2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
95 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
96 const struct nlattr *nla)
98 struct nft_table *table;
100 list_for_each_entry(table, &afi->tables, list) {
101 if (!nla_strcmp(nla, table->name))
107 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
108 const struct nlattr *nla)
110 struct nft_table *table;
113 return ERR_PTR(-EINVAL);
115 table = nft_table_lookup(afi, nla);
119 return ERR_PTR(-ENOENT);
122 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
124 return ++table->hgenerator;
127 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
129 static const struct nf_chain_type *
130 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
134 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
135 if (chain_type[family][i] != NULL &&
136 !nla_strcmp(nla, chain_type[family][i]->name))
137 return chain_type[family][i];
142 static const struct nf_chain_type *
143 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
144 const struct nlattr *nla,
147 const struct nf_chain_type *type;
149 type = __nf_tables_chain_type_lookup(afi->family, nla);
152 #ifdef CONFIG_MODULES
154 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
155 request_module("nft-chain-%u-%.*s", afi->family,
156 nla_len(nla), (const char *)nla_data(nla));
157 nfnl_lock(NFNL_SUBSYS_NFTABLES);
158 type = __nf_tables_chain_type_lookup(afi->family, nla);
160 return ERR_PTR(-EAGAIN);
163 return ERR_PTR(-ENOENT);
166 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
167 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
168 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
171 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
172 int event, u32 flags, int family,
173 const struct nft_table *table)
175 struct nlmsghdr *nlh;
176 struct nfgenmsg *nfmsg;
178 event |= NFNL_SUBSYS_NFTABLES << 8;
179 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
181 goto nla_put_failure;
183 nfmsg = nlmsg_data(nlh);
184 nfmsg->nfgen_family = family;
185 nfmsg->version = NFNETLINK_V0;
188 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
189 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
190 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
191 goto nla_put_failure;
193 return nlmsg_end(skb, nlh);
196 nlmsg_trim(skb, nlh);
200 static int nf_tables_table_notify(const struct sk_buff *oskb,
201 const struct nlmsghdr *nlh,
202 const struct nft_table *table,
203 int event, int family)
206 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
207 u32 seq = nlh ? nlh->nlmsg_seq : 0;
208 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
212 report = nlh ? nlmsg_report(nlh) : false;
213 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
217 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
221 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
228 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
232 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
236 static int nf_tables_dump_tables(struct sk_buff *skb,
237 struct netlink_callback *cb)
239 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
240 const struct nft_af_info *afi;
241 const struct nft_table *table;
242 unsigned int idx = 0, s_idx = cb->args[0];
243 struct net *net = sock_net(skb->sk);
244 int family = nfmsg->nfgen_family;
246 list_for_each_entry(afi, &net->nft.af_info, list) {
247 if (family != NFPROTO_UNSPEC && family != afi->family)
250 list_for_each_entry(table, &afi->tables, list) {
254 memset(&cb->args[1], 0,
255 sizeof(cb->args) - sizeof(cb->args[0]));
256 if (nf_tables_fill_table_info(skb,
257 NETLINK_CB(cb->skb).portid,
261 afi->family, table) < 0)
272 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
273 const struct nlmsghdr *nlh,
274 const struct nlattr * const nla[])
276 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
277 const struct nft_af_info *afi;
278 const struct nft_table *table;
279 struct sk_buff *skb2;
280 struct net *net = sock_net(skb->sk);
281 int family = nfmsg->nfgen_family;
284 if (nlh->nlmsg_flags & NLM_F_DUMP) {
285 struct netlink_dump_control c = {
286 .dump = nf_tables_dump_tables,
288 return netlink_dump_start(nlsk, skb, nlh, &c);
291 afi = nf_tables_afinfo_lookup(net, family, false);
295 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
297 return PTR_ERR(table);
299 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
303 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
304 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
309 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
316 static int nf_tables_table_enable(const struct nft_af_info *afi,
317 struct nft_table *table)
319 struct nft_chain *chain;
322 list_for_each_entry(chain, &table->chains, list) {
323 if (!(chain->flags & NFT_BASE_CHAIN))
326 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
334 list_for_each_entry(chain, &table->chains, list) {
335 if (!(chain->flags & NFT_BASE_CHAIN))
341 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
346 static int nf_tables_table_disable(const struct nft_af_info *afi,
347 struct nft_table *table)
349 struct nft_chain *chain;
351 list_for_each_entry(chain, &table->chains, list) {
352 if (chain->flags & NFT_BASE_CHAIN)
353 nf_unregister_hooks(nft_base_chain(chain)->ops,
360 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
361 const struct nlmsghdr *nlh,
362 const struct nlattr * const nla[],
363 struct nft_af_info *afi, struct nft_table *table)
365 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
366 int family = nfmsg->nfgen_family, ret = 0;
368 if (nla[NFTA_TABLE_FLAGS]) {
371 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
372 if (flags & ~NFT_TABLE_F_DORMANT)
375 if ((flags & NFT_TABLE_F_DORMANT) &&
376 !(table->flags & NFT_TABLE_F_DORMANT)) {
377 ret = nf_tables_table_disable(afi, table);
379 table->flags |= NFT_TABLE_F_DORMANT;
380 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
381 table->flags & NFT_TABLE_F_DORMANT) {
382 ret = nf_tables_table_enable(afi, table);
384 table->flags &= ~NFT_TABLE_F_DORMANT;
390 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
395 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
396 const struct nlmsghdr *nlh,
397 const struct nlattr * const nla[])
399 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
400 const struct nlattr *name;
401 struct nft_af_info *afi;
402 struct nft_table *table;
403 struct net *net = sock_net(skb->sk);
404 int family = nfmsg->nfgen_family;
407 afi = nf_tables_afinfo_lookup(net, family, true);
411 name = nla[NFTA_TABLE_NAME];
412 table = nf_tables_table_lookup(afi, name);
414 if (PTR_ERR(table) != -ENOENT)
415 return PTR_ERR(table);
420 if (nlh->nlmsg_flags & NLM_F_EXCL)
422 if (nlh->nlmsg_flags & NLM_F_REPLACE)
424 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
427 if (nla[NFTA_TABLE_FLAGS]) {
428 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
429 if (flags & ~NFT_TABLE_F_DORMANT)
433 if (!try_module_get(afi->owner))
434 return -EAFNOSUPPORT;
436 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
438 module_put(afi->owner);
442 nla_strlcpy(table->name, name, nla_len(name));
443 INIT_LIST_HEAD(&table->chains);
444 INIT_LIST_HEAD(&table->sets);
445 table->flags = flags;
447 list_add_tail(&table->list, &afi->tables);
448 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
452 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
453 const struct nlmsghdr *nlh,
454 const struct nlattr * const nla[])
456 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
457 struct nft_af_info *afi;
458 struct nft_table *table;
459 struct net *net = sock_net(skb->sk);
460 int family = nfmsg->nfgen_family;
462 afi = nf_tables_afinfo_lookup(net, family, false);
466 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
468 return PTR_ERR(table);
470 if (!list_empty(&table->chains) || !list_empty(&table->sets))
473 list_del(&table->list);
474 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
476 module_put(afi->owner);
480 int nft_register_chain_type(const struct nf_chain_type *ctype)
484 nfnl_lock(NFNL_SUBSYS_NFTABLES);
485 if (chain_type[ctype->family][ctype->type] != NULL) {
489 chain_type[ctype->family][ctype->type] = ctype;
491 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
494 EXPORT_SYMBOL_GPL(nft_register_chain_type);
496 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
498 nfnl_lock(NFNL_SUBSYS_NFTABLES);
499 chain_type[ctype->family][ctype->type] = NULL;
500 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
502 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
508 static struct nft_chain *
509 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
511 struct nft_chain *chain;
513 list_for_each_entry(chain, &table->chains, list) {
514 if (chain->handle == handle)
518 return ERR_PTR(-ENOENT);
521 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
522 const struct nlattr *nla)
524 struct nft_chain *chain;
527 return ERR_PTR(-EINVAL);
529 list_for_each_entry(chain, &table->chains, list) {
530 if (!nla_strcmp(nla, chain->name))
534 return ERR_PTR(-ENOENT);
537 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
538 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
