2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
91 static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
99 ctx->net = sock_net(skb->sk);
112 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
113 const struct nlattr *nla)
115 struct nft_table *table;
117 list_for_each_entry(table, &afi->tables, list) {
118 if (!nla_strcmp(nla, table->name))
124 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
125 const struct nlattr *nla)
127 struct nft_table *table;
130 return ERR_PTR(-EINVAL);
132 table = nft_table_lookup(afi, nla);
136 return ERR_PTR(-ENOENT);
139 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
141 return ++table->hgenerator;
144 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
146 static const struct nf_chain_type *
147 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
151 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
152 if (chain_type[family][i] != NULL &&
153 !nla_strcmp(nla, chain_type[family][i]->name))
154 return chain_type[family][i];
159 static const struct nf_chain_type *
160 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
161 const struct nlattr *nla,
164 const struct nf_chain_type *type;
166 type = __nf_tables_chain_type_lookup(afi->family, nla);
169 #ifdef CONFIG_MODULES
171 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
172 request_module("nft-chain-%u-%*.s", afi->family,
173 nla_len(nla)-1, (const char *)nla_data(nla));
174 nfnl_lock(NFNL_SUBSYS_NFTABLES);
175 type = __nf_tables_chain_type_lookup(afi->family, nla);
177 return ERR_PTR(-EAGAIN);
180 return ERR_PTR(-ENOENT);
183 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
184 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
185 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
188 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
189 int event, u32 flags, int family,
190 const struct nft_table *table)
192 struct nlmsghdr *nlh;
193 struct nfgenmsg *nfmsg;
195 event |= NFNL_SUBSYS_NFTABLES << 8;
196 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
198 goto nla_put_failure;
200 nfmsg = nlmsg_data(nlh);
201 nfmsg->nfgen_family = family;
202 nfmsg->version = NFNETLINK_V0;
205 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
206 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
207 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
208 goto nla_put_failure;
210 return nlmsg_end(skb, nlh);
213 nlmsg_trim(skb, nlh);
217 static int nf_tables_table_notify(const struct sk_buff *oskb,
218 const struct nlmsghdr *nlh,
219 const struct nft_table *table,
220 int event, int family)
223 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
224 u32 seq = nlh ? nlh->nlmsg_seq : 0;
225 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
229 report = nlh ? nlmsg_report(nlh) : false;
230 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
234 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
238 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
245 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
249 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
253 static int nf_tables_dump_tables(struct sk_buff *skb,
254 struct netlink_callback *cb)
256 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
257 const struct nft_af_info *afi;
258 const struct nft_table *table;
259 unsigned int idx = 0, s_idx = cb->args[0];
260 struct net *net = sock_net(skb->sk);
261 int family = nfmsg->nfgen_family;
263 list_for_each_entry(afi, &net->nft.af_info, list) {
264 if (family != NFPROTO_UNSPEC && family != afi->family)
267 list_for_each_entry(table, &afi->tables, list) {
271 memset(&cb->args[1], 0,
272 sizeof(cb->args) - sizeof(cb->args[0]));
273 if (nf_tables_fill_table_info(skb,
274 NETLINK_CB(cb->skb).portid,
278 afi->family, table) < 0)
289 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
290 const struct nlmsghdr *nlh,
291 const struct nlattr * const nla[])
293 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
294 const struct nft_af_info *afi;
295 const struct nft_table *table;
296 struct sk_buff *skb2;
297 struct net *net = sock_net(skb->sk);
298 int family = nfmsg->nfgen_family;
301 if (nlh->nlmsg_flags & NLM_F_DUMP) {
302 struct netlink_dump_control c = {
303 .dump = nf_tables_dump_tables,
305 return netlink_dump_start(nlsk, skb, nlh, &c);
308 afi = nf_tables_afinfo_lookup(net, family, false);
312 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
314 return PTR_ERR(table);
316 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
320 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
321 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
326 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
333 static int nf_tables_table_enable(const struct nft_af_info *afi,
334 struct nft_table *table)
336 struct nft_chain *chain;
339 list_for_each_entry(chain, &table->chains, list) {
340 if (!(chain->flags & NFT_BASE_CHAIN))
343 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
351 list_for_each_entry(chain, &table->chains, list) {
352 if (!(chain->flags & NFT_BASE_CHAIN))
358 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
363 static int nf_tables_table_disable(const struct nft_af_info *afi,
364 struct nft_table *table)
366 struct nft_chain *chain;
368 list_for_each_entry(chain, &table->chains, list) {
369 if (chain->flags & NFT_BASE_CHAIN)
370 nf_unregister_hooks(nft_base_chain(chain)->ops,
377 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
378 const struct nlmsghdr *nlh,
379 const struct nlattr * const nla[],
380 struct nft_af_info *afi, struct nft_table *table)
382 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
383 int family = nfmsg->nfgen_family, ret = 0;
385 if (nla[NFTA_TABLE_FLAGS]) {
388 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
389 if (flags & ~NFT_TABLE_F_DORMANT)
392 if ((flags & NFT_TABLE_F_DORMANT) &&
393 !(table->flags & NFT_TABLE_F_DORMANT)) {
394 ret = nf_tables_table_disable(afi, table);
396 table->flags |= NFT_TABLE_F_DORMANT;
397 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
398 table->flags & NFT_TABLE_F_DORMANT) {
399 ret = nf_tables_table_enable(afi, table);
401 table->flags &= ~NFT_TABLE_F_DORMANT;
407 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
412 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
413 const struct nlmsghdr *nlh,
414 const struct nlattr * const nla[])
416 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
417 const struct nlattr *name;
418 struct nft_af_info *afi;
419 struct nft_table *table;
420 struct net *net = sock_net(skb->sk);
421 int family = nfmsg->nfgen_family;
424 afi = nf_tables_afinfo_lookup(net, family, true);
428 name = nla[NFTA_TABLE_NAME];
429 table = nf_tables_table_lookup(afi, name);
431 if (PTR_ERR(table) != -ENOENT)
432 return PTR_ERR(table);
437 if (nlh->nlmsg_flags & NLM_F_EXCL)
439 if (nlh->nlmsg_flags & NLM_F_REPLACE)
441 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
444 if (nla[NFTA_TABLE_FLAGS]) {
445 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
446 if (flags & ~NFT_TABLE_F_DORMANT)
450 if (!try_module_get(afi->owner))
451 return -EAFNOSUPPORT;
453 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
455 module_put(afi->owner);
459 nla_strlcpy(table->name, name, nla_len(name));
460 INIT_LIST_HEAD(&table->chains);
461 INIT_LIST_HEAD(&table->sets);
462 table->flags = flags;
464 list_add_tail(&table->list, &afi->tables);
465 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
469 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
470 const struct nlmsghdr *nlh,
471 const struct nlattr * const nla[])
473 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
474 struct nft_af_info *afi;
475 struct nft_table *table;
476 struct net *net = sock_net(skb->sk);
477 int family = nfmsg->nfgen_family;
479 afi = nf_tables_afinfo_lookup(net, family, false);
483 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
485 return PTR_ERR(table);
487 if (!list_empty(&table->chains) || !list_empty(&table->sets))
490 list_del(&table->list);
491 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
493 module_put(afi->owner);
497 int nft_register_chain_type(const struct nf_chain_type *ctype)
501 nfnl_lock(NFNL_SUBSYS_NFTABLES);
502 if (chain_type[ctype->family][ctype->type] != NULL) {
506 chain_type[ctype->family][ctype->type] = ctype;
508 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
511 EXPORT_SYMBOL_GPL(nft_register_chain_type);
513 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
515 nfnl_lock(NFNL_SUBSYS_NFTABLES);
516 chain_type[ctype->family][ctype->type] = NULL;
517 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
519 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
525 static struct nft_chain *
526 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
528 struct nft_chain *chain;
530 list_for_each_entry(chain, &table->chains, list) {
531 if (chain->handle == handle)
535 return ERR_PTR(-ENOENT);
538 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
539 const struct nlattr *nla)
541 struct nft_chain *chain;
544 return ERR_PTR(-EINVAL);
546 list_for_each_entry(chain, &table->chains, list) {
547 if (!nla_strcmp(nla, chain->name))
551 return ERR_PTR(-ENOENT);
