2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
108 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
111 struct nft_trans *trans;
113 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
117 trans->msg_type = msg_type;
123 static void nft_trans_destroy(struct nft_trans *trans)
125 list_del(&trans->list);
133 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
134 const struct nlattr *nla)
136 struct nft_table *table;
138 list_for_each_entry(table, &afi->tables, list) {
139 if (!nla_strcmp(nla, table->name))
145 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
146 const struct nlattr *nla)
148 struct nft_table *table;
151 return ERR_PTR(-EINVAL);
153 table = nft_table_lookup(afi, nla);
157 return ERR_PTR(-ENOENT);
160 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
162 return ++table->hgenerator;
165 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
167 static const struct nf_chain_type *
168 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
172 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
173 if (chain_type[family][i] != NULL &&
174 !nla_strcmp(nla, chain_type[family][i]->name))
175 return chain_type[family][i];
180 static const struct nf_chain_type *
181 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
182 const struct nlattr *nla,
185 const struct nf_chain_type *type;
187 type = __nf_tables_chain_type_lookup(afi->family, nla);
190 #ifdef CONFIG_MODULES
192 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
193 request_module("nft-chain-%u-%*.s", afi->family,
194 nla_len(nla)-1, (const char *)nla_data(nla));
195 nfnl_lock(NFNL_SUBSYS_NFTABLES);
196 type = __nf_tables_chain_type_lookup(afi->family, nla);
198 return ERR_PTR(-EAGAIN);
201 return ERR_PTR(-ENOENT);
204 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
205 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
206 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
209 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
210 int event, u32 flags, int family,
211 const struct nft_table *table)
213 struct nlmsghdr *nlh;
214 struct nfgenmsg *nfmsg;
216 event |= NFNL_SUBSYS_NFTABLES << 8;
217 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
219 goto nla_put_failure;
221 nfmsg = nlmsg_data(nlh);
222 nfmsg->nfgen_family = family;
223 nfmsg->version = NFNETLINK_V0;
226 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
227 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
228 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
229 goto nla_put_failure;
231 return nlmsg_end(skb, nlh);
234 nlmsg_trim(skb, nlh);
238 static int nf_tables_table_notify(const struct sk_buff *oskb,
239 const struct nlmsghdr *nlh,
240 const struct nft_table *table,
241 int event, int family)
244 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
245 u32 seq = nlh ? nlh->nlmsg_seq : 0;
246 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
250 report = nlh ? nlmsg_report(nlh) : false;
251 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
255 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
259 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
266 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
270 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
274 static int nf_tables_dump_tables(struct sk_buff *skb,
275 struct netlink_callback *cb)
277 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
278 const struct nft_af_info *afi;
279 const struct nft_table *table;
280 unsigned int idx = 0, s_idx = cb->args[0];
281 struct net *net = sock_net(skb->sk);
282 int family = nfmsg->nfgen_family;
284 list_for_each_entry(afi, &net->nft.af_info, list) {
285 if (family != NFPROTO_UNSPEC && family != afi->family)
288 list_for_each_entry(table, &afi->tables, list) {
292 memset(&cb->args[1], 0,
293 sizeof(cb->args) - sizeof(cb->args[0]));
294 if (nf_tables_fill_table_info(skb,
295 NETLINK_CB(cb->skb).portid,
299 afi->family, table) < 0)
310 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
311 const struct nlmsghdr *nlh,
312 const struct nlattr * const nla[])
314 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
315 const struct nft_af_info *afi;
316 const struct nft_table *table;
317 struct sk_buff *skb2;
318 struct net *net = sock_net(skb->sk);
319 int family = nfmsg->nfgen_family;
322 if (nlh->nlmsg_flags & NLM_F_DUMP) {
323 struct netlink_dump_control c = {
324 .dump = nf_tables_dump_tables,
326 return netlink_dump_start(nlsk, skb, nlh, &c);
329 afi = nf_tables_afinfo_lookup(net, family, false);
333 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
335 return PTR_ERR(table);
337 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
341 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
342 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
347 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
354 static int nf_tables_table_enable(const struct nft_af_info *afi,
355 struct nft_table *table)
357 struct nft_chain *chain;
360 list_for_each_entry(chain, &table->chains, list) {
361 if (!(chain->flags & NFT_BASE_CHAIN))
364 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
372 list_for_each_entry(chain, &table->chains, list) {
373 if (!(chain->flags & NFT_BASE_CHAIN))
379 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
384 static void nf_tables_table_disable(const struct nft_af_info *afi,
385 struct nft_table *table)
387 struct nft_chain *chain;
389 list_for_each_entry(chain, &table->chains, list) {
390 if (chain->flags & NFT_BASE_CHAIN)
391 nf_unregister_hooks(nft_base_chain(chain)->ops,
396 static int nf_tables_updtable(struct nft_ctx *ctx)
398 const struct nfgenmsg *nfmsg = nlmsg_data(ctx->nlh);
399 int family = nfmsg->nfgen_family, ret = 0;
402 if (!ctx->nla[NFTA_TABLE_FLAGS])
405 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
406 if (flags & ~NFT_TABLE_F_DORMANT)
409 if ((flags & NFT_TABLE_F_DORMANT) &&
410 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
411 nf_tables_table_disable(ctx->afi, ctx->table);
412 ctx->table->flags |= NFT_TABLE_F_DORMANT;
413 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
414 ctx->table->flags & NFT_TABLE_F_DORMANT) {
415 ret = nf_tables_table_enable(ctx->afi, ctx->table);
417 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
422 nf_tables_table_notify(ctx->skb, ctx->nlh, ctx->table,
423 NFT_MSG_NEWTABLE, family);
428 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
429 const struct nlmsghdr *nlh,
430 const struct nlattr * const nla[])
432 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
433 const struct nlattr *name;
434 struct nft_af_info *afi;
435 struct nft_table *table;
436 struct net *net = sock_net(skb->sk);
437 int family = nfmsg->nfgen_family;
441 afi = nf_tables_afinfo_lookup(net, family, true);
445 name = nla[NFTA_TABLE_NAME];
446 table = nf_tables_table_lookup(afi, name);
448 if (PTR_ERR(table) != -ENOENT)
449 return PTR_ERR(table);
454 if (nlh->nlmsg_flags & NLM_F_EXCL)
456 if (nlh->nlmsg_flags & NLM_F_REPLACE)
459 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
460 return nf_tables_updtable(&ctx);
463 if (nla[NFTA_TABLE_FLAGS]) {
464 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
465 if (flags & ~NFT_TABLE_F_DORMANT)
469 if (!try_module_get(afi->owner))
470 return -EAFNOSUPPORT;
472 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
474 module_put(afi->owner);
478 nla_strlcpy(table->name, name, nla_len(name));
479 INIT_LIST_HEAD(&table->chains);
480 INIT_LIST_HEAD(&table->sets);
481 table->flags = flags;
483 list_add_tail(&table->list, &afi->tables);
484 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
488 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
489 const struct nlmsghdr *nlh,
490 const struct nlattr * const nla[])
492 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
493 struct nft_af_info *afi;
494 struct nft_table *table;
495 struct net *net = sock_net(skb->sk);
496 int family = nfmsg->nfgen_family;
498 afi = nf_tables_afinfo_lookup(net, family, false);
502 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
504 return PTR_ERR(table);
506 if (!list_empty(&table->chains) || !list_empty(&table->sets))
509 list_del(&table->list);
510 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
512 module_put(afi->owner);
516 int nft_register_chain_type(const struct nf_chain_type *ctype)
520 nfnl_lock(NFNL_SUBSYS_NFTABLES);
521 if (chain_type[ctype->family][ctype->type] != NULL) {
525 chain_type[ctype->family][ctype->type] = ctype;
527 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
530 EXPORT_SYMBOL_GPL(nft_register_chain_type);
532 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
534 nfnl_lock(NFNL_SUBSYS_NFTABLES);
535 chain_type[ctype->family][ctype->type] = NULL;
536 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
538 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
544 static struct nft_chain *
545 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
547 struct nft_chain *chain;
549 list_for_each_entry(chain, &table->chains, list) {
550 if (chain->handle == handle)
554 return ERR_PTR(-ENOENT);
557 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
558 const struct nlattr *nla)
560 struct nft_chain *chain;
563 return ERR_PTR(-EINVAL);
565 list_for_each_entry(chain, &table->chains, list) {
566 if (!nla_strcmp(nla, chain->name))
570 return ERR_PTR(-ENOENT);
573 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
574 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
575 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
576 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
577 .len = NFT_CHAIN_MAXNAMELEN - 1 },
578 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
579 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
580 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
581 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
584 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
585 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
586 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
589 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
591 struct nft_stats *cpu_stats, total;
595 memset(&total, 0, sizeof(total));
596 for_each_possible_cpu(cpu) {
597 cpu_stats = per_cpu_ptr(stats, cpu);
598 total.pkts += cpu_stats->pkts;
599 total.bytes += cpu_stats->bytes;
601 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
603 goto nla_put_failure;
605 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
606 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
607 goto nla_put_failure;
609 nla_nest_end(skb, nest);
616 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
617 int event, u32 flags, int family,
618 const struct nft_table *table,
619 const struct nft_chain *chain)
621 struct nlmsghdr *nlh;
622 struct nfgenmsg *nfmsg;
624 event |= NFNL_SUBSYS_NFTABLES << 8;
625 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
627 goto nla_put_failure;
629 nfmsg = nlmsg_data(nlh);
630 nfmsg->nfgen_family = family;
631 nfmsg->version = NFNETLINK_V0;
634 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
