1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/vmalloc.h>
17#include <linux/netfilter.h>
18#include <linux/netfilter/nfnetlink.h>
19#include <linux/netfilter/nf_tables.h>
20#include <net/netfilter/nf_tables_core.h>
21#include <net/netfilter/nf_tables.h>
22#include <net/net_namespace.h>
23#include <net/sock.h>
24
25static LIST_HEAD(nf_tables_expressions);
26static LIST_HEAD(nf_tables_objects);
27
28
29
30
31
32
33
34
35
36int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
37{
38 INIT_LIST_HEAD(&afi->tables);
39 nfnl_lock(NFNL_SUBSYS_NFTABLES);
40 list_add_tail_rcu(&afi->list, &net->nft.af_info);
41 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 return 0;
43}
44EXPORT_SYMBOL_GPL(nft_register_afinfo);
45
46static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
47
48
49
50
51
52
53
54
55void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
56{
57 nfnl_lock(NFNL_SUBSYS_NFTABLES);
58 __nft_release_afinfo(net, afi);
59 list_del_rcu(&afi->list);
60 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
61}
62EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
63
64static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
65{
66 struct nft_af_info *afi;
67
68 list_for_each_entry(afi, &net->nft.af_info, list) {
69 if (afi->family == family)
70 return afi;
71 }
72 return NULL;
73}
74
75static struct nft_af_info *
76nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
77{
78 struct nft_af_info *afi;
79
80 afi = nft_afinfo_lookup(net, family);
81 if (afi != NULL)
82 return afi;
83#ifdef CONFIG_MODULES
84 if (autoload) {
85 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
86 request_module("nft-afinfo-%u", family);
87 nfnl_lock(NFNL_SUBSYS_NFTABLES);
88 afi = nft_afinfo_lookup(net, family);
89 if (afi != NULL)
90 return ERR_PTR(-EAGAIN);
91 }
92#endif
93 return ERR_PTR(-EAFNOSUPPORT);
94}
95
96static void nft_ctx_init(struct nft_ctx *ctx,
97 struct net *net,
98 const struct sk_buff *skb,
99 const struct nlmsghdr *nlh,
100 struct nft_af_info *afi,
101 struct nft_table *table,
102 struct nft_chain *chain,
103 const struct nlattr * const *nla)
104{
105 ctx->net = net;
106 ctx->afi = afi;
107 ctx->table = table;
108 ctx->chain = chain;
109 ctx->nla = nla;
110 ctx->portid = NETLINK_CB(skb).portid;
111 ctx->report = nlmsg_report(nlh);
112 ctx->seq = nlh->nlmsg_seq;
113}
114
115static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
116 int msg_type, u32 size, gfp_t gfp)
117{
118 struct nft_trans *trans;
119
120 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
121 if (trans == NULL)
122 return NULL;
123
124 trans->msg_type = msg_type;
125 trans->ctx = *ctx;
126
127 return trans;
128}
129
130static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
131 int msg_type, u32 size)
132{
133 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
134}
135
136static void nft_trans_destroy(struct nft_trans *trans)
137{
138 list_del(&trans->list);
139 kfree(trans);
140}
141
142static int nf_tables_register_hooks(struct net *net,
143 const struct nft_table *table,
144 struct nft_chain *chain,
145 unsigned int hook_nops)
146{
147 if (table->flags & NFT_TABLE_F_DORMANT ||
148 !nft_is_base_chain(chain))
149 return 0;
150
151 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
152 hook_nops);
153}
154
155static void nf_tables_unregister_hooks(struct net *net,
156 const struct nft_table *table,
157 struct nft_chain *chain,
158 unsigned int hook_nops)
159{
160 if (table->flags & NFT_TABLE_F_DORMANT ||
161 !nft_is_base_chain(chain))
162 return;
163
164 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
165}
166
167static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
168{
169 struct nft_trans *trans;
170
171 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
172 if (trans == NULL)
173 return -ENOMEM;
174
175 if (msg_type == NFT_MSG_NEWTABLE)
176 nft_activate_next(ctx->net, ctx->table);
177
178 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
179 return 0;
180}
181
182static int nft_deltable(struct nft_ctx *ctx)
183{
184 int err;
185
186 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
187 if (err < 0)
188 return err;
189
190 nft_deactivate_next(ctx->net, ctx->table);
191 return err;
192}
193
194static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
195{
196 struct nft_trans *trans;
197
198 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
199 if (trans == NULL)
200 return -ENOMEM;
201
202 if (msg_type == NFT_MSG_NEWCHAIN)
203 nft_activate_next(ctx->net, ctx->chain);
204
205 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
206 return 0;
207}
208
209static int nft_delchain(struct nft_ctx *ctx)
210{
211 int err;
212
213 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
214 if (err < 0)
215 return err;
216
217 ctx->table->use--;
218 nft_deactivate_next(ctx->net, ctx->chain);
219
220 return err;
221}
222
223static int
224nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
225{
226
227 if (nft_is_active_next(ctx->net, rule)) {
228 nft_deactivate_next(ctx->net, rule);
229 ctx->chain->use--;
230 return 0;
231 }
232 return -ENOENT;
233}
234
235static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
236 struct nft_rule *rule)
237{
238 struct nft_trans *trans;
239
240 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
241 if (trans == NULL)
242 return NULL;
243
244 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
245 nft_trans_rule_id(trans) =
246 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
247 }
248 nft_trans_rule(trans) = rule;
249 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
250
251 return trans;
252}
253
254static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
255{
256 struct nft_trans *trans;
257 int err;
258
259 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
260 if (trans == NULL)
261 return -ENOMEM;
262
263 err = nf_tables_delrule_deactivate(ctx, rule);
264 if (err < 0) {
265 nft_trans_destroy(trans);
266 return err;
267 }
268
269 return 0;
270}
271
272static int nft_delrule_by_chain(struct nft_ctx *ctx)
273{
274 struct nft_rule *rule;
275 int err;
276
277 list_for_each_entry(rule, &ctx->chain->rules, list) {
278 err = nft_delrule(ctx, rule);
279 if (err < 0)
280 return err;
281 }
282 return 0;
283}
284
285static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
286 struct nft_set *set)
287{
288 struct nft_trans *trans;
289
290 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
291 if (trans == NULL)
292 return -ENOMEM;
293
294 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
295 nft_trans_set_id(trans) =
296 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
297 nft_activate_next(ctx->net, set);
298 }
299 nft_trans_set(trans) = set;
300 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
301
302 return 0;
303}
304
305static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
306{
307 int err;
308
309 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
310 if (err < 0)
311 return err;
312
313 nft_deactivate_next(ctx->net, set);
314 ctx->table->use--;
315
316 return err;
317}
318
319static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
320 struct nft_object *obj)
321{
322 struct nft_trans *trans;
323
324 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
325 if (trans == NULL)
326 return -ENOMEM;
327
328 if (msg_type == NFT_MSG_NEWOBJ)
329 nft_activate_next(ctx->net, obj);
330
331 nft_trans_obj(trans) = obj;
332 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
333
334 return 0;
335}
336
337static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
338{
339 int err;
340
341 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
342 if (err < 0)
343 return err;
344
345 nft_deactivate_next(ctx->net, obj);
346 ctx->table->use--;
347
348 return err;
349}
350
351
352
353
354
355static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
356 const struct nlattr *nla,
357 u8 genmask)
358{
359 struct nft_table *table;
360
361 list_for_each_entry(table, &afi->tables, list) {
362 if (!nla_strcmp(nla, table->name) &&
363 nft_active_genmask(table, genmask))
364 return table;
365 }
366 return NULL;
367}
368
369static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
370 const struct nlattr *nla,
371 u8 genmask)
372{
373 struct nft_table *table;
374
375 if (nla == NULL)
376 return ERR_PTR(-EINVAL);
377
378 table = nft_table_lookup(afi, nla, genmask);
379 if (table != NULL)
380 return table;
381
382 return ERR_PTR(-ENOENT);
383}
384
385static inline u64 nf_tables_alloc_handle(struct nft_table *table)
386{
387 return ++table->hgenerator;
388}
389
390static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
391
392static const struct nf_chain_type *
393__nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
394{
395 int i;
396
397 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
398 if (chain_type[family][i] != NULL &&
399 !nla_strcmp(nla, chain_type[family][i]->name))
400 return chain_type[family][i];
401 }
402 return NULL;
403}
404
405static const struct nf_chain_type *
406nf_tables_chain_type_lookup(const struct nft_af_info *afi,
407 const struct nlattr *nla,
408 bool autoload)
409{
410 const struct nf_chain_type *type;
411
412 type = __nf_tables_chain_type_lookup(afi->family, nla);
413 if (type != NULL)
414 return type;
415#ifdef CONFIG_MODULES
416 if (autoload) {
417 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
418 request_module("nft-chain-%u-%.*s", afi->family,
419 nla_len(nla), (const char *)nla_data(nla));
420 nfnl_lock(NFNL_SUBSYS_NFTABLES);
421 type = __nf_tables_chain_type_lookup(afi->family, nla);
422 if (type != NULL)
423 return ERR_PTR(-EAGAIN);
424 }
425#endif
426 return ERR_PTR(-ENOENT);
427}
428
429static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
430 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
431 .len = NFT_TABLE_MAXNAMELEN - 1 },
432 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
433};
434
435static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
436 u32 portid, u32 seq, int event, u32 flags,
437 int family, const struct nft_table *table)
438{
439 struct nlmsghdr *nlh;
440 struct nfgenmsg *nfmsg;
441
442 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
443 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
444 if (nlh == NULL)
445 goto nla_put_failure;
446
447 nfmsg = nlmsg_data(nlh);
448 nfmsg->nfgen_family = family;
449 nfmsg->version = NFNETLINK_V0;
450 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
451
452 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
453 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
454 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
455 goto nla_put_failure;
456
457 nlmsg_end(skb, nlh);
458 return 0;
459
460nla_put_failure:
461 nlmsg_trim(skb, nlh);
462 return -1;
463}
464
465static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
466{
467 struct sk_buff *skb;
468 int err;
469
470 if (!ctx->report &&
471 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
472 return;
473
474 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
475 if (skb == NULL)
476 goto err;
477
478 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
479 event, 0, ctx->afi->family, ctx->table);
480 if (err < 0) {
481 kfree_skb(skb);
482 goto err;
483 }
484
485 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
486 ctx->report, GFP_KERNEL);
487 return;
488err:
489 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
490}
491
492static int nf_tables_dump_tables(struct sk_buff *skb,
493 struct netlink_callback *cb)
494{
495 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
496 const struct nft_af_info *afi;
497 const struct nft_table *table;
498 unsigned int idx = 0, s_idx = cb->args[0];
499 struct net *net = sock_net(skb->sk);
500 int family = nfmsg->nfgen_family;
501
502 rcu_read_lock();
503 cb->seq = net->nft.base_seq;
504
505 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
506 if (family != NFPROTO_UNSPEC && family != afi->family)
507 continue;
508
509 list_for_each_entry_rcu(table, &afi->tables, list) {
510 if (idx < s_idx)
511 goto cont;
512 if (idx > s_idx)
513 memset(&cb->args[1], 0,
514 sizeof(cb->args) - sizeof(cb->args[0]));
515 if (!nft_is_active(net, table))
516 continue;
517 if (nf_tables_fill_table_info(skb, net,
518 NETLINK_CB(cb->skb).portid,
519 cb->nlh->nlmsg_seq,
520 NFT_MSG_NEWTABLE,
521 NLM_F_MULTI,
522 afi->family, table) < 0)
523 goto done;
524
525 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
526cont:
527 idx++;
528 }
529 }
530done:
531 rcu_read_unlock();
532 cb->args[0] = idx;
533 return skb->len;
534}
535
536static int nf_tables_gettable(struct net *net, struct sock *nlsk,
537 struct sk_buff *skb, const struct nlmsghdr *nlh,
538 const struct nlattr * const nla[],
539 struct netlink_ext_ack *extack)
540{
541 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
542 u8 genmask = nft_genmask_cur(net);
543 const struct nft_af_info *afi;
544 const struct nft_table *table;
545 struct sk_buff *skb2;
546 int family = nfmsg->nfgen_family;
547 int err;
548
549 if (nlh->nlmsg_flags & NLM_F_DUMP) {
550 struct netlink_dump_control c = {
551 .dump = nf_tables_dump_tables,
552 };
553 return netlink_dump_start(nlsk, skb, nlh, &c);
554 }
555
556 afi = nf_tables_afinfo_lookup(net, family, false);
557 if (IS_ERR(afi))
558 return PTR_ERR(afi);
559
560 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
561 if (IS_ERR(table))
562 return PTR_ERR(table);
563
564 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
565 if (!skb2)
566 return -ENOMEM;
567
568 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
569 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
570 family, table);
571 if (err < 0)
572 goto err;
573
574 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
575
576err:
577 kfree_skb(skb2);
578 return err;
579}
580
581static void _nf_tables_table_disable(struct net *net,
582 const struct nft_af_info *afi,
583 struct nft_table *table,
584 u32 cnt)
585{
586 struct nft_chain *chain;
587 u32 i = 0;
588
589 list_for_each_entry(chain, &table->chains, list) {
590 if (!nft_is_active_next(net, chain))
591 continue;
592 if (!nft_is_base_chain(chain))
593 continue;
594
595 if (cnt && i++ == cnt)
596 break;
597
598 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
599 afi->nops);
600 }
601}
602
603static int nf_tables_table_enable(struct net *net,
604 const struct nft_af_info *afi,
605 struct nft_table *table)
606{
607 struct nft_chain *chain;
608 int err, i = 0;
609
610 list_for_each_entry(chain, &table->chains, list) {
611 if (!nft_is_active_next(net, chain))
612 continue;
613 if (!nft_is_base_chain(chain))
614 continue;
615
616 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
617 afi->nops);
618 if (err < 0)
619 goto err;
620
621 i++;
622 }
623 return 0;
624err:
625 if (i)
626 _nf_tables_table_disable(net, afi, table, i);
627 return err;
628}
629
630static void nf_tables_table_disable(struct net *net,
631 const struct nft_af_info *afi,
632 struct nft_table *table)
633{
634 _nf_tables_table_disable(net, afi, table, 0);
635}
636
637static int nf_tables_updtable(struct nft_ctx *ctx)
638{
639 struct nft_trans *trans;
640 u32 flags;
641 int ret = 0;
642
643 if (!ctx->nla[NFTA_TABLE_FLAGS])
644 return 0;
645
646 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
647 if (flags & ~NFT_TABLE_F_DORMANT)
648 return -EINVAL;
649
650 if (flags == ctx->table->flags)
651 return 0;
652
653 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
654 sizeof(struct nft_trans_table));
655 if (trans == NULL)
656 return -ENOMEM;
657
658 if ((flags & NFT_TABLE_F_DORMANT) &&
659 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
660 nft_trans_table_enable(trans) = false;
661 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
662 ctx->table->flags & NFT_TABLE_F_DORMANT) {
663 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
664 if (ret >= 0) {
665 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
666 nft_trans_table_enable(trans) = true;
667 }
668 }
669 if (ret < 0)
670 goto err;
671
672 nft_trans_table_update(trans) = true;
673 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
674 return 0;
675err:
676 nft_trans_destroy(trans);
677 return ret;
678}
679
680static int nf_tables_newtable(struct net *net, struct sock *nlsk,
681 struct sk_buff *skb, const struct nlmsghdr *nlh,
682 const struct nlattr * const nla[],
683 struct netlink_ext_ack *extack)
684{
685 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
686 u8 genmask = nft_genmask_next(net);
687 const struct nlattr *name;
688 struct nft_af_info *afi;
689 struct nft_table *table;
690 int family = nfmsg->nfgen_family;
691 u32 flags = 0;
692 struct nft_ctx ctx;
693 int err;
694
695 afi = nf_tables_afinfo_lookup(net, family, true);
696 if (IS_ERR(afi))
697 return PTR_ERR(afi);
698
699 name = nla[NFTA_TABLE_NAME];
700 table = nf_tables_table_lookup(afi, name, genmask);
701 if (IS_ERR(table)) {
702 if (PTR_ERR(table) != -ENOENT)
703 return PTR_ERR(table);
704 } else {
705 if (nlh->nlmsg_flags & NLM_F_EXCL)
706 return -EEXIST;
707 if (nlh->nlmsg_flags & NLM_F_REPLACE)
708 return -EOPNOTSUPP;
709
710 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
711 return nf_tables_updtable(&ctx);
712 }
713
714 if (nla[NFTA_TABLE_FLAGS]) {
715 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
716 if (flags & ~NFT_TABLE_F_DORMANT)
717 return -EINVAL;
718 }
719
720 err = -EAFNOSUPPORT;
721 if (!try_module_get(afi->owner))
722 goto err1;
723
724 err = -ENOMEM;
725 table = kzalloc(sizeof(*table), GFP_KERNEL);
726 if (table == NULL)
727 goto err2;
728
729 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
730 INIT_LIST_HEAD(&table->chains);
731 INIT_LIST_HEAD(&table->sets);
732 INIT_LIST_HEAD(&table->objects);
733 table->flags = flags;
734
735 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
736 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
737 if (err < 0)
738 goto err3;
739
740 list_add_tail_rcu(&table->list, &afi->tables);
741 return 0;
742err3:
743 kfree(table);
744err2:
745 module_put(afi->owner);
746err1:
747 return err;
748}
749
750static int nft_flush_table(struct nft_ctx *ctx)
751{
752 int err;
753 struct nft_chain *chain, *nc;
754 struct nft_object *obj, *ne;
755 struct nft_set *set, *ns;
756
757 list_for_each_entry(chain, &ctx->table->chains, list) {
758 if (!nft_is_active_next(ctx->net, chain))
759 continue;
760
761 ctx->chain = chain;
762
763 err = nft_delrule_by_chain(ctx);
764 if (err < 0)
765 goto out;
766 }
767
768 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
769 if (!nft_is_active_next(ctx->net, set))
770 continue;
771
772 if (set->flags & NFT_SET_ANONYMOUS &&
773 !list_empty(&set->bindings))
774 continue;
775
776 err = nft_delset(ctx, set);
777 if (err < 0)
778 goto out;
779 }
780
781 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
782 err = nft_delobj(ctx, obj);
783 if (err < 0)
784 goto out;
785 }
786
787 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
