1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/netfilter.h>
17#include <linux/netfilter/nfnetlink.h>
18#include <linux/netfilter/nf_tables.h>
19#include <net/netfilter/nf_tables_core.h>
20#include <net/netfilter/nf_tables.h>
21#include <net/net_namespace.h>
22#include <net/sock.h>
23
24static LIST_HEAD(nf_tables_expressions);
25
26
27
28
29
30
31
32
33
34int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
35{
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
40 return 0;
41}
42EXPORT_SYMBOL_GPL(nft_register_afinfo);
43
44
45
46
47
48
49
50
51void nft_unregister_afinfo(struct nft_af_info *afi)
52{
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
54 list_del(&afi->list);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
56}
57EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
58
59static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
60{
61 struct nft_af_info *afi;
62
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
65 return afi;
66 }
67 return NULL;
68}
69
70static struct nft_af_info *
71nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
72{
73 struct nft_af_info *afi;
74
75 afi = nft_afinfo_lookup(net, family);
76 if (afi != NULL)
77 return afi;
78#ifdef CONFIG_MODULES
79 if (autoload) {
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
84 if (afi != NULL)
85 return ERR_PTR(-EAGAIN);
86 }
87#endif
88 return ERR_PTR(-EAFNOSUPPORT);
89}
90
91
92
93
94
95static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
96 const struct nlattr *nla)
97{
98 struct nft_table *table;
99
100 list_for_each_entry(table, &afi->tables, list) {
101 if (!nla_strcmp(nla, table->name))
102 return table;
103 }
104 return NULL;
105}
106
107static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
108 const struct nlattr *nla)
109{
110 struct nft_table *table;
111
112 if (nla == NULL)
113 return ERR_PTR(-EINVAL);
114
115 table = nft_table_lookup(afi, nla);
116 if (table != NULL)
117 return table;
118
119 return ERR_PTR(-ENOENT);
120}
121
122static inline u64 nf_tables_alloc_handle(struct nft_table *table)
123{
124 return ++table->hgenerator;
125}
126
127static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
128
129static const struct nf_chain_type *
130__nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
131{
132 int i;
133
134 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
135 if (chain_type[family][i] != NULL &&
136 !nla_strcmp(nla, chain_type[family][i]->name))
137 return chain_type[family][i];
138 }
139 return NULL;
140}
141
142static const struct nf_chain_type *
143nf_tables_chain_type_lookup(const struct nft_af_info *afi,
144 const struct nlattr *nla,
145 bool autoload)
146{
147 const struct nf_chain_type *type;
148
149 type = __nf_tables_chain_type_lookup(afi->family, nla);
150 if (type != NULL)
151 return type;
152#ifdef CONFIG_MODULES
153 if (autoload) {
154 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
155 request_module("nft-chain-%u-%*.s", afi->family,
156 nla_len(nla)-1, (const char *)nla_data(nla));
157 nfnl_lock(NFNL_SUBSYS_NFTABLES);
158 type = __nf_tables_chain_type_lookup(afi->family, nla);
159 if (type != NULL)
160 return ERR_PTR(-EAGAIN);
161 }
162#endif
163 return ERR_PTR(-ENOENT);
164}
165
166static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
167 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
168 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
169};
170
171static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
172 int event, u32 flags, int family,
173 const struct nft_table *table)
174{
175 struct nlmsghdr *nlh;
176 struct nfgenmsg *nfmsg;
177
178 event |= NFNL_SUBSYS_NFTABLES << 8;
179 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
180 if (nlh == NULL)
181 goto nla_put_failure;
182
183 nfmsg = nlmsg_data(nlh);
184 nfmsg->nfgen_family = family;
185 nfmsg->version = NFNETLINK_V0;
186 nfmsg->res_id = 0;
187
188 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
189 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
190 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
191 goto nla_put_failure;
192
193 return nlmsg_end(skb, nlh);
194
195nla_put_failure:
196 nlmsg_trim(skb, nlh);
197 return -1;
198}
199
200static int nf_tables_table_notify(const struct sk_buff *oskb,
201 const struct nlmsghdr *nlh,
202 const struct nft_table *table,
203 int event, int family)
204{
205 struct sk_buff *skb;
206 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
207 u32 seq = nlh ? nlh->nlmsg_seq : 0;
208 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
209 bool report;
210 int err;
211
212 report = nlh ? nlmsg_report(nlh) : false;
213 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
214 return 0;
215
216 err = -ENOBUFS;
217 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
218 if (skb == NULL)
219 goto err;
220
221 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
222 family, table);
223 if (err < 0) {
224 kfree_skb(skb);
225 goto err;
226 }
227
228 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
229 GFP_KERNEL);
230err:
231 if (err < 0)
232 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
233 return err;
234}
235
236static int nf_tables_dump_tables(struct sk_buff *skb,
237 struct netlink_callback *cb)
238{
239 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
240 const struct nft_af_info *afi;
241 const struct nft_table *table;
242 unsigned int idx = 0, s_idx = cb->args[0];
243 struct net *net = sock_net(skb->sk);
244 int family = nfmsg->nfgen_family;
245
246 list_for_each_entry(afi, &net->nft.af_info, list) {
247 if (family != NFPROTO_UNSPEC && family != afi->family)
248 continue;
249
250 list_for_each_entry(table, &afi->tables, list) {
251 if (idx < s_idx)
252 goto cont;
253 if (idx > s_idx)
254 memset(&cb->args[1], 0,
255 sizeof(cb->args) - sizeof(cb->args[0]));
256 if (nf_tables_fill_table_info(skb,
257 NETLINK_CB(cb->skb).portid,
258 cb->nlh->nlmsg_seq,
259 NFT_MSG_NEWTABLE,
260 NLM_F_MULTI,
261 afi->family, table) < 0)
262 goto done;
263cont:
264 idx++;
265 }
266 }
267done:
268 cb->args[0] = idx;
269 return skb->len;
270}
271
272static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
273 const struct nlmsghdr *nlh,
274 const struct nlattr * const nla[])
275{
276 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
277 const struct nft_af_info *afi;
278 const struct nft_table *table;
279 struct sk_buff *skb2;
280 struct net *net = sock_net(skb->sk);
281 int family = nfmsg->nfgen_family;
282 int err;
283
284 if (nlh->nlmsg_flags & NLM_F_DUMP) {
285 struct netlink_dump_control c = {
286 .dump = nf_tables_dump_tables,
287 };
288 return netlink_dump_start(nlsk, skb, nlh, &c);
289 }
290
291 afi = nf_tables_afinfo_lookup(net, family, false);
292 if (IS_ERR(afi))
293 return PTR_ERR(afi);
294
295 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
296 if (IS_ERR(table))
297 return PTR_ERR(table);
298
299 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
300 if (!skb2)
301 return -ENOMEM;
302
303 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
304 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
305 family, table);
306 if (err < 0)
307 goto err;
308
309 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
310
311err:
312 kfree_skb(skb2);
313 return err;
314}
315
316static int nf_tables_table_enable(const struct nft_af_info *afi,
317 struct nft_table *table)
318{
319 struct nft_chain *chain;
320 int err, i = 0;
321
322 list_for_each_entry(chain, &table->chains, list) {
323 if (!(chain->flags & NFT_BASE_CHAIN))
324 continue;
325
326 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
327 if (err < 0)
328 goto err;
329
330 i++;
331 }
332 return 0;
333err:
334 list_for_each_entry(chain, &table->chains, list) {
335 if (!(chain->flags & NFT_BASE_CHAIN))
336 continue;
337
338 if (i-- <= 0)
339 break;
340
341 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
342 }
343 return err;
344}
345
346static int nf_tables_table_disable(const struct nft_af_info *afi,
347 struct nft_table *table)
348{
349 struct nft_chain *chain;
350
351 list_for_each_entry(chain, &table->chains, list) {
352 if (chain->flags & NFT_BASE_CHAIN)
353 nf_unregister_hooks(nft_base_chain(chain)->ops,
354 afi->nops);
355 }
356
357 return 0;
358}
359
360static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
361 const struct nlmsghdr *nlh,
362 const struct nlattr * const nla[],
363 struct nft_af_info *afi, struct nft_table *table)
364{
365 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
366 int family = nfmsg->nfgen_family, ret = 0;
367
368 if (nla[NFTA_TABLE_FLAGS]) {
369 u32 flags;
370
371 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
372 if (flags & ~NFT_TABLE_F_DORMANT)
373 return -EINVAL;
374
375 if ((flags & NFT_TABLE_F_DORMANT) &&
376 !(table->flags & NFT_TABLE_F_DORMANT)) {
377 ret = nf_tables_table_disable(afi, table);
378 if (ret >= 0)
379 table->flags |= NFT_TABLE_F_DORMANT;
380 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
381 table->flags & NFT_TABLE_F_DORMANT) {
382 ret = nf_tables_table_enable(afi, table);
383 if (ret >= 0)
384 table->flags &= ~NFT_TABLE_F_DORMANT;
385 }
386 if (ret < 0)
387 goto err;
388 }
389
390 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
391err:
392 return ret;
393}
394
395static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
396 const struct nlmsghdr *nlh,
397 const struct nlattr * const nla[])
398{
399 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
400 const struct nlattr *name;
401 struct nft_af_info *afi;
402 struct nft_table *table;
403 struct net *net = sock_net(skb->sk);
404 int family = nfmsg->nfgen_family;
405 u32 flags = 0;
406
407 afi = nf_tables_afinfo_lookup(net, family, true);
408 if (IS_ERR(afi))
409 return PTR_ERR(afi);
410
411 name = nla[NFTA_TABLE_NAME];
412 table = nf_tables_table_lookup(afi, name);
413 if (IS_ERR(table)) {
414 if (PTR_ERR(table) != -ENOENT)
415 return PTR_ERR(table);
416 table = NULL;
417 }
418
419 if (table != NULL) {
420 if (nlh->nlmsg_flags & NLM_F_EXCL)
421 return -EEXIST;
422 if (nlh->nlmsg_flags & NLM_F_REPLACE)
423 return -EOPNOTSUPP;
424 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
425 }
426
427 if (nla[NFTA_TABLE_FLAGS]) {
428 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
429 if (flags & ~NFT_TABLE_F_DORMANT)
430 return -EINVAL;
431 }
432
433 if (!try_module_get(afi->owner))
434 return -EAFNOSUPPORT;
435
436 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
437 if (table == NULL) {
438 module_put(afi->owner);
439 return -ENOMEM;
440 }
441
442 nla_strlcpy(table->name, name, nla_len(name));
443 INIT_LIST_HEAD(&table->chains);
444 INIT_LIST_HEAD(&table->sets);
445 table->flags = flags;
446
447 list_add_tail(&table->list, &afi->tables);
