1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/netfilter.h>
17#include <linux/netfilter/nfnetlink.h>
18#include <linux/netfilter/nf_tables.h>
19#include <net/netfilter/nf_tables_core.h>
20#include <net/netfilter/nf_tables.h>
21#include <net/net_namespace.h>
22#include <net/sock.h>
23
24static LIST_HEAD(nf_tables_expressions);
25
26
27
28
29
30
31
32
33
34int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
35{
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
40 return 0;
41}
42EXPORT_SYMBOL_GPL(nft_register_afinfo);
43
44static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
45
46
47
48
49
50
51
52
53void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
54{
55 nfnl_lock(NFNL_SUBSYS_NFTABLES);
56 __nft_release_afinfo(net, afi);
57 list_del_rcu(&afi->list);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
59}
60EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
61
62static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
63{
64 struct nft_af_info *afi;
65
66 list_for_each_entry(afi, &net->nft.af_info, list) {
67 if (afi->family == family)
68 return afi;
69 }
70 return NULL;
71}
72
73static struct nft_af_info *
74nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
75{
76 struct nft_af_info *afi;
77
78 afi = nft_afinfo_lookup(net, family);
79 if (afi != NULL)
80 return afi;
81#ifdef CONFIG_MODULES
82 if (autoload) {
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
84 request_module("nft-afinfo-%u", family);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES);
86 afi = nft_afinfo_lookup(net, family);
87 if (afi != NULL)
88 return ERR_PTR(-EAGAIN);
89 }
90#endif
91 return ERR_PTR(-EAFNOSUPPORT);
92}
93
94static void nft_ctx_init(struct nft_ctx *ctx,
95 struct net *net,
96 const struct sk_buff *skb,
97 const struct nlmsghdr *nlh,
98 struct nft_af_info *afi,
99 struct nft_table *table,
100 struct nft_chain *chain,
101 const struct nlattr * const *nla)
102{
103 ctx->net = net;
104 ctx->afi = afi;
105 ctx->table = table;
106 ctx->chain = chain;
107 ctx->nla = nla;
108 ctx->portid = NETLINK_CB(skb).portid;
109 ctx->report = nlmsg_report(nlh);
110 ctx->seq = nlh->nlmsg_seq;
111}
112
113static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
114 u32 size)
115{
116 struct nft_trans *trans;
117
118 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
119 if (trans == NULL)
120 return NULL;
121
122 trans->msg_type = msg_type;
123 trans->ctx = *ctx;
124
125 return trans;
126}
127
128static void nft_trans_destroy(struct nft_trans *trans)
129{
130 list_del(&trans->list);
131 kfree(trans);
132}
133
134static int nft_register_basechain(struct nft_base_chain *basechain,
135 unsigned int hook_nops)
136{
137 struct net *net = read_pnet(&basechain->pnet);
138
139 if (basechain->flags & NFT_BASECHAIN_DISABLED)
140 return 0;
141
142 return nf_register_net_hooks(net, basechain->ops, hook_nops);
143}
144
145static void nft_unregister_basechain(struct nft_base_chain *basechain,
146 unsigned int hook_nops)
147{
148 struct net *net = read_pnet(&basechain->pnet);
149
150 if (basechain->flags & NFT_BASECHAIN_DISABLED)
151 return;
152
153 nf_unregister_net_hooks(net, basechain->ops, hook_nops);
154}
155
156static int nf_tables_register_hooks(const struct nft_table *table,
157 struct nft_chain *chain,
158 unsigned int hook_nops)
159{
160 if (table->flags & NFT_TABLE_F_DORMANT ||
161 !(chain->flags & NFT_BASE_CHAIN))
162 return 0;
163
164 return nft_register_basechain(nft_base_chain(chain), hook_nops);
165}
166
167static void nf_tables_unregister_hooks(const struct nft_table *table,
168 struct nft_chain *chain,
169 unsigned int hook_nops)
170{
171 if (table->flags & NFT_TABLE_F_DORMANT ||
172 !(chain->flags & NFT_BASE_CHAIN))
173 return;
174
175 nft_unregister_basechain(nft_base_chain(chain), hook_nops);
176}
177
178
179#define NFT_TABLE_INACTIVE (1 << 15)
180
181static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
182{
183 struct nft_trans *trans;
184
185 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
186 if (trans == NULL)
187 return -ENOMEM;
188
189 if (msg_type == NFT_MSG_NEWTABLE)
190 ctx->table->flags |= NFT_TABLE_INACTIVE;
191
192 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
193 return 0;
194}
195
196static int nft_deltable(struct nft_ctx *ctx)
197{
198 int err;
199
200 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
201 if (err < 0)
202 return err;
203
204 list_del_rcu(&ctx->table->list);
205 return err;
206}
207
208static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
209{
210 struct nft_trans *trans;
211
212 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
213 if (trans == NULL)
214 return -ENOMEM;
215
216 if (msg_type == NFT_MSG_NEWCHAIN)
217 ctx->chain->flags |= NFT_CHAIN_INACTIVE;
218
219 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
220 return 0;
221}
222
223static int nft_delchain(struct nft_ctx *ctx)
224{
225 int err;
226
227 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
228 if (err < 0)
229 return err;
230
231 ctx->table->use--;
232 list_del_rcu(&ctx->chain->list);
233
234 return err;
235}
236
237static inline bool
238nft_rule_is_active(struct net *net, const struct nft_rule *rule)
239{
240 return (rule->genmask & nft_genmask_cur(net)) == 0;
241}
242
243static inline int
244nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
245{
246 return (rule->genmask & nft_genmask_next(net)) == 0;
247}
248
249static inline void
250nft_rule_activate_next(struct net *net, struct nft_rule *rule)
251{
252
253 rule->genmask = nft_genmask_cur(net);
254}
255
256static inline void
257nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
258{
259 rule->genmask = nft_genmask_next(net);
260}
261
262static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
263{
264 rule->genmask &= ~nft_genmask_next(net);
265}
266
267static int
268nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
269{
270
271 if (nft_rule_is_active_next(ctx->net, rule)) {
272 nft_rule_deactivate_next(ctx->net, rule);
273 ctx->chain->use--;
274 return 0;
275 }
276 return -ENOENT;
277}
278
279static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
280 struct nft_rule *rule)
281{
282 struct nft_trans *trans;
283
284 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
285 if (trans == NULL)
286 return NULL;
287
288 nft_trans_rule(trans) = rule;
289 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
290
291 return trans;
292}
293
294static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
295{
296 struct nft_trans *trans;
297 int err;
298
299 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
300 if (trans == NULL)
301 return -ENOMEM;
302
303 err = nf_tables_delrule_deactivate(ctx, rule);
304 if (err < 0) {
305 nft_trans_destroy(trans);
306 return err;
307 }
308
309 return 0;
310}
311
312static int nft_delrule_by_chain(struct nft_ctx *ctx)
313{
314 struct nft_rule *rule;
315 int err;
316
317 list_for_each_entry(rule, &ctx->chain->rules, list) {
318 err = nft_delrule(ctx, rule);
319 if (err < 0)
320 return err;
321 }
322 return 0;
323}
324
325
326#define NFT_SET_INACTIVE (1 << 15)
327
328static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
329 struct nft_set *set)
330{
331 struct nft_trans *trans;
332
333 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
334 if (trans == NULL)
335 return -ENOMEM;
336
337 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
338 nft_trans_set_id(trans) =
339 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
340 set->flags |= NFT_SET_INACTIVE;
341 }
342 nft_trans_set(trans) = set;
343 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
344
345 return 0;
346}
347
348static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
349{
350 int err;
351
352 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
353 if (err < 0)
354 return err;
355
356 list_del_rcu(&set->list);
357 ctx->table->use--;
358
359 return err;
360}
361
362
363
364
365
366static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
367 const struct nlattr *nla)
368{
369 struct nft_table *table;
370
371 list_for_each_entry(table, &afi->tables, list) {
372 if (!nla_strcmp(nla, table->name))
373 return table;
374 }
375 return NULL;
376}
377
378static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
379 const struct nlattr *nla)
380{
381 struct nft_table *table;
382
383 if (nla == NULL)
384 return ERR_PTR(-EINVAL);
385
386 table = nft_table_lookup(afi, nla);
387 if (table != NULL)
388 return table;
389
390 return ERR_PTR(-ENOENT);
391}
392
393static inline u64 nf_tables_alloc_handle(struct nft_table *table)
394{
395 return ++table->hgenerator;
396}
397
398static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
399
400static const struct nf_chain_type *
401__nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
402{
403 int i;
404
405 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
406 if (chain_type[family][i] != NULL &&
407 !nla_strcmp(nla, chain_type[family][i]->name))
408 return chain_type[family][i];
409 }
410 return NULL;
411}
412
413static const struct nf_chain_type *
414nf_tables_chain_type_lookup(const struct nft_af_info *afi,
415 const struct nlattr *nla,
416 bool autoload)
417{
418 const struct nf_chain_type *type;
419
420 type = __nf_tables_chain_type_lookup(afi->family, nla);
421 if (type != NULL)
422 return type;
423#ifdef CONFIG_MODULES
424 if (autoload) {
425 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
426 request_module("nft-chain-%u-%.*s", afi->family,
427 nla_len(nla), (const char *)nla_data(nla));
428 nfnl_lock(NFNL_SUBSYS_NFTABLES);
429 type = __nf_tables_chain_type_lookup(afi->family, nla);
430 if (type != NULL)
431 return ERR_PTR(-EAGAIN);
432 }
433#endif
434 return ERR_PTR(-ENOENT);
435}
436
437static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
438 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
439 .len = NFT_TABLE_MAXNAMELEN - 1 },
440 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
441};
442
443static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
444 u32 portid, u32 seq, int event, u32 flags,
445 int family, const struct nft_table *table)
446{
447 struct nlmsghdr *nlh;
448 struct nfgenmsg *nfmsg;
449
450 event |= NFNL_SUBSYS_NFTABLES << 8;
451 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
452 if (nlh == NULL)
453 goto nla_put_failure;
454
455 nfmsg = nlmsg_data(nlh);
456 nfmsg->nfgen_family = family;
457 nfmsg->version = NFNETLINK_V0;
458 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
459
460 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
461 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
462 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
463 goto nla_put_failure;
464
465 nlmsg_end(skb, nlh);
466 return 0;
467
468nla_put_failure:
469 nlmsg_trim(skb, nlh);
470 return -1;
471}
472
473static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
474{
475 struct sk_buff *skb;
476 int err;
477
478 if (!ctx->report &&
479 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
480 return 0;
481
482 err = -ENOBUFS;
483 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
484 if (skb == NULL)
485 goto err;
486
487 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
488 event, 0, ctx->afi->family, ctx->table);
489 if (err < 0) {
490 kfree_skb(skb);
491 goto err;
492 }
493
494 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
495 ctx->report, GFP_KERNEL);
496err:
497 if (err < 0) {
498 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
499 err);
500 }
501 return err;
502}
503
504static int nf_tables_dump_tables(struct sk_buff *skb,
505 struct netlink_callback *cb)
506{
507 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
508 const struct nft_af_info *afi;
509 const struct nft_table *table;
510 unsigned int idx = 0, s_idx = cb->args[0];
511 struct net *net = sock_net(skb->sk);
512 int family = nfmsg->nfgen_family;
513
514 rcu_read_lock();
515 cb->seq = net->nft.base_seq;
516
517 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
518 if (family != NFPROTO_UNSPEC && family != afi->family)
519 continue;
520
521 list_for_each_entry_rcu(table, &afi->tables, list) {
522 if (idx < s_idx)
523 goto cont;
524 if (idx > s_idx)
525 memset(&cb->args[1], 0,
526 sizeof(cb->args) - sizeof(cb->args[0]));
527 if (nf_tables_fill_table_info(skb, net,
528 NETLINK_CB(cb->skb).portid,
529 cb->nlh->nlmsg_seq,
530 NFT_MSG_NEWTABLE,
531 NLM_F_MULTI,
532 afi->family, table) < 0)
533 goto done;
534
535 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
536cont:
537 idx++;
538 }
539 }
540done:
541 rcu_read_unlock();
542 cb->args[0] = idx;
543 return skb->len;
544}
545
546static int nf_tables_gettable(struct net *net, struct sock *nlsk,
547 struct sk_buff *skb, const struct nlmsghdr *nlh,
548 const struct nlattr * const nla[])
549{
550 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
551 const struct nft_af_info *afi;
552 const struct nft_table *table;
553 struct sk_buff *skb2;
554 int family = nfmsg->nfgen_family;
555 int err;
556
557 if (nlh->nlmsg_flags & NLM_F_DUMP) {
558 struct netlink_dump_control c = {
559 .dump = nf_tables_dump_tables,
560 };
561 return netlink_dump_start(nlsk, skb, nlh, &c);
562 }
563
564 afi = nf_tables_afinfo_lookup(net, family, false);
565 if (IS_ERR(afi))
566 return PTR_ERR(afi);
567
568 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
569 if (IS_ERR(table))
570 return PTR_ERR(table);
571 if (table->flags & NFT_TABLE_INACTIVE)
572 return -ENOENT;
573
574 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
575 if (!skb2)
576 return -ENOMEM;
577
578 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
579 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
580 family, table);
581 if (err < 0)
582 goto err;
583
584 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
585
586err:
587 kfree_skb(skb2);
588 return err;
589}
590
591static int nf_tables_table_enable(const struct nft_af_info *afi,
592 struct nft_table *table)
593{
594 struct nft_chain *chain;
595 int err, i = 0;
596
597 list_for_each_entry(chain, &table->chains, list) {
598 if (!(chain->flags & NFT_BASE_CHAIN))
599 continue;
600
601 err = nft_register_basechain(nft_base_chain(chain), afi->nops);
602 if (err < 0)
603 goto err;
604
605 i++;
606 }
607 return 0;
608err:
609 list_for_each_entry(chain, &table->chains, list) {
610 if (!(chain->flags & NFT_BASE_CHAIN))
611 continue;
612
613 if (i-- <= 0)
614 break;
615
616 nft_unregister_basechain(nft_base_chain(chain), afi->nops);
617 }
618 return err;
619}
620
621static void nf_tables_table_disable(const struct nft_af_info *afi,
622 struct nft_table *table)
623{
624 struct nft_chain *chain;
625
626 list_for_each_entry(chain, &table->chains, list) {
627 if (chain->flags & NFT_BASE_CHAIN)
628 nft_unregister_basechain(nft_base_chain(chain),
629 afi->nops);
630 }
631}
632
633static int nf_tables_updtable(struct nft_ctx *ctx)
634{
635 struct nft_trans *trans;
636 u32 flags;
637 int ret = 0;
638
639 if (!ctx->nla[NFTA_TABLE_FLAGS])
640 return 0;
641
642 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
643 if (flags & ~NFT_TABLE_F_DORMANT)
644 return -EINVAL;
645
646 if (flags == ctx->table->flags)
647 return 0;
648
649 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
650 sizeof(struct nft_trans_table));
651 if (trans == NULL)
652 return -ENOMEM;
