1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/netfilter.h>
17#include <linux/netfilter/nfnetlink.h>
18#include <linux/netfilter/nf_tables.h>
19#include <net/netfilter/nf_tables_core.h>
20#include <net/netfilter/nf_tables.h>
21#include <net/net_namespace.h>
22#include <net/sock.h>
23
24static LIST_HEAD(nf_tables_expressions);
25
26
27
28
29
30
31
32
33
34int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
35{
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
40 return 0;
41}
42EXPORT_SYMBOL_GPL(nft_register_afinfo);
43
44
45
46
47
48
49
50
51void nft_unregister_afinfo(struct nft_af_info *afi)
52{
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
54 list_del_rcu(&afi->list);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
56}
57EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
58
59static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
60{
61 struct nft_af_info *afi;
62
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
65 return afi;
66 }
67 return NULL;
68}
69
70static struct nft_af_info *
71nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
72{
73 struct nft_af_info *afi;
74
75 afi = nft_afinfo_lookup(net, family);
76 if (afi != NULL)
77 return afi;
78#ifdef CONFIG_MODULES
79 if (autoload) {
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
84 if (afi != NULL)
85 return ERR_PTR(-EAGAIN);
86 }
87#endif
88 return ERR_PTR(-EAFNOSUPPORT);
89}
90
91static void nft_ctx_init(struct nft_ctx *ctx,
92 const struct sk_buff *skb,
93 const struct nlmsghdr *nlh,
94 struct nft_af_info *afi,
95 struct nft_table *table,
96 struct nft_chain *chain,
97 const struct nlattr * const *nla)
98{
99 ctx->net = sock_net(skb->sk);
100 ctx->afi = afi;
101 ctx->table = table;
102 ctx->chain = chain;
103 ctx->nla = nla;
104 ctx->portid = NETLINK_CB(skb).portid;
105 ctx->report = nlmsg_report(nlh);
106 ctx->seq = nlh->nlmsg_seq;
107}
108
109static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
110 u32 size)
111{
112 struct nft_trans *trans;
113
114 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
115 if (trans == NULL)
116 return NULL;
117
118 trans->msg_type = msg_type;
119 trans->ctx = *ctx;
120
121 return trans;
122}
123
124static void nft_trans_destroy(struct nft_trans *trans)
125{
126 list_del(&trans->list);
127 kfree(trans);
128}
129
130int nft_register_basechain(struct nft_base_chain *basechain,
131 unsigned int hook_nops)
132{
133 if (basechain->flags & NFT_BASECHAIN_DISABLED)
134 return 0;
135
136 return nf_register_hooks(basechain->ops, hook_nops);
137}
138EXPORT_SYMBOL_GPL(nft_register_basechain);
139
140void nft_unregister_basechain(struct nft_base_chain *basechain,
141 unsigned int hook_nops)
142{
143 if (basechain->flags & NFT_BASECHAIN_DISABLED)
144 return;
145
146 nf_unregister_hooks(basechain->ops, hook_nops);
147}
148EXPORT_SYMBOL_GPL(nft_unregister_basechain);
149
150static int nf_tables_register_hooks(const struct nft_table *table,
151 struct nft_chain *chain,
152 unsigned int hook_nops)
153{
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !(chain->flags & NFT_BASE_CHAIN))
156 return 0;
157
158 return nft_register_basechain(nft_base_chain(chain), hook_nops);
159}
160
161static void nf_tables_unregister_hooks(const struct nft_table *table,
162 struct nft_chain *chain,
163 unsigned int hook_nops)
164{
165 if (table->flags & NFT_TABLE_F_DORMANT ||
166 !(chain->flags & NFT_BASE_CHAIN))
167 return;
168
169 nft_unregister_basechain(nft_base_chain(chain), hook_nops);
170}
171
172
173#define NFT_TABLE_INACTIVE (1 << 15)
174
175static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
176{
177 struct nft_trans *trans;
178
179 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
180 if (trans == NULL)
181 return -ENOMEM;
182
183 if (msg_type == NFT_MSG_NEWTABLE)
184 ctx->table->flags |= NFT_TABLE_INACTIVE;
185
186 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
187 return 0;
188}
189
190static int nft_deltable(struct nft_ctx *ctx)
191{
192 int err;
193
194 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
195 if (err < 0)
196 return err;
197
198 list_del_rcu(&ctx->table->list);
199 return err;
200}
201
202static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
203{
204 struct nft_trans *trans;
205
206 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
207 if (trans == NULL)
208 return -ENOMEM;
209
210 if (msg_type == NFT_MSG_NEWCHAIN)
211 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
212
213 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
214 return 0;
215}
216
217static int nft_delchain(struct nft_ctx *ctx)
218{
219 int err;
220
221 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
222 if (err < 0)
223 return err;
224
225 ctx->table->use--;
226 list_del_rcu(&ctx->chain->list);
227
228 return err;
229}
230
231static inline bool
232nft_rule_is_active(struct net *net, const struct nft_rule *rule)
233{
234 return (rule->genmask & nft_genmask_cur(net)) == 0;
235}
236
237static inline int
238nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
239{
240 return (rule->genmask & nft_genmask_next(net)) == 0;
241}
242
243static inline void
244nft_rule_activate_next(struct net *net, struct nft_rule *rule)
245{
246
247 rule->genmask = nft_genmask_cur(net);
248}
249
250static inline void
251nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
252{
253 rule->genmask = nft_genmask_next(net);
254}
255
256static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
257{
258 rule->genmask &= ~nft_genmask_next(net);
259}
260
261static int
262nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
263{
264
265 if (nft_rule_is_active_next(ctx->net, rule)) {
266 nft_rule_deactivate_next(ctx->net, rule);
267 ctx->chain->use--;
268 return 0;
269 }
270 return -ENOENT;
271}
272
273static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
274 struct nft_rule *rule)
275{
276 struct nft_trans *trans;
277
278 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
279 if (trans == NULL)
280 return NULL;
281
282 nft_trans_rule(trans) = rule;
283 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
284
285 return trans;
286}
287
288static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
289{
290 struct nft_trans *trans;
291 int err;
292
293 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
294 if (trans == NULL)
295 return -ENOMEM;
296
297 err = nf_tables_delrule_deactivate(ctx, rule);
298 if (err < 0) {
299 nft_trans_destroy(trans);
300 return err;
301 }
302
303 return 0;
304}
305
306static int nft_delrule_by_chain(struct nft_ctx *ctx)
307{
308 struct nft_rule *rule;
309 int err;
310
311 list_for_each_entry(rule, &ctx->chain->rules, list) {
312 err = nft_delrule(ctx, rule);
313 if (err < 0)
314 return err;
315 }
316 return 0;
317}
318
319
320#define NFT_SET_INACTIVE (1 << 15)
321
322static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
323 struct nft_set *set)
324{
325 struct nft_trans *trans;
326
327 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
328 if (trans == NULL)
329 return -ENOMEM;
330
331 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
332 nft_trans_set_id(trans) =
333 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
334 set->flags |= NFT_SET_INACTIVE;
335 }
336 nft_trans_set(trans) = set;
337 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
338
339 return 0;
340}
341
342static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
343{
344 int err;
345
346 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
347 if (err < 0)
348 return err;
349
350 list_del_rcu(&set->list);
351 ctx->table->use--;
352
353 return err;
354}
355
356
357
358
359
360static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
361 const struct nlattr *nla)
362{
363 struct nft_table *table;
364
365 list_for_each_entry(table, &afi->tables, list) {
366 if (!nla_strcmp(nla, table->name))
367 return table;
368 }
369 return NULL;
370}
371
372static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
373 const struct nlattr *nla)
374{
375 struct nft_table *table;
376
377 if (nla == NULL)
378 return ERR_PTR(-EINVAL);
379
380 table = nft_table_lookup(afi, nla);
381 if (table != NULL)
382 return table;
383
384 return ERR_PTR(-ENOENT);
385}
386
387static inline u64 nf_tables_alloc_handle(struct nft_table *table)
388{
389 return ++table->hgenerator;
390}
391
392static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
393
394static const struct nf_chain_type *
395__nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
396{
397 int i;
398
399 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
400 if (chain_type[family][i] != NULL &&
401 !nla_strcmp(nla, chain_type[family][i]->name))
402 return chain_type[family][i];
403 }
404 return NULL;
405}
406
407static const struct nf_chain_type *
408nf_tables_chain_type_lookup(const struct nft_af_info *afi,
409 const struct nlattr *nla,
410 bool autoload)
411{
412 const struct nf_chain_type *type;
413
414 type = __nf_tables_chain_type_lookup(afi->family, nla);
415 if (type != NULL)
416 return type;
417#ifdef CONFIG_MODULES
418 if (autoload) {
419 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
420 request_module("nft-chain-%u-%.*s", afi->family,
421 nla_len(nla), (const char *)nla_data(nla));
422 nfnl_lock(NFNL_SUBSYS_NFTABLES);
423 type = __nf_tables_chain_type_lookup(afi->family, nla);
424 if (type != NULL)
425 return ERR_PTR(-EAGAIN);
426 }
427#endif
428 return ERR_PTR(-ENOENT);
429}
430
431static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
432 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
433 .len = NFT_TABLE_MAXNAMELEN - 1 },
434 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
435};
436
437static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
438 u32 portid, u32 seq, int event, u32 flags,
439 int family, const struct nft_table *table)
440{
441 struct nlmsghdr *nlh;
442 struct nfgenmsg *nfmsg;
443
444 event |= NFNL_SUBSYS_NFTABLES << 8;
445 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
446 if (nlh == NULL)
447 goto nla_put_failure;
448
449 nfmsg = nlmsg_data(nlh);
450 nfmsg->nfgen_family = family;
451 nfmsg->version = NFNETLINK_V0;
452 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
453
454 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
455 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
456 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
457 goto nla_put_failure;
458
459 nlmsg_end(skb, nlh);
460 return 0;
461
462nla_put_failure:
463 nlmsg_trim(skb, nlh);
464 return -1;
465}
466
467static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
468{
469 struct sk_buff *skb;
470 int err;
471
472 if (!ctx->report &&
473 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
474 return 0;
475
476 err = -ENOBUFS;
477 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
478 if (skb == NULL)
479 goto err;
480
481 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
482 event, 0, ctx->afi->family, ctx->table);
483 if (err < 0) {
484 kfree_skb(skb);
485 goto err;
486 }
487
488 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
489 ctx->report, GFP_KERNEL);
490err:
491 if (err < 0) {
492 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
493 err);
494 }
495 return err;
496}
497
498static int nf_tables_dump_tables(struct sk_buff *skb,
499 struct netlink_callback *cb)
500{
501 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
502 const struct nft_af_info *afi;
503 const struct nft_table *table;
504 unsigned int idx = 0, s_idx = cb->args[0];
505 struct net *net = sock_net(skb->sk);
506 int family = nfmsg->nfgen_family;
507
508 rcu_read_lock();
509 cb->seq = net->nft.base_seq;
510
511 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
512 if (family != NFPROTO_UNSPEC && family != afi->family)
513 continue;
514
515 list_for_each_entry_rcu(table, &afi->tables, list) {
516 if (idx < s_idx)
517 goto cont;
518 if (idx > s_idx)
519 memset(&cb->args[1], 0,
520 sizeof(cb->args) - sizeof(cb->args[0]));
521 if (nf_tables_fill_table_info(skb, net,
522 NETLINK_CB(cb->skb).portid,
523 cb->nlh->nlmsg_seq,
524 NFT_MSG_NEWTABLE,
525 NLM_F_MULTI,
526 afi->family, table) < 0)
527 goto done;
528
529 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
530cont:
531 idx++;
532 }
533 }
534done:
535 rcu_read_unlock();
536 cb->args[0] = idx;
537 return skb->len;
538}
539
540static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
541 const struct nlmsghdr *nlh,
542 const struct nlattr * const nla[])
543{
544 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
545 const struct nft_af_info *afi;
546 const struct nft_table *table;
547 struct sk_buff *skb2;
548 struct net *net = sock_net(skb->sk);
549 int family = nfmsg->nfgen_family;
550 int err;
551
552 if (nlh->nlmsg_flags & NLM_F_DUMP) {
553 struct netlink_dump_control c = {
554 .dump = nf_tables_dump_tables,
555 };
556 return netlink_dump_start(nlsk, skb, nlh, &c);
557 }
558
559 afi = nf_tables_afinfo_lookup(net, family, false);
560 if (IS_ERR(afi))
561 return PTR_ERR(afi);
562
563 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
564 if (IS_ERR(table))
565 return PTR_ERR(table);
566 if (table->flags & NFT_TABLE_INACTIVE)
567 return -ENOENT;
568
569 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
570 if (!skb2)
571 return -ENOMEM;
572
573 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
574 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
575 family, table);
576 if (err < 0)
577 goto err;
578
579 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
580
581err:
582 kfree_skb(skb2);
583 return err;
584}
585
586static int nf_tables_table_enable(const struct nft_af_info *afi,
587 struct nft_table *table)
588{
589 struct nft_chain *chain;
590 int err, i = 0;
591
592 list_for_each_entry(chain, &table->chains, list) {
593 if (!(chain->flags & NFT_BASE_CHAIN))
594 continue;
595
596 err = nft_register_basechain(nft_base_chain(chain), afi->nops);
597 if (err < 0)
598 goto err;
599
600 i++;
601 }
602 return 0;
603err:
604 list_for_each_entry(chain, &table->chains, list) {
605 if (!(chain->flags & NFT_BASE_CHAIN))
606 continue;
607
608 if (i-- <= 0)
609 break;
610
611 nft_unregister_basechain(nft_base_chain(chain), afi->nops);
612 }
613 return err;
614}
615
616static void nf_tables_table_disable(const struct nft_af_info *afi,
617 struct nft_table *table)
618{
619 struct nft_chain *chain;
620
621 list_for_each_entry(chain, &table->chains, list) {
622 if (chain->flags & NFT_BASE_CHAIN)
623 nft_unregister_basechain(nft_base_chain(chain),
624 afi->nops);
625 }
626}
627
628static int nf_tables_updtable(struct nft_ctx *ctx)
629{
630 struct nft_trans *trans;
631 u32 flags;
632 int ret = 0;
633
634 if (!ctx->nla[NFTA_TABLE_FLAGS])
635 return 0;
636
637 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
638 if (flags & ~NFT_TABLE_F_DORMANT)
639 return -EINVAL;
640
641 if (flags == ctx->table->flags)
642 return 0;
643
644 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
645 sizeof(struct nft_trans_table));
646 if (trans == NULL)
647 return -ENOMEM;
648
649 if ((flags & NFT_TABLE_F_DORMANT) &&
650 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
651 nft_trans_table_enable(trans) = false;
652 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
653 ctx->table->flags & NFT_TABLE_F_DORMANT) {