448 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
449 return 0;
450}
451
452static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
453 const struct nlmsghdr *nlh,
454 const struct nlattr * const nla[])
455{
456 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
457 struct nft_af_info *afi;
458 struct nft_table *table;
459 struct net *net = sock_net(skb->sk);
460 int family = nfmsg->nfgen_family;
461
462 afi = nf_tables_afinfo_lookup(net, family, false);
463 if (IS_ERR(afi))
464 return PTR_ERR(afi);
465
466 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
467 if (IS_ERR(table))
468 return PTR_ERR(table);
469
470 if (!list_empty(&table->chains) || !list_empty(&table->sets))
471 return -EBUSY;
472
473 list_del(&table->list);
474 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
475 kfree(table);
476 module_put(afi->owner);
477 return 0;
478}
479
480int nft_register_chain_type(const struct nf_chain_type *ctype)
481{
482 int err = 0;
483
484 nfnl_lock(NFNL_SUBSYS_NFTABLES);
485 if (chain_type[ctype->family][ctype->type] != NULL) {
486 err = -EBUSY;
487 goto out;
488 }
489 chain_type[ctype->family][ctype->type] = ctype;
490out:
491 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
492 return err;
493}
494EXPORT_SYMBOL_GPL(nft_register_chain_type);
495
496void nft_unregister_chain_type(const struct nf_chain_type *ctype)
497{
498 nfnl_lock(NFNL_SUBSYS_NFTABLES);
499 chain_type[ctype->family][ctype->type] = NULL;
500 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
501}
502EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
503
504
505
506
507
508static struct nft_chain *
509nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
510{
511 struct nft_chain *chain;
512
513 list_for_each_entry(chain, &table->chains, list) {
514 if (chain->handle == handle)
515 return chain;
516 }
517
518 return ERR_PTR(-ENOENT);
519}
520
521static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
522 const struct nlattr *nla)
523{
524 struct nft_chain *chain;
525
526 if (nla == NULL)
527 return ERR_PTR(-EINVAL);
528
529 list_for_each_entry(chain, &table->chains, list) {
530 if (!nla_strcmp(nla, chain->name))
531 return chain;
532 }
533
534 return ERR_PTR(-ENOENT);
535}
536
537static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
538 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
539 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
540 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
541 .len = NFT_CHAIN_MAXNAMELEN - 1 },
542 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
543 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
544 [NFTA_CHAIN_TYPE] = { .type = NLA_NUL_STRING },
545 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
546};
547
548static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
549 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
550 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
551};
552
553static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
554{
555 struct nft_stats *cpu_stats, total;
556 struct nlattr *nest;
557 int cpu;
558
559 memset(&total, 0, sizeof(total));
560 for_each_possible_cpu(cpu) {
561 cpu_stats = per_cpu_ptr(stats, cpu);
562 total.pkts += cpu_stats->pkts;
563 total.bytes += cpu_stats->bytes;
564 }
565 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
566 if (nest == NULL)
567 goto nla_put_failure;
568
569 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
570 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
571 goto nla_put_failure;
572
573 nla_nest_end(skb, nest);
574 return 0;
575
576nla_put_failure:
577 return -ENOSPC;
578}
579
580static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
581 int event, u32 flags, int family,
582 const struct nft_table *table,
583 const struct nft_chain *chain)
584{
585 struct nlmsghdr *nlh;
586 struct nfgenmsg *nfmsg;
587
588 event |= NFNL_SUBSYS_NFTABLES << 8;
589 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
590 if (nlh == NULL)
591 goto nla_put_failure;
592
593 nfmsg = nlmsg_data(nlh);
594 nfmsg->nfgen_family = family;
595 nfmsg->version = NFNETLINK_V0;
596 nfmsg->res_id = 0;
597
598 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
599 goto nla_put_failure;
600 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
601 goto nla_put_failure;
602 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
603 goto nla_put_failure;
604
605 if (chain->flags & NFT_BASE_CHAIN) {
606 const struct nft_base_chain *basechain = nft_base_chain(chain);
607 const struct nf_hook_ops *ops = &basechain->ops[0];
608 struct nlattr *nest;
609
610 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
611 if (nest == NULL)
612 goto nla_put_failure;
613 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
614 goto nla_put_failure;
615 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
616 goto nla_put_failure;
617 nla_nest_end(skb, nest);
618
619 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
620 htonl(basechain->policy)))
621 goto nla_put_failure;
622
623 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
624 goto nla_put_failure;
625
626 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
627 goto nla_put_failure;
628 }
629
630 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
631 goto nla_put_failure;
632
633 return nlmsg_end(skb, nlh);
634
635nla_put_failure:
636 nlmsg_trim(skb, nlh);
637 return -1;
638}
639
640static int nf_tables_chain_notify(const struct sk_buff *oskb,
641 const struct nlmsghdr *nlh,
642 const struct nft_table *table,
643 const struct nft_chain *chain,
644 int event, int family)
645{
646 struct sk_buff *skb;
647 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
648 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
649 u32 seq = nlh ? nlh->nlmsg_seq : 0;
650 bool report;
651 int err;
652
653 report = nlh ? nlmsg_report(nlh) : false;
654 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
655 return 0;
656
657 err = -ENOBUFS;
658 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
659 if (skb == NULL)
660 goto err;
661
662 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
663 table, chain);
664 if (err < 0) {
665 kfree_skb(skb);
666 goto err;
667 }
668
669 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
670 GFP_KERNEL);
671err:
672 if (err < 0)
673 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
674 return err;
675}
676
677static int nf_tables_dump_chains(struct sk_buff *skb,
678 struct netlink_callback *cb)
679{
680 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
681 const struct nft_af_info *afi;
682 const struct nft_table *table;
683 const struct nft_chain *chain;
684 unsigned int idx = 0, s_idx = cb->args[0];
685 struct net *net = sock_net(skb->sk);
686 int family = nfmsg->nfgen_family;
687
688 list_for_each_entry(afi, &net->nft.af_info, list) {
689 if (family != NFPROTO_UNSPEC && family != afi->family)
690 continue;
691
692 list_for_each_entry(table, &afi->tables, list) {
693 list_for_each_entry(chain, &table->chains, list) {
694 if (idx < s_idx)
695 goto cont;
696 if (idx > s_idx)
697 memset(&cb->args[1], 0,
698 sizeof(cb->args) - sizeof(cb->args[0]));
699 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
700 cb->nlh->nlmsg_seq,
701 NFT_MSG_NEWCHAIN,
702 NLM_F_MULTI,
703 afi->family, table, chain) < 0)
704 goto done;
705cont:
706 idx++;
707 }
708 }
709 }
710done:
711 cb->args[0] = idx;
712 return skb->len;
713}
714
715
716static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
717 const struct nlmsghdr *nlh,
718 const struct nlattr * const nla[])
719{
720 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
721 const struct nft_af_info *afi;
722 const struct nft_table *table;
723 const struct nft_chain *chain;
724 struct sk_buff *skb2;
725 struct net *net = sock_net(skb->sk);
726 int family = nfmsg->nfgen_family;
727 int err;
728
729 if (nlh->nlmsg_flags & NLM_F_DUMP) {
730 struct netlink_dump_control c = {
731 .dump = nf_tables_dump_chains,
732 };
733 return netlink_dump_start(nlsk, skb, nlh, &c);
734 }
735
736 afi = nf_tables_afinfo_lookup(net, family, false);
737 if (IS_ERR(afi))
738 return PTR_ERR(afi);
739
740 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
741 if (IS_ERR(table))
742 return PTR_ERR(table);
743
744 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
745 if (IS_ERR(chain))
746 return PTR_ERR(chain);
747
748 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
749 if (!skb2)
750 return -ENOMEM;
751
752 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
753 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
754 family, table, chain);
755 if (err < 0)
756 goto err;
757
758 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
759
760err:
761 kfree_skb(skb2);
762 return err;
763}
764
765static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
766 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
767 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
768};
769
770static int
771nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
772{
773 struct nlattr *tb[NFTA_COUNTER_MAX+1];
774 struct nft_stats __percpu *newstats;
775 struct nft_stats *stats;
776 int err;
777
778 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
779 if (err < 0)
780 return err;
781
782 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
783 return -EINVAL;
784
785 newstats = alloc_percpu(struct nft_stats);
786 if (newstats == NULL)
787 return -ENOMEM;
788
789
790
791
792 stats = this_cpu_ptr(newstats);
793 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
794 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
795
796 if (chain->stats) {
797
798 struct nft_stats __percpu *oldstats =
799 rcu_dereference_protected(chain->stats, 1);
800
801 rcu_assign_pointer(chain->stats, newstats);
802 synchronize_rcu();
803 free_percpu(oldstats);
804 } else
805 rcu_assign_pointer(chain->stats, newstats);
806
807 return 0;
808}
809
810static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
811 const struct nlmsghdr *nlh,
812 const struct nlattr * const nla[])
813{
814 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
815 const struct nlattr * uninitialized_var(name);
816 const struct nft_af_info *afi;
817 struct nft_table *table;
818 struct nft_chain *chain;
819 struct nft_base_chain *basechain = NULL;
820 struct nlattr *ha[NFTA_HOOK_MAX + 1];
821 struct net *net = sock_net(skb->sk);
822 int family = nfmsg->nfgen_family;
823 u8 policy = NF_ACCEPT;
824 u64 handle = 0;
825 unsigned int i;
826 int err;
827 bool create;
828
829 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
830
831 afi = nf_tables_afinfo_lookup(net, family, true);
832 if (IS_ERR(afi))
833 return PTR_ERR(afi);
834
835 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
836 if (IS_ERR(table))
837 return PTR_ERR(table);
