2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
95 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
96 const struct nlattr *nla)
98 struct nft_table *table;
100 list_for_each_entry(table, &afi->tables, list) {
101 if (!nla_strcmp(nla, table->name))
107 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
108 const struct nlattr *nla)
110 struct nft_table *table;
113 return ERR_PTR(-EINVAL);
115 table = nft_table_lookup(afi, nla);
119 return ERR_PTR(-ENOENT);
122 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
124 return ++table->hgenerator;
127 static struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
129 static int __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
133 for (i=0; i<NFT_CHAIN_T_MAX; i++) {
134 if (chain_type[family][i] != NULL &&
135 !nla_strcmp(nla, chain_type[family][i]->name))
141 static int nf_tables_chain_type_lookup(const struct nft_af_info *afi,
142 const struct nlattr *nla,
147 type = __nf_tables_chain_type_lookup(afi->family, nla);
148 #ifdef CONFIG_MODULES
149 if (type < 0 && autoload) {
150 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
151 request_module("nft-chain-%u-%*.s", afi->family,
152 nla_len(nla)-1, (const char *)nla_data(nla));
153 nfnl_lock(NFNL_SUBSYS_NFTABLES);
154 type = __nf_tables_chain_type_lookup(afi->family, nla);
160 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
161 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
162 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
165 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
166 int event, u32 flags, int family,
167 const struct nft_table *table)
169 struct nlmsghdr *nlh;
170 struct nfgenmsg *nfmsg;
172 event |= NFNL_SUBSYS_NFTABLES << 8;
173 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
175 goto nla_put_failure;
177 nfmsg = nlmsg_data(nlh);
178 nfmsg->nfgen_family = family;
179 nfmsg->version = NFNETLINK_V0;
182 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
183 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)))
184 goto nla_put_failure;
186 return nlmsg_end(skb, nlh);
189 nlmsg_trim(skb, nlh);
193 static int nf_tables_table_notify(const struct sk_buff *oskb,
194 const struct nlmsghdr *nlh,
195 const struct nft_table *table,
196 int event, int family)
199 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
200 u32 seq = nlh ? nlh->nlmsg_seq : 0;
201 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
205 report = nlh ? nlmsg_report(nlh) : false;
206 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
210 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
214 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
221 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
225 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
229 static int nf_tables_dump_tables(struct sk_buff *skb,
230 struct netlink_callback *cb)
232 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
233 const struct nft_af_info *afi;
234 const struct nft_table *table;
235 unsigned int idx = 0, s_idx = cb->args[0];
236 struct net *net = sock_net(skb->sk);
237 int family = nfmsg->nfgen_family;
239 list_for_each_entry(afi, &net->nft.af_info, list) {
240 if (family != NFPROTO_UNSPEC && family != afi->family)
243 list_for_each_entry(table, &afi->tables, list) {
247 memset(&cb->args[1], 0,
248 sizeof(cb->args) - sizeof(cb->args[0]));
249 if (nf_tables_fill_table_info(skb,
250 NETLINK_CB(cb->skb).portid,
254 afi->family, table) < 0)
265 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
266 const struct nlmsghdr *nlh,
267 const struct nlattr * const nla[])
269 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
270 const struct nft_af_info *afi;
271 const struct nft_table *table;
272 struct sk_buff *skb2;
273 struct net *net = sock_net(skb->sk);
274 int family = nfmsg->nfgen_family;
277 if (nlh->nlmsg_flags & NLM_F_DUMP) {
278 struct netlink_dump_control c = {
279 .dump = nf_tables_dump_tables,
281 return netlink_dump_start(nlsk, skb, nlh, &c);
284 afi = nf_tables_afinfo_lookup(net, family, false);
288 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
290 return PTR_ERR(table);
292 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
296 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
297 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
302 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
309 static int nf_tables_table_enable(struct nft_table *table)
311 struct nft_chain *chain;
314 list_for_each_entry(chain, &table->chains, list) {
315 err = nf_register_hook(&nft_base_chain(chain)->ops);
323 list_for_each_entry(chain, &table->chains, list) {
327 nf_unregister_hook(&nft_base_chain(chain)->ops);
332 static int nf_tables_table_disable(struct nft_table *table)
334 struct nft_chain *chain;
336 list_for_each_entry(chain, &table->chains, list)
337 nf_unregister_hook(&nft_base_chain(chain)->ops);
342 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
343 const struct nlmsghdr *nlh,
344 const struct nlattr * const nla[],
345 struct nft_af_info *afi, struct nft_table *table)
347 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
348 int family = nfmsg->nfgen_family, ret = 0;
350 if (nla[NFTA_TABLE_FLAGS]) {
353 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
354 if (flags & ~NFT_TABLE_F_DORMANT)
357 if ((flags & NFT_TABLE_F_DORMANT) &&
358 !(table->flags & NFT_TABLE_F_DORMANT)) {
359 ret = nf_tables_table_disable(table);
361 table->flags |= NFT_TABLE_F_DORMANT;
362 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
363 table->flags & NFT_TABLE_F_DORMANT) {
364 ret = nf_tables_table_enable(table);
366 table->flags &= ~NFT_TABLE_F_DORMANT;
372 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
377 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
378 const struct nlmsghdr *nlh,
379 const struct nlattr * const nla[])
381 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
382 const struct nlattr *name;
383 struct nft_af_info *afi;
384 struct nft_table *table;
385 struct net *net = sock_net(skb->sk);
386 int family = nfmsg->nfgen_family;
388 afi = nf_tables_afinfo_lookup(net, family, true);
392 name = nla[NFTA_TABLE_NAME];
393 table = nf_tables_table_lookup(afi, name);
395 if (PTR_ERR(table) != -ENOENT)
396 return PTR_ERR(table);
401 if (nlh->nlmsg_flags & NLM_F_EXCL)
403 if (nlh->nlmsg_flags & NLM_F_REPLACE)
405 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
408 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
412 nla_strlcpy(table->name, name, nla_len(name));
413 INIT_LIST_HEAD(&table->chains);
414 INIT_LIST_HEAD(&table->sets);
416 if (nla[NFTA_TABLE_FLAGS]) {
419 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
420 if (flags & ~NFT_TABLE_F_DORMANT) {
425 table->flags |= flags;
428 list_add_tail(&table->list, &afi->tables);
429 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
433 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
434 const struct nlmsghdr *nlh,
435 const struct nlattr * const nla[])
437 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
438 struct nft_af_info *afi;
439 struct nft_table *table;
440 struct net *net = sock_net(skb->sk);
441 int family = nfmsg->nfgen_family;
443 afi = nf_tables_afinfo_lookup(net, family, false);
447 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
449 return PTR_ERR(table);
454 list_del(&table->list);