654 ret = nf_tables_table_enable(ctx->afi, ctx->table);
655 if (ret >= 0) {
656 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
657 nft_trans_table_enable(trans) = true;
658 }
659 }
660 if (ret < 0)
661 goto err;
662
663 nft_trans_table_update(trans) = true;
664 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
665 return 0;
666err:
667 nft_trans_destroy(trans);
668 return ret;
669}
670
671static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
672 const struct nlmsghdr *nlh,
673 const struct nlattr * const nla[])
674{
675 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
676 const struct nlattr *name;
677 struct nft_af_info *afi;
678 struct nft_table *table;
679 struct net *net = sock_net(skb->sk);
680 int family = nfmsg->nfgen_family;
681 u32 flags = 0;
682 struct nft_ctx ctx;
683 int err;
684
685 afi = nf_tables_afinfo_lookup(net, family, true);
686 if (IS_ERR(afi))
687 return PTR_ERR(afi);
688
689 name = nla[NFTA_TABLE_NAME];
690 table = nf_tables_table_lookup(afi, name);
691 if (IS_ERR(table)) {
692 if (PTR_ERR(table) != -ENOENT)
693 return PTR_ERR(table);
694 table = NULL;
695 }
696
697 if (table != NULL) {
698 if (table->flags & NFT_TABLE_INACTIVE)
699 return -ENOENT;
700 if (nlh->nlmsg_flags & NLM_F_EXCL)
701 return -EEXIST;
702 if (nlh->nlmsg_flags & NLM_F_REPLACE)
703 return -EOPNOTSUPP;
704
705 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
706 return nf_tables_updtable(&ctx);
707 }
708
709 if (nla[NFTA_TABLE_FLAGS]) {
710 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
711 if (flags & ~NFT_TABLE_F_DORMANT)
712 return -EINVAL;
713 }
714
715 err = -EAFNOSUPPORT;
716 if (!try_module_get(afi->owner))
717 goto err1;
718
719 err = -ENOMEM;
720 table = kzalloc(sizeof(*table), GFP_KERNEL);
721 if (table == NULL)
722 goto err2;
723
724 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
725 INIT_LIST_HEAD(&table->chains);
726 INIT_LIST_HEAD(&table->sets);
727 table->flags = flags;
728
729 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
730 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
731 if (err < 0)
732 goto err3;
733
734 list_add_tail_rcu(&table->list, &afi->tables);
735 return 0;
736err3:
737 kfree(table);
738err2:
739 module_put(afi->owner);
740err1:
741 return err;
742}
743
744static int nft_flush_table(struct nft_ctx *ctx)
745{
746 int err;
747 struct nft_chain *chain, *nc;
748 struct nft_set *set, *ns;
749
750 list_for_each_entry(chain, &ctx->table->chains, list) {
751 ctx->chain = chain;
752
753 err = nft_delrule_by_chain(ctx);
754 if (err < 0)
755 goto out;
756 }
757
758 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
759 if (set->flags & NFT_SET_ANONYMOUS &&
760 !list_empty(&set->bindings))
761 continue;
762
763 err = nft_delset(ctx, set);
764 if (err < 0)
765 goto out;
766 }
767
768 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
769 ctx->chain = chain;
770
771 err = nft_delchain(ctx);
772 if (err < 0)
773 goto out;
774 }
775
776 err = nft_deltable(ctx);
777out:
778 return err;
779}
780
781static int nft_flush(struct nft_ctx *ctx, int family)
782{
783 struct nft_af_info *afi;
784 struct nft_table *table, *nt;
785 const struct nlattr * const *nla = ctx->nla;
786 int err = 0;
787
788 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
789 if (family != AF_UNSPEC && afi->family != family)
790 continue;
791
792 ctx->afi = afi;
793 list_for_each_entry_safe(table, nt, &afi->tables, list) {
794 if (nla[NFTA_TABLE_NAME] &&
795 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
796 continue;
797
798 ctx->table = table;
799
800 err = nft_flush_table(ctx);
801 if (err < 0)
802 goto out;
803 }
804 }
805out:
806 return err;
807}
808
809static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
810 const struct nlmsghdr *nlh,
811 const struct nlattr * const nla[])
812{
813 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
814 struct nft_af_info *afi;
815 struct nft_table *table;
816 struct net *net = sock_net(skb->sk);
817 int family = nfmsg->nfgen_family;
818 struct nft_ctx ctx;
819
820 nft_ctx_init(&ctx, skb, nlh, NULL, NULL, NULL, nla);
821 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
822 return nft_flush(&ctx, family);
823
824 afi = nf_tables_afinfo_lookup(net, family, false);
825 if (IS_ERR(afi))
826 return PTR_ERR(afi);
827
828 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
829 if (IS_ERR(table))
830 return PTR_ERR(table);
831 if (table->flags & NFT_TABLE_INACTIVE)
832 return -ENOENT;
833
834 ctx.afi = afi;
835 ctx.table = table;
836
837 return nft_flush_table(&ctx);
838}
839
840static void nf_tables_table_destroy(struct nft_ctx *ctx)
841{
842 BUG_ON(ctx->table->use > 0);
843
844 kfree(ctx->table);
845 module_put(ctx->afi->owner);
846}
847
848int nft_register_chain_type(const struct nf_chain_type *ctype)
849{
850 int err = 0;
851
852 nfnl_lock(NFNL_SUBSYS_NFTABLES);
853 if (chain_type[ctype->family][ctype->type] != NULL) {
854 err = -EBUSY;
855 goto out;
856 }
857 chain_type[ctype->family][ctype->type] = ctype;
858out:
859 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
860 return err;
861}
862EXPORT_SYMBOL_GPL(nft_register_chain_type);
863
864void nft_unregister_chain_type(const struct nf_chain_type *ctype)
865{
866 nfnl_lock(NFNL_SUBSYS_NFTABLES);
867 chain_type[ctype->family][ctype->type] = NULL;
868 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
869}
870EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
871
872
873
874
875
876static struct nft_chain *
877nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
878{
879 struct nft_chain *chain;
880
881 list_for_each_entry(chain, &table->chains, list) {
882 if (chain->handle == handle)
883 return chain;
884 }
885
886 return ERR_PTR(-ENOENT);
887}
888
889static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
890 const struct nlattr *nla)
891{
892 struct nft_chain *chain;
893
894 if (nla == NULL)
895 return ERR_PTR(-EINVAL);
896
897 list_for_each_entry(chain, &table->chains, list) {
898 if (!nla_strcmp(nla, chain->name))
899 return chain;
900 }
901
902 return ERR_PTR(-ENOENT);
903}
904
905static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
906 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
907 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
908 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
909 .len = NFT_CHAIN_MAXNAMELEN - 1 },
910 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
911 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
912 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
913 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
914};
915
916static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
917 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
918 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
919 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
920 .len = IFNAMSIZ - 1 },
921};
922
923static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
924{
925 struct nft_stats *cpu_stats, total;
926 struct nlattr *nest;
927 unsigned int seq;
928 u64 pkts, bytes;
929 int cpu;
930
931 memset(&total, 0, sizeof(total));
932 for_each_possible_cpu(cpu) {
933 cpu_stats = per_cpu_ptr(stats, cpu);
934 do {
935 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
936 pkts = cpu_stats->pkts;
937 bytes = cpu_stats->bytes;
938 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
939 total.pkts += pkts;
940 total.bytes += bytes;
941 }
942 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
943 if (nest == NULL)
944 goto nla_put_failure;
945
946 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
947 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
948 goto nla_put_failure;
949
950 nla_nest_end(skb, nest);
951 return 0;
952
953nla_put_failure:
954 return -ENOSPC;
955}
956
957static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
958 u32 portid, u32 seq, int event, u32 flags,
959 int family, const struct nft_table *table,
960 const struct nft_chain *chain)
961{
962 struct nlmsghdr *nlh;
963 struct nfgenmsg *nfmsg;
964
965 event |= NFNL_SUBSYS_NFTABLES << 8;
966 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
967 if (nlh == NULL)
968 goto nla_put_failure;
969
970 nfmsg = nlmsg_data(nlh);
971 nfmsg->nfgen_family = family;
972 nfmsg->version = NFNETLINK_V0;
973 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
974
975 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
976 goto nla_put_failure;
977 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
978 goto nla_put_failure;
979 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
980 goto nla_put_failure;
981
982 if (chain->flags & NFT_BASE_CHAIN) {
983 const struct nft_base_chain *basechain = nft_base_chain(chain);
984 const struct nf_hook_ops *ops = &basechain->ops[0];
985 struct nlattr *nest;
986
987 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
988 if (nest == NULL)
989 goto nla_put_failure;
990 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
991 goto nla_put_failure;
992 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
993 goto nla_put_failure;
994 if (basechain->dev_name[0] &&
995 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
996 goto nla_put_failure;
997 nla_nest_end(skb, nest);
998
999 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1000 htonl(basechain->policy)))
1001 goto nla_put_failure;
1002
1003 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1004 goto nla_put_failure;
1005
1006 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
1007 goto nla_put_failure;
1008 }
1009
1010 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1011 goto nla_put_failure;
1012
1013 nlmsg_end(skb, nlh);
1014 return 0;
1015
1016nla_put_failure:
1017 nlmsg_trim(skb, nlh);
1018 return -1;
1019}
1020
1021static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1022{
1023 struct sk_buff *skb;
1024 int err;
1025
1026 if (!ctx->report &&
1027 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1028 return 0;
1029
1030 err = -ENOBUFS;
1031 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1032 if (skb == NULL)
1033 goto err;
1034
1035 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1036 event, 0, ctx->afi->family, ctx->table,
1037 ctx->chain);
1038 if (err < 0) {
1039 kfree_skb(skb);
1040 goto err;
1041 }
1042
1043 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1044 ctx->report, GFP_KERNEL);
1045err:
1046 if (err < 0) {
1047 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1048 err);
1049 }
1050 return err;
1051}
1052
1053static int nf_tables_dump_chains(struct sk_buff *skb,
1054 struct netlink_callback *cb)
1055{
1056 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1057 const struct nft_af_info *afi;
1058 const struct nft_table *table;
1059 const struct nft_chain *chain;
1060 unsigned int idx = 0, s_idx = cb->args[0];
1061 struct net *net = sock_net(skb->sk);
1062 int family = nfmsg->nfgen_family;
1063
1064 rcu_read_lock();
1065 cb->seq = net->nft.base_seq;
1066
1067 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1068 if (family != NFPROTO_UNSPEC && family != afi->family)
1069 continue;
1070
1071 list_for_each_entry_rcu(table, &afi->tables, list) {
1072 list_for_each_entry_rcu(chain, &table->chains, list) {
1073 if (idx < s_idx)
1074 goto cont;
1075 if (idx > s_idx)
1076 memset(&cb->args[1], 0,
1077 sizeof(cb->args) - sizeof(cb->args[0]));
1078 if (nf_tables_fill_chain_info(skb, net,
1079 NETLINK_CB(cb->skb).portid,
1080 cb->nlh->nlmsg_seq,
1081 NFT_MSG_NEWCHAIN,
1082 NLM_F_MULTI,
1083 afi->family, table, chain) < 0)
1084 goto done;
1085
1086 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1087cont:
1088 idx++;
1089 }
1090 }
1091 }
1092done:
1093 rcu_read_unlock();
1094 cb->args[0] = idx;
1095 return skb->len;
1096}
1097
1098static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
1099 const struct nlmsghdr *nlh,
1100 const struct nlattr * const nla[])
1101{
1102 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1103 const struct nft_af_info *afi;
1104 const struct nft_table *table;
1105 const struct nft_chain *chain;
1106 struct sk_buff *skb2;
1107 struct net *net = sock_net(skb->sk);
1108 int family = nfmsg->nfgen_family;
1109 int err;
1110
1111 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1112 struct netlink_dump_control c = {
1113 .dump = nf_tables_dump_chains,
1114 };
1115 return netlink_dump_start(nlsk, skb, nlh, &c);
1116 }
1117
1118 afi = nf_tables_afinfo_lookup(net, family, false);
1119 if (IS_ERR(afi))
1120 return PTR_ERR(afi);
1121
1122 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1123 if (IS_ERR(table))
1124 return PTR_ERR(table);
1125 if (table->flags & NFT_TABLE_INACTIVE)
1126 return -ENOENT;
1127
1128 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1129 if (IS_ERR(chain))
1130 return PTR_ERR(chain);
1131 if (chain->flags & NFT_CHAIN_INACTIVE)
1132 return -ENOENT;
1133
1134 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1135 if (!skb2)
1136 return -ENOMEM;
1137
1138 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1139 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1140 family, table, chain);
1141 if (err < 0)
1142 goto err;
1143
1144 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1145
1146err:
1147 kfree_skb(skb2);
1148 return err;
1149}
1150
1151static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1152 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1153 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1154};
1155
1156static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1157{
1158 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1159 struct nft_stats __percpu *newstats;
1160 struct nft_stats *stats;
1161 int err;
1162
1163 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1164 if (err < 0)
1165 return ERR_PTR(err);
1166
1167 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1168 return ERR_PTR(-EINVAL);
1169
1170 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1171 if (newstats == NULL)
1172 return ERR_PTR(-ENOMEM);
1173
1174
1175
1176
1177 preempt_disable();
1178 stats = this_cpu_ptr(newstats);
1179 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1180 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1181 preempt_enable();
1182
1183 return newstats;
1184}
1185
1186static void nft_chain_stats_replace(struct nft_base_chain *chain,
1187 struct nft_stats __percpu *newstats)
1188{
1189 if (newstats == NULL)
1190 return;
1191
1192 if (chain->stats) {
1193 struct nft_stats __percpu *oldstats =
1194 nft_dereference(chain->stats);
1195
1196 rcu_assign_pointer(chain->stats, newstats);
1197 synchronize_rcu();
1198 free_percpu(oldstats);
1199 } else
1200 rcu_assign_pointer(chain->stats, newstats);
1201}
1202
1203static void nf_tables_chain_destroy(struct nft_chain *chain)
1204{
1205 BUG_ON(chain->use > 0);
1206
1207 if (chain->flags & NFT_BASE_CHAIN) {
1208 struct nft_base_chain *basechain = nft_base_chain(chain);
1209
1210 module_put(basechain->type->owner);
1211 free_percpu(basechain->stats);
1212 if (basechain->ops[0].dev != NULL)
1213 dev_put(basechain->ops[0].dev);
1214 kfree(basechain);
1215 } else {
1216 kfree(chain);
1217 }
1218}
1219
1220static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