653
654 if ((flags & NFT_TABLE_F_DORMANT) &&
655 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
656 nft_trans_table_enable(trans) = false;
657 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
658 ctx->table->flags & NFT_TABLE_F_DORMANT) {
659 ret = nf_tables_table_enable(ctx->afi, ctx->table);
660 if (ret >= 0) {
661 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
662 nft_trans_table_enable(trans) = true;
663 }
664 }
665 if (ret < 0)
666 goto err;
667
668 nft_trans_table_update(trans) = true;
669 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
670 return 0;
671err:
672 nft_trans_destroy(trans);
673 return ret;
674}
675
676static int nf_tables_newtable(struct net *net, struct sock *nlsk,
677 struct sk_buff *skb, const struct nlmsghdr *nlh,
678 const struct nlattr * const nla[])
679{
680 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
681 const struct nlattr *name;
682 struct nft_af_info *afi;
683 struct nft_table *table;
684 int family = nfmsg->nfgen_family;
685 u32 flags = 0;
686 struct nft_ctx ctx;
687 int err;
688
689 afi = nf_tables_afinfo_lookup(net, family, true);
690 if (IS_ERR(afi))
691 return PTR_ERR(afi);
692
693 name = nla[NFTA_TABLE_NAME];
694 table = nf_tables_table_lookup(afi, name);
695 if (IS_ERR(table)) {
696 if (PTR_ERR(table) != -ENOENT)
697 return PTR_ERR(table);
698 table = NULL;
699 }
700
701 if (table != NULL) {
702 if (table->flags & NFT_TABLE_INACTIVE)
703 return -ENOENT;
704 if (nlh->nlmsg_flags & NLM_F_EXCL)
705 return -EEXIST;
706 if (nlh->nlmsg_flags & NLM_F_REPLACE)
707 return -EOPNOTSUPP;
708
709 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
710 return nf_tables_updtable(&ctx);
711 }
712
713 if (nla[NFTA_TABLE_FLAGS]) {
714 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
715 if (flags & ~NFT_TABLE_F_DORMANT)
716 return -EINVAL;
717 }
718
719 err = -EAFNOSUPPORT;
720 if (!try_module_get(afi->owner))
721 goto err1;
722
723 err = -ENOMEM;
724 table = kzalloc(sizeof(*table), GFP_KERNEL);
725 if (table == NULL)
726 goto err2;
727
728 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
729 INIT_LIST_HEAD(&table->chains);
730 INIT_LIST_HEAD(&table->sets);
731 table->flags = flags;
732
733 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
734 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
735 if (err < 0)
736 goto err3;
737
738 list_add_tail_rcu(&table->list, &afi->tables);
739 return 0;
740err3:
741 kfree(table);
742err2:
743 module_put(afi->owner);
744err1:
745 return err;
746}
747
748static int nft_flush_table(struct nft_ctx *ctx)
749{
750 int err;
751 struct nft_chain *chain, *nc;
752 struct nft_set *set, *ns;
753
754 list_for_each_entry(chain, &ctx->table->chains, list) {
755 ctx->chain = chain;
756
757 err = nft_delrule_by_chain(ctx);
758 if (err < 0)
759 goto out;
760 }
761
762 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
763 if (set->flags & NFT_SET_ANONYMOUS &&
764 !list_empty(&set->bindings))
765 continue;
766
767 err = nft_delset(ctx, set);
768 if (err < 0)
769 goto out;
770 }
771
772 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
773 ctx->chain = chain;
774
775 err = nft_delchain(ctx);
776 if (err < 0)
777 goto out;
778 }
779
780 err = nft_deltable(ctx);
781out:
782 return err;
783}
784
785static int nft_flush(struct nft_ctx *ctx, int family)
786{
787 struct nft_af_info *afi;
788 struct nft_table *table, *nt;
789 const struct nlattr * const *nla = ctx->nla;
790 int err = 0;
791
792 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
793 if (family != AF_UNSPEC && afi->family != family)
794 continue;
795
796 ctx->afi = afi;
797 list_for_each_entry_safe(table, nt, &afi->tables, list) {
798 if (nla[NFTA_TABLE_NAME] &&
799 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
800 continue;
801
802 ctx->table = table;
803
804 err = nft_flush_table(ctx);
805 if (err < 0)
806 goto out;
807 }
808 }
809out:
810 return err;
811}
812
813static int nf_tables_deltable(struct net *net, struct sock *nlsk,
814 struct sk_buff *skb, const struct nlmsghdr *nlh,
815 const struct nlattr * const nla[])
816{
817 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
818 struct nft_af_info *afi;
819 struct nft_table *table;
820 int family = nfmsg->nfgen_family;
821 struct nft_ctx ctx;
822
823 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
824 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
825 return nft_flush(&ctx, family);
826
827 afi = nf_tables_afinfo_lookup(net, family, false);
828 if (IS_ERR(afi))
829 return PTR_ERR(afi);
830
831 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
832 if (IS_ERR(table))
833 return PTR_ERR(table);
834
835 ctx.afi = afi;
836 ctx.table = table;
837
838 return nft_flush_table(&ctx);
839}
840
841static void nf_tables_table_destroy(struct nft_ctx *ctx)
842{
843 BUG_ON(ctx->table->use > 0);
844
845 kfree(ctx->table);
846 module_put(ctx->afi->owner);
847}
848
849int nft_register_chain_type(const struct nf_chain_type *ctype)
850{
851 int err = 0;
852
853 nfnl_lock(NFNL_SUBSYS_NFTABLES);
854 if (chain_type[ctype->family][ctype->type] != NULL) {
855 err = -EBUSY;
856 goto out;
857 }
858 chain_type[ctype->family][ctype->type] = ctype;
859out:
860 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
861 return err;
862}
863EXPORT_SYMBOL_GPL(nft_register_chain_type);
864
865void nft_unregister_chain_type(const struct nf_chain_type *ctype)
866{
867 nfnl_lock(NFNL_SUBSYS_NFTABLES);
868 chain_type[ctype->family][ctype->type] = NULL;
869 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
870}
871EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
872
873
874
875
876
877static struct nft_chain *
878nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
879{
880 struct nft_chain *chain;
881
882 list_for_each_entry(chain, &table->chains, list) {
883 if (chain->handle == handle)
884 return chain;
885 }
886
887 return ERR_PTR(-ENOENT);
888}
889
890static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
891 const struct nlattr *nla)
892{
893 struct nft_chain *chain;
894
895 if (nla == NULL)
896 return ERR_PTR(-EINVAL);
897
898 list_for_each_entry(chain, &table->chains, list) {
899 if (!nla_strcmp(nla, chain->name))
900 return chain;
901 }
902
903 return ERR_PTR(-ENOENT);
904}
905
906static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
907 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
908 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
909 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
910 .len = NFT_CHAIN_MAXNAMELEN - 1 },
911 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
912 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
913 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
914 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
915};
916
917static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
918 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
919 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
920 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
921 .len = IFNAMSIZ - 1 },
922};
923
924static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
925{
926 struct nft_stats *cpu_stats, total;
927 struct nlattr *nest;
928 unsigned int seq;
929 u64 pkts, bytes;
930 int cpu;
931
932 memset(&total, 0, sizeof(total));
933 for_each_possible_cpu(cpu) {
934 cpu_stats = per_cpu_ptr(stats, cpu);
935 do {
936 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
937 pkts = cpu_stats->pkts;
938 bytes = cpu_stats->bytes;
939 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
940 total.pkts += pkts;
941 total.bytes += bytes;
942 }
943 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
944 if (nest == NULL)
945 goto nla_put_failure;
946
947 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
948 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
949 goto nla_put_failure;
950
951 nla_nest_end(skb, nest);
952 return 0;
953
954nla_put_failure:
955 return -ENOSPC;
956}
957
958static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
959 u32 portid, u32 seq, int event, u32 flags,
960 int family, const struct nft_table *table,
961 const struct nft_chain *chain)
962{
963 struct nlmsghdr *nlh;
964 struct nfgenmsg *nfmsg;
965
966 event |= NFNL_SUBSYS_NFTABLES << 8;
967 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
968 if (nlh == NULL)
969 goto nla_put_failure;
970
971 nfmsg = nlmsg_data(nlh);
972 nfmsg->nfgen_family = family;
973 nfmsg->version = NFNETLINK_V0;
974 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
975
976 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
977 goto nla_put_failure;
978 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
979 goto nla_put_failure;
980 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
981 goto nla_put_failure;
982
983 if (chain->flags & NFT_BASE_CHAIN) {
984 const struct nft_base_chain *basechain = nft_base_chain(chain);
985 const struct nf_hook_ops *ops = &basechain->ops[0];
986 struct nlattr *nest;
987
988 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
989 if (nest == NULL)
990 goto nla_put_failure;
991 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
992 goto nla_put_failure;
993 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
994 goto nla_put_failure;
995 if (basechain->dev_name[0] &&
996 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
997 goto nla_put_failure;
998 nla_nest_end(skb, nest);
999
1000 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1001 htonl(basechain->policy)))
1002 goto nla_put_failure;
1003
1004 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1005 goto nla_put_failure;
1006
1007 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
1008 goto nla_put_failure;
1009 }
1010
1011 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1012 goto nla_put_failure;
1013
1014 nlmsg_end(skb, nlh);
1015 return 0;
1016
1017nla_put_failure:
1018 nlmsg_trim(skb, nlh);
1019 return -1;
1020}
1021
1022static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1023{
1024 struct sk_buff *skb;
1025 int err;
1026
1027 if (!ctx->report &&
1028 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1029 return 0;
1030
1031 err = -ENOBUFS;
1032 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1033 if (skb == NULL)
1034 goto err;
1035
1036 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1037 event, 0, ctx->afi->family, ctx->table,
1038 ctx->chain);
1039 if (err < 0) {
1040 kfree_skb(skb);
1041 goto err;
1042 }
1043
1044 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1045 ctx->report, GFP_KERNEL);
1046err:
1047 if (err < 0) {
1048 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1049 err);
1050 }
1051 return err;
1052}
1053
1054static int nf_tables_dump_chains(struct sk_buff *skb,
1055 struct netlink_callback *cb)
1056{
1057 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1058 const struct nft_af_info *afi;
1059 const struct nft_table *table;
1060 const struct nft_chain *chain;
1061 unsigned int idx = 0, s_idx = cb->args[0];
1062 struct net *net = sock_net(skb->sk);
1063 int family = nfmsg->nfgen_family;
1064
1065 rcu_read_lock();
1066 cb->seq = net->nft.base_seq;
1067
1068 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1069 if (family != NFPROTO_UNSPEC && family != afi->family)
1070 continue;
1071
1072 list_for_each_entry_rcu(table, &afi->tables, list) {
1073 list_for_each_entry_rcu(chain, &table->chains, list) {
1074 if (idx < s_idx)
1075 goto cont;
1076 if (idx > s_idx)
1077 memset(&cb->args[1], 0,
1078 sizeof(cb->args) - sizeof(cb->args[0]));
1079 if (nf_tables_fill_chain_info(skb, net,
1080 NETLINK_CB(cb->skb).portid,
1081 cb->nlh->nlmsg_seq,
1082 NFT_MSG_NEWCHAIN,
1083 NLM_F_MULTI,
1084 afi->family, table, chain) < 0)
1085 goto done;
1086
1087 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1088cont:
1089 idx++;
1090 }
1091 }
1092 }
1093done:
1094 rcu_read_unlock();
1095 cb->args[0] = idx;
1096 return skb->len;
1097}
1098
1099static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1100 struct sk_buff *skb, const struct nlmsghdr *nlh,
1101 const struct nlattr * const nla[])
1102{
1103 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1104 const struct nft_af_info *afi;
1105 const struct nft_table *table;
1106 const struct nft_chain *chain;
1107 struct sk_buff *skb2;
1108 int family = nfmsg->nfgen_family;
1109 int err;
1110
1111 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1112 struct netlink_dump_control c = {
1113 .dump = nf_tables_dump_chains,
1114 };
1115 return netlink_dump_start(nlsk, skb, nlh, &c);
1116 }
1117
1118 afi = nf_tables_afinfo_lookup(net, family, false);
1119 if (IS_ERR(afi))
1120 return PTR_ERR(afi);
1121
1122 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1123 if (IS_ERR(table))
1124 return PTR_ERR(table);
1125 if (table->flags & NFT_TABLE_INACTIVE)
1126 return -ENOENT;
1127
1128 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1129 if (IS_ERR(chain))
1130 return PTR_ERR(chain);
1131 if (chain->flags & NFT_CHAIN_INACTIVE)
1132 return -ENOENT;
1133
1134 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1135 if (!skb2)
1136 return -ENOMEM;
1137
1138 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1139 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1140 family, table, chain);
1141 if (err < 0)
1142 goto err;
1143
1144 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1145
1146err:
1147 kfree_skb(skb2);
1148 return err;
1149}
1150
1151static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1152 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1153 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1154};
1155
1156static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1157{
1158 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1159 struct nft_stats __percpu *newstats;
1160 struct nft_stats *stats;
1161 int err;
1162
1163 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1164 if (err < 0)
1165 return ERR_PTR(err);
1166
1167 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1168 return ERR_PTR(-EINVAL);
1169
1170 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1171 if (newstats == NULL)
1172 return ERR_PTR(-ENOMEM);
1173
1174
1175
1176
1177 preempt_disable();
1178 stats = this_cpu_ptr(newstats);
1179 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1180 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1181 preempt_enable();
1182
1183 return newstats;
1184}
1185
1186static void nft_chain_stats_replace(struct nft_base_chain *chain,
1187 struct nft_stats __percpu *newstats)
1188{
1189 if (newstats == NULL)
1190 return;
1191
1192 if (chain->stats) {
1193 struct nft_stats __percpu *oldstats =
1194 nft_dereference(chain->stats);
1195
1196 rcu_assign_pointer(chain->stats, newstats);
1197 synchronize_rcu();
1198 free_percpu(oldstats);
1199 } else
1200 rcu_assign_pointer(chain->stats, newstats);
1201}
1202
1203static void nf_tables_chain_destroy(struct nft_chain *chain)
1204{
1205 BUG_ON(chain->use > 0);
1206
1207 if (chain->flags & NFT_BASE_CHAIN) {
1208 struct nft_base_chain *basechain = nft_base_chain(chain);
1209
1210 module_put(basechain->type->owner);
1211 free_percpu(basechain->stats);
1212 if (basechain->ops[0].dev != NULL)
1213 dev_put(basechain->ops[0].dev);
1214 kfree(basechain);
1215 } else {
1216 kfree(chain);
1217 }
1218}
1219
