1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/vmalloc.h>
17#include <linux/netfilter.h>
18#include <linux/netfilter/nfnetlink.h>
19#include <linux/netfilter/nf_tables.h>
20#include <net/netfilter/nf_tables_core.h>
21#include <net/netfilter/nf_tables.h>
22#include <net/net_namespace.h>
23#include <net/sock.h>
24
25static LIST_HEAD(nf_tables_expressions);
26static LIST_HEAD(nf_tables_objects);
27
28
29
30
31
32
33
34
35
36int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
37{
38 INIT_LIST_HEAD(&afi->tables);
39 nfnl_lock(NFNL_SUBSYS_NFTABLES);
40 list_add_tail_rcu(&afi->list, &net->nft.af_info);
41 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 return 0;
43}
44EXPORT_SYMBOL_GPL(nft_register_afinfo);
45
46static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
47
48
49
50
51
52
53
54
55void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
56{
57 nfnl_lock(NFNL_SUBSYS_NFTABLES);
58 __nft_release_afinfo(net, afi);
59 list_del_rcu(&afi->list);
60 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
61}
62EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
63
64static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
65{
66 struct nft_af_info *afi;
67
68 list_for_each_entry(afi, &net->nft.af_info, list) {
69 if (afi->family == family)
70 return afi;
71 }
72 return NULL;
73}
74
75static struct nft_af_info *
76nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
77{
78 struct nft_af_info *afi;
79
80 afi = nft_afinfo_lookup(net, family);
81 if (afi != NULL)
82 return afi;
83#ifdef CONFIG_MODULES
84 if (autoload) {
85 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
86 request_module("nft-afinfo-%u", family);
87 nfnl_lock(NFNL_SUBSYS_NFTABLES);
88 afi = nft_afinfo_lookup(net, family);
89 if (afi != NULL)
90 return ERR_PTR(-EAGAIN);
91 }
92#endif
93 return ERR_PTR(-EAFNOSUPPORT);
94}
95
96static void nft_ctx_init(struct nft_ctx *ctx,
97 struct net *net,
98 const struct sk_buff *skb,
99 const struct nlmsghdr *nlh,
100 struct nft_af_info *afi,
101 struct nft_table *table,
102 struct nft_chain *chain,
103 const struct nlattr * const *nla)
104{
105 ctx->net = net;
106 ctx->afi = afi;
107 ctx->table = table;
108 ctx->chain = chain;
109 ctx->nla = nla;
110 ctx->portid = NETLINK_CB(skb).portid;
111 ctx->report = nlmsg_report(nlh);
112 ctx->seq = nlh->nlmsg_seq;
113}
114
115static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
116 int msg_type, u32 size, gfp_t gfp)
117{
118 struct nft_trans *trans;
119
120 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
121 if (trans == NULL)
122 return NULL;
123
124 trans->msg_type = msg_type;
125 trans->ctx = *ctx;
126
127 return trans;
128}
129
130static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
131 int msg_type, u32 size)
132{
133 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
134}
135
136static void nft_trans_destroy(struct nft_trans *trans)
137{
138 list_del(&trans->list);
139 kfree(trans);
140}
141
142static int nf_tables_register_hooks(struct net *net,
143 const struct nft_table *table,
144 struct nft_chain *chain,
145 unsigned int hook_nops)
146{
147 if (table->flags & NFT_TABLE_F_DORMANT ||
148 !nft_is_base_chain(chain))
149 return 0;
150
151 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
152 hook_nops);
153}
154
155static void nf_tables_unregister_hooks(struct net *net,
156 const struct nft_table *table,
157 struct nft_chain *chain,
158 unsigned int hook_nops)
159{
160 if (table->flags & NFT_TABLE_F_DORMANT ||
161 !nft_is_base_chain(chain))
162 return;
163
164 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
165}
166
167static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
168{
169 struct nft_trans *trans;
170
171 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
172 if (trans == NULL)
173 return -ENOMEM;
174
175 if (msg_type == NFT_MSG_NEWTABLE)
176 nft_activate_next(ctx->net, ctx->table);
177
178 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
179 return 0;
180}
181
182static int nft_deltable(struct nft_ctx *ctx)
183{
184 int err;
185
186 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
187 if (err < 0)
188 return err;
189
190 nft_deactivate_next(ctx->net, ctx->table);
191 return err;
192}
193
194static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
195{
196 struct nft_trans *trans;
197
198 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
199 if (trans == NULL)
200 return -ENOMEM;
201
202 if (msg_type == NFT_MSG_NEWCHAIN)
203 nft_activate_next(ctx->net, ctx->chain);
204
205 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
206 return 0;
207}
208
209static int nft_delchain(struct nft_ctx *ctx)
210{
211 int err;
212
213 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
214 if (err < 0)
215 return err;
216
217 ctx->table->use--;
218 nft_deactivate_next(ctx->net, ctx->chain);
219
220 return err;
221}
222
223static int
224nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
225{
226
227 if (nft_is_active_next(ctx->net, rule)) {
228 nft_deactivate_next(ctx->net, rule);
229 ctx->chain->use--;
230 return 0;
231 }
232 return -ENOENT;
233}
234
235static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
236 struct nft_rule *rule)
237{
238 struct nft_trans *trans;
239
240 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
241 if (trans == NULL)
242 return NULL;
243
244 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
245 nft_trans_rule_id(trans) =
246 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
247 }
248 nft_trans_rule(trans) = rule;
249 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
250
251 return trans;
252}
253
254static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
255{
256 struct nft_trans *trans;
257 int err;
258
259 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
260 if (trans == NULL)
261 return -ENOMEM;
262
263 err = nf_tables_delrule_deactivate(ctx, rule);
264 if (err < 0) {
265 nft_trans_destroy(trans);
266 return err;
267 }
268
269 return 0;
270}
271
272static int nft_delrule_by_chain(struct nft_ctx *ctx)
273{
274 struct nft_rule *rule;
275 int err;
276
277 list_for_each_entry(rule, &ctx->chain->rules, list) {
278 err = nft_delrule(ctx, rule);
279 if (err < 0)
280 return err;
281 }
282 return 0;
283}
284
285static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
286 struct nft_set *set)
287{
288 struct nft_trans *trans;
289
290 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
291 if (trans == NULL)
292 return -ENOMEM;
293
294 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
295 nft_trans_set_id(trans) =
296 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
297 nft_activate_next(ctx->net, set);
298 }
299 nft_trans_set(trans) = set;
300 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
301
302 return 0;
303}
304
305static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
306{
307 int err;
308
309 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
310 if (err < 0)
311 return err;
312
313 nft_deactivate_next(ctx->net, set);
314 ctx->table->use--;
315
316 return err;
317}
318
319static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
320 struct nft_object *obj)
321{
322 struct nft_trans *trans;
323
324 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
325 if (trans == NULL)
326 return -ENOMEM;
327
328 if (msg_type == NFT_MSG_NEWOBJ)
329 nft_activate_next(ctx->net, obj);
330
331 nft_trans_obj(trans) = obj;
332 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
333
334 return 0;
335}
336
337static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
338{
339 int err;
340
341 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
342 if (err < 0)
343 return err;
344
345 nft_deactivate_next(ctx->net, obj);
346 ctx->table->use--;
347
348 return err;
349}
350
351
352
353
354
355static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
356 const struct nlattr *nla,
357 u8 genmask)
358{
359 struct nft_table *table;
360
361 list_for_each_entry(table, &afi->tables, list) {
362 if (!nla_strcmp(nla, table->name) &&
363 nft_active_genmask(table, genmask))
364 return table;
365 }
366 return NULL;
367}
368
369static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
370 const struct nlattr *nla,
371 u8 genmask)
372{
373 struct nft_table *table;
374
375 if (nla == NULL)
376 return ERR_PTR(-EINVAL);
377
378 table = nft_table_lookup(afi, nla, genmask);
379 if (table != NULL)
380 return table;
381
382 return ERR_PTR(-ENOENT);
383}
384
385static inline u64 nf_tables_alloc_handle(struct nft_table *table)
386{
387 return ++table->hgenerator;
388}
389
390static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
391
392static const struct nf_chain_type *
393__nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
394{
395 int i;
396
397 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
398 if (chain_type[family][i] != NULL &&
399 !nla_strcmp(nla, chain_type[family][i]->name))
400 return chain_type[family][i];
401 }
402 return NULL;
403}
404
405static const struct nf_chain_type *
406nf_tables_chain_type_lookup(const struct nft_af_info *afi,
407 const struct nlattr *nla,
408 bool autoload)
409{
410 const struct nf_chain_type *type;
411
412 type = __nf_tables_chain_type_lookup(afi->family, nla);
413 if (type != NULL)
414 return type;
415#ifdef CONFIG_MODULES
416 if (autoload) {
417 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
418 request_module("nft-chain-%u-%.*s", afi->family,
419 nla_len(nla), (const char *)nla_data(nla));
420 nfnl_lock(NFNL_SUBSYS_NFTABLES);
421 type = __nf_tables_chain_type_lookup(afi->family, nla);
422 if (type != NULL)
423 return ERR_PTR(-EAGAIN);
424 }
425#endif
426 return ERR_PTR(-ENOENT);
427}
428
429static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
430 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
431 .len = NFT_TABLE_MAXNAMELEN - 1 },
432 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
433};
434
435static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
436 u32 portid, u32 seq, int event, u32 flags,
437 int family, const struct nft_table *table)
438{
439 struct nlmsghdr *nlh;
440 struct nfgenmsg *nfmsg;
441
442 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
443 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
444 if (nlh == NULL)
445 goto nla_put_failure;
446
447 nfmsg = nlmsg_data(nlh);
448 nfmsg->nfgen_family = family;
449 nfmsg->version = NFNETLINK_V0;
450 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
451
452 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
453 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
454 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
455 goto nla_put_failure;
456
457 nlmsg_end(skb, nlh);
458 return 0;
459
460nla_put_failure:
461 nlmsg_trim(skb, nlh);
462 return -1;
463}
464
465static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
466{
467 struct sk_buff *skb;
468 int err;
469
470 if (!ctx->report &&
471 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
472 return;
473
474 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
475 if (skb == NULL)
476 goto err;
477
478 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
479 event, 0, ctx->afi->family, ctx->table);
480 if (err < 0) {
481 kfree_skb(skb);
482 goto err;
483 }
484
485 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
486 ctx->report, GFP_KERNEL);
487 return;
488err:
489 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
490}
491
492static int nf_tables_dump_tables(struct sk_buff *skb,
493 struct netlink_callback *cb)
494{
495 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
496 const struct nft_af_info *afi;
497 const struct nft_table *table;
498 unsigned int idx = 0, s_idx = cb->args[0];
499 struct net *net = sock_net(skb->sk);
500 int family = nfmsg->nfgen_family;
501
502 rcu_read_lock();
503 cb->seq = net->nft.base_seq;
504
505 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
506 if (family != NFPROTO_UNSPEC && family != afi->family)
507 continue;
508
509 list_for_each_entry_rcu(table, &afi->tables, list) {
510 if (idx < s_idx)
511 goto cont;
512 if (idx > s_idx)
513 memset(&cb->args[1], 0,
514 sizeof(cb->args) - sizeof(cb->args[0]));
515 if (!nft_is_active(net, table))
516 continue;
517 if (nf_tables_fill_table_info(skb, net,
518 NETLINK_CB(cb->skb).portid,
519 cb->nlh->nlmsg_seq,
520 NFT_MSG_NEWTABLE,
521 NLM_F_MULTI,
522 afi->family, table) < 0)
523 goto done;
524
525 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
526cont:
527 idx++;
528 }
529 }
530done:
531 rcu_read_unlock();
532 cb->args[0] = idx;
533 return skb->len;
534}
535
536static int nf_tables_gettable(struct net *net, struct sock *nlsk,
537 struct sk_buff *skb, const struct nlmsghdr *nlh,
538 const struct nlattr * const nla[],
539 struct netlink_ext_ack *extack)
540{
541 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
542 u8 genmask = nft_genmask_cur(net);
543 const struct nft_af_info *afi;
544 const struct nft_table *table;
545 struct sk_buff *skb2;
546 int family = nfmsg->nfgen_family;
547 int err;
548
549 if (nlh->nlmsg_flags & NLM_F_DUMP) {
550 struct netlink_dump_control c = {
551 .dump = nf_tables_dump_tables,
552 };
553 return netlink_dump_start(nlsk, skb, nlh, &c);
554 }
555
556 afi = nf_tables_afinfo_lookup(net, family, false);
557 if (IS_ERR(afi))
558 return PTR_ERR(afi);
559
560 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
561 if (IS_ERR(table))
562 return PTR_ERR(table);
563
564 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
565 if (!skb2)
566 return -ENOMEM;
567
568 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
569 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
570 family, table);
571 if (err < 0)
572 goto err;
573
574 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
575
576err:
577 kfree_skb(skb2);
578 return err;
579}
580
581static void _nf_tables_table_disable(struct net *net,
582 const struct nft_af_info *afi,
583 struct nft_table *table,
584 u32 cnt)
585{
586 struct nft_chain *chain;
587 u32 i = 0;
588
589 list_for_each_entry(chain, &table->chains, list) {
590 if (!nft_is_active_next(net, chain))
591 continue;
592 if (!nft_is_base_chain(chain))
593 continue;
594
595 if (cnt && i++ == cnt)
596 break;
597
598 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
599 afi->nops);
600 }
601}
602
603static int nf_tables_table_enable(struct net *net,
604 const struct nft_af_info *afi,
605 struct nft_table *table)
606{
607 struct nft_chain *chain;
608 int err, i = 0;
609
610 list_for_each_entry(chain, &table->chains, list) {
611 if (!nft_is_active_next(net, chain))
612 continue;
613 if (!nft_is_base_chain(chain))
614 continue;
615
616 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
617 afi->nops);
618 if (err < 0)
619 goto err;
620
621 i++;
622 }
623 return 0;
624err:
625 if (i)
626 _nf_tables_table_disable(net, afi, table, i);
627 return err;
628}
629
630static void nf_tables_table_disable(struct net *net,
631 const struct nft_af_info *afi,
632 struct nft_table *table)
633{
634 _nf_tables_table_disable(net, afi, table, 0);
635}
636
637static int nf_tables_updtable(struct nft_ctx *ctx)
638{
639 struct nft_trans *trans;
640 u32 flags;
641 int ret = 0;
642
643 if (!ctx->nla[NFTA_TABLE_FLAGS])
644 return 0;
645
646 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
647 if (flags & ~NFT_TABLE_F_DORMANT)
648 return -EINVAL;
649
650 if (flags == ctx->table->flags)
651 return 0;
652
653 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
654 sizeof(struct nft_trans_table));
655 if (trans == NULL)
656 return -ENOMEM;
657
658 if ((flags & NFT_TABLE_F_DORMANT) &&
659 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
660 nft_trans_table_enable(trans) = false;
661 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
662 ctx->table->flags & NFT_TABLE_F_DORMANT) {
663 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
664 if (ret >= 0) {
665 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
666 nft_trans_table_enable(trans) = true;
667 }
668 }
669 if (ret < 0)
670 goto err;
671
672 nft_trans_table_update(trans) = true;
673 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
674 return 0;
675err:
676 nft_trans_destroy(trans);
677 return ret;
678}
679
680static int nf_tables_newtable(struct net *net, struct sock *nlsk,
681 struct sk_buff *skb, const struct nlmsghdr *nlh,
682 const struct nlattr * const nla[],
683 struct netlink_ext_ack *extack)
684{
685 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
686 u8 genmask = nft_genmask_next(net);
687 const struct nlattr *name;
688 struct nft_af_info *afi;
689 struct nft_table *table;
690 int family = nfmsg->nfgen_family;
691 u32 flags = 0;
692 struct nft_ctx ctx;
693 int err;
694
695 afi = nf_tables_afinfo_lookup(net, family, true);
696 if (IS_ERR(afi))
697 return PTR_ERR(afi);
698
699 name = nla[NFTA_TABLE_NAME];
700 table = nf_tables_table_lookup(afi, name, genmask);
701 if (IS_ERR(table)) {
702 if (PTR_ERR(table) != -ENOENT)
703 return PTR_ERR(table);
704 } else {
705 if (nlh->nlmsg_flags & NLM_F_EXCL)
706 return -EEXIST;
707 if (nlh->nlmsg_flags & NLM_F_REPLACE)
708 return -EOPNOTSUPP;
709
710 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
711 return nf_tables_updtable(&ctx);
712 }
713
714 if (nla[NFTA_TABLE_FLAGS]) {
715 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
716 if (flags & ~NFT_TABLE_F_DORMANT)
717 return -EINVAL;
718 }
719
720 err = -EAFNOSUPPORT;
721 if (!try_module_get(afi->owner))
722 goto err1;
723
724 err = -ENOMEM;
725 table = kzalloc(sizeof(*table), GFP_KERNEL);
726 if (table == NULL)
727 goto err2;
728
729 table->name = nla_strdup(name, GFP_KERNEL);
730 if (table->name == NULL)
731 goto err3;
732
733 INIT_LIST_HEAD(&table->chains);
734 INIT_LIST_HEAD(&table->sets);
735 INIT_LIST_HEAD(&table->objects);
736 table->flags = flags;
737
738 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
739 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
740 if (err < 0)
741 goto err4;
742
743 list_add_tail_rcu(&table->list, &afi->tables);
744 return 0;
745err4:
746 kfree(table->name);
747err3:
748 kfree(table);
749err2:
750 module_put(afi->owner);
751err1:
752 return err;
753}
754
755static int nft_flush_table(struct nft_ctx *ctx)
756{
757 int err;
758 struct nft_chain *chain, *nc;
759 struct nft_object *obj, *ne;
760 struct nft_set *set, *ns;
761
762 list_for_each_entry(chain, &ctx->table->chains, list) {
763 if (!nft_is_active_next(ctx->net, chain))
764 continue;
765
766 ctx->chain = chain;
767
768 err = nft_delrule_by_chain(ctx);
769 if (err < 0)
770 goto out;
771 }
772
773 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
774 if (!nft_is_active_next(ctx->net, set))
775 continue;
776
777 if (set->flags & NFT_SET_ANONYMOUS &&
778 !list_empty(&set->bindings))
779 continue;
780
781 err = nft_delset(ctx, set);
782 if (err < 0)
783 goto out;
784 }
785
786 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
787 err = nft_delobj(ctx, obj);
788 if (err < 0)
789 goto out;
790 }
791
792 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
793 if (!nft_is_active_next(ctx->net, chain))
794 continue;
795
796 ctx->chain = chain;
797
798 err = nft_delchain(ctx);
799 if (err < 0)
800 goto out;
801 }
802
803 err = nft_deltable(ctx);
804out:
805 return err;
806}
807
808static int nft_flush(struct nft_ctx *ctx, int family)
809{
810 struct nft_af_info *afi;
811 struct nft_table *table, *nt;
812 const struct nlattr * const *nla = ctx->nla;
813 int err = 0;
814
815 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