539 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
540 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
541 .len = NFT_CHAIN_MAXNAMELEN - 1 },
542 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
543 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
544 [NFTA_CHAIN_TYPE] = { .type = NLA_NUL_STRING },
545 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
548 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
549 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
550 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
553 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
555 struct nft_stats *cpu_stats, total;
559 memset(&total, 0, sizeof(total));
560 for_each_possible_cpu(cpu) {
561 cpu_stats = per_cpu_ptr(stats, cpu);
562 total.pkts += cpu_stats->pkts;
563 total.bytes += cpu_stats->bytes;
565 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
567 goto nla_put_failure;
569 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
570 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
571 goto nla_put_failure;
573 nla_nest_end(skb, nest);
580 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
581 int event, u32 flags, int family,
582 const struct nft_table *table,
583 const struct nft_chain *chain)
585 struct nlmsghdr *nlh;
586 struct nfgenmsg *nfmsg;
588 event |= NFNL_SUBSYS_NFTABLES << 8;
589 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
591 goto nla_put_failure;
593 nfmsg = nlmsg_data(nlh);
594 nfmsg->nfgen_family = family;
595 nfmsg->version = NFNETLINK_V0;
598 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
599 goto nla_put_failure;
600 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
601 goto nla_put_failure;
602 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
603 goto nla_put_failure;
605 if (chain->flags & NFT_BASE_CHAIN) {
606 const struct nft_base_chain *basechain = nft_base_chain(chain);
607 const struct nf_hook_ops *ops = &basechain->ops[0];
610 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
612 goto nla_put_failure;
613 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
614 goto nla_put_failure;
615 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
616 goto nla_put_failure;
617 nla_nest_end(skb, nest);
619 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
620 htonl(basechain->policy)))
621 goto nla_put_failure;
623 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
624 goto nla_put_failure;
626 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
627 goto nla_put_failure;
630 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
631 goto nla_put_failure;
633 return nlmsg_end(skb, nlh);
636 nlmsg_trim(skb, nlh);
640 static int nf_tables_chain_notify(const struct sk_buff *oskb,
641 const struct nlmsghdr *nlh,
642 const struct nft_table *table,
643 const struct nft_chain *chain,
644 int event, int family)
647 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
648 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
649 u32 seq = nlh ? nlh->nlmsg_seq : 0;
653 report = nlh ? nlmsg_report(nlh) : false;
654 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
658 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
662 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
669 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
673 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
677 static int nf_tables_dump_chains(struct sk_buff *skb,
678 struct netlink_callback *cb)
680 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
681 const struct nft_af_info *afi;
682 const struct nft_table *table;
683 const struct nft_chain *chain;
684 unsigned int idx = 0, s_idx = cb->args[0];
685 struct net *net = sock_net(skb->sk);
686 int family = nfmsg->nfgen_family;
688 list_for_each_entry(afi, &net->nft.af_info, list) {
689 if (family != NFPROTO_UNSPEC && family != afi->family)
692 list_for_each_entry(table, &afi->tables, list) {
693 list_for_each_entry(chain, &table->chains, list) {
697 memset(&cb->args[1], 0,
698 sizeof(cb->args) - sizeof(cb->args[0]));
699 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
703 afi->family, table, chain) < 0)
716 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
717 const struct nlmsghdr *nlh,
718 const struct nlattr * const nla[])
720 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
721 const struct nft_af_info *afi;
722 const struct nft_table *table;
723 const struct nft_chain *chain;
724 struct sk_buff *skb2;
725 struct net *net = sock_net(skb->sk);
726 int family = nfmsg->nfgen_family;
729 if (nlh->nlmsg_flags & NLM_F_DUMP) {
730 struct netlink_dump_control c = {
731 .dump = nf_tables_dump_chains,
733 return netlink_dump_start(nlsk, skb, nlh, &c);
736 afi = nf_tables_afinfo_lookup(net, family, false);
740 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
742 return PTR_ERR(table);
744 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
746 return PTR_ERR(chain);
748 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
752 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
753 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
754 family, table, chain);
758 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
765 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
766 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
767 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
771 nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
773 struct nlattr *tb[NFTA_COUNTER_MAX+1];
774 struct nft_stats __percpu *newstats;
775 struct nft_stats *stats;
778 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
782 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
785 newstats = alloc_percpu(struct nft_stats);
786 if (newstats == NULL)
789 /* Restore old counters on this cpu, no problem. Per-cpu statistics
790 * are not exposed to userspace.
792 stats = this_cpu_ptr(newstats);
793 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
794 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
797 struct nft_stats __percpu *oldstats =
798 nft_dereference(chain->stats);
800 rcu_assign_pointer(chain->stats, newstats);
802 free_percpu(oldstats);
804 rcu_assign_pointer(chain->stats, newstats);
809 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
810 const struct nlmsghdr *nlh,
811 const struct nlattr * const nla[])
813 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
814 const struct nlattr * uninitialized_var(name);
815 const struct nft_af_info *afi;
816 struct nft_table *table;
817 struct nft_chain *chain;
818 struct nft_base_chain *basechain = NULL;
819 struct nlattr *ha[NFTA_HOOK_MAX + 1];
820 struct net *net = sock_net(skb->sk);
821 int family = nfmsg->nfgen_family;
822 u8 policy = NF_ACCEPT;
828 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
830 afi = nf_tables_afinfo_lookup(net, family, true);
834 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
836 return PTR_ERR(table);
839 name = nla[NFTA_CHAIN_NAME];
841 if (nla[NFTA_CHAIN_HANDLE]) {
842 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
843 chain = nf_tables_chain_lookup_byhandle(table, handle);
845 return PTR_ERR(chain);
847 chain = nf_tables_chain_lookup(table, name);
849 if (PTR_ERR(chain) != -ENOENT)
850 return PTR_ERR(chain);
855 if (nla[NFTA_CHAIN_POLICY]) {
856 if ((chain != NULL &&
857 !(chain->flags & NFT_BASE_CHAIN)) ||
858 nla[NFTA_CHAIN_HOOK] == NULL)
861 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
872 if (nlh->nlmsg_flags & NLM_F_EXCL)
874 if (nlh->nlmsg_flags & NLM_F_REPLACE)
877 if (nla[NFTA_CHAIN_HANDLE] && name &&
878 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
881 if (nla[NFTA_CHAIN_COUNTERS]) {
882 if (!(chain->flags & NFT_BASE_CHAIN))
885 err = nf_tables_counters(nft_base_chain(chain),
886 nla[NFTA_CHAIN_COUNTERS]);
891 if (nla[NFTA_CHAIN_POLICY])
892 nft_base_chain(chain)->policy = policy;
894 if (nla[NFTA_CHAIN_HANDLE] && name)
895 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
900 if (table->use == UINT_MAX)
903 if (nla[NFTA_CHAIN_HOOK]) {
904 const struct nf_chain_type *type;
905 struct nf_hook_ops *ops;
907 u32 hooknum, priority;
909 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
910 if (nla[NFTA_CHAIN_TYPE]) {
911 type = nf_tables_chain_type_lookup(afi,
912 nla[NFTA_CHAIN_TYPE],
915 return PTR_ERR(type);
918 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
922 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
923 ha[NFTA_HOOK_PRIORITY] == NULL)
926 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
927 if (hooknum >= afi->nhooks)
929 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
931 if (!(type->hook_mask & (1 << hooknum)))
933 if (!try_module_get(type->owner))
935 hookfn = type->hooks[hooknum];
937 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
938 if (basechain == NULL)
941 if (nla[NFTA_CHAIN_COUNTERS]) {
942 err = nf_tables_counters(basechain,
943 nla[NFTA_CHAIN_COUNTERS]);
945 module_put(type->owner);
950 struct nft_stats __percpu *newstats;
952 newstats = alloc_percpu(struct nft_stats);
953 if (newstats == NULL) {
954 module_put(type->owner);
958 rcu_assign_pointer(basechain->stats, newstats);
961 basechain->type = type;
962 chain = &basechain->chain;
964 for (i = 0; i < afi->nops; i++) {