455 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
460 int nft_register_chain_type(struct nf_chain_type *ctype)
464 nfnl_lock(NFNL_SUBSYS_NFTABLES);
465 if (chain_type[ctype->family][ctype->type] != NULL) {
470 if (!try_module_get(ctype->me))
473 chain_type[ctype->family][ctype->type] = ctype;
475 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
478 EXPORT_SYMBOL_GPL(nft_register_chain_type);
480 void nft_unregister_chain_type(struct nf_chain_type *ctype)
482 nfnl_lock(NFNL_SUBSYS_NFTABLES);
483 chain_type[ctype->family][ctype->type] = NULL;
484 module_put(ctype->me);
485 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
487 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
493 static struct nft_chain *
494 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
496 struct nft_chain *chain;
498 list_for_each_entry(chain, &table->chains, list) {
499 if (chain->handle == handle)
503 return ERR_PTR(-ENOENT);
506 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
507 const struct nlattr *nla)
509 struct nft_chain *chain;
512 return ERR_PTR(-EINVAL);
514 list_for_each_entry(chain, &table->chains, list) {
515 if (!nla_strcmp(nla, chain->name))
519 return ERR_PTR(-ENOENT);
522 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
523 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
524 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
525 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
526 .len = NFT_CHAIN_MAXNAMELEN - 1 },
527 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
528 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
529 [NFTA_CHAIN_TYPE] = { .type = NLA_NUL_STRING },
530 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
533 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
534 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
535 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
538 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
540 struct nft_stats *cpu_stats, total;
544 memset(&total, 0, sizeof(total));
545 for_each_possible_cpu(cpu) {
546 cpu_stats = per_cpu_ptr(stats, cpu);
547 total.pkts += cpu_stats->pkts;
548 total.bytes += cpu_stats->bytes;
550 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
552 goto nla_put_failure;
554 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
555 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
556 goto nla_put_failure;
558 nla_nest_end(skb, nest);
565 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
566 int event, u32 flags, int family,
567 const struct nft_table *table,
568 const struct nft_chain *chain)
570 struct nlmsghdr *nlh;
571 struct nfgenmsg *nfmsg;
573 event |= NFNL_SUBSYS_NFTABLES << 8;
574 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
576 goto nla_put_failure;
578 nfmsg = nlmsg_data(nlh);
579 nfmsg->nfgen_family = family;
580 nfmsg->version = NFNETLINK_V0;
583 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
584 goto nla_put_failure;
585 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
586 goto nla_put_failure;
587 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
588 goto nla_put_failure;
590 if (chain->flags & NFT_BASE_CHAIN) {
591 const struct nft_base_chain *basechain = nft_base_chain(chain);
592 const struct nf_hook_ops *ops = &basechain->ops;
595 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
597 goto nla_put_failure;
598 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
599 goto nla_put_failure;
600 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
601 goto nla_put_failure;
602 nla_nest_end(skb, nest);
604 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
605 htonl(basechain->policy)))
606 goto nla_put_failure;
608 if (nla_put_string(skb, NFTA_CHAIN_TYPE,
609 chain_type[ops->pf][nft_base_chain(chain)->type]->name))
610 goto nla_put_failure;
612 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
613 goto nla_put_failure;
616 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
617 goto nla_put_failure;
619 return nlmsg_end(skb, nlh);
622 nlmsg_trim(skb, nlh);
626 static int nf_tables_chain_notify(const struct sk_buff *oskb,
627 const struct nlmsghdr *nlh,
628 const struct nft_table *table,
629 const struct nft_chain *chain,
630 int event, int family)
633 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
634 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
635 u32 seq = nlh ? nlh->nlmsg_seq : 0;
639 report = nlh ? nlmsg_report(nlh) : false;
640 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
644 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
648 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
655 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
659 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
663 static int nf_tables_dump_chains(struct sk_buff *skb,
664 struct netlink_callback *cb)
666 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
667 const struct nft_af_info *afi;
668 const struct nft_table *table;
669 const struct nft_chain *chain;
670 unsigned int idx = 0, s_idx = cb->args[0];
671 struct net *net = sock_net(skb->sk);
672 int family = nfmsg->nfgen_family;
674 list_for_each_entry(afi, &net->nft.af_info, list) {
675 if (family != NFPROTO_UNSPEC && family != afi->family)
678 list_for_each_entry(table, &afi->tables, list) {
679 list_for_each_entry(chain, &table->chains, list) {
683 memset(&cb->args[1], 0,
684 sizeof(cb->args) - sizeof(cb->args[0]));
685 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
689 afi->family, table, chain) < 0)
702 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
703 const struct nlmsghdr *nlh,
704 const struct nlattr * const nla[])
706 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
707 const struct nft_af_info *afi;
708 const struct nft_table *table;
709 const struct nft_chain *chain;
710 struct sk_buff *skb2;
711 struct net *net = sock_net(skb->sk);
712 int family = nfmsg->nfgen_family;
715 if (nlh->nlmsg_flags & NLM_F_DUMP) {
716 struct netlink_dump_control c = {
717 .dump = nf_tables_dump_chains,
719 return netlink_dump_start(nlsk, skb, nlh, &c);
722 afi = nf_tables_afinfo_lookup(net, family, false);
726 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
728 return PTR_ERR(table);
730 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
732 return PTR_ERR(chain);
734 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
738 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
739 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
740 family, table, chain);
744 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
752 nf_tables_chain_policy(struct nft_base_chain *chain, const struct nlattr *attr)
754 switch (ntohl(nla_get_be32(attr))) {
756 chain->policy = NF_DROP;
759 chain->policy = NF_ACCEPT;
767 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
768 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
769 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
773 nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
775 struct nlattr *tb[NFTA_COUNTER_MAX+1];
776 struct nft_stats __percpu *newstats;
777 struct nft_stats *stats;
780 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
784 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
787 newstats = alloc_percpu(struct nft_stats);
788 if (newstats == NULL)
791 /* Restore old counters on this cpu, no problem. Per-cpu statistics
792 * are not exposed to userspace.