554 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
555 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
556 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
557 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
558 .len = NFT_CHAIN_MAXNAMELEN - 1 },
559 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
560 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
561 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
562 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
565 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
566 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
567 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
570 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
572 struct nft_stats *cpu_stats, total;
576 memset(&total, 0, sizeof(total));
577 for_each_possible_cpu(cpu) {
578 cpu_stats = per_cpu_ptr(stats, cpu);
579 total.pkts += cpu_stats->pkts;
580 total.bytes += cpu_stats->bytes;
582 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
584 goto nla_put_failure;
586 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
587 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
588 goto nla_put_failure;
590 nla_nest_end(skb, nest);
597 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
598 int event, u32 flags, int family,
599 const struct nft_table *table,
600 const struct nft_chain *chain)
602 struct nlmsghdr *nlh;
603 struct nfgenmsg *nfmsg;
605 event |= NFNL_SUBSYS_NFTABLES << 8;
606 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
608 goto nla_put_failure;
610 nfmsg = nlmsg_data(nlh);
611 nfmsg->nfgen_family = family;
612 nfmsg->version = NFNETLINK_V0;
615 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
616 goto nla_put_failure;
617 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
618 goto nla_put_failure;
619 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
620 goto nla_put_failure;
622 if (chain->flags & NFT_BASE_CHAIN) {
623 const struct nft_base_chain *basechain = nft_base_chain(chain);
624 const struct nf_hook_ops *ops = &basechain->ops[0];
627 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
629 goto nla_put_failure;
630 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
631 goto nla_put_failure;
632 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
633 goto nla_put_failure;
634 nla_nest_end(skb, nest);
636 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
637 htonl(basechain->policy)))
638 goto nla_put_failure;
640 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
641 goto nla_put_failure;
643 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
644 goto nla_put_failure;
647 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
648 goto nla_put_failure;
650 return nlmsg_end(skb, nlh);
653 nlmsg_trim(skb, nlh);
657 static int nf_tables_chain_notify(const struct sk_buff *oskb,
658 const struct nlmsghdr *nlh,
659 const struct nft_table *table,
660 const struct nft_chain *chain,
661 int event, int family)
664 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
665 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
666 u32 seq = nlh ? nlh->nlmsg_seq : 0;
670 report = nlh ? nlmsg_report(nlh) : false;
671 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
675 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
679 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
686 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
690 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
694 static int nf_tables_dump_chains(struct sk_buff *skb,
695 struct netlink_callback *cb)
697 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
698 const struct nft_af_info *afi;
699 const struct nft_table *table;
700 const struct nft_chain *chain;
701 unsigned int idx = 0, s_idx = cb->args[0];
702 struct net *net = sock_net(skb->sk);
703 int family = nfmsg->nfgen_family;
705 list_for_each_entry(afi, &net->nft.af_info, list) {
706 if (family != NFPROTO_UNSPEC && family != afi->family)
709 list_for_each_entry(table, &afi->tables, list) {
710 list_for_each_entry(chain, &table->chains, list) {
714 memset(&cb->args[1], 0,
715 sizeof(cb->args) - sizeof(cb->args[0]));
716 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
720 afi->family, table, chain) < 0)
733 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
734 const struct nlmsghdr *nlh,
735 const struct nlattr * const nla[])
737 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
738 const struct nft_af_info *afi;
739 const struct nft_table *table;
740 const struct nft_chain *chain;
741 struct sk_buff *skb2;
742 struct net *net = sock_net(skb->sk);
743 int family = nfmsg->nfgen_family;
746 if (nlh->nlmsg_flags & NLM_F_DUMP) {
747 struct netlink_dump_control c = {
748 .dump = nf_tables_dump_chains,
750 return netlink_dump_start(nlsk, skb, nlh, &c);
753 afi = nf_tables_afinfo_lookup(net, family, false);
757 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
759 return PTR_ERR(table);
761 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
763 return PTR_ERR(chain);
765 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
769 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
770 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
771 family, table, chain);
775 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
782 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
783 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
784 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
788 nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
790 struct nlattr *tb[NFTA_COUNTER_MAX+1];
791 struct nft_stats __percpu *newstats;
792 struct nft_stats *stats;
795 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
799 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
802 newstats = alloc_percpu(struct nft_stats);
803 if (newstats == NULL)
806 /* Restore old counters on this cpu, no problem. Per-cpu statistics
807 * are not exposed to userspace.
809 stats = this_cpu_ptr(newstats);
810 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
811 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
814 struct nft_stats __percpu *oldstats =
815 nft_dereference(chain->stats);
817 rcu_assign_pointer(chain->stats, newstats);
819 free_percpu(oldstats);
821 rcu_assign_pointer(chain->stats, newstats);
826 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
827 const struct nlmsghdr *nlh,
828 const struct nlattr * const nla[])
830 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
831 const struct nlattr * uninitialized_var(name);
832 struct nft_af_info *afi;
833 struct nft_table *table;
834 struct nft_chain *chain;
835 struct nft_base_chain *basechain = NULL;
836 struct nlattr *ha[NFTA_HOOK_MAX + 1];
837 struct net *net = sock_net(skb->sk);
838 int family = nfmsg->nfgen_family;
839 u8 policy = NF_ACCEPT;
845 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
847 afi = nf_tables_afinfo_lookup(net, family, true);
851 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
853 return PTR_ERR(table);
856 name = nla[NFTA_CHAIN_NAME];
858 if (nla[NFTA_CHAIN_HANDLE]) {
859 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
860 chain = nf_tables_chain_lookup_byhandle(table, handle);
862 return PTR_ERR(chain);
864 chain = nf_tables_chain_lookup(table, name);
866 if (PTR_ERR(chain) != -ENOENT)
867 return PTR_ERR(chain);
872 if (nla[NFTA_CHAIN_POLICY]) {
873 if ((chain != NULL &&
874 !(chain->flags & NFT_BASE_CHAIN)) ||
875 nla[NFTA_CHAIN_HOOK] == NULL)
878 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
889 if (nlh->nlmsg_flags & NLM_F_EXCL)
891 if (nlh->nlmsg_flags & NLM_F_REPLACE)
894 if (nla[NFTA_CHAIN_HANDLE] && name &&
895 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
898 if (nla[NFTA_CHAIN_COUNTERS]) {
899 if (!(chain->flags & NFT_BASE_CHAIN))
902 err = nf_tables_counters(nft_base_chain(chain),
903 nla[NFTA_CHAIN_COUNTERS]);
908 if (nla[NFTA_CHAIN_POLICY])
909 nft_base_chain(chain)->policy = policy;
911 if (nla[NFTA_CHAIN_HANDLE] && name)
912 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
917 if (table->use == UINT_MAX)
920 if (nla[NFTA_CHAIN_HOOK]) {
921 const struct nf_chain_type *type;
922 struct nf_hook_ops *ops;
924 u32 hooknum, priority;
926 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
927 if (nla[NFTA_CHAIN_TYPE]) {
928 type = nf_tables_chain_type_lookup(afi,
929 nla[NFTA_CHAIN_TYPE],
932 return PTR_ERR(type);
935 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
939 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
940 ha[NFTA_HOOK_PRIORITY] == NULL)
943 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
944 if (hooknum >= afi->nhooks)
946 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
948 if (!(type->hook_mask & (1 << hooknum)))
950 if (!try_module_get(type->owner))
952 hookfn = type->hooks[hooknum];
954 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
955 if (basechain == NULL)
958 if (nla[NFTA_CHAIN_COUNTERS]) {
959 err = nf_tables_counters(basechain,
960 nla[NFTA_CHAIN_COUNTERS]);
962 module_put(type->owner);
967 struct nft_stats __percpu *newstats;
969 newstats = alloc_percpu(struct nft_stats);
970 if (newstats == NULL) {