965 ops = &basechain->ops[i];
967 ops->owner = afi->owner;
968 ops->hooknum = hooknum;
969 ops->priority = priority;
971 ops->hook = afi->hooks[ops->hooknum];
974 if (afi->hook_ops_init)
975 afi->hook_ops_init(ops, i);
978 chain->flags |= NFT_BASE_CHAIN;
979 basechain->policy = policy;
981 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
986 INIT_LIST_HEAD(&chain->rules);
987 chain->handle = nf_tables_alloc_handle(table);
989 chain->table = table;
990 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
992 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
993 chain->flags & NFT_BASE_CHAIN) {
994 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
996 module_put(basechain->type->owner);
997 free_percpu(basechain->stats);
1002 list_add_tail(&chain->list, &table->chains);
1005 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
1010 static void nf_tables_chain_destroy(struct nft_chain *chain)
1012 BUG_ON(chain->use > 0);
1014 if (chain->flags & NFT_BASE_CHAIN) {
1015 module_put(nft_base_chain(chain)->type->owner);
1016 free_percpu(nft_base_chain(chain)->stats);
1017 kfree(nft_base_chain(chain));
1022 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1023 const struct nlmsghdr *nlh,
1024 const struct nlattr * const nla[])
1026 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1027 const struct nft_af_info *afi;
1028 struct nft_table *table;
1029 struct nft_chain *chain;
1030 struct net *net = sock_net(skb->sk);
1031 int family = nfmsg->nfgen_family;
1033 afi = nf_tables_afinfo_lookup(net, family, false);
1035 return PTR_ERR(afi);
1037 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1039 return PTR_ERR(table);
1041 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1043 return PTR_ERR(chain);
1045 if (!list_empty(&chain->rules) || chain->use > 0)
1048 list_del(&chain->list);
1051 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1052 chain->flags & NFT_BASE_CHAIN)
1053 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
1055 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1058 /* Make sure all rule references are gone before this is released */
1061 nf_tables_chain_destroy(chain);
1065 static void nft_ctx_init(struct nft_ctx *ctx,
1066 const struct sk_buff *skb,
1067 const struct nlmsghdr *nlh,
1068 const struct nft_af_info *afi,
1069 const struct nft_table *table,
1070 const struct nft_chain *chain,
1071 const struct nlattr * const *nla)
1073 ctx->net = sock_net(skb->sk);
1087 * nft_register_expr - register nf_tables expr type
1090 * Registers the expr type for use with nf_tables. Returns zero on
1091 * success or a negative errno code otherwise.
1093 int nft_register_expr(struct nft_expr_type *type)
1095 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1096 list_add_tail(&type->list, &nf_tables_expressions);
1097 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1100 EXPORT_SYMBOL_GPL(nft_register_expr);
1103 * nft_unregister_expr - unregister nf_tables expr type
1106 * Unregisters the expr typefor use with nf_tables.
1108 void nft_unregister_expr(struct nft_expr_type *type)
1110 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1111 list_del(&type->list);
1112 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1114 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1116 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1119 const struct nft_expr_type *type;
1121 list_for_each_entry(type, &nf_tables_expressions, list) {
1122 if (!nla_strcmp(nla, type->name) &&
1123 (!type->family || type->family == family))
1129 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1132 const struct nft_expr_type *type;
1135 return ERR_PTR(-EINVAL);
1137 type = __nft_expr_type_get(family, nla);
1138 if (type != NULL && try_module_get(type->owner))
1141 #ifdef CONFIG_MODULES
1143 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1144 request_module("nft-expr-%u-%.*s", family,
1145 nla_len(nla), (char *)nla_data(nla));
1146 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1147 if (__nft_expr_type_get(family, nla))
1148 return ERR_PTR(-EAGAIN);
1150 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1151 request_module("nft-expr-%.*s",
1152 nla_len(nla), (char *)nla_data(nla));
1153 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1154 if (__nft_expr_type_get(family, nla))
1155 return ERR_PTR(-EAGAIN);
1158 return ERR_PTR(-ENOENT);
1161 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1162 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1163 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1166 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1167 const struct nft_expr *expr)
1169 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1170 goto nla_put_failure;
1172 if (expr->ops->dump) {
1173 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1175 goto nla_put_failure;
1176 if (expr->ops->dump(skb, expr) < 0)
1177 goto nla_put_failure;
1178 nla_nest_end(skb, data);
1187 struct nft_expr_info {
1188 const struct nft_expr_ops *ops;
1189 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1192 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1193 const struct nlattr *nla,
1194 struct nft_expr_info *info)
1196 const struct nft_expr_type *type;
1197 const struct nft_expr_ops *ops;
1198 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1201 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1205 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1207 return PTR_ERR(type);
1209 if (tb[NFTA_EXPR_DATA]) {
1210 err = nla_parse_nested(info->tb, type->maxattr,
1211 tb[NFTA_EXPR_DATA], type->policy);
1215 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1217 if (type->select_ops != NULL) {
1218 ops = type->select_ops(ctx,
1219 (const struct nlattr * const *)info->tb);
1231 module_put(type->owner);
1235 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1236 const struct nft_expr_info *info,
1237 struct nft_expr *expr)
1239 const struct nft_expr_ops *ops = info->ops;
1244 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1256 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1257 struct nft_expr *expr)
1259 if (expr->ops->destroy)
1260 expr->ops->destroy(ctx, expr);
1261 module_put(expr->ops->type->owner);
1268 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1271 struct nft_rule *rule;
1273 // FIXME: this sucks
1274 list_for_each_entry(rule, &chain->rules, list) {
1275 if (handle == rule->handle)
1279 return ERR_PTR(-ENOENT);
1282 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1283 const struct nlattr *nla)
1286 return ERR_PTR(-EINVAL);
1288 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1291 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1292 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1293 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1294 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1295 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1296 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1297 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1298 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1299 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1300 .len = NFT_USERDATA_MAXLEN },
1303 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1304 int event, u32 flags, int family,
1305 const struct nft_table *table,
1306 const struct nft_chain *chain,
1307 const struct nft_rule *rule)
1309 struct nlmsghdr *nlh;
1310 struct nfgenmsg *nfmsg;
1311 const struct nft_expr *expr, *next;
1312 struct nlattr *list;
1313 const struct nft_rule *prule;
1314 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1316 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1319 goto nla_put_failure;
1321 nfmsg = nlmsg_data(nlh);
1322 nfmsg->nfgen_family = family;
1323 nfmsg->version = NFNETLINK_V0;
1326 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1327 goto nla_put_failure;
1328 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1329 goto nla_put_failure;
1330 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1331 goto nla_put_failure;
1333 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1334 prule = list_entry(rule->list.prev, struct nft_rule, list);
1335 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1336 cpu_to_be64(prule->handle)))
1337 goto nla_put_failure;
1340 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1342 goto nla_put_failure;
1343 nft_rule_for_each_expr(expr, next, rule) {
1344 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1346 goto nla_put_failure;
1347 if (nf_tables_fill_expr_info(skb, expr) < 0)
1348 goto nla_put_failure;
1349 nla_nest_end(skb, elem);
1351 nla_nest_end(skb, list);
1354 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1355 goto nla_put_failure;
1357 return nlmsg_end(skb, nlh);
1360 nlmsg_trim(skb, nlh);
1364 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1365 const struct nlmsghdr *nlh,
1366 const struct nft_table *table,
1367 const struct nft_chain *chain,
1368 const struct nft_rule *rule,
1369 int event, u32 flags, int family)
1371 struct sk_buff *skb;
1372 u32 portid = NETLINK_CB(oskb).portid;
1373 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1374 u32 seq = nlh->nlmsg_seq;