816 if (family != AF_UNSPEC && afi->family != family)
817 continue;
818
819 ctx->afi = afi;
820 list_for_each_entry_safe(table, nt, &afi->tables, list) {
821 if (!nft_is_active_next(ctx->net, table))
822 continue;
823
824 if (nla[NFTA_TABLE_NAME] &&
825 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
826 continue;
827
828 ctx->table = table;
829
830 err = nft_flush_table(ctx);
831 if (err < 0)
832 goto out;
833 }
834 }
835out:
836 return err;
837}
838
839static int nf_tables_deltable(struct net *net, struct sock *nlsk,
840 struct sk_buff *skb, const struct nlmsghdr *nlh,
841 const struct nlattr * const nla[],
842 struct netlink_ext_ack *extack)
843{
844 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
845 u8 genmask = nft_genmask_next(net);
846 struct nft_af_info *afi;
847 struct nft_table *table;
848 int family = nfmsg->nfgen_family;
849 struct nft_ctx ctx;
850
851 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
852 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
853 return nft_flush(&ctx, family);
854
855 afi = nf_tables_afinfo_lookup(net, family, false);
856 if (IS_ERR(afi))
857 return PTR_ERR(afi);
858
859 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
860 if (IS_ERR(table))
861 return PTR_ERR(table);
862
863 if (nlh->nlmsg_flags & NLM_F_NONREC &&
864 table->use > 0)
865 return -EBUSY;
866
867 ctx.afi = afi;
868 ctx.table = table;
869
870 return nft_flush_table(&ctx);
871}
872
873static void nf_tables_table_destroy(struct nft_ctx *ctx)
874{
875 BUG_ON(ctx->table->use > 0);
876
877 kfree(ctx->table->name);
878 kfree(ctx->table);
879 module_put(ctx->afi->owner);
880}
881
882int nft_register_chain_type(const struct nf_chain_type *ctype)
883{
884 int err = 0;
885
886 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
887 return -EINVAL;
888
889 nfnl_lock(NFNL_SUBSYS_NFTABLES);
890 if (chain_type[ctype->family][ctype->type] != NULL) {
891 err = -EBUSY;
892 goto out;
893 }
894 chain_type[ctype->family][ctype->type] = ctype;
895out:
896 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
897 return err;
898}
899EXPORT_SYMBOL_GPL(nft_register_chain_type);
900
901void nft_unregister_chain_type(const struct nf_chain_type *ctype)
902{
903 nfnl_lock(NFNL_SUBSYS_NFTABLES);
904 chain_type[ctype->family][ctype->type] = NULL;
905 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
906}
907EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
908
909
910
911
912
913static struct nft_chain *
914nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
915 u8 genmask)
916{
917 struct nft_chain *chain;
918
919 list_for_each_entry(chain, &table->chains, list) {
920 if (chain->handle == handle &&
921 nft_active_genmask(chain, genmask))
922 return chain;
923 }
924
925 return ERR_PTR(-ENOENT);
926}
927
928static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
929 const struct nlattr *nla,
930 u8 genmask)
931{
932 struct nft_chain *chain;
933
934 if (nla == NULL)
935 return ERR_PTR(-EINVAL);
936
937 list_for_each_entry(chain, &table->chains, list) {
938 if (!nla_strcmp(nla, chain->name) &&
939 nft_active_genmask(chain, genmask))
940 return chain;
941 }
942
943 return ERR_PTR(-ENOENT);
944}
945
946static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
947 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
948 .len = NFT_TABLE_MAXNAMELEN - 1 },
949 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
950 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
951 .len = NFT_CHAIN_MAXNAMELEN - 1 },
952 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
953 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
954 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
955 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
956};
957
958static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
959 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
960 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
961 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
962 .len = IFNAMSIZ - 1 },
963};
964
965static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
966{
967 struct nft_stats *cpu_stats, total;
968 struct nlattr *nest;
969 unsigned int seq;
970 u64 pkts, bytes;
971 int cpu;
972
973 memset(&total, 0, sizeof(total));
974 for_each_possible_cpu(cpu) {
975 cpu_stats = per_cpu_ptr(stats, cpu);
976 do {
977 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
978 pkts = cpu_stats->pkts;
979 bytes = cpu_stats->bytes;
980 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
981 total.pkts += pkts;
982 total.bytes += bytes;
983 }
984 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
985 if (nest == NULL)
986 goto nla_put_failure;
987
988 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
989 NFTA_COUNTER_PAD) ||
990 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
991 NFTA_COUNTER_PAD))
992 goto nla_put_failure;
993
994 nla_nest_end(skb, nest);
995 return 0;
996
997nla_put_failure:
998 return -ENOSPC;
999}
1000
1001static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1002 u32 portid, u32 seq, int event, u32 flags,
1003 int family, const struct nft_table *table,
1004 const struct nft_chain *chain)
1005{
1006 struct nlmsghdr *nlh;
1007 struct nfgenmsg *nfmsg;
1008
1009 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1010 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1011 if (nlh == NULL)
1012 goto nla_put_failure;
1013
1014 nfmsg = nlmsg_data(nlh);
1015 nfmsg->nfgen_family = family;
1016 nfmsg->version = NFNETLINK_V0;
1017 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1018
1019 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1020 goto nla_put_failure;
1021 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1022 NFTA_CHAIN_PAD))
1023 goto nla_put_failure;
1024 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1025 goto nla_put_failure;
1026
1027 if (nft_is_base_chain(chain)) {
1028 const struct nft_base_chain *basechain = nft_base_chain(chain);
1029 const struct nf_hook_ops *ops = &basechain->ops[0];
1030 struct nlattr *nest;
1031
1032 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1033 if (nest == NULL)
1034 goto nla_put_failure;
1035 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1036 goto nla_put_failure;
1037 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1038 goto nla_put_failure;
1039 if (basechain->dev_name[0] &&
1040 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1041 goto nla_put_failure;
1042 nla_nest_end(skb, nest);
1043
1044 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1045 htonl(basechain->policy)))
1046 goto nla_put_failure;
1047
1048 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1049 goto nla_put_failure;
1050
1051 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1052 goto nla_put_failure;
1053 }
1054
1055 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1056 goto nla_put_failure;
1057
1058 nlmsg_end(skb, nlh);
1059 return 0;
1060
1061nla_put_failure:
1062 nlmsg_trim(skb, nlh);
1063 return -1;
1064}
1065
1066static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1067{
1068 struct sk_buff *skb;
1069 int err;
1070
1071 if (!ctx->report &&
1072 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1073 return;
1074
1075 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1076 if (skb == NULL)
1077 goto err;
1078
1079 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1080 event, 0, ctx->afi->family, ctx->table,
1081 ctx->chain);
1082 if (err < 0) {
1083 kfree_skb(skb);
1084 goto err;
1085 }
1086
1087 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1088 ctx->report, GFP_KERNEL);
1089 return;
1090err:
1091 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1092}
1093
1094static int nf_tables_dump_chains(struct sk_buff *skb,
1095 struct netlink_callback *cb)
1096{
1097 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1098 const struct nft_af_info *afi;
1099 const struct nft_table *table;
1100 const struct nft_chain *chain;
1101 unsigned int idx = 0, s_idx = cb->args[0];
1102 struct net *net = sock_net(skb->sk);
1103 int family = nfmsg->nfgen_family;
1104
1105 rcu_read_lock();
1106 cb->seq = net->nft.base_seq;
1107
1108 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1109 if (family != NFPROTO_UNSPEC && family != afi->family)
1110 continue;
1111
1112 list_for_each_entry_rcu(table, &afi->tables, list) {
1113 list_for_each_entry_rcu(chain, &table->chains, list) {
1114 if (idx < s_idx)
1115 goto cont;
1116 if (idx > s_idx)
1117 memset(&cb->args[1], 0,
1118 sizeof(cb->args) - sizeof(cb->args[0]));
1119 if (!nft_is_active(net, chain))
1120 continue;
1121 if (nf_tables_fill_chain_info(skb, net,
1122 NETLINK_CB(cb->skb).portid,
1123 cb->nlh->nlmsg_seq,
1124 NFT_MSG_NEWCHAIN,
1125 NLM_F_MULTI,
1126 afi->family, table, chain) < 0)
1127 goto done;
1128
1129 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1130cont:
1131 idx++;
1132 }
1133 }
1134 }
1135done:
1136 rcu_read_unlock();
1137 cb->args[0] = idx;
1138 return skb->len;
1139}
1140
1141static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1142 struct sk_buff *skb, const struct nlmsghdr *nlh,
1143 const struct nlattr * const nla[],
1144 struct netlink_ext_ack *extack)
1145{
1146 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1147 u8 genmask = nft_genmask_cur(net);
1148 const struct nft_af_info *afi;
1149 const struct nft_table *table;
1150 const struct nft_chain *chain;
1151 struct sk_buff *skb2;
1152 int family = nfmsg->nfgen_family;
1153 int err;
1154
1155 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1156 struct netlink_dump_control c = {
1157 .dump = nf_tables_dump_chains,
1158 };
1159 return netlink_dump_start(nlsk, skb, nlh, &c);
1160 }
1161
1162 afi = nf_tables_afinfo_lookup(net, family, false);
1163 if (IS_ERR(afi))
1164 return PTR_ERR(afi);
1165
1166 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1167 if (IS_ERR(table))
1168 return PTR_ERR(table);
1169
1170 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1171 if (IS_ERR(chain))
1172 return PTR_ERR(chain);
1173
1174 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1175 if (!skb2)
1176 return -ENOMEM;
1177
1178 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1179 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1180 family, table, chain);
1181 if (err < 0)
1182 goto err;
1183
1184 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1185
1186err:
1187 kfree_skb(skb2);
1188 return err;
1189}
1190
1191static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1192 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1193 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1194};
1195
1196static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1197{
1198 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1199 struct nft_stats __percpu *newstats;
1200 struct nft_stats *stats;
1201 int err;
1202
1203 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1204 NULL);
1205 if (err < 0)
1206 return ERR_PTR(err);
1207
1208 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1209 return ERR_PTR(-EINVAL);
1210
1211 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1212 if (newstats == NULL)
1213 return ERR_PTR(-ENOMEM);
1214
1215
1216
1217
1218 preempt_disable();
1219 stats = this_cpu_ptr(newstats);
1220 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1221 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1222 preempt_enable();
1223
1224 return newstats;
1225}
1226
1227static void nft_chain_stats_replace(struct nft_base_chain *chain,
1228 struct nft_stats __percpu *newstats)
1229{
1230 if (newstats == NULL)
1231 return;
1232
1233 if (chain->stats) {
1234 struct nft_stats __percpu *oldstats =
1235 nft_dereference(chain->stats);
1236
1237 rcu_assign_pointer(chain->stats, newstats);
1238 synchronize_rcu();
1239 free_percpu(oldstats);
1240 } else
1241 rcu_assign_pointer(chain->stats, newstats);
1242}
1243
1244static void nf_tables_chain_destroy(struct nft_chain *chain)
1245{
1246 BUG_ON(chain->use > 0);
1247
1248 if (nft_is_base_chain(chain)) {
1249 struct nft_base_chain *basechain = nft_base_chain(chain);
1250
1251 module_put(basechain->type->owner);
1252 free_percpu(basechain->stats);
1253 if (basechain->stats)
1254 static_branch_dec(&nft_counters_enabled);
1255 if (basechain->ops[0].dev != NULL)
1256 dev_put(basechain->ops[0].dev);
1257 kfree(chain->name);
1258 kfree(basechain);
1259 } else {
1260 kfree(chain->name);
1261 kfree(chain);
1262 }
1263}
1264
1265struct nft_chain_hook {
1266 u32 num;
1267 u32 priority;
1268 const struct nf_chain_type *type;
1269 struct net_device *dev;
1270};
1271
1272static int nft_chain_parse_hook(struct net *net,
1273 const struct nlattr * const nla[],
1274 struct nft_af_info *afi,
1275 struct nft_chain_hook *hook, bool create)
1276{
1277 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1278 const struct nf_chain_type *type;
1279 struct net_device *dev;
1280 int err;
1281
1282 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1283 nft_hook_policy, NULL);
1284 if (err < 0)
1285 return err;
1286
1287 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1288 ha[NFTA_HOOK_PRIORITY] == NULL)
1289 return -EINVAL;
1290
1291 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1292 if (hook->num >= afi->nhooks)
1293 return -EINVAL;
1294
1295 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1296
1297 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1298 if (nla[NFTA_CHAIN_TYPE]) {
1299 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1300 create);
1301 if (IS_ERR(type))
1302 return PTR_ERR(type);
1303 }
1304 if (!(type->hook_mask & (1 << hook->num)))
1305 return -EOPNOTSUPP;
1306 if (!try_module_get(type->owner))
1307 return -ENOENT;
1308
1309 hook->type = type;
1310
1311 hook->dev = NULL;
1312 if (afi->flags & NFT_AF_NEEDS_DEV) {
1313 char ifname[IFNAMSIZ];
1314
1315 if (!ha[NFTA_HOOK_DEV]) {
1316 module_put(type->owner);
1317 return -EOPNOTSUPP;
1318 }
1319
1320 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1321 dev = dev_get_by_name(net, ifname);
1322 if (!dev) {
1323 module_put(type->owner);
1324 return -ENOENT;
1325 }
1326 hook->dev = dev;
1327 } else if (ha[NFTA_HOOK_DEV]) {
1328 module_put(type->owner);
1329 return -EOPNOTSUPP;
1330 }
1331
1332 return 0;
1333}
1334
1335static void nft_chain_release_hook(struct nft_chain_hook *hook)
1336{
1337 module_put(hook->type->owner);
1338 if (hook->dev != NULL)
1339 dev_put(hook->dev);
1340}
1341
1342static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1343 u8 policy, bool create)
1344{
1345 const struct nlattr * const *nla = ctx->nla;
1346 struct nft_table *table = ctx->table;
1347 struct nft_af_info *afi = ctx->afi;
1348 struct nft_base_chain *basechain;
1349 struct nft_stats __percpu *stats;
1350 struct net *net = ctx->net;
1351 struct nft_chain *chain;
1352 unsigned int i;
1353 int err;
1354
1355 if (table->use == UINT_MAX)
1356 return -EOVERFLOW;
1357
1358 if (nla[NFTA_CHAIN_HOOK]) {
1359 struct nft_chain_hook hook;
1360 struct nf_hook_ops *ops;
1361 nf_hookfn *hookfn;
1362
1363 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1364 if (err < 0)
1365 return err;
1366
1367 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1368 if (basechain == NULL) {
1369 nft_chain_release_hook(&hook);
1370 return -ENOMEM;
1371 }
1372
1373 if (hook.dev != NULL)
1374 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1375
1376 if (nla[NFTA_CHAIN_COUNTERS]) {
1377 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1378 if (IS_ERR(stats)) {
1379 nft_chain_release_hook(&hook);
1380 kfree(basechain);
1381 return PTR_ERR(stats);
1382 }
1383 basechain->stats = stats;
1384 static_branch_inc(&nft_counters_enabled);
1385 }
1386
1387 hookfn = hook.type->hooks[hook.num];
1388 basechain->type = hook.type;
1389 chain = &basechain->chain;
1390
1391 for (i = 0; i < afi->nops; i++) {
1392 ops = &basechain->ops[i];
1393 ops->pf = family;
1394 ops->hooknum = hook.num;
1395 ops->priority = hook.priority;
1396 ops->priv = chain;
1397 ops->hook = afi->hooks[ops->hooknum];
1398 ops->dev = hook.dev;
1399 if (hookfn)
1400 ops->hook = hookfn;
1401 if (afi->hook_ops_init)
1402 afi->hook_ops_init(ops, i);
1403 }
1404
1405 chain->flags |= NFT_BASE_CHAIN;
1406 basechain->policy = policy;
1407 } else {
1408 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1409 if (chain == NULL)
1410 return -ENOMEM;
1411 }
1412 INIT_LIST_HEAD(&chain->rules);
1413 chain->handle = nf_tables_alloc_handle(table);
1414 chain->table = table;
1415 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1416 if (!chain->name) {
1417 err = -ENOMEM;
1418 goto err1;
1419 }
1420
1421 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1422 if (err < 0)
1423 goto err1;
1424
1425 ctx->chain = chain;
1426 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1427 if (err < 0)
1428 goto err2;
1429
1430 table->use++;
1431 list_add_tail_rcu(&chain->list, &table->chains);
1432
1433 return 0;
1434err2:
1435 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1436err1:
1437 nf_tables_chain_destroy(chain);
1438
1439 return err;
1440}
1441
1442static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1443 bool create)
1444{
1445 const struct nlattr * const *nla = ctx->nla;
1446 struct nft_table *table = ctx->table;
1447 struct nft_chain *chain = ctx->chain;
1448 struct nft_af_info *afi = ctx->afi;
1449 struct nft_base_chain *basechain;
1450 struct nft_stats *stats = NULL;
1451 struct nft_chain_hook hook;
1452 const struct nlattr *name;
1453 struct nf_hook_ops *ops;
1454 struct nft_trans *trans;
1455 int err, i;
1456
1457 if (nla[NFTA_CHAIN_HOOK]) {
1458 if (!nft_is_base_chain(chain))
1459 return -EBUSY;
1460
1461 err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
1462 create);
1463 if (err < 0)
1464 return err;
1465
1466 basechain = nft_base_chain(chain);
1467 if (basechain->type != hook.type) {
1468 nft_chain_release_hook(&hook);
1469 return -EBUSY;
1470 }
1471
1472 for (i = 0; i < afi->nops; i++) {
1473 ops = &basechain->ops[i];
1474 if (ops->hooknum != hook.num ||
1475 ops->priority != hook.priority ||
1476 ops->dev != hook.dev) {
1477 nft_chain_release_hook(&hook);
1478 return -EBUSY;
1479 }
1480 }
1481 nft_chain_release_hook(&hook);
1482 }
1483
1484 if (nla[NFTA_CHAIN_HANDLE] &&
1485 nla[NFTA_CHAIN_NAME]) {
1486 struct nft_chain *chain2;
1487
1488 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1489 genmask);
1490 if (!IS_ERR(chain2))
1491 return -EEXIST;
1492 }
1493
1494 if (nla[NFTA_CHAIN_COUNTERS]) {
1495 if (!nft_is_base_chain(chain))
1496 return -EOPNOTSUPP;
1497
1498 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1499 if (IS_ERR(stats))
1500 return PTR_ERR(stats);
1501 }
1502
1503 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1504 sizeof(struct nft_trans_chain));
1505 if (trans == NULL) {
1506 free_percpu(stats);
1507 return -ENOMEM;
1508 }
1509
1510 nft_trans_chain_stats(trans) = stats;
1511 nft_trans_chain_update(trans) = true;
1512
1513 if (nla[NFTA_CHAIN_POLICY])
1514 nft_trans_chain_policy(trans) = policy;
1515 else
1516 nft_trans_chain_policy(trans) = -1;
1517
1518 name = nla[NFTA_CHAIN_NAME];
1519 if (nla[NFTA_CHAIN_HANDLE] && name) {
1520 nft_trans_chain_name(trans) =
1521 nla_strdup(name, GFP_KERNEL);
1522 if (!nft_trans_chain_name(trans)) {
1523 kfree(trans);
1524 free_percpu(stats);
1525 return -ENOMEM;
1526 }
1527 }
1528 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1529
1530 return 0;
1531}
1532