1220static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1221 struct sk_buff *skb, const struct nlmsghdr *nlh,
1222 const struct nlattr * const nla[])
1223{
1224 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1225 const struct nlattr * uninitialized_var(name);
1226 struct nft_af_info *afi;
1227 struct nft_table *table;
1228 struct nft_chain *chain;
1229 struct nft_base_chain *basechain = NULL;
1230 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1231 int family = nfmsg->nfgen_family;
1232 struct net_device *dev = NULL;
1233 u8 policy = NF_ACCEPT;
1234 u64 handle = 0;
1235 unsigned int i;
1236 struct nft_stats __percpu *stats;
1237 int err;
1238 bool create;
1239 struct nft_ctx ctx;
1240
1241 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1242
1243 afi = nf_tables_afinfo_lookup(net, family, true);
1244 if (IS_ERR(afi))
1245 return PTR_ERR(afi);
1246
1247 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1248 if (IS_ERR(table))
1249 return PTR_ERR(table);
1250
1251 chain = NULL;
1252 name = nla[NFTA_CHAIN_NAME];
1253
1254 if (nla[NFTA_CHAIN_HANDLE]) {
1255 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1256 chain = nf_tables_chain_lookup_byhandle(table, handle);
1257 if (IS_ERR(chain))
1258 return PTR_ERR(chain);
1259 } else {
1260 chain = nf_tables_chain_lookup(table, name);
1261 if (IS_ERR(chain)) {
1262 if (PTR_ERR(chain) != -ENOENT)
1263 return PTR_ERR(chain);
1264 chain = NULL;
1265 }
1266 }
1267
1268 if (nla[NFTA_CHAIN_POLICY]) {
1269 if ((chain != NULL &&
1270 !(chain->flags & NFT_BASE_CHAIN)))
1271 return -EOPNOTSUPP;
1272
1273 if (chain == NULL &&
1274 nla[NFTA_CHAIN_HOOK] == NULL)
1275 return -EOPNOTSUPP;
1276
1277 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1278 switch (policy) {
1279 case NF_DROP:
1280 case NF_ACCEPT:
1281 break;
1282 default:
1283 return -EINVAL;
1284 }
1285 }
1286
1287 if (chain != NULL) {
1288 struct nft_stats *stats = NULL;
1289 struct nft_trans *trans;
1290
1291 if (chain->flags & NFT_CHAIN_INACTIVE)
1292 return -ENOENT;
1293 if (nlh->nlmsg_flags & NLM_F_EXCL)
1294 return -EEXIST;
1295 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1296 return -EOPNOTSUPP;
1297
1298 if (nla[NFTA_CHAIN_HANDLE] && name &&
1299 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
1300 return -EEXIST;
1301
1302 if (nla[NFTA_CHAIN_COUNTERS]) {
1303 if (!(chain->flags & NFT_BASE_CHAIN))
1304 return -EOPNOTSUPP;
1305
1306 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1307 if (IS_ERR(stats))
1308 return PTR_ERR(stats);
1309 }
1310
1311 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1312 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1313 sizeof(struct nft_trans_chain));
1314 if (trans == NULL) {
1315 free_percpu(stats);
1316 return -ENOMEM;
1317 }
1318
1319 nft_trans_chain_stats(trans) = stats;
1320 nft_trans_chain_update(trans) = true;
1321
1322 if (nla[NFTA_CHAIN_POLICY])
1323 nft_trans_chain_policy(trans) = policy;
1324 else
1325 nft_trans_chain_policy(trans) = -1;
1326
1327 if (nla[NFTA_CHAIN_HANDLE] && name) {
1328 nla_strlcpy(nft_trans_chain_name(trans), name,
1329 NFT_CHAIN_MAXNAMELEN);
1330 }
1331 list_add_tail(&trans->list, &net->nft.commit_list);
1332 return 0;
1333 }
1334
1335 if (table->use == UINT_MAX)
1336 return -EOVERFLOW;
1337
1338 if (nla[NFTA_CHAIN_HOOK]) {
1339 const struct nf_chain_type *type;
1340 struct nf_hook_ops *ops;
1341 nf_hookfn *hookfn;
1342 u32 hooknum, priority;
1343
1344 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1345 if (nla[NFTA_CHAIN_TYPE]) {
1346 type = nf_tables_chain_type_lookup(afi,
1347 nla[NFTA_CHAIN_TYPE],
1348 create);
1349 if (IS_ERR(type))
1350 return PTR_ERR(type);
1351 }
1352
1353 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1354 nft_hook_policy);
1355 if (err < 0)
1356 return err;
1357 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1358 ha[NFTA_HOOK_PRIORITY] == NULL)
1359 return -EINVAL;
1360
1361 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1362 if (hooknum >= afi->nhooks)
1363 return -EINVAL;
1364 priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1365
1366 if (!(type->hook_mask & (1 << hooknum)))
1367 return -EOPNOTSUPP;
1368 if (!try_module_get(type->owner))
1369 return -ENOENT;
1370 hookfn = type->hooks[hooknum];
1371
1372 if (afi->flags & NFT_AF_NEEDS_DEV) {
1373 char ifname[IFNAMSIZ];
1374
1375 if (!ha[NFTA_HOOK_DEV]) {
1376 module_put(type->owner);
1377 return -EOPNOTSUPP;
1378 }
1379
1380 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1381 dev = dev_get_by_name(net, ifname);
1382 if (!dev) {
1383 module_put(type->owner);
1384 return -ENOENT;
1385 }
1386 } else if (ha[NFTA_HOOK_DEV]) {
1387 module_put(type->owner);
1388 return -EOPNOTSUPP;
1389 }
1390
1391 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1392 if (basechain == NULL) {
1393 module_put(type->owner);
1394 if (dev != NULL)
1395 dev_put(dev);
1396 return -ENOMEM;
1397 }
1398
1399 if (dev != NULL)
1400 strncpy(basechain->dev_name, dev->name, IFNAMSIZ);
1401
1402 if (nla[NFTA_CHAIN_COUNTERS]) {
1403 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1404 if (IS_ERR(stats)) {
1405 module_put(type->owner);
1406 kfree(basechain);
1407 if (dev != NULL)
1408 dev_put(dev);
1409 return PTR_ERR(stats);
1410 }
1411 basechain->stats = stats;
1412 } else {
1413 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1414 if (stats == NULL) {
1415 module_put(type->owner);
1416 kfree(basechain);
1417 if (dev != NULL)
1418 dev_put(dev);
1419 return -ENOMEM;
1420 }
1421 rcu_assign_pointer(basechain->stats, stats);
1422 }
1423
1424 write_pnet(&basechain->pnet, net);
1425 basechain->type = type;
1426 chain = &basechain->chain;
1427
1428 for (i = 0; i < afi->nops; i++) {
1429 ops = &basechain->ops[i];
1430 ops->pf = family;
1431 ops->hooknum = hooknum;
1432 ops->priority = priority;
1433 ops->priv = chain;
1434 ops->hook = afi->hooks[ops->hooknum];
1435 ops->dev = dev;
1436 if (hookfn)
1437 ops->hook = hookfn;
1438 if (afi->hook_ops_init)
1439 afi->hook_ops_init(ops, i);
1440 }
1441
1442 chain->flags |= NFT_BASE_CHAIN;
1443 basechain->policy = policy;
1444 } else {
1445 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1446 if (chain == NULL)
1447 return -ENOMEM;
1448 }
1449
1450 INIT_LIST_HEAD(&chain->rules);
1451 chain->handle = nf_tables_alloc_handle(table);
1452 chain->table = table;
1453 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1454
1455 err = nf_tables_register_hooks(table, chain, afi->nops);
1456 if (err < 0)
1457 goto err1;
1458
1459 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1460 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1461 if (err < 0)
1462 goto err2;
1463
1464 table->use++;
1465 list_add_tail_rcu(&chain->list, &table->chains);
1466 return 0;
1467err2:
1468 nf_tables_unregister_hooks(table, chain, afi->nops);
1469err1:
1470 nf_tables_chain_destroy(chain);
1471 return err;
1472}
1473
1474static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1475 struct sk_buff *skb, const struct nlmsghdr *nlh,
1476 const struct nlattr * const nla[])
1477{
1478 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1479 struct nft_af_info *afi;
1480 struct nft_table *table;
1481 struct nft_chain *chain;
1482 int family = nfmsg->nfgen_family;
1483 struct nft_ctx ctx;
1484
1485 afi = nf_tables_afinfo_lookup(net, family, false);
1486 if (IS_ERR(afi))
1487 return PTR_ERR(afi);
1488
1489 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1490 if (IS_ERR(table))
1491 return PTR_ERR(table);
1492
1493 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1494 if (IS_ERR(chain))
1495 return PTR_ERR(chain);
1496 if (chain->use > 0)
1497 return -EBUSY;
1498
1499 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1500
1501 return nft_delchain(&ctx);
1502}
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515int nft_register_expr(struct nft_expr_type *type)
1516{
1517 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1518 if (type->family == NFPROTO_UNSPEC)
1519 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1520 else
1521 list_add_rcu(&type->list, &nf_tables_expressions);
1522 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1523 return 0;
1524}
1525EXPORT_SYMBOL_GPL(nft_register_expr);
1526
1527
1528
1529
1530
1531
1532
1533void nft_unregister_expr(struct nft_expr_type *type)
1534{
1535 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1536 list_del_rcu(&type->list);
1537 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1538}
1539EXPORT_SYMBOL_GPL(nft_unregister_expr);
1540
1541static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1542 struct nlattr *nla)
1543{
1544 const struct nft_expr_type *type;
1545
1546 list_for_each_entry(type, &nf_tables_expressions, list) {
1547 if (!nla_strcmp(nla, type->name) &&
1548 (!type->family || type->family == family))
1549 return type;
1550 }
1551 return NULL;
1552}
1553
1554static const struct nft_expr_type *nft_expr_type_get(u8 family,
1555 struct nlattr *nla)
1556{
1557 const struct nft_expr_type *type;
1558
1559 if (nla == NULL)
1560 return ERR_PTR(-EINVAL);
1561
1562 type = __nft_expr_type_get(family, nla);
1563 if (type != NULL && try_module_get(type->owner))
1564 return type;
1565
1566#ifdef CONFIG_MODULES
1567 if (type == NULL) {
1568 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1569 request_module("nft-expr-%u-%.*s", family,
1570 nla_len(nla), (char *)nla_data(nla));
1571 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1572 if (__nft_expr_type_get(family, nla))
1573 return ERR_PTR(-EAGAIN);
1574
1575 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1576 request_module("nft-expr-%.*s",
1577 nla_len(nla), (char *)nla_data(nla));
1578 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1579 if (__nft_expr_type_get(family, nla))
1580 return ERR_PTR(-EAGAIN);
1581 }
1582#endif
1583 return ERR_PTR(-ENOENT);
1584}
1585
1586static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1587 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1588 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1589};
1590
1591static int nf_tables_fill_expr_info(struct sk_buff *skb,
1592 const struct nft_expr *expr)
1593{
1594 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1595 goto nla_put_failure;
1596
1597 if (expr->ops->dump) {
1598 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1599 if (data == NULL)
1600 goto nla_put_failure;
1601 if (expr->ops->dump(skb, expr) < 0)
1602 goto nla_put_failure;
1603 nla_nest_end(skb, data);
1604 }
1605
1606 return skb->len;
1607
1608nla_put_failure:
1609 return -1;
1610};
1611
1612int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1613 const struct nft_expr *expr)
1614{
1615 struct nlattr *nest;
1616
1617 nest = nla_nest_start(skb, attr);
1618 if (!nest)
1619 goto nla_put_failure;
1620 if (nf_tables_fill_expr_info(skb, expr) < 0)
1621 goto nla_put_failure;
1622 nla_nest_end(skb, nest);
1623 return 0;
1624
1625nla_put_failure:
1626 return -1;
1627}
1628
1629struct nft_expr_info {
1630 const struct nft_expr_ops *ops;
1631 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1632};
1633
1634static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1635 const struct nlattr *nla,
1636 struct nft_expr_info *info)
1637{
1638 const struct nft_expr_type *type;
1639 const struct nft_expr_ops *ops;
1640 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1641 int err;
1642
1643 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1644 if (err < 0)
1645 return err;
1646
1647 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1648 if (IS_ERR(type))
1649 return PTR_ERR(type);
1650
1651 if (tb[NFTA_EXPR_DATA]) {
1652 err = nla_parse_nested(info->tb, type->maxattr,
1653 tb[NFTA_EXPR_DATA], type->policy);
1654 if (err < 0)
1655 goto err1;
1656 } else
1657 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1658
1659 if (type->select_ops != NULL) {
1660 ops = type->select_ops(ctx,
1661 (const struct nlattr * const *)info->tb);
1662 if (IS_ERR(ops)) {
1663 err = PTR_ERR(ops);
1664 goto err1;
1665 }
1666 } else
1667 ops = type->ops;
1668
1669 info->ops = ops;
1670 return 0;
1671
1672err1:
1673 module_put(type->owner);
1674 return err;
1675}
1676
1677static int nf_tables_newexpr(const struct nft_ctx *ctx,
1678 const struct nft_expr_info *info,
1679 struct nft_expr *expr)
1680{
1681 const struct nft_expr_ops *ops = info->ops;
1682 int err;
1683
1684 expr->ops = ops;
1685 if (ops->init) {
1686 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1687 if (err < 0)
1688 goto err1;
1689 }
1690
1691 return 0;
1692
1693err1:
1694 expr->ops = NULL;
1695 return err;
1696}
1697
1698static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1699 struct nft_expr *expr)
1700{
1701 if (expr->ops->destroy)
1702 expr->ops->destroy(ctx, expr);
1703 module_put(expr->ops->type->owner);
1704}
1705
1706struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1707 const struct nlattr *nla)
1708{
1709 struct nft_expr_info info;
1710 struct nft_expr *expr;
1711 int err;
1712
1713 err = nf_tables_expr_parse(ctx, nla, &info);
1714 if (err < 0)
1715 goto err1;
1716
1717 err = -ENOMEM;
1718 expr = kzalloc(info.ops->size, GFP_KERNEL);
1719 if (expr == NULL)
1720 goto err2;
1721
1722 err = nf_tables_newexpr(ctx, &info, expr);
1723 if (err < 0)
1724 goto err2;
1725
1726 return expr;
1727err2:
1728 module_put(info.ops->type->owner);
1729err1:
1730 return ERR_PTR(err);
1731}
1732
1733void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1734{
1735 nf_tables_expr_destroy(ctx, expr);
1736 kfree(expr);
1737}
1738
1739
1740
1741
1742
1743static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1744 u64 handle)
1745{
1746 struct nft_rule *rule;
1747
1748
1749 list_for_each_entry(rule, &chain->rules, list) {
1750 if (handle == rule->handle)
1751 return rule;
1752 }
1753
1754 return ERR_PTR(-ENOENT);
1755}
1756
1757static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1758 const struct nlattr *nla)
1759{
1760 if (nla == NULL)
1761 return ERR_PTR(-EINVAL);
1762
1763 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1764}
1765
1766static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1767 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1768 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1769 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1770 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1771 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1772 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1773 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1774 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1775 .len = NFT_USERDATA_MAXLEN },
1776};
1777
1778static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1779 u32 portid, u32 seq, int event,
1780 u32 flags, int family,
1781 const struct nft_table *table,
1782 const struct nft_chain *chain,
1783 const struct nft_rule *rule)
1784{
1785 struct nlmsghdr *nlh;
1786 struct nfgenmsg *nfmsg;
1787 const struct nft_expr *expr, *next;
1788 struct nlattr *list;
1789 const struct nft_rule *prule;
1790 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1791
1792 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1793 flags);
1794 if (nlh == NULL)
1795 goto nla_put_failure;
1796
1797 nfmsg = nlmsg_data(nlh);
1798 nfmsg->nfgen_family = family;