1221 const struct nlmsghdr *nlh,
1222 const struct nlattr * const nla[])
1223{
1224 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1225 const struct nlattr * uninitialized_var(name);
1226 struct nft_af_info *afi;
1227 struct nft_table *table;
1228 struct nft_chain *chain;
1229 struct nft_base_chain *basechain = NULL;
1230 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1231 struct net *net = sock_net(skb->sk);
1232 int family = nfmsg->nfgen_family;
1233 struct net_device *dev = NULL;
1234 u8 policy = NF_ACCEPT;
1235 u64 handle = 0;
1236 unsigned int i;
1237 struct nft_stats __percpu *stats;
1238 int err;
1239 bool create;
1240 struct nft_ctx ctx;
1241
1242 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1243
1244 afi = nf_tables_afinfo_lookup(net, family, true);
1245 if (IS_ERR(afi))
1246 return PTR_ERR(afi);
1247
1248 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1249 if (IS_ERR(table))
1250 return PTR_ERR(table);
1251
1252 chain = NULL;
1253 name = nla[NFTA_CHAIN_NAME];
1254
1255 if (nla[NFTA_CHAIN_HANDLE]) {
1256 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1257 chain = nf_tables_chain_lookup_byhandle(table, handle);
1258 if (IS_ERR(chain))
1259 return PTR_ERR(chain);
1260 } else {
1261 chain = nf_tables_chain_lookup(table, name);
1262 if (IS_ERR(chain)) {
1263 if (PTR_ERR(chain) != -ENOENT)
1264 return PTR_ERR(chain);
1265 chain = NULL;
1266 }
1267 }
1268
1269 if (nla[NFTA_CHAIN_POLICY]) {
1270 if ((chain != NULL &&
1271 !(chain->flags & NFT_BASE_CHAIN)))
1272 return -EOPNOTSUPP;
1273
1274 if (chain == NULL &&
1275 nla[NFTA_CHAIN_HOOK] == NULL)
1276 return -EOPNOTSUPP;
1277
1278 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1279 switch (policy) {
1280 case NF_DROP:
1281 case NF_ACCEPT:
1282 break;
1283 default:
1284 return -EINVAL;
1285 }
1286 }
1287
1288 if (chain != NULL) {
1289 struct nft_stats *stats = NULL;
1290 struct nft_trans *trans;
1291
1292 if (chain->flags & NFT_CHAIN_INACTIVE)
1293 return -ENOENT;
1294 if (nlh->nlmsg_flags & NLM_F_EXCL)
1295 return -EEXIST;
1296 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1297 return -EOPNOTSUPP;
1298
1299 if (nla[NFTA_CHAIN_HANDLE] && name &&
1300 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1301 return -EEXIST;
1302
1303 if (nla[NFTA_CHAIN_COUNTERS]) {
1304 if (!(chain->flags & NFT_BASE_CHAIN))
1305 return -EOPNOTSUPP;
1306
1307 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1308 if (IS_ERR(stats))
1309 return PTR_ERR(stats);
1310 }
1311
1312 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1313 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1314 sizeof(struct nft_trans_chain));
1315 if (trans == NULL) {
1316 free_percpu(stats);
1317 return -ENOMEM;
1318 }
1319
1320 nft_trans_chain_stats(trans) = stats;
1321 nft_trans_chain_update(trans) = true;
1322
1323 if (nla[NFTA_CHAIN_POLICY])
1324 nft_trans_chain_policy(trans) = policy;
1325 else
1326 nft_trans_chain_policy(trans) = -1;
1327
1328 if (nla[NFTA_CHAIN_HANDLE] && name) {
1329 nla_strlcpy(nft_trans_chain_name(trans), name,
1330 NFT_CHAIN_MAXNAMELEN);
1331 }
1332 list_add_tail(&trans->list, &net->nft.commit_list);
1333 return 0;
1334 }
1335
1336 if (table->use == UINT_MAX)
1337 return -EOVERFLOW;
1338
1339 if (nla[NFTA_CHAIN_HOOK]) {
1340 const struct nf_chain_type *type;
1341 struct nf_hook_ops *ops;
1342 nf_hookfn *hookfn;
1343 u32 hooknum, priority;
1344
1345 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1346 if (nla[NFTA_CHAIN_TYPE]) {
1347 type = nf_tables_chain_type_lookup(afi,
1348 nla[NFTA_CHAIN_TYPE],
1349 create);
1350 if (IS_ERR(type))
1351 return PTR_ERR(type);
1352 }
1353
1354 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1355 nft_hook_policy);
1356 if (err < 0)
1357 return err;
1358 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1359 ha[NFTA_HOOK_PRIORITY] == NULL)
1360 return -EINVAL;
1361
1362 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1363 if (hooknum >= afi->nhooks)
1364 return -EINVAL;
1365 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1366
1367 if (!(type->hook_mask & (1 << hooknum)))
1368 return -EOPNOTSUPP;
1369 if (!try_module_get(type->owner))
1370 return -ENOENT;
1371 hookfn = type->hooks[hooknum];
1372
1373 if (afi->flags & NFT_AF_NEEDS_DEV) {
1374 char ifname[IFNAMSIZ];
1375
1376 if (!ha[NFTA_HOOK_DEV]) {
1377 module_put(type->owner);
1378 return -EOPNOTSUPP;
1379 }
1380
1381 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1382 dev = dev_get_by_name(net, ifname);
1383 if (!dev) {
1384 module_put(type->owner);
1385 return -ENOENT;
1386 }
1387 } else if (ha[NFTA_HOOK_DEV]) {
1388 module_put(type->owner);
1389 return -EOPNOTSUPP;
1390 }
1391
1392 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1393 if (basechain == NULL) {
1394 module_put(type->owner);
1395 if (dev != NULL)
1396 dev_put(dev);
1397 return -ENOMEM;
1398 }
1399
1400 if (dev != NULL)
1401 strncpy(basechain->dev_name, dev->name, IFNAMSIZ);
1402
1403 if (nla[NFTA_CHAIN_COUNTERS]) {
1404 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1405 if (IS_ERR(stats)) {
1406 module_put(type->owner);
1407 kfree(basechain);
1408 if (dev != NULL)
1409 dev_put(dev);
1410 return PTR_ERR(stats);
1411 }
1412 basechain->stats = stats;
1413 } else {
1414 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1415 if (stats == NULL) {
1416 module_put(type->owner);
1417 kfree(basechain);
1418 if (dev != NULL)
1419 dev_put(dev);
1420 return -ENOMEM;
1421 }
1422 rcu_assign_pointer(basechain->stats, stats);
1423 }
1424
1425 write_pnet(&basechain->pnet, net);
1426 basechain->type = type;
1427 chain = &basechain->chain;
1428
1429 for (i = 0; i < afi->nops; i++) {
1430 ops = &basechain->ops[i];
1431 ops->pf = family;
1432 ops->owner = afi->owner;
1433 ops->hooknum = hooknum;
1434 ops->priority = priority;
1435 ops->priv = chain;
1436 ops->hook = afi->hooks[ops->hooknum];
1437 ops->dev = dev;
1438 if (hookfn)
1439 ops->hook = hookfn;
1440 if (afi->hook_ops_init)
1441 afi->hook_ops_init(ops, i);
1442 }
1443
1444 chain->flags |= NFT_BASE_CHAIN;
1445 basechain->policy = policy;
1446 } else {
1447 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1448 if (chain == NULL)
1449 return -ENOMEM;
1450 }
1451
1452 INIT_LIST_HEAD(&chain->rules);
1453 chain->handle = nf_tables_alloc_handle(table);
1454 chain->table = table;
1455 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1456
1457 err = nf_tables_register_hooks(table, chain, afi->nops);
1458 if (err < 0)
1459 goto err1;
1460
1461 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1462 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1463 if (err < 0)
1464 goto err2;
1465
1466 table->use++;
1467 list_add_tail_rcu(&chain->list, &table->chains);
1468 return 0;
1469err2:
1470 nf_tables_unregister_hooks(table, chain, afi->nops);
1471err1:
1472 nf_tables_chain_destroy(chain);
1473 return err;
1474}
1475
1476static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1477 const struct nlmsghdr *nlh,
1478 const struct nlattr * const nla[])
1479{
1480 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1481 struct nft_af_info *afi;
1482 struct nft_table *table;
1483 struct nft_chain *chain;
1484 struct net *net = sock_net(skb->sk);
1485 int family = nfmsg->nfgen_family;
1486 struct nft_ctx ctx;
1487
1488 afi = nf_tables_afinfo_lookup(net, family, false);
1489 if (IS_ERR(afi))
1490 return PTR_ERR(afi);
1491
1492 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1493 if (IS_ERR(table))
1494 return PTR_ERR(table);
1495 if (table->flags & NFT_TABLE_INACTIVE)
1496 return -ENOENT;
1497
1498 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1499 if (IS_ERR(chain))
1500 return PTR_ERR(chain);
1501 if (chain->flags & NFT_CHAIN_INACTIVE)
1502 return -ENOENT;
1503 if (chain->use > 0)
1504 return -EBUSY;
1505
1506 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1507
1508 return nft_delchain(&ctx);
1509}
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522int nft_register_expr(struct nft_expr_type *type)
1523{
1524 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1525 if (type->family == NFPROTO_UNSPEC)
1526 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1527 else
1528 list_add_rcu(&type->list, &nf_tables_expressions);
1529 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1530 return 0;
1531}
1532EXPORT_SYMBOL_GPL(nft_register_expr);
1533
1534
1535
1536
1537
1538
1539
1540void nft_unregister_expr(struct nft_expr_type *type)
1541{
1542 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1543 list_del_rcu(&type->list);
1544 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1545}
1546EXPORT_SYMBOL_GPL(nft_unregister_expr);
1547
1548static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1549 struct nlattr *nla)
1550{
1551 const struct nft_expr_type *type;
1552
1553 list_for_each_entry(type, &nf_tables_expressions, list) {
1554 if (!nla_strcmp(nla, type->name) &&
1555 (!type->family || type->family == family))
1556 return type;
1557 }
1558 return NULL;
1559}
1560
1561static const struct nft_expr_type *nft_expr_type_get(u8 family,
1562 struct nlattr *nla)
1563{
1564 const struct nft_expr_type *type;
1565
1566 if (nla == NULL)
1567 return ERR_PTR(-EINVAL);
1568
1569 type = __nft_expr_type_get(family, nla);
1570 if (type != NULL && try_module_get(type->owner))
1571 return type;
1572
1573#ifdef CONFIG_MODULES
1574 if (type == NULL) {
1575 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1576 request_module("nft-expr-%u-%.*s", family,
1577 nla_len(nla), (char *)nla_data(nla));
1578 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1579 if (__nft_expr_type_get(family, nla))
1580 return ERR_PTR(-EAGAIN);
1581
1582 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1583 request_module("nft-expr-%.*s",
1584 nla_len(nla), (char *)nla_data(nla));
1585 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1586 if (__nft_expr_type_get(family, nla))
1587 return ERR_PTR(-EAGAIN);
1588 }
1589#endif
1590 return ERR_PTR(-ENOENT);
1591}
1592
1593static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1594 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1595 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1596};
1597
1598static int nf_tables_fill_expr_info(struct sk_buff *skb,
1599 const struct nft_expr *expr)
1600{
1601 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1602 goto nla_put_failure;
1603
1604 if (expr->ops->dump) {
1605 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1606 if (data == NULL)
1607 goto nla_put_failure;
1608 if (expr->ops->dump(skb, expr) < 0)
1609 goto nla_put_failure;
1610 nla_nest_end(skb, data);
1611 }
1612
1613 return skb->len;
1614
1615nla_put_failure:
1616 return -1;
1617};
1618
1619int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1620 const struct nft_expr *expr)
1621{
1622 struct nlattr *nest;
1623
1624 nest = nla_nest_start(skb, attr);
1625 if (!nest)
1626 goto nla_put_failure;
1627 if (nf_tables_fill_expr_info(skb, expr) < 0)
1628 goto nla_put_failure;
1629 nla_nest_end(skb, nest);
1630 return 0;
1631
1632nla_put_failure:
1633 return -1;
1634}
1635
1636struct nft_expr_info {
1637 const struct nft_expr_ops *ops;
1638 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1639};
1640
1641static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1642 const struct nlattr *nla,
1643 struct nft_expr_info *info)
1644{
1645 const struct nft_expr_type *type;
1646 const struct nft_expr_ops *ops;
1647 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1648 int err;
1649
1650 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1651 if (err < 0)
1652 return err;
1653
1654 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1655 if (IS_ERR(type))
1656 return PTR_ERR(type);
1657
1658 if (tb[NFTA_EXPR_DATA]) {
1659 err = nla_parse_nested(info->tb, type->maxattr,
1660 tb[NFTA_EXPR_DATA], type->policy);
1661 if (err < 0)
1662 goto err1;
1663 } else
1664 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1665
1666 if (type->select_ops != NULL) {
1667 ops = type->select_ops(ctx,
1668 (const struct nlattr * const *)info->tb);
1669 if (IS_ERR(ops)) {
1670 err = PTR_ERR(ops);
1671 goto err1;
1672 }
1673 } else
1674 ops = type->ops;
1675
1676 info->ops = ops;
1677 return 0;
1678
1679err1:
1680 module_put(type->owner);
1681 return err;
1682}
1683
1684static int nf_tables_newexpr(const struct nft_ctx *ctx,
1685 const struct nft_expr_info *info,
1686 struct nft_expr *expr)
1687{
1688 const struct nft_expr_ops *ops = info->ops;
1689 int err;
1690
1691 expr->ops = ops;
1692 if (ops->init) {
1693 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1694 if (err < 0)
1695 goto err1;
1696 }
1697
1698 return 0;
1699
1700err1:
1701 expr->ops = NULL;
1702 return err;
1703}
1704
1705static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1706 struct nft_expr *expr)
1707{
1708 if (expr->ops->destroy)
1709 expr->ops->destroy(ctx, expr);
1710 module_put(expr->ops->type->owner);
1711}
1712
1713struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1714 const struct nlattr *nla)
1715{
1716 struct nft_expr_info info;
1717 struct nft_expr *expr;
1718 int err;
1719
1720 err = nf_tables_expr_parse(ctx, nla, &info);
1721 if (err < 0)
1722 goto err1;
1723
1724 err = -ENOMEM;
1725 expr = kzalloc(info.ops->size, GFP_KERNEL);
1726 if (expr == NULL)
1727 goto err2;
1728
1729 err = nf_tables_newexpr(ctx, &info, expr);
1730 if (err < 0)
1731 goto err2;
1732
1733 return expr;
1734err2:
1735 module_put(info.ops->type->owner);
1736err1:
1737 return ERR_PTR(err);
1738}
1739
1740void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1741{
1742 nf_tables_expr_destroy(ctx, expr);
1743 kfree(expr);
1744}
1745
1746
1747
1748
1749
1750static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1751 u64 handle)
1752{
1753 struct nft_rule *rule;
1754
1755
1756 list_for_each_entry(rule, &chain->rules, list) {
1757 if (handle == rule->handle)
1758 return rule;
1759 }
1760
1761 return ERR_PTR(-ENOENT);
1762}
1763
1764static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1765 const struct nlattr *nla)
1766{
1767 if (nla == NULL)
1768 return ERR_PTR(-EINVAL);
1769
1770 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1771}
1772
1773static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1774 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1775 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1776 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1777 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1778 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1779 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1780 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1781 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1782 .len = NFT_USERDATA_MAXLEN },
1783};
1784
1785static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1786 u32 portid, u32 seq, int event,
1787 u32 flags, int family,
1788 const struct nft_table *table,
1789 const struct nft_chain *chain,
1790 const struct nft_rule *rule)
1791{
1792 struct nlmsghdr *nlh;
1793 struct nfgenmsg *nfmsg;
1794 const struct nft_expr *expr, *next;
1795 struct nlattr *list;
1796 const struct nft_rule *prule;
1797 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1798