788 if (!nft_is_active_next(ctx->net, chain))
789 continue;
790
791 ctx->chain = chain;
792
793 err = nft_delchain(ctx);
794 if (err < 0)
795 goto out;
796 }
797
798 err = nft_deltable(ctx);
799out:
800 return err;
801}
802
803static int nft_flush(struct nft_ctx *ctx, int family)
804{
805 struct nft_af_info *afi;
806 struct nft_table *table, *nt;
807 const struct nlattr * const *nla = ctx->nla;
808 int err = 0;
809
810 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
811 if (family != AF_UNSPEC && afi->family != family)
812 continue;
813
814 ctx->afi = afi;
815 list_for_each_entry_safe(table, nt, &afi->tables, list) {
816 if (!nft_is_active_next(ctx->net, table))
817 continue;
818
819 if (nla[NFTA_TABLE_NAME] &&
820 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
821 continue;
822
823 ctx->table = table;
824
825 err = nft_flush_table(ctx);
826 if (err < 0)
827 goto out;
828 }
829 }
830out:
831 return err;
832}
833
834static int nf_tables_deltable(struct net *net, struct sock *nlsk,
835 struct sk_buff *skb, const struct nlmsghdr *nlh,
836 const struct nlattr * const nla[],
837 struct netlink_ext_ack *extack)
838{
839 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
840 u8 genmask = nft_genmask_next(net);
841 struct nft_af_info *afi;
842 struct nft_table *table;
843 int family = nfmsg->nfgen_family;
844 struct nft_ctx ctx;
845
846 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
847 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
848 return nft_flush(&ctx, family);
849
850 afi = nf_tables_afinfo_lookup(net, family, false);
851 if (IS_ERR(afi))
852 return PTR_ERR(afi);
853
854 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
855 if (IS_ERR(table))
856 return PTR_ERR(table);
857
858 ctx.afi = afi;
859 ctx.table = table;
860
861 return nft_flush_table(&ctx);
862}
863
864static void nf_tables_table_destroy(struct nft_ctx *ctx)
865{
866 BUG_ON(ctx->table->use > 0);
867
868 kfree(ctx->table);
869 module_put(ctx->afi->owner);
870}
871
872int nft_register_chain_type(const struct nf_chain_type *ctype)
873{
874 int err = 0;
875
876 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
877 return -EINVAL;
878
879 nfnl_lock(NFNL_SUBSYS_NFTABLES);
880 if (chain_type[ctype->family][ctype->type] != NULL) {
881 err = -EBUSY;
882 goto out;
883 }
884 chain_type[ctype->family][ctype->type] = ctype;
885out:
886 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
887 return err;
888}
889EXPORT_SYMBOL_GPL(nft_register_chain_type);
890
891void nft_unregister_chain_type(const struct nf_chain_type *ctype)
892{
893 nfnl_lock(NFNL_SUBSYS_NFTABLES);
894 chain_type[ctype->family][ctype->type] = NULL;
895 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
896}
897EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
898
899
900
901
902
903static struct nft_chain *
904nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
905 u8 genmask)
906{
907 struct nft_chain *chain;
908
909 list_for_each_entry(chain, &table->chains, list) {
910 if (chain->handle == handle &&
911 nft_active_genmask(chain, genmask))
912 return chain;
913 }
914
915 return ERR_PTR(-ENOENT);
916}
917
918static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
919 const struct nlattr *nla,
920 u8 genmask)
921{
922 struct nft_chain *chain;
923
924 if (nla == NULL)
925 return ERR_PTR(-EINVAL);
926
927 list_for_each_entry(chain, &table->chains, list) {
928 if (!nla_strcmp(nla, chain->name) &&
929 nft_active_genmask(chain, genmask))
930 return chain;
931 }
932
933 return ERR_PTR(-ENOENT);
934}
935
936static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
937 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
938 .len = NFT_TABLE_MAXNAMELEN - 1 },
939 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
940 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
941 .len = NFT_CHAIN_MAXNAMELEN - 1 },
942 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
943 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
944 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
945 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
946};
947
948static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
949 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
950 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
951 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
952 .len = IFNAMSIZ - 1 },
953};
954
955static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
956{
957 struct nft_stats *cpu_stats, total;
958 struct nlattr *nest;
959 unsigned int seq;
960 u64 pkts, bytes;
961 int cpu;
962
963 memset(&total, 0, sizeof(total));
964 for_each_possible_cpu(cpu) {
965 cpu_stats = per_cpu_ptr(stats, cpu);
966 do {
967 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
968 pkts = cpu_stats->pkts;
969 bytes = cpu_stats->bytes;
970 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
971 total.pkts += pkts;
972 total.bytes += bytes;
973 }
974 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
975 if (nest == NULL)
976 goto nla_put_failure;
977
978 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
979 NFTA_COUNTER_PAD) ||
980 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
981 NFTA_COUNTER_PAD))
982 goto nla_put_failure;
983
984 nla_nest_end(skb, nest);
985 return 0;
986
987nla_put_failure:
988 return -ENOSPC;
989}
990
991static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
992 u32 portid, u32 seq, int event, u32 flags,
993 int family, const struct nft_table *table,
994 const struct nft_chain *chain)
995{
996 struct nlmsghdr *nlh;
997 struct nfgenmsg *nfmsg;
998
999 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1000 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1001 if (nlh == NULL)
1002 goto nla_put_failure;
1003
1004 nfmsg = nlmsg_data(nlh);
1005 nfmsg->nfgen_family = family;
1006 nfmsg->version = NFNETLINK_V0;
1007 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1008
1009 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1010 goto nla_put_failure;
1011 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1012 NFTA_CHAIN_PAD))
1013 goto nla_put_failure;
1014 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1015 goto nla_put_failure;
1016
1017 if (nft_is_base_chain(chain)) {
1018 const struct nft_base_chain *basechain = nft_base_chain(chain);
1019 const struct nf_hook_ops *ops = &basechain->ops[0];
1020 struct nlattr *nest;
1021
1022 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1023 if (nest == NULL)
1024 goto nla_put_failure;
1025 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1026 goto nla_put_failure;
1027 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1028 goto nla_put_failure;
1029 if (basechain->dev_name[0] &&
1030 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1031 goto nla_put_failure;
1032 nla_nest_end(skb, nest);
1033
1034 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1035 htonl(basechain->policy)))
1036 goto nla_put_failure;
1037
1038 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1039 goto nla_put_failure;
1040
1041 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
1042 goto nla_put_failure;
1043 }
1044
1045 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1046 goto nla_put_failure;
1047
1048 nlmsg_end(skb, nlh);
1049 return 0;
1050
1051nla_put_failure:
1052 nlmsg_trim(skb, nlh);
1053 return -1;
1054}
1055
1056static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1057{
1058 struct sk_buff *skb;
1059 int err;
1060
1061 if (!ctx->report &&
1062 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1063 return;
1064
1065 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1066 if (skb == NULL)
1067 goto err;
1068
1069 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1070 event, 0, ctx->afi->family, ctx->table,
1071 ctx->chain);
1072 if (err < 0) {
1073 kfree_skb(skb);
1074 goto err;
1075 }
1076
1077 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1078 ctx->report, GFP_KERNEL);
1079 return;
1080err:
1081 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1082}
1083
1084static int nf_tables_dump_chains(struct sk_buff *skb,
1085 struct netlink_callback *cb)
1086{
1087 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1088 const struct nft_af_info *afi;
1089 const struct nft_table *table;
1090 const struct nft_chain *chain;
1091 unsigned int idx = 0, s_idx = cb->args[0];
1092 struct net *net = sock_net(skb->sk);
1093 int family = nfmsg->nfgen_family;
1094
1095 rcu_read_lock();
1096 cb->seq = net->nft.base_seq;
1097
1098 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1099 if (family != NFPROTO_UNSPEC && family != afi->family)
1100 continue;
1101
1102 list_for_each_entry_rcu(table, &afi->tables, list) {
1103 list_for_each_entry_rcu(chain, &table->chains, list) {
1104 if (idx < s_idx)
1105 goto cont;
1106 if (idx > s_idx)
1107 memset(&cb->args[1], 0,
1108 sizeof(cb->args) - sizeof(cb->args[0]));
1109 if (!nft_is_active(net, chain))
1110 continue;
1111 if (nf_tables_fill_chain_info(skb, net,
1112 NETLINK_CB(cb->skb).portid,
1113 cb->nlh->nlmsg_seq,
1114 NFT_MSG_NEWCHAIN,
1115 NLM_F_MULTI,
1116 afi->family, table, chain) < 0)
1117 goto done;
1118
1119 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1120cont:
1121 idx++;
1122 }
1123 }
1124 }
1125done:
1126 rcu_read_unlock();
1127 cb->args[0] = idx;
1128 return skb->len;
1129}
1130
1131static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1132 struct sk_buff *skb, const struct nlmsghdr *nlh,
1133 const struct nlattr * const nla[],
1134 struct netlink_ext_ack *extack)
1135{
1136 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1137 u8 genmask = nft_genmask_cur(net);
1138 const struct nft_af_info *afi;
1139 const struct nft_table *table;
1140 const struct nft_chain *chain;
1141 struct sk_buff *skb2;
1142 int family = nfmsg->nfgen_family;
1143 int err;
1144
1145 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1146 struct netlink_dump_control c = {
1147 .dump = nf_tables_dump_chains,
1148 };
1149 return netlink_dump_start(nlsk, skb, nlh, &c);
1150 }
1151
1152 afi = nf_tables_afinfo_lookup(net, family, false);
1153 if (IS_ERR(afi))
1154 return PTR_ERR(afi);
1155
1156 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1157 if (IS_ERR(table))
1158 return PTR_ERR(table);
1159
1160 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1161 if (IS_ERR(chain))
1162 return PTR_ERR(chain);
1163
1164 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1165 if (!skb2)
1166 return -ENOMEM;
1167
1168 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1169 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1170 family, table, chain);
1171 if (err < 0)
1172 goto err;
1173
1174 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1175
1176err:
1177 kfree_skb(skb2);
1178 return err;
1179}
1180
1181static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1182 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1183 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1184};
1185
1186static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1187{
1188 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1189 struct nft_stats __percpu *newstats;
1190 struct nft_stats *stats;
1191 int err;
1192
1193 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1194 NULL);
1195 if (err < 0)
1196 return ERR_PTR(err);
1197
1198 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1199 return ERR_PTR(-EINVAL);
1200
1201 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1202 if (newstats == NULL)
1203 return ERR_PTR(-ENOMEM);
1204
1205
1206
1207
1208 preempt_disable();
1209 stats = this_cpu_ptr(newstats);
1210 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1211 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1212 preempt_enable();
1213
1214 return newstats;
1215}
1216
1217static void nft_chain_stats_replace(struct nft_base_chain *chain,
1218 struct nft_stats __percpu *newstats)
1219{
1220 if (newstats == NULL)
1221 return;
1222
1223 if (chain->stats) {
1224 struct nft_stats __percpu *oldstats =
1225 nft_dereference(chain->stats);
1226
1227 rcu_assign_pointer(chain->stats, newstats);
1228 synchronize_rcu();
1229 free_percpu(oldstats);
1230 } else
1231 rcu_assign_pointer(chain->stats, newstats);
1232}
1233
1234static void nf_tables_chain_destroy(struct nft_chain *chain)
1235{
1236 BUG_ON(chain->use > 0);
1237
1238 if (nft_is_base_chain(chain)) {
1239 struct nft_base_chain *basechain = nft_base_chain(chain);
1240
1241 module_put(basechain->type->owner);
1242 free_percpu(basechain->stats);
1243 if (basechain->ops[0].dev != NULL)
1244 dev_put(basechain->ops[0].dev);
1245 kfree(basechain);
1246 } else {
1247 kfree(chain);
1248 }
1249}
1250
1251struct nft_chain_hook {
1252 u32 num;
1253 u32 priority;
1254 const struct nf_chain_type *type;
1255 struct net_device *dev;
1256};
1257
1258static int nft_chain_parse_hook(struct net *net,
1259 const struct nlattr * const nla[],
1260 struct nft_af_info *afi,
1261 struct nft_chain_hook *hook, bool create)
1262{
1263 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1264 const struct nf_chain_type *type;
1265 struct net_device *dev;
1266 int err;
1267
1268 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1269 nft_hook_policy, NULL);
1270 if (err < 0)
1271 return err;
1272
1273 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1274 ha[NFTA_HOOK_PRIORITY] == NULL)
1275 return -EINVAL;
1276
1277 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1278 if (hook->num >= afi->nhooks)
1279 return -EINVAL;
1280
1281 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1282
1283 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1284 if (nla[NFTA_CHAIN_TYPE]) {
1285 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1286 create);
1287 if (IS_ERR(type))
1288 return PTR_ERR(type);
1289 }
1290 if (!(type->hook_mask & (1 << hook->num)))
1291 return -EOPNOTSUPP;
1292 if (!try_module_get(type->owner))
1293 return -ENOENT;
1294
1295 hook->type = type;
1296
1297 hook->dev = NULL;
1298 if (afi->flags & NFT_AF_NEEDS_DEV) {
1299 char ifname[IFNAMSIZ];
1300
1301 if (!ha[NFTA_HOOK_DEV]) {
1302 module_put(type->owner);
1303 return -EOPNOTSUPP;
1304 }
1305
1306 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1307 dev = dev_get_by_name(net, ifname);
1308 if (!dev) {
1309 module_put(type->owner);
1310 return -ENOENT;
1311 }
1312 hook->dev = dev;
1313 } else if (ha[NFTA_HOOK_DEV]) {
1314 module_put(type->owner);
1315 return -EOPNOTSUPP;
1316 }
1317
1318 return 0;
1319}
1320
1321static void nft_chain_release_hook(struct nft_chain_hook *hook)
1322{
1323 module_put(hook->type->owner);
1324 if (hook->dev != NULL)
1325 dev_put(hook->dev);
1326}
1327
1328static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1329 struct sk_buff *skb, const struct nlmsghdr *nlh,
1330 const struct nlattr * const nla[],
1331 struct netlink_ext_ack *extack)
1332{
1333 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1334 const struct nlattr * uninitialized_var(name);
1335 struct nft_af_info *afi;
1336 struct nft_table *table;
1337 struct nft_chain *chain;
1338 struct nft_base_chain *basechain = NULL;
1339 u8 genmask = nft_genmask_next(net);
1340 int family = nfmsg->nfgen_family;
1341 u8 policy = NF_ACCEPT;
1342 u64 handle = 0;
1343 unsigned int i;
1344 struct nft_stats __percpu *stats;
1345 int err;
1346 bool create;
1347 struct nft_ctx ctx;
1348
1349 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1350
1351 afi = nf_tables_afinfo_lookup(net, family, true);
1352 if (IS_ERR(afi))
1353 return PTR_ERR(afi);
1354
1355 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1356 if (IS_ERR(table))
1357 return PTR_ERR(table);
1358
1359 chain = NULL;
1360 name = nla[NFTA_CHAIN_NAME];
1361
1362 if (nla[NFTA_CHAIN_HANDLE]) {
1363 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1364 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1365 if (IS_ERR(chain))
1366 return PTR_ERR(chain);
1367 } else {
1368 chain = nf_tables_chain_lookup(table, name, genmask);
1369 if (IS_ERR(chain)) {
1370 if (PTR_ERR(chain) != -ENOENT)
1371 return PTR_ERR(chain);
1372 chain = NULL;
1373 }
1374 }
1375
1376 if (nla[NFTA_CHAIN_POLICY]) {
1377 if (chain != NULL &&
1378 !nft_is_base_chain(chain))
1379 return -EOPNOTSUPP;
1380
1381 if (chain == NULL &&
1382 nla[NFTA_CHAIN_HOOK] == NULL)
1383 return -EOPNOTSUPP;
1384
1385 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1386 switch (policy) {
1387 case NF_DROP:
1388 case NF_ACCEPT:
1389 break;
1390 default:
1391 return -EINVAL;
1392 }
1393 }
1394
1395 if (chain != NULL) {
1396 struct nft_stats *stats = NULL;
1397 struct nft_trans *trans;
1398
1399 if (nlh->nlmsg_flags & NLM_F_EXCL)
1400 return -EEXIST;
1401 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1402 return -EOPNOTSUPP;
1403
1404 if (nla[NFTA_CHAIN_HOOK]) {
1405 struct nft_base_chain *basechain;
1406 struct nft_chain_hook hook;
1407 struct nf_hook_ops *ops;
1408
1409 if (!nft_is_base_chain(chain))
1410 return -EBUSY;
1411
1412 err = nft_chain_parse_hook(net, nla, afi, &hook,
1413 create);
1414 if (err < 0)
1415 return err;
1416
1417 basechain = nft_base_chain(chain);
1418 if (basechain->type != hook.type) {
1419 nft_chain_release_hook(&hook);
1420 return -EBUSY;
1421 }
1422
1423 for (i = 0; i < afi->nops; i++) {
1424 ops = &basechain->ops[i];
1425 if (ops->hooknum != hook.num ||
1426 ops->priority != hook.priority ||
1427 ops->dev != hook.dev) {
1428 nft_chain_release_hook(&hook);
1429 return -EBUSY;
1430 }
1431 }
1432 nft_chain_release_hook(&hook);
1433 }
1434
1435 if (nla[NFTA_CHAIN_HANDLE] && name) {
1436 struct nft_chain *chain2;
1437
1438 chain2 = nf_tables_chain_lookup(table,
1439 nla[NFTA_CHAIN_NAME],
1440 genmask);
1441 if (IS_ERR(chain2))
1442 return PTR_ERR(chain2);
1443 }
1444
1445 if (nla[NFTA_CHAIN_COUNTERS]) {
1446 if (!nft_is_base_chain(chain))
1447 return -EOPNOTSUPP;
1448
1449 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1450 if (IS_ERR(stats))
1451 return PTR_ERR(stats);
1452 }
1453
1454 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1455 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1456 sizeof(struct nft_trans_chain));
1457 if (trans == NULL) {
1458 free_percpu(stats);
1459 return -ENOMEM;
1460 }
1461
1462 nft_trans_chain_stats(trans) = stats;
1463 nft_trans_chain_update(trans) = true;
1464
1465 if (nla[NFTA_CHAIN_POLICY])
1466 nft_trans_chain_policy(trans) = policy;
1467 else
1468 nft_trans_chain_policy(trans) = -1;
1469
1470 if (nla[NFTA_CHAIN_HANDLE] && name) {
1471 nla_strlcpy(nft_trans_chain_name(trans), name,
1472 NFT_CHAIN_MAXNAMELEN);
1473 }
1474 list_add_tail(&trans->list, &net->nft.commit_list);
1475 return 0;
1476 }
1477
1478 if (table->use == UINT_MAX)
1479 return -EOVERFLOW;
1480
1481 if (nla[NFTA_CHAIN_HOOK]) {
1482 struct nft_chain_hook hook;
1483 struct nf_hook_ops *ops;
1484 nf_hookfn *hookfn;
1485
1486 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1487 if (err < 0)
