1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/vmalloc.h>
17#include <linux/netfilter.h>
18#include <linux/netfilter/nfnetlink.h>
19#include <linux/netfilter/nf_tables.h>
20#include <net/netfilter/nf_flow_table.h>
21#include <net/netfilter/nf_tables_core.h>
22#include <net/netfilter/nf_tables.h>
23#include <net/net_namespace.h>
24#include <net/sock.h>
25
26static LIST_HEAD(nf_tables_expressions);
27static LIST_HEAD(nf_tables_objects);
28static LIST_HEAD(nf_tables_flowtables);
29static u64 table_handle;
30
31enum {
32 NFT_VALIDATE_SKIP = 0,
33 NFT_VALIDATE_NEED,
34 NFT_VALIDATE_DO,
35};
36
37static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
38static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
39static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
40
41static const struct rhashtable_params nft_chain_ht_params = {
42 .head_offset = offsetof(struct nft_chain, rhlhead),
43 .key_offset = offsetof(struct nft_chain, name),
44 .hashfn = nft_chain_hash,
45 .obj_hashfn = nft_chain_hash_obj,
46 .obj_cmpfn = nft_chain_hash_cmp,
47 .locks_mul = 1,
48 .automatic_shrinking = true,
49};
50
51static void nft_validate_state_update(struct net *net, u8 new_validate_state)
52{
53 switch (net->nft.validate_state) {
54 case NFT_VALIDATE_SKIP:
55 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
56 break;
57 case NFT_VALIDATE_NEED:
58 break;
59 case NFT_VALIDATE_DO:
60 if (new_validate_state == NFT_VALIDATE_NEED)
61 return;
62 }
63
64 net->nft.validate_state = new_validate_state;
65}
66
67static void nft_ctx_init(struct nft_ctx *ctx,
68 struct net *net,
69 const struct sk_buff *skb,
70 const struct nlmsghdr *nlh,
71 u8 family,
72 struct nft_table *table,
73 struct nft_chain *chain,
74 const struct nlattr * const *nla)
75{
76 ctx->net = net;
77 ctx->family = family;
78 ctx->level = 0;
79 ctx->table = table;
80 ctx->chain = chain;
81 ctx->nla = nla;
82 ctx->portid = NETLINK_CB(skb).portid;
83 ctx->report = nlmsg_report(nlh);
84 ctx->seq = nlh->nlmsg_seq;
85}
86
87static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
88 int msg_type, u32 size, gfp_t gfp)
89{
90 struct nft_trans *trans;
91
92 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
93 if (trans == NULL)
94 return NULL;
95
96 trans->msg_type = msg_type;
97 trans->ctx = *ctx;
98
99 return trans;
100}
101
102static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
103 int msg_type, u32 size)
104{
105 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
106}
107
108static void nft_trans_destroy(struct nft_trans *trans)
109{
110 list_del(&trans->list);
111 kfree(trans);
112}
113
114static int nf_tables_register_hook(struct net *net,
115 const struct nft_table *table,
116 struct nft_chain *chain)
117{
118 const struct nft_base_chain *basechain;
119 const struct nf_hook_ops *ops;
120
121 if (table->flags & NFT_TABLE_F_DORMANT ||
122 !nft_is_base_chain(chain))
123 return 0;
124
125 basechain = nft_base_chain(chain);
126 ops = &basechain->ops;
127
128 if (basechain->type->ops_register)
129 return basechain->type->ops_register(net, ops);
130
131 return nf_register_net_hook(net, ops);
132}
133
134static void nf_tables_unregister_hook(struct net *net,
135 const struct nft_table *table,
136 struct nft_chain *chain)
137{
138 const struct nft_base_chain *basechain;
139 const struct nf_hook_ops *ops;
140
141 if (table->flags & NFT_TABLE_F_DORMANT ||
142 !nft_is_base_chain(chain))
143 return;
144 basechain = nft_base_chain(chain);
145 ops = &basechain->ops;
146
147 if (basechain->type->ops_unregister)
148 return basechain->type->ops_unregister(net, ops);
149
150 nf_unregister_net_hook(net, ops);
151}
152
153static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
154{
155 struct nft_trans *trans;
156
157 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
158 if (trans == NULL)
159 return -ENOMEM;
160
161 if (msg_type == NFT_MSG_NEWTABLE)
162 nft_activate_next(ctx->net, ctx->table);
163
164 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
165 return 0;
166}
167
168static int nft_deltable(struct nft_ctx *ctx)
169{
170 int err;
171
172 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
173 if (err < 0)
174 return err;
175
176 nft_deactivate_next(ctx->net, ctx->table);
177 return err;
178}
179
180static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
181{
182 struct nft_trans *trans;
183
184 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
185 if (trans == NULL)
186 return -ENOMEM;
187
188 if (msg_type == NFT_MSG_NEWCHAIN)
189 nft_activate_next(ctx->net, ctx->chain);
190
191 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
192 return 0;
193}
194
195static int nft_delchain(struct nft_ctx *ctx)
196{
197 int err;
198
199 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
200 if (err < 0)
201 return err;
202
203 ctx->table->use--;
204 nft_deactivate_next(ctx->net, ctx->chain);
205
206 return err;
207}
208
209static void nft_rule_expr_activate(const struct nft_ctx *ctx,
210 struct nft_rule *rule)
211{
212 struct nft_expr *expr;
213
214 expr = nft_expr_first(rule);
215 while (expr != nft_expr_last(rule) && expr->ops) {
216 if (expr->ops->activate)
217 expr->ops->activate(ctx, expr);
218
219 expr = nft_expr_next(expr);
220 }
221}
222
223static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
224 struct nft_rule *rule)
225{
226 struct nft_expr *expr;
227
228 expr = nft_expr_first(rule);
229 while (expr != nft_expr_last(rule) && expr->ops) {
230 if (expr->ops->deactivate)
231 expr->ops->deactivate(ctx, expr);
232
233 expr = nft_expr_next(expr);
234 }
235}
236
237static int
238nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
239{
240
241 if (nft_is_active_next(ctx->net, rule)) {
242 nft_deactivate_next(ctx->net, rule);
243 ctx->chain->use--;
244 return 0;
245 }
246 return -ENOENT;
247}
248
249static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
250 struct nft_rule *rule)
251{
252 struct nft_trans *trans;
253
254 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
255 if (trans == NULL)
256 return NULL;
257
258 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
259 nft_trans_rule_id(trans) =
260 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
261 }
262 nft_trans_rule(trans) = rule;
263 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
264
265 return trans;
266}
267
268static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
269{
270 struct nft_trans *trans;
271 int err;
272
273 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
274 if (trans == NULL)
275 return -ENOMEM;
276
277 err = nf_tables_delrule_deactivate(ctx, rule);
278 if (err < 0) {
279 nft_trans_destroy(trans);
280 return err;
281 }
282 nft_rule_expr_deactivate(ctx, rule);
283
284 return 0;
285}
286
287static int nft_delrule_by_chain(struct nft_ctx *ctx)
288{
289 struct nft_rule *rule;
290 int err;
291
292 list_for_each_entry(rule, &ctx->chain->rules, list) {
293 err = nft_delrule(ctx, rule);
294 if (err < 0)
295 return err;
296 }
297 return 0;
298}
299
300static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
301 struct nft_set *set)
302{
303 struct nft_trans *trans;
304
305 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
306 if (trans == NULL)
307 return -ENOMEM;
308
309 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
310 nft_trans_set_id(trans) =
311 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
312 nft_activate_next(ctx->net, set);
313 }
314 nft_trans_set(trans) = set;
315 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
316
317 return 0;
318}
319
320static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
321{
322 int err;
323
324 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
325 if (err < 0)
326 return err;
327
328 nft_deactivate_next(ctx->net, set);
329 ctx->table->use--;
330
331 return err;
332}
333
334static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
335 struct nft_object *obj)
336{
337 struct nft_trans *trans;
338
339 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
340 if (trans == NULL)
341 return -ENOMEM;
342
343 if (msg_type == NFT_MSG_NEWOBJ)
344 nft_activate_next(ctx->net, obj);
345
346 nft_trans_obj(trans) = obj;
347 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
348
349 return 0;
350}
351
352static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
353{
354 int err;
355
356 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
357 if (err < 0)
358 return err;
359
360 nft_deactivate_next(ctx->net, obj);
361 ctx->table->use--;
362
363 return err;
364}
365
366static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
367 struct nft_flowtable *flowtable)
368{
369 struct nft_trans *trans;
370
371 trans = nft_trans_alloc(ctx, msg_type,
372 sizeof(struct nft_trans_flowtable));
373 if (trans == NULL)
374 return -ENOMEM;
375
376 if (msg_type == NFT_MSG_NEWFLOWTABLE)
377 nft_activate_next(ctx->net, flowtable);
378
379 nft_trans_flowtable(trans) = flowtable;
380 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
381
382 return 0;
383}
384
385static int nft_delflowtable(struct nft_ctx *ctx,
386 struct nft_flowtable *flowtable)
387{
388 int err;
389
390 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
391 if (err < 0)
392 return err;
393
394 nft_deactivate_next(ctx->net, flowtable);
395 ctx->table->use--;
396
397 return err;
398}
399
400
401
402
403
404static struct nft_table *nft_table_lookup(const struct net *net,
405 const struct nlattr *nla,
406 u8 family, u8 genmask)
407{
408 struct nft_table *table;
409
410 if (nla == NULL)
411 return ERR_PTR(-EINVAL);
412
413 list_for_each_entry_rcu(table, &net->nft.tables, list) {
414 if (!nla_strcmp(nla, table->name) &&
415 table->family == family &&
416 nft_active_genmask(table, genmask))
417 return table;
418 }
419
420 return ERR_PTR(-ENOENT);
421}
422
423static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
424 const struct nlattr *nla,
425 u8 genmask)
426{
427 struct nft_table *table;
428
429 list_for_each_entry(table, &net->nft.tables, list) {
430 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
431 nft_active_genmask(table, genmask))
432 return table;
433 }
434
435 return ERR_PTR(-ENOENT);
436}
437
438static inline u64 nf_tables_alloc_handle(struct nft_table *table)
439{
440 return ++table->hgenerator;
441}
442
443static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
444
445static const struct nft_chain_type *
446__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
447{
448 int i;
449
450 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
451 if (chain_type[family][i] != NULL &&
452 !nla_strcmp(nla, chain_type[family][i]->name))
453 return chain_type[family][i];
454 }
455 return NULL;
456}
457
458static const struct nft_chain_type *
459nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
460{
461 const struct nft_chain_type *type;
462
463 type = __nf_tables_chain_type_lookup(nla, family);
464 if (type != NULL)
465 return type;
466#ifdef CONFIG_MODULES
467 if (autoload) {
468 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
469 request_module("nft-chain-%u-%.*s", family,
470 nla_len(nla), (const char *)nla_data(nla));
471 nfnl_lock(NFNL_SUBSYS_NFTABLES);
472 type = __nf_tables_chain_type_lookup(nla, family);
473 if (type != NULL)
474 return ERR_PTR(-EAGAIN);
475 }
476#endif
477 return ERR_PTR(-ENOENT);
478}
479
480static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
481 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
482 .len = NFT_TABLE_MAXNAMELEN - 1 },
483 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
484 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
485};
486
487static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
488 u32 portid, u32 seq, int event, u32 flags,
489 int family, const struct nft_table *table)
490{
491 struct nlmsghdr *nlh;
492 struct nfgenmsg *nfmsg;
493
494 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
495 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
496 if (nlh == NULL)
497 goto nla_put_failure;
498
499 nfmsg = nlmsg_data(nlh);
500 nfmsg->nfgen_family = family;
501 nfmsg->version = NFNETLINK_V0;
502 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
503
504 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
505 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
506 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
507 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
508 NFTA_TABLE_PAD))
509 goto nla_put_failure;
510
511 nlmsg_end(skb, nlh);
512 return 0;
513
514nla_put_failure:
515 nlmsg_trim(skb, nlh);
516 return -1;
517}
518
519static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
520{
521 struct sk_buff *skb;
522 int err;
523
524 if (!ctx->report &&
525 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
526 return;
527
528 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
529 if (skb == NULL)
530 goto err;
531
532 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
533 event, 0, ctx->family, ctx->table);
534 if (err < 0) {
535 kfree_skb(skb);
536 goto err;
537 }
538
539 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
540 ctx->report, GFP_KERNEL);
541 return;
542err:
543 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
544}
545
546static int nf_tables_dump_tables(struct sk_buff *skb,
547 struct netlink_callback *cb)
548{
549 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
550 const struct nft_table *table;
551 unsigned int idx = 0, s_idx = cb->args[0];
552 struct net *net = sock_net(skb->sk);
553 int family = nfmsg->nfgen_family;
554
555 rcu_read_lock();
556 cb->seq = net->nft.base_seq;
557
558 list_for_each_entry_rcu(table, &net->nft.tables, list) {
559 if (family != NFPROTO_UNSPEC && family != table->family)
560 continue;
561
562 if (idx < s_idx)
563 goto cont;
564 if (idx > s_idx)
565 memset(&cb->args[1], 0,
566 sizeof(cb->args) - sizeof(cb->args[0]));
567 if (!nft_is_active(net, table))
568 continue;
569 if (nf_tables_fill_table_info(skb, net,
570 NETLINK_CB(cb->skb).portid,
571 cb->nlh->nlmsg_seq,
572 NFT_MSG_NEWTABLE, NLM_F_MULTI,
573 table->family, table) < 0)
574 goto done;
575
576 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
577cont:
578 idx++;
579 }
580done:
581 rcu_read_unlock();
582 cb->args[0] = idx;
583 return skb->len;
584}
585
586static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
587 const struct nlmsghdr *nlh,
588 struct netlink_dump_control *c)
589{
590 int err;
591
592 if (!try_module_get(THIS_MODULE))
593 return -EINVAL;
594
595 rcu_read_unlock();
596 err = netlink_dump_start(nlsk, skb, nlh, c);
597 rcu_read_lock();
598 module_put(THIS_MODULE);
599
600 return err;
601}
602
603
604static int nf_tables_gettable(struct net *net, struct sock *nlsk,
605 struct sk_buff *skb, const struct nlmsghdr *nlh,
606 const struct nlattr * const nla[],
607 struct netlink_ext_ack *extack)
608{
609 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
610 u8 genmask = nft_genmask_cur(net);
611 const struct nft_table *table;
612 struct sk_buff *skb2;
613 int family = nfmsg->nfgen_family;
614 int err;
615
616 if (nlh->nlmsg_flags & NLM_F_DUMP) {
617 struct netlink_dump_control c = {
618 .dump = nf_tables_dump_tables,
619 .module = THIS_MODULE,
620 };
621
622 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
623 }
624
625 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
626 if (IS_ERR(table)) {
627 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
628 return PTR_ERR(table);
629 }
630
631 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
632 if (!skb2)
633 return -ENOMEM;
634
635 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
636 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
637 family, table);
638 if (err < 0)
639 goto err;
640
641 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
642
643err:
644 kfree_skb(skb2);
645 return err;
646}
647
648static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
649{
650 struct nft_chain *chain;
651 u32 i = 0;
652
653 list_for_each_entry(chain, &table->chains, list) {
654 if (!nft_is_active_next(net, chain))
655 continue;
656 if (!nft_is_base_chain(chain))
657 continue;
658
659 if (cnt && i++ == cnt)
660 break;
661
662 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
663 }
664}
665
666static int nf_tables_table_enable(struct net *net, struct nft_table *table)
667{
668 struct nft_chain *chain;
669 int err, i = 0;
670
671 list_for_each_entry(chain, &table->chains, list) {
672 if (!nft_is_active_next(net, chain))
673 continue;
674 if (!nft_is_base_chain(chain))
675 continue;
676
677 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
678 if (err < 0)
679 goto err;
680
681 i++;
682 }
683 return 0;
684err:
685 if (i)
686 nft_table_disable(net, table, i);
687 return err;
688}
689
690static void nf_tables_table_disable(struct net *net, struct nft_table *table)
691{
692 nft_table_disable(net, table, 0);
693}
694
695static int nf_tables_updtable(struct nft_ctx *ctx)
696{
697 struct nft_trans *trans;
698 u32 flags;
699 int ret = 0;
700
701 if (!ctx->nla[NFTA_TABLE_FLAGS])
702 return 0;
703
704 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
705 if (flags & ~NFT_TABLE_F_DORMANT)
706 return -EINVAL;
707
708 if (flags == ctx->table->flags)
709 return 0;
710
711 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
712 sizeof(struct nft_trans_table));
713 if (trans == NULL)
714 return -ENOMEM;
715
716 if ((flags & NFT_TABLE_F_DORMANT) &&
717 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
718 nft_trans_table_enable(trans) = false;
719 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
720 ctx->table->flags & NFT_TABLE_F_DORMANT) {
721 ret = nf_tables_table_enable(ctx->net, ctx->table);
722 if (ret >= 0) {
723 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
724 nft_trans_table_enable(trans) = true;
725 }
726 }
727 if (ret < 0)
728 goto err;
729
730 nft_trans_table_update(trans) = true;
731 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
732 return 0;
733err:
734 nft_trans_destroy(trans);
735 return ret;
736}
737
738static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
739{
740 const char *name = data;
741
742 return jhash(name, strlen(name), seed);
743}
744
745static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
746{
747 const struct nft_chain *chain = data;
748
749 return nft_chain_hash(chain->name, 0, seed);
750}
751
752static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
753 const void *ptr)
754{
755 const struct nft_chain *chain = ptr;
756 const char *name = arg->key;
757
758 return strcmp(chain->name, name);
759}
760
761static int nf_tables_newtable(struct net *net, struct sock *nlsk,
762 struct sk_buff *skb, const struct nlmsghdr *nlh,
763 const struct nlattr * const nla[],
764 struct netlink_ext_ack *extack)
765{
766 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
767 u8 genmask = nft_genmask_next(net);
768 int family = nfmsg->nfgen_family;
769 const struct nlattr *attr;
770 struct nft_table *table;
771 u32 flags = 0;
772 struct nft_ctx ctx;
773 int err;
774
775 attr = nla[NFTA_TABLE_NAME];
776 table = nft_table_lookup(net, attr, family, genmask);
777 if (IS_ERR(table)) {
778 if (PTR_ERR(table) != -ENOENT)
779 return PTR_ERR(table);
780 } else {
781 if (nlh->nlmsg_flags & NLM_F_EXCL) {
782 NL_SET_BAD_ATTR(extack, attr);
783 return -EEXIST;
784 }
785 if (nlh->nlmsg_flags & NLM_F_REPLACE)
786 return -EOPNOTSUPP;
787
788 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
789 return nf_tables_updtable(&ctx);
790 }
791
792 if (nla[NFTA_TABLE_FLAGS]) {
793 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
794 if (flags & ~NFT_TABLE_F_DORMANT)
795 return -EINVAL;
796 }
797
798 err = -ENOMEM;
799 table = kzalloc(sizeof(*table), GFP_KERNEL);
800 if (table == NULL)
801 goto err_kzalloc;
802
803 table->name = nla_strdup(attr, GFP_KERNEL);
804 if (table->name == NULL)
805 goto err_strdup;
806
807 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
808 if (err)
809 goto err_chain_ht;
810
811 INIT_LIST_HEAD(&table->chains);
812 INIT_LIST_HEAD(&table->sets);
813 INIT_LIST_HEAD(&table->objects);
814 INIT_LIST_HEAD(&table->flowtables);
815 table->family = family;
816 table->flags = flags;
817 table->handle = ++table_handle;
818
819 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
820 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
821 if (err < 0)
822 goto err_trans;
823
824 list_add_tail_rcu(&table->list, &net->nft.tables);
825 return 0;
826err_trans:
827 rhltable_destroy(&table->chains_ht);
828err_chain_ht:
829 kfree(table->name);
830err_strdup:
831 kfree(table);
832err_kzalloc:
833 return err;
834}
835
836static int nft_flush_table(struct nft_ctx *ctx)
837{
838 struct nft_flowtable *flowtable, *nft;
839 struct nft_chain *chain, *nc;
840 struct nft_object *obj, *ne;
841 struct nft_set *set, *ns;
842 int err;
843
844 list_for_each_entry(chain, &ctx->table->chains, list) {
845 if (!nft_is_active_next(ctx->net, chain))
846 continue;
847
848 ctx->chain = chain;
849
850 err = nft_delrule_by_chain(ctx);
851 if (err < 0)
852 goto out;
853 }
854
855 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
856 if (!nft_is_active_next(ctx->net, set))
857 continue;
858
859 if (nft_set_is_anonymous(set) &&
860 !list_empty(&set->bindings))
861 continue;
862
863 err = nft_delset(ctx, set);
864 if (err < 0)
865 goto out;
866 }
867
868 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
869 err = nft_delflowtable(ctx, flowtable);
870 if (err < 0)
871 goto out;
872 }
873
874 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
875 err = nft_delobj(ctx, obj);
876 if (err < 0)
877 goto out;
878 }
879
880 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
881 if (!nft_is_active_next(ctx->net, chain))
882 continue;
883
884 ctx->chain = chain;
885
886 err = nft_delchain(ctx);
887 if (err < 0)
888 goto out;
889 }
890
891 err = nft_deltable(ctx);
892out:
893 return err;
894}
895
896static int nft_flush(struct nft_ctx *ctx, int family)
897{
898 struct nft_table *table, *nt;
899 const struct nlattr * const *nla = ctx->nla;
900 int err = 0;
901
902 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
903 if (family != AF_UNSPEC && table->family != family)
904 continue;
905
906 ctx->family = table->family;
907
908 if (!nft_is_active_next(ctx->net, table))
909 continue;
910
911 if (nla[NFTA_TABLE_NAME] &&
912 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
913 continue;
914
915 ctx->table = table;
916
917 err = nft_flush_table(ctx);
918 if (err < 0)
919 goto out;
920 }
921out:
922 return err;
923}
924
925static int nf_tables_deltable(struct net *net, struct sock *nlsk,
926 struct sk_buff *skb, const struct nlmsghdr *nlh,
927 const struct nlattr * const nla[],
928 struct netlink_ext_ack *extack)
929{
930 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
931 u8 genmask = nft_genmask_next(net);
932 int family = nfmsg->nfgen_family;
933 const struct nlattr *attr;
934 struct nft_table *table;
935 struct nft_ctx ctx;
936
937 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
938 if (family == AF_UNSPEC ||
939 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
940 return nft_flush(&ctx, family);
941
942 if (nla[NFTA_TABLE_HANDLE]) {
943 attr = nla[NFTA_TABLE_HANDLE];
944 table = nft_table_lookup_byhandle(net, attr, genmask);
945 } else {
946 attr = nla[NFTA_TABLE_NAME];
947 table = nft_table_lookup(net, attr, family, genmask);
948 }
949
950 if (IS_ERR(table)) {
951 NL_SET_BAD_ATTR(extack, attr);
952 return PTR_ERR(table);