635 goto nla_put_failure;
636 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
637 goto nla_put_failure;
638 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
639 goto nla_put_failure;
641 if (chain->flags & NFT_BASE_CHAIN) {
642 const struct nft_base_chain *basechain = nft_base_chain(chain);
643 const struct nf_hook_ops *ops = &basechain->ops[0];
646 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
648 goto nla_put_failure;
649 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
650 goto nla_put_failure;
651 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
652 goto nla_put_failure;
653 nla_nest_end(skb, nest);
655 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
656 htonl(basechain->policy)))
657 goto nla_put_failure;
659 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
660 goto nla_put_failure;
662 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
663 goto nla_put_failure;
666 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
667 goto nla_put_failure;
669 return nlmsg_end(skb, nlh);
672 nlmsg_trim(skb, nlh);
676 static int nf_tables_chain_notify(const struct sk_buff *oskb,
677 const struct nlmsghdr *nlh,
678 const struct nft_table *table,
679 const struct nft_chain *chain,
680 int event, int family)
683 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
684 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
685 u32 seq = nlh ? nlh->nlmsg_seq : 0;
689 report = nlh ? nlmsg_report(nlh) : false;
690 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
694 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
698 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
705 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
709 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
713 static int nf_tables_dump_chains(struct sk_buff *skb,
714 struct netlink_callback *cb)
716 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
717 const struct nft_af_info *afi;
718 const struct nft_table *table;
719 const struct nft_chain *chain;
720 unsigned int idx = 0, s_idx = cb->args[0];
721 struct net *net = sock_net(skb->sk);
722 int family = nfmsg->nfgen_family;
724 list_for_each_entry(afi, &net->nft.af_info, list) {
725 if (family != NFPROTO_UNSPEC && family != afi->family)
728 list_for_each_entry(table, &afi->tables, list) {
729 list_for_each_entry(chain, &table->chains, list) {
733 memset(&cb->args[1], 0,
734 sizeof(cb->args) - sizeof(cb->args[0]));
735 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
739 afi->family, table, chain) < 0)
752 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
753 const struct nlmsghdr *nlh,
754 const struct nlattr * const nla[])
756 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
757 const struct nft_af_info *afi;
758 const struct nft_table *table;
759 const struct nft_chain *chain;
760 struct sk_buff *skb2;
761 struct net *net = sock_net(skb->sk);
762 int family = nfmsg->nfgen_family;
765 if (nlh->nlmsg_flags & NLM_F_DUMP) {
766 struct netlink_dump_control c = {
767 .dump = nf_tables_dump_chains,
769 return netlink_dump_start(nlsk, skb, nlh, &c);
772 afi = nf_tables_afinfo_lookup(net, family, false);
776 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
778 return PTR_ERR(table);
780 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
782 return PTR_ERR(chain);
783 if (chain->flags & NFT_CHAIN_INACTIVE)
786 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
790 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
791 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
792 family, table, chain);
796 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
803 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
804 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
805 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
808 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
810 struct nlattr *tb[NFTA_COUNTER_MAX+1];
811 struct nft_stats __percpu *newstats;
812 struct nft_stats *stats;
815 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
819 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
820 return ERR_PTR(-EINVAL);
822 newstats = alloc_percpu(struct nft_stats);
823 if (newstats == NULL)
824 return ERR_PTR(-ENOMEM);
826 /* Restore old counters on this cpu, no problem. Per-cpu statistics
827 * are not exposed to userspace.
829 stats = this_cpu_ptr(newstats);
830 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
831 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
836 static void nft_chain_stats_replace(struct nft_base_chain *chain,
837 struct nft_stats __percpu *newstats)
840 struct nft_stats __percpu *oldstats =
841 nft_dereference(chain->stats);
843 rcu_assign_pointer(chain->stats, newstats);
845 free_percpu(oldstats);
847 rcu_assign_pointer(chain->stats, newstats);
850 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
852 struct nft_trans *trans;
854 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
858 if (msg_type == NFT_MSG_NEWCHAIN)
859 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
861 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
865 static void nf_tables_chain_destroy(struct nft_chain *chain)
867 BUG_ON(chain->use > 0);
869 if (chain->flags & NFT_BASE_CHAIN) {
870 module_put(nft_base_chain(chain)->type->owner);
871 free_percpu(nft_base_chain(chain)->stats);
872 kfree(nft_base_chain(chain));
878 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
879 const struct nlmsghdr *nlh,
880 const struct nlattr * const nla[])
882 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
883 const struct nlattr * uninitialized_var(name);
884 struct nft_af_info *afi;
885 struct nft_table *table;
886 struct nft_chain *chain;
887 struct nft_base_chain *basechain = NULL;
888 struct nlattr *ha[NFTA_HOOK_MAX + 1];
889 struct net *net = sock_net(skb->sk);
890 int family = nfmsg->nfgen_family;
891 u8 policy = NF_ACCEPT;
894 struct nft_stats __percpu *stats;
899 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
901 afi = nf_tables_afinfo_lookup(net, family, true);
905 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
907 return PTR_ERR(table);
910 name = nla[NFTA_CHAIN_NAME];
912 if (nla[NFTA_CHAIN_HANDLE]) {
913 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
914 chain = nf_tables_chain_lookup_byhandle(table, handle);
916 return PTR_ERR(chain);
918 chain = nf_tables_chain_lookup(table, name);
920 if (PTR_ERR(chain) != -ENOENT)
921 return PTR_ERR(chain);
926 if (nla[NFTA_CHAIN_POLICY]) {
927 if ((chain != NULL &&
928 !(chain->flags & NFT_BASE_CHAIN)) ||
929 nla[NFTA_CHAIN_HOOK] == NULL)
932 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
943 struct nft_stats *stats = NULL;
944 struct nft_trans *trans;
946 if (chain->flags & NFT_CHAIN_INACTIVE)
948 if (nlh->nlmsg_flags & NLM_F_EXCL)
950 if (nlh->nlmsg_flags & NLM_F_REPLACE)
953 if (nla[NFTA_CHAIN_HANDLE] && name &&
954 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
957 if (nla[NFTA_CHAIN_COUNTERS]) {
958 if (!(chain->flags & NFT_BASE_CHAIN))
961 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
963 return PTR_ERR(stats);
966 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
967 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
968 sizeof(struct nft_trans_chain));
972 nft_trans_chain_stats(trans) = stats;
973 nft_trans_chain_update(trans) = true;
975 if (nla[NFTA_CHAIN_POLICY])
976 nft_trans_chain_policy(trans) = policy;
978 nft_trans_chain_policy(trans) = -1;
980 if (nla[NFTA_CHAIN_HANDLE] && name) {
981 nla_strlcpy(nft_trans_chain_name(trans), name,
982 NFT_CHAIN_MAXNAMELEN);
984 list_add_tail(&trans->list, &net->nft.commit_list);
988 if (table->use == UINT_MAX)
991 if (nla[NFTA_CHAIN_HOOK]) {
992 const struct nf_chain_type *type;
993 struct nf_hook_ops *ops;
995 u32 hooknum, priority;
997 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
998 if (nla[NFTA_CHAIN_TYPE]) {
999 type = nf_tables_chain_type_lookup(afi,
1000 nla[NFTA_CHAIN_TYPE],
1003 return PTR_ERR(type);
1006 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1010 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1011 ha[NFTA_HOOK_PRIORITY] == NULL)
1014 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1015 if (hooknum >= afi->nhooks)
1017 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1019 if (!(type->hook_mask & (1 << hooknum)))
1021 if (!try_module_get(type->owner))
1023 hookfn = type->hooks[hooknum];
1025 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1026 if (basechain == NULL)
1029 if (nla[NFTA_CHAIN_COUNTERS]) {
1030 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1031 if (IS_ERR(stats)) {
1032 module_put(type->owner);
1034 return PTR_ERR(stats);
1036 basechain->stats = stats;
1038 stats = alloc_percpu(struct nft_stats);
1039 if (IS_ERR(stats)) {
1040 module_put(type->owner);
1042 return PTR_ERR(stats);
1044 rcu_assign_pointer(basechain->stats, stats);
1047 basechain->type = type;
1048 chain = &basechain->chain;
1050 for (i = 0; i < afi->nops; i++) {
1051 ops = &basechain->ops[i];
1053 ops->owner = afi->owner;
1054 ops->hooknum = hooknum;
1055 ops->priority = priority;
1057 ops->hook = afi->hooks[ops->hooknum];
1060 if (afi->hook_ops_init)
1061 afi->hook_ops_init(ops, i);
1064 chain->flags |= NFT_BASE_CHAIN;
1065 basechain->policy = policy;
1067 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1072 INIT_LIST_HEAD(&chain->rules);
1073 chain->handle = nf_tables_alloc_handle(table);
1075 chain->table = table;
1076 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1078 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1079 chain->flags & NFT_BASE_CHAIN) {
1080 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1085 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1086 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1090 list_add_tail(&chain->list, &table->chains);
1093 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1094 chain->flags & NFT_BASE_CHAIN) {
1095 nf_unregister_hooks(nft_base_chain(chain)->ops,
1099 nf_tables_chain_destroy(chain);
1103 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1104 const struct nlmsghdr *nlh,
1105 const struct nlattr * const nla[])
1107 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1108 struct nft_af_info *afi;
1109 struct nft_table *table;
1110 struct nft_chain *chain;
1111 struct net *net = sock_net(skb->sk);
1112 int family = nfmsg->nfgen_family;
1116 afi = nf_tables_afinfo_lookup(net, family, false);
1118 return PTR_ERR(afi);
1120 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1122 return PTR_ERR(table);
1124 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1126 return PTR_ERR(chain);
1127 if (chain->flags & NFT_CHAIN_INACTIVE)
1129 if (!list_empty(&chain->rules) || chain->use > 0)
1132 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1133 err = nft_trans_chain_add(&ctx, NFT_MSG_DELCHAIN);
1137 list_del(&chain->list);
1146 * nft_register_expr - register nf_tables expr type
1149 * Registers the expr type for use with nf_tables. Returns zero on
1150 * success or a negative errno code otherwise.