1378 report = nlmsg_report(nlh);
1379 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1383 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1387 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1388 family, table, chain, rule);
1394 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1398 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1403 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1405 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1408 static inline int gencursor_next(struct net *net)
1410 return net->nft.gencursor+1 == 1 ? 1 : 0;
1414 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1416 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1420 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1422 /* Now inactive, will be active in the future */
1423 rule->genmask = (1 << net->nft.gencursor);
1427 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1429 rule->genmask = (1 << gencursor_next(net));
1432 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1437 static int nf_tables_dump_rules(struct sk_buff *skb,
1438 struct netlink_callback *cb)
1440 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1441 const struct nft_af_info *afi;
1442 const struct nft_table *table;
1443 const struct nft_chain *chain;
1444 const struct nft_rule *rule;
1445 unsigned int idx = 0, s_idx = cb->args[0];
1446 struct net *net = sock_net(skb->sk);
1447 int family = nfmsg->nfgen_family;
1448 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1449 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1451 list_for_each_entry(afi, &net->nft.af_info, list) {
1452 if (family != NFPROTO_UNSPEC && family != afi->family)
1455 list_for_each_entry(table, &afi->tables, list) {
1456 list_for_each_entry(chain, &table->chains, list) {
1457 list_for_each_entry(rule, &chain->rules, list) {
1458 if (!nft_rule_is_active(net, rule))
1463 memset(&cb->args[1], 0,
1464 sizeof(cb->args) - sizeof(cb->args[0]));
1465 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1468 NLM_F_MULTI | NLM_F_APPEND,
1469 afi->family, table, chain, rule) < 0)
1478 /* Invalidate this dump, a transition to the new generation happened */
1479 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1486 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1487 const struct nlmsghdr *nlh,
1488 const struct nlattr * const nla[])
1490 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1491 const struct nft_af_info *afi;
1492 const struct nft_table *table;
1493 const struct nft_chain *chain;
1494 const struct nft_rule *rule;
1495 struct sk_buff *skb2;
1496 struct net *net = sock_net(skb->sk);
1497 int family = nfmsg->nfgen_family;
1500 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1501 struct netlink_dump_control c = {
1502 .dump = nf_tables_dump_rules,
1504 return netlink_dump_start(nlsk, skb, nlh, &c);
1507 afi = nf_tables_afinfo_lookup(net, family, false);
1509 return PTR_ERR(afi);
1511 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1513 return PTR_ERR(table);
1515 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1517 return PTR_ERR(chain);
1519 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1521 return PTR_ERR(rule);
1523 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1527 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1528 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1529 family, table, chain, rule);
1533 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1540 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1541 struct nft_rule *rule)
1543 struct nft_expr *expr;
1546 * Careful: some expressions might not be initialized in case this
1547 * is called on error from nf_tables_newrule().
1549 expr = nft_expr_first(rule);
1550 while (expr->ops && expr != nft_expr_last(rule)) {
1551 nf_tables_expr_destroy(ctx, expr);
1552 expr = nft_expr_next(expr);
1557 #define NFT_RULE_MAXEXPRS 128
1559 static struct nft_expr_info *info;
1561 static struct nft_rule_trans *
1562 nf_tables_trans_add(struct nft_ctx *ctx, struct nft_rule *rule)
1564 struct nft_rule_trans *rupd;
1566 rupd = kmalloc(sizeof(struct nft_rule_trans), GFP_KERNEL);
1572 list_add_tail(&rupd->list, &ctx->net->nft.commit_list);
1577 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1578 const struct nlmsghdr *nlh,
1579 const struct nlattr * const nla[])
1581 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1582 const struct nft_af_info *afi;
1583 struct net *net = sock_net(skb->sk);
1584 struct nft_table *table;
1585 struct nft_chain *chain;
1586 struct nft_rule *rule, *old_rule = NULL;
1587 struct nft_rule_trans *repl = NULL;
1588 struct nft_expr *expr;
1591 unsigned int size, i, n, ulen = 0;
1594 u64 handle, pos_handle;
1596 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1598 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1600 return PTR_ERR(afi);
1602 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1604 return PTR_ERR(table);
1606 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1608 return PTR_ERR(chain);
1610 if (nla[NFTA_RULE_HANDLE]) {
1611 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1612 rule = __nf_tables_rule_lookup(chain, handle);
1614 return PTR_ERR(rule);
1616 if (nlh->nlmsg_flags & NLM_F_EXCL)
1618 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1623 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1625 handle = nf_tables_alloc_handle(table);
1628 if (nla[NFTA_RULE_POSITION]) {
1629 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1632 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1633 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1634 if (IS_ERR(old_rule))
1635 return PTR_ERR(old_rule);
1638 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1642 if (nla[NFTA_RULE_EXPRESSIONS]) {
1643 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1645 if (nla_type(tmp) != NFTA_LIST_ELEM)
1647 if (n == NFT_RULE_MAXEXPRS)
1649 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1652 size += info[n].ops->size;
1657 if (nla[NFTA_RULE_USERDATA])
1658 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1661 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1665 nft_rule_activate_next(net, rule);
1667 rule->handle = handle;
1672 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1674 expr = nft_expr_first(rule);
1675 for (i = 0; i < n; i++) {
1676 err = nf_tables_newexpr(&ctx, &info[i], expr);
1680 expr = nft_expr_next(expr);
1683 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1684 if (nft_rule_is_active_next(net, old_rule)) {
1685 repl = nf_tables_trans_add(&ctx, old_rule);
1690 nft_rule_disactivate_next(net, old_rule);
1691 list_add_tail(&rule->list, &old_rule->list);
1696 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1698 list_add_rcu(&rule->list, &old_rule->list);
1700 list_add_tail_rcu(&rule->list, &chain->rules);
1703 list_add_tail_rcu(&rule->list, &old_rule->list);
1705 list_add_rcu(&rule->list, &chain->rules);
1708 if (nf_tables_trans_add(&ctx, rule) == NULL) {
1715 list_del_rcu(&rule->list);
1717 list_del_rcu(&repl->rule->list);
1718 list_del(&repl->list);
1719 nft_rule_clear(net, repl->rule);
1723 nf_tables_rule_destroy(&ctx, rule);
1725 for (i = 0; i < n; i++) {
1726 if (info[i].ops != NULL)
1727 module_put(info[i].ops->type->owner);
1733 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1735 /* You cannot delete the same rule twice */
1736 if (nft_rule_is_active_next(ctx->net, rule)) {
1737 if (nf_tables_trans_add(ctx, rule) == NULL)
1739 nft_rule_disactivate_next(ctx->net, rule);
1745 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1747 struct nft_rule *rule;
1750 list_for_each_entry(rule, &ctx->chain->rules, list) {
1751 err = nf_tables_delrule_one(ctx, rule);
1758 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1759 const struct nlmsghdr *nlh,
1760 const struct nlattr * const nla[])
1762 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1763 const struct nft_af_info *afi;
1764 struct net *net = sock_net(skb->sk);
1765 const struct nft_table *table;
1766 struct nft_chain *chain = NULL;
1767 struct nft_rule *rule;
1768 int family = nfmsg->nfgen_family, err = 0;
1771 afi = nf_tables_afinfo_lookup(net, family, false);
1773 return PTR_ERR(afi);
1775 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1777 return PTR_ERR(table);
1779 if (nla[NFTA_RULE_CHAIN]) {
1780 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1782 return PTR_ERR(chain);
1785 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1788 if (nla[NFTA_RULE_HANDLE]) {
1789 rule = nf_tables_rule_lookup(chain,
1790 nla[NFTA_RULE_HANDLE]);
1792 return PTR_ERR(rule);
1794 err = nf_tables_delrule_one(&ctx, rule);
1796 err = nf_table_delrule_by_chain(&ctx);
1799 list_for_each_entry(chain, &table->chains, list) {
1801 err = nf_table_delrule_by_chain(&ctx);
1810 static int nf_tables_commit(struct sk_buff *skb)
1812 struct net *net = sock_net(skb->sk);
1813 struct nft_rule_trans *rupd, *tmp;
1815 /* Bump generation counter, invalidate any dump in progress */
1818 /* A new generation has just started */
1819 net->nft.gencursor = gencursor_next(net);
1821 /* Make sure all packets have left the previous generation before
1822 * purging old rules.