971 module_put(type->owner);
975 rcu_assign_pointer(basechain->stats, newstats);
978 basechain->type = type;
979 chain = &basechain->chain;
981 for (i = 0; i < afi->nops; i++) {
982 ops = &basechain->ops[i];
984 ops->owner = afi->owner;
985 ops->hooknum = hooknum;
986 ops->priority = priority;
988 ops->hook = afi->hooks[ops->hooknum];
991 if (afi->hook_ops_init)
992 afi->hook_ops_init(ops, i);
995 chain->flags |= NFT_BASE_CHAIN;
996 basechain->policy = policy;
998 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1003 INIT_LIST_HEAD(&chain->rules);
1004 chain->handle = nf_tables_alloc_handle(table);
1006 chain->table = table;
1007 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1009 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1010 chain->flags & NFT_BASE_CHAIN) {
1011 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
1013 module_put(basechain->type->owner);
1014 free_percpu(basechain->stats);
1019 list_add_tail(&chain->list, &table->chains);
1022 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
1027 static void nf_tables_chain_destroy(struct nft_chain *chain)
1029 BUG_ON(chain->use > 0);
1031 if (chain->flags & NFT_BASE_CHAIN) {
1032 module_put(nft_base_chain(chain)->type->owner);
1033 free_percpu(nft_base_chain(chain)->stats);
1034 kfree(nft_base_chain(chain));
1039 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1040 const struct nlmsghdr *nlh,
1041 const struct nlattr * const nla[])
1043 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1044 struct nft_af_info *afi;
1045 struct nft_table *table;
1046 struct nft_chain *chain;
1047 struct net *net = sock_net(skb->sk);
1048 int family = nfmsg->nfgen_family;
1050 afi = nf_tables_afinfo_lookup(net, family, false);
1052 return PTR_ERR(afi);
1054 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1056 return PTR_ERR(table);
1058 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1060 return PTR_ERR(chain);
1062 if (!list_empty(&chain->rules) || chain->use > 0)
1065 list_del(&chain->list);
1068 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1069 chain->flags & NFT_BASE_CHAIN)
1070 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
1072 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1075 /* Make sure all rule references are gone before this is released */
1078 nf_tables_chain_destroy(chain);
1087 * nft_register_expr - register nf_tables expr type
1090 * Registers the expr type for use with nf_tables. Returns zero on
1091 * success or a negative errno code otherwise.
1093 int nft_register_expr(struct nft_expr_type *type)
1095 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1096 if (type->family == NFPROTO_UNSPEC)
1097 list_add_tail(&type->list, &nf_tables_expressions);
1099 list_add(&type->list, &nf_tables_expressions);
1100 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1103 EXPORT_SYMBOL_GPL(nft_register_expr);
1106 * nft_unregister_expr - unregister nf_tables expr type
1109 * Unregisters the expr typefor use with nf_tables.
1111 void nft_unregister_expr(struct nft_expr_type *type)
1113 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1114 list_del(&type->list);
1115 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1117 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1119 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1122 const struct nft_expr_type *type;
1124 list_for_each_entry(type, &nf_tables_expressions, list) {
1125 if (!nla_strcmp(nla, type->name) &&
1126 (!type->family || type->family == family))
1132 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1135 const struct nft_expr_type *type;
1138 return ERR_PTR(-EINVAL);
1140 type = __nft_expr_type_get(family, nla);
1141 if (type != NULL && try_module_get(type->owner))
1144 #ifdef CONFIG_MODULES
1146 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1147 request_module("nft-expr-%u-%.*s", family,
1148 nla_len(nla), (char *)nla_data(nla));
1149 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1150 if (__nft_expr_type_get(family, nla))
1151 return ERR_PTR(-EAGAIN);
1153 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1154 request_module("nft-expr-%.*s",
1155 nla_len(nla), (char *)nla_data(nla));
1156 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1157 if (__nft_expr_type_get(family, nla))
1158 return ERR_PTR(-EAGAIN);
1161 return ERR_PTR(-ENOENT);
1164 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1165 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1166 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1169 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1170 const struct nft_expr *expr)
1172 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1173 goto nla_put_failure;
1175 if (expr->ops->dump) {
1176 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1178 goto nla_put_failure;
1179 if (expr->ops->dump(skb, expr) < 0)
1180 goto nla_put_failure;
1181 nla_nest_end(skb, data);
1190 struct nft_expr_info {
1191 const struct nft_expr_ops *ops;
1192 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1195 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1196 const struct nlattr *nla,
1197 struct nft_expr_info *info)
1199 const struct nft_expr_type *type;
1200 const struct nft_expr_ops *ops;
1201 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1204 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1208 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1210 return PTR_ERR(type);
1212 if (tb[NFTA_EXPR_DATA]) {
1213 err = nla_parse_nested(info->tb, type->maxattr,
1214 tb[NFTA_EXPR_DATA], type->policy);
1218 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1220 if (type->select_ops != NULL) {
1221 ops = type->select_ops(ctx,
1222 (const struct nlattr * const *)info->tb);
1234 module_put(type->owner);
1238 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1239 const struct nft_expr_info *info,
1240 struct nft_expr *expr)
1242 const struct nft_expr_ops *ops = info->ops;
1247 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1259 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1260 struct nft_expr *expr)
1262 if (expr->ops->destroy)
1263 expr->ops->destroy(ctx, expr);
1264 module_put(expr->ops->type->owner);
1271 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1274 struct nft_rule *rule;
1276 // FIXME: this sucks
1277 list_for_each_entry(rule, &chain->rules, list) {
1278 if (handle == rule->handle)
1282 return ERR_PTR(-ENOENT);
1285 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1286 const struct nlattr *nla)
1289 return ERR_PTR(-EINVAL);
1291 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1294 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1295 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1296 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1297 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1298 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1299 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1300 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1301 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1302 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1303 .len = NFT_USERDATA_MAXLEN },
1306 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1307 int event, u32 flags, int family,
1308 const struct nft_table *table,
1309 const struct nft_chain *chain,
1310 const struct nft_rule *rule)
1312 struct nlmsghdr *nlh;
1313 struct nfgenmsg *nfmsg;
1314 const struct nft_expr *expr, *next;
1315 struct nlattr *list;
1316 const struct nft_rule *prule;
1317 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1319 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1322 goto nla_put_failure;
1324 nfmsg = nlmsg_data(nlh);
1325 nfmsg->nfgen_family = family;
1326 nfmsg->version = NFNETLINK_V0;
1329 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1330 goto nla_put_failure;
1331 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1332 goto nla_put_failure;
1333 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1334 goto nla_put_failure;
1336 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1337 prule = list_entry(rule->list.prev, struct nft_rule, list);
1338 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1339 cpu_to_be64(prule->handle)))
1340 goto nla_put_failure;
1343 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1345 goto nla_put_failure;
1346 nft_rule_for_each_expr(expr, next, rule) {
1347 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1349 goto nla_put_failure;
1350 if (nf_tables_fill_expr_info(skb, expr) < 0)
1351 goto nla_put_failure;
1352 nla_nest_end(skb, elem);
1354 nla_nest_end(skb, list);
1357 nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
1358 goto nla_put_failure;
1360 return nlmsg_end(skb, nlh);
1363 nlmsg_trim(skb, nlh);
1367 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1368 const struct nlmsghdr *nlh,
1369 const struct nft_table *table,
1370 const struct nft_chain *chain,
1371 const struct nft_rule *rule,
1372 int event, u32 flags, int family)
1374 struct sk_buff *skb;
1375 u32 portid = NETLINK_CB(oskb).portid;
1376 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1377 u32 seq = nlh->nlmsg_seq;