1799 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1800 flags);
1801 if (nlh == NULL)
1802 goto nla_put_failure;
1803
1804 nfmsg = nlmsg_data(nlh);
1805 nfmsg->nfgen_family = family;
1806 nfmsg->version = NFNETLINK_V0;
1807 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1808
1809 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1810 goto nla_put_failure;
1811 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1812 goto nla_put_failure;
1813 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1814 goto nla_put_failure;
1815
1816 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1817 prule = list_entry(rule->list.prev, struct nft_rule, list);
1818 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1819 cpu_to_be64(prule->handle)))
1820 goto nla_put_failure;
1821 }
1822
1823 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1824 if (list == NULL)
1825 goto nla_put_failure;
1826 nft_rule_for_each_expr(expr, next, rule) {
1827 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1828 goto nla_put_failure;
1829 }
1830 nla_nest_end(skb, list);
1831
1832 if (rule->udata) {
1833 struct nft_userdata *udata = nft_userdata(rule);
1834 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1835 udata->data) < 0)
1836 goto nla_put_failure;
1837 }
1838
1839 nlmsg_end(skb, nlh);
1840 return 0;
1841
1842nla_put_failure:
1843 nlmsg_trim(skb, nlh);
1844 return -1;
1845}
1846
1847static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1848 const struct nft_rule *rule,
1849 int event)
1850{
1851 struct sk_buff *skb;
1852 int err;
1853
1854 if (!ctx->report &&
1855 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1856 return 0;
1857
1858 err = -ENOBUFS;
1859 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1860 if (skb == NULL)
1861 goto err;
1862
1863 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1864 event, 0, ctx->afi->family, ctx->table,
1865 ctx->chain, rule);
1866 if (err < 0) {
1867 kfree_skb(skb);
1868 goto err;
1869 }
1870
1871 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1872 ctx->report, GFP_KERNEL);
1873err:
1874 if (err < 0) {
1875 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1876 err);
1877 }
1878 return err;
1879}
1880
1881static int nf_tables_dump_rules(struct sk_buff *skb,
1882 struct netlink_callback *cb)
1883{
1884 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1885 const struct nft_af_info *afi;
1886 const struct nft_table *table;
1887 const struct nft_chain *chain;
1888 const struct nft_rule *rule;
1889 unsigned int idx = 0, s_idx = cb->args[0];
1890 struct net *net = sock_net(skb->sk);
1891 int family = nfmsg->nfgen_family;
1892
1893 rcu_read_lock();
1894 cb->seq = net->nft.base_seq;
1895
1896 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1897 if (family != NFPROTO_UNSPEC && family != afi->family)
1898 continue;
1899
1900 list_for_each_entry_rcu(table, &afi->tables, list) {
1901 list_for_each_entry_rcu(chain, &table->chains, list) {
1902 list_for_each_entry_rcu(rule, &chain->rules, list) {
1903 if (!nft_rule_is_active(net, rule))
1904 goto cont;
1905 if (idx < s_idx)
1906 goto cont;
1907 if (idx > s_idx)
1908 memset(&cb->args[1], 0,
1909 sizeof(cb->args) - sizeof(cb->args[0]));
1910 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1911 cb->nlh->nlmsg_seq,
1912 NFT_MSG_NEWRULE,
1913 NLM_F_MULTI | NLM_F_APPEND,
1914 afi->family, table, chain, rule) < 0)
1915 goto done;
1916
1917 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1918cont:
1919 idx++;
1920 }
1921 }
1922 }
1923 }
1924done:
1925 rcu_read_unlock();
1926
1927 cb->args[0] = idx;
1928 return skb->len;
1929}
1930
1931static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1932 const struct nlmsghdr *nlh,
1933 const struct nlattr * const nla[])
1934{
1935 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1936 const struct nft_af_info *afi;
1937 const struct nft_table *table;
1938 const struct nft_chain *chain;
1939 const struct nft_rule *rule;
1940 struct sk_buff *skb2;
1941 struct net *net = sock_net(skb->sk);
1942 int family = nfmsg->nfgen_family;
1943 int err;
1944
1945 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1946 struct netlink_dump_control c = {
1947 .dump = nf_tables_dump_rules,
1948 };
1949 return netlink_dump_start(nlsk, skb, nlh, &c);
1950 }
1951
1952 afi = nf_tables_afinfo_lookup(net, family, false);
1953 if (IS_ERR(afi))
1954 return PTR_ERR(afi);
1955
1956 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1957 if (IS_ERR(table))
1958 return PTR_ERR(table);
1959 if (table->flags & NFT_TABLE_INACTIVE)
1960 return -ENOENT;
1961
1962 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1963 if (IS_ERR(chain))
1964 return PTR_ERR(chain);
1965 if (chain->flags & NFT_CHAIN_INACTIVE)
1966 return -ENOENT;
1967
1968 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1969 if (IS_ERR(rule))
1970 return PTR_ERR(rule);
1971
1972 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1973 if (!skb2)
1974 return -ENOMEM;
1975
1976 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
1977 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1978 family, table, chain, rule);
1979 if (err < 0)
1980 goto err;
1981
1982 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1983
1984err:
1985 kfree_skb(skb2);
1986 return err;
1987}
1988
1989static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1990 struct nft_rule *rule)
1991{
1992 struct nft_expr *expr;
1993
1994
1995
1996
1997
1998 expr = nft_expr_first(rule);
1999 while (expr->ops && expr != nft_expr_last(rule)) {
2000 nf_tables_expr_destroy(ctx, expr);
2001 expr = nft_expr_next(expr);
2002 }
2003 kfree(rule);
2004}
2005
2006#define NFT_RULE_MAXEXPRS 128
2007
2008static struct nft_expr_info *info;
2009
2010static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
2011 const struct nlmsghdr *nlh,
2012 const struct nlattr * const nla[])
2013{
2014 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2015 struct nft_af_info *afi;
2016 struct net *net = sock_net(skb->sk);
2017 struct nft_table *table;
2018 struct nft_chain *chain;
2019 struct nft_rule *rule, *old_rule = NULL;
2020 struct nft_userdata *udata;
2021 struct nft_trans *trans = NULL;
2022 struct nft_expr *expr;
2023 struct nft_ctx ctx;
2024 struct nlattr *tmp;
2025 unsigned int size, i, n, ulen = 0, usize = 0;
2026 int err, rem;
2027 bool create;
2028 u64 handle, pos_handle;
2029
2030 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2031
2032 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2033 if (IS_ERR(afi))
2034 return PTR_ERR(afi);
2035
2036 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2037 if (IS_ERR(table))
2038 return PTR_ERR(table);
2039
2040 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2041 if (IS_ERR(chain))
2042 return PTR_ERR(chain);
2043
2044 if (nla[NFTA_RULE_HANDLE]) {
2045 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2046 rule = __nf_tables_rule_lookup(chain, handle);
2047 if (IS_ERR(rule))
2048 return PTR_ERR(rule);
2049
2050 if (nlh->nlmsg_flags & NLM_F_EXCL)
2051 return -EEXIST;
2052 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2053 old_rule = rule;
2054 else
2055 return -EOPNOTSUPP;
2056 } else {
2057 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2058 return -EINVAL;
2059 handle = nf_tables_alloc_handle(table);
2060
2061 if (chain->use == UINT_MAX)
2062 return -EOVERFLOW;
2063 }
2064
2065 if (nla[NFTA_RULE_POSITION]) {
2066 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2067 return -EOPNOTSUPP;
2068
2069 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2070 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2071 if (IS_ERR(old_rule))
2072 return PTR_ERR(old_rule);
2073 }
2074
2075 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
2076
2077 n = 0;
2078 size = 0;
2079 if (nla[NFTA_RULE_EXPRESSIONS]) {
2080 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2081 err = -EINVAL;
2082 if (nla_type(tmp) != NFTA_LIST_ELEM)
2083 goto err1;
2084 if (n == NFT_RULE_MAXEXPRS)
2085 goto err1;
2086 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2087 if (err < 0)
2088 goto err1;
2089 size += info[n].ops->size;
2090 n++;
2091 }
2092 }
2093
2094 err = -EFBIG;
2095 if (size >= 1 << 12)
2096 goto err1;
2097
2098 if (nla[NFTA_RULE_USERDATA]) {
2099 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2100 if (ulen > 0)
2101 usize = sizeof(struct nft_userdata) + ulen;
2102 }
2103
2104 err = -ENOMEM;
2105 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2106 if (rule == NULL)
2107 goto err1;
2108
2109 nft_rule_activate_next(net, rule);
2110
2111 rule->handle = handle;
2112 rule->dlen = size;
2113 rule->udata = ulen ? 1 : 0;
2114
2115 if (ulen) {
2116 udata = nft_userdata(rule);
2117 udata->len = ulen - 1;
2118 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2119 }
2120
2121 expr = nft_expr_first(rule);
2122 for (i = 0; i < n; i++) {
2123 err = nf_tables_newexpr(&ctx, &info[i], expr);
2124 if (err < 0)
2125 goto err2;
2126 info[i].ops = NULL;
2127 expr = nft_expr_next(expr);
2128 }
2129
2130 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2131 if (nft_rule_is_active_next(net, old_rule)) {
2132 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2133 old_rule);
2134 if (trans == NULL) {
2135 err = -ENOMEM;
2136 goto err2;
2137 }
2138 nft_rule_deactivate_next(net, old_rule);
2139 chain->use--;
2140 list_add_tail_rcu(&rule->list, &old_rule->list);
2141 } else {
2142 err = -ENOENT;
2143 goto err2;
2144 }
2145 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2146 if (old_rule)
2147 list_add_rcu(&rule->list, &old_rule->list);
2148 else
2149 list_add_tail_rcu(&rule->list, &chain->rules);
2150 else {
2151 if (old_rule)
2152 list_add_tail_rcu(&rule->list, &old_rule->list);
2153 else
2154 list_add_rcu(&rule->list, &chain->rules);
2155 }
2156
2157 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2158 err = -ENOMEM;
2159 goto err3;
2160 }
2161 chain->use++;
2162 return 0;
2163
2164err3:
2165 list_del_rcu(&rule->list);
2166err2:
2167 nf_tables_rule_destroy(&ctx, rule);
2168err1:
2169 for (i = 0; i < n; i++) {
2170 if (info[i].ops != NULL)
2171 module_put(info[i].ops->type->owner);
2172 }
2173 return err;
2174}
2175
2176static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
2177 const struct nlmsghdr *nlh,
2178 const struct nlattr * const nla[])
2179{
2180 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2181 struct nft_af_info *afi;
2182 struct net *net = sock_net(skb->sk);
2183 struct nft_table *table;
2184 struct nft_chain *chain = NULL;
2185 struct nft_rule *rule;
2186 int family = nfmsg->nfgen_family, err = 0;
2187 struct nft_ctx ctx;
2188
2189 afi = nf_tables_afinfo_lookup(net, family, false);
2190 if (IS_ERR(afi))
2191 return PTR_ERR(afi);
2192
2193 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2194 if (IS_ERR(table))
2195 return PTR_ERR(table);
2196 if (table->flags & NFT_TABLE_INACTIVE)
2197 return -ENOENT;
2198
2199 if (nla[NFTA_RULE_CHAIN]) {
2200 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2201 if (IS_ERR(chain))
2202 return PTR_ERR(chain);
2203 }
2204
2205 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
2206
2207 if (chain) {
2208 if (nla[NFTA_RULE_HANDLE]) {
2209 rule = nf_tables_rule_lookup(chain,
2210 nla[NFTA_RULE_HANDLE]);
2211 if (IS_ERR(rule))
2212 return PTR_ERR(rule);
2213
2214 err = nft_delrule(&ctx, rule);
2215 } else {
2216 err = nft_delrule_by_chain(&ctx);
2217 }
2218 } else {
2219 list_for_each_entry(chain, &table->chains, list) {
2220 ctx.chain = chain;
2221 err = nft_delrule_by_chain(&ctx);
2222 if (err < 0)
2223 break;
2224 }
2225 }
2226
2227 return err;
2228}
2229
2230
2231
2232
2233
2234static LIST_HEAD(nf_tables_set_ops);
2235
2236int nft_register_set(struct nft_set_ops *ops)
2237{
2238 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2239 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2240 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2241 return 0;
2242}
2243EXPORT_SYMBOL_GPL(nft_register_set);
2244
2245void nft_unregister_set(struct nft_set_ops *ops)
2246{
2247 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2248 list_del_rcu(&ops->list);
2249 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2250}
2251EXPORT_SYMBOL_GPL(nft_unregister_set);
2252
2253
2254
2255
2256
2257
2258static const struct nft_set_ops *
2259nft_select_set_ops(const struct nlattr * const nla[],
2260 const struct nft_set_desc *desc,
2261 enum nft_set_policies policy)
2262{
2263 const struct nft_set_ops *ops, *bops;
2264 struct nft_set_estimate est, best;
2265 u32 features;
2266
2267#ifdef CONFIG_MODULES
2268 if (list_empty(&nf_tables_set_ops)) {
2269 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2270 request_module("nft-set");
2271 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2272 if (!list_empty(&nf_tables_set_ops))
2273 return ERR_PTR(-EAGAIN);
2274 }
2275#endif
2276 features = 0;
2277 if (nla[NFTA_SET_FLAGS] != NULL) {
2278 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2279 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2280 }
2281
2282 bops = NULL;
2283 best.size = ~0;
2284 best.class = ~0;
2285
2286 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2287 if ((ops->features & features) != features)
2288 continue;
2289 if (!ops->estimate(desc, features, &est))
2290 continue;
2291
2292 switch (policy) {
2293 case NFT_SET_POL_PERFORMANCE:
2294 if (est.class < best.class)
2295 break;
2296 if (est.class == best.class && est.size < best.size)
2297 break;
2298 continue;
2299 case NFT_SET_POL_MEMORY:
2300 if (est.size < best.size)
2301 break;
2302 if (est.size == best.size && est.class < best.class)
2303 break;
2304 continue;
2305 default:
2306 break;
2307 }
2308
2309 if (!try_module_get(ops->owner))
2310 continue;
2311 if (bops != NULL)
2312 module_put(bops->owner);
2313
2314 bops = ops;
2315 best = est;
2316 }
2317
2318 if (bops != NULL)
2319 return bops;
2320
2321 return ERR_PTR(-EOPNOTSUPP);
2322}
2323
2324static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2325 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2326 [NFTA_SET_NAME] = { .type = NLA_STRING,
2327 .len = IFNAMSIZ - 1 },
2328 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2329 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2330 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2331 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2332 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2333 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2334 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2335 [NFTA_SET_ID] = { .type = NLA_U32 },
2336 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2337 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2338};
2339
2340static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2341 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2342};
2343
2344static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
2345 const struct sk_buff *skb,
2346 const struct nlmsghdr *nlh,
2347 const struct nlattr * const nla[])
2348{
2349 struct net *net = sock_net(skb->sk);
2350 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2351 struct nft_af_info *afi = NULL;
2352 struct nft_table *table = NULL;
2353