1488 return err;
1489
1490 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1491 if (basechain == NULL) {
1492 nft_chain_release_hook(&hook);
1493 return -ENOMEM;
1494 }
1495
1496 if (hook.dev != NULL)
1497 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1498
1499 if (nla[NFTA_CHAIN_COUNTERS]) {
1500 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1501 if (IS_ERR(stats)) {
1502 nft_chain_release_hook(&hook);
1503 kfree(basechain);
1504 return PTR_ERR(stats);
1505 }
1506 basechain->stats = stats;
1507 } else {
1508 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1509 if (stats == NULL) {
1510 nft_chain_release_hook(&hook);
1511 kfree(basechain);
1512 return -ENOMEM;
1513 }
1514 rcu_assign_pointer(basechain->stats, stats);
1515 }
1516
1517 hookfn = hook.type->hooks[hook.num];
1518 basechain->type = hook.type;
1519 chain = &basechain->chain;
1520
1521 for (i = 0; i < afi->nops; i++) {
1522 ops = &basechain->ops[i];
1523 ops->pf = family;
1524 ops->hooknum = hook.num;
1525 ops->priority = hook.priority;
1526 ops->priv = chain;
1527 ops->hook = afi->hooks[ops->hooknum];
1528 ops->dev = hook.dev;
1529 if (hookfn)
1530 ops->hook = hookfn;
1531 if (afi->hook_ops_init)
1532 afi->hook_ops_init(ops, i);
1533 }
1534
1535 chain->flags |= NFT_BASE_CHAIN;
1536 basechain->policy = policy;
1537 } else {
1538 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1539 if (chain == NULL)
1540 return -ENOMEM;
1541 }
1542
1543 INIT_LIST_HEAD(&chain->rules);
1544 chain->handle = nf_tables_alloc_handle(table);
1545 chain->table = table;
1546 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1547
1548 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1549 if (err < 0)
1550 goto err1;
1551
1552 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1553 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1554 if (err < 0)
1555 goto err2;
1556
1557 table->use++;
1558 list_add_tail_rcu(&chain->list, &table->chains);
1559 return 0;
1560err2:
1561 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1562err1:
1563 nf_tables_chain_destroy(chain);
1564 return err;
1565}
1566
1567static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1568 struct sk_buff *skb, const struct nlmsghdr *nlh,
1569 const struct nlattr * const nla[],
1570 struct netlink_ext_ack *extack)
1571{
1572 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1573 u8 genmask = nft_genmask_next(net);
1574 struct nft_af_info *afi;
1575 struct nft_table *table;
1576 struct nft_chain *chain;
1577 int family = nfmsg->nfgen_family;
1578 struct nft_ctx ctx;
1579
1580 afi = nf_tables_afinfo_lookup(net, family, false);
1581 if (IS_ERR(afi))
1582 return PTR_ERR(afi);
1583
1584 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1585 if (IS_ERR(table))
1586 return PTR_ERR(table);
1587
1588 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1589 if (IS_ERR(chain))
1590 return PTR_ERR(chain);
1591 if (chain->use > 0)
1592 return -EBUSY;
1593
1594 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1595
1596 return nft_delchain(&ctx);
1597}
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610int nft_register_expr(struct nft_expr_type *type)
1611{
1612 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1613 if (type->family == NFPROTO_UNSPEC)
1614 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1615 else
1616 list_add_rcu(&type->list, &nf_tables_expressions);
1617 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1618 return 0;
1619}
1620EXPORT_SYMBOL_GPL(nft_register_expr);
1621
1622
1623
1624
1625
1626
1627
1628void nft_unregister_expr(struct nft_expr_type *type)
1629{
1630 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1631 list_del_rcu(&type->list);
1632 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1633}
1634EXPORT_SYMBOL_GPL(nft_unregister_expr);
1635
1636static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1637 struct nlattr *nla)
1638{
1639 const struct nft_expr_type *type;
1640
1641 list_for_each_entry(type, &nf_tables_expressions, list) {
1642 if (!nla_strcmp(nla, type->name) &&
1643 (!type->family || type->family == family))
1644 return type;
1645 }
1646 return NULL;
1647}
1648
1649static const struct nft_expr_type *nft_expr_type_get(u8 family,
1650 struct nlattr *nla)
1651{
1652 const struct nft_expr_type *type;
1653
1654 if (nla == NULL)
1655 return ERR_PTR(-EINVAL);
1656
1657 type = __nft_expr_type_get(family, nla);
1658 if (type != NULL && try_module_get(type->owner))
1659 return type;
1660
1661#ifdef CONFIG_MODULES
1662 if (type == NULL) {
1663 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1664 request_module("nft-expr-%u-%.*s", family,
1665 nla_len(nla), (char *)nla_data(nla));
1666 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1667 if (__nft_expr_type_get(family, nla))
1668 return ERR_PTR(-EAGAIN);
1669
1670 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1671 request_module("nft-expr-%.*s",
1672 nla_len(nla), (char *)nla_data(nla));
1673 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1674 if (__nft_expr_type_get(family, nla))
1675 return ERR_PTR(-EAGAIN);
1676 }
1677#endif
1678 return ERR_PTR(-ENOENT);
1679}
1680
1681static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1682 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1683 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1684};
1685
1686static int nf_tables_fill_expr_info(struct sk_buff *skb,
1687 const struct nft_expr *expr)
1688{
1689 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1690 goto nla_put_failure;
1691
1692 if (expr->ops->dump) {
1693 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1694 if (data == NULL)
1695 goto nla_put_failure;
1696 if (expr->ops->dump(skb, expr) < 0)
1697 goto nla_put_failure;
1698 nla_nest_end(skb, data);
1699 }
1700
1701 return skb->len;
1702
1703nla_put_failure:
1704 return -1;
1705};
1706
1707int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1708 const struct nft_expr *expr)
1709{
1710 struct nlattr *nest;
1711
1712 nest = nla_nest_start(skb, attr);
1713 if (!nest)
1714 goto nla_put_failure;
1715 if (nf_tables_fill_expr_info(skb, expr) < 0)
1716 goto nla_put_failure;
1717 nla_nest_end(skb, nest);
1718 return 0;
1719
1720nla_put_failure:
1721 return -1;
1722}
1723
1724struct nft_expr_info {
1725 const struct nft_expr_ops *ops;
1726 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1727};
1728
1729static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1730 const struct nlattr *nla,
1731 struct nft_expr_info *info)
1732{
1733 const struct nft_expr_type *type;
1734 const struct nft_expr_ops *ops;
1735 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1736 int err;
1737
1738 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1739 if (err < 0)
1740 return err;
1741
1742 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1743 if (IS_ERR(type))
1744 return PTR_ERR(type);
1745
1746 if (tb[NFTA_EXPR_DATA]) {
1747 err = nla_parse_nested(info->tb, type->maxattr,
1748 tb[NFTA_EXPR_DATA], type->policy, NULL);
1749 if (err < 0)
1750 goto err1;
1751 } else
1752 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1753
1754 if (type->select_ops != NULL) {
1755 ops = type->select_ops(ctx,
1756 (const struct nlattr * const *)info->tb);
1757 if (IS_ERR(ops)) {
1758 err = PTR_ERR(ops);
1759 goto err1;
1760 }
1761 } else
1762 ops = type->ops;
1763
1764 info->ops = ops;
1765 return 0;
1766
1767err1:
1768 module_put(type->owner);
1769 return err;
1770}
1771
1772static int nf_tables_newexpr(const struct nft_ctx *ctx,
1773 const struct nft_expr_info *info,
1774 struct nft_expr *expr)
1775{
1776 const struct nft_expr_ops *ops = info->ops;
1777 int err;
1778
1779 expr->ops = ops;
1780 if (ops->init) {
1781 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1782 if (err < 0)
1783 goto err1;
1784 }
1785
1786 if (ops->validate) {
1787 const struct nft_data *data = NULL;
1788
1789 err = ops->validate(ctx, expr, &data);
1790 if (err < 0)
1791 goto err2;
1792 }
1793
1794 return 0;
1795
1796err2:
1797 if (ops->destroy)
1798 ops->destroy(ctx, expr);
1799err1:
1800 expr->ops = NULL;
1801 return err;
1802}
1803
1804static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1805 struct nft_expr *expr)
1806{
1807 if (expr->ops->destroy)
1808 expr->ops->destroy(ctx, expr);
1809 module_put(expr->ops->type->owner);
1810}
1811
1812struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1813 const struct nlattr *nla)
1814{
1815 struct nft_expr_info info;
1816 struct nft_expr *expr;
1817 int err;
1818
1819 err = nf_tables_expr_parse(ctx, nla, &info);
1820 if (err < 0)
1821 goto err1;
1822
1823 err = -ENOMEM;
1824 expr = kzalloc(info.ops->size, GFP_KERNEL);
1825 if (expr == NULL)
1826 goto err2;
1827
1828 err = nf_tables_newexpr(ctx, &info, expr);
1829 if (err < 0)
1830 goto err3;
1831
1832 return expr;
1833err3:
1834 kfree(expr);
1835err2:
1836 module_put(info.ops->type->owner);
1837err1:
1838 return ERR_PTR(err);
1839}
1840
1841void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1842{
1843 nf_tables_expr_destroy(ctx, expr);
1844 kfree(expr);
1845}
1846
1847
1848
1849
1850
1851static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1852 u64 handle)
1853{
1854 struct nft_rule *rule;
1855
1856
1857 list_for_each_entry(rule, &chain->rules, list) {
1858 if (handle == rule->handle)
1859 return rule;
1860 }
1861
1862 return ERR_PTR(-ENOENT);
1863}
1864
1865static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1866 const struct nlattr *nla)
1867{
1868 if (nla == NULL)
1869 return ERR_PTR(-EINVAL);
1870
1871 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1872}
1873
1874static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1875 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1876 .len = NFT_TABLE_MAXNAMELEN - 1 },
1877 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1878 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1879 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1880 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1881 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1882 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1883 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1884 .len = NFT_USERDATA_MAXLEN },
1885};
1886
1887static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1888 u32 portid, u32 seq, int event,
1889 u32 flags, int family,
1890 const struct nft_table *table,
1891 const struct nft_chain *chain,
1892 const struct nft_rule *rule)
1893{
1894 struct nlmsghdr *nlh;
1895 struct nfgenmsg *nfmsg;
1896 const struct nft_expr *expr, *next;
1897 struct nlattr *list;
1898 const struct nft_rule *prule;
1899 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1900
1901 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1902 if (nlh == NULL)
1903 goto nla_put_failure;
1904
1905 nfmsg = nlmsg_data(nlh);
1906 nfmsg->nfgen_family = family;
1907 nfmsg->version = NFNETLINK_V0;
1908 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1909
1910 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1911 goto nla_put_failure;
1912 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1913 goto nla_put_failure;
1914 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1915 NFTA_RULE_PAD))
1916 goto nla_put_failure;
1917
1918 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1919 prule = list_prev_entry(rule, list);
1920 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1921 cpu_to_be64(prule->handle),
1922 NFTA_RULE_PAD))
1923 goto nla_put_failure;
1924 }
1925
1926 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1927 if (list == NULL)
1928 goto nla_put_failure;
1929 nft_rule_for_each_expr(expr, next, rule) {
1930 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1931 goto nla_put_failure;
1932 }
1933 nla_nest_end(skb, list);
1934
1935 if (rule->udata) {
1936 struct nft_userdata *udata = nft_userdata(rule);
1937 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1938 udata->data) < 0)
1939 goto nla_put_failure;
1940 }
1941
1942 nlmsg_end(skb, nlh);
1943 return 0;
1944
1945nla_put_failure:
1946 nlmsg_trim(skb, nlh);
1947 return -1;
1948}
1949
1950static void nf_tables_rule_notify(const struct nft_ctx *ctx,
1951 const struct nft_rule *rule, int event)
1952{
1953 struct sk_buff *skb;
1954 int err;
1955
1956 if (!ctx->report &&
1957 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1958 return;
1959
1960 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1961 if (skb == NULL)
1962 goto err;
1963
1964 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1965 event, 0, ctx->afi->family, ctx->table,
1966 ctx->chain, rule);
1967 if (err < 0) {
1968 kfree_skb(skb);
1969 goto err;
1970 }
1971
1972 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1973 ctx->report, GFP_KERNEL);
1974 return;
1975err:
1976 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1977}
1978
1979struct nft_rule_dump_ctx {
1980 char table[NFT_TABLE_MAXNAMELEN];
1981 char chain[NFT_CHAIN_MAXNAMELEN];
1982};
1983
1984static int nf_tables_dump_rules(struct sk_buff *skb,
1985 struct netlink_callback *cb)
1986{
1987 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1988 const struct nft_rule_dump_ctx *ctx = cb->data;
1989 const struct nft_af_info *afi;
1990 const struct nft_table *table;
1991 const struct nft_chain *chain;
1992 const struct nft_rule *rule;
1993 unsigned int idx = 0, s_idx = cb->args[0];
1994 struct net *net = sock_net(skb->sk);
1995 int family = nfmsg->nfgen_family;
1996
1997 rcu_read_lock();
1998 cb->seq = net->nft.base_seq;
1999
2000 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2001 if (family != NFPROTO_UNSPEC && family != afi->family)
2002 continue;
2003
2004 list_for_each_entry_rcu(table, &afi->tables, list) {
2005 if (ctx && ctx->table[0] &&
2006 strcmp(ctx->table, table->name) != 0)
2007 continue;
2008
2009 list_for_each_entry_rcu(chain, &table->chains, list) {
2010 if (ctx && ctx->chain[0] &&
2011 strcmp(ctx->chain, chain->name) != 0)
2012 continue;
2013
2014 list_for_each_entry_rcu(rule, &chain->rules, list) {
2015 if (!nft_is_active(net, rule))
2016 goto cont;
2017 if (idx < s_idx)
2018 goto cont;
2019 if (idx > s_idx)
2020 memset(&cb->args[1], 0,
2021 sizeof(cb->args) - sizeof(cb->args[0]));
2022 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2023 cb->nlh->nlmsg_seq,
2024 NFT_MSG_NEWRULE,
2025 NLM_F_MULTI | NLM_F_APPEND,
2026 afi->family, table, chain, rule) < 0)
2027 goto done;
2028
2029 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2030cont:
2031 idx++;
2032 }
2033 }
2034 }
2035 }
2036done:
2037 rcu_read_unlock();
2038
2039 cb->args[0] = idx;
2040 return skb->len;
2041}
2042
2043static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2044{
2045 kfree(cb->data);
2046 return 0;
2047}
2048
2049static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2050 struct sk_buff *skb, const struct nlmsghdr *nlh,
2051 const struct nlattr * const nla[],
2052 struct netlink_ext_ack *extack)
2053{
2054 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2055 u8 genmask = nft_genmask_cur(net);
2056 const struct nft_af_info *afi;
2057 const struct nft_table *table;
2058 const struct nft_chain *chain;
2059 const struct nft_rule *rule;
2060 struct sk_buff *skb2;
2061 int family = nfmsg->nfgen_family;
2062 int err;
2063
2064 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2065 struct netlink_dump_control c = {
2066 .dump = nf_tables_dump_rules,
2067 .done = nf_tables_dump_rules_done,
2068 };
2069
2070 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2071 struct nft_rule_dump_ctx *ctx;
2072
2073 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2074 if (!ctx)
2075 return -ENOMEM;
2076
2077 if (nla[NFTA_RULE_TABLE])
2078 nla_strlcpy(ctx->table, nla[NFTA_RULE_TABLE],
2079 sizeof(ctx->table));
2080 if (nla[NFTA_RULE_CHAIN])
2081 nla_strlcpy(ctx->chain, nla[NFTA_RULE_CHAIN],
2082 sizeof(ctx->chain));
2083 c.data = ctx;
2084 }
2085
2086 return netlink_dump_start(nlsk, skb, nlh, &c);
2087 }
2088
2089 afi = nf_tables_afinfo_lookup(net, family, false);
2090 if (IS_ERR(afi))
2091 return PTR_ERR(afi);
2092
2093 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2094 if (IS_ERR(table))
2095 return PTR_ERR(table);
2096
2097 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2098 if (IS_ERR(chain))
2099 return PTR_ERR(chain);
2100
2101 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2102 if (IS_ERR(rule))
2103 return PTR_ERR(rule);
2104
2105 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2106 if (!skb2)
2107 return -ENOMEM;
2108
2109 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2110 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2111 family, table, chain, rule);
2112 if (err < 0)
2113 goto err;
2114
2115 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2116
2117err:
2118 kfree_skb(skb2);
2119 return err;
2120}
2121
2122static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2123 struct nft_rule *rule)
2124{
2125 struct nft_expr *expr;
2126
2127
2128
2129
2130
2131 expr = nft_expr_first(rule);
2132 while (expr != nft_expr_last(rule) && expr->ops) {
2133 nf_tables_expr_destroy(ctx, expr);
2134 expr = nft_expr_next(expr);
2135 }
2136 kfree(rule);
2137}
2138
2139#define NFT_RULE_MAXEXPRS 128
2140
2141static struct nft_expr_info *info;
2142
2143static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2144 struct sk_buff *skb, const struct nlmsghdr *nlh,
2145 const struct nlattr * const nla[],
2146 struct netlink_ext_ack *extack)
2147{
2148 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2149 u8 genmask = nft_genmask_next(net);
2150 struct nft_af_info *afi;
2151 struct nft_table *table;
2152 struct nft_chain *chain;
2153 struct nft_rule *rule, *old_rule = NULL;
2154 struct nft_userdata *udata;
2155 struct nft_trans *trans = NULL;
2156 struct nft_expr *expr;
2157 struct nft_ctx ctx;
2158 struct nlattr *tmp;
2159 unsigned int size, i, n, ulen = 0, usize = 0;
2160 int err, rem;
2161 bool create;
2162 u64 handle, pos_handle;
2163
2164 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2165
2166 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2167 if (IS_ERR(afi))
2168 return PTR_ERR(afi);
2169
2170 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2171 if (IS_ERR(table))
2172 return PTR_ERR(table);
2173
2174 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2175 if (IS_ERR(chain))
2176 return PTR_ERR(chain);
2177
2178 if (nla[NFTA_RULE_HANDLE]) {
2179 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2180 rule = __nf_tables_rule_lookup(chain, handle);
2181 if (IS_ERR(rule))
2182 return PTR_ERR(rule);
2183
2184 if (nlh->nlmsg_flags & NLM_F_EXCL)
2185 return -EEXIST;
2186 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2187 old_rule = rule;
2188 else
2189 return -EOPNOTSUPP;
2190 } else {
2191 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2192 return -EINVAL;
2193 handle = nf_tables_alloc_handle(table);