1381 report = nlmsg_report(nlh);
1382 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1386 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1390 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1391 family, table, chain, rule);
1397 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1401 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1406 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1408 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1411 static inline int gencursor_next(struct net *net)
1413 return net->nft.gencursor+1 == 1 ? 1 : 0;
1417 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1419 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1423 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1425 /* Now inactive, will be active in the future */
1426 rule->genmask = (1 << net->nft.gencursor);
1430 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1432 rule->genmask = (1 << gencursor_next(net));
1435 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1440 static int nf_tables_dump_rules(struct sk_buff *skb,
1441 struct netlink_callback *cb)
1443 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1444 const struct nft_af_info *afi;
1445 const struct nft_table *table;
1446 const struct nft_chain *chain;
1447 const struct nft_rule *rule;
1448 unsigned int idx = 0, s_idx = cb->args[0];
1449 struct net *net = sock_net(skb->sk);
1450 int family = nfmsg->nfgen_family;
1451 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1452 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1454 list_for_each_entry(afi, &net->nft.af_info, list) {
1455 if (family != NFPROTO_UNSPEC && family != afi->family)
1458 list_for_each_entry(table, &afi->tables, list) {
1459 list_for_each_entry(chain, &table->chains, list) {
1460 list_for_each_entry(rule, &chain->rules, list) {
1461 if (!nft_rule_is_active(net, rule))
1466 memset(&cb->args[1], 0,
1467 sizeof(cb->args) - sizeof(cb->args[0]));
1468 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1471 NLM_F_MULTI | NLM_F_APPEND,
1472 afi->family, table, chain, rule) < 0)
1481 /* Invalidate this dump, a transition to the new generation happened */
1482 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1489 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1490 const struct nlmsghdr *nlh,
1491 const struct nlattr * const nla[])
1493 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1494 const struct nft_af_info *afi;
1495 const struct nft_table *table;
1496 const struct nft_chain *chain;
1497 const struct nft_rule *rule;
1498 struct sk_buff *skb2;
1499 struct net *net = sock_net(skb->sk);
1500 int family = nfmsg->nfgen_family;
1503 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1504 struct netlink_dump_control c = {
1505 .dump = nf_tables_dump_rules,
1507 return netlink_dump_start(nlsk, skb, nlh, &c);
1510 afi = nf_tables_afinfo_lookup(net, family, false);
1512 return PTR_ERR(afi);
1514 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1516 return PTR_ERR(table);
1518 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1520 return PTR_ERR(chain);
1522 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1524 return PTR_ERR(rule);
1526 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1530 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1531 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1532 family, table, chain, rule);
1536 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1543 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1544 struct nft_rule *rule)
1546 struct nft_expr *expr;
1549 * Careful: some expressions might not be initialized in case this
1550 * is called on error from nf_tables_newrule().
1552 expr = nft_expr_first(rule);
1553 while (expr->ops && expr != nft_expr_last(rule)) {
1554 nf_tables_expr_destroy(ctx, expr);
1555 expr = nft_expr_next(expr);
1560 #define NFT_RULE_MAXEXPRS 128
1562 static struct nft_expr_info *info;
1564 static struct nft_rule_trans *
1565 nf_tables_trans_add(struct nft_ctx *ctx, struct nft_rule *rule)
1567 struct nft_rule_trans *rupd;
1569 rupd = kmalloc(sizeof(struct nft_rule_trans), GFP_KERNEL);
1575 list_add_tail(&rupd->list, &ctx->net->nft.commit_list);
1580 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1581 const struct nlmsghdr *nlh,
1582 const struct nlattr * const nla[])
1584 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1585 struct nft_af_info *afi;
1586 struct net *net = sock_net(skb->sk);
1587 struct nft_table *table;
1588 struct nft_chain *chain;
1589 struct nft_rule *rule, *old_rule = NULL;
1590 struct nft_rule_trans *repl = NULL;
1591 struct nft_expr *expr;
1594 unsigned int size, i, n, ulen = 0;
1597 u64 handle, pos_handle;
1599 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1601 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1603 return PTR_ERR(afi);
1605 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1607 return PTR_ERR(table);
1609 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1611 return PTR_ERR(chain);
1613 if (nla[NFTA_RULE_HANDLE]) {
1614 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1615 rule = __nf_tables_rule_lookup(chain, handle);
1617 return PTR_ERR(rule);
1619 if (nlh->nlmsg_flags & NLM_F_EXCL)
1621 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1626 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1628 handle = nf_tables_alloc_handle(table);
1631 if (nla[NFTA_RULE_POSITION]) {
1632 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1635 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1636 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1637 if (IS_ERR(old_rule))
1638 return PTR_ERR(old_rule);
1641 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1645 if (nla[NFTA_RULE_EXPRESSIONS]) {
1646 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1648 if (nla_type(tmp) != NFTA_LIST_ELEM)
1650 if (n == NFT_RULE_MAXEXPRS)
1652 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1655 size += info[n].ops->size;
1660 if (nla[NFTA_RULE_USERDATA])
1661 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
1664 rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
1668 nft_rule_activate_next(net, rule);
1670 rule->handle = handle;
1675 nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
1677 expr = nft_expr_first(rule);
1678 for (i = 0; i < n; i++) {
1679 err = nf_tables_newexpr(&ctx, &info[i], expr);
1683 expr = nft_expr_next(expr);
1686 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1687 if (nft_rule_is_active_next(net, old_rule)) {
1688 repl = nf_tables_trans_add(&ctx, old_rule);
1693 nft_rule_disactivate_next(net, old_rule);
1694 list_add_tail(&rule->list, &old_rule->list);
1699 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1701 list_add_rcu(&rule->list, &old_rule->list);
1703 list_add_tail_rcu(&rule->list, &chain->rules);
1706 list_add_tail_rcu(&rule->list, &old_rule->list);
1708 list_add_rcu(&rule->list, &chain->rules);
1711 if (nf_tables_trans_add(&ctx, rule) == NULL) {
1718 list_del_rcu(&rule->list);
1720 list_del_rcu(&repl->rule->list);
1721 list_del(&repl->list);
1722 nft_rule_clear(net, repl->rule);
1726 nf_tables_rule_destroy(&ctx, rule);
1728 for (i = 0; i < n; i++) {
1729 if (info[i].ops != NULL)
1730 module_put(info[i].ops->type->owner);
1736 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1738 /* You cannot delete the same rule twice */
1739 if (nft_rule_is_active_next(ctx->net, rule)) {
1740 if (nf_tables_trans_add(ctx, rule) == NULL)
1742 nft_rule_disactivate_next(ctx->net, rule);
1748 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1750 struct nft_rule *rule;
1753 list_for_each_entry(rule, &ctx->chain->rules, list) {
1754 err = nf_tables_delrule_one(ctx, rule);
1761 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1762 const struct nlmsghdr *nlh,
1763 const struct nlattr * const nla[])
1765 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1766 struct nft_af_info *afi;
1767 struct net *net = sock_net(skb->sk);
1768 struct nft_table *table;
1769 struct nft_chain *chain = NULL;
1770 struct nft_rule *rule;
1771 int family = nfmsg->nfgen_family, err = 0;
1774 afi = nf_tables_afinfo_lookup(net, family, false);
1776 return PTR_ERR(afi);
1778 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1780 return PTR_ERR(table);
1782 if (nla[NFTA_RULE_CHAIN]) {
1783 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1785 return PTR_ERR(chain);
1788 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1791 if (nla[NFTA_RULE_HANDLE]) {
1792 rule = nf_tables_rule_lookup(chain,
1793 nla[NFTA_RULE_HANDLE]);
1795 return PTR_ERR(rule);
1797 err = nf_tables_delrule_one(&ctx, rule);
1799 err = nf_table_delrule_by_chain(&ctx);
1802 list_for_each_entry(chain, &table->chains, list) {
1804 err = nf_table_delrule_by_chain(&ctx);
1813 static int nf_tables_commit(struct sk_buff *skb)
1815 struct net *net = sock_net(skb->sk);
1816 struct nft_rule_trans *rupd, *tmp;
1818 /* Bump generation counter, invalidate any dump in progress */
1821 /* A new generation has just started */
1822 net->nft.gencursor = gencursor_next(net);
1824 /* Make sure all packets have left the previous generation before
1825 * purging old rules.
