1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/vmalloc.h>
17#include <linux/rhashtable.h>
18#include <linux/audit.h>
19#include <linux/netfilter.h>
20#include <linux/netfilter/nfnetlink.h>
21#include <linux/netfilter/nf_tables.h>
22#include <net/netfilter/nf_flow_table.h>
23#include <net/netfilter/nf_tables_core.h>
24#include <net/netfilter/nf_tables.h>
25#include <net/netfilter/nf_tables_offload.h>
26#include <net/net_namespace.h>
27#include <net/sock.h>
28
29#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
30
31static LIST_HEAD(nf_tables_expressions);
32static LIST_HEAD(nf_tables_objects);
33static LIST_HEAD(nf_tables_flowtables);
34static LIST_HEAD(nf_tables_destroy_list);
35static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
36static u64 table_handle;
37
38enum {
39 NFT_VALIDATE_SKIP = 0,
40 NFT_VALIDATE_NEED,
41 NFT_VALIDATE_DO,
42};
43
44static struct rhltable nft_objname_ht;
45
46static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
47static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
48static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
49
50static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
51static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
52static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
53
54static const struct rhashtable_params nft_chain_ht_params = {
55 .head_offset = offsetof(struct nft_chain, rhlhead),
56 .key_offset = offsetof(struct nft_chain, name),
57 .hashfn = nft_chain_hash,
58 .obj_hashfn = nft_chain_hash_obj,
59 .obj_cmpfn = nft_chain_hash_cmp,
60 .locks_mul = 1,
61 .automatic_shrinking = true,
62};
63
64static const struct rhashtable_params nft_objname_ht_params = {
65 .head_offset = offsetof(struct nft_object, rhlhead),
66 .key_offset = offsetof(struct nft_object, key),
67 .hashfn = nft_objname_hash,
68 .obj_hashfn = nft_objname_hash_obj,
69 .obj_cmpfn = nft_objname_hash_cmp,
70 .automatic_shrinking = true,
71};
72
73static void nft_validate_state_update(struct net *net, u8 new_validate_state)
74{
75 switch (net->nft.validate_state) {
76 case NFT_VALIDATE_SKIP:
77 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
78 break;
79 case NFT_VALIDATE_NEED:
80 break;
81 case NFT_VALIDATE_DO:
82 if (new_validate_state == NFT_VALIDATE_NEED)
83 return;
84 }
85
86 net->nft.validate_state = new_validate_state;
87}
88static void nf_tables_trans_destroy_work(struct work_struct *w);
89static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
90
91static void nft_ctx_init(struct nft_ctx *ctx,
92 struct net *net,
93 const struct sk_buff *skb,
94 const struct nlmsghdr *nlh,
95 u8 family,
96 struct nft_table *table,
97 struct nft_chain *chain,
98 const struct nlattr * const *nla)
99{
100 ctx->net = net;
101 ctx->family = family;
102 ctx->level = 0;
103 ctx->table = table;
104 ctx->chain = chain;
105 ctx->nla = nla;
106 ctx->portid = NETLINK_CB(skb).portid;
107 ctx->report = nlmsg_report(nlh);
108 ctx->flags = nlh->nlmsg_flags;
109 ctx->seq = nlh->nlmsg_seq;
110}
111
112static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
113 int msg_type, u32 size, gfp_t gfp)
114{
115 struct nft_trans *trans;
116
117 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
118 if (trans == NULL)
119 return NULL;
120
121 trans->msg_type = msg_type;
122 trans->ctx = *ctx;
123
124 return trans;
125}
126
127static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
128 int msg_type, u32 size)
129{
130 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
131}
132
133static void nft_trans_destroy(struct nft_trans *trans)
134{
135 list_del(&trans->list);
136 kfree(trans);
137}
138
139static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
140{
141 struct net *net = ctx->net;
142 struct nft_trans *trans;
143
144 if (!nft_set_is_anonymous(set))
145 return;
146
147 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
148 switch (trans->msg_type) {
149 case NFT_MSG_NEWSET:
150 if (nft_trans_set(trans) == set)
151 nft_trans_set_bound(trans) = true;
152 break;
153 case NFT_MSG_NEWSETELEM:
154 if (nft_trans_elem_set(trans) == set)
155 nft_trans_elem_set_bound(trans) = true;
156 break;
157 }
158 }
159}
160
161static int nft_netdev_register_hooks(struct net *net,
162 struct list_head *hook_list)
163{
164 struct nft_hook *hook;
165 int err, j;
166
167 j = 0;
168 list_for_each_entry(hook, hook_list, list) {
169 err = nf_register_net_hook(net, &hook->ops);
170 if (err < 0)
171 goto err_register;
172
173 j++;
174 }
175 return 0;
176
177err_register:
178 list_for_each_entry(hook, hook_list, list) {
179 if (j-- <= 0)
180 break;
181
182 nf_unregister_net_hook(net, &hook->ops);
183 }
184 return err;
185}
186
187static void nft_netdev_unregister_hooks(struct net *net,
188 struct list_head *hook_list)
189{
190 struct nft_hook *hook;
191
192 list_for_each_entry(hook, hook_list, list)
193 nf_unregister_net_hook(net, &hook->ops);
194}
195
196static int nf_tables_register_hook(struct net *net,
197 const struct nft_table *table,
198 struct nft_chain *chain)
199{
200 struct nft_base_chain *basechain;
201 const struct nf_hook_ops *ops;
202
203 if (table->flags & NFT_TABLE_F_DORMANT ||
204 !nft_is_base_chain(chain))
205 return 0;
206
207 basechain = nft_base_chain(chain);
208 ops = &basechain->ops;
209
210 if (basechain->type->ops_register)
211 return basechain->type->ops_register(net, ops);
212
213 if (table->family == NFPROTO_NETDEV)
214 return nft_netdev_register_hooks(net, &basechain->hook_list);
215
216 return nf_register_net_hook(net, &basechain->ops);
217}
218
219static void nf_tables_unregister_hook(struct net *net,
220 const struct nft_table *table,
221 struct nft_chain *chain)
222{
223 struct nft_base_chain *basechain;
224 const struct nf_hook_ops *ops;
225
226 if (table->flags & NFT_TABLE_F_DORMANT ||
227 !nft_is_base_chain(chain))
228 return;
229 basechain = nft_base_chain(chain);
230 ops = &basechain->ops;
231
232 if (basechain->type->ops_unregister)
233 return basechain->type->ops_unregister(net, ops);
234
235 if (table->family == NFPROTO_NETDEV)
236 nft_netdev_unregister_hooks(net, &basechain->hook_list);
237 else
238 nf_unregister_net_hook(net, &basechain->ops);
239}
240
241static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
242{
243 struct nft_trans *trans;
244
245 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
246 if (trans == NULL)
247 return -ENOMEM;
248
249 if (msg_type == NFT_MSG_NEWTABLE)
250 nft_activate_next(ctx->net, ctx->table);
251
252 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
253 return 0;
254}
255
256static int nft_deltable(struct nft_ctx *ctx)
257{
258 int err;
259
260 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
261 if (err < 0)
262 return err;
263
264 nft_deactivate_next(ctx->net, ctx->table);
265 return err;
266}
267
268static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
269{
270 struct nft_trans *trans;
271
272 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
273 if (trans == NULL)
274 return ERR_PTR(-ENOMEM);
275
276 if (msg_type == NFT_MSG_NEWCHAIN)
277 nft_activate_next(ctx->net, ctx->chain);
278
279 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
280 return trans;
281}
282
283static int nft_delchain(struct nft_ctx *ctx)
284{
285 struct nft_trans *trans;
286
287 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
288 if (IS_ERR(trans))
289 return PTR_ERR(trans);
290
291 ctx->table->use--;
292 nft_deactivate_next(ctx->net, ctx->chain);
293
294 return 0;
295}
296
297static void nft_rule_expr_activate(const struct nft_ctx *ctx,
298 struct nft_rule *rule)
299{
300 struct nft_expr *expr;
301
302 expr = nft_expr_first(rule);
303 while (expr != nft_expr_last(rule) && expr->ops) {
304 if (expr->ops->activate)
305 expr->ops->activate(ctx, expr);
306
307 expr = nft_expr_next(expr);
308 }
309}
310
311static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
312 struct nft_rule *rule,
313 enum nft_trans_phase phase)
314{
315 struct nft_expr *expr;
316
317 expr = nft_expr_first(rule);
318 while (expr != nft_expr_last(rule) && expr->ops) {
319 if (expr->ops->deactivate)
320 expr->ops->deactivate(ctx, expr, phase);
321
322 expr = nft_expr_next(expr);
323 }
324}
325
326static int
327nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
328{
329
330 if (nft_is_active_next(ctx->net, rule)) {
331 nft_deactivate_next(ctx->net, rule);
332 ctx->chain->use--;
333 return 0;
334 }
335 return -ENOENT;
336}
337
338static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
339 struct nft_rule *rule)
340{
341 struct nft_trans *trans;
342
343 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
344 if (trans == NULL)
345 return NULL;
346
347 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
348 nft_trans_rule_id(trans) =
349 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
350 }
351 nft_trans_rule(trans) = rule;
352 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
353
354 return trans;
355}
356
357static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
358{
359 struct nft_flow_rule *flow;
360 struct nft_trans *trans;
361 int err;
362
363 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
364 if (trans == NULL)
365 return -ENOMEM;
366
367 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
368 flow = nft_flow_rule_create(ctx->net, rule);
369 if (IS_ERR(flow)) {
370 nft_trans_destroy(trans);
371 return PTR_ERR(flow);
372 }
373
374 nft_trans_flow_rule(trans) = flow;
375 }
376
377 err = nf_tables_delrule_deactivate(ctx, rule);
378 if (err < 0) {
379 nft_trans_destroy(trans);
380 return err;
381 }
382 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
383
384 return 0;
385}
386
387static int nft_delrule_by_chain(struct nft_ctx *ctx)
388{
389 struct nft_rule *rule;
390 int err;
391
392 list_for_each_entry(rule, &ctx->chain->rules, list) {
393 if (!nft_is_active_next(ctx->net, rule))
394 continue;
395
396 err = nft_delrule(ctx, rule);
397 if (err < 0)
398 return err;
399 }
400 return 0;
401}
402
403static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
404 struct nft_set *set)
405{
406 struct nft_trans *trans;
407
408 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
409 if (trans == NULL)
410 return -ENOMEM;
411
412 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
413 nft_trans_set_id(trans) =
414 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
415 nft_activate_next(ctx->net, set);
416 }
417 nft_trans_set(trans) = set;
418 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
419
420 return 0;
421}
422
423static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
424{
425 int err;
426
427 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
428 if (err < 0)
429 return err;
430
431 nft_deactivate_next(ctx->net, set);
432 ctx->table->use--;
433
434 return err;
435}
436
437static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
438 struct nft_object *obj)
439{
440 struct nft_trans *trans;
441
442 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
443 if (trans == NULL)
444 return -ENOMEM;
445
446 if (msg_type == NFT_MSG_NEWOBJ)
447 nft_activate_next(ctx->net, obj);
448
449 nft_trans_obj(trans) = obj;
450 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
451
452 return 0;
453}
454
455static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
456{
457 int err;
458
459 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
460 if (err < 0)
461 return err;
462
463 nft_deactivate_next(ctx->net, obj);
464 ctx->table->use--;
465
466 return err;
467}
468
469static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
470 struct nft_flowtable *flowtable)
471{
472 struct nft_trans *trans;
473
474 trans = nft_trans_alloc(ctx, msg_type,
475 sizeof(struct nft_trans_flowtable));
476 if (trans == NULL)
477 return -ENOMEM;
478
479 if (msg_type == NFT_MSG_NEWFLOWTABLE)
480 nft_activate_next(ctx->net, flowtable);
481
482 nft_trans_flowtable(trans) = flowtable;
483 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
484
485 return 0;
486}
487
488static int nft_delflowtable(struct nft_ctx *ctx,
489 struct nft_flowtable *flowtable)
490{
491 int err;
492
493 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
494 if (err < 0)
495 return err;
496
497 nft_deactivate_next(ctx->net, flowtable);
498 ctx->table->use--;
499
500 return err;
501}
502
503
504
505
506
507static struct nft_table *nft_table_lookup(const struct net *net,
508 const struct nlattr *nla,
509 u8 family, u8 genmask)
510{
511 struct nft_table *table;
512
513 if (nla == NULL)
514 return ERR_PTR(-EINVAL);
515
516 list_for_each_entry_rcu(table, &net->nft.tables, list) {
517 if (!nla_strcmp(nla, table->name) &&
518 table->family == family &&
519 nft_active_genmask(table, genmask))
520 return table;
521 }
522
523 return ERR_PTR(-ENOENT);
524}
525
526static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
527 const struct nlattr *nla,
528 u8 genmask)
529{
530 struct nft_table *table;
531
532 list_for_each_entry(table, &net->nft.tables, list) {
533 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
534 nft_active_genmask(table, genmask))
535 return table;
536 }
537
538 return ERR_PTR(-ENOENT);
539}
540
541static inline u64 nf_tables_alloc_handle(struct nft_table *table)
542{
543 return ++table->hgenerator;
544}
545
546static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
547
548static const struct nft_chain_type *
549__nft_chain_type_get(u8 family, enum nft_chain_types type)
550{
551 if (family >= NFPROTO_NUMPROTO ||
552 type >= NFT_CHAIN_T_MAX)
553 return NULL;
554
555 return chain_type[family][type];
556}
557
558static const struct nft_chain_type *
559__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
560{
561 const struct nft_chain_type *type;
562 int i;
563
564 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
565 type = __nft_chain_type_get(family, i);
566 if (!type)
567 continue;
568 if (!nla_strcmp(nla, type->name))
569 return type;
570 }
571 return NULL;
572}
573
574struct nft_module_request {
575 struct list_head list;
576 char module[MODULE_NAME_LEN];
577 bool done;
578};
579
580#ifdef CONFIG_MODULES
581static int nft_request_module(struct net *net, const char *fmt, ...)
582{
583 char module_name[MODULE_NAME_LEN];
584 struct nft_module_request *req;
585 va_list args;
586 int ret;
587
588 va_start(args, fmt);
589 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
590 va_end(args);
591 if (ret >= MODULE_NAME_LEN)
592 return 0;
593
594 list_for_each_entry(req, &net->nft_module_list, list) {
595 if (!strcmp(req->module, module_name)) {
596 if (req->done)
597 return 0;
598
599
600 return -EAGAIN;
601 }
602 }
603
604 req = kmalloc(sizeof(*req), GFP_KERNEL);
605 if (!req)
606 return -ENOMEM;
607
608 req->done = false;
609 strlcpy(req->module, module_name, MODULE_NAME_LEN);
610 list_add_tail(&req->list, &net->nft_module_list);
611
612 return -EAGAIN;
613}
614#endif
615
616static void lockdep_nfnl_nft_mutex_not_held(void)
617{
618#ifdef CONFIG_PROVE_LOCKING
619 if (debug_locks)
620 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
621#endif
622}
623
624static const struct nft_chain_type *
625nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
626 u8 family, bool autoload)
627{
628 const struct nft_chain_type *type;
629
630 type = __nf_tables_chain_type_lookup(nla, family);
631 if (type != NULL)
632 return type;
633
634 lockdep_nfnl_nft_mutex_not_held();
635#ifdef CONFIG_MODULES
636 if (autoload) {
637 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
638 nla_len(nla),
639 (const char *)nla_data(nla)) == -EAGAIN)
640 return ERR_PTR(-EAGAIN);
641 }
642#endif
643 return ERR_PTR(-ENOENT);
644}
645
646static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
647 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
648 .len = NFT_TABLE_MAXNAMELEN - 1 },
649 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
650 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
651};
652
653static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
654 u32 portid, u32 seq, int event, u32 flags,
655 int family, const struct nft_table *table)
656{
657 struct nlmsghdr *nlh;
658 struct nfgenmsg *nfmsg;
659
660 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
661 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
662 if (nlh == NULL)
663 goto nla_put_failure;
664
665 nfmsg = nlmsg_data(nlh);
666 nfmsg->nfgen_family = family;
667 nfmsg->version = NFNETLINK_V0;
668 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
669
670 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
671 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
672 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
673 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
674 NFTA_TABLE_PAD))
675 goto nla_put_failure;
676
677 nlmsg_end(skb, nlh);
678 return 0;
679
680nla_put_failure:
681 nlmsg_trim(skb, nlh);
682 return -1;
683}
684
685struct nftnl_skb_parms {
686 bool report;
687};
688#define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
689
690static void nft_notify_enqueue(struct sk_buff *skb, bool report,
691 struct list_head *notify_list)
692{
693 NFT_CB(skb).report = report;
694 list_add_tail(&skb->list, notify_list);
695}
696
697static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
698{
699 struct sk_buff *skb;
700 int err;
701 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
702 ctx->table->name, ctx->table->handle);
703
704 audit_log_nfcfg(buf,
705 ctx->family,
706 ctx->table->use,
707 event == NFT_MSG_NEWTABLE ?
708 AUDIT_NFT_OP_TABLE_REGISTER :
709 AUDIT_NFT_OP_TABLE_UNREGISTER,
710 GFP_KERNEL);
711 kfree(buf);
712
713 if (!ctx->report &&
714 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
715 return;
716
717 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
718 if (skb == NULL)
719 goto err;
720
721 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
722 event, 0, ctx->family, ctx->table);
723 if (err < 0) {
724 kfree_skb(skb);
725 goto err;
726 }
727
728 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft_notify_list);
729 return;
730err:
731 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
732}
733
734static int nf_tables_dump_tables(struct sk_buff *skb,
735 struct netlink_callback *cb)
736{
737 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
738 const struct nft_table *table;
739 unsigned int idx = 0, s_idx = cb->args[0];
740 struct net *net = sock_net(skb->sk);
741 int family = nfmsg->nfgen_family;
742
743 rcu_read_lock();
744 cb->seq = net->nft.base_seq;
745
746 list_for_each_entry_rcu(table, &net->nft.tables, list) {
747 if (family != NFPROTO_UNSPEC && family != table->family)
748 continue;
749
750 if (idx < s_idx)
751 goto cont;
752 if (idx > s_idx)
753 memset(&cb->args[1], 0,
754 sizeof(cb->args) - sizeof(cb->args[0]));
755 if (!nft_is_active(net, table))
756 continue;
757 if (nf_tables_fill_table_info(skb, net,
758 NETLINK_CB(cb->skb).portid,
759 cb->nlh->nlmsg_seq,
760 NFT_MSG_NEWTABLE, NLM_F_MULTI,
761 table->family, table) < 0)
762 goto done;
763
764 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
765cont:
766 idx++;
767 }
768done:
769 rcu_read_unlock();
770 cb->args[0] = idx;
771 return skb->len;
772}
773
774static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
775 const struct nlmsghdr *nlh,
776 struct netlink_dump_control *c)
777{
778 int err;
779
780 if (!try_module_get(THIS_MODULE))
781 return -EINVAL;
782
783 rcu_read_unlock();
784 err = netlink_dump_start(nlsk, skb, nlh, c);
785 rcu_read_lock();
786 module_put(THIS_MODULE);
787
788 return err;
789}
790
791
792static int nf_tables_gettable(struct net *net, struct sock *nlsk,
793 struct sk_buff *skb, const struct nlmsghdr *nlh,
794 const struct nlattr * const nla[],
795 struct netlink_ext_ack *extack)
796{
797 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
798 u8 genmask = nft_genmask_cur(net);
799 const struct nft_table *table;
800 struct sk_buff *skb2;
801 int family = nfmsg->nfgen_family;
802 int err;
803
804 if (nlh->nlmsg_flags & NLM_F_DUMP) {
805 struct netlink_dump_control c = {
806 .dump = nf_tables_dump_tables,
807 .module = THIS_MODULE,
808 };
809
810 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
811 }
812
813 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
814 if (IS_ERR(table)) {
815 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
816 return PTR_ERR(table);
817 }
818
819 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
820 if (!skb2)
821 return -ENOMEM;
822
823 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
824 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
825 family, table);
826 if (err < 0)
827 goto err_fill_table_info;
828
829 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
830
831err_fill_table_info:
832 kfree_skb(skb2);
833 return err;
834}
835
836static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
837{
838 struct nft_chain *chain;
839 u32 i = 0;
840
841 list_for_each_entry(chain, &table->chains, list) {
842 if (!nft_is_active_next(net, chain))
843 continue;
844 if (!nft_is_base_chain(chain))
845 continue;
846
847 if (cnt && i++ == cnt)
848 break;
849
850 nf_tables_unregister_hook(net, table, chain);
851 }
852}
853
854static int nf_tables_table_enable(struct net *net, struct nft_table *table)
855{
856 struct nft_chain *chain;
857 int err, i = 0;
858
859 list_for_each_entry(chain, &table->chains, list) {
860 if (!nft_is_active_next(net, chain))
861 continue;
862 if (!nft_is_base_chain(chain))
863 continue;
864
865 err = nf_tables_register_hook(net, table, chain);
866 if (err < 0)
867 goto err_register_hooks;
868
869 i++;
870 }
871 return 0;
872
873err_register_hooks:
874 if (i)
875 nft_table_disable(net, table, i);
876 return err;
877}
878
879static void nf_tables_table_disable(struct net *net, struct nft_table *table)
880{
881 nft_table_disable(net, table, 0);
882}
883
884static int nf_tables_updtable(struct nft_ctx *ctx)
885{
886 struct nft_trans *trans;
887 u32 flags;
888 int ret = 0;
889
890 if (!ctx->nla[NFTA_TABLE_FLAGS])
891 return 0;
892
893 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
894 if (flags & ~NFT_TABLE_F_DORMANT)
895 return -EINVAL;
896
897 if (flags == ctx->table->flags)
898 return 0;
899
900 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
901 sizeof(struct nft_trans_table));
902 if (trans == NULL)
903 return -ENOMEM;
904
905 if ((flags & NFT_TABLE_F_DORMANT) &&
906 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
907 nft_trans_table_enable(trans) = false;
908 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
909 ctx->table->flags & NFT_TABLE_F_DORMANT) {
910 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
911 ret = nf_tables_table_enable(ctx->net, ctx->table);
912 if (ret >= 0)
913 nft_trans_table_enable(trans) = true;
914 else
915 ctx->table->flags |= NFT_TABLE_F_DORMANT;
916 }
917 if (ret < 0)
918 goto err;
919
920 nft_trans_table_update(trans) = true;
921 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
922 return 0;
923err:
924 nft_trans_destroy(trans);
925 return ret;
926}
927
928static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
929{
930 const char *name = data;
931
932 return jhash(name, strlen(name), seed);
933}
934
935static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
936{
937 const struct nft_chain *chain = data;
938
939 return nft_chain_hash(chain->name, 0, seed);
940}
941
942static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
943 const void *ptr)
944{
945 const struct nft_chain *chain = ptr;
946 const char *name = arg->key;
947
948 return strcmp(chain->name, name);
949}
950
951static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
952{
953 const struct nft_object_hash_key *k = data;
954
955 seed ^= hash_ptr(k->table, 32);
956
957 return jhash(k->name, strlen(k->name), seed);
958}
959
960static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
961{
962 const struct nft_object *obj = data;
963
964 return nft_objname_hash(&obj->key, 0, seed);
965}
966
967static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
968 const void *ptr)
969{
970 const struct nft_object_hash_key *k = arg->key;
971 const struct nft_object *obj = ptr;
972
973 if (obj->key.table != k->table)
974 return -1;
975
976 return strcmp(obj->key.name, k->name);
977}
978
979static int nf_tables_newtable(struct net *net, struct sock *nlsk,
980 struct sk_buff *skb, const struct nlmsghdr *nlh,
981 const struct nlattr * const nla[],
982 struct netlink_ext_ack *extack)
983{
984 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
985 u8 genmask = nft_genmask_next(net);
986 int family = nfmsg->nfgen_family;
987 const struct nlattr *attr;
988 struct nft_table *table;
989 u32 flags = 0;
990 struct nft_ctx ctx;
991 int err;
992
993 lockdep_assert_held(&net->nft_commit_mutex);
994 attr = nla[NFTA_TABLE_NAME];
995 table = nft_table_lookup(net, attr, family, genmask);
996 if (IS_ERR(table)) {
997 if (PTR_ERR(table) != -ENOENT)
998 return PTR_ERR(table);
999 } else {
1000 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1001 NL_SET_BAD_ATTR(extack, attr);
1002 return -EEXIST;
1003 }
1004 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1005 return -EOPNOTSUPP;
1006
1007 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1008 return nf_tables_updtable(&ctx);
1009 }
1010
1011 if (nla[NFTA_TABLE_FLAGS]) {
1012 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1013 if (flags & ~NFT_TABLE_F_DORMANT)
1014 return -EINVAL;
1015 }
1016
1017 err = -ENOMEM;
1018 table = kzalloc(sizeof(*table), GFP_KERNEL);
1019 if (table == NULL)
1020 goto err_kzalloc;
1021
1022 table->name = nla_strdup(attr, GFP_KERNEL);
1023 if (table->name == NULL)
1024 goto err_strdup;
1025
1026 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1027 if (err)
1028 goto err_chain_ht;
1029
1030 INIT_LIST_HEAD(&table->chains);
1031 INIT_LIST_HEAD(&table->sets);
1032 INIT_LIST_HEAD(&table->objects);
1033 INIT_LIST_HEAD(&table->flowtables);
1034 table->family = family;
1035 table->flags = flags;
1036 table->handle = ++table_handle;
1037
1038 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1039 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1040 if (err < 0)
1041 goto err_trans;
1042
1043 list_add_tail_rcu(&table->list, &net->nft.tables);
1044 return 0;
1045err_trans:
1046 rhltable_destroy(&table->chains_ht);
1047err_chain_ht:
1048 kfree(table->name);
1049err_strdup:
1050 kfree(table);
1051err_kzalloc:
1052 return err;
1053}
1054
1055static int nft_flush_table(struct nft_ctx *ctx)
1056{
1057 struct nft_flowtable *flowtable, *nft;
1058 struct nft_chain *chain, *nc;
1059 struct nft_object *obj, *ne;
1060 struct nft_set *set, *ns;
1061 int err;
1062
1063 list_for_each_entry(chain, &ctx->table->chains, list) {
1064 if (!nft_is_active_next(ctx->net, chain))
1065 continue;
1066
1067 ctx->chain = chain;
1068
1069 err = nft_delrule_by_chain(ctx);
1070 if (err < 0)
1071 goto out;
1072 }
1073
1074 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1075 if (!nft_is_active_next(ctx->net, set))
1076 continue;
1077
1078 if (nft_set_is_anonymous(set) &&
1079 !list_empty(&set->bindings))
1080 continue;
1081
1082 err = nft_delset(ctx, set);
1083 if (err < 0)
1084 goto out;
1085 }
1086
1087 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1088 err = nft_delflowtable(ctx, flowtable);
1089 if (err < 0)
1090 goto out;
1091 }
1092
1093 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1094 err = nft_delobj(ctx, obj);
1095 if (err < 0)
1096 goto out;
1097 }
1098
1099 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1100 if (!nft_is_active_next(ctx->net, chain))
1101 continue;
1102
1103 ctx->chain = chain;
1104
1105 err = nft_delchain(ctx);
1106 if (err < 0)
1107 goto out;
1108 }
1109
1110 err = nft_deltable(ctx);
1111out:
1112 return err;
1113}
1114
1115static int nft_flush(struct nft_ctx *ctx, int family)
1116{
1117 struct nft_table *table, *nt;