1799 nfmsg->version = NFNETLINK_V0;
1800 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1801
1802 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1803 goto nla_put_failure;
1804 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1805 goto nla_put_failure;
1806 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1807 goto nla_put_failure;
1808
1809 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1810 prule = list_entry(rule->list.prev, struct nft_rule, list);
1811 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1812 cpu_to_be64(prule->handle)))
1813 goto nla_put_failure;
1814 }
1815
1816 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1817 if (list == NULL)
1818 goto nla_put_failure;
1819 nft_rule_for_each_expr(expr, next, rule) {
1820 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1821 goto nla_put_failure;
1822 }
1823 nla_nest_end(skb, list);
1824
1825 if (rule->udata) {
1826 struct nft_userdata *udata = nft_userdata(rule);
1827 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1828 udata->data) < 0)
1829 goto nla_put_failure;
1830 }
1831
1832 nlmsg_end(skb, nlh);
1833 return 0;
1834
1835nla_put_failure:
1836 nlmsg_trim(skb, nlh);
1837 return -1;
1838}
1839
1840static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1841 const struct nft_rule *rule,
1842 int event)
1843{
1844 struct sk_buff *skb;
1845 int err;
1846
1847 if (!ctx->report &&
1848 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1849 return 0;
1850
1851 err = -ENOBUFS;
1852 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1853 if (skb == NULL)
1854 goto err;
1855
1856 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1857 event, 0, ctx->afi->family, ctx->table,
1858 ctx->chain, rule);
1859 if (err < 0) {
1860 kfree_skb(skb);
1861 goto err;
1862 }
1863
1864 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1865 ctx->report, GFP_KERNEL);
1866err:
1867 if (err < 0) {
1868 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1869 err);
1870 }
1871 return err;
1872}
1873
1874static int nf_tables_dump_rules(struct sk_buff *skb,
1875 struct netlink_callback *cb)
1876{
1877 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1878 const struct nft_af_info *afi;
1879 const struct nft_table *table;
1880 const struct nft_chain *chain;
1881 const struct nft_rule *rule;
1882 unsigned int idx = 0, s_idx = cb->args[0];
1883 struct net *net = sock_net(skb->sk);
1884 int family = nfmsg->nfgen_family;
1885
1886 rcu_read_lock();
1887 cb->seq = net->nft.base_seq;
1888
1889 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1890 if (family != NFPROTO_UNSPEC && family != afi->family)
1891 continue;
1892
1893 list_for_each_entry_rcu(table, &afi->tables, list) {
1894 list_for_each_entry_rcu(chain, &table->chains, list) {
1895 list_for_each_entry_rcu(rule, &chain->rules, list) {
1896 if (!nft_rule_is_active(net, rule))
1897 goto cont;
1898 if (idx < s_idx)
1899 goto cont;
1900 if (idx > s_idx)
1901 memset(&cb->args[1], 0,
1902 sizeof(cb->args) - sizeof(cb->args[0]));
1903 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1904 cb->nlh->nlmsg_seq,
1905 NFT_MSG_NEWRULE,
1906 NLM_F_MULTI | NLM_F_APPEND,
1907 afi->family, table, chain, rule) < 0)
1908 goto done;
1909
1910 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1911cont:
1912 idx++;
1913 }
1914 }
1915 }
1916 }
1917done:
1918 rcu_read_unlock();
1919
1920 cb->args[0] = idx;
1921 return skb->len;
1922}
1923
1924static int nf_tables_getrule(struct net *net, struct sock *nlsk,
1925 struct sk_buff *skb, const struct nlmsghdr *nlh,
1926 const struct nlattr * const nla[])
1927{
1928 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1929 const struct nft_af_info *afi;
1930 const struct nft_table *table;
1931 const struct nft_chain *chain;
1932 const struct nft_rule *rule;
1933 struct sk_buff *skb2;
1934 int family = nfmsg->nfgen_family;
1935 int err;
1936
1937 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1938 struct netlink_dump_control c = {
1939 .dump = nf_tables_dump_rules,
1940 };
1941 return netlink_dump_start(nlsk, skb, nlh, &c);
1942 }
1943
1944 afi = nf_tables_afinfo_lookup(net, family, false);
1945 if (IS_ERR(afi))
1946 return PTR_ERR(afi);
1947
1948 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1949 if (IS_ERR(table))
1950 return PTR_ERR(table);
1951 if (table->flags & NFT_TABLE_INACTIVE)
1952 return -ENOENT;
1953
1954 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1955 if (IS_ERR(chain))
1956 return PTR_ERR(chain);
1957 if (chain->flags & NFT_CHAIN_INACTIVE)
1958 return -ENOENT;
1959
1960 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1961 if (IS_ERR(rule))
1962 return PTR_ERR(rule);
1963
1964 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1965 if (!skb2)
1966 return -ENOMEM;
1967
1968 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
1969 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1970 family, table, chain, rule);
1971 if (err < 0)
1972 goto err;
1973
1974 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1975
1976err:
1977 kfree_skb(skb2);
1978 return err;
1979}
1980
1981static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
1982 struct nft_rule *rule)
1983{
1984 struct nft_expr *expr;
1985
1986
1987
1988
1989
1990 expr = nft_expr_first(rule);
1991 while (expr->ops && expr != nft_expr_last(rule)) {
1992 nf_tables_expr_destroy(ctx, expr);
1993 expr = nft_expr_next(expr);
1994 }
1995 kfree(rule);
1996}
1997
1998#define NFT_RULE_MAXEXPRS 128
1999
2000static struct nft_expr_info *info;
2001
2002static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2003 struct sk_buff *skb, const struct nlmsghdr *nlh,
2004 const struct nlattr * const nla[])
2005{
2006 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2007 struct nft_af_info *afi;
2008 struct nft_table *table;
2009 struct nft_chain *chain;
2010 struct nft_rule *rule, *old_rule = NULL;
2011 struct nft_userdata *udata;
2012 struct nft_trans *trans = NULL;
2013 struct nft_expr *expr;
2014 struct nft_ctx ctx;
2015 struct nlattr *tmp;
2016 unsigned int size, i, n, ulen = 0, usize = 0;
2017 int err, rem;
2018 bool create;
2019 u64 handle, pos_handle;
2020
2021 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2022
2023 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2024 if (IS_ERR(afi))
2025 return PTR_ERR(afi);
2026
2027 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2028 if (IS_ERR(table))
2029 return PTR_ERR(table);
2030
2031 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2032 if (IS_ERR(chain))
2033 return PTR_ERR(chain);
2034
2035 if (nla[NFTA_RULE_HANDLE]) {
2036 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2037 rule = __nf_tables_rule_lookup(chain, handle);
2038 if (IS_ERR(rule))
2039 return PTR_ERR(rule);
2040
2041 if (nlh->nlmsg_flags & NLM_F_EXCL)
2042 return -EEXIST;
2043 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2044 old_rule = rule;
2045 else
2046 return -EOPNOTSUPP;
2047 } else {
2048 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2049 return -EINVAL;
2050 handle = nf_tables_alloc_handle(table);
2051
2052 if (chain->use == UINT_MAX)
2053 return -EOVERFLOW;
2054 }
2055
2056 if (nla[NFTA_RULE_POSITION]) {
2057 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2058 return -EOPNOTSUPP;
2059
2060 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2061 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2062 if (IS_ERR(old_rule))
2063 return PTR_ERR(old_rule);
2064 }
2065
2066 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2067
2068 n = 0;
2069 size = 0;
2070 if (nla[NFTA_RULE_EXPRESSIONS]) {
2071 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2072 err = -EINVAL;
2073 if (nla_type(tmp) != NFTA_LIST_ELEM)
2074 goto err1;
2075 if (n == NFT_RULE_MAXEXPRS)
2076 goto err1;
2077 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2078 if (err < 0)
2079 goto err1;
2080 size += info[n].ops->size;
2081 n++;
2082 }
2083 }
2084
2085 err = -EFBIG;
2086 if (size >= 1 << 12)
2087 goto err1;
2088
2089 if (nla[NFTA_RULE_USERDATA]) {
2090 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2091 if (ulen > 0)
2092 usize = sizeof(struct nft_userdata) + ulen;
2093 }
2094
2095 err = -ENOMEM;
2096 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2097 if (rule == NULL)
2098 goto err1;
2099
2100 nft_rule_activate_next(net, rule);
2101
2102 rule->handle = handle;
2103 rule->dlen = size;
2104 rule->udata = ulen ? 1 : 0;
2105
2106 if (ulen) {
2107 udata = nft_userdata(rule);
2108 udata->len = ulen - 1;
2109 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2110 }
2111
2112 expr = nft_expr_first(rule);
2113 for (i = 0; i < n; i++) {
2114 err = nf_tables_newexpr(&ctx, &info[i], expr);
2115 if (err < 0)
2116 goto err2;
2117 info[i].ops = NULL;
2118 expr = nft_expr_next(expr);
2119 }
2120
2121 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2122 if (nft_rule_is_active_next(net, old_rule)) {
2123 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2124 old_rule);
2125 if (trans == NULL) {
2126 err = -ENOMEM;
2127 goto err2;
2128 }
2129 nft_rule_deactivate_next(net, old_rule);
2130 chain->use--;
2131 list_add_tail_rcu(&rule->list, &old_rule->list);
2132 } else {
2133 err = -ENOENT;
2134 goto err2;
2135 }
2136 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2137 if (old_rule)
2138 list_add_rcu(&rule->list, &old_rule->list);
2139 else
2140 list_add_tail_rcu(&rule->list, &chain->rules);
2141 else {
2142 if (old_rule)
2143 list_add_tail_rcu(&rule->list, &old_rule->list);
2144 else
2145 list_add_rcu(&rule->list, &chain->rules);
2146 }
2147
2148 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2149 err = -ENOMEM;
2150 goto err3;
2151 }
2152 chain->use++;
2153 return 0;
2154
2155err3:
2156 list_del_rcu(&rule->list);
2157err2:
2158 nf_tables_rule_destroy(&ctx, rule);
2159err1:
2160 for (i = 0; i < n; i++) {
2161 if (info[i].ops != NULL)
2162 module_put(info[i].ops->type->owner);
2163 }
2164 return err;
2165}
2166
2167static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2168 struct sk_buff *skb, const struct nlmsghdr *nlh,
2169 const struct nlattr * const nla[])
2170{
2171 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2172 struct nft_af_info *afi;
2173 struct nft_table *table;
2174 struct nft_chain *chain = NULL;
2175 struct nft_rule *rule;
2176 int family = nfmsg->nfgen_family, err = 0;
2177 struct nft_ctx ctx;
2178
2179 afi = nf_tables_afinfo_lookup(net, family, false);
2180 if (IS_ERR(afi))
2181 return PTR_ERR(afi);
2182
2183 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
2184 if (IS_ERR(table))
2185 return PTR_ERR(table);
2186
2187 if (nla[NFTA_RULE_CHAIN]) {
2188 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
2189 if (IS_ERR(chain))
2190 return PTR_ERR(chain);
2191 }
2192
2193 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2194
2195 if (chain) {
2196 if (nla[NFTA_RULE_HANDLE]) {
2197 rule = nf_tables_rule_lookup(chain,
2198 nla[NFTA_RULE_HANDLE]);
2199 if (IS_ERR(rule))
2200 return PTR_ERR(rule);
2201
2202 err = nft_delrule(&ctx, rule);
2203 } else {
2204 err = nft_delrule_by_chain(&ctx);
2205 }
2206 } else {
2207 list_for_each_entry(chain, &table->chains, list) {
2208 ctx.chain = chain;
2209 err = nft_delrule_by_chain(&ctx);
2210 if (err < 0)
2211 break;
2212 }
2213 }
2214
2215 return err;
2216}
2217
2218
2219
2220
2221
2222static LIST_HEAD(nf_tables_set_ops);
2223
2224int nft_register_set(struct nft_set_ops *ops)
2225{
2226 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2227 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2228 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2229 return 0;
2230}
2231EXPORT_SYMBOL_GPL(nft_register_set);
2232
2233void nft_unregister_set(struct nft_set_ops *ops)
2234{
2235 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2236 list_del_rcu(&ops->list);
2237 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2238}
2239EXPORT_SYMBOL_GPL(nft_unregister_set);
2240
2241
2242
2243
2244
2245
2246static const struct nft_set_ops *
2247nft_select_set_ops(const struct nlattr * const nla[],
2248 const struct nft_set_desc *desc,
2249 enum nft_set_policies policy)
2250{
2251 const struct nft_set_ops *ops, *bops;
2252 struct nft_set_estimate est, best;
2253 u32 features;
2254
2255#ifdef CONFIG_MODULES
2256 if (list_empty(&nf_tables_set_ops)) {
2257 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2258 request_module("nft-set");
2259 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2260 if (!list_empty(&nf_tables_set_ops))
2261 return ERR_PTR(-EAGAIN);
2262 }
2263#endif
2264 features = 0;
2265 if (nla[NFTA_SET_FLAGS] != NULL) {
2266 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2267 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2268 }
2269
2270 bops = NULL;
2271 best.size = ~0;
2272 best.class = ~0;
2273
2274 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2275 if ((ops->features & features) != features)
2276 continue;
2277 if (!ops->estimate(desc, features, &est))
2278 continue;
2279
2280 switch (policy) {
2281 case NFT_SET_POL_PERFORMANCE:
2282 if (est.class < best.class)
2283 break;
2284 if (est.class == best.class && est.size < best.size)
2285 break;
2286 continue;
2287 case NFT_SET_POL_MEMORY:
2288 if (est.size < best.size)
2289 break;
2290 if (est.size == best.size && est.class < best.class)
2291 break;
2292 continue;
2293 default:
2294 break;
2295 }
2296
2297 if (!try_module_get(ops->owner))
2298 continue;
2299 if (bops != NULL)
2300 module_put(bops->owner);
2301
2302 bops = ops;
2303 best = est;
2304 }
2305
2306 if (bops != NULL)
2307 return bops;
2308
2309 return ERR_PTR(-EOPNOTSUPP);
2310}
2311
2312static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2313 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2314 [NFTA_SET_NAME] = { .type = NLA_STRING,
2315 .len = IFNAMSIZ - 1 },
2316 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2317 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2318 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2319 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2320 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2321 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2322 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2323 [NFTA_SET_ID] = { .type = NLA_U32 },
2324 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2325 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2326 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2327 .len = NFT_USERDATA_MAXLEN },
2328};
2329
2330static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2331 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2332};
2333
2334static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2335 const struct sk_buff *skb,
2336 const struct nlmsghdr *nlh,
2337 const struct nlattr * const nla[])
2338{
2339 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2340 struct nft_af_info *afi = NULL;
2341 struct nft_table *table = NULL;
2342
2343 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2344 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2345 if (IS_ERR(afi))
2346 return PTR_ERR(afi);
2347 }
2348
2349 if (nla[NFTA_SET_TABLE] != NULL) {
2350 if (afi == NULL)
2351 return -EAFNOSUPPORT;
2352
2353 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2354 if (IS_ERR(table))