838
839 chain = NULL;
840 name = nla[NFTA_CHAIN_NAME];
841
842 if (nla[NFTA_CHAIN_HANDLE]) {
843 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
844 chain = nf_tables_chain_lookup_byhandle(table, handle);
845 if (IS_ERR(chain))
846 return PTR_ERR(chain);
847 } else {
848 chain = nf_tables_chain_lookup(table, name);
849 if (IS_ERR(chain)) {
850 if (PTR_ERR(chain) != -ENOENT)
851 return PTR_ERR(chain);
852 chain = NULL;
853 }
854 }
855
856 if (nla[NFTA_CHAIN_POLICY]) {
857 if ((chain != NULL &&
858 !(chain->flags & NFT_BASE_CHAIN)) ||
859 nla[NFTA_CHAIN_HOOK] == NULL)
860 return -EOPNOTSUPP;
861
862 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
863 switch (policy) {
864 case NF_DROP:
865 case NF_ACCEPT:
866 break;
867 default:
868 return -EINVAL;
869 }
870 }
871
872 if (chain != NULL) {
873 if (nlh->nlmsg_flags & NLM_F_EXCL)
874 return -EEXIST;
875 if (nlh->nlmsg_flags & NLM_F_REPLACE)
876 return -EOPNOTSUPP;
877
878 if (nla[NFTA_CHAIN_HANDLE] && name &&
879 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
880 return -EEXIST;
881
882 if (nla[NFTA_CHAIN_COUNTERS]) {
883 if (!(chain->flags & NFT_BASE_CHAIN))
884 return -EOPNOTSUPP;
885
886 err = nf_tables_counters(nft_base_chain(chain),
887 nla[NFTA_CHAIN_COUNTERS]);
888 if (err < 0)
889 return err;
890 }
891
892 if (nla[NFTA_CHAIN_POLICY])
893 nft_base_chain(chain)->policy = policy;
894
895 if (nla[NFTA_CHAIN_HANDLE] && name)
896 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
897
898 goto notify;
899 }
900
901 if (table->use == UINT_MAX)
902 return -EOVERFLOW;
903
904 if (nla[NFTA_CHAIN_HOOK]) {
905 const struct nf_chain_type *type;
906 struct nf_hook_ops *ops;
907 nf_hookfn *hookfn;
908 u32 hooknum, priority;
909
910 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
911 if (nla[NFTA_CHAIN_TYPE]) {
912 type = nf_tables_chain_type_lookup(afi,
913 nla[NFTA_CHAIN_TYPE],
914 create);
915 if (IS_ERR(type))
916 return PTR_ERR(type);
917 }
918
919 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
920 nft_hook_policy);
921 if (err < 0)
922 return err;
923 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
924 ha[NFTA_HOOK_PRIORITY] == NULL)
925 return -EINVAL;
926
927 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
928 if (hooknum >= afi->nhooks)
929 return -EINVAL;
930 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
931
932 if (!(type->hook_mask & (1 << hooknum)))
933 return -EOPNOTSUPP;
934 if (!try_module_get(type->owner))
935 return -ENOENT;
936 hookfn = type->hooks[hooknum];
937
938 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
939 if (basechain == NULL)
940 return -ENOMEM;
941
942 if (nla[NFTA_CHAIN_COUNTERS]) {
943 err = nf_tables_counters(basechain,
944 nla[NFTA_CHAIN_COUNTERS]);
945 if (err < 0) {
946 module_put(type->owner);
947 kfree(basechain);
948 return err;
949 }
950 } else {
951 struct nft_stats __percpu *newstats;
952
953 newstats = alloc_percpu(struct nft_stats);
954 if (newstats == NULL) {
955 module_put(type->owner);
956 kfree(basechain);
957 return -ENOMEM;
958 }
959 rcu_assign_pointer(basechain->stats, newstats);
960 }
961
962 basechain->type = type;
963 chain = &basechain->chain;
964
965 for (i = 0; i < afi->nops; i++) {
966 ops = &basechain->ops[i];
967 ops->pf = family;
968 ops->owner = afi->owner;
969 ops->hooknum = hooknum;
970 ops->priority = priority;
971 ops->priv = chain;
972 ops->hook = afi->hooks[ops->hooknum];
973 if (hookfn)
974 ops->hook = hookfn;
975 if (afi->hook_ops_init)
976 afi->hook_ops_init(ops, i);
977 }
978
979 chain->flags |= NFT_BASE_CHAIN;
980 basechain->policy = policy;
981 } else {
982 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
983 if (chain == NULL)
984 return -ENOMEM;
985 }
986
987 INIT_LIST_HEAD(&chain->rules);
988 chain->handle = nf_tables_alloc_handle(table);
989 chain->net = net;
990 chain->table = table;
991 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
992
993 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
994 chain->flags & NFT_BASE_CHAIN) {
995 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
996 if (err < 0) {
997 module_put(basechain->type->owner);
998 free_percpu(basechain->stats);
999 kfree(basechain);
1000 return err;
1001 }
1002 }
1003 list_add_tail(&chain->list, &table->chains);
1004 table->use++;
1005notify:
1006 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
1007 family);
1008 return 0;
1009}
1010
1011static void nf_tables_chain_destroy(struct nft_chain *chain)
1012{
1013 BUG_ON(chain->use > 0);
1014
1015 if (chain->flags & NFT_BASE_CHAIN) {
1016 module_put(nft_base_chain(chain)->type->owner);
1017 free_percpu(nft_base_chain(chain)->stats);
1018 kfree(nft_base_chain(chain));
1019 } else
1020 kfree(chain);
1021}
1022
1023static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1024 const struct nlmsghdr *nlh,
1025 const struct nlattr * const nla[])
1026{
1027 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1028 const struct nft_af_info *afi;
1029 struct nft_table *table;
1030 struct nft_chain *chain;
1031 struct net *net = sock_net(skb->sk);
1032 int family = nfmsg->nfgen_family;
1033
1034 afi = nf_tables_afinfo_lookup(net, family, false);
1035 if (IS_ERR(afi))
1036 return PTR_ERR(afi);
1037
1038 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1039 if (IS_ERR(table))
1040 return PTR_ERR(table);
1041
1042 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1043 if (IS_ERR(chain))
1044 return PTR_ERR(chain);
1045
1046 if (!list_empty(&chain->rules) || chain->use > 0)
1047 return -EBUSY;
1048
1049 list_del(&chain->list);
1050 table->use--;
1051
1052 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1053 chain->flags & NFT_BASE_CHAIN)
1054 nf_unregister_hooks(nft_base_chain(chain)->ops, afi->nops);
1055
1056 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1057 family);
1058
1059
1060 synchronize_rcu();
1061
1062 nf_tables_chain_destroy(chain);
1063 return 0;
1064}
1065
1066static void nft_ctx_init(struct nft_ctx *ctx,
1067 const struct sk_buff *skb,
1068 const struct nlmsghdr *nlh,
1069 const struct nft_af_info *afi,
1070 const struct nft_table *table,
1071 const struct nft_chain *chain,
1072 const struct nlattr * const *nla)
1073{
1074 ctx->net = sock_net(skb->sk);
1075 ctx->skb = skb;
1076 ctx->nlh = nlh;
1077 ctx->afi = afi;
1078 ctx->table = table;
1079 ctx->chain = chain;
1080 ctx->nla = nla;
1081}
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094int nft_register_expr(struct nft_expr_type *type)
1095{
1096 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1097 list_add_tail(&type->list, &nf_tables_expressions);
1098 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1099 return 0;
1100}
1101EXPORT_SYMBOL_GPL(nft_register_expr);
1102
1103
1104
1105
1106
1107
1108
1109void nft_unregister_expr(struct nft_expr_type *type)
1110{
1111 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1112 list_del(&type->list);
1113 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1114}
1115EXPORT_SYMBOL_GPL(nft_unregister_expr);
1116
1117static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1118 struct nlattr *nla)
1119{
1120 const struct nft_expr_type *type;
1121
1122 list_for_each_entry(type, &nf_tables_expressions, list) {
1123 if (!nla_strcmp(nla, type->name) &&
1124 (!type->family || type->family == family))
1125 return type;
1126 }
1127 return NULL;
1128}
1129
1130static const struct nft_expr_type *nft_expr_type_get(u8 family,
1131 struct nlattr *nla)
1132{
1133 const struct nft_expr_type *type;
1134
1135 if (nla == NULL)
1136 return ERR_PTR(-EINVAL);
1137
1138 type = __nft_expr_type_get(family, nla);
1139 if (type != NULL && try_module_get(type->owner))
1140 return type;
1141
1142#ifdef CONFIG_MODULES
1143 if (type == NULL) {
1144 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1145 request_module("nft-expr-%u-%.*s", family,
1146 nla_len(nla), (char *)nla_data(nla));
1147 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1148 if (__nft_expr_type_get(family, nla))
1149 return ERR_PTR(-EAGAIN);
1150
1151 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1152 request_module("nft-expr-%.*s",
1153 nla_len(nla), (char *)nla_data(nla));
1154 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1155 if (__nft_expr_type_get(family, nla))
1156 return ERR_PTR(-EAGAIN);
1157 }
1158#endif
1159 return ERR_PTR(-ENOENT);
1160}
1161
1162static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1163 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1164 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1165};
1166
1167static int nf_tables_fill_expr_info(struct sk_buff *skb,
1168 const struct nft_expr *expr)
1169{
1170 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1171 goto nla_put_failure;
1172
1173 if (expr->ops->dump) {
1174 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1175 if (data == NULL)
1176 goto nla_put_failure;
1177 if (expr->ops->dump(skb, expr) < 0)
1178 goto nla_put_failure;
1179 nla_nest_end(skb, data);
1180 }
1181
1182 return skb->len;
1183
1184nla_put_failure:
1185 return -1;
1186};
1187
1188struct nft_expr_info {
1189 const struct nft_expr_ops *ops;
1190 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1191};
1192
1193static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1194 const struct nlattr *nla,
1195 struct nft_expr_info *info)
1196{
1197 const struct nft_expr_type *type;
1198 const struct nft_expr_ops *ops;
1199 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1200 int err;
1201
1202 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1203 if (err < 0)
1204 return err;
1205
1206 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1207 if (IS_ERR(type))
1208 return PTR_ERR(type);
1209
1210 if (tb[NFTA_EXPR_DATA]) {
1211 err = nla_parse_nested(info->tb, type->maxattr,
1212 tb[NFTA_EXPR_DATA], type->policy);
1213 if (err < 0)
1214 goto err1;
1215 } else
1216 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1217
1218 if (type->select_ops != NULL) {
1219 ops = type->select_ops(ctx,
1220 (const struct nlattr * const *)info->tb);
1221 if (IS_ERR(ops)) {
1222 err = PTR_ERR(ops);
1223 goto err1;
1224 }
1225 } else
1226 ops = type->ops;
1227
1228 info->ops = ops;
1229 return 0;
1230
1231err1:
1232 module_put(type->owner);
1233 return err;
1234}
1235
1236static int nf_tables_newexpr(const struct nft_ctx *ctx,
1237 const struct nft_expr_info *info,
1238 struct nft_expr *expr)
1239{
1240 const struct nft_expr_ops *ops = info->ops;
1241 int err;
1242
1243 expr->ops = ops;
1244 if (ops->init) {
1245 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1246 if (err < 0)
1247 goto err1;
1248 }
1249
1250 return 0;
1251
1252err1:
1253 expr->ops = NULL;
1254 return err;
1255}
1256
1257static void nf_tables_expr_destroy(struct nft_expr *expr)
1258{
