG_NEWCHAIN:
3653 nf_tables_chain_destroy(trans->ctx.chain);
3655 case NFT_MSG_NEWRULE:
3656 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3658 case NFT_MSG_NEWSET:
3659 nft_set_destroy(nft_trans_set(trans));
3665 static int nf_tables_abort(struct sk_buff *skb)
3667 struct net *net = sock_net(skb->sk);
3668 struct nft_trans *trans, *next;
3669 struct nft_trans_elem *te;
3671 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3672 switch (trans->msg_type) {
3673 case NFT_MSG_NEWTABLE:
3674 if (nft_trans_table_update(trans)) {
3675 if (nft_trans_table_enable(trans)) {
3676 nf_tables_table_disable(trans->ctx.afi,
3678 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3680 nft_trans_destroy(trans);
3682 list_del_rcu(&trans->ctx.table->list);
3685 case NFT_MSG_DELTABLE:
3686 list_add_tail_rcu(&trans->ctx.table->list,
3687 &trans->ctx.afi->tables);
3688 nft_trans_destroy(trans);
3690 case NFT_MSG_NEWCHAIN:
3691 if (nft_trans_chain_update(trans)) {
3692 free_percpu(nft_trans_chain_stats(trans));
3694 nft_trans_destroy(trans);
3696 trans->ctx.table->use--;
3697 list_del_rcu(&trans->ctx.chain->list);
3698 nf_tables_unregister_hooks(trans->ctx.table,
3700 trans->ctx.afi->nops);
3703 case NFT_MSG_DELCHAIN:
3704 trans->ctx.table->use++;
3705 list_add_tail_rcu(&trans->ctx.chain->list,
3706 &trans->ctx.table->chains);
3707 nft_trans_destroy(trans);
3709 case NFT_MSG_NEWRULE:
3710 trans->ctx.chain->use--;
3711 list_del_rcu(&nft_trans_rule(trans)->list);
3713 case NFT_MSG_DELRULE:
3714 trans->ctx.chain->use++;
3715 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3716 nft_trans_destroy(trans);
3718 case NFT_MSG_NEWSET:
3719 trans->ctx.table->use--;
3720 list_del_rcu(&nft_trans_set(trans)->list);
3722 case NFT_MSG_DELSET:
3723 trans->ctx.table->use++;
3724 list_add_tail_rcu(&nft_trans_set(trans)->list,
3725 &trans->ctx.table->sets);
3726 nft_trans_destroy(trans);
3728 case NFT_MSG_NEWSETELEM:
3729 nft_trans_elem_set(trans)->nelems--;
3730 te = (struct nft_trans_elem *)trans->data;
3731 te->set->ops->get(te->set, &te->elem);
3732 nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
3733 if (te->set->flags & NFT_SET_MAP &&
3734 !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
3735 nft_data_uninit(&te->elem.data, te->set->dtype);
3736 te->set->ops->remove(te->set, &te->elem);
3737 nft_trans_destroy(trans);
3739 case NFT_MSG_DELSETELEM:
3740 nft_trans_elem_set(trans)->nelems++;
3741 nft_trans_destroy(trans);
3748 list_for_each_entry_safe_reverse(trans, next,
3749 &net->nft.commit_list, list) {
3750 list_del(&trans->list);
3751 nf_tables_abort_release(trans);
3757 static const struct nfnetlink_subsystem nf_tables_subsys = {
3758 .name = "nf_tables",
3759 .subsys_id = NFNL_SUBSYS_NFTABLES,
3760 .cb_count = NFT_MSG_MAX,
3762 .commit = nf_tables_commit,
3763 .abort = nf_tables_abort,
3766 int nft_chain_validate_dependency(const struct nft_chain *chain,
3767 enum nft_chain_type type)
3769 const struct nft_base_chain *basechain;
3771 if (chain->flags & NFT_BASE_CHAIN) {
3772 basechain = nft_base_chain(chain);
3773 if (basechain->type->type != type)
3778 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
3780 int nft_chain_validate_hooks(const struct nft_chain *chain,
3781 unsigned int hook_flags)
3783 struct nft_base_chain *basechain;
3785 if (chain->flags & NFT_BASE_CHAIN) {
3786 basechain = nft_base_chain(chain);
3788 if ((1 << basechain->ops[0].hooknum) & hook_flags)
3796 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
3799 * Loop detection - walk through the ruleset beginning at the destination chain
3800 * of a new jump until either the source chain is reached (loop) or all
3801 * reachable chains have been traversed.
