1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/netfilter.h>
17#include <linux/netfilter/nfnetlink.h>
18#include <linux/netfilter/nf_tables.h>
19#include <net/netfilter/nf_tables_core.h>
20#include <net/netfilter/nf_tables.h>
21#include <net/net_namespace.h>
22#include <net/sock.h>
23
24static LIST_HEAD(nf_tables_expressions);
25
26
27
28
29
30
31
32
33
34int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
35{
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
40 return 0;
41}
42EXPORT_SYMBOL_GPL(nft_register_afinfo);
43
44static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
45
46
47
48
49
50
51
52
53void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
54{
55 nfnl_lock(NFNL_SUBSYS_NFTABLES);
56 __nft_release_afinfo(net, afi);
57 list_del_rcu(&afi->list);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
59}
60EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
61
62static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
63{
64 struct nft_af_info *afi;
65
66 list_for_each_entry(afi, &net->nft.af_info, list) {
67 if (afi->family == family)
68 return afi;
69 }
70 return NULL;
71}
72
73static struct nft_af_info *
74nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
75{
76 struct nft_af_info *afi;
77
78 afi = nft_afinfo_lookup(net, family);
79 if (afi != NULL)
80 return afi;
81#ifdef CONFIG_MODULES
82 if (autoload) {
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
84 request_module("nft-afinfo-%u", family);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES);
86 afi = nft_afinfo_lookup(net, family);
87 if (afi != NULL)
88 return ERR_PTR(-EAGAIN);
89 }
90#endif
91 return ERR_PTR(-EAFNOSUPPORT);
92}
93
94static void nft_ctx_init(struct nft_ctx *ctx,
95 struct net *net,
96 const struct sk_buff *skb,
97 const struct nlmsghdr *nlh,
98 struct nft_af_info *afi,
99 struct nft_table *table,
100 struct nft_chain *chain,
101 const struct nlattr * const *nla)
102{
103 ctx->net = net;
104 ctx->afi = afi;
105 ctx->table = table;
106 ctx->chain = chain;
107 ctx->nla = nla;
108 ctx->portid = NETLINK_CB(skb).portid;
109 ctx->report = nlmsg_report(nlh);
110 ctx->seq = nlh->nlmsg_seq;
111}
112
113static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
114 int msg_type, u32 size, gfp_t gfp)
115{
116 struct nft_trans *trans;
117
118 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
119 if (trans == NULL)
120 return NULL;
121
122 trans->msg_type = msg_type;
123 trans->ctx = *ctx;
124
125 return trans;
126}
127
128static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
129 int msg_type, u32 size)
130{
131 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
132}
133
134static void nft_trans_destroy(struct nft_trans *trans)
135{
136 list_del(&trans->list);
137 kfree(trans);
138}
139
140static int nft_register_basechain(struct nft_base_chain *basechain,
141 unsigned int hook_nops)
142{
143 return nf_register_hooks(basechain->ops, hook_nops);
144}
145
146static void nft_unregister_basechain(struct nft_base_chain *basechain,
147 unsigned int hook_nops)
148{
149 nf_unregister_hooks(basechain->ops, hook_nops);
150}
151
152static int nf_tables_register_hooks(const struct nft_table *table,
153 struct nft_chain *chain,
154 unsigned int hook_nops)
155{
156 if (table->flags & NFT_TABLE_F_DORMANT ||
157 !(chain->flags & NFT_BASE_CHAIN))
158 return 0;
159
160 return nft_register_basechain(nft_base_chain(chain), hook_nops);
161}
162
163static void nf_tables_unregister_hooks(const struct nft_table *table,
164 struct nft_chain *chain,
165 unsigned int hook_nops)
166{
167 if (table->flags & NFT_TABLE_F_DORMANT ||
168 !(chain->flags & NFT_BASE_CHAIN))
169 return;
170
171 nft_unregister_basechain(nft_base_chain(chain), hook_nops);
172}
173
174
175#define NFT_TABLE_INACTIVE (1 << 15)
176
177static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
178{
179 struct nft_trans *trans;
180
181 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
182 if (trans == NULL)
183 return -ENOMEM;
184
185 if (msg_type == NFT_MSG_NEWTABLE)
186 ctx->table->flags |= NFT_TABLE_INACTIVE;
187
188 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
189 return 0;
190}
191
192static int nft_deltable(struct nft_ctx *ctx)
193{
194 int err;
195
196 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
197 if (err < 0)
198 return err;
199
200 list_del_rcu(&ctx->table->list);
201 return err;
202}
203
204static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
205{
206 struct nft_trans *trans;
207
208 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
209 if (trans == NULL)
210 return -ENOMEM;
211
212 if (msg_type == NFT_MSG_NEWCHAIN)
213 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
214
215 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
216 return 0;
217}
218
219static int nft_delchain(struct nft_ctx *ctx)
220{
221 int err;
222
223 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
224 if (err < 0)
225 return err;
226
227 ctx->table->use--;
228 list_del_rcu(&ctx->chain->list);
229
230 return err;
231}
232
233static inline bool
234nft_rule_is_active(struct net *net, const struct nft_rule *rule)
235{
236 return (rule->genmask & nft_genmask_cur(net)) == 0;
237}
238
239static inline int
240nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
241{
242 return (rule->genmask & nft_genmask_next(net)) == 0;
243}
244
245static inline void
246nft_rule_activate_next(struct net *net, struct nft_rule *rule)
247{
248
249 rule->genmask = nft_genmask_cur(net);
250}
251
252static inline void
253nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
254{
255 rule->genmask = nft_genmask_next(net);
256}
257
258static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
259{
260 rule->genmask &= ~nft_genmask_next(net);
261}
262
263static int
264nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
265{
266
267 if (nft_rule_is_active_next(ctx->net, rule)) {
268 nft_rule_deactivate_next(ctx->net, rule);
269 ctx->chain->use--;
270 return 0;
271 }
272 return -ENOENT;
273}
274
275static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
276 struct nft_rule *rule)
277{
278 struct nft_trans *trans;
279
280 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
281 if (trans == NULL)
282 return NULL;
283
284 nft_trans_rule(trans) = rule;
285 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
286
287 return trans;
288}
289
290static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
291{
292 struct nft_trans *trans;
293 int err;
294
295 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
296 if (trans == NULL)
297 return -ENOMEM;
298
299 err = nf_tables_delrule_deactivate(ctx, rule);
300 if (err < 0) {
301 nft_trans_destroy(trans);
302 return err;
303 }
304
305 return 0;
306}
307
308static int nft_delrule_by_chain(struct nft_ctx *ctx)
309{
310 struct nft_rule *rule;
311 int err;
312
313 list_for_each_entry(rule, &ctx->chain->rules, list) {
314 if (!nft_rule_is_active_next(ctx->net, rule))
315 continue;
316
317 err = nft_delrule(ctx, rule);
318 if (err < 0)
319 return err;
320 }
321 return 0;
322}
323
324
325#define NFT_SET_INACTIVE (1 << 15)
326
327static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
328 struct nft_set *set)
329{
330 struct nft_trans *trans;
331
332 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
333 if (trans == NULL)
334 return -ENOMEM;
335
336 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
337 nft_trans_set_id(trans) =
338 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
339 set->flags |= NFT_SET_INACTIVE;
340 }
341 nft_trans_set(trans) = set;
342 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
343
344 return 0;
345}
346
347static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
348{
349 int err;
350
351 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
352 if (err < 0)
353 return err;
354
355 list_del_rcu(&set->list);
356 ctx->table->use--;
357
358 return err;
359}
360
361
362
363
364
365static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
366 const struct nlattr *nla)
367{
368 struct nft_table *table;
369
370 list_for_each_entry(table, &afi->tables, list) {
371 if (!nla_strcmp(nla, table->name))
372 return table;
373 }
374 return NULL;
375}
376
377static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
378 const struct nlattr *nla)
379{
380 struct nft_table *table;
381
382 if (nla == NULL)
383 return ERR_PTR(-EINVAL);
384
385 table = nft_table_lookup(afi, nla);
386 if (table != NULL)
387 return table;
388
389 return ERR_PTR(-ENOENT);
390}
391
392static inline u64 nf_tables_alloc_handle(struct nft_table *table)
393{
394 return ++table->hgenerator;
395}
396
397static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
398
399static const struct nf_chain_type *
400__nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
401{
402 int i;
403
404 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
405 if (chain_type[family][i] != NULL &&
406 !nla_strcmp(nla, chain_type[family][i]->name))
407 return chain_type[family][i];
408 }
409 return NULL;
410}
411
412static const struct nf_chain_type *
413nf_tables_chain_type_lookup(const struct nft_af_info *afi,
414 const struct nlattr *nla,
415 bool autoload)
416{
417 const struct nf_chain_type *type;
418
419 type = __nf_tables_chain_type_lookup(afi->family, nla);
420 if (type != NULL)
421 return type;
422#ifdef CONFIG_MODULES
423 if (autoload) {
424 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
425 request_module("nft-chain-%u-%.*s", afi->family,
426 nla_len(nla), (const char *)nla_data(nla));
427 nfnl_lock(NFNL_SUBSYS_NFTABLES);
428 type = __nf_tables_chain_type_lookup(afi->family, nla);
429 if (type != NULL)
430 return ERR_PTR(-EAGAIN);
431 }
432#endif
433 return ERR_PTR(-ENOENT);
434}
435
436static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
437 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
438 .len = NFT_TABLE_MAXNAMELEN - 1 },
439 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
440};
441
442static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
443 u32 portid, u32 seq, int event, u32 flags,
444 int family, const struct nft_table *table)
445{
446 struct nlmsghdr *nlh;
447 struct nfgenmsg *nfmsg;
448
449 event |= NFNL_SUBSYS_NFTABLES << 8;
450 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
451 if (nlh == NULL)
452 goto nla_put_failure;
453
454 nfmsg = nlmsg_data(nlh);
455 nfmsg->nfgen_family = family;
456 nfmsg->version = NFNETLINK_V0;
457 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
458
459 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
460 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
461 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
462 goto nla_put_failure;
463
464 nlmsg_end(skb, nlh);
465 return 0;
466
467nla_put_failure:
468 nlmsg_trim(skb, nlh);
469 return -1;
470}
471
472static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
473{
474 struct sk_buff *skb;
475 int err;
476
477 if (!ctx->report &&
478 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
479 return 0;
480
481 err = -ENOBUFS;
482 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
483 if (skb == NULL)
484 goto err;
485
486 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
487 event, 0, ctx->afi->family, ctx->table);
488 if (err < 0) {
489 kfree_skb(skb);
490 goto err;
491 }
492
493 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
494 ctx->report, GFP_KERNEL);
495err:
496 if (err < 0) {
497 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
498 err);
499 }
500 return err;
501}
502
503static int nf_tables_dump_tables(struct sk_buff *skb,
504 struct netlink_callback *cb)
505{
506 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
507 const struct nft_af_info *afi;
508 const struct nft_table *table;
509 unsigned int idx = 0, s_idx = cb->args[0];
510 struct net *net = sock_net(skb->sk);
511 int family = nfmsg->nfgen_family;
512
513 rcu_read_lock();
514 cb->seq = net->nft.base_seq;
515
516 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
517 if (family != NFPROTO_UNSPEC && family != afi->family)
518 continue;
519
520 list_for_each_entry_rcu(table, &afi->tables, list) {
521 if (idx < s_idx)
522 goto cont;
523 if (idx > s_idx)
524 memset(&cb->args[1], 0,
525 sizeof(cb->args) - sizeof(cb->args[0]));
526 if (nf_tables_fill_table_info(skb, net,
527 NETLINK_CB(cb->skb).portid,
528 cb->nlh->nlmsg_seq,
529 NFT_MSG_NEWTABLE,
530 NLM_F_MULTI,
531 afi->family, table) < 0)
532 goto done;
533
534 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
535cont:
536 idx++;
537 }
538 }
539done:
540 rcu_read_unlock();
541 cb->args[0] = idx;
542 return skb->len;
543}
544
545static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
546 const struct nlmsghdr *nlh,
547 const struct nlattr * const nla[])
548{
549 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
550 const struct nft_af_info *afi;
551 const struct nft_table *table;
552 struct sk_buff *skb2;
553 struct net *net = sock_net(skb->sk);
554 int family = nfmsg->nfgen_family;
555 int err;
556
557 if (nlh->nlmsg_flags & NLM_F_DUMP) {
558 struct netlink_dump_control c = {
559 .dump = nf_tables_dump_tables,
560 };
561 return netlink_dump_start(nlsk, skb, nlh, &c);
562 }
563
564 afi = nf_tables_afinfo_lookup(net, family, false);
565 if (IS_ERR(afi))
566 return PTR_ERR(afi);
567
568 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
569 if (IS_ERR(table))
570 return PTR_ERR(table);
571 if (table->flags & NFT_TABLE_INACTIVE)
572 return -ENOENT;
573
574 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
575 if (!skb2)
576 return -ENOMEM;
577
578 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
579 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
580 family, table);
581 if (err < 0)
582 goto err;
583
584 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
585
586err:
587 kfree_skb(skb2);
588 return err;
589}
590
591static int nf_tables_table_enable(const struct nft_af_info *afi,
592 struct nft_table *table)
593{
594 struct nft_chain *chain;
595 int err, i = 0;
596
597 list_for_each_entry(chain, &table->chains, list) {
598 if (!(chain->flags & NFT_BASE_CHAIN))
599 continue;
600
601 err = nft_register_basechain(nft_base_chain(chain), afi->nops);
602 if (err < 0)
603 goto err;
604
605 i++;
606 }
607 return 0;
608err:
609 list_for_each_entry(chain, &table->chains, list) {
610 if (!(chain->flags & NFT_BASE_CHAIN))
611 continue;
612
613 if (i-- <= 0)
614 break;
615
616 nft_unregister_basechain(nft_base_chain(chain), afi->nops);
617 }
618 return err;
619}
620
621static void nf_tables_table_disable(const struct nft_af_info *afi,
622 struct nft_table *table)
623{
624 struct nft_chain *chain;
625
626 list_for_each_entry(chain, &table->chains, list) {
627 if (chain->flags & NFT_BASE_CHAIN)
628 nft_unregister_basechain(nft_base_chain(chain),
629 afi->nops);
630 }
631}
632
633static int nf_tables_updtable(struct nft_ctx *ctx)
634{
635 struct nft_trans *trans;
636 u32 flags;
637 int ret = 0;
638
639 if (!ctx->nla[NFTA_TABLE_FLAGS])
640 return 0;
641
642 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
643 if (flags & ~NFT_TABLE_F_DORMANT)
644 return -EINVAL;
645
646 if (flags == ctx->table->flags)
647 return 0;
648
649 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
650 sizeof(struct nft_trans_table));
651 if (trans == NULL)
652 return -ENOMEM;
653
654 if ((flags & NFT_TABLE_F_DORMANT) &&
655 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