1826 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1827 /* This rule was inactive in the past and just became active.
1828 * Clear the next bit of the genmask since its meaning has
1829 * changed, now it is the future.
1831 if (nft_rule_is_active(net, rupd->rule)) {
1832 nft_rule_clear(net, rupd->rule);
1833 nf_tables_rule_notify(skb, rupd->ctx.nlh,
1834 rupd->ctx.table, rupd->ctx.chain,
1835 rupd->rule, NFT_MSG_NEWRULE, 0,
1836 rupd->ctx.afi->family);
1837 list_del(&rupd->list);
1842 /* This rule is in the past, get rid of it */
1843 list_del_rcu(&rupd->rule->list);
1844 nf_tables_rule_notify(skb, rupd->ctx.nlh,
1845 rupd->ctx.table, rupd->ctx.chain,
1846 rupd->rule, NFT_MSG_DELRULE, 0,
1847 rupd->ctx.afi->family);
1850 /* Make sure we don't see any packet traversing old rules */
1853 /* Now we can safely release unused old rules */
1854 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1855 nf_tables_rule_destroy(&rupd->ctx, rupd->rule);
1856 list_del(&rupd->list);
1863 static int nf_tables_abort(struct sk_buff *skb)
1865 struct net *net = sock_net(skb->sk);
1866 struct nft_rule_trans *rupd, *tmp;
1868 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1869 if (!nft_rule_is_active_next(net, rupd->rule)) {
1870 nft_rule_clear(net, rupd->rule);
1871 list_del(&rupd->list);
1876 /* This rule is inactive, get rid of it */
1877 list_del_rcu(&rupd->rule->list);
1880 /* Make sure we don't see any packet accessing aborted rules */
1883 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1884 nf_tables_rule_destroy(&rupd->ctx, rupd->rule);
1885 list_del(&rupd->list);
1896 static LIST_HEAD(nf_tables_set_ops);
1898 int nft_register_set(struct nft_set_ops *ops)
1900 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1901 list_add_tail(&ops->list, &nf_tables_set_ops);
1902 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1905 EXPORT_SYMBOL_GPL(nft_register_set);
1907 void nft_unregister_set(struct nft_set_ops *ops)
1909 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1910 list_del(&ops->list);
1911 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1913 EXPORT_SYMBOL_GPL(nft_unregister_set);
1915 static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const nla[])
1917 const struct nft_set_ops *ops;
1920 #ifdef CONFIG_MODULES
1921 if (list_empty(&nf_tables_set_ops)) {
1922 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1923 request_module("nft-set");
1924 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1925 if (!list_empty(&nf_tables_set_ops))
1926 return ERR_PTR(-EAGAIN);
1930 if (nla[NFTA_SET_FLAGS] != NULL) {
1931 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1932 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1935 // FIXME: implement selection properly
1936 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1937 if ((ops->features & features) != features)
1939 if (!try_module_get(ops->owner))
1944 return ERR_PTR(-EOPNOTSUPP);
1947 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1948 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1949 [NFTA_SET_NAME] = { .type = NLA_STRING,
1950 .len = IFNAMSIZ - 1 },
1951 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1952 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1953 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1954 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1955 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1958 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1959 const struct sk_buff *skb,
1960 const struct nlmsghdr *nlh,
1961 const struct nlattr * const nla[])
1963 struct net *net = sock_net(skb->sk);
1964 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1965 const struct nft_af_info *afi = NULL;
1966 const struct nft_table *table = NULL;
1968 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
1969 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1971 return PTR_ERR(afi);
1974 if (nla[NFTA_SET_TABLE] != NULL) {
1976 return -EAFNOSUPPORT;
1978 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
1980 return PTR_ERR(table);
1983 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
1987 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1988 const struct nlattr *nla)
1990 struct nft_set *set;
1993 return ERR_PTR(-EINVAL);
1995 list_for_each_entry(set, &table->sets, list) {
1996 if (!nla_strcmp(nla, set->name))
1999 return ERR_PTR(-ENOENT);
2002 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2005 const struct nft_set *i;
2007 unsigned long *inuse;
2010 p = strnchr(name, IFNAMSIZ, '%');
2012 if (p[1] != 'd' || strchr(p + 2, '%'))
2015 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2019 list_for_each_entry(i, &ctx->table->sets, list) {
2022 if (!sscanf(i->name, name, &tmp))
2024 if (tmp < 0 || tmp >= BITS_PER_BYTE * PAGE_SIZE)
2027 set_bit(tmp, inuse);
2030 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2031 free_page((unsigned long)inuse);
2034 snprintf(set->name, sizeof(set->name), name, n);
2035 list_for_each_entry(i, &ctx->table->sets, list) {
2036 if (!strcmp(set->name, i->name))
2042 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2043 const struct nft_set *set, u16 event, u16 flags)
2045 struct nfgenmsg *nfmsg;
2046 struct nlmsghdr *nlh;
2047 u32 portid = NETLINK_CB(ctx->skb).portid;
2048 u32 seq = ctx->nlh->nlmsg_seq;
2050 event |= NFNL_SUBSYS_NFTABLES << 8;
2051 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2054 goto nla_put_failure;
2056 nfmsg = nlmsg_data(nlh);
2057 nfmsg->nfgen_family = ctx->afi->family;
2058 nfmsg->version = NFNETLINK_V0;
2061 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2062 goto nla_put_failure;
2063 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2064 goto nla_put_failure;
2065 if (set->flags != 0)
2066 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2067 goto nla_put_failure;
2069 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2070 goto nla_put_failure;
2071 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2072 goto nla_put_failure;
2073 if (set->flags & NFT_SET_MAP) {
2074 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2075 goto nla_put_failure;
2076 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2077 goto nla_put_failure;
2080 return nlmsg_end(skb, nlh);
2083 nlmsg_trim(skb, nlh);
2087 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2088 const struct nft_set *set,
2091 struct sk_buff *skb;
2092 u32 portid = NETLINK_CB(ctx->skb).portid;
2096 report = nlmsg_report(ctx->nlh);
2097 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2101 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2105 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2111 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2115 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2119 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2120 struct netlink_callback *cb)
2122 const struct nft_set *set;