3803 * The loop check is performed whenever a new jump verdict is added to an
3804 * expression or verdict map or a verdict map is bound to a new chain.
3807 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3808 const struct nft_chain *chain);
3810 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3811 const struct nft_set *set,
3812 const struct nft_set_iter *iter,
3813 const struct nft_set_elem *elem)
3815 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3818 switch (elem->data.verdict) {
3821 return nf_tables_check_loops(ctx, elem->data.chain);
3827 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3828 const struct nft_chain *chain)
3830 const struct nft_rule *rule;
3831 const struct nft_expr *expr, *last;
3832 const struct nft_set *set;
3833 struct nft_set_binding *binding;
3834 struct nft_set_iter iter;
3836 if (ctx->chain == chain)
3839 list_for_each_entry(rule, &chain->rules, list) {
3840 nft_rule_for_each_expr(expr, last, rule) {
3841 const struct nft_data *data = NULL;
3844 if (!expr->ops->validate)
3847 err = expr->ops->validate(ctx, expr, &data);
3854 switch (data->verdict) {
3857 err = nf_tables_check_loops(ctx, data->chain);
3866 list_for_each_entry(set, &ctx->table->sets, list) {
3867 if (!(set->flags & NFT_SET_MAP) ||
3868 set->dtype != NFT_DATA_VERDICT)
3871 list_for_each_entry(binding, &set->bindings, list) {
3872 if (binding->chain != chain)
3878 iter.fn = nf_tables_loop_check_setelem;
3880 set->ops->walk(ctx, set, &iter);
3890 * nft_validate_input_register - validate an expressions' input register
3892 * @reg: the register number
3894 * Validate that the input register is one of the general purpose
3897 int nft_validate_input_register(enum nft_registers reg)
3899 if (reg <= NFT_REG_VERDICT)
3901 if (reg > NFT_REG_MAX)
3905 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3908 * nft_validate_output_register - validate an expressions' output register
3910 * @reg: the register number
3912 * Validate that the output register is one of the general purpose
3913 * registers or the verdict register.
3915 int nft_validate_output_register(enum nft_registers reg)
3917 if (reg < NFT_REG_VERDICT)
3919 if (reg > NFT_REG_MAX)
3923 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3926 * nft_validate_data_load - validate an expressions' data load
3928 * @ctx: context of the expression performing the load
3929 * @reg: the destination register number
3930 * @data: the data to load
3931 * @type: the data type
3933 * Validate that a data load uses the appropriate data type for
3934 * the destination register. A value of NULL for the data means
3935 * that its runtime gathered data, which is always of type
3938 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3939 const struct nft_data *data,
3940 enum nft_data_types type)
3945 case NFT_REG_VERDICT:
3946 if (data == NULL || type != NFT_DATA_VERDICT)
3949 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3950 err = nf_tables_check_loops(ctx, data->chain);
3954 if (ctx->chain->level + 1 > data->chain->level) {
3955 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3957 data->chain->level = ctx->chain->level + 1;
3963 if (data != NULL && type != NFT_DATA_VALUE)
3968 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3970 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3971 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3972 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3973 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3976 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3977 struct nft_data_desc *desc, const struct nlattr *nla)
3979 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3980 struct nft_chain *chain;
3983 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3987 if (!tb[NFTA_VERDICT_CODE])
3989 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3991 switch (data->verdict) {
3993 switch (data->verdict & NF_VERDICT_MASK) {
4005 desc->len = sizeof(data->verdict);
4009 if (!tb[NFTA_VERDICT_CHAIN])
4011 chain = nf_tables_chain_lookup(ctx->table,
4012 tb[NFTA_VERDICT_CHAIN]);
