2 * Copyright (c) 2015 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
10 #include <linux/kernel.h>
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/netlink.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter/nf_tables.h>
16 #include <net/netfilter/nf_tables.h>
17 #include <net/netfilter/nf_tables_core.h>
21 struct nft_set_ext_tmpl tmpl;
22 enum nft_dynset_ops op:8;
23 enum nft_registers sreg_key:8;
24 enum nft_registers sreg_data:8;
26 struct nft_expr *expr;
27 struct nft_set_binding binding;
30 static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
31 struct nft_regs *regs)
33 const struct nft_dynset *priv = nft_expr_priv(expr);
34 struct nft_set_ext *ext;
38 if (set->size && !atomic_add_unless(&set->nelems, 1, set->size))
41 timeout = priv->timeout ? : set->timeout;
42 elem = nft_set_elem_init(set, &priv->tmpl,
43 ®s->data[priv->sreg_key],
44 ®s->data[priv->sreg_data],
48 atomic_dec(&set->nelems);
52 ext = nft_set_elem_ext(set, elem);
53 if (priv->expr != NULL)
54 nft_expr_clone(nft_set_ext_expr(ext), priv->expr);
59 static void nft_dynset_eval(const struct nft_expr *expr,
60 struct nft_regs *regs,
61 const struct nft_pktinfo *pkt)
63 const struct nft_dynset *priv = nft_expr_priv(expr);
64 struct nft_set *set = priv->set;
65 const struct nft_set_ext *ext;
66 const struct nft_expr *sexpr;
69 if (set->ops->update(set, ®s->data[priv->sreg_key], nft_dynset_new,
72 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
73 sexpr = nft_set_ext_expr(ext);
75 if (priv->op == NFT_DYNSET_OP_UPDATE &&
76 nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
77 timeout = priv->timeout ? : set->timeout;
78 *nft_set_ext_expiration(ext) = jiffies + timeout;
79 } else if (sexpr == NULL)
83 sexpr->ops->eval(sexpr, regs, pkt);
87 regs->verdict.code = NFT_BREAK;
90 static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
91 [NFTA_DYNSET_SET_NAME] = { .type = NLA_STRING },
92 [NFTA_DYNSET_SET_ID] = { .type = NLA_U32 },
93 [NFTA_DYNSET_OP] = { .type = NLA_U32 },
94 [NFTA_DYNSET_SREG_KEY] = { .type = NLA_U32 },
95 [NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
96 [NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },
97 [NFTA_DYNSET_EXPR] = { .type = NLA_NESTED },
100 static int nft_dynset_init(const struct nft_ctx *ctx,
101 const struct nft_expr *expr,
102 const struct nlattr * const tb[])
104 struct nft_dynset *priv = nft_expr_priv(expr);
109 if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
110 tb[NFTA_DYNSET_OP] == NULL ||
111 tb[NFTA_DYNSET_SREG_KEY] == NULL)
114 set = nf_tables_set_lookup(ctx->table, tb[NFTA_DYNSET_SET_NAME]);
116 if (tb[NFTA_DYNSET_SET_ID])
117 set = nf_tables_set_lookup_byid(ctx->net,
118 tb[NFTA_DYNSET_SET_ID]);
123 if (set->flags & NFT_SET_CONSTANT)
126 priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
128 case NFT_DYNSET_OP_ADD:
130 case NFT_DYNSET_OP_UPDATE:
131 if (!(set->flags & NFT_SET_TIMEOUT))
139 if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
140 if (!(set->flags & NFT_SET_TIMEOUT))
142 timeout = be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT]));
145 priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
146 err = nft_validate_register_load(priv->sreg_key, set->klen);;
150 if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
151 if (!(set->flags & NFT_SET_MAP))
153 if (set->dtype == NFT_DATA_VERDICT)
156 priv->sreg_data = nft_parse_register(tb[NFTA_DYNSET_SREG_DATA]);
157 err = nft_validate_register_load(priv->sreg_data, set->dlen);
160 } else if (set->flags & NFT_SET_MAP)
163 if (tb[NFTA_DYNSET_EXPR] != NULL) {
164 if (!(set->flags & NFT_SET_EVAL))
166 if (!(set->flags & NFT_SET_ANONYMOUS))
169 priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);
170 if (IS_ERR(priv->expr))
171 return PTR_ERR(priv->expr);
174 if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL))
176 } else if (set->flags & NFT_SET_EVAL)
179 nft_set_ext_prepare(&priv->tmpl);
180 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
181 if (set->flags & NFT_SET_MAP)
182 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_DATA, set->dlen);
183 if (priv->expr != NULL)
184 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_EXPR,
185 priv->expr->ops->size);
186 if (set->flags & NFT_SET_TIMEOUT) {
187 if (timeout || set->timeout)
188 nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
191 priv->timeout = timeout;
193 err = nf_tables_bind_set(ctx, set, &priv->binding);
201 if (priv->expr != NULL)
202 nft_expr_destroy(ctx, priv->expr);
206 static void nft_dynset_destroy(const struct nft_ctx *ctx,
207 const struct nft_expr *expr)
209 struct nft_dynset *priv = nft_expr_priv(expr);
211 nf_tables_unbind_set(ctx, priv->set, &priv->binding);
212 if (priv->expr != NULL)
213 nft_expr_destroy(ctx, priv->expr);
216 static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
218 const struct nft_dynset *priv = nft_expr_priv(expr);
220 if (nft_dump_register(skb, NFTA_DYNSET_SREG_KEY, priv->sreg_key))
221 goto nla_put_failure;
222 if (priv->set->flags & NFT_SET_MAP &&
223 nft_dump_register(skb, NFTA_DYNSET_SREG_DATA, priv->sreg_data))
224 goto nla_put_failure;
225 if (nla_put_be32(skb, NFTA_DYNSET_OP, htonl(priv->op)))
226 goto nla_put_failure;
227 if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
228 goto nla_put_failure;
229 if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT, cpu_to_be64(priv->timeout)))
230 goto nla_put_failure;
231 if (priv->expr && nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr))
232 goto nla_put_failure;
239 static struct nft_expr_type nft_dynset_type;
240 static const struct nft_expr_ops nft_dynset_ops = {
241 .type = &nft_dynset_type,
242 .size = NFT_EXPR_SIZE(sizeof(struct nft_dynset)),
243 .eval = nft_dynset_eval,
244 .init = nft_dynset_init,
245 .destroy = nft_dynset_destroy,
246 .dump = nft_dynset_dump,
249 static struct nft_expr_type nft_dynset_type __read_mostly = {
251 .ops = &nft_dynset_ops,
252 .policy = nft_dynset_policy,
253 .maxattr = NFTA_DYNSET_MAX,
254 .owner = THIS_MODULE,
257 int __init nft_dynset_module_init(void)
259 return nft_register_expr(&nft_dynset_type);
262 void nft_dynset_module_exit(void)
264 nft_unregister_expr(&nft_dynset_type);
Code Review / kvmfornfv.git / blob