794 stats = this_cpu_ptr(newstats);
795 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
796 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
799 /* nfnl_lock is held, add some nfnl function for this, later */
800 struct nft_stats __percpu *oldstats =
801 rcu_dereference_protected(chain->stats, 1);
803 rcu_assign_pointer(chain->stats, newstats);
805 free_percpu(oldstats);
807 rcu_assign_pointer(chain->stats, newstats);
812 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
813 const struct nlmsghdr *nlh,
814 const struct nlattr * const nla[])
816 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
817 const struct nlattr * uninitialized_var(name);
818 const struct nft_af_info *afi;
819 struct nft_table *table;
820 struct nft_chain *chain;
821 struct nft_base_chain *basechain = NULL;
822 struct nlattr *ha[NFTA_HOOK_MAX + 1];
823 struct net *net = sock_net(skb->sk);
824 int family = nfmsg->nfgen_family;
829 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
831 afi = nf_tables_afinfo_lookup(net, family, true);
835 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
837 return PTR_ERR(table);
839 if (table->use == UINT_MAX)
843 name = nla[NFTA_CHAIN_NAME];
845 if (nla[NFTA_CHAIN_HANDLE]) {
846 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
847 chain = nf_tables_chain_lookup_byhandle(table, handle);
849 return PTR_ERR(chain);
851 chain = nf_tables_chain_lookup(table, name);
853 if (PTR_ERR(chain) != -ENOENT)
854 return PTR_ERR(chain);
860 if (nlh->nlmsg_flags & NLM_F_EXCL)
862 if (nlh->nlmsg_flags & NLM_F_REPLACE)
865 if (nla[NFTA_CHAIN_HANDLE] && name &&
866 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
869 if (nla[NFTA_CHAIN_POLICY]) {
870 if (!(chain->flags & NFT_BASE_CHAIN))
873 err = nf_tables_chain_policy(nft_base_chain(chain),
874 nla[NFTA_CHAIN_POLICY]);
879 if (nla[NFTA_CHAIN_COUNTERS]) {
880 if (!(chain->flags & NFT_BASE_CHAIN))
883 err = nf_tables_counters(nft_base_chain(chain),
884 nla[NFTA_CHAIN_COUNTERS]);
889 if (nla[NFTA_CHAIN_HANDLE] && name)
890 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
895 if (nla[NFTA_CHAIN_HOOK]) {
896 struct nf_hook_ops *ops;
899 int type = NFT_CHAIN_T_DEFAULT;
901 if (nla[NFTA_CHAIN_TYPE]) {
902 type = nf_tables_chain_type_lookup(afi,
903 nla[NFTA_CHAIN_TYPE],
909 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
913 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
914 ha[NFTA_HOOK_PRIORITY] == NULL)
917 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
918 if (hooknum >= afi->nhooks)
921 hookfn = chain_type[family][type]->fn[hooknum];
925 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
926 if (basechain == NULL)
929 basechain->type = type;
930 chain = &basechain->chain;
932 ops = &basechain->ops;
934 ops->owner = afi->owner;
935 ops->hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
936 ops->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
939 if (afi->hooks[ops->hooknum])
940 ops->hook = afi->hooks[ops->hooknum];
942 chain->flags |= NFT_BASE_CHAIN;
944 if (nla[NFTA_CHAIN_POLICY]) {
945 err = nf_tables_chain_policy(basechain,
946 nla[NFTA_CHAIN_POLICY]);
948 free_percpu(basechain->stats);
953 basechain->policy = NF_ACCEPT;
955 if (nla[NFTA_CHAIN_COUNTERS]) {
956 err = nf_tables_counters(basechain,
957 nla[NFTA_CHAIN_COUNTERS]);
959 free_percpu(basechain->stats);
964 struct nft_stats __percpu *newstats;
966 newstats = alloc_percpu(struct nft_stats);
967 if (newstats == NULL)
970 rcu_assign_pointer(nft_base_chain(chain)->stats,
974 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
979 INIT_LIST_HEAD(&chain->rules);
980 chain->handle = nf_tables_alloc_handle(table);
982 chain->table = table;
983 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
985 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
986 chain->flags & NFT_BASE_CHAIN) {
987 err = nf_register_hook(&nft_base_chain(chain)->ops);
989 free_percpu(basechain->stats);
994 list_add_tail(&chain->list, &table->chains);
997 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
1002 static void nf_tables_rcu_chain_destroy(struct rcu_head *head)
1004 struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head);
1006 BUG_ON(chain->use > 0);
1008 if (chain->flags & NFT_BASE_CHAIN) {
1009 free_percpu(nft_base_chain(chain)->stats);
1010 kfree(nft_base_chain(chain));
1015 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1016 const struct nlmsghdr *nlh,
1017 const struct nlattr * const nla[])
1019 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1020 const struct nft_af_info *afi;
1021 struct nft_table *table;
1022 struct nft_chain *chain;
1023 struct net *net = sock_net(skb->sk);
1024 int family = nfmsg->nfgen_family;
1026 afi = nf_tables_afinfo_lookup(net, family, false);
1028 return PTR_ERR(afi);
1030 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1032 return PTR_ERR(table);
1034 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1036 return PTR_ERR(chain);
1038 if (!list_empty(&chain->rules))
1041 list_del(&chain->list);
1044 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1045 chain->flags & NFT_BASE_CHAIN)
1046 nf_unregister_hook(&nft_base_chain(chain)->ops);
1048 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1051 /* Make sure all rule references are gone before this is released */
1052 call_rcu(&chain->rcu_head, nf_tables_rcu_chain_destroy);
1056 static void nft_ctx_init(struct nft_ctx *ctx,
1057 const struct sk_buff *skb,
1058 const struct nlmsghdr *nlh,
1059 const struct nft_af_info *afi,
1060 const struct nft_table *table,
1061 const struct nft_chain *chain,
1062 const struct nlattr * const *nla)
1064 ctx->net = sock_net(skb->sk);
1078 * nft_register_expr - register nf_tables expr type
1081 * Registers the expr type for use with nf_tables. Returns zero on
1082 * success or a negative errno code otherwise.
1084 int nft_register_expr(struct nft_expr_type *type)
1086 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1087 list_add_tail(&type->list, &nf_tables_expressions);
1088 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1091 EXPORT_SYMBOL_GPL(nft_register_expr);
1094 * nft_unregister_expr - unregister nf_tables expr type
1097 * Unregisters the expr typefor use with nf_tables.
1099 void nft_unregister_expr(struct nft_expr_type *type)
1101 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1102 list_del(&type->list);
1103 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1105 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1107 static const struct nft_expr_type *__nft_expr_type_get(struct nlattr *nla)
1109 const struct nft_expr_type *type;
1111 list_for_each_entry(type, &nf_tables_expressions, list) {
1112 if (!nla_strcmp(nla, type->name))
1118 static const struct nft_expr_type *nft_expr_type_get(struct nlattr *nla)
1120 const struct nft_expr_type *type;
1123 return ERR_PTR(-EINVAL);
1125 type = __nft_expr_type_get(nla);
1126 if (type != NULL && try_module_get(type->owner))
1129 #ifdef CONFIG_MODULES
1131 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1132 request_module("nft-expr-%.*s",
1133 nla_len(nla), (char *)nla_data(nla));
1134 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1135 if (__nft_expr_type_get(nla))
1136 return ERR_PTR(-EAGAIN);
1139 return ERR_PTR(-ENOENT);
1142 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1143 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1144 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1147 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1148 const struct nft_expr *expr)
1150 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1151 goto nla_put_failure;
1153 if (expr->ops->dump) {
1154 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1156 goto nla_put_failure;
1157 if (expr->ops->dump(skb, expr) < 0)
1158 goto nla_put_failure;
1159 nla_nest_end(skb, data);
1168 struct nft_expr_info {
1169 const struct nft_expr_ops *ops;
1170 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1173 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1174 const struct nlattr *nla,
1175 struct nft_expr_info *info)
1177 const struct nft_expr_type *type;
1178 const struct nft_expr_ops *ops;
1179 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1182 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1186 type = nft_expr_type_get(tb[NFTA_EXPR_NAME]);