1829 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1830 /* This rule was inactive in the past and just became active.
1831 * Clear the next bit of the genmask since its meaning has
1832 * changed, now it is the future.
1834 if (nft_rule_is_active(net, rupd->rule)) {
1835 nft_rule_clear(net, rupd->rule);
1836 nf_tables_rule_notify(skb, rupd->ctx.nlh,
1837 rupd->ctx.table, rupd->ctx.chain,
1838 rupd->rule, NFT_MSG_NEWRULE, 0,
1839 rupd->ctx.afi->family);
1840 list_del(&rupd->list);
1845 /* This rule is in the past, get rid of it */
1846 list_del_rcu(&rupd->rule->list);
1847 nf_tables_rule_notify(skb, rupd->ctx.nlh,
1848 rupd->ctx.table, rupd->ctx.chain,
1849 rupd->rule, NFT_MSG_DELRULE, 0,
1850 rupd->ctx.afi->family);
1853 /* Make sure we don't see any packet traversing old rules */
1856 /* Now we can safely release unused old rules */
1857 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1858 nf_tables_rule_destroy(&rupd->ctx, rupd->rule);
1859 list_del(&rupd->list);
1866 static int nf_tables_abort(struct sk_buff *skb)
1868 struct net *net = sock_net(skb->sk);
1869 struct nft_rule_trans *rupd, *tmp;
1871 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1872 if (!nft_rule_is_active_next(net, rupd->rule)) {
1873 nft_rule_clear(net, rupd->rule);
1874 list_del(&rupd->list);
1879 /* This rule is inactive, get rid of it */
1880 list_del_rcu(&rupd->rule->list);
1883 /* Make sure we don't see any packet accessing aborted rules */
1886 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1887 nf_tables_rule_destroy(&rupd->ctx, rupd->rule);
1888 list_del(&rupd->list);
1899 static LIST_HEAD(nf_tables_set_ops);
1901 int nft_register_set(struct nft_set_ops *ops)
1903 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1904 list_add_tail(&ops->list, &nf_tables_set_ops);
1905 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1908 EXPORT_SYMBOL_GPL(nft_register_set);
1910 void nft_unregister_set(struct nft_set_ops *ops)
1912 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1913 list_del(&ops->list);
1914 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1916 EXPORT_SYMBOL_GPL(nft_unregister_set);
1919 * Select a set implementation based on the data characteristics and the
1920 * given policy. The total memory use might not be known if no size is
1921 * given, in that case the amount of memory per element is used.
1923 static const struct nft_set_ops *
1924 nft_select_set_ops(const struct nlattr * const nla[],
1925 const struct nft_set_desc *desc,
1926 enum nft_set_policies policy)
1928 const struct nft_set_ops *ops, *bops;
1929 struct nft_set_estimate est, best;
1932 #ifdef CONFIG_MODULES
1933 if (list_empty(&nf_tables_set_ops)) {
1934 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1935 request_module("nft-set");
1936 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1937 if (!list_empty(&nf_tables_set_ops))
1938 return ERR_PTR(-EAGAIN);
1942 if (nla[NFTA_SET_FLAGS] != NULL) {
1943 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1944 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1951 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1952 if ((ops->features & features) != features)
1954 if (!ops->estimate(desc, features, &est))
1958 case NFT_SET_POL_PERFORMANCE:
1959 if (est.class < best.class)
1961 if (est.class == best.class && est.size < best.size)
1964 case NFT_SET_POL_MEMORY:
1965 if (est.size < best.size)
1967 if (est.size == best.size && est.class < best.class)
1974 if (!try_module_get(ops->owner))
1977 module_put(bops->owner);
1986 return ERR_PTR(-EOPNOTSUPP);
1989 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1990 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1991 [NFTA_SET_NAME] = { .type = NLA_STRING },
1992 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1993 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1994 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1995 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1996 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1997 [NFTA_SET_POLICY] = { .type = NLA_U32 },
1998 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2001 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2002 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2005 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
2006 const struct sk_buff *skb,
2007 const struct nlmsghdr *nlh,
2008 const struct nlattr * const nla[])
2010 struct net *net = sock_net(skb->sk);
2011 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2012 struct nft_af_info *afi = NULL;
2013 struct nft_table *table = NULL;
2015 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2016 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2018 return PTR_ERR(afi);
2021 if (nla[NFTA_SET_TABLE] != NULL) {
2023 return -EAFNOSUPPORT;
2025 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2027 return PTR_ERR(table);
2030 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2034 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2035 const struct nlattr *nla)
2037 struct nft_set *set;
2040 return ERR_PTR(-EINVAL);
2042 list_for_each_entry(set, &table->sets, list) {
2043 if (!nla_strcmp(nla, set->name))
2046 return ERR_PTR(-ENOENT);
2049 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2052 const struct nft_set *i;
2054 unsigned long *inuse;
2055 unsigned int n = 0, min = 0;
2057 p = strnchr(name, IFNAMSIZ, '%');
2059 if (p[1] != 'd' || strchr(p + 2, '%'))
2062 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2066 list_for_each_entry(i, &ctx->table->sets, list) {
2069 if (!sscanf(i->name, name, &tmp))
2071 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2074 set_bit(tmp - min, inuse);
2077 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2078 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2079 min += BITS_PER_BYTE * PAGE_SIZE;
2080 memset(inuse, 0, PAGE_SIZE);
2083 free_page((unsigned long)inuse);
2086 snprintf(set->name, sizeof(set->name), name, min + n);
2087 list_for_each_entry(i, &ctx->table->sets, list) {
2088 if (!strcmp(set->name, i->name))
2094 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2095 const struct nft_set *set, u16 event, u16 flags)
2097 struct nfgenmsg *nfmsg;
2098 struct nlmsghdr *nlh;
2099 struct nlattr *desc;
2100 u32 portid = NETLINK_CB(ctx->skb).portid;
2101 u32 seq = ctx->nlh->nlmsg_seq;
2103 event |= NFNL_SUBSYS_NFTABLES << 8;
2104 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2107 goto nla_put_failure;
2109 nfmsg = nlmsg_data(nlh);
2110 nfmsg->nfgen_family = ctx->afi->family;
2111 nfmsg->version = NFNETLINK_V0;
2114 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2115 goto nla_put_failure;
2116 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2117 goto nla_put_failure;
2118 if (set->flags != 0)
2119 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2120 goto nla_put_failure;
2122 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2123 goto nla_put_failure;
2124 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2125 goto nla_put_failure;
2126 if (set->flags & NFT_SET_MAP) {
2127 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2128 goto nla_put_failure;
2129 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2130 goto nla_put_failure;
2133 desc = nla_nest_start(skb, NFTA_SET_DESC);
2135 goto nla_put_failure;
2137 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2138 goto nla_put_failure;
2139 nla_nest_end(skb, desc);
2141 return nlmsg_end(skb, nlh);
2144 nlmsg_trim(skb, nlh);
2148 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2149 const struct nft_set *set,
2152 struct sk_buff *skb;
2153 u32 portid = NETLINK_CB(ctx->skb).portid;
2157 report = nlmsg_report(ctx->nlh);
2158 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2162 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2166 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2172 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2176 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2180 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2181 struct netlink_callback *cb)
2183 const struct nft_set *set;
2184 unsigned int idx = 0, s_idx = cb->args[0];
2189 list_for_each_entry(set, &ctx->table->sets, list) {
2192 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2205 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2206 struct netlink_callback *cb)
2208 const struct nft_set *set;
2209 unsigned int idx, s_idx = cb->args[0];
2210 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2215 list_for_each_entry(table, &ctx->afi->tables, list) {
2217 if (cur_table != table)
2224 list_for_each_entry(set, &ctx->table->sets, list) {
2227 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2230 cb->args[2] = (unsigned long) table;
2242 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2243 struct netlink_callback *cb)
2245 const struct nft_set *set;
2246 unsigned int idx, s_idx = cb->args[0];
2247 struct nft_af_info *afi;
2248 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2249 struct net *net = sock_net(skb->sk);
2250 int cur_family = cb->args[3];
2255 list_for_each_entry(afi, &net->nft.af_info, list) {
2257 if (afi->family != cur_family)
2263 list_for_each_entry(table, &afi->tables, list) {
2265 if (cur_table != table)
2274 list_for_each_entry(set, &ctx->table->sets, list) {
2277 if (nf_tables_fill_set(skb, ctx, set,
2281 cb->args[2] = (unsigned long) table;
2282 cb->args[3] = afi->family;