1118 const struct nlattr * const *nla = ctx->nla;
1119 int err = 0;
1120
1121 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1122 if (family != AF_UNSPEC && table->family != family)
1123 continue;
1124
1125 ctx->family = table->family;
1126
1127 if (!nft_is_active_next(ctx->net, table))
1128 continue;
1129
1130 if (nla[NFTA_TABLE_NAME] &&
1131 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1132 continue;
1133
1134 ctx->table = table;
1135
1136 err = nft_flush_table(ctx);
1137 if (err < 0)
1138 goto out;
1139 }
1140out:
1141 return err;
1142}
1143
1144static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1145 struct sk_buff *skb, const struct nlmsghdr *nlh,
1146 const struct nlattr * const nla[],
1147 struct netlink_ext_ack *extack)
1148{
1149 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1150 u8 genmask = nft_genmask_next(net);
1151 int family = nfmsg->nfgen_family;
1152 const struct nlattr *attr;
1153 struct nft_table *table;
1154 struct nft_ctx ctx;
1155
1156 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1157 if (family == AF_UNSPEC ||
1158 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1159 return nft_flush(&ctx, family);
1160
1161 if (nla[NFTA_TABLE_HANDLE]) {
1162 attr = nla[NFTA_TABLE_HANDLE];
1163 table = nft_table_lookup_byhandle(net, attr, genmask);
1164 } else {
1165 attr = nla[NFTA_TABLE_NAME];
1166 table = nft_table_lookup(net, attr, family, genmask);
1167 }
1168
1169 if (IS_ERR(table)) {
1170 NL_SET_BAD_ATTR(extack, attr);
1171 return PTR_ERR(table);
1172 }
1173
1174 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1175 table->use > 0)
1176 return -EBUSY;
1177
1178 ctx.family = family;
1179 ctx.table = table;
1180
1181 return nft_flush_table(&ctx);
1182}
1183
1184static void nf_tables_table_destroy(struct nft_ctx *ctx)
1185{
1186 if (WARN_ON(ctx->table->use > 0))
1187 return;
1188
1189 rhltable_destroy(&ctx->table->chains_ht);
1190 kfree(ctx->table->name);
1191 kfree(ctx->table);
1192}
1193
1194void nft_register_chain_type(const struct nft_chain_type *ctype)
1195{
1196 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1197 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1198 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1199 return;
1200 }
1201 chain_type[ctype->family][ctype->type] = ctype;
1202 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1203}
1204EXPORT_SYMBOL_GPL(nft_register_chain_type);
1205
1206void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1207{
1208 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1209 chain_type[ctype->family][ctype->type] = NULL;
1210 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1211}
1212EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1213
1214
1215
1216
1217
1218static struct nft_chain *
1219nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1220{
1221 struct nft_chain *chain;
1222
1223 list_for_each_entry(chain, &table->chains, list) {
1224 if (chain->handle == handle &&
1225 nft_active_genmask(chain, genmask))
1226 return chain;
1227 }
1228
1229 return ERR_PTR(-ENOENT);
1230}
1231
1232static bool lockdep_commit_lock_is_held(const struct net *net)
1233{
1234#ifdef CONFIG_PROVE_LOCKING
1235 return lockdep_is_held(&net->nft_commit_mutex);
1236#else
1237 return true;
1238#endif
1239}
1240
1241static struct nft_chain *nft_chain_lookup(struct net *net,
1242 struct nft_table *table,
1243 const struct nlattr *nla, u8 genmask)
1244{
1245 char search[NFT_CHAIN_MAXNAMELEN + 1];
1246 struct rhlist_head *tmp, *list;
1247 struct nft_chain *chain;
1248
1249 if (nla == NULL)
1250 return ERR_PTR(-EINVAL);
1251
1252 nla_strlcpy(search, nla, sizeof(search));
1253
1254 WARN_ON(!rcu_read_lock_held() &&
1255 !lockdep_commit_lock_is_held(net));
1256
1257 chain = ERR_PTR(-ENOENT);
1258 rcu_read_lock();
1259 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1260 if (!list)
1261 goto out_unlock;
1262
1263 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1264 if (nft_active_genmask(chain, genmask))
1265 goto out_unlock;
1266 }
1267 chain = ERR_PTR(-ENOENT);
1268out_unlock:
1269 rcu_read_unlock();
1270 return chain;
1271}
1272
1273static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1274 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1275 .len = NFT_TABLE_MAXNAMELEN - 1 },
1276 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1277 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1278 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1279 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1280 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1281 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1282 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1283 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1284 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1285};
1286
1287static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1288 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1289 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1290 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1291 .len = IFNAMSIZ - 1 },
1292};
1293
1294static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1295{
1296 struct nft_stats *cpu_stats, total;
1297 struct nlattr *nest;
1298 unsigned int seq;
1299 u64 pkts, bytes;
1300 int cpu;
1301
1302 if (!stats)
1303 return 0;
1304
1305 memset(&total, 0, sizeof(total));
1306 for_each_possible_cpu(cpu) {
1307 cpu_stats = per_cpu_ptr(stats, cpu);
1308 do {
1309 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1310 pkts = cpu_stats->pkts;
1311 bytes = cpu_stats->bytes;
1312 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1313 total.pkts += pkts;
1314 total.bytes += bytes;
1315 }
1316 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1317 if (nest == NULL)
1318 goto nla_put_failure;
1319
1320 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1321 NFTA_COUNTER_PAD) ||
1322 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1323 NFTA_COUNTER_PAD))
1324 goto nla_put_failure;
1325
1326 nla_nest_end(skb, nest);
1327 return 0;
1328
1329nla_put_failure:
1330 return -ENOSPC;
1331}
1332
1333static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1334 const struct nft_base_chain *basechain)
1335{
1336 const struct nf_hook_ops *ops = &basechain->ops;
1337 struct nft_hook *hook, *first = NULL;
1338 struct nlattr *nest, *nest_devs;
1339 int n = 0;
1340
1341 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1342 if (nest == NULL)
1343 goto nla_put_failure;
1344 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1345 goto nla_put_failure;
1346 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1347 goto nla_put_failure;
1348
1349 if (family == NFPROTO_NETDEV) {
1350 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1351 list_for_each_entry(hook, &basechain->hook_list, list) {
1352 if (!first)
1353 first = hook;
1354
1355 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1356 hook->ops.dev->name))
1357 goto nla_put_failure;
1358 n++;
1359 }
1360 nla_nest_end(skb, nest_devs);
1361
1362 if (n == 1 &&
1363 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1364 goto nla_put_failure;
1365 }
1366 nla_nest_end(skb, nest);
1367
1368 return 0;
1369nla_put_failure:
1370 return -1;
1371}
1372
1373static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1374 u32 portid, u32 seq, int event, u32 flags,
1375 int family, const struct nft_table *table,
1376 const struct nft_chain *chain)
1377{
1378 struct nlmsghdr *nlh;
1379 struct nfgenmsg *nfmsg;
1380
1381 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1382 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1383 if (nlh == NULL)
1384 goto nla_put_failure;
1385
1386 nfmsg = nlmsg_data(nlh);
1387 nfmsg->nfgen_family = family;
1388 nfmsg->version = NFNETLINK_V0;
1389 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1390
1391 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1392 goto nla_put_failure;
1393 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1394 NFTA_CHAIN_PAD))
1395 goto nla_put_failure;
1396 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1397 goto nla_put_failure;
1398
1399 if (nft_is_base_chain(chain)) {
1400 const struct nft_base_chain *basechain = nft_base_chain(chain);
1401 struct nft_stats __percpu *stats;
1402
1403 if (nft_dump_basechain_hook(skb, family, basechain))
1404 goto nla_put_failure;
1405
1406 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1407 htonl(basechain->policy)))
1408 goto nla_put_failure;
1409
1410 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1411 goto nla_put_failure;
1412
1413 stats = rcu_dereference_check(basechain->stats,
1414 lockdep_commit_lock_is_held(net));
1415 if (nft_dump_stats(skb, stats))
1416 goto nla_put_failure;
1417
1418 if ((chain->flags & NFT_CHAIN_HW_OFFLOAD) &&
1419 nla_put_be32(skb, NFTA_CHAIN_FLAGS,
1420 htonl(NFT_CHAIN_HW_OFFLOAD)))
1421 goto nla_put_failure;
1422 }
1423
1424 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1425 goto nla_put_failure;
1426
1427 nlmsg_end(skb, nlh);
1428 return 0;
1429
1430nla_put_failure:
1431 nlmsg_trim(skb, nlh);
1432 return -1;
1433}
1434
1435static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1436{
1437 struct sk_buff *skb;
1438 int err;
1439 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
1440 ctx->table->name, ctx->table->handle,
1441 ctx->chain->name, ctx->chain->handle);
1442
1443 audit_log_nfcfg(buf,
1444 ctx->family,
1445 ctx->chain->use,
1446 event == NFT_MSG_NEWCHAIN ?
1447 AUDIT_NFT_OP_CHAIN_REGISTER :
1448 AUDIT_NFT_OP_CHAIN_UNREGISTER,
1449 GFP_KERNEL);
1450 kfree(buf);
1451
1452 if (!ctx->report &&
1453 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1454 return;
1455
1456 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1457 if (skb == NULL)
1458 goto err;
1459
1460 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1461 event, 0, ctx->family, ctx->table,
1462 ctx->chain);
1463 if (err < 0) {
1464 kfree_skb(skb);
1465 goto err;
1466 }
1467
1468 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft_notify_list);
1469 return;
1470err:
1471 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1472}
1473
1474static int nf_tables_dump_chains(struct sk_buff *skb,
1475 struct netlink_callback *cb)
1476{
1477 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1478 const struct nft_table *table;
1479 const struct nft_chain *chain;
1480 unsigned int idx = 0, s_idx = cb->args[0];
1481 struct net *net = sock_net(skb->sk);
1482 int family = nfmsg->nfgen_family;
1483
1484 rcu_read_lock();
1485 cb->seq = net->nft.base_seq;
1486
1487 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1488 if (family != NFPROTO_UNSPEC && family != table->family)
1489 continue;
1490
1491 list_for_each_entry_rcu(chain, &table->chains, list) {
1492 if (idx < s_idx)
1493 goto cont;
1494 if (idx > s_idx)
1495 memset(&cb->args[1], 0,
1496 sizeof(cb->args) - sizeof(cb->args[0]));
1497 if (!nft_is_active(net, chain))
1498 continue;
1499 if (nf_tables_fill_chain_info(skb, net,
1500 NETLINK_CB(cb->skb).portid,
1501 cb->nlh->nlmsg_seq,
1502 NFT_MSG_NEWCHAIN,
1503 NLM_F_MULTI,
1504 table->family, table,
1505 chain) < 0)
1506 goto done;
1507
1508 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1509cont:
1510 idx++;
1511 }
1512 }
1513done:
1514 rcu_read_unlock();
1515 cb->args[0] = idx;
1516 return skb->len;
1517}
1518
1519
1520static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1521 struct sk_buff *skb, const struct nlmsghdr *nlh,
1522 const struct nlattr * const nla[],
1523 struct netlink_ext_ack *extack)
1524{
1525 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1526 u8 genmask = nft_genmask_cur(net);
1527 const struct nft_chain *chain;
1528 struct nft_table *table;
1529 struct sk_buff *skb2;
1530 int family = nfmsg->nfgen_family;
1531 int err;
1532
1533 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1534 struct netlink_dump_control c = {
1535 .dump = nf_tables_dump_chains,
1536 .module = THIS_MODULE,
1537 };
1538
1539 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1540 }
1541
1542 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1543 if (IS_ERR(table)) {
1544 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1545 return PTR_ERR(table);
1546 }
1547
1548 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1549 if (IS_ERR(chain)) {
1550 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1551 return PTR_ERR(chain);
1552 }
1553
1554 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1555 if (!skb2)
1556 return -ENOMEM;
1557
1558 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1559 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1560 family, table, chain);
1561 if (err < 0)
1562 goto err_fill_chain_info;
1563
1564 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1565
1566err_fill_chain_info:
1567 kfree_skb(skb2);
1568 return err;
1569}
1570
1571static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1572 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1573 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1574};
1575
1576static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1577{
1578 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1579 struct nft_stats __percpu *newstats;
1580 struct nft_stats *stats;
1581 int err;
1582
1583 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1584 nft_counter_policy, NULL);
1585 if (err < 0)
1586 return ERR_PTR(err);
1587
1588 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1589 return ERR_PTR(-EINVAL);
1590
1591 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1592 if (newstats == NULL)
1593 return ERR_PTR(-ENOMEM);
1594
1595
1596
1597
1598 preempt_disable();
1599 stats = this_cpu_ptr(newstats);
1600 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1601 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1602 preempt_enable();
1603
1604 return newstats;
1605}
1606
1607static void nft_chain_stats_replace(struct net *net,
1608 struct nft_base_chain *chain,
1609 struct nft_stats __percpu *newstats)
1610{
1611 struct nft_stats __percpu *oldstats;
1612
1613 if (newstats == NULL)
1614 return;
1615
1616 if (rcu_access_pointer(chain->stats)) {
1617 oldstats = rcu_dereference_protected(chain->stats,
1618 lockdep_commit_lock_is_held(net));
1619 rcu_assign_pointer(chain->stats, newstats);
1620 synchronize_rcu();
1621 free_percpu(oldstats);
1622 } else {
1623 rcu_assign_pointer(chain->stats, newstats);
1624 static_branch_inc(&nft_counters_enabled);
1625 }
1626}
1627
1628static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1629{
1630 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1631 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1632
1633 if (g0 != g1)
1634 kvfree(g1);
1635 kvfree(g0);
1636
1637
1638 WARN_ON_ONCE(chain->rules_next);
1639 kvfree(chain->rules_next);
1640}
1641
1642static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1643{
1644 struct nft_chain *chain = ctx->chain;
1645 struct nft_hook *hook, *next;
1646
1647 if (WARN_ON(chain->use > 0))
1648 return;
1649
1650
1651 nf_tables_chain_free_chain_rules(chain);
1652
1653 if (nft_is_base_chain(chain)) {
1654 struct nft_base_chain *basechain = nft_base_chain(chain);
1655
1656 if (ctx->family == NFPROTO_NETDEV) {
1657 list_for_each_entry_safe(hook, next,
1658 &basechain->hook_list, list) {
1659 list_del_rcu(&hook->list);
1660 kfree_rcu(hook, rcu);
1661 }
1662 }
1663 module_put(basechain->type->owner);
1664 if (rcu_access_pointer(basechain->stats)) {
1665 static_branch_dec(&nft_counters_enabled);
1666 free_percpu(rcu_dereference_raw(basechain->stats));
1667 }
1668 kfree(chain->name);
1669 kfree(basechain);
1670 } else {
1671 kfree(chain->name);
1672 kfree(chain);
1673 }
1674}
1675
1676static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1677 const struct nlattr *attr)
1678{
1679 struct net_device *dev;
1680 char ifname[IFNAMSIZ];
1681 struct nft_hook *hook;
1682 int err;
1683
1684 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1685 if (!hook) {
1686 err = -ENOMEM;
1687 goto err_hook_alloc;
1688 }
1689
1690 nla_strlcpy(ifname, attr, IFNAMSIZ);
1691 dev = __dev_get_by_name(net, ifname);
1692 if (!dev) {
1693 err = -ENOENT;
1694 goto err_hook_dev;
1695 }
1696 hook->ops.dev = dev;
1697
1698 return hook;
1699
1700err_hook_dev:
1701 kfree(hook);
1702err_hook_alloc:
1703 return ERR_PTR(err);
1704}
1705
1706static bool nft_hook_list_find(struct list_head *hook_list,
1707 const struct nft_hook *this)
1708{
1709 struct nft_hook *hook;
1710
1711 list_for_each_entry(hook, hook_list, list) {
1712 if (this->ops.dev == hook->ops.dev)
1713 return true;
1714 }
1715
1716 return false;
1717}
1718
1719static int nf_tables_parse_netdev_hooks(struct net *net,
1720 const struct nlattr *attr,
1721 struct list_head *hook_list)
1722{
1723 struct nft_hook *hook, *next;
1724 const struct nlattr *tmp;
1725 int rem, n = 0, err;
1726
1727 nla_for_each_nested(tmp, attr, rem) {
1728 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1729 err = -EINVAL;
1730 goto err_hook;
1731 }
1732
1733 hook = nft_netdev_hook_alloc(net, tmp);
1734 if (IS_ERR(hook)) {
1735 err = PTR_ERR(hook);
1736 goto err_hook;
1737 }
1738 if (nft_hook_list_find(hook_list, hook)) {
1739 kfree(hook);
1740 err = -EEXIST;
1741 goto err_hook;
1742 }
1743 list_add_tail(&hook->list, hook_list);
1744 n++;
1745
1746 if (n == NFT_NETDEVICE_MAX) {
1747 err = -EFBIG;
1748 goto err_hook;
1749 }
1750 }
1751 if (!n)
1752 return -EINVAL;
1753
1754 return 0;
1755
1756err_hook:
1757 list_for_each_entry_safe(hook, next, hook_list, list) {
1758 list_del(&hook->list);
1759 kfree(hook);
1760 }
1761 return err;
1762}
1763
1764struct nft_chain_hook {
1765 u32 num;
1766 s32 priority;
1767 const struct nft_chain_type *type;
1768 struct list_head list;
1769};
1770
1771static int nft_chain_parse_netdev(struct net *net,
1772 struct nlattr *tb[],
1773 struct list_head *hook_list)
1774{
1775 struct nft_hook *hook;
1776 int err;
1777
1778 if (tb[NFTA_HOOK_DEV]) {
1779 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1780 if (IS_ERR(hook))
1781 return PTR_ERR(hook);
1782
1783 list_add_tail(&hook->list, hook_list);
1784 } else if (tb[NFTA_HOOK_DEVS]) {
1785 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1786 hook_list);
1787 if (err < 0)
1788 return err;
1789 } else {
1790 return -EINVAL;
1791 }
1792
1793 return 0;
1794}
1795
1796static int nft_chain_parse_hook(struct net *net,
1797 const struct nlattr * const nla[],
1798 struct nft_chain_hook *hook, u8 family,
1799 bool autoload)
1800{
1801 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1802 const struct nft_chain_type *type;
1803 int err;
1804
1805 lockdep_assert_held(&net->nft_commit_mutex);
1806 lockdep_nfnl_nft_mutex_not_held();
1807
1808 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1809 nla[NFTA_CHAIN_HOOK],
1810 nft_hook_policy, NULL);
1811 if (err < 0)
1812 return err;
1813
1814 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1815 ha[NFTA_HOOK_PRIORITY] == NULL)
1816 return -EINVAL;
1817
1818 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1819 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1820
1821 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1822 if (!type)
1823 return -EOPNOTSUPP;
1824
1825 if (nla[NFTA_CHAIN_TYPE]) {
1826 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1827 family, autoload);
1828 if (IS_ERR(type))
1829 return PTR_ERR(type);
1830 }
1831 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1832 return -EOPNOTSUPP;
1833
1834 if (type->type == NFT_CHAIN_T_NAT &&
1835 hook->priority <= NF_IP_PRI_CONNTRACK)
1836 return -EOPNOTSUPP;
1837
1838 if (!try_module_get(type->owner))
1839 return -ENOENT;
1840
1841 hook->type = type;
1842
1843 INIT_LIST_HEAD(&hook->list);
1844 if (family == NFPROTO_NETDEV) {
1845 err = nft_chain_parse_netdev(net, ha, &hook->list);
1846 if (err < 0) {
1847 module_put(type->owner);
1848 return err;
1849 }
1850 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1851 module_put(type->owner);
1852 return -EOPNOTSUPP;
1853 }
1854
1855 return 0;
1856}
1857
1858static void nft_chain_release_hook(struct nft_chain_hook *hook)
1859{
1860 struct nft_hook *h, *next;
1861
1862 list_for_each_entry_safe(h, next, &hook->list, list) {
1863 list_del(&h->list);
1864 kfree(h);
1865 }
1866 module_put(hook->type->owner);
1867}
1868
1869struct nft_rules_old {
1870 struct rcu_head h;
1871 struct nft_rule **start;
1872};
1873
1874static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1875 unsigned int alloc)
1876{
1877 if (alloc > INT_MAX)
1878 return NULL;
1879
1880 alloc += 1;
1881 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1882 return NULL;
1883
1884 alloc *= sizeof(struct nft_rule *);
1885 alloc += sizeof(struct nft_rules_old);
1886
1887 return kvmalloc(alloc, GFP_KERNEL);
1888}
1889
1890static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1891 const struct nft_chain_hook *hook,
1892 struct nft_chain *chain)
1893{
1894 ops->pf = family;
1895 ops->hooknum = hook->num;
1896 ops->priority = hook->priority;
1897 ops->priv = chain;
1898 ops->hook = hook->type->hooks[ops->hooknum];
1899}
1900
1901static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1902 struct nft_chain_hook *hook, u32 flags)
1903{
1904 struct nft_chain *chain;
1905 struct nft_hook *h;
1906
1907 basechain->type = hook->type;
1908 INIT_LIST_HEAD(&basechain->hook_list);
1909 chain = &basechain->chain;
1910
1911 if (family == NFPROTO_NETDEV) {
1912 list_splice_init(&hook->list, &basechain->hook_list);
1913 list_for_each_entry(h, &basechain->hook_list, list)
1914 nft_basechain_hook_init(&h->ops, family, hook, chain);
1915
1916 basechain->ops.hooknum = hook->num;
1917 basechain->ops.priority = hook->priority;
1918 } else {
1919 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1920 }
1921
1922 chain->flags |= NFT_BASE_CHAIN | flags;
1923 basechain->policy = NF_ACCEPT;
1924 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1925 nft_chain_offload_priority(basechain) < 0)
1926 return -EOPNOTSUPP;
1927
1928 flow_block_init(&basechain->flow_block);
1929
1930 return 0;
1931}
1932
1933static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1934 u8 policy, u32 flags)
1935{
1936 const struct nlattr * const *nla = ctx->nla;
1937 struct nft_table *table = ctx->table;
1938 struct nft_base_chain *basechain;
1939 struct nft_stats __percpu *stats;
1940 struct net *net = ctx->net;
1941 struct nft_trans *trans;
1942 struct nft_chain *chain;
1943 struct nft_rule **rules;
1944 int err;
1945
1946 if (table->use == UINT_MAX)
1947 return -EOVERFLOW;
1948
1949 if (nla[NFTA_CHAIN_HOOK]) {
1950 struct nft_chain_hook hook;
1951
1952 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1953 if (err < 0)
1954 return err;
1955
1956 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1957 if (basechain == NULL) {
1958 nft_chain_release_hook(&hook);
1959 return -ENOMEM;
1960 }
1961 chain = &basechain->chain;
1962
1963 if (nla[NFTA_CHAIN_COUNTERS]) {
1964 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1965 if (IS_ERR(stats)) {
1966 nft_chain_release_hook(&hook);
1967 kfree(basechain);
1968 return PTR_ERR(stats);
1969 }
1970 rcu_assign_pointer(basechain->stats, stats);
1971 static_branch_inc(&nft_counters_enabled);
1972 }
1973
1974 err = nft_basechain_init(basechain, family, &hook, flags);
1975 if (err < 0) {
1976 nft_chain_release_hook(&hook);
1977 kfree(basechain);
1978 return err;
1979 }
1980 } else {
1981 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1982 if (chain == NULL)
1983 return -ENOMEM;
1984 }
1985 ctx->chain = chain;
1986
1987 INIT_LIST_HEAD(&chain->rules);
1988 chain->handle = nf_tables_alloc_handle(table);
1989 chain->table = table;
1990 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1991 if (!chain->name) {
1992 err = -ENOMEM;
1993 goto err1;
1994 }
1995
1996 rules = nf_tables_chain_alloc_rules(chain, 0);
1997 if (!rules) {
1998 err = -ENOMEM;
1999 goto err1;
2000 }
2001
2002 *rules = NULL;
2003 rcu_assign_pointer(chain->rules_gen_0, rules);
2004 rcu_assign_pointer(chain->rules_gen_1, rules);
2005
2006 err = nf_tables_register_hook(net, table, chain);
2007 if (err < 0)
2008 goto err1;
2009
2010 err = rhltable_insert_key(&table->chains_ht, chain->name,
2011 &chain->rhlhead, nft_chain_ht_params);
2012 if (err)
2013 goto err2;
2014
2015 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2016 if (IS_ERR(trans)) {
2017 err = PTR_ERR(trans);
2018 rhltable_remove(&table->chains_ht, &chain->rhlhead,
2019 nft_chain_ht_params);
2020 goto err2;
2021 }
2022
2023 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2024 if (nft_is_base_chain(chain))
2025 nft_trans_chain_policy(trans) = policy;
2026
2027 table->use++;
2028 list_add_tail_rcu(&chain->list, &table->chains);
2029
2030 return 0;
2031err2:
2032 nf_tables_unregister_hook(net, table, chain);
2033err1:
2034 nf_tables_chain_destroy(ctx);
2035
2036 return err;
2037}
2038
2039static bool nft_hook_list_equal(struct list_head *hook_list1,
2040 struct list_head *hook_list2)
2041{
2042 struct nft_hook *hook;
2043 int n = 0, m = 0;
2044
2045 n = 0;
2046 list_for_each_entry(hook, hook_list2, list) {
2047 if (!nft_hook_list_find(hook_list1, hook))
2048 return false;
2049
2050 n++;
2051 }
2052 list_for_each_entry(hook, hook_list1, list)
2053 m++;
2054
2055 return n == m;
2056}
2057
2058static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2059 u32 flags)
2060{
2061 const struct nlattr * const *nla = ctx->nla;
2062 struct nft_table *table = ctx->table;
2063 struct nft_chain *chain = ctx->chain;
2064 struct nft_base_chain *basechain;
2065 struct nft_stats *stats = NULL;
2066 struct nft_chain_hook hook;
2067 struct nf_hook_ops *ops;
2068 struct nft_trans *trans;
2069 int err;
2070
2071 if (chain->flags ^ flags)
2072 return -EOPNOTSUPP;
2073
2074 if (nla[NFTA_CHAIN_HOOK]) {
2075 if (!nft_is_base_chain(chain))
2076 return -EBUSY;
2077
2078 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2079 false);
2080 if (err < 0)
2081 return err;
2082
2083 basechain = nft_base_chain(chain);
2084 if (basechain->type != hook.type) {
2085 nft_chain_release_hook(&hook);
2086 return -EBUSY;
2087 }
2088
2089 if (ctx->family == NFPROTO_NETDEV) {
2090 if (!nft_hook_list_equal(&basechain->hook_list,
2091 &hook.list)) {
2092 nft_chain_release_hook(&hook);
2093 return -EBUSY;
2094 }
2095 } else {
2096 ops = &basechain->ops;
2097 if (ops->hooknum != hook.num ||
2098 ops->priority != hook.priority) {
2099 nft_chain_release_hook(&hook);
2100 return -EBUSY;
2101 }
2102 }
2103 nft_chain_release_hook(&hook);
2104 }
2105
2106 if (nla[NFTA_CHAIN_HANDLE] &&
2107 nla[NFTA_CHAIN_NAME]) {
2108 struct nft_chain *chain2;
2109
2110 chain2 = nft_chain_lookup(ctx->net, table,
2111 nla[NFTA_CHAIN_NAME], genmask);
2112 if (!IS_ERR(chain2))
2113 return -EEXIST;
2114 }
2115
2116 if (nla[NFTA_CHAIN_COUNTERS]) {
2117 if (!nft_is_base_chain(chain))
2118 return -EOPNOTSUPP;
2119
2120 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2121 if (IS_ERR(stats))
2122 return PTR_ERR(stats);
2123 }
2124
2125 err = -ENOMEM;
2126 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2127 sizeof(struct nft_trans_chain));
2128 if (trans == NULL)
2129 goto err;
2130
2131 nft_trans_chain_stats(trans) = stats;
2132 nft_trans_chain_update(trans) = true;
2133
2134 if (nla[NFTA_CHAIN_POLICY])
2135 nft_trans_chain_policy(trans) = policy;
2136 else
2137 nft_trans_chain_policy(trans) = -1;
2138
2139 if (nla[NFTA_CHAIN_HANDLE] &&
2140 nla[NFTA_CHAIN_NAME]) {
2141 struct nft_trans *tmp;
2142 char *name;
2143
2144 err = -ENOMEM;
2145 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2146 if (!name)
2147 goto err;
2148
2149 err = -EEXIST;
2150 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2151 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2152 tmp->ctx.table == table &&
2153 nft_trans_chain_update(tmp) &&