2194
2195 if (chain->use == UINT_MAX)
2196 return -EOVERFLOW;
2197 }
2198
2199 if (nla[NFTA_RULE_POSITION]) {
2200 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2201 return -EOPNOTSUPP;
2202
2203 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2204 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2205 if (IS_ERR(old_rule))
2206 return PTR_ERR(old_rule);
2207 }
2208
2209 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2210
2211 n = 0;
2212 size = 0;
2213 if (nla[NFTA_RULE_EXPRESSIONS]) {
2214 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2215 err = -EINVAL;
2216 if (nla_type(tmp) != NFTA_LIST_ELEM)
2217 goto err1;
2218 if (n == NFT_RULE_MAXEXPRS)
2219 goto err1;
2220 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2221 if (err < 0)
2222 goto err1;
2223 size += info[n].ops->size;
2224 n++;
2225 }
2226 }
2227
2228 err = -EFBIG;
2229 if (size >= 1 << 12)
2230 goto err1;
2231
2232 if (nla[NFTA_RULE_USERDATA]) {
2233 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2234 if (ulen > 0)
2235 usize = sizeof(struct nft_userdata) + ulen;
2236 }
2237
2238 err = -ENOMEM;
2239 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2240 if (rule == NULL)
2241 goto err1;
2242
2243 nft_activate_next(net, rule);
2244
2245 rule->handle = handle;
2246 rule->dlen = size;
2247 rule->udata = ulen ? 1 : 0;
2248
2249 if (ulen) {
2250 udata = nft_userdata(rule);
2251 udata->len = ulen - 1;
2252 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2253 }
2254
2255 expr = nft_expr_first(rule);
2256 for (i = 0; i < n; i++) {
2257 err = nf_tables_newexpr(&ctx, &info[i], expr);
2258 if (err < 0)
2259 goto err2;
2260 info[i].ops = NULL;
2261 expr = nft_expr_next(expr);
2262 }
2263
2264 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2265 if (nft_is_active_next(net, old_rule)) {
2266 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2267 old_rule);
2268 if (trans == NULL) {
2269 err = -ENOMEM;
2270 goto err2;
2271 }
2272 nft_deactivate_next(net, old_rule);
2273 chain->use--;
2274 list_add_tail_rcu(&rule->list, &old_rule->list);
2275 } else {
2276 err = -ENOENT;
2277 goto err2;
2278 }
2279 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2280 if (old_rule)
2281 list_add_rcu(&rule->list, &old_rule->list);
2282 else
2283 list_add_tail_rcu(&rule->list, &chain->rules);
2284 else {
2285 if (old_rule)
2286 list_add_tail_rcu(&rule->list, &old_rule->list);
2287 else
2288 list_add_rcu(&rule->list, &chain->rules);
2289 }
2290
2291 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2292 err = -ENOMEM;
2293 goto err3;
2294 }
2295 chain->use++;
2296 return 0;
2297
2298err3:
2299 list_del_rcu(&rule->list);
2300err2:
2301 nf_tables_rule_destroy(&ctx, rule);
2302err1:
2303 for (i = 0; i < n; i++) {
2304 if (info[i].ops != NULL)
2305 module_put(info[i].ops->type->owner);
2306 }
2307 return err;
2308}
2309
2310static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2311 const struct nlattr *nla)
2312{
2313 u32 id = ntohl(nla_get_be32(nla));
2314 struct nft_trans *trans;
2315
2316 list_for_each_entry(trans, &net->nft.commit_list, list) {
2317 struct nft_rule *rule = nft_trans_rule(trans);
2318
2319 if (trans->msg_type == NFT_MSG_NEWRULE &&
2320 id == nft_trans_rule_id(trans))
2321 return rule;
2322 }
2323 return ERR_PTR(-ENOENT);
2324}
2325
2326static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2327 struct sk_buff *skb, const struct nlmsghdr *nlh,
2328 const struct nlattr * const nla[],
2329 struct netlink_ext_ack *extack)
2330{
2331 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2332 u8 genmask = nft_genmask_next(net);
2333 struct nft_af_info *afi;
2334 struct nft_table *table;
2335 struct nft_chain *chain = NULL;
2336 struct nft_rule *rule;
2337 int family = nfmsg->nfgen_family, err = 0;
2338 struct nft_ctx ctx;
2339
2340 afi = nf_tables_afinfo_lookup(net, family, false);
2341 if (IS_ERR(afi))
2342 return PTR_ERR(afi);
2343
2344 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2345 if (IS_ERR(table))
2346 return PTR_ERR(table);
2347
2348 if (nla[NFTA_RULE_CHAIN]) {
2349 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2350 genmask);
2351 if (IS_ERR(chain))
2352 return PTR_ERR(chain);
2353 }
2354
2355 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2356
2357 if (chain) {
2358 if (nla[NFTA_RULE_HANDLE]) {
2359 rule = nf_tables_rule_lookup(chain,
2360 nla[NFTA_RULE_HANDLE]);
2361 if (IS_ERR(rule))
2362 return PTR_ERR(rule);
2363
2364 err = nft_delrule(&ctx, rule);
2365 } else if (nla[NFTA_RULE_ID]) {
2366 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2367 if (IS_ERR(rule))
2368 return PTR_ERR(rule);
2369
2370 err = nft_delrule(&ctx, rule);
2371 } else {
2372 err = nft_delrule_by_chain(&ctx);
2373 }
2374 } else {
2375 list_for_each_entry(chain, &table->chains, list) {
2376 if (!nft_is_active_next(net, chain))
2377 continue;
2378
2379 ctx.chain = chain;
2380 err = nft_delrule_by_chain(&ctx);
2381 if (err < 0)
2382 break;
2383 }
2384 }
2385
2386 return err;
2387}
2388
2389
2390
2391
2392
2393static LIST_HEAD(nf_tables_set_types);
2394
2395int nft_register_set(struct nft_set_type *type)
2396{
2397 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2398 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2399 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2400 return 0;
2401}
2402EXPORT_SYMBOL_GPL(nft_register_set);
2403
2404void nft_unregister_set(struct nft_set_type *type)
2405{
2406 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2407 list_del_rcu(&type->list);
2408 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2409}
2410EXPORT_SYMBOL_GPL(nft_unregister_set);
2411
2412#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2413 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2414
2415static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2416{
2417 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2418}
2419
2420
2421
2422
2423
2424
2425static const struct nft_set_ops *
2426nft_select_set_ops(const struct nft_ctx *ctx,
2427 const struct nlattr * const nla[],
2428 const struct nft_set_desc *desc,
2429 enum nft_set_policies policy)
2430{
2431 const struct nft_set_ops *ops, *bops;
2432 struct nft_set_estimate est, best;
2433 const struct nft_set_type *type;
2434 u32 flags = 0;
2435
2436#ifdef CONFIG_MODULES
2437 if (list_empty(&nf_tables_set_types)) {
2438 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2439 request_module("nft-set");
2440 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2441 if (!list_empty(&nf_tables_set_types))
2442 return ERR_PTR(-EAGAIN);
2443 }
2444#endif
2445 if (nla[NFTA_SET_FLAGS] != NULL)
2446 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2447
2448 bops = NULL;
2449 best.size = ~0;
2450 best.lookup = ~0;
2451 best.space = ~0;
2452
2453 list_for_each_entry(type, &nf_tables_set_types, list) {
2454 if (!type->select_ops)
2455 ops = type->ops;
2456 else
2457 ops = type->select_ops(ctx, desc, flags);
2458 if (!ops)
2459 continue;
2460
2461 if (!nft_set_ops_candidate(ops, flags))
2462 continue;
2463 if (!ops->estimate(desc, flags, &est))
2464 continue;
2465
2466 switch (policy) {
2467 case NFT_SET_POL_PERFORMANCE:
2468 if (est.lookup < best.lookup)
2469 break;
2470 if (est.lookup == best.lookup) {
2471 if (!desc->size) {
2472 if (est.space < best.space)
2473 break;
2474 } else if (est.size < best.size) {
2475 break;
2476 }
2477 }
2478 continue;
2479 case NFT_SET_POL_MEMORY:
2480 if (!desc->size) {
2481 if (est.space < best.space)
2482 break;
2483 if (est.space == best.space &&
2484 est.lookup < best.lookup)
2485 break;
2486 } else if (est.size < best.size) {
2487 break;
2488 }
2489 continue;
2490 default:
2491 break;
2492 }
2493
2494 if (!try_module_get(type->owner))
2495 continue;
2496 if (bops != NULL)
2497 module_put(bops->type->owner);
2498
2499 bops = ops;
2500 best = est;
2501 }
2502
2503 if (bops != NULL)
2504 return bops;
2505
2506 return ERR_PTR(-EOPNOTSUPP);
2507}
2508
2509static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2510 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2511 .len = NFT_TABLE_MAXNAMELEN - 1 },
2512 [NFTA_SET_NAME] = { .type = NLA_STRING,
2513 .len = NFT_SET_MAXNAMELEN - 1 },
2514 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2515 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2516 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2517 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2518 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2519 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2520 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2521 [NFTA_SET_ID] = { .type = NLA_U32 },
2522 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2523 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2524 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2525 .len = NFT_USERDATA_MAXLEN },
2526 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2527};
2528
2529static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2530 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2531};
2532
2533static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2534 const struct sk_buff *skb,
2535 const struct nlmsghdr *nlh,
2536 const struct nlattr * const nla[],
2537 u8 genmask)
2538{
2539 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2540 struct nft_af_info *afi = NULL;
2541 struct nft_table *table = NULL;
2542
2543 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2544 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2545 if (IS_ERR(afi))
2546 return PTR_ERR(afi);
2547 }
2548
2549 if (nla[NFTA_SET_TABLE] != NULL) {
2550 if (afi == NULL)
2551 return -EAFNOSUPPORT;
2552
2553 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2554 genmask);
2555 if (IS_ERR(table))
2556 return PTR_ERR(table);
2557 }
2558
2559 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2560 return 0;
2561}
2562
2563static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2564 const struct nlattr *nla, u8 genmask)
2565{
2566 struct nft_set *set;
2567
2568 if (nla == NULL)
2569 return ERR_PTR(-EINVAL);
2570
2571 list_for_each_entry(set, &table->sets, list) {
2572 if (!nla_strcmp(nla, set->name) &&
2573 nft_active_genmask(set, genmask))
2574 return set;
2575 }
2576 return ERR_PTR(-ENOENT);
2577}
2578
2579static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2580 const struct nlattr *nla,
2581 u8 genmask)
2582{
2583 struct nft_trans *trans;
2584 u32 id = ntohl(nla_get_be32(nla));
2585
2586 list_for_each_entry(trans, &net->nft.commit_list, list) {
2587 struct nft_set *set = nft_trans_set(trans);
2588
2589 if (trans->msg_type == NFT_MSG_NEWSET &&
2590 id == nft_trans_set_id(trans) &&
2591 nft_active_genmask(set, genmask))
2592 return set;
2593 }
2594 return ERR_PTR(-ENOENT);
2595}
2596
2597struct nft_set *nft_set_lookup(const struct net *net,
2598 const struct nft_table *table,
2599 const struct nlattr *nla_set_name,
2600 const struct nlattr *nla_set_id,
2601 u8 genmask)
2602{
2603 struct nft_set *set;
2604
2605 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2606 if (IS_ERR(set)) {
2607 if (!nla_set_id)
2608 return set;
2609
2610 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2611 }
2612 return set;
2613}
2614EXPORT_SYMBOL_GPL(nft_set_lookup);
2615
2616static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2617 const char *name)
2618{
2619 const struct nft_set *i;
2620 const char *p;
2621 unsigned long *inuse;
2622 unsigned int n = 0, min = 0;
2623
2624 p = strnchr(name, NFT_SET_MAXNAMELEN, '%');
2625 if (p != NULL) {
2626 if (p[1] != 'd' || strchr(p + 2, '%'))
2627 return -EINVAL;
2628
2629 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2630 if (inuse == NULL)
2631 return -ENOMEM;
2632cont:
2633 list_for_each_entry(i, &ctx->table->sets, list) {
2634 int tmp;
2635
2636 if (!nft_is_active_next(ctx->net, set))
2637 continue;
2638 if (!sscanf(i->name, name, &tmp))
2639 continue;
2640 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2641 continue;
2642
2643 set_bit(tmp - min, inuse);
2644 }
2645
2646 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2647 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2648 min += BITS_PER_BYTE * PAGE_SIZE;
2649 memset(inuse, 0, PAGE_SIZE);
2650 goto cont;
2651 }
2652 free_page((unsigned long)inuse);
2653 }
2654
2655 snprintf(set->name, sizeof(set->name), name, min + n);
2656 list_for_each_entry(i, &ctx->table->sets, list) {
2657 if (!nft_is_active_next(ctx->net, i))
2658 continue;
2659 if (!strcmp(set->name, i->name))
2660 return -ENFILE;
2661 }
2662 return 0;
2663}
2664
2665static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2666 const struct nft_set *set, u16 event, u16 flags)
2667{
2668 struct nfgenmsg *nfmsg;
2669 struct nlmsghdr *nlh;
2670 struct nlattr *desc;
2671 u32 portid = ctx->portid;
2672 u32 seq = ctx->seq;
2673
2674 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2675 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2676 flags);
2677 if (nlh == NULL)
2678 goto nla_put_failure;
2679
2680 nfmsg = nlmsg_data(nlh);
2681 nfmsg->nfgen_family = ctx->afi->family;
2682 nfmsg->version = NFNETLINK_V0;
2683 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2684
2685 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2686 goto nla_put_failure;
2687 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2688 goto nla_put_failure;
2689 if (set->flags != 0)
2690 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2691 goto nla_put_failure;
2692
2693 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2694 goto nla_put_failure;
2695 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2696 goto nla_put_failure;
2697 if (set->flags & NFT_SET_MAP) {
2698 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2699 goto nla_put_failure;
2700 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2701 goto nla_put_failure;
2702 }
2703 if (set->flags & NFT_SET_OBJECT &&
2704 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2705 goto nla_put_failure;
2706
2707 if (set->timeout &&
2708 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2709 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2710 NFTA_SET_PAD))
2711 goto nla_put_failure;
2712 if (set->gc_int &&
2713 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2714 goto nla_put_failure;
2715
2716 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2717 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2718 goto nla_put_failure;
2719 }
2720
2721 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2722 goto nla_put_failure;
2723
2724 desc = nla_nest_start(skb, NFTA_SET_DESC);
2725 if (desc == NULL)
2726 goto nla_put_failure;
2727 if (set->size &&
2728 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2729 goto nla_put_failure;
2730 nla_nest_end(skb, desc);
2731
2732 nlmsg_end(skb, nlh);
2733 return 0;
2734
2735nla_put_failure:
2736 nlmsg_trim(skb, nlh);
2737 return -1;
2738}
2739
2740static void nf_tables_set_notify(const struct nft_ctx *ctx,
2741 const struct nft_set *set, int event,
2742 gfp_t gfp_flags)
2743{
2744 struct sk_buff *skb;
2745 u32 portid = ctx->portid;
2746 int err;
2747
2748 if (!ctx->report &&
2749 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2750 return;
2751
2752 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2753 if (skb == NULL)
2754 goto err;
2755
2756 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2757 if (err < 0) {
2758 kfree_skb(skb);
2759 goto err;
2760 }
2761
2762 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2763 gfp_flags);
2764 return;
2765err:
2766 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2767}
2768
2769static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2770{
2771 const struct nft_set *set;
2772 unsigned int idx, s_idx = cb->args[0];
2773 struct nft_af_info *afi;
2774 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2775 struct net *net = sock_net(skb->sk);
2776 int cur_family = cb->args[3];
2777 struct nft_ctx *ctx = cb->data, ctx_set;
2778
2779 if (cb->args[1])
2780 return skb->len;
2781
2782 rcu_read_lock();
2783 cb->seq = net->nft.base_seq;
2784
2785 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2786 if (ctx->afi && ctx->afi != afi)
2787 continue;
2788
2789 if (cur_family) {
2790 if (afi->family != cur_family)
2791 continue;
2792
2793 cur_family = 0;
2794 }
2795 list_for_each_entry_rcu(table, &afi->tables, list) {
2796 if (ctx->table && ctx->table != table)
2797 continue;
2798
2799 if (cur_table) {
2800 if (cur_table != table)
2801 continue;
2802
2803 cur_table = NULL;
2804 }
2805 idx = 0;
2806 list_for_each_entry_rcu(set, &table->sets, list) {
2807 if (idx < s_idx)
2808 goto cont;
2809 if (!nft_is_active(net, set))
2810 goto cont;
2811
2812 ctx_set = *ctx;
2813 ctx_set.table = table;
2814 ctx_set.afi = afi;
2815 if (nf_tables_fill_set(skb, &ctx_set, set,
2816 NFT_MSG_NEWSET,
2817 NLM_F_MULTI) < 0) {
2818 cb->args[0] = idx;
2819 cb->args[2] = (unsigned long) table;
2820 cb->args[3] = afi->family;
2821 goto done;
2822 }
2823 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2824cont:
2825 idx++;
2826 }
2827 if (s_idx)
2828 s_idx = 0;
2829 }
2830 }
2831 cb->args[1] = 1;
2832done:
2833 rcu_read_unlock();
2834 return skb->len;
2835}
2836
2837static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2838{
2839 kfree(cb->data);
2840 return 0;
2841}
2842
2843static int nf_tables_getset(struct net *net, struct sock *nlsk,
2844 struct sk_buff *skb, const struct nlmsghdr *nlh,
2845 const struct nlattr * const nla[],
2846 struct netlink_ext_ack *extack)
2847{
2848 u8 genmask = nft_genmask_cur(net);
2849 const struct nft_set *set;
2850 struct nft_ctx ctx;
2851 struct sk_buff *skb2;
2852 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2853 int err;
2854
2855
2856 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2857 if (err < 0)
2858 return err;
2859
2860 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2861 struct netlink_dump_control c = {
2862 .dump = nf_tables_dump_sets,
2863 .done = nf_tables_dump_sets_done,
2864 };
2865 struct nft_ctx *ctx_dump;
2866
2867 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2868 if (ctx_dump == NULL)
2869 return -ENOMEM;
2870
2871 *ctx_dump = ctx;
2872 c.data = ctx_dump;
2873
2874 return netlink_dump_start(nlsk, skb, nlh, &c);
2875 }
2876
2877
2878 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2879 return -EAFNOSUPPORT;
2880 if (!nla[NFTA_SET_TABLE])
2881 return -EINVAL;
2882
2883 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2884 if (IS_ERR(set))
2885 return PTR_ERR(set);
2886
2887 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2888 if (skb2 == NULL)
2889 return -ENOMEM;
2890
2891 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2892 if (err < 0)
2893 goto err;
2894
2895 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2896
2897err:
2898 kfree_skb(skb2);
2899 return err;
2900}
2901