2297 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2299 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2300 struct nlattr *nla[NFTA_SET_MAX + 1];
2304 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2309 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2313 if (ctx.table == NULL) {
2314 if (ctx.afi == NULL)
2315 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2317 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2319 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2324 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2325 const struct nlmsghdr *nlh,
2326 const struct nlattr * const nla[])
2328 const struct nft_set *set;
2330 struct sk_buff *skb2;
2331 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2334 /* Verify existance before starting dump */
2335 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2339 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2340 struct netlink_dump_control c = {
2341 .dump = nf_tables_dump_sets,
2343 return netlink_dump_start(nlsk, skb, nlh, &c);
2346 /* Only accept unspec with dump */
2347 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2348 return -EAFNOSUPPORT;
2350 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2352 return PTR_ERR(set);
2354 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2358 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2362 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2369 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2370 struct nft_set_desc *desc,
2371 const struct nlattr *nla)
2373 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2376 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2380 if (da[NFTA_SET_DESC_SIZE] != NULL)
2381 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2386 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2387 const struct nlmsghdr *nlh,
2388 const struct nlattr * const nla[])
2390 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2391 const struct nft_set_ops *ops;
2392 struct nft_af_info *afi;
2393 struct net *net = sock_net(skb->sk);
2394 struct nft_table *table;
2395 struct nft_set *set;
2397 char name[IFNAMSIZ];
2400 u32 ktype, dtype, flags, policy;
2401 struct nft_set_desc desc;
2404 if (nla[NFTA_SET_TABLE] == NULL ||
2405 nla[NFTA_SET_NAME] == NULL ||
2406 nla[NFTA_SET_KEY_LEN] == NULL)
2409 memset(&desc, 0, sizeof(desc));
2411 ktype = NFT_DATA_VALUE;
2412 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2413 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2414 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2418 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2419 if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
2423 if (nla[NFTA_SET_FLAGS] != NULL) {
2424 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2425 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2426 NFT_SET_INTERVAL | NFT_SET_MAP))
2431 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2432 if (!(flags & NFT_SET_MAP))
2435 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2436 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2437 dtype != NFT_DATA_VERDICT)
2440 if (dtype != NFT_DATA_VERDICT) {
2441 if (nla[NFTA_SET_DATA_LEN] == NULL)
2443 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2444 if (desc.dlen == 0 ||
2445 desc.dlen > FIELD_SIZEOF(struct nft_data, data))
2448 desc.dlen = sizeof(struct nft_data);
2449 } else if (flags & NFT_SET_MAP)
2452 policy = NFT_SET_POL_PERFORMANCE;
2453 if (nla[NFTA_SET_POLICY] != NULL)
2454 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2456 if (nla[NFTA_SET_DESC] != NULL) {
2457 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2462 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2464 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2466 return PTR_ERR(afi);
2468 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2470 return PTR_ERR(table);
2472 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2474 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2476 if (PTR_ERR(set) != -ENOENT)
2477 return PTR_ERR(set);
2482 if (nlh->nlmsg_flags & NLM_F_EXCL)
2484 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2489 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2492 ops = nft_select_set_ops(nla, &desc, policy);
2494 return PTR_ERR(ops);
2497 if (ops->privsize != NULL)
2498 size = ops->privsize(nla);
2501 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2505 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2506 err = nf_tables_set_alloc_name(&ctx, set, name);
2510 INIT_LIST_HEAD(&set->bindings);
2513 set->klen = desc.klen;
2515 set->dlen = desc.dlen;
2517 set->size = desc.size;
2519 err = ops->init(set, &desc, nla);
2523 list_add_tail(&set->list, &table->sets);
2524 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2530 module_put(ops->owner);
2534 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2536 list_del(&set->list);
2537 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2539 set->ops->destroy(set);
2540 module_put(set->ops->owner);
2544 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2545 const struct nlmsghdr *nlh,
2546 const struct nlattr * const nla[])
2548 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2549 struct nft_set *set;
2553 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2554 return -EAFNOSUPPORT;
2555 if (nla[NFTA_SET_TABLE] == NULL)
2558 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2562 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2564 return PTR_ERR(set);
2565 if (!list_empty(&set->bindings))
2568 nf_tables_set_destroy(&ctx, set);
2572 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2573 const struct nft_set *set,
2574 const struct nft_set_iter *iter,
2575 const struct nft_set_elem *elem)
2577 enum nft_registers dreg;
2579 dreg = nft_type_to_reg(set->dtype);
2580 return nft_validate_data_load(ctx, dreg, &elem->data,
2581 set->dtype == NFT_DATA_VERDICT ?
2582 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2585 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2586 struct nft_set_binding *binding)
2588 struct nft_set_binding *i;
2589 struct nft_set_iter iter;
2591 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2594 if (set->flags & NFT_SET_MAP) {
2595 /* If the set is already bound to the same chain all
2596 * jumps are already validated for that chain.
2598 list_for_each_entry(i, &set->bindings, list) {
2599 if (i->chain == binding->chain)
2606 iter.fn = nf_tables_bind_check_setelem;
2608 set->ops->walk(ctx, set, &iter);
2610 /* Destroy anonymous sets if binding fails */
2611 if (set->flags & NFT_SET_ANONYMOUS)
2612 nf_tables_set_destroy(ctx, set);
2618 binding->chain = ctx->chain;
2619 list_add_tail(&binding->list, &set->bindings);
2623 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2624 struct nft_set_binding *binding)
2626 list_del(&binding->list);
2628 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2629 nf_tables_set_destroy(ctx, set);
2636 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2637 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2638 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2639 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2642 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2643 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2644 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2645 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2648 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2649 const struct sk_buff *skb,
2650 const struct nlmsghdr *nlh,
2651 const struct nlattr * const nla[])
2653 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2654 struct nft_af_info *afi;
2655 struct nft_table *table;
2656 struct net *net = sock_net(skb->sk);
2658 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2660 return PTR_ERR(afi);
2662 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2664 return PTR_ERR(table);
2666 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2670 static int nf_tables_fill_setelem(struct sk_buff *skb,
2671 const struct nft_set *set,
2672 const struct nft_set_elem *elem)
2674 unsigned char *b = skb_tail_pointer(skb);
2675 struct nlattr *nest;
2677 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2679 goto nla_put_failure;
2681 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2683 goto nla_put_failure;
2685 if (set->flags & NFT_SET_MAP &&
2686 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2687 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2688 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2690 goto nla_put_failure;
2692 if (elem->flags != 0)
2693 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2694 goto nla_put_failure;
2696 nla_nest_end(skb, nest);
2704 struct nft_set_dump_args {
2705 const struct netlink_callback *cb;
2706 struct nft_set_iter iter;
2707 struct sk_buff *skb;
2710 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2711 const struct nft_set *set,
2712 const struct nft_set_iter *iter,
2713 const struct nft_set_elem *elem)
2715 struct nft_set_dump_args *args;
2717 args = container_of(iter, struct nft_set_dump_args, iter);
2718 return nf_tables_fill_setelem(args->skb, set, elem);
2721 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2723 const struct nft_set *set;
2724 struct nft_set_dump_args args;
2726 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2727 struct nfgenmsg *nfmsg;
2728 struct nlmsghdr *nlh;
2729 struct nlattr *nest;