953 }
954
955 if (nlh->nlmsg_flags & NLM_F_NONREC &&
956 table->use > 0)
957 return -EBUSY;
958
959 ctx.family = family;
960 ctx.table = table;
961
962 return nft_flush_table(&ctx);
963}
964
965static void nf_tables_table_destroy(struct nft_ctx *ctx)
966{
967 BUG_ON(ctx->table->use > 0);
968
969 rhltable_destroy(&ctx->table->chains_ht);
970 kfree(ctx->table->name);
971 kfree(ctx->table);
972}
973
974void nft_register_chain_type(const struct nft_chain_type *ctype)
975{
976 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
977 return;
978
979 nfnl_lock(NFNL_SUBSYS_NFTABLES);
980 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
981 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
982 return;
983 }
984 chain_type[ctype->family][ctype->type] = ctype;
985 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
986}
987EXPORT_SYMBOL_GPL(nft_register_chain_type);
988
989void nft_unregister_chain_type(const struct nft_chain_type *ctype)
990{
991 nfnl_lock(NFNL_SUBSYS_NFTABLES);
992 chain_type[ctype->family][ctype->type] = NULL;
993 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
994}
995EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
996
997
998
999
1000
1001static struct nft_chain *
1002nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1003{
1004 struct nft_chain *chain;
1005
1006 list_for_each_entry(chain, &table->chains, list) {
1007 if (chain->handle == handle &&
1008 nft_active_genmask(chain, genmask))
1009 return chain;
1010 }
1011
1012 return ERR_PTR(-ENOENT);
1013}
1014
1015static struct nft_chain *nft_chain_lookup(struct nft_table *table,
1016 const struct nlattr *nla, u8 genmask)
1017{
1018 char search[NFT_CHAIN_MAXNAMELEN + 1];
1019 struct rhlist_head *tmp, *list;
1020 struct nft_chain *chain;
1021
1022 if (nla == NULL)
1023 return ERR_PTR(-EINVAL);
1024
1025 nla_strlcpy(search, nla, sizeof(search));
1026
1027 WARN_ON(!rcu_read_lock_held() &&
1028 !lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
1029
1030 chain = ERR_PTR(-ENOENT);
1031 rcu_read_lock();
1032 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1033 if (!list)
1034 goto out_unlock;
1035
1036 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1037 if (nft_active_genmask(chain, genmask))
1038 goto out_unlock;
1039 }
1040 chain = ERR_PTR(-ENOENT);
1041out_unlock:
1042 rcu_read_unlock();
1043 return chain;
1044}
1045
1046static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1047 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1048 .len = NFT_TABLE_MAXNAMELEN - 1 },
1049 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1050 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1051 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1052 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1053 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1054 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1055 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1056};
1057
1058static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1059 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1060 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1061 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1062 .len = IFNAMSIZ - 1 },
1063};
1064
1065static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1066{
1067 struct nft_stats *cpu_stats, total;
1068 struct nlattr *nest;
1069 unsigned int seq;
1070 u64 pkts, bytes;
1071 int cpu;
1072
1073 memset(&total, 0, sizeof(total));
1074 for_each_possible_cpu(cpu) {
1075 cpu_stats = per_cpu_ptr(stats, cpu);
1076 do {
1077 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1078 pkts = cpu_stats->pkts;
1079 bytes = cpu_stats->bytes;
1080 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1081 total.pkts += pkts;
1082 total.bytes += bytes;
1083 }
1084 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1085 if (nest == NULL)
1086 goto nla_put_failure;
1087
1088 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1089 NFTA_COUNTER_PAD) ||
1090 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1091 NFTA_COUNTER_PAD))
1092 goto nla_put_failure;
1093
1094 nla_nest_end(skb, nest);
1095 return 0;
1096
1097nla_put_failure:
1098 return -ENOSPC;
1099}
1100
1101static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1102 u32 portid, u32 seq, int event, u32 flags,
1103 int family, const struct nft_table *table,
1104 const struct nft_chain *chain)
1105{
1106 struct nlmsghdr *nlh;
1107 struct nfgenmsg *nfmsg;
1108
1109 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1110 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1111 if (nlh == NULL)
1112 goto nla_put_failure;
1113
1114 nfmsg = nlmsg_data(nlh);
1115 nfmsg->nfgen_family = family;
1116 nfmsg->version = NFNETLINK_V0;
1117 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1118
1119 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1120 goto nla_put_failure;
1121 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1122 NFTA_CHAIN_PAD))
1123 goto nla_put_failure;
1124 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1125 goto nla_put_failure;
1126
1127 if (nft_is_base_chain(chain)) {
1128 const struct nft_base_chain *basechain = nft_base_chain(chain);
1129 const struct nf_hook_ops *ops = &basechain->ops;
1130 struct nlattr *nest;
1131
1132 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1133 if (nest == NULL)
1134 goto nla_put_failure;
1135 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1136 goto nla_put_failure;
1137 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1138 goto nla_put_failure;
1139 if (basechain->dev_name[0] &&
1140 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1141 goto nla_put_failure;
1142 nla_nest_end(skb, nest);
1143
1144 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1145 htonl(basechain->policy)))
1146 goto nla_put_failure;
1147
1148 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1149 goto nla_put_failure;
1150
1151 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1152 goto nla_put_failure;
1153 }
1154
1155 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1156 goto nla_put_failure;
1157
1158 nlmsg_end(skb, nlh);
1159 return 0;
1160
1161nla_put_failure:
1162 nlmsg_trim(skb, nlh);
1163 return -1;
1164}
1165
1166static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1167{
1168 struct sk_buff *skb;
1169 int err;
1170
1171 if (!ctx->report &&
1172 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1173 return;
1174
1175 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1176 if (skb == NULL)
1177 goto err;
1178
1179 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1180 event, 0, ctx->family, ctx->table,
1181 ctx->chain);
1182 if (err < 0) {
1183 kfree_skb(skb);
1184 goto err;
1185 }
1186
1187 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1188 ctx->report, GFP_KERNEL);
1189 return;
1190err:
1191 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1192}
1193
1194static int nf_tables_dump_chains(struct sk_buff *skb,
1195 struct netlink_callback *cb)
1196{
1197 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1198 const struct nft_table *table;
1199 const struct nft_chain *chain;
1200 unsigned int idx = 0, s_idx = cb->args[0];
1201 struct net *net = sock_net(skb->sk);
1202 int family = nfmsg->nfgen_family;
1203
1204 rcu_read_lock();
1205 cb->seq = net->nft.base_seq;
1206
1207 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1208 if (family != NFPROTO_UNSPEC && family != table->family)
1209 continue;
1210
1211 list_for_each_entry_rcu(chain, &table->chains, list) {
1212 if (idx < s_idx)
1213 goto cont;
1214 if (idx > s_idx)
1215 memset(&cb->args[1], 0,
1216 sizeof(cb->args) - sizeof(cb->args[0]));
1217 if (!nft_is_active(net, chain))
1218 continue;
1219 if (nf_tables_fill_chain_info(skb, net,
1220 NETLINK_CB(cb->skb).portid,
1221 cb->nlh->nlmsg_seq,
1222 NFT_MSG_NEWCHAIN,
1223 NLM_F_MULTI,
1224 table->family, table,
1225 chain) < 0)
1226 goto done;
1227
1228 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1229cont:
1230 idx++;
1231 }
1232 }
1233done:
1234 rcu_read_unlock();
1235 cb->args[0] = idx;
1236 return skb->len;
1237}
1238
1239
1240static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1241 struct sk_buff *skb, const struct nlmsghdr *nlh,
1242 const struct nlattr * const nla[],
1243 struct netlink_ext_ack *extack)
1244{
1245 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1246 u8 genmask = nft_genmask_cur(net);
1247 const struct nft_chain *chain;
1248 struct nft_table *table;
1249 struct sk_buff *skb2;
1250 int family = nfmsg->nfgen_family;
1251 int err;
1252
1253 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1254 struct netlink_dump_control c = {
1255 .dump = nf_tables_dump_chains,
1256 .module = THIS_MODULE,
1257 };
1258
1259 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1260 }
1261
1262 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1263 if (IS_ERR(table)) {
1264 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1265 return PTR_ERR(table);
1266 }
1267
1268 chain = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1269 if (IS_ERR(chain)) {
1270 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1271 return PTR_ERR(chain);
1272 }
1273
1274 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1275 if (!skb2)
1276 return -ENOMEM;
1277
1278 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1279 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1280 family, table, chain);
1281 if (err < 0)
1282 goto err;
1283
1284 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1285
1286err:
1287 kfree_skb(skb2);
1288 return err;
1289}
1290
1291static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1292 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1293 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1294};
1295
1296static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1297{
1298 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1299 struct nft_stats __percpu *newstats;
1300 struct nft_stats *stats;
1301 int err;
1302
1303 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1304 NULL);
1305 if (err < 0)
1306 return ERR_PTR(err);
1307
1308 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1309 return ERR_PTR(-EINVAL);
1310
1311 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1312 if (newstats == NULL)
1313 return ERR_PTR(-ENOMEM);
1314
1315
1316
1317
1318 preempt_disable();
1319 stats = this_cpu_ptr(newstats);
1320 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1321 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1322 preempt_enable();
1323
1324 return newstats;
1325}
1326
1327static void nft_chain_stats_replace(struct nft_base_chain *chain,
1328 struct nft_stats __percpu *newstats)
1329{
1330 struct nft_stats __percpu *oldstats;
1331
1332 if (newstats == NULL)
1333 return;
1334
1335 if (chain->stats) {
1336 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1337 rcu_assign_pointer(chain->stats, newstats);
1338 synchronize_rcu();
1339 free_percpu(oldstats);
1340 } else {
1341 rcu_assign_pointer(chain->stats, newstats);
1342 static_branch_inc(&nft_counters_enabled);
1343 }
1344}
1345
1346static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1347{
1348 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1349 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1350
1351 if (g0 != g1)
1352 kvfree(g1);
1353 kvfree(g0);
1354
1355
1356 WARN_ON_ONCE(chain->rules_next);
1357 kvfree(chain->rules_next);
1358}
1359
1360static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1361{
1362 struct nft_chain *chain = ctx->chain;
1363
1364 BUG_ON(chain->use > 0);
1365
1366
1367 nf_tables_chain_free_chain_rules(chain);
1368
1369 if (nft_is_base_chain(chain)) {
1370 struct nft_base_chain *basechain = nft_base_chain(chain);
1371
1372 module_put(basechain->type->owner);
1373 free_percpu(basechain->stats);
1374 if (basechain->stats)
1375 static_branch_dec(&nft_counters_enabled);
1376 kfree(chain->name);
1377 kfree(basechain);
1378 } else {
1379 kfree(chain->name);
1380 kfree(chain);
1381 }
1382}
1383
1384struct nft_chain_hook {
1385 u32 num;
1386 s32 priority;
1387 const struct nft_chain_type *type;
1388 struct net_device *dev;
1389};
1390
1391static int nft_chain_parse_hook(struct net *net,
1392 const struct nlattr * const nla[],
1393 struct nft_chain_hook *hook, u8 family,
1394 bool create)
1395{
1396 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1397 const struct nft_chain_type *type;
1398 struct net_device *dev;
1399 int err;
1400
1401 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1402 nft_hook_policy, NULL);
1403 if (err < 0)
1404 return err;
1405
1406 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1407 ha[NFTA_HOOK_PRIORITY] == NULL)
1408 return -EINVAL;
1409
1410 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1411 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1412
1413 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1414 if (nla[NFTA_CHAIN_TYPE]) {
1415 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1416 family, create);
1417 if (IS_ERR(type))
1418 return PTR_ERR(type);
1419 }
1420 if (!(type->hook_mask & (1 << hook->num)))
1421 return -EOPNOTSUPP;
1422
1423 if (type->type == NFT_CHAIN_T_NAT &&
1424 hook->priority <= NF_IP_PRI_CONNTRACK)
1425 return -EOPNOTSUPP;
1426
1427 if (!try_module_get(type->owner))
1428 return -ENOENT;
1429
1430 hook->type = type;
1431
1432 hook->dev = NULL;
1433 if (family == NFPROTO_NETDEV) {
1434 char ifname[IFNAMSIZ];
1435
1436 if (!ha[NFTA_HOOK_DEV]) {
1437 module_put(type->owner);
1438 return -EOPNOTSUPP;
1439 }
1440
1441 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1442 dev = __dev_get_by_name(net, ifname);
1443 if (!dev) {
1444 module_put(type->owner);
1445 return -ENOENT;
1446 }
1447 hook->dev = dev;
1448 } else if (ha[NFTA_HOOK_DEV]) {
1449 module_put(type->owner);
1450 return -EOPNOTSUPP;
1451 }
1452
1453 return 0;
1454}
1455
1456static void nft_chain_release_hook(struct nft_chain_hook *hook)
1457{
1458 module_put(hook->type->owner);
1459}
1460
1461struct nft_rules_old {
1462 struct rcu_head h;
1463 struct nft_rule **start;
1464};
1465
1466static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1467 unsigned int alloc)
1468{
1469 if (alloc > INT_MAX)
1470 return NULL;
1471
1472 alloc += 1;
1473 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1474 return NULL;
1475
1476 alloc *= sizeof(struct nft_rule *);
1477 alloc += sizeof(struct nft_rules_old);
1478
1479 return kvmalloc(alloc, GFP_KERNEL);
1480}
1481
1482static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1483 u8 policy, bool create)
1484{
1485 const struct nlattr * const *nla = ctx->nla;
1486 struct nft_table *table = ctx->table;
1487 struct nft_base_chain *basechain;
1488 struct nft_stats __percpu *stats;
1489 struct net *net = ctx->net;
1490 struct nft_chain *chain;
1491 struct nft_rule **rules;
1492 int err;
1493
1494 if (table->use == UINT_MAX)
1495 return -EOVERFLOW;
1496
1497 if (nla[NFTA_CHAIN_HOOK]) {
1498 struct nft_chain_hook hook;
1499 struct nf_hook_ops *ops;
1500
1501 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1502 if (err < 0)
1503 return err;
1504
1505 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1506 if (basechain == NULL) {
1507 nft_chain_release_hook(&hook);
1508 return -ENOMEM;
1509 }
1510
1511 if (hook.dev != NULL)
1512 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1513
1514 if (nla[NFTA_CHAIN_COUNTERS]) {
1515 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1516 if (IS_ERR(stats)) {
1517 nft_chain_release_hook(&hook);
1518 kfree(basechain);
1519 return PTR_ERR(stats);
1520 }
1521 basechain->stats = stats;
1522 static_branch_inc(&nft_counters_enabled);
1523 }
1524
1525 basechain->type = hook.type;
1526 chain = &basechain->chain;
1527
1528 ops = &basechain->ops;
1529 ops->pf = family;
1530 ops->hooknum = hook.num;
1531 ops->priority = hook.priority;
1532 ops->priv = chain;
1533 ops->hook = hook.type->hooks[ops->hooknum];
1534 ops->dev = hook.dev;
1535
1536 chain->flags |= NFT_BASE_CHAIN;
1537 basechain->policy = policy;
1538 } else {
1539 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1540 if (chain == NULL)
1541 return -ENOMEM;
1542 }
1543 ctx->chain = chain;
1544
1545 INIT_LIST_HEAD(&chain->rules);
1546 chain->handle = nf_tables_alloc_handle(table);
1547 chain->table = table;
1548 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1549 if (!chain->name) {
1550 err = -ENOMEM;
1551 goto err1;
1552 }
1553
1554 rules = nf_tables_chain_alloc_rules(chain, 0);
1555 if (!rules) {
1556 err = -ENOMEM;
1557 goto err1;
1558 }
1559
1560 *rules = NULL;
1561 rcu_assign_pointer(chain->rules_gen_0, rules);
1562 rcu_assign_pointer(chain->rules_gen_1, rules);
1563
1564 err = nf_tables_register_hook(net, table, chain);
1565 if (err < 0)
1566 goto err1;
1567
1568 err = rhltable_insert_key(&table->chains_ht, chain->name,
1569 &chain->rhlhead, nft_chain_ht_params);
1570 if (err)
1571 goto err2;
1572
1573 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1574 if (err < 0) {
1575 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1576 nft_chain_ht_params);
1577 goto err2;
1578 }
1579
1580 table->use++;
1581 list_add_tail_rcu(&chain->list, &table->chains);
1582
1583 return 0;
1584err2:
1585 nf_tables_unregister_hook(net, table, chain);
1586err1:
1587 nf_tables_chain_destroy(ctx);
1588
1589 return err;
1590}
1591
1592static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1593 bool create)
1594{
1595 const struct nlattr * const *nla = ctx->nla;
1596 struct nft_table *table = ctx->table;
1597 struct nft_chain *chain = ctx->chain;
1598 struct nft_base_chain *basechain;
1599 struct nft_stats *stats = NULL;
1600 struct nft_chain_hook hook;
1601 struct nf_hook_ops *ops;
1602 struct nft_trans *trans;
1603 int err;
1604
1605 if (nla[NFTA_CHAIN_HOOK]) {
1606 if (!nft_is_base_chain(chain))
1607 return -EBUSY;
1608
1609 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1610 create);
1611 if (err < 0)
1612 return err;
1613
1614 basechain = nft_base_chain(chain);
1615 if (basechain->type != hook.type) {
1616 nft_chain_release_hook(&hook);
1617 return -EBUSY;
1618 }
1619
1620 ops = &basechain->ops;
1621 if (ops->hooknum != hook.num ||
1622 ops->priority != hook.priority ||
1623 ops->dev != hook.dev) {
1624 nft_chain_release_hook(&hook);
1625 return -EBUSY;
1626 }
1627 nft_chain_release_hook(&hook);
1628 }
1629
1630 if (nla[NFTA_CHAIN_HANDLE] &&
1631 nla[NFTA_CHAIN_NAME]) {
1632 struct nft_chain *chain2;
1633
1634 chain2 = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1635 if (!IS_ERR(chain2))
1636 return -EEXIST;
1637 }
1638
1639 if (nla[NFTA_CHAIN_COUNTERS]) {
1640 if (!nft_is_base_chain(chain))
1641 return -EOPNOTSUPP;
1642
1643 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1644 if (IS_ERR(stats))
1645 return PTR_ERR(stats);
1646 }
1647
1648 err = -ENOMEM;
1649 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1650 sizeof(struct nft_trans_chain));
1651 if (trans == NULL)
1652 goto err;
1653
1654 nft_trans_chain_stats(trans) = stats;
1655 nft_trans_chain_update(trans) = true;
1656
1657 if (nla[NFTA_CHAIN_POLICY])
1658 nft_trans_chain_policy(trans) = policy;
1659 else
1660 nft_trans_chain_policy(trans) = -1;
1661
1662 if (nla[NFTA_CHAIN_HANDLE] &&
1663 nla[NFTA_CHAIN_NAME]) {
1664 struct nft_trans *tmp;
1665 char *name;
1666
1667 err = -ENOMEM;
1668 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1669 if (!name)
1670 goto err;
1671
1672 err = -EEXIST;
1673 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1674 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1675 tmp->ctx.table == table &&
1676 nft_trans_chain_update(tmp) &&
1677 nft_trans_chain_name(tmp) &&
1678 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1679 kfree(name);
1680 goto err;
1681 }
1682 }
1683
1684 nft_trans_chain_name(trans) = name;
1685 }
1686 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1687
1688 return 0;
1689err:
1690 free_percpu(stats);
1691 kfree(trans);
1692 return err;
1693}
1694
1695static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1696 struct sk_buff *skb, const struct nlmsghdr *nlh,
1697 const struct nlattr * const nla[],
1698 struct netlink_ext_ack *extack)
1699{
1700 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1701 u8 genmask = nft_genmask_next(net);
1702 int family = nfmsg->nfgen_family;
1703 const struct nlattr *attr;
1704 struct nft_table *table;
1705 struct nft_chain *chain;
1706 u8 policy = NF_ACCEPT;
1707 struct nft_ctx ctx;
1708 u64 handle = 0;
1709 bool create;
1710
1711 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1712
1713 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1714 if (IS_ERR(table)) {
1715 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1716 return PTR_ERR(table);
1717 }
1718
1719 chain = NULL;
1720 attr = nla[NFTA_CHAIN_NAME];
1721
1722 if (nla[NFTA_CHAIN_HANDLE]) {
1723 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1724 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1725 if (IS_ERR(chain)) {
1726 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1727 return PTR_ERR(chain);
1728 }
1729 attr = nla[NFTA_CHAIN_HANDLE];
1730 } else {
1731 chain = nft_chain_lookup(table, attr, genmask);
1732 if (IS_ERR(chain)) {
1733 if (PTR_ERR(chain) != -ENOENT) {
1734 NL_SET_BAD_ATTR(extack, attr);
1735 return PTR_ERR(chain);
1736 }
1737 chain = NULL;
1738 }
1739 }
1740
1741 if (nla[NFTA_CHAIN_POLICY]) {
1742 if (chain != NULL &&
1743 !nft_is_base_chain(chain)) {
1744 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1745 return -EOPNOTSUPP;
1746 }
1747
1748 if (chain == NULL &&
1749 nla[NFTA_CHAIN_HOOK] == NULL) {
1750 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1751 return -EOPNOTSUPP;
1752 }
1753
1754 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1755 switch (policy) {
1756 case NF_DROP:
1757 case NF_ACCEPT:
1758 break;
1759 default:
1760 return -EINVAL;
1761 }
1762 }
1763
1764 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1765
1766 if (chain != NULL) {
1767 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1768 NL_SET_BAD_ATTR(extack, attr);
1769 return -EEXIST;
1770 }
1771 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1772 return -EOPNOTSUPP;
1773
1774 return nf_tables_updchain(&ctx, genmask, policy, create);
1775 }
1776
1777 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1778}
1779
1780static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1781 struct sk_buff *skb, const struct nlmsghdr *nlh,
1782 const struct nlattr * const nla[],
1783 struct netlink_ext_ack *extack)
1784{
1785 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1786 u8 genmask = nft_genmask_next(net);
1787 int family = nfmsg->nfgen_family;
1788 const struct nlattr *attr;
1789 struct nft_table *table;
1790 struct nft_chain *chain;
1791 struct nft_rule *rule;
1792 struct nft_ctx ctx;
1793 u64 handle;
1794 u32 use;
1795 int err;
1796
1797 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1798 if (IS_ERR(table)) {
1799 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1800 return PTR_ERR(table);
1801 }
1802
1803 if (nla[NFTA_CHAIN_HANDLE]) {
1804 attr = nla[NFTA_CHAIN_HANDLE];
1805 handle = be64_to_cpu(nla_get_be64(attr));
1806 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1807 } else {
1808 attr = nla[NFTA_CHAIN_NAME];
1809 chain = nft_chain_lookup(table, attr, genmask);
1810 }
1811 if (IS_ERR(chain)) {
1812 NL_SET_BAD_ATTR(extack, attr);