1533static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1534 struct sk_buff *skb, const struct nlmsghdr *nlh,
1535 const struct nlattr * const nla[],
1536 struct netlink_ext_ack *extack)
1537{
1538 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1539 const struct nlattr * uninitialized_var(name);
1540 u8 genmask = nft_genmask_next(net);
1541 int family = nfmsg->nfgen_family;
1542 struct nft_af_info *afi;
1543 struct nft_table *table;
1544 struct nft_chain *chain;
1545 u8 policy = NF_ACCEPT;
1546 struct nft_ctx ctx;
1547 u64 handle = 0;
1548 bool create;
1549
1550 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1551
1552 afi = nf_tables_afinfo_lookup(net, family, true);
1553 if (IS_ERR(afi))
1554 return PTR_ERR(afi);
1555
1556 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1557 if (IS_ERR(table))
1558 return PTR_ERR(table);
1559
1560 chain = NULL;
1561 name = nla[NFTA_CHAIN_NAME];
1562
1563 if (nla[NFTA_CHAIN_HANDLE]) {
1564 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1565 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1566 if (IS_ERR(chain))
1567 return PTR_ERR(chain);
1568 } else {
1569 chain = nf_tables_chain_lookup(table, name, genmask);
1570 if (IS_ERR(chain)) {
1571 if (PTR_ERR(chain) != -ENOENT)
1572 return PTR_ERR(chain);
1573 chain = NULL;
1574 }
1575 }
1576
1577 if (nla[NFTA_CHAIN_POLICY]) {
1578 if (chain != NULL &&
1579 !nft_is_base_chain(chain))
1580 return -EOPNOTSUPP;
1581
1582 if (chain == NULL &&
1583 nla[NFTA_CHAIN_HOOK] == NULL)
1584 return -EOPNOTSUPP;
1585
1586 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1587 switch (policy) {
1588 case NF_DROP:
1589 case NF_ACCEPT:
1590 break;
1591 default:
1592 return -EINVAL;
1593 }
1594 }
1595
1596 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1597
1598 if (chain != NULL) {
1599 if (nlh->nlmsg_flags & NLM_F_EXCL)
1600 return -EEXIST;
1601 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1602 return -EOPNOTSUPP;
1603
1604 return nf_tables_updchain(&ctx, genmask, policy, create);
1605 }
1606
1607 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1608}
1609
1610static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1611 struct sk_buff *skb, const struct nlmsghdr *nlh,
1612 const struct nlattr * const nla[],
1613 struct netlink_ext_ack *extack)
1614{
1615 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1616 u8 genmask = nft_genmask_next(net);
1617 struct nft_af_info *afi;
1618 struct nft_table *table;
1619 struct nft_chain *chain;
1620 struct nft_rule *rule;
1621 int family = nfmsg->nfgen_family;
1622 struct nft_ctx ctx;
1623 u32 use;
1624 int err;
1625
1626 afi = nf_tables_afinfo_lookup(net, family, false);
1627 if (IS_ERR(afi))
1628 return PTR_ERR(afi);
1629
1630 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1631 if (IS_ERR(table))
1632 return PTR_ERR(table);
1633
1634 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1635 if (IS_ERR(chain))
1636 return PTR_ERR(chain);
1637
1638 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1639 chain->use > 0)
1640 return -EBUSY;
1641
1642 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1643
1644 use = chain->use;
1645 list_for_each_entry(rule, &chain->rules, list) {
1646 if (!nft_is_active_next(net, rule))
1647 continue;
1648 use--;
1649
1650 err = nft_delrule(&ctx, rule);
1651 if (err < 0)
1652 return err;
1653 }
1654
1655
1656
1657
1658 if (use > 0)
1659 return -EBUSY;
1660
1661 return nft_delchain(&ctx);
1662}
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675int nft_register_expr(struct nft_expr_type *type)
1676{
1677 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1678 if (type->family == NFPROTO_UNSPEC)
1679 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1680 else
1681 list_add_rcu(&type->list, &nf_tables_expressions);
1682 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1683 return 0;
1684}
1685EXPORT_SYMBOL_GPL(nft_register_expr);
1686
1687
1688
1689
1690
1691
1692
1693void nft_unregister_expr(struct nft_expr_type *type)
1694{
1695 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1696 list_del_rcu(&type->list);
1697 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1698}
1699EXPORT_SYMBOL_GPL(nft_unregister_expr);
1700
1701static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1702 struct nlattr *nla)
1703{
1704 const struct nft_expr_type *type;
1705
1706 list_for_each_entry(type, &nf_tables_expressions, list) {
1707 if (!nla_strcmp(nla, type->name) &&
1708 (!type->family || type->family == family))
1709 return type;
1710 }
1711 return NULL;
1712}
1713
1714static const struct nft_expr_type *nft_expr_type_get(u8 family,
1715 struct nlattr *nla)
1716{
1717 const struct nft_expr_type *type;
1718
1719 if (nla == NULL)
1720 return ERR_PTR(-EINVAL);
1721
1722 type = __nft_expr_type_get(family, nla);
1723 if (type != NULL && try_module_get(type->owner))
1724 return type;
1725
1726#ifdef CONFIG_MODULES
1727 if (type == NULL) {
1728 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1729 request_module("nft-expr-%u-%.*s", family,
1730 nla_len(nla), (char *)nla_data(nla));
1731 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1732 if (__nft_expr_type_get(family, nla))
1733 return ERR_PTR(-EAGAIN);
1734
1735 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1736 request_module("nft-expr-%.*s",
1737 nla_len(nla), (char *)nla_data(nla));
1738 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1739 if (__nft_expr_type_get(family, nla))
1740 return ERR_PTR(-EAGAIN);
1741 }
1742#endif
1743 return ERR_PTR(-ENOENT);
1744}
1745
1746static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1747 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1748 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1749};
1750
1751static int nf_tables_fill_expr_info(struct sk_buff *skb,
1752 const struct nft_expr *expr)
1753{
1754 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1755 goto nla_put_failure;
1756
1757 if (expr->ops->dump) {
1758 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1759 if (data == NULL)
1760 goto nla_put_failure;
1761 if (expr->ops->dump(skb, expr) < 0)
1762 goto nla_put_failure;
1763 nla_nest_end(skb, data);
1764 }
1765
1766 return skb->len;
1767
1768nla_put_failure:
1769 return -1;
1770};
1771
1772int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1773 const struct nft_expr *expr)
1774{
1775 struct nlattr *nest;
1776
1777 nest = nla_nest_start(skb, attr);
1778 if (!nest)
1779 goto nla_put_failure;
1780 if (nf_tables_fill_expr_info(skb, expr) < 0)
1781 goto nla_put_failure;
1782 nla_nest_end(skb, nest);
1783 return 0;
1784
1785nla_put_failure:
1786 return -1;
1787}
1788
1789struct nft_expr_info {
1790 const struct nft_expr_ops *ops;
1791 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1792};
1793
1794static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1795 const struct nlattr *nla,
1796 struct nft_expr_info *info)
1797{
1798 const struct nft_expr_type *type;
1799 const struct nft_expr_ops *ops;
1800 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1801 int err;
1802
1803 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1804 if (err < 0)
1805 return err;
1806
1807 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1808 if (IS_ERR(type))
1809 return PTR_ERR(type);
1810
1811 if (tb[NFTA_EXPR_DATA]) {
1812 err = nla_parse_nested(info->tb, type->maxattr,
1813 tb[NFTA_EXPR_DATA], type->policy, NULL);
1814 if (err < 0)
1815 goto err1;
1816 } else
1817 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1818
1819 if (type->select_ops != NULL) {
1820 ops = type->select_ops(ctx,
1821 (const struct nlattr * const *)info->tb);
1822 if (IS_ERR(ops)) {
1823 err = PTR_ERR(ops);
1824 goto err1;
1825 }
1826 } else
1827 ops = type->ops;
1828
1829 info->ops = ops;
1830 return 0;
1831
1832err1:
1833 module_put(type->owner);
1834 return err;
1835}
1836
1837static int nf_tables_newexpr(const struct nft_ctx *ctx,
1838 const struct nft_expr_info *info,
1839 struct nft_expr *expr)
1840{
1841 const struct nft_expr_ops *ops = info->ops;
1842 int err;
1843
1844 expr->ops = ops;
1845 if (ops->init) {
1846 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1847 if (err < 0)
1848 goto err1;
1849 }
1850
1851 if (ops->validate) {
1852 const struct nft_data *data = NULL;
1853
1854 err = ops->validate(ctx, expr, &data);
1855 if (err < 0)
1856 goto err2;
1857 }
1858
1859 return 0;
1860
1861err2:
1862 if (ops->destroy)
1863 ops->destroy(ctx, expr);
1864err1:
1865 expr->ops = NULL;
1866 return err;
1867}
1868
1869static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1870 struct nft_expr *expr)
1871{
1872 if (expr->ops->destroy)
1873 expr->ops->destroy(ctx, expr);
1874 module_put(expr->ops->type->owner);
1875}
1876
1877struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1878 const struct nlattr *nla)
1879{
1880 struct nft_expr_info info;
1881 struct nft_expr *expr;
1882 int err;
1883
1884 err = nf_tables_expr_parse(ctx, nla, &info);
1885 if (err < 0)
1886 goto err1;
1887
1888 err = -ENOMEM;
1889 expr = kzalloc(info.ops->size, GFP_KERNEL);
1890 if (expr == NULL)
1891 goto err2;
1892
1893 err = nf_tables_newexpr(ctx, &info, expr);
1894 if (err < 0)
1895 goto err3;
1896
1897 return expr;
1898err3:
1899 kfree(expr);
1900err2:
1901 module_put(info.ops->type->owner);
1902err1:
1903 return ERR_PTR(err);
1904}
1905
1906void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1907{
1908 nf_tables_expr_destroy(ctx, expr);
1909 kfree(expr);
1910}
1911
1912
1913
1914
1915
1916static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1917 u64 handle)
1918{
1919 struct nft_rule *rule;
1920
1921
1922 list_for_each_entry(rule, &chain->rules, list) {
1923 if (handle == rule->handle)
1924 return rule;
1925 }
1926
1927 return ERR_PTR(-ENOENT);
1928}
1929
1930static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1931 const struct nlattr *nla)
1932{
1933 if (nla == NULL)
1934 return ERR_PTR(-EINVAL);
1935
1936 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1937}
1938
1939static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1940 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
1941 .len = NFT_TABLE_MAXNAMELEN - 1 },
1942 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1943 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1944 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1945 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1946 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1947 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1948 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1949 .len = NFT_USERDATA_MAXLEN },
1950};
1951
1952static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1953 u32 portid, u32 seq, int event,
1954 u32 flags, int family,
1955 const struct nft_table *table,
1956 const struct nft_chain *chain,
1957 const struct nft_rule *rule)
1958{
1959 struct nlmsghdr *nlh;
1960 struct nfgenmsg *nfmsg;
1961 const struct nft_expr *expr, *next;
1962 struct nlattr *list;
1963 const struct nft_rule *prule;
1964 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1965
1966 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
1967 if (nlh == NULL)
1968 goto nla_put_failure;
1969
1970 nfmsg = nlmsg_data(nlh);
1971 nfmsg->nfgen_family = family;
1972 nfmsg->version = NFNETLINK_V0;
1973 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1974
1975 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1976 goto nla_put_failure;
1977 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1978 goto nla_put_failure;
1979 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1980 NFTA_RULE_PAD))
1981 goto nla_put_failure;
1982
1983 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1984 prule = list_prev_entry(rule, list);
1985 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1986 cpu_to_be64(prule->handle),
1987 NFTA_RULE_PAD))
1988 goto nla_put_failure;
1989 }
1990
1991 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1992 if (list == NULL)
1993 goto nla_put_failure;
1994 nft_rule_for_each_expr(expr, next, rule) {
1995 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1996 goto nla_put_failure;
1997 }
1998 nla_nest_end(skb, list);
1999
2000 if (rule->udata) {
2001 struct nft_userdata *udata = nft_userdata(rule);
2002 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2003 udata->data) < 0)
2004 goto nla_put_failure;
2005 }
2006
2007 nlmsg_end(skb, nlh);
2008 return 0;
2009
2010nla_put_failure:
2011 nlmsg_trim(skb, nlh);
2012 return -1;
2013}
2014
2015static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2016 const struct nft_rule *rule, int event)
2017{
2018 struct sk_buff *skb;
2019 int err;
2020
2021 if (!ctx->report &&
2022 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2023 return;
2024
2025 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2026 if (skb == NULL)
2027 goto err;
2028
2029 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2030 event, 0, ctx->afi->family, ctx->table,
2031 ctx->chain, rule);
2032 if (err < 0) {
2033 kfree_skb(skb);
2034 goto err;
2035 }
2036
2037 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2038 ctx->report, GFP_KERNEL);
2039 return;
2040err:
2041 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2042}
2043
2044struct nft_rule_dump_ctx {
2045 char *table;
2046 char *chain;
2047};
2048
2049static int nf_tables_dump_rules(struct sk_buff *skb,
2050 struct netlink_callback *cb)
2051{
2052 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2053 const struct nft_rule_dump_ctx *ctx = cb->data;
2054 const struct nft_af_info *afi;
2055 const struct nft_table *table;
2056 const struct nft_chain *chain;
2057 const struct nft_rule *rule;
2058 unsigned int idx = 0, s_idx = cb->args[0];
2059 struct net *net = sock_net(skb->sk);
2060 int family = nfmsg->nfgen_family;
2061
2062 rcu_read_lock();
2063 cb->seq = net->nft.base_seq;
2064
2065 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2066 if (family != NFPROTO_UNSPEC && family != afi->family)
2067 continue;
2068
2069 list_for_each_entry_rcu(table, &afi->tables, list) {
2070 if (ctx && ctx->table &&
2071 strcmp(ctx->table, table->name) != 0)
2072 continue;
2073
2074 list_for_each_entry_rcu(chain, &table->chains, list) {
2075 if (ctx && ctx->chain &&
2076 strcmp(ctx->chain, chain->name) != 0)
2077 continue;
2078
2079 list_for_each_entry_rcu(rule, &chain->rules, list) {
2080 if (!nft_is_active(net, rule))
2081 goto cont;
2082 if (idx < s_idx)
2083 goto cont;
2084 if (idx > s_idx)
2085 memset(&cb->args[1], 0,
2086 sizeof(cb->args) - sizeof(cb->args[0]));
2087 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2088 cb->nlh->nlmsg_seq,
2089 NFT_MSG_NEWRULE,
2090 NLM_F_MULTI | NLM_F_APPEND,
2091 afi->family, table, chain, rule) < 0)
2092 goto done;
2093
2094 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2095cont:
2096 idx++;
2097 }
2098 }
2099 }
2100 }
2101done:
2102 rcu_read_unlock();
2103
2104 cb->args[0] = idx;
2105 return skb->len;
2106}
2107
2108static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2109{
2110 struct nft_rule_dump_ctx *ctx = cb->data;
2111
2112 if (ctx) {
2113 kfree(ctx->table);
2114 kfree(ctx->chain);
2115 kfree(ctx);
2116 }
2117 return 0;
2118}
2119
2120static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2121 struct sk_buff *skb, const struct nlmsghdr *nlh,
2122 const struct nlattr * const nla[],
2123 struct netlink_ext_ack *extack)
2124{
2125 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2126 u8 genmask = nft_genmask_cur(net);
2127 const struct nft_af_info *afi;
2128 const struct nft_table *table;
2129 const struct nft_chain *chain;
2130 const struct nft_rule *rule;
2131 struct sk_buff *skb2;
2132 int family = nfmsg->nfgen_family;
2133 int err;
2134
2135 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2136 struct netlink_dump_control c = {
2137 .dump = nf_tables_dump_rules,
2138 .done = nf_tables_dump_rules_done,
2139 };
2140
2141 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2142 struct nft_rule_dump_ctx *ctx;
2143
2144 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2145 if (!ctx)
2146 return -ENOMEM;
2147
2148 if (nla[NFTA_RULE_TABLE]) {
2149 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2150 GFP_KERNEL);
2151 if (!ctx->table) {
2152 kfree(ctx);
2153 return -ENOMEM;
2154 }
2155 }
2156 if (nla[NFTA_RULE_CHAIN]) {
2157 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2158 GFP_KERNEL);
2159 if (!ctx->chain) {
2160 kfree(ctx->table);
2161 kfree(ctx);
2162 return -ENOMEM;
2163 }
2164 }
2165 c.data = ctx;
2166 }
2167
2168 return netlink_dump_start(nlsk, skb, nlh, &c);
2169 }
2170
2171 afi = nf_tables_afinfo_lookup(net, family, false);
2172 if (IS_ERR(afi))
2173 return PTR_ERR(afi);
2174
2175 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2176 if (IS_ERR(table))
2177 return PTR_ERR(table);
2178
2179 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2180 if (IS_ERR(chain))
2181 return PTR_ERR(chain);
2182
2183 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2184 if (IS_ERR(rule))
2185 return PTR_ERR(rule);
2186
2187 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2188 if (!skb2)
2189 return -ENOMEM;
2190
2191 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2192 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2193 family, table, chain, rule);
2194 if (err < 0)
2195 goto err;
2196
2197 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2198
2199err:
2200 kfree_skb(skb2);
2201 return err;
2202}
2203
2204static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2205 struct nft_rule *rule)
2206{
2207 struct nft_expr *expr;
2208
2209
2210
2211
2212
2213 expr = nft_expr_first(rule);
2214 while (expr != nft_expr_last(rule) && expr->ops) {
2215 nf_tables_expr_destroy(ctx, expr);
2216 expr = nft_expr_next(expr);
2217 }
2218 kfree(rule);
2219}
2220
2221#define NFT_RULE_MAXEXPRS 128
2222
2223static struct nft_expr_info *info;
2224
2225static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2226 struct sk_buff *skb, const struct nlmsghdr *nlh,
2227 const struct nlattr * const nla[],
2228 struct netlink_ext_ack *extack)
2229{
2230 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2231 u8 genmask = nft_genmask_next(net);
2232 struct nft_af_info *afi;
2233 struct nft_table *table;
2234 struct nft_chain *chain;
2235 struct nft_rule *rule, *old_rule = NULL;
2236 struct nft_userdata *udata;
2237 struct nft_trans *trans = NULL;
2238 struct nft_expr *expr;
2239 struct nft_ctx ctx;
2240 struct nlattr *tmp;
2241 unsigned int size, i, n, ulen = 0, usize = 0;
2242 int err, rem;
2243 bool create;
2244 u64 handle, pos_handle;
2245
2246 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2247
2248 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2249 if (IS_ERR(afi))
2250 return PTR_ERR(afi);
2251
2252 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2253 if (IS_ERR(table))
2254 return PTR_ERR(table);
2255
2256 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2257 if (IS_ERR(chain))
2258 return PTR_ERR(chain);
2259
2260 if (nla[NFTA_RULE_HANDLE]) {
2261 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2262 rule = __nf_tables_rule_lookup(chain, handle);
2263 if (IS_ERR(rule))
2264 return PTR_ERR(rule);
2265
2266 if (nlh->nlmsg_flags & NLM_F_EXCL)
2267 return -EEXIST;
2268 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2269 old_rule = rule;
2270 else
2271 return -EOPNOTSUPP;
2272 } else {
2273 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2274 return -EINVAL;