2123 unsigned int idx = 0, s_idx = cb->args[0];
2128 list_for_each_entry(set, &ctx->table->sets, list) {
2131 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2144 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2145 struct netlink_callback *cb)
2147 const struct nft_set *set;
2148 unsigned int idx, s_idx = cb->args[0];
2149 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2154 list_for_each_entry(table, &ctx->afi->tables, list) {
2156 if (cur_table != table)
2163 list_for_each_entry(set, &ctx->table->sets, list) {
2166 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2169 cb->args[2] = (unsigned long) table;
2181 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2182 struct netlink_callback *cb)
2184 const struct nft_set *set;
2185 unsigned int idx, s_idx = cb->args[0];
2186 const struct nft_af_info *afi;
2187 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2188 struct net *net = sock_net(skb->sk);
2189 int cur_family = cb->args[3];
2194 list_for_each_entry(afi, &net->nft.af_info, list) {
2196 if (afi->family != cur_family)
2202 list_for_each_entry(table, &afi->tables, list) {
2204 if (cur_table != table)
2213 list_for_each_entry(set, &ctx->table->sets, list) {
2216 if (nf_tables_fill_set(skb, ctx, set,
2220 cb->args[2] = (unsigned long) table;
2221 cb->args[3] = afi->family;
2236 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2238 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2239 struct nlattr *nla[NFTA_SET_MAX + 1];
2243 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2248 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2252 if (ctx.table == NULL) {
2253 if (ctx.afi == NULL)
2254 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2256 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2258 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2263 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2264 const struct nlmsghdr *nlh,
2265 const struct nlattr * const nla[])
2267 const struct nft_set *set;
2269 struct sk_buff *skb2;
2270 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2273 /* Verify existance before starting dump */
2274 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2278 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2279 struct netlink_dump_control c = {
2280 .dump = nf_tables_dump_sets,
2282 return netlink_dump_start(nlsk, skb, nlh, &c);
2285 /* Only accept unspec with dump */
2286 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2287 return -EAFNOSUPPORT;
2289 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2291 return PTR_ERR(set);
2293 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2297 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2301 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2308 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2309 const struct nlmsghdr *nlh,
2310 const struct nlattr * const nla[])
2312 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2313 const struct nft_set_ops *ops;
2314 const struct nft_af_info *afi;
2315 struct net *net = sock_net(skb->sk);
2316 struct nft_table *table;
2317 struct nft_set *set;
2319 char name[IFNAMSIZ];
2322 u32 ktype, klen, dlen, dtype, flags;
2325 if (nla[NFTA_SET_TABLE] == NULL ||
2326 nla[NFTA_SET_NAME] == NULL ||
2327 nla[NFTA_SET_KEY_LEN] == NULL)
2330 ktype = NFT_DATA_VALUE;
2331 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2332 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2333 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2337 klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2338 if (klen == 0 || klen > FIELD_SIZEOF(struct nft_data, data))
2342 if (nla[NFTA_SET_FLAGS] != NULL) {
2343 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2344 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2345 NFT_SET_INTERVAL | NFT_SET_MAP))
2351 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2352 if (!(flags & NFT_SET_MAP))
2355 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2356 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2357 dtype != NFT_DATA_VERDICT)
2360 if (dtype != NFT_DATA_VERDICT) {
2361 if (nla[NFTA_SET_DATA_LEN] == NULL)
2363 dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2365 dlen > FIELD_SIZEOF(struct nft_data, data))
2368 dlen = sizeof(struct nft_data);
2369 } else if (flags & NFT_SET_MAP)
2372 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2374 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2376 return PTR_ERR(afi);
2378 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2380 return PTR_ERR(table);
2382 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2384 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2386 if (PTR_ERR(set) != -ENOENT)
2387 return PTR_ERR(set);
2392 if (nlh->nlmsg_flags & NLM_F_EXCL)
2394 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2399 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2402 ops = nft_select_set_ops(nla);
2404 return PTR_ERR(ops);
2407 if (ops->privsize != NULL)
2408 size = ops->privsize(nla);
2411 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2415 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2416 err = nf_tables_set_alloc_name(&ctx, set, name);
2420 INIT_LIST_HEAD(&set->bindings);
2428 err = ops->init(set, nla);
2432 list_add_tail(&set->list, &table->sets);
2433 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2439 module_put(ops->owner);
2443 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2445 list_del(&set->list);
2446 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2448 set->ops->destroy(set);
2449 module_put(set->ops->owner);
2453 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2454 const struct nlmsghdr *nlh,
2455 const struct nlattr * const nla[])
2457 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2458 struct nft_set *set;
2462 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2463 return -EAFNOSUPPORT;
2464 if (nla[NFTA_SET_TABLE] == NULL)
2467 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2471 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2473 return PTR_ERR(set);
2474 if (!list_empty(&set->bindings))
2477 nf_tables_set_destroy(&ctx, set);
2481 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2482 const struct nft_set *set,
2483 const struct nft_set_iter *iter,
2484 const struct nft_set_elem *elem)
2486 enum nft_registers dreg;
2488 dreg = nft_type_to_reg(set->dtype);
2489 return nft_validate_data_load(ctx, dreg, &elem->data,
2490 set->dtype == NFT_DATA_VERDICT ?
2491 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2494 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2495 struct nft_set_binding *binding)
2497 struct nft_set_binding *i;
2498 struct nft_set_iter iter;
2500 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2503 if (set->flags & NFT_SET_MAP) {
2504 /* If the set is already bound to the same chain all
2505 * jumps are already validated for that chain.