1188 return PTR_ERR(type);
1190 if (tb[NFTA_EXPR_DATA]) {
1191 err = nla_parse_nested(info->tb, type->maxattr,
1192 tb[NFTA_EXPR_DATA], type->policy);
1196 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1198 if (type->select_ops != NULL) {
1199 ops = type->select_ops(ctx,
1200 (const struct nlattr * const *)info->tb);
1212 module_put(type->owner);
1216 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1217 const struct nft_expr_info *info,
1218 struct nft_expr *expr)
1220 const struct nft_expr_ops *ops = info->ops;
1225 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1237 static void nf_tables_expr_destroy(struct nft_expr *expr)
1239 if (expr->ops->destroy)
1240 expr->ops->destroy(expr);
1241 module_put(expr->ops->type->owner);
1248 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1251 struct nft_rule *rule;
1253 // FIXME: this sucks
1254 list_for_each_entry(rule, &chain->rules, list) {
1255 if (handle == rule->handle)
1259 return ERR_PTR(-ENOENT);
1262 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1263 const struct nlattr *nla)
1266 return ERR_PTR(-EINVAL);
1268 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1271 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1272 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1273 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1274 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1275 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1276 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1277 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1278 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1281 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1282 int event, u32 flags, int family,
1283 const struct nft_table *table,
1284 const struct nft_chain *chain,
1285 const struct nft_rule *rule)
1287 struct nlmsghdr *nlh;
1288 struct nfgenmsg *nfmsg;
1289 const struct nft_expr *expr, *next;
1290 struct nlattr *list;
1291 const struct nft_rule *prule;
1292 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1294 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1297 goto nla_put_failure;
1299 nfmsg = nlmsg_data(nlh);
1300 nfmsg->nfgen_family = family;
1301 nfmsg->version = NFNETLINK_V0;
1304 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1305 goto nla_put_failure;
1306 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1307 goto nla_put_failure;
1308 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1309 goto nla_put_failure;
1311 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1312 prule = list_entry(rule->list.prev, struct nft_rule, list);
1313 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1314 cpu_to_be64(prule->handle)))
1315 goto nla_put_failure;
1318 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1320 goto nla_put_failure;
1321 nft_rule_for_each_expr(expr, next, rule) {
1322 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1324 goto nla_put_failure;
1325 if (nf_tables_fill_expr_info(skb, expr) < 0)
1326 goto nla_put_failure;
1327 nla_nest_end(skb, elem);
1329 nla_nest_end(skb, list);
1331 return nlmsg_end(skb, nlh);
1334 nlmsg_trim(skb, nlh);
1338 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1339 const struct nlmsghdr *nlh,
1340 const struct nft_table *table,
1341 const struct nft_chain *chain,
1342 const struct nft_rule *rule,
1343 int event, u32 flags, int family)
1345 struct sk_buff *skb;
1346 u32 portid = NETLINK_CB(oskb).portid;
1347 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1348 u32 seq = nlh->nlmsg_seq;
1352 report = nlmsg_report(nlh);
1353 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1357 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1361 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1362 family, table, chain, rule);
1368 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1372 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1377 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1379 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1382 static inline int gencursor_next(struct net *net)
1384 return net->nft.gencursor+1 == 1 ? 1 : 0;
1388 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1390 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1394 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1396 /* Now inactive, will be active in the future */
1397 rule->genmask = (1 << net->nft.gencursor);
1401 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1403 rule->genmask = (1 << gencursor_next(net));
1406 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1411 static int nf_tables_dump_rules(struct sk_buff *skb,
1412 struct netlink_callback *cb)
1414 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1415 const struct nft_af_info *afi;
1416 const struct nft_table *table;
1417 const struct nft_chain *chain;
1418 const struct nft_rule *rule;
1419 unsigned int idx = 0, s_idx = cb->args[0];
1420 struct net *net = sock_net(skb->sk);
1421 int family = nfmsg->nfgen_family;
1422 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1423 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1425 list_for_each_entry(afi, &net->nft.af_info, list) {
1426 if (family != NFPROTO_UNSPEC && family != afi->family)
1429 list_for_each_entry(table, &afi->tables, list) {
1430 list_for_each_entry(chain, &table->chains, list) {
1431 list_for_each_entry(rule, &chain->rules, list) {
1432 if (!nft_rule_is_active(net, rule))
1437 memset(&cb->args[1], 0,
1438 sizeof(cb->args) - sizeof(cb->args[0]));
1439 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1442 NLM_F_MULTI | NLM_F_APPEND,
1443 afi->family, table, chain, rule) < 0)
1452 /* Invalidate this dump, a transition to the new generation happened */
1453 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1460 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1461 const struct nlmsghdr *nlh,
1462 const struct nlattr * const nla[])
1464 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1465 const struct nft_af_info *afi;
1466 const struct nft_table *table;
1467 const struct nft_chain *chain;
1468 const struct nft_rule *rule;
1469 struct sk_buff *skb2;
1470 struct net *net = sock_net(skb->sk);
1471 int family = nfmsg->nfgen_family;
1474 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1475 struct netlink_dump_control c = {
1476 .dump = nf_tables_dump_rules,
1478 return netlink_dump_start(nlsk, skb, nlh, &c);
1481 afi = nf_tables_afinfo_lookup(net, family, false);
1483 return PTR_ERR(afi);
1485 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1487 return PTR_ERR(table);
1489 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1491 return PTR_ERR(chain);
1493 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1495 return PTR_ERR(rule);
1497 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1501 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1502 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1503 family, table, chain, rule);
1507 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1514 static void nf_tables_rcu_rule_destroy(struct rcu_head *head)
1516 struct nft_rule *rule = container_of(head, struct nft_rule, rcu_head);
1517 struct nft_expr *expr;
1520 * Careful: some expressions might not be initialized in case this
1521 * is called on error from nf_tables_newrule().
1523 expr = nft_expr_first(rule);
1524 while (expr->ops && expr != nft_expr_last(rule)) {
1525 nf_tables_expr_destroy(expr);
1526 expr = nft_expr_next(expr);
1531 static void nf_tables_rule_destroy(struct nft_rule *rule)
1533 call_rcu(&rule->rcu_head, nf_tables_rcu_rule_destroy);
1536 #define NFT_RULE_MAXEXPRS 128
1538 static struct nft_expr_info *info;
1540 static struct nft_rule_trans *
1541 nf_tables_trans_add(struct nft_rule *rule, const struct nft_ctx *ctx)
1543 struct nft_rule_trans *rupd;
1545 rupd = kmalloc(sizeof(struct nft_rule_trans), GFP_KERNEL);
1549 rupd->chain = ctx->chain;
1550 rupd->table = ctx->table;
1552 rupd->family = ctx->afi->family;
1553 rupd->nlh = ctx->nlh;
1554 list_add_tail(&rupd->list, &ctx->net->nft.commit_list);
1559 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1560 const struct nlmsghdr *nlh,
1561 const struct nlattr * const nla[])
1563 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1564 const struct nft_af_info *afi;
1565 struct net *net = sock_net(skb->sk);
1566 struct nft_table *table;