2154 nft_trans_chain_name(tmp) &&
2155 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2156 kfree(name);
2157 goto err;
2158 }
2159 }
2160
2161 nft_trans_chain_name(trans) = name;
2162 }
2163 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2164
2165 return 0;
2166err:
2167 free_percpu(stats);
2168 kfree(trans);
2169 return err;
2170}
2171
2172static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2173 struct sk_buff *skb, const struct nlmsghdr *nlh,
2174 const struct nlattr * const nla[],
2175 struct netlink_ext_ack *extack)
2176{
2177 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2178 u8 genmask = nft_genmask_next(net);
2179 int family = nfmsg->nfgen_family;
2180 const struct nlattr *attr;
2181 struct nft_table *table;
2182 struct nft_chain *chain;
2183 u8 policy = NF_ACCEPT;
2184 struct nft_ctx ctx;
2185 u64 handle = 0;
2186 u32 flags = 0;
2187
2188 lockdep_assert_held(&net->nft_commit_mutex);
2189
2190 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2191 if (IS_ERR(table)) {
2192 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2193 return PTR_ERR(table);
2194 }
2195
2196 chain = NULL;
2197 attr = nla[NFTA_CHAIN_NAME];
2198
2199 if (nla[NFTA_CHAIN_HANDLE]) {
2200 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2201 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2202 if (IS_ERR(chain)) {
2203 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2204 return PTR_ERR(chain);
2205 }
2206 attr = nla[NFTA_CHAIN_HANDLE];
2207 } else {
2208 chain = nft_chain_lookup(net, table, attr, genmask);
2209 if (IS_ERR(chain)) {
2210 if (PTR_ERR(chain) != -ENOENT) {
2211 NL_SET_BAD_ATTR(extack, attr);
2212 return PTR_ERR(chain);
2213 }
2214 chain = NULL;
2215 }
2216 }
2217
2218 if (nla[NFTA_CHAIN_POLICY]) {
2219 if (chain != NULL &&
2220 !nft_is_base_chain(chain)) {
2221 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2222 return -EOPNOTSUPP;
2223 }
2224
2225 if (chain == NULL &&
2226 nla[NFTA_CHAIN_HOOK] == NULL) {
2227 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2228 return -EOPNOTSUPP;
2229 }
2230
2231 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2232 switch (policy) {
2233 case NF_DROP:
2234 case NF_ACCEPT:
2235 break;
2236 default:
2237 return -EINVAL;
2238 }
2239 }
2240
2241 if (nla[NFTA_CHAIN_FLAGS])
2242 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2243 else if (chain)
2244 flags = chain->flags;
2245
2246 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2247
2248 if (chain != NULL) {
2249 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2250 NL_SET_BAD_ATTR(extack, attr);
2251 return -EEXIST;
2252 }
2253 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2254 return -EOPNOTSUPP;
2255
2256 flags |= chain->flags & NFT_BASE_CHAIN;
2257 return nf_tables_updchain(&ctx, genmask, policy, flags);
2258 }
2259
2260 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2261}
2262
2263static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2264 struct sk_buff *skb, const struct nlmsghdr *nlh,
2265 const struct nlattr * const nla[],
2266 struct netlink_ext_ack *extack)
2267{
2268 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2269 u8 genmask = nft_genmask_next(net);
2270 int family = nfmsg->nfgen_family;
2271 const struct nlattr *attr;
2272 struct nft_table *table;
2273 struct nft_chain *chain;
2274 struct nft_rule *rule;
2275 struct nft_ctx ctx;
2276 u64 handle;
2277 u32 use;
2278 int err;
2279
2280 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2281 if (IS_ERR(table)) {
2282 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2283 return PTR_ERR(table);
2284 }
2285
2286 if (nla[NFTA_CHAIN_HANDLE]) {
2287 attr = nla[NFTA_CHAIN_HANDLE];
2288 handle = be64_to_cpu(nla_get_be64(attr));
2289 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2290 } else {
2291 attr = nla[NFTA_CHAIN_NAME];
2292 chain = nft_chain_lookup(net, table, attr, genmask);
2293 }
2294 if (IS_ERR(chain)) {
2295 NL_SET_BAD_ATTR(extack, attr);
2296 return PTR_ERR(chain);
2297 }
2298
2299 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2300 chain->use > 0)
2301 return -EBUSY;
2302
2303 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2304
2305 use = chain->use;
2306 list_for_each_entry(rule, &chain->rules, list) {
2307 if (!nft_is_active_next(net, rule))
2308 continue;
2309 use--;
2310
2311 err = nft_delrule(&ctx, rule);
2312 if (err < 0)
2313 return err;
2314 }
2315
2316
2317
2318
2319 if (use > 0) {
2320 NL_SET_BAD_ATTR(extack, attr);
2321 return -EBUSY;
2322 }
2323
2324 return nft_delchain(&ctx);
2325}
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338int nft_register_expr(struct nft_expr_type *type)
2339{
2340 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2341 if (type->family == NFPROTO_UNSPEC)
2342 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2343 else
2344 list_add_rcu(&type->list, &nf_tables_expressions);
2345 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2346 return 0;
2347}
2348EXPORT_SYMBOL_GPL(nft_register_expr);
2349
2350
2351
2352
2353
2354
2355
2356void nft_unregister_expr(struct nft_expr_type *type)
2357{
2358 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2359 list_del_rcu(&type->list);
2360 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2361}
2362EXPORT_SYMBOL_GPL(nft_unregister_expr);
2363
2364static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2365 struct nlattr *nla)
2366{
2367 const struct nft_expr_type *type;
2368
2369 list_for_each_entry(type, &nf_tables_expressions, list) {
2370 if (!nla_strcmp(nla, type->name) &&
2371 (!type->family || type->family == family))
2372 return type;
2373 }
2374 return NULL;
2375}
2376
2377#ifdef CONFIG_MODULES
2378static int nft_expr_type_request_module(struct net *net, u8 family,
2379 struct nlattr *nla)
2380{
2381 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2382 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2383 return -EAGAIN;
2384
2385 return 0;
2386}
2387#endif
2388
2389static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2390 u8 family,
2391 struct nlattr *nla)
2392{
2393 const struct nft_expr_type *type;
2394
2395 if (nla == NULL)
2396 return ERR_PTR(-EINVAL);
2397
2398 type = __nft_expr_type_get(family, nla);
2399 if (type != NULL && try_module_get(type->owner))
2400 return type;
2401
2402 lockdep_nfnl_nft_mutex_not_held();
2403#ifdef CONFIG_MODULES
2404 if (type == NULL) {
2405 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2406 return ERR_PTR(-EAGAIN);
2407
2408 if (nft_request_module(net, "nft-expr-%.*s",
2409 nla_len(nla),
2410 (char *)nla_data(nla)) == -EAGAIN)
2411 return ERR_PTR(-EAGAIN);
2412 }
2413#endif
2414 return ERR_PTR(-ENOENT);
2415}
2416
2417static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2418 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2419 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2420 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2421};
2422
2423static int nf_tables_fill_expr_info(struct sk_buff *skb,
2424 const struct nft_expr *expr)
2425{
2426 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2427 goto nla_put_failure;
2428
2429 if (expr->ops->dump) {
2430 struct nlattr *data = nla_nest_start_noflag(skb,
2431 NFTA_EXPR_DATA);
2432 if (data == NULL)
2433 goto nla_put_failure;
2434 if (expr->ops->dump(skb, expr) < 0)
2435 goto nla_put_failure;
2436 nla_nest_end(skb, data);
2437 }
2438
2439 return skb->len;
2440
2441nla_put_failure:
2442 return -1;
2443};
2444
2445int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2446 const struct nft_expr *expr)
2447{
2448 struct nlattr *nest;
2449
2450 nest = nla_nest_start_noflag(skb, attr);
2451 if (!nest)
2452 goto nla_put_failure;
2453 if (nf_tables_fill_expr_info(skb, expr) < 0)
2454 goto nla_put_failure;
2455 nla_nest_end(skb, nest);
2456 return 0;
2457
2458nla_put_failure:
2459 return -1;
2460}
2461
2462struct nft_expr_info {
2463 const struct nft_expr_ops *ops;
2464 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2465};
2466
2467static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2468 const struct nlattr *nla,
2469 struct nft_expr_info *info)
2470{
2471 const struct nft_expr_type *type;
2472 const struct nft_expr_ops *ops;
2473 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2474 int err;
2475
2476 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2477 nft_expr_policy, NULL);
2478 if (err < 0)
2479 return err;
2480
2481 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2482 if (IS_ERR(type))
2483 return PTR_ERR(type);
2484
2485 if (tb[NFTA_EXPR_DATA]) {
2486 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2487 tb[NFTA_EXPR_DATA],
2488 type->policy, NULL);
2489 if (err < 0)
2490 goto err1;
2491 } else
2492 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2493
2494 if (type->select_ops != NULL) {
2495 ops = type->select_ops(ctx,
2496 (const struct nlattr * const *)info->tb);
2497 if (IS_ERR(ops)) {
2498 err = PTR_ERR(ops);
2499#ifdef CONFIG_MODULES
2500 if (err == -EAGAIN)
2501 if (nft_expr_type_request_module(ctx->net,
2502 ctx->family,
2503 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2504 err = -ENOENT;
2505#endif
2506 goto err1;
2507 }
2508 } else
2509 ops = type->ops;
2510
2511 info->ops = ops;
2512 return 0;
2513
2514err1:
2515 module_put(type->owner);
2516 return err;
2517}
2518
2519static int nf_tables_newexpr(const struct nft_ctx *ctx,
2520 const struct nft_expr_info *info,
2521 struct nft_expr *expr)
2522{
2523 const struct nft_expr_ops *ops = info->ops;
2524 int err;
2525
2526 expr->ops = ops;
2527 if (ops->init) {
2528 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2529 if (err < 0)
2530 goto err1;
2531 }
2532
2533 return 0;
2534err1:
2535 expr->ops = NULL;
2536 return err;
2537}
2538
2539static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2540 struct nft_expr *expr)
2541{
2542 const struct nft_expr_type *type = expr->ops->type;
2543
2544 if (expr->ops->destroy)
2545 expr->ops->destroy(ctx, expr);
2546 module_put(type->owner);
2547}
2548
2549struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2550 const struct nlattr *nla)
2551{
2552 struct nft_expr_info info;
2553 struct nft_expr *expr;
2554 struct module *owner;
2555 int err;
2556
2557 err = nf_tables_expr_parse(ctx, nla, &info);
2558 if (err < 0)
2559 goto err1;
2560
2561 err = -ENOMEM;
2562 expr = kzalloc(info.ops->size, GFP_KERNEL);
2563 if (expr == NULL)
2564 goto err2;
2565
2566 err = nf_tables_newexpr(ctx, &info, expr);
2567 if (err < 0)
2568 goto err3;
2569
2570 return expr;
2571err3:
2572 kfree(expr);
2573err2:
2574 owner = info.ops->type->owner;
2575 if (info.ops->type->release_ops)
2576 info.ops->type->release_ops(info.ops);
2577
2578 module_put(owner);
2579err1:
2580 return ERR_PTR(err);
2581}
2582
2583void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2584{
2585 nf_tables_expr_destroy(ctx, expr);
2586 kfree(expr);
2587}
2588
2589
2590
2591
2592
2593static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2594 u64 handle)
2595{
2596 struct nft_rule *rule;
2597
2598
2599 list_for_each_entry_rcu(rule, &chain->rules, list) {
2600 if (handle == rule->handle)
2601 return rule;
2602 }
2603
2604 return ERR_PTR(-ENOENT);
2605}
2606
2607static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2608 const struct nlattr *nla)
2609{
2610 if (nla == NULL)
2611 return ERR_PTR(-EINVAL);
2612
2613 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2614}
2615
2616static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2617 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2618 .len = NFT_TABLE_MAXNAMELEN - 1 },
2619 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2620 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2621 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2622 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2623 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2624 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2625 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2626 .len = NFT_USERDATA_MAXLEN },
2627 [NFTA_RULE_ID] = { .type = NLA_U32 },
2628 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2629};
2630
2631static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2632 u32 portid, u32 seq, int event,
2633 u32 flags, int family,
2634 const struct nft_table *table,
2635 const struct nft_chain *chain,
2636 const struct nft_rule *rule,
2637 const struct nft_rule *prule)
2638{
2639 struct nlmsghdr *nlh;
2640 struct nfgenmsg *nfmsg;
2641 const struct nft_expr *expr, *next;
2642 struct nlattr *list;
2643 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2644
2645 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2646 if (nlh == NULL)
2647 goto nla_put_failure;
2648
2649 nfmsg = nlmsg_data(nlh);
2650 nfmsg->nfgen_family = family;
2651 nfmsg->version = NFNETLINK_V0;
2652 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2653
2654 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2655 goto nla_put_failure;
2656 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2657 goto nla_put_failure;
2658 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2659 NFTA_RULE_PAD))
2660 goto nla_put_failure;
2661
2662 if (event != NFT_MSG_DELRULE && prule) {
2663 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2664 cpu_to_be64(prule->handle),
2665 NFTA_RULE_PAD))
2666 goto nla_put_failure;
2667 }
2668
2669 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2670 if (list == NULL)
2671 goto nla_put_failure;
2672 nft_rule_for_each_expr(expr, next, rule) {
2673 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2674 goto nla_put_failure;
2675 }
2676 nla_nest_end(skb, list);
2677
2678 if (rule->udata) {
2679 struct nft_userdata *udata = nft_userdata(rule);
2680 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2681 udata->data) < 0)
2682 goto nla_put_failure;
2683 }
2684
2685 nlmsg_end(skb, nlh);
2686 return 0;
2687
2688nla_put_failure:
2689 nlmsg_trim(skb, nlh);
2690 return -1;
2691}
2692
2693static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2694 const struct nft_rule *rule, int event)
2695{
2696 struct sk_buff *skb;
2697 int err;
2698 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
2699 ctx->table->name, ctx->table->handle,
2700 ctx->chain->name, ctx->chain->handle);
2701
2702 audit_log_nfcfg(buf,
2703 ctx->family,
2704 rule->handle,
2705 event == NFT_MSG_NEWRULE ?
2706 AUDIT_NFT_OP_RULE_REGISTER :
2707 AUDIT_NFT_OP_RULE_UNREGISTER,
2708 GFP_KERNEL);
2709 kfree(buf);
2710
2711 if (!ctx->report &&
2712 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2713 return;
2714
2715 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2716 if (skb == NULL)
2717 goto err;
2718
2719 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2720 event, 0, ctx->family, ctx->table,
2721 ctx->chain, rule, NULL);
2722 if (err < 0) {
2723 kfree_skb(skb);
2724 goto err;
2725 }
2726
2727 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft_notify_list);
2728 return;
2729err:
2730 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2731}
2732
2733struct nft_rule_dump_ctx {
2734 char *table;
2735 char *chain;
2736};
2737
2738static int __nf_tables_dump_rules(struct sk_buff *skb,
2739 unsigned int *idx,
2740 struct netlink_callback *cb,
2741 const struct nft_table *table,
2742 const struct nft_chain *chain)
2743{
2744 struct net *net = sock_net(skb->sk);
2745 const struct nft_rule *rule, *prule;
2746 unsigned int s_idx = cb->args[0];
2747
2748 prule = NULL;
2749 list_for_each_entry_rcu(rule, &chain->rules, list) {
2750 if (!nft_is_active(net, rule))
2751 goto cont_skip;
2752 if (*idx < s_idx)
2753 goto cont;
2754 if (*idx > s_idx) {
2755 memset(&cb->args[1], 0,
2756 sizeof(cb->args) - sizeof(cb->args[0]));
2757 }
2758 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2759 cb->nlh->nlmsg_seq,
2760 NFT_MSG_NEWRULE,
2761 NLM_F_MULTI | NLM_F_APPEND,
2762 table->family,
2763 table, chain, rule, prule) < 0)
2764 return 1;
2765
2766 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2767cont:
2768 prule = rule;
2769cont_skip:
2770 (*idx)++;
2771 }
2772 return 0;
2773}
2774
2775static int nf_tables_dump_rules(struct sk_buff *skb,
2776 struct netlink_callback *cb)
2777{
2778 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2779 const struct nft_rule_dump_ctx *ctx = cb->data;
2780 struct nft_table *table;
2781 const struct nft_chain *chain;
2782 unsigned int idx = 0;
2783 struct net *net = sock_net(skb->sk);
2784 int family = nfmsg->nfgen_family;
2785
2786 rcu_read_lock();
2787 cb->seq = net->nft.base_seq;
2788
2789 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2790 if (family != NFPROTO_UNSPEC && family != table->family)
2791 continue;
2792
2793 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2794 continue;
2795
2796 if (ctx && ctx->table && ctx->chain) {
2797 struct rhlist_head *list, *tmp;
2798
2799 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2800 nft_chain_ht_params);
2801 if (!list)
2802 goto done;
2803
2804 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2805 if (!nft_is_active(net, chain))
2806 continue;
2807 __nf_tables_dump_rules(skb, &idx,
2808 cb, table, chain);
2809 break;
2810 }
2811 goto done;
2812 }
2813
2814 list_for_each_entry_rcu(chain, &table->chains, list) {
2815 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2816 goto done;
2817 }
2818
2819 if (ctx && ctx->table)
2820 break;
2821 }
2822done:
2823 rcu_read_unlock();
2824
2825 cb->args[0] = idx;
2826 return skb->len;
2827}
2828
2829static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2830{
2831 const struct nlattr * const *nla = cb->data;
2832 struct nft_rule_dump_ctx *ctx = NULL;
2833
2834 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2835 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2836 if (!ctx)
2837 return -ENOMEM;
2838
2839 if (nla[NFTA_RULE_TABLE]) {
2840 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2841 GFP_ATOMIC);
2842 if (!ctx->table) {
2843 kfree(ctx);
2844 return -ENOMEM;
2845 }
2846 }
2847 if (nla[NFTA_RULE_CHAIN]) {
2848 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2849 GFP_ATOMIC);
2850 if (!ctx->chain) {
2851 kfree(ctx->table);
2852 kfree(ctx);
2853 return -ENOMEM;
2854 }
2855 }
2856 }
2857
2858 cb->data = ctx;
2859 return 0;
2860}
2861
2862static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2863{
2864 struct nft_rule_dump_ctx *ctx = cb->data;
2865
2866 if (ctx) {
2867 kfree(ctx->table);
2868 kfree(ctx->chain);
2869 kfree(ctx);
2870 }
2871 return 0;
2872}
2873
2874
2875static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2876 struct sk_buff *skb, const struct nlmsghdr *nlh,
2877 const struct nlattr * const nla[],
2878 struct netlink_ext_ack *extack)
2879{
2880 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2881 u8 genmask = nft_genmask_cur(net);
2882 const struct nft_chain *chain;
2883 const struct nft_rule *rule;
2884 struct nft_table *table;
2885 struct sk_buff *skb2;
2886 int family = nfmsg->nfgen_family;
2887 int err;
2888
2889 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2890 struct netlink_dump_control c = {
2891 .start= nf_tables_dump_rules_start,
2892 .dump = nf_tables_dump_rules,
2893 .done = nf_tables_dump_rules_done,
2894 .module = THIS_MODULE,
2895 .data = (void *)nla,
2896 };
2897
2898 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2899 }
2900
2901 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2902 if (IS_ERR(table)) {
2903 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2904 return PTR_ERR(table);
2905 }
2906
2907 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2908 if (IS_ERR(chain)) {
2909 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2910 return PTR_ERR(chain);
2911 }
2912
2913 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2914 if (IS_ERR(rule)) {
2915 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2916 return PTR_ERR(rule);
2917 }
2918
2919 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2920 if (!skb2)
2921 return -ENOMEM;
2922
2923 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2924 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2925 family, table, chain, rule, NULL);
2926 if (err < 0)
2927 goto err_fill_rule_info;
2928
2929 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2930
2931err_fill_rule_info:
2932 kfree_skb(skb2);
2933 return err;
2934}
2935
2936static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2937 struct nft_rule *rule)
2938{
2939 struct nft_expr *expr, *next;
2940
2941
2942
2943
2944
2945 expr = nft_expr_first(rule);
2946 while (expr != nft_expr_last(rule) && expr->ops) {
2947 next = nft_expr_next(expr);
2948 nf_tables_expr_destroy(ctx, expr);
2949 expr = next;
2950 }
2951 kfree(rule);
2952}
2953
2954static void nf_tables_rule_release(const struct nft_ctx *ctx,
2955 struct nft_rule *rule)
2956{
2957 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2958 nf_tables_rule_destroy(ctx, rule);
2959}
2960
2961int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2962{
2963 struct nft_expr *expr, *last;
2964 const struct nft_data *data;
2965 struct nft_rule *rule;
2966 int err;
2967
2968 if (ctx->level == NFT_JUMP_STACK_SIZE)
2969 return -EMLINK;
2970
2971 list_for_each_entry(rule, &chain->rules, list) {
2972 if (!nft_is_active_next(ctx->net, rule))
2973 continue;
2974
2975 nft_rule_for_each_expr(expr, last, rule) {
2976 if (!expr->ops->validate)
2977 continue;
2978
2979 err = expr->ops->validate(ctx, expr, &data);
2980 if (err < 0)
2981 return err;
2982 }
2983 }
2984
2985 return 0;
2986}
2987EXPORT_SYMBOL_GPL(nft_chain_validate);
2988
2989static int nft_table_validate(struct net *net, const struct nft_table *table)
2990{
2991 struct nft_chain *chain;
2992 struct nft_ctx ctx = {
2993 .net = net,
2994 .family = table->family,
2995 };
2996 int err;
2997
2998 list_for_each_entry(chain, &table->chains, list) {
2999 if (!nft_is_base_chain(chain))
3000 continue;
3001
3002 ctx.chain = chain;
3003 err = nft_chain_validate(&ctx, chain);
3004 if (err < 0)
3005 return err;
3006 }
3007
3008 return 0;
3009}
3010
3011static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3012 const struct nlattr *nla);
3013
3014#define NFT_RULE_MAXEXPRS 128
3015
3016static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3017 struct sk_buff *skb, const struct nlmsghdr *nlh,
3018 const struct nlattr * const nla[],
3019 struct netlink_ext_ack *extack)
3020{
3021 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3022 u8 genmask = nft_genmask_next(net);
3023 struct nft_expr_info *info = NULL;
3024 int family = nfmsg->nfgen_family;
3025 struct nft_flow_rule *flow;
3026 struct nft_table *table;
3027 struct nft_chain *chain;
3028 struct nft_rule *rule, *old_rule = NULL;
3029 struct nft_userdata *udata;
3030 struct nft_trans *trans = NULL;
3031 struct nft_expr *expr;
3032 struct nft_ctx ctx;
3033 struct nlattr *tmp;
3034 unsigned int size, i, n, ulen = 0, usize = 0;
3035 int err, rem;
3036 u64 handle, pos_handle;
3037
3038 lockdep_assert_held(&net->nft_commit_mutex);
3039
3040 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3041 if (IS_ERR(table)) {
3042 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3043 return PTR_ERR(table);
3044 }
3045
3046 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3047 if (IS_ERR(chain)) {
3048 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3049 return PTR_ERR(chain);
3050 }
3051
3052 if (nla[NFTA_RULE_HANDLE]) {
3053 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3054 rule = __nft_rule_lookup(chain, handle);
3055 if (IS_ERR(rule)) {
3056 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3057 return PTR_ERR(rule);
3058 }
3059
3060 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3061 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3062 return -EEXIST;
3063 }
3064 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3065 old_rule = rule;
3066 else
3067 return -EOPNOTSUPP;
3068 } else {
3069 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3070 nlh->nlmsg_flags & NLM_F_REPLACE)
3071 return -EINVAL;
3072 handle = nf_tables_alloc_handle(table);
3073
3074 if (chain->use == UINT_MAX)
3075 return -EOVERFLOW;
3076
3077 if (nla[NFTA_RULE_POSITION]) {
3078 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3079 old_rule = __nft_rule_lookup(chain, pos_handle);
3080 if (IS_ERR(old_rule)) {
3081 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3082 return PTR_ERR(old_rule);
3083 }
3084 } else if (nla[NFTA_RULE_POSITION_ID]) {
3085 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3086 if (IS_ERR(old_rule)) {
3087 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3088 return PTR_ERR(old_rule);
3089 }
3090 }
3091 }
3092
3093 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3094
3095 n = 0;
3096 size = 0;
3097 if (nla[NFTA_RULE_EXPRESSIONS]) {
3098 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3099 sizeof(struct nft_expr_info),
3100 GFP_KERNEL);
3101 if (!info)
3102 return -ENOMEM;
3103
3104 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3105 err = -EINVAL;
3106 if (nla_type(tmp) != NFTA_LIST_ELEM)
3107 goto err1;
3108 if (n == NFT_RULE_MAXEXPRS)
3109 goto err1;
3110 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3111 if (err < 0)
3112 goto err1;
3113 size += info[n].ops->size;
3114 n++;
3115 }
3116 }
3117
3118 err = -EFBIG;
3119 if (size >= 1 << 12)
3120 goto err1;
3121
3122 if (nla[NFTA_RULE_USERDATA]) {
3123 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3124 if (ulen > 0)
3125 usize = sizeof(struct nft_userdata) + ulen;
3126 }
3127
3128 err = -ENOMEM;
3129 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3130 if (rule == NULL)
3131 goto err1;
3132
3133 nft_activate_next(net, rule);
3134
3135 rule->handle = handle;
3136 rule->dlen = size;
3137 rule->udata = ulen ? 1 : 0;
3138
3139 if (ulen) {
3140 udata = nft_userdata(rule);
3141 udata->len = ulen - 1;
3142 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3143 }
3144
3145 expr = nft_expr_first(rule);
3146 for (i = 0; i < n; i++) {
3147 err = nf_tables_newexpr(&ctx, &info[i], expr);
3148 if (err < 0)
3149 goto err2;
3150
3151 if (info[i].ops->validate)
3152 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3153
3154 info[i].ops = NULL;
3155 expr = nft_expr_next(expr);
3156 }
3157
3158 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3159 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3160 if (trans == NULL) {
3161 err = -ENOMEM;
3162 goto err2;
3163 }
3164 err = nft_delrule(&ctx, old_rule);
3165 if (err < 0) {
3166 nft_trans_destroy(trans);
3167 goto err2;
3168 }
3169
3170 list_add_tail_rcu(&rule->list, &old_rule->list);
3171 } else {
3172 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3173 if (!trans) {
3174 err = -ENOMEM;
3175 goto err2;
3176 }
3177
3178 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3179 if (old_rule)
3180 list_add_rcu(&rule->list, &old_rule->list);
3181 else
3182 list_add_tail_rcu(&rule->list, &chain->rules);
3183 } else {
3184 if (old_rule)
3185 list_add_tail_rcu(&rule->list, &old_rule->list);
3186 else
3187 list_add_rcu(&rule->list, &chain->rules);
3188 }
3189 }
3190 kvfree(info);
3191 chain->use++;
3192
3193 if (net->nft.validate_state == NFT_VALIDATE_DO)
3194 return nft_table_validate(net, table);
3195
3196 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3197 flow = nft_flow_rule_create(net, rule);
3198 if (IS_ERR(flow))
3199 return PTR_ERR(flow);
3200
3201 nft_trans_flow_rule(trans) = flow;
3202 }
3203
3204 return 0;
3205err2:
3206 nf_tables_rule_release(&ctx, rule);
3207err1:
3208 for (i = 0; i < n; i++) {
3209 if (info[i].ops) {
3210 module_put(info[i].ops->type->owner);
3211 if (info[i].ops->type->release_ops)
3212 info[i].ops->type->release_ops(info[i].ops);
3213 }
3214 }
3215 kvfree(info);
3216 return err;
3217}
3218
3219static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3220 const struct nlattr *nla)