1813 return PTR_ERR(chain);
1814 }
1815
1816 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1817 chain->use > 0)
1818 return -EBUSY;
1819
1820 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1821
1822 use = chain->use;
1823 list_for_each_entry(rule, &chain->rules, list) {
1824 if (!nft_is_active_next(net, rule))
1825 continue;
1826 use--;
1827
1828 err = nft_delrule(&ctx, rule);
1829 if (err < 0)
1830 return err;
1831 }
1832
1833
1834
1835
1836 if (use > 0) {
1837 NL_SET_BAD_ATTR(extack, attr);
1838 return -EBUSY;
1839 }
1840
1841 return nft_delchain(&ctx);
1842}
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855int nft_register_expr(struct nft_expr_type *type)
1856{
1857 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1858 if (type->family == NFPROTO_UNSPEC)
1859 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1860 else
1861 list_add_rcu(&type->list, &nf_tables_expressions);
1862 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1863 return 0;
1864}
1865EXPORT_SYMBOL_GPL(nft_register_expr);
1866
1867
1868
1869
1870
1871
1872
1873void nft_unregister_expr(struct nft_expr_type *type)
1874{
1875 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1876 list_del_rcu(&type->list);
1877 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1878}
1879EXPORT_SYMBOL_GPL(nft_unregister_expr);
1880
1881static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1882 struct nlattr *nla)
1883{
1884 const struct nft_expr_type *type;
1885
1886 list_for_each_entry(type, &nf_tables_expressions, list) {
1887 if (!nla_strcmp(nla, type->name) &&
1888 (!type->family || type->family == family))
1889 return type;
1890 }
1891 return NULL;
1892}
1893
1894static const struct nft_expr_type *nft_expr_type_get(u8 family,
1895 struct nlattr *nla)
1896{
1897 const struct nft_expr_type *type;
1898
1899 if (nla == NULL)
1900 return ERR_PTR(-EINVAL);
1901
1902 type = __nft_expr_type_get(family, nla);
1903 if (type != NULL && try_module_get(type->owner))
1904 return type;
1905
1906#ifdef CONFIG_MODULES
1907 if (type == NULL) {
1908 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1909 request_module("nft-expr-%u-%.*s", family,
1910 nla_len(nla), (char *)nla_data(nla));
1911 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1912 if (__nft_expr_type_get(family, nla))
1913 return ERR_PTR(-EAGAIN);
1914
1915 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1916 request_module("nft-expr-%.*s",
1917 nla_len(nla), (char *)nla_data(nla));
1918 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1919 if (__nft_expr_type_get(family, nla))
1920 return ERR_PTR(-EAGAIN);
1921 }
1922#endif
1923 return ERR_PTR(-ENOENT);
1924}
1925
1926static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1927 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1928 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1929};
1930
1931static int nf_tables_fill_expr_info(struct sk_buff *skb,
1932 const struct nft_expr *expr)
1933{
1934 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1935 goto nla_put_failure;
1936
1937 if (expr->ops->dump) {
1938 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1939 if (data == NULL)
1940 goto nla_put_failure;
1941 if (expr->ops->dump(skb, expr) < 0)
1942 goto nla_put_failure;
1943 nla_nest_end(skb, data);
1944 }
1945
1946 return skb->len;
1947
1948nla_put_failure:
1949 return -1;
1950};
1951
1952int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1953 const struct nft_expr *expr)
1954{
1955 struct nlattr *nest;
1956
1957 nest = nla_nest_start(skb, attr);
1958 if (!nest)
1959 goto nla_put_failure;
1960 if (nf_tables_fill_expr_info(skb, expr) < 0)
1961 goto nla_put_failure;
1962 nla_nest_end(skb, nest);
1963 return 0;
1964
1965nla_put_failure:
1966 return -1;
1967}
1968
1969struct nft_expr_info {
1970 const struct nft_expr_ops *ops;
1971 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1972};
1973
1974static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1975 const struct nlattr *nla,
1976 struct nft_expr_info *info)
1977{
1978 const struct nft_expr_type *type;
1979 const struct nft_expr_ops *ops;
1980 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1981 int err;
1982
1983 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1984 if (err < 0)
1985 return err;
1986
1987 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1988 if (IS_ERR(type))
1989 return PTR_ERR(type);
1990
1991 if (tb[NFTA_EXPR_DATA]) {
1992 err = nla_parse_nested(info->tb, type->maxattr,
1993 tb[NFTA_EXPR_DATA], type->policy, NULL);
1994 if (err < 0)
1995 goto err1;
1996 } else
1997 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1998
1999 if (type->select_ops != NULL) {
2000 ops = type->select_ops(ctx,
2001 (const struct nlattr * const *)info->tb);
2002 if (IS_ERR(ops)) {
2003 err = PTR_ERR(ops);
2004 goto err1;
2005 }
2006 } else
2007 ops = type->ops;
2008
2009 info->ops = ops;
2010 return 0;
2011
2012err1:
2013 module_put(type->owner);
2014 return err;
2015}
2016
2017static int nf_tables_newexpr(const struct nft_ctx *ctx,
2018 const struct nft_expr_info *info,
2019 struct nft_expr *expr)
2020{
2021 const struct nft_expr_ops *ops = info->ops;
2022 int err;
2023
2024 expr->ops = ops;
2025 if (ops->init) {
2026 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2027 if (err < 0)
2028 goto err1;
2029 }
2030
2031 return 0;
2032err1:
2033 expr->ops = NULL;
2034 return err;
2035}
2036
2037static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2038 struct nft_expr *expr)
2039{
2040 if (expr->ops->destroy)
2041 expr->ops->destroy(ctx, expr);
2042 module_put(expr->ops->type->owner);
2043}
2044
2045struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2046 const struct nlattr *nla)
2047{
2048 struct nft_expr_info info;
2049 struct nft_expr *expr;
2050 int err;
2051
2052 err = nf_tables_expr_parse(ctx, nla, &info);
2053 if (err < 0)
2054 goto err1;
2055
2056 err = -ENOMEM;
2057 expr = kzalloc(info.ops->size, GFP_KERNEL);
2058 if (expr == NULL)
2059 goto err2;
2060
2061 err = nf_tables_newexpr(ctx, &info, expr);
2062 if (err < 0)
2063 goto err3;
2064
2065 return expr;
2066err3:
2067 kfree(expr);
2068err2:
2069 module_put(info.ops->type->owner);
2070err1:
2071 return ERR_PTR(err);
2072}
2073
2074void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2075{
2076 nf_tables_expr_destroy(ctx, expr);
2077 kfree(expr);
2078}
2079
2080
2081
2082
2083
2084static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2085 u64 handle)
2086{
2087 struct nft_rule *rule;
2088
2089
2090 list_for_each_entry_rcu(rule, &chain->rules, list) {
2091 if (handle == rule->handle)
2092 return rule;
2093 }
2094
2095 return ERR_PTR(-ENOENT);
2096}
2097
2098static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2099 const struct nlattr *nla)
2100{
2101 if (nla == NULL)
2102 return ERR_PTR(-EINVAL);
2103
2104 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2105}
2106
2107static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2108 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2109 .len = NFT_TABLE_MAXNAMELEN - 1 },
2110 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2111 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2112 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2113 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2114 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2115 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2116 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2117 .len = NFT_USERDATA_MAXLEN },
2118 [NFTA_RULE_ID] = { .type = NLA_U32 },
2119};
2120
2121static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2122 u32 portid, u32 seq, int event,
2123 u32 flags, int family,
2124 const struct nft_table *table,
2125 const struct nft_chain *chain,
2126 const struct nft_rule *rule)
2127{
2128 struct nlmsghdr *nlh;
2129 struct nfgenmsg *nfmsg;
2130 const struct nft_expr *expr, *next;
2131 struct nlattr *list;
2132 const struct nft_rule *prule;
2133 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2134
2135 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2136 if (nlh == NULL)
2137 goto nla_put_failure;
2138
2139 nfmsg = nlmsg_data(nlh);
2140 nfmsg->nfgen_family = family;
2141 nfmsg->version = NFNETLINK_V0;
2142 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2143
2144 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2145 goto nla_put_failure;
2146 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2147 goto nla_put_failure;
2148 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2149 NFTA_RULE_PAD))
2150 goto nla_put_failure;
2151
2152 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2153 prule = list_prev_entry(rule, list);
2154 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2155 cpu_to_be64(prule->handle),
2156 NFTA_RULE_PAD))
2157 goto nla_put_failure;
2158 }
2159
2160 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2161 if (list == NULL)
2162 goto nla_put_failure;
2163 nft_rule_for_each_expr(expr, next, rule) {
2164 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2165 goto nla_put_failure;
2166 }
2167 nla_nest_end(skb, list);
2168
2169 if (rule->udata) {
2170 struct nft_userdata *udata = nft_userdata(rule);
2171 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2172 udata->data) < 0)
2173 goto nla_put_failure;
2174 }
2175
2176 nlmsg_end(skb, nlh);
2177 return 0;
2178
2179nla_put_failure:
2180 nlmsg_trim(skb, nlh);
2181 return -1;
2182}
2183
2184static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2185 const struct nft_rule *rule, int event)
2186{
2187 struct sk_buff *skb;
2188 int err;
2189
2190 if (!ctx->report &&
2191 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2192 return;
2193
2194 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2195 if (skb == NULL)
2196 goto err;
2197
2198 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2199 event, 0, ctx->family, ctx->table,
2200 ctx->chain, rule);
2201 if (err < 0) {
2202 kfree_skb(skb);
2203 goto err;
2204 }
2205
2206 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2207 ctx->report, GFP_KERNEL);
2208 return;
2209err:
2210 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2211}
2212
2213struct nft_rule_dump_ctx {
2214 char *table;
2215 char *chain;
2216};
2217
2218static int nf_tables_dump_rules(struct sk_buff *skb,
2219 struct netlink_callback *cb)
2220{
2221 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2222 const struct nft_rule_dump_ctx *ctx = cb->data;
2223 const struct nft_table *table;
2224 const struct nft_chain *chain;
2225 const struct nft_rule *rule;
2226 unsigned int idx = 0, s_idx = cb->args[0];
2227 struct net *net = sock_net(skb->sk);
2228 int family = nfmsg->nfgen_family;
2229
2230 rcu_read_lock();
2231 cb->seq = net->nft.base_seq;
2232
2233 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2234 if (family != NFPROTO_UNSPEC && family != table->family)
2235 continue;
2236
2237 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2238 continue;
2239
2240 list_for_each_entry_rcu(chain, &table->chains, list) {
2241 if (ctx && ctx->chain &&
2242 strcmp(ctx->chain, chain->name) != 0)
2243 continue;
2244
2245 list_for_each_entry_rcu(rule, &chain->rules, list) {
2246 if (!nft_is_active(net, rule))
2247 goto cont;
2248 if (idx < s_idx)
2249 goto cont;
2250 if (idx > s_idx)
2251 memset(&cb->args[1], 0,
2252 sizeof(cb->args) - sizeof(cb->args[0]));
2253 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2254 cb->nlh->nlmsg_seq,
2255 NFT_MSG_NEWRULE,
2256 NLM_F_MULTI | NLM_F_APPEND,
2257 table->family,
2258 table, chain, rule) < 0)
2259 goto done;
2260
2261 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2262cont:
2263 idx++;
2264 }
2265 }
2266 }
2267done:
2268 rcu_read_unlock();
2269
2270 cb->args[0] = idx;
2271 return skb->len;
2272}
2273
2274static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2275{
2276 const struct nlattr * const *nla = cb->data;
2277 struct nft_rule_dump_ctx *ctx = NULL;
2278
2279 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2280 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2281 if (!ctx)
2282 return -ENOMEM;
2283
2284 if (nla[NFTA_RULE_TABLE]) {
2285 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2286 GFP_ATOMIC);
2287 if (!ctx->table) {
2288 kfree(ctx);
2289 return -ENOMEM;
2290 }
2291 }
2292 if (nla[NFTA_RULE_CHAIN]) {
2293 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2294 GFP_ATOMIC);
2295 if (!ctx->chain) {
2296 kfree(ctx->table);
2297 kfree(ctx);
2298 return -ENOMEM;
2299 }
2300 }
2301 }
2302
2303 cb->data = ctx;
2304 return 0;
2305}
2306
2307static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2308{
2309 struct nft_rule_dump_ctx *ctx = cb->data;
2310
2311 if (ctx) {
2312 kfree(ctx->table);
2313 kfree(ctx->chain);
2314 kfree(ctx);
2315 }
2316 return 0;
2317}
2318
2319
2320static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2321 struct sk_buff *skb, const struct nlmsghdr *nlh,
2322 const struct nlattr * const nla[],
2323 struct netlink_ext_ack *extack)
2324{
2325 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2326 u8 genmask = nft_genmask_cur(net);
2327 const struct nft_chain *chain;
2328 const struct nft_rule *rule;
2329 struct nft_table *table;
2330 struct sk_buff *skb2;
2331 int family = nfmsg->nfgen_family;
2332 int err;
2333
2334 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2335 struct netlink_dump_control c = {
2336 .start= nf_tables_dump_rules_start,
2337 .dump = nf_tables_dump_rules,
2338 .done = nf_tables_dump_rules_done,
2339 .module = THIS_MODULE,
2340 .data = (void *)nla,
2341 };
2342
2343 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2344 }
2345
2346 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2347 if (IS_ERR(table)) {
2348 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2349 return PTR_ERR(table);
2350 }
2351
2352 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2353 if (IS_ERR(chain)) {
2354 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2355 return PTR_ERR(chain);
2356 }
2357
2358 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2359 if (IS_ERR(rule)) {
2360 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2361 return PTR_ERR(rule);
2362 }
2363
2364 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2365 if (!skb2)
2366 return -ENOMEM;
2367
2368 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2369 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2370 family, table, chain, rule);
2371 if (err < 0)
2372 goto err;
2373
2374 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2375
2376err:
2377 kfree_skb(skb2);
2378 return err;
2379}
2380
2381static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2382 struct nft_rule *rule)
2383{
2384 struct nft_expr *expr;
2385
2386
2387
2388
2389
2390 expr = nft_expr_first(rule);
2391 while (expr != nft_expr_last(rule) && expr->ops) {
2392 nf_tables_expr_destroy(ctx, expr);
2393 expr = nft_expr_next(expr);
2394 }
2395 kfree(rule);
2396}
2397
2398static void nf_tables_rule_release(const struct nft_ctx *ctx,
2399 struct nft_rule *rule)
2400{
2401 nft_rule_expr_deactivate(ctx, rule);
2402 nf_tables_rule_destroy(ctx, rule);
2403}
2404
2405int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2406{
2407 struct nft_expr *expr, *last;
2408 const struct nft_data *data;
2409 struct nft_rule *rule;
2410 int err;
2411
2412 if (ctx->level == NFT_JUMP_STACK_SIZE)
2413 return -EMLINK;
2414
2415 list_for_each_entry(rule, &chain->rules, list) {
2416 if (!nft_is_active_next(ctx->net, rule))
2417 continue;
2418
2419 nft_rule_for_each_expr(expr, last, rule) {
2420 if (!expr->ops->validate)
2421 continue;
2422
2423 err = expr->ops->validate(ctx, expr, &data);
2424 if (err < 0)
2425 return err;
2426 }
2427 }
2428
2429 return 0;
2430}
2431EXPORT_SYMBOL_GPL(nft_chain_validate);
2432
2433static int nft_table_validate(struct net *net, const struct nft_table *table)
2434{
2435 struct nft_chain *chain;
2436 struct nft_ctx ctx = {
2437 .net = net,
2438 .family = table->family,
2439 };
2440 int err;
2441
2442 list_for_each_entry(chain, &table->chains, list) {
2443 if (!nft_is_base_chain(chain))
2444 continue;
2445
2446 ctx.chain = chain;
2447 err = nft_chain_validate(&ctx, chain);
2448 if (err < 0)
2449 return err;
2450 }
2451
2452 return 0;
2453}
2454
2455#define NFT_RULE_MAXEXPRS 128
2456
2457static struct nft_expr_info *info;
2458
2459static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2460 struct sk_buff *skb, const struct nlmsghdr *nlh,
2461 const struct nlattr * const nla[],
2462 struct netlink_ext_ack *extack)
2463{
2464 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2465 u8 genmask = nft_genmask_next(net);
2466 int family = nfmsg->nfgen_family;
2467 struct nft_table *table;
2468 struct nft_chain *chain;
2469 struct nft_rule *rule, *old_rule = NULL;
2470 struct nft_userdata *udata;
2471 struct nft_trans *trans = NULL;
2472 struct nft_expr *expr;
2473 struct nft_ctx ctx;
2474 struct nlattr *tmp;
2475 unsigned int size, i, n, ulen = 0, usize = 0;
2476 int err, rem;
2477 bool create;
2478 u64 handle, pos_handle;
2479
2480 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2481
2482 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2483 if (IS_ERR(table)) {
2484 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2485 return PTR_ERR(table);
2486 }
2487
2488 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2489 if (IS_ERR(chain)) {
2490 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2491 return PTR_ERR(chain);
2492 }
2493
2494 if (nla[NFTA_RULE_HANDLE]) {
2495 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2496 rule = __nft_rule_lookup(chain, handle);
2497 if (IS_ERR(rule)) {
2498 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2499 return PTR_ERR(rule);
2500 }
2501
2502 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2503 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2504 return -EEXIST;
2505 }
2506 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2507 old_rule = rule;
2508 else
2509 return -EOPNOTSUPP;
2510 } else {
2511 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2512 return -EINVAL;
2513 handle = nf_tables_alloc_handle(table);
2514
2515 if (chain->use == UINT_MAX)
2516 return -EOVERFLOW;
2517 }
2518
2519 if (nla[NFTA_RULE_POSITION]) {
2520 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2521 return -EOPNOTSUPP;
2522
2523 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2524 old_rule = __nft_rule_lookup(chain, pos_handle);
2525 if (IS_ERR(old_rule)) {
2526 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2527 return PTR_ERR(old_rule);
2528 }
2529 }
2530
2531 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2532
2533 n = 0;
2534 size = 0;
2535 if (nla[NFTA_RULE_EXPRESSIONS]) {
2536 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2537 err = -EINVAL;
2538 if (nla_type(tmp) != NFTA_LIST_ELEM)
2539 goto err1;
2540 if (n == NFT_RULE_MAXEXPRS)
2541 goto err1;
2542 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2543 if (err < 0)
2544 goto err1;
2545 size += info[n].ops->size;
2546 n++;
2547 }
2548 }
2549
2550 err = -EFBIG;
2551 if (size >= 1 << 12)
2552 goto err1;
2553
2554 if (nla[NFTA_RULE_USERDATA]) {
2555 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2556 if (ulen > 0)
2557 usize = sizeof(struct nft_userdata) + ulen;
2558 }
2559
2560 err = -ENOMEM;
2561 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2562 if (rule == NULL)
2563 goto err1;
2564
2565 nft_activate_next(net, rule);
2566
2567 rule->handle = handle;
2568 rule->dlen = size;
2569 rule->udata = ulen ? 1 : 0;
2570
2571 if (ulen) {
2572 udata = nft_userdata(rule);
2573 udata->len = ulen - 1;
2574 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2575 }
2576
2577 expr = nft_expr_first(rule);
2578 for (i = 0; i < n; i++) {
2579 err = nf_tables_newexpr(&ctx, &info[i], expr);
2580 if (err < 0)
2581 goto err2;
2582
2583 if (info[i].ops->validate)
2584 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2585
2586 info[i].ops = NULL;
2587 expr = nft_expr_next(expr);
2588 }
2589
2590 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2591 if (!nft_is_active_next(net, old_rule)) {
2592 err = -ENOENT;
2593 goto err2;
2594 }
2595 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2596 old_rule);
2597 if (trans == NULL) {
2598 err = -ENOMEM;
2599 goto err2;
2600 }
2601 nft_deactivate_next(net, old_rule);
2602 chain->use--;
2603
2604 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2605 err = -ENOMEM;
2606 goto err2;
2607 }
2608
2609 list_add_tail_rcu(&rule->list, &old_rule->list);
2610 } else {
2611 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2612 err = -ENOMEM;
2613 goto err2;
2614 }
2615
2616 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2617 if (old_rule)
2618 list_add_rcu(&rule->list, &old_rule->list);
2619 else
2620 list_add_tail_rcu(&rule->list, &chain->rules);
2621 } else {
2622 if (old_rule)
2623 list_add_tail_rcu(&rule->list, &old_rule->list);
2624 else
2625 list_add_rcu(&rule->list, &chain->rules);
2626 }
2627 }
2628 chain->use++;
2629
2630 if (net->nft.validate_state == NFT_VALIDATE_DO)
2631 return nft_table_validate(net, table);
2632
2633 return 0;
2634err2:
2635 nf_tables_rule_release(&ctx, rule);
2636err1:
2637 for (i = 0; i < n; i++) {
2638 if (info[i].ops != NULL)
2639 module_put(info[i].ops->type->owner);
2640 }
2641 return err;
2642}
2643
2644static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2645 const struct nlattr *nla)
2646{
2647 u32 id = ntohl(nla_get_be32(nla));
2648 struct nft_trans *trans;
2649
2650 list_for_each_entry(trans, &net->nft.commit_list, list) {
2651 struct nft_rule *rule = nft_trans_rule(trans);
2652
2653 if (trans->msg_type == NFT_MSG_NEWRULE &&
2654 id == nft_trans_rule_id(trans))
2655 return rule;
2656 }
2657 return ERR_PTR(-ENOENT);
2658}
2659
2660static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2661 struct sk_buff *skb, const struct nlmsghdr *nlh,
2662 const struct nlattr * const nla[],
2663 struct netlink_ext_ack *extack)
2664{
2665 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2666 u8 genmask = nft_genmask_next(net);
2667 struct nft_table *table;
2668 struct nft_chain *chain = NULL;
2669 struct nft_rule *rule;
2670 int family = nfmsg->nfgen_family, err = 0;
2671 struct nft_ctx ctx;
2672
2673 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2674 if (IS_ERR(table)) {
2675 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2676 return PTR_ERR(table);
2677 }
2678
2679 if (nla[NFTA_RULE_CHAIN]) {
2680 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2681 if (IS_ERR(chain)) {
2682 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2683 return PTR_ERR(chain);
2684 }
2685 }
2686
2687 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2688
2689 if (chain) {
2690 if (nla[NFTA_RULE_HANDLE]) {
2691 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2692 if (IS_ERR(rule)) {
2693 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2694 return PTR_ERR(rule);
2695 }
2696
2697 err = nft_delrule(&ctx, rule);
2698 } else if (nla[NFTA_RULE_ID]) {
2699 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2700 if (IS_ERR(rule)) {
2701 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2702 return PTR_ERR(rule);
2703 }
2704
2705 err = nft_delrule(&ctx, rule);
2706 } else {
2707 err = nft_delrule_by_chain(&ctx);
2708 }
2709 } else {
2710 list_for_each_entry(chain, &table->chains, list) {
2711 if (!nft_is_active_next(net, chain))