656 nft_trans_table_enable(trans) = false;
657 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
658 ctx->table->flags & NFT_TABLE_F_DORMANT) {
659 ret = nf_tables_table_enable(ctx->afi, ctx->table);
660 if (ret >= 0) {
661 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
662 nft_trans_table_enable(trans) = true;
663 }
664 }
665 if (ret < 0)
666 goto err;
667
668 nft_trans_table_update(trans) = true;
669 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
670 return 0;
671err:
672 nft_trans_destroy(trans);
673 return ret;
674}
675
676static int nf_tables_newtable(struct net *net, struct sock *nlsk,
677 struct sk_buff *skb, const struct nlmsghdr *nlh,
678 const struct nlattr * const nla[])
679{
680 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
681 const struct nlattr *name;
682 struct nft_af_info *afi;
683 struct nft_table *table;
684 int family = nfmsg->nfgen_family;
685 u32 flags = 0;
686 struct nft_ctx ctx;
687 int err;
688
689 afi = nf_tables_afinfo_lookup(net, family, true);
690 if (IS_ERR(afi))
691 return PTR_ERR(afi);
692
693 name = nla[NFTA_TABLE_NAME];
694 table = nf_tables_table_lookup(afi, name);
695 if (IS_ERR(table)) {
696 if (PTR_ERR(table) != -ENOENT)
697 return PTR_ERR(table);
698 table = NULL;
699 }
700
701 if (table != NULL) {
702 if (table->flags & NFT_TABLE_INACTIVE)
703 return -ENOENT;
704 if (nlh->nlmsg_flags & NLM_F_EXCL)
705 return -EEXIST;
706 if (nlh->nlmsg_flags & NLM_F_REPLACE)
707 return -EOPNOTSUPP;
708
709 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
710 return nf_tables_updtable(&ctx);
711 }
712
713 if (nla[NFTA_TABLE_FLAGS]) {
714 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
715 if (flags & ~NFT_TABLE_F_DORMANT)
716 return -EINVAL;
717 }
718
719 if (!try_module_get(afi->owner))
720 return -EAFNOSUPPORT;
721
722 err = -ENOMEM;
723 table = kzalloc(sizeof(*table), GFP_KERNEL);
724 if (table == NULL)
725 goto err1;
726
727 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
728 INIT_LIST_HEAD(&table->chains);
729 INIT_LIST_HEAD(&table->sets);
730 table->flags = flags;
731
732 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
733 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
734 if (err < 0)
735 goto err2;
736
737 list_add_tail_rcu(&table->list, &afi->tables);
738 return 0;
739err2:
740 kfree(table);
741err1:
742 module_put(afi->owner);
743 return err;
744}
745
746static int nft_flush_table(struct nft_ctx *ctx)
747{
748 int err;
749 struct nft_chain *chain, *nc;
750 struct nft_set *set, *ns;
751
752 list_for_each_entry(chain, &ctx->table->chains, list) {
753 ctx->chain = chain;
754
755 err = nft_delrule_by_chain(ctx);
756 if (err < 0)
757 goto out;
758 }
759
760 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
761 if (set->flags & NFT_SET_ANONYMOUS &&
762 !list_empty(&set->bindings))
763 continue;
764
765 err = nft_delset(ctx, set);
766 if (err < 0)
767 goto out;
768 }
769
770 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
771 ctx->chain = chain;
772
773 err = nft_delchain(ctx);
774 if (err < 0)
775 goto out;
776 }
777
778 err = nft_deltable(ctx);
779out:
780 return err;
781}
782
783static int nft_flush(struct nft_ctx *ctx, int family)
784{
785 struct nft_af_info *afi;
786 struct nft_table *table, *nt;
787 const struct nlattr * const *nla = ctx->nla;
788 int err = 0;
789
790 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
791 if (family != AF_UNSPEC && afi->family != family)
792 continue;
793
794 ctx->afi = afi;
795 list_for_each_entry_safe(table, nt, &afi->tables, list) {
796 if (nla[NFTA_TABLE_NAME] &&
797 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
798 continue;
799
800 ctx->table = table;
801
802 err = nft_flush_table(ctx);
803 if (err < 0)
804 goto out;
805 }
806 }
807out:
808 return err;
809}
810
811static int nf_tables_deltable(struct net *net, struct sock *nlsk,
812 struct sk_buff *skb, const struct nlmsghdr *nlh,
813 const struct nlattr * const nla[])
814{
815 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
816 struct nft_af_info *afi;
817 struct nft_table *table;
818 int family = nfmsg->nfgen_family;
819 struct nft_ctx ctx;
820
821 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
822 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
823 return nft_flush(&ctx, family);
824
825 afi = nf_tables_afinfo_lookup(net, family, false);
826 if (IS_ERR(afi))
827 return PTR_ERR(afi);
828
829 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
830 if (IS_ERR(table))
831 return PTR_ERR(table);
832
833 ctx.afi = afi;
834 ctx.table = table;
835
836 return nft_flush_table(&ctx);
837}
838
839static void nf_tables_table_destroy(struct nft_ctx *ctx)
840{
841 BUG_ON(ctx->table->use > 0);
842
843 kfree(ctx->table);
844 module_put(ctx->afi->owner);
845}
846
847int nft_register_chain_type(const struct nf_chain_type *ctype)
848{
849 int err = 0;
850
851 nfnl_lock(NFNL_SUBSYS_NFTABLES);
852 if (chain_type[ctype->family][ctype->type] != NULL) {
853 err = -EBUSY;
854 goto out;
855 }
856 chain_type[ctype->family][ctype->type] = ctype;
857out:
858 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
859 return err;
860}
861EXPORT_SYMBOL_GPL(nft_register_chain_type);
862
863void nft_unregister_chain_type(const struct nf_chain_type *ctype)
864{
865 nfnl_lock(NFNL_SUBSYS_NFTABLES);
866 chain_type[ctype->family][ctype->type] = NULL;
867 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
868}
869EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
870
871
872
873
874
875static struct nft_chain *
876nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
877{
878 struct nft_chain *chain;
879
880 list_for_each_entry(chain, &table->chains, list) {
881 if (chain->handle == handle)
882 return chain;
883 }
884
885 return ERR_PTR(-ENOENT);
886}
887
888static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
889 const struct nlattr *nla)
890{
891 struct nft_chain *chain;
892
893 if (nla == NULL)
894 return ERR_PTR(-EINVAL);
895
896 list_for_each_entry(chain, &table->chains, list) {
897 if (!nla_strcmp(nla, chain->name))
898 return chain;
899 }
900
901 return ERR_PTR(-ENOENT);
902}
903
904static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
905 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
906 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
907 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
908 .len = NFT_CHAIN_MAXNAMELEN - 1 },
909 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
910 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
911 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
912 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
913};
914
915static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
916 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
917 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
918};
919
920static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
921{
922 struct nft_stats *cpu_stats, total;
923 struct nlattr *nest;
924 unsigned int seq;
925 u64 pkts, bytes;
926 int cpu;
927
928 memset(&total, 0, sizeof(total));
929 for_each_possible_cpu(cpu) {
930 cpu_stats = per_cpu_ptr(stats, cpu);
931 do {
932 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
933 pkts = cpu_stats->pkts;
934 bytes = cpu_stats->bytes;
935 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
936 total.pkts += pkts;
937 total.bytes += bytes;
938 }
939 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
940 if (nest == NULL)
941 goto nla_put_failure;
942
943 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
944 NFTA_COUNTER_PAD) ||
945 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
946 NFTA_COUNTER_PAD))
947 goto nla_put_failure;
948
949 nla_nest_end(skb, nest);
950 return 0;
951
952nla_put_failure:
953 return -ENOSPC;
954}
955
956static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
957 u32 portid, u32 seq, int event, u32 flags,
958 int family, const struct nft_table *table,
959 const struct nft_chain *chain)
960{
961 struct nlmsghdr *nlh;
962 struct nfgenmsg *nfmsg;
963
964 event |= NFNL_SUBSYS_NFTABLES << 8;
965 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
966 if (nlh == NULL)
967 goto nla_put_failure;
968
969 nfmsg = nlmsg_data(nlh);
970 nfmsg->nfgen_family = family;
971 nfmsg->version = NFNETLINK_V0;
972 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
973
974 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
975 goto nla_put_failure;
976 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
977 NFTA_CHAIN_PAD))
978 goto nla_put_failure;
979 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
980 goto nla_put_failure;
981
982 if (chain->flags & NFT_BASE_CHAIN) {
983 const struct nft_base_chain *basechain = nft_base_chain(chain);
984 const struct nf_hook_ops *ops = &basechain->ops[0];
985 struct nlattr *nest;
986
987 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
988 if (nest == NULL)
989 goto nla_put_failure;
990 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
991 goto nla_put_failure;
992 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
993 goto nla_put_failure;
994 nla_nest_end(skb, nest);
995
996 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
997 htonl(basechain->policy)))
998 goto nla_put_failure;
999
1000 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1001 goto nla_put_failure;
1002
1003 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
1004 goto nla_put_failure;
1005 }
1006
1007 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1008 goto nla_put_failure;
1009
1010 nlmsg_end(skb, nlh);
1011 return 0;
1012
1013nla_put_failure:
1014 nlmsg_trim(skb, nlh);
1015 return -1;
1016}
1017
1018static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1019{
1020 struct sk_buff *skb;
1021 int err;
1022
1023 if (!ctx->report &&
1024 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1025 return 0;
1026
1027 err = -ENOBUFS;
1028 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1029 if (skb == NULL)
1030 goto err;
1031
1032 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1033 event, 0, ctx->afi->family, ctx->table,
1034 ctx->chain);
1035 if (err < 0) {
1036 kfree_skb(skb);
1037 goto err;
1038 }
1039
1040 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1041 ctx->report, GFP_KERNEL);
1042err:
1043 if (err < 0) {
1044 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1045 err);
1046 }
1047 return err;
1048}
1049
1050static int nf_tables_dump_chains(struct sk_buff *skb,
1051 struct netlink_callback *cb)
1052{
1053 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1054 const struct nft_af_info *afi;
1055 const struct nft_table *table;
1056 const struct nft_chain *chain;
1057 unsigned int idx = 0, s_idx = cb->args[0];
1058 struct net *net = sock_net(skb->sk);
1059 int family = nfmsg->nfgen_family;
1060
1061 rcu_read_lock();
1062 cb->seq = net->nft.base_seq;
1063
1064 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1065 if (family != NFPROTO_UNSPEC && family != afi->family)
1066 continue;
1067
1068 list_for_each_entry_rcu(table, &afi->tables, list) {
1069 list_for_each_entry_rcu(chain, &table->chains, list) {
1070 if (idx < s_idx)
1071 goto cont;
1072 if (idx > s_idx)
1073 memset(&cb->args[1], 0,
1074 sizeof(cb->args) - sizeof(cb->args[0]));
1075 if (nf_tables_fill_chain_info(skb, net,
1076 NETLINK_CB(cb->skb).portid,
1077 cb->nlh->nlmsg_seq,
1078 NFT_MSG_NEWCHAIN,
1079 NLM_F_MULTI,
1080 afi->family, table, chain) < 0)
1081 goto done;
1082
1083 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1084cont:
1085 idx++;
1086 }
1087 }
1088 }
1089done:
1090 rcu_read_unlock();
1091 cb->args[0] = idx;
1092 return skb->len;
1093}
1094
1095static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
1096 const struct nlmsghdr *nlh,
1097 const struct nlattr * const nla[])
1098{
1099 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1100 const struct nft_af_info *afi;
1101 const struct nft_table *table;
1102 const struct nft_chain *chain;
1103 struct sk_buff *skb2;
1104 struct net *net = sock_net(skb->sk);
1105 int family = nfmsg->nfgen_family;
1106 int err;
1107
1108 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1109 struct netlink_dump_control c = {
1110 .dump = nf_tables_dump_chains,
1111 };
1112 return netlink_dump_start(nlsk, skb, nlh, &c);
1113 }
1114
1115 afi = nf_tables_afinfo_lookup(net, family, false);
1116 if (IS_ERR(afi))
1117 return PTR_ERR(afi);
1118
1119 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1120 if (IS_ERR(table))
1121 return PTR_ERR(table);
1122 if (table->flags & NFT_TABLE_INACTIVE)
1123 return -ENOENT;
1124
1125 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1126 if (IS_ERR(chain))
1127 return PTR_ERR(chain);
1128 if (chain->flags & NFT_CHAIN_INACTIVE)
1129 return -ENOENT;
1130
1131 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1132 if (!skb2)
1133 return -ENOMEM;
1134
1135 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1136 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1137 family, table, chain);
1138 if (err < 0)
1139 goto err;
1140
1141 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1142
1143err:
1144 kfree_skb(skb2);
1145 return err;
1146}
1147
1148static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1149 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1150 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1151};
1152
1153static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1154{
1155 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1156 struct nft_stats __percpu *newstats;
1157 struct nft_stats *stats;
1158 int err;
1159
1160 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1161 if (err < 0)
1162 return ERR_PTR(err);
1163
1164 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1165 return ERR_PTR(-EINVAL);
1166
1167 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1168 if (newstats == NULL)
1169 return ERR_PTR(-ENOMEM);
1170
1171
1172
1173
1174 preempt_disable();
1175 stats = this_cpu_ptr(newstats);
1176 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1177 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1178 preempt_enable();
1179
1180 return newstats;
1181}
1182
1183static void nft_chain_stats_replace(struct nft_base_chain *chain,
1184 struct nft_stats __percpu *newstats)
1185{
1186 if (newstats == NULL)
1187 return;
1188
1189 if (chain->stats) {
1190 struct nft_stats __percpu *oldstats =
1191 nft_dereference(chain->stats);
1192
1193 rcu_assign_pointer(chain->stats, newstats);
1194 synchronize_rcu();
1195 free_percpu(oldstats);
1196 } else
1197 rcu_assign_pointer(chain->stats, newstats);
1198}
1199
1200static void nf_tables_chain_destroy(struct nft_chain *chain)
1201{
1202 BUG_ON(chain->use > 0);
1203
1204 if (chain->flags & NFT_BASE_CHAIN) {
1205 module_put(nft_base_chain(chain)->type->owner);
1206 free_percpu(nft_base_chain(chain)->stats);
1207 kfree(nft_base_chain(chain));
1208 } else {
1209 kfree(chain);
1210 }
1211}
1212
1213struct nft_chain_hook {
1214 u32 num;
1215 u32 priority;
1216 const struct nf_chain_type *type;
1217 struct net_device *dev;
1218};
1219
1220static int nft_chain_parse_hook(struct net *net,
1221 const struct nlattr * const nla[],
1222 struct nft_af_info *afi,
1223 struct nft_chain_hook *hook, bool create)
1224{
1225 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1226 const struct nf_chain_type *type;
1227 int err;
1228
1229 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1230 nft_hook_policy);