3221{
3222 u32 id = ntohl(nla_get_be32(nla));
3223 struct nft_trans *trans;
3224
3225 list_for_each_entry(trans, &net->nft.commit_list, list) {
3226 struct nft_rule *rule = nft_trans_rule(trans);
3227
3228 if (trans->msg_type == NFT_MSG_NEWRULE &&
3229 id == nft_trans_rule_id(trans))
3230 return rule;
3231 }
3232 return ERR_PTR(-ENOENT);
3233}
3234
3235static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3236 struct sk_buff *skb, const struct nlmsghdr *nlh,
3237 const struct nlattr * const nla[],
3238 struct netlink_ext_ack *extack)
3239{
3240 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3241 u8 genmask = nft_genmask_next(net);
3242 struct nft_table *table;
3243 struct nft_chain *chain = NULL;
3244 struct nft_rule *rule;
3245 int family = nfmsg->nfgen_family, err = 0;
3246 struct nft_ctx ctx;
3247
3248 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3249 if (IS_ERR(table)) {
3250 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3251 return PTR_ERR(table);
3252 }
3253
3254 if (nla[NFTA_RULE_CHAIN]) {
3255 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3256 genmask);
3257 if (IS_ERR(chain)) {
3258 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3259 return PTR_ERR(chain);
3260 }
3261 }
3262
3263 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3264
3265 if (chain) {
3266 if (nla[NFTA_RULE_HANDLE]) {
3267 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3268 if (IS_ERR(rule)) {
3269 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3270 return PTR_ERR(rule);
3271 }
3272
3273 err = nft_delrule(&ctx, rule);
3274 } else if (nla[NFTA_RULE_ID]) {
3275 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3276 if (IS_ERR(rule)) {
3277 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3278 return PTR_ERR(rule);
3279 }
3280
3281 err = nft_delrule(&ctx, rule);
3282 } else {
3283 err = nft_delrule_by_chain(&ctx);
3284 }
3285 } else {
3286 list_for_each_entry(chain, &table->chains, list) {
3287 if (!nft_is_active_next(net, chain))
3288 continue;
3289
3290 ctx.chain = chain;
3291 err = nft_delrule_by_chain(&ctx);
3292 if (err < 0)
3293 break;
3294 }
3295 }
3296
3297 return err;
3298}
3299
3300
3301
3302
3303
3304static LIST_HEAD(nf_tables_set_types);
3305
3306int nft_register_set(struct nft_set_type *type)
3307{
3308 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3309 list_add_tail_rcu(&type->list, &nf_tables_set_types);
3310 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3311 return 0;
3312}
3313EXPORT_SYMBOL_GPL(nft_register_set);
3314
3315void nft_unregister_set(struct nft_set_type *type)
3316{
3317 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3318 list_del_rcu(&type->list);
3319 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3320}
3321EXPORT_SYMBOL_GPL(nft_unregister_set);
3322
3323#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3324 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3325 NFT_SET_EVAL)
3326
3327static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3328{
3329 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3330}
3331
3332
3333
3334
3335
3336
3337static const struct nft_set_ops *
3338nft_select_set_ops(const struct nft_ctx *ctx,
3339 const struct nlattr * const nla[],
3340 const struct nft_set_desc *desc,
3341 enum nft_set_policies policy)
3342{
3343 const struct nft_set_ops *ops, *bops;
3344 struct nft_set_estimate est, best;
3345 const struct nft_set_type *type;
3346 u32 flags = 0;
3347
3348 lockdep_assert_held(&ctx->net->nft_commit_mutex);
3349 lockdep_nfnl_nft_mutex_not_held();
3350#ifdef CONFIG_MODULES
3351 if (list_empty(&nf_tables_set_types)) {
3352 if (nft_request_module(ctx->net, "nft-set") == -EAGAIN)
3353 return ERR_PTR(-EAGAIN);
3354 }
3355#endif
3356 if (nla[NFTA_SET_FLAGS] != NULL)
3357 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3358
3359 bops = NULL;
3360 best.size = ~0;
3361 best.lookup = ~0;
3362 best.space = ~0;
3363
3364 list_for_each_entry(type, &nf_tables_set_types, list) {
3365 ops = &type->ops;
3366
3367 if (!nft_set_ops_candidate(type, flags))
3368 continue;
3369 if (!ops->estimate(desc, flags, &est))
3370 continue;
3371
3372 switch (policy) {
3373 case NFT_SET_POL_PERFORMANCE:
3374 if (est.lookup < best.lookup)
3375 break;
3376 if (est.lookup == best.lookup &&
3377 est.space < best.space)
3378 break;
3379 continue;
3380 case NFT_SET_POL_MEMORY:
3381 if (!desc->size) {
3382 if (est.space < best.space)
3383 break;
3384 if (est.space == best.space &&
3385 est.lookup < best.lookup)
3386 break;
3387 } else if (est.size < best.size || !bops) {
3388 break;
3389 }
3390 continue;
3391 default:
3392 break;
3393 }
3394
3395 if (!try_module_get(type->owner))
3396 continue;
3397 if (bops != NULL)
3398 module_put(to_set_type(bops)->owner);
3399
3400 bops = ops;
3401 best = est;
3402 }
3403
3404 if (bops != NULL)
3405 return bops;
3406
3407 return ERR_PTR(-EOPNOTSUPP);
3408}
3409
3410static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3411 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3412 .len = NFT_TABLE_MAXNAMELEN - 1 },
3413 [NFTA_SET_NAME] = { .type = NLA_STRING,
3414 .len = NFT_SET_MAXNAMELEN - 1 },
3415 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3416 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3417 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3418 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3419 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3420 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3421 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3422 [NFTA_SET_ID] = { .type = NLA_U32 },
3423 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3424 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3425 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3426 .len = NFT_USERDATA_MAXLEN },
3427 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3428 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3429};
3430
3431static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3432 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3433 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3434};
3435
3436static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3437 const struct sk_buff *skb,
3438 const struct nlmsghdr *nlh,
3439 const struct nlattr * const nla[],
3440 struct netlink_ext_ack *extack,
3441 u8 genmask)
3442{
3443 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3444 int family = nfmsg->nfgen_family;
3445 struct nft_table *table = NULL;
3446
3447 if (nla[NFTA_SET_TABLE] != NULL) {
3448 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3449 genmask);
3450 if (IS_ERR(table)) {
3451 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3452 return PTR_ERR(table);
3453 }
3454 }
3455
3456 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3457 return 0;
3458}
3459
3460static struct nft_set *nft_set_lookup(const struct nft_table *table,
3461 const struct nlattr *nla, u8 genmask)
3462{
3463 struct nft_set *set;
3464
3465 if (nla == NULL)
3466 return ERR_PTR(-EINVAL);
3467
3468 list_for_each_entry_rcu(set, &table->sets, list) {
3469 if (!nla_strcmp(nla, set->name) &&
3470 nft_active_genmask(set, genmask))
3471 return set;
3472 }
3473 return ERR_PTR(-ENOENT);
3474}
3475
3476static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3477 const struct nlattr *nla,
3478 u8 genmask)
3479{
3480 struct nft_set *set;
3481
3482 list_for_each_entry(set, &table->sets, list) {
3483 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3484 nft_active_genmask(set, genmask))
3485 return set;
3486 }
3487 return ERR_PTR(-ENOENT);
3488}
3489
3490static struct nft_set *nft_set_lookup_byid(const struct net *net,
3491 const struct nlattr *nla, u8 genmask)
3492{
3493 struct nft_trans *trans;
3494 u32 id = ntohl(nla_get_be32(nla));
3495
3496 list_for_each_entry(trans, &net->nft.commit_list, list) {
3497 if (trans->msg_type == NFT_MSG_NEWSET) {
3498 struct nft_set *set = nft_trans_set(trans);
3499
3500 if (id == nft_trans_set_id(trans) &&
3501 nft_active_genmask(set, genmask))
3502 return set;
3503 }
3504 }
3505 return ERR_PTR(-ENOENT);
3506}
3507
3508struct nft_set *nft_set_lookup_global(const struct net *net,
3509 const struct nft_table *table,
3510 const struct nlattr *nla_set_name,
3511 const struct nlattr *nla_set_id,
3512 u8 genmask)
3513{
3514 struct nft_set *set;
3515
3516 set = nft_set_lookup(table, nla_set_name, genmask);
3517 if (IS_ERR(set)) {
3518 if (!nla_set_id)
3519 return set;
3520
3521 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3522 }
3523 return set;
3524}
3525EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3526
3527static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3528 const char *name)
3529{
3530 const struct nft_set *i;
3531 const char *p;
3532 unsigned long *inuse;
3533 unsigned int n = 0, min = 0;
3534
3535 p = strchr(name, '%');
3536 if (p != NULL) {
3537 if (p[1] != 'd' || strchr(p + 2, '%'))
3538 return -EINVAL;
3539
3540 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3541 if (inuse == NULL)
3542 return -ENOMEM;
3543cont:
3544 list_for_each_entry(i, &ctx->table->sets, list) {
3545 int tmp;
3546
3547 if (!nft_is_active_next(ctx->net, set))
3548 continue;
3549 if (!sscanf(i->name, name, &tmp))
3550 continue;
3551 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3552 continue;
3553
3554 set_bit(tmp - min, inuse);
3555 }
3556
3557 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3558 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3559 min += BITS_PER_BYTE * PAGE_SIZE;
3560 memset(inuse, 0, PAGE_SIZE);
3561 goto cont;
3562 }
3563 free_page((unsigned long)inuse);
3564 }
3565
3566 set->name = kasprintf(GFP_KERNEL, name, min + n);
3567 if (!set->name)
3568 return -ENOMEM;
3569
3570 list_for_each_entry(i, &ctx->table->sets, list) {
3571 if (!nft_is_active_next(ctx->net, i))
3572 continue;
3573 if (!strcmp(set->name, i->name)) {
3574 kfree(set->name);
3575 return -ENFILE;
3576 }
3577 }
3578 return 0;
3579}
3580
3581static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3582{
3583 u64 ms = be64_to_cpu(nla_get_be64(nla));
3584 u64 max = (u64)(~((u64)0));
3585
3586 max = div_u64(max, NSEC_PER_MSEC);
3587 if (ms >= max)
3588 return -ERANGE;
3589
3590 ms *= NSEC_PER_MSEC;
3591 *result = nsecs_to_jiffies64(ms);
3592 return 0;
3593}
3594
3595static __be64 nf_jiffies64_to_msecs(u64 input)
3596{
3597 u64 ms = jiffies64_to_nsecs(input);
3598
3599 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
3600}
3601
3602static int nf_tables_fill_set_concat(struct sk_buff *skb,
3603 const struct nft_set *set)
3604{
3605 struct nlattr *concat, *field;
3606 int i;
3607
3608 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3609 if (!concat)
3610 return -ENOMEM;
3611
3612 for (i = 0; i < set->field_count; i++) {
3613 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3614 if (!field)
3615 return -ENOMEM;
3616
3617 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3618 htonl(set->field_len[i])))
3619 return -ENOMEM;
3620
3621 nla_nest_end(skb, field);
3622 }
3623
3624 nla_nest_end(skb, concat);
3625
3626 return 0;
3627}
3628
3629static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3630 const struct nft_set *set, u16 event, u16 flags)
3631{
3632 struct nfgenmsg *nfmsg;
3633 struct nlmsghdr *nlh;
3634 struct nlattr *desc;
3635 u32 portid = ctx->portid;
3636 u32 seq = ctx->seq;
3637
3638 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3639 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3640 flags);
3641 if (nlh == NULL)
3642 goto nla_put_failure;
3643
3644 nfmsg = nlmsg_data(nlh);
3645 nfmsg->nfgen_family = ctx->family;
3646 nfmsg->version = NFNETLINK_V0;
3647 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3648
3649 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3650 goto nla_put_failure;
3651 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3652 goto nla_put_failure;
3653 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3654 NFTA_SET_PAD))
3655 goto nla_put_failure;
3656 if (set->flags != 0)
3657 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3658 goto nla_put_failure;
3659
3660 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3661 goto nla_put_failure;
3662 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3663 goto nla_put_failure;
3664 if (set->flags & NFT_SET_MAP) {
3665 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3666 goto nla_put_failure;
3667 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3668 goto nla_put_failure;
3669 }
3670 if (set->flags & NFT_SET_OBJECT &&
3671 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3672 goto nla_put_failure;
3673
3674 if (set->timeout &&
3675 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3676 nf_jiffies64_to_msecs(set->timeout),
3677 NFTA_SET_PAD))
3678 goto nla_put_failure;
3679 if (set->gc_int &&
3680 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3681 goto nla_put_failure;
3682
3683 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3684 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3685 goto nla_put_failure;
3686 }
3687
3688 if (set->udata &&
3689 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3690 goto nla_put_failure;
3691
3692 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3693
3694 if (desc == NULL)
3695 goto nla_put_failure;
3696 if (set->size &&
3697 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3698 goto nla_put_failure;
3699
3700 if (set->field_count > 1 &&
3701 nf_tables_fill_set_concat(skb, set))
3702 goto nla_put_failure;
3703
3704 nla_nest_end(skb, desc);
3705
3706 nlmsg_end(skb, nlh);
3707 return 0;
3708
3709nla_put_failure:
3710 nlmsg_trim(skb, nlh);
3711 return -1;
3712}
3713
3714static void nf_tables_set_notify(const struct nft_ctx *ctx,
3715 const struct nft_set *set, int event,
3716 gfp_t gfp_flags)
3717{
3718 struct sk_buff *skb;
3719 u32 portid = ctx->portid;
3720 int err;
3721 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu",
3722 ctx->table->name, ctx->table->handle,
3723 set->name, set->handle);
3724
3725 audit_log_nfcfg(buf,
3726 ctx->family,
3727 set->field_count,
3728 event == NFT_MSG_NEWSET ?
3729 AUDIT_NFT_OP_SET_REGISTER :
3730 AUDIT_NFT_OP_SET_UNREGISTER,
3731 gfp_flags);
3732 kfree(buf);
3733
3734 if (!ctx->report &&
3735 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3736 return;
3737
3738 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3739 if (skb == NULL)
3740 goto err;
3741
3742 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3743 if (err < 0) {
3744 kfree_skb(skb);
3745 goto err;
3746 }
3747
3748 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft_notify_list);
3749 return;
3750err:
3751 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3752}
3753
3754static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3755{
3756 const struct nft_set *set;
3757 unsigned int idx, s_idx = cb->args[0];
3758 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3759 struct net *net = sock_net(skb->sk);
3760 struct nft_ctx *ctx = cb->data, ctx_set;
3761
3762 if (cb->args[1])
3763 return skb->len;
3764
3765 rcu_read_lock();
3766 cb->seq = net->nft.base_seq;
3767
3768 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3769 if (ctx->family != NFPROTO_UNSPEC &&
3770 ctx->family != table->family)
3771 continue;
3772
3773 if (ctx->table && ctx->table != table)
3774 continue;
3775
3776 if (cur_table) {
3777 if (cur_table != table)
3778 continue;
3779
3780 cur_table = NULL;
3781 }
3782 idx = 0;
3783 list_for_each_entry_rcu(set, &table->sets, list) {
3784 if (idx < s_idx)
3785 goto cont;
3786 if (!nft_is_active(net, set))
3787 goto cont;
3788
3789 ctx_set = *ctx;
3790 ctx_set.table = table;
3791 ctx_set.family = table->family;
3792
3793 if (nf_tables_fill_set(skb, &ctx_set, set,
3794 NFT_MSG_NEWSET,
3795 NLM_F_MULTI) < 0) {
3796 cb->args[0] = idx;
3797 cb->args[2] = (unsigned long) table;
3798 goto done;
3799 }
3800 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3801cont:
3802 idx++;
3803 }
3804 if (s_idx)
3805 s_idx = 0;
3806 }
3807 cb->args[1] = 1;
3808done:
3809 rcu_read_unlock();
3810 return skb->len;
3811}
3812
3813static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3814{
3815 struct nft_ctx *ctx_dump = NULL;
3816
3817 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3818 if (ctx_dump == NULL)
3819 return -ENOMEM;
3820
3821 cb->data = ctx_dump;
3822 return 0;
3823}
3824
3825static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3826{
3827 kfree(cb->data);
3828 return 0;
3829}
3830
3831
3832static int nf_tables_getset(struct net *net, struct sock *nlsk,
3833 struct sk_buff *skb, const struct nlmsghdr *nlh,
3834 const struct nlattr * const nla[],
3835 struct netlink_ext_ack *extack)
3836{
3837 u8 genmask = nft_genmask_cur(net);
3838 const struct nft_set *set;
3839 struct nft_ctx ctx;
3840 struct sk_buff *skb2;
3841 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3842 int err;
3843
3844
3845 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3846 genmask);
3847 if (err < 0)
3848 return err;
3849
3850 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3851 struct netlink_dump_control c = {
3852 .start = nf_tables_dump_sets_start,
3853 .dump = nf_tables_dump_sets,
3854 .done = nf_tables_dump_sets_done,
3855 .data = &ctx,
3856 .module = THIS_MODULE,
3857 };
3858
3859 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3860 }
3861
3862
3863 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3864 return -EAFNOSUPPORT;
3865 if (!nla[NFTA_SET_TABLE])
3866 return -EINVAL;
3867
3868 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3869 if (IS_ERR(set))
3870 return PTR_ERR(set);
3871
3872 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3873 if (skb2 == NULL)
3874 return -ENOMEM;
3875
3876 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3877 if (err < 0)
3878 goto err_fill_set_info;
3879
3880 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3881
3882err_fill_set_info:
3883 kfree_skb(skb2);
3884 return err;
3885}
3886
3887static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
3888 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
3889};
3890
3891static int nft_set_desc_concat_parse(const struct nlattr *attr,
3892 struct nft_set_desc *desc)
3893{
3894 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
3895 u32 len;
3896 int err;
3897
3898 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
3899 nft_concat_policy, NULL);
3900 if (err < 0)
3901 return err;
3902
3903 if (!tb[NFTA_SET_FIELD_LEN])
3904 return -EINVAL;
3905
3906 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
3907
3908 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
3909 return -E2BIG;
3910
3911 desc->field_len[desc->field_count++] = len;
3912
3913 return 0;
3914}
3915
3916static int nft_set_desc_concat(struct nft_set_desc *desc,
3917 const struct nlattr *nla)
3918{
3919 struct nlattr *attr;
3920 int rem, err;
3921
3922 nla_for_each_nested(attr, nla, rem) {
3923 if (nla_type(attr) != NFTA_LIST_ELEM)
3924 return -EINVAL;
3925
3926 err = nft_set_desc_concat_parse(attr, desc);
3927 if (err < 0)
3928 return err;
3929 }
3930
3931 return 0;
3932}
3933
3934static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3935 const struct nlattr *nla)
3936{
3937 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3938 int err;
3939
3940 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3941 nft_set_desc_policy, NULL);
3942 if (err < 0)
3943 return err;
3944
3945 if (da[NFTA_SET_DESC_SIZE] != NULL)
3946 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3947 if (da[NFTA_SET_DESC_CONCAT])
3948 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
3949
3950 return err;
3951}
3952
3953static int nf_tables_newset(struct net *net, struct sock *nlsk,
3954 struct sk_buff *skb, const struct nlmsghdr *nlh,
3955 const struct nlattr * const nla[],
3956 struct netlink_ext_ack *extack)
3957{
3958 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3959 u8 genmask = nft_genmask_next(net);
3960 int family = nfmsg->nfgen_family;
3961 const struct nft_set_ops *ops;
3962 struct nft_table *table;
3963 struct nft_set *set;
3964 struct nft_ctx ctx;
3965 char *name;
3966 u64 size;
3967 u64 timeout;
3968 u32 ktype, dtype, flags, policy, gc_int, objtype;
3969 struct nft_set_desc desc;
3970 unsigned char *udata;
3971 u16 udlen;
3972 int err;
3973 int i;
3974
3975 if (nla[NFTA_SET_TABLE] == NULL ||
3976 nla[NFTA_SET_NAME] == NULL ||
3977 nla[NFTA_SET_KEY_LEN] == NULL ||
3978 nla[NFTA_SET_ID] == NULL)
3979 return -EINVAL;
3980
3981 memset(&desc, 0, sizeof(desc));
3982
3983 ktype = NFT_DATA_VALUE;
3984 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3985 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3986 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3987 return -EINVAL;
3988 }
3989
3990 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3991 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3992 return -EINVAL;
3993
3994 flags = 0;
3995 if (nla[NFTA_SET_FLAGS] != NULL) {
3996 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3997 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3998 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3999 NFT_SET_MAP | NFT_SET_EVAL |
4000 NFT_SET_OBJECT | NFT_SET_CONCAT))
4001 return -EOPNOTSUPP;
4002
4003 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4004 (NFT_SET_MAP | NFT_SET_OBJECT))
4005 return -EOPNOTSUPP;
4006 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4007 (NFT_SET_EVAL | NFT_SET_OBJECT))
4008 return -EOPNOTSUPP;
4009 }
4010
4011 dtype = 0;
4012 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4013 if (!(flags & NFT_SET_MAP))
4014 return -EINVAL;
4015
4016 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4017 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4018 dtype != NFT_DATA_VERDICT)
4019 return -EINVAL;
4020
4021 if (dtype != NFT_DATA_VERDICT) {
4022 if (nla[NFTA_SET_DATA_LEN] == NULL)
4023 return -EINVAL;
4024 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4025 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4026 return -EINVAL;
4027 } else
4028 desc.dlen = sizeof(struct nft_verdict);
4029 } else if (flags & NFT_SET_MAP)
4030 return -EINVAL;
4031
4032 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4033 if (!(flags & NFT_SET_OBJECT))
4034 return -EINVAL;
4035
4036 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4037 if (objtype == NFT_OBJECT_UNSPEC ||
4038 objtype > NFT_OBJECT_MAX)
4039 return -EOPNOTSUPP;
4040 } else if (flags & NFT_SET_OBJECT)
4041 return -EINVAL;
4042 else
4043 objtype = NFT_OBJECT_UNSPEC;
4044
4045 timeout = 0;
4046 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4047 if (!(flags & NFT_SET_TIMEOUT))
4048 return -EINVAL;
4049
4050 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4051 if (err)
4052 return err;
4053 }
4054 gc_int = 0;
4055 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4056 if (!(flags & NFT_SET_TIMEOUT))
4057 return -EINVAL;
4058 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4059 }
4060
4061 policy = NFT_SET_POL_PERFORMANCE;
4062 if (nla[NFTA_SET_POLICY] != NULL)
4063 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4064
4065 if (nla[NFTA_SET_DESC] != NULL) {
4066 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4067 if (err < 0)
4068 return err;
4069 }
4070
4071 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4072 if (IS_ERR(table)) {
4073 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4074 return PTR_ERR(table);
4075 }
4076
4077 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4078
4079 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4080 if (IS_ERR(set)) {
4081 if (PTR_ERR(set) != -ENOENT) {
4082 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4083 return PTR_ERR(set);
4084 }
4085 } else {
4086 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4087 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4088 return -EEXIST;
4089 }
4090 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4091 return -EOPNOTSUPP;
4092
4093 return 0;
4094 }
4095
4096 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4097 return -ENOENT;
4098
4099 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4100 if (IS_ERR(ops))
4101 return PTR_ERR(ops);
4102
4103 udlen = 0;
4104 if (nla[NFTA_SET_USERDATA])
4105 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4106
4107 size = 0;
4108 if (ops->privsize != NULL)
4109 size = ops->privsize(nla, &desc);
4110
4111 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4112 if (!set) {
4113 err = -ENOMEM;
4114 goto err1;
4115 }
4116
4117 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4118 if (!name) {
4119 err = -ENOMEM;
4120 goto err2;
4121 }
4122
4123 err = nf_tables_set_alloc_name(&ctx, set, name);
4124 kfree(name);
4125 if (err < 0)
4126 goto err2;
4127
4128 udata = NULL;
4129 if (udlen) {
4130 udata = set->data + size;
4131 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4132 }
4133
4134 INIT_LIST_HEAD(&set->bindings);
4135 set->table = table;
4136 write_pnet(&set->net, net);
4137 set->ops = ops;
4138 set->ktype = ktype;
4139 set->klen = desc.klen;
4140 set->dtype = dtype;
4141 set->objtype = objtype;
4142 set->dlen = desc.dlen;
4143 set->flags = flags;
4144 set->size = desc.size;
4145 set->policy = policy;
4146 set->udlen = udlen;
4147 set->udata = udata;
4148 set->timeout = timeout;
4149 set->gc_int = gc_int;
4150 set->handle = nf_tables_alloc_handle(table);
4151
4152 set->field_count = desc.field_count;
4153 for (i = 0; i < desc.field_count; i++)
4154 set->field_len[i] = desc.field_len[i];
4155
4156 err = ops->init(set, &desc, nla);
4157 if (err < 0)
4158 goto err3;
4159
4160 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4161 if (err < 0)
4162 goto err4;
4163
4164 list_add_tail_rcu(&set->list, &table->sets);
4165 table->use++;
4166 return 0;
4167
4168err4:
4169 ops->destroy(set);
4170err3:
4171 kfree(set->name);
4172err2:
4173 kvfree(set);
4174err1:
4175 module_put(to_set_type(ops)->owner);
4176 return err;
4177}
4178
4179static void nft_set_destroy(struct nft_set *set)
4180{
4181 set->ops->destroy(set);
4182 module_put(to_set_type(set->ops)->owner);
4183 kfree(set->name);
4184 kvfree(set);
4185}
4186
4187static int nf_tables_delset(struct net *net, struct sock *nlsk,
4188 struct sk_buff *skb, const struct nlmsghdr *nlh,
4189 const struct nlattr * const nla[],
4190 struct netlink_ext_ack *extack)
4191{
4192 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4193 u8 genmask = nft_genmask_next(net);
4194 const struct nlattr *attr;
4195 struct nft_set *set;
4196 struct nft_ctx ctx;
4197 int err;
4198
4199 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4200 return -EAFNOSUPPORT;
4201 if (nla[NFTA_SET_TABLE] == NULL)
4202 return -EINVAL;
4203
4204 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4205 genmask);
4206 if (err < 0)
4207 return err;
4208
4209 if (nla[NFTA_SET_HANDLE]) {
4210 attr = nla[NFTA_SET_HANDLE];
4211 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4212 } else {
4213 attr = nla[NFTA_SET_NAME];
4214 set = nft_set_lookup(ctx.table, attr, genmask);
4215 }
4216
4217 if (IS_ERR(set)) {
4218 NL_SET_BAD_ATTR(extack, attr);
4219 return PTR_ERR(set);
4220 }
4221 if (!list_empty(&set->bindings) ||
4222 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4223 NL_SET_BAD_ATTR(extack, attr);
4224 return -EBUSY;
4225 }
4226
4227 return nft_delset(&ctx, set);
4228}
4229
4230static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4231 struct nft_set *set,
4232 const struct nft_set_iter *iter,
4233 struct nft_set_elem *elem)
4234{
4235 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4236 enum nft_registers dreg;
4237
4238 dreg = nft_type_to_reg(set->dtype);
4239 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4240 set->dtype == NFT_DATA_VERDICT ?