2902static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2903 struct nft_set_desc *desc,
2904 const struct nlattr *nla)
2905{
2906 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2907 int err;
2908
2909 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
2910 nft_set_desc_policy, NULL);
2911 if (err < 0)
2912 return err;
2913
2914 if (da[NFTA_SET_DESC_SIZE] != NULL)
2915 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2916
2917 return 0;
2918}
2919
2920static int nf_tables_newset(struct net *net, struct sock *nlsk,
2921 struct sk_buff *skb, const struct nlmsghdr *nlh,
2922 const struct nlattr * const nla[],
2923 struct netlink_ext_ack *extack)
2924{
2925 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2926 u8 genmask = nft_genmask_next(net);
2927 const struct nft_set_ops *ops;
2928 struct nft_af_info *afi;
2929 struct nft_table *table;
2930 struct nft_set *set;
2931 struct nft_ctx ctx;
2932 char name[NFT_SET_MAXNAMELEN];
2933 unsigned int size;
2934 bool create;
2935 u64 timeout;
2936 u32 ktype, dtype, flags, policy, gc_int, objtype;
2937 struct nft_set_desc desc;
2938 unsigned char *udata;
2939 u16 udlen;
2940 int err;
2941
2942 if (nla[NFTA_SET_TABLE] == NULL ||
2943 nla[NFTA_SET_NAME] == NULL ||
2944 nla[NFTA_SET_KEY_LEN] == NULL ||
2945 nla[NFTA_SET_ID] == NULL)
2946 return -EINVAL;
2947
2948 memset(&desc, 0, sizeof(desc));
2949
2950 ktype = NFT_DATA_VALUE;
2951 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2952 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2953 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2954 return -EINVAL;
2955 }
2956
2957 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2958 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2959 return -EINVAL;
2960
2961 flags = 0;
2962 if (nla[NFTA_SET_FLAGS] != NULL) {
2963 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2964 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2965 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2966 NFT_SET_MAP | NFT_SET_EVAL |
2967 NFT_SET_OBJECT))
2968 return -EINVAL;
2969
2970 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
2971 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
2972 return -EOPNOTSUPP;
2973 }
2974
2975 dtype = 0;
2976 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2977 if (!(flags & NFT_SET_MAP))
2978 return -EINVAL;
2979
2980 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2981 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2982 dtype != NFT_DATA_VERDICT)
2983 return -EINVAL;
2984
2985 if (dtype != NFT_DATA_VERDICT) {
2986 if (nla[NFTA_SET_DATA_LEN] == NULL)
2987 return -EINVAL;
2988 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2989 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2990 return -EINVAL;
2991 } else
2992 desc.dlen = sizeof(struct nft_verdict);
2993 } else if (flags & NFT_SET_MAP)
2994 return -EINVAL;
2995
2996 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
2997 if (!(flags & NFT_SET_OBJECT))
2998 return -EINVAL;
2999
3000 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3001 if (objtype == NFT_OBJECT_UNSPEC ||
3002 objtype > NFT_OBJECT_MAX)
3003 return -EINVAL;
3004 } else if (flags & NFT_SET_OBJECT)
3005 return -EINVAL;
3006 else
3007 objtype = NFT_OBJECT_UNSPEC;
3008
3009 timeout = 0;
3010 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3011 if (!(flags & NFT_SET_TIMEOUT))
3012 return -EINVAL;
3013 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3014 nla[NFTA_SET_TIMEOUT])));
3015 }
3016 gc_int = 0;
3017 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3018 if (!(flags & NFT_SET_TIMEOUT))
3019 return -EINVAL;
3020 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3021 }
3022
3023 policy = NFT_SET_POL_PERFORMANCE;
3024 if (nla[NFTA_SET_POLICY] != NULL)
3025 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3026
3027 if (nla[NFTA_SET_DESC] != NULL) {
3028 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3029 if (err < 0)
3030 return err;
3031 }
3032
3033 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3034
3035 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3036 if (IS_ERR(afi))
3037 return PTR_ERR(afi);
3038
3039 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
3040 if (IS_ERR(table))
3041 return PTR_ERR(table);
3042
3043 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
3044
3045 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3046 if (IS_ERR(set)) {
3047 if (PTR_ERR(set) != -ENOENT)
3048 return PTR_ERR(set);
3049 } else {
3050 if (nlh->nlmsg_flags & NLM_F_EXCL)
3051 return -EEXIST;
3052 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3053 return -EOPNOTSUPP;
3054 return 0;
3055 }
3056
3057 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3058 return -ENOENT;
3059
3060 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3061 if (IS_ERR(ops))
3062 return PTR_ERR(ops);
3063
3064 udlen = 0;
3065 if (nla[NFTA_SET_USERDATA])
3066 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3067
3068 size = 0;
3069 if (ops->privsize != NULL)
3070 size = ops->privsize(nla, &desc);
3071
3072 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3073 if (!set) {
3074 err = -ENOMEM;
3075 goto err1;
3076 }
3077
3078 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
3079 err = nf_tables_set_alloc_name(&ctx, set, name);
3080 if (err < 0)
3081 goto err2;
3082
3083 udata = NULL;
3084 if (udlen) {
3085 udata = set->data + size;
3086 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3087 }
3088
3089 INIT_LIST_HEAD(&set->bindings);
3090 set->ops = ops;
3091 set->ktype = ktype;
3092 set->klen = desc.klen;
3093 set->dtype = dtype;
3094 set->objtype = objtype;
3095 set->dlen = desc.dlen;
3096 set->flags = flags;
3097 set->size = desc.size;
3098 set->policy = policy;
3099 set->udlen = udlen;
3100 set->udata = udata;
3101 set->timeout = timeout;
3102 set->gc_int = gc_int;
3103
3104 err = ops->init(set, &desc, nla);
3105 if (err < 0)
3106 goto err2;
3107
3108 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3109 if (err < 0)
3110 goto err3;
3111
3112 list_add_tail_rcu(&set->list, &table->sets);
3113 table->use++;
3114 return 0;
3115
3116err3:
3117 ops->destroy(set);
3118err2:
3119 kvfree(set);
3120err1:
3121 module_put(ops->type->owner);
3122 return err;
3123}
3124
3125static void nft_set_destroy(struct nft_set *set)
3126{
3127 set->ops->destroy(set);
3128 module_put(set->ops->type->owner);
3129 kvfree(set);
3130}
3131
3132static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3133{
3134 list_del_rcu(&set->list);
3135 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3136 nft_set_destroy(set);
3137}
3138
3139static int nf_tables_delset(struct net *net, struct sock *nlsk,
3140 struct sk_buff *skb, const struct nlmsghdr *nlh,
3141 const struct nlattr * const nla[],
3142 struct netlink_ext_ack *extack)
3143{
3144 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3145 u8 genmask = nft_genmask_next(net);
3146 struct nft_set *set;
3147 struct nft_ctx ctx;
3148 int err;
3149
3150 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3151 return -EAFNOSUPPORT;
3152 if (nla[NFTA_SET_TABLE] == NULL)
3153 return -EINVAL;
3154
3155 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3156 if (err < 0)
3157 return err;
3158
3159 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3160 if (IS_ERR(set))
3161 return PTR_ERR(set);
3162 if (!list_empty(&set->bindings))
3163 return -EBUSY;
3164
3165 return nft_delset(&ctx, set);
3166}
3167
3168static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3169 struct nft_set *set,
3170 const struct nft_set_iter *iter,
3171 struct nft_set_elem *elem)
3172{
3173 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3174 enum nft_registers dreg;
3175
3176 dreg = nft_type_to_reg(set->dtype);
3177 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3178 set->dtype == NFT_DATA_VERDICT ?
3179 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3180 set->dlen);
3181}
3182
3183int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3184 struct nft_set_binding *binding)
3185{
3186 struct nft_set_binding *i;
3187 struct nft_set_iter iter;
3188
3189 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3190 return -EBUSY;
3191
3192 if (binding->flags & NFT_SET_MAP) {
3193
3194
3195
3196 list_for_each_entry(i, &set->bindings, list) {
3197 if (i->flags & NFT_SET_MAP &&
3198 i->chain == binding->chain)
3199 goto bind;
3200 }
3201
3202 iter.genmask = nft_genmask_next(ctx->net);
3203 iter.skip = 0;
3204 iter.count = 0;
3205 iter.err = 0;
3206 iter.fn = nf_tables_bind_check_setelem;
3207
3208 set->ops->walk(ctx, set, &iter);
3209 if (iter.err < 0)
3210 return iter.err;
3211 }
3212bind:
3213 binding->chain = ctx->chain;
3214 list_add_tail_rcu(&binding->list, &set->bindings);
3215 return 0;
3216}
3217EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3218
3219void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3220 struct nft_set_binding *binding)
3221{
3222 list_del_rcu(&binding->list);
3223
3224 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3225 nft_is_active(ctx->net, set))
3226 nf_tables_set_destroy(ctx, set);
3227}
3228EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3229
3230const struct nft_set_ext_type nft_set_ext_types[] = {
3231 [NFT_SET_EXT_KEY] = {
3232 .align = __alignof__(u32),
3233 },
3234 [NFT_SET_EXT_DATA] = {
3235 .align = __alignof__(u32),
3236 },
3237 [NFT_SET_EXT_EXPR] = {
3238 .align = __alignof__(struct nft_expr),
3239 },
3240 [NFT_SET_EXT_OBJREF] = {
3241 .len = sizeof(struct nft_object *),
3242 .align = __alignof__(struct nft_object *),
3243 },
3244 [NFT_SET_EXT_FLAGS] = {
3245 .len = sizeof(u8),
3246 .align = __alignof__(u8),
3247 },
3248 [NFT_SET_EXT_TIMEOUT] = {
3249 .len = sizeof(u64),
3250 .align = __alignof__(u64),
3251 },
3252 [NFT_SET_EXT_EXPIRATION] = {
3253 .len = sizeof(unsigned long),
3254 .align = __alignof__(unsigned long),
3255 },
3256 [NFT_SET_EXT_USERDATA] = {
3257 .len = sizeof(struct nft_userdata),
3258 .align = __alignof__(struct nft_userdata),
3259 },
3260};
3261EXPORT_SYMBOL_GPL(nft_set_ext_types);
3262
3263
3264
3265
3266
3267static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3268 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3269 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3270 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3271 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3272 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3273 .len = NFT_USERDATA_MAXLEN },
3274};
3275
3276static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3277 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3278 .len = NFT_TABLE_MAXNAMELEN - 1 },
3279 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3280 .len = NFT_SET_MAXNAMELEN - 1 },
3281 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3282 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3283};
3284
3285static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3286 const struct sk_buff *skb,
3287 const struct nlmsghdr *nlh,
3288 const struct nlattr * const nla[],
3289 u8 genmask)
3290{
3291 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3292 struct nft_af_info *afi;
3293 struct nft_table *table;
3294
3295 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3296 if (IS_ERR(afi))
3297 return PTR_ERR(afi);
3298
3299 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3300 genmask);
3301 if (IS_ERR(table))
3302 return PTR_ERR(table);
3303
3304 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3305 return 0;
3306}
3307
3308static int nf_tables_fill_setelem(struct sk_buff *skb,
3309 const struct nft_set *set,
3310 const struct nft_set_elem *elem)
3311{
3312 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3313 unsigned char *b = skb_tail_pointer(skb);
3314 struct nlattr *nest;
3315
3316 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3317 if (nest == NULL)
3318 goto nla_put_failure;
3319
3320 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3321 NFT_DATA_VALUE, set->klen) < 0)
3322 goto nla_put_failure;
3323
3324 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3325 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3326 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3327 set->dlen) < 0)
3328 goto nla_put_failure;
3329
3330 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3331 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3332 goto nla_put_failure;
3333
3334 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3335 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3336 (*nft_set_ext_obj(ext))->name) < 0)
3337 goto nla_put_failure;
3338
3339 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3340 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3341 htonl(*nft_set_ext_flags(ext))))
3342 goto nla_put_failure;
3343
3344 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3345 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3346 cpu_to_be64(jiffies_to_msecs(
3347 *nft_set_ext_timeout(ext))),
3348 NFTA_SET_ELEM_PAD))
3349 goto nla_put_failure;
3350
3351 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3352 unsigned long expires, now = jiffies;
3353
3354 expires = *nft_set_ext_expiration(ext);
3355 if (time_before(now, expires))
3356 expires -= now;
3357 else
3358 expires = 0;
3359
3360 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3361 cpu_to_be64(jiffies_to_msecs(expires)),
3362 NFTA_SET_ELEM_PAD))
3363 goto nla_put_failure;
3364 }
3365
3366 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3367 struct nft_userdata *udata;
3368
3369 udata = nft_set_ext_userdata(ext);
3370 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3371 udata->len + 1, udata->data))
3372 goto nla_put_failure;
3373 }
3374
3375 nla_nest_end(skb, nest);
3376 return 0;
3377
3378nla_put_failure:
3379 nlmsg_trim(skb, b);
3380 return -EMSGSIZE;
3381}
3382
3383struct nft_set_dump_args {
3384 const struct netlink_callback *cb;
3385 struct nft_set_iter iter;
3386 struct sk_buff *skb;
3387};
3388
3389static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3390 struct nft_set *set,
3391 const struct nft_set_iter *iter,
3392 struct nft_set_elem *elem)
3393{
3394 struct nft_set_dump_args *args;
3395
3396 args = container_of(iter, struct nft_set_dump_args, iter);
3397 return nf_tables_fill_setelem(args->skb, set, elem);
3398}
3399
3400struct nft_set_dump_ctx {
3401 const struct nft_set *set;
3402 struct nft_ctx ctx;
3403};
3404
3405static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3406{
3407 struct nft_set_dump_ctx *dump_ctx = cb->data;
3408 struct net *net = sock_net(skb->sk);
3409 struct nft_af_info *afi;
3410 struct nft_table *table;
3411 struct nft_set *set;
3412 struct nft_set_dump_args args;
3413 bool set_found = false;
3414 struct nfgenmsg *nfmsg;
3415 struct nlmsghdr *nlh;
3416 struct nlattr *nest;
3417 u32 portid, seq;
3418 int event;
3419
3420 rcu_read_lock();
3421 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
3422 if (afi != dump_ctx->ctx.afi)
3423 continue;
3424
3425 list_for_each_entry_rcu(table, &afi->tables, list) {
3426 if (table != dump_ctx->ctx.table)
3427 continue;
3428
3429 list_for_each_entry_rcu(set, &table->sets, list) {
3430 if (set == dump_ctx->set) {
3431 set_found = true;
3432 break;
3433 }
3434 }
3435 break;
3436 }
3437 break;
3438 }
3439
3440 if (!set_found) {
3441 rcu_read_unlock();
3442 return -ENOENT;
3443 }
3444
3445 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3446 portid = NETLINK_CB(cb->skb).portid;
3447 seq = cb->nlh->nlmsg_seq;
3448
3449 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3450 NLM_F_MULTI);
3451 if (nlh == NULL)
3452 goto nla_put_failure;
3453
3454 nfmsg = nlmsg_data(nlh);
3455 nfmsg->nfgen_family = afi->family;
3456 nfmsg->version = NFNETLINK_V0;
3457 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3458
3459 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3460 goto nla_put_failure;
3461 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3462 goto nla_put_failure;
3463
3464 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3465 if (nest == NULL)
3466 goto nla_put_failure;
3467
3468 args.cb = cb;
3469 args.skb = skb;
3470 args.iter.genmask = nft_genmask_cur(net);
3471 args.iter.skip = cb->args[0];
3472 args.iter.count = 0;
3473 args.iter.err = 0;
3474 args.iter.fn = nf_tables_dump_setelem;
3475 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3476 rcu_read_unlock();
3477
3478 nla_nest_end(skb, nest);
3479 nlmsg_end(skb, nlh);
3480
3481 if (args.iter.err && args.iter.err != -EMSGSIZE)
3482 return args.iter.err;
3483 if (args.iter.count == cb->args[0])
3484 return 0;
3485
3486 cb->args[0] = args.iter.count;
3487 return skb->len;
3488
3489nla_put_failure:
3490 rcu_read_unlock();
3491 return -ENOSPC;
3492}
3493
3494static int nf_tables_dump_set_done(struct netlink_callback *cb)
3495{
3496 kfree(cb->data);
3497 return 0;
3498}
3499
3500static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3501 struct sk_buff *skb, const struct nlmsghdr *nlh,
3502 const struct nlattr * const nla[],
3503 struct netlink_ext_ack *extack)
3504{
3505 u8 genmask = nft_genmask_cur(net);
3506 const struct nft_set *set;
3507 struct nft_ctx ctx;
3508 int err;
3509
3510 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3511 if (err < 0)
3512 return err;
3513
3514 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3515 genmask);
3516 if (IS_ERR(set))
3517 return PTR_ERR(set);
3518
3519 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3520 struct netlink_dump_control c = {
3521 .dump = nf_tables_dump_set,
3522 .done = nf_tables_dump_set_done,
3523 };
3524 struct nft_set_dump_ctx *dump_ctx;
3525
3526 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3527 if (!dump_ctx)
3528 return -ENOMEM;
3529
3530 dump_ctx->set = set;
3531 dump_ctx->ctx = ctx;
3532
3533 c.data = dump_ctx;
3534 return netlink_dump_start(nlsk, skb, nlh, &c);
3535 }
3536 return -EOPNOTSUPP;
3537}
3538
3539static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3540 const struct nft_ctx *ctx, u32 seq,
3541 u32 portid, int event, u16 flags,
3542 const struct nft_set *set,
3543 const struct nft_set_elem *elem)
3544{
3545 struct nfgenmsg *nfmsg;
3546 struct nlmsghdr *nlh;
3547 struct nlattr *nest;
3548 int err;
3549
3550 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3551 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3552 flags);
3553 if (nlh == NULL)
3554 goto nla_put_failure;
3555
3556 nfmsg = nlmsg_data(nlh);
3557 nfmsg->nfgen_family = ctx->afi->family;
3558 nfmsg->version = NFNETLINK_V0;
3559 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3560
3561 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3562 goto nla_put_failure;
3563 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3564 goto nla_put_failure;
3565
3566 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3567 if (nest == NULL)
3568 goto nla_put_failure;
3569
3570 err = nf_tables_fill_setelem(skb, set, elem);