1231 if (err < 0)
1232 return err;
1233
1234 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1235 ha[NFTA_HOOK_PRIORITY] == NULL)
1236 return -EINVAL;
1237
1238 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1239 if (hook->num >= afi->nhooks)
1240 return -EINVAL;
1241
1242 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1243
1244 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1245 if (nla[NFTA_CHAIN_TYPE]) {
1246 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1247 create);
1248 if (IS_ERR(type))
1249 return PTR_ERR(type);
1250 }
1251 if (!(type->hook_mask & (1 << hook->num)))
1252 return -EOPNOTSUPP;
1253 if (!try_module_get(type->owner))
1254 return -ENOENT;
1255
1256 hook->type = type;
1257
1258 hook->dev = NULL;
1259
1260 return 0;
1261}
1262
1263static void nft_chain_release_hook(struct nft_chain_hook *hook)
1264{
1265 module_put(hook->type->owner);
1266 if (hook->dev != NULL)
1267 dev_put(hook->dev);
1268}
1269
1270static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1271 struct sk_buff *skb, const struct nlmsghdr *nlh,
1272 const struct nlattr * const nla[])
1273{
1274 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1275 const struct nlattr * uninitialized_var(name);
1276 struct nft_af_info *afi;
1277 struct nft_table *table;
1278 struct nft_chain *chain;
1279 struct nft_base_chain *basechain = NULL;
1280 int family = nfmsg->nfgen_family;
1281 u8 policy = NF_ACCEPT;
1282 u64 handle = 0;
1283 unsigned int i;
1284 struct nft_stats __percpu *stats;
1285 int err;
1286 bool create;
1287 struct nft_ctx ctx;
1288
1289 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1290
1291 afi = nf_tables_afinfo_lookup(net, family, true);
1292 if (IS_ERR(afi))
1293 return PTR_ERR(afi);
1294
1295 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1296 if (IS_ERR(table))
1297 return PTR_ERR(table);
1298
1299 chain = NULL;
1300 name = nla[NFTA_CHAIN_NAME];
1301
1302 if (nla[NFTA_CHAIN_HANDLE]) {
1303 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1304 chain = nf_tables_chain_lookup_byhandle(table, handle);
1305 if (IS_ERR(chain))
1306 return PTR_ERR(chain);
1307 } else {
1308 chain = nf_tables_chain_lookup(table, name);
1309 if (IS_ERR(chain)) {
1310 if (PTR_ERR(chain) != -ENOENT)
1311 return PTR_ERR(chain);
1312 chain = NULL;
1313 }
1314 }
1315
1316 if (nla[NFTA_CHAIN_POLICY]) {
1317 if ((chain != NULL &&
1318 !(chain->flags & NFT_BASE_CHAIN)))
1319 return -EOPNOTSUPP;
1320
1321 if (chain == NULL &&
1322 nla[NFTA_CHAIN_HOOK] == NULL)
1323 return -EOPNOTSUPP;
1324
1325 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1326 switch (policy) {
1327 case NF_DROP:
1328 case NF_ACCEPT:
1329 break;
1330 default:
1331 return -EINVAL;
1332 }
1333 }
1334
1335 if (chain != NULL) {
1336 struct nft_stats *stats = NULL;
1337 struct nft_trans *trans;
1338
1339 if (chain->flags & NFT_CHAIN_INACTIVE)
1340 return -ENOENT;
1341 if (nlh->nlmsg_flags & NLM_F_EXCL)
1342 return -EEXIST;
1343 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1344 return -EOPNOTSUPP;
1345
1346 if (nla[NFTA_CHAIN_HOOK]) {
1347 struct nft_base_chain *basechain;
1348 struct nft_chain_hook hook;
1349 struct nf_hook_ops *ops;
1350
1351 if (!(chain->flags & NFT_BASE_CHAIN))
1352 return -EBUSY;
1353
1354 err = nft_chain_parse_hook(net, nla, afi, &hook,
1355 create);
1356 if (err < 0)
1357 return err;
1358
1359 basechain = nft_base_chain(chain);
1360 if (basechain->type != hook.type) {
1361 nft_chain_release_hook(&hook);
1362 return -EBUSY;
1363 }
1364
1365 for (i = 0; i < afi->nops; i++) {
1366 ops = &basechain->ops[i];
1367 if (ops->hooknum != hook.num ||
1368 ops->priority != hook.priority) {
1369 nft_chain_release_hook(&hook);
1370 return -EBUSY;
1371 }
1372 }
1373 nft_chain_release_hook(&hook);
1374 }
1375
1376 if (nla[NFTA_CHAIN_HANDLE] && name &&
1377 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1378 return -EEXIST;
1379
1380 if (nla[NFTA_CHAIN_COUNTERS]) {
1381 if (!(chain->flags & NFT_BASE_CHAIN))
1382 return -EOPNOTSUPP;
1383
1384 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1385 if (IS_ERR(stats))
1386 return PTR_ERR(stats);
1387 }
1388
1389 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1390 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1391 sizeof(struct nft_trans_chain));
1392 if (trans == NULL) {
1393 free_percpu(stats);
1394 return -ENOMEM;
1395 }
1396
1397 nft_trans_chain_stats(trans) = stats;
1398 nft_trans_chain_update(trans) = true;
1399
1400 if (nla[NFTA_CHAIN_POLICY])
1401 nft_trans_chain_policy(trans) = policy;
1402 else
1403 nft_trans_chain_policy(trans) = -1;
1404
1405 if (nla[NFTA_CHAIN_HANDLE] && name) {
1406 nla_strlcpy(nft_trans_chain_name(trans), name,
1407 NFT_CHAIN_MAXNAMELEN);
1408 }
1409 list_add_tail(&trans->list, &net->nft.commit_list);
1410 return 0;
1411 }
1412
1413 if (table->use == UINT_MAX)
1414 return -EOVERFLOW;
1415
1416 if (nla[NFTA_CHAIN_HOOK]) {
1417 struct nft_chain_hook hook = { .type = NULL, };
1418 struct nf_hook_ops *ops;
1419 nf_hookfn *hookfn;
1420
1421 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1422 if (err < 0)
1423 return err;
1424 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1425 if (basechain == NULL) {
1426 nft_chain_release_hook(&hook);
1427 return -ENOMEM;
1428 }
1429
1430 if (nla[NFTA_CHAIN_COUNTERS]) {
1431 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1432 if (IS_ERR(stats)) {
1433 nft_chain_release_hook(&hook);
1434 kfree(basechain);
1435 return PTR_ERR(stats);
1436 }
1437 basechain->stats = stats;
1438 } else {
1439 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1440 if (stats == NULL) {
1441 nft_chain_release_hook(&hook);
1442 kfree(basechain);
1443 return -ENOMEM;
1444 }
1445 rcu_assign_pointer(basechain->stats, stats);
1446 }
1447
1448 write_pnet(&basechain->pnet, net);
1449 hookfn = hook.type->hooks[hook.num];
1450 basechain->type = hook.type;
1451 chain = &basechain->chain;
1452
1453 for (i = 0; i < afi->nops; i++) {
1454 ops = &basechain->ops[i];
1455 ops->pf = family;
1456 ops->owner = afi->owner;
1457 ops->hooknum = hook.num;
1458 ops->priority = hook.priority;
1459 ops->priv = chain;
1460 ops->hook = afi->hooks[ops->hooknum];
1461 if (hookfn)
1462 ops->hook = hookfn;
1463 if (afi->hook_ops_init)
1464 afi->hook_ops_init(ops, i);
1465 }
1466
1467 chain->flags |= NFT_BASE_CHAIN;
1468 basechain->policy = policy;
1469 } else {
1470 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1471 if (chain == NULL)
1472 return -ENOMEM;
1473 }
1474
1475 INIT_LIST_HEAD(&chain->rules);
1476 chain->handle = nf_tables_alloc_handle(table);
1477 chain->table = table;
1478 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1479
1480 err = nf_tables_register_hooks(table, chain, afi->nops);
1481 if (err < 0)
1482 goto err1;
1483
1484 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1485 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1486 if (err < 0)
1487 goto err2;
1488
1489 table->use++;
1490 list_add_tail_rcu(&chain->list, &table->chains);
1491 return 0;
1492err2:
1493 nf_tables_unregister_hooks(table, chain, afi->nops);
1494err1:
1495 nf_tables_chain_destroy(chain);
1496 return err;
1497}
1498
1499static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1500 struct sk_buff *skb, const struct nlmsghdr *nlh,
1501 const struct nlattr * const nla[])
1502{
1503 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1504 struct nft_af_info *afi;
1505 struct nft_table *table;
1506 struct nft_chain *chain;
1507 int family = nfmsg->nfgen_family;
1508 struct nft_ctx ctx;
1509
1510 afi = nf_tables_afinfo_lookup(net, family, false);
1511 if (IS_ERR(afi))
1512 return PTR_ERR(afi);
1513
1514 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1515 if (IS_ERR(table))
1516 return PTR_ERR(table);
1517
1518 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1519 if (IS_ERR(chain))
1520 return PTR_ERR(chain);
1521 if (chain->use > 0)
1522 return -EBUSY;
1523
1524 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1525
1526 return nft_delchain(&ctx);
1527}
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540int nft_register_expr(struct nft_expr_type *type)
1541{
1542 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1543 if (type->family == NFPROTO_UNSPEC)
1544 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1545 else
1546 list_add_rcu(&type->list, &nf_tables_expressions);
1547 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1548 return 0;
1549}
1550EXPORT_SYMBOL_GPL(nft_register_expr);
1551
1552
1553
1554
1555
1556
1557
1558void nft_unregister_expr(struct nft_expr_type *type)
1559{
1560 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1561 list_del_rcu(&type->list);
1562 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1563}
1564EXPORT_SYMBOL_GPL(nft_unregister_expr);
1565
1566static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1567 struct nlattr *nla)
1568{
1569 const struct nft_expr_type *type;
1570
1571 list_for_each_entry(type, &nf_tables_expressions, list) {
1572 if (!nla_strcmp(nla, type->name) &&
1573 (!type->family || type->family == family))
1574 return type;
1575 }
1576 return NULL;
1577}
1578
1579static const struct nft_expr_type *nft_expr_type_get(u8 family,
1580 struct nlattr *nla)
1581{
1582 const struct nft_expr_type *type;
1583
1584 if (nla == NULL)
1585 return ERR_PTR(-EINVAL);
1586
1587 type = __nft_expr_type_get(family, nla);
1588 if (type != NULL && try_module_get(type->owner))
1589 return type;
1590
1591#ifdef CONFIG_MODULES
1592 if (type == NULL) {
1593 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1594 request_module("nft-expr-%u-%.*s", family,
1595 nla_len(nla), (char *)nla_data(nla));
1596 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1597 if (__nft_expr_type_get(family, nla))
1598 return ERR_PTR(-EAGAIN);
1599
1600 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1601 request_module("nft-expr-%.*s",
1602 nla_len(nla), (char *)nla_data(nla));
1603 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1604 if (__nft_expr_type_get(family, nla))
1605 return ERR_PTR(-EAGAIN);
1606 }
1607#endif
1608 return ERR_PTR(-ENOENT);
1609}
1610
1611static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1612 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1613 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1614};
1615
1616static int nf_tables_fill_expr_info(struct sk_buff *skb,
1617 const struct nft_expr *expr)
1618{
1619 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1620 goto nla_put_failure;
1621
1622 if (expr->ops->dump) {
1623 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1624 if (data == NULL)
1625 goto nla_put_failure;
1626 if (expr->ops->dump(skb, expr) < 0)
1627 goto nla_put_failure;
1628 nla_nest_end(skb, data);
1629 }
1630
1631 return skb->len;
1632
1633nla_put_failure:
1634 return -1;
1635};
1636
1637int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1638 const struct nft_expr *expr)
1639{
1640 struct nlattr *nest;
1641
1642 nest = nla_nest_start(skb, attr);
1643 if (!nest)
1644 goto nla_put_failure;
1645 if (nf_tables_fill_expr_info(skb, expr) < 0)
1646 goto nla_put_failure;
1647 nla_nest_end(skb, nest);
1648 return 0;
1649
1650nla_put_failure:
1651 return -1;
1652}
1653
1654struct nft_expr_info {
1655 const struct nft_expr_ops *ops;
1656 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1657};
1658
1659static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1660 const struct nlattr *nla,
1661 struct nft_expr_info *info)
1662{
1663 const struct nft_expr_type *type;
1664 const struct nft_expr_ops *ops;
1665 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1666 int err;
1667
1668 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1669 if (err < 0)
1670 return err;
1671
1672 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1673 if (IS_ERR(type))
1674 return PTR_ERR(type);
1675
1676 if (tb[NFTA_EXPR_DATA]) {
1677 err = nla_parse_nested(info->tb, type->maxattr,
1678 tb[NFTA_EXPR_DATA], type->policy);
1679 if (err < 0)
1680 goto err1;
1681 } else
1682 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1683
1684 if (type->select_ops != NULL) {
1685 ops = type->select_ops(ctx,
1686 (const struct nlattr * const *)info->tb);
1687 if (IS_ERR(ops)) {
1688 err = PTR_ERR(ops);
1689 goto err1;
1690 }
1691 } else
1692 ops = type->ops;
1693
1694 info->ops = ops;
1695 return 0;
1696
1697err1:
1698 module_put(type->owner);
1699 return err;
1700}
1701
1702static int nf_tables_newexpr(const struct nft_ctx *ctx,
1703 const struct nft_expr_info *info,
1704 struct nft_expr *expr)
1705{
1706 const struct nft_expr_ops *ops = info->ops;
1707 int err;
1708
1709 expr->ops = ops;
1710 if (ops->init) {
1711 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1712 if (err < 0)
1713 goto err1;
1714 }
1715
1716 return 0;
1717
1718err1:
1719 expr->ops = NULL;
1720 return err;
1721}
1722
1723static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1724 struct nft_expr *expr)
1725{
1726 const struct nft_expr_type *type = expr->ops->type;
1727
1728 if (expr->ops->destroy)
1729 expr->ops->destroy(ctx, expr);
1730 module_put(type->owner);
1731}
1732
1733struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1734 const struct nlattr *nla)
1735{
1736 struct nft_expr_info info;
1737 struct nft_expr *expr;
1738 int err;
1739
1740 err = nf_tables_expr_parse(ctx, nla, &info);
1741 if (err < 0)
1742 goto err1;
1743
1744 err = -ENOMEM;
1745 expr = kzalloc(info.ops->size, GFP_KERNEL);
1746 if (expr == NULL)
1747 goto err2;
1748
1749 err = nf_tables_newexpr(ctx, &info, expr);
1750 if (err < 0)
1751 goto err2;
1752
1753 return expr;
1754err2:
1755 module_put(info.ops->type->owner);
1756err1:
1757 return ERR_PTR(err);
1758}
1759
1760void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1761{
1762 nf_tables_expr_destroy(ctx, expr);
1763 kfree(expr);
1764}
1765
1766
1767
1768
1769
1770static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1771 u64 handle)
1772{
1773 struct nft_rule *rule;
1774
1775
1776 list_for_each_entry(rule, &chain->rules, list) {
1777 if (handle == rule->handle)
1778 return rule;
1779 }
1780
1781 return ERR_PTR(-ENOENT);
1782}
1783
1784static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1785 const struct nlattr *nla)
1786{
1787 if (nla == NULL)
1788 return ERR_PTR(-EINVAL);
1789
1790 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1791}
1792
1793static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1794 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1795 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1796 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1797 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1798 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1799 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1800 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1801 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1802 .len = NFT_USERDATA_MAXLEN },
1803};
1804
1805static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1806 u32 portid, u32 seq, int event,
1807 u32 flags, int family,
1808 const struct nft_table *table,
1809 const struct nft_chain *chain,
1810 const struct nft_rule *rule)
1811{
1812 struct nlmsghdr *nlh;
1813 struct nfgenmsg *nfmsg;
1814 const struct nft_expr *expr, *next;
1815 struct nlattr *list;
1816 const struct nft_rule *prule;
1817 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1818