4241 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4242 set->dlen);
4243}
4244
4245int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4246 struct nft_set_binding *binding)
4247{
4248 struct nft_set_binding *i;
4249 struct nft_set_iter iter;
4250
4251 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4252 return -EBUSY;
4253
4254 if (binding->flags & NFT_SET_MAP) {
4255
4256
4257
4258 list_for_each_entry(i, &set->bindings, list) {
4259 if (i->flags & NFT_SET_MAP &&
4260 i->chain == binding->chain)
4261 goto bind;
4262 }
4263
4264 iter.genmask = nft_genmask_next(ctx->net);
4265 iter.skip = 0;
4266 iter.count = 0;
4267 iter.err = 0;
4268 iter.fn = nf_tables_bind_check_setelem;
4269
4270 set->ops->walk(ctx, set, &iter);
4271 if (iter.err < 0)
4272 return iter.err;
4273 }
4274bind:
4275 binding->chain = ctx->chain;
4276 list_add_tail_rcu(&binding->list, &set->bindings);
4277 nft_set_trans_bind(ctx, set);
4278
4279 return 0;
4280}
4281EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4282
4283void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4284 struct nft_set_binding *binding, bool event)
4285{
4286 list_del_rcu(&binding->list);
4287
4288 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4289 list_del_rcu(&set->list);
4290 if (event)
4291 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4292 GFP_KERNEL);
4293 }
4294}
4295EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
4296
4297void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4298{
4299 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4300 nft_set_destroy(set);
4301}
4302EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4303
4304const struct nft_set_ext_type nft_set_ext_types[] = {
4305 [NFT_SET_EXT_KEY] = {
4306 .align = __alignof__(u32),
4307 },
4308 [NFT_SET_EXT_DATA] = {
4309 .align = __alignof__(u32),
4310 },
4311 [NFT_SET_EXT_EXPR] = {
4312 .align = __alignof__(struct nft_expr),
4313 },
4314 [NFT_SET_EXT_OBJREF] = {
4315 .len = sizeof(struct nft_object *),
4316 .align = __alignof__(struct nft_object *),
4317 },
4318 [NFT_SET_EXT_FLAGS] = {
4319 .len = sizeof(u8),
4320 .align = __alignof__(u8),
4321 },
4322 [NFT_SET_EXT_TIMEOUT] = {
4323 .len = sizeof(u64),
4324 .align = __alignof__(u64),
4325 },
4326 [NFT_SET_EXT_EXPIRATION] = {
4327 .len = sizeof(u64),
4328 .align = __alignof__(u64),
4329 },
4330 [NFT_SET_EXT_USERDATA] = {
4331 .len = sizeof(struct nft_userdata),
4332 .align = __alignof__(struct nft_userdata),
4333 },
4334 [NFT_SET_EXT_KEY_END] = {
4335 .align = __alignof__(u32),
4336 },
4337};
4338EXPORT_SYMBOL_GPL(nft_set_ext_types);
4339
4340
4341
4342
4343
4344static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4345 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4346 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4347 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4348 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4349 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4350 .len = NFT_USERDATA_MAXLEN },
4351 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4352 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4353 .len = NFT_OBJ_MAXNAMELEN - 1 },
4354 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4355};
4356
4357static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4358 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4359 .len = NFT_TABLE_MAXNAMELEN - 1 },
4360 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4361 .len = NFT_SET_MAXNAMELEN - 1 },
4362 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4363 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4364};
4365
4366static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4367 const struct sk_buff *skb,
4368 const struct nlmsghdr *nlh,
4369 const struct nlattr * const nla[],
4370 struct netlink_ext_ack *extack,
4371 u8 genmask)
4372{
4373 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4374 int family = nfmsg->nfgen_family;
4375 struct nft_table *table;
4376
4377 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4378 genmask);
4379 if (IS_ERR(table)) {
4380 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4381 return PTR_ERR(table);
4382 }
4383
4384 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4385 return 0;
4386}
4387
4388static int nf_tables_fill_setelem(struct sk_buff *skb,
4389 const struct nft_set *set,
4390 const struct nft_set_elem *elem)
4391{
4392 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4393 unsigned char *b = skb_tail_pointer(skb);
4394 struct nlattr *nest;
4395
4396 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4397 if (nest == NULL)
4398 goto nla_put_failure;
4399
4400 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4401 NFT_DATA_VALUE, set->klen) < 0)
4402 goto nla_put_failure;
4403
4404 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4405 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4406 NFT_DATA_VALUE, set->klen) < 0)
4407 goto nla_put_failure;
4408
4409 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4410 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4411 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4412 set->dlen) < 0)
4413 goto nla_put_failure;
4414
4415 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4416 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4417 goto nla_put_failure;
4418
4419 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4420 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4421 (*nft_set_ext_obj(ext))->key.name) < 0)
4422 goto nla_put_failure;
4423
4424 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4425 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4426 htonl(*nft_set_ext_flags(ext))))
4427 goto nla_put_failure;
4428
4429 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4430 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4431 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4432 NFTA_SET_ELEM_PAD))
4433 goto nla_put_failure;
4434
4435 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4436 u64 expires, now = get_jiffies_64();
4437
4438 expires = *nft_set_ext_expiration(ext);
4439 if (time_before64(now, expires))
4440 expires -= now;
4441 else
4442 expires = 0;
4443
4444 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4445 nf_jiffies64_to_msecs(expires),
4446 NFTA_SET_ELEM_PAD))
4447 goto nla_put_failure;
4448 }
4449
4450 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4451 struct nft_userdata *udata;
4452
4453 udata = nft_set_ext_userdata(ext);
4454 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4455 udata->len + 1, udata->data))
4456 goto nla_put_failure;
4457 }
4458
4459 nla_nest_end(skb, nest);
4460 return 0;
4461
4462nla_put_failure:
4463 nlmsg_trim(skb, b);
4464 return -EMSGSIZE;
4465}
4466
4467struct nft_set_dump_args {
4468 const struct netlink_callback *cb;
4469 struct nft_set_iter iter;
4470 struct sk_buff *skb;
4471};
4472
4473static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4474 struct nft_set *set,
4475 const struct nft_set_iter *iter,
4476 struct nft_set_elem *elem)
4477{
4478 struct nft_set_dump_args *args;
4479
4480 args = container_of(iter, struct nft_set_dump_args, iter);
4481 return nf_tables_fill_setelem(args->skb, set, elem);
4482}
4483
4484struct nft_set_dump_ctx {
4485 const struct nft_set *set;
4486 struct nft_ctx ctx;
4487};
4488
4489static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4490{
4491 struct nft_set_dump_ctx *dump_ctx = cb->data;
4492 struct net *net = sock_net(skb->sk);
4493 struct nft_table *table;
4494 struct nft_set *set;
4495 struct nft_set_dump_args args;
4496 bool set_found = false;
4497 struct nfgenmsg *nfmsg;
4498 struct nlmsghdr *nlh;
4499 struct nlattr *nest;
4500 u32 portid, seq;
4501 int event;
4502
4503 rcu_read_lock();
4504 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4505 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4506 dump_ctx->ctx.family != table->family)
4507 continue;
4508
4509 if (table != dump_ctx->ctx.table)
4510 continue;
4511
4512 list_for_each_entry_rcu(set, &table->sets, list) {
4513 if (set == dump_ctx->set) {
4514 set_found = true;
4515 break;
4516 }
4517 }
4518 break;
4519 }
4520
4521 if (!set_found) {
4522 rcu_read_unlock();
4523 return -ENOENT;
4524 }
4525
4526 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4527 portid = NETLINK_CB(cb->skb).portid;
4528 seq = cb->nlh->nlmsg_seq;
4529
4530 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4531 NLM_F_MULTI);
4532 if (nlh == NULL)
4533 goto nla_put_failure;
4534
4535 nfmsg = nlmsg_data(nlh);
4536 nfmsg->nfgen_family = table->family;
4537 nfmsg->version = NFNETLINK_V0;
4538 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4539
4540 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4541 goto nla_put_failure;
4542 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4543 goto nla_put_failure;
4544
4545 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4546 if (nest == NULL)
4547 goto nla_put_failure;
4548
4549 args.cb = cb;
4550 args.skb = skb;
4551 args.iter.genmask = nft_genmask_cur(net);
4552 args.iter.skip = cb->args[0];
4553 args.iter.count = 0;
4554 args.iter.err = 0;
4555 args.iter.fn = nf_tables_dump_setelem;
4556 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4557 rcu_read_unlock();
4558
4559 nla_nest_end(skb, nest);
4560 nlmsg_end(skb, nlh);
4561
4562 if (args.iter.err && args.iter.err != -EMSGSIZE)
4563 return args.iter.err;
4564 if (args.iter.count == cb->args[0])
4565 return 0;
4566
4567 cb->args[0] = args.iter.count;
4568 return skb->len;
4569
4570nla_put_failure:
4571 rcu_read_unlock();
4572 return -ENOSPC;
4573}
4574
4575static int nf_tables_dump_set_start(struct netlink_callback *cb)
4576{
4577 struct nft_set_dump_ctx *dump_ctx = cb->data;
4578
4579 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4580
4581 return cb->data ? 0 : -ENOMEM;
4582}
4583
4584static int nf_tables_dump_set_done(struct netlink_callback *cb)
4585{
4586 kfree(cb->data);
4587 return 0;
4588}
4589
4590static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4591 const struct nft_ctx *ctx, u32 seq,
4592 u32 portid, int event, u16 flags,
4593 const struct nft_set *set,
4594 const struct nft_set_elem *elem)
4595{
4596 struct nfgenmsg *nfmsg;
4597 struct nlmsghdr *nlh;
4598 struct nlattr *nest;
4599 int err;
4600
4601 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4602 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4603 flags);
4604 if (nlh == NULL)
4605 goto nla_put_failure;
4606
4607 nfmsg = nlmsg_data(nlh);
4608 nfmsg->nfgen_family = ctx->family;
4609 nfmsg->version = NFNETLINK_V0;
4610 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4611
4612 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4613 goto nla_put_failure;
4614 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4615 goto nla_put_failure;
4616
4617 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4618 if (nest == NULL)
4619 goto nla_put_failure;
4620
4621 err = nf_tables_fill_setelem(skb, set, elem);
4622 if (err < 0)
4623 goto nla_put_failure;
4624
4625 nla_nest_end(skb, nest);
4626
4627 nlmsg_end(skb, nlh);
4628 return 0;
4629
4630nla_put_failure:
4631 nlmsg_trim(skb, nlh);
4632 return -1;
4633}
4634
4635static int nft_setelem_parse_flags(const struct nft_set *set,
4636 const struct nlattr *attr, u32 *flags)
4637{
4638 if (attr == NULL)
4639 return 0;
4640
4641 *flags = ntohl(nla_get_be32(attr));
4642 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4643 return -EINVAL;
4644 if (!(set->flags & NFT_SET_INTERVAL) &&
4645 *flags & NFT_SET_ELEM_INTERVAL_END)
4646 return -EINVAL;
4647
4648 return 0;
4649}
4650
4651static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4652 struct nft_data *key, struct nlattr *attr)
4653{
4654 struct nft_data_desc desc;
4655 int err;
4656
4657 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4658 if (err < 0)
4659 return err;
4660
4661 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4662 nft_data_release(key, desc.type);
4663 return -EINVAL;
4664 }
4665
4666 return 0;
4667}
4668
4669static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4670 const struct nlattr *attr)
4671{
4672 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4673 struct nft_set_elem elem;
4674 struct sk_buff *skb;
4675 uint32_t flags = 0;
4676 void *priv;
4677 int err;
4678
4679 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4680 nft_set_elem_policy, NULL);
4681 if (err < 0)
4682 return err;
4683
4684 if (!nla[NFTA_SET_ELEM_KEY])
4685 return -EINVAL;
4686
4687 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4688 if (err < 0)
4689 return err;
4690
4691 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4692 nla[NFTA_SET_ELEM_KEY]);
4693 if (err < 0)
4694 return err;
4695
4696 if (nla[NFTA_SET_ELEM_KEY_END]) {
4697 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4698 nla[NFTA_SET_ELEM_KEY_END]);
4699 if (err < 0)
4700 return err;
4701 }
4702
4703 priv = set->ops->get(ctx->net, set, &elem, flags);
4704 if (IS_ERR(priv))
4705 return PTR_ERR(priv);
4706
4707 elem.priv = priv;
4708
4709 err = -ENOMEM;
4710 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4711 if (skb == NULL)
4712 return err;
4713
4714 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4715 NFT_MSG_NEWSETELEM, 0, set, &elem);
4716 if (err < 0)
4717 goto err_fill_setelem;
4718
4719 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
4720
4721err_fill_setelem:
4722 kfree_skb(skb);
4723 return err;
4724}
4725
4726
4727static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4728 struct sk_buff *skb, const struct nlmsghdr *nlh,
4729 const struct nlattr * const nla[],
4730 struct netlink_ext_ack *extack)
4731{
4732 u8 genmask = nft_genmask_cur(net);
4733 struct nft_set *set;
4734 struct nlattr *attr;
4735 struct nft_ctx ctx;
4736 int rem, err = 0;
4737
4738 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4739 genmask);
4740 if (err < 0)
4741 return err;
4742
4743 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4744 if (IS_ERR(set))
4745 return PTR_ERR(set);
4746
4747 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4748 struct netlink_dump_control c = {
4749 .start = nf_tables_dump_set_start,
4750 .dump = nf_tables_dump_set,
4751 .done = nf_tables_dump_set_done,
4752 .module = THIS_MODULE,
4753 };
4754 struct nft_set_dump_ctx dump_ctx = {
4755 .set = set,
4756 .ctx = ctx,
4757 };
4758
4759 c.data = &dump_ctx;
4760 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4761 }
4762
4763 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4764 return -EINVAL;
4765
4766 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4767 err = nft_get_set_elem(&ctx, set, attr);
4768 if (err < 0)
4769 break;
4770 }
4771
4772 return err;
4773}
4774
4775static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4776 const struct nft_set *set,
4777 const struct nft_set_elem *elem,
4778 int event, u16 flags)
4779{
4780 struct net *net = ctx->net;
4781 u32 portid = ctx->portid;
4782 struct sk_buff *skb;
4783 int err;
4784 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
4785 ctx->table->name, ctx->table->handle,
4786 set->name, set->handle);
4787
4788 audit_log_nfcfg(buf,
4789 ctx->family,
4790 set->handle,
4791 event == NFT_MSG_NEWSETELEM ?
4792 AUDIT_NFT_OP_SETELEM_REGISTER :
4793 AUDIT_NFT_OP_SETELEM_UNREGISTER,
4794 GFP_KERNEL);
4795 kfree(buf);
4796
4797 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4798 return;
4799
4800 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4801 if (skb == NULL)
4802 goto err;
4803
4804 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4805 set, elem);
4806 if (err < 0) {
4807 kfree_skb(skb);
4808 goto err;
4809 }
4810
4811 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft_notify_list);
4812 return;
4813err:
4814 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4815}
4816
4817static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4818 int msg_type,
4819 struct nft_set *set)
4820{
4821 struct nft_trans *trans;
4822
4823 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4824 if (trans == NULL)
4825 return NULL;
4826
4827 nft_trans_elem_set(trans) = set;
4828 return trans;
4829}
4830
4831void *nft_set_elem_init(const struct nft_set *set,
4832 const struct nft_set_ext_tmpl *tmpl,
4833 const u32 *key, const u32 *key_end, const u32 *data,
4834 u64 timeout, gfp_t gfp)
4835{
4836 struct nft_set_ext *ext;
4837 void *elem;
4838
4839 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4840 if (elem == NULL)
4841 return NULL;
4842
4843 ext = nft_set_elem_ext(set, elem);
4844 nft_set_ext_init(ext, tmpl);
4845
4846 memcpy(nft_set_ext_key(ext), key, set->klen);
4847 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
4848 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
4849 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4850 memcpy(nft_set_ext_data(ext), data, set->dlen);
4851 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4852 *nft_set_ext_expiration(ext) =
4853 get_jiffies_64() + timeout;
4854 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4855 *nft_set_ext_timeout(ext) = timeout;
4856
4857 return elem;
4858}
4859
4860void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4861 bool destroy_expr)
4862{
4863 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4864 struct nft_ctx ctx = {
4865 .net = read_pnet(&set->net),
4866 .family = set->table->family,
4867 };
4868
4869 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4870 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4871 nft_data_release(nft_set_ext_data(ext), set->dtype);
4872 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4873 struct nft_expr *expr = nft_set_ext_expr(ext);
4874
4875 if (expr->ops->destroy_clone) {
4876 expr->ops->destroy_clone(&ctx, expr);
4877 module_put(expr->ops->type->owner);
4878 } else {
4879 nf_tables_expr_destroy(&ctx, expr);
4880 }
4881 }
4882 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4883 (*nft_set_ext_obj(ext))->use--;
4884 kfree(elem);
4885}
4886EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4887
4888
4889
4890
4891static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4892 const struct nft_set *set, void *elem)
4893{
4894 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4895
4896 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4897 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4898 kfree(elem);
4899}
4900
4901static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4902 const struct nlattr *attr, u32 nlmsg_flags)
4903{
4904 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4905 u8 genmask = nft_genmask_next(ctx->net);
4906 struct nft_set_ext_tmpl tmpl;
4907 struct nft_set_ext *ext, *ext2;
4908 struct nft_set_elem elem;
4909 struct nft_set_binding *binding;
4910 struct nft_object *obj = NULL;
4911 struct nft_userdata *udata;
4912 struct nft_data_desc desc;
4913 struct nft_data data;
4914 enum nft_registers dreg;
4915 struct nft_trans *trans;
4916 u32 flags = 0;
4917 u64 timeout;
4918 u8 ulen;
4919 int err;
4920
4921 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4922 nft_set_elem_policy, NULL);
4923 if (err < 0)
4924 return err;
4925
4926 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4927 return -EINVAL;
4928
4929 nft_set_ext_prepare(&tmpl);
4930
4931 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4932 if (err < 0)
4933 return err;
4934 if (flags != 0)
4935 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4936
4937 if (set->flags & NFT_SET_MAP) {
4938 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4939 !(flags & NFT_SET_ELEM_INTERVAL_END))
4940 return -EINVAL;
4941 } else {
4942 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4943 return -EINVAL;
4944 }
4945
4946 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
4947 (nla[NFTA_SET_ELEM_DATA] ||
4948 nla[NFTA_SET_ELEM_OBJREF] ||
4949 nla[NFTA_SET_ELEM_TIMEOUT] ||
4950 nla[NFTA_SET_ELEM_EXPIRATION] ||
4951 nla[NFTA_SET_ELEM_USERDATA] ||
4952 nla[NFTA_SET_ELEM_EXPR]))
4953 return -EINVAL;
4954
4955 timeout = 0;
4956 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4957 if (!(set->flags & NFT_SET_TIMEOUT))
4958 return -EINVAL;
4959 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4960 &timeout);
4961 if (err)
4962 return err;
4963 } else if (set->flags & NFT_SET_TIMEOUT) {
4964 timeout = set->timeout;
4965 }
4966
4967 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4968 nla[NFTA_SET_ELEM_KEY]);
4969 if (err < 0)
4970 return err;
4971
4972 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
4973
4974 if (nla[NFTA_SET_ELEM_KEY_END]) {
4975 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4976 nla[NFTA_SET_ELEM_KEY_END]);
4977 if (err < 0)
4978 goto err_parse_key;
4979
4980 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
4981 }
4982
4983 if (timeout > 0) {
4984 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4985 if (timeout != set->timeout)
4986 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4987 }
4988
4989 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4990 if (!(set->flags & NFT_SET_OBJECT)) {
4991 err = -EINVAL;
4992 goto err_parse_key_end;
4993 }
4994 obj = nft_obj_lookup(ctx->net, ctx->table,
4995 nla[NFTA_SET_ELEM_OBJREF],
4996 set->objtype, genmask);
4997 if (IS_ERR(obj)) {
4998 err = PTR_ERR(obj);
4999 goto err_parse_key_end;
5000 }
5001 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5002 }
5003
5004 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5005 err = nft_data_init(ctx, &data, sizeof(data), &desc,
5006 nla[NFTA_SET_ELEM_DATA]);
5007 if (err < 0)
5008 goto err_parse_key_end;
5009
5010 err = -EINVAL;
5011 if (set->dtype != NFT_DATA_VERDICT && desc.len != set->dlen)
5012 goto err_parse_data;
5013
5014 dreg = nft_type_to_reg(set->dtype);
5015 list_for_each_entry(binding, &set->bindings, list) {
5016 struct nft_ctx bind_ctx = {
5017 .net = ctx->net,
5018 .family = ctx->family,
5019 .table = ctx->table,
5020 .chain = (struct nft_chain *)binding->chain,
5021 };
5022
5023 if (!(binding->flags & NFT_SET_MAP))
5024 continue;
5025
5026 err = nft_validate_register_store(&bind_ctx, dreg,
5027 &data,
5028 desc.type, desc.len);
5029 if (err < 0)
5030 goto err_parse_data;
5031
5032 if (desc.type == NFT_DATA_VERDICT &&
5033 (data.verdict.code == NFT_GOTO ||
5034 data.verdict.code == NFT_JUMP))
5035 nft_validate_state_update(ctx->net,
5036 NFT_VALIDATE_NEED);
5037 }
5038
5039 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5040 }
5041
5042
5043
5044
5045
5046 ulen = 0;
5047 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5048 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5049 if (ulen > 0)
5050 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5051 ulen);
5052 }
5053
5054 err = -ENOMEM;
5055 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5056 elem.key_end.val.data, data.data,
5057 timeout, GFP_KERNEL);
5058 if (elem.priv == NULL)
5059 goto err_parse_data;
5060
5061 ext = nft_set_elem_ext(set, elem.priv);
5062 if (flags)
5063 *nft_set_ext_flags(ext) = flags;
5064 if (ulen > 0) {
5065 udata = nft_set_ext_userdata(ext);
5066 udata->len = ulen - 1;
5067 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5068 }
5069 if (obj) {
5070 *nft_set_ext_obj(ext) = obj;
5071 obj->use++;
5072 }
5073
5074 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5075 if (trans == NULL)
5076 goto err_trans;
5077
5078 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5079 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5080 if (err) {
5081 if (err == -EEXIST) {
5082 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5083 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5084 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5085 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
5086 err = -EBUSY;
5087 goto err_element_clash;
5088 }
5089 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5090 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5091 memcmp(nft_set_ext_data(ext),
5092 nft_set_ext_data(ext2), set->dlen) != 0) ||
5093 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5094 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5095 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5096 err = -EBUSY;
5097 else if (!(nlmsg_flags & NLM_F_EXCL))
5098 err = 0;
5099 }
5100 goto err_element_clash;
5101 }
5102
5103 if (set->size &&
5104 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5105 err = -ENFILE;
5106 goto err_set_full;
5107 }
5108
5109 nft_trans_elem(trans) = elem;
5110 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5111 return 0;
5112
5113err_set_full:
5114 set->ops->remove(ctx->net, set, &elem);
5115err_element_clash:
5116 kfree(trans);
5117err_trans:
5118 if (obj)
5119 obj->use--;
5120 kfree(elem.priv);
5121err_parse_data:
5122 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5123 nft_data_release(&data, desc.type);
5124err_parse_key_end:
5125 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5126err_parse_key:
5127 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5128
5129 return err;
5130}
5131
5132static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5133 struct sk_buff *skb, const struct nlmsghdr *nlh,
5134 const struct nlattr * const nla[],
5135 struct netlink_ext_ack *extack)
5136{
5137 u8 genmask = nft_genmask_next(net);
5138 const struct nlattr *attr;
5139 struct nft_set *set;
5140 struct nft_ctx ctx;
5141 int rem, err;
5142
5143 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5144 return -EINVAL;
5145
5146 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5147 genmask);
5148 if (err < 0)
5149 return err;
5150
5151 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5152 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5153 if (IS_ERR(set))
5154 return PTR_ERR(set);
5155
5156 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5157 return -EBUSY;
5158
5159 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5160 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5161 if (err < 0)
5162 return err;
5163 }
5164
5165 if (net->nft.validate_state == NFT_VALIDATE_DO)
5166 return nft_table_validate(net, ctx.table);
5167
5168 return 0;
5169}
5170
5171
5172
5173
5174
5175
5176
5177
5178
5179
5180
5181
5182void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5183{
5184 if (type == NFT_DATA_VERDICT) {
5185 switch (data->verdict.code) {
5186 case NFT_JUMP:
5187 case NFT_GOTO:
5188 data->verdict.chain->use++;
5189 break;
5190 }
5191 }
5192}
5193
5194static void nft_set_elem_activate(const struct net *net,
5195 const struct nft_set *set,
5196 struct nft_set_elem *elem)
5197{
5198 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5199
5200 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5201 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5202 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5203 (*nft_set_ext_obj(ext))->use++;
5204}
5205
5206static void nft_set_elem_deactivate(const struct net *net,
5207 const struct nft_set *set,
5208 struct nft_set_elem *elem)
5209{
5210 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5211
5212 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5213 nft_data_release(nft_set_ext_data(ext), set->dtype);
5214 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5215 (*nft_set_ext_obj(ext))->use--;
5216}
5217
5218static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5219 const struct nlattr *attr)
5220{
5221 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5222 struct nft_set_ext_tmpl tmpl;
5223 struct nft_set_elem elem;
5224 struct nft_set_ext *ext;
5225 struct nft_trans *trans;
5226 u32 flags = 0;
5227 void *priv;
5228 int err;
5229
5230 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5231 nft_set_elem_policy, NULL);
5232 if (err < 0)
5233 return err;
5234
5235 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5236 return -EINVAL;
5237
5238 nft_set_ext_prepare(&tmpl);
5239
5240 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5241 if (err < 0)
5242 return err;
5243 if (flags != 0)
5244 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5245
5246 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5247 nla[NFTA_SET_ELEM_KEY]);
5248 if (err < 0)
5249 return err;
5250
5251 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5252
5253 if (nla[NFTA_SET_ELEM_KEY_END]) {
5254 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5255 nla[NFTA_SET_ELEM_KEY_END]);
5256 if (err < 0)
5257 return err;
5258
5259 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5260 }
5261
5262 err = -ENOMEM;
5263 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5264 elem.key_end.val.data, NULL, 0,
5265 GFP_KERNEL);
5266 if (elem.priv == NULL)
5267 goto fail_elem;
5268
5269 ext = nft_set_elem_ext(set, elem.priv);
5270 if (flags)
5271 *nft_set_ext_flags(ext) = flags;
5272
5273 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5274 if (trans == NULL)
5275 goto fail_trans;
5276
5277 priv = set->ops->deactivate(ctx->net, set, &elem);
5278 if (priv == NULL) {
5279 err = -ENOENT;
5280 goto fail_ops;
5281 }
5282 kfree(elem.priv);
5283 elem.priv = priv;
5284
5285 nft_set_elem_deactivate(ctx->net, set, &elem);
5286
5287 nft_trans_elem(trans) = elem;
5288 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5289 return 0;
5290
5291fail_ops:
5292 kfree(trans);
5293fail_trans:
5294 kfree(elem.priv);
5295fail_elem:
5296 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5297 return err;
5298}
5299
5300static int nft_flush_set(const struct nft_ctx *ctx,
5301 struct nft_set *set,
5302 const struct nft_set_iter *iter,
5303 struct nft_set_elem *elem)
5304{
5305 struct nft_trans *trans;
5306 int err;
5307
5308 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5309 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5310 if (!trans)
5311 return -ENOMEM;
5312
5313 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5314 err = -ENOENT;
5315 goto err1;
5316 }
5317 set->ndeact++;
5318
5319 nft_set_elem_deactivate(ctx->net, set, elem);
5320 nft_trans_elem_set(trans) = set;
5321 nft_trans_elem(trans) = *elem;
5322 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5323
5324 return 0;
5325err1:
5326 kfree(trans);
5327 return err;
5328}
5329
5330static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5331 struct sk_buff *skb, const struct nlmsghdr *nlh,
5332 const struct nlattr * const nla[],
5333 struct netlink_ext_ack *extack)
5334{
5335 u8 genmask = nft_genmask_next(net);
5336 const struct nlattr *attr;
5337 struct nft_set *set;
5338 struct nft_ctx ctx;
5339 int rem, err = 0;
5340
5341 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5342 genmask);
5343 if (err < 0)
5344 return err;
5345
5346 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5347 if (IS_ERR(set))
5348 return PTR_ERR(set);
5349 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5350 return -EBUSY;
5351
5352 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5353 struct nft_set_iter iter = {
5354 .genmask = genmask,
5355 .fn = nft_flush_set,
5356 };
5357 set->ops->walk(&ctx, set, &iter);
5358
5359 return iter.err;
5360 }
5361
5362 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5363 err = nft_del_setelem(&ctx, set, attr);
5364 if (err < 0)
5365 break;
5366
5367 set->ndeact++;
5368 }
5369 return err;
5370}
5371
5372void nft_set_gc_batch_release(struct rcu_head *rcu)
5373{
5374 struct nft_set_gc_batch *gcb;
5375 unsigned int i;
5376
5377 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5378 for (i = 0; i < gcb->head.cnt; i++)
5379 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5380 kfree(gcb);
5381}
5382EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
5383
5384struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5385 gfp_t gfp)
5386{
5387 struct nft_set_gc_batch *gcb;
5388
5389 gcb = kzalloc(sizeof(*gcb), gfp);
5390 if (gcb == NULL)
5391 return gcb;
5392 gcb->head.set = set;
5393 return gcb;
5394}
5395EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
5396
5397
5398
5399
5400
5401
5402
5403
5404
5405
5406
5407
5408int nft_register_obj(struct nft_object_type *obj_type)
5409{
5410 if (obj_type->type == NFT_OBJECT_UNSPEC)
5411 return -EINVAL;
5412
5413 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5414 list_add_rcu(&obj_type->list, &nf_tables_objects);
5415 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5416 return 0;
5417}
5418EXPORT_SYMBOL_GPL(nft_register_obj);