3571 if (err < 0)
3572 goto nla_put_failure;
3573
3574 nla_nest_end(skb, nest);
3575
3576 nlmsg_end(skb, nlh);
3577 return 0;
3578
3579nla_put_failure:
3580 nlmsg_trim(skb, nlh);
3581 return -1;
3582}
3583
3584static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3585 const struct nft_set *set,
3586 const struct nft_set_elem *elem,
3587 int event, u16 flags)
3588{
3589 struct net *net = ctx->net;
3590 u32 portid = ctx->portid;
3591 struct sk_buff *skb;
3592 int err;
3593
3594 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3595 return;
3596
3597 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3598 if (skb == NULL)
3599 goto err;
3600
3601 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3602 set, elem);
3603 if (err < 0) {
3604 kfree_skb(skb);
3605 goto err;
3606 }
3607
3608 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3609 GFP_KERNEL);
3610 return;
3611err:
3612 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3613}
3614
3615static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3616 int msg_type,
3617 struct nft_set *set)
3618{
3619 struct nft_trans *trans;
3620
3621 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3622 if (trans == NULL)
3623 return NULL;
3624
3625 nft_trans_elem_set(trans) = set;
3626 return trans;
3627}
3628
3629void *nft_set_elem_init(const struct nft_set *set,
3630 const struct nft_set_ext_tmpl *tmpl,
3631 const u32 *key, const u32 *data,
3632 u64 timeout, gfp_t gfp)
3633{
3634 struct nft_set_ext *ext;
3635 void *elem;
3636
3637 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3638 if (elem == NULL)
3639 return NULL;
3640
3641 ext = nft_set_elem_ext(set, elem);
3642 nft_set_ext_init(ext, tmpl);
3643
3644 memcpy(nft_set_ext_key(ext), key, set->klen);
3645 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3646 memcpy(nft_set_ext_data(ext), data, set->dlen);
3647 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3648 *nft_set_ext_expiration(ext) =
3649 jiffies + timeout;
3650 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3651 *nft_set_ext_timeout(ext) = timeout;
3652
3653 return elem;
3654}
3655
3656void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3657 bool destroy_expr)
3658{
3659 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3660
3661 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3662 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3663 nft_data_release(nft_set_ext_data(ext), set->dtype);
3664 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3665 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3666 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3667 (*nft_set_ext_obj(ext))->use--;
3668 kfree(elem);
3669}
3670EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3671
3672
3673
3674
3675static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3676{
3677 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3678
3679 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3680 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3681 kfree(elem);
3682}
3683
3684static int nft_setelem_parse_flags(const struct nft_set *set,
3685 const struct nlattr *attr, u32 *flags)
3686{
3687 if (attr == NULL)
3688 return 0;
3689
3690 *flags = ntohl(nla_get_be32(attr));
3691 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3692 return -EINVAL;
3693 if (!(set->flags & NFT_SET_INTERVAL) &&
3694 *flags & NFT_SET_ELEM_INTERVAL_END)
3695 return -EINVAL;
3696
3697 return 0;
3698}
3699
3700static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3701 const struct nlattr *attr, u32 nlmsg_flags)
3702{
3703 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3704 u8 genmask = nft_genmask_next(ctx->net);
3705 struct nft_data_desc d1, d2;
3706 struct nft_set_ext_tmpl tmpl;
3707 struct nft_set_ext *ext, *ext2;
3708 struct nft_set_elem elem;
3709 struct nft_set_binding *binding;
3710 struct nft_object *obj = NULL;
3711 struct nft_userdata *udata;
3712 struct nft_data data;
3713 enum nft_registers dreg;
3714 struct nft_trans *trans;
3715 u32 flags = 0;
3716 u64 timeout;
3717 u8 ulen;
3718 int err;
3719
3720 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3721 nft_set_elem_policy, NULL);
3722 if (err < 0)
3723 return err;
3724
3725 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3726 return -EINVAL;
3727
3728 nft_set_ext_prepare(&tmpl);
3729
3730 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3731 if (err < 0)
3732 return err;
3733 if (flags != 0)
3734 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3735
3736 if (set->flags & NFT_SET_MAP) {
3737 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3738 !(flags & NFT_SET_ELEM_INTERVAL_END))
3739 return -EINVAL;
3740 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3741 flags & NFT_SET_ELEM_INTERVAL_END)
3742 return -EINVAL;
3743 } else {
3744 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3745 return -EINVAL;
3746 }
3747
3748 timeout = 0;
3749 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3750 if (!(set->flags & NFT_SET_TIMEOUT))
3751 return -EINVAL;
3752 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3753 nla[NFTA_SET_ELEM_TIMEOUT])));
3754 } else if (set->flags & NFT_SET_TIMEOUT) {
3755 timeout = set->timeout;
3756 }
3757
3758 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3759 nla[NFTA_SET_ELEM_KEY]);
3760 if (err < 0)
3761 goto err1;
3762 err = -EINVAL;
3763 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3764 goto err2;
3765
3766 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3767 if (timeout > 0) {
3768 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3769 if (timeout != set->timeout)
3770 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3771 }
3772
3773 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3774 if (!(set->flags & NFT_SET_OBJECT)) {
3775 err = -EINVAL;
3776 goto err2;
3777 }
3778 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3779 set->objtype, genmask);
3780 if (IS_ERR(obj)) {
3781 err = PTR_ERR(obj);
3782 goto err2;
3783 }
3784 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3785 }
3786
3787 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3788 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3789 nla[NFTA_SET_ELEM_DATA]);
3790 if (err < 0)
3791 goto err2;
3792
3793 err = -EINVAL;
3794 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3795 goto err3;
3796
3797 dreg = nft_type_to_reg(set->dtype);
3798 list_for_each_entry(binding, &set->bindings, list) {
3799 struct nft_ctx bind_ctx = {
3800 .net = ctx->net,
3801 .afi = ctx->afi,
3802 .table = ctx->table,
3803 .chain = (struct nft_chain *)binding->chain,
3804 };
3805
3806 if (!(binding->flags & NFT_SET_MAP))
3807 continue;
3808
3809 err = nft_validate_register_store(&bind_ctx, dreg,
3810 &data,
3811 d2.type, d2.len);
3812 if (err < 0)
3813 goto err3;
3814 }
3815
3816 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3817 }
3818
3819
3820
3821
3822
3823 ulen = 0;
3824 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3825 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3826 if (ulen > 0)
3827 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3828 ulen);
3829 }
3830
3831 err = -ENOMEM;
3832 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3833 timeout, GFP_KERNEL);
3834 if (elem.priv == NULL)
3835 goto err3;
3836
3837 ext = nft_set_elem_ext(set, elem.priv);
3838 if (flags)
3839 *nft_set_ext_flags(ext) = flags;
3840 if (ulen > 0) {
3841 udata = nft_set_ext_userdata(ext);
3842 udata->len = ulen - 1;
3843 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3844 }
3845 if (obj) {
3846 *nft_set_ext_obj(ext) = obj;
3847 obj->use++;
3848 }
3849
3850 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3851 if (trans == NULL)
3852 goto err4;
3853
3854 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3855 err = set->ops->insert(ctx->net, set, &elem, &ext2);
3856 if (err) {
3857 if (err == -EEXIST) {
3858 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
3859 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
3860 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
3861 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
3862 return -EBUSY;
3863 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3864 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
3865 memcmp(nft_set_ext_data(ext),
3866 nft_set_ext_data(ext2), set->dlen) != 0) ||
3867 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3868 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
3869 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
3870 err = -EBUSY;
3871 else if (!(nlmsg_flags & NLM_F_EXCL))
3872 err = 0;
3873 }
3874 goto err5;
3875 }
3876
3877 if (set->size &&
3878 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
3879 err = -ENFILE;
3880 goto err6;
3881 }
3882
3883 nft_trans_elem(trans) = elem;
3884 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3885 return 0;
3886
3887err6:
3888 set->ops->remove(ctx->net, set, &elem);
3889err5:
3890 kfree(trans);
3891err4:
3892 kfree(elem.priv);
3893err3:
3894 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3895 nft_data_release(&data, d2.type);
3896err2:
3897 nft_data_release(&elem.key.val, d1.type);
3898err1:
3899 return err;
3900}
3901
3902static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3903 struct sk_buff *skb, const struct nlmsghdr *nlh,
3904 const struct nlattr * const nla[],
3905 struct netlink_ext_ack *extack)
3906{
3907 u8 genmask = nft_genmask_next(net);
3908 const struct nlattr *attr;
3909 struct nft_set *set;
3910 struct nft_ctx ctx;
3911 int rem, err = 0;
3912
3913 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3914 return -EINVAL;
3915
3916 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3917 if (err < 0)
3918 return err;
3919
3920 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3921 genmask);
3922 if (IS_ERR(set)) {
3923 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3924 set = nf_tables_set_lookup_byid(net,
3925 nla[NFTA_SET_ELEM_LIST_SET_ID],
3926 genmask);
3927 }
3928 if (IS_ERR(set))
3929 return PTR_ERR(set);
3930 }
3931
3932 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3933 return -EBUSY;
3934
3935 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3936 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
3937 if (err < 0)
3938 break;
3939 }
3940 return err;
3941}
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
3955{
3956 if (type == NFT_DATA_VERDICT) {
3957 switch (data->verdict.code) {
3958 case NFT_JUMP:
3959 case NFT_GOTO:
3960 data->verdict.chain->use++;
3961 break;
3962 }
3963 }
3964}
3965
3966static void nft_set_elem_activate(const struct net *net,
3967 const struct nft_set *set,
3968 struct nft_set_elem *elem)
3969{
3970 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3971
3972 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3973 nft_data_hold(nft_set_ext_data(ext), set->dtype);
3974 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3975 (*nft_set_ext_obj(ext))->use++;
3976}
3977
3978static void nft_set_elem_deactivate(const struct net *net,
3979 const struct nft_set *set,
3980 struct nft_set_elem *elem)
3981{
3982 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3983
3984 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3985 nft_data_release(nft_set_ext_data(ext), set->dtype);
3986 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3987 (*nft_set_ext_obj(ext))->use--;
3988}
3989
3990static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3991 const struct nlattr *attr)
3992{
3993 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3994 struct nft_set_ext_tmpl tmpl;
3995 struct nft_data_desc desc;
3996 struct nft_set_elem elem;
3997 struct nft_set_ext *ext;
3998 struct nft_trans *trans;
3999 u32 flags = 0;
4000 void *priv;
4001 int err;
4002
4003 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4004 nft_set_elem_policy, NULL);
4005 if (err < 0)
4006 goto err1;
4007
4008 err = -EINVAL;
4009 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4010 goto err1;
4011
4012 nft_set_ext_prepare(&tmpl);
4013
4014 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4015 if (err < 0)
4016 return err;
4017 if (flags != 0)
4018 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4019
4020 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4021 nla[NFTA_SET_ELEM_KEY]);
4022 if (err < 0)
4023 goto err1;
4024
4025 err = -EINVAL;
4026 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4027 goto err2;
4028
4029 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4030
4031 err = -ENOMEM;
4032 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4033 GFP_KERNEL);
4034 if (elem.priv == NULL)
4035 goto err2;
4036
4037 ext = nft_set_elem_ext(set, elem.priv);
4038 if (flags)
4039 *nft_set_ext_flags(ext) = flags;
4040
4041 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4042 if (trans == NULL) {
4043 err = -ENOMEM;
4044 goto err3;
4045 }
4046
4047 priv = set->ops->deactivate(ctx->net, set, &elem);
4048 if (priv == NULL) {
4049 err = -ENOENT;
4050 goto err4;
4051 }
4052 kfree(elem.priv);
4053 elem.priv = priv;
4054
4055 nft_set_elem_deactivate(ctx->net, set, &elem);
4056
4057 nft_trans_elem(trans) = elem;
4058 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4059 return 0;
4060
4061err4:
4062 kfree(trans);
4063err3:
4064 kfree(elem.priv);
4065err2:
4066 nft_data_release(&elem.key.val, desc.type);
4067err1:
4068 return err;
4069}
4070
4071static int nft_flush_set(const struct nft_ctx *ctx,
4072 struct nft_set *set,
4073 const struct nft_set_iter *iter,
4074 struct nft_set_elem *elem)
4075{
4076 struct nft_trans *trans;
4077 int err;
4078
4079 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4080 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4081 if (!trans)
4082 return -ENOMEM;
4083
4084 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4085 err = -ENOENT;
4086 goto err1;
4087 }
4088 set->ndeact++;
4089
4090 nft_trans_elem_set(trans) = set;
4091 nft_trans_elem(trans) = *elem;
4092 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4093
4094 return 0;
4095err1:
4096 kfree(trans);
4097 return err;
4098}
4099
4100static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4101 struct sk_buff *skb, const struct nlmsghdr *nlh,
4102 const struct nlattr * const nla[],
4103 struct netlink_ext_ack *extack)
4104{
4105 u8 genmask = nft_genmask_next(net);
4106 const struct nlattr *attr;
4107 struct nft_set *set;
4108 struct nft_ctx ctx;
4109 int rem, err = 0;
4110
4111 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4112 if (err < 0)
4113 return err;
4114
4115 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4116 genmask);
4117 if (IS_ERR(set))
4118 return PTR_ERR(set);
4119 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4120 return -EBUSY;
4121
4122 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4123 struct nft_set_iter iter = {
4124 .genmask = genmask,
4125 .fn = nft_flush_set,
4126 };
4127 set->ops->walk(&ctx, set, &iter);
4128
4129 return iter.err;
4130 }
4131
4132 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4133 err = nft_del_setelem(&ctx, set, attr);
4134 if (err < 0)
4135 break;
4136
4137 set->ndeact++;
4138 }
4139 return err;
4140}
4141
4142void nft_set_gc_batch_release(struct rcu_head *rcu)
4143{
4144 struct nft_set_gc_batch *gcb;
4145 unsigned int i;
4146
4147 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4148 for (i = 0; i < gcb->head.cnt; i++)
4149 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4150 kfree(gcb);
4151}
4152EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4153
4154struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4155 gfp_t gfp)
4156{
4157 struct nft_set_gc_batch *gcb;
4158
4159 gcb = kzalloc(sizeof(*gcb), gfp);
4160 if (gcb == NULL)
4161 return gcb;
4162 gcb->head.set = set;
4163 return gcb;
4164}
4165EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178int nft_register_obj(struct nft_object_type *obj_type)
4179{
4180 if (obj_type->type == NFT_OBJECT_UNSPEC)
4181 return -EINVAL;
4182
4183 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4184 list_add_rcu(&obj_type->list, &nf_tables_objects);
4185 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4186 return 0;
4187}
4188EXPORT_SYMBOL_GPL(nft_register_obj);
4189
4190
4191
4192
4193
4194
4195
4196void nft_unregister_obj(struct nft_object_type *obj_type)
4197{
4198 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4199 list_del_rcu(&obj_type->list);
4200 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4201}
4202EXPORT_SYMBOL_GPL(nft_unregister_obj);
4203
4204struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4205 const struct nlattr *nla,
4206 u32 objtype, u8 genmask)
4207{
4208 struct nft_object *obj;
4209
4210 list_for_each_entry(obj, &table->objects, list) {
4211 if (!nla_strcmp(nla, obj->name) &&
4212 objtype == obj->type->type &&
4213 nft_active_genmask(obj, genmask))
4214 return obj;
4215 }
4216 return ERR_PTR(-ENOENT);
4217}
4218EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4219
4220static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4221 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4222 .len = NFT_TABLE_MAXNAMELEN - 1 },
4223 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4224 .len = NFT_OBJ_MAXNAMELEN - 1 },
4225 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4226 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4227};
4228
4229static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4230 const struct nft_object_type *type,
4231 const struct nlattr *attr)
4232{
4233 struct nlattr *tb[type->maxattr + 1];
4234 struct nft_object *obj;
4235 int err;
4236
4237 if (attr) {
4238 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4239 NULL);
4240 if (err < 0)
4241 goto err1;
4242 } else {
4243 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4244 }
4245
4246 err = -ENOMEM;
4247 obj = kzalloc(sizeof(struct nft_object) + type->size, GFP_KERNEL);
4248 if (obj == NULL)
4249 goto err1;
4250
4251 err = type->init(ctx, (const struct nlattr * const *)tb, obj);
4252 if (err < 0)
4253 goto err2;
4254
4255 obj->type = type;
4256 return obj;
4257err2:
4258 kfree(obj);
4259err1:
4260 return ERR_PTR(err);
4261}
4262
4263static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4264 struct nft_object *obj, bool reset)
4265{
4266 struct nlattr *nest;
4267
4268 nest = nla_nest_start(skb, attr);
4269 if (!nest)
4270 goto nla_put_failure;
4271 if (obj->type->dump(skb, obj, reset) < 0)
4272 goto nla_put_failure;
4273 nla_nest_end(skb, nest);
4274 return 0;
4275
4276nla_put_failure:
4277 return -1;
4278}
4279
4280static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4281{
4282 const struct nft_object_type *type;
4283
4284 list_for_each_entry(type, &nf_tables_objects, list) {
4285 if (objtype == type->type)
4286 return type;
4287 }
4288 return NULL;
4289}
4290
4291static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4292{