1152 int nft_register_expr(struct nft_expr_type *type)
1154 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1155 if (type->family == NFPROTO_UNSPEC)
1156 list_add_tail(&type->list, &nf_tables_expressions);
1158 list_add(&type->list, &nf_tables_expressions);
1159 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1162 EXPORT_SYMBOL_GPL(nft_register_expr);
1165 * nft_unregister_expr - unregister nf_tables expr type
1168 * Unregisters the expr typefor use with nf_tables.
1170 void nft_unregister_expr(struct nft_expr_type *type)
1172 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1173 list_del(&type->list);
1174 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1176 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1178 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1181 const struct nft_expr_type *type;
1183 list_for_each_entry(type, &nf_tables_expressions, list) {
1184 if (!nla_strcmp(nla, type->name) &&
1185 (!type->family || type->family == family))
1191 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1194 const struct nft_expr_type *type;
1197 return ERR_PTR(-EINVAL);
1199 type = __nft_expr_type_get(family, nla);
1200 if (type != NULL && try_module_get(type->owner))
1203 #ifdef CONFIG_MODULES
1205 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1206 request_module("nft-expr-%u-%.*s", family,
1207 nla_len(nla), (char *)nla_data(nla));
1208 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1209 if (__nft_expr_type_get(family, nla))
1210 return ERR_PTR(-EAGAIN);
1212 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1213 request_module("nft-expr-%.*s",
1214 nla_len(nla), (char *)nla_data(nla));
1215 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1216 if (__nft_expr_type_get(family, nla))
1217 return ERR_PTR(-EAGAIN);
1220 return ERR_PTR(-ENOENT);
1223 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1224 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1225 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1228 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1229 const struct nft_expr *expr)
1231 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1232 goto nla_put_failure;
1234 if (expr->ops->dump) {
1235 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1237 goto nla_put_failure;
1238 if (expr->ops->dump(skb, expr) < 0)
1239 goto nla_put_failure;
1240 nla_nest_end(skb, data);
1249 struct nft_expr_info {
1250 const struct nft_expr_ops *ops;
1251 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1254 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1255 const struct nlattr *nla,
1256 struct nft_expr_info *info)
1258 const struct nft_expr_type *type;
1259 const struct nft_expr_ops *ops;
1260 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1263 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1267 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1269 return PTR_ERR(type);
1271 if (tb[NFTA_EXPR_DATA]) {
1272 err = nla_parse_nested(info->tb, type->maxattr,
1273 tb[NFTA_EXPR_DATA], type->policy);
1277 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1279 if (type->select_ops != NULL) {
1280 ops = type->select_ops(ctx,
1281 (const struct nlattr * const *)info->tb);
1293 module_put(type->owner);
1297 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1298 const struct nft_expr_info *info,
1299 struct nft_expr *expr)
1301 const struct nft_expr_ops *ops = info->ops;
1306 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1318 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1319 struct nft_expr *expr)
1321 if (expr->ops->destroy)
1322 expr->ops->destroy(ctx, expr);
1323 module_put(expr->ops->type->owner);
1330 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1333 struct nft_rule *rule;
1335 // FIXME: this sucks
1336 list_for_each_entry(rule, &chain->rules, list) {
1337 if (handle == rule->handle)
1341 return ERR_PTR(-ENOENT);
1344 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1345 const struct nlattr *nla)
1348 return ERR_PTR(-EINVAL);
1350 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1353 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1354 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1355 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1356 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1357 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1358 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1359 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1360 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1361 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1362 .len = NFT_USERDATA_MAXLEN },
1365 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1366 int event, u32 flags, int family,
1367 const struct nft_table *table,
1368 const struct nft_chain *chain,
1369 const struct nft_rule *rule)
1371 struct nlmsghdr *nlh;
1372 struct nfgenmsg *nfmsg;
1373 const struct nft_expr *expr, *next;
1374 struct nlattr *list;
1375 const struct nft_rule *prule;
1376 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1378 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1381 goto nla_put_failure;
1383 nfmsg = nlmsg_data(nlh);
1384 nfmsg->nfgen_family = family;
1385 nfmsg->version = NFNETLINK_V0;
1388 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1389 goto nla_put_failure;
1390 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1391 goto nla_put_failure;
1392 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1393 goto nla_put_failure;
1395 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1396 prule = list_entry(rule->list.prev, struct nft_rule, list);
1397 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1398 cpu_to_be64(prule->handle)))
1399 goto nla_put_failure;
1402 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1404 goto nla_put_failure;
1405 nft_rule_for_each_expr(expr, next, rule) {
1406 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1408 goto nla_put_failure;
1409 if (nf_tables_fill_expr_info(skb, expr) < 0)
1410 goto nla_put_failure;
1411 nla_nest_end(skb, elem);
1413 nla_nest_end(skb, list);
1416 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1417 goto nla_put_failure;
1419 return nlmsg_end(skb, nlh);
1422 nlmsg_trim(skb, nlh);
1426 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1427 const struct nlmsghdr *nlh,
1428 const struct nft_table *table,
1429 const struct nft_chain *chain,
1430 const struct nft_rule *rule,
1431 int event, u32 flags, int family)
1433 struct sk_buff *skb;
1434 u32 portid = NETLINK_CB(oskb).portid;
1435 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1436 u32 seq = nlh->nlmsg_seq;
1440 report = nlmsg_report(nlh);
1441 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1445 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1449 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1450 family, table, chain, rule);
1456 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1460 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1465 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1467 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1470 static inline int gencursor_next(struct net *net)
1472 return net->nft.gencursor+1 == 1 ? 1 : 0;
1476 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1478 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1482 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1484 /* Now inactive, will be active in the future */
1485 rule->genmask = (1 << net->nft.gencursor);
1489 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1491 rule->genmask = (1 << gencursor_next(net));
1494 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1499 static int nf_tables_dump_rules(struct sk_buff *skb,
1500 struct netlink_callback *cb)
1502 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1503 const struct nft_af_info *afi;
1504 const struct nft_table *table;
1505 const struct nft_chain *chain;
1506 const struct nft_rule *rule;
1507 unsigned int idx = 0, s_idx = cb->args[0];
1508 struct net *net = sock_net(skb->sk);
1509 int family = nfmsg->nfgen_family;
1510 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1511 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1513 list_for_each_entry(afi, &net->nft.af_info, list) {
1514 if (family != NFPROTO_UNSPEC && family != afi->family)
1517 list_for_each_entry(table, &afi->tables, list) {
1518 list_for_each_entry(chain, &table->chains, list) {
1519 list_for_each_entry(rule, &chain->rules, list) {
1520 if (!nft_rule_is_active(net, rule))
1525 memset(&cb->args[1], 0,
1526 sizeof(cb->args) - sizeof(cb->args[0]));
1527 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1530 NLM_F_MULTI | NLM_F_APPEND,
1531 afi->family, table, chain, rule) < 0)
1540 /* Invalidate this dump, a transition to the new generation happened */
1541 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1548 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1549 const struct nlmsghdr *nlh,
1550 const struct nlattr * const nla[])
1552 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1553 const struct nft_af_info *afi;
1554 const struct nft_table *table;
1555 const struct nft_chain *chain;
1556 const struct nft_rule *rule;
1557 struct sk_buff *skb2;
1558 struct net *net = sock_net(skb->sk);
1559 int family = nfmsg->nfgen_family;
1562 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1563 struct netlink_dump_control c = {
1564 .dump = nf_tables_dump_rules,
1566 return netlink_dump_start(nlsk, skb, nlh, &c);
1569 afi = nf_tables_afinfo_lookup(net, family, false);
1571 return PTR_ERR(afi);
1573 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1575 return PTR_ERR(table);
1577 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1579 return PTR_ERR(chain);
1580 if (chain->flags & NFT_CHAIN_INACTIVE)
1583 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1585 return PTR_ERR(rule);
1587 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1591 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1592 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1593 family, table, chain, rule);
1597 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1604 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1605 struct nft_rule *rule)
1607 struct nft_expr *expr;
1610 * Careful: some expressions might not be initialized in case this
1611 * is called on error from nf_tables_newrule().