2354 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2355 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2356 if (IS_ERR(afi))
2357 return PTR_ERR(afi);
2358 }
2359
2360 if (nla[NFTA_SET_TABLE] != NULL) {
2361 if (afi == NULL)
2362 return -EAFNOSUPPORT;
2363
2364 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2365 if (IS_ERR(table))
2366 return PTR_ERR(table);
2367 if (table->flags & NFT_TABLE_INACTIVE)
2368 return -ENOENT;
2369 }
2370
2371 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2372 return 0;
2373}
2374
2375struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2376 const struct nlattr *nla)
2377{
2378 struct nft_set *set;
2379
2380 if (nla == NULL)
2381 return ERR_PTR(-EINVAL);
2382
2383 list_for_each_entry(set, &table->sets, list) {
2384 if (!nla_strcmp(nla, set->name))
2385 return set;
2386 }
2387 return ERR_PTR(-ENOENT);
2388}
2389
2390struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2391 const struct nlattr *nla)
2392{
2393 struct nft_trans *trans;
2394 u32 id = ntohl(nla_get_be32(nla));
2395
2396 list_for_each_entry(trans, &net->nft.commit_list, list) {
2397 if (trans->msg_type == NFT_MSG_NEWSET &&
2398 id == nft_trans_set_id(trans))
2399 return nft_trans_set(trans);
2400 }
2401 return ERR_PTR(-ENOENT);
2402}
2403
2404static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2405 const char *name)
2406{
2407 const struct nft_set *i;
2408 const char *p;
2409 unsigned long *inuse;
2410 unsigned int n = 0, min = 0;
2411
2412 p = strnchr(name, IFNAMSIZ, '%');
2413 if (p != NULL) {
2414 if (p[1] != 'd' || strchr(p + 2, '%'))
2415 return -EINVAL;
2416
2417 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2418 if (inuse == NULL)
2419 return -ENOMEM;
2420cont:
2421 list_for_each_entry(i, &ctx->table->sets, list) {
2422 int tmp;
2423
2424 if (!sscanf(i->name, name, &tmp))
2425 continue;
2426 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2427 continue;
2428
2429 set_bit(tmp - min, inuse);
2430 }
2431
2432 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2433 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2434 min += BITS_PER_BYTE * PAGE_SIZE;
2435 memset(inuse, 0, PAGE_SIZE);
2436 goto cont;
2437 }
2438 free_page((unsigned long)inuse);
2439 }
2440
2441 snprintf(set->name, sizeof(set->name), name, min + n);
2442 list_for_each_entry(i, &ctx->table->sets, list) {
2443 if (!strcmp(set->name, i->name))
2444 return -ENFILE;
2445 }
2446 return 0;
2447}
2448
2449static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2450 const struct nft_set *set, u16 event, u16 flags)
2451{
2452 struct nfgenmsg *nfmsg;
2453 struct nlmsghdr *nlh;
2454 struct nlattr *desc;
2455 u32 portid = ctx->portid;
2456 u32 seq = ctx->seq;
2457
2458 event |= NFNL_SUBSYS_NFTABLES << 8;
2459 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2460 flags);
2461 if (nlh == NULL)
2462 goto nla_put_failure;
2463
2464 nfmsg = nlmsg_data(nlh);
2465 nfmsg->nfgen_family = ctx->afi->family;
2466 nfmsg->version = NFNETLINK_V0;
2467 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2468
2469 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2470 goto nla_put_failure;
2471 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2472 goto nla_put_failure;
2473 if (set->flags != 0)
2474 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2475 goto nla_put_failure;
2476
2477 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2478 goto nla_put_failure;
2479 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2480 goto nla_put_failure;
2481 if (set->flags & NFT_SET_MAP) {
2482 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2483 goto nla_put_failure;
2484 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2485 goto nla_put_failure;
2486 }
2487
2488 if (set->timeout &&
2489 nla_put_be64(skb, NFTA_SET_TIMEOUT, cpu_to_be64(set->timeout)))
2490 goto nla_put_failure;
2491 if (set->gc_int &&
2492 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2493 goto nla_put_failure;
2494
2495 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2496 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2497 goto nla_put_failure;
2498 }
2499
2500 desc = nla_nest_start(skb, NFTA_SET_DESC);
2501 if (desc == NULL)
2502 goto nla_put_failure;
2503 if (set->size &&
2504 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2505 goto nla_put_failure;
2506 nla_nest_end(skb, desc);
2507
2508 nlmsg_end(skb, nlh);
2509 return 0;
2510
2511nla_put_failure:
2512 nlmsg_trim(skb, nlh);
2513 return -1;
2514}
2515
2516static int nf_tables_set_notify(const struct nft_ctx *ctx,
2517 const struct nft_set *set,
2518 int event, gfp_t gfp_flags)
2519{
2520 struct sk_buff *skb;
2521 u32 portid = ctx->portid;
2522 int err;
2523
2524 if (!ctx->report &&
2525 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2526 return 0;
2527
2528 err = -ENOBUFS;
2529 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2530 if (skb == NULL)
2531 goto err;
2532
2533 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2534 if (err < 0) {
2535 kfree_skb(skb);
2536 goto err;
2537 }
2538
2539 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2540 ctx->report, gfp_flags);
2541err:
2542 if (err < 0)
2543 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2544 return err;
2545}
2546
2547static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2548{
2549 const struct nft_set *set;
2550 unsigned int idx, s_idx = cb->args[0];
2551 struct nft_af_info *afi;
2552 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2553 struct net *net = sock_net(skb->sk);
2554 int cur_family = cb->args[3];
2555 struct nft_ctx *ctx = cb->data, ctx_set;
2556
2557 if (cb->args[1])
2558 return skb->len;
2559
2560 rcu_read_lock();
2561 cb->seq = net->nft.base_seq;
2562
2563 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2564 if (ctx->afi && ctx->afi != afi)
2565 continue;
2566
2567 if (cur_family) {
2568 if (afi->family != cur_family)
2569 continue;
2570
2571 cur_family = 0;
2572 }
2573 list_for_each_entry_rcu(table, &afi->tables, list) {
2574 if (ctx->table && ctx->table != table)
2575 continue;
2576
2577 if (cur_table) {
2578 if (cur_table != table)
2579 continue;
2580
2581 cur_table = NULL;
2582 }
2583 idx = 0;
2584 list_for_each_entry_rcu(set, &table->sets, list) {
2585 if (idx < s_idx)
2586 goto cont;
2587
2588 ctx_set = *ctx;
2589 ctx_set.table = table;
2590 ctx_set.afi = afi;
2591 if (nf_tables_fill_set(skb, &ctx_set, set,
2592 NFT_MSG_NEWSET,
2593 NLM_F_MULTI) < 0) {
2594 cb->args[0] = idx;
2595 cb->args[2] = (unsigned long) table;
2596 cb->args[3] = afi->family;
2597 goto done;
2598 }
2599 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2600cont:
2601 idx++;
2602 }
2603 if (s_idx)
2604 s_idx = 0;
2605 }
2606 }
2607 cb->args[1] = 1;
2608done:
2609 rcu_read_unlock();
2610 return skb->len;
2611}
2612
2613static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2614{
2615 kfree(cb->data);
2616 return 0;
2617}
2618
2619static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2620 const struct nlmsghdr *nlh,
2621 const struct nlattr * const nla[])
2622{
2623 const struct nft_set *set;
2624 struct nft_ctx ctx;
2625 struct sk_buff *skb2;
2626 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2627 int err;
2628
2629
2630 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2631 if (err < 0)
2632 return err;
2633
2634 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2635 struct netlink_dump_control c = {
2636 .dump = nf_tables_dump_sets,
2637 .done = nf_tables_dump_sets_done,
2638 };
2639 struct nft_ctx *ctx_dump;
2640
2641 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2642 if (ctx_dump == NULL)
2643 return -ENOMEM;
2644
2645 *ctx_dump = ctx;
2646 c.data = ctx_dump;
2647
2648 return netlink_dump_start(nlsk, skb, nlh, &c);
2649 }
2650
2651
2652 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2653 return -EAFNOSUPPORT;
2654
2655 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2656 if (IS_ERR(set))
2657 return PTR_ERR(set);
2658 if (set->flags & NFT_SET_INACTIVE)
2659 return -ENOENT;
2660
2661 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2662 if (skb2 == NULL)
2663 return -ENOMEM;
2664
2665 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2666 if (err < 0)
2667 goto err;
2668
2669 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2670
2671err:
2672 kfree_skb(skb2);
2673 return err;
2674}
2675
2676static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2677 struct nft_set_desc *desc,
2678 const struct nlattr *nla)
2679{
2680 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2681 int err;
2682
2683 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2684 if (err < 0)
2685 return err;
2686
2687 if (da[NFTA_SET_DESC_SIZE] != NULL)
2688 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2689
2690 return 0;
2691}
2692
2693static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2694 const struct nlmsghdr *nlh,
2695 const struct nlattr * const nla[])
2696{
2697 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2698 const struct nft_set_ops *ops;
2699 struct nft_af_info *afi;
2700 struct net *net = sock_net(skb->sk);
2701 struct nft_table *table;
2702 struct nft_set *set;
2703 struct nft_ctx ctx;
2704 char name[IFNAMSIZ];
2705 unsigned int size;
2706 bool create;
2707 u64 timeout;
2708 u32 ktype, dtype, flags, policy, gc_int;
2709 struct nft_set_desc desc;
2710 int err;
2711
2712 if (nla[NFTA_SET_TABLE] == NULL ||
2713 nla[NFTA_SET_NAME] == NULL ||
2714 nla[NFTA_SET_KEY_LEN] == NULL ||
2715 nla[NFTA_SET_ID] == NULL)
2716 return -EINVAL;
2717
2718 memset(&desc, 0, sizeof(desc));
2719
2720 ktype = NFT_DATA_VALUE;
2721 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2722 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2723 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2724 return -EINVAL;
2725 }
2726
2727 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2728 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2729 return -EINVAL;
2730
2731 flags = 0;
2732 if (nla[NFTA_SET_FLAGS] != NULL) {
2733 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2734 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2735 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2736 NFT_SET_MAP | NFT_SET_EVAL))
2737 return -EINVAL;
2738
2739 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2740 (NFT_SET_MAP | NFT_SET_EVAL))
2741 return -EOPNOTSUPP;
2742 }
2743
2744 dtype = 0;
2745 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2746 if (!(flags & NFT_SET_MAP))
2747 return -EINVAL;
2748
2749 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2750 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2751 dtype != NFT_DATA_VERDICT)
2752 return -EINVAL;
2753
2754 if (dtype != NFT_DATA_VERDICT) {
2755 if (nla[NFTA_SET_DATA_LEN] == NULL)
2756 return -EINVAL;
2757 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2758 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2759 return -EINVAL;
2760 } else
2761 desc.dlen = sizeof(struct nft_verdict);
2762 } else if (flags & NFT_SET_MAP)
2763 return -EINVAL;
2764
2765 timeout = 0;
2766 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2767 if (!(flags & NFT_SET_TIMEOUT))
2768 return -EINVAL;
2769 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_TIMEOUT]));
2770 }
2771 gc_int = 0;
2772 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2773 if (!(flags & NFT_SET_TIMEOUT))
2774 return -EINVAL;
2775 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2776 }
2777
2778 policy = NFT_SET_POL_PERFORMANCE;
2779 if (nla[NFTA_SET_POLICY] != NULL)
2780 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2781
2782 if (nla[NFTA_SET_DESC] != NULL) {
2783 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2784 if (err < 0)
2785 return err;
2786 }
2787
2788 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2789
2790 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2791 if (IS_ERR(afi))
2792 return PTR_ERR(afi);
2793
2794 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2795 if (IS_ERR(table))
2796 return PTR_ERR(table);
2797
2798 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2799
2800 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2801 if (IS_ERR(set)) {
2802 if (PTR_ERR(set) != -ENOENT)
2803 return PTR_ERR(set);
2804 set = NULL;
2805 }
2806
2807 if (set != NULL) {
2808 if (nlh->nlmsg_flags & NLM_F_EXCL)
2809 return -EEXIST;
2810 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2811 return -EOPNOTSUPP;
2812 return 0;
2813 }
2814
2815 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2816 return -ENOENT;
2817
2818 ops = nft_select_set_ops(nla, &desc, policy);
2819 if (IS_ERR(ops))
2820 return PTR_ERR(ops);
2821
2822 size = 0;
2823 if (ops->privsize != NULL)
2824 size = ops->privsize(nla);
2825
2826 err = -ENOMEM;
2827 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2828 if (set == NULL)
2829 goto err1;
2830
2831 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2832 err = nf_tables_set_alloc_name(&ctx, set, name);
2833 if (err < 0)
2834 goto err2;
2835
2836 INIT_LIST_HEAD(&set->bindings);
2837 write_pnet(&set->pnet, net);
2838 set->ops = ops;
2839 set->ktype = ktype;
2840 set->klen = desc.klen;
2841 set->dtype = dtype;
2842 set->dlen = desc.dlen;
2843 set->flags = flags;
2844 set->size = desc.size;
2845 set->policy = policy;
2846 set->timeout = timeout;
2847 set->gc_int = gc_int;
2848
2849 err = ops->init(set, &desc, nla);
2850 if (err < 0)
2851 goto err2;
2852
2853 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2854 if (err < 0)
2855 goto err2;
2856
2857 list_add_tail_rcu(&set->list, &table->sets);
2858 table->use++;
2859 return 0;
2860
2861err2:
2862 kfree(set);
2863err1:
2864 module_put(ops->owner);
2865 return err;
2866}
2867
2868static void nft_set_destroy(struct nft_set *set)
2869{
2870 set->ops->destroy(set);
2871 module_put(set->ops->owner);
2872 kfree(set);
2873}
2874
2875static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2876{
2877 list_del_rcu(&set->list);
2878 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2879 nft_set_destroy(set);
2880}
2881
2882static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2883 const struct nlmsghdr *nlh,
2884 const struct nlattr * const nla[])
2885{
2886 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2887 struct nft_set *set;
2888 struct nft_ctx ctx;
2889 int err;
2890
2891 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2892 return -EAFNOSUPPORT;
2893 if (nla[NFTA_SET_TABLE] == NULL)
2894 return -EINVAL;
2895
2896 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2897 if (err < 0)
2898 return err;
2899
2900 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2901 if (IS_ERR(set))
2902 return PTR_ERR(set);
2903 if (set->flags & NFT_SET_INACTIVE)
2904 return -ENOENT;
2905 if (!list_empty(&set->bindings))
2906 return -EBUSY;
2907
2908 return nft_delset(&ctx, set);
2909}
2910
2911static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2912 const struct nft_set *set,
2913 const struct nft_set_iter *iter,
2914 const struct nft_set_elem *elem)
2915{
2916 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
2917 enum nft_registers dreg;
2918
2919 dreg = nft_type_to_reg(set->dtype);
2920 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
2921 set->dtype == NFT_DATA_VERDICT ?