2275 handle = nf_tables_alloc_handle(table);
2276
2277 if (chain->use == UINT_MAX)
2278 return -EOVERFLOW;
2279 }
2280
2281 if (nla[NFTA_RULE_POSITION]) {
2282 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2283 return -EOPNOTSUPP;
2284
2285 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2286 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2287 if (IS_ERR(old_rule))
2288 return PTR_ERR(old_rule);
2289 }
2290
2291 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2292
2293 n = 0;
2294 size = 0;
2295 if (nla[NFTA_RULE_EXPRESSIONS]) {
2296 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2297 err = -EINVAL;
2298 if (nla_type(tmp) != NFTA_LIST_ELEM)
2299 goto err1;
2300 if (n == NFT_RULE_MAXEXPRS)
2301 goto err1;
2302 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2303 if (err < 0)
2304 goto err1;
2305 size += info[n].ops->size;
2306 n++;
2307 }
2308 }
2309
2310 err = -EFBIG;
2311 if (size >= 1 << 12)
2312 goto err1;
2313
2314 if (nla[NFTA_RULE_USERDATA]) {
2315 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2316 if (ulen > 0)
2317 usize = sizeof(struct nft_userdata) + ulen;
2318 }
2319
2320 err = -ENOMEM;
2321 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2322 if (rule == NULL)
2323 goto err1;
2324
2325 nft_activate_next(net, rule);
2326
2327 rule->handle = handle;
2328 rule->dlen = size;
2329 rule->udata = ulen ? 1 : 0;
2330
2331 if (ulen) {
2332 udata = nft_userdata(rule);
2333 udata->len = ulen - 1;
2334 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2335 }
2336
2337 expr = nft_expr_first(rule);
2338 for (i = 0; i < n; i++) {
2339 err = nf_tables_newexpr(&ctx, &info[i], expr);
2340 if (err < 0)
2341 goto err2;
2342 info[i].ops = NULL;
2343 expr = nft_expr_next(expr);
2344 }
2345
2346 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2347 if (nft_is_active_next(net, old_rule)) {
2348 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2349 old_rule);
2350 if (trans == NULL) {
2351 err = -ENOMEM;
2352 goto err2;
2353 }
2354 nft_deactivate_next(net, old_rule);
2355 chain->use--;
2356 list_add_tail_rcu(&rule->list, &old_rule->list);
2357 } else {
2358 err = -ENOENT;
2359 goto err2;
2360 }
2361 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2362 if (old_rule)
2363 list_add_rcu(&rule->list, &old_rule->list);
2364 else
2365 list_add_tail_rcu(&rule->list, &chain->rules);
2366 else {
2367 if (old_rule)
2368 list_add_tail_rcu(&rule->list, &old_rule->list);
2369 else
2370 list_add_rcu(&rule->list, &chain->rules);
2371 }
2372
2373 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2374 err = -ENOMEM;
2375 goto err3;
2376 }
2377 chain->use++;
2378 return 0;
2379
2380err3:
2381 list_del_rcu(&rule->list);
2382err2:
2383 nf_tables_rule_destroy(&ctx, rule);
2384err1:
2385 for (i = 0; i < n; i++) {
2386 if (info[i].ops != NULL)
2387 module_put(info[i].ops->type->owner);
2388 }
2389 return err;
2390}
2391
2392static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2393 const struct nlattr *nla)
2394{
2395 u32 id = ntohl(nla_get_be32(nla));
2396 struct nft_trans *trans;
2397
2398 list_for_each_entry(trans, &net->nft.commit_list, list) {
2399 struct nft_rule *rule = nft_trans_rule(trans);
2400
2401 if (trans->msg_type == NFT_MSG_NEWRULE &&
2402 id == nft_trans_rule_id(trans))
2403 return rule;
2404 }
2405 return ERR_PTR(-ENOENT);
2406}
2407
2408static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2409 struct sk_buff *skb, const struct nlmsghdr *nlh,
2410 const struct nlattr * const nla[],
2411 struct netlink_ext_ack *extack)
2412{
2413 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2414 u8 genmask = nft_genmask_next(net);
2415 struct nft_af_info *afi;
2416 struct nft_table *table;
2417 struct nft_chain *chain = NULL;
2418 struct nft_rule *rule;
2419 int family = nfmsg->nfgen_family, err = 0;
2420 struct nft_ctx ctx;
2421
2422 afi = nf_tables_afinfo_lookup(net, family, false);
2423 if (IS_ERR(afi))
2424 return PTR_ERR(afi);
2425
2426 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2427 if (IS_ERR(table))
2428 return PTR_ERR(table);
2429
2430 if (nla[NFTA_RULE_CHAIN]) {
2431 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2432 genmask);
2433 if (IS_ERR(chain))
2434 return PTR_ERR(chain);
2435 }
2436
2437 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2438
2439 if (chain) {
2440 if (nla[NFTA_RULE_HANDLE]) {
2441 rule = nf_tables_rule_lookup(chain,
2442 nla[NFTA_RULE_HANDLE]);
2443 if (IS_ERR(rule))
2444 return PTR_ERR(rule);
2445
2446 err = nft_delrule(&ctx, rule);
2447 } else if (nla[NFTA_RULE_ID]) {
2448 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2449 if (IS_ERR(rule))
2450 return PTR_ERR(rule);
2451
2452 err = nft_delrule(&ctx, rule);
2453 } else {
2454 err = nft_delrule_by_chain(&ctx);
2455 }
2456 } else {
2457 list_for_each_entry(chain, &table->chains, list) {
2458 if (!nft_is_active_next(net, chain))
2459 continue;
2460
2461 ctx.chain = chain;
2462 err = nft_delrule_by_chain(&ctx);
2463 if (err < 0)
2464 break;
2465 }
2466 }
2467
2468 return err;
2469}
2470
2471
2472
2473
2474
2475static LIST_HEAD(nf_tables_set_types);
2476
2477int nft_register_set(struct nft_set_type *type)
2478{
2479 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2480 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2481 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2482 return 0;
2483}
2484EXPORT_SYMBOL_GPL(nft_register_set);
2485
2486void nft_unregister_set(struct nft_set_type *type)
2487{
2488 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2489 list_del_rcu(&type->list);
2490 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2491}
2492EXPORT_SYMBOL_GPL(nft_unregister_set);
2493
2494#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2495 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2496
2497static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2498{
2499 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2500}
2501
2502
2503
2504
2505
2506
2507static const struct nft_set_ops *
2508nft_select_set_ops(const struct nft_ctx *ctx,
2509 const struct nlattr * const nla[],
2510 const struct nft_set_desc *desc,
2511 enum nft_set_policies policy)
2512{
2513 const struct nft_set_ops *ops, *bops;
2514 struct nft_set_estimate est, best;
2515 const struct nft_set_type *type;
2516 u32 flags = 0;
2517
2518#ifdef CONFIG_MODULES
2519 if (list_empty(&nf_tables_set_types)) {
2520 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2521 request_module("nft-set");
2522 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2523 if (!list_empty(&nf_tables_set_types))
2524 return ERR_PTR(-EAGAIN);
2525 }
2526#endif
2527 if (nla[NFTA_SET_FLAGS] != NULL)
2528 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2529
2530 bops = NULL;
2531 best.size = ~0;
2532 best.lookup = ~0;
2533 best.space = ~0;
2534
2535 list_for_each_entry(type, &nf_tables_set_types, list) {
2536 if (!type->select_ops)
2537 ops = type->ops;
2538 else
2539 ops = type->select_ops(ctx, desc, flags);
2540 if (!ops)
2541 continue;
2542
2543 if (!nft_set_ops_candidate(ops, flags))
2544 continue;
2545 if (!ops->estimate(desc, flags, &est))
2546 continue;
2547
2548 switch (policy) {
2549 case NFT_SET_POL_PERFORMANCE:
2550 if (est.lookup < best.lookup)
2551 break;
2552 if (est.lookup == best.lookup &&
2553 est.space < best.space)
2554 break;
2555 continue;
2556 case NFT_SET_POL_MEMORY:
2557 if (!desc->size) {
2558 if (est.space < best.space)
2559 break;
2560 if (est.space == best.space &&
2561 est.lookup < best.lookup)
2562 break;
2563 } else if (est.size < best.size) {
2564 break;
2565 }
2566 continue;
2567 default:
2568 break;
2569 }
2570
2571 if (!try_module_get(type->owner))
2572 continue;
2573 if (bops != NULL)
2574 module_put(bops->type->owner);
2575
2576 bops = ops;
2577 best = est;
2578 }
2579
2580 if (bops != NULL)
2581 return bops;
2582
2583 return ERR_PTR(-EOPNOTSUPP);
2584}
2585
2586static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2587 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2588 .len = NFT_TABLE_MAXNAMELEN - 1 },
2589 [NFTA_SET_NAME] = { .type = NLA_STRING,
2590 .len = NFT_SET_MAXNAMELEN - 1 },
2591 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2592 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2593 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2594 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2595 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2596 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2597 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2598 [NFTA_SET_ID] = { .type = NLA_U32 },
2599 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2600 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2601 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2602 .len = NFT_USERDATA_MAXLEN },
2603 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2604};
2605
2606static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2607 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2608};
2609
2610static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2611 const struct sk_buff *skb,
2612 const struct nlmsghdr *nlh,
2613 const struct nlattr * const nla[],
2614 u8 genmask)
2615{
2616 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2617 struct nft_af_info *afi = NULL;
2618 struct nft_table *table = NULL;
2619
2620 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2621 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2622 if (IS_ERR(afi))
2623 return PTR_ERR(afi);
2624 }
2625
2626 if (nla[NFTA_SET_TABLE] != NULL) {
2627 if (afi == NULL)
2628 return -EAFNOSUPPORT;
2629
2630 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2631 genmask);
2632 if (IS_ERR(table))
2633 return PTR_ERR(table);
2634 }
2635
2636 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2637 return 0;
2638}
2639
2640static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2641 const struct nlattr *nla, u8 genmask)
2642{
2643 struct nft_set *set;
2644
2645 if (nla == NULL)
2646 return ERR_PTR(-EINVAL);
2647
2648 list_for_each_entry(set, &table->sets, list) {
2649 if (!nla_strcmp(nla, set->name) &&
2650 nft_active_genmask(set, genmask))
2651 return set;
2652 }
2653 return ERR_PTR(-ENOENT);
2654}
2655
2656static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2657 const struct nlattr *nla,
2658 u8 genmask)
2659{
2660 struct nft_trans *trans;
2661 u32 id = ntohl(nla_get_be32(nla));
2662
2663 list_for_each_entry(trans, &net->nft.commit_list, list) {
2664 struct nft_set *set = nft_trans_set(trans);
2665
2666 if (trans->msg_type == NFT_MSG_NEWSET &&
2667 id == nft_trans_set_id(trans) &&
2668 nft_active_genmask(set, genmask))
2669 return set;
2670 }
2671 return ERR_PTR(-ENOENT);
2672}
2673
2674struct nft_set *nft_set_lookup(const struct net *net,
2675 const struct nft_table *table,
2676 const struct nlattr *nla_set_name,
2677 const struct nlattr *nla_set_id,
2678 u8 genmask)
2679{
2680 struct nft_set *set;
2681
2682 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2683 if (IS_ERR(set)) {
2684 if (!nla_set_id)
2685 return set;
2686
2687 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2688 }
2689 return set;
2690}
2691EXPORT_SYMBOL_GPL(nft_set_lookup);
2692
2693static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2694 const char *name)
2695{
2696 const struct nft_set *i;
2697 const char *p;
2698 unsigned long *inuse;
2699 unsigned int n = 0, min = 0;
2700
2701 p = strchr(name, '%');
2702 if (p != NULL) {
2703 if (p[1] != 'd' || strchr(p + 2, '%'))
2704 return -EINVAL;
2705
2706 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2707 if (inuse == NULL)
2708 return -ENOMEM;
2709cont:
2710 list_for_each_entry(i, &ctx->table->sets, list) {
2711 int tmp;
2712
2713 if (!nft_is_active_next(ctx->net, set))
2714 continue;
2715 if (!sscanf(i->name, name, &tmp))
2716 continue;
2717 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2718 continue;
2719
2720 set_bit(tmp - min, inuse);
2721 }
2722
2723 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2724 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2725 min += BITS_PER_BYTE * PAGE_SIZE;
2726 memset(inuse, 0, PAGE_SIZE);
2727 goto cont;
2728 }
2729 free_page((unsigned long)inuse);
2730 }
2731
2732 set->name = kasprintf(GFP_KERNEL, name, min + n);
2733 if (!set->name)
2734 return -ENOMEM;
2735
2736 list_for_each_entry(i, &ctx->table->sets, list) {
2737 if (!nft_is_active_next(ctx->net, i))
2738 continue;
2739 if (!strcmp(set->name, i->name)) {
2740 kfree(set->name);
2741 return -ENFILE;
2742 }
2743 }
2744 return 0;
2745}
2746
2747static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2748 const struct nft_set *set, u16 event, u16 flags)
2749{
2750 struct nfgenmsg *nfmsg;
2751 struct nlmsghdr *nlh;
2752 struct nlattr *desc;
2753 u32 portid = ctx->portid;
2754 u32 seq = ctx->seq;
2755
2756 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2757 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2758 flags);
2759 if (nlh == NULL)
2760 goto nla_put_failure;
2761
2762 nfmsg = nlmsg_data(nlh);
2763 nfmsg->nfgen_family = ctx->afi->family;
2764 nfmsg->version = NFNETLINK_V0;
2765 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2766
2767 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2768 goto nla_put_failure;
2769 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2770 goto nla_put_failure;
2771 if (set->flags != 0)
2772 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2773 goto nla_put_failure;
2774
2775 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2776 goto nla_put_failure;
2777 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2778 goto nla_put_failure;
2779 if (set->flags & NFT_SET_MAP) {
2780 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2781 goto nla_put_failure;
2782 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2783 goto nla_put_failure;
2784 }
2785 if (set->flags & NFT_SET_OBJECT &&
2786 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2787 goto nla_put_failure;
2788
2789 if (set->timeout &&
2790 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2791 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2792 NFTA_SET_PAD))
2793 goto nla_put_failure;
2794 if (set->gc_int &&
2795 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2796 goto nla_put_failure;
2797
2798 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2799 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2800 goto nla_put_failure;
2801 }
2802
2803 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2804 goto nla_put_failure;
2805
2806 desc = nla_nest_start(skb, NFTA_SET_DESC);
2807 if (desc == NULL)
2808 goto nla_put_failure;
2809 if (set->size &&
2810 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2811 goto nla_put_failure;
2812 nla_nest_end(skb, desc);
2813
2814 nlmsg_end(skb, nlh);
2815 return 0;
2816
2817nla_put_failure:
2818 nlmsg_trim(skb, nlh);
2819 return -1;
2820}
2821
2822static void nf_tables_set_notify(const struct nft_ctx *ctx,
2823 const struct nft_set *set, int event,
2824 gfp_t gfp_flags)
2825{
2826 struct sk_buff *skb;
2827 u32 portid = ctx->portid;
2828 int err;
2829
2830 if (!ctx->report &&
2831 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2832 return;
2833
2834 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2835 if (skb == NULL)
2836 goto err;
2837
2838 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2839 if (err < 0) {
2840 kfree_skb(skb);
2841 goto err;
2842 }
2843
2844 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2845 gfp_flags);
2846 return;
2847err:
2848 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2849}
2850
2851static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2852{
2853 const struct nft_set *set;
2854 unsigned int idx, s_idx = cb->args[0];
2855 struct nft_af_info *afi;
2856 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2857 struct net *net = sock_net(skb->sk);
2858 int cur_family = cb->args[3];
2859 struct nft_ctx *ctx = cb->data, ctx_set;
2860
2861 if (cb->args[1])
2862 return skb->len;
2863
2864 rcu_read_lock();
2865 cb->seq = net->nft.base_seq;
2866
2867 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2868 if (ctx->afi && ctx->afi != afi)
2869 continue;
2870
2871 if (cur_family) {
2872 if (afi->family != cur_family)
2873 continue;
2874
2875 cur_family = 0;
2876 }
2877 list_for_each_entry_rcu(table, &afi->tables, list) {
2878 if (ctx->table && ctx->table != table)
2879 continue;
2880
2881 if (cur_table) {
2882 if (cur_table != table)
2883 continue;
2884
2885 cur_table = NULL;
2886 }
2887 idx = 0;
2888 list_for_each_entry_rcu(set, &table->sets, list) {
2889 if (idx < s_idx)
2890 goto cont;
2891 if (!nft_is_active(net, set))
2892 goto cont;
2893
2894 ctx_set = *ctx;
2895 ctx_set.table = table;
2896 ctx_set.afi = afi;
2897 if (nf_tables_fill_set(skb, &ctx_set, set,
2898 NFT_MSG_NEWSET,
2899 NLM_F_MULTI) < 0) {
2900 cb->args[0] = idx;
2901 cb->args[2] = (unsigned long) table;
2902 cb->args[3] = afi->family;
2903 goto done;
2904 }
2905 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2906cont:
2907 idx++;
2908 }
2909 if (s_idx)
2910 s_idx = 0;
2911 }
2912 }
2913 cb->args[1] = 1;
2914done:
2915 rcu_read_unlock();
2916 return skb->len;
2917}
2918
2919static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2920{
2921 kfree(cb->data);
2922 return 0;
2923}
2924
2925static int nf_tables_getset(struct net *net, struct sock *nlsk,
2926 struct sk_buff *skb, const struct nlmsghdr *nlh,
2927 const struct nlattr * const nla[],
2928 struct netlink_ext_ack *extack)
2929{
2930 u8 genmask = nft_genmask_cur(net);
2931 const struct nft_set *set;
2932 struct nft_ctx ctx;
2933 struct sk_buff *skb2;
2934 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2935 int err;
2936
2937
2938 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2939 if (err < 0)
2940 return err;
2941
2942 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2943 struct netlink_dump_control c = {
2944 .dump = nf_tables_dump_sets,
2945 .done = nf_tables_dump_sets_done,
2946 };
2947 struct nft_ctx *ctx_dump;
2948
2949 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2950 if (ctx_dump == NULL)
2951 return -ENOMEM;
2952
2953 *ctx_dump = ctx;
2954 c.data = ctx_dump;
2955
2956 return netlink_dump_start(nlsk, skb, nlh, &c);
2957 }
2958
2959
2960 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2961 return -EAFNOSUPPORT;
2962 if (!nla[NFTA_SET_TABLE])
2963 return -EINVAL;
2964
2965 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2966 if (IS_ERR(set))
2967 return PTR_ERR(set);
2968
2969 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2970 if (skb2 == NULL)
2971 return -ENOMEM;
2972
2973 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2974 if (err < 0)
2975 goto err;
2976
2977 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2978
2979err:
2980 kfree_skb(skb2);
2981 return err;
2982}
2983
2984static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2985 struct nft_set_desc *desc,
2986 const struct nlattr *nla)
2987{
2988 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2989 int err;
2990
2991 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
2992 nft_set_desc_policy, NULL);
2993 if (err < 0)
2994 return err;
2995
2996 if (da[NFTA_SET_DESC_SIZE] != NULL)
2997 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2998
2999 return 0;
3000}
3001
3002static int nf_tables_newset(struct net *net, struct sock *nlsk,
3003 struct sk_buff *skb, const struct nlmsghdr *nlh,