2712 continue;
2713
2714 ctx.chain = chain;
2715 err = nft_delrule_by_chain(&ctx);
2716 if (err < 0)
2717 break;
2718 }
2719 }
2720
2721 return err;
2722}
2723
2724
2725
2726
2727
2728static LIST_HEAD(nf_tables_set_types);
2729
2730int nft_register_set(struct nft_set_type *type)
2731{
2732 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2733 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2734 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2735 return 0;
2736}
2737EXPORT_SYMBOL_GPL(nft_register_set);
2738
2739void nft_unregister_set(struct nft_set_type *type)
2740{
2741 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2742 list_del_rcu(&type->list);
2743 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2744}
2745EXPORT_SYMBOL_GPL(nft_unregister_set);
2746
2747#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2748 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2749 NFT_SET_EVAL)
2750
2751static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2752{
2753 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2754}
2755
2756
2757
2758
2759
2760
2761static const struct nft_set_ops *
2762nft_select_set_ops(const struct nft_ctx *ctx,
2763 const struct nlattr * const nla[],
2764 const struct nft_set_desc *desc,
2765 enum nft_set_policies policy)
2766{
2767 const struct nft_set_ops *ops, *bops;
2768 struct nft_set_estimate est, best;
2769 const struct nft_set_type *type;
2770 u32 flags = 0;
2771
2772#ifdef CONFIG_MODULES
2773 if (list_empty(&nf_tables_set_types)) {
2774 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2775 request_module("nft-set");
2776 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2777 if (!list_empty(&nf_tables_set_types))
2778 return ERR_PTR(-EAGAIN);
2779 }
2780#endif
2781 if (nla[NFTA_SET_FLAGS] != NULL)
2782 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2783
2784 bops = NULL;
2785 best.size = ~0;
2786 best.lookup = ~0;
2787 best.space = ~0;
2788
2789 list_for_each_entry(type, &nf_tables_set_types, list) {
2790 ops = &type->ops;
2791
2792 if (!nft_set_ops_candidate(type, flags))
2793 continue;
2794 if (!ops->estimate(desc, flags, &est))
2795 continue;
2796
2797 switch (policy) {
2798 case NFT_SET_POL_PERFORMANCE:
2799 if (est.lookup < best.lookup)
2800 break;
2801 if (est.lookup == best.lookup &&
2802 est.space < best.space)
2803 break;
2804 continue;
2805 case NFT_SET_POL_MEMORY:
2806 if (!desc->size) {
2807 if (est.space < best.space)
2808 break;
2809 if (est.space == best.space &&
2810 est.lookup < best.lookup)
2811 break;
2812 } else if (est.size < best.size || !bops) {
2813 break;
2814 }
2815 continue;
2816 default:
2817 break;
2818 }
2819
2820 if (!try_module_get(type->owner))
2821 continue;
2822 if (bops != NULL)
2823 module_put(to_set_type(bops)->owner);
2824
2825 bops = ops;
2826 best = est;
2827 }
2828
2829 if (bops != NULL)
2830 return bops;
2831
2832 return ERR_PTR(-EOPNOTSUPP);
2833}
2834
2835static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2836 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2837 .len = NFT_TABLE_MAXNAMELEN - 1 },
2838 [NFTA_SET_NAME] = { .type = NLA_STRING,
2839 .len = NFT_SET_MAXNAMELEN - 1 },
2840 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2841 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2842 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2843 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2844 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2845 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2846 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2847 [NFTA_SET_ID] = { .type = NLA_U32 },
2848 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2849 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2850 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2851 .len = NFT_USERDATA_MAXLEN },
2852 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2853 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2854};
2855
2856static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2857 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2858};
2859
2860static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2861 const struct sk_buff *skb,
2862 const struct nlmsghdr *nlh,
2863 const struct nlattr * const nla[],
2864 struct netlink_ext_ack *extack,
2865 u8 genmask)
2866{
2867 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2868 int family = nfmsg->nfgen_family;
2869 struct nft_table *table = NULL;
2870
2871 if (nla[NFTA_SET_TABLE] != NULL) {
2872 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
2873 genmask);
2874 if (IS_ERR(table)) {
2875 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
2876 return PTR_ERR(table);
2877 }
2878 }
2879
2880 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2881 return 0;
2882}
2883
2884static struct nft_set *nft_set_lookup(const struct nft_table *table,
2885 const struct nlattr *nla, u8 genmask)
2886{
2887 struct nft_set *set;
2888
2889 if (nla == NULL)
2890 return ERR_PTR(-EINVAL);
2891
2892 list_for_each_entry_rcu(set, &table->sets, list) {
2893 if (!nla_strcmp(nla, set->name) &&
2894 nft_active_genmask(set, genmask))
2895 return set;
2896 }
2897 return ERR_PTR(-ENOENT);
2898}
2899
2900static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
2901 const struct nlattr *nla,
2902 u8 genmask)
2903{
2904 struct nft_set *set;
2905
2906 list_for_each_entry(set, &table->sets, list) {
2907 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2908 nft_active_genmask(set, genmask))
2909 return set;
2910 }
2911 return ERR_PTR(-ENOENT);
2912}
2913
2914static struct nft_set *nft_set_lookup_byid(const struct net *net,
2915 const struct nlattr *nla, u8 genmask)
2916{
2917 struct nft_trans *trans;
2918 u32 id = ntohl(nla_get_be32(nla));
2919
2920 list_for_each_entry(trans, &net->nft.commit_list, list) {
2921 if (trans->msg_type == NFT_MSG_NEWSET) {
2922 struct nft_set *set = nft_trans_set(trans);
2923
2924 if (id == nft_trans_set_id(trans) &&
2925 nft_active_genmask(set, genmask))
2926 return set;
2927 }
2928 }
2929 return ERR_PTR(-ENOENT);
2930}
2931
2932struct nft_set *nft_set_lookup_global(const struct net *net,
2933 const struct nft_table *table,
2934 const struct nlattr *nla_set_name,
2935 const struct nlattr *nla_set_id,
2936 u8 genmask)
2937{
2938 struct nft_set *set;
2939
2940 set = nft_set_lookup(table, nla_set_name, genmask);
2941 if (IS_ERR(set)) {
2942 if (!nla_set_id)
2943 return set;
2944
2945 set = nft_set_lookup_byid(net, nla_set_id, genmask);
2946 }
2947 return set;
2948}
2949EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2950
2951static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2952 const char *name)
2953{
2954 const struct nft_set *i;
2955 const char *p;
2956 unsigned long *inuse;
2957 unsigned int n = 0, min = 0;
2958
2959 p = strchr(name, '%');
2960 if (p != NULL) {
2961 if (p[1] != 'd' || strchr(p + 2, '%'))
2962 return -EINVAL;
2963
2964 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2965 if (inuse == NULL)
2966 return -ENOMEM;
2967cont:
2968 list_for_each_entry(i, &ctx->table->sets, list) {
2969 int tmp;
2970
2971 if (!nft_is_active_next(ctx->net, set))
2972 continue;
2973 if (!sscanf(i->name, name, &tmp))
2974 continue;
2975 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2976 continue;
2977
2978 set_bit(tmp - min, inuse);
2979 }
2980
2981 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2982 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2983 min += BITS_PER_BYTE * PAGE_SIZE;
2984 memset(inuse, 0, PAGE_SIZE);
2985 goto cont;
2986 }
2987 free_page((unsigned long)inuse);
2988 }
2989
2990 set->name = kasprintf(GFP_KERNEL, name, min + n);
2991 if (!set->name)
2992 return -ENOMEM;
2993
2994 list_for_each_entry(i, &ctx->table->sets, list) {
2995 if (!nft_is_active_next(ctx->net, i))
2996 continue;
2997 if (!strcmp(set->name, i->name)) {
2998 kfree(set->name);
2999 return -ENFILE;
3000 }
3001 }
3002 return 0;
3003}
3004
3005static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3006{
3007 u64 ms = be64_to_cpu(nla_get_be64(nla));
3008 u64 max = (u64)(~((u64)0));
3009
3010 max = div_u64(max, NSEC_PER_MSEC);
3011 if (ms >= max)
3012 return -ERANGE;
3013
3014 ms *= NSEC_PER_MSEC;
3015 *result = nsecs_to_jiffies64(ms);
3016 return 0;
3017}
3018
3019static __be64 nf_jiffies64_to_msecs(u64 input)
3020{
3021 u64 ms = jiffies64_to_nsecs(input);
3022
3023 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
3024}
3025
3026static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3027 const struct nft_set *set, u16 event, u16 flags)
3028{
3029 struct nfgenmsg *nfmsg;
3030 struct nlmsghdr *nlh;
3031 struct nlattr *desc;
3032 u32 portid = ctx->portid;
3033 u32 seq = ctx->seq;
3034
3035 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3036 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3037 flags);
3038 if (nlh == NULL)
3039 goto nla_put_failure;
3040
3041 nfmsg = nlmsg_data(nlh);
3042 nfmsg->nfgen_family = ctx->family;
3043 nfmsg->version = NFNETLINK_V0;
3044 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3045
3046 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3047 goto nla_put_failure;
3048 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3049 goto nla_put_failure;
3050 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3051 NFTA_SET_PAD))
3052 goto nla_put_failure;
3053 if (set->flags != 0)
3054 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3055 goto nla_put_failure;
3056
3057 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3058 goto nla_put_failure;
3059 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3060 goto nla_put_failure;
3061 if (set->flags & NFT_SET_MAP) {
3062 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3063 goto nla_put_failure;
3064 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3065 goto nla_put_failure;
3066 }
3067 if (set->flags & NFT_SET_OBJECT &&
3068 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3069 goto nla_put_failure;
3070
3071 if (set->timeout &&
3072 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3073 nf_jiffies64_to_msecs(set->timeout),
3074 NFTA_SET_PAD))
3075 goto nla_put_failure;
3076 if (set->gc_int &&
3077 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3078 goto nla_put_failure;
3079
3080 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3081 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3082 goto nla_put_failure;
3083 }
3084
3085 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3086 goto nla_put_failure;
3087
3088 desc = nla_nest_start(skb, NFTA_SET_DESC);
3089 if (desc == NULL)
3090 goto nla_put_failure;
3091 if (set->size &&
3092 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3093 goto nla_put_failure;
3094 nla_nest_end(skb, desc);
3095
3096 nlmsg_end(skb, nlh);
3097 return 0;
3098
3099nla_put_failure:
3100 nlmsg_trim(skb, nlh);
3101 return -1;
3102}
3103
3104static void nf_tables_set_notify(const struct nft_ctx *ctx,
3105 const struct nft_set *set, int event,
3106 gfp_t gfp_flags)
3107{
3108 struct sk_buff *skb;
3109 u32 portid = ctx->portid;
3110 int err;
3111
3112 if (!ctx->report &&
3113 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3114 return;
3115
3116 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3117 if (skb == NULL)
3118 goto err;
3119
3120 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3121 if (err < 0) {
3122 kfree_skb(skb);
3123 goto err;
3124 }
3125
3126 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3127 gfp_flags);
3128 return;
3129err:
3130 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3131}
3132
3133static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3134{
3135 const struct nft_set *set;
3136 unsigned int idx, s_idx = cb->args[0];
3137 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3138 struct net *net = sock_net(skb->sk);
3139 struct nft_ctx *ctx = cb->data, ctx_set;
3140
3141 if (cb->args[1])
3142 return skb->len;
3143
3144 rcu_read_lock();
3145 cb->seq = net->nft.base_seq;
3146
3147 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3148 if (ctx->family != NFPROTO_UNSPEC &&
3149 ctx->family != table->family)
3150 continue;
3151
3152 if (ctx->table && ctx->table != table)
3153 continue;
3154
3155 if (cur_table) {
3156 if (cur_table != table)
3157 continue;
3158
3159 cur_table = NULL;
3160 }
3161 idx = 0;
3162 list_for_each_entry_rcu(set, &table->sets, list) {
3163 if (idx < s_idx)
3164 goto cont;
3165 if (!nft_is_active(net, set))
3166 goto cont;
3167
3168 ctx_set = *ctx;
3169 ctx_set.table = table;
3170 ctx_set.family = table->family;
3171
3172 if (nf_tables_fill_set(skb, &ctx_set, set,
3173 NFT_MSG_NEWSET,
3174 NLM_F_MULTI) < 0) {
3175 cb->args[0] = idx;
3176 cb->args[2] = (unsigned long) table;
3177 goto done;
3178 }
3179 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3180cont:
3181 idx++;
3182 }
3183 if (s_idx)
3184 s_idx = 0;
3185 }
3186 cb->args[1] = 1;
3187done:
3188 rcu_read_unlock();
3189 return skb->len;
3190}
3191
3192static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3193{
3194 struct nft_ctx *ctx_dump = NULL;
3195
3196 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3197 if (ctx_dump == NULL)
3198 return -ENOMEM;
3199
3200 cb->data = ctx_dump;
3201 return 0;
3202}
3203
3204static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3205{
3206 kfree(cb->data);
3207 return 0;
3208}
3209
3210
3211static int nf_tables_getset(struct net *net, struct sock *nlsk,
3212 struct sk_buff *skb, const struct nlmsghdr *nlh,
3213 const struct nlattr * const nla[],
3214 struct netlink_ext_ack *extack)
3215{
3216 u8 genmask = nft_genmask_cur(net);
3217 const struct nft_set *set;
3218 struct nft_ctx ctx;
3219 struct sk_buff *skb2;
3220 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3221 int err;
3222
3223
3224 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3225 genmask);
3226 if (err < 0)
3227 return err;
3228
3229 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3230 struct netlink_dump_control c = {
3231 .start = nf_tables_dump_sets_start,
3232 .dump = nf_tables_dump_sets,
3233 .done = nf_tables_dump_sets_done,
3234 .data = &ctx,
3235 .module = THIS_MODULE,
3236 };
3237
3238 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3239 }
3240
3241
3242 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3243 return -EAFNOSUPPORT;
3244 if (!nla[NFTA_SET_TABLE])
3245 return -EINVAL;
3246
3247 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3248 if (IS_ERR(set))
3249 return PTR_ERR(set);
3250
3251 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3252 if (skb2 == NULL)
3253 return -ENOMEM;
3254
3255 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3256 if (err < 0)
3257 goto err;
3258
3259 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3260
3261err:
3262 kfree_skb(skb2);
3263 return err;
3264}
3265
3266static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3267 struct nft_set_desc *desc,
3268 const struct nlattr *nla)
3269{
3270 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3271 int err;
3272
3273 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3274 nft_set_desc_policy, NULL);
3275 if (err < 0)
3276 return err;
3277
3278 if (da[NFTA_SET_DESC_SIZE] != NULL)
3279 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3280
3281 return 0;
3282}
3283
3284static int nf_tables_newset(struct net *net, struct sock *nlsk,
3285 struct sk_buff *skb, const struct nlmsghdr *nlh,
3286 const struct nlattr * const nla[],
3287 struct netlink_ext_ack *extack)
3288{
3289 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3290 u8 genmask = nft_genmask_next(net);
3291 int family = nfmsg->nfgen_family;
3292 const struct nft_set_ops *ops;
3293 struct nft_table *table;
3294 struct nft_set *set;
3295 struct nft_ctx ctx;
3296 char *name;
3297 unsigned int size;
3298 bool create;
3299 u64 timeout;
3300 u32 ktype, dtype, flags, policy, gc_int, objtype;
3301 struct nft_set_desc desc;
3302 unsigned char *udata;
3303 u16 udlen;
3304 int err;
3305
3306 if (nla[NFTA_SET_TABLE] == NULL ||
3307 nla[NFTA_SET_NAME] == NULL ||
3308 nla[NFTA_SET_KEY_LEN] == NULL ||
3309 nla[NFTA_SET_ID] == NULL)
3310 return -EINVAL;
3311
3312 memset(&desc, 0, sizeof(desc));
3313
3314 ktype = NFT_DATA_VALUE;
3315 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3316 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3317 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3318 return -EINVAL;
3319 }
3320
3321 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3322 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3323 return -EINVAL;
3324
3325 flags = 0;
3326 if (nla[NFTA_SET_FLAGS] != NULL) {
3327 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3328 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3329 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3330 NFT_SET_MAP | NFT_SET_EVAL |
3331 NFT_SET_OBJECT))
3332 return -EINVAL;
3333
3334 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3335 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3336 return -EOPNOTSUPP;
3337 }
3338
3339 dtype = 0;
3340 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3341 if (!(flags & NFT_SET_MAP))
3342 return -EINVAL;
3343
3344 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3345 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3346 dtype != NFT_DATA_VERDICT)
3347 return -EINVAL;
3348
3349 if (dtype != NFT_DATA_VERDICT) {
3350 if (nla[NFTA_SET_DATA_LEN] == NULL)
3351 return -EINVAL;
3352 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3353 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3354 return -EINVAL;
3355 } else
3356 desc.dlen = sizeof(struct nft_verdict);
3357 } else if (flags & NFT_SET_MAP)
3358 return -EINVAL;
3359
3360 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3361 if (!(flags & NFT_SET_OBJECT))
3362 return -EINVAL;
3363
3364 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3365 if (objtype == NFT_OBJECT_UNSPEC ||
3366 objtype > NFT_OBJECT_MAX)
3367 return -EINVAL;
3368 } else if (flags & NFT_SET_OBJECT)
3369 return -EINVAL;
3370 else
3371 objtype = NFT_OBJECT_UNSPEC;
3372
3373 timeout = 0;
3374 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3375 if (!(flags & NFT_SET_TIMEOUT))
3376 return -EINVAL;
3377
3378 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3379 if (err)
3380 return err;
3381 }
3382 gc_int = 0;
3383 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3384 if (!(flags & NFT_SET_TIMEOUT))
3385 return -EINVAL;
3386 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3387 }
3388
3389 policy = NFT_SET_POL_PERFORMANCE;
3390 if (nla[NFTA_SET_POLICY] != NULL)
3391 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3392
3393 if (nla[NFTA_SET_DESC] != NULL) {
3394 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3395 if (err < 0)
3396 return err;
3397 }
3398
3399 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3400
3401 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3402 if (IS_ERR(table)) {
3403 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3404 return PTR_ERR(table);
3405 }
3406
3407 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3408
3409 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3410 if (IS_ERR(set)) {
3411 if (PTR_ERR(set) != -ENOENT) {
3412 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3413 return PTR_ERR(set);
3414 }
3415 } else {
3416 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3417 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3418 return -EEXIST;
3419 }
3420 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3421 return -EOPNOTSUPP;
3422
3423 return 0;
3424 }
3425
3426 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3427 return -ENOENT;
3428
3429 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3430 if (IS_ERR(ops))
3431 return PTR_ERR(ops);
3432
3433 udlen = 0;
3434 if (nla[NFTA_SET_USERDATA])
3435 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3436
3437 size = 0;
3438 if (ops->privsize != NULL)
3439 size = ops->privsize(nla, &desc);
3440
3441 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3442 if (!set) {
3443 err = -ENOMEM;
3444 goto err1;
3445 }
3446
3447 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3448 if (!name) {
3449 err = -ENOMEM;
3450 goto err2;
3451 }
3452
3453 err = nf_tables_set_alloc_name(&ctx, set, name);
3454 kfree(name);
3455 if (err < 0)
3456 goto err2;
3457
3458 udata = NULL;
3459 if (udlen) {
3460 udata = set->data + size;
3461 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3462 }
3463
3464 INIT_LIST_HEAD(&set->bindings);
3465 set->table = table;
3466 write_pnet(&set->net, net);
3467 set->ops = ops;
3468 set->ktype = ktype;
3469 set->klen = desc.klen;
3470 set->dtype = dtype;
3471 set->objtype = objtype;
3472 set->dlen = desc.dlen;
3473 set->flags = flags;
3474 set->size = desc.size;
3475 set->policy = policy;
3476 set->udlen = udlen;
3477 set->udata = udata;
3478 set->timeout = timeout;
3479 set->gc_int = gc_int;
3480 set->handle = nf_tables_alloc_handle(table);
3481
3482 err = ops->init(set, &desc, nla);
3483 if (err < 0)
3484 goto err3;
3485
3486 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3487 if (err < 0)
3488 goto err4;
3489
3490 list_add_tail_rcu(&set->list, &table->sets);
3491 table->use++;
3492 return 0;
3493
3494err4:
3495 ops->destroy(set);
3496err3:
3497 kfree(set->name);
3498err2:
3499 kvfree(set);
3500err1:
3501 module_put(to_set_type(ops)->owner);
3502 return err;
3503}
3504
3505static void nft_set_destroy(struct nft_set *set)
3506{
3507 set->ops->destroy(set);
3508 module_put(to_set_type(set->ops)->owner);
3509 kfree(set->name);
3510 kvfree(set);
3511}
3512
3513static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3514{
3515 list_del_rcu(&set->list);
3516 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3517 nft_set_destroy(set);
3518}
3519
3520static int nf_tables_delset(struct net *net, struct sock *nlsk,
3521 struct sk_buff *skb, const struct nlmsghdr *nlh,
3522 const struct nlattr * const nla[],
3523 struct netlink_ext_ack *extack)
3524{
3525 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3526 u8 genmask = nft_genmask_next(net);
3527 const struct nlattr *attr;
3528 struct nft_set *set;
3529 struct nft_ctx ctx;
3530 int err;
3531
3532 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3533 return -EAFNOSUPPORT;
3534 if (nla[NFTA_SET_TABLE] == NULL)
3535 return -EINVAL;
3536
3537 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3538 genmask);
3539 if (err < 0)
3540 return err;
3541
3542 if (nla[NFTA_SET_HANDLE]) {
3543 attr = nla[NFTA_SET_HANDLE];
3544 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3545 } else {
3546 attr = nla[NFTA_SET_NAME];
3547 set = nft_set_lookup(ctx.table, attr, genmask);
3548 }
3549
3550 if (IS_ERR(set)) {
3551 NL_SET_BAD_ATTR(extack, attr);
3552 return PTR_ERR(set);
3553 }
3554 if (!list_empty(&set->bindings) ||
3555 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3556 NL_SET_BAD_ATTR(extack, attr);
3557 return -EBUSY;
3558 }
3559
3560 return nft_delset(&ctx, set);
3561}
3562
3563static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3564 struct nft_set *set,
3565 const struct nft_set_iter *iter,
3566 struct nft_set_elem *elem)
3567{
3568 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3569 enum nft_registers dreg;
3570
3571 dreg = nft_type_to_reg(set->dtype);
3572 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3573 set->dtype == NFT_DATA_VERDICT ?