1567 struct nft_chain *chain;
1568 struct nft_rule *rule, *old_rule = NULL;
1569 struct nft_rule_trans *repl = NULL;
1570 struct nft_expr *expr;
1573 unsigned int size, i, n;
1576 u64 handle, pos_handle;
1578 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1580 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1582 return PTR_ERR(afi);
1584 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1586 return PTR_ERR(table);
1588 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1590 return PTR_ERR(chain);
1592 if (nla[NFTA_RULE_HANDLE]) {
1593 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1594 rule = __nf_tables_rule_lookup(chain, handle);
1596 return PTR_ERR(rule);
1598 if (nlh->nlmsg_flags & NLM_F_EXCL)
1600 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1605 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1607 handle = nf_tables_alloc_handle(table);
1610 if (nla[NFTA_RULE_POSITION]) {
1611 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1614 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1615 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1616 if (IS_ERR(old_rule))
1617 return PTR_ERR(old_rule);
1620 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1624 if (nla[NFTA_RULE_EXPRESSIONS]) {
1625 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1627 if (nla_type(tmp) != NFTA_LIST_ELEM)
1629 if (n == NFT_RULE_MAXEXPRS)
1631 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1634 size += info[n].ops->size;
1640 rule = kzalloc(sizeof(*rule) + size, GFP_KERNEL);
1644 nft_rule_activate_next(net, rule);
1646 rule->handle = handle;
1649 expr = nft_expr_first(rule);
1650 for (i = 0; i < n; i++) {
1651 err = nf_tables_newexpr(&ctx, &info[i], expr);
1655 expr = nft_expr_next(expr);
1658 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1659 if (nft_rule_is_active_next(net, old_rule)) {
1660 repl = nf_tables_trans_add(old_rule, &ctx);
1665 nft_rule_disactivate_next(net, old_rule);
1666 list_add_tail(&rule->list, &old_rule->list);
1671 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1673 list_add_rcu(&rule->list, &old_rule->list);
1675 list_add_tail_rcu(&rule->list, &chain->rules);
1678 list_add_tail_rcu(&rule->list, &old_rule->list);
1680 list_add_rcu(&rule->list, &chain->rules);
1683 if (nf_tables_trans_add(rule, &ctx) == NULL) {
1690 list_del_rcu(&rule->list);
1692 list_del_rcu(&repl->rule->list);
1693 list_del(&repl->list);
1694 nft_rule_clear(net, repl->rule);
1698 nf_tables_rule_destroy(rule);
1700 for (i = 0; i < n; i++) {
1701 if (info[i].ops != NULL)
1702 module_put(info[i].ops->type->owner);
1708 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1710 /* You cannot delete the same rule twice */
1711 if (nft_rule_is_active_next(ctx->net, rule)) {
1712 if (nf_tables_trans_add(rule, ctx) == NULL)
1714 nft_rule_disactivate_next(ctx->net, rule);
1720 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1722 struct nft_rule *rule;
1725 list_for_each_entry(rule, &ctx->chain->rules, list) {
1726 err = nf_tables_delrule_one(ctx, rule);
1733 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1734 const struct nlmsghdr *nlh,
1735 const struct nlattr * const nla[])
1737 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1738 const struct nft_af_info *afi;
1739 struct net *net = sock_net(skb->sk);
1740 const struct nft_table *table;
1741 struct nft_chain *chain = NULL;
1742 struct nft_rule *rule;
1743 int family = nfmsg->nfgen_family, err = 0;
1746 afi = nf_tables_afinfo_lookup(net, family, false);
1748 return PTR_ERR(afi);
1750 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1752 return PTR_ERR(table);
1754 if (nla[NFTA_RULE_CHAIN]) {
1755 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1757 return PTR_ERR(chain);
1760 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1763 if (nla[NFTA_RULE_HANDLE]) {
1764 rule = nf_tables_rule_lookup(chain,
1765 nla[NFTA_RULE_HANDLE]);
1767 return PTR_ERR(rule);
1769 err = nf_tables_delrule_one(&ctx, rule);
1771 err = nf_table_delrule_by_chain(&ctx);
1774 list_for_each_entry(chain, &table->chains, list) {
1776 err = nf_table_delrule_by_chain(&ctx);
1785 static int nf_tables_commit(struct sk_buff *skb)
1787 struct net *net = sock_net(skb->sk);
1788 struct nft_rule_trans *rupd, *tmp;
1790 /* Bump generation counter, invalidate any dump in progress */
1793 /* A new generation has just started */
1794 net->nft.gencursor = gencursor_next(net);
1796 /* Make sure all packets have left the previous generation before
1797 * purging old rules.
1801 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1802 /* Delete this rule from the dirty list */
1803 list_del(&rupd->list);
1805 /* This rule was inactive in the past and just became active.
1806 * Clear the next bit of the genmask since its meaning has
1807 * changed, now it is the future.
1809 if (nft_rule_is_active(net, rupd->rule)) {
1810 nft_rule_clear(net, rupd->rule);
1811 nf_tables_rule_notify(skb, rupd->nlh, rupd->table,
1812 rupd->chain, rupd->rule,
1819 /* This rule is in the past, get rid of it */
1820 list_del_rcu(&rupd->rule->list);
1821 nf_tables_rule_notify(skb, rupd->nlh, rupd->table, rupd->chain,
1822 rupd->rule, NFT_MSG_DELRULE, 0,
1824 nf_tables_rule_destroy(rupd->rule);
1831 static int nf_tables_abort(struct sk_buff *skb)
1833 struct net *net = sock_net(skb->sk);
1834 struct nft_rule_trans *rupd, *tmp;
1836 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1837 /* Delete all rules from the dirty list */
1838 list_del(&rupd->list);
1840 if (!nft_rule_is_active_next(net, rupd->rule)) {
1841 nft_rule_clear(net, rupd->rule);
1846 /* This rule is inactive, get rid of it */
1847 list_del_rcu(&rupd->rule->list);
1848 nf_tables_rule_destroy(rupd->rule);
1858 static LIST_HEAD(nf_tables_set_ops);
1860 int nft_register_set(struct nft_set_ops *ops)
1862 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1863 list_add_tail(&ops->list, &nf_tables_set_ops);
1864 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1867 EXPORT_SYMBOL_GPL(nft_register_set);
1869 void nft_unregister_set(struct nft_set_ops *ops)
1871 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1872 list_del(&ops->list);
1873 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1875 EXPORT_SYMBOL_GPL(nft_unregister_set);
1877 static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const nla[])
1879 const struct nft_set_ops *ops;
1882 #ifdef CONFIG_MODULES
1883 if (list_empty(&nf_tables_set_ops)) {
1884 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1885 request_module("nft-set");
1886 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1887 if (!list_empty(&nf_tables_set_ops))
1888 return ERR_PTR(-EAGAIN);
1892 if (nla[NFTA_SET_FLAGS] != NULL) {
1893 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1894 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1897 // FIXME: implement selection properly
1898 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1899 if ((ops->features & features) != features)
1901 if (!try_module_get(ops->owner))
1906 return ERR_PTR(-EOPNOTSUPP);
1909 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1910 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1911 [NFTA_SET_NAME] = { .type = NLA_STRING },
1912 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1913 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1914 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1915 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1916 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1919 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1920 const struct sk_buff *skb,
1921 const struct nlmsghdr *nlh,
1922 const struct nlattr * const nla[])
1924 struct net *net = sock_net(skb->sk);
1925 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1926 const struct nft_af_info *afi;
1927 const struct nft_table *table = NULL;
1929 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1931 return PTR_ERR(afi);
1933 if (nla[NFTA_SET_TABLE] != NULL) {
1934 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
1936 return PTR_ERR(table);
1939 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
1943 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1944 const struct nlattr *nla)
1946 struct nft_set *set;
1949 return ERR_PTR(-EINVAL);
1951 list_for_each_entry(set, &table->sets, list) {