4014 return PTR_ERR(chain);
4015 if (chain->flags & NFT_BASE_CHAIN)
4019 data->chain = chain;
4020 desc->len = sizeof(data);
4024 desc->type = NFT_DATA_VERDICT;
4028 static void nft_verdict_uninit(const struct nft_data *data)
4030 switch (data->verdict) {
4038 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
4040 struct nlattr *nest;
4042 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
4044 goto nla_put_failure;
4046 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
4047 goto nla_put_failure;
4049 switch (data->verdict) {
4052 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
4053 goto nla_put_failure;
4055 nla_nest_end(skb, nest);
4062 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
4063 struct nft_data_desc *desc, const struct nlattr *nla)
4070 if (len > sizeof(data->data))
4073 nla_memcpy(data->data, nla, sizeof(data->data));
4074 desc->type = NFT_DATA_VALUE;
4079 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4082 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4085 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4086 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
4087 .len = FIELD_SIZEOF(struct nft_data, data) },
4088 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4092 * nft_data_init - parse nf_tables data netlink attributes
4094 * @ctx: context of the expression using the data
4095 * @data: destination struct nft_data
4096 * @desc: data description
4097 * @nla: netlink attribute containing data
4099 * Parse the netlink data attributes and initialize a struct nft_data.
4100 * The type and length of data are returned in the data description.
4102 * The caller can indicate that it only wants to accept data of type
4103 * NFT_DATA_VALUE by passing NULL for the ctx argument.
4105 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
4106 struct nft_data_desc *desc, const struct nlattr *nla)
4108 struct nlattr *tb[NFTA_DATA_MAX + 1];
4111 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4115 if (tb[NFTA_DATA_VALUE])
4116 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
4117 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4118 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4121 EXPORT_SYMBOL_GPL(nft_data_init);
4124 * nft_data_uninit - release a nft_data item
4126 * @data: struct nft_data to release
4127 * @type: type of data
4129 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4130 * all others need to be released by calling this function.
4132 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4135 case NFT_DATA_VALUE:
4137 case NFT_DATA_VERDICT:
4138 return nft_verdict_uninit(data);
4143 EXPORT_SYMBOL_GPL(nft_data_uninit);
4145 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4146 enum nft_data_types type, unsigned int len)
4148 struct nlattr *nest;
4151 nest = nla_nest_start(skb, attr);
4156 case NFT_DATA_VALUE:
4157 err = nft_value_dump(skb, data, len);
4159 case NFT_DATA_VERDICT:
4160 err = nft_verdict_dump(skb, data);
4167 nla_nest_end(skb, nest);
4170 EXPORT_SYMBOL_GPL(nft_data_dump);
4172 static int nf_tables_init_net(struct net *net)
4174 INIT_LIST_HEAD(&net->nft.af_info);
4175 INIT_LIST_HEAD(&net->nft.commit_list);
4176 net->nft.base_seq = 1;
4180 static struct pernet_operations nf_tables_net_ops = {
4181 .init = nf_tables_init_net,
4184 static int __init nf_tables_module_init(void)
4188 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4195 err = nf_tables_core_module_init();
4199 err = nfnetlink_subsys_register(&nf_tables_subsys);
4203 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4204 return register_pernet_subsys(&nf_tables_net_ops);
4206 nf_tables_core_module_exit();
4213 static void __exit nf_tables_module_exit(void)
4215 unregister_pernet_subsys(&nf_tables_net_ops);
4216 nfnetlink_subsys_unregister(&nf_tables_subsys);
4218 nf_tables_core_module_exit();
4222 module_init(nf_tables_module_init);
4223 module_exit(nf_tables_module_exit);
4225 MODULE_LICENSE("GPL");
4226 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4227 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / cascardo / linux.git / blob