1259 if (expr->ops->destroy)
1260 expr->ops->destroy(expr);
1261 module_put(expr->ops->type->owner);
1262}
1263
1264
1265
1266
1267
1268static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1269 u64 handle)
1270{
1271 struct nft_rule *rule;
1272
1273
1274 list_for_each_entry(rule, &chain->rules, list) {
1275 if (handle == rule->handle)
1276 return rule;
1277 }
1278
1279 return ERR_PTR(-ENOENT);
1280}
1281
1282static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1283 const struct nlattr *nla)
1284{
1285 if (nla == NULL)
1286 return ERR_PTR(-EINVAL);
1287
1288 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1289}
1290
1291static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1292 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1293 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1294 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1295 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1296 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1297 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1298 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1299};
1300
1301static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1302 int event, u32 flags, int family,
1303 const struct nft_table *table,
1304 const struct nft_chain *chain,
1305 const struct nft_rule *rule)
1306{
1307 struct nlmsghdr *nlh;
1308 struct nfgenmsg *nfmsg;
1309 const struct nft_expr *expr, *next;
1310 struct nlattr *list;
1311 const struct nft_rule *prule;
1312 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1313
1314 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1315 flags);
1316 if (nlh == NULL)
1317 goto nla_put_failure;
1318
1319 nfmsg = nlmsg_data(nlh);
1320 nfmsg->nfgen_family = family;
1321 nfmsg->version = NFNETLINK_V0;
1322 nfmsg->res_id = 0;
1323
1324 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1325 goto nla_put_failure;
1326 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1327 goto nla_put_failure;
1328 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1329 goto nla_put_failure;
1330
1331 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1332 prule = list_entry(rule->list.prev, struct nft_rule, list);
1333 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1334 cpu_to_be64(prule->handle)))
1335 goto nla_put_failure;
1336 }
1337
1338 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1339 if (list == NULL)
1340 goto nla_put_failure;
1341 nft_rule_for_each_expr(expr, next, rule) {
1342 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1343 if (elem == NULL)
1344 goto nla_put_failure;
1345 if (nf_tables_fill_expr_info(skb, expr) < 0)
1346 goto nla_put_failure;
1347 nla_nest_end(skb, elem);
1348 }
1349 nla_nest_end(skb, list);
1350
1351 return nlmsg_end(skb, nlh);
1352
1353nla_put_failure:
1354 nlmsg_trim(skb, nlh);
1355 return -1;
1356}
1357
1358static int nf_tables_rule_notify(const struct sk_buff *oskb,
1359 const struct nlmsghdr *nlh,
1360 const struct nft_table *table,
1361 const struct nft_chain *chain,
1362 const struct nft_rule *rule,
1363 int event, u32 flags, int family)
1364{
1365 struct sk_buff *skb;
1366 u32 portid = NETLINK_CB(oskb).portid;
1367 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1368 u32 seq = nlh->nlmsg_seq;
1369 bool report;
1370 int err;
1371
1372 report = nlmsg_report(nlh);
1373 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1374 return 0;
1375
1376 err = -ENOBUFS;
1377 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1378 if (skb == NULL)
1379 goto err;
1380
1381 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1382 family, table, chain, rule);
1383 if (err < 0) {
1384 kfree_skb(skb);
1385 goto err;
1386 }
1387
1388 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1389 GFP_KERNEL);
1390err:
1391 if (err < 0)
1392 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1393 return err;
1394}
1395
1396static inline bool
1397nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1398{
1399 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1400}
1401
1402static inline int gencursor_next(struct net *net)
1403{
1404 return net->nft.gencursor+1 == 1 ? 1 : 0;
1405}
1406
1407static inline int
1408nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1409{
1410 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1411}
1412
1413static inline void
1414nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1415{
1416
1417 rule->genmask = (1 << net->nft.gencursor);
1418}
1419
1420static inline void
1421nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1422{
1423 rule->genmask = (1 << gencursor_next(net));
1424}
1425
1426static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1427{
1428 rule->genmask = 0;
1429}
1430
1431static int nf_tables_dump_rules(struct sk_buff *skb,
1432 struct netlink_callback *cb)
1433{
1434 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1435 const struct nft_af_info *afi;
1436 const struct nft_table *table;
1437 const struct nft_chain *chain;
1438 const struct nft_rule *rule;
1439 unsigned int idx = 0, s_idx = cb->args[0];
1440 struct net *net = sock_net(skb->sk);
1441 int family = nfmsg->nfgen_family;
1442 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1443 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1444
1445 list_for_each_entry(afi, &net->nft.af_info, list) {
1446 if (family != NFPROTO_UNSPEC && family != afi->family)
1447 continue;
1448
1449 list_for_each_entry(table, &afi->tables, list) {
1450 list_for_each_entry(chain, &table->chains, list) {
1451 list_for_each_entry(rule, &chain->rules, list) {
1452 if (!nft_rule_is_active(net, rule))
1453 goto cont;
1454 if (idx < s_idx)
1455 goto cont;
1456 if (idx > s_idx)
1457 memset(&cb->args[1], 0,
1458 sizeof(cb->args) - sizeof(cb->args[0]));
1459 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1460 cb->nlh->nlmsg_seq,
1461 NFT_MSG_NEWRULE,
1462 NLM_F_MULTI | NLM_F_APPEND,
1463 afi->family, table, chain, rule) < 0)
1464 goto done;
1465cont:
1466 idx++;
1467 }
1468 }
1469 }
1470 }
1471done:
1472
1473 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1474 return -EBUSY;
1475
1476 cb->args[0] = idx;
1477 return skb->len;
1478}
1479
1480static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1481 const struct nlmsghdr *nlh,
1482 const struct nlattr * const nla[])
1483{
1484 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1485 const struct nft_af_info *afi;
1486 const struct nft_table *table;
1487 const struct nft_chain *chain;
1488 const struct nft_rule *rule;
1489 struct sk_buff *skb2;
1490 struct net *net = sock_net(skb->sk);
1491 int family = nfmsg->nfgen_family;
1492 int err;
1493
1494 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1495 struct netlink_dump_control c = {
1496 .dump = nf_tables_dump_rules,
1497 };
1498 return netlink_dump_start(nlsk, skb, nlh, &c);
1499 }
1500
1501 afi = nf_tables_afinfo_lookup(net, family, false);
1502 if (IS_ERR(afi))
1503 return PTR_ERR(afi);
1504
1505 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1506 if (IS_ERR(table))
1507 return PTR_ERR(table);
1508
1509 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1510 if (IS_ERR(chain))
1511 return PTR_ERR(chain);
1512
1513 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1514 if (IS_ERR(rule))
1515 return PTR_ERR(rule);
1516
1517 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1518 if (!skb2)
1519 return -ENOMEM;
1520
1521 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1522 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1523 family, table, chain, rule);
1524 if (err < 0)
1525 goto err;
1526
1527 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1528
1529err:
1530 kfree_skb(skb2);
1531 return err;
1532}
1533
1534static void nf_tables_rule_destroy(struct nft_rule *rule)
1535{
1536 struct nft_expr *expr;
1537
1538
1539
1540
1541
1542 expr = nft_expr_first(rule);
1543 while (expr->ops && expr != nft_expr_last(rule)) {
1544 nf_tables_expr_destroy(expr);
1545 expr = nft_expr_next(expr);
1546 }
1547 kfree(rule);
1548}
1549
1550#define NFT_RULE_MAXEXPRS 128
1551
1552static struct nft_expr_info *info;
1553
1554static struct nft_rule_trans *
1555nf_tables_trans_add(struct nft_rule *rule, const struct nft_ctx *ctx)
1556{
1557 struct nft_rule_trans *rupd;
1558
1559 rupd = kmalloc(sizeof(struct nft_rule_trans), GFP_KERNEL);
1560 if (rupd == NULL)
1561 return NULL;
1562
1563 rupd->chain = ctx->chain;
1564 rupd->table = ctx->table;
1565 rupd->rule = rule;
1566 rupd->family = ctx->afi->family;
1567 rupd->nlh = ctx->nlh;
1568 list_add_tail(&rupd->list, &ctx->net->nft.commit_list);
1569
1570 return rupd;
1571}
1572
1573static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1574 const struct nlmsghdr *nlh,
1575 const struct nlattr * const nla[])
1576{
1577 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1578 const struct nft_af_info *afi;
1579 struct net *net = sock_net(skb->sk);
1580 struct nft_table *table;
1581 struct nft_chain *chain;
1582 struct nft_rule *rule, *old_rule = NULL;
1583 struct nft_rule_trans *repl = NULL;
1584 struct nft_expr *expr;
1585 struct nft_ctx ctx;
1586 struct nlattr *tmp;
1587 unsigned int size, i, n;
1588 int err, rem;
1589 bool create;
1590 u64 handle, pos_handle;
1591
1592 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1593
1594 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1595 if (IS_ERR(afi))
1596 return PTR_ERR(afi);
1597
1598 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1599 if (IS_ERR(table))
1600 return PTR_ERR(table);
1601
1602 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1603 if (IS_ERR(chain))
1604 return PTR_ERR(chain);
1605
1606 if (nla[NFTA_RULE_HANDLE]) {
1607 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1608 rule = __nf_tables_rule_lookup(chain, handle);
1609 if (IS_ERR(rule))
1610 return PTR_ERR(rule);
1611
1612 if (nlh->nlmsg_flags & NLM_F_EXCL)
1613 return -EEXIST;
1614 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1615 old_rule = rule;
1616 else
1617 return -EOPNOTSUPP;
1618 } else {
1619 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1620 return -EINVAL;
1621 handle = nf_tables_alloc_handle(table);
1622 }
1623
1624 if (nla[NFTA_RULE_POSITION]) {
1625 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1626 return -EOPNOTSUPP;
1627
1628 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1629 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1630 if (IS_ERR(old_rule))
1631 return PTR_ERR(old_rule);
1632 }
1633
1634 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1635
1636 n = 0;
1637 size = 0;
1638 if (nla[NFTA_RULE_EXPRESSIONS]) {
1639 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1640 err = -EINVAL;
1641 if (nla_type(tmp) != NFTA_LIST_ELEM)
1642 goto err1;