1613 expr = nft_expr_first(rule);
1614 while (expr->ops && expr != nft_expr_last(rule)) {
1615 nf_tables_expr_destroy(ctx, expr);
1616 expr = nft_expr_next(expr);
1621 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
1622 struct nft_rule *rule)
1624 struct nft_trans *trans;
1626 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
1630 nft_trans_rule(trans) = rule;
1631 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1636 #define NFT_RULE_MAXEXPRS 128
1638 static struct nft_expr_info *info;
1640 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1641 const struct nlmsghdr *nlh,
1642 const struct nlattr * const nla[])
1644 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1645 struct nft_af_info *afi;
1646 struct net *net = sock_net(skb->sk);
1647 struct nft_table *table;
1648 struct nft_chain *chain;
1649 struct nft_rule *rule, *old_rule = NULL;
1650 struct nft_trans *trans = NULL;
1651 struct nft_expr *expr;
1654 unsigned int size, i, n, ulen = 0;
1657 u64 handle, pos_handle;
1659 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1661 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1663 return PTR_ERR(afi);
1665 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1667 return PTR_ERR(table);
1669 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1671 return PTR_ERR(chain);
1673 if (nla[NFTA_RULE_HANDLE]) {
1674 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1675 rule = __nf_tables_rule_lookup(chain, handle);
1677 return PTR_ERR(rule);
1679 if (nlh->nlmsg_flags & NLM_F_EXCL)
1681 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1686 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1688 handle = nf_tables_alloc_handle(table);
1691 if (nla[NFTA_RULE_POSITION]) {
1692 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1695 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1696 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1697 if (IS_ERR(old_rule))
1698 return PTR_ERR(old_rule);
1701 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1705 if (nla[NFTA_RULE_EXPRESSIONS]) {
1706 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1708 if (nla_type(tmp) != NFTA_LIST_ELEM)
1710 if (n == NFT_RULE_MAXEXPRS)
1712 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1715 size += info[n].ops->size;
1720 if (nla[NFTA_RULE_USERDATA])
1721 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1724 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1728 nft_rule_activate_next(net, rule);
1730 rule->handle = handle;
1735 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1737 expr = nft_expr_first(rule);
1738 for (i = 0; i < n; i++) {
1739 err = nf_tables_newexpr(&ctx, &info[i], expr);
1743 expr = nft_expr_next(expr);
1746 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1747 if (nft_rule_is_active_next(net, old_rule)) {
1748 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE,
1750 if (trans == NULL) {
1754 nft_rule_disactivate_next(net, old_rule);
1755 list_add_tail(&rule->list, &old_rule->list);
1760 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1762 list_add_rcu(&rule->list, &old_rule->list);
1764 list_add_tail_rcu(&rule->list, &chain->rules);
1767 list_add_tail_rcu(&rule->list, &old_rule->list);
1769 list_add_rcu(&rule->list, &chain->rules);
1772 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
1779 list_del_rcu(&rule->list);
1781 list_del_rcu(&nft_trans_rule(trans)->list);
1782 nft_rule_clear(net, nft_trans_rule(trans));
1783 nft_trans_destroy(trans);
1786 nf_tables_rule_destroy(&ctx, rule);
1788 for (i = 0; i < n; i++) {
1789 if (info[i].ops != NULL)
1790 module_put(info[i].ops->type->owner);
1796 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1798 /* You cannot delete the same rule twice */
1799 if (nft_rule_is_active_next(ctx->net, rule)) {
1800 if (nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule) == NULL)
1802 nft_rule_disactivate_next(ctx->net, rule);
1808 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1810 struct nft_rule *rule;
1813 list_for_each_entry(rule, &ctx->chain->rules, list) {
1814 err = nf_tables_delrule_one(ctx, rule);
1821 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1822 const struct nlmsghdr *nlh,
1823 const struct nlattr * const nla[])
1825 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1826 struct nft_af_info *afi;
1827 struct net *net = sock_net(skb->sk);
1828 struct nft_table *table;
1829 struct nft_chain *chain = NULL;
1830 struct nft_rule *rule;
1831 int family = nfmsg->nfgen_family, err = 0;
1834 afi = nf_tables_afinfo_lookup(net, family, false);
1836 return PTR_ERR(afi);
1838 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1840 return PTR_ERR(table);
1842 if (nla[NFTA_RULE_CHAIN]) {
1843 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1845 return PTR_ERR(chain);
1848 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1851 if (nla[NFTA_RULE_HANDLE]) {
1852 rule = nf_tables_rule_lookup(chain,
1853 nla[NFTA_RULE_HANDLE]);
1855 return PTR_ERR(rule);
1857 err = nf_tables_delrule_one(&ctx, rule);
1859 err = nf_table_delrule_by_chain(&ctx);
1862 list_for_each_entry(chain, &table->chains, list) {
1864 err = nf_table_delrule_by_chain(&ctx);
1877 static LIST_HEAD(nf_tables_set_ops);
1879 int nft_register_set(struct nft_set_ops *ops)
1881 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1882 list_add_tail(&ops->list, &nf_tables_set_ops);
1883 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1886 EXPORT_SYMBOL_GPL(nft_register_set);
1888 void nft_unregister_set(struct nft_set_ops *ops)
1890 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1891 list_del(&ops->list);
1892 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1894 EXPORT_SYMBOL_GPL(nft_unregister_set);
1897 * Select a set implementation based on the data characteristics and the
1898 * given policy. The total memory use might not be known if no size is
1899 * given, in that case the amount of memory per element is used.