2733 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2734 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2738 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2742 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2744 return PTR_ERR(set);
2746 event = NFT_MSG_NEWSETELEM;
2747 event |= NFNL_SUBSYS_NFTABLES << 8;
2748 portid = NETLINK_CB(cb->skb).portid;
2749 seq = cb->nlh->nlmsg_seq;
2751 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2754 goto nla_put_failure;
2756 nfmsg = nlmsg_data(nlh);
2757 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2758 nfmsg->version = NFNETLINK_V0;
2761 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2762 goto nla_put_failure;
2763 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2764 goto nla_put_failure;
2766 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2768 goto nla_put_failure;
2772 args.iter.skip = cb->args[0];
2773 args.iter.count = 0;
2775 args.iter.fn = nf_tables_dump_setelem;
2776 set->ops->walk(&ctx, set, &args.iter);
2778 nla_nest_end(skb, nest);
2779 nlmsg_end(skb, nlh);
2781 if (args.iter.err && args.iter.err != -EMSGSIZE)
2782 return args.iter.err;
2783 if (args.iter.count == cb->args[0])
2786 cb->args[0] = args.iter.count;
2793 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2794 const struct nlmsghdr *nlh,
2795 const struct nlattr * const nla[])
2797 const struct nft_set *set;
2801 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2805 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2807 return PTR_ERR(set);
2809 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2810 struct netlink_dump_control c = {
2811 .dump = nf_tables_dump_set,
2813 return netlink_dump_start(nlsk, skb, nlh, &c);
2818 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
2819 const struct nft_ctx *ctx, u32 seq,
2820 u32 portid, int event, u16 flags,
2821 const struct nft_set *set,
2822 const struct nft_set_elem *elem)
2824 struct nfgenmsg *nfmsg;
2825 struct nlmsghdr *nlh;
2826 struct nlattr *nest;
2829 event |= NFNL_SUBSYS_NFTABLES << 8;
2830 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2833 goto nla_put_failure;
2835 nfmsg = nlmsg_data(nlh);
2836 nfmsg->nfgen_family = ctx->afi->family;
2837 nfmsg->version = NFNETLINK_V0;
2840 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2841 goto nla_put_failure;
2842 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2843 goto nla_put_failure;
2845 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2847 goto nla_put_failure;
2849 err = nf_tables_fill_setelem(skb, set, elem);
2851 goto nla_put_failure;
2853 nla_nest_end(skb, nest);
2855 return nlmsg_end(skb, nlh);
2858 nlmsg_trim(skb, nlh);
2862 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
2863 const struct nft_set *set,
2864 const struct nft_set_elem *elem,
2865 int event, u16 flags)
2867 const struct sk_buff *oskb = ctx->skb;
2868 struct net *net = sock_net(oskb->sk);
2869 u32 portid = NETLINK_CB(oskb).portid;
2870 bool report = nlmsg_report(ctx->nlh);
2871 struct sk_buff *skb;
2874 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
2878 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2882 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
2889 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
2893 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
2897 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2898 const struct nlattr *attr)
2900 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2901 struct nft_data_desc d1, d2;
2902 struct nft_set_elem elem;
2903 struct nft_set_binding *binding;
2904 enum nft_registers dreg;
2907 if (set->size && set->nelems == set->size)
2910 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2911 nft_set_elem_policy);
2915 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2919 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2920 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2921 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2925 if (set->flags & NFT_SET_MAP) {
2926 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2927 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2929 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
2930 elem.flags & NFT_SET_ELEM_INTERVAL_END)
2933 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2937 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2941 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2945 if (set->ops->get(set, &elem) == 0)
2948 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2949 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2954 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2957 dreg = nft_type_to_reg(set->dtype);
2958 list_for_each_entry(binding, &set->bindings, list) {
2959 struct nft_ctx bind_ctx = {
2961 .table = ctx->table,
2962 .chain = (struct nft_chain *)binding->chain,
2965 err = nft_validate_data_load(&bind_ctx, dreg,
2966 &elem.data, d2.type);
2972 err = set->ops->insert(set, &elem);
2977 nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_NEWSETELEM, 0);
2981 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2982 nft_data_uninit(&elem.data, d2.type);
2984 nft_data_uninit(&elem.key, d1.type);
2989 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2990 const struct nlmsghdr *nlh,
2991 const struct nlattr * const nla[])
2993 const struct nlattr *attr;
2994 struct nft_set *set;
2998 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
3002 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3004 return PTR_ERR(set);
3005 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3008 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3009 err = nft_add_set_elem(&ctx, set, attr);
3016 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
3017 const struct nlattr *attr)
3019 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3020 struct nft_data_desc desc;
3021 struct nft_set_elem elem;
3024 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3025 nft_set_elem_policy);
3030 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3033 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
3038 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3041 err = set->ops->get(set, &elem);
3045 set->ops->remove(set, &elem);
3048 nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_DELSETELEM, 0);
3050 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
3051 if (set->flags & NFT_SET_MAP)
3052 nft_data_uninit(&elem.data, set->dtype);
3055 nft_data_uninit(&elem.key, desc.type);
3060 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3061 const struct nlmsghdr *nlh,
3062 const struct nlattr * const nla[])
3064 const struct nlattr *attr;
3065 struct nft_set *set;
3069 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
3073 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3075 return PTR_ERR(set);
3076 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3079 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3080 err = nft_del_setelem(&ctx, set, attr);
3087 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3088 [NFT_MSG_NEWTABLE] = {
3089 .call = nf_tables_newtable,
3090 .attr_count = NFTA_TABLE_MAX,
3091 .policy = nft_table_policy,
3093 [NFT_MSG_GETTABLE] = {
3094 .call = nf_tables_gettable,
3095 .attr_count = NFTA_TABLE_MAX,
3096 .policy = nft_table_policy,
3098 [NFT_MSG_DELTABLE] = {
3099 .call = nf_tables_deltable,
3100 .attr_count = NFTA_TABLE_MAX,
3101 .policy = nft_table_policy,
3103 [NFT_MSG_NEWCHAIN] = {
3104 .call = nf_tables_newchain,
3105 .attr_count = NFTA_CHAIN_MAX,
3106 .policy = nft_chain_policy,
3108 [NFT_MSG_GETCHAIN] = {
3109 .call = nf_tables_getchain,
3110 .attr_count = NFTA_CHAIN_MAX,
3111 .policy = nft_chain_policy,
3113 [NFT_MSG_DELCHAIN] = {
3114 .call = nf_tables_delchain,
3115 .attr_count = NFTA_CHAIN_MAX,
3116 .policy = nft_chain_policy,
3118 [NFT_MSG_NEWRULE] = {
3119 .call_batch = nf_tables_newrule,
3120 .attr_count = NFTA_RULE_MAX,
3121 .policy = nft_rule_policy,
3123 [NFT_MSG_GETRULE] = {
3124 .call = nf_tables_getrule,
3125 .attr_count = NFTA_RULE_MAX,
3126 .policy = nft_rule_policy,
3128 [NFT_MSG_DELRULE] = {
3129 .call_batch = nf_tables_delrule,
3130 .attr_count = NFTA_RULE_MAX,
3131 .policy = nft_rule_policy,
3133 [NFT_MSG_NEWSET] = {
3134 .call = nf_tables_newset,
3135 .attr_count = NFTA_SET_MAX,
3136 .policy = nft_set_policy,
3138 [NFT_MSG_GETSET] = {
3139 .call = nf_tables_getset,
3140 .attr_count = NFTA_SET_MAX,
3141 .policy = nft_set_policy,
3143 [NFT_MSG_DELSET] = {
3144 .call = nf_tables_delset,
3145 .attr_count = NFTA_SET_MAX,
3146 .policy = nft_set_policy,
3148 [NFT_MSG_NEWSETELEM] = {
3149 .call = nf_tables_newsetelem,
3150 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3151 .policy = nft_set_elem_list_policy,
3153 [NFT_MSG_GETSETELEM] = {
3154 .call = nf_tables_getsetelem,
3155 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3156 .policy = nft_set_elem_list_policy,
3158 [NFT_MSG_DELSETELEM] = {
3159 .call = nf_tables_delsetelem,
3160 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3161 .policy = nft_set_elem_list_policy,
3165 static const struct nfnetlink_subsystem nf_tables_subsys = {
3166 .name = "nf_tables",
3167 .subsys_id = NFNL_SUBSYS_NFTABLES,
3168 .cb_count = NFT_MSG_MAX,
3170 .commit = nf_tables_commit,
3171 .abort = nf_tables_abort,
3175 * Loop detection - walk through the ruleset beginning at the destination chain
3176 * of a new jump until either the source chain is reached (loop) or all
3177 * reachable chains have been traversed.