3574 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3575 set->dlen);
3576}
3577
3578int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3579 struct nft_set_binding *binding)
3580{
3581 struct nft_set_binding *i;
3582 struct nft_set_iter iter;
3583
3584 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3585 return -EBUSY;
3586
3587 if (binding->flags & NFT_SET_MAP) {
3588
3589
3590
3591 list_for_each_entry(i, &set->bindings, list) {
3592 if (i->flags & NFT_SET_MAP &&
3593 i->chain == binding->chain)
3594 goto bind;
3595 }
3596
3597 iter.genmask = nft_genmask_next(ctx->net);
3598 iter.skip = 0;
3599 iter.count = 0;
3600 iter.err = 0;
3601 iter.fn = nf_tables_bind_check_setelem;
3602
3603 set->ops->walk(ctx, set, &iter);
3604 if (iter.err < 0)
3605 return iter.err;
3606 }
3607bind:
3608 binding->chain = ctx->chain;
3609 list_add_tail_rcu(&binding->list, &set->bindings);
3610 return 0;
3611}
3612EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3613
3614void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3615 struct nft_set_binding *binding)
3616{
3617 list_del_rcu(&binding->list);
3618
3619 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3620 nft_is_active(ctx->net, set))
3621 nf_tables_set_destroy(ctx, set);
3622}
3623EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3624
3625const struct nft_set_ext_type nft_set_ext_types[] = {
3626 [NFT_SET_EXT_KEY] = {
3627 .align = __alignof__(u32),
3628 },
3629 [NFT_SET_EXT_DATA] = {
3630 .align = __alignof__(u32),
3631 },
3632 [NFT_SET_EXT_EXPR] = {
3633 .align = __alignof__(struct nft_expr),
3634 },
3635 [NFT_SET_EXT_OBJREF] = {
3636 .len = sizeof(struct nft_object *),
3637 .align = __alignof__(struct nft_object *),
3638 },
3639 [NFT_SET_EXT_FLAGS] = {
3640 .len = sizeof(u8),
3641 .align = __alignof__(u8),
3642 },
3643 [NFT_SET_EXT_TIMEOUT] = {
3644 .len = sizeof(u64),
3645 .align = __alignof__(u64),
3646 },
3647 [NFT_SET_EXT_EXPIRATION] = {
3648 .len = sizeof(u64),
3649 .align = __alignof__(u64),
3650 },
3651 [NFT_SET_EXT_USERDATA] = {
3652 .len = sizeof(struct nft_userdata),
3653 .align = __alignof__(struct nft_userdata),
3654 },
3655};
3656EXPORT_SYMBOL_GPL(nft_set_ext_types);
3657
3658
3659
3660
3661
3662static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3663 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3664 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3665 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3666 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3667 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3668 .len = NFT_USERDATA_MAXLEN },
3669 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3670 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3671};
3672
3673static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3674 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3675 .len = NFT_TABLE_MAXNAMELEN - 1 },
3676 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3677 .len = NFT_SET_MAXNAMELEN - 1 },
3678 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3679 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3680};
3681
3682static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3683 const struct sk_buff *skb,
3684 const struct nlmsghdr *nlh,
3685 const struct nlattr * const nla[],
3686 struct netlink_ext_ack *extack,
3687 u8 genmask)
3688{
3689 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3690 int family = nfmsg->nfgen_family;
3691 struct nft_table *table;
3692
3693 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3694 genmask);
3695 if (IS_ERR(table)) {
3696 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3697 return PTR_ERR(table);
3698 }
3699
3700 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3701 return 0;
3702}
3703
3704static int nf_tables_fill_setelem(struct sk_buff *skb,
3705 const struct nft_set *set,
3706 const struct nft_set_elem *elem)
3707{
3708 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3709 unsigned char *b = skb_tail_pointer(skb);
3710 struct nlattr *nest;
3711
3712 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3713 if (nest == NULL)
3714 goto nla_put_failure;
3715
3716 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3717 NFT_DATA_VALUE, set->klen) < 0)
3718 goto nla_put_failure;
3719
3720 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3721 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3722 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3723 set->dlen) < 0)
3724 goto nla_put_failure;
3725
3726 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3727 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3728 goto nla_put_failure;
3729
3730 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3731 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3732 (*nft_set_ext_obj(ext))->name) < 0)
3733 goto nla_put_failure;
3734
3735 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3736 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3737 htonl(*nft_set_ext_flags(ext))))
3738 goto nla_put_failure;
3739
3740 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3741 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3742 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3743 NFTA_SET_ELEM_PAD))
3744 goto nla_put_failure;
3745
3746 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3747 u64 expires, now = get_jiffies_64();
3748
3749 expires = *nft_set_ext_expiration(ext);
3750 if (time_before64(now, expires))
3751 expires -= now;
3752 else
3753 expires = 0;
3754
3755 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3756 nf_jiffies64_to_msecs(expires),
3757 NFTA_SET_ELEM_PAD))
3758 goto nla_put_failure;
3759 }
3760
3761 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3762 struct nft_userdata *udata;
3763
3764 udata = nft_set_ext_userdata(ext);
3765 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3766 udata->len + 1, udata->data))
3767 goto nla_put_failure;
3768 }
3769
3770 nla_nest_end(skb, nest);
3771 return 0;
3772
3773nla_put_failure:
3774 nlmsg_trim(skb, b);
3775 return -EMSGSIZE;
3776}
3777
3778struct nft_set_dump_args {
3779 const struct netlink_callback *cb;
3780 struct nft_set_iter iter;
3781 struct sk_buff *skb;
3782};
3783
3784static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3785 struct nft_set *set,
3786 const struct nft_set_iter *iter,
3787 struct nft_set_elem *elem)
3788{
3789 struct nft_set_dump_args *args;
3790
3791 args = container_of(iter, struct nft_set_dump_args, iter);
3792 return nf_tables_fill_setelem(args->skb, set, elem);
3793}
3794
3795struct nft_set_dump_ctx {
3796 const struct nft_set *set;
3797 struct nft_ctx ctx;
3798};
3799
3800static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3801{
3802 struct nft_set_dump_ctx *dump_ctx = cb->data;
3803 struct net *net = sock_net(skb->sk);
3804 struct nft_table *table;
3805 struct nft_set *set;
3806 struct nft_set_dump_args args;
3807 bool set_found = false;
3808 struct nfgenmsg *nfmsg;
3809 struct nlmsghdr *nlh;
3810 struct nlattr *nest;
3811 u32 portid, seq;
3812 int event;
3813
3814 rcu_read_lock();
3815 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3816 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3817 dump_ctx->ctx.family != table->family)
3818 continue;
3819
3820 if (table != dump_ctx->ctx.table)
3821 continue;
3822
3823 list_for_each_entry_rcu(set, &table->sets, list) {
3824 if (set == dump_ctx->set) {
3825 set_found = true;
3826 break;
3827 }
3828 }
3829 break;
3830 }
3831
3832 if (!set_found) {
3833 rcu_read_unlock();
3834 return -ENOENT;
3835 }
3836
3837 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3838 portid = NETLINK_CB(cb->skb).portid;
3839 seq = cb->nlh->nlmsg_seq;
3840
3841 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3842 NLM_F_MULTI);
3843 if (nlh == NULL)
3844 goto nla_put_failure;
3845
3846 nfmsg = nlmsg_data(nlh);
3847 nfmsg->nfgen_family = table->family;
3848 nfmsg->version = NFNETLINK_V0;
3849 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3850
3851 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3852 goto nla_put_failure;
3853 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3854 goto nla_put_failure;
3855
3856 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3857 if (nest == NULL)
3858 goto nla_put_failure;
3859
3860 args.cb = cb;
3861 args.skb = skb;
3862 args.iter.genmask = nft_genmask_cur(net);
3863 args.iter.skip = cb->args[0];
3864 args.iter.count = 0;
3865 args.iter.err = 0;
3866 args.iter.fn = nf_tables_dump_setelem;
3867 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3868 rcu_read_unlock();
3869
3870 nla_nest_end(skb, nest);
3871 nlmsg_end(skb, nlh);
3872
3873 if (args.iter.err && args.iter.err != -EMSGSIZE)
3874 return args.iter.err;
3875 if (args.iter.count == cb->args[0])
3876 return 0;
3877
3878 cb->args[0] = args.iter.count;
3879 return skb->len;
3880
3881nla_put_failure:
3882 rcu_read_unlock();
3883 return -ENOSPC;
3884}
3885
3886static int nf_tables_dump_set_start(struct netlink_callback *cb)
3887{
3888 struct nft_set_dump_ctx *dump_ctx = cb->data;
3889
3890 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
3891
3892 return cb->data ? 0 : -ENOMEM;
3893}
3894
3895static int nf_tables_dump_set_done(struct netlink_callback *cb)
3896{
3897 kfree(cb->data);
3898 return 0;
3899}
3900
3901static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3902 const struct nft_ctx *ctx, u32 seq,
3903 u32 portid, int event, u16 flags,
3904 const struct nft_set *set,
3905 const struct nft_set_elem *elem)
3906{
3907 struct nfgenmsg *nfmsg;
3908 struct nlmsghdr *nlh;
3909 struct nlattr *nest;
3910 int err;
3911
3912 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3913 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3914 flags);
3915 if (nlh == NULL)
3916 goto nla_put_failure;
3917
3918 nfmsg = nlmsg_data(nlh);
3919 nfmsg->nfgen_family = ctx->family;
3920 nfmsg->version = NFNETLINK_V0;
3921 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3922
3923 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3924 goto nla_put_failure;
3925 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3926 goto nla_put_failure;
3927
3928 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3929 if (nest == NULL)
3930 goto nla_put_failure;
3931
3932 err = nf_tables_fill_setelem(skb, set, elem);
3933 if (err < 0)
3934 goto nla_put_failure;
3935
3936 nla_nest_end(skb, nest);
3937
3938 nlmsg_end(skb, nlh);
3939 return 0;
3940
3941nla_put_failure:
3942 nlmsg_trim(skb, nlh);
3943 return -1;
3944}
3945
3946static int nft_setelem_parse_flags(const struct nft_set *set,
3947 const struct nlattr *attr, u32 *flags)
3948{
3949 if (attr == NULL)
3950 return 0;
3951
3952 *flags = ntohl(nla_get_be32(attr));
3953 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3954 return -EINVAL;
3955 if (!(set->flags & NFT_SET_INTERVAL) &&
3956 *flags & NFT_SET_ELEM_INTERVAL_END)
3957 return -EINVAL;
3958
3959 return 0;
3960}
3961
3962static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3963 const struct nlattr *attr)
3964{
3965 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3966 const struct nft_set_ext *ext;
3967 struct nft_data_desc desc;
3968 struct nft_set_elem elem;
3969 struct sk_buff *skb;
3970 uint32_t flags = 0;
3971 void *priv;
3972 int err;
3973
3974 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3975 nft_set_elem_policy, NULL);
3976 if (err < 0)
3977 return err;
3978
3979 if (!nla[NFTA_SET_ELEM_KEY])
3980 return -EINVAL;
3981
3982 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3983 if (err < 0)
3984 return err;
3985
3986 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3987 nla[NFTA_SET_ELEM_KEY]);
3988 if (err < 0)
3989 return err;
3990
3991 err = -EINVAL;
3992 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3993 return err;
3994
3995 priv = set->ops->get(ctx->net, set, &elem, flags);
3996 if (IS_ERR(priv))
3997 return PTR_ERR(priv);
3998
3999 elem.priv = priv;
4000 ext = nft_set_elem_ext(set, &elem);
4001
4002 err = -ENOMEM;
4003 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4004 if (skb == NULL)
4005 goto err1;
4006
4007 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4008 NFT_MSG_NEWSETELEM, 0, set, &elem);
4009 if (err < 0)
4010 goto err2;
4011
4012 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4013
4014 if (err < 0)
4015 goto err1;
4016
4017 return 0;
4018err2:
4019 kfree_skb(skb);
4020err1:
4021
4022 return err == -EAGAIN ? -ENOBUFS : err;
4023}
4024
4025
4026static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4027 struct sk_buff *skb, const struct nlmsghdr *nlh,
4028 const struct nlattr * const nla[],
4029 struct netlink_ext_ack *extack)
4030{
4031 u8 genmask = nft_genmask_cur(net);
4032 struct nft_set *set;
4033 struct nlattr *attr;
4034 struct nft_ctx ctx;
4035 int rem, err = 0;
4036
4037 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4038 genmask);
4039 if (err < 0)
4040 return err;
4041
4042 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4043 if (IS_ERR(set))
4044 return PTR_ERR(set);
4045
4046 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4047 struct netlink_dump_control c = {
4048 .start = nf_tables_dump_set_start,
4049 .dump = nf_tables_dump_set,
4050 .done = nf_tables_dump_set_done,
4051 .module = THIS_MODULE,
4052 };
4053 struct nft_set_dump_ctx dump_ctx = {
4054 .set = set,
4055 .ctx = ctx,
4056 };
4057
4058 c.data = &dump_ctx;
4059 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4060 }
4061
4062 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4063 return -EINVAL;
4064
4065 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4066 err = nft_get_set_elem(&ctx, set, attr);
4067 if (err < 0)
4068 break;
4069 }
4070
4071 return err;
4072}
4073
4074static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4075 const struct nft_set *set,
4076 const struct nft_set_elem *elem,
4077 int event, u16 flags)
4078{
4079 struct net *net = ctx->net;
4080 u32 portid = ctx->portid;
4081 struct sk_buff *skb;
4082 int err;
4083
4084 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4085 return;
4086
4087 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4088 if (skb == NULL)
4089 goto err;
4090
4091 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4092 set, elem);
4093 if (err < 0) {
4094 kfree_skb(skb);
4095 goto err;
4096 }
4097
4098 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4099 GFP_KERNEL);
4100 return;
4101err:
4102 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4103}
4104
4105static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4106 int msg_type,
4107 struct nft_set *set)
4108{
4109 struct nft_trans *trans;
4110
4111 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4112 if (trans == NULL)
4113 return NULL;
4114
4115 nft_trans_elem_set(trans) = set;
4116 return trans;
4117}
4118
4119void *nft_set_elem_init(const struct nft_set *set,
4120 const struct nft_set_ext_tmpl *tmpl,
4121 const u32 *key, const u32 *data,
4122 u64 timeout, gfp_t gfp)
4123{
4124 struct nft_set_ext *ext;
4125 void *elem;
4126
4127 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4128 if (elem == NULL)
4129 return NULL;
4130
4131 ext = nft_set_elem_ext(set, elem);
4132 nft_set_ext_init(ext, tmpl);
4133
4134 memcpy(nft_set_ext_key(ext), key, set->klen);
4135 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4136 memcpy(nft_set_ext_data(ext), data, set->dlen);
4137 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4138 *nft_set_ext_expiration(ext) =
4139 get_jiffies_64() + timeout;
4140 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4141 *nft_set_ext_timeout(ext) = timeout;
4142
4143 return elem;
4144}
4145
4146void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4147 bool destroy_expr)
4148{
4149 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4150 struct nft_ctx ctx = {
4151 .net = read_pnet(&set->net),
4152 .family = set->table->family,
4153 };
4154
4155 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4156 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4157 nft_data_release(nft_set_ext_data(ext), set->dtype);
4158 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4159 struct nft_expr *expr = nft_set_ext_expr(ext);
4160
4161 if (expr->ops->destroy_clone) {
4162 expr->ops->destroy_clone(&ctx, expr);
4163 module_put(expr->ops->type->owner);
4164 } else {
4165 nf_tables_expr_destroy(&ctx, expr);
4166 }
4167 }
4168 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4169 (*nft_set_ext_obj(ext))->use--;
4170 kfree(elem);
4171}
4172EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4173
4174
4175
4176
4177static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4178 const struct nft_set *set, void *elem)
4179{
4180 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4181
4182 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4183 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4184 kfree(elem);
4185}
4186
4187static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4188 const struct nlattr *attr, u32 nlmsg_flags)
4189{
4190 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4191 u8 genmask = nft_genmask_next(ctx->net);
4192 struct nft_data_desc d1, d2;
4193 struct nft_set_ext_tmpl tmpl;
4194 struct nft_set_ext *ext, *ext2;
4195 struct nft_set_elem elem;
4196 struct nft_set_binding *binding;
4197 struct nft_object *obj = NULL;
4198 struct nft_userdata *udata;
4199 struct nft_data data;
4200 enum nft_registers dreg;
4201 struct nft_trans *trans;
4202 u32 flags = 0;
4203 u64 timeout;
4204 u8 ulen;
4205 int err;
4206
4207 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4208 nft_set_elem_policy, NULL);
4209 if (err < 0)
4210 return err;
4211
4212 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4213 return -EINVAL;
4214
4215 nft_set_ext_prepare(&tmpl);
4216
4217 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4218 if (err < 0)
4219 return err;
4220 if (flags != 0)
4221 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4222
4223 if (set->flags & NFT_SET_MAP) {
4224 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4225 !(flags & NFT_SET_ELEM_INTERVAL_END))
4226 return -EINVAL;
4227 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4228 flags & NFT_SET_ELEM_INTERVAL_END)
4229 return -EINVAL;
4230 } else {
4231 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4232 return -EINVAL;
4233 }
4234
4235 timeout = 0;
4236 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4237 if (!(set->flags & NFT_SET_TIMEOUT))
4238 return -EINVAL;
4239 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4240 &timeout);
4241 if (err)
4242 return err;
4243 } else if (set->flags & NFT_SET_TIMEOUT) {
4244 timeout = set->timeout;
4245 }
4246
4247 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4248 nla[NFTA_SET_ELEM_KEY]);
4249 if (err < 0)
4250 goto err1;
4251 err = -EINVAL;
4252 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4253 goto err2;
4254
4255 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4256 if (timeout > 0) {
4257 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4258 if (timeout != set->timeout)
4259 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4260 }
4261
4262 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4263 if (!(set->flags & NFT_SET_OBJECT)) {
4264 err = -EINVAL;
4265 goto err2;
4266 }
4267 obj = nft_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4268 set->objtype, genmask);
4269 if (IS_ERR(obj)) {
4270 err = PTR_ERR(obj);
4271 goto err2;
4272 }
4273 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4274 }
4275
4276 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4277 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4278 nla[NFTA_SET_ELEM_DATA]);
4279 if (err < 0)
4280 goto err2;
4281
4282 err = -EINVAL;
4283 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4284 goto err3;
4285
4286 dreg = nft_type_to_reg(set->dtype);
4287 list_for_each_entry(binding, &set->bindings, list) {
4288 struct nft_ctx bind_ctx = {
4289 .net = ctx->net,
4290 .family = ctx->family,
4291 .table = ctx->table,
4292 .chain = (struct nft_chain *)binding->chain,
4293 };
4294
4295 if (!(binding->flags & NFT_SET_MAP))
4296 continue;
4297
4298 err = nft_validate_register_store(&bind_ctx, dreg,
4299 &data,
4300 d2.type, d2.len);
4301 if (err < 0)
4302 goto err3;
4303
4304 if (d2.type == NFT_DATA_VERDICT &&
4305 (data.verdict.code == NFT_GOTO ||
4306 data.verdict.code == NFT_JUMP))
4307 nft_validate_state_update(ctx->net,
4308 NFT_VALIDATE_NEED);
4309 }
4310
4311 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4312 }
4313
4314
4315
4316
4317
4318 ulen = 0;
4319 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4320 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4321 if (ulen > 0)
4322 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4323 ulen);
4324 }
4325
4326 err = -ENOMEM;
4327 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4328 timeout, GFP_KERNEL);
4329 if (elem.priv == NULL)
4330 goto err3;
4331
4332 ext = nft_set_elem_ext(set, elem.priv);
4333 if (flags)
4334 *nft_set_ext_flags(ext) = flags;
4335 if (ulen > 0) {
4336 udata = nft_set_ext_userdata(ext);
4337 udata->len = ulen - 1;
4338 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4339 }
4340 if (obj) {
4341 *nft_set_ext_obj(ext) = obj;
4342 obj->use++;
4343 }
4344
4345 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4346 if (trans == NULL)
4347 goto err4;
4348
4349 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4350 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4351 if (err) {
4352 if (err == -EEXIST) {
4353 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4354 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4355 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4356 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4357 err = -EBUSY;
4358 goto err5;
4359 }
4360 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4361 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4362 memcmp(nft_set_ext_data(ext),
4363 nft_set_ext_data(ext2), set->dlen) != 0) ||
4364 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4365 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4366 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4367 err = -EBUSY;
4368 else if (!(nlmsg_flags & NLM_F_EXCL))
4369 err = 0;
4370 }
4371 goto err5;
4372 }
4373
4374 if (set->size &&
4375 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4376 err = -ENFILE;
4377 goto err6;
4378 }
4379
4380 nft_trans_elem(trans) = elem;
4381 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4382 return 0;
4383
4384err6:
4385 set->ops->remove(ctx->net, set, &elem);
4386err5:
4387 kfree(trans);
4388err4:
4389 kfree(elem.priv);
4390err3:
4391 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4392 nft_data_release(&data, d2.type);
4393err2:
4394 nft_data_release(&elem.key.val, d1.type);
4395err1:
4396 return err;
4397}
4398
4399static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4400 struct sk_buff *skb, const struct nlmsghdr *nlh,
4401 const struct nlattr * const nla[],
4402 struct netlink_ext_ack *extack)
4403{
4404 u8 genmask = nft_genmask_next(net);
4405 const struct nlattr *attr;
4406 struct nft_set *set;
4407 struct nft_ctx ctx;
4408 int rem, err;
4409
4410 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4411 return -EINVAL;
4412
4413 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4414 genmask);
4415 if (err < 0)
4416 return err;
4417
4418 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4419 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4420 if (IS_ERR(set))
4421 return PTR_ERR(set);
4422
4423 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4424 return -EBUSY;
4425
4426 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4427 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4428 if (err < 0)
4429 return err;
4430 }
4431
4432 if (net->nft.validate_state == NFT_VALIDATE_DO)
4433 return nft_table_validate(net, ctx.table);
4434
4435 return 0;
4436}
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4450{
4451 if (type == NFT_DATA_VERDICT) {
4452 switch (data->verdict.code) {
4453 case NFT_JUMP:
4454 case NFT_GOTO:
4455 data->verdict.chain->use++;
4456 break;
4457 }
4458 }
4459}
4460
4461static void nft_set_elem_activate(const struct net *net,
4462 const struct nft_set *set,
4463 struct nft_set_elem *elem)
4464{