1901 static const struct nft_set_ops *
1902 nft_select_set_ops(const struct nlattr * const nla[],
1903 const struct nft_set_desc *desc,
1904 enum nft_set_policies policy)
1906 const struct nft_set_ops *ops, *bops;
1907 struct nft_set_estimate est, best;
1910 #ifdef CONFIG_MODULES
1911 if (list_empty(&nf_tables_set_ops)) {
1912 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1913 request_module("nft-set");
1914 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1915 if (!list_empty(&nf_tables_set_ops))
1916 return ERR_PTR(-EAGAIN);
1920 if (nla[NFTA_SET_FLAGS] != NULL) {
1921 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1922 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1929 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1930 if ((ops->features & features) != features)
1932 if (!ops->estimate(desc, features, &est))
1936 case NFT_SET_POL_PERFORMANCE:
1937 if (est.class < best.class)
1939 if (est.class == best.class && est.size < best.size)
1942 case NFT_SET_POL_MEMORY:
1943 if (est.size < best.size)
1945 if (est.size == best.size && est.class < best.class)
1952 if (!try_module_get(ops->owner))
1955 module_put(bops->owner);
1964 return ERR_PTR(-EOPNOTSUPP);
1967 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1968 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1969 [NFTA_SET_NAME] = { .type = NLA_STRING },
1970 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1971 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1972 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1973 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1974 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1975 [NFTA_SET_POLICY] = { .type = NLA_U32 },
1976 [NFTA_SET_DESC] = { .type = NLA_NESTED },
1977 [NFTA_SET_ID] = { .type = NLA_U32 },
1980 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
1981 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
1984 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1985 const struct sk_buff *skb,
1986 const struct nlmsghdr *nlh,
1987 const struct nlattr * const nla[])
1989 struct net *net = sock_net(skb->sk);
1990 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1991 struct nft_af_info *afi = NULL;
1992 struct nft_table *table = NULL;
1994 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
1995 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1997 return PTR_ERR(afi);
2000 if (nla[NFTA_SET_TABLE] != NULL) {
2002 return -EAFNOSUPPORT;
2004 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2006 return PTR_ERR(table);
2009 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2013 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2014 const struct nlattr *nla)
2016 struct nft_set *set;
2019 return ERR_PTR(-EINVAL);
2021 list_for_each_entry(set, &table->sets, list) {
2022 if (!nla_strcmp(nla, set->name))
2025 return ERR_PTR(-ENOENT);
2028 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2029 const struct nlattr *nla)
2031 struct nft_trans *trans;
2032 u32 id = ntohl(nla_get_be32(nla));
2034 list_for_each_entry(trans, &net->nft.commit_list, list) {
2035 if (trans->msg_type == NFT_MSG_NEWSET &&
2036 id == nft_trans_set_id(trans))
2037 return nft_trans_set(trans);
2039 return ERR_PTR(-ENOENT);
2042 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2045 const struct nft_set *i;
2047 unsigned long *inuse;
2048 unsigned int n = 0, min = 0;
2050 p = strnchr(name, IFNAMSIZ, '%');
2052 if (p[1] != 'd' || strchr(p + 2, '%'))
2055 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2059 list_for_each_entry(i, &ctx->table->sets, list) {
2062 if (!sscanf(i->name, name, &tmp))
2064 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2067 set_bit(tmp - min, inuse);
2070 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2071 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2072 min += BITS_PER_BYTE * PAGE_SIZE;
2073 memset(inuse, 0, PAGE_SIZE);
2076 free_page((unsigned long)inuse);
2079 snprintf(set->name, sizeof(set->name), name, min + n);
2080 list_for_each_entry(i, &ctx->table->sets, list) {
2081 if (!strcmp(set->name, i->name))
2087 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2088 const struct nft_set *set, u16 event, u16 flags)
2090 struct nfgenmsg *nfmsg;
2091 struct nlmsghdr *nlh;
2092 struct nlattr *desc;
2093 u32 portid = NETLINK_CB(ctx->skb).portid;
2094 u32 seq = ctx->nlh->nlmsg_seq;
2096 event |= NFNL_SUBSYS_NFTABLES << 8;
2097 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2100 goto nla_put_failure;
2102 nfmsg = nlmsg_data(nlh);
2103 nfmsg->nfgen_family = ctx->afi->family;
2104 nfmsg->version = NFNETLINK_V0;
2107 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2108 goto nla_put_failure;
2109 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2110 goto nla_put_failure;
2111 if (set->flags != 0)
2112 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2113 goto nla_put_failure;
2115 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2116 goto nla_put_failure;
2117 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2118 goto nla_put_failure;
2119 if (set->flags & NFT_SET_MAP) {
2120 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2121 goto nla_put_failure;
2122 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2123 goto nla_put_failure;
2126 desc = nla_nest_start(skb, NFTA_SET_DESC);
2128 goto nla_put_failure;
2130 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2131 goto nla_put_failure;
2132 nla_nest_end(skb, desc);
2134 return nlmsg_end(skb, nlh);
2137 nlmsg_trim(skb, nlh);
2141 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2142 const struct nft_set *set,
2145 struct sk_buff *skb;
2146 u32 portid = NETLINK_CB(ctx->skb).portid;
2150 report = nlmsg_report(ctx->nlh);
2151 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2155 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2159 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2165 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2169 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2173 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2174 struct netlink_callback *cb)
2176 const struct nft_set *set;
2177 unsigned int idx = 0, s_idx = cb->args[0];
2182 list_for_each_entry(set, &ctx->table->sets, list) {
2185 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2198 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2199 struct netlink_callback *cb)
2201 const struct nft_set *set;
2202 unsigned int idx, s_idx = cb->args[0];
2203 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2208 list_for_each_entry(table, &ctx->afi->tables, list) {
2210 if (cur_table != table)
2217 list_for_each_entry(set, &ctx->table->sets, list) {
2220 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2223 cb->args[2] = (unsigned long) table;
2235 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2236 struct netlink_callback *cb)
2238 const struct nft_set *set;
2239 unsigned int idx, s_idx = cb->args[0];
2240 struct nft_af_info *afi;
2241 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2242 struct net *net = sock_net(skb->sk);
2243 int cur_family = cb->args[3];
2248 list_for_each_entry(afi, &net->nft.af_info, list) {
2250 if (afi->family != cur_family)
2256 list_for_each_entry(table, &afi->tables, list) {
2258 if (cur_table != table)
2267 list_for_each_entry(set, &ctx->table->sets, list) {
2270 if (nf_tables_fill_set(skb, ctx, set,
2274 cb->args[2] = (unsigned long) table;
2275 cb->args[3] = afi->family;
2290 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2292 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2293 struct nlattr *nla[NFTA_SET_MAX + 1];
2297 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2302 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2306 if (ctx.table == NULL) {
2307 if (ctx.afi == NULL)
2308 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2310 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2312 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2317 #define NFT_SET_INACTIVE (1 << 15) /* Internal set flag */
2319 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2320 const struct nlmsghdr *nlh,
2321 const struct nlattr * const nla[])
2323 const struct nft_set *set;
2325 struct sk_buff *skb2;
2326 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2329 /* Verify existance before starting dump */
2330 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2334 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2335 struct netlink_dump_control c = {
2336 .dump = nf_tables_dump_sets,
2338 return netlink_dump_start(nlsk, skb, nlh, &c);
2341 /* Only accept unspec with dump */
2342 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2343 return -EAFNOSUPPORT;
2345 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2347 return PTR_ERR(set);
2348 if (set->flags & NFT_SET_INACTIVE)
2351 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2355 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2359 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2366 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2367 struct nft_set_desc *desc,
2368 const struct nlattr *nla)
2370 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2373 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2377 if (da[NFTA_SET_DESC_SIZE] != NULL)
2378 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2383 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
2384 struct nft_set *set)
2386 struct nft_trans *trans;
2388 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
2392 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
2393 nft_trans_set_id(trans) =
2394 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
2395 set->flags |= NFT_SET_INACTIVE;
2397 nft_trans_set(trans) = set;
2398 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2403 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2404 const struct nlmsghdr *nlh,
2405 const struct nlattr * const nla[])
2407 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2408 const struct nft_set_ops *ops;
2409 struct nft_af_info *afi;
2410 struct net *net = sock_net(skb->sk);
2411 struct nft_table *table;
2412 struct nft_set *set;
2414 char name[IFNAMSIZ];
2417 u32 ktype, dtype, flags, policy;
2418 struct nft_set_desc desc;
2421 if (nla[NFTA_SET_TABLE] == NULL ||
2422 nla[NFTA_SET_NAME] == NULL ||
2423 nla[NFTA_SET_KEY_LEN] == NULL ||
2424 nla[NFTA_SET_ID] == NULL)
2427 memset(&desc, 0, sizeof(desc));
2429 ktype = NFT_DATA_VALUE;
2430 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2431 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2432 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2436 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2437 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2441 if (nla[NFTA_SET_FLAGS] != NULL) {
2442 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2443 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2444 NFT_SET_INTERVAL | NFT_SET_MAP))
2449 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2450 if (!(flags & NFT_SET_MAP))
2453 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2454 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2455 dtype != NFT_DATA_VERDICT)
2458 if (dtype != NFT_DATA_VERDICT) {
2459 if (nla[NFTA_SET_DATA_LEN] == NULL)
2461 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2462 if (desc.dlen == 0 ||
2463 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2466 desc.dlen = sizeof(struct nft_data);
2467 } else if (flags & NFT_SET_MAP)
2470 policy = NFT_SET_POL_PERFORMANCE;
2471 if (nla[NFTA_SET_POLICY] != NULL)
2472 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2474 if (nla[NFTA_SET_DESC] != NULL) {
2475 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2480 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2482 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2484 return PTR_ERR(afi);
2486 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2488 return PTR_ERR(table);
2490 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2492 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2494 if (PTR_ERR(set) != -ENOENT)
2495 return PTR_ERR(set);
2500 if (nlh->nlmsg_flags & NLM_F_EXCL)
2502 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2507 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2510 ops = nft_select_set_ops(nla, &desc, policy);
2512 return PTR_ERR(ops);
2515 if (ops->privsize != NULL)
2516 size = ops->privsize(nla);
2519 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2523 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2524 err = nf_tables_set_alloc_name(&ctx, set, name);
2528 INIT_LIST_HEAD(&set->bindings);
2531 set->klen = desc.klen;
2533 set->dlen = desc.dlen;
2535 set->size = desc.size;
2537 err = ops->init(set, &desc, nla);
2541 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2545 list_add_tail(&set->list, &table->sets);
2551 module_put(ops->owner);
2555 static void nft_set_destroy(struct nft_set *set)
2557 set->ops->destroy(set);
2558 module_put(set->ops->owner);
2562 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2564 list_del(&set->list);
2565 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2566 nft_set_destroy(set);
2569 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2570 const struct nlmsghdr *nlh,
2571 const struct nlattr * const nla[])
2573 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2574 struct nft_set *set;
2578 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2579 return -EAFNOSUPPORT;
2580 if (nla[NFTA_SET_TABLE] == NULL)
2583 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2587 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2589 return PTR_ERR(set);
2590 if (set->flags & NFT_SET_INACTIVE)
2592 if (!list_empty(&set->bindings))
2595 err = nft_trans_set_add(&ctx, NFT_MSG_DELSET, set);
2599 list_del(&set->list);
2603 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2604 const struct nft_set *set,
2605 const struct nft_set_iter *iter,
2606 const struct nft_set_elem *elem)
2608 enum nft_registers dreg;
2610 dreg = nft_type_to_reg(set->dtype);
2611 return nft_validate_data_load(ctx, dreg, &elem->data,
2612 set->dtype == NFT_DATA_VERDICT ?