2355 return PTR_ERR(table);
2356 }
2357
2358 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2359 return 0;
2360}
2361
2362struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2363 const struct nlattr *nla)
2364{
2365 struct nft_set *set;
2366
2367 if (nla == NULL)
2368 return ERR_PTR(-EINVAL);
2369
2370 list_for_each_entry(set, &table->sets, list) {
2371 if (!nla_strcmp(nla, set->name))
2372 return set;
2373 }
2374 return ERR_PTR(-ENOENT);
2375}
2376
2377struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2378 const struct nlattr *nla)
2379{
2380 struct nft_trans *trans;
2381 u32 id = ntohl(nla_get_be32(nla));
2382
2383 list_for_each_entry(trans, &net->nft.commit_list, list) {
2384 if (trans->msg_type == NFT_MSG_NEWSET &&
2385 id == nft_trans_set_id(trans))
2386 return nft_trans_set(trans);
2387 }
2388 return ERR_PTR(-ENOENT);
2389}
2390
2391static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2392 const char *name)
2393{
2394 const struct nft_set *i;
2395 const char *p;
2396 unsigned long *inuse;
2397 unsigned int n = 0, min = 0;
2398
2399 p = strnchr(name, IFNAMSIZ, '%');
2400 if (p != NULL) {
2401 if (p[1] != 'd' || strchr(p + 2, '%'))
2402 return -EINVAL;
2403
2404 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2405 if (inuse == NULL)
2406 return -ENOMEM;
2407cont:
2408 list_for_each_entry(i, &ctx->table->sets, list) {
2409 int tmp;
2410
2411 if (!sscanf(i->name, name, &tmp))
2412 continue;
2413 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2414 continue;
2415
2416 set_bit(tmp - min, inuse);
2417 }
2418
2419 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2420 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2421 min += BITS_PER_BYTE * PAGE_SIZE;
2422 memset(inuse, 0, PAGE_SIZE);
2423 goto cont;
2424 }
2425 free_page((unsigned long)inuse);
2426 }
2427
2428 snprintf(set->name, sizeof(set->name), name, min + n);
2429 list_for_each_entry(i, &ctx->table->sets, list) {
2430 if (!strcmp(set->name, i->name))
2431 return -ENFILE;
2432 }
2433 return 0;
2434}
2435
2436static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2437 const struct nft_set *set, u16 event, u16 flags)
2438{
2439 struct nfgenmsg *nfmsg;
2440 struct nlmsghdr *nlh;
2441 struct nlattr *desc;
2442 u32 portid = ctx->portid;
2443 u32 seq = ctx->seq;
2444
2445 event |= NFNL_SUBSYS_NFTABLES << 8;
2446 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2447 flags);
2448 if (nlh == NULL)
2449 goto nla_put_failure;
2450
2451 nfmsg = nlmsg_data(nlh);
2452 nfmsg->nfgen_family = ctx->afi->family;
2453 nfmsg->version = NFNETLINK_V0;
2454 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2455
2456 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2457 goto nla_put_failure;
2458 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2459 goto nla_put_failure;
2460 if (set->flags != 0)
2461 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2462 goto nla_put_failure;
2463
2464 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2465 goto nla_put_failure;
2466 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2467 goto nla_put_failure;
2468 if (set->flags & NFT_SET_MAP) {
2469 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2470 goto nla_put_failure;
2471 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2472 goto nla_put_failure;
2473 }
2474
2475 if (set->timeout &&
2476 nla_put_be64(skb, NFTA_SET_TIMEOUT, cpu_to_be64(set->timeout)))
2477 goto nla_put_failure;
2478 if (set->gc_int &&
2479 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2480 goto nla_put_failure;
2481
2482 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2483 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2484 goto nla_put_failure;
2485 }
2486
2487 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2488 goto nla_put_failure;
2489
2490 desc = nla_nest_start(skb, NFTA_SET_DESC);
2491 if (desc == NULL)
2492 goto nla_put_failure;
2493 if (set->size &&
2494 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2495 goto nla_put_failure;
2496 nla_nest_end(skb, desc);
2497
2498 nlmsg_end(skb, nlh);
2499 return 0;
2500
2501nla_put_failure:
2502 nlmsg_trim(skb, nlh);
2503 return -1;
2504}
2505
2506static int nf_tables_set_notify(const struct nft_ctx *ctx,
2507 const struct nft_set *set,
2508 int event, gfp_t gfp_flags)
2509{
2510 struct sk_buff *skb;
2511 u32 portid = ctx->portid;
2512 int err;
2513
2514 if (!ctx->report &&
2515 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2516 return 0;
2517
2518 err = -ENOBUFS;
2519 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2520 if (skb == NULL)
2521 goto err;
2522
2523 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2524 if (err < 0) {
2525 kfree_skb(skb);
2526 goto err;
2527 }
2528
2529 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2530 ctx->report, gfp_flags);
2531err:
2532 if (err < 0)
2533 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2534 return err;
2535}
2536
2537static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2538{
2539 const struct nft_set *set;
2540 unsigned int idx, s_idx = cb->args[0];
2541 struct nft_af_info *afi;
2542 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2543 struct net *net = sock_net(skb->sk);
2544 int cur_family = cb->args[3];
2545 struct nft_ctx *ctx = cb->data, ctx_set;
2546
2547 if (cb->args[1])
2548 return skb->len;
2549
2550 rcu_read_lock();
2551 cb->seq = net->nft.base_seq;
2552
2553 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2554 if (ctx->afi && ctx->afi != afi)
2555 continue;
2556
2557 if (cur_family) {
2558 if (afi->family != cur_family)
2559 continue;
2560
2561 cur_family = 0;
2562 }
2563 list_for_each_entry_rcu(table, &afi->tables, list) {
2564 if (ctx->table && ctx->table != table)
2565 continue;
2566
2567 if (cur_table) {
2568 if (cur_table != table)
2569 continue;
2570
2571 cur_table = NULL;
2572 }
2573 idx = 0;
2574 list_for_each_entry_rcu(set, &table->sets, list) {
2575 if (idx < s_idx)
2576 goto cont;
2577
2578 ctx_set = *ctx;
2579 ctx_set.table = table;
2580 ctx_set.afi = afi;
2581 if (nf_tables_fill_set(skb, &ctx_set, set,
2582 NFT_MSG_NEWSET,
2583 NLM_F_MULTI) < 0) {
2584 cb->args[0] = idx;
2585 cb->args[2] = (unsigned long) table;
2586 cb->args[3] = afi->family;
2587 goto done;
2588 }
2589 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2590cont:
2591 idx++;
2592 }
2593 if (s_idx)
2594 s_idx = 0;
2595 }
2596 }
2597 cb->args[1] = 1;
2598done:
2599 rcu_read_unlock();
2600 return skb->len;
2601}
2602
2603static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2604{
2605 kfree(cb->data);
2606 return 0;
2607}
2608
2609static int nf_tables_getset(struct net *net, struct sock *nlsk,
2610 struct sk_buff *skb, const struct nlmsghdr *nlh,
2611 const struct nlattr * const nla[])
2612{
2613 const struct nft_set *set;
2614 struct nft_ctx ctx;
2615 struct sk_buff *skb2;
2616 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2617 int err;
2618
2619
2620 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
2621 if (err < 0)
2622 return err;
2623
2624 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2625 struct netlink_dump_control c = {
2626 .dump = nf_tables_dump_sets,
2627 .done = nf_tables_dump_sets_done,
2628 };
2629 struct nft_ctx *ctx_dump;
2630
2631 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2632 if (ctx_dump == NULL)
2633 return -ENOMEM;
2634
2635 *ctx_dump = ctx;
2636 c.data = ctx_dump;
2637
2638 return netlink_dump_start(nlsk, skb, nlh, &c);
2639 }
2640
2641
2642 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2643 return -EAFNOSUPPORT;
2644
2645 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2646 if (IS_ERR(set))
2647 return PTR_ERR(set);
2648 if (set->flags & NFT_SET_INACTIVE)
2649 return -ENOENT;
2650
2651 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2652 if (skb2 == NULL)
2653 return -ENOMEM;
2654
2655 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2656 if (err < 0)
2657 goto err;
2658
2659 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2660
2661err:
2662 kfree_skb(skb2);
2663 return err;
2664}
2665
2666static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2667 struct nft_set_desc *desc,
2668 const struct nlattr *nla)
2669{
2670 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2671 int err;
2672
2673 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2674 if (err < 0)
2675 return err;
2676
2677 if (da[NFTA_SET_DESC_SIZE] != NULL)
2678 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2679
2680 return 0;
2681}
2682
2683static int nf_tables_newset(struct net *net, struct sock *nlsk,
2684 struct sk_buff *skb, const struct nlmsghdr *nlh,
2685 const struct nlattr * const nla[])
2686{
2687 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2688 const struct nft_set_ops *ops;
2689 struct nft_af_info *afi;
2690 struct nft_table *table;
2691 struct nft_set *set;
2692 struct nft_ctx ctx;
2693 char name[IFNAMSIZ];
2694 unsigned int size;
2695 bool create;
2696 u64 timeout;
2697 u32 ktype, dtype, flags, policy, gc_int;
2698 struct nft_set_desc desc;
2699 unsigned char *udata;
2700 u16 udlen;
2701 int err;
2702
2703 if (nla[NFTA_SET_TABLE] == NULL ||
2704 nla[NFTA_SET_NAME] == NULL ||
2705 nla[NFTA_SET_KEY_LEN] == NULL ||
2706 nla[NFTA_SET_ID] == NULL)
2707 return -EINVAL;
2708
2709 memset(&desc, 0, sizeof(desc));
2710
2711 ktype = NFT_DATA_VALUE;
2712 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2713 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2714 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2715 return -EINVAL;
2716 }
2717
2718 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2719 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2720 return -EINVAL;
2721
2722 flags = 0;
2723 if (nla[NFTA_SET_FLAGS] != NULL) {
2724 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2725 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2726 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2727 NFT_SET_MAP | NFT_SET_EVAL))
2728 return -EINVAL;
2729
2730 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2731 (NFT_SET_MAP | NFT_SET_EVAL))
2732 return -EOPNOTSUPP;
2733 }
2734
2735 dtype = 0;
2736 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2737 if (!(flags & NFT_SET_MAP))
2738 return -EINVAL;
2739
2740 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2741 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2742 dtype != NFT_DATA_VERDICT)
2743 return -EINVAL;
2744
2745 if (dtype != NFT_DATA_VERDICT) {
2746 if (nla[NFTA_SET_DATA_LEN] == NULL)
2747 return -EINVAL;
2748 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2749 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2750 return -EINVAL;
2751 } else
2752 desc.dlen = sizeof(struct nft_verdict);
2753 } else if (flags & NFT_SET_MAP)
2754 return -EINVAL;
2755
2756 timeout = 0;
2757 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2758 if (!(flags & NFT_SET_TIMEOUT))
2759 return -EINVAL;
2760 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_TIMEOUT]));
2761 }
2762 gc_int = 0;
2763 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2764 if (!(flags & NFT_SET_TIMEOUT))
2765 return -EINVAL;
2766 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2767 }
2768
2769 policy = NFT_SET_POL_PERFORMANCE;
2770 if (nla[NFTA_SET_POLICY] != NULL)
2771 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2772
2773 if (nla[NFTA_SET_DESC] != NULL) {
2774 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2775 if (err < 0)
2776 return err;
2777 }
2778
2779 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2780
2781 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2782 if (IS_ERR(afi))
2783 return PTR_ERR(afi);
2784
2785 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2786 if (IS_ERR(table))
2787 return PTR_ERR(table);
2788
2789 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2790
2791 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2792 if (IS_ERR(set)) {
2793 if (PTR_ERR(set) != -ENOENT)
2794 return PTR_ERR(set);
2795 set = NULL;
2796 }
2797
2798 if (set != NULL) {
2799 if (nlh->nlmsg_flags & NLM_F_EXCL)
2800 return -EEXIST;
2801 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2802 return -EOPNOTSUPP;
2803 return 0;
2804 }
2805
2806 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2807 return -ENOENT;
2808
2809 ops = nft_select_set_ops(nla, &desc, policy);
2810 if (IS_ERR(ops))
2811 return PTR_ERR(ops);
2812
2813 udlen = 0;
2814 if (nla[NFTA_SET_USERDATA])
2815 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2816
2817 size = 0;
2818 if (ops->privsize != NULL)
2819 size = ops->privsize(nla);
2820
2821 err = -ENOMEM;
2822 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2823 if (set == NULL)
2824 goto err1;
2825
2826 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2827 err = nf_tables_set_alloc_name(&ctx, set, name);
2828 if (err < 0)
2829 goto err2;
2830
2831 udata = NULL;
2832 if (udlen) {
2833 udata = set->data + size;
2834 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2835 }
2836
2837 INIT_LIST_HEAD(&set->bindings);
2838 write_pnet(&set->pnet, net);
2839 set->ops = ops;
2840 set->ktype = ktype;
2841 set->klen = desc.klen;
2842 set->dtype = dtype;
2843 set->dlen = desc.dlen;
2844 set->flags = flags;
2845 set->size = desc.size;
2846 set->policy = policy;
2847 set->udlen = udlen;
2848 set->udata = udata;
2849 set->timeout = timeout;
2850 set->gc_int = gc_int;
2851
2852 err = ops->init(set, &desc, nla);
2853 if (err < 0)
2854 goto err2;
2855
2856 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2857 if (err < 0)
2858 goto err2;
2859
2860 list_add_tail_rcu(&set->list, &table->sets);
2861 table->use++;
2862 return 0;
2863
2864err2:
2865 kfree(set);
2866err1:
2867 module_put(ops->owner);
2868 return err;
2869}
2870
2871static void nft_set_destroy(struct nft_set *set)
2872{
2873 set->ops->destroy(set);
2874 module_put(set->ops->owner);
2875 kfree(set);
2876}
2877
2878static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2879{
2880 list_del_rcu(&set->list);
2881 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2882 nft_set_destroy(set);
2883}
2884
2885static int nf_tables_delset(struct net *net, struct sock *nlsk,
2886 struct sk_buff *skb, const struct nlmsghdr *nlh,
2887 const struct nlattr * const nla[])
2888{
2889 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2890 struct nft_set *set;
2891 struct nft_ctx ctx;
2892 int err;
2893
2894 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2895 return -EAFNOSUPPORT;
2896 if (nla[NFTA_SET_TABLE] == NULL)
2897 return -EINVAL;
2898
2899 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
2900 if (err < 0)
2901 return err;
2902
2903 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2904 if (IS_ERR(set))
2905 return PTR_ERR(set);
2906 if (!list_empty(&set->bindings))
2907 return -EBUSY;
2908
2909 return nft_delset(&ctx, set);
2910}
2911
2912static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2913 const struct nft_set *set,
2914 const struct nft_set_iter *iter,
2915 const struct nft_set_elem *elem)
2916{
2917 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
2918 enum nft_registers dreg;
2919
2920 dreg = nft_type_to_reg(set->dtype);
2921 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
2922 set->dtype == NFT_DATA_VERDICT ?