2922 NFT_DATA_VERDICT : NFT_DATA_VALUE,
2923 set->dlen);
2924}
2925
2926int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2927 struct nft_set_binding *binding)
2928{
2929 struct nft_set_binding *i;
2930 struct nft_set_iter iter;
2931
2932 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2933 return -EBUSY;
2934
2935 if (binding->flags & NFT_SET_MAP) {
2936
2937
2938
2939 list_for_each_entry(i, &set->bindings, list) {
2940 if (binding->flags & NFT_SET_MAP &&
2941 i->chain == binding->chain)
2942 goto bind;
2943 }
2944
2945 iter.skip = 0;
2946 iter.count = 0;
2947 iter.err = 0;
2948 iter.fn = nf_tables_bind_check_setelem;
2949
2950 set->ops->walk(ctx, set, &iter);
2951 if (iter.err < 0) {
2952
2953 if (set->flags & NFT_SET_ANONYMOUS)
2954 nf_tables_set_destroy(ctx, set);
2955
2956 return iter.err;
2957 }
2958 }
2959bind:
2960 binding->chain = ctx->chain;
2961 list_add_tail_rcu(&binding->list, &set->bindings);
2962 return 0;
2963}
2964
2965void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2966 struct nft_set_binding *binding)
2967{
2968 list_del_rcu(&binding->list);
2969
2970 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2971 !(set->flags & NFT_SET_INACTIVE))
2972 nf_tables_set_destroy(ctx, set);
2973}
2974
2975const struct nft_set_ext_type nft_set_ext_types[] = {
2976 [NFT_SET_EXT_KEY] = {
2977 .align = __alignof__(u32),
2978 },
2979 [NFT_SET_EXT_DATA] = {
2980 .align = __alignof__(u32),
2981 },
2982 [NFT_SET_EXT_EXPR] = {
2983 .align = __alignof__(struct nft_expr),
2984 },
2985 [NFT_SET_EXT_FLAGS] = {
2986 .len = sizeof(u8),
2987 .align = __alignof__(u8),
2988 },
2989 [NFT_SET_EXT_TIMEOUT] = {
2990 .len = sizeof(u64),
2991 .align = __alignof__(u64),
2992 },
2993 [NFT_SET_EXT_EXPIRATION] = {
2994 .len = sizeof(unsigned long),
2995 .align = __alignof__(unsigned long),
2996 },
2997 [NFT_SET_EXT_USERDATA] = {
2998 .len = sizeof(struct nft_userdata),
2999 .align = __alignof__(struct nft_userdata),
3000 },
3001};
3002EXPORT_SYMBOL_GPL(nft_set_ext_types);
3003
3004
3005
3006
3007
3008static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3009 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3010 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3011 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3012 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3013 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3014 .len = NFT_USERDATA_MAXLEN },
3015};
3016
3017static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3018 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3019 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3020 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3021 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3022};
3023
3024static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
3025 const struct sk_buff *skb,
3026 const struct nlmsghdr *nlh,
3027 const struct nlattr * const nla[],
3028 bool trans)
3029{
3030 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3031 struct nft_af_info *afi;
3032 struct nft_table *table;
3033 struct net *net = sock_net(skb->sk);
3034
3035 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3036 if (IS_ERR(afi))
3037 return PTR_ERR(afi);
3038
3039 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
3040 if (IS_ERR(table))
3041 return PTR_ERR(table);
3042 if (!trans && (table->flags & NFT_TABLE_INACTIVE))
3043 return -ENOENT;
3044
3045 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
3046 return 0;
3047}
3048
3049static int nf_tables_fill_setelem(struct sk_buff *skb,
3050 const struct nft_set *set,
3051 const struct nft_set_elem *elem)
3052{
3053 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3054 unsigned char *b = skb_tail_pointer(skb);
3055 struct nlattr *nest;
3056
3057 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3058 if (nest == NULL)
3059 goto nla_put_failure;
3060
3061 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3062 NFT_DATA_VALUE, set->klen) < 0)
3063 goto nla_put_failure;
3064
3065 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3066 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3067 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3068 set->dlen) < 0)
3069 goto nla_put_failure;
3070
3071 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3072 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3073 goto nla_put_failure;
3074
3075 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3076 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3077 htonl(*nft_set_ext_flags(ext))))
3078 goto nla_put_failure;
3079
3080 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3081 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3082 cpu_to_be64(*nft_set_ext_timeout(ext))))
3083 goto nla_put_failure;
3084
3085 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3086 unsigned long expires, now = jiffies;
3087
3088 expires = *nft_set_ext_expiration(ext);
3089 if (time_before(now, expires))
3090 expires -= now;
3091 else
3092 expires = 0;
3093
3094 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3095 cpu_to_be64(jiffies_to_msecs(expires))))
3096 goto nla_put_failure;
3097 }
3098
3099 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3100 struct nft_userdata *udata;
3101
3102 udata = nft_set_ext_userdata(ext);
3103 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3104 udata->len + 1, udata->data))
3105 goto nla_put_failure;
3106 }
3107
3108 nla_nest_end(skb, nest);
3109 return 0;
3110
3111nla_put_failure:
3112 nlmsg_trim(skb, b);
3113 return -EMSGSIZE;
3114}
3115
3116struct nft_set_dump_args {
3117 const struct netlink_callback *cb;
3118 struct nft_set_iter iter;
3119 struct sk_buff *skb;
3120};
3121
3122static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3123 const struct nft_set *set,
3124 const struct nft_set_iter *iter,
3125 const struct nft_set_elem *elem)
3126{
3127 struct nft_set_dump_args *args;
3128
3129 args = container_of(iter, struct nft_set_dump_args, iter);
3130 return nf_tables_fill_setelem(args->skb, set, elem);
3131}
3132
3133static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3134{
3135 const struct nft_set *set;
3136 struct nft_set_dump_args args;
3137 struct nft_ctx ctx;
3138 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3139 struct nfgenmsg *nfmsg;
3140 struct nlmsghdr *nlh;
3141 struct nlattr *nest;
3142 u32 portid, seq;
3143 int event, err;
3144
3145 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3146 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3147 if (err < 0)
3148 return err;
3149
3150 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
3151 false);
3152 if (err < 0)
3153 return err;
3154
3155 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3156 if (IS_ERR(set))
3157 return PTR_ERR(set);
3158 if (set->flags & NFT_SET_INACTIVE)
3159 return -ENOENT;
3160
3161 event = NFT_MSG_NEWSETELEM;
3162 event |= NFNL_SUBSYS_NFTABLES << 8;
3163 portid = NETLINK_CB(cb->skb).portid;
3164 seq = cb->nlh->nlmsg_seq;
3165
3166 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3167 NLM_F_MULTI);
3168 if (nlh == NULL)
3169 goto nla_put_failure;
3170
3171 nfmsg = nlmsg_data(nlh);
3172 nfmsg->nfgen_family = ctx.afi->family;
3173 nfmsg->version = NFNETLINK_V0;
3174 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3175
3176 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3177 goto nla_put_failure;
3178 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3179 goto nla_put_failure;
3180
3181 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3182 if (nest == NULL)
3183 goto nla_put_failure;
3184
3185 args.cb = cb;
3186 args.skb = skb;
3187 args.iter.skip = cb->args[0];
3188 args.iter.count = 0;
3189 args.iter.err = 0;
3190 args.iter.fn = nf_tables_dump_setelem;
3191 set->ops->walk(&ctx, set, &args.iter);
3192
3193 nla_nest_end(skb, nest);
3194 nlmsg_end(skb, nlh);
3195
3196 if (args.iter.err && args.iter.err != -EMSGSIZE)
3197 return args.iter.err;
3198 if (args.iter.count == cb->args[0])
3199 return 0;
3200
3201 cb->args[0] = args.iter.count;
3202 return skb->len;
3203
3204nla_put_failure:
3205 return -ENOSPC;
3206}
3207
3208static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
3209 const struct nlmsghdr *nlh,
3210 const struct nlattr * const nla[])
3211{
3212 const struct nft_set *set;
3213 struct nft_ctx ctx;
3214 int err;
3215
3216 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
3217 if (err < 0)
3218 return err;
3219
3220 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3221 if (IS_ERR(set))
3222 return PTR_ERR(set);
3223 if (set->flags & NFT_SET_INACTIVE)
3224 return -ENOENT;
3225
3226 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3227 struct netlink_dump_control c = {
3228 .dump = nf_tables_dump_set,
3229 };
3230 return netlink_dump_start(nlsk, skb, nlh, &c);
3231 }
3232 return -EOPNOTSUPP;
3233}
3234
3235static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3236 const struct nft_ctx *ctx, u32 seq,
3237 u32 portid, int event, u16 flags,
3238 const struct nft_set *set,
3239 const struct nft_set_elem *elem)
3240{
3241 struct nfgenmsg *nfmsg;
3242 struct nlmsghdr *nlh;
3243 struct nlattr *nest;
3244 int err;
3245
3246 event |= NFNL_SUBSYS_NFTABLES << 8;
3247 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3248 flags);
3249 if (nlh == NULL)
3250 goto nla_put_failure;
3251
3252 nfmsg = nlmsg_data(nlh);
3253 nfmsg->nfgen_family = ctx->afi->family;
3254 nfmsg->version = NFNETLINK_V0;
3255 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3256
3257 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3258 goto nla_put_failure;
3259 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3260 goto nla_put_failure;
3261
3262 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3263 if (nest == NULL)
3264 goto nla_put_failure;
3265
3266 err = nf_tables_fill_setelem(skb, set, elem);
3267 if (err < 0)
3268 goto nla_put_failure;
3269
3270 nla_nest_end(skb, nest);
3271
3272 nlmsg_end(skb, nlh);
3273 return 0;
3274
3275nla_put_failure:
3276 nlmsg_trim(skb, nlh);
3277 return -1;
3278}
3279
3280static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3281 const struct nft_set *set,
3282 const struct nft_set_elem *elem,
3283 int event, u16 flags)
3284{
3285 struct net *net = ctx->net;
3286 u32 portid = ctx->portid;
3287 struct sk_buff *skb;
3288 int err;
3289
3290 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3291 return 0;
3292
3293 err = -ENOBUFS;
3294 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3295 if (skb == NULL)
3296 goto err;
3297
3298 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3299 set, elem);
3300 if (err < 0) {
3301 kfree_skb(skb);
3302 goto err;
3303 }
3304
3305 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3306 GFP_KERNEL);
3307err:
3308 if (err < 0)
3309 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3310 return err;
3311}
3312
3313static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3314 int msg_type,
3315 struct nft_set *set)
3316{
3317 struct nft_trans *trans;
3318
3319 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3320 if (trans == NULL)
3321 return NULL;
3322
3323 nft_trans_elem_set(trans) = set;
3324 return trans;
3325}
3326
3327void *nft_set_elem_init(const struct nft_set *set,
3328 const struct nft_set_ext_tmpl *tmpl,
3329 const u32 *key, const u32 *data,
3330 u64 timeout, gfp_t gfp)
3331{
3332 struct nft_set_ext *ext;
3333 void *elem;
3334
3335 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3336 if (elem == NULL)
3337 return NULL;
3338
3339 ext = nft_set_elem_ext(set, elem);
3340 nft_set_ext_init(ext, tmpl);
3341
3342 memcpy(nft_set_ext_key(ext), key, set->klen);
3343 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3344 memcpy(nft_set_ext_data(ext), data, set->dlen);
3345 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3346 *nft_set_ext_expiration(ext) =
3347 jiffies + msecs_to_jiffies(timeout);
3348 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3349 *nft_set_ext_timeout(ext) = timeout;
3350
3351 return elem;
3352}
3353
3354void nft_set_elem_destroy(const struct nft_set *set, void *elem)
3355{
3356 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3357
3358 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3359 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3360 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3361 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3362 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3363
3364 kfree(elem);
3365}
3366EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3367
3368static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3369 const struct nlattr *attr)
3370{
3371 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3372 struct nft_data_desc d1, d2;
3373 struct nft_set_ext_tmpl tmpl;
3374 struct nft_set_ext *ext;
3375 struct nft_set_elem elem;
3376 struct nft_set_binding *binding;
3377 struct nft_userdata *udata;
3378 struct nft_data data;
3379 enum nft_registers dreg;
3380 struct nft_trans *trans;
3381 u64 timeout;
3382 u32 flags;
3383 u8 ulen;
3384 int err;
3385
3386 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3387 nft_set_elem_policy);
3388 if (err < 0)
3389 return err;
3390
3391 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3392 return -EINVAL;
3393
3394 nft_set_ext_prepare(&tmpl);
3395
3396 flags = 0;
3397 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
3398 flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
3399 if (flags & ~NFT_SET_ELEM_INTERVAL_END)
3400 return -EINVAL;
3401 if (!(set->flags & NFT_SET_INTERVAL) &&
3402 flags & NFT_SET_ELEM_INTERVAL_END)
3403 return -EINVAL;
3404 if (flags != 0)
3405 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3406 }
3407
3408 if (set->flags & NFT_SET_MAP) {
3409 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3410 !(flags & NFT_SET_ELEM_INTERVAL_END))
3411 return -EINVAL;
3412 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3413 flags & NFT_SET_ELEM_INTERVAL_END)
3414 return -EINVAL;
3415 } else {
3416 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3417 return -EINVAL;
3418 }
3419
3420 timeout = 0;
3421 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3422 if (!(set->flags & NFT_SET_TIMEOUT))
3423 return -EINVAL;
3424 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_ELEM_TIMEOUT]));
3425 } else if (set->flags & NFT_SET_TIMEOUT) {
3426 timeout = set->timeout;
3427 }
3428
3429 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3430 nla[NFTA_SET_ELEM_KEY]);
3431 if (err < 0)
3432 goto err1;
3433 err = -EINVAL;
3434 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3435 goto err2;
3436
3437 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3438 if (timeout > 0) {
3439 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3440 if (timeout != set->timeout)
3441 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3442 }