4465 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4466
4467 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4468 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4469 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4470 (*nft_set_ext_obj(ext))->use++;
4471}
4472
4473static void nft_set_elem_deactivate(const struct net *net,
4474 const struct nft_set *set,
4475 struct nft_set_elem *elem)
4476{
4477 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4478
4479 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4480 nft_data_release(nft_set_ext_data(ext), set->dtype);
4481 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4482 (*nft_set_ext_obj(ext))->use--;
4483}
4484
4485static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4486 const struct nlattr *attr)
4487{
4488 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4489 struct nft_set_ext_tmpl tmpl;
4490 struct nft_data_desc desc;
4491 struct nft_set_elem elem;
4492 struct nft_set_ext *ext;
4493 struct nft_trans *trans;
4494 u32 flags = 0;
4495 void *priv;
4496 int err;
4497
4498 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4499 nft_set_elem_policy, NULL);
4500 if (err < 0)
4501 goto err1;
4502
4503 err = -EINVAL;
4504 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4505 goto err1;
4506
4507 nft_set_ext_prepare(&tmpl);
4508
4509 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4510 if (err < 0)
4511 return err;
4512 if (flags != 0)
4513 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4514
4515 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4516 nla[NFTA_SET_ELEM_KEY]);
4517 if (err < 0)
4518 goto err1;
4519
4520 err = -EINVAL;
4521 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4522 goto err2;
4523
4524 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4525
4526 err = -ENOMEM;
4527 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4528 GFP_KERNEL);
4529 if (elem.priv == NULL)
4530 goto err2;
4531
4532 ext = nft_set_elem_ext(set, elem.priv);
4533 if (flags)
4534 *nft_set_ext_flags(ext) = flags;
4535
4536 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4537 if (trans == NULL) {
4538 err = -ENOMEM;
4539 goto err3;
4540 }
4541
4542 priv = set->ops->deactivate(ctx->net, set, &elem);
4543 if (priv == NULL) {
4544 err = -ENOENT;
4545 goto err4;
4546 }
4547 kfree(elem.priv);
4548 elem.priv = priv;
4549
4550 nft_set_elem_deactivate(ctx->net, set, &elem);
4551
4552 nft_trans_elem(trans) = elem;
4553 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4554 return 0;
4555
4556err4:
4557 kfree(trans);
4558err3:
4559 kfree(elem.priv);
4560err2:
4561 nft_data_release(&elem.key.val, desc.type);
4562err1:
4563 return err;
4564}
4565
4566static int nft_flush_set(const struct nft_ctx *ctx,
4567 struct nft_set *set,
4568 const struct nft_set_iter *iter,
4569 struct nft_set_elem *elem)
4570{
4571 struct nft_trans *trans;
4572 int err;
4573
4574 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4575 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4576 if (!trans)
4577 return -ENOMEM;
4578
4579 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4580 err = -ENOENT;
4581 goto err1;
4582 }
4583 set->ndeact++;
4584
4585 nft_trans_elem_set(trans) = set;
4586 nft_trans_elem(trans) = *elem;
4587 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4588
4589 return 0;
4590err1:
4591 kfree(trans);
4592 return err;
4593}
4594
4595static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4596 struct sk_buff *skb, const struct nlmsghdr *nlh,
4597 const struct nlattr * const nla[],
4598 struct netlink_ext_ack *extack)
4599{
4600 u8 genmask = nft_genmask_next(net);
4601 const struct nlattr *attr;
4602 struct nft_set *set;
4603 struct nft_ctx ctx;
4604 int rem, err = 0;
4605
4606 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4607 genmask);
4608 if (err < 0)
4609 return err;
4610
4611 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4612 if (IS_ERR(set))
4613 return PTR_ERR(set);
4614 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4615 return -EBUSY;
4616
4617 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4618 struct nft_set_iter iter = {
4619 .genmask = genmask,
4620 .fn = nft_flush_set,
4621 };
4622 set->ops->walk(&ctx, set, &iter);
4623
4624 return iter.err;
4625 }
4626
4627 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4628 err = nft_del_setelem(&ctx, set, attr);
4629 if (err < 0)
4630 break;
4631
4632 set->ndeact++;
4633 }
4634 return err;
4635}
4636
4637void nft_set_gc_batch_release(struct rcu_head *rcu)
4638{
4639 struct nft_set_gc_batch *gcb;
4640 unsigned int i;
4641
4642 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4643 for (i = 0; i < gcb->head.cnt; i++)
4644 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4645 kfree(gcb);
4646}
4647EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4648
4649struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4650 gfp_t gfp)
4651{
4652 struct nft_set_gc_batch *gcb;
4653
4654 gcb = kzalloc(sizeof(*gcb), gfp);
4655 if (gcb == NULL)
4656 return gcb;
4657 gcb->head.set = set;
4658 return gcb;
4659}
4660EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4661
4662
4663
4664
4665
4666
4667
4668
4669
4670
4671
4672
4673int nft_register_obj(struct nft_object_type *obj_type)
4674{
4675 if (obj_type->type == NFT_OBJECT_UNSPEC)
4676 return -EINVAL;
4677
4678 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4679 list_add_rcu(&obj_type->list, &nf_tables_objects);
4680 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4681 return 0;
4682}
4683EXPORT_SYMBOL_GPL(nft_register_obj);
4684
4685
4686
4687
4688
4689
4690
4691void nft_unregister_obj(struct nft_object_type *obj_type)
4692{
4693 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4694 list_del_rcu(&obj_type->list);
4695 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4696}
4697EXPORT_SYMBOL_GPL(nft_unregister_obj);
4698
4699struct nft_object *nft_obj_lookup(const struct nft_table *table,
4700 const struct nlattr *nla, u32 objtype,
4701 u8 genmask)
4702{
4703 struct nft_object *obj;
4704
4705 list_for_each_entry_rcu(obj, &table->objects, list) {
4706 if (!nla_strcmp(nla, obj->name) &&
4707 objtype == obj->ops->type->type &&
4708 nft_active_genmask(obj, genmask))
4709 return obj;
4710 }
4711 return ERR_PTR(-ENOENT);
4712}
4713EXPORT_SYMBOL_GPL(nft_obj_lookup);
4714
4715static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4716 const struct nlattr *nla,
4717 u32 objtype, u8 genmask)
4718{
4719 struct nft_object *obj;
4720
4721 list_for_each_entry(obj, &table->objects, list) {
4722 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4723 objtype == obj->ops->type->type &&
4724 nft_active_genmask(obj, genmask))
4725 return obj;
4726 }
4727 return ERR_PTR(-ENOENT);
4728}
4729
4730static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4731 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4732 .len = NFT_TABLE_MAXNAMELEN - 1 },
4733 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4734 .len = NFT_OBJ_MAXNAMELEN - 1 },
4735 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4736 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4737 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4738};
4739
4740static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4741 const struct nft_object_type *type,
4742 const struct nlattr *attr)
4743{
4744 struct nlattr **tb;
4745 const struct nft_object_ops *ops;
4746 struct nft_object *obj;
4747 int err = -ENOMEM;
4748
4749 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4750 if (!tb)
4751 goto err1;
4752
4753 if (attr) {
4754 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4755 NULL);
4756 if (err < 0)
4757 goto err2;
4758 } else {
4759 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4760 }
4761
4762 if (type->select_ops) {
4763 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4764 if (IS_ERR(ops)) {
4765 err = PTR_ERR(ops);
4766 goto err2;
4767 }
4768 } else {
4769 ops = type->ops;
4770 }
4771
4772 err = -ENOMEM;
4773 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4774 if (!obj)
4775 goto err2;
4776
4777 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4778 if (err < 0)
4779 goto err3;
4780
4781 obj->ops = ops;
4782
4783 kfree(tb);
4784 return obj;
4785err3:
4786 kfree(obj);
4787err2:
4788 kfree(tb);
4789err1:
4790 return ERR_PTR(err);
4791}
4792
4793static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4794 struct nft_object *obj, bool reset)
4795{
4796 struct nlattr *nest;
4797
4798 nest = nla_nest_start(skb, attr);
4799 if (!nest)
4800 goto nla_put_failure;
4801 if (obj->ops->dump(skb, obj, reset) < 0)
4802 goto nla_put_failure;
4803 nla_nest_end(skb, nest);
4804 return 0;
4805
4806nla_put_failure:
4807 return -1;
4808}
4809
4810static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4811{
4812 const struct nft_object_type *type;
4813
4814 list_for_each_entry(type, &nf_tables_objects, list) {
4815 if (objtype == type->type)
4816 return type;
4817 }
4818 return NULL;
4819}
4820
4821static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4822{
4823 const struct nft_object_type *type;
4824
4825 type = __nft_obj_type_get(objtype);
4826 if (type != NULL && try_module_get(type->owner))
4827 return type;
4828
4829#ifdef CONFIG_MODULES
4830 if (type == NULL) {
4831 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4832 request_module("nft-obj-%u", objtype);
4833 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4834 if (__nft_obj_type_get(objtype))
4835 return ERR_PTR(-EAGAIN);
4836 }
4837#endif
4838 return ERR_PTR(-ENOENT);
4839}
4840
4841static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4842 struct sk_buff *skb, const struct nlmsghdr *nlh,
4843 const struct nlattr * const nla[],
4844 struct netlink_ext_ack *extack)
4845{
4846 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4847 const struct nft_object_type *type;
4848 u8 genmask = nft_genmask_next(net);
4849 int family = nfmsg->nfgen_family;
4850 struct nft_table *table;
4851 struct nft_object *obj;
4852 struct nft_ctx ctx;
4853 u32 objtype;
4854 int err;
4855
4856 if (!nla[NFTA_OBJ_TYPE] ||
4857 !nla[NFTA_OBJ_NAME] ||
4858 !nla[NFTA_OBJ_DATA])
4859 return -EINVAL;
4860
4861 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4862 if (IS_ERR(table)) {
4863 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4864 return PTR_ERR(table);
4865 }
4866
4867 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4868 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4869 if (IS_ERR(obj)) {
4870 err = PTR_ERR(obj);
4871 if (err != -ENOENT) {
4872 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4873 return err;
4874 }
4875 } else {
4876 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4877 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4878 return -EEXIST;
4879 }
4880 return 0;
4881 }
4882
4883 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4884
4885 type = nft_obj_type_get(objtype);
4886 if (IS_ERR(type))
4887 return PTR_ERR(type);
4888
4889 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4890 if (IS_ERR(obj)) {
4891 err = PTR_ERR(obj);
4892 goto err1;
4893 }
4894 obj->table = table;
4895 obj->handle = nf_tables_alloc_handle(table);
4896
4897 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4898 if (!obj->name) {
4899 err = -ENOMEM;
4900 goto err2;
4901 }
4902
4903 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4904 if (err < 0)
4905 goto err3;
4906
4907 list_add_tail_rcu(&obj->list, &table->objects);
4908 table->use++;
4909 return 0;
4910err3:
4911 kfree(obj->name);
4912err2:
4913 if (obj->ops->destroy)
4914 obj->ops->destroy(&ctx, obj);
4915 kfree(obj);
4916err1:
4917 module_put(type->owner);
4918 return err;
4919}
4920
4921static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4922 u32 portid, u32 seq, int event, u32 flags,
4923 int family, const struct nft_table *table,
4924 struct nft_object *obj, bool reset)
4925{
4926 struct nfgenmsg *nfmsg;
4927 struct nlmsghdr *nlh;
4928
4929 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4930 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4931 if (nlh == NULL)
4932 goto nla_put_failure;
4933
4934 nfmsg = nlmsg_data(nlh);
4935 nfmsg->nfgen_family = family;
4936 nfmsg->version = NFNETLINK_V0;
4937 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4938
4939 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4940 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4941 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4942 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4943 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4944 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4945 NFTA_OBJ_PAD))
4946 goto nla_put_failure;
4947
4948 nlmsg_end(skb, nlh);
4949 return 0;
4950
4951nla_put_failure:
4952 nlmsg_trim(skb, nlh);
4953 return -1;
4954}
4955
4956struct nft_obj_filter {
4957 char *table;
4958 u32 type;
4959};
4960
4961static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4962{
4963 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4964 const struct nft_table *table;
4965 unsigned int idx = 0, s_idx = cb->args[0];
4966 struct nft_obj_filter *filter = cb->data;
4967 struct net *net = sock_net(skb->sk);
4968 int family = nfmsg->nfgen_family;
4969 struct nft_object *obj;
4970 bool reset = false;
4971
4972 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4973 reset = true;
4974
4975 rcu_read_lock();
4976 cb->seq = net->nft.base_seq;
4977
4978 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4979 if (family != NFPROTO_UNSPEC && family != table->family)
4980 continue;
4981
4982 list_for_each_entry_rcu(obj, &table->objects, list) {
4983 if (!nft_is_active(net, obj))
4984 goto cont;
4985 if (idx < s_idx)
4986 goto cont;
4987 if (idx > s_idx)
4988 memset(&cb->args[1], 0,
4989 sizeof(cb->args) - sizeof(cb->args[0]));
4990 if (filter && filter->table &&
4991 strcmp(filter->table, table->name))
4992 goto cont;
4993 if (filter &&
4994 filter->type != NFT_OBJECT_UNSPEC &&
4995 obj->ops->type->type != filter->type)
4996 goto cont;
4997
4998 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4999 cb->nlh->nlmsg_seq,
5000 NFT_MSG_NEWOBJ,
5001 NLM_F_MULTI | NLM_F_APPEND,
5002 table->family, table,
5003 obj, reset) < 0)
5004 goto done;
5005
5006 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5007cont:
5008 idx++;
5009 }
5010 }
5011done:
5012 rcu_read_unlock();
5013
5014 cb->args[0] = idx;
5015 return skb->len;
5016}
5017
5018static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5019{
5020 const struct nlattr * const *nla = cb->data;
5021 struct nft_obj_filter *filter = NULL;
5022
5023 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5024 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5025 if (!filter)
5026 return -ENOMEM;
5027
5028 if (nla[NFTA_OBJ_TABLE]) {
5029 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5030 if (!filter->table) {
5031 kfree(filter);
5032 return -ENOMEM;
5033 }
5034 }
5035
5036 if (nla[NFTA_OBJ_TYPE])
5037 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5038 }
5039
5040 cb->data = filter;
5041 return 0;
5042}
5043
5044static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5045{
5046 struct nft_obj_filter *filter = cb->data;
5047
5048 if (filter) {
5049 kfree(filter->table);
5050 kfree(filter);
5051 }
5052
5053 return 0;
5054}
5055
5056
5057static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5058 struct sk_buff *skb, const struct nlmsghdr *nlh,
5059 const struct nlattr * const nla[],
5060 struct netlink_ext_ack *extack)
5061{
5062 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5063 u8 genmask = nft_genmask_cur(net);
5064 int family = nfmsg->nfgen_family;
5065 const struct nft_table *table;
5066 struct nft_object *obj;
5067 struct sk_buff *skb2;
5068 bool reset = false;
5069 u32 objtype;
5070 int err;
5071
5072 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5073 struct netlink_dump_control c = {
5074 .start = nf_tables_dump_obj_start,
5075 .dump = nf_tables_dump_obj,
5076 .done = nf_tables_dump_obj_done,
5077 .module = THIS_MODULE,
5078 .data = (void *)nla,
5079 };
5080
5081 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5082 }
5083
5084 if (!nla[NFTA_OBJ_NAME] ||
5085 !nla[NFTA_OBJ_TYPE])
5086 return -EINVAL;
5087
5088 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5089 if (IS_ERR(table)) {
5090 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5091 return PTR_ERR(table);
5092 }
5093
5094 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5095 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
5096 if (IS_ERR(obj)) {
5097 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5098 return PTR_ERR(obj);
5099 }
5100
5101 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5102 if (!skb2)
5103 return -ENOMEM;
5104
5105 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5106 reset = true;
5107
5108 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5109 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5110 family, table, obj, reset);
5111 if (err < 0)
5112 goto err;
5113
5114 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5115err:
5116 kfree_skb(skb2);
5117 return err;
5118}
5119
5120static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5121{
5122 if (obj->ops->destroy)
5123 obj->ops->destroy(ctx, obj);
5124
5125 module_put(obj->ops->type->owner);
5126 kfree(obj->name);
5127 kfree(obj);
5128}
5129
5130static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5131 struct sk_buff *skb, const struct nlmsghdr *nlh,
5132 const struct nlattr * const nla[],
5133 struct netlink_ext_ack *extack)
5134{
5135 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5136 u8 genmask = nft_genmask_next(net);
5137 int family = nfmsg->nfgen_family;
5138 const struct nlattr *attr;
5139 struct nft_table *table;
5140 struct nft_object *obj;
5141 struct nft_ctx ctx;
5142 u32 objtype;
5143
5144 if (!nla[NFTA_OBJ_TYPE] ||
5145 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5146 return -EINVAL;
5147
5148 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5149 if (IS_ERR(table)) {
5150 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5151 return PTR_ERR(table);
5152 }
5153
5154 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5155 if (nla[NFTA_OBJ_HANDLE]) {
5156 attr = nla[NFTA_OBJ_HANDLE];
5157 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5158 } else {
5159 attr = nla[NFTA_OBJ_NAME];
5160 obj = nft_obj_lookup(table, attr, objtype, genmask);
5161 }
5162
5163 if (IS_ERR(obj)) {
5164 NL_SET_BAD_ATTR(extack, attr);
5165 return PTR_ERR(obj);
5166 }
5167 if (obj->use > 0) {
5168 NL_SET_BAD_ATTR(extack, attr);
5169 return -EBUSY;
5170 }
5171
5172 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5173
5174 return nft_delobj(&ctx, obj);
5175}
5176
5177void nft_obj_notify(struct net *net, struct nft_table *table,
5178 struct nft_object *obj, u32 portid, u32 seq, int event,
5179 int family, int report, gfp_t gfp)
5180{
5181 struct sk_buff *skb;
5182 int err;
5183
5184 if (!report &&
5185 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5186 return;
5187
5188 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5189 if (skb == NULL)
5190 goto err;
5191
5192 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5193 table, obj, false);
5194 if (err < 0) {
5195 kfree_skb(skb);
5196 goto err;
5197 }
5198
5199 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5200 return;
5201err:
5202 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5203}
5204EXPORT_SYMBOL_GPL(nft_obj_notify);
5205
5206static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5207 struct nft_object *obj, int event)
5208{
5209 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5210 ctx->family, ctx->report, GFP_KERNEL);
5211}
5212
5213
5214
5215
5216void nft_register_flowtable_type(struct nf_flowtable_type *type)
5217{
5218 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5219 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5220 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5221}
5222EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5223
5224void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5225{
5226 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5227 list_del_rcu(&type->list);
5228 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5229}
5230EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5231
5232static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5233 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5234 .len = NFT_NAME_MAXLEN - 1 },
5235 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5236 .len = NFT_NAME_MAXLEN - 1 },
5237 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5238 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5239};
5240
5241struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5242 const struct nlattr *nla, u8 genmask)
5243{
5244 struct nft_flowtable *flowtable;
5245
5246 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5247 if (!nla_strcmp(nla, flowtable->name) &&
5248 nft_active_genmask(flowtable, genmask))
5249 return flowtable;
5250 }
5251 return ERR_PTR(-ENOENT);
5252}
5253EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5254
5255static struct nft_flowtable *
5256nft_flowtable_lookup_byhandle(const struct nft_table *table,
5257 const struct nlattr *nla, u8 genmask)
5258{
5259 struct nft_flowtable *flowtable;
5260
5261 list_for_each_entry(flowtable, &table->flowtables, list) {
5262 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5263 nft_active_genmask(flowtable, genmask))
5264 return flowtable;
5265 }
5266 return ERR_PTR(-ENOENT);
5267}
5268
5269static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5270 const struct nlattr *attr,
5271 struct net_device *dev_array[], int *len)
5272{
5273 const struct nlattr *tmp;
5274 struct net_device *dev;
5275 char ifname[IFNAMSIZ];
5276 int rem, n = 0, err;
5277
5278 nla_for_each_nested(tmp, attr, rem) {
5279 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5280 err = -EINVAL;
5281 goto err1;
5282 }
5283
5284 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5285 dev = __dev_get_by_name(ctx->net, ifname);
5286 if (!dev) {
5287 err = -ENOENT;
5288 goto err1;
5289 }
5290
5291 dev_array[n++] = dev;
5292 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5293 err = -EFBIG;
5294 goto err1;
5295 }
5296 }
5297 if (!len)
5298 return -EINVAL;
5299
5300 err = 0;
5301err1:
5302 *len = n;
5303 return err;
5304}
5305
5306static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5307 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5308 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5309 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5310};
5311
5312static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5313 const struct nlattr *attr,
5314 struct nft_flowtable *flowtable)
5315{
5316 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5317 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5318 struct nf_hook_ops *ops;
5319 int hooknum, priority;
5320 int err, n = 0, i;
5321
5322 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5323 nft_flowtable_hook_policy, NULL);
5324 if (err < 0)
5325 return err;
5326
5327 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5328 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5329 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5330 return -EINVAL;
5331
5332 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5333 if (hooknum != NF_NETDEV_INGRESS)
5334 return -EINVAL;
5335
5336 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5337
5338 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5339 dev_array, &n);
5340 if (err < 0)
5341 return err;
5342
5343 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5344 if (!ops)
5345 return -ENOMEM;
5346
5347 flowtable->hooknum = hooknum;
5348 flowtable->priority = priority;
5349 flowtable->ops = ops;
5350 flowtable->ops_len = n;
5351
5352 for (i = 0; i < n; i++) {
5353 flowtable->ops[i].pf = NFPROTO_NETDEV;
5354 flowtable->ops[i].hooknum = hooknum;
5355 flowtable->ops[i].priority = priority;
5356 flowtable->ops[i].priv = &flowtable->data;
5357 flowtable->ops[i].hook = flowtable->data.type->hook;
5358 flowtable->ops[i].dev = dev_array[i];
5359 }
5360
5361 return err;
5362}
5363
5364static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5365{