2507 list_for_each_entry(i, &set->bindings, list) {
2508 if (i->chain == binding->chain)
2515 iter.fn = nf_tables_bind_check_setelem;
2517 set->ops->walk(ctx, set, &iter);
2519 /* Destroy anonymous sets if binding fails */
2520 if (set->flags & NFT_SET_ANONYMOUS)
2521 nf_tables_set_destroy(ctx, set);
2527 binding->chain = ctx->chain;
2528 list_add_tail(&binding->list, &set->bindings);
2532 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2533 struct nft_set_binding *binding)
2535 list_del(&binding->list);
2537 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2538 nf_tables_set_destroy(ctx, set);
2545 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2546 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2547 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2548 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2551 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2552 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2553 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2554 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2557 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2558 const struct sk_buff *skb,
2559 const struct nlmsghdr *nlh,
2560 const struct nlattr * const nla[])
2562 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2563 const struct nft_af_info *afi;
2564 const struct nft_table *table;
2565 struct net *net = sock_net(skb->sk);
2567 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2569 return PTR_ERR(afi);
2571 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2573 return PTR_ERR(table);
2575 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2579 static int nf_tables_fill_setelem(struct sk_buff *skb,
2580 const struct nft_set *set,
2581 const struct nft_set_elem *elem)
2583 unsigned char *b = skb_tail_pointer(skb);
2584 struct nlattr *nest;
2586 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2588 goto nla_put_failure;
2590 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2592 goto nla_put_failure;
2594 if (set->flags & NFT_SET_MAP &&
2595 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2596 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2597 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2599 goto nla_put_failure;
2601 if (elem->flags != 0)
2602 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2603 goto nla_put_failure;
2605 nla_nest_end(skb, nest);
2613 struct nft_set_dump_args {
2614 const struct netlink_callback *cb;
2615 struct nft_set_iter iter;
2616 struct sk_buff *skb;
2619 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2620 const struct nft_set *set,
2621 const struct nft_set_iter *iter,
2622 const struct nft_set_elem *elem)
2624 struct nft_set_dump_args *args;
2626 args = container_of(iter, struct nft_set_dump_args, iter);
2627 return nf_tables_fill_setelem(args->skb, set, elem);
2630 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2632 const struct nft_set *set;
2633 struct nft_set_dump_args args;
2635 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2636 struct nfgenmsg *nfmsg;
2637 struct nlmsghdr *nlh;
2638 struct nlattr *nest;
2642 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2643 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2647 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2651 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2653 return PTR_ERR(set);
2655 event = NFT_MSG_NEWSETELEM;
2656 event |= NFNL_SUBSYS_NFTABLES << 8;
2657 portid = NETLINK_CB(cb->skb).portid;
2658 seq = cb->nlh->nlmsg_seq;
2660 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2663 goto nla_put_failure;
2665 nfmsg = nlmsg_data(nlh);
2666 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2667 nfmsg->version = NFNETLINK_V0;
2670 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2671 goto nla_put_failure;
2672 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2673 goto nla_put_failure;
2675 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2677 goto nla_put_failure;
2681 args.iter.skip = cb->args[0];
2682 args.iter.count = 0;
2684 args.iter.fn = nf_tables_dump_setelem;
2685 set->ops->walk(&ctx, set, &args.iter);
2687 nla_nest_end(skb, nest);
2688 nlmsg_end(skb, nlh);
2690 if (args.iter.err && args.iter.err != -EMSGSIZE)
2691 return args.iter.err;
2692 if (args.iter.count == cb->args[0])
2695 cb->args[0] = args.iter.count;
2702 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2703 const struct nlmsghdr *nlh,
2704 const struct nlattr * const nla[])
2706 const struct nft_set *set;
2710 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2714 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2716 return PTR_ERR(set);
2718 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2719 struct netlink_dump_control c = {
2720 .dump = nf_tables_dump_set,
2722 return netlink_dump_start(nlsk, skb, nlh, &c);
2727 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2728 const struct nlattr *attr)
2730 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2731 struct nft_data_desc d1, d2;
2732 struct nft_set_elem elem;
2733 struct nft_set_binding *binding;
2734 enum nft_registers dreg;
2737 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2738 nft_set_elem_policy);
2742 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2746 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2747 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2748 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2752 if (set->flags & NFT_SET_MAP) {
2753 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2754 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2756 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
2757 elem.flags & NFT_SET_ELEM_INTERVAL_END)
2760 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2764 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2768 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2772 if (set->ops->get(set, &elem) == 0)
2775 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2776 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2781 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2784 dreg = nft_type_to_reg(set->dtype);
2785 list_for_each_entry(binding, &set->bindings, list) {
2786 struct nft_ctx bind_ctx = {
2788 .table = ctx->table,
2789 .chain = binding->chain,
2792 err = nft_validate_data_load(&bind_ctx, dreg,
2793 &elem.data, d2.type);
2799 err = set->ops->insert(set, &elem);
2806 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2807 nft_data_uninit(&elem.data, d2.type);
2809 nft_data_uninit(&elem.key, d1.type);
2814 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2815 const struct nlmsghdr *nlh,
2816 const struct nlattr * const nla[])
2818 const struct nlattr *attr;
2819 struct nft_set *set;
2823 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2827 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2829 return PTR_ERR(set);
2830 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2833 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2834 err = nft_add_set_elem(&ctx, set, attr);
2841 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2842 const struct nlattr *attr)
2844 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2845 struct nft_data_desc desc;
2846 struct nft_set_elem elem;
2849 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2850 nft_set_elem_policy);
2855 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2858 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2863 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2866 err = set->ops->get(set, &elem);
2870 set->ops->remove(set, &elem);
2872 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2873 if (set->flags & NFT_SET_MAP)
2874 nft_data_uninit(&elem.data, set->dtype);
2877 nft_data_uninit(&elem.key, desc.type);
2882 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2883 const struct nlmsghdr *nlh,
2884 const struct nlattr * const nla[])
2886 const struct nlattr *attr;
2887 struct nft_set *set;
2891 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2895 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2897 return PTR_ERR(set);
2898 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2901 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2902 err = nft_del_setelem(&ctx, set, attr);
2909 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
2910 [NFT_MSG_NEWTABLE] = {
2911 .call = nf_tables_newtable,
2912 .attr_count = NFTA_TABLE_MAX,
2913 .policy = nft_table_policy,
2915 [NFT_MSG_GETTABLE] = {
2916 .call = nf_tables_gettable,
2917 .attr_count = NFTA_TABLE_MAX,
2918 .policy = nft_table_policy,
2920 [NFT_MSG_DELTABLE] = {
2921 .call = nf_tables_deltable,
2922 .attr_count = NFTA_TABLE_MAX,
2923 .policy = nft_table_policy,
2925 [NFT_MSG_NEWCHAIN] = {
2926 .call = nf_tables_newchain,
2927 .attr_count = NFTA_CHAIN_MAX,
2928 .policy = nft_chain_policy,
2930 [NFT_MSG_GETCHAIN] = {
2931 .call = nf_tables_getchain,
2932 .attr_count = NFTA_CHAIN_MAX,
2933 .policy = nft_chain_policy,
2935 [NFT_MSG_DELCHAIN] = {
2936 .call = nf_tables_delchain,
2937 .attr_count = NFTA_CHAIN_MAX,
2938 .policy = nft_chain_policy,
2940 [NFT_MSG_NEWRULE] = {
2941 .call_batch = nf_tables_newrule,
2942 .attr_count = NFTA_RULE_MAX,
2943 .policy = nft_rule_policy,
2945 [NFT_MSG_GETRULE] = {
2946 .call = nf_tables_getrule,
2947 .attr_count = NFTA_RULE_MAX,
2948 .policy = nft_rule_policy,
2950 [NFT_MSG_DELRULE] = {
2951 .call_batch = nf_tables_delrule,
2952 .attr_count = NFTA_RULE_MAX,
2953 .policy = nft_rule_policy,
2955 [NFT_MSG_NEWSET] = {
2956 .call = nf_tables_newset,
2957 .attr_count = NFTA_SET_MAX,
2958 .policy = nft_set_policy,
2960 [NFT_MSG_GETSET] = {
2961 .call = nf_tables_getset,
2962 .attr_count = NFTA_SET_MAX,
2963 .policy = nft_set_policy,
2965 [NFT_MSG_DELSET] = {
2966 .call = nf_tables_delset,
2967 .attr_count = NFTA_SET_MAX,
2968 .policy = nft_set_policy,
2970 [NFT_MSG_NEWSETELEM] = {
2971 .call = nf_tables_newsetelem,
2972 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2973 .policy = nft_set_elem_list_policy,
2975 [NFT_MSG_GETSETELEM] = {
2976 .call = nf_tables_getsetelem,
2977 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2978 .policy = nft_set_elem_list_policy,
2980 [NFT_MSG_DELSETELEM] = {
2981 .call = nf_tables_delsetelem,
2982 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2983 .policy = nft_set_elem_list_policy,
2987 static const struct nfnetlink_subsystem nf_tables_subsys = {
2988 .name = "nf_tables",
2989 .subsys_id = NFNL_SUBSYS_NFTABLES,
2990 .cb_count = NFT_MSG_MAX,
2992 .commit = nf_tables_commit,
2993 .abort = nf_tables_abort,
2997 * Loop detection - walk through the ruleset beginning at the destination chain
2998 * of a new jump until either the source chain is reached (loop) or all
2999 * reachable chains have been traversed.