2613 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2616 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2617 struct nft_set_binding *binding)
2619 struct nft_set_binding *i;
2620 struct nft_set_iter iter;
2622 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2625 if (set->flags & NFT_SET_MAP) {
2626 /* If the set is already bound to the same chain all
2627 * jumps are already validated for that chain.
2629 list_for_each_entry(i, &set->bindings, list) {
2630 if (i->chain == binding->chain)
2637 iter.fn = nf_tables_bind_check_setelem;
2639 set->ops->walk(ctx, set, &iter);
2641 /* Destroy anonymous sets if binding fails */
2642 if (set->flags & NFT_SET_ANONYMOUS)
2643 nf_tables_set_destroy(ctx, set);
2649 binding->chain = ctx->chain;
2650 list_add_tail(&binding->list, &set->bindings);
2654 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2655 struct nft_set_binding *binding)
2657 list_del(&binding->list);
2659 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2660 !(set->flags & NFT_SET_INACTIVE))
2661 nf_tables_set_destroy(ctx, set);
2668 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2669 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2670 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2671 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2674 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2675 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2676 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2677 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2678 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
2681 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2682 const struct sk_buff *skb,
2683 const struct nlmsghdr *nlh,
2684 const struct nlattr * const nla[])
2686 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2687 struct nft_af_info *afi;
2688 struct nft_table *table;
2689 struct net *net = sock_net(skb->sk);
2691 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2693 return PTR_ERR(afi);
2695 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2697 return PTR_ERR(table);
2699 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2703 static int nf_tables_fill_setelem(struct sk_buff *skb,
2704 const struct nft_set *set,
2705 const struct nft_set_elem *elem)
2707 unsigned char *b = skb_tail_pointer(skb);
2708 struct nlattr *nest;
2710 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2712 goto nla_put_failure;
2714 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2716 goto nla_put_failure;
2718 if (set->flags & NFT_SET_MAP &&
2719 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2720 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2721 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2723 goto nla_put_failure;
2725 if (elem->flags != 0)
2726 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2727 goto nla_put_failure;
2729 nla_nest_end(skb, nest);
2737 struct nft_set_dump_args {
2738 const struct netlink_callback *cb;
2739 struct nft_set_iter iter;
2740 struct sk_buff *skb;
2743 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2744 const struct nft_set *set,
2745 const struct nft_set_iter *iter,
2746 const struct nft_set_elem *elem)
2748 struct nft_set_dump_args *args;
2750 args = container_of(iter, struct nft_set_dump_args, iter);
2751 return nf_tables_fill_setelem(args->skb, set, elem);
2754 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2756 const struct nft_set *set;
2757 struct nft_set_dump_args args;
2759 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2760 struct nfgenmsg *nfmsg;
2761 struct nlmsghdr *nlh;
2762 struct nlattr *nest;
2766 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2767 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2771 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2775 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2777 return PTR_ERR(set);
2778 if (set->flags & NFT_SET_INACTIVE)
2781 event = NFT_MSG_NEWSETELEM;
2782 event |= NFNL_SUBSYS_NFTABLES << 8;
2783 portid = NETLINK_CB(cb->skb).portid;
2784 seq = cb->nlh->nlmsg_seq;
2786 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2789 goto nla_put_failure;
2791 nfmsg = nlmsg_data(nlh);
2792 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2793 nfmsg->version = NFNETLINK_V0;
2796 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2797 goto nla_put_failure;
2798 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2799 goto nla_put_failure;
2801 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2803 goto nla_put_failure;
2807 args.iter.skip = cb->args[0];
2808 args.iter.count = 0;
2810 args.iter.fn = nf_tables_dump_setelem;
2811 set->ops->walk(&ctx, set, &args.iter);
2813 nla_nest_end(skb, nest);
2814 nlmsg_end(skb, nlh);
2816 if (args.iter.err && args.iter.err != -EMSGSIZE)
2817 return args.iter.err;
2818 if (args.iter.count == cb->args[0])
2821 cb->args[0] = args.iter.count;
2828 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2829 const struct nlmsghdr *nlh,
2830 const struct nlattr * const nla[])
2832 const struct nft_set *set;
2836 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2840 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2842 return PTR_ERR(set);
2843 if (set->flags & NFT_SET_INACTIVE)
2846 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2847 struct netlink_dump_control c = {
2848 .dump = nf_tables_dump_set,
2850 return netlink_dump_start(nlsk, skb, nlh, &c);
2855 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
2856 const struct nft_ctx *ctx, u32 seq,
2857 u32 portid, int event, u16 flags,
2858 const struct nft_set *set,
2859 const struct nft_set_elem *elem)
2861 struct nfgenmsg *nfmsg;
2862 struct nlmsghdr *nlh;
2863 struct nlattr *nest;
2866 event |= NFNL_SUBSYS_NFTABLES << 8;
2867 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2870 goto nla_put_failure;
2872 nfmsg = nlmsg_data(nlh);
2873 nfmsg->nfgen_family = ctx->afi->family;
2874 nfmsg->version = NFNETLINK_V0;
2877 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2878 goto nla_put_failure;
2879 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2880 goto nla_put_failure;
2882 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2884 goto nla_put_failure;
2886 err = nf_tables_fill_setelem(skb, set, elem);
2888 goto nla_put_failure;
2890 nla_nest_end(skb, nest);
2892 return nlmsg_end(skb, nlh);
2895 nlmsg_trim(skb, nlh);
2899 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
2900 const struct nft_set *set,
2901 const struct nft_set_elem *elem,
2902 int event, u16 flags)
2904 const struct sk_buff *oskb = ctx->skb;
2905 struct net *net = sock_net(oskb->sk);
2906 u32 portid = NETLINK_CB(oskb).portid;
2907 bool report = nlmsg_report(ctx->nlh);
2908 struct sk_buff *skb;
2911 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
2915 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2919 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
2926 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
2930 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
2934 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2935 const struct nlattr *attr)
2937 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2938 struct nft_data_desc d1, d2;
2939 struct nft_set_elem elem;
2940 struct nft_set_binding *binding;
2941 enum nft_registers dreg;
2944 if (set->size && set->nelems == set->size)
2947 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2948 nft_set_elem_policy);
2952 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2956 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2957 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2958 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2962 if (set->flags & NFT_SET_MAP) {
2963 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2964 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2966 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
2967 elem.flags & NFT_SET_ELEM_INTERVAL_END)
2970 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2974 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2978 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2982 if (set->ops->get(set, &elem) == 0)
2985 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2986 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2991 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2994 dreg = nft_type_to_reg(set->dtype);
2995 list_for_each_entry(binding, &set->bindings, list) {
2996 struct nft_ctx bind_ctx = {
2998 .table = ctx->table,
2999 .chain = (struct nft_chain *)binding->chain,
3002 err = nft_validate_data_load(&bind_ctx, dreg,
3003 &elem.data, d2.type);
3009 err = set->ops->insert(set, &elem);
3014 nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_NEWSETELEM, 0);
3018 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3019 nft_data_uninit(&elem.data, d2.type);
3021 nft_data_uninit(&elem.key, d1.type);
3026 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