5366 const struct nf_flowtable_type *type;
5367
5368 list_for_each_entry(type, &nf_tables_flowtables, list) {
5369 if (family == type->family)
5370 return type;
5371 }
5372 return NULL;
5373}
5374
5375static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5376{
5377 const struct nf_flowtable_type *type;
5378
5379 type = __nft_flowtable_type_get(family);
5380 if (type != NULL && try_module_get(type->owner))
5381 return type;
5382
5383#ifdef CONFIG_MODULES
5384 if (type == NULL) {
5385 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5386 request_module("nf-flowtable-%u", family);
5387 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5388 if (__nft_flowtable_type_get(family))
5389 return ERR_PTR(-EAGAIN);
5390 }
5391#endif
5392 return ERR_PTR(-ENOENT);
5393}
5394
5395static void nft_unregister_flowtable_net_hooks(struct net *net,
5396 struct nft_flowtable *flowtable)
5397{
5398 int i;
5399
5400 for (i = 0; i < flowtable->ops_len; i++) {
5401 if (!flowtable->ops[i].dev)
5402 continue;
5403
5404 nf_unregister_net_hook(net, &flowtable->ops[i]);
5405 }
5406}
5407
5408static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5409 struct sk_buff *skb,
5410 const struct nlmsghdr *nlh,
5411 const struct nlattr * const nla[],
5412 struct netlink_ext_ack *extack)
5413{
5414 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5415 const struct nf_flowtable_type *type;
5416 struct nft_flowtable *flowtable, *ft;
5417 u8 genmask = nft_genmask_next(net);
5418 int family = nfmsg->nfgen_family;
5419 struct nft_table *table;
5420 struct nft_ctx ctx;
5421 int err, i, k;
5422
5423 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5424 !nla[NFTA_FLOWTABLE_NAME] ||
5425 !nla[NFTA_FLOWTABLE_HOOK])
5426 return -EINVAL;
5427
5428 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5429 genmask);
5430 if (IS_ERR(table)) {
5431 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5432 return PTR_ERR(table);
5433 }
5434
5435 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5436 genmask);
5437 if (IS_ERR(flowtable)) {
5438 err = PTR_ERR(flowtable);
5439 if (err != -ENOENT) {
5440 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5441 return err;
5442 }
5443 } else {
5444 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5445 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5446 return -EEXIST;
5447 }
5448
5449 return 0;
5450 }
5451
5452 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5453
5454 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5455 if (!flowtable)
5456 return -ENOMEM;
5457
5458 flowtable->table = table;
5459 flowtable->handle = nf_tables_alloc_handle(table);
5460
5461 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5462 if (!flowtable->name) {
5463 err = -ENOMEM;
5464 goto err1;
5465 }
5466
5467 type = nft_flowtable_type_get(family);
5468 if (IS_ERR(type)) {
5469 err = PTR_ERR(type);
5470 goto err2;
5471 }
5472
5473 flowtable->data.type = type;
5474 err = type->init(&flowtable->data);
5475 if (err < 0)
5476 goto err3;
5477
5478 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5479 flowtable);
5480 if (err < 0)
5481 goto err4;
5482
5483 for (i = 0; i < flowtable->ops_len; i++) {
5484 if (!flowtable->ops[i].dev)
5485 continue;
5486
5487 list_for_each_entry(ft, &table->flowtables, list) {
5488 for (k = 0; k < ft->ops_len; k++) {
5489 if (!ft->ops[k].dev)
5490 continue;
5491
5492 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5493 flowtable->ops[i].pf == ft->ops[k].pf) {
5494 err = -EBUSY;
5495 goto err5;
5496 }
5497 }
5498 }
5499
5500 err = nf_register_net_hook(net, &flowtable->ops[i]);
5501 if (err < 0)
5502 goto err5;
5503 }
5504
5505 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5506 if (err < 0)
5507 goto err6;
5508
5509 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5510 table->use++;
5511
5512 return 0;
5513err6:
5514 i = flowtable->ops_len;
5515err5:
5516 for (k = i - 1; k >= 0; k--)
5517 nf_unregister_net_hook(net, &flowtable->ops[k]);
5518
5519 kfree(flowtable->ops);
5520err4:
5521 flowtable->data.type->free(&flowtable->data);
5522err3:
5523 module_put(type->owner);
5524err2:
5525 kfree(flowtable->name);
5526err1:
5527 kfree(flowtable);
5528 return err;
5529}
5530
5531static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5532 struct sk_buff *skb,
5533 const struct nlmsghdr *nlh,
5534 const struct nlattr * const nla[],
5535 struct netlink_ext_ack *extack)
5536{
5537 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5538 u8 genmask = nft_genmask_next(net);
5539 int family = nfmsg->nfgen_family;
5540 struct nft_flowtable *flowtable;
5541 const struct nlattr *attr;
5542 struct nft_table *table;
5543 struct nft_ctx ctx;
5544
5545 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5546 (!nla[NFTA_FLOWTABLE_NAME] &&
5547 !nla[NFTA_FLOWTABLE_HANDLE]))
5548 return -EINVAL;
5549
5550 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5551 genmask);
5552 if (IS_ERR(table)) {
5553 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5554 return PTR_ERR(table);
5555 }
5556
5557 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5558 attr = nla[NFTA_FLOWTABLE_HANDLE];
5559 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5560 } else {
5561 attr = nla[NFTA_FLOWTABLE_NAME];
5562 flowtable = nft_flowtable_lookup(table, attr, genmask);
5563 }
5564
5565 if (IS_ERR(flowtable)) {
5566 NL_SET_BAD_ATTR(extack, attr);
5567 return PTR_ERR(flowtable);
5568 }
5569 if (flowtable->use > 0) {
5570 NL_SET_BAD_ATTR(extack, attr);
5571 return -EBUSY;
5572 }
5573
5574 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5575
5576 return nft_delflowtable(&ctx, flowtable);
5577}
5578
5579static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5580 u32 portid, u32 seq, int event,
5581 u32 flags, int family,
5582 struct nft_flowtable *flowtable)
5583{
5584 struct nlattr *nest, *nest_devs;
5585 struct nfgenmsg *nfmsg;
5586 struct nlmsghdr *nlh;
5587 int i;
5588
5589 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5590 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5591 if (nlh == NULL)
5592 goto nla_put_failure;
5593
5594 nfmsg = nlmsg_data(nlh);
5595 nfmsg->nfgen_family = family;
5596 nfmsg->version = NFNETLINK_V0;
5597 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5598
5599 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5600 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5601 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5602 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5603 NFTA_FLOWTABLE_PAD))
5604 goto nla_put_failure;
5605
5606 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5607 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5608 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5609 goto nla_put_failure;
5610
5611 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5612 if (!nest_devs)
5613 goto nla_put_failure;
5614
5615 for (i = 0; i < flowtable->ops_len; i++) {
5616 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5617
5618 if (dev &&
5619 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5620 goto nla_put_failure;
5621 }
5622 nla_nest_end(skb, nest_devs);
5623 nla_nest_end(skb, nest);
5624
5625 nlmsg_end(skb, nlh);
5626 return 0;
5627
5628nla_put_failure:
5629 nlmsg_trim(skb, nlh);
5630 return -1;
5631}
5632
5633struct nft_flowtable_filter {
5634 char *table;
5635};
5636
5637static int nf_tables_dump_flowtable(struct sk_buff *skb,
5638 struct netlink_callback *cb)
5639{
5640 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5641 struct nft_flowtable_filter *filter = cb->data;
5642 unsigned int idx = 0, s_idx = cb->args[0];
5643 struct net *net = sock_net(skb->sk);
5644 int family = nfmsg->nfgen_family;
5645 struct nft_flowtable *flowtable;
5646 const struct nft_table *table;
5647
5648 rcu_read_lock();
5649 cb->seq = net->nft.base_seq;
5650
5651 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5652 if (family != NFPROTO_UNSPEC && family != table->family)
5653 continue;
5654
5655 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5656 if (!nft_is_active(net, flowtable))
5657 goto cont;
5658 if (idx < s_idx)
5659 goto cont;
5660 if (idx > s_idx)
5661 memset(&cb->args[1], 0,
5662 sizeof(cb->args) - sizeof(cb->args[0]));
5663 if (filter && filter->table &&
5664 strcmp(filter->table, table->name))
5665 goto cont;
5666
5667 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5668 cb->nlh->nlmsg_seq,
5669 NFT_MSG_NEWFLOWTABLE,
5670 NLM_F_MULTI | NLM_F_APPEND,
5671 table->family, flowtable) < 0)
5672 goto done;
5673
5674 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5675cont:
5676 idx++;
5677 }
5678 }
5679done:
5680 rcu_read_unlock();
5681
5682 cb->args[0] = idx;
5683 return skb->len;
5684}
5685
5686static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5687{
5688 const struct nlattr * const *nla = cb->data;
5689 struct nft_flowtable_filter *filter = NULL;
5690
5691 if (nla[NFTA_FLOWTABLE_TABLE]) {
5692 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5693 if (!filter)
5694 return -ENOMEM;
5695
5696 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5697 GFP_ATOMIC);
5698 if (!filter->table) {
5699 kfree(filter);
5700 return -ENOMEM;
5701 }
5702 }
5703
5704 cb->data = filter;
5705 return 0;
5706}
5707
5708static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5709{
5710 struct nft_flowtable_filter *filter = cb->data;
5711
5712 if (!filter)
5713 return 0;
5714
5715 kfree(filter->table);
5716 kfree(filter);
5717
5718 return 0;
5719}
5720
5721
5722static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5723 struct sk_buff *skb,
5724 const struct nlmsghdr *nlh,
5725 const struct nlattr * const nla[],
5726 struct netlink_ext_ack *extack)
5727{
5728 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5729 u8 genmask = nft_genmask_cur(net);
5730 int family = nfmsg->nfgen_family;
5731 struct nft_flowtable *flowtable;
5732 const struct nft_table *table;
5733 struct sk_buff *skb2;
5734 int err;
5735
5736 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5737 struct netlink_dump_control c = {
5738 .start = nf_tables_dump_flowtable_start,
5739 .dump = nf_tables_dump_flowtable,
5740 .done = nf_tables_dump_flowtable_done,
5741 .module = THIS_MODULE,
5742 .data = (void *)nla,
5743 };
5744
5745 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5746 }
5747
5748 if (!nla[NFTA_FLOWTABLE_NAME])
5749 return -EINVAL;
5750
5751 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5752 genmask);
5753 if (IS_ERR(table))
5754 return PTR_ERR(table);
5755
5756 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5757 genmask);
5758 if (IS_ERR(flowtable))
5759 return PTR_ERR(flowtable);
5760
5761 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5762 if (!skb2)
5763 return -ENOMEM;
5764
5765 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5766 nlh->nlmsg_seq,
5767 NFT_MSG_NEWFLOWTABLE, 0, family,
5768 flowtable);
5769 if (err < 0)
5770 goto err;
5771
5772 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5773err:
5774 kfree_skb(skb2);
5775 return err;
5776}
5777
5778static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5779 struct nft_flowtable *flowtable,
5780 int event)
5781{
5782 struct sk_buff *skb;
5783 int err;
5784
5785 if (ctx->report &&
5786 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5787 return;
5788
5789 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5790 if (skb == NULL)
5791 goto err;
5792
5793 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5794 ctx->seq, event, 0,
5795 ctx->family, flowtable);
5796 if (err < 0) {
5797 kfree_skb(skb);
5798 goto err;
5799 }
5800
5801 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5802 ctx->report, GFP_KERNEL);
5803 return;
5804err:
5805 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5806}
5807
5808static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5809{
5810 kfree(flowtable->ops);
5811 kfree(flowtable->name);
5812 flowtable->data.type->free(&flowtable->data);
5813 module_put(flowtable->data.type->owner);
5814 kfree(flowtable);
5815}
5816
5817static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5818 u32 portid, u32 seq)
5819{
5820 struct nlmsghdr *nlh;
5821 struct nfgenmsg *nfmsg;
5822 char buf[TASK_COMM_LEN];
5823 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5824
5825 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5826 if (nlh == NULL)
5827 goto nla_put_failure;
5828
5829 nfmsg = nlmsg_data(nlh);
5830 nfmsg->nfgen_family = AF_UNSPEC;
5831 nfmsg->version = NFNETLINK_V0;
5832 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5833
5834 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5835 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5836 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5837 goto nla_put_failure;
5838
5839 nlmsg_end(skb, nlh);
5840 return 0;
5841
5842nla_put_failure:
5843 nlmsg_trim(skb, nlh);
5844 return -EMSGSIZE;
5845}
5846
5847static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5848 struct nft_flowtable *flowtable)
5849{
5850 int i;
5851
5852 for (i = 0; i < flowtable->ops_len; i++) {
5853 if (flowtable->ops[i].dev != dev)
5854 continue;
5855
5856 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5857 flowtable->ops[i].dev = NULL;
5858 break;
5859 }
5860}
5861
5862static int nf_tables_flowtable_event(struct notifier_block *this,
5863 unsigned long event, void *ptr)
5864{
5865 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5866 struct nft_flowtable *flowtable;
5867 struct nft_table *table;
5868 struct net *net;
5869
5870 if (event != NETDEV_UNREGISTER)
5871 return 0;
5872
5873 net = maybe_get_net(dev_net(dev));
5874 if (!net)
5875 return 0;
5876
5877 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5878 list_for_each_entry(table, &net->nft.tables, list) {
5879 list_for_each_entry(flowtable, &table->flowtables, list) {
5880 nft_flowtable_event(event, dev, flowtable);
5881 }
5882 }
5883 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5884 put_net(net);
5885 return NOTIFY_DONE;
5886}
5887
5888static struct notifier_block nf_tables_flowtable_notifier = {
5889 .notifier_call = nf_tables_flowtable_event,
5890};
5891
5892static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5893 int event)
5894{
5895 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5896 struct sk_buff *skb2;
5897 int err;
5898
5899 if (nlmsg_report(nlh) &&
5900 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5901 return;
5902
5903 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5904 if (skb2 == NULL)
5905 goto err;
5906
5907 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5908 nlh->nlmsg_seq);
5909 if (err < 0) {
5910 kfree_skb(skb2);
5911 goto err;
5912 }
5913
5914 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5915 nlmsg_report(nlh), GFP_KERNEL);
5916 return;
5917err:
5918 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5919 -ENOBUFS);
5920}
5921
5922static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5923 struct sk_buff *skb, const struct nlmsghdr *nlh,
5924 const struct nlattr * const nla[],
5925 struct netlink_ext_ack *extack)
5926{
5927 struct sk_buff *skb2;
5928 int err;
5929
5930 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5931 if (skb2 == NULL)
5932 return -ENOMEM;
5933
5934 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5935 nlh->nlmsg_seq);
5936 if (err < 0)
5937 goto err;
5938
5939 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5940err:
5941 kfree_skb(skb2);
5942 return err;
5943}
5944
5945static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5946 [NFT_MSG_NEWTABLE] = {
5947 .call_batch = nf_tables_newtable,
5948 .attr_count = NFTA_TABLE_MAX,
5949 .policy = nft_table_policy,
5950 },
5951 [NFT_MSG_GETTABLE] = {
5952 .call_rcu = nf_tables_gettable,
5953 .attr_count = NFTA_TABLE_MAX,
5954 .policy = nft_table_policy,
5955 },
5956 [NFT_MSG_DELTABLE] = {
5957 .call_batch = nf_tables_deltable,
5958 .attr_count = NFTA_TABLE_MAX,
5959 .policy = nft_table_policy,
5960 },
5961 [NFT_MSG_NEWCHAIN] = {
5962 .call_batch = nf_tables_newchain,
5963 .attr_count = NFTA_CHAIN_MAX,
5964 .policy = nft_chain_policy,
5965 },
5966 [NFT_MSG_GETCHAIN] = {
5967 .call_rcu = nf_tables_getchain,
5968 .attr_count = NFTA_CHAIN_MAX,
5969 .policy = nft_chain_policy,
5970 },
5971 [NFT_MSG_DELCHAIN] = {
5972 .call_batch = nf_tables_delchain,
5973 .attr_count = NFTA_CHAIN_MAX,
5974 .policy = nft_chain_policy,
5975 },
5976 [NFT_MSG_NEWRULE] = {
5977 .call_batch = nf_tables_newrule,
5978 .attr_count = NFTA_RULE_MAX,
5979 .policy = nft_rule_policy,
5980 },
5981 [NFT_MSG_GETRULE] = {
5982 .call_rcu = nf_tables_getrule,
5983 .attr_count = NFTA_RULE_MAX,
5984 .policy = nft_rule_policy,
5985 },
5986 [NFT_MSG_DELRULE] = {
5987 .call_batch = nf_tables_delrule,
5988 .attr_count = NFTA_RULE_MAX,
5989 .policy = nft_rule_policy,
5990 },
5991 [NFT_MSG_NEWSET] = {
5992 .call_batch = nf_tables_newset,
5993 .attr_count = NFTA_SET_MAX,
5994 .policy = nft_set_policy,
5995 },
5996 [NFT_MSG_GETSET] = {
5997 .call_rcu = nf_tables_getset,
5998 .attr_count = NFTA_SET_MAX,
5999 .policy = nft_set_policy,
6000 },
6001 [NFT_MSG_DELSET] = {
6002 .call_batch = nf_tables_delset,
6003 .attr_count = NFTA_SET_MAX,
6004 .policy = nft_set_policy,
6005 },
6006 [NFT_MSG_NEWSETELEM] = {
6007 .call_batch = nf_tables_newsetelem,
6008 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6009 .policy = nft_set_elem_list_policy,
6010 },
6011 [NFT_MSG_GETSETELEM] = {
6012 .call_rcu = nf_tables_getsetelem,
6013 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6014 .policy = nft_set_elem_list_policy,
6015 },
6016 [NFT_MSG_DELSETELEM] = {
6017 .call_batch = nf_tables_delsetelem,
6018 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6019 .policy = nft_set_elem_list_policy,
6020 },
6021 [NFT_MSG_GETGEN] = {
6022 .call_rcu = nf_tables_getgen,
6023 },
6024 [NFT_MSG_NEWOBJ] = {
6025 .call_batch = nf_tables_newobj,
6026 .attr_count = NFTA_OBJ_MAX,
6027 .policy = nft_obj_policy,
6028 },
6029 [NFT_MSG_GETOBJ] = {
6030 .call_rcu = nf_tables_getobj,
6031 .attr_count = NFTA_OBJ_MAX,
6032 .policy = nft_obj_policy,
6033 },
6034 [NFT_MSG_DELOBJ] = {
6035 .call_batch = nf_tables_delobj,
6036 .attr_count = NFTA_OBJ_MAX,
6037 .policy = nft_obj_policy,
6038 },
6039 [NFT_MSG_GETOBJ_RESET] = {
6040 .call_rcu = nf_tables_getobj,
6041 .attr_count = NFTA_OBJ_MAX,
6042 .policy = nft_obj_policy,
6043 },
6044 [NFT_MSG_NEWFLOWTABLE] = {
6045 .call_batch = nf_tables_newflowtable,
6046 .attr_count = NFTA_FLOWTABLE_MAX,
6047 .policy = nft_flowtable_policy,
6048 },
6049 [NFT_MSG_GETFLOWTABLE] = {
6050 .call_rcu = nf_tables_getflowtable,
6051 .attr_count = NFTA_FLOWTABLE_MAX,
6052 .policy = nft_flowtable_policy,
6053 },
6054 [NFT_MSG_DELFLOWTABLE] = {
6055 .call_batch = nf_tables_delflowtable,
6056 .attr_count = NFTA_FLOWTABLE_MAX,
6057 .policy = nft_flowtable_policy,
6058 },
6059};
6060
6061static int nf_tables_validate(struct net *net)
6062{
6063 struct nft_table *table;
6064
6065 switch (net->nft.validate_state) {
6066 case NFT_VALIDATE_SKIP:
6067 break;
6068 case NFT_VALIDATE_NEED:
6069 nft_validate_state_update(net, NFT_VALIDATE_DO);
6070
6071 case NFT_VALIDATE_DO:
6072 list_for_each_entry(table, &net->nft.tables, list) {
6073 if (nft_table_validate(net, table) < 0)
6074 return -EAGAIN;
6075 }
6076 break;
6077 }
6078
6079 return 0;
6080}
6081
6082static void nft_chain_commit_update(struct nft_trans *trans)
6083{
6084 struct nft_base_chain *basechain;
6085
6086 if (nft_trans_chain_name(trans)) {
6087 rhltable_remove(&trans->ctx.table->chains_ht,
6088 &trans->ctx.chain->rhlhead,
6089 nft_chain_ht_params);
6090 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6091 rhltable_insert_key(&trans->ctx.table->chains_ht,
6092 trans->ctx.chain->name,
6093 &trans->ctx.chain->rhlhead,
6094 nft_chain_ht_params);
6095 }
6096
6097 if (!nft_is_base_chain(trans->ctx.chain))
6098 return;
6099
6100 basechain = nft_base_chain(trans->ctx.chain);
6101 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
6102
6103 switch (nft_trans_chain_policy(trans)) {
6104 case NF_DROP:
6105 case NF_ACCEPT:
6106 basechain->policy = nft_trans_chain_policy(trans);
6107 break;
6108 }
6109}
6110
6111static void nft_commit_release(struct nft_trans *trans)
6112{
6113 switch (trans->msg_type) {
6114 case NFT_MSG_DELTABLE:
6115 nf_tables_table_destroy(&trans->ctx);
6116 break;
6117 case NFT_MSG_NEWCHAIN:
6118 kfree(nft_trans_chain_name(trans));
6119 break;
6120 case NFT_MSG_DELCHAIN:
6121 nf_tables_chain_destroy(&trans->ctx);
6122 break;
6123 case NFT_MSG_DELRULE:
6124 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6125 break;
6126 case NFT_MSG_DELSET:
6127 nft_set_destroy(nft_trans_set(trans));
6128 break;
6129 case NFT_MSG_DELSETELEM:
6130 nf_tables_set_elem_destroy(&trans->ctx,
6131 nft_trans_elem_set(trans),
6132 nft_trans_elem(trans).priv);
6133 break;
6134 case NFT_MSG_DELOBJ:
6135 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6136 break;
6137 case NFT_MSG_DELFLOWTABLE:
6138 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6139 break;
6140 }
6141 kfree(trans);
6142}
6143
6144static void nf_tables_commit_release(struct net *net)
6145{
6146 struct nft_trans *trans, *next;
6147
6148 if (list_empty(&net->nft.commit_list))
6149 return;
6150
6151 synchronize_rcu();
6152
6153 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6154 list_del(&trans->list);
6155 nft_commit_release(trans);
6156 }
6157}
6158
6159static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6160{
6161 struct nft_rule *rule;
6162 unsigned int alloc = 0;
6163 int i;
6164
6165
6166 if (chain->rules_next || !nft_is_active_next(net, chain))
6167 return 0;
6168
6169 rule = list_entry(&chain->rules, struct nft_rule, list);
6170 i = 0;
6171
6172 list_for_each_entry_continue(rule, &chain->rules, list) {
6173 if (nft_is_active_next(net, rule))
6174 alloc++;
6175 }
6176
6177 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6178 if (!chain->rules_next)
6179 return -ENOMEM;
6180
6181 list_for_each_entry_continue(rule, &chain->rules, list) {
6182 if (nft_is_active_next(net, rule))
6183 chain->rules_next[i++] = rule;
6184 }
6185
6186 chain->rules_next[i] = NULL;
6187 return 0;
6188}
6189
6190static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6191{
6192 struct nft_trans *trans, *next;
6193
6194 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6195 struct nft_chain *chain = trans->ctx.chain;
6196
6197 if (trans->msg_type == NFT_MSG_NEWRULE ||
6198 trans->msg_type == NFT_MSG_DELRULE) {
6199 kvfree(chain->rules_next);
6200 chain->rules_next = NULL;
6201 }
6202 }
6203}
6204
6205static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6206{
6207 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6208
6209 kvfree(o->start);
6210}
6211
6212static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6213{
6214 struct nft_rule **r = rules;
6215 struct nft_rules_old *old;
6216
6217 while (*r)
6218 r++;
6219
6220 r++;
6221 old = (void *) r;
6222 old->start = rules;
6223
6224 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6225}
6226
6227static void nf_tables_commit_chain_active(struct net *net, struct nft_chain *chain)
6228{
6229 struct nft_rule **g0, **g1;
6230 bool next_genbit;
6231
6232 next_genbit = nft_gencursor_next(net);
6233
6234 g0 = rcu_dereference_protected(chain->rules_gen_0,
6235 lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
6236 g1 = rcu_dereference_protected(chain->rules_gen_1,
6237 lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
6238
6239
6240 if (chain->rules_next == NULL) {
6241
6242 if (g0 == g1)
6243 return;
6244
6245
6246
6247
6248 if (next_genbit) {
6249 rcu_assign_pointer(chain->rules_gen_1, g0);
6250 nf_tables_commit_chain_free_rules_old(g1);
6251 } else {
6252 rcu_assign_pointer(chain->rules_gen_0, g1);
6253 nf_tables_commit_chain_free_rules_old(g0);
6254 }
6255
6256 return;
6257 }
6258
6259 if (next_genbit)
6260 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6261 else
6262 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6263
6264 chain->rules_next = NULL;
6265
6266 if (g0 == g1)
6267 return;
6268
6269 if (next_genbit)
6270 nf_tables_commit_chain_free_rules_old(g1);
6271 else
6272 nf_tables_commit_chain_free_rules_old(g0);
6273}
6274
6275static void nft_chain_del(struct nft_chain *chain)
6276{
6277 struct nft_table *table = chain->table;
6278