3004 const struct nlattr * const nla[],
3005 struct netlink_ext_ack *extack)
3006{
3007 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3008 u8 genmask = nft_genmask_next(net);
3009 const struct nft_set_ops *ops;
3010 struct nft_af_info *afi;
3011 struct nft_table *table;
3012 struct nft_set *set;
3013 struct nft_ctx ctx;
3014 char *name;
3015 unsigned int size;
3016 bool create;
3017 u64 timeout;
3018 u32 ktype, dtype, flags, policy, gc_int, objtype;
3019 struct nft_set_desc desc;
3020 unsigned char *udata;
3021 u16 udlen;
3022 int err;
3023
3024 if (nla[NFTA_SET_TABLE] == NULL ||
3025 nla[NFTA_SET_NAME] == NULL ||
3026 nla[NFTA_SET_KEY_LEN] == NULL ||
3027 nla[NFTA_SET_ID] == NULL)
3028 return -EINVAL;
3029
3030 memset(&desc, 0, sizeof(desc));
3031
3032 ktype = NFT_DATA_VALUE;
3033 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3034 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3035 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3036 return -EINVAL;
3037 }
3038
3039 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3040 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3041 return -EINVAL;
3042
3043 flags = 0;
3044 if (nla[NFTA_SET_FLAGS] != NULL) {
3045 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3046 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3047 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3048 NFT_SET_MAP | NFT_SET_EVAL |
3049 NFT_SET_OBJECT))
3050 return -EINVAL;
3051
3052 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3053 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3054 return -EOPNOTSUPP;
3055 }
3056
3057 dtype = 0;
3058 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3059 if (!(flags & NFT_SET_MAP))
3060 return -EINVAL;
3061
3062 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3063 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3064 dtype != NFT_DATA_VERDICT)
3065 return -EINVAL;
3066
3067 if (dtype != NFT_DATA_VERDICT) {
3068 if (nla[NFTA_SET_DATA_LEN] == NULL)
3069 return -EINVAL;
3070 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3071 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3072 return -EINVAL;
3073 } else
3074 desc.dlen = sizeof(struct nft_verdict);
3075 } else if (flags & NFT_SET_MAP)
3076 return -EINVAL;
3077
3078 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3079 if (!(flags & NFT_SET_OBJECT))
3080 return -EINVAL;
3081
3082 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3083 if (objtype == NFT_OBJECT_UNSPEC ||
3084 objtype > NFT_OBJECT_MAX)
3085 return -EINVAL;
3086 } else if (flags & NFT_SET_OBJECT)
3087 return -EINVAL;
3088 else
3089 objtype = NFT_OBJECT_UNSPEC;
3090
3091 timeout = 0;
3092 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3093 if (!(flags & NFT_SET_TIMEOUT))
3094 return -EINVAL;
3095 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3096 nla[NFTA_SET_TIMEOUT])));
3097 }
3098 gc_int = 0;
3099 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3100 if (!(flags & NFT_SET_TIMEOUT))
3101 return -EINVAL;
3102 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3103 }
3104
3105 policy = NFT_SET_POL_PERFORMANCE;
3106 if (nla[NFTA_SET_POLICY] != NULL)
3107 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3108
3109 if (nla[NFTA_SET_DESC] != NULL) {
3110 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3111 if (err < 0)
3112 return err;
3113 }
3114
3115 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3116
3117 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3118 if (IS_ERR(afi))
3119 return PTR_ERR(afi);
3120
3121 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
3122 if (IS_ERR(table))
3123 return PTR_ERR(table);
3124
3125 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
3126
3127 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3128 if (IS_ERR(set)) {
3129 if (PTR_ERR(set) != -ENOENT)
3130 return PTR_ERR(set);
3131 } else {
3132 if (nlh->nlmsg_flags & NLM_F_EXCL)
3133 return -EEXIST;
3134 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3135 return -EOPNOTSUPP;
3136 return 0;
3137 }
3138
3139 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3140 return -ENOENT;
3141
3142 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3143 if (IS_ERR(ops))
3144 return PTR_ERR(ops);
3145
3146 udlen = 0;
3147 if (nla[NFTA_SET_USERDATA])
3148 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3149
3150 size = 0;
3151 if (ops->privsize != NULL)
3152 size = ops->privsize(nla, &desc);
3153
3154 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3155 if (!set) {
3156 err = -ENOMEM;
3157 goto err1;
3158 }
3159
3160 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3161 if (!name) {
3162 err = -ENOMEM;
3163 goto err2;
3164 }
3165
3166 err = nf_tables_set_alloc_name(&ctx, set, name);
3167 kfree(name);
3168 if (err < 0)
3169 goto err2;
3170
3171 udata = NULL;
3172 if (udlen) {
3173 udata = set->data + size;
3174 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3175 }
3176
3177 INIT_LIST_HEAD(&set->bindings);
3178 set->ops = ops;
3179 set->ktype = ktype;
3180 set->klen = desc.klen;
3181 set->dtype = dtype;
3182 set->objtype = objtype;
3183 set->dlen = desc.dlen;
3184 set->flags = flags;
3185 set->size = desc.size;
3186 set->policy = policy;
3187 set->udlen = udlen;
3188 set->udata = udata;
3189 set->timeout = timeout;
3190 set->gc_int = gc_int;
3191
3192 err = ops->init(set, &desc, nla);
3193 if (err < 0)
3194 goto err2;
3195
3196 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3197 if (err < 0)
3198 goto err3;
3199
3200 list_add_tail_rcu(&set->list, &table->sets);
3201 table->use++;
3202 return 0;
3203
3204err3:
3205 ops->destroy(set);
3206err2:
3207 kvfree(set);
3208err1:
3209 module_put(ops->type->owner);
3210 return err;
3211}
3212
3213static void nft_set_destroy(struct nft_set *set)
3214{
3215 set->ops->destroy(set);
3216 module_put(set->ops->type->owner);
3217 kfree(set->name);
3218 kvfree(set);
3219}
3220
3221static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3222{
3223 list_del_rcu(&set->list);
3224 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3225 nft_set_destroy(set);
3226}
3227
3228static int nf_tables_delset(struct net *net, struct sock *nlsk,
3229 struct sk_buff *skb, const struct nlmsghdr *nlh,
3230 const struct nlattr * const nla[],
3231 struct netlink_ext_ack *extack)
3232{
3233 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3234 u8 genmask = nft_genmask_next(net);
3235 struct nft_set *set;
3236 struct nft_ctx ctx;
3237 int err;
3238
3239 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3240 return -EAFNOSUPPORT;
3241 if (nla[NFTA_SET_TABLE] == NULL)
3242 return -EINVAL;
3243
3244 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3245 if (err < 0)
3246 return err;
3247
3248 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3249 if (IS_ERR(set))
3250 return PTR_ERR(set);
3251
3252 if (!list_empty(&set->bindings) ||
3253 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3254 return -EBUSY;
3255
3256 return nft_delset(&ctx, set);
3257}
3258
3259static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3260 struct nft_set *set,
3261 const struct nft_set_iter *iter,
3262 struct nft_set_elem *elem)
3263{
3264 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3265 enum nft_registers dreg;
3266
3267 dreg = nft_type_to_reg(set->dtype);
3268 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3269 set->dtype == NFT_DATA_VERDICT ?
3270 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3271 set->dlen);
3272}
3273
3274int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3275 struct nft_set_binding *binding)
3276{
3277 struct nft_set_binding *i;
3278 struct nft_set_iter iter;
3279
3280 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3281 return -EBUSY;
3282
3283 if (binding->flags & NFT_SET_MAP) {
3284
3285
3286
3287 list_for_each_entry(i, &set->bindings, list) {
3288 if (i->flags & NFT_SET_MAP &&
3289 i->chain == binding->chain)
3290 goto bind;
3291 }
3292
3293 iter.genmask = nft_genmask_next(ctx->net);
3294 iter.skip = 0;
3295 iter.count = 0;
3296 iter.err = 0;
3297 iter.fn = nf_tables_bind_check_setelem;
3298
3299 set->ops->walk(ctx, set, &iter);
3300 if (iter.err < 0)
3301 return iter.err;
3302 }
3303bind:
3304 binding->chain = ctx->chain;
3305 list_add_tail_rcu(&binding->list, &set->bindings);
3306 return 0;
3307}
3308EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3309
3310void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3311 struct nft_set_binding *binding)
3312{
3313 list_del_rcu(&binding->list);
3314
3315 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3316 nft_is_active(ctx->net, set))
3317 nf_tables_set_destroy(ctx, set);
3318}
3319EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3320
3321const struct nft_set_ext_type nft_set_ext_types[] = {
3322 [NFT_SET_EXT_KEY] = {
3323 .align = __alignof__(u32),
3324 },
3325 [NFT_SET_EXT_DATA] = {
3326 .align = __alignof__(u32),
3327 },
3328 [NFT_SET_EXT_EXPR] = {
3329 .align = __alignof__(struct nft_expr),
3330 },
3331 [NFT_SET_EXT_OBJREF] = {
3332 .len = sizeof(struct nft_object *),
3333 .align = __alignof__(struct nft_object *),
3334 },
3335 [NFT_SET_EXT_FLAGS] = {
3336 .len = sizeof(u8),
3337 .align = __alignof__(u8),
3338 },
3339 [NFT_SET_EXT_TIMEOUT] = {
3340 .len = sizeof(u64),
3341 .align = __alignof__(u64),
3342 },
3343 [NFT_SET_EXT_EXPIRATION] = {
3344 .len = sizeof(unsigned long),
3345 .align = __alignof__(unsigned long),
3346 },
3347 [NFT_SET_EXT_USERDATA] = {
3348 .len = sizeof(struct nft_userdata),
3349 .align = __alignof__(struct nft_userdata),
3350 },
3351};
3352EXPORT_SYMBOL_GPL(nft_set_ext_types);
3353
3354
3355
3356
3357
3358static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3359 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3360 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3361 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3362 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3363 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3364 .len = NFT_USERDATA_MAXLEN },
3365};
3366
3367static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3368 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3369 .len = NFT_TABLE_MAXNAMELEN - 1 },
3370 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3371 .len = NFT_SET_MAXNAMELEN - 1 },
3372 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3373 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3374};
3375
3376static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3377 const struct sk_buff *skb,
3378 const struct nlmsghdr *nlh,
3379 const struct nlattr * const nla[],
3380 u8 genmask)
3381{
3382 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3383 struct nft_af_info *afi;
3384 struct nft_table *table;
3385
3386 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3387 if (IS_ERR(afi))
3388 return PTR_ERR(afi);
3389
3390 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3391 genmask);
3392 if (IS_ERR(table))
3393 return PTR_ERR(table);
3394
3395 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3396 return 0;
3397}
3398
3399static int nf_tables_fill_setelem(struct sk_buff *skb,
3400 const struct nft_set *set,
3401 const struct nft_set_elem *elem)
3402{
3403 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3404 unsigned char *b = skb_tail_pointer(skb);
3405 struct nlattr *nest;
3406
3407 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3408 if (nest == NULL)
3409 goto nla_put_failure;
3410
3411 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3412 NFT_DATA_VALUE, set->klen) < 0)
3413 goto nla_put_failure;
3414
3415 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3416 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3417 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3418 set->dlen) < 0)
3419 goto nla_put_failure;
3420
3421 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3422 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3423 goto nla_put_failure;
3424
3425 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3426 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3427 (*nft_set_ext_obj(ext))->name) < 0)
3428 goto nla_put_failure;
3429
3430 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3431 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3432 htonl(*nft_set_ext_flags(ext))))
3433 goto nla_put_failure;
3434
3435 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3436 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3437 cpu_to_be64(jiffies_to_msecs(
3438 *nft_set_ext_timeout(ext))),
3439 NFTA_SET_ELEM_PAD))
3440 goto nla_put_failure;
3441
3442 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3443 unsigned long expires, now = jiffies;
3444
3445 expires = *nft_set_ext_expiration(ext);
3446 if (time_before(now, expires))
3447 expires -= now;
3448 else
3449 expires = 0;
3450
3451 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3452 cpu_to_be64(jiffies_to_msecs(expires)),
3453 NFTA_SET_ELEM_PAD))
3454 goto nla_put_failure;
3455 }
3456
3457 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3458 struct nft_userdata *udata;
3459
3460 udata = nft_set_ext_userdata(ext);
3461 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3462 udata->len + 1, udata->data))
3463 goto nla_put_failure;
3464 }
3465
3466 nla_nest_end(skb, nest);
3467 return 0;
3468
3469nla_put_failure:
3470 nlmsg_trim(skb, b);
3471 return -EMSGSIZE;
3472}
3473
3474struct nft_set_dump_args {
3475 const struct netlink_callback *cb;
3476 struct nft_set_iter iter;
3477 struct sk_buff *skb;
3478};
3479
3480static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3481 struct nft_set *set,
3482 const struct nft_set_iter *iter,
3483 struct nft_set_elem *elem)
3484{
3485 struct nft_set_dump_args *args;
3486
3487 args = container_of(iter, struct nft_set_dump_args, iter);
3488 return nf_tables_fill_setelem(args->skb, set, elem);
3489}
3490
3491struct nft_set_dump_ctx {
3492 const struct nft_set *set;
3493 struct nft_ctx ctx;
3494};
3495
3496static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3497{
3498 struct nft_set_dump_ctx *dump_ctx = cb->data;
3499 struct net *net = sock_net(skb->sk);
3500 struct nft_af_info *afi;
3501 struct nft_table *table;
3502 struct nft_set *set;
3503 struct nft_set_dump_args args;
3504 bool set_found = false;
3505 struct nfgenmsg *nfmsg;
3506 struct nlmsghdr *nlh;
3507 struct nlattr *nest;
3508 u32 portid, seq;
3509 int event;
3510
3511 rcu_read_lock();
3512 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
3513 if (afi != dump_ctx->ctx.afi)
3514 continue;
3515
3516 list_for_each_entry_rcu(table, &afi->tables, list) {
3517 if (table != dump_ctx->ctx.table)
3518 continue;
3519
3520 list_for_each_entry_rcu(set, &table->sets, list) {
3521 if (set == dump_ctx->set) {
3522 set_found = true;
3523 break;
3524 }
3525 }
3526 break;
3527 }
3528 break;
3529 }
3530
3531 if (!set_found) {
3532 rcu_read_unlock();
3533 return -ENOENT;
3534 }
3535
3536 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3537 portid = NETLINK_CB(cb->skb).portid;
3538 seq = cb->nlh->nlmsg_seq;
3539
3540 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3541 NLM_F_MULTI);
3542 if (nlh == NULL)
3543 goto nla_put_failure;
3544
3545 nfmsg = nlmsg_data(nlh);
3546 nfmsg->nfgen_family = afi->family;
3547 nfmsg->version = NFNETLINK_V0;
3548 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3549
3550 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3551 goto nla_put_failure;
3552 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3553 goto nla_put_failure;
3554
3555 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3556 if (nest == NULL)
3557 goto nla_put_failure;
3558
3559 args.cb = cb;
3560 args.skb = skb;
3561 args.iter.genmask = nft_genmask_cur(net);
3562 args.iter.skip = cb->args[0];
3563 args.iter.count = 0;
3564 args.iter.err = 0;
3565 args.iter.fn = nf_tables_dump_setelem;
3566 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3567 rcu_read_unlock();
3568
3569 nla_nest_end(skb, nest);
3570 nlmsg_end(skb, nlh);
3571
3572 if (args.iter.err && args.iter.err != -EMSGSIZE)
3573 return args.iter.err;
3574 if (args.iter.count == cb->args[0])
3575 return 0;
3576
3577 cb->args[0] = args.iter.count;
3578 return skb->len;
3579
3580nla_put_failure:
3581 rcu_read_unlock();
3582 return -ENOSPC;
3583}
3584
3585static int nf_tables_dump_set_done(struct netlink_callback *cb)
3586{
3587 kfree(cb->data);
3588 return 0;
3589}
3590
3591static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3592 const struct nft_ctx *ctx, u32 seq,
3593 u32 portid, int event, u16 flags,
3594 const struct nft_set *set,
3595 const struct nft_set_elem *elem)
3596{
3597 struct nfgenmsg *nfmsg;
3598 struct nlmsghdr *nlh;
3599 struct nlattr *nest;
3600 int err;
3601
3602 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3603 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3604 flags);
3605 if (nlh == NULL)
3606 goto nla_put_failure;
3607
3608 nfmsg = nlmsg_data(nlh);
3609 nfmsg->nfgen_family = ctx->afi->family;
3610 nfmsg->version = NFNETLINK_V0;
3611 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3612
3613 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3614 goto nla_put_failure;
3615 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3616 goto nla_put_failure;
3617
3618 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3619 if (nest == NULL)
3620 goto nla_put_failure;
3621
3622 err = nf_tables_fill_setelem(skb, set, elem);
3623 if (err < 0)
3624 goto nla_put_failure;
3625
3626 nla_nest_end(skb, nest);
3627
3628 nlmsg_end(skb, nlh);
3629 return 0;
3630
3631nla_put_failure:
3632 nlmsg_trim(skb, nlh);
3633 return -1;
3634}
3635
3636static int nft_setelem_parse_flags(const struct nft_set *set,
3637 const struct nlattr *attr, u32 *flags)
3638{
3639 if (attr == NULL)
3640 return 0;
3641
3642 *flags = ntohl(nla_get_be32(attr));
3643 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3644 return -EINVAL;
3645 if (!(set->flags & NFT_SET_INTERVAL) &&
3646 *flags & NFT_SET_ELEM_INTERVAL_END)
3647 return -EINVAL;
3648
3649 return 0;
3650}
3651
3652static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3653 const struct nlattr *attr)
3654{
3655 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3656 const struct nft_set_ext *ext;
3657 struct nft_data_desc desc;
3658 struct nft_set_elem elem;
3659 struct sk_buff *skb;
3660 uint32_t flags = 0;
3661 void *priv;
3662 int err;
3663
3664 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3665 nft_set_elem_policy, NULL);
3666 if (err < 0)
3667 return err;
3668
3669 if (!nla[NFTA_SET_ELEM_KEY])
3670 return -EINVAL;
3671
3672 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3673 if (err < 0)
3674 return err;
3675
3676 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3677 nla[NFTA_SET_ELEM_KEY]);
3678 if (err < 0)
3679 return err;
3680
3681 err = -EINVAL;
3682 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3683 return err;
3684
3685 priv = set->ops->get(ctx->net, set, &elem, flags);
3686 if (IS_ERR(priv))
3687 return PTR_ERR(priv);
3688
3689 elem.priv = priv;
3690 ext = nft_set_elem_ext(set, &elem);
3691
3692 err = -ENOMEM;
3693 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3694 if (skb == NULL)
3695 goto err1;
3696
3697 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3698 NFT_MSG_NEWSETELEM, 0, set, &elem);
3699 if (err < 0)
3700 goto err2;
3701
3702 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3703