3027 const struct nlmsghdr *nlh,
3028 const struct nlattr * const nla[])
3030 struct net *net = sock_net(skb->sk);
3031 const struct nlattr *attr;
3032 struct nft_set *set;
3036 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
3040 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3042 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3043 set = nf_tables_set_lookup_byid(net,
3044 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3047 return PTR_ERR(set);
3050 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3053 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3054 err = nft_add_set_elem(&ctx, set, attr);
3061 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
3062 const struct nlattr *attr)
3064 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3065 struct nft_data_desc desc;
3066 struct nft_set_elem elem;
3069 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3070 nft_set_elem_policy);
3075 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3078 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
3083 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3086 err = set->ops->get(set, &elem);
3090 set->ops->remove(set, &elem);
3093 nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_DELSETELEM, 0);
3095 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
3096 if (set->flags & NFT_SET_MAP)
3097 nft_data_uninit(&elem.data, set->dtype);
3100 nft_data_uninit(&elem.key, desc.type);
3105 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3106 const struct nlmsghdr *nlh,
3107 const struct nlattr * const nla[])
3109 const struct nlattr *attr;
3110 struct nft_set *set;
3114 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
3118 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3120 return PTR_ERR(set);
3121 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3124 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3125 err = nft_del_setelem(&ctx, set, attr);
3132 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3133 [NFT_MSG_NEWTABLE] = {
3134 .call = nf_tables_newtable,
3135 .attr_count = NFTA_TABLE_MAX,
3136 .policy = nft_table_policy,
3138 [NFT_MSG_GETTABLE] = {
3139 .call = nf_tables_gettable,
3140 .attr_count = NFTA_TABLE_MAX,
3141 .policy = nft_table_policy,
3143 [NFT_MSG_DELTABLE] = {
3144 .call = nf_tables_deltable,
3145 .attr_count = NFTA_TABLE_MAX,
3146 .policy = nft_table_policy,
3148 [NFT_MSG_NEWCHAIN] = {
3149 .call_batch = nf_tables_newchain,
3150 .attr_count = NFTA_CHAIN_MAX,
3151 .policy = nft_chain_policy,
3153 [NFT_MSG_GETCHAIN] = {
3154 .call = nf_tables_getchain,
3155 .attr_count = NFTA_CHAIN_MAX,
3156 .policy = nft_chain_policy,
3158 [NFT_MSG_DELCHAIN] = {
3159 .call_batch = nf_tables_delchain,
3160 .attr_count = NFTA_CHAIN_MAX,
3161 .policy = nft_chain_policy,
3163 [NFT_MSG_NEWRULE] = {
3164 .call_batch = nf_tables_newrule,
3165 .attr_count = NFTA_RULE_MAX,
3166 .policy = nft_rule_policy,
3168 [NFT_MSG_GETRULE] = {
3169 .call = nf_tables_getrule,
3170 .attr_count = NFTA_RULE_MAX,
3171 .policy = nft_rule_policy,
3173 [NFT_MSG_DELRULE] = {
3174 .call_batch = nf_tables_delrule,
3175 .attr_count = NFTA_RULE_MAX,
3176 .policy = nft_rule_policy,
3178 [NFT_MSG_NEWSET] = {
3179 .call_batch = nf_tables_newset,
3180 .attr_count = NFTA_SET_MAX,
3181 .policy = nft_set_policy,
3183 [NFT_MSG_GETSET] = {
3184 .call = nf_tables_getset,
3185 .attr_count = NFTA_SET_MAX,
3186 .policy = nft_set_policy,
3188 [NFT_MSG_DELSET] = {
3189 .call_batch = nf_tables_delset,
3190 .attr_count = NFTA_SET_MAX,
3191 .policy = nft_set_policy,
3193 [NFT_MSG_NEWSETELEM] = {
3194 .call_batch = nf_tables_newsetelem,
3195 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3196 .policy = nft_set_elem_list_policy,
3198 [NFT_MSG_GETSETELEM] = {
3199 .call = nf_tables_getsetelem,
3200 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3201 .policy = nft_set_elem_list_policy,
3203 [NFT_MSG_DELSETELEM] = {
3204 .call_batch = nf_tables_delsetelem,
3205 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3206 .policy = nft_set_elem_list_policy,
3210 static void nft_chain_commit_update(struct nft_trans *trans)
3212 struct nft_base_chain *basechain;
3214 if (nft_trans_chain_name(trans)[0])
3215 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3217 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3220 basechain = nft_base_chain(trans->ctx.chain);
3221 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3223 switch (nft_trans_chain_policy(trans)) {
3226 basechain->policy = nft_trans_chain_policy(trans);
3231 static int nf_tables_commit(struct sk_buff *skb)
3233 struct net *net = sock_net(skb->sk);
3234 struct nft_trans *trans, *next;
3236 /* Bump generation counter, invalidate any dump in progress */
3239 /* A new generation has just started */
3240 net->nft.gencursor = gencursor_next(net);
3242 /* Make sure all packets have left the previous generation before
3243 * purging old rules.
3247 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3248 switch (trans->msg_type) {
3249 case NFT_MSG_NEWCHAIN:
3250 if (nft_trans_chain_update(trans))
3251 nft_chain_commit_update(trans);
3253 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3254 trans->ctx.table->use++;
3256 nf_tables_chain_notify(trans->ctx.skb, trans->ctx.nlh,
3260 trans->ctx.afi->family);
3261 nft_trans_destroy(trans);
3263 case NFT_MSG_DELCHAIN:
3264 trans->ctx.table->use--;
3265 nf_tables_chain_notify(trans->ctx.skb, trans->ctx.nlh,
3269 trans->ctx.afi->family);
3270 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3271 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3272 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3273 trans->ctx.afi->nops);
3276 case NFT_MSG_NEWRULE:
3277 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3278 nf_tables_rule_notify(trans->ctx.skb, trans->ctx.nlh,
3281 nft_trans_rule(trans),
3283 trans->ctx.afi->family);
3284 nft_trans_destroy(trans);
3286 case NFT_MSG_DELRULE:
3287 list_del_rcu(&nft_trans_rule(trans)->list);
3288 nf_tables_rule_notify(trans->ctx.skb, trans->ctx.nlh,
3291 nft_trans_rule(trans), NFT_MSG_DELRULE, 0,
3292 trans->ctx.afi->family);
3294 case NFT_MSG_NEWSET:
3295 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3296 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3298 nft_trans_destroy(trans);
3300 case NFT_MSG_DELSET:
3301 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3307 /* Make sure we don't see any packet traversing old rules */
3310 /* Now we can safely release unused old rules */
3311 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3312 switch (trans->msg_type) {
3313 case NFT_MSG_DELCHAIN:
3314 nf_tables_chain_destroy(trans->ctx.chain);
3316 case NFT_MSG_DELRULE:
3317 nf_tables_rule_destroy(&trans->ctx,
3318 nft_trans_rule(trans));
3320 case NFT_MSG_DELSET:
3321 nft_set_destroy(nft_trans_set(trans));
3324 nft_trans_destroy(trans);
3330 static int nf_tables_abort(struct sk_buff *skb)
3332 struct net *net = sock_net(skb->sk);
3333 struct nft_trans *trans, *next;
3335 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3336 switch (trans->msg_type) {
3337 case NFT_MSG_NEWCHAIN:
3338 if (nft_trans_chain_update(trans)) {
3339 if (nft_trans_chain_stats(trans))
3340 free_percpu(nft_trans_chain_stats(trans));
3342 nft_trans_destroy(trans);
3344 list_del(&trans->ctx.chain->list);
3345 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
3346 trans->ctx.chain->flags & NFT_BASE_CHAIN) {
3347 nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
3348 trans->ctx.afi->nops);
3352 case NFT_MSG_DELCHAIN:
3353 list_add_tail(&trans->ctx.chain->list,
3354 &trans->ctx.table->chains);
3355 nft_trans_destroy(trans);
3357 case NFT_MSG_NEWRULE:
3358 list_del_rcu(&nft_trans_rule(trans)->list);
3360 case NFT_MSG_DELRULE:
3361 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3362 nft_trans_destroy(trans);
3364 case NFT_MSG_NEWSET:
3365 list_del(&nft_trans_set(trans)->list);
3367 case NFT_MSG_DELSET:
3368 list_add_tail(&nft_trans_set(trans)->list,
3369 &trans->ctx.table->sets);
3370 nft_trans_destroy(trans);
3375 /* Make sure we don't see any packet accessing aborted rules */
3378 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3379 switch (trans->msg_type) {
3380 case NFT_MSG_NEWCHAIN:
3381 nf_tables_chain_destroy(trans->ctx.chain);
3383 case NFT_MSG_NEWRULE:
3384 nf_tables_rule_destroy(&trans->ctx,
3385 nft_trans_rule(trans));
3387 case NFT_MSG_NEWSET:
3388 nft_set_destroy(nft_trans_set(trans));
3391 nft_trans_destroy(trans);
3397 static const struct nfnetlink_subsystem nf_tables_subsys = {
3398 .name = "nf_tables",
3399 .subsys_id = NFNL_SUBSYS_NFTABLES,
3400 .cb_count = NFT_MSG_MAX,
3402 .commit = nf_tables_commit,
3403 .abort = nf_tables_abort,
3407 * Loop detection - walk through the ruleset beginning at the destination chain
3408 * of a new jump until either the source chain is reached (loop) or all
3409 * reachable chains have been traversed.