1819 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1820 flags);
1821 if (nlh == NULL)
1822 goto nla_put_failure;
1823
1824 nfmsg = nlmsg_data(nlh);
1825 nfmsg->nfgen_family = family;
1826 nfmsg->version = NFNETLINK_V0;
1827 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1828
1829 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1830 goto nla_put_failure;
1831 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1832 goto nla_put_failure;
1833 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1834 NFTA_RULE_PAD))
1835 goto nla_put_failure;
1836
1837 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1838 prule = list_entry(rule->list.prev, struct nft_rule, list);
1839 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1840 cpu_to_be64(prule->handle),
1841 NFTA_RULE_PAD))
1842 goto nla_put_failure;
1843 }
1844
1845 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1846 if (list == NULL)
1847 goto nla_put_failure;
1848 nft_rule_for_each_expr(expr, next, rule) {
1849 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1850 goto nla_put_failure;
1851 }
1852 nla_nest_end(skb, list);
1853
1854 if (rule->udata) {
1855 struct nft_userdata *udata = nft_userdata(rule);
1856 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1857 udata->data) < 0)
1858 goto nla_put_failure;
1859 }
1860
1861 nlmsg_end(skb, nlh);
1862 return 0;
1863
1864nla_put_failure:
1865 nlmsg_trim(skb, nlh);
1866 return -1;
1867}
1868
1869static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1870 const struct nft_rule *rule,
1871 int event)
1872{
1873 struct sk_buff *skb;
1874 int err;
1875
1876 if (!ctx->report &&
1877 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1878 return 0;
1879
1880 err = -ENOBUFS;
1881 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1882 if (skb == NULL)
1883 goto err;
1884
1885 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1886 event, 0, ctx->afi->family, ctx->table,
1887 ctx->chain, rule);
1888 if (err < 0) {
1889 kfree_skb(skb);
1890 goto err;
1891 }
1892
1893 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1894 ctx->report, GFP_KERNEL);
1895err:
1896 if (err < 0) {
1897 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1898 err);
1899 }
1900 return err;
1901}
1902
1903static int nf_tables_dump_rules(struct sk_buff *skb,
1904 struct netlink_callback *cb)
1905{
1906 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1907 const struct nft_af_info *afi;
1908 const struct nft_table *table;
1909 const struct nft_chain *chain;
1910 const struct nft_rule *rule;
1911 unsigned int idx = 0, s_idx = cb->args[0];
1912 struct net *net = sock_net(skb->sk);
1913 int family = nfmsg->nfgen_family;
1914
1915 rcu_read_lock();
1916 cb->seq = net->nft.base_seq;
1917
1918 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1919 if (family != NFPROTO_UNSPEC && family != afi->family)
1920 continue;
1921
1922 list_for_each_entry_rcu(table, &afi->tables, list) {
1923 list_for_each_entry_rcu(chain, &table->chains, list) {
1924 list_for_each_entry_rcu(rule, &chain->rules, list) {
1925 if (!nft_rule_is_active(net, rule))
1926 goto cont;
1927 if (idx < s_idx)
1928 goto cont;
1929 if (idx > s_idx)
1930 memset(&cb->args[1], 0,
1931 sizeof(cb->args) - sizeof(cb->args[0]));
1932 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1933 cb->nlh->nlmsg_seq,
1934 NFT_MSG_NEWRULE,
1935 NLM_F_MULTI | NLM_F_APPEND,
1936 afi->family, table, chain, rule) < 0)
1937 goto done;
1938
1939 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1940cont:
1941 idx++;
1942 }
1943 }
1944 }
1945 }
1946done:
1947 rcu_read_unlock();
1948
1949 cb->args[0] = idx;
1950 return skb->len;
1951}
1952
1953static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1954 const struct nlmsghdr *nlh,
1955 const struct nlattr * const nla[])
1956{
1957 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1958 const struct nft_af_info *afi;
1959 const struct nft_table *table;
1960 const struct nft_chain *chain;
1961 const struct nft_rule *rule;
1962 struct sk_buff *skb2;
1963 struct net *net = sock_net(skb->sk);
1964 int family = nfmsg->nfgen_family;
1965 int err;
1966
1967 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1968 struct netlink_dump_control c = {
1969 .dump = nf_tables_dump_rules,
1970 };
1971 return netlink_dump_start(nlsk, skb, nlh, &c);
1972 }
1973
1974 afi = nf_tables_afinfo_lookup(net, family, false);
1975 if (IS_ERR(afi))
1976 return PTR_ERR(afi);
1977
1978 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1979 if (IS_ERR(table))
1980 return PTR_ERR(table);
1981 if (table->flags & NFT_TABLE_INACTIVE)
1982 return -ENOENT;
1983
1984 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1985 if (IS_ERR(chain))
1986 return PTR_ERR(chain);
1987 if (chain->flags & NFT_CHAIN_INACTIVE)
1988 return -ENOENT;
1989
1990 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1991 if (IS_ERR(rule))
1992 return PTR_ERR(rule);
1993
1994 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1995 if (!skb2)
1996 return -ENOMEM;
1997
1998 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
1999 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2000 family, table, chain, rule);
2001 if (err < 0)
2002 goto err;
2003
2004 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2005
2006err:
2007 kfree_skb(skb2);
2008 return err;
2009}
2010
2011static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2012 struct nft_rule *rule)
2013{
2014 struct nft_expr *expr, *next;
2015
2016
2017
2018
2019
2020 expr = nft_expr_first(rule);
2021 while (expr != nft_expr_last(rule) && expr->ops) {
2022 next = nft_expr_next(expr);
2023 nf_tables_expr_destroy(ctx, expr);
2024 expr = next;
2025 }
2026 kfree(rule);
2027}
2028
2029#define NFT_RULE_MAXEXPRS 128
2030
2031static struct nft_expr_info *info;
2032
2033static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2034 struct sk_buff *skb, const struct nlmsghdr *nlh,
2035 const struct nlattr * const nla[])
2036{
2037 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2038 struct nft_af_info *afi;
2039 struct nft_table *table;
2040 struct nft_chain *chain;
2041 struct nft_rule *rule, *old_rule = NULL;
2042 struct nft_userdata *udata;
2043 struct nft_trans *trans = NULL;
2044 struct nft_expr *expr;
2045 struct nft_ctx ctx;
2046 struct nlattr *tmp;
2047 unsigned int size, i, n, ulen = 0, usize = 0;
2048 int err, rem;
2049 bool create;
2050 u64 handle, pos_handle;
2051
2052 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2053
2054 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2055 if (IS_ERR(afi))
2056 return PTR_ERR(afi);
2057
2058 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2059 if (IS_ERR(table))
2060 return PTR_ERR(table);
2061
2062 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2063 if (IS_ERR(chain))
2064 return PTR_ERR(chain);
2065
2066 if (nla[NFTA_RULE_HANDLE]) {
2067 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2068 rule = __nf_tables_rule_lookup(chain, handle);
2069 if (IS_ERR(rule))
2070 return PTR_ERR(rule);
2071
2072 if (nlh->nlmsg_flags & NLM_F_EXCL)
2073 return -EEXIST;
2074 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2075 old_rule = rule;
2076 else
2077 return -EOPNOTSUPP;
2078 } else {
2079 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2080 return -EINVAL;
2081 handle = nf_tables_alloc_handle(table);
2082
2083 if (chain->use == UINT_MAX)
2084 return -EOVERFLOW;
2085
2086 if (nla[NFTA_RULE_POSITION]) {
2087 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2088 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2089 if (IS_ERR(old_rule))
2090 return PTR_ERR(old_rule);
2091 }
2092 }
2093
2094 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2095
2096 n = 0;
2097 size = 0;
2098 if (nla[NFTA_RULE_EXPRESSIONS]) {
2099 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2100 err = -EINVAL;
2101 if (nla_type(tmp) != NFTA_LIST_ELEM)
2102 goto err1;
2103 if (n == NFT_RULE_MAXEXPRS)
2104 goto err1;
2105 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2106 if (err < 0)
2107 goto err1;
2108 size += info[n].ops->size;
2109 n++;
2110 }
2111 }
2112
2113 err = -EFBIG;
2114 if (size >= 1 << 12)
2115 goto err1;
2116
2117 if (nla[NFTA_RULE_USERDATA]) {
2118 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2119 if (ulen > 0)
2120 usize = sizeof(struct nft_userdata) + ulen;
2121 }
2122
2123 err = -ENOMEM;
2124 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2125 if (rule == NULL)
2126 goto err1;
2127
2128 nft_rule_activate_next(net, rule);
2129
2130 rule->handle = handle;
2131 rule->dlen = size;
2132 rule->udata = ulen ? 1 : 0;
2133
2134 if (ulen) {
2135 udata = nft_userdata(rule);
2136 udata->len = ulen - 1;
2137 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2138 }
2139
2140 expr = nft_expr_first(rule);
2141 for (i = 0; i < n; i++) {
2142 err = nf_tables_newexpr(&ctx, &info[i], expr);
2143 if (err < 0)
2144 goto err2;
2145 info[i].ops = NULL;
2146 expr = nft_expr_next(expr);
2147 }
2148
2149 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2150 if (nft_rule_is_active_next(net, old_rule)) {
2151 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2152 old_rule);
2153 if (trans == NULL) {
2154 err = -ENOMEM;
2155 goto err2;
2156 }
2157 nft_rule_deactivate_next(net, old_rule);
2158 chain->use--;
2159 list_add_tail_rcu(&rule->list, &old_rule->list);
2160 } else {
2161 err = -ENOENT;
2162 goto err2;
2163 }
2164 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2165 if (old_rule)
2166 list_add_rcu(&rule->list, &old_rule->list);
2167 else
2168 list_add_tail_rcu(&rule->list, &chain->rules);
2169 else {
2170 if (old_rule)
2171 list_add_tail_rcu(&rule->list, &old_rule->list);
2172 else
2173 list_add_rcu(&rule->list, &chain->rules);
2174 }
2175
2176 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2177 err = -ENOMEM;
2178 goto err3;
2179 }
2180 chain->use++;
2181 return 0;
2182
2183err3:
2184 list_del_rcu(&rule->list);
2185err2:
2186 nf_tables_rule_destroy(&ctx, rule);
2187err1:
2188 for (i = 0; i < n; i++) {
2189 if (info[i].ops != NULL)
2190 module_put(info[i].ops->type->owner);
2191 }
2192 return err;
2193}
2194
2195static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2196 struct sk_buff *skb, const struct nlmsghdr *nlh,
2197 const struct nlattr * const nla[])
2198{
2199 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2200 struct nft_af_info *afi;
2201 struct nft_table *table;
2202 struct nft_chain *chain = NULL;
2203 struct nft_rule *rule;
2204 int family = nfmsg->nfgen_family, err = 0;
2205 struct nft_ctx ctx;
2206
2207 afi = nf_tables_afinfo_lookup(net, family, false);
2208 if (IS_ERR(afi))
2209 return PTR_ERR(afi);
2210
2211 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2212 if (IS_ERR(table))
2213 return PTR_ERR(table);
2214
2215 if (nla[NFTA_RULE_CHAIN]) {
2216 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2217 if (IS_ERR(chain))
2218 return PTR_ERR(chain);
2219 }
2220
2221 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2222
2223 if (chain) {
2224 if (nla[NFTA_RULE_HANDLE]) {
2225 rule = nf_tables_rule_lookup(chain,
2226 nla[NFTA_RULE_HANDLE]);
2227 if (IS_ERR(rule))
2228 return PTR_ERR(rule);
2229
2230 err = nft_delrule(&ctx, rule);
2231 } else {
2232 err = nft_delrule_by_chain(&ctx);
2233 }
2234 } else {
2235 list_for_each_entry(chain, &table->chains, list) {
2236 ctx.chain = chain;
2237 err = nft_delrule_by_chain(&ctx);
2238 if (err < 0)
2239 break;
2240 }
2241 }
2242
2243 return err;
2244}
2245
2246
2247
2248
2249
2250static LIST_HEAD(nf_tables_set_ops);
2251
2252int nft_register_set(struct nft_set_ops *ops)
2253{
2254 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2255 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2256 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2257 return 0;
2258}
2259EXPORT_SYMBOL_GPL(nft_register_set);
2260
2261void nft_unregister_set(struct nft_set_ops *ops)
2262{
2263 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2264 list_del_rcu(&ops->list);
2265 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2266}
2267EXPORT_SYMBOL_GPL(nft_unregister_set);
2268
2269
2270
2271
2272
2273
2274static const struct nft_set_ops *
2275nft_select_set_ops(const struct nlattr * const nla[],
2276 const struct nft_set_desc *desc,
2277 enum nft_set_policies policy)
2278{
2279 const struct nft_set_ops *ops, *bops;
2280 struct nft_set_estimate est, best;
2281 u32 features;
2282
2283#ifdef CONFIG_MODULES
2284 if (list_empty(&nf_tables_set_ops)) {
2285 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2286 request_module("nft-set");
2287 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2288 if (!list_empty(&nf_tables_set_ops))
2289 return ERR_PTR(-EAGAIN);
2290 }
2291#endif
2292 features = 0;
2293 if (nla[NFTA_SET_FLAGS] != NULL) {
2294 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2295 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2296 }
2297
2298 bops = NULL;
2299 best.size = ~0;
2300 best.class = ~0;
2301
2302 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2303 if ((ops->features & features) != features)
2304 continue;
2305 if (!ops->estimate(desc, features, &est))
2306 continue;
2307
2308 switch (policy) {
2309 case NFT_SET_POL_PERFORMANCE:
2310 if (est.class < best.class)
2311 break;
2312 if (est.class == best.class && est.size < best.size)
2313 break;
2314 continue;
2315 case NFT_SET_POL_MEMORY:
2316 if (est.size < best.size)
2317 break;
2318 if (est.size == best.size && est.class < best.class)
2319 break;
2320 continue;
2321 default:
2322 break;
2323 }
2324
2325 if (!try_module_get(ops->owner))
2326 continue;
2327 if (bops != NULL)
2328 module_put(bops->owner);
2329
2330 bops = ops;
2331 best = est;
2332 }
2333
2334 if (bops != NULL)
2335 return bops;
2336
2337 return ERR_PTR(-EOPNOTSUPP);
2338}
2339
2340static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2341 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2342 [NFTA_SET_NAME] = { .type = NLA_STRING,
2343 .len = IFNAMSIZ - 1 },
2344 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2345 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2346 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2347 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2348 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2349 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2350 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2351 [NFTA_SET_ID] = { .type = NLA_U32 },
2352 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2353 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2354 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2355 .len = NFT_USERDATA_MAXLEN },
2356};
2357
2358static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2359 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2360};
2361
2362static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2363 const struct sk_buff *skb,
2364 const struct nlmsghdr *nlh,
2365 const struct nlattr * const nla[])
2366{
2367 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2368 struct nft_af_info *afi = NULL;
2369 struct nft_table *table = NULL;
2370
2371 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2372 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2373 if (IS_ERR(afi))
2374 return PTR_ERR(afi);
2375 }
2376
2377 if (nla[NFTA_SET_TABLE] != NULL) {
2378 if (afi == NULL)
2379 return -EAFNOSUPPORT;
2380
2381 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2382 if (IS_ERR(table))