4293 const struct nft_object_type *type;
4294
4295 type = __nft_obj_type_get(objtype);
4296 if (type != NULL && try_module_get(type->owner))
4297 return type;
4298
4299#ifdef CONFIG_MODULES
4300 if (type == NULL) {
4301 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4302 request_module("nft-obj-%u", objtype);
4303 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4304 if (__nft_obj_type_get(objtype))
4305 return ERR_PTR(-EAGAIN);
4306 }
4307#endif
4308 return ERR_PTR(-ENOENT);
4309}
4310
4311static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4312 struct sk_buff *skb, const struct nlmsghdr *nlh,
4313 const struct nlattr * const nla[],
4314 struct netlink_ext_ack *extack)
4315{
4316 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4317 const struct nft_object_type *type;
4318 u8 genmask = nft_genmask_next(net);
4319 int family = nfmsg->nfgen_family;
4320 struct nft_af_info *afi;
4321 struct nft_table *table;
4322 struct nft_object *obj;
4323 struct nft_ctx ctx;
4324 u32 objtype;
4325 int err;
4326
4327 if (!nla[NFTA_OBJ_TYPE] ||
4328 !nla[NFTA_OBJ_NAME] ||
4329 !nla[NFTA_OBJ_DATA])
4330 return -EINVAL;
4331
4332 afi = nf_tables_afinfo_lookup(net, family, true);
4333 if (IS_ERR(afi))
4334 return PTR_ERR(afi);
4335
4336 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4337 if (IS_ERR(table))
4338 return PTR_ERR(table);
4339
4340 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4341 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4342 if (IS_ERR(obj)) {
4343 err = PTR_ERR(obj);
4344 if (err != -ENOENT)
4345 return err;
4346
4347 } else {
4348 if (nlh->nlmsg_flags & NLM_F_EXCL)
4349 return -EEXIST;
4350
4351 return 0;
4352 }
4353
4354 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4355
4356 type = nft_obj_type_get(objtype);
4357 if (IS_ERR(type))
4358 return PTR_ERR(type);
4359
4360 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4361 if (IS_ERR(obj)) {
4362 err = PTR_ERR(obj);
4363 goto err1;
4364 }
4365 obj->table = table;
4366 nla_strlcpy(obj->name, nla[NFTA_OBJ_NAME], NFT_OBJ_MAXNAMELEN);
4367
4368 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4369 if (err < 0)
4370 goto err2;
4371
4372 list_add_tail_rcu(&obj->list, &table->objects);
4373 table->use++;
4374 return 0;
4375err2:
4376 if (obj->type->destroy)
4377 obj->type->destroy(obj);
4378 kfree(obj);
4379err1:
4380 module_put(type->owner);
4381 return err;
4382}
4383
4384static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4385 u32 portid, u32 seq, int event, u32 flags,
4386 int family, const struct nft_table *table,
4387 struct nft_object *obj, bool reset)
4388{
4389 struct nfgenmsg *nfmsg;
4390 struct nlmsghdr *nlh;
4391
4392 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4393 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4394 if (nlh == NULL)
4395 goto nla_put_failure;
4396
4397 nfmsg = nlmsg_data(nlh);
4398 nfmsg->nfgen_family = family;
4399 nfmsg->version = NFNETLINK_V0;
4400 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4401
4402 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4403 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4404 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->type->type)) ||
4405 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4406 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4407 goto nla_put_failure;
4408
4409 nlmsg_end(skb, nlh);
4410 return 0;
4411
4412nla_put_failure:
4413 nlmsg_trim(skb, nlh);
4414 return -1;
4415}
4416
4417struct nft_obj_filter {
4418 char table[NFT_OBJ_MAXNAMELEN];
4419 u32 type;
4420};
4421
4422static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4423{
4424 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4425 const struct nft_af_info *afi;
4426 const struct nft_table *table;
4427 unsigned int idx = 0, s_idx = cb->args[0];
4428 struct nft_obj_filter *filter = cb->data;
4429 struct net *net = sock_net(skb->sk);
4430 int family = nfmsg->nfgen_family;
4431 struct nft_object *obj;
4432 bool reset = false;
4433
4434 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4435 reset = true;
4436
4437 rcu_read_lock();
4438 cb->seq = net->nft.base_seq;
4439
4440 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4441 if (family != NFPROTO_UNSPEC && family != afi->family)
4442 continue;
4443
4444 list_for_each_entry_rcu(table, &afi->tables, list) {
4445 list_for_each_entry_rcu(obj, &table->objects, list) {
4446 if (!nft_is_active(net, obj))
4447 goto cont;
4448 if (idx < s_idx)
4449 goto cont;
4450 if (idx > s_idx)
4451 memset(&cb->args[1], 0,
4452 sizeof(cb->args) - sizeof(cb->args[0]));
4453 if (filter && filter->table[0] &&
4454 strcmp(filter->table, table->name))
4455 goto cont;
4456 if (filter &&
4457 filter->type != NFT_OBJECT_UNSPEC &&
4458 obj->type->type != filter->type)
4459 goto cont;
4460
4461 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4462 cb->nlh->nlmsg_seq,
4463 NFT_MSG_NEWOBJ,
4464 NLM_F_MULTI | NLM_F_APPEND,
4465 afi->family, table, obj, reset) < 0)
4466 goto done;
4467
4468 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4469cont:
4470 idx++;
4471 }
4472 }
4473 }
4474done:
4475 rcu_read_unlock();
4476
4477 cb->args[0] = idx;
4478 return skb->len;
4479}
4480
4481static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4482{
4483 kfree(cb->data);
4484
4485 return 0;
4486}
4487
4488static struct nft_obj_filter *
4489nft_obj_filter_alloc(const struct nlattr * const nla[])
4490{
4491 struct nft_obj_filter *filter;
4492
4493 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4494 if (!filter)
4495 return ERR_PTR(-ENOMEM);
4496
4497 if (nla[NFTA_OBJ_TABLE])
4498 nla_strlcpy(filter->table, nla[NFTA_OBJ_TABLE],
4499 NFT_TABLE_MAXNAMELEN);
4500 if (nla[NFTA_OBJ_TYPE])
4501 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4502
4503 return filter;
4504}
4505
4506static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4507 struct sk_buff *skb, const struct nlmsghdr *nlh,
4508 const struct nlattr * const nla[],
4509 struct netlink_ext_ack *extack)
4510{
4511 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4512 u8 genmask = nft_genmask_cur(net);
4513 int family = nfmsg->nfgen_family;
4514 const struct nft_af_info *afi;
4515 const struct nft_table *table;
4516 struct nft_object *obj;
4517 struct sk_buff *skb2;
4518 bool reset = false;
4519 u32 objtype;
4520 int err;
4521
4522 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4523 struct netlink_dump_control c = {
4524 .dump = nf_tables_dump_obj,
4525 .done = nf_tables_dump_obj_done,
4526 };
4527
4528 if (nla[NFTA_OBJ_TABLE] ||
4529 nla[NFTA_OBJ_TYPE]) {
4530 struct nft_obj_filter *filter;
4531
4532 filter = nft_obj_filter_alloc(nla);
4533 if (IS_ERR(filter))
4534 return -ENOMEM;
4535
4536 c.data = filter;
4537 }
4538 return netlink_dump_start(nlsk, skb, nlh, &c);
4539 }
4540
4541 if (!nla[NFTA_OBJ_NAME] ||
4542 !nla[NFTA_OBJ_TYPE])
4543 return -EINVAL;
4544
4545 afi = nf_tables_afinfo_lookup(net, family, false);
4546 if (IS_ERR(afi))
4547 return PTR_ERR(afi);
4548
4549 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4550 if (IS_ERR(table))
4551 return PTR_ERR(table);
4552
4553 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4554 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4555 if (IS_ERR(obj))
4556 return PTR_ERR(obj);
4557
4558 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4559 if (!skb2)
4560 return -ENOMEM;
4561
4562 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4563 reset = true;
4564
4565 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4566 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4567 family, table, obj, reset);
4568 if (err < 0)
4569 goto err;
4570
4571 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4572err:
4573 kfree_skb(skb2);
4574 return err;
4575}
4576
4577static void nft_obj_destroy(struct nft_object *obj)
4578{
4579 if (obj->type->destroy)
4580 obj->type->destroy(obj);
4581
4582 module_put(obj->type->owner);
4583 kfree(obj);
4584}
4585
4586static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4587 struct sk_buff *skb, const struct nlmsghdr *nlh,
4588 const struct nlattr * const nla[],
4589 struct netlink_ext_ack *extack)
4590{
4591 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4592 u8 genmask = nft_genmask_next(net);
4593 int family = nfmsg->nfgen_family;
4594 struct nft_af_info *afi;
4595 struct nft_table *table;
4596 struct nft_object *obj;
4597 struct nft_ctx ctx;
4598 u32 objtype;
4599
4600 if (!nla[NFTA_OBJ_TYPE] ||
4601 !nla[NFTA_OBJ_NAME])
4602 return -EINVAL;
4603
4604 afi = nf_tables_afinfo_lookup(net, family, true);
4605 if (IS_ERR(afi))
4606 return PTR_ERR(afi);
4607
4608 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4609 if (IS_ERR(table))
4610 return PTR_ERR(table);
4611
4612 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4613 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4614 if (IS_ERR(obj))
4615 return PTR_ERR(obj);
4616 if (obj->use > 0)
4617 return -EBUSY;
4618
4619 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4620
4621 return nft_delobj(&ctx, obj);
4622}
4623
4624void nft_obj_notify(struct net *net, struct nft_table *table,
4625 struct nft_object *obj, u32 portid, u32 seq, int event,
4626 int family, int report, gfp_t gfp)
4627{
4628 struct sk_buff *skb;
4629 int err;
4630
4631 if (!report &&
4632 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4633 return;
4634
4635 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4636 if (skb == NULL)
4637 goto err;
4638
4639 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4640 table, obj, false);
4641 if (err < 0) {
4642 kfree_skb(skb);
4643 goto err;
4644 }
4645
4646 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4647 return;
4648err:
4649 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4650}
4651EXPORT_SYMBOL_GPL(nft_obj_notify);
4652
4653static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4654 struct nft_object *obj, int event)
4655{
4656 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4657 ctx->afi->family, ctx->report, GFP_KERNEL);
4658}
4659
4660static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
4661 u32 portid, u32 seq)
4662{
4663 struct nlmsghdr *nlh;
4664 struct nfgenmsg *nfmsg;
4665 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
4666
4667 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
4668 if (nlh == NULL)
4669 goto nla_put_failure;
4670
4671 nfmsg = nlmsg_data(nlh);
4672 nfmsg->nfgen_family = AF_UNSPEC;
4673 nfmsg->version = NFNETLINK_V0;
4674 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4675
4676 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
4677 goto nla_put_failure;
4678
4679 nlmsg_end(skb, nlh);
4680 return 0;
4681
4682nla_put_failure:
4683 nlmsg_trim(skb, nlh);
4684 return -EMSGSIZE;
4685}
4686
4687static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
4688 int event)
4689{
4690 struct nlmsghdr *nlh = nlmsg_hdr(skb);
4691 struct sk_buff *skb2;
4692 int err;
4693
4694 if (nlmsg_report(nlh) &&
4695 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4696 return;
4697
4698 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4699 if (skb2 == NULL)
4700 goto err;
4701
4702 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4703 nlh->nlmsg_seq);
4704 if (err < 0) {
4705 kfree_skb(skb2);
4706 goto err;
4707 }
4708
4709 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4710 nlmsg_report(nlh), GFP_KERNEL);
4711 return;
4712err:
4713 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4714 -ENOBUFS);
4715}
4716
4717static int nf_tables_getgen(struct net *net, struct sock *nlsk,
4718 struct sk_buff *skb, const struct nlmsghdr *nlh,
4719 const struct nlattr * const nla[],
4720 struct netlink_ext_ack *extack)
4721{
4722 struct sk_buff *skb2;
4723 int err;
4724
4725 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4726 if (skb2 == NULL)
4727 return -ENOMEM;
4728
4729 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4730 nlh->nlmsg_seq);
4731 if (err < 0)
4732 goto err;
4733
4734 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4735err:
4736 kfree_skb(skb2);
4737 return err;
4738}
4739
4740static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
4741 [NFT_MSG_NEWTABLE] = {
4742 .call_batch = nf_tables_newtable,
4743 .attr_count = NFTA_TABLE_MAX,
4744 .policy = nft_table_policy,
4745 },
4746 [NFT_MSG_GETTABLE] = {
4747 .call = nf_tables_gettable,
4748 .attr_count = NFTA_TABLE_MAX,
4749 .policy = nft_table_policy,
4750 },
4751 [NFT_MSG_DELTABLE] = {
4752 .call_batch = nf_tables_deltable,
4753 .attr_count = NFTA_TABLE_MAX,
4754 .policy = nft_table_policy,
4755 },
4756 [NFT_MSG_NEWCHAIN] = {
4757 .call_batch = nf_tables_newchain,
4758 .attr_count = NFTA_CHAIN_MAX,
4759 .policy = nft_chain_policy,
4760 },
4761 [NFT_MSG_GETCHAIN] = {
4762 .call = nf_tables_getchain,
4763 .attr_count = NFTA_CHAIN_MAX,
4764 .policy = nft_chain_policy,
4765 },
4766 [NFT_MSG_DELCHAIN] = {
4767 .call_batch = nf_tables_delchain,
4768 .attr_count = NFTA_CHAIN_MAX,
4769 .policy = nft_chain_policy,
4770 },
4771 [NFT_MSG_NEWRULE] = {
4772 .call_batch = nf_tables_newrule,
4773 .attr_count = NFTA_RULE_MAX,
4774 .policy = nft_rule_policy,
4775 },
4776 [NFT_MSG_GETRULE] = {
4777 .call = nf_tables_getrule,
4778 .attr_count = NFTA_RULE_MAX,
4779 .policy = nft_rule_policy,
4780 },
4781 [NFT_MSG_DELRULE] = {
4782 .call_batch = nf_tables_delrule,
4783 .attr_count = NFTA_RULE_MAX,
4784 .policy = nft_rule_policy,
4785 },
4786 [NFT_MSG_NEWSET] = {
4787 .call_batch = nf_tables_newset,
4788 .attr_count = NFTA_SET_MAX,
4789 .policy = nft_set_policy,
4790 },
4791 [NFT_MSG_GETSET] = {
4792 .call = nf_tables_getset,
4793 .attr_count = NFTA_SET_MAX,
4794 .policy = nft_set_policy,
4795 },
4796 [NFT_MSG_DELSET] = {
4797 .call_batch = nf_tables_delset,
4798 .attr_count = NFTA_SET_MAX,
4799 .policy = nft_set_policy,
4800 },
4801 [NFT_MSG_NEWSETELEM] = {
4802 .call_batch = nf_tables_newsetelem,
4803 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4804 .policy = nft_set_elem_list_policy,
4805 },
4806 [NFT_MSG_GETSETELEM] = {
4807 .call = nf_tables_getsetelem,
4808 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4809 .policy = nft_set_elem_list_policy,
4810 },
4811 [NFT_MSG_DELSETELEM] = {
4812 .call_batch = nf_tables_delsetelem,
4813 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4814 .policy = nft_set_elem_list_policy,
4815 },
4816 [NFT_MSG_GETGEN] = {
4817 .call = nf_tables_getgen,
4818 },
4819 [NFT_MSG_NEWOBJ] = {
4820 .call_batch = nf_tables_newobj,
4821 .attr_count = NFTA_OBJ_MAX,
4822 .policy = nft_obj_policy,
4823 },
4824 [NFT_MSG_GETOBJ] = {
4825 .call = nf_tables_getobj,
4826 .attr_count = NFTA_OBJ_MAX,
4827 .policy = nft_obj_policy,
4828 },
4829 [NFT_MSG_DELOBJ] = {
4830 .call_batch = nf_tables_delobj,
4831 .attr_count = NFTA_OBJ_MAX,
4832 .policy = nft_obj_policy,
4833 },
4834 [NFT_MSG_GETOBJ_RESET] = {
4835 .call = nf_tables_getobj,
4836 .attr_count = NFTA_OBJ_MAX,
4837 .policy = nft_obj_policy,
4838 },
4839};
4840
4841static void nft_chain_commit_update(struct nft_trans *trans)
4842{
4843 struct nft_base_chain *basechain;
4844
4845 if (nft_trans_chain_name(trans)[0])
4846 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
4847
4848 if (!nft_is_base_chain(trans->ctx.chain))
4849 return;
4850
4851 basechain = nft_base_chain(trans->ctx.chain);
4852 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
4853
4854 switch (nft_trans_chain_policy(trans)) {
4855 case NF_DROP:
4856 case NF_ACCEPT:
4857 basechain->policy = nft_trans_chain_policy(trans);
4858 break;
4859 }
4860}
4861
4862static void nf_tables_commit_release(struct nft_trans *trans)
4863{
4864 switch (trans->msg_type) {
4865 case NFT_MSG_DELTABLE:
4866 nf_tables_table_destroy(&trans->ctx);
4867 break;
4868 case NFT_MSG_DELCHAIN:
4869 nf_tables_chain_destroy(trans->ctx.chain);
4870 break;
4871 case NFT_MSG_DELRULE:
4872 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4873 break;
4874 case NFT_MSG_DELSET:
4875 nft_set_destroy(nft_trans_set(trans));
4876 break;
4877 case NFT_MSG_DELSETELEM:
4878 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
4879 nft_trans_elem(trans).priv);
4880 break;
4881 case NFT_MSG_DELOBJ:
4882 nft_obj_destroy(nft_trans_obj(trans));
4883 break;
4884 }
4885 kfree(trans);
4886}
4887
4888static int nf_tables_commit(struct net *net, struct sk_buff *skb)
4889{
4890 struct nft_trans *trans, *next;
4891 struct nft_trans_elem *te;
4892
4893
4894 while (++net->nft.base_seq == 0);
4895
4896
4897 net->nft.gencursor = nft_gencursor_next(net);
4898
4899
4900
4901
4902 synchronize_rcu();
4903
4904 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4905 switch (trans->msg_type) {
4906 case NFT_MSG_NEWTABLE:
4907 if (nft_trans_table_update(trans)) {
4908 if (!nft_trans_table_enable(trans)) {
4909 nf_tables_table_disable(net,
4910 trans->ctx.afi,
4911 trans->ctx.table);
4912 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4913 }
4914 } else {
4915 nft_clear(net, trans->ctx.table);
4916 }
4917 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
4918 nft_trans_destroy(trans);
4919 break;
4920 case NFT_MSG_DELTABLE:
4921 list_del_rcu(&trans->ctx.table->list);
4922 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
4923 break;
4924 case NFT_MSG_NEWCHAIN:
4925 if (nft_trans_chain_update(trans))
4926 nft_chain_commit_update(trans);
4927 else
4928 nft_clear(net, trans->ctx.chain);
4929
4930 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
4931 nft_trans_destroy(trans);
4932 break;
4933 case NFT_MSG_DELCHAIN:
4934 list_del_rcu(&trans->ctx.chain->list);
4935 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
4936 nf_tables_unregister_hooks(trans->ctx.net,
4937 trans->ctx.table,
4938 trans->ctx.chain,
4939 trans->ctx.afi->nops);
4940 break;
4941 case NFT_MSG_NEWRULE:
4942 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4943 nf_tables_rule_notify(&trans->ctx,
4944 nft_trans_rule(trans),
4945 NFT_MSG_NEWRULE);
4946 nft_trans_destroy(trans);
4947 break;
4948 case NFT_MSG_DELRULE:
4949 list_del_rcu(&nft_trans_rule(trans)->list);
4950 nf_tables_rule_notify(&trans->ctx,
4951 nft_trans_rule(trans),
4952 NFT_MSG_DELRULE);
4953 break;
4954 case NFT_MSG_NEWSET:
4955 nft_clear(net, nft_trans_set(trans));
4956
4957
4958
4959 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
4960 !list_empty(&nft_trans_set(trans)->bindings))
4961 trans->ctx.table->use--;
4962
4963 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4964 NFT_MSG_NEWSET, GFP_KERNEL);
4965 nft_trans_destroy(trans);
4966 break;
4967 case NFT_MSG_DELSET:
4968 list_del_rcu(&nft_trans_set(trans)->list);
4969 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4970 NFT_MSG_DELSET, GFP_KERNEL);
4971 break;
4972 case NFT_MSG_NEWSETELEM:
4973 te = (struct nft_trans_elem *)trans->data;
4974
4975 te->set->ops->activate(net, te->set, &te->elem);
4976 nf_tables_setelem_notify(&trans->ctx, te->set,
4977 &te->elem,