2923 NFT_DATA_VERDICT : NFT_DATA_VALUE,
2924 set->dlen);
2925}
2926
2927int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2928 struct nft_set_binding *binding)
2929{
2930 struct nft_set_binding *i;
2931 struct nft_set_iter iter;
2932
2933 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2934 return -EBUSY;
2935
2936 if (binding->flags & NFT_SET_MAP) {
2937
2938
2939
2940 list_for_each_entry(i, &set->bindings, list) {
2941 if (binding->flags & NFT_SET_MAP &&
2942 i->chain == binding->chain)
2943 goto bind;
2944 }
2945
2946 iter.skip = 0;
2947 iter.count = 0;
2948 iter.err = 0;
2949 iter.fn = nf_tables_bind_check_setelem;
2950
2951 set->ops->walk(ctx, set, &iter);
2952 if (iter.err < 0) {
2953
2954 if (set->flags & NFT_SET_ANONYMOUS)
2955 nf_tables_set_destroy(ctx, set);
2956
2957 return iter.err;
2958 }
2959 }
2960bind:
2961 binding->chain = ctx->chain;
2962 list_add_tail_rcu(&binding->list, &set->bindings);
2963 return 0;
2964}
2965
2966void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2967 struct nft_set_binding *binding)
2968{
2969 list_del_rcu(&binding->list);
2970
2971 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
2972 !(set->flags & NFT_SET_INACTIVE))
2973 nf_tables_set_destroy(ctx, set);
2974}
2975
2976const struct nft_set_ext_type nft_set_ext_types[] = {
2977 [NFT_SET_EXT_KEY] = {
2978 .align = __alignof__(u32),
2979 },
2980 [NFT_SET_EXT_DATA] = {
2981 .align = __alignof__(u32),
2982 },
2983 [NFT_SET_EXT_EXPR] = {
2984 .align = __alignof__(struct nft_expr),
2985 },
2986 [NFT_SET_EXT_FLAGS] = {
2987 .len = sizeof(u8),
2988 .align = __alignof__(u8),
2989 },
2990 [NFT_SET_EXT_TIMEOUT] = {
2991 .len = sizeof(u64),
2992 .align = __alignof__(u64),
2993 },
2994 [NFT_SET_EXT_EXPIRATION] = {
2995 .len = sizeof(unsigned long),
2996 .align = __alignof__(unsigned long),
2997 },
2998 [NFT_SET_EXT_USERDATA] = {
2999 .len = sizeof(struct nft_userdata),
3000 .align = __alignof__(struct nft_userdata),
3001 },
3002};
3003EXPORT_SYMBOL_GPL(nft_set_ext_types);
3004
3005
3006
3007
3008
3009static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3010 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3011 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3012 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3013 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3014 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3015 .len = NFT_USERDATA_MAXLEN },
3016};
3017
3018static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3019 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3020 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3021 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3022 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3023};
3024
3025static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3026 const struct sk_buff *skb,
3027 const struct nlmsghdr *nlh,
3028 const struct nlattr * const nla[])
3029{
3030 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3031 struct nft_af_info *afi;
3032 struct nft_table *table;
3033
3034 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3035 if (IS_ERR(afi))
3036 return PTR_ERR(afi);
3037
3038 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
3039 if (IS_ERR(table))
3040 return PTR_ERR(table);
3041
3042 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3043 return 0;
3044}
3045
3046static int nf_tables_fill_setelem(struct sk_buff *skb,
3047 const struct nft_set *set,
3048 const struct nft_set_elem *elem)
3049{
3050 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3051 unsigned char *b = skb_tail_pointer(skb);
3052 struct nlattr *nest;
3053
3054 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3055 if (nest == NULL)
3056 goto nla_put_failure;
3057
3058 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3059 NFT_DATA_VALUE, set->klen) < 0)
3060 goto nla_put_failure;
3061
3062 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3063 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3064 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3065 set->dlen) < 0)
3066 goto nla_put_failure;
3067
3068 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3069 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3070 goto nla_put_failure;
3071
3072 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3073 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3074 htonl(*nft_set_ext_flags(ext))))
3075 goto nla_put_failure;
3076
3077 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3078 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3079 cpu_to_be64(*nft_set_ext_timeout(ext))))
3080 goto nla_put_failure;
3081
3082 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3083 unsigned long expires, now = jiffies;
3084
3085 expires = *nft_set_ext_expiration(ext);
3086 if (time_before(now, expires))
3087 expires -= now;
3088 else
3089 expires = 0;
3090
3091 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3092 cpu_to_be64(jiffies_to_msecs(expires))))
3093 goto nla_put_failure;
3094 }
3095
3096 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3097 struct nft_userdata *udata;
3098
3099 udata = nft_set_ext_userdata(ext);
3100 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3101 udata->len + 1, udata->data))
3102 goto nla_put_failure;
3103 }
3104
3105 nla_nest_end(skb, nest);
3106 return 0;
3107
3108nla_put_failure:
3109 nlmsg_trim(skb, b);
3110 return -EMSGSIZE;
3111}
3112
3113struct nft_set_dump_args {
3114 const struct netlink_callback *cb;
3115 struct nft_set_iter iter;
3116 struct sk_buff *skb;
3117};
3118
3119static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3120 const struct nft_set *set,
3121 const struct nft_set_iter *iter,
3122 const struct nft_set_elem *elem)
3123{
3124 struct nft_set_dump_args *args;
3125
3126 args = container_of(iter, struct nft_set_dump_args, iter);
3127 return nf_tables_fill_setelem(args->skb, set, elem);
3128}
3129
3130static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3131{
3132 struct net *net = sock_net(skb->sk);
3133 const struct nft_set *set;
3134 struct nft_set_dump_args args;
3135 struct nft_ctx ctx;
3136 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3137 struct nfgenmsg *nfmsg;
3138 struct nlmsghdr *nlh;
3139 struct nlattr *nest;
3140 u32 portid, seq;
3141 int event, err;
3142
3143 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3144 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3145 if (err < 0)
3146 return err;
3147
3148 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3149 (void *)nla);
3150 if (err < 0)
3151 return err;
3152 if (ctx.table->flags & NFT_TABLE_INACTIVE)
3153 return -ENOENT;
3154
3155 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3156 if (IS_ERR(set))
3157 return PTR_ERR(set);
3158 if (set->flags & NFT_SET_INACTIVE)
3159 return -ENOENT;
3160
3161 event = NFT_MSG_NEWSETELEM;
3162 event |= NFNL_SUBSYS_NFTABLES << 8;
3163 portid = NETLINK_CB(cb->skb).portid;
3164 seq = cb->nlh->nlmsg_seq;
3165
3166 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3167 NLM_F_MULTI);
3168 if (nlh == NULL)
3169 goto nla_put_failure;
3170
3171 nfmsg = nlmsg_data(nlh);
3172 nfmsg->nfgen_family = ctx.afi->family;
3173 nfmsg->version = NFNETLINK_V0;
3174 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3175
3176 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3177 goto nla_put_failure;
3178 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3179 goto nla_put_failure;
3180
3181 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3182 if (nest == NULL)
3183 goto nla_put_failure;
3184
3185 args.cb = cb;
3186 args.skb = skb;
3187 args.iter.skip = cb->args[0];
3188 args.iter.count = 0;
3189 args.iter.err = 0;
3190 args.iter.fn = nf_tables_dump_setelem;
3191 set->ops->walk(&ctx, set, &args.iter);
3192
3193 nla_nest_end(skb, nest);
3194 nlmsg_end(skb, nlh);
3195
3196 if (args.iter.err && args.iter.err != -EMSGSIZE)
3197 return args.iter.err;
3198 if (args.iter.count == cb->args[0])
3199 return 0;
3200
3201 cb->args[0] = args.iter.count;
3202 return skb->len;
3203
3204nla_put_failure:
3205 return -ENOSPC;
3206}
3207
3208static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3209 struct sk_buff *skb, const struct nlmsghdr *nlh,
3210 const struct nlattr * const nla[])
3211{
3212 const struct nft_set *set;
3213 struct nft_ctx ctx;
3214 int err;
3215
3216 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3217 if (err < 0)
3218 return err;
3219 if (ctx.table->flags & NFT_TABLE_INACTIVE)
3220 return -ENOENT;
3221
3222 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3223 if (IS_ERR(set))
3224 return PTR_ERR(set);
3225 if (set->flags & NFT_SET_INACTIVE)
3226 return -ENOENT;
3227
3228 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3229 struct netlink_dump_control c = {
3230 .dump = nf_tables_dump_set,
3231 };
3232 return netlink_dump_start(nlsk, skb, nlh, &c);
3233 }
3234 return -EOPNOTSUPP;
3235}
3236
3237static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3238 const struct nft_ctx *ctx, u32 seq,
3239 u32 portid, int event, u16 flags,
3240 const struct nft_set *set,
3241 const struct nft_set_elem *elem)
3242{
3243 struct nfgenmsg *nfmsg;
3244 struct nlmsghdr *nlh;
3245 struct nlattr *nest;
3246 int err;
3247
3248 event |= NFNL_SUBSYS_NFTABLES << 8;
3249 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3250 flags);
3251 if (nlh == NULL)
3252 goto nla_put_failure;
3253
3254 nfmsg = nlmsg_data(nlh);
3255 nfmsg->nfgen_family = ctx->afi->family;
3256 nfmsg->version = NFNETLINK_V0;
3257 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3258
3259 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3260 goto nla_put_failure;
3261 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3262 goto nla_put_failure;
3263
3264 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3265 if (nest == NULL)
3266 goto nla_put_failure;
3267
3268 err = nf_tables_fill_setelem(skb, set, elem);
3269 if (err < 0)
3270 goto nla_put_failure;
3271
3272 nla_nest_end(skb, nest);
3273
3274 nlmsg_end(skb, nlh);
3275 return 0;
3276
3277nla_put_failure:
3278 nlmsg_trim(skb, nlh);
3279 return -1;
3280}
3281
3282static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3283 const struct nft_set *set,
3284 const struct nft_set_elem *elem,
3285 int event, u16 flags)
3286{
3287 struct net *net = ctx->net;
3288 u32 portid = ctx->portid;
3289 struct sk_buff *skb;
3290 int err;
3291
3292 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3293 return 0;
3294
3295 err = -ENOBUFS;
3296 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3297 if (skb == NULL)
3298 goto err;
3299
3300 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3301 set, elem);
3302 if (err < 0) {
3303 kfree_skb(skb);
3304 goto err;
3305 }
3306
3307 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3308 GFP_KERNEL);
3309err:
3310 if (err < 0)
3311 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3312 return err;
3313}
3314
3315static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3316 int msg_type,
3317 struct nft_set *set)
3318{
3319 struct nft_trans *trans;
3320
3321 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3322 if (trans == NULL)
3323 return NULL;
3324
3325 nft_trans_elem_set(trans) = set;
3326 return trans;
3327}
3328
3329void *nft_set_elem_init(const struct nft_set *set,
3330 const struct nft_set_ext_tmpl *tmpl,
3331 const u32 *key, const u32 *data,
3332 u64 timeout, gfp_t gfp)
3333{
3334 struct nft_set_ext *ext;
3335 void *elem;
3336
3337 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3338 if (elem == NULL)
3339 return NULL;
3340
3341 ext = nft_set_elem_ext(set, elem);
3342 nft_set_ext_init(ext, tmpl);
3343
3344 memcpy(nft_set_ext_key(ext), key, set->klen);
3345 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3346 memcpy(nft_set_ext_data(ext), data, set->dlen);
3347 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3348 *nft_set_ext_expiration(ext) =
3349 jiffies + msecs_to_jiffies(timeout);
3350 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3351 *nft_set_ext_timeout(ext) = timeout;
3352
3353 return elem;
3354}
3355
3356void nft_set_elem_destroy(const struct nft_set *set, void *elem)
3357{
3358 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3359
3360 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3361 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3362 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3363 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3364 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3365
3366 kfree(elem);
3367}
3368EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3369
3370static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3371 const struct nlattr *attr)
3372{
3373 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3374 struct nft_data_desc d1, d2;
3375 struct nft_set_ext_tmpl tmpl;
3376 struct nft_set_ext *ext;
3377 struct nft_set_elem elem;
3378 struct nft_set_binding *binding;
3379 struct nft_userdata *udata;
3380 struct nft_data data;
3381 enum nft_registers dreg;
3382 struct nft_trans *trans;
3383 u64 timeout;
3384 u32 flags;
3385 u8 ulen;
3386 int err;
3387
3388 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3389 nft_set_elem_policy);
3390 if (err < 0)
3391 return err;
3392
3393 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3394 return -EINVAL;
3395
3396 nft_set_ext_prepare(&tmpl);
3397
3398 flags = 0;
3399 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
3400 flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
3401 if (flags & ~NFT_SET_ELEM_INTERVAL_END)
3402 return -EINVAL;
3403 if (!(set->flags & NFT_SET_INTERVAL) &&
3404 flags & NFT_SET_ELEM_INTERVAL_END)
3405 return -EINVAL;
3406 if (flags != 0)
3407 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3408 }
3409
3410 if (set->flags & NFT_SET_MAP) {
3411 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3412 !(flags & NFT_SET_ELEM_INTERVAL_END))
3413 return -EINVAL;
3414 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3415 flags & NFT_SET_ELEM_INTERVAL_END)
3416 return -EINVAL;
3417 } else {
3418 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3419 return -EINVAL;
3420 }
3421
3422 timeout = 0;
3423 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3424 if (!(set->flags & NFT_SET_TIMEOUT))
3425 return -EINVAL;
3426 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_ELEM_TIMEOUT]));
3427 } else if (set->flags & NFT_SET_TIMEOUT) {
3428 timeout = set->timeout;
3429 }
3430
3431 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3432 nla[NFTA_SET_ELEM_KEY]);
3433 if (err < 0)
3434 goto err1;
3435 err = -EINVAL;
3436 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3437 goto err2;
3438
3439 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3440 if (timeout > 0) {
3441 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3442 if (timeout != set->timeout)
3443 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3444 }
3445
3446 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3447 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3448 nla[NFTA_SET_ELEM_DATA]);
3449 if (err < 0)
3450 goto err2;
3451
3452 err = -EINVAL;
3453 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3454 goto err3;
3455
3456 dreg = nft_type_to_reg(set->dtype);
3457 list_for_each_entry(binding, &set->bindings, list) {
3458 struct nft_ctx bind_ctx = {