2383 return PTR_ERR(table);
2384 }
2385
2386 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2387 return 0;
2388}
2389
2390struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2391 const struct nlattr *nla)
2392{
2393 struct nft_set *set;
2394
2395 if (nla == NULL)
2396 return ERR_PTR(-EINVAL);
2397
2398 list_for_each_entry(set, &table->sets, list) {
2399 if (!nla_strcmp(nla, set->name))
2400 return set;
2401 }
2402 return ERR_PTR(-ENOENT);
2403}
2404
2405struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2406 const struct nlattr *nla)
2407{
2408 struct nft_trans *trans;
2409 u32 id = ntohl(nla_get_be32(nla));
2410
2411 list_for_each_entry(trans, &net->nft.commit_list, list) {
2412 if (trans->msg_type == NFT_MSG_NEWSET &&
2413 id == nft_trans_set_id(trans))
2414 return nft_trans_set(trans);
2415 }
2416 return ERR_PTR(-ENOENT);
2417}
2418
2419static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2420 const char *name)
2421{
2422 const struct nft_set *i;
2423 const char *p;
2424 unsigned long *inuse;
2425 unsigned int n = 0, min = 0;
2426
2427 p = strnchr(name, IFNAMSIZ, '%');
2428 if (p != NULL) {
2429 if (p[1] != 'd' || strchr(p + 2, '%'))
2430 return -EINVAL;
2431
2432 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2433 if (inuse == NULL)
2434 return -ENOMEM;
2435cont:
2436 list_for_each_entry(i, &ctx->table->sets, list) {
2437 int tmp;
2438
2439 if (!sscanf(i->name, name, &tmp))
2440 continue;
2441 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2442 continue;
2443
2444 set_bit(tmp - min, inuse);
2445 }
2446
2447 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2448 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2449 min += BITS_PER_BYTE * PAGE_SIZE;
2450 memset(inuse, 0, PAGE_SIZE);
2451 goto cont;
2452 }
2453 free_page((unsigned long)inuse);
2454 }
2455
2456 snprintf(set->name, sizeof(set->name), name, min + n);
2457 list_for_each_entry(i, &ctx->table->sets, list) {
2458 if (!strcmp(set->name, i->name))
2459 return -ENFILE;
2460 }
2461 return 0;
2462}
2463
2464static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2465 const struct nft_set *set, u16 event, u16 flags)
2466{
2467 struct nfgenmsg *nfmsg;
2468 struct nlmsghdr *nlh;
2469 struct nlattr *desc;
2470 u32 portid = ctx->portid;
2471 u32 seq = ctx->seq;
2472
2473 event |= NFNL_SUBSYS_NFTABLES << 8;
2474 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2475 flags);
2476 if (nlh == NULL)
2477 goto nla_put_failure;
2478
2479 nfmsg = nlmsg_data(nlh);
2480 nfmsg->nfgen_family = ctx->afi->family;
2481 nfmsg->version = NFNETLINK_V0;
2482 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2483
2484 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2485 goto nla_put_failure;
2486 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2487 goto nla_put_failure;
2488 if (set->flags != 0)
2489 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2490 goto nla_put_failure;
2491
2492 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2493 goto nla_put_failure;
2494 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2495 goto nla_put_failure;
2496 if (set->flags & NFT_SET_MAP) {
2497 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2498 goto nla_put_failure;
2499 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2500 goto nla_put_failure;
2501 }
2502
2503 if (set->timeout &&
2504 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2505 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2506 NFTA_SET_PAD))
2507 goto nla_put_failure;
2508 if (set->gc_int &&
2509 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2510 goto nla_put_failure;
2511
2512 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2513 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2514 goto nla_put_failure;
2515 }
2516
2517 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2518 goto nla_put_failure;
2519
2520 desc = nla_nest_start(skb, NFTA_SET_DESC);
2521 if (desc == NULL)
2522 goto nla_put_failure;
2523 if (set->size &&
2524 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2525 goto nla_put_failure;
2526 nla_nest_end(skb, desc);
2527
2528 nlmsg_end(skb, nlh);
2529 return 0;
2530
2531nla_put_failure:
2532 nlmsg_trim(skb, nlh);
2533 return -1;
2534}
2535
2536static int nf_tables_set_notify(const struct nft_ctx *ctx,
2537 const struct nft_set *set,
2538 int event, gfp_t gfp_flags)
2539{
2540 struct sk_buff *skb;
2541 u32 portid = ctx->portid;
2542 int err;
2543
2544 if (!ctx->report &&
2545 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2546 return 0;
2547
2548 err = -ENOBUFS;
2549 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2550 if (skb == NULL)
2551 goto err;
2552
2553 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2554 if (err < 0) {
2555 kfree_skb(skb);
2556 goto err;
2557 }
2558
2559 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2560 ctx->report, gfp_flags);
2561err:
2562 if (err < 0)
2563 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2564 return err;
2565}
2566
2567static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2568{
2569 const struct nft_set *set;
2570 unsigned int idx, s_idx = cb->args[0];
2571 struct nft_af_info *afi;
2572 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2573 struct net *net = sock_net(skb->sk);
2574 int cur_family = cb->args[3];
2575 struct nft_ctx *ctx = cb->data, ctx_set;
2576
2577 if (cb->args[1])
2578 return skb->len;
2579
2580 rcu_read_lock();
2581 cb->seq = net->nft.base_seq;
2582
2583 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2584 if (ctx->afi && ctx->afi != afi)
2585 continue;
2586
2587 if (cur_family) {
2588 if (afi->family != cur_family)
2589 continue;
2590
2591 cur_family = 0;
2592 }
2593 list_for_each_entry_rcu(table, &afi->tables, list) {
2594 if (ctx->table && ctx->table != table)
2595 continue;
2596
2597 if (cur_table) {
2598 if (cur_table != table)
2599 continue;
2600
2601 cur_table = NULL;
2602 }
2603 idx = 0;
2604 list_for_each_entry_rcu(set, &table->sets, list) {
2605 if (idx < s_idx)
2606 goto cont;
2607
2608 ctx_set = *ctx;
2609 ctx_set.table = table;
2610 ctx_set.afi = afi;
2611 if (nf_tables_fill_set(skb, &ctx_set, set,
2612 NFT_MSG_NEWSET,
2613 NLM_F_MULTI) < 0) {
2614 cb->args[0] = idx;
2615 cb->args[2] = (unsigned long) table;
2616 cb->args[3] = afi->family;
2617 goto done;
2618 }
2619 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2620cont:
2621 idx++;
2622 }
2623 if (s_idx)
2624 s_idx = 0;
2625 }
2626 }
2627 cb->args[1] = 1;
2628done:
2629 rcu_read_unlock();
2630 return skb->len;
2631}
2632
2633static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2634{
2635 kfree(cb->data);
2636 return 0;
2637}
2638
2639static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2640 const struct nlmsghdr *nlh,
2641 const struct nlattr * const nla[])
2642{
2643 struct net *net = sock_net(skb->sk);
2644 const struct nft_set *set;
2645 struct nft_ctx ctx;
2646 struct sk_buff *skb2;
2647 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2648 int err;
2649
2650
2651 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
2652 if (err < 0)
2653 return err;
2654
2655 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2656 struct netlink_dump_control c = {
2657 .dump = nf_tables_dump_sets,
2658 .done = nf_tables_dump_sets_done,
2659 };
2660 struct nft_ctx *ctx_dump;
2661
2662 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2663 if (ctx_dump == NULL)
2664 return -ENOMEM;
2665
2666 *ctx_dump = ctx;
2667 c.data = ctx_dump;
2668
2669 return netlink_dump_start(nlsk, skb, nlh, &c);
2670 }
2671
2672
2673 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2674 return -EAFNOSUPPORT;
2675
2676 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2677 if (IS_ERR(set))
2678 return PTR_ERR(set);
2679 if (set->flags & NFT_SET_INACTIVE)
2680 return -ENOENT;
2681
2682 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2683 if (skb2 == NULL)
2684 return -ENOMEM;
2685
2686 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2687 if (err < 0)
2688 goto err;
2689
2690 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2691
2692err:
2693 kfree_skb(skb2);
2694 return err;
2695}
2696
2697static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2698 struct nft_set_desc *desc,
2699 const struct nlattr *nla)
2700{
2701 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2702 int err;
2703
2704 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2705 if (err < 0)
2706 return err;
2707
2708 if (da[NFTA_SET_DESC_SIZE] != NULL)
2709 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2710
2711 return 0;
2712}
2713
2714static int nf_tables_newset(struct net *net, struct sock *nlsk,
2715 struct sk_buff *skb, const struct nlmsghdr *nlh,
2716 const struct nlattr * const nla[])
2717{
2718 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2719 const struct nft_set_ops *ops;
2720 struct nft_af_info *afi;
2721 struct nft_table *table;
2722 struct nft_set *set;
2723 struct nft_ctx ctx;
2724 char name[IFNAMSIZ];
2725 u64 size;
2726 bool create;
2727 u64 timeout;
2728 u32 ktype, dtype, flags, policy, gc_int;
2729 struct nft_set_desc desc;
2730 unsigned char *udata;
2731 u16 udlen;
2732 int err;
2733
2734 if (nla[NFTA_SET_TABLE] == NULL ||
2735 nla[NFTA_SET_NAME] == NULL ||
2736 nla[NFTA_SET_KEY_LEN] == NULL ||
2737 nla[NFTA_SET_ID] == NULL)
2738 return -EINVAL;
2739
2740 memset(&desc, 0, sizeof(desc));
2741
2742 ktype = NFT_DATA_VALUE;
2743 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2744 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2745 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2746 return -EINVAL;
2747 }
2748
2749 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2750 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2751 return -EINVAL;
2752
2753 flags = 0;
2754 if (nla[NFTA_SET_FLAGS] != NULL) {
2755 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2756 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2757 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2758 NFT_SET_MAP | NFT_SET_EVAL))
2759 return -EINVAL;
2760
2761 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2762 (NFT_SET_MAP | NFT_SET_EVAL))
2763 return -EOPNOTSUPP;
2764 }
2765
2766 dtype = 0;
2767 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2768 if (!(flags & NFT_SET_MAP))
2769 return -EINVAL;
2770
2771 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2772 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2773 dtype != NFT_DATA_VERDICT)
2774 return -EINVAL;
2775
2776 if (dtype != NFT_DATA_VERDICT) {
2777 if (nla[NFTA_SET_DATA_LEN] == NULL)
2778 return -EINVAL;
2779 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2780 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2781 return -EINVAL;
2782 } else
2783 desc.dlen = sizeof(struct nft_verdict);
2784 } else if (flags & NFT_SET_MAP)
2785 return -EINVAL;
2786
2787 timeout = 0;
2788 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2789 if (!(flags & NFT_SET_TIMEOUT))
2790 return -EINVAL;
2791 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
2792 nla[NFTA_SET_TIMEOUT])));
2793 }
2794 gc_int = 0;
2795 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2796 if (!(flags & NFT_SET_TIMEOUT))
2797 return -EINVAL;
2798 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2799 }
2800
2801 policy = NFT_SET_POL_PERFORMANCE;
2802 if (nla[NFTA_SET_POLICY] != NULL)
2803 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2804
2805 if (nla[NFTA_SET_DESC] != NULL) {
2806 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2807 if (err < 0)
2808 return err;
2809 }
2810
2811 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2812
2813 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2814 if (IS_ERR(afi))
2815 return PTR_ERR(afi);
2816
2817 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2818 if (IS_ERR(table))
2819 return PTR_ERR(table);
2820
2821 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2822
2823 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2824 if (IS_ERR(set)) {
2825 if (PTR_ERR(set) != -ENOENT)
2826 return PTR_ERR(set);
2827 set = NULL;
2828 }
2829
2830 if (set != NULL) {
2831 if (nlh->nlmsg_flags & NLM_F_EXCL)
2832 return -EEXIST;
2833 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2834 return -EOPNOTSUPP;
2835 return 0;
2836 }
2837
2838 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2839 return -ENOENT;
2840
2841 ops = nft_select_set_ops(nla, &desc, policy);
2842 if (IS_ERR(ops))
2843 return PTR_ERR(ops);
2844
2845 udlen = 0;
2846 if (nla[NFTA_SET_USERDATA])
2847 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2848
2849 size = 0;
2850 if (ops->privsize != NULL)
2851 size = ops->privsize(nla);
2852
2853 err = -ENOMEM;
2854 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2855 if (set == NULL)
2856 goto err1;
2857
2858 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2859 err = nf_tables_set_alloc_name(&ctx, set, name);
2860 if (err < 0)
2861 goto err2;
2862
2863 udata = NULL;
2864 if (udlen) {
2865 udata = set->data + size;
2866 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2867 }
2868
2869 INIT_LIST_HEAD(&set->bindings);
2870 write_pnet(&set->pnet, net);
2871 set->ops = ops;
2872 set->ktype = ktype;
2873 set->klen = desc.klen;
2874 set->dtype = dtype;
2875 set->dlen = desc.dlen;
2876 set->flags = flags;
2877 set->size = desc.size;
2878 set->policy = policy;
2879 set->udlen = udlen;
2880 set->udata = udata;
2881 set->timeout = timeout;
2882 set->gc_int = gc_int;
2883
2884 err = ops->init(set, &desc, nla);
2885 if (err < 0)
2886 goto err2;
2887
2888 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2889 if (err < 0)
2890 goto err3;
2891
2892 list_add_tail_rcu(&set->list, &table->sets);
2893 table->use++;
2894 return 0;
2895
2896err3:
2897 ops->destroy(set);
2898err2:
2899 kfree(set);
2900err1:
2901 module_put(ops->owner);
2902 return err;
2903}
2904
2905static void nft_set_destroy(struct nft_set *set)
2906{
2907 set->ops->destroy(set);
2908 module_put(set->ops->owner);
2909 kfree(set);
2910}
2911
2912static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2913{
2914 list_del_rcu(&set->list);
2915 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2916 nft_set_destroy(set);
2917}
2918
2919static int nf_tables_delset(struct net *net, struct sock *nlsk,
2920 struct sk_buff *skb, const struct nlmsghdr *nlh,
2921 const struct nlattr * const nla[])
2922{
2923 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2924 struct nft_set *set;
2925 struct nft_ctx ctx;
2926 int err;
2927
2928 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2929 return -EAFNOSUPPORT;
2930 if (nla[NFTA_SET_TABLE] == NULL)
2931 return -EINVAL;
2932
2933 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
2934 if (err < 0)
2935 return err;
2936
2937 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2938 if (IS_ERR(set))
2939 return PTR_ERR(set);
2940 if (!list_empty(&set->bindings))
2941 return -EBUSY;
2942
2943 return nft_delset(&ctx, set);
2944}
2945
2946static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2947 struct nft_set *set,
2948 const struct nft_set_iter *iter,
2949 struct nft_set_elem *elem)
2950{
2951 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
2952 enum nft_registers dreg;
2953
2954 dreg = nft_type_to_reg(set->dtype);
2955 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
2956 set->dtype == NFT_DATA_VERDICT ?