3704 if (err < 0)
3705 goto err1;
3706
3707 return 0;
3708err2:
3709 kfree_skb(skb);
3710err1:
3711
3712 return err == -EAGAIN ? -ENOBUFS : err;
3713}
3714
3715static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3716 struct sk_buff *skb, const struct nlmsghdr *nlh,
3717 const struct nlattr * const nla[],
3718 struct netlink_ext_ack *extack)
3719{
3720 u8 genmask = nft_genmask_cur(net);
3721 struct nft_set *set;
3722 struct nlattr *attr;
3723 struct nft_ctx ctx;
3724 int rem, err = 0;
3725
3726 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3727 if (err < 0)
3728 return err;
3729
3730 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3731 genmask);
3732 if (IS_ERR(set))
3733 return PTR_ERR(set);
3734
3735 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3736 struct netlink_dump_control c = {
3737 .dump = nf_tables_dump_set,
3738 .done = nf_tables_dump_set_done,
3739 };
3740 struct nft_set_dump_ctx *dump_ctx;
3741
3742 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3743 if (!dump_ctx)
3744 return -ENOMEM;
3745
3746 dump_ctx->set = set;
3747 dump_ctx->ctx = ctx;
3748
3749 c.data = dump_ctx;
3750 return netlink_dump_start(nlsk, skb, nlh, &c);
3751 }
3752
3753 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3754 return -EINVAL;
3755
3756 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3757 err = nft_get_set_elem(&ctx, set, attr);
3758 if (err < 0)
3759 break;
3760 }
3761
3762 return err;
3763}
3764
3765static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3766 const struct nft_set *set,
3767 const struct nft_set_elem *elem,
3768 int event, u16 flags)
3769{
3770 struct net *net = ctx->net;
3771 u32 portid = ctx->portid;
3772 struct sk_buff *skb;
3773 int err;
3774
3775 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3776 return;
3777
3778 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3779 if (skb == NULL)
3780 goto err;
3781
3782 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3783 set, elem);
3784 if (err < 0) {
3785 kfree_skb(skb);
3786 goto err;
3787 }
3788
3789 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3790 GFP_KERNEL);
3791 return;
3792err:
3793 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3794}
3795
3796static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3797 int msg_type,
3798 struct nft_set *set)
3799{
3800 struct nft_trans *trans;
3801
3802 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3803 if (trans == NULL)
3804 return NULL;
3805
3806 nft_trans_elem_set(trans) = set;
3807 return trans;
3808}
3809
3810void *nft_set_elem_init(const struct nft_set *set,
3811 const struct nft_set_ext_tmpl *tmpl,
3812 const u32 *key, const u32 *data,
3813 u64 timeout, gfp_t gfp)
3814{
3815 struct nft_set_ext *ext;
3816 void *elem;
3817
3818 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3819 if (elem == NULL)
3820 return NULL;
3821
3822 ext = nft_set_elem_ext(set, elem);
3823 nft_set_ext_init(ext, tmpl);
3824
3825 memcpy(nft_set_ext_key(ext), key, set->klen);
3826 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3827 memcpy(nft_set_ext_data(ext), data, set->dlen);
3828 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3829 *nft_set_ext_expiration(ext) =
3830 jiffies + timeout;
3831 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3832 *nft_set_ext_timeout(ext) = timeout;
3833
3834 return elem;
3835}
3836
3837void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3838 bool destroy_expr)
3839{
3840 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3841
3842 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3843 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3844 nft_data_release(nft_set_ext_data(ext), set->dtype);
3845 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3846 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3847 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3848 (*nft_set_ext_obj(ext))->use--;
3849 kfree(elem);
3850}
3851EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3852
3853
3854
3855
3856static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3857{
3858 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3859
3860 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3861 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3862 kfree(elem);
3863}
3864
3865static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3866 const struct nlattr *attr, u32 nlmsg_flags)
3867{
3868 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3869 u8 genmask = nft_genmask_next(ctx->net);
3870 struct nft_data_desc d1, d2;
3871 struct nft_set_ext_tmpl tmpl;
3872 struct nft_set_ext *ext, *ext2;
3873 struct nft_set_elem elem;
3874 struct nft_set_binding *binding;
3875 struct nft_object *obj = NULL;
3876 struct nft_userdata *udata;
3877 struct nft_data data;
3878 enum nft_registers dreg;
3879 struct nft_trans *trans;
3880 u32 flags = 0;
3881 u64 timeout;
3882 u8 ulen;
3883 int err;
3884
3885 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3886 nft_set_elem_policy, NULL);
3887 if (err < 0)
3888 return err;
3889
3890 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3891 return -EINVAL;
3892
3893 nft_set_ext_prepare(&tmpl);
3894
3895 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3896 if (err < 0)
3897 return err;
3898 if (flags != 0)
3899 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3900
3901 if (set->flags & NFT_SET_MAP) {
3902 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3903 !(flags & NFT_SET_ELEM_INTERVAL_END))
3904 return -EINVAL;
3905 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3906 flags & NFT_SET_ELEM_INTERVAL_END)
3907 return -EINVAL;
3908 } else {
3909 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3910 return -EINVAL;
3911 }
3912
3913 timeout = 0;
3914 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3915 if (!(set->flags & NFT_SET_TIMEOUT))
3916 return -EINVAL;
3917 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3918 nla[NFTA_SET_ELEM_TIMEOUT])));
3919 } else if (set->flags & NFT_SET_TIMEOUT) {
3920 timeout = set->timeout;
3921 }
3922
3923 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3924 nla[NFTA_SET_ELEM_KEY]);
3925 if (err < 0)
3926 goto err1;
3927 err = -EINVAL;
3928 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3929 goto err2;
3930
3931 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3932 if (timeout > 0) {
3933 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3934 if (timeout != set->timeout)
3935 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3936 }
3937
3938 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3939 if (!(set->flags & NFT_SET_OBJECT)) {
3940 err = -EINVAL;
3941 goto err2;
3942 }
3943 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3944 set->objtype, genmask);
3945 if (IS_ERR(obj)) {
3946 err = PTR_ERR(obj);
3947 goto err2;
3948 }
3949 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3950 }
3951
3952 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3953 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3954 nla[NFTA_SET_ELEM_DATA]);
3955 if (err < 0)
3956 goto err2;
3957
3958 err = -EINVAL;
3959 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3960 goto err3;
3961
3962 dreg = nft_type_to_reg(set->dtype);
3963 list_for_each_entry(binding, &set->bindings, list) {
3964 struct nft_ctx bind_ctx = {
3965 .net = ctx->net,
3966 .afi = ctx->afi,
3967 .table = ctx->table,
3968 .chain = (struct nft_chain *)binding->chain,
3969 };
3970
3971 if (!(binding->flags & NFT_SET_MAP))
3972 continue;
3973
3974 err = nft_validate_register_store(&bind_ctx, dreg,
3975 &data,
3976 d2.type, d2.len);
3977 if (err < 0)
3978 goto err3;
3979 }
3980
3981 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3982 }
3983
3984
3985
3986
3987
3988 ulen = 0;
3989 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3990 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3991 if (ulen > 0)
3992 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3993 ulen);
3994 }
3995
3996 err = -ENOMEM;
3997 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3998 timeout, GFP_KERNEL);
3999 if (elem.priv == NULL)
4000 goto err3;
4001
4002 ext = nft_set_elem_ext(set, elem.priv);
4003 if (flags)
4004 *nft_set_ext_flags(ext) = flags;
4005 if (ulen > 0) {
4006 udata = nft_set_ext_userdata(ext);
4007 udata->len = ulen - 1;
4008 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4009 }
4010 if (obj) {
4011 *nft_set_ext_obj(ext) = obj;
4012 obj->use++;
4013 }
4014
4015 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4016 if (trans == NULL)
4017 goto err4;
4018
4019 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4020 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4021 if (err) {
4022 if (err == -EEXIST) {
4023 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4024 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4025 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4026 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
4027 return -EBUSY;
4028 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4029 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4030 memcmp(nft_set_ext_data(ext),
4031 nft_set_ext_data(ext2), set->dlen) != 0) ||
4032 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4033 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4034 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4035 err = -EBUSY;
4036 else if (!(nlmsg_flags & NLM_F_EXCL))
4037 err = 0;
4038 }
4039 goto err5;
4040 }
4041
4042 if (set->size &&
4043 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4044 err = -ENFILE;
4045 goto err6;
4046 }
4047
4048 nft_trans_elem(trans) = elem;
4049 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4050 return 0;
4051
4052err6:
4053 set->ops->remove(ctx->net, set, &elem);
4054err5:
4055 kfree(trans);
4056err4:
4057 kfree(elem.priv);
4058err3:
4059 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4060 nft_data_release(&data, d2.type);
4061err2:
4062 nft_data_release(&elem.key.val, d1.type);
4063err1:
4064 return err;
4065}
4066
4067static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4068 struct sk_buff *skb, const struct nlmsghdr *nlh,
4069 const struct nlattr * const nla[],
4070 struct netlink_ext_ack *extack)
4071{
4072 u8 genmask = nft_genmask_next(net);
4073 const struct nlattr *attr;
4074 struct nft_set *set;
4075 struct nft_ctx ctx;
4076 int rem, err = 0;
4077
4078 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4079 return -EINVAL;
4080
4081 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4082 if (err < 0)
4083 return err;
4084
4085 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4086 genmask);
4087 if (IS_ERR(set)) {
4088 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4089 set = nf_tables_set_lookup_byid(net,
4090 nla[NFTA_SET_ELEM_LIST_SET_ID],
4091 genmask);
4092 }
4093 if (IS_ERR(set))
4094 return PTR_ERR(set);
4095 }
4096
4097 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4098 return -EBUSY;
4099
4100 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4101 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4102 if (err < 0)
4103 break;
4104 }
4105 return err;
4106}
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4120{
4121 if (type == NFT_DATA_VERDICT) {
4122 switch (data->verdict.code) {
4123 case NFT_JUMP:
4124 case NFT_GOTO:
4125 data->verdict.chain->use++;
4126 break;
4127 }
4128 }
4129}
4130
4131static void nft_set_elem_activate(const struct net *net,
4132 const struct nft_set *set,
4133 struct nft_set_elem *elem)
4134{
4135 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4136
4137 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4138 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4139 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4140 (*nft_set_ext_obj(ext))->use++;
4141}
4142
4143static void nft_set_elem_deactivate(const struct net *net,
4144 const struct nft_set *set,
4145 struct nft_set_elem *elem)
4146{
4147 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4148
4149 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4150 nft_data_release(nft_set_ext_data(ext), set->dtype);
4151 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4152 (*nft_set_ext_obj(ext))->use--;
4153}
4154
4155static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4156 const struct nlattr *attr)
4157{
4158 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4159 struct nft_set_ext_tmpl tmpl;
4160 struct nft_data_desc desc;
4161 struct nft_set_elem elem;
4162 struct nft_set_ext *ext;
4163 struct nft_trans *trans;
4164 u32 flags = 0;
4165 void *priv;
4166 int err;
4167
4168 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4169 nft_set_elem_policy, NULL);
4170 if (err < 0)
4171 goto err1;
4172
4173 err = -EINVAL;
4174 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4175 goto err1;
4176
4177 nft_set_ext_prepare(&tmpl);
4178
4179 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4180 if (err < 0)
4181 return err;
4182 if (flags != 0)
4183 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4184
4185 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4186 nla[NFTA_SET_ELEM_KEY]);
4187 if (err < 0)
4188 goto err1;
4189
4190 err = -EINVAL;
4191 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4192 goto err2;
4193
4194 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4195
4196 err = -ENOMEM;
4197 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4198 GFP_KERNEL);
4199 if (elem.priv == NULL)
4200 goto err2;
4201
4202 ext = nft_set_elem_ext(set, elem.priv);
4203 if (flags)
4204 *nft_set_ext_flags(ext) = flags;
4205
4206 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4207 if (trans == NULL) {
4208 err = -ENOMEM;
4209 goto err3;
4210 }
4211
4212 priv = set->ops->deactivate(ctx->net, set, &elem);
4213 if (priv == NULL) {
4214 err = -ENOENT;
4215 goto err4;
4216 }
4217 kfree(elem.priv);
4218 elem.priv = priv;
4219
4220 nft_set_elem_deactivate(ctx->net, set, &elem);
4221
4222 nft_trans_elem(trans) = elem;
4223 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4224 return 0;
4225
4226err4:
4227 kfree(trans);
4228err3:
4229 kfree(elem.priv);
4230err2:
4231 nft_data_release(&elem.key.val, desc.type);
4232err1:
4233 return err;
4234}
4235
4236static int nft_flush_set(const struct nft_ctx *ctx,
4237 struct nft_set *set,
4238 const struct nft_set_iter *iter,
4239 struct nft_set_elem *elem)
4240{
4241 struct nft_trans *trans;
4242 int err;
4243
4244 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4245 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4246 if (!trans)
4247 return -ENOMEM;
4248
4249 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4250 err = -ENOENT;
4251 goto err1;
4252 }
4253 set->ndeact++;
4254
4255 nft_trans_elem_set(trans) = set;
4256 nft_trans_elem(trans) = *elem;
4257 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4258
4259 return 0;
4260err1:
4261 kfree(trans);
4262 return err;
4263}
4264
4265static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4266 struct sk_buff *skb, const struct nlmsghdr *nlh,
4267 const struct nlattr * const nla[],
4268 struct netlink_ext_ack *extack)
4269{
4270 u8 genmask = nft_genmask_next(net);
4271 const struct nlattr *attr;
4272 struct nft_set *set;
4273 struct nft_ctx ctx;
4274 int rem, err = 0;
4275
4276 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4277 if (err < 0)
4278 return err;
4279
4280 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4281 genmask);
4282 if (IS_ERR(set))
4283 return PTR_ERR(set);
4284 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4285 return -EBUSY;
4286
4287 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4288 struct nft_set_iter iter = {
4289 .genmask = genmask,
4290 .fn = nft_flush_set,
4291 };
4292 set->ops->walk(&ctx, set, &iter);
4293
4294 return iter.err;
4295 }
4296
4297 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4298 err = nft_del_setelem(&ctx, set, attr);
4299 if (err < 0)
4300 break;
4301
4302 set->ndeact++;
4303 }
4304 return err;
4305}
4306
4307void nft_set_gc_batch_release(struct rcu_head *rcu)
4308{
4309 struct nft_set_gc_batch *gcb;
4310 unsigned int i;
4311
4312 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4313 for (i = 0; i < gcb->head.cnt; i++)
4314 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4315 kfree(gcb);
4316}
4317EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4318
4319struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4320 gfp_t gfp)
4321{
4322 struct nft_set_gc_batch *gcb;
4323
4324 gcb = kzalloc(sizeof(*gcb), gfp);
4325 if (gcb == NULL)
4326 return gcb;
4327 gcb->head.set = set;
4328 return gcb;
4329}
4330EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343int nft_register_obj(struct nft_object_type *obj_type)
4344{
4345 if (obj_type->type == NFT_OBJECT_UNSPEC)
4346 return -EINVAL;
4347
4348 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4349 list_add_rcu(&obj_type->list, &nf_tables_objects);
4350 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4351 return 0;
4352}
4353EXPORT_SYMBOL_GPL(nft_register_obj);
4354
4355
4356
4357
4358
4359
4360
4361void nft_unregister_obj(struct nft_object_type *obj_type)
4362{
4363 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4364 list_del_rcu(&obj_type->list);
4365 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4366}
4367EXPORT_SYMBOL_GPL(nft_unregister_obj);
4368
4369struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4370 const struct nlattr *nla,
4371 u32 objtype, u8 genmask)
4372{
4373 struct nft_object *obj;
4374
4375 list_for_each_entry(obj, &table->objects, list) {
4376 if (!nla_strcmp(nla, obj->name) &&
4377 objtype == obj->ops->type->type &&
4378 nft_active_genmask(obj, genmask))
4379 return obj;
4380 }
4381 return ERR_PTR(-ENOENT);
4382}
4383EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4384
4385static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4386 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4387 .len = NFT_TABLE_MAXNAMELEN - 1 },
4388 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4389 .len = NFT_OBJ_MAXNAMELEN - 1 },
4390 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4391 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4392};
4393
4394static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4395 const struct nft_object_type *type,
4396 const struct nlattr *attr)
4397{
4398 struct nlattr *tb[type->maxattr + 1];
4399 const struct nft_object_ops *ops;
4400 struct nft_object *obj;
4401 int err;
4402
4403 if (attr) {
4404 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4405 NULL);
4406 if (err < 0)
4407 goto err1;
4408 } else {
4409 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4410 }
4411
4412 if (type->select_ops) {
4413 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4414 if (IS_ERR(ops)) {
4415 err = PTR_ERR(ops);
4416 goto err1;
4417 }
4418 } else {
4419 ops = type->ops;
4420 }
4421
4422 err = -ENOMEM;
4423 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4424 if (obj == NULL)
4425 goto err1;
4426
4427 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4428 if (err < 0)
4429 goto err2;
4430
4431 obj->ops = ops;
4432
4433 return obj;
4434err2:
4435 kfree(obj);
4436err1:
4437 return ERR_PTR(err);
4438}
4439
4440static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4441 struct nft_object *obj, bool reset)
4442{
4443 struct nlattr *nest;
4444
4445 nest = nla_nest_start(skb, attr);
4446 if (!nest)
4447 goto nla_put_failure;