1643 if (n == NFT_RULE_MAXEXPRS)
1644 goto err1;
1645 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1646 if (err < 0)
1647 goto err1;
1648 size += info[n].ops->size;
1649 n++;
1650 }
1651 }
1652
1653 err = -ENOMEM;
1654 rule = kzalloc(sizeof(*rule) + size, GFP_KERNEL);
1655 if (rule == NULL)
1656 goto err1;
1657
1658 nft_rule_activate_next(net, rule);
1659
1660 rule->handle = handle;
1661 rule->dlen = size;
1662
1663 expr = nft_expr_first(rule);
1664 for (i = 0; i < n; i++) {
1665 err = nf_tables_newexpr(&ctx, &info[i], expr);
1666 if (err < 0)
1667 goto err2;
1668 info[i].ops = NULL;
1669 expr = nft_expr_next(expr);
1670 }
1671
1672 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1673 if (nft_rule_is_active_next(net, old_rule)) {
1674 repl = nf_tables_trans_add(old_rule, &ctx);
1675 if (repl == NULL) {
1676 err = -ENOMEM;
1677 goto err2;
1678 }
1679 nft_rule_disactivate_next(net, old_rule);
1680 list_add_tail(&rule->list, &old_rule->list);
1681 } else {
1682 err = -ENOENT;
1683 goto err2;
1684 }
1685 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1686 if (old_rule)
1687 list_add_rcu(&rule->list, &old_rule->list);
1688 else
1689 list_add_tail_rcu(&rule->list, &chain->rules);
1690 else {
1691 if (old_rule)
1692 list_add_tail_rcu(&rule->list, &old_rule->list);
1693 else
1694 list_add_rcu(&rule->list, &chain->rules);
1695 }
1696
1697 if (nf_tables_trans_add(rule, &ctx) == NULL) {
1698 err = -ENOMEM;
1699 goto err3;
1700 }
1701 return 0;
1702
1703err3:
1704 list_del_rcu(&rule->list);
1705 if (repl) {
1706 list_del_rcu(&repl->rule->list);
1707 list_del(&repl->list);
1708 nft_rule_clear(net, repl->rule);
1709 kfree(repl);
1710 }
1711err2:
1712 nf_tables_rule_destroy(rule);
1713err1:
1714 for (i = 0; i < n; i++) {
1715 if (info[i].ops != NULL)
1716 module_put(info[i].ops->type->owner);
1717 }
1718 return err;
1719}
1720
1721static int
1722nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1723{
1724
1725 if (nft_rule_is_active_next(ctx->net, rule)) {
1726 if (nf_tables_trans_add(rule, ctx) == NULL)
1727 return -ENOMEM;
1728 nft_rule_disactivate_next(ctx->net, rule);
1729 return 0;
1730 }
1731 return -ENOENT;
1732}
1733
1734static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1735{
1736 struct nft_rule *rule;
1737 int err;
1738
1739 list_for_each_entry(rule, &ctx->chain->rules, list) {
1740 err = nf_tables_delrule_one(ctx, rule);
1741 if (err < 0)
1742 return err;
1743 }
1744 return 0;
1745}
1746
1747static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1748 const struct nlmsghdr *nlh,
1749 const struct nlattr * const nla[])
1750{
1751 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1752 const struct nft_af_info *afi;
1753 struct net *net = sock_net(skb->sk);
1754 const struct nft_table *table;
1755 struct nft_chain *chain = NULL;
1756 struct nft_rule *rule;
1757 int family = nfmsg->nfgen_family, err = 0;
1758 struct nft_ctx ctx;
1759
1760 afi = nf_tables_afinfo_lookup(net, family, false);
1761 if (IS_ERR(afi))
1762 return PTR_ERR(afi);
1763
1764 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1765 if (IS_ERR(table))
1766 return PTR_ERR(table);
1767
1768 if (nla[NFTA_RULE_CHAIN]) {
1769 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1770 if (IS_ERR(chain))
1771 return PTR_ERR(chain);
1772 }
1773
1774 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1775
1776 if (chain) {
1777 if (nla[NFTA_RULE_HANDLE]) {
1778 rule = nf_tables_rule_lookup(chain,
1779 nla[NFTA_RULE_HANDLE]);
1780 if (IS_ERR(rule))
1781 return PTR_ERR(rule);
1782
1783 err = nf_tables_delrule_one(&ctx, rule);
1784 } else {
1785 err = nf_table_delrule_by_chain(&ctx);
1786 }
1787 } else {
1788 list_for_each_entry(chain, &table->chains, list) {
1789 ctx.chain = chain;
1790 err = nf_table_delrule_by_chain(&ctx);
1791 if (err < 0)
1792 break;
1793 }
1794 }
1795
1796 return err;
1797}
1798
1799static int nf_tables_commit(struct sk_buff *skb)
1800{
1801 struct net *net = sock_net(skb->sk);
1802 struct nft_rule_trans *rupd, *tmp;
1803
1804
1805 net->nft.genctr++;
1806
1807
1808 net->nft.gencursor = gencursor_next(net);
1809
1810
1811
1812
1813 synchronize_rcu();
1814
1815 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1816
1817
1818
1819
1820 if (nft_rule_is_active(net, rupd->rule)) {
1821 nft_rule_clear(net, rupd->rule);
1822 nf_tables_rule_notify(skb, rupd->nlh, rupd->table,
1823 rupd->chain, rupd->rule,
1824 NFT_MSG_NEWRULE, 0,
1825 rupd->family);
1826 list_del(&rupd->list);
1827 kfree(rupd);
1828 continue;
1829 }
1830
1831
1832 list_del_rcu(&rupd->rule->list);
1833 nf_tables_rule_notify(skb, rupd->nlh, rupd->table, rupd->chain,
1834 rupd->rule, NFT_MSG_DELRULE, 0,
1835 rupd->family);
1836 }
1837
1838
1839 synchronize_rcu();
1840
1841
1842 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1843 nf_tables_rule_destroy(rupd->rule);
1844 list_del(&rupd->list);
1845 kfree(rupd);
1846 }
1847
1848 return 0;
1849}
1850
1851static int nf_tables_abort(struct sk_buff *skb)
1852{
1853 struct net *net = sock_net(skb->sk);
1854 struct nft_rule_trans *rupd, *tmp;
1855
1856 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1857 if (!nft_rule_is_active_next(net, rupd->rule)) {
1858 nft_rule_clear(net, rupd->rule);
1859 list_del(&rupd->list);
1860 kfree(rupd);
1861 continue;
1862 }
1863
1864
1865 list_del_rcu(&rupd->rule->list);
1866 }
1867
1868
1869 synchronize_rcu();
1870
1871 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1872 nf_tables_rule_destroy(rupd->rule);
1873 list_del(&rupd->list);
1874 kfree(rupd);
1875 }
1876
1877 return 0;
1878}
1879
1880
1881
1882
1883
1884static LIST_HEAD(nf_tables_set_ops);
1885
1886int nft_register_set(struct nft_set_ops *ops)
1887{
1888 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1889 list_add_tail(&ops->list, &nf_tables_set_ops);
1890 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1891 return 0;
1892}
1893EXPORT_SYMBOL_GPL(nft_register_set);
1894
1895void nft_unregister_set(struct nft_set_ops *ops)
1896{
1897 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1898 list_del(&ops->list);
1899 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1900}
1901EXPORT_SYMBOL_GPL(nft_unregister_set);
1902
1903static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const nla[])
1904{
1905 const struct nft_set_ops *ops;
1906 u32 features;
1907
1908#ifdef CONFIG_MODULES
1909 if (list_empty(&nf_tables_set_ops)) {
1910 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1911 request_module("nft-set");
1912 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1913 if (!list_empty(&nf_tables_set_ops))
1914 return ERR_PTR(-EAGAIN);
1915 }
1916#endif
1917 features = 0;
1918 if (nla[NFTA_SET_FLAGS] != NULL) {
1919 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1920 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1921 }
1922
1923
1924 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1925 if ((ops->features & features) != features)
1926 continue;
1927 if (!try_module_get(ops->owner))
1928 continue;
1929 return ops;
1930 }
1931
1932 return ERR_PTR(-EOPNOTSUPP);
1933}
1934
1935static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1936 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1937 [NFTA_SET_NAME] = { .type = NLA_STRING },
1938 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1939 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1940 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1941 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1942 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1943};
1944
1945static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1946 const struct sk_buff *skb,
1947 const struct nlmsghdr *nlh,
1948 const struct nlattr * const nla[])
1949{
1950 struct net *net = sock_net(skb->sk);
1951 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1952 const struct nft_af_info *afi = NULL;
1953 const struct nft_table *table = NULL;
1954
1955 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
1956 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1957 if (IS_ERR(afi))
1958 return PTR_ERR(afi);
1959 }
1960
1961 if (nla[NFTA_SET_TABLE] != NULL) {
1962 if (afi == NULL)
1963 return -EAFNOSUPPORT;
1964
1965 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
1966 if (IS_ERR(table))
1967 return PTR_ERR(table);
1968 }
1969
1970 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
1971 return 0;
1972}
1973
1974struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1975 const struct nlattr *nla)
1976{
1977 struct nft_set *set;
1978
1979 if (nla == NULL)
1980 return ERR_PTR(-EINVAL);
1981
1982 list_for_each_entry(set, &table->sets, list) {
1983 if (!nla_strcmp(nla, set->name))
1984 return set;
1985 }
1986 return ERR_PTR(-ENOENT);
1987}
1988
1989static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
1990 const char *name)
1991{
1992 const struct nft_set *i;
1993 const char *p;
1994 unsigned long *inuse;
1995 unsigned int n = 0;
1996
1997 p = strnchr(name, IFNAMSIZ, '%');
1998 if (p != NULL) {
1999 if (p[1] != 'd' || strchr(p + 2, '%'))
2000 return -EINVAL;
2001
2002 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2003 if (inuse == NULL)
2004 return -ENOMEM;
2005
2006 list_for_each_entry(i, &ctx->table->sets, list) {
2007 int tmp;
2008
2009 if (!sscanf(i->name, name, &tmp))
2010 continue;
2011 if (tmp < 0 || tmp >= BITS_PER_BYTE * PAGE_SIZE)
2012 continue;
2013
2014 set_bit(tmp, inuse);
2015 }
2016
2017 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2018 free_page((unsigned long)inuse);
2019 }
2020
2021 snprintf(set->name, sizeof(set->name), name, n);
2022 list_for_each_entry(i, &ctx->table->sets, list) {
2023 if (!strcmp(set->name, i->name))
2024 return -ENFILE;
2025 }
2026 return 0;
2027}
2028
2029static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2030 const struct nft_set *set, u16 event, u16 flags)
2031{
2032 struct nfgenmsg *nfmsg;
2033 struct nlmsghdr *nlh;
2034 u32 portid = NETLINK_CB(ctx->skb).portid;
2035 u32 seq = ctx->nlh->nlmsg_seq;
2036
2037 event |= NFNL_SUBSYS_NFTABLES << 8;
2038 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2039 flags);
2040 if (nlh == NULL)
2041 goto nla_put_failure;
2042
2043 nfmsg = nlmsg_data(nlh);
2044 nfmsg->nfgen_family = ctx->afi->family;
2045 nfmsg->version = NFNETLINK_V0;
2046 nfmsg->res_id = 0;
2047
2048 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2049 goto nla_put_failure;
2050 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2051 goto nla_put_failure;
2052 if (set->flags != 0)
2053 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2054 goto nla_put_failure;
2055
2056 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2057 goto nla_put_failure;
2058 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2059 goto nla_put_failure;