2957 NFT_DATA_VERDICT : NFT_DATA_VALUE,
2958 set->dlen);
2959}
2960
2961int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2962 struct nft_set_binding *binding)
2963{
2964 struct nft_set_binding *i;
2965 struct nft_set_iter iter;
2966
2967 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2968 return -EBUSY;
2969
2970 if (binding->flags & NFT_SET_MAP) {
2971
2972
2973
2974 list_for_each_entry(i, &set->bindings, list) {
2975 if (binding->flags & NFT_SET_MAP &&
2976 i->chain == binding->chain)
2977 goto bind;
2978 }
2979
2980 iter.skip = 0;
2981 iter.count = 0;
2982 iter.err = 0;
2983 iter.fn = nf_tables_bind_check_setelem;
2984
2985 set->ops->walk(ctx, set, &iter);
2986 if (iter.err < 0) {
2987
2988 if (set->flags & NFT_SET_ANONYMOUS)
2989 nf_tables_set_destroy(ctx, set);
2990
2991 return iter.err;
2992 }
2993 }
2994bind:
2995 binding->chain = ctx->chain;
2996 list_add_tail_rcu(&binding->list, &set->bindings);
2997 return 0;
2998}
2999
3000void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3001 struct nft_set_binding *binding)
3002{
3003 list_del_rcu(&binding->list);
3004
3005 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3006 !(set->flags & NFT_SET_INACTIVE))
3007 nf_tables_set_destroy(ctx, set);
3008}
3009
3010const struct nft_set_ext_type nft_set_ext_types[] = {
3011 [NFT_SET_EXT_KEY] = {
3012 .align = __alignof__(u32),
3013 },
3014 [NFT_SET_EXT_DATA] = {
3015 .align = __alignof__(u32),
3016 },
3017 [NFT_SET_EXT_EXPR] = {
3018 .align = __alignof__(struct nft_expr),
3019 },
3020 [NFT_SET_EXT_FLAGS] = {
3021 .len = sizeof(u8),
3022 .align = __alignof__(u8),
3023 },
3024 [NFT_SET_EXT_TIMEOUT] = {
3025 .len = sizeof(u64),
3026 .align = __alignof__(u64),
3027 },
3028 [NFT_SET_EXT_EXPIRATION] = {
3029 .len = sizeof(unsigned long),
3030 .align = __alignof__(unsigned long),
3031 },
3032 [NFT_SET_EXT_USERDATA] = {
3033 .len = sizeof(struct nft_userdata),
3034 .align = __alignof__(struct nft_userdata),
3035 },
3036};
3037EXPORT_SYMBOL_GPL(nft_set_ext_types);
3038
3039
3040
3041
3042
3043static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3044 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3045 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3046 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3047 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3048 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3049 .len = NFT_USERDATA_MAXLEN },
3050 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3051};
3052
3053static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3054 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3055 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3056 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3057 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3058};
3059
3060static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3061 const struct sk_buff *skb,
3062 const struct nlmsghdr *nlh,
3063 const struct nlattr * const nla[])
3064{
3065 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3066 struct nft_af_info *afi;
3067 struct nft_table *table;
3068
3069 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3070 if (IS_ERR(afi))
3071 return PTR_ERR(afi);
3072
3073 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
3074 if (IS_ERR(table))
3075 return PTR_ERR(table);
3076
3077 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3078 return 0;
3079}
3080
3081static int nf_tables_fill_setelem(struct sk_buff *skb,
3082 const struct nft_set *set,
3083 const struct nft_set_elem *elem)
3084{
3085 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3086 unsigned char *b = skb_tail_pointer(skb);
3087 struct nlattr *nest;
3088
3089 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3090 if (nest == NULL)
3091 goto nla_put_failure;
3092
3093 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3094 NFT_DATA_VALUE, set->klen) < 0)
3095 goto nla_put_failure;
3096
3097 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3098 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3099 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3100 set->dlen) < 0)
3101 goto nla_put_failure;
3102
3103 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3104 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3105 goto nla_put_failure;
3106
3107 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3108 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3109 htonl(*nft_set_ext_flags(ext))))
3110 goto nla_put_failure;
3111
3112 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3113 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3114 cpu_to_be64(jiffies_to_msecs(
3115 *nft_set_ext_timeout(ext))),
3116 NFTA_SET_ELEM_PAD))
3117 goto nla_put_failure;
3118
3119 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3120 unsigned long expires, now = jiffies;
3121
3122 expires = *nft_set_ext_expiration(ext);
3123 if (time_before(now, expires))
3124 expires -= now;
3125 else
3126 expires = 0;
3127
3128 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3129 cpu_to_be64(jiffies_to_msecs(expires)),
3130 NFTA_SET_ELEM_PAD))
3131 goto nla_put_failure;
3132 }
3133
3134 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3135 struct nft_userdata *udata;
3136
3137 udata = nft_set_ext_userdata(ext);
3138 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3139 udata->len + 1, udata->data))
3140 goto nla_put_failure;
3141 }
3142
3143 nla_nest_end(skb, nest);
3144 return 0;
3145
3146nla_put_failure:
3147 nlmsg_trim(skb, b);
3148 return -EMSGSIZE;
3149}
3150
3151struct nft_set_dump_args {
3152 const struct netlink_callback *cb;
3153 struct nft_set_iter iter;
3154 struct sk_buff *skb;
3155};
3156
3157static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3158 struct nft_set *set,
3159 const struct nft_set_iter *iter,
3160 struct nft_set_elem *elem)
3161{
3162 struct nft_set_dump_args *args;
3163
3164 args = container_of(iter, struct nft_set_dump_args, iter);
3165 return nf_tables_fill_setelem(args->skb, set, elem);
3166}
3167
3168static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3169{
3170 struct net *net = sock_net(skb->sk);
3171 struct nft_set *set;
3172 struct nft_set_dump_args args;
3173 struct nft_ctx ctx;
3174 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3175 struct nfgenmsg *nfmsg;
3176 struct nlmsghdr *nlh;
3177 struct nlattr *nest;
3178 u32 portid, seq;
3179 int event, err;
3180
3181 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3182 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3183 if (err < 0)
3184 return err;
3185
3186 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3187 (void *)nla);
3188 if (err < 0)
3189 return err;
3190 if (ctx.table->flags & NFT_TABLE_INACTIVE)
3191 return -ENOENT;
3192
3193 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3194 if (IS_ERR(set))
3195 return PTR_ERR(set);
3196 if (set->flags & NFT_SET_INACTIVE)
3197 return -ENOENT;
3198
3199 event = NFT_MSG_NEWSETELEM;
3200 event |= NFNL_SUBSYS_NFTABLES << 8;
3201 portid = NETLINK_CB(cb->skb).portid;
3202 seq = cb->nlh->nlmsg_seq;
3203
3204 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3205 NLM_F_MULTI);
3206 if (nlh == NULL)
3207 goto nla_put_failure;
3208
3209 nfmsg = nlmsg_data(nlh);
3210 nfmsg->nfgen_family = ctx.afi->family;
3211 nfmsg->version = NFNETLINK_V0;
3212 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3213
3214 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3215 goto nla_put_failure;
3216 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3217 goto nla_put_failure;
3218
3219 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3220 if (nest == NULL)
3221 goto nla_put_failure;
3222
3223 args.cb = cb;
3224 args.skb = skb;
3225 args.iter.skip = cb->args[0];
3226 args.iter.count = 0;
3227 args.iter.err = 0;
3228 args.iter.fn = nf_tables_dump_setelem;
3229 set->ops->walk(&ctx, set, &args.iter);
3230
3231 nla_nest_end(skb, nest);
3232 nlmsg_end(skb, nlh);
3233
3234 if (args.iter.err && args.iter.err != -EMSGSIZE)
3235 return args.iter.err;
3236 if (args.iter.count == cb->args[0])
3237 return 0;
3238
3239 cb->args[0] = args.iter.count;
3240 return skb->len;
3241
3242nla_put_failure:
3243 return -ENOSPC;
3244}
3245
3246static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
3247 const struct nlmsghdr *nlh,
3248 const struct nlattr * const nla[])
3249{
3250 struct net *net = sock_net(skb->sk);
3251 const struct nft_set *set;
3252 struct nft_ctx ctx;
3253 int err;
3254
3255 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3256 if (err < 0)
3257 return err;
3258 if (ctx.table->flags & NFT_TABLE_INACTIVE)
3259 return -ENOENT;
3260
3261 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3262 if (IS_ERR(set))
3263 return PTR_ERR(set);
3264 if (set->flags & NFT_SET_INACTIVE)
3265 return -ENOENT;
3266
3267 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3268 struct netlink_dump_control c = {
3269 .dump = nf_tables_dump_set,
3270 };
3271 return netlink_dump_start(nlsk, skb, nlh, &c);
3272 }
3273 return -EOPNOTSUPP;
3274}
3275
3276static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3277 const struct nft_ctx *ctx, u32 seq,
3278 u32 portid, int event, u16 flags,
3279 const struct nft_set *set,
3280 const struct nft_set_elem *elem)
3281{
3282 struct nfgenmsg *nfmsg;
3283 struct nlmsghdr *nlh;
3284 struct nlattr *nest;
3285 int err;
3286
3287 event |= NFNL_SUBSYS_NFTABLES << 8;
3288 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3289 flags);
3290 if (nlh == NULL)
3291 goto nla_put_failure;
3292
3293 nfmsg = nlmsg_data(nlh);
3294 nfmsg->nfgen_family = ctx->afi->family;
3295 nfmsg->version = NFNETLINK_V0;
3296 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3297
3298 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3299 goto nla_put_failure;
3300 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3301 goto nla_put_failure;
3302
3303 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3304 if (nest == NULL)
3305 goto nla_put_failure;
3306
3307 err = nf_tables_fill_setelem(skb, set, elem);
3308 if (err < 0)
3309 goto nla_put_failure;
3310
3311 nla_nest_end(skb, nest);
3312
3313 nlmsg_end(skb, nlh);
3314 return 0;
3315
3316nla_put_failure:
3317 nlmsg_trim(skb, nlh);
3318 return -1;
3319}
3320
3321static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3322 const struct nft_set *set,
3323 const struct nft_set_elem *elem,
3324 int event, u16 flags)
3325{
3326 struct net *net = ctx->net;
3327 u32 portid = ctx->portid;
3328 struct sk_buff *skb;
3329 int err;
3330
3331 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3332 return 0;
3333
3334 err = -ENOBUFS;
3335 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3336 if (skb == NULL)
3337 goto err;
3338
3339 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3340 set, elem);
3341 if (err < 0) {
3342 kfree_skb(skb);
3343 goto err;
3344 }
3345
3346 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3347 GFP_KERNEL);
3348err:
3349 if (err < 0)
3350 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3351 return err;
3352}
3353
3354static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3355 int msg_type,
3356 struct nft_set *set)
3357{
3358 struct nft_trans *trans;
3359
3360 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3361 if (trans == NULL)
3362 return NULL;
3363
3364 nft_trans_elem_set(trans) = set;
3365 return trans;
3366}
3367
3368void *nft_set_elem_init(const struct nft_set *set,
3369 const struct nft_set_ext_tmpl *tmpl,
3370 const u32 *key, const u32 *data,
3371 u64 timeout, gfp_t gfp)
3372{
3373 struct nft_set_ext *ext;
3374 void *elem;
3375
3376 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3377 if (elem == NULL)
3378 return NULL;
3379
3380 ext = nft_set_elem_ext(set, elem);
3381 nft_set_ext_init(ext, tmpl);
3382
3383 memcpy(nft_set_ext_key(ext), key, set->klen);
3384 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3385 memcpy(nft_set_ext_data(ext), data, set->dlen);
3386 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3387 *nft_set_ext_expiration(ext) =
3388 jiffies + timeout;
3389 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3390 *nft_set_ext_timeout(ext) = timeout;
3391
3392 return elem;
3393}
3394
3395void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3396 bool destroy_expr)
3397{
3398 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3399
3400 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3401 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3402 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3403 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3404 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3405
3406 kfree(elem);
3407}
3408EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3409
3410static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3411 const struct nlattr *attr)
3412{
3413 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3414 struct nft_data_desc d1, d2;
3415 struct nft_set_ext_tmpl tmpl;
3416 struct nft_set_ext *ext;
3417 struct nft_set_elem elem;
3418 struct nft_set_binding *binding;
3419 struct nft_userdata *udata;
3420 struct nft_data data;
3421 enum nft_registers dreg;
3422 struct nft_trans *trans;
3423 u64 timeout;
3424 u32 flags;
3425 u8 ulen;
3426 int err;
3427
3428 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3429 nft_set_elem_policy);
3430 if (err < 0)
3431 return err;
3432
3433 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3434 return -EINVAL;
3435
3436 nft_set_ext_prepare(&tmpl);
3437
3438 flags = 0;
3439 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
3440 flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
3441 if (flags & ~NFT_SET_ELEM_INTERVAL_END)
3442 return -EINVAL;
3443 if (!(set->flags & NFT_SET_INTERVAL) &&
3444 flags & NFT_SET_ELEM_INTERVAL_END)
3445 return -EINVAL;
3446 if (flags != 0)
3447 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3448 }
3449
3450 if (set->flags & NFT_SET_MAP) {
3451 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3452 !(flags & NFT_SET_ELEM_INTERVAL_END))
3453 return -EINVAL;
3454 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3455 flags & NFT_SET_ELEM_INTERVAL_END)
3456 return -EINVAL;
3457 } else {
3458 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3459 return -EINVAL;
3460 }
3461
3462 timeout = 0;
3463 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3464 if (!(set->flags & NFT_SET_TIMEOUT))
3465 return -EINVAL;
3466 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3467 nla[NFTA_SET_ELEM_TIMEOUT])));
3468 } else if (set->flags & NFT_SET_TIMEOUT) {
3469 timeout = set->timeout;
3470 }
3471
3472 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3473 nla[NFTA_SET_ELEM_KEY]);
3474 if (err < 0)
3475 goto err1;
3476 err = -EINVAL;
3477 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3478 goto err2;
3479
3480 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3481 if (timeout > 0) {
3482 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3483 if (timeout != set->timeout)
3484 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3485 }
3486
3487 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3488 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3489 nla[NFTA_SET_ELEM_DATA]);
3490 if (err < 0)
3491 goto err2;
3492
3493 err = -EINVAL;
3494 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3495 goto err3;
3496
3497 dreg = nft_type_to_reg(set->dtype);
3498 list_for_each_entry(binding, &set->bindings, list) {
3499 struct nft_ctx bind_ctx = {
3500 .afi = ctx->afi,
3501 .table = ctx->table,
3502 .chain = (struct nft_chain *)binding->chain,
3503 };
3504
3505 if (!(binding->flags & NFT_SET_MAP))
3506 continue;
3507
3508 err = nft_validate_register_store(&bind_ctx, dreg,
3509 &data,
3510 d2.type, d2.len);