1952 if (!nla_strcmp(nla, set->name))
1955 return ERR_PTR(-ENOENT);
1958 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
1961 const struct nft_set *i;
1963 unsigned long *inuse;
1966 p = strnchr(name, IFNAMSIZ, '%');
1968 if (p[1] != 'd' || strchr(p + 2, '%'))
1971 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
1975 list_for_each_entry(i, &ctx->table->sets, list) {
1976 if (!sscanf(i->name, name, &n))
1978 if (n < 0 || n > BITS_PER_LONG * PAGE_SIZE)
1983 n = find_first_zero_bit(inuse, BITS_PER_LONG * PAGE_SIZE);
1984 free_page((unsigned long)inuse);
1987 snprintf(set->name, sizeof(set->name), name, n);
1988 list_for_each_entry(i, &ctx->table->sets, list) {
1989 if (!strcmp(set->name, i->name))
1995 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
1996 const struct nft_set *set, u16 event, u16 flags)
1998 struct nfgenmsg *nfmsg;
1999 struct nlmsghdr *nlh;
2000 u32 portid = NETLINK_CB(ctx->skb).portid;
2001 u32 seq = ctx->nlh->nlmsg_seq;
2003 event |= NFNL_SUBSYS_NFTABLES << 8;
2004 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2007 goto nla_put_failure;
2009 nfmsg = nlmsg_data(nlh);
2010 nfmsg->nfgen_family = ctx->afi->family;
2011 nfmsg->version = NFNETLINK_V0;
2014 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2015 goto nla_put_failure;
2016 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2017 goto nla_put_failure;
2018 if (set->flags != 0)
2019 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2020 goto nla_put_failure;
2022 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2023 goto nla_put_failure;
2024 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2025 goto nla_put_failure;
2026 if (set->flags & NFT_SET_MAP) {
2027 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2028 goto nla_put_failure;
2029 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2030 goto nla_put_failure;
2033 return nlmsg_end(skb, nlh);
2036 nlmsg_trim(skb, nlh);
2040 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2041 const struct nft_set *set,
2044 struct sk_buff *skb;
2045 u32 portid = NETLINK_CB(ctx->skb).portid;
2049 report = nlmsg_report(ctx->nlh);
2050 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2054 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2058 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2064 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2068 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2072 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2073 struct netlink_callback *cb)
2075 const struct nft_set *set;
2076 unsigned int idx = 0, s_idx = cb->args[0];
2081 list_for_each_entry(set, &ctx->table->sets, list) {
2084 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2097 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2098 struct netlink_callback *cb)
2100 const struct nft_set *set;
2101 unsigned int idx = 0, s_idx = cb->args[0];
2102 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2107 list_for_each_entry(table, &ctx->afi->tables, list) {
2108 if (cur_table && cur_table != table)
2112 list_for_each_entry(set, &ctx->table->sets, list) {
2115 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2118 cb->args[2] = (unsigned long) table;
2130 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2132 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2133 struct nlattr *nla[NFTA_SET_MAX + 1];
2137 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2142 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2146 if (ctx.table == NULL)
2147 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2149 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2154 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2155 const struct nlmsghdr *nlh,
2156 const struct nlattr * const nla[])
2158 const struct nft_set *set;
2160 struct sk_buff *skb2;
2163 /* Verify existance before starting dump */
2164 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2168 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2169 struct netlink_dump_control c = {
2170 .dump = nf_tables_dump_sets,
2172 return netlink_dump_start(nlsk, skb, nlh, &c);
2175 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2177 return PTR_ERR(set);
2179 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2183 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2187 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2194 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2195 const struct nlmsghdr *nlh,
2196 const struct nlattr * const nla[])
2198 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2199 const struct nft_set_ops *ops;
2200 const struct nft_af_info *afi;
2201 struct net *net = sock_net(skb->sk);
2202 struct nft_table *table;
2203 struct nft_set *set;
2205 char name[IFNAMSIZ];
2208 u32 ktype, klen, dlen, dtype, flags;
2211 if (nla[NFTA_SET_TABLE] == NULL ||
2212 nla[NFTA_SET_NAME] == NULL ||
2213 nla[NFTA_SET_KEY_LEN] == NULL)
2216 ktype = NFT_DATA_VALUE;
2217 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2218 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2219 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2223 klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2224 if (klen == 0 || klen > FIELD_SIZEOF(struct nft_data, data))
2228 if (nla[NFTA_SET_FLAGS] != NULL) {
2229 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2230 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2231 NFT_SET_INTERVAL | NFT_SET_MAP))
2237 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2238 if (!(flags & NFT_SET_MAP))
2241 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2242 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2243 dtype != NFT_DATA_VERDICT)
2246 if (dtype != NFT_DATA_VERDICT) {
2247 if (nla[NFTA_SET_DATA_LEN] == NULL)
2249 dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2251 dlen > FIELD_SIZEOF(struct nft_data, data))
2254 dlen = sizeof(struct nft_data);
2255 } else if (flags & NFT_SET_MAP)
2258 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2260 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2262 return PTR_ERR(afi);
2264 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2266 return PTR_ERR(table);
2268 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2270 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2272 if (PTR_ERR(set) != -ENOENT)
2273 return PTR_ERR(set);
2278 if (nlh->nlmsg_flags & NLM_F_EXCL)
2280 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2285 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2288 ops = nft_select_set_ops(nla);
2290 return PTR_ERR(ops);
2293 if (ops->privsize != NULL)
2294 size = ops->privsize(nla);
2297 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2301 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2302 err = nf_tables_set_alloc_name(&ctx, set, name);
2306 INIT_LIST_HEAD(&set->bindings);
2314 err = ops->init(set, nla);
2318 list_add_tail(&set->list, &table->sets);
2319 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2325 module_put(ops->owner);
2329 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2331 list_del(&set->list);
2332 if (!(set->flags & NFT_SET_ANONYMOUS))
2333 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2335 set->ops->destroy(set);
2336 module_put(set->ops->owner);
2340 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2341 const struct nlmsghdr *nlh,
2342 const struct nlattr * const nla[])
2344 struct nft_set *set;
2348 if (nla[NFTA_SET_TABLE] == NULL)
2351 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2355 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2357 return PTR_ERR(set);
2358 if (!list_empty(&set->bindings))
2361 nf_tables_set_destroy(&ctx, set);
2365 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2366 const struct nft_set *set,
2367 const struct nft_set_iter *iter,
2368 const struct nft_set_elem *elem)
2370 enum nft_registers dreg;
2372 dreg = nft_type_to_reg(set->dtype);
2373 return nft_validate_data_load(ctx, dreg, &elem->data, set->dtype);
2376 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2377 struct nft_set_binding *binding)
2379 struct nft_set_binding *i;
2380 struct nft_set_iter iter;
2382 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2385 if (set->flags & NFT_SET_MAP) {
2386 /* If the set is already bound to the same chain all
2387 * jumps are already validated for that chain.