2060 if (set->flags & NFT_SET_MAP) {
2061 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2062 goto nla_put_failure;
2063 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2064 goto nla_put_failure;
2065 }
2066
2067 return nlmsg_end(skb, nlh);
2068
2069nla_put_failure:
2070 nlmsg_trim(skb, nlh);
2071 return -1;
2072}
2073
2074static int nf_tables_set_notify(const struct nft_ctx *ctx,
2075 const struct nft_set *set,
2076 int event)
2077{
2078 struct sk_buff *skb;
2079 u32 portid = NETLINK_CB(ctx->skb).portid;
2080 bool report;
2081 int err;
2082
2083 report = nlmsg_report(ctx->nlh);
2084 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2085 return 0;
2086
2087 err = -ENOBUFS;
2088 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2089 if (skb == NULL)
2090 goto err;
2091
2092 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2093 if (err < 0) {
2094 kfree_skb(skb);
2095 goto err;
2096 }
2097
2098 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2099 GFP_KERNEL);
2100err:
2101 if (err < 0)
2102 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2103 return err;
2104}
2105
2106static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2107 struct netlink_callback *cb)
2108{
2109 const struct nft_set *set;
2110 unsigned int idx = 0, s_idx = cb->args[0];
2111
2112 if (cb->args[1])
2113 return skb->len;
2114
2115 list_for_each_entry(set, &ctx->table->sets, list) {
2116 if (idx < s_idx)
2117 goto cont;
2118 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2119 NLM_F_MULTI) < 0) {
2120 cb->args[0] = idx;
2121 goto done;
2122 }
2123cont:
2124 idx++;
2125 }
2126 cb->args[1] = 1;
2127done:
2128 return skb->len;
2129}
2130
2131static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2132 struct netlink_callback *cb)
2133{
2134 const struct nft_set *set;
2135 unsigned int idx, s_idx = cb->args[0];
2136 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2137
2138 if (cb->args[1])
2139 return skb->len;
2140
2141 list_for_each_entry(table, &ctx->afi->tables, list) {
2142 if (cur_table) {
2143 if (cur_table != table)
2144 continue;
2145
2146 cur_table = NULL;
2147 }
2148 ctx->table = table;
2149 idx = 0;
2150 list_for_each_entry(set, &ctx->table->sets, list) {
2151 if (idx < s_idx)
2152 goto cont;
2153 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2154 NLM_F_MULTI) < 0) {
2155 cb->args[0] = idx;
2156 cb->args[2] = (unsigned long) table;
2157 goto done;
2158 }
2159cont:
2160 idx++;
2161 }
2162 }
2163 cb->args[1] = 1;
2164done:
2165 return skb->len;
2166}
2167
2168static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2169 struct netlink_callback *cb)
2170{
2171 const struct nft_set *set;
2172 unsigned int idx, s_idx = cb->args[0];
2173 const struct nft_af_info *afi;
2174 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2175 struct net *net = sock_net(skb->sk);
2176 int cur_family = cb->args[3];
2177
2178 if (cb->args[1])
2179 return skb->len;
2180
2181 list_for_each_entry(afi, &net->nft.af_info, list) {
2182 if (cur_family) {
2183 if (afi->family != cur_family)
2184 continue;
2185
2186 cur_family = 0;
2187 }
2188
2189 list_for_each_entry(table, &afi->tables, list) {
2190 if (cur_table) {
2191 if (cur_table != table)
2192 continue;
2193
2194 cur_table = NULL;
2195 }
2196
2197 ctx->table = table;
2198 ctx->afi = afi;
2199 idx = 0;
2200 list_for_each_entry(set, &ctx->table->sets, list) {
2201 if (idx < s_idx)
2202 goto cont;
2203 if (nf_tables_fill_set(skb, ctx, set,
2204 NFT_MSG_NEWSET,
2205 NLM_F_MULTI) < 0) {
2206 cb->args[0] = idx;
2207 cb->args[2] = (unsigned long) table;
2208 cb->args[3] = afi->family;
2209 goto done;
2210 }
2211cont:
2212 idx++;
2213 }
2214 if (s_idx)
2215 s_idx = 0;
2216 }
2217 }
2218 cb->args[1] = 1;
2219done:
2220 return skb->len;
2221}
2222
2223static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2224{
2225 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2226 struct nlattr *nla[NFTA_SET_MAX + 1];
2227 struct nft_ctx ctx;
2228 int err, ret;
2229
2230 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2231 nft_set_policy);
2232 if (err < 0)
2233 return err;
2234
2235 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2236 if (err < 0)
2237 return err;
2238
2239 if (ctx.table == NULL) {
2240 if (ctx.afi == NULL)
2241 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2242 else
2243 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2244 } else
2245 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2246
2247 return ret;
2248}
2249
2250static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2251 const struct nlmsghdr *nlh,
2252 const struct nlattr * const nla[])
2253{
2254 const struct nft_set *set;
2255 struct nft_ctx ctx;
2256 struct sk_buff *skb2;
2257 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2258 int err;
2259
2260
2261 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2262 if (err < 0)
2263 return err;
2264
2265 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2266 struct netlink_dump_control c = {
2267 .dump = nf_tables_dump_sets,
2268 };
2269 return netlink_dump_start(nlsk, skb, nlh, &c);
2270 }
2271
2272
2273 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2274 return -EAFNOSUPPORT;
2275
2276 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2277 if (IS_ERR(set))
2278 return PTR_ERR(set);
2279
2280 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2281 if (skb2 == NULL)
2282 return -ENOMEM;
2283
2284 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2285 if (err < 0)
2286 goto err;
2287
2288 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2289
2290err:
2291 kfree_skb(skb2);
2292 return err;
2293}
2294
2295static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2296 const struct nlmsghdr *nlh,
2297 const struct nlattr * const nla[])
2298{
2299 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2300 const struct nft_set_ops *ops;
2301 const struct nft_af_info *afi;
2302 struct net *net = sock_net(skb->sk);
2303 struct nft_table *table;
2304 struct nft_set *set;
2305 struct nft_ctx ctx;
2306 char name[IFNAMSIZ];
2307 unsigned int size;
2308 bool create;
2309 u32 ktype, klen, dlen, dtype, flags;
2310 int err;
2311
2312 if (nla[NFTA_SET_TABLE] == NULL ||
2313 nla[NFTA_SET_NAME] == NULL ||
2314 nla[NFTA_SET_KEY_LEN] == NULL)
2315 return -EINVAL;
2316
2317 ktype = NFT_DATA_VALUE;
2318 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2319 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2320 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2321 return -EINVAL;
2322 }
2323
2324 klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2325 if (klen == 0 || klen > FIELD_SIZEOF(struct nft_data, data))
2326 return -EINVAL;
2327
2328 flags = 0;
2329 if (nla[NFTA_SET_FLAGS] != NULL) {
2330 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2331 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2332 NFT_SET_INTERVAL | NFT_SET_MAP))
2333 return -EINVAL;
2334 }
2335
2336 dtype = 0;
2337 dlen = 0;
2338 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2339 if (!(flags & NFT_SET_MAP))
2340 return -EINVAL;
2341
2342 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2343 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2344 dtype != NFT_DATA_VERDICT)
2345 return -EINVAL;
2346
2347 if (dtype != NFT_DATA_VERDICT) {
2348 if (nla[NFTA_SET_DATA_LEN] == NULL)
2349 return -EINVAL;
2350 dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2351 if (dlen == 0 ||
2352 dlen > FIELD_SIZEOF(struct nft_data, data))
2353 return -EINVAL;
2354 } else
2355 dlen = sizeof(struct nft_data);
2356 } else if (flags & NFT_SET_MAP)
2357 return -EINVAL;
2358
2359 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2360
2361 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2362 if (IS_ERR(afi))
2363 return PTR_ERR(afi);
2364
2365 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2366 if (IS_ERR(table))
2367 return PTR_ERR(table);
2368
2369 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2370
2371 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2372 if (IS_ERR(set)) {
2373 if (PTR_ERR(set) != -ENOENT)
2374 return PTR_ERR(set);
2375 set = NULL;
2376 }
2377
2378 if (set != NULL) {
2379 if (nlh->nlmsg_flags & NLM_F_EXCL)
2380 return -EEXIST;
2381 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2382 return -EOPNOTSUPP;
2383 return 0;
2384 }
2385
2386 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2387 return -ENOENT;
2388
2389 ops = nft_select_set_ops(nla);
2390 if (IS_ERR(ops))
2391 return PTR_ERR(ops);
2392
2393 size = 0;
2394 if (ops->privsize != NULL)
2395 size = ops->privsize(nla);
2396
2397 err = -ENOMEM;
2398 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2399 if (set == NULL)
2400 goto err1;
2401
2402 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2403 err = nf_tables_set_alloc_name(&ctx, set, name);
2404 if (err < 0)
2405 goto err2;
2406
2407 INIT_LIST_HEAD(&set->bindings);
2408 set->ops = ops;
2409 set->ktype = ktype;
2410 set->klen = klen;
2411 set->dtype = dtype;
2412 set->dlen = dlen;
2413 set->flags = flags;
2414
2415 err = ops->init(set, nla);
2416 if (err < 0)
2417 goto err2;
2418
2419 list_add_tail(&set->list, &table->sets);
2420 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2421 return 0;
2422
2423err2:
2424 kfree(set);
2425err1:
2426 module_put(ops->owner);
2427 return err;
2428}
2429
2430static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2431{
2432 list_del(&set->list);
2433 if (!(set->flags & NFT_SET_ANONYMOUS))
2434 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2435
2436 set->ops->destroy(set);
2437 module_put(set->ops->owner);
2438 kfree(set);
2439}
2440
2441static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2442 const struct nlmsghdr *nlh,
2443 const struct nlattr * const nla[])
2444{
2445 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2446 struct nft_set *set;
2447 struct nft_ctx ctx;
2448 int err;
2449
2450 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2451 return -EAFNOSUPPORT;
2452 if (nla[NFTA_SET_TABLE] == NULL)
2453 return -EINVAL;
2454
2455 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2456 if (err < 0)
2457 return err;
2458
2459 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2460 if (IS_ERR(set))
2461 return PTR_ERR(set);
2462 if (!list_empty(&set->bindings))
2463 return -EBUSY;
2464
2465 nf_tables_set_destroy(&ctx, set);
2466 return 0;
2467}
2468
2469static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2470 const struct nft_set *set,
2471 const struct nft_set_iter *iter,
2472 const struct nft_set_elem *elem)
2473{
2474 enum nft_registers dreg;
2475
2476 dreg = nft_type_to_reg(set->dtype);
2477 return nft_validate_data_load(ctx, dreg, &elem->data,
2478 set->dtype == NFT_DATA_VERDICT ?