5419
5420
5421
5422
5423
5424
5425
5426void nft_unregister_obj(struct nft_object_type *obj_type)
5427{
5428 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5429 list_del_rcu(&obj_type->list);
5430 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5431}
5432EXPORT_SYMBOL_GPL(nft_unregister_obj);
5433
5434struct nft_object *nft_obj_lookup(const struct net *net,
5435 const struct nft_table *table,
5436 const struct nlattr *nla, u32 objtype,
5437 u8 genmask)
5438{
5439 struct nft_object_hash_key k = { .table = table };
5440 char search[NFT_OBJ_MAXNAMELEN];
5441 struct rhlist_head *tmp, *list;
5442 struct nft_object *obj;
5443
5444 nla_strlcpy(search, nla, sizeof(search));
5445 k.name = search;
5446
5447 WARN_ON_ONCE(!rcu_read_lock_held() &&
5448 !lockdep_commit_lock_is_held(net));
5449
5450 rcu_read_lock();
5451 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5452 if (!list)
5453 goto out;
5454
5455 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5456 if (objtype == obj->ops->type->type &&
5457 nft_active_genmask(obj, genmask)) {
5458 rcu_read_unlock();
5459 return obj;
5460 }
5461 }
5462out:
5463 rcu_read_unlock();
5464 return ERR_PTR(-ENOENT);
5465}
5466EXPORT_SYMBOL_GPL(nft_obj_lookup);
5467
5468static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5469 const struct nlattr *nla,
5470 u32 objtype, u8 genmask)
5471{
5472 struct nft_object *obj;
5473
5474 list_for_each_entry(obj, &table->objects, list) {
5475 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5476 objtype == obj->ops->type->type &&
5477 nft_active_genmask(obj, genmask))
5478 return obj;
5479 }
5480 return ERR_PTR(-ENOENT);
5481}
5482
5483static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5484 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5485 .len = NFT_TABLE_MAXNAMELEN - 1 },
5486 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5487 .len = NFT_OBJ_MAXNAMELEN - 1 },
5488 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5489 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5490 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5491};
5492
5493static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5494 const struct nft_object_type *type,
5495 const struct nlattr *attr)
5496{
5497 struct nlattr **tb;
5498 const struct nft_object_ops *ops;
5499 struct nft_object *obj;
5500 int err = -ENOMEM;
5501
5502 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5503 if (!tb)
5504 goto err1;
5505
5506 if (attr) {
5507 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5508 type->policy, NULL);
5509 if (err < 0)
5510 goto err2;
5511 } else {
5512 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5513 }
5514
5515 if (type->select_ops) {
5516 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5517 if (IS_ERR(ops)) {
5518 err = PTR_ERR(ops);
5519 goto err2;
5520 }
5521 } else {
5522 ops = type->ops;
5523 }
5524
5525 err = -ENOMEM;
5526 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5527 if (!obj)
5528 goto err2;
5529
5530 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5531 if (err < 0)
5532 goto err3;
5533
5534 obj->ops = ops;
5535
5536 kfree(tb);
5537 return obj;
5538err3:
5539 kfree(obj);
5540err2:
5541 kfree(tb);
5542err1:
5543 return ERR_PTR(err);
5544}
5545
5546static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5547 struct nft_object *obj, bool reset)
5548{
5549 struct nlattr *nest;
5550
5551 nest = nla_nest_start_noflag(skb, attr);
5552 if (!nest)
5553 goto nla_put_failure;
5554 if (obj->ops->dump(skb, obj, reset) < 0)
5555 goto nla_put_failure;
5556 nla_nest_end(skb, nest);
5557 return 0;
5558
5559nla_put_failure:
5560 return -1;
5561}
5562
5563static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5564{
5565 const struct nft_object_type *type;
5566
5567 list_for_each_entry(type, &nf_tables_objects, list) {
5568 if (objtype == type->type)
5569 return type;
5570 }
5571 return NULL;
5572}
5573
5574static const struct nft_object_type *
5575nft_obj_type_get(struct net *net, u32 objtype)
5576{
5577 const struct nft_object_type *type;
5578
5579 type = __nft_obj_type_get(objtype);
5580 if (type != NULL && try_module_get(type->owner))
5581 return type;
5582
5583 lockdep_nfnl_nft_mutex_not_held();
5584#ifdef CONFIG_MODULES
5585 if (type == NULL) {
5586 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5587 return ERR_PTR(-EAGAIN);
5588 }
5589#endif
5590 return ERR_PTR(-ENOENT);
5591}
5592
5593static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5594 struct sk_buff *skb, const struct nlmsghdr *nlh,
5595 const struct nlattr * const nla[],
5596 struct netlink_ext_ack *extack)
5597{
5598 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5599 const struct nft_object_type *type;
5600 u8 genmask = nft_genmask_next(net);
5601 int family = nfmsg->nfgen_family;
5602 struct nft_table *table;
5603 struct nft_object *obj;
5604 struct nft_ctx ctx;
5605 u32 objtype;
5606 int err;
5607
5608 if (!nla[NFTA_OBJ_TYPE] ||
5609 !nla[NFTA_OBJ_NAME] ||
5610 !nla[NFTA_OBJ_DATA])
5611 return -EINVAL;
5612
5613 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5614 if (IS_ERR(table)) {
5615 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5616 return PTR_ERR(table);
5617 }
5618
5619 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5620 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5621 if (IS_ERR(obj)) {
5622 err = PTR_ERR(obj);
5623 if (err != -ENOENT) {
5624 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5625 return err;
5626 }
5627 } else {
5628 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5629 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5630 return -EEXIST;
5631 }
5632 return 0;
5633 }
5634
5635 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5636
5637 type = nft_obj_type_get(net, objtype);
5638 if (IS_ERR(type))
5639 return PTR_ERR(type);
5640
5641 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5642 if (IS_ERR(obj)) {
5643 err = PTR_ERR(obj);
5644 goto err1;
5645 }
5646 obj->key.table = table;
5647 obj->handle = nf_tables_alloc_handle(table);
5648
5649 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5650 if (!obj->key.name) {
5651 err = -ENOMEM;
5652 goto err2;
5653 }
5654
5655 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5656 if (err < 0)
5657 goto err3;
5658
5659 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5660 nft_objname_ht_params);
5661 if (err < 0)
5662 goto err4;
5663
5664 list_add_tail_rcu(&obj->list, &table->objects);
5665 table->use++;
5666 return 0;
5667err4:
5668
5669 INIT_LIST_HEAD(&obj->list);
5670 return err;
5671err3:
5672 kfree(obj->key.name);
5673err2:
5674 if (obj->ops->destroy)
5675 obj->ops->destroy(&ctx, obj);
5676 kfree(obj);
5677err1:
5678 module_put(type->owner);
5679 return err;
5680}
5681
5682static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5683 u32 portid, u32 seq, int event, u32 flags,
5684 int family, const struct nft_table *table,
5685 struct nft_object *obj, bool reset)
5686{
5687 struct nfgenmsg *nfmsg;
5688 struct nlmsghdr *nlh;
5689
5690 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5691 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5692 if (nlh == NULL)
5693 goto nla_put_failure;
5694
5695 nfmsg = nlmsg_data(nlh);
5696 nfmsg->nfgen_family = family;
5697 nfmsg->version = NFNETLINK_V0;
5698 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5699
5700 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5701 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5702 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5703 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5704 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5705 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5706 NFTA_OBJ_PAD))
5707 goto nla_put_failure;
5708
5709 nlmsg_end(skb, nlh);
5710 return 0;
5711
5712nla_put_failure:
5713 nlmsg_trim(skb, nlh);
5714 return -1;
5715}
5716
5717struct nft_obj_filter {
5718 char *table;
5719 u32 type;
5720};
5721
5722static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5723{
5724 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5725 const struct nft_table *table;
5726 unsigned int idx = 0, s_idx = cb->args[0];
5727 struct nft_obj_filter *filter = cb->data;
5728 struct net *net = sock_net(skb->sk);
5729 int family = nfmsg->nfgen_family;
5730 struct nft_object *obj;
5731 bool reset = false;
5732
5733 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5734 reset = true;
5735
5736 rcu_read_lock();
5737 cb->seq = net->nft.base_seq;
5738
5739 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5740 if (family != NFPROTO_UNSPEC && family != table->family)
5741 continue;
5742
5743 list_for_each_entry_rcu(obj, &table->objects, list) {
5744 if (!nft_is_active(net, obj))
5745 goto cont;
5746 if (idx < s_idx)
5747 goto cont;
5748 if (idx > s_idx)
5749 memset(&cb->args[1], 0,
5750 sizeof(cb->args) - sizeof(cb->args[0]));
5751 if (filter && filter->table &&
5752 strcmp(filter->table, table->name))
5753 goto cont;
5754 if (filter &&
5755 filter->type != NFT_OBJECT_UNSPEC &&
5756 obj->ops->type->type != filter->type)
5757 goto cont;
5758
5759 if (reset) {
5760 char *buf = kasprintf(GFP_ATOMIC,
5761 "%s:%llu;?:0",
5762 table->name,
5763 table->handle);
5764
5765 audit_log_nfcfg(buf,
5766 family,
5767 obj->handle,
5768 AUDIT_NFT_OP_OBJ_RESET,
5769 GFP_ATOMIC);
5770 kfree(buf);
5771 }
5772
5773 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5774 cb->nlh->nlmsg_seq,
5775 NFT_MSG_NEWOBJ,
5776 NLM_F_MULTI | NLM_F_APPEND,
5777 table->family, table,
5778 obj, reset) < 0)
5779 goto done;
5780
5781 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5782cont:
5783 idx++;
5784 }
5785 }
5786done:
5787 rcu_read_unlock();
5788
5789 cb->args[0] = idx;
5790 return skb->len;
5791}
5792
5793static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5794{
5795 const struct nlattr * const *nla = cb->data;
5796 struct nft_obj_filter *filter = NULL;
5797
5798 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5799 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5800 if (!filter)
5801 return -ENOMEM;
5802
5803 if (nla[NFTA_OBJ_TABLE]) {
5804 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5805 if (!filter->table) {
5806 kfree(filter);
5807 return -ENOMEM;
5808 }
5809 }
5810
5811 if (nla[NFTA_OBJ_TYPE])
5812 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5813 }
5814
5815 cb->data = filter;
5816 return 0;
5817}
5818
5819static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5820{
5821 struct nft_obj_filter *filter = cb->data;
5822
5823 if (filter) {
5824 kfree(filter->table);
5825 kfree(filter);
5826 }
5827
5828 return 0;
5829}
5830
5831
5832static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5833 struct sk_buff *skb, const struct nlmsghdr *nlh,
5834 const struct nlattr * const nla[],
5835 struct netlink_ext_ack *extack)
5836{
5837 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5838 u8 genmask = nft_genmask_cur(net);
5839 int family = nfmsg->nfgen_family;
5840 const struct nft_table *table;
5841 struct nft_object *obj;
5842 struct sk_buff *skb2;
5843 bool reset = false;
5844 u32 objtype;
5845 int err;
5846
5847 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5848 struct netlink_dump_control c = {
5849 .start = nf_tables_dump_obj_start,
5850 .dump = nf_tables_dump_obj,
5851 .done = nf_tables_dump_obj_done,
5852 .module = THIS_MODULE,
5853 .data = (void *)nla,
5854 };
5855
5856 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5857 }
5858
5859 if (!nla[NFTA_OBJ_NAME] ||
5860 !nla[NFTA_OBJ_TYPE])
5861 return -EINVAL;
5862
5863 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5864 if (IS_ERR(table)) {
5865 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5866 return PTR_ERR(table);
5867 }
5868
5869 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5870 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5871 if (IS_ERR(obj)) {
5872 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5873 return PTR_ERR(obj);
5874 }
5875
5876 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5877 if (!skb2)
5878 return -ENOMEM;
5879
5880 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5881 reset = true;
5882
5883 if (reset) {
5884 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0",
5885 table->name, table->handle);
5886
5887 audit_log_nfcfg(buf,
5888 family,
5889 obj->handle,
5890 AUDIT_NFT_OP_OBJ_RESET,
5891 GFP_ATOMIC);
5892 kfree(buf);
5893 }
5894
5895 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5896 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5897 family, table, obj, reset);
5898 if (err < 0)
5899 goto err_fill_obj_info;
5900
5901 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
5902
5903err_fill_obj_info:
5904 kfree_skb(skb2);
5905 return err;
5906}
5907
5908static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5909{
5910 if (obj->ops->destroy)
5911 obj->ops->destroy(ctx, obj);
5912
5913 module_put(obj->ops->type->owner);
5914 kfree(obj->key.name);
5915 kfree(obj);
5916}
5917
5918static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5919 struct sk_buff *skb, const struct nlmsghdr *nlh,
5920 const struct nlattr * const nla[],
5921 struct netlink_ext_ack *extack)
5922{
5923 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5924 u8 genmask = nft_genmask_next(net);
5925 int family = nfmsg->nfgen_family;
5926 const struct nlattr *attr;
5927 struct nft_table *table;
5928 struct nft_object *obj;
5929 struct nft_ctx ctx;
5930 u32 objtype;
5931
5932 if (!nla[NFTA_OBJ_TYPE] ||
5933 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5934 return -EINVAL;
5935
5936 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5937 if (IS_ERR(table)) {
5938 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5939 return PTR_ERR(table);
5940 }
5941
5942 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5943 if (nla[NFTA_OBJ_HANDLE]) {
5944 attr = nla[NFTA_OBJ_HANDLE];
5945 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5946 } else {
5947 attr = nla[NFTA_OBJ_NAME];
5948 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5949 }
5950
5951 if (IS_ERR(obj)) {
5952 NL_SET_BAD_ATTR(extack, attr);
5953 return PTR_ERR(obj);
5954 }
5955 if (obj->use > 0) {
5956 NL_SET_BAD_ATTR(extack, attr);
5957 return -EBUSY;
5958 }
5959
5960 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5961
5962 return nft_delobj(&ctx, obj);
5963}
5964
5965void nft_obj_notify(struct net *net, const struct nft_table *table,
5966 struct nft_object *obj, u32 portid, u32 seq, int event,
5967 int family, int report, gfp_t gfp)
5968{
5969 struct sk_buff *skb;
5970 int err;
5971 char *buf = kasprintf(gfp, "%s:%llu;?:0",
5972 table->name, table->handle);
5973
5974 audit_log_nfcfg(buf,
5975 family,
5976 obj->handle,
5977 event == NFT_MSG_NEWOBJ ?
5978 AUDIT_NFT_OP_OBJ_REGISTER :
5979 AUDIT_NFT_OP_OBJ_UNREGISTER,
5980 gfp);
5981 kfree(buf);
5982
5983 if (!report &&
5984 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5985 return;
5986
5987 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5988 if (skb == NULL)
5989 goto err;
5990
5991 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5992 table, obj, false);
5993 if (err < 0) {
5994 kfree_skb(skb);
5995 goto err;
5996 }
5997
5998 nft_notify_enqueue(skb, report, &net->nft_notify_list);
5999 return;
6000err:
6001 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6002}
6003EXPORT_SYMBOL_GPL(nft_obj_notify);
6004
6005static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6006 struct nft_object *obj, int event)
6007{
6008 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6009 ctx->family, ctx->report, GFP_KERNEL);
6010}
6011
6012
6013
6014
6015void nft_register_flowtable_type(struct nf_flowtable_type *type)
6016{
6017 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6018 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6019 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6020}
6021EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6022
6023void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6024{
6025 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6026 list_del_rcu(&type->list);
6027 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6028}
6029EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6030
6031static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6032 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6033 .len = NFT_NAME_MAXLEN - 1 },
6034 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6035 .len = NFT_NAME_MAXLEN - 1 },
6036 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6037 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6038 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6039};
6040
6041struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6042 const struct nlattr *nla, u8 genmask)
6043{
6044 struct nft_flowtable *flowtable;
6045
6046 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6047 if (!nla_strcmp(nla, flowtable->name) &&
6048 nft_active_genmask(flowtable, genmask))
6049 return flowtable;
6050 }
6051 return ERR_PTR(-ENOENT);
6052}
6053EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6054
6055static struct nft_flowtable *
6056nft_flowtable_lookup_byhandle(const struct nft_table *table,
6057 const struct nlattr *nla, u8 genmask)
6058{
6059 struct nft_flowtable *flowtable;
6060
6061 list_for_each_entry(flowtable, &table->flowtables, list) {
6062 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6063 nft_active_genmask(flowtable, genmask))
6064 return flowtable;
6065 }
6066 return ERR_PTR(-ENOENT);
6067}
6068
6069static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6070 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6071 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6072 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6073};
6074
6075static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
6076 const struct nlattr *attr,
6077 struct nft_flowtable *flowtable)
6078{
6079 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6080 struct nft_hook *hook;
6081 int hooknum, priority;
6082 int err;
6083
6084 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6085 nft_flowtable_hook_policy, NULL);
6086 if (err < 0)
6087 return err;
6088
6089 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6090 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
6091 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
6092 return -EINVAL;
6093
6094 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6095 if (hooknum != NF_NETDEV_INGRESS)
6096 return -EINVAL;
6097
6098 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6099
6100 err = nf_tables_parse_netdev_hooks(ctx->net,
6101 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6102 &flowtable->hook_list);
6103 if (err < 0)
6104 return err;
6105
6106 flowtable->hooknum = hooknum;
6107 flowtable->data.priority = priority;
6108
6109 list_for_each_entry(hook, &flowtable->hook_list, list) {
6110 hook->ops.pf = NFPROTO_NETDEV;
6111 hook->ops.hooknum = hooknum;
6112 hook->ops.priority = priority;
6113 hook->ops.priv = &flowtable->data;
6114 hook->ops.hook = flowtable->data.type->hook;
6115 }
6116
6117 return err;
6118}
6119
6120static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6121{
6122 const struct nf_flowtable_type *type;
6123
6124 list_for_each_entry(type, &nf_tables_flowtables, list) {
6125 if (family == type->family)
6126 return type;
6127 }
6128 return NULL;
6129}
6130
6131static const struct nf_flowtable_type *
6132nft_flowtable_type_get(struct net *net, u8 family)
6133{
6134 const struct nf_flowtable_type *type;
6135
6136 type = __nft_flowtable_type_get(family);
6137 if (type != NULL && try_module_get(type->owner))
6138 return type;
6139
6140 lockdep_nfnl_nft_mutex_not_held();
6141#ifdef CONFIG_MODULES
6142 if (type == NULL) {
6143 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6144 return ERR_PTR(-EAGAIN);
6145 }
6146#endif
6147 return ERR_PTR(-ENOENT);
6148}
6149
6150
6151static void nft_unregister_flowtable_hook(struct net *net,
6152 struct nft_flowtable *flowtable,
6153 struct nft_hook *hook)
6154{
6155 nf_unregister_net_hook(net, &hook->ops);
6156 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6157 FLOW_BLOCK_UNBIND);
6158}
6159
6160static void nft_unregister_flowtable_net_hooks(struct net *net,
6161 struct nft_flowtable *flowtable)
6162{
6163 struct nft_hook *hook;
6164
6165 list_for_each_entry(hook, &flowtable->hook_list, list)
6166 nf_unregister_net_hook(net, &hook->ops);
6167}
6168
6169static int nft_register_flowtable_net_hooks(struct net *net,
6170 struct nft_table *table,
6171 struct nft_flowtable *flowtable)
6172{
6173 struct nft_hook *hook, *hook2, *next;
6174 struct nft_flowtable *ft;
6175 int err, i = 0;
6176
6177 list_for_each_entry(hook, &flowtable->hook_list, list) {
6178 list_for_each_entry(ft, &table->flowtables, list) {
6179 list_for_each_entry(hook2, &ft->hook_list, list) {
6180 if (hook->ops.dev == hook2->ops.dev &&
6181 hook->ops.pf == hook2->ops.pf) {
6182 err = -EBUSY;
6183 goto err_unregister_net_hooks;
6184 }
6185 }
6186 }
6187
6188 err = flowtable->data.type->setup(&flowtable->data,
6189 hook->ops.dev,
6190 FLOW_BLOCK_BIND);
6191 if (err < 0)
6192 goto err_unregister_net_hooks;
6193
6194 err = nf_register_net_hook(net, &hook->ops);
6195 if (err < 0) {
6196 flowtable->data.type->setup(&flowtable->data,
6197 hook->ops.dev,
6198 FLOW_BLOCK_UNBIND);
6199 goto err_unregister_net_hooks;
6200 }
6201
6202 i++;
6203 }
6204
6205 return 0;
6206
6207err_unregister_net_hooks:
6208 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6209 if (i-- <= 0)
6210 break;
6211
6212 nft_unregister_flowtable_hook(net, flowtable, hook);
6213 list_del_rcu(&hook->list);
6214 kfree_rcu(hook, rcu);
6215 }
6216
6217 return err;
6218}
6219
6220static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6221 struct sk_buff *skb,
6222 const struct nlmsghdr *nlh,
6223 const struct nlattr * const nla[],
6224 struct netlink_ext_ack *extack)
6225{
6226 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6227 const struct nf_flowtable_type *type;
6228 u8 genmask = nft_genmask_next(net);
6229 int family = nfmsg->nfgen_family;
6230 struct nft_flowtable *flowtable;
6231 struct nft_hook *hook, *next;
6232 struct nft_table *table;
6233 struct nft_ctx ctx;
6234 int err;
6235
6236 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6237 !nla[NFTA_FLOWTABLE_NAME] ||
6238 !nla[NFTA_FLOWTABLE_HOOK])
6239 return -EINVAL;
6240
6241 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6242 genmask);
6243 if (IS_ERR(table)) {
6244 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6245 return PTR_ERR(table);
6246 }
6247
6248 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6249 genmask);
6250 if (IS_ERR(flowtable)) {
6251 err = PTR_ERR(flowtable);
6252 if (err != -ENOENT) {
6253 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6254 return err;
6255 }
6256 } else {
6257 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6258 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6259 return -EEXIST;
6260 }
6261
6262 return 0;
6263 }
6264
6265 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6266
6267 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6268 if (!flowtable)
6269 return -ENOMEM;
6270
6271 flowtable->table = table;
6272 flowtable->handle = nf_tables_alloc_handle(table);
6273 INIT_LIST_HEAD(&flowtable->hook_list);
6274
6275 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6276 if (!flowtable->name) {
6277 err = -ENOMEM;
6278 goto err1;
6279 }
6280
6281 type = nft_flowtable_type_get(net, family);
6282 if (IS_ERR(type)) {
6283 err = PTR_ERR(type);
6284 goto err2;
6285 }
6286
6287 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6288 flowtable->data.flags =
6289 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6290 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6291 goto err3;
6292 }
6293
6294 write_pnet(&flowtable->data.net, net);
6295 flowtable->data.type = type;
6296 err = type->init(&flowtable->data);
6297 if (err < 0)
6298 goto err3;
6299
6300 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6301 flowtable);
6302 if (err < 0)
6303 goto err4;
6304
6305 err = nft_register_flowtable_net_hooks(ctx.net, table, flowtable);
6306 if (err < 0) {
6307 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6308 list_del_rcu(&hook->list);
6309 kfree_rcu(hook, rcu);
6310 }
6311 goto err4;
6312 }
6313
6314 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6315 if (err < 0)
6316 goto err5;
6317
6318 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6319 table->use++;
6320
6321 return 0;
6322err5:
6323 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6324 nft_unregister_flowtable_hook(net, flowtable, hook);
6325 list_del_rcu(&hook->list);
6326 kfree_rcu(hook, rcu);
6327 }
6328err4:
6329 flowtable->data.type->free(&flowtable->data);
6330err3:
6331 module_put(type->owner);
6332err2:
6333 kfree(flowtable->name);
6334err1:
6335 kfree(flowtable);
6336 return err;
6337}
6338
6339static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6340 struct sk_buff *skb,
6341 const struct nlmsghdr *nlh,
6342 const struct nlattr * const nla[],
6343 struct netlink_ext_ack *extack)
6344{
6345 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6346 u8 genmask = nft_genmask_next(net);
6347 int family = nfmsg->nfgen_family;
6348 struct nft_flowtable *flowtable;
6349 const struct nlattr *attr;
6350 struct nft_table *table;
6351 struct nft_ctx ctx;
6352
6353 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6354 (!nla[NFTA_FLOWTABLE_NAME] &&
6355 !nla[NFTA_FLOWTABLE_HANDLE]))
6356 return -EINVAL;
6357
6358 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6359 genmask);
6360 if (IS_ERR(table)) {
6361 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6362 return PTR_ERR(table);
6363 }
6364
6365 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6366 attr = nla[NFTA_FLOWTABLE_HANDLE];
6367 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6368 } else {
6369 attr = nla[NFTA_FLOWTABLE_NAME];
6370 flowtable = nft_flowtable_lookup(table, attr, genmask);
6371 }
6372
6373 if (IS_ERR(flowtable)) {
6374 NL_SET_BAD_ATTR(extack, attr);
6375 return PTR_ERR(flowtable);
6376 }
6377 if (flowtable->use > 0) {
6378 NL_SET_BAD_ATTR(extack, attr);
6379 return -EBUSY;
6380 }
6381
6382 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6383
6384 return nft_delflowtable(&ctx, flowtable);
6385}
6386
6387static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6388 u32 portid, u32 seq, int event,
6389 u32 flags, int family,
6390 struct nft_flowtable *flowtable)
6391{
6392 struct nlattr *nest, *nest_devs;
6393 struct nfgenmsg *nfmsg;
6394 struct nft_hook *hook;
6395 struct nlmsghdr *nlh;
6396
6397 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6398 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6399 if (nlh == NULL)
6400 goto nla_put_failure;
6401
6402 nfmsg = nlmsg_data(nlh);
6403 nfmsg->nfgen_family = family;
6404 nfmsg->version = NFNETLINK_V0;
6405 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6406
6407 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6408 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6409 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6410 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6411 NFTA_FLOWTABLE_PAD) ||
6412 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6413 goto nla_put_failure;
6414
6415 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6416 if (!nest)
6417 goto nla_put_failure;
6418 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6419 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6420 goto nla_put_failure;
6421
6422 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6423 if (!nest_devs)
6424 goto nla_put_failure;
6425
6426 list_for_each_entry_rcu(hook, &flowtable->hook_list, list) {
6427 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6428 goto nla_put_failure;
6429 }
6430 nla_nest_end(skb, nest_devs);
6431 nla_nest_end(skb, nest);
6432
6433 nlmsg_end(skb, nlh);
6434 return 0;
6435
6436nla_put_failure:
6437 nlmsg_trim(skb, nlh);
6438 return -1;
6439}
6440
6441struct nft_flowtable_filter {
6442 char *table;
6443};
6444
6445static int nf_tables_dump_flowtable(struct sk_buff *skb,
6446 struct netlink_callback *cb)
6447{
6448 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6449 struct nft_flowtable_filter *filter = cb->data;
6450 unsigned int idx = 0, s_idx = cb->args[0];
6451 struct net *net = sock_net(skb->sk);
6452 int family = nfmsg->nfgen_family;
6453 struct nft_flowtable *flowtable;
6454 const struct nft_table *table;
6455
6456 rcu_read_lock();
6457 cb->seq = net->nft.base_seq;
6458
6459 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6460 if (family != NFPROTO_UNSPEC && family != table->family)
6461 continue;
6462
6463 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6464 if (!nft_is_active(net, flowtable))
6465 goto cont;
6466 if (idx < s_idx)
6467 goto cont;
6468 if (idx > s_idx)
6469 memset(&cb->args[1], 0,
6470 sizeof(cb->args) - sizeof(cb->args[0]));
6471 if (filter && filter->table &&
6472 strcmp(filter->table, table->name))
6473 goto cont;
6474
6475 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6476 cb->nlh->nlmsg_seq,
6477 NFT_MSG_NEWFLOWTABLE,
6478 NLM_F_MULTI | NLM_F_APPEND,
6479 table->family, flowtable) < 0)
6480 goto done;
6481
6482 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6483cont:
6484 idx++;
6485 }
6486 }
6487done:
6488 rcu_read_unlock();
6489
6490 cb->args[0] = idx;
6491 return skb->len;
6492}
6493
6494static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6495{
6496 const struct nlattr * const *nla = cb->data;
6497 struct nft_flowtable_filter *filter = NULL;
6498
6499 if (nla[NFTA_FLOWTABLE_TABLE]) {
6500 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6501 if (!filter)
6502 return -ENOMEM;
6503
6504 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6505 GFP_ATOMIC);
6506 if (!filter->table) {
6507 kfree(filter);
6508 return -ENOMEM;
6509 }
6510 }
6511
6512 cb->data = filter;
6513 return 0;
6514}
6515
6516static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6517{
6518 struct nft_flowtable_filter *filter = cb->data;
6519
6520 if (!filter)
6521 return 0;
6522
6523 kfree(filter->table);
6524 kfree(filter);
6525
6526 return 0;
6527}
6528
6529
6530static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6531 struct sk_buff *skb,
6532 const struct nlmsghdr *nlh,
6533 const struct nlattr * const nla[],
6534 struct netlink_ext_ack *extack)
6535{
6536 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6537 u8 genmask = nft_genmask_cur(net);
6538 int family = nfmsg->nfgen_family;
6539 struct nft_flowtable *flowtable;
6540 const struct nft_table *table;
6541 struct sk_buff *skb2;
6542 int err;
6543
6544 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6545 struct netlink_dump_control c = {
6546 .start = nf_tables_dump_flowtable_start,
6547 .dump = nf_tables_dump_flowtable,
6548 .done = nf_tables_dump_flowtable_done,
6549 .module = THIS_MODULE,
6550 .data = (void *)nla,
6551 };
6552
6553 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6554 }
6555
6556 if (!nla[NFTA_FLOWTABLE_NAME])
6557 return -EINVAL;
6558
6559 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6560 genmask);
6561 if (IS_ERR(table))
6562 return PTR_ERR(table);
6563
6564 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6565 genmask);
6566 if (IS_ERR(flowtable))
6567 return PTR_ERR(flowtable);
6568
6569 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6570 if (!skb2)
6571 return -ENOMEM;
6572
6573 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6574 nlh->nlmsg_seq,
6575 NFT_MSG_NEWFLOWTABLE, 0, family,
6576 flowtable);
6577 if (err < 0)
6578 goto err_fill_flowtable_info;
6579
6580 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6581
6582err_fill_flowtable_info:
6583 kfree_skb(skb2);
6584 return err;
6585}
6586
6587static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6588 struct nft_flowtable *flowtable,
6589 int event)
6590{
6591 struct sk_buff *skb;
6592 int err;
6593 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
6594 flowtable->table->name, flowtable->table->handle,
6595 flowtable->name, flowtable->handle);
6596
6597 audit_log_nfcfg(buf,
6598 ctx->family,
6599 flowtable->hooknum,
6600 event == NFT_MSG_NEWFLOWTABLE ?