4448 if (obj->ops->dump(skb, obj, reset) < 0)
4449 goto nla_put_failure;
4450 nla_nest_end(skb, nest);
4451 return 0;
4452
4453nla_put_failure:
4454 return -1;
4455}
4456
4457static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4458{
4459 const struct nft_object_type *type;
4460
4461 list_for_each_entry(type, &nf_tables_objects, list) {
4462 if (objtype == type->type)
4463 return type;
4464 }
4465 return NULL;
4466}
4467
4468static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4469{
4470 const struct nft_object_type *type;
4471
4472 type = __nft_obj_type_get(objtype);
4473 if (type != NULL && try_module_get(type->owner))
4474 return type;
4475
4476#ifdef CONFIG_MODULES
4477 if (type == NULL) {
4478 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4479 request_module("nft-obj-%u", objtype);
4480 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4481 if (__nft_obj_type_get(objtype))
4482 return ERR_PTR(-EAGAIN);
4483 }
4484#endif
4485 return ERR_PTR(-ENOENT);
4486}
4487
4488static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4489 struct sk_buff *skb, const struct nlmsghdr *nlh,
4490 const struct nlattr * const nla[],
4491 struct netlink_ext_ack *extack)
4492{
4493 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4494 const struct nft_object_type *type;
4495 u8 genmask = nft_genmask_next(net);
4496 int family = nfmsg->nfgen_family;
4497 struct nft_af_info *afi;
4498 struct nft_table *table;
4499 struct nft_object *obj;
4500 struct nft_ctx ctx;
4501 u32 objtype;
4502 int err;
4503
4504 if (!nla[NFTA_OBJ_TYPE] ||
4505 !nla[NFTA_OBJ_NAME] ||
4506 !nla[NFTA_OBJ_DATA])
4507 return -EINVAL;
4508
4509 afi = nf_tables_afinfo_lookup(net, family, true);
4510 if (IS_ERR(afi))
4511 return PTR_ERR(afi);
4512
4513 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4514 if (IS_ERR(table))
4515 return PTR_ERR(table);
4516
4517 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4518 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4519 if (IS_ERR(obj)) {
4520 err = PTR_ERR(obj);
4521 if (err != -ENOENT)
4522 return err;
4523
4524 } else {
4525 if (nlh->nlmsg_flags & NLM_F_EXCL)
4526 return -EEXIST;
4527
4528 return 0;
4529 }
4530
4531 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4532
4533 type = nft_obj_type_get(objtype);
4534 if (IS_ERR(type))
4535 return PTR_ERR(type);
4536
4537 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4538 if (IS_ERR(obj)) {
4539 err = PTR_ERR(obj);
4540 goto err1;
4541 }
4542 obj->table = table;
4543 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4544 if (!obj->name) {
4545 err = -ENOMEM;
4546 goto err2;
4547 }
4548
4549 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4550 if (err < 0)
4551 goto err3;
4552
4553 list_add_tail_rcu(&obj->list, &table->objects);
4554 table->use++;
4555 return 0;
4556err3:
4557 kfree(obj->name);
4558err2:
4559 if (obj->ops->destroy)
4560 obj->ops->destroy(obj);
4561 kfree(obj);
4562err1:
4563 module_put(type->owner);
4564 return err;
4565}
4566
4567static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4568 u32 portid, u32 seq, int event, u32 flags,
4569 int family, const struct nft_table *table,
4570 struct nft_object *obj, bool reset)
4571{
4572 struct nfgenmsg *nfmsg;
4573 struct nlmsghdr *nlh;
4574
4575 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4576 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4577 if (nlh == NULL)
4578 goto nla_put_failure;
4579
4580 nfmsg = nlmsg_data(nlh);
4581 nfmsg->nfgen_family = family;
4582 nfmsg->version = NFNETLINK_V0;
4583 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4584
4585 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4586 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4587 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4588 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4589 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4590 goto nla_put_failure;
4591
4592 nlmsg_end(skb, nlh);
4593 return 0;
4594
4595nla_put_failure:
4596 nlmsg_trim(skb, nlh);
4597 return -1;
4598}
4599
4600struct nft_obj_filter {
4601 char *table;
4602 u32 type;
4603};
4604
4605static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4606{
4607 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4608 const struct nft_af_info *afi;
4609 const struct nft_table *table;
4610 unsigned int idx = 0, s_idx = cb->args[0];
4611 struct nft_obj_filter *filter = cb->data;
4612 struct net *net = sock_net(skb->sk);
4613 int family = nfmsg->nfgen_family;
4614 struct nft_object *obj;
4615 bool reset = false;
4616
4617 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4618 reset = true;
4619
4620 rcu_read_lock();
4621 cb->seq = net->nft.base_seq;
4622
4623 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4624 if (family != NFPROTO_UNSPEC && family != afi->family)
4625 continue;
4626
4627 list_for_each_entry_rcu(table, &afi->tables, list) {
4628 list_for_each_entry_rcu(obj, &table->objects, list) {
4629 if (!nft_is_active(net, obj))
4630 goto cont;
4631 if (idx < s_idx)
4632 goto cont;
4633 if (idx > s_idx)
4634 memset(&cb->args[1], 0,
4635 sizeof(cb->args) - sizeof(cb->args[0]));
4636 if (filter && filter->table[0] &&
4637 strcmp(filter->table, table->name))
4638 goto cont;
4639 if (filter &&
4640 filter->type != NFT_OBJECT_UNSPEC &&
4641 obj->ops->type->type != filter->type)
4642 goto cont;
4643
4644 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4645 cb->nlh->nlmsg_seq,
4646 NFT_MSG_NEWOBJ,
4647 NLM_F_MULTI | NLM_F_APPEND,
4648 afi->family, table, obj, reset) < 0)
4649 goto done;
4650
4651 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4652cont:
4653 idx++;
4654 }
4655 }
4656 }
4657done:
4658 rcu_read_unlock();
4659
4660 cb->args[0] = idx;
4661 return skb->len;
4662}
4663
4664static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4665{
4666 struct nft_obj_filter *filter = cb->data;
4667
4668 if (filter) {
4669 kfree(filter->table);
4670 kfree(filter);
4671 }
4672
4673 return 0;
4674}
4675
4676static struct nft_obj_filter *
4677nft_obj_filter_alloc(const struct nlattr * const nla[])
4678{
4679 struct nft_obj_filter *filter;
4680
4681 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4682 if (!filter)
4683 return ERR_PTR(-ENOMEM);
4684
4685 if (nla[NFTA_OBJ_TABLE]) {
4686 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4687 if (!filter->table) {
4688 kfree(filter);
4689 return ERR_PTR(-ENOMEM);
4690 }
4691 }
4692 if (nla[NFTA_OBJ_TYPE])
4693 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4694
4695 return filter;
4696}
4697
4698static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4699 struct sk_buff *skb, const struct nlmsghdr *nlh,
4700 const struct nlattr * const nla[],
4701 struct netlink_ext_ack *extack)
4702{
4703 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4704 u8 genmask = nft_genmask_cur(net);
4705 int family = nfmsg->nfgen_family;
4706 const struct nft_af_info *afi;
4707 const struct nft_table *table;
4708 struct nft_object *obj;
4709 struct sk_buff *skb2;
4710 bool reset = false;
4711 u32 objtype;
4712 int err;
4713
4714 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4715 struct netlink_dump_control c = {
4716 .dump = nf_tables_dump_obj,
4717 .done = nf_tables_dump_obj_done,
4718 };
4719
4720 if (nla[NFTA_OBJ_TABLE] ||
4721 nla[NFTA_OBJ_TYPE]) {
4722 struct nft_obj_filter *filter;
4723
4724 filter = nft_obj_filter_alloc(nla);
4725 if (IS_ERR(filter))
4726 return -ENOMEM;
4727
4728 c.data = filter;
4729 }
4730 return netlink_dump_start(nlsk, skb, nlh, &c);
4731 }
4732
4733 if (!nla[NFTA_OBJ_NAME] ||
4734 !nla[NFTA_OBJ_TYPE])
4735 return -EINVAL;
4736
4737 afi = nf_tables_afinfo_lookup(net, family, false);
4738 if (IS_ERR(afi))
4739 return PTR_ERR(afi);
4740
4741 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4742 if (IS_ERR(table))
4743 return PTR_ERR(table);
4744
4745 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4746 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4747 if (IS_ERR(obj))
4748 return PTR_ERR(obj);
4749
4750 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4751 if (!skb2)
4752 return -ENOMEM;
4753
4754 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4755 reset = true;
4756
4757 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4758 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4759 family, table, obj, reset);
4760 if (err < 0)
4761 goto err;
4762
4763 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4764err:
4765 kfree_skb(skb2);
4766 return err;
4767}
4768
4769static void nft_obj_destroy(struct nft_object *obj)
4770{
4771 if (obj->ops->destroy)
4772 obj->ops->destroy(obj);
4773
4774 module_put(obj->ops->type->owner);
4775 kfree(obj->name);
4776 kfree(obj);
4777}
4778
4779static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4780 struct sk_buff *skb, const struct nlmsghdr *nlh,
4781 const struct nlattr * const nla[],
4782 struct netlink_ext_ack *extack)
4783{
4784 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4785 u8 genmask = nft_genmask_next(net);
4786 int family = nfmsg->nfgen_family;
4787 struct nft_af_info *afi;
4788 struct nft_table *table;
4789 struct nft_object *obj;
4790 struct nft_ctx ctx;
4791 u32 objtype;
4792
4793 if (!nla[NFTA_OBJ_TYPE] ||
4794 !nla[NFTA_OBJ_NAME])
4795 return -EINVAL;
4796
4797 afi = nf_tables_afinfo_lookup(net, family, true);
4798 if (IS_ERR(afi))
4799 return PTR_ERR(afi);
4800
4801 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4802 if (IS_ERR(table))
4803 return PTR_ERR(table);
4804
4805 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4806 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4807 if (IS_ERR(obj))
4808 return PTR_ERR(obj);
4809 if (obj->use > 0)
4810 return -EBUSY;
4811
4812 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4813
4814 return nft_delobj(&ctx, obj);
4815}
4816
4817void nft_obj_notify(struct net *net, struct nft_table *table,
4818 struct nft_object *obj, u32 portid, u32 seq, int event,
4819 int family, int report, gfp_t gfp)
4820{
4821 struct sk_buff *skb;
4822 int err;
4823
4824 if (!report &&
4825 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4826 return;
4827
4828 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4829 if (skb == NULL)
4830 goto err;
4831
4832 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4833 table, obj, false);
4834 if (err < 0) {
4835 kfree_skb(skb);
4836 goto err;
4837 }
4838
4839 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4840 return;
4841err:
4842 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4843}
4844EXPORT_SYMBOL_GPL(nft_obj_notify);
4845
4846static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4847 struct nft_object *obj, int event)
4848{
4849 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4850 ctx->afi->family, ctx->report, GFP_KERNEL);
4851}
4852
4853static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
4854 u32 portid, u32 seq)
4855{
4856 struct nlmsghdr *nlh;
4857 struct nfgenmsg *nfmsg;
4858 char buf[TASK_COMM_LEN];
4859 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
4860
4861 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
4862 if (nlh == NULL)
4863 goto nla_put_failure;
4864
4865 nfmsg = nlmsg_data(nlh);
4866 nfmsg->nfgen_family = AF_UNSPEC;
4867 nfmsg->version = NFNETLINK_V0;
4868 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4869
4870 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
4871 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
4872 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
4873 goto nla_put_failure;
4874
4875 nlmsg_end(skb, nlh);
4876 return 0;
4877
4878nla_put_failure:
4879 nlmsg_trim(skb, nlh);
4880 return -EMSGSIZE;
4881}
4882
4883static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
4884 int event)
4885{
4886 struct nlmsghdr *nlh = nlmsg_hdr(skb);
4887 struct sk_buff *skb2;
4888 int err;
4889
4890 if (nlmsg_report(nlh) &&
4891 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4892 return;
4893
4894 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4895 if (skb2 == NULL)
4896 goto err;
4897
4898 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4899 nlh->nlmsg_seq);
4900 if (err < 0) {
4901 kfree_skb(skb2);
4902 goto err;
4903 }
4904
4905 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4906 nlmsg_report(nlh), GFP_KERNEL);
4907 return;
4908err:
4909 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4910 -ENOBUFS);
4911}
4912
4913static int nf_tables_getgen(struct net *net, struct sock *nlsk,
4914 struct sk_buff *skb, const struct nlmsghdr *nlh,
4915 const struct nlattr * const nla[],
4916 struct netlink_ext_ack *extack)
4917{
4918 struct sk_buff *skb2;
4919 int err;
4920
4921 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4922 if (skb2 == NULL)
4923 return -ENOMEM;
4924
4925 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4926 nlh->nlmsg_seq);
4927 if (err < 0)
4928 goto err;
4929
4930 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4931err:
4932 kfree_skb(skb2);
4933 return err;
4934}
4935
4936static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
4937 [NFT_MSG_NEWTABLE] = {
4938 .call_batch = nf_tables_newtable,
4939 .attr_count = NFTA_TABLE_MAX,
4940 .policy = nft_table_policy,
4941 },
4942 [NFT_MSG_GETTABLE] = {
4943 .call = nf_tables_gettable,
4944 .attr_count = NFTA_TABLE_MAX,
4945 .policy = nft_table_policy,
4946 },
4947 [NFT_MSG_DELTABLE] = {
4948 .call_batch = nf_tables_deltable,
4949 .attr_count = NFTA_TABLE_MAX,
4950 .policy = nft_table_policy,
4951 },
4952 [NFT_MSG_NEWCHAIN] = {
4953 .call_batch = nf_tables_newchain,
4954 .attr_count = NFTA_CHAIN_MAX,
4955 .policy = nft_chain_policy,
4956 },
4957 [NFT_MSG_GETCHAIN] = {
4958 .call = nf_tables_getchain,
4959 .attr_count = NFTA_CHAIN_MAX,
4960 .policy = nft_chain_policy,
4961 },
4962 [NFT_MSG_DELCHAIN] = {
4963 .call_batch = nf_tables_delchain,
4964 .attr_count = NFTA_CHAIN_MAX,
4965 .policy = nft_chain_policy,
4966 },
4967 [NFT_MSG_NEWRULE] = {
4968 .call_batch = nf_tables_newrule,
4969 .attr_count = NFTA_RULE_MAX,
4970 .policy = nft_rule_policy,
4971 },
4972 [NFT_MSG_GETRULE] = {
4973 .call = nf_tables_getrule,
4974 .attr_count = NFTA_RULE_MAX,
4975 .policy = nft_rule_policy,
4976 },
4977 [NFT_MSG_DELRULE] = {
4978 .call_batch = nf_tables_delrule,
4979 .attr_count = NFTA_RULE_MAX,
4980 .policy = nft_rule_policy,
4981 },
4982 [NFT_MSG_NEWSET] = {
4983 .call_batch = nf_tables_newset,
4984 .attr_count = NFTA_SET_MAX,
4985 .policy = nft_set_policy,
4986 },
4987 [NFT_MSG_GETSET] = {
4988 .call = nf_tables_getset,
4989 .attr_count = NFTA_SET_MAX,
4990 .policy = nft_set_policy,
4991 },
4992 [NFT_MSG_DELSET] = {
4993 .call_batch = nf_tables_delset,
4994 .attr_count = NFTA_SET_MAX,
4995 .policy = nft_set_policy,
4996 },
4997 [NFT_MSG_NEWSETELEM] = {
4998 .call_batch = nf_tables_newsetelem,
4999 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5000 .policy = nft_set_elem_list_policy,
5001 },
5002 [NFT_MSG_GETSETELEM] = {
5003 .call = nf_tables_getsetelem,
5004 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5005 .policy = nft_set_elem_list_policy,
5006 },
5007 [NFT_MSG_DELSETELEM] = {
5008 .call_batch = nf_tables_delsetelem,
5009 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5010 .policy = nft_set_elem_list_policy,
5011 },
5012 [NFT_MSG_GETGEN] = {
5013 .call = nf_tables_getgen,
5014 },
5015 [NFT_MSG_NEWOBJ] = {
5016 .call_batch = nf_tables_newobj,
5017 .attr_count = NFTA_OBJ_MAX,
5018 .policy = nft_obj_policy,
5019 },
5020 [NFT_MSG_GETOBJ] = {
5021 .call = nf_tables_getobj,
5022 .attr_count = NFTA_OBJ_MAX,
5023 .policy = nft_obj_policy,
5024 },
5025 [NFT_MSG_DELOBJ] = {
5026 .call_batch = nf_tables_delobj,
5027 .attr_count = NFTA_OBJ_MAX,
5028 .policy = nft_obj_policy,
5029 },
5030 [NFT_MSG_GETOBJ_RESET] = {
5031 .call = nf_tables_getobj,
5032 .attr_count = NFTA_OBJ_MAX,
5033 .policy = nft_obj_policy,
5034 },
5035};
5036
5037static void nft_chain_commit_update(struct nft_trans *trans)
5038{
5039 struct nft_base_chain *basechain;
5040
5041 if (nft_trans_chain_name(trans))
5042 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
5043
5044 if (!nft_is_base_chain(trans->ctx.chain))
5045 return;
5046
5047 basechain = nft_base_chain(trans->ctx.chain);
5048 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5049
5050 switch (nft_trans_chain_policy(trans)) {
5051 case NF_DROP:
5052 case NF_ACCEPT:
5053 basechain->policy = nft_trans_chain_policy(trans);
5054 break;
5055 }
5056}
5057
5058static void nf_tables_commit_release(struct nft_trans *trans)
5059{
5060 switch (trans->msg_type) {
5061 case NFT_MSG_DELTABLE:
5062 nf_tables_table_destroy(&trans->ctx);
5063 break;
5064 case NFT_MSG_DELCHAIN:
5065 nf_tables_chain_destroy(trans->ctx.chain);
5066 break;
5067 case NFT_MSG_DELRULE:
5068 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5069 break;
5070 case NFT_MSG_DELSET:
5071 nft_set_destroy(nft_trans_set(trans));
5072 break;
5073 case NFT_MSG_DELSETELEM:
5074 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5075 nft_trans_elem(trans).priv);
5076 break;
5077 case NFT_MSG_DELOBJ:
5078 nft_obj_destroy(nft_trans_obj(trans));
5079 break;
5080 }
5081 kfree(trans);
5082}
5083
5084static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5085{
5086 struct nft_trans *trans, *next;
5087 struct nft_trans_elem *te;
5088
5089
5090 while (++net->nft.base_seq == 0);
5091
5092
5093 net->nft.gencursor = nft_gencursor_next(net);
5094
5095
5096
5097
5098 synchronize_rcu();
5099
5100 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5101 switch (trans->msg_type) {
5102 case NFT_MSG_NEWTABLE:
5103 if (nft_trans_table_update(trans)) {
5104 if (!nft_trans_table_enable(trans)) {
5105 nf_tables_table_disable(net,
5106 trans->ctx.afi,
5107 trans->ctx.table);
5108 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5109 }
5110 } else {
5111 nft_clear(net, trans->ctx.table);
5112 }
5113 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5114 nft_trans_destroy(trans);
5115 break;
5116 case NFT_MSG_DELTABLE:
5117 list_del_rcu(&trans->ctx.table->list);
5118 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5119 break;
5120 case NFT_MSG_NEWCHAIN:
5121 if (nft_trans_chain_update(trans))
5122 nft_chain_commit_update(trans);
5123 else
5124 nft_clear(net, trans->ctx.chain);
5125
5126 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5127 nft_trans_destroy(trans);
5128 break;
5129 case NFT_MSG_DELCHAIN:
5130 list_del_rcu(&trans->ctx.chain->list);
5131 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5132 nf_tables_unregister_hooks(trans->ctx.net,
5133 trans->ctx.table,
5134 trans->ctx.chain,
5135 trans->ctx.afi->nops);
5136 break;
5137 case NFT_MSG_NEWRULE:
5138 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5139 nf_tables_rule_notify(&trans->ctx,
5140 nft_trans_rule(trans),
5141 NFT_MSG_NEWRULE);
5142 nft_trans_destroy(trans);
5143 break;
5144 case NFT_MSG_DELRULE:
5145 list_del_rcu(&nft_trans_rule(trans)->list);
5146 nf_tables_rule_notify(&trans->ctx,
5147 nft_trans_rule(trans),
5148 NFT_MSG_DELRULE);
5149 break;
5150 case NFT_MSG_NEWSET:
5151 nft_clear(net, nft_trans_set(trans));
5152
5153
5154
5155 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
5156 !list_empty(&nft_trans_set(trans)->bindings))
5157 trans->ctx.table->use--;
5158
5159 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5160 NFT_MSG_NEWSET, GFP_KERNEL);
5161 nft_trans_destroy(trans);
5162 break;
5163 case NFT_MSG_DELSET:
5164 list_del_rcu(&nft_trans_set(trans)->list);