3443
3444 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3445 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3446 nla[NFTA_SET_ELEM_DATA]);
3447 if (err < 0)
3448 goto err2;
3449
3450 err = -EINVAL;
3451 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3452 goto err3;
3453
3454 dreg = nft_type_to_reg(set->dtype);
3455 list_for_each_entry(binding, &set->bindings, list) {
3456 struct nft_ctx bind_ctx = {
3457 .afi = ctx->afi,
3458 .table = ctx->table,
3459 .chain = (struct nft_chain *)binding->chain,
3460 };
3461
3462 if (!(binding->flags & NFT_SET_MAP))
3463 continue;
3464
3465 err = nft_validate_register_store(&bind_ctx, dreg,
3466 &data,
3467 d2.type, d2.len);
3468 if (err < 0)
3469 goto err3;
3470 }
3471
3472 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3473 }
3474
3475
3476
3477
3478
3479 ulen = 0;
3480 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3481 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3482 if (ulen > 0)
3483 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3484 ulen);
3485 }
3486
3487 err = -ENOMEM;
3488 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3489 timeout, GFP_KERNEL);
3490 if (elem.priv == NULL)
3491 goto err3;
3492
3493 ext = nft_set_elem_ext(set, elem.priv);
3494 if (flags)
3495 *nft_set_ext_flags(ext) = flags;
3496 if (ulen > 0) {
3497 udata = nft_set_ext_userdata(ext);
3498 udata->len = ulen - 1;
3499 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3500 }
3501
3502 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3503 if (trans == NULL)
3504 goto err4;
3505
3506 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3507 err = set->ops->insert(set, &elem);
3508 if (err < 0)
3509 goto err5;
3510
3511 nft_trans_elem(trans) = elem;
3512 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3513 return 0;
3514
3515err5:
3516 kfree(trans);
3517err4:
3518 kfree(elem.priv);
3519err3:
3520 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3521 nft_data_uninit(&data, d2.type);
3522err2:
3523 nft_data_uninit(&elem.key.val, d1.type);
3524err1:
3525 return err;
3526}
3527
3528static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
3529 const struct nlmsghdr *nlh,
3530 const struct nlattr * const nla[])
3531{
3532 struct net *net = sock_net(skb->sk);
3533 const struct nlattr *attr;
3534 struct nft_set *set;
3535 struct nft_ctx ctx;
3536 int rem, err = 0;
3537
3538 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3539 return -EINVAL;
3540
3541 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
3542 if (err < 0)
3543 return err;
3544
3545 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3546 if (IS_ERR(set)) {
3547 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3548 set = nf_tables_set_lookup_byid(net,
3549 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3550 }
3551 if (IS_ERR(set))
3552 return PTR_ERR(set);
3553 }
3554
3555 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3556 return -EBUSY;
3557
3558 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3559 if (set->size &&
3560 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3561 return -ENFILE;
3562
3563 err = nft_add_set_elem(&ctx, set, attr);
3564 if (err < 0) {
3565 atomic_dec(&set->nelems);
3566 break;
3567 }
3568 }
3569 return err;
3570}
3571
3572static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3573 const struct nlattr *attr)
3574{
3575 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3576 struct nft_data_desc desc;
3577 struct nft_set_elem elem;
3578 struct nft_trans *trans;
3579 int err;
3580
3581 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3582 nft_set_elem_policy);
3583 if (err < 0)
3584 goto err1;
3585
3586 err = -EINVAL;
3587 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3588 goto err1;
3589
3590 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3591 nla[NFTA_SET_ELEM_KEY]);
3592 if (err < 0)
3593 goto err1;
3594
3595 err = -EINVAL;
3596 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3597 goto err2;
3598
3599 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3600 if (trans == NULL) {
3601 err = -ENOMEM;
3602 goto err2;
3603 }
3604
3605 elem.priv = set->ops->deactivate(set, &elem);
3606 if (elem.priv == NULL) {
3607 err = -ENOENT;
3608 goto err3;
3609 }
3610
3611 nft_trans_elem(trans) = elem;
3612 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3613 return 0;
3614
3615err3:
3616 kfree(trans);
3617err2:
3618 nft_data_uninit(&elem.key.val, desc.type);
3619err1:
3620 return err;
3621}
3622
3623static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
3624 const struct nlmsghdr *nlh,
3625 const struct nlattr * const nla[])
3626{
3627 const struct nlattr *attr;
3628 struct nft_set *set;
3629 struct nft_ctx ctx;
3630 int rem, err = 0;
3631
3632 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3633 return -EINVAL;
3634
3635 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
3636 if (err < 0)
3637 return err;
3638
3639 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3640 if (IS_ERR(set))
3641 return PTR_ERR(set);
3642 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3643 return -EBUSY;
3644
3645 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3646 err = nft_del_setelem(&ctx, set, attr);
3647 if (err < 0)
3648 break;
3649
3650 set->ndeact++;
3651 }
3652 return err;
3653}
3654
3655void nft_set_gc_batch_release(struct rcu_head *rcu)
3656{
3657 struct nft_set_gc_batch *gcb;
3658 unsigned int i;
3659
3660 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3661 for (i = 0; i < gcb->head.cnt; i++)
3662 nft_set_elem_destroy(gcb->head.set, gcb->elems[i]);
3663 kfree(gcb);
3664}
3665EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3666
3667struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3668 gfp_t gfp)
3669{
3670 struct nft_set_gc_batch *gcb;
3671
3672 gcb = kzalloc(sizeof(*gcb), gfp);
3673 if (gcb == NULL)
3674 return gcb;
3675 gcb->head.set = set;
3676 return gcb;
3677}
3678EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3679
3680static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3681 u32 portid, u32 seq)
3682{
3683 struct nlmsghdr *nlh;
3684 struct nfgenmsg *nfmsg;
3685 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3686
3687 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3688 if (nlh == NULL)
3689 goto nla_put_failure;
3690
3691 nfmsg = nlmsg_data(nlh);
3692 nfmsg->nfgen_family = AF_UNSPEC;
3693 nfmsg->version = NFNETLINK_V0;
3694 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3695
3696 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3697 goto nla_put_failure;
3698
3699 nlmsg_end(skb, nlh);
3700 return 0;
3701
3702nla_put_failure:
3703 nlmsg_trim(skb, nlh);
3704 return -EMSGSIZE;
3705}
3706
3707static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3708{
3709 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3710 struct sk_buff *skb2;
3711 int err;
3712
3713 if (nlmsg_report(nlh) &&
3714 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3715 return 0;
3716
3717 err = -ENOBUFS;
3718 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3719 if (skb2 == NULL)
3720 goto err;
3721
3722 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3723 nlh->nlmsg_seq);
3724 if (err < 0) {
3725 kfree_skb(skb2);
3726 goto err;
3727 }
3728
3729 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3730 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3731err:
3732 if (err < 0) {
3733 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3734 err);
3735 }
3736 return err;
3737}
3738
3739static int nf_tables_getgen(struct sock *nlsk, struct sk_buff *skb,
3740 const struct nlmsghdr *nlh,
3741 const struct nlattr * const nla[])
3742{
3743 struct net *net = sock_net(skb->sk);
3744 struct sk_buff *skb2;
3745 int err;
3746
3747 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3748 if (skb2 == NULL)
3749 return -ENOMEM;
3750
3751 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3752 nlh->nlmsg_seq);
3753 if (err < 0)
3754 goto err;
3755
3756 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3757err:
3758 kfree_skb(skb2);
3759 return err;
3760}
3761
3762static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3763 [NFT_MSG_NEWTABLE] = {
3764 .call_batch = nf_tables_newtable,
3765 .attr_count = NFTA_TABLE_MAX,
3766 .policy = nft_table_policy,
3767 },
3768 [NFT_MSG_GETTABLE] = {
3769 .call = nf_tables_gettable,
3770 .attr_count = NFTA_TABLE_MAX,
3771 .policy = nft_table_policy,
3772 },
3773 [NFT_MSG_DELTABLE] = {
3774 .call_batch = nf_tables_deltable,
3775 .attr_count = NFTA_TABLE_MAX,
3776 .policy = nft_table_policy,
3777 },
3778 [NFT_MSG_NEWCHAIN] = {
3779 .call_batch = nf_tables_newchain,
3780 .attr_count = NFTA_CHAIN_MAX,
3781 .policy = nft_chain_policy,
3782 },
3783 [NFT_MSG_GETCHAIN] = {
3784 .call = nf_tables_getchain,
3785 .attr_count = NFTA_CHAIN_MAX,
3786 .policy = nft_chain_policy,
3787 },
3788 [NFT_MSG_DELCHAIN] = {
3789 .call_batch = nf_tables_delchain,
3790 .attr_count = NFTA_CHAIN_MAX,
3791 .policy = nft_chain_policy,
3792 },
3793 [NFT_MSG_NEWRULE] = {
3794 .call_batch = nf_tables_newrule,
3795 .attr_count = NFTA_RULE_MAX,
3796 .policy = nft_rule_policy,
3797 },
3798 [NFT_MSG_GETRULE] = {
3799 .call = nf_tables_getrule,
3800 .attr_count = NFTA_RULE_MAX,
3801 .policy = nft_rule_policy,
3802 },
3803 [NFT_MSG_DELRULE] = {
3804 .call_batch = nf_tables_delrule,
3805 .attr_count = NFTA_RULE_MAX,
3806 .policy = nft_rule_policy,
3807 },
3808 [NFT_MSG_NEWSET] = {
3809 .call_batch = nf_tables_newset,
3810 .attr_count = NFTA_SET_MAX,
3811 .policy = nft_set_policy,
3812 },
3813 [NFT_MSG_GETSET] = {
3814 .call = nf_tables_getset,
3815 .attr_count = NFTA_SET_MAX,
3816 .policy = nft_set_policy,
3817 },
3818 [NFT_MSG_DELSET] = {
3819 .call_batch = nf_tables_delset,
3820 .attr_count = NFTA_SET_MAX,
3821 .policy = nft_set_policy,
3822 },
3823 [NFT_MSG_NEWSETELEM] = {
3824 .call_batch = nf_tables_newsetelem,
3825 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3826 .policy = nft_set_elem_list_policy,
3827 },
3828 [NFT_MSG_GETSETELEM] = {
3829 .call = nf_tables_getsetelem,
3830 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3831 .policy = nft_set_elem_list_policy,
3832 },
3833 [NFT_MSG_DELSETELEM] = {
3834 .call_batch = nf_tables_delsetelem,
3835 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3836 .policy = nft_set_elem_list_policy,
3837 },
3838 [NFT_MSG_GETGEN] = {
3839 .call = nf_tables_getgen,
3840 },
3841};
3842
3843static void nft_chain_commit_update(struct nft_trans *trans)
3844{
3845 struct nft_base_chain *basechain;
3846
3847 if (nft_trans_chain_name(trans)[0])
3848 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3849
3850 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3851 return;
3852
3853 basechain = nft_base_chain(trans->ctx.chain);
3854 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3855
3856 switch (nft_trans_chain_policy(trans)) {
3857 case NF_DROP:
3858 case NF_ACCEPT:
3859 basechain->policy = nft_trans_chain_policy(trans);
3860 break;
3861 }
3862}
3863
3864static void nf_tables_commit_release(struct nft_trans *trans)
3865{
3866 switch (trans->msg_type) {
3867 case NFT_MSG_DELTABLE:
3868 nf_tables_table_destroy(&trans->ctx);
3869 break;
3870 case NFT_MSG_DELCHAIN:
3871 nf_tables_chain_destroy(trans->ctx.chain);
3872 break;
3873 case NFT_MSG_DELRULE:
3874 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3875 break;
3876 case NFT_MSG_DELSET:
3877 nft_set_destroy(nft_trans_set(trans));
3878 break;
3879 case NFT_MSG_DELSETELEM:
3880 nft_set_elem_destroy(nft_trans_elem_set(trans),
3881 nft_trans_elem(trans).priv);
3882 break;
3883 }
3884 kfree(trans);
3885}
3886
3887static int nf_tables_commit(struct sk_buff *skb)
3888{
3889 struct net *net = sock_net(skb->sk);
3890 struct nft_trans *trans, *next;
3891 struct nft_trans_elem *te;
3892
3893
3894 while (++net->nft.base_seq == 0);
3895
3896
3897 net->nft.gencursor = nft_gencursor_next(net);
3898
3899
3900
3901
3902 synchronize_rcu();
3903
3904 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3905 switch (trans->msg_type) {
3906 case NFT_MSG_NEWTABLE:
3907 if (nft_trans_table_update(trans)) {
3908 if (!nft_trans_table_enable(trans)) {
3909 nf_tables_table_disable(trans->ctx.afi,
3910 trans->ctx.table);
3911 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3912 }
3913 } else {
3914 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3915 }
3916 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3917 nft_trans_destroy(trans);
3918 break;
3919 case NFT_MSG_DELTABLE:
3920 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3921 break;
3922 case NFT_MSG_NEWCHAIN:
3923 if (nft_trans_chain_update(trans))
3924 nft_chain_commit_update(trans);
3925 else
3926 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3927
3928 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3929 nft_trans_destroy(trans);
3930 break;
3931 case NFT_MSG_DELCHAIN:
3932 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3933 nf_tables_unregister_hooks(trans->ctx.table,
3934 trans->ctx.chain,
3935 trans->ctx.afi->nops);
3936 break;
3937 case NFT_MSG_NEWRULE:
3938 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3939 nf_tables_rule_notify(&trans->ctx,
3940 nft_trans_rule(trans),
3941 NFT_MSG_NEWRULE);
3942 nft_trans_destroy(trans);
3943 break;
3944 case NFT_MSG_DELRULE:
3945 list_del_rcu(&nft_trans_rule(trans)->list);
3946 nf_tables_rule_notify(&trans->ctx,
3947 nft_trans_rule(trans),
3948 NFT_MSG_DELRULE);
3949 break;
3950 case NFT_MSG_NEWSET:
3951 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3952
3953
3954
3955 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
3956 !list_empty(&nft_trans_set(trans)->bindings))
3957 trans->ctx.table->use--;
3958
3959 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3960 NFT_MSG_NEWSET, GFP_KERNEL);
3961 nft_trans_destroy(trans);
3962 break;
3963 case NFT_MSG_DELSET:
3964 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3965 NFT_MSG_DELSET, GFP_KERNEL);
3966 break;
3967 case NFT_MSG_NEWSETELEM:
3968 te = (struct nft_trans_elem *)trans->data;
3969
3970 te->set->ops->activate(te->set, &te->elem);
3971 nf_tables_setelem_notify(&trans->ctx, te->set,
3972 &te->elem,
3973 NFT_MSG_NEWSETELEM, 0);
3974 nft_trans_destroy(trans);
3975 break;
3976 case NFT_MSG_DELSETELEM:
3977 te = (struct nft_trans_elem *)trans->data;
3978
3979 nf_tables_setelem_notify(&trans->ctx, te->set,
3980 &te->elem,
3981 NFT_MSG_DELSETELEM, 0);
3982 te->set->ops->remove(te->set, &te->elem);
3983 atomic_dec(&te->set->nelems);
3984 te->set->ndeact--;
3985 break;
3986 }
3987 }
3988
3989 synchronize_rcu();
3990
3991 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3992 list_del(&trans->list);
3993 nf_tables_commit_release(trans);
3994 }
3995
3996 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
3997
3998 return 0;