6601 AUDIT_NFT_OP_FLOWTABLE_REGISTER :
6602 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
6603 GFP_KERNEL);
6604 kfree(buf);
6605
6606 if (!ctx->report &&
6607 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6608 return;
6609
6610 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6611 if (skb == NULL)
6612 goto err;
6613
6614 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6615 ctx->seq, event, 0,
6616 ctx->family, flowtable);
6617 if (err < 0) {
6618 kfree_skb(skb);
6619 goto err;
6620 }
6621
6622 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft_notify_list);
6623 return;
6624err:
6625 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6626}
6627
6628static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6629{
6630 struct nft_hook *hook, *next;
6631
6632 flowtable->data.type->free(&flowtable->data);
6633 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6634 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6635 FLOW_BLOCK_UNBIND);
6636 list_del_rcu(&hook->list);
6637 kfree(hook);
6638 }
6639 kfree(flowtable->name);
6640 module_put(flowtable->data.type->owner);
6641 kfree(flowtable);
6642}
6643
6644static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6645 u32 portid, u32 seq)
6646{
6647 struct nlmsghdr *nlh;
6648 struct nfgenmsg *nfmsg;
6649 char buf[TASK_COMM_LEN];
6650 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6651
6652 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6653 if (nlh == NULL)
6654 goto nla_put_failure;
6655
6656 nfmsg = nlmsg_data(nlh);
6657 nfmsg->nfgen_family = AF_UNSPEC;
6658 nfmsg->version = NFNETLINK_V0;
6659 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6660
6661 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6662 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6663 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6664 goto nla_put_failure;
6665
6666 nlmsg_end(skb, nlh);
6667 return 0;
6668
6669nla_put_failure:
6670 nlmsg_trim(skb, nlh);
6671 return -EMSGSIZE;
6672}
6673
6674static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6675 struct nft_flowtable *flowtable)
6676{
6677 struct nft_hook *hook;
6678
6679 list_for_each_entry(hook, &flowtable->hook_list, list) {
6680 if (hook->ops.dev != dev)
6681 continue;
6682
6683
6684 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
6685 list_del_rcu(&hook->list);
6686 kfree_rcu(hook, rcu);
6687 break;
6688 }
6689}
6690
6691static int nf_tables_flowtable_event(struct notifier_block *this,
6692 unsigned long event, void *ptr)
6693{
6694 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6695 struct nft_flowtable *flowtable;
6696 struct nft_table *table;
6697 struct net *net;
6698
6699 if (event != NETDEV_UNREGISTER)
6700 return 0;
6701
6702 net = dev_net(dev);
6703 mutex_lock(&net->nft_commit_mutex);
6704 list_for_each_entry(table, &net->nft.tables, list) {
6705 list_for_each_entry(flowtable, &table->flowtables, list) {
6706 nft_flowtable_event(event, dev, flowtable);
6707 }
6708 }
6709 mutex_unlock(&net->nft_commit_mutex);
6710
6711 return NOTIFY_DONE;
6712}
6713
6714static struct notifier_block nf_tables_flowtable_notifier = {
6715 .notifier_call = nf_tables_flowtable_event,
6716};
6717
6718static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6719 int event)
6720{
6721 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6722 struct sk_buff *skb2;
6723 int err;
6724
6725 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
6726 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
6727
6728 if (!nlmsg_report(nlh) &&
6729 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6730 return;
6731
6732 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6733 if (skb2 == NULL)
6734 goto err;
6735
6736 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6737 nlh->nlmsg_seq);
6738 if (err < 0) {
6739 kfree_skb(skb2);
6740 goto err;
6741 }
6742
6743 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6744 nlmsg_report(nlh), GFP_KERNEL);
6745 return;
6746err:
6747 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6748 -ENOBUFS);
6749}
6750
6751static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6752 struct sk_buff *skb, const struct nlmsghdr *nlh,
6753 const struct nlattr * const nla[],
6754 struct netlink_ext_ack *extack)
6755{
6756 struct sk_buff *skb2;
6757 int err;
6758
6759 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6760 if (skb2 == NULL)
6761 return -ENOMEM;
6762
6763 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6764 nlh->nlmsg_seq);
6765 if (err < 0)
6766 goto err_fill_gen_info;
6767
6768 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6769
6770err_fill_gen_info:
6771 kfree_skb(skb2);
6772 return err;
6773}
6774
6775static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6776 [NFT_MSG_NEWTABLE] = {
6777 .call_batch = nf_tables_newtable,
6778 .attr_count = NFTA_TABLE_MAX,
6779 .policy = nft_table_policy,
6780 },
6781 [NFT_MSG_GETTABLE] = {
6782 .call_rcu = nf_tables_gettable,
6783 .attr_count = NFTA_TABLE_MAX,
6784 .policy = nft_table_policy,
6785 },
6786 [NFT_MSG_DELTABLE] = {
6787 .call_batch = nf_tables_deltable,
6788 .attr_count = NFTA_TABLE_MAX,
6789 .policy = nft_table_policy,
6790 },
6791 [NFT_MSG_NEWCHAIN] = {
6792 .call_batch = nf_tables_newchain,
6793 .attr_count = NFTA_CHAIN_MAX,
6794 .policy = nft_chain_policy,
6795 },
6796 [NFT_MSG_GETCHAIN] = {
6797 .call_rcu = nf_tables_getchain,
6798 .attr_count = NFTA_CHAIN_MAX,
6799 .policy = nft_chain_policy,
6800 },
6801 [NFT_MSG_DELCHAIN] = {
6802 .call_batch = nf_tables_delchain,
6803 .attr_count = NFTA_CHAIN_MAX,
6804 .policy = nft_chain_policy,
6805 },
6806 [NFT_MSG_NEWRULE] = {
6807 .call_batch = nf_tables_newrule,
6808 .attr_count = NFTA_RULE_MAX,
6809 .policy = nft_rule_policy,
6810 },
6811 [NFT_MSG_GETRULE] = {
6812 .call_rcu = nf_tables_getrule,
6813 .attr_count = NFTA_RULE_MAX,
6814 .policy = nft_rule_policy,
6815 },
6816 [NFT_MSG_DELRULE] = {
6817 .call_batch = nf_tables_delrule,
6818 .attr_count = NFTA_RULE_MAX,
6819 .policy = nft_rule_policy,
6820 },
6821 [NFT_MSG_NEWSET] = {
6822 .call_batch = nf_tables_newset,
6823 .attr_count = NFTA_SET_MAX,
6824 .policy = nft_set_policy,
6825 },
6826 [NFT_MSG_GETSET] = {
6827 .call_rcu = nf_tables_getset,
6828 .attr_count = NFTA_SET_MAX,
6829 .policy = nft_set_policy,
6830 },
6831 [NFT_MSG_DELSET] = {
6832 .call_batch = nf_tables_delset,
6833 .attr_count = NFTA_SET_MAX,
6834 .policy = nft_set_policy,
6835 },
6836 [NFT_MSG_NEWSETELEM] = {
6837 .call_batch = nf_tables_newsetelem,
6838 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6839 .policy = nft_set_elem_list_policy,
6840 },
6841 [NFT_MSG_GETSETELEM] = {
6842 .call_rcu = nf_tables_getsetelem,
6843 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6844 .policy = nft_set_elem_list_policy,
6845 },
6846 [NFT_MSG_DELSETELEM] = {
6847 .call_batch = nf_tables_delsetelem,
6848 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6849 .policy = nft_set_elem_list_policy,
6850 },
6851 [NFT_MSG_GETGEN] = {
6852 .call_rcu = nf_tables_getgen,
6853 },
6854 [NFT_MSG_NEWOBJ] = {
6855 .call_batch = nf_tables_newobj,
6856 .attr_count = NFTA_OBJ_MAX,
6857 .policy = nft_obj_policy,
6858 },
6859 [NFT_MSG_GETOBJ] = {
6860 .call_rcu = nf_tables_getobj,
6861 .attr_count = NFTA_OBJ_MAX,
6862 .policy = nft_obj_policy,
6863 },
6864 [NFT_MSG_DELOBJ] = {
6865 .call_batch = nf_tables_delobj,
6866 .attr_count = NFTA_OBJ_MAX,
6867 .policy = nft_obj_policy,
6868 },
6869 [NFT_MSG_GETOBJ_RESET] = {
6870 .call_rcu = nf_tables_getobj,
6871 .attr_count = NFTA_OBJ_MAX,
6872 .policy = nft_obj_policy,
6873 },
6874 [NFT_MSG_NEWFLOWTABLE] = {
6875 .call_batch = nf_tables_newflowtable,
6876 .attr_count = NFTA_FLOWTABLE_MAX,
6877 .policy = nft_flowtable_policy,
6878 },
6879 [NFT_MSG_GETFLOWTABLE] = {
6880 .call_rcu = nf_tables_getflowtable,
6881 .attr_count = NFTA_FLOWTABLE_MAX,
6882 .policy = nft_flowtable_policy,
6883 },
6884 [NFT_MSG_DELFLOWTABLE] = {
6885 .call_batch = nf_tables_delflowtable,
6886 .attr_count = NFTA_FLOWTABLE_MAX,
6887 .policy = nft_flowtable_policy,
6888 },
6889};
6890
6891static int nf_tables_validate(struct net *net)
6892{
6893 struct nft_table *table;
6894
6895 switch (net->nft.validate_state) {
6896 case NFT_VALIDATE_SKIP:
6897 break;
6898 case NFT_VALIDATE_NEED:
6899 nft_validate_state_update(net, NFT_VALIDATE_DO);
6900
6901 case NFT_VALIDATE_DO:
6902 list_for_each_entry(table, &net->nft.tables, list) {
6903 if (nft_table_validate(net, table) < 0)
6904 return -EAGAIN;
6905 }
6906 break;
6907 }
6908
6909 return 0;
6910}
6911
6912
6913
6914
6915
6916
6917
6918
6919static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6920{
6921 struct nft_base_chain *basechain;
6922
6923 if (nft_trans_chain_policy(trans) != NF_DROP)
6924 return;
6925
6926 if (!nft_is_base_chain(trans->ctx.chain))
6927 return;
6928
6929 basechain = nft_base_chain(trans->ctx.chain);
6930 basechain->policy = NF_DROP;
6931}
6932
6933static void nft_chain_commit_update(struct nft_trans *trans)
6934{
6935 struct nft_base_chain *basechain;
6936
6937 if (nft_trans_chain_name(trans)) {
6938 rhltable_remove(&trans->ctx.table->chains_ht,
6939 &trans->ctx.chain->rhlhead,
6940 nft_chain_ht_params);
6941 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6942 rhltable_insert_key(&trans->ctx.table->chains_ht,
6943 trans->ctx.chain->name,
6944 &trans->ctx.chain->rhlhead,
6945 nft_chain_ht_params);
6946 }
6947
6948 if (!nft_is_base_chain(trans->ctx.chain))
6949 return;
6950
6951 basechain = nft_base_chain(trans->ctx.chain);
6952 nft_chain_stats_replace(trans->ctx.net, basechain,
6953 nft_trans_chain_stats(trans));
6954
6955 switch (nft_trans_chain_policy(trans)) {
6956 case NF_DROP:
6957 case NF_ACCEPT:
6958 basechain->policy = nft_trans_chain_policy(trans);
6959 break;
6960 }
6961}
6962
6963static void nft_commit_release(struct nft_trans *trans)
6964{
6965 switch (trans->msg_type) {
6966 case NFT_MSG_DELTABLE:
6967 nf_tables_table_destroy(&trans->ctx);
6968 break;
6969 case NFT_MSG_NEWCHAIN:
6970 kfree(nft_trans_chain_name(trans));
6971 break;
6972 case NFT_MSG_DELCHAIN:
6973 nf_tables_chain_destroy(&trans->ctx);
6974 break;
6975 case NFT_MSG_DELRULE:
6976 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6977 break;
6978 case NFT_MSG_DELSET:
6979 nft_set_destroy(nft_trans_set(trans));
6980 break;
6981 case NFT_MSG_DELSETELEM:
6982 nf_tables_set_elem_destroy(&trans->ctx,
6983 nft_trans_elem_set(trans),
6984 nft_trans_elem(trans).priv);
6985 break;
6986 case NFT_MSG_DELOBJ:
6987 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6988 break;
6989 case NFT_MSG_DELFLOWTABLE:
6990 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6991 break;
6992 }
6993
6994 if (trans->put_net)
6995 put_net(trans->ctx.net);
6996
6997 kfree(trans);
6998}
6999
7000static void nf_tables_trans_destroy_work(struct work_struct *w)
7001{
7002 struct nft_trans *trans, *next;
7003 LIST_HEAD(head);
7004
7005 spin_lock(&nf_tables_destroy_list_lock);
7006 list_splice_init(&nf_tables_destroy_list, &head);
7007 spin_unlock(&nf_tables_destroy_list_lock);
7008
7009 if (list_empty(&head))
7010 return;
7011
7012 synchronize_rcu();
7013
7014 list_for_each_entry_safe(trans, next, &head, list) {
7015 list_del(&trans->list);
7016 nft_commit_release(trans);
7017 }
7018}
7019
7020static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7021{
7022 struct nft_rule *rule;
7023 unsigned int alloc = 0;
7024 int i;
7025
7026
7027 if (chain->rules_next || !nft_is_active_next(net, chain))
7028 return 0;
7029
7030 rule = list_entry(&chain->rules, struct nft_rule, list);
7031 i = 0;
7032
7033 list_for_each_entry_continue(rule, &chain->rules, list) {
7034 if (nft_is_active_next(net, rule))
7035 alloc++;
7036 }
7037
7038 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7039 if (!chain->rules_next)
7040 return -ENOMEM;
7041
7042 list_for_each_entry_continue(rule, &chain->rules, list) {
7043 if (nft_is_active_next(net, rule))
7044 chain->rules_next[i++] = rule;
7045 }
7046
7047 chain->rules_next[i] = NULL;
7048 return 0;
7049}
7050
7051static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7052{
7053 struct nft_trans *trans, *next;
7054
7055 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7056 struct nft_chain *chain = trans->ctx.chain;
7057
7058 if (trans->msg_type == NFT_MSG_NEWRULE ||
7059 trans->msg_type == NFT_MSG_DELRULE) {
7060 kvfree(chain->rules_next);
7061 chain->rules_next = NULL;
7062 }
7063 }
7064}
7065
7066static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7067{
7068 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7069
7070 kvfree(o->start);
7071}
7072
7073static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7074{
7075 struct nft_rule **r = rules;
7076 struct nft_rules_old *old;
7077
7078 while (*r)
7079 r++;
7080
7081 r++;
7082 old = (void *) r;
7083 old->start = rules;
7084
7085 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7086}
7087
7088static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7089{
7090 struct nft_rule **g0, **g1;
7091 bool next_genbit;
7092
7093 next_genbit = nft_gencursor_next(net);
7094
7095 g0 = rcu_dereference_protected(chain->rules_gen_0,
7096 lockdep_commit_lock_is_held(net));
7097 g1 = rcu_dereference_protected(chain->rules_gen_1,
7098 lockdep_commit_lock_is_held(net));
7099
7100
7101 if (chain->rules_next == NULL) {
7102
7103 if (g0 == g1)
7104 return;
7105
7106
7107
7108
7109 if (next_genbit) {
7110 rcu_assign_pointer(chain->rules_gen_1, g0);
7111 nf_tables_commit_chain_free_rules_old(g1);
7112 } else {
7113 rcu_assign_pointer(chain->rules_gen_0, g1);
7114 nf_tables_commit_chain_free_rules_old(g0);
7115 }
7116
7117 return;
7118 }
7119
7120 if (next_genbit)
7121 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7122 else
7123 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7124
7125 chain->rules_next = NULL;
7126
7127 if (g0 == g1)
7128 return;
7129
7130 if (next_genbit)
7131 nf_tables_commit_chain_free_rules_old(g1);
7132 else
7133 nf_tables_commit_chain_free_rules_old(g0);
7134}
7135
7136static void nft_obj_del(struct nft_object *obj)
7137{
7138 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7139 list_del_rcu(&obj->list);
7140}
7141
7142static void nft_chain_del(struct nft_chain *chain)
7143{
7144 struct nft_table *table = chain->table;
7145
7146 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7147 nft_chain_ht_params));
7148 list_del_rcu(&chain->list);
7149}
7150
7151static void nf_tables_module_autoload_cleanup(struct net *net)
7152{
7153 struct nft_module_request *req, *next;
7154
7155 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7156 list_for_each_entry_safe(req, next, &net->nft_module_list, list) {
7157 WARN_ON_ONCE(!req->done);
7158 list_del(&req->list);
7159 kfree(req);
7160 }
7161}
7162
7163static void nf_tables_commit_release(struct net *net)
7164{
7165 struct nft_trans *trans;
7166
7167
7168
7169
7170
7171
7172
7173
7174 if (list_empty(&net->nft.commit_list)) {
7175 nf_tables_module_autoload_cleanup(net);
7176 mutex_unlock(&net->nft_commit_mutex);
7177 return;
7178 }
7179
7180 trans = list_last_entry(&net->nft.commit_list,
7181 struct nft_trans, list);
7182 get_net(trans->ctx.net);
7183 WARN_ON_ONCE(trans->put_net);
7184
7185 trans->put_net = true;
7186 spin_lock(&nf_tables_destroy_list_lock);
7187 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7188 spin_unlock(&nf_tables_destroy_list_lock);
7189
7190 nf_tables_module_autoload_cleanup(net);
7191 mutex_unlock(&net->nft_commit_mutex);
7192
7193 schedule_work(&trans_destroy_work);
7194}
7195
7196static void nft_commit_notify(struct net *net, u32 portid)
7197{
7198 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7199 unsigned char *data;
7200 int len;
7201
7202 list_for_each_entry_safe(skb, nskb, &net->nft_notify_list, list) {
7203 if (!batch_skb) {
7204new_batch:
7205 batch_skb = skb;
7206 len = NLMSG_GOODSIZE - skb->len;
7207 list_del(&skb->list);
7208 continue;
7209 }
7210 len -= skb->len;
7211 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
7212 data = skb_put(batch_skb, skb->len);
7213 memcpy(data, skb->data, skb->len);
7214 list_del(&skb->list);
7215 kfree_skb(skb);
7216 continue;
7217 }
7218 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7219 NFT_CB(batch_skb).report, GFP_KERNEL);
7220 goto new_batch;
7221 }
7222
7223 if (batch_skb) {
7224 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7225 NFT_CB(batch_skb).report, GFP_KERNEL);
7226 }
7227
7228 WARN_ON_ONCE(!list_empty(&net->nft_notify_list));
7229}
7230
7231static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7232{
7233 struct nft_trans *trans, *next;
7234 struct nft_trans_elem *te;
7235 struct nft_chain *chain;
7236 struct nft_table *table;
7237 int err;
7238
7239
7240 if (nf_tables_validate(net) < 0)
7241 return -EAGAIN;
7242
7243 err = nft_flow_rule_offload_commit(net);
7244 if (err < 0)
7245 return err;
7246
7247
7248 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7249 int ret;
7250
7251 if (trans->msg_type == NFT_MSG_NEWRULE ||
7252 trans->msg_type == NFT_MSG_DELRULE) {
7253 chain = trans->ctx.chain;
7254
7255 ret = nf_tables_commit_chain_prepare(net, chain);
7256 if (ret < 0) {
7257 nf_tables_commit_chain_prepare_cancel(net);
7258 return ret;
7259 }
7260 }
7261 }
7262
7263
7264 list_for_each_entry(table, &net->nft.tables, list) {
7265 list_for_each_entry(chain, &table->chains, list)
7266 nf_tables_commit_chain(net, chain);
7267 }
7268
7269
7270
7271
7272
7273 while (++net->nft.base_seq == 0);
7274
7275
7276 net->nft.gencursor = nft_gencursor_next(net);
7277
7278 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7279 switch (trans->msg_type) {
7280 case NFT_MSG_NEWTABLE:
7281 if (nft_trans_table_update(trans)) {
7282 if (!nft_trans_table_enable(trans)) {
7283 nf_tables_table_disable(net,
7284 trans->ctx.table);
7285 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7286 }
7287 } else {
7288 nft_clear(net, trans->ctx.table);
7289 }
7290 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7291 nft_trans_destroy(trans);
7292 break;
7293 case NFT_MSG_DELTABLE:
7294 list_del_rcu(&trans->ctx.table->list);
7295 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7296 break;
7297 case NFT_MSG_NEWCHAIN:
7298 if (nft_trans_chain_update(trans)) {
7299 nft_chain_commit_update(trans);
7300 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7301
7302 } else {
7303 nft_chain_commit_drop_policy(trans);
7304 nft_clear(net, trans->ctx.chain);
7305 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7306 nft_trans_destroy(trans);
7307 }
7308 break;
7309 case NFT_MSG_DELCHAIN:
7310 nft_chain_del(trans->ctx.chain);
7311 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7312 nf_tables_unregister_hook(trans->ctx.net,
7313 trans->ctx.table,
7314 trans->ctx.chain);
7315 break;
7316 case NFT_MSG_NEWRULE:
7317 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7318 nf_tables_rule_notify(&trans->ctx,
7319 nft_trans_rule(trans),
7320 NFT_MSG_NEWRULE);
7321 nft_trans_destroy(trans);
7322 break;
7323 case NFT_MSG_DELRULE:
7324 list_del_rcu(&nft_trans_rule(trans)->list);
7325 nf_tables_rule_notify(&trans->ctx,
7326 nft_trans_rule(trans),
7327 NFT_MSG_DELRULE);
7328 nft_rule_expr_deactivate(&trans->ctx,
7329 nft_trans_rule(trans),
7330 NFT_TRANS_COMMIT);
7331 break;
7332 case NFT_MSG_NEWSET:
7333 nft_clear(net, nft_trans_set(trans));
7334
7335
7336
7337 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7338 !list_empty(&nft_trans_set(trans)->bindings))
7339 trans->ctx.table->use--;
7340
7341 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7342 NFT_MSG_NEWSET, GFP_KERNEL);
7343 nft_trans_destroy(trans);
7344 break;
7345 case NFT_MSG_DELSET:
7346 list_del_rcu(&nft_trans_set(trans)->list);
7347 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7348 NFT_MSG_DELSET, GFP_KERNEL);
7349 break;
7350 case NFT_MSG_NEWSETELEM:
7351 te = (struct nft_trans_elem *)trans->data;
7352
7353 te->set->ops->activate(net, te->set, &te->elem);
7354 nf_tables_setelem_notify(&trans->ctx, te->set,
7355 &te->elem,
7356 NFT_MSG_NEWSETELEM, 0);
7357 nft_trans_destroy(trans);
7358 break;
7359 case NFT_MSG_DELSETELEM:
7360 te = (struct nft_trans_elem *)trans->data;
7361
7362 nf_tables_setelem_notify(&trans->ctx, te->set,
7363 &te->elem,
7364 NFT_MSG_DELSETELEM, 0);
7365 te->set->ops->remove(net, te->set, &te->elem);
7366 atomic_dec(&te->set->nelems);
7367 te->set->ndeact--;
7368 break;
7369 case NFT_MSG_NEWOBJ:
7370 nft_clear(net, nft_trans_obj(trans));
7371 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7372 NFT_MSG_NEWOBJ);
7373 nft_trans_destroy(trans);
7374 break;
7375 case NFT_MSG_DELOBJ:
7376 nft_obj_del(nft_trans_obj(trans));
7377 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7378 NFT_MSG_DELOBJ);
7379 break;
7380 case NFT_MSG_NEWFLOWTABLE:
7381 nft_clear(net, nft_trans_flowtable(trans));
7382 nf_tables_flowtable_notify(&trans->ctx,
7383 nft_trans_flowtable(trans),
7384 NFT_MSG_NEWFLOWTABLE);
7385 nft_trans_destroy(trans);
7386 break;
7387 case NFT_MSG_DELFLOWTABLE:
7388 list_del_rcu(&nft_trans_flowtable(trans)->list);
7389 nf_tables_flowtable_notify(&trans->ctx,
7390 nft_trans_flowtable(trans),
7391 NFT_MSG_DELFLOWTABLE);
7392 nft_unregister_flowtable_net_hooks(net,
7393 nft_trans_flowtable(trans));
7394 break;
7395 }
7396 }
7397
7398 nft_commit_notify(net, NETLINK_CB(skb).portid);
7399 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7400 nf_tables_commit_release(net);
7401
7402 return 0;
7403}
7404
7405static void nf_tables_module_autoload(struct net *net)
7406{
7407 struct nft_module_request *req, *next;
7408 LIST_HEAD(module_list);
7409