2479 NFT_DATA_VERDICT : NFT_DATA_VALUE);
2480}
2481
2482int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2483 struct nft_set_binding *binding)
2484{
2485 struct nft_set_binding *i;
2486 struct nft_set_iter iter;
2487
2488 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2489 return -EBUSY;
2490
2491 if (set->flags & NFT_SET_MAP) {
2492
2493
2494
2495 list_for_each_entry(i, &set->bindings, list) {
2496 if (i->chain == binding->chain)
2497 goto bind;
2498 }
2499
2500 iter.skip = 0;
2501 iter.count = 0;
2502 iter.err = 0;
2503 iter.fn = nf_tables_bind_check_setelem;
2504
2505 set->ops->walk(ctx, set, &iter);
2506 if (iter.err < 0) {
2507
2508 if (set->flags & NFT_SET_ANONYMOUS)
2509 nf_tables_set_destroy(ctx, set);
2510
2511 return iter.err;
2512 }
2513 }
2514bind:
2515 binding->chain = ctx->chain;
2516 list_add_tail(&binding->list, &set->bindings);
2517 return 0;
2518}
2519
2520void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2521 struct nft_set_binding *binding)
2522{
2523 list_del(&binding->list);
2524
2525 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2526 nf_tables_set_destroy(ctx, set);
2527}
2528
2529
2530
2531
2532
2533static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2534 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2535 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2536 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2537};
2538
2539static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2540 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2541 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2542 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2543};
2544
2545static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2546 const struct sk_buff *skb,
2547 const struct nlmsghdr *nlh,
2548 const struct nlattr * const nla[])
2549{
2550 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2551 const struct nft_af_info *afi;
2552 const struct nft_table *table;
2553 struct net *net = sock_net(skb->sk);
2554
2555 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2556 if (IS_ERR(afi))
2557 return PTR_ERR(afi);
2558
2559 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2560 if (IS_ERR(table))
2561 return PTR_ERR(table);
2562
2563 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2564 return 0;
2565}
2566
2567static int nf_tables_fill_setelem(struct sk_buff *skb,
2568 const struct nft_set *set,
2569 const struct nft_set_elem *elem)
2570{
2571 unsigned char *b = skb_tail_pointer(skb);
2572 struct nlattr *nest;
2573
2574 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2575 if (nest == NULL)
2576 goto nla_put_failure;
2577
2578 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2579 set->klen) < 0)
2580 goto nla_put_failure;
2581
2582 if (set->flags & NFT_SET_MAP &&
2583 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2584 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2585 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2586 set->dlen) < 0)
2587 goto nla_put_failure;
2588
2589 if (elem->flags != 0)
2590 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2591 goto nla_put_failure;
2592
2593 nla_nest_end(skb, nest);
2594 return 0;
2595
2596nla_put_failure:
2597 nlmsg_trim(skb, b);
2598 return -EMSGSIZE;
2599}
2600
2601struct nft_set_dump_args {
2602 const struct netlink_callback *cb;
2603 struct nft_set_iter iter;
2604 struct sk_buff *skb;
2605};
2606
2607static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2608 const struct nft_set *set,
2609 const struct nft_set_iter *iter,
2610 const struct nft_set_elem *elem)
2611{
2612 struct nft_set_dump_args *args;
2613
2614 args = container_of(iter, struct nft_set_dump_args, iter);
2615 return nf_tables_fill_setelem(args->skb, set, elem);
2616}
2617
2618static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2619{
2620 const struct nft_set *set;
2621 struct nft_set_dump_args args;
2622 struct nft_ctx ctx;
2623 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2624 struct nfgenmsg *nfmsg;
2625 struct nlmsghdr *nlh;
2626 struct nlattr *nest;
2627 u32 portid, seq;
2628 int event, err;
2629
2630 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2631 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2632 if (err < 0)
2633 return err;
2634
2635 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2636 if (err < 0)
2637 return err;
2638
2639 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2640 if (IS_ERR(set))
2641 return PTR_ERR(set);
2642
2643 event = NFT_MSG_NEWSETELEM;
2644 event |= NFNL_SUBSYS_NFTABLES << 8;
2645 portid = NETLINK_CB(cb->skb).portid;
2646 seq = cb->nlh->nlmsg_seq;
2647
2648 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2649 NLM_F_MULTI);
2650 if (nlh == NULL)
2651 goto nla_put_failure;
2652
2653 nfmsg = nlmsg_data(nlh);
2654 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2655 nfmsg->version = NFNETLINK_V0;
2656 nfmsg->res_id = 0;
2657
2658 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2659 goto nla_put_failure;
2660 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2661 goto nla_put_failure;
2662
2663 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2664 if (nest == NULL)
2665 goto nla_put_failure;
2666
2667 args.cb = cb;
2668 args.skb = skb;
2669 args.iter.skip = cb->args[0];
2670 args.iter.count = 0;
2671 args.iter.err = 0;
2672 args.iter.fn = nf_tables_dump_setelem;
2673 set->ops->walk(&ctx, set, &args.iter);
2674
2675 nla_nest_end(skb, nest);
2676 nlmsg_end(skb, nlh);
2677
2678 if (args.iter.err && args.iter.err != -EMSGSIZE)
2679 return args.iter.err;
2680 if (args.iter.count == cb->args[0])
2681 return 0;
2682
2683 cb->args[0] = args.iter.count;
2684 return skb->len;
2685
2686nla_put_failure:
2687 return -ENOSPC;
2688}
2689
2690static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2691 const struct nlmsghdr *nlh,
2692 const struct nlattr * const nla[])
2693{
2694 const struct nft_set *set;
2695 struct nft_ctx ctx;
2696 int err;
2697
2698 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2699 if (err < 0)
2700 return err;
2701
2702 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2703 if (IS_ERR(set))
2704 return PTR_ERR(set);
2705
2706 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2707 struct netlink_dump_control c = {
2708 .dump = nf_tables_dump_set,
2709 };
2710 return netlink_dump_start(nlsk, skb, nlh, &c);
2711 }
2712 return -EOPNOTSUPP;
2713}
2714
2715static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2716 const struct nlattr *attr)
2717{
2718 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2719 struct nft_data_desc d1, d2;
2720 struct nft_set_elem elem;
2721 struct nft_set_binding *binding;
2722 enum nft_registers dreg;
2723 int err;
2724
2725 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2726 nft_set_elem_policy);
2727 if (err < 0)
2728 return err;
2729
2730 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2731 return -EINVAL;
2732
2733 elem.flags = 0;
2734 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2735 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2736 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2737 return -EINVAL;
2738 }
2739
2740 if (set->flags & NFT_SET_MAP) {
2741 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2742 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2743 return -EINVAL;
2744 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
2745 elem.flags & NFT_SET_ELEM_INTERVAL_END)
2746 return -EINVAL;
2747 } else {
2748 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2749 return -EINVAL;
2750 }
2751
2752 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2753 if (err < 0)
2754 goto err1;
2755 err = -EINVAL;
2756 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2757 goto err2;
2758
2759 err = -EEXIST;
2760 if (set->ops->get(set, &elem) == 0)
2761 goto err2;
2762
2763 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2764 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2765 if (err < 0)
2766 goto err2;
2767
2768 err = -EINVAL;
2769 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2770 goto err3;
2771
2772 dreg = nft_type_to_reg(set->dtype);
2773 list_for_each_entry(binding, &set->bindings, list) {
2774 struct nft_ctx bind_ctx = {
2775 .afi = ctx->afi,
2776 .table = ctx->table,
2777 .chain = binding->chain,
2778 };
2779
2780 err = nft_validate_data_load(&bind_ctx, dreg,
2781 &elem.data, d2.type);
2782 if (err < 0)
2783 goto err3;
2784 }
2785 }
2786
2787 err = set->ops->insert(set, &elem);
2788 if (err < 0)
2789 goto err3;
2790
2791 return 0;
2792
2793err3:
2794 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2795 nft_data_uninit(&elem.data, d2.type);
2796err2:
2797 nft_data_uninit(&elem.key, d1.type);
2798err1:
2799 return err;
2800}
2801
2802static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2803 const struct nlmsghdr *nlh,
2804 const struct nlattr * const nla[])
2805{
2806 const struct nlattr *attr;
2807 struct nft_set *set;
2808 struct nft_ctx ctx;
2809 int rem, err;
2810
2811 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2812 if (err < 0)
2813 return err;
2814
2815 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2816 if (IS_ERR(set))
2817 return PTR_ERR(set);
2818 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2819 return -EBUSY;
2820
2821 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2822 err = nft_add_set_elem(&ctx, set, attr);
2823 if (err < 0)
2824 return err;
2825 }
2826 return 0;
2827}
2828
2829static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2830 const struct nlattr *attr)
2831{
2832 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2833 struct nft_data_desc desc;
2834 struct nft_set_elem elem;
2835 int err;
2836
2837 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2838 nft_set_elem_policy);
2839 if (err < 0)
2840 goto err1;
2841
2842 err = -EINVAL;
2843 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2844 goto err1;
2845
2846 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2847 if (err < 0)
2848 goto err1;
2849
2850 err = -EINVAL;
2851 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2852 goto err2;
2853
2854 err = set->ops->get(set, &elem);
2855 if (err < 0)
2856 goto err2;
2857
2858 set->ops->remove(set, &elem);
2859
2860 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2861 if (set->flags & NFT_SET_MAP)
2862 nft_data_uninit(&elem.data, set->dtype);
2863
2864err2:
2865 nft_data_uninit(&elem.key, desc.type);
2866err1:
2867 return err;
2868}
2869
2870static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2871 const struct nlmsghdr *nlh,
2872 const struct nlattr * const nla[])
2873{
2874 const struct nlattr *attr;
2875 struct nft_set *set;
2876 struct nft_ctx ctx;
2877 int rem, err;
2878
2879 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2880 if (err < 0)
2881 return err;
2882
2883 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2884 if (IS_ERR(set))
2885 return PTR_ERR(set);
2886 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2887 return -EBUSY;
2888
2889 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2890 err = nft_del_setelem(&ctx, set, attr);
2891 if (err < 0)
2892 return err;
2893 }
2894 return 0;
2895}
2896
2897static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
2898 [NFT_MSG_NEWTABLE] = {
2899 .call = nf_tables_newtable,
2900 .attr_count = NFTA_TABLE_MAX,
2901 .policy = nft_table_policy,
2902 },