3411 * The loop check is performed whenever a new jump verdict is added to an
3412 * expression or verdict map or a verdict map is bound to a new chain.
3415 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3416 const struct nft_chain *chain);
3418 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3419 const struct nft_set *set,
3420 const struct nft_set_iter *iter,
3421 const struct nft_set_elem *elem)
3423 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3426 switch (elem->data.verdict) {
3429 return nf_tables_check_loops(ctx, elem->data.chain);
3435 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3436 const struct nft_chain *chain)
3438 const struct nft_rule *rule;
3439 const struct nft_expr *expr, *last;
3440 const struct nft_set *set;
3441 struct nft_set_binding *binding;
3442 struct nft_set_iter iter;
3444 if (ctx->chain == chain)
3447 list_for_each_entry(rule, &chain->rules, list) {
3448 nft_rule_for_each_expr(expr, last, rule) {
3449 const struct nft_data *data = NULL;
3452 if (!expr->ops->validate)
3455 err = expr->ops->validate(ctx, expr, &data);
3462 switch (data->verdict) {
3465 err = nf_tables_check_loops(ctx, data->chain);
3474 list_for_each_entry(set, &ctx->table->sets, list) {
3475 if (!(set->flags & NFT_SET_MAP) ||
3476 set->dtype != NFT_DATA_VERDICT)
3479 list_for_each_entry(binding, &set->bindings, list) {
3480 if (binding->chain != chain)
3486 iter.fn = nf_tables_loop_check_setelem;
3488 set->ops->walk(ctx, set, &iter);
3498 * nft_validate_input_register - validate an expressions' input register
3500 * @reg: the register number
3502 * Validate that the input register is one of the general purpose
3505 int nft_validate_input_register(enum nft_registers reg)
3507 if (reg <= NFT_REG_VERDICT)
3509 if (reg > NFT_REG_MAX)
3513 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3516 * nft_validate_output_register - validate an expressions' output register
3518 * @reg: the register number
3520 * Validate that the output register is one of the general purpose
3521 * registers or the verdict register.
3523 int nft_validate_output_register(enum nft_registers reg)
3525 if (reg < NFT_REG_VERDICT)
3527 if (reg > NFT_REG_MAX)
3531 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3534 * nft_validate_data_load - validate an expressions' data load
3536 * @ctx: context of the expression performing the load
3537 * @reg: the destination register number
3538 * @data: the data to load
3539 * @type: the data type
3541 * Validate that a data load uses the appropriate data type for
3542 * the destination register. A value of NULL for the data means
3543 * that its runtime gathered data, which is always of type
3546 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3547 const struct nft_data *data,
3548 enum nft_data_types type)
3553 case NFT_REG_VERDICT:
3554 if (data == NULL || type != NFT_DATA_VERDICT)
3557 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3558 err = nf_tables_check_loops(ctx, data->chain);
3562 if (ctx->chain->level + 1 > data->chain->level) {
3563 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3565 data->chain->level = ctx->chain->level + 1;
3571 if (data != NULL && type != NFT_DATA_VALUE)
3576 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3578 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3579 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3580 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3581 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3584 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3585 struct nft_data_desc *desc, const struct nlattr *nla)
3587 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3588 struct nft_chain *chain;
3591 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3595 if (!tb[NFTA_VERDICT_CODE])
3597 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3599 switch (data->verdict) {
3601 switch (data->verdict & NF_VERDICT_MASK) {
3613 desc->len = sizeof(data->verdict);
3617 if (!tb[NFTA_VERDICT_CHAIN])
3619 chain = nf_tables_chain_lookup(ctx->table,
3620 tb[NFTA_VERDICT_CHAIN]);
3622 return PTR_ERR(chain);
3623 if (chain->flags & NFT_BASE_CHAIN)
3627 data->chain = chain;
3628 desc->len = sizeof(data);
3632 desc->type = NFT_DATA_VERDICT;
3636 static void nft_verdict_uninit(const struct nft_data *data)
3638 switch (data->verdict) {
3646 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3648 struct nlattr *nest;
3650 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3652 goto nla_put_failure;
3654 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3655 goto nla_put_failure;
3657 switch (data->verdict) {
3660 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3661 goto nla_put_failure;
3663 nla_nest_end(skb, nest);
3670 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3671 struct nft_data_desc *desc, const struct nlattr *nla)
3678 if (len > sizeof(data->data))
3681 nla_memcpy(data->data, nla, sizeof(data->data));
3682 desc->type = NFT_DATA_VALUE;
3687 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3690 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3693 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3694 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3695 .len = FIELD_SIZEOF(struct nft_data, data) },
3696 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3700 * nft_data_init - parse nf_tables data netlink attributes
3702 * @ctx: context of the expression using the data
3703 * @data: destination struct nft_data
3704 * @desc: data description
3705 * @nla: netlink attribute containing data
3707 * Parse the netlink data attributes and initialize a struct nft_data.
3708 * The type and length of data are returned in the data description.
3710 * The caller can indicate that it only wants to accept data of type
3711 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3713 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3714 struct nft_data_desc *desc, const struct nlattr *nla)
3716 struct nlattr *tb[NFTA_DATA_MAX + 1];
3719 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3723 if (tb[NFTA_DATA_VALUE])
3724 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3725 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3726 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3729 EXPORT_SYMBOL_GPL(nft_data_init);
3732 * nft_data_uninit - release a nft_data item
3734 * @data: struct nft_data to release
3735 * @type: type of data
3737 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3738 * all others need to be released by calling this function.
3740 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3743 case NFT_DATA_VALUE:
3745 case NFT_DATA_VERDICT:
3746 return nft_verdict_uninit(data);
3751 EXPORT_SYMBOL_GPL(nft_data_uninit);
3753 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3754 enum nft_data_types type, unsigned int len)
3756 struct nlattr *nest;
3759 nest = nla_nest_start(skb, attr);
3764 case NFT_DATA_VALUE:
3765 err = nft_value_dump(skb, data, len);
3767 case NFT_DATA_VERDICT:
3768 err = nft_verdict_dump(skb, data);
3775 nla_nest_end(skb, nest);
3778 EXPORT_SYMBOL_GPL(nft_data_dump);
3780 static int nf_tables_init_net(struct net *net)
3782 INIT_LIST_HEAD(&net->nft.af_info);
3783 INIT_LIST_HEAD(&net->nft.commit_list);
3787 static struct pernet_operations nf_tables_net_ops = {
3788 .init = nf_tables_init_net,
3791 static int __init nf_tables_module_init(void)
3795 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3802 err = nf_tables_core_module_init();
3806 err = nfnetlink_subsys_register(&nf_tables_subsys);
3810 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3811 return register_pernet_subsys(&nf_tables_net_ops);
3813 nf_tables_core_module_exit();
3820 static void __exit nf_tables_module_exit(void)
3822 unregister_pernet_subsys(&nf_tables_net_ops);
3823 nfnetlink_subsys_unregister(&nf_tables_subsys);
3824 nf_tables_core_module_exit();
3828 module_init(nf_tables_module_init);
3829 module_exit(nf_tables_module_exit);
3831 MODULE_LICENSE("GPL");
3832 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3833 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / karo-tx-linux.git / blob