5165 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5166 NFT_MSG_DELSET, GFP_KERNEL);
5167 break;
5168 case NFT_MSG_NEWSETELEM:
5169 te = (struct nft_trans_elem *)trans->data;
5170
5171 te->set->ops->activate(net, te->set, &te->elem);
5172 nf_tables_setelem_notify(&trans->ctx, te->set,
5173 &te->elem,
5174 NFT_MSG_NEWSETELEM, 0);
5175 nft_trans_destroy(trans);
5176 break;
5177 case NFT_MSG_DELSETELEM:
5178 te = (struct nft_trans_elem *)trans->data;
5179
5180 nf_tables_setelem_notify(&trans->ctx, te->set,
5181 &te->elem,
5182 NFT_MSG_DELSETELEM, 0);
5183 te->set->ops->remove(net, te->set, &te->elem);
5184 atomic_dec(&te->set->nelems);
5185 te->set->ndeact--;
5186 break;
5187 case NFT_MSG_NEWOBJ:
5188 nft_clear(net, nft_trans_obj(trans));
5189 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5190 NFT_MSG_NEWOBJ);
5191 nft_trans_destroy(trans);
5192 break;
5193 case NFT_MSG_DELOBJ:
5194 list_del_rcu(&nft_trans_obj(trans)->list);
5195 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5196 NFT_MSG_DELOBJ);
5197 break;
5198 }
5199 }
5200
5201 synchronize_rcu();
5202
5203 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5204 list_del(&trans->list);
5205 nf_tables_commit_release(trans);
5206 }
5207
5208 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5209
5210 return 0;
5211}
5212
5213static void nf_tables_abort_release(struct nft_trans *trans)
5214{
5215 switch (trans->msg_type) {
5216 case NFT_MSG_NEWTABLE:
5217 nf_tables_table_destroy(&trans->ctx);
5218 break;
5219 case NFT_MSG_NEWCHAIN:
5220 nf_tables_chain_destroy(trans->ctx.chain);
5221 break;
5222 case NFT_MSG_NEWRULE:
5223 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5224 break;
5225 case NFT_MSG_NEWSET:
5226 nft_set_destroy(nft_trans_set(trans));
5227 break;
5228 case NFT_MSG_NEWSETELEM:
5229 nft_set_elem_destroy(nft_trans_elem_set(trans),
5230 nft_trans_elem(trans).priv, true);
5231 break;
5232 case NFT_MSG_NEWOBJ:
5233 nft_obj_destroy(nft_trans_obj(trans));
5234 break;
5235 }
5236 kfree(trans);
5237}
5238
5239static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5240{
5241 struct nft_trans *trans, *next;
5242 struct nft_trans_elem *te;
5243
5244 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5245 list) {
5246 switch (trans->msg_type) {
5247 case NFT_MSG_NEWTABLE:
5248 if (nft_trans_table_update(trans)) {
5249 if (nft_trans_table_enable(trans)) {
5250 nf_tables_table_disable(net,
5251 trans->ctx.afi,
5252 trans->ctx.table);
5253 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5254 }
5255 nft_trans_destroy(trans);
5256 } else {
5257 list_del_rcu(&trans->ctx.table->list);
5258 }
5259 break;
5260 case NFT_MSG_DELTABLE:
5261 nft_clear(trans->ctx.net, trans->ctx.table);
5262 nft_trans_destroy(trans);
5263 break;
5264 case NFT_MSG_NEWCHAIN:
5265 if (nft_trans_chain_update(trans)) {
5266 free_percpu(nft_trans_chain_stats(trans));
5267
5268 nft_trans_destroy(trans);
5269 } else {
5270 trans->ctx.table->use--;
5271 list_del_rcu(&trans->ctx.chain->list);
5272 nf_tables_unregister_hooks(trans->ctx.net,
5273 trans->ctx.table,
5274 trans->ctx.chain,
5275 trans->ctx.afi->nops);
5276 }
5277 break;
5278 case NFT_MSG_DELCHAIN:
5279 trans->ctx.table->use++;
5280 nft_clear(trans->ctx.net, trans->ctx.chain);
5281 nft_trans_destroy(trans);
5282 break;
5283 case NFT_MSG_NEWRULE:
5284 trans->ctx.chain->use--;
5285 list_del_rcu(&nft_trans_rule(trans)->list);
5286 break;
5287 case NFT_MSG_DELRULE:
5288 trans->ctx.chain->use++;
5289 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5290 nft_trans_destroy(trans);
5291 break;
5292 case NFT_MSG_NEWSET:
5293 trans->ctx.table->use--;
5294 list_del_rcu(&nft_trans_set(trans)->list);
5295 break;
5296 case NFT_MSG_DELSET:
5297 trans->ctx.table->use++;
5298 nft_clear(trans->ctx.net, nft_trans_set(trans));
5299 nft_trans_destroy(trans);
5300 break;
5301 case NFT_MSG_NEWSETELEM:
5302 te = (struct nft_trans_elem *)trans->data;
5303
5304 te->set->ops->remove(net, te->set, &te->elem);
5305 atomic_dec(&te->set->nelems);
5306 break;
5307 case NFT_MSG_DELSETELEM:
5308 te = (struct nft_trans_elem *)trans->data;
5309
5310 nft_set_elem_activate(net, te->set, &te->elem);
5311 te->set->ops->activate(net, te->set, &te->elem);
5312 te->set->ndeact--;
5313
5314 nft_trans_destroy(trans);
5315 break;
5316 case NFT_MSG_NEWOBJ:
5317 trans->ctx.table->use--;
5318 list_del_rcu(&nft_trans_obj(trans)->list);
5319 break;
5320 case NFT_MSG_DELOBJ:
5321 trans->ctx.table->use++;
5322 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5323 nft_trans_destroy(trans);
5324 break;
5325 }
5326 }
5327
5328 synchronize_rcu();
5329
5330 list_for_each_entry_safe_reverse(trans, next,
5331 &net->nft.commit_list, list) {
5332 list_del(&trans->list);
5333 nf_tables_abort_release(trans);
5334 }
5335
5336 return 0;
5337}
5338
5339static bool nf_tables_valid_genid(struct net *net, u32 genid)
5340{
5341 return net->nft.base_seq == genid;
5342}
5343
5344static const struct nfnetlink_subsystem nf_tables_subsys = {
5345 .name = "nf_tables",
5346 .subsys_id = NFNL_SUBSYS_NFTABLES,
5347 .cb_count = NFT_MSG_MAX,
5348 .cb = nf_tables_cb,
5349 .commit = nf_tables_commit,
5350 .abort = nf_tables_abort,
5351 .valid_genid = nf_tables_valid_genid,
5352};
5353
5354int nft_chain_validate_dependency(const struct nft_chain *chain,
5355 enum nft_chain_type type)
5356{
5357 const struct nft_base_chain *basechain;
5358
5359 if (nft_is_base_chain(chain)) {
5360 basechain = nft_base_chain(chain);
5361 if (basechain->type->type != type)
5362 return -EOPNOTSUPP;
5363 }
5364 return 0;
5365}
5366EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
5367
5368int nft_chain_validate_hooks(const struct nft_chain *chain,
5369 unsigned int hook_flags)
5370{
5371 struct nft_base_chain *basechain;
5372
5373 if (nft_is_base_chain(chain)) {
5374 basechain = nft_base_chain(chain);
5375
5376 if ((1 << basechain->ops[0].hooknum) & hook_flags)
5377 return 0;
5378
5379 return -EOPNOTSUPP;
5380 }
5381
5382 return 0;
5383}
5384EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
5385
5386
5387
5388
5389
5390
5391
5392
5393
5394
5395static int nf_tables_check_loops(const struct nft_ctx *ctx,
5396 const struct nft_chain *chain);
5397
5398static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
5399 struct nft_set *set,
5400 const struct nft_set_iter *iter,
5401 struct nft_set_elem *elem)
5402{
5403 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5404 const struct nft_data *data;
5405
5406 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5407 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
5408 return 0;
5409
5410 data = nft_set_ext_data(ext);
5411 switch (data->verdict.code) {
5412 case NFT_JUMP:
5413 case NFT_GOTO:
5414 return nf_tables_check_loops(ctx, data->verdict.chain);
5415 default:
5416 return 0;
5417 }
5418}
5419
5420static int nf_tables_check_loops(const struct nft_ctx *ctx,
5421 const struct nft_chain *chain)
5422{
5423 const struct nft_rule *rule;
5424 const struct nft_expr *expr, *last;
5425 struct nft_set *set;
5426 struct nft_set_binding *binding;
5427 struct nft_set_iter iter;
5428
5429 if (ctx->chain == chain)
5430 return -ELOOP;
5431
5432 list_for_each_entry(rule, &chain->rules, list) {
5433 nft_rule_for_each_expr(expr, last, rule) {
5434 const struct nft_data *data = NULL;
5435 int err;
5436
5437 if (!expr->ops->validate)
5438 continue;
5439
5440 err = expr->ops->validate(ctx, expr, &data);
5441 if (err < 0)
5442 return err;
5443
5444 if (data == NULL)
5445 continue;
5446
5447 switch (data->verdict.code) {
5448 case NFT_JUMP:
5449 case NFT_GOTO:
5450 err = nf_tables_check_loops(ctx,
5451 data->verdict.chain);
5452 if (err < 0)
5453 return err;
5454 default:
5455 break;
5456 }
5457 }
5458 }
5459
5460 list_for_each_entry(set, &ctx->table->sets, list) {
5461 if (!nft_is_active_next(ctx->net, set))
5462 continue;
5463 if (!(set->flags & NFT_SET_MAP) ||
5464 set->dtype != NFT_DATA_VERDICT)
5465 continue;
5466
5467 list_for_each_entry(binding, &set->bindings, list) {
5468 if (!(binding->flags & NFT_SET_MAP) ||
5469 binding->chain != chain)
5470 continue;
5471
5472 iter.genmask = nft_genmask_next(ctx->net);
5473 iter.skip = 0;
5474 iter.count = 0;
5475 iter.err = 0;
5476 iter.fn = nf_tables_loop_check_setelem;
5477
5478 set->ops->walk(ctx, set, &iter);
5479 if (iter.err < 0)
5480 return iter.err;
5481 }
5482 }
5483
5484 return 0;
5485}
5486
5487
5488
5489
5490
5491
5492
5493
5494
5495
5496
5497
5498
5499int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
5500{
5501 u32 val;
5502
5503 val = ntohl(nla_get_be32(attr));
5504 if (val > max)
5505 return -ERANGE;
5506
5507 *dest = val;
5508 return 0;
5509}
5510EXPORT_SYMBOL_GPL(nft_parse_u32_check);
5511
5512
5513
5514
5515
5516
5517
5518
5519
5520
5521unsigned int nft_parse_register(const struct nlattr *attr)
5522{
5523 unsigned int reg;
5524
5525 reg = ntohl(nla_get_be32(attr));
5526 switch (reg) {
5527 case NFT_REG_VERDICT...NFT_REG_4:
5528 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
5529 default:
5530 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
5531 }
5532}
5533EXPORT_SYMBOL_GPL(nft_parse_register);
5534
5535
5536
5537
5538
5539
5540
5541
5542
5543
5544
5545
5546int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
5547{
5548 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
5549 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
5550 else
5551 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
5552
5553 return nla_put_be32(skb, attr, htonl(reg));
5554}
5555EXPORT_SYMBOL_GPL(nft_dump_register);
5556
5557
5558
5559
5560
5561
5562
5563
5564
5565
5566int nft_validate_register_load(enum nft_registers reg, unsigned int len)
5567{
5568 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5569 return -EINVAL;
5570 if (len == 0)
5571 return -EINVAL;
5572 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
5573 return -ERANGE;
5574
5575 return 0;
5576}
5577EXPORT_SYMBOL_GPL(nft_validate_register_load);
5578
5579
5580
5581
5582
5583
5584
5585
5586
5587
5588
5589
5590
5591
5592
5593int nft_validate_register_store(const struct nft_ctx *ctx,
5594 enum nft_registers reg,
5595 const struct nft_data *data,
5596 enum nft_data_types type, unsigned int len)
5597{
5598 int err;
5599
5600 switch (reg) {
5601 case NFT_REG_VERDICT:
5602 if (type != NFT_DATA_VERDICT)
5603 return -EINVAL;
5604
5605 if (data != NULL &&
5606 (data->verdict.code == NFT_GOTO ||
5607 data->verdict.code == NFT_JUMP)) {
5608 err = nf_tables_check_loops(ctx, data->verdict.chain);
5609 if (err < 0)
5610 return err;
5611
5612 if (ctx->chain->level + 1 >
5613 data->verdict.chain->level) {
5614 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
5615 return -EMLINK;
5616 data->verdict.chain->level = ctx->chain->level + 1;
5617 }
5618 }
5619
5620 return 0;
5621 default:
5622 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5623 return -EINVAL;
5624 if (len == 0)
5625 return -EINVAL;
5626 if (reg * NFT_REG32_SIZE + len >
5627 FIELD_SIZEOF(struct nft_regs, data))
5628 return -ERANGE;
5629
5630 if (data != NULL && type != NFT_DATA_VALUE)
5631 return -EINVAL;
5632 return 0;
5633 }
5634}
5635EXPORT_SYMBOL_GPL(nft_validate_register_store);
5636
5637static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
5638 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
5639 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
5640 .len = NFT_CHAIN_MAXNAMELEN - 1 },
5641};
5642
5643static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
5644 struct nft_data_desc *desc, const struct nlattr *nla)
5645{
5646 u8 genmask = nft_genmask_next(ctx->net);
5647 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
5648 struct nft_chain *chain;
5649 int err;
5650
5651 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
5652 NULL);
5653 if (err < 0)
5654 return err;
5655
5656 if (!tb[NFTA_VERDICT_CODE])
5657 return -EINVAL;
5658 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
5659
5660 switch (data->verdict.code) {
5661 default:
5662 switch (data->verdict.code & NF_VERDICT_MASK) {
5663 case NF_ACCEPT:
5664 case NF_DROP:
5665 case NF_QUEUE:
5666 break;
5667 default:
5668 return -EINVAL;
5669 }
5670
5671 case NFT_CONTINUE:
5672 case NFT_BREAK:
5673 case NFT_RETURN:
5674 break;
5675 case NFT_JUMP:
5676 case NFT_GOTO:
5677 if (!tb[NFTA_VERDICT_CHAIN])
5678 return -EINVAL;
5679 chain = nf_tables_chain_lookup(ctx->table,
5680 tb[NFTA_VERDICT_CHAIN], genmask);
5681 if (IS_ERR(chain))
5682 return PTR_ERR(chain);
5683 if (nft_is_base_chain(chain))
5684 return -EOPNOTSUPP;
5685
5686 chain->use++;
5687 data->verdict.chain = chain;
5688 break;
5689 }
5690
5691 desc->len = sizeof(data->verdict);
5692 desc->type = NFT_DATA_VERDICT;
5693 return 0;
5694}
5695
5696static void nft_verdict_uninit(const struct nft_data *data)
5697{
5698 switch (data->verdict.code) {
5699 case NFT_JUMP:
5700 case NFT_GOTO:
5701 data->verdict.chain->use--;
5702 break;
5703 }
5704}
5705
5706int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
5707{
5708 struct nlattr *nest;
5709
5710 nest = nla_nest_start(skb, type);
5711 if (!nest)
5712 goto nla_put_failure;
5713
5714 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
5715 goto nla_put_failure;
5716
5717 switch (v->code) {
5718 case NFT_JUMP:
5719 case NFT_GOTO:
5720 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
5721 v->chain->name))
5722 goto nla_put_failure;
5723 }
5724 nla_nest_end(skb, nest);
5725 return 0;
5726
5727nla_put_failure:
5728 return -1;
5729}
5730
5731static int nft_value_init(const struct nft_ctx *ctx,
5732 struct nft_data *data, unsigned int size,
5733 struct nft_data_desc *desc, const struct nlattr *nla)
5734{
5735 unsigned int len;
5736
5737 len = nla_len(nla);
5738 if (len == 0)
5739 return -EINVAL;
5740 if (len > size)
5741 return -EOVERFLOW;
5742
5743 nla_memcpy(data->data, nla, len);
5744 desc->type = NFT_DATA_VALUE;
5745 desc->len = len;
5746 return 0;
5747}
5748
5749static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
5750 unsigned int len)
5751{
5752 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
5753}
5754
5755static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
5756 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
5757 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
5758};
5759
5760
5761
5762
5763
5764
5765
5766
5767
5768
5769
5770
5771
5772
5773
5774
5775int nft_data_init(const struct nft_ctx *ctx,
5776 struct nft_data *data, unsigned int size,
5777 struct nft_data_desc *desc, const struct nlattr *nla)
5778{
5779 struct nlattr *tb[NFTA_DATA_MAX + 1];
5780 int err;
5781
5782 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
5783 if (err < 0)
5784 return err;
5785
5786 if (tb[NFTA_DATA_VALUE])
5787 return nft_value_init(ctx, data, size, desc,
5788 tb[NFTA_DATA_VALUE]);
5789 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
5790 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
5791 return -EINVAL;
5792}
5793EXPORT_SYMBOL_GPL(nft_data_init);
5794
5795
5796
5797
5798
5799
5800
5801
5802
5803
5804void nft_data_release(const struct nft_data *data, enum nft_data_types type)
5805{
5806 if (type < NFT_DATA_VERDICT)
5807 return;
5808 switch (type) {
5809 case NFT_DATA_VERDICT:
5810 return nft_verdict_uninit(data);
5811 default:
5812 WARN_ON(1);
5813 }
5814}
5815EXPORT_SYMBOL_GPL(nft_data_release);
5816
5817int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
5818 enum nft_data_types type, unsigned int len)
5819{
5820 struct nlattr *nest;
5821 int err;
5822
5823 nest = nla_nest_start(skb, attr);
5824 if (nest == NULL)
5825 return -1;
5826
5827 switch (type) {
5828 case NFT_DATA_VALUE:
5829 err = nft_value_dump(skb, data, len);
5830 break;
5831 case NFT_DATA_VERDICT:
5832 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
5833 break;
5834 default:
5835 err = -EINVAL;
5836 WARN_ON(1);
5837 }
5838
5839 nla_nest_end(skb, nest);
5840 return err;
5841}
5842EXPORT_SYMBOL_GPL(nft_data_dump);
5843
5844static int __net_init nf_tables_init_net(struct net *net)
5845{
5846 INIT_LIST_HEAD(&net->nft.af_info);
5847 INIT_LIST_HEAD(&net->nft.commit_list);
5848 net->nft.base_seq = 1;
5849 return 0;
5850}
5851
5852static void __net_exit nf_tables_exit_net(struct net *net)
5853{
5854 WARN_ON_ONCE(!list_empty(&net->nft.af_info));
5855 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
5856}
5857
5858int __nft_release_basechain(struct nft_ctx *ctx)
5859{
5860 struct nft_rule *rule, *nr;
5861
5862 BUG_ON(!nft_is_base_chain(ctx->chain));
5863
5864 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
5865 ctx->afi->nops);
5866 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
5867 list_del(&rule->list);
5868 ctx->chain->use--;
5869 nf_tables_rule_destroy(ctx, rule);
5870 }
5871 list_del(&ctx->chain->list);
5872 ctx->table->use--;
5873 nf_tables_chain_destroy(ctx->chain);
5874
5875 return 0;
5876}
5877EXPORT_SYMBOL_GPL(__nft_release_basechain);
5878
5879
5880static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
5881{
5882 struct nft_table *table, *nt;
5883 struct nft_chain *chain, *nc;
5884 struct nft_object *obj, *ne;
5885 struct nft_rule *rule, *nr;
5886 struct nft_set *set, *ns;
5887 struct nft_ctx ctx = {
5888 .net = net,
5889 .afi = afi,
5890 };
5891
5892 list_for_each_entry_safe(table, nt, &afi->tables, list) {
5893 list_for_each_entry(chain, &table->chains, list)
5894 nf_tables_unregister_hooks(net, table, chain,
5895 afi->nops);
5896
5897 ctx.table = table;
5898 list_for_each_entry(chain, &table->chains, list) {
5899 ctx.chain = chain;
5900 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
5901 list_del(&rule->list);
5902 chain->use--;
5903 nf_tables_rule_destroy(&ctx, rule);
5904 }
5905 }
5906 list_for_each_entry_safe(set, ns, &table->sets, list) {
5907 list_del(&set->list);
5908 table->use--;
5909 nft_set_destroy(set);
5910 }
5911 list_for_each_entry_safe(obj, ne, &table->objects, list) {
5912 list_del(&obj->list);
5913 table->use--;
5914 nft_obj_destroy(obj);
5915 }
5916 list_for_each_entry_safe(chain, nc, &table->chains, list) {
5917 list_del(&chain->list);
5918 table->use--;
5919 nf_tables_chain_destroy(chain);
5920 }
5921 list_del(&table->list);
5922 nf_tables_table_destroy(&ctx);
5923 }
5924}
5925
5926static struct pernet_operations nf_tables_net_ops = {
5927 .init = nf_tables_init_net,
5928 .exit = nf_tables_exit_net,
5929};
5930
5931static int __init nf_tables_module_init(void)
5932{
5933 int err;
5934
5935 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
5936 GFP_KERNEL);
5937 if (info == NULL) {
5938 err = -ENOMEM;
5939 goto err1;
5940 }
5941
5942 err = nf_tables_core_module_init();
5943 if (err < 0)
5944 goto err2;
5945
5946 err = nfnetlink_subsys_register(&nf_tables_subsys);
5947 if (err < 0)
5948 goto err3;
5949
5950 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
5951 return register_pernet_subsys(&nf_tables_net_ops);
5952err3:
5953 nf_tables_core_module_exit();
5954err2:
5955 kfree(info);
5956err1:
5957 return err;
5958}
5959
5960static void __exit nf_tables_module_exit(void)
5961{
5962 unregister_pernet_subsys(&nf_tables_net_ops);
5963 nfnetlink_subsys_unregister(&nf_tables_subsys);
5964 rcu_barrier();
5965 nf_tables_core_module_exit();
5966 kfree(info);
5967}
5968
5969module_init(nf_tables_module_init);
5970module_exit(nf_tables_module_exit);
5971
5972MODULE_LICENSE("GPL");
5973MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
5974MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
5975