6279 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6280 nft_chain_ht_params));
6281 list_del_rcu(&chain->list);
6282}
6283
6284static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6285{
6286 struct nft_trans *trans, *next;
6287 struct nft_trans_elem *te;
6288 struct nft_chain *chain;
6289 struct nft_table *table;
6290
6291
6292 if (nf_tables_validate(net) < 0)
6293 return -EAGAIN;
6294
6295
6296 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6297 int ret;
6298
6299 if (trans->msg_type == NFT_MSG_NEWRULE ||
6300 trans->msg_type == NFT_MSG_DELRULE) {
6301 chain = trans->ctx.chain;
6302
6303 ret = nf_tables_commit_chain_prepare(net, chain);
6304 if (ret < 0) {
6305 nf_tables_commit_chain_prepare_cancel(net);
6306 return ret;
6307 }
6308 }
6309 }
6310
6311
6312 list_for_each_entry(table, &net->nft.tables, list) {
6313 list_for_each_entry(chain, &table->chains, list) {
6314 if (!nft_is_active_next(net, chain))
6315 continue;
6316 nf_tables_commit_chain_active(net, chain);
6317 }
6318 }
6319
6320
6321
6322
6323
6324 while (++net->nft.base_seq == 0);
6325
6326
6327 net->nft.gencursor = nft_gencursor_next(net);
6328
6329 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6330 switch (trans->msg_type) {
6331 case NFT_MSG_NEWTABLE:
6332 if (nft_trans_table_update(trans)) {
6333 if (!nft_trans_table_enable(trans)) {
6334 nf_tables_table_disable(net,
6335 trans->ctx.table);
6336 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6337 }
6338 } else {
6339 nft_clear(net, trans->ctx.table);
6340 }
6341 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6342 nft_trans_destroy(trans);
6343 break;
6344 case NFT_MSG_DELTABLE:
6345 list_del_rcu(&trans->ctx.table->list);
6346 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6347 break;
6348 case NFT_MSG_NEWCHAIN:
6349 if (nft_trans_chain_update(trans)) {
6350 nft_chain_commit_update(trans);
6351 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6352
6353 } else {
6354 nft_clear(net, trans->ctx.chain);
6355 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6356 nft_trans_destroy(trans);
6357 }
6358 break;
6359 case NFT_MSG_DELCHAIN:
6360 nft_chain_del(trans->ctx.chain);
6361 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6362 nf_tables_unregister_hook(trans->ctx.net,
6363 trans->ctx.table,
6364 trans->ctx.chain);
6365 break;
6366 case NFT_MSG_NEWRULE:
6367 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6368 nf_tables_rule_notify(&trans->ctx,
6369 nft_trans_rule(trans),
6370 NFT_MSG_NEWRULE);
6371 nft_trans_destroy(trans);
6372 break;
6373 case NFT_MSG_DELRULE:
6374 list_del_rcu(&nft_trans_rule(trans)->list);
6375 nf_tables_rule_notify(&trans->ctx,
6376 nft_trans_rule(trans),
6377 NFT_MSG_DELRULE);
6378 break;
6379 case NFT_MSG_NEWSET:
6380 nft_clear(net, nft_trans_set(trans));
6381
6382
6383
6384 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6385 !list_empty(&nft_trans_set(trans)->bindings))
6386 trans->ctx.table->use--;
6387
6388 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6389 NFT_MSG_NEWSET, GFP_KERNEL);
6390 nft_trans_destroy(trans);
6391 break;
6392 case NFT_MSG_DELSET:
6393 list_del_rcu(&nft_trans_set(trans)->list);
6394 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6395 NFT_MSG_DELSET, GFP_KERNEL);
6396 break;
6397 case NFT_MSG_NEWSETELEM:
6398 te = (struct nft_trans_elem *)trans->data;
6399
6400 te->set->ops->activate(net, te->set, &te->elem);
6401 nf_tables_setelem_notify(&trans->ctx, te->set,
6402 &te->elem,
6403 NFT_MSG_NEWSETELEM, 0);
6404 nft_trans_destroy(trans);
6405 break;
6406 case NFT_MSG_DELSETELEM:
6407 te = (struct nft_trans_elem *)trans->data;
6408
6409 nf_tables_setelem_notify(&trans->ctx, te->set,
6410 &te->elem,
6411 NFT_MSG_DELSETELEM, 0);
6412 te->set->ops->remove(net, te->set, &te->elem);
6413 atomic_dec(&te->set->nelems);
6414 te->set->ndeact--;
6415 break;
6416 case NFT_MSG_NEWOBJ:
6417 nft_clear(net, nft_trans_obj(trans));
6418 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6419 NFT_MSG_NEWOBJ);
6420 nft_trans_destroy(trans);
6421 break;
6422 case NFT_MSG_DELOBJ:
6423 list_del_rcu(&nft_trans_obj(trans)->list);
6424 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6425 NFT_MSG_DELOBJ);
6426 break;
6427 case NFT_MSG_NEWFLOWTABLE:
6428 nft_clear(net, nft_trans_flowtable(trans));
6429 nf_tables_flowtable_notify(&trans->ctx,
6430 nft_trans_flowtable(trans),
6431 NFT_MSG_NEWFLOWTABLE);
6432 nft_trans_destroy(trans);
6433 break;
6434 case NFT_MSG_DELFLOWTABLE:
6435 list_del_rcu(&nft_trans_flowtable(trans)->list);
6436 nf_tables_flowtable_notify(&trans->ctx,
6437 nft_trans_flowtable(trans),
6438 NFT_MSG_DELFLOWTABLE);
6439 nft_unregister_flowtable_net_hooks(net,
6440 nft_trans_flowtable(trans));
6441 break;
6442 }
6443 }
6444
6445 nf_tables_commit_release(net);
6446 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6447
6448 return 0;
6449}
6450
6451static void nf_tables_abort_release(struct nft_trans *trans)
6452{
6453 switch (trans->msg_type) {
6454 case NFT_MSG_NEWTABLE:
6455 nf_tables_table_destroy(&trans->ctx);
6456 break;
6457 case NFT_MSG_NEWCHAIN:
6458 nf_tables_chain_destroy(&trans->ctx);
6459 break;
6460 case NFT_MSG_NEWRULE:
6461 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6462 break;
6463 case NFT_MSG_NEWSET:
6464 nft_set_destroy(nft_trans_set(trans));
6465 break;
6466 case NFT_MSG_NEWSETELEM:
6467 nft_set_elem_destroy(nft_trans_elem_set(trans),
6468 nft_trans_elem(trans).priv, true);
6469 break;
6470 case NFT_MSG_NEWOBJ:
6471 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6472 break;
6473 case NFT_MSG_NEWFLOWTABLE:
6474 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6475 break;
6476 }
6477 kfree(trans);
6478}
6479
6480static int __nf_tables_abort(struct net *net)
6481{
6482 struct nft_trans *trans, *next;
6483 struct nft_trans_elem *te;
6484
6485 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6486 list) {
6487 switch (trans->msg_type) {
6488 case NFT_MSG_NEWTABLE:
6489 if (nft_trans_table_update(trans)) {
6490 if (nft_trans_table_enable(trans)) {
6491 nf_tables_table_disable(net,
6492 trans->ctx.table);
6493 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6494 }
6495 nft_trans_destroy(trans);
6496 } else {
6497 list_del_rcu(&trans->ctx.table->list);
6498 }
6499 break;
6500 case NFT_MSG_DELTABLE:
6501 nft_clear(trans->ctx.net, trans->ctx.table);
6502 nft_trans_destroy(trans);
6503 break;
6504 case NFT_MSG_NEWCHAIN:
6505 if (nft_trans_chain_update(trans)) {
6506 free_percpu(nft_trans_chain_stats(trans));
6507 kfree(nft_trans_chain_name(trans));
6508 nft_trans_destroy(trans);
6509 } else {
6510 trans->ctx.table->use--;
6511 nft_chain_del(trans->ctx.chain);
6512 nf_tables_unregister_hook(trans->ctx.net,
6513 trans->ctx.table,
6514 trans->ctx.chain);
6515 }
6516 break;
6517 case NFT_MSG_DELCHAIN:
6518 trans->ctx.table->use++;
6519 nft_clear(trans->ctx.net, trans->ctx.chain);
6520 nft_trans_destroy(trans);
6521 break;
6522 case NFT_MSG_NEWRULE:
6523 trans->ctx.chain->use--;
6524 list_del_rcu(&nft_trans_rule(trans)->list);
6525 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6526 break;
6527 case NFT_MSG_DELRULE:
6528 trans->ctx.chain->use++;
6529 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6530 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6531 nft_trans_destroy(trans);
6532 break;
6533 case NFT_MSG_NEWSET:
6534 trans->ctx.table->use--;
6535 list_del_rcu(&nft_trans_set(trans)->list);
6536 break;
6537 case NFT_MSG_DELSET:
6538 trans->ctx.table->use++;
6539 nft_clear(trans->ctx.net, nft_trans_set(trans));
6540 nft_trans_destroy(trans);
6541 break;
6542 case NFT_MSG_NEWSETELEM:
6543 te = (struct nft_trans_elem *)trans->data;
6544
6545 te->set->ops->remove(net, te->set, &te->elem);
6546 atomic_dec(&te->set->nelems);
6547 break;
6548 case NFT_MSG_DELSETELEM:
6549 te = (struct nft_trans_elem *)trans->data;
6550
6551 nft_set_elem_activate(net, te->set, &te->elem);
6552 te->set->ops->activate(net, te->set, &te->elem);
6553 te->set->ndeact--;
6554
6555 nft_trans_destroy(trans);
6556 break;
6557 case NFT_MSG_NEWOBJ:
6558 trans->ctx.table->use--;
6559 list_del_rcu(&nft_trans_obj(trans)->list);
6560 break;
6561 case NFT_MSG_DELOBJ:
6562 trans->ctx.table->use++;
6563 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6564 nft_trans_destroy(trans);
6565 break;
6566 case NFT_MSG_NEWFLOWTABLE:
6567 trans->ctx.table->use--;
6568 list_del_rcu(&nft_trans_flowtable(trans)->list);
6569 nft_unregister_flowtable_net_hooks(net,
6570 nft_trans_flowtable(trans));
6571 break;
6572 case NFT_MSG_DELFLOWTABLE:
6573 trans->ctx.table->use++;
6574 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6575 nft_trans_destroy(trans);
6576 break;
6577 }
6578 }
6579
6580 synchronize_rcu();
6581
6582 list_for_each_entry_safe_reverse(trans, next,
6583 &net->nft.commit_list, list) {
6584 list_del(&trans->list);
6585 nf_tables_abort_release(trans);
6586 }
6587
6588 return 0;
6589}
6590
6591static void nf_tables_cleanup(struct net *net)
6592{
6593 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6594}
6595
6596static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6597{
6598 return __nf_tables_abort(net);
6599}
6600
6601static bool nf_tables_valid_genid(struct net *net, u32 genid)
6602{
6603 return net->nft.base_seq == genid;
6604}
6605
6606static const struct nfnetlink_subsystem nf_tables_subsys = {
6607 .name = "nf_tables",
6608 .subsys_id = NFNL_SUBSYS_NFTABLES,
6609 .cb_count = NFT_MSG_MAX,
6610 .cb = nf_tables_cb,
6611 .commit = nf_tables_commit,
6612 .abort = nf_tables_abort,
6613 .cleanup = nf_tables_cleanup,
6614 .valid_genid = nf_tables_valid_genid,
6615};
6616
6617int nft_chain_validate_dependency(const struct nft_chain *chain,
6618 enum nft_chain_types type)
6619{
6620 const struct nft_base_chain *basechain;
6621
6622 if (nft_is_base_chain(chain)) {
6623 basechain = nft_base_chain(chain);
6624 if (basechain->type->type != type)
6625 return -EOPNOTSUPP;
6626 }
6627 return 0;
6628}
6629EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6630
6631int nft_chain_validate_hooks(const struct nft_chain *chain,
6632 unsigned int hook_flags)
6633{
6634 struct nft_base_chain *basechain;
6635
6636 if (nft_is_base_chain(chain)) {
6637 basechain = nft_base_chain(chain);
6638
6639 if ((1 << basechain->ops.hooknum) & hook_flags)
6640 return 0;
6641
6642 return -EOPNOTSUPP;
6643 }
6644
6645 return 0;
6646}
6647EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6648
6649
6650
6651
6652
6653
6654
6655
6656
6657
6658static int nf_tables_check_loops(const struct nft_ctx *ctx,
6659 const struct nft_chain *chain);
6660
6661static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6662 struct nft_set *set,
6663 const struct nft_set_iter *iter,
6664 struct nft_set_elem *elem)
6665{
6666 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6667 const struct nft_data *data;
6668
6669 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6670 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6671 return 0;
6672
6673 data = nft_set_ext_data(ext);
6674 switch (data->verdict.code) {
6675 case NFT_JUMP:
6676 case NFT_GOTO:
6677 return nf_tables_check_loops(ctx, data->verdict.chain);
6678 default:
6679 return 0;
6680 }
6681}
6682
6683static int nf_tables_check_loops(const struct nft_ctx *ctx,
6684 const struct nft_chain *chain)
6685{
6686 const struct nft_rule *rule;
6687 const struct nft_expr *expr, *last;
6688 struct nft_set *set;
6689 struct nft_set_binding *binding;
6690 struct nft_set_iter iter;
6691
6692 if (ctx->chain == chain)
6693 return -ELOOP;
6694
6695 list_for_each_entry(rule, &chain->rules, list) {
6696 nft_rule_for_each_expr(expr, last, rule) {
6697 struct nft_immediate_expr *priv;
6698 const struct nft_data *data;
6699 int err;
6700
6701 if (strcmp(expr->ops->type->name, "immediate"))
6702 continue;
6703
6704 priv = nft_expr_priv(expr);
6705 if (priv->dreg != NFT_REG_VERDICT)
6706 continue;
6707
6708 data = &priv->data;
6709 switch (data->verdict.code) {
6710 case NFT_JUMP:
6711 case NFT_GOTO:
6712 err = nf_tables_check_loops(ctx,
6713 data->verdict.chain);
6714 if (err < 0)
6715 return err;
6716 default:
6717 break;
6718 }
6719 }
6720 }
6721
6722 list_for_each_entry(set, &ctx->table->sets, list) {
6723 if (!nft_is_active_next(ctx->net, set))
6724 continue;
6725 if (!(set->flags & NFT_SET_MAP) ||
6726 set->dtype != NFT_DATA_VERDICT)
6727 continue;
6728
6729 list_for_each_entry(binding, &set->bindings, list) {
6730 if (!(binding->flags & NFT_SET_MAP) ||
6731 binding->chain != chain)
6732 continue;
6733
6734 iter.genmask = nft_genmask_next(ctx->net);
6735 iter.skip = 0;
6736 iter.count = 0;
6737 iter.err = 0;
6738 iter.fn = nf_tables_loop_check_setelem;
6739
6740 set->ops->walk(ctx, set, &iter);
6741 if (iter.err < 0)
6742 return iter.err;
6743 }
6744 }
6745
6746 return 0;
6747}
6748
6749
6750
6751
6752
6753
6754
6755
6756
6757
6758
6759
6760
6761int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6762{
6763 u32 val;
6764
6765 val = ntohl(nla_get_be32(attr));
6766 if (val > max)
6767 return -ERANGE;
6768
6769 *dest = val;
6770 return 0;
6771}
6772EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6773
6774
6775
6776
6777
6778
6779
6780
6781
6782
6783unsigned int nft_parse_register(const struct nlattr *attr)
6784{
6785 unsigned int reg;
6786
6787 reg = ntohl(nla_get_be32(attr));
6788 switch (reg) {
6789 case NFT_REG_VERDICT...NFT_REG_4:
6790 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6791 default:
6792 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6793 }
6794}
6795EXPORT_SYMBOL_GPL(nft_parse_register);
6796
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
6807
6808int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6809{
6810 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6811 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6812 else
6813 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6814
6815 return nla_put_be32(skb, attr, htonl(reg));
6816}
6817EXPORT_SYMBOL_GPL(nft_dump_register);
6818
6819
6820
6821
6822
6823
6824
6825
6826
6827
6828int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6829{
6830 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6831 return -EINVAL;
6832 if (len == 0)
6833 return -EINVAL;
6834 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6835 return -ERANGE;
6836
6837 return 0;
6838}
6839EXPORT_SYMBOL_GPL(nft_validate_register_load);
6840
6841
6842
6843
6844
6845
6846
6847
6848
6849
6850
6851
6852
6853
6854
6855int nft_validate_register_store(const struct nft_ctx *ctx,
6856 enum nft_registers reg,
6857 const struct nft_data *data,
6858 enum nft_data_types type, unsigned int len)
6859{
6860 int err;
6861
6862 switch (reg) {
6863 case NFT_REG_VERDICT:
6864 if (type != NFT_DATA_VERDICT)
6865 return -EINVAL;
6866
6867 if (data != NULL &&
6868 (data->verdict.code == NFT_GOTO ||
6869 data->verdict.code == NFT_JUMP)) {
6870 err = nf_tables_check_loops(ctx, data->verdict.chain);
6871 if (err < 0)
6872 return err;
6873 }
6874
6875 return 0;
6876 default:
6877 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6878 return -EINVAL;
6879 if (len == 0)
6880 return -EINVAL;
6881 if (reg * NFT_REG32_SIZE + len >
6882 FIELD_SIZEOF(struct nft_regs, data))
6883 return -ERANGE;
6884
6885 if (data != NULL && type != NFT_DATA_VALUE)
6886 return -EINVAL;
6887 return 0;
6888 }
6889}
6890EXPORT_SYMBOL_GPL(nft_validate_register_store);
6891
6892static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6893 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6894 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6895 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6896};
6897
6898static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6899 struct nft_data_desc *desc, const struct nlattr *nla)
6900{
6901 u8 genmask = nft_genmask_next(ctx->net);
6902 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6903 struct nft_chain *chain;
6904 int err;
6905
6906 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6907 NULL);
6908 if (err < 0)
6909 return err;
6910
6911 if (!tb[NFTA_VERDICT_CODE])
6912 return -EINVAL;
6913 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6914
6915 switch (data->verdict.code) {
6916 default:
6917 switch (data->verdict.code & NF_VERDICT_MASK) {
6918 case NF_ACCEPT:
6919 case NF_DROP:
6920 case NF_QUEUE:
6921 break;
6922 default:
6923 return -EINVAL;
6924 }
6925
6926 case NFT_CONTINUE:
6927 case NFT_BREAK:
6928 case NFT_RETURN:
6929 break;
6930 case NFT_JUMP:
6931 case NFT_GOTO:
6932 if (!tb[NFTA_VERDICT_CHAIN])
6933 return -EINVAL;
6934 chain = nft_chain_lookup(ctx->table, tb[NFTA_VERDICT_CHAIN],
6935 genmask);
6936 if (IS_ERR(chain))
6937 return PTR_ERR(chain);
6938 if (nft_is_base_chain(chain))
6939 return -EOPNOTSUPP;
6940
6941 chain->use++;
6942 data->verdict.chain = chain;
6943 break;
6944 }
6945
6946 desc->len = sizeof(data->verdict);
6947 desc->type = NFT_DATA_VERDICT;
6948 return 0;
6949}
6950
6951static void nft_verdict_uninit(const struct nft_data *data)
6952{
6953 switch (data->verdict.code) {
6954 case NFT_JUMP:
6955 case NFT_GOTO:
6956 data->verdict.chain->use--;
6957 break;
6958 }
6959}
6960
6961int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6962{
6963 struct nlattr *nest;
6964
6965 nest = nla_nest_start(skb, type);
6966 if (!nest)
6967 goto nla_put_failure;
6968
6969 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6970 goto nla_put_failure;
6971
6972 switch (v->code) {
6973 case NFT_JUMP:
6974 case NFT_GOTO:
6975 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6976 v->chain->name))
6977 goto nla_put_failure;
6978 }
6979 nla_nest_end(skb, nest);
6980 return 0;
6981
6982nla_put_failure:
6983 return -1;
6984}
6985
6986static int nft_value_init(const struct nft_ctx *ctx,
6987 struct nft_data *data, unsigned int size,
6988 struct nft_data_desc *desc, const struct nlattr *nla)
6989{
6990 unsigned int len;
6991
6992 len = nla_len(nla);
6993 if (len == 0)
6994 return -EINVAL;
6995 if (len > size)
6996 return -EOVERFLOW;
6997
6998 nla_memcpy(data->data, nla, len);
6999 desc->type = NFT_DATA_VALUE;
7000 desc->len = len;
7001 return 0;
7002}
7003
7004static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7005 unsigned int len)
7006{
7007 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7008}
7009
7010static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7011 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7012 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7013};
7014
7015
7016
7017
7018
7019
7020
7021
7022
7023
7024
7025
7026
7027
7028
7029
7030int nft_data_init(const struct nft_ctx *ctx,
7031 struct nft_data *data, unsigned int size,
7032 struct nft_data_desc *desc, const struct nlattr *nla)
7033{
7034 struct nlattr *tb[NFTA_DATA_MAX + 1];
7035 int err;
7036
7037 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
7038 if (err < 0)
7039 return err;
7040
7041 if (tb[NFTA_DATA_VALUE])
7042 return nft_value_init(ctx, data, size, desc,
7043 tb[NFTA_DATA_VALUE]);
7044 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7045 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7046 return -EINVAL;
7047}
7048EXPORT_SYMBOL_GPL(nft_data_init);
7049
7050
7051
7052
7053
7054
7055
7056
7057
7058
7059void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7060{
7061 if (type < NFT_DATA_VERDICT)
7062 return;
7063 switch (type) {
7064 case NFT_DATA_VERDICT:
7065 return nft_verdict_uninit(data);
7066 default:
7067 WARN_ON(1);
7068 }
7069}
7070EXPORT_SYMBOL_GPL(nft_data_release);
7071
7072int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7073 enum nft_data_types type, unsigned int len)
7074{
7075 struct nlattr *nest;
7076 int err;
7077
7078 nest = nla_nest_start(skb, attr);
7079 if (nest == NULL)
7080 return -1;
7081
7082 switch (type) {
7083 case NFT_DATA_VALUE:
7084 err = nft_value_dump(skb, data, len);
7085 break;
7086 case NFT_DATA_VERDICT:
7087 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7088 break;
7089 default:
7090 err = -EINVAL;
7091 WARN_ON(1);
7092 }
7093
7094 nla_nest_end(skb, nest);
7095 return err;
7096}
7097EXPORT_SYMBOL_GPL(nft_data_dump);
7098
7099int __nft_release_basechain(struct nft_ctx *ctx)
7100{
7101 struct nft_rule *rule, *nr;
7102
7103 BUG_ON(!nft_is_base_chain(ctx->chain));
7104
7105 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7106 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7107 list_del(&rule->list);
7108 ctx->chain->use--;
7109 nf_tables_rule_release(ctx, rule);
7110 }
7111 nft_chain_del(ctx->chain);
7112 ctx->table->use--;
7113 nf_tables_chain_destroy(ctx);
7114
7115 return 0;
7116}
7117EXPORT_SYMBOL_GPL(__nft_release_basechain);
7118
7119static void __nft_release_tables(struct net *net)
7120{
7121 struct nft_flowtable *flowtable, *nf;
7122 struct nft_table *table, *nt;
7123 struct nft_chain *chain, *nc;
7124 struct nft_object *obj, *ne;
7125 struct nft_rule *rule, *nr;
7126 struct nft_set *set, *ns;
7127 struct nft_ctx ctx = {
7128 .net = net,
7129 .family = NFPROTO_NETDEV,
7130 };
7131
7132 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7133 ctx.family = table->family;
7134
7135 list_for_each_entry(chain, &table->chains, list)
7136 nf_tables_unregister_hook(net, table, chain);
7137 list_for_each_entry(flowtable, &table->flowtables, list)
7138 nf_unregister_net_hooks(net, flowtable->ops,
7139 flowtable->ops_len);
7140
7141 ctx.table = table;
7142 list_for_each_entry(chain, &table->chains, list) {
7143 ctx.chain = chain;
7144 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7145 list_del(&rule->list);
7146 chain->use--;
7147 nf_tables_rule_release(&ctx, rule);
7148 }
7149 }
7150 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7151 list_del(&flowtable->list);
7152 table->use--;
7153 nf_tables_flowtable_destroy(flowtable);
7154 }
7155 list_for_each_entry_safe(set, ns, &table->sets, list) {
7156 list_del(&set->list);
7157 table->use--;
7158 nft_set_destroy(set);
7159 }
7160 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7161 list_del(&obj->list);
7162 table->use--;
7163 nft_obj_destroy(&ctx, obj);
7164 }
7165 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7166 ctx.chain = chain;
7167 nft_chain_del(chain);
7168 table->use--;
7169 nf_tables_chain_destroy(&ctx);
7170 }
7171 list_del(&table->list);
7172 nf_tables_table_destroy(&ctx);
7173 }
7174}
7175
7176static int __net_init nf_tables_init_net(struct net *net)
7177{
7178 INIT_LIST_HEAD(&net->nft.tables);
7179 INIT_LIST_HEAD(&net->nft.commit_list);
7180 net->nft.base_seq = 1;
7181 net->nft.validate_state = NFT_VALIDATE_SKIP;
7182
7183 return 0;
7184}
7185
7186static void __net_exit nf_tables_exit_net(struct net *net)
7187{
7188 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7189 if (!list_empty(&net->nft.commit_list))
7190 __nf_tables_abort(net);
7191 __nft_release_tables(net);
7192 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7193 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7194}
7195
7196static struct pernet_operations nf_tables_net_ops = {
7197 .init = nf_tables_init_net,
7198 .exit = nf_tables_exit_net,
7199};
7200
7201static int __init nf_tables_module_init(void)
7202{
7203 int err;
7204
7205 nft_chain_filter_init();
7206
7207 info = kmalloc_array(NFT_RULE_MAXEXPRS, sizeof(struct nft_expr_info),
7208 GFP_KERNEL);
7209 if (info == NULL) {
7210 err = -ENOMEM;
7211 goto err1;
7212 }
7213
7214 err = nf_tables_core_module_init();
7215 if (err < 0)
7216 goto err2;
7217
7218 err = nfnetlink_subsys_register(&nf_tables_subsys);
7219 if (err < 0)
7220 goto err3;
7221
7222 register_netdevice_notifier(&nf_tables_flowtable_notifier);
7223
7224 return register_pernet_subsys(&nf_tables_net_ops);
7225err3:
7226 nf_tables_core_module_exit();
7227err2:
7228 kfree(info);
7229err1:
7230 return err;
7231}
7232
7233static void __exit nf_tables_module_exit(void)
7234{
7235 nfnetlink_subsys_unregister(&nf_tables_subsys);
7236 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7237 nft_chain_filter_fini();
7238 unregister_pernet_subsys(&nf_tables_net_ops);
7239 rcu_barrier();
7240 nf_tables_core_module_exit();
7241 kfree(info);
7242}
7243
7244module_init(nf_tables_module_init);
7245module_exit(nf_tables_module_exit);
7246
7247MODULE_LICENSE("GPL");
7248MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7249MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
7250