3511 if (err < 0)
3512 goto err3;
3513 }
3514
3515 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3516 }
3517
3518
3519
3520
3521
3522 ulen = 0;
3523 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3524 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3525 if (ulen > 0)
3526 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3527 ulen);
3528 }
3529
3530 err = -ENOMEM;
3531 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3532 timeout, GFP_KERNEL);
3533 if (elem.priv == NULL)
3534 goto err3;
3535
3536 ext = nft_set_elem_ext(set, elem.priv);
3537 if (flags)
3538 *nft_set_ext_flags(ext) = flags;
3539 if (ulen > 0) {
3540 udata = nft_set_ext_userdata(ext);
3541 udata->len = ulen - 1;
3542 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3543 }
3544
3545 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3546 if (trans == NULL)
3547 goto err4;
3548
3549 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3550 err = set->ops->insert(set, &elem);
3551 if (err < 0)
3552 goto err5;
3553
3554 nft_trans_elem(trans) = elem;
3555 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3556 return 0;
3557
3558err5:
3559 kfree(trans);
3560err4:
3561 kfree(elem.priv);
3562err3:
3563 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3564 nft_data_uninit(&data, d2.type);
3565err2:
3566 nft_data_uninit(&elem.key.val, d1.type);
3567err1:
3568 return err;
3569}
3570
3571static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3572 struct sk_buff *skb, const struct nlmsghdr *nlh,
3573 const struct nlattr * const nla[])
3574{
3575 const struct nlattr *attr;
3576 struct nft_set *set;
3577 struct nft_ctx ctx;
3578 int rem, err = 0;
3579
3580 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3581 return -EINVAL;
3582
3583 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3584 if (err < 0)
3585 return err;
3586
3587 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3588 if (IS_ERR(set)) {
3589 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3590 set = nf_tables_set_lookup_byid(net,
3591 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3592 }
3593 if (IS_ERR(set))
3594 return PTR_ERR(set);
3595 }
3596
3597 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3598 return -EBUSY;
3599
3600 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3601 if (set->size &&
3602 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3603 return -ENFILE;
3604
3605 err = nft_add_set_elem(&ctx, set, attr);
3606 if (err < 0) {
3607 atomic_dec(&set->nelems);
3608 break;
3609 }
3610 }
3611 return err;
3612}
3613
3614static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3615 const struct nlattr *attr)
3616{
3617 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3618 struct nft_data_desc desc;
3619 struct nft_set_elem elem;
3620 struct nft_trans *trans;
3621 int err;
3622
3623 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3624 nft_set_elem_policy);
3625 if (err < 0)
3626 goto err1;
3627
3628 err = -EINVAL;
3629 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3630 goto err1;
3631
3632 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3633 nla[NFTA_SET_ELEM_KEY]);
3634 if (err < 0)
3635 goto err1;
3636
3637 err = -EINVAL;
3638 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3639 goto err2;
3640
3641 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3642 if (trans == NULL) {
3643 err = -ENOMEM;
3644 goto err2;
3645 }
3646
3647 elem.priv = set->ops->deactivate(set, &elem);
3648 if (elem.priv == NULL) {
3649 err = -ENOENT;
3650 goto err3;
3651 }
3652
3653 nft_trans_elem(trans) = elem;
3654 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3655 return 0;
3656
3657err3:
3658 kfree(trans);
3659err2:
3660 nft_data_uninit(&elem.key.val, desc.type);
3661err1:
3662 return err;
3663}
3664
3665static int nft_flush_set(const struct nft_ctx *ctx,
3666 struct nft_set *set,
3667 const struct nft_set_iter *iter,
3668 struct nft_set_elem *elem)
3669{
3670 struct nft_trans *trans;
3671 int err;
3672
3673 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
3674 sizeof(struct nft_trans_elem), GFP_ATOMIC);
3675 if (!trans)
3676 return -ENOMEM;
3677
3678 if (!set->ops->deactivate_one(set, elem->priv)) {
3679 err = -ENOENT;
3680 goto err1;
3681 }
3682 set->ndeact++;
3683
3684 nft_trans_elem_set(trans) = set;
3685 nft_trans_elem(trans) = *elem;
3686 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3687
3688 return 0;
3689err1:
3690 kfree(trans);
3691 return err;
3692}
3693
3694static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3695 struct sk_buff *skb, const struct nlmsghdr *nlh,
3696 const struct nlattr * const nla[])
3697{
3698 const struct nlattr *attr;
3699 struct nft_set *set;
3700 struct nft_ctx ctx;
3701 int rem, err = 0;
3702
3703 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3704 if (err < 0)
3705 return err;
3706
3707 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3708 if (IS_ERR(set))
3709 return PTR_ERR(set);
3710 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3711 return -EBUSY;
3712
3713 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
3714 struct nft_set_dump_args args = {
3715 .iter = {
3716 .fn = nft_flush_set,
3717 },
3718 };
3719 set->ops->walk(&ctx, set, &args.iter);
3720
3721 return args.iter.err;
3722 }
3723
3724 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3725 err = nft_del_setelem(&ctx, set, attr);
3726 if (err < 0)
3727 break;
3728
3729 set->ndeact++;
3730 }
3731 return err;
3732}
3733
3734void nft_set_gc_batch_release(struct rcu_head *rcu)
3735{
3736 struct nft_set_gc_batch *gcb;
3737 unsigned int i;
3738
3739 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3740 for (i = 0; i < gcb->head.cnt; i++)
3741 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
3742 kfree(gcb);
3743}
3744EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3745
3746struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3747 gfp_t gfp)
3748{
3749 struct nft_set_gc_batch *gcb;
3750
3751 gcb = kzalloc(sizeof(*gcb), gfp);
3752 if (gcb == NULL)
3753 return gcb;
3754 gcb->head.set = set;
3755 return gcb;
3756}
3757EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3758
3759static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3760 u32 portid, u32 seq)
3761{
3762 struct nlmsghdr *nlh;
3763 struct nfgenmsg *nfmsg;
3764 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3765
3766 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3767 if (nlh == NULL)
3768 goto nla_put_failure;
3769
3770 nfmsg = nlmsg_data(nlh);
3771 nfmsg->nfgen_family = AF_UNSPEC;
3772 nfmsg->version = NFNETLINK_V0;
3773 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3774
3775 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3776 goto nla_put_failure;
3777
3778 nlmsg_end(skb, nlh);
3779 return 0;
3780
3781nla_put_failure:
3782 nlmsg_trim(skb, nlh);
3783 return -EMSGSIZE;
3784}
3785
3786static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3787{
3788 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3789 struct sk_buff *skb2;
3790 int err;
3791
3792 if (nlmsg_report(nlh) &&
3793 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3794 return 0;
3795
3796 err = -ENOBUFS;
3797 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3798 if (skb2 == NULL)
3799 goto err;
3800
3801 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3802 nlh->nlmsg_seq);
3803 if (err < 0) {
3804 kfree_skb(skb2);
3805 goto err;
3806 }
3807
3808 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3809 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3810err:
3811 if (err < 0) {
3812 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3813 err);
3814 }
3815 return err;
3816}
3817
3818static int nf_tables_getgen(struct sock *nlsk, struct sk_buff *skb,
3819 const struct nlmsghdr *nlh,
3820 const struct nlattr * const nla[])
3821{
3822 struct net *net = sock_net(skb->sk);
3823 struct sk_buff *skb2;
3824 int err;
3825
3826 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3827 if (skb2 == NULL)
3828 return -ENOMEM;
3829
3830 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3831 nlh->nlmsg_seq);
3832 if (err < 0)
3833 goto err;
3834
3835 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3836err:
3837 kfree_skb(skb2);
3838 return err;
3839}
3840
3841static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3842 [NFT_MSG_NEWTABLE] = {
3843 .call_batch = nf_tables_newtable,
3844 .attr_count = NFTA_TABLE_MAX,
3845 .policy = nft_table_policy,
3846 },
3847 [NFT_MSG_GETTABLE] = {
3848 .call = nf_tables_gettable,
3849 .attr_count = NFTA_TABLE_MAX,
3850 .policy = nft_table_policy,
3851 },
3852 [NFT_MSG_DELTABLE] = {
3853 .call_batch = nf_tables_deltable,
3854 .attr_count = NFTA_TABLE_MAX,
3855 .policy = nft_table_policy,
3856 },
3857 [NFT_MSG_NEWCHAIN] = {
3858 .call_batch = nf_tables_newchain,
3859 .attr_count = NFTA_CHAIN_MAX,
3860 .policy = nft_chain_policy,
3861 },
3862 [NFT_MSG_GETCHAIN] = {
3863 .call = nf_tables_getchain,
3864 .attr_count = NFTA_CHAIN_MAX,
3865 .policy = nft_chain_policy,
3866 },
3867 [NFT_MSG_DELCHAIN] = {
3868 .call_batch = nf_tables_delchain,
3869 .attr_count = NFTA_CHAIN_MAX,
3870 .policy = nft_chain_policy,
3871 },
3872 [NFT_MSG_NEWRULE] = {
3873 .call_batch = nf_tables_newrule,
3874 .attr_count = NFTA_RULE_MAX,
3875 .policy = nft_rule_policy,
3876 },
3877 [NFT_MSG_GETRULE] = {
3878 .call = nf_tables_getrule,
3879 .attr_count = NFTA_RULE_MAX,
3880 .policy = nft_rule_policy,
3881 },
3882 [NFT_MSG_DELRULE] = {
3883 .call_batch = nf_tables_delrule,
3884 .attr_count = NFTA_RULE_MAX,
3885 .policy = nft_rule_policy,
3886 },
3887 [NFT_MSG_NEWSET] = {
3888 .call_batch = nf_tables_newset,
3889 .attr_count = NFTA_SET_MAX,
3890 .policy = nft_set_policy,
3891 },
3892 [NFT_MSG_GETSET] = {
3893 .call = nf_tables_getset,
3894 .attr_count = NFTA_SET_MAX,
3895 .policy = nft_set_policy,
3896 },
3897 [NFT_MSG_DELSET] = {
3898 .call_batch = nf_tables_delset,
3899 .attr_count = NFTA_SET_MAX,
3900 .policy = nft_set_policy,
3901 },
3902 [NFT_MSG_NEWSETELEM] = {
3903 .call_batch = nf_tables_newsetelem,
3904 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3905 .policy = nft_set_elem_list_policy,
3906 },
3907 [NFT_MSG_GETSETELEM] = {
3908 .call = nf_tables_getsetelem,
3909 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3910 .policy = nft_set_elem_list_policy,
3911 },
3912 [NFT_MSG_DELSETELEM] = {
3913 .call_batch = nf_tables_delsetelem,
3914 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3915 .policy = nft_set_elem_list_policy,
3916 },
3917 [NFT_MSG_GETGEN] = {
3918 .call = nf_tables_getgen,
3919 },
3920};
3921
3922static void nft_chain_commit_update(struct nft_trans *trans)
3923{
3924 struct nft_base_chain *basechain;
3925
3926 if (nft_trans_chain_name(trans)[0])
3927 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3928
3929 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3930 return;
3931
3932 basechain = nft_base_chain(trans->ctx.chain);
3933 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3934
3935 switch (nft_trans_chain_policy(trans)) {
3936 case NF_DROP:
3937 case NF_ACCEPT:
3938 basechain->policy = nft_trans_chain_policy(trans);
3939 break;
3940 }
3941}
3942
3943static void nf_tables_commit_release(struct nft_trans *trans)
3944{
3945 switch (trans->msg_type) {
3946 case NFT_MSG_DELTABLE:
3947 nf_tables_table_destroy(&trans->ctx);
3948 break;
3949 case NFT_MSG_DELCHAIN:
3950 nf_tables_chain_destroy(trans->ctx.chain);
3951 break;
3952 case NFT_MSG_DELRULE:
3953 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3954 break;
3955 case NFT_MSG_DELSET:
3956 nft_set_destroy(nft_trans_set(trans));
3957 break;
3958 case NFT_MSG_DELSETELEM:
3959 nft_set_elem_destroy(nft_trans_elem_set(trans),
3960 nft_trans_elem(trans).priv, true);
3961 break;
3962 }
3963 kfree(trans);
3964}
3965
3966static int nf_tables_commit(struct sk_buff *skb)
3967{
3968 struct net *net = sock_net(skb->sk);
3969 struct nft_trans *trans, *next;
3970 struct nft_trans_elem *te;
3971
3972
3973 while (++net->nft.base_seq == 0);
3974
3975
3976 net->nft.gencursor = nft_gencursor_next(net);
3977
3978
3979
3980
3981 synchronize_rcu();
3982
3983 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3984 switch (trans->msg_type) {
3985 case NFT_MSG_NEWTABLE:
3986 if (nft_trans_table_update(trans)) {
3987 if (!nft_trans_table_enable(trans)) {
3988 nf_tables_table_disable(trans->ctx.afi,
3989 trans->ctx.table);
3990 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3991 }
3992 } else {
3993 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3994 }
3995 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3996 nft_trans_destroy(trans);
3997 break;
3998 case NFT_MSG_DELTABLE:
3999 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
4000 break;
4001 case NFT_MSG_NEWCHAIN:
4002 if (nft_trans_chain_update(trans))
4003 nft_chain_commit_update(trans);
4004 else
4005 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
4006
4007 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
4008 nft_trans_destroy(trans);
4009 break;
4010 case NFT_MSG_DELCHAIN:
4011 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
4012 nf_tables_unregister_hooks(trans->ctx.table,
4013 trans->ctx.chain,
4014 trans->ctx.afi->nops);
4015 break;
4016 case NFT_MSG_NEWRULE:
4017 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
4018 nf_tables_rule_notify(&trans->ctx,
4019 nft_trans_rule(trans),
4020 NFT_MSG_NEWRULE);
4021 nft_trans_destroy(trans);
4022 break;
4023 case NFT_MSG_DELRULE:
4024 list_del_rcu(&nft_trans_rule(trans)->list);
4025 nf_tables_rule_notify(&trans->ctx,
4026 nft_trans_rule(trans),
4027 NFT_MSG_DELRULE);
4028 break;
4029 case NFT_MSG_NEWSET:
4030 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
4031
4032
4033
4034 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
4035 !list_empty(&nft_trans_set(trans)->bindings))
4036 trans->ctx.table->use--;
4037
4038 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4039 NFT_MSG_NEWSET, GFP_KERNEL);
4040 nft_trans_destroy(trans);
4041 break;
4042 case NFT_MSG_DELSET:
4043 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4044 NFT_MSG_DELSET, GFP_KERNEL);
4045 break;
4046 case NFT_MSG_NEWSETELEM:
4047 te = (struct nft_trans_elem *)trans->data;
4048
4049 te->set->ops->activate(te->set, &te->elem);
4050 nf_tables_setelem_notify(&trans->ctx, te->set,
4051 &te->elem,
4052 NFT_MSG_NEWSETELEM, 0);
4053 nft_trans_destroy(trans);
4054 break;
4055 case NFT_MSG_DELSETELEM:
4056 te = (struct nft_trans_elem *)trans->data;
4057
4058 nf_tables_setelem_notify(&trans->ctx, te->set,
4059 &te->elem,
4060 NFT_MSG_DELSETELEM, 0);
4061 te->set->ops->remove(te->set, &te->elem);
4062 atomic_dec(&te->set->nelems);
4063 te->set->ndeact--;
4064 break;
4065 }
4066 }
4067
4068 synchronize_rcu();
4069
4070 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4071 list_del(&trans->list);
4072 nf_tables_commit_release(trans);
4073 }
4074
4075 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
4076
4077 return 0;
4078}
4079
4080static void nf_tables_abort_release(struct nft_trans *trans)
4081{
4082 switch (trans->msg_type) {
4083 case NFT_MSG_NEWTABLE:
4084 nf_tables_table_destroy(&trans->ctx);
4085 break;
4086 case NFT_MSG_NEWCHAIN:
4087 nf_tables_chain_destroy(trans->ctx.chain);
4088 break;
4089 case NFT_MSG_NEWRULE:
4090 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4091 break;
4092 case NFT_MSG_NEWSET:
4093 nft_set_destroy(nft_trans_set(trans));
4094 break;
4095 case NFT_MSG_NEWSETELEM:
4096 nft_set_elem_destroy(nft_trans_elem_set(trans),
4097 nft_trans_elem(trans).priv, true);
4098 break;
4099 }
4100 kfree(trans);
4101}
4102
4103static int __nf_tables_abort(struct net *net)
4104{
4105 struct nft_trans *trans, *next;
4106 struct nft_trans_elem *te;
4107