3001 * The loop check is performed whenever a new jump verdict is added to an
3002 * expression or verdict map or a verdict map is bound to a new chain.
3005 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3006 const struct nft_chain *chain);
3008 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3009 const struct nft_set *set,
3010 const struct nft_set_iter *iter,
3011 const struct nft_set_elem *elem)
3013 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3016 switch (elem->data.verdict) {
3019 return nf_tables_check_loops(ctx, elem->data.chain);
3025 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3026 const struct nft_chain *chain)
3028 const struct nft_rule *rule;
3029 const struct nft_expr *expr, *last;
3030 const struct nft_set *set;
3031 struct nft_set_binding *binding;
3032 struct nft_set_iter iter;
3034 if (ctx->chain == chain)
3037 list_for_each_entry(rule, &chain->rules, list) {
3038 nft_rule_for_each_expr(expr, last, rule) {
3039 const struct nft_data *data = NULL;
3042 if (!expr->ops->validate)
3045 err = expr->ops->validate(ctx, expr, &data);
3052 switch (data->verdict) {
3055 err = nf_tables_check_loops(ctx, data->chain);
3064 list_for_each_entry(set, &ctx->table->sets, list) {
3065 if (!(set->flags & NFT_SET_MAP) ||
3066 set->dtype != NFT_DATA_VERDICT)
3069 list_for_each_entry(binding, &set->bindings, list) {
3070 if (binding->chain != chain)
3076 iter.fn = nf_tables_loop_check_setelem;
3078 set->ops->walk(ctx, set, &iter);
3088 * nft_validate_input_register - validate an expressions' input register
3090 * @reg: the register number
3092 * Validate that the input register is one of the general purpose
3095 int nft_validate_input_register(enum nft_registers reg)
3097 if (reg <= NFT_REG_VERDICT)
3099 if (reg > NFT_REG_MAX)
3103 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3106 * nft_validate_output_register - validate an expressions' output register
3108 * @reg: the register number
3110 * Validate that the output register is one of the general purpose
3111 * registers or the verdict register.
3113 int nft_validate_output_register(enum nft_registers reg)
3115 if (reg < NFT_REG_VERDICT)
3117 if (reg > NFT_REG_MAX)
3121 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3124 * nft_validate_data_load - validate an expressions' data load
3126 * @ctx: context of the expression performing the load
3127 * @reg: the destination register number
3128 * @data: the data to load
3129 * @type: the data type
3131 * Validate that a data load uses the appropriate data type for
3132 * the destination register. A value of NULL for the data means
3133 * that its runtime gathered data, which is always of type
3136 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3137 const struct nft_data *data,
3138 enum nft_data_types type)
3143 case NFT_REG_VERDICT:
3144 if (data == NULL || type != NFT_DATA_VERDICT)
3147 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3148 err = nf_tables_check_loops(ctx, data->chain);
3152 if (ctx->chain->level + 1 > data->chain->level) {
3153 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3155 data->chain->level = ctx->chain->level + 1;
3161 if (data != NULL && type != NFT_DATA_VALUE)
3166 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3168 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3169 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3170 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3171 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3174 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3175 struct nft_data_desc *desc, const struct nlattr *nla)
3177 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3178 struct nft_chain *chain;
3181 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3185 if (!tb[NFTA_VERDICT_CODE])
3187 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3189 switch (data->verdict) {
3191 switch (data->verdict & NF_VERDICT_MASK) {
3203 desc->len = sizeof(data->verdict);
3207 if (!tb[NFTA_VERDICT_CHAIN])
3209 chain = nf_tables_chain_lookup(ctx->table,
3210 tb[NFTA_VERDICT_CHAIN]);
3212 return PTR_ERR(chain);
3213 if (chain->flags & NFT_BASE_CHAIN)
3217 data->chain = chain;
3218 desc->len = sizeof(data);
3222 desc->type = NFT_DATA_VERDICT;
3226 static void nft_verdict_uninit(const struct nft_data *data)
3228 switch (data->verdict) {
3236 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3238 struct nlattr *nest;
3240 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3242 goto nla_put_failure;
3244 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3245 goto nla_put_failure;
3247 switch (data->verdict) {
3250 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3251 goto nla_put_failure;
3253 nla_nest_end(skb, nest);
3260 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3261 struct nft_data_desc *desc, const struct nlattr *nla)
3268 if (len > sizeof(data->data))
3271 nla_memcpy(data->data, nla, sizeof(data->data));
3272 desc->type = NFT_DATA_VALUE;
3277 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3280 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3283 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3284 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3285 .len = FIELD_SIZEOF(struct nft_data, data) },
3286 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3290 * nft_data_init - parse nf_tables data netlink attributes
3292 * @ctx: context of the expression using the data
3293 * @data: destination struct nft_data
3294 * @desc: data description
3295 * @nla: netlink attribute containing data
3297 * Parse the netlink data attributes and initialize a struct nft_data.
3298 * The type and length of data are returned in the data description.
3300 * The caller can indicate that it only wants to accept data of type
3301 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3303 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3304 struct nft_data_desc *desc, const struct nlattr *nla)
3306 struct nlattr *tb[NFTA_DATA_MAX + 1];
3309 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3313 if (tb[NFTA_DATA_VALUE])
3314 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3315 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3316 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3319 EXPORT_SYMBOL_GPL(nft_data_init);
3322 * nft_data_uninit - release a nft_data item
3324 * @data: struct nft_data to release
3325 * @type: type of data
3327 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3328 * all others need to be released by calling this function.
3330 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3333 case NFT_DATA_VALUE:
3335 case NFT_DATA_VERDICT:
3336 return nft_verdict_uninit(data);
3341 EXPORT_SYMBOL_GPL(nft_data_uninit);
3343 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3344 enum nft_data_types type, unsigned int len)
3346 struct nlattr *nest;
3349 nest = nla_nest_start(skb, attr);
3354 case NFT_DATA_VALUE:
3355 err = nft_value_dump(skb, data, len);
3357 case NFT_DATA_VERDICT:
3358 err = nft_verdict_dump(skb, data);
3365 nla_nest_end(skb, nest);
3368 EXPORT_SYMBOL_GPL(nft_data_dump);
3370 static int nf_tables_init_net(struct net *net)
3372 INIT_LIST_HEAD(&net->nft.af_info);
3373 INIT_LIST_HEAD(&net->nft.commit_list);
3377 static struct pernet_operations nf_tables_net_ops = {
3378 .init = nf_tables_init_net,
3381 static int __init nf_tables_module_init(void)
3385 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3392 err = nf_tables_core_module_init();
3396 err = nfnetlink_subsys_register(&nf_tables_subsys);
3400 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3401 return register_pernet_subsys(&nf_tables_net_ops);
3403 nf_tables_core_module_exit();
3410 static void __exit nf_tables_module_exit(void)
3412 unregister_pernet_subsys(&nf_tables_net_ops);
3413 nfnetlink_subsys_unregister(&nf_tables_subsys);
3414 nf_tables_core_module_exit();
3418 module_init(nf_tables_module_init);
3419 module_exit(nf_tables_module_exit);
3421 MODULE_LICENSE("GPL");
3422 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3423 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / karo-tx-linux.git / blob