3179 * The loop check is performed whenever a new jump verdict is added to an
3180 * expression or verdict map or a verdict map is bound to a new chain.
3183 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3184 const struct nft_chain *chain);
3186 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
3187 const struct nft_set *set,
3188 const struct nft_set_iter *iter,
3189 const struct nft_set_elem *elem)
3191 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3194 switch (elem->data.verdict) {
3197 return nf_tables_check_loops(ctx, elem->data.chain);
3203 static int nf_tables_check_loops(const struct nft_ctx *ctx,
3204 const struct nft_chain *chain)
3206 const struct nft_rule *rule;
3207 const struct nft_expr *expr, *last;
3208 const struct nft_set *set;
3209 struct nft_set_binding *binding;
3210 struct nft_set_iter iter;
3212 if (ctx->chain == chain)
3215 list_for_each_entry(rule, &chain->rules, list) {
3216 nft_rule_for_each_expr(expr, last, rule) {
3217 const struct nft_data *data = NULL;
3220 if (!expr->ops->validate)
3223 err = expr->ops->validate(ctx, expr, &data);
3230 switch (data->verdict) {
3233 err = nf_tables_check_loops(ctx, data->chain);
3242 list_for_each_entry(set, &ctx->table->sets, list) {
3243 if (!(set->flags & NFT_SET_MAP) ||
3244 set->dtype != NFT_DATA_VERDICT)
3247 list_for_each_entry(binding, &set->bindings, list) {
3248 if (binding->chain != chain)
3254 iter.fn = nf_tables_loop_check_setelem;
3256 set->ops->walk(ctx, set, &iter);
3266 * nft_validate_input_register - validate an expressions' input register
3268 * @reg: the register number
3270 * Validate that the input register is one of the general purpose
3273 int nft_validate_input_register(enum nft_registers reg)
3275 if (reg <= NFT_REG_VERDICT)
3277 if (reg > NFT_REG_MAX)
3281 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3284 * nft_validate_output_register - validate an expressions' output register
3286 * @reg: the register number
3288 * Validate that the output register is one of the general purpose
3289 * registers or the verdict register.
3291 int nft_validate_output_register(enum nft_registers reg)
3293 if (reg < NFT_REG_VERDICT)
3295 if (reg > NFT_REG_MAX)
3299 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3302 * nft_validate_data_load - validate an expressions' data load
3304 * @ctx: context of the expression performing the load
3305 * @reg: the destination register number
3306 * @data: the data to load
3307 * @type: the data type
3309 * Validate that a data load uses the appropriate data type for
3310 * the destination register. A value of NULL for the data means
3311 * that its runtime gathered data, which is always of type
3314 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3315 const struct nft_data *data,
3316 enum nft_data_types type)
3321 case NFT_REG_VERDICT:
3322 if (data == NULL || type != NFT_DATA_VERDICT)
3325 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3326 err = nf_tables_check_loops(ctx, data->chain);
3330 if (ctx->chain->level + 1 > data->chain->level) {
3331 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3333 data->chain->level = ctx->chain->level + 1;
3339 if (data != NULL && type != NFT_DATA_VALUE)
3344 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3346 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3347 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3348 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3349 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3352 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3353 struct nft_data_desc *desc, const struct nlattr *nla)
3355 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3356 struct nft_chain *chain;
3359 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3363 if (!tb[NFTA_VERDICT_CODE])
3365 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3367 switch (data->verdict) {
3369 switch (data->verdict & NF_VERDICT_MASK) {
3381 desc->len = sizeof(data->verdict);
3385 if (!tb[NFTA_VERDICT_CHAIN])
3387 chain = nf_tables_chain_lookup(ctx->table,
3388 tb[NFTA_VERDICT_CHAIN]);
3390 return PTR_ERR(chain);
3391 if (chain->flags & NFT_BASE_CHAIN)
3395 data->chain = chain;
3396 desc->len = sizeof(data);
3400 desc->type = NFT_DATA_VERDICT;
3404 static void nft_verdict_uninit(const struct nft_data *data)
3406 switch (data->verdict) {
3414 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3416 struct nlattr *nest;
3418 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3420 goto nla_put_failure;
3422 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3423 goto nla_put_failure;
3425 switch (data->verdict) {
3428 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3429 goto nla_put_failure;
3431 nla_nest_end(skb, nest);
3438 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3439 struct nft_data_desc *desc, const struct nlattr *nla)
3446 if (len > sizeof(data->data))
3449 nla_memcpy(data->data, nla, sizeof(data->data));
3450 desc->type = NFT_DATA_VALUE;
3455 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3458 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3461 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3462 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3463 .len = FIELD_SIZEOF(struct nft_data, data) },
3464 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3468 * nft_data_init - parse nf_tables data netlink attributes
3470 * @ctx: context of the expression using the data
3471 * @data: destination struct nft_data
3472 * @desc: data description
3473 * @nla: netlink attribute containing data
3475 * Parse the netlink data attributes and initialize a struct nft_data.
3476 * The type and length of data are returned in the data description.
3478 * The caller can indicate that it only wants to accept data of type
3479 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3481 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3482 struct nft_data_desc *desc, const struct nlattr *nla)
3484 struct nlattr *tb[NFTA_DATA_MAX + 1];
3487 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3491 if (tb[NFTA_DATA_VALUE])
3492 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3493 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3494 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3497 EXPORT_SYMBOL_GPL(nft_data_init);
3500 * nft_data_uninit - release a nft_data item
3502 * @data: struct nft_data to release
3503 * @type: type of data
3505 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3506 * all others need to be released by calling this function.
3508 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3511 case NFT_DATA_VALUE:
3513 case NFT_DATA_VERDICT:
3514 return nft_verdict_uninit(data);
3519 EXPORT_SYMBOL_GPL(nft_data_uninit);
3521 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3522 enum nft_data_types type, unsigned int len)
3524 struct nlattr *nest;
3527 nest = nla_nest_start(skb, attr);
3532 case NFT_DATA_VALUE:
3533 err = nft_value_dump(skb, data, len);
3535 case NFT_DATA_VERDICT:
3536 err = nft_verdict_dump(skb, data);
3543 nla_nest_end(skb, nest);
3546 EXPORT_SYMBOL_GPL(nft_data_dump);
3548 static int nf_tables_init_net(struct net *net)
3550 INIT_LIST_HEAD(&net->nft.af_info);
3551 INIT_LIST_HEAD(&net->nft.commit_list);
3555 static struct pernet_operations nf_tables_net_ops = {
3556 .init = nf_tables_init_net,
3559 static int __init nf_tables_module_init(void)
3563 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3570 err = nf_tables_core_module_init();
3574 err = nfnetlink_subsys_register(&nf_tables_subsys);
3578 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3579 return register_pernet_subsys(&nf_tables_net_ops);
3581 nf_tables_core_module_exit();
3588 static void __exit nf_tables_module_exit(void)
3590 unregister_pernet_subsys(&nf_tables_net_ops);
3591 nfnetlink_subsys_unregister(&nf_tables_subsys);
3592 nf_tables_core_module_exit();
3596 module_init(nf_tables_module_init);
3597 module_exit(nf_tables_module_exit);
3599 MODULE_LICENSE("GPL");
3600 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3601 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / firefly-linux-kernel-4.4.55.git / blob