3459 .afi = ctx->afi,
3460 .table = ctx->table,
3461 .chain = (struct nft_chain *)binding->chain,
3462 };
3463
3464 if (!(binding->flags & NFT_SET_MAP))
3465 continue;
3466
3467 err = nft_validate_register_store(&bind_ctx, dreg,
3468 &data,
3469 d2.type, d2.len);
3470 if (err < 0)
3471 goto err3;
3472 }
3473
3474 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3475 }
3476
3477
3478
3479
3480
3481 ulen = 0;
3482 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3483 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3484 if (ulen > 0)
3485 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3486 ulen);
3487 }
3488
3489 err = -ENOMEM;
3490 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3491 timeout, GFP_KERNEL);
3492 if (elem.priv == NULL)
3493 goto err3;
3494
3495 ext = nft_set_elem_ext(set, elem.priv);
3496 if (flags)
3497 *nft_set_ext_flags(ext) = flags;
3498 if (ulen > 0) {
3499 udata = nft_set_ext_userdata(ext);
3500 udata->len = ulen - 1;
3501 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3502 }
3503
3504 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3505 if (trans == NULL)
3506 goto err4;
3507
3508 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3509 err = set->ops->insert(set, &elem);
3510 if (err < 0)
3511 goto err5;
3512
3513 nft_trans_elem(trans) = elem;
3514 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3515 return 0;
3516
3517err5:
3518 kfree(trans);
3519err4:
3520 kfree(elem.priv);
3521err3:
3522 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3523 nft_data_uninit(&data, d2.type);
3524err2:
3525 nft_data_uninit(&elem.key.val, d1.type);
3526err1:
3527 return err;
3528}
3529
3530static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3531 struct sk_buff *skb, const struct nlmsghdr *nlh,
3532 const struct nlattr * const nla[])
3533{
3534 const struct nlattr *attr;
3535 struct nft_set *set;
3536 struct nft_ctx ctx;
3537 int rem, err = 0;
3538
3539 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3540 return -EINVAL;
3541
3542 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3543 if (err < 0)
3544 return err;
3545
3546 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3547 if (IS_ERR(set)) {
3548 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3549 set = nf_tables_set_lookup_byid(net,
3550 nla[NFTA_SET_ELEM_LIST_SET_ID]);
3551 }
3552 if (IS_ERR(set))
3553 return PTR_ERR(set);
3554 }
3555
3556 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3557 return -EBUSY;
3558
3559 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3560 if (set->size &&
3561 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3562 return -ENFILE;
3563
3564 err = nft_add_set_elem(&ctx, set, attr);
3565 if (err < 0) {
3566 atomic_dec(&set->nelems);
3567 break;
3568 }
3569 }
3570 return err;
3571}
3572
3573static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3574 const struct nlattr *attr)
3575{
3576 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3577 struct nft_data_desc desc;
3578 struct nft_set_elem elem;
3579 struct nft_trans *trans;
3580 int err;
3581
3582 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3583 nft_set_elem_policy);
3584 if (err < 0)
3585 goto err1;
3586
3587 err = -EINVAL;
3588 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3589 goto err1;
3590
3591 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3592 nla[NFTA_SET_ELEM_KEY]);
3593 if (err < 0)
3594 goto err1;
3595
3596 err = -EINVAL;
3597 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3598 goto err2;
3599
3600 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3601 if (trans == NULL) {
3602 err = -ENOMEM;
3603 goto err2;
3604 }
3605
3606 elem.priv = set->ops->deactivate(set, &elem);
3607 if (elem.priv == NULL) {
3608 err = -ENOENT;
3609 goto err3;
3610 }
3611
3612 nft_trans_elem(trans) = elem;
3613 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3614 return 0;
3615
3616err3:
3617 kfree(trans);
3618err2:
3619 nft_data_uninit(&elem.key.val, desc.type);
3620err1:
3621 return err;
3622}
3623
3624static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3625 struct sk_buff *skb, const struct nlmsghdr *nlh,
3626 const struct nlattr * const nla[])
3627{
3628 const struct nlattr *attr;
3629 struct nft_set *set;
3630 struct nft_ctx ctx;
3631 int rem, err = 0;
3632
3633 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3634 return -EINVAL;
3635
3636 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla);
3637 if (err < 0)
3638 return err;
3639
3640 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
3641 if (IS_ERR(set))
3642 return PTR_ERR(set);
3643 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3644 return -EBUSY;
3645
3646 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3647 err = nft_del_setelem(&ctx, set, attr);
3648 if (err < 0)
3649 break;
3650
3651 set->ndeact++;
3652 }
3653 return err;
3654}
3655
3656void nft_set_gc_batch_release(struct rcu_head *rcu)
3657{
3658 struct nft_set_gc_batch *gcb;
3659 unsigned int i;
3660
3661 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3662 for (i = 0; i < gcb->head.cnt; i++)
3663 nft_set_elem_destroy(gcb->head.set, gcb->elems[i]);
3664 kfree(gcb);
3665}
3666EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3667
3668struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3669 gfp_t gfp)
3670{
3671 struct nft_set_gc_batch *gcb;
3672
3673 gcb = kzalloc(sizeof(*gcb), gfp);
3674 if (gcb == NULL)
3675 return gcb;
3676 gcb->head.set = set;
3677 return gcb;
3678}
3679EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3680
3681static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3682 u32 portid, u32 seq)
3683{
3684 struct nlmsghdr *nlh;
3685 struct nfgenmsg *nfmsg;
3686 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3687
3688 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3689 if (nlh == NULL)
3690 goto nla_put_failure;
3691
3692 nfmsg = nlmsg_data(nlh);
3693 nfmsg->nfgen_family = AF_UNSPEC;
3694 nfmsg->version = NFNETLINK_V0;
3695 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3696
3697 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3698 goto nla_put_failure;
3699
3700 nlmsg_end(skb, nlh);
3701 return 0;
3702
3703nla_put_failure:
3704 nlmsg_trim(skb, nlh);
3705 return -EMSGSIZE;
3706}
3707
3708static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3709{
3710 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3711 struct sk_buff *skb2;
3712 int err;
3713
3714 if (nlmsg_report(nlh) &&
3715 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3716 return 0;
3717
3718 err = -ENOBUFS;
3719 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3720 if (skb2 == NULL)
3721 goto err;
3722
3723 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3724 nlh->nlmsg_seq);
3725 if (err < 0) {
3726 kfree_skb(skb2);
3727 goto err;
3728 }
3729
3730 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3731 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3732err:
3733 if (err < 0) {
3734 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3735 err);
3736 }
3737 return err;
3738}
3739
3740static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3741 struct sk_buff *skb, const struct nlmsghdr *nlh,
3742 const struct nlattr * const nla[])
3743{
3744 struct sk_buff *skb2;
3745 int err;
3746
3747 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3748 if (skb2 == NULL)
3749 return -ENOMEM;
3750
3751 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3752 nlh->nlmsg_seq);
3753 if (err < 0)
3754 goto err;
3755
3756 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3757err:
3758 kfree_skb(skb2);
3759 return err;
3760}
3761
3762static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3763 [NFT_MSG_NEWTABLE] = {
3764 .call_batch = nf_tables_newtable,
3765 .attr_count = NFTA_TABLE_MAX,
3766 .policy = nft_table_policy,
3767 },
3768 [NFT_MSG_GETTABLE] = {
3769 .call = nf_tables_gettable,
3770 .attr_count = NFTA_TABLE_MAX,
3771 .policy = nft_table_policy,
3772 },
3773 [NFT_MSG_DELTABLE] = {
3774 .call_batch = nf_tables_deltable,
3775 .attr_count = NFTA_TABLE_MAX,
3776 .policy = nft_table_policy,
3777 },
3778 [NFT_MSG_NEWCHAIN] = {
3779 .call_batch = nf_tables_newchain,
3780 .attr_count = NFTA_CHAIN_MAX,
3781 .policy = nft_chain_policy,
3782 },
3783 [NFT_MSG_GETCHAIN] = {
3784 .call = nf_tables_getchain,
3785 .attr_count = NFTA_CHAIN_MAX,
3786 .policy = nft_chain_policy,
3787 },
3788 [NFT_MSG_DELCHAIN] = {
3789 .call_batch = nf_tables_delchain,
3790 .attr_count = NFTA_CHAIN_MAX,
3791 .policy = nft_chain_policy,
3792 },
3793 [NFT_MSG_NEWRULE] = {
3794 .call_batch = nf_tables_newrule,
3795 .attr_count = NFTA_RULE_MAX,
3796 .policy = nft_rule_policy,
3797 },
3798 [NFT_MSG_GETRULE] = {
3799 .call = nf_tables_getrule,
3800 .attr_count = NFTA_RULE_MAX,
3801 .policy = nft_rule_policy,
3802 },
3803 [NFT_MSG_DELRULE] = {
3804 .call_batch = nf_tables_delrule,
3805 .attr_count = NFTA_RULE_MAX,
3806 .policy = nft_rule_policy,
3807 },
3808 [NFT_MSG_NEWSET] = {
3809 .call_batch = nf_tables_newset,
3810 .attr_count = NFTA_SET_MAX,
3811 .policy = nft_set_policy,
3812 },
3813 [NFT_MSG_GETSET] = {
3814 .call = nf_tables_getset,
3815 .attr_count = NFTA_SET_MAX,
3816 .policy = nft_set_policy,
3817 },
3818 [NFT_MSG_DELSET] = {
3819 .call_batch = nf_tables_delset,
3820 .attr_count = NFTA_SET_MAX,
3821 .policy = nft_set_policy,
3822 },
3823 [NFT_MSG_NEWSETELEM] = {
3824 .call_batch = nf_tables_newsetelem,
3825 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3826 .policy = nft_set_elem_list_policy,
3827 },
3828 [NFT_MSG_GETSETELEM] = {
3829 .call = nf_tables_getsetelem,
3830 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3831 .policy = nft_set_elem_list_policy,
3832 },
3833 [NFT_MSG_DELSETELEM] = {
3834 .call_batch = nf_tables_delsetelem,
3835 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3836 .policy = nft_set_elem_list_policy,
3837 },
3838 [NFT_MSG_GETGEN] = {
3839 .call = nf_tables_getgen,
3840 },
3841};
3842
3843static void nft_chain_commit_update(struct nft_trans *trans)
3844{
3845 struct nft_base_chain *basechain;
3846
3847 if (nft_trans_chain_name(trans)[0])
3848 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
3849
3850 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
3851 return;
3852
3853 basechain = nft_base_chain(trans->ctx.chain);
3854 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
3855
3856 switch (nft_trans_chain_policy(trans)) {
3857 case NF_DROP:
3858 case NF_ACCEPT:
3859 basechain->policy = nft_trans_chain_policy(trans);
3860 break;
3861 }
3862}
3863
3864static void nf_tables_commit_release(struct nft_trans *trans)
3865{
3866 switch (trans->msg_type) {
3867 case NFT_MSG_DELTABLE:
3868 nf_tables_table_destroy(&trans->ctx);
3869 break;
3870 case NFT_MSG_DELCHAIN:
3871 nf_tables_chain_destroy(trans->ctx.chain);
3872 break;
3873 case NFT_MSG_DELRULE:
3874 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
3875 break;
3876 case NFT_MSG_DELSET:
3877 nft_set_destroy(nft_trans_set(trans));
3878 break;
3879 case NFT_MSG_DELSETELEM:
3880 nft_set_elem_destroy(nft_trans_elem_set(trans),
3881 nft_trans_elem(trans).priv);
3882 break;
3883 }
3884 kfree(trans);
3885}
3886
3887static int nf_tables_commit(struct net *net, struct sk_buff *skb)
3888{
3889 struct nft_trans *trans, *next;
3890 struct nft_trans_elem *te;
3891
3892
3893 while (++net->nft.base_seq == 0);
3894
3895
3896 net->nft.gencursor = nft_gencursor_next(net);
3897
3898
3899
3900
3901 synchronize_rcu();
3902
3903 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3904 switch (trans->msg_type) {
3905 case NFT_MSG_NEWTABLE:
3906 if (nft_trans_table_update(trans)) {
3907 if (!nft_trans_table_enable(trans)) {
3908 nf_tables_table_disable(trans->ctx.afi,
3909 trans->ctx.table);
3910 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
3911 }
3912 } else {
3913 trans->ctx.table->flags &= ~NFT_TABLE_INACTIVE;
3914 }
3915 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
3916 nft_trans_destroy(trans);
3917 break;
3918 case NFT_MSG_DELTABLE:
3919 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
3920 break;
3921 case NFT_MSG_NEWCHAIN:
3922 if (nft_trans_chain_update(trans))
3923 nft_chain_commit_update(trans);
3924 else
3925 trans->ctx.chain->flags &= ~NFT_CHAIN_INACTIVE;
3926
3927 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
3928 nft_trans_destroy(trans);
3929 break;
3930 case NFT_MSG_DELCHAIN:
3931 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3932 nf_tables_unregister_hooks(trans->ctx.table,
3933 trans->ctx.chain,
3934 trans->ctx.afi->nops);
3935 break;
3936 case NFT_MSG_NEWRULE:
3937 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
3938 nf_tables_rule_notify(&trans->ctx,
3939 nft_trans_rule(trans),
3940 NFT_MSG_NEWRULE);
3941 nft_trans_destroy(trans);
3942 break;
3943 case NFT_MSG_DELRULE:
3944 list_del_rcu(&nft_trans_rule(trans)->list);
3945 nf_tables_rule_notify(&trans->ctx,
3946 nft_trans_rule(trans),
3947 NFT_MSG_DELRULE);
3948 break;
3949 case NFT_MSG_NEWSET:
3950 nft_trans_set(trans)->flags &= ~NFT_SET_INACTIVE;
3951
3952
3953
3954 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
3955 !list_empty(&nft_trans_set(trans)->bindings))
3956 trans->ctx.table->use--;
3957
3958 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3959 NFT_MSG_NEWSET, GFP_KERNEL);
3960 nft_trans_destroy(trans);
3961 break;
3962 case NFT_MSG_DELSET:
3963 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
3964 NFT_MSG_DELSET, GFP_KERNEL);
3965 break;
3966 case NFT_MSG_NEWSETELEM:
3967 te = (struct nft_trans_elem *)trans->data;
3968
3969 te->set->ops->activate(te->set, &te->elem);
3970 nf_tables_setelem_notify(&trans->ctx, te->set,
3971 &te->elem,
3972 NFT_MSG_NEWSETELEM, 0);
3973 nft_trans_destroy(trans);
3974 break;
3975 case NFT_MSG_DELSETELEM:
3976 te = (struct nft_trans_elem *)trans->data;
3977
3978 nf_tables_setelem_notify(&trans->ctx, te->set,
3979 &te->elem,
3980 NFT_MSG_DELSETELEM, 0);
3981 te->set->ops->remove(te->set, &te->elem);
3982 atomic_dec(&te->set->nelems);
3983 te->set->ndeact--;
3984 break;
3985 }
3986 }
3987
3988 synchronize_rcu();
3989
3990 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3991 list_del(&trans->list);
3992 nf_tables_commit_release(trans);
3993 }
3994
3995 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
3996
3997 return 0;
3998}
3999
4000static void nf_tables_abort_release(struct nft_trans *trans)
4001{
4002 switch (trans->msg_type) {
4003 case NFT_MSG_NEWTABLE:
4004 nf_tables_table_destroy(&trans->ctx);
4005 break;
4006 case NFT_MSG_NEWCHAIN:
4007 nf_tables_chain_destroy(trans->ctx.chain);
4008 break;
4009 case NFT_MSG_NEWRULE:
4010 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4011 break;
4012 case NFT_MSG_NEWSET:
4013 nft_set_destroy(nft_trans_set(trans));
4014 break;
4015 case NFT_MSG_NEWSETELEM:
4016 nft_set_elem_destroy(nft_trans_elem_set(trans),
4017 nft_trans_elem(trans).priv);
4018 break;
4019 }
4020 kfree(trans);
4021}
4022
4023static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4024{
4025 struct nft_trans *trans, *next;
4026 struct nft_trans_elem *te;
4027
4028 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4029 list) {
4030 switch (trans->msg_type) {
4031 case NFT_MSG_NEWTABLE:
4032 if (nft_trans_table_update(trans)) {
4033 if (nft_trans_table_enable(trans)) {
4034 nf_tables_table_disable(trans->ctx.afi,
4035 trans->ctx.table);