4978 NFT_MSG_NEWSETELEM, 0);
4979 nft_trans_destroy(trans);
4980 break;
4981 case NFT_MSG_DELSETELEM:
4982 te = (struct nft_trans_elem *)trans->data;
4983
4984 nf_tables_setelem_notify(&trans->ctx, te->set,
4985 &te->elem,
4986 NFT_MSG_DELSETELEM, 0);
4987 te->set->ops->remove(net, te->set, &te->elem);
4988 atomic_dec(&te->set->nelems);
4989 te->set->ndeact--;
4990 break;
4991 case NFT_MSG_NEWOBJ:
4992 nft_clear(net, nft_trans_obj(trans));
4993 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
4994 NFT_MSG_NEWOBJ);
4995 nft_trans_destroy(trans);
4996 break;
4997 case NFT_MSG_DELOBJ:
4998 list_del_rcu(&nft_trans_obj(trans)->list);
4999 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5000 NFT_MSG_DELOBJ);
5001 break;
5002 }
5003 }
5004
5005 synchronize_rcu();
5006
5007 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5008 list_del(&trans->list);
5009 nf_tables_commit_release(trans);
5010 }
5011
5012 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5013
5014 return 0;
5015}
5016
5017static void nf_tables_abort_release(struct nft_trans *trans)
5018{
5019 switch (trans->msg_type) {
5020 case NFT_MSG_NEWTABLE:
5021 nf_tables_table_destroy(&trans->ctx);
5022 break;
5023 case NFT_MSG_NEWCHAIN:
5024 nf_tables_chain_destroy(trans->ctx.chain);
5025 break;
5026 case NFT_MSG_NEWRULE:
5027 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5028 break;
5029 case NFT_MSG_NEWSET:
5030 nft_set_destroy(nft_trans_set(trans));
5031 break;
5032 case NFT_MSG_NEWSETELEM:
5033 nft_set_elem_destroy(nft_trans_elem_set(trans),
5034 nft_trans_elem(trans).priv, true);
5035 break;
5036 case NFT_MSG_NEWOBJ:
5037 nft_obj_destroy(nft_trans_obj(trans));
5038 break;
5039 }
5040 kfree(trans);
5041}
5042
5043static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5044{
5045 struct nft_trans *trans, *next;
5046 struct nft_trans_elem *te;
5047
5048 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5049 list) {
5050 switch (trans->msg_type) {
5051 case NFT_MSG_NEWTABLE:
5052 if (nft_trans_table_update(trans)) {
5053 if (nft_trans_table_enable(trans)) {
5054 nf_tables_table_disable(net,
5055 trans->ctx.afi,
5056 trans->ctx.table);
5057 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5058 }
5059 nft_trans_destroy(trans);
5060 } else {
5061 list_del_rcu(&trans->ctx.table->list);
5062 }
5063 break;
5064 case NFT_MSG_DELTABLE:
5065 nft_clear(trans->ctx.net, trans->ctx.table);
5066 nft_trans_destroy(trans);
5067 break;
5068 case NFT_MSG_NEWCHAIN:
5069 if (nft_trans_chain_update(trans)) {
5070 free_percpu(nft_trans_chain_stats(trans));
5071
5072 nft_trans_destroy(trans);
5073 } else {
5074 trans->ctx.table->use--;
5075 list_del_rcu(&trans->ctx.chain->list);
5076 nf_tables_unregister_hooks(trans->ctx.net,
5077 trans->ctx.table,
5078 trans->ctx.chain,
5079 trans->ctx.afi->nops);
5080 }
5081 break;
5082 case NFT_MSG_DELCHAIN:
5083 trans->ctx.table->use++;
5084 nft_clear(trans->ctx.net, trans->ctx.chain);
5085 nft_trans_destroy(trans);
5086 break;
5087 case NFT_MSG_NEWRULE:
5088 trans->ctx.chain->use--;
5089 list_del_rcu(&nft_trans_rule(trans)->list);
5090 break;
5091 case NFT_MSG_DELRULE:
5092 trans->ctx.chain->use++;
5093 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5094 nft_trans_destroy(trans);
5095 break;
5096 case NFT_MSG_NEWSET:
5097 trans->ctx.table->use--;
5098 list_del_rcu(&nft_trans_set(trans)->list);
5099 break;
5100 case NFT_MSG_DELSET:
5101 trans->ctx.table->use++;
5102 nft_clear(trans->ctx.net, nft_trans_set(trans));
5103 nft_trans_destroy(trans);
5104 break;
5105 case NFT_MSG_NEWSETELEM:
5106 te = (struct nft_trans_elem *)trans->data;
5107
5108 te->set->ops->remove(net, te->set, &te->elem);
5109 atomic_dec(&te->set->nelems);
5110 break;
5111 case NFT_MSG_DELSETELEM:
5112 te = (struct nft_trans_elem *)trans->data;
5113
5114 nft_set_elem_activate(net, te->set, &te->elem);
5115 te->set->ops->activate(net, te->set, &te->elem);
5116 te->set->ndeact--;
5117
5118 nft_trans_destroy(trans);
5119 break;
5120 case NFT_MSG_NEWOBJ:
5121 trans->ctx.table->use--;
5122 list_del_rcu(&nft_trans_obj(trans)->list);
5123 break;
5124 case NFT_MSG_DELOBJ:
5125 trans->ctx.table->use++;
5126 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5127 nft_trans_destroy(trans);
5128 break;
5129 }
5130 }
5131
5132 synchronize_rcu();
5133
5134 list_for_each_entry_safe_reverse(trans, next,
5135 &net->nft.commit_list, list) {
5136 list_del(&trans->list);
5137 nf_tables_abort_release(trans);
5138 }
5139
5140 return 0;
5141}
5142
5143static bool nf_tables_valid_genid(struct net *net, u32 genid)
5144{
5145 return net->nft.base_seq == genid;
5146}
5147
5148static const struct nfnetlink_subsystem nf_tables_subsys = {
5149 .name = "nf_tables",
5150 .subsys_id = NFNL_SUBSYS_NFTABLES,
5151 .cb_count = NFT_MSG_MAX,
5152 .cb = nf_tables_cb,
5153 .commit = nf_tables_commit,
5154 .abort = nf_tables_abort,
5155 .valid_genid = nf_tables_valid_genid,
5156};
5157
5158int nft_chain_validate_dependency(const struct nft_chain *chain,
5159 enum nft_chain_type type)
5160{
5161 const struct nft_base_chain *basechain;
5162
5163 if (nft_is_base_chain(chain)) {
5164 basechain = nft_base_chain(chain);
5165 if (basechain->type->type != type)
5166 return -EOPNOTSUPP;
5167 }
5168 return 0;
5169}
5170EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
5171
5172int nft_chain_validate_hooks(const struct nft_chain *chain,
5173 unsigned int hook_flags)
5174{
5175 struct nft_base_chain *basechain;
5176
5177 if (nft_is_base_chain(chain)) {
5178 basechain = nft_base_chain(chain);
5179
5180 if ((1 << basechain->ops[0].hooknum) & hook_flags)
5181 return 0;
5182
5183 return -EOPNOTSUPP;
5184 }
5185
5186 return 0;
5187}
5188EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
5189
5190
5191
5192
5193
5194
5195
5196
5197
5198
5199static int nf_tables_check_loops(const struct nft_ctx *ctx,
5200 const struct nft_chain *chain);
5201
5202static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
5203 struct nft_set *set,
5204 const struct nft_set_iter *iter,
5205 struct nft_set_elem *elem)
5206{
5207 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5208 const struct nft_data *data;
5209
5210 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5211 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
5212 return 0;
5213
5214 data = nft_set_ext_data(ext);
5215 switch (data->verdict.code) {
5216 case NFT_JUMP:
5217 case NFT_GOTO:
5218 return nf_tables_check_loops(ctx, data->verdict.chain);
5219 default:
5220 return 0;
5221 }
5222}
5223
5224static int nf_tables_check_loops(const struct nft_ctx *ctx,
5225 const struct nft_chain *chain)
5226{
5227 const struct nft_rule *rule;
5228 const struct nft_expr *expr, *last;
5229 struct nft_set *set;
5230 struct nft_set_binding *binding;
5231 struct nft_set_iter iter;
5232
5233 if (ctx->chain == chain)
5234 return -ELOOP;
5235
5236 list_for_each_entry(rule, &chain->rules, list) {
5237 nft_rule_for_each_expr(expr, last, rule) {
5238 const struct nft_data *data = NULL;
5239 int err;
5240
5241 if (!expr->ops->validate)
5242 continue;
5243
5244 err = expr->ops->validate(ctx, expr, &data);
5245 if (err < 0)
5246 return err;
5247
5248 if (data == NULL)
5249 continue;
5250
5251 switch (data->verdict.code) {
5252 case NFT_JUMP:
5253 case NFT_GOTO:
5254 err = nf_tables_check_loops(ctx,
5255 data->verdict.chain);
5256 if (err < 0)
5257 return err;
5258 default:
5259 break;
5260 }
5261 }
5262 }
5263
5264 list_for_each_entry(set, &ctx->table->sets, list) {
5265 if (!nft_is_active_next(ctx->net, set))
5266 continue;
5267 if (!(set->flags & NFT_SET_MAP) ||
5268 set->dtype != NFT_DATA_VERDICT)
5269 continue;
5270
5271 list_for_each_entry(binding, &set->bindings, list) {
5272 if (!(binding->flags & NFT_SET_MAP) ||
5273 binding->chain != chain)
5274 continue;
5275
5276 iter.genmask = nft_genmask_next(ctx->net);
5277 iter.skip = 0;
5278 iter.count = 0;
5279 iter.err = 0;
5280 iter.fn = nf_tables_loop_check_setelem;
5281
5282 set->ops->walk(ctx, set, &iter);
5283 if (iter.err < 0)
5284 return iter.err;
5285 }
5286 }
5287
5288 return 0;
5289}
5290
5291
5292
5293
5294
5295
5296
5297
5298
5299
5300
5301
5302
5303int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
5304{
5305 u32 val;
5306
5307 val = ntohl(nla_get_be32(attr));
5308 if (val > max)
5309 return -ERANGE;
5310
5311 *dest = val;
5312 return 0;
5313}
5314EXPORT_SYMBOL_GPL(nft_parse_u32_check);
5315
5316
5317
5318
5319
5320
5321
5322
5323
5324
5325unsigned int nft_parse_register(const struct nlattr *attr)
5326{
5327 unsigned int reg;
5328
5329 reg = ntohl(nla_get_be32(attr));
5330 switch (reg) {
5331 case NFT_REG_VERDICT...NFT_REG_4:
5332 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
5333 default:
5334 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
5335 }
5336}
5337EXPORT_SYMBOL_GPL(nft_parse_register);
5338
5339
5340
5341
5342
5343
5344
5345
5346
5347
5348
5349
5350int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
5351{
5352 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
5353 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
5354 else
5355 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
5356
5357 return nla_put_be32(skb, attr, htonl(reg));
5358}
5359EXPORT_SYMBOL_GPL(nft_dump_register);
5360
5361
5362
5363
5364
5365
5366
5367
5368
5369
5370int nft_validate_register_load(enum nft_registers reg, unsigned int len)
5371{
5372 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5373 return -EINVAL;
5374 if (len == 0)
5375 return -EINVAL;
5376 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
5377 return -ERANGE;
5378
5379 return 0;
5380}
5381EXPORT_SYMBOL_GPL(nft_validate_register_load);
5382
5383
5384
5385
5386
5387
5388
5389
5390
5391
5392
5393
5394
5395
5396
5397int nft_validate_register_store(const struct nft_ctx *ctx,
5398 enum nft_registers reg,
5399 const struct nft_data *data,
5400 enum nft_data_types type, unsigned int len)
5401{
5402 int err;
5403
5404 switch (reg) {
5405 case NFT_REG_VERDICT:
5406 if (type != NFT_DATA_VERDICT)
5407 return -EINVAL;
5408
5409 if (data != NULL &&
5410 (data->verdict.code == NFT_GOTO ||
5411 data->verdict.code == NFT_JUMP)) {
5412 err = nf_tables_check_loops(ctx, data->verdict.chain);
5413 if (err < 0)
5414 return err;
5415
5416 if (ctx->chain->level + 1 >
5417 data->verdict.chain->level) {
5418 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
5419 return -EMLINK;
5420 data->verdict.chain->level = ctx->chain->level + 1;
5421 }
5422 }
5423
5424 return 0;
5425 default:
5426 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5427 return -EINVAL;
5428 if (len == 0)
5429 return -EINVAL;
5430 if (reg * NFT_REG32_SIZE + len >
5431 FIELD_SIZEOF(struct nft_regs, data))
5432 return -ERANGE;
5433
5434 if (data != NULL && type != NFT_DATA_VALUE)
5435 return -EINVAL;
5436 return 0;
5437 }
5438}
5439EXPORT_SYMBOL_GPL(nft_validate_register_store);
5440
5441static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
5442 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
5443 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
5444 .len = NFT_CHAIN_MAXNAMELEN - 1 },
5445};
5446
5447static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
5448 struct nft_data_desc *desc, const struct nlattr *nla)
5449{
5450 u8 genmask = nft_genmask_next(ctx->net);
5451 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
5452 struct nft_chain *chain;
5453 int err;
5454
5455 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
5456 NULL);
5457 if (err < 0)
5458 return err;
5459
5460 if (!tb[NFTA_VERDICT_CODE])
5461 return -EINVAL;
5462 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
5463
5464 switch (data->verdict.code) {
5465 default:
5466 switch (data->verdict.code & NF_VERDICT_MASK) {
5467 case NF_ACCEPT:
5468 case NF_DROP:
5469 case NF_QUEUE:
5470 break;
5471 default:
5472 return -EINVAL;
5473 }
5474
5475 case NFT_CONTINUE:
5476 case NFT_BREAK:
5477 case NFT_RETURN:
5478 break;
5479 case NFT_JUMP:
5480 case NFT_GOTO:
5481 if (!tb[NFTA_VERDICT_CHAIN])
5482 return -EINVAL;
5483 chain = nf_tables_chain_lookup(ctx->table,
5484 tb[NFTA_VERDICT_CHAIN], genmask);
5485 if (IS_ERR(chain))
5486 return PTR_ERR(chain);
5487 if (nft_is_base_chain(chain))
5488 return -EOPNOTSUPP;
5489
5490 chain->use++;
5491 data->verdict.chain = chain;
5492 break;
5493 }
5494
5495 desc->len = sizeof(data->verdict);
5496 desc->type = NFT_DATA_VERDICT;
5497 return 0;
5498}
5499
5500static void nft_verdict_uninit(const struct nft_data *data)
5501{
5502 switch (data->verdict.code) {
5503 case NFT_JUMP:
5504 case NFT_GOTO:
5505 data->verdict.chain->use--;
5506 break;
5507 }
5508}
5509
5510int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
5511{
5512 struct nlattr *nest;
5513
5514 nest = nla_nest_start(skb, type);
5515 if (!nest)
5516 goto nla_put_failure;
5517
5518 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
5519 goto nla_put_failure;
5520
5521 switch (v->code) {
5522 case NFT_JUMP:
5523 case NFT_GOTO:
5524 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
5525 v->chain->name))
5526 goto nla_put_failure;
5527 }
5528 nla_nest_end(skb, nest);
5529 return 0;
5530
5531nla_put_failure:
5532 return -1;
5533}
5534
5535static int nft_value_init(const struct nft_ctx *ctx,
5536 struct nft_data *data, unsigned int size,
5537 struct nft_data_desc *desc, const struct nlattr *nla)
5538{
5539 unsigned int len;
5540
5541 len = nla_len(nla);
5542 if (len == 0)
5543 return -EINVAL;
5544 if (len > size)
5545 return -EOVERFLOW;
5546
5547 nla_memcpy(data->data, nla, len);
5548 desc->type = NFT_DATA_VALUE;
5549 desc->len = len;
5550 return 0;
5551}
5552
5553static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
5554 unsigned int len)
5555{
5556 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
5557}
5558
5559static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
5560 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
5561 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
5562};
5563
5564
5565
5566
5567
5568
5569
5570
5571
5572
5573
5574
5575
5576
5577
5578
5579int nft_data_init(const struct nft_ctx *ctx,
5580 struct nft_data *data, unsigned int size,
5581 struct nft_data_desc *desc, const struct nlattr *nla)
5582{
5583 struct nlattr *tb[NFTA_DATA_MAX + 1];
5584 int err;
5585
5586 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
5587 if (err < 0)
5588 return err;
5589
5590 if (tb[NFTA_DATA_VALUE])
5591 return nft_value_init(ctx, data, size, desc,
5592 tb[NFTA_DATA_VALUE]);
5593 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
5594 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
5595 return -EINVAL;
5596}
5597EXPORT_SYMBOL_GPL(nft_data_init);
5598
5599
5600
5601
5602
5603
5604
5605
5606
5607
5608void nft_data_release(const struct nft_data *data, enum nft_data_types type)
5609{
5610 if (type < NFT_DATA_VERDICT)
5611 return;
5612 switch (type) {
5613 case NFT_DATA_VERDICT:
5614 return nft_verdict_uninit(data);
5615 default:
5616 WARN_ON(1);
5617 }
5618}
5619EXPORT_SYMBOL_GPL(nft_data_release);
5620
5621int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
5622 enum nft_data_types type, unsigned int len)
5623{
5624 struct nlattr *nest;
5625 int err;
5626
5627 nest = nla_nest_start(skb, attr);
5628 if (nest == NULL)
5629 return -1;
5630
5631 switch (type) {
5632 case NFT_DATA_VALUE:
5633 err = nft_value_dump(skb, data, len);
5634 break;
5635 case NFT_DATA_VERDICT:
5636 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
5637 break;
5638 default:
5639 err = -EINVAL;
5640 WARN_ON(1);
5641 }
5642
5643 nla_nest_end(skb, nest);
5644 return err;
5645}
5646EXPORT_SYMBOL_GPL(nft_data_dump);
5647
5648static int __net_init nf_tables_init_net(struct net *net)
5649{
5650 INIT_LIST_HEAD(&net->nft.af_info);
5651 INIT_LIST_HEAD(&net->nft.commit_list);
5652 net->nft.base_seq = 1;
5653 return 0;
5654}
5655
5656int __nft_release_basechain(struct nft_ctx *ctx)
5657{
5658 struct nft_rule *rule, *nr;
5659
5660 BUG_ON(!nft_is_base_chain(ctx->chain));
5661
5662 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
5663 ctx->afi->nops);
5664 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
5665 list_del(&rule->list);
5666 ctx->chain->use--;
5667 nf_tables_rule_destroy(ctx, rule);
5668 }
5669 list_del(&ctx->chain->list);
5670 ctx->table->use--;
5671 nf_tables_chain_destroy(ctx->chain);
5672
5673 return 0;
5674}
5675EXPORT_SYMBOL_GPL(__nft_release_basechain);
5676
5677
5678static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
5679{
5680 struct nft_table *table, *nt;
5681 struct nft_chain *chain, *nc;
5682 struct nft_object *obj, *ne;
5683 struct nft_rule *rule, *nr;
5684 struct nft_set *set, *ns;
5685 struct nft_ctx ctx = {
5686 .net = net,
5687 .afi = afi,
5688 };
5689
5690 list_for_each_entry_safe(table, nt, &afi->tables, list) {
5691 list_for_each_entry(chain, &table->chains, list)
5692 nf_tables_unregister_hooks(net, table, chain,
5693 afi->nops);
5694
5695 ctx.table = table;
5696 list_for_each_entry(chain, &table->chains, list) {
5697 ctx.chain = chain;
5698 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
5699 list_del(&rule->list);
5700 chain->use--;
5701 nf_tables_rule_destroy(&ctx, rule);
5702 }
5703 }
5704 list_for_each_entry_safe(set, ns, &table->sets, list) {
5705 list_del(&set->list);
5706 table->use--;
5707 nft_set_destroy(set);
5708 }
5709 list_for_each_entry_safe(obj, ne, &table->objects, list) {
5710 list_del(&obj->list);
5711 table->use--;
5712 nft_obj_destroy(obj);
5713 }
5714 list_for_each_entry_safe(chain, nc, &table->chains, list) {
5715 list_del(&chain->list);
5716 table->use--;
5717 nf_tables_chain_destroy(chain);
5718 }
5719 list_del(&table->list);
5720 nf_tables_table_destroy(&ctx);
5721 }
5722}
5723
5724static struct pernet_operations nf_tables_net_ops = {
5725 .init = nf_tables_init_net,
5726};
5727
5728static int __init nf_tables_module_init(void)
5729{
5730 int err;
5731
5732 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
5733 GFP_KERNEL);
5734 if (info == NULL) {
5735 err = -ENOMEM;
5736 goto err1;
5737 }
5738
5739 err = nf_tables_core_module_init();
5740 if (err < 0)
5741 goto err2;
5742
5743 err = nfnetlink_subsys_register(&nf_tables_subsys);
5744 if (err < 0)
5745 goto err3;
5746
5747 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
5748 return register_pernet_subsys(&nf_tables_net_ops);
5749err3:
5750 nf_tables_core_module_exit();
5751err2:
5752 kfree(info);
5753err1:
5754 return err;
5755}
5756
5757static void __exit nf_tables_module_exit(void)
5758{
5759 unregister_pernet_subsys(&nf_tables_net_ops);
5760 nfnetlink_subsys_unregister(&nf_tables_subsys);
5761 rcu_barrier();
5762 nf_tables_core_module_exit();
5763 kfree(info);
5764}
5765
5766module_init(nf_tables_module_init);
5767module_exit(nf_tables_module_exit);
5768
5769MODULE_LICENSE("GPL");
5770MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
5771MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
5772