4108 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4109 list) {
4110 switch (trans->msg_type) {
4111 case NFT_MSG_NEWTABLE:
4112 if (nft_trans_table_update(trans)) {
4113 if (nft_trans_table_enable(trans)) {
4114 nf_tables_table_disable(trans->ctx.afi,
4115 trans->ctx.table);
4116 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4117 }
4118 nft_trans_destroy(trans);
4119 } else {
4120 list_del_rcu(&trans->ctx.table->list);
4121 }
4122 break;
4123 case NFT_MSG_DELTABLE:
4124 list_add_tail_rcu(&trans->ctx.table->list,
4125 &trans->ctx.afi->tables);
4126 nft_trans_destroy(trans);
4127 break;
4128 case NFT_MSG_NEWCHAIN:
4129 if (nft_trans_chain_update(trans)) {
4130 free_percpu(nft_trans_chain_stats(trans));
4131
4132 nft_trans_destroy(trans);
4133 } else {
4134 trans->ctx.table->use--;
4135 list_del_rcu(&trans->ctx.chain->list);
4136 nf_tables_unregister_hooks(trans->ctx.table,
4137 trans->ctx.chain,
4138 trans->ctx.afi->nops);
4139 }
4140 break;
4141 case NFT_MSG_DELCHAIN:
4142 trans->ctx.table->use++;
4143 list_add_tail_rcu(&trans->ctx.chain->list,
4144 &trans->ctx.table->chains);
4145 nft_trans_destroy(trans);
4146 break;
4147 case NFT_MSG_NEWRULE:
4148 trans->ctx.chain->use--;
4149 list_del_rcu(&nft_trans_rule(trans)->list);
4150 break;
4151 case NFT_MSG_DELRULE:
4152 trans->ctx.chain->use++;
4153 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
4154 nft_trans_destroy(trans);
4155 break;
4156 case NFT_MSG_NEWSET:
4157 trans->ctx.table->use--;
4158 list_del_rcu(&nft_trans_set(trans)->list);
4159 break;
4160 case NFT_MSG_DELSET:
4161 trans->ctx.table->use++;
4162 list_add_tail_rcu(&nft_trans_set(trans)->list,
4163 &trans->ctx.table->sets);
4164 nft_trans_destroy(trans);
4165 break;
4166 case NFT_MSG_NEWSETELEM:
4167 te = (struct nft_trans_elem *)trans->data;
4168
4169 te->set->ops->remove(te->set, &te->elem);
4170 atomic_dec(&te->set->nelems);
4171 break;
4172 case NFT_MSG_DELSETELEM:
4173 te = (struct nft_trans_elem *)trans->data;
4174
4175 te->set->ops->activate(te->set, &te->elem);
4176 te->set->ndeact--;
4177
4178 nft_trans_destroy(trans);
4179 break;
4180 }
4181 }
4182
4183 synchronize_rcu();
4184
4185 list_for_each_entry_safe_reverse(trans, next,
4186 &net->nft.commit_list, list) {
4187 list_del(&trans->list);
4188 nf_tables_abort_release(trans);
4189 }
4190
4191 return 0;
4192}
4193
4194static int nf_tables_abort(struct sk_buff *skb)
4195{
4196 struct net *net = sock_net(skb->sk);
4197
4198 return __nf_tables_abort(net);
4199}
4200
4201static const struct nfnetlink_subsystem nf_tables_subsys = {
4202 .name = "nf_tables",
4203 .subsys_id = NFNL_SUBSYS_NFTABLES,
4204 .cb_count = NFT_MSG_MAX,
4205 .cb = nf_tables_cb,
4206 .commit = nf_tables_commit,
4207 .abort = nf_tables_abort,
4208 .owner = THIS_MODULE,
4209};
4210
4211int nft_chain_validate_dependency(const struct nft_chain *chain,
4212 enum nft_chain_type type)
4213{
4214 const struct nft_base_chain *basechain;
4215
4216 if (chain->flags & NFT_BASE_CHAIN) {
4217 basechain = nft_base_chain(chain);
4218 if (basechain->type->type != type)
4219 return -EOPNOTSUPP;
4220 }
4221 return 0;
4222}
4223EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4224
4225int nft_chain_validate_hooks(const struct nft_chain *chain,
4226 unsigned int hook_flags)
4227{
4228 struct nft_base_chain *basechain;
4229
4230 if (chain->flags & NFT_BASE_CHAIN) {
4231 basechain = nft_base_chain(chain);
4232
4233 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4234 return 0;
4235
4236 return -EOPNOTSUPP;
4237 }
4238
4239 return 0;
4240}
4241EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252static int nf_tables_check_loops(const struct nft_ctx *ctx,
4253 const struct nft_chain *chain);
4254
4255static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4256 struct nft_set *set,
4257 const struct nft_set_iter *iter,
4258 struct nft_set_elem *elem)
4259{
4260 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4261 const struct nft_data *data;
4262
4263 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4264 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4265 return 0;
4266
4267 data = nft_set_ext_data(ext);
4268 switch (data->verdict.code) {
4269 case NFT_JUMP:
4270 case NFT_GOTO:
4271 return nf_tables_check_loops(ctx, data->verdict.chain);
4272 default:
4273 return 0;
4274 }
4275}
4276
4277static int nf_tables_check_loops(const struct nft_ctx *ctx,
4278 const struct nft_chain *chain)
4279{
4280 const struct nft_rule *rule;
4281 const struct nft_expr *expr, *last;
4282 struct nft_set *set;
4283 struct nft_set_binding *binding;
4284 struct nft_set_iter iter;
4285
4286 if (ctx->chain == chain)
4287 return -ELOOP;
4288
4289 list_for_each_entry(rule, &chain->rules, list) {
4290 nft_rule_for_each_expr(expr, last, rule) {
4291 const struct nft_data *data = NULL;
4292 int err;
4293
4294 if (!expr->ops->validate)
4295 continue;
4296
4297 err = expr->ops->validate(ctx, expr, &data);
4298 if (err < 0)
4299 return err;
4300
4301 if (data == NULL)
4302 continue;
4303
4304 switch (data->verdict.code) {
4305 case NFT_JUMP:
4306 case NFT_GOTO:
4307 err = nf_tables_check_loops(ctx,
4308 data->verdict.chain);
4309 if (err < 0)
4310 return err;
4311 default:
4312 break;
4313 }
4314 }
4315 }
4316
4317 list_for_each_entry(set, &ctx->table->sets, list) {
4318 if (!(set->flags & NFT_SET_MAP) ||
4319 set->dtype != NFT_DATA_VERDICT)
4320 continue;
4321
4322 list_for_each_entry(binding, &set->bindings, list) {
4323 if (!(binding->flags & NFT_SET_MAP) ||
4324 binding->chain != chain)
4325 continue;
4326
4327 iter.skip = 0;
4328 iter.count = 0;
4329 iter.err = 0;
4330 iter.fn = nf_tables_loop_check_setelem;
4331
4332 set->ops->walk(ctx, set, &iter);
4333 if (iter.err < 0)
4334 return iter.err;
4335 }
4336 }
4337
4338 return 0;
4339}
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
4354{
4355 u32 val;
4356
4357 val = ntohl(nla_get_be32(attr));
4358 if (val > max)
4359 return -ERANGE;
4360
4361 *dest = val;
4362 return 0;
4363}
4364EXPORT_SYMBOL_GPL(nft_parse_u32_check);
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375unsigned int nft_parse_register(const struct nlattr *attr)
4376{
4377 unsigned int reg;
4378
4379 reg = ntohl(nla_get_be32(attr));
4380 switch (reg) {
4381 case NFT_REG_VERDICT...NFT_REG_4:
4382 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4383 default:
4384 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4385 }
4386}
4387EXPORT_SYMBOL_GPL(nft_parse_register);
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4401{
4402 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4403 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4404 else
4405 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4406
4407 return nla_put_be32(skb, attr, htonl(reg));
4408}
4409EXPORT_SYMBOL_GPL(nft_dump_register);
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4421{
4422 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4423 return -EINVAL;
4424 if (len == 0)
4425 return -EINVAL;
4426 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4427 return -ERANGE;
4428
4429 return 0;
4430}
4431EXPORT_SYMBOL_GPL(nft_validate_register_load);
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447int nft_validate_register_store(const struct nft_ctx *ctx,
4448 enum nft_registers reg,
4449 const struct nft_data *data,
4450 enum nft_data_types type, unsigned int len)
4451{
4452 int err;
4453
4454 switch (reg) {
4455 case NFT_REG_VERDICT:
4456 if (type != NFT_DATA_VERDICT)
4457 return -EINVAL;
4458
4459 if (data != NULL &&
4460 (data->verdict.code == NFT_GOTO ||
4461 data->verdict.code == NFT_JUMP)) {
4462 err = nf_tables_check_loops(ctx, data->verdict.chain);
4463 if (err < 0)
4464 return err;
4465
4466 if (ctx->chain->level + 1 >
4467 data->verdict.chain->level) {
4468 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4469 return -EMLINK;
4470 data->verdict.chain->level = ctx->chain->level + 1;
4471 }
4472 }
4473
4474 return 0;
4475 default:
4476 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4477 return -EINVAL;
4478 if (len == 0)
4479 return -EINVAL;
4480 if (reg * NFT_REG32_SIZE + len >
4481 FIELD_SIZEOF(struct nft_regs, data))
4482 return -ERANGE;
4483
4484 if (data != NULL && type != NFT_DATA_VALUE)
4485 return -EINVAL;
4486 return 0;
4487 }
4488}
4489EXPORT_SYMBOL_GPL(nft_validate_register_store);
4490
4491static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4492 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4493 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4494 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4495};
4496
4497static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4498 struct nft_data_desc *desc, const struct nlattr *nla)
4499{
4500 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4501 struct nft_chain *chain;
4502 int err;
4503
4504 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4505 if (err < 0)
4506 return err;
4507
4508 if (!tb[NFTA_VERDICT_CODE])
4509 return -EINVAL;
4510 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4511
4512 switch (data->verdict.code) {
4513 default:
4514 switch (data->verdict.code & NF_VERDICT_MASK) {
4515 case NF_ACCEPT:
4516 case NF_DROP:
4517 case NF_QUEUE:
4518 break;
4519 default:
4520 return -EINVAL;
4521 }
4522
4523 case NFT_CONTINUE:
4524 case NFT_BREAK:
4525 case NFT_RETURN:
4526 break;
4527 case NFT_JUMP:
4528 case NFT_GOTO:
4529 if (!tb[NFTA_VERDICT_CHAIN])
4530 return -EINVAL;
4531 chain = nf_tables_chain_lookup(ctx->table,
4532 tb[NFTA_VERDICT_CHAIN]);
4533 if (IS_ERR(chain))
4534 return PTR_ERR(chain);
4535 if (chain->flags & NFT_BASE_CHAIN)
4536 return -EOPNOTSUPP;
4537
4538 chain->use++;
4539 data->verdict.chain = chain;
4540 break;
4541 }
4542
4543 desc->len = sizeof(data->verdict);
4544 desc->type = NFT_DATA_VERDICT;
4545 return 0;
4546}
4547
4548static void nft_verdict_uninit(const struct nft_data *data)
4549{
4550 switch (data->verdict.code) {
4551 case NFT_JUMP:
4552 case NFT_GOTO:
4553 data->verdict.chain->use--;
4554 break;
4555 }
4556}
4557
4558int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4559{
4560 struct nlattr *nest;
4561
4562 nest = nla_nest_start(skb, type);
4563 if (!nest)
4564 goto nla_put_failure;
4565
4566 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4567 goto nla_put_failure;
4568
4569 switch (v->code) {
4570 case NFT_JUMP:
4571 case NFT_GOTO:
4572 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4573 v->chain->name))
4574 goto nla_put_failure;
4575 }
4576 nla_nest_end(skb, nest);
4577 return 0;
4578
4579nla_put_failure:
4580 return -1;
4581}
4582
4583static int nft_value_init(const struct nft_ctx *ctx,
4584 struct nft_data *data, unsigned int size,
4585 struct nft_data_desc *desc, const struct nlattr *nla)
4586{
4587 unsigned int len;
4588
4589 len = nla_len(nla);
4590 if (len == 0)
4591 return -EINVAL;
4592 if (len > size)
4593 return -EOVERFLOW;
4594
4595 nla_memcpy(data->data, nla, len);
4596 desc->type = NFT_DATA_VALUE;
4597 desc->len = len;
4598 return 0;
4599}
4600
4601static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4602 unsigned int len)
4603{
4604 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4605}
4606
4607static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4608 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4609 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4610};
4611
4612
4613
4614
4615
4616
4617
4618
4619
4620
4621
4622
4623
4624
4625
4626
4627int nft_data_init(const struct nft_ctx *ctx,
4628 struct nft_data *data, unsigned int size,
4629 struct nft_data_desc *desc, const struct nlattr *nla)
4630{
4631 struct nlattr *tb[NFTA_DATA_MAX + 1];
4632 int err;
4633
4634 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4635 if (err < 0)
4636 return err;
4637
4638 if (tb[NFTA_DATA_VALUE])
4639 return nft_value_init(ctx, data, size, desc,
4640 tb[NFTA_DATA_VALUE]);
4641 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4642 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4643 return -EINVAL;
4644}
4645EXPORT_SYMBOL_GPL(nft_data_init);
4646
4647
4648
4649
4650
4651
4652
4653
4654
4655
4656void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4657{
4658 if (type < NFT_DATA_VERDICT)
4659 return;
4660 switch (type) {
4661 case NFT_DATA_VERDICT:
4662 return nft_verdict_uninit(data);
4663 default:
4664 WARN_ON(1);
4665 }
4666}
4667EXPORT_SYMBOL_GPL(nft_data_uninit);
4668
4669int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4670 enum nft_data_types type, unsigned int len)
4671{
4672 struct nlattr *nest;
4673 int err;
4674
4675 nest = nla_nest_start(skb, attr);
4676 if (nest == NULL)
4677 return -1;
4678
4679 switch (type) {
4680 case NFT_DATA_VALUE:
4681 err = nft_value_dump(skb, data, len);
4682 break;
4683 case NFT_DATA_VERDICT:
4684 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4685 break;
4686 default:
4687 err = -EINVAL;
4688 WARN_ON(1);
4689 }
4690
4691 nla_nest_end(skb, nest);
4692 return err;
4693}
4694EXPORT_SYMBOL_GPL(nft_data_dump);
4695
4696
4697static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4698{
4699 struct nft_table *table, *nt;
4700 struct nft_chain *chain, *nc;
4701 struct nft_rule *rule, *nr;
4702 struct nft_set *set, *ns;
4703 struct nft_ctx ctx = {
4704 .net = net,
4705 .afi = afi,
4706 };
4707
4708 list_for_each_entry_safe(table, nt, &afi->tables, list) {
4709 list_for_each_entry(chain, &table->chains, list)
4710 nf_tables_unregister_hooks(table, chain, afi->nops);
4711
4712 ctx.table = table;
4713 list_for_each_entry(chain, &table->chains, list) {
4714 ctx.chain = chain;
4715 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4716 list_del(&rule->list);
4717 chain->use--;
4718 nf_tables_rule_destroy(&ctx, rule);
4719 }
4720 }
4721 list_for_each_entry_safe(set, ns, &table->sets, list) {
4722 list_del(&set->list);
4723 table->use--;
4724 nft_set_destroy(set);
4725 }
4726 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4727 list_del(&chain->list);
4728 table->use--;
4729 nf_tables_chain_destroy(chain);
4730 }
4731 list_del(&table->list);
4732 nf_tables_table_destroy(&ctx);
4733 }
4734}
4735
4736static int __net_init nf_tables_init_net(struct net *net)
4737{
4738 INIT_LIST_HEAD(&net->nft.af_info);
4739 INIT_LIST_HEAD(&net->nft.commit_list);
4740 net->nft.base_seq = 1;
4741 return 0;
4742}
4743
4744static void __net_exit nf_tables_exit_net(struct net *net)
4745{
4746 if (!list_empty(&net->nft.commit_list))
4747 __nf_tables_abort(net);
4748}
4749
4750static struct pernet_operations nf_tables_net_ops = {
4751 .init = nf_tables_init_net,
4752 .exit = nf_tables_exit_net,
4753};
4754
4755static int __init nf_tables_module_init(void)
4756{
4757 int err;
4758
4759 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4760 GFP_KERNEL);
4761 if (info == NULL) {
4762 err = -ENOMEM;
4763 goto err1;
4764 }
4765
4766 err = nf_tables_core_module_init();
4767 if (err < 0)
4768 goto err2;
4769
4770 err = register_pernet_subsys(&nf_tables_net_ops);
4771 if (err < 0)
4772 goto err3;
4773
4774
4775 err = nfnetlink_subsys_register(&nf_tables_subsys);
4776 if (err < 0)
4777 goto err4;
4778
4779 return err;
4780err4:
4781 unregister_pernet_subsys(&nf_tables_net_ops);
4782err3:
4783 nf_tables_core_module_exit();
4784err2:
4785 kfree(info);
4786err1:
4787 return err;
4788}
4789
4790static void __exit nf_tables_module_exit(void)
4791{
4792 nfnetlink_subsys_unregister(&nf_tables_subsys);
4793 unregister_pernet_subsys(&nf_tables_net_ops);
4794 rcu_barrier();
4795 nf_tables_core_module_exit();
4796 kfree(info);
4797}
4798
4799module_init(nf_tables_module_init);
4800module_exit(nf_tables_module_exit);
4801
4802MODULE_LICENSE("GPL");
4803MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4804MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
4805