2389 list_for_each_entry(i, &set->bindings, list) {
2390 if (i->chain == binding->chain)
2397 iter.fn = nf_tables_bind_check_setelem;
2399 set->ops->walk(ctx, set, &iter);
2401 /* Destroy anonymous sets if binding fails */
2402 if (set->flags & NFT_SET_ANONYMOUS)
2403 nf_tables_set_destroy(ctx, set);
2409 binding->chain = ctx->chain;
2410 list_add_tail(&binding->list, &set->bindings);
2414 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2415 struct nft_set_binding *binding)
2417 list_del(&binding->list);
2419 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2420 nf_tables_set_destroy(ctx, set);
2427 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2428 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2429 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2430 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2433 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2434 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2435 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2436 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2439 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2440 const struct sk_buff *skb,
2441 const struct nlmsghdr *nlh,
2442 const struct nlattr * const nla[])
2444 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2445 const struct nft_af_info *afi;
2446 const struct nft_table *table;
2447 struct net *net = sock_net(skb->sk);
2449 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2451 return PTR_ERR(afi);
2453 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2455 return PTR_ERR(table);
2457 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2461 static int nf_tables_fill_setelem(struct sk_buff *skb,
2462 const struct nft_set *set,
2463 const struct nft_set_elem *elem)
2465 unsigned char *b = skb_tail_pointer(skb);
2466 struct nlattr *nest;
2468 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2470 goto nla_put_failure;
2472 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2474 goto nla_put_failure;
2476 if (set->flags & NFT_SET_MAP &&
2477 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2478 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2479 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2481 goto nla_put_failure;
2483 if (elem->flags != 0)
2484 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2485 goto nla_put_failure;
2487 nla_nest_end(skb, nest);
2495 struct nft_set_dump_args {
2496 const struct netlink_callback *cb;
2497 struct nft_set_iter iter;
2498 struct sk_buff *skb;
2501 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2502 const struct nft_set *set,
2503 const struct nft_set_iter *iter,
2504 const struct nft_set_elem *elem)
2506 struct nft_set_dump_args *args;
2508 args = container_of(iter, struct nft_set_dump_args, iter);
2509 return nf_tables_fill_setelem(args->skb, set, elem);
2512 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2514 const struct nft_set *set;
2515 struct nft_set_dump_args args;
2517 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2518 struct nfgenmsg *nfmsg;
2519 struct nlmsghdr *nlh;
2520 struct nlattr *nest;
2524 nfmsg = nlmsg_data(cb->nlh);
2525 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_ELEM_LIST_MAX,
2526 nft_set_elem_list_policy);
2530 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2534 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2536 return PTR_ERR(set);
2538 event = NFT_MSG_NEWSETELEM;
2539 event |= NFNL_SUBSYS_NFTABLES << 8;
2540 portid = NETLINK_CB(cb->skb).portid;
2541 seq = cb->nlh->nlmsg_seq;
2543 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2546 goto nla_put_failure;
2548 nfmsg = nlmsg_data(nlh);
2549 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2550 nfmsg->version = NFNETLINK_V0;
2553 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2554 goto nla_put_failure;
2555 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2556 goto nla_put_failure;
2558 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2560 goto nla_put_failure;
2564 args.iter.skip = cb->args[0];
2565 args.iter.count = 0;
2567 args.iter.fn = nf_tables_dump_setelem;
2568 set->ops->walk(&ctx, set, &args.iter);
2570 nla_nest_end(skb, nest);
2571 nlmsg_end(skb, nlh);
2573 if (args.iter.err && args.iter.err != -EMSGSIZE)
2574 return args.iter.err;
2575 if (args.iter.count == cb->args[0])
2578 cb->args[0] = args.iter.count;
2585 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2586 const struct nlmsghdr *nlh,
2587 const struct nlattr * const nla[])
2589 const struct nft_set *set;
2593 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2597 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2599 return PTR_ERR(set);
2601 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2602 struct netlink_dump_control c = {
2603 .dump = nf_tables_dump_set,
2605 return netlink_dump_start(nlsk, skb, nlh, &c);
2610 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2611 const struct nlattr *attr)
2613 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2614 struct nft_data_desc d1, d2;
2615 struct nft_set_elem elem;
2616 struct nft_set_binding *binding;
2617 enum nft_registers dreg;
2620 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2621 nft_set_elem_policy);
2625 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2629 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2630 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2631 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2635 if (set->flags & NFT_SET_MAP) {
2636 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2637 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2640 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2644 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2648 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2652 if (set->ops->get(set, &elem) == 0)
2655 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2656 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2661 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2664 dreg = nft_type_to_reg(set->dtype);
2665 list_for_each_entry(binding, &set->bindings, list) {
2666 struct nft_ctx bind_ctx = {
2668 .table = ctx->table,
2669 .chain = binding->chain,
2672 err = nft_validate_data_load(&bind_ctx, dreg,
2673 &elem.data, d2.type);
2679 err = set->ops->insert(set, &elem);
2686 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2687 nft_data_uninit(&elem.data, d2.type);
2689 nft_data_uninit(&elem.key, d1.type);
2694 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2695 const struct nlmsghdr *nlh,
2696 const struct nlattr * const nla[])
2698 const struct nlattr *attr;
2699 struct nft_set *set;
2703 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2707 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2709 return PTR_ERR(set);
2710 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2713 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2714 err = nft_add_set_elem(&ctx, set, attr);
2721 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2722 const struct nlattr *attr)
2724 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2725 struct nft_data_desc desc;
2726 struct nft_set_elem elem;
2729 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2730 nft_set_elem_policy);
2735 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2738 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2743 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2746 err = set->ops->get(set, &elem);
2750 set->ops->remove(set, &elem);
2752 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2753 if (set->flags & NFT_SET_MAP)
2754 nft_data_uninit(&elem.data, set->dtype);
2757 nft_data_uninit(&elem.key, desc.type);
2762 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2763 const struct nlmsghdr *nlh,
2764 const struct nlattr * const nla[])
2766 const struct nlattr *attr;
2767 struct nft_set *set;
2771 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2775 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2777 return PTR_ERR(set);
2778 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2781 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2782 err = nft_del_setelem(&ctx, set, attr);
2789 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
2790 [NFT_MSG_NEWTABLE] = {
2791 .call = nf_tables_newtable,
2792 .attr_count = NFTA_TABLE_MAX,
2793 .policy = nft_table_policy,
2795 [NFT_MSG_GETTABLE] = {
2796 .call = nf_tables_gettable,
2797 .attr_count = NFTA_TABLE_MAX,
2798 .policy = nft_table_policy,
2800 [NFT_MSG_DELTABLE] = {
2801 .call = nf_tables_deltable,
2802 .attr_count = NFTA_TABLE_MAX,
2803 .policy = nft_table_policy,
2805 [NFT_MSG_NEWCHAIN] = {
2806 .call = nf_tables_newchain,
2807 .attr_count = NFTA_CHAIN_MAX,
2808 .policy = nft_chain_policy,
2810 [NFT_MSG_GETCHAIN] = {
2811 .call = nf_tables_getchain,
2812 .attr_count = NFTA_CHAIN_MAX,
2813 .policy = nft_chain_policy,
2815 [NFT_MSG_DELCHAIN] = {
2816 .call = nf_tables_delchain,
2817 .attr_count = NFTA_CHAIN_MAX,
2818 .policy = nft_chain_policy,
2820 [NFT_MSG_NEWRULE] = {
2821 .call_batch = nf_tables_newrule,
2822 .attr_count = NFTA_RULE_MAX,
2823 .policy = nft_rule_policy,
2825 [NFT_MSG_GETRULE] = {
2826 .call = nf_tables_getrule,
2827 .attr_count = NFTA_RULE_MAX,
2828 .policy = nft_rule_policy,
2830 [NFT_MSG_DELRULE] = {
2831 .call_batch = nf_tables_delrule,
2832 .attr_count = NFTA_RULE_MAX,
2833 .policy = nft_rule_policy,
2835 [NFT_MSG_NEWSET] = {
2836 .call = nf_tables_newset,
2837 .attr_count = NFTA_SET_MAX,
2838 .policy = nft_set_policy,
2840 [NFT_MSG_GETSET] = {
2841 .call = nf_tables_getset,
2842 .attr_count = NFTA_SET_MAX,
2843 .policy = nft_set_policy,
2845 [NFT_MSG_DELSET] = {
2846 .call = nf_tables_delset,
2847 .attr_count = NFTA_SET_MAX,
2848 .policy = nft_set_policy,
2850 [NFT_MSG_NEWSETELEM] = {
2851 .call = nf_tables_newsetelem,
2852 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2853 .policy = nft_set_elem_list_policy,
2855 [NFT_MSG_GETSETELEM] = {
2856 .call = nf_tables_getsetelem,
2857 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2858 .policy = nft_set_elem_list_policy,
2860 [NFT_MSG_DELSETELEM] = {
2861 .call = nf_tables_delsetelem,
2862 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2863 .policy = nft_set_elem_list_policy,
2867 static const struct nfnetlink_subsystem nf_tables_subsys = {
2868 .name = "nf_tables",
2869 .subsys_id = NFNL_SUBSYS_NFTABLES,
2870 .cb_count = NFT_MSG_MAX,
2872 .commit = nf_tables_commit,
2873 .abort = nf_tables_abort,
2877 * Loop detection - walk through the ruleset beginning at the destination chain
2878 * of a new jump until either the source chain is reached (loop) or all
2879 * reachable chains have been traversed.