4036 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4037 }
4038 nft_trans_destroy(trans);
4039 } else {
4040 list_del_rcu(&trans->ctx.table->list);
4041 }
4042 break;
4043 case NFT_MSG_DELTABLE:
4044 list_add_tail_rcu(&trans->ctx.table->list,
4045 &trans->ctx.afi->tables);
4046 nft_trans_destroy(trans);
4047 break;
4048 case NFT_MSG_NEWCHAIN:
4049 if (nft_trans_chain_update(trans)) {
4050 free_percpu(nft_trans_chain_stats(trans));
4051
4052 nft_trans_destroy(trans);
4053 } else {
4054 trans->ctx.table->use--;
4055 list_del_rcu(&trans->ctx.chain->list);
4056 nf_tables_unregister_hooks(trans->ctx.table,
4057 trans->ctx.chain,
4058 trans->ctx.afi->nops);
4059 }
4060 break;
4061 case NFT_MSG_DELCHAIN:
4062 trans->ctx.table->use++;
4063 list_add_tail_rcu(&trans->ctx.chain->list,
4064 &trans->ctx.table->chains);
4065 nft_trans_destroy(trans);
4066 break;
4067 case NFT_MSG_NEWRULE:
4068 trans->ctx.chain->use--;
4069 list_del_rcu(&nft_trans_rule(trans)->list);
4070 break;
4071 case NFT_MSG_DELRULE:
4072 trans->ctx.chain->use++;
4073 nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
4074 nft_trans_destroy(trans);
4075 break;
4076 case NFT_MSG_NEWSET:
4077 trans->ctx.table->use--;
4078 list_del_rcu(&nft_trans_set(trans)->list);
4079 break;
4080 case NFT_MSG_DELSET:
4081 trans->ctx.table->use++;
4082 list_add_tail_rcu(&nft_trans_set(trans)->list,
4083 &trans->ctx.table->sets);
4084 nft_trans_destroy(trans);
4085 break;
4086 case NFT_MSG_NEWSETELEM:
4087 te = (struct nft_trans_elem *)trans->data;
4088
4089 te->set->ops->remove(te->set, &te->elem);
4090 atomic_dec(&te->set->nelems);
4091 break;
4092 case NFT_MSG_DELSETELEM:
4093 te = (struct nft_trans_elem *)trans->data;
4094
4095 te->set->ops->activate(te->set, &te->elem);
4096 te->set->ndeact--;
4097
4098 nft_trans_destroy(trans);
4099 break;
4100 }
4101 }
4102
4103 synchronize_rcu();
4104
4105 list_for_each_entry_safe_reverse(trans, next,
4106 &net->nft.commit_list, list) {
4107 list_del(&trans->list);
4108 nf_tables_abort_release(trans);
4109 }
4110
4111 return 0;
4112}
4113
4114static const struct nfnetlink_subsystem nf_tables_subsys = {
4115 .name = "nf_tables",
4116 .subsys_id = NFNL_SUBSYS_NFTABLES,
4117 .cb_count = NFT_MSG_MAX,
4118 .cb = nf_tables_cb,
4119 .commit = nf_tables_commit,
4120 .abort = nf_tables_abort,
4121};
4122
4123int nft_chain_validate_dependency(const struct nft_chain *chain,
4124 enum nft_chain_type type)
4125{
4126 const struct nft_base_chain *basechain;
4127
4128 if (chain->flags & NFT_BASE_CHAIN) {
4129 basechain = nft_base_chain(chain);
4130 if (basechain->type->type != type)
4131 return -EOPNOTSUPP;
4132 }
4133 return 0;
4134}
4135EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4136
4137int nft_chain_validate_hooks(const struct nft_chain *chain,
4138 unsigned int hook_flags)
4139{
4140 struct nft_base_chain *basechain;
4141
4142 if (chain->flags & NFT_BASE_CHAIN) {
4143 basechain = nft_base_chain(chain);
4144
4145 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4146 return 0;
4147
4148 return -EOPNOTSUPP;
4149 }
4150
4151 return 0;
4152}
4153EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164static int nf_tables_check_loops(const struct nft_ctx *ctx,
4165 const struct nft_chain *chain);
4166
4167static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4168 const struct nft_set *set,
4169 const struct nft_set_iter *iter,
4170 const struct nft_set_elem *elem)
4171{
4172 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4173 const struct nft_data *data;
4174
4175 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4176 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4177 return 0;
4178
4179 data = nft_set_ext_data(ext);
4180 switch (data->verdict.code) {
4181 case NFT_JUMP:
4182 case NFT_GOTO:
4183 return nf_tables_check_loops(ctx, data->verdict.chain);
4184 default:
4185 return 0;
4186 }
4187}
4188
4189static int nf_tables_check_loops(const struct nft_ctx *ctx,
4190 const struct nft_chain *chain)
4191{
4192 const struct nft_rule *rule;
4193 const struct nft_expr *expr, *last;
4194 const struct nft_set *set;
4195 struct nft_set_binding *binding;
4196 struct nft_set_iter iter;
4197
4198 if (ctx->chain == chain)
4199 return -ELOOP;
4200
4201 list_for_each_entry(rule, &chain->rules, list) {
4202 nft_rule_for_each_expr(expr, last, rule) {
4203 const struct nft_data *data = NULL;
4204 int err;
4205
4206 if (!expr->ops->validate)
4207 continue;
4208
4209 err = expr->ops->validate(ctx, expr, &data);
4210 if (err < 0)
4211 return err;
4212
4213 if (data == NULL)
4214 continue;
4215
4216 switch (data->verdict.code) {
4217 case NFT_JUMP:
4218 case NFT_GOTO:
4219 err = nf_tables_check_loops(ctx,
4220 data->verdict.chain);
4221 if (err < 0)
4222 return err;
4223 default:
4224 break;
4225 }
4226 }
4227 }
4228
4229 list_for_each_entry(set, &ctx->table->sets, list) {
4230 if (!(set->flags & NFT_SET_MAP) ||
4231 set->dtype != NFT_DATA_VERDICT)
4232 continue;
4233
4234 list_for_each_entry(binding, &set->bindings, list) {
4235 if (!(binding->flags & NFT_SET_MAP) ||
4236 binding->chain != chain)
4237 continue;
4238
4239 iter.skip = 0;
4240 iter.count = 0;
4241 iter.err = 0;
4242 iter.fn = nf_tables_loop_check_setelem;
4243
4244 set->ops->walk(ctx, set, &iter);
4245 if (iter.err < 0)
4246 return iter.err;
4247 }
4248 }
4249
4250 return 0;
4251}
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262unsigned int nft_parse_register(const struct nlattr *attr)
4263{
4264 unsigned int reg;
4265
4266 reg = ntohl(nla_get_be32(attr));
4267 switch (reg) {
4268 case NFT_REG_VERDICT...NFT_REG_4:
4269 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4270 default:
4271 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4272 }
4273}
4274EXPORT_SYMBOL_GPL(nft_parse_register);
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4288{
4289 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4290 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4291 else
4292 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4293
4294 return nla_put_be32(skb, attr, htonl(reg));
4295}
4296EXPORT_SYMBOL_GPL(nft_dump_register);
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4308{
4309 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4310 return -EINVAL;
4311 if (len == 0)
4312 return -EINVAL;
4313 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4314 return -ERANGE;
4315
4316 return 0;
4317}
4318EXPORT_SYMBOL_GPL(nft_validate_register_load);
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334int nft_validate_register_store(const struct nft_ctx *ctx,
4335 enum nft_registers reg,
4336 const struct nft_data *data,
4337 enum nft_data_types type, unsigned int len)
4338{
4339 int err;
4340
4341 switch (reg) {
4342 case NFT_REG_VERDICT:
4343 if (type != NFT_DATA_VERDICT)
4344 return -EINVAL;
4345
4346 if (data != NULL &&
4347 (data->verdict.code == NFT_GOTO ||
4348 data->verdict.code == NFT_JUMP)) {
4349 err = nf_tables_check_loops(ctx, data->verdict.chain);
4350 if (err < 0)
4351 return err;
4352
4353 if (ctx->chain->level + 1 >
4354 data->verdict.chain->level) {
4355 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4356 return -EMLINK;
4357 data->verdict.chain->level = ctx->chain->level + 1;
4358 }
4359 }
4360
4361 return 0;
4362 default:
4363 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4364 return -EINVAL;
4365 if (len == 0)
4366 return -EINVAL;
4367 if (reg * NFT_REG32_SIZE + len >
4368 FIELD_SIZEOF(struct nft_regs, data))
4369 return -ERANGE;
4370
4371 if (data != NULL && type != NFT_DATA_VALUE)
4372 return -EINVAL;
4373 return 0;
4374 }
4375}
4376EXPORT_SYMBOL_GPL(nft_validate_register_store);
4377
4378static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4379 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4380 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4381 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4382};
4383
4384static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4385 struct nft_data_desc *desc, const struct nlattr *nla)
4386{
4387 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4388 struct nft_chain *chain;
4389 int err;
4390
4391 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4392 if (err < 0)
4393 return err;
4394
4395 if (!tb[NFTA_VERDICT_CODE])
4396 return -EINVAL;
4397 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4398
4399 switch (data->verdict.code) {
4400 default:
4401 switch (data->verdict.code & NF_VERDICT_MASK) {
4402 case NF_ACCEPT:
4403 case NF_DROP:
4404 case NF_QUEUE:
4405 break;
4406 default:
4407 return -EINVAL;
4408 }
4409
4410 case NFT_CONTINUE:
4411 case NFT_BREAK:
4412 case NFT_RETURN:
4413 break;
4414 case NFT_JUMP:
4415 case NFT_GOTO:
4416 if (!tb[NFTA_VERDICT_CHAIN])
4417 return -EINVAL;
4418 chain = nf_tables_chain_lookup(ctx->table,
4419 tb[NFTA_VERDICT_CHAIN]);
4420 if (IS_ERR(chain))
4421 return PTR_ERR(chain);
4422 if (chain->flags & NFT_BASE_CHAIN)
4423 return -EOPNOTSUPP;
4424
4425 chain->use++;
4426 data->verdict.chain = chain;
4427 break;
4428 }
4429
4430 desc->len = sizeof(data->verdict);
4431 desc->type = NFT_DATA_VERDICT;
4432 return 0;
4433}
4434
4435static void nft_verdict_uninit(const struct nft_data *data)
4436{
4437 switch (data->verdict.code) {
4438 case NFT_JUMP:
4439 case NFT_GOTO:
4440 data->verdict.chain->use--;
4441 break;
4442 }
4443}
4444
4445int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4446{
4447 struct nlattr *nest;
4448
4449 nest = nla_nest_start(skb, type);
4450 if (!nest)
4451 goto nla_put_failure;
4452
4453 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4454 goto nla_put_failure;
4455
4456 switch (v->code) {
4457 case NFT_JUMP:
4458 case NFT_GOTO:
4459 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4460 v->chain->name))
4461 goto nla_put_failure;
4462 }
4463 nla_nest_end(skb, nest);
4464 return 0;
4465
4466nla_put_failure:
4467 return -1;
4468}
4469
4470static int nft_value_init(const struct nft_ctx *ctx,
4471 struct nft_data *data, unsigned int size,
4472 struct nft_data_desc *desc, const struct nlattr *nla)
4473{
4474 unsigned int len;
4475
4476 len = nla_len(nla);
4477 if (len == 0)
4478 return -EINVAL;
4479 if (len > size)
4480 return -EOVERFLOW;
4481
4482 nla_memcpy(data->data, nla, len);
4483 desc->type = NFT_DATA_VALUE;
4484 desc->len = len;
4485 return 0;
4486}
4487
4488static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4489 unsigned int len)
4490{
4491 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4492}
4493
4494static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4495 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4496 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4497};
4498
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514int nft_data_init(const struct nft_ctx *ctx,
4515 struct nft_data *data, unsigned int size,
4516 struct nft_data_desc *desc, const struct nlattr *nla)
4517{
4518 struct nlattr *tb[NFTA_DATA_MAX + 1];
4519 int err;
4520
4521 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4522 if (err < 0)
4523 return err;
4524
4525 if (tb[NFTA_DATA_VALUE])
4526 return nft_value_init(ctx, data, size, desc,
4527 tb[NFTA_DATA_VALUE]);
4528 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4529 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4530 return -EINVAL;
4531}
4532EXPORT_SYMBOL_GPL(nft_data_init);
4533
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4544{
4545 if (type < NFT_DATA_VERDICT)
4546 return;
4547 switch (type) {
4548 case NFT_DATA_VERDICT:
4549 return nft_verdict_uninit(data);
4550 default:
4551 WARN_ON(1);
4552 }
4553}
4554EXPORT_SYMBOL_GPL(nft_data_uninit);
4555
4556int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4557 enum nft_data_types type, unsigned int len)
4558{
4559 struct nlattr *nest;
4560 int err;
4561
4562 nest = nla_nest_start(skb, attr);
4563 if (nest == NULL)
4564 return -1;
4565
4566 switch (type) {
4567 case NFT_DATA_VALUE:
4568 err = nft_value_dump(skb, data, len);
4569 break;
4570 case NFT_DATA_VERDICT:
4571 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4572 break;
4573 default:
4574 err = -EINVAL;
4575 WARN_ON(1);
4576 }
4577
4578 nla_nest_end(skb, nest);
4579 return err;
4580}
4581EXPORT_SYMBOL_GPL(nft_data_dump);
4582
4583static int __net_init nf_tables_init_net(struct net *net)
4584{
4585 INIT_LIST_HEAD(&net->nft.af_info);
4586 INIT_LIST_HEAD(&net->nft.commit_list);
4587 net->nft.base_seq = 1;
4588 return 0;
4589}
4590
4591int __nft_release_basechain(struct nft_ctx *ctx)
4592{
4593 struct nft_rule *rule, *nr;
4594
4595 BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4596
4597 nf_tables_unregister_hooks(ctx->chain->table, ctx->chain,
4598 ctx->afi->nops);
4599 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4600 list_del(&rule->list);
4601 ctx->chain->use--;
4602 nf_tables_rule_destroy(ctx, rule);
4603 }
4604 list_del(&ctx->chain->list);
4605 ctx->table->use--;
4606 nf_tables_chain_destroy(ctx->chain);
4607
4608 return 0;
4609}
4610EXPORT_SYMBOL_GPL(__nft_release_basechain);
4611
4612
4613static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4614{
4615 struct nft_table *table, *nt;
4616 struct nft_chain *chain, *nc;
4617 struct nft_rule *rule, *nr;
4618 struct nft_set *set, *ns;
4619 struct nft_ctx ctx = {
4620 .net = net,
4621 .afi = afi,
4622 };
4623
4624 list_for_each_entry_safe(table, nt, &afi->tables, list) {
4625 list_for_each_entry(chain, &table->chains, list)
4626 nf_tables_unregister_hooks(table, chain, afi->nops);
4627
4628 ctx.table = table;
4629 list_for_each_entry(chain, &table->chains, list) {
4630 ctx.chain = chain;
4631 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4632 list_del(&rule->list);
4633 chain->use--;
4634 nf_tables_rule_destroy(&ctx, rule);
4635 }
4636 }
4637 list_for_each_entry_safe(set, ns, &table->sets, list) {
4638 list_del(&set->list);
4639 table->use--;
4640 nft_set_destroy(set);
4641 }
4642 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4643 list_del(&chain->list);
4644 table->use--;
4645 nf_tables_chain_destroy(chain);
4646 }
4647 list_del(&table->list);
4648 nf_tables_table_destroy(&ctx);
4649 }
4650}
4651
4652static struct pernet_operations nf_tables_net_ops = {
4653 .init = nf_tables_init_net,
4654};
4655
4656static int __init nf_tables_module_init(void)
4657{
4658 int err;
4659
4660 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4661 GFP_KERNEL);
4662 if (info == NULL) {
4663 err = -ENOMEM;
4664 goto err1;
4665 }
4666
4667 err = nf_tables_core_module_init();
4668 if (err < 0)
4669 goto err2;
4670
4671 err = nfnetlink_subsys_register(&nf_tables_subsys);
4672 if (err < 0)
4673 goto err3;
4674
4675 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4676 return register_pernet_subsys(&nf_tables_net_ops);
4677err3:
4678 nf_tables_core_module_exit();
4679err2:
4680 kfree(info);
4681err1:
4682 return err;
4683}
4684
4685static void __exit nf_tables_module_exit(void)
4686{
4687 unregister_pernet_subsys(&nf_tables_net_ops);
4688 nfnetlink_subsys_unregister(&nf_tables_subsys);
4689 rcu_barrier();
4690 nf_tables_core_module_exit();
4691 kfree(info);
4692}
4693
4694module_init(nf_tables_module_init);
4695module_exit(nf_tables_module_exit);
4696
4697MODULE_LICENSE("GPL");
4698MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4699MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
4700