3999}
4000
4001static void nf_tables_abort_release(struct nft_trans *trans)
4002{
4003 switch (trans->msg_type) {
4004 case NFT_MSG_NEWTABLE:
4005 nf_tables_table_destroy(&trans->ctx);
4006 break;
4007 case NFT_MSG_NEWCHAIN:
4008 nf_tables_chain_destroy(trans->ctx.chain);
4009 break;
4010 case NFT_MSG_NEWRULE:
4011 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4012 break;
4013 case NFT_MSG_NEWSET:
4014 nft_set_destroy(nft_trans_set(trans));
4015 break;
4016 case NFT_MSG_NEWSETELEM:
4017 nft_set_elem_destroy(nft_trans_elem_set(trans),
4018 nft_trans_elem(trans).priv);
4019 break;
4020 }
4021 kfree(trans);
4022}
4023
4024static int nf_tables_abort(struct sk_buff *skb)
4025{
4026 struct net *net = sock_net(skb->sk);
4027 struct nft_trans *trans, *next;
4028 struct nft_trans_elem *te;
4029
4030 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4031 switch (trans->msg_type) {
4032 case NFT_MSG_NEWTABLE:
4033 if (nft_trans_table_update(trans)) {
4034 if (nft_trans_table_enable(trans)) {
4035 nf_tables_table_disable(trans->ctx.afi,
4036 trans->ctx.table);
4037 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4038 }
4039 nft_trans_destroy(trans);
4040 } else {
4041 list_del_rcu(&trans->ctx.table->list);
4042 }
4043 break;
4044 case NFT_MSG_DELTABLE:
4045 list_add_tail_rcu(&trans->ctx.table->list,
4046 &trans->ctx.afi->tables);
4047 nft_trans_destroy(trans);
4048 break;
4049 case NFT_MSG_NEWCHAIN:
4050 if (nft_trans_chain_update(trans)) {
4051 free_percpu(nft_trans_chain_stats(trans));
4052
4053 nft_trans_destroy(trans);
4054 } else {
4055 trans->ctx.table->use--;
4056 list_del_rcu(&trans->ctx.chain->list);
4057 nf_tables_unregister_hooks(trans->ctx.table,
4058 trans->ctx.chain,
4059 trans->ctx.afi->nops);
4060 }
4061 break;
4062 case NFT_MSG_DELCHAIN:
4063 trans->ctx.table->use++;
4064 list_add_tail_rcu(&trans->ctx.chain->list,
4065 &trans->ctx.table->chains);
4066 nft_trans_destroy(trans);
4067 break;
4068 case NFT_MSG_NEWRULE:
4069 trans->ctx.chain->use--;
4070 list_del_rcu(&nft_trans_rule(trans)->list);
4071 break;
4072 case NFT_MSG_DELRULE:
4073 trans->ctx.chain->use++;
4074 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
4075 nft_trans_destroy(trans);
4076 break;
4077 case NFT_MSG_NEWSET:
4078 trans->ctx.table->use--;
4079 list_del_rcu(&nft_trans_set(trans)->list);
4080 break;
4081 case NFT_MSG_DELSET:
4082 trans->ctx.table->use++;
4083 list_add_tail_rcu(&nft_trans_set(trans)->list,
4084 &trans->ctx.table->sets);
4085 nft_trans_destroy(trans);
4086 break;
4087 case NFT_MSG_NEWSETELEM:
4088 te = (struct nft_trans_elem *)trans->data;
4089
4090 te->set->ops->remove(te->set, &te->elem);
4091 atomic_dec(&te->set->nelems);
4092 break;
4093 case NFT_MSG_DELSETELEM:
4094 te = (struct nft_trans_elem *)trans->data;
4095
4096 te->set->ops->activate(te->set, &te->elem);
4097 te->set->ndeact--;
4098
4099 nft_trans_destroy(trans);
4100 break;
4101 }
4102 }
4103
4104 synchronize_rcu();
4105
4106 list_for_each_entry_safe_reverse(trans, next,
4107 &net->nft.commit_list, list) {
4108 list_del(&trans->list);
4109 nf_tables_abort_release(trans);
4110 }
4111
4112 return 0;
4113}
4114
4115static const struct nfnetlink_subsystem nf_tables_subsys = {
4116 .name = "nf_tables",
4117 .subsys_id = NFNL_SUBSYS_NFTABLES,
4118 .cb_count = NFT_MSG_MAX,
4119 .cb = nf_tables_cb,
4120 .commit = nf_tables_commit,
4121 .abort = nf_tables_abort,
4122};
4123
4124int nft_chain_validate_dependency(const struct nft_chain *chain,
4125 enum nft_chain_type type)
4126{
4127 const struct nft_base_chain *basechain;
4128
4129 if (chain->flags & NFT_BASE_CHAIN) {
4130 basechain = nft_base_chain(chain);
4131 if (basechain->type->type != type)
4132 return -EOPNOTSUPP;
4133 }
4134 return 0;
4135}
4136EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4137
4138int nft_chain_validate_hooks(const struct nft_chain *chain,
4139 unsigned int hook_flags)
4140{
4141 struct nft_base_chain *basechain;
4142
4143 if (chain->flags & NFT_BASE_CHAIN) {
4144 basechain = nft_base_chain(chain);
4145
4146 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4147 return 0;
4148
4149 return -EOPNOTSUPP;
4150 }
4151
4152 return 0;
4153}
4154EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165static int nf_tables_check_loops(const struct nft_ctx *ctx,
4166 const struct nft_chain *chain);
4167
4168static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4169 const struct nft_set *set,
4170 const struct nft_set_iter *iter,
4171 const struct nft_set_elem *elem)
4172{
4173 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4174 const struct nft_data *data;
4175
4176 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4177 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4178 return 0;
4179
4180 data = nft_set_ext_data(ext);
4181 switch (data->verdict.code) {
4182 case NFT_JUMP:
4183 case NFT_GOTO:
4184 return nf_tables_check_loops(ctx, data->verdict.chain);
4185 default:
4186 return 0;
4187 }
4188}
4189
4190static int nf_tables_check_loops(const struct nft_ctx *ctx,
4191 const struct nft_chain *chain)
4192{
4193 const struct nft_rule *rule;
4194 const struct nft_expr *expr, *last;
4195 const struct nft_set *set;
4196 struct nft_set_binding *binding;
4197 struct nft_set_iter iter;
4198
4199 if (ctx->chain == chain)
4200 return -ELOOP;
4201
4202 list_for_each_entry(rule, &chain->rules, list) {
4203 nft_rule_for_each_expr(expr, last, rule) {
4204 const struct nft_data *data = NULL;
4205 int err;
4206
4207 if (!expr->ops->validate)
4208 continue;
4209
4210 err = expr->ops->validate(ctx, expr, &data);
4211 if (err < 0)
4212 return err;
4213
4214 if (data == NULL)
4215 continue;
4216
4217 switch (data->verdict.code) {
4218 case NFT_JUMP:
4219 case NFT_GOTO:
4220 err = nf_tables_check_loops(ctx,
4221 data->verdict.chain);
4222 if (err < 0)
4223 return err;
4224 default:
4225 break;
4226 }
4227 }
4228 }
4229
4230 list_for_each_entry(set, &ctx->table->sets, list) {
4231 if (!(set->flags & NFT_SET_MAP) ||
4232 set->dtype != NFT_DATA_VERDICT)
4233 continue;
4234
4235 list_for_each_entry(binding, &set->bindings, list) {
4236 if (!(binding->flags & NFT_SET_MAP) ||
4237 binding->chain != chain)
4238 continue;
4239
4240 iter.skip = 0;
4241 iter.count = 0;
4242 iter.err = 0;
4243 iter.fn = nf_tables_loop_check_setelem;
4244
4245 set->ops->walk(ctx, set, &iter);
4246 if (iter.err < 0)
4247 return iter.err;
4248 }
4249 }
4250
4251 return 0;
4252}
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263unsigned int nft_parse_register(const struct nlattr *attr)
4264{
4265 unsigned int reg;
4266
4267 reg = ntohl(nla_get_be32(attr));
4268 switch (reg) {
4269 case NFT_REG_VERDICT...NFT_REG_4:
4270 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4271 default:
4272 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4273 }
4274}
4275EXPORT_SYMBOL_GPL(nft_parse_register);
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4289{
4290 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4291 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4292 else
4293 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4294
4295 return nla_put_be32(skb, attr, htonl(reg));
4296}
4297EXPORT_SYMBOL_GPL(nft_dump_register);
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4309{
4310 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4311 return -EINVAL;
4312 if (len == 0)
4313 return -EINVAL;
4314 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4315 return -ERANGE;
4316
4317 return 0;
4318}
4319EXPORT_SYMBOL_GPL(nft_validate_register_load);
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335int nft_validate_register_store(const struct nft_ctx *ctx,
4336 enum nft_registers reg,
4337 const struct nft_data *data,
4338 enum nft_data_types type, unsigned int len)
4339{
4340 int err;
4341
4342 switch (reg) {
4343 case NFT_REG_VERDICT:
4344 if (type != NFT_DATA_VERDICT)
4345 return -EINVAL;
4346
4347 if (data != NULL &&
4348 (data->verdict.code == NFT_GOTO ||
4349 data->verdict.code == NFT_JUMP)) {
4350 err = nf_tables_check_loops(ctx, data->verdict.chain);
4351 if (err < 0)
4352 return err;
4353
4354 if (ctx->chain->level + 1 >
4355 data->verdict.chain->level) {
4356 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4357 return -EMLINK;
4358 data->verdict.chain->level = ctx->chain->level + 1;
4359 }
4360 }
4361
4362 return 0;
4363 default:
4364 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4365 return -EINVAL;
4366 if (len == 0)
4367 return -EINVAL;
4368 if (reg * NFT_REG32_SIZE + len >
4369 FIELD_SIZEOF(struct nft_regs, data))
4370 return -ERANGE;
4371
4372 if (data != NULL && type != NFT_DATA_VALUE)
4373 return -EINVAL;
4374 return 0;
4375 }
4376}
4377EXPORT_SYMBOL_GPL(nft_validate_register_store);
4378
4379static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4380 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4381 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4382 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4383};
4384
4385static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4386 struct nft_data_desc *desc, const struct nlattr *nla)
4387{
4388 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4389 struct nft_chain *chain;
4390 int err;
4391
4392 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4393 if (err < 0)
4394 return err;
4395
4396 if (!tb[NFTA_VERDICT_CODE])
4397 return -EINVAL;
4398 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4399
4400 switch (data->verdict.code) {
4401 default:
4402 switch (data->verdict.code & NF_VERDICT_MASK) {
4403 case NF_ACCEPT:
4404 case NF_DROP:
4405 case NF_QUEUE:
4406 break;
4407 default:
4408 return -EINVAL;
4409 }
4410
4411 case NFT_CONTINUE:
4412 case NFT_BREAK:
4413 case NFT_RETURN:
4414 break;
4415 case NFT_JUMP:
4416 case NFT_GOTO:
4417 if (!tb[NFTA_VERDICT_CHAIN])
4418 return -EINVAL;
4419 chain = nf_tables_chain_lookup(ctx->table,
4420 tb[NFTA_VERDICT_CHAIN]);
4421 if (IS_ERR(chain))
4422 return PTR_ERR(chain);
4423 if (chain->flags & NFT_BASE_CHAIN)
4424 return -EOPNOTSUPP;
4425
4426 chain->use++;
4427 data->verdict.chain = chain;
4428 break;
4429 }
4430
4431 desc->len = sizeof(data->verdict);
4432 desc->type = NFT_DATA_VERDICT;
4433 return 0;
4434}
4435
4436static void nft_verdict_uninit(const struct nft_data *data)
4437{
4438 switch (data->verdict.code) {
4439 case NFT_JUMP:
4440 case NFT_GOTO:
4441 data->verdict.chain->use--;
4442 break;
4443 }
4444}
4445
4446static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
4447{
4448 struct nlattr *nest;
4449
4450 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
4451 if (!nest)
4452 goto nla_put_failure;
4453
4454 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict.code)))
4455 goto nla_put_failure;
4456
4457 switch (data->verdict.code) {
4458 case NFT_JUMP:
4459 case NFT_GOTO:
4460 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4461 data->verdict.chain->name))
4462 goto nla_put_failure;
4463 }
4464 nla_nest_end(skb, nest);
4465 return 0;
4466
4467nla_put_failure:
4468 return -1;
4469}
4470
4471static int nft_value_init(const struct nft_ctx *ctx,
4472 struct nft_data *data, unsigned int size,
4473 struct nft_data_desc *desc, const struct nlattr *nla)
4474{
4475 unsigned int len;
4476
4477 len = nla_len(nla);
4478 if (len == 0)
4479 return -EINVAL;
4480 if (len > size)
4481 return -EOVERFLOW;
4482
4483 nla_memcpy(data->data, nla, len);
4484 desc->type = NFT_DATA_VALUE;
4485 desc->len = len;
4486 return 0;
4487}
4488
4489static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4490 unsigned int len)
4491{
4492 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4493}
4494
4495static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4496 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4497 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4498};
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514
4515int nft_data_init(const struct nft_ctx *ctx,
4516 struct nft_data *data, unsigned int size,
4517 struct nft_data_desc *desc, const struct nlattr *nla)
4518{
4519 struct nlattr *tb[NFTA_DATA_MAX + 1];
4520 int err;
4521
4522 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4523 if (err < 0)
4524 return err;
4525
4526 if (tb[NFTA_DATA_VALUE])
4527 return nft_value_init(ctx, data, size, desc,
4528 tb[NFTA_DATA_VALUE]);
4529 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4530 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4531 return -EINVAL;
4532}
4533EXPORT_SYMBOL_GPL(nft_data_init);
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543
4544void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4545{
4546 if (type < NFT_DATA_VERDICT)
4547 return;
4548 switch (type) {
4549 case NFT_DATA_VERDICT:
4550 return nft_verdict_uninit(data);
4551 default:
4552 WARN_ON(1);
4553 }
4554}
4555EXPORT_SYMBOL_GPL(nft_data_uninit);
4556
4557int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4558 enum nft_data_types type, unsigned int len)
4559{
4560 struct nlattr *nest;
4561 int err;
4562
4563 nest = nla_nest_start(skb, attr);
4564 if (nest == NULL)
4565 return -1;
4566
4567 switch (type) {
4568 case NFT_DATA_VALUE:
4569 err = nft_value_dump(skb, data, len);
4570 break;
4571 case NFT_DATA_VERDICT:
4572 err = nft_verdict_dump(skb, data);
4573 break;
4574 default:
4575 err = -EINVAL;
4576 WARN_ON(1);
4577 }
4578
4579 nla_nest_end(skb, nest);
4580 return err;
4581}
4582EXPORT_SYMBOL_GPL(nft_data_dump);
4583
4584static int nf_tables_init_net(struct net *net)
4585{
4586 INIT_LIST_HEAD(&net->nft.af_info);
4587 INIT_LIST_HEAD(&net->nft.commit_list);
4588 net->nft.base_seq = 1;
4589 return 0;
4590}
4591
4592static struct pernet_operations nf_tables_net_ops = {
4593 .init = nf_tables_init_net,
4594};
4595
4596static int __init nf_tables_module_init(void)
4597{
4598 int err;
4599
4600 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4601 GFP_KERNEL);
4602 if (info == NULL) {
4603 err = -ENOMEM;
4604 goto err1;
4605 }
4606
4607 err = nf_tables_core_module_init();
4608 if (err < 0)
4609 goto err2;
4610
4611 err = nfnetlink_subsys_register(&nf_tables_subsys);
4612 if (err < 0)
4613 goto err3;
4614
4615 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4616 return register_pernet_subsys(&nf_tables_net_ops);
4617err3:
4618 nf_tables_core_module_exit();
4619err2:
4620 kfree(info);
4621err1:
4622 return err;
4623}
4624
4625static void __exit nf_tables_module_exit(void)
4626{
4627 unregister_pernet_subsys(&nf_tables_net_ops);
4628 nfnetlink_subsys_unregister(&nf_tables_subsys);
4629 rcu_barrier();
4630 nf_tables_core_module_exit();
4631 kfree(info);
4632}
4633
4634module_init(nf_tables_module_init);
4635module_exit(nf_tables_module_exit);
4636
4637MODULE_LICENSE("GPL");
4638MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4639MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
4640