2903 [NFT_MSG_GETTABLE] = {
2904 .call = nf_tables_gettable,
2905 .attr_count = NFTA_TABLE_MAX,
2906 .policy = nft_table_policy,
2907 },
2908 [NFT_MSG_DELTABLE] = {
2909 .call = nf_tables_deltable,
2910 .attr_count = NFTA_TABLE_MAX,
2911 .policy = nft_table_policy,
2912 },
2913 [NFT_MSG_NEWCHAIN] = {
2914 .call = nf_tables_newchain,
2915 .attr_count = NFTA_CHAIN_MAX,
2916 .policy = nft_chain_policy,
2917 },
2918 [NFT_MSG_GETCHAIN] = {
2919 .call = nf_tables_getchain,
2920 .attr_count = NFTA_CHAIN_MAX,
2921 .policy = nft_chain_policy,
2922 },
2923 [NFT_MSG_DELCHAIN] = {
2924 .call = nf_tables_delchain,
2925 .attr_count = NFTA_CHAIN_MAX,
2926 .policy = nft_chain_policy,
2927 },
2928 [NFT_MSG_NEWRULE] = {
2929 .call_batch = nf_tables_newrule,
2930 .attr_count = NFTA_RULE_MAX,
2931 .policy = nft_rule_policy,
2932 },
2933 [NFT_MSG_GETRULE] = {
2934 .call = nf_tables_getrule,
2935 .attr_count = NFTA_RULE_MAX,
2936 .policy = nft_rule_policy,
2937 },
2938 [NFT_MSG_DELRULE] = {
2939 .call_batch = nf_tables_delrule,
2940 .attr_count = NFTA_RULE_MAX,
2941 .policy = nft_rule_policy,
2942 },
2943 [NFT_MSG_NEWSET] = {
2944 .call = nf_tables_newset,
2945 .attr_count = NFTA_SET_MAX,
2946 .policy = nft_set_policy,
2947 },
2948 [NFT_MSG_GETSET] = {
2949 .call = nf_tables_getset,
2950 .attr_count = NFTA_SET_MAX,
2951 .policy = nft_set_policy,
2952 },
2953 [NFT_MSG_DELSET] = {
2954 .call = nf_tables_delset,
2955 .attr_count = NFTA_SET_MAX,
2956 .policy = nft_set_policy,
2957 },
2958 [NFT_MSG_NEWSETELEM] = {
2959 .call = nf_tables_newsetelem,
2960 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2961 .policy = nft_set_elem_list_policy,
2962 },
2963 [NFT_MSG_GETSETELEM] = {
2964 .call = nf_tables_getsetelem,
2965 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2966 .policy = nft_set_elem_list_policy,
2967 },
2968 [NFT_MSG_DELSETELEM] = {
2969 .call = nf_tables_delsetelem,
2970 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2971 .policy = nft_set_elem_list_policy,
2972 },
2973};
2974
2975static const struct nfnetlink_subsystem nf_tables_subsys = {
2976 .name = "nf_tables",
2977 .subsys_id = NFNL_SUBSYS_NFTABLES,
2978 .cb_count = NFT_MSG_MAX,
2979 .cb = nf_tables_cb,
2980 .commit = nf_tables_commit,
2981 .abort = nf_tables_abort,
2982};
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993static int nf_tables_check_loops(const struct nft_ctx *ctx,
2994 const struct nft_chain *chain);
2995
2996static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
2997 const struct nft_set *set,
2998 const struct nft_set_iter *iter,
2999 const struct nft_set_elem *elem)
3000{
3001 if (elem->flags & NFT_SET_ELEM_INTERVAL_END)
3002 return 0;
3003
3004 switch (elem->data.verdict) {
3005 case NFT_JUMP:
3006 case NFT_GOTO:
3007 return nf_tables_check_loops(ctx, elem->data.chain);
3008 default:
3009 return 0;
3010 }
3011}
3012
3013static int nf_tables_check_loops(const struct nft_ctx *ctx,
3014 const struct nft_chain *chain)
3015{
3016 const struct nft_rule *rule;
3017 const struct nft_expr *expr, *last;
3018 const struct nft_set *set;
3019 struct nft_set_binding *binding;
3020 struct nft_set_iter iter;
3021
3022 if (ctx->chain == chain)
3023 return -ELOOP;
3024
3025 list_for_each_entry(rule, &chain->rules, list) {
3026 nft_rule_for_each_expr(expr, last, rule) {
3027 const struct nft_data *data = NULL;
3028 int err;
3029
3030 if (!expr->ops->validate)
3031 continue;
3032
3033 err = expr->ops->validate(ctx, expr, &data);
3034 if (err < 0)
3035 return err;
3036
3037 if (data == NULL)
3038 continue;
3039
3040 switch (data->verdict) {
3041 case NFT_JUMP:
3042 case NFT_GOTO:
3043 err = nf_tables_check_loops(ctx, data->chain);
3044 if (err < 0)
3045 return err;
3046 default:
3047 break;
3048 }
3049 }
3050 }
3051
3052 list_for_each_entry(set, &ctx->table->sets, list) {
3053 if (!(set->flags & NFT_SET_MAP) ||
3054 set->dtype != NFT_DATA_VERDICT)
3055 continue;
3056
3057 list_for_each_entry(binding, &set->bindings, list) {
3058 if (binding->chain != chain)
3059 continue;
3060
3061 iter.skip = 0;
3062 iter.count = 0;
3063 iter.err = 0;
3064 iter.fn = nf_tables_loop_check_setelem;
3065
3066 set->ops->walk(ctx, set, &iter);
3067 if (iter.err < 0)
3068 return iter.err;
3069 }
3070 }
3071
3072 return 0;
3073}
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083int nft_validate_input_register(enum nft_registers reg)
3084{
3085 if (reg <= NFT_REG_VERDICT)
3086 return -EINVAL;
3087 if (reg > NFT_REG_MAX)
3088 return -ERANGE;
3089 return 0;
3090}
3091EXPORT_SYMBOL_GPL(nft_validate_input_register);
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101int nft_validate_output_register(enum nft_registers reg)
3102{
3103 if (reg < NFT_REG_VERDICT)
3104 return -EINVAL;
3105 if (reg > NFT_REG_MAX)
3106 return -ERANGE;
3107 return 0;
3108}
3109EXPORT_SYMBOL_GPL(nft_validate_output_register);
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3125 const struct nft_data *data,
3126 enum nft_data_types type)
3127{
3128 int err;
3129
3130 switch (reg) {
3131 case NFT_REG_VERDICT:
3132 if (data == NULL || type != NFT_DATA_VERDICT)
3133 return -EINVAL;
3134
3135 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3136 err = nf_tables_check_loops(ctx, data->chain);
3137 if (err < 0)
3138 return err;
3139
3140 if (ctx->chain->level + 1 > data->chain->level) {
3141 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3142 return -EMLINK;
3143 data->chain->level = ctx->chain->level + 1;
3144 }
3145 }
3146
3147 return 0;
3148 default:
3149 if (data != NULL && type != NFT_DATA_VALUE)
3150 return -EINVAL;
3151 return 0;
3152 }
3153}
3154EXPORT_SYMBOL_GPL(nft_validate_data_load);
3155
3156static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3157 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3158 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3159 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3160};
3161
3162static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3163 struct nft_data_desc *desc, const struct nlattr *nla)
3164{
3165 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3166 struct nft_chain *chain;
3167 int err;
3168
3169 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3170 if (err < 0)
3171 return err;
3172
3173 if (!tb[NFTA_VERDICT_CODE])
3174 return -EINVAL;
3175 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3176
3177 switch (data->verdict) {
3178 case NF_ACCEPT:
3179 case NF_DROP:
3180 case NF_QUEUE:
3181 case NFT_CONTINUE:
3182 case NFT_BREAK:
3183 case NFT_RETURN:
3184 desc->len = sizeof(data->verdict);
3185 break;
3186 case NFT_JUMP:
3187 case NFT_GOTO:
3188 if (!tb[NFTA_VERDICT_CHAIN])
3189 return -EINVAL;
3190 chain = nf_tables_chain_lookup(ctx->table,
3191 tb[NFTA_VERDICT_CHAIN]);
3192 if (IS_ERR(chain))
3193 return PTR_ERR(chain);
3194 if (chain->flags & NFT_BASE_CHAIN)
3195 return -EOPNOTSUPP;
3196
3197 chain->use++;
3198 data->chain = chain;
3199 desc->len = sizeof(data);
3200 break;
3201 default:
3202 return -EINVAL;
3203 }
3204
3205 desc->type = NFT_DATA_VERDICT;
3206 return 0;
3207}
3208
3209static void nft_verdict_uninit(const struct nft_data *data)
3210{
3211 switch (data->verdict) {
3212 case NFT_JUMP:
3213 case NFT_GOTO:
3214 data->chain->use--;
3215 break;
3216 }
3217}
3218
3219static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3220{
3221 struct nlattr *nest;
3222
3223 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3224 if (!nest)
3225 goto nla_put_failure;
3226
3227 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3228 goto nla_put_failure;
3229
3230 switch (data->verdict) {
3231 case NFT_JUMP:
3232 case NFT_GOTO:
3233 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3234 goto nla_put_failure;
3235 }
3236 nla_nest_end(skb, nest);
3237 return 0;
3238
3239nla_put_failure:
3240 return -1;
3241}
3242
3243static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3244 struct nft_data_desc *desc, const struct nlattr *nla)
3245{
3246 unsigned int len;
3247
3248 len = nla_len(nla);
3249 if (len == 0)
3250 return -EINVAL;
3251 if (len > sizeof(data->data))
3252 return -EOVERFLOW;
3253
3254 nla_memcpy(data->data, nla, sizeof(data->data));
3255 desc->type = NFT_DATA_VALUE;
3256 desc->len = len;
3257 return 0;
3258}
3259
3260static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3261 unsigned int len)
3262{
3263 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3264}
3265
3266static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3267 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3268 .len = FIELD_SIZEOF(struct nft_data, data) },
3269 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3270};
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3287 struct nft_data_desc *desc, const struct nlattr *nla)
3288{
3289 struct nlattr *tb[NFTA_DATA_MAX + 1];
3290 int err;
3291
3292 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3293 if (err < 0)
3294 return err;
3295
3296 if (tb[NFTA_DATA_VALUE])
3297 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3298 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3299 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3300 return -EINVAL;
3301}
3302EXPORT_SYMBOL_GPL(nft_data_init);
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3314{
3315 switch (type) {
3316 case NFT_DATA_VALUE:
3317 return;
3318 case NFT_DATA_VERDICT:
3319 return nft_verdict_uninit(data);
3320 default:
3321 WARN_ON(1);
3322 }
3323}
3324EXPORT_SYMBOL_GPL(nft_data_uninit);
3325
3326int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3327 enum nft_data_types type, unsigned int len)
3328{
3329 struct nlattr *nest;
3330 int err;
3331
3332 nest = nla_nest_start(skb, attr);
3333 if (nest == NULL)
3334 return -1;
3335
3336 switch (type) {
3337 case NFT_DATA_VALUE:
3338 err = nft_value_dump(skb, data, len);
3339 break;
3340 case NFT_DATA_VERDICT:
3341 err = nft_verdict_dump(skb, data);
3342 break;
3343 default:
3344 err = -EINVAL;
3345 WARN_ON(1);
3346 }
3347
3348 nla_nest_end(skb, nest);
3349 return err;
3350}
3351EXPORT_SYMBOL_GPL(nft_data_dump);
3352
3353static int nf_tables_init_net(struct net *net)
3354{
3355 INIT_LIST_HEAD(&net->nft.af_info);
3356 INIT_LIST_HEAD(&net->nft.commit_list);
3357 return 0;
3358}
3359
3360static struct pernet_operations nf_tables_net_ops = {
3361 .init = nf_tables_init_net,
3362};
3363
3364static int __init nf_tables_module_init(void)
3365{
3366 int err;
3367
3368 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3369 GFP_KERNEL);
3370 if (info == NULL) {
3371 err = -ENOMEM;
3372 goto err1;
3373 }
3374
3375 err = nf_tables_core_module_init();
3376 if (err < 0)
3377 goto err2;
3378
3379 err = nfnetlink_subsys_register(&nf_tables_subsys);
3380 if (err < 0)
3381 goto err3;
3382
3383 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3384 return register_pernet_subsys(&nf_tables_net_ops);
3385err3:
3386 nf_tables_core_module_exit();
3387err2:
3388 kfree(info);
3389err1:
3390 return err;
3391}
3392
3393static void __exit nf_tables_module_exit(void)
3394{
3395 unregister_pernet_subsys(&nf_tables_net_ops);
3396 nfnetlink_subsys_unregister(&nf_tables_subsys);
3397 nf_tables_core_module_exit();
3398 kfree(info);
3399}
3400
3401module_init(nf_tables_module_init);
3402module_exit(nf_tables_module_exit);
3403
3404MODULE_LICENSE("GPL");
3405MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3406MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
3407