7410 list_splice_init(&net->nft_module_list, &module_list);
7411 mutex_unlock(&net->nft_commit_mutex);
7412 list_for_each_entry_safe(req, next, &module_list, list) {
7413 request_module("%s", req->module);
7414 req->done = true;
7415 }
7416 mutex_lock(&net->nft_commit_mutex);
7417 list_splice(&module_list, &net->nft_module_list);
7418}
7419
7420static void nf_tables_abort_release(struct nft_trans *trans)
7421{
7422 switch (trans->msg_type) {
7423 case NFT_MSG_NEWTABLE:
7424 nf_tables_table_destroy(&trans->ctx);
7425 break;
7426 case NFT_MSG_NEWCHAIN:
7427 nf_tables_chain_destroy(&trans->ctx);
7428 break;
7429 case NFT_MSG_NEWRULE:
7430 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7431 break;
7432 case NFT_MSG_NEWSET:
7433 nft_set_destroy(nft_trans_set(trans));
7434 break;
7435 case NFT_MSG_NEWSETELEM:
7436 nft_set_elem_destroy(nft_trans_elem_set(trans),
7437 nft_trans_elem(trans).priv, true);
7438 break;
7439 case NFT_MSG_NEWOBJ:
7440 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7441 break;
7442 case NFT_MSG_NEWFLOWTABLE:
7443 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7444 break;
7445 }
7446 kfree(trans);
7447}
7448
7449static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
7450{
7451 struct nft_trans *trans, *next;
7452 struct nft_trans_elem *te;
7453
7454 if (action == NFNL_ABORT_VALIDATE &&
7455 nf_tables_validate(net) < 0)
7456 return -EAGAIN;
7457
7458 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7459 list) {
7460 switch (trans->msg_type) {
7461 case NFT_MSG_NEWTABLE:
7462 if (nft_trans_table_update(trans)) {
7463 if (nft_trans_table_enable(trans)) {
7464 nf_tables_table_disable(net,
7465 trans->ctx.table);
7466 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7467 }
7468 nft_trans_destroy(trans);
7469 } else {
7470 list_del_rcu(&trans->ctx.table->list);
7471 }
7472 break;
7473 case NFT_MSG_DELTABLE:
7474 nft_clear(trans->ctx.net, trans->ctx.table);
7475 nft_trans_destroy(trans);
7476 break;
7477 case NFT_MSG_NEWCHAIN:
7478 if (nft_trans_chain_update(trans)) {
7479 free_percpu(nft_trans_chain_stats(trans));
7480 kfree(nft_trans_chain_name(trans));
7481 nft_trans_destroy(trans);
7482 } else {
7483 trans->ctx.table->use--;
7484 nft_chain_del(trans->ctx.chain);
7485 nf_tables_unregister_hook(trans->ctx.net,
7486 trans->ctx.table,
7487 trans->ctx.chain);
7488 }
7489 break;
7490 case NFT_MSG_DELCHAIN:
7491 trans->ctx.table->use++;
7492 nft_clear(trans->ctx.net, trans->ctx.chain);
7493 nft_trans_destroy(trans);
7494 break;
7495 case NFT_MSG_NEWRULE:
7496 trans->ctx.chain->use--;
7497 list_del_rcu(&nft_trans_rule(trans)->list);
7498 nft_rule_expr_deactivate(&trans->ctx,
7499 nft_trans_rule(trans),
7500 NFT_TRANS_ABORT);
7501 break;
7502 case NFT_MSG_DELRULE:
7503 trans->ctx.chain->use++;
7504 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7505 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7506 nft_trans_destroy(trans);
7507 break;
7508 case NFT_MSG_NEWSET:
7509 trans->ctx.table->use--;
7510 if (nft_trans_set_bound(trans)) {
7511 nft_trans_destroy(trans);
7512 break;
7513 }
7514 list_del_rcu(&nft_trans_set(trans)->list);
7515 break;
7516 case NFT_MSG_DELSET:
7517 trans->ctx.table->use++;
7518 nft_clear(trans->ctx.net, nft_trans_set(trans));
7519 nft_trans_destroy(trans);
7520 break;
7521 case NFT_MSG_NEWSETELEM:
7522 if (nft_trans_elem_set_bound(trans)) {
7523 nft_trans_destroy(trans);
7524 break;
7525 }
7526 te = (struct nft_trans_elem *)trans->data;
7527 te->set->ops->remove(net, te->set, &te->elem);
7528 atomic_dec(&te->set->nelems);
7529 break;
7530 case NFT_MSG_DELSETELEM:
7531 te = (struct nft_trans_elem *)trans->data;
7532
7533 nft_set_elem_activate(net, te->set, &te->elem);
7534 te->set->ops->activate(net, te->set, &te->elem);
7535 te->set->ndeact--;
7536
7537 nft_trans_destroy(trans);
7538 break;
7539 case NFT_MSG_NEWOBJ:
7540 trans->ctx.table->use--;
7541 nft_obj_del(nft_trans_obj(trans));
7542 break;
7543 case NFT_MSG_DELOBJ:
7544 trans->ctx.table->use++;
7545 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7546 nft_trans_destroy(trans);
7547 break;
7548 case NFT_MSG_NEWFLOWTABLE:
7549 trans->ctx.table->use--;
7550 list_del_rcu(&nft_trans_flowtable(trans)->list);
7551 nft_unregister_flowtable_net_hooks(net,
7552 nft_trans_flowtable(trans));
7553 break;
7554 case NFT_MSG_DELFLOWTABLE:
7555 trans->ctx.table->use++;
7556 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7557 nft_trans_destroy(trans);
7558 break;
7559 }
7560 }
7561
7562 synchronize_rcu();
7563
7564 list_for_each_entry_safe_reverse(trans, next,
7565 &net->nft.commit_list, list) {
7566 list_del(&trans->list);
7567 nf_tables_abort_release(trans);
7568 }
7569
7570 if (action == NFNL_ABORT_AUTOLOAD)
7571 nf_tables_module_autoload(net);
7572 else
7573 nf_tables_module_autoload_cleanup(net);
7574
7575 return 0;
7576}
7577
7578static void nf_tables_cleanup(struct net *net)
7579{
7580 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7581}
7582
7583static int nf_tables_abort(struct net *net, struct sk_buff *skb,
7584 enum nfnl_abort_action action)
7585{
7586 int ret = __nf_tables_abort(net, action);
7587
7588 mutex_unlock(&net->nft_commit_mutex);
7589
7590 return ret;
7591}
7592
7593static bool nf_tables_valid_genid(struct net *net, u32 genid)
7594{
7595 bool genid_ok;
7596
7597 mutex_lock(&net->nft_commit_mutex);
7598
7599 genid_ok = genid == 0 || net->nft.base_seq == genid;
7600 if (!genid_ok)
7601 mutex_unlock(&net->nft_commit_mutex);
7602
7603
7604 return genid_ok;
7605}
7606
7607static const struct nfnetlink_subsystem nf_tables_subsys = {
7608 .name = "nf_tables",
7609 .subsys_id = NFNL_SUBSYS_NFTABLES,
7610 .cb_count = NFT_MSG_MAX,
7611 .cb = nf_tables_cb,
7612 .commit = nf_tables_commit,
7613 .abort = nf_tables_abort,
7614 .cleanup = nf_tables_cleanup,
7615 .valid_genid = nf_tables_valid_genid,
7616 .owner = THIS_MODULE,
7617};
7618
7619int nft_chain_validate_dependency(const struct nft_chain *chain,
7620 enum nft_chain_types type)
7621{
7622 const struct nft_base_chain *basechain;
7623
7624 if (nft_is_base_chain(chain)) {
7625 basechain = nft_base_chain(chain);
7626 if (basechain->type->type != type)
7627 return -EOPNOTSUPP;
7628 }
7629 return 0;
7630}
7631EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7632
7633int nft_chain_validate_hooks(const struct nft_chain *chain,
7634 unsigned int hook_flags)
7635{
7636 struct nft_base_chain *basechain;
7637
7638 if (nft_is_base_chain(chain)) {
7639 basechain = nft_base_chain(chain);
7640
7641 if ((1 << basechain->ops.hooknum) & hook_flags)
7642 return 0;
7643
7644 return -EOPNOTSUPP;
7645 }
7646
7647 return 0;
7648}
7649EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7650
7651
7652
7653
7654
7655
7656
7657
7658
7659
7660static int nf_tables_check_loops(const struct nft_ctx *ctx,
7661 const struct nft_chain *chain);
7662
7663static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7664 struct nft_set *set,
7665 const struct nft_set_iter *iter,
7666 struct nft_set_elem *elem)
7667{
7668 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7669 const struct nft_data *data;
7670
7671 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7672 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7673 return 0;
7674
7675 data = nft_set_ext_data(ext);
7676 switch (data->verdict.code) {
7677 case NFT_JUMP:
7678 case NFT_GOTO:
7679 return nf_tables_check_loops(ctx, data->verdict.chain);
7680 default:
7681 return 0;
7682 }
7683}
7684
7685static int nf_tables_check_loops(const struct nft_ctx *ctx,
7686 const struct nft_chain *chain)
7687{
7688 const struct nft_rule *rule;
7689 const struct nft_expr *expr, *last;
7690 struct nft_set *set;
7691 struct nft_set_binding *binding;
7692 struct nft_set_iter iter;
7693
7694 if (ctx->chain == chain)
7695 return -ELOOP;
7696
7697 list_for_each_entry(rule, &chain->rules, list) {
7698 nft_rule_for_each_expr(expr, last, rule) {
7699 struct nft_immediate_expr *priv;
7700 const struct nft_data *data;
7701 int err;
7702
7703 if (strcmp(expr->ops->type->name, "immediate"))
7704 continue;
7705
7706 priv = nft_expr_priv(expr);
7707 if (priv->dreg != NFT_REG_VERDICT)
7708 continue;
7709
7710 data = &priv->data;
7711 switch (data->verdict.code) {
7712 case NFT_JUMP:
7713 case NFT_GOTO:
7714 err = nf_tables_check_loops(ctx,
7715 data->verdict.chain);
7716 if (err < 0)
7717 return err;
7718 default:
7719 break;
7720 }
7721 }
7722 }
7723
7724 list_for_each_entry(set, &ctx->table->sets, list) {
7725 if (!nft_is_active_next(ctx->net, set))
7726 continue;
7727 if (!(set->flags & NFT_SET_MAP) ||
7728 set->dtype != NFT_DATA_VERDICT)
7729 continue;
7730
7731 list_for_each_entry(binding, &set->bindings, list) {
7732 if (!(binding->flags & NFT_SET_MAP) ||
7733 binding->chain != chain)
7734 continue;
7735
7736 iter.genmask = nft_genmask_next(ctx->net);
7737 iter.skip = 0;
7738 iter.count = 0;
7739 iter.err = 0;
7740 iter.fn = nf_tables_loop_check_setelem;
7741
7742 set->ops->walk(ctx, set, &iter);
7743 if (iter.err < 0)
7744 return iter.err;
7745 }
7746 }
7747
7748 return 0;
7749}
7750
7751
7752
7753
7754
7755
7756
7757
7758
7759
7760
7761
7762
7763int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7764{
7765 u32 val;
7766
7767 val = ntohl(nla_get_be32(attr));
7768 if (val > max)
7769 return -ERANGE;
7770
7771 *dest = val;
7772 return 0;
7773}
7774EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7775
7776
7777
7778
7779
7780
7781
7782
7783
7784
7785unsigned int nft_parse_register(const struct nlattr *attr)
7786{
7787 unsigned int reg;
7788
7789 reg = ntohl(nla_get_be32(attr));
7790 switch (reg) {
7791 case NFT_REG_VERDICT...NFT_REG_4:
7792 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7793 default:
7794 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7795 }
7796}
7797EXPORT_SYMBOL_GPL(nft_parse_register);
7798
7799
7800
7801
7802
7803
7804
7805
7806
7807
7808
7809
7810int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7811{
7812 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7813 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7814 else
7815 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7816
7817 return nla_put_be32(skb, attr, htonl(reg));
7818}
7819EXPORT_SYMBOL_GPL(nft_dump_register);
7820
7821
7822
7823
7824
7825
7826
7827
7828
7829
7830int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7831{
7832 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7833 return -EINVAL;
7834 if (len == 0)
7835 return -EINVAL;
7836 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7837 return -ERANGE;
7838
7839 return 0;
7840}
7841EXPORT_SYMBOL_GPL(nft_validate_register_load);
7842
7843
7844
7845
7846
7847
7848
7849
7850
7851
7852
7853
7854
7855
7856
7857int nft_validate_register_store(const struct nft_ctx *ctx,
7858 enum nft_registers reg,
7859 const struct nft_data *data,
7860 enum nft_data_types type, unsigned int len)
7861{
7862 int err;
7863
7864 switch (reg) {
7865 case NFT_REG_VERDICT:
7866 if (type != NFT_DATA_VERDICT)
7867 return -EINVAL;
7868
7869 if (data != NULL &&
7870 (data->verdict.code == NFT_GOTO ||
7871 data->verdict.code == NFT_JUMP)) {
7872 err = nf_tables_check_loops(ctx, data->verdict.chain);
7873 if (err < 0)
7874 return err;
7875 }
7876
7877 return 0;
7878 default:
7879 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7880 return -EINVAL;
7881 if (len == 0)
7882 return -EINVAL;
7883 if (reg * NFT_REG32_SIZE + len >
7884 FIELD_SIZEOF(struct nft_regs, data))
7885 return -ERANGE;
7886
7887 if (data != NULL && type != NFT_DATA_VALUE)
7888 return -EINVAL;
7889 return 0;
7890 }
7891}
7892EXPORT_SYMBOL_GPL(nft_validate_register_store);
7893
7894static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7895 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7896 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7897 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7898};
7899
7900static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7901 struct nft_data_desc *desc, const struct nlattr *nla)
7902{
7903 u8 genmask = nft_genmask_next(ctx->net);
7904 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7905 struct nft_chain *chain;
7906 int err;
7907
7908 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7909 nft_verdict_policy, NULL);
7910 if (err < 0)
7911 return err;
7912
7913 if (!tb[NFTA_VERDICT_CODE])
7914 return -EINVAL;
7915 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7916
7917 switch (data->verdict.code) {
7918 default:
7919 switch (data->verdict.code & NF_VERDICT_MASK) {
7920 case NF_ACCEPT:
7921 case NF_DROP:
7922 case NF_QUEUE:
7923 break;
7924 default:
7925 return -EINVAL;
7926 }
7927
7928 case NFT_CONTINUE:
7929 case NFT_BREAK:
7930 case NFT_RETURN:
7931 break;
7932 case NFT_JUMP:
7933 case NFT_GOTO:
7934 if (!tb[NFTA_VERDICT_CHAIN])
7935 return -EINVAL;
7936 chain = nft_chain_lookup(ctx->net, ctx->table,
7937 tb[NFTA_VERDICT_CHAIN], genmask);
7938 if (IS_ERR(chain))
7939 return PTR_ERR(chain);
7940 if (nft_is_base_chain(chain))
7941 return -EOPNOTSUPP;
7942
7943 chain->use++;
7944 data->verdict.chain = chain;
7945 break;
7946 }
7947
7948 desc->len = sizeof(data->verdict);
7949 desc->type = NFT_DATA_VERDICT;
7950 return 0;
7951}
7952
7953static void nft_verdict_uninit(const struct nft_data *data)
7954{
7955 switch (data->verdict.code) {
7956 case NFT_JUMP:
7957 case NFT_GOTO:
7958 data->verdict.chain->use--;
7959 break;
7960 }
7961}
7962
7963int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7964{
7965 struct nlattr *nest;
7966
7967 nest = nla_nest_start_noflag(skb, type);
7968 if (!nest)
7969 goto nla_put_failure;
7970
7971 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7972 goto nla_put_failure;
7973
7974 switch (v->code) {
7975 case NFT_JUMP:
7976 case NFT_GOTO:
7977 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7978 v->chain->name))
7979 goto nla_put_failure;
7980 }
7981 nla_nest_end(skb, nest);
7982 return 0;
7983
7984nla_put_failure:
7985 return -1;
7986}
7987
7988static int nft_value_init(const struct nft_ctx *ctx,
7989 struct nft_data *data, unsigned int size,
7990 struct nft_data_desc *desc, const struct nlattr *nla)
7991{
7992 unsigned int len;
7993
7994 len = nla_len(nla);
7995 if (len == 0)
7996 return -EINVAL;
7997 if (len > size)
7998 return -EOVERFLOW;
7999
8000 nla_memcpy(data->data, nla, len);
8001 desc->type = NFT_DATA_VALUE;
8002 desc->len = len;
8003 return 0;
8004}
8005
8006static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8007 unsigned int len)
8008{
8009 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8010}
8011
8012static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8013 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8014 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8015};
8016
8017
8018
8019
8020
8021
8022
8023
8024
8025
8026
8027
8028
8029
8030
8031
8032int nft_data_init(const struct nft_ctx *ctx,
8033 struct nft_data *data, unsigned int size,
8034 struct nft_data_desc *desc, const struct nlattr *nla)
8035{
8036 struct nlattr *tb[NFTA_DATA_MAX + 1];
8037 int err;
8038
8039 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8040 nft_data_policy, NULL);
8041 if (err < 0)
8042 return err;
8043
8044 if (tb[NFTA_DATA_VALUE])
8045 return nft_value_init(ctx, data, size, desc,
8046 tb[NFTA_DATA_VALUE]);
8047 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8048 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8049 return -EINVAL;
8050}
8051EXPORT_SYMBOL_GPL(nft_data_init);
8052
8053
8054
8055
8056
8057
8058
8059
8060
8061
8062void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8063{
8064 if (type < NFT_DATA_VERDICT)
8065 return;
8066 switch (type) {
8067 case NFT_DATA_VERDICT:
8068 return nft_verdict_uninit(data);
8069 default:
8070 WARN_ON(1);
8071 }
8072}
8073EXPORT_SYMBOL_GPL(nft_data_release);
8074
8075int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8076 enum nft_data_types type, unsigned int len)
8077{
8078 struct nlattr *nest;
8079 int err;
8080
8081 nest = nla_nest_start_noflag(skb, attr);
8082 if (nest == NULL)
8083 return -1;
8084
8085 switch (type) {
8086 case NFT_DATA_VALUE:
8087 err = nft_value_dump(skb, data, len);
8088 break;
8089 case NFT_DATA_VERDICT:
8090 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8091 break;
8092 default:
8093 err = -EINVAL;
8094 WARN_ON(1);
8095 }
8096
8097 nla_nest_end(skb, nest);
8098 return err;
8099}
8100EXPORT_SYMBOL_GPL(nft_data_dump);
8101
8102int __nft_release_basechain(struct nft_ctx *ctx)
8103{
8104 struct nft_rule *rule, *nr;
8105
8106 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8107 return 0;
8108
8109 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8110 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8111 list_del(&rule->list);
8112 ctx->chain->use--;
8113 nf_tables_rule_release(ctx, rule);
8114 }
8115 nft_chain_del(ctx->chain);
8116 ctx->table->use--;
8117 nf_tables_chain_destroy(ctx);
8118
8119 return 0;
8120}
8121EXPORT_SYMBOL_GPL(__nft_release_basechain);
8122
8123static void __nft_release_hooks(struct net *net)
8124{
8125 struct nft_table *table;
8126 struct nft_chain *chain;
8127
8128 list_for_each_entry(table, &net->nft.tables, list) {
8129 list_for_each_entry(chain, &table->chains, list)
8130 nf_tables_unregister_hook(net, table, chain);
8131 }
8132}
8133
8134static void __nft_release_tables(struct net *net)
8135{
8136 struct nft_flowtable *flowtable, *nf;
8137 struct nft_table *table, *nt;
8138 struct nft_chain *chain, *nc;
8139 struct nft_object *obj, *ne;
8140 struct nft_rule *rule, *nr;
8141 struct nft_set *set, *ns;
8142 struct nft_ctx ctx = {
8143 .net = net,
8144 .family = NFPROTO_NETDEV,
8145 };
8146
8147 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8148 ctx.family = table->family;
8149 ctx.table = table;
8150 list_for_each_entry(chain, &table->chains, list) {
8151 ctx.chain = chain;
8152 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8153 list_del(&rule->list);
8154 chain->use--;
8155 nf_tables_rule_release(&ctx, rule);
8156 }
8157 }
8158 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8159 list_del(&flowtable->list);
8160 table->use--;
8161 nf_tables_flowtable_destroy(flowtable);
8162 }
8163 list_for_each_entry_safe(set, ns, &table->sets, list) {
8164 list_del(&set->list);
8165 table->use--;
8166 nft_set_destroy(set);
8167 }
8168 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8169 nft_obj_del(obj);
8170 table->use--;
8171 nft_obj_destroy(&ctx, obj);
8172 }
8173 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8174 ctx.chain = chain;
8175 nft_chain_del(chain);
8176 table->use--;
8177 nf_tables_chain_destroy(&ctx);
8178 }
8179 list_del(&table->list);
8180 nf_tables_table_destroy(&ctx);
8181 }
8182}
8183
8184static int __net_init nf_tables_init_net(struct net *net)
8185{
8186 INIT_LIST_HEAD(&net->nft.tables);
8187 INIT_LIST_HEAD(&net->nft.commit_list);
8188 INIT_LIST_HEAD(&net->nft_module_list);
8189 INIT_LIST_HEAD(&net->nft_notify_list);
8190 mutex_init(&net->nft_commit_mutex);
8191 net->nft.base_seq = 1;
8192 net->nft.validate_state = NFT_VALIDATE_SKIP;
8193
8194 return 0;
8195}
8196
8197static void __net_exit nf_tables_pre_exit_net(struct net *net)
8198{
8199 __nft_release_hooks(net);
8200}
8201
8202static void __net_exit nf_tables_exit_net(struct net *net)
8203{
8204 mutex_lock(&net->nft_commit_mutex);
8205 if (!list_empty(&net->nft.commit_list))
8206 __nf_tables_abort(net, NFNL_ABORT_NONE);
8207 __nft_release_tables(net);
8208 mutex_unlock(&net->nft_commit_mutex);
8209 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8210 WARN_ON_ONCE(!list_empty(&net->nft_module_list));
8211 WARN_ON_ONCE(!list_empty(&net->nft_notify_list));
8212}
8213
8214static struct pernet_operations nf_tables_net_ops = {
8215 .init = nf_tables_init_net,
8216 .pre_exit = nf_tables_pre_exit_net,
8217 .exit = nf_tables_exit_net,
8218};
8219
8220static int __init nf_tables_module_init(void)
8221{
8222 int err;
8223
8224 spin_lock_init(&nf_tables_destroy_list_lock);
8225 err = register_pernet_subsys(&nf_tables_net_ops);
8226 if (err < 0)
8227 return err;
8228
8229 err = nft_chain_filter_init();
8230 if (err < 0)
8231 goto err1;
8232
8233 err = nf_tables_core_module_init();
8234 if (err < 0)
8235 goto err2;
8236
8237 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8238 if (err < 0)
8239 goto err3;
8240
8241 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8242 if (err < 0)
8243 goto err4;
8244
8245 err = nft_offload_init();
8246 if (err < 0)
8247 goto err5;
8248
8249
8250 err = nfnetlink_subsys_register(&nf_tables_subsys);
8251 if (err < 0)
8252 goto err6;
8253
8254 nft_chain_route_init();
8255
8256 return err;
8257err6:
8258 nft_offload_exit();
8259err5:
8260 rhltable_destroy(&nft_objname_ht);
8261err4:
8262 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8263err3:
8264 nf_tables_core_module_exit();
8265err2:
8266 nft_chain_filter_fini();
8267err1:
8268 unregister_pernet_subsys(&nf_tables_net_ops);
8269 return err;
8270}
8271
8272static void __exit nf_tables_module_exit(void)
8273{
8274 nfnetlink_subsys_unregister(&nf_tables_subsys);
8275 nft_offload_exit();
8276 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8277 nft_chain_filter_fini();
8278 nft_chain_route_fini();
8279 unregister_pernet_subsys(&nf_tables_net_ops);
8280 cancel_work_sync(&trans_destroy_work);
8281 rcu_barrier();
8282 rhltable_destroy(&nft_objname_ht);
8283 nf_tables_core_module_exit();
8284}
8285
8286module_init(nf_tables_module_init);
8287module_exit(nf_tables_module_exit);
8288
8289MODULE_LICENSE("GPL");
8290MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8291MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
8292