2881 * The loop check is performed whenever a new jump verdict is added to an
2882 * expression or verdict map or a verdict map is bound to a new chain.
2885 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2886 const struct nft_chain *chain);
2888 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
2889 const struct nft_set *set,
2890 const struct nft_set_iter *iter,
2891 const struct nft_set_elem *elem)
2893 switch (elem->data.verdict) {
2896 return nf_tables_check_loops(ctx, elem->data.chain);
2902 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2903 const struct nft_chain *chain)
2905 const struct nft_rule *rule;
2906 const struct nft_expr *expr, *last;
2907 const struct nft_set *set;
2908 struct nft_set_binding *binding;
2909 struct nft_set_iter iter;
2911 if (ctx->chain == chain)
2914 list_for_each_entry(rule, &chain->rules, list) {
2915 nft_rule_for_each_expr(expr, last, rule) {
2916 const struct nft_data *data = NULL;
2919 if (!expr->ops->validate)
2922 err = expr->ops->validate(ctx, expr, &data);
2929 switch (data->verdict) {
2932 err = nf_tables_check_loops(ctx, data->chain);
2941 list_for_each_entry(set, &ctx->table->sets, list) {
2942 if (!(set->flags & NFT_SET_MAP) ||
2943 set->dtype != NFT_DATA_VERDICT)
2946 list_for_each_entry(binding, &set->bindings, list) {
2947 if (binding->chain != chain)
2953 iter.fn = nf_tables_loop_check_setelem;
2955 set->ops->walk(ctx, set, &iter);
2965 * nft_validate_input_register - validate an expressions' input register
2967 * @reg: the register number
2969 * Validate that the input register is one of the general purpose
2972 int nft_validate_input_register(enum nft_registers reg)
2974 if (reg <= NFT_REG_VERDICT)
2976 if (reg > NFT_REG_MAX)
2980 EXPORT_SYMBOL_GPL(nft_validate_input_register);
2983 * nft_validate_output_register - validate an expressions' output register
2985 * @reg: the register number
2987 * Validate that the output register is one of the general purpose
2988 * registers or the verdict register.
2990 int nft_validate_output_register(enum nft_registers reg)
2992 if (reg < NFT_REG_VERDICT)
2994 if (reg > NFT_REG_MAX)
2998 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3001 * nft_validate_data_load - validate an expressions' data load
3003 * @ctx: context of the expression performing the load
3004 * @reg: the destination register number
3005 * @data: the data to load
3006 * @type: the data type
3008 * Validate that a data load uses the appropriate data type for
3009 * the destination register. A value of NULL for the data means
3010 * that its runtime gathered data, which is always of type
3013 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3014 const struct nft_data *data,
3015 enum nft_data_types type)
3020 case NFT_REG_VERDICT:
3021 if (data == NULL || type != NFT_DATA_VERDICT)
3024 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3025 err = nf_tables_check_loops(ctx, data->chain);
3029 if (ctx->chain->level + 1 > data->chain->level) {
3030 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3032 data->chain->level = ctx->chain->level + 1;
3038 if (data != NULL && type != NFT_DATA_VALUE)
3043 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3045 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3046 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3047 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3048 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3051 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3052 struct nft_data_desc *desc, const struct nlattr *nla)
3054 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3055 struct nft_chain *chain;
3058 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3062 if (!tb[NFTA_VERDICT_CODE])
3064 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3066 switch (data->verdict) {
3073 desc->len = sizeof(data->verdict);
3077 if (!tb[NFTA_VERDICT_CHAIN])
3079 chain = nf_tables_chain_lookup(ctx->table,
3080 tb[NFTA_VERDICT_CHAIN]);
3082 return PTR_ERR(chain);
3083 if (chain->flags & NFT_BASE_CHAIN)
3087 data->chain = chain;
3088 desc->len = sizeof(data);
3094 desc->type = NFT_DATA_VERDICT;
3098 static void nft_verdict_uninit(const struct nft_data *data)
3100 switch (data->verdict) {
3108 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3110 struct nlattr *nest;
3112 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3114 goto nla_put_failure;
3116 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3117 goto nla_put_failure;
3119 switch (data->verdict) {
3122 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3123 goto nla_put_failure;
3125 nla_nest_end(skb, nest);
3132 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3133 struct nft_data_desc *desc, const struct nlattr *nla)
3140 if (len > sizeof(data->data))
3143 nla_memcpy(data->data, nla, sizeof(data->data));
3144 desc->type = NFT_DATA_VALUE;
3149 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3152 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3155 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3156 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3157 .len = FIELD_SIZEOF(struct nft_data, data) },
3158 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3162 * nft_data_init - parse nf_tables data netlink attributes
3164 * @ctx: context of the expression using the data
3165 * @data: destination struct nft_data
3166 * @desc: data description
3167 * @nla: netlink attribute containing data
3169 * Parse the netlink data attributes and initialize a struct nft_data.
3170 * The type and length of data are returned in the data description.
3172 * The caller can indicate that it only wants to accept data of type
3173 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3175 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3176 struct nft_data_desc *desc, const struct nlattr *nla)
3178 struct nlattr *tb[NFTA_DATA_MAX + 1];
3181 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3185 if (tb[NFTA_DATA_VALUE])
3186 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3187 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3188 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3191 EXPORT_SYMBOL_GPL(nft_data_init);
3194 * nft_data_uninit - release a nft_data item
3196 * @data: struct nft_data to release
3197 * @type: type of data
3199 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3200 * all others need to be released by calling this function.
3202 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3205 case NFT_DATA_VALUE:
3207 case NFT_DATA_VERDICT:
3208 return nft_verdict_uninit(data);
3213 EXPORT_SYMBOL_GPL(nft_data_uninit);
3215 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3216 enum nft_data_types type, unsigned int len)
3218 struct nlattr *nest;
3221 nest = nla_nest_start(skb, attr);
3226 case NFT_DATA_VALUE:
3227 err = nft_value_dump(skb, data, len);
3229 case NFT_DATA_VERDICT:
3230 err = nft_verdict_dump(skb, data);
3237 nla_nest_end(skb, nest);
3240 EXPORT_SYMBOL_GPL(nft_data_dump);
3242 static int nf_tables_init_net(struct net *net)
3244 INIT_LIST_HEAD(&net->nft.af_info);
3245 INIT_LIST_HEAD(&net->nft.commit_list);
3249 static struct pernet_operations nf_tables_net_ops = {
3250 .init = nf_tables_init_net,
3253 static int __init nf_tables_module_init(void)
3257 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3264 err = nf_tables_core_module_init();
3268 err = nfnetlink_subsys_register(&nf_tables_subsys);
3272 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3273 return register_pernet_subsys(&nf_tables_net_ops);
3275 nf_tables_core_module_exit();
3282 static void __exit nf_tables_module_exit(void)
3284 unregister_pernet_subsys(&nf_tables_net_ops);
3285 nfnetlink_subsys_unregister(&nf_tables_subsys);
3286 nf_tables_core_module_exit();
3290 module_init(nf_tables_module_init);
3291 module_exit(nf_tables_module_exit);
3293 MODULE_LICENSE("GPL");
3294 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3295 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / linux-drm-fsl-dcu